FTL B3 should have basic GetById support
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-12-08  Filip Pizlo  <fpizlo@apple.com>
2
3         FTL B3 should have basic GetById support
4         https://bugs.webkit.org/show_bug.cgi?id=152035
5
6         Reviewed by Saam Barati.
7
8         Adds basic GetById support. This was so easy to do. Unlike the LLVM code for this, the B3 code is
9         entirely self-contained within the getById() method in LowerDFG.
10
11         I discovered that we weren't folding Check(NotEqual(x, 0)) to Check(x). This was preventing us
12         from generating good code for Check(NotEqual(BitAnd(x, tagMask), 0)), since the BitAnd was
13         concealed. This was an easy strength reduction rule to add.
14
15         Finally, I found it easier to say append(value, rep) than append(ConstrainedValue(value, rep)), so
16         I added that API. The old ConstrainedValue form is still super useful in other places, like
17         compileCallOrConstruct(), where the two-argument form would be awkward. It's great to have both
18         APIs to pick from.
19
20         * b3/B3ReduceStrength.cpp:
21         * b3/B3StackmapValue.cpp:
22         (JSC::B3::StackmapValue::~StackmapValue):
23         (JSC::B3::StackmapValue::append):
24         * b3/B3StackmapValue.h:
25         * dfg/DFGCommon.h:
26         * ftl/FTLLowerDFGToLLVM.cpp:
27         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
28
29 2015-12-09  Saam barati  <sbarati@apple.com>
30
31         Update generators' features.json to indicate that we have a spec compliant implementation
32         https://bugs.webkit.org/show_bug.cgi?id=152085
33
34         Reviewed by Joseph Pecoraro.
35
36         * features.json:
37
38 2015-12-09  Saam barati  <sbarati@apple.com>
39
40         Update features.json w.r.t tail calls
41         https://bugs.webkit.org/show_bug.cgi?id=152072
42
43         Reviewed by Michael Saboff.
44
45         * features.json:
46
47 2015-12-09  Saam barati  <sbarati@apple.com>
48
49         we should emit op_watchdog after op_enter
50         https://bugs.webkit.org/show_bug.cgi?id=151972
51
52         Reviewed by Mark Lam.
53
54         This also solves the issue of watchdog not being
55         observed when we loop purely through tail calls.
56
57         * API/tests/ExecutionTimeLimitTest.cpp:
58         (testExecutionTimeLimit):
59         * bytecompiler/BytecodeGenerator.cpp:
60         (JSC::BytecodeGenerator::BytecodeGenerator):
61         (JSC::BytecodeGenerator::emitProfiledOpcode):
62         (JSC::BytecodeGenerator::emitEnter):
63         (JSC::BytecodeGenerator::emitLoopHint):
64         * bytecompiler/BytecodeGenerator.h:
65
66 2015-12-08  Benjamin Poulain  <bpoulain@apple.com>
67
68         [JSC] Improve how B3 lowers Add() and Sub() on x86
69         https://bugs.webkit.org/show_bug.cgi?id=152026
70
71         Reviewed by Geoffrey Garen.
72
73         The assembler was missing some important x86 forms of
74         ADD and SUB that were making our lowering
75         unfriendly with register allocation.
76
77         First, we were missing a 3 operand version of Add
78         implement with LEA. As a result, an Add would
79         be lowered as:
80             Move op1->srcDest
81             Add op2, srcDest
82         The problem with such code is that op2 and srcDest
83         interferes. It is impossible to assign them the same
84         machine register.
85
86         With the new Add form, we have:
87             Add op1, op2, dest
88         without interferences between any of those values.
89         The add is implement by a LEA without scaling or displacement.
90
91         This patch also adds missing forms of Add and Sub with
92         direct addressing for arguments. This avoids dealing with Tmps
93         that only exist for those operations.
94
95         Finally, the lowering of adding something to itself was updated accordingly.
96         Such operation is transformed in Shl by 2. The lowering of Shl
97         was adding an explicit Move, preventing the use of LEA when it
98         is useful.
99         Instead of having an explicit move, I changed the direct addressing
100         forms to only be selected if the two operands are different.
101         A Move is then added by appendBinOp() if needed.
102
103         * assembler/MacroAssemblerX86Common.h:
104         (JSC::MacroAssemblerX86Common::add32):
105         (JSC::MacroAssemblerX86Common::x86Lea32):
106         * assembler/MacroAssemblerX86_64.h:
107         (JSC::MacroAssemblerX86_64::add64):
108         (JSC::MacroAssemblerX86_64::x86Lea64):
109         (JSC::MacroAssemblerX86_64::sub64):
110         * assembler/X86Assembler.h:
111         (JSC::X86Assembler::addq_rm):
112         (JSC::X86Assembler::subq_mr):
113         (JSC::X86Assembler::subq_rm):
114         (JSC::X86Assembler::subq_im):
115         (JSC::X86Assembler::leal_mr):
116         (JSC::X86Assembler::leaq_mr):
117         * b3/B3LowerToAir.cpp:
118         (JSC::B3::Air::LowerToAir::appendBinOp):
119         (JSC::B3::Air::LowerToAir::lower):
120         * b3/air/AirOpcode.opcodes:
121         * b3/testb3.cpp:
122         (JSC::B3::testAddArgMem):
123         (JSC::B3::testAddMemArg):
124         (JSC::B3::testAddImmMem):
125         (JSC::B3::testAddArg32):
126         (JSC::B3::testAddArgMem32):
127         (JSC::B3::testAddMemArg32):
128         (JSC::B3::testAddImmMem32):
129         (JSC::B3::testSubArgMem):
130         (JSC::B3::testSubMemArg):
131         (JSC::B3::testSubImmMem):
132         (JSC::B3::testSubMemImm):
133         (JSC::B3::testSubMemArg32):
134         (JSC::B3::testSubArgMem32):
135         (JSC::B3::testSubImmMem32):
136         (JSC::B3::testSubMemImm32):
137         (JSC::B3::run):
138
139 2015-12-08  Mark Lam  <mark.lam@apple.com>
140
141         Factoring out common DFG code for bitwise and shift operators.
142         https://bugs.webkit.org/show_bug.cgi?id=152019
143
144         Reviewed by Michael Saboff.
145
146         * dfg/DFGSpeculativeJIT.cpp:
147         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
148         (JSC::DFG::SpeculativeJIT::compileShiftOp):
149         * dfg/DFGSpeculativeJIT.h:
150         * dfg/DFGSpeculativeJIT32_64.cpp:
151         (JSC::DFG::SpeculativeJIT::compile):
152         * dfg/DFGSpeculativeJIT64.cpp:
153         (JSC::DFG::SpeculativeJIT::compile):
154
155 2015-12-08  Mark Lam  <mark.lam@apple.com>
156
157         DFG and FTL should be resilient against cases where both snippet operands are constant.
158         https://bugs.webkit.org/show_bug.cgi?id=152017
159
160         Reviewed by Michael Saboff.
161
162         The DFG front end may not always constant fold cases where both operands are
163         constant.  As a result, the DFG and FTL back ends needs to be resilient against
164         this when using snippet generators since the generators do not support the case
165         where both operands are constant.  The strategy for handling this 2 const operands
166         case is to treat at least one of them as a variable if both are constant. 
167
168         * dfg/DFGSpeculativeJIT.cpp:
169         (JSC::DFG::SpeculativeJIT::compileValueAdd):
170         - Also remove the case for folding 2 constant operands.  It is the front end's
171           job to do so, not the back end here.
172
173         (JSC::DFG::SpeculativeJIT::compileArithSub):
174         (JSC::DFG::SpeculativeJIT::compileArithMul):
175         * ftl/FTLLowerDFGToLLVM.cpp:
176         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
177         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
178
179 2015-12-08  Mark Lam  <mark.lam@apple.com>
180
181         Snippefy shift operators for the baseline JIT.
182         https://bugs.webkit.org/show_bug.cgi?id=151875
183
184         Reviewed by Geoffrey Garen.
185
186         * CMakeLists.txt:
187         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
188         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
189         * JavaScriptCore.xcodeproj/project.pbxproj:
190         * jit/JIT.h:
191
192         * jit/JITArithmetic.cpp:
193         (JSC::JIT::emitBitBinaryOpFastPath):
194         - Don't need GPRInfo:: qualifiers.  Removed them to reduce verbosity.
195         - Also removed the emitStoreInt32() case for storing the result on 32-bit ports.
196           This is because:
197           1. The client should not make assumptions about whether the snippet fast path
198              only include cases where the result tag already contain the IntTag.
199           2. The "(op1 == result || op2 == result)" condition for skipping the IntTag
200              storage, is only valid for the bitand, bitor, and bitxor implementations.
201              It is invalid for the lshift implementation that uses this code now.
202           Instead, we'll always unconditionally store what the result tag that the
203           snippet computed for us.
204
205         (JSC::JIT::emit_op_lshift):
206         (JSC::JIT::emitSlow_op_lshift):
207         (JSC::JIT::emitRightShiftFastPath):
208         (JSC::JIT::emit_op_rshift):
209         (JSC::JIT::emitSlow_op_rshift):
210         (JSC::JIT::emit_op_urshift):
211         (JSC::JIT::emitSlow_op_urshift):
212
213         * jit/JITArithmetic32_64.cpp:
214         (JSC::JIT::emit_op_lshift): Deleted.
215         (JSC::JIT::emitSlow_op_lshift): Deleted.
216         (JSC::JIT::emitRightShift): Deleted.
217         (JSC::JIT::emitRightShiftSlowCase): Deleted.
218         (JSC::JIT::emit_op_rshift): Deleted.
219         (JSC::JIT::emitSlow_op_rshift): Deleted.
220         (JSC::JIT::emit_op_urshift): Deleted.
221         (JSC::JIT::emitSlow_op_urshift): Deleted.
222
223         * jit/JITLeftShiftGenerator.cpp: Added.
224         (JSC::JITLeftShiftGenerator::generateFastPath):
225         * jit/JITLeftShiftGenerator.h: Added.
226         (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
227         * jit/JITRightShiftGenerator.cpp: Added.
228         (JSC::JITRightShiftGenerator::generateFastPath):
229         * jit/JITRightShiftGenerator.h: Added.
230         (JSC::JITRightShiftGenerator::JITRightShiftGenerator):
231
232         * tests/stress/op_lshift.js:
233         * tests/stress/op_rshift.js:
234         * tests/stress/op_urshift.js:
235         - Fixed some values and added others that are meaningful for testing shifts.
236
237         * tests/stress/resources/binary-op-test.js:
238         (stringifyIfNeeded):
239         (generateBinaryTests):
240         - Fixed the test generator to give unique names to all the generated test
241           functions.  Without this, multiple tests may end up using the same global
242           test function.  As a result, with enough test values to test, the function may
243           get prematurely JITted, and the computed expected result which is supposed to
244           be computed by the LLINT, may end up being computed by a JIT instead.
245
246 2015-12-08  Joseph Pecoraro  <pecoraro@apple.com>
247
248         Create a Sandbox SPI header
249         https://bugs.webkit.org/show_bug.cgi?id=151981
250
251         Reviewed by Andy Estes.
252
253         * inspector/remote/RemoteInspector.mm:
254
255 2015-12-08  Filip Pizlo  <fpizlo@apple.com>
256
257         DFG::UnificationPhase should merge isProfitableToUnbox, since this may have been set in ByteCodeParser
258         https://bugs.webkit.org/show_bug.cgi?id=152011
259         rdar://problem/23777875
260
261         Reviewed by Michael Saboff.
262
263         Previously UnificationPhase did not merge this because we used to only set this in FixupPhase, which runs after unification. But now
264         ByteCodeParser may set isProfitableToUnbox as part of how it handles the ArgumentCount of an inlined varargs call, so UnificationPhase
265         needs to merge it after unifying.
266
267         Also changed the order of unification since this makes the bug more obvious and easier to test.
268
269         * dfg/DFGUnificationPhase.cpp:
270         (JSC::DFG::UnificationPhase::run):
271         * tests/stress/varargs-with-unused-count.js: Added.
272
273 2015-12-08  Mark Lam  <mark.lam@apple.com>
274
275         Polymorphic operand types for DFG and FTL div.
276         https://bugs.webkit.org/show_bug.cgi?id=151747
277
278         Reviewed by Geoffrey Garen.
279
280         Perf on benchmarks is neutral.  The new JSRegress ftl-object-div test shows
281         a speed up not from the div operator itself, but from the fact that the
282         polymorphic operand types support now allow the test function to run without OSR
283         exiting, thereby realizing the DFG and FTL's speed up on other work that the test
284         function does.
285
286         This patch has passed the layout tests on x86_64 with a debug build.
287         It passed the JSC tests with x86 and x86_64 debug builds.
288
289         * dfg/DFGAbstractInterpreterInlines.h:
290         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
291         * dfg/DFGClobberize.h:
292         (JSC::DFG::clobberize):
293         * dfg/DFGFixupPhase.cpp:
294         (JSC::DFG::FixupPhase::fixupNode):
295         * dfg/DFGOperations.cpp:
296         * dfg/DFGOperations.h:
297         * dfg/DFGPredictionPropagationPhase.cpp:
298         (JSC::DFG::PredictionPropagationPhase::propagate):
299
300         * dfg/DFGSpeculativeJIT.cpp:
301         (JSC::DFG::SpeculativeJIT::compileArithDiv):
302
303         * ftl/FTLCompileBinaryOp.cpp:
304         (JSC::FTL::generateBinaryArithOpFastPath):
305         (JSC::FTL::generateBinaryOpFastPath):
306
307         * ftl/FTLInlineCacheDescriptor.h:
308         * ftl/FTLInlineCacheDescriptorInlines.h:
309         (JSC::FTL::ArithDivDescriptor::ArithDivDescriptor):
310         (JSC::FTL::ArithDivDescriptor::icSize):
311
312         * ftl/FTLInlineCacheSize.cpp:
313         (JSC::FTL::sizeOfArithDiv):
314         * ftl/FTLInlineCacheSize.h:
315
316         * ftl/FTLLowerDFGToLLVM.cpp:
317         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
318         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
319         - Fixed a cut-paste bug where the op_mul IC was using the op_sub IC size.
320           This bug is benign because the op_sub IC size turns out to be larger
321           than op_mul needs.
322         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
323
324         * jit/JITArithmetic.cpp:
325         (JSC::JIT::emit_op_div):
326         - Fixed a bug where the scratchFPR was not allocated for the 64bit port.
327           This bug is benign because the scratchFPR is only needed if we are
328           using scratchGPR register (used for branchConvertDoubleToInt32()) is
329           >= X86Registers::r8.  Since we're always using regT2 for the scratchT2,
330           the scratchFPR is never needed.   However, we should fix this anyway to
331           be correct.
332
333         * tests/stress/op_div.js:
334         - Fixed some test values.
335
336 2015-12-05 Aleksandr Skachkov   <gskachkov@gmail.com>
337
338         [ES6] "super" and "this" should be lexically bound inside an arrow function and should live in a JSLexicalEnvironment
339         https://bugs.webkit.org/show_bug.cgi?id=149338
340
341         Reviewed by Saam Barati.
342
343         Implemented new version of the lexically bound 'this' in arrow function. In current version 
344         'this' is stored inside of the lexical environment of the function. To store and load we use
345         op_get_from_scope and op_put_to_scope operations. Also new implementation prevent raising TDZ
346         error for arrow functions that are declared before super() but invoke after.
347
348         * builtins/BuiltinExecutables.cpp:
349         (JSC::createExecutableInternal):
350         * bytecode/BytecodeList.json:
351         * bytecode/BytecodeUseDef.h:
352         * bytecode/CodeBlock.cpp:
353         (JSC::CodeBlock::dumpBytecode):
354         * bytecode/EvalCodeCache.h:
355         (JSC::EvalCodeCache::getSlow):
356         * bytecode/ExecutableInfo.h:
357         (JSC::ExecutableInfo::ExecutableInfo):
358         (JSC::ExecutableInfo::isDerivedConstructorContext):
359         (JSC::ExecutableInfo::isArrowFunctionContext):
360         * bytecode/UnlinkedCodeBlock.cpp:
361         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
362         * bytecode/UnlinkedCodeBlock.h:
363         (JSC::UnlinkedCodeBlock::isArrowFunction):
364         (JSC::UnlinkedCodeBlock::isDerivedConstructorContext):
365         (JSC::UnlinkedCodeBlock::isArrowFunctionContext):
366         * bytecode/UnlinkedFunctionExecutable.cpp:
367         (JSC::generateUnlinkedFunctionCodeBlock):
368         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
369         * bytecode/UnlinkedFunctionExecutable.h:
370         * bytecompiler/BytecodeGenerator.cpp:
371         (JSC::BytecodeGenerator::BytecodeGenerator):
372         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
373         (JSC::BytecodeGenerator::variable):
374         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
375         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
376         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
377         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
378         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
379         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
380         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
381         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
382         * bytecompiler/BytecodeGenerator.h:
383         (JSC::BytecodeGenerator::isDerivedConstructorContext):
384         (JSC::BytecodeGenerator::usesArrowFunction):
385         (JSC::BytecodeGenerator::needsToUpdateArrowFunctionContext):
386         (JSC::BytecodeGenerator::usesEval):
387         (JSC::BytecodeGenerator::usesThis):
388         (JSC::BytecodeGenerator::newTarget):
389         (JSC::BytecodeGenerator::makeFunction):
390         * bytecompiler/NodesCodegen.cpp:
391         (JSC::ThisNode::emitBytecode):
392         (JSC::SuperNode::emitBytecode):
393         (JSC::EvalFunctionCallNode::emitBytecode):
394         (JSC::FunctionCallValueNode::emitBytecode):
395         (JSC::FunctionNode::emitBytecode):
396         * debugger/DebuggerCallFrame.cpp:
397         (JSC::DebuggerCallFrame::evaluate):
398         * dfg/DFGAbstractInterpreterInlines.h:
399         * dfg/DFGByteCodeParser.cpp:
400         (JSC::DFG::ByteCodeParser::parseBlock):
401         * dfg/DFGCapabilities.cpp:
402         * dfg/DFGClobberize.h:
403         * dfg/DFGDoesGC.cpp:
404         * dfg/DFGFixupPhase.cpp:
405         * dfg/DFGNodeType.h:
406         * dfg/DFGObjectAllocationSinkingPhase.cpp:
407         * dfg/DFGPredictionPropagationPhase.cpp:
408         * dfg/DFGPromotedHeapLocation.cpp:
409         * dfg/DFGPromotedHeapLocation.h:
410         * dfg/DFGSafeToExecute.h:
411         * dfg/DFGSpeculativeJIT.cpp:
412         * dfg/DFGSpeculativeJIT.h:
413         * dfg/DFGSpeculativeJIT32_64.cpp:
414         * dfg/DFGSpeculativeJIT64.cpp:
415         * ftl/FTLCapabilities.cpp:
416         * ftl/FTLLowerDFGToLLVM.cpp:
417         * ftl/FTLOperations.cpp:
418         (JSC::FTL::operationMaterializeObjectInOSR):
419         * interpreter/Interpreter.cpp:
420         (JSC::eval):
421         * jit/JIT.cpp:
422         * jit/JIT.h:
423         * jit/JITOpcodes.cpp:
424         (JSC::JIT::emitNewFuncExprCommon):
425         * jit/JITOpcodes32_64.cpp:
426         * llint/LLIntSlowPaths.cpp:
427         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
428         * llint/LowLevelInterpreter.asm:
429         * llint/LowLevelInterpreter32_64.asm:
430         * llint/LowLevelInterpreter64.asm:
431         * parser/ASTBuilder.h:
432         (JSC::ASTBuilder::createArrowFunctionExpr):
433         (JSC::ASTBuilder::usesArrowFunction):
434         * parser/Nodes.h:
435         (JSC::ScopeNode::usesArrowFunction):
436         * parser/Parser.cpp:
437         (JSC::Parser<LexerType>::parseFunctionInfo):
438         * parser/ParserModes.h:
439         * runtime/CodeCache.cpp:
440         (JSC::CodeCache::getGlobalCodeBlock):
441         (JSC::CodeCache::getProgramCodeBlock):
442         (JSC::CodeCache::getEvalCodeBlock):
443         (JSC::CodeCache::getModuleProgramCodeBlock):
444         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
445         * runtime/CodeCache.h:
446         * runtime/CommonIdentifiers.h:
447         * runtime/CommonSlowPaths.cpp:
448         (JSC::SLOW_PATH_DECL):
449         * runtime/Executable.cpp:
450         (JSC::ScriptExecutable::ScriptExecutable):
451         (JSC::EvalExecutable::create):
452         (JSC::EvalExecutable::EvalExecutable):
453         (JSC::ProgramExecutable::ProgramExecutable):
454         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
455         (JSC::FunctionExecutable::FunctionExecutable):
456         * runtime/Executable.h:
457         (JSC::ScriptExecutable::isArrowFunctionContext):
458         (JSC::ScriptExecutable::isDerivedConstructorContext):
459         * runtime/JSGlobalObject.cpp:
460         (JSC::JSGlobalObject::createEvalCodeBlock):
461         * runtime/JSGlobalObject.h:
462         * runtime/JSGlobalObjectFunctions.cpp:
463         (JSC::globalFuncEval):
464         * tests/es6.yaml:
465         * tests/stress/arrowfunction-activation-sink-osrexit.js:
466         * tests/stress/arrowfunction-activation-sink.js:
467         * tests/stress/arrowfunction-lexical-bind-newtarget.js: Added.
468         * tests/stress/arrowfunction-lexical-bind-supercall-1.js: Added.
469         * tests/stress/arrowfunction-lexical-bind-supercall-2.js: Added.
470         * tests/stress/arrowfunction-lexical-bind-supercall-3.js: Added.
471         * tests/stress/arrowfunction-lexical-bind-supercall-4.js: Added.
472         * tests/stress/arrowfunction-lexical-bind-this-1.js:
473         * tests/stress/arrowfunction-lexical-bind-this-7.js: Added.
474         * tests/stress/arrowfunction-tdz-1.js: Added.
475         * tests/stress/arrowfunction-tdz-2.js: Added.
476         * tests/stress/arrowfunction-tdz-3.js: Added.
477         * tests/stress/arrowfunction-tdz-4.js: Added.
478         * tests/stress/arrowfunction-tdz.js: Removed.
479
480 2015-12-08  Csaba Osztrogonác  <ossy@webkit.org>
481
482         Fix the !ENABLE(DFG_JIT) build after r193649
483         https://bugs.webkit.org/show_bug.cgi?id=151985
484
485         Reviewed by Saam Barati.
486
487         * jit/JITOpcodes.cpp:
488         (JSC::JIT::emitSlow_op_loop_hint):
489
490 2015-12-08  Alberto Garcia  <berto@igalia.com>
491
492         Unreviewed. Remove unnecessary check for 0 in commitSize().
493
494         Change suggested by Darin Adler in bug #130237.
495
496         * interpreter/JSStack.cpp:
497         (JSC::commitSize):
498
499 2015-12-08  Ryuan Choi  <ryuan.choi@navercorp.com>
500
501         [EFL] Remove the flag to check timer state in IncrementalSweeper
502         https://bugs.webkit.org/show_bug.cgi?id=151988
503
504         Reviewed by Gyuyoung Kim.
505
506         * heap/IncrementalSweeper.cpp:
507         (JSC::IncrementalSweeper::scheduleTimer):
508         (JSC::IncrementalSweeper::IncrementalSweeper):
509         (JSC::IncrementalSweeper::cancelTimer):
510
511 2015-12-08  Philippe Normand  <pnormand@igalia.com>
512
513         [Mac][GTK] Fix JSC FTL build
514         https://bugs.webkit.org/show_bug.cgi?id=151915
515
516         Reviewed by Csaba Osztrogonác.
517
518         * CMakeLists.txt: Don't pass version-script option to ld on Darwin because this platform's linker
519         doesn't support this option.
520
521 2015-12-08  Alberto Garcia  <berto@igalia.com>
522
523         Unreviewed. Use pageSize() instead of getpagesize() after r193648
524
525         * interpreter/JSStack.cpp:
526         (JSC::commitSize):
527
528 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
529
530         Small style fixes in B3MoveConstants.cpp
531         https://bugs.webkit.org/show_bug.cgi?id=151980
532
533         Reviewed by Benjamin Poulain.
534
535         * b3/B3MoveConstants.cpp:
536
537 2015-12-07  Benjamin Poulain  <bpoulain@apple.com>
538
539         [JSC] On x86, we should XOR registers instead of moving a zero immediate
540         https://bugs.webkit.org/show_bug.cgi?id=151977
541
542         Reviewed by Filip Pizlo.
543
544         It is smaller and the frontend has special support
545         for xor.
546
547         * assembler/MacroAssemblerX86Common.h:
548         (JSC::MacroAssemblerX86Common::move):
549         (JSC::MacroAssemblerX86Common::signExtend32ToPtr):
550
551 2015-12-07  Benjamin Poulain  <bpoulain@apple.com>
552
553         Fix a typo from r193683
554
555         * ftl/FTLCommonValues.cpp:
556         (JSC::FTL::CommonValues::CommonValues):
557
558 2015-12-07  Benjamin Poulain  <bpoulain@apple.com>
559
560         [JSC] Add Float support to B3
561         https://bugs.webkit.org/show_bug.cgi?id=151974
562
563         Reviewed by Filip Pizlo.
564
565         This patch adds comprehensive float support to B3.
566
567         The new phase reduceDoubleToFloat() gives us a primitive
568         version of what LLVM was giving us on floats.
569         It needs to support conversions accross Phis but that can
570         be added later.
571
572         * CMakeLists.txt:
573         * JavaScriptCore.xcodeproj/project.pbxproj:
574         * assembler/MacroAssembler.h:
575         (JSC::MacroAssembler::moveDoubleConditionallyFloat):
576         * assembler/MacroAssemblerX86Common.h:
577         (JSC::MacroAssemblerX86Common::sqrtFloat):
578         (JSC::MacroAssemblerX86Common::loadFloat):
579         (JSC::MacroAssemblerX86Common::storeFloat):
580         (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
581         (JSC::MacroAssemblerX86Common::convertFloatToDouble):
582         (JSC::MacroAssemblerX86Common::addFloat):
583         (JSC::MacroAssemblerX86Common::divFloat):
584         (JSC::MacroAssemblerX86Common::subFloat):
585         (JSC::MacroAssemblerX86Common::mulFloat):
586         (JSC::MacroAssemblerX86Common::branchDouble):
587         (JSC::MacroAssemblerX86Common::branchFloat):
588         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
589         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
590         (JSC::MacroAssemblerX86Common::jumpAfterFloatingPointCompare):
591         (JSC::MacroAssemblerX86Common::moveConditionallyAfterFloatingPointCompare):
592         * assembler/X86Assembler.h:
593         (JSC::X86Assembler::addss_rr):
594         (JSC::X86Assembler::addss_mr):
595         (JSC::X86Assembler::cvtsd2ss_mr):
596         (JSC::X86Assembler::cvtss2sd_mr):
597         (JSC::X86Assembler::movss_rm):
598         (JSC::X86Assembler::movss_mr):
599         (JSC::X86Assembler::mulss_rr):
600         (JSC::X86Assembler::mulss_mr):
601         (JSC::X86Assembler::subss_rr):
602         (JSC::X86Assembler::subss_mr):
603         (JSC::X86Assembler::ucomiss_rr):
604         (JSC::X86Assembler::ucomiss_mr):
605         (JSC::X86Assembler::divss_rr):
606         (JSC::X86Assembler::divss_mr):
607         (JSC::X86Assembler::sqrtss_rr):
608         (JSC::X86Assembler::sqrtss_mr):
609         * b3/B3Const32Value.cpp:
610         (JSC::B3::Const32Value::bitwiseCastConstant):
611         * b3/B3Const32Value.h:
612         * b3/B3ConstDoubleValue.cpp:
613         (JSC::B3::ConstDoubleValue::doubleToFloatConstant):
614         (JSC::B3::ConstDoubleValue::sqrtConstant):
615         * b3/B3ConstDoubleValue.h:
616         * b3/B3ConstFloatValue.cpp: Added.
617         (JSC::B3::ConstFloatValue::~ConstFloatValue):
618         (JSC::B3::ConstFloatValue::negConstant):
619         (JSC::B3::ConstFloatValue::addConstant):
620         (JSC::B3::ConstFloatValue::subConstant):
621         (JSC::B3::ConstFloatValue::mulConstant):
622         (JSC::B3::ConstFloatValue::bitwiseCastConstant):
623         (JSC::B3::ConstFloatValue::floatToDoubleConstant):
624         (JSC::B3::ConstFloatValue::sqrtConstant):
625         (JSC::B3::ConstFloatValue::divConstant):
626         (JSC::B3::ConstFloatValue::equalConstant):
627         (JSC::B3::ConstFloatValue::notEqualConstant):
628         (JSC::B3::ConstFloatValue::lessThanConstant):
629         (JSC::B3::ConstFloatValue::greaterThanConstant):
630         (JSC::B3::ConstFloatValue::lessEqualConstant):
631         (JSC::B3::ConstFloatValue::greaterEqualConstant):
632         (JSC::B3::ConstFloatValue::dumpMeta):
633         * b3/B3ConstFloatValue.h: Copied from Source/JavaScriptCore/b3/B3ConstDoubleValue.h.
634         * b3/B3Generate.cpp:
635         (JSC::B3::generateToAir):
636         * b3/B3LowerToAir.cpp:
637         (JSC::B3::Air::LowerToAir::tryOpcodeForType):
638         (JSC::B3::Air::LowerToAir::opcodeForType):
639         (JSC::B3::Air::LowerToAir::appendUnOp):
640         (JSC::B3::Air::LowerToAir::appendBinOp):
641         (JSC::B3::Air::LowerToAir::appendShift):
642         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
643         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
644         (JSC::B3::Air::LowerToAir::moveForType):
645         (JSC::B3::Air::LowerToAir::relaxedMoveForType):
646         (JSC::B3::Air::LowerToAir::createGenericCompare):
647         (JSC::B3::Air::LowerToAir::createBranch):
648         (JSC::B3::Air::LowerToAir::createCompare):
649         (JSC::B3::Air::LowerToAir::createSelect):
650         (JSC::B3::Air::LowerToAir::lower):
651         * b3/B3MemoryValue.cpp:
652         (JSC::B3::MemoryValue::accessByteSize): Deleted.
653         * b3/B3MemoryValue.h:
654         * b3/B3MoveConstants.cpp:
655         * b3/B3Opcode.cpp:
656         (WTF::printInternal):
657         * b3/B3Opcode.h:
658         * b3/B3Procedure.cpp:
659         (JSC::B3::Procedure::addIntConstant):
660         * b3/B3ReduceDoubleToFloat.cpp: Added.
661         (JSC::B3::reduceDoubleToFloat):
662         * b3/B3ReduceDoubleToFloat.h: Copied from Source/JavaScriptCore/b3/B3Type.cpp.
663         * b3/B3ReduceStrength.cpp:
664         * b3/B3Type.cpp:
665         (WTF::printInternal):
666         * b3/B3Type.h:
667         (JSC::B3::isFloat):
668         (JSC::B3::sizeofType):
669         * b3/B3Validate.cpp:
670         * b3/B3Value.cpp:
671         (JSC::B3::Value::doubleToFloatConstant):
672         (JSC::B3::Value::floatToDoubleConstant):
673         (JSC::B3::Value::sqrtConstant):
674         (JSC::B3::Value::asTriState):
675         (JSC::B3::Value::effects):
676         (JSC::B3::Value::key):
677         (JSC::B3::Value::checkOpcode):
678         (JSC::B3::Value::typeFor):
679         * b3/B3Value.h:
680         * b3/B3ValueInlines.h:
681         (JSC::B3::Value::isConstant):
682         (JSC::B3::Value::hasFloat):
683         (JSC::B3::Value::asFloat):
684         (JSC::B3::Value::hasNumber):
685         (JSC::B3::Value::isNegativeZero):
686         (JSC::B3::Value::representableAs):
687         (JSC::B3::Value::asNumber):
688         * b3/B3ValueKey.cpp:
689         (JSC::B3::ValueKey::materialize):
690         * b3/B3ValueKey.h:
691         (JSC::B3::ValueKey::ValueKey):
692         (JSC::B3::ValueKey::floatValue):
693         * b3/air/AirArg.h:
694         (JSC::B3::Air::Arg::typeForB3Type):
695         (JSC::B3::Air::Arg::widthForB3Type):
696         * b3/air/AirFixPartialRegisterStalls.cpp:
697         * b3/air/AirOpcode.opcodes:
698         * b3/testb3.cpp:
699         (JSC::B3::testAddArgFloat):
700         (JSC::B3::testAddArgsFloat):
701         (JSC::B3::testAddArgImmFloat):
702         (JSC::B3::testAddImmArgFloat):
703         (JSC::B3::testAddImmsFloat):
704         (JSC::B3::testAddArgFloatWithUselessDoubleConversion):
705         (JSC::B3::testAddArgsFloatWithUselessDoubleConversion):
706         (JSC::B3::testAddArgsFloatWithEffectfulDoubleConversion):
707         (JSC::B3::testMulArgFloat):
708         (JSC::B3::testMulArgsFloat):
709         (JSC::B3::testMulArgImmFloat):
710         (JSC::B3::testMulImmArgFloat):
711         (JSC::B3::testMulImmsFloat):
712         (JSC::B3::testMulArgFloatWithUselessDoubleConversion):
713         (JSC::B3::testMulArgsFloatWithUselessDoubleConversion):
714         (JSC::B3::testMulArgsFloatWithEffectfulDoubleConversion):
715         (JSC::B3::testDivArgFloat):
716         (JSC::B3::testDivArgsFloat):
717         (JSC::B3::testDivArgImmFloat):
718         (JSC::B3::testDivImmArgFloat):
719         (JSC::B3::testDivImmsFloat):
720         (JSC::B3::testDivArgFloatWithUselessDoubleConversion):
721         (JSC::B3::testDivArgsFloatWithUselessDoubleConversion):
722         (JSC::B3::testDivArgsFloatWithEffectfulDoubleConversion):
723         (JSC::B3::testSubArgFloat):
724         (JSC::B3::testSubArgsFloat):
725         (JSC::B3::testSubArgImmFloat):
726         (JSC::B3::testSubImmArgFloat):
727         (JSC::B3::testSubImmsFloat):
728         (JSC::B3::testSubArgFloatWithUselessDoubleConversion):
729         (JSC::B3::testSubArgsFloatWithUselessDoubleConversion):
730         (JSC::B3::testSubArgsFloatWithEffectfulDoubleConversion):
731         (JSC::B3::testClzMem32):
732         (JSC::B3::testSqrtArg):
733         (JSC::B3::testSqrtImm):
734         (JSC::B3::testSqrtMem):
735         (JSC::B3::testSqrtArgWithUselessDoubleConversion):
736         (JSC::B3::testSqrtArgWithEffectfulDoubleConversion):
737         (JSC::B3::testDoubleArgToInt64BitwiseCast):
738         (JSC::B3::testDoubleImmToInt64BitwiseCast):
739         (JSC::B3::testTwoBitwiseCastOnDouble):
740         (JSC::B3::testBitwiseCastOnDoubleInMemory):
741         (JSC::B3::testInt64BArgToDoubleBitwiseCast):
742         (JSC::B3::testInt64BImmToDoubleBitwiseCast):
743         (JSC::B3::testTwoBitwiseCastOnInt64):
744         (JSC::B3::testBitwiseCastOnInt64InMemory):
745         (JSC::B3::testFloatImmToInt32BitwiseCast):
746         (JSC::B3::testBitwiseCastOnFloatInMemory):
747         (JSC::B3::testInt32BArgToFloatBitwiseCast):
748         (JSC::B3::testInt32BImmToFloatBitwiseCast):
749         (JSC::B3::testTwoBitwiseCastOnInt32):
750         (JSC::B3::testBitwiseCastOnInt32InMemory):
751         (JSC::B3::testConvertDoubleToFloatArg):
752         (JSC::B3::testConvertDoubleToFloatImm):
753         (JSC::B3::testConvertDoubleToFloatMem):
754         (JSC::B3::testConvertFloatToDoubleArg):
755         (JSC::B3::testConvertFloatToDoubleImm):
756         (JSC::B3::testConvertFloatToDoubleMem):
757         (JSC::B3::testConvertDoubleToFloatToDoubleToFloat):
758         (JSC::B3::testLoadFloatConvertDoubleConvertFloatStoreFloat):
759         (JSC::B3::testFroundArg):
760         (JSC::B3::testFroundMem):
761         (JSC::B3::testStore32):
762         (JSC::B3::modelLoad):
763         (JSC::B3::float>):
764         (JSC::B3::double>):
765         (JSC::B3::testLoad):
766         (JSC::B3::testStoreFloat):
767         (JSC::B3::testReturnFloat):
768         (JSC::B3::simpleFunctionFloat):
769         (JSC::B3::testCallSimpleFloat):
770         (JSC::B3::functionWithHellaFloatArguments):
771         (JSC::B3::testCallFunctionWithHellaFloatArguments):
772         (JSC::B3::testSelectCompareFloat):
773         (JSC::B3::testSelectCompareFloatToDouble):
774         (JSC::B3::testSelectDoubleCompareFloat):
775         (JSC::B3::testSelectFloatCompareFloat):
776         (JSC::B3::populateWithInterestingValues):
777         (JSC::B3::floatingPointOperands):
778         (JSC::B3::int64Operands):
779         (JSC::B3::run):
780         (JSC::B3::testStore): Deleted.
781         (JSC::B3::posInfinity): Deleted.
782         (JSC::B3::negInfinity): Deleted.
783         (JSC::B3::doubleOperands): Deleted.
784         * ftl/FTLB3Output.cpp:
785         (JSC::FTL::Output::loadFloatToDouble):
786         * ftl/FTLB3Output.h:
787         (JSC::FTL::Output::fround):
788         * ftl/FTLCommonValues.cpp:
789         (JSC::FTL::CommonValues::CommonValues):
790         * ftl/FTLCommonValues.h:
791
792 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
793
794         FTL B3 should be able to flag the tag constants as being super important so that B3 can hoist them and Air can force them into registers
795         https://bugs.webkit.org/show_bug.cgi?id=151955
796
797         Reviewed by Geoffrey Garen.
798
799         Taught B3 about the concept of "fast constants". A client of B3 can now tell B3 which
800         constants are super important. B3 will not spill the constant in that case and will ensure
801         that the constant is materialized only once: statically once, and dynamically once per
802         procedure execution. The hoistFastConstants() algorithm in B3MoveConstants.cpp achieves this
803         by first picking the lowest common dominator of all uses of each fast constant, and then
804         picking the materialization point by finding the lowest dominator of that dominator that is
805         tied for lowest block frequency. In practice, the second step ensures that this is the lowest
806         point in the program that is not in a loop (i.e. executes no more than once dynamically per
807         procedure invocation).
808
809         Taught Air about the concept of "fast tmps". B3 tells Air that a tmp is fast if it is used to
810         hold the materialization of a fast constant. IRC will use the lowest possible spill score for
811         fast tmps. In practice, this ensures that fast constants are never spilled.
812
813         Added a small snippet of code to FTL::LowerDFGToLLVM that makes both of the tag constants
814         into fast constants.
815
816         My hope is that this very brute-force heuristic is good enough that we don't have to think
817         about constants for a while. Based on my experience with how LLVM's constant hoisting works
818         out, the heuristic in this patch is going to be tough to beat. LLVM's constant hoisting does
819         good things when it hoists the tags, and usually causes nothing but problems when it hoists
820         anything else. This is because there is no way a low-level compiler to really understand how
821         a constant materialization impacts some operation's contribution to the overall execution
822         time of a procedure. But, in the FTL we know that constant materializations for type checks
823         are a bummer because we are super comfortable placing type checks on the hottest of paths. So
824         those are the last paths where extra instructions should be added by the compiler. On the
825         other hand, all other large constant uses are on relatively cold paths, or paths that are
826         already expensive for other reasons. For example, global variable accesses have to
827         materialize a pointer to the global. But that's not really a big deal, since a load from a
828         global involves first the load itself and then type checks on the result - so probably the
829         constant materialization is just not interesting. A store to a global often involves a store
830         barrier, so the constant materialization is really not interesting. This patch codifies this
831         heuristic in a pact between Air, B3, and the FTL: FTL demands that B3 pin the two tags in
832         registers, and B3 relays the demand to Air.
833
834         * JavaScriptCore.xcodeproj/project.pbxproj:
835         * b3/B3CFG.h: Added.
836         (JSC::B3::CFG::CFG):
837         (JSC::B3::CFG::root):
838         (JSC::B3::CFG::newMap):
839         (JSC::B3::CFG::successors):
840         (JSC::B3::CFG::predecessors):
841         (JSC::B3::CFG::index):
842         (JSC::B3::CFG::node):
843         (JSC::B3::CFG::numNodes):
844         (JSC::B3::CFG::dump):
845         * b3/B3Dominators.h: Added.
846         (JSC::B3::Dominators::Dominators):
847         * b3/B3IndexMap.h:
848         (JSC::B3::IndexMap::resize):
849         (JSC::B3::IndexMap::size):
850         (JSC::B3::IndexMap::operator[]):
851         * b3/B3LowerMacros.cpp:
852         * b3/B3LowerToAir.cpp:
853         (JSC::B3::Air::LowerToAir::tmp):
854         * b3/B3MoveConstants.cpp:
855         * b3/B3Opcode.h:
856         (JSC::B3::constPtrOpcode):
857         (JSC::B3::isConstant):
858         * b3/B3Procedure.cpp:
859         (JSC::B3::Procedure::Procedure):
860         (JSC::B3::Procedure::resetReachability):
861         (JSC::B3::Procedure::invalidateCFG):
862         (JSC::B3::Procedure::dump):
863         (JSC::B3::Procedure::deleteValue):
864         (JSC::B3::Procedure::dominators):
865         (JSC::B3::Procedure::addFastConstant):
866         (JSC::B3::Procedure::isFastConstant):
867         (JSC::B3::Procedure::addDataSection):
868         * b3/B3Procedure.h:
869         (JSC::B3::Procedure::size):
870         (JSC::B3::Procedure::cfg):
871         (JSC::B3::Procedure::setLastPhaseName):
872         * b3/B3ReduceStrength.cpp:
873         * b3/B3ValueInlines.h:
874         (JSC::B3::Value::isConstant):
875         (JSC::B3::Value::isInteger):
876         * b3/B3ValueKey.h:
877         (JSC::B3::ValueKey::canMaterialize):
878         (JSC::B3::ValueKey::isConstant):
879         * b3/air/AirCode.cpp:
880         (JSC::B3::Air::Code::findNextBlock):
881         (JSC::B3::Air::Code::addFastTmp):
882         * b3/air/AirCode.h:
883         (JSC::B3::Air::Code::specials):
884         (JSC::B3::Air::Code::isFastTmp):
885         (JSC::B3::Air::Code::setLastPhaseName):
886         * b3/air/AirIteratedRegisterCoalescing.cpp:
887         * dfg/DFGDominators.h:
888         * dfg/DFGSSACalculator.cpp:
889         * ftl/FTLLowerDFGToLLVM.cpp:
890         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
891
892 2015-12-07  Andy VanWagoner  <thetalecrafter@gmail.com>
893
894         [INTL] Implement String.prototype.toLocaleUpperCase in ECMA-402
895         https://bugs.webkit.org/show_bug.cgi?id=147609
896
897         Reviewed by Benjamin Poulain.
898
899         Refactor most of toLocaleLowerCase to static function used by both
900         toLocaleUpperCase and toLocaleLowerCase.
901         Add toLocaleUpperCase using icu u_strToUpper.
902
903         * runtime/StringPrototype.cpp:
904         (JSC::StringPrototype::finishCreation):
905         (JSC::toLocaleCase):
906         (JSC::stringProtoFuncToLocaleLowerCase):
907         (JSC::stringProtoFuncToLocaleUpperCase):
908
909 2015-12-07  Michael Saboff  <msaboff@apple.com>
910
911         CRASH: CodeBlock::setOptimizationThresholdBasedOnCompilationResult + 567
912         https://bugs.webkit.org/show_bug.cgi?id=151892
913
914         Reviewed by Geoffrey Garen.
915
916         Reverted the change made in change set r193491.
917
918         The updated change is to finish all concurrent compilations and install the resulting
919         code blocks before we make any state changes due to debugger activity.  After all code
920         blocks have been installed, we make the debugger state changes, including jettisoning
921         all optimized code blocks.
922
923         This means that we will discard the optimized code blocks we just installed,
924         but we won't do that while on the install code block path.
925
926         * bytecode/CodeBlock.cpp:
927         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): Reverted r193491.
928         * debugger/Debugger.cpp:
929         (JSC::Debugger::setSteppingMode):
930         (JSC::Debugger::registerCodeBlock):
931         (JSC::Debugger::toggleBreakpoint):
932         (JSC::Debugger::clearBreakpoints):
933         (JSC::Debugger::clearDebuggerRequests):
934         Call Heap::completeAllDFGPlans() before updating code blocks for debugging changes.
935
936         * heap/Heap.h: Made completeAllDFGPlans() public.
937
938 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
939
940         FTL lowering should tell B3 the right block frequencies
941         https://bugs.webkit.org/show_bug.cgi?id=151531
942
943         Reviewed by Geoffrey Garen.
944
945         This glues together the DFG's view of basic block execution counts and B3's block frequencies.
946         This further improves our performance on imaging-gaussian-blur. It appears to improve the steady
947         state throughput by almost 4%.
948
949         * ftl/FTLB3Output.h:
950         (JSC::FTL::Output::setFrequency):
951         (JSC::FTL::Output::newBlock):
952         (JSC::FTL::Output::insertNewBlocksBefore):
953         (JSC::FTL::Output::callWithoutSideEffects):
954         * ftl/FTLLowerDFGToLLVM.cpp:
955         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
956         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock):
957         * ftl/FTLOutput.h:
958         (JSC::FTL::Output::setFrequency):
959         (JSC::FTL::Output::insertNewBlocksBefore):
960
961 2015-12-07  Saam barati  <sbarati@apple.com>
962
963         Update JSC feature list for rest parameters and generators
964         https://bugs.webkit.org/show_bug.cgi?id=151740
965
966         Reviewed by Joseph Pecoraro.
967
968         * features.json:
969
970 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
971
972         DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure).
973         https://bugs.webkit.org/show_bug.cgi?id=151952
974
975         Reviewed by Mark Lam.
976
977         Fix a bug revealed by the new ftl-has-a-bad-time.js test. It turns out that our handling of
978         structures reachable from the compiler wasn't accounting for having a bad time.
979
980         * dfg/DFGStructureRegistrationPhase.cpp:
981         (JSC::DFG::StructureRegistrationPhase::run):
982
983 2015-12-07  Saam barati  <sbarati@apple.com>
984
985         Add op_watchdog opcode that is generated when VM has a watchdog
986         https://bugs.webkit.org/show_bug.cgi?id=151954
987
988         Reviewed by Mark Lam.
989
990         This patch also makes watchdog a private member
991         of VM and adds a getter function.
992
993         * API/JSContextRef.cpp:
994         (JSContextGroupClearExecutionTimeLimit):
995         * bytecode/BytecodeList.json:
996         * bytecode/BytecodeUseDef.h:
997         (JSC::computeUsesForBytecodeOffset):
998         (JSC::computeDefsForBytecodeOffset):
999         * bytecode/CodeBlock.cpp:
1000         (JSC::CodeBlock::dumpBytecode):
1001         * bytecompiler/BytecodeGenerator.cpp:
1002         (JSC::BytecodeGenerator::emitLoopHint):
1003         (JSC::BytecodeGenerator::emitWatchdog):
1004         (JSC::BytecodeGenerator::retrieveLastBinaryOp):
1005         * bytecompiler/BytecodeGenerator.h:
1006         * dfg/DFGByteCodeParser.cpp:
1007         (JSC::DFG::ByteCodeParser::parseBlock):
1008         * dfg/DFGCapabilities.cpp:
1009         (JSC::DFG::capabilityLevel):
1010         * dfg/DFGSpeculativeJIT32_64.cpp:
1011         (JSC::DFG::SpeculativeJIT::compile):
1012         * dfg/DFGSpeculativeJIT64.cpp:
1013         (JSC::DFG::SpeculativeJIT::compile):
1014         * ftl/FTLLowerDFGToLLVM.cpp:
1015         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
1016         * jit/JIT.cpp:
1017         (JSC::JIT::privateCompileMainPass):
1018         (JSC::JIT::privateCompileSlowCases):
1019         * jit/JIT.h:
1020         * jit/JITOpcodes.cpp:
1021         (JSC::JIT::emit_op_loop_hint):
1022         (JSC::JIT::emitSlow_op_loop_hint):
1023         (JSC::JIT::emit_op_watchdog):
1024         (JSC::JIT::emitSlow_op_watchdog):
1025         (JSC::JIT::emit_op_new_regexp):
1026         * llint/LLIntSlowPaths.cpp:
1027         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1028         * llint/LowLevelInterpreter.asm:
1029         * runtime/VM.cpp:
1030         (JSC::VM::ensureWatchdog):
1031         * runtime/VM.h:
1032         (JSC::VM::watchdog):
1033         * runtime/VMEntryScope.cpp:
1034         (JSC::VMEntryScope::VMEntryScope):
1035         (JSC::VMEntryScope::~VMEntryScope):
1036         * runtime/VMInlines.h:
1037         (JSC::VM::shouldTriggerTermination):
1038
1039 2015-12-07  Alberto Garcia  <berto@igalia.com>
1040
1041         Crashes on PPC64 due to mprotect() on address not aligned to the page size
1042         https://bugs.webkit.org/show_bug.cgi?id=130237
1043
1044         Reviewed by Mark Lam.
1045
1046         Make sure that commitSize is at least as big as the page size.
1047
1048         * interpreter/JSStack.cpp:
1049         (JSC::commitSize):
1050         (JSC::JSStack::JSStack):
1051         (JSC::JSStack::growSlowCase):
1052         * interpreter/JSStack.h:
1053
1054 2015-12-06  Filip Pizlo  <fpizlo@apple.com>
1055
1056         FTL B3 should be able to make JS->JS calls
1057         https://bugs.webkit.org/show_bug.cgi?id=151901
1058
1059         Reviewed by Saam Barati.
1060
1061         This adds support for the Call and InvalidationPoint opcodes in DFG IR. This required doing some
1062         clean-up in the OSR exit code. We don't want the B3 FTL to use a bunch of vectors to hold
1063         side-state, so the use of OSRExitDescriptorImpl is not right. It makes sense in the LLVM FTL
1064         because that code needs some way of saving some state from LowerDFGToLLVM to compile(), but
1065         that's not how B3 FTL works. It turns out that for B3 FTL, there isn't anything in
1066         OSRExitDescriptorImpl that the code in LowerDFGToLLVM can't just capture in a lambda.
1067
1068         This also simplifies some stackmap-related APIs, since I got tired of writing boilerplate.
1069
1070         * CMakeLists.txt:
1071         * JavaScriptCore.xcodeproj/project.pbxproj:
1072         * assembler/AbstractMacroAssembler.h:
1073         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
1074         (JSC::AbstractMacroAssembler::addLinkTask):
1075         * b3/B3CheckSpecial.cpp:
1076         (JSC::B3::CheckSpecial::generate):
1077         * b3/B3Effects.h:
1078         * b3/B3PatchpointSpecial.cpp:
1079         (JSC::B3::PatchpointSpecial::generate):
1080         * b3/B3Procedure.cpp:
1081         (JSC::B3::Procedure::addDataSection):
1082         (JSC::B3::Procedure::callArgAreaSize):
1083         (JSC::B3::Procedure::requestCallArgAreaSize):
1084         (JSC::B3::Procedure::frameSize):
1085         * b3/B3Procedure.h:
1086         (JSC::B3::Procedure::releaseByproducts):
1087         (JSC::B3::Procedure::code):
1088         * b3/B3StackmapGenerationParams.cpp: Added.
1089         (JSC::B3::StackmapGenerationParams::usedRegisters):
1090         (JSC::B3::StackmapGenerationParams::proc):
1091         (JSC::B3::StackmapGenerationParams::StackmapGenerationParams):
1092         * b3/B3StackmapGenerationParams.h: Added.
1093         (JSC::B3::StackmapGenerationParams::value):
1094         (JSC::B3::StackmapGenerationParams::reps):
1095         (JSC::B3::StackmapGenerationParams::size):
1096         (JSC::B3::StackmapGenerationParams::at):
1097         (JSC::B3::StackmapGenerationParams::operator[]):
1098         (JSC::B3::StackmapGenerationParams::begin):
1099         (JSC::B3::StackmapGenerationParams::end):
1100         (JSC::B3::StackmapGenerationParams::context):
1101         (JSC::B3::StackmapGenerationParams::addLatePath):
1102         * b3/B3StackmapValue.h:
1103         * b3/B3ValueRep.h:
1104         (JSC::B3::ValueRep::doubleValue):
1105         (JSC::B3::ValueRep::withOffset):
1106         * b3/air/AirGenerationContext.h:
1107         * b3/testb3.cpp:
1108         (JSC::B3::testSimplePatchpoint):
1109         (JSC::B3::testSimplePatchpointWithoutOuputClobbersGPArgs):
1110         (JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs):
1111         (JSC::B3::testSimplePatchpointWithoutOuputClobbersFPArgs):
1112         (JSC::B3::testSimplePatchpointWithOuputClobbersFPArgs):
1113         (JSC::B3::testPatchpointWithEarlyClobber):
1114         (JSC::B3::testPatchpointCallArg):
1115         (JSC::B3::testPatchpointFixedRegister):
1116         (JSC::B3::testPatchpointAny):
1117         (JSC::B3::testPatchpointLotsOfLateAnys):
1118         (JSC::B3::testPatchpointAnyImm):
1119         (JSC::B3::testPatchpointManyImms):
1120         (JSC::B3::testPatchpointWithRegisterResult):
1121         (JSC::B3::testPatchpointWithStackArgumentResult):
1122         (JSC::B3::testPatchpointWithAnyResult):
1123         (JSC::B3::testSimpleCheck):
1124         (JSC::B3::testCheckLessThan):
1125         (JSC::B3::testCheckMegaCombo):
1126         (JSC::B3::testCheckAddImm):
1127         (JSC::B3::testCheckAddImmCommute):
1128         (JSC::B3::testCheckAddImmSomeRegister):
1129         (JSC::B3::testCheckAdd):
1130         (JSC::B3::testCheckAdd64):
1131         (JSC::B3::testCheckSubImm):
1132         (JSC::B3::testCheckSubBadImm):
1133         (JSC::B3::testCheckSub):
1134         (JSC::B3::testCheckSub64):
1135         (JSC::B3::testCheckNeg):
1136         (JSC::B3::testCheckNeg64):
1137         (JSC::B3::testCheckMul):
1138         (JSC::B3::testCheckMulMemory):
1139         (JSC::B3::testCheckMul2):
1140         (JSC::B3::testCheckMul64):
1141         (JSC::B3::genericTestCompare):
1142         * ftl/FTLExceptionHandlerManager.cpp:
1143         * ftl/FTLExceptionHandlerManager.h:
1144         * ftl/FTLJSCall.cpp:
1145         * ftl/FTLJSCall.h:
1146         * ftl/FTLJSCallBase.cpp:
1147         (JSC::FTL::JSCallBase::emit):
1148         * ftl/FTLJSCallBase.h:
1149         * ftl/FTLJSCallVarargs.cpp:
1150         * ftl/FTLJSCallVarargs.h:
1151         * ftl/FTLJSTailCall.cpp:
1152         (JSC::FTL::DFG::getRegisterWithAddend):
1153         (JSC::FTL::JSTailCall::emit):
1154         (JSC::FTL::JSTailCall::JSTailCall): Deleted.
1155         * ftl/FTLJSTailCall.h:
1156         (JSC::FTL::JSTailCall::stackmapID):
1157         (JSC::FTL::JSTailCall::estimatedSize):
1158         (JSC::FTL::JSTailCall::operator<):
1159         (JSC::FTL::JSTailCall::patchpoint): Deleted.
1160         * ftl/FTLLowerDFGToLLVM.cpp:
1161         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
1162         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
1163         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
1164         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1165         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
1166         (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException):
1167         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
1168         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
1169         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
1170         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
1171         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
1172         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
1173         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
1174         * ftl/FTLOSRExit.cpp:
1175         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
1176         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
1177         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
1178         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
1179         (JSC::FTL::OSRExit::OSRExit):
1180         (JSC::FTL::OSRExit::codeLocationForRepatch):
1181         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot):
1182         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck):
1183         (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath):
1184         * ftl/FTLOSRExit.h:
1185         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl):
1186         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
1187         * ftl/FTLOSRExitCompiler.cpp:
1188         (JSC::FTL::compileStub):
1189         (JSC::FTL::compileFTLOSRExit):
1190         * ftl/FTLState.h:
1191
1192 2015-12-07  Saam barati  <sbarati@apple.com>
1193
1194         Rename Watchdog::didFire to Watchdog::shouldTerminate because that's what didFire really meant
1195         https://bugs.webkit.org/show_bug.cgi?id=151944
1196
1197         Reviewed by Mark Lam.
1198
1199         * interpreter/Interpreter.cpp:
1200         (JSC::Interpreter::execute):
1201         * runtime/VMInlines.h:
1202         (JSC::VM::shouldTriggerTermination):
1203         * runtime/Watchdog.cpp:
1204         (JSC::Watchdog::terminateSoon):
1205         (JSC::Watchdog::shouldTerminateSlow):
1206         (JSC::Watchdog::didFireSlow): Deleted.
1207         * runtime/Watchdog.h:
1208         (JSC::Watchdog::shouldTerminate):
1209         (JSC::Watchdog::didFire): Deleted.
1210
1211 2015-12-07  Mark Lam  <mark.lam@apple.com>
1212
1213         Rename JITBitwiseBinaryOpGenerator to JITBitBinaryOpGenerator.
1214         https://bugs.webkit.org/show_bug.cgi?id=151945
1215
1216         Reviewed by Saam Barati.
1217
1218         The lshift operator also need to inherit from JITBitBinaryOpGenerator.  Calling
1219         it "BitBinaryOp" makes more sense than "BitwiseBinaryOp" in that case, and still
1220         makes sense for the bitand, bitor, and bitxor operators.
1221
1222         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1223         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1224         * JavaScriptCore.xcodeproj/project.pbxproj:
1225         * jit/JIT.h:
1226         * jit/JITArithmetic.cpp:
1227         (JSC::JIT::emitBitBinaryOpFastPath):
1228         (JSC::JIT::emit_op_bitand):
1229         (JSC::JIT::emitSlow_op_bitand):
1230         (JSC::JIT::emit_op_bitor):
1231         (JSC::JIT::emitSlow_op_bitor):
1232         (JSC::JIT::emit_op_bitxor):
1233         (JSC::JIT::emitSlow_op_bitxor):
1234         (JSC::JIT::emitBitwiseBinaryOpFastPath): Deleted.
1235         * jit/JITBitAndGenerator.h:
1236         (JSC::JITBitAndGenerator::JITBitAndGenerator):
1237         * jit/JITBitBinaryOpGenerator.h: Copied from Source/JavaScriptCore/jit/JITBitwiseBinaryOpGenerator.h.
1238         (JSC::JITBitBinaryOpGenerator::JITBitBinaryOpGenerator):
1239         (JSC::JITBitwiseBinaryOpGenerator::JITBitwiseBinaryOpGenerator): Deleted.
1240         * jit/JITBitOrGenerator.h:
1241         (JSC::JITBitOrGenerator::JITBitOrGenerator):
1242         * jit/JITBitXorGenerator.h:
1243         (JSC::JITBitXorGenerator::JITBitXorGenerator):
1244         * jit/JITBitwiseBinaryOpGenerator.h: Removed.
1245
1246 2015-12-07  Csaba Osztrogonác  <ossy@webkit.org>
1247
1248         [B3] Typo fix after r193386 to fix the build
1249         https://bugs.webkit.org/show_bug.cgi?id=151860
1250
1251         Reviewed by Filip Pizlo.
1252
1253         * b3/B3StackmapSpecial.cpp:
1254         (JSC::B3::StackmapSpecial::isArgValidForValue):
1255
1256 2015-12-07  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
1257
1258         [EFL] Implement scheduleTimer and cancelTimer in IncrementalSweeper class
1259         https://bugs.webkit.org/show_bug.cgi?id=151656
1260
1261         Reviewed by Csaba Osztrogonác.
1262
1263         Support IncremntalSweeper using Ecore_Timer.
1264
1265         * heap/IncrementalSweeper.cpp:
1266         (JSC::IncrementalSweeper::IncrementalSweeper):
1267         (JSC::IncrementalSweeper::scheduleTimer):
1268         (JSC::IncrementalSweeper::cancelTimer):
1269         * heap/IncrementalSweeper.h:
1270
1271 2015-12-06  Andy VanWagoner  <thetalecrafter@gmail.com>
1272
1273         [INTL] Implement String.prototype.toLocaleLowerCase in ECMA-402
1274         https://bugs.webkit.org/show_bug.cgi?id=147608
1275
1276         Reviewed by Benjamin Poulain.
1277
1278         Add toLocaleLowerCase using icu u_strToLower.
1279
1280         * runtime/IntlObject.cpp:
1281         (JSC::defaultLocale): Expose.
1282         (JSC::bestAvailableLocale): Expose.
1283         (JSC::removeUnicodeLocaleExtension): Expose.
1284         * runtime/IntlObject.h:
1285         * runtime/StringPrototype.cpp:
1286         (JSC::StringPrototype::finishCreation):
1287         (JSC::stringProtoFuncToLocaleLowerCase): Add.
1288
1289 2015-12-06  David Kilzer  <ddkilzer@apple.com>
1290
1291         REGRESSION(r193584): Causes heap use-after-free crashes in Web Inspector tests with AddressSanitizer (Requested by ddkilzer on #webkit).
1292         https://bugs.webkit.org/show_bug.cgi?id=151929
1293
1294         Reverted changeset:
1295
1296         "[ES6] "super" and "this" should be lexically bound inside an
1297         arrow function and should live in a JSLexicalEnvironment"
1298         https://bugs.webkit.org/show_bug.cgi?id=149338
1299         http://trac.webkit.org/changeset/193584
1300
1301 2015-12-06  Skachkov Oleksandr  <gskachkov@gmail.com>
1302
1303         [es6] Arrow function syntax. Fix tests after 149338 landing
1304         https://bugs.webkit.org/show_bug.cgi?id=151927
1305
1306         Reviewed by Saam Barati.
1307
1308         After landing patch for 149338 errors appear in for ES6 Generator. Current fix is removed assert 
1309         that was removed by patch with implemenation of ES6 Generator.
1310  
1311         * runtime/CommonSlowPaths.cpp:
1312
1313 2015-12-05 Aleksandr Skachkov   <gskachkov@gmail.com>
1314
1315         [ES6] "super" and "this" should be lexically bound inside an arrow function and should live in a JSLexicalEnvironment
1316         https://bugs.webkit.org/show_bug.cgi?id=149338
1317
1318         Reviewed by Saam Barati.
1319
1320         Implemented new version of the lexically bound 'this' in arrow function. In current version 
1321         'this' is stored inside of the lexical environment of the function. To store and load we use
1322         op_get_from_scope and op_put_to_scope operations. Also new implementation prevent raising TDZ
1323         error for arrow functions that are declared before super() but invoke after.
1324
1325         * builtins/BuiltinExecutables.cpp:
1326         (JSC::createExecutableInternal):
1327         * bytecode/BytecodeList.json:
1328         * bytecode/BytecodeUseDef.h:
1329         * bytecode/CodeBlock.cpp:
1330         (JSC::CodeBlock::dumpBytecode):
1331         * bytecode/EvalCodeCache.h:
1332         (JSC::EvalCodeCache::getSlow):
1333         * bytecode/ExecutableInfo.h:
1334         (JSC::ExecutableInfo::ExecutableInfo):
1335         (JSC::ExecutableInfo::isDerivedConstructorContext):
1336         (JSC::ExecutableInfo::isArrowFunctionContext):
1337         * bytecode/UnlinkedCodeBlock.cpp:
1338         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1339         * bytecode/UnlinkedCodeBlock.h:
1340         (JSC::UnlinkedCodeBlock::isArrowFunction):
1341         (JSC::UnlinkedCodeBlock::isDerivedConstructorContext):
1342         (JSC::UnlinkedCodeBlock::isArrowFunctionContext):
1343         * bytecode/UnlinkedFunctionExecutable.cpp:
1344         (JSC::generateUnlinkedFunctionCodeBlock):
1345         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1346         * bytecode/UnlinkedFunctionExecutable.h:
1347         * bytecompiler/BytecodeGenerator.cpp:
1348         (JSC::BytecodeGenerator::BytecodeGenerator):
1349         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1350         (JSC::BytecodeGenerator::variable):
1351         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
1352         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1353         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
1354         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1355         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1356         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1357         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1358         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1359         * bytecompiler/BytecodeGenerator.h:
1360         (JSC::BytecodeGenerator::isDerivedConstructorContext):
1361         (JSC::BytecodeGenerator::usesArrowFunction):
1362         (JSC::BytecodeGenerator::needsToUpdateArrowFunctionContext):
1363         (JSC::BytecodeGenerator::usesEval):
1364         (JSC::BytecodeGenerator::usesThis):
1365         (JSC::BytecodeGenerator::newTarget):
1366         (JSC::BytecodeGenerator::makeFunction):
1367         * bytecompiler/NodesCodegen.cpp:
1368         (JSC::ThisNode::emitBytecode):
1369         (JSC::SuperNode::emitBytecode):
1370         (JSC::EvalFunctionCallNode::emitBytecode):
1371         (JSC::FunctionCallValueNode::emitBytecode):
1372         (JSC::FunctionNode::emitBytecode):
1373         * debugger/DebuggerCallFrame.cpp:
1374         (JSC::DebuggerCallFrame::evaluate):
1375         * dfg/DFGAbstractInterpreterInlines.h:
1376         * dfg/DFGByteCodeParser.cpp:
1377         (JSC::DFG::ByteCodeParser::parseBlock):
1378         * dfg/DFGCapabilities.cpp:
1379         * dfg/DFGClobberize.h:
1380         * dfg/DFGDoesGC.cpp:
1381         * dfg/DFGFixupPhase.cpp:
1382         * dfg/DFGNodeType.h:
1383         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1384         * dfg/DFGPredictionPropagationPhase.cpp:
1385         * dfg/DFGPromotedHeapLocation.cpp:
1386         * dfg/DFGPromotedHeapLocation.h:
1387         * dfg/DFGSafeToExecute.h:
1388         * dfg/DFGSpeculativeJIT.cpp:
1389         * dfg/DFGSpeculativeJIT.h:
1390         * dfg/DFGSpeculativeJIT32_64.cpp:
1391         * dfg/DFGSpeculativeJIT64.cpp:
1392         * ftl/FTLCapabilities.cpp:
1393         * ftl/FTLLowerDFGToLLVM.cpp:
1394         * ftl/FTLOperations.cpp:
1395         (JSC::FTL::operationMaterializeObjectInOSR):
1396         * interpreter/Interpreter.cpp:
1397         (JSC::eval):
1398         * jit/JIT.cpp:
1399         * jit/JIT.h:
1400         * jit/JITOpcodes.cpp:
1401         (JSC::JIT::emitNewFuncExprCommon):
1402         * jit/JITOpcodes32_64.cpp:
1403         * llint/LLIntSlowPaths.cpp:
1404         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1405         * llint/LowLevelInterpreter.asm:
1406         * llint/LowLevelInterpreter32_64.asm:
1407         * llint/LowLevelInterpreter64.asm:
1408         * parser/ASTBuilder.h:
1409         (JSC::ASTBuilder::createArrowFunctionExpr):
1410         (JSC::ASTBuilder::usesArrowFunction):
1411         * parser/Nodes.h:
1412         (JSC::ScopeNode::usesArrowFunction):
1413         * parser/Parser.cpp:
1414         (JSC::Parser<LexerType>::parseFunctionInfo):
1415         * parser/ParserModes.h:
1416         * runtime/CodeCache.cpp:
1417         (JSC::CodeCache::getGlobalCodeBlock):
1418         (JSC::CodeCache::getProgramCodeBlock):
1419         (JSC::CodeCache::getEvalCodeBlock):
1420         (JSC::CodeCache::getModuleProgramCodeBlock):
1421         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1422         * runtime/CodeCache.h:
1423         * runtime/CommonIdentifiers.h:
1424         * runtime/CommonSlowPaths.cpp:
1425         (JSC::SLOW_PATH_DECL):
1426         * runtime/Executable.cpp:
1427         (JSC::ScriptExecutable::ScriptExecutable):
1428         (JSC::EvalExecutable::create):
1429         (JSC::EvalExecutable::EvalExecutable):
1430         (JSC::ProgramExecutable::ProgramExecutable):
1431         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
1432         (JSC::FunctionExecutable::FunctionExecutable):
1433         * runtime/Executable.h:
1434         (JSC::ScriptExecutable::isArrowFunctionContext):
1435         (JSC::ScriptExecutable::isDerivedConstructorContext):
1436         * runtime/JSGlobalObject.cpp:
1437         (JSC::JSGlobalObject::createEvalCodeBlock):
1438         * runtime/JSGlobalObject.h:
1439         * runtime/JSGlobalObjectFunctions.cpp:
1440         (JSC::globalFuncEval):
1441         * tests/es6.yaml:
1442         * tests/stress/arrowfunction-activation-sink-osrexit.js:
1443         * tests/stress/arrowfunction-activation-sink.js:
1444         * tests/stress/arrowfunction-lexical-bind-newtarget.js: Added.
1445         * tests/stress/arrowfunction-lexical-bind-supercall-1.js: Added.
1446         * tests/stress/arrowfunction-lexical-bind-supercall-2.js: Added.
1447         * tests/stress/arrowfunction-lexical-bind-supercall-3.js: Added.
1448         * tests/stress/arrowfunction-lexical-bind-supercall-4.js: Added.
1449         * tests/stress/arrowfunction-lexical-bind-this-1.js:
1450         * tests/stress/arrowfunction-lexical-bind-this-7.js: Added.
1451         * tests/stress/arrowfunction-tdz-1.js: Added.
1452         * tests/stress/arrowfunction-tdz-2.js: Added.
1453         * tests/stress/arrowfunction-tdz-3.js: Added.
1454         * tests/stress/arrowfunction-tdz-4.js: Added.
1455         * tests/stress/arrowfunction-tdz.js: Removed.
1456
1457 2015-12-05  Benjamin Poulain  <bpoulain@apple.com>
1458
1459         [JSC] Remove FTLOutput's fence support
1460         https://bugs.webkit.org/show_bug.cgi?id=151909
1461
1462         Reviewed by Sam Weinig.
1463
1464         Unused code is unused.
1465
1466         * ftl/FTLB3Output.h:
1467         (JSC::FTL::Output::fence): Deleted.
1468         (JSC::FTL::Output::fenceAcqRel): Deleted.
1469         * ftl/FTLOutput.h:
1470         (JSC::FTL::Output::fence): Deleted.
1471         (JSC::FTL::Output::fenceAcqRel): Deleted.
1472
1473 2015-12-04  Benjamin Poulain  <bpoulain@apple.com>
1474
1475         [JSC] Some more cleanup of FTLB3Output
1476         https://bugs.webkit.org/show_bug.cgi?id=151834
1477
1478         Reviewed by Filip Pizlo.
1479
1480         * ftl/FTLB3Output.h:
1481         (JSC::FTL::Output::trap):
1482         (JSC::FTL::Output::stackmapIntrinsic): Deleted.
1483         (JSC::FTL::Output::frameAddressIntrinsic): Deleted.
1484         (JSC::FTL::Output::patchpointInt64Intrinsic): Deleted.
1485         (JSC::FTL::Output::patchpointVoidIntrinsic): Deleted.
1486         * ftl/FTLLowerDFGToLLVM.cpp:
1487         (JSC::FTL::DFG::LowerDFGToLLVM::probe):
1488
1489 2015-12-04  Benjamin Poulain  <bpoulain@apple.com>
1490
1491         [JSC] Fix Value::returnsBool() after r193436
1492         https://bugs.webkit.org/show_bug.cgi?id=151902
1493
1494         Reviewed by Saam Barati.
1495
1496         I forgot to carry a test from Branch and Select :(
1497
1498         * b3/B3Value.cpp:
1499         (JSC::B3::Value::returnsBool):
1500
1501 2015-12-04  Andy VanWagoner  <thetalecrafter@gmail.com>
1502
1503         [INTL] Implement Number.prototype.toLocaleString in ECMA-402
1504         https://bugs.webkit.org/show_bug.cgi?id=147610
1505
1506         Reviewed by Benjamin Poulain.
1507
1508         Add toLocaleString in builtin JavaScript that delegates formatting to Intl.NumberFormat.
1509         Keep exisiting native implementation for use if INTL flag is disabled.
1510
1511         * CMakeLists.txt: Add NumberPrototype.js.
1512         * DerivedSources.make: Add NumberPrototype.js.
1513         * JavaScriptCore.xcodeproj/project.pbxproj:
1514         * builtins/NumberPrototype.js: Added.
1515         (toLocaleString):
1516         * runtime/CommonIdentifiers.h: Add private names for Intl constructors.
1517         * runtime/JSGlobalObject.cpp:
1518         (JSC::JSGlobalObject::init): Expose Intl constructors to builtin js.
1519         * runtime/NumberPrototype.cpp:
1520         (JSC::NumberPrototype::finishCreation): Replace toLocaleString implementation.
1521
1522 2015-12-04  Michael Saboff  <msaboff@apple.com>
1523
1524         CRASH: CodeBlock::setOptimizationThresholdBasedOnCompilationResult + 567
1525         https://bugs.webkit.org/show_bug.cgi?id=151892
1526
1527         Reviewed by Mark Lam.
1528
1529         When the debugger is in the process of attaching and it recompiles functions
1530         for debugging, there can also be a DFG compilation running concurrently.
1531         When we go to update the optimization threshold and find that the replacement
1532         is also baseline code, we shouldn't update the threshold.
1533
1534         * bytecode/CodeBlock.cpp:
1535         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
1536
1537 2015-12-04  Jonathan Davis  <jond@apple.com>
1538
1539         Update feature status for up-to-date status information.
1540         https://bugs.webkit.org/show_bug.cgi?id=151821
1541
1542         Reviewed by Timothy Hatcher.
1543
1544         * features.json:
1545
1546 2015-12-04  Saam barati  <sbarati@apple.com>
1547
1548         OSR exits that are exception handlers should emit less code eagerly in the thunk generator, and instead, should defer as much code generation as possible to be lazily generated in the exit itself
1549         https://bugs.webkit.org/show_bug.cgi?id=151406
1550
1551         Reviewed by Filip Pizlo.
1552
1553         We no longer emit any extra code eagerly for an OSRExit that
1554         is an exception handler. We emit all code lazily in the exit
1555         itself. This has one interesting consequence which is that the
1556         actual C call to compile the exit goes through an OSR exit generation
1557         thunk that must now be aware of resetting the call frame and the stack
1558         pointer to their proper values before making the compileOSRExit C
1559         call. This has one interesting consequence in the FTL because the
1560         FTL will do a pushToSaveImmediateWithoutTouchingRegisters with the
1561         OSR exit index. We must take care to preserve this exit index when
1562         we reset the stack pointer by re-pushing it onto the stack.
1563
1564         * bytecode/CodeBlock.h:
1565         (JSC::CodeBlock::setJITCode):
1566         (JSC::CodeBlock::jitCode):
1567         (JSC::CodeBlock::jitCodeOffset):
1568         (JSC::CodeBlock::jitType):
1569         * dfg/DFGCommonData.h:
1570         (JSC::DFG::CommonData::frameRegisterCountOffset):
1571         * dfg/DFGJITCode.h:
1572         (JSC::DFG::JITCode::setOSREntryBlock):
1573         (JSC::DFG::JITCode::clearOSREntryBlock):
1574         (JSC::DFG::JITCode::commonDataOffset):
1575         * dfg/DFGJITCompiler.cpp:
1576         (JSC::DFG::JITCompiler::linkOSRExits):
1577         * dfg/DFGOSRExitCompiler.cpp:
1578         * dfg/DFGOSRExitCompilerCommon.h:
1579         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
1580         * dfg/DFGThunks.cpp:
1581         (JSC::DFG::osrExitGenerationThunkGenerator):
1582         * ftl/FTLCompile.cpp:
1583         (JSC::FTL::mmAllocateDataSection):
1584         * ftl/FTLExitThunkGenerator.cpp:
1585         (JSC::FTL::ExitThunkGenerator::~ExitThunkGenerator):
1586         (JSC::FTL::ExitThunkGenerator::emitThunk):
1587         (JSC::FTL::ExitThunkGenerator::emitThunks):
1588         * ftl/FTLExitThunkGenerator.h:
1589         (JSC::FTL::ExitThunkGenerator::didThings):
1590         * ftl/FTLJITCode.h:
1591         (JSC::FTL::JITCode::commonDataOffset):
1592         * ftl/FTLOSRExitCompiler.cpp:
1593         (JSC::FTL::compileStub):
1594         (JSC::FTL::compileFTLOSRExit):
1595         * ftl/FTLThunks.cpp:
1596         (JSC::FTL::genericGenerationThunkGenerator):
1597         (JSC::FTL::osrExitGenerationThunkGenerator):
1598         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
1599         (JSC::FTL::registerClobberCheck):
1600
1601 2015-12-04  Filip Pizlo  <fpizlo@apple.com>
1602
1603         Having a bad time has a really awful time when it runs at the same time as the JIT
1604         https://bugs.webkit.org/show_bug.cgi?id=151882
1605         rdar://problem/23547038
1606
1607         Unreviewed, really adding the test this time.
1608
1609         * tests/stress/ftl-has-a-bad-time.js: Added.
1610         (foo):
1611
1612 2015-12-04  Mark Lam  <mark.lam@apple.com>
1613
1614         Snippefy bitwise operators for the baseline JIT.
1615         https://bugs.webkit.org/show_bug.cgi?id=151680
1616
1617         Reviewed by Geoffrey Garen.
1618
1619         This patch has passed the JSC tests on x86 and x86_64.  It has also passed the
1620         layout tests on x86_64.
1621
1622         With the DFG enabled, perf is neutral on x86_64 and x86.
1623         With the DFG disabled on x86_64, some AsmBench tests are showing progressions e.g.
1624             gcc-loops.cpp           1.0269x faster
1625             stepanov_container.cpp  1.0180x faster
1626
1627         With the DFG disabled on x86, perf is neutral.
1628
1629         * CMakeLists.txt:
1630         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1631         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1632         * JavaScriptCore.xcodeproj/project.pbxproj:
1633
1634         * jit/AssemblyHelpers.h:
1635         (JSC::AssemblyHelpers::moveValueRegs):
1636         (JSC::AssemblyHelpers::branchIfNotInt32):
1637         * jit/JIT.h:
1638         * jit/JITArithmetic.cpp:
1639         (JSC::JIT::emitBitwiseBinaryOpFastPath):
1640         - Template for the bitwise operations.
1641         (JSC::JIT::emit_op_bitand):
1642         (JSC::JIT::emit_op_bitor):
1643         (JSC::JIT::emit_op_bitxor):
1644         - Specializes emitBitwiseBinaryOpFastPath() with the respective snippet generators.
1645         (JSC::JIT::emitSlow_op_bitand):
1646         (JSC::JIT::emitSlow_op_bitor):
1647         (JSC::JIT::emitSlow_op_bitxor):
1648         - Implement respective slow paths.
1649
1650         * jit/JITArithmetic32_64.cpp:
1651         (JSC::JIT::emit_op_bitand): Deleted.
1652         (JSC::JIT::emitSlow_op_bitand): Deleted.
1653         (JSC::JIT::emit_op_bitor): Deleted.
1654         (JSC::JIT::emitSlow_op_bitor): Deleted.
1655         (JSC::JIT::emit_op_bitxor): Deleted.
1656         (JSC::JIT::emitSlow_op_bitxor): Deleted.
1657         - Now unified with the 64-bit version using snippets. 
1658
1659         * jit/JITBitAndGenerator.cpp: Added.
1660         (JSC::JITBitAndGenerator::generateFastPath):
1661         * jit/JITBitAndGenerator.h: Added.
1662         (JSC::JITBitAndGenerator::JITBitAndGenerator):
1663         * jit/JITBitOrGenerator.cpp: Added.
1664         (JSC::JITBitOrGenerator::generateFastPath):
1665         * jit/JITBitOrGenerator.h: Added.
1666         (JSC::JITBitOrGenerator::JITBitOrGenerator):
1667         * jit/JITBitXorGenerator.cpp: Added.
1668         (JSC::JITBitXorGenerator::generateFastPath):
1669         * jit/JITBitXorGenerator.h: Added.
1670         (JSC::JITBitXorGenerator::JITBitXorGenerator):
1671         * jit/JITBitwiseBinaryOpGenerator.h: Added.
1672         (JSC::JITBitwiseBinaryOpGenerator::JITBitwiseBinaryOpGenerator):
1673         (JSC::JITBitwiseBinaryOpGenerator::didEmitFastPath):
1674         (JSC::JITBitwiseBinaryOpGenerator::endJumpList):
1675         (JSC::JITBitwiseBinaryOpGenerator::slowPathJumpList):
1676
1677         * jit/JITOpcodes.cpp:
1678         (JSC::JIT::emit_op_bitxor): Deleted.
1679         (JSC::JIT::emit_op_bitor): Deleted.
1680         (JSC::JIT::emitSlow_op_bitxor): Deleted.
1681         (JSC::JIT::emitSlow_op_bitor): Deleted.
1682         * jit/SnippetOperand.h:
1683         (JSC::SnippetOperand::SnippetOperand):
1684
1685         * tests/stress/op_bitand.js:
1686         * tests/stress/op_bitor.js:
1687         * tests/stress/op_bitxor.js:
1688         - Fix a test value typo: it's supposed to be 0x7fffffff, not 0x7ffffff.
1689
1690 2015-12-04  Filip Pizlo  <fpizlo@apple.com>
1691
1692         Having a bad time has a really awful time when it runs at the same time as the JIT
1693         https://bugs.webkit.org/show_bug.cgi?id=151882
1694         rdar://problem/23547038
1695
1696         Reviewed by Geoffrey Garen.
1697
1698         The DFG's use of watchpoints for havingABadTime goes back a long time. We introduced this feature
1699         when we first introduced watchpoints. That left it open to a lot of bitrot. On top of that, this
1700         code doesn't get tested much because having a bad time is not something that is really supposed to
1701         happen.
1702
1703         Well, now I've got reports that it does happen - or at least, we know that it is because of
1704         crashes in an assertion that could only be triggered if a bad time was had. In the meantime, we
1705         added two new features without adequately testing havingABadTime: concurrent JIT and FTL.
1706         Concurrency means that we have to worry about the havingABadTime watchpoint triggering during
1707         compilation. FTL means that we have new code and new optimizations that needs to deal with this
1708         feature correctly.
1709
1710         The bug can arise via race condition or just goofy profiling. As in the newly added test, we could
1711         first profile an allocation thinking that it will allocate sane arrays. Then we might have a bad
1712         time, and then compile that function with the FTL. The ByteCodeParser will represent the
1713         allocation with a NewArray node that has a sane indexingType(). But when we go to lower the Node,
1714         we observe that the Structure* that the JSGlobalObject tells us to use has a different indexing
1715         type. This is a feature of havingABadTime that the DFG knew about, but the FTL didn't. The FTL
1716         didn't know about it because we didn't have adequate tests, and this code rarely gets triggered in
1717         the wild. So, the FTL had a silly assertion that the indexing types match. They absolutely don't
1718         have to match.
1719
1720         There is another bug, a race condition, that remains even if we remove the bad assertion. We set
1721         the havingABadTime watchpoint late in compilation, and we do it based on whether the watchpoint is
1722         still OK. This means that we could parse a function before we have a bad time and then do
1723         optimizations (for example in AbstractInterpreter) like proving that the structure set associated
1724         with the value returned by the NewArray is the one with a sane indexing type. Then, after those
1725         optimizations have already been done, we will go to set the watchpoint. But just as we are doing
1726         this, we could haveABadTime on the main thread. Currently this sort of almost works because
1727         having a bad time requires doing a GC, and we can't GC until the watchpoint collection phase. But
1728         that feels too fragile. So, this phase moves the setting of the watchpoint to the FixupPhase. This
1729         is consistent with our long-term goal of removing the WatchpointCollectionPhase. Moving this to
1730         FixupPhase means that we set the watchpoint before doing any optimizations. So, if having a bad
1731         time happens before the FixupPhase then all optimizations will agree that we're having a bad time
1732         and so everything is fine; if we have a bad time after FixupPhase then we will cancel the
1733         compilation anyway.
1734
1735         * dfg/DFGByteCodeParser.cpp:
1736         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1737         * dfg/DFGFixupPhase.cpp:
1738         (JSC::DFG::FixupPhase::fixupNode):
1739         (JSC::DFG::FixupPhase::watchHavingABadTime):
1740         (JSC::DFG::FixupPhase::createToString):
1741         * dfg/DFGNode.h:
1742         (JSC::DFG::Node::hasIndexingType):
1743         (JSC::DFG::Node::indexingType):
1744         * dfg/DFGWatchpointCollectionPhase.cpp:
1745         (JSC::DFG::WatchpointCollectionPhase::handle):
1746         * ftl/FTLLowerDFGToLLVM.cpp:
1747         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArray):
1748         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayBuffer):
1749         * tests/stress/ftl-has-a-bad-time.js: Added.
1750
1751 2015-12-04  Benjamin Poulain  <bpoulain@apple.com>
1752
1753         [JSC] Use Div and ChillDiv in FTL(B3)Output
1754         https://bugs.webkit.org/show_bug.cgi?id=151844
1755
1756         Reviewed by Geoffrey Garen.
1757
1758         I copied part of the code of compileArithDiv()
1759         to create a new function FTLOutput::childDiv().
1760
1761         With childDiv() being a concept of FTLOutput,
1762         FTLB3Output was updated accordingly.
1763
1764         * ftl/FTLB3Output.h:
1765         (JSC::FTL::Output::div):
1766         (JSC::FTL::Output::chillDiv):
1767         * ftl/FTLLowerDFGToLLVM.cpp:
1768         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
1769         * ftl/FTLOutput.cpp:
1770         (JSC::FTL::Output::chillDiv):
1771         * ftl/FTLOutput.h:
1772
1773 2015-12-04  Benjamin Poulain  <bpoulain@apple.com>
1774
1775         [JSC] Extend the strength reduction of B3's BitAnd with booleans
1776         https://bugs.webkit.org/show_bug.cgi?id=151852
1777
1778         Reviewed by Saam Barati.
1779
1780         1) Masking a boolean with any pattern that has the lsb set
1781            remains a boolean.
1782         2) ReduceStrength on that particular pattern of BitAnd.
1783
1784         * b3/B3ReduceStrength.cpp:
1785         * b3/B3Value.cpp:
1786         (JSC::B3::Value::returnsBool):
1787         * b3/testb3.cpp:
1788         (JSC::B3::testBitAndWithMaskReturnsBooleans):
1789         (JSC::B3::run):
1790
1791 2015-12-04  Benjamin Poulain  <bpoulain@apple.com>
1792
1793         [JSC] Add doubleRem() to FTLB3Output
1794         https://bugs.webkit.org/show_bug.cgi?id=151851
1795
1796         Reviewed by Geoffrey Garen.
1797
1798         * ftl/FTLB3Output.h:
1799         (JSC::FTL::Output::doubleRem):
1800
1801 2015-12-04  Benjamin Poulain  <bpoulain@apple.com>
1802
1803         [JSC] Add signExt() to FTLB3Output
1804         https://bugs.webkit.org/show_bug.cgi?id=151853
1805
1806         Reviewed by Geoffrey Garen.
1807
1808         Rename signExt() to signExt32To64(). This is just to separate
1809         it explicitly from the remaining signExt() used inside FTLOutput.
1810
1811         Then use the SExt32 for implementing that in B3.
1812
1813         * ftl/FTLB3Output.h:
1814         (JSC::FTL::Output::signExt32To64):
1815         (JSC::FTL::Output::signExt): Deleted.
1816         * ftl/FTLLowerDFGToLLVM.cpp:
1817         (JSC::FTL::DFG::LowerDFGToLLVM::compileInt52Rep):
1818         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetDirectPname):
1819         (JSC::FTL::DFG::LowerDFGToLLVM::strictInt52ToInt32):
1820         (JSC::FTL::DFG::LowerDFGToLLVM::strictInt52ToJSValue):
1821         (JSC::FTL::DFG::LowerDFGToLLVM::jsValueToStrictInt52):
1822         * ftl/FTLOutput.h:
1823         (JSC::FTL::Output::signExt32To64):
1824         (JSC::FTL::Output::signExt):
1825
1826 2015-12-04  Joseph Pecoraro  <pecoraro@apple.com>
1827
1828         Web Inspector: Unskip many inspector/debugger tests
1829         https://bugs.webkit.org/show_bug.cgi?id=151843
1830
1831         Reviewed by Timothy Hatcher.
1832
1833         * bindings/ScriptFunctionCall.cpp:
1834         (Deprecated::ScriptFunctionCall::call):
1835         Ignore TerminationExceptions, as those aren't real execution
1836         exceptions and may be seen on Workers that have closed.
1837
1838 2015-12-04  Joseph Pecoraro  <pecoraro@apple.com>
1839
1840         Web Inspector: Remove untested and unused Worker inspection
1841         https://bugs.webkit.org/show_bug.cgi?id=151848
1842
1843         Reviewed by Brian Burg.
1844
1845         * CMakeLists.txt:
1846         * DerivedSources.make:
1847         * debugger/Debugger.cpp:
1848         (JSC::Debugger::Debugger):
1849         (JSC::Debugger::willExecuteProgram):
1850         * debugger/Debugger.h:
1851         * inspector/JSGlobalObjectScriptDebugServer.cpp:
1852         (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
1853         * inspector/ScriptDebugServer.cpp:
1854         (Inspector::ScriptDebugServer::ScriptDebugServer):
1855         * inspector/ScriptDebugServer.h:
1856         * inspector/agents/InspectorConsoleAgent.h:
1857         * inspector/agents/InspectorRuntimeAgent.cpp:
1858         (Inspector::InspectorRuntimeAgent::run): Deleted.
1859         * inspector/agents/InspectorRuntimeAgent.h:
1860         * inspector/agents/JSGlobalObjectConsoleAgent.h:
1861         * inspector/protocol/Runtime.json:
1862         * inspector/protocol/Worker.json: Removed.
1863
1864 2015-12-04  Joseph Pecoraro  <pecoraro@apple.com>
1865
1866         Web Inspector: Specifically Identify the Global Lexical Environment Scope
1867         https://bugs.webkit.org/show_bug.cgi?id=151828
1868
1869         Reviewed by Brian Burg.
1870
1871         * inspector/InjectedScriptSource.js:
1872         Include the new scope type.
1873
1874         * inspector/JSJavaScriptCallFrame.h:
1875         * inspector/JSJavaScriptCallFrame.cpp:
1876         (Inspector::JSJavaScriptCallFrame::scopeType):
1877         Set the new value for the new scope type.
1878
1879         * inspector/JSJavaScriptCallFramePrototype.cpp:
1880         (Inspector::JSJavaScriptCallFramePrototype::finishCreation): Deleted.
1881         (Inspector::jsJavaScriptCallFrameConstantGLOBAL_SCOPE): Deleted.
1882         (Inspector::jsJavaScriptCallFrameConstantLOCAL_SCOPE): Deleted.
1883         (Inspector::jsJavaScriptCallFrameConstantWITH_SCOPE): Deleted.
1884         (Inspector::jsJavaScriptCallFrameConstantCLOSURE_SCOPE): Deleted.
1885         (Inspector::jsJavaScriptCallFrameConstantCATCH_SCOPE): Deleted.
1886         (Inspector::jsJavaScriptCallFrameConstantFUNCTION_NAME_SCOPE): Deleted.
1887         Remove unused constants on the JavaScriptCallFrame object.
1888         Currently they are just hardcoded in InjectedScriptSource
1889         and they don't make sense on instances anyways.
1890
1891 2015-12-04  Keith Miller  <keith_miller@apple.com>
1892
1893         Add an option to emit instructions validating exceptions in the DFG rather than always emiting them.
1894         https://bugs.webkit.org/show_bug.cgi?id=151841
1895
1896         Reviewed by Saam Barati.
1897
1898         Add a new option that validates the DFG execption checking. The default value for the option is
1899         true in Debug builds and false in Release builds. Additionally, renamed jitAssertNoException to
1900         jitReleaseAssertNoException for consistency with our ASSERT naming convention.
1901
1902         * dfg/DFGSpeculativeJIT.cpp:
1903         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1904         * jit/AssemblyHelpers.cpp:
1905         (JSC::AssemblyHelpers::jitReleaseAssertNoException):
1906         (JSC::AssemblyHelpers::jitAssertNoException): Deleted.
1907         * jit/AssemblyHelpers.h:
1908         (JSC::AssemblyHelpers::jitAssertNoException): Deleted.
1909         * runtime/Options.cpp:
1910         (JSC::recomputeDependentOptions):
1911         * runtime/Options.h:
1912
1913 2015-12-04  Csaba Osztrogonác  <ossy@webkit.org>
1914
1915         Fix the !ENABLE(DFG_JIT) build after r190735
1916         https://bugs.webkit.org/show_bug.cgi?id=151617
1917
1918         Reviewed by Filip Pizlo.
1919
1920         * jit/GCAwareJITStubRoutine.cpp:
1921         (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount):
1922
1923 2015-12-04  Csaba Osztrogonác  <ossy@webkit.org>
1924
1925         [cmake] Fix the B3 build after r192946
1926         https://bugs.webkit.org/show_bug.cgi?id=151857
1927
1928         Reviewed by Michael Saboff.
1929
1930         * CMakeLists.txt:
1931
1932 2015-12-04  Csaba Osztrogonác  <ossy@webkit.org>
1933
1934         [AArch64] Typo fix after r189575
1935         https://bugs.webkit.org/show_bug.cgi?id=151855
1936
1937         Reviewed by Michael Saboff.
1938
1939         * ftl/FTLUnwindInfo.cpp:
1940         (JSC::FTL::parseUnwindInfo):
1941
1942 2015-12-03  Filip Pizlo  <fpizlo@apple.com>
1943
1944         B3 Patchpoint and Check opcodes should be able to specify WarmAny, ColdAny, and LateColdAny
1945         https://bugs.webkit.org/show_bug.cgi?id=151335
1946
1947         Reviewed by Geoffrey Garen.
1948
1949         This removes ValueRep::Any and replaces it with ValueRep::WarmAny, ValueRep::ColdAny, and
1950         ValueRep::LateColdAny. I think that conceptually the most obvious users of patchpoints are inline
1951         caches, which would use WarmAny for their non-OSR inputs. For this reason, I make WarmAny the
1952         default.
1953
1954         However, the StackmapValue optimization that provides a default ValueRep for any that are missing
1955         was meant for OSR. So, this optimization now uses ColdAny.
1956
1957         This patch wires this change through the whole compiler and adds some tests.
1958
1959         * b3/B3CheckSpecial.cpp:
1960         (JSC::B3::CheckSpecial::Key::Key):
1961         (JSC::B3::CheckSpecial::Key::dump):
1962         (JSC::B3::CheckSpecial::CheckSpecial):
1963         * b3/B3CheckSpecial.h:
1964         (JSC::B3::CheckSpecial::Key::Key):
1965         (JSC::B3::CheckSpecial::Key::opcode):
1966         (JSC::B3::CheckSpecial::Key::numArgs):
1967         (JSC::B3::CheckSpecial::Key::stackmapRole):
1968         * b3/B3CheckValue.cpp:
1969         (JSC::B3::CheckValue::CheckValue):
1970         * b3/B3ConstrainedValue.h:
1971         (JSC::B3::ConstrainedValue::ConstrainedValue):
1972         * b3/B3LowerToAir.cpp:
1973         (JSC::B3::Air::LowerToAir::fillStackmap):
1974         (JSC::B3::Air::LowerToAir::lower):
1975         * b3/B3MoveConstants.cpp:
1976         * b3/B3PatchpointSpecial.cpp:
1977         (JSC::B3::PatchpointSpecial::forEachArg):
1978         (JSC::B3::PatchpointSpecial::isValid):
1979         (JSC::B3::PatchpointSpecial::admitsStack):
1980         * b3/B3PatchpointValue.cpp:
1981         (JSC::B3::PatchpointValue::PatchpointValue):
1982         * b3/B3PatchpointValue.h:
1983         * b3/B3StackmapSpecial.cpp:
1984         (JSC::B3::StackmapSpecial::forEachArgImpl):
1985         (JSC::B3::StackmapSpecial::admitsStackImpl):
1986         (JSC::B3::StackmapSpecial::isArgValidForRep):
1987         (WTF::printInternal):
1988         * b3/B3StackmapSpecial.h:
1989         * b3/B3StackmapValue.cpp:
1990         (JSC::B3::StackmapValue::append):
1991         (JSC::B3::StackmapValue::setConstraint):
1992         * b3/B3StackmapValue.h:
1993         * b3/B3Validate.cpp:
1994         * b3/B3ValueRep.cpp:
1995         (JSC::B3::ValueRep::dump):
1996         (WTF::printInternal):
1997         * b3/B3ValueRep.h:
1998         (JSC::B3::ValueRep::ValueRep):
1999         (JSC::B3::ValueRep::reg):
2000         (JSC::B3::ValueRep::operator!=):
2001         (JSC::B3::ValueRep::operator bool):
2002         (JSC::B3::ValueRep::isAny):
2003         (JSC::B3::ValueRep::isSomeRegister):
2004         * b3/testb3.cpp:
2005         (JSC::B3::compileAndRun):
2006         (JSC::B3::add32):
2007         (JSC::B3::test42):
2008         (JSC::B3::testSimplePatchpoint):
2009         (JSC::B3::testPatchpointWithEarlyClobber):
2010         (JSC::B3::testPatchpointFixedRegister):
2011         (JSC::B3::testPatchpointAny):
2012         (JSC::B3::testPatchpointLotsOfLateAnys):
2013         (JSC::B3::testPatchpointAnyImm):
2014         (JSC::B3::testPatchpointManyImms):
2015         (JSC::B3::testPatchpointWithRegisterResult):
2016         (JSC::B3::testPatchpointWithAnyResult):
2017         (JSC::B3::run):
2018         * ftl/FTLLowerDFGToLLVM.cpp:
2019         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
2020
2021 2015-12-03  Filip Pizlo  <fpizlo@apple.com>
2022
2023         B3 patchpoints should allow specifying output constraints
2024         https://bugs.webkit.org/show_bug.cgi?id=151809
2025
2026         Reviewed by Benjamin Poulain.
2027
2028         JS call patchpoints should put their result into the result register, while most other patchpoints
2029         should put their results into some register. I think that it's best if we just allow arbitrary
2030         constraints on the result of a patchpoint. And by "arbitrary" I mean allowing the same kinds of
2031         constraints as we allow on the stackmap children.
2032
2033         This also adds a large comment in B3StackmapValue.h that lays out the philosophy of our stackmaps
2034         and patchpoints. I found it useful to write down the plan since it's pretty subtle.
2035
2036         * b3/B3LowerToAir.cpp:
2037         (JSC::B3::Air::LowerToAir::lower):
2038         * b3/B3PatchpointSpecial.cpp:
2039         (JSC::B3::PatchpointSpecial::isValid):
2040         (JSC::B3::PatchpointSpecial::admitsStack):
2041         * b3/B3PatchpointValue.cpp:
2042         (JSC::B3::PatchpointValue::~PatchpointValue):
2043         (JSC::B3::PatchpointValue::dumpMeta):
2044         (JSC::B3::PatchpointValue::PatchpointValue):
2045         * b3/B3PatchpointValue.h:
2046         (JSC::B3::PatchpointValue::accepts):
2047         * b3/B3Procedure.h:
2048         (JSC::B3::Procedure::code):
2049         * b3/B3StackmapSpecial.cpp:
2050         (JSC::B3::StackmapSpecial::isValidImpl):
2051         (JSC::B3::StackmapSpecial::appendRepsImpl):
2052         (JSC::B3::StackmapSpecial::isArgValidForValue):
2053         (JSC::B3::StackmapSpecial::isArgValidForRep):
2054         (JSC::B3::StackmapSpecial::repForArg):
2055         * b3/B3StackmapSpecial.h:
2056         * b3/B3StackmapValue.h:
2057         * b3/B3Validate.cpp:
2058         * b3/B3ValueRep.h:
2059         (JSC::B3::ValueRep::doubleValue):
2060         * b3/testb3.cpp:
2061         (JSC::B3::testPatchpointManyImms):
2062         (JSC::B3::testPatchpointWithRegisterResult):
2063         (JSC::B3::testPatchpointWithStackArgumentResult):
2064         (JSC::B3::testPatchpointWithAnyResult):
2065         (JSC::B3::testSimpleCheck):
2066         (JSC::B3::run):
2067         * jit/RegisterSet.h:
2068
2069 2015-12-03  Anders Carlsson  <andersca@apple.com>
2070
2071         Remove Objective-C GC support
2072         https://bugs.webkit.org/show_bug.cgi?id=151819
2073         rdar://problem/23746991
2074
2075         Reviewed by Dan Bernstein.
2076
2077         * Configurations/Base.xcconfig:
2078         * Configurations/ToolExecutable.xcconfig:
2079
2080 2015-12-03  Benjamin Poulain  <bpoulain@apple.com>
2081
2082         Attempt to fix GTK again after r193125
2083
2084         * assembler/MacroAssemblerX86Common.h:
2085         (JSC::MacroAssemblerX86Common::supportsLZCNT):
2086
2087 2015-12-03  Benjamin Poulain  <bpoulain@apple.com>
2088
2089         Attempt to fix GTK after r193125
2090
2091         * assembler/MacroAssemblerX86Common.h:
2092         (JSC::MacroAssemblerX86Common::supportsLZCNT):
2093         GCC is unable to handle EBX correctly when clobbered by inline asm.
2094
2095 2015-12-03  Saam barati  <sbarati@apple.com>
2096
2097         FTL::OSRExitDescriptor should use less memory by having a companion object that dies after compilation
2098         https://bugs.webkit.org/show_bug.cgi?id=151795
2099
2100         Reviewed by Geoffrey Garen.
2101
2102         There were a few fields on FTL::OSRExitDescriptor that are only
2103         needed during compilation. This patch introduces OSRExitDescriptorImpl 
2104         which is a struct that we create for each OSRExitDescriptor. The difference is 
2105         that OSRExitDescriptorImpl lives off of FTL::State so it dies after we compile.
2106         This way no unnecessary fields persist after the compilation.
2107
2108         * ftl/FTLCompile.cpp:
2109         (JSC::FTL::mmAllocateDataSection):
2110         * ftl/FTLExceptionHandlerManager.cpp:
2111         (JSC::FTL::ExceptionHandlerManager::lazySlowPathExceptionTarget):
2112         (JSC::FTL::ExceptionHandlerManager::getCallOSRExitCommon):
2113         * ftl/FTLLowerDFGToLLVM.cpp:
2114         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
2115         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
2116         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
2117         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2118         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
2119         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
2120         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
2121         * ftl/FTLOSRExit.cpp:
2122         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
2123         (JSC::FTL::OSRExitDescriptor::validateReferences):
2124         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
2125         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
2126         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
2127         (JSC::FTL::OSRExit::OSRExit):
2128         (JSC::FTL::OSRExit::codeLocationForRepatch):
2129         (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException):
2130         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck):
2131         (JSC::FTL::exceptionTypeWillArriveAtOSRExitFromGenericUnwind):
2132         (JSC::FTL::OSRExit::willArriveAtOSRExitFromGenericUnwind):
2133         (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation):
2134         (JSC::FTL::OSRExitDescriptor::isExceptionHandler): Deleted.
2135         * ftl/FTLOSRExit.h:
2136         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl):
2137         * ftl/FTLOSRExitCompiler.cpp:
2138         (JSC::FTL::compileFTLOSRExit):
2139         * ftl/FTLState.h:
2140
2141 2015-12-03  Alex Christensen  <achristensen@webkit.org>
2142
2143         Fix 64-bit Windows build after r193125.
2144         https://bugs.webkit.org/show_bug.cgi?id=151799
2145
2146         Reviewed by Michael Saboff.
2147
2148         * assembler/MacroAssemblerX86Common.h:
2149         (JSC::MacroAssemblerX86Common::supportsLZCNT):
2150         Use __cpuid intrinsic instead of inline assembly.
2151
2152 2015-12-02  Filip Pizlo  <fpizlo@apple.com>
2153
2154         FTL B3 should support OSR exit
2155         https://bugs.webkit.org/show_bug.cgi?id=151710
2156
2157         Reviewed by Saam Barati.
2158
2159         This adds OSR exit support using the same style that I established with lazy slow paths. All of
2160         the work is driven by FTL::LowerDFGToLLVM, and from there any work that needs to be deferred
2161         until after B3 finishes is attached to the stackmap generator. In order to make it easy to port
2162         all of the different forms of OSR exit - invalidation points, exceptions, etc. - the logic for
2163         registering an OSR exit is abstracted behind OSRExitDescriptor and OSRExitHandle.
2164
2165         An issue that I encountered repeatedly in this patch is OSRExitDescriptor being passed as a
2166         reference (&) rather than pointer (*). The new code uses a lot of lambdas that run after the
2167         current frame pops, so the capture list cannot be [&]. I believe that always listing all of the
2168         captured variables is not scalable considering how sophisticated our use of lambdas is. So, it
2169         makes sense to use [=]. But anytime we captured a variable whose type was OSRExitDescriptor&, it
2170         would be captured by value, because that's how references work. One has to be mindful of these
2171         things whenever using [=]. Note that it's not enough to say that we should have listed the
2172         captured variables explicitly - in that case, we still could have made the mistake by forgetting
2173         to put & in front of the variant. The pattern that worked for me to reason about whether I'm
2174         capturing an object or a pointer to an object is to always use pointer types for pointers: either
2175         RefPtr<> when we also want the lambda to prolong the object's life, or * if we are confident that
2176         the object will stay alive. For this reason, this patch changes all code that references
2177         OSRExitDescriptor to use * instead of &. Consistency makes the code easier to grok, and it made
2178         it easier to introduce the required uses of * in places where there were lambdas.
2179
2180         I tested this by running imaging-gaussian-blur, and running some tests that reqiure OSR exit. I'm
2181         not promising that all kinds of exits work, but we have to begin somewhere.
2182
2183         * CMakeLists.txt:
2184         * JavaScriptCore.xcodeproj/project.pbxproj:
2185         * b3/B3Compilation.cpp:
2186         (JSC::B3::Compilation::Compilation):
2187         (JSC::B3::Compilation::~Compilation):
2188         * b3/B3Procedure.cpp:
2189         (JSC::B3::Procedure::addDataSection):
2190         (JSC::B3::Procedure::frameSize):
2191         (JSC::B3::Procedure::calleeSaveRegisters):
2192         * b3/B3Procedure.h:
2193         (JSC::B3::Procedure::releaseByproducts):
2194         (JSC::B3::Procedure::code):
2195         (JSC::B3::Procedure::takeByproducts): Deleted.
2196         * b3/air/AirCode.h:
2197         (JSC::B3::Air::Code::setFrameSize):
2198         (JSC::B3::Air::Code::calleeSaveRegisters):
2199         * b3/air/AirGenerationContext.h:
2200         * ftl/FTLB3Compile.cpp:
2201         (JSC::FTL::compile):
2202         * ftl/FTLCompile.cpp:
2203         (JSC::FTL::mmAllocateDataSection):
2204         * ftl/FTLExceptionHandlerManager.cpp:
2205         (JSC::FTL::ExceptionHandlerManager::lazySlowPathExceptionTarget):
2206         (JSC::FTL::ExceptionHandlerManager::getCallOSRExitCommon):
2207         * ftl/FTLExitThunkGenerator.cpp:
2208         * ftl/FTLExitThunkGenerator.h:
2209         * ftl/FTLJITCode.cpp:
2210         (JSC::FTL::JITCode::JITCode):
2211         (JSC::FTL::JITCode::initializeB3Code):
2212         (JSC::FTL::JITCode::initializeB3Byproducts):
2213         (JSC::FTL::JITCode::initializeExitThunks):
2214         (JSC::FTL::JITCode::validateReferences):
2215         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2216         * ftl/FTLJITCode.h:
2217         * ftl/FTLJITFinalizer.cpp:
2218         (JSC::FTL::JITFinalizer::finalizeFunction):
2219         * ftl/FTLJITFinalizer.h:
2220         * ftl/FTLJSCall.cpp:
2221         (JSC::FTL::JSCall::emit):
2222         * ftl/FTLJSCallBase.cpp:
2223         (JSC::FTL::JSCallBase::emit):
2224         * ftl/FTLJSTailCall.cpp:
2225         (JSC::FTL::JSTailCall::JSTailCall):
2226         (JSC::FTL::JSTailCall::emit):
2227         (JSC::FTL::DFG::getRegisterWithAddend): Deleted.
2228         (JSC::FTL::m_instructionOffset): Deleted.
2229         * ftl/FTLJSTailCall.h:
2230         (JSC::FTL::JSTailCall::patchpoint):
2231         (JSC::FTL::JSTailCall::stackmapID):
2232         (JSC::FTL::JSTailCall::estimatedSize):
2233         (JSC::FTL::JSTailCall::operator<):
2234         * ftl/FTLLowerDFGToLLVM.cpp:
2235         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
2236         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
2237         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2238         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
2239         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2240         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
2241         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
2242         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
2243         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap):
2244         (JSC::FTL::lowerDFGToLLVM):
2245         * ftl/FTLOSRExit.cpp:
2246         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
2247         (JSC::FTL::OSRExitDescriptor::validateReferences):
2248         (JSC::FTL::OSRExitDescriptor::appendOSRExit):
2249         (JSC::FTL::OSRExitDescriptor::appendOSRExitLater):
2250         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
2251         (JSC::FTL::OSRExit::OSRExit):
2252         (JSC::FTL::OSRExit::codeLocationForRepatch):
2253         (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException):
2254         (JSC::FTL::OSRExit::spillRegistersToSpillSlot):
2255         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot):
2256         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck):
2257         * ftl/FTLOSRExit.h:
2258         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2259         * ftl/FTLOSRExitCompilationInfo.h:
2260         (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
2261         * ftl/FTLOSRExitCompiler.cpp:
2262         (JSC::FTL::reboxAccordingToFormat):
2263         (JSC::FTL::compileRecovery):
2264         (JSC::FTL::compileStub):
2265         (JSC::FTL::compileFTLOSRExit):
2266         * ftl/FTLOSRExitHandle.cpp: Added.
2267         (JSC::FTL::OSRExitHandle::emitExitThunk):
2268         * ftl/FTLOSRExitHandle.h: Added.
2269         (JSC::FTL::OSRExitHandle::OSRExitHandle):
2270         * ftl/FTLState.cpp:
2271         (JSC::FTL::State::State):
2272         (JSC::FTL::State::~State):
2273
2274 2015-12-03  Joseph Pecoraro  <pecoraro@apple.com>
2275
2276         REGRESSION:(r192753): Remote Web Inspector: RemoteInspector::sendMessageToRemote with null connection
2277         https://bugs.webkit.org/show_bug.cgi?id=151789
2278
2279         Reviewed by Timothy Hatcher.
2280
2281         * inspector/remote/RemoteInspector.mm:
2282         (Inspector::RemoteInspector::sendMessageToRemote):
2283         Bail if the connection is no longer available. It may have
2284         been closed remotely.
2285
2286 2015-12-03  Joseph Pecoraro  <pecoraro@apple.com>
2287
2288         REGRESSION:(r192753): Remote Web Inspector: Window immediately closes after opening
2289         https://bugs.webkit.org/show_bug.cgi?id=151788
2290
2291         Reviewed by Timothy Hatcher.
2292
2293         * inspector/remote/RemoteInspector.mm:
2294         (Inspector::RemoteInspector::pushListingsNow):
2295         The key at the outer level was not a string. Ensure it is a
2296         string for backwards compatibility. One day we may use
2297         non-numeric page identifiers as listing keys.
2298
2299 2015-12-03  Joseph Pecoraro  <pecoraro@apple.com>
2300
2301         REGRESSION(r192753): Remote Web Inspector: Enabling Remote Inspection on Auto Inspect candidate Debuggable doesn't show up in debuggers
2302         https://bugs.webkit.org/show_bug.cgi?id=151792
2303
2304         Reviewed by Brian Burg.
2305
2306         * inspector/remote/RemoteInspector.mm:
2307         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
2308         When m_debuggablesMap was split into both m_targetMap and m_listingMap
2309         this particular case was missed in updating both the target and listing
2310         when the target is updated. We should match RemoteInspector::updateTarget
2311         and update the listing map as the debuggable may have changed to be
2312         allowed to debug.
2313
2314 2015-12-03  Benjamin Poulain  <bpoulain@apple.com>
2315
2316         [JSC] Add CLZ support to B3
2317         https://bugs.webkit.org/show_bug.cgi?id=151799
2318
2319         Reviewed by Michael Saboff.
2320
2321         Previously we were counting on LLVM to select LZCNT
2322         when its available.
2323         Since we have to do that ourself now, I added feature
2324         detection based on the CPUID. The MacroAssembler just
2325         pick the best available lowering based on the platform.
2326
2327         * assembler/MacroAssemblerX86Common.cpp:
2328         * assembler/MacroAssemblerX86Common.h:
2329         (JSC::MacroAssemblerX86Common::countLeadingZeros32):
2330         (JSC::MacroAssemblerX86Common::supportsLZCNT):
2331         (JSC::MacroAssemblerX86Common::clz32AfterBsr):
2332         * assembler/MacroAssemblerX86_64.h:
2333         (JSC::MacroAssemblerX86_64::countLeadingZeros64):
2334         (JSC::MacroAssemblerX86_64::clz64AfterBsr):
2335         * assembler/X86Assembler.h:
2336         (JSC::X86Assembler::lzcnt_rr):
2337         (JSC::X86Assembler::lzcnt_mr):
2338         (JSC::X86Assembler::lzcntq_rr):
2339         (JSC::X86Assembler::lzcntq_mr):
2340         (JSC::X86Assembler::bsr_mr):
2341         (JSC::X86Assembler::bsrq_rr):
2342         (JSC::X86Assembler::bsrq_mr):
2343         * b3/B3LowerToAir.cpp:
2344         (JSC::B3::Air::LowerToAir::lower):
2345         * b3/B3Opcode.cpp:
2346         (WTF::printInternal):
2347         * b3/B3Opcode.h:
2348         * b3/B3Validate.cpp:
2349         * b3/B3Value.cpp:
2350         (JSC::B3::Value::effects):
2351         (JSC::B3::Value::key):
2352         (JSC::B3::Value::typeFor):
2353         * b3/air/AirOpcode.opcodes:
2354         * b3/testb3.cpp:
2355         (JSC::B3::countLeadingZero):
2356         (JSC::B3::testClzArg64):
2357         (JSC::B3::testClzMem64):
2358         (JSC::B3::testClzArg32):
2359         (JSC::B3::testClzMem32):
2360         (JSC::B3::doubleOperands):
2361         (JSC::B3::run):
2362         * ftl/FTLB3Output.h:
2363         (JSC::FTL::Output::ctlz32):
2364         * ftl/FTLLowerDFGToLLVM.cpp:
2365         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithClz32):
2366         * ftl/FTLOutput.h:
2367         (JSC::FTL::Output::ctlz32):
2368
2369 2015-12-02  Mark Lam  <mark.lam@apple.com>
2370
2371         Polymorphic operand types for DFG and FTL mul.
2372         https://bugs.webkit.org/show_bug.cgi?id=151746
2373
2374         Reviewed by Filip Pizlo.
2375
2376         Perf on benchmarks is neutral except for the newly added JSRegress ftl-object-mul
2377         test which shows a 2.16x speed up on x86_64 FTL, 1.27x speed up on x86_64 DFG,
2378         and 1.56x on x86 DFG. 
2379
2380         The speed up comes not from the mul operator itself, but from the fact that the
2381         polymorphic operand types support now allow the test function to run without OSR
2382         exiting, thereby realizing the DFG and FTL's speed up on other work that the test
2383         function does.
2384
2385         This patch has passed the layout tests on x86_64 with a debug build.
2386         It passed the JSC tests with x86 and x86_64 debug builds.
2387
2388         * dfg/DFGAbstractInterpreterInlines.h:
2389         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2390         * dfg/DFGClobberize.h:
2391         (JSC::DFG::clobberize):
2392         * dfg/DFGFixupPhase.cpp:
2393         (JSC::DFG::FixupPhase::fixupNode):
2394         * dfg/DFGOperations.cpp:
2395         * dfg/DFGOperations.h:
2396         * dfg/DFGPredictionPropagationPhase.cpp:
2397         (JSC::DFG::PredictionPropagationPhase::propagate):
2398         * dfg/DFGSpeculativeJIT.cpp:
2399         (JSC::DFG::SpeculativeJIT::compileArithMul):
2400         * ftl/FTLCompile.cpp:
2401         - Changed to call generateBinaryOpFastPath() instead now, and let it dispatch to
2402           the appropriate snippet generator.
2403
2404         * ftl/FTLCompileBinaryOp.cpp:
2405         (JSC::FTL::generateBinaryArithOpFastPath):
2406         (JSC::FTL::generateBinaryOpFastPath):
2407         (JSC::FTL::generateArithSubFastPath): Deleted.
2408         (JSC::FTL::generateValueAddFastPath): Deleted.
2409         - Refactored these functions to eliminate the need for copy-pasting every time
2410           we add support for another binary arithmetic snippet.
2411
2412         * ftl/FTLCompileBinaryOp.h:
2413         * ftl/FTLInlineCacheDescriptor.h:
2414         * ftl/FTLInlineCacheDescriptorInlines.h:
2415         (JSC::FTL::ArithMulDescriptor::ArithMulDescriptor):
2416         (JSC::FTL::ArithMulDescriptor::icSize):
2417         * ftl/FTLInlineCacheSize.cpp:
2418         (JSC::FTL::sizeOfArithMul):
2419         * ftl/FTLInlineCacheSize.h:
2420         * ftl/FTLLowerDFGToLLVM.cpp:
2421         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2422         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2423         * jit/JITMulGenerator.h:
2424         (JSC::JITMulGenerator::JITMulGenerator):
2425
2426         * tests/stress/op_mul.js:
2427         - Updated a test value: the interesting value for imminent overflow from an
2428           int32 is 0x7fffffff, not 0x7ffffff.
2429
2430 2015-12-02  Joseph Pecoraro  <pecoraro@apple.com>
2431
2432         REGRESSION(r192753): Remote Web Inspector: Applications and Debuggables not showing up in debuggers
2433         https://bugs.webkit.org/show_bug.cgi?id=151787
2434
2435         Reviewed by Brian Burg.
2436
2437         * inspector/remote/RemoteInspector.mm:
2438         (Inspector::RemoteInspector::receivedIndicateMessage):
2439         Removed lock that was unnecessarily added in r192753. It was
2440         protecting nothing.
2441
2442 2015-12-02  Saam barati  <sbarati@apple.com>
2443
2444         Insert a FIXME comment FTLLazySlowPath.h to remind us to remove/refactor the ScratchRegisterAllocator field.
2445
2446         Rubber-stamped by Filip Pizlo.
2447
2448         * ftl/FTLLazySlowPath.h:
2449
2450 2015-12-02  Benjamin Poulain  <benjamin@webkit.org>
2451
2452         [JSC] Remove insertElement() from FTLB3Output
2453         https://bugs.webkit.org/show_bug.cgi?id=151781
2454
2455         Reviewed by Sam Weinig.
2456
2457         * ftl/FTLB3Output.h:
2458         (JSC::FTL::Output::insertElement): Deleted.
2459         That's a LLVM concept.
2460
2461 2015-12-02  Benjamin Poulain  <bpoulain@apple.com>
2462
2463         [JSC] Remove stuffs related to alloca from FTLB3Output
2464         https://bugs.webkit.org/show_bug.cgi?id=151780
2465
2466         Reviewed by Mark Lam.
2467
2468         We can use the Phis directly with B3 :)
2469
2470         * ftl/FTLB3Output.h:
2471         (JSC::FTL::Output::alloca): Deleted.
2472         (JSC::FTL::Output::get): Deleted.
2473         (JSC::FTL::Output::set): Deleted.
2474
2475 2015-12-02  Benjamin Poulain  <benjamin@webkit.org>
2476
2477         [JSC] Add sin(), cos(), pow() and log() to B3
2478         https://bugs.webkit.org/show_bug.cgi?id=151778
2479
2480         Reviewed by Geoffrey Garen.
2481
2482         * ftl/FTLB3Output.h:
2483         (JSC::FTL::Output::doubleSin):
2484         (JSC::FTL::Output::doubleCos):
2485         (JSC::FTL::Output::doublePow):
2486         (JSC::FTL::Output::doubleLog):
2487         (JSC::FTL::Output::callWithoutSideEffects):
2488
2489 2015-12-02  Filip Pizlo  <fpizlo@apple.com>
2490
2491         Add a few obvious strength-reductions to Air
2492         https://bugs.webkit.org/show_bug.cgi?id=151777
2493
2494         Reviewed by Mark Lam.
2495
2496         The absence of these optimizations was obnoxious.
2497
2498         * assembler/MacroAssemblerX86Common.h:
2499         (JSC::MacroAssemblerX86Common::add32): lea 1(reg), reg -> add 1, reg.
2500         * b3/air/AirGenerate.cpp:
2501         (JSC::B3::Air::generate): Emit simpler prologue/epilogue if !frameSize.
2502         * b3/air/AirOpcode.opcodes: We have matching for BranchMul32 with immediate, but we forgot to add the instruction form.
2503         * jit/AssemblyHelpers.h: Support for the prologue/epilogue optimizations.
2504         (JSC::AssemblyHelpers::emitFunctionPrologue):
2505         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
2506         (JSC::AssemblyHelpers::emitFunctionEpilogue):
2507
2508 2015-12-02  Benjamin Poulain  <bpoulain@apple.com>
2509
2510         Update the interface added in r192967
2511
2512         * b3/B3CCallValue.h:
2513         Filip prefers explicit effects.
2514         * b3/testb3.cpp:
2515         (JSC::B3::testCallSimplePure):
2516
2517 2015-12-02  Benjamin Poulain  <bpoulain@apple.com>
2518
2519         [JSC] Add a function attribute for Pure functions in B3
2520         https://bugs.webkit.org/show_bug.cgi?id=151741
2521
2522         Reviewed by Geoffrey Garen.
2523
2524         We have plenty of functions without side effects
2525         when lowering DFG.
2526         This patch adds the "PureCall" flag to B3's CCall
2527         to make sure those functions do not prevent optimizations.
2528
2529         * b3/B3CCallValue.h:
2530         * b3/testb3.cpp:
2531         (JSC::B3::testCallSimplePure):
2532         (JSC::B3::run):
2533
2534 2015-12-02  Mark Lam  <mark.lam@apple.com>
2535
2536         Removed unnecessary #if USE(JSVALUE64).
2537         https://bugs.webkit.org/show_bug.cgi?id=151733
2538
2539         Not reviewed.
2540
2541         * dfg/DFGClobberize.h:
2542         (JSC::DFG::clobberize):
2543
2544 2015-12-02  Mark Lam  <mark.lam@apple.com>
2545
2546         Use the JITAddGenerator snippet in the FTL.
2547         https://bugs.webkit.org/show_bug.cgi?id=151519
2548
2549         Reviewed by Geoffrey Garen.
2550
2551         One detail about how we choosing to handle operands to the binary snippets that
2552         may be constant: the slow path call to a C++ function still needs the constant
2553         operand loaded in a register.  To simplify things, we're choosing to always tell
2554         LLVM to load the operands into registers even if they may be constant.  However,
2555         even though a constant operand is preloaded in a register, the snippet generator
2556         will not be made aware of it.  It will continue to load the constant as an
2557         immediate.
2558
2559         * ftl/FTLCompile.cpp:
2560         * ftl/FTLCompileBinaryOp.cpp:
2561         (JSC::FTL::generateArithSubFastPath):
2562         (JSC::FTL::generateValueAddFastPath):
2563         - generateValueAddFastPath() currently is an exact copy of generateArithSubFastPath()
2564           except that it uses JITAddGenerator instead of JITSubGenerator.  When we add
2565           support for JITMulGenerator later, the code will start to vary.  We'll refactor
2566           these functions then when we have more insight into what needs to vary between
2567           the implementations.
2568
2569         * ftl/FTLCompileBinaryOp.h:
2570         * ftl/FTLInlineCacheDescriptor.h:
2571         * ftl/FTLInlineCacheDescriptorInlines.h:
2572         (JSC::FTL::ValueAddDescriptor::ValueAddDescriptor):
2573         (JSC::FTL::ValueAddDescriptor::icSize):
2574         * ftl/FTLInlineCacheSize.cpp:
2575         (JSC::FTL::sizeOfValueAdd):
2576         * ftl/FTLInlineCacheSize.h:
2577         * ftl/FTLLowerDFGToLLVM.cpp:
2578         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2579         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2580
2581 2015-12-02  Mark Lam  <mark.lam@apple.com>
2582
2583         Teach DFG that ArithSub can now clobber the heap (and other things).
2584         https://bugs.webkit.org/show_bug.cgi?id=151733
2585
2586         Reviewed by Geoffrey Garen.
2587
2588         * dfg/DFGAbstractInterpreterInlines.h:
2589         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2590         * dfg/DFGClobberize.h:
2591         (JSC::DFG::clobberize):
2592         * dfg/DFGPredictionPropagationPhase.cpp:
2593         (JSC::DFG::PredictionPropagationPhase::propagate):
2594
2595 2015-12-02  Benjamin Poulain  <bpoulain@apple.com>
2596
2597         [JSC] Handle x86 partial register stalls in Air
2598         https://bugs.webkit.org/show_bug.cgi?id=151735
2599
2600         Reviewed by Filip Pizlo.
2601
2602         This patch adds a primitive false-dependency breaking
2603         algorithm to Air. We look for redefinition of the same
2604         variable that is too close to a partial definition.
2605
2606         There is not explicit dependency tracking going on,
2607         but it is pretty fast and the extra xorps added on false-positives
2608         are cheap anyway.
2609
2610         Typically, partial register stalls appear from instructions
2611         interfering with themselves in small loops. Something like:
2612
2613           Label0:
2614             cvtsi2sdq %eax, %xmm0
2615             ...
2616             jmp Label0
2617
2618         Those are correctly detected by propagating the local distance
2619         information from block to block until no unsafe chain is found.
2620
2621         The test testInt32ToDoublePartialRegisterStall() checks the kind
2622         of cases we typically find from JavaScript.
2623         The execution time is 20% faster with a register reset (which is
2624         astounding since the very next instruction has a real dependency).
2625
2626         Future tweaks will be needed when we can run more JavaScript:
2627         -Handle function calls differently.
2628         -Anything with a special can have hidden instructions.
2629          We need to take them into account.
2630
2631         * JavaScriptCore.xcodeproj/project.pbxproj:
2632         * assembler/MacroAssemblerX86Common.h:
2633         (JSC::MacroAssemblerX86Common::moveZeroToDouble):
2634         * assembler/X86Assembler.h:
2635         (JSC::X86Assembler::xorps_rr):
2636         (JSC::X86Assembler::xorpd_rr):
2637         According to the documentation, starting with Sandy Bridge,
2638         registers reset can be done in the frontend with xorps.
2639
2640         * b3/B3IndexSet.h:
2641         (JSC::B3::IndexSet::remove):
2642         * b3/air/AirFixPartialRegisterStalls.cpp: Added.
2643         (JSC::B3::Air::fixPartialRegisterStalls):
2644         * b3/air/AirFixPartialRegisterStalls.h: Added.
2645         * b3/air/AirGenerate.cpp:
2646         (JSC::B3::Air::prepareForGeneration):
2647         * b3/testb3.cpp:
2648         (JSC::B3::testInt32ToDoublePartialRegisterStall):
2649         (JSC::B3::run):
2650         * jit/FPRInfo.h:
2651
2652 2015-12-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2653
2654         [ES6] Implement LLInt/Baseline Support for ES6 Generators and enable this feature
2655         https://bugs.webkit.org/show_bug.cgi?id=150792
2656
2657         Reviewed by Saam Barati.
2658
2659         This patch implements basic functionality of ES6 Generators in LLInt and Baseline tiers.
2660         While the implementation has some inefficient part, the implementation covers edge cases.
2661         Later, we will make this efficient.
2662
2663             https://bugs.webkit.org/show_bug.cgi?id=151545
2664             https://bugs.webkit.org/show_bug.cgi?id=151546
2665             https://bugs.webkit.org/show_bug.cgi?id=151547
2666             https://bugs.webkit.org/show_bug.cgi?id=151552
2667             https://bugs.webkit.org/show_bug.cgi?id=151560
2668             https://bugs.webkit.org/show_bug.cgi?id=151586
2669
2670         To encourage DFG / FTL later, we take the following design.
2671
2672         1. Use switch_imm to jump to the save/resume points.
2673
2674         Instead of saving / restoring instruction pointer to resume from it, we use switch_imm to jump to the resume point.
2675         This limits one entry point to a given generator function. This design makes inlining easy.
2676         The generated code becomes the following.
2677
2678             function @generatorNext(@generator, @generatorState, @generatorValue, @generatorResumeMode)
2679             {
2680                 switch (@generatorState) {
2681                 case Initial:
2682                     ...
2683                     initial sequence.
2684                     ...
2685
2686
2687                     op_save(Yield_0);  // op_save contains *virtual* jump to Yield_0.
2688                                        // CFG shows a jump edge to Yield_0 point, but it won't be actually used.
2689                     return ...;
2690
2691                 case Yield_0:
2692                     op_resume();
2693                     if (@generatorResumeMode == Throw)
2694                         ...
2695                     else if (@generatorResumeMode == Return)
2696                         ...
2697                     ...
2698                     // sentValue is a value sent from a caller by `generator.next(sentValue)`.
2699                     sentValue = @generatorValue;
2700                     ...
2701                     op_save(Yield_1);
2702                     return ...;
2703
2704                 case Yield_1:
2705                     op_resume();
2706                     if (@generatorResumeMode == Throw)
2707                         ...
2708                     else if (@generatorResumeMode == Return)
2709                         ...
2710                     ...
2711                     sentValue = @generatorValue;
2712                     ...
2713
2714                 ...
2715                 }
2716             }
2717
2718             Resume sequence should not be emitted per yield.
2719             This should be done in https://bugs.webkit.org/show_bug.cgi?id=151552.
2720
2721         2. Store live frame registers to GeneratorFrame
2722
2723         To save and resume generator's state, we save all the live registers in GeneratorFrame.
2724         And when resuming, we refill registers with saved ones.
2725         Since saved register contains scope register, |this| etc., the environment including the scope chain will be recovered automatically.
2726         While saving and resuming callee registers, we don't save parameter registers.
2727         These registers will be used to control generator's resume behavior.
2728
2729         We perform BytecodeLivenessAnalysis in CodeBlock to determine actually *def*ined registers at that resume point.
2730
2731         3. GeneratorFunction will evaluate parameters before generating Generator
2732
2733         Generator's parameter should be evaluated before entering Generator's body. For example,
2734
2735             function hello() { ... }
2736             function *gen(a, b = hello())
2737             {
2738                 yield b;
2739             }
2740             let g = gen(20);  // Now, hello should be called.
2741
2742         To enable this, we evaluate parameters in GeneratorFunction, and after that, we create a Generator and return it.
2743         This can be explained by the following pseudo code.
2744
2745             function *gen(a, b = hello())
2746             {
2747                 // This is generator.
2748                 return {
2749                     @generatorNext: function (@generator, @generatorState, @generatorValue, @generatorResumeMode)
2750                     {
2751                         ...
2752                     }
2753                 }
2754             }
2755
2756         4. op_save seems similar to conditional jump
2757
2758         We won't jump to elsewhere from op_save actually. But we add a *virtual* jump edge (flow) from op_save to the point so called *merge point*.
2759         We construct the CFG as follows,
2760
2761             (global generator switch) -> (initial sequence) -> (op_save) ----+-> (merge point) -> (next sequence)*
2762                    |                                              |          |
2763                    |                                              v          |
2764                    |                                           (op_ret)      |
2765                    |                                                         |
2766                    +------------------------------------------->(op_resume)--+
2767
2768         By constructing such a graph,
2769
2770             1. Since we have a flow from (op_save) to (merge point), at merge point, we can *use* locals that are defined before (op_save)
2771             2. op_save should claim that it does not define anything. And claim that it *use*s locals that are used in (merge point).
2772             3. at op_resume, we see *use*d locals at merge point and define all of them.
2773
2774         We can do the above things in use-def analysis because use-def analysis is backward analysis.
2775         And after analyzing use-def chains, in op_save / op_resume, we only save / resume live registers at the head of merge point.
2776
2777         * API/JSScriptRef.cpp:
2778         (parseScript):
2779         * CMakeLists.txt:
2780         * Configurations/FeatureDefines.xcconfig:
2781         * DerivedSources.make:
2782         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2783         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2784         * JavaScriptCore.xcodeproj/project.pbxproj:
2785         * builtins/BuiltinExecutables.cpp:
2786         (JSC::createExecutableInternal):
2787         * builtins/GeneratorPrototype.js: Added.
2788         (generatorResume):
2789         (next):
2790         (return):
2791         (throw):
2792         * bytecode/BytecodeBasicBlock.cpp:
2793         (JSC::isBranch):
2794         * bytecode/BytecodeList.json:
2795         * bytecode/BytecodeLivenessAnalysis.cpp:
2796         (JSC::stepOverInstruction):
2797         (JSC::computeLocalLivenessForBytecodeOffset):
2798         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
2799         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
2800         (JSC::BytecodeLivenessAnalysis::computeKills):
2801         * bytecode/BytecodeUseDef.h:
2802         (JSC::computeUsesForBytecodeOffset):
2803         (JSC::computeDefsForBytecodeOffset):
2804         * bytecode/CodeBlock.cpp:
2805         (JSC::CodeBlock::dumpBytecode):
2806         (JSC::CodeBlock::CodeBlock):
2807         (JSC::CodeBlock::finishCreation):
2808         (JSC::CodeBlock::shrinkToFit):
2809         (JSC::CodeBlock::validate):
2810         * bytecode/CodeBlock.h:
2811         (JSC::CodeBlock::numCalleeLocals):
2812         (JSC::CodeBlock::liveCalleeLocalsAtYield):
2813         * bytecode/EvalCodeCache.h:
2814         (JSC::EvalCodeCache::tryGet):
2815         (JSC::EvalCodeCache::getSlow):
2816         (JSC::EvalCodeCache::isCacheable):
2817         * bytecode/ExecutableInfo.h:
2818         (JSC::ExecutableInfo::ExecutableInfo):
2819         (JSC::ExecutableInfo::generatorThisMode):
2820         (JSC::ExecutableInfo::superBinding):
2821         (JSC::ExecutableInfo::parseMode):
2822         (JSC::ExecutableInfo::isArrowFunction): Deleted.
2823         * bytecode/PreciseJumpTargets.cpp:
2824         (JSC::getJumpTargetsForBytecodeOffset):
2825         * bytecode/UnlinkedCodeBlock.cpp:
2826         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2827         * bytecode/UnlinkedCodeBlock.h:
2828         (JSC::UnlinkedCodeBlock::parseMode):
2829         (JSC::UnlinkedCodeBlock::generatorThisMode):
2830         (JSC::UnlinkedCodeBlock::superBinding):
2831         (JSC::UnlinkedCodeBlock::isArrowFunction): Deleted.
2832         * bytecode/UnlinkedFunctionExecutable.cpp:
2833         (JSC::generateUnlinkedFunctionCodeBlock):
2834         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2835         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2836         * bytecode/UnlinkedFunctionExecutable.h:
2837         * bytecompiler/BytecodeGenerator.cpp:
2838         (JSC::BytecodeGenerator::BytecodeGenerator):
2839         (JSC::BytecodeGenerator::initializeParameters):
2840         (JSC::BytecodeGenerator::newRegister):
2841         (JSC::BytecodeGenerator::reclaimFreeRegisters):
2842         (JSC::BytecodeGenerator::createVariable):
2843         (JSC::BytecodeGenerator::emitCreateThis):
2844         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
2845         (JSC::BytecodeGenerator::emitNewFunctionExpression):
2846         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
2847         (JSC::BytecodeGenerator::emitNewFunction):
2848         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
2849         (JSC::BytecodeGenerator::emitYieldPoint):
2850         (JSC::BytecodeGenerator::emitSave):
2851         (JSC::BytecodeGenerator::emitResume):
2852         (JSC::BytecodeGenerator::emitYield):
2853         (JSC::BytecodeGenerator::emitDelegateYield):
2854         (JSC::BytecodeGenerator::emitGeneratorStateChange):
2855         (JSC::BytecodeGenerator::emitGeneratorStateLabel):
2856         (JSC::BytecodeGenerator::beginGenerator):
2857         (JSC::BytecodeGenerator::endGenerator):
2858         (JSC::BytecodeGenerator::emitNewFunctionInternal): Deleted.
2859         (JSC::BytecodeGenerator::emitNewFunctionCommon): Deleted.
2860         * bytecompiler/BytecodeGenerator.h:
2861         (JSC::BytecodeGenerator::generatorThisMode):
2862         (JSC::BytecodeGenerator::superBinding):
2863         (JSC::BytecodeGenerator::generatorRegister):
2864         (JSC::BytecodeGenerator::generatorStateRegister):
2865         (JSC::BytecodeGenerator::generatorValueRegister):
2866         (JSC::BytecodeGenerator::generatorResumeModeRegister):
2867         (JSC::BytecodeGenerator::parseMode):
2868         (JSC::BytecodeGenerator::registerFor):
2869         (JSC::BytecodeGenerator::makeFunction):
2870         * bytecompiler/NodesCodegen.cpp:
2871         (JSC::ThisNode::emitBytecode):
2872         (JSC::emitHomeObjectForCallee):
2873         (JSC::emitSuperBaseForCallee):
2874         (JSC::ReturnNode::emitBytecode):
2875         (JSC::FunctionNode::emitBytecode):
2876         (JSC::YieldExprNode::emitBytecode):
2877         * dfg/DFGByteCodeParser.cpp:
2878         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2879         (JSC::DFG::ByteCodeParser::inlineCall):
2880         (JSC::DFG::ByteCodeParser::handleGetById):
2881         (JSC::DFG::ByteCodeParser::handlePutById):
2882         * dfg/DFGForAllKills.h:
2883         (JSC::DFG::forAllKilledOperands):
2884         * dfg/DFGGraph.h:
2885         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2886         * dfg/DFGOSREntrypointCreationPhase.cpp:
2887         (JSC::DFG::OSREntrypointCreationPhase::run):
2888         * dfg/DFGVariableEventStream.cpp:
2889         (JSC::DFG::VariableEventStream::reconstruct):
2890         * ftl/FTLForOSREntryJITCode.cpp:
2891         (JSC::FTL::ForOSREntryJITCode::initializeEntryBuffer):
2892         * ftl/FTLForOSREntryJITCode.h:
2893         * ftl/FTLOSREntry.cpp:
2894         (JSC::FTL::prepareOSREntry):
2895         * ftl/FTLState.cpp:
2896         (JSC::FTL::State::State):
2897         * heap/MarkedBlock.h:
2898         (JSC::MarkedBlock::isAtom):
2899         (JSC::MarkedBlock::isLiveCell):
2900         * interpreter/Interpreter.cpp:
2901         (JSC::eval):
2902         (JSC::Interpreter::dumpRegisters):
2903         * jit/JIT.cpp:
2904         (JSC::JIT::privateCompileMainPass):
2905         (JSC::JIT::frameRegisterCountFor):
2906         * jit/JIT.h:
2907         * jit/JITOpcodes.cpp:
2908         (JSC::JIT::emitNewFuncCommon):
2909         (JSC::JIT::emit_op_new_func):
2910         (JSC::JIT::emit_op_new_generator_func):
2911         (JSC::JIT::emitNewFuncExprCommon):
2912         (JSC::JIT::emit_op_new_func_exp):
2913         (JSC::JIT::emit_op_new_generator_func_exp):
2914         (JSC::JIT::emit_op_save):
2915         (JSC::JIT::emit_op_resume):
2916         * jit/JITOperations.cpp:
2917         (JSC::operationNewFunctionCommon):
2918         * jit/JITOperations.h:
2919         * llint/LLIntEntrypoint.cpp:
2920         (JSC::LLInt::frameRegisterCountFor):
2921         * llint/LLIntSlowPaths.cpp:
2922         (JSC::LLInt::traceFunctionPrologue):
2923         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2924         * llint/LLIntSlowPaths.h:
2925         * llint/LowLevelInterpreter.asm:
2926         * parser/ASTBuilder.h:
2927         (JSC::ASTBuilder::createYield):
2928         (JSC::ASTBuilder::createFunctionMetadata):
2929         (JSC::ASTBuilder::propagateArgumentsUse):
2930         * parser/Nodes.cpp:
2931         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2932         * parser/Nodes.h:
2933         * parser/Parser.cpp:
2934         (JSC::Parser<LexerType>::Parser):
2935         (JSC::Parser<LexerType>::parseInner):
2936         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
2937         (JSC::Parser<LexerType>::parseFunctionBody):
2938         (JSC::stringForFunctionMode):
2939         (JSC::Parser<LexerType>::createGeneratorParameters):
2940         (JSC::Parser<LexerType>::parseFunctionInfo):
2941         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2942         (JSC::Parser<LexerType>::parseClass):
2943         (JSC::Parser<LexerType>::parseAssignmentExpression):
2944         (JSC::Parser<LexerType>::parseYieldExpression):
2945         (JSC::Parser<LexerType>::parsePropertyMethod):
2946         (JSC::Parser<LexerType>::parseFunctionExpression):
2947         * parser/Parser.h:
2948         (JSC::Scope::Scope):
2949         (JSC::Scope::setSourceParseMode):
2950         (JSC::Scope::hasArguments):
2951         (JSC::Scope::collectFreeVariables):
2952         (JSC::Scope::setIsFunction):
2953         (JSC::Scope::setIsGeneratorFunction):
2954         (JSC::Scope::setIsGenerator):
2955         (JSC::parse):
2956         * parser/ParserModes.h:
2957         (JSC::isFunctionParseMode):
2958         (JSC::isModuleParseMode):
2959         (JSC::isProgramParseMode):
2960         * parser/SourceCodeKey.h: Added.
2961         (JSC::SourceCodeKey::SourceCodeKey):
2962         (JSC::SourceCodeKey::isHashTableDeletedValue):
2963         (JSC::SourceCodeKey::hash):
2964         (JSC::SourceCodeKey::length):
2965         (JSC::SourceCodeKey::isNull):
2966         (JSC::SourceCodeKey::string):
2967         (JSC::SourceCodeKey::operator==):
2968         (JSC::SourceCodeKeyHash::hash):
2969         (JSC::SourceCodeKeyHash::equal):
2970         (JSC::SourceCodeKeyHashTraits::isEmptyValue):
2971         * parser/SyntaxChecker.h:
2972         (JSC::SyntaxChecker::createYield):
2973         (JSC::SyntaxChecker::createFunctionMetadata):
2974         (JSC::SyntaxChecker::operatorStackPop):
2975         * runtime/CodeCache.cpp:
2976         (JSC::CodeCache::getGlobalCodeBlock):
2977         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2978         * runtime/CodeCache.h:
2979         (JSC::SourceCodeKey::SourceCodeKey): Deleted.
2980         (JSC::SourceCodeKey::isHashTableDeletedValue): Deleted.
2981         (JSC::SourceCodeKey::hash): Deleted.
2982         (JSC::SourceCodeKey::length): Deleted.
2983         (JSC::SourceCodeKey::isNull): Deleted.
2984         (JSC::SourceCodeKey::string): Deleted.
2985         (JSC::SourceCodeKey::operator==): Deleted.
2986         (JSC::SourceCodeKeyHash::hash): Deleted.
2987         (JSC::SourceCodeKeyHash::equal): Deleted.
2988         (JSC::SourceCodeKeyHashTraits::isEmptyValue): Deleted.
2989         * runtime/CommonIdentifiers.h:
2990         * runtime/CommonSlowPaths.cpp:
2991         (JSC::SLOW_PATH_DECL):
2992         * runtime/CommonSlowPaths.h:
2993         * runtime/Completion.cpp:
2994         (JSC::checkSyntax):
2995         (JSC::checkModuleSyntax):
2996         * runtime/Executable.cpp:
2997         (JSC::ScriptExecutable::newCodeBlockFor):
2998         (JSC::ProgramExecutable::checkSyntax):
2999         * runtime/Executable.h:
3000         * runtime/FunctionConstructor.cpp:
3001         (JSC::constructFunction):
3002         (JSC::constructFunctionSkippingEvalEnabledCheck):
3003         * runtime/FunctionConstructor.h:
3004         * runtime/GeneratorFrame.cpp: Added.
3005         (JSC::GeneratorFrame::GeneratorFrame):
3006         (JSC::GeneratorFrame::finishCreation):
3007         (JSC::GeneratorFrame::createStructure):
3008         (JSC::GeneratorFrame::create):
3009         (JSC::GeneratorFrame::save):
3010         (JSC::GeneratorFrame::resume):
3011         (JSC::GeneratorFrame::visitChildren):
3012         * runtime/GeneratorFrame.h: Added.
3013         (JSC::GeneratorFrame::locals):
3014         (JSC::GeneratorFrame::localAt):
3015         (JSC::GeneratorFrame::offsetOfLocals):
3016         (JSC::GeneratorFrame::allocationSizeForLocals):
3017         * runtime/GeneratorFunctionConstructor.cpp: Added.
3018         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
3019         (JSC::GeneratorFunctionConstructor::finishCreation):
3020         (JSC::callGeneratorFunctionConstructor):
3021         (JSC::constructGeneratorFunctionConstructor):
3022         (JSC::GeneratorFunctionConstructor::getCallData):
3023         (JSC::GeneratorFunctionConstructor::getConstructData):
3024         * runtime/GeneratorFunctionConstructor.h: Added.
3025         (JSC::GeneratorFunctionConstructor::create):
3026         (JSC::GeneratorFunctionConstructor::createStructure):
3027         * runtime/GeneratorFunctionPrototype.cpp: Added.
3028         (JSC::GeneratorFunctionPrototype::GeneratorFunctionPrototype):
3029         (JSC::GeneratorFunctionPrototype::finishCreation):
3030         * runtime/GeneratorFunctionPrototype.h: Added.
3031         (JSC::GeneratorFunctionPrototype::create):
3032         (JSC::GeneratorFunctionPrototype::createStructure):
3033         * runtime/GeneratorPrototype.cpp: Copied from Source/JavaScriptCore/ftl/FTLForOSREntryJITCode.cpp.
3034         (JSC::GeneratorPrototype::finishCreation):
3035         (JSC::GeneratorPrototype::getOwnPropertySlot):
3036         * runtime/GeneratorPrototype.h: Copied from Source/JavaScriptCore/ftl/FTLForOSREntryJITCode.cpp.
3037         (JSC::GeneratorPrototype::create):
3038         (JSC::GeneratorPrototype::createStructure):
3039         (JSC::GeneratorPrototype::GeneratorPrototype):
3040         * runtime/GeneratorThisMode.h: Added.
3041         * runtime/JSFunction.cpp:
3042         (JSC::JSFunction::getOwnPropertySlot):
3043         * runtime/JSGeneratorFunction.cpp: Added.
3044         (JSC::JSGeneratorFunction::JSGeneratorFunction):
3045         (JSC::JSGeneratorFunction::createImpl):
3046         (JSC::JSGeneratorFunction::create):
3047         (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
3048         * runtime/JSGeneratorFunction.h: Added.
3049         (JSC::JSGeneratorFunction::allocationSize):
3050         (JSC::JSGeneratorFunction::createStructure):
3051         * runtime/JSGlobalObject.cpp:
3052         (JSC::JSGlobalObject::init):
3053         (JSC::JSGlobalObject::visitChildren):
3054         * runtime/JSGlobalObject.h:
3055         (JSC::JSGlobalObject::generatorFunctionPrototype):
3056         (JSC::JSGlobalObject::generatorPrototype):
3057         (JSC::JSGlobalObject::generatorFunctionStructure):
3058         * runtime/ModuleLoaderObject.cpp:
3059         (JSC::moduleLoaderObjectParseModule):
3060         * runtime/VM.cpp:
3061         (JSC::VM::VM):
3062         * runtime/VM.h:
3063         * tests/es6.yaml:
3064         * tests/es6/generators_yield_star_generic_iterables.js:
3065         (iterator.next):
3066         (iterable.Symbol.iterator):
3067         (__createIterableObject):
3068         * tests/es6/generators_yield_star_instances_of_iterables.js:
3069         (iterator.next):
3070         (iterable.Symbol.iterator):
3071         (__createIterableObject):
3072         * tests/es6/generators_yield_star_iterator_closing.js:
3073         (iterator.next):
3074         (iterable.Symbol.iterator):
3075         (__createIterableObject):
3076         * tests/es6/generators_yield_star_iterator_closing_via_throw.js:
3077         (iterator.next):
3078         (iterable.Symbol.iterator):
3079         (__createIterableObject):
3080         * tests/stress/generator-arguments-from-function.js: Added.
3081         (shouldBe):
3082         (test):
3083         * tests/stress/generator-arguments.js: Added.
3084         (shouldBe):
3085         (g1):
3086         * tests/stress/generator-class-methods-syntax.js: Added.
3087         (testSyntax):
3088         (testSyntaxError):
3089         (testSyntaxError.Cocoa):
3090         (testSyntax.Cocoa.prototype.ok):
3091         (testSyntax.Cocoa):
3092         (testSyntax.Cocoa.ok):
3093         * tests/stress/generator-class-methods.js: Added.
3094         (shouldBe):
3095         (prototype.gen):
3096         (staticGen):
3097         (shouldBe.g.next):
3098         * tests/stress/generator-eval-this.js: Added.
3099         (shouldBe):
3100         (shouldThrow):
3101         (B):
3102         (A):
3103         (C.prototype.generator):
3104         (C):
3105         (TypeError):
3106         * tests/stress/generator-function-constructor.js: Added.
3107         (shouldBe):
3108         (generatorFunctionConstructor):
3109         * tests/stress/generator-function-name.js: Added.
3110         (shouldBe):
3111         (ok):
3112         * tests/stress/generator-methods-with-non-generator.js: Added.
3113         (shouldThrow):
3114         * tests/stress/generator-relations.js: Added.
3115         (shouldBe):
3116         (generatorFunction):
3117         * tests/stress/generator-return-before-first-call.js: Added.
3118         (shouldBe):
3119         (shouldBeIteratorResult):
3120         * tests/stress/generator-return.js: Added.
3121         (shouldBe):
3122         (shouldBeIteratorResult):
3123         * tests/stress/generator-this.js: Added.
3124         (shouldBe):
3125         (shouldThrow):
3126         (gen):
3127         (shouldBe.g.next):
3128         * tests/stress/generator-throw-before-first-call.js: Added.
3129         (unreachable):
3130         (gen):
3131         (catch):
3132         * tests/stress/generator-throw.js: Added.
3133         (shouldBe):
3134         (shouldBeIteratorResult):
3135         * tests/stress/generator-with-new-target.js: Added.
3136         (shouldBe):
3137         (gen):
3138         * tests/stress/generator-with-super.js: Added.
3139         (shouldThrow):
3140         (test):
3141         (B.prototype.gen):
3142         (B):
3143         (A.prototype.gen):
3144         (A):
3145         * tests/stress/generator-yield-star.js: Added.
3146         (shouldBe):
3147         (shouldThrow):
3148         (prototype.call):
3149         (Arrays):
3150         (Arrays.prototype.Symbol.iterator):
3151         (Iterator.prototype.next):
3152         (Iterator.prototype.string_appeared_here):
3153         (Iterator.prototype.Symbol.iterator):
3154         (Iterator):
3155         (gen):
3156
3157 2015-12-01  Commit Queue  <commit-queue@webkit.org>
3158
3159         Unreviewed, rolling out r192914.
3160         https://bugs.webkit.org/show_bug.cgi?id=151734
3161
3162         JSC tests for this change are failing on 32 and 64-bit bots
3163         (Requested by ryanhaddad on #webkit).
3164
3165         Reverted changeset:
3166
3167         "[ES6] Implement LLInt/Baseline Support for ES6 Generators and
3168         enable this feature"
3169         https://bugs.webkit.org/show_bug.cgi?id=150792
3170         http://trac.webkit.org/changeset/192914
3171
3172 2015-12-01  Caitlin Potter  <caitpotter88@gmail.com>
3173
3174         [JSC] support CoverInitializedName in nested AssignmentPatterns
3175         https://bugs.webkit.org/show_bug.cgi?id=151595
3176
3177         Reviewed by Geoffrey Garen.
3178
3179         A regression introduced in bug https://bugs.webkit.org/show_bug.cgi?id=151026
3180         causes the parser to fail when attempting to parse nested
3181         ObjectAssignmentPatterns with CoverInitializedName destructuring targets.
3182
3183         * parser/Parser.cpp:
3184         (JSC::Parser<LexerType>::parseAssignmentExpressionOrPropagateErrorClass):
3185         (JSC::Parser<LexerType>::parseAssignmentExpression):
3186         (JSC::Parser<LexerType>::parseProperty):
3187         (JSC::Parser<LexerType>::parseArrayLiteral):
3188         * parser/Parser.h:
3189         (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
3190         * tests/es6.yaml:
3191         * tests/es6/destructuring_assignment_nested_cover_initialized_name.js: Added.
3192         (test1):
3193         (test2):
3194
3195 2015-12-01  Juergen Ributzka  <juergen@apple.com>
3196
3197         Add new library dependency for LLVMForJavaScriptCore dylib
3198         https://bugs.webkit.org/show_bug.cgi?id=151687
3199         
3200         Changes on open source LLVM added a new dependency to libLLVMInstrumentation.a.
3201         Adding this dependency should be backwards compatible, since LLVM has built and
3202         shipped this library even before the creation of FTL.
3203
3204         Reviewed by Geoffrey Garen.
3205
3206         * Configurations/LLVMForJSC.xcconfig:
3207
3208 2015-12-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3209
3210         [ES6] Implement LLInt/Baseline Support for ES6 Generators and enable this feature
3211         https://bugs.webkit.org/show_bug.cgi?id=150792
3212
3213         Reviewed by Saam Barati.
3214
3215         This patch implements basic functionality of ES6 Generators in LLInt and Baseline tiers.
3216         While the implementation has some inefficient part, the implementation covers edge cases.
3217         Later, we will make this efficient.
3218
3219             https://bugs.webkit.org/show_bug.cgi?id=151545
3220             https://bugs.webkit.org/show_bug.cgi?id=151546
3221             https://bugs.webkit.org/show_bug.cgi?id=151547
3222             https://bugs.webkit.org/show_bug.cgi?id=151552
3223             https://bugs.webkit.org/show_bug.cgi?id=151560
3224             https://bugs.webkit.org/show_bug.cgi?id=151586
3225
3226         To encourage DFG / FTL later, we take the following design.
3227
3228         1. Use switch_imm to jump to the save/resume points.
3229
3230         Instead of saving / restoring instruction pointer to resume from it, we use switch_imm to jump to the resume point.
3231         This limits one entry point to a given generator function. This design makes inlining easy.
3232         The generated code becomes the following.
3233
3234             function @generatorNext(@generator, @generatorState, @generatorValue, @generatorResumeMode)
3235             {
3236                 switch (@generatorState) {
3237                 case Initial:
3238                     ...
3239                     initial sequence.
3240                     ...
3241
3242
3243                     op_save(Yield_0);  // op_save contains *virtual* jump to Yield_0.
3244                                        // CFG shows a jump edge to Yield_0 point, but it won't be actually used.
3245                     return ...;
3246
3247                 case Yield_0:
3248                     op_resume();
3249                     if (@generatorResumeMode == Throw)
3250                         ...
3251                     else if (@generatorResumeMode == Return)
3252                         ...
3253                     ...
3254                     // sentValue is a value sent from a caller by `generator.next(sentValue)`.
3255                     sentValue = @generatorValue;
3256                     ...
3257                     op_save(Yield_1);
3258                     return ...;
3259
3260                 case Yield_1:
3261                     op_resume();
3262                     if (@generatorResumeMode == Throw)
3263                         ...
3264                     else if (@generatorResumeMode == Return)
3265                         ...
3266                     ...
3267                     sentValue = @generatorValue;
3268                     ...
3269
3270                 ...
3271                 }
3272             }
3273
3274             Resume sequence should not be emitted per yield.
3275             This should be done in https://bugs.webkit.org/show_bug.cgi?id=151552.
3276
3277         2. Store live frame registers to GeneratorFrame
3278
3279         To save and resume generator's state, we save all the live registers in GeneratorFrame.
3280         And when resuming, we refill registers with saved ones.
3281         Since saved register contains scope register, |this| etc., the environment including the scope chain will be recovered automatically.
3282         While saving and resuming callee registers, we don't save parameter registers.
3283         These registers will be used to control generator's resume behavior.
3284
3285         We perform BytecodeLivenessAnalysis in CodeBlock to determine actually *def*ined registers at that resume point.
3286
3287         3. GeneratorFunction will evaluate parameters before generating Generator
3288
3289         Generator's parameter should be evaluated before entering Generator's body. For example,
3290
3291             function hello() { ... }
3292             function *gen(a, b = hello())
3293             {
3294                 yield b;
3295             }
3296             let g = gen(20);  // Now, hello should be called.
3297
3298         To enable this, we evaluate parameters in GeneratorFunction, and after that, we create a Generator and return it.
3299         This can be explained by the following pseudo code.
3300
3301             function *gen(a, b = hello())
3302             {
3303                 // This is generator.
3304                 return {
3305                     @generatorNext: function (@generator, @generatorState, @generatorValue, @generatorResumeMode)
3306                     {
3307                         ...
3308                     }
3309                 }
3310             }
3311
3312         4. op_save seems similar to conditional jump
3313
3314         We won't jump to elsewhere from op_save actually. But we add a *virtual* jump edge (flow) from op_save to the point so called *merge point*.
3315         We construct the CFG as follows,
3316
3317             (global generator switch) -> (initial sequence) -> (op_save) ----+-> (merge point) -> (next sequence)*
3318                    |                                              |          |
3319                    |                                              v          |
3320                    |                                           (op_ret)      |
3321                    |                                                         |
3322                    +------------------------------------------->(op_resume)--+
3323
3324         By constructing such a graph,
3325
3326             1. Since we have a flow from (op_save) to (merge point), at merge point, we can *use* locals that are defined before (op_save)
3327             2. op_save should claim that it does not define anything. And claim that it *use*s locals that are used in (merge point).
3328             3. at op_resume, we see *use*d locals at merge point and define all of them.
3329
3330         We can do the above things in use-def analysis because use-def analysis is backward analysis.
3331         And after analyzing use-def chains, in op_save / op_resume, we only save / resume live registers at the head of merge point.
3332
3333         * API/JSScriptRef.cpp:
3334         (parseScript):
3335         * CMakeLists.txt:
3336         * Configurations/FeatureDefines.xcconfig:
3337         * DerivedSources.make:
3338         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3339         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3340         * JavaScriptCore.xcodeproj/project.pbxproj:
3341         * builtins/BuiltinExecutables.cpp:
3342         (JSC::createExecutableInternal):
3343         * builtins/GeneratorPrototype.js: Added.
3344         (generatorResume):
3345         (next):
3346         (return):
3347         (throw):
3348         * bytecode/BytecodeBasicBlock.cpp:
3349         (JSC::isBranch):
3350         * bytecode/BytecodeList.json:
3351         * bytecode/BytecodeLivenessAnalysis.cpp:
3352         (JSC::stepOverInstruction):
3353         (JSC::computeLocalLivenessForBytecodeOffset):