Unreviewed, fix CMake build. This got messed up when rebasing.

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-02-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CMake build. This got messed up when rebasing.

        * CMakeLists.txt:

2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the !ENABLE(DFG_JIT) build after r195865
        https://bugs.webkit.org/show_bug.cgi?id=154391

        Reviewed by Filip Pizlo.

        * runtime/SamplingProfiler.cpp:
        (JSC::tryGetBytecodeIndex):

2016-02-17  Filip Pizlo  <fpizlo@apple.com>

        Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
        https://bugs.webkit.org/show_bug.cgi?id=154383

        Reviewed by Saam Barati.

        I did a grep -i llvm of all of our code and did one of the following for each occurence:

        - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
          backend".

        - Removed the reference because I found it to be dead. In some cases it was a dead
          comment: it was telling us things about what LLVM did and that's just not relevant
          anymore. In other cases it was dead code that I forgot to delete in a previous patch.

        - Edited the comment in some smart way. There were comments talking about what LLVM did
          that were still of interest. In some cases, I added a FIXME to consider changing the
          code below the comment on the grounds that it was written in a weird way to placate
          LLVM and so we can do it better now.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::compileTimeStats):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.h:
        * dfg/DFGStaticExecutionCountEstimationPhase.h:
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble): Deleted.
        * disassembler/X86Disassembler.cpp:
        (JSC::tryToDisassemble):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::initialize):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLFormattedValue.h:
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
        (JSC::FTL::DFG::ftlUnreachable):
        (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
        (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
        (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
        (JSC::FTL::lowerDFGToB3):
        (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
        (JSC::FTL::lowerDFGToLLVM): Deleted.
        * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
        * ftl/FTLLowerDFGToLLVM.cpp: Removed.
        * ftl/FTLLowerDFGToLLVM.h: Removed.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLWeight.h:
        (JSC::FTL::Weight::frequencyClass):
        (JSC::FTL::Weight::inverse):
        (JSC::FTL::Weight::scaleToTotal): Deleted.
        * ftl/FTLWeightedTarget.h:
        (JSC::FTL::rarely):
        (JSC::FTL::unsure):
        * jit/CallFrameShuffler64.cpp:
        (JSC::CallFrameShuffler::emitDisplace):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::ftlCalleeSaveRegisters):
        * llvm: Removed.
        * llvm/InitializeLLVMLinux.cpp: Removed.
        * llvm/InitializeLLVMWin.cpp: Removed.
        * llvm/library: Removed.
        * llvm/library/LLVMTrapCallback.h: Removed.
        * llvm/library/libllvmForJSC.version: Removed.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        (JSC::Options::initialize):
        * runtime/Options.h:
        * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
        * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
        * wasm/WASMFunctionParser.cpp:

2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>

        [cmake] Build system cleanup
        https://bugs.webkit.org/show_bug.cgi?id=154337

        Reviewed by Žan Doberšek.

        * CMakeLists.txt:

2016-02-17  Mark Lam  <mark.lam@apple.com>

        Callers of JSString::value() should check for exceptions thereafter.
        https://bugs.webkit.org/show_bug.cgi?id=154346

        Reviewed by Geoffrey Garen.

        JSString::value() can throw an exception if the JS string is a rope and value() 
        needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
        able to resolve the rope, it will return a null string (in addition to throwing
        the exception).  If a caller does not check for exceptions after calling
        JSString::value(), they may eventually use the returned null string and crash the
        VM.

        The fix is to add all the necessary exception checks, and do the appropriate
        handling if needed.

        * jsc.cpp:
        (functionRun):
        (functionLoad):
        (functionReadFile):
        (functionCheckSyntax):
        (functionLoadWebAssembly):
        (functionLoadModule):
        (functionCheckModuleSyntax):
        * runtime/DateConstructor.cpp:
        (JSC::dateParse):
        (JSC::dateNow):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::functionPrint):

2016-02-17  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] ARM64: Support the immediate format used for bit operations in Air
        https://bugs.webkit.org/show_bug.cgi?id=154327

        Reviewed by Filip Pizlo.

        ARM64 supports a pretty rich form of immediates for bit operation.
        There are two formats used to encode repeating patterns and common
        input in a dense form.

        In this patch, I add 2 new type of Arg: BitImm32 and BitImm64.
        Those represents the valid immediate forms for bit operation.
        On x86, any 32bits value is valid. On ARM64, all the encoding
        form are tried and the immediate is used when possible.

        The arg type Imm64 is renamed to BigImm to better represent what
        it is: an immediate that does not fit into Imm.

        * assembler/ARM64Assembler.h:
        (JSC::LogicalImmediate::create32): Deleted.
        (JSC::LogicalImmediate::create64): Deleted.
        (JSC::LogicalImmediate::value): Deleted.
        (JSC::LogicalImmediate::isValid): Deleted.
        (JSC::LogicalImmediate::is64bit): Deleted.
        (JSC::LogicalImmediate::LogicalImmediate): Deleted.
        (JSC::LogicalImmediate::mask): Deleted.
        (JSC::LogicalImmediate::partialHSB): Deleted.
        (JSC::LogicalImmediate::highestSetBit): Deleted.
        (JSC::LogicalImmediate::findBitRange): Deleted.
        (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
        * assembler/AssemblerCommon.h:
        (JSC::ARM64LogicalImmediate::create32):
        (JSC::ARM64LogicalImmediate::create64):
        (JSC::ARM64LogicalImmediate::value):
        (JSC::ARM64LogicalImmediate::isValid):
        (JSC::ARM64LogicalImmediate::is64bit):
        (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
        (JSC::ARM64LogicalImmediate::mask):
        (JSC::ARM64LogicalImmediate::partialHSB):
        (JSC::ARM64LogicalImmediate::highestSetBit):
        (JSC::ARM64LogicalImmediate::findBitRange):
        (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::and64):
        (JSC::MacroAssemblerARM64::or64):
        (JSC::MacroAssemblerARM64::xor64):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::bitImm):
        (JSC::B3::Air::LowerToAir::bitImm64):
        (JSC::B3::Air::LowerToAir::appendBinOp):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::dump):
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::bitImm):
        (JSC::B3::Air::Arg::bitImm64):
        (JSC::B3::Air::Arg::isBitImm):
        (JSC::B3::Air::Arg::isBitImm64):
        (JSC::B3::Air::Arg::isSomeImm):
        (JSC::B3::Air::Arg::value):
        (JSC::B3::Air::Arg::isGP):
        (JSC::B3::Air::Arg::isFP):
        (JSC::B3::Air::Arg::hasType):
        (JSC::B3::Air::Arg::isValidBitImmForm):
        (JSC::B3::Air::Arg::isValidBitImm64Form):
        (JSC::B3::Air::Arg::isValidForm):
        (JSC::B3::Air::Arg::asTrustedImm32):
        (JSC::B3::Air::Arg::asTrustedImm64):
        * b3/air/AirOpcode.opcodes:
        * b3/air/opcode_generator.rb:

2016-02-17  Keith Miller  <keith_miller@apple.com>

        Spread operator should be allowed when not the first argument of parameter list
        https://bugs.webkit.org/show_bug.cgi?id=152721

        Reviewed by Saam Barati.

        Spread arguments to functions should now be ES6 compliant. Before we
        would only take a spread operator if it was the sole argument to a
        function. Additionally, we would not use the Symbol.iterator on the
        object to generate the arguments. Instead we would do a loop up to the
        length mapping indexed properties to the corresponding argument. We fix
        both these issues by doing an AST transformation from foo(...a, b, ...c, d)
        to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
        old spread semantics). This solution has the downside of requiring the
        allocation of another object and copying each element twice but avoids a
        large change to the vm calling convention.

        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createElementList):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseArgument):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createElementList):
        * tests/es6.yaml:
        * tests/stress/spread-calling.js: Added.
        (testFunction):
        (testEmpty):
        (makeObject):
        (otherIterator.return.next):
        (otherIterator):
        (totalIter):
        (throwingIter.return.next):
        (throwingIter):
        (i.catch):

2016-02-17  Brian Burg  <bburg@apple.com>

        Remove a wrong cast in RemoteInspector::receivedSetupMessage
        https://bugs.webkit.org/show_bug.cgi?id=154361
        <rdar://problem/24709281>

        Reviewed by Joseph Pecoraro.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedSetupMessage):
        Not only is this cast unnecessary (the constructor accepts the base class),
        but it is wrong since the target could be an automation target. Remove it.

2016-02-17  Filip Pizlo  <fpizlo@apple.com>

        Rename FTLB3Blah to FTLBlah
        https://bugs.webkit.org/show_bug.cgi?id=154365

        Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLB3Compile.cpp: Removed.
        * ftl/FTLB3Output.cpp: Removed.
        * ftl/FTLB3Output.h: Removed.
        * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
        * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
        * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.

2016-02-17  Filip Pizlo  <fpizlo@apple.com>

        Remove LLVM dependencies from WebKit
        https://bugs.webkit.org/show_bug.cgi?id=154323

        Reviewed by Antti Koivisto and Benjamin Poulain.

        We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
        LLVM-related code dead, including the disassembler, which was only reachable when you were on
        a platform that already had an in-tree disassembler.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCommon.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::compileTimeStats):
        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/ARMv7Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/Disassembler.cpp:
        (JSC::disassemble):
        (JSC::disassembleAsynchronously):
        * disassembler/Disassembler.h:
        (JSC::tryToDisassemble):
        * disassembler/LLVMDisassembler.cpp: Removed.
        * disassembler/LLVMDisassembler.h: Removed.
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/UDis86Disassembler.h:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/X86Disassembler.cpp:
        (JSC::tryToDisassemble):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLAbbreviations.h: Removed.
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::decorateInstruction):
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractField::dump):
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        (JSC::FTL::IndexedAbstractHeap::dump):
        (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
        (JSC::FTL::NumberedAbstractHeap::dump):
        (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
        (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
        * ftl/FTLAbstractHeap.h:
        (JSC::FTL::AbstractHeap::AbstractHeap):
        (JSC::FTL::AbstractHeap::heapName):
        (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
        (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
        (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
        (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLB3Compile.cpp:
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::Output):
        (JSC::FTL::Output::check):
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::store):
        * ftl/FTLB3Output.h:
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        (JSC::FTL::CommonValues::initializeConstants):
        * ftl/FTLCommonValues.h:
        (JSC::FTL::CommonValues::initialize): Deleted.
        * ftl/FTLCompile.cpp: Removed.
        * ftl/FTLCompileBinaryOp.cpp: Removed.
        * ftl/FTLCompileBinaryOp.h: Removed.
        * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
        * ftl/FTLDWARFDebugLineInfo.h: Removed.
        * ftl/FTLDWARFRegister.cpp: Removed.
        * ftl/FTLDWARFRegister.h: Removed.
        * ftl/FTLDataSection.cpp: Removed.
        * ftl/FTLDataSection.h: Removed.
        * ftl/FTLExceptionHandlerManager.cpp: Removed.
        * ftl/FTLExceptionHandlerManager.h: Removed.
        * ftl/FTLExceptionTarget.cpp:
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLExitThunkGenerator.cpp: Removed.
        * ftl/FTLExitThunkGenerator.h: Removed.
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLInlineCacheDescriptor.h: Removed.
        * ftl/FTLInlineCacheSize.cpp: Removed.
        * ftl/FTLInlineCacheSize.h: Removed.
        * ftl/FTLIntrinsicRepository.cpp: Removed.
        * ftl/FTLIntrinsicRepository.h: Removed.
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::~JITCode):
        (JSC::FTL::JITCode::initializeB3Code):
        (JSC::FTL::JITCode::initializeB3Byproducts):
        (JSC::FTL::JITCode::initializeAddressForCall):
        (JSC::FTL::JITCode::contains):
        (JSC::FTL::JITCode::ftl):
        (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        (JSC::FTL::JITCode::initializeExitThunks): Deleted.
        (JSC::FTL::JITCode::addHandle): Deleted.
        (JSC::FTL::JITCode::addDataSection): Deleted.
        (JSC::FTL::JITCode::exitThunks): Deleted.
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::b3Code):
        (JSC::FTL::JITCode::handles): Deleted.
        (JSC::FTL::JITCode::dataSections): Deleted.
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::codeSize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLJSCall.cpp: Removed.
        * ftl/FTLJSCall.h: Removed.
        * ftl/FTLJSCallBase.cpp: Removed.
        * ftl/FTLJSCallBase.h: Removed.
        * ftl/FTLJSCallVarargs.cpp: Removed.
        * ftl/FTLJSCallVarargs.h: Removed.
        * ftl/FTLJSTailCall.cpp: Removed.
        * ftl/FTLJSTailCall.h: Removed.
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::LazySlowPath):
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::createGenerator):
        (JSC::FTL::LazySlowPath::patchableJump):
        (JSC::FTL::LazySlowPath::done):
        (JSC::FTL::LazySlowPath::usedRegisters):
        (JSC::FTL::LazySlowPath::callSiteIndex):
        (JSC::FTL::LazySlowPath::stub):
        (JSC::FTL::LazySlowPath::patchpoint): Deleted.
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forValueRep):
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::forStackmaps): Deleted.
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::forIndirect):
        (JSC::FTL::Location::forConstant):
        (JSC::FTL::Location::kind):
        (JSC::FTL::Location::hasReg):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        (JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
        (JSC::FTL::DFG::LowerDFGToLLVM::getById):
        (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
        (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
        (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
        (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
        (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
        (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
        (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::probe):
        (JSC::FTL::DFG::LowerDFGToLLVM::crash):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
        (JSC::FTL::OSRExitDescriptor::validateReferences):
        (JSC::FTL::OSRExitDescriptor::emitOSRExit):
        (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
        (JSC::FTL::OSRExit::OSRExit):
        (JSC::FTL::OSRExit::codeLocationForRepatch):
        (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
        (JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
        (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
        (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
        (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
        (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
        * ftl/FTLOSRExit.h:
        (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
        (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
        * ftl/FTLOSRExitCompilationInfo.h: Removed.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileRecovery):
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        * ftl/FTLOSRExitHandle.h:
        * ftl/FTLOutput.cpp: Removed.
        * ftl/FTLOutput.h: Removed.
        * ftl/FTLPatchpointExceptionHandle.cpp:
        * ftl/FTLPatchpointExceptionHandle.h:
        * ftl/FTLStackMaps.cpp: Removed.
        * ftl/FTLStackMaps.h: Removed.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        (JSC::FTL::State::~State):
        (JSC::FTL::State::dumpState): Deleted.
        * ftl/FTLState.h:
        * ftl/FTLUnwindInfo.cpp: Removed.
        * ftl/FTLUnwindInfo.h: Removed.
        * ftl/FTLValueRange.cpp:
        (JSC::FTL::ValueRange::decorateInstruction):
        * ftl/FTLValueRange.h:
        (JSC::FTL::ValueRange::ValueRange):
        (JSC::FTL::ValueRange::begin):
        (JSC::FTL::ValueRange::end):
        * ftl/FTLWeight.h:
        (JSC::FTL::Weight::value):
        (JSC::FTL::Weight::frequencyClass):
        (JSC::FTL::Weight::scaleToTotal):
        * llvm/InitializeLLVM.cpp: Removed.
        * llvm/InitializeLLVM.h: Removed.
        * llvm/InitializeLLVMMac.cpp: Removed.
        * llvm/InitializeLLVMPOSIX.cpp: Removed.
        * llvm/InitializeLLVMPOSIX.h: Removed.
        * llvm/LLVMAPI.cpp: Removed.
        * llvm/LLVMAPI.h: Removed.
        * llvm/LLVMAPIFunctions.h: Removed.
        * llvm/LLVMHeaders.h: Removed.
        * llvm/library/LLVMAnchor.cpp: Removed.
        * llvm/library/LLVMExports.cpp: Removed.
        * llvm/library/LLVMOverrides.cpp: Removed.
        * llvm/library/config_llvm.h: Removed.

2016-02-17  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Remove the overflow check on ArithAbs when possible
        https://bugs.webkit.org/show_bug.cgi?id=154325

        Reviewed by Filip Pizlo.

        This patch adds support for ArithMode for ArithAbs.

        It is useful for kraken tests where Math.abs() is used
        on values for which the range is known.

        For example, imaging-gaussian-blur has two Math.abs() with
        integers that are always in a small range around zero.
        The IntegerRangeOptimizationPhase detects the range correctly
        so we can just update the ArithMode depending on the input.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToArithNegate):
        (JSC::DFG::Node::hasArithMode):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
        * tests/stress/arith-abs-integer-range-optimization.js: Added.
        (negativeRange):
        (negativeRangeIncludingZero):
        (negativeRangeWithOverflow):
        (positiveRange):
        (positiveRangeIncludingZero):
        (rangeWithoutOverflow):
        * tests/stress/arith-abs-with-bitwise-or-zero.js: Added.
        (opaqueAbs):

2016-02-17  Chris Dumez  <cdumez@apple.com>

        SES selftest page crashes on nightly r196694
        https://bugs.webkit.org/show_bug.cgi?id=154350
        <rdar://problem/24704334>

        Reviewed by Mark Lam.

        SES selftest page crashes after r196001 / r196145 when calling
        Object.getOwnPropertyDescriptor(window, "length") after the window
        has been reified and "length" has been shadowed by a value property.

        It was crashing in JSObject::getOwnPropertyDescriptor() because
        we are getting a slot that has attribute "CustomAccessor" but
        the property is not a CustomGetterSetter. In this case, since
        window.length is [Replaceable] and has been set to a numeric value,
        it makes that the property is not a CustomGetterSetter. However,
        the "CustomAccessor" attribute should have been dropped from the
        slot when window.length was shadowed. Therefore, this code path
        should not be exercised at all when calling
        getOwnPropertyDescriptor().

        The issue was that putDirectInternal() was updating the slot
        attributes only if the "Accessor" flag has changed, but not
        the "customAccessor" flag. This patch fixes the issue.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):

2016-02-17  Saam barati  <sbarati@apple.com>

        Implement Proxy [[Get]]
        https://bugs.webkit.org/show_bug.cgi?id=154081

        Reviewed by Michael Saboff.

        This patch implements ProxyObject and ProxyConstructor. Their
        implementations are straight forward and follow the spec.
        The largest change in this patch is adding a second parameter
        to PropertySlot's constructor that specifies the internal method type of
        the getOwnPropertySlot inquiry. We use getOwnPropertySlot to 
        implement more than one Internal Method in the spec. Because 
        of this, we need InternalMethodType to give us context about 
        which Internal Method we're executing. Specifically, Proxy will 
        call into different handlers based on this information.

        InternalMethodType is an enum with the following values:
        - Get
          This corresponds to [[Get]] internal method in the spec.
        - GetOwnProperty
          This corresponds to [[GetOwnProperty]] internal method in the spec.
        - HasProperty
          This corresponds to [[HasProperty]] internal method in the spec.
        - VMInquiry
          This is basically everything else that isn't one of the above
          types. This value also mandates that getOwnPropertySlot does
          not perform any user observable effects. I.e, it can't call
          a JS function.

        The other non-VMInquiry InternalMethodTypes are allowed to perform user
        observable effects. I.e, in future patches, ProxyObject will implement
        InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty, which will both be defined
        to call user defined JS functions, which clearly have the right to perform
        user observable effects.

        This patch implements getOwnPropertySlot of ProxyObject under
        InternalMethodType::Get. 

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::caughtValue):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        * runtime/CommonIdentifiers.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::defineOwnProperty):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::regExpMatchesArrayStructure):
        (JSC::JSGlobalObject::moduleRecordStructure):
        (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
        (JSC::JSGlobalObject::proxyObjectStructure):
        (JSC::JSGlobalObject::wasmModuleStructure):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnPropertySlot):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::callbackGetter):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::hasOwnProperty):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::getDirectIndex):
        (JSC::JSObject::get):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/ObjectConstructor.cpp:
        (JSC::toPropertyDescriptor):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncToString):
        * runtime/PropertySlot.h:
        (JSC::attributesForStructure):
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::isCacheableCustom):
        (JSC::PropertySlot::internalMethodType):
        (JSC::PropertySlot::disableCaching):
        (JSC::PropertySlot::getValue):
        * runtime/ProxyConstructor.cpp: Added.
        (JSC::ProxyConstructor::create):
        (JSC::ProxyConstructor::ProxyConstructor):
        (JSC::ProxyConstructor::finishCreation):
        (JSC::constructProxyObject):
        (JSC::ProxyConstructor::getConstructData):
        (JSC::ProxyConstructor::getCallData):
        * runtime/ProxyConstructor.h: Added.
        (JSC::ProxyConstructor::createStructure):
        * runtime/ProxyObject.cpp: Added.
        (JSC::ProxyObject::ProxyObject):
        (JSC::ProxyObject::finishCreation):
        (JSC::performProxyGet):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::getOwnPropertySlot):
        (JSC::ProxyObject::getOwnPropertySlotByIndex):
        (JSC::ProxyObject::visitChildren):
        * runtime/ProxyObject.h: Added.
        (JSC::ProxyObject::create):
        (JSC::ProxyObject::createStructure):
        (JSC::ProxyObject::target):
        (JSC::ProxyObject::handler):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectGet):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
        * tests/es6.yaml:
        * tests/stress/proxy-basic.js: Added.
        (assert):
        (let.handler.get null):
        (get let):
        (let.handler.get switch):
        (let.handler):
        (let.theTarget.get x):
        * tests/stress/proxy-in-proto-chain.js: Added.
        (assert):
        * tests/stress/proxy-of-a-proxy.js: Added.
        (assert):
        (throw.new.Error.):
        * tests/stress/proxy-property-descriptor.js: Added.
        (assert):
        (set Object):
        * wasm/WASMModuleParser.cpp:
        (JSC::WASMModuleParser::getImportedValue):

2016-02-17  Mark Lam  <mark.lam@apple.com>

        StringPrototype functions should check for exceptions after calling JSString::value().
        https://bugs.webkit.org/show_bug.cgi?id=154340

        Reviewed by Filip Pizlo.

        JSString::value() can throw an exception if the JS string is a rope and value()
        needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
        able to resolve the rope, it will return a null string (in addition to throwing
        the exception).  If StringPrototype functions do not check for exceptions after
        calling JSString::value(), they may eventually use the returned null string and
        crash the VM.

        The fix is to add all the necessary exception checks, and do the appropriate
        handling if needed.

        Also in a few place where when an exception is detected, we return JSValue(), I
        changed it to return jsUndefined() instead to be consistent with the rest of the
        file.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSplit):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
        (JSC::stringProtoFuncSup):
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
        (JSC::trimString):

2016-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r196675.
        https://bugs.webkit.org/show_bug.cgi?id=154344

         "Causes major slowdowns on deltablue-varargs" (Requested by
        keith_miller on #webkit).

        Reverted changeset:

        "Spread operator should be allowed when not the first argument
        of parameter list"
        https://bugs.webkit.org/show_bug.cgi?id=152721
        http://trac.webkit.org/changeset/196675

2016-02-17  Gavin Barraclough  <barraclough@apple.com>

        JSDOMWindow::put should not do the same thing twice
        https://bugs.webkit.org/show_bug.cgi?id=154334

        Reviewed by Chris Dumez.

        It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
        In the latter case it might call lookupPut. That's redundant; JSObject::put handles static
        table entries.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.
            - no longer needed.

2016-02-16  Filip Pizlo  <fpizlo@apple.com>

        FTL_USES_B3 should be unconditionally true
        https://bugs.webkit.org/show_bug.cgi?id=154324

        Reviewed by Benjamin Poulain.

        * dfg/DFGCommon.h:

2016-02-16  Filip Pizlo  <fpizlo@apple.com>

        FTL should support CompareEq(String:, String:)
        https://bugs.webkit.org/show_bug.cgi?id=154269
        rdar://problem/24499921

        Reviewed by Benjamin Poulain.

        Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
        think we should land the increased coverage first and fix the issues after, especially since
        the regression is so small and doesn't have a statistically significant effect on the overall
        score.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
        (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
        * tests/stress/ftl-string-equality.js: Added.
        * tests/stress/ftl-string-ident-equality.js: Added.
        * tests/stress/ftl-string-strict-equality.js: Added.

2016-02-16  Filip Pizlo  <fpizlo@apple.com>

        FTL should support NewTypedArray
        https://bugs.webkit.org/show_bug.cgi?id=154268

        Reviewed by Saam Barati.

        3% speed-up on pdfjs. This was already covered by many different tests.

        Rolling this back in after fixing the butterfly argument.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):

2016-02-16  Gavin Barraclough  <barraclough@apple.com>

        JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=154257

        Reviewed by Chris Dumez.

        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
            - this could all do with a little more love.
              But enforce the basic precedence:
                (1) regular storage properties always win over static table properties.
                (2) if properties have been reified, don't consult the static tables.
                (3) only if the property is not present on the object & not reified
                    should the static hashtable be consulted.

2016-02-16  Gavin Barraclough  <barraclough@apple.com>

        JSDOMWindow::getOwnPropertySlot should not search photo chain
        https://bugs.webkit.org/show_bug.cgi?id=154102

        Reviewed by Chris Dumez.

        Should only return *own* properties.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
            - remove hack/special-case for DOMWindow; we no longer need this.

2016-02-16  Keith Miller  <keith_miller@apple.com>

        Spread operator should be allowed when not the first argument of parameter list
        https://bugs.webkit.org/show_bug.cgi?id=152721

        Reviewed by Saam Barati.

        Spread arguments to functions should now be ES6 compliant. Before we
        would only take a spread operator if it was the sole argument to a
        function. Additionally, we would not use the Symbol.iterator on the
        object to generate the arguments. Instead we would do a loop up to the
        length mapping indexed properties to the corresponding argument. We fix
        both these issues by doing an AST transformation from foo(...a, b, ...c, d)
        to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
        old spread semantics). This solution has the downside of requiring the
        allocation of another object and copying each element twice but avoids a
        large change to the vm calling convention.

        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createElementList):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseArgument):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createElementList):
        * tests/es6.yaml:
        * tests/stress/spread-calling.js: Added.
        (testFunction):
        (testEmpty):
        (makeObject):
        (otherIterator.return.next):
        (otherIterator):
        (totalIter):
        (throwingIter.return.next):
        (throwingIter):
        (i.catch):

2016-02-16  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Enable B3 on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=154275

        Reviewed by Mark Lam.

        The port passes more tests than LLVM now, let's use it by default.

        * dfg/DFGCommon.h:

2016-02-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r196652.
        https://bugs.webkit.org/show_bug.cgi?id=154315

        This change caused LayoutTest crashes (Requested by ryanhaddad
        on #webkit).

        Reverted changeset:

        "FTL should support NewTypedArray"
        https://bugs.webkit.org/show_bug.cgi?id=154268
        http://trac.webkit.org/changeset/196652

2016-02-16  Brian Burg  <bburg@apple.com>

        RemoteInspector should forward new automation session requests to its client
        https://bugs.webkit.org/show_bug.cgi?id=154260
        <rdar://problem/24663313>

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::listingForAutomationTarget):
        Use the correct key for the session identifier in the listing. The name()
        override for RemoteAutomationTarget is actually the session identifier.

        (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
        * inspector/remote/RemoteInspectorConstants.h: Add new constants.

2016-02-16  Saam barati  <sbarati@apple.com>

        SamplingProfiler still fails with ASan enabled
        https://bugs.webkit.org/show_bug.cgi?id=154301
        <rdar://problem/24679502>

        Reviewed by Filip Pizlo.

        To fix this issue, I've come up with unsafe versions
        of all operations that load memory from the thread's call
        frame. All these new unsafe methods are marked with SUPPRESS_ASAN.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callSiteAsRawBits):
        (JSC::CallFrame::unsafeCallSiteAsRawBits):
        (JSC::CallFrame::callSiteIndex):
        (JSC::CallFrame::unsafeCallSiteIndex):
        (JSC::CallFrame::stack):
        (JSC::CallFrame::callerFrame):
        (JSC::CallFrame::unsafeCallerFrame):
        (JSC::CallFrame::friendlyFunctionName):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::callee):
        (JSC::ExecState::unsafeCallee):
        (JSC::ExecState::codeBlock):
        (JSC::ExecState::unsafeCodeBlock):
        (JSC::ExecState::scope):
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOrVMEntryFrame):
        (JSC::ExecState::unsafeCallerFrameOrVMEntryFrame):
        (JSC::ExecState::callerFrameOffset):
        (JSC::ExecState::callerFrameAndPC):
        (JSC::ExecState::unsafeCallerFrameAndPC):
        * interpreter/Register.h:
        (JSC::Register::codeBlock):
        (JSC::Register::asanUnsafeCodeBlock):
        (JSC::Register::unboxedInt32):
        (JSC::Register::tag):
        (JSC::Register::unsafeTag):
        (JSC::Register::payload):
        * interpreter/VMEntryRecord.h:
        (JSC::VMEntryRecord::prevTopCallFrame):
        (JSC::VMEntryRecord::unsafePrevTopCallFrame):
        (JSC::VMEntryRecord::prevTopVMEntryFrame):
        (JSC::VMEntryRecord::unsafePrevTopVMEntryFrame):
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::walk):
        (JSC::FrameWalker::advanceToParentFrame):
        (JSC::FrameWalker::isAtTop):
        (JSC::FrameWalker::resetAtMachineFrame):

2016-02-16  Filip Pizlo  <fpizlo@apple.com>

        FTL should support NewTypedArray
        https://bugs.webkit.org/show_bug.cgi?id=154268

        Reviewed by Saam Barati.

        3% speed-up on pdfjs. This was already covered by many different tests.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):

2016-02-16  Saam barati  <sbarati@apple.com>

        stress/sampling-profiler-deep-stack.js fails on ARM 32bit
        https://bugs.webkit.org/show_bug.cgi?id=154255
        <rdar://problem/24662996>

        Reviewed by Mark Lam.

        The bug here wasn't in the implementation of the sampling profiler 
        itself. Rather, it was a bug in the test. JSC wasn't spending a lot
        of time in a function that the test assumed a lot of time was spent in.
        That's because the DFG was doing a good job at optimizing the function
        at the leaf of the recursion. Because of that, we often wouldn't sample it.
        I fixed this by making the leaf function do more work.

        * tests/stress/sampling-profiler-deep-stack.js:
        (platformSupportsSamplingProfiler.foo):

2016-02-16  Chris Dumez  <cdumez@apple.com>

        [Web IDL] Operations should be on the instance for global objects or if [Unforgeable]
        https://bugs.webkit.org/show_bug.cgi?id=154120
        <rdar://problem/24613231>

        Reviewed by Gavin Barraclough.

        Have putEntry() take a thisValue parameter in addition to the base,
        instead of relying on PropertySlot::thisValue() because this did not
        always do the right thing. In particular, when JSDOMWindow::put() was
        called to set a function, it would end up setting the new value on the
        JSDOMWindowShell instead of the actual JSDOMWindow.
        JSDOMWindow::getOwnPropertySlot() would then not be able to find it.
        Therefore the following would fail:
        $ window.open = "test"
        $ console.log(window.open) // prints the native function instead of "test"

        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):

2016-02-16  Keith Miller  <keith_miller@apple.com>

        ClonedArguments should not materialize its special properties unless they are being changed or deleted
        https://bugs.webkit.org/show_bug.cgi?id=154128

        Reviewed by Filip Pizlo.

        Before we would materialize ClonedArguments whenever they were being accessed.
        However this would cause the IC to miss every time as the structure for
        the arguments object would change as we went to IC it. Thus on the next
        function call we would miss the cache since the new arguments object
        would not have materialized the value.

        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::getOwnPropertySlot):
        * tests/stress/cloned-arguments-modification.js: Added.
        (foo):

2016-02-16  Filip Pizlo  <fpizlo@apple.com>

        FTL should support StringFromCharCode
        https://bugs.webkit.org/show_bug.cgi?id=154267
        rdar://problem/24192536

        Reviewed by Mark Lam.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Fix a bug preventing the UntypedUse from being effective.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileStringFromCharCode): Implement the opcode.
        * tests/stress/string-from-char-code-slow.js: Added.

2016-02-15  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] BranchAdd can override arguments of its stackmap
        https://bugs.webkit.org/show_bug.cgi?id=154274

        Reviewed by Filip Pizlo.

        With the 3 operands BranchAdd added in r196513, we can run into
        a register allocation such that the destination register is also
        used by a value in the stack map.

        It use to be that BranchAdd was a 2 operand instruction.
        In that form, the destination is also one of the source and
        can be recovered through Sub. There is no conflict between
        destination and the stackmap.

        After r196513, the destination has its own value. It is uncommon
        on x86 because of the aggressive aliasing but that can happen.
        On ARM, that's a standard form since there is no need for aliasing.

        Since the arguments of the stackmap are of type EarlyUse,
        they appeared as not interfering with the destination. When the register
        allocator gives the same register to the destination and something in
        the stack map, the result of BranchAdd destroys the value kept alive
        for the stackmap.

        In this patch, I introduce a concept very similar to ForceLateUse
        to keep the argument of the stackmap live in CheckAdd. The new
        role is "ForceLateUseUnlessRecoverable".

        In this mode, anything that is not also an input argument becomes
        LateUse. As such, it interferes with the destination of CheckAdd.
        The arguments are recovered by the slow patch of CheckAdd. They
        remain Early use.

        This new modes ensure that destination can be aliased to the source
        when that's useful, while making sure it is not aliased with another
        value that needs to be live on exit.

        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::forEachArg):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        (WTF::printInternal):
        * b3/B3StackmapSpecial.h:
        * b3/B3StackmapValue.h:

2016-02-15  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Web Workers have no access to console for debugging
        https://bugs.webkit.org/show_bug.cgi?id=26237

        Reviewed by Timothy Hatcher.

        * inspector/ConsoleMessage.h:
        Add accessor for MessageLevel.

2016-02-15  Mark Lam  <mark.lam@apple.com>

        [ARMv7] stress/op_rshift.js and stress/op_urshift.js are failing.
        https://bugs.webkit.org/show_bug.cgi?id=151514

        Reviewed by Filip Pizlo.

        The issue turns out to be trivial: on ARMv7 (and traditional ARM too), arithmetic
        shift right (ASR) and logical shift right (LSR) takes an immediate shift amount
        from 1-32.  See http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cjacbgca.html.
        An immediate shift amount of 0 is interpreted as a shift of 32 bits.

        Meanwhile, our macro assembler is expecting the immediate shift value to be
        between 0-31.  As a result, a shift amount of 0 is being wrongly encoded with 0
        bits which means shift right by 32 bits.

        The fix is to check if the shift amount is 0, and if so, emit a move.  Else,
        emit the right shift as usual.

        This issue does not affect left shifts, as the immediate shift amount for left
        shifts is between 0-31 as our macro assembler expects.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::sub32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::rshift32):
        (JSC::MacroAssemblerARMv7::urshift32):

        * tests/stress/op_rshift.js:
        * tests/stress/op_urshift.js:
        - Un-skip these tests.  They should always pass now.

2016-02-15  Filip Pizlo  <fpizlo@apple.com>

        Parser::parseVariableDeclarationList should null check the node before attempting to create a new CommaExpr
        https://bugs.webkit.org/show_bug.cgi?id=154244
        rdar://problem/24290670

        Reviewed by Michael Saboff.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::appendToCommaExpr): Catch the bug sooner in debug.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVariableDeclarationList): Fix the bug.
        * tests/stress/for-let-comma.js: Added. This used to crash in debug and release.

2016-02-15  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve the interface of Inst::shouldTryAliasingDef()
        https://bugs.webkit.org/show_bug.cgi?id=154227

        Reviewed by Andreas Kling.

        Using Optional<> instead of a bool+reference looks cleaner
        at the call sites.

        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::shouldTryAliasingDef):
        * b3/B3CheckSpecial.h:
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirSpecial.cpp:
        (JSC::B3::Air::Special::shouldTryAliasingDef):
        * b3/air/AirSpecial.h:

2016-02-14  Brian Burg  <bburg@apple.com>

        WKAutomationDelegate's requestAutomationSession should take a suggested session identifier
        https://bugs.webkit.org/show_bug.cgi?id=154012
        <rdar://problem/24557697>

        Reviewed by Darin Adler.

        Add a string parameter to the client method for requesting a new session.

        * inspector/remote/RemoteInspector.h:

2016-02-13  Timothy Hatcher  <timothy@apple.com>

        Fix WebAssembly bug URL in the feature list.

        * features.json:

2016-02-12  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Change the last RefPtr::get() to release() in String.prototype.normalize
        https://bugs.webkit.org/show_bug.cgi?id=154211

        Reviewed by Ryosuke Niwa.

        Change the last RefPtr::get() to release() in String.prototype.normalize.

        * runtime/StringPrototype.cpp:
        (JSC::normalize):

2016-02-12  Saam barati  <sbarati@apple.com>

        [ES6] we have an incorrect syntax error when a callee of a function expression has the same name as a top-level lexical declaration
        https://bugs.webkit.org/show_bug.cgi?id=154143

        Reviewed by Benjamin Poulain.

        We were raising syntax errors on the following type of programs when
        we shouldn't have been.
        ```
        (function foo() { const foo = 20; });
        ```

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
        (JSC::Scope::declareCallee):
        (JSC::Scope::declareVariable):
        (JSC::Scope::hasDeclaredVariable):
        (JSC::Scope::hasLexicallyDeclaredVariable):
        (JSC::Scope::hasDeclaredParameter):
        (JSC::Scope::declareWrite):
        (JSC::Scope::getCapturedVars):

2016-02-12  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] ZeroExtend and SignExtend use incorrect addressing on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=154208

        Reviewed by Filip Pizlo.

        When lowering:
            @1 = Load32(@x)
            @2 = SExt8(@1)

        LowerToAir would see there is a form of SignExtend8To32 (an alias for Load8S)
        and use that.

        There are two problems with that:
        1) If we have an Addr, it went through legalizeMemoryOffsets() for a 32bits
           load. If used on an other kind of load, there is no guarantee the addressing
           is still valid.
        2) If we have an Index, it is computed for the 32bits MemoryValue.
           The computed index is not valid for the 8bits load.

        (2) could be fixed by changing LowerToAir to use the current instruction width
        instead of the B3ValueWidth but that's a bit tricky. We should just embrace
        that one of our target is a Load-Store architecture.

        In this patch, I just disabled the faulty forms on ARM64. We still need those operations
        to be fast, this will be addressed in: https://bugs.webkit.org/show_bug.cgi?id=154207

        I also strengthened the m_allowScratchRegister assertion. The instructions that do not
        invalidate the temporary did not run the assertion, making this harder to debug.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::store64):
        (JSC::MacroAssemblerARM64::store32):
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        (JSC::MacroAssemblerARM64::branch32):
        (JSC::MacroAssemblerARM64::branch64):
        (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
        (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
        (JSC::MacroAssemblerARM64::dataMemoryTempRegister):
        (JSC::MacroAssemblerARM64::cachedMemoryTempRegister):
        (JSC::MacroAssemblerARM64::load):
        (JSC::MacroAssemblerARM64::store):
        * b3/air/AirOpcode.opcodes:

2016-02-12  Michael Saboff  <msaboff@apple.com>

        offlineasm: Emit Dwarf2 file and location directives to allow for debugging .asm files
        https://bugs.webkit.org/show_bug.cgi?id=152703

        Reviewed by Mark Lam.

        Added support to output Dwarf2 .file and .loc assembler directives to provide the debugging
        information needed to correlate the offline assembler generated code with the source lines 
        in the .asm files.

        Changed the tracking of file data to include a file index that was provided to the .file
        directive.  That index is used when emitting the .loc directives.

        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/backends.rb:
        * offlineasm/config.rb:
        * offlineasm/parser.rb:
        * offlineasm/x86.rb:

2016-02-12  Saam barati  <sbarati@apple.com>

        The parser doesn't properly protect against global variable references in builtins
        https://bugs.webkit.org/show_bug.cgi?id=154144

        Reviewed by Geoffrey Garen.

        This patch fixes our global variable reference detection
        algorithm that was broken. After fixing the algorithm, I
        detected many places where we were incorrectly using global
        variables. I've fixed all those.

        * builtins/BuiltinExecutables.cpp:
        (JSC::createExecutableInternal):
        * builtins/NumberPrototype.js:
        (toLocaleString):
        * builtins/PromiseConstructor.js:
        (race):
        (reject):
        (resolve):
        * parser/Nodes.cpp:
        (JSC::ProgramNode::ProgramNode):
        (JSC::ModuleProgramNode::ModuleProgramNode):
        (JSC::ProgramNode::setClosedVariables): Deleted.
        * parser/Nodes.h:
        (JSC::ScopeNode::setClosedVariables): Deleted.
        (JSC::ProgramNode::closedVariables): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::didFinishParsing):
        * parser/Parser.h:
        (JSC::Scope::setIsLexicalScope):
        (JSC::Scope::isLexicalScope):
        (JSC::Scope::closedVariableCandidates):
        (JSC::Scope::declaredVariables):
        (JSC::Scope::lexicalVariables):
        (JSC::Scope::finalizeLexicalEnvironment):
        (JSC::Parser::positionBeforeLastNewline):
        (JSC::Parser::locationBeforeLastToken):
        (JSC::Parser::isFunctionMetadataNode):
        (JSC::parse):
        (JSC::Parser::closedVariables): Deleted.

2016-02-12  Filip Pizlo  <fpizlo@apple.com>

        JSObject::putByIndexBeyondVectorLengthWithoutAttributes needs to go to the sparse map based on MAX_STORAGE_VECTOR_INDEX
        https://bugs.webkit.org/show_bug.cgi?id=154201
        rdar://problem/24291387

        Reviewed by Saam Barati.

        I decided against adding a test for this, because it runs for a very long time.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): Fix the bug.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit): Fix a related bug: if this code creates an array that would have
            hit the above bug, then it would probably manifest as a spin or as swapping.

2016-02-12  Jonathan Davis  <jond@apple.com>

        Add WebAssembly to the status page
        https://bugs.webkit.org/show_bug.cgi?id=154199

        Reviewed by Timothy Hatcher.

        * features.json:

2016-02-12  Brian Burg  <bburg@apple.com>

        Web Inspector: disambiguate the various identifier and connection types in RemoteInspector
        https://bugs.webkit.org/show_bug.cgi?id=154130

        Reviewed by Joseph Pecoraro.

        There are multiple identifier types:
            - connection identifier, a string UUID for a remote debugger process.
            - session identifier, a string UUID for a remote driver/debugger instance.
            - page/target identifier, a number unique within a single process.

        There are multiple connection types:
            - RemoteInspectorXPCConnection, a connection from RemoteInspectorXPCConnectionor to a relay.
            - RemoteConnectionToTarget, a class that bridges to targets' dispatch queues.

        Use consistent variable and getter names so that these don't get confused and
        so that the code is easier to read. This is especially an improvement when working
        with multiple target types or connection types within the same function.

        * inspector/remote/RemoteConnectionToTarget.h:
        * inspector/remote/RemoteConnectionToTarget.mm:
        Remove the member for m_identifier since we can ask the target for its target identifier
        or use a default value via WTF::Optional. There's no reason to cache the value.

        (Inspector::RemoteTargetHandleRunSourceWithInfo):
        (Inspector::RemoteConnectionToTarget::targetIdentifier):
        (Inspector::RemoteConnectionToTarget::destination):
        (Inspector::RemoteConnectionToTarget::setup):
        (Inspector::RemoteConnectionToTarget::sendMessageToFrontend):
        Bail out if the target pointer was somehow cleared and we can't get a useful target identifier.

        (Inspector::RemoteConnectionToTarget::RemoteConnectionToTarget): Deleted.
        * inspector/remote/RemoteControllableTarget.h:
        * inspector/remote/RemoteInspectionTarget.cpp:
        (Inspector::RemoteInspectionTarget::pauseWaitingForAutomaticInspection):
        (Inspector::RemoteInspectionTarget::unpauseForInitializedInspector):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
        (Inspector::RemoteInspector::registerTarget):
        (Inspector::RemoteInspector::unregisterTarget):
        (Inspector::RemoteInspector::updateTarget):
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
        (Inspector::RemoteInspector::sendMessageToRemote):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::setupCompleted):
        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::listingForInspectionTarget):
        (Inspector::RemoteInspector::listingForAutomationTarget):
        (Inspector::RemoteInspector::pushListingsNow):
        (Inspector::RemoteInspector::pushListingsSoon):
        (Inspector::RemoteInspector::updateHasActiveDebugSession):
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDataMessage):
        (Inspector::RemoteInspector::receivedDidCloseMessage):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        (Inspector::RemoteInspector::receivedConnectionDiedMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
        (Inspector::RemoteInspector::nextAvailableIdentifier): Deleted.
        * inspector/remote/RemoteInspectorConstants.h:

2016-02-12  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] On x86, improve the selection of which value are selected for the UseDef part of commutative operations
        https://bugs.webkit.org/show_bug.cgi?id=154151

        Reviewed by Filip Pizlo.

        Previously, when an instruction destroy an argument with
        a UseDef use, we would try to pick a good target for the UseDef
        while doing instruction selection.

        For example:
            @x = Add(@1, @2)

        can be lowered to:
            Move @1 Tmp3
            Add @2 Tmp3
        or
            Move @2 Tmp3
            Add @1 Tmp3

        The choice of which value ends up copied is done by preferRightForResult()
        at lowering time.

        There are two common problems with the code we generate:
        1) It is based on UseCount. If a value is at its last use,
           it is a good target for coalescing even with a use-count > 1.
        2) When both values are at their last use, the best choice
           depends on the register pressure of each. We don't have that information
           until we do register allocation.

        This patch implements a simple idea to minimize how many of those Moves are needed.
        Each commutative operation gets a 3 op variant. The register allocator then attempts
        to alias *both* of them to the destination.
        Since our aliasing is conservative, it removes as many copy as possible without causing
        spilling.

        There was an unexpected cool impovement too. If you have:
            Move Tmp1, Tmp2
            BranchAdd32 Tmp3, Tmp2
        we would previously restore Tmp2 by substracting Tmp3 from the result.
        We can now just use Tmp1. That removes quite a few Sub from the slow paths.

        The problem is that simple idea uncoverred a bunch of issues that had to be fixed too.
        I detail them inline below.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::and64):
        * assembler/MacroAssemblerX86Common.h:
        Most addition are adding an Address version of the 3 operands opcodes.
        The reason for this is allow the complex addressing forms of instructions
        when spilling.

        (JSC::MacroAssemblerX86Common::and32):
        (JSC::MacroAssemblerX86Common::mul32):
        (JSC::MacroAssemblerX86Common::or32):
        (JSC::MacroAssemblerX86Common::xor32):
        (JSC::MacroAssemblerX86Common::moveDouble):
        This was an unexpected discovery: removing tons of Move32 made floating-point heavy
        code much slower.

        It turns out the MoveDouble we were using has partial register dependencies.

        The x86 optimization manual, Chapter 3, section 3.4.1.13 lists the move instructions executed
        directly on the frontend. That's what we use now.

        (JSC::MacroAssemblerX86Common::addDouble):
        (JSC::MacroAssemblerX86Common::addFloat):
        (JSC::MacroAssemblerX86Common::mulDouble):
        (JSC::MacroAssemblerX86Common::mulFloat):
        (JSC::MacroAssemblerX86Common::andDouble):
        (JSC::MacroAssemblerX86Common::andFloat):
        (JSC::MacroAssemblerX86Common::xorDouble):
        (JSC::MacroAssemblerX86Common::xorFloat):
        If the destination is not aliased, the version taking an address
        use LoadFloat/LoadDouble instead of direct addressing.

        That is because this:
            Move Tmp1, Tmp2
            Op [Tmp3], Tmp2
        is slower than
            Move [Tmp3] Tmp2
            Op Tmp1, Tmp2
        (sometimes significantly).

        I am not exactly sure why.

        (JSC::MacroAssemblerX86Common::branchAdd32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::and64):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::and64):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and32):
        (JSC::MacroAssemblerX86Common::mul32):
        (JSC::MacroAssemblerX86Common::or32):
        (JSC::MacroAssemblerX86Common::xor32):
        (JSC::MacroAssemblerX86Common::moveDouble):
        (JSC::MacroAssemblerX86Common::addDouble):
        (JSC::MacroAssemblerX86Common::addFloat):
        (JSC::MacroAssemblerX86Common::mulDouble):
        (JSC::MacroAssemblerX86Common::mulFloat):
        (JSC::MacroAssemblerX86Common::andDouble):
        (JSC::MacroAssemblerX86Common::andFloat):
        (JSC::MacroAssemblerX86Common::xorDouble):
        (JSC::MacroAssemblerX86Common::xorFloat):
        (JSC::MacroAssemblerX86Common::branchAdd32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::and64):
        (JSC::MacroAssemblerX86_64::mul64):
        (JSC::MacroAssemblerX86_64::xor64):
        (JSC::MacroAssemblerX86_64::branchAdd64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movapd_rr):
        (JSC::X86Assembler::movaps_rr):
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::shouldTryAliasingDef):
        (JSC::B3::CheckSpecial::generate):
        * b3/B3CheckSpecial.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        Aliasing the operands is done the same way as any coalescing.

        There were problem with considering all those coalescing
        as equivalent for the result.

        Moves are mostly generated for Upsilon-Phis. Getting rid of
        those tends to give better loops.

        Sometimes, blocks have only Phis and a Jump. Coalescing
        those moves gets rids of the block entirely.

        Where it go interesting was that something like:
            Move Tmp1, Tmp2
            Op Tmp3, Tmp2
        was significantly better than:
            Op Tmp1, Tmp3
            Move Tmp1, Tmp4
        even in the same basic block.

        To get back to the same performance when, I had to prioritize
        regular Moves operations over argument coalescing.

        Another argument for doing this is that the alias has a shorter
        life in the hardware because the operation itself gets a new
        virtual register from the bank.

        * b3/air/AirOpcode.opcodes:
        * b3/air/AirSpecial.cpp:
        (JSC::B3::Air::Special::shouldTryAliasingDef):
        * b3/air/AirSpecial.h:
        * b3/testb3.cpp:
        (JSC::B3::testCheckAddArgumentAliasing64):
        (JSC::B3::testCheckAddArgumentAliasing32):
        (JSC::B3::testCheckAddSelfOverflow64):
        (JSC::B3::testCheckAddSelfOverflow32):
        (JSC::B3::testCheckMulArgumentAliasing64):
        (JSC::B3::testCheckMulArgumentAliasing32):
        (JSC::B3::run):

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
        This ruined my week.

        When regenerating the frame of an inlined function that
        was called through a tail call, we were ignoring r13 for some reason.

        Since this patch makes it more likely to increase the degree
        of each Tmp, the number of register used increased and r13 was more
        commonly used.

        When getting out of OSRExit, we would have that value trashed :(

        The fix is simply to restore it like the other two Baseline callee saved
        register.

2016-02-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement @@search
        https://bugs.webkit.org/show_bug.cgi?id=143889

        Reviewed by Darin Adler.

        Implement RegExp.prototype[@@search].
        In ES6, String.prototype.search delegates the actual matching to it
        instead of executing RegExp matching inside String.prototype.search method itself.
        By customizing @@search method, we can change the behavior of String.prototype.search for
        derived / customized RegExp object.

        * CMakeLists.txt:
        * DerivedSources.make:
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames): Deleted.
        * builtins/BuiltinUtils.h:
        * builtins/StringPrototype.js:
        (search):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncSearch):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::getOwnPropertySlot):
        (JSC::StringPrototype::finishCreation): Deleted.
        (JSC::stringProtoFuncSearch): Deleted.
        * runtime/StringPrototype.h:
        * tests/es6.yaml:
        * tests/stress/regexp-search.js: Added.
        (shouldBe):
        (shouldThrow):
        (errorKey.toString):
        (primitive.of.primitives.shouldThrow):
        (testRegExpSearch):
        (testSearch):
        (testBoth):
        (alwaysUnmatch):

2016-02-12  Keith Miller  <keith_miller@apple.com>

        AdaptiveInferredPropertyValueWatchpoint can trigger a GC that frees its CodeBlock and thus itself
        https://bugs.webkit.org/show_bug.cgi?id=154146

        Reviewed by Filip Pizlo.

        Consider the following: there is some CodeBlock, C, that is watching some object, O, with a
        structure, S, for replacements. Also, suppose that C has no references anymore and is due to
        be GCed. Now, when some new property is added to O, S will create a new structure S' and
        fire its transition watchpoints. Since C is watching S for replacements it will attempt to
        have its AdaptiveInferredPropertyValueWatchpoint relocate itself to S'. To do so, it needs
        it allocate RareData on S'. This allocation may cause a GC, which frees C while still
        executing its watchpoint handler. The solution to this is to defer GC while running
        AdaptiveInferredPropertyValueWatchpointBase handlers.

        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):

2016-02-12  Gavin Barraclough  <barraclough@apple.com>

        Separate out !allowsAccess path in JSDOMWindowCustom getOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=154156

        Reviewed by Chris Dumez.

        * runtime/CommonIdentifiers.h:
            - added new property names, needed by jsDOMWindowGetOwnPropertySlotDisallowAccess.

2016-02-12  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Update ICU header files to version 52
        https://bugs.webkit.org/show_bug.cgi?id=154160

        Reviewed by Alex Christensen.

        Update ICU header files to version 52 to allow the use of newer APIs.

        * icu/unicode/localpointer.h:
        * icu/unicode/platform.h:
        * icu/unicode/ptypes.h:
        * icu/unicode/putil.h:
        * icu/unicode/ucal.h:
        * icu/unicode/uchar.h:
        * icu/unicode/ucnv.h:
        * icu/unicode/ucol.h:
        * icu/unicode/uconfig.h:
        * icu/unicode/udat.h:
        * icu/unicode/udatpg.h:
        * icu/unicode/udisplaycontext.h: Added.
        * icu/unicode/uenum.h:
        * icu/unicode/uformattable.h: Added.
        * icu/unicode/uiter.h:
        * icu/unicode/uloc.h:
        * icu/unicode/umachine.h:
        * icu/unicode/unorm2.h:
        * icu/unicode/unum.h:
        * icu/unicode/urename.h:
        * icu/unicode/uscript.h:
        * icu/unicode/uset.h:
        * icu/unicode/ustring.h:
        * icu/unicode/utf.h:
        * icu/unicode/utf16.h:
        * icu/unicode/utf8.h:
        * icu/unicode/utf_old.h:
        * icu/unicode/utypes.h:
        * icu/unicode/uvernum.h:
        * icu/unicode/uversion.h:

2016-02-12  Filip Pizlo  <fpizlo@apple.com>

        Fast path in JSObject::defineOwnIndexedProperty() forgets to check for the posibility of a descriptor that doesn't have a value
        https://bugs.webkit.org/show_bug.cgi?id=154175
        rdar://problem/24291497

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnIndexedProperty): Fix the bug.
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry): Catch the bug sooner in debug.
        (JSC::SparseArrayValueMap::putDirect):
        * tests/stress/sparse-define-empty-descriptor.js: Added. This used to crash in release.

2016-02-11  Brian Burg  <bburg@apple.com>

        Web Inspector: RemoteInspector's listings should include whether an AutomationTarget is paired
        https://bugs.webkit.org/show_bug.cgi?id=154077
        <rdar://problem/24589133>

        Reviewed by Joseph Pecoraro.

        Instead of not generating a listing for the target when it is occupied,
        generate the listing with a 'paired' flag. The old flag was redundant
        because a _WKAutomationDelegate will not create a session if it doesn't
        support automation or it already has an active session.

        * inspector/remote/RemoteAutomationTarget.cpp:
        (Inspector::RemoteAutomationTarget::setIsPaired):
        (Inspector::RemoteAutomationTarget::setAutomationAllowed): Deleted.
        * inspector/remote/RemoteAutomationTarget.h:
        Return false for remoteControlAllowed() if the target is already paired.
        This function is used by RemoteInspector to deny incoming connections.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::listingForAutomationTarget):
        * inspector/remote/RemoteInspectorConstants.h:

2016-02-11  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser needs to null check the result of presenceLike()
        https://bugs.webkit.org/show_bug.cgi?id=154135
        rdar://problem/24291586

        Reviewed by Geoffrey Garen.

        ByteCodeParser::presenceLike() could return a null object property condition if it detects a
        contradiction. That could happen due to bogus profiling. It's totally OK - we just need to
        bail from using a property condition when that happens.

        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::equivalence):
        (JSC::ObjectPropertyCondition::operator bool):
        (JSC::ObjectPropertyCondition::object):
        (JSC::ObjectPropertyCondition::condition):
        (JSC::ObjectPropertyCondition::operator!): Deleted.
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::equivalence):
        (JSC::PropertyCondition::operator bool):
        (JSC::PropertyCondition::kind):
        (JSC::PropertyCondition::uid):
        (JSC::PropertyCondition::operator!): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::check):
        (JSC::DFG::ByteCodeParser::load):

2016-02-11  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] SqrtFloat and CeilFloat also suffer from partial register stalls
        https://bugs.webkit.org/show_bug.cgi?id=154131

        Reviewed by Filip Pizlo.

        Looks like I forgot to update this when adding Float support.
        Credit to Filip for finding this issue.

        * b3/air/AirFixPartialRegisterStalls.cpp:

2016-02-11  Filip Pizlo  <fpizlo@apple.com>

        Cannot call initializeIndex() if we didn't create the array using tryCreateUninitialized()
        https://bugs.webkit.org/show_bug.cgi?id=154126

        Reviewed by Saam Barati.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):

2016-02-11  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        [INTL] Implement Intl.NumberFormat.prototype.resolvedOptions ()
        https://bugs.webkit.org/show_bug.cgi?id=147602

        Reviewed by Darin Adler.

        This patch implements Intl.NumberFormat.prototype.resolvedOptions() according
        to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::localeData):
        * runtime/IntlNumberFormat.cpp:
        (JSC::localeData):
        (JSC::computeCurrencySortKey):
        (JSC::extractCurrencySortKey):
        (JSC::computeCurrencyDigits):
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::styleString):
        (JSC::IntlNumberFormat::currencyDisplayString):
        (JSC::IntlNumberFormat::resolvedOptions):
        (JSC::IntlNumberFormat::setBoundFormat):
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        (JSC::callIntlNumberFormat):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::intlNumberOption):
        (JSC::numberingSystemsForLocale):
        (JSC::getNumberingSystemsForLocale): Deleted.
        * runtime/IntlObject.h:

2016-02-11  Filip Pizlo  <fpizlo@apple.com>

        MacroAssemblerX86 should be happy with shift(cx, cx)
        https://bugs.webkit.org/show_bug.cgi?id=154124

        Reviewed by Saam Barati.

        Prior to this change the assembler asserted that shift_amount and dest cannot be the same.
        That's a good assertion for when shift_amount is not in cx. But if it's in cx already then
        it's OK for them to be the same. Air will sometimes do shift(cx, cx) if you do "x << x" and
        the coalescing got particularly clever.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::lshift32):
        (JSC::MacroAssemblerX86Common::rshift32):
        (JSC::MacroAssemblerX86Common::urshift32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::lshift64):
        (JSC::MacroAssemblerX86_64::rshift64):
        (JSC::MacroAssemblerX86_64::urshift64):
        * b3/testb3.cpp:
        (JSC::B3::testLShiftSelf32):
        (JSC::B3::testRShiftSelf32):
        (JSC::B3::testURShiftSelf32):
        (JSC::B3::testLShiftSelf64):
        (JSC::B3::testRShiftSelf64):
        (JSC::B3::testURShiftSelf64):
        (JSC::B3::run):

2016-02-11  Saam barati  <sbarati@apple.com>

        The sampling profiler's stack walker methods should be marked with SUPPRESS_ASAN
        https://bugs.webkit.org/show_bug.cgi?id=154123

        Reviewed by Mark Lam.

        The entire premise of the sampling profiler is to load from
        another thread's memory. We should SUPPRESS_ASAN on the
        methods that do this.

        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::FrameWalker):
        (JSC::FrameWalker::walk):
        (JSC::FrameWalker::advanceToParentFrame):
        (JSC::FrameWalker::isAtTop):
        (JSC::FrameWalker::resetAtMachineFrame):

2016-02-11  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed typo fix after r190063.

        * dfg/DFGSpeculativeJIT.cpp: Removed property svn:executable.
        * dfg/DFGSpeculativeJIT.h: Removed property svn:executable.
        * jit/JIT.h: Removed property svn:executable.
        * jit/JITInlines.h: Removed property svn:executable.
        * jit/JITOpcodes.cpp: Removed property svn:executable.

2016-02-11  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed typo fix after r190063.

        * dfg/DFGSpeculativeJIT.cpp: Removed property svn:executable.
        * dfg/DFGSpeculativeJIT.h: Removed property svn:executable.
        * jit/JIT.h: Removed property svn:executable.
        * jit/JITInlines.h: Removed property svn:executable.
        * jit/JITOpcodes.cpp: Removed property svn:executable.

2016-02-10  Keith Miller  <keith_miller@apple.com>

        Symbol.species accessors on builtin constructors should be configurable
        https://bugs.webkit.org/show_bug.cgi?id=154097

        Reviewed by Benjamin Poulain.

        We did not have the Symbol.species accessors on our builtin constructors
        marked as configurable. This does not accurately follow the ES6 spec as
        the ES6 spec states that all default accessors on builtins should be
        configurable. This means that we need an additional watchpoint on
        ArrayConstructor to make sure that no users re-configures Symbol.species.

        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::speciesConstructArray):
        (JSC::ArrayPrototype::setConstructor):
        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::didChangeConstructorOrSpeciesProperties):
        (JSC::ArrayPrototype::didChangeConstructorProperty): Deleted.
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::finishCreation):
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::finishCreation):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::SetConstructor::finishCreation):
        * tests/stress/array-species-config-array-constructor.js: Added.
        (A):
        * tests/stress/symbol-species.js:
        (testSymbolSpeciesOnConstructor):

2016-02-10  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] The destination of Sqrt should be Def, not UseDef
        https://bugs.webkit.org/show_bug.cgi?id=154086

        Reviewed by Geoffrey Garen.

        An unfortunate copy-paste: the destination of SqrtDouble and SqrtFloat
        was defined as UseDef. As a result, the argument would be interfering
        with everything defined prior.

        * b3/air/AirOpcode.opcodes:

2016-02-10  Chris Dumez  <cdumez@apple.com>

        [Web IDL] interface objects should be Function objects
        https://bugs.webkit.org/show_bug.cgi?id=154038
        <rdar://problem/24569358>

        Reviewed by Geoffrey Garen.

        Update functionProtoFuncToString() to handle JSObjects that
        have the TypeOfShouldCallGetCallData flag and are callable,
        as these behave like functions and use ClassInfo::className()
        as function name in this case.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2016-02-10  Chris Dumez  <cdumez@apple.com>

        Attributes on the Window instance should be configurable unless [Unforgeable]
        https://bugs.webkit.org/show_bug.cgi?id=153920
        <rdar://problem/24563211>

        Reviewed by Darin Adler.

        Marking the Window instance attributes as configurable but cause
        getOwnPropertyDescriptor() to report them as configurable, as
        expected. However, trying to delete them would actually lead to
        unexpected behavior because:
        - We did not reify custom accessor properties (most of the Window
          properties are custom accessors) upon deletion.
        - For non-reified static properties marked as configurable,
          JSObject::deleteProperty() would attempt to call the property
          setter with undefined. As a result, calling delete window.name
          would cause window.name to become the string "undefined" instead
          of the undefined value.

        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        Now that we reify ALL properties, we only need to check the property table
        if we have not reified. As a result, I dropped the 'didReify' parameter for
        this function and instead only call this function if we have not yet reified.

        (JSC::JSObject::putInlineSlow):
        Only call putEntry() if we have not reified: Drop the
        '|| !(entry->attributes() & BuiltinOrFunctionOrAccessor)'
        check as such properties now get reified as well.

        (JSC::JSObject::deleteProperty):
        - Call reifyAllStaticProperties() instead of reifyStaticFunctionsForDelete()
          so that we now reify all properties upon deletion, including the custom
          accessors. reifyStaticFunctionsForDelete() is now removed and the same
          reification function is now used by: deletion, getOwnPropertyDescriptor()
          and eager reification of the prototype objects in the bindings.
        - Drop code that falls back to calling the static property setter with
          undefined if we cannot find the property in the property storage. As
          we now reify ALL properties, the code removing the property from the
          property storage should succeed, provided that the property actually
          exists.

        (JSC::JSObject::getOwnNonIndexPropertyNames):
        Only call getClassPropertyNames() if we have not reified. We should no longer
        check the static property table after reifying now that we reify all
        properties.

        (JSC::JSObject::reifyAllStaticProperties):
        Merge with reifyStaticFunctionsForDelete(). The only behavior change is the
        flattening to an uncacheable dictionary, like reifyStaticFunctionsForDelete()
        used to do.

        * runtime/JSObject.h:

2016-02-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r196251.
        https://bugs.webkit.org/show_bug.cgi?id=154078

        Large regression on Dromaeo needs explanation (Requested by
        kling on #webkit).

        Reverted changeset:

        "Visiting a WeakBlock should report bytes visited, since we
        reported them allocated."
        https://bugs.webkit.org/show_bug.cgi?id=153978
        http://trac.webkit.org/changeset/196251

2016-02-10  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r196331): It made ~180 JSC tests crash on ARMv7 Linux
        https://bugs.webkit.org/show_bug.cgi?id=154064

        Reviewed by Mark Lam.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generate): Added EABI_32BIT_DUMMY_ARG where it is necessary.
        * dfg/DFGSpeculativeJIT.h: Fixed the comment.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState): Added.
        * wasm/WASMFunctionCompiler.h: Fixed the comment.

2016-02-09  Keith Miller  <keith_miller@apple.com>

        calling methods off super in a class constructor should check for TDZ
        https://bugs.webkit.org/show_bug.cgi?id=154060

        Reviewed by Ryosuke Niwa.

        In a class constructor we need to check for TDZ when calling a method
        off the super class. This is because, for super method calls, we use
        the derived class's newly constructed object as the super method's
        this value.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallDotNode::emitBytecode):
        * tests/stress/super-method-calls-check-tdz.js: Added.
        (Base):
        (Derived):
        (test):

2016-02-09  Filip Pizlo  <fpizlo@apple.com>

        Don't crash if we fail to parse a builtin
        https://bugs.webkit.org/show_bug.cgi?id=154047
        rdar://problem/24300617

        Reviewed by Mark Lam.

        Crashing probably seemed like a good idea at the time, but we could get here in case of a
        near stack overflow, so that the parser bails because of recursion.

        * parser/Parser.h:
        (JSC::parse):

2016-02-07  Gavin Barraclough  <barraclough@apple.com>

        GetValueFunc/PutValueFunc should not take both slotBase and thisValue
        https://bugs.webkit.org/show_bug.cgi?id=154009

        Reviewed by Geoff Garen.

        In JavaScript there are two types of properties - regular value properties, and accessor properties.
        One difference between these is how they are reflected by getOwnPropertyDescriptor, and another is
        what object they operate on in the case of a prototype access. If you access a value property of a
        prototype object it return a value pertinent to the prototype, but in the case of a prototype object
        returning an accessor, then the accessor function is applied to the base object of the access.

        JSC supports special 'custom' properties implemented as a c++ callback, and these custom properties
        can be used to implement either value- or accessor-like behavior. getOwnPropertyDescriptor behavior
        is selected via the CustomAccessor attribute. Value- or accessor-like object selection is current
        supported by passing both the slotBase and the thisValue to the callback,and hoping it uses the
        right one. This is probably inefficient, bug-prone, and leads to crazy like JSBoundSlotBaseFunction.

        Instead, just pass one thisValue to the callback functions, consistent with CustomAccessor.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
            - Merged slotBase & thisValue to custom property callbacks.
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generate):
            - Modified the call being JIT generated - GetValueFunc/PutValueFunc now only take 3,
              rather than 4 arguments. Selects which one to keep/drop based on access type.
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::isGet):
        (JSC::AccessCase::isPut):
        (JSC::AccessCase::isIn):
        (JSC::AccessCase::doesCalls):
        (JSC::AccessCase::isGetter):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
            - Split the CustomGetter/Setter access types into Value/Accessor variants.
        * jsc.cpp:
        (WTF::CustomGetter::getOwnPropertySlot):
        (WTF::CustomGetter::customGetter):
        (WTF::RuntimeArray::RuntimeArray):
        (WTF::RuntimeArray::lengthGetter):
            - Merged slotBase & thisValue to custom property callbacks.
        * runtime/CustomGetterSetter.cpp:
        (JSC::callCustomSetter):
            - Pass 3 arguments when calling PutValueFunc.
        * runtime/CustomGetterSetter.h:
        * runtime/JSBoundSlotBaseFunction.cpp:
        (JSC::boundSlotBaseFunctionCall):
        (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
            - callCustomSetter currently takes a flag to distinguish value/accessor calls.
        * runtime/JSFunction.cpp:
        (JSC::retrieveArguments):
        (JSC::JSFunction::argumentsGetter):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::nameGetter):
        * runtime/JSFunction.h:
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::visitChildren):
        (JSC::callbackGetter):
            - Merged slotBase & thisValue to custom property callbacks.
        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
            - callCustomSetter currently takes a flag to distinguish value/accessor calls.
        * runtime/Lookup.h:
        (JSC::putEntry):
            - split PutPropertySlot setCustom into Value/Accessor variants.
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
        (JSC::PropertySlot::customGetter):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::getValue):
            - added customGetter helper to call GetValueFunc.
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setNewProperty):
        (JSC::PutPropertySlot::setCustomValue):
        (JSC::PutPropertySlot::setCustomAccessor):
        (JSC::PutPropertySlot::setThisValue):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::context):
        (JSC::PutPropertySlot::isStrictMode):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableSetter):
        (JSC::PutPropertySlot::isCacheableCustom):
        (JSC::PutPropertySlot::isCustomAccessor):
        (JSC::PutPropertySlot::isInitialization):
        (JSC::PutPropertySlot::cachedOffset):
        (JSC::PutPropertySlot::setCustomProperty): Deleted.
            - split PutPropertySlot setCustom into Value/Accessor variants.
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        (JSC::regExpObjectSetLastIndexStrict):
        (JSC::regExpObjectSetLastIndexNonStrict):
        (JSC::RegExpObject::put):
            - Merged slotBase & thisValue to custom property callbacks.

2016-02-09  Filip Pizlo  <fpizlo@apple.com>

        Spread expressions are not fair game for direct binding
        https://bugs.webkit.org/show_bug.cgi?id=154042
        rdar://problem/24291413

        Reviewed by Saam Barati.

        Prior to this change we crashed on this:

            var [x] = [...y];

        Because NodesCodegen thinks that this is a direct binding.  It's not, because we cannot
        directly generate bytecode for "...y".  This is a unique property of spread expressions, so
        its sufficient to just bail out of direct binding if we see a spread expression. That's what
        this patch does.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::emitDirectBinding):
        * tests/stress/spread-in-tail.js: Added.
        (foo):
        (catch):

2016-02-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r196286.
        https://bugs.webkit.org/show_bug.cgi?id=154026

        Looks like 5% iOS PLT regression (Requested by kling on
        #webkit).

        Reverted changeset:

        "[iOS] Throw away some unlinked code when navigating to a new
        page."
        https://bugs.webkit.org/show_bug.cgi?id=154014
        http://trac.webkit.org/changeset/196286

2016-02-08  Keith Miller  <keith_miller@apple.com>

        Error construction for inlined operations should not use the inliner's CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=154021

        Reviewed by Mark Lam.

        Previously, if one function, A, was inlined into another function, B, in the DFG/FTL
        we would use B's DFG/FTL CodeBlock to construct source information about the Error.
        We would correctly compute the bytecodeOffset in A for the an expression but we would
        not use one of A's CodeBlocks when looking up source. This caused crashes during
        operationIn as we expected to be able to find the text "in" in the source.

        * runtime/ErrorInstance.cpp:
        (JSC::appendSourceToError):
        * tests/stress/inlined-error-gets-correct-codeblock-for-bytecodeoffset.js: Added.
        (map):
        (n):
        (one):
        (catch):

2016-02-08  Saam Barati  <sbarati@apple.com>

        runtimeTypeForValue should protect against seeing TDZ value
        https://bugs.webkit.org/show_bug.cgi?id=154023
        rdar://problem/24291413

        Reviewed by Michael Saboff.

        There are a few back traces I've seen from crashes that bottom out
        inside runtimeTypeForValue. I haven't been able to reproduce
        any such crash, but it's likely that we're encountering the
        empty JSValue. It's better to just have this function protect
        against seeing the empty value instead of dereferencing a null
        pointer when it thinks the value is a cell.

        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):

2016-02-08  Andreas Kling  <akling@apple.com>

        [iOS] Throw away some unlinked code when navigating to a new page.
        <https://webkit.org/b/154014>

        Reviewed by Gavin Barraclough.

        * runtime/VM.cpp:
        (JSC::VM::deleteAllCodeExceptCaches):
        (JSC::VM::deleteAllLinkedCode): Deleted.
        * runtime/VM.h:

2016-02-08  Filip Pizlo  <fpizlo@apple.com>

        B3::foldPathConstants() needs to execute its insertion set
        https://bugs.webkit.org/show_bug.cgi?id=154020

        Reviewed by Saam Barati.

        * b3/B3FoldPathConstants.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testFoldPathEqual): Added this. It used to crash in validation.
        (JSC::B3::run):

2016-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce @isObject bytecode intrinsic and use it instead of JS implemented one
        https://bugs.webkit.org/show_bug.cgi?id=153976

        Reviewed by Darin Adler.

        Use bytecode op_is_object directly.

        * builtins/GlobalObject.js:
        (isObject): Deleted.
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Deleted.

2016-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        {Map,Set}.prototype.forEach should be visible as own properties
        https://bugs.webkit.org/show_bug.cgi?id=153974

        Reviewed by Darin Adler.

        Now, Map and Set uses builtin tables. We should inlude it in class info.

        * runtime/MapPrototype.cpp:
        * runtime/SetPrototype.cpp:

2016-02-08  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should not require its input to be constant-propagated
        https://bugs.webkit.org/show_bug.cgi?id=154011
        rdar://problem/24290933

        Reviewed by Mark Lam.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitBitBinaryOpFastPath):
        (JSC::JIT::emitRightShiftFastPath):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emit_op_div):
        (JSC::JIT::emit_op_mul):

2016-02-08  Filip Pizlo  <fpizlo@apple.com>

        CodeCache should give up on evals if there are variables under TDZ
        https://bugs.webkit.org/show_bug.cgi?id=154002
        rdar://problem/24300998

        Reviewed by Mark Lam.

        Disable the code cache optimization because our approach to TDZ for scoped variables - using
        a separate check_tdz opcode when logically it's the get_from_scope's job to do it - makes
        caching code impossible if there are any variables in TDZ.

        We should do the right thing in the future, and fold the TDZ check into the get_from_scope.
        This is better not only because it will restore caching, but because our bytecode for heap
        accesses is usually at the highest practically doable level of abstraction, so that ICs,
        compilers and caches can see the intended meaning of the bytecode more easily.

        This doesn't appear to slow anything down, but that's just because we don't have enough ES6
        benchmarks. I've filed: https://bugs.webkit.org/show_bug.cgi?id=154010

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):

2016-02-08  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Using 'super' in arrow function that declared out of the class should lead to Syntax error
        https://bugs.webkit.org/show_bug.cgi?id=150893

        Reviewed by Saam Barati.

        'super' and 'super()' inside of the arrow function should lead to syntax error if they are used 
        out of the class context or they wrapped by ordinary function. Now JSC returns ReferenceError but 
        should return SyntaxError according to the following specs:
        http://www.ecma-international.org/ecma-262/6.0/#sec-function-definitions-static-semantics-early-errors
        and http://www.ecma-international.org/ecma-262/6.0/#sec-arrow-function-definitions-runtime-semantics-evaluation 
        Curren patch implemented only one case when super/super() are used inside of the arrow function
        Case when super/super() are used within the eval:
           class A {} 
           class B extends A { 
               costructor() { eval("super()");} 
           }
        is not part of this patch and will be implemented in this issue https://bugs.webkit.org/show_bug.cgi?id=153864. 
        The same for case when eval with super/super() is invoked in arrow function will be 
        implemented in issue https://bugs.webkit.org/show_bug.cgi?id=153977. 
 
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::setExpectedSuperBinding):
        (JSC::Scope::expectedSuperBinding):
        (JSC::Scope::setConstructorKind):
        (JSC::Scope::constructorKind):
        (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
        * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
        * tests/stress/arrowfunction-lexical-bind-superproperty.js:

2016-02-08  Filip Pizlo  <fpizlo@apple.com>

        Parser should detect error before calls to parseAssignmentExpression()
        https://bugs.webkit.org/show_bug.cgi?id=153975
        rdar://problem/24291231

        Reviewed by Saam Barati.

        Fixes a very hard-to-create situation that an internal test picked up.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::parseAssignmentExpression):

2016-02-08  Andreas Kling  <akling@apple.com>

        Visiting a WeakBlock should report bytes visited, since we reported them allocated.
        <https://webkit.org/b/153978>

        Reviewed by Darin Adler.

        When creating a WeakBlock, we tell Heap that we've allocated 1 KB (WeakBlock::blockSize)
        of memory. Consequently, when visiting a WeakBlock, we should also report 1 KB of memory
        visited. Otherwise Heap will think that those 1 KB already went away.

        This was causing us to underestimate heap size, which affects collection scheduling.

        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::reportMemoryVisited):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::visit):

2016-02-07  Saam barati  <sbarati@apple.com>

        Follow up patch to: [ES6] bound functions .name property should be "bound " + the target function's name 
        https://bugs.webkit.org/show_bug.cgi?id=153796

        Reviewed by Darin Adler.

        This follow-up patch addresses some comments/suggestions by
        Ryosuke, Darin, and Joe. It simplifies JSBoundFunction::toStringName
        and adds some tests for bound names.

        * runtime/JSBoundFunction.cpp:
        (JSC::hasInstanceBoundFunction):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::toStringName):

2016-02-07  Filip Pizlo  <fpizlo@apple.com>

        String.match should defend against matches that would crash the VM
        https://bugs.webkit.org/show_bug.cgi?id=153964
        rdar://problem/24301119

        Reviewed by Saam Barati.

        This fixes a crash in an internal test case.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::slowAppend): Use best practices to ensure that the size we
            compute makes sense. Crash if it stops making sense, since most users of this API assume
            that they are creating something small enough to fit on the stack.
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::size):
        (JSC::MarkedArgumentBuffer::operator new): Deleted. These were ineffective. According to the
            debugger, we were still calling system malloc. So, I changed the code to use fastMalloc()
            directly.
        (JSC::MarkedArgumentBuffer::operator delete): Deleted.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch): Explicitly defend against absurd sizes. Of course, it's still
            possible to crash the VM on OOME. That's sort of always been the philosophy of JSC - we
            don't guarantee that you'll get a nice-looking error whenever you run out of memory,
            since in a GC'd environment you can't really guarantee those things. But, if you have a
            match that obvious won't fit in memory, then reporting an error is useful in case this is
            a developer experimenting with a buggy regexp.

2016-02-07  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Replace __has_include guards around inclusion of Apple-internal-SDK headers with USE(APPLE_INTERNAL_SDK)
        https://bugs.webkit.org/show_bug.cgi?id=153963

        Reviewed by Sam Weinig.

        * inspector/remote/RemoteInspectorXPCConnection.mm:

2016-02-06  Filip Pizlo  <fpizlo@apple.com>

        FTL must store the call site index before runtime calls, even if it's the tail call slow path
        https://bugs.webkit.org/show_bug.cgi?id=153955
        rdar://problem/24290970

        Reviewed by Saam Barati.

        This is necessary because you could throw an exception in a host call on the tail call's slow
        path. That'll route us to lookupExceptionHandler(), which unwinds starting with the call site
        index of our frame. Bad things happen if it's not set. Prior to this patch it was possible
        for the call site index field to be uninitialized, which meant that the throwing machinery
        was making a wild guess about where we are.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
        * tests/stress/tail-call-host-call-throw.js: Added.

2016-02-06  Darin Adler  <darin@apple.com>

        Finish auditing call sites of upper() and lower(), eliminate many, and rename the functions
        https://bugs.webkit.org/show_bug.cgi?id=153905

        Reviewed by Sam Weinig.

        * runtime/IntlObject.cpp:
        (JSC::canonicalLangTag): Use converToASCIIUppercase on the language tag.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncToLowerCase): Tweak style and update for name change.
        (JSC::stringProtoFuncToUpperCase): Ditto.

2016-02-06  Chris Dumez  <cdumez@apple.com>

        Object.getOwnPropertyDescriptor() does not work on sub-frame's window
        https://bugs.webkit.org/show_bug.cgi?id=153925

        Reviewed by Darin Adler.

        Calling Object.getOwnPropertyDescriptor() on a sub-frame's window was
        returning undefined for that window's own properties. The reason was
        that the check getOwnPropertySlot() is using to make sure the
        PropertySlot is not for a property coming from the prototype was wrong.

        The check was checking that 'this != slotBase' which works fine unless
        this is a JSProxy (e.g. JSDOMWindowShell). To handle proxies, the code
        was also checking that 'slotBase.toThis() != this', attempting to
        get the slotBase/Window's proxy. However, due to the implementation of
        toThis(), we were getting the lexical global object's proxy instead of
        slotBase's proxy. To avoid this issue, the new code explicitly checks
        if 'this' is a JSProxy and makes sure 'JSProxy::target() != slotBase',
        instead of using toThis().

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):

2016-02-06  Andreas Kling  <akling@apple.com>

        [iOS] Throw away linked code when navigating to a new page.
        <https://webkit.org/b/153851>

        Reviewed by Gavin Barraclough.

        Add a VM API for throwing away linked code only.

        * runtime/VM.cpp:
        (JSC::VM::deleteAllLinkedCode):
        * runtime/VM.h:

2016-02-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r196104.
        https://bugs.webkit.org/show_bug.cgi?id=153940

        Regressed Speedometer on iOS (Requested by kling on #webkit).

        Reverted changeset:

        "[iOS] Throw away linked code when navigating to a new page."
        https://bugs.webkit.org/show_bug.cgi?id=153851
        http://trac.webkit.org/changeset/196104

2016-02-05  Alex Christensen  <achristensen@webkit.org>

        Fix internal Windows build
        https://bugs.webkit.org/show_bug.cgi?id=153930
        <rdar://problem/24534864>

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj:
        I made a typo in r196144.

2016-02-05  Saam barati  <sbarati@apple.com>

        Web Inspector: Include SamplingProfiler's expression-level data for stack frames in the protocol
        https://bugs.webkit.org/show_bug.cgi?id=153455
        <rdar://problem/24335884>

        Reviewed by Joseph Pecoraro.

        We now send the sampling profiler's expression-level
        line/column info in the inspector protocol.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::buildSamples):
        * inspector/protocol/ScriptProfiler.json:
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):

2016-02-05  Saam barati  <sbarati@apple.com>

        follow-up to: JSC Sampling Profiler: (host) is confusing in cases where I would expect to see JS name
        https://bugs.webkit.org/show_bug.cgi?id=153663
        <rdar://problem/24415092>

        Rubber stamped by Joseph Pecoraro.

        We were performing operations that required us to
        hold the VM lock even when we might not have been holding it.
        We now ensure we're holding it.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):

2016-02-05  Filip Pizlo  <fpizlo@apple.com>

        Arrayify for a typed array shouldn't create a monster
        https://bugs.webkit.org/show_bug.cgi?id=153908
        rdar://problem/24290639

        Reviewed by Mark Lam.

        Previously if you convinced the DFG to emit an Arrayify to ArrayStorage and then gave it a
        typed array, you'd corrupt the object.

        * runtime/JSArrayBufferView.cpp:
        (WTF::printInternal):
        * runtime/JSArrayBufferView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::growOutOfLineStorage):
        (JSC::getBoundSlotBaseFunctionForGetterSetter):
        * runtime/Structure.h:
        * tests/stress/arrayify-array-storage-typed-array.js: Added. This test failed.
        * tests/stress/arrayify-int32-typed-array.js: Added. This test case already had other protections, but we beefed them up.

2016-02-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: InspectorTimelineAgent doesn't need to recompile functions because it now uses the sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=153500
        <rdar://problem/24352458>

        Reviewed by Timothy Hatcher.

        Be more explicit about enabling legacy profiling.

        * jsc.cpp:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::hasLegacyProfiler):
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        (JSC::JSGlobalObject::hasProfiler): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::supportsLegacyProfiling):
        (JSC::JSGlobalObject::supportsProfiling): Deleted.

2016-02-04  Keith Miller  <keith_miller@apple.com>

        ArrayPrototype should have a destroy function
        https://bugs.webkit.org/show_bug.cgi?id=153847

        Reviewed by Filip Pizlo.

        ArrayPrototype should have an destroy function as it now has a unique_ptr member that
        needs to be freed at the end of the object's life cycle. Also, this patch adds an
        option, gcAtEnd, that will cause jsc.cpp to do a garbage collection before exiting.

        * jsc.cpp:
        (runJSC):
        (jscmain):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::create):
        (JSC::ArrayPrototype::destroy):
        * runtime/ArrayPrototype.h:
        * runtime/Options.h:

2016-02-04  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(192409): Cannot rely on add32() to zero-extend
        https://bugs.webkit.org/show_bug.cgi?id=153897

        Unreviewed rollout of r192409.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::add32):
        (JSC::MacroAssemblerARM64::add64):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add32):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::add32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::add32):
        (JSC::MacroAssemblerX86Common::add8):
        (JSC::MacroAssemblerX86Common::branchAdd32):
        (JSC::MacroAssemblerX86Common::generateTest32):
        (JSC::MacroAssemblerX86Common::clz32AfterBsr):
        (JSC::MacroAssemblerX86Common::add32AndSetFlags): Deleted.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::branchAdd64):
        (JSC::MacroAssemblerX86_64::repatchCall):
        (JSC::MacroAssemblerX86_64::clz64AfterBsr):
        (JSC::MacroAssemblerX86_64::add64AndSetFlags): Deleted.

2016-02-04  Andreas Kling  <akling@apple.com>

        Remove dead ENABLE(BYTECODE_COMMENTS) cruft.
        <https://webkit.org/b/153888>

        Reviewed by Antti Koivisto.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.

2016-02-04  Saam barati  <sbarati@apple.com>

        JSC Sampling Profiler: (host) is confusing in cases where I would expect to see JS name
        https://bugs.webkit.org/show_bug.cgi?id=153663
        <rdar://problem/24415092>

        Reviewed by Geoffrey Garen.

        We now collect the Callee in the processed StackFrame
        when the Callee is a valid GC object. We later ask
        the Callee for it's .displayName or .name property.
        When we don't have a valid callee, we will still
        use the Executable for this information.

        This helps us come up with good names for frames where 
        the Callee object is a bound function or an InternalFunction.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::addEvent):
        (Inspector::buildSamples):
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        * runtime/SamplingProfiler.cpp:
        (JSC::reportStats):
        (JSC::FrameWalker::walk):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::visit):
        (JSC::SamplingProfiler::shutdown):
        (JSC::SamplingProfiler::clearData):
        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::UnprocessedStackFrame::UnprocessedStackFrame):
        (JSC::SamplingProfiler::StackFrame::StackFrame):
        * tests/stress/sampling-profiler-basic.js:
        (platformSupportsSamplingProfiler.nothing):
        (platformSupportsSamplingProfiler.top):
        * tests/stress/sampling-profiler-bound-function-name.js: Added.
        (platformSupportsSamplingProfiler.foo):
        (platformSupportsSamplingProfiler.bar):
        (platformSupportsSamplingProfiler.let.baz):
        (platformSupportsSamplingProfiler):
        * tests/stress/sampling-profiler-display-name.js: Added.
        (platformSupportsSamplingProfiler.foo):
        (platformSupportsSamplingProfiler.baz):
        (platformSupportsSamplingProfiler.):
        (platformSupportsSamplingProfiler.bar):
        (platformSupportsSamplingProfiler.jaz):
        (platformSupportsSamplingProfiler.makeFunction.let.result):
        (platformSupportsSamplingProfiler.makeFunction):
        * tests/stress/sampling-profiler-internal-function-name.js: Added.
        (platformSupportsSamplingProfiler.foo):
        (platformSupportsSamplingProfiler.bar):
        (platformSupportsSamplingProfiler):

2016-02-04  Chris Dumez  <cdumez@apple.com>

        Object.getOwnPropertyDescriptor() returns incomplete descriptor for instance properties
        https://bugs.webkit.org/show_bug.cgi?id=153817

        Reviewed by Geoffrey Garen.

        Extend support for Object.getOwnPropertyDescriptor() on native bindings
        to instance properties (e.g. Unforgeable properties or Global object
        properties) so that the returned descriptor has getter / setter
        functions, as expected.

        * runtime/JSObject.cpp:
        (JSC::JSObject::reifyAllStaticProperties):
        Add method that reifies all static properties, including the custom
        accessors. This is similar to what is done eagerly on the prototype
        objects in the bindings code.

        (JSC::JSObject::getOwnPropertyDescriptor):
        getOwnPropertyDescriptor() would previously fails for custom accessors
        that are on the instance because getDirect() does not check the static
        property table and those custom accessors were not reified (We only
        reified all properties eagerly - including custom accessors - on
        prototype objects. To address this issue, we now call
        reifyAllStaticProperties() if the call to getDirect() fails and then
        call getDirect() again. This fix is however insufficient for Window
        properties because |this| is a JSDOMWindowShell / JSProxy in this case
        and getDirect() / reifyAllStaticProperties() would fail as the proxy
        does not actually have the properties. This issue was addressed by
        checking if |this| is a JSProxy and then using JSProxy::target() instead
        of |this| for the calls to getDirect() and for the reification.

        * runtime/JSObject.h:
        * runtime/Lookup.h:
        (JSC::reifyStaticProperty):
        (JSC::reifyStaticProperties):
        Move most code in reifyStaticProperties() to a separate function so the
        code can be shared with JSObject::reifyAllStaticProperties().
        reifyStaticProperties() is currently called by the bindings on the
        prototype objects.

2016-02-04  Alex Christensen  <achristensen@webkit.org>

        Fix internal Windows build
        https://bugs.webkit.org/show_bug.cgi?id=153886
        <rdar://problem/24499887>

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj:
        In r190253 I changed the directory of the headers from AppleInternal/include/JavaScriptCore 
        to AppleInternal/include/private/JavaScriptCore.  This is ok for WebCore and WebKit, but not
        other projects, such as CFNetwork, which expect the public API headers to be in the old location.
        This used to be done by a combination of copy-files.cmd and the old JavaScriptCore.proj.
        This change copies all the API headers, which copies everything in copy-files.cmd except APIShims.h
        which does not exist any more.  It copies additional headers that were not copied before, but
        I think this is beneficial so we do not forget to add new public headers to a list of public headers
        to be copied in the internal build.  Having extra public headers in the internal Windows build is
        not a problem because only internal clients use the internal Windows build.

2016-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make some classes non JSDestructibleObject
        https://bugs.webkit.org/show_bug.cgi?id=153838

        Reviewed by Geoffrey Garen.

        SymbolPrototype, JSMapIterator and JSSetIterator are trivially destructible.
        So there is no need to inherit JSDestructibleObject.

        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::destroy): Deleted.
        * runtime/JSMapIterator.h:
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::destroy): Deleted.
        * runtime/JSSetIterator.h:
        * runtime/MapData.h:
        * runtime/SymbolPrototype.h:

2016-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Symbol structure has unnecessary flags
        https://bugs.webkit.org/show_bug.cgi?id=153840

        Reviewed by Saam Barati.

        * runtime/Symbol.h:
        * tests/stress/symbol-get-own-property.js: Added.
        (shouldBe):

2016-02-03  Andreas Kling  <akling@apple.com>

        [iOS] Throw away linked code when navigating to a new page.
        <https://webkit.org/b/153851>

        Reviewed by Gavin Barraclough.

        Add a VM API for throwing away linked code only.

        * runtime/VM.cpp:
        (JSC::VM::deleteAllLinkedCode):
        * runtime/VM.h:

2016-02-03  Michael Catanzaro  <mcatanzaro@igalia.com>

        [GTK][EFL] Switch FTL to B3
        https://bugs.webkit.org/show_bug.cgi?id=153478

        Reviewed by Csaba Osztrogonác.

        Conditionalize code to make it possible to build FTL completely without LLVM.

        * CMakeLists.txt:
        * dfg/DFGCommon.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        (JSC::FTL::State::~State):

2016-02-03  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix JavaScriptCore build with B3 enabled.

        Include <limits.h> for UINT_MAX.

        * b3/B3StackSlot.h:
        * b3/air/AirStackSlot.h:

2016-02-02  Caitlin Potter  <caitp@igalia.com>

        JSSymbolTableObject::deleteProperty() crashes deleting Symbols
        https://bugs.webkit.org/show_bug.cgi?id=153816

        Reviewed by Darin Adler.

        Changes JSSymbolTableObject::deleteProperty() to check if its
        symbolTable() contains the property's uid() rather than publicName().
        This ensures that it will not crash in the case of Symbols.

        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::deleteProperty):
        * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js:
        (testGlobalProxy):
        * tests/stress/regress-153816.js: Added.
        (deleteSymbolFromJSSymbolTableObject):

2016-02-02  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Do not copy FP when lowering FramePointer
        https://bugs.webkit.org/show_bug.cgi?id=153769

        Reviewed by Michael Saboff.

        That extra move is just wasted time. The fewer Moves we have,
        the happier IRC is.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::tmp):
        (JSC::B3::Air::LowerToAir::lower):

2016-02-02  Keith Miller  <keith_miller@apple.com>

        DFG, FTL, B3, and Air should all have a unique option for printing their graphs
        https://bugs.webkit.org/show_bug.cgi?id=153815

        Reviewed by Benjamin Poulain.

        This patch adds a new printing option for each of the DFG/FTL compilation phases.

        * b3/B3Common.cpp:
        (JSC::B3::shouldDumpIR):
        (JSC::B3::shouldDumpIRAtEachPhase):
        * b3/B3Common.h:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3PhaseScope.cpp:
        (JSC::B3::PhaseScope::PhaseScope):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirPhaseScope.cpp:
        (JSC::B3::Air::PhaseScope::PhaseScope):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        * dfg/DFGCommon.h:
        (JSC::DFG::shouldDumpGraphAtEachPhase):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2016-02-02  Caitlin Potter  <caitp@igalia.com>

        [JSC] make Object.getOwnPropertyDescriptors() work with non-JSObject types
        https://bugs.webkit.org/show_bug.cgi?id=153814

        Reviewed by Yusuke Suzuki.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js:
        (testGlobalProxy):

2016-02-02  Aakash Jain  <aakash_jain@apple.com>

        Remove references to CallFrameInlines.h
        https://bugs.webkit.org/show_bug.cgi?id=153810

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2016-02-02  Caitlin Potter  <caitp@igalia.com>

        [JSC] Implement Object.getOwnPropertyDescriptors() proposal
        https://bugs.webkit.org/show_bug.cgi?id=153799

        Reviewed by Darin Adler.

        Implements the Object.getOwnPropertyDescriptors() proposal, which
        reached Stage 3 in the TC39 process in January 2016.
        https://github.com/tc39/proposal-object-getownpropertydescriptors

        The method extracts a set of property descriptor objects, which can
        be safely used via `Object.create()`.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptors):

2016-02-02  Filip Pizlo  <fpizlo@apple.com>

        B3 should be able to compile trivial self-loops
        https://bugs.webkit.org/show_bug.cgi?id=153802
        rdar://problem/24465632

        Reviewed by Michael Saboff.

        Tail-duplicating a self-loop would mean doing a kind of loop unrolling. It wouldn't be
        profitable even if it did work. It turns out that it doesn't work, because we edit the target
        block before reading the source block, which breaks if the target and source block are the
        same.

        This disables tail duplication of self-loops, adds a test, and adds better validation for this
        issue.

        * b3/B3DuplicateTails.cpp:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::resetReachability):
        * b3/testb3.cpp:
        (JSC::B3::testComputeDivisionMagic):
        (JSC::B3::testTrivialInfiniteLoop):
        (JSC::B3::zero):
        (JSC::B3::run):

2016-02-02  Saam barati  <sbarati@apple.com>

        [ES6] bound functions .name property should be "bound " + the target function's name
        https://bugs.webkit.org/show_bug.cgi?id=153796

        Reviewed by Mark Lam.

        See http://tc39.github.io/ecma262/#sec-function.prototype.bind for details.
        What the spec says:
        ```
        function foo() { }
        foo.bind(null).name === "bound foo"

        (function bar() { }).bind(null).name === "bound bar"
        ```

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSBoundFunction.cpp:
        (JSC::hasInstanceBoundFunction):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::visitChildren):
        (JSC::JSBoundFunction::toStringName):
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * tests/es6.yaml:

2016-02-02  Filip Pizlo  <fpizlo@apple.com>

        Get rid of anonymous stack slots
        https://bugs.webkit.org/show_bug.cgi?id=151128

        Reviewed by Mark Lam.

        When I first designed stack slots, the idea was that an "anonymous" stack slot was one that
        behaved exactly like a C variable: if it never escaped, it would not need to get stack space
        for the entire lifetime of the function - it could get any slab of stack so long as it
        didn't interfere with other stack slots that would be live at the same time. The reason I
        called them "anonymous" is that external code could not get its address. This felt like it
        gave the stack slot anonymity. But it was never a good name for this concept.

        Then I had the register allocator lower temporaries to anonymous stack slots when it spilled
        them. Spilling became the sole client of anonymous stack slots.

        Then I realized that there was an aspect of how spill slots work that make them want
        slightly different semantics than a normal C variable. A C variable is a proper memory
        location - you could do a store to only some bytes in the variable, and it's reasonable to
        expect that this will not destroy the other bytes in the variable. But that means that to
        compute their liveness, you have to do something like a per-byte liveness. That's overkill
        for spill slots. You want any store to the spill slot to kill the whole slot even if it
        writes to just part of the slot. This matches how temporaries work. So rather than implement
        per-byte liveness, I decided to change the semantics of anonymous stack slots to make them
        work like how I wanted spill slots to work. This was quite dirty, and put B3 in the awkward
        situation that B3's anonymous stack slots behaved like spill slots. But it was OK since
        nobody used anonymous stack slots in B3.

        Then I added tail duplication, which required having a mechanism for introducing non-SSA
        variables in B3. I decided to use anonymous stack slots for this purpose. All of a sudden
        this all felt like it made sense: anonymous stack slots were just like variables! Hooray for
        the amazing foresight of anonymous stack slots!

        But then I realized that this was all very bad. We want B3 to be able to optimize Store and
        Load operations by reasoning about how they affect bytes in memory. For example, if you do
        a Load of a 64-bit value, and then you modify just the low 32 bits of that value, and then
        you do a 64-bit store back to the same location, then it would be better to transform this
        into 32-bit operations. We don't do this optimization yet, but it's the kind of thing that
        we want B3 to be able to do. To do it, we need Store to mean that it only affects N bytes
        starting at the pointer, where N is the size of the thing being stored. But that's not what
        Store means for anonymous stack slots. For anonymous slots, storing to any byte in the slot
        clobbers all bytes in the slot. We were never clear if you need to store directly to an
        anonymous slot to get this behavior, or if any pointer that points to an anoymous slot must
        exhibit this behavior when stored to. Neither kinds of semantics make sense to me.

        This change fixes the problem by eradicating anonymous stack slots. In B3, they are replaced
        with Variables. In Air, they are replaced with a different stack slot kind, called Spill.
        There is no such thing as stack slot kinds in B3 anymore, all B3 stack slots are locked. In
        Air, there is still the concept of stack slot kind - Locked or Spill.

        B3 Variables are awesome. They are exactly what they seem to be. They have a type. They are
        declared at the top level in the Procedure. You can access them with new opcodes, Get and
        Set. This greatly simplifies demoting SSA values to variables and promoting them back to
        SSA. I even made the instruction selector do the right things for variables, which means
        that introducing variables won't hurt instruction selection (there will be extra moves, but
        IRC will kill them). It's great to have non-SSA variables as an explicit concept in IR
        because it means that you don't have to do any magic to use them - they Just Work.

        Air spill slots behave almost like anonymous stack slots, with one exception: you cannot
        escape them. We validate this by making it illegal to UseAddr on a spill slot. This removes
        the need to answer awkward questions like: does a 32-bit Def on a pointer that may point to
        a 64-bit spill slot do anything to the 32 bits above the pointer?  Does it write zero to it?
        Does it write zero to it just when the pointer actually points to a spill slot or always?
        These are silly questions, and we don't have to answer them because the only way to refer to
        a spill slot is directly. No escaping means no aliasing.

        This doesn't affect performance. It just makes the compiler more fun to work with by
        removing some cognitive dissonance.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3ArgumentRegValue.h:
        * b3/B3CCallValue.h:
        * b3/B3CheckValue.cpp:
        (JSC::B3::CheckValue::cloneImpl):
        (JSC::B3::CheckValue::CheckValue):
        * b3/B3CheckValue.h:
        * b3/B3Const32Value.h:
        * b3/B3Const64Value.h:
        * b3/B3ConstDoubleValue.h:
        * b3/B3ConstFloatValue.h:
        * b3/B3ConstPtrValue.h:
        (JSC::B3::ConstPtrValue::ConstPtrValue):
        * b3/B3ControlValue.cpp:
        (JSC::B3::ControlValue::convertToJump):
        (JSC::B3::ControlValue::convertToOops):
        (JSC::B3::ControlValue::dumpMeta):
        * b3/B3ControlValue.h:
        * b3/B3Effects.cpp:
        (JSC::B3::Effects::interferes):
        (JSC::B3::Effects::dump):
        * b3/B3Effects.h:
        (JSC::B3::Effects::mustExecute):
        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/B3FixSSA.cpp:
        (JSC::B3::demoteValues):
        (JSC::B3::fixSSA):
        * b3/B3FixSSA.h:
        * b3/B3IndexMap.h:
        (JSC::B3::IndexMap::resize):
        (JSC::B3::IndexMap::clear):
        (JSC::B3::IndexMap::size):
        (JSC::B3::IndexMap::operator[]):
        * b3/B3IndexSet.h:
        (JSC::B3::IndexSet::contains):
        (JSC::B3::IndexSet::size):
        (JSC::B3::IndexSet::isEmpty):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3MemoryValue.h:
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3PatchpointValue.cpp:
        (JSC::B3::PatchpointValue::cloneImpl):
        (JSC::B3::PatchpointValue::PatchpointValue):
        * b3/B3PatchpointValue.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::Procedure):
        (JSC::B3::Procedure::addBlock):
        (JSC::B3::Procedure::addStackSlot):
        (JSC::B3::Procedure::addVariable):
        (JSC::B3::Procedure::clone):
        (JSC::B3::Procedure::addIntConstant):
        (JSC::B3::Procedure::dump):
        (JSC::B3::Procedure::deleteStackSlot):
        (JSC::B3::Procedure::deleteVariable):
        (JSC::B3::Procedure::deleteValue):
        (JSC::B3::Procedure::deleteOrphans):
        (JSC::B3::Procedure::calleeSaveRegisters):
        (JSC::B3::Procedure::addValueImpl):
        (JSC::B3::Procedure::setBlockOrderImpl):
        (JSC::B3::Procedure::addAnonymousStackSlot): Deleted.
        (JSC::B3::Procedure::addStackSlotIndex): Deleted.
        (JSC::B3::Procedure::addValueIndex): Deleted.
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::setBlockOrder):
        (JSC::B3::Procedure::stackSlots):
        (JSC::B3::Procedure::variables):
        (JSC::B3::Procedure::values):
        (JSC::B3::Procedure::StackSlotsCollection::StackSlotsCollection): Deleted.