[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-05-24  Saam barati  <sbarati@apple.com> and Yusuke Suzuki <utatane.tea@gmail.com>

        ThisTDZMode is no longer needed
        https://bugs.webkit.org/show_bug.cgi?id=157209

        Reviewed by Saam Barati.

        ThisTDZMode is no longer needed because we have ConstructorKind
        and DerivedContextType. The value of ThisTDZMode is strictly less
        expressive than the combination of those two values. We were
        using those values anyway, and this patch just makes it official
        by removing ThisTDZMode.

        This patch also cleans up caching keys. We extract SourceCodeFlags
        from SourceCodeKey and use it in EvalCodeCache. It correctly
        contains needed cache attributes: EvalContextType, DerivedContextType,
        etc. Here, we still use specialized keys for EvalCodeCache instead
        of SourceCodeKey for performance; it does not include name String and
        does not allocate SourceCode.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::CacheKey::CacheKey):
        (JSC::EvalCodeCache::CacheKey::operator==):
        (JSC::EvalCodeCache::CacheKey::Hash::equal):
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::getSlow):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode): Deleted.
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createThisExpr):
        * parser/NodeConstructors.h:
        (JSC::ThisNode::ThisNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeFlags::SourceCodeFlags):
        (JSC::SourceCodeFlags::operator==):
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::Hash::hash):
        (JSC::SourceCodeKey::Hash::equal):
        (JSC::SourceCodeKey::HashTraits::isEmptyValue):
        (JSC::SourceCodeKeyHash::hash): Deleted.
        (JSC::SourceCodeKeyHash::equal): Deleted.
        (JSC::SourceCodeKeyHashTraits::isEmptyValue): Deleted.
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createThisExpr):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tests/stress/code-cache-incorrect-caching.js: Added.
        (shouldBe):
        (hello):
        (catch):
        (shouldBe.test.hello):
        (globalEval.ok):
        (global.hello.hello):

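The entry above says the eval code cache key must carry context attributes such as DerivedContextType, not just the source text. The following is an added illustration written for this page, not WebKit or JSC code and not the test file the entry lists: it evaluates the identical source string `this` from three contexts using only standard JavaScript semantics (it runs in any engine), and shows that a cache entry compiled for one context would be wrong for another. The class names and sample source are constructed for the example.

```javascript
// Added example (not WebKit/JSC code): the same eval source text has a
// different meaning depending on the context it is evaluated in, so an
// eval code cache keyed on the source string alone would hand back the
// wrong compiled code. `this` before super() in a derived-class
// constructor is in its temporal dead zone; the identical text evaluated
// from an ordinary function or via a global eval is not.

const SRC = 'this'; // constructed sample source, identical in every context

class Base {}

class Derived extends Base {
  constructor() {
    let errorName = null;
    try {
      // Direct eval before super(): the `this` binding is still uninitialized.
      eval(SRC);
    } catch (e) {
      errorName = e.name;
    }
    super();
    this.errorName = errorName;
  }
}

// Returns the error name raised by eval(SRC) in a derived constructor, or null.
function evalInDerivedConstructor() {
  return new Derived().errorName;
}

// Same text, direct eval from a plain function: `this` is the call receiver.
function evalInPlainFunction() {
  const receiver = { tag: 'plain' };
  return (function () { return eval(SRC); }).call(receiver).tag;
}

// Same text again, indirect (global) eval: `this` is the global object.
function evalGlobally() {
  const indirectEval = eval;
  return indirectEval(SRC) === globalThis;
}
```

The derived-constructor case throws ReferenceError, the plain-function case returns the receiver's property, and the global case yields the global object; a cache that returned the plain-function code for the derived-constructor eval would skip the TDZ check entirely.
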
2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
        https://bugs.webkit.org/show_bug.cgi?id=157080

        Reviewed by Saam Barati.

        In a custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
        In this patch, we add a new parameter, "slotBase". This represents the base value offering
        this custom getter. We use it in ProxyObject's performGet custom accessor getter.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        In the PolymorphicAccess case, the thisValue and the slotBase are always cells.
        This is because the IC is enabled only in the case that the base value is a cell,
        and the slotBase is always on the prototype chain from this base value.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jsc.cpp:
        (WTF::CustomGetter::customGetter):
        (WTF::RuntimeArray::lengthGetter):
        * runtime/CustomGetterSetter.cpp:
        (JSC::callCustomSetter):
        * runtime/JSBoundSlotBaseFunction.cpp:
        (JSC::boundSlotBaseFunctionCall):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        * runtime/JSFunction.h:
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::callbackGetter):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::customGetter):
        * runtime/PropertySlot.h:
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollar):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        (JSC::regExpConstructorDollar1): Deleted.
        (JSC::regExpConstructorDollar2): Deleted.
        (JSC::regExpConstructorDollar3): Deleted.
        (JSC::regExpConstructorDollar4): Deleted.
        (JSC::regExpConstructorDollar5): Deleted.
        (JSC::regExpConstructorDollar6): Deleted.
        (JSC::regExpConstructorDollar7): Deleted.
        (JSC::regExpConstructorDollar8): Deleted.
        (JSC::regExpConstructorDollar9): Deleted.
        * tests/stress/proxy-get-with-primitive-receiver.js: Added.
        (shouldBe):

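The entry above is about a getter receiving a caller-chosen "thisValue" that may be a primitive while the object the property was found on (the slot base) is something else. The following is an added illustration for this page, not WebKit or JSC code and not the listed test file: it uses plain JavaScript `Reflect.get` with an explicit receiver against a Proxy and against an ordinary accessor, and reports what each getter actually sees. The target object, property names and sample receivers are constructed for the example.

```javascript
// Added example (not WebKit/JSC code): with Reflect.get the receiver is
// caller-controlled and may be a primitive, while the object the lookup
// actually runs on (the "slot base": the proxy/target or the holder of
// an accessor) is a different value. Custom getters that need the object
// the property was found on must not take it from the receiver.

// Looks up 'x' on a Proxy with an explicit receiver and reports what the
// get trap observed.
function probeProxyReceiver(receiver) {
  const seen = {};
  const target = { x: 'from-target' }; // constructed sample target
  const proxy = new Proxy(target, {
    get(t, key, recv) {
      seen.target = t;
      seen.receiver = recv;
      return Reflect.get(t, key, recv);
    },
  });
  const value = Reflect.get(proxy, 'x', receiver);
  const recvType = typeof seen.receiver;
  return {
    value,
    receiverIsPrimitive: recvType !== 'object' && recvType !== 'function',
    receiverEqualsArg: Object.is(seen.receiver, receiver),
    targetIsTarget: seen.target === target,
  };
}

// An ordinary accessor: the getter's `this` is the receiver, not the holder.
// Strict mode keeps a primitive receiver unboxed, so typeof reveals it.
function probeAccessorReceiver(receiver) {
  const holder = {
    get y() {
      'use strict';
      return typeof this;
    },
  };
  return Reflect.get(holder, 'y', receiver);
}
```

With a receiver of `42`, the Proxy trap still runs against the real target object but is handed the number as its receiver, and the accessor's `this` is the number itself; any getter that assumed its receiver was an object would be operating on a primitive.
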
2016-05-23  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (196374): deleting a global property is expensive
        https://bugs.webkit.org/show_bug.cgi?id=158005

        Reviewed by Chris Dumez.

        * runtime/JSObject.cpp:
        (JSC::JSObject::deleteProperty): We only need to reify static properties
        if the name being deleted matches a static property. Otherwise, we can
        be sure that delete won't observe any static properties.

2016-05-23  Saam barati  <sbarati@apple.com>

        The baseline JIT crashes when compiling "(1,1)/1"
        https://bugs.webkit.org/show_bug.cgi?id=157933

        Reviewed by Benjamin Poulain.

        op_div in the baseline JIT needed to better handle when both the lhs
        and rhs are constants. It needs to make sure to load either the lhs or
        the rhs into a register since the div generator can't handle both
        the lhs and rhs being constants.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):
        * tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js: Added.
        (assert):
        (test):

2016-05-23  Saam barati  <sbarati@apple.com>

        String template don't handle let initialization properly inside eval
        https://bugs.webkit.org/show_bug.cgi?id=157991

        Reviewed by Oliver Hunt.

        The fix is to make sure we emit TDZ checks.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::TaggedTemplateNode::emitBytecode):
        * tests/stress/tagged-template-tdz.js: Added.
        (shouldThrowTDZ):
        (test):

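The entry above fixes a missing temporal-dead-zone check on the tag of a tagged template. The following is an added illustration for this page, not WebKit or JSC code and not the listed test file: it evaluates a few constructed sources with a direct eval, so the `let` binding lives inside the eval, and checks that a tagged template whose tag is still in its TDZ throws the same ReferenceError that an ordinary call does. All sources and names are constructed for the example.

```javascript
// Added example (not WebKit/JSC code): a tagged template must perform the
// same temporal-dead-zone check on its tag expression as an ordinary call
// or identifier reference. Each source below is evaluated with a direct
// eval so the `let` is declared and instantiated inside the eval, which is
// the situation the fix above is about.

// Runs src with a direct eval and returns the thrown error's name, or null.
function evalErrorName(src) {
  try {
    eval(src);
    return null;
  } catch (e) {
    return e.name;
  }
}

// Constructed sample sources. `tag` is referenced before its `let` runs in
// the first three; the last declares it first and is the control.
const TDZ_TAGGED  = 'tag`x`; let tag = (strings) => strings[0];';
const TDZ_CALL    = 'tag("x"); let tag = (s) => s;';
const TDZ_CLOSURE = '(() => tag`x`)(); let tag = (strings) => strings[0];';
const OK_TAGGED   = 'let tag = (strings) => strings[0]; tag`x`;';

// Collects the outcome for each source so the TDZ cases can be compared.
function tdzOutcomes() {
  return {
    tagged:  evalErrorName(TDZ_TAGGED),
    call:    evalErrorName(TDZ_CALL),
    closure: evalErrorName(TDZ_CLOSURE),
    ok:      evalErrorName(OK_TAGGED),
  };
}
```

A compiler that skipped the check for the tagged form would silently invoke an uninitialized binding where the call form throws; the two must agree.
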
2016-05-22  Saam barati  <sbarati@apple.com>

        Unreviewed. Fixed debug assertion failures from r201235.

        * runtime/JSScope.cpp:
        (JSC::abstractAccess):

2016-05-22  Brady Eidson  <beidson@apple.com>

        Attempted Yosemite build fix after http://trac.webkit.org/changeset/201255

        Suggested by and reviewed by Anders Carlsson.

        * b3/B3CCallValue.h: Initialize the effects member more conventionally.

2016-05-22  Brady Eidson  <beidson@apple.com>

        Move to C++14.
        https://bugs.webkit.org/show_bug.cgi?id=157948

        Reviewed by Michael Catanzaro.

        * Configurations/Base.xcconfig:

2016-05-22  Saam barati  <sbarati@apple.com>

        REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
        https://bugs.webkit.org/show_bug.cgi?id=157968
        <rdar://problem/26404735>

        Reviewed by Ryosuke Niwa and Filip Pizlo.

        There was a bug in the DFG where we were checking a condition
        on the wrong variable.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2016-05-22  Chris Dumez  <cdumez@apple.com>

        Remove uses of PassRefPtr in JS bindings code
        https://bugs.webkit.org/show_bug.cgi?id=157949

        Reviewed by Andreas Kling.

        Remove uses of PassRefPtr in JS bindings code.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::queueMicrotask):
        * runtime/JSGlobalObject.h:

2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>

        Remove LegacyProfiler
        https://bugs.webkit.org/show_bug.cgi?id=153565

        Reviewed by Mark Lam.

        JavaScriptCore now provides a sampling profiler and it is enabled
        by all ports. Web Inspector switched months ago to using the
        sampling profiler and displaying its data. Remove the legacy
        profiler, as it is no longer being used by anything other than
        console.profile and tests. We will update console.profile's
        behavior soon to have new behavior and use the sampling data.

        * API/JSProfilerPrivate.cpp: Removed.
        * API/JSProfilerPrivate.h: Removed.
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset): Deleted.
        (JSC::computeDefsForBytecodeOffset): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Deleted.
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::profileHookRegister): Deleted.
        (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::CallArguments::CallArguments): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator()): Deleted.
        (JSC::Interpreter::execute): Deleted.
        (JSC::Interpreter::executeCall): Deleted.
        (JSC::Interpreter::executeConstruct): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass): Deleted.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_will_call): Deleted.
        (JSC::JIT::emit_op_profile_did_call): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_will_call): Deleted.
        (JSC::JIT::emit_op_profile_did_call): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/ParserModes.h:
        * profiler/CallIdentifier.h: Removed.
        * profiler/LegacyProfiler.cpp: Removed.
        * profiler/LegacyProfiler.h: Removed.
        * profiler/Profile.cpp: Removed.
        * profiler/Profile.h: Removed.
        * profiler/ProfileGenerator.cpp: Removed.
        * profiler/ProfileGenerator.h: Removed.
        * profiler/ProfileNode.cpp: Removed.
        * profiler/ProfileNode.h: Removed.
        * profiler/ProfilerJettisonReason.cpp:
        (WTF::printInternal): Deleted.
        * profiler/ProfilerJettisonReason.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
        (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
        (JSC::VM::setEnabledProfiler): Deleted.
        * runtime/VM.h:
        (JSC::VM::enabledProfiler): Deleted.
        (JSC::VM::enabledProfilerAddress): Deleted.

2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>

        Remove LegacyProfiler
        https://bugs.webkit.org/show_bug.cgi?id=153565

        Reviewed by Saam Barati.

        * inspector/protocol/Timeline.json:
        * jsc.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::hasLegacyProfiler):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.

2016-05-20  Saam barati  <sbarati@apple.com>

        JSScope::abstractAccess doesn't need to copy the SymbolTableEntry, it can use it by reference
        https://bugs.webkit.org/show_bug.cgi?id=157956

        Reviewed by Geoffrey Garen.

        A SymbolTableEntry may be a FatEntry. Copying a FatEntry is slow because we have to
        malloc memory for it, then free the malloced memory once the entry goes out of
        scope. abstractAccess uses a SymbolTableEntry temporarily when performing scope
        accesses during bytecode linking. It copies out the SymbolTableEntry every time
        it does a SymbolTable lookup. This is not cheap when the entry happens to be a
        FatEntry. We should really just be using a reference to the entry because
        there is no need to copy it in such a scenario.

        * runtime/JSScope.cpp:
        (JSC::abstractAccess):

2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: retained size for typed arrays does not count native backing store
        https://bugs.webkit.org/show_bug.cgi?id=157945
        <rdar://problem/26392238>

        Reviewed by Geoffrey Garen.

        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::estimatedSize):
        Include an estimatedSize implementation for JSArrayBuffer.
        ArrayBuffer has a unique path, different from other data
        stored in the Heap.

        * tests/heapProfiler/typed-array-sizes.js: Added.
        Test sizes of TypedArray with and without an ArrayBuffer.
        When the TypedArray is a view wrapping an ArrayBuffer, the
        ArrayBuffer has the size.

2016-05-20  Geoffrey Garen  <ggaren@apple.com>

        reifyAllStaticProperties makes two copies of every string
        https://bugs.webkit.org/show_bug.cgi?id=157953

        Reviewed by Mark Lam.

        Let's not do that.

        * runtime/JSObject.cpp:
        (JSC::JSObject::reifyAllStaticProperties): Pass our Identifier to
        reifyStaticProperty so it doesn't have to make its own.

        * runtime/Lookup.h:
        (JSC::reifyStaticProperty): No need to null check because callers never
        pass null anymore. No need to make an identifier because callers pass
        us one.

        (JSC::reifyStaticProperties): Honor new interface.

2016-05-20  Geoffrey Garen  <ggaren@apple.com>

        JSBench regression: CodeBlock linking always copies the symbol table
        https://bugs.webkit.org/show_bug.cgi?id=157951

        Reviewed by Saam Barati.

        We always put a SymbolTable into the constant pool, even in simple
        functions in which it won't be used -- i.e., there's no eval and there
        are no captured variables and so on.

        This is costly because linking must copy any provided symbol tables.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitProfileType): Only add the symbol table
        as a constant if we will use it at runtime.

2016-05-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve int->float conversion in FTL
        https://bugs.webkit.org/show_bug.cgi?id=157936

        Reviewed by Filip Pizlo.

        The integer -> floating point lowering was very bare-bones.

        For example, converting a constant integer to double
        was doing:
            mov #const, %eax
            xor %xmm0, %xmm0
            cvtsi2sd %eax, %xmm0

        Conversion from integer to float was also missing.
        We were always converting to double then rounding the double
        to float.

        This patch adds the basics:
        -Constant folding.
        -Integer to Float opcode.
        -Reducing int->double to int->float when used by DoubleToFloat.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
        (JSC::MacroAssemblerX86_64::convertInt64ToFloat):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cvtsi2ss_rr):
        (JSC::X86Assembler::cvtsi2ssq_rr):
        (JSC::X86Assembler::cvtsi2sdq_mr):
        (JSC::X86Assembler::cvtsi2ssq_mr):
        (JSC::X86Assembler::cvtsi2ss_mr):
        * assembler/MacroAssemblerARM64.h:
        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::iToDConstant):
        (JSC::B3::Const32Value::iToFConstant):
        * b3/B3Const32Value.h:
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::iToDConstant):
        (JSC::B3::Const64Value::iToFConstant):
        * b3/B3Const64Value.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::iToDConstant):
        (JSC::B3::Value::iToFConstant):
        (JSC::B3::Value::isRounded):
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::materialize):
        * b3/air/AirFixPartialRegisterStalls.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::int64Operands):
        (JSC::B3::testIToD64Arg):
        (JSC::B3::testIToF64Arg):
        (JSC::B3::testIToD32Arg):
        (JSC::B3::testIToF32Arg):
        (JSC::B3::testIToD64Mem):
        (JSC::B3::testIToF64Mem):
        (JSC::B3::testIToD32Mem):
        (JSC::B3::testIToF32Mem):
        (JSC::B3::testIToD64Imm):
        (JSC::B3::testIToF64Imm):
        (JSC::B3::testIToD32Imm):
        (JSC::B3::testIToF32Imm):
        (JSC::B3::testIToDReducedToIToF64Arg):
        (JSC::B3::testIToDReducedToIToF32Arg):
        (JSC::B3::run):

2016-05-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] FTL can crash on stack overflow
        https://bugs.webkit.org/show_bug.cgi?id=157881
        rdar://problem/24665964

        Reviewed by Michael Saboff.

        The VM's m_largestFTLStackSize was never set anywhere (updateFTLLargestStackSize()
        was never called). We forgot to change that when implementing B3.

        Even when it is set, we still have a problem on OSR Exit.
        If the last frame is a FTL frame and it OSR Exits, the space required for
        that frame becomes significantly larger. What happens is we crash in the OSR Exit
        instead of the FTL frame (this is what happens in rdar://problem/24665964).

        This patch changes the stack boundary checks in FTL to be the same as DFG:
        we verify that we have enough space for the current optimized function but
        also for the baseline version (including inlining) in case of exit.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        (JSC::VM::updateStackLimit): Deleted.
        (JSC::VM::updateFTLLargestStackSize): Deleted.
        * runtime/VM.h:
        (JSC::VM::addressOfFTLStackLimit): Deleted.

2016-05-18  Filip Pizlo  <fpizlo@apple.com>

        DFG::LICMPhase shouldn't hoist type checks unless it knows that the check will succeed at the loop pre-header
        https://bugs.webkit.org/show_bug.cgi?id=144527

        Reviewed by Saam Barati.

        This adds a control flow equivalence analysis (called ControlEquivalenceAnalysis) based on
        dominator analysis over the backwards CFG. Two basic blocks are control flow equivalent if
        the execution of one implies that the other one must also execute. It means that the two
        blocks' forward and backward dominance are reciprocated: (A dom B and B backdom A) or (B dom
        A and A backdom B). LICM now uses it to become more conservative about hoisting checks, if
        this has caused problems in the past. If we hoist something that may exit from a block that
        was not control equivalent to the pre-header then it's possible that the node's speculation
        will fail even though it wouldn't have if it wasn't hoisted. So, we flag these nodes'
        origins as being "wasHoisted" and we track all of their exits as "HoistingFailed". LICM will
        turn off such speculative hoisting if the CodeBlock from which we are hoisting had the
        HoistingFailed exit kind.

        Note that this deliberately still allows us to hoist things that may exit even if they are
        not control equivalent to the pre-header. This is necessary because the profitability of
        hoisting is so huge in all of the cases that we're aware of that it's worth giving it a
        shot.

        This is neutral on macrobenchmarks since none of the benchmarks we track have a hoistable
        operation that would exit only if hoisted. I added microbenchmarks to illustrate the problem
        and two of them speed up by ~40% while one of them is neutral (Int52 saves us from having
        problems on that program even though LICM previously did the wrong thing).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::operator bool):
        (JSC::DFG::AtTailAbstractState::initializeTo):
        * dfg/DFGBackwardsCFG.h: Added.
        (JSC::DFG::BackwardsCFG::BackwardsCFG):
        * dfg/DFGBackwardsDominators.h: Added.
        (JSC::DFG::BackwardsDominators::BackwardsDominators):
        * dfg/DFGCommon.h:
        (JSC::DFG::checkAndSet): Deleted.
        * dfg/DFGControlEquivalenceAnalysis.h: Added.
        (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
        (JSC::DFG::ControlEquivalenceAnalysis::dominatesEquivalently):
        (JSC::DFG::ControlEquivalenceAnalysis::areEquivalent):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::invalidateCFG):
        (JSC::DFG::Graph::substituteGetLocal):
        (JSC::DFG::Graph::handleAssertionFailure):
        (JSC::DFG::Graph::ensureDominators):
        (JSC::DFG::Graph::ensurePrePostNumbering):
        (JSC::DFG::Graph::ensureNaturalLoops):
        (JSC::DFG::Graph::ensureBackwardsCFG):
        (JSC::DFG::Graph::ensureBackwardsDominators):
        (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasDebuggerEnabled):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::operator bool):
        (JSC::DFG::InPlaceAbstractState::createValueForNode):
        (JSC::DFG::InPlaceAbstractState::forNode):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGMayExit.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeOrigin.cpp:
        (JSC::DFG::NodeOrigin::dump):
        * dfg/DFGNodeOrigin.h:
        (JSC::DFG::NodeOrigin::takeValidExit):
        (JSC::DFG::NodeOrigin::withWasHoisted):
        (JSC::DFG::NodeOrigin::forInsertingAfter):
        * dfg/DFGNullAbstractState.h: Added.
        (JSC::DFG::NullAbstractState::NullAbstractState):
        (JSC::DFG::NullAbstractState::operator bool):
        (JSC::DFG::NullAbstractState::forNode):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
        (JSC::FTL::OSRExit::OSRExit):
        * ftl/FTLOSRExit.h:

2016-05-19  Mark Lam  <mark.lam@apple.com>

        Code that null checks the VM pointer before any use should ref the VM.
        https://bugs.webkit.org/show_bug.cgi?id=157864

        Reviewed by Filip Pizlo and Keith Miller.

        JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
        through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
        after their null checks.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::vm):
        (JSC::CodeBlock::setVM): Deleted.
        - Not used, and suggests that it can be changed during the lifetime of the
          CodeBlock (which should not be).

        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * runtime/JSLock.cpp:
        (JSC::JSLock::willReleaseLock):
        - Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
          the raw VM pointer.  This makes the null check a strong guarantee that the
          VM pointer is valid while these functions are using it.

2016-05-19  Saam barati  <sbarati@apple.com>

        arrow function lexical environment should reuse the same environment as the function's lexical environment where possible
        https://bugs.webkit.org/show_bug.cgi?id=157908

        Reviewed by Filip Pizlo.

        We can safely combine these two environments when we have
        a simple parameter list (no default parameters, no destructuring parameters).

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        * bytecompiler/BytecodeGenerator.h:

2016-05-19  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix.

        Skipping this new test as it times out on the bots.

        Issue tracked in https://bugs.webkit.org/show_bug.cgi?id=157903

        * tests/stress/regress-157595.js:
        (MyRegExp):

2016-05-19  Guillaume Emont  <guijemont@igalia.com>

        JSC: DFG::SpeculativeJIT::compile special case for MIPS for PutByValWithThis
        https://bugs.webkit.org/show_bug.cgi?id=157741

        Reviewed by Saam Barati.

        The PutByValWithThis case needs a special case for MIPS because we
        don't have enough registers. The special case needs to be different
        from the x86 one because we have a different ABI.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

720 2016-05-19  Brian Burg  <bburg@apple.com>
721
722         Web Inspector: use a consistent prefix for injected scripts
723         https://bugs.webkit.org/show_bug.cgi?id=157715
724         <rdar://problem/26287188>
725
726         Reviewed by Timothy Hatcher.
727
728         * CMakeLists.txt:
729         * DerivedSources.make:
730         * inspector/InjectedScriptSource.js:
731
732 2016-05-19  Csaba Osztrogonác  <ossy@webkit.org>
733
734         [ARM] Remove redefined macro after r200606
735         https://bugs.webkit.org/show_bug.cgi?id=157890
736
737         Reviewed by Michael Saboff.
738
739         * bytecode/PolymorphicAccess.cpp:
740         * jit/CCallHelpers.h:
741
742 2016-05-18  Saam barati  <sbarati@apple.com>
743
744         Function with default parameter values that are arrow functions that capture this isn't working
745         https://bugs.webkit.org/show_bug.cgi?id=157786
746         <rdar://problem/26327329>
747
748         Reviewed by Geoffrey Garen.
749
750         To make the scopes ordered properly, I needed to initialize the arrow 
751         function lexical environment before initializing default parameter values.
752         I also made the code easier to reason about by never reusing the function's
753         var lexical environment for the arrow function lexical environment. The
754         reason for this is that that code was wrong, and we just didn't have code
755         that properly tested it. It was easy for that code to be wrong because
756         sometimes the function's lexical environment isn't the top-most scope
757         (namely, when a function's parameter list is non-simple) and sometimes
758         it is (when the function's parameter list is simple).
759
760         Also, because a function's default parameter values may capture the
761         'arguments' variable inside an arrow function, I needed to take care
762         to initialize the 'arguments' variable as part of whichever scope
763         is the top-most scope. It's either the function's var environment
764         if the parameter list is simple, or it's the function's parameter
765         environment if the parameter list is non-simple.
766
767         * bytecompiler/BytecodeGenerator.cpp:
768         (JSC::BytecodeGenerator::BytecodeGenerator):
769         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
770         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
771         (JSC::BytecodeGenerator::initializeParameters):
772         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
773         (JSC::BytecodeGenerator::visibleNameForParameter):
774         * bytecompiler/BytecodeGenerator.h:
775         * tests/stress/arrow-functions-as-default-parameter-values.js: Added.
776         (assert):
777         (test):
778         (test.foo):
779         * tests/stress/op-push-name-scope-crashes-profiler.js:
780         (test):
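
The scoping rules this entry describes, as an added example (not WebKit code): an arrow function used as a default parameter value sees the enclosing function's `this` and `arguments`, and because a non-simple parameter list gets its own scope above the body's var scope, a `var` declared in the body is not visible to the default. The function names (`outer`, `captures`, `defaultCannotSeeBodyVar`) are illustrative.

```javascript
// Added example, not WebKit code: observable consequences of the parameter
// scope / var scope split described in the ChangeLog entry above.

function outer() {
  // The default value is an arrow function created while the parameter
  // list is being initialised, before the body's var scope exists. It
  // captures the enclosing function's `this` and `arguments`.
  function foo(a = () => [this.tag, arguments.length, arguments[0]]) {
    var local = "body-var"; // lives in the var scope, below the parameter scope
    return { fromDefault: a(), local };
  }
  return foo;
}

// Call foo with no argument so the default arrow is used; `this` is the
// receiver passed via .call and `arguments` is foo's own arguments object.
function captures() {
  const foo = outer();
  return foo.call({ tag: "receiver" });
  // fromDefault is ["receiver", 0, undefined]
}

// With a non-simple parameter list the body's `var marker` is instantiated
// in a separate var environment, so the default's closure resolves `marker`
// through the parameter scope's outer environment instead.
function defaultCannotSeeBodyVar() {
  var marker = "outer-var";
  function g(f = () => marker) {
    var marker = "body-var"; // shadows only inside the body
    return f();
  }
  return g(); // "outer-var"
}
```

Running `captures()` and `defaultCannotSeeBodyVar()` in an engine that implements these rules correctly returns the values noted in the comments; an engine that reused the body's var environment for the default-parameter arrow would return `"body-var"` from the second function.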
781
782 2016-05-18  Michael Saboff  <msaboff@apple.com>
783
784         r199812 broke test262
785         https://bugs.webkit.org/show_bug.cgi?id=157595
786
787         Reviewed by Filip Pizlo.
788
789         Added a reasonable limit to the size of the match result array to catch possible
790         infinite loops when matching.
791         Added a new test that creates an infinite loop in RegExp.prototype.[Symbol.match]
792         by creating a subclass of RegExp where the base RegExp's global flag is false and
793         the subclass overrides .global with a getter that always returns true.
794
795         * builtins/RegExpPrototype.js:
796         (match):
797         * tests/stress/regress-157595.js: Added.
798         (MyRegExp):
799         (MyRegExp.prototype.get global):
800         (test):
801         (catch):
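
The failure mode and the shape of the fix, as an added example (not WebKit's builtin): a user-land sketch of the `@@match` global loop from the spec, plus a result-array cap that turns a non-advancing `exec` into a thrown error instead of an unbounded loop. `MAX_MATCH_RESULTS`, `globalMatch` and the helper names are assumptions for illustration; WebKit's actual limit is not stated in the entry.

```javascript
// Added example, not WebKit code. Mirrors the global branch of the spec's
// RegExp.prototype[@@match]: call exec repeatedly, advance lastIndex only on
// empty matches, collect the matched strings. The cap is the new part.

const MAX_MATCH_RESULTS = 1000; // assumed limit for illustration

function globalMatch(rx, str) {
  if (!rx.global)
    return rx.exec(str); // non-global: a single exec, as in the spec
  rx.lastIndex = 0;
  const results = [];
  for (;;) {
    const result = rx.exec(str);
    if (result === null)
      return results.length === 0 ? null : results;
    const matchStr = String(result[0]);
    results.push(matchStr);
    if (results.length > MAX_MATCH_RESULTS)
      throw new RangeError("match result array exceeded " + MAX_MATCH_RESULTS +
                           " entries; exec is not advancing lastIndex");
    if (matchStr === "")
      rx.lastIndex = rx.lastIndex + 1; // AdvanceStringIndex, BMP-only here
  }
}

// A subclass whose `global` getter lies: the underlying matcher was compiled
// without the g flag, so RegExp.prototype.exec never updates lastIndex and
// keeps returning the same non-empty match at index 0.
class MyRegExp extends RegExp {
  get global() { return true; }
}

// With the cap in place the loop terminates with a RangeError instead of
// growing the result array forever.
function boundedMatchTerminates() {
  const rx = new MyRegExp("a"); // no "g" flag
  try {
    globalMatch(rx, "aaa");
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// A regexp that really is global still behaves normally.
function honestGlobalMatch() {
  return globalMatch(/a/g, "banana"); // ["a", "a", "a"]
}
```

The cap does not change results for well-behaved regexps; it only bounds how long the engine spends on an object whose observable `global` flag disagrees with the matcher's real flags.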
802
803 2016-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
804
805         [ES6] Namespace object re-export should be handled as local export
806         https://bugs.webkit.org/show_bug.cgi?id=157806
807
808         Reviewed by Mark Lam.
809
810         We align the implementation of ExportEntry to the spec; remove Type::Namespace.
811         This Type::Namespace is used for re-exported namespace object binding. For example,
812
813             import * as namespace from "namespace.js"
814             export { namespace }
815
816         In the above case, we used ExportEntry(Type::Namespace). In this patch, we drop this
817         and use normal local export (Type::Local) instead because the namespace object actually has
818         the local binding in the above module environment. And this handling strictly meets the
819         spec (Sec 15.2.1.16.1 step 11-a-ii-2-b).
820
821         And we also clean up the ExportEntry implementation; dropping unnecessary information.
822         This change fixes the test262/test/language/module-code/instn-star-equality.js crash.
823
824         * parser/ModuleAnalyzer.cpp:
825         (JSC::ModuleAnalyzer::exportVariable):
826         * runtime/JSModuleRecord.cpp:
827         (JSC::getExportedNames):
828         (JSC::JSModuleRecord::dump): Deleted.
829         * runtime/JSModuleRecord.h:
830         * tests/modules/namespace-re-export.js: Added.
831         * tests/modules/namespace-re-export/namespace-re-export-fixture.js: Added.
832         * tests/modules/namespace-re-export/namespace-re-export.js: Added.
833         * tests/modules/resources/assert.js:
834         (export.shouldNotBe):
835
836 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
837
838         JSC should detect the right default locale even when it's not embedded in WebCore
839         https://bugs.webkit.org/show_bug.cgi?id=157755
840         rdar://problem/24665424
841
842         Reviewed by Keith Miller.
843         
844         This makes JSC try to use WTF's platform user preferred language detection if the DOM did
845         not register a defaultLanguage callback. The result is that when JSC runs standalone it
846         will detect the platform user preferred language almost the same way as when it's embedded
847         in WebCore. The only difference is that WebCore may have its own additional overrides via
848         the WK API. But in the absence of overrides, WebCore uses the same WTF logic that JSC falls
849         back to.
850         
851         We first found this bug because on iOS, the intl tests would fail because ICU would report
852         a somewhat bogus locale on that platform. Prior to this change, standalone JSC would fall
853         back to ICU's locale detection. It turns out that the ICU default locale is also bogus on
854         OS X, just less so. For example, setting things to Poland did not result in the jsc shell
855         printing dates Polish-style. Now it will print them Polish-style if your system preferences
856         say so. Also, the tests don't fail on iOS anymore.
857         
858         * runtime/IntlObject.cpp:
859         (JSC::defaultLocale):
860
861 2016-05-17  Dean Jackson  <dino@apple.com>
862
863         Remove ES6_GENERATORS flag
864         https://bugs.webkit.org/show_bug.cgi?id=157815
865         <rdar://problem/26332894>
866
867         Reviewed by Geoffrey Garen.
868
869         This flag isn't needed. Generators are enabled everywhere and
870         part of a stable specification.
871
872         * Configurations/FeatureDefines.xcconfig:
873         * parser/Parser.cpp:
874         (JSC::Parser<LexerType>::parseFunctionDeclaration): Deleted.
875         (JSC::Parser<LexerType>::parseClass): Deleted.
876         (JSC::Parser<LexerType>::parseExportDeclaration): Deleted.
877         (JSC::Parser<LexerType>::parseAssignmentExpression): Deleted.
878         (JSC::Parser<LexerType>::parseProperty): Deleted.
879         (JSC::Parser<LexerType>::parseFunctionExpression): Deleted.
880
881 2016-05-17  Keith Miller  <keith_miller@apple.com>
882
883         Rollout r200426 since it causes PLT regressions.
884         https://bugs.webkit.org/show_bug.cgi?id=157812
885
886         Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.
887
888 2016-05-17  Keith Miller  <keith_miller@apple.com>
889
890         Add test262 harness support code
891         https://bugs.webkit.org/show_bug.cgi?id=157797
892
893         Reviewed by Filip Pizlo.
894
895         This patch adds some new tooling needed to run Test262 with the jsc
896         CLI. There were three options that needed to be added for Test262:
897
898         1) "--test262-async" This option overrides the print function in the test runner to look for
899         'Test262:AsyncTestComplete' instead of printing the passed text. If test262-async mode is on
900         and that string is not passed then the test is marked as failing.
901
902         2) "--strict-file=<file>" This option appends `"use strict";\n` to the beginning of the
903         passed file before passing the source code to the VM. This option can, in theory, be passed
904         multiple times.
905
906         3) "--exception=<name>" This option asserts that at the end of the last script file passed
907         the VM has an uncaught exception with its name property equal to the passed name.
908
909         * jsc.cpp:
910         (Script::Script):
911         (fillBufferWithContentsOfFile):
912         (functionPrint):
913         (checkUncaughtException):
914         (runWithScripts):
915         (printUsageStatement):
916         (CommandLine::parseArguments):
917         (runJSC):
918
919 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
920
921         WTF should know about Language
922         https://bugs.webkit.org/show_bug.cgi?id=157756
923
924         Reviewed by Geoffrey Garen.
925
926         Teach our scripts that an ObjC class beginning with WTF is totally cool.
927
928         * JavaScriptCore.xcodeproj/project.pbxproj:
929
930 2016-05-17  Joseph Pecoraro  <pecoraro@apple.com>
931
932         console namespace breaks putting properties on console.__proto__
933         https://bugs.webkit.org/show_bug.cgi?id=157782
934         <rdar://problem/26250526>
935
936         Reviewed by Geoffrey Garen.
937
938         Some websites currently depend on console.__proto__ existing and being
939         a separate object from Object.prototype. This patch adds back a basic
940         console.__proto__ object, but all the console functions are left on
941         the ConsoleObject itself.
942
943         * runtime/JSGlobalObject.cpp:
944         (JSC::createConsoleProperty):
945
946 2016-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
947
948         Unreviewed, dump more information when math-pow-stable-results.js failed
949         https://bugs.webkit.org/show_bug.cgi?id=157168
950
951         * tests/stress/math-pow-stable-results.js:
952
953 2016-05-16  Saam barati  <sbarati@apple.com>
954
955         ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
956         https://bugs.webkit.org/show_bug.cgi?id=157770
957
958         Reviewed by Filip Pizlo.
959
960         ShadowChicken was reading the scope from a half formed
961         frame as it threw a stack overflow exception. The frame had
962         a valid CodeBlock pointer, but it did not have a valid scope.
963         The code in ShadowChicken's throw packet logging mechanism didn't
964         account for this. The fix is to respect whether genericUnwind wants
965         to unwind from the current frame or the caller's frame. For stack
966         overflow errors, we always unwind the caller's frame.
967
968         * jit/JITExceptions.cpp:
969         (JSC::genericUnwind):
970
971 2016-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
972
973         REGRESSION(r200208): It made 2 JSC stress tests fail on x86
974         https://bugs.webkit.org/show_bug.cgi?id=157168
975
976         Reviewed by Benjamin Poulain.
977
978         The fast path in operationMathPow produces different results between x87 and the other environments.
979         This is because x87 calculates the double value in 80bit precision.
980         The situation is the following: in x86 32bit environment, floating point operations are compiled to
981         x87 operations by default even if we can use SSE2. But in DFG environment, we aggressively use SSE2
982         if the cpuid reports SSE2 is available. As a result, the implementations differ between C runtime
983         and DFG JIT code. The C runtime uses x87 while DFG JIT code uses SSE2. This causes a precision
984         problem since x87 has 80bit precision while SSE2 has 64bit precision.
985
986         In this patch, in x86 32bit environment, we use `volatile double` if the `-mfpmath=sse and -msse2 (or later)`
987         is not specified. This will round the x87 value into 64bit per multiplying. Note that this problem does not
988         occur in OS X clang 32bit environment. This is because `-mfpmath=sse` is enabled by default in OS X clang 32bit.
989
990         * b3/B3MathExtras.cpp:
991         (JSC::B3::powDoubleInt32):
992         * runtime/MathCommon.cpp:
993         (JSC::operationMathPow):
994
995 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
996
997         [JSC] "return this" in a constructor does not need a branch on isObject(this)
998         https://bugs.webkit.org/show_bug.cgi?id=157775
999
1000         Reviewed by Saam Barati and Ryosuke Niwa.
1001
1002         When returning "this" in a constructor, the bytecode generator was generating:
1003             is_object         locX, this
1004             jtrue             locX, 5(->second ret)
1005             ret               this
1006             ret               this
1007
1008         That code is eliminated in DFG but it is pretty costly in lower tiers.
1009
1010         This patch changes bytecode generation to avoid the is_object test
1011         when possible and not generate two ret if they encode the same thing.
1012
1013         * bytecompiler/BytecodeGenerator.cpp:
1014         (JSC::BytecodeGenerator::emitReturn):
1015
1016 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
1017
1018         [JSC] Remove the index check from op_get_by_val/op_put_by_val when the index is constant
1019         https://bugs.webkit.org/show_bug.cgi?id=157766
1020
1021         Reviewed by Geoffrey Garen.
1022
1023         If the index is an integer constant, do not generate the index check.
1024
1025         * jit/JITPropertyAccess.cpp:
1026         (JSC::JIT::emit_op_get_by_val):
1027         (JSC::JIT::emitSlow_op_get_by_val):
1028         (JSC::JIT::emit_op_put_by_val):
1029         (JSC::JIT::emitSlow_op_put_by_val):
1030
1031 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
1032
1033         [JSC][DFG] Fill spilled Int32 as Int32 instead of JSInt32
1034         https://bugs.webkit.org/show_bug.cgi?id=157700
1035
1036         Reviewed by Michael Saboff.
1037
1038         In general, fillSpeculateInt32() originates from SpeculateInt32
1039         and the user does not care about the tag.
1040
1041         This is particularly obvious on Sunspider's math-spectral-norm.js.
1042         In that test, registers are frequently spilled because of x86's DIV.
1043
1044         When they are re-filled, they were always tagged.
1045         Since the loops are small, all the tagging adds up.
1046
1047         * dfg/DFGSpeculativeJIT64.cpp:
1048         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1049
1050 2016-05-16  Saam barati  <sbarati@apple.com>
1051
1052         Unreviewed Cloop build fix.
1053
1054         * bytecode/CodeBlock.cpp:
1055         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
1056
1057 2016-05-16  Saam barati  <sbarati@apple.com>
1058
1059         Hook up ShadowChicken to the debugger to show tail deleted frames
1060         https://bugs.webkit.org/show_bug.cgi?id=156685
1061         <rdar://problem/25770521>
1062
1063         Reviewed by Filip Pizlo and Mark Lam and Joseph Pecoraro.
1064
1065         The heart of this patch hooks up ShadowChicken to DebuggerCallFrame to
1066         allow the Web Inspector to display the ShadowChicken's shadow stack.
1067         This means the Web Inspector can now display tail deleted frames.
1068         To make this work, I made the necessary changes to ShadowChicken and
1069         DebuggerCallFrame to allow DebuggerCallFrame to keep the same API
1070         when representing both machine frames and tail deleted frames.
1071
1072         - ShadowChicken prologue packets now log the current scope. Tail packets
1073           log the current scope, the 'this' value, the CodeBlock, and the
1074           CallSiteIndex. This allows the inspector to not only show the
1075           tail deleted frame, but also show exactly where the tail call happened (line and column numbers),
1076           with which scope it executed, and with which 'this' value. This
1077           patch also allows DebuggerCallFrame to execute console statements
1078           in a tail deleted frame.
1079
1080         - I changed ShadowChicken's stack resizing algorithm. ShadowChicken
1081           now only keeps a maximum number of tail deleted frames in its shadow stack.
1082           It will happily represent all machine frames without limit. Right now, the
1083           maximum number of tail deleted frames I chose to keep alive is 128.
1084           We will keep frames alive starting from the top of the stack. This
1085           allows us to have a strong defense against runaway memory usage. We will only
1086           keep around at most 128 "shadow" frames that wouldn't have naturally been kept
1087           alive by the executing program. We can play around with this number
1088           if we find that 128 is either too many or too few frames.
1089
1090         - DebuggerCallFrame is no longer a cheap class to create. When it is created,
1091           we will eagerly create the entire virtual debugger stack. So I modified the
1092           existing code to lazily create DebuggerCallFrames only when necessary. We
1093           used to eagerly create them at each op_debug statement even though we would
1094           just throw them away if we didn't hit a breakpoint.
1095
1096         - A valid DebuggerCallFrame will always have a valid CallFrame* pointer
1097           into the stack. This pointer won't always refer to the logical frame
1098           that the DebuggerCallFrame represents because a DebuggerCallFrame can
1099           now represent a tail deleted frame. To do this, DebuggerCallFrame now
1100           has a ShadowChicken::Frame member variable. This allows DebuggerCallFrame
1101           to know when it represents a tail deleted frame and gives DebuggerCallFrame
1102           a mechanism to ask the tail deleted frame for interesting information
1103           (like its 'this' value, scope, CodeBlock, etc). A tail deleted frame's
1104           machine frame pointer will be the machine caller of the tail deleted frame
1105           (or the machine caller of the first of a series of consecutive tail calls).
1106
1107         - I added a new flag to UnlinkedCodeBlock to indicate when it is compiled
1108           with debugging opcodes. I did this because ShadowChicken may read a JSScope
1109           from the machine stack. This is only safe if the machine CodeBlock was
1110           compiled with debugging opcodes. This is safer than asking if the
1111           CodeBlock's global object has an interactive debugger enabled because
1112           it's theoretically possible for the debugger to be enabled while code
1113           compiled without a debugger is still live on the stack. This field is
1114           also now used to indicate to the DFGGraph that the interactive debugger
1115           is enabled.
1116
1117         - Finally, this patch adds a new field to the Inspector's CallFrame protocol
1118           object called 'isTailDeleted' to allow the Inspector to know when a
1119           CallFrame represents a tail deleted frame.
1120
1121         * JavaScriptCore.xcodeproj/project.pbxproj:
1122         * bytecode/BytecodeList.json:
1123         * bytecode/BytecodeUseDef.h:
1124         (JSC::computeUsesForBytecodeOffset):
1125         * bytecode/CodeBlock.cpp:
1126         (JSC::CodeBlock::dumpBytecode):
1127         (JSC::CodeBlock::findPC):
1128         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
1129         * bytecode/CodeBlock.h:
1130         (JSC::CodeBlock::clearDebuggerRequests):
1131         (JSC::CodeBlock::wasCompiledWithDebuggingOpcodes):
1132         * bytecode/UnlinkedCodeBlock.cpp:
1133         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1134         * bytecode/UnlinkedCodeBlock.h:
1135         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes):
1136         (JSC::UnlinkedCodeBlock::finishCreation):
1137         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
1138         * bytecode/UnlinkedFunctionExecutable.cpp:
1139         (JSC::generateUnlinkedFunctionCodeBlock):
1140         * bytecompiler/BytecodeGenerator.cpp:
1141         (JSC::BytecodeGenerator::generate):
1142         (JSC::BytecodeGenerator::BytecodeGenerator):
1143         (JSC::BytecodeGenerator::emitEnter):
1144         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
1145         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
1146         (JSC::BytecodeGenerator::emitCallDefineProperty):
1147         * debugger/Debugger.cpp:
1148         (JSC::DebuggerPausedScope::DebuggerPausedScope):
1149         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
1150         (JSC::Debugger::didReachBreakpoint):
1151         (JSC::Debugger::currentDebuggerCallFrame):
1152         * debugger/Debugger.h:
1153         * debugger/DebuggerCallFrame.cpp:
1154         (JSC::LineAndColumnFunctor::operator()):
1155         (JSC::DebuggerCallFrame::create):
1156         (JSC::DebuggerCallFrame::DebuggerCallFrame):
1157         (JSC::DebuggerCallFrame::callerFrame):
1158         (JSC::DebuggerCallFrame::globalExec):
1159         (JSC::DebuggerCallFrame::vmEntryGlobalObject):
1160         (JSC::DebuggerCallFrame::sourceID):
1161         (JSC::DebuggerCallFrame::functionName):
1162         (JSC::DebuggerCallFrame::scope):
1163         (JSC::DebuggerCallFrame::type):
1164         (JSC::DebuggerCallFrame::thisValue):
1165         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1166         (JSC::DebuggerCallFrame::invalidate):
1167         (JSC::DebuggerCallFrame::currentPosition):
1168         (JSC::DebuggerCallFrame::positionForCallFrame):
1169         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1170         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor): Deleted.
1171         (JSC::FindCallerMidStackFunctor::operator()): Deleted.
1172         (JSC::FindCallerMidStackFunctor::getCallerFrame): Deleted.
1173         (JSC::DebuggerCallFrame::thisValueForCallFrame): Deleted.
1174         * debugger/DebuggerCallFrame.h:
1175         (JSC::DebuggerCallFrame::isValid):
1176         (JSC::DebuggerCallFrame::isTailDeleted):
1177         (JSC::DebuggerCallFrame::create): Deleted.
1178         (JSC::DebuggerCallFrame::exec): Deleted.
1179         * dfg/DFGByteCodeParser.cpp:
1180         (JSC::DFG::ByteCodeParser::parseBlock):
1181         * dfg/DFGFixupPhase.cpp:
1182         (JSC::DFG::FixupPhase::fixupNode):
1183         * dfg/DFGGraph.cpp:
1184         (JSC::DFG::Graph::Graph):
1185         (JSC::DFG::Graph::~Graph):
1186         * dfg/DFGJITCompiler.h:
1187         (JSC::DFG::JITCompiler::addCallSite):
1188         (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
1189         (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
1190         * dfg/DFGSpeculativeJIT32_64.cpp:
1191         (JSC::DFG::SpeculativeJIT::compile):
1192         * dfg/DFGSpeculativeJIT64.cpp:
1193         (JSC::DFG::SpeculativeJIT::compile):
1194         * ftl/FTLAbstractHeapRepository.h:
1195         * ftl/FTLLowerDFGToB3.cpp:
1196         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
1197         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
1198         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
1199         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1200         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
1201         (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket): Deleted.
1202         * inspector/InjectedScriptSource.js:
1203         (InjectedScript.CallFrameProxy):
1204         * inspector/JSJavaScriptCallFrame.cpp:
1205         (Inspector::JSJavaScriptCallFrame::thisObject):
1206         (Inspector::JSJavaScriptCallFrame::isTailDeleted):
1207         (Inspector::JSJavaScriptCallFrame::type):
1208         * inspector/JSJavaScriptCallFrame.h:
1209         * inspector/JSJavaScriptCallFramePrototype.cpp:
1210         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
1211         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
1212         (Inspector::jsJavaScriptCallFrameAttributeType):
1213         (Inspector::jsJavaScriptCallFrameIsTailDeleted):
1214         * inspector/JavaScriptCallFrame.h:
1215         (Inspector::JavaScriptCallFrame::type):
1216         (Inspector::JavaScriptCallFrame::scopeChain):
1217         (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
1218         (Inspector::JavaScriptCallFrame::isTailDeleted):
1219         (Inspector::JavaScriptCallFrame::thisValue):
1220         (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
1221         * inspector/ScriptDebugServer.cpp:
1222         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
1223         * inspector/protocol/Debugger.json:
1224         * interpreter/ShadowChicken.cpp:
1225         (JSC::ShadowChicken::update):
1226         (JSC::ShadowChicken::visitChildren):
1227         (JSC::ShadowChicken::reset):
1228         * interpreter/ShadowChicken.h:
1229         (JSC::ShadowChicken::Packet::throwMarker):
1230         (JSC::ShadowChicken::Packet::prologue):
1231         (JSC::ShadowChicken::Packet::tail):
1232         (JSC::ShadowChicken::Frame::Frame):
1233         (JSC::ShadowChicken::Frame::operator==):
1234         * jit/CCallHelpers.cpp:
1235         (JSC::CCallHelpers::logShadowChickenProloguePacket):
1236         (JSC::CCallHelpers::logShadowChickenTailPacket):
1237         (JSC::CCallHelpers::ensureShadowChickenPacket):
1238         (JSC::CCallHelpers::setupShadowChickenPacket): Deleted.
1239         * jit/CCallHelpers.h:
1240         * jit/JITOpcodes.cpp:
1241         (JSC::JIT::emit_op_profile_type):
1242         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1243         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1244         (JSC::JIT::emit_op_get_enumerable_length):
1245         (JSC::JIT::emit_op_resume):
1246         * jit/JITOpcodes32_64.cpp:
1247         (JSC::JIT::emit_op_profile_type):
1248         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
1249         (JSC::JIT::emit_op_log_shadow_chicken_tail):
1250         * jit/RegisterSet.cpp:
1251         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
1252         (JSC::RegisterSet::argumentGPRS):
1253         (JSC::RegisterSet::registersToNotSaveForJSCall):
1254         * jit/RegisterSet.h:
1255         * llint/LLIntData.cpp:
1256         (JSC::LLInt::Data::performAssertions):
1257         * llint/LLIntSlowPaths.cpp:
1258         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1259         * llint/LowLevelInterpreter.asm:
1260         * llint/LowLevelInterpreter32_64.asm:
1261         * llint/LowLevelInterpreter64.asm:
1262         * runtime/CodeCache.cpp:
1263         (JSC::CodeCache::getGlobalCodeBlock):
1264         * runtime/Options.h:
1265         * tests/stress/shadow-chicken-enabled.js:
1266         (test5a.foo):
1267         (test5a):
1268         (test5b.foo):
1269         (test5b):
1270         (test6.foo):
1271         (test6):
1272
1273 2016-05-16  Saam barati  <sbarati@apple.com>
1274
1275         TypeSet/StructureShape have a flawed sense of JS prototype chains
1276         https://bugs.webkit.org/show_bug.cgi?id=157760
1277
1278         Reviewed by Joseph Pecoraro.
1279
1280         There was an assumption that we would bottom out in "Object". This is
1281         not true for many reasons. JS objects may not end in Object.prototype.
1282         Also, our mechanism of grabbing an Object's class name may also not
1283         bottom out in "Object". We were seeing this in the JS objects we use
1284         in the InjectedScriptSource.js inspector script.
1285
1286         * runtime/TypeSet.cpp:
1287         (JSC::StructureShape::leastCommonAncestor):
1288         * tests/typeProfiler/weird-prototype-chain.js: Added.
1289         (wrapper.foo):
1290         (wrapper.let.o2):
1291         (wrapper):
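
The flawed assumption this entry describes, as an added example (not WebKit's TypeSet code): a least-common-ancestor walk over two objects' prototype chains that does not assume the chains bottom out in `Object.prototype`. The function names (`prototypeChain`, `leastCommonAncestor`, `nameOf`) are illustrative.

```javascript
// Added example, not WebKit code: prototype-chain LCA that tolerates chains
// ending in null (Object.create(null)) or in some object other than
// Object.prototype.

// Every object in the chain, from the object itself up to (but excluding)
// the terminating null. Nothing here assumes the last entry is Object.prototype.
function prototypeChain(obj) {
  const chain = [];
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o))
    chain.push(o);
  return chain;
}

// The closest prototype shared by both chains, or null when the chains never
// meet (e.g. a null-prototype object versus a plain object).
function leastCommonAncestor(a, b) {
  const chainB = new Set(prototypeChain(b));
  for (const proto of prototypeChain(a)) {
    if (chainB.has(proto))
      return proto;
  }
  return null;
}

// A display name that does not assume a `constructor` property exists:
// null-prototype objects have none, so fall back to a placeholder.
function nameOf(proto) {
  if (proto === null)
    return "(no common ancestor)";
  const ctor = proto.constructor;
  return typeof ctor === "function" && ctor.name ? ctor.name : "(anonymous)";
}

// Two objects sharing a root that is not Object.prototype: the LCA is that
// root, and naming it must not crash or report "Object".
function customRootExample() {
  const root = Object.create(null);
  const x = Object.create(root);
  const y = Object.create(root);
  return { lca: leastCommonAncestor(x, y), root };
}
```

Walking the first chain upward and stopping at the first entry present in the second chain yields the nearest shared prototype; returning `null` rather than assuming `"Object"` is what keeps this correct for the inspector's own objects.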
1292
1293 2016-05-16  Joseph Pecoraro  <pecoraro@apple.com>
1294
1295         Unreviewed rollout r200924. Caused js/regress/string-replace-generic.html to fail.
1296
1297         * API/JSProfilerPrivate.cpp: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
1298         (JSStartProfiling):
1299         (JSEndProfiling):
1300         * API/JSProfilerPrivate.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
1301         * CMakeLists.txt:
1302         * JavaScriptCore.xcodeproj/project.pbxproj:
1303         * bytecode/BytecodeList.json:
1304         * bytecode/BytecodeUseDef.h:
1305         (JSC::computeUsesForBytecodeOffset):
1306         (JSC::computeDefsForBytecodeOffset):
1307         * bytecode/CodeBlock.cpp:
1308         (JSC::CodeBlock::dumpBytecode):
1309         * bytecode/UnlinkedFunctionExecutable.cpp:
1310         (JSC::generateUnlinkedFunctionCodeBlock):
1311         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1312         * bytecode/UnlinkedFunctionExecutable.h:
1313         * bytecompiler/BytecodeGenerator.cpp:
1314         (JSC::BytecodeGenerator::BytecodeGenerator):
1315         (JSC::BytecodeGenerator::emitCall):
1316         (JSC::BytecodeGenerator::emitCallVarargs):
1317         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
1318         (JSC::BytecodeGenerator::emitConstructVarargs):
1319         (JSC::BytecodeGenerator::emitConstruct):
1320         * bytecompiler/BytecodeGenerator.h:
1321         (JSC::CallArguments::profileHookRegister):
1322         (JSC::BytecodeGenerator::shouldEmitProfileHooks):
1323         * bytecompiler/NodesCodegen.cpp:
1324         (JSC::CallArguments::CallArguments):
1325         (JSC::CallFunctionCallDotNode::emitBytecode):
1326         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1327         * dfg/DFGAbstractInterpreterInlines.h:
1328         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1329         * dfg/DFGByteCodeParser.cpp:
1330         (JSC::DFG::ByteCodeParser::parseBlock):
1331         * dfg/DFGCapabilities.cpp:
1332         (JSC::DFG::capabilityLevel):
1333         * dfg/DFGClobberize.h:
1334         (JSC::DFG::clobberize):
1335         * dfg/DFGDoesGC.cpp:
1336         (JSC::DFG::doesGC):
1337         * dfg/DFGFixupPhase.cpp:
1338         (JSC::DFG::FixupPhase::fixupNode):
1339         * dfg/DFGNodeType.h:
1340         * dfg/DFGPredictionPropagationPhase.cpp:
1341         * dfg/DFGSafeToExecute.h:
1342         (JSC::DFG::safeToExecute):
1343         * dfg/DFGSpeculativeJIT32_64.cpp:
1344         (JSC::DFG::SpeculativeJIT::compile):
1345         * dfg/DFGSpeculativeJIT64.cpp:
1346         (JSC::DFG::SpeculativeJIT::compile):
1347         * inspector/InjectedScriptBase.cpp:
1348         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
1349         * inspector/protocol/Timeline.json:
1350         * interpreter/Interpreter.cpp:
1351         (JSC::UnwindFunctor::operator()):
1352         (JSC::Interpreter::execute):
1353         (JSC::Interpreter::executeCall):
1354         (JSC::Interpreter::executeConstruct):
1355         * jit/JIT.cpp:
1356         (JSC::JIT::privateCompileMainPass):
1357         * jit/JIT.h:
1358         * jit/JITOpcodes.cpp:
1359         (JSC::JIT::emit_op_profile_will_call):
1360         (JSC::JIT::emit_op_profile_did_call):
1361         * jit/JITOpcodes32_64.cpp:
1362         (JSC::JIT::emit_op_profile_will_call):
1363         (JSC::JIT::emit_op_profile_did_call):
1364         * jit/JITOperations.cpp:
1365         * jit/JITOperations.h:
1366         * jsc.cpp:
1367         * llint/LLIntSlowPaths.cpp:
1368         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1369         * llint/LLIntSlowPaths.h:
1370         * llint/LowLevelInterpreter.asm:
1371         * parser/ParserModes.h:
1372         * profiler/CallIdentifier.h: Added.
1373         (JSC::CallIdentifier::CallIdentifier):
1374         (JSC::CallIdentifier::functionName):
1375         (JSC::CallIdentifier::url):
1376         (JSC::CallIdentifier::lineNumber):
1377         (JSC::CallIdentifier::columnNumber):
1378         (JSC::CallIdentifier::operator==):
1379         (JSC::CallIdentifier::operator!=):
1380         (JSC::CallIdentifier::Hash::hash):
1381         (JSC::CallIdentifier::Hash::equal):
1382         (JSC::CallIdentifier::hash):
1383         (JSC::CallIdentifier::operator const char*):
1384         (JSC::CallIdentifier::c_str):
1385         (WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
1386         (WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
1387         * profiler/LegacyProfiler.cpp: Added.
1388         (JSC::LegacyProfiler::profiler):
1389         (JSC::LegacyProfiler::startProfiling):
1390         (JSC::LegacyProfiler::stopProfiling):
1391         (JSC::callFunctionForProfilesWithGroup):
1392         (JSC::LegacyProfiler::suspendProfiling):
1393         (JSC::LegacyProfiler::unsuspendProfiling):
1394         (JSC::LegacyProfiler::willExecute):
1395         (JSC::LegacyProfiler::didExecute):
1396         (JSC::LegacyProfiler::exceptionUnwind):
1397         (JSC::LegacyProfiler::createCallIdentifier):
1398         (JSC::createCallIdentifierFromFunctionImp):
1399         * profiler/LegacyProfiler.h: Added.
1400         (JSC::LegacyProfiler::currentProfiles):
1401         * profiler/Profile.cpp: Added.
1402         (JSC::Profile::create):
1403         (JSC::Profile::Profile):
1404         (JSC::Profile::~Profile):
1405         (JSC::Profile::debugPrint):
1406         (JSC::functionNameCountPairComparator):
1407         (JSC::Profile::debugPrintSampleStyle):
1408         * profiler/Profile.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
1409         * profiler/ProfileGenerator.cpp: Added.
1410         (JSC::ProfileGenerator::create):
1411         (JSC::ProfileGenerator::ProfileGenerator):
1412         (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
1413         (JSC::AddParentForConsoleStartFunctor::foundParent):
1414         (JSC::AddParentForConsoleStartFunctor::operator()):
1415         (JSC::ProfileGenerator::addParentForConsoleStart):
1416         (JSC::ProfileGenerator::title):
1417         (JSC::ProfileGenerator::beginCallEntry):
1418         (JSC::ProfileGenerator::endCallEntry):
1419         (JSC::ProfileGenerator::willExecute):
1420         (JSC::ProfileGenerator::didExecute):
1421         (JSC::ProfileGenerator::exceptionUnwind):
1422         (JSC::ProfileGenerator::stopProfiling):
1423         (JSC::ProfileGenerator::removeProfileStart):
1424         (JSC::ProfileGenerator::removeProfileEnd):
1425         * profiler/ProfileGenerator.h: Added.
1426         (JSC::ProfileGenerator::profile):
1427         (JSC::ProfileGenerator::origin):
1428         (JSC::ProfileGenerator::profileGroup):
1429         (JSC::ProfileGenerator::setIsSuspended):
1430         * profiler/ProfileNode.cpp: Added.
1431         (JSC::ProfileNode::ProfileNode):
1432         (JSC::ProfileNode::addChild):
1433         (JSC::ProfileNode::removeChild):
1434         (JSC::ProfileNode::spliceNode):
1435         (JSC::ProfileNode::traverseNextNodePostOrder):
1436         (JSC::ProfileNode::debugPrint):
1437         (JSC::ProfileNode::debugPrintSampleStyle):
1438         (JSC::ProfileNode::debugPrintRecursively):
1439         (JSC::ProfileNode::debugPrintSampleStyleRecursively):
1440         * profiler/ProfileNode.h: Added.
1441         (JSC::ProfileNode::create):
1442         (JSC::ProfileNode::Call::Call):
1443         (JSC::ProfileNode::Call::startTime):
1444         (JSC::ProfileNode::Call::setStartTime):
1445         (JSC::ProfileNode::Call::elapsedTime):
1446         (JSC::ProfileNode::Call::setElapsedTime):
1447         (JSC::ProfileNode::operator==):
1448         (JSC::ProfileNode::callerCallFrame):
1449         (JSC::ProfileNode::callIdentifier):
1450         (JSC::ProfileNode::id):
1451         (JSC::ProfileNode::functionName):
1452         (JSC::ProfileNode::url):
1453         (JSC::ProfileNode::lineNumber):
1454         (JSC::ProfileNode::columnNumber):
1455         (JSC::ProfileNode::parent):
1456         (JSC::ProfileNode::setParent):
1457         (JSC::ProfileNode::calls):
1458         (JSC::ProfileNode::lastCall):
1459         (JSC::ProfileNode::appendCall):
1460         (JSC::ProfileNode::children):
1461         (JSC::ProfileNode::firstChild):
1462         (JSC::ProfileNode::lastChild):
1463         (JSC::ProfileNode::nextSibling):
1464         (JSC::ProfileNode::setNextSibling):
1465         (JSC::ProfileNode::forEachNodePostorder):
1466         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
1467         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
1468         * profiler/ProfilerJettisonReason.cpp:
1469         (WTF::printInternal):
1470         * profiler/ProfilerJettisonReason.h:
1471         * runtime/CodeCache.cpp:
1472         (JSC::CodeCache::getGlobalCodeBlock):
1473         (JSC::CodeCache::getProgramCodeBlock):
1474         (JSC::CodeCache::getEvalCodeBlock):
1475         (JSC::CodeCache::getModuleProgramCodeBlock):
1476         * runtime/CodeCache.h:
1477         * runtime/Executable.cpp:
1478         (JSC::ScriptExecutable::newCodeBlockFor):
1479         * runtime/JSGlobalObject.cpp:
1480         (JSC::JSGlobalObject::~JSGlobalObject):
1481         (JSC::JSGlobalObject::hasLegacyProfiler):
1482         (JSC::JSGlobalObject::createProgramCodeBlock):
1483         (JSC::JSGlobalObject::createEvalCodeBlock):
1484         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
1485         * runtime/JSGlobalObject.h:
1486         (JSC::JSGlobalObject::supportsLegacyProfiling):
1487         * runtime/Options.h:
1488         * runtime/VM.cpp:
1489         (JSC::VM::VM):
1490         (JSC::SetEnabledProfilerFunctor::operator()):
1491         (JSC::VM::setEnabledProfiler):
1492         * runtime/VM.h:
1493         (JSC::VM::enabledProfiler):
1494         (JSC::VM::enabledProfilerAddress):
1495
1496 2016-05-16  Konstantin Tokarev  <annulen@yandex.ru>
1497
1498         Unreviewed, fixed typo in a comment.
1499
1500         * assembler/MacroAssembler.h: Replaced "onvenience" with
1501         "convenience".
1502
1503 2016-05-16  Filip Pizlo  <fpizlo@apple.com>
1504
1505         FixupPhase should be more eager to demote bit math to untyped
1506         https://bugs.webkit.org/show_bug.cgi?id=157746
1507
1508         Reviewed by Mark Lam.
1509         
1510         This just makes the logic for how we fixup bit math match the way we do it in other places.
1511         This doesn't affect performance on any major benchmark but it's a big win on new
1512         microbenchmarks added in this change.
1513         
1514         Details:
1515
1516         object-and                                     11.1610+-0.7602     ^      4.8105+-0.1690        ^ definitely 2.3201x faster
1517         object-or                                      11.0845+-0.2487     ^      4.7146+-0.0374        ^ definitely 2.3511x faster
1518         object-xor                                     10.2946+-0.9946     ^      4.7278+-0.0814        ^ definitely 2.1775x faster
1519         object-lshift                                  10.4896+-1.0867     ^      4.7699+-0.0721        ^ definitely 2.1991x faster
1520         object-rshift                                  11.1239+-0.5010     ^      4.7194+-0.0445        ^ definitely 2.3570x faster
1521         object-urshift                                 10.9745+-0.1315     ^      4.7848+-0.0479        ^ definitely 2.2936x faster
1522
1523         * dfg/DFGFixupPhase.cpp:
1524         (JSC::DFG::FixupPhase::fixupNode):
1525
1526 2016-05-15  Michael Saboff  <msaboff@apple.com>
1527
1528         RegExp /y flag incorrect handling of mixed-length alternation
1529         https://bugs.webkit.org/show_bug.cgi?id=157723
1530
1531         Reviewed by Filip Pizlo.
1532
1533         Previously for sticky patterns, we were bailing out and exiting when backtracking
1534         alternatives with dissimilar match lengths.  Deleted that code.  Instead, for
1535         sticky patterns we need to process the backtracking except for advancing to the
1536         next input index.
1537
1538         * yarr/YarrJIT.cpp:
1539         (JSC::Yarr::YarrGenerator::backtrack):
1540
1541 2016-05-15  Filip Pizlo  <fpizlo@apple.com>
1542
1543         DFG::Plan shouldn't read from its VM once it's been cancelled
1544         https://bugs.webkit.org/show_bug.cgi?id=157726
1545
1546         Reviewed by Saam Barati.
1547         
1548         Plan::vm was a reference, not a pointer, and so wasn't nulled by Plan::cancel(). So, a
1549         cancelled plan may have a dangling pointer to a VM: we could delete the VM after cancelling
1550         the plan.
1551         
1552         Prior to http://trac.webkit.org/changeset/200705, this was probably fine because nobody
1553         would read Plan::vm if the plan was cancelled. But r200705 changed that. It was a hard
1554         regression to spot because usually a cancelled plan will still refer to a valid VM.
1555         
1556         This change fixes the regression and makes it a lot easier to spot the regression in the
1557         future. Plan::vm is now a pointer and we null it in Plan::cancel(). Now if you make this
1558         mistake, you will get a crash anytime the Plan is cancelled, not just anytime the plan is
1559         cancelled and the VM gets deleted. Also, it's now very clear what to do when you want to
1560         use Plan::vm on the cancel path: you can null-check vm; if it's null, assume the worst.
1561         
1562         Because we null the VM of a cancelled plan, we cannot have Safepoint::vm() return the
1563         plan's VM anymore. That's because when we cancel a plan that is at a safepoint, we use the
1564         safepoint's VM to determine whether this is one of our safepoints *after* the plan is
1565         already cancelled. So, Safepoint now has its own copy of m_vm, and that copy gets nulled
1566         when the Safepoint is cancelled. The Safepoint's m_vm will be nulled moments after Plan's
1567         vm gets nulled (see Worklist::removeDeadPlans(), which has a cancel path for Plans in one
1568         loop and a cancel path for Safepoints in the loop after it).
1569
1570         * dfg/DFGJITFinalizer.cpp:
1571         (JSC::DFG::JITFinalizer::finalizeCommon):
1572         * dfg/DFGPlan.cpp:
1573         (JSC::DFG::Plan::Plan):
1574         (JSC::DFG::Plan::computeCompileTimes):
1575         (JSC::DFG::Plan::reportCompileTimes):
1576         (JSC::DFG::Plan::compileInThreadImpl):
1577         (JSC::DFG::Plan::reallyAdd):
1578         (JSC::DFG::Plan::notifyCompiling):
1579         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
1580         (JSC::DFG::Plan::cancel):
1581         * dfg/DFGPlan.h:
1582         (JSC::DFG::Plan::canTierUpAndOSREnter):
1583         * dfg/DFGSafepoint.cpp:
1584         (JSC::DFG::Safepoint::cancel):
1585         (JSC::DFG::Safepoint::vm):
1586         * dfg/DFGSafepoint.h:
1587         * dfg/DFGWorklist.cpp:
1588         (JSC::DFG::Worklist::isActiveForVM):
1589         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
1590         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
1591         (JSC::DFG::Worklist::rememberCodeBlocks):
1592         (JSC::DFG::Worklist::visitWeakReferences):
1593         (JSC::DFG::Worklist::removeDeadPlans):
1594         (JSC::DFG::Worklist::runThread):
1595         * ftl/FTLJITFinalizer.cpp:
1596         (JSC::FTL::JITFinalizer::finalizeFunction):
1597
1598 2016-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1599
1600         Modernize Intl constructors; using InternalFunction::createSubclassStructure
1601         https://bugs.webkit.org/show_bug.cgi?id=157082
1602
1603         Reviewed by Darin Adler.
1604
1605         Previously, Intl constructors retrieved "prototype" to inherit the "new.target".
1606         At that time, this mis-assumed that getDirect() always returns a meaningful JS value.
1607         Actually, it returns an empty value if a property does not exist.
1608
1609         Instead of fixing this assertion, we now use InternalFunction::createSubclassStructure
1610         in Intl constructors. It is the modern and preferable way, since it can cache the derived
1611         structures in InternalFunction.
1612
1613         This patch also cleans up the workaround in Intl.NumberFormat and Intl.DateTimeFormat.
1614         That code was largely duplicated. It is now extracted into
1615         constructIntlInstanceWithWorkaroundForLegacyIntlConstructor. This cleanup does not
1616         have any behavior changes. They are already tested in LayoutTests/js/intl-datetimeformat
1617         and LayoutTests/js/intl-numberformat.
1618
1619         * JavaScriptCore.xcodeproj/project.pbxproj:
1620         * runtime/IntlCollator.cpp:
1621         (JSC::IntlCollator::create):
1622         * runtime/IntlCollator.h:
1623         * runtime/IntlCollatorConstructor.cpp:
1624         (JSC::constructIntlCollator):
1625         (JSC::callIntlCollator):
1626         * runtime/IntlDateTimeFormat.cpp:
1627         (JSC::IntlDateTimeFormat::create):
1628         * runtime/IntlDateTimeFormat.h:
1629         * runtime/IntlDateTimeFormatConstructor.cpp:
1630         (JSC::constructIntlDateTimeFormat):
1631         (JSC::callIntlDateTimeFormat):
1632         * runtime/IntlDateTimeFormatPrototype.cpp:
1633         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1634         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1635         * runtime/IntlNumberFormat.cpp:
1636         (JSC::IntlNumberFormat::create):
1637         * runtime/IntlNumberFormat.h:
1638         * runtime/IntlNumberFormatConstructor.cpp:
1639         (JSC::constructIntlNumberFormat):
1640         (JSC::callIntlNumberFormat):
1641         * runtime/IntlNumberFormatPrototype.cpp:
1642         (JSC::IntlNumberFormatPrototypeGetterFormat):
1643         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1644         * runtime/IntlObjectInlines.h: Added.
1645         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1646         * tests/stress/intl-constructors-with-proxy.js: Added.
1647         (shouldBe):
1648         (throw.new.Error.Empty):
1649         (throw.new.Error):
1650         (shouldBe.Empty):
1651
1652 2016-05-14  Joseph Pecoraro  <pecoraro@apple.com>
1653
1654         Remove LegacyProfiler
1655         https://bugs.webkit.org/show_bug.cgi?id=153565
1656
1657         Reviewed by Mark Lam.
1658
1659         JavaScriptCore now provides a sampling profiler and it is enabled
1660         by all ports. Web Inspector switched months ago to using the
1661         sampling profiler and displaying its data. Remove the legacy
1662         profiler, as it is no longer being used by anything other than
1663         console.profile and tests. We will update console.profile's
1664         behavior soon to have new behavior and use the sampling data.
1665
1666         * API/JSProfilerPrivate.cpp: Removed.
1667         * API/JSProfilerPrivate.h: Removed.
1668         * CMakeLists.txt:
1669         * JavaScriptCore.xcodeproj/project.pbxproj:
1670         * bytecode/BytecodeList.json:
1671         * bytecode/BytecodeUseDef.h:
1672         (JSC::computeUsesForBytecodeOffset): Deleted.
1673         (JSC::computeDefsForBytecodeOffset): Deleted.
1674         * bytecode/CodeBlock.cpp:
1675         (JSC::CodeBlock::dumpBytecode): Deleted.
1676         * bytecode/UnlinkedFunctionExecutable.cpp:
1677         (JSC::generateUnlinkedFunctionCodeBlock):
1678         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1679         * bytecode/UnlinkedFunctionExecutable.h:
1680         * bytecompiler/BytecodeGenerator.cpp:
1681         (JSC::BytecodeGenerator::BytecodeGenerator):
1682         (JSC::BytecodeGenerator::emitCall):
1683         (JSC::BytecodeGenerator::emitCallVarargs):
1684         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
1685         (JSC::BytecodeGenerator::emitConstructVarargs):
1686         (JSC::BytecodeGenerator::emitConstruct):
1687         * bytecompiler/BytecodeGenerator.h:
1688         (JSC::CallArguments::profileHookRegister): Deleted.
1689         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
1690         * bytecompiler/NodesCodegen.cpp:
1691         (JSC::CallFunctionCallDotNode::emitBytecode):
1692         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1693         (JSC::CallArguments::CallArguments): Deleted.
1694         * dfg/DFGAbstractInterpreterInlines.h:
1695         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
1696         * dfg/DFGByteCodeParser.cpp:
1697         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
1698         * dfg/DFGCapabilities.cpp:
1699         (JSC::DFG::capabilityLevel): Deleted.
1700         * dfg/DFGClobberize.h:
1701         (JSC::DFG::clobberize): Deleted.
1702         * dfg/DFGDoesGC.cpp:
1703         (JSC::DFG::doesGC): Deleted.
1704         * dfg/DFGFixupPhase.cpp:
1705         (JSC::DFG::FixupPhase::fixupNode): Deleted.
1706         * dfg/DFGNodeType.h:
1707         * dfg/DFGPredictionPropagationPhase.cpp:
1708         * dfg/DFGSafeToExecute.h:
1709         (JSC::DFG::safeToExecute): Deleted.
1710         * dfg/DFGSpeculativeJIT32_64.cpp:
1711         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1712         * dfg/DFGSpeculativeJIT64.cpp:
1713         (JSC::DFG::SpeculativeJIT::compile): Deleted.
1714         * inspector/InjectedScriptBase.cpp:
1715         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
1716         * inspector/protocol/Timeline.json:
1717         * interpreter/Interpreter.cpp:
1718         (JSC::UnwindFunctor::operator()): Deleted.
1719         (JSC::Interpreter::execute): Deleted.
1720         (JSC::Interpreter::executeCall): Deleted.
1721         (JSC::Interpreter::executeConstruct): Deleted.
1722         * jit/JIT.cpp:
1723         (JSC::JIT::privateCompileMainPass): Deleted.
1724         * jit/JIT.h:
1725         * jit/JITOpcodes.cpp:
1726         (JSC::JIT::emit_op_profile_will_call): Deleted.
1727         (JSC::JIT::emit_op_profile_did_call): Deleted.
1728         * jit/JITOpcodes32_64.cpp:
1729         (JSC::JIT::emit_op_profile_will_call): Deleted.
1730         (JSC::JIT::emit_op_profile_did_call): Deleted.
1731         * jit/JITOperations.cpp:
1732         * jit/JITOperations.h:
1733         * jsc.cpp:
1734         * llint/LLIntSlowPaths.cpp:
1735         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
1736         * llint/LLIntSlowPaths.h:
1737         * llint/LowLevelInterpreter.asm:
1738         * parser/ParserModes.h:
1739         * profiler/CallIdentifier.h: Removed.
1740         * profiler/LegacyProfiler.cpp: Removed.
1741         * profiler/LegacyProfiler.h: Removed.
1742         * profiler/Profile.cpp: Removed.
1743         * profiler/Profile.h: Removed.
1744         * profiler/ProfileGenerator.cpp: Removed.
1745         * profiler/ProfileGenerator.h: Removed.
1746         * profiler/ProfileNode.cpp: Removed.
1747         * profiler/ProfileNode.h: Removed.
1748         * profiler/ProfilerJettisonReason.cpp:
1749         (WTF::printInternal): Deleted.
1750         * profiler/ProfilerJettisonReason.h:
1751         * runtime/CodeCache.cpp:
1752         (JSC::CodeCache::getGlobalCodeBlock):
1753         (JSC::CodeCache::getProgramCodeBlock):
1754         (JSC::CodeCache::getEvalCodeBlock):
1755         (JSC::CodeCache::getModuleProgramCodeBlock):
1756         * runtime/CodeCache.h:
1757         * runtime/Executable.cpp:
1758         (JSC::ScriptExecutable::newCodeBlockFor):
1759         * runtime/JSGlobalObject.cpp:
1760         (JSC::JSGlobalObject::createProgramCodeBlock):
1761         (JSC::JSGlobalObject::createEvalCodeBlock):
1762         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
1763         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
1764         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
1765         * runtime/JSGlobalObject.h:
1766         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
1767         * runtime/Options.h:
1768         * runtime/VM.cpp:
1769         (JSC::VM::VM): Deleted.
1770         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
1771         (JSC::VM::setEnabledProfiler): Deleted.
1772         * runtime/VM.h:
1773         (JSC::VM::enabledProfiler): Deleted.
1774         (JSC::VM::enabledProfilerAddress): Deleted.
1775
1776 2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>
1777
1778         jsc: samplingProfilerStackTraces() without starting sampling should not cause jsc to crash
1779         https://bugs.webkit.org/show_bug.cgi?id=157704
1780
1781         Reviewed by Saam Barati.
1782
1783         * jsc.cpp:
1784         (functionStartSamplingProfiler):
1785         (functionSamplingProfilerStackTraces):
1786         Throw an exception instead of crashing if we haven't started sampling.
1787
1788         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1789         (Inspector::InspectorScriptProfilerAgent::startTracking):
1790         * runtime/VM.h:
1791         * runtime/VM.cpp:
1792         (JSC::VM::ensureSamplingProfiler):
1793         Switch ensure to returning a reference, like most other ensures.
1794
1795 2016-05-13  Saam barati  <sbarati@apple.com>
1796
1797         DFG/FTL have a few bugs in their reasoning about the scope
1798         https://bugs.webkit.org/show_bug.cgi?id=157696
1799
1800         Reviewed by Benjamin Poulain.
1801
1802         1. When the debugger is enabled, it is easier for the DFG to reason
1803         about the scope register by simply claiming all nodes read the scope
1804         register. This prevents us from ever entering the runtime where we
1805         may take a stack trace but there isn't a scope on the stack.
1806
1807         2. This patch fixes a bug where the FTL compilation wasn't properly
1808         setting the CodeBlock register. It was only doing this when there
1809         was inline data, but when the debugger is enabled, we never inline.
1810         So this code just needed to be removed from that loop. It was never
1811         right for it to be inside the loop.
1812
1813         * dfg/DFGClobberize.h:
1814         (JSC::DFG::clobberize):
1815         * ftl/FTLCompile.cpp:
1816         (JSC::FTL::compile):
1817
1818 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
1819
1820         [JSC] SetLocal without exit do not need phantoms
1821         https://bugs.webkit.org/show_bug.cgi?id=157653
1822
1823         Reviewed by Filip Pizlo.
1824
1825         I made a mistake in r200498.
1826
1827         If a SetLocal cannot possibly exit, we were not clearing
1828         the source of the operand. As a result, we sometimes kept
1829         a value alive up to the end of the block.
1830
1831         That's uncommon because SetLocal typically appears
1832         toward the end of blocks. That's probably why there was
1833         no perf impact with that fix.
1834
1835         * dfg/DFGPhantomInsertionPhase.cpp:
1836
1837 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
1838
1839         [JSC] Move the CheckTierUp function calls out of the main path
1840         https://bugs.webkit.org/show_bug.cgi?id=157668
1841
1842         Reviewed by Mark Lam.
1843
1844         If you have a tiny tiny loop (for example, Sunspider's bits-in-byte),
1845         the size of CheckTierUp is a problem.
1846
1847         On multi-issue CPUs, the node is so big that we do not
1848         get to run anything from the loop in the instruction fetch.
1849
1850         On x86, having a bigger loop also pushes us out of the LSD.
1851
1852         This is a 6% improvement on bits-in-byte. Other Sunspider tests
1853         only improve marginally.
1854
1855         * dfg/DFGSpeculativeJIT.cpp:
1856         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
1857         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
1858         * dfg/DFGSpeculativeJIT.h:
1859         (JSC::DFG::SpeculativeJIT::silentSpill):
1860         (JSC::DFG::SpeculativeJIT::silentFill):
1861         * dfg/DFGSpeculativeJIT64.cpp:
1862         (JSC::DFG::SpeculativeJIT::compile):
1863
1864 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
1865
1866         [JSC] Emit the loads of emitLoadWithStructureCheck() in the order they are used
1867         https://bugs.webkit.org/show_bug.cgi?id=157671
1868
1869         Reviewed by Mark Lam.
1870
1871         This improves the chances of having a value
1872         when issuing the TEST.
1873
1874         * jit/JITPropertyAccess.cpp:
1875         (JSC::JIT::emitLoadWithStructureCheck):
1876
1877 2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>
1878
1879         Web Inspector: Inform augmenting client when inspector controller is destroyed
1880         https://bugs.webkit.org/show_bug.cgi?id=157688
1881         <rdar://problem/25832724>
1882
1883         Reviewed by Timothy Hatcher.
1884
1885         * inspector/JSGlobalObjectInspectorController.cpp:
1886         (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController):
1887         * inspector/augmentable/AugmentableInspectorControllerClient.h:
1888         There is a weak relationship between the InspectorController and the
1889         AugmentingClient. Let the augmenting client know when the controller
1890         is destroyed so it doesn't try to use us anymore.
1891
1892 2016-05-13  Geoffrey Garen  <ggaren@apple.com>
1893
1894         Runaway malloc memory usage in this simple JSC program
1895         https://bugs.webkit.org/show_bug.cgi?id=157682
1896
1897         Reviewed by Mark Lam.
1898
1899         * heap/WeakSet.cpp:
1900         (JSC::WeakSet::sweep): Whenever we might add a block to
1901         m_logicallyEmptyWeakBlocks, be sure also to sweep a block in
1902         m_logicallyEmptyWeakBlocks. Otherwise, additions might outpace removals
1903         even when all memory is freed.
1904
1905         We do this whenever we *might* add a block and not just whenever we *do*
1906         add a block because we'd like to sweep the entries in
1907         m_logicallyEmptyWeakBlocks promptly even when it's not growing, and this
1908         is a reasonably rate-limited opportunity to do so.
1909
1910 2016-05-13  Mark Lam  <mark.lam@apple.com>
1911
1912         We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
1913         https://bugs.webkit.org/show_bug.cgi?id=157537
1914         <rdar://problem/24794845>
1915
1916         Reviewed by Michael Saboff.
1917
1918         The pre-existing code behaves this way:
1919
1920         1. When JS code throws an exception, it saves callee save registers in
1921            the VM calleeSaveRegistersBuffer.  These values are meant to be restored
1922            to the callee save registers later either at the catch handler or at the
1923            uncaught exception handler.
1924
1925         2. If the Inspector is enabled, the VM will invoke inspector C++ code to inspect
1926            the exception.  That C++ code can change the values of the callee save
1927            registers.
1928
1929            The inspector code in turn re-enters the VM to execute JS inspector code.
1930
1931            The JS inspector code can run hot enough that we do an enterOptimizationCheck
1932            on it.  The enterOptimizationCheck first saves all callee save registers
1933            into the VM calleeSaveRegistersBuffer.
1934
1935            This effectively overwrites the values in the VM calleeSaveRegistersBuffer
1936            from (1).
1937
1938         3. Eventually, execution returns to the catch handler or the uncaught exception
1939            handler which restores the overwritten values in the VM
1940            calleeSaveRegistersBuffer to the callee save registers.
1941
1942            When execution returns to the C++ code that entered the VM before (1), the
1943            values in the callee registers are not what that code expects, and badness
1944         and/or crashes ensue.
1945
1946         This patch applies the following fix:
1947         
1948         1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer.
1949            This ensures that each VM entry session has its own buffer to use, and will
1950            not corrupt the one from the previous VM entry session.
1951
1952            Delete the VM calleeSaveRegistersBuffer.
1953
1954         2. Change all locations that use the VM calleeSaveRegistersBuffer to use the
1955            calleeSaveRegistersBuffer in the current VMEntryFrame.
1956
1957         3. Renamed all uses of the term "VMCalleeSavesBuffer" to
1958            "VMEntryFrameCalleeSavesBuffer".
1959
1960         This fix has been tested on the following configurations:
1961         1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
1962         2. JSC tests on a release ASan build for 32-bit x86.
1963         3. JSC tests on a release normal (non-ASan) build for ARM64.
1964         4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
1965         5. JSC tests on a release ASan CLOOP build for x86_64.
1966
1967         These test runs did not produce any new crashes.  The ASan CLOOP has some
1968         pre-existing crashes which are not due to this patch.
1969
1970         This bug can be tested by running the inspector/debugger/regress-133182.html test
1971         on an ASan build.
1972
1973         * bytecode/PolymorphicAccess.cpp:
1974         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
1975         * dfg/DFGJITCompiler.cpp:
1976         (JSC::DFG::JITCompiler::compileExceptionHandlers):
1977         * dfg/DFGOSREntry.cpp:
1978         (JSC::DFG::prepareOSREntry):
1979         * dfg/DFGOSRExitCompiler.cpp:
1980         * dfg/DFGOSRExitCompiler32_64.cpp:
1981         (JSC::DFG::OSRExitCompiler::compileExit):
1982         * dfg/DFGOSRExitCompiler64.cpp:
1983         (JSC::DFG::OSRExitCompiler::compileExit):
1984         * dfg/DFGThunks.cpp:
1985         (JSC::DFG::osrEntryThunkGenerator):
1986         * ftl/FTLCompile.cpp:
1987         (JSC::FTL::compile):
1988         * ftl/FTLLowerDFGToB3.cpp:
1989         (JSC::FTL::DFG::LowerDFGToB3::lower):
1990         * ftl/FTLOSRExitCompiler.cpp:
1991         (JSC::FTL::compileStub):
1992         * interpreter/Interpreter.cpp:
1993         (JSC::UnwindFunctor::operator()):
1994         (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1995         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
1996         * interpreter/Interpreter.h:
1997         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
1998         * interpreter/VMEntryRecord.h:
1999         (JSC::VMEntryRecord::calleeSaveRegistersBufferOffset):
2000         (JSC::VMEntryRecord::prevTopCallFrame):
2001         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
2002         (JSC::VMEntryFrame::vmEntryRecordOffset):
2003         (JSC::VMEntryFrame::calleeSaveRegistersBufferOffset):
2004         * jit/AssemblyHelpers.cpp:
2005         (JSC::AssemblyHelpers::emitRandomThunk):
2006         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
2007         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
2008         * jit/AssemblyHelpers.h:
2009         (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
2010         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2011         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
2012         (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
2013         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer): Deleted.
2014         * jit/JIT.cpp:
2015         (JSC::JIT::emitEnterOptimizationCheck):
2016         (JSC::JIT::privateCompileExceptionHandlers):
2017         * jit/JITOpcodes.cpp:
2018         (JSC::JIT::emit_op_throw):
2019         (JSC::JIT::emit_op_catch):
2020         (JSC::JIT::emitSlow_op_loop_hint):
2021         * jit/JITOpcodes32_64.cpp:
2022         (JSC::JIT::emit_op_throw):
2023         (JSC::JIT::emit_op_catch):
2024         * jit/ThunkGenerators.cpp:
2025         (JSC::throwExceptionFromCallSlowPathGenerator):
2026         (JSC::nativeForGenerator):
2027         * llint/LLIntThunks.cpp:
2028         (JSC::vmEntryRecord):
2029         * llint/LowLevelInterpreter.asm:
2030         * llint/LowLevelInterpreter32_64.asm:
2031         * llint/LowLevelInterpreter64.asm:
2032         * runtime/VM.h:
2033         (JSC::VM::getCTIStub):
2034         (JSC::VM::calleeSaveRegistersBufferOffset): Deleted.
2035         * wasm/WASMFunctionCompiler.h:
2036         (JSC::WASMFunctionCompiler::endFunction):
2037
2038 2016-05-13  Beth Dakin  <bdakin@apple.com>
2039
2040         Add dyldSPI.h for linked on or after checks, and add one for link preview
2041         https://bugs.webkit.org/show_bug.cgi?id=157401
2042         -and corresponding-
2043         rdar://problem/26253396
2044
2045         Reviewed by Darin Adler.
2046
2047         Import #import <wtf/spi/darwin/dyldSPI.h> which now declares all of the 
2048         needed dyld code.
2049         * API/JSWrapperMap.mm:
2050
2051 2016-05-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2052
2053         Assertion failure for direct eval in non-class method
2054         https://bugs.webkit.org/show_bug.cgi?id=157138
2055
2056         Reviewed by Saam Barati.
2057
2058         This assertion was incorrect. In method definitions in object literals,
2059         it can be sloppy mode, but its DerivedContextType may not be DerivedContextType::None.
2060
2061         * bytecode/EvalCodeCache.h:
2062         (JSC::EvalCodeCache::CacheKey::CacheKey):
2063         (JSC::EvalCodeCache::CacheKey::operator==):
2064         (JSC::EvalCodeCache::CacheKey::Hash::equal):
2065         (JSC::EvalCodeCache::tryGet):
2066         (JSC::EvalCodeCache::getSlow):
2067         * interpreter/Interpreter.cpp:
2068         (JSC::eval):
2069         * tests/stress/direct-eval-in-object-literal-methods.js: Added.
2070         (shouldBe):
2071         (throw.new.Error):
2072         (shouldBe.Parent.prototype.l):
2073         (shouldBe.Parent):
2074         (shouldBe.Derived.prototype.m):
2075         (shouldBe.Derived):
2076
2077 2016-05-13  Skachkov Oleksandr  <gskachkov@gmail.com>
2078
2079         Assertion failure for super() call in arrow function default parameters
2080         https://bugs.webkit.org/show_bug.cgi?id=157079
2081
2082         Reviewed by Saam Barati.
2083
2084         The root of the issue is that in arrow functions we load the bound variables this/super/new.target just after
2085         the input parameters were initialized, which did not cover the case of default values for
2086         function parameters.
2087         The current patch tries to fix the issue by allowing the bound variables to be loaded earlier, before the input
2088         parameters are assigned their default values.
2089
2090         * bytecompiler/BytecodeGenerator.cpp:
2091         (JSC::BytecodeGenerator::BytecodeGenerator):
2092         * tests/stress/arrowfunction-lexical-bind-this-2.js:
2093
2094 2016-05-12  Mark Lam  <mark.lam@apple.com>
2095
2096         Baseline and DFG's JSC_report...CompileTimes needs CodeBlock hashes.
2097         https://bugs.webkit.org/show_bug.cgi?id=157643
2098
2099         Reviewed by Keith Miller.
2100
2101         * runtime/Options.cpp:
2102         (JSC::recomputeDependentOptions):
2103
2104 2016-05-12  Csaba Osztrogonác  <ossy@webkit.org>
2105
2106         Remove ENABLE(ES6_ARROWFUNCTION_SYNTAX) guards
2107         https://bugs.webkit.org/show_bug.cgi?id=157564
2108
2109         Reviewed by Darin Adler.
2110
2111         * Configurations/FeatureDefines.xcconfig:
2112         * parser/Parser.cpp:
2113
2114 2016-05-12  Joseph Pecoraro  <pecoraro@apple.com>
2115
2116         Web Inspector: CRASH getting internal properties of function with no bound arguments causes
2117         https://bugs.webkit.org/show_bug.cgi?id=157613
2118         <rdar://problem/26238754>
2119
2120         Reviewed by Timothy Hatcher.
2121
2122         * inspector/JSInjectedScriptHost.cpp:
2123         (Inspector::JSInjectedScriptHost::getInternalProperties):
2124         Gracefully handle a JSBoundFunction with no bound arguments.
2125         In this case boundArgs is JSValue() which we don't want to
2126         expose as the value of the internal property.
2127
2128 2016-05-11  Benjamin Poulain  <bpoulain@apple.com>
2129
2130         [JSC] Make sure StringRange is passed to Vector by register
2131         https://bugs.webkit.org/show_bug.cgi?id=157603
2132
2133         Reviewed by Darin Adler.
2134
2135         This is bizarre, but on my SDK, Vector::append(StringRange)
2136         is passing the values on the stack.
2137         The two integers are written to the stack, the address given
2138         to append(), then append() reads it back and stores it.
2139
2140         This patch changes the code to use constructAndAppend(), ensuring
2141         the values are used directly.
2142
2143         On my machine, this helps Sunspider and Octane.
2144         This might be something wrong with my SDK but the fix is so easy
2145         that we might as well do this.
2146
2147         * runtime/StringPrototype.cpp:
2148         (JSC::removeUsingRegExpSearch):
2149         (JSC::replaceUsingRegExpSearch):
2150
2151 2016-05-11  Zan Dobersek  <zdobersek@igalia.com>
2152
2153         ARMv7Assembler: suppress a -Wnarrowing warning when compiling with GCC
2154         https://bugs.webkit.org/show_bug.cgi?id=157576
2155
2156         Reviewed by Csaba Osztrogonác.
2157
2158         * assembler/ARMv7Assembler.h:
2159         (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2): Explicitly cast the
2160         `OP_CMP_reg_T2 | left` value to uint16_t, avoiding a narrowing conversion
2161         warning that's being reported when compiling with GCC. The warning is sprung
2162         due to RegisterID (which is the type of `left`) being an enum based on int,
2163         even when the enum itself only declares 23 values.
2164
2165 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
2166
2167         Web Inspector: `this` in Scope Chain Sidebar does not have preview, looks poor
2168         https://bugs.webkit.org/show_bug.cgi?id=157602
2169
2170         Reviewed by Timothy Hatcher.
2171
2172         * inspector/InjectedScriptSource.js:
2173         (InjectedScript.CallFrameProxy):
2174         Include a preview when creating the RemoteObject for `this`.
2175
2176 2016-05-11  Keith Miller  <keith_miller@apple.com>
2177
2178         Unreviewed, correct the title of the ChangeLog for r200667.
2179
2180 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
2181
2182         JSC test stress/reflect-set.js failing after 200694
2183         https://bugs.webkit.org/show_bug.cgi?id=157586
2184
2185         Unreviewed test rebaseline.
2186
2187         * tests/stress/reflect-set.js:
2188         Update the expected error message. We are in strict mode, so the
2189         improved error message makes sense.
2190
2191 2016-05-11  Filip Pizlo  <fpizlo@apple.com>
2192
2193         Beef up JSC profiler event log
2194         https://bugs.webkit.org/show_bug.cgi?id=157584
2195
2196         Reviewed by Saam Barati.
2197         
2198         Also log more about compilation.
2199
2200         * bytecode/ExecutionCounter.cpp: Changed the meaning of codeBlock to be the codeBlock that is doing the profiling. This will now get the baseline version if it needs it. This is needed for logging the threshold checking event.
2201         (JSC::applyMemoryUsageHeuristics):
2202         (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
2203         * dfg/DFGJITCode.cpp: Pass the right codeBlock.
2204         (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
2205         (JSC::DFG::JITCode::optimizeNextInvocation):
2206         (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
2207         (JSC::DFG::JITCode::optimizeSoon):
2208         (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
2209         * dfg/DFGPlan.cpp: Log things about compile times and whether the compiler succeeded or failed.
2210         (JSC::DFG::Plan::computeCompileTimes):
2211         (JSC::DFG::Plan::reportCompileTimes):
2212         (JSC::DFG::Plan::compileInThread):
2213         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2214         * jit/ExecutableAllocatorFixedVMPool.cpp: Make it possible to look at memory usage, though separately from the log, for now.
2215         (JSC::ExecutableAllocator::allocate):
2216         * runtime/Options.h:
2217
2218 2016-05-11  Saam barati  <sbarati@apple.com>
2219
2220         Air may decide to put the result register of an arithmetic snippet in the tag register
2221         https://bugs.webkit.org/show_bug.cgi?id=157548
2222
2223         Reviewed by Filip Pizlo.
2224
2225         This patch adds a new ValueRep to B3 called LateRegister. The semantics
2226         are similar to Register in that it can be used to pin an argument to
2227         a particular register. It differs from ValueRep::Register in that the semantics of
2228         LateRegister are that it is used after the result of the node it's an argument to
2229         is computed. This means that a LateRegister argument will interfere with the result
2230         of a node. LateRegister is not a valid result ValueRep.
2231
2232         This was needed because there was a bug where B3/Air would assign the
2233         result of a patchpoint to the TagTypeNumber register. This broke our
2234         code when we would box a double into a JSValue in a snippet when the
2235         result is the same as the TagTypeNumber register. To fix the issue,
2236         we pass TagMaskRegister and TagTypeNumberRegister as ValueRep::LateRegister
2237         arguments to various patchpoints.
2238
2239         * b3/B3LowerToAir.cpp:
2240         (JSC::B3::Air::LowerToAir::fillStackmap):
2241         * b3/B3PatchpointSpecial.cpp:
2242         (JSC::B3::PatchpointSpecial::admitsStack):
2243         * b3/B3StackmapSpecial.cpp:
2244         (JSC::B3::StackmapSpecial::forEachArgImpl):
2245         (JSC::B3::StackmapSpecial::isArgValidForRep):
2246         * b3/B3Validate.cpp:
2247         * b3/B3ValueRep.cpp:
2248         (JSC::B3::ValueRep::addUsedRegistersTo):
2249         (JSC::B3::ValueRep::dump):
2250         (JSC::B3::ValueRep::emitRestore):
2251         (JSC::B3::ValueRep::recoveryForJSValue):
2252         (WTF::printInternal):
2253         * b3/B3ValueRep.h:
2254         (JSC::B3::ValueRep::reg):
2255         (JSC::B3::ValueRep::lateReg):
2256         (JSC::B3::ValueRep::stack):
2257         (JSC::B3::ValueRep::operator==):
2258         (JSC::B3::ValueRep::isSomeRegister):
2259         (JSC::B3::ValueRep::isReg):
2260         * b3/testb3.cpp:
2261         (JSC::B3::testSpillUseLargerThanDef):
2262         (JSC::B3::testLateRegister):
2263         (JSC::B3::zero):
2264         (JSC::B3::run):
2265         * ftl/FTLLowerDFGToB3.cpp:
2266         (JSC::FTL::DFG::LowerDFGToB3::lower):
2267         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2268         (JSC::FTL::DFG::LowerDFGToB3::getById):
2269         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
2270         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
2271         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
2272
2273 2016-05-11  Joseph Pecoraro  <pecoraro@apple.com>
2274
2275         Improve error messages for accessing arguments.callee and similar getters in strict mode
2276         https://bugs.webkit.org/show_bug.cgi?id=157545
2277
2278         Reviewed by Mark Lam.
2279
2280         * runtime/ClonedArguments.cpp:
2281         (JSC::ClonedArguments::getOwnPropertySlot):
2282         (JSC::ClonedArguments::materializeSpecials):
2283         Provide better error GetterSetter in strict mode.
2284
2285         * runtime/JSFunction.cpp:
2286         (JSC::getThrowTypeErrorGetterSetter):
2287         (JSC::JSFunction::defineOwnProperty):
2288         Provide better error GetterSetter in strict mode.
2289
2290         * runtime/JSGlobalObject.cpp:
2291         (JSC::JSGlobalObject::init):
2292         (JSC::JSGlobalObject::visitChildren):
2293         * runtime/JSGlobalObject.h:
2294         (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
2295         (JSC::JSGlobalObject::throwTypeErrorCalleeAndCallerGetterSetter):
2296         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInStrictModeGetterSetter):
2297         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerInClassContextGetterSetter):
2298         (JSC::JSGlobalObject::throwTypeErrorArgumentsAndCallerGetterSetter): Deleted.
2299         * runtime/JSGlobalObjectFunctions.cpp:
2300         (JSC::globalFuncThrowTypeErrorCalleeAndCaller):
2301         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInStrictMode):
2302         (JSC::globalFuncThrowTypeErrorArgumentsAndCallerInClassContext):
2303         (JSC::globalFuncThrowTypeErrorArgumentsAndCaller): Deleted.
2304         * runtime/JSGlobalObjectFunctions.h:
2305         Rename and expose new handles for new error getter setter native functions.
2306
2307 2016-05-11  Commit Queue  <commit-queue@webkit.org>
2308
2309         Unreviewed, rolling out r200481.
2310         https://bugs.webkit.org/show_bug.cgi?id=157573
2311
2312         it's bad news for asm.js (Requested by pizlo on #webkit).
2313
2314         Reverted changeset:
2315
2316         "Reduce maximum JIT pool size on X86_64."
2317         http://trac.webkit.org/changeset/200481
2318
2319 2016-05-10  Keith Miller  <keith_miller@apple.com>
2320
2321         TypedArray.prototype.slice should not use the byteLength of the passed array for memmove
2322         https://bugs.webkit.org/show_bug.cgi?id=157551
2323         <rdar://problem/26179914>
2324
2325         Reviewed by Michael Saboff.
2326
2327         The TypedArray.prototype.slice function would use the byteLength of the passed array
2328         to determine the amount of data to copy. It should have been using the passed length
2329         times the size of each element. This fixes a crash on JavaPoly.com.
2330
2331         * runtime/JSGenericTypedArrayViewInlines.h:
2332         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2333         * tests/stress/typedarray-slice.js:
2334
2335 2016-05-10  Michael Saboff  <msaboff@apple.com>
2336
2337         REGRESSION(r200447): Unable to build C_LOOP with clang version 800.0.12 or higher
2338         https://bugs.webkit.org/show_bug.cgi?id=157549
2339
2340         Reviewed by Keith Miller.
2341
2342         Disable debug annotations for C_LOOP builds.  They are inline assembly directives,
2343         are unnecessary, and cause syntax errors.
2344
2345         * offlineasm/asm.rb:
2346
2347 2016-05-10  Filip Pizlo  <fpizlo@apple.com>
2348
2349         Internal JSC profiler should have a timestamped log of events for each code block
2350         https://bugs.webkit.org/show_bug.cgi?id=157538
2351
2352         Reviewed by Benjamin Poulain.
2353         
2354         For example, in 3d-cube, I can query the events for MMulti and I get:
2355
2356         1462917476.17083  MMulti#DTZ7qc                          installCode        
2357         1462917476.179663 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
2358         1462917476.179664 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline osrEntry           at bc#49
2359         1462917476.185651 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1011.214233/1717.000000, -707
2360         1462917476.187913 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      installCode        
2361         1462917476.187917 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      osrEntry           at bc#49
2362         1462917476.205365 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      jettison           due to OSRExit, counting = true, detail = (null)
2363         1462917476.205368 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#65: BadCache/FromDFG
2364         1462917476.205369 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
2365         1462917476.205482 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/3434.000000, -1000
2366         1462917476.211547 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/3434.000000, -1000
2367         1462917476.213721 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      installCode        
2368         1462917476.213726 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      osrEntry           at bc#49
2369         1462917476.223976 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      jettison           due to OSRExit, counting = true, detail = (null)
2370         1462917476.223981 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#77: BadCache/FromDFG
2371         1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#94: BadCache/FromDFG
2372         1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode        
2373         1462917476.224064 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/6868.000000, -1000
2374         1462917476.224151 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/6868.000000, -1000
2375         1462917476.224258 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 3013.000000/6868.000000, -1000
2376         1462917476.224337 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 4023.000000/6868.000000, -1000
2377         1462917476.224425 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 5023.000000/6868.000000, -1000
2378         1462917476.224785 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 6023.396484/6868.000000, -862
2379         1462917476.227669 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      installCode        
2380         1462917476.227675 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      osrEntry           at bc#0
2381         
2382         The output is ugly but useful. We can make it less ugly later.
2383
2384         * CMakeLists.txt:
2385         * JavaScriptCore.xcodeproj/project.pbxproj:
2386         * bytecode/CodeBlock.cpp:
2387         (JSC::CodeBlock::jettison):
2388         * bytecode/CodeBlock.h:
2389         (JSC::ScriptExecutable::forEachCodeBlock):
2390         * bytecode/DFGExitProfile.cpp:
2391         (JSC::DFG::ExitProfile::add):
2392         * dfg/DFGJITFinalizer.cpp:
2393         (JSC::DFG::JITFinalizer::finalizeCommon):
2394         * dfg/DFGOperations.cpp:
2395         * ftl/FTLJITFinalizer.cpp:
2396         (JSC::FTL::JITFinalizer::finalizeFunction):
2397         * jit/JIT.cpp:
2398         (JSC::JIT::privateCompile):
2399         * jit/JITOperations.cpp:
2400         * llint/LLIntSlowPaths.cpp:
2401         (JSC::LLInt::jitCompileAndSetHeuristics):
2402         (JSC::LLInt::entryOSR):
2403         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2404         * profiler/ProfilerCompilation.cpp:
2405         (JSC::Profiler::Compilation::Compilation):
2406         (JSC::Profiler::Compilation::setJettisonReason):
2407         (JSC::Profiler::Compilation::dump):
2408         (JSC::Profiler::Compilation::toJS):
2409         * profiler/ProfilerCompilation.h:
2410         (JSC::Profiler::Compilation::uid):
2411         * profiler/ProfilerDatabase.cpp:
2412         (JSC::Profiler::Database::ensureBytecodesFor):
2413         (JSC::Profiler::Database::notifyDestruction):
2414         (JSC::Profiler::Database::addCompilation):
2415         (JSC::Profiler::Database::toJS):
2416         (JSC::Profiler::Database::registerToSaveAtExit):
2417         (JSC::Profiler::Database::logEvent):
2418         (JSC::Profiler::Database::addDatabaseToAtExit):
2419         * profiler/ProfilerDatabase.h:
2420         * profiler/ProfilerEvent.cpp: Added.
2421         (JSC::Profiler::Event::dump):
2422         (JSC::Profiler::Event::toJS):
2423         * profiler/ProfilerEvent.h: Added.
2424         (JSC::Profiler::Event::Event):
2425         (JSC::Profiler::Event::operator bool):
2426         (JSC::Profiler::Event::time):
2427         (JSC::Profiler::Event::bytecodes):
2428         (JSC::Profiler::Event::compilation):
2429         (JSC::Profiler::Event::summary):
2430         (JSC::Profiler::Event::detail):
2431         * profiler/ProfilerUID.cpp: Added.
2432         (JSC::Profiler::UID::create):
2433         (JSC::Profiler::UID::dump):
2434         (JSC::Profiler::UID::toJS):
2435         * profiler/ProfilerUID.h: Added.
2436         (JSC::Profiler::UID::UID):
2437         (JSC::Profiler::UID::fromInt):
2438         (JSC::Profiler::UID::toInt):
2439         (JSC::Profiler::UID::operator==):
2440         (JSC::Profiler::UID::operator!=):
2441         (JSC::Profiler::UID::operator bool):
2442         (JSC::Profiler::UID::isHashTableDeletedValue):
2443         (JSC::Profiler::UID::hash):
2444         (JSC::Profiler::UIDHash::hash):
2445         (JSC::Profiler::UIDHash::equal):
2446         * runtime/CommonIdentifiers.h:
2447         * runtime/Executable.cpp:
2448         (JSC::ScriptExecutable::installCode):
2449         * runtime/VM.h:
2450         (JSC::VM::bytecodeIntrinsicRegistry):
2451         (JSC::VM::shadowChicken):
2452         * runtime/VMInlines.h:
2453         (JSC::VM::shouldTriggerTermination):
2454         (JSC::VM::logEvent):
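
        The event-log format shown above, as an added example (not part of this ChangeLog and
        not JSC code): a small JavaScript parser for the quoted lines that groups the events per
        compilation and tallies them by event kind. The column layout it assumes (timestamp,
        bytecodes UID, optional compilation UID, event summary, free-form detail) is inferred from
        the sample itself, and the function names are my own.

```javascript
// Added example, not JSC code: parse the profiler event-log lines quoted in the
// ChangeLog entry above and summarize them per compilation. The column layout
// (timestamp, bytecodes UID, optional compilation UID, summary, free-form detail)
// is inferred from the sample; the helper names are this example's own.

// The sample lines from the ChangeLog entry, copied verbatim (trailing spaces dropped).
const SAMPLE_EVENT_LOG = `
1462917476.17083  MMulti#DTZ7qc                          installCode
1462917476.179663 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode
1462917476.179664 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline osrEntry           at bc#49
1462917476.185651 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1011.214233/1717.000000, -707
1462917476.187913 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      installCode
1462917476.187917 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      osrEntry           at bc#49
1462917476.205365 MMulti#DTZ7qc MMulti#DTZ7qc-2-DFG      jettison           due to OSRExit, counting = true, detail = (null)
1462917476.205368 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#65: BadCache/FromDFG
1462917476.205369 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode
1462917476.205482 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/3434.000000, -1000
1462917476.211547 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/3434.000000, -1000
1462917476.213721 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      installCode
1462917476.213726 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      osrEntry           at bc#49
1462917476.223976 MMulti#DTZ7qc MMulti#DTZ7qc-3-DFG      jettison           due to OSRExit, counting = true, detail = (null)
1462917476.223981 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#77: BadCache/FromDFG
1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline frequentExit       bc#94: BadCache/FromDFG
1462917476.223982 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline installCode
1462917476.224064 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 1013.000000/6868.000000, -1000
1462917476.224151 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 2013.000000/6868.000000, -1000
1462917476.224258 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 3013.000000/6868.000000, -1000
1462917476.224337 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 4023.000000/6868.000000, -1000
1462917476.224425 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 5023.000000/6868.000000, -1000
1462917476.224785 MMulti#DTZ7qc MMulti#DTZ7qc-1-Baseline delayOptimizeToDFG counter = 6023.396484/6868.000000, -862
1462917476.227669 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      installCode
1462917476.227675 MMulti#DTZ7qc MMulti#DTZ7qc-4-DFG      osrEntry           at bc#0
`;

// A compilation UID looks like "<bytecodes UID>-<index>-<tier>"; a bare bytecodes UID
// (as on the first line, where no compilation exists yet) has no "-N-<tier>" suffix.
const COMPILATION_UID = /^[^\s#]+#[^\s-]+-\d+-\S+$/;

// Parse one line into { time, bytecodes, compilation, summary, detail }, or null
// for blank or malformed lines.
function parseEventLine(line) {
  const tokens = line.trim().split(/\s+/);
  if (tokens.length < 3) return null;
  const time = Number(tokens[0]);
  const bytecodes = tokens[1];
  let next = 2;
  let compilation = null;
  if (COMPILATION_UID.test(tokens[next])) compilation = tokens[next++];
  const summary = tokens[next++];
  if (!Number.isFinite(time) || !summary) return null;
  return { time, bytecodes, compilation, summary, detail: tokens.slice(next).join(' ') };
}

function parseEventLog(text) {
  return text.split('\n').map(parseEventLine).filter((ev) => ev !== null);
}

// Count how many times each event summary (installCode, osrEntry, ...) occurs.
function countBySummary(events) {
  const counts = {};
  for (const ev of events) counts[ev.summary] = (counts[ev.summary] || 0) + 1;
  return counts;
}

// "counter = 1011.214233/1717.000000, -707" -> { count, threshold, remaining }; null otherwise.
function parseCounter(detail) {
  const m = /^counter = ([\d.]+)\/([\d.]+), (-?\d+)$/.exec(detail);
  return m ? { count: Number(m[1]), threshold: Number(m[2]), remaining: Number(m[3]) } : null;
}

// Per-compilation history, ordered by compilation index: tier, how often its code was
// (re)installed, the jettison reason if one was logged, and frequent-exit sites charged to it.
function summarizeCompilations(events) {
  const byUid = new Map();
  for (const ev of events) {
    if (ev.compilation === null) continue;
    let rec = byUid.get(ev.compilation);
    if (!rec) {
      const m = /-(\d+)-(\w+)$/.exec(ev.compilation);
      rec = { uid: ev.compilation, index: Number(m[1]), tier: m[2], installs: 0, jettisoned: null, frequentExits: [] };
      byUid.set(ev.compilation, rec);
    }
    if (ev.summary === 'installCode') rec.installs += 1;
    else if (ev.summary === 'jettison') rec.jettisoned = ev.detail;
    else if (ev.summary === 'frequentExit') rec.frequentExits.push(ev.detail);
  }
  return [...byUid.values()].sort((a, b) => a.index - b.index);
}

// Stand-alone usage: one line per compilation seen in the sample.
for (const rec of summarizeCompilations(parseEventLog(SAMPLE_EVENT_LOG)))
  console.log(`${rec.uid}: ${rec.tier}, installs=${rec.installs}, jettisoned=${rec.jettisoned || 'no'}, frequentExits=${rec.frequentExits.length}`);
```

        Run with node; on the sample this reports the Baseline code block being reinstalled
        three times while two DFG compilations are jettisoned after OSR exits, which is the
        kind of tiering churn the event log was added to make visible.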
2455
2456 2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>
2457
2458         Web Inspector: Backend should initiate timeline recordings on page navigations to ensure nothing is missed
2459         https://bugs.webkit.org/show_bug.cgi?id=157504
2460         <rdar://problem/26188642>
2461
2462         Reviewed by Brian Burg.
2463
2464         * inspector/protocol/Timeline.json:
2465         Add protocol commands to enable/disable auto capture and list the
2466         instruments that should be enabled when auto capture starts.
2467         Add protocol event for when the backend starts an auto capture.
2468
2469 2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>
2470
2471         Make the different evaluateWithScopeExtension implementations more consistent
2472         https://bugs.webkit.org/show_bug.cgi?id=157536
2473
2474         Reviewed by Timothy Hatcher.
2475
2476         * inspector/JSInjectedScriptHost.cpp:
2477         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
2478         Throw the exception consistent with JSJavaScriptCallFrame.
2479
2480         * inspector/JSJavaScriptCallFrame.cpp:
2481         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2482         Better error message consistent with InjectedScriptHost.
2483
2484         * runtime/Completion.h:
2485         * runtime/Completion.cpp:
2486         (JSC::evaluateWithScopeExtension):
2487         Give this an Exception out parameter like other evaluations
2488         so the caller can decide what to do with it.
2489
2490 2016-05-10  Benjamin Poulain  <bpoulain@apple.com>
2491
2492         [JSC] FTL can produce GetByVal nodes without proper bounds checking
2493         https://bugs.webkit.org/show_bug.cgi?id=157502
2494         rdar://problem/26027027
2495
2496         Reviewed by Filip Pizlo.
2497
2498         It was possible for FTL to generate GetByVal on arbitrary offsets
2499         without any bounds checking.
2500
2501         The bug is caused by the order of optimization phases:
2502         -First, the Integer Range Optimization proves that a CheckInBounds
2503          test can never fail.
2504          This proof is based on control flow or preceding instructions
2505          inside a loop.
2506         -The Loop Invariant Code Motion phase finds that the GetByVal does not
2507          depend on anything in the loop and hoists it out of the loop.
2508         -> As a result, the conditions that were necessary to eliminate
2509            the CheckInBounds are no longer met before the GetByVal.
2510
2511         This patch just moves the Integer Range Optimization phase after
2512         Loop Invariant Code Motion to make sure no code is moved after
2513         its integer range bounds proofs have been used.
2514
2515         * dfg/DFGPlan.cpp:
2516         (JSC::DFG::Plan::compileInThreadImpl):
2517         * tests/stress/bounds-check-not-eliminated-by-licm.js: Added.
2518         (testInLoopTests):
2519
2520 2016-05-10  Joseph Pecoraro  <pecoraro@apple.com>
2521
2522         Web Inspector: Eliminate the crazy code for evaluateOnCallFrame
2523         https://bugs.webkit.org/show_bug.cgi?id=157510
2524         <rdar://problem/26191332>
2525
2526         Reviewed by Timothy Hatcher.
2527
2528         * debugger/DebuggerCallFrame.cpp:
2529         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2530         Set and clear an optional scope extension object.
2531
2532         * inspector/InjectedScriptSource.js:
2533         (InjectedScript.prototype.evaluate):
2534         (InjectedScript.prototype._evaluateOn):
2535         (InjectedScript.prototype.evaluateOnCallFrame):
2536         Unify the code to use the passed in evaluate function and object.
2537         When evaluating on a call frame the evaluate function ends up being
2538         DebuggerCallFrame::evaluateWithScopeExtension. When evaluating globally
2539         this ends up being JSInjectedScriptHost::evaluateWithScopeExtension.
2540         In both cases "object" is the preferred this object to use.
2541
2542         * debugger/DebuggerCallFrame.h:
2543         * inspector/JSJavaScriptCallFrame.cpp:
2544         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2545         (Inspector::JSJavaScriptCallFrame::evaluate): Deleted.
2546         * inspector/JSJavaScriptCallFrame.h:
2547         * inspector/JSJavaScriptCallFramePrototype.cpp:
2548         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
2549         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
2550         * inspector/JavaScriptCallFrame.h:
2551         (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
2552         (Inspector::JavaScriptCallFrame::evaluate): Deleted.
2553         Pass through to DebuggerCallFrame with the proper arguments.
2554
2555         * debugger/Debugger.cpp:
2556         (JSC::Debugger::hasBreakpoint):
2557         * inspector/ScriptDebugServer.cpp:
2558         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
2559         Use the new evaluate on call frame method name and no scope extension object.
2560
2561 2016-05-10  Saam barati  <sbarati@apple.com>
2562
2563         Make super-property-access.js test run for less time because it was timing out in debug builds.
2564
2565         Rubber stamped by Filip Pizlo.
2566
2567         * tests/stress/super-property-access.js:
2568         (test):
2569         (test.value):
2570         (test.foo):
2571         (test.B.prototype.bar):
2572         (test.B):
2573
2574 2016-05-10  Csaba Osztrogonác  <ossy@webkit.org>
2575
2576         [JSC] Fix the !ENABLE(DFG_JIT) build
2577         https://bugs.webkit.org/show_bug.cgi?id=157512
2578
2579         Reviewed by Mark Lam.
2580
2581         * jit/Repatch.cpp:
2582
2583 2016-05-09  Joseph Pecoraro  <pecoraro@apple.com>
2584
2585         Web Inspector: CRASH under JSC::DebuggerCallFrame::thisValue when hitting breakpoint
2586         https://bugs.webkit.org/show_bug.cgi?id=157442
2587         <rdar://problem/24172015>
2588
2589         Reviewed by Saam Barati.
2590
2591         * debugger/DebuggerCallFrame.cpp:
2592         (JSC::DebuggerCallFrame::thisValueForCallFrame):
2593         When the thisValue is JSValue() return undefined and avoid calling
2594         toThisValue which would lead to a crash. Having `this` be an empty
2595         JSValue could happen inside an ES6 class constructor, before
2596         calling super.
2597
2598 2016-05-09  Filip Pizlo  <fpizlo@apple.com>
2599
2600         Unreviewed, fix cloop.
2601
2602         * bytecode/ValueProfile.cpp:
2603         (JSC::ResultProfile::emitDetectNumericness):
2604         (JSC::ResultProfile::emitSetNonNumber):
2605         * bytecode/ValueProfile.h:
2606         (JSC::ResultProfile::addressOfFlags):
2607         (JSC::ResultProfile::addressOfSpecialFastPathCount):
2608         (JSC::ResultProfile::detectNumericness):
2609         (JSC::ResultProfile::hasBits):
2610
2611 2016-05-09  Michael Saboff  <msaboff@apple.com>
2612
2613         Crash beneath ObjCCallbackFunctionImpl::call
2614         https://bugs.webkit.org/show_bug.cgi?id=157491
2615
2616         Reviewed by Saam Barati.
2617
2618         Clear any exceptions after the micro task runs.
2619
2620         Tried creating a test case, but I don't have source for the app.
2621         I can't seem to find the right combination of Promises and ObjC code.
2622
2623         * runtime/JSJob.cpp:
2624         (JSC::JSJobMicrotask::run):
2625
2626 2016-05-09  Filip Pizlo  <fpizlo@apple.com>
2627
2628         Polymorphic operands in operators coerces downstream values to double.
2629         https://bugs.webkit.org/show_bug.cgi?id=151793
2630
2631         Reviewed by Mark Lam.
2632         
2633         Previously if an object flowed into arithmetic, the prediction propagation phase would either
2634         assume that the output of the arithmetic had to be double or sometimes it would assume that it
2635         couldn't be double. We want it to only assume that the output is double if it actually had been.
2636         
2637         The first part of this patch is to roll out http://trac.webkit.org/changeset/200502. That removed
2638         some of the machinery that we had in place to detect whether the output of an operation is int or
2639         double. That changeset claimed that the machinery was "fundamentally broken". It actually wasn't.
2640         The reason why it didn't work was that ByteCodeParser was ignoring it if likelyToTakeSlowCase was
2641         false. I think this was a complete goof-up: the code in ByteCodeParser::makeSafe was structured
2642         in a way that made it non-obvious that the method is a no-op if !likelyToTakeSlowCase. So, this
2643         change rolls out r200502 and makes ResultProfile do its job by reshaping how makeSafe processes
2644         it.
2645         
2646         This also makes two other changes to shore up ResultProfile:
2647         - OSR exit can now refine a ResultProfile the same way that it refines ValueProfile.
2648         - Baseline JIT slow paths now set bits in ResultProfile.
2649         
2650         Based on this stuff, the DFG now predicts int/double/string in op_add/op_sub/op_mul based on
2651         ResultProfiles. To be conservative, we still only use the ResultProfiles if the incoming
2652         prediction is not number-or-boolean. This ensures that we exactly retain our old behavior in
2653         those cases for which it was tuned. But I hope to remove this soon. I believe that ResultProfile
2654         is already strictly better than what prediction propagation was doing before.
2655         
2656         This can be an enormous win. This patch adds some simple microbenchmarks that demonstrate the
2657         problem of assuming that arithmetic on objects returns double. The most extreme of these speeds
2658         up 8x with this change (object-int-add-array).
2659         
2660         * CMakeLists.txt:
2661         * JavaScriptCore.xcodeproj/project.pbxproj:
2662         * bytecode/CodeBlock.h:
2663         (JSC::CodeBlock::addFrequentExitSite):
2664         (JSC::CodeBlock::hasExitSite):
2665         * bytecode/DFGExitProfile.cpp:
2666         (JSC::DFG::FrequentExitSite::dump):
2667         (JSC::DFG::ExitProfile::ExitProfile):
2668         (JSC::DFG::ExitProfile::~ExitProfile):
2669         (JSC::DFG::ExitProfile::add):
2670         * bytecode/DFGExitProfile.h:
2671         (JSC::DFG::FrequentExitSite::isHashTableDeletedValue):
2672         * bytecode/MethodOfGettingAValueProfile.cpp:
2673         (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
2674         (JSC::MethodOfGettingAValueProfile::emitReportValue):
2675         (JSC::MethodOfGettingAValueProfile::getSpecFailBucket): Deleted.
2676         * bytecode/MethodOfGettingAValueProfile.h:
2677         (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
2678         (JSC::MethodOfGettingAValueProfile::operator bool):
2679         (JSC::MethodOfGettingAValueProfile::operator!): Deleted.
2680         * bytecode/PolymorphicAccess.cpp:
2681         (JSC::AccessCase::generateImpl):
2682         * bytecode/ValueProfile.cpp:
2683         (JSC::ResultProfile::emitDetectBitsLight):
2684         (JSC::ResultProfile::emitSetDouble):
2685         (JSC::ResultProfile::emitSetNonNumber):
2686         (WTF::printInternal):
2687         * bytecode/ValueProfile.h:
2688         (JSC::ResultProfile::ResultProfile):
2689         (JSC::ResultProfile::bytecodeOffset):
2690         (JSC::ResultProfile::specialFastPathCount):
2691         (JSC::ResultProfile::didObserveNonInt32):
2692         (JSC::ResultProfile::didObserveDouble):
2693         (JSC::ResultProfile::didObserveNonNegZeroDouble):
2694         (JSC::ResultProfile::didObserveNegZeroDouble):
2695         (JSC::ResultProfile::didObserveNonNumber):
2696         (JSC::ResultProfile::didObserveInt32Overflow):
2697         (JSC::ResultProfile::didObserveInt52Overflow):
2698         (JSC::ResultProfile::setObservedNonNegZeroDouble):
2699         (JSC::ResultProfile::setObservedNegZeroDouble):
2700         (JSC::ResultProfile::setObservedNonNumber):
2701         (JSC::ResultProfile::setObservedInt32Overflow):
2702         (JSC::ResultProfile::addressOfFlags):
2703         (JSC::ResultProfile::addressOfSpecialFastPathCount):
2704         (JSC::ResultProfile::detectBitsLight):
2705         (JSC::ResultProfile::hasBits):
2706         * dfg/DFGByteCodeParser.cpp:
2707         (JSC::DFG::ByteCodeParser::makeSafe):
2708         * dfg/DFGFixupPhase.cpp:
2709         (JSC::DFG::FixupPhase::fixupNode):
2710         * dfg/DFGGraph.cpp:
2711         (JSC::DFG::Graph::ensureNaturalLoops):
2712         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2713         (JSC::DFG::Graph::valueProfileFor): Deleted.
2714         * dfg/DFGGraph.h:
2715         (JSC::DFG::Graph::hasExitSite):
2716         (JSC::DFG::Graph::numBlocks):
2717         * dfg/DFGNode.h:
2718         (JSC::DFG::Node::arithNodeFlags):
2719         (JSC::DFG::Node::mayHaveNonIntResult):
2720         (JSC::DFG::Node::mayHaveDoubleResult):
2721         (JSC::DFG::Node::mayHaveNonNumberResult):
2722         (JSC::DFG::Node::hasConstantBuffer):
2723         * dfg/DFGNodeFlags.cpp:
2724         (JSC::DFG::dumpNodeFlags):
2725         * dfg/DFGNodeFlags.h:
2726         * dfg/DFGOSRExitCompiler32_64.cpp:
2727         (JSC::DFG::OSRExitCompiler::compileExit):
2728         * dfg/DFGOSRExitCompiler64.cpp:
2729         (JSC::DFG::OSRExitCompiler::compileExit):
2730         * dfg/DFGOperations.cpp:
2731         * dfg/DFGOperations.h:
2732         * dfg/DFGPredictionPropagationPhase.cpp:
2733         * dfg/DFGSpeculativeJIT.h:
2734         (JSC::DFG::SpeculativeJIT::callOperation):
2735         * ftl/FTLOSRExitCompiler.cpp:
2736         (JSC::FTL::compileStub):
2737         * jit/AssemblyHelpers.h:
2738         (JSC::AssemblyHelpers::branchIfEqual):
2739         (JSC::AssemblyHelpers::branchIfNotCell):
2740         (JSC::AssemblyHelpers::branchIfNotNumber):
2741         (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
2742         (JSC::AssemblyHelpers::branchIfBoolean):
2743         (JSC::AssemblyHelpers::branchIfEmpty):
2744         (JSC::AssemblyHelpers::branchStructure):
2745         * jit/CCallHelpers.h:
2746         (JSC::CCallHelpers::CCallHelpers):
2747         (JSC::CCallHelpers::setupArguments):
2748         (JSC::CCallHelpers::setupArgumentsWithExecState):
2749         * jit/IntrinsicEmitter.cpp:
2750         (JSC::AccessCase::emitIntrinsicGetter):
2751         * jit/JIT.h:
2752         * jit/JITAddGenerator.cpp:
2753         (JSC::JITAddGenerator::generateFastPath):
2754         * jit/JITAddGenerator.h:
2755         (JSC::JITAddGenerator::JITAddGenerator):
2756         * jit/JITArithmetic.cpp:
2757         (JSC::JIT::emit_op_add):
2758         (JSC::JIT::emitSlow_op_add):
2759         (JSC::JIT::emit_op_div):
2760         (JSC::JIT::emit_op_mul):
2761         (JSC::JIT::emitSlow_op_mul):
2762         (JSC::JIT::emit_op_sub):
2763         (JSC::JIT::emitSlow_op_sub):
2764         * jit/JITInlines.h:
2765         (JSC::JIT::callOperation):
2766         (JSC::JIT::callOperationNoExceptionCheck):
2767         * jit/JITMulGenerator.cpp:
2768         (JSC::JITMulGenerator::generateFastPath):
2769         * jit/JITOperations.cpp:
2770         * jit/JITOperations.h:
2771         * jit/JITSubGenerator.cpp:
2772         (JSC::JITSubGenerator::generateFastPath):
2773         * jit/JITSubGenerator.h:
2774         (JSC::JITSubGenerator::JITSubGenerator):
2775         * jit/TagRegistersMode.cpp: Added.
2776         (WTF::printInternal):
2777         * jit/TagRegistersMode.h: Added.
2778         * runtime/CommonSlowPaths.cpp:
2779         (JSC::updateResultProfileForBinaryArithOp):
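
Added example, not JSC source: a JavaScript model of what a ResultProfile records about the results of one binary arithmetic op, and of the int/double/string choice the entry says the DFG now makes from it. The flag names follow the accessors listed above (didObserveNonInt32, didObserveDouble, didObserveNonNumber, int32 overflow, negative-zero double); the classification rules and the operand pairs are this example's own construction, not the engine's bit layout.

```javascript
// Added example, not JSC source: a model of the ResultProfile described above.
// Flag names mirror the ChangeLog's accessors; the rules are an approximation.

const INT32_MIN = -(2 ** 31);
const INT32_MAX = 2 ** 31 - 1;

function newResultProfile() {
  return { nonNumber: false, double: false, negZeroDouble: false, int32Overflow: false, samples: 0 };
}

// Classify one observed result and set the corresponding flags.
function recordResult(profile, result) {
  profile.samples += 1;
  if (typeof result !== 'number') {
    profile.nonNumber = true;            // string, object, etc.
  } else if (Object.is(result, -0)) {
    profile.double = true;               // -0 has no Int32 representation
    profile.negZeroDouble = true;
  } else if (Number.isInteger(result) && result >= INT32_MIN && result <= INT32_MAX) {
    // Int32 result: the fast path, nothing to flag.
  } else {
    profile.double = true;
    // Integral but outside Int32: modelled as an overflow observation.
    if (Number.isInteger(result)) profile.int32Overflow = true;
  }
  return profile;
}

function didObserveNonInt32(p) { return p.nonNumber || p.double; }
function didObserveDouble(p) { return p.double; }
function didObserveNonNumber(p) { return p.nonNumber; }

// Apply `op` to each constructed operand pair and return the resulting profile.
function profileOperator(op, pairs) {
  const profile = newResultProfile();
  for (const [a, b] of pairs) recordResult(profile, op(a, b));
  return profile;
}

const add = (a, b) => a + b;
const mul = (a, b) => a * b;

// Constructed operands. An object whose valueOf returns an Int32 does NOT make
// the result a double; this is the case the old prediction got wrong.
const intObject = { valueOf() { return 7; } };
const doubleObject = { valueOf() { return 0.5; } };
const stringObject = { [Symbol.toPrimitive]() { return 'x'; } };

const objectIntAdd = profileOperator(add, [[intObject, 1], [intObject, 2], [3, intObject]]);
const objectDoubleAdd = profileOperator(add, [[doubleObject, 1]]);
const objectStringAdd = profileOperator(add, [[stringObject, 1]]);
const int32OverflowAdd = profileOperator(add, [[INT32_MAX, 1]]);
const negZeroMul = profileOperator(mul, [[-1, 0]]);

// What a DFG-style predictor would conclude from each profile: the result is
// only predicted double if a double was actually observed.
function predictResultKind(p) {
  if (p.nonNumber) return 'string-or-other';
  if (p.double) return 'double';
  return 'int32';
}
```

The object-plus-int profile never sets a double flag, so predicting double for it (as the old prediction propagation did whenever an object flowed into arithmetic) would force every downstream consumer onto the double path for no reason; the overflow and negative-zero pairs show the cases where a double prediction is genuinely warranted.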
2780
2781 2016-05-09  Keith Miller  <keith_miller@apple.com>
2782
2783         CallObjectConstructor should not call operationToThis in the FTL
2784         https://bugs.webkit.org/show_bug.cgi?id=157492
2785         <rdar://problem/26149904>
2786
2787         Reviewed by Mark Lam.
2788
2789         At some point when I was working on intrinsifying the Object
2790         constructor, I realized that the Object constructor was different
2791         from the ToObject operation. I fixed the DFG but I guess I didn't
2792         fix the FTL.
2793
2794         This patch fixes an issue with www.wunderground.com not loading
2795         the 10-day forecast and local map.
2796
2797         * ftl/FTLLowerDFGToB3.cpp:
2798         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
2799         * tests/stress/call-object-constructor.js: Added.
2800         (test):
2801         (assert):
2802
2803 2016-05-09  Saam barati  <sbarati@apple.com>
2804
2805         Getter and setter on super are called with wrong "this" object
2806         https://bugs.webkit.org/show_bug.cgi?id=147064
2807         <rdar://problem/21885916>
2808
2809         Reviewed by Filip Pizlo.
2810
2811         This patch implements calls to 'super' getters and setters.
2812         The problem before was that we were passing the 'super' (i.e., the prototype
2813         object) as the this value to these getters/setters, which is wrong.
2814         We should be passing the caller's this value.
2815
2816         To implement this behavior, I've introduced four new opcodes and their corresponding DFG nodes:
2817         - op_get_by_id_with_this | GetByIdWithThis
2818         - op_put_by_id_with_this | PutByIdWithThis
2819         - op_get_by_val_with_this | GetByValWithThis
2820         - op_put_by_val_with_this | PutByValWithThis
2821
2822         These are implemented with no optimizations. The future plan is 
2823         to unite them with the *by_id and *by_val opcodes and nodes:
2824         https://bugs.webkit.org/show_bug.cgi?id=157215
2825
2826         * bytecode/BytecodeList.json:
2827         * bytecode/BytecodeUseDef.h:
2828         (JSC::computeUsesForBytecodeOffset):
2829         (JSC::computeDefsForBytecodeOffset):
2830         * bytecode/CodeBlock.cpp:
2831         (JSC::CodeBlock::dumpBytecode):
2832         * bytecompiler/BytecodeGenerator.cpp:
2833         (JSC::BytecodeGenerator::emitGetById):
2834         (JSC::BytecodeGenerator::emitPutById):
2835         (JSC::BytecodeGenerator::emitDirectPutById):
2836         (JSC::BytecodeGenerator::emitGetByVal):
2837         (JSC::BytecodeGenerator::emitPutByVal):
2838         (JSC::BytecodeGenerator::emitDirectPutByVal):
2839         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
2840         (JSC::BytecodeGenerator::ensureThis):
2841         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
2842         * bytecompiler/BytecodeGenerator.h:
2843         * bytecompiler/NodesCodegen.cpp:
2844         (JSC::ThisNode::emitBytecode):
2845         (JSC::emitHomeObjectForCallee):
2846         (JSC::emitSuperBaseForCallee):
2847         (JSC::emitGetSuperFunctionForConstruct):
2848         (JSC::SuperNode::emitBytecode):
2849         (JSC::NewTargetNode::emitBytecode):
2850         (JSC::TaggedTemplateNode::emitBytecode):
2851         (JSC::BracketAccessorNode::emitBytecode):
2852         (JSC::DotAccessorNode::emitBytecode):
2853         (JSC::FunctionCallValueNode::emitBytecode):
2854         (JSC::FunctionCallBracketNode::emitBytecode):
2855         (JSC::FunctionCallDotNode::emitBytecode):
2856         (JSC::CallFunctionCallDotNode::emitBytecode):
2857         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2858         (JSC::PostfixNode::emitBracket):
2859         (JSC::PostfixNode::emitDot):
2860         (JSC::PrefixNode::emitBracket):
2861         (JSC::PrefixNode::emitDot):
2862         (JSC::AssignDotNode::emitBytecode):
2863         (JSC::ReadModifyDotNode::emitBytecode):
2864         (JSC::AssignBracketNode::emitBytecode):
2865         (JSC::ReadModifyBracketNode::emitBytecode):
2866         (JSC::ForInNode::emitLoopHeader):
2867         (JSC::ForOfNode::emitBytecode):
2868         (JSC::AssignmentElementNode::bindValue):
2869         * dfg/DFGAbstractInterpreterInlines.h:
2870         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2871         * dfg/DFGByteCodeParser.cpp:
2872         (JSC::DFG::ByteCodeParser::parseBlock):
2873         * dfg/DFGCapabilities.cpp:
2874         (JSC::DFG::capabilityLevel):
2875         * dfg/DFGClobberize.h:
2876         (JSC::DFG::clobberize):
2877         * dfg/DFGDoesGC.cpp:
2878         (JSC::DFG::doesGC):
2879         * dfg/DFGFixupPhase.cpp:
2880         (JSC::DFG::FixupPhase::fixupNode):
2881         * dfg/DFGNode.h:
2882         (JSC::DFG::Node::hasIdentifier):
2883         * dfg/DFGNodeType.h:
2884         * dfg/DFGOperations.cpp:
2885         (JSC::DFG::newTypedArrayWithSize):
2886         (JSC::DFG::putWithThis):
2887         * dfg/DFGOperations.h:
2888         * dfg/DFGPredictionPropagationPhase.cpp:
2889         * dfg/DFGSafeToExecute.h:
2890         (JSC::DFG::safeToExecute):
2891         * dfg/DFGSpeculativeJIT.h:
2892         (JSC::DFG::SpeculativeJIT::callOperation):
2893         * dfg/DFGSpeculativeJIT32_64.cpp:
2894         (JSC::DFG::SpeculativeJIT::compile):
2895         * dfg/DFGSpeculativeJIT64.cpp:
2896         (JSC::DFG::SpeculativeJIT::compile):
2897         * ftl/FTLCapabilities.cpp:
2898         (JSC::FTL::canCompile):
2899         * ftl/FTLLowerDFGToB3.cpp:
2900         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2901         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2902         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
2903         (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
2904         (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
2905         (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
2906         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
2907         * jit/CCallHelpers.cpp:
2908         (JSC::CCallHelpers::setupShadowChickenPacket):
2909         (JSC::CCallHelpers::setupFourStubArgsGPR):
2910         * jit/CCallHelpers.h:
2911         (JSC::CCallHelpers::setupArgumentsWithExecState):
2912         (JSC::CCallHelpers::setupThreeStubArgsGPR):
2913         (JSC::CCallHelpers::setupTwoStubArgsFPR):
2914         (JSC::CCallHelpers::setupStubArguments134):
2915         * jit/GPRInfo.h:
2916         (JSC::argumentRegisterFor): Deleted.
2917         * jit/JIT.cpp:
2918         (JSC::JIT::privateCompileMainPass):
2919         * jit/JIT.h:
2920         * jit/JITOperations.h:
2921         * jit/JITPropertyAccess.cpp:
2922         (JSC::JIT::emit_op_put_by_val):
2923         (JSC::JIT::emit_op_put_by_val_with_this):
2924         (JSC::JIT::emitGenericContiguousPutByVal):
2925         (JSC::JIT::emit_op_get_by_id):
2926         (JSC::JIT::emit_op_get_by_id_with_this):
2927         (JSC::JIT::emit_op_get_by_val_with_this):
2928         (JSC::JIT::emitSlow_op_get_by_id):
2929         (JSC::JIT::emit_op_put_by_id):
2930         (JSC::JIT::emit_op_put_by_id_with_this):
2931         (JSC::JIT::emitSlow_op_put_by_id):
2932         * jit/JITPropertyAccess32_64.cpp:
2933         (JSC::JIT::emit_op_put_to_arguments):
2934         (JSC::JIT::emit_op_get_by_id_with_this):
2935         (JSC::JIT::emit_op_get_by_val_with_this):
2936         (JSC::JIT::emit_op_put_by_id_with_this):
2937         (JSC::JIT::emit_op_put_by_val_with_this):
2938         * llint/LowLevelInterpreter.asm:
2939         * runtime/CommonSlowPaths.cpp:
2940         (JSC::SLOW_PATH_DECL):
2941         * runtime/CommonSlowPaths.h:
2942         * tests/stress/super-property-access-exceptions.js: Added.
2943         (assert):
2944         (test):
2945         (test.fooProp):
2946         (test.A.prototype.get foo):
2947         (test.A.prototype.get x):
2948         (test.A):
2949         (test.B):
2950         (test.B.prototype.bar):
2951         (test.B.prototype.baz):
2952         (test.foo):
2953         (test.func):
2954         (test.A.prototype.set foo):
2955         * tests/stress/super-property-access-tdz.js: Added.
2956         (assert):
2957         (test):
2958         (shouldThrowTDZ):
2959         (test.A.prototype.get foo):
2960         (test.A.prototype.set foo):
2961         (test.A):
2962         (test.fooProp):
2963         (test.B):
2964         (test.C):
2965         (test.D):
2966         (test.E):
2967         (test.F):
2968         * tests/stress/super-property-access.js: Added.
2969         (assert):
2970         (test):
2971         (func):
2972         (test.A):
2973         (test.A.prototype.set value):
2974         (test.A.prototype.get value):
2975         (test.B.prototype.set value):
2976         (test.B.prototype.get value):
2977         (test.B):
2978         (test.value):
2979         (test.A.prototype.get func):
2980         (test.B.prototype.inc):
2981         (test.B.prototype.dec):
2982         (test.B.prototype.preInc):
2983         (test.B.prototype.preDec):
2984         (test.B.prototype.plusEq):
2985         (test.B.prototype.minusEq):
2986         (test.B.prototype.timesEq):
2987         (test.B.prototype.divEq):
2988         (test.B.prototype.funcDot):
2989         (test.B.prototype.funcBracket):
2990         (test.foo):
2991         (test.B.prototype.baz):
2992         (test.B.prototype.jaz):
2993         (test.B.prototype.bar):
2994         (test.B.prototype.index):
2995         (test.):
2996         (test.prototype.bar):
2997         (test.A.prototype.set foo):
2998         (test.A.prototype.get array):
2999         (test.A.prototype.get foo):
3000         (test.obj):
3001         (test.A.prototype.get call):
3002         (test.A.prototype.get apply):
3003         (test.B.prototype.foo):
3004         (test.A.prototype.get i):
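
Added example, not from the WebKit patch or its stress tests: the receiver a `super` getter or setter must see, expressed both with class syntax and with the equivalent Reflect.get/Reflect.set calls, alongside the wrong-receiver behaviour the entry describes (prototype passed as `this`) and the TDZ case that super-property-access-tdz.js covers. Class names A, B and C and the property names are this example's own.

```javascript
// Added example, not WebKit code: what `this` a super accessor must receive.

class A {
  constructor() { this.x = 1; }
  get foo() { return this.x; }        // result depends on the receiver
  set foo(v) { this.x = v; }          // writes to the receiver
}

class B extends A {
  constructor() { super(); this.x = 10; }
  readViaSuper() { return super.foo; }            // A's getter, receiver === this B instance
  writeViaSuper(v) { super.foo = v; }             // A's setter, receiver === this B instance
  readViaSuperBracket(name) { return super[name]; }
}

// Correct semantics: the getter reads the B instance's x, the setter writes it,
// and A.prototype itself is never touched.
function correctSuperAccess() {
  const b = new B();
  const before = b.readViaSuper();
  b.writeViaSuper(42);
  return {
    before,                                   // 10
    after: b.x,                               // 42
    bracket: b.readViaSuperBracket('foo'),    // 42
    protoUntouched: !Object.prototype.hasOwnProperty.call(A.prototype, 'x'),
  };
}

// `super.foo` in a B method is Reflect.get(HomeObject.[[Prototype]], 'foo', this):
// the lookup starts at A.prototype but the receiver stays the caller's this.
function specSuperRead(b) {
  return Reflect.get(Object.getPrototypeOf(B.prototype), 'foo', b);
}

// The bug described above, modelled explicitly: the prototype object is passed
// as the receiver, so the getter reads A.prototype.x (undefined) instead of b.x.
function wrongReceiverRead() {
  const proto = Object.getPrototypeOf(B.prototype);   // A.prototype
  return Reflect.get(proto, 'foo', proto);
}

// With the wrong receiver a super setter pollutes the shared prototype, so
// every instance would suddenly inherit the written value.
function wrongReceiverWrite(v) {
  const proto = Object.getPrototypeOf(B.prototype);   // A.prototype
  Reflect.set(proto, 'foo', v, proto);                // setter runs with this === A.prototype
  const leaked = Object.prototype.hasOwnProperty.call(proto, 'x');
  delete proto.x;                                     // undo the pollution for the rest of the example
  return leaked;                                      // true
}

// Touching super.foo before super() in a derived constructor must throw a
// ReferenceError, because `this` is still in its temporal dead zone.
function superAccessBeforeSuperCallThrows() {
  class C extends A {
    constructor() { const v = super.foo; super(); this.v = v; }
  }
  try { new C(); return false; } catch (e) { return e instanceof ReferenceError; }
}
```

`specSuperRead` is the reference point for the four new opcodes: the property lookup starts at the home object's prototype while the receiver is the current frame's `this`, which is exactly the extra operand that op_get_by_id_with_this and friends carry.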
3005
3006 2016-05-08  Chris Dumez  <cdumez@apple.com>
3007
3008         [COCOA] Disable HAVE_DTRACE at build time
3009         https://bugs.webkit.org/show_bug.cgi?id=157433
3010         <rdar://problem/26148841>
3011
3012         Reviewed by Mark Lam.
3013
3014         Drop DTRACE-related code from JSC since it is very old and seems
3015         unused.
3016
3017         * JavaScriptCore.xcodeproj/project.pbxproj:
3018         * PlatformMac.cmake:
3019         * heap/Heap.cpp:
3020         (JSC::Heap::collectImpl): Deleted.
3021         (JSC::Heap::didFinishCollection): Deleted.
3022         * profiler/ProfileGenerator.cpp:
3023         (JSC::ProfileGenerator::willExecute): Deleted.
3024         (JSC::ProfileGenerator::didExecute): Deleted.
3025         * runtime/Tracing.d: Removed.
3026         * runtime/Tracing.h: Removed.
3027
3028 2016-05-07  Mark Lam  <mark.lam@apple.com>
3029
3030         Add JSC options bytecodeRangeToJITCompile and jitWhitelist.
3031         https://bugs.webkit.org/show_bug.cgi?id=157428
3032
3033         Reviewed by Michael Saboff.
3034
3035         1. Added Options::bytecodeRangeToJITCompile and Options::jitWhitelist options.
3036
3037         2. Moved DFGFunctionWhitelist* to FunctionWhitelist* and made it generic so that
3038            it can be used for more than one whitelist instance.  In this case, we now have
3039            two: the dfgWhitelist and the jitWhitelist.
3040
3041         3. Added "can compile" checks in LLInt::shouldJIT() to check
3042            Options::bytecodeRangeToJITCompile and Options::jitWhitelist.
3043
3044         * CMakeLists.txt:
3045         * JavaScriptCore.xcodeproj/project.pbxproj:
3046         * dfg/DFGDriver.cpp:
3047         (JSC::DFG::getNumCompilations):
3048         (JSC::DFG::ensureGlobalDFGWhitelist):
3049         (JSC::DFG::compileImpl):
3050         * dfg/DFGFunctionWhitelist.cpp: Removed.
3051         * dfg/DFGFunctionWhitelist.h: Removed.
3052
3053         * llint/LLIntSlowPaths.cpp:
3054         (JSC::LLInt::ensureGlobalJITWhitelist):
3055         (JSC::LLInt::shouldJIT):
3056
3057         * runtime/Options.h:
3058
3059         * tools/FunctionWhitelist.cpp: Copied from Source/JavaScriptCore/dfg/DFGFunctionWhitelist.cpp.
3060         (JSC::FunctionWhitelist::FunctionWhitelist):
3061         (JSC::FunctionWhitelist::contains):
3062         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist): Deleted.
3063         (JSC::DFG::FunctionWhitelist::FunctionWhitelist): Deleted.
3064         (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile): Deleted.
3065         (JSC::DFG::FunctionWhitelist::contains): Deleted.
3066         * tools/FunctionWhitelist.h: Copied from Source/JavaScriptCore/dfg/DFGFunctionWhitelist.h.
3067
3068 2016-05-07  Benjamin Poulain  <bpoulain@apple.com>
3069
3070         [JSC][32bit] stress/tagged-templates-template-object.js fails in debug
3071         https://bugs.webkit.org/show_bug.cgi?id=157436
3072
3073         Reviewed by Filip Pizlo.
3074
3075         * dfg/DFGSpeculativeJIT32_64.cpp:
3076         (JSC::DFG::SpeculativeJIT::compile):
3077         The node OverridesHasInstance had a speculation after a jump.
3078
3079 2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>
3080
3081         Web Inspector: Misc CommandLineAPI cleanup
3082         https://bugs.webkit.org/show_bug.cgi?id=157450
3083
3084         Reviewed by Ryosuke Niwa.
3085
3086         * inspector/InjectedScriptSource.js:
3087         (BasicCommandLineAPI):
3088         Fix mistake in r200533, and modernize related code.
3089
3090 2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>
3091
3092         Web Inspector: Improve console.count()
3093         https://bugs.webkit.org/show_bug.cgi?id=157439
3094         <rdar://problem/26152654>
3095
3096         Reviewed by Timothy Hatcher.
3097
3098           - make console.count() increment an unnamed global counter.
3099           - make console.count(label) increment a counter with that label name.
3100
3101         * inspector/agents/InspectorConsoleAgent.cpp:
3102         (Inspector::InspectorConsoleAgent::count):
3103
3104 2016-05-06  Simon Fraser  <simon.fraser@apple.com>
3105
3106         Enable IOS_TEXT_AUTOSIZING on Mac and make it testable
3107         https://bugs.webkit.org/show_bug.cgi?id=157432
3108         rdar://problem/16406720
3109
3110         Reviewed by Dean Jackson.
3111
3112         Enable IOS_TEXT_AUTOSIZING on Mac so it can be tested.
3113
3114         * Configurations/FeatureDefines.xcconfig:
3115
3116 2016-05-06  Joseph Pecoraro  <pecoraro@apple.com>
3117
3118         Web Inspector: Console: Variables defined with let/const aren't accessible outside of console's scope
3119         https://bugs.webkit.org/show_bug.cgi?id=150752
3120         <rdar://problem/23343385>
3121
3122         Reviewed by Mark Lam.
3123
3124         This approach allows Web Inspector to hang a "Scope Extension", a
3125         WithObjectScope, off the GlobalObject. When resolving identifiers
3126         fails to find anything in the normal scope chain, consult
3127         the scope extension.
3128
3129         This allows us to eliminate the `with (commandLineAPI) { ... }`
3130         block in global console evaluations, and instead makes it a full
3131         program evaluation, with the commandLineAPI available and safely
3132         shadowed by actual variables as expected.
3133
3134         * inspector/InjectedScriptSource.js:
3135         (InjectedScript.prototype._evaluateOn):
3136         Use the new evaluateWithScopeExtension and provide the CommandLineAPI
3137         object as the scope extension object.
3138
3139         (BasicCommandLineAPI):
3140         (BasicCommandLineAPI.inScopeVariables): Deleted.
3141         Simplify now that we don't need to check for variable shadowing ourselves.
3142
3143         * inspector/JSInjectedScriptHost.cpp:
3144         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3145         * inspector/JSInjectedScriptHost.h:
3146         * inspector/JSInjectedScriptHostPrototype.cpp:
3147         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
3148         (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
3149         Provide a new InjectedScriptHost method to evaluate a program
3150         with a scope extension.
3151
3152         * runtime/Completion.cpp:
3153         (JSC::evaluateWithScopeExtension):
3154         * runtime/Completion.h:
3155         General JSC::evaluate function to evaluate a program with a scope extension.
3156
3157         * runtime/JSGlobalObject.cpp:
3158         (JSC::JSGlobalObject::setGlobalScopeExtension):
3159         (JSC::JSGlobalObject::clearGlobalScopeExtension):
3160         (JSC::JSGlobalObject::visitChildren):
3161         * runtime/JSGlobalObject.h:
3162         (JSC::JSGlobalObject::globalScopeExtension):
3163         Hang a scope extension off the global object.
3164
3165         * runtime/JSScope.cpp:
3166         (JSC::JSScope::resolve):
3167         Consult the scope extension when resolve fails to find anything normally.
3168
3169 2016-05-06  Mark Lam  <mark.lam@apple.com>
3170
3171         Add JSC options reportBaselineCompileTimes and reportDFGCompileTimes.
3172         https://bugs.webkit.org/show_bug.cgi?id=157427
3173
3174         Reviewed by Filip Pizlo and Keith Miller.
3175
3176         The compile times reporting options are now:
3177             reportCompileTimes         -> report compile times in all tiers.
3178             reportBaselineCompileTimes -> report compile times in baseline JIT.
3179             reportDFGCompileTimes      -> report compile times in DFG and FTL.
3180             reportFTLCompileTimes      -> report compile times in FTL.
3181
3182         Also updated reportTotalCompileTimes() to collect stats that include the baseline
3183         JIT.  compileTimeStats() is now moved into JIT.cpp (from DFGPlan.cpp). 
3184
3185         * dfg/DFGPlan.cpp:
3186         (JSC::DFG::Plan::reportCompileTimes):
3187         (JSC::DFG::Plan::compileInThread):
3188         (JSC::DFG::Plan::compileInThreadImpl):
3189         (JSC::DFG::Plan::cancel):
3190         (JSC::DFG::Plan::compileTimeStats): Deleted.
3191         * dfg/DFGPlan.h:
3192         (JSC::DFG::Plan::compileTimeStats): Deleted.
3193         * jit/JIT.cpp:
3194         (JSC::ctiPatchCallByReturnAddress):
3195         (JSC::JIT::privateCompile):
3196         (JSC::JIT::stackPointerOffsetFor):
3197         (JSC::JIT::reportCompileTimes):
3198         (JSC::JIT::computeCompileTimes):
3199         (JSC::JIT::compileTimeStats):
3200         * jit/JIT.h:
3201         (JSC::JIT::shouldEmitProfiling):
3202         * jsc.cpp:
3203         (runJSC):
3204         * runtime/Options.h:
3205
3206 2016-05-05  Benjamin Poulain  <bpoulain@apple.com>
3207
3208         [JSC] Get rid of NonNegZeroDouble, it is broken
3209         https://bugs.webkit.org/show_bug.cgi?id=157399
3210         rdar://problem/25339647
3211
3212         Reviewed by Mark Lam.
3213
3214         The profile "NonNegZeroDouble" is fundamentally broken.
3215
3216         It is used by DFG to predict the result of ArithMul as being a Double
3217         or Int32.
3218         The problem is you are likely to mispredict, and when you do, you are
3219         guaranteed to end up in a recompile loop.
3220
3221         The compile loops usually happen like this:
3222         - We speculate you have Int32 despite producing doubles.
3223         - We OSR exit on another node (ValueToInt32 for example) from the result of this ArithMul.
3224         - When we compile this block again, ArithMul will do the same misprediction
3225           because it unconditionally predicts Int32.
3226
3227         The flag NonNegZeroDouble was very unlikely to be set correctly
3228         in the first place.
3229
3230         In LLINT, the flag is only set on the slow path.
3231         Since double*double is on the fast path, those cases are ignored.
3232
3233         In Baseline, the flag is set for any case that falls back on double
3234         multiplication. BUT, the DFG flag was only set for nodes that spend
3235         many iterations in the slow path, which obviously does not apply to double*double.
3236
3237         Given the perf drawbacks and the recompile loops, I removed
3238         the whole flag for now.
3239
3240         * bytecode/ValueProfile.cpp:
3241         (WTF::printInternal):
3242         * bytecode/ValueProfile.h:
3243         (JSC::ResultProfile::didObserveNonInt32): Deleted.
3244         (JSC::ResultProfile::didObserveDouble): Deleted.
3245         (JSC::ResultProfile::didObserveNonNegZeroDouble): Deleted.
3246         (JSC::ResultProfile::setObservedNonNegZeroDouble): Deleted.
3247         * dfg/DFGByteCodeParser.cpp:
3248         (JSC::DFG::ByteCodeParser::makeSafe): Deleted.
3249         * dfg/DFGNode.h:
3250         (JSC::DFG::Node::mayHaveNonIntResult): Deleted.
3251         * dfg/DFGNodeFlags.cpp:
3252         (JSC::DFG::dumpNodeFlags): Deleted.
3253         * dfg/DFGNodeFlags.h:
3254         * dfg/DFGPredictionPropagationPhase.cpp:
3255         * jit/JITMulGenerator.cpp:
3256         (JSC::JITMulGenerator::generateFastPath): Deleted.
3257         * runtime/CommonSlowPaths.cpp:
3258         (JSC::updateResultProfileForBinaryArithOp): Deleted.
3259
3260 2016-05-05  Joseph Pecoraro  <pecoraro@apple.com>
3261
3262         REGRESSION(r200422): Web Inspector: Make new Array Iterator objects play nice with Web Inspector
3263         https://bugs.webkit.org/show_bug.cgi?id=157361
3264         <rdar://problem/26099793>
3265
3266         Reviewed by Timothy Hatcher.
3267
3268         * builtins/ArrayPrototype.js:
3269         (createArrayIterator):
3270         (values):
3271         (keys):
3272         (entries):
3273         * builtins/TypedArrayPrototype.js:
3274         (values):
3275         (keys):
3276         (entries):
3277         * runtime/CommonIdentifiers.h:
3278         Set the kind on the iterator object, which can be shown
3279         to the inspector if the object is shown in the console.
3280
3281         * inspector/InjectedScriptSource.js:
3282         (InjectedScript.prototype._describe):
3283         Get a better name for the new Array Iterator which is just an Object.
3284
3285         * inspector/JSInjectedScriptHost.cpp:
3286         (Inspector::JSInjectedScriptHost::subtype):
3287         (Inspector::JSInjectedScriptHost::getInternalProperties):
3288         Detect and handle ArrayIterator object instances. Porting the code
3289         from the JSArrayIterator code path.
3290
3291 2016-05-05  Benjamin Poulain  <bpoulain@apple.com>
3292
3293         [JSC] In DFG, an OSR Exit on SetLocal can trash its child node
3294         https://bugs.webkit.org/show_bug.cgi?id=157358
3295         rdar://problem/25339647
3296
3297         Reviewed by Filip Pizlo.
3298
3299         When we OSR Exit on SetLocal, the child is never restored if its representation
3300         was changed since the MovHint.
3301
3302         For example, say we have:
3303             @1 = SomethingProducingDouble()
3304             @2 = MovHint(@1)
3305             @3 = ValueRep(@1)
3306             @4 = SetLocal(@3, FlushedInt32)
3307
3308         When we lower SetLocal(), we start by speculating that @3 is an Int32.
3309         Now this can fail if @1 was really a double.
3310         When that happens, we go over the VariableEventStream to find where values
3311         are, and @1 died at @3. Since the speculation failure happens before
3312         the SetLocal event, we don't do anything with @3.
3313
3314         In this patch, I extend the PhantomInsertion phase to keep the MovHint
3315         alive past the SetLocal.
3316
3317         * dfg/DFGPhantomInsertionPhase.cpp:
3318         * tests/stress/multiply-typed-double-and-object.js: Added.
3319         (otherObject.valueOf):
3320         (targetDFG.multiply):
3321         (targetFTL.multiply):
3322
3323 2016-05-05  Oliver Hunt  <oliver@apple.com>
3324
3325         Enable separated heap by default on ios
3326         https://bugs.webkit.org/show_bug.cgi?id=156720
3327
3328         Reviewed by Geoffrey Garen.
3329
3330         We've fixed the xnu side of things, so we can reland this.
3331
3332         * runtime/Options.cpp:
3333         (JSC::recomputeDependentOptions):
3334
3335 2016-05-05  Joseph Pecoraro  <pecoraro@apple.com>
3336
3337         JSContext Inspector: Better CommandLineAPI in JSContext inspection
3338         https://bugs.webkit.org/show_bug.cgi?id=157387
3339         <rdar://problem/22630583>
3340
3341         Reviewed by Timothy Hatcher.
3342
3343         * inspector/InjectedScriptSource.js:
3344         (InjectedScript.prototype._evaluateOn):
3345         (BasicCommandLineAPI.inScopeVariables):
3346         (BasicCommandLineAPI):
3347         When creating a BasicCommandLineAPI, pass the call frame so
3348         that we don't shadow variables in the callstack.
3349
3350         (BasicCommandLineAPI.methods):
3351         (clear):
3352         (table):