Replace WTF::move with WTFMove
1 2015-12-31  Andy Estes  <aestes@apple.com>
2
3         Replace WTF::move with WTFMove
4         https://bugs.webkit.org/show_bug.cgi?id=152601
5
6         Reviewed by Brady Eidson.
7
8         * API/ObjCCallbackFunction.mm:
9         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
10         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
11         (JSC::ObjCCallbackFunction::create):
12         (objCCallbackFunctionForInvocation):
13         * assembler/AssemblerBuffer.h:
14         (JSC::AssemblerBuffer::releaseAssemblerData):
15         * assembler/LinkBuffer.cpp:
16         (JSC::LinkBuffer::linkCode):
17         * b3/B3BlockInsertionSet.cpp:
18         (JSC::B3::BlockInsertionSet::insert):
19         (JSC::B3::BlockInsertionSet::splitForward):
20         * b3/B3LowerToAir.cpp:
21         (JSC::B3::Air::LowerToAir::run):
22         (JSC::B3::Air::LowerToAir::lower):
23         * b3/B3OpaqueByproducts.cpp:
24         (JSC::B3::OpaqueByproducts::add):
25         * b3/B3Procedure.cpp:
26         (JSC::B3::Procedure::addBlock):
27         (JSC::B3::Procedure::addDataSection):
28         * b3/B3Procedure.h:
29         (JSC::B3::Procedure::releaseByproducts):
30         * b3/B3ProcedureInlines.h:
31         (JSC::B3::Procedure::add):
32         * b3/B3Value.h:
33         * b3/air/AirCode.cpp:
34         (JSC::B3::Air::Code::addBlock):
35         (JSC::B3::Air::Code::addStackSlot):
36         (JSC::B3::Air::Code::addSpecial):
37         * b3/air/AirInst.h:
38         (JSC::B3::Air::Inst::Inst):
39         * b3/air/AirIteratedRegisterCoalescing.cpp:
40         * b3/air/AirSimplifyCFG.cpp:
41         (JSC::B3::Air::simplifyCFG):
42         * bindings/ScriptValue.cpp:
43         (Deprecated::jsToInspectorValue):
44         * builtins/BuiltinExecutables.cpp:
45         (JSC::createExecutableInternal):
46         * bytecode/BytecodeBasicBlock.cpp:
47         (JSC::computeBytecodeBasicBlocks):
48         * bytecode/CodeBlock.cpp:
49         (JSC::CodeBlock::finishCreation):
50         (JSC::CodeBlock::setCalleeSaveRegisters):
51         * bytecode/CodeBlock.h:
52         (JSC::CodeBlock::setJITCodeMap):
53         (JSC::CodeBlock::livenessAnalysis):
54         * bytecode/GetByIdStatus.cpp:
55         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
56         * bytecode/GetByIdVariant.cpp:
57         (JSC::GetByIdVariant::GetByIdVariant):
58         * bytecode/PolymorphicAccess.cpp:
59         (JSC::PolymorphicAccess::regenerateWithCases):
60         (JSC::PolymorphicAccess::regenerateWithCase):
61         (JSC::PolymorphicAccess::regenerate):
62         * bytecode/PutByIdStatus.cpp:
63         (JSC::PutByIdStatus::computeForStubInfo):
64         * bytecode/PutByIdVariant.cpp:
65         (JSC::PutByIdVariant::setter):
66         * bytecode/StructureStubClearingWatchpoint.cpp:
67         (JSC::StructureStubClearingWatchpoint::push):
68         * bytecode/StructureStubClearingWatchpoint.h:
69         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
70         * bytecode/StructureStubInfo.cpp:
71         (JSC::StructureStubInfo::addAccessCase):
72         * bytecode/UnlinkedCodeBlock.cpp:
73         (JSC::UnlinkedCodeBlock::setInstructions):
74         * bytecode/UnlinkedFunctionExecutable.cpp:
75         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
76         * bytecode/UnlinkedFunctionExecutable.h:
77         * bytecompiler/SetForScope.h:
78         (JSC::SetForScope::SetForScope):
79         * dfg/DFGGraph.cpp:
80         (JSC::DFG::Graph::livenessFor):
81         (JSC::DFG::Graph::killsFor):
82         * dfg/DFGJITCompiler.cpp:
83         (JSC::DFG::JITCompiler::link):
84         (JSC::DFG::JITCompiler::compile):
85         (JSC::DFG::JITCompiler::compileFunction):
86         * dfg/DFGJITFinalizer.cpp:
87         (JSC::DFG::JITFinalizer::JITFinalizer):
88         * dfg/DFGLivenessAnalysisPhase.cpp:
89         (JSC::DFG::LivenessAnalysisPhase::process):
90         * dfg/DFGObjectAllocationSinkingPhase.cpp:
91         * dfg/DFGSpeculativeJIT.cpp:
92         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
93         (JSC::DFG::SpeculativeJIT::compileIn):
94         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
95         * dfg/DFGSpeculativeJIT32_64.cpp:
96         (JSC::DFG::SpeculativeJIT::cachedGetById):
97         (JSC::DFG::SpeculativeJIT::cachedPutById):
98         * dfg/DFGSpeculativeJIT64.cpp:
99         (JSC::DFG::SpeculativeJIT::cachedGetById):
100         (JSC::DFG::SpeculativeJIT::cachedPutById):
101         * dfg/DFGWorklist.cpp:
102         (JSC::DFG::Worklist::finishCreation):
103         * disassembler/Disassembler.cpp:
104         (JSC::disassembleAsynchronously):
105         * ftl/FTLB3Compile.cpp:
106         (JSC::FTL::compile):
107         * ftl/FTLCompile.cpp:
108         (JSC::FTL::mmAllocateDataSection):
109         * ftl/FTLJITCode.cpp:
110         (JSC::FTL::JITCode::initializeB3Byproducts):
111         * ftl/FTLJITFinalizer.h:
112         (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
113         * ftl/FTLLink.cpp:
114         (JSC::FTL::link):
115         * ftl/FTLLowerDFGToLLVM.cpp:
116         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
117         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
118         * heap/Heap.cpp:
119         (JSC::Heap::releaseDelayedReleasedObjects):
120         (JSC::Heap::markRoots):
121         (JSC::Heap::setIncrementalSweeper):
122         * heap/HeapInlines.h:
123         (JSC::Heap::releaseSoon):
124         (JSC::Heap::registerWeakGCMap):
125         * heap/WeakInlines.h:
126         * inspector/ConsoleMessage.cpp:
127         (Inspector::ConsoleMessage::addToFrontend):
128         * inspector/ContentSearchUtilities.cpp:
129         (Inspector::ContentSearchUtilities::searchInTextByLines):
130         * inspector/InjectedScript.cpp:
131         (Inspector::InjectedScript::getFunctionDetails):
132         (Inspector::InjectedScript::getProperties):
133         (Inspector::InjectedScript::getDisplayableProperties):
134         (Inspector::InjectedScript::getInternalProperties):
135         (Inspector::InjectedScript::getCollectionEntries):
136         (Inspector::InjectedScript::wrapCallFrames):
137         * inspector/InspectorAgentRegistry.cpp:
138         (Inspector::AgentRegistry::append):
139         (Inspector::AgentRegistry::appendExtraAgent):
140         * inspector/InspectorBackendDispatcher.cpp:
141         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
142         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
143         (Inspector::BackendDispatcher::BackendDispatcher):
144         (Inspector::BackendDispatcher::create):
145         (Inspector::BackendDispatcher::sendPendingErrors):
146         * inspector/InspectorProtocolTypes.h:
147         (Inspector::Protocol::Array::addItem):
148         * inspector/InspectorValues.cpp:
149         * inspector/InspectorValues.h:
150         (Inspector::InspectorObjectBase::setValue):
151         (Inspector::InspectorObjectBase::setObject):
152         (Inspector::InspectorObjectBase::setArray):
153         (Inspector::InspectorArrayBase::pushValue):
154         (Inspector::InspectorArrayBase::pushObject):
155         (Inspector::InspectorArrayBase::pushArray):
156         * inspector/JSGlobalObjectConsoleClient.cpp:
157         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
158         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
159         * inspector/JSGlobalObjectInspectorController.cpp:
160         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
161         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
162         * inspector/JSInjectedScriptHost.cpp:
163         (Inspector::JSInjectedScriptHost::JSInjectedScriptHost):
164         * inspector/JSInjectedScriptHost.h:
165         (Inspector::JSInjectedScriptHost::create):
166         * inspector/agents/InspectorAgent.cpp:
167         (Inspector::InspectorAgent::activateExtraDomain):
168         * inspector/agents/InspectorConsoleAgent.cpp:
169         (Inspector::InspectorConsoleAgent::addMessageToConsole):
170         (Inspector::InspectorConsoleAgent::addConsoleMessage):
171         * inspector/agents/InspectorDebuggerAgent.cpp:
172         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
173         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
174         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
175         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
176         (Inspector::InspectorDebuggerAgent::breakProgram):
177         * inspector/agents/InspectorHeapAgent.cpp:
178         (Inspector::InspectorHeapAgent::didGarbageCollect):
179         * inspector/agents/InspectorRuntimeAgent.cpp:
180         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
181         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
182         * inspector/agents/InspectorScriptProfilerAgent.cpp:
183         (Inspector::InspectorScriptProfilerAgent::addEvent):
184         (Inspector::buildInspectorObject):
185         (Inspector::buildProfileInspectorObject):
186         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
187         * inspector/augmentable/AlternateDispatchableAgent.h:
188         * inspector/scripts/codegen/cpp_generator_templates.py:
189         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
190         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
191         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
192         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
193         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
194         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
195         (_generate_unchecked_setter_for_member):
196         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
197         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
198         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
199         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
200         * inspector/scripts/codegen/objc_generator_templates.py:
201         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
202         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
203         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
204         * inspector/scripts/tests/expected/enum-values.json-result:
205         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
206         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
207         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
208         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
209         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
210         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
211         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
212         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
213         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
214         * jit/CallFrameShuffler.cpp:
215         (JSC::CallFrameShuffler::performSafeWrites):
216         * jit/PolymorphicCallStubRoutine.cpp:
217         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
218         * jit/Repatch.cpp:
219         (JSC::tryCacheGetByID):
220         (JSC::tryCachePutByID):
221         (JSC::tryRepatchIn):
222         (JSC::linkPolymorphicCall):
223         * parser/Nodes.cpp:
224         (JSC::ProgramNode::setClosedVariables):
225         * parser/Parser.cpp:
226         (JSC::Parser<LexerType>::parseInner):
227         (JSC::Parser<LexerType>::parseFunctionInfo):
228         * parser/Parser.h:
229         (JSC::Parser::closedVariables):
230         * parser/SourceProviderCache.cpp:
231         (JSC::SourceProviderCache::add):
232         * profiler/ProfileNode.h:
233         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
234         * replay/EncodedValue.cpp:
235         (JSC::EncodedValue::get<EncodedValue>):
236         * replay/scripts/CodeGeneratorReplayInputs.py:
237         (Generator.generate_member_move_expression):
238         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
239         (Test::HandleWheelEvent::HandleWheelEvent):
240         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
241         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
242         (Test::MapInput::MapInput):
243         (JSC::InputTraits<Test::MapInput>::decode):
244         * runtime/ConsoleClient.cpp:
245         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
246         (JSC::ConsoleClient::logWithLevel):
247         (JSC::ConsoleClient::clear):
248         (JSC::ConsoleClient::dir):
249         (JSC::ConsoleClient::dirXML):
250         (JSC::ConsoleClient::table):
251         (JSC::ConsoleClient::trace):
252         (JSC::ConsoleClient::assertCondition):
253         (JSC::ConsoleClient::group):
254         (JSC::ConsoleClient::groupCollapsed):
255         (JSC::ConsoleClient::groupEnd):
256         * runtime/JSNativeStdFunction.cpp:
257         (JSC::JSNativeStdFunction::create):
258         * runtime/JSString.h:
259         (JSC::jsNontrivialString):
260         * runtime/JSStringJoiner.cpp:
261         (JSC::JSStringJoiner::join):
262         * runtime/JSStringJoiner.h:
263         (JSC::JSStringJoiner::append):
264         * runtime/NativeStdFunctionCell.cpp:
265         (JSC::NativeStdFunctionCell::create):
266         (JSC::NativeStdFunctionCell::NativeStdFunctionCell):
267         * runtime/ScopedArgumentsTable.cpp:
268         (JSC::ScopedArgumentsTable::setLength):
269         * runtime/StructureIDTable.cpp:
270         (JSC::StructureIDTable::resize):
271         * runtime/TypeSet.cpp:
272         (JSC::StructureShape::inspectorRepresentation):
273         * runtime/WeakGCMap.h:
274         (JSC::WeakGCMap::set):
275         * tools/CodeProfile.h:
276         (JSC::CodeProfile::addChild):
277         * yarr/YarrInterpreter.cpp:
278         (JSC::Yarr::ByteCompiler::compile):
279         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
280         * yarr/YarrInterpreter.h:
281         (JSC::Yarr::BytecodePattern::BytecodePattern):
282         * yarr/YarrPattern.cpp:
283         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
284         (JSC::Yarr::YarrPatternConstructor::reset):
285         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
286         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
287         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
288         (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
289         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
290
291 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
292
293         Unreviewed, fix copyright dates. It's super annoying when we forget to update these, and I
294         just forgot to do so in the last commit. Also update the date of the last commit in the
295         ChangeLog.
296
297         * b3/air/AirIteratedRegisterCoalescing.cpp:
298         * b3/air/AirOpcode.opcodes:
299         * b3/air/AirTmpWidth.cpp:
300         * b3/air/AirTmpWidth.h:
301         * ftl/FTLB3Output.cpp:
302         * ftl/FTLB3Output.h:
303
304 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
305
306         FTL B3 should be able to run all of the old V8v7 tests
307         https://bugs.webkit.org/show_bug.cgi?id=152579
308
309         Reviewed by Saam Barati.
310
311         Fixes some silly bugs that were preventing us from running all of the old V8v7 tests.
312
313         IRC's analysis of when to turn a Move into a Move32 when spilling is based on the premise
314         that if the dst has a 32-bit def width, then the src must also have a 32-bit def width. But
315         that doesn't happen if the src is an immediate.
316
317         This changes that condition in IRC to use the combined use/def width of both src and dst
318         rather than being clever. This is great because it's the combined width that determines the
319         size of the spill slot.
320
321         Also added some more debug support to TmpWidth.
322
323         This also fixes Air's description of DivDouble; previously it claimed to be a 32-bit
324         operation. Also implements Output::unsignedToDouble(), since we already had everything we
325         needed to implement this optimally.
326
327         * b3/air/AirIteratedRegisterCoalescing.cpp:
328         * b3/air/AirOpcode.opcodes:
329         * b3/air/AirTmpWidth.cpp:
330         (JSC::B3::Air::TmpWidth::recompute):
331         (JSC::B3::Air::TmpWidth::Widths::dump):
332         * b3/air/AirTmpWidth.h:
333         (JSC::B3::Air::TmpWidth::Widths::Widths):
334         * ftl/FTLB3Output.cpp:
335         (JSC::FTL::Output::doubleToUInt):
336         (JSC::FTL::Output::unsignedToDouble):
337         * ftl/FTLB3Output.h:
338         (JSC::FTL::Output::zeroExt):
339         (JSC::FTL::Output::zeroExtPtr):
340         (JSC::FTL::Output::intToDouble):
341         (JSC::FTL::Output::castToInt32):
342         (JSC::FTL::Output::unsignedToDouble): Deleted.
343
344 2016-01-01  Jeff Miller  <jeffm@apple.com>
345
346         Update user-visible copyright strings to include 2016
347         https://bugs.webkit.org/show_bug.cgi?id=152531
348
349         Reviewed by Alexey Proskuryakov.
350
351         * Info.plist:
352
353 2015-12-31  Andy Estes  <aestes@apple.com>
354
355         Fix warnings uncovered by migrating to WTF_MOVE
356         https://bugs.webkit.org/show_bug.cgi?id=152601
357
358         Reviewed by Daniel Bates.
359
360         * create_regex_tables: Moving a return value prevented copy elision.
361         * ftl/FTLUnwindInfo.cpp:
362         (JSC::FTL::parseUnwindInfo): Ditto.
363         * replay/EncodedValue.h: Ditto.
364
365 2015-12-30  Aleksandr Skachkov  <gskachkov@gmail.com>
366
367         [ES6] Arrow function syntax. Arrow function specific features. Lexical bind "super"
368         https://bugs.webkit.org/show_bug.cgi?id=149615
369
370         Reviewed by Saam Barati.
371
372         Implemented lexical binding of the "super" property for arrow functions. The 'super' property can be accessed 
373         inside an arrow function when the arrow function is nested in a constructor, method, 
374         getter or setter of a class. In the current patch, using 'super' in an arrow function declared outside of a 
375         class leads to the wrong type of error; it should be a SyntaxError (https://bugs.webkit.org/show_bug.cgi?id=150893) 
376         and this will be fixed in a separate patch.
377
378         * builtins/BuiltinExecutables.cpp:
379         (JSC::createExecutableInternal):
380         * bytecode/EvalCodeCache.h:
381         (JSC::EvalCodeCache::getSlow):
382         * bytecode/ExecutableInfo.h:
383         (JSC::ExecutableInfo::ExecutableInfo):
384         (JSC::ExecutableInfo::derivedContextType):
385         (JSC::ExecutableInfo::isClassContext):
386         * bytecode/UnlinkedCodeBlock.cpp:
387         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
388         * bytecode/UnlinkedCodeBlock.h:
389         (JSC::UnlinkedCodeBlock::derivedContextType):
390         (JSC::UnlinkedCodeBlock::isClassContext):
391         * bytecode/UnlinkedFunctionExecutable.cpp:
392         (JSC::generateUnlinkedFunctionCodeBlock):
393         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
394         * bytecode/UnlinkedFunctionExecutable.h:
395         * bytecompiler/BytecodeGenerator.cpp:
396         (JSC::BytecodeGenerator::BytecodeGenerator):
397         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
398         * bytecompiler/BytecodeGenerator.h:
399         (JSC::BytecodeGenerator::derivedContextType):
400         (JSC::BytecodeGenerator::isDerivedConstructorContext):
401         (JSC::BytecodeGenerator::isDerivedClassContext):
402         (JSC::BytecodeGenerator::isArrowFunction):
403         (JSC::BytecodeGenerator::makeFunction):
404         * bytecompiler/NodesCodegen.cpp:
405         (JSC::emitHomeObjectForCallee):
406         (JSC::FunctionCallValueNode::emitBytecode):
407         * debugger/DebuggerCallFrame.cpp:
408         (JSC::DebuggerCallFrame::evaluate):
409         * interpreter/Interpreter.cpp:
410         (JSC::eval):
411         * runtime/CodeCache.cpp:
412         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
413         * runtime/Executable.cpp:
414         (JSC::ScriptExecutable::ScriptExecutable):
415         (JSC::EvalExecutable::create):
416         (JSC::EvalExecutable::EvalExecutable):
417         (JSC::ProgramExecutable::ProgramExecutable):
418         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
419         (JSC::FunctionExecutable::FunctionExecutable):
420         * runtime/Executable.h:
421         (JSC::ScriptExecutable::derivedContextType):
422         * runtime/JSGlobalObjectFunctions.cpp:
423         (JSC::globalFuncEval):
424         * tests/es6.yaml:
425         * tests/stress/arrowfunction-lexical-bind-superproperty.js: Added.
426
427 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
428
429         Unreviewed, relax limitation in operationCreateThis
430         https://bugs.webkit.org/show_bug.cgi?id=152383
431
432         Unreviewed. operationCreateThis can now be called with a non-constructible function.
433
434         * dfg/DFGOperations.cpp:
435
436 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
437
438         [ES6][ES7] Drop Constructability of generator function
439         https://bugs.webkit.org/show_bug.cgi?id=152383
440
441         Reviewed by Saam Barati.
442
443         We drop the constructability of generator functions.
444         This change has already landed in the ES 2016 draft[1],
445         and it simplifies JSC's existing generator implementation by
446         dropping the GeneratorThisMode flag.
447
448         [1]: https://github.com/tc39/ecma262/releases/tag/es2016-draft-20151201
449
450         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
451         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
452         * JavaScriptCore.xcodeproj/project.pbxproj:
453         * builtins/BuiltinExecutables.cpp:
454         (JSC::createExecutableInternal):
455         * bytecode/ExecutableInfo.h:
456         (JSC::ExecutableInfo::ExecutableInfo):
457         (JSC::ExecutableInfo::generatorThisMode): Deleted.
458         * bytecode/UnlinkedCodeBlock.cpp:
459         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
460         * bytecode/UnlinkedCodeBlock.h:
461         (JSC::UnlinkedCodeBlock::generatorThisMode): Deleted.
462         * bytecode/UnlinkedFunctionExecutable.cpp:
463         (JSC::generateUnlinkedFunctionCodeBlock):
464         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
465         * bytecode/UnlinkedFunctionExecutable.h:
466         * bytecompiler/BytecodeGenerator.cpp:
467         (JSC::BytecodeGenerator::BytecodeGenerator): Deleted.
468         * bytecompiler/BytecodeGenerator.h:
469         (JSC::BytecodeGenerator::makeFunction):
470         (JSC::BytecodeGenerator::generatorThisMode): Deleted.
471         * bytecompiler/NodesCodegen.cpp:
472         (JSC::ThisNode::emitBytecode):
473         * interpreter/Interpreter.cpp:
474         (JSC::eval): Deleted.
475         * runtime/CodeCache.cpp:
476         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
477         * runtime/Executable.h:
478         * runtime/GeneratorThisMode.h: Removed.
479         * tests/stress/generator-eval-this.js:
480         (shouldThrow):
481         * tests/stress/generator-is-not-constructible.js: Added.
482         (shouldThrow):
483         (A.staticGen):
484         (A.prototype.gen):
485         (A):
486         (TypeError):
487         * tests/stress/generator-this.js:
488         (shouldBe.g.next):
489         * tests/stress/generator-with-new-target.js:
490         (shouldThrow):
491
492 2015-12-27  Filip Pizlo  <fpizlo@apple.com>
493
494         FTL B3 should know that used registers are not the same thing as used registers. Rename the
495         latter to unavailable registers to avoid future confusion.
496         https://bugs.webkit.org/show_bug.cgi?id=152572
497
498         Reviewed by Saam Barati.
499
500         Prior to this change, we used the term "used registers" in two different senses:
501
502         - The set of registers that are live at some point in the current compilation unit. A
503           register is live at some point if it is read after that point on some path through that
504           point.
505
506         - The set of registers that are not available for scratch register use at some point. A
507           register may not be available if it is live or if it is a callee-save register but it is
508           not being saved by the current compilation.
509
510         In the old FTL LLVM code, we had some translations from the first sense into the second
511         sense. We forgot to do those in FTL B3, and so we get crashes, for example in V8/splay. That
512         benchmark highlighted this issue because it fired some lazy slow paths, and then used an
513         unsaved callee-save for scratch.
514  
515         Curiously, we could merge these two definitions by observing that, in some sense, an unsaved
516         callee save is live at every point in a compilation in the sense that it may contain a value
517         that will be read when the compilation returns. That's pretty cool, but it feels strange to
518         me. This isn't how we would normally define liveness of registers. It's not how the
519         Air::TmpLiveness analysis would do it for any of its other clients.
520
521         So, this changes B3 to have two different concepts:
522
523         - Used registers. These are the registers that are live.
524
525         - Unavailable registers. These are the registers that are not available for scratch. It's
526           always a superset of used registers.
527
528         This also changes FTLLower to use unavailableRegisters() pretty much everywhere that it
529         previously used usedRegisters().
530
531         This makes it possible to run V8/splay.
532
533         * b3/B3StackmapGenerationParams.cpp:
534         (JSC::B3::StackmapGenerationParams::usedRegisters):
535         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
536         (JSC::B3::StackmapGenerationParams::proc):
537         * b3/B3StackmapGenerationParams.h:
538         * ftl/FTLLowerDFGToLLVM.cpp:
539         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
540         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
541         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
542
543 2015-12-25  Andy Estes  <aestes@apple.com>
544
545         Stop moving local objects in return statements
546         https://bugs.webkit.org/show_bug.cgi?id=152557
547
548         Reviewed by Brady Eidson.
549
550         Calling std::move() on a local object in a return statement prevents the compiler from applying the return value optimization.
551
552         Clang can warn about these mistakes with -Wpessimizing-move, although only when std::move() is called directly.
553         I found these issues by temporarily replacing WTF::move with std::move and recompiling.
554
555         * inspector/ScriptCallStack.cpp:
556         (Inspector::ScriptCallStack::buildInspectorArray):
557         * inspector/agents/InspectorScriptProfilerAgent.cpp:
558         (Inspector::buildInspectorObject):
559         * jit/CallFrameShuffler.h:
560         (JSC::CallFrameShuffler::snapshot):
561         * runtime/TypeSet.cpp:
562         (JSC::TypeSet::allStructureRepresentations):
563         (JSC::StructureShape::inspectorRepresentation):
564
565 2015-12-26  Mark Lam  <mark.lam@apple.com>
566
567         Rename NodeMayOverflowInXXX to NodeMayOverflowInt32InXXX.
568         https://bugs.webkit.org/show_bug.cgi?id=152555
569
570         Reviewed by Alex Christensen.
571
572         That's because the NodeMayOverflowInBaseline and NodeMayOverflowInDFG flags only
573         indicate potential overflowing of Int32 values.  We'll be adding overflow
574         profiling for Int52 values later, and we should disambiguate between the 2 types.
575
576         This is purely a renaming patch.  There are no semantic changes.
577
578         * dfg/DFGByteCodeParser.cpp:
579         (JSC::DFG::ByteCodeParser::makeSafe):
580         (JSC::DFG::ByteCodeParser::makeDivSafe):
581         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
582         * dfg/DFGNodeFlags.cpp:
583         (JSC::DFG::dumpNodeFlags):
584         * dfg/DFGNodeFlags.h:
585         (JSC::DFG::nodeMayOverflowInt32):
586         (JSC::DFG::nodeCanSpeculateInt32):
587         (JSC::DFG::nodeMayOverflow): Deleted.
588
589 2015-12-23  Andreas Kling  <akling@apple.com>
590
591         jsc CLI tool crashes on EOF.
592         <https://webkit.org/b/152522>
593
594         Reviewed by Benjamin Poulain.
595
596         SourceProvider should treat String() like the empty string for hashing purposes.
597         This was a subtle behavior change in r194017 due to how zero-length strings are
598         treated by StringImpl::createSubstringSharingImpl().
599
600         I made these SourceProviders store a Ref<StringImpl> internally instead of a
601         String, to codify the fact that these strings can't be null strings.
602
603         I couldn't find a way to cause this crash through the API.
604
605         * API/JSScriptRef.cpp:
606         (OpaqueJSScript::OpaqueJSScript):
607         * parser/SourceProvider.h:
608         (JSC::StringSourceProvider::StringSourceProvider):
609
610 2015-12-23  Filip Pizlo  <fpizlo@apple.com>
611
612         FTL B3 should be able to run crypto-sha1 in eager mode
613         https://bugs.webkit.org/show_bug.cgi?id=152539
614
615         Reviewed by Saam Barati.
616
617         This patch contains one real bug fix and some other fixes that are primarily there for sanity
618         because I don't believe they are symptomatic.
619
620         The real fix is the instruction selector's handling of Phi. It was assuming that the correct
621         lowering of Phi is to do nothing and the correct lowering of Upsilon is to store into the tmp
622         that the Phi uses. But this fails for code patterns like:
623
624             @a = Phi()
625             Upsilon(@x, ^a)
626             use(@a) // this should see the value that @a had at the point that "@a = Phi()" executed.
627
628         This arises when we have a lot of Upsilons in a row and they are trying to perform a
629         shuffling. Prior to this change, "use(@a)" would see the new value of @a, i.e. @x. That's
630         wrong. So, this changes the lowering to make each Phi have a special shadow Tmp, and Upsilon
631         stores to it while Phi loads from it. Most of these assignments get copy-propagated by IRC,
632         so it doesn't really hurt us. I couldn't find any benchmarks that slowed down because of
633         this. In fact, I believe that the only time that this would lead to extra interference or
634         extra assignments is when it's actually needed to be correct.
635
636         This also contains other fixes, which are probably not for real bugs, but they make me feel
637         all warm and fuzzy:
638
639         - spillEverything() works again.  Previously, it didn't have all of IRC's smarts for handling
640           a spill of a ZDef.  I fixed this by creating a helper phase that finds all subwidth ZDefs
641           to spill slots and amends them with zero-fills of the top bits.
642
643         - IRC no longer requires precise TmpWidth analysis.  Previously, if TmpWidth gave pessimistic
644           results, the subwidth ZDef bug would return.  That probably means that it was never fixed
645           to begin with, since it's totally cool for just a single def or use of a tmp to cause it
646           to become pessimistic. But there may still have been some subwidth ZDefs.  The way that I
647           fixed this bug is to have IRC also run the ZDef fixup code that spillEverything() uses.
648           This is abstracted behind the beautifully named Air::fixSpillSlotZDef().
649
650         - B3::validate() does dominance checks!  So, if you shoot yourself in the foot by using
651           something before defining it, validate() will tell you.
652
653         - Air::TmpWidth is now easy to "turn off" - i.e. to make it go fully conservative. It's not
654           an Option; you have to hack code. But that's better than nothing, and it's consistent with
655           what we do for other super-internal compiler options that we use rarely.
656
657         - You can now run spillEverything() without hacking code.  Just use
658           Options::airSpillSeverything().
659
660         * JavaScriptCore.xcodeproj/project.pbxproj:
661         * b3/B3LowerToAir.cpp:
662         (JSC::B3::Air::LowerToAir::LowerToAir):
663         (JSC::B3::Air::LowerToAir::run):
664         (JSC::B3::Air::LowerToAir::lower):
665         * b3/B3Validate.cpp:
666         * b3/air/AirCode.h:
667         (JSC::B3::Air::Code::specials):
668         (JSC::B3::Air::Code::forAllTmps):
669         (JSC::B3::Air::Code::isFastTmp):
670         * b3/air/AirFixSpillSlotZDef.h: Added.
671         (JSC::B3::Air::fixSpillSlotZDef):
672         * b3/air/AirGenerate.cpp:
673         (JSC::B3::Air::prepareForGeneration):
674         * b3/air/AirIteratedRegisterCoalescing.cpp:
675         * b3/air/AirSpillEverything.cpp:
676         (JSC::B3::Air::spillEverything):
677         * b3/air/AirTmpWidth.cpp:
678         (JSC::B3::Air::TmpWidth::recompute):
679         * jit/JITOperations.cpp:
680         * runtime/Options.h:
681
682 2015-12-23  Filip Pizlo  <fpizlo@apple.com>
683
684         Need a story for platform-specific Args
685         https://bugs.webkit.org/show_bug.cgi?id=152529
686
687         Reviewed by Michael Saboff.
688
689         This teaches Arg that some Arg forms are not valid on some targets. The instruction selector now
690         uses this to avoid immediates and addresses that the target wouldn't like.
691
692         This shouldn't change code generation on X86, but is meant as a step towards ARM64 support.
693
694         * b3/B3LowerToAir.cpp:
695         (JSC::B3::Air::LowerToAir::crossesInterference):
696         (JSC::B3::Air::LowerToAir::effectiveAddr):
697         (JSC::B3::Air::LowerToAir::addr):
698         (JSC::B3::Air::LowerToAir::loadPromise):
699         (JSC::B3::Air::LowerToAir::imm):
700         (JSC::B3::Air::LowerToAir::lower):
701         * b3/air/AirAllocateStack.cpp:
702         (JSC::B3::Air::allocateStack):
703         * b3/air/AirArg.h:
704         (JSC::B3::Air::Arg::Arg):
705         (JSC::B3::Air::Arg::imm):
706         (JSC::B3::Air::Arg::imm64):
707         (JSC::B3::Air::Arg::callArg):
708         (JSC::B3::Air::Arg::isValidScale):
709         (JSC::B3::Air::Arg::tmpIndex):
710         (JSC::B3::Air::Arg::withOffset):
711         (JSC::B3::Air::Arg::isValidImmForm):
712         (JSC::B3::Air::Arg::isValidAddrForm):
713         (JSC::B3::Air::Arg::isValidIndexForm):
714         (JSC::B3::Air::Arg::isValidForm):
715         (JSC::B3::Air::Arg::forEachTmpFast):
716         * b3/air/opcode_generator.rb:
717
718 2015-12-23  Keith Miller  <keith_miller@apple.com>
719
720         [JSC] Bugfix for intrinsic getters with dictionary structures.
721         https://bugs.webkit.org/show_bug.cgi?id=152538
722
723         Reviewed by Mark Lam.
724
725         Intrinsic getters did not check if an object was a dictionary. This meant, if a property on
726         the prototype chain of a dictionary was an intrinsic getter we would IC it. Later, if a
727         property is added to the dictionary the IC would still return the result of the intrinsic.
728         The fix is to no longer IC intrinsic getters if the base object is a dictionary.
729
730         * jit/Repatch.cpp:
731         (JSC::tryCacheGetByID):
732         * tests/stress/typedarray-length-dictionary.js: Added.
733         (len):
734
735 2015-12-23  Andy VanWagoner  <andy@instructure.com>
736
737         [INTL] Implement DateTime Format Functions
738         https://bugs.webkit.org/show_bug.cgi?id=147606
739
740         Reviewed by Benjamin Poulain.
741
742         Initialize a UDateFormat from the generated pattern. Use udat_format()
743         to format the value. Make sure that the UDateFormat is cleaned up when
744         the DateTimeFormat is destroyed.
745
746         * runtime/IntlDateTimeFormat.cpp:
747         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat):
748         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
749         (JSC::IntlDateTimeFormat::format):
750         * runtime/IntlDateTimeFormat.h:
751
752 2015-12-23  Andy VanWagoner  <thetalecrafter@gmail.com>
753
754         [INTL] Implement String.prototype.localeCompare in ECMA-402
755         https://bugs.webkit.org/show_bug.cgi?id=147607
756
757         Reviewed by Benjamin Poulain.
758
759         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
760         Keep existing native implementation for use if INTL flag is disabled.
761         For the common case where no locale or options are specified, avoid creating
762         a new collator and just use the prototype which is initialized with the defaults.
763
764         * CMakeLists.txt:
765         * DerivedSources.make:
766         * JavaScriptCore.xcodeproj/project.pbxproj:
767         * builtins/StringPrototype.js: Added.
768         (localeCompare):
769         * runtime/StringPrototype.cpp:
770         (JSC::StringPrototype::finishCreation):
771
772 2015-12-23  Benjamin Poulain  <benjamin@webkit.org>
773
774         Fix x86_64 after r194388
775
776         * b3/B3LowerToAir.cpp:
777         (JSC::B3::Air::LowerToAir::appendShift):
778         (JSC::B3::Air::LowerToAir::lower):
779         (JSC::B3::Air::LowerToAir::lowerX86Div):
780
781 2015-12-23  Benjamin Poulain  <bpoulain@apple.com>
782
783         [JSC] Get the JavaScriptCore framework to build on ARM64 with B3 enabled
784         https://bugs.webkit.org/show_bug.cgi?id=152503
785
786         Reviewed by Filip Pizlo.
787
788         It is not working but it builds.
789
790         * assembler/ARM64Assembler.h:
791         (JSC::ARM64Assembler::vand):
792         (JSC::ARM64Assembler::vectorDataProcessing2Source):
793         * assembler/MacroAssemblerARM64.h:
794         (JSC::MacroAssemblerARM64::add32):
795         (JSC::MacroAssemblerARM64::add64):
796         (JSC::MacroAssemblerARM64::countLeadingZeros64):
797         (JSC::MacroAssemblerARM64::not32):
798         (JSC::MacroAssemblerARM64::not64):
799         (JSC::MacroAssemblerARM64::zeroExtend16To32):
800         (JSC::MacroAssemblerARM64::signExtend16To32):
801         (JSC::MacroAssemblerARM64::zeroExtend8To32):
802         (JSC::MacroAssemblerARM64::signExtend8To32):
803         (JSC::MacroAssemblerARM64::addFloat):
804         (JSC::MacroAssemblerARM64::ceilFloat):
805         (JSC::MacroAssemblerARM64::branchDouble):
806         (JSC::MacroAssemblerARM64::branchFloat):
807         (JSC::MacroAssemblerARM64::divFloat):
808         (JSC::MacroAssemblerARM64::moveZeroToDouble):
809         (JSC::MacroAssemblerARM64::moveFloatTo32):
810         (JSC::MacroAssemblerARM64::move32ToFloat):
811         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
812         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
813         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
814         (JSC::MacroAssemblerARM64::mulFloat):
815         (JSC::MacroAssemblerARM64::andDouble):
816         (JSC::MacroAssemblerARM64::andFloat):
817         (JSC::MacroAssemblerARM64::sqrtFloat):
818         (JSC::MacroAssemblerARM64::subFloat):
819         (JSC::MacroAssemblerARM64::signExtend32ToPtr):
820         (JSC::MacroAssemblerARM64::moveConditionally32):
821         (JSC::MacroAssemblerARM64::moveConditionally64):
822         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
823         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
824         (JSC::MacroAssemblerARM64::test32):
825         (JSC::MacroAssemblerARM64::setCarry):
826         (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
827         * assembler/MacroAssemblerX86.h:
828         (JSC::MacroAssemblerX86::moveDoubleToInts):
829         (JSC::MacroAssemblerX86::moveIntsToDouble):
830         * assembler/MacroAssemblerX86Common.h:
831         (JSC::MacroAssemblerX86Common::move32ToFloat):
832         (JSC::MacroAssemblerX86Common::moveFloatTo32):
833         (JSC::MacroAssemblerX86Common::moveInt32ToPacked): Deleted.
834         (JSC::MacroAssemblerX86Common::movePackedToInt32): Deleted.
835         * b3/B3LowerToAir.cpp:
836         (JSC::B3::Air::LowerToAir::appendShift):
837         (JSC::B3::Air::LowerToAir::lower):
838         * b3/air/AirInstInlines.h:
839         (JSC::B3::Air::isX86DivHelperValid):
840         * b3/air/AirOpcode.opcodes:
841         * jit/AssemblyHelpers.h:
842         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
843         (JSC::AssemblyHelpers::emitFunctionEpilogue):
844         * jit/FPRInfo.h:
845         (JSC::FPRInfo::toArgumentRegister):
846
847 2015-12-23  Andy VanWagoner  <andy@instructure.com>
848
849         [INTL] Implement Intl.DateTimeFormat.prototype.resolvedOptions ()
850         https://bugs.webkit.org/show_bug.cgi?id=147603
851
852         Reviewed by Benjamin Poulain.
853
854         Implements InitializeDateTimeFormat and related abstract operations
855         using ICU. Lazy initialization is used for DateTimeFormat.prototype.
856         Refactor to align with Collator work.
857
858         * icu/unicode/udatpg.h: Added.
859         * icu/unicode/unumsys.h: Added.
860         * runtime/CommonIdentifiers.h:
861         * runtime/IntlDateTimeFormat.cpp:
862         (JSC::defaultTimeZone):
863         (JSC::canonicalizeTimeZoneName):
864         (JSC::localeData):
865         (JSC::toDateTimeOptions):
866         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
867         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
868         (JSC::IntlDateTimeFormat::weekdayString):
869         (JSC::IntlDateTimeFormat::eraString):
870         (JSC::IntlDateTimeFormat::yearString):
871         (JSC::IntlDateTimeFormat::monthString):
872         (JSC::IntlDateTimeFormat::dayString):
873         (JSC::IntlDateTimeFormat::hourString):
874         (JSC::IntlDateTimeFormat::minuteString):
875         (JSC::IntlDateTimeFormat::secondString):
876         (JSC::IntlDateTimeFormat::timeZoneNameString):
877         (JSC::IntlDateTimeFormat::resolvedOptions):
878         (JSC::IntlDateTimeFormat::format):
879         (JSC::IntlDateTimeFormatFuncFormatDateTime): Deleted.
880         * runtime/IntlDateTimeFormat.h:
881         * runtime/IntlDateTimeFormatConstructor.cpp:
882         (JSC::constructIntlDateTimeFormat):
883         (JSC::callIntlDateTimeFormat):
884         * runtime/IntlDateTimeFormatPrototype.cpp:
885         (JSC::IntlDateTimeFormatFuncFormatDateTime):
886         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
887         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
888         * runtime/IntlObject.cpp:
889         (JSC::resolveLocale):
890         (JSC::getNumberingSystemsForLocale):
891         * runtime/IntlObject.h:
892
893 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
894
895         REGRESSION(194382): FTL B3 no longer runs V8/encrypt
896         https://bugs.webkit.org/show_bug.cgi?id=152519
897
898         Reviewed by Saam Barati.
899
900         A "Move Imm, Tmp" instruction should turn into "Move32 Imm, Tmp" if the Tmp is spilled to a
901         32-bit slot. Changing where we check isTmp() achieves this. Since all of the logic is only
902         relevant to when we spill without introducing a Tmp, and since a Move does not have a "Move Addr,
903         Addr" form, this code ensures that the logic only happens for "Tmp, Tmp" and "Imm, Tmp".
904
905         * b3/air/AirIteratedRegisterCoalescing.cpp:
906         * dfg/DFGOperations.cpp:
907
908 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
909
910         FTL B3 should use the right type for comparison slow paths
911         https://bugs.webkit.org/show_bug.cgi?id=152521
912
913         Reviewed by Saam Barati.
914
915         Fixes a small goof that was leading to B3 validation failures.
916
917         * ftl/FTLLowerDFGToLLVM.cpp:
918         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
919
920 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
921
922         FTL B3 should be able to run richards
923         https://bugs.webkit.org/show_bug.cgi?id=152514
924
925         Reviewed by Michael Saboff.
926
927         This came down to a liveness bug and a register allocation bug.
928
929         The liveness bug was that the code that determined whether we should go around the fixpoint
930         assumed that BitVector::quickSet() would return true if the bit changed state from false to
931         true. That's not how it works. It returns the old value of the bit, so it will return false
932         if the bit changed from false to true. Since there is already a lot of code that relies on
933         this behavior, I fixed Liveness instead of changing BitVector.
934
935         The register allocation bug was that we weren't guarding some checks of tmp()'s with checks
936         that the Arg isTmp().
937
938         The liveness took a long time to track down, and I needed to add a lot of dumping to do it.
939         It's now possible to dump more of the liveness states, including liveAtHead. I found this
940         extremely helpful, so I removed the code that cleared liveAtHead.
941
942         * b3/air/AirIteratedRegisterCoalescing.cpp:
943         * b3/air/AirLiveness.h:
944         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
945         (JSC::B3::Air::AbstractLiveness::Iterable::Iterable):
946         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::iterator):
947         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator*):
948         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator++):
949         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator==):
950         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator!=):
951         (JSC::B3::Air::AbstractLiveness::Iterable::begin):
952         (JSC::B3::Air::AbstractLiveness::Iterable::end):
953         (JSC::B3::Air::AbstractLiveness::liveAtHead):
954         (JSC::B3::Air::AbstractLiveness::liveAtTail):
955         * b3/air/AirStackSlot.h:
956         (WTF::printInternal):
957         * ftl/FTLOSRExitCompiler.cpp:
958         (JSC::FTL::compileFTLOSRExit):
959
960 2015-12-22  Saam barati  <sbarati@apple.com>
961
962         Cloop build fix after https://bugs.webkit.org/show_bug.cgi?id=152511.
963
964         Unreviewed build fix.
965
966         * runtime/Options.cpp:
967         (JSC::recomputeDependentOptions):
968
969 2015-12-22  Saam barati  <sbarati@apple.com>
970
971         Work around issue in bug #152510
972         https://bugs.webkit.org/show_bug.cgi?id=152511
973
974         Reviewed by Filip Pizlo.
975
976         * runtime/Options.cpp:
977         (JSC::recomputeDependentOptions):
978
979 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
980
981         FTL B3 does not logicalNot correctly
982         https://bugs.webkit.org/show_bug.cgi?id=152512
983
984         Reviewed by Saam Barati.
985
986         I'm working on a bug where V8/richards does not run correctly. I noticed that the codegen was
987         doing a lot of Not32's followed by branches, which smelled like badness. To debug this, I
988         needed B3's origins to dump as something other than a hexed pointer to a node. The node index
989         would be better. So, I added the notion of an origin printer to Procedure.
990
991         The bug was easy enough to fix. This introduces Output::logicalNot(). In LLVM, it's the same
992         as bitNot(). In B3, it's compiled to Equal(value, 0). We could have also compiled it to
993         BitXor(value, 1), except that B3 will strength-reduce to that anyway whenever it's safe. It's
994         sort of nice that right now, you could use logicalNot() on non-bool values and get C-like
995         behavior.
996
997         Richards still doesn't run, though. There are more bugs!
998
999         * JavaScriptCore.xcodeproj/project.pbxproj:
1000         * b3/B3BasicBlock.cpp:
1001         (JSC::B3::BasicBlock::dump):
1002         (JSC::B3::BasicBlock::deepDump):
1003         * b3/B3BasicBlock.h:
1004         (JSC::B3::BasicBlock::frequency):
1005         (JSC::B3::DeepBasicBlockDump::DeepBasicBlockDump):
1006         (JSC::B3::DeepBasicBlockDump::dump):
1007         (JSC::B3::deepDump):
1008         * b3/B3LowerToAir.cpp:
1009         (JSC::B3::Air::LowerToAir::run):
1010         (JSC::B3::Air::LowerToAir::lower):
1011         * b3/B3Origin.h:
1012         (JSC::B3::Origin::data):
1013         * b3/B3OriginDump.h: Added.
1014         (JSC::B3::OriginDump::OriginDump):
1015         (JSC::B3::OriginDump::dump):
1016         * b3/B3Procedure.cpp:
1017         (JSC::B3::Procedure::~Procedure):
1018         (JSC::B3::Procedure::printOrigin):
1019         (JSC::B3::Procedure::addBlock):
1020         (JSC::B3::Procedure::dump):
1021         * b3/B3Procedure.h:
1022         (JSC::B3::Procedure::setOriginPrinter):
1023         * b3/B3Value.cpp:
1024         (JSC::B3::Value::dumpChildren):
1025         (JSC::B3::Value::deepDump):
1026         * b3/B3Value.h:
1027         (JSC::B3::DeepValueDump::DeepValueDump):
1028         (JSC::B3::DeepValueDump::dump):
1029         (JSC::B3::deepDump):
1030         * ftl/FTLB3Output.cpp:
1031         (JSC::FTL::Output::lockedStackSlot):
1032         (JSC::FTL::Output::bitNot):
1033         (JSC::FTL::Output::logicalNot):
1034         (JSC::FTL::Output::load):
1035         * ftl/FTLB3Output.h:
1036         (JSC::FTL::Output::aShr):
1037         (JSC::FTL::Output::lShr):
1038         (JSC::FTL::Output::ctlz32):
1039         (JSC::FTL::Output::addWithOverflow32):
1040         (JSC::FTL::Output::lessThanOrEqual):
1041         (JSC::FTL::Output::doubleEqual):
1042         (JSC::FTL::Output::doubleEqualOrUnordered):
1043         (JSC::FTL::Output::doubleNotEqualOrUnordered):
1044         (JSC::FTL::Output::doubleLessThan):
1045         (JSC::FTL::Output::doubleLessThanOrEqual):
1046         (JSC::FTL::Output::doubleGreaterThan):
1047         (JSC::FTL::Output::doubleGreaterThanOrEqual):
1048         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1049         (JSC::FTL::Output::doubleLessThanOrUnordered):
1050         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
1051         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
1052         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
1053         (JSC::FTL::Output::isZero32):
1054         (JSC::FTL::Output::notZero32):
1055         (JSC::FTL::Output::addIncomingToPhi):
1056         (JSC::FTL::Output::bitCast):
1057         (JSC::FTL::Output::bitNot): Deleted.
1058         * ftl/FTLLowerDFGToLLVM.cpp:
1059         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
1060         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
1061         (JSC::FTL::DFG::LowerDFGToLLVM::compileLogicalNot):
1062         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
1063         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
1064         (JSC::FTL::DFG::LowerDFGToLLVM::compileCountExecution):
1065         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1066         (JSC::FTL::DFG::LowerDFGToLLVM::isMisc):
1067         (JSC::FTL::DFG::LowerDFGToLLVM::isNotBoolean):
1068         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean):
1069         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean):
1070         (JSC::FTL::DFG::LowerDFGToLLVM::isNotType):
1071         (JSC::FTL::DFG::LowerDFGToLLVM::speculateObject):
1072         * ftl/FTLOutput.h:
1073         (JSC::FTL::Output::aShr):
1074         (JSC::FTL::Output::lShr):
1075         (JSC::FTL::Output::bitNot):
1076         (JSC::FTL::Output::logicalNot):
1077         (JSC::FTL::Output::insertElement):
1078         * ftl/FTLState.cpp:
1079         (JSC::FTL::State::State):
1080
1081 2015-12-22  Keith Miller  <keith_miller@apple.com>
1082
1083         Remove OverridesHasInstance from TypeInfoFlags
1084         https://bugs.webkit.org/show_bug.cgi?id=152005
1085
1086         Reviewed by Saam Barati.
1087
1088         Currently, we have three TypeInfo flags associated with instanceof behavior,
1089         ImplementsHasInstance, ImplementDefaultHasInstance, and OverridesHasInstance. This patch
1090         removes the third and moves the first to the out of line flags. In theory, we should only
1091         need one flag but removing ImplementsHasInstance is more involved and should be done in a
1092         separate patch.
1093
1094         * API/JSCallbackConstructor.h:
1095         * API/JSCallbackObject.h:
1096         * jit/JITOpcodes.cpp:
1097         (JSC::JIT::emit_op_overrides_has_instance):
1098         * jit/JITOpcodes32_64.cpp:
1099         (JSC::JIT::emit_op_overrides_has_instance):
1100         * llint/LLIntData.cpp:
1101         (JSC::LLInt::Data::performAssertions):
1102         * llint/LowLevelInterpreter.asm:
1103         * runtime/InternalFunction.h:
1104         * runtime/JSBoundFunction.h:
1105         * runtime/JSCallee.h:
1106         * runtime/JSTypeInfo.h:
1107         (JSC::TypeInfo::implementsHasInstance):
1108         (JSC::TypeInfo::TypeInfo): Deleted.
1109         (JSC::TypeInfo::overridesHasInstance): Deleted.
1110         * runtime/NumberConstructor.h:
1111
1112 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
1113
1114         FTL B3 should do tail calls
1115         https://bugs.webkit.org/show_bug.cgi?id=152494
1116
1117         Reviewed by Michael Saboff.
1118
1119         OMG this was so easy.
1120
1121         The only shady part is that I broke a layering rule that we had so far been following: B3 was
1122         sitting below the JSC runtime, and did not use JS-specific types. No more, since B3::ValueRep
1123         can now turn itself into a ValueRecovery for a JSValue. This small feature makes a huge
1124         difference for the readability of tail call code: it makes it plain that the call frame
1125         shuffler is basically just directly consuming the stackmap generation params, and insofar as
1126         there is any data transformation, it's just because it uses different classes to say the same
1127         thing.
1128
1129         I think we should avoid adding too many JS-specific things to B3. But, so long as it's still
1130         possible to use B3 to compile things that aren't JS, I think we'll be fine.
1131
1132         * b3/B3ValueRep.cpp:
1133         (JSC::B3::ValueRep::dump):
1134         (JSC::B3::ValueRep::emitRestore):
1135         (JSC::B3::ValueRep::recoveryForJSValue):
1136         * b3/B3ValueRep.h:
1137         * ftl/FTLLowerDFGToLLVM.cpp:
1138         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
1139         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1140         * test/stress/ftl-tail-call.js: Added.
1141
1142 2015-12-21  Mark Lam  <mark.lam@apple.com>
1143
1144         Snippefy op_negate for the baseline JIT.
1145         https://bugs.webkit.org/show_bug.cgi?id=152447
1146
1147         Reviewed by Benjamin Poulain.
1148
1149         * CMakeLists.txt:
1150         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1151         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1152         * JavaScriptCore.xcodeproj/project.pbxproj:
1153         * jit/JITArithmetic.cpp:
1154         (JSC::JIT::emit_op_unsigned):
1155         (JSC::JIT::emit_op_negate):
1156         (JSC::JIT::emitSlow_op_negate):
1157         (JSC::JIT::emitBitBinaryOpFastPath):
1158         * jit/JITArithmetic32_64.cpp:
1159         (JSC::JIT::emit_compareAndJump):
1160         (JSC::JIT::emit_op_negate): Deleted.
1161         (JSC::JIT::emitSlow_op_negate): Deleted.
1162         * jit/JITNegGenerator.cpp: Added.
1163         (JSC::JITNegGenerator::generateFastPath):
1164         * jit/JITNegGenerator.h: Added.
1165         (JSC::JITNegGenerator::JITNegGenerator):
1166         (JSC::JITNegGenerator::didEmitFastPath):
1167         (JSC::JITNegGenerator::endJumpList):
1168         (JSC::JITNegGenerator::slowPathJumpList):
1169
1170 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1171
1172         Address review feedback from Saam.  I should have landed it in r194354.
1173
1174         * b3/testb3.cpp:
1175         (JSC::B3::testStore16Arg):
1176
1177 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1178
1179         B3 should be able to compile Store16
1180         https://bugs.webkit.org/show_bug.cgi?id=152493
1181
1182         Reviewed by Saam Barati.
1183
1184         This adds comprehensive Store16 support to our assembler, Air, and B3->Air lowering.
1185
1186         * assembler/MacroAssemblerX86Common.h:
1187         (JSC::MacroAssemblerX86Common::store16):
1188         * assembler/X86Assembler.h:
1189         (JSC::X86Assembler::movb_rm):
1190         (JSC::X86Assembler::movw_rm):
1191         * b3/B3LowerToAir.cpp:
1192         (JSC::B3::Air::LowerToAir::lower):
1193         * b3/air/AirOpcode.opcodes:
1194         * b3/testb3.cpp:
1195         (JSC::B3::testStorePartial8BitRegisterOnX86):
1196         (JSC::B3::testStore16Arg):
1197         (JSC::B3::testStore16Imm):
1198         (JSC::B3::testTrunc):
1199         (JSC::B3::run):
1200
1201 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1202
1203         Unreviewed, remove highBitsAreZero(), it's unused.
1204
1205         * b3/B3LowerToAir.cpp:
1206         (JSC::B3::Air::LowerToAir::run):
1207         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1208         (JSC::B3::Air::LowerToAir::highBitsAreZero): Deleted.
1209
1210 2015-12-21  Csaba Osztrogonác  <ossy@webkit.org>
1211
1212         Unreviewed, fix the !FTL_USES_B3 build after r194334.
1213
1214         * ftl/FTLLowerDFGToLLVM.cpp: Mark forwarding unused variable.
1215         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1216
1217 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1218
1219         FTL B3 should do doubleToInt32
1220         https://bugs.webkit.org/show_bug.cgi?id=152484
1221
1222         Reviewed by Saam Barati.
1223
1224         We used to have a DToI32 opcode in B3 that we never implemented. This removes that opcode,
1225         since double-to-int conversion has dramatically different semantics on different
1226         architectures. We let FTL get the conversion instruction it wants by using a patchpoint.
1227
1228         * b3/B3Opcode.cpp:
1229         (WTF::printInternal):
1230         * b3/B3Opcode.h:
1231         * b3/B3Validate.cpp:
1232         * b3/B3Value.cpp:
1233         (JSC::B3::Value::effects):
1234         (JSC::B3::Value::key):
1235         (JSC::B3::Value::typeFor):
1236         * b3/B3ValueKey.cpp:
1237         (JSC::B3::ValueKey::materialize):
1238         * ftl/FTLB3Output.cpp:
1239         (JSC::FTL::Output::Output):
1240         (JSC::FTL::Output::appendTo):
1241         (JSC::FTL::Output::lockedStackSlot):
1242         (JSC::FTL::Output::load):
1243         (JSC::FTL::Output::doublePowi):
1244         (JSC::FTL::Output::hasSensibleDoubleToInt):
1245         (JSC::FTL::Output::doubleToInt):
1246         (JSC::FTL::Output::doubleToUInt):
1247         (JSC::FTL::Output::load8SignExt32):
1248         (JSC::FTL::Output::load8ZeroExt32):
1249         (JSC::FTL::Output::load16SignExt32):
1250         (JSC::FTL::Output::load16ZeroExt32):
1251         (JSC::FTL::Output::store):
1252         (JSC::FTL::Output::store32As8):
1253         (JSC::FTL::Output::store32As16):
1254         (JSC::FTL::Output::branch):
1255         * ftl/FTLB3Output.h:
1256         (JSC::FTL::Output::doubleLog):
1257         (JSC::FTL::Output::signExt32To64):
1258         (JSC::FTL::Output::zeroExt):
1259         (JSC::FTL::Output::zeroExtPtr):
1260         (JSC::FTL::Output::intToDouble):
1261         (JSC::FTL::Output::unsignedToDouble):
1262         (JSC::FTL::Output::castToInt32):
1263         (JSC::FTL::Output::hasSensibleDoubleToInt): Deleted.
1264         (JSC::FTL::Output::sensibleDoubleToInt): Deleted.
1265         (JSC::FTL::Output::fpToInt32): Deleted.
1266         (JSC::FTL::Output::fpToUInt32): Deleted.
1267         * ftl/FTLLowerDFGToLLVM.cpp:
1268         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithPow):
1269         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
1270         (JSC::FTL::DFG::LowerDFGToLLVM::compileSwitch):
1271         (JSC::FTL::DFG::LowerDFGToLLVM::doubleToInt32):
1272         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
1273         (JSC::FTL::DFG::LowerDFGToLLVM::convertDoubleToInt32):
1274         * ftl/FTLOutput.h:
1275         (JSC::FTL::Output::hasSensibleDoubleToInt):
1276         (JSC::FTL::Output::doubleToInt):
1277         (JSC::FTL::Output::doubleToUInt):
1278         (JSC::FTL::Output::signExt32To64):
1279         (JSC::FTL::Output::zeroExt):
1280
1281 2015-12-21  Skachkov Oleksandr  <gskachkov@gmail.com>
1282
1283         Unexpected exception assigning to this._property inside arrow function
1284         https://bugs.webkit.org/show_bug.cgi?id=152028
1285
1286         Reviewed by Saam Barati.
1287
1288         The issue appeared when an arrow function created a base-level lexical environment; in that case
1289         the |this| value was loaded from the wrong scope. The problem was that the loading of |this| happened too early when
1290         compiling bytecode because the bytecode generator's scope stack wasn't in sync with the runtime scope stack.
1291         To fix the issue, the loading of |this| was moved after initializeDefaultParameterValuesAndSetupFunctionScopeStack
1292         in BytecodeGenerator.cpp
1293
1294         * bytecompiler/BytecodeGenerator.cpp:
1295         (JSC::BytecodeGenerator::BytecodeGenerator):
1296         * tests/stress/arrowfunction-lexical-bind-this-2.js:
1297
1298 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1299
1300         FTL B3 should do vararg calls
1301         https://bugs.webkit.org/show_bug.cgi?id=152468
1302
1303         Reviewed by Benjamin Poulain.
1304
1305         This adds FTL->B3 lowering of all kinds of varargs calls - forwarding or not, tail or not,
1306         and construct or not. Like all other such lowerings, all of the code is in one place in
1307         FTLLower.
1308
1309         I removed code for varargs and exception spill slots from the B3 path, since it won't need
1310         it. The plan is to rely on B3 doing the spilling for us by using some combination of early
1311         clobber and late use.
1312
1313         This adds ValueRep::emitRestore(), a helpful method for emitting code to restore any ValueRep
1314         into any 64-bit Reg (FPR or GPR).
1315
1316         I wrote new tests for vararg calls, because I wasn't sure which of the existing ones we can
1317         run. These are short-running tests, so I'm not worried about bloating our test suite.
1318
1319         * b3/B3ValueRep.cpp:
1320         (JSC::B3::ValueRep::dump):
1321         (JSC::B3::ValueRep::emitRestore):
1322         * b3/B3ValueRep.h:
1323         * ftl/FTLLowerDFGToLLVM.cpp:
1324         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1325         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1326         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
1327         * ftl/FTLState.h:
1328         * tests/stress/varargs-no-forward.js: Added.
1329         * tests/stress/varargs-simple.js: Added.
1330         * tests/stress/varargs-two-level.js: Added.
1331
1332 2015-12-18  Mark Lam  <mark.lam@apple.com>
1333
1334         Add unary operator tests to compare JIT and LLINT results.
1335         https://bugs.webkit.org/show_bug.cgi?id=152453
1336
1337         Reviewed by Benjamin Poulain.
1338
1339         Also fixed a few things in the binary-op-test.js.
1340
1341         * tests/stress/op_negate.js: Added.
1342         (o1.valueOf):
1343         * tests/stress/op_postdec.js: Added.
1344         (o1.valueOf):
1345         * tests/stress/op_postinc.js: Added.
1346         (o1.valueOf):
1347         * tests/stress/op_predec.js: Added.
1348         (o1.valueOf):
1349         * tests/stress/op_preinc.js: Added.
1350         (o1.valueOf):
1351         * tests/stress/resources/binary-op-test.js:
1352         (stringifyIfNeeded):
1353         (isIdentical):
1354         (run):
1355         * tests/stress/resources/unary-op-test.js: Added.
1356         (stringifyIfNeeded):
1357         (generateBinaryTests):
1358         (isIdentical):
1359         (runTest):
1360         (run):
1361
1362 2015-12-21  Ryan Haddad  <ryanhaddad@apple.com>
1363
1364         Unreviewed, rolling out r194328.
1365
1366         This change appears to have caused failures in JSC tests
1367
1368         Reverted changeset:
1369
1370         "[INTL] Implement String.prototype.localeCompare in ECMA-402"
1371         https://bugs.webkit.org/show_bug.cgi?id=147607
1372         http://trac.webkit.org/changeset/194328
1373
1374 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1375
1376         B3->Air lowering incorrectly copy-propagates over ZExt32's
1377         https://bugs.webkit.org/show_bug.cgi?id=152365
1378
1379         Reviewed by Benjamin Poulain.
1380
1381         The instruction selector thinks that Value's that return Int32's are going to always be lowered
1382         to instructions that zero-extend the destination. But this isn't actually true. If you have an
1383         Add32 with a destination on the stack (i.e. spilled) then it only writes 4 bytes. Then, the
1384         filler will load 8 bytes from the stack at the point of use. So, the use of the Add32 will see
1385         garbage in the high bits.
1386
1387         The fact that the spiller chose to use 8 bytes for a Tmp that gets defined by an Add32 is a
1388         pretty sad bug, but:
1389
1390         - It's entirely up to the spiller to decide how many bytes to use for a Tmp, since we do not
1391           ascribe a type to Tmps. We could ascribe types to Tmps, but then coalescing would become
1392           harder. Our goal is to fix the bug while still enabling coalescing in cases like "a[i]" where
1393           "i" is a 32-bit integer that is computed using operations that already do zero-extension.
1394
1395         - More broadly, it's strange that the instruction selector decides whether a Value will be
1396           lowered to something that zero-extends. That's too constraining, since the most optimal
1397           instruction selection might involve something that doesn't zero-extend in cases of spilling, so
1398           the zero-extension should only happen if it's actually needed. This means that we need to
1399           understand which Air instructions cause zero-extensions.
1400
1401         - If we know which Air instructions cause zero-extensions, then we don't need the instruction
1402           selector to copy-propagate ZExt32's. We have copy-propagation in Air thanks to the register
1403           allocator.
1404
1405         In fact, the register allocator is exactly where all of the pieces come together. It's there that
1406         we want to know which operations zero-extend and which don't. It also wants to know how many bits
1407         of a Tmp each instruction reads. Armed with that information, the register allocator can emit
1408         more optimal spill code, use less stack space for spill slots, and coalesce Move32's. As a bonus,
1409         on X86, it replaces Move's with Move32's whenever it can. On X86, Move32 is cheaper.
1410
1411         This fixes a crash bug in V8/encrypt. After fixing this, I only needed two minor fixes to get
1412         V8/encrypt to run. We're about 10% behind LLVM on steady state throughput on this test. It
1413         appears to be mostly due to excessive spilling caused by CCall slow paths. That's fixable: we
1414         could make CCalls on slow paths use a variant of CCallSpecial that promises not to clobber any
1415         registers, and then have it emit spill code around the call itself. LLVM probably gets this
1416         optimization from its live range splitting.
1417
1418         I tried writing a regression test. The problem is that you need garbage on the stack for this to
1419         work, and I didn't feel like writing a flaky test. It appears that running V8/encrypt will cover
1420         this, so we do have coverage.
1421
1422         * CMakeLists.txt:
1423         * JavaScriptCore.xcodeproj/project.pbxproj:
1424         * assembler/AbstractMacroAssembler.h:
1425         (JSC::isX86):
1426         (JSC::isX86_64):
1427         (JSC::optimizeForARMv7IDIVSupported):
1428         (JSC::optimizeForX86):
1429         (JSC::optimizeForX86_64):
1430         * b3/B3LowerToAir.cpp:
1431         (JSC::B3::Air::LowerToAir::highBitsAreZero):
1432         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1433         (JSC::B3::Air::LowerToAir::lower):
1434         * b3/B3PatchpointSpecial.cpp:
1435         (JSC::B3::PatchpointSpecial::forEachArg):
1436         * b3/B3StackmapSpecial.cpp:
1437         (JSC::B3::StackmapSpecial::forEachArgImpl):
1438         * b3/B3Value.h:
1439         * b3/air/AirAllocateStack.cpp:
1440         (JSC::B3::Air::allocateStack):
1441         * b3/air/AirArg.cpp:
1442         (WTF::printInternal):
1443         * b3/air/AirArg.h:
1444         (JSC::B3::Air::Arg::pointerWidth):
1445         (JSC::B3::Air::Arg::isAnyUse):
1446         (JSC::B3::Air::Arg::isColdUse):
1447         (JSC::B3::Air::Arg::isEarlyUse):
1448         (JSC::B3::Air::Arg::isDef):
1449         (JSC::B3::Air::Arg::isZDef):
1450         (JSC::B3::Air::Arg::widthForB3Type):
1451         (JSC::B3::Air::Arg::conservativeWidth):
1452         (JSC::B3::Air::Arg::minimumWidth):
1453         (JSC::B3::Air::Arg::bytes):
1454         (JSC::B3::Air::Arg::widthForBytes):
1455         (JSC::B3::Air::Arg::Arg):
1456         (JSC::B3::Air::Arg::forEachTmp):
1457         * b3/air/AirCCallSpecial.cpp:
1458         (JSC::B3::Air::CCallSpecial::forEachArg):
1459         * b3/air/AirEliminateDeadCode.cpp:
1460         (JSC::B3::Air::eliminateDeadCode):
1461         * b3/air/AirFixPartialRegisterStalls.cpp:
1462         (JSC::B3::Air::fixPartialRegisterStalls):
1463         * b3/air/AirInst.cpp:
1464         (JSC::B3::Air::Inst::hasArgEffects):
1465         * b3/air/AirInst.h:
1466         (JSC::B3::Air::Inst::forEachTmpFast):
1467         (JSC::B3::Air::Inst::forEachTmp):
1468         * b3/air/AirInstInlines.h:
1469         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs):
1470         * b3/air/AirIteratedRegisterCoalescing.cpp:
1471         * b3/air/AirLiveness.h:
1472         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
1473         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
1474         * b3/air/AirOpcode.opcodes:
1475         * b3/air/AirSpillEverything.cpp:
1476         (JSC::B3::Air::spillEverything):
1477         * b3/air/AirTmpWidth.cpp: Added.
1478         (JSC::B3::Air::TmpWidth::TmpWidth):
1479         (JSC::B3::Air::TmpWidth::~TmpWidth):
1480         * b3/air/AirTmpWidth.h: Added.
1481         (JSC::B3::Air::TmpWidth::width):
1482         (JSC::B3::Air::TmpWidth::defWidth):
1483         (JSC::B3::Air::TmpWidth::useWidth):
1484         (JSC::B3::Air::TmpWidth::Widths::Widths):
1485         * b3/air/AirUseCounts.h:
1486         (JSC::B3::Air::UseCounts::UseCounts):
1487         * b3/air/opcode_generator.rb:
1488         * b3/testb3.cpp:
1489         (JSC::B3::testCheckMegaCombo):
1490         (JSC::B3::testCheckTrickyMegaCombo):
1491         (JSC::B3::testCheckTwoMegaCombos):
1492         (JSC::B3::run):
1493
1494 2015-12-21  Andy VanWagoner  <thetalecrafter@gmail.com>
1495
1496         [INTL] Implement String.prototype.localeCompare in ECMA-402
1497         https://bugs.webkit.org/show_bug.cgi?id=147607
1498
1499         Reviewed by Darin Adler.
1500
1501         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
1502         Keep existing native implementation for use if INTL flag is disabled.
1503
1504         * CMakeLists.txt:
1505         * DerivedSources.make:
1506         * JavaScriptCore.xcodeproj/project.pbxproj:
1507         * builtins/StringPrototype.js: Added.
1508         (localeCompare):
1509         * runtime/StringPrototype.cpp:
1510         (JSC::StringPrototype::finishCreation):
1511
1512 2015-12-18  Filip Pizlo  <fpizlo@apple.com>
1513
1514         Implement compareDouble in B3/Air
1515         https://bugs.webkit.org/show_bug.cgi?id=150903
1516
1517         Reviewed by Benjamin Poulain.
1518
1519         A hole in our coverage is that if we don't fuse a double comparison into a branch, then we will
1520         crash in the instruction selector. Obviously, we *really* want to fuse double comparisons,
1521         but we can't guarantee that this will always happen.
1522
1523         This also removes all uses of WTF::Dominators verification, since it's extremely slow even in
1524         a release build. This speeds up testb3 with validateGraphAtEachPhase=true by an order of
1525         magnitude.
1526
1527         * assembler/MacroAssembler.h:
1528         (JSC::MacroAssembler::moveDoubleConditionallyFloat):
1529         (JSC::MacroAssembler::compareDouble):
1530         (JSC::MacroAssembler::compareFloat):
1531         (JSC::MacroAssembler::lea):
1532         * b3/B3Dominators.h:
1533         (JSC::B3::Dominators::Dominators):
1534         * b3/B3LowerToAir.cpp:
1535         (JSC::B3::Air::LowerToAir::createCompare):
1536         (JSC::B3::Air::LowerToAir::lower):
1537         * b3/air/AirOpcode.opcodes:
1538         * b3/testb3.cpp:
1539         (JSC::B3::testCompare):
1540         (JSC::B3::testEqualDouble):
1541         (JSC::B3::simpleFunction):
1542         (JSC::B3::run):
1543         * dfg/DFGDominators.h:
1544         (JSC::DFG::Dominators::Dominators):
1545
1546 2015-12-19  Dan Bernstein  <mitz@apple.com>
1547
1548         [Mac] WebKit contains dead source code for OS X Mavericks and earlier
1549         https://bugs.webkit.org/show_bug.cgi?id=152462
1550
1551         Reviewed by Alexey Proskuryakov.
1552
1553         - Removed build setting definitions for OS X 10.9 and earlier, and simplified definitions
1554           that became uniform across all OS X versions as a result:
1555
1556         * Configurations/DebugRelease.xcconfig:
1557         * Configurations/FeatureDefines.xcconfig:
1558         * Configurations/Version.xcconfig:
1559
1560         * API/JSBase.h: Removed check against __MAC_OS_X_VERSION_MIN_REQUIRED that was always true.
1561
1562 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1563
1564         [JSC] Streamline Tmp indexing inside the register allocator
1565         https://bugs.webkit.org/show_bug.cgi?id=152420
1566
1567         Reviewed by Filip Pizlo.
1568
1569         AirIteratedRegisterCoalescing has been accumulating a bit of mess over time.
1570
1571         When it started, every map addressed by Tmp was using Tmp hashing.
1572         That caused massive performance problems. Everything perf sensitive was moved
1573         to direct array addressing by the absolute Tmp index. This left the code
1574         with half of the function using Tmp, the other half using indices.
1575
1576         With this patch, almost everything is moved to absolute indexing.
1577         There are a few advantages to this:
1578         -No more conversion churn for Floating Point registers.
1579         -Most of the functions can now be shared between GP and FP.
1580         -A bit of clean up since the core algorithm only deals with integers now.
1581
1582         This patch also changes the index type to be a template argument.
1583         That will allow future specialization of "m_interferenceEdges" based
1584         on the expected problem size.
1585
1586         Finally, the code related to the program modification (register assignment
1587         and spilling) was moved to the wrapper "IteratedRegisterCoalescing".
1588
1589         The current split is:
1590         -AbstractColoringAllocator: common core. Share as much as possible between
1591          GP and FP.
1592         -ColoringAllocator: the remaining parts of the algorithm, everything that
1593          is specific to GP, FP.
1594         -IteratedRegisterCoalescing: the "iterated" part of the algorithm.
1595          Try to allocate and modify the code as needed.
1596
1597         The long term plan is:
1598         -Move selectSpill() and the coloring loop to AbstractColoringAllocator.
1599         -Specialize m_interferenceEdges to make it faster.
1600
1601         * b3/air/AirIteratedRegisterCoalescing.cpp:
1602         * b3/air/AirTmpInlines.h:
1603         (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::lastMachineRegisterIndex):
1604         (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::lastMachineRegisterIndex):
1605
1606 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1607
1608         [JSC] FTLB3Output generates some invalid ZExt32
1609         https://bugs.webkit.org/show_bug.cgi?id=151905
1610
1611         Reviewed by Filip Pizlo.
1612
1613         FTLLowerDFGToLLVM calls zeroExt() to int32 in some cases.
1614         We were generating ZExt32 with Int32 as return type :(
1615
1616         * ftl/FTLB3Output.h:
1617         (JSC::FTL::Output::zeroExt):
1618
1619 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1620
1621         [JSC] Add EqualOrUnordered to B3
1622         https://bugs.webkit.org/show_bug.cgi?id=152425
1623
1624         Reviewed by Mark Lam.
1625
1626         Add EqualOrUnordered to B3 and use it to implement
1627         FTL::Output's NotEqualAndOrdered.
1628
1629         * b3/B3ConstDoubleValue.cpp:
1630         (JSC::B3::ConstDoubleValue::equalOrUnordered):
1631         * b3/B3ConstDoubleValue.h:
1632         * b3/B3LowerToAir.cpp:
1633         (JSC::B3::Air::LowerToAir::createGenericCompare):
1634         (JSC::B3::Air::LowerToAir::lower):
1635         * b3/B3Opcode.cpp:
1636         (WTF::printInternal):
1637         * b3/B3Opcode.h:
1638         * b3/B3ReduceDoubleToFloat.cpp:
1639         (JSC::B3::reduceDoubleToFloat):
1640         * b3/B3ReduceStrength.cpp:
1641         * b3/B3Validate.cpp:
1642         * b3/B3Value.cpp:
1643         (JSC::B3::Value::equalOrUnordered):
1644         (JSC::B3::Value::returnsBool):
1645         (JSC::B3::Value::effects):
1646         (JSC::B3::Value::key):
1647         (JSC::B3::Value::typeFor):
1648         * b3/B3Value.h:
1649         * b3/testb3.cpp:
1650         (JSC::B3::testBranchEqualOrUnorderedArgs):
1651         (JSC::B3::testBranchNotEqualAndOrderedArgs):
1652         (JSC::B3::testBranchEqualOrUnorderedDoubleArgImm):
1653         (JSC::B3::testBranchEqualOrUnorderedFloatArgImm):
1654         (JSC::B3::testBranchEqualOrUnorderedDoubleImms):
1655         (JSC::B3::testBranchEqualOrUnorderedFloatImms):
1656         (JSC::B3::testBranchEqualOrUnorderedFloatWithUselessDoubleConversion):
1657         (JSC::B3::run):
1658         * ftl/FTLB3Output.h:
1659         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1660         (JSC::FTL::Output::doubleNotEqual): Deleted.
1661         * ftl/FTLLowerDFGToLLVM.cpp:
1662         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1663         * ftl/FTLOutput.h:
1664         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1665         (JSC::FTL::Output::doubleNotEqual): Deleted.
1666
1667 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1668
1669         [JSC] B3: Add indexed addressing when lowering BitwiseCast
1670         https://bugs.webkit.org/show_bug.cgi?id=152432
1671
1672         Reviewed by Geoffrey Garen.
1673
1674         The MacroAssembler supports it, we should use it.
1675
1676         * b3/air/AirOpcode.opcodes:
1677         * b3/testb3.cpp:
1678         (JSC::B3::testBitwiseCastOnDoubleInMemoryIndexed):
1679         (JSC::B3::testBitwiseCastOnInt64InMemoryIndexed):
1680
1681 2015-12-18  Andreas Kling  <akling@apple.com>
1682
1683         Make JSString::SafeView less of a footgun.
1684         <https://webkit.org/b/152376>
1685
1686         Reviewed by Darin Adler.
1687
1688         Remove the "operator StringView()" convenience helper on JSString::SafeString since that
1689         made it possible to casually turn the return value from JSString::view() into an unsafe
1690         StringView local on the stack with this pattern:
1691
1692             StringView view = someJSValue.toString(exec)->view(exec);
1693
1694         The JSString* returned by toString() above will go out of scope by the end of the statement
1695         and does not stick around to protect itself from garbage collection.
1696
1697         It will now look like this instead:
1698
1699             JSString::SafeView view = someJSValue.toString(exec)->view(exec);
1700
1701         To be extra clear, the following is not safe:
1702
1703             StringView view = someJSValue.toString(exec)->view(exec).get();
1704
1705         By the end of that statement, the JSString::SafeView goes out of scope, and the JSString*
1706         is no longer protected from GC.
1707
1708         I added a couple of forwarding helpers to the SafeView class, and if you need a StringView
1709         object from it, you can call .get() just like before.
1710
1711         Finally I also removed the JSString::SafeView() constructor, since nobody was instantiating
1712         empty SafeView objects anyway. This way we don't have to worry about null members.
1713
1714         * runtime/ArrayPrototype.cpp:
1715         (JSC::arrayProtoFuncJoin):
1716         * runtime/FunctionConstructor.cpp:
1717         (JSC::constructFunctionSkippingEvalEnabledCheck):
1718         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1719         (JSC::genericTypedArrayViewProtoFuncJoin):
1720         * runtime/JSGlobalObjectFunctions.cpp:
1721         (JSC::decode):
1722         (JSC::globalFuncParseInt):
1723         (JSC::globalFuncParseFloat):
1724         (JSC::globalFuncEscape):
1725         (JSC::globalFuncUnescape):
1726         * runtime/JSONObject.cpp:
1727         (JSC::JSONProtoFuncParse):
1728         * runtime/JSString.cpp:
1729         (JSC::JSString::getPrimitiveNumber):
1730         (JSC::JSString::toNumber):
1731         * runtime/JSString.h:
1732         (JSC::JSString::SafeView::is8Bit):
1733         (JSC::JSString::SafeView::length):
1734         (JSC::JSString::SafeView::characters8):
1735         (JSC::JSString::SafeView::characters16):
1736         (JSC::JSString::SafeView::operator[]):
1737         (JSC::JSString::SafeView::SafeView):
1738         (JSC::JSString::SafeView::get):
1739         (JSC::JSString::SafeView::operator StringView): Deleted.
1740         * runtime/StringPrototype.cpp:
1741         (JSC::stringProtoFuncCharAt):
1742         (JSC::stringProtoFuncCharCodeAt):
1743         (JSC::stringProtoFuncIndexOf):
1744         (JSC::stringProtoFuncNormalize):
1745
1746 2015-12-18  Saam barati  <sbarati@apple.com>
1747
1748         BytecodeGenerator::pushLexicalScopeInternal and pushLexicalScope should use enums instead of bools
1749         https://bugs.webkit.org/show_bug.cgi?id=152450
1750
1751         Reviewed by Geoffrey Garen and Joseph Pecoraro.
1752
1753         This makes comprehending the call sites of these functions
1754         easier without looking up the header of the function.
1755
1756         * bytecompiler/BytecodeGenerator.cpp:
1757         (JSC::BytecodeGenerator::BytecodeGenerator):
1758         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1759         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1760         (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
1761         (JSC::BytecodeGenerator::pushLexicalScope):
1762         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1763         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1764         (JSC::BytecodeGenerator::emitPushCatchScope):
1765         * bytecompiler/BytecodeGenerator.h:
1766         (JSC::BytecodeGenerator::lastOpcodeID):
1767         * bytecompiler/NodesCodegen.cpp:
1768         (JSC::BlockNode::emitBytecode):
1769         (JSC::ForNode::emitBytecode):
1770         (JSC::ForInNode::emitMultiLoopBytecode):
1771         (JSC::ForOfNode::emitBytecode):
1772         (JSC::SwitchNode::emitBytecode):
1773         (JSC::ClassExprNode::emitBytecode):
1774
1775 2015-12-18  Michael Catanzaro  <mcatanzaro@igalia.com>
1776
1777         Avoid triggering clang's -Wundefined-bool-conversion
1778         https://bugs.webkit.org/show_bug.cgi?id=152408
1779
1780         Reviewed by Mark Lam.
1781
1782         Add ASSERT_THIS_GC_OBJECT_LOOKS_VALID and ASSERT_THIS_GC_OBJECT_INHERITS to avoid use of
1783         ASSERT(this) by ASSERT_GC_OBJECT_LOOKS_VALID and ASSERT_GC_OBJECT_INHERITS.
1784
1785         * heap/GCAssertions.h:
1786
1787 2015-12-18  Mark Lam  <mark.lam@apple.com>
1788
1789         Replace SpecialFastCase profiles with ResultProfiles.
1790         https://bugs.webkit.org/show_bug.cgi?id=152433
1791
1792         Reviewed by Saam Barati.
1793
1794         This is in preparation for upcoming work to enhance the DFG predictions to deal
1795         with untyped operands.
1796
1797         This patch also enhances some of the arithmetic slow paths (for the LLINT and
1798         baseline JIT) to collect result profiling info.  This profiling info is not put
1799         to use yet. 
1800
1801         * CMakeLists.txt:
1802         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1803         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1804         * JavaScriptCore.xcodeproj/project.pbxproj:
1805         * bytecode/CodeBlock.cpp:
1806         (JSC::CodeBlock::dumpRareCaseProfile):
1807         (JSC::CodeBlock::dumpResultProfile):
1808         (JSC::CodeBlock::printLocationAndOp):
1809         (JSC::CodeBlock::dumpBytecode):
1810         (JSC::CodeBlock::shrinkToFit):
1811         (JSC::CodeBlock::dumpValueProfiles):
1812         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
1813         (JSC::CodeBlock::resultProfileForBytecodeOffset):
1814         (JSC::CodeBlock::updateResultProfileForBytecodeOffset):
1815         (JSC::CodeBlock::capabilityLevel):
1816         * bytecode/CodeBlock.h:
1817         (JSC::CodeBlock::couldTakeSlowCase):
1818         (JSC::CodeBlock::addResultProfile):
1819         (JSC::CodeBlock::numberOfResultProfiles):
1820         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
1821         (JSC::CodeBlock::couldTakeSpecialFastCase):
1822         (JSC::CodeBlock::addSpecialFastCaseProfile): Deleted.
1823         (JSC::CodeBlock::numberOfSpecialFastCaseProfiles): Deleted.
1824         (JSC::CodeBlock::specialFastCaseProfile): Deleted.
1825         (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset): Deleted.
1826         * bytecode/ValueProfile.cpp: Added.
1827         (WTF::printInternal):
1828         * bytecode/ValueProfile.h:
1829         (JSC::getRareCaseProfileBytecodeOffset):
1830         (JSC::ResultProfile::ResultProfile):
1831         (JSC::ResultProfile::bytecodeOffset):
1832         (JSC::ResultProfile::specialFastPathCount):
1833         (JSC::ResultProfile::didObserveNonInt32):
1834         (JSC::ResultProfile::didObserveDouble):
1835         (JSC::ResultProfile::didObserveNonNegZeroDouble):
1836         (JSC::ResultProfile::didObserveNegZeroDouble):
1837         (JSC::ResultProfile::didObserveNonNumber):
1838         (JSC::ResultProfile::didObserveInt32Overflow):
1839         (JSC::ResultProfile::setObservedNonNegZeroDouble):
1840         (JSC::ResultProfile::setObservedNegZeroDouble):
1841         (JSC::ResultProfile::setObservedNonNumber):
1842         (JSC::ResultProfile::setObservedInt32Overflow):
1843         (JSC::ResultProfile::addressOfFlags):
1844         (JSC::ResultProfile::addressOfSpecialFastPathCount):
1845         (JSC::ResultProfile::hasBits):
1846         (JSC::ResultProfile::setBit):
1847         (JSC::getResultProfileBytecodeOffset):
1848         * jit/JITArithmetic.cpp:
1849         (JSC::JIT::emit_op_div):
1850         (JSC::JIT::emit_op_mul):
1851         * jit/JITDivGenerator.cpp:
1852         (JSC::JITDivGenerator::generateFastPath):
1853         * jit/JITDivGenerator.h:
1854         (JSC::JITDivGenerator::JITDivGenerator):
1855         * jit/JITMulGenerator.cpp:
1856         (JSC::JITMulGenerator::generateFastPath):
1857         * jit/JITMulGenerator.h:
1858         (JSC::JITMulGenerator::JITMulGenerator):
1859         * runtime/CommonSlowPaths.cpp:
1860         (JSC::SLOW_PATH_DECL):
1861
1862 2015-12-18  Keith Miller  <keith_miller@apple.com>
1863
1864         verboseDFGByteCodeParsing option should show the bytecode it is parsing.
1865         https://bugs.webkit.org/show_bug.cgi?id=152434
1866
1867         Reviewed by Michael Saboff.
1868
1869         * dfg/DFGByteCodeParser.cpp:
1870         (JSC::DFG::ByteCodeParser::parseBlock):
1871
1872 2015-12-18  Csaba Osztrogonác  <ossy@webkit.org>
1873
1874         [ARM] Add the missing setupArgumentsWithExecState functions after r193974
1875         https://bugs.webkit.org/show_bug.cgi?id=152214
1876
1877         Reviewed by Mark Lam.
1878
1879         Relanding r194007 after r194248.
1880
1881         * jit/CCallHelpers.h:
1882         (JSC::CCallHelpers::setupArgumentsWithExecState):
1883
1884 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
1885
1886         Web Inspector: Remove "local" scope type from the protocol
1887         https://bugs.webkit.org/show_bug.cgi?id=152409
1888
1889         Reviewed by Timothy Hatcher.
1890
1891         After r194251 the backend no longer sends this scope type.
1892         So remove it from the protocol.
1893
1894         The concept of a Local Scope should be calculable by the
1895         frontend. In fact, the way the backend used to do this could
1896         easily be done by the frontend. To be done in a follow-up.
1897
1898         * inspector/InjectedScriptSource.js:
1899         * inspector/JSJavaScriptCallFrame.h:
1900         * inspector/protocol/Debugger.json:
1901
1902 2015-12-17  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1903
1904         [INTL] Implement Collator Compare Functions
1905         https://bugs.webkit.org/show_bug.cgi?id=147604
1906
1907         Reviewed by Darin Adler.
1908
1909         This patch implements Intl.Collator.prototype.compare() according
1910         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
1911
1912         * runtime/IntlCollator.cpp:
1913         (JSC::IntlCollator::~IntlCollator):
1914         (JSC::sortLocaleData):
1915         (JSC::searchLocaleData):
1916         (JSC::IntlCollator::initializeCollator):
1917         (JSC::IntlCollator::createCollator):
1918         (JSC::IntlCollator::compareStrings):
1919         (JSC::IntlCollator::usageString):
1920         (JSC::IntlCollator::sensitivityString):
1921         (JSC::IntlCollator::resolvedOptions):
1922         (JSC::IntlCollator::setBoundCompare):
1923         (JSC::IntlCollatorFuncCompare): Deleted.
1924         * runtime/IntlCollator.h:
1925         (JSC::IntlCollator::usage): Deleted.
1926         (JSC::IntlCollator::setUsage): Deleted.
1927         (JSC::IntlCollator::locale): Deleted.
1928         (JSC::IntlCollator::setLocale): Deleted.
1929         (JSC::IntlCollator::collation): Deleted.
1930         (JSC::IntlCollator::setCollation): Deleted.
1931         (JSC::IntlCollator::numeric): Deleted.
1932         (JSC::IntlCollator::setNumeric): Deleted.
1933         (JSC::IntlCollator::sensitivity): Deleted.
1934         (JSC::IntlCollator::setSensitivity): Deleted.
1935         (JSC::IntlCollator::ignorePunctuation): Deleted.
1936         (JSC::IntlCollator::setIgnorePunctuation): Deleted.
1937         * runtime/IntlCollatorConstructor.cpp:
1938         (JSC::constructIntlCollator):
1939         (JSC::callIntlCollator):
1940         (JSC::sortLocaleData): Deleted.
1941         (JSC::searchLocaleData): Deleted.
1942         (JSC::initializeCollator): Deleted.
1943         * runtime/IntlCollatorPrototype.cpp:
1944         (JSC::IntlCollatorFuncCompare):
1945         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1946         * runtime/IntlObject.cpp:
1947         (JSC::defaultLocale):
1948         (JSC::convertICULocaleToBCP47LanguageTag):
1949         (JSC::intlStringOption):
1950         (JSC::resolveLocale):
1951         (JSC::supportedLocales):
1952         * runtime/IntlObject.h:
1953         * runtime/JSGlobalObject.cpp:
1954         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
1955         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
1956         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
1957
1958 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
1959
1960         Provide a way to distinguish a nested lexical block from a function's lexical block
1961         https://bugs.webkit.org/show_bug.cgi?id=152361
1962
1963         Reviewed by Saam Barati.
1964
1965         * bytecompiler/BytecodeGenerator.h:
1966         * bytecompiler/BytecodeGenerator.cpp:
1967         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1968         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1969         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1970         (JSC::BytecodeGenerator::emitPushCatchScope):
1971         Each of these is a specialized scope. They are not nested lexical scopes.
1972         
1973         (JSC::BytecodeGenerator::pushLexicalScope):
1974         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1975         Include an extra parameter to mark the SymbolTable as a nested lexical or not.
1976
1977         * bytecompiler/NodesCodegen.cpp:
1978         (JSC::BlockNode::emitBytecode):
1979         (JSC::ForNode::emitBytecode):
1980         (JSC::ForInNode::emitMultiLoopBytecode):
1981         (JSC::ForOfNode::emitBytecode):
1982         (JSC::SwitchNode::emitBytecode):
1983         (JSC::ClassExprNode::emitBytecode):
1984         Each of these is a case of a non-function nested lexical scope.
1985         So mark the SymbolTable as nested.
1986
1987         * inspector/protocol/Debugger.json:
1988         * inspector/InjectedScriptSource.js:
1989         Include a new scope type.
1990
1991         * inspector/JSJavaScriptCallFrame.h:
1992         * inspector/JSJavaScriptCallFrame.cpp:
1993         (Inspector::JSJavaScriptCallFrame::scopeType):
1994         Use the new "NestedLexical" scope type for nested, non-function,
1995         lexical scopes. The Inspector can use this to better describe
1996         this scope in the frontend.
1997
1998         * debugger/DebuggerScope.cpp:
1999         (JSC::DebuggerScope::isNestedLexicalScope):
2000         * debugger/DebuggerScope.h:
2001         * runtime/JSScope.cpp:
2002         (JSC::JSScope::isNestedLexicalScope):
2003         * runtime/JSScope.h:
2004         * runtime/SymbolTable.cpp:
2005         (JSC::SymbolTable::SymbolTable):
2006         (JSC::SymbolTable::cloneScopePart):
2007         * runtime/SymbolTable.h:
2008         Access the isNestedLexicalScope bit.
2009
2010 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
2011
2012         Unreviewed EFL Build Fix after r194247.
2013
2014         * interpreter/CallFrame.cpp:
2015         (JSC::CallFrame::friendlyFunctionName):
2016         Handle compilers that don't realize the switch handles all cases.
2017
2018 2015-12-17  Keith Miller  <keith_miller@apple.com>
2019
2020         [ES6] Add support for Symbol.hasInstance
2021         https://bugs.webkit.org/show_bug.cgi?id=151839
2022
2023         Reviewed by Saam Barati.
2024
2025         Fixed version of r193986, r193983, and r193974.
2026
2027         This patch adds support for Symbol.hasInstance. Unfortunately, in order to prevent
2028         regressions several new bytecodes and DFG IR nodes were necessary. Before Symbol.hasInstance,
2029         when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
2030         then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
2031         new ones. First, the role of overrides_has_instance and its corresponding DFG node has changed. Now it returns
2032         a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
2033         needs non-default behavior for resolving the expression, i.e. the constructor has a Symbol.hasInstance that differs from the one on
2034         Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
2035         we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. instanceof_custom just
2036         emits a call to slow path code that computes the result.
2037
2038         In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
2039         OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
2040         it into a CheckTypeInfoFlags followed by a JSConstant.
2041
2042         * API/JSCallbackObject.h:
2043         * builtins/FunctionPrototype.js:
2044         (symbolHasInstance):
2045         * bytecode/BytecodeBasicBlock.cpp:
2046         (JSC::isBranch): Deleted.
2047         * bytecode/BytecodeList.json:
2048         * bytecode/BytecodeUseDef.h:
2049         (JSC::computeUsesForBytecodeOffset):
2050         (JSC::computeDefsForBytecodeOffset):
2051         * bytecode/CodeBlock.cpp:
2052         (JSC::CodeBlock::dumpBytecode):
2053         * bytecode/ExitKind.cpp:
2054         (JSC::exitKindToString):
2055         * bytecode/ExitKind.h:
2056         * bytecode/PreciseJumpTargets.cpp:
2057         (JSC::getJumpTargetsForBytecodeOffset): Deleted.
2058         * bytecompiler/BytecodeGenerator.cpp:
2059         (JSC::BytecodeGenerator::emitOverridesHasInstance):
2060         (JSC::BytecodeGenerator::emitInstanceOfCustom):
2061         (JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
2062         * bytecompiler/BytecodeGenerator.h:
2063         * bytecompiler/NodesCodegen.cpp:
2064         (JSC::InstanceOfNode::emitBytecode):
2065         * dfg/DFGAbstractInterpreterInlines.h:
2066         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2067         * dfg/DFGByteCodeParser.cpp:
2068         (JSC::DFG::ByteCodeParser::parseBlock):
2069         * dfg/DFGCapabilities.cpp:
2070         (JSC::DFG::capabilityLevel):
2071         * dfg/DFGClobberize.h:
2072         (JSC::DFG::clobberize):
2073         * dfg/DFGDoesGC.cpp:
2074         (JSC::DFG::doesGC):
2075         * dfg/DFGFixupPhase.cpp:
2076         (JSC::DFG::FixupPhase::fixupNode):
2077         * dfg/DFGHeapLocation.cpp:
2078         (WTF::printInternal):
2079         * dfg/DFGHeapLocation.h:
2080         * dfg/DFGNode.h:
2081         (JSC::DFG::Node::hasCellOperand):
2082         (JSC::DFG::Node::hasTypeInfoOperand):
2083         (JSC::DFG::Node::typeInfoOperand):
2084         * dfg/DFGNodeType.h:
2085         * dfg/DFGPredictionPropagationPhase.cpp:
2086         (JSC::DFG::PredictionPropagationPhase::propagate):
2087         * dfg/DFGSafeToExecute.h:
2088         (JSC::DFG::safeToExecute):
2089         * dfg/DFGSpeculativeJIT.cpp:
2090         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
2091         (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
2092         * dfg/DFGSpeculativeJIT.h:
2093         (JSC::DFG::SpeculativeJIT::callOperation):
2094         * dfg/DFGSpeculativeJIT32_64.cpp:
2095         (JSC::DFG::SpeculativeJIT::compile):
2096         * dfg/DFGSpeculativeJIT64.cpp:
2097         (JSC::DFG::SpeculativeJIT::compile):
2098         * ftl/FTLCapabilities.cpp:
2099         (JSC::FTL::canCompile):
2100         * ftl/FTLIntrinsicRepository.h:
2101         * ftl/FTLLowerDFGToLLVM.cpp:
2102         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2103         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
2104         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
2105         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
2106         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
2107         * jit/JIT.cpp:
2108         (JSC::JIT::privateCompileMainPass):
2109         (JSC::JIT::privateCompileSlowCases):
2110         * jit/JIT.h:
2111         * jit/JITInlines.h:
2112         (JSC::JIT::callOperation):
2113         * jit/JITOpcodes.cpp:
2114         (JSC::JIT::emit_op_overrides_has_instance):
2115         (JSC::JIT::emit_op_instanceof):
2116         (JSC::JIT::emit_op_instanceof_custom):
2117         (JSC::JIT::emitSlow_op_instanceof):
2118         (JSC::JIT::emitSlow_op_instanceof_custom):
2119         (JSC::JIT::emit_op_check_has_instance): Deleted.
2120         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
2121         * jit/JITOpcodes32_64.cpp:
2122         (JSC::JIT::emit_op_overrides_has_instance):
2123         (JSC::JIT::emit_op_instanceof):
2124         (JSC::JIT::emit_op_instanceof_custom):
2125         (JSC::JIT::emitSlow_op_instanceof_custom):
2126         (JSC::JIT::emit_op_check_has_instance): Deleted.
2127         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
2128         * jit/JITOperations.cpp:
2129         * jit/JITOperations.h:
2130         * llint/LLIntData.cpp:
2131         (JSC::LLInt::Data::performAssertions):
2132         * llint/LLIntSlowPaths.cpp:
2133         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2134         * llint/LLIntSlowPaths.h:
2135         * llint/LowLevelInterpreter32_64.asm:
2136         * llint/LowLevelInterpreter64.asm:
2137         * runtime/CommonIdentifiers.h:
2138         * runtime/ExceptionHelpers.cpp:
2139         (JSC::invalidParameterInstanceofSourceAppender):
2140         (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
2141         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
2142         (JSC::createInvalidInstanceofParameterErrorNotFunction):
2143         (JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
2144         (JSC::createInvalidInstanceofParameterError): Deleted.
2145         * runtime/ExceptionHelpers.h:
2146         * runtime/FunctionPrototype.cpp:
2147         (JSC::FunctionPrototype::addFunctionProperties):
2148         * runtime/FunctionPrototype.h:
2149         * runtime/JSBoundFunction.cpp:
2150         (JSC::isBoundFunction):
2151         (JSC::hasInstanceBoundFunction):
2152         * runtime/JSBoundFunction.h:
2153         * runtime/JSGlobalObject.cpp:
2154         (JSC::JSGlobalObject::init):
2155         (JSC::JSGlobalObject::visitChildren):
2156         * runtime/JSGlobalObject.h:
2157         (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
2158         * runtime/JSObject.cpp:
2159         (JSC::JSObject::hasInstance):
2160         (JSC::objectPrivateFuncInstanceOf):
2161         * runtime/JSObject.h:
2162         * runtime/JSTypeInfo.h:
2163         (JSC::TypeInfo::TypeInfo):
2164         (JSC::TypeInfo::overridesHasInstance):
2165         * runtime/WriteBarrier.h:
2166         (JSC::WriteBarrierBase<Unknown>::slot):
2167         * tests/es6.yaml:
2168         * tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
2169         (Constructor):
2170         (value):
2171         (instanceOf):
2172         (body):
2173         * tests/stress/symbol-hasInstance.js: Added.
2174         (Constructor):
2175         (value):
2176         (ObjectClass.Symbol.hasInstance):
2177         (NumberClass.Symbol.hasInstance):
2178
2179 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
2180
2181         Web Inspector: Improve names in Debugger Call Stack section when paused
2182         https://bugs.webkit.org/show_bug.cgi?id=152398
2183
2184         Reviewed by Brian Burg.
2185
2186         * debugger/DebuggerCallFrame.cpp:
2187         (JSC::DebuggerCallFrame::functionName):
2188         Provide a better name from the underlying CallFrame.
2189
2190         * inspector/InjectedScriptSource.js:
2191         (InjectedScript.CallFrameProxy):
2192         Just call functionName; it will provide a better-than-nothing
2193         function name.
2194
2195         * runtime/JSFunction.cpp:
2196         (JSC::getCalculatedDisplayName):
2197         Use emptyString().
2198
2199         * interpreter/CallFrame.h:
2200         * interpreter/CallFrame.cpp:
2201         (JSC::CallFrame::friendlyFunctionName):
2202         This is the third similar implementation of this,
2203         but all other cases use other "StackFrame" objects.
2204         Use the expected names for program code.
2205
2206 2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>
2207
2208         Web Inspector: Add JSContext Script Profiling
2209         https://bugs.webkit.org/show_bug.cgi?id=151899
2210
2211         Reviewed by Brian Burg.
2212
2213         Extend JSC::Debugger to include a profiling client interface
2214         that the Inspector can implement to be told about script execution
2215         entry and exit points. Add new profiledCall/Evaluate/Construct
2216         methods that are entry points that will notify the profiling
2217         client if it exists.
2218
2219         By putting the profiling client on Debugger it avoids having
2220         special code paths for a JSGlobalObject being JSContext inspected
2221         or a JSGlobalObject in a Page being Web inspected. In either case
2222         the JSGlobalObject can go through its debugger() which always
2223         reaches the correct inspector instance.
2224
2225         * CMakeLists.txt:
2226         * DerivedSources.make:
2227         * JavaScriptCore.xcodeproj/project.pbxproj:
2228         Handle new files.
2229
2230         * runtime/CallData.cpp:
2231         (JSC::profiledCall):
2232         * runtime/CallData.h:
2233         * runtime/Completion.cpp:
2234         (JSC::profiledEvaluate):
2235         * runtime/Completion.h:
2236         (JSC::profiledEvaluate):
2237         * runtime/ConstructData.cpp:
2238         (JSC::profiledConstruct):
2239         * runtime/ConstructData.h:
2240         (JSC::profiledConstruct):
2241         Create profiled versions of interpreter entry points. If a profiler client is
2242         available, this will automatically inform it of entry/exit. Include a reason
2243         why this is being profiled. Currently all reasons in JavaScriptCore are enumerated
2244         (API, Microtask) and Other is to be used by WebCore or future clients.
2245
2246         * debugger/ScriptProfilingScope.h: Added.
2247         (JSC::ScriptProfilingScope::ScriptProfilingScope):
2248         (JSC::ScriptProfilingScope::~ScriptProfilingScope):
2249         (JSC::ScriptProfilingScope::shouldStartProfile):
2250         (JSC::ScriptProfilingScope::shouldEndProfile):
2251         At profiled entry points inform the profiling client if needed.
2252
2253         * API/JSBase.cpp:
2254         (JSEvaluateScript):
2255         * API/JSObjectRef.cpp:
2256         (JSObjectCallAsFunction):
2257         (JSObjectCallAsConstructor):
2258         * runtime/JSJob.cpp:
2259         (JSC::JSJobMicrotask::run):
2260         Use the profiled functions for API and Microtask execution entry points.
2261
2262         * runtime/JSGlobalObject.cpp:
2263         (JSC::JSGlobalObject::hasProfiler):
2264         * runtime/JSGlobalObject.h:
2265         (JSC::JSGlobalObject::hasProfiler):
2266         Extend hasProfiler to also check the new Debugger script profiler.
2267
2268         * debugger/Debugger.cpp:
2269         (JSC::Debugger::setProfilingClient):
2270         (JSC::Debugger::willEvaluateScript):
2271         (JSC::Debugger::didEvaluateScript):
2272         * debugger/Debugger.h:
2273         Pass through to the profiling client.
2274
2275         * inspector/protocol/ScriptProfiler.json: Added.
2276         * inspector/agents/InspectorScriptProfilerAgent.cpp: Added.
2277         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
2278         (Inspector::InspectorScriptProfilerAgent::~InspectorScriptProfilerAgent):
2279         (Inspector::InspectorScriptProfilerAgent::didCreateFrontendAndBackend):
2280         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
2281         (Inspector::InspectorScriptProfilerAgent::startTracking):
2282         (Inspector::InspectorScriptProfilerAgent::stopTracking):
2283         (Inspector::InspectorScriptProfilerAgent::isAlreadyProfiling):
2284         (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
2285         (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
2286         (Inspector::toProtocol):
2287         (Inspector::InspectorScriptProfilerAgent::addEvent):
2288         (Inspector::buildAggregateCallInfoInspectorObject):
2289         (Inspector::buildInspectorObject):
2290         (Inspector::buildProfileInspectorObject):
2291         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2292         * inspector/agents/InspectorScriptProfilerAgent.h: Added.
2293         New ScriptProfiler domain to just turn on / off script profiling.
2294         It introduces a start/update/complete event model which we want
2295         to include in new domains.
2296
2297         * inspector/InspectorEnvironment.h:
2298         * inspector/InjectedScriptBase.cpp:
2299         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
2300         Simplify this now that we want it to be the same for all clients.
2301
2302         * inspector/JSGlobalObjectInspectorController.h:
2303         * inspector/JSGlobalObjectInspectorController.cpp:
2304         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2305         Create the new agent.
2306
2307         * inspector/InspectorProtocolTypes.h:
2308         (Inspector::Protocol::Array::addItem):
2309         Allow pushing a double onto a Protocol::Array.
2310
2311 2015-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2312
2313         [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
2314         https://bugs.webkit.org/show_bug.cgi?id=152227
2315
2316         Reviewed by Saam Barati.
2317
2318         This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
2319         We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
2320         The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.
2321
2322         Instead of extending NewFunction / PhantomNewFunction, we just added new DFG nodes, NewGeneratorFunction and PhantomNewGeneratorFunction.
2323         This is because NewGeneratorFunction will generate an object that has different class info from JSFunction (And if JSGeneratorFunction is extended, its size will become different from JSFunction).
2324         So, rather than extending NewFunction with generator flag, just adding new DFG nodes seems cleaner.
2325
2326         Object allocation sinking phase will change NewGeneratorFunction to PhantomNewGeneratorFunction and defer or eliminate its actual materialization.
2327         This is exactly the same as for NewFunction and PhantomNewFunction.
2328         And when OSR exit occurs, we need to execute deferred NewGeneratorFunction since Baseline JIT does not consider it.
2329         So in FTL operation, we should create JSGeneratorFunction if we see PhantomNewGeneratorFunction materialization.
2330
2331         * dfg/DFGAbstractInterpreterInlines.h:
2332         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2333         * dfg/DFGByteCodeParser.cpp:
2334         (JSC::DFG::ByteCodeParser::parseBlock):
2335         * dfg/DFGCapabilities.cpp:
2336         (JSC::DFG::capabilityLevel):
2337         * dfg/DFGClobberize.h:
2338         (JSC::DFG::clobberize):
2339         * dfg/DFGClobbersExitState.cpp:
2340         (JSC::DFG::clobbersExitState):
2341         * dfg/DFGDoesGC.cpp:
2342         (JSC::DFG::doesGC):
2343         * dfg/DFGFixupPhase.cpp:
2344         (JSC::DFG::FixupPhase::fixupNode):
2345         * dfg/DFGMayExit.cpp:
2346         (JSC::DFG::mayExit):
2347         * dfg/DFGNode.h:
2348         (JSC::DFG::Node::convertToPhantomNewFunction):
2349         (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
2350         (JSC::DFG::Node::hasCellOperand):
2351         (JSC::DFG::Node::isFunctionAllocation):
2352         (JSC::DFG::Node::isPhantomFunctionAllocation):
2353         (JSC::DFG::Node::isPhantomAllocation):
2354         * dfg/DFGNodeType.h:
2355         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2356         * dfg/DFGPredictionPropagationPhase.cpp:
2357         (JSC::DFG::PredictionPropagationPhase::propagate):
2358         * dfg/DFGSafeToExecute.h:
2359         (JSC::DFG::safeToExecute):
2360         * dfg/DFGSpeculativeJIT.cpp:
2361         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2362         * dfg/DFGSpeculativeJIT32_64.cpp:
2363         (JSC::DFG::SpeculativeJIT::compile):
2364         * dfg/DFGSpeculativeJIT64.cpp:
2365         (JSC::DFG::SpeculativeJIT::compile):
2366         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2367         * dfg/DFGStructureRegistrationPhase.cpp:
2368         (JSC::DFG::StructureRegistrationPhase::run):
2369         * dfg/DFGValidate.cpp:
2370         (JSC::DFG::Validate::validateCPS):
2371         (JSC::DFG::Validate::validateSSA):
2372         * ftl/FTLCapabilities.cpp:
2373         (JSC::FTL::canCompile):
2374         * ftl/FTLLowerDFGToLLVM.cpp:
2375         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2376         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2377         * ftl/FTLOperations.cpp:
2378         (JSC::FTL::operationPopulateObjectInOSR):
2379         (JSC::FTL::operationMaterializeObjectInOSR):
2380         * tests/stress/generator-function-create-optimized.js: Added.
2381         (shouldBe):
2382         (g):
2383         (test.return.gen):
2384         (test):
2385         (test2.gen):
2386         (test2):
2387         * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
2388         (shouldBe):
2389         (GeneratorFunctionPrototype):
2390         (call):
2391         (f):
2392         (sink):
2393         * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
2394         (shouldBe):
2395         (GeneratorFunctionPrototype):
2396         (g):
2397         (f):
2398         (sink):
2399         * tests/stress/generator-function-declaration-sinking-put.js: Added.
2400         (shouldBe):
2401         (GeneratorFunctionPrototype):
2402         (g):
2403         (f):
2404         (sink):
2405         * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
2406         (shouldBe):
2407         (GeneratorFunctionPrototype):
2408         (call):
2409         (f):
2410         (sink):
2411         * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
2412         (shouldBe):
2413         (GeneratorFunctionPrototype):
2414         (g):
2415         (sink):
2416         * tests/stress/generator-function-expression-sinking-put.js: Added.
2417         (shouldBe):
2418         (GeneratorFunctionPrototype):
2419         (g):
2420         (sink):
2421
2422 2015-12-16  Michael Saboff  <msaboff@apple.com>
2423
2424         ARM64 MacroAssembler improperly reuses data temp register in test32() and test8() calls
2425         https://bugs.webkit.org/show_bug.cgi?id=152370
2426
2427         Reviewed by Benjamin Poulain.
2428
2429         Changed the test8/32(Address, Register) flavors to use the memoryTempRegister for loading the value
2430         at Address so that it doesn't collide with the subsequent use of dataTempRegister by the
2431         test32(Register, Register) function.
2432
2433         * assembler/MacroAssemblerARM64.h:
2434         (JSC::MacroAssemblerARM64::test32):
2435         (JSC::MacroAssemblerARM64::test8):
2436
2437 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
2438
2439         FTL B3 should support switches
2440         https://bugs.webkit.org/show_bug.cgi?id=152360
2441
2442         Reviewed by Geoffrey Garen.
2443
2444         I implemented this because I was hoping it would let us run V8/crypto, but instead it just led
2445         me to file a fun bug: https://bugs.webkit.org/show_bug.cgi?id=152365.
2446
2447         * ftl/FTLB3Output.h:
2448         (JSC::FTL::Output::check):
2449         (JSC::FTL::Output::switchInstruction):
2450         (JSC::FTL::Output::ret):
2451         * ftl/FTLLowerDFGToLLVM.cpp:
2452         (JSC::FTL::DFG::ftlUnreachable):
2453         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
2454
2455 2015-12-16  Alex Christensen  <achristensen@webkit.org>
2456
2457         Fix internal Windows build
2458         https://bugs.webkit.org/show_bug.cgi?id=152364
2459
2460         Reviewed by Tim Horton.
2461
2462         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2463
2464 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
2465
2466         Improve JSObject::put performance
2467         https://bugs.webkit.org/show_bug.cgi?id=152347
2468
2469         Reviewed by Geoffrey Garen.
2470
2471         This adds a new benchmark called dynbench, which just uses the C++ API to create, modify, and
2472         query objects. This also adds some optimizations to make the JSObject::put code faster by making
2473         it inlinable in places that really need the performance, like JITOperations and LLIntSlowPaths.
2474         Inlining it is optional because the put() method is large. If you want it inlined, call
2475         putInline(). There's a putInline() variant of both JSObject::put() and JSValue::put().
2476
2477         This is up to a 20% improvement for JSObject::put calls that get inlined all the way (like from
2478         JITOperations and the new benchmark) and it's also a speed-up, albeit a smaller one, for
2479         JSObject::put calls that don't get inlined (i.e. those from the DOM and the JSC C++ library code).
2480         Specific speed-ups are as follows. Note that "dynamic context" means that we told PutPropertySlot
2481         that we're not a static put_by_id, which turns off some type inference.
2482
2483         Get By Id: 2% faster
2484         Put By Id Replace: 23% faster
2485         Put By Id Transition + object allocation: 11% faster
2486         Get By Id w/ dynamic context: 5% faster
2487         Put By Id Replace w/ dynamic context: 25% faster
2488         Put By Id Transition + object allocation w/ dynamic context: 10% faster
2489
2490         * JavaScriptCore.xcodeproj/project.pbxproj:
2491         * dynbench.cpp: Added.
2492         (JSC::benchmarkImpl):
2493         (main):
2494         * jit/CallFrameShuffler32_64.cpp:
2495         * jit/CallFrameShuffler64.cpp:
2496         * jit/JITOperations.cpp:
2497         * llint/LLIntSlowPaths.cpp:
2498         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2499         * runtime/ClassInfo.h:
2500         (JSC::ClassInfo::hasStaticProperties):
2501         * runtime/ConsoleClient.cpp:
2502         * runtime/CustomGetterSetter.h:
2503         * runtime/ErrorInstance.cpp:
2504         (JSC::ErrorInstance::finishCreation):
2505         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
2506         * runtime/GetterSetter.h:
2507         (JSC::asGetterSetter):
2508         * runtime/JSCInlines.h:
2509         * runtime/JSCJSValue.h:
2510         * runtime/JSCJSValueInlines.h:
2511         (JSC::JSValue::put):
2512         (JSC::JSValue::putInternal):
2513         (JSC::JSValue::putByIndex):
2514         * runtime/JSObject.cpp:
2515         (JSC::JSObject::put):
2516         (JSC::JSObject::putByIndex):
2517         * runtime/JSObject.h:
2518         (JSC::JSObject::getVectorLength):
2519         (JSC::JSObject::inlineGetOwnPropertySlot):
2520         (JSC::JSObject::get):
2521         (JSC::JSObject::putDirectInternal):
2522
2523 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
2524
2525         Work around a bug in LLVM by flipping the unification order
2526         https://bugs.webkit.org/show_bug.cgi?id=152341
2527         rdar://problem/23920749
2528
2529         Reviewed by Mark Lam.
2530
2531         * dfg/DFGUnificationPhase.cpp:
2532         (JSC::DFG::UnificationPhase::run):
2533
2534 2015-12-16  Saam barati  <sbarati@apple.com>
2535
2536         Add "explicit operator bool" to ScratchRegisterAllocator::PreservedState
2537         https://bugs.webkit.org/show_bug.cgi?id=152337
2538
2539         Reviewed by Mark Lam.
2540
2541         If we have a default constructor, we should also have a way
2542         to tell if a PreservedState is invalid.
2543
2544         * jit/ScratchRegisterAllocator.cpp:
2545         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2546         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2547         * jit/ScratchRegisterAllocator.h:
2548         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
2549         (JSC::ScratchRegisterAllocator::PreservedState::operator bool):
2550
2551 2015-12-16  Caitlin Potter  <caitp@igalia.com>
2552
2553         [JSC] fix error message for eval/arguments CoverInitializedName in strict code
2554         https://bugs.webkit.org/show_bug.cgi?id=152304
2555
2556         Reviewed by Darin Adler.
2557
2558         Because the error was originally classified as indicating a Pattern, the
2559         error in AssignmentPattern parsing causes the reported message to revert to
2560         the original Expression error message, which in this case is incorrect.
2561
2562         This change modifies the implementation of the strict code
2563         error slightly, and reclassifies the error to prevent the message revert,
2564         which improves the clarity of the message overall.
2565
2566         * parser/Parser.cpp:
2567         (JSC::Parser<LexerType>::parseAssignmentElement):
2568         (JSC::Parser<LexerType>::parseDestructuringPattern):
2569         * parser/Parser.h:
2570         (JSC::Parser::ExpressionErrorClassifier::reclassifyExpressionError):
2571         (JSC::Parser::reclassifyExpressionError):
2572         * tests/stress/destructuring-assignment-syntax.js:
2573
2574 2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>
2575
2576         Builtin source should be minified more
2577         https://bugs.webkit.org/show_bug.cgi?id=152290
2578
2579         Reviewed by Darin Adler.
2580
2581         * Scripts/builtins/builtins_model.py:
2582         (BuiltinFunction.fromString):
2583         Remove primarily empty lines that would just introduce clutter.
2584         We only do the minification in non-Debug configurations, which
2585         is determined by the CONFIGURATION environment variable. You can
2586         see how tests would generate differently, like so:
2587         shell> CONFIGURATION=Release ./Tools/Scripts/run-builtins-generator-tests
2588
2589 2015-12-16  Commit Queue  <commit-queue@webkit.org>
2590
2591         Unreviewed, rolling out r194135.
2592         https://bugs.webkit.org/show_bug.cgi?id=152333
2593
2594         due to missing OSR exit materialization support in FTL
2595         (Requested by yusukesuzuki on #webkit).
2596
2597         Reverted changeset:
2598
2599         "[ES6] Handle new_generator_func / new_generator_func_exp in
2600         DFG / FTL"
2601         https://bugs.webkit.org/show_bug.cgi?id=152227
2602         http://trac.webkit.org/changeset/194135
2603
2604 2015-12-16  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2605
2606         [Fetch API] Add fetch API compile time flag
2607         https://bugs.webkit.org/show_bug.cgi?id=152254
2608
2609         Reviewed by Darin Adler.
2610
2611         * Configurations/FeatureDefines.xcconfig:
2612
2613 2015-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2614
2615         [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
2616         https://bugs.webkit.org/show_bug.cgi?id=152227
2617
2618         Reviewed by Saam Barati.
2619
2620         This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
2621         We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
2622         The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.
2623
2624         * dfg/DFGAbstractInterpreterInlines.h:
2625         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2626         * dfg/DFGByteCodeParser.cpp:
2627         (JSC::DFG::ByteCodeParser::parseBlock):
2628         * dfg/DFGCapabilities.cpp:
2629         (JSC::DFG::capabilityLevel):
2630         * dfg/DFGClobberize.h:
2631         (JSC::DFG::clobberize):
2632         * dfg/DFGClobbersExitState.cpp:
2633         (JSC::DFG::clobbersExitState):
2634         * dfg/DFGDoesGC.cpp:
2635         (JSC::DFG::doesGC):
2636         * dfg/DFGFixupPhase.cpp:
2637         (JSC::DFG::FixupPhase::fixupNode):
2638         * dfg/DFGMayExit.cpp:
2639         (JSC::DFG::mayExit):
2640         * dfg/DFGNode.h:
2641         (JSC::DFG::Node::convertToPhantomNewFunction):
2642         (JSC::DFG::Node::hasCellOperand):
2643         (JSC::DFG::Node::isFunctionAllocation):
2644         * dfg/DFGNodeType.h:
2645         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2646         * dfg/DFGPredictionPropagationPhase.cpp:
2647         (JSC::DFG::PredictionPropagationPhase::propagate):
2648         * dfg/DFGSafeToExecute.h:
2649         (JSC::DFG::safeToExecute):
2650         * dfg/DFGSpeculativeJIT.cpp:
2651         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2652         * dfg/DFGSpeculativeJIT32_64.cpp:
2653         (JSC::DFG::SpeculativeJIT::compile):
2654         * dfg/DFGSpeculativeJIT64.cpp:
2655         (JSC::DFG::SpeculativeJIT::compile):
2656         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2657         * dfg/DFGStructureRegistrationPhase.cpp:
2658         (JSC::DFG::StructureRegistrationPhase::run):
2659         * ftl/FTLCapabilities.cpp:
2660         (JSC::FTL::canCompile):
2661         * ftl/FTLLowerDFGToLLVM.cpp:
2662         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2663         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2664         * tests/stress/generator-function-create-optimized.js: Added.
2665         (shouldBe):
2666         (g):
2667         (test.return.gen):
2668         (test):
2669         (test2.gen):
2670         (test2):
2671         * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
2672         (shouldBe):
2673         (GeneratorFunctionPrototype):
2674         (call):
2675         (f):
2676         (sink):
2677         * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
2678         (shouldBe):
2679         (GeneratorFunctionPrototype):
2680         (g):
2681         (f):
2682         (sink):
2683         * tests/stress/generator-function-declaration-sinking-put.js: Added.
2684         (shouldBe):
2685         (GeneratorFunctionPrototype):
2686         (g):
2687         (f):
2688         (sink):
2689         * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
2690         (shouldBe):
2691         (GeneratorFunctionPrototype):
2692         (call):
2693         (f):
2694         (sink):
2695         * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
2696         (shouldBe):
2697         (GeneratorFunctionPrototype):
2698         (g):
2699         (sink):
2700         * tests/stress/generator-function-expression-sinking-put.js: Added.
2701         (shouldBe):
2702         (GeneratorFunctionPrototype):
2703         (g):
2704         (sink):
2705
2706 2015-12-15  Mark Lam  <mark.lam@apple.com>
2707
2708         Gardening: fix broken 32-bit JSC tests.  Just need to assign a scratch register.
2709         https://bugs.webkit.org/show_bug.cgi?id=152191 
2710
2711         Not reviewed.
2712
2713         * jit/JITArithmetic.cpp:
2714         (JSC::JIT::emitBitBinaryOpFastPath):
2715
2716 2015-12-15  Mark Lam  <mark.lam@apple.com>
2717
2718         Introducing ScratchRegisterAllocator::PreservedState.
2719         https://bugs.webkit.org/show_bug.cgi?id=152315
2720
2721         Reviewed by Geoffrey Garen.
2722
2723         restoreReusedRegistersByPopping() should always be called with 2 values that
2724         match the expectation of preserveReusedRegistersByPushing().  Those 2 values
2725         are the number of bytes preserved and the ExtraStackSpace requirement.  By
2726         encapsulating them in a ScratchRegisterAllocator::PreservedState, we can make
2727         it less error-prone when calling restoreReusedRegistersByPopping().  Now, we only
2728         need to pass it the appropriate PreservedState that its matching
2729         preserveReusedRegistersByPushing() returned.
2730
2731         * bytecode/PolymorphicAccess.cpp:
2732         (JSC::AccessGenerationState::restoreScratch):
2733         (JSC::AccessCase::generate):
2734         (JSC::PolymorphicAccess::regenerate):
2735         * bytecode/PolymorphicAccess.h:
2736         (JSC::AccessGenerationState::AccessGenerationState):
2737         * ftl/FTLCompileBinaryOp.cpp:
2738         (JSC::FTL::generateBinaryBitOpFastPath):
2739         (JSC::FTL::generateRightShiftFastPath):
2740         (JSC::FTL::generateBinaryArithOpFastPath):
2741         * ftl/FTLLazySlowPath.cpp:
2742         (JSC::FTL::LazySlowPath::generate):
2743         * ftl/FTLLowerDFGToLLVM.cpp:
2744         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
2745         * jit/ScratchRegisterAllocator.cpp:
2746         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
2747         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
2748         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2749         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2750         * jit/ScratchRegisterAllocator.h:
2751         (JSC::ScratchRegisterAllocator::usedRegisters):
2752         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
2753
2754 2015-12-15  Mark Lam  <mark.lam@apple.com>
2755
2756         Polymorphic operand types for DFG and FTL bit operators.
2757         https://bugs.webkit.org/show_bug.cgi?id=152191
2758
2759         Reviewed by Saam Barati.
2760
2761         * bytecode/SpeculatedType.h:
2762         (JSC::isUntypedSpeculationForBitOps):
2763         * dfg/DFGAbstractInterpreterInlines.h:
2764         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2765         * dfg/DFGNode.h:
2766         (JSC::DFG::Node::shouldSpeculateUntypedForBitOps):
2767         - Added a check for types that are not supported by ValueToInt32 and therefore
2768           should be treated as untyped for bitops.
2769
2770         * dfg/DFGClobberize.h:
2771         (JSC::DFG::clobberize):
2772         * dfg/DFGFixupPhase.cpp:
2773         (JSC::DFG::FixupPhase::fixupNode):
2774         - Handled untyped operands.
2775
2776         * dfg/DFGOperations.cpp:
2777         * dfg/DFGOperations.h:
2778         - Added DFG slow path functions for bitops.
2779
2780         * dfg/DFGSpeculativeJIT.cpp:
2781         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
2782         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
2783         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
2784         (JSC::DFG::SpeculativeJIT::compileShiftOp):
2785         * dfg/DFGSpeculativeJIT.h:
2786         - Added DFG backend support for untyped operands for bitops.
2787
2788         * dfg/DFGStrengthReductionPhase.cpp:
2789         (JSC::DFG::StrengthReductionPhase::handleNode):
2790         - Limit bitops strength reduction to cases where we don't have untyped operands.
2791           This is because values that are not int32s need to be converted to int32.
2792           Without untyped operands, the ValueToInt32 node takes care of this.
2793           With untyped operands, we cannot use ValueToInt32, and need to do the conversion
2794           in the code emitted for the bitop node itself.  For example:
2795
2796               5.5 | 0; // yields 5 because ValueToInt32 converts the 5.5 to a 5.
2797               "abc" | 0; // would yield "abc" instead of the expected 0 if we let
2798                          // strength reduction do its thing.
2799
2800         * ftl/FTLCompileBinaryOp.cpp:
2801         (JSC::FTL::generateBinaryBitOpFastPath):
2802         (JSC::FTL::generateRightShiftFastPath):
2803         (JSC::FTL::generateBinaryOpFastPath):
2804
2805         * ftl/FTLInlineCacheDescriptor.h:
2806         (JSC::FTL::BitAndDescriptor::BitAndDescriptor):
2807         (JSC::FTL::BitAndDescriptor::icSize):
2808         (JSC::FTL::BitAndDescriptor::nodeType):
2809         (JSC::FTL::BitAndDescriptor::opName):
2810         (JSC::FTL::BitAndDescriptor::slowPathFunction):
2811         (JSC::FTL::BitAndDescriptor::nonNumberSlowPathFunction):
2812         (JSC::FTL::BitOrDescriptor::BitOrDescriptor):
2813         (JSC::FTL::BitOrDescriptor::icSize):
2814         (JSC::FTL::BitOrDescriptor::nodeType):
2815         (JSC::FTL::BitOrDescriptor::opName):
2816         (JSC::FTL::BitOrDescriptor::slowPathFunction):
2817         (JSC::FTL::BitOrDescriptor::nonNumberSlowPathFunction):
2818         (JSC::FTL::BitXorDescriptor::BitXorDescriptor):
2819         (JSC::FTL::BitXorDescriptor::icSize):
2820         (JSC::FTL::BitXorDescriptor::nodeType):
2821         (JSC::FTL::BitXorDescriptor::opName):
2822         (JSC::FTL::BitXorDescriptor::slowPathFunction):
2823         (JSC::FTL::BitXorDescriptor::nonNumberSlowPathFunction):
2824         (JSC::FTL::BitLShiftDescriptor::BitLShiftDescriptor):
2825         (JSC::FTL::BitLShiftDescriptor::icSize):
2826         (JSC::FTL::BitLShiftDescriptor::nodeType):
2827         (JSC::FTL::BitLShiftDescriptor::opName):
2828         (JSC::FTL::BitLShiftDescriptor::slowPathFunction):
2829         (JSC::FTL::BitLShiftDescriptor::nonNumberSlowPathFunction):
2830         (JSC::FTL::BitRShiftDescriptor::BitRShiftDescriptor):
2831         (JSC::FTL::BitRShiftDescriptor::icSize):
2832         (JSC::FTL::BitRShiftDescriptor::nodeType):
2833         (JSC::FTL::BitRShiftDescriptor::opName):
2834         (JSC::FTL::BitRShiftDescriptor::slowPathFunction):
2835         (JSC::FTL::BitRShiftDescriptor::nonNumberSlowPathFunction):
2836         (JSC::FTL::BitURShiftDescriptor::BitURShiftDescriptor):
2837         (JSC::FTL::BitURShiftDescriptor::icSize):
2838         (JSC::FTL::BitURShiftDescriptor::nodeType):
2839         (JSC::FTL::BitURShiftDescriptor::opName):
2840         (JSC::FTL::BitURShiftDescriptor::slowPathFunction):
2841         (JSC::FTL::BitURShiftDescriptor::nonNumberSlowPathFunction):
2842         - Added support for bitop ICs.
2843
2844         * ftl/FTLInlineCacheSize.cpp:
2845         (JSC::FTL::sizeOfBitAnd):
2846         (JSC::FTL::sizeOfBitOr):
2847         (JSC::FTL::sizeOfBitXor):
2848         (JSC::FTL::sizeOfBitLShift):
2849         (JSC::FTL::sizeOfBitRShift):
2850         (JSC::FTL::sizeOfBitURShift):
2851         * ftl/FTLInlineCacheSize.h:
2852         - Added new bitop IC sizes.  These are just estimates for now that work adequately
2853           and are shown not to impact performance on benchmarks.  We will re-tune these
2854           size values later in another patch once all snippet ICs have been added.
2855
2856         * ftl/FTLLowerDFGToLLVM.cpp:
2857         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2858         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2859         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2860         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2861         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2862         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2863         - Added support for bitop ICs.
2864
2865         * jit/JITLeftShiftGenerator.cpp:
2866         (JSC::JITLeftShiftGenerator::generateFastPath):
2867         * jit/JITLeftShiftGenerator.h:
2868         (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
2869         * jit/JITRightShiftGenerator.cpp:
2870         (JSC::JITRightShiftGenerator::generateFastPath):
2871         - The shift MASM operations need to ensure that the shiftAmount is not in the same
2872           register as the destination register.  With the baseline JIT and DFG, this is
2873           ensured by how we allocate these registers, and hence the bug does not manifest.
2874           With the FTL, these registers are not guaranteed to be unique.  Hence, we need
2875           to fix the shift op snippet code to compensate for this.
2876
2877 2015-12-15  Caitlin Potter  <caitp@igalia.com>
2878
2879         [JSC] SyntaxError if AssignmentElement is `eval` or `arguments` in strict code
2880         https://bugs.webkit.org/show_bug.cgi?id=152302
2881
2882         Reviewed by Mark Lam.
2883
2884         `eval` and `arguments` must not be assigned to in strict code. This
2885         change fixes `language/expressions/assignment/destructuring/obj-id-simple-strict.js`
2886         in Test262, as well as a variety of other similar tests.
2887
2888         * parser/Parser.cpp:
2889         (JSC::Parser<LexerType>::parseAssignmentElement):
2890         (JSC::Parser<LexerType>::parseDestructuringPattern):
2891         * tests/stress/destructuring-assignment-syntax.js:
2892
2893 2015-12-15  Csaba Osztrogonác  <ossy@webkit.org>
2894
2895         URTBF after 194062.
2896
2897         * assembler/MacroAssemblerARM.h:
2898         (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Added.
2899         (JSC::MacroAssemblerARM::ceilDouble): Added.
2900
2901 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2902
2903         FTL B3 should account for localsOffset
2904         https://bugs.webkit.org/show_bug.cgi?id=152288
2905
2906         Reviewed by Saam Barati.
2907
2908         The DFG will build up some data structures that expect to know about offsets from FP. Those data
2909         structures may slide by some offset when the low-level compiler (either LLVM or B3) does stack
2910         allocation. So, the LLVM FTL modifies those data structures based on the real offset that it gets
2911         from LLVM's stackmaps. The B3 code needs to do the same.
2912
2913         I had previously vowed to never put more stuff into FTLB3Compile.cpp, because I didn't want it to
2914         look like FTLCompile.cpp. Up until now, I was successful because I used lambdas installed by
2915         FTLLower. But in this case, I actually think that having code that just does this explicitly in
2916         FTLB3Compile.cpp is least confusing. There is no particular place in FTLLower that would want to
2917         care about this, and we need to ensure that we do this fixup before we run any of the stackmap
2918         generators. In other words, it needs to happen before we call B3::generate(). The ordering
2919         constraints seem like a good reason to have this done explicitly rather than through lambdas.
2920
2921         I wrote a test. The test was failing in trunk because the B3 meaning of anchor().value() is
2922         different from the LLVM meaning. This caused breakage when we used this idiom:
2923
2924             ValueFromBlock foo = m_out.anchor(things);
2925             ...(foo.value()) // we were expecting that foo.value() == things
2926
2927         I never liked this idiom to begin with, so instead of trying to change B3's anchor(), I changed
2928         the idiom to:
2929
2930             LValue fooValue = things;
2931             ValueFromBlock foo = m_out.anchor(fooValue);
2932             ...(fooValue)
2933
2934         This is probably a good idea, since eventually we want B3's anchor() to just return the
2935         UpsilonValue*. To get there, we want to eliminate any situations where code assumes that
2936         ValueFromBlock is an actual object and not just a typedef for a pointer.
2937
2938         * ftl/FTLB3Compile.cpp:
2939         (JSC::FTL::compile):
2940         * ftl/FTLB3Output.cpp:
2941         (JSC::FTL::Output::appendTo):
2942         (JSC::FTL::Output::lockedStackSlot):
2943         * ftl/FTLB3Output.h:
2944         (JSC::FTL::Output::framePointer):
2945         (JSC::FTL::Output::constBool):
2946         (JSC::FTL::Output::constInt32):
2947         * ftl/FTLLowerDFGToLLVM.cpp:
2948         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2949         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2950         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
2951         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
2952         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringCharAt):
2953         (JSC::FTL::DFG::LowerDFGToLLVM::compileForwardVarargs):
2954         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty):
2955         (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
2956         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
2957         * ftl/FTLState.h:
2958         (JSC::FTL::verboseCompilationEnabled):
2959         * tests/stress/ftl-function-dot-arguments-with-callee-saves.js: Added.
2960
2961 2015-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2962
2963         Math.random should have an intrinsic thunk and it should be later handled as a DFG Node
2964         https://bugs.webkit.org/show_bug.cgi?id=152133
2965
2966         Reviewed by Geoffrey Garen.
2967
2968         In this patch, we implement a new RandomIntrinsic. It emits machine code to generate random numbers efficiently.
2969         Later it will be recognized by the DFG and converted to an ArithRandom node.
2970         It provides the type information SpecDoubleReal since Math.random only generates a number within [0, 1.0).
2971
2972         Currently, only the 64-bit version is supported. On 32-bit environments, ArithRandom will be converted to a callOperation.
2973         While it emits a function call, the ArithRandom node on 32-bit still has SpecDoubleReal as its result type.
2974
2975         * dfg/DFGAbstractHeap.h:
2976         * dfg/DFGAbstractInterpreterInlines.h:
2977         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2978         * dfg/DFGByteCodeParser.cpp:
2979         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2980         * dfg/DFGClobberize.h:
2981         (JSC::DFG::clobberize):
2982         * dfg/DFGDoesGC.cpp:
2983         (JSC::DFG::doesGC):
2984         * dfg/DFGFixupPhase.cpp:
2985         (JSC::DFG::FixupPhase::fixupNode):
2986         * dfg/DFGNodeType.h:
2987         * dfg/DFGOperations.cpp:
2988         * dfg/DFGOperations.h:
2989         * dfg/DFGPredictionPropagationPhase.cpp:
2990         (JSC::DFG::PredictionPropagationPhase::propagate):
2991         * dfg/DFGSafeToExecute.h:
2992         (JSC::DFG::safeToExecute):
2993         * dfg/DFGSpeculativeJIT.h:
2994         (JSC::DFG::SpeculativeJIT::callOperation):
2995         * dfg/DFGSpeculativeJIT32_64.cpp:
2996         (JSC::DFG::SpeculativeJIT::compile):
2997         (JSC::DFG::SpeculativeJIT::compileArithRandom):
2998         * dfg/DFGSpeculativeJIT64.cpp:
2999         (JSC::DFG::SpeculativeJIT::compile):
3000         (JSC::DFG::SpeculativeJIT::compileArithRandom):
3001         * ftl/FTLCapabilities.cpp:
3002         (JSC::FTL::canCompile):
3003         * ftl/FTLLowerDFGToLLVM.cpp:
3004         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3005         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRandom):
3006         * jit/AssemblyHelpers.cpp:
3007         (JSC::emitRandomThunkImpl):
3008         (JSC::AssemblyHelpers::emitRandomThunk):
3009         * jit/AssemblyHelpers.h:
3010         * jit/JITOperations.h:
3011         * jit/ThunkGenerators.cpp:
3012         (JSC::randomThunkGenerator):
3013         * jit/ThunkGenerators.h:
3014         * runtime/Intrinsic.h:
3015         * runtime/JSGlobalObject.h:
3016         (JSC::JSGlobalObject::weakRandomOffset):
3017         * runtime/MathObject.cpp:
3018         (JSC::MathObject::finishCreation):
3019         * runtime/VM.cpp:
3020         (JSC::thunkGeneratorForIntrinsic):
3021         * tests/stress/random-53bit.js: Added.
3022         (test):
3023         * tests/stress/random-in-range.js: Added.
3024         (test):
3025
3026 2015-12-14  Benjamin Poulain  <benjamin@webkit.org>
3027
3028         Rename FTL::Output's ceil64() to doubleCeil()
3029
3030         Rubber-stamped by Filip Pizlo.
3031
3032         ceil64() was a bad name; that's the naming convention we use for integers.
3033
3034         * ftl/FTLB3Output.h:
3035         (JSC::FTL::Output::doubleCeil):
3036         (JSC::FTL::Output::ceil64): Deleted.
3037         * ftl/FTLLowerDFGToLLVM.cpp:
3038         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRound):
3039
3040 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3041
3042         FTL B3 should be able to run n-body.js
3043         https://bugs.webkit.org/show_bug.cgi?id=152281
3044
3045         Reviewed by Benjamin Poulain.
3046
3047         Fix a bug where m_captured was pointing to the start of the captured vars slot rather than the
3048         end, like the rest of the FTL expected.
3049
3050         * ftl/FTLLowerDFGToLLVM.cpp:
3051         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3052
3053 2015-12-14  Benjamin Poulain  <bpoulain@apple.com>
3054
3055         Fix bad copy-paste in r194062
3056
3057         * ftl/FTLB3Output.h:
3058         (JSC::FTL::Output::ceil64):
3059
3060 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3061
3062         Unreviewed, fix cloop build.
3063
3064         * jit/GPRInfo.cpp:
3065
3066 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3067
3068         FTL B3 should do PutById
3069         https://bugs.webkit.org/show_bug.cgi?id=152268
3070
3071         Reviewed by Saam Barati.
3072
3073         * CMakeLists.txt:
3074         * JavaScriptCore.xcodeproj/project.pbxproj:
3075         * b3/B3LowerToAir.cpp:
3076         (JSC::B3::Air::LowerToAir::createGenericCompare): I realized that we were missing some useful matching rules.
3077         * b3/testb3.cpp: Added a bunch of tests.
3078         * ftl/FTLLowerDFGToLLVM.cpp:
3079         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById): Do the things.
3080         * jit/GPRInfo.cpp: Added. I had to do this yucky thing because clang was having issues compiling references to this from deeply nested lambdas.
3081         * jit/GPRInfo.h: Added a comment about how patchpointScratchRegister is bizarre and should probably die.
3082
3083 2015-12-14  Benjamin Poulain  <bpoulain@apple.com>
3084
3085         [JSC] Add ceil() support for x86 and expose it to B3
3086         https://bugs.webkit.org/show_bug.cgi?id=152231
3087
3088         Reviewed by Geoffrey Garen.
3089
3090         Most x86 CPUs we care about support ceil() natively
3091         with the round instruction.
3092
3093         This patch exposes that behind a runtime flag, uses it
3094         in the Math.ceil() thunk and exposes it to B3.
3095
3096         * assembler/MacroAssemblerARM64.h:
3097         (JSC::MacroAssemblerARM64::supportsFloatingPointCeil):
3098         * assembler/MacroAssemblerARMv7.h:
3099         (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil):
3100         * assembler/MacroAssemblerMIPS.h:
3101         (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil):
3102         * assembler/MacroAssemblerSH4.h:
3103         (JSC::MacroAssemblerSH4::supportsFloatingPointCeil):
3104         * assembler/MacroAssemblerX86Common.cpp:
3105         * assembler/MacroAssemblerX86Common.h:
3106         (JSC::MacroAssemblerX86Common::ceilDouble):
3107         (JSC::MacroAssemblerX86Common::ceilFloat):
3108         (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil):
3109         (JSC::MacroAssemblerX86Common::supportsLZCNT):
3110         * assembler/X86Assembler.h:
3111         (JSC::X86Assembler::roundss_rr):
3112         (JSC::X86Assembler::roundss_mr):
3113         (JSC::X86Assembler::roundsd_rr):
3114         (JSC::X86Assembler::roundsd_mr):
3115         (JSC::X86Assembler::mfence):
3116         (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
3117         * b3/B3ConstDoubleValue.cpp:
3118         (JSC::B3::ConstDoubleValue::ceilConstant):
3119         * b3/B3ConstDoubleValue.h:
3120         * b3/B3ConstFloatValue.cpp:
3121         (JSC::B3::ConstFloatValue::ceilConstant):
3122         * b3/B3ConstFloatValue.h:
3123         * b3/B3LowerMacrosAfterOptimizations.cpp:
3124         * b3/B3LowerToAir.cpp:
3125         (JSC::B3::Air::LowerToAir::lower):
3126         * b3/B3Opcode.cpp:
3127         (WTF::printInternal):
3128         * b3/B3Opcode.h:
3129         * b3/B3ReduceDoubleToFloat.cpp:
3130         * b3/B3ReduceStrength.cpp:
3131         * b3/B3Validate.cpp:
3132         * b3/B3Value.cpp:
3133         (JSC::B3::Value::ceilConstant):
3134         (JSC::B3::Value::effects):
3135         (JSC::B3::Value::key):
3136         (JSC::B3::Value::typeFor):
3137         * b3/B3Value.h:
3138         * b3/air/AirOpcode.opcodes:
3139         * b3/testb3.cpp:
3140         (JSC::B3::testCeilArg):
3141         (JSC::B3::testCeilImm):
3142         (JSC::B3::testCeilMem):
3143         (JSC::B3::testCeilCeilArg):
3144         (JSC::B3::testCeilIToD64):
3145         (JSC::B3::testCeilIToD32):
3146         (JSC::B3::testCeilArgWithUselessDoubleConversion):
3147         (JSC::B3::testCeilArgWithEffectfulDoubleConversion):
3148         (JSC::B3::populateWithInterestingValues):
3149         (JSC::B3::run):
3150         * ftl/FTLB3Output.h:
3151         (JSC::FTL::Output::ceil64):
3152         * jit/ThunkGenerators.cpp:
3153         (JSC::ceilThunkGenerator):
3154
3155 2015-12-14  Andreas Kling  <akling@apple.com>
3156
3157         ResourceUsageOverlay should show GC timers.
3158         <https://webkit.org/b/152151>
3159
3160         Reviewed by Darin Adler.
3161
3162         Expose the next fire time (in WTF timestamp style) of a GCActivityCallback.
3163
3164         * heap/GCActivityCallback.cpp:
3165         (JSC::GCActivityCallback::scheduleTimer):
3166         (JSC::GCActivityCallback::cancelTimer):
3167         * heap/GCActivityCallback.h:
3168
3169 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3170
3171         Unreviewed, fix merge issue in a test.
3172
3173         * b3/testb3.cpp:
3174         (JSC::B3::testCheckTwoMegaCombos):
3175         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
3176
3177 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3178
3179         B3 should not give ValueReps for the non-stackmap children of a CheckValue to the generator callback
3180         https://bugs.webkit.org/show_bug.cgi?id=152224
3181
3182         Reviewed by Geoffrey Garen.
3183
3184         Previously, a stackmap generator for a Check had to know how many children the B3 value for the
3185         Check had at the time of code generation. That meant that B3 could not change the kind of Check
3186         that it was - for example it cannot turn a Check into a Patchpoint and it cannot turn a CheckAdd
3187         into a Check. But just changing the contract so that the stackmap generation params only get the
3188         stackmap children of the check means that B3 can transform Checks as it likes.
3189
3190         This is meant to aid sinking values into checks.
3191
3192         Also, I found that the effects of a Check did not include HeapRange::top(). I think it's best if
3193         exitsSideways does not imply reading top, the way that it does in DFG. In the DFG, that makes
3194         sense because the exit analysis is orthogonal, so the clobber analysis tells you about the reads
3195         not counting OSR exit - if you need to you can conditionally merge that with World based on a
3196         separate exit analysis. But in B3, the Effects object tells you about both exiting and reading,
3197         and it's computed by one analysis. Prior to this change, Check was not setting reads to top() so
3198         we were effectively saying that Effects::reads is meaningless when exitsSideways is true. It
3199         seems more sensible to instead force the analysis to set reads to top() when setting
3200         exitsSideways to true, not least because we only have one such analysis and many users. But it
3201         also makes sense for another reason: it allows us to bound the set of things that the program
3202         will read after it exits. That might not be useful to us now, but it's a nice feature to get for
3203         free. I've seen language features that behave like exitsSideways but don't also read top,
3204         like an array bounds check that causes sudden termination without making any promises about how
3205         pretty the crash dump will look.
3206
3207         * b3/B3CheckSpecial.cpp:
3208         (JSC::B3::CheckSpecial::generate):
3209         * b3/B3Opcode.h:
3210         * b3/B3Value.cpp:
3211         (JSC::B3::Value::effects):
3212         * b3/testb3.cpp:
3213         (JSC::B3::testSimpleCheck):
3214         (JSC::B3::testCheckLessThan):
3215         (JSC::B3::testCheckMegaCombo):
3216         (JSC::B3::testCheckAddImm):
3217         (JSC::B3::testCheckAddImmCommute):
3218         (JSC::B3::testCheckAddImmSomeRegister):
3219         (JSC::B3::testCheckAdd):
3220         (JSC::B3::testCheckAdd64):
3221         (JSC::B3::testCheckSubImm):
3222         (JSC::B3::testCheckSubBadImm):
3223         (JSC::B3::testCheckSub):
3224         (JSC::B3::testCheckSub64):
3225         (JSC::B3::testCheckNeg):
3226         (JSC::B3::testCheckNeg64):
3227         (JSC::B3::testCheckMul):
3228         (JSC::B3::testCheckMulMemory):
3229         (JSC::B3::testCheckMul2):
3230         (JSC::B3::testCheckMul64):
3231         * ftl/FTLLowerDFGToLLVM.cpp:
3232         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
3233
3234 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3235
3236         Air: Support Architecture-specific forms and Opcodes
3237         https://bugs.webkit.org/show_bug.cgi?id=151736
3238
3239         Reviewed by Benjamin Poulain.
3240
3241         This adds really awesome architecture selection to the AirOpcode.opcodes file. If an opcode or
3242         opcode form is unavailable on some architecture, you can still mention its name in C++ code (it'll
3243         still be a member of the enum) but isValidForm() and all other reflective queries will tell you
3244         that it doesn't exist. This will make the instruction selector steer clear of it, and it will
3245         also ensure that the spiller doesn't try to use any unavailable architecture-specific address
3246         forms.
3247
3248         The new capability is documented extensively in a comment in AirOpcode.opcodes.
3249
3250         * b3/air/AirOpcode.opcodes:
3251         * b3/air/opcode_generator.rb:
3252
3253 2015-12-14  Mark Lam  <mark.lam@apple.com>
3254
3255         Misc. small fixes in snippet related code.
3256         https://bugs.webkit.org/show_bug.cgi?id=152259
3257
3258         Reviewed by Saam Barati.
3259
3260         * dfg/DFGSpeculativeJIT.cpp:
3261         (JSC::DFG::SpeculativeJIT::compileArithMul):
3262         - When loading a constant JSValue for a node, use the one that the node already
3263           provides instead of reconstructing it.  This is not a bug, but the fix makes
3264           the code cleaner.
3265
3266         * jit/JITBitAndGenerator.cpp:
3267         (JSC::JITBitAndGenerator::generateFastPath):
3268         - No need to do a bitand with a constant int 0xffffffff operand.
3269
3270         * jit/JITBitOrGenerator.cpp:
3271         (JSC::JITBitOrGenerator::generateFastPath):
3272         - Fix comments: bitor is '|', not '&'.
3273         - No need to do a bitor with a constant int 0 operand.
3274
3275         * jit/JITBitXorGenerator.cpp:
3276         (JSC::JITBitXorGenerator::generateFastPath):
3277         - Fix comments: bitxor is '^', not '&'.
3278
3279         * jit/JITRightShiftGenerator.cpp:
3280         (JSC::JITRightShiftGenerator::generateFastPath):
3281         - Renamed a jump target name to be clearer about its purpose.
3282
3283 2015-12-14  Mark Lam  <mark.lam@apple.com>
3284
3285         We should not employ the snippet code in the DFG if no OSR exit was previously encountered.
3286         https://bugs.webkit.org/show_bug.cgi?id=152255
3287
3288         Reviewed by Saam Barati.
3289
3290         * dfg/DFGFixupPhase.cpp:
3291         (JSC::DFG::FixupPhase::fixupNode):
3292
3293 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3294
3295         B3->Air compare-branch fusion should fuse even if the result of the comparison is used more than once
3296         https://bugs.webkit.org/show_bug.cgi?id=152198
3297
3298         Reviewed by Benjamin Poulain.
3299
3300         If we have a comparison operation that is branched on from multiple places, then we were
3301         previously executing the comparison to get a boolean result in a register and then we were
3302         testing/branching on that register in multiple places. This is actually less efficient than
3303         just fusing the compare/branch multiple times, even though this means that the comparison
3304         executes multiple times. This would only be bad if the comparison fused loads multiple times,
3305         since duplicating loads is both wrong and inefficient. So, this adds the notion of sharing to
3306         compare/branch fusion. If a compare is shared by multiple branches, then we refuse to fuse
3307         the load.
3308
3309         To write the test, I needed to zero-extend 8 to 32. In the process of thinking about how to
3310         do this, I realized that we needed lowerings for SExt8/SExt16. And I realized that the
3311         lowerings for the other extension operations were not fully fleshed out; for example they
3312         were incapable of load fusion. This patch fixes this and also adds some smart strength
3313         reductions for BitAnd(@x, 0xff/0xffff/0xffffffff) - all of which should be lowered to a zero
3314         extension.
3315
3316         This is a big win on asm.js code. It's not enough to bridge the gap to LLVM, but it's a huge
3317         step in that direction.
3318
3319         * assembler/MacroAssemblerX86Common.h:
3320         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
3321         (JSC::MacroAssemblerX86Common::zeroExtend8To32):
3322         (JSC::MacroAssemblerX86Common::signExtend8To32):
3323         (JSC::MacroAssemblerX86Common::load16):
3324         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
3325         (JSC::MacroAssemblerX86Common::zeroExtend16To32):
3326         (JSC::MacroAssemblerX86Common::signExtend16To32):
3327         (JSC::MacroAssemblerX86Common::store32WithAddressOffsetPatch):
3328         * assembler/X86Assembler.h:
3329         (JSC::X86Assembler::movzbl_rr):
3330         (JSC::X86Assembler::movsbl_rr):
3331         (JSC::X86Assembler::movzwl_rr):
3332         (JSC::X86Assembler::movswl_rr):
3333         (JSC::X86Assembler::cmovl_rr):
3334         * b3/B3LowerToAir.cpp:
3335         (JSC::B3::Air::LowerToAir::createGenericCompare):
3336         (JSC::B3::Air::LowerToAir::lower):
3337         * b3/B3ReduceStrength.cpp:
3338         * b3/air/AirOpcode.opcodes:
3339         * b3/testb3.cpp:
3340         (JSC::B3::testCheckMegaCombo):
3341         (JSC::B3::testCheckTwoMegaCombos):
3342         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
3343         (JSC::B3::testCheckAddImm):
3344         (JSC::B3::testTruncSExt32):
3345         (JSC::B3::testSExt8):
3346         (JSC::B3::testSExt8Fold):
3347         (JSC::B3::testSExt8SExt8):
3348         (JSC::B3::testSExt8SExt16):
3349         (JSC::B3::testSExt8BitAnd):
3350         (JSC::B3::testBitAndSExt8):
3351         (JSC::B3::testSExt16):
3352         (JSC::B3::testSExt16Fold):
3353         (JSC::B3::testSExt16SExt16):
3354         (JSC::B3::testSExt16SExt8):
3355         (JSC::B3::testSExt16BitAnd):
3356         (JSC::B3::testBitAndSExt16):
3357         (JSC::B3::testSExt32BitAnd):
3358         (JSC::B3::testBitAndSExt32):
3359         (JSC::B3::testBasicSelect):
3360         (JSC::B3::run):
3361
3362 2015-12-14  Chris Dumez  <cdumez@apple.com>