8c48dc77a1bb1ed359fdc685cd270fff658a50ab
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-08-20  Brian Burg  <bburg@apple.com>

        Remote Inspector: some methods don't need to be marked virtual anymore
        https://bugs.webkit.org/show_bug.cgi?id=161033

        Reviewed by Darin Adler.

        This probably happened when this code was last refactored and moved around.

        * inspector/remote/RemoteConnectionToTarget.h:

2016-08-19  Sam Weinig  <sam@webkit.org>

        Location.ancestorOrigins should return a FrozenArray<USVString>
        https://bugs.webkit.org/show_bug.cgi?id=161018

        Reviewed by Ryosuke Niwa and Chris Dumez.

        * runtime/ObjectConstructor.h:
        (JSC::objectConstructorFreeze):
        Export objectConstructorFreeze so it can be used to freeze DOM FrozenArrays.

2016-08-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] ArithSqrt should work with any argument type
        https://bugs.webkit.org/show_bug.cgi?id=160954

        Reviewed by Saam Barati.

        Previously, ArithSqrt would always OSR Exit if the argument
        is not typed Integer, Double, or Boolean.
        Since we can't recover by generalizing to those, we continuously
        OSR Exit and recompile the same code over and over again.

        This patch introduces a fallback to handle the remaining types.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        * dfg/DFGMayExit.cpp:
        This is somewhat unrelated. While discussing the design of this
        with Filip, we decided not to use ToNumber+ArithSqrt despite
        the guarantee that ToNumber does not OSR Exit.
        Since it does not OSR Exit, we should say so in mayExitImpl().

        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSqrt):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt):

2016-08-19  Joseph Pecoraro  <pecoraro@apple.com>

        Make custom Error properties (line, column, sourceURL) configurable and writable
        https://bugs.webkit.org/show_bug.cgi?id=160984
        <rdar://problem/27905979>

        Reviewed by Saam Barati.

        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):
        (JSC::addErrorInfo):

2016-08-19  Joseph Pecoraro  <pecoraro@apple.com>

        Remove empty files and empty namespace blocks
        https://bugs.webkit.org/show_bug.cgi?id=160990

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ValueProfile.cpp: Removed.
        * runtime/WatchdogMac.cpp: Removed.
        * runtime/WatchdogNone.cpp: Removed.

        * runtime/StringIteratorPrototype.cpp:
        Remove empty namespace block.

        * runtime/JSDestructibleObject.h:
        Drive-by add missing copyright.

2016-08-19  Per Arne Vollan  <pvollan@apple.com>

        [Win] Warning fix.
        https://bugs.webkit.org/show_bug.cgi?id=160995

        Avoid setting an unknown compile option on a source file.

        Reviewed by Anders Carlsson.

        * CMakeLists.txt:

2016-08-18  Mark Lam  <mark.lam@apple.com>

        ScopedArguments is using the wrong owner object for a write barrier.
        https://bugs.webkit.org/show_bug.cgi?id=160976
        <rdar://problem/27328506>

        Reviewed by Keith Miller.

        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::setIndexQuickly):

2016-08-18  Mark Lam  <mark.lam@apple.com>

        Add LLINT probe() macro for X86_64.
        https://bugs.webkit.org/show_bug.cgi?id=160968

        Reviewed by Geoffrey Garen.

        * llint/LowLevelInterpreter.asm:

2016-08-18  Mark Lam  <mark.lam@apple.com>

        Remove unused SlotVisitor::append() variant.
        https://bugs.webkit.org/show_bug.cgi?id=160961

        Reviewed by Saam Barati.

        * heap/SlotVisitor.h:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrier::get):
        (JSC::SlotVisitor::append): Deleted.

2016-08-18  Saam Barati  <sbarati@apple.com>

        Make @Array(size) a bytecode intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=160867

        Reviewed by Mark Lam.

        There were a few places in the code where we were emitting `@Array(size)`
        or `new @Array(size)`. Since we have a bytecode operation that already
        represents this, called new_array_with_size, it's faster to just make a
        bytecode intrinsic for this operation. This patch does that and
        the intrinsic is called `@newArrayWithSize`. This might be around a
        1% speedup on ES6 sample bench, but it's within the noise. This is just
        a good bytecode operation to have because it's common enough to
        create arrays and it's good to make that fast in all tiers.

        * builtins/ArrayConstructor.js:
        (of):
        (from):
        * builtins/ArrayPrototype.js:
        (filter):
        (map):
        (sort.stringSort):
        (sort):
        (concatSlowPath):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_newArrayWithSize):

2016-08-18  Rawinder Singh  <rawinder.singh-webkit@cisra.canon.com.au>

        [web-animations] Add Animatable, AnimationEffect, KeyframeEffect and Animation interface
        https://bugs.webkit.org/show_bug.cgi?id=156096

        Reviewed by Dean Jackson.

        Adds:
        - Animatable interface and implementation of getAnimations in Element.
        - Interface and implementation for Document getAnimations method.
        - AnimationEffect interface and class stub.
        - KeyframeEffect interface and constructor implementation.
        - 'Animation' interface, constructor and query methods for effect and timeline.
        - Remove runtime condition on Web animation interfaces (compile time flag is specified).

        * runtime/CommonIdentifiers.h:

2016-08-17  Keith Miller  <keith_miller@apple.com>

        Add WASM support for i64 simple opcodes.
        https://bugs.webkit.org/show_bug.cgi?id=160928

        Reviewed by Michael Saboff.

        This patch also removes the unsigned int32 mod operator, which is not supported by B3 yet.

        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::toB3Op):
        (JSC::WASM::B3IRGenerator::unaryOp):
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMOps.h:

2016-08-17  JF Bastien  <jfbastien@apple.com>

        We allow assignments to const variables when in a for-in/for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=156673

        Reviewed by Filip Pizlo.

        for-in and for-of weren't checking whether iteration variables from
        parent scopes were const. Assigning to such variables should
        throw, but used not to.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
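
The behaviour the entry above fixes, as an added check that is not part of the WebKit ChangeLog or JavaScriptCore's test suite: a for-in or for-of loop whose iteration variable is a `const` binding from an enclosing scope must throw a TypeError on the first iteration rather than silently rebind it, while `let` bindings and loop-local declarations keep working.

```javascript
// Runs `body` and reports how it finished: "ok" or the thrown error's name.
function outcome(body) {
  try {
    body();
    return "ok";
  } catch (e) {
    return e.name;
  }
}

// for-of assigning to a const iteration variable declared in the parent scope.
// Expected per the spec (and after the fix above): "TypeError".
function forOfAssignsConst() {
  const x = 0;
  return outcome(() => {
    for (x of [1, 2, 3]) { /* the rebinding of x happens in the loop header */ }
  });
}

// for-in assigning to a const iteration variable declared in the parent scope.
// Expected: "TypeError".
function forInAssignsConst() {
  const key = "";
  return outcome(() => {
    for (key in { a: 1 }) { /* same situation with the for-in header */ }
  });
}

// Control: the same loop with a `let` binding is legal and leaves the binding
// holding the last element. Expected: 3.
function forOfAssignsLet() {
  let x = 0;
  const r = outcome(() => { for (x of [1, 2, 3]) {} });
  return r === "ok" ? x : r;
}

// Control: a loop that declares its own `const` binding never assigns to the
// outer one, so no error and the outer value is untouched. Expected: 0.
function forOfWithOwnBinding() {
  const x = 0;
  const r = outcome(() => { for (const x of [1]) {} });
  return r === "ok" ? x : r;
}

// Collects all four results so they can be compared against the expectations.
function runAll() {
  return {
    forOfConst: forOfAssignsConst(),
    forInConst: forInAssignsConst(),
    forOfLet: forOfAssignsLet(),
    ownBinding: forOfWithOwnBinding(),
  };
}
```

An engine with the bug described above would report "ok" for the first two cases instead of "TypeError".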

2016-08-17  Geoffrey Garen  <ggaren@apple.com>

        Fixed a potential bug in MarkedArgumentBuffer.
        https://bugs.webkit.org/show_bug.cgi?id=160948
        <rdar://problem/27889416>

        Reviewed by Oliver Hunt.

        I haven't been able to produce an observable test case after some trying.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::addMarkSet): New helper function -- I broke
        this out from existing code for clarity, but the behavior is the same.

        (JSC::MarkedArgumentBuffer::expandCapacity): Ditto.

        (JSC::MarkedArgumentBuffer::slowAppend): Always addMarkSet() on the slow
        path. This is faster than the old linear scan, and I think it might
        avoid cases the old scan could miss.

        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::append): Account for the case where someone
        has called clear() or removeLast().

        (JSC::MarkedArgumentBuffer::mallocBase): No behavior change -- but it's
        clearer to test the buffers directly instead of inferring what they
        might be based on capacity.

2016-08-17  Mark Lam  <mark.lam@apple.com>

        Remove an invalid assertion in the DFG backend's GetById emitter.
        https://bugs.webkit.org/show_bug.cgi?id=160925
        <rdar://problem/27248961>

        Reviewed by Filip Pizlo.

        The DFG backend's GetById assertion that the node's prediction not be SpecNone
        is just plain wrong.  It assumes that we can never have a GetById node without a
        type prediction, but this is not true.  The following test case proves otherwise:

            function foo() {
                "use strict";
                return --arguments["callee"];
            }

        Will remove the assertion.  Nothing else needs to change as the DFG is working
        correctly without the assertion.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-08-16  Mark Lam  <mark.lam@apple.com>

        Heap::collectAllGarbage() should work with JSC_useImmortalObjects=true.
        https://bugs.webkit.org/show_bug.cgi?id=160917

        Reviewed by Filip Pizlo.

        If we do a synchronous GC when JSC_useImmortalObjects=true, we'll get a
        RELEASE_ASSERT failure:

            $ JSC_useImmortalObjects=true jsc
            >>> gc()
            Trace/BPT trap: 5

        This is because Heap::collectAllGarbage() is doing an explicit sweep of the
        MarkedSpace, and the sweeper is expecting to see no RetiredBlocks.  However, we
        make objects immortal by retiring their blocks.  As a result, there is a mismatch
        in expectancy.

        The fix is simply to not run the sweeper when JSC_useImmortalObjects=true.

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):

2016-08-16  Keith Miller  <keith_miller@apple.com>

        Add WASM I32 simple operators.
        https://bugs.webkit.org/show_bug.cgi?id=160914

        Reviewed by Benjamin Poulain.

        This patch adds support for the i32 simple binary operators.

        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::toB3Op):
        (JSC::WASM::B3IRGenerator::binaryOp):
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMOps.h:

2016-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Conversion to sequence<T> is broken for iterable objects
        https://bugs.webkit.org/show_bug.cgi?id=160801

        Reviewed by Darin Adler.

        Export functions used to iterate over iterable objects.

        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):

2016-08-15  Benjamin Poulain  <bpoulain@apple.com>

        [Regression 204203-204210] 32-bit ASSERTION FAILED: !m_data[index].name.isValid()
        https://bugs.webkit.org/show_bug.cgi?id=160881

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        We were trying to set the result of the Identity node to the same
        value as the source of the Identity.
        That is pretty messed up.

2016-08-15  Saam Barati  <sbarati@apple.com>

        Web Inspector: Introduce a method to enable code coverage profiler without enabling type profiler
        https://bugs.webkit.org/show_bug.cgi?id=160750
        <rdar://problem/27793469>

        Reviewed by Joseph Pecoraro.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::enableControlFlowProfiler):
        (Inspector::InspectorRuntimeAgent::disableControlFlowProfiler):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
        (Inspector::InspectorRuntimeAgent::setControlFlowProfilerEnabledState):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2016-08-15  Saam Barati  <sbarati@apple.com>

        Array.prototype.map builtin should go on the fast path when constructor===@Array
        https://bugs.webkit.org/show_bug.cgi?id=160836

        Reviewed by Keith Miller.

        In the FTL, we were not compiling the result array in Array.prototype.map
        efficiently when the result array should use the Array constructor
        (which is the common case). We used to compile it as:
        x: JSConstant(Array)
        y: Construct(@x, ...)
        instead of
        y: NewArrayWithSize(...)

        This patch changes the builtin to go down the fast path when certain
        conditions are met. Often, the check to go down the fast path will
        be constant folded because we always create a normal array from the
        Array constructor.

        This is around a 5% speedup on ES6 Sample Bench.

        I also made similar changes for Array.prototype.filter
        and Array.prototype.concat on its slow path.

        * builtins/ArrayPrototype.js:

2016-08-15  Mark Lam  <mark.lam@apple.com>

        Make JSValue::strictEqual() handle failures to resolve JSRopeStrings.
        https://bugs.webkit.org/show_bug.cgi?id=160832
        <rdar://problem/27577556>

        Reviewed by Geoffrey Garen.

        Currently, JSValue::strictEqualSlowCaseInline() (and peers) will blindly try to
        access the StringImpl of a JSRopeString that fails to resolve its rope.  As a
        result, we'll crash with null pointer dereferences.

        We can fix this by introducing a JSString::equal() method that will do the
        equality comparison, but is aware of the potential failures to resolve ropes.
        JSValue::strictEqualSlowCaseInline() (and peers) will now call JSString::equal()
        instead of accessing the underlying StringImpl directly.

        Also added some exception checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITOperations.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSString.cpp:
        (JSC::JSString::equalSlowCase):
        * runtime/JSString.h:
        * runtime/JSStringInlines.h: Added.
        (JSC::JSString::equal):

2016-08-15  Keith Miller  <keith_miller@apple.com>

        Implement WASM Parser and B3 IR generator
        https://bugs.webkit.org/show_bug.cgi?id=160681

        Reviewed by Benjamin Poulain.

        This patch adds the skeleton for a WebAssembly pipeline. The
        pipeline is designed in order to make it easy to have as much of
        the compilation process threaded as possible. The flow of the
        pipeline roughly goes as follows:

        1) Create a WASMPlan with the VM and a Vector of the
        assembly. Currently the plan will process all the work
        synchronously, however, in the future this can be offloaded to
        other threads.

        2) The plan will run the WASMModuleParser, which collates all the
        information needed to compile each module function
        independently. Since we are still in the early phases, the only
        information is the starting and ending byte of the function's
        body. The module parser, however, still scans both and
        semi-validates the type and the function sections.

        3) Each function is decoded and compiled. In the future this
        should also include an opcode validation phase. The
        WASMFunctionParser is templatized so that a validator should be
        able to use most of the same code the B3 IR generator does.

        4) When the plan has finished it will fill a Vector of
        B3::Compilation objects that correspond to the respective function
        in the WASM module.

        The current testing plan for the modules is to inline the
        binary generated by the spec's OCaml prototype. The inlined binary
        is passed to a WASMPlan then invoked to check the result of the
        function. In the future we should add a more robust testing
        infrastructure.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * testWASM.cpp:
        (printUsageStatement):
        (CommandLine::parseArguments):
        (invoke):
        (runWASMTests):
        (main):
        * wasm/JSWASMModule.h:
        (JSC::JSWASMModule::globalVariableTypes):
        * wasm/WASMB3IRGenerator.cpp: Added.
        (JSC::WASM::B3IRGenerator::B3IRGenerator):
        (JSC::WASM::B3IRGenerator::addLocal):
        (JSC::WASM::B3IRGenerator::binaryOp):
        (JSC::WASM::B3IRGenerator::addConstant):
        (JSC::WASM::B3IRGenerator::addBlock):
        (JSC::WASM::B3IRGenerator::endBlock):
        (JSC::WASM::B3IRGenerator::addReturn):
        (JSC::WASM::B3IRGenerator::unify):
        (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
        (JSC::WASM::B3IRGenerator::unifyValuesWithLevel):
        (JSC::WASM::B3IRGenerator::stackForControlLevel):
        (JSC::WASM::B3IRGenerator::blockForControlLevel):
        (JSC::WASM::parseAndCompile):
        * wasm/WASMB3IRGenerator.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMFormat.h:
        * wasm/WASMFunctionParser.h: Added.
        (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser):
        (JSC::WASM::WASMFunctionParser<Context>::parse):
        (JSC::WASM::WASMFunctionParser<Context>::parseBlock):
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASM::WASMModuleParser::parse):
        (JSC::WASM::WASMModuleParser::parseFunctionTypes):
        (JSC::WASM::WASMModuleParser::parseFunctionSignatures):
        (JSC::WASM::WASMModuleParser::parseFunctionDefinitions):
        * wasm/WASMModuleParser.h: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMModuleParser::WASMModuleParser):
        (JSC::WASM::WASMModuleParser::functionInformation):
        * wasm/WASMOps.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMParser.h: Added.
        (JSC::WASM::WASMParser::parseVarUInt32):
        (JSC::WASM::WASMParser::WASMParser):
        (JSC::WASM::WASMParser::consumeCharacter):
        (JSC::WASM::WASMParser::consumeString):
        (JSC::WASM::WASMParser::parseUInt32):
        (JSC::WASM::WASMParser::parseUInt7):
        (JSC::WASM::WASMParser::parseVarUInt1):
        (JSC::WASM::WASMParser::parseValueType):
        * wasm/WASMPlan.cpp: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::Plan::Plan):
        * wasm/WASMPlan.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMSections.cpp: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMSections::lookup):
        * wasm/WASMSections.h: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMSections::validateOrder):

2016-08-15  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] B3 Neg opcode should support float
        https://bugs.webkit.org/show_bug.cgi?id=160795

        Reviewed by Geoffrey Garen.

        This is required to implement WASM f32.neg opcode.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::negateFloat):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testNegDouble):
        (JSC::B3::testNegFloat):
        (JSC::B3::testNegFloatWithUselessDoubleConversion):
        (JSC::B3::run):

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Use #pragma once in inspector headers
        https://bugs.webkit.org/show_bug.cgi?id=160861

        Reviewed by Mark Lam.

        * inspector/*.h:

2016-08-15  Daniel Bates  <dabates@apple.com>

        Cannot build WebKit for iOS device using Xcode 7.3/iOS 9.3 public SDK due to missing
        private frameworks and libraries
        https://bugs.webkit.org/show_bug.cgi?id=155931
        <rdar://problem/25807989>

        Reviewed by Dan Bernstein.

        Add directory WebKitLibraries/WebKitPrivateFrameworkStubs/iOS/X to the framework search path
        where X is the major version of the active iOS SDK.

        * Configurations/Base.xcconfig:

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Reduce includes of Debugger.h
        https://bugs.webkit.org/show_bug.cgi?id=160827

        Reviewed by Mark Lam.

        * API/JSTypedArray.cpp:
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * ftl/FTLJITCode.h:
        * inspector/ScriptCallStackFactory.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITOperations.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * parser/Nodes.cpp:
        * parser/Parser.cpp:
        * parser/Parser.h:
        * runtime/Completion.cpp:
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/SamplingProfiler.cpp:
        * runtime/SamplingProfiler.h:
        * runtime/VMEntryScope.cpp:

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused includes of wtf headers
        https://bugs.webkit.org/show_bug.cgi?id=160839

        Reviewed by Alex Christensen.

        * Lots of files.

2016-08-13  Per Arne Vollan  <pvollan@apple.com>

        [Win] Warning fixes.
        https://bugs.webkit.org/show_bug.cgi?id=160803

        Reviewed by Brent Fulgham.

        Initialize local variables.

        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):

2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>

        Remove always true JSC::Debugger::needPauseHandling virtual method
        https://bugs.webkit.org/show_bug.cgi?id=160822

        Reviewed by Mark Lam.

        All subclasses return true for this method. Just remove the method.

        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        * inspector/ScriptDebugServer.h:

2016-08-12  Saam Barati  <sbarati@apple.com>

        Inline store loop for CopyRest in DFG and FTL for certain array modes
        https://bugs.webkit.org/show_bug.cgi?id=159612

        Reviewed by Filip Pizlo.

        This patch changes the old copy_rest bytecode to actually allocate the rest array itself.
        The bytecode is now called create_rest with an analogous CreateRest node in the DFG/FTL.
        This allows the bytecode to be in control of what type of indexingType the array is allocated
        with. We always allocate using ArrayWithContiguous storage unless we're havingABadTime().
        This also makes allocating and writing into the array fast. On the fast path, the DFG/FTL
        JIT will fast allocate the array and its storage, and we will do a memmove from the rest
        region of arguments into the array's storage.

        I'm seeing a 1-2% speedup on ES6SampleBench, and about a 2x speedup
        on micro benchmarks that just test rest creation speed.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitRestParameter):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::uses):
        (JSC::DFG::Graph::isWatchingHavingABadTimeWatchpoint):
        (JSC::DFG::Graph::compilation):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::numberOfArgumentsToSkip):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileGetRestLength):
        (JSC::DFG::SpeculativeJIT::compileCopyRest): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest): Deleted.
        * interpreter/CallFrame.h:
        (JSC::ExecState::addressOfArgumentsStart):
        (JSC::ExecState::argument):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_argument_count):
        (JSC::JIT::emit_op_create_rest):
        (JSC::JIT::emit_op_copy_rest): Deleted.
        * jit/JITOperations.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2016-08-12  Ryosuke Niwa  <rniwa@webkit.org>

        Add a helper class for enumerating elements in an iterable object
        https://bugs.webkit.org/show_bug.cgi?id=160800

        Reviewed by Benjamin Poulain.

        Added iteratorForIterable which provides an abstraction for iterating over an iterable object,
        and deployed it in the constructors of Set, WeakSet, Map, and WeakMap.

        Also added a helper function iteratorForIterable, which retrieves the iterator out of an iterable object.

        * runtime/IteratorOperations.cpp:
        (JSC::iteratorForIterable): Added.
        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable): Added.
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):

2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused includes of RefCountedLeakCounter.h
        https://bugs.webkit.org/show_bug.cgi?id=160817

        Reviewed by Mark Lam.

        * parser/Nodes.cpp:
        * runtime/Structure.cpp:

2016-08-12  Pranjal Jumde  <pjumde@apple.com>

        ASSERTION FAILED: : line >= firstLine in BytecodeGenerator::emitExpressionInfo.
        https://bugs.webkit.org/show_bug.cgi?id=160535
        <rdar://problem/27328151>

        Reviewed by Saam Barati.

        lineNumber from the savePoint was not being restored before calling next(), causing a discrepancy in the offset and line for the token.

        * parser/Parser.h:
        (JSC::Parser::restoreLexerState):

2016-08-12  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES2016] Implement Object.entries
        https://bugs.webkit.org/show_bug.cgi?id=160412

        Reviewed by Saam Barati.

        This patch adds an entries function to Object that returns a list of
        key+value pairs. The patch was done according to the
        spec https://tc39.github.io/ecma262/#sec-object.entries

        * builtins/ObjectConstructor.js:
        (globalPrivate.enumerableOwnProperties):
        (entries):
        * runtime/ObjectConstructor.cpp:
775 2016-08-11  Mark Lam  <mark.lam@apple.com>
776
777         OverridesHasInstance should not branch across register allocations.
778         https://bugs.webkit.org/show_bug.cgi?id=160792
779         <rdar://problem/27361778>
780
781         Reviewed by Benjamin Poulain.
782
783         The OverrideHasInstance node has a branch test that is emitted conditionally.
784         It also has a bug where it allocated a register after this branch, which is not
785         allowed and would fail an assertion introduced in https://trac.webkit.org/r145931.
786         From the ChangeLog for r145931:
787
788         "This [assertion that register allocations are not branched around] protects
789         against the case where an allocation could have spilled register contents to free
790         up a register and that spill only occurs on one path of many through the code.
791         A subsequent fill of the spilled register may load garbage."
792
793         Because the branch isn't always emitted, this bug has gone unnoticed until now.
794         This patch fixes this issue by pre-allocating the registers before emitting the
795         branch in OverrideHasInstance.
796
797         Note: this issue is only present in DFGSpeculativeJIT64.cpp.  The 32-bit version
798         is doing it right.
799
800         * dfg/DFGSpeculativeJIT64.cpp:
801         (JSC::DFG::SpeculativeJIT::compile):
802
803 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
804
805         [JSC] Make B3 Return opcode work without arguments
806         https://bugs.webkit.org/show_bug.cgi?id=160787
807
808         Reviewed by Keith Miller.
809
810         We need a way to create functions that do not return values.
811
812         * assembler/MacroAssembler.h:
813         (JSC::MacroAssembler::retVoid):
814         * b3/B3BasicBlock.cpp:
815         (JSC::B3::BasicBlock::appendNewControlValue):
816         * b3/B3LowerToAir.cpp:
817         (JSC::B3::Air::LowerToAir::lower):
818         * b3/B3Validate.cpp:
819         * b3/B3Value.h:
820         * b3/air/AirOpcode.opcodes:
821         * b3/testb3.cpp:
822         (JSC::B3::testReturnVoid):
823         (JSC::B3::run):
824
825 2016-08-11  Mark Lam  <mark.lam@apple.com>
826
827         Gardening: fix gcc builds after r204387. 
828
829         Not reviewed.
830
831         Apparently, gcc is not sophisticated enough to realize that the end of the
832         function is unreachable, and is wrongly complaining about "control reaches end of
833         non-void function".  I'm restoring the RELEASE_ASSERT_NOT_REACHED() and return
834         statement at the end of MarkedBlock::sweepHelper() to appease gcc.
835
836         * heap/MarkedBlock.cpp:
837         (JSC::MarkedBlock::sweepHelper):
838
839 2016-08-11  Alex Christensen  <achristensen@webkit.org>
840
841         Use StringBuilder::appendLiteral when possible don't append result of makeString
842         https://bugs.webkit.org/show_bug.cgi?id=160772
843
844         Reviewed by Sam Weinig.
845
846         * API/tests/ExecutionTimeLimitTest.cpp:
847         (testExecutionTimeLimit):
848         * API/tests/PingPongStackOverflowTest.cpp:
849         (PingPongStackOverflowObject_hasInstance):
850         * bytecompiler/NodesCodegen.cpp:
851         (JSC::ArrayPatternNode::toString):
852         (JSC::RestParameterNode::toString):
853         * runtime/ErrorInstance.cpp:
854         (JSC::ErrorInstance::sanitizedToString):
855         * runtime/Options.cpp:
856         (JSC::Options::dumpOption):
857
858 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
859
860         [JSC] Revert most of r203808
861         https://bugs.webkit.org/show_bug.cgi?id=160784
862
863         Reviewed by Geoffrey Garen.
864
865         Switching to fastMalloc() caused regressions on Jetstream and Octane
866         on MacBook Air. I was able to get back some of it in the following
867         patches, but the tests that never go to FTL are still regressed.
868
869         This patch reverts r203808 except for the node index.
870         Nodes are allocated with the custom allocator like before, but they are
871         now also kept in a table, addressed by the node index.
872
873         * CMakeLists.txt:
874         * JavaScriptCore.xcodeproj/project.pbxproj:
875         * b3/B3SparseCollection.h:
876         (JSC::B3::SparseCollection::packIndices): Deleted.
877         * dfg/DFGAllocator.h: Added.
878         (JSC::DFG::Allocator::Region::size):
879         (JSC::DFG::Allocator::Region::headerSize):
880         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
881         (JSC::DFG::Allocator::Region::data):
882         (JSC::DFG::Allocator::Region::isInThisRegion):
883         (JSC::DFG::Allocator::Region::regionFor):
884         (JSC::DFG::Allocator<T>::Allocator):
885         (JSC::DFG::Allocator<T>::~Allocator):
886         (JSC::DFG::Allocator<T>::allocate):
887         (JSC::DFG::Allocator<T>::free):
888         (JSC::DFG::Allocator<T>::freeAll):
889         (JSC::DFG::Allocator<T>::reset):
890         (JSC::DFG::Allocator<T>::indexOf):
891         (JSC::DFG::Allocator<T>::allocatorOf):
892         (JSC::DFG::Allocator<T>::bumpAllocate):
893         (JSC::DFG::Allocator<T>::freeListAllocate):
894         (JSC::DFG::Allocator<T>::allocateSlow):
895         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
896         (JSC::DFG::Allocator<T>::startBumpingIn):
897         * dfg/DFGDriver.cpp:
898         (JSC::DFG::compileImpl):
899         * dfg/DFGGraph.cpp:
900         (JSC::DFG::Graph::Graph):
901         (JSC::DFG::Graph::~Graph):
902         (JSC::DFG::Graph::addNodeToMapByIndex):
903         (JSC::DFG::Graph::deleteNode):
904         (JSC::DFG::Graph::packNodeIndices):
905         * dfg/DFGGraph.h:
906         (JSC::DFG::Graph::addNode):
907         (JSC::DFG::Graph::maxNodeCount):
908         (JSC::DFG::Graph::nodeAt):
909         * dfg/DFGLongLivedState.cpp: Added.
910         (JSC::DFG::LongLivedState::LongLivedState):
911         (JSC::DFG::LongLivedState::~LongLivedState):
912         (JSC::DFG::LongLivedState::shrinkToFit):
913         * dfg/DFGLongLivedState.h: Added.
914         * dfg/DFGNode.h:
915         * dfg/DFGNodeAllocator.h: Added.
916         (operator new ):
917         * dfg/DFGPlan.cpp:
918         (JSC::DFG::Plan::compileInThread):
919         (JSC::DFG::Plan::compileInThreadImpl):
920         * dfg/DFGPlan.h:
921         * dfg/DFGWorklist.cpp:
922         (JSC::DFG::Worklist::runThread):
923         * runtime/VM.cpp:
924         (JSC::VM::VM):
925         * runtime/VM.h:
926
927 2016-08-11  Mark Lam  <mark.lam@apple.com>
928
929         The jsc shell's Element host constructor should throw if it fails to construct an object.
930         https://bugs.webkit.org/show_bug.cgi?id=160773
931         <rdar://problem/27328608>
932
933         Reviewed by Saam Barati.
934
935         The Element object is a test object provided in the jsc shell for testing use only.
936         JavaScriptCore expects host constructors to either throw an error or return a
937         constructed object.  Element has a host constructor that did not obey this contract.
938         As a result, the following statement will fail a RELEASE_ASSERT:
939
940             new (Element.bind())
941
942         This is now fixed.
943
944         * jsc.cpp:
945         (functionCreateElement):
946
947 2016-08-11  Mark Lam  <mark.lam@apple.com>
948
949         Disallow synchronous sweeping for eden GCs.
950         https://bugs.webkit.org/show_bug.cgi?id=160716
951
952         Reviewed by Geoffrey Garen.
953
954         * heap/Heap.cpp:
955         (JSC::Heap::collectAllGarbage):
956         (JSC::Heap::collectAndSweep): Deleted.
957         * heap/Heap.h:
958         (JSC::Heap::collectAllGarbage): Deleted.
959         - No need for a separate collectAndSweep() anymore since we only call it for
960           FullCollections.
961         - Since we've already swept all the blocks, I cleared m_blockSnapshot so that the
962           IncrementalSweeper can bail earlier when it runs later.
963
964         * heap/MarkedBlock.cpp:
965         (JSC::MarkedBlock::sweepHelper):
966         - Removed the unreachable return statement.
967
968         * heap/MarkedBlock.h:
969         - Document what "Retired" means.
970
971         * tools/JSDollarVMPrototype.cpp:
972         (JSC::JSDollarVMPrototype::edenGC):
973
974 2016-08-11  Per Arne Vollan  <pvollan@apple.com>
975
976         [Win] Warning fix.
977         https://bugs.webkit.org/show_bug.cgi?id=160734
978
979         Reviewed by Sam Weinig.
980
981         Add static cast from int to uint32_t.
982
983         * bytecode/ArithProfile.h:
984
985 2016-08-10  Michael Saboff  <msaboff@apple.com>
986
987         Baseline GetByVal and PutByVal for cache ID stubs need to handle exceptions
988         https://bugs.webkit.org/show_bug.cgi?id=160749
989
990         Reviewed by Filip Pizlo.
991
992         We were emitting "callOperation()" calls in emitGetByValWithCachedId() and
993         emitPutByValWithCachedId() without linking the exception checks created by the
994         code emitted.  This manifested itself in various ways depending on the processor.
995         This is due to what the destination is for an unlinked branch.  On X86, an unlinked
996         branch goes to the next instruction.  On ARM64, we end up with an infinite loop
997         as we branch to the same instruction.  On ARM we branch to 0 as the branch is to
998         an absolute address of 0.
999
1000         Now we save the exception handler address for the original generated function and
1001         link the exception cases for these by-val stubs to this handler.
1002
1003         * bytecode/ByValInfo.h:
1004         (JSC::ByValInfo::ByValInfo): Added the address of the exception handler we should
1005         link to.
1006
1007         * jit/JIT.cpp:
1008         (JSC::JIT::link): Compute the linked exception handler address and pass it to
1009         the ByValInfo constructor.
1010         (JSC::JIT::privateCompileExceptionHandlers): Make sure that we generate the
1011         exception handler if we have any by-val handlers.
1012
1013         * jit/JIT.h:
1014         Added a label for the exception handler.  We'll link this later for the
1015         by value handlers.
1016
1017         * jit/JITPropertyAccess.cpp:
1018         (JSC::JIT::privateCompileGetByValWithCachedId):
1019         (JSC::JIT::privateCompilePutByValWithCachedId):
1020         Link exception branches to the exception handler for the main function.
1021
1022 2016-08-10  Mark Lam  <mark.lam@apple.com>
1023
1024         DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals.
1025         https://bugs.webkit.org/show_bug.cgi?id=160755
1026         <rdar://problem/27488507>
1027
1028         Reviewed by Filip Pizlo.
1029
1030         If the DFG sees that an inlined function will result in an OSR exit every time,
1031         it will treat all downstream blocks as dead.  However, it still needs to keep
1032         locals that are alive in the bytecode alive for the compiled function so that
1033         those locals are properly written to the stack by the OSR exit ramp.
1034
1035         The existing code neglected to do this.  This patch remedies this issue.
1036
1037         * dfg/DFGByteCodeParser.cpp:
1038         (JSC::DFG::ByteCodeParser::flushDirect):
1039         (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal):
1040         (JSC::DFG::ByteCodeParser::phantomLocalDirect):
1041         (JSC::DFG::ByteCodeParser::flushForTerminal):
1042
1043 2016-08-09  Skachkov Oleksandr  <gskachkov@gmail.com>
1044
1045         [ES2016] Implement Object.values
1046         https://bugs.webkit.org/show_bug.cgi?id=160410
1047
1048         Reviewed by Saam Barati, Yusuke Suzuki.
1049
1050         This patch adds a values function to Object that returns a list of
1051         the object's own values. The patch follows the spec:
1052         http://tc39.github.io/ecma262/#sec-object.values
1053
1054         The patch also adds generic builtin intrinsic constants
1055         @IterationKindKey/@IterationKindValue/@IterationKindKeyValue
1056         that are used in EnumerableOwnProperties to set the kind of operation
1057         and replace the own IterationKind enums in the following iterators:
1058         ArrayIterator, MapIterator, and SetIterator.
1059
1060         * JavaScriptCore.xcodeproj/project.pbxproj:
1061         * builtins/ObjectConstructor.js:
1062         (globalPrivate.enumerableOwnProperties):
1063         (values):
1064         * bytecode/BytecodeIntrinsicRegistry.cpp:
1065         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1066         * bytecode/BytecodeIntrinsicRegistry.h:
1067         * inspector/JSInjectedScriptHost.cpp:
1068         (Inspector::JSInjectedScriptHost::getInternalProperties):
1069         * runtime/ArrayIteratorPrototype.h:
1070         * runtime/IterationKind.h: Copied from Source/JavaScriptCore/builtins/ObjectConstructor.js.
1071         * runtime/JSMapIterator.h:
1072         (JSC::JSMapIterator::create):
1073         (JSC::JSMapIterator::next):
1074         (JSC::JSMapIterator::kind):
1075         (JSC::JSMapIterator::JSMapIterator):
1076         * runtime/JSSetIterator.h:
1077         (JSC::JSSetIterator::create):
1078         (JSC::JSSetIterator::next):
1079         (JSC::JSSetIterator::kind):
1080         (JSC::JSSetIterator::JSSetIterator):
1081         * runtime/MapPrototype.cpp:
1082         (JSC::mapProtoFuncValues):
1083         (JSC::mapProtoFuncEntries):
1084         (JSC::mapProtoFuncKeys):
1085         (JSC::privateFuncMapIterator):
1086         * runtime/ObjectConstructor.cpp:
1087         * runtime/SetPrototype.cpp:
1088         (JSC::setProtoFuncValues):
1089         (JSC::setProtoFuncEntries):
1090         (JSC::privateFuncSetIterator):
1091
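The spec operation behind both the Object.entries entry (2016-08-12) and the Object.values entry above, as an added example written for this page rather than JSC's builtins/ObjectConstructor.js: EnumerableOwnProperties(O, kind) with the three kinds that the @IterationKindKey/@IterationKindValue/@IterationKindKeyValue constants stand for, and entries()/values()/keys() built on it. The constant and helper names are this example's own; the demo object is constructed here to show the observable edge cases (symbol keys, non-enumerable properties, and a getter that deletes a later property).

```javascript
// Added example, not JSC's builtin implementation: the ES spec's
// EnumerableOwnProperties(O, kind) abstract operation. The IterationKind*
// constants mirror the private intrinsic constants named in the ChangeLog but
// are ordinary JS values here; all names are this example's own.

const IterationKindKey = 0;
const IterationKindValue = 1;
const IterationKindKeyValue = 2;

function enumerableOwnProperties(object, kind) {
  // ToObject: primitives are boxed, null and undefined throw.
  if (object == null)
    throw new TypeError("enumerableOwnProperties called on null or undefined");
  const obj = Object(object);
  // [[OwnPropertyKeys]]: integer-like string keys ascending, then other string
  // keys in insertion order, then symbols. Symbols are not enumerated here.
  const keys = Reflect.ownKeys(obj);
  const properties = [];
  for (const key of keys) {
    if (typeof key !== "string") continue;
    // Re-read the descriptor on every step: an earlier getter may have deleted
    // or redefined this property, and a now-missing key is silently skipped.
    const desc = Reflect.getOwnPropertyDescriptor(obj, key);
    if (desc === undefined || !desc.enumerable) continue;
    if (kind === IterationKindKey) {
      properties.push(key);
      continue;
    }
    const value = obj[key]; // [[Get]]: getters run here, after the enumerable check
    if (kind === IterationKindValue) properties.push(value);
    else properties.push([key, value]);
  }
  return properties;
}

function objectEntries(object) { return enumerableOwnProperties(object, IterationKindKeyValue); }
function objectValues(object) { return enumerableOwnProperties(object, IterationKindValue); }
function objectKeys(object) { return enumerableOwnProperties(object, IterationKindKey); }

// Constructed demo object exercising the edge cases: an integer-like key, a
// getter with a side effect on a later property, a non-enumerable property and
// a symbol-keyed property.
function makeTarget() {
  const target = { b: 1, 2: "two" };
  Object.defineProperty(target, "g", {
    enumerable: true,
    get() { delete target.z; return "got"; }, // removes "z" before iteration reaches it
  });
  target.z = 9;
  Object.defineProperty(target, "hidden", { value: 4, enumerable: false });
  target[Symbol("sym")] = "ignored";
  return target;
}

function demoEnumerableOwnProperties() {
  const mine = objectEntries(makeTarget());
  const native = Object.entries(makeTarget()); // fresh object: the getter mutates it
  return {
    entries: mine,
    matchesNative: JSON.stringify(mine) === JSON.stringify(native),
    values: objectValues("ab"),   // String wrapper: "length" is non-enumerable
    keys: objectKeys([10, 20]),   // array indices as strings, "length" skipped
  };
}
```
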
1092 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1093
1094         [JSC] Speed up SparseCollection & related maps
1095         https://bugs.webkit.org/show_bug.cgi?id=160733
1096
1097         Reviewed by Saam Barati.
1098
1099         On MBA, Graph::addNode() shows up in profiles due to SparseCollection::add().
1100         This is unfortunate.
1101
1102         The first improvement is to build the new unique_ptr in the empty slot
1103         instead of moving a new value into it.
1104
1105         Previously, the code would load the previous value, test if it is null
1106         then invoke the destructor and finally fastFree(). The initial test
1107         obviously fails so that's a whole bunch of code that is never executed.
1108
1109         With the new code, we just have a store.
1110
1111         I also removed the bounds checking on our maps based on node index.
1112         Those bounds checks are never eliminated by clang because the index
1113         is always loaded from memory instead of being computed.
1114         There are unfortunately too many nodes processed and the bounds checks
1115         get costly.
1116
1117         * b3/B3SparseCollection.h:
1118         (JSC::B3::SparseCollection::add):
1119         * dfg/DFGGraph.h:
1120         (JSC::DFG::Graph::abstractValuesCache):
1121         * dfg/DFGInPlaceAbstractState.h:
1122
1123 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1124
1125         [JSC] Remove some useless code I left when rewriting CSE's large maps
1126         https://bugs.webkit.org/show_bug.cgi?id=160720
1127
1128         Reviewed by Michael Saboff.
1129
1130         * dfg/DFGCSEPhase.cpp:
1131         The maps m_worldMap and m_sideStateMap are useless. They come from the previous
1132         iteration that had weaker constraints.
1133
1134         Also move m_heapMap after m_fallbackStackMap since that is the order
1135         in which they are used in the algorithm.
1136
1137 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1138
1139         Remove AbstractInterpreter::executeEdges(unsigned), it is no longer used anywhere
1140         https://bugs.webkit.org/show_bug.cgi?id=160708
1141
1142         Reviewed by Mark Lam.
1143
1144         * dfg/DFGAbstractInterpreter.h:
1145         * dfg/DFGAbstractInterpreterInlines.h:
1146         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges): Deleted.
1147
1148 2016-08-10  Simon Fraser  <simon.fraser@apple.com>
1149
1150         Sort the feature flags in the FEATURE_DEFINES lines
1151         https://bugs.webkit.org/show_bug.cgi?id=160742
1152
1153         Reviewed by Anders Carlsson.
1154
1155         * Configurations/FeatureDefines.xcconfig:
1156
1157 2016-08-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1158
1159         [ES6] Add ModuleLoaderPrototype and move methods to it
1160         https://bugs.webkit.org/show_bug.cgi?id=160633
1161
1162         Reviewed by Saam Barati.
1163
1164         In the future, we need to add the ability to create new Loader objects (by users).
1165         So rather than holding all the methods in the ModuleLoaderObject instance, moving them
1166         to ModuleLoaderPrototype and creating the default JSModuleLoader instance is better.
1167
1168         No behavior change.
1169
1170         * CMakeLists.txt:
1171         * DerivedSources.make:
1172         * JavaScriptCore.xcodeproj/project.pbxproj:
1173         * builtins/ModuleLoaderObject.js:
1174         (setStateToMax): Deleted.
1175         (newRegistryEntry): Deleted.
1176         (ensureRegistered): Deleted.
1177         (forceFulfillPromise): Deleted.
1178         (fulfillFetch): Deleted.
1179         (fulfillTranslate): Deleted.
1180         (fulfillInstantiate): Deleted.
1181         (commitInstantiated): Deleted.
1182         (instantiation): Deleted.
1183         (requestFetch): Deleted.
1184         (requestTranslate): Deleted.
1185         (requestInstantiate): Deleted.
1186         (requestResolveDependencies.): Deleted.
1187         (requestResolveDependencies): Deleted.
1188         (requestInstantiateAll): Deleted.
1189         (requestLink): Deleted.
1190         (requestReady): Deleted.
1191         (link): Deleted.
1192         (moduleEvaluation): Deleted.
1193         (provide): Deleted.
1194         (loadAndEvaluateModule): Deleted.
1195         (loadModule): Deleted.
1196         (linkAndEvaluateModule): Deleted.
1197         * builtins/ModuleLoaderPrototype.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderObject.js.
1198         (setStateToMax):
1199         (newRegistryEntry):
1200         (ensureRegistered):
1201         (forceFulfillPromise):
1202         (fulfillFetch):
1203         (fulfillTranslate):
1204         (fulfillInstantiate):
1205         (commitInstantiated):
1206         (instantiation):
1207         (requestFetch):
1208         (requestTranslate):
1209         (requestInstantiate):
1210         (requestResolveDependencies.):
1211         (requestResolveDependencies):
1212         (requestInstantiateAll):
1213         (requestLink):
1214         (requestReady):
1215         (link):
1216         (moduleEvaluation):
1217         (provide):
1218         (loadAndEvaluateModule):
1219         (loadModule):
1220         (linkAndEvaluateModule):
1221         * bytecode/BytecodeIntrinsicRegistry.cpp:
1222         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1223         * jsc.cpp:
1224         (GlobalObject::moduleLoaderResolve):
1225         (GlobalObject::moduleLoaderFetch):
1226         * runtime/Completion.cpp:
1227         (JSC::loadAndEvaluateModule):
1228         (JSC::loadModule):
1229         * runtime/JSGlobalObject.cpp:
1230         (JSC::JSGlobalObject::init):
1231         (JSC::JSGlobalObject::visitChildren):
1232         * runtime/JSGlobalObject.h:
1233         (JSC::JSGlobalObject::moduleLoader):
1234         (JSC::JSGlobalObject::moduleLoaderStructure):
1235         * runtime/JSModuleLoader.cpp: Added.
1236         (JSC::JSModuleLoader::JSModuleLoader):
1237         (JSC::JSModuleLoader::finishCreation):
1238         (JSC::printableModuleKey):
1239         (JSC::JSModuleLoader::provide):
1240         (JSC::JSModuleLoader::loadAndEvaluateModule):
1241         (JSC::JSModuleLoader::loadModule):
1242         (JSC::JSModuleLoader::linkAndEvaluateModule):
1243         (JSC::JSModuleLoader::resolve):
1244         (JSC::JSModuleLoader::fetch):
1245         (JSC::JSModuleLoader::translate):
1246         (JSC::JSModuleLoader::instantiate):
1247         (JSC::JSModuleLoader::evaluate):
1248         * runtime/JSModuleLoader.h: Copied from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1249         (JSC::JSModuleLoader::create):
1250         (JSC::JSModuleLoader::createStructure):
1251         * runtime/JSModuleRecord.h:
1252         * runtime/ModuleLoaderObject.cpp: Removed.
1253         (JSC::ModuleLoaderObject::ModuleLoaderObject): Deleted.
1254         (JSC::ModuleLoaderObject::finishCreation): Deleted.
1255         (JSC::printableModuleKey): Deleted.
1256         (JSC::ModuleLoaderObject::provide): Deleted.
1257         (JSC::ModuleLoaderObject::loadAndEvaluateModule): Deleted.
1258         (JSC::ModuleLoaderObject::loadModule): Deleted.
1259         (JSC::ModuleLoaderObject::linkAndEvaluateModule): Deleted.
1260         (JSC::ModuleLoaderObject::resolve): Deleted.
1261         (JSC::ModuleLoaderObject::fetch): Deleted.
1262         (JSC::ModuleLoaderObject::translate): Deleted.
1263         (JSC::ModuleLoaderObject::instantiate): Deleted.
1264         (JSC::ModuleLoaderObject::evaluate): Deleted.
1265         (JSC::moduleLoaderObjectParseModule): Deleted.
1266         (JSC::moduleLoaderObjectRequestedModules): Deleted.
1267         (JSC::moduleLoaderObjectModuleDeclarationInstantiation): Deleted.
1268         (JSC::moduleLoaderObjectResolve): Deleted.
1269         (JSC::moduleLoaderObjectFetch): Deleted.
1270         (JSC::moduleLoaderObjectTranslate): Deleted.
1271         (JSC::moduleLoaderObjectInstantiate): Deleted.
1272         (JSC::moduleLoaderObjectEvaluate): Deleted.
1273         * runtime/ModuleLoaderObject.h:
1274         (JSC::ModuleLoaderObject::create): Deleted.
1275         (JSC::ModuleLoaderObject::createStructure): Deleted.
1276         * runtime/ModuleLoaderPrototype.cpp: Added.
1277         (JSC::ModuleLoaderPrototype::ModuleLoaderPrototype):
1278         (JSC::moduleLoaderPrototypeParseModule):
1279         (JSC::moduleLoaderPrototypeRequestedModules):
1280         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1281         (JSC::moduleLoaderPrototypeResolve):
1282         (JSC::moduleLoaderPrototypeFetch):
1283         (JSC::moduleLoaderPrototypeTranslate):
1284         (JSC::moduleLoaderPrototypeInstantiate):
1285         (JSC::moduleLoaderPrototypeEvaluate):
1286         * runtime/ModuleLoaderPrototype.h: Renamed from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1287         (JSC::ModuleLoaderPrototype::create):
1288         (JSC::ModuleLoaderPrototype::createStructure):
1289
1290 2016-08-09  Saam Barati  <sbarati@apple.com>
1291
1292         JSBoundFunction should lazily generate its name string
1293         https://bugs.webkit.org/show_bug.cgi?id=160678
1294         <rdar://problem/27043194>
1295
1296         Reviewed by Mark Lam.
1297
1298         We were eagerly allocating the BoundFunction's 'name' string
1299         by prepending the "bound " prefix. This patch makes the 'name'
1300         string creation lazy like we do with ordinary JSFunctions.
1301
1302         This is a 25% speedup on the microbenchmark I added that measures
1303         bound function creation speed. Hopefully this also helps us recover
1304         from a 1% Speedometer regression that was introduced in the original
1305         bound function "bound " prefixing patch.
1306
1307         * runtime/JSBoundFunction.cpp:
1308         (JSC::JSBoundFunction::create):
1309         (JSC::JSBoundFunction::JSBoundFunction):
1310         (JSC::JSBoundFunction::finishCreation):
1311         * runtime/JSBoundFunction.h:
1312         * runtime/JSFunction.cpp:
1313         (JSC::JSFunction::finishCreation):
1314         (JSC::JSFunction::getOwnPropertySlot):
1315         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1316         (JSC::JSFunction::put):
1317         (JSC::JSFunction::deleteProperty):
1318         (JSC::JSFunction::defineOwnProperty):
1319         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1320         (JSC::JSFunction::reifyBoundNameIfNeeded):
1321         * runtime/JSFunction.h:
1322
1323 2016-08-09  George Ruan  <gruan@apple.com>
1324
1325         Implement functionality of media capture on iOS
1326         https://bugs.webkit.org/show_bug.cgi?id=158945
1327         <rdar://problem/26893343>
1328
1329         Reviewed by Tim Horton.
1330
1331         * Configurations/FeatureDefines.xcconfig: Enable media capture feature
1332         for iOS.
1333
1334 2016-08-09  Saam Barati  <sbarati@apple.com>
1335
1336         Parser<LexerType>::parseFunctionInfo() has the wrong info about captured vars when a function is not cached.
1337         https://bugs.webkit.org/show_bug.cgi?id=160671
1338         <rdar://problem/27756112>
1339
1340         Reviewed by Mark Lam.
1341
1342         There was a bug in our captured variable analysis when a function has a default
1343         parameter expression that is a function that captures something from the parent scope.
1344         The bug was that we were relying on the SourceProviderCache to succeed for the
1345         analysis to work. This is obviously wrong. I've fixed this to work regardless
1346         of getting a cache hit. To prevent future bugs that rely on the success of the
1347         SourceProviderCache, I've made the validate testing mode disable the SourceProviderCache.
1348
1349         * parser/Parser.cpp:
1350         (JSC::Parser<LexerType>::parseFunctionInfo):
1351         * parser/Parser.h:
1352         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1353         (JSC::Scope::addClosedVariableCandidateUnconditionally):
1354         (JSC::Scope::collectFreeVariables):
1355         * runtime/Options.h:
1356
1357 2016-08-08  Mark Lam  <mark.lam@apple.com>
1358
1359         ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
1360         https://bugs.webkit.org/show_bug.cgi?id=160666
1361
1362         Reviewed by Keith Miller.
1363
1364         This assertion is benign.  JSFinalObject::visitChildren() calls
1365         JSObject::inlineStorage() to get a pointer to the object's inline storage, and
1366         later passes it to visitor.appendValuesHidden() with a previously computed
1367         storageSize.  When storageSize is 0, appendValuesHidden() ends up doing nothing.
1368         However, before we get there, JSObject::inlineStorage() will be asserting
1369         hasInlineStorage() and this assertion will fail when storageSize is 0.
1370
1371         We can fix this assertion failure by simply adding a storageSize check before
1372         calling hasInlineStorage() and visitor.appendValuesHidden().
1373
1374         * runtime/JSObject.cpp:
1375         (JSC::JSFinalObject::visitChildren):
1376
1377 2016-08-08  Brian Burg  <bburg@apple.com>
1378
1379         Web Inspector: clean up prefixing of Automation protocol generated files
1380         https://bugs.webkit.org/show_bug.cgi?id=160635
1381         <rdar://problem/27735327>
1382
1383         Reviewed by Timothy Hatcher.
1384
1385         Introduce different settings for the 'protocol group' name for C++ vs. Objective-C.
1386
1387         Use 'WD' as the prefix for generated Objective-C frontend dispatchers and helpers.
1388         Continue using 'Automation' as the prefix for generated C++ backend dispatchers.
1389
1390         * inspector/scripts/codegen/cpp_generator.py:
1391         (CppGenerator.protocol_name):
1392         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1393         (ObjCProtocolTypeConversionsImplementationGenerator.generate_output):
1394         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
1395         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
1396         Adjust the class name. Generate one category per protocol domain to keep it easy to read.
1397
1398         * inspector/scripts/codegen/models.py:
1399         * inspector/scripts/codegen/objc_generator.py:
1400         (ObjCGenerator.protocol_name):
1401
1402         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1403         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1404         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1405         * inspector/scripts/tests/expected/enum-values.json-result:
1406         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1407         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1408         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1409         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1410         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1411         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1412         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1413         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1414         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1415         Rebaseline test results.
1416
1417 2016-08-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1418
1419         [ES6] Module namespace object should not allow unset IC
1420         https://bugs.webkit.org/show_bug.cgi?id=160553
1421
1422         Reviewed by Saam Barati.
1423
1424         Previously, the module namespace object accidentally allowed "unset IC". But this "unsetness" does not rely on
1425         the structure. We should disable inline caching on the namespace object. Once it is needed, we should
1426         create special caching for the namespace object like the following: it should be similar to a monomorphic IC,
1427         but it caches the object itself instead of the structure. It checks the object itself (and in DFG, it should be
1428         CheckCell) and loads the value from the target module environment directly [1].
1429
1430         This patch also calls setIsTaintedByProxy for the module namespace object to notify the caller that
1431         this object has an impure ::getOwnPropertySlot. This function is now renamed to setIsTaintedByOpaqueObject.
1432
1433         We drop the hack in JSModuleNamespaceObject::getOwnPropertySlot since we already introduced InternalMethodType
1434         for ProxyObject. Previously we could not distinguish ::HasProperty and ::GetOwnProperty. So, in order not to throw any
1435         errors in the ::HasProperty case, we used slot.setCustom to delay the observable operation.
1436         But this hack lacks support for hasOwnProperty: hasOwnProperty uses [[GetOwnProperty]], so it should throw an error.
1437         However, the previous implementation does not throw an error since the delayed observable part (the custom function part) is
1438         skipped in the hasOwnProperty implementation. We now remove this custom property hack and fix the corresponding failure
1439         in test262.
1440
1441         [1]: https://bugs.webkit.org/show_bug.cgi?id=160590
1442
1443         * jit/JITOperations.cpp:
1444         * runtime/ArrayPrototype.cpp:
1445         (JSC::getProperty):
1446         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1447         (JSC::constructGenericTypedArrayViewWithArguments):
1448         * runtime/JSModuleNamespaceObject.cpp:
1449         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1450         (JSC::callbackGetter): Deleted.
1451         * runtime/JSModuleNamespaceObject.h:
1452         * runtime/PropertySlot.cpp:
1453         (JSC::PropertySlot::getPureResult):
1454         * runtime/PropertySlot.h:
1455         (JSC::PropertySlot::PropertySlot):
1456         (JSC::PropertySlot::setIsTaintedByOpaqueObject):
1457         (JSC::PropertySlot::isTaintedByOpaqueObject):
1458         (JSC::PropertySlot::setIsTaintedByProxy): Deleted.
1459         (JSC::PropertySlot::isTaintedByProxy): Deleted.
1460         * runtime/ProxyObject.cpp:
1461         (JSC::ProxyObject::getOwnPropertySlotCommon):
1462
1463 2016-08-05  Keith Miller  <keith_miller@apple.com>
1464
1465         Add LEBDecoder and tests
1466         https://bugs.webkit.org/show_bug.cgi?id=160625
1467
1468         Reviewed by Benjamin Poulain.
1469
1470         Adds a new target testWASM that is currently used to test the LEB decoder.
1471         In the future, if we add more support for WASM we will put more tests
1472         here.
1473
1474         * JavaScriptCore.xcodeproj/project.pbxproj:
1475         * testWASM.cpp: Added.
1476         (CommandLine::CommandLine):
1477         (printUsageStatement):
1478         (CommandLine::parseArguments):
1479         (runLEBTests):
1480         (main):
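
        The LEB128 decoder that the new testWASM target exercises is the first thing a WebAssembly
        reader runs over untrusted bytes, so the edge cases matter: truncated input, more continuation
        bytes than a 32-bit value can hold, and non-canonical high bits that would silently overflow.
        The following is an added example written for this ChangeLog entry; it is not JavaScriptCore's
        LEBDecoder nor any code from the project. It assumes 32-bit targets, and all byte sequences
        used below are constructed here.

```javascript
// Added example (not JavaScriptCore's LEBDecoder): unsigned and signed
// LEB128 varints as used by WebAssembly, decoded with the checks a reader
// of untrusted bytes needs. Assumes 32-bit values; sample bytes are constructed.

const MAX_BYTES_32 = 5; // ceil(32 / 7): a 32-bit varint never needs more bytes

// Decode an unsigned 32-bit LEB128 at `offset`.
// Returns { value, length } on success or { error } on malformed input.
function decodeUint32LEB(bytes, offset = 0) {
  let result = 0;
  let shift = 0;
  for (let i = 0; i < MAX_BYTES_32; i++) {
    if (offset + i >= bytes.length) return { error: "truncated" };
    const b = bytes[offset + i];
    const payload = b & 0x7f;
    // Only the low 4 bits of the fifth byte fit into 32 bits; anything else overflows.
    if (i === MAX_BYTES_32 - 1 && (payload & 0xf0) !== 0) return { error: "overflow" };
    result = (result | (payload << shift)) >>> 0; // keep the accumulator unsigned
    shift += 7;
    if ((b & 0x80) === 0) return { value: result, length: i + 1 };
  }
  return { error: "too long" }; // continuation bit still set after 5 bytes
}

// Decode a signed 32-bit LEB128 at `offset` (two's complement, sign-extended).
function decodeInt32LEB(bytes, offset = 0) {
  let result = 0;
  let shift = 0;
  for (let i = 0; i < MAX_BYTES_32; i++) {
    if (offset + i >= bytes.length) return { error: "truncated" };
    const b = bytes[offset + i];
    const payload = b & 0x7f;
    if (i === MAX_BYTES_32 - 1) {
      // In the fifth byte, bits 4..6 must all equal bit 3 (the value's sign bit).
      const high = payload >> 3;
      if (high !== 0 && high !== 0x0f) return { error: "overflow" };
    }
    result |= payload << shift;
    shift += 7;
    if ((b & 0x80) === 0) {
      if (shift < 32 && (b & 0x40) !== 0) result |= -1 << shift; // sign-extend
      return { value: result | 0, length: i + 1 };
    }
  }
  return { error: "too long" };
}

// Decode a "vector": a varuint32 count followed by that many varuint32 items.
// The count is checked against the remaining input before anything is
// allocated, so a hostile count cannot drive memory use on its own.
function decodeUint32Vector(bytes, offset = 0) {
  const count = decodeUint32LEB(bytes, offset);
  if (count.error) return count;
  let pos = offset + count.length;
  if (count.value > bytes.length - pos) return { error: "count exceeds input" };
  const values = [];
  for (let i = 0; i < count.value; i++) {
    const item = decodeUint32LEB(bytes, pos);
    if (item.error) return item;
    values.push(item.value);
    pos += item.length;
  }
  return { values, length: pos - offset };
}
```

        Each decoder bounds its loop by MAX_BYTES_32 rather than by the continuation bit alone, so a
        stream of 0x80 bytes is rejected after five bytes instead of being read to the end of the
        buffer; the fifth-byte checks reject encodings whose discarded high bits would change the
        value, which is how canonical-form ambiguities in length-prefixed formats are avoided.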
1481
1482 2016-08-05  Keith Miller  <keith_miller@apple.com>
1483
1484         32-bit JSC test failure: stress/instanceof-late-constant-folding.js
1485         https://bugs.webkit.org/show_bug.cgi?id=160620
1486
1487         Reviewed by Filip Pizlo.
1488
1489         * dfg/DFGSpeculativeJIT32_64.cpp:
1490         (JSC::DFG::SpeculativeJIT::compile):
1491
1492 2016-08-05  Benjamin Poulain  <bpoulain@apple.com>
1493
1494         [JSC] Remove the first LocalCSE
1495         https://bugs.webkit.org/show_bug.cgi?id=160615
1496
1497         Reviewed by Saam Barati.
1498
1499         LocalCSE is the most expensive phase in DFG (excluding FTL).
1500
1501         The combination of two LocalCSEs does not seem to pay for its cost.
1502         Doing a single LocalCSE after ConstantFolding and StrengthReduction
1503         is always a win on my machine.
1504
1505         * dfg/DFGCleanUpPhase.cpp:
1506         (JSC::DFG::CleanUpPhase::run):
1507         * dfg/DFGPlan.cpp:
1508         (JSC::DFG::Plan::compileInThreadImpl):
1509
1510 2016-08-05  Saam Barati  <sbarati@apple.com>
1511
1512         various math operations don't properly check for an exception after calling toNumber() on the lhs
1513         https://bugs.webkit.org/show_bug.cgi?id=160154
1514
1515         Reviewed by Mark Lam.
1516
1517         We must check for an exception after calling toNumber() on the lhs
1518         because this can throw an exception. If we called toNumber() on
1519         the rhs without first checking for an exception after the toNumber()
1520         on the lhs, this can lead us to execute effectful code or deviate
1521         from the standard in subtle ways. I fixed this bug in various places
1522         by always checking for an exception after calling toNumber() on the
1523         lhs for the various bit and arithmetic operations.
1524
1525         This patch also found a commutativity bug inside DFGStrengthReduction.
1526         We could end up commuting the lhs and rhs of say an "|" expression
1527         even when the lhs/rhs may not be numbers. This is wrong because
1528         executing toNumber() on the lhs/rhs has strict ordering guarantees
1529         by the specification and is observable by user programs.
1530
1531         * dfg/DFGOperations.cpp:
1532         * dfg/DFGStrengthReductionPhase.cpp:
1533         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1534         * jit/JITOperations.cpp:
1535         * runtime/CommonSlowPaths.cpp:
1536         (JSC::SLOW_PATH_DECL):
1537         * runtime/Operations.cpp:
1538         (JSC::jsAddSlowCase):
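
        The ordering the entry above relies on is observable from script: for a binary operator, a
        conforming engine converts the lhs before the rhs, and if the lhs conversion throws, the rhs
        must never be converted, so swapping operands (the StrengthReduction commutativity bug) or
        skipping the exception check after the lhs is visible to user code. The following is an added
        example written for this entry, not code from the ChangeLog or from JavaScriptCore; the
        operand objects, the trace log and the operator table are all constructed here.

```javascript
// Added example (not part of JavaScriptCore): observe the order in which an
// engine calls valueOf on the two operands of a binary operator, and whether a
// throwing lhs stops the rhs from being converted at all. Everything here is
// constructed for the demonstration.

function makeTracer() {
  const trace = [];
  // Build an operand whose valueOf records its name and optionally throws.
  const operand = (name, value, { throws = false } = {}) => ({
    valueOf() {
      trace.push(name);
      if (throws) throw new Error("valueOf(" + name + ") threw");
      return value;
    },
  });
  return { trace, operand };
}

// Evaluate op(lhs, rhs) with traced operands; lhs = 6, rhs = 3.
// Returns the valueOf call order, whether the operation threw, and its result.
function observeOrder(op, lhsThrows) {
  const { trace, operand } = makeTracer();
  const lhs = operand("lhs", 6, { throws: lhsThrows });
  const rhs = operand("rhs", 3);
  let threw = false;
  let result;
  try {
    result = op(lhs, rhs);
  } catch (e) {
    threw = true;
  }
  return { trace, threw, result };
}

// The bit and arithmetic operators whose slow paths the entry above touches.
const ops = {
  or: (a, b) => a | b,
  and: (a, b) => a & b,
  xor: (a, b) => a ^ b,
  shl: (a, b) => a << b,
  sub: (a, b) => a - b,
  mul: (a, b) => a * b,
  add: (a, b) => a + b,
};

// Check every operator: lhs converted before rhs, and rhs never converted
// once lhs has thrown. Returns a list of violations (empty on a conforming engine).
function checkAllOperators() {
  const violations = [];
  for (const [name, op] of Object.entries(ops)) {
    const normal = observeOrder(op, false);
    if (normal.trace.join(",") !== "lhs,rhs") violations.push(name + ": order " + normal.trace.join(","));
    const thrown = observeOrder(op, true);
    if (!thrown.threw || thrown.trace.join(",") !== "lhs") violations.push(name + ": rhs converted after lhs threw");
  }
  return violations;
}
```

        A non-empty result from checkAllOperators() is the symptom the entry describes: effectful user
        code (here, a valueOf that logs) running after an exception should already have been
        propagated, or the two operands being converted in the wrong order.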
1539
1540 2016-08-05  Michael Saboff  <msaboff@apple.com>
1541
1542         compilePutByValForIntTypedArray() has a slow path in the middle of its processing
1543         https://bugs.webkit.org/show_bug.cgi?id=160614
1544
1545         Reviewed by Keith Miller.
1546
1547         In compilePutByValForIntTypedArray() we were calling out to the slow path
1548         operationToInt32() and then returning to the middle of the code to finish
1549         the processing of writing the value to the array.  When we make the slow
1550         path call, we trash any temporary registers that have been allocated.
1551         In general slow path calls should finish the operation in progress and
1552         continue processing at the beginning of the next node.
1553
1554         This was discovered while working on the register argument changes, when
1555         we SpeculateStrictInt32Operand on the value child node.  That child node's
1556         value was live in a register with a spill format of DataFormatJSInt32.  In that
1557         case we allocate a new temporary register and copy just the lower 32 bits from
1558         the child register to the new temp register.  That temp register gets trashed
1559         when we make the operationToInt32() slow path call.
1560
1561         I spent some time trying to devise a test with the current code base and wasn't
1562         successful.  This case is tested with the register argument changes in progress.
1563
1564         * dfg/DFGSpeculativeJIT.cpp:
1565         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1566
1567 2016-08-05  Saam Barati  <sbarati@apple.com>
1568
1569         Assertion failure when accessing TDZ variable in catch through eval
1570         https://bugs.webkit.org/show_bug.cgi?id=160554
1571
1572         Reviewed by Mark Lam and Keith Miller.
1573
1574         When we were calculating the variables under TDZ from a JSScope,
1575         the algorithm was not taking into account that a catch scope
1576         has variables under TDZ.
1577
1578         * runtime/JSScope.cpp:
1579         (JSC::JSScope::collectVariablesUnderTDZ):
1580
1581 2016-08-05  Keith Miller  <keith_miller@apple.com>
1582
1583         Delete out of date WASM code.
1584         https://bugs.webkit.org/show_bug.cgi?id=160603
1585
1586         Reviewed by Saam Barati.
1587
1588         This patch removes a bunch of the wasm files that we are unlikely to use
1589         with the newer wasm spec. If we end up needing any of the deleted code
1590         later we can restore it at that time.
1591
1592         * CMakeLists.txt:
1593         * JavaScriptCore.xcodeproj/project.pbxproj:
1594         * jit/JITOperations.cpp:
1595         * jsc.cpp:
1596         (GlobalObject::finishCreation): Deleted.
1597         (functionLoadWebAssembly): Deleted.
1598         * llint/LLIntSlowPaths.cpp:
1599         (JSC::LLInt::setUpCall): Deleted.
1600         * runtime/Executable.cpp:
1601         (JSC::WebAssemblyExecutable::prepareForExecution): Deleted.
1602         * runtime/JSGlobalObject.cpp:
1603         (JSC::JSGlobalObject::init): Deleted.
1604         (JSC::JSGlobalObject::visitChildren): Deleted.
1605         * runtime/JSGlobalObject.h:
1606         (JSC::JSGlobalObject::wasmModuleStructure): Deleted.
1607         * wasm/WASMConstants.h: Removed.
1608         * wasm/WASMFunctionB3IRGenerator.h: Removed.
1609         (JSC::WASMFunctionB3IRGenerator::MemoryAddress::MemoryAddress): Deleted.
1610         (JSC::WASMFunctionB3IRGenerator::startFunction): Deleted.
1611         (JSC::WASMFunctionB3IRGenerator::endFunction): Deleted.
1612         (JSC::WASMFunctionB3IRGenerator::buildSetLocal): Deleted.
1613         (JSC::WASMFunctionB3IRGenerator::buildSetGlobal): Deleted.
1614         (JSC::WASMFunctionB3IRGenerator::buildReturn): Deleted.
1615         (JSC::WASMFunctionB3IRGenerator::buildImmediateI32): Deleted.
1616         (JSC::WASMFunctionB3IRGenerator::buildImmediateF32): Deleted.
1617         (JSC::WASMFunctionB3IRGenerator::buildImmediateF64): Deleted.
1618         (JSC::WASMFunctionB3IRGenerator::buildGetLocal): Deleted.
1619         (JSC::WASMFunctionB3IRGenerator::buildGetGlobal): Deleted.
1620         (JSC::WASMFunctionB3IRGenerator::buildConvertType): Deleted.
1621         (JSC::WASMFunctionB3IRGenerator::buildLoad): Deleted.
1622         (JSC::WASMFunctionB3IRGenerator::buildStore): Deleted.
1623         (JSC::WASMFunctionB3IRGenerator::buildUnaryI32): Deleted.
1624         (JSC::WASMFunctionB3IRGenerator::buildUnaryF32): Deleted.
1625         (JSC::WASMFunctionB3IRGenerator::buildUnaryF64): Deleted.
1626         (JSC::WASMFunctionB3IRGenerator::buildBinaryI32): Deleted.
1627         (JSC::WASMFunctionB3IRGenerator::buildBinaryF32): Deleted.
1628         (JSC::WASMFunctionB3IRGenerator::buildBinaryF64): Deleted.
1629         (JSC::WASMFunctionB3IRGenerator::buildRelationalI32): Deleted.
1630         (JSC::WASMFunctionB3IRGenerator::buildRelationalF32): Deleted.
1631         (JSC::WASMFunctionB3IRGenerator::buildRelationalF64): Deleted.
1632         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxI32): Deleted.
1633         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxF64): Deleted.
1634         (JSC::WASMFunctionB3IRGenerator::buildCallInternal): Deleted.
1635         (JSC::WASMFunctionB3IRGenerator::buildCallIndirect): Deleted.
1636         (JSC::WASMFunctionB3IRGenerator::buildCallImport): Deleted.
1637         (JSC::WASMFunctionB3IRGenerator::appendExpressionList): Deleted.
1638         (JSC::WASMFunctionB3IRGenerator::discard): Deleted.
1639         (JSC::WASMFunctionB3IRGenerator::linkTarget): Deleted.
1640         (JSC::WASMFunctionB3IRGenerator::jumpToTarget): Deleted.
1641         (JSC::WASMFunctionB3IRGenerator::jumpToTargetIf): Deleted.
1642         (JSC::WASMFunctionB3IRGenerator::startLoop): Deleted.
1643         (JSC::WASMFunctionB3IRGenerator::endLoop): Deleted.
1644         (JSC::WASMFunctionB3IRGenerator::startSwitch): Deleted.
1645         (JSC::WASMFunctionB3IRGenerator::endSwitch): Deleted.
1646         (JSC::WASMFunctionB3IRGenerator::startLabel): Deleted.
1647         (JSC::WASMFunctionB3IRGenerator::endLabel): Deleted.
1648         (JSC::WASMFunctionB3IRGenerator::breakTarget): Deleted.
1649         (JSC::WASMFunctionB3IRGenerator::continueTarget): Deleted.
1650         (JSC::WASMFunctionB3IRGenerator::breakLabelTarget): Deleted.
1651         (JSC::WASMFunctionB3IRGenerator::continueLabelTarget): Deleted.
1652         (JSC::WASMFunctionB3IRGenerator::buildSwitch): Deleted.
1653         * wasm/WASMFunctionCompiler.h: Removed.
1654         (JSC::operationConvertJSValueToInt32): Deleted.
1655         (JSC::operationConvertJSValueToDouble): Deleted.
1656         (JSC::operationDiv): Deleted.
1657         (JSC::operationMod): Deleted.
1658         (JSC::operationUnsignedDiv): Deleted.
1659         (JSC::operationUnsignedMod): Deleted.
1660         (JSC::operationConvertUnsignedInt32ToDouble): Deleted.
1661         (JSC::sizeOfMemoryType): Deleted.
1662         (JSC::WASMFunctionCompiler::MemoryAddress::MemoryAddress): Deleted.
1663         (JSC::WASMFunctionCompiler::WASMFunctionCompiler): Deleted.
1664         (JSC::WASMFunctionCompiler::startFunction): Deleted.
1665         (JSC::WASMFunctionCompiler::endFunction): Deleted.
1666         (JSC::WASMFunctionCompiler::buildSetLocal): Deleted.
1667         (JSC::WASMFunctionCompiler::buildSetGlobal): Deleted.
1668         (JSC::WASMFunctionCompiler::buildReturn): Deleted.
1669         (JSC::WASMFunctionCompiler::buildImmediateI32): Deleted.
1670         (JSC::WASMFunctionCompiler::buildImmediateF32): Deleted.
1671         (JSC::WASMFunctionCompiler::buildImmediateF64): Deleted.
1672         (JSC::WASMFunctionCompiler::buildGetLocal): Deleted.
1673         (JSC::WASMFunctionCompiler::buildGetGlobal): Deleted.
1674         (JSC::WASMFunctionCompiler::buildConvertType): Deleted.
1675         (JSC::WASMFunctionCompiler::buildLoad): Deleted.
1676         (JSC::WASMFunctionCompiler::buildStore): Deleted.
1677         (JSC::WASMFunctionCompiler::buildUnaryI32): Deleted.
1678         (JSC::WASMFunctionCompiler::buildUnaryF32): Deleted.
1679         (JSC::WASMFunctionCompiler::buildUnaryF64): Deleted.
1680         (JSC::WASMFunctionCompiler::buildBinaryI32): Deleted.
1681         (JSC::WASMFunctionCompiler::buildBinaryF32): Deleted.
1682         (JSC::WASMFunctionCompiler::buildBinaryF64): Deleted.
1683         (JSC::WASMFunctionCompiler::buildRelationalI32): Deleted.
1684         (JSC::WASMFunctionCompiler::buildRelationalF32): Deleted.
1685         (JSC::WASMFunctionCompiler::buildRelationalF64): Deleted.
1686         (JSC::WASMFunctionCompiler::buildMinOrMaxI32): Deleted.
1687         (JSC::WASMFunctionCompiler::buildMinOrMaxF64): Deleted.
1688         (JSC::WASMFunctionCompiler::buildCallInternal): Deleted.
1689         (JSC::WASMFunctionCompiler::buildCallIndirect): Deleted.
1690         (JSC::WASMFunctionCompiler::buildCallImport): Deleted.
1691         (JSC::WASMFunctionCompiler::appendExpressionList): Deleted.
1692         (JSC::WASMFunctionCompiler::discard): Deleted.
1693         (JSC::WASMFunctionCompiler::linkTarget): Deleted.
1694         (JSC::WASMFunctionCompiler::jumpToTarget): Deleted.
1695         (JSC::WASMFunctionCompiler::jumpToTargetIf): Deleted.
1696         (JSC::WASMFunctionCompiler::startLoop): Deleted.
1697         (JSC::WASMFunctionCompiler::endLoop): Deleted.
1698         (JSC::WASMFunctionCompiler::startSwitch): Deleted.
1699         (JSC::WASMFunctionCompiler::endSwitch): Deleted.
1700         (JSC::WASMFunctionCompiler::startLabel): Deleted.
1701         (JSC::WASMFunctionCompiler::endLabel): Deleted.
1702         (JSC::WASMFunctionCompiler::breakTarget): Deleted.
1703         (JSC::WASMFunctionCompiler::continueTarget): Deleted.
1704         (JSC::WASMFunctionCompiler::breakLabelTarget): Deleted.
1705         (JSC::WASMFunctionCompiler::continueLabelTarget): Deleted.
1706         (JSC::WASMFunctionCompiler::buildSwitch): Deleted.
1707         (JSC::WASMFunctionCompiler::localAddress): Deleted.
1708         (JSC::WASMFunctionCompiler::temporaryAddress): Deleted.
1709         (JSC::WASMFunctionCompiler::appendCall): Deleted.
1710         (JSC::WASMFunctionCompiler::appendCallWithExceptionCheck): Deleted.
1711         (JSC::WASMFunctionCompiler::emitNakedCall): Deleted.
1712         (JSC::WASMFunctionCompiler::appendCallSetResult): Deleted.
1713         (JSC::WASMFunctionCompiler::callOperation): Deleted.
1714         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer): Deleted.
1715         (JSC::WASMFunctionCompiler::callAndUnboxResult): Deleted.
1716         (JSC::WASMFunctionCompiler::convertValueToInt32): Deleted.
1717         (JSC::WASMFunctionCompiler::convertValueToDouble): Deleted.
1718         (JSC::WASMFunctionCompiler::convertDoubleToValue): Deleted.
1719         * wasm/WASMFunctionParser.cpp: Removed.
1720         (JSC::nameOfType): Deleted.
1721         (JSC::WASMFunctionParser::checkSyntax): Deleted.
1722         (JSC::WASMFunctionParser::compile): Deleted.
1723         (JSC::WASMFunctionParser::parseFunction): Deleted.
1724         (JSC::WASMFunctionParser::parseLocalVariables): Deleted.
1725         (JSC::WASMFunctionParser::parseStatement): Deleted.
1726         (JSC::WASMFunctionParser::parseReturnStatement): Deleted.
1727         (JSC::WASMFunctionParser::parseBlockStatement): Deleted.
1728         (JSC::WASMFunctionParser::parseIfStatement): Deleted.
1729         (JSC::WASMFunctionParser::parseIfElseStatement): Deleted.
1730         (JSC::WASMFunctionParser::parseWhileStatement): Deleted.
1731         (JSC::WASMFunctionParser::parseDoStatement): Deleted.
1732         (JSC::WASMFunctionParser::parseLabelStatement): Deleted.
1733         (JSC::WASMFunctionParser::parseBreakStatement): Deleted.
1734         (JSC::WASMFunctionParser::parseBreakLabelStatement): Deleted.
1735         (JSC::WASMFunctionParser::parseContinueStatement): Deleted.
1736         (JSC::WASMFunctionParser::parseContinueLabelStatement): Deleted.
1737         (JSC::WASMFunctionParser::parseSwitchStatement): Deleted.
1738         (JSC::WASMFunctionParser::parseExpression): Deleted.
1739         (JSC::WASMFunctionParser::parseExpressionI32): Deleted.
1740         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionI32): Deleted.
1741         (JSC::WASMFunctionParser::parseImmediateExpressionI32): Deleted.
1742         (JSC::WASMFunctionParser::parseUnaryExpressionI32): Deleted.
1743         (JSC::WASMFunctionParser::parseBinaryExpressionI32): Deleted.
1744         (JSC::WASMFunctionParser::parseRelationalI32ExpressionI32): Deleted.
1745         (JSC::WASMFunctionParser::parseRelationalF32ExpressionI32): Deleted.
1746         (JSC::WASMFunctionParser::parseRelationalF64ExpressionI32): Deleted.
1747         (JSC::WASMFunctionParser::parseMinOrMaxExpressionI32): Deleted.
1748         (JSC::WASMFunctionParser::parseExpressionF32): Deleted.
1749         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF32): Deleted.
1750         (JSC::WASMFunctionParser::parseImmediateExpressionF32): Deleted.
1751         (JSC::WASMFunctionParser::parseUnaryExpressionF32): Deleted.
1752         (JSC::WASMFunctionParser::parseBinaryExpressionF32): Deleted.
1753         (JSC::WASMFunctionParser::parseExpressionF64): Deleted.
1754         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF64): Deleted.
1755         (JSC::WASMFunctionParser::parseImmediateExpressionF64): Deleted.
1756         (JSC::WASMFunctionParser::parseUnaryExpressionF64): Deleted.
1757         (JSC::WASMFunctionParser::parseBinaryExpressionF64): Deleted.
1758         (JSC::WASMFunctionParser::parseMinOrMaxExpressionF64): Deleted.
1759         (JSC::WASMFunctionParser::parseExpressionVoid): Deleted.
1760         (JSC::WASMFunctionParser::parseGetLocalExpression): Deleted.
1761         (JSC::WASMFunctionParser::parseGetGlobalExpression): Deleted.
1762         (JSC::WASMFunctionParser::parseSetLocal): Deleted.
1763         (JSC::WASMFunctionParser::parseSetGlobal): Deleted.
1764         (JSC::WASMFunctionParser::parseMemoryAddress): Deleted.
1765         (JSC::WASMFunctionParser::parseLoad): Deleted.
1766         (JSC::WASMFunctionParser::parseStore): Deleted.
1767         (JSC::WASMFunctionParser::parseCallArguments): Deleted.
1768         (JSC::WASMFunctionParser::parseCallInternal): Deleted.
1769         (JSC::WASMFunctionParser::parseCallIndirect): Deleted.
1770         (JSC::WASMFunctionParser::parseCallImport): Deleted.
1771         (JSC::WASMFunctionParser::parseConditional): Deleted.
1772         (JSC::WASMFunctionParser::parseComma): Deleted.
1773         (JSC::WASMFunctionParser::parseConvertType): Deleted.
1774         * wasm/WASMFunctionParser.h: Removed.
1775         (JSC::WASMFunctionParser::WASMFunctionParser): Deleted.
1776         * wasm/WASMFunctionSyntaxChecker.h: Removed.
1777         (JSC::WASMFunctionSyntaxChecker::MemoryAddress::MemoryAddress): Deleted.
1778         (JSC::WASMFunctionSyntaxChecker::startFunction): Deleted.
1779         (JSC::WASMFunctionSyntaxChecker::endFunction): Deleted.
1780         (JSC::WASMFunctionSyntaxChecker::buildSetLocal): Deleted.
1781         (JSC::WASMFunctionSyntaxChecker::buildSetGlobal): Deleted.
1782         (JSC::WASMFunctionSyntaxChecker::buildReturn): Deleted.
1783         (JSC::WASMFunctionSyntaxChecker::buildImmediateI32): Deleted.
1784         (JSC::WASMFunctionSyntaxChecker::buildImmediateF32): Deleted.
1785         (JSC::WASMFunctionSyntaxChecker::buildImmediateF64): Deleted.
1786         (JSC::WASMFunctionSyntaxChecker::buildGetLocal): Deleted.
1787         (JSC::WASMFunctionSyntaxChecker::buildGetGlobal): Deleted.
1788         (JSC::WASMFunctionSyntaxChecker::buildConvertType): Deleted.
1789         (JSC::WASMFunctionSyntaxChecker::buildLoad): Deleted.
1790         (JSC::WASMFunctionSyntaxChecker::buildStore): Deleted.
1791         (JSC::WASMFunctionSyntaxChecker::buildUnaryI32): Deleted.
1792         (JSC::WASMFunctionSyntaxChecker::buildUnaryF32): Deleted.
1793         (JSC::WASMFunctionSyntaxChecker::buildUnaryF64): Deleted.
1794         (JSC::WASMFunctionSyntaxChecker::buildBinaryI32): Deleted.
1795         (JSC::WASMFunctionSyntaxChecker::buildBinaryF32): Deleted.
1796         (JSC::WASMFunctionSyntaxChecker::buildBinaryF64): Deleted.
1797         (JSC::WASMFunctionSyntaxChecker::buildRelationalI32): Deleted.
1798         (JSC::WASMFunctionSyntaxChecker::buildRelationalF32): Deleted.
1799         (JSC::WASMFunctionSyntaxChecker::buildRelationalF64): Deleted.
1800         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxI32): Deleted.
1801         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxF64): Deleted.
1802         (JSC::WASMFunctionSyntaxChecker::buildCallInternal): Deleted.
1803         (JSC::WASMFunctionSyntaxChecker::buildCallImport): Deleted.
1804         (JSC::WASMFunctionSyntaxChecker::buildCallIndirect): Deleted.
1805         (JSC::WASMFunctionSyntaxChecker::appendExpressionList): Deleted.
1806         (JSC::WASMFunctionSyntaxChecker::discard): Deleted.
1807         (JSC::WASMFunctionSyntaxChecker::linkTarget): Deleted.
1808         (JSC::WASMFunctionSyntaxChecker::jumpToTarget): Deleted.
1809         (JSC::WASMFunctionSyntaxChecker::jumpToTargetIf): Deleted.
1810         (JSC::WASMFunctionSyntaxChecker::startLoop): Deleted.
1811         (JSC::WASMFunctionSyntaxChecker::endLoop): Deleted.
1812         (JSC::WASMFunctionSyntaxChecker::startSwitch): Deleted.
1813         (JSC::WASMFunctionSyntaxChecker::endSwitch): Deleted.
1814         (JSC::WASMFunctionSyntaxChecker::startLabel): Deleted.
1815         (JSC::WASMFunctionSyntaxChecker::endLabel): Deleted.
1816         (JSC::WASMFunctionSyntaxChecker::breakTarget): Deleted.
1817         (JSC::WASMFunctionSyntaxChecker::continueTarget): Deleted.
1818         (JSC::WASMFunctionSyntaxChecker::breakLabelTarget): Deleted.
1819         (JSC::WASMFunctionSyntaxChecker::continueLabelTarget): Deleted.
1820         (JSC::WASMFunctionSyntaxChecker::buildSwitch): Deleted.
1821         (JSC::WASMFunctionSyntaxChecker::stackHeight): Deleted.
1822         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeight): Deleted.
1823         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall): Deleted.
1824         * wasm/WASMModuleParser.cpp: Removed.
1825         (JSC::WASMModuleParser::WASMModuleParser): Deleted.
1826         (JSC::WASMModuleParser::parse): Deleted.
1827         (JSC::WASMModuleParser::parseModule): Deleted.
1828         (JSC::WASMModuleParser::parseConstantPoolSection): Deleted.
1829         (JSC::WASMModuleParser::parseSignatureSection): Deleted.
1830         (JSC::WASMModuleParser::parseFunctionImportSection): Deleted.
1831         (JSC::WASMModuleParser::parseGlobalSection): Deleted.
1832         (JSC::WASMModuleParser::parseFunctionDeclarationSection): Deleted.
1833         (JSC::WASMModuleParser::parseFunctionPointerTableSection): Deleted.
1834         (JSC::WASMModuleParser::parseFunctionDefinitionSection): Deleted.
1835         (JSC::WASMModuleParser::parseFunctionDefinition): Deleted.
1836         (JSC::WASMModuleParser::parseExportSection): Deleted.
1837         (JSC::WASMModuleParser::getImportedValue): Deleted.
1838         (JSC::parseWebAssembly): Deleted.
1839         * wasm/WASMModuleParser.h: Removed.
1840         * wasm/WASMReader.cpp: Removed.
1841         (JSC::WASMReader::readUInt32): Deleted.
1842         (JSC::WASMReader::readFloat): Deleted.
1843         (JSC::WASMReader::readDouble): Deleted.
1844         (JSC::WASMReader::readCompactInt32): Deleted.
1845         (JSC::WASMReader::readCompactUInt32): Deleted.
1846         (JSC::WASMReader::readString): Deleted.
1847         (JSC::WASMReader::readType): Deleted.
1848         (JSC::WASMReader::readExpressionType): Deleted.
1849         (JSC::WASMReader::readExportFormat): Deleted.
1850         (JSC::WASMReader::readByte): Deleted.
1851         (JSC::WASMReader::readOpStatement): Deleted.
1852         (JSC::WASMReader::readOpExpressionI32): Deleted.
1853         (JSC::WASMReader::readOpExpressionF32): Deleted.
1854         (JSC::WASMReader::readOpExpressionF64): Deleted.
1855         (JSC::WASMReader::readOpExpressionVoid): Deleted.
1856         (JSC::WASMReader::readVariableTypes): Deleted.
1857         (JSC::WASMReader::readOp): Deleted.
1858         (JSC::WASMReader::readSwitchCase): Deleted.
1859         * wasm/WASMReader.h: Removed.
1860         (JSC::WASMReader::WASMReader): Deleted.
1861         (JSC::WASMReader::offset): Deleted.
1862         (JSC::WASMReader::setOffset): Deleted.
1863
1864 2016-08-05  Keith Miller  <keith_miller@apple.com>
1865
1866         Fix 32-bit OverridesHasInstance in the DFG.
1867         https://bugs.webkit.org/show_bug.cgi?id=160600
1868
1869         Reviewed by Mark Lam.
1870
1871         In https://trac.webkit.org/changeset/204140, we fixed an issue where the DFG might
1872         do the wrong thing if it proved that the Symbol.hasInstance value for a constructor
1873         was a constant late in compilation. That fix was omitted from the 32-bit version,
1874         causing the new test to fail.
1875
1876         * dfg/DFGSpeculativeJIT32_64.cpp:
1877         (JSC::DFG::SpeculativeJIT::compile):
1878
1879 2016-08-04  Saam Barati  <sbarati@apple.com>
1880
1881         Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time
1882         https://bugs.webkit.org/show_bug.cgi?id=151241
1883
1884         Reviewed by Benjamin Poulain.
1885
1886         This patch rolls back in the jettisoning policy from https://bugs.webkit.org/show_bug.cgi?id=149727.
1887         We can now jettison a CodeBlock when it has been alive for a long time
1888         and is only pointed to by its owner executable. I haven't been able to get this
1889         patch to crash on anything it used to crash on, so I suspect we've fixed the bugs that
1890         were causing this before. I've also added some stress options for this feature that
1891         will cause us to either eagerly old-age jettison or to old-age jettison whenever it's legal.
1892         These options helped me find a bug where we would ask an Executable to create a CodeBlock,
1893         and then the Executable would do some other allocations, causing a GC, immediately causing
1894         the CodeBlock to jettison. There is a small chance that this was the bug we were seeing before;
1895         however, it's unlikely given that the previous timing metrics require at least 5 seconds between
1896         compiling and jettisoning.
1897
1898         This patch also enables the stress options for various modes
1899         of JSC stress tests.
1900
1901         * bytecode/CodeBlock.cpp:
1902         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
1903         (JSC::timeToLive):
1904         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1905         * interpreter/CallFrame.h:
1906         (JSC::ExecState::callee):
1907         (JSC::ExecState::unsafeCallee):
1908         (JSC::ExecState::codeBlock):
1909         (JSC::ExecState::addressOfCodeBlock):
1910         (JSC::ExecState::unsafeCodeBlock):
1911         (JSC::ExecState::scope):
1912         * interpreter/Interpreter.cpp:
1913         (JSC::Interpreter::execute):
1914         (JSC::Interpreter::executeCall):
1915         (JSC::Interpreter::executeConstruct):
1916         (JSC::Interpreter::prepareForRepeatCall):
1917         * jit/JITOperations.cpp:
1918         * llint/LLIntSlowPaths.cpp:
1919         (JSC::LLInt::setUpCall):
1920         * runtime/Executable.cpp:
1921         (JSC::ScriptExecutable::installCode):
1922         (JSC::setupJIT):
1923         (JSC::ScriptExecutable::prepareForExecutionImpl):
1924         * runtime/Executable.h:
1925         (JSC::ScriptExecutable::prepareForExecution):
1926         * runtime/Options.h:
1927
1928 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1929
1930         [ES6] JSModuleNamespaceObject's Symbol.iterator function should have name
1931         https://bugs.webkit.org/show_bug.cgi?id=160549
1932
1933         Reviewed by Saam Barati.
1934
1935         ES6 Module's namespace[Symbol.iterator] function should have the name, "[Symbol.iterator]".
1936
1937         * runtime/JSModuleNamespaceObject.cpp:
1938         (JSC::JSModuleNamespaceObject::finishCreation):
1939
1940 2016-08-04  Keith Miller  <keith_miller@apple.com>
1941
1942         ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
1943         https://bugs.webkit.org/show_bug.cgi?id=160562
1944         <rdar://problem/27704825>
1945
1946         Reviewed by Mark Lam.
1947
1948         This patch fixes an issue where we would emit incorrect code in the DFG when constant folding would
1949         convert a GetByOffset into a constant late in compilation. Additionally, it removes invalid assertions
1950         associated with the assumption that this could not happen.
1951
1952         * dfg/DFGSpeculativeJIT64.cpp:
1953         (JSC::DFG::SpeculativeJIT::compile):
1954         * ftl/FTLLowerDFGToB3.cpp:
1955         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance): Deleted.
1956
1957 2016-08-04  Keith Miller  <keith_miller@apple.com>
1958
1959         Remove unused intrinsic member of NativeExecutable
1960         https://bugs.webkit.org/show_bug.cgi?id=160560
1961
1962         Reviewed by Saam Barati.
1963
1964         NativeExecutable has an Intrinsic member. It appears that this member is never
1965         used. Instead we use the Intrinsic member of NativeExecutable's super class,
1966         ExecutableBase.
1967
1968         * runtime/Executable.h:
1969
1970 2016-08-04  Benjamin Poulain  <bpoulain@apple.com>
1971
1972         [JSC] Speed up InPlaceAbstractState::endBasicBlock()
1973         https://bugs.webkit.org/show_bug.cgi?id=160539
1974
1975         Reviewed by Mark Lam.
1976
1977         This patch does small improvements to our handling
1978         of value propagation to the successors.
1979
1980         One key insight is that using HashMap to map Nodes
1981         to Value in valuesAtTail is too inefficient at the scale
1982         we use it. Instead, I reuse our existing mapping
1983         from every Node to its value, abstracted by forNode().
1984
1985         Since we are not going to use the mapping after endBasicBlock()
1986         I can replace whatever we had there. The next beginBasicBlock()
1987         will setup the new value as needed.
1988
1989         In endBasicBlock(), valuesAtTail is now a vector of all values live
1990         at tail. For each node, I merge the previous live at tail with
1991         the new value, then replace the value in the mapping.
1992         Liveness Analysis guarantees we won't have duplicates there, which
1993         makes the replacement sound.
1994
1995         Next, when propagating, I take the vector of values live at head
1996         and use the global node->value mapping to find its new abstract value.
1997         Again, Liveness Analysis guarantees I won't find a value live at head
1998         that was not replaced by the merging at tail of the predecessor.
1999
2000         All our live lists have become vectors instead of HashTables.
2001         The mapping from Node to Value is always done by array indexing.
2002         Same big-O, much smaller constant.
2003
2004         * dfg/DFGAtTailAbstractState.cpp:
2005         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2006         (JSC::DFG::AtTailAbstractState::createValueForNode):
2007         (JSC::DFG::AtTailAbstractState::forNode):
2008         * dfg/DFGAtTailAbstractState.h:
2009         I did not look much into this state, I just made it equivalent
2010         to the previous mapping.
2011
2012         * dfg/DFGBasicBlock.h:
2013         * dfg/DFGCFAPhase.cpp:
2014         (JSC::DFG::CFAPhase::performBlockCFA):
2015         * dfg/DFGGraph.cpp:
2016         (JSC::DFG::Graph::dump):
2017         * dfg/DFGInPlaceAbstractState.cpp:
2018         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2019
2020         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2021         AbstractValue is big enough that we really don't want to copy it twice.
2022
2023         (JSC::DFG::InPlaceAbstractState::merge):
2024         (JSC::DFG::setLiveValues): Deleted.
2025         * dfg/DFGInPlaceAbstractState.h:
2026
2027         * dfg/DFGPhiChildren.h:
2028         This is heap allocated by AbstractInterpreter. It should use fastMalloc().
2029
2030 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2031
2032         [ES7] Update features.json for exponentiation expression
2033         https://bugs.webkit.org/show_bug.cgi?id=160541
2034
2035         Reviewed by Mark Lam.
2036
2037         * features.json:
2038
2039 2016-08-03  Chris Dumez  <cdumez@apple.com>
2040
2041         Drop DocumentType.internalSubset attribute
2042         https://bugs.webkit.org/show_bug.cgi?id=160530
2043
2044         Reviewed by Alex Christensen.
2045
2046         Drop DocumentType.internalSubset attribute.
2047
2048         * inspector/protocol/DOM.json:
2049
2050 2016-08-03  Benjamin Poulain  <bpoulain@apple.com>
2051
2052         [JSC] Improve the memory locality of DFG Node's AbstractValues
2053         https://bugs.webkit.org/show_bug.cgi?id=160443
2054
2055         Reviewed by Mark Lam.
2056
2057         The AbstractInterpreter spends a lot of time on memory operations
2058         for AbstractValues. This patch attempts to improve the situation
2059         by putting the values closer together in memory.
2060
2061         First, AbstractValue is moved out of DFG::Node and is kept in
2062         a vector addressed by node indices.
2063
2064         I initially moved them to InPlaceAbstractState but I quickly discovered
2065         initializing the values in the vector was costly.
2066         I moved the vector to Graph as a cache shared by every instantiation of
2067         InPlaceAbstractState. It is mainly there to avoid constructors and destructors
2068         of AbstractValue. The patch of https://bugs.webkit.org/show_bug.cgi?id=160370
2069         should also help eventually.
2070
2071         I instrumented CFA to find out how packed SparseCollection is.
2072         The answer is it can be very sparse, which is bad for CFA.
2073         I added packIndices() to repack the collection before running
2074         liveness since that's where we start using the memory intensively.
2075         This is a measurable improvement but it implies we can no longer
2076         keep indices on a side channel between phases since they may change.
2077
2078         * b3/B3SparseCollection.h:
2079         (JSC::B3::SparseCollection::packIndices):
2080         * dfg/DFGGraph.cpp:
2081         (JSC::DFG::Graph::packNodeIndices):
2082         * dfg/DFGGraph.h:
2083         (JSC::DFG::Graph::abstractValuesCache):
2084         * dfg/DFGInPlaceAbstractState.cpp:
2085         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
2086         * dfg/DFGInPlaceAbstractState.h:
2087         (JSC::DFG::InPlaceAbstractState::forNode):
2088         * dfg/DFGLivenessAnalysisPhase.cpp:
2089         (JSC::DFG::performLivenessAnalysis):
2090         * dfg/DFGNode.h:
2091
2092 2016-08-03  Caitlin Potter  <caitp@igalia.com>
2093
2094         Clarify SyntaxErrors around yield and unskip tests
2095         https://bugs.webkit.org/show_bug.cgi?id=158460
2096
2097         Reviewed by Saam Barati.
2098
2099         Fix and unskip tests which erroneously asserted that `yield` is not a
2100         valid BindingIdentifier, and improve error message for YieldExpressions
2101         occurring in Arrow formal parameters.
2102
2103         * parser/Parser.cpp:
2104         (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
2105         (JSC::Parser<LexerType>::parseFunctionInfo):
2106         (JSC::Parser<LexerType>::parseYieldExpression):
2107         * parser/Parser.h:
2108
2109 2016-08-03  Filip Pizlo  <fpizlo@apple.com>
2110
2111         REGRESSION(r203368): broke some test262 tests
2112         https://bugs.webkit.org/show_bug.cgi?id=160479
2113
2114         Reviewed by Mark Lam.
2115         
2116         The optimization in r203368 overlooked a subtle detail: freezing should not set ReadOnly on
2117         Accessor properties.
2118
2119         * runtime/Structure.cpp:
2120         (JSC::Structure::nonPropertyTransition):
2121         * runtime/StructureTransitionTable.h:
2122         (JSC::setsDontDeleteOnAllProperties):
2123         (JSC::setsReadOnlyOnNonAccessorProperties):
2124         (JSC::setsReadOnlyOnAllProperties): Deleted.
2125
2126 2016-08-03  Csaba Osztrogonác  <ossy@webkit.org>
2127
2128         Lacking support on an arm-traditional disassembler.
2129         https://bugs.webkit.org/show_bug.cgi?id=123717
2130
2131         Reviewed by Mark Lam.
2132
2133         * CMakeLists.txt:
2134         * disassembler/ARMLLVMDisassembler.cpp: Added, based on pre r196729 LLVMDisassembler, but it is ARM traditional only now.
2135         (JSC::tryToDisassemble):
2136
2137 2016-08-03  Saam Barati  <sbarati@apple.com>
2138
2139         Implement nested rest destructuring w.r.t the ES7 spec
2140         https://bugs.webkit.org/show_bug.cgi?id=160423
2141
2142         Reviewed by Filip Pizlo.
2143
2144         The spec has updated the BindingRestElement grammar production to be:
2145         BindingRestElement:
2146            BindingIdentifier
2147            BindingPattern.
2148
2149         It used to only allow BindingIdentifier in the grammar production.
2150         I've updated our engine to account for this. The semantics are exactly
2151         what you'd expect.  For example:
2152         `let [a, ...[b, ...c]] = expr();`
2153         means that we create an array for the first rest element `...[b, ...c]`
2154         and then perform the binding of `[b, ...c]` to that array. And so on, 
2155         applied recursively through the pattern.
2156
2157         * bytecompiler/NodesCodegen.cpp:
2158         (JSC::RestParameterNode::collectBoundIdentifiers):
2159         (JSC::RestParameterNode::toString):
2160         (JSC::RestParameterNode::bindValue):
2161         (JSC::RestParameterNode::emit):
2162         * parser/ASTBuilder.h:
2163         (JSC::ASTBuilder::createBindingLocation):
2164         (JSC::ASTBuilder::createRestParameter):
2165         (JSC::ASTBuilder::createAssignmentElement):
2166         * parser/NodeConstructors.h:
2167         (JSC::AssignmentElementNode::AssignmentElementNode):
2168         (JSC::RestParameterNode::RestParameterNode):
2169         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2170         * parser/Nodes.h:
2171         (JSC::RestParameterNode::name): Deleted.
2172         * parser/Parser.cpp:
2173         (JSC::Parser<LexerType>::parseDestructuringPattern):
2174         (JSC::Parser<LexerType>::parseFormalParameters):
2175         * parser/SyntaxChecker.h:
2176         (JSC::SyntaxChecker::operatorStackPop):
2177
2178 2016-08-03  Benjamin Poulain  <benjamin@webkit.org>
2179
2180         [JSC] Fix Windows build after r204065
2181
2182         * dfg/DFGAbstractValue.cpp:
2183         (JSC::DFG::AbstractValue::observeTransitions):
2184         AbstractValue is bigger on Windows for an unknown reason.
2185
2186 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2187
2188         [JSC] Fix 32bits jsc after r204065
2189
2190         Default-constructed JSValue() is not equal to zero on 32-bit.
2191
2192         * dfg/DFGAbstractValue.h:
2193         (JSC::DFG::AbstractValue::AbstractValue):
2194
2195 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2196
2197         [JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter
2198         https://bugs.webkit.org/show_bug.cgi?id=160370
2199
2200         Reviewed by Saam Barati.
2201
2202         We use a ton of AbstractValue to run the Abstract Interpreter.
2203
2204         When we set up the initial values, the compiler sets
2205         a zero on a first word, a one on a second word, and a zero
2206         again on a third word.
2207         Since no vector or double-store can deal with 3 words, unrolling
2208         is done by repeating those instructions.
2209
2210         The reason for the one was TinyPtrSet. It needed a flag for
2211         empty value to identify the set as thin. I flipped the flag to "fat"
2212         to make sure TinyPtrSet is initialized to zero.
2213
2214         With that done, I just had to clean some places to make
2215         the initialization shorter.
2216         It makes the binary easier to follow but this does not help with
2217         the bigger problem: the time spent per block on Abstract Interpreter.
2218
2219         * bytecode/Operands.h:
2220         The traits were useless; no client code defines them.
2221
2222         (JSC::Operands::Operands):
2223         (JSC::Operands::ensureLocals):
2224         Because of the size of the function, llvm is not inlining it.
2225         We were literally loading 3 registers from memory and storing
2226         them in the vector.
2227         Now that AbstractValue has a VectorTraits, we should just rely
2228         on the memset of Vector when possible.
2229
2230         (JSC::Operands::getLocal):
2231         (JSC::Operands::setArgumentFirstTime):
2232         (JSC::Operands::setLocalFirstTime):
2233         (JSC::Operands::clear):
2234         (JSC::OperandValueTraits::defaultValue): Deleted.
2235         (JSC::OperandValueTraits::isEmptyForDump): Deleted.
2236         * bytecode/OperandsInlines.h:
2237         (JSC::Operands<T>::dumpInContext):
2238         (JSC::Operands<T>::dump):
2239         (JSC::Traits>::dumpInContext): Deleted.
2240         (JSC::Traits>::dump): Deleted.
2241         * dfg/DFGAbstractValue.cpp:
2242         * dfg/DFGAbstractValue.h:
2243         (JSC::DFG::AbstractValue::AbstractValue):
2244
2245 2016-08-02  Saam Barati  <sbarati@apple.com>
2246
2247         update a class extending null w.r.t the ES7 spec
2248         https://bugs.webkit.org/show_bug.cgi?id=160417
2249
2250         Reviewed by Keith Miller.
2251
2252         When a class extends null, it should not be marked as a derived class.
2253         This was changed in the ES2016 spec, and this patch makes the needed
2254         changes in JSC to follow the spec. This allows classes to extend
2255         null and have their default constructor invoked without throwing an exception.
2256         This also prevents |this| from being under TDZ at the start of the constructor.
2257         Because ES6 allows arbitrary expressions in the `class <ident> extends <expr>`
2258         syntax, we don't know statically if a constructor is extending null or not.
2259         Therefore, we don't always know statically if it's a base or derived constructor.
2260         I solved this by putting a boolean on the constructor function under a private
2261         symbol named isDerivedConstructor when doing class construction. We only need
2262         to put this boolean on constructors that may extend null. Constructors that are
2263         declared in a class with no extends syntax can tell statically that they are a base constructor.
2264
2265         I've also renamed the ConstructorKind::Derived enum value to be
2266         ConstructorKind::Extends to better indicate that we can't answer
2267         the "am I a derived constructor?" question statically.
2268
2269         * builtins/BuiltinExecutables.cpp:
2270         (JSC::BuiltinExecutables::createDefaultConstructor):
2271         * builtins/BuiltinNames.h:
2272         * bytecompiler/BytecodeGenerator.cpp:
2273         (JSC::BytecodeGenerator::BytecodeGenerator):
2274         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2275         (JSC::BytecodeGenerator::emitReturn):
2276         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2277         (JSC::BytecodeGenerator::ensureThis):
2278         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2279         * bytecompiler/BytecodeGenerator.h:
2280         (JSC::BytecodeGenerator::makeFunction):
2281         * bytecompiler/NodesCodegen.cpp:
2282         (JSC::EvalFunctionCallNode::emitBytecode):
2283         (JSC::FunctionCallValueNode::emitBytecode):
2284         (JSC::FunctionNode::emitBytecode):
2285         (JSC::ClassExprNode::emitBytecode):
2286         * parser/Parser.cpp:
2287         (JSC::Parser<LexerType>::Parser):
2288         (JSC::Parser<LexerType>::parseFunctionInfo):
2289         (JSC::Parser<LexerType>::parseClass):
2290         (JSC::Parser<LexerType>::parseMemberExpression):
2291         * parser/ParserModes.h:
2292
2293 2016-08-02  Enrica Casucci  <enrica@apple.com>
2294
2295         Allow building with content filtering disabled.
2296         https://bugs.webkit.org/show_bug.cgi?id=160454
2297
2298         Reviewed by Simon Fraser.
2299
2300         * Configurations/FeatureDefines.xcconfig:
2301
2302 2016-08-02  Csaba Osztrogonác  <ossy@webkit.org>
2303
2304         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
2305         https://bugs.webkit.org/show_bug.cgi?id=159759
2306
2307         Reviewed by Saam Barati.
2308
2309         * jit/JITMathIC.h:
2310         (JSC::JITMathIC::generateInline):
2311
2312 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2313
2314         REGRESSION (r203990): JSC Debug test stress/arity-check-ftl-throw.js failing
2315         https://bugs.webkit.org/show_bug.cgi?id=160438
2316
2317         Reviewed by Mark Lam.
2318         
2319         In r203990 I fixed a bug where CommonSlowPaths.h/arityCheckFor() was basically failing at
2320         catching stack overflow due to large parameter count. It would only catch regular old stack
2321         overflow, like if the frame pointer was already past the limit.
2322         
2323         This had a secondary problem: unfortunately all of our tests for what happens when you overflow
2324         the stack due to large parameter count were not going down that path at all, so we haven't had
2325         test coverage for this in ages.  There were bugs in all tiers of the engine when handling this
2326         case.
2327
2328         We need to be able to roll back the topCallFrame on paths that are meant to throw an exception
2329         from the caller. Otherwise, we'd crash in StackVisitor because it would see a busted stack
2330         frame. Rolling back like this "just works" except when the caller is the VM entry frame. I had
2331         some choices here. I could have forced anyone who is rolling back to always skip VM entry
2332         frames. They can't do it in a way that changes the value of VM::topVMEntryFrame, which is what
2333         a stack frame roll back normally does, since exception unwinding needs to see the current value
2334         of topVMEntryFrame. So, we have a choice to either try to magically avoid all of the paths that
2335         look at topCallFrame, or give topCallFrame a state that unambiguously signals that we are
2336         sitting right on top of a VM entry frame without having succeeded at making a JS call. The only
2337         place that really needs to know is StackVisitor, which wants to start scanning at topCallFrame.
2338         To signal this, I could have either made topCallFrame point to the real top JS call frame
2339         without also rolling back topVMEntryFrame, or I could make topCallFrame == topVMEntryFrame. The
2340         latter felt somehow cleaner. I filed a bug (https://bugs.webkit.org/show_bug.cgi?id=160441) for
2341         converting topCallFrame to a void*, which would give us a chance to harden the rest of the
2342         engine against this case.
2343         
2344         * interpreter/StackVisitor.cpp:
2345         (JSC::StackVisitor::StackVisitor):
2346         We may do ShadowChicken processing, which invokes StackVisitor, when we have topCallFrame
2347         pointing at topVMEntryFrame. This teaches StackVisitor how to handle this case. I believe that
2348         StackVisitor is the only place that needs to be taught about this at this time, because it's
2349         one of the few things that access topCallFrame along this special path.
2350         
2351         * jit/JITOperations.cpp: Roll back the top call frame.
2352         * runtime/CommonSlowPaths.cpp:
2353         (JSC::SLOW_PATH_DECL): Roll back the top call frame.
2354
2355 2016-08-01  Benjamin Poulain  <bpoulain@apple.com>
2356
2357         [JSC][ARM64] Fix branchTest32/64 taking an immediate as mask
2358         https://bugs.webkit.org/show_bug.cgi?id=160439
2359
2360         Reviewed by Filip Pizlo.
2361
2362         * assembler/MacroAssemblerARM64.h:
2363         (JSC::MacroAssemblerARM64::branchTest64):
2364         * b3/air/AirOpcode.opcodes:
2365         Fix the ARM64 codegen to lower BitImm64 without using a scratch register.
2366
2367 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
2368
2369         [B3] Fusing immediates into test instructions should work again
2370         https://bugs.webkit.org/show_bug.cgi?id=160073
2371
2372         Reviewed by Sam Weinig.
2373
2374         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
2375         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
2376         was still using Imm!  This meant that isValidForm() always returned false.
2377         
2378         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
2379         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
2380         with the scratch register).
2381         
2382         This is not an obvious progression on anything, so I added comprehensive tests to
2383         testb3, which check that we selected the optimal instruction in a variety of situations.
2384         We should add more tests like this!
2385
2386         Rolling this back in after fixing ARM64. The bug was that branchTest32|64 on ARM64 doesn't
2387         actually support BitImm or BitImm64, at least not yet. Disabling that in AirOpcodes makes
2388         this patch not a regression on ARM64. That change was reviewed by Benjamin Poulain.
2389
2390         * b3/B3BasicBlock.h:
2391         (JSC::B3::BasicBlock::successorBlock):
2392         * b3/B3LowerToAir.cpp:
2393         (JSC::B3::Air::LowerToAir::createGenericCompare):
2394         * b3/B3LowerToAir.h:
2395         * b3/air/AirArg.cpp:
2396         (JSC::B3::Air::Arg::isRepresentableAs):
2397         (JSC::B3::Air::Arg::usesTmp):
2398         * b3/air/AirArg.h:
2399         (JSC::B3::Air::Arg::isRepresentableAs):
2400         (JSC::B3::Air::Arg::castToType):
2401         (JSC::B3::Air::Arg::asNumber):
2402         * b3/air/AirCode.h:
2403         (JSC::B3::Air::Code::size):
2404         (JSC::B3::Air::Code::at):
2405         * b3/air/AirOpcode.opcodes:
2406         * b3/air/AirValidate.h:
2407         * b3/air/opcode_generator.rb:
2408         * b3/testb3.cpp:
2409         (JSC::B3::compile):
2410         (JSC::B3::compileAndRun):
2411         (JSC::B3::lowerToAirForTesting):
2412         (JSC::B3::testSomeEarlyRegister):
2413         (JSC::B3::testBranchBitAndImmFusion):
2414         (JSC::B3::zero):
2415         (JSC::B3::run):
2416
2417 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2418
2419         Rationalize varargs stack overflow checks
2420         https://bugs.webkit.org/show_bug.cgi?id=160425
2421
2422         Reviewed by Michael Saboff.
2423
2424         * ftl/FTLLink.cpp:
2425         (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
2426         * runtime/CommonSlowPaths.h:
2427         (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.
2428
2429 2016-08-01  Saam Barati  <sbarati@apple.com>
2430
2431         Sub should be a Math IC
2432         https://bugs.webkit.org/show_bug.cgi?id=160270
2433
2434         Reviewed by Mark Lam.
2435
2436         This makes Sub an IC like Mul and Add. I'm seeing the following
2437         improvements of average Sub size on Unity and JetStream:
2438
2439                    |   JetStream  |  Unity 3D  |
2440              ------| -------------|--------------
2441               Old  |   202 bytes  |  205 bytes |
2442              ------| -------------|--------------
2443               New  |   134  bytes |  134 bytes |
2444              ------------------------------------
2445
2446         * bytecode/CodeBlock.cpp:
2447         (JSC::CodeBlock::addJITMulIC):
2448         (JSC::CodeBlock::addJITSubIC):
2449         (JSC::CodeBlock::findStubInfo):
2450         (JSC::CodeBlock::dumpMathICStats):
2451         * bytecode/CodeBlock.h:
2452         (JSC::CodeBlock::stubInfoBegin):
2453         (JSC::CodeBlock::stubInfoEnd):
2454         * dfg/DFGSpeculativeJIT.cpp:
2455         (JSC::DFG::SpeculativeJIT::compileArithSub):
2456         * ftl/FTLLowerDFGToB3.cpp:
2457         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2458         * jit/JITArithmetic.cpp:
2459         (JSC::JIT::emit_op_sub):
2460         (JSC::JIT::emitSlow_op_sub):
2461         (JSC::JIT::emit_op_pow):
2462         * jit/JITMathIC.h:
2463         * jit/JITMathICForwards.h:
2464         * jit/JITOperations.cpp:
2465         * jit/JITOperations.h:
2466         * jit/JITSubGenerator.cpp:
2467         (JSC::JITSubGenerator::generateInline):
2468         (JSC::JITSubGenerator::generateFastPath):
2469         * jit/JITSubGenerator.h:
2470         (JSC::JITSubGenerator::JITSubGenerator):
2471         (JSC::JITSubGenerator::isLeftOperandValidConstant):
2472         (JSC::JITSubGenerator::isRightOperandValidConstant):
2473         (JSC::JITSubGenerator::arithProfile):
2474         (JSC::JITSubGenerator::didEmitFastPath): Deleted.
2475         (JSC::JITSubGenerator::endJumpList): Deleted.
2476         (JSC::JITSubGenerator::slowPathJumpList): Deleted.
2477
2478 2016-08-01  Keith Miller  <keith_miller@apple.com>
2479
2480         We should not keep the JavaScript tests inside the Source/JavaScriptCore/ directory.
2481         https://bugs.webkit.org/show_bug.cgi?id=160372
2482
2483         Rubber stamped by Geoffrey Garen.
2484
2485         This patch moves all the JavaScript tests from Source/JavaScriptCore/tests to
2486         a new top level directory, JSTests. Having the tests in the Source directory
2487         was both confusing and inconvenient for people who just want to check out the
2488         source code of WebKit. Since there is no other obvious place to put all the
2489         JavaScript tests a new top level directory seemed the most sensible.
2490
2491         * tests/: Deleted.
2492
2493 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2494
2495         [JSC] Should check Test262Error correctly
2496         https://bugs.webkit.org/show_bug.cgi?id=159862
2497
2498         Reviewed by Saam Barati.
2499
2500         Test262Error in the harness does not have "name" property.
2501         Rather than checking the "name" property, performing `instanceof` is better to check the class of the exception.
2502
2503         * jsc.cpp:
2504         (checkUncaughtException):
2505         * runtime/JSObject.h:
2506         * tests/test262.yaml:
2507
2508 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2509
2510         [ES6] Module binding can be exported by multiple names
2511         https://bugs.webkit.org/show_bug.cgi?id=160343
2512
2513         Reviewed by Saam Barati.
2514
2515         ES6 Module can export the same local binding by using multiple names.
2516         For example,
2517
2518             ```
2519             var value = 42;
2520
2521             export { value };
2522             export { value as value2 };
2523             ```
2524
2525         Currently, we only allowed one local binding to be exported with one name. So, in the above case,
2526         the local binding "value" is exported as "value2" and "value" name is not exported. This is wrong.
2527
2528         To fix this issue, we collect the correspondence (local name => exported name) to the local bindings
2529         in the parser. Previously, we only maintained the exported local bindings in the parser. And utilize
2530         this information when creating the export entries in ModuleAnalyzer.
2531
2532         And this patch also moves ModuleScopeData from the Scope object to the Parser class since exported
2533         names should be managed per-module, not per-scope.
2534
2535         This change fixes several test262 failures.
2536
2537         * JavaScriptCore.xcodeproj/project.pbxproj:
2538         * parser/ModuleAnalyzer.cpp:
2539         (JSC::ModuleAnalyzer::exportVariable):
2540         (JSC::ModuleAnalyzer::analyze):
2541         (JSC::ModuleAnalyzer::exportedBinding): Deleted.
2542         (JSC::ModuleAnalyzer::declareExportAlias): Deleted.
2543         * parser/ModuleAnalyzer.h:
2544         * parser/ModuleScopeData.h: Copied from Source/JavaScriptCore/parser/ModuleAnalyzer.h.
2545         (JSC::ModuleScopeData::create):
2546         (JSC::ModuleScopeData::exportedBindings):
2547         (JSC::ModuleScopeData::exportName):
2548         (JSC::ModuleScopeData::exportBinding):
2549         * parser/Nodes.cpp:
2550         (JSC::ProgramNode::ProgramNode):
2551         (JSC::ModuleProgramNode::ModuleProgramNode):
2552         (JSC::EvalNode::EvalNode):
2553         (JSC::FunctionNode::FunctionNode):
2554         * parser/Nodes.h:
2555         (JSC::ModuleProgramNode::moduleScopeData):
2556         * parser/NodesAnalyzeModule.cpp:
2557         (JSC::ExportDefaultDeclarationNode::analyzeModule):
2558         (JSC::ExportNamedDeclarationNode::analyzeModule): Deleted.
2559         * parser/Parser.cpp:
2560         (JSC::Parser<LexerType>::Parser):
2561         (JSC::Parser<LexerType>::parseModuleSourceElements):
2562         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2563         (JSC::Parser<LexerType>::createBindingPattern):
2564         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2565         (JSC::Parser<LexerType>::parseClassDeclaration):
2566         (JSC::Parser<LexerType>::parseExportSpecifier):
2567         (JSC::Parser<LexerType>::parseExportDeclaration):
2568         * parser/Parser.h:
2569         (JSC::Parser::exportName):
2570         (JSC::Parser<LexerType>::parse):
2571         (JSC::ModuleScopeData::create): Deleted.
2572         (JSC::ModuleScopeData::exportedBindings): Deleted.
2573         (JSC::ModuleScopeData::exportName): Deleted.
2574         (JSC::ModuleScopeData::exportBinding): Deleted.
2575         (JSC::Scope::Scope): Deleted.
2576         (JSC::Scope::setSourceParseMode): Deleted.
2577         (JSC::Scope::moduleScopeData): Deleted.
2578         (JSC::Scope::setIsModule): Deleted.
2579         * tests/modules/aliased-names.js: Added.
2580         * tests/modules/aliased-names/main.js: Added.
2581         (change):
2582         * tests/stress/modules-syntax-error-with-names.js:
2583         (export.Cocoa):
2584         (SyntaxError.Cannot.export.a.duplicate.name):
2585         * tests/test262.yaml:
2586
2587 2016-07-30  Mark Lam  <mark.lam@apple.com>
2588
2589         Assertion failure while setting the length of an ArrayClass array.
2590         https://bugs.webkit.org/show_bug.cgi?id=160381
2591         <rdar://problem/27328703>
2592
2593         Reviewed by Filip Pizlo.
2594
2595         When setting large length values, we're currently treating ArrayClass as a
2596         ContiguousIndexingType array.  This results in an assertion failure.  This is
2597         now fixed.
2598
2599         There are currently only 2 places where we create arrays with indexing type
2600         ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray::setLength()
2601         takes care of ArrayPrototype.
2602
2603         RuntimeArray already checks for the setting of its length property, and will
2604         throw a RangeError.  Hence, no change is needed for RuntimeArray.
2605         Instead, I added some test cases to ensure that the check and throw behavior does
2606         not change without notice.
2607
2608         * runtime/JSArray.cpp:
2609         (JSC::JSArray::setLength):
2610         * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
2611         (toString):
2612         (assertEqual):
2613         * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
2614         (toString):
2615         (assertEqual):
2616
2617 2016-07-29  Keith Miller  <keith_miller@apple.com>
2618
2619         TypedArray super constructor has some incompatibilities
2620         https://bugs.webkit.org/show_bug.cgi?id=160369
2621
2622         Reviewed by Filip Pizlo.
2623
2624         This patch fixes the length property of the TypedArray super constructor.
2625         Additionally, the TypedArray super constructor should no longer be callable.
2626
2627         Also, this patch fixes the expected result of some test262 tests.
2628
2629         * runtime/JSTypedArrayViewConstructor.cpp:
2630         (JSC::JSTypedArrayViewConstructor::finishCreation):
2631         (JSC::constructTypedArrayView):
2632         (JSC::JSTypedArrayViewConstructor::getCallData):
2633         * tests/test262.yaml:
2634
2635 2016-07-29  Jonathan Bedard  <jbedard@apple.com>
2636
2637         Undefined Behavior in JSValue cast from NaN
2638         https://bugs.webkit.org/show_bug.cgi?id=160322
2639
2640         Reviewed by Mark Lam.
2641
2642         JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.
2643
2644         In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
2645         to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
2646         double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
2647         should immediately call the explicit double constructor both for efficiency and to prevent inadvertently
2648         suppressing any other bugs which may be instantiating a JSValue with a NaN double.
2649
2650         * runtime/JSCJSValueInlines.h:
2651         (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.
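
The jsNaN() fix above comes down to the order of two operations: decide whether a double is representable as an int32 first, and only then convert it. The following is an added example (a toy encoder written for this page, not JavaScriptCore's JSValue; the names TaggedValue, isRepresentableAsInt32, encodeDouble and encodeNaN are made up) showing a double-to-int32 fast path whose check is done entirely in double arithmetic, so the undefined NaN-to-int32_t conversion the entry describes never runs, together with the NaN shortcut that mirrors the fix.

```cpp
// Added example, not JavaScriptCore's own code: a toy tagged value modelled on
// the JSValue(double) pattern described in the entry above. A double may be
// stored as an int32 only when the round-trip is exact. The representability
// check must run BEFORE any double -> int32_t conversion, because converting
// NaN, an infinity or an out-of-range value to int32_t is undefined behaviour.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

struct TaggedValue {
    enum class Kind { Int32, Double };
    Kind kind;
    int32_t asInt32;  // meaningful only when kind == Kind::Int32
    double asDouble;  // meaningful only when kind == Kind::Double
};

// True only when d is finite, integral, inside the int32 range and not -0.0.
// Every test here compares doubles with doubles, so a value that fails the
// check is never converted and no undefined conversion can occur.
inline bool isRepresentableAsInt32(double d)
{
    if (std::isnan(d) || std::isinf(d))
        return false;
    if (d < -2147483648.0 || d > 2147483647.0)
        return false;
    if (d != std::trunc(d))
        return false;
    // -0.0 compares equal to 0 but must stay a double to keep its sign.
    if (d == 0.0 && std::signbit(d))
        return false;
    return true;
}

// Hardened encoder: convert only after the representability check passed.
inline TaggedValue encodeDouble(double d)
{
    if (isRepresentableAsInt32(d))
        return { TaggedValue::Kind::Int32, static_cast<int32_t>(d), 0.0 };
    return { TaggedValue::Kind::Double, 0, d };
}

// Counterpart of the jsNaN() change: NaN is known up front, so skip the int32
// path entirely and build the double-tagged value directly.
inline TaggedValue encodeNaN()
{
    return { TaggedValue::Kind::Double, 0, std::numeric_limits<double>::quiet_NaN() };
}

int main()
{
    const double samples[] = { 42.0, -0.0, 1.5, 2147483648.0,
                               std::numeric_limits<double>::quiet_NaN() };
    for (double d : samples) {
        TaggedValue v = encodeDouble(d);
        std::printf("%g -> %s\n", d, v.kind == TaggedValue::Kind::Int32 ? "Int32" : "Double");
    }
    return 0;
}
```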
2652
2653 2016-07-29  Michael Saboff  <msaboff@apple.com>
2654
2655         Refactor DFG::Node::hasLocal() to accessesStack()
2656         https://bugs.webkit.org/show_bug.cgi?id=160357
2657
2658         Reviewed by Filip Pizlo.
2659
2660         Refactoring in preparation for using register arguments for JavaScript calls.
2661
2662         Renamed Node::hasLocal() to Node::accessesStack() and changed all uses accordingly.
2663         Also changed uses of Node::hasVariableAccessData() to accessesStack() where that
2664         use guards stack operation logic associated with the Node's VariableAccessData.
2665
2666         The hasVariableAccessData() check now implies no more than the node has a
2667         VariableAccessData and nothing about its use of that data to coordinate stack
2668         accesses.
2669
2670         * dfg/DFGGraph.cpp:
2671         (JSC::DFG::Graph::dump):
2672         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2673         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2674         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
2675         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2676         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2677         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2678         * dfg/DFGNode.h:
2679         (JSC::DFG::Node::containsMovHint):
2680         (JSC::DFG::Node::accessesStack):
2681         (JSC::DFG::Node::hasLocal): Deleted.
2682         * dfg/DFGPredictionInjectionPhase.cpp:
2683         (JSC::DFG::PredictionInjectionPhase::run):
2684         * dfg/DFGValidate.cpp:
2685
2686 2016-07-29  Benjamin Poulain  <benjamin@webkit.org>
2687
2688         [JSC] Use the same data structures for DFG and Air Liveness Analysis
2689         https://bugs.webkit.org/show_bug.cgi?id=160346
2690
2691         Reviewed by Geoffrey Garen.
2692
2693         In Air, we minimized memory accesses during liveness analysis
2694         with a couple of tricks:
2695         -Use a single Sparse Set ADT for the live value of each block.
2696         -Manipulate compact positive indices instead of hashing values.
2697
2698         This patch brings the same ideas to DFG.
2699
2700         This patch still uses the same fixpoint algorithms.
2701         The reason is Edge's KillStatus used by other phases. We cannot
2702         use a block-boundary liveness algorithm and update KillStatus
2703         simultaneously. It's something I'll probably revisit at some point.
2704
2705         * dfg/DFGAbstractInterpreterInlines.h:
2706         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2707         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
2708         * dfg/DFGBasicBlock.h:
2709         * dfg/DFGGraph.h:
2710         (JSC::DFG::Graph::maxNodeCount):
2711         (JSC::DFG::Graph::nodeAt):
2712         * dfg/DFGInPlaceAbstractState.cpp:
2713         (JSC::DFG::setLiveValues):
2714         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2715         * dfg/DFGLivenessAnalysisPhase.cpp:
2716         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
2717         (JSC::DFG::LivenessAnalysisPhase::run):
2718         (JSC::DFG::LivenessAnalysisPhase::processBlock):
2719         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
2720         (JSC::DFG::LivenessAnalysisPhase::process): Deleted.
2721
2722 2016-07-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2723
2724         Unreviewed, ByValInfo is only used in JIT enabled environments
2725         https://bugs.webkit.org/show_bug.cgi?id=158908
2726
2727         * bytecode/CodeBlock.cpp:
2728         (JSC::CodeBlock::stronglyVisitStrongReferences):
2729
2730 2016-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2731
2732         JSC::Symbol should be hash-consed
2733         https://bugs.webkit.org/show_bug.cgi?id=158908
2734
2735         Reviewed by Filip Pizlo.
2736
2737         Previously, SymbolImpls held by symbols represent identity of symbols.
2738         When we check the equality between symbols, we need to load SymbolImpls of symbols and compare them.
2739
2740         This patch performs hash-consing onto the symbols. We cache symbols in per-VM's SymbolImpl-keyed WeakGCMap.
2741         When creating a new symbol from SymbolImpl, we first query to this map and reuse the previously created symbol
2742         if it is found. This ensures a one-to-one correspondence between SymbolImpl and symbol. So now, we can use
2743         pointer-comparison to query the equality of symbols.
2744
2745         This change drops SymbolImpl loads when checking the equality. Furthermore, we can use DFG CheckCell to symbol
2746         when we would like to ensure that the given value is the expected symbol. This cleans up GetByVal's symbol-keyed
2747         caching. Then, we changed CheckIdent to CheckStringIdent since it only checks the string case now. The symbol
2748         case is handled by CheckCell.
2749
2750         Additionally, this patch also cleans up Map / Set implementation since we can use the logic for JSCell to symbols.
2751
2752         The performance effects in the related benchmarks are the following.
2753
2754                                                                baseline                   patch
2755
2756             bigswitch-indirect-symbol-or-undefined         85.6214+-1.0063     ^     63.0522+-0.8615        ^ definitely 1.3579x faster
2757             bigswitch-indirect-symbol                      84.9653+-0.6258     ^     80.4900+-0.8008        ^ definitely 1.0556x faster
2758             fold-put-by-val-with-symbol-to-multi-put-by-offset
2759                                                             9.4396+-0.3726            9.2941+-0.3311          might be 1.0157x faster
2760             inlined-put-by-val-with-symbol-transition
2761                                                            49.5477+-0.2401     ?     49.7533+-0.3369        ?
2762             get-by-val-with-symbol-self-or-proto           11.9740+-0.0798     ?     12.1706+-0.2723        ? might be 1.0164x slower
2763             get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
2764                                                             4.1364+-0.0841            4.0872+-0.0925          might be 1.0120x faster
2765             put-by-val-with-symbol                         11.3709+-0.0223           11.3613+-0.0264
2766             get-by-val-with-symbol-proto-or-self           11.8984+-0.0706     ?     11.9030+-0.0787        ?
2767             polymorphic-put-by-val-with-symbol             31.4176+-0.0558           31.3825+-0.0447
2768             implicit-bigswitch-indirect-symbol             61.3115+-0.6577     ^     58.0098+-0.1212        ^ definitely 1.0569x faster
2769             get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
2770                                                             3.3139+-0.0565     ^      2.9947+-0.0732        ^ definitely 1.1066x faster
2771             get-by-val-with-symbol-chain-from-try-block
2772                                                             2.2316+-0.0179            2.2137+-0.0210
2773             get-by-val-with-symbol-bimorphic-check-structure-elimination
2774                                                            10.6031+-0.2216     ^     10.0939+-0.1977        ^ definitely 1.0504x faster
2775             get-by-val-with-symbol-check-structure-elimination
2776                                                             8.5576+-0.1521     ^      7.7107+-0.1308        ^ definitely 1.1098x faster
2777             put-by-val-with-symbol-slightly-polymorphic
2778                                                             3.1957+-0.0538     ^      2.9181+-0.0708        ^ definitely 1.0951x faster
2779             put-by-val-with-symbol-replace-and-transition
2780                                                            11.8253+-0.0757     ^     11.6590+-0.0351        ^ definitely 1.0143x faster
2781
2782             <geometric>                                    13.3911+-0.0527     ^     12.7376+-0.0457        ^ definitely 1.0513x faster
2783
2784         * bytecode/ByValInfo.h:
2785         * bytecode/CodeBlock.cpp:
2786         (JSC::CodeBlock::stronglyVisitStrongReferences):
2787         * dfg/DFGAbstractInterpreterInlines.h:
2788         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2789         * dfg/DFGByteCodeParser.cpp:
2790         (JSC::DFG::ByteCodeParser::parseBlock):
2791         * dfg/DFGClobberize.h:
2792         (JSC::DFG::clobberize):
2793         * dfg/DFGConstantFoldingPhase.cpp:
2794         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2795         * dfg/DFGDoesGC.cpp:
2796         (JSC::DFG::doesGC):
2797         * dfg/DFGFixupPhase.cpp:
2798         (JSC::DFG::FixupPhase::fixupNode):
2799         * dfg/DFGNode.h:
2800         (JSC::DFG::Node::hasUidOperand):
2801         * dfg/DFGNodeType.h:
2802         * dfg/DFGPredictionPropagationPhase.cpp:
2803         * dfg/DFGSafeToExecute.h:
2804         (JSC::DFG::safeToExecute):
2805         * dfg/DFGSpeculativeJIT.cpp:
2806         (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
2807         (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
2808         (JSC::DFG::SpeculativeJIT::compileCheckStringIdent):
2809         (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols): Deleted.
2810         (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
2811         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
2812         * dfg/DFGSpeculativeJIT.h:
2813         * dfg/DFGSpeculativeJIT32_64.cpp:
2814         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2815         (JSC::DFG::SpeculativeJIT::compile):
2816         * dfg/DFGSpeculativeJIT64.cpp:
2817         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2818         (JSC::DFG::SpeculativeJIT::compile):
2819         * ftl/FTLAbstractHeapRepository.h:
2820         * ftl/FTLCapabilities.cpp:
2821         (JSC::FTL::canCompile):
2822         * ftl/FTLLowerDFGToB3.cpp:
2823         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2824         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
2825         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2826         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): Deleted.
2827         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID): Deleted.
2828         * jit/JIT.h:
2829         * jit/JITOperations.cpp:
2830         (JSC::tryGetByValOptimize):
2831         * jit/JITPropertyAccess.cpp:
2832         (JSC::JIT::emitGetByValWithCachedId):
2833         (JSC::JIT::emitPutByValWithCachedId):
2834         (JSC::JIT::emitByValIdentifierCheck):
2835         (JSC::JIT::privateCompileGetByValWithCachedId):
2836         (JSC::JIT::privateCompilePutByValWithCachedId):
2837         (JSC::JIT::emitIdentifierCheck): Deleted.
2838         * jit/JITPropertyAccess32_64.cpp:
2839         (JSC::JIT::emitGetByValWithCachedId):
2840         (JSC::JIT::emitPutByValWithCachedId):
2841         * runtime/JSCJSValue.cpp:
2842         (JSC::JSValue::dumpInContextAssumingStructure):
2843         * runtime/JSCJSValueInlines.h:
2844         (JSC::JSValue::equalSlowCaseInline):
2845         (JSC::JSValue::strictEqualSlowCaseInline): Deleted.
2846         * runtime/JSFunction.cpp:
2847         (JSC::JSFunction::setFunctionName):
2848         * runtime/MapData.h:
2849         * runtime/MapDataInlines.h:
2850         (JSC::JSIterator>::clear): Deleted.
2851         (JSC::JSIterator>::find): Deleted.
2852         (JSC::JSIterator>::add): Deleted.
2853         (JSC::JSIterator>::remove): Deleted.
2854         (JSC::JSIterator>::replaceAndPackBackingStore): Deleted.
2855         * runtime/Symbol.cpp:
2856         (JSC::Symbol::finishCreation):
2857         (JSC::Symbol::create):
2858         * runtime/Symbol.h:
2859         * runtime/VM.cpp:
2860         (JSC::VM::VM):
2861         * runtime/VM.h:
2862         * tests/stress/symbol-equality-over-gc.js: Added.
2863         (shouldBe):
2864         (test):
2865
2866 2016-07-28  Mark Lam  <mark.lam@apple.com>
2867
2868         ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string.
2869         https://bugs.webkit.org/show_bug.cgi?id=160324
2870         <rdar://problem/27389572>
2871
2872         Reviewed by Keith Miller.
2873
2874         The issue is that errorProtoFuncToString() was using jsNontrivialString() to
2875         generate the error string even when the name string can be a single character
2876         string.  This is incorrect.  We should be using jsString() instead.
2877
2878         * runtime/ErrorPrototype.cpp:
2879         (JSC::errorProtoFuncToString):
2880         * tests/stress/errors-with-simple-names-or-messages-should-not-crash-toString.js: Added.
2881
2882 2016-07-28  Michael Saboff  <msaboff@apple.com>
2883
2884         ARM64: Fused left shift with a right shift can create NaNs from integers
2885         https://bugs.webkit.org/show_bug.cgi?id=160329
2886
2887         Reviewed by Geoffrey Garen.
2888
2889         When we fuse a left shift and a right shift of integers where the shift amounts
2890         are the same and the size of the quantity being shifted is 8 bits, we rightly
2891         generate a sign extend byte instruction.  On ARM64, we were sign extending
2892         to a 64 bit quantity, when we really wanted to sign extend to a 32 bit quantity.
2893
2894         Checking the ARM64 macro assembler and we were extending to 64 bits for all
2895         four combinations of zero / sign and 8 / 16 bits.
2896         
2897         * assembler/MacroAssemblerARM64.h:
2898         (JSC::MacroAssemblerARM64::zeroExtend16To32):
2899         (JSC::MacroAssemblerARM64::signExtend16To32):
2900         (JSC::MacroAssemblerARM64::zeroExtend8To32):
2901         (JSC::MacroAssemblerARM64::signExtend8To32):
2902         * tests/stress/regress-160329.js: New test added.
2903         (narrow):
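
The distinction the entry draws is between extending the low byte or halfword to a 32-bit result (upper half of the register zero) and extending it to a 64-bit result (upper half all ones for negative inputs). The following is an added example, not JSC's MacroAssemblerARM64 code: the two extension variants modelled in plain C++, the JavaScript shift identity the fusion starts from, and an assumed boxed-integer layout (the tag constants and box/unbox helpers are assumptions for illustration, not JSC's actual encoding) showing how stale upper bits make a boxed integer stop looking like an integer.

```cpp
#include <cstdint>

// Model of the two ways a macro assembler can implement "sign-extend the low
// 8 or 16 bits of a register". On AArch64, writing a w-register zeroes the top
// half of the x-register, which is what the 32-bit variants below rely on.
// These helpers are this example's own; they are not JSC's MacroAssemblerARM64 code.

// Correct: extend to 32 bits; bits 32..63 of the result are zero.
uint64_t signExtendTo32(uint64_t reg, unsigned bits) {
    uint32_t low = static_cast<uint32_t>(reg) & ((1u << bits) - 1);
    uint32_t signBit = 1u << (bits - 1);
    uint32_t extended = (low ^ signBit) - signBit;   // branch-free sign extension
    return extended;                                  // zero-extended into the 64-bit result
}

// The bug the entry describes: extend to 64 bits, so negative inputs fill bits 32..63.
uint64_t signExtendTo64(uint64_t reg, unsigned bits) {
    uint64_t low = reg & ((1ull << bits) - 1);
    uint64_t signBit = 1ull << (bits - 1);
    return (low ^ signBit) - signBit;
}

uint64_t zeroExtendTo32(uint64_t reg, unsigned bits) {
    return static_cast<uint32_t>(reg) & ((1u << bits) - 1);
}

// Reference semantics of the JavaScript source the fusion starts from:
// (x << (32 - bits)) >> (32 - bits) on an int32. The result is always 32 bits wide.
int32_t fusedShiftReference(int32_t x, unsigned bits) {
    unsigned shift = 32 - bits;
    uint32_t shiftedLeft = static_cast<uint32_t>(x) << shift;   // unsigned to avoid UB on overflow
    return static_cast<int32_t>(shiftedLeft) >> shift;         // arithmetic right shift
}

// Assumed boxed-integer layout, only to show why the upper bits matter: a tag in
// the high 32 bits, the int32 payload in the low 32 bits. A JIT that ORs the tag
// into a register whose upper half is already 0xFFFFFFFF produces a word the
// unboxer no longer recognises as an integer. This layout is an assumption, not
// JSC's actual encoding.
constexpr uint64_t kInt32Tag = 0xFFFF000000000000ull;
constexpr uint64_t kTagMask  = 0xFFFFFFFF00000000ull;

uint64_t boxInt32Register(uint64_t reg) { return kInt32Tag | reg; }
bool isBoxedInt32(uint64_t boxed) { return (boxed & kTagMask) == kInt32Tag; }
int32_t unboxInt32(uint64_t boxed) { return static_cast<int32_t>(static_cast<uint32_t>(boxed)); }
```

The regression test named in the entry exercises exactly the negative-input case: for a non-negative byte both extensions agree, so a test suite that only narrows positive values would never see the difference.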
2904
2905 2016-07-28  Mark Lam  <mark.lam@apple.com>
2906
2907         StringView should have an explicit m_is8Bit field.
2908         https://bugs.webkit.org/show_bug.cgi?id=160282
2909         <rdar://problem/27327943>
2910
2911         Reviewed by Benjamin Poulain.
2912
2913         * tests/stress/string-joining-long-strings-should-not-crash.js: Added.
2914         (catch):
2915
2916 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2917
2918         [ARM] Typo fix after r121885
2919         https://bugs.webkit.org/show_bug.cgi?id=160288
2920
2921         Reviewed by Zoltan Herczeg.
2922
2923         * assembler/MacroAssemblerARM.h:
2924         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
2925
2926 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2927
2928         64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214
2929         https://bugs.webkit.org/show_bug.cgi?id=159711
2930
2931         Reviewed by Mark Lam.
2932
2933         * assembler/ARMAssembler.cpp:
2934         (JSC::ARMAssembler::prepareExecutableCopy):
2935
2936 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2937
2938         [JSC] Remove some unused code from FTL
2939         https://bugs.webkit.org/show_bug.cgi?id=160285
2940
2941         Reviewed by Mark Lam.
2942
2943         All the liveness and swapping is done inside B3,
2944         this code is no longer needed.
2945
2946         * dfg/DFGEdge.h:
2947         (JSC::DFG::Edge::doesNotKill): Deleted.
2948         * ftl/FTLLowerDFGToB3.cpp:
2949         (JSC::FTL::DFG::LowerDFGToB3::doesKill): Deleted.
2950
2951 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2952
2953         [JSC] DFG::Node should not have its own allocator
2954         https://bugs.webkit.org/show_bug.cgi?id=160098
2955
2956         Reviewed by Geoffrey Garen.
2957
2958         We need some design changes for DFG::Node:
2959         -Accessing the index must be fast. B3 uses indices for sets
2960          and maps, it is a lot faster than hashing pointers.
2961         -We should be able to subclass DFG::Node to specialize it.
2962
2963         * CMakeLists.txt:
2964         * JavaScriptCore.xcodeproj/project.pbxproj:
2965         * dfg/DFGAllocator.h: Removed.
2966         (JSC::DFG::Allocator::Region::size): Deleted.
2967         (JSC::DFG::Allocator::Region::headerSize): Deleted.
2968         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
2969         (JSC::DFG::Allocator::Region::data): Deleted.
2970         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
2971         (JSC::DFG::Allocator::Region::regionFor): Deleted.
2972         (JSC::DFG::Allocator<T>::Allocator): Deleted.
2973         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
2974         (JSC::DFG::Allocator<T>::allocate): Deleted.
2975         (JSC::DFG::Allocator<T>::free): Deleted.
2976         (JSC::DFG::Allocator<T>::freeAll): Deleted.
2977         (JSC::DFG::Allocator<T>::reset): Deleted.
2978         (JSC::DFG::Allocator<T>::indexOf): Deleted.
2979         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
2980         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
2981         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
2982         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
2983         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
2984         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
2985         * dfg/DFGByteCodeParser.cpp:
2986         (JSC::DFG::ByteCodeParser::addToGraph):
2987         * dfg/DFGCPSRethreadingPhase.cpp:
2988         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
2989         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
2990         * dfg/DFGCleanUpPhase.cpp:
2991         (JSC::DFG::CleanUpPhase::run):
2992         * dfg/DFGConstantFoldingPhase.cpp:
2993         (JSC::DFG::ConstantFoldingPhase::run):
2994         * dfg/DFGConstantHoistingPhase.cpp:
2995         * dfg/DFGDCEPhase.cpp:
2996         (JSC::DFG::DCEPhase::fixupBlock):
2997         * dfg/DFGDriver.cpp:
2998         (JSC::DFG::compileImpl):
2999         * dfg/DFGGraph.cpp:
3000         (JSC::DFG::Graph::Graph):
3001         (JSC::DFG::Graph::deleteNode):
3002         (JSC::DFG::Graph::killBlockAndItsContents):
3003         (JSC::DFG::Graph::~Graph): Deleted.
3004         * dfg/DFGGraph.h:
3005         (JSC::DFG::Graph::addNode):
3006         * dfg/DFGLICMPhase.cpp:
3007         (JSC::DFG::LICMPhase::attemptHoist):
3008         * dfg/DFGLongLivedState.cpp: Removed.
3009         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
3010         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
3011         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
3012         * dfg/DFGLongLivedState.h: Removed.
3013         * dfg/DFGNode.cpp:
3014         (JSC::DFG::Node::index): Deleted.
3015         * dfg/DFGNode.h:
3016         (JSC::DFG::Node::index):
3017         * dfg/DFGNodeAllocator.h: Removed.
3018         (operator new ): Deleted.
3019         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3020         * dfg/DFGPlan.cpp:
3021         (JSC::DFG::Plan::compileInThread):
3022         (JSC::DFG::Plan::compileInThreadImpl):
3023         * dfg/DFGPlan.h:
3024         * dfg/DFGSSAConversionPhase.cpp:
3025         (JSC::DFG::SSAConversionPhase::run):
3026         * dfg/DFGWorklist.cpp:
3027         (JSC::DFG::Worklist::runThread):
3028         * runtime/VM.cpp:
3029         (JSC::VM::VM): Deleted.
3030         * runtime/VM.h:
3031
3032 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
3033
3034         [JSC] Fix a bunch of use-after-free of DFG::Node
3035         https://bugs.webkit.org/show_bug.cgi?id=160228
3036
3037         Reviewed by Mark Lam.
3038
3039         FTL had a few places where we use a node after it has been
3040         deleted. The dangling pointers come from the SSA liveness information
3041         kept on the basic blocks.
3042
3043         This patch fixes the issues I could find and adds liveness invalidation
3044         to help finding dependencies like these.
3045
3046         * dfg/DFGBasicBlock.h:
3047         (JSC::DFG::BasicBlock::SSAData::invalidate):
3048
3049         * dfg/DFGConstantFoldingPhase.cpp:
3050         (JSC::DFG::ConstantFoldingPhase::run):
3051         Constant folding phase was deleting nodes in the loop over basic blocks.
3052         The problem is the deleted nodes can be referenced by other blocks.
3053         When the abstract interpreter was manipulating the abstract values of those
3054         it was doing so on the dead nodes.
3055
3056         * dfg/DFGConstantHoistingPhase.cpp:
3057         Just invalidation. Nothing wrong here since the useless nodes were
3058         kept live while iterating the blocks.
3059
3060         * dfg/DFGGraph.cpp:
3061         (JSC::DFG::Graph::killBlockAndItsContents):
3062         (JSC::DFG::Graph::killUnreachableBlocks):
3063         (JSC::DFG::Graph::invalidateNodeLiveness):
3064
3065         * dfg/DFGGraph.h:
3066         * dfg/DFGPlan.cpp:
3067         (JSC::DFG::Plan::compileInThreadImpl):
3068         We had a lot of use-after-free in LICM because we were using the stale
3069         live nodes deleted by previous phases.
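
The two fixes described above share one shape: do not free a node while a structure computed earlier (here the per-block SSA liveness sets) can still name it, and once nodes are freed, mark that structure invalid so a later phase cannot consult it by accident. The following is an added example, not JSC's DFG code: a toy graph (Node, BasicBlock, Graph and the fold functions are this example's own names) in which deletion is simulated by a flag so a read of a deleted node can be counted rather than crashing, with the eager-deletion shape beside the deferred-deletion-plus-invalidation shape.

```cpp
#include <vector>

// Toy IR for illustration; names and layout are assumptions, not JSC's DFG classes.
struct Node {
    unsigned index;
    bool foldable;   // a constant the folding phase will replace and delete
    bool deleted;
};

struct BasicBlock {
    std::vector<unsigned> nodes;       // node indices defined in this block
    std::vector<unsigned> liveAtHead;  // SSA liveness: may name nodes defined in other blocks
    bool livenessValid;
};

struct Graph {
    std::vector<Node> nodes;           // index == position; deletion marks rather than erases
    std::vector<BasicBlock> blocks;
    unsigned danglingReads = 0;        // a read of a deleted node (a use-after-free in real code)

    const Node& at(unsigned i) {
        if (nodes[i].deleted)
            ++danglingReads;
        return nodes[i];
    }
    void deleteNode(unsigned i) { nodes[i].deleted = true; }
};

// Stand-in for the abstract interpreter: it touches every node live at the head of a block.
static void interpretBlock(Graph& g, BasicBlock& b) {
    for (unsigned i : b.liveAtHead)
        (void)g.at(i);
}

// Buggy shape: fold and delete while still iterating blocks whose liveness sets
// may name the node just deleted.
unsigned foldEagerly(Graph& g) {
    g.danglingReads = 0;
    for (BasicBlock& b : g.blocks) {
        interpretBlock(g, b);
        for (unsigned i : b.nodes)
            if (g.nodes[i].foldable)
                g.deleteNode(i);
    }
    return g.danglingReads;
}

// Fixed shape: do the per-block work first, collect victims, delete after the
// loop, then invalidate liveness so no later phase trusts the stale sets.
unsigned foldDeferred(Graph& g) {
    g.danglingReads = 0;
    std::vector<unsigned> victims;
    for (BasicBlock& b : g.blocks) {
        interpretBlock(g, b);
        for (unsigned i : b.nodes)
            if (g.nodes[i].foldable)
                victims.push_back(i);
    }
    for (unsigned i : victims)
        g.deleteNode(i);
    for (BasicBlock& b : g.blocks) {
        b.liveAtHead.clear();
        b.livenessValid = false;   // consumers must recompute before reading
    }
    return g.danglingReads;
}

// Constructed sample: block 0 defines node 0 (foldable); block 1 lists node 0 as live at its head.
Graph makeSampleGraph() {
    Graph g;
    g.nodes = { {0, true, false}, {1, false, false}, {2, false, false} };
    g.blocks = { { {0, 1}, {}, true }, { {2}, {0}, true } };
    return g;
}

unsigned danglingReadsWhenFoldingEagerly() { Graph g = makeSampleGraph(); return foldEagerly(g); }
unsigned danglingReadsWhenFoldingDeferred() { Graph g = makeSampleGraph(); return foldDeferred(g); }
bool deferredFoldInvalidatesLiveness() {
    Graph g = makeSampleGraph();
    foldDeferred(g);
    return g.nodes[0].deleted && !g.blocks[1].livenessValid && g.blocks[1].liveAtHead.empty();
}
```

In a real compiler the flag-based `at()` is what a debug-only assertion on a freed-node bitmap would give you; the invalidation step is the part that turns a silent stale read in a later phase into a loud failure at the point where liveness is first consulted.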
3070
3071 2016-07-27  Keith Miller  <keith_miller@apple.com>
3072
3073         concatAppendOne should allocate using the indexing type of the array if it cannot merge
3074         https://bugs.webkit.org/show_bug.cgi?id=160261
3075         <rdar://problem/27530122>
3076
3077         Reviewed by Mark Lam.
3078
3079         Before, if we could not merge the indexing types for copying, we would allocate the
3080         array as ArrayWithUndecided. Instead, we should allocate an array with the original
3081         array's indexing type.
3082
3083         * runtime/ArrayPrototype.cpp:
3084         (JSC::concatAppendOne):
3085         * tests/stress/concat-append-one-with-sparse-array.js: Added.
3086
3087 2016-07-27  Saam Barati  <sbarati@apple.com>
3088
3089         We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
3090         https://bugs.webkit.org/show_bug.cgi?id=160211
3091         <rdar://problem/27572612>
3092
3093         Reviewed by Geoffrey Garen.
3094
3095         The fast for-in iteration mode assumes all inline/out-of-line properties
3096         can be iterated in linear order. This is not true if we have Symbols
3097         because Symbols should not be iterated by for-in.
3098
3099         * runtime/Structure.cpp:
3100         (JSC::Structure::add):
3101         * tests/stress/symbol-should-not-break-for-in.js: Added.
3102         (assert):
3103         (foo):
3104
3105 2016-07-27  Mark Lam  <mark.lam@apple.com>
3106
3107         The second argument for Function.prototype.apply should be array-like or null/undefined.
3108         https://bugs.webkit.org/show_bug.cgi?id=160212
3109         <rdar://problem/27328525>
3110
3111         Reviewed by Filip Pizlo.
3112
3113         The spec for Function.prototype.apply says its second argument can only be null,
3114         undefined, or must be array-like.  See
3115         https://tc39.github.io/ecma262/#sec-function.prototype.apply and
3116         https://tc39.github.io/ecma262/#sec-createlistfromarraylike.
3117
3118         Our previous implementation was not handling this correctly for SymbolType.
3119         This is now fixed.
3120
3121         * interpreter/Interpreter.cpp:
3122         (JSC::sizeOfVarargs):
3123         * tests/stress/apply-second-argument-must-be-array-like.js: Added.
3124
3125 2016-07-27  Saam Barati  <sbarati@apple.com>
3126
3127         MathICs should be able to emit only a jump along the inline path when they don't have any type data
3128         https://bugs.webkit.org/show_bug.cgi?id=160110
3129
3130         Reviewed by Mark Lam.
3131
3132         This patch allows for MathIC fast-path generation to be delayed.
3133         We delay when we don't see any observed type information for
3134         the lhs/rhs operand, which implies that the MathIC has never
3135         executed. This is profitable for two main reasons:
3136         1. If the math operation never executes, we emit much less code.
3137         2. Once we get type information for the lhs/rhs, we can emit better code.
3138
3139         To implement this, we just emit a jump to the slow path call
3140         that will repatch on first execution.
3141
3142         New data for add:
3143                    |   JetStream  |  Unity 3D  |
3144              ------| -------------|--------------
3145               Old  |   148 bytes  |  143 bytes |
3146              ------| -------------|--------------
3147               New  |   116  bytes |  113 bytes |
3148              ------------------------------------
3149
3150         New data for mul:
3151                    |   JetStream  |  Unity 3D  |
3152              ------| -------------|--------------
3153               Old  |   210 bytes  |  185 bytes |
3154              ------| -------------|--------------
3155               New  |   170  bytes |  137 bytes |
3156              ------------------------------------
3157
3158         * jit/JITAddGenerator.cpp:
3159         (JSC::JITAddGenerator::generateInline):
3160         * jit/JITAddGenerator.h:
3161         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3162         (JSC::JITAddGenerator::isRightOperandValidConstant):
3163         (JSC::JITAddGenerator::arithProfile):
3164         * jit/JITMathIC.h:
3165         (JSC::JITMathIC::generateInline):
3166         (JSC::JITMathIC::generateOutOfLine):
3167         (JSC::JITMathIC::finalizeInlineCode):
3168         * jit/JITMathICInlineResult.h:
3169         * jit/JITMulGenerator.cpp:
3170         (JSC::JITMulGenerator::generateInline):
3171         * jit/JITMulGenerator.h:
3172         (JSC::JITMulGenerator::isLeftOperandValidConstant):
3173         (JSC::JITMulGenerator::isRightOperandValidConstant):
3174         (JSC::JITMulGenerator::arithProfile):
3175         * jit/JITOperations.cpp:
3176
3177 2016-07-26  Saam Barati  <sbarati@apple.com>
3178
3179         rollout r203666
3180         https://bugs.webkit.org/show_bug.cgi?id=160226
3181
3182         Unreviewed rollout.
3183
3184         * b3/B3BasicBlock.h:
3185         (JSC::B3::BasicBlock::successorBlock):
3186         * b3/B3LowerToAir.cpp:
3187         (JSC::B3::Air::LowerToAir::createGenericCompare):
3188         * b3/B3LowerToAir.h:
3189         * b3/air/AirArg.cpp:
3190         (JSC::B3::Air::Arg::isRepresentableAs):
3191         (JSC::B3::Air::Arg::usesTmp):
3192         * b3/air/AirArg.h:
3193         (JSC::B3::Air::Arg::isRepresentableAs):
3194         (JSC::B3::Air::Arg::asNumber):
3195         (JSC::B3::Air::Arg::castToType): Deleted.
3196         * b3/air/AirCode.h:
3197         (JSC::B3::Air::Code::size):
3198         (JSC::B3::Air::Code::at):
3199         * b3/air/AirOpcode.opcodes:
3200         * b3/air/AirValidate.h:
3201         * b3/air/opcode_generator.rb:
3202         * b3/testb3.cpp:
3203         (JSC::B3::compileAndRun):
3204         (JSC::B3::testSomeEarlyRegister):
3205         (JSC::B3::zero):
3206         (JSC::B3::run):
3207         (JSC::B3::lowerToAirForTesting): Deleted.
3208         (JSC::B3::testBranchBitAndImmFusion): Deleted.
3209
3210 2016-07-26  Caitlin Potter  <caitp@igalia.com>
3211
3212         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
3213         https://bugs.webkit.org/show_bug.cgi?id=159409
3214
3215         Reviewed by Geoffrey Garen.
3216
3217         * runtime/ObjectConstructor.cpp:
3218         (JSC::objectConstructorGetOwnPropertyDescriptors):
3219         * tests/es6.yaml:
3220         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
3221         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
3222         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
3223         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
3224         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
3225
3226 2016-07-26  Mark Lam  <mark.lam@apple.com>
3227
3228         Remove unused DEBUG_WITH_BREAKPOINT configuration.
3229         https://bugs.webkit.org/show_bug.cgi?id=160203
3230
3231         Reviewed by Keith Miller.
3232
3233         * bytecompiler/BytecodeGenerator.cpp:
3234         (JSC::BytecodeGenerator::emitDebugHook):
3235
3236 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
3237
3238         Unreviewed, rolling out r203703.
3239
3240         It breaks some internal tests
3241
3242         Reverted changeset:
3243
3244         "[JSC] DFG::Node should not have its own allocator"
3245         https://bugs.webkit.org/show_bug.cgi?id=160098
3246         http://trac.webkit.org/changeset/203703
3247
3248 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
3249
3250         [JSC] DFG::Node should not have its own allocator
3251         https://bugs.webkit.org/show_bug.cgi?id=160098
3252
3253         Reviewed by Geoffrey Garen.
3254
3255         We need some design changes for DFG::Node:
3256         -Accessing the index must be fast. B3 uses indices for sets
3257          and maps, it is a lot faster than hashing pointers.
3258         -We should be able to subclass DFG::Node to specialize it.
3259
3260         * CMakeLists.txt:
3261         * JavaScriptCore.xcodeproj/project.pbxproj:
3262         * dfg/DFGAllocator.h: Removed.
3263         (JSC::DFG::Allocator::Region::size): Deleted.
3264         (JSC::DFG::Allocator::Region::headerSize): Deleted.
3265         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
3266         (JSC::DFG::Allocator::Region::data): Deleted.
3267         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
3268         (JSC::DFG::Allocator::Region::regionFor): Deleted.
3269         (JSC::DFG::Allocator<T>::Allocator): Deleted.
3270         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
3271         (JSC::DFG::Allocator<T>::allocate): Deleted.
3272         (JSC::DFG::Allocator<T>::free): Deleted.
3273         (JSC::DFG::Allocator<T>::freeAll): Deleted.
3274         (JSC::DFG::Allocator<T>::reset): Deleted.
3275         (JSC::DFG::Allocator<T>::indexOf): Deleted.
3276         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
3277         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
3278         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
3279         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
3280         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
3281         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
3282         * dfg/DFGByteCodeParser.cpp:
3283         (JSC::DFG::ByteCodeParser::addToGraph):
3284         * dfg/DFGCPSRethreadingPhase.cpp:
3285         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3286         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
3287         * dfg/DFGCleanUpPhase.cpp:
3288         (JSC::DFG::CleanUpPhase::run):
3289         * dfg/DFGConstantFoldingPhase.cpp:
3290         (JSC::DFG::ConstantFoldingPhase::run):
3291         * dfg/DFGConstantHoistingPhase.cpp:
3292         * dfg/DFGDCEPhase.cpp:
3293         (JSC::DFG::DCEPhase::fixupBlock):
3294         * dfg/DFGDriver.cpp:
3295         (JSC::DFG::compileImpl):
3296         * dfg/DFGGraph.cpp:
3297         (JSC::DFG::Graph::Graph):
3298         (JSC::DFG::Graph::deleteNode):
3299         (JSC::DFG::Graph::killBlockAndItsContents):
3300         (JSC::DFG::Graph::~Graph): Deleted.
3301         * dfg/DFGGraph.h:
3302         (JSC::DFG::Graph::addNode):
3303         * dfg/DFGLICMPhase.cpp:
3304         (JSC::DFG::LICMPhase::attemptHoist):
3305         * dfg/DFGLongLivedState.cpp: Removed.
3306         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
3307         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
3308         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
3309         * dfg/DFGLongLivedState.h: Removed.
3310         * dfg/DFGNode.cpp:
3311         (JSC::DFG::Node::index): Deleted.
3312         * dfg/DFGNode.h:
3313         (JSC::DFG::Node::index):
3314         * dfg/DFGNodeAllocator.h: Removed.
3315         (operator new ): Deleted.
3316         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3317         * dfg/DFGPlan.cpp:
3318         (JSC::DFG::Plan::compileInThread):
3319         (JSC::DFG::Plan::compileInThreadImpl):
3320         * dfg/DFGPlan.h:
3321         * dfg/DFGSSAConversionPhase.cpp:
3322         (JSC::DFG::SSAConversionPhase::run):
3323         * dfg/DFGWorklist.cpp:
3324         (JSC::DFG::Worklist::runThread):
3325         * runtime/VM.cpp:
3326         (JSC::VM::VM): Deleted.
3327         * runtime/VM.h:
3328
3329 2016-07-25  Filip Pizlo  <fpizlo@apple.com>
3330
3331         AssemblyHelpers should own all of the cell allocation methods
3332         https://bugs.webkit.org/show_bug.cgi?id=160171
3333
3334         Reviewed by Saam Barati.
3335         
3336         Prior to this change we had some code in DFGSpeculativeJIT.h and some code in JIT.h that
3337         did cell allocation.
3338         
3339         This change moves all of that code into AssemblyHelpers.h.
3340
3341         * dfg/DFGSpeculativeJIT.h:
3342         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
3343         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3344         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
3345         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
3346         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
3347         * jit/AssemblyHelpers.h:
3348         (JSC::AssemblyHelpers::emitAllocate):
3349         (JSC::AssemblyHelpers::emitAllocateJSCell):
3350         (JSC::AssemblyHelpers::emitAllocateJSObject):
3351         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3352         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3353         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
3354         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
3355         * jit/JIT.h:
3356         * jit/JITInlines.h:
3357         (JSC::JIT::isOperandConstantChar):
3358         (JSC::JIT::emitValueProfilingSite):
3359         (JSC::JIT::emitAllocateJSObject): Deleted.
3360         * jit/JITOpcodes.cpp:
3361         (JSC::JIT::emit_op_new_object):
3362         (JSC::JIT::emit_op_create_this):
3363         * jit/JITOpcodes32_64.cpp:
3364         (JSC::JIT::emit_op_new_object):
3365         (JSC::JIT::emit_op_create_this):
3366
3367 2016-07-25  Saam Barati  <sbarati@apple.com>
3368
3369         MathICs should be able to take and dump stats about code size
3370         https://bugs.webkit.org/show_bug.cgi?id=160148
3371
3372         Reviewed by Filip Pizlo.
3373
3374         This will make testing changes on MathIC going forward much easier.
3375         We will be able to easily see if modifications to MathIC will lead
3376         to us generating smaller code. We now only dump average size when we
3377         regenerate any MathIC. This works out for large tests/pages, but is not
3378         great for testing small programs. We can add more dump points later if
3379         we find that we want to dump stats while running small programs.
3380
3381         * bytecode/CodeBlock.cpp:
3382         (JSC::CodeBlock::jitSoon):
3383         (JSC::CodeBlock::dumpMathICStats):
3384         * bytecode/CodeBlock.h:
3385         (JSC::CodeBlock::isStrictMode):
3386         (JSC::CodeBlock::ecmaMode):
3387         * dfg/DFGSpeculativeJIT.cpp:
3388         (JSC::DFG::SpeculativeJIT::compileMathIC):
3389         * ftl/FTLLowerDFGToB3.cpp:
3390         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
3391         * jit/JITArithmetic.cpp:
3392         (JSC::JIT::emitMathICFast):
3393         (JSC::JIT::emitMathICSlow):
3394         * jit/JITMathIC.h:
3395         (JSC::JITMathIC::finalizeInlineCode):
3396         (JSC::JITMathIC::codeSize):
3397         * jit/JITOperations.cpp:
3398
3399 2016-07-25  Saam Barati  <sbarati@apple.com>
3400
3401         op_mul/ArithMul(Untyped,Untyped) should be an IC
3402         https://bugs.webkit.org/show_bug.cgi?id=160108
3403
3404         Reviewed by Mark Lam.
3405
3406         This patch makes Mul a type-based IC in much the same way that we made
3407         Add a type-based IC. I implemented Mul in the same way. I abstracted the
3408         implementation of the Add IC in the various JITs to allow for it to
3409         work over arbitrary IC snippets. This will make adding Div/Sub/Pow in the
3410         future easy. This patch also adds a new boolean argument to the various
3411         snippet generateFastPath() methods to indicate if we should emit result profiling.
3412         I added this because we want this profiling to be emitted for Mul in
3413         the baseline, but not in the DFG. We used to indicate this through passing
3414         in a nullptr for the ArithProfile, but we no longer do that in the upper
3415         JIT tiers. So we are passing an explicit request from the JIT tier about
3416         whether or not it's worth it for the IC to emit profiling.
3417
3418         We now emit much less code for Mul. Here is some data on the average
3419         Mul snippet/IC size:
3420
3421                    |  JetStream  |  Unity 3D  |
3422              ------|-------------|------------|
3423               Old  |  ~280 bytes | ~280 bytes |
3424              ------|-------------|------------|
3425               New  |   210 bytes |  185 bytes |
3426              ------|-------------|------------|
3427
3428         * bytecode/CodeBlock.cpp:
3429         (JSC::CodeBlock::addJITAddIC):
3430         (JSC::CodeBlock::addJITMulIC):
3431         (JSC::CodeBlock::findStubInfo):
3432         * bytecode/CodeBlock.h:
3433         (JSC::CodeBlock::stubInfoBegin):
3434         (JSC::CodeBlock::stubInfoEnd):
3435         * dfg/DFGSpeculativeJIT.cpp:
3436         (JSC::DFG::GPRTemporary::adopt):
3437         (JSC::DFG::FPRTemporary::FPRTemporary):
3438         (JSC::DFG::SpeculativeJIT::compileValueAdd):
3439         (JSC::DFG::SpeculativeJIT::compileMathIC):
3440         (JSC::DFG::SpeculativeJIT::compileArithMul):
3441         * dfg/DFGSpeculativeJIT.h:
3442         (JSC::DFG::SpeculativeJIT::callOperation):
3443         (JSC::DFG::GPRTemporary::GPRTemporary):
3444         (JSC::DFG::GPRTemporary::operator=):
3445         (JSC::DFG::FPRTemporary::~FPRTemporary):
3446         (JSC::DFG::FPRTemporary::fpr):
3447         * ftl/FTLLowerDFGToB3.cpp:
3448         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
3449         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
3450         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
3451         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
3452         * jit/JIT.h:
3453         (JSC::JIT::getSlowCase):
3454         * jit/JITAddGenerator.cpp:
3455         (JSC::JITAddGenerator::generateInline):
3456         (JSC::JITAddGenerator::generateFastPath):
3457         * jit/JITAddGenerator.h:
3458         (JSC::JITAddGenerator::JITAddGenerator):
3459         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3460         (JSC::JITAddGenerator::isRightOperandValidConstant):
3461         * jit/JITArithmetic.cpp:
3462         (JSC::JIT::emit_op_add):
3463         (JSC::JIT::emitSlow_op_add):
3464         (JSC::JIT::emitMathICFast):
3465         (JSC::JIT::emitMathICSlow):
3466         (JSC::JIT::emit_op_mul):
3467         (JSC::JIT::emitSlow_op_mul):
3468         (JSC::JIT::emit_op_sub):
3469         * jit/JITInlines.h:
3470         (JSC::JIT::callOperation):
3471         * jit/JITMathIC.h:
3472         (JSC::JITMathIC::slowPathStartLocation):
3473         (JSC::JITMathIC::slowPathCallLocation):
3474         (JSC::JITMathIC::isLeftOperandValidConstant):
3475         (JSC::JITMathIC::isRightOperandValidConstant):
3476         (JSC::JITMathIC::generateInline):
3477         (JSC::JITMathIC::generateOutOfLine):
3478         * jit/JITMathICForwards.h:
3479         * jit/JITMulGenerator.cpp:
3480         (JSC::JITMulGenerator::generateInline):
3481         (JSC::JITMulGenerator::generateFastPath):
3482         * jit/JITMulGenerator.h:
3483         (JSC::JITMulGenerator::JITMulGenerator):
3484         (JSC::JITMulGenerator::isLeftOperandValidConstant):
3485         (JSC::JITMulGenerator::isRightOperandValidConstant):
3486         (JSC::JITMulGenerator::didEmitFastPath): Deleted.
3487         (JSC::JITMulGenerator::endJumpList): Deleted.
3488         (JSC::JITMulGenerator::slowPathJumpList): Deleted.
3489         * jit/JITOperations.cpp:
3490         * jit/JITOperations.h:
3491
3492 2016-07-25  Darin Adler  <darin@apple.com>
3493
3494         Speed up make process slightly by improving "list of files" idiom
3495         https://bugs.webkit.org/show_bug.cgi?id=160164
3496
3497         Reviewed by Mark Lam.
3498
3499         * DerivedSources.make: Change rules that build lists of files to only run when
3500         DerivedSources.make has been modified since the last time they were run. Since the
3501         lists of files are inside this file, this is safe, and this is faster than always
3502         comparing and regenerating the file containing the list of files each time.
3503
3504 2016-07-24  Youenn Fablet  <youenn@apple.com>
3505
3506         [Fetch API] Request should be created with any HeadersInit data
3507         https://bugs.webkit.org/show_bug.cgi?id=159672
3508
3509         Reviewed by Sam Weinig.
3510
3511         * Scripts/builtins/builtins_generator.py:
3512         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
3513
3514 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
3515
3516         B3 should support multiple entrypoints
3517         https://bugs.webkit.org/show_bug.cgi?id=159391
3518
3519         Reviewed by Saam Barati.
3520         
3521         This teaches B3 how to compile procedures with multiple entrypoints in the best way ever.
3522         
3523         Multiple entrypoints are useful. We could use them to reduce the cost of compiling OSR
3524         entrypoints. We could use them to implement better try/catch.
3525         
3526         Multiple entrypoints are hard to support. All of the code that assumed that the root block
3527         is the entrypoint would have to be changed. Transformations like moveConstants() would have
3528         to do crazy things if the existence of multiple entrypoints prevented it from finding a
3529         single common dominator.
3530         
3531         Therefore, we want to add multiple entrypoints without actually teaching the compiler that
3532         there is such a thing. That's sort of what this change does.
3533         
3534         This adds a new opcode to both B3 and Air called EntrySwitch. It's a terminal that takes
3535         one or more successors and no value children. The number of successors must match
3536         Procedure::numEntrypoints(), which could be arbitrarily large. The semantics of EntrySwitch
3537         are:
3538         
3539         - Each of the entrypoints sets a hidden Entry variable to that entrypoint's index and jumps
3540           to the procedure's root block.
3541         
3542         - An EntrySwitch is a switch statement over this hidden Entry variable.
3543         
3544         The way that we actually implement this is that Air has a very late phase - after all
3545         register and stack layout - that clones all code where the Entry variable is live; i.e. all
3546         code in the closure over predecessors of all blocks that do EntrySwitch.
3547         
3548         Usually, you would use this by creating an EntrySwitch in the root block, but you don't
3549         have to do that. Just remember that the code before EntrySwitch gets cloned for each
3550         entrypoint. We allow cloning of an arbitrarily large amount of code because restricting it,
3551         and so restricting the placement of EntrySwitches, would be inelegant. It would be hard to
3552         preserve this invariant. For example we wouldn't be able to lower any value before an
3553         EntrySwitch to a control flow diamond.
3554         
3555         This patch gives us an easy-to-use way to use B3 to compile code with multiple entrypoints.
3556         Inside the compiler, only code that runs very late in Air has to know about this feature.
3557         We get the best of both worlds!
3558         
3559         Also, I finally got rid of the requirement that you explicitly cast BasicBlock* to
3560         FrequentedBlock. I can no longer remember why I thought that was a good idea. Removing it
3561         doesn't cause any problems and it makes code easier to write.
3562
3563         * CMakeLists.txt:
3564         * JavaScriptCore.xcodeproj/project.pbxproj:
3565         * b3/B3BasicBlockUtils.h:
3566         (JSC::B3::updatePredecessorsAfter):
3567         (JSC::B3::clearPredecessors):
3568         (JSC::B3::recomputePredecessors):
3569         * b3/B3FrequencyClass.h:
3570         (JSC::B3::maxFrequency):
3571         * b3/B3Generate.h:
3572         * b3/B3LowerToAir.cpp:
3573         (JSC::B3::Air::LowerToAir::lower):
3574         * b3/B3MoveConstants.cpp:
3575         * b3/B3Opcode.cpp:
3576         (WTF::printInternal):
3577         * b3/B3Opcode.h:
3578         * b3/B3Procedure.cpp:
3579         (JSC::B3::Procedure::isFastConstant):
3580         (JSC::B3::Procedure::entrypointLabel):
3581         (JSC::B3::Procedure::addDataSection):
3582         * b3/B3Procedure.h:
3583         (JSC::B3::Procedure::numEntrypoints):
3584         (JSC::B3::Procedure::setNumEntrypoints):
3585         (JSC::B3::Procedure::setLastPhaseName):
3586         * b3/B3Validate.cpp:
3587         * b3/B3Value.cpp:
3588         (JSC::B3::Value::effects):
3589         (JSC::B3::Value::typeFor):
3590         * b3/B3Value.h:
3591         * b3/air/AirCode.cpp:
3592         (JSC::B3::Air::Code::cCallSpecial):
3593         (JSC::B3::Air::Code::isEntrypoint):
3594         (JSC::B3::Air::Code::resetReachability):
3595         (JSC::B3::Air::Code::dump):
3596         * b3/air/AirCode.h:
3597         (JSC::B3::Air::Code::setFrameSize):
3598         (JSC::B3::Air::Code::numEntrypoints):
3599         (JSC::B3::Air::Code::entrypoints):
3600         (JSC::B3::Air::Code::entrypoint):
3601         (JSC::B3::Air::Code::setEntrypoints):
3602         (JSC::B3::Air::Code::entrypointLabel):
3603         (JSC::B3::Air::Code::setEntrypointLabels):
3604         (JSC::B3::Air::Code::calleeSaveRegisters):
3605         * b3/air/AirCustom.h:
3606         (JSC::B3::Air::PatchCustom::isTerminal):
3607         (JSC::B3::Air::PatchCustom::hasNonArgEffects):
3608         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
3609         (JSC::B3::Air::PatchCustom::generate):
3610         (JSC::B3::Air::CommonCustomBase::hasNonArgEffects):
3611         (JSC::B3::Air::CCallCustom::forEachArg):
3612         (JSC::B3::Air::ColdCCallCustom::forEachArg):
3613         (JSC::B3::Air::ShuffleCustom::forEachArg):
3614         (JSC::B3::Air::EntrySwitchCustom::forEachArg):
3615         (JSC::B3::Air::EntrySwitchCustom::isValidFormStatic):
3616         (JSC::B3::Air::EntrySwitchCustom::isValidForm):
3617         (JSC::B3::Air::EntrySwitchCustom::admitsStack):
3618         (JSC::B3::Air::EntrySwitchCustom::isTerminal):
3619         (JSC::B3::Air::EntrySwitchCustom::hasNonArgNonControlEffects):
3620         (JSC::B3::Air::EntrySwitchCustom::generate):
3621         * b3/air/AirGenerate.cpp:
3622         (JSC::B3::Air::prepareForGeneration):
3623         (JSC::B3::Air::generate):
3624         * b3/air/AirLowerEntrySwitch.cpp: Added.
3625         (JSC::B3::Air::lowerEntrySwitch):
3626         * b3/air/AirLowerEntrySwitch.h: Added.
3627         * b3/air/AirOpcode.opcodes:
3628         * b3/air/AirOptimizeBlockOrder.cpp:
3629         (JSC::B3::Air::blocksInOptimizedOrder):
3630         * b3/air/AirSpecial.cpp:
3631         (JSC::B3::Air::Special::isTerminal):
3632         (JSC::B3::Air::Special::hasNonArgEffects):
3633         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
3634         * b3/air/AirSpecial.h:
3635         * b3/air/AirValidate.cpp:
3636         * b3/air/opcode_generator.rb:
3637         * b3/testb3.cpp:
3638
3639 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
3640
3641         Unreviewed, fix broken test. I don't know why I goofed this up without seeing it before landing.
3642
3643         * b3/air/AirOpcode.opcodes:
3644         * b3/testb3.cpp:
3645         (JSC::B3::run):
3646
3647 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
3648
3649         [B3] Fusing immediates into test instructions should work again
3650         https://bugs.webkit.org/show_bug.cgi?id=160073
3651
3652         Reviewed by Sam Weinig.
3653
3654         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
3655         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
3656         was still using Imm!  This meant that isValidForm() always returned false.
3657         
3658         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
3659         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
3660         with the scratch register).
3661         
3662         This is not an obvious progression on anything, so I added comprehensive tests to
3663         testb3, which check that we selected the optimal instruction in a variety of situations.
3664         We should add more tests like this!
3665
3666         * b3/B3BasicBlock.h:
3667         (JSC::B3::BasicBlock::successorBlock):
3668         * b3/B3LowerToAir.cpp:
3669         (JSC::B3::Air::LowerToAir::createGenericCompare):
3670         * b3/B3LowerToAir.h:
3671         * b3/air/AirArg.cpp:
3672         (JSC::B3::Air::Arg::isRepresentableAs):
3673         (JSC::B3::Air::Arg::usesTmp):
3674         * b3/air/AirArg.h:
3675         (JSC::B3::Air::Arg::isRepresentableAs):
3676         (JSC::B3::Air::Arg::castToType):
3677         (JSC::B3::Air::Arg::asNumber):
3678         * b3/air/AirCode.h:
3679         (JSC::B3::Air::Code::size):
3680         (JSC::B3::Air::Code::at):
3681         * b3/air/AirOpcode.opcodes:
3682         * b3/air/AirValidate.h:
3683         * b3/air/opcode_generator.rb:
3684         * b3/testb3.cpp:
3685         (JSC::B3::compile):
3686         (JSC::B3::compileAndRun):
3687         (JSC::B3::lowerToAirForTesting):
3688         (JSC::B3::testSomeEarlyRegister):
3689         (JSC::B3::testBranchBitAndImmFusion):
3690         (JSC::B3::zero):
3691         (JSC::B3::run):
3692
3693 2016-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3694
3695         Unreviewed, update the exponentiation expression error message
3696         https://bugs.webkit.org/show_bug.cgi?id=159969
3697
3698         Follow up patch for r203499.
3699
3700         * parser/Parser.cpp:
3701         (JSC::Parser<LexerType>::parseBinaryExpression):
3702         * tests/stress/pow-expects-update-expression-on-lhs.js:
3703         (throw.new.Error):
3704
3705 2016-07-24  Darin Adler  <darin@apple.com>
3706
3707         Adding a new WebCore JavaScript built-in source file does not trigger rebuild of WebCoreJSBuiltins*
3708         https://bugs.webkit.org/show_bug.cgi?id=160115
3709
3710         Reviewed by Youenn Fablet.
3711
3712         * make-generated-sources.sh: Removed. Was unused.
3713
3714 2016-07-23  Commit Queue  <commit-queue@webkit.org>
3715
3716         Unreviewed, rolling out r203641.
3717         https://bugs.webkit.org/show_bug.cgi?id=160116
3718
3719         It broke make-based builds (Requested by youenn on #webkit).
3720
3721         Reverted changeset:
3722
3723         "[Fetch API] Request should be created with any HeadersInit
3724         data"
3725         https://bugs.webkit.org/show_bug.cgi?id=159672
3726         http://trac.webkit.org/changeset/203641
3727
3728 2016-07-23  Youenn Fablet  <youenn@apple.com>
3729
3730         [Fetch API] Request should be created with any HeadersInit data
3731         https://bugs.webkit.org/show_bug.cgi?id=159672
3732
3733         Reviewed by Sam Weinig.
3734
3735         * Scripts/builtins/builtins_generator.py:
3736         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
3737
3738 2016-07-21  Filip Pizlo  <fpizlo@apple.com>
3739
3740         Teach MarkedSpace how to allocate auxiliary storage
3741         https://bugs.webkit.org/show_bug.cgi?id=160053
3742
3743         Reviewed by Sam Weinig.
3744         
3745         Previously, we had two kinds of subspaces in MarkedSpace: destructor and non-destructor. This
3746         was described using "bool needsDestruction" that would get passed around. We'd iterate over
3747         these spaces using duplicated code - one loop for destructors and one for non-destructors, or
3748         a single loop that does one thing for destructors and one for non-destructors.
3749         
3750         But now we want a third subspace: non-destructor non-JSCell, aka Auxiliary.
3751         
3752         So, this changes all of the reflection and iteration over subspaces to use functors, so that
3753         the looping is written once and reused. Most places don't even have to know that there is a
3754         third subspace; they just know that they must do things for each subspace, for each
3755         allocator, or for each block - and the functor magic handles it for you.
3756         
3757         To make this somewhat nice, this change also fixes how we describe subspaces. Instead of a
3758         bool, we now have AllocatorAttributes, which is a struct. If we ever add more subspaces, we
3759         can add fields to AllocatorAttributes to describe how those subspaces differ. For now it just
3760         contains two properties: a DestructionMode and a HeapCell::Kind. The DestructionMode
3761         replaces bool needsDestruction. I deliberately used a non-class enum to avoid tautologies.
3762         DestructionMode has two members: NeedsDestruction and DoesNotNeedDestruction. I almost went
3763         with DestructionMode::Needed and DestructionMode::NotNeeded, but I felt like that involves
3764         more typing and doesn't actually avoid any kind of namespace issues.
3765         
3766         This is intended to have no behavior change other than the addition of a totally unused
3767         space, which should always be empty. So hopefully it doesn't cost anything.
3768
3769         * CMakeLists.txt:
3770         * JavaScriptCore.xcodeproj/project.pbxproj:
3771         * heap/AllocatorAttributes.cpp: Added.
3772         (JSC::AllocatorAttributes::dump):
3773         * heap/AllocatorAttributes.h: Added.
3774         (JSC::AllocatorAttributes::AllocatorAttributes):
3775         * heap/DestructionMode.cpp: Added.
3776         (WTF::printInternal):
3777         * heap/DestructionMode.h: Added.
3778         * heap/Heap.h:
3779         * heap/MarkedAllocator.cpp:
3780         (JSC::MarkedAllocator::allocateBlock):
3781         (JSC::MarkedAllocator::addBlock):
3782         * heap/MarkedAllocator.h:
3783         (JSC::MarkedAllocator::cellSize):
3784         (JSC::MarkedAllocator::attributes):
3785         (JSC::MarkedAllocator::needsDestruction):
3786         (JSC::MarkedAllocator::destruction):
3787         (JSC::MarkedAllocator::cellKind):
3788         (JSC::MarkedAllocator::heap):
3789         (JSC::MarkedAllocator::takeLastActiveBlock):
3790         (JSC::MarkedAllocator::MarkedAllocator):
3791         (JSC::MarkedAllocator::init):
3792         (JSC::MarkedAllocator::allocate):
3793         * heap/MarkedBlock.cpp:
3794         (JSC::MarkedBlock::create):
3795         (JSC::MarkedBlock::destroy):
3796         (JSC::MarkedBlock::MarkedBlock):
3797         (JSC::MarkedBlock::callDestructor):
3798         (JSC::MarkedBlock::sweep):
3799         (JSC::MarkedBlock::stopAllocating):
3800         (JSC::MarkedBlock::didRetireBlock):
3801         * heap/MarkedBlock.h:
3802         (JSC::MarkedBlock::cellSize):
3803         (JSC::MarkedBlock::attributes):
3804         (JSC::MarkedBlock::needsDestruction):
3805         (JSC::MarkedBlock::destruction):
3806         (JSC::MarkedBlock::cellKind):
3807         (JSC::MarkedBlock::size):
3808         (JSC::MarkedBlock::forEachCell):
3809         (JSC::MarkedBlock::forEachLiveCell):
3810         (JSC::MarkedBlock::forEachDeadCell):
3811         * heap/MarkedSpace.cpp:
3812         (JSC::MarkedSpace::MarkedSpace):
3813         (JSC::MarkedSpace::~MarkedSpace):
3814         (JSC::MarkedSpace::lastChanceToFinalize):
3815         (JSC::MarkedSpace::resetAllocators):
3816         (JSC::MarkedSpace::forEachAllocator):
3817         (JSC::MarkedSpace::stopAllocating):
3818         (JSC::MarkedSpace::resumeAllocating):
3819         (JSC::MarkedSpace::isPagedOut):
3820         (JSC::MarkedSpace::freeBlock):
3821         (JSC::MarkedSpace::shrink):
3822         (JSC::MarkedSpace::clearNewlyAllocated):
3823         (JSC::clearNewlyAllocatedInBlock): Deleted.
3824         * heap/MarkedSpace.h:
3825         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
3826         (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor):
3827         (JSC::MarkedSpace::subspaceForAuxiliaryData):
3828         (JSC::MarkedSpace::allocatorFor):
3829         (JSC::MarkedSpace::destructorAllocatorFor):
3830         (JSC::MarkedSpace::auxiliaryAllocatorFor):
3831         (JSC::MarkedSpace::allocateWithoutDestructor):
3832         (JSC::MarkedSpace::allocateWithDestructor):
3833         (JSC::MarkedSpace::allocateAuxiliary):
3834         (JSC::MarkedSpace::forEachBlock):
3835         (JSC::MarkedSpace::didAddBlock):
3836         (JSC::MarkedSpace::capacity):
3837         (JSC::MarkedSpace::forEachSubspace):
3838
3839 2016-07-22  Saam Barati  <sbarati@apple.com>
3840
3841         REGRESSION(r203537): It made many tests crash on ARMv7 Linux platforms
3842         https://bugs.webkit.org/show_bug.cgi?id=160082
3843
3844         Reviewed by Keith Miller.
3845
3846         We were improperly linking the Jump in the link buffer.
3847         It caused us to be linking against the executable address
3848         which always has bit 0 set. We shouldn't be doing that.
3849         This patch fixes this, by using the same idiom that
3850         PolymorphicAccess uses to link a jump to out of line code.
3851
3852         * jit/JITMathIC.h:
3853         (JSC::JITMathIC::generateOutOfLine):
3854
3855 2016-07-22  Commit Queue  <commit-queue@webkit.org>
3856
3857         Unreviewed, rolling out r203603.
3858         https://bugs.webkit.org/show_bug.cgi?id=160096
3859
3860         Caused CLoop tests to fail with assertions (Requested by
3861         perarne on #webkit).
3862
3863         Reverted changeset:
3864
3865         "[Win] jsc.exe sometimes never exits."
3866         https://bugs.webkit.org/show_bug.cgi?id=158073
3867         http://trac.webkit.org/changeset/203603
3868
3869 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
3870
3871         [Win] jsc.exe sometimes never exits.
3872         https://bugs.webkit.org/show_bug.cgi?id=158073
3873
3874         Reviewed by Mark Lam.
3875
3876         Make sure the VM is deleted after the test has finished. This will gracefully stop the sampling profiler thread,
3877         and give the thread the opportunity to release the machine thread lock acquired in SamplingProfiler::takeSample.
3878         If the sampling profiler thread was terminated while holding the machine thread lock, the machine thread will
3879         not be able to grab the lock afterwards.
3880  
3881         * jsc.cpp:
3882         (jscmain):
3883
3884 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
3885
3886         Fix the Windows 64-bit build after r203537
3887         https://bugs.webkit.org/show_bug.cgi?id=160080
3888
3889         Reviewed by Csaba Osztrogonác.
3890
3891         Added new version of setupArgumentsWithExecState method.
3892
3893         * jit/CCallHelpers.h:
3894         (JSC::CCallHelpers::setupArgumentsWithExecState):
3895
3896 2016-07-22  Csaba Osztrogonác  <ossy@webkit.org>
3897
3898         [ARM] Un