[B3][Win64] Compile and warning fixes.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-01-19  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile and warning fixes.
        https://bugs.webkit.org/show_bug.cgi?id=153234

        Reviewed by Alex Christensen.

        The size of 'long' is 4 bytes on Win64. We can use 'long long' instead,
        when we want the size to be 8 bytes.

        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3ReduceStrength.cpp:

2016-01-19  Csaba Osztrogonác  <ossy@webkit.org>

        [cmake] Fix the B3 build after r195159
        https://bugs.webkit.org/show_bug.cgi?id=153232

        Reviewed by Yusuke Suzuki.

        * CMakeLists.txt:

2016-01-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r195300.
        https://bugs.webkit.org/show_bug.cgi?id=153244

        enrica wants more time to fix Windows (Requested by thorton on
        #webkit).

        Reverted changeset:

        "Add support for DataDetectors in WK (iOS)."
        https://bugs.webkit.org/show_bug.cgi?id=152989
        http://trac.webkit.org/changeset/195300

2016-01-19  Filip Pizlo  <fpizlo@apple.com>

        Reconsider B3's constant motion policy
        https://bugs.webkit.org/show_bug.cgi?id=152202

        Reviewed by Geoffrey Garen.

        This changes moveConstants() to hoist constants. This is a speed-up on things like mandreel.
        It has a generally positive impact on the Octane score, but it's within margin of error.

        This also changes IRC to make it a bit more likely to spill constants. We don't want it to
        spill them too much, because we can't rely on fixObviousSpills() to always replace a load of
        a constant from the stack with the constant itself, especially in case of instructions that
        need an extra register to materialize the immediate.

        Also fixed DFG graph dumping to print a bit fewer things. It was trying to print the results of
        constant property inference, and this sometimes caused crashes when you dumped the graph at an
        inopportune time.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3MoveConstants.cpp:
        * b3/air/AirArg.h:
        * b3/air/AirArgInlines.h: Added.
        (JSC::B3::Air::ArgThingHelper<Tmp>::is):
        (JSC::B3::Air::ArgThingHelper<Tmp>::as):
        (JSC::B3::Air::ArgThingHelper<Tmp>::forEachFast):
        (JSC::B3::Air::ArgThingHelper<Tmp>::forEach):
        (JSC::B3::Air::ArgThingHelper<Arg>::is):
        (JSC::B3::Air::ArgThingHelper<Arg>::as):
        (JSC::B3::Air::ArgThingHelper<Arg>::forEachFast):
        (JSC::B3::Air::ArgThingHelper<Arg>::forEach):
        (JSC::B3::Air::Arg::is):
        (JSC::B3::Air::Arg::as):
        (JSC::B3::Air::Arg::forEachFast):
        (JSC::B3::Air::Arg::forEach):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirUseCounts.h:
        (JSC::B3::Air::UseCounts::UseCounts):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2016-01-19  Enrica Casucci  <enrica@apple.com>

        Add support for DataDetectors in WK (iOS).
        https://bugs.webkit.org/show_bug.cgi?id=152989
        rdar://problem/22855960

        Reviewed by Tim Horton.

        Adding feature definition.

        * Configurations/FeatureDefines.xcconfig:

2016-01-17  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should be just as fast as FTL LLVM on Octane/crypto
        https://bugs.webkit.org/show_bug.cgi?id=153113

        Reviewed by Saam Barati.

        This is the result of a hacking rampage to close the gap between FTL B3 and FTL LLVM on
        Octane/crypto. It was a very successful rampage.

        The biggest change in this patch is the introduction of a phase called fixObviousSpills()
        that fixes patterns like:

        Store register to stack slot and then use stack slot:
            Move %rcx, (stack42)
            Foo use:(stack42) // replace (stack42) with %rcx here.

        Load stack slot into register and then use stack slot:
            Move (stack42), %rcx
            Foo use:(stack42) // replace (stack42) with %rcx here.

        Store constant into stack slot and then use stack slot:
            Move $42, %rcx
            Move %rcx, (stack42)
            Bar def:%rcx // %rcx isn't available anymore, but we still know that (stack42) is $42
            Foo use:(stack42) // replace (stack42) with $42 here.

        This phase does these fixups by doing a global forward flow that propagates sets of
        must-aliases.

        Also added a phase to report register pressure. It pretty-prints code alongside the set of
        in-use registers above each instruction. Using this phase, I found that our register
        allocator is actually doing a pretty awesome job. I had previously feared that we'd have to
        make substantial changes to register allocation. I don't have such a fear anymore, at least
        for Octane/crypto. In the future, we can check how the regalloc is performing just by
        enabling logAirRegisterPressure.

        Also fixed some FTL codegen pathologies. We were using bitOr where we meant to use a
        conditional or. LLVM likes to canonicalize boolean expressions this way. B3, on the other
        hand, doesn't do this canonicalization and doesn't have logic to decompose it into sequences
        of branches.

        Also added strength reductions for checked arithmetic. It turns out that LLVM learned how to
        reduce checked multiply to unchecked multiply in some obvious cases that our existing DFG
        optimizations lacked. Ideally, our DFG integer range optimization phase would cover this. But
        the cases of interest were dead simple - the incoming values to the CheckMul were obviously
        too small to cause overflow. I added such reasoning to B3's strength reduction.

        Finally, this fixes some bugs with how we were handling subwidth spill slots. The register
        allocator was making two mistakes. First, it might cause a Width64 def or use of a 4-byte
        spill slot. In that case, it would extend the size of the spill slot to ensure that the use
        or def is safe. Second, it emulates ZDef on Tmp behavior by emitting a Move32 to initialize
        the high bits of a spill slot. But this is unsound because of the liveness semantics of spill
        slots. They cannot have more than one def to initialize their value. I fixed that by making
        allocateStack() be the thing that fixes ZDefs. That's a change to ZDef semantics: now, ZDef
        on an anonymous stack slot means that the high bits are zero-filled. I wasn't able to
        construct a test for this. It might be a hypothetical bug, but still, I like how this
        simplifies the register allocator.

        This is a ~0.7% speed-up on Octane.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::hiddenBranch):
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::commitHiddenBranch): Deleted.
        * b3/B3CheckSpecial.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::fillStackmap):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3StackmapValue.h:
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirAllocateStack.h:
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::callArg):
        (JSC::B3::Air::Arg::stackAddr):
        (JSC::B3::Air::Arg::isValidScale):
        * b3/air/AirBasicBlock.cpp:
        (JSC::B3::Air::BasicBlock::deepDump):
        (JSC::B3::Air::BasicBlock::dumpHeader):
        (JSC::B3::Air::BasicBlock::dumpFooter):
        * b3/air/AirBasicBlock.h:
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::CCallSpecial):
        (JSC::B3::Air::CCallSpecial::~CCallSpecial):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::lastPhaseName):
        (JSC::B3::Air::Code::setEnableRCRS):
        (JSC::B3::Air::Code::enableRCRS):
        * b3/air/AirCustom.cpp:
        (JSC::B3::Air::PatchCustom::isValidForm):
        (JSC::B3::Air::CCallCustom::isValidForm):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::isValidFormStatic):
        (JSC::B3::Air::PatchCustom::admitsStack):
        (JSC::B3::Air::PatchCustom::isValidForm): Deleted.
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::ShufflePair::dump):
        (JSC::B3::Air::createShuffle):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h:
        * b3/air/AirFixObviousSpills.cpp: Added.
        (JSC::B3::Air::fixObviousSpills):
        * b3/air/AirFixObviousSpills.h: Added.
        * b3/air/AirFixSpillSlotZDef.h: Removed.
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::reportUsedRegisters):
        (JSC::B3::Air::Inst::admitsStack):
        (JSC::B3::Air::isShiftValid):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::begin):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::end):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::contains):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::live):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::isLive):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
        (JSC::B3::Air::AbstractLiveness::rawLiveAtHead):
        (JSC::B3::Air::AbstractLiveness::Iterable::begin):
        (JSC::B3::Air::AbstractLiveness::Iterable::end):
        (JSC::B3::Air::AbstractLiveness::Iterable::contains):
        (JSC::B3::Air::AbstractLiveness::liveAtTail):
        (JSC::B3::Air::AbstractLiveness::workset):
        * b3/air/AirLogRegisterPressure.cpp: Added.
        (JSC::B3::Air::logRegisterPressure):
        * b3/air/AirLogRegisterPressure.h: Added.
        * b3/air/AirOptimizeBlockOrder.cpp:
        (JSC::B3::Air::blocksInOptimizedOrder):
        (JSC::B3::Air::optimizeBlockOrder):
        * b3/air/AirOptimizeBlockOrder.h:
        * b3/air/AirReportUsedRegisters.cpp:
        (JSC::B3::Air::reportUsedRegisters):
        * b3/air/AirReportUsedRegisters.h:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirStackSlot.h:
        (JSC::B3::Air::StackSlot::isLocked):
        (JSC::B3::Air::StackSlot::index):
        (JSC::B3::Air::StackSlot::ensureSize):
        (JSC::B3::Air::StackSlot::alignment):
        * b3/air/AirValidate.cpp:
        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMod):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::get):
        (JSC::RegisterSet::setAll):
        (JSC::RegisterSet::merge):
        (JSC::RegisterSet::filter):
        * runtime/Options.h:
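
A compact model of the fixObviousSpills() idea described in the entry above, written as an added example for this ChangeLog page and not code from WebKit: it implements the single-block (local) step of the forward flow over a toy Air-like IR and feeds it the three patterns from the entry as constructed input, plus a redefinition of the slot to show the facts being killed. The names Arg, Inst, AliasState and the opcodes Foo, Bar, Baz and Qux are placeholders for this example; the real phase additionally merges states across block boundaries.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Minimal stand-in for an Air argument: a register, an anonymous spill slot, or an immediate.
struct Arg {
    enum Kind { Reg, Stack, Imm };
    Kind kind = Imm;
    std::string reg;   // register name (Reg)
    int slot = 0;      // spill-slot index (Stack)
    int64_t imm = 0;   // constant value (Imm)
    static Arg r(const std::string& name) { Arg a; a.kind = Reg; a.reg = name; return a; }
    static Arg s(int slot) { Arg a; a.kind = Stack; a.slot = slot; return a; }
    static Arg i(int64_t v) { Arg a; a.kind = Imm; a.imm = v; return a; }
    bool operator==(const Arg& o) const { return kind == o.kind && reg == o.reg && slot == o.slot && imm == o.imm; }
    std::string str() const {
        if (kind == Reg) return "%" + reg;
        if (kind == Stack) return "(stack" + std::to_string(slot) + ")";
        return "$" + std::to_string(imm);
    }
};

// An instruction with explicit use and def operand lists. "Move" is uses[0] -> defs[0].
struct Inst {
    std::string op;
    std::vector<Arg> uses;
    std::vector<Arg> defs;
};

// The must-alias facts carried forward through the block.
struct AliasState {
    std::map<int, std::string> slotReg;     // slot holds the same value as this register
    std::map<int, int64_t> slotImm;         // slot holds this constant
    std::map<std::string, int64_t> regImm;  // register holds this constant
    void killReg(const std::string& r) {
        regImm.erase(r);
        for (auto it = slotReg.begin(); it != slotReg.end();) {
            if (it->second == r) it = slotReg.erase(it); else ++it;
        }
    }
    void killSlot(int s) { slotReg.erase(s); slotImm.erase(s); }
};

// Local forward flow: rewrite each stack-slot use with a register (preferred) or constant known to
// hold the same value, invalidate facts for everything the instruction defines, and for a Move
// record the new alias it creates.
std::vector<Inst> fixObviousSpills(std::vector<Inst> block) {
    AliasState st;
    for (Inst& inst : block) {
        for (Arg& use : inst.uses) {
            if (use.kind != Arg::Stack) continue;
            auto reg = st.slotReg.find(use.slot);
            auto imm = st.slotImm.find(use.slot);
            if (reg != st.slotReg.end()) use = Arg::r(reg->second);
            else if (imm != st.slotImm.end()) use = Arg::i(imm->second);
        }
        for (const Arg& def : inst.defs) {
            if (def.kind == Arg::Reg) st.killReg(def.reg);
            else if (def.kind == Arg::Stack) st.killSlot(def.slot);
        }
        if (inst.op != "Move") continue;
        const Arg& src = inst.uses[0];
        const Arg& dst = inst.defs[0];
        if (src.kind == Arg::Imm && dst.kind == Arg::Reg) st.regImm[dst.reg] = src.imm;
        else if (src.kind == Arg::Reg && dst.kind == Arg::Stack) {
            st.slotReg[dst.slot] = src.reg;
            auto c = st.regImm.find(src.reg);
            if (c != st.regImm.end()) st.slotImm[dst.slot] = c->second;  // the slot now holds that constant too
        } else if (src.kind == Arg::Stack && dst.kind == Arg::Reg) {
            st.slotReg[src.slot] = dst.reg;
            auto c = st.slotImm.find(src.slot);
            if (c != st.slotImm.end()) st.regImm[dst.reg] = c->second;
        }
    }
    return block;
}

// Constructed inputs: the entry's three patterns; storeThenUse also redefines the slot (Baz) so the
// later use (Qux) must be left alone.
std::vector<Inst> storeThenUse() { return {{"Move", {Arg::r("rcx")}, {Arg::s(42)}}, {"Foo", {Arg::s(42)}, {}}, {"Baz", {}, {Arg::s(42)}}, {"Qux", {Arg::s(42)}, {}}}; }
std::vector<Inst> loadThenUse() { return {{"Move", {Arg::s(42)}, {Arg::r("rcx")}}, {"Foo", {Arg::s(42)}, {}}}; }
std::vector<Inst> constantThroughSlot() { return {{"Move", {Arg::i(42)}, {Arg::r("rcx")}}, {"Move", {Arg::r("rcx")}, {Arg::s(42)}}, {"Bar", {}, {Arg::r("rcx")}}, {"Foo", {Arg::s(42)}, {}}}; }

int main() {
    for (const Inst& inst : fixObviousSpills(constantThroughSlot())) {
        std::printf("%s", inst.op.c_str());
        for (const Arg& u : inst.uses) std::printf(" use:%s", u.str().c_str());
        for (const Arg& d : inst.defs) std::printf(" def:%s", d.str().c_str());
        std::printf("\n");
    }
    return 0;
}
```

Defs are killed before the Move's own alias is recorded, so a Move that redefines a register or slot drops the stale aliases first; that ordering is what keeps the rewrite a must-alias rather than a may-alias.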

2016-01-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, undo unintended commit.

        * dfg/DFGCommon.h:

2016-01-18  Filip Pizlo  <fpizlo@apple.com>

        Fix Air shuffling assertions
        https://bugs.webkit.org/show_bug.cgi?id=153213

        Reviewed by Saam Barati.

        Fixes some assertions that I was seeing running JSC tests. Adds a new Air test.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        (JSC::MacroAssemblerX86Common::getUnusedRegister):
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/testair.cpp:
        (JSC::B3::Air::testShuffleRotateWithFringe):
        (JSC::B3::Air::testShuffleRotateWithFringeInWeirdOrder):
        (JSC::B3::Air::testShuffleRotateWithLongFringe):
        (JSC::B3::Air::run):

2016-01-19  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Logical instructions allow immediates in range 0..0xffff, not 0x7fff
        https://bugs.webkit.org/show_bug.cgi?id=152693

        Reviewed by Michael Saboff.

        * offlineasm/mips.rb:

2016-01-18  Saam barati  <sbarati@apple.com>

        assertions in BytecodeUseDef.h about opcode length are off by one
        https://bugs.webkit.org/show_bug.cgi?id=153215

        Reviewed by Dan Bernstein.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):

2016-01-18  Saam barati  <sbarati@apple.com>

        FTL doesn't do proper spilling for exception handling when GetById/Snippets go to slow path
        https://bugs.webkit.org/show_bug.cgi?id=153186

        Reviewed by Michael Saboff.

        Michael was investigating a bug he found while doing the new JSC calling
        convention work and it turns out to be a latent bug in FTL try/catch machinery.
        After I looked at the code again, I realized that what I had previously
        written is wrong in a subtle way. The FTL callOperation machinery will remove
        its result register from the set of registers it needs to spill. This is not
        correct when we have try/catch. We may want to do value recovery on
        the value that the result register is prior to the call after the call
        throws an exception. The case that we were solving before was when the
        resultRegister == baseRegister in a GetById, or left/rightRegister == resultRegister in a Snippet.
        This code is correct in wanting to spill in that case, even though it might spill
        when we don't need it to (i.e. the result is not needed for value recovery). Once I
        investigated this bug further, I realized that the previous rule is just a
        partial subset of the rule that says we should spill anytime the result is
        a register we might do value recovery on. This patch implements the rule that
        says we always want to spill the result when we will do value recovery on it
        if an exception is thrown.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * tests/stress/ftl-try-catch-getter-throw-interesting-value-recovery.js: Added.
        (assert):
        (random):
        (identity):
        (let.o2.get f):
        (let.o3.get f):
        (foo):
        (i.else):

2016-01-18  Konstantin Tokarev  <annulen@yandex.ru>

        [MIPS] LLInt: fix calculation of Global Offset Table
        https://bugs.webkit.org/show_bug.cgi?id=150381

        Offlineasm adds a .cpload $t9 when we create a label in MIPS, which
        computes the address of the GOT. However, this instruction requires $t9 to
        contain the address of the current function. So we need to set $t9 to pcBase,
        otherwise GOT-related calculations will be invalid.

        Since offlineasm does not allow a direct move to $t9 on MIPS, added a new
        instruction setcallreg which does exactly that.

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:

2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r194601): Fix the jsc timeout option of jsc.cpp
        https://bugs.webkit.org/show_bug.cgi?id=153204

        Reviewed by Michael Catanzaro.

        * jsc.cpp:
        (main):

2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        [cmake] Add testair to the build system
        https://bugs.webkit.org/show_bug.cgi?id=153126

        Reviewed by Michael Catanzaro.

        * shell/CMakeLists.txt:

2016-01-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>

        Ensure that CF_AVAILABLE is undefined when building webkit-gtk

        https://bugs.webkit.org/show_bug.cgi?id=152720

        This change ensures that CF_AVAILABLE is correctly a no-op to
        address a build failure that was observed when building on older
        versions of OSX.  Previously, CF_AVAILABLE may have been unexpectedly
        re-defined to the system header value based on include-order.

        Reviewed by Michael Catanzaro.

        * API/WebKitAvailability.h:

2016-01-17  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix regT2 and regT3 trampling in MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=153131

        Mips $t2 and $t3 registers were used as temporary registers
        in MacroAssemblerMIPS.h, whereas they are mapped to regT2
        and regT3 in LLInt and GPRInfo.

        This patch rearranges register mapping for the mips architecture:
        - use $t0 and $t1 as temp registers in LLInt (as in MacroAssembler)
        - use $t7 and $t8 as temp registers in MacroAssembler (as in LLInt)
        - remove $t6 from temp registers list in LLInt
        - update GPRInfo.h accordingly
        - add mips macroScratchRegisters() list in RegisterSet.cpp

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::macroScratchRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * offlineasm/mips.rb:

2016-01-16  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Arrow function should support the destructuring parameters.
        https://bugs.webkit.org/show_bug.cgi?id=146934

        Reviewed by Saam Barati.

        Added support for destructuring parameters; before, arrow functions expected only simple parameters,
        e.g. (), (x), (x, y) or x in an assignment expression. To support destructuring parameters, added an
        additional check that checks for destructuring parameters if the check does not pass for simple parameters.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:

2016-01-15  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
        https://bugs.webkit.org/show_bug.cgi?id=153065

        Reviewed by Mark Lam.
        Reviewed by Filip Pizlo.

        On ARM64, we cannot use signed 32-bit offsets for memory addressing.
        There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
        Air already knows about it.

        In this patch, the offsets are changed to something valid for ARM64
        prior to lowering. When an offset is invalid, it is just computed
        before the instruction and used as the base for addressing.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3LegalizeMemoryOffsets.cpp: Added.
        (JSC::B3::legalizeMemoryOffsets):
        * b3/B3LegalizeMemoryOffsets.h: Added.
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testLoadWithOffsetImpl):
        (JSC::B3::testLoadOffsetImm9Max):
        (JSC::B3::testLoadOffsetImm9MaxPlusOne):
        (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
        (JSC::B3::testLoadOffsetImm9Min):
        (JSC::B3::testLoadOffsetImm9MinMinusOne):
        (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
        (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
        (JSC::B3::run):
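
An added example (not B3's own legalizeMemoryOffsets()) of the offset check and the rewrite the entry describes, exercised at the same boundaries the new testb3 cases are named after. The encodable ranges are ARM64 architectural facts for the unscaled (signed 9-bit, -256..255) and scaled (unsigned 12-bit times the access width) immediate forms; the Load/Add mnemonics and the %scratch register are hypothetical Air-like spellings chosen for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Unscaled form: signed 9-bit immediate, any alignment.
bool isValidSignedImm9(int64_t offset) { return offset >= -256 && offset <= 255; }

// Scaled form: unsigned 12-bit immediate multiplied by the access width in bytes,
// so the offset must be non-negative, width-aligned, and at most 4095 * width.
bool isValidScaledUnsignedImm12(int64_t offset, int width) {
    return width > 0 && offset >= 0 && offset % width == 0 && offset / width <= 4095;
}

bool isLegalARM64Offset(int64_t offset, int width) {
    return isValidSignedImm9(offset) || isValidScaledUnsignedImm12(offset, width);
}

// Lower "dst = load `width` bytes at [base + offset]" to a pseudo-assembly sequence.
// When the offset is not encodable, base + offset is computed into a scratch register
// before the load and the load addresses off that register with offset 0, which is
// the strategy the entry describes. Materializing a large constant for the Add is
// left to ordinary Add lowering.
std::vector<std::string> lowerLoad(const std::string& dst, const std::string& base, int64_t offset, int width) {
    std::string load = "Load" + std::to_string(width * 8) + " " + dst + ", [";
    if (isLegalARM64Offset(offset, width))
        return { load + base + ", #" + std::to_string(offset) + "]" };
    return {
        "Add64 %scratch, " + base + ", #" + std::to_string(offset),
        load + "%scratch, #0]",
    };
}

int main() {
    // Constructed boundary cases for an 8-byte access: 255/256 straddle imm9, 257 is unaligned for
    // the scaled form, -257 is below imm9, 4095*8 is the scaled maximum and 4096*8 is one step past it.
    const int64_t offsets[] = { 255, 256, 257, -256, -257, 4095 * 8, 4096 * 8 };
    for (int64_t offset : offsets) {
        std::printf("offset %lld: %s\n", (long long)offset, isLegalARM64Offset(offset, 8) ? "encodable" : "needs rewrite");
        for (const std::string& line : lowerLoad("%x0", "%x1", offset, 8)) std::printf("    %s\n", line.c_str());
    }
    return 0;
}
```

Note that 256 fails the signed 9-bit form but is still a single instruction for an 8-byte access because it is a multiple of the width, while 257 is not; a legality check that only looked at the signed range would rewrite more than necessary, and one that only looked at magnitude would emit an unencodable instruction.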

2016-01-15  Alex Christensen  <achristensen@webkit.org>

        Fix internal Windows build
        https://bugs.webkit.org/show_bug.cgi?id=153142

        Reviewed by Brent Fulgham.

        The internal Windows build builds JavaScriptCore from a directory that is not called JavaScriptCore.
        Searching for JavaScriptCore/API/APICast.h fails because it is in SomethingElse/API/APICast.h.
        Since we are including the JavaScriptCore directory, it is not necessary to have JavaScriptCore in
        the forwarding headers, but removing it allows builds from directories that are not named JavaScriptCore.

        * ForwardingHeaders/JavaScriptCore/APICast.h:
        * ForwardingHeaders/JavaScriptCore/JSBase.h:
        * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h:
        * ForwardingHeaders/JavaScriptCore/JSContextRef.h:
        * ForwardingHeaders/JavaScriptCore/JSObjectRef.h:
        * ForwardingHeaders/JavaScriptCore/JSRetainPtr.h:
        * ForwardingHeaders/JavaScriptCore/JSStringRef.h:
        * ForwardingHeaders/JavaScriptCore/JSStringRefCF.h:
        * ForwardingHeaders/JavaScriptCore/JSValueRef.h:
        * ForwardingHeaders/JavaScriptCore/JavaScript.h:
        * ForwardingHeaders/JavaScriptCore/JavaScriptCore.h:
        * ForwardingHeaders/JavaScriptCore/OpaqueJSString.h:
        * ForwardingHeaders/JavaScriptCore/WebKitAvailability.h:

2016-01-15  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile fixes.
        https://bugs.webkit.org/show_bug.cgi?id=153127

        Reviewed by Alex Christensen.

        MSVC has several overloads of fmod, pow, and ceil. We need to suggest to MSVC
        which one we want to use.

        * b3/B3LowerMacros.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3MathExtras.cpp:
        (JSC::B3::powDoubleInt32):
        * b3/B3ReduceStrength.cpp:

2016-01-15  Filip Pizlo  <fpizlo@apple.com>

        Air needs a Shuffle instruction
        https://bugs.webkit.org/show_bug.cgi?id=152952

        Reviewed by Saam Barati.

        This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
        multiple moves to perform arbitrary permutations over registers and memory. We call these
        rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
        c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
        use immediates as their source.

        Shuffle is added as a custom instruction, since it has a variable number of arguments. It
        takes any number of triplets of arguments, where each triplet describes one mapping of the
        shuffle. For example, to represent (a => b, b => c), we might say:

            Shuffle %a, %b, 64, %b, %c, 64

        Note the "64"s, those are width arguments that describe how many bits of the register are
        being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
        most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
        of the pairs in the example). For GP arguments, the width follows ZDef semantics.

        In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
        how to use it:

        - C calling convention argument marshalling. Previously we used move instructions. But that's
          problematic since it introduces artificial interference between the argument registers and
          the inputs. Using Shuffle removes that interference. This helps a bit.

        - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
          a cold path, then we want it to appear to the register allocator like it doesn't clobber
          any registers. Only after register allocation should we handle the clobbering by simply
          saving all of the live volatile registers to the stack. If you imagine the saving and the
          argument marshalling, you can see how before the call, we want to have a Shuffle that does
          both of those things. This is important. If argument marshalling was separate from the
          saving, then we'd still appear to clobber argument registers. Doing them together as one
          Shuffle means that the cold call doesn't appear to even clobber the argument registers.

        Unfortunately, I was wrong about cold C calls being the dominant problem with our register
        allocator right now. Fixing this revealed other problems in my current tuning benchmark,
        Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
        functionality we will need to implement other optimizations.

        Relanding after fixing production build.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::isX86_64):
        (JSC::isIOS):
        (JSC::optimizeForARMv7IDIVSupported):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
        (JSC::MacroAssemblerX86Common::swap32):
        (JSC::MacroAssemblerX86Common::moveConditionally32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
        (JSC::MacroAssemblerX86_64::swap64):
        (JSC::MacroAssemblerX86_64::move64ToDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgl_rm):
        (JSC::X86Assembler::xchgq_rr):
        (JSC::X86Assembler::xchgq_rm):
        (JSC::X86Assembler::movl_rr):
        * b3/B3CCallValue.h:
        * b3/B3Compilation.cpp:
        (JSC::B3::Compilation::Compilation):
        (JSC::B3::Compilation::~Compilation):
        * b3/B3Compilation.h:
        (JSC::B3::Compilation::code):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::createSelect):
        (JSC::B3::Air::LowerToAir::lower):
        (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
        * b3/B3OpaqueByproducts.h:
        (JSC::B3::OpaqueByproducts::count):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::isArgValidForValue):
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::isStackMemory):
        (JSC::B3::Air::Arg::isRepresentableAs):
        (JSC::B3::Air::Arg::usesTmp):
        (JSC::B3::Air::Arg::canRepresent):
        (JSC::B3::Air::Arg::isCompatibleType):
        (JSC::B3::Air::Arg::dump):
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::forEachType):
        (JSC::B3::Air::Arg::isWarmUse):
        (JSC::B3::Air::Arg::cooled):
        (JSC::B3::Air::Arg::isEarlyUse):
        (JSC::B3::Air::Arg::imm64):
        (JSC::B3::Air::Arg::immPtr):
        (JSC::B3::Air::Arg::addr):
        (JSC::B3::Air::Arg::special):
        (JSC::B3::Air::Arg::widthArg):
        (JSC::B3::Air::Arg::operator==):
        (JSC::B3::Air::Arg::isImm64):
        (JSC::B3::Air::Arg::isSomeImm):
        (JSC::B3::Air::Arg::isAddr):
        (JSC::B3::Air::Arg::isIndex):
        (JSC::B3::Air::Arg::isMemory):
        (JSC::B3::Air::Arg::isRelCond):
        (JSC::B3::Air::Arg::isSpecial):
        (JSC::B3::Air::Arg::isWidthArg):
        (JSC::B3::Air::Arg::isAlive):
        (JSC::B3::Air::Arg::base):
        (JSC::B3::Air::Arg::hasOffset):
        (JSC::B3::Air::Arg::offset):
        (JSC::B3::Air::Arg::width):
        (JSC::B3::Air::Arg::isGPTmp):
        (JSC::B3::Air::Arg::isGP):
        (JSC::B3::Air::Arg::isFP):
        (JSC::B3::Air::Arg::isType):
        (JSC::B3::Air::Arg::isGPR):
        (JSC::B3::Air::Arg::isValidForm):
        (JSC::B3::Air::Arg::forEachTmpFast):
        * b3/air/AirBasicBlock.h:
        (JSC::B3::Air::BasicBlock::insts):
        (JSC::B3::Air::BasicBlock::appendInst):
        (JSC::B3::Air::BasicBlock::append):
        * b3/air/AirCCallingConvention.cpp: Added.
        (JSC::B3::Air::computeCCallingConvention):
        (JSC::B3::Air::cCallResult):
        (JSC::B3::Air::buildCCall):
        * b3/air/AirCCallingConvention.h: Added.
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::proc):
        * b3/air/AirCustom.cpp: Added.
        (JSC::B3::Air::CCallCustom::isValidForm):
        (JSC::B3::Air::CCallCustom::generate):
        (JSC::B3::Air::ShuffleCustom::isValidForm):
        (JSC::B3::Air::ShuffleCustom::generate):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::forEachArg):
        (JSC::B3::Air::PatchCustom::generate):
        (JSC::B3::Air::CCallCustom::forEachArg):
        (JSC::B3::Air::CCallCustom::isValidFormStatic):
        (JSC::B3::Air::CCallCustom::admitsStack):
        (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
        (JSC::B3::Air::ColdCCallCustom::forEachArg):
        (JSC::B3::Air::ShuffleCustom::forEachArg):
        (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
        (JSC::B3::Air::ShuffleCustom::admitsStack):
        (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
        * b3/air/AirEmitShuffle.cpp: Added.
        (JSC::B3::Air::ShufflePair::dump):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h: Added.
        (JSC::B3::Air::ShufflePair::ShufflePair):
        (JSC::B3::Air::ShufflePair::src):
        (JSC::B3::Air::ShufflePair::dst):
        (JSC::B3::Air::ShufflePair::width):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirGenerate.h:
        * b3/air/AirInsertionSet.cpp:
        (JSC::B3::Air::InsertionSet::insertInsts):
        (JSC::B3::Air::InsertionSet::execute):
        * b3/air/AirInsertionSet.h:
        (JSC::B3::Air::InsertionSet::insertInst):
        (JSC::B3::Air::InsertionSet::insert):
        * b3/air/AirInst.h:
        (JSC::B3::Air::Inst::operator bool):
        (JSC::B3::Air::Inst::append):
        * b3/air/AirLowerAfterRegAlloc.cpp: Added.
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirLowerAfterRegAlloc.h: Added.
        * b3/air/AirLowerMacros.cpp: Added.
        (JSC::B3::Air::lowerMacros):
        * b3/air/AirLowerMacros.h: Added.
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirRegisterPriority.h:
        (JSC::B3::Air::regsInPriorityOrder):
        * b3/air/testair.cpp: Added.
        (hiddenTruthBecauseNoReturnIsStupid):
        (usage):
        (JSC::B3::Air::compile):
        (JSC::B3::Air::invoke):
        (JSC::B3::Air::compileAndRun):
        (JSC::B3::Air::testSimple):
        (JSC::B3::Air::loadConstantImpl):
        (JSC::B3::Air::loadConstant):
        (JSC::B3::Air::loadDoubleConstant):
        (JSC::B3::Air::testShuffleSimpleSwap):
        (JSC::B3::Air::testShuffleSimpleShift):
        (JSC::B3::Air::testShuffleLongShift):
        (JSC::B3::Air::testShuffleLongShiftBackwards):
        (JSC::B3::Air::testShuffleSimpleRotate):
        (JSC::B3::Air::testShuffleSimpleBroadcast):
        (JSC::B3::Air::testShuffleBroadcastAllRegs):
        (JSC::B3::Air::testShuffleTreeShift):
        (JSC::B3::Air::testShuffleTreeShiftBackward):
        (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
        (JSC::B3::Air::testShuffleMultipleShifts):
        (JSC::B3::Air::testShuffleRotateWithFringe):
        (JSC::B3::Air::testShuffleRotateWithLongFringe):
        (JSC::B3::Air::testShuffleMultipleRotates):
        (JSC::B3::Air::testShuffleShiftAndRotate):
        (JSC::B3::Air::testShuffleShiftAllRegs):
        (JSC::B3::Air::testShuffleRotateAllRegs):
        (JSC::B3::Air::testShuffleSimpleSwap64):
        (JSC::B3::Air::testShuffleSimpleShift64):
716         (JSC::B3::Air::testShuffleSwapMixedWidth):
717         (JSC::B3::Air::testShuffleShiftMixedWidth):
718         (JSC::B3::Air::testShuffleShiftMemory):
719         (JSC::B3::Air::testShuffleShiftMemoryLong):
720         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
721         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
722         (JSC::B3::Air::combineHiLo):
723         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
724         (JSC::B3::Air::testShuffleRotateMemory):
725         (JSC::B3::Air::testShuffleRotateMemory64):
726         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
727         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
728         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
729         (JSC::B3::Air::testShuffleSwapDouble):
730         (JSC::B3::Air::testShuffleShiftDouble):
731         (JSC::B3::Air::run):
732         (run):
733         (main):
734         * b3/testb3.cpp:
735         (JSC::B3::testCallSimple):
736         (JSC::B3::testCallRare):
737         (JSC::B3::testCallRareLive):
738         (JSC::B3::testCallSimplePure):
739         (JSC::B3::run):
740
741 2016-01-15  Andy VanWagoner  <thetalecrafter@gmail.com>
742
743         [INTL] Implement Date.prototype.toLocaleString in ECMA-402
744         https://bugs.webkit.org/show_bug.cgi?id=147611
745
746         Reviewed by Benjamin Poulain.
747
748         Expose dateProtoFuncGetTime as thisTimeValue for builtins.
749         Remove unused code in DateTimeFormat toDateTimeOptions, and make the
750         function specific to the call in initializeDateTimeFormat. Properly
751         throw when the options parameter is null.
752         Add toLocaleString in builtin JavaScript, with its own specific branch
753         of toDateTimeOptions.
754
755         * CMakeLists.txt:
756         * DerivedSources.make:
757         * JavaScriptCore.xcodeproj/project.pbxproj:
758         * builtins/DatePrototype.js: Added.
759         (toLocaleString.toDateTimeOptionsAnyAll):
760         (toLocaleString):
761         * runtime/CommonIdentifiers.h:
762         * runtime/DatePrototype.cpp:
763         (JSC::DatePrototype::finishCreation):
764         * runtime/DatePrototype.h:
765         * runtime/IntlDateTimeFormat.cpp:
766         (JSC::toDateTimeOptionsAnyDate):
767         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
768         (JSC::toDateTimeOptions): Deleted.
769         * runtime/JSGlobalObject.cpp:
770         (JSC::JSGlobalObject::init):
771
772 2016-01-15  Konstantin Tokarev  <annulen@yandex.ru>
773
774         [mips] Implemented emitFunctionPrologue/Epilogue
775         https://bugs.webkit.org/show_bug.cgi?id=152947
776
777         Reviewed by Michael Saboff.
778
779         * assembler/MacroAssemblerMIPS.h:
780         (JSC::MacroAssemblerMIPS::popPair):
781         (JSC::MacroAssemblerMIPS::pushPair):
782         * jit/AssemblyHelpers.h:
783         (JSC::AssemblyHelpers::emitFunctionPrologue):
784         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
785         (JSC::AssemblyHelpers::emitFunctionEpilogue):
786
787 2016-01-15  Commit Queue  <commit-queue@webkit.org>
788
789         Unreviewed, rolling out r195084.
790         https://bugs.webkit.org/show_bug.cgi?id=153132
791
792         Broke Production build (Requested by ap on #webkit).
793
794         Reverted changeset:
795
796         "Air needs a Shuffle instruction"
797         https://bugs.webkit.org/show_bug.cgi?id=152952
798         http://trac.webkit.org/changeset/195084
799
800 2016-01-15  Julien Brianceau  <jbriance@cisco.com>
801
802         [mips] Add countLeadingZeros32 implementation in macro assembler
803         https://bugs.webkit.org/show_bug.cgi?id=152886
804
805         Reviewed by Michael Saboff.
806
807         * assembler/MIPSAssembler.h:
808         (JSC::MIPSAssembler::lui):
809         (JSC::MIPSAssembler::clz):
810         (JSC::MIPSAssembler::addiu):
811         * assembler/MacroAssemblerMIPS.h:
812         (JSC::MacroAssemblerMIPS::and32):
813         (JSC::MacroAssemblerMIPS::countLeadingZeros32):
814         (JSC::MacroAssemblerMIPS::lshift32):
815
816 2016-01-14  Filip Pizlo  <fpizlo@apple.com>
817
818         Air needs a Shuffle instruction
819         https://bugs.webkit.org/show_bug.cgi?id=152952
820
821         Reviewed by Saam Barati.
822
823         This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
824         multiple moves to perform arbitrary permutations over registers and memory. We call these
825         rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
826         c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
827         use immediates as their source.
828
829         Shuffle is added as a custom instruction, since it has a variable number of arguments. It
830         takes any number of triplets of arguments, where each triplet describes one mapping of the
831         shuffle. For example, to represent (a => b, b => c), we might say:
832
833             Shuffle %a, %b, 64, %b, %c, 64
834
835         Note the "64"s, those are width arguments that describe how many bits of the register are
836         being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
837         most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
838         of the pairs in the example). For GP arguments, the width follows ZDef semantics.
839
840         In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
841         how to use it:
842
843         - C calling convention argument marshalling. Previously we used move instructions. But that's
844           problematic since it introduces artificial interference between the argument registers and
845           the inputs. Using Shuffle removes that interference. This helps a bit.
846
847         - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
848           a cold path, then we want it to appear to the register allocator like it doesn't clobber
849           any registers. Only after register allocation should we handle the clobbering by simply
850           saving all of the live volatile registers to the stack. If you imagine the saving and the
851           argument marshalling, you can see how before the call, we want to have a Shuffle that does
852           both of those things. This is important. If argument marshalling was separate from the
853           saving, then we'd still appear to clobber argument registers. Doing them together as one
854           Shuffle means that the cold call doesn't appear to even clobber the argument registers.
855
856         Unfortunately, I was wrong about cold C calls being the dominant problem with our register
857         allocator right now. Fixing this revealed other problems in my current tuning benchmark,
858         Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
859         functionality we will need to implement other optimizations.
860
861         * CMakeLists.txt:
862         * JavaScriptCore.xcodeproj/project.pbxproj:
863         * assembler/AbstractMacroAssembler.h:
864         (JSC::isX86_64):
865         (JSC::isIOS):
866         (JSC::optimizeForARMv7IDIVSupported):
867         * assembler/MacroAssemblerX86Common.h:
868         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
869         (JSC::MacroAssemblerX86Common::swap32):
870         (JSC::MacroAssemblerX86Common::moveConditionally32):
871         * assembler/MacroAssemblerX86_64.h:
872         (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
873         (JSC::MacroAssemblerX86_64::swap64):
874         (JSC::MacroAssemblerX86_64::move64ToDouble):
875         * assembler/X86Assembler.h:
876         (JSC::X86Assembler::xchgl_rr):
877         (JSC::X86Assembler::xchgl_rm):
878         (JSC::X86Assembler::xchgq_rr):
879         (JSC::X86Assembler::xchgq_rm):
880         (JSC::X86Assembler::movl_rr):
881         * b3/B3CCallValue.h:
882         * b3/B3Compilation.cpp:
883         (JSC::B3::Compilation::Compilation):
884         (JSC::B3::Compilation::~Compilation):
885         * b3/B3Compilation.h:
886         (JSC::B3::Compilation::code):
887         * b3/B3LowerToAir.cpp:
888         (JSC::B3::Air::LowerToAir::run):
889         (JSC::B3::Air::LowerToAir::createSelect):
890         (JSC::B3::Air::LowerToAir::lower):
891         (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
892         * b3/B3OpaqueByproducts.h:
893         (JSC::B3::OpaqueByproducts::count):
894         * b3/B3StackmapSpecial.cpp:
895         (JSC::B3::StackmapSpecial::isArgValidForValue):
896         (JSC::B3::StackmapSpecial::isArgValidForRep):
897         * b3/air/AirArg.cpp:
898         (JSC::B3::Air::Arg::isStackMemory):
899         (JSC::B3::Air::Arg::isRepresentableAs):
900         (JSC::B3::Air::Arg::usesTmp):
901         (JSC::B3::Air::Arg::canRepresent):
902         (JSC::B3::Air::Arg::isCompatibleType):
903         (JSC::B3::Air::Arg::dump):
904         (WTF::printInternal):
905         * b3/air/AirArg.h:
906         (JSC::B3::Air::Arg::forEachType):
907         (JSC::B3::Air::Arg::isWarmUse):
908         (JSC::B3::Air::Arg::cooled):
909         (JSC::B3::Air::Arg::isEarlyUse):
910         (JSC::B3::Air::Arg::imm64):
911         (JSC::B3::Air::Arg::immPtr):
912         (JSC::B3::Air::Arg::addr):
913         (JSC::B3::Air::Arg::special):
914         (JSC::B3::Air::Arg::widthArg):
915         (JSC::B3::Air::Arg::operator==):
916         (JSC::B3::Air::Arg::isImm64):
917         (JSC::B3::Air::Arg::isSomeImm):
918         (JSC::B3::Air::Arg::isAddr):
919         (JSC::B3::Air::Arg::isIndex):
920         (JSC::B3::Air::Arg::isMemory):
921         (JSC::B3::Air::Arg::isRelCond):
922         (JSC::B3::Air::Arg::isSpecial):
923         (JSC::B3::Air::Arg::isWidthArg):
924         (JSC::B3::Air::Arg::isAlive):
925         (JSC::B3::Air::Arg::base):
926         (JSC::B3::Air::Arg::hasOffset):
927         (JSC::B3::Air::Arg::offset):
928         (JSC::B3::Air::Arg::width):
929         (JSC::B3::Air::Arg::isGPTmp):
930         (JSC::B3::Air::Arg::isGP):
931         (JSC::B3::Air::Arg::isFP):
932         (JSC::B3::Air::Arg::isType):
933         (JSC::B3::Air::Arg::isGPR):
934         (JSC::B3::Air::Arg::isValidForm):
935         (JSC::B3::Air::Arg::forEachTmpFast):
936         * b3/air/AirBasicBlock.h:
937         (JSC::B3::Air::BasicBlock::insts):
938         (JSC::B3::Air::BasicBlock::appendInst):
939         (JSC::B3::Air::BasicBlock::append):
940         * b3/air/AirCCallingConvention.cpp: Added.
941         (JSC::B3::Air::computeCCallingConvention):
942         (JSC::B3::Air::cCallResult):
943         (JSC::B3::Air::buildCCall):
944         * b3/air/AirCCallingConvention.h: Added.
945         * b3/air/AirCode.h:
946         (JSC::B3::Air::Code::proc):
947         * b3/air/AirCustom.cpp: Added.
948         (JSC::B3::Air::CCallCustom::isValidForm):
949         (JSC::B3::Air::CCallCustom::generate):
950         (JSC::B3::Air::ShuffleCustom::isValidForm):
951         (JSC::B3::Air::ShuffleCustom::generate):
952         * b3/air/AirCustom.h:
953         (JSC::B3::Air::PatchCustom::forEachArg):
954         (JSC::B3::Air::PatchCustom::generate):
955         (JSC::B3::Air::CCallCustom::forEachArg):
956         (JSC::B3::Air::CCallCustom::isValidFormStatic):
957         (JSC::B3::Air::CCallCustom::admitsStack):
958         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
959         (JSC::B3::Air::ColdCCallCustom::forEachArg):
960         (JSC::B3::Air::ShuffleCustom::forEachArg):
961         (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
962         (JSC::B3::Air::ShuffleCustom::admitsStack):
963         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
964         * b3/air/AirEmitShuffle.cpp: Added.
965         (JSC::B3::Air::ShufflePair::dump):
966         (JSC::B3::Air::emitShuffle):
967         * b3/air/AirEmitShuffle.h: Added.
968         (JSC::B3::Air::ShufflePair::ShufflePair):
969         (JSC::B3::Air::ShufflePair::src):
970         (JSC::B3::Air::ShufflePair::dst):
971         (JSC::B3::Air::ShufflePair::width):
972         * b3/air/AirGenerate.cpp:
973         (JSC::B3::Air::prepareForGeneration):
974         * b3/air/AirGenerate.h:
975         * b3/air/AirInsertionSet.cpp:
976         (JSC::B3::Air::InsertionSet::insertInsts):
977         (JSC::B3::Air::InsertionSet::execute):
978         * b3/air/AirInsertionSet.h:
979         (JSC::B3::Air::InsertionSet::insertInst):
980         (JSC::B3::Air::InsertionSet::insert):
981         * b3/air/AirInst.h:
982         (JSC::B3::Air::Inst::operator bool):
983         (JSC::B3::Air::Inst::append):
984         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
985         (JSC::B3::Air::lowerAfterRegAlloc):
986         * b3/air/AirLowerAfterRegAlloc.h: Added.
987         * b3/air/AirLowerMacros.cpp: Added.
988         (JSC::B3::Air::lowerMacros):
989         * b3/air/AirLowerMacros.h: Added.
990         * b3/air/AirOpcode.opcodes:
991         * b3/air/AirRegisterPriority.h:
992         (JSC::B3::Air::regsInPriorityOrder):
993         * b3/air/testair.cpp: Added.
994         (hiddenTruthBecauseNoReturnIsStupid):
995         (usage):
996         (JSC::B3::Air::compile):
997         (JSC::B3::Air::invoke):
998         (JSC::B3::Air::compileAndRun):
999         (JSC::B3::Air::testSimple):
1000         (JSC::B3::Air::loadConstantImpl):
1001         (JSC::B3::Air::loadConstant):
1002         (JSC::B3::Air::loadDoubleConstant):
1003         (JSC::B3::Air::testShuffleSimpleSwap):
1004         (JSC::B3::Air::testShuffleSimpleShift):
1005         (JSC::B3::Air::testShuffleLongShift):
1006         (JSC::B3::Air::testShuffleLongShiftBackwards):
1007         (JSC::B3::Air::testShuffleSimpleRotate):
1008         (JSC::B3::Air::testShuffleSimpleBroadcast):
1009         (JSC::B3::Air::testShuffleBroadcastAllRegs):
1010         (JSC::B3::Air::testShuffleTreeShift):
1011         (JSC::B3::Air::testShuffleTreeShiftBackward):
1012         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
1013         (JSC::B3::Air::testShuffleMultipleShifts):
1014         (JSC::B3::Air::testShuffleRotateWithFringe):
1015         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1016         (JSC::B3::Air::testShuffleMultipleRotates):
1017         (JSC::B3::Air::testShuffleShiftAndRotate):
1018         (JSC::B3::Air::testShuffleShiftAllRegs):
1019         (JSC::B3::Air::testShuffleRotateAllRegs):
1020         (JSC::B3::Air::testShuffleSimpleSwap64):
1021         (JSC::B3::Air::testShuffleSimpleShift64):
1022         (JSC::B3::Air::testShuffleSwapMixedWidth):
1023         (JSC::B3::Air::testShuffleShiftMixedWidth):
1024         (JSC::B3::Air::testShuffleShiftMemory):
1025         (JSC::B3::Air::testShuffleShiftMemoryLong):
1026         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
1027         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
1028         (JSC::B3::Air::combineHiLo):
1029         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
1030         (JSC::B3::Air::testShuffleRotateMemory):
1031         (JSC::B3::Air::testShuffleRotateMemory64):
1032         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
1033         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
1034         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
1035         (JSC::B3::Air::testShuffleSwapDouble):
1036         (JSC::B3::Air::testShuffleShiftDouble):
1037         (JSC::B3::Air::run):
1038         (run):
1039         (main):
1040         * b3/testb3.cpp:
1041         (JSC::B3::testCallSimple):
1042         (JSC::B3::testCallRare):
1043         (JSC::B3::testCallRareLive):
1044         (JSC::B3::testCallSimplePure):
1045         (JSC::B3::run):
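
The shift and rotation decomposition described in this entry, as an added example that is not part of the ChangeLog or of JSC's own emitShuffle: it sequentializes a list of shuffle pairs into ordinary moves and swaps and checks the result against the simultaneous semantics. The register names, the "$N" spelling for immediate sources, and the zero-extension fix-up after a 64-bit swap are assumptions of the example; memory locations can be modelled as further named slots.

```cpp
// Sequentializing Air-style Shuffle pairs. Added illustration, not JSC's emitShuffle:
// names, the "$N" immediate spelling and the 32/64 width handling are assumptions.
#include <cstdint>
#include <map>
#include <string>
#include <vector>

struct ShufflePair {
    std::string src;  // register name, or "$N" for an immediate source
    std::string dst;  // register name
    unsigned width;   // 32 or 64; a 32-bit write zeroes the upper half (ZDef semantics)
};

struct Inst {
    enum Kind { Move, Swap } kind;
    std::string a, b;  // Move: a -> b.  Swap: exchange a and b.
    unsigned width;
};

using Machine = std::map<std::string, uint64_t>;

static bool isImm(const std::string& s) { return !s.empty() && s[0] == '$'; }

static uint64_t narrow(uint64_t v, unsigned width) { return width == 32 ? (v & 0xffffffffull) : v; }

static uint64_t readOperand(const Machine& m, const std::string& s)
{
    if (isImm(s))
        return std::stoull(s.substr(1));
    auto it = m.find(s);
    return it == m.end() ? 0 : it->second;
}

// Reference semantics of Shuffle: every source is read before any destination is written.
Machine applyParallel(Machine m, const std::vector<ShufflePair>& pairs)
{
    std::vector<uint64_t> values;
    for (const ShufflePair& p : pairs)
        values.push_back(narrow(readOperand(m, p.src), p.width));
    for (size_t i = 0; i < pairs.size(); ++i)
        m[pairs[i].dst] = values[i];
    return m;
}

// Executes the emitted sequence one instruction at a time.
Machine applySequential(Machine m, const std::vector<Inst>& insts)
{
    for (const Inst& inst : insts) {
        if (inst.kind == Inst::Move) {
            m[inst.b] = narrow(readOperand(m, inst.a), inst.width);
        } else {
            uint64_t a = readOperand(m, inst.a), b = readOperand(m, inst.b);
            m[inst.a] = narrow(b, inst.width);
            m[inst.b] = narrow(a, inst.width);
        }
    }
    return m;
}

// Turns simultaneous pairs (each destination listed once) into an ordered list of moves/swaps.
std::vector<Inst> emitShuffle(std::vector<ShufflePair> pending)
{
    std::vector<Inst> out;
    while (!pending.empty()) {
        // Shifts: a pair whose destination no *other* pending pair still reads can be moved now.
        // Emitting from the end of a chain (b => c before a => b) keeps every source intact.
        size_t leaf = pending.size();
        for (size_t i = 0; i < pending.size() && leaf == pending.size(); ++i) {
            bool stillRead = false;
            for (size_t j = 0; j < pending.size(); ++j)
                if (j != i && pending[j].src == pending[i].dst)
                    stillRead = true;
            if (!stillRead)
                leaf = i;
        }
        if (leaf != pending.size()) {
            out.push_back({Inst::Move, pending[leaf].src, pending[leaf].dst, pending[leaf].width});
            pending.erase(pending.begin() + leaf);
            continue;
        }
        // Only rotations remain: every destination is still some other pair's source. A 64-bit
        // swap completes one pair; the pair that wanted dst's old value now finds it in src.
        ShufflePair p = pending.front();
        pending.erase(pending.begin());
        out.push_back({Inst::Swap, p.src, p.dst, 64});
        if (p.width == 32)
            out.push_back({Inst::Move, p.dst, p.dst, 32}); // zero-extend, like movl %r, %r on x86
        for (ShufflePair& q : pending)
            if (q.src == p.dst)
                q.src = p.src;
    }
    return out;
}

// True when the emitted sequence reproduces the parallel semantics from the given start state.
bool checkShuffle(const std::vector<ShufflePair>& pairs, const Machine& initial)
{
    return applyParallel(initial, pairs) == applySequential(initial, emitShuffle(pairs));
}
```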
1046
1047 2016-01-14  Keith Miller  <keith_miller@apple.com>
1048
1049         Unreviewed, mark passing es6 tests as no longer failing.
1050
1051         * tests/es6.yaml:
1052
1053 2016-01-14  Keith Miller  <keith_miller@apple.com>
1054
1055         [ES6] Support subclassing Function.
1056         https://bugs.webkit.org/show_bug.cgi?id=153081
1057
1058         Reviewed by Geoffrey Garen.
1059
1060         This patch enables subclassing the Function object. It also fixes an existing
1061         bug that prevented users from subclassing functions that have a function in
1062         the superclass's prototype property.
1063
1064         * bytecompiler/NodesCodegen.cpp:
1065         (JSC::ClassExprNode::emitBytecode):
1066         * runtime/FunctionConstructor.cpp:
1067         (JSC::constructWithFunctionConstructor):
1068         (JSC::constructFunction):
1069         (JSC::constructFunctionSkippingEvalEnabledCheck):
1070         * runtime/FunctionConstructor.h:
1071         * runtime/JSFunction.cpp:
1072         (JSC::JSFunction::create):
1073         * runtime/JSFunction.h:
1074         (JSC::JSFunction::createImpl):
1075         * runtime/JSFunctionInlines.h:
1076         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1077         (JSC::JSFunction::JSFunction): Deleted.
1078         * tests/stress/class-subclassing-function.js: Added.
1079
1080 2016-01-13  Carlos Garcia Campos  <cgarcia@igalia.com>
1081
1082         [CMake] Do not use LLVM static libraries for FTL JIT
1083         https://bugs.webkit.org/show_bug.cgi?id=151559
1084
1085         Reviewed by Michael Catanzaro.
1086
1087         Allow ports to decide whether to prefer linking to llvm static or
1088         dynamic libraries. This patch only changes the behavior of the GTK
1089         port; other ports can change the default behavior by setting
1090         llvmForJSC_LIBRARIES in their platform specific cmake files.
1091
1092         * CMakeLists.txt: Move llvmForJSC library definition after the
1093         WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS, to allow platform specific
1094         files to set their own llvmForJSC_LIBRARIES. When not set, it
1095         defaults to LLVM_STATIC_LIBRARIES. The command to create
1096         WebKitLLVMLibraryToken.h no longer depends on the static
1097         libraries, since we are going to make the build fail anyway when
1098         not found in case of linking to the static libraries. If a platform
1099         specific file defines llvmForJSC_INSTALL_DIR, llvmForJSC is also
1100         installed to the given destination.
1101         * PlatformGTK.cmake: Set llvmForJSC_LIBRARIES and
1102         llvmForJSC_INSTALL_DIR.
1103
1104 2016-01-13  Saam barati  <sbarati@apple.com>
1105
1106         NativeExecutable should have a name field
1107         https://bugs.webkit.org/show_bug.cgi?id=153083
1108
1109         Reviewed by Geoffrey Garen.
1110
1111         This is going to help the SamplingProfiler come up
1112         with names for NativeExecutable objects it encounters.
1113
1114         * jit/JITThunks.cpp:
1115         (JSC::JITThunks::finalize):
1116         (JSC::JITThunks::hostFunctionStub):
1117         * jit/JITThunks.h:
1118         * runtime/Executable.h:
1119         * runtime/JSBoundFunction.cpp:
1120         (JSC::JSBoundFunction::create):
1121         * runtime/JSFunction.cpp:
1122         (JSC::JSFunction::create):
1123         (JSC::JSFunction::lookUpOrCreateNativeExecutable):
1124         * runtime/JSFunction.h:
1125         (JSC::JSFunction::createImpl):
1126         * runtime/JSNativeStdFunction.cpp:
1127         (JSC::JSNativeStdFunction::create):
1128         * runtime/VM.cpp:
1129         (JSC::thunkGeneratorForIntrinsic):
1130         (JSC::VM::getHostFunction):
1131         * runtime/VM.h:
1132         (JSC::VM::getCTIStub):
1133         (JSC::VM::exceptionOffset):
1134
1135 2016-01-13  Keith Miller  <keith_miller@apple.com>
1136
1137         [ES6] Support subclassing the String builtin object
1138         https://bugs.webkit.org/show_bug.cgi?id=153068
1139
1140         Reviewed by Michael Saboff.
1141
1142         This patch adds subclassing of strings. Also, this patch fixes a bug where we could have
1143         the wrong indexing type for builtins constructed without storage.
1144
1145         * runtime/PrototypeMap.cpp:
1146         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1147         * runtime/StringConstructor.cpp:
1148         (JSC::constructWithStringConstructor):
1149         * tests/stress/class-subclassing-string.js: Added.
1150         (test):
1151
1152 2016-01-13  Mark Lam  <mark.lam@apple.com>
1153
1154         The StringFromCharCode DFG intrinsic should support untyped operands.
1155         https://bugs.webkit.org/show_bug.cgi?id=153046
1156
1157         Reviewed by Geoffrey Garen.
1158
1159         The current StringFromCharCode DFG intrinsic assumes that its operand charCode
1160         must be an Int32.  This results in 26000+ BadType OSR exits in the LongSpider
1161         crypto-aes benchmark.  With support for Untyped operands, the number of OSR
1162         exits drops to 202.
1163
1164         * dfg/DFGClobberize.h:
1165         (JSC::DFG::clobberize):
1166         * dfg/DFGFixupPhase.cpp:
1167         (JSC::DFG::FixupPhase::fixupNode):
1168         * dfg/DFGOperations.cpp:
1169         * dfg/DFGOperations.h:
1170         * dfg/DFGSpeculativeJIT.cpp:
1171         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1172         * dfg/DFGSpeculativeJIT.h:
1173         (JSC::DFG::SpeculativeJIT::callOperation):
1174         * dfg/DFGValidate.cpp:
1175         (JSC::DFG::Validate::validate):
1176         * runtime/JSCJSValueInlines.h:
1177         (JSC::JSValue::toUInt32):
1178
1179 2016-01-13  Mark Lam  <mark.lam@apple.com>
1180
1181         Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently.
1182         https://bugs.webkit.org/show_bug.cgi?id=153080
1183
1184         Reviewed by Geoffrey Garen.
1185
1186         We currently have Graph::mulShouldSpeculateInt32/machineInt() and
1187         Graph::negateShouldSpeculateInt32/MachineInt() functions which are only used by
1188         the ArithMul and ArithNegate nodes.  However, the same tests need to be done for
1189         many other arith nodes in the DFG.  This patch renames these functions as
1190         Graph::binaryArithShouldSpeculateInt32/machineInt() and
1191         Graph::unaryArithShouldSpeculateInt32/MachineInt(), and uses them consistently
1192         in the DFG.
1193
1194         * dfg/DFGFixupPhase.cpp:
1195         (JSC::DFG::FixupPhase::fixupNode):
1196         * dfg/DFGGraph.h:
1197         (JSC::DFG::Graph::addShouldSpeculateMachineInt):
1198         (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
1199         (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt):
1200         (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
1201         (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt):
1202         (JSC::DFG::Graph::mulShouldSpeculateInt32): Deleted.
1203         (JSC::DFG::Graph::mulShouldSpeculateMachineInt): Deleted.
1204         (JSC::DFG::Graph::negateShouldSpeculateInt32): Deleted.
1205         (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
1206         * dfg/DFGPredictionPropagationPhase.cpp:
1207         (JSC::DFG::PredictionPropagationPhase::propagate):
1208         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1209
1210 2016-01-13  Joseph Pecoraro  <pecoraro@apple.com>
1211
1212         Web Inspector: Inspector should use the last sourceURL / sourceMappingURL directive
1213         https://bugs.webkit.org/show_bug.cgi?id=153072
1214         <rdar://problem/24168312>
1215
1216         Reviewed by Timothy Hatcher.
1217
1218         * parser/Lexer.cpp:
1219         (JSC::Lexer<T>::parseCommentDirective):
1220         Just keep overwriting the member variable so we end up with
1221         the last directive value.
1222
1223 2016-01-13  Commit Queue  <commit-queue@webkit.org>
1224
1225         Unreviewed, rolling out r194969.
1226         https://bugs.webkit.org/show_bug.cgi?id=153075
1227
1228         This change broke the iOS build (Requested by ryanhaddad on
1229         #webkit).
1230
1231         Reverted changeset:
1232
1233         "[JSC] Legalize Memory Offsets for ARM64 before lowering to
1234         Air"
1235         https://bugs.webkit.org/show_bug.cgi?id=153065
1236         http://trac.webkit.org/changeset/194969
1237
1238 2016-01-13  Benjamin Poulain  <bpoulain@apple.com>
1239
1240         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
1241         https://bugs.webkit.org/show_bug.cgi?id=153065
1242
1243         Reviewed by Mark Lam.
1244         Reviewed by Filip Pizlo.
1245
1246         On ARM64, we cannot use a signed 32-bit offset for memory addressing.
1247         There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
1248         Air already knows about it.
1249
1250         In this patch, the offsets are changed to something valid for ARM64
1251         prior to lowering. When an offset is invalid, it is just computed
1252         before the instruction and used as the base for addressing.
1253
1254         * JavaScriptCore.xcodeproj/project.pbxproj:
1255         * b3/B3Generate.cpp:
1256         (JSC::B3::generateToAir):
1257         * b3/B3LegalizeMemoryOffsets.cpp: Added.
1258         (JSC::B3::legalizeMemoryOffsets):
1259         * b3/B3LegalizeMemoryOffsets.h: Added.
1260         * b3/B3LowerToAir.cpp:
1261         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1262         * b3/testb3.cpp:
1263         (JSC::B3::testLoadWithOffsetImpl):
1264         (JSC::B3::testLoadOffsetImm9Max):
1265         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
1266         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
1267         (JSC::B3::testLoadOffsetImm9Min):
1268         (JSC::B3::testLoadOffsetImm9MinMinusOne):
1269         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
1270         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
1271         (JSC::B3::run):
1272
1273 2016-01-12  Per Arne Vollan  <peavo@outlook.com>
1274
1275         [FTL][Win64] Compile error.
1276         https://bugs.webkit.org/show_bug.cgi?id=153031
1277
1278         Reviewed by Brent Fulgham.
1279
1280         The header file dlfcn.h does not exist on Windows.
1281
1282         * ftl/FTLLowerDFGToLLVM.cpp:
1283
1284 2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>
1285
1286         Add a build flag for custom element
1287         https://bugs.webkit.org/show_bug.cgi?id=153005
1288
1289         Reviewed by Alex Christensen.
1290
1291         * Configurations/FeatureDefines.xcconfig:
1292
1293 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
1294
1295         [JSC] Remove some invalid immediate instruction forms from ARM64 Air
1296         https://bugs.webkit.org/show_bug.cgi?id=153024
1297
1298         Reviewed by Michael Saboff.
1299
1300         * b3/B3BasicBlock.h:
1301         Export the symbols for testb3.
1302
1303         * b3/air/AirOpcode.opcodes:
1304         We had 2 invalid opcodes:
1305         - Compare with immediate just does not exist.
1306         - Test64 with immediate exists but Air does not recognize
1307           the valid form of bit-immediates.
1308
1309         * b3/testb3.cpp:
1310         (JSC::B3::genericTestCompare):
1311         (JSC::B3::testCompareImpl):
1312         Extend the tests to cover what was invalid.
1313
1314 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
1315
1316         [JSC] JSC does not build with FTL_USES_B3 on ARM64
1317         https://bugs.webkit.org/show_bug.cgi?id=153011
1318
1319         Reviewed by Saam Barati.
1320
1321         Apparently the static const member can only be used for constexpr.
1322         C++ is weird.
1323
1324         * jit/GPRInfo.cpp:
1325         * jit/GPRInfo.h:
1326
1327 2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>
1328
1329         Web Inspector: console.count() shouldn't show a colon in front of a number
1330         https://bugs.webkit.org/show_bug.cgi?id=152038
1331
1332         Reviewed by Brian Burg.
1333
1334         * inspector/agents/InspectorConsoleAgent.cpp:
1335         (Inspector::InspectorConsoleAgent::count):
1336         Do not include title and colon if the title is empty.
1337
1338 2016-01-11  Dan Bernstein  <mitz@apple.com>
1339
1340         Reverted r194317.
1341
1342         Reviewed by Joseph Pecoraro.
1343
1344         r194317 did not contain a change log entry, did not explain the motivation, did not name a
1345         reviewer, and does not seem necessary.
1346
1347         * JavaScriptCore.xcodeproj/project.pbxproj:
1348
1349 2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>
1350
1351         keywords ("super", "delete", etc) should be valid method names
1352         https://bugs.webkit.org/show_bug.cgi?id=144281
1353
1354         Reviewed by Ryosuke Niwa.
1355
1356         * parser/Parser.cpp:
1357         (JSC::Parser<LexerType>::parseClass):
1358         - When parsing "static(" treat it as a method named "static" and not a static method.
1359         - When parsing a keyword treat it like a string method name (get and set are not keywords)
1360         - When parsing a getter / setter method name identifier, allow lookahead to be a keyword
1361
1362         (JSC::Parser<LexerType>::parseGetterSetter):
1363         - When parsing the getter / setter's name, allow it to be a keyword.
1364
1365 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
1366
1367         [JSC] Add Div/Mod and fix Mul for B3 ARM64
1368         https://bugs.webkit.org/show_bug.cgi?id=152978
1369
1370         Reviewed by Filip Pizlo.
1371
1372         Add the 3-operand forms of Mul.
1373         Remove the form taking an immediate on ARM64; there is no such instruction.
1374
1375         Add Div with sdiv.
1376
1377         Unfortunately, I discovered ChillMod's division by zero
1378         makes it non-trivial on ARM64. I just made it into a macro like on x86.
1379
1380         * assembler/MacroAssemblerARM64.h:
1381         (JSC::MacroAssemblerARM64::mul32):
1382         (JSC::MacroAssemblerARM64::mul64):
1383         (JSC::MacroAssemblerARM64::div32):
1384         (JSC::MacroAssemblerARM64::div64):
1385         * b3/B3LowerMacros.cpp:
1386         * b3/B3LowerToAir.cpp:
1387         (JSC::B3::Air::LowerToAir::lower):
1388         * b3/air/AirOpcode.opcodes:
1389
1390 2016-01-11  Keith Miller  <keith_miller@apple.com>
1391
1392         Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
1393         https://bugs.webkit.org/show_bug.cgi?id=152949
1394
1395         Reviewed by Michael Saboff.
1396
1397         This patch updates Array constructors to use the new InternalFunctionAllocationProfile.
1398
1399         * runtime/ArrayConstructor.cpp:
1400         (JSC::constructArrayWithSizeQuirk):
1401         (JSC::constructWithArrayConstructor):
1402         * runtime/InternalFunction.h:
1403         (JSC::InternalFunction::createStructure):
1404         * runtime/JSGlobalObject.h:
1405         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
1406         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
1407         (JSC::constructEmptyArray):
1408         (JSC::constructArray):
1409         (JSC::constructArrayNegativeIndexed):
1410         * runtime/PrototypeMap.cpp:
1411         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1412         * runtime/Structure.h:
1413         * runtime/StructureInlines.h:
1414
1415 2016-01-08  Keith Miller  <keith_miller@apple.com>
1416
1417         Use a profile to store allocation structures for subclasses of InternalFunctions
1418         https://bugs.webkit.org/show_bug.cgi?id=152942
1419
1420         Reviewed by Michael Saboff.
1421
1422         This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
1423         a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
1424         InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
1425         constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
1426         constructor as a new.target to any other constructor. This means that a user can pass some
1427         non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
1428         new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
1429         need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
1430         current constructor. By using different profiles, we only need to check the profile in InternalFunctions
1431         as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
1432         low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.
1433
1434         Additionally, this patch adds subclassing to some omitted classes.
1435
1436         * API/JSObjectRef.cpp:
1437         (JSObjectMakeDate):
1438         (JSObjectMakeRegExp):
1439         * JavaScriptCore.xcodeproj/project.pbxproj:
1440         * bytecode/InternalFunctionAllocationProfile.h: Added.
1441         (JSC::InternalFunctionAllocationProfile::structure):
1442         (JSC::InternalFunctionAllocationProfile::clear):
1443         (JSC::InternalFunctionAllocationProfile::visitAggregate):
1444         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
1445         * dfg/DFGByteCodeParser.cpp:
1446         (JSC::DFG::ByteCodeParser::parseBlock):
1447         * dfg/DFGOperations.cpp:
1448         * dfg/DFGSpeculativeJIT32_64.cpp:
1449         (JSC::DFG::SpeculativeJIT::compile):
1450         * dfg/DFGSpeculativeJIT64.cpp:
1451         (JSC::DFG::SpeculativeJIT::compile):
1452         * jit/JITOpcodes.cpp:
1453         (JSC::JIT::emit_op_create_this):
1454         * jit/JITOpcodes32_64.cpp:
1455         (JSC::JIT::emit_op_create_this):
1456         * llint/LowLevelInterpreter32_64.asm:
1457         * llint/LowLevelInterpreter64.asm:
1458         * runtime/BooleanConstructor.cpp:
1459         (JSC::constructWithBooleanConstructor):
1460         * runtime/CommonSlowPaths.cpp:
1461         (JSC::SLOW_PATH_DECL):
1462         * runtime/DateConstructor.cpp:
1463         (JSC::constructDate):
1464         (JSC::constructWithDateConstructor):
1465         * runtime/DateConstructor.h:
1466         * runtime/ErrorConstructor.cpp:
1467         (JSC::Interpreter::constructWithErrorConstructor):
1468         * runtime/FunctionRareData.cpp:
1469         (JSC::FunctionRareData::create):
1470         (JSC::FunctionRareData::visitChildren):
1471         (JSC::FunctionRareData::FunctionRareData):
1472         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1473         (JSC::FunctionRareData::clear):
1474         (JSC::FunctionRareData::finishCreation): Deleted.
1475         (JSC::FunctionRareData::initialize): Deleted.
1476         * runtime/FunctionRareData.h:
1477         (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
1478         (JSC::FunctionRareData::objectAllocationProfile):
1479         (JSC::FunctionRareData::objectAllocationStructure):
1480         (JSC::FunctionRareData::allocationProfileWatchpointSet):
1481         (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
1482         (JSC::FunctionRareData::internalFunctionAllocationStructure):
1483         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
1484         (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
1485         (JSC::FunctionRareData::allocationProfile): Deleted.
1486         (JSC::FunctionRareData::allocationStructure): Deleted.
1487         (JSC::FunctionRareData::isInitialized): Deleted.
1488         * runtime/InternalFunction.cpp:
1489         (JSC::InternalFunction::createSubclassStructure):
1490         * runtime/InternalFunction.h:
1491         * runtime/JSArrayBufferConstructor.cpp:
1492         (JSC::constructArrayBuffer):
1493         * runtime/JSFunction.cpp:
1494         (JSC::JSFunction::allocateRareData):
1495         (JSC::JSFunction::allocateAndInitializeRareData):
1496         (JSC::JSFunction::initializeRareData):
1497         * runtime/JSFunction.h:
1498         (JSC::JSFunction::rareData):
1499         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1500         (JSC::constructGenericTypedArrayView):
1501         * runtime/JSObject.h:
1502         (JSC::JSFinalObject::typeInfo):
1503         (JSC::JSFinalObject::createStructure):
1504         * runtime/JSPromiseConstructor.cpp:
1505         (JSC::constructPromise):
1506         * runtime/JSPromiseConstructor.h:
1507         * runtime/JSWeakMap.cpp:
1508         * runtime/JSWeakSet.cpp:
1509         * runtime/MapConstructor.cpp:
1510         (JSC::constructMap):
1511         * runtime/NativeErrorConstructor.cpp:
1512         (JSC::Interpreter::constructWithNativeErrorConstructor):
1513         * runtime/NumberConstructor.cpp:
1514         (JSC::constructWithNumberConstructor):
1515         * runtime/PrototypeMap.cpp:
1516         (JSC::PrototypeMap::createEmptyStructure):
1517         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1518         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
1519         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
1520         * runtime/PrototypeMap.h:
1521         * runtime/RegExpConstructor.cpp:
1522         (JSC::getRegExpStructure):
1523         (JSC::constructRegExp):
1524         (JSC::constructWithRegExpConstructor):
1525         * runtime/RegExpConstructor.h:
1526         * runtime/SetConstructor.cpp:
1527         (JSC::constructSet):
1528         * runtime/WeakMapConstructor.cpp:
1529         (JSC::constructWeakMap):
1530         * runtime/WeakSetConstructor.cpp:
1531         (JSC::constructWeakSet):
1532         * tests/stress/class-subclassing-misc.js:
1533         (A):
1534         (D):
1535         (E):
1536         (WM):
1537         (WS):
1538         (test):
1539         * tests/stress/class-subclassing-typedarray.js: Added.
1540         (test):
1541
1542 2016-01-11  Per Arne Vollan  <peavo@outlook.com>
1543
1544         [B3][Win64] Compile error.
1545         https://bugs.webkit.org/show_bug.cgi?id=152984
1546
1547         Reviewed by Alex Christensen.
1548
1549         Windows does not have bzero, use memset instead.
1550
1551         * b3/air/AirIteratedRegisterCoalescing.cpp:
1552
1553 2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>
1554
1555         Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
1556         https://bugs.webkit.org/show_bug.cgi?id=152923
1557
1558         Reviewed by Alex Christensen.
1559
1560         * jit/CallFrameShuffler.h:
1561         (JSC::CallFrameShuffler::assumeCalleeIsCell):
1562
1563 2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>
1564
1565         [B3] Fix control reaches end of non-void function GCC warnings on Linux
1566         https://bugs.webkit.org/show_bug.cgi?id=152887
1567
1568         Reviewed by Mark Lam.
1569
1570         * b3/B3LowerToAir.cpp:
1571         (JSC::B3::Air::LowerToAir::createBranch):
1572         (JSC::B3::Air::LowerToAir::createCompare):
1573         (JSC::B3::Air::LowerToAir::createSelect):
1574         * b3/B3Type.h:
1575         (JSC::B3::sizeofType):
1576         * b3/air/AirArg.cpp:
1577         (JSC::B3::Air::Arg::isRepresentableAs):
1578         * b3/air/AirArg.h:
1579         (JSC::B3::Air::Arg::isAnyUse):
1580         (JSC::B3::Air::Arg::isColdUse):
1581         (JSC::B3::Air::Arg::isEarlyUse):
1582         (JSC::B3::Air::Arg::isLateUse):
1583         (JSC::B3::Air::Arg::isAnyDef):
1584         (JSC::B3::Air::Arg::isEarlyDef):
1585         (JSC::B3::Air::Arg::isLateDef):
1586         (JSC::B3::Air::Arg::isZDef):
1587         (JSC::B3::Air::Arg::widthForB3Type):
1588         (JSC::B3::Air::Arg::isGP):
1589         (JSC::B3::Air::Arg::isFP):
1590         (JSC::B3::Air::Arg::isType):
1591         (JSC::B3::Air::Arg::isValidForm):
1592         * b3/air/AirCode.h:
1593         (JSC::B3::Air::Code::newTmp):
1594         (JSC::B3::Air::Code::numTmps):
1595
1596 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
1597
1598         Make it easier to introduce exotic instructions to Air
1599         https://bugs.webkit.org/show_bug.cgi?id=152953
1600
1601         Reviewed by Benjamin Poulain.
1602
1603         Currently, you can define new "opcodes" in Air using either:
1604
1605         1) New opcode declared in AirOpcode.opcodes.
1606         2) Patch opcode with a new implementation of Air::Special.
1607
1608         With (1), you are limited to fixed-argument-length instructions. There are other
1609         restrictions as well, like that you can only use the roles that the AirOpcode syntax
1610         supports.
1611
1612         With (2), you can do anything you like, but the instruction will be harder to match
1613         since it will share the same opcode as any other Patch. Also, the instruction will have
1614         the Special argument, which means more busy-work when creating the instruction and
1615         validating it.
1616
1617         This introduces an in-between facility called "custom". This replaces what AirOpcode
1618         previously called "special". A custom instruction is one whose behavior is defined by a
1619         FooCustom struct with some static methods. Calls to those methods are emitted by
1620         opcode_generator.rb.
1621
1622         The "custom" facility is powerful enough to be used to implement Patch, with the caveat
1623         that we now treat the Patch instruction specially in a few places. Those places were
1624         already effectively treating it specially by assuming that only Patch instructions have
1625         a Special as their first argument.
1626
1627         This will let me implement the Shuffle instruction (bug 152952), which I think is needed
1628         for performance work.
1629
1630         * JavaScriptCore.xcodeproj/project.pbxproj:
1631         * b3/air/AirCustom.h: Added.
1632         (JSC::B3::Air::PatchCustom::forEachArg):
1633         (JSC::B3::Air::PatchCustom::isValidFormStatic):
1634         (JSC::B3::Air::PatchCustom::isValidForm):
1635         (JSC::B3::Air::PatchCustom::admitsStack):
1636         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
1637         (JSC::B3::Air::PatchCustom::generate):
1638         * b3/air/AirHandleCalleeSaves.cpp:
1639         (JSC::B3::Air::handleCalleeSaves):
1640         * b3/air/AirInst.h:
1641         * b3/air/AirInstInlines.h:
1642         (JSC::B3::Air::Inst::forEach):
1643         (JSC::B3::Air::Inst::extraClobberedRegs):
1644         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
1645         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
1646         (JSC::B3::Air::Inst::reportUsedRegisters):
1647         (JSC::B3::Air::Inst::hasSpecial): Deleted.
1648         * b3/air/AirOpcode.opcodes:
1649         * b3/air/AirReportUsedRegisters.cpp:
1650         (JSC::B3::Air::reportUsedRegisters):
1651         * b3/air/opcode_generator.rb:
1652
1653 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
1654
1655         Turn Check(true) into Patchpoint() followed by Oops
1656         https://bugs.webkit.org/show_bug.cgi?id=152968
1657
1658         Reviewed by Benjamin Poulain.
1659
1660         This is an obvious strength reduction to have, especially since if we discover that the
1661         input to the Check is true after some amount of B3 optimization, then stubbing out the rest
1662         of the basic block unlocks CFG simplification opportunities.
1663
1664         It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
1665         implement sinking (bug 152162).
1666
1667         * b3/B3ControlValue.cpp:
1668         (JSC::B3::ControlValue::convertToJump):
1669         (JSC::B3::ControlValue::convertToOops):
1670         (JSC::B3::ControlValue::dumpMeta):
1671         * b3/B3ControlValue.h:
1672         * b3/B3InsertionSet.h:
1673         (JSC::B3::InsertionSet::insertValue):
1674         * b3/B3InsertionSetInlines.h:
1675         (JSC::B3::InsertionSet::insert):
1676         * b3/B3ReduceStrength.cpp:
1677         * b3/B3StackmapValue.h:
1678         * b3/B3Value.h:
1679         * tests/stress/ftl-force-osr-exit.js: Added.
1680
1681 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
1682
1683         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
1684         https://bugs.webkit.org/show_bug.cgi?id=152840
1685
1686         Reviewed by Mark Lam.
1687
1688         ARM64 has two kinds of addressing with immediates:
1689         - Signed 9-bit direct (really only -256 to 255).
1690         - Unsigned 12-bit scaled by the load/store size.
1691
1692         When resolving the stack addresses, we easily run
1693         past -256 bytes from FP. Addressing from SP gives us more
1694         room to address the stack efficiently because we can
1695         use unsigned immediates.
1696
1697         * b3/B3StackmapSpecial.cpp:
1698         (JSC::B3::StackmapSpecial::repForArg):
1699         * b3/air/AirAllocateStack.cpp:
1700         (JSC::B3::Air::allocateStack):
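
        The entry above describes the two ARM64 immediate addressing forms and why SP-relative addressing leaves more room than FP-relative addressing. The following is an added, stand-alone C++ illustration, not WebKit code: classifyArm64Offset and resolveStackSlot are hypothetical names, and the assumed frame layout (locals at negative FP offsets, SP == FP - frameSize) is a simplification chosen for the demo.

```cpp
#include <cstdint>

// Added illustration (not WebKit code) of the two ARM64 load/store immediate
// forms the ChangeLog entry describes:
//   - signed 9-bit unscaled offset: -256 .. 255 bytes, any alignment
//   - unsigned 12-bit scaled offset: 0 .. 4095 * accessSize, a multiple of accessSize
enum class Arm64OffsetForm { Scaled12, Unscaled9, NotEncodable };

// Decide which immediate form (if any) can encode byteOffset for an access of
// accessSize bytes. The scaled form is preferred when it applies, since it
// reaches much farther than the 9-bit signed range.
Arm64OffsetForm classifyArm64Offset(int64_t byteOffset, unsigned accessSize)
{
    if (byteOffset >= 0 && byteOffset % accessSize == 0
        && byteOffset / accessSize <= 4095)
        return Arm64OffsetForm::Scaled12;
    if (byteOffset >= -256 && byteOffset <= 255)
        return Arm64OffsetForm::Unscaled9;
    return Arm64OffsetForm::NotEncodable;
}

// Result of resolving a stack slot to a base register plus an immediate.
struct ResolvedStackSlot {
    bool fromSP;            // false: FP-relative, true: SP-relative
    int64_t offset;         // immediate relative to the chosen base register
    Arm64OffsetForm form;   // NotEncodable if neither base works
};

// Assumed (hypothetical) frame layout: locals live at negative offsets from FP,
// and SP == FP - frameSize, so spOffset = fpOffset + frameSize.
// Prefer FP addressing; fall back to SP when the FP offset is not encodable,
// which is the policy the ChangeLog entry describes.
ResolvedStackSlot resolveStackSlot(int64_t fpOffset, int64_t frameSize, unsigned accessSize)
{
    Arm64OffsetForm fpForm = classifyArm64Offset(fpOffset, accessSize);
    if (fpForm != Arm64OffsetForm::NotEncodable)
        return { false, fpOffset, fpForm };

    int64_t spOffset = fpOffset + frameSize;
    Arm64OffsetForm spForm = classifyArm64Offset(spOffset, accessSize);
    return { true, spOffset, spForm };
}
```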
1701
1702 2016-01-10  Saam barati  <sbarati@apple.com>
1703
1704         Implement a sampling profiler
1705         https://bugs.webkit.org/show_bug.cgi?id=151713
1706
1707         Reviewed by Filip Pizlo.
1708
1709         This patch implements a sampling profiler for JavaScriptCore
1710         that will be used in the Inspector UI. The implementation works as follows:
1711         We queue the sampling profiler to run a task on a background
1712         thread every 1ms. When the queued task executes, the sampling profiler
1713         will pause the JSC execution thread and attempt to take a stack trace.
1714         The sampling profiler does everything it can to be very careful
1715         while taking this stack trace. Because it's reading arbitrary memory,
1716         the sampling profiler must validate every pointer it reads from.
1717
1718         The sampling profiler tries to get an ExecutableBase for every call frame
1719         it reads. It first tries to read the CodeBlock slot. It does this because
1720         it can be 100% certain that a pointer is a CodeBlock while it's taking a
1721         stack trace. But, not every call frame will have a CodeBlock. So we must read
1722         the call frame's callee. For these stack traces where we read the callee, we
1723         must verify the callee pointer, and the pointer traversal to an ExecutableBase,
1724         on the main JSC execution thread, and not on the thread taking the stack
1725         trace. We do this verification either before we run the marking phase in
1726         GC, or when somebody asks the SamplingProfiler to materialize its data.
1727
1728         The SamplingProfiler must also be careful to not grab any locks while the JSC execution
1729         thread is paused (this means it can't do anything that mallocs) because
1730         that could cause a deadlock. Therefore, the sampling profiler grabs
1731         locks for all data structures it consults before it pauses the JSC
1732         execution thread.
1733
1734         * CMakeLists.txt:
1735         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1736         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1737         * JavaScriptCore.xcodeproj/project.pbxproj:
1738         * bytecode/CodeBlock.h:
1739         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
1740         (JSC::CodeBlockSet::mark):
1741         * dfg/DFGNodeType.h:
1742         * heap/CodeBlockSet.cpp:
1743         (JSC::CodeBlockSet::add):
1744         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
1745         (JSC::CodeBlockSet::clearMarksForFullCollection):
1746         (JSC::CodeBlockSet::lastChanceToFinalize):
1747         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1748         (JSC::CodeBlockSet::contains):
1749         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
1750         (JSC::CodeBlockSet::remove): Deleted.
1751         * heap/CodeBlockSet.h:
1752         (JSC::CodeBlockSet::getLock):
1753         (JSC::CodeBlockSet::iterate):
1754         The sampling profiler uses the heap's CodeBlockSet to validate
1755         CodeBlock pointers. This data structure must now be under a lock
1756         because we must be certain we're not pausing the JSC execution thread
1757         while it's manipulating this data structure.
1758
1759         * heap/ConservativeRoots.cpp:
1760         (JSC::ConservativeRoots::ConservativeRoots):
1761         (JSC::ConservativeRoots::grow):
1762         (JSC::ConservativeRoots::genericAddPointer):
1763         (JSC::ConservativeRoots::genericAddSpan):
1764         (JSC::ConservativeRoots::add):
1765         (JSC::CompositeMarkHook::CompositeMarkHook):
1766         (JSC::CompositeMarkHook::mark):
1767         * heap/ConservativeRoots.h:
1768         * heap/Heap.cpp:
1769         (JSC::Heap::markRoots):
1770         (JSC::Heap::visitHandleStack):
1771         (JSC::Heap::visitSamplingProfiler):
1772         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1773         (JSC::Heap::snapshotMarkedSpace):
1774         * heap/Heap.h:
1775         (JSC::Heap::structureIDTable):
1776         (JSC::Heap::codeBlockSet):
1777         * heap/MachineStackMarker.cpp:
1778         (pthreadSignalHandlerSuspendResume):
1779         (JSC::getCurrentPlatformThread):
1780         (JSC::MachineThreads::MachineThreads):
1781         (JSC::MachineThreads::~MachineThreads):
1782         (JSC::MachineThreads::Thread::createForCurrentThread):
1783         (JSC::MachineThreads::Thread::operator==):
1784         (JSC::isThreadInList):
1785         (JSC::MachineThreads::addCurrentThread):
1786         (JSC::MachineThreads::machineThreadForCurrentThread):
1787         (JSC::MachineThreads::removeThread):
1788         (JSC::MachineThreads::gatherFromCurrentThread):
1789         (JSC::MachineThreads::Thread::Thread):
1790         (JSC::MachineThreads::Thread::~Thread):
1791         (JSC::MachineThreads::Thread::suspend):
1792         (JSC::MachineThreads::Thread::resume):
1793         (JSC::MachineThreads::Thread::getRegisters):
1794         (JSC::MachineThreads::Thread::Registers::stackPointer):
1795         (JSC::MachineThreads::Thread::Registers::framePointer):
1796         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1797         (JSC::MachineThreads::Thread::freeRegisters):
1798         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1799         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
1800         (JSC::MachineThreads::Thread::operator!=): Deleted.
1801         * heap/MachineStackMarker.h:
1802         (JSC::MachineThreads::Thread::operator!=):
1803         (JSC::MachineThreads::getLock):
1804         (JSC::MachineThreads::threadsListHead):
1805         We can now ask a MachineThreads::Thread for its frame pointer
1806         and program counter on Darwin and Windows platforms. EFL
1807         and GTK implementations will happen in another patch.
1808
1809         * heap/MarkedBlockSet.h:
1810         (JSC::MarkedBlockSet::getLock):
1811         (JSC::MarkedBlockSet::add):
1812         (JSC::MarkedBlockSet::remove):
1813         (JSC::MarkedBlockSet::recomputeFilter):
1814         (JSC::MarkedBlockSet::filter):
1815         (JSC::MarkedBlockSet::set):
1816         * heap/MarkedSpace.cpp:
1817         (JSC::Free::Free):
1818         (JSC::Free::operator()):
1819         (JSC::FreeOrShrink::FreeOrShrink):
1820         (JSC::FreeOrShrink::operator()):
1821         (JSC::MarkedSpace::~MarkedSpace):
1822         (JSC::MarkedSpace::isPagedOut):
1823         (JSC::MarkedSpace::freeBlock):
1824         (JSC::MarkedSpace::freeOrShrinkBlock):
1825         (JSC::MarkedSpace::shrink):
1826         * heap/MarkedSpace.h:
1827         (JSC::MarkedSpace::forEachLiveCell):
1828         (JSC::MarkedSpace::forEachDeadCell):
1829         * interpreter/CallFrame.h:
1830         (JSC::ExecState::calleeAsValue):
1831         (JSC::ExecState::callee):
1832         (JSC::ExecState::unsafeCallee):
1833         (JSC::ExecState::codeBlock):
1834         (JSC::ExecState::scope):
1835         * jit/ExecutableAllocator.cpp:
1836         (JSC::ExecutableAllocator::dumpProfile):
1837         (JSC::ExecutableAllocator::getLock):
1838         (JSC::ExecutableAllocator::isValidExecutableMemory):
1839         * jit/ExecutableAllocator.h:
1840         * jit/ExecutableAllocatorFixedVMPool.cpp:
1841         (JSC::ExecutableAllocator::allocate):
1842         (JSC::ExecutableAllocator::isValidExecutableMemory):
1843         (JSC::ExecutableAllocator::getLock):
1844         (JSC::ExecutableAllocator::committedByteCount):
1845         The sampling profiler consults the ExecutableAllocator to check
1846         if the frame pointer it reads is in executable allocated memory.
1847
1848         * jsc.cpp:
1849         (GlobalObject::finishCreation):
1850         (functionCheckModuleSyntax):
1851         (functionStartSamplingProfiler):
1852         (functionSamplingProfilerStackTraces):
1853         * llint/LLIntPCRanges.h: Added.
1854         (JSC::LLInt::isLLIntPC):
1855         * offlineasm/asm.rb:
1856         I added the ability to test whether the PC is executing
1857         LLInt code because this code is not part of the memory
1858         our executable allocator allocates.
1859
1860         * runtime/Executable.h:
1861         (JSC::ExecutableBase::isModuleProgramExecutable):
1862         (JSC::ExecutableBase::isExecutableType):
1863         (JSC::ExecutableBase::isHostFunction):
1864         * runtime/JSLock.cpp:
1865         (JSC::JSLock::didAcquireLock):
1866         (JSC::JSLock::unlock):
1867         * runtime/Options.h:
1868         * runtime/SamplingProfiler.cpp: Added.
1869         (JSC::reportStats):
1870         (JSC::FrameWalker::FrameWalker):
1871         (JSC::FrameWalker::walk):
1872         (JSC::FrameWalker::wasValidWalk):
1873         (JSC::FrameWalker::advanceToParentFrame):
1874         (JSC::FrameWalker::isAtTop):
1875         (JSC::FrameWalker::resetAtMachineFrame):
1876         (JSC::FrameWalker::isValidFramePointer):
1877         (JSC::FrameWalker::isValidCodeBlock):
1878         (JSC::FrameWalker::tryToGetExecutableFromCallee):
1879         The FrameWalker class is used to walk the stack in a safe
1880         manner. It doesn't do anything that would deadlock, and it
1881         validates all pointers that it sees.
1882
1883         (JSC::SamplingProfiler::SamplingProfiler):
1884         (JSC::SamplingProfiler::~SamplingProfiler):
1885         (JSC::SamplingProfiler::visit):
1886         (JSC::SamplingProfiler::shutdown):
1887         (JSC::SamplingProfiler::start):
1888         (JSC::SamplingProfiler::stop):
1889         (JSC::SamplingProfiler::pause):
1890         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1891         (JSC::SamplingProfiler::dispatchIfNecessary):
1892         (JSC::SamplingProfiler::dispatchFunction):
1893         (JSC::SamplingProfiler::noticeJSLockAcquisition):
1894         (JSC::SamplingProfiler::noticeVMEntry):
1895         (JSC::SamplingProfiler::observeStackTrace):
1896         (JSC::SamplingProfiler::clearData):
1897         (JSC::displayName):
1898         (JSC::startLine):
1899         (JSC::startColumn):
1900         (JSC::sourceID):
1901         (JSC::url):
1902         (JSC::SamplingProfiler::stacktracesAsJSON):
1903         * runtime/SamplingProfiler.h: Added.
1904         (JSC::SamplingProfiler::getLock):
1905         (JSC::SamplingProfiler::setTimingInterval):
1906         (JSC::SamplingProfiler::stackTraces):
1907         * runtime/VM.cpp:
1908         (JSC::VM::VM):
1909         (JSC::VM::~VM):
1910         (JSC::VM::setLastStackTop):
1911         (JSC::VM::createContextGroup):
1912         (JSC::VM::ensureWatchdog):
1913         (JSC::VM::ensureSamplingProfiler):
1914         (JSC::thunkGeneratorForIntrinsic):
1915         * runtime/VM.h:
1916         (JSC::VM::watchdog):
1917         (JSC::VM::isSafeToRecurse):
1918         (JSC::VM::lastStackTop):
1919         (JSC::VM::scratchBufferForSize):
1920         (JSC::VM::samplingProfiler):
1921         (JSC::VM::setShouldRewriteConstAsVar):
1922         (JSC::VM::setLastStackTop): Deleted.
1923         * runtime/VMEntryScope.cpp:
1924         (JSC::VMEntryScope::VMEntryScope):
1925         * tests/stress/sampling-profiler: Added.
1926         * tests/stress/sampling-profiler-anonymous-function.js: Added.
1927         (foo):
1928         (baz):
1929         * tests/stress/sampling-profiler-basic.js: Added.
1930         (bar):
1931         (foo):
1932         (nothing):
1933         (top):
1934         (jaz):
1935         (kaz):
1936         (checkInlining):
1937         * tests/stress/sampling-profiler-deep-stack.js: Added.
1938         (foo):
1939         (hellaDeep):
1940         (start):
1941         * tests/stress/sampling-profiler-microtasks.js: Added.
1942         (testResults):
1943         (loop.jaz):
1944         (loop):
1945         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
1946         (assert):
1947         (let.nodePrototype.makeChildIfNeeded):
1948         (makeNode):
1949         (updateCallingContextTree):
1950         (doesTreeHaveStackTrace):
1951         (makeTree):
1952         (runTest):
1953         (dumpTree):
1954         * tools/JSDollarVMPrototype.cpp:
1955         (JSC::JSDollarVMPrototype::isInObjectSpace):
1956         (JSC::JSDollarVMPrototype::isInStorageSpace):
1957         * yarr/YarrJIT.cpp:
1958         (JSC::Yarr::YarrGenerator::generateEnter):
1959         (JSC::Yarr::YarrGenerator::generateReturn):
1960         (JSC::Yarr::YarrGenerator::YarrGenerator):
1961         (JSC::Yarr::YarrGenerator::compile):
1962         (JSC::Yarr::jitCompile):
1963         We now have a boolean that's set to true when
1964         we're executing a RegExp, and to false otherwise.
1965         The boolean lives off of VM.
1966
1967         * CMakeLists.txt:
1968         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1969         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1970         * JavaScriptCore.xcodeproj/project.pbxproj:
1971         * bytecode/CodeBlock.h:
1972         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
1973         (JSC::CodeBlockSet::mark):
1974         * dfg/DFGNodeType.h:
1975         * heap/CodeBlockSet.cpp:
1976         (JSC::CodeBlockSet::add):
1977         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
1978         (JSC::CodeBlockSet::clearMarksForFullCollection):
1979         (JSC::CodeBlockSet::lastChanceToFinalize):
1980         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1981         (JSC::CodeBlockSet::contains):
1982         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
1983         (JSC::CodeBlockSet::remove): Deleted.
1984         * heap/CodeBlockSet.h:
1985         (JSC::CodeBlockSet::getLock):
1986         (JSC::CodeBlockSet::iterate):
1987         * heap/ConservativeRoots.cpp:
1988         (JSC::ConservativeRoots::ConservativeRoots):
1989         (JSC::ConservativeRoots::genericAddPointer):
1990         (JSC::ConservativeRoots::add):
1991         (JSC::CompositeMarkHook::CompositeMarkHook):
1992         (JSC::CompositeMarkHook::mark):
1993         * heap/ConservativeRoots.h:
1994         * heap/Heap.cpp:
1995         (JSC::Heap::markRoots):
1996         (JSC::Heap::visitHandleStack):
1997         (JSC::Heap::visitSamplingProfiler):
1998         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1999         * heap/Heap.h:
2000         (JSC::Heap::structureIDTable):
2001         (JSC::Heap::codeBlockSet):
2002         * heap/HeapInlines.h:
2003         (JSC::Heap::didFreeBlock):
2004         (JSC::Heap::isPointerGCObject):
2005         (JSC::Heap::isValueGCObject):
2006         * heap/MachineStackMarker.cpp:
2007         (pthreadSignalHandlerSuspendResume):
2008         (JSC::getCurrentPlatformThread):
2009         (JSC::MachineThreads::MachineThreads):
2010         (JSC::MachineThreads::~MachineThreads):
2011         (JSC::MachineThreads::Thread::createForCurrentThread):
2012         (JSC::MachineThreads::Thread::operator==):
2013         (JSC::isThreadInList):
2014         (JSC::MachineThreads::addCurrentThread):
2015         (JSC::MachineThreads::machineThreadForCurrentThread):
2016         (JSC::MachineThreads::removeThread):
2017         (JSC::MachineThreads::gatherFromCurrentThread):
2018         (JSC::MachineThreads::Thread::Thread):
2019         (JSC::MachineThreads::Thread::~Thread):
2020         (JSC::MachineThreads::Thread::suspend):
2021         (JSC::MachineThreads::Thread::resume):
2022         (JSC::MachineThreads::Thread::getRegisters):
2023         (JSC::MachineThreads::Thread::Registers::stackPointer):
2024         (JSC::MachineThreads::Thread::Registers::framePointer):
2025         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2026         (JSC::MachineThreads::Thread::freeRegisters):
2027         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2028         (JSC::MachineThreads::Thread::operator!=): Deleted.
2029         * heap/MachineStackMarker.h:
2030         (JSC::MachineThreads::Thread::operator!=):
2031         (JSC::MachineThreads::getLock):
2032         (JSC::MachineThreads::threadsListHead):
2033         * heap/MarkedBlockSet.h:
2034         * heap/MarkedSpace.cpp:
2035         (JSC::Free::Free):
2036         (JSC::Free::operator()):
2037         (JSC::FreeOrShrink::FreeOrShrink):
2038         (JSC::FreeOrShrink::operator()):
2039         * interpreter/CallFrame.h:
2040         (JSC::ExecState::calleeAsValue):
2041         (JSC::ExecState::callee):
2042         (JSC::ExecState::unsafeCallee):
2043         (JSC::ExecState::codeBlock):
2044         (JSC::ExecState::scope):
2045         * jit/ExecutableAllocator.cpp:
2046         (JSC::ExecutableAllocator::dumpProfile):
2047         (JSC::ExecutableAllocator::getLock):
2048         (JSC::ExecutableAllocator::isValidExecutableMemory):
2049         * jit/ExecutableAllocator.h:
2050         * jit/ExecutableAllocatorFixedVMPool.cpp:
2051         (JSC::ExecutableAllocator::allocate):
2052         (JSC::ExecutableAllocator::isValidExecutableMemory):
2053         (JSC::ExecutableAllocator::getLock):
2054         (JSC::ExecutableAllocator::committedByteCount):
2055         * jsc.cpp:
2056         (GlobalObject::finishCreation):
2057         (functionCheckModuleSyntax):
2058         (functionPlatformSupportsSamplingProfiler):
2059         (functionStartSamplingProfiler):
2060         (functionSamplingProfilerStackTraces):
2061         * llint/LLIntPCRanges.h: Added.
2062         (JSC::LLInt::isLLIntPC):
2063         * offlineasm/asm.rb:
2064         * runtime/Executable.h:
2065         (JSC::ExecutableBase::isModuleProgramExecutable):
2066         (JSC::ExecutableBase::isExecutableType):
2067         (JSC::ExecutableBase::isHostFunction):
2068         * runtime/JSLock.cpp:
2069         (JSC::JSLock::didAcquireLock):
2070         (JSC::JSLock::unlock):
2071         * runtime/Options.h:
2072         * runtime/SamplingProfiler.cpp: Added.
2073         (JSC::reportStats):
2074         (JSC::FrameWalker::FrameWalker):
2075         (JSC::FrameWalker::walk):
2076         (JSC::FrameWalker::wasValidWalk):
2077         (JSC::FrameWalker::advanceToParentFrame):
2078         (JSC::FrameWalker::isAtTop):
2079         (JSC::FrameWalker::resetAtMachineFrame):
2080         (JSC::FrameWalker::isValidFramePointer):
2081         (JSC::FrameWalker::isValidCodeBlock):
2082         (JSC::SamplingProfiler::SamplingProfiler):
2083         (JSC::SamplingProfiler::~SamplingProfiler):
2084         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2085         (JSC::SamplingProfiler::visit):
2086         (JSC::SamplingProfiler::shutdown):
2087         (JSC::SamplingProfiler::start):
2088         (JSC::SamplingProfiler::stop):
2089         (JSC::SamplingProfiler::pause):
2090         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2091         (JSC::SamplingProfiler::dispatchIfNecessary):
2092         (JSC::SamplingProfiler::dispatchFunction):
2093         (JSC::SamplingProfiler::noticeJSLockAcquisition):
2094         (JSC::SamplingProfiler::noticeVMEntry):
2095         (JSC::SamplingProfiler::clearData):
2096         (JSC::displayName):
2097         (JSC::SamplingProfiler::stacktracesAsJSON):
2098         (WTF::printInternal):
2099         * runtime/SamplingProfiler.h: Added.
2100         (JSC::SamplingProfiler::StackFrame::StackFrame):
2101         (JSC::SamplingProfiler::getLock):
2102         (JSC::SamplingProfiler::setTimingInterval):
2103         (JSC::SamplingProfiler::stackTraces):
2104         * runtime/VM.cpp:
2105         (JSC::VM::VM):
2106         (JSC::VM::~VM):
2107         (JSC::VM::setLastStackTop):
2108         (JSC::VM::createContextGroup):
2109         (JSC::VM::ensureWatchdog):
2110         (JSC::VM::ensureSamplingProfiler):
2111         (JSC::thunkGeneratorForIntrinsic):
2112         * runtime/VM.h:
2113         (JSC::VM::watchdog):
2114         (JSC::VM::samplingProfiler):
2115         (JSC::VM::isSafeToRecurse):
2116         (JSC::VM::lastStackTop):
2117         (JSC::VM::scratchBufferForSize):
2118         (JSC::VM::setLastStackTop): Deleted.
2119         * runtime/VMEntryScope.cpp:
2120         (JSC::VMEntryScope::VMEntryScope):
2121         * tests/stress/sampling-profiler: Added.
2122         * tests/stress/sampling-profiler-anonymous-function.js: Added.
2123         (platformSupportsSamplingProfiler.foo):
2124         (platformSupportsSamplingProfiler.baz):
2125         (platformSupportsSamplingProfiler):
2126         * tests/stress/sampling-profiler-basic.js: Added.
2127         (platformSupportsSamplingProfiler.bar):
2128         (platformSupportsSamplingProfiler.foo):
2129         (platformSupportsSamplingProfiler.nothing):
2130         (platformSupportsSamplingProfiler.top):
2131         (platformSupportsSamplingProfiler.jaz):
2132         (platformSupportsSamplingProfiler.kaz):
2133         (platformSupportsSamplingProfiler.checkInlining):
2134         (platformSupportsSamplingProfiler):
2135         * tests/stress/sampling-profiler-deep-stack.js: Added.
2136         (platformSupportsSamplingProfiler.foo):
2137         (platformSupportsSamplingProfiler.let.hellaDeep):
2138         (platformSupportsSamplingProfiler.let.start):
2139         (platformSupportsSamplingProfiler):
2140         * tests/stress/sampling-profiler-microtasks.js: Added.
2141         (platformSupportsSamplingProfiler.testResults):
2142         (platformSupportsSamplingProfiler):
2143         (platformSupportsSamplingProfiler.loop.jaz):
2144         (platformSupportsSamplingProfiler.loop):
2145         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
2146         (assert):
2147         (let.nodePrototype.makeChildIfNeeded):
2148         (makeNode):
2149         (updateCallingContextTree):
2150         (doesTreeHaveStackTrace):
2151         (makeTree):
2152         (runTest):
2153         (dumpTree):
2154         * yarr/YarrJIT.cpp:
2155         (JSC::Yarr::YarrGenerator::generateEnter):
2156         (JSC::Yarr::YarrGenerator::generateReturn):
2157         (JSC::Yarr::YarrGenerator::YarrGenerator):
2158         (JSC::Yarr::YarrGenerator::compile):
2159         (JSC::Yarr::jitCompile):
2160
2161 2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2162
2163         [JSC] Iterating over a Set/Map is too slow
2164         https://bugs.webkit.org/show_bug.cgi?id=152691
2165
2166         Reviewed by Saam Barati.
2167
2168         Set#forEach and Set & for-of are very slow. There are 2 reasons.
2169
2170         1. forEach is implemented in C++. And typically, it takes a JS callback and calls it from C++.
2171
2172         The C++ to JS transition seems costly. The perf result on a Linux machine shows this.
2173
2174             Samples: 23K of event 'cycles', Event count (approx.): 21446074385
2175             34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
2176             20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
2177              9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
2178              7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
2179              5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f
2180
2181         Writing forEach in JS eliminates this.
2182
2183             Samples: 23K of event 'cycles', Event count (approx.): 21255691651
2184             62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
2185             24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
2186              0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
2187              0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
2188              0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
2189              0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
2190              0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)
2191
2192         2. Iterator result object allocation is costly.
2193
2194         Iterator result object allocation is costly. Even if (1) is solved, when executing Set & for-of, the perf result shows very slow performance due to (2).
2195
2196             Samples: 108K of event 'cycles', Event count (approx.): 95529273748
2197             18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
2198             15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
2199             14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
2200             13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
2201              6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const
2202
2203         In the long term, we should implement SetIterator#next in JS and have the iterator result object allocation written in JS to encourage object allocation elimination in FTL.
2204         But looking at the perf result, we can find an easy-to-fix bottleneck in the current implementation.
2205         Every time, createIteratorResultObject creates an empty object and uses putDirect to store the properties.
2206         A pre-baked Structure* with `done` and `value` properties makes this implementation fast.
2207
2208         After these improvements, the micro benchmark[1] shows the following.
2209
2210         old:
2211             Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
2212             Array x 376,156 ops/sec ±0.20% (162 runs sampled)
2213             Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
2214             Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
2215             Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
2216             Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)
2217
2218         new:
2219             Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
2220             Array x 371,347 ops/sec ±0.36% (162 runs sampled)
2221             Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
2222             Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
2223             Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
2224             Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)
2225
2226         Set#forEach becomes comparable to Array#forEach. And Set#forEach and Set & for-of are improved (1.79x and 2.57x).
2227         After these optimizations, they are still much slower than the linked list and array.
2228         This should be optimized in the long term.
2229
2230         [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0
2231
2232         * CMakeLists.txt:
2233         * DerivedSources.make:
2234         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2235         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2236         * JavaScriptCore.xcodeproj/project.pbxproj:
2237         * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
2238         (forEach):
2239         * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
2240         (forEach):
2241         * runtime/CommonIdentifiers.h:
2242         * runtime/IteratorOperations.cpp:
2243         (JSC::createIteratorResultObjectStructure):
2244         (JSC::createIteratorResultObject):
2245         * runtime/IteratorOperations.h:
2246         * runtime/JSGlobalObject.cpp:
2247         (JSC::JSGlobalObject::init):
2248         (JSC::JSGlobalObject::visitChildren):
2249         * runtime/JSGlobalObject.h:
2250         (JSC::JSGlobalObject::iteratorResultObjectStructure):
2251         (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
2252         (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
2253         * runtime/MapPrototype.cpp:
2254         (JSC::MapPrototype::getOwnPropertySlot):
2255         (JSC::privateFuncIsMap):
2256         (JSC::privateFuncMapIterator):
2257         (JSC::privateFuncMapIteratorNext):
2258         (JSC::MapPrototype::finishCreation): Deleted.
2259         (JSC::mapProtoFuncForEach): Deleted.
2260         * runtime/MapPrototype.h:
2261         * runtime/SetPrototype.cpp:
2262         (JSC::SetPrototype::getOwnPropertySlot):
2263         (JSC::privateFuncIsSet):
2264         (JSC::privateFuncSetIterator):
2265         (JSC::privateFuncSetIteratorNext):
2266         (JSC::SetPrototype::finishCreation): Deleted.
2267         (JSC::setProtoFuncForEach): Deleted.
2268         * runtime/SetPrototype.h:
2269
2270 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2271
2272         Unreviewed, fix ARM64 build.
2273
2274         * b3/air/AirOpcode.opcodes:
2275
2276 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2277
2278         B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
2279         https://bugs.webkit.org/show_bug.cgi?id=152955
2280
2281         Reviewed by Saam Barati.
2282
2283         This happens when we box an int32 and then immediately unbox it.
2284
2285         This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
2286         benchmark. It's neutral elsewhere.
2287
2288         * b3/B3ReduceStrength.cpp:
2289         * b3/testb3.cpp:
2290         (JSC::B3::testPowDoubleByIntegerLoop):
2291         (JSC::B3::testTruncOrHigh):
2292         (JSC::B3::testTruncOrLow):
2293         (JSC::B3::testBitAndOrHigh):
2294         (JSC::B3::testBitAndOrLow):
2295         (JSC::B3::zero):
2296         (JSC::B3::run):
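
        The reduction rule named in this entry and the box-then-unbox pattern it targets, as an added example that is not JavaScriptCore's code: the tag constant kNumberTag is an assumption modelled on a 64-bit number tag that occupies only the high 32 bits, and the sample values and function names are constructed for illustration. The check shows why the guard on the constant's low 32 bits is what makes the rewrite sound.

```cpp
// Added example, not JavaScriptCore code: the guard behind
// Trunc(BitOr(value, constant)) => Trunc(value), checked against a model of
// boxing an int32 by OR-ing a tag into its high bits and unboxing with Trunc.
#include <cstdint>

// Assumed tag for illustration: all of its set bits live above bit 31.
static const uint64_t kNumberTag = 0xffff000000000000ull;

// The rule may fire only when the constant contributes nothing to the low 32 bits.
bool truncBitOrIsReducible(uint64_t constant) {
    return (constant & 0xffffffffull) == 0;
}

// Trunc(BitOr(value, constant)) as the machine computes it.
int32_t truncOfBitOr(uint64_t value, uint64_t constant) {
    return static_cast<int32_t>(static_cast<uint32_t>(value | constant));
}

// Trunc(value) alone: the reduced form.
int32_t truncOnly(uint64_t value) {
    return static_cast<int32_t>(static_cast<uint32_t>(value));
}

// Box/unbox pair: boxing ORs the tag in, unboxing is a plain Trunc, which is
// exactly the Trunc(BitOr(value, tag)) shape the rule collapses.
uint64_t boxInt32(int32_t v) { return kNumberTag | static_cast<uint32_t>(v); }
int32_t unboxInt32(uint64_t boxed) { return truncOnly(boxed); }

// Over constructed sample values, count inputs where applying the reduction with
// the given constant would change the result. A sound reduction yields 0.
int countReductionMismatches(uint64_t constant) {
    static const uint64_t samples[] = {
        0, 1, 0xffffffffull, 0x80000000ull, 0x123456789abcdef0ull,
        0xffffffffffffffffull, 0x00000000deadbeefull
    };
    int mismatches = 0;
    for (uint64_t v : samples)
        if (truncOfBitOr(v, constant) != truncOnly(v))
            ++mismatches;
    return mismatches;
}
```

        With the high-bits-only tag the reduction never changes a result; with a constant that has any low bit set it does, which is why the guard is part of the rule rather than an optimisation hint.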
2297
2298 2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
2299
2300         [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
2301         https://bugs.webkit.org/show_bug.cgi?id=149855
2302
2303         Reviewed by Saam Barati.
2304
2305         JSArrowFunction.h/cpp were removed from JavaScriptCore, because a new approach is now used for storing
2306         'this', 'arguments' and 'super'.
2307
2308         * CMakeLists.txt:
2309         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2310         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2311         * JavaScriptCore.xcodeproj/project.pbxproj:
2312         * dfg/DFGAbstractInterpreterInlines.h:
2313         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2314         * dfg/DFGSpeculativeJIT.cpp:
2315         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2316         * dfg/DFGStructureRegistrationPhase.cpp:
2317         (JSC::DFG::StructureRegistrationPhase::run):
2318         * ftl/FTLAbstractHeapRepository.cpp:
2319         * ftl/FTLAbstractHeapRepository.h:
2320         * ftl/FTLLowerDFGToLLVM.cpp:
2321         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2322         * interpreter/Interpreter.cpp:
2323         * interpreter/Interpreter.h:
2324         * jit/JITOpcodes.cpp:
2325         * jit/JITOpcodes32_64.cpp:
2326         * jit/JITOperations.cpp:
2327         * jit/JITOperations.h:
2328         * llint/LLIntOffsetsExtractor.cpp:
2329         * llint/LLIntSlowPaths.cpp:
2330         * runtime/JSArrowFunction.cpp: Removed.
2331         * runtime/JSArrowFunction.h: Removed.
2332         * runtime/JSGlobalObject.cpp:
2333         * runtime/JSGlobalObject.h:
2334
2335 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2336
2337         It should be possible to run liveness over registers without also tracking Tmps
2338         https://bugs.webkit.org/show_bug.cgi?id=152963
2339
2340         Reviewed by Saam Barati.
2341
2342         This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
2343         easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
2344         code like that for handling cold function calls. It also makes code like that somewhat more
2345         scalable, since we're no longer using HashSets.
2346
2347         Currently, the way we track sets of registers is with a BitVector. Normally, we use the
2348         RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
2349         the liveness analysis, everything gets turned into an index. So, we want to use BitVector
2350         directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
2351         think that this is good, because the lack of set methods (add/remove/contains) has caused
2352         bugs in the past. This makes BitVector have methods both for set operations on bits and array
2353         operations on bits. I think that's good, since BitVector gets used in both contexts.
2354
2355         * b3/B3IndexSet.h:
2356         (JSC::B3::IndexSet::Iterable::iterator::iterator):
2357         (JSC::B3::IndexSet::Iterable::begin):
2358         (JSC::B3::IndexSet::dump):
2359         * b3/air/AirInstInlines.h:
2360         (JSC::B3::Air::ForEach<Tmp>::forEach):
2361         (JSC::B3::Air::ForEach<Arg>::forEach):
2362         (JSC::B3::Air::ForEach<Reg>::forEach):
2363         (JSC::B3::Air::Inst::forEach):
2364         * b3/air/AirLiveness.h:
2365         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
2366         (JSC::B3::Air::RegLivenessAdapter::maxIndex):
2367         (JSC::B3::Air::RegLivenessAdapter::acceptsType):
2368         (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
2369         (JSC::B3::Air::RegLivenessAdapter::indexToValue):
2370         * b3/air/AirReportUsedRegisters.cpp:
2371         (JSC::B3::Air::reportUsedRegisters):
2372         * jit/Reg.h:
2373         (JSC::Reg::next):
2374         (JSC::Reg::index):
2375         (JSC::Reg::maxIndex):
2376         (JSC::Reg::isSet):
2377         (JSC::Reg::operator bool):
2378         * jit/RegisterSet.h:
2379         (JSC::RegisterSet::forEach):
2380
2381 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
2382
2383         [JSC] Make branchMul functional in ARM B3 and minor fixes
2384         https://bugs.webkit.org/show_bug.cgi?id=152889
2385
2386         Reviewed by Mark Lam.
2387
2388         ARM64 does not have a "S" version of MUL setting the flags.
2389         What we do is abstract that in the MacroAssembler. The problem
2390         is that form requires scratch registers.
2391
2392         For simplicity, I just exposed the two scratch registers
2393         for Air. Filip already added the concept of Scratch role,
2394         all I needed was to expose it for opcodes.
2395
2396         * assembler/MacroAssemblerARM64.h:
2397         (JSC::MacroAssemblerARM64::branchMul32):
2398         (JSC::MacroAssemblerARM64::branchMul64):
2399         Expose a version with the scratch registers as arguments.
2400
2401         * b3/B3LowerToAir.cpp:
2402         (JSC::B3::Air::LowerToAir::lower):
2403         Add the new form of CheckMul lowering.
2404
2405         * b3/air/AirOpcode.opcodes:
2406         Expose the new BranchMuls.
2407         Remove all the Test variants that use immediates
2408         since Air can't handle those immediates correctly yet.
2409
2410         * b3/air/opcode_generator.rb:
2411         Expose the Scratch role.
2412
2413         * b3/testb3.cpp:
2414         (JSC::B3::testPatchpointLotsOfLateAnys):
2415         Oops, the scratch registers were not clobbered. We were just lucky
2416         on x86.
2417
2418 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
2419
2420         [JSC] B3 is unable to do function calls on ARM64
2421         https://bugs.webkit.org/show_bug.cgi?id=152895
2422
2423         Reviewed by Mark Lam.
2424
2425         Apparently iOS does not follow the ARM64 ABI for function calls.
2426         Instead of giving each value an 8-byte slot, it must be packed
2427         while preserving alignment.
2428
2429         This patch adds a #ifdef to make function calls functional.
2430
2431         * b3/B3LowerToAir.cpp:
2432         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
2433         (JSC::B3::Air::LowerToAir::lower):
2434
2435 2016-01-09  Filip Pizlo  <fpizlo@apple.com>
2436
2437         Air should support Branch64 with immediates
2438         https://bugs.webkit.org/show_bug.cgi?id=152951
2439
2440         Reviewed by Oliver Hunt.
2441
2442         This doesn't significantly improve performance on any benchmarks, but it's great to get this
2443         obvious omission out of the way.
2444
2445         * assembler/MacroAssemblerX86_64.h:
2446         (JSC::MacroAssemblerX86_64::branch64):
2447         * b3/air/AirOpcode.opcodes:
2448         * b3/testb3.cpp:
2449         (JSC::B3::testPowDoubleByIntegerLoop):
2450         (JSC::B3::testBranch64Equal):
2451         (JSC::B3::testBranch64EqualImm):
2452         (JSC::B3::testBranch64EqualMem):
2453         (JSC::B3::testBranch64EqualMemImm):
2454         (JSC::B3::zero):
2455         (JSC::B3::run):
2456
2457 2016-01-09  Dan Bernstein  <mitz@apple.com>
2458
2459         [Cocoa] Allow overriding the frameworks directory independently of using a staging install path
2460         https://bugs.webkit.org/show_bug.cgi?id=152926
2461
2462         Reviewed by Tim Horton.
2463
2464         Introduce a new build setting, WK_OVERRIDE_FRAMEWORKS_DIR. When not empty, it determines
2465         where the frameworks are installed. Setting USE_STAGING_INSTALL_PATH to YES sets
2466         WK_OVERRIDE_FRAMEWORKS_DIR to $(SYSTEM_LIBRARY_DIR)/StagedFrameworks/Safari.
2467
2468         Account for the possibility of WK_OVERRIDE_FRAMEWORKS_DIR containing spaces.
2469
2470         * Configurations/Base.xcconfig:
2471         - Replace STAGED_FRAMEWORKS_SEARCH_PATH in FRAMEWORK_SEARCH_PATHS with
2472           WK_OVERRIDE_FRAMEWORKS_DIR and add quotes to account for spaces.
2473         - Define JAVASCRIPTCORE_FRAMEWORKS_DIR based on WK_OVERRIDE_FRAMEWORKS_DIR.
2474         * Configurations/JSC.xcconfig:
2475           Add quotes to account for spaces.
2476         * Configurations/ToolExecutable.xcconfig:
2477           Ditto.
2478         * postprocess-headers.sh:
2479           Ditto.
2480
2481 2016-01-09  Mark Lam  <mark.lam@apple.com>
2482
2483         The FTL allocated spill slots for BinaryOps is sometimes inaccurate.
2484         https://bugs.webkit.org/show_bug.cgi?id=152918
2485
2486         Reviewed by Filip Pizlo and Saam Barati.
2487
2488         * ftl/FTLCompile.cpp:
2489         - Updated a comment.
2490         * ftl/FTLLowerDFGToLLVM.cpp:
2491         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2492         - The code to compute maxNumberOfCatchSpills was unnecessarily allocating an
2493           extra slot for BinaryOps that don't have Untyped operands, and failing to
2494           allocate that extra slot for some binary ops.  This is now fixed.
2495
2496         * tests/stress/ftl-shr-exception.js:
2497         * tests/stress/ftl-xor-exception.js:
2498         - Un-skipped these tests.  They now pass with this patch.
2499
2500 2016-01-09  Andreas Kling  <akling@apple.com>
2501
2502         Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
2503         <https://webkit.org/b/152902>
2504
2505         Reviewed by Anders Carlsson.
2506
2507         Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.
2508
2509         * API/JSAPIWrapperObject.mm:
2510         (jsAPIWrapperObjectHandleOwner):
2511         * API/JSManagedValue.mm:
2512         (managedValueHandleOwner):
2513         * inspector/agents/InspectorDebuggerAgent.cpp:
2514         (Inspector::objectGroupForBreakpointAction):
2515         * jit/ExecutableAllocator.cpp:
2516         (JSC::DemandExecutableAllocator::allocators):
2517
2518 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2519
2520         FTL B3 should do varargs tail calls and stack overflows
2521         https://bugs.webkit.org/show_bug.cgi?id=152934
2522
2523         Reviewed by Saam Barati.
2524
2525         I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
2526         at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
2527         why I have two fixes in one change. Now the test passes.
2528
2529         This reduces the number of failures from 13 to 0.
2530
2531         * ftl/FTLLowerDFGToLLVM.cpp:
2532         (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
2533         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
2534         append an Oops (i.e. "unreachable").
2535
2536 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2537
2538         B3 needs Neg()
2539         https://bugs.webkit.org/show_bug.cgi?id=152925
2540
2541         Reviewed by Mark Lam.
2542
2543         Previously we said that negation should be represented as Sub(0, x). That's wrong, since
2544         for floats, Sub(0, 0) == 0 while Neg(0) == -0.
2545
2546         One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
2547         should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
2548         to use bitops to represent floating point operations. Whatever cuteness this would have
2549         bought us would be outweighed by the annoyance of having to write code that matches
2550         Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
2551         would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
2552         Also, I suspect that the omission of Neg would cause others to make the mistake of using
2553         Sub to represent floating point negation.
2554
2555         So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
2556         negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
2557         floats, we lower it to BitXor(x, -0) on x86.
2558
2559         This reduces the number of failures from 13 to 12.
2560
2561         * assembler/MacroAssemblerX86Common.h:
2562         (JSC::MacroAssemblerX86Common::andFloat):
2563         (JSC::MacroAssemblerX86Common::xorDouble):
2564         (JSC::MacroAssemblerX86Common::xorFloat):
2565         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
2566         * b3/B3LowerMacrosAfterOptimizations.cpp:
2567         * b3/B3LowerToAir.cpp:
2568         (JSC::B3::Air::LowerToAir::lower):
2569         * b3/B3Opcode.cpp:
2570         (WTF::printInternal):
2571         * b3/B3Opcode.h:
2572         * b3/B3ReduceStrength.cpp:
2573         * b3/B3Validate.cpp:
2574         * b3/B3Value.cpp:
2575         (JSC::B3::Value::effects):
2576         (JSC::B3::Value::key):
2577         (JSC::B3::Value::typeFor):
2578         * b3/air/AirOpcode.opcodes:
2579         * ftl/FTLB3Output.cpp:
2580         (JSC::FTL::Output::lockedStackSlot):
2581         (JSC::FTL::Output::neg):
2582         (JSC::FTL::Output::bitNot):
2583         * ftl/FTLB3Output.h:
2584         (JSC::FTL::Output::chillDiv):
2585         (JSC::FTL::Output::mod):
2586         (JSC::FTL::Output::chillMod):
2587         (JSC::FTL::Output::doubleAdd):
2588         (JSC::FTL::Output::doubleSub):
2589         (JSC::FTL::Output::doubleMul):
2590         (JSC::FTL::Output::doubleDiv):
2591         (JSC::FTL::Output::doubleMod):
2592         (JSC::FTL::Output::doubleNeg):
2593         (JSC::FTL::Output::bitAnd):
2594         (JSC::FTL::Output::bitOr):
2595         (JSC::FTL::Output::neg): Deleted.
2596         * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
2597         it's such a glaring bug, I thought having a test for it specifically would be good.
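
        The signed-zero argument in this entry, as an added example that is not code from the page or from JavaScriptCore: it models the encodings the entry discusses, Sub(0, x), BitXor(x, -0) and the wraparound integer forms, in plain C++ and counts where they disagree. The sample values and function names are constructed for illustration.

```cpp
// Added example, not JavaScriptCore code: why Sub(0, x) is not a correct
// encoding of floating-point negation, and why BitXor(x, -0) is.
#include <cmath>
#include <cstdint>
#include <cstring>

// Reinterpret bits without breaking aliasing rules.
static inline uint64_t doubleBits(double d) { uint64_t u; std::memcpy(&u, &d, sizeof u); return u; }
static inline double bitsToDouble(uint64_t u) { double d; std::memcpy(&d, &u, sizeof d); return d; }

// Candidate lowering 1: Sub(0, x). Under round-to-nearest, 0.0 - 0.0 is +0.0,
// so this loses the sign of zero.
double negViaSub(double x) { return 0.0 - x; }

// Candidate lowering 2: BitXor(x, -0). The bit pattern of -0.0 is exactly the
// sign bit, so the xor flips only the sign and maps +0.0 to -0.0, which is what
// an xor against a sign mask does on x86.
double negViaXor(double x) { return bitsToDouble(doubleBits(x) ^ doubleBits(-0.0)); }

// Bitwise equality: distinguishes +0.0 from -0.0, which operator== does not.
bool sameBits(double a, double b) { return doubleBits(a) == doubleBits(b); }

// Integer negation under two's-complement wraparound, written two ways.
// Both agree for every int32, INT32_MIN included, so canonicalising
// Sub(0, x) to Neg(x) is safe for integers.
int32_t negInt32ViaSub(int32_t x) {
    return static_cast<int32_t>(0u - static_cast<uint32_t>(x));
}
int32_t negInt32ViaComplement(int32_t x) {
    return static_cast<int32_t>(~static_cast<uint32_t>(x) + 1u);
}

// Over constructed sample inputs, count the values for which the two
// floating-point lowerings disagree bit-for-bit. Only +0.0 differs.
int countSubXorMismatches() {
    static const double samples[] = { 0.0, -0.0, 1.0, -1.5, 1e300, -1e-300, INFINITY, -INFINITY };
    int mismatches = 0;
    for (double x : samples)
        if (!sameBits(negViaSub(x), negViaXor(x)))
            ++mismatches;
    return mismatches;
}

// Same exercise for int32: the wraparound forms always agree.
int countInt32Mismatches() {
    static const int32_t samples[] = { 0, 1, -1, INT32_MAX, INT32_MIN };
    int mismatches = 0;
    for (int32_t x : samples)
        if (negInt32ViaSub(x) != negInt32ViaComplement(x))
            ++mismatches;
    return mismatches;
}
```

        The mismatch is invisible to operator==, since +0.0 == -0.0, which is why a test that compares with == would not catch a Sub-based negation; only the sign bit (std::signbit) or the raw bits expose it.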
2598
2599 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2600
2601         FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
2602         https://bugs.webkit.org/show_bug.cgi?id=152922
2603
2604         Reviewed by Saam Barati.
2605
2606         FTL B3 was generating a handler table that first contained the old baseline handlers keyed
2607         by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
2608         wrong, since the FTL code block should not contain any baseline handlers. The fix is to
2609         clear the handlers before generation, sort of like FTL LLVM does.
2610
2611         Also added some stuff to make it easier to inspect the handler table.
2612
2613         This reduces the number of failures from 25 to 13.
2614
2615         * bytecode/CodeBlock.cpp:
2616         (JSC::CodeBlock::dumpBytecode):
2617         (JSC::CodeBlock::dumpExceptionHandlers):
2618         (JSC::CodeBlock::beginDumpProfiling):
2619         * bytecode/CodeBlock.h:
2620         * ftl/FTLB3Compile.cpp:
2621         (JSC::FTL::compile):
2622
2623 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2624
2625         B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
2626         https://bugs.webkit.org/show_bug.cgi?id=152916
2627
2628         Reviewed by Mark Lam.
2629
2630         This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!
2631
2632         This reduces the number of failures from 27 to 25.
2633
2634         * b3/B3ReduceStrength.cpp:
2635
2636 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2637
2638         FTL B3 allocateCell() should not crash
2639         https://bugs.webkit.org/show_bug.cgi?id=152909
2640
2641         Reviewed by Mark Lam.
2642
2643         This code was crashing in some tests that forced GC slow paths because it was stubbed out
2644         due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
2645         undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
2646         any LLVM optimizations by using undef.
2647
2648         This reduces the number of failures from 35 to 27.
2649
2650         * ftl/FTLLowerDFGToLLVM.cpp:
2651         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2652
2653 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2654
2655         FTL B3 fails to realize that binary snippets might choose to omit their fast path
2656         https://bugs.webkit.org/show_bug.cgi?id=152901
2657
2658         Reviewed by Mark Lam.
2659
2660         This reduces the number of failures from 99 to 35.
2661
2662         * ftl/FTLLowerDFGToLLVM.cpp:
2663         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2664
2665 2016-01-08  Saam barati  <sbarati@apple.com>
2666
2667         restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register
2668         https://bugs.webkit.org/show_bug.cgi?id=152879
2669
2670         Reviewed by Filip Pizlo.
2671
2672         We were clobbering a register we needed when picking
2673         a scratch register inside an FTL OSR Exit.
2674
2675         * dfg/DFGThunks.cpp:
2676         (JSC::DFG::osrEntryThunkGenerator):
2677         * jit/AssemblyHelpers.cpp:
2678         (JSC::AssemblyHelpers::emitRandomThunk):
2679         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
2680         * jit/AssemblyHelpers.h:
2681         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
2682         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
2683         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
2684         (foo):
2685
2686 2016-01-08  Mark Lam  <mark.lam@apple.com>
2687
2688         Rolling out: Rename StringFromCharCode to StringFromSingleCharCode.
2689         https://bugs.webkit.org/show_bug.cgi?id=152897
2690
2691         Not reviewed.
2692
2693         * dfg/DFGAbstractInterpreterInlines.h:
2694         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2695         * dfg/DFGByteCodeParser.cpp:
2696         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2697         * dfg/DFGClobberize.h:
2698         (JSC::DFG::clobberize):
2699         * dfg/DFGDoesGC.cpp:
2700         (JSC::DFG::doesGC):
2701         * dfg/DFGFixupPhase.cpp:
2702         (JSC::DFG::FixupPhase::fixupNode):
2703         * dfg/DFGNodeType.h:
2704         * dfg/DFGOperations.cpp:
2705         * dfg/DFGOperations.h:
2706         * dfg/DFGPredictionPropagationPhase.cpp:
2707         (JSC::DFG::PredictionPropagationPhase::propagate):
2708         * dfg/DFGSafeToExecute.h:
2709         (JSC::DFG::safeToExecute):
2710         * dfg/DFGSpeculativeJIT.cpp:
2711         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2712         * dfg/DFGSpeculativeJIT32_64.cpp:
2713         (JSC::DFG::SpeculativeJIT::compile):
2714         * dfg/DFGSpeculativeJIT64.cpp:
2715         (JSC::DFG::SpeculativeJIT::compile):
2716         * runtime/StringConstructor.cpp:
2717         (JSC::stringFromCharCode):
2718         (JSC::stringFromSingleCharCode): Deleted.
2719         * runtime/StringConstructor.h:
2720
2721 2016-01-08  Per Arne Vollan  <peavo@outlook.com>
2722
2723         [JSC] Use std::call_once instead of pthread_once when initializing LLVM.
2724         https://bugs.webkit.org/show_bug.cgi?id=152893
2725
2726         Reviewed by Mark Lam.
2727
2728         Use std::call_once since pthreads is not present on all platforms.
2729
2730         * llvm/InitializeLLVM.cpp:
2731         (JSC::initializeLLVMImpl):
2732         (JSC::initializeLLVM):
2733
2734 2016-01-08  Mark Lam  <mark.lam@apple.com>
2735
2736         Rename StringFromCharCode to StringFromSingleCharCode.
2737         https://bugs.webkit.org/show_bug.cgi?id=152897
2738
2739         Reviewed by Daniel Bates.
2740
2741         StringFromSingleCharCode is a better name because the intrinsic it represents
2742         only applies when we are converting from a single char code.  This is purely
2743         a refactoring patch.  There is no semantic change.
2744
2745         * dfg/DFGAbstractInterpreterInlines.h:
2746         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2747         * dfg/DFGByteCodeParser.cpp:
2748         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2749         * dfg/DFGClobberize.h:
2750         (JSC::DFG::clobberize):
2751         * dfg/DFGDoesGC.cpp:
2752         (JSC::DFG::doesGC):
2753         * dfg/DFGFixupPhase.cpp:
2754         (JSC::DFG::FixupPhase::fixupNode):
2755         * dfg/DFGNodeType.h:
2756         * dfg/DFGOperations.cpp:
2757         * dfg/DFGOperations.h:
2758         * dfg/DFGPredictionPropagationPhase.cpp:
2759         (JSC::DFG::PredictionPropagationPhase::propagate):
2760         * dfg/DFGSafeToExecute.h:
2761         (JSC::DFG::safeToExecute):
2762         * dfg/DFGSpeculativeJIT.cpp:
2763         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2764         * dfg/DFGSpeculativeJIT32_64.cpp:
2765         (JSC::DFG::SpeculativeJIT::compile):
2766         * dfg/DFGSpeculativeJIT64.cpp:
2767         (JSC::DFG::SpeculativeJIT::compile):
2768         * runtime/StringConstructor.cpp:
2769         (JSC::stringFromCharCode):
2770         (JSC::stringFromSingleCharCode):
2771         * runtime/StringConstructor.h:
2772
2773 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
2774
2775         [mips] Fixed unused parameter warnings
2776         https://bugs.webkit.org/show_bug.cgi?id=152885
2777
2778         Reviewed by Mark Lam.
2779
2780         * jit/CCallHelpers.h:
2781         (JSC::CCallHelpers::setupArgumentsWithExecState):
2782
2783 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
2784
2785         [mips] Max value of immediate arg of logical ops is 0xffff
2786         https://bugs.webkit.org/show_bug.cgi?id=152884
2787
2788         Reviewed by Michael Saboff.
2789
2790         Replaced imm.m_value < 65535 checks with imm.m_value <= 65535
2791
2792         * assembler/MacroAssemblerMIPS.h:
2793         (JSC::MacroAssemblerMIPS::and32):
2794         (JSC::MacroAssemblerMIPS::or32):
2795
2796 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
2797
2798         [mips] Add new or32 implementation after r194613
2799         https://bugs.webkit.org/show_bug.cgi?id=152865
2800
2801         Reviewed by Michael Saboff.
2802
2803         * assembler/MacroAssemblerMIPS.h:
2804         (JSC::MacroAssemblerMIPS::or32):
2805
2806 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2807
2808         FTL B3 lazy slow paths should do exceptions
2809         https://bugs.webkit.org/show_bug.cgi?id=152853
2810
2811         Reviewed by Saam Barati.
2812
2813         This reduces the number of JSC test failures to 97.
2814
2815         * ftl/FTLLowerDFGToLLVM.cpp:
2816         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2817         * tests/stress/ftl-new-negative-array-size.js: Added.
2818         (foo):
2819
2820 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2821
2822         Unreviewed, skip more tests that fail.
2823
2824         * tests/stress/ftl-shr-exception.js:
2825         (foo):
2826         * tests/stress/ftl-xor-exception.js:
2827         (foo):
2828
2829 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2830
2831         FTL B3 binary snippets should do exceptions
2832         https://bugs.webkit.org/show_bug.cgi?id=152852
2833
2834         Reviewed by Saam Barati.
2835
2836         This reduces the number of JSC test failures to 110.
2837
2838         * ftl/FTLLowerDFGToLLVM.cpp:
2839         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2840         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
2841         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
2842         * tests/stress/ftl-shr-exception.js: Added.
2843         (foo):
2844         (result.foo.valueOf):
2845         * tests/stress/ftl-sub-exception.js: Added.
2846         (foo):
2847         (result.foo.valueOf):
2848         * tests/stress/ftl-xor-exception.js: Added.
2849         (foo):
2850         (result.foo.valueOf):
2851
2852 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2853
2854         Unreviewed, skipping this test. Looks like LLVM can't handle this one, either.
2855
2856         * tests/stress/ftl-call-varargs-bad-args-exception-interesting-live-state.js:
2857         (foo):
2858
2859 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2860
2861         Unreviewed, skipping this test. Looks like LLVM can't handle it.
2862
2863         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
2864         (foo):
2865
2866 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2867
2868         FTL B3 JS calls should do exceptions
2869         https://bugs.webkit.org/show_bug.cgi?id=152851
2870
2871         Reviewed by Geoffrey Garen.
2872
2873         This reduces the number of JSC test failures with FTL B3 to 111.
2874
2875         * dfg/DFGSpeculativeJIT64.cpp:
2876         (JSC::DFG::SpeculativeJIT::emitCall):
2877         * ftl/FTLLowerDFGToLLVM.cpp:
2878         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
2879         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2880         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
2881         * tests/stress/ftl-call-bad-args-exception-interesting-live-state.js: Added.
2882         * tests/stress/ftl-call-bad-callee-exception-interesting-live-state.js: Added.
2883         * tests/stress/ftl-call-exception-interesting-live-state.js: Added.
2884         * tests/stress/ftl-call-exception-no-catch.js: Added.
2885         * tests/stress/ftl-call-exception.js: Added.
2886         * tests/stress/ftl-call-varargs-bad-callee-exception-interesting-live-state.js: Added.
2887         * tests/stress/ftl-call-varargs-exception-interesting-live-state.js: Added.
2888         * tests/stress/ftl-call-varargs-exception-no-catch.js: Added.
2889         * tests/stress/ftl-call-varargs-exception.js: Added.
2890
2891 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2892
2893         FTL B3 PutById should do exceptions
2894         https://bugs.webkit.org/show_bug.cgi?id=152850
2895
2896         Reviewed by Saam Barati.
2897
2898         Implemented PutById exception handling by following the idiom used in GetById. Reduces the
2899         number of JSC test failures to 128.
2900
2901         * ftl/FTLLowerDFGToLLVM.cpp:
2902         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2903         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js: Added.
2904         * tests/stress/ftl-put-by-id-setter-exception-no-catch.js: Added.
2905         * tests/stress/ftl-put-by-id-setter-exception.js: Added.
2906         * tests/stress/ftl-put-by-id-slow-exception-interesting-live-state.js: Added.
2907         * tests/stress/ftl-put-by-id-slow-exception-no-catch.js: Added.
2908         * tests/stress/ftl-put-by-id-slow-exception.js: Added.
2909
2910 2016-01-07  Commit Queue  <commit-queue@webkit.org>
2911
2912         Unreviewed, rolling out r194714.
2913         https://bugs.webkit.org/show_bug.cgi?id=152864
2914
2915         it broke many JSC tests when FTL B3 is enabled (Requested by
2916         pizlo on #webkit).
2917
2918         Reverted changeset:
2919
2920         "[JSC] When resolving Stack arguments, use addressing from SP
2921         when addressing from FP is invalid"
2922         https://bugs.webkit.org/show_bug.cgi?id=152840
2923         http://trac.webkit.org/changeset/194714
2924
2925 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
2926
2927         [mips] Lower immediates of logical operations.
2928         https://bugs.webkit.org/show_bug.cgi?id=152693
2929
2930         On MIPS, immediate operands of andi, ori, and xori are required to be 16-bit
2931         non-negative numbers.
2932
2933         Reviewed by Michael Saboff.
2934
2935         * offlineasm/mips.rb:
2936
2937 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
2938
2939         [JSC] Update testCheckSubBadImm() for ARM64
2940         https://bugs.webkit.org/show_bug.cgi?id=152846
2941
2942         Reviewed by Mark Lam.
2943
2944         * b3/testb3.cpp:
2945         (JSC::B3::testCheckSubBadImm):
2946         The test was assuming the constant can always be used
2947         as immediate. That's obviously not the case on ARM64.
2948
2949 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
2950
2951         FTL B3 getById() should do exceptions
2952         https://bugs.webkit.org/show_bug.cgi?id=152810
2953
2954         Reviewed by Saam Barati.
2955
2956         This adds abstractions for doing exceptions from patchpoints, and uses them to implement
2957         exceptions from GetById. This covers all of the following ways that a GetById might throw an
2958         exceptions:
2959
2960         - Throw without try/catch from the vmCall() in a GetById(Untyped:)
2961         - Throw with try/catch from the vmCall() in a GetById(Untyped:)
2962         - Throw without try/catch from the callOperation() in the patchpoint of a GetById
2963         - Throw with try/catch from the callOperation() in the patchpoint of a GetById
2964         - Throw without try/catch from the Call IC generated in the patchpoint of a GetById
2965         - Throw with try/catch from the Call IC generated in the patchpoint of a GetById
2966
2967         This requires having a default exception target in FTL-generated code, and ensuring that this
2968         target is generated regardless of whether we have branches to the B3 basic block of the
2969         default exception target. This also requires adding some extra arguments to a
2970         PatchpointValue, and then knowing that the arguments are used for OSR exit and not anything
2971         else. This also requires associating the CallSiteIndex of the patchpoint with the register
2972         set used for exit and with the OSR exit label for the unwind exit.
2973
2974         All of the stuff that you have to worry about when wiring a patchpoint to exception handling
2975         is covered by the new PatchpointExceptionHandle object. You create one by calling
2976         preparePatchpointForExceptions(). This sets up the B3 IR representation of the patchpoint
2977         with stackmap arguments for the exceptional exit, and creates a PatchpointExceptionHandle
2978         object that can be used to create zero or more actual OSR exits. It can create both OSR exits
2979         for operation calls and OSR exits for unwind. You call the
2980         PatchpointExceptionHandle::scheduleExitCreationXXX() methods from the generator callback to
2981         actually get OSR exits.
2982
2983         This API makes heavy use of Box<>, late paths, and link tasks. For example, you can use the
2984         PatchpointExceptionHandle to get a Box<JumpList> that you can append exception jumps to. When
2985         you use this API, it automatically registers a link task that will link the JumpList to the
2986         actual OSR exit label.
2987
2988         This API is very flexible about how you get to the label of the OSR exit. You are encouraged
2989         to use the Box<JumpList> approach, but if you really just need the label, you can also get
2990         a RefPtr<ExceptionTarget> and rely on the fact that the ExceptionTarget object will be able
2991         to vend you the OSR exit label at link-time.
2992
2993         This reduces the number of JSC test failures with FTL B3 from 186 to 133. It also adds a
2994         bunch of new tests specifically for all of the ways you might throw from GetById, and B3
2995         passes all of these new tests. Note that I'm not counting the new tests as part of the
2996         previous 186 test failures (FTL B3 failed all of the new tests prior to this change).
2997
2998         After this change, it should be easy to make all of the other patchpoints also handle
2999         exceptions by just following the preparePatchpointForExceptions() idiom.
3000
3001         * CMakeLists.txt:
3002         * JavaScriptCore.xcodeproj/project.pbxproj:
3003         * b3/B3StackmapValue.h:
3004         * b3/B3ValueRep.cpp:
3005         (JSC::B3::ValueRep::addUsedRegistersTo):
3006         (JSC::B3::ValueRep::usedRegisters):
3007         (JSC::B3::ValueRep::dump):
3008         * b3/B3ValueRep.h:
3009         (JSC::B3::ValueRep::doubleValue):
3010         (JSC::B3::ValueRep::withOffset):
3011         (JSC::B3::ValueRep::usedRegisters):
3012         * ftl/FTLB3Compile.cpp:
3013         (JSC::FTL::compile):
3014         * ftl/FTLB3Output.h:
3015         (JSC::FTL::Output::unreachable):
3016         (JSC::FTL::Output::speculate):
3017         * ftl/FTLExceptionTarget.cpp: Added.
3018         (JSC::FTL::ExceptionTarget::~ExceptionTarget):
3019         (JSC::FTL::ExceptionTarget::label):
3020         (JSC::FTL::ExceptionTarget::jumps):
3021         (JSC::FTL::ExceptionTarget::ExceptionTarget):
3022         * ftl/FTLExceptionTarget.h: Added.
3023         * ftl/FTLJITCode.cpp:
3024         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3025         * ftl/FTLLowerDFGToLLVM.cpp:
3026         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3027         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
3028         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
3029         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
3030         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
3031         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
3032         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
3033         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
3034         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
3035         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
3036         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
3037         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
3038         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
3039         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
3040         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
3041         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
3042         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
3043         * ftl/FTLPatchpointExceptionHandle.cpp: Added.
3044         (JSC::FTL::PatchpointExceptionHandle::create):
3045         (JSC::FTL::PatchpointExceptionHandle::defaultHandle):
3046         (JSC::FTL::PatchpointExceptionHandle::~PatchpointExceptionHandle):
3047         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreation):
3048         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3049         (JSC::FTL::PatchpointExceptionHandle::PatchpointExceptionHandle):
3050         (JSC::FTL::PatchpointExceptionHandle::createHandle):
3051         * ftl/FTLPatchpointExceptionHandle.h: Added.
3052         * ftl/FTLState.cpp:
3053         * ftl/FTLState.h:
3054         (JSC::FTL::verboseCompilationEnabled):
3055         * tests/stress/ftl-get-by-id-getter-exception-interesting-live-state.js: Added.
3056         * tests/stress/ftl-get-by-id-getter-exception-no-catch.js: Added.
3057         * tests/stress/ftl-get-by-id-getter-exception.js: Added.
3058         * tests/stress/ftl-get-by-id-slow-exception-interesting-live-state.js: Added.
3059         * tests/stress/ftl-get-by-id-slow-exception-no-catch.js: Added.
3060         * tests/stress/ftl-get-by-id-slow-exception.js: Added.
3061         * tests/stress/ftl-operation-exception-interesting-live-state.js: Added.
3062         * tests/stress/ftl-operation-exception-no-catch.js: Added.
3063
3064 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3065
3066         [mips] Implemented missing branch patching methods.
3067         https://bugs.webkit.org/show_bug.cgi?id=152845
3068
3069         Reviewed by Michael Saboff.
3070
3071         * assembler/MacroAssemblerMIPS.h:
3072         (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranch32WithPatch):
3073         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
3074         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
3075
3076 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
3077
3078         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
3079         https://bugs.webkit.org/show_bug.cgi?id=152840
3080
3081         Reviewed by Mark Lam.
3082
3083         ARM64 has two kinds of addressing with immediates:
3084         - Signed 9-bit direct (really only -256 to 255).
3085         - Unsigned 12-bit scaled by the load/store size.
3086
3087         When resolving the stack addresses, we easily run
3088         past -256 bytes from FP. Addressing from SP gives us more
3089         room to address the stack efficiently because we can
3090         use unsigned immediates.
3091
3092         * b3/B3StackmapSpecial.cpp:
3093         (JSC::B3::StackmapSpecial::repForArg):
3094         * b3/air/AirAllocateStack.cpp:
3095         (JSC::B3::Air::allocateStack):
3096
3097 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3098
3099         [mips] Make repatchCall public to fix compilation.
3100         https://bugs.webkit.org/show_bug.cgi?id=152843
3101
3102         Reviewed by Michael Saboff.
3103
3104         * assembler/MacroAssemblerMIPS.h:
3105         (JSC::MacroAssemblerMIPS::repatchCall):
3106         (JSC::MacroAssemblerMIPS::linkCall): Deleted.
3107
3108 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3109
3110         [mips] Replaced subi with addi in getHostCallReturnValue
3111         https://bugs.webkit.org/show_bug.cgi?id=152841
3112
3113         Reviewed by Michael Saboff.
3114
3115         The MIPS architecture does not have a subi instruction; addi with a negative
3116         number should be used instead.
3117
3118         * jit/JITOperations.cpp:
3119
3120 2016-01-07  Mark Lam  <mark.lam@apple.com>
3121
3122         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
3123         https://bugs.webkit.org/show_bug.cgi?id=152833
3124
3125         Reviewed by Michael Saboff.
3126
3127         Follow-up patch to fix illegal use of memoryTempRegister as the src for ARM64's
3128         store32.
3129
3130         * assembler/MacroAssemblerARM64.h:
3131         (JSC::MacroAssemblerARM64::or32):
3132         (JSC::MacroAssemblerARM64::store):
3133
3134 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3135
3136         [mips] GPRInfo::toArgumentRegister missing
3137         https://bugs.webkit.org/show_bug.cgi?id=152838
3138
3139         Reviewed by Michael Saboff.
3140
3141         * jit/GPRInfo.h:
3142         (JSC::GPRInfo::toArgumentRegister):
3143
3144 2016-01-07  Mark Lam  <mark.lam@apple.com>
3145
3146         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
3147         https://bugs.webkit.org/show_bug.cgi?id=152833
3148
3149         Reviewed by Benjamin Poulain.
3150
3151         * assembler/MacroAssemblerARM.h:
3152         (JSC::MacroAssemblerARM::or32):
3153         - Added some assertions to make sure it is safe to use ARMRegisters::S0 as a temp.
3154         * assembler/MacroAssemblerARM64.h:
3155         (JSC::MacroAssemblerARM64::or32):
3156         - Implement an optimization that avoids reloading the memoryTempRegister when
3157           the immediate is encodable as an instruction immediate.
3158         * assembler/MacroAssemblerARMv7.h:
3159         (JSC::MacroAssemblerARMv7::or32):
3160         - Added an assertion to make sure it is safe to use the dataTempRegister as a temp.
3161         - Implement an optimization that avoids reloading the memoryTempRegister when
3162           the immediate is encodable as an instruction immediate.  In the event that we
3163           cannot encode the immediate, we'll use the addressTempRegister as a temp, and
3164           reload it later.
3165
3166 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3167
3168         [CMake] JSC shell sources should include JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
3169         https://bugs.webkit.org/show_bug.cgi?id=152664
3170
3171         Reviewed by Alex Christensen.
3172
3173         * shell/CMakeLists.txt:
3174
3175 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
3176
3177         Web Inspector: CRASH Attempting to pause on CSP violation not inside of script
3178         https://bugs.webkit.org/show_bug.cgi?id=152825
3179         <rdar://problem/24021276>
3180
3181         Reviewed by Timothy Hatcher.
3182
3183         * debugger/Debugger.cpp:
3184         (JSC::Debugger::breakProgram):
3185         We cannot pause if we are not evaluating JavaScript, so bail.
3186
3187 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
3188
3189         [JSC] Re-enable lea() in Air on ARM64
3190         https://bugs.webkit.org/show_bug.cgi?id=152832
3191
3192         Reviewed by Michael Saboff.
3193
3194         Lea() on the MacroAssembler is not the full x86 Lea (the real one being
3195         x86Lea32()). Instead, it is an addPtr() with SP and a constant.
3196
3197         The instruction is required to implement B3's StackSlot. It is not
3198         safe for big offsets but none of the stack operations are at the moment.
3199
3200         * b3/air/AirOpcode.opcodes:
3201
3202 2016-01-07  Julien Brianceau  <jbriance@cisco.com>
3203
3204         [mips] Add two missing abortWithReason implementations
3205         https://bugs.webkit.org/show_bug.cgi?id=136753
3206
3207         Reviewed by Benjamin Poulain.
3208
3209         * assembler/MacroAssemblerMIPS.h:
3210         (JSC::MacroAssemblerMIPS::memoryFence):
3211         (JSC::MacroAssemblerMIPS::abortWithReason):
3212         (JSC::MacroAssemblerMIPS::readCallTarget):
3213
3214 2016-01-07  Csaba Osztrogonác  <ossy@webkit.org>
3215
3216         Add new or32 implementation to MacroAssemblerARM after r194613
3217         https://bugs.webkit.org/show_bug.cgi?id=152784
3218
3219         Reviewed by Benjamin Poulain.
3220
3221         * assembler/MacroAssemblerARM.h:
3222         (JSC::MacroAssemblerARM::or32):
3223
3224 2016-01-06  Mark Lam  <mark.lam@apple.com>
3225
3226         REGRESSION(r194613): JITMulGenerator needs a scratch GPR on 32-bit too.
3227         https://bugs.webkit.org/show_bug.cgi?id=152805
3228
3229         Reviewed by Michael Saboff.
3230
3231         There aren't enough registers on x86 32-bit to allocate the needed scratch GPR.
3232         So, we'll continue to use one of the result registers as the scratch, and
3233         re-compute the result at the end.
3234
3235         * jit/JITMulGenerator.cpp:
3236         (JSC::JITMulGenerator::generateFastPath):
3237
3238 2016-01-06  Anders Carlsson  <andersca@apple.com>
3239
3240         Add a smart block pointer
3241         https://bugs.webkit.org/show_bug.cgi?id=152799
3242
3243         Reviewed by Tim Horton.
3244
3245         Get rid of RemoteTargetBlock and replace it with WTF::BlockPtr<void ()>.
3246
3247         * inspector/remote/RemoteConnectionToTarget.h:
3248         (Inspector::RemoteTargetBlock::RemoteTargetBlock): Deleted.
3249         (Inspector::RemoteTargetBlock::~RemoteTargetBlock): Deleted.
3250         (Inspector::RemoteTargetBlock::operator=): Deleted.
3251         (Inspector::RemoteTargetBlock::operator()): Deleted.
3252         * inspector/remote/RemoteConnectionToTarget.mm:
3253         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
3254         (Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop):
3255
3256 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
3257
3258         [JSC] More B3 tests passing on ARM64
3259         https://bugs.webkit.org/show_bug.cgi?id=152787
3260
3261         Reviewed by Michael Saboff.
3262
3263         Some more minor bugs.
3264
3265         * assembler/MacroAssemblerARM64.h:
3266         (JSC::MacroAssemblerARM64::urshift64):
3267         The offset was being truncated. That code was just copied
3268         from the 32-bit version of urshift.
3269
3270         * b3/B3LowerToAir.cpp:
3271         (JSC::B3::Air::LowerToAir::createGenericCompare):
3272         Very few instructions can encode -1 as immediate.
3273         TST certainly can't. The fallback works for ARM.
3274
3275         * b3/air/AirOpcode.opcodes:
3276         Bit instructions have very specific immediate encoding.
3277         B3 cannot express that properly yet. I disabled those
3278         forms for now. Immediate encoding is something we'll really
3279         have to look into at some point for B3 ARM64.
3280
3281 2016-01-06  Michael Catanzaro  <mcatanzaro@igalia.com>
3282
3283         Silence -Wtautological-compare
3284         https://bugs.webkit.org/show_bug.cgi?id=152768
3285
3286         Reviewed by Saam Barati.
3287
3288         * runtime/Options.cpp:
3289         (JSC::Options::setAliasedOption):
3290
3291 2016-01-06  Filip Pizlo  <fpizlo@apple.com>
3292
3293         Make sure that the basic throw-from-operation mode of throwing makes sense in FTL B3
3294         https://bugs.webkit.org/show_bug.cgi?id=152798
3295
3296         Reviewed by Oliver Hunt.
3297
3298         This really just contains one change: we inline emitBranchToOSRExitIfWillCatchException()
3299         into callCheck(), since that was its only caller. This makes it a bit more clear what is
3300         going on.
3301
3302         It turns out that FTL B3 already handled this case properly. I added a test that I believe
3303         illustrates this. Note that although the test uses GetById, which ordinarily throws
3304         exceptions from inside a patchpoint, it uses it in such a way that the exception is thrown
3305         from the operation call for the non-cell bypass path of a GetById(UntypedUse:).
3306
3307         * ftl/FTLLowerDFGToLLVM.cpp:
3308         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
3309         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
3310         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
3311         (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException): Deleted.
3312         * tests/stress/ftl-operation-exception.js: Added.
3313         (foo):
3314
3315 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
3316
3317         Web Inspector: Remove duplicate check
3318         https://bugs.webkit.org/show_bug.cgi?id=152792
3319
3320         Reviewed by Timothy Hatcher.
3321
3322         * inspector/InjectedScriptSource.js:
3323         (InjectedScript.RemoteObject.prototype._generatePreview): Deleted.
3324         This method is only called from one place, and it does an equivalent
3325         check before calling this function. Remove the duplicate check.
3326
3327 2016-01-06  Brian Burg  <bburg@apple.com>
3328
3329         Add a WebKit SPI for registering an automation controller with RemoteInspector
3330         https://bugs.webkit.org/show_bug.cgi?id=151576
3331
3332         Reviewed by Dan Bernstein and Joseph Pecoraro.
3333
3334         Given a RemoteInspector endpoint that is instantiated in UIProcess, there
3335         should be a way to delegate automation-related functionality and policy to
3336         clients of WebKit.
3337
3338         This class adds a RemoteInspector::Client interface that serves a delegate.
3339         This is ultimately delegated via _WKAutomationDelegate, which is an SPI
3340         that allows clients to install an Objective-C delegate for automation.
3341
3342         The setting for whether remote automation is allowed is included in the
3343         listing that RemoteInspector sends out. It is updated when RemoteInspector::Client
3344         is assigned, or when the client signals that its capabilities have changed.
3345
3346         * inspector/remote/RemoteInspector.h:
3347         * inspector/remote/RemoteInspector.mm:
3348         (Inspector::RemoteInspector::setRemoteInspectorClient): Added.
3349         (Inspector::RemoteInspector::pushListingsNow):
3350
3351             In the listing, include whether the application supports remote automation.
3352
3353         * inspector/remote/RemoteInspectorConstants.h: Add a constant.
3354
3355 2016-01-05  Keith Miller  <keith_miller@apple.com>
3356
3357         [ES6] Boolean, Number, Map, RegExp, and Set should be subclassable
3358         https://bugs.webkit.org/show_bug.cgi?id=152765
3359
3360         Reviewed by Michael Saboff.
3361
3362         This patch enables subclassing of five more builtins: Boolean, Number, Map, RegExp, and Set.
3363
3364         * runtime/BooleanConstructor.cpp:
3365         (JSC::constructWithBooleanConstructor):
3366         (JSC::constructBoolean): Deleted.
3367         * runtime/BooleanConstructor.h:
3368         * runtime/MapConstructor.cpp:
3369         (JSC::constructMap):
3370         * runtime/NumberConstructor.cpp:
3371         (JSC::constructWithNumberConstructor):
3372         * runtime/RegExpConstructor.cpp:
3373         (JSC::getRegExpStructure):
3374         (JSC::constructRegExp):