FTL should simplify StringReplace with an empty replacement string
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-03-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should simplify StringReplace with an empty replacement string
        https://bugs.webkit.org/show_bug.cgi?id=154871

        Reviewed by Michael Saboff.

        This is a simple and hugely profitable change. If we do a string.replace(/things/, ""), then
        this calls directly into StringPrototype's replace-with-empty-string logic instead of going
        through stuff that does checks before reaching that same conclusion.

        This speeds up Octane/regexp by about 6-10%. It also speeds up the attached microbenchmark by
        about 7%.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
        (JSC::operationStringProtoFuncReplaceRegExpString):
        * runtime/StringPrototype.h:

2016-03-01  Alex Christensen  <achristensen@webkit.org>

        Reduce size of internal Windows build output
        https://bugs.webkit.org/show_bug.cgi?id=154763

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2016-03-01  Saam barati  <sbarati@apple.com>

        [[IsExtensible]] should be a virtual method in the method table
        https://bugs.webkit.org/show_bug.cgi?id=154799

        Reviewed by Mark Lam.

        This patch makes us more consistent with how the ES6 specification models the
        [[IsExtensible]] trap. Moving this method into ClassInfo::methodTable
        is a prerequisite for implementing Proxy.[[IsExtensible]].

        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::preventExtensions):
        (JSC::JSCell::isExtensible):
        * runtime/JSCell.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::isExtensibleImpl):
        (JSC::JSObject::isStructureExtensible):
        (JSC::JSObject::isExtensibleInline):
        (JSC::JSObject::indexingShouldBeSparse):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::isExtensible): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        (JSC::objectConstructorIs):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        * runtime/Structure.h:

2016-03-01  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * jit/JITOperations.h:

2016-03-01  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function. Some not used byte code is emitted
        https://bugs.webkit.org/show_bug.cgi?id=154639

        Reviewed by Saam Barati.

        Currently the bytecode that is generated for an arrow function is not optimal.
        The current fix removes the following unnecessary bytecode:
        1. create_lexical_environment is not always emitted for an arrow function, only if some of the
        features (this/super/arguments/eval) are used inside the arrow function.
        2. Loading 'this' from the arrow function scope in a constructor is done only if super
        is contained in the arrow function.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseAnyFeature):
        * tests/stress/arrowfunction-lexical-bind-supercall-4.js:

2016-02-29  Filip Pizlo  <fpizlo@apple.com>

        Turn String.prototype.replace into an intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=154835

        Reviewed by Michael Saboff.

        Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
        of checks to see if the parameters are what they are likely to often be (a string, a
        regexp, and a string). The intuition of this patch is that it's good to remove those checks
        and it's good to call the native function as directly as possible.

        This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
        It also improves Octane/jquery.

        This is only the beginning of what I want to do with replace optimizations. The other
        optimizations will rely on StringReplace being revealed as a construct in DFG IR.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        (JSC::isStringOrStringObjectSpeculation):
        (JSC::isRegExpObjectSpeculation):
        (JSC::isBoolInt32Speculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
        (JSC::DFG::Node::shouldSpeculateRegExpObject):
        (JSC::DFG::Node::shouldSpeculateSymbol):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateString):
        * jit/JITOperations.h:
        * runtime/Intrinsic.h:
        * runtime/JSType.h:
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::operationStringProtoFuncReplaceRegExpString):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncRepeat):
        (JSC::replace):
        (JSC::stringProtoFuncReplace):
        (JSC::operationStringProtoFuncReplaceGeneric):
        (JSC::stringProtoFuncToString):
        * runtime/StringPrototype.h:

2016-03-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r197056.
        https://bugs.webkit.org/show_bug.cgi?id=154870

        broke win ews (Requested by alexchristensen on #webkit).

        Reverted changeset:

        "[cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK."
        https://bugs.webkit.org/show_bug.cgi?id=154651
        http://trac.webkit.org/changeset/197056

2016-02-29  Saam barati  <sbarati@apple.com>

        [[PreventExtensions]] should be a virtual method in the method table.
        https://bugs.webkit.org/show_bug.cgi?id=154800

        Reviewed by Yusuke Suzuki.

        This patch makes us more consistent with how the ES6 specification models the
        [[PreventExtensions]] trap. Moving this method into ClassInfo::methodTable
        is a prerequisite for implementing Proxy.[[PreventExtensions]].

        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getGenericPropertyNames):
        (JSC::JSCell::preventExtensions):
        * runtime/JSCell.h:
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::JSModuleNamespaceObject):
        (JSC::JSModuleNamespaceObject::finishCreation):
        (JSC::JSModuleNamespaceObject::destroy):
        * runtime/JSModuleNamespaceObject.h:
        (JSC::JSModuleNamespaceObject::create):
        (JSC::JSModuleNamespaceObject::moduleRecord):
        * runtime/JSObject.cpp:
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyAllStaticProperties):
        * runtime/JSObject.h:
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::isExtensible):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectPreventExtensions):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::preventExtensionsTransition):
        * runtime/Structure.h:

2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Private symbols should not be trapped by proxy handler
        https://bugs.webkit.org/show_bug.cgi?id=154817

        Reviewed by Mark Lam.

        Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
        For example, in ArrayIteratorPrototype.js

            var itemKind = this.@arrayIterationKind;
            if (itemKind === @undefined)
                throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");

        Here, we assume that only the array iterator has the @arrayIterationKind property whose value is non-undefined.
        But if we implement a Proxy with a get handler that returns a non-undefined value for every operation, we accidentally assume that the given value is an array iterator.

        To avoid this situation, we perform the default operations for property operations with private symbols.

        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::deleteProperty):
        (JSC::ProxyObject::deletePropertyByIndex):
        * tests/stress/proxy-basic.js:
        * tests/stress/proxy-with-private-symbols.js: Added.
        (assert):
        (let.handler.getOwnPropertyDescriptor):

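The spoofing described in the entry above, and the shape of its fix, as an added JavaScript example that is neither WebKit's runtime code nor its proxy-with-private-symbols.js test: the engine-private @arrayIterationKind is stood in for by an ordinary Symbol (real private symbols are unreachable from script), and the fix is modelled by a wrapper that routes private-symbol keys around the handler.

```javascript
// Constructed stand-in for the engine-private symbol @arrayIterationKind.
const arrayIterationKind = Symbol("arrayIterationKind");
const privateSymbols = new Set([arrayIterationKind]);

function makeArrayIterator(array, kind) {
  return { [arrayIterationKind]: kind, iterated: array, index: 0 };
}

// Same shape as the check quoted from ArrayIteratorPrototype.js: the only evidence
// that |this| is an array iterator is that the private property is non-undefined.
function arrayIteratorNext(self) {
  const itemKind = self[arrayIterationKind];
  if (itemKind === undefined)
    throw new TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");
  return { kind: itemKind, value: self.iterated[self.index++] };
}

// A get handler that returns a non-undefined value for every operation.
const answerEverything = {
  get(target, key, receiver) {
    return key in target ? Reflect.get(target, key, receiver) : "spoofed";
  },
};

// Before the fix: the handler also answers for the private symbol, so a plain object
// wrapped in the Proxy passes the brand check, and the runtime then treats the string
// "spoofed" as the iterator's backing array. Returns true when the check was fooled.
function brandCheckPassesForProxy(wrap) {
  const notAnIterator = wrap({}, answerEverything);
  try {
    arrayIteratorNext(notAnIterator);
    return true;
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
    return false;
  }
}

// Plain ES6 Proxy construction, i.e. the behaviour before the fix.
const plainProxy = (target, handler) => new Proxy(target, handler);

// After the fix (modelled here, not WebKit's C++): property operations keyed by a
// private symbol skip the handler and are performed directly on the target.
function proxyIgnoringPrivateSymbols(target, handler) {
  const guarded = {
    get(t, key, receiver) {
      if (privateSymbols.has(key)) return Reflect.get(t, key, receiver);
      return handler.get ? handler.get(t, key, receiver) : Reflect.get(t, key, receiver);
    },
    has(t, key) {
      if (privateSymbols.has(key)) return Reflect.has(t, key);
      return handler.has ? handler.has(t, key) : Reflect.has(t, key);
    },
  };
  return new Proxy(target, guarded);
}
```

Ordinary keys still reach the handler through the guarded proxy, so user-visible Proxy semantics are unchanged; only the runtime's own private-symbol lookups become untrappable.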
2016-02-29  Filip Pizlo  <fpizlo@apple.com>

        regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=154841

        Reviewed by Benjamin Poulain.

        Here's the deadlock:

        Main thread:
            1) Change an InferredType.  This acquires InferredType::m_lock.
            2) Fire watchpoint set.  This triggers CodeBlock invalidation, which acquires
               CodeBlock::m_lock.

        DFG thread:
            1) Iterate over the information in a CodeBlock.  This acquires CodeBlock::m_lock.
            2) Ask an InferredType for its descriptor().  This acquires InferredType::m_lock.

        I think that the DFG thread's ordering should be legal, because the best logic for lock
        hierarchies is that locks that protect the largest set of stuff should be acquired first.

        This means that the main thread shouldn't be holding the InferredType::m_lock when firing
        watchpoint sets.  That's what this patch ensures.

        At the time of writing, this test was deadlocking for me on trunk 100% of the time.  With
        this change I cannot get it to deadlock.

        * runtime/InferredType.cpp:
        (JSC::InferredType::willStoreValueSlow):
        (JSC::InferredType::makeTopSlow):
        (JSC::InferredType::set):
        (JSC::InferredType::removeStructure):
        (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
        * runtime/InferredType.h:

2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL][B3] Support floor and ceil
        https://bugs.webkit.org/show_bug.cgi?id=154683

        Reviewed by Filip Pizlo.

        This patch implements and fixes the following things.

        1. Implement Ceil and Floor in DFG, FTL and B3

        x86 SSE 4.2 and ARM64 have round instructions that can directly perform Ceil or Floor.
        This patch leverages this functionality. We introduce ArithFloor and ArithCeil.
        During the DFG phase, these nodes attempt to convert themselves to Identity (in the Fixup phase).
        As with ArithRound, they track the arith rounding mode.
        And if these nodes are required to emit machine code, we emit rounding machine code
        if it is supported on the current machine. For example, on x86, we emit `round`.

        This `Floor` functionality is nice for @toInteger in builtins.
        That is used for Array.prototype.{forEach, map, every, some, reduce...}
        And according to the benchmark results, Kraken audio-oscillator is slightly improved
        due to its frequent Math.round and Math.floor calls.

        2. Implement Floor in B3 and Air

        As with Ceil in B3, we add a new B3 IR and Air opcode, Floor.
        This Floor is leveraged to implement ArithFloor in DFG.

        3. Fix ArithRound operation

        Currently, we use cvtsd2si (on x86) to convert a double value to int32.
        And we also use this to implement Math.round, like cvtsd2si(value + 0.5).
        However, this implementation is not correct, because cvtsd2si is not a floor operation.
        It is a truncate operation. This is OK for positive numbers but NG for negative numbers.
        For example, the current implementation accidentally rounds `-0.6` to `-0.0`. This should be `-1.0`.
        Using Ceil and Floor instructions, we implement correct ArithRound.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsFloatingPointRounding):
        (JSC::MacroAssemblerARM::ceilDouble):
        (JSC::MacroAssemblerARM::floorDouble):
        (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::supportsFloatingPointRounding):
        (JSC::MacroAssemblerARM64::floorFloat):
        (JSC::MacroAssemblerARM64::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsFloatingPointRounding):
        (JSC::MacroAssemblerARMv7::ceilDouble):
        (JSC::MacroAssemblerARMv7::floorDouble):
        (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::ceilDouble):
        (JSC::MacroAssemblerMIPS::floorDouble):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointRounding):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsFloatingPointRounding):
        (JSC::MacroAssemblerSH4::ceilDouble):
        (JSC::MacroAssemblerSH4::floorDouble):
        (JSC::MacroAssemblerSH4::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::floorDouble):
        (JSC::MacroAssemblerX86Common::floorFloat):
        (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
        (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil): Deleted.
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::floorConstant):
        * b3/B3ConstDoubleValue.h:
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::floorConstant):
        * b3/B3ConstFloatValue.h:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::floorConstant):
        (JSC::B3::Value::isRounded):
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/air/AirFixPartialRegisterStalls.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testFloorCeilArg):
        (JSC::B3::testFloorArg):
        (JSC::B3::testFloorImm):
        (JSC::B3::testFloorMem):
        (JSC::B3::testFloorFloorArg):
        (JSC::B3::testCeilFloorArg):
        (JSC::B3::testFloorIToD64):
        (JSC::B3::testFloorIToD32):
        (JSC::B3::testFloorArgWithUselessDoubleConversion):
        (JSC::B3::testFloorArgWithEffectfulDoubleConversion):
        (JSC::B3::run):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArithMode.cpp:
        (WTF::printInternal):
        * dfg/DFGArithMode.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::roundShouldSpeculateInt32):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasArithRoundingMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        (JSC::DFG::SpeculativeJIT::compileArithRound): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleFloor):
        * jit/ThunkGenerators.cpp:
        (JSC::ceilThunkGenerator):
        * tests/stress/math-ceil-arith-rounding-mode.js: Added.
        (firstCareAboutZeroSecondDoesNot):
        (firstDoNotCareAboutZeroSecondDoes):
        (warmup):
        (verifyNegativeZeroIsPreserved):
        * tests/stress/math-ceil-basics.js: Added.
        (mathCeilOnIntegers):
        (mathCeilOnDoubles):
        (mathCeilOnBooleans):
        (uselessMathCeil):
        (mathCeilWithOverflow):
        (mathCeilConsumedAsDouble):
        (mathCeilDoesNotCareAboutMinusZero):
        (mathCeilNoArguments):
        (mathCeilTooManyArguments):
        (testMathCeilOnConstants):
        (mathCeilStructTransition):
        (Math.ceil):
        * tests/stress/math-floor-arith-rounding-mode.js: Added.
        (firstCareAboutZeroSecondDoesNot):
        (firstDoNotCareAboutZeroSecondDoes):
        (warmup):
        (verifyNegativeZeroIsPreserved):
        * tests/stress/math-floor-basics.js: Added.
        (mathFloorOnIntegers):
        (mathFloorOnDoubles):
        (mathFloorOnBooleans):
        (uselessMathFloor):
        (mathFloorWithOverflow):
        (mathFloorConsumedAsDouble):
        (mathFloorDoesNotCareAboutMinusZero):
        (mathFloorNoArguments):
        (mathFloorTooManyArguments):
        (testMathFloorOnConstants):
        (mathFloorStructTransition):
        (Math.floor):
        * tests/stress/math-round-should-not-use-truncate.js: Added.
        (mathRoundDoesNotCareAboutMinusZero):
        * tests/stress/math-rounding-infinity.js: Added.
        (shouldBe):
        (testRound):
        (testFloor):
        (testCeil):
        * tests/stress/math-rounding-nan.js: Added.
        (shouldBe):
        (testRound):
        (testFloor):
        (testCeil):
        * tests/stress/math-rounding-negative-zero.js: Added.
        (shouldBe):
        (testRound):
        (testFloor):
        (testCeil):
        (testRoundNonNegativeZero):
        (testRoundNonNegativeZero2):

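The ArithRound defect from item 3 of the entry above, as an added JavaScript example that is not WebKit's code or its math-round-should-not-use-truncate.js test: roundViaTruncate models the old cvtsd2si(value + 0.5) lowering, roundViaFloor builds the result from floor and ceil as the fix describes, and the sample inputs are constructed here (they go a little beyond the -0.6 case, covering -0 and a positive input that the add-then-truncate trick also gets wrong).

```javascript
// Models the old ArithRound lowering: cvtsd2si truncates toward zero, so the
// "value + 0.5" trick only behaves like rounding for non-negative inputs.
function roundViaTruncate(x) {
  return Math.trunc(x + 0.5);
}

// Round built from floor and ceil, matching Math.round semantics: nearest integer,
// ties toward +Infinity, and a negative input that rounds to zero yields -0.
function roundViaFloor(x) {
  if (!Number.isFinite(x) || x === 0) return x;   // NaN, +-Infinity and +-0 pass through
  const down = Math.floor(x);
  const up = Math.ceil(x);                        // equals down when x is already integral
  const result = x - down >= 0.5 ? up : down;     // x - floor(x) is exact in double precision here
  return result === 0 && x < 0 ? -0 : result;     // e.g. -0.4 -> -0, not +0
}

// Constructed sample inputs. -0.6 is the case the change log calls out;
// 0.49999999999999994 + 0.5 rounds up to exactly 1.0 in double precision, so
// adding 0.5 first is wrong even for some positive inputs.
const SAMPLES = [-2.5, -1.5, -0.6, -0.5, -0.4, -0, 0, 0.4, 0.49999999999999994, 0.5, 1.5, 2.5];

// Inputs on which impl disagrees with the engine's Math.round; Object.is tells -0 from +0.
function mismatchesWithMathRound(impl, samples = SAMPLES) {
  return samples.filter((x) => !Object.is(impl(x), Math.round(x)));
}
```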
540 2016-02-29  Joseph Pecoraro  <pecoraro@apple.com>
541
542         Add new MethodTable method to get an estimated size for a cell
543         https://bugs.webkit.org/show_bug.cgi?id=154838
544
545         Reviewed by Filip Pizlo.
546
547         The new class method estimatedSize(JSCell*) estimates the size for a single cell.
548         As the name implies, this is meant to be an approximation. It is more important
549         that big objects report a large size, then to get perfect size information for
550         all objects in the heap.
551
552             Base implementation (JSCell):
553               - returns the MarkedBlock bucket size for this cell.
554               - This gets us the object size include inline storage. Basically a better sizeof.
555
556             Subclasses with "Extra Memory Cost":
557               - Any class that reports extra memory (reportExtraMemoryVisited) should include that in the estimated size.
558               - E.g. CodeBlock, JSGenericTypedArrayView, WeakMapData, etc.
559
560             Subclasses with "Copied Space" storage:
561               - Any class with data in copied space (copyBackingStore) should include that in the estimated size.
562               - E.g. JSObject, JSGenericTypedArrayView, JSMap, JSSet, DirectArguments, etc.
563
564         Add reportExtraMemoryVisited for UnlinkedCodeBlock's compressed unlinked
565         instructions because this can be larger than 1kb, which is significant.
566
567         This has one special case for RegExp generated bytecode / JIT code, which
568         does not currently fall into the extra memory cost or copied space storage.
569         In practice I haven't seen this grow to a significant cost.
570
571         * runtime/ClassInfo.h:
572         Add the new estimatedSize method to the table.
573
574         * bytecode/UnlinkedCodeBlock.cpp:
575         (JSC::UnlinkedCodeBlock::visitChildren):
576         (JSC::UnlinkedCodeBlock::estimatedSize):
577         (JSC::UnlinkedCodeBlock::setInstructions):
578         * bytecode/UnlinkedCodeBlock.h:
579         Report an extra memory cost for unlinked code blocks like
580         we do for linked code blocks.
581
582         * bytecode/CodeBlock.cpp:
583         (JSC::CodeBlock::estimatedSize):
584         * bytecode/CodeBlock.h:
585         * bytecode/UnlinkedInstructionStream.cpp:
586         (JSC::UnlinkedInstructionStream::sizeInBytes):
587         * bytecode/UnlinkedInstructionStream.h:
588         * runtime/DirectArguments.cpp:
589         (JSC::DirectArguments::estimatedSize):
590         * runtime/DirectArguments.h:
591         * runtime/JSCell.cpp:
592         (JSC::JSCell::estimatedSizeInBytes):
593         (JSC::JSCell::estimatedSize):
594         * runtime/JSCell.h:
595         * runtime/JSGenericTypedArrayView.h:
596         * runtime/JSGenericTypedArrayViewInlines.h:
597         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
598         * runtime/JSMap.cpp:
599         (JSC::JSMap::estimatedSize):
600         * runtime/JSMap.h:
601         * runtime/JSObject.cpp:
602         (JSC::JSObject::visitButterfly):
603         * runtime/JSObject.h:
604         * runtime/JSSet.cpp:
605         (JSC::JSSet::estimatedSize):
606         * runtime/JSSet.h:
607         * runtime/JSString.cpp:
608         (JSC::JSString::estimatedSize):
609         * runtime/JSString.h:
610         * runtime/MapData.h:
611         (JSC::MapDataImpl::capacityInBytes):
612         * runtime/WeakMapData.cpp:
613         (JSC::WeakMapData::estimatedSize):
614         (JSC::WeakMapData::visitChildren):
615         * runtime/WeakMapData.h:
616         Implement estimated size following the pattern of reporting
617         extra visited size, or copy space memory.
618
619         * runtime/RegExp.cpp:
620         (JSC::RegExp::estimatedSize):
621         * runtime/RegExp.h:
622         * yarr/YarrInterpreter.h:
623         (JSC::Yarr::ByteDisjunction::estimatedSizeInBytes):
624         (JSC::Yarr::BytecodePattern::estimatedSizeInBytes):
625         * yarr/YarrJIT.h:
626         (JSC::Yarr::YarrCodeBlock::size):
627         Include generated bytecode / JITCode to a RegExp's size.
628
629 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
630
631         SpeculatedType should be easier to edit
632         https://bugs.webkit.org/show_bug.cgi?id=154840
633
634         Reviewed by Mark Lam.
635
636         We used to specify the bitmasks in SpeculatedType.h using hex codes. This used to work
637         great because we didn't have so many masks and you could use the mask to visually see
638         which ones overlapped. It also made it easy to visualize subset relationships.
639
640         But now we have a lot of masks with a lot of confusing overlaps, and it's no longer
641         possible to just see their relationship by looking at hex codes. Worse, the use of hex
642         codes makes it super annoying to move the bits around. For example, right now we have two
643         bits free, but if we wanted to reclaim them by editing the old hex masks, it would be a
644         nightmare.
645
646         So this patch replaces the hex masks with shift expressions (1u << 15 for example) and it
647         makes any derived masks (i.e. masks that are the bit-or of other masks) be expressed using
648         an or expression (SpecFoo | SpecBar | SpecBaz for example).
649
650         This makes it easier to see the relationships and it makes it easier to take bits for new
651         types.
652
653         * bytecode/SpeculatedType.h:
654
655 2016-02-29  Keith Miller  <keith_miller@apple.com>
656
657         OverridesHasInstance constant folding is wrong
658         https://bugs.webkit.org/show_bug.cgi?id=154833
659
660         Reviewed by Filip Pizlo.
661
662         The current implementation of OverridesHasInstance constant folding
663         is incorrect. Since it relies on OSR exit information it has been
664         moved to the StrengthReductionPhase. Normally, such an optimazation would be
665         put in FixupPhase, however, there are a number of cases where we don't
666         determine an edge of OverridesHasInstance is a constant until after fixup.
667         Performing the optimization during StrengthReductionPhase means we can defer
668         our decision until later.
669
670         In the future we should consider creating a version of this optimization
671         that does not depend on OSR exit information and move the optimization back
672         to ConstantFoldingPhase.
673
674         * dfg/DFGConstantFoldingPhase.cpp:
675         (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
676         * dfg/DFGStrengthReductionPhase.cpp:
677         (JSC::DFG::StrengthReductionPhase::handleNode):
678
679 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
680
681         B3 should have global store elimination
682         https://bugs.webkit.org/show_bug.cgi?id=154658
683
684         Reviewed by Benjamin Poulain.
685
686         Implements fairly comprehensive global store elimination:
687
688         1) If you store the result of a load with no interference in between, remove the store.
689
690         2) If you store the same thing you stored previously, remove the store.
691
692         3) If you store something that you either loaded previously or stored previously along
693            arbitrarily many paths, remove the store.
694
695         4) If you store to something that is stored to again in the future with no interference in
696            between, remove the store.
697
698         Rule (4) is super relevant to FTL since the DFG does not eliminate redundant PutStructures.
699         A constructor that produces a large object will have many redundant stores to the same base
700         pointer, offset, and heap range, with no code to observe that heap range in between.
701
702         This doesn't have a decisive effect on major benchmarks, but it's an enormous win for
703         microbenchmarks:
704
705         - 30% faster to construct an object with many fields.
706
707         - 5x faster to do many stores to a global variable.
708
709         The compile time cost should be very small. Although the optimization is global, it aborts as
710         soon as it sees anything that would confound store elimination. For rules (1)-(3), we
711         piggy-back the existing load elimination, which gives up on interfering stores. For rule (4),
712         we search forward through the current block and then globally a block at a time (skipping
713         block contents thanks to summary data), which could be expensive. But rule (4) aborts as soon
714         as it sees a read, write, or end block (Return or Oops). Any Check will claim to read TOP. Any
715         Patchpoint that results from an InvalidationPoint will claim to read TOP, as will any
716         Patchpoints for ICs. Those are usually sprinkled all over the program.
717
718         In other words, this optimization rarely kicks in. When it does kick in, it makes programs run
719         faster. When it doesn't kick in, it's usually O(1) because there are reasons for aborting all
720         over a "normal" program so the search will halt almost immediately. This of course raises the
721         question: how much more in compile time do we pay when the optimization does kick in? The
722         optimization kicks in the most for the microbenchmarks I wrote for this patch. Amazingly, the
723         effect of the optimization is a wash for compile time: whatever cost we pay doing the O(n^2)
724         searches is balanced by the massive reduction in work in the backend. On one of the two
725         microbenchmarks, overall compile time actually shrank with this optimization even though CSE
726         itself cost more. That's not too surprising - the backend costs much more per instruction, so
727         things that remove instructions before we get to the backend tend to be a good idea.
728
729         We could consider adding a more aggressive version of this in the future, which could sink
730         stores into checks. That could be crazy fun: https://bugs.webkit.org/show_bug.cgi?id=152162#c3
731
732         But mainly, I'm adding this optimization because it was super fun to implement during the
733         WebAssembly CG summit.
734
735         * b3/B3EliminateCommonSubexpressions.cpp:
736         * b3/B3MemoryValue.h:
737         * b3/B3SuccessorCollection.h:
738         (JSC::B3::SuccessorCollection::begin):
739         (JSC::B3::SuccessorCollection::end):
740         (JSC::B3::SuccessorCollection::const_iterator::const_iterator):
741         (JSC::B3::SuccessorCollection::const_iterator::operator*):
742         (JSC::B3::SuccessorCollection::const_iterator::operator++):
743         (JSC::B3::SuccessorCollection::const_iterator::operator==):
744         (JSC::B3::SuccessorCollection::const_iterator::operator!=):
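
Rules (1), (2) and (4) applied within a single basic block, as an added example for this entry; it is not B3's B3EliminateCommonSubexpressions code, and the Op/Value representation, the helper names and the constructed sample block are assumptions.

```cpp
// Added example (not WebKit/B3 code): a single-block version of store elimination
// rules (1), (2) and (4). HeapRange stands in for B3's range-based alias info; a
// Call models anything that claims to read and write TOP (Checks, IC patchpoints).
#include <cstdint>
#include <cstdio>
#include <vector>

struct HeapRange {
    uint32_t begin, end;  // half-open: affects every abstract heap H with begin <= H < end
    bool overlaps(const HeapRange& other) const { return begin < other.end && other.begin < end; }
};
static const HeapRange TOP{0, UINT32_MAX};

enum class Op { Load, Store, Const, Call, Return };

struct Value {
    Op op;
    HeapRange range;  // Load/Store: the heap touched; Call: TOP
    int src;          // Store only: index of the SSA value being stored
    bool dead;        // set by eliminateRedundantStores
    Value(Op o, HeapRange r = {0, 0}, int s = -1) : op(o), range(r), src(s), dead(false) {}
};

static bool sameLocation(const HeapRange& a, const HeapRange& b) {
    return a.begin == b.begin && a.end == b.end;
}

// Does this value possibly write / read the given range? Dead values no longer count.
static bool writes(const Value& v, const HeapRange& r) {
    if (v.dead) return false;
    if (v.op == Op::Call) return true;
    return v.op == Op::Store && v.range.overlaps(r);
}
static bool reads(const Value& v, const HeapRange& r) {
    if (v.dead) return false;
    if (v.op == Op::Call) return true;
    return v.op == Op::Load && v.range.overlaps(r);
}

// Rules (1) and (2): walk backwards for a load or store that already put the same
// value at this location, aborting on the first interfering write.
static bool storeIsRedundantBackward(const std::vector<Value>& block, int i) {
    const Value& store = block[i];
    for (int j = i - 1; j >= 0; --j) {
        const Value& prev = block[j];
        if (prev.dead) continue;
        if (prev.op == Op::Load && sameLocation(prev.range, store.range) && j == store.src)
            return true;  // rule (1): storing back exactly what was loaded
        if (prev.op == Op::Store && sameLocation(prev.range, store.range))
            return prev.src == store.src;  // rule (2): same thing as the previous store
        if (writes(prev, store.range))
            return false;  // interfering write: give up on this store
    }
    return false;
}

// Rule (4): walk forwards; the store is dead if it is overwritten before anything could
// observe it. A read of an overlapping range, a Call (reads TOP) or the Return aborts.
static bool storeIsDeadForward(const std::vector<Value>& block, int i) {
    const Value& store = block[i];
    for (size_t j = i + 1; j < block.size(); ++j) {
        const Value& next = block[j];
        if (next.dead) continue;
        if (next.op == Op::Return || reads(next, store.range)) return false;
        if (next.op == Op::Store && sameLocation(next.range, store.range)) return true;
        if (writes(next, store.range)) return false;  // partial overlap: keep it
    }
    return false;  // ran off the block; the global version would keep searching successors
}

static int eliminateRedundantStores(std::vector<Value>& block) {
    int removed = 0;
    for (size_t i = 0; i < block.size(); ++i)
        if (block[i].op == Op::Store && storeIsRedundantBackward(block, (int)i)) { block[i].dead = true; ++removed; }
    for (size_t i = 0; i < block.size(); ++i)
        if (block[i].op == Op::Store && !block[i].dead && storeIsDeadForward(block, (int)i)) { block[i].dead = true; ++removed; }
    return removed;
}

// Constructed sample: roughly what a constructor with repeated PutStructures lowers to.
static std::vector<Value> constructorBlock() {
    const HeapRange structure{0, 1}, field{1, 2}, other{2, 3};
    return {
        {Op::Load, structure},      // 0: v0 = load o->structure
        {Op::Store, structure, 0},  // 1: store v0 back               -> rule (1)
        {Op::Const},                // 2: v2 = constant
        {Op::Store, field, 2},      // 3: first store of v2 to field
        {Op::Store, field, 2},      // 4: same thing again             -> rule (2)
        {Op::Store, structure, 2},  // 5: overwritten by 8, never read -> rule (4)
        {Op::Store, other, 2},      // 6: read by 9, must stay
        {Op::Const},                // 7: v7 = constant
        {Op::Store, structure, 7},  // 8: the Call reads TOP, must stay
        {Op::Load, other},          // 9
        {Op::Call, TOP},            // 10
        {Op::Return},               // 11
    };
}

// Bitmask of the sample's dead indices (bit i set <=> block[i] was removed).
static unsigned sampleDeadMask() {
    std::vector<Value> block = constructorBlock();
    eliminateRedundantStores(block);
    unsigned mask = 0;
    for (size_t i = 0; i < block.size(); ++i)
        if (block[i].dead) mask |= 1u << i;
    return mask;
}

int main() {
    std::vector<Value> block = constructorBlock();
    std::printf("removed %d stores, dead mask 0x%x\n", eliminateRedundantStores(block), sampleDeadMask());
    return 0;
}
```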
745
746 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
747
748         Make it cheap to #include "JITOperations.h"
749         https://bugs.webkit.org/show_bug.cgi?id=154836
750
751         Reviewed by Mark Lam.
752
753         Prior to this change, this header included the whole world even though it didn't have any
754         definitions. This patch turns almost all of the includes into forward declarations. Right
755         now this header is very cheap to include.
756
757         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
758         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
759         * JavaScriptCore.xcodeproj/project.pbxproj:
760         * dfg/DFGSpeculativeJIT.h:
761         * jit/JITOperations.cpp:
762         * jit/JITOperations.h:
763         * jit/Repatch.h:
764         * runtime/CommonSlowPaths.h:
765         (JSC::encodeResult): Deleted.
766         (JSC::decodeResult): Deleted.
767         * runtime/SlowPathReturnType.h: Added.
768         (JSC::encodeResult):
769         (JSC::decodeResult):
770
771 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
772
773         FTL should be able to run everything in Octane/regexp
774         https://bugs.webkit.org/show_bug.cgi?id=154266
775
776         Reviewed by Saam Barati.
777
778         Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
779         make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
780         DFG backend optimization anyway - if we need this optimization then it should be a
781         strength reduction rule over IR. That way, it can be shared by all backends.
782
783         I measured whether removing that optimization had any effect on performance separately
784         from measuring the performance of this patch. Removing that optimization did not change
785         our score on any benchmarks.
786
787         This patch does have an overall negative effect on the Octane/regexp score. This is
788         presumably because tiering up to the FTL has no value to the code in the regexp test. Or
789         maybe it's something else. No matter - the overall effect on the Octane score is not
790         statistically significant and we don't want this kind of coverage blocked by the fact
791         that adding coverage hurts a benchmark.
792
793         * dfg/DFGByteCodeParser.cpp:
794         (JSC::DFG::ByteCodeParser::parseBlock):
795         * dfg/DFGNode.h:
796         (JSC::DFG::Node::setIndexingType):
797         (JSC::DFG::Node::hasRegexpIndex):
798         * dfg/DFGSpeculativeJIT.cpp:
799         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
800         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
801         (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
802         * dfg/DFGSpeculativeJIT32_64.cpp:
803         (JSC::DFG::SpeculativeJIT::compile):
804         * dfg/DFGSpeculativeJIT64.cpp:
805         (JSC::DFG::SpeculativeJIT::compile):
806         * ftl/FTLCapabilities.cpp:
807         (JSC::FTL::canCompile):
808         * ftl/FTLLowerDFGToB3.cpp:
809         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
810         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
811         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
812         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
813         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
814         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
815         * tests/stress/ftl-regexp-exec.js: Added.
816         * tests/stress/ftl-regexp-test.js: Added.
817
818 2016-02-28  Andreas Kling  <akling@apple.com>
819
820         Make JSFunction.name allocation fully lazy.
821         <https://webkit.org/b/154806>
822
823         Reviewed by Saam Barati.
824
825         We were reifying the "name" field on functions lazily, but created the string
826         value itself up front. This patch gets rid of the up-front allocation,
827         saving us a JSString allocation per function in most cases.
828
829         * builtins/BuiltinExecutables.cpp:
830         (JSC::createExecutableInternal):
831         * bytecode/UnlinkedFunctionExecutable.cpp:
832         (JSC::UnlinkedFunctionExecutable::visitChildren):
833         * bytecode/UnlinkedFunctionExecutable.h:
834         * runtime/CodeCache.cpp:
835         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
836         * runtime/Executable.h:
837         * runtime/JSFunction.cpp:
838         (JSC::JSFunction::reifyName):
839
840 2016-02-28  Andreas Kling  <akling@apple.com>
841
842         REGRESSION(r197303): 4 jsc tests failing on bots.
843
844         Unreviewed follow-up fix.
845
846         * bytecode/UnlinkedCodeBlock.cpp:
847         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
848         can still get called with !m_rareData, in case the type profiler is active but this
849         particular code block doesn't have type profiler data. Handle it gracefully.
850
851 2016-02-28  Andreas Kling  <akling@apple.com>
852
853         Shrink UnlinkedCodeBlock a bit.
854         <https://webkit.org/b/154797>
855
856         Reviewed by Anders Carlsson.
857
858         Move profiler-related members of UnlinkedCodeBlock into its RareData
859         structure, saving 40 bytes, and then reorder the other members of
860         UnlinkedCodeBlock to save another 24 bytes, netting a nice total 64.
861
862         The VM member was removed entirely since UnlinkedCodeBlock is a cell
863         and can retrieve its VM through MarkedBlock header lookup.
864
865         * bytecode/UnlinkedCodeBlock.cpp:
866         (JSC::UnlinkedCodeBlock::vm):
867         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
868         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
869         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
870         * bytecode/UnlinkedCodeBlock.h:
871         (JSC::UnlinkedCodeBlock::addRegExp):
872         (JSC::UnlinkedCodeBlock::addConstant):
873         (JSC::UnlinkedCodeBlock::addFunctionDecl):
874         (JSC::UnlinkedCodeBlock::addFunctionExpr):
875         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
876         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
877         (JSC::UnlinkedCodeBlock::vm): Deleted.
878
879 2016-02-27  Filip Pizlo  <fpizlo@apple.com>
880
881         FTL should lower its abstract heaps to B3 heap ranges
882         https://bugs.webkit.org/show_bug.cgi?id=154782
883
884         Reviewed by Saam Barati.
885
886         The FTL can describe the abstract heaps (points-to sets) that a memory operation will
887         affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
888         TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
889         notion - the HeapRange. That's what this patch fixes.
890
891         B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
892         integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
893         affects by specifying a heap range: a begin...end pair that says that the operation
894         affects all abstract heaps H such that begin <= H < end.
895
896         This peculiar scheme was a deliberate attempt to distill what the abstract heap
897         hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:
898
899         - A heap's end is greater than its begin.
900         - A heap's begin is greater than or equal to its parent's begin.
901         - A heap's end is less than or equal to its parent's end.
902
903         This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
904         went for the iterative traversal, which is a splendid algorithm, but it's totally
905         unnecessary here since we tightly control the height of the heap hierarchy.
906
907         Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
908         generate new ones for field names and constant indices we encounter, we can't actually
909         decorate the B3 instructions we create in lowering until all lowering is done. Adding a
910         new abstract heap to the hierarchy after ranges were already computed would require
911         updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
912         patch solves that problem by recording the associations between abstract heaps and their
913         intended roles in the generated IR, and then decorating all of the relevant B3 values
914         after we compute the ranges of the hierarchy after lowering.
915
916         This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
917         speed-up on any benchmark. That's not too surprising. We already have very precise CSE
918         in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
919         already been getting the big ones even without alias analysis.
920
921         Even without a speed-up, this patch is valuable because it makes it easier to implement
922         other optimizations, like store elimination.
923
924         * b3/B3HeapRange.h:
925         (JSC::B3::HeapRange::HeapRange):
926         * ftl/FTLAbstractHeap.cpp:
927         (JSC::FTL::AbstractHeap::AbstractHeap):
928         (JSC::FTL::AbstractHeap::changeParent):
929         (JSC::FTL::AbstractHeap::compute):
930         (JSC::FTL::AbstractHeap::shallowDump):
931         (JSC::FTL::AbstractHeap::dump):
932         (JSC::FTL::AbstractHeap::deepDump):
933         (JSC::FTL::AbstractHeap::badRangeError):
934         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
935         (JSC::FTL::IndexedAbstractHeap::baseIndex):
936         (JSC::FTL::IndexedAbstractHeap::atSlow):
937         (JSC::FTL::IndexedAbstractHeap::initialize):
938         (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
939         (JSC::FTL::AbstractField::dump): Deleted.
940         * ftl/FTLAbstractHeap.h:
941         (JSC::FTL::AbstractHeap::AbstractHeap):
942         (JSC::FTL::AbstractHeap::isInitialized):
943         (JSC::FTL::AbstractHeap::initialize):
944         (JSC::FTL::AbstractHeap::parent):
945         (JSC::FTL::AbstractHeap::heapName):
946         (JSC::FTL::AbstractHeap::range):
947         (JSC::FTL::AbstractHeap::offset):
948         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
949         (JSC::FTL::IndexedAbstractHeap::at):
950         (JSC::FTL::IndexedAbstractHeap::operator[]):
951         (JSC::FTL::IndexedAbstractHeap::returnInitialized):
952         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
953         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
954         (JSC::FTL::AbstractHeap::changeParent): Deleted.
955         (JSC::FTL::AbstractField::AbstractField): Deleted.
956         (JSC::FTL::AbstractField::initialize): Deleted.
957         (JSC::FTL::AbstractField::offset): Deleted.
958         * ftl/FTLAbstractHeapRepository.cpp:
959         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
960         (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
961         (JSC::FTL::AbstractHeapRepository::decorateMemory):
962         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
963         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
964         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
965         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
966         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
967         * ftl/FTLAbstractHeapRepository.h:
968         (JSC::FTL::AbstractHeapRepository::forArrayType):
969         (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
970         * ftl/FTLLowerDFGToB3.cpp:
971         (JSC::FTL::DFG::LowerDFGToB3::lower):
972         * ftl/FTLOutput.cpp:
973         (JSC::FTL::Output::load):
974         (JSC::FTL::Output::load8SignExt32):
975         (JSC::FTL::Output::load8ZeroExt32):
976         (JSC::FTL::Output::load16SignExt32):
977         (JSC::FTL::Output::load16ZeroExt32):
978         (JSC::FTL::Output::store):
979         (JSC::FTL::Output::store32As8):
980         (JSC::FTL::Output::store32As16):
981         (JSC::FTL::Output::baseIndex):
982         * ftl/FTLOutput.h:
983         (JSC::FTL::Output::address):
984         (JSC::FTL::Output::absolute):
985         (JSC::FTL::Output::load8SignExt32):
986         (JSC::FTL::Output::load8ZeroExt32):
987         (JSC::FTL::Output::load16SignExt32):
988         (JSC::FTL::Output::load16ZeroExt32):
989         (JSC::FTL::Output::load32):
990         (JSC::FTL::Output::load64):
991         (JSC::FTL::Output::loadPtr):
992         (JSC::FTL::Output::loadDouble):
993         (JSC::FTL::Output::store32):
994         (JSC::FTL::Output::store64):
995         (JSC::FTL::Output::storePtr):
996         (JSC::FTL::Output::storeDouble):
997         (JSC::FTL::Output::ascribeRange):
998         (JSC::FTL::Output::nonNegative32):
999         (JSC::FTL::Output::load32NonNegative):
1000         (JSC::FTL::Output::equal):
1001         (JSC::FTL::Output::notEqual):
1002         * ftl/FTLTypedPointer.h:
1003         (JSC::FTL::TypedPointer::operator!):
1004         (JSC::FTL::TypedPointer::heap):
1005         (JSC::FTL::TypedPointer::value):
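
A worked illustration of the begin...end numbering scheme described above, added for this entry; it is not WebKit's FTLAbstractHeap code, and the heap names, the compute/invariantsHold helpers and the runDemo driver are assumptions.

```cpp
// Added example (not WebKit code): assigns B3-style [begin, end) ranges to a tree of
// abstract heaps by recursive traversal, checks the three invariants from the ChangeLog,
// and shows why a heap discovered late forces the ranges to be recomputed.
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

struct HeapRange {
    uint32_t begin = 0;
    uint32_t end = 0;
    // Half-open ranges intersect iff each starts before the other ends.
    bool overlaps(const HeapRange& other) const { return begin < other.end && other.begin < end; }
};

struct AbstractHeap {
    std::string name;
    AbstractHeap* parent = nullptr;
    std::vector<AbstractHeap*> children;
    HeapRange range;
    bool initialized = false;

    AbstractHeap(std::string heapName, AbstractHeap* parentHeap = nullptr)
        : name(std::move(heapName)), parent(parentHeap) {
        if (parent) parent->children.push_back(this);
    }
};

// Recursive traversal. A leaf takes exactly one number; an interior heap spans all of
// its descendants. That yields: end > begin, begin >= parent.begin, end <= parent.end.
static uint32_t compute(AbstractHeap& heap, uint32_t begin) {
    heap.range.begin = begin;
    uint32_t current = begin;
    if (heap.children.empty())
        current += 1;
    else
        for (AbstractHeap* child : heap.children) current = compute(*child, current);
    heap.range.end = current;
    heap.initialized = true;
    return current;
}

static bool invariantsHold(const AbstractHeap& heap) {
    if (!heap.initialized || heap.range.end <= heap.range.begin) return false;
    if (heap.parent) {
        if (heap.range.begin < heap.parent->range.begin) return false;
        if (heap.range.end > heap.parent->range.end) return false;
    }
    for (const AbstractHeap* child : heap.children)
        if (!invariantsHold(*child)) return false;
    return true;
}

struct DemoResult {
    bool invariantsOk = false;
    bool leafVsSibling = true;   // structureID vs indexingType: must not alias
    bool parentVsChild = false;  // JSCell vs structureID: must alias
    bool cellVsObject = true;    // JSCell subtree vs JSObject subtree: must not alias
    uint32_t objectBeginBefore = 0, objectBeginAfter = 0, rootEndAfter = 0;
};

static DemoResult runDemo() {
    AbstractHeap root("root");
    AbstractHeap cell("JSCell", &root);
    AbstractHeap structureID("JSCell_structureID", &cell);
    AbstractHeap indexingType("JSCell_indexingType", &cell);
    AbstractHeap object("JSObject", &root);
    AbstractHeap butterfly("JSObject_butterfly", &object);

    DemoResult r;
    compute(root, 0);
    r.invariantsOk = invariantsHold(root);
    r.leafVsSibling = structureID.range.overlaps(indexingType.range);
    r.parentVsChild = cell.range.overlaps(structureID.range);
    r.cellVsObject = cell.range.overlaps(object.range);
    r.objectBeginBefore = object.range.begin;

    // Lowering discovers a new field heap after ranges were computed. Every heap "to the
    // right" of it shifts, which is why decoration of B3 values is deferred until all
    // lowering is done and the ranges are computed once.
    AbstractHeap cellState("JSCell_cellState", &cell);
    compute(root, 0);
    r.objectBeginAfter = object.range.begin;
    r.rootEndAfter = root.range.end;
    r.invariantsOk = r.invariantsOk && invariantsHold(root);
    return r;
}

int main() {
    DemoResult r = runDemo();
    std::printf("invariants %d, JSObject.begin %u -> %u, root.end %u\n",
        r.invariantsOk, r.objectBeginBefore, r.objectBeginAfter, r.rootEndAfter);
    return 0;
}
```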
1006
1007 2016-02-28  Skachkov Oleksandr  <gskachkov@gmail.com>
1008
1009         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
1010         https://bugs.webkit.org/show_bug.cgi?id=153981
1011
1012         Reviewed by Saam Barati.
1013        
1014         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
1015         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
1016         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
1017         During syntax analysis the parser stores information about which variables are used in arrow functions inside of
1018         the ordinary function scope and then passes it to BytecodeGenerator through UnlinkedCodeBlock.
1019
1020         * bytecompiler/BytecodeGenerator.cpp:
1021         (JSC::BytecodeGenerator::BytecodeGenerator):
1022         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1023         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1024         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
1025         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1026         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1027         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1028         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
1029         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1030         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1031         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1032         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1033         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1034         * bytecompiler/BytecodeGenerator.h:
1035         * bytecompiler/NodesCodegen.cpp:
1036         (JSC::ThisNode::emitBytecode):
1037         (JSC::EvalFunctionCallNode::emitBytecode):
1038         (JSC::FunctionNode::emitBytecode):
1039         * parser/ASTBuilder.h:
1040         (JSC::ASTBuilder::createBracketAccess):
1041         (JSC::ASTBuilder::createDotAccess):
1042         (JSC::ASTBuilder::usesSuperCall):
1043         (JSC::ASTBuilder::usesSuperProperty):
1044         (JSC::ASTBuilder::makeFunctionCallNode):
1045         * parser/Nodes.cpp:
1046         (JSC::ScopeNode::ScopeNode):
1047         (JSC::ProgramNode::ProgramNode):
1048         (JSC::ModuleProgramNode::ModuleProgramNode):
1049         (JSC::EvalNode::EvalNode):
1050         (JSC::FunctionNode::FunctionNode):
1051         * parser/Nodes.h:
1052         (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
1053         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
1054         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
1055         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
1056         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
1057         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
1058         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
1059         (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
1060         (JSC::ScopeNode::usesSuperCall):
1061         (JSC::ScopeNode::usesSuperProperty):
1062         * parser/Parser.cpp:
1063         (JSC::Parser<LexerType>::parseProperty):
1064         (JSC::Parser<LexerType>::parsePrimaryExpression):
1065         (JSC::Parser<LexerType>::parseMemberExpression):
1066         * parser/Parser.h:
1067         (JSC::Scope::Scope):
1068         (JSC::Scope::isArrowFunctionBoundary):
1069         (JSC::Scope::innerArrowFunctionFeatures):
1070         (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
1071         (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
1072         (JSC::Scope::setInnerArrowFunctionUsesEval):
1073         (JSC::Scope::setInnerArrowFunctionUsesThis):
1074         (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
1075         (JSC::Scope::setInnerArrowFunctionUsesArguments):
1076         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1077         (JSC::Scope::collectFreeVariables):
1078         (JSC::Scope::mergeInnerArrowFunctionFeatures):
1079         (JSC::Scope::fillParametersForSourceProviderCache):
1080         (JSC::Scope::restoreFromSourceProviderCache):
1081         (JSC::Scope::setIsFunction):
1082         (JSC::Scope::setIsArrowFunction):
1083         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
1084         (JSC::Parser::pushScope):
1085         (JSC::Parser::popScopeInternal):
1086         (JSC::Parser<LexerType>::parse):
1087         * parser/ParserModes.h:
1088         * parser/SourceProviderCacheItem.h:
1089         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1090         * parser/SyntaxChecker.h:
1091         (JSC::SyntaxChecker::createFunctionMetadata):
1092         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1093         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1094         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1095         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1096         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1097
1098 2016-02-28  Saam barati  <sbarati@apple.com>
1099
1100         ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
1101         https://bugs.webkit.org/show_bug.cgi?id=154768
1102
1103         Reviewed by Ryosuke Niwa.
1104
1105         This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
1106         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
1107         We weren't correctly propagating the result of this operation to the
1108         out PropertySlot& parameter. This patch fixes that and adds tests.
1109
1110         * runtime/ObjectConstructor.cpp:
1111         (JSC::objectConstructorGetOwnPropertyDescriptor):
1112         I added a missing exception check after object allocation
1113         because I saw that it was missing while reading the code.
1114
1115         * runtime/PropertyDescriptor.cpp:
1116         (JSC::PropertyDescriptor::setUndefined):
1117         (JSC::PropertyDescriptor::slowGetterSetter):
1118         (JSC::PropertyDescriptor::getter):
1119         * runtime/PropertyDescriptor.h:
1120         (JSC::PropertyDescriptor::attributes):
1121         (JSC::PropertyDescriptor::value):
1122         * runtime/ProxyObject.cpp:
1123         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1124         * tests/es6.yaml:
1125         * tests/stress/proxy-get-own-property.js:
1126         (let.handler.getOwnPropertyDescriptor):
1127         (set get let.handler.return):
1128         (set get let.handler.getOwnPropertyDescriptor):
1129         (set get let):
1130         (set get let.a):
1131         (let.b):
1132         (let.setter):
1133         (let.getter):
1134
1135 2016-02-27  Andy VanWagoner  <thetalecrafter@gmail.com>
1136
1137         Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
1138         https://bugs.webkit.org/show_bug.cgi?id=152448
1139
1140         Reviewed by Darin Adler.
1141
1142         Add defaultLanguage to the globalObjectMethodTable and use it for the
1143         default locale in Intl object initializations. Fall back to ICU default
1144         locale only if the defaultLanguage function is null, or returns an
1145         empty string.
1146
1147         * jsc.cpp:
1148         * runtime/IntlCollator.cpp:
1149         (JSC::IntlCollator::initializeCollator):
1150         * runtime/IntlDateTimeFormat.cpp:
1151         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1152         * runtime/IntlNumberFormat.cpp:
1153         (JSC::IntlNumberFormat::initializeNumberFormat):
1154         * runtime/IntlObject.cpp:
1155         (JSC::defaultLocale):
1156         (JSC::lookupMatcher):
1157         (JSC::bestFitMatcher):
1158         (JSC::resolveLocale):
1159         * runtime/IntlObject.h:
1160         * runtime/JSGlobalObject.cpp:
1161         * runtime/JSGlobalObject.h:
1162         * runtime/StringPrototype.cpp:
1163         (JSC::toLocaleCase):
1164
1165 2016-02-27  Oliver Hunt  <oliver@apple.com>
1166
1167         CLoop build fix.
1168
1169         * jit/ExecutableAllocatorFixedVMPool.cpp:
1170
1171 2016-02-26  Oliver Hunt  <oliver@apple.com>
1172
1173         Remove the on demand executable allocator
1174         https://bugs.webkit.org/show_bug.cgi?id=154749
1175
1176         Reviewed by Geoffrey Garen.
1177
1178         Remove all the DemandExecutable code and executable allocator ifdefs.
1179
1180         * CMakeLists.txt:
1181         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1182         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1183         * JavaScriptCore.xcodeproj/project.pbxproj:
1184         * jit/ExecutableAllocator.cpp: Removed.
1185         (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
1186         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
1187         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
1188         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
1189         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
1190         (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
1191         (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
1192         (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
1193         (JSC::DemandExecutableAllocator::allocators): Deleted.
1194         (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
1195         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
1196         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
1197         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
1198         (JSC::ExecutableAllocator::isValid): Deleted.
1199         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
1200         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
1201         (JSC::ExecutableAllocator::allocate): Deleted.
1202         (JSC::ExecutableAllocator::committedByteCount): Deleted.
1203         (JSC::ExecutableAllocator::dumpProfile): Deleted.
1204         (JSC::ExecutableAllocator::getLock): Deleted.
1205         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
1206         (JSC::ExecutableAllocator::reprotectRegion): Deleted.
1207         * jit/ExecutableAllocator.h:
1208         * jit/ExecutableAllocatorFixedVMPool.cpp:
1209         * jit/JITStubRoutine.h:
1210         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
1211         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
1212         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
1213
1214 2016-02-26  Joseph Pecoraro  <pecoraro@apple.com>
1215
1216         Reduce direct callers of Structure::findStructuresAndMapForMaterialization
1217         https://bugs.webkit.org/show_bug.cgi?id=154751
1218
1219         Reviewed by Mark Lam.
1220
1221         * runtime/Structure.cpp:
1222         (JSC::Structure::toStructureShape):
1223         This property name iteration is identical to Structure::forEachPropertyConcurrently.
1224         Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.
1225
1226 2016-02-26  Mark Lam  <mark.lam@apple.com>
1227
1228         Function.name and Function.length should be configurable.
1229         https://bugs.webkit.org/show_bug.cgi?id=154604
1230
1231         Reviewed by Saam Barati.
1232
1233         According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
1234         "Unless otherwise specified, the name property of a built-in Function object,
1235         if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
1236         [[Configurable]]: true }."
1237
1238         Similarly, "the length property of a built-in Function object has the attributes
1239         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."
1240
1241         This patch makes Function.name and Function.length configurable.
1242
1243         We do this by lazily reifying the JSFunction name and length properties on first
1244         access.  We track whether each of these properties has been reified using flags
1245         in the FunctionRareData.  On first access, if not already reified, we will put
1246         the property into the object with its default value and attributes and set the
1247         reified flag.  Thereafter, we rely on the base JSObject to handle access to the
1248         property.
1249
1250         Also, lots of test results have to be re-baselined because the old Function.length
1251         has attribute DontDelete, which is in conflict with the ES6 requirement that it
1252         is configurable.
1253
1254         * runtime/FunctionRareData.h:
1255         (JSC::FunctionRareData::hasReifiedLength):
1256         (JSC::FunctionRareData::setHasReifiedLength):
1257         (JSC::FunctionRareData::hasReifiedName):
1258         (JSC::FunctionRareData::setHasReifiedName):
1259         - Flags for tracking whether each property has been reified.
1260
1261         * runtime/JSFunction.cpp:
1262         (JSC::JSFunction::finishCreation):
1263         (JSC::JSFunction::createBuiltinFunction):
1264         - Host and builtin functions currently always reify their name and length
1265           properties.  Currently, for builtins, the default names that are used may
1266           differ from the executable name.  For now, we'll stay with keeping this
1267           alternate approach to getting the name and length properties for host and
1268           builtin functions.
1269           However, we need their default attribute to be configurable as well.
1270
1271         (JSC::JSFunction::getOwnPropertySlot):
1272         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1273         (JSC::JSFunction::put):
1274         (JSC::JSFunction::deleteProperty):
1275         (JSC::JSFunction::defineOwnProperty):
1276         (JSC::JSFunction::reifyLength):
1277         (JSC::JSFunction::reifyName):
1278         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1279         (JSC::JSFunction::lengthGetter): Deleted.
1280         (JSC::JSFunction::nameGetter): Deleted.
1281         * runtime/JSFunction.h:
1282         * runtime/JSFunctionInlines.h:
1283         (JSC::JSFunction::hasReifiedLength):
1284         (JSC::JSFunction::hasReifiedName):
1285
1286         * tests/es6.yaml:
1287         - 4 new passing tests.
1288
1289         * tests/mozilla/ecma/Array/15.4.4.3-1.js:
1290         * tests/mozilla/ecma/Array/15.4.4.4-1.js:
1291         * tests/mozilla/ecma/Array/15.4.4.4-2.js:
1292         * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
1293         * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
1294         * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
1295         * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
1296         * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
1297         * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
1298         * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
1299         * tests/mozilla/ecma/String/15.5.4.10-1.js:
1300         * tests/mozilla/ecma/String/15.5.4.11-1.js:
1301         * tests/mozilla/ecma/String/15.5.4.11-5.js:
1302         * tests/mozilla/ecma/String/15.5.4.12-1.js:
1303         * tests/mozilla/ecma/String/15.5.4.6-2.js:
1304         * tests/mozilla/ecma/String/15.5.4.7-2.js:
1305         * tests/mozilla/ecma/String/15.5.4.8-1.js:
1306         * tests/mozilla/ecma/String/15.5.4.9-1.js:
1307         - Rebase expected test results.
1308
1309         * tests/stress/function-configurable-properties.js: Added.
1310
1311 2016-02-26  Keith Miller  <keith_miller@apple.com>
1312
1313         Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
1314         https://bugs.webkit.org/show_bug.cgi?id=154743
1315
1316         Reviewed by Mark Lam.
1317
1318         * dfg/DFGConstantFoldingPhase.cpp:
1319         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1320         * dfg/DFGFixupPhase.cpp:
1321         (JSC::DFG::FixupPhase::fixupNode):
1322
1323 2016-02-26  Keith Miller  <keith_miller@apple.com>
1324
1325         Native Typed Array functions should use Symbol.species
1326         https://bugs.webkit.org/show_bug.cgi?id=154569
1327
1328         Reviewed by Michael Saboff.
1329
1330         This patch adds support for Symbol.species in the native Typed Array prototype
1331         functions. Additionally, now that other types of typedarrays are creatable inside
1332         the slice we use the JSGenericTypedArrayView::set function, which has been beefed
1333         up, to put everything into the correct place.
1334
1335         * runtime/JSDataView.cpp:
1336         (JSC::JSDataView::set):
1337         * runtime/JSDataView.h:
1338         * runtime/JSGenericTypedArrayView.h:
1339         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1340         (JSC::constructGenericTypedArrayViewFromIterator):
1341         (JSC::constructGenericTypedArrayViewWithArguments):
1342         (JSC::constructGenericTypedArrayView):
1343         * runtime/JSGenericTypedArrayViewInlines.h:
1344         (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
1345         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1346         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1347         (JSC::speciesConstruct):
1348         (JSC::genericTypedArrayViewProtoFuncSet):
1349         (JSC::genericTypedArrayViewProtoFuncSlice):
1350         (JSC::genericTypedArrayViewProtoFuncSubarray):
1351         * tests/stress/typedarray-slice.js:
1352         (subclasses.typedArrays.map):
1353         (testSpecies):
1354         (forEach):
1355         (subclasses.forEach):
1356         (testSpeciesRemoveConstructor):
1357         (testSpeciesWithSameBuffer):
1358         * tests/stress/typedarray-subarray.js: Added.
1359         (subclasses.typedArrays.map):
1360         (testSpecies):
1361         (forEach):
1362         (subclasses.forEach):
1363         (testSpeciesRemoveConstructor):
1364
1365 2016-02-26  Benjamin Poulain  <bpoulain@apple.com>
1366
1367         [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
1368         https://bugs.webkit.org/show_bug.cgi?id=154704
1369
1370         Reviewed by Geoffrey Garen.
1371
1372         If the Imm is zero, we should still zero the top bits
1373         to match the definition in AirOpcodes.
1374
1375         * assembler/MacroAssemblerX86Common.h:
1376         (JSC::MacroAssemblerX86Common::add32):
1377         * b3/testb3.cpp:
1378
1379 2016-02-26  Oliver Hunt  <oliver@apple.com>
1380
1381         Make testRegExp not crash when given an invalid regexp
1382         https://bugs.webkit.org/show_bug.cgi?id=154732
1383
1384         Reviewed by Mark Lam.
1385
1386         * testRegExp.cpp:
1387         (parseRegExpLine):
1388
1389 2016-02-26  Benjamin Poulain  <benjamin@webkit.org>
1390
1391         [JSC] Add the test for r197155
1392         https://bugs.webkit.org/show_bug.cgi?id=154715
1393
1394         Reviewed by Mark Lam.
1395
1396         Silly me. I forgot the test in the latest patch update.
1397
1398         * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
1399
1400 2016-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1401
1402         [DFG] Drop unnecessary proved type branch in ToPrimitive
1403         https://bugs.webkit.org/show_bug.cgi?id=154716
1404
1405         Reviewed by Geoffrey Garen.
1406
1407         This branching based on the proved types is unnecessary because this is already handled in constant folding phase.
1408         In fact, the DFGSpeculativeJIT64.cpp case is already removed in r164243.
1409         This patch removes the remaining JIT32_64 case.
1410
1411         * dfg/DFGSpeculativeJIT32_64.cpp:
1412         (JSC::DFG::SpeculativeJIT::compile):
1413
1414 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
1415
1416         [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
1417         https://bugs.webkit.org/show_bug.cgi?id=154575
1418
1419         Reviewed by Filip Pizlo.
1420
1421         I noticed that imaging-gaussian-blur spends most of its
1422         samples in DFG code despite executing most of the loop
1423         iterations in FTL.
1424
1425         On this particular test, the main function is only entered
1426         once and has a very heavy loop there. What happens is DFG
1427         starts by compiling the full function in FTL. That takes about
1428         8 to 10 milliseconds during which the DFG code makes very little
1429         progress. The calls to triggerOSREntryNow() try to OSR Enter
1430         for a while then finally start compiling something. By the time
1431         the function is ready, we have wasted a lot of time in DFG code.
1432
1433         What this patch does is set a flag when a DFG function is entered.
1434         If we try to triggerOSREntryNow() and the flag was never set,
1435         we start compiling both the full function and the one for OSR Entry.
1436
1437         * dfg/DFGJITCode.h:
1438         * dfg/DFGJITCompiler.cpp:
1439         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
1440         (JSC::DFG::JITCompiler::compile):
1441         (JSC::DFG::JITCompiler::compileFunction):
1442         * dfg/DFGJITCompiler.h:
1443         * dfg/DFGOperations.cpp:
1444         * dfg/DFGPlan.cpp:
1445         (JSC::DFG::Plan::Plan): Deleted.
1446         * dfg/DFGPlan.h:
1447         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1448         (JSC::DFG::TierUpCheckInjectionPhase::run):
1449
1450 2016-02-25  Benjamin Poulain  <benjamin@webkit.org>
1451
1452         [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
1453         https://bugs.webkit.org/show_bug.cgi?id=154664
1454
1455         Reviewed by Saam Barati.
1456
1457         When doing OSR Enter into a constructor, we lose the information
1458         that this may have been set to empty by a previously executed block.
1459
1460         All the code just assumed the type for a FlushedJS value and thus
1461         not an empty value. It was then okay to eliminate the TDZ checks.
1462
1463         In this patch, the values on root entry now assume they may be empty.
1464         As a result, the SetArgument() for "this" has "empty" as possible
1465         type and the TDZ checks are no longer eliminated.
1466
1467         * dfg/DFGInPlaceAbstractState.cpp:
1468         (JSC::DFG::InPlaceAbstractState::initialize):
1469
1470 2016-02-25  Ada Chan  <adachan@apple.com>
1471
1472         Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
1473         https://bugs.webkit.org/show_bug.cgi?id=154702
1474
1475         Reviewed by Dan Bernstein.
1476
1477         * Configurations/FeatureDefines.xcconfig:
1478
1479 2016-02-25  Saam barati  <sbarati@apple.com>
1480
1481         [ES6] for...in iteration doesn't comply with the specification
1482         https://bugs.webkit.org/show_bug.cgi?id=154665
1483
1484         Reviewed by Michael Saboff.
1485
1486         If you read ForIn/OfHeadEvaluation inside the spec:
1487         https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
1488         It calls EnumerateObjectProperties(obj) to get a set of properties
1489         to enumerate over (it models this "set" as an ES6 generator function).
1490         EnumerateObjectProperties is defined in section 13.7.5.15:
1491         https://tc39.github.io/ecma262/#sec-enumerate-object-properties
1492         The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
1493         properties it sees. We must do the same by modeling the operation as
1494         a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.
1495
1496         * jit/JITOperations.cpp:
1497         * jit/JITOperations.h:
1498         * runtime/CommonSlowPaths.cpp:
1499         (JSC::SLOW_PATH_DECL):
1500         * runtime/JSObject.cpp:
1501         (JSC::JSObject::hasProperty):
1502         (JSC::JSObject::hasPropertyGeneric):
1503         * runtime/JSObject.h:
1504         * tests/stress/proxy-get-own-property.js:
1505         (assert):
1506         (let.handler.getOwnPropertyDescriptor):
1507         (i.set assert):
1508
1509 2016-02-25  Saam barati  <sbarati@apple.com>
1510
1511         [ES6] Implement Proxy.[[Set]]
1512         https://bugs.webkit.org/show_bug.cgi?id=154511
1513
1514         Reviewed by Filip Pizlo.
1515
1516         This patch is mostly an implementation of
1517         Proxy.[[Set]] with respect to section 9.5.9
1518         of the ECMAScript spec.
1519         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver
1520
1521         This patch also changes JSObject::putInline and JSObject::putByIndex
1522         to be aware that a Proxy in the prototype chain will intercept
1523         property accesses.
1524
1525         * runtime/JSObject.cpp:
1526         (JSC::JSObject::putInlineSlow):
1527         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1528         * runtime/JSObject.h:
1529         * runtime/JSObjectInlines.h:
1530         (JSC::JSObject::canPerformFastPutInline):
1531         (JSC::JSObject::putInline):
1532         * runtime/JSType.h:
1533         * runtime/ProxyObject.cpp:
1534         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1535         (JSC::ProxyObject::performPut):
1536         (JSC::ProxyObject::put):
1537         (JSC::ProxyObject::putByIndexCommon):
1538         (JSC::ProxyObject::putByIndex):
1539         (JSC::performProxyCall):
1540         (JSC::ProxyObject::getCallData):
1541         (JSC::performProxyConstruct):
1542         (JSC::ProxyObject::deletePropertyByIndex):
1543         (JSC::ProxyObject::visitChildren):
1544         * runtime/ProxyObject.h:
1545         (JSC::ProxyObject::create):
1546         (JSC::ProxyObject::createStructure):
1547         (JSC::ProxyObject::target):
1548         (JSC::ProxyObject::handler):
1549         * tests/es6.yaml:
1550         * tests/stress/proxy-set.js: Added.
1551         (assert):
1552         (throw.new.Error.let.handler.set 45):
1553         (throw.new.Error):
1554         (let.target.set x):
1555         (let.target.get x):
1556         (set let):
1557
1558 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
1559
1560         [JSC] Remove a useless "Move" in the lowering of Select
1561         https://bugs.webkit.org/show_bug.cgi?id=154670
1562
1563         Reviewed by Geoffrey Garen.
1564
1565         I left the Move instruction when creating the aliasing form
1566         of Select.
1567
1568         On ARM64, that meant a useless move for any case that can't
1569         be coalesced.
1570
1571         On x86, that meant an extra constraint on child2, making it
1572         stupidly hard to alias child1.
1573
1574         * b3/B3LowerToAir.cpp:
1575         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
1576
1577 2016-02-24  Joseph Pecoraro  <pecoraro@apple.com>
1578
1579         Web Inspector: Expose Proxy target and handler internal properties to Inspector
1580         https://bugs.webkit.org/show_bug.cgi?id=154663
1581
1582         Reviewed by Timothy Hatcher.
1583
1584         * inspector/JSInjectedScriptHost.cpp:
1585         (Inspector::JSInjectedScriptHost::getInternalProperties):
1586         Expose the ProxyObject's target and handler.
1587
1588 2016-02-24  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
1589
1590         [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
1591         https://bugs.webkit.org/show_bug.cgi?id=151688
1592
1593         Reviewed by Dean Jackson.
1594
1595         Enables the WEB_ANIMATIONS compiler switch.
1596
1597         * Configurations/FeatureDefines.xcconfig:
1598
1599 2016-02-24  Konstantin Tokarev  <annulen@yandex.ru>
1600
1601         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
1602         https://bugs.webkit.org/show_bug.cgi?id=154651
1603
1604         Reviewed by Alex Christensen.
1605
1606         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
1607
1608 2016-02-24  Commit Queue  <commit-queue@webkit.org>
1609
1610         Unreviewed, rolling out r197033.
1611         https://bugs.webkit.org/show_bug.cgi?id=154649
1612
1613         "It broke JSC tests when 'this' was loaded from global scope"
1614         (Requested by saamyjoon on #webkit).
1615
1616         Reverted changeset:
1617
1618         "[ES6] Arrow function syntax. Emit loading&putting this/super
1619         only if they are used in arrow function"
1620         https://bugs.webkit.org/show_bug.cgi?id=153981
1621         http://trac.webkit.org/changeset/197033
1622
1623 2016-02-24  Saam Barati  <sbarati@apple.com>
1624
1625         [ES6] Implement Proxy.[[Delete]]
1626         https://bugs.webkit.org/show_bug.cgi?id=154607
1627
1628         Reviewed by Mark Lam.
1629
1630         This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
1631         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
1632
1633         * runtime/ProxyObject.cpp:
1634         (JSC::ProxyObject::getConstructData):
1635         (JSC::ProxyObject::performDelete):
1636         (JSC::ProxyObject::deleteProperty):
1637         (JSC::ProxyObject::deletePropertyByIndex):
1638         * runtime/ProxyObject.h:
1639         * tests/es6.yaml:
1640         * tests/stress/proxy-delete.js: Added.
1641         (assert):
1642         (throw.new.Error.let.handler.get deleteProperty):
1643         (throw.new.Error):
1644         (assert.let.handler.deleteProperty):
1645         (let.handler.deleteProperty):
1646
1647 2016-02-24  Filip Pizlo  <fpizlo@apple.com>
1648
1649         Stackmaps have problems with double register constraints
1650         https://bugs.webkit.org/show_bug.cgi?id=154643
1651
1652         Reviewed by Geoffrey Garen.
1653
1654         This is currently a benign bug. I found it while playing.
1655
1656         * b3/B3LowerToAir.cpp:
1657         (JSC::B3::Air::LowerToAir::fillStackmap):
1658         * b3/testb3.cpp:
1659         (JSC::B3::testURShiftSelf64):
1660         (JSC::B3::testPatchpointDoubleRegs):
1661         (JSC::B3::zero):
1662         (JSC::B3::run):
1663
1664 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
1665
1666         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
1667         https://bugs.webkit.org/show_bug.cgi?id=153981
1668
1669         Reviewed by Saam Barati.
1670        
1671         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
1672         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
1673         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
1674         During syntax analysis, the parser stores information about which variables are used in the arrow function inside
1675         the ordinary function scope and then passes it to BytecodeGenerator through UnlinkedCodeBlock.
1676
1677         * bytecode/ExecutableInfo.h:
1678         (JSC::ExecutableInfo::ExecutableInfo):
1679         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
1680         * bytecode/UnlinkedCodeBlock.cpp:
1681         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1682         * bytecode/UnlinkedCodeBlock.h:
1683         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
1684         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
1685         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
1686         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
1687         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
1688         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
1689         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
1690         * bytecode/UnlinkedFunctionExecutable.cpp:
1691         (JSC::generateUnlinkedFunctionCodeBlock):
1692         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1693         * bytecode/UnlinkedFunctionExecutable.h:
1694         * bytecompiler/BytecodeGenerator.cpp:
1695         (JSC::BytecodeGenerator::BytecodeGenerator):
1696         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1697         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1698         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
1699         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1700         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1701         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1702         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
1703         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1704         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1705         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1706         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1707         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1708         * bytecompiler/BytecodeGenerator.h:
1709         * bytecompiler/NodesCodegen.cpp:
1710         (JSC::ThisNode::emitBytecode):
1711         (JSC::EvalFunctionCallNode::emitBytecode):
1712         (JSC::FunctionCallValueNode::emitBytecode):
1713         (JSC::FunctionNode::emitBytecode):
1714         * parser/ASTBuilder.h:
1715         (JSC::ASTBuilder::createFunctionMetadata):
1716         * parser/Nodes.cpp:
1717         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1718         * parser/Nodes.h:
1719         * parser/Parser.cpp:
1720         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1721         (JSC::Parser<LexerType>::parseFunctionBody):
1722         (JSC::Parser<LexerType>::parseFunctionInfo):
1723         (JSC::Parser<LexerType>::parseProperty):
1724         (JSC::Parser<LexerType>::parsePrimaryExpression):
1725         (JSC::Parser<LexerType>::parseMemberExpression):
1726         * parser/Parser.h:
1727         (JSC::Scope::Scope):
1728         (JSC::Scope::isArrowFunctionBoundary):
1729         (JSC::Scope::innerArrowFunctionFeatures):
1730         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
1731         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
1732         (JSC::Scope::setInnerArrowFunctionUseEval):
1733         (JSC::Scope::setInnerArrowFunctionUseThis):
1734         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
1735         (JSC::Scope::setInnerArrowFunctionUseArguments):
1736         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
1737         (JSC::Scope::collectFreeVariables):
1738         (JSC::Scope::mergeInnerArrowFunctionFeatures):
1739         (JSC::Scope::fillParametersForSourceProviderCache):
1740         (JSC::Scope::restoreFromSourceProviderCache):
1741         (JSC::Scope::setIsFunction):
1742         (JSC::Scope::setIsArrowFunction):
1743         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
1744         (JSC::Parser::pushScope):
1745         (JSC::Parser::popScopeInternal):
1746         * parser/ParserModes.h:
1747         * parser/SourceProviderCacheItem.h:
1748         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1749         * parser/SyntaxChecker.h:
1750         (JSC::SyntaxChecker::createFunctionMetadata):
1751         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1752         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1753         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1754         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1755         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1756
1757 2016-02-23  Brian Burg  <bburg@apple.com>
1758
1759         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
1760         https://bugs.webkit.org/show_bug.cgi?id=154615
1761         <rdar://problem/24804330>
1762
1763         Reviewed by Timothy Hatcher.
1764
1765         Some of the generated Objective-C bindings are only relevant to code acting as the
1766         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
1767         --backend to all generators. Use the setting in a few generators to omit code that's
1768         not needed.
1769
1770         Also fix a few places where the code emits the wrong Objective-C class prefix.
1771         There is some common non-generated code that must always have the RWIProtocol prefix.
1772
1773         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
1774         macros defined in the internal header now need to be used outside of the framework.
1775
1776         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1777         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
1778         depending on the target framework.
1779
1780         * inspector/scripts/codegen/generate_objc_header.py:
1781         (ObjCHeaderGenerator.generate_output):
1782         For now, omit generating command protocol and event dispatchers when generating for --frontend.
1783
1784         (ObjCHeaderGenerator._generate_type_interface):
1785         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
1786
1787         * inspector/scripts/codegen/generate_objc_internal_header.py:
1788         Use RWIProtocolJSONObjectPrivate.h instead.
1789
1790         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1791         (ObjCProtocolTypesImplementationGenerator.generate_output):
1792         Include the Internal header if it's being generated (only for --backend).
1793
1794         * inspector/scripts/codegen/generator.py:
1795         (Generator.__init__):
1796         (Generator.set_generator_setting):
1797         (Generator):
1798         (Generator.get_generator_setting):
1799         Crib a simple setting system from the Framework class. Make the names more obnoxious.
1800
1801         (Generator.string_for_file_include):
1802         Inspired by the replay input generator, this is a function that uses the proper syntax
1803         for a file include depending on the file's framework and target framework.
1804
1805         * inspector/scripts/codegen/objc_generator.py:
1806         (ObjCGenerator.and):
1807         (ObjCGenerator.and.objc_prefix):
1808         (ObjCGenerator):
1809         (ObjCGenerator.objc_type_for_raw_name):
1810         (ObjCGenerator.objc_class_for_raw_name):
1811         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
1812
1813         * inspector/scripts/generate-inspector-protocol-bindings.py:
1814         (generate_from_specification):
1815         Change the generators to use for the frontend. Propagate --frontend and --backend.
1816
1817         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1818         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1819         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1820         * inspector/scripts/tests/expected/enum-values.json-result:
1821         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1822         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1823         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1824         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1825         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1826         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1827         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1828         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1829         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1830         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
1831
1832 2016-02-23  Saam barati  <sbarati@apple.com>
1833
1834         arrayProtoFuncConcat doesn't check for an exception after allocating an array
1835         https://bugs.webkit.org/show_bug.cgi?id=154621
1836
1837         Reviewed by Michael Saboff.
1838
1839         * runtime/ArrayPrototype.cpp:
1840         (JSC::arrayProtoFuncConcat):
1841
1842 2016-02-23  Dan Bernstein  <mitz@apple.com>
1843
1844         [Xcode] Linker errors display mangled names, but no longer should
1845         https://bugs.webkit.org/show_bug.cgi?id=154632
1846
1847         Reviewed by Sam Weinig.
1848
1849         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
1850
1851 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
1852
1853         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
1854         https://bugs.webkit.org/show_bug.cgi?id=112323
1855
1856         Reviewed by Chris Dumez.
1857
1858         This feature is controlled by a runtime switch, and defaults off.
1859
1860         * Configurations/FeatureDefines.xcconfig:
1861
1862 2016-02-23  Keith Miller  <keith_miller@apple.com>
1863
1864         JSC stress tests' standalone-pre.js should exit on the first failure by default
1865         https://bugs.webkit.org/show_bug.cgi?id=154565
1866
1867         Reviewed by Mark Lam.
1868
1869         Currently, if a test writer does not call finishJSTest() at the end of
1870         any test using stress/resources/standalone-pre.js then the test can fail
1871         without actually reporting an error to the harness. By default, we
1872         should throw on the first error so, in the event someone does not call
1873         finishJSTest() the harness will still notice the error.
1874
1875         * tests/stress/regress-151324.js:
1876         * tests/stress/resources/standalone-pre.js:
1877         (testFailed):
1878
1879 2016-02-23  Saam barati  <sbarati@apple.com>
1880
1881         Make JSObject::getMethod have fewer branches
1882         https://bugs.webkit.org/show_bug.cgi?id=154603
1883
1884         Reviewed by Mark Lam.
1885
1886         Writing code with fewer branches is almost always better.
1887
1888         * runtime/JSObject.cpp:
1889         (JSC::JSObject::getMethod):
1890
1891 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
1892
1893         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1894         https://bugs.webkit.org/show_bug.cgi?id=154592
1895
1896         Reviewed by Saam Barati.
1897
1898         If Foo has a virtual destructor, then:
1899
1900         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1901         subclass of Foo that overrides the destructor, this syntax will not call that override.
1902
1903         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1904         get the subclass's override.
1905
1906         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1907         This caused leaks because this didn't actually call the subclass's override. This fixes the
1908         problem by using this->~Value() instead.
1909
1910         * b3/B3ControlValue.cpp:
1911         (JSC::B3::ControlValue::convertToJump):
1912         (JSC::B3::ControlValue::convertToOops):
1913         * b3/B3Value.cpp:
1914         (JSC::B3::Value::replaceWithIdentity):
1915         (JSC::B3::Value::replaceWithNop):
1916         (JSC::B3::Value::replaceWithPhi):
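
The difference between a qualified and an unqualified explicit destructor call that this entry describes, as an added stand-alone example (not WebKit code): `Base` and `Derived` are constructed stand-ins for B3::Value and one of its subclasses, and the counter `g_derivedDestructorRuns` is an assumption used only to make the skipped destructor observable. Objects are placed in raw storage with placement new so each destructor can be invoked explicitly without a second, implicit destruction.

```cpp
#include <cstdio>
#include <new>

// Constructed stand-in for a base class with a virtual destructor (like B3::Value).
struct Base {
    virtual ~Base() {}
};

// Counts how many times the subclass destructor actually ran (constructed helper).
static int g_derivedDestructorRuns = 0;

// Constructed stand-in for a subclass whose destructor releases extra state;
// if it is skipped, that state leaks, which is the bug the entry fixes.
struct Derived : Base {
    ~Derived() override { ++g_derivedDestructorRuns; }
};

// Raw storage for placement new, so the explicit destructor calls below are the
// only destruction that happens.
alignas(Derived) static unsigned char g_storage[sizeof(Derived)];

// The old pattern: a qualified call (this->Value::~Value() in B3). The qualified
// name suppresses virtual dispatch, so only Base::~Base runs even though the
// object is really a Derived.
int derivedDestructorRunsAfterQualifiedCall()
{
    g_derivedDestructorRuns = 0;
    Base* p = new (g_storage) Derived;
    p->Base::~Base();              // non-virtual call: Derived::~Derived is skipped
    return g_derivedDestructorRuns; // 0
}

// The fixed pattern: an unqualified call (this->~Value() in B3). This dispatches
// virtually, so Derived::~Derived runs first and then Base::~Base.
int derivedDestructorRunsAfterVirtualCall()
{
    g_derivedDestructorRuns = 0;
    Base* p = new (g_storage) Derived;
    p->~Base();                     // virtual call: Derived::~Derived runs
    return g_derivedDestructorRuns; // 1
}

int main()
{
    std::printf("qualified call ran Derived::~Derived %d time(s)\n",
                derivedDestructorRunsAfterQualifiedCall());
    std::printf("unqualified call ran Derived::~Derived %d time(s)\n",
                derivedDestructorRunsAfterVirtualCall());
    return 0;
}
```

The same distinction applies to any explicit destructor call on a polymorphic type, not only to B3: a qualified `obj->Base::~Base()` is a direct call to that one destructor, while `obj->~Base()` goes through the vtable.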
1917
1918 2016-02-23  Brian Burg  <bburg@apple.com>
1919
1920         Web Inspector: the protocol generator's Objective-C name prefix should be configurable
1921         https://bugs.webkit.org/show_bug.cgi?id=154596
1922         <rdar://problem/24794962>
1923
1924         Reviewed by Timothy Hatcher.
1925
1926         In order to support different generated protocol sets that don't have conflicting
1927         file and type names, allow the Objective-C prefix to be configurable based on the
1928         target framework. Each name also has the implicit prefix 'Protocol' appended to the
1929         per-target framework prefix.
1930
1931         For example, the existing protocol for remote inspection has the prefix 'RWI'
1932         and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
1933         and is generated as 'AutomationProtocol'.
1934
1935         To make this change, convert ObjCGenerator to be a subclass of Generator and use
1936         the instance method model() to find the target framework and its setting for
1937         'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
1938         these instance methods that used to be static methods. This is a large but
1939         mechanical change to use self instead of ObjCGenerator.
1940
1941         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1942         (ObjCBackendDispatcherHeaderGenerator):
1943         (ObjCBackendDispatcherHeaderGenerator.__init__):
1944         (ObjCBackendDispatcherHeaderGenerator.output_filename):
1945         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1946         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1947         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1948         (ObjCConfigurationImplementationGenerator):
1949         (ObjCConfigurationImplementationGenerator.__init__):
1950         (ObjCConfigurationImplementationGenerator.output_filename):
1951         (ObjCConfigurationImplementationGenerator.generate_output):
1952         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1953         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
1954         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
1955         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1956         (ObjCConfigurationHeaderGenerator):
1957         (ObjCConfigurationHeaderGenerator.__init__):
1958         (ObjCConfigurationHeaderGenerator.output_filename):
1959         (ObjCConfigurationHeaderGenerator.generate_output):
1960         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1961         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1962         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1963         (ObjCBackendDispatcherImplementationGenerator):
1964         (ObjCBackendDispatcherImplementationGenerator.__init__):
1965         (ObjCBackendDispatcherImplementationGenerator.output_filename):
1966         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1967         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1968         (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
1969         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
1970         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
1971         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1972         (ObjCConversionHelpersGenerator):
1973         (ObjCConversionHelpersGenerator.__init__):
1974         (ObjCConversionHelpersGenerator.output_filename):
1975         (ObjCConversionHelpersGenerator.generate_output):
1976         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
1977         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
1978         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
1979         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1980         (ObjCFrontendDispatcherImplementationGenerator):
1981         (ObjCFrontendDispatcherImplementationGenerator.__init__):
1982         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1983         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1984         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1985         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1986         (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
1987         (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
1988         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1989         * inspector/scripts/codegen/generate_objc_header.py:
1990         (ObjCHeaderGenerator):
1991         (ObjCHeaderGenerator.__init__):
1992         (ObjCHeaderGenerator.output_filename):
1993         (ObjCHeaderGenerator.generate_output):
1994         (ObjCHeaderGenerator._generate_forward_declarations):
1995         (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
1996         (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
1997         (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
1998         (ObjCHeaderGenerator._generate_type_interface):
1999         (ObjCHeaderGenerator._generate_init_method_for_required_members):
2000         (ObjCHeaderGenerator._generate_member_property):
2001         (ObjCHeaderGenerator._generate_command_protocols):
2002         (ObjCHeaderGenerator._generate_single_command_protocol):
2003         (ObjCHeaderGenerator._callback_block_for_command):
2004         (ObjCHeaderGenerator._generate_event_interfaces):
2005         (ObjCHeaderGenerator._generate_single_event_interface):
2006         * inspector/scripts/codegen/generate_objc_internal_header.py:
2007         (ObjCInternalHeaderGenerator):
2008         (ObjCInternalHeaderGenerator.__init__):
2009         (ObjCInternalHeaderGenerator.output_filename):
2010         (ObjCInternalHeaderGenerator.generate_output):
2011         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
2012         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2013         (ObjCProtocolTypesImplementationGenerator):
2014         (ObjCProtocolTypesImplementationGenerator.__init__):
2015         (ObjCProtocolTypesImplementationGenerator.output_filename):
2016         (ObjCProtocolTypesImplementationGenerator.generate_output):
2017         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
2018         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
2019         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
2020         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
2021         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
2022         (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
2023         * inspector/scripts/codegen/models.py:
2024         * inspector/scripts/codegen/objc_generator.py:
2025         (ObjCTypeCategory.category_for_type):
2026         (ObjCGenerator):
2027         (ObjCGenerator.__init__):
2028         (ObjCGenerator.objc_prefix):
2029         (ObjCGenerator.objc_name_for_type):
2030         (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
2031         (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
2032         (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
2033         (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
2034         (ObjCGenerator.objc_class_for_type):
2035         (ObjCGenerator.objc_class_for_array_type):
2036         (ObjCGenerator.objc_accessor_type_for_member):
2037         (ObjCGenerator.objc_accessor_type_for_member_internal):
2038         (ObjCGenerator.objc_type_for_member):
2039         (ObjCGenerator.objc_type_for_member_internal):
2040         (ObjCGenerator.objc_type_for_param):
2041         (ObjCGenerator.objc_type_for_param_internal):
2042         (ObjCGenerator.objc_protocol_export_expression_for_variable):
2043         (ObjCGenerator.objc_protocol_import_expression_for_member):
2044         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
2045         (ObjCGenerator.objc_protocol_import_expression_for_variable):
2046         (ObjCGenerator.objc_to_protocol_expression_for_member):
2047         (ObjCGenerator.protocol_to_objc_expression_for_member):
2048
2049         Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
2050
2051         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2052         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2053         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2054         * inspector/scripts/tests/expected/enum-values.json-result:
2055         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2056         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2057         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2058         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2059         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2060         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2061         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2062         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2063         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2064
2065 2016-02-23  Mark Lam  <mark.lam@apple.com>
2066
2067         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
2068         https://bugs.webkit.org/show_bug.cgi?id=154542
2069
2070         Reviewed by Saam Barati.
2071
2072         According to the spec, the constructors of the following types "are not intended
2073         to be called as a function and will throw an exception".  These types are:
2074             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
2075             Map - https://tc39.github.io/ecma262/#sec-map-constructor
2076             Set - https://tc39.github.io/ecma262/#sec-set-constructor
2077             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
2078             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
2079             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
2080             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
2081             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
2082             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
2083
2084         This patch does the following:
2085         1. Ensures that these constructors can be called but will throw a TypeError
2086            when called.
2087         2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
2088            in their implementation to be consistent.
2089         3. Changes the error message to "calling XXX constructor without new is invalid".
2090            This is clearer because the error is likely due to the user forgetting to use
2091            the new operator on these constructors.
2092
2093         * runtime/Error.h:
2094         * runtime/Error.cpp:
2095         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
2096         - Added a convenience function to throw the TypeError.
2097
2098         * runtime/JSArrayBufferConstructor.cpp:
2099         (JSC::constructArrayBuffer):
2100         (JSC::callArrayBuffer):
2101         (JSC::JSArrayBufferConstructor::getCallData):
2102         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2103         (JSC::callGenericTypedArrayView):
2104         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
2105         * runtime/JSPromiseConstructor.cpp:
2106         (JSC::callPromise):
2107         * runtime/MapConstructor.cpp:
2108         (JSC::callMap):
2109         * runtime/ProxyConstructor.cpp:
2110         (JSC::callProxy):
2111         (JSC::ProxyConstructor::getCallData):
2112         * runtime/SetConstructor.cpp:
2113         (JSC::callSet):
2114         * runtime/WeakMapConstructor.cpp:
2115         (JSC::callWeakMap):
2116         * runtime/WeakSetConstructor.cpp:
2117         (JSC::callWeakSet):
2118
2119         * tests/es6.yaml:
2120         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
2121
2122         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
2123         (test):
2124
2125         * tests/stress/map-constructor.js:
2126         (testCallTypeError):
2127         * tests/stress/promise-cannot-be-called.js:
2128         (shouldThrow):
2129         * tests/stress/proxy-basic.js:
2130         * tests/stress/set-constructor.js:
2131         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
2132         (i.catch):
2133         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
2134         (i.catch):
2135         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
2136         (i.catch):
2137         * tests/stress/weak-map-constructor.js:
2138         (testCallTypeError):
2139         * tests/stress/weak-set-constructor.js:
2140         - Updated error message string.
2141
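        The rule the entry above implements, as an added example that is not part of the
        WebKit ChangeLog or the JSC sources: the constructors the spec marks as "not intended
        to be called as a function" must throw a TypeError when invoked without `new`, while
        `new` must still produce an instance. The table of constructors and arguments is
        constructed for this example; the error message text is engine-specific (JSC's is
        quoted in the entry), so the check keys on the error class, not the wording.

```javascript
// Added example, not WebKit's code. Constructed table: each constructor paired
// with arguments that make `new` succeed, so the only variable is `new` vs. call.
const NON_CALLABLE = [
  { name: 'Map',          ctor: Map,          args: [] },
  { name: 'Set',          ctor: Set,          args: [] },
  { name: 'WeakMap',      ctor: WeakMap,      args: [] },
  { name: 'WeakSet',      ctor: WeakSet,      args: [] },
  { name: 'ArrayBuffer',  ctor: ArrayBuffer,  args: [8] },
  { name: 'DataView',     ctor: DataView,     args: [new ArrayBuffer(8)] },
  { name: 'Promise',      ctor: Promise,      args: [() => {}] },
  { name: 'Proxy',        ctor: Proxy,        args: [{}, {}] },
  { name: 'Uint8Array',   ctor: Uint8Array,   args: [4] },
  { name: 'Float64Array', ctor: Float64Array, args: [4] },
];

// For contrast: legacy constructors the spec does allow to be called as functions.
const CALLABLE = [
  { name: 'Array',  ctor: Array,  args: [] },
  { name: 'Date',   ctor: Date,   args: [] },
  { name: 'Error',  ctor: Error,  args: ['msg'] },
  { name: 'Object', ctor: Object, args: [] },
];

// Invoke ctor as a plain function (no `new`). Returns the thrown error's class
// name, or 'no-throw' when the call returned normally.
function callAsFunction(ctor, args) {
  try {
    ctor(...args);
    return 'no-throw';
  } catch (e) {
    return e instanceof Error ? e.constructor.name : 'non-Error';
  }
}

// Construct with `new`; true when an object came back. `instanceof Proxy` is not
// usable because Proxy has no .prototype, so the result type is checked instead.
function constructWithNew(ctor, args) {
  const result = new ctor(...args);
  return typeof result === 'object' && result !== null;
}

// Run both checks over both tables and return the outcomes keyed by name.
function checkAll() {
  const report = { nonCallable: {}, callable: {} };
  for (const { name, ctor, args } of NON_CALLABLE) {
    report.nonCallable[name] = {
      asFunction: callAsFunction(ctor, args),  // expected 'TypeError'
      withNew: constructWithNew(ctor, args),   // expected true
    };
  }
  for (const { name, ctor, args } of CALLABLE) {
    report.callable[name] = callAsFunction(ctor, args);  // expected 'no-throw'
  }
  return report;
}
```
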
2142 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
2143
2144         ASan build fix.
2145
2146         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
2147
2148         * inspector/InspectorBackendDispatcher.h:
2149
2150 2016-02-23  Brian Burg  <bburg@apple.com>
2151
2152         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
2153         https://bugs.webkit.org/show_bug.cgi?id=154518
2154         <rdar://problem/24761096>
2155
2156         Reviewed by Timothy Hatcher.
2157
2158         * inspector/InspectorBackendDispatcher.h:
2159         Export all the classes since they are used by WebKit::WebAutomationSession.
2160
2161 2016-02-22  Brian Burg  <bburg@apple.com>
2162
2163         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2164         https://bugs.webkit.org/show_bug.cgi?id=154509
2165         <rdar://problem/24759098>
2166
2167         Reviewed by Timothy Hatcher.
2168
2169         Add a new 'WebKit' framework, which is used to generate protocol code
2170         in WebKit2.
2171
2172         Add --backend and --frontend flags to the main generator script.
2173         These allow a framework to trigger two different sets of generators
2174         so they can be separately generated and compiled.
2175
2176         * inspector/scripts/codegen/models.py:
2177         (Framework.fromString):
2178         (Frameworks): Add new framework.
2179
2180         * inspector/scripts/generate-inspector-protocol-bindings.py:
2181         If neither --backend nor --frontend is specified, assume both are wanted.
2182         This matches the behavior for JavaScriptCore and WebInspector frameworks.
2183
2184         (generate_from_specification):
2185         Generate C++ files for the backend and Objective-C files for the frontend.
2186
2187 2016-02-22  Saam barati  <sbarati@apple.com>
2188
2189         JSGlobalObject doesn't visit ProxyObjectStructure during GC
2190         https://bugs.webkit.org/show_bug.cgi?id=154564
2191
2192         Rubber stamped by Mark Lam.
2193
2194         * runtime/JSGlobalObject.cpp:
2195         (JSC::JSGlobalObject::visitChildren):
2196
2197 2016-02-22  Saam barati  <sbarati@apple.com>
2198
2199         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
2200         https://bugs.webkit.org/show_bug.cgi?id=154548
2201
2202         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
2203
2204         InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw 
2205         an exception. Neither the function nor the call sites of the function took this into
2206         account. This patch audits the call sites of the function to make it work in
2207         the event that an exception is thrown.
2208
2209         * runtime/BooleanConstructor.cpp:
2210         (JSC::constructWithBooleanConstructor):
2211         * runtime/DateConstructor.cpp:
2212         (JSC::constructDate):
2213         * runtime/ErrorConstructor.cpp:
2214         (JSC::Interpreter::constructWithErrorConstructor):
2215         * runtime/FunctionConstructor.cpp:
2216         (JSC::constructFunctionSkippingEvalEnabledCheck):
2217         * runtime/InternalFunction.cpp:
2218         (JSC::InternalFunction::createSubclassStructure):
2219         * runtime/JSArrayBufferConstructor.cpp:
2220         (JSC::constructArrayBuffer):
2221         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2222         (JSC::constructGenericTypedArrayView):
2223         * runtime/JSGlobalObject.h:
2224         (JSC::constructEmptyArray):
2225         (JSC::constructArray):
2226         (JSC::constructArrayNegativeIndexed):
2227         * runtime/JSPromiseConstructor.cpp:
2228         (JSC::constructPromise):
2229         * runtime/MapConstructor.cpp:
2230         (JSC::constructMap):
2231         * runtime/NativeErrorConstructor.cpp:
2232         (JSC::Interpreter::constructWithNativeErrorConstructor):
2233         * runtime/NumberConstructor.cpp:
2234         (JSC::constructWithNumberConstructor):
2235         * runtime/RegExpConstructor.cpp:
2236         (JSC::getRegExpStructure):
2237         (JSC::constructRegExp):
2238         (JSC::constructWithRegExpConstructor):
2239         * runtime/SetConstructor.cpp:
2240         (JSC::constructSet):
2241         * runtime/StringConstructor.cpp:
2242         (JSC::constructWithStringConstructor):
2243         (JSC::StringConstructor::getConstructData):
2244         * runtime/WeakMapConstructor.cpp:
2245         (JSC::constructWeakMap):
2246         * runtime/WeakSetConstructor.cpp:
2247         (JSC::constructWeakSet):
2248         * tests/stress/create-subclass-structure-might-throw.js: Added.
2249         (assert):
2250
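        The failure mode the entry above audits, as an added example that is not part of the
        WebKit ChangeLog or the JSC sources: reading new.target's "prototype" during
        construction can throw, and the engine has to propagate that exception rather than
        build the object anyway. A Proxy used as new.target makes the read throw a
        constructed PrototypeLookupError; the list of audited constructors and their
        arguments is constructed for this example from the files the entry touches.

```javascript
// Added example, not WebKit's code.
class PrototypeLookupError extends Error {}

// Constructed new.target: a constructor whose "prototype" lookup is rigged to throw.
function makeThrowingNewTarget() {
  return new Proxy(function Target() {}, {
    get(target, key, receiver) {
      if (key === 'prototype') throw new PrototypeLookupError('prototype read denied');
      return Reflect.get(target, key, receiver);
    },
  });
}

// Construct ctor with the rigged new.target (the same path as `new` from a
// subclass). Returns the class name of the exception that surfaced, or
// 'constructed' if construction completed in spite of the failed lookup.
function constructWithThrowingNewTarget(ctor, args) {
  try {
    Reflect.construct(ctor, args, makeThrowingNewTarget());
    return 'constructed';
  } catch (e) {
    return e.constructor.name;
  }
}

// Constructors from the entry's file list, each with arguments that are valid
// so the prototype lookup is the only thing that can fail.
const AUDITED = [
  { name: 'Boolean',     ctor: Boolean,     args: [true] },
  { name: 'Date',        ctor: Date,        args: [0] },
  { name: 'Error',       ctor: Error,       args: ['x'] },
  { name: 'RangeError',  ctor: RangeError,  args: ['x'] },
  { name: 'Array',       ctor: Array,       args: [] },
  { name: 'Map',         ctor: Map,         args: [] },
  { name: 'Set',         ctor: Set,         args: [] },
  { name: 'WeakMap',     ctor: WeakMap,     args: [] },
  { name: 'WeakSet',     ctor: WeakSet,     args: [] },
  { name: 'Promise',     ctor: Promise,     args: [() => {}] },
  { name: 'Number',      ctor: Number,      args: [1] },
  { name: 'String',      ctor: String,      args: ['s'] },
  { name: 'RegExp',      ctor: RegExp,      args: ['a'] },
  { name: 'ArrayBuffer', ctor: ArrayBuffer, args: [8] },
  { name: 'Uint8Array',  ctor: Uint8Array,  args: [4] },
];

// Every audited constructor should report the constructed exception by name.
function auditAll() {
  const results = {};
  for (const { name, ctor, args } of AUDITED) {
    results[name] = constructWithThrowingNewTarget(ctor, args);  // expected 'PrototypeLookupError'
  }
  return results;
}

// Control: with a well-behaved new.target the lookup succeeds and the new object
// inherits from newTarget.prototype, which is what the lookup exists to provide.
function constructWithBenignNewTarget() {
  function Benign() {}
  const map = Reflect.construct(Map, [], Benign);
  return Object.getPrototypeOf(map) === Benign.prototype;
}
```
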
2251 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
2252
2253         Fix build and implement functions to retrieve registers on FreeBSD
2254         https://bugs.webkit.org/show_bug.cgi?id=152258
2255
2256         Reviewed by Michael Catanzaro.
2257
2258         * heap/MachineStackMarker.cpp:
2259         (pthreadSignalHandlerSuspendResume):
2260         struct ucontext is not specified in POSIX and it is not available on
2261         FreeBSD. Replacing it with ucontext_t fixes the build problem.
2262         (JSC::MachineThreads::Thread::Registers::stackPointer):
2263         (JSC::MachineThreads::Thread::Registers::framePointer):
2264         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2265         (JSC::MachineThreads::Thread::Registers::llintPC):
2266         * heap/MachineStackMarker.h:
2267
2268 2016-02-22  Saam barati  <sbarati@apple.com>
2269
2270         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
2271         https://bugs.webkit.org/show_bug.cgi?id=154552
2272
2273         Reviewed by Mark Lam.
2274
2275         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
2276         They return false on a Proxy with internal [[Call]] and [[Construct]]
2277         properties. It seems safest, most forward looking, and most adherent
2278         to the specification to check getCallData() and getConstructData() to
2279         implement these functions.
2280
2281         * runtime/InternalFunction.cpp:
2282         (JSC::InternalFunction::createSubclassStructure):
2283         * runtime/JSCJSValueInlines.h:
2284         (JSC::JSValue::isFunction):
2285         (JSC::JSValue::isConstructor):
2286
2287 2016-02-22  Keith Miller  <keith_miller@apple.com>
2288
2289         Bound functions should use the prototype of the function being bound
2290         https://bugs.webkit.org/show_bug.cgi?id=154195
2291
2292         Reviewed by Geoffrey Garen.
2293
2294         Per ES6, the result of Function.prototype.bind should have the same
2295         prototype as the function being bound. In order to avoid creating
2296         a new structure each time a function is bound we store the new
2297         structure in our structure map. However, we cannot currently store
2298         structures that have a different GlobalObject than their prototype.
2299         In the rare case that the GlobalObject differs or the prototype of
2300         the bindee is null we create a new structure each time. To further
2301         minimize new structures, as well as making structure lookup faster,
2302         we also store the structure in the RareData of the function we
2303         are binding.
2304
2305         * runtime/FunctionRareData.cpp:
2306         (JSC::FunctionRareData::visitChildren):
2307         * runtime/FunctionRareData.h:
2308         (JSC::FunctionRareData::getBoundFunctionStructure):
2309         (JSC::FunctionRareData::setBoundFunctionStructure):
2310         * runtime/JSBoundFunction.cpp:
2311         (JSC::getBoundFunctionStructure):
2312         (JSC::JSBoundFunction::create):
2313         * tests/es6.yaml:
2314         * tests/stress/bound-function-uses-prototype.js: Added.
2315         (testChangeProto.foo):
2316         (testChangeProto):
2317         (testBuiltins):
2318         * tests/stress/class-subclassing-function.js:
2319
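        The observable behavior the entry above describes, as an added example that is not
        part of the WebKit ChangeLog or the JSC sources: a bound function's [[Prototype]] is
        the bound target's [[Prototype]], including the custom-object and null cases the
        entry calls out as the slow path. The `custom` object and the `Sub` class are
        constructed for this example.

```javascript
// Added example, not WebKit's code.

// Bind via Function.prototype.bind.call so it works even when the target's
// prototype chain no longer reaches Function.prototype (the null case below).
function protoOfBound(target) {
  const bound = Function.prototype.bind.call(target, null);
  return Object.getPrototypeOf(bound);
}

// Ordinary case: target inherits from Function.prototype, and so does its bound form.
function boundOfOrdinaryFunction() {
  function h() {}
  return protoOfBound(h) === Function.prototype;
}

// Custom prototype: bind must copy whatever the target currently inherits from.
function boundKeepsCustomPrototype() {
  const custom = { tag: 'custom-proto' };  // constructed
  function f() {}
  Object.setPrototypeOf(f, custom);
  return protoOfBound(f) === custom;
}

// Null prototype: the rare case the entry mentions; the bound function is null-prototyped too.
function boundKeepsNullPrototype() {
  function g() {}
  Object.setPrototypeOf(g, null);
  return protoOfBound(g) === null;
}

// Function subclass: instances carry Sub.prototype, and so must their bound forms,
// which is what lets `bound instanceof Sub` hold.
class Sub extends Function {}
function boundKeepsSubclassPrototype() {
  const s = new Sub('return 1');
  const bound = Function.prototype.bind.call(s, null);
  return Object.getPrototypeOf(bound) === Sub.prototype && bound instanceof Sub;
}
```
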
2320 2016-02-22  Keith Miller  <keith_miller@apple.com>
2321
2322         Unreviewed, fix stress test to not print on success.
2323
2324         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
2325         (catch): Deleted.
2326
2327 2016-02-22  Keith Miller  <keith_miller@apple.com>
2328
2329         Use Symbol.species in the builtin TypedArray.prototype functions
2330         https://bugs.webkit.org/show_bug.cgi?id=153384
2331
2332         Reviewed by Geoffrey Garen.
2333
2334         This patch adds the use of species constructors to the TypedArray.prototype map and filter
2335         functions. It also adds a new private function typedArrayGetOriginalConstructor that
2336         returns the TypedArray constructor used to originally create a TypedArray instance.
2337
2338         There are no ES6 tests to update for this patch as species creation for these functions is
2339         not tested in the compatibility table.
2340
2341         * builtins/TypedArrayPrototype.js:
2342         (map):
2343         (filter):
2344         * bytecode/BytecodeIntrinsicRegistry.cpp:
2345         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2346         * bytecode/BytecodeIntrinsicRegistry.h:
2347         * runtime/CommonIdentifiers.h:
2348         * runtime/JSGlobalObject.cpp:
2349         (JSC::JSGlobalObject::init):
2350         (JSC::JSGlobalObject::visitChildren):
2351         * runtime/JSGlobalObject.h:
2352         (JSC::JSGlobalObject::typedArrayConstructor):
2353         * runtime/JSTypedArrayViewPrototype.cpp:
2354         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
2355         * runtime/JSTypedArrayViewPrototype.h:
2356         * tests/stress/typedarray-filter.js:
2357         (subclasses.typedArrays.map):
2358         (prototype.accept):
2359         (testSpecies):
2360         (accept):
2361         (forEach):
2362         (subclasses.forEach):
2363         (testSpeciesRemoveConstructor):
2364         * tests/stress/typedarray-map.js:
2365         (subclasses.typedArrays.map):
2366         (prototype.id):
2367         (testSpecies):
2368         (id):
2369         (forEach):
2370         (subclasses.forEach):
2371         (testSpeciesRemoveConstructor):
2372
2373 2016-02-22  Keith Miller  <keith_miller@apple.com>
2374
2375         Builtins that should not rely on iteration do.
2376         https://bugs.webkit.org/show_bug.cgi?id=154475
2377
2378         Reviewed by Geoffrey Garen.
2379
2380         When changing the behavior of varargs calls to use ES6 iterators the
2381         call builtin function's use of a varargs call was overlooked. The use
2382         of iterators is observable outside the scope of the call function,
2383         thus it must be reimplemented.
2384
2385         * builtins/FunctionPrototype.js:
2386         (call):
2387         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
2388         (test):
2389         (addAll):
2390         (catch):
2391
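        Why the iterator use was observable, as an added example that is not part of the
        WebKit ChangeLog or the JSC sources: Array.prototype[Symbol.iterator] is writable, so
        any builtin that spreads its arguments through it hands script a hook into engine
        internals. Function.prototype.call and apply must not take that path, whereas a
        spread expression is required to. The counting wrapper installed here is
        constructed instrumentation and is restored afterwards.

```javascript
// Added example, not WebKit's code. Run `action` with a counting wrapper around
// the array iterator and report how many times the iterator was fetched and called.
function countIteratorUse(action) {
  const original = Array.prototype[Symbol.iterator];
  let count = 0;
  // Constructed instrumentation: delegate to the real iterator so iteration still works.
  Array.prototype[Symbol.iterator] = function () {
    count += 1;
    return original.call(this);
  };
  try {
    action();
  } finally {
    Array.prototype[Symbol.iterator] = original;  // always restore the global
  }
  return count;
}

function sum(a, b, c) { return a + b + c; }

// The entry's point: call/apply (and Reflect.apply) must not touch the iterator.
function iteratorUseByCall()         { return countIteratorUse(() => sum.call(null, 1, 2, 3)); }
function iteratorUseByApply()        { return countIteratorUse(() => sum.apply(null, [1, 2, 3])); }
function iteratorUseByReflectApply() { return countIteratorUse(() => Reflect.apply(sum, null, [1, 2, 3])); }

// Contrast: constructs the spec defines in terms of GetIterator do go through it.
function iteratorUseBySpread()    { return countIteratorUse(() => sum(...[1, 2, 3])); }
function iteratorUseByArrayFrom() { return countIteratorUse(() => Array.from([1, 2, 3])); }
```

        A non-zero count from the first three functions is the leak the entry fixed in the
        `call` builtin.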
2392 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
2393
2394         [JSC shell] Don't put empty arguments array to VM.
2395         https://bugs.webkit.org/show_bug.cgi?id=154516
2396
2397         Reviewed by Geoffrey Garen.
2398
2399         This allows arrowfunction-lexical-bind-arguments-top-level test to pass
2400         in jsc as well as in browser.
2401
2402         * jsc.cpp:
2403         (GlobalObject::finishCreation):
2404
2405 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
2406
2407         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
2408         https://bugs.webkit.org/show_bug.cgi?id=154450
2409
2410         Reviewed by Alex Christensen.
2411
2412         * CMakeLists.txt:
2413
2414 2016-02-22  Commit Queue  <commit-queue@webkit.org>
2415
2416         Unreviewed, rolling out r196891.
2417         https://bugs.webkit.org/show_bug.cgi?id=154539
2418
2419         It broke Production builds (Requested by brrian on #webkit).
2420
2421         Reverted changeset:
2422
2423         "Web Inspector: add 'Automation' protocol domain and generate
2424         its backend classes separately in WebKit2"
2425         https://bugs.webkit.org/show_bug.cgi?id=154509
2426         http://trac.webkit.org/changeset/196891
2427
2428 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
2429
2430         CodeBlock always visits its unlinked code twice
2431         https://bugs.webkit.org/show_bug.cgi?id=154494
2432
2433         Reviewed by Saam Barati.
2434
2435         * bytecode/CodeBlock.cpp:
2436         (JSC::CodeBlock::visitChildren):
2437         The unlinked code is always visited in stronglyVisitStrongReferences.
2438
2439 2016-02-21  Brian Burg  <bburg@apple.com>
2440
2441         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2442         https://bugs.webkit.org/show_bug.cgi?id=154509
2443         <rdar://problem/24759098>
2444
2445         Reviewed by Timothy Hatcher.
2446
2447         Add a new 'WebKit' framework, which is used to generate protocol code
2448         in WebKit2.
2449
2450         Add --backend and --frontend flags to the main generator script.
2451         These allow a framework to trigger two different sets of generators
2452         so they can be separately generated and compiled.
2453
2454         * inspector/scripts/codegen/models.py:
2455         (Framework.fromString):
2456         (Frameworks): Add new framework.
2457
2458         * inspector/scripts/generate-inspector-protocol-bindings.py:
2459         If neither --backend nor --frontend is specified, assume both are wanted.
2460         This matches the behavior for JavaScriptCore and WebInspector frameworks.
2461
2462         (generate_from_specification):
2463         Generate C++ files for the backend and Objective-C files for the frontend.
2464
2465 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2466
2467         Improvements to Intl code
2468         https://bugs.webkit.org/show_bug.cgi?id=154486
2469
2470         Reviewed by Darin Adler.
2471
2472         This patch does several things:
2473         - Use std::unique_ptr to store ICU objects.
2474         - Pass Vector::size() to ICU functions that take a buffer size instead
2475           of Vector::capacity().
2476         - If U_SUCCESS(status) is true, it means there is no error, but there
2477           could be warnings. ICU functions ignore warnings. So, there is no need
2478           to reset status to U_ZERO_ERROR.
2479         - Remove the initialization of the String instance variables of
2480           IntlDateTimeFormat. These values are never read and cause unnecessary
2481           memory allocation.
2482         - Fix coding style.
2483         - Some small optimization.
2484
2485         * runtime/IntlCollator.cpp:
2486         (JSC::IntlCollator::UCollatorDeleter::operator()):
2487         (JSC::IntlCollator::createCollator):
2488         (JSC::IntlCollator::compareStrings):
2489         (JSC::IntlCollator::~IntlCollator): Deleted.
2490         * runtime/IntlCollator.h:
2491         * runtime/IntlDateTimeFormat.cpp:
2492         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
2493         (JSC::defaultTimeZone):
2494         (JSC::canonicalizeTimeZoneName):
2495         (JSC::toDateTimeOptionsAnyDate):
2496         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2497         (JSC::IntlDateTimeFormat::weekdayString):
2498         (JSC::IntlDateTimeFormat::format):
2499         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
2500         (JSC::localeData): Deleted.
2501         * runtime/IntlDateTimeFormat.h:
2502         * runtime/IntlDateTimeFormatConstructor.cpp:
2503         * runtime/IntlNumberFormatConstructor.cpp:
2504         * runtime/IntlObject.cpp:
2505         (JSC::numberingSystemsForLocale):
2506
2507 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
2508
2509         Remove arrowfunction test cases that rely on arguments variable in jsc
2510         https://bugs.webkit.org/show_bug.cgi?id=154517
2511
2512         Reviewed by Yusuke Suzuki.
2513
2514         Allow jsc to have the same behavior in JavaScript as the browser has.
2515
2516         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
2517         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
2518
2519 2016-02-21  Brian Burg  <bburg@apple.com>
2520
2521         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
2522         https://bugs.webkit.org/show_bug.cgi?id=154508
2523         <rdar://problem/24759077>
2524
2525         Reviewed by Timothy Hatcher.
2526
2527         In preparation for being able to generate protocol files for WebKit2,
2528         make it possible to not emit generated code that's guarded by
2529         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
2530         backend dispatchers generated outside of JavaScriptCore. We can't just
2531         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
2532         in the configurations where the code is actually used.
2533
2534         Add a new opt-in Framework configuration option that turns on generating
2535         this code. Adjust how the code is generated so that it can be easily excluded.
2536
2537         * inspector/scripts/codegen/cpp_generator_templates.py:
2538         Make a separate template for the declarations that are guarded.
2539         Add an initializer expression so the order of initializers doesn't matter.
2540
2541         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2542         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
2543         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2544         If the declarations are needed, they will be appended to the end of the
2545         declarations list.
2546
2547         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2548         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
2549         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
2550
2551         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
2552         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
2553
2554         Rebaseline affected tests.
2555
2556         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2557         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2558         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2559         * inspector/scripts/tests/expected/enum-values.json-result:
2560         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2561
2562 2016-02-21  Brian Burg  <bburg@apple.com>
2563
2564         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
2565         https://bugs.webkit.org/show_bug.cgi?id=154505
2566         <rdar://problem/24758042>
2567
2568         Reviewed by Timothy Hatcher.
2569
2570         It should be possible to generate code for a framework using some generators
2571         that other frameworks also use. Right now the generator selection code assumes
2572         that use of a generator is mutually exclusive among non-test frameworks.
2573
2574         Make this code explicitly switch on the framework. Reorder generators
2575         alphabetically within each case.
2576
2577         * inspector/scripts/generate-inspector-protocol-bindings.py:
2578         (generate_from_specification):
2579
2580         Rebaseline tests that are affected by generator reorderings.
2581
2582         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2583         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2584         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2585         * inspector/scripts/tests/expected/enum-values.json-result:
2586         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2587         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2588         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2589         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2590         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2591         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2592         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2593         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2594         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2595
2596 2016-02-19  Saam Barati  <sbarati@apple.com>
2597
2598         [ES6] Implement Proxy.[[Construct]]
2599         https://bugs.webkit.org/show_bug.cgi?id=154440
2600
2601         Reviewed by Oliver Hunt.
2602
2603         This patch is mostly an implementation of
2604         Proxy.[[Construct]] with respect to section 9.5.13
2605         of the ECMAScript spec.
2606         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
2607
2608         This patch also changes op_create_this to accept new.target's
2609         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
2610         because we might construct a JSFunction with a new.target being
2611         a Proxy. This will also be needed when we implement Reflect.construct.
2612
2613         * dfg/DFGOperations.cpp:
2614         * dfg/DFGSpeculativeJIT32_64.cpp:
2615         (JSC::DFG::SpeculativeJIT::compile):
2616         * dfg/DFGSpeculativeJIT64.cpp:
2617         (JSC::DFG::SpeculativeJIT::compile):
2618         * jit/JITOpcodes.cpp:
2619         (JSC::JIT::emit_op_create_this):
2620         (JSC::JIT::emitSlow_op_create_this):
2621         * jit/JITOpcodes32_64.cpp:
2622         (JSC::JIT::emit_op_create_this):
2623         (JSC::JIT::emitSlow_op_create_this):
2624         * llint/LLIntData.cpp:
2625         (JSC::LLInt::Data::performAssertions):
2626         * llint/LowLevelInterpreter.asm:
2627         * llint/LowLevelInterpreter32_64.asm:
2628         * llint/LowLevelInterpreter64.asm:
2629         * runtime/CommonSlowPaths.cpp:
2630         (JSC::SLOW_PATH_DECL):
2631         * runtime/ProxyObject.cpp:
2632         (JSC::ProxyObject::finishCreation):
2633         (JSC::ProxyObject::visitChildren):
2634         (JSC::performProxyConstruct):
2635         (JSC::ProxyObject::getConstructData):
2636         * runtime/ProxyObject.h:
2637         * tests/es6.yaml:
2638         * tests/stress/proxy-construct.js: Added.
2639         (assert):
2640         (throw.new.Error.let.target):
2641         (throw.new.Error):
2642         (assert.let.target):
2643         (assert.let.handler.get construct):
2644         (let.target):
2645         (let.handler.construct):
2646         (i.catch):
2647         (assert.let.handler.construct):
2648         (assert.let.construct):
2649         (assert.else.assert.let.target):
2650         (assert.else.assert.let.construct):
2651         (assert.else.assert):
2652         (new.proxy.let.target):
2653         (new.proxy.let.construct):
2654         (new.proxy):
2655
2656 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2657
2658         [INTL] Implement Number Format Functions
2659         https://bugs.webkit.org/show_bug.cgi?id=147605
2660
2661         Reviewed by Darin Adler.
2662
2663         This patch implements Intl.NumberFormat.prototype.format() according
2664         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
2665
2666         * runtime/IntlNumberFormat.cpp:
2667         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
2668         (JSC::IntlNumberFormat::initializeNumberFormat):
2669         (JSC::IntlNumberFormat::createNumberFormat):
2670         (JSC::IntlNumberFormat::formatNumber):
2671         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
2672         * runtime/IntlNumberFormat.h:
2673         * runtime/IntlNumberFormatPrototype.cpp:
2674         (JSC::IntlNumberFormatFuncFormatNumber):
2675
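Added example, not part of this ChangeLog or of JavaScriptCore: sample results of Intl.NumberFormat.prototype.format() for the en-US locale as specified by ECMA-402, illustrating the entry above. It assumes an engine with full ICU locale data; the option names and the fact that "format" is a getter returning a bound function are from the ECMA-402 spec, not from JSC's sources.

```javascript
// Added example (not JSC code): Intl.NumberFormat.prototype.format() per ECMA-402,
// en-US locale. Expected strings assume full ICU data for en-US.
function formatSamples() {
  const plain = new Intl.NumberFormat('en-US');                       // grouping on, up to 3 fraction digits
  const percent = new Intl.NumberFormat('en-US', { style: 'percent' }); // 0 fraction digits by default
  const currency = new Intl.NumberFormat('en-US', { style: 'currency', currency: 'USD' });
  const fixed = new Intl.NumberFormat('en-US', {
    useGrouping: false, minimumFractionDigits: 2, maximumFractionDigits: 2
  });
  return {
    plain: plain.format(1234567.891),   // "1,234,567.891"
    percent: percent.format(0.256),     // "26%"  (25.6 rounded to 0 fraction digits)
    currency: currency.format(1234.5),  // "$1,234.50" (USD has 2 minor digits)
    fixed: fixed.format(1234.5)         // "1234.50"
  };
}

// ECMA-402 defines "format" as an accessor that returns a function bound to the
// NumberFormat instance, so it can be passed around without losing `this`.
function formatIsBound() {
  const nf = new Intl.NumberFormat('en-US');
  const f = nf.format;
  return [1, 2.5].map(f);             // ["1", "2.5"]
}
```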
2676 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
2677
2678         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
2679         https://bugs.webkit.org/show_bug.cgi?id=154416
2680
2681         Reviewed by Geoff Garen.
2682
2683         Here's the bug. Suppose you call JSObject::getOwnProperty and -
2684           - PropertyName contains an index,
2685           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
2686           - The base of the access (or another object on the prototype chain) shadows that property.
2687
2688         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
2689         index, and as such walks up the prototype chain looking for non-index properties before it
2690         tries calling parseIndex.
2691
2692         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
2693         would potentially return the property) we may have already skipped over non-overriding
2694         objects that contain the property in index storage.
2695
2696         * runtime/JSObject.h:
2697         (JSC::JSObject::getOwnNonIndexPropertySlot):
2698             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
2699               added ASSERT guarding that this method never returns index properties -
2700               if it ever does, this is unsafe for getPropertySlot.
2701         (JSC::JSObject::getOwnPropertySlot):
2702             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
2703         (JSC::JSObject::getPropertySlot):
2704             - In case of object overriding getOwnPropertySlot check if propertyName is an index.
2705         (JSC::JSObject::getNonIndexPropertySlot):
2706             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
2707               in order to avoid repeated calls to parseIndex.
2708         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
2709             - this was renamed to getOwnNonIndexPropertySlot.
2710         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
2711             - this was folded back in to getPropertySlot.
2712
2713 2016-02-19  Saam Barati  <sbarati@apple.com>
2714
2715         [ES6] Implement Proxy.[[Call]]
2716         https://bugs.webkit.org/show_bug.cgi?id=154425
2717
2718         Reviewed by Mark Lam.
2719
2720         This patch is a straightforward implementation of
2721         Proxy.[[Call]] with respect to section 9.5.12
2722         of the ECMAScript spec.
2723         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
2724
2725         * runtime/ProxyObject.cpp:
2726         (JSC::ProxyObject::finishCreation):
2727         (JSC::performProxyGet):
2728         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2729         (JSC::ProxyObject::performHasProperty):
2730         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2731         (JSC::performProxyCall):
2732         (JSC::ProxyObject::getCallData):
2733         (JSC::ProxyObject::visitChildren):
2734         * runtime/ProxyObject.h:
2735         (JSC::ProxyObject::create):
2736         * tests/es6.yaml:
2737         * tests/stress/proxy-call.js: Added.
2738         (assert):
2739         (throw.new.Error.let.target):
2740         (throw.new.Error.let.handler.apply):
2741         (throw.new.Error):
2742         (assert.let.target):
2743         (assert.let.handler.get apply):
2744         (let.target):
2745         (let.handler.apply):
2746         (i.catch):
2747         (assert.let.handler.apply):
2748
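Added example, not part of this ChangeLog or of JavaScriptCore: the observable behaviour of Proxy.[[Call]] (section 9.5.12) and Proxy.[[Construct]] (section 9.5.13) that the two Proxy entries above implement, written as plain JavaScript for any ES2015-conforming engine. The traps use Reflect.apply and Reflect.construct; since the [[Construct]] entry notes that JSC had not yet implemented Reflect.construct at this point, the example assumes a current engine. The names Point, target and the handler functions are constructed for the example.

```javascript
// Added example (not JSC code): Proxy [[Call]] (ES2015 9.5.12) and
// [[Construct]] (9.5.13) as seen from script. Names below are constructed.
function target(a, b) { return a + b; }
class Point {
  constructor(x, y) {
    this.x = x; this.y = y;
    this.viaProxy = new.target !== Point;   // records whether new.target was a Proxy
  }
}

// [[Call]] with no "apply" trap: the call is forwarded to the target.
function callWithoutTrap() {
  const p = new Proxy(target, {});
  return p(2, 3);                            // 5
}

// [[Call]] with an "apply" trap: it receives (target, thisArgument, argumentsList).
function callWithTrap() {
  const seen = [];
  const p = new Proxy(target, {
    apply(t, thisArg, args) {
      seen.push(args.slice());
      return Reflect.apply(t, thisArg, args) * 10;
    }
  });
  return { result: p(2, 3), seen };          // result 50, seen [[2, 3]]
}

// [[Construct]] with a "construct" trap: it receives (target, argumentsList, newTarget).
function constructWithTrap() {
  const p = new Proxy(Point, {
    construct(t, args, newTarget) { return Reflect.construct(t, args, newTarget); }
  });
  const obj = new p(1, 2);
  return { isPoint: obj instanceof Point, x: obj.x, y: obj.y };
}

// 9.5.13 step 10: a construct trap must return an Object, otherwise TypeError.
function constructReturningPrimitiveThrows() {
  const p = new Proxy(Point, { construct() { return 42; } });
  try { new p(); return false; } catch (e) { return e instanceof TypeError; }
}

// With no trap, [[Construct]] forwards with newTarget === the proxy itself, so the
// target constructor runs with a Proxy as new.target (the op_create_this change):
// the prototype is then looked up through the proxy's [[Get]].
function newTargetIsProxy() {
  const p = new Proxy(Point, {});
  const obj = new p(5, 6);
  return obj.viaProxy === true
      && Object.getPrototypeOf(obj) === Point.prototype
      && obj.x === 5;
}

// A proxy is callable only if its target is callable; the apply trap alone does not make it so.
function nonCallableTargetThrows() {
  const p = new Proxy({}, { apply() { return 1; } });
  try { p(); return false; } catch (e) { return e instanceof TypeError; }
}
```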
2749 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
2750
2751         Remove more LLVM related dead code after r196729
2752         https://bugs.webkit.org/show_bug.cgi?id=154387
2753
2754         Reviewed by Filip Pizlo.
2755
2756         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
2757         * Configurations/LLVMForJSC.xcconfig: Removed.
2758         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
2759         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
2760         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
2761         * JavaScriptCore.xcodeproj/project.pbxproj:
2762         * disassembler/X86Disassembler.cpp:
2763
2764 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2765
2766         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
2767         https://bugs.webkit.org/show_bug.cgi?id=154442
2768
2769         Reviewed by Saam Barati.
2770
2771         * runtime/JSString.h:
2772         (JSC::isJSString):
2773
2774 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2775
2776         Remove unused SymbolTable::createNameScopeTable
2777         https://bugs.webkit.org/show_bug.cgi?id=154443
2778
2779         Reviewed by Saam Barati.
2780
2781         * runtime/SymbolTable.h:
2782
2783 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
2784
2785         [JSC] Improve the instruction selection of Select
2786         https://bugs.webkit.org/show_bug.cgi?id=154432
2787
2788         Reviewed by Filip Pizlo.
2789
2790         Plenty of code but this patch is pretty dumb:
2791         -On ARM64: use the 3 operand form of CSEL instead of forcing a source
2792          to be aliased to the destination. This gives more freedom to the register
2793          allocator and it is one less Move to process per Select.
2794         -On x86, introduce a fake 3-operand form and use aggressive aliasing
2795          to try to alias both sources to the destination.
2796
2797          If aliasing succeeds on the "elseCase", the condition of the Select
2798          is reverted in the MacroAssembler.
2799
2800          If no aliasing is possible and we end up with 3 registers, the missing
2801          move instruction is generated by the MacroAssembler.
2802
2803          The missing move is generated after testing the values because the destination
2804          can use the same register as one of the test operands.
2805          Experimental testing seems to indicate there is no macro-fusion on CMOV;
2806          there is no measurable cost to having the move there.
2807
2808         * assembler/MacroAssembler.h:
2809         (JSC::MacroAssembler::isInvertible):
2810         (JSC::MacroAssembler::invert):
2811         * assembler/MacroAssemblerARM64.h:
2812         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
2813         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
2814         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2815         (JSC::MacroAssemblerARM64::moveConditionally32):
2816         (JSC::MacroAssemblerARM64::moveConditionally64):
2817         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2818         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
2819         * assembler/MacroAssemblerX86Common.h:
2820         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2821         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2822         (JSC::MacroAssemblerX86Common::moveConditionally32):
2823         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
2824         (JSC::MacroAssemblerX86Common::invert):
2825         (JSC::MacroAssemblerX86Common::isInvertible):
2826         * assembler/MacroAssemblerX86_64.h:
2827         (JSC::MacroAssemblerX86_64::moveConditionally64):
2828         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
2829         * b3/B3LowerToAir.cpp:
2830         (JSC::B3::Air::LowerToAir::createSelect):
2831         (JSC::B3::Air::LowerToAir::lower):
2832         * b3/air/AirInstInlines.h:
2833         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2834         * b3/air/AirOpcode.opcodes:
2835
2836 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2837
2838         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
2839         https://bugs.webkit.org/show_bug.cgi?id=154430
2840
2841         Reviewed by Saam Barati.
2842
2843         llvm isn't used anymore.
2844
2845         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
2846
2847 2016-02-18  Saam Barati  <sbarati@apple.com>
2848
2849         Implement Proxy.[[HasProperty]]
2850         https://bugs.webkit.org/show_bug.cgi?id=154313
2851
2852         Reviewed by Filip Pizlo.
2853
2854         This patch is a straightforward implementation of
2855         Proxy.[[HasProperty]] with respect to section 9.5.7
2856         of the ECMAScript spec.
2857         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
2858
2859         * runtime/ProxyObject.cpp:
2860         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2861         (JSC::ProxyObject::performHasProperty):
2862         (JSC::ProxyObject::getOwnPropertySlotCommon):
2863         * runtime/ProxyObject.h:
2864         * tests/es6.yaml:
2865         * tests/stress/proxy-basic.js:
2866         (assert):
2867         (let.handler.has):
2868         * tests/stress/proxy-has-property.js: Added.
2869         (assert):
2870         (throw.new.Error.let.handler.get has):
2871         (throw.new.Error):
2872         (assert.let.handler.has):
2873         (let.handler.has):
2874         (getOwnPropertyDescriptor):
2875         (i.catch):
2876
2877 2016-02-18  Saam Barati  <sbarati@apple.com>
2878
2879         Proxy's don't properly handle Symbols as PropertyKeys.
2880         https://bugs.webkit.org/show_bug.cgi?id=154385
2881
2882         Reviewed by Mark Lam and Yusuke Suzuki.
2883
2884         We were converting all PropertyKeys to strings, even when
2885         the PropertyName was a Symbol. In the spec, PropertyKeys are
2886         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
2887         Proxy.[[GetOwnProperty]].
2888
2889         * runtime/Completion.cpp:
2890         (JSC::profiledEvaluate):
2891         (JSC::createSymbolForEntryPointModule):
2892         (JSC::identifierToJSValue): Deleted.
2893         * runtime/Identifier.h:
2894         (JSC::parseIndex):
2895         * runtime/IdentifierInlines.h:
2896         (JSC::Identifier::fromString):
2897         (JSC::identifierToJSValue):
2898         (JSC::identifierToSafePublicJSValue):
2899         * runtime/ProxyObject.cpp:
2900         (JSC::performProxyGet):
2901         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2902         * tests/es6.yaml:
2903         * tests/stress/proxy-basic.js:
2904         (let.handler.getOwnPropertyDescriptor):
2905
2906 2016-02-18  Saam Barati  <sbarati@apple.com>
2907
2908         Follow up fix to Implement Proxy.[[GetOwnProperty]]
2909         https://bugs.webkit.org/show_bug.cgi?id=154314
2910
2911         Reviewed by Filip Pizlo.
2912
2913         Part of the implementation was broken because
2914         of how JSObject::getOwnPropertyDescriptor worked.
2915         I've fixed JSObject::getOwnPropertyDescriptor to
2916         be able to handle ProxyObject.
2917
2918         * runtime/JSObject.cpp:
2919         (JSC::JSObject::getOwnPropertyDescriptor):
2920         * runtime/ProxyObject.cpp:
2921         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2922         * tests/stress/proxy-get-own-property.js:
2923         (assert):
2924         (assert.let.handler.get getOwnPropertyDescriptor):
2925
2926 2016-02-18  Saam Barati  <sbarati@apple.com>
2927
2928         Implement Proxy.[[GetOwnProperty]]
2929         https://bugs.webkit.org/show_bug.cgi?id=154314
2930
2931         Reviewed by Filip Pizlo.
2932
2933         This patch implements Proxy.[[GetOwnProperty]].
2934         It's a straightforward implementation as described
2935         in section 9.5.5 of the specification:
2936         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
2937
2938         * runtime/FunctionPrototype.cpp:
2939         (JSC::functionProtoFuncBind):
2940         * runtime/JSObject.cpp:
2941         (JSC::validateAndApplyPropertyDescriptor):
2942         (JSC::JSObject::defineOwnNonIndexProperty):
2943         (JSC::JSObject::defineOwnProperty):
2944         (JSC::JSObject::getGenericPropertyNames):
2945         (JSC::JSObject::getMethod):
2946         * runtime/JSObject.h:
2947         (JSC::JSObject::butterflyAddress):
2948         (JSC::makeIdentifier):
2949         * runtime/ProxyObject.cpp:
2950         (JSC::performProxyGet):
2951         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2952         (JSC::ProxyObject::getOwnPropertySlotCommon):
2953         (JSC::ProxyObject::getOwnPropertySlot):
2954         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2955         (JSC::ProxyObject::visitChildren):
2956         * runtime/ProxyObject.h:
2957         * tests/es6.yaml:
2958         * tests/stress/proxy-basic.js:
2959         (let.handler.get null):
2960         * tests/stress/proxy-get-own-property.js: Added.
2961         (assert):
2962         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
2963         (throw.new.Error):
2964         (let.handler.getOwnPropertyDescriptor):
2965         (i.catch):
2966         (assert.let.handler.getOwnPropertyDescriptor):
2967
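Added example, not part of this ChangeLog or of JavaScriptCore: the observable semantics of Proxy.[[HasProperty]] (section 9.5.7) and Proxy.[[GetOwnProperty]] (section 9.5.5) implemented by the three Proxy entries above (HasProperty, Symbols as PropertyKeys, GetOwnProperty), including the invariants those sections enforce and the fact that a Symbol key reaches the trap as a symbol rather than a string. Plain ES2015 JavaScript; the key `secret` and the handlers are constructed for the example.

```javascript
// Added example (not JSC code): Proxy [[HasProperty]] (ES2015 9.5.7) and
// [[GetOwnProperty]] (9.5.5) from script. Sample objects and keys are constructed.
const secret = Symbol('secret');

// Keys are handed to the traps unchanged: strings stay strings, symbols stay symbols.
function keysSeenByTraps() {
  const keys = [];
  const p = new Proxy({ a: 1, [secret]: 2 }, {
    has(t, key) { keys.push(key); return Reflect.has(t, key); },
    getOwnPropertyDescriptor(t, key) {
      keys.push(key);
      return Reflect.getOwnPropertyDescriptor(t, key);
    }
  });
  const inResults = ['a' in p, secret in p, 'missing' in p];   // [true, true, false]
  const desc = Object.getOwnPropertyDescriptor(p, secret);
  return { keys, inResults, descValue: desc.value };            // keys[1] is the symbol itself
}

// 9.5.7: a has trap may report a configurable property as absent ...
function hidingConfigurableIsAllowed() {
  const p = new Proxy({ a: 1 }, { has() { return false; } });
  return 'a' in p;                                              // false, no error
}

// ... but reporting a non-configurable own property as absent is a TypeError.
function hidingNonConfigurableThrows() {
  const t = {};
  Object.defineProperty(t, 'fixed', { value: 1, configurable: false });
  const p = new Proxy(t, { has() { return false; } });
  try { 'fixed' in p; return false; } catch (e) { return e instanceof TypeError; }
}

// 9.5.5: an undefined trap result for a non-configurable own property is a TypeError.
function reportingNonConfigurableAbsentThrows() {
  const t = {};
  Object.defineProperty(t, 'fixed', { value: 1, configurable: false });
  const p = new Proxy(t, { getOwnPropertyDescriptor() { return undefined; } });
  try { Object.getOwnPropertyDescriptor(p, 'fixed'); return false; }
  catch (e) { return e instanceof TypeError; }
}

// 9.5.5: the descriptor a trap returns is completed (writable/enumerable default to
// false) and a configurable descriptor for a key the extensible target lacks is accepted.
function trapDescriptorIsCompleted() {
  const p = new Proxy({}, {
    getOwnPropertyDescriptor(t, key) {
      return key === 'virtual' ? { value: 7, configurable: true } : undefined;
    }
  });
  return Object.getOwnPropertyDescriptor(p, 'virtual');
  // { value: 7, writable: false, enumerable: false, configurable: true }
}
```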
2968 2016-02-18  Andreas Kling  <akling@apple.com>
2969
2970         JSString resolution of substrings should use StringImpl sharing optimization.
2971         <https://webkit.org/b/154068>
2972         <rdar://problem/24629358>
2973
2974         Reviewed by Antti Koivisto.
2975
2976         When resolving a JSString that's actually a substring of another JSString,
2977         use the StringImpl sharing optimization to create a new string pointing into
2978         the parent one, instead of copying out the bytes of the string.
2979
2980         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
2981
2982         Another approach to this would be to induce GC far more frequently due to
2983         the added cost of copying out these substrings. It would reduce the risk
2984         of prolonging the life of strings only kept alive by substrings.
2985
2986         This patch chooses to trade that risk for less GC and lower peak memory.
2987
2988         * runtime/JSString.cpp:
2989         (JSC::JSRopeString::resolveRope):
2990
2991 2016-02-18  Chris Dumez  <cdumez@apple.com>
2992
2993         Crash on SES selftest page when loading the page while WebInspector is open
2994         https://bugs.webkit.org/show_bug.cgi?id=154378
2995         <rdar://problem/24713422>
2996
2997         Reviewed by Mark Lam.
2998
2999         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
3000         returns early again if it detects that getOwnPropertySlot() returns a
3001         non-own property. This check was removed in r196676 because we assumed that
3002         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
3003         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
3004         well.
3005
3006         Not having the check would lead to crashes when using the debugger because
3007         we would get a slot with the CustomAccessor attribute but getDirect() would
3008         then fail to return the property (because it is not an own property). We
3009         would then cast the value returned by getDirect() to a CustomGetterSetter*
3010         and dereference it.
3011
3012         * runtime/JSObject.cpp:
3013         (JSC::JSObject::getOwnPropertyDescriptor):
3014
3015 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
3016
3017         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
3018         for that.
3019
3020         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3021         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3022
3023 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
3024
3025         Unreviewed, fix CMake build. This got messed up when rebasing.
3026
3027         * CMakeLists.txt:
3028
3029 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
3030
3031         Fix the !ENABLE(DFG_JIT) build after r195865
3032         https://bugs.webkit.org/show_bug.cgi?id=154391
3033
3034         Reviewed by Filip Pizlo.
3035
3036         * runtime/SamplingProfiler.cpp:
3037         (JSC::tryGetBytecodeIndex):
3038
3039 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3040
3041         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
3042         https://bugs.webkit.org/show_bug.cgi?id=154383
3043
3044         Reviewed by Saam Barati.
3045
3046         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
3047
3048         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
3049           backend".
3050
3051         - Removed the reference because I found it to be dead. In some cases it was a dead
3052           comment: it was telling us things about what LLVM did and that's just not relevant
3053           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
3054
3055         - Edited the comment in some smart way. There were comments talking about what LLVM did
3056           that were still of interest. In some cases, I added a FIXME to consider changing the
3057           code below the comment on the grounds that it was written in a weird way to placate
3058           LLVM and so we can do it better now.
3059
3060         * CMakeLists.txt:
3061         * JavaScriptCore.xcodeproj/project.pbxproj:
3062         * dfg/DFGArgumentsEliminationPhase.cpp:
3063         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
3064         * dfg/DFGPlan.cpp:
3065         (JSC::DFG::Plan::compileInThread):
3066         (JSC::DFG::Plan::compileInThreadImpl):
3067         (JSC::DFG::Plan::compileTimeStats):
3068         * dfg/DFGPutStackSinkingPhase.cpp:
3069         * dfg/DFGSSAConversionPhase.h:
3070         * dfg/DFGStaticExecutionCountEstimationPhase.h:
3071         * dfg/DFGUnificationPhase.cpp:
3072         (JSC::DFG::UnificationPhase::run):
3073         * disassembler/ARM64Disassembler.cpp:
3074         (JSC::tryToDisassemble): Deleted.
3075         * disassembler/X86Disassembler.cpp:
3076         (JSC::tryToDisassemble):
3077         * ftl/FTLAbstractHeap.cpp:
3078         (JSC::FTL::IndexedAbstractHeap::initialize):
3079         * ftl/FTLAbstractHeap.h:
3080         * ftl/FTLFormattedValue.h:
3081         * ftl/FTLJITFinalizer.cpp:
3082         (JSC::FTL::JITFinalizer::finalizeFunction):
3083         * ftl/FTLLink.cpp:
3084         (JSC::FTL::link):
3085         * ftl/FTLLocation.cpp:
3086         (JSC::FTL::Location::restoreInto):
3087         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
3088         (JSC::FTL::DFG::ftlUnreachable):
3089         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
3090         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
3091         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
3092         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
3093         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
3094         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
3095         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
3096         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
3097         (JSC::FTL::lowerDFGToB3):
3098         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
3099         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
3100         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
3101         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
3102         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
3103         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
3104         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
3105         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
3106         (JSC::FTL::lowerDFGToLLVM): Deleted.
3107         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
3108         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
3109         * ftl/FTLLowerDFGToLLVM.h: Removed.
3110         * ftl/FTLOSRExitCompiler.cpp:
3111         (JSC::FTL::compileStub):
3112         * ftl/FTLWeight.h:
3113         (JSC::FTL::Weight::frequencyClass):
3114         (JSC::FTL::Weight::inverse):
3115         (JSC::FTL::Weight::scaleToTotal): Deleted.
3116         * ftl/FTLWeightedTarget.h:
3117         (JSC::FTL::rarely):
3118         (JSC::FTL::unsure):
3119         * jit/CallFrameShuffler64.cpp:
3120         (JSC::CallFrameShuffler::emitDisplace):
3121         * jit/RegisterSet.cpp:
3122         (JSC::RegisterSet::ftlCalleeSaveRegisters):
3123         * llvm: Removed.
3124         * llvm/InitializeLLVMLinux.cpp: Removed.
3125         * llvm/InitializeLLVMWin.cpp: Removed.
3126         * llvm/library: Removed.
3127         * llvm/library/LLVMTrapCallback.h: Removed.
3128         * llvm/library/libllvmForJSC.version: Removed.
3129         * runtime/Options.cpp:
3130         (JSC::recomputeDependentOptions):
3131         (JSC::Options::initialize):
3132         * runtime/Options.h:
3133         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
3134         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
3135         * wasm/WASMFunctionParser.cpp:
3136
3137 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
3138
3139         [cmake] Build system cleanup
3140         https://bugs.webkit.org/show_bug.cgi?id=154337
3141
3142         Reviewed by Žan Doberšek.
3143
3144         * CMakeLists.txt:
3145
3146 2016-02-17  Mark Lam  <mark.lam@apple.com>
3147
3148         Callers of JSString::value() should check for exceptions thereafter.
3149         https://bugs.webkit.org/show_bug.cgi?id=154346
3150
3151         Reviewed by Geoffrey Garen.
3152
3153         JSString::value() can throw an exception if the JS string is a rope and value() 
3154         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
3155         able to resolve the rope, it will return a null string (in addition to throwing
3156         the exception).  If a caller does not check for exceptions after calling
3157         JSString::value(), they may eventually use the returned null string and crash the
3158         VM.
3159
3160         The fix is to add all the necessary exception checks, and do the appropriate
3161         handling if needed.
3162
3163         * jsc.cpp:
3164         (functionRun):
3165         (functionLoad):
3166         (functionReadFile):
3167         (functionCheckSyntax):
3168         (functionLoadWebAssembly):
3169         (functionLoadModule):
3170         (functionCheckModuleSyntax):
3171         * runtime/DateConstructor.cpp:
3172         (JSC::dateParse):
3173         (JSC::dateNow):
3174         * runtime/JSGlobalObjectFunctions.cpp:
3175         (JSC::globalFuncEval):
3176         * tools/JSDollarVMPrototype.cpp:
3177         (JSC::functionPrint):
3178
3179 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
3180
3181         [JSC] ARM64: Support the immediate format used for bit operations in Air
3182         https://bugs.webkit.org/show_bug.cgi?id=154327
3183
3184         Reviewed by Filip Pizlo.
3185
3186         ARM64 supports a pretty rich form of immediates for bit operations.
3187         There are two formats used to encode repeating patterns and common
3188         input in a dense form.
3189
3190         In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
3191         Those represent the valid immediate forms for bit operations.
3192         On x86, any 32-bit value is valid. On ARM64, all the encoding
3193         forms are tried and the immediate is used when possible.
3194
3195         The arg type Imm64 is renamed to BigImm to better represent what
3196         it is: an immediate that does not fit into Imm.
3197
3198         * assembler/ARM64Assembler.h:
3199         (JSC::LogicalImmediate::create32): Deleted.
3200         (JSC::LogicalImmediate::create64): Deleted.
3201         (JSC::LogicalImmediate::value): Deleted.
3202         (JSC::LogicalImmediate::isValid): Deleted.
3203         (JSC::LogicalImmediate::is64bit): Deleted.
3204         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
3205         (JSC::LogicalImmediate::mask): Deleted.
3206         (JSC::LogicalImmediate::partialHSB): Deleted.
3207         (JSC::LogicalImmediate::highestSetBit): Deleted.
3208         (JSC::LogicalImmediate::findBitRange): Deleted.
3209         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
3210         * assembler/AssemblerCommon.h:
3211         (JSC::ARM64LogicalImmediate::create32):
3212         (JSC::ARM64LogicalImmediate::create64):
3213         (JSC::ARM64LogicalImmediate::value):
3214         (JSC::ARM64LogicalImmediate::isValid):
3215         (JSC::ARM64LogicalImmediate::is64bit):
3216         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
3217         (JSC::ARM64LogicalImmediate::mask):
3218         (JSC::ARM64LogicalImmediate::partialHSB):
3219         (JSC::ARM64LogicalImmediate::highestSetBit):
3220         (JSC::ARM64LogicalImmediate::findBitRange):
3221         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
3222         * assembler/MacroAssemblerARM64.h:
3223         (JSC::MacroAssemblerARM64::and64):
3224         (JSC::MacroAssemblerARM64::or64):
3225         (JSC::MacroAssemblerARM64::xor64):
3226         * b3/B3LowerToAir.cpp:
3227         (JSC::B3::Air::LowerToAir::bitImm):
3228         (JSC::B3::Air::LowerToAir::bitImm64):
3229         (JSC::B3::Air::LowerToAir::appendBinOp):
3230         * b3/air/AirArg.cpp:
3231         (JSC::B3::Air::Arg::dump):
3232         (WTF::printInternal):
3233         * b3/air/AirArg.h:
3234         (JSC::B3::Air::Arg::bitImm):
3235         (JSC::B3::Air::Arg::bitImm64):
3236         (JSC::B3::Air::Arg::isBitImm):
3237         (JSC::B3::Air::Arg::isBitImm64):
3238         (JSC::B3::Air::Arg::isSomeImm):
3239         (JSC::B3::Air::Arg::value):
3240         (JSC::B3::Air::Arg::isGP):
3241         (JSC::B3::Air::Arg::isFP):
3242         (JSC::B3::Air::Arg::hasType):
3243         (JSC::B3::Air::Arg::isValidBitImmForm):
3244         (JSC::B3::Air::Arg::isValidBitImm64Form):
3245         (JSC::B3::Air::Arg::isValidForm):
3246         (JSC::B3::Air::Arg::asTrustedImm32):
3247         (JSC::B3::Air::Arg::asTrustedImm64):
3248         * b3/air/AirOpcode.opcodes:
3249         * b3/air/opcode_generator.rb:
3250
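Added example, not part of this ChangeLog or of JavaScriptCore: a stand-alone check of the ARM64 "logical immediate" rule the entry above refers to, together with the N:immr:imms field computation. It re-implements the rule from the ARM architecture reference (a value is encodable if it is the replication of a 2-, 4-, 8-, 16-, 32- or 64-bit element that is a rotated run of ones, and 0 and all-ones are never encodable); it is not JSC's ARM64LogicalImmediate class, and the function names and the result object shape are this example's own.

```javascript
// Added example (not JSC code): is `value` a valid ARM64 bitmask immediate for
// AND/ORR/EOR, and if so what are N, immr and imms? BigInt is used so 64-bit
// values are exact. Function names and result shape are this example's own.
const ELEMENT_SIZES = [2, 4, 8, 16, 32, 64];

// Rotate a `width`-bit value right by `amount` bits.
function rotateRight(value, amount, width) {
  const w = BigInt(width);
  const mask = (1n << w) - 1n;
  const a = BigInt(amount) % w;
  return ((value >> a) | (value << (w - a))) & mask;
}

// Returns { n, immr, imms, elementSize, runLength } or null if not encodable.
function encodeLogicalImmediate(value, width = 64) {
  if (width !== 32 && width !== 64) throw new RangeError('width must be 32 or 64');
  const v = BigInt.asUintN(width, BigInt(value));
  const full = (1n << BigInt(width)) - 1n;
  if (v === 0n || v === full) return null;      // a run of ones must have 1..e-1 bits

  for (const e of ELEMENT_SIZES) {
    if (e > width) break;
    const element = v & ((1n << BigInt(e)) - 1n);
    // The value must be this element repeated across the whole register.
    let replicated = 0n;
    for (let i = 0; i < width; i += e) replicated |= element << BigInt(i);
    if (replicated !== v) continue;

    // Smallest repeating element found. It must be a single run of ones, possibly
    // wrapping around: exactly one 0->1 transition when read circularly.
    let ones = 0, transitions = 0;
    for (let i = 0; i < e; i++) {
      const bit = (element >> BigInt(i)) & 1n;
      const next = (element >> BigInt((i + 1) % e)) & 1n;
      if (bit === 1n) ones++;
      if (bit === 0n && next === 1n) transitions++;
    }
    if (transitions !== 1) return null;          // e.g. 0x1234: several runs, not encodable

    // immr: right rotation that turns the low-order run of `ones` bits into the element.
    const run = (1n << BigInt(ones)) - 1n;
    let immr = 0;
    while (rotateRight(run, immr, e) !== element) immr++;

    // imms: element size encoded as leading ones in the field, then (run length - 1).
    // N is set only for the 64-bit element size.
    const n = e === 64 ? 1 : 0;
    const imms = (((~(e - 1)) << 1) & 0x3f) | (ones - 1);
    return { n, immr, imms, elementSize: e, runLength: ones };
  }
  return null;                                   // only reached if no size replicates (cannot happen)
}

function isLogicalImmediate(value, width = 64) {
  return encodeLogicalImmediate(value, width) !== null;
}
```

With this, 0xff encodes as N=1, immr=0, imms=7 (a 64-bit element holding 8 low ones), 0x5555555555555555 as N=0, immr=0, imms=0x3c (a 2-bit element "01" repeated), and 0xffffffff00000000 as N=1, immr=32, imms=31; 0, all-ones and 0x1234 are rejected, which is what forces the backend to fall back to a register for such masks.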
3251 2016-02-17  Keith Miller  <keith_miller@apple.com>
3252
3253         Spread operator should be allowed when not the first argument of parameter list
3254         https://bugs.webkit.org/show_bug.cgi?id=152721
3255
3256         Reviewed by Saam Barati.
3257
3258         Spread arguments to functions should now be ES6 compliant. Before we
3259         would only take a spread operator if it was the sole argument to a
3260         function. Additionally, we would not use the Symbol.iterator on the
3261         object to generate the arguments. Instead we would do a loop up to the
3262         length mapping indexed properties to the corresponding argument. We fix
3263         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
3264         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
3265         old spread semantics). This solution has the downside of requiring the
3266         allocation of another object and copying each element twice but avoids a
3267         large change to the vm calling convention.
3268
3269         * interpreter/Interpreter.cpp:
3270         (JSC::loadVarargs):
3271         * parser/ASTBuilder.h:
3272         (JSC::ASTBuilder::createElementList):
3273         * parser/Parser.cpp:
3274         (JSC::Parser<LexerType>::parseArguments):
3275         (JSC::Parser<LexerType>::parseArgument):
3276         (JSC::Parser<LexerType>::parseMemberExpression):
3277         * parser/Parser.h:
3278         * parser/SyntaxChecker.h:
3279         (JSC::SyntaxChecker::createElementList):
3280         * tests/es6.yaml:
3281         * tests/stress/spread-calling.js: Added.
3282         (testFunction):
3283         (testEmpty):
3284         (makeObject):
3285         (otherIterator.return.next):
3286         (otherIterator):
3287         (totalIter):
3288         (throwingIter.return.next):
3289         (throwingIter):
3290         (i.catch):
3291
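        Added example (not part of the ChangeLog entry above, and not JavaScriptCore's own code): plain
        JavaScript that makes the two behaviours the entry describes observable. It contrasts a
        length-based walk (the old spread semantics) with Symbol.iterator-based spread, shows that the
        rewrite foo(...a, b, ...c, d) -> foo(...[...a, b, ...c, d]) produces the same argument list, and
        shows that an iterator which throws mid-spread aborts the call before the callee runs. The helper
        names (collectArgs, makeIterable, makeArrayLike, legacySpread, es6Spread) and the sample values
        are assumptions made for this example.

```javascript
// Added example, not JavaScriptCore code: ES6 spread-argument semantics
// that the ChangeLog entry above describes. All names below are constructed
// for this example.

// Callee that returns exactly the arguments it received (ES6 rest parameter).
function collectArgs(...args) {
  return args;
}

// Constructed iterable: values are only reachable through Symbol.iterator.
// There are no '0', '1', ... keys and no 'length', so an index walk sees nothing.
function makeIterable(values) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next: () => (i < values.length
          ? { value: values[i++], done: false }
          : { value: undefined, done: true }),
      };
    },
  };
}

// Constructed array-like: indexed keys plus length, but no Symbol.iterator.
// ES6 spread must reject this with a TypeError.
function makeArrayLike(values) {
  const o = { length: values.length };
  values.forEach((v, i) => { o[i] = v; });
  return o;
}

// The pre-fix behaviour the entry describes: loop up to length over indexed
// properties, ignoring Symbol.iterator entirely.
function legacySpread(obj) {
  const out = [];
  const len = obj.length >>> 0; // undefined length -> 0 iterations
  for (let i = 0; i < len; i++) out.push(obj[i]);
  return out;
}

// ES6 behaviour: consult Symbol.iterator; non-iterables throw a TypeError.
function es6Spread(obj) {
  try {
    return { ok: true, values: [...obj] };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Spread in the middle of an argument list, as in the entry's foo(...a, b, ...c, d).
function spreadMixed(a, b, c, d) {
  return collectArgs(...a, b, ...c, d);
}

// The entry's AST rewrite: one spread of a freshly built array literal.
// The argument list the callee sees must be identical to spreadMixed's.
function spreadRewritten(a, b, c, d) {
  return collectArgs(...[...a, b, ...c, d]);
}

// Iterator that throws on its third next() call. Arguments are evaluated
// left to right, so the throw happens during spreading and the callee never
// runs. Returns a record of what was observed.
function spreadThrowing() {
  let nextCalls = 0;
  const thrower = {
    [Symbol.iterator]() {
      return {
        next() {
          nextCalls += 1;
          if (nextCalls === 3) throw new Error('iterator failed');
          return { value: nextCalls, done: false };
        },
      };
    },
  };
  let calleeRan = false;
  let error = null;
  const callee = (...args) => { calleeRan = true; return args; };
  try {
    callee(...thrower, 'after');
  } catch (e) {
    error = e.message;
  }
  return { calleeRan, error, nextCalls };
}
```

        The interesting comparison is legacySpread(makeIterable([4, 5])), which returns an empty array,
        against es6Spread of the same object, which yields [4, 5]; the array-like goes the other way
        (the legacy walk reads it, ES6 spread throws TypeError). spreadThrowing() reports calleeRan
        false, which is the ordering guarantee a caller relies on when an argument iterator fails.
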
3292 2016-02-17  Brian Burg  <bburg@apple.com>
3293
3294         Remove a wrong cast in RemoteInspector::receivedSetupMessage
3295         https://bugs.webkit.org/show_bug.cgi?id=154361
3296         <rdar://problem/24709281>
3297
3298         Reviewed by Joseph Pecoraro.
3299
3300         * inspector/remote/RemoteInspector.mm:
3301         (Inspector::RemoteInspector::receivedSetupMessage):
3302         Not only is this cast unnecessary (the constructor accepts the base class),
3303         but it is wrong since the target could be an automation target. Remove it.
3304
3305 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3306
3307         Rename FTLB3Blah to FTLBlah
3308         https://bugs.webkit.org/show_bug.cgi?id=154365
3309
3310         Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
3311
3312         * CMakeLists.txt:
3313         * JavaScriptCore.xcodeproj/project.pbxproj:
3314         * ftl/FTLB3Compile.cpp: Removed.
3315         * ftl/FTLB3Output.cpp: Removed.
3316         * ftl/FTLB3Output.h: Removed.
3317         * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
3318         * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
3319         * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
3320
3321 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3322
3323         Remove LLVM dependencies from WebKit
3324         https://bugs.webkit.org/show_bug.cgi?id=154323
3325
3326         Reviewed by Antti Koivisto and Benjamin Poulain.
3327
3328         We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
3329         LLVM-related code dead, including the disassembler, which was only reachable when you were on
3330         a platform that already had an in-tree disassembler.
3331
3332         * CMakeLists.txt:
3333         * JavaScriptCore.xcodeproj/project.pbxproj:
3334         * dfg/DFGCommon.h:
3335         * dfg/DFGPlan.cpp:
3336         (JSC::DFG::Plan::compileInThread):
3337         (JSC::DFG::Plan::compileInThreadImpl):
3338         (JSC::DFG::Plan::compileTimeStats):
3339         * disassembler/ARM64Disassembler.cpp:
3340         (JSC::tryToDisassemble):
3341         * disassembler/ARMv7Disassembler.cpp:
3342         (JSC::tryToDisassemble):
3343         * disassembler/Disassembler.cpp:
3344         (JSC::disassemble):
3345         (JSC::disassembleAsynchronously):
3346         * disassembler/Disassembler.h:
3347         (JSC::tryToDisassemble):
3348         * disassembler/LLVMDisassembler.cpp: Removed.
3349         * disassembler/LLVMDisassembler.h: Removed.
3350         * disassembler/UDis86Disassembler.cpp:
3351         (JSC::tryToDisassembleWithUDis86):
3352         * disassembler/UDis86Disassembler.h:
3353         (JSC::tryToDisassembleWithUDis86):
3354         * disassembler/X86Disassembler.cpp:
3355         (JSC::tryToDisassemble):
3356