931d67f1e865082710842b92a22f9cb8c3dadf59
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-03-02  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
        https://bugs.webkit.org/show_bug.cgi?id=154947

        Reviewed by Filip Pizlo.

        This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.

        The problem was that JSCell_freeListNext and JSCell_structureID were
        considered as disjoint. When reordering instructions, the scheduler
        could move the write of the StructureID first to reduce dependencies.
        This would erase half of JSCell_freeListNext before we get a chance
        to load the value.

        This patch changes the hierarchy to make sure nothing is written
        until JSCell_freeListNext is processed.

        All credits for this patch go to Filip.

        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:

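The hazard this entry describes, as an added illustration that is not WebKit code: a toy cell whose free-list link shares its first header bytes with the structure ID (the layout is an assumption modelled on the description above, not JSC's real header), allocated once with the load of the link kept ahead of the store, and once with the store hoisted the way a scheduler that believes the two fields are disjoint may order it. The names allocateLinkFirst, allocateStoreHoisted and freeListSurvivesAllocation are invented for the example.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Toy cell (assumption, not JSC's header): a free cell reuses its first 8 header bytes
// as the free-list link; an allocated cell stores a 32-bit structure ID in the first
// 4 of those same bytes. The two fields therefore alias.
struct Cell {
    unsigned char header[8];
    unsigned char payload[8];
};

// memcpy accessors make the overlap explicit without union type-punning.
static Cell* readFreeListNext(const Cell* cell) {
    Cell* next;
    std::memcpy(&next, cell->header, sizeof next);
    return next;
}
static void writeFreeListNext(Cell* cell, Cell* next) { std::memcpy(cell->header, &next, sizeof next); }
static void writeStructureID(Cell* cell, uint32_t id) { std::memcpy(cell->header, &id, sizeof id); }
static uint32_t readStructureID(const Cell* cell) {
    uint32_t id;
    std::memcpy(&id, cell->header, sizeof id);
    return id;
}

struct FreeList { Cell* head = nullptr; };

// Correct order: consume the link before any byte of the header is overwritten.
static Cell* allocateLinkFirst(FreeList& list, uint32_t structureID) {
    Cell* cell = list.head;
    list.head = readFreeListNext(cell);   // load the shared word...
    writeStructureID(cell, structureID);  // ...and only then clobber it
    return cell;
}

// The order a scheduler may pick if it believes the two fields never alias:
// the structure ID store is hoisted above the load and tramples half the link.
static Cell* allocateStoreHoisted(FreeList& list, uint32_t structureID) {
    Cell* cell = list.head;
    writeStructureID(cell, structureID);  // store moved up "to reduce dependencies"
    list.head = readFreeListNext(cell);   // now reads a corrupted pointer
    return cell;
}

// Threads three cells onto a free list, allocates one cell with the chosen ordering and
// reports whether the list head still points at the expected next cell.
bool freeListSurvivesAllocation(bool hoistStructureIDStore) {
    std::array<Cell, 3> cells{};
    writeFreeListNext(&cells[0], &cells[1]);
    writeFreeListNext(&cells[1], &cells[2]);
    writeFreeListNext(&cells[2], nullptr);
    FreeList list{&cells[0]};

    const uint32_t structureID = 0x1234;
    Cell* allocated = hoistStructureIDStore ? allocateStoreHoisted(list, structureID)
                                            : allocateLinkFirst(list, structureID);
    if (allocated != &cells[0] || readStructureID(allocated) != structureID)
        return false;                     // the allocation itself looks fine either way
    return list.head == &cells[1];        // the damage only shows on the next allocation
}

int main() {
    std::printf("link first:    head %s\n", freeListSurvivesAllocation(false) ? "intact" : "corrupted");
    std::printf("store hoisted: head %s\n", freeListSurvivesAllocation(true) ? "intact" : "corrupted");
    return 0;
}
```

The corrupted head is never dereferenced here; in a real allocator it would be, on the next allocation, which is why a missing aliasing relation in the compiler's abstract heap model turns into memory corruption rather than a visible error at the point of the reordered store.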
2016-03-02  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve Select of Doubles based on Double condition
        https://bugs.webkit.org/show_bug.cgi?id=154572

        Reviewed by Filip Pizlo.

        Octane has a bunch of Select on Double based on comparing Doubles.
        A few nodes generate that: ValueRep, Min, Max, etc.

        On ARM64, we can improve our code a lot. ARM can do a select
        based on flags with the FCSEL instruction.

        On x86, this patch adds aggressive aliasing for moveDoubleConditionallyXXX.
        This has obviously a much more limited impact.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::moveDoubleConditionally32): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionally64): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyTest32): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyTest64): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyDouble): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyFloat): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyDouble):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyFloat):
        (JSC::MacroAssemblerARM64::moveConditionally32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest64):
        (JSC::MacroAssemblerARM64::branch64):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::moveConditionally32):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionally32):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionallyTest32):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionallyDouble):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionallyFloat):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::moveDoubleConditionally64):
        (JSC::MacroAssemblerX86_64::moveDoubleConditionallyTest64):
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::populateWithInterestingValues):
        (JSC::B3::floatingPointOperands):
        (JSC::B3::int64Operands):
        (JSC::B3::int32Operands):
        (JSC::B3::testSelectCompareFloat):
        (JSC::B3::testSelectCompareFloatToDouble):
        (JSC::B3::testSelectDoubleCompareDouble):
        (JSC::B3::testSelectDoubleCompareDoubleWithAliasing):
        (JSC::B3::testSelectFloatCompareFloat):
        (JSC::B3::testSelectFloatCompareFloatWithAliasing):
        (JSC::B3::run):

2016-03-02  Joseph Pecoraro  <pecoraro@apple.com>

        Add ability to generate a Heap Snapshot
        https://bugs.webkit.org/show_bug.cgi?id=154847

        Reviewed by Mark Lam.

        This adds HeapSnapshot, HeapSnapshotBuilder, and HeapProfiler.

        HeapProfiler hangs off of the VM and holds the list of snapshots.
        I expect to add other HeapProfiling features, such as allocation
        tracking, to the profiler.

        HeapSnapshot contains a collection of live cells and their identifiers.
        It can point to a previous HeapSnapshot, to ensure that a cell that
        already received an identifier maintains the same identifier across
        multiple snapshots. When a snapshotted cell gets garbage collected,
        the cell will be swept from the HeapSnapshot at the end of collection
        to ensure the list contains only live cells.

        When building a HeapSnapshot nodes are added in increasing node
        identifier order. When done building, the list of nodes is complete
        and the snapshot is finalized. At this point the nodes are sorted
        by JSCell* address to allow for quick lookup of a JSCell*.

        HeapSnapshotBuilder is where snapshotting begins. The builder
        will initiate a specialized heap snapshotting garbage collection.
        During this collection the builder will be notified of all marked
        (live) cells, and connections between cells, as seen by SlotVisitors.
        The builder can reference the previous, readonly, HeapSnapshots to
        avoid creating new nodes for cells that have already been snapshotted.
        When it is determined that we are visiting a live cell for the first
        time, we give the cell a unique identifier and add it to the
        snapshot we are building.

        Since edge data is costly, and of little long term utility, this
        data is only held by the builder for serialization, and not stored
        long term with the HeapSnapshot node data.

        The goals of HeapSnapshotting at this time are:
        - minimal impact on performance when not profiling the heap
        - unique identifier for cells, so they may be identified across multiple snapshots
        - nodes and edges to be able to construct a graph of which nodes reference/retain which other nodes
        - node data - identifier, type (class name), size
        - edge data - from cell, to cell, type / data (to come in a follow-up patch)

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Add new files to the build.

        * heap/Heap.cpp:
        (JSC::Heap::isHeapSnapshotting):
        (JSC::RemoveDeadHeapSnapshotNodes::RemoveDeadHeapSnapshotNodes):
        (JSC::RemoveDeadHeapSnapshotNodes::operator()):
        (JSC::Heap::removeDeadHeapSnapshotNodes):
        (JSC::Heap::collectImpl):
        After every collection, sweep dead cells from in memory snapshots.

        * runtime/VM.cpp:
        (JSC::VM::ensureHeapProfiler):
        * runtime/VM.h:
        (JSC::VM::heapProfiler):
        * heap/Heap.h:
        * heap/HeapProfiler.cpp: Added.
        (JSC::HeapProfiler::HeapProfiler):
        (JSC::HeapProfiler::~HeapProfiler):
        (JSC::HeapProfiler::mostRecentSnapshot):
        (JSC::HeapProfiler::appendSnapshot):
        (JSC::HeapProfiler::clearSnapshots):
        (JSC::HeapProfiler::setActiveSnapshotBuilder):
        * heap/HeapProfiler.h: Added.
        (JSC::HeapProfiler::vm):
        (JSC::HeapProfiler::activeSnapshotBuilder):
        VM and Heap can look at the profiler to determine if we are building a
        snapshot, or the "head" snapshot to use for sweeping.

        * heap/HeapSnapshot.cpp: Added.
        (JSC::HeapSnapshot::HeapSnapshot):
        (JSC::HeapSnapshot::~HeapSnapshot):
        (JSC::HeapSnapshot::appendNode):
        Add a node to the unfinalized list of new cells.

        (JSC::HeapSnapshot::sweepCell):
        (JSC::HeapSnapshot::shrinkToFit):
        Collect a list of cells for sweeping and then remove them all at once
        in shrinkToFit. This is done to avoid thrashing of individual removes
        that could cause many overlapping moves within the Vector.

        (JSC::HeapSnapshot::finalize):
        Sort the list, and also cache the bounding start/stop identifiers.
        No other snapshot can contain an identifier in this range, so it will
        improve lookup of a node from an identifier.

        (JSC::HeapSnapshot::nodeForCell):
        (JSC::HeapSnapshot::nodeForObjectIdentifier):
        Search helpers.

        * heap/HeapSnapshotBuilder.h: Added.
        (JSC::HeapSnapshotNode::HeapSnapshotNode):
        (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
        Node and Edge struct types the builder creates.

        * heap/HeapSnapshotBuilder.cpp: Added.
        (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
        (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
        (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
        (JSC::HeapSnapshotBuilder::buildSnapshot):
        (JSC::HeapSnapshotBuilder::appendNode):
        (JSC::HeapSnapshotBuilder::appendEdge):
        When building the snapshot, generating the next identifier, and
        appending to any of the lists must be guarded by a lock because
        SlotVisitors running in parallel may be accessing the builder.

        (JSC::HeapSnapshotBuilder::hasExistingNodeForCell):
        Looking up if a node already exists in a previous snapshot can be
        done without a lock because at this point the data is readonly.

        (JSC::edgeTypeToNumber):
        (JSC::edgeTypeToString):
        (JSC::HeapSnapshotBuilder::json):
        JSON serialization of a heap snapshot contains node and edge data.

        * heap/SlotVisitor.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        Set/clear the active snapshot builder to know if this will be a
        snapshotting GC or not.

        (JSC::SlotVisitor::append):
        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
        Inform the builder of a new node or edge.

        (JSC::SlotVisitor::visitChildren):
        Remember the current cell we are visiting so that if we need to
        inform the builder of edges we know the "from" cell.

        * jsc.cpp:
        (SimpleObject::SimpleObject):
        (SimpleObject::create):
        (SimpleObject::finishCreation):
        (SimpleObject::visitChildren):
        (SimpleObject::createStructure):
        (SimpleObject::hiddenValue):
        (SimpleObject::setHiddenValue):
        Create a new class "SimpleObject" that can be used by heap snapshotting
        tests. It is easy to filter for this new class name and test internal
        edge relationships created by garbage collection visiting the cell.

        (functionCreateSimpleObject):
        (functionGetHiddenValue):
        (functionSetHiddenValue):
        Expose methods to create and interact with a SimpleObject.

        (functionGenerateHeapSnapshot):
        Expose methods to create a heap snapshot. This currently automatically
        turns the serialized string into a JSON object. That may change.

        * tests/heapProfiler.yaml: Added.
        * tests/heapProfiler/basic-edges.js: Added.
        (excludeStructure):
        * tests/heapProfiler/basic-nodes.js: Added.
        (hasDifferentSizeNodes):
        (hasAllInternalNodes):
        Add tests for basic node and edge data.

        * tests/heapProfiler/driver/driver.js: Added.
        (assert):
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshotEdge):
        (CheapHeapSnapshotEdge.prototype.get from):
        (CheapHeapSnapshotEdge.prototype.get to):
        (CheapHeapSnapshot):
        (CheapHeapSnapshot.prototype.get nodes):
        (CheapHeapSnapshot.prototype.get edges):
        (CheapHeapSnapshot.prototype.nodeWithIdentifier):
        (CheapHeapSnapshot.prototype.nodesWithClassName):
        (CheapHeapSnapshot.prototype.classNameFromTableIndex):
        (CheapHeapSnapshot.prototype.edgeTypeFromTableIndex):
        (createCheapHeapSnapshot):
        (HeapSnapshotNode):
        (HeapSnapshotEdge):
        (HeapSnapshot):
        (HeapSnapshot.prototype.nodesWithClassName):
        (createHeapSnapshot):
        Add two HeapSnapshot representations.
        CheapHeapSnapshot creates two lists of node and edge data that
        lazily creates objects as needed.
        HeapSnapshot creates an object for each node and edge. This
        is wasteful but easier to use.

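The snapshot structure this entry describes (identifiers handed out in increasing order, nodes sorted by cell address at finalization, a cached identifier range per snapshot, sweeping batched into one compaction, and lookups that walk the chain of previous snapshots), rebuilt as a self-contained toy in C++. This is an added example and not the code from the patch: the names HeapSnapshot, appendNode, finalize, sweepCell, shrinkToFit, nodeForCell and nodeForObjectIdentifier are reused for readability, but their bodies, the buildSnapshot helper standing in for the builder, and the single-threaded scenario with four stack-allocated cells are assumptions of the example (no lock is needed because nothing here runs in parallel).

```cpp
#include <algorithm>
#include <cstddef>
#include <initializer_list>
#include <memory>
#include <vector>

struct Cell { int payload = 0; };                 // stand-in for a JSCell; only its address matters
struct HeapSnapshotNode { Cell* cell; unsigned identifier; };

class HeapSnapshot {
public:
    explicit HeapSnapshot(HeapSnapshot* previous) : m_previous(previous) {}
    HeapSnapshot* previous() const { return m_previous; }
    std::size_t nodeCount() const { return m_nodes.size(); }

    // The builder appends in increasing identifier order, so the range is front..back.
    void appendNode(HeapSnapshotNode node) { m_nodes.push_back(node); }

    // Cache the identifier range (no other snapshot shares it), then sort by cell
    // address so that nodeForCell is a binary search.
    void finalize() {
        if (!m_nodes.empty()) {
            m_firstIdentifier = m_nodes.front().identifier;
            m_lastIdentifier = m_nodes.back().identifier;
        }
        std::sort(m_nodes.begin(), m_nodes.end(),
                  [](const HeapSnapshotNode& a, const HeapSnapshotNode& b) { return a.cell < b.cell; });
    }

    // Dead cells are only recorded; the vector is compacted once in shrinkToFit instead
    // of paying for an overlapping move on every individual erase.
    void sweepCell(Cell* cell) { m_cellsToSweep.push_back(cell); }
    void shrinkToFit() {
        std::sort(m_cellsToSweep.begin(), m_cellsToSweep.end());
        auto isDead = [&](const HeapSnapshotNode& n) {
            return std::binary_search(m_cellsToSweep.begin(), m_cellsToSweep.end(), n.cell);
        };
        m_nodes.erase(std::remove_if(m_nodes.begin(), m_nodes.end(), isDead), m_nodes.end());
        m_cellsToSweep.clear();   // the cached range may now be wider than the survivors; that
    }                             // only costs a scan that finds nothing, never a missed node

    const HeapSnapshotNode* nodeForCell(Cell* cell) const {
        auto it = std::lower_bound(m_nodes.begin(), m_nodes.end(), cell,
                                   [](const HeapSnapshotNode& n, Cell* c) { return n.cell < c; });
        return (it != m_nodes.end() && it->cell == cell) ? &*it : nullptr;
    }

    // Searches this snapshot and every earlier one; the cached range skips non-matches.
    const HeapSnapshotNode* nodeForObjectIdentifier(unsigned identifier) const {
        for (const HeapSnapshot* s = this; s; s = s->m_previous) {
            if (s->m_nodes.empty() || identifier < s->m_firstIdentifier || identifier > s->m_lastIdentifier)
                continue;
            for (const HeapSnapshotNode& n : s->m_nodes)
                if (n.identifier == identifier) return &n;
        }
        return nullptr;
    }

private:
    HeapSnapshot* m_previous;
    std::vector<HeapSnapshotNode> m_nodes;
    std::vector<Cell*> m_cellsToSweep;
    unsigned m_firstIdentifier = 0, m_lastIdentifier = 0;
};

// Toy builder: a (single-threaded) collector reports each marked cell; a cell that already
// carries an identifier in an earlier, read-only snapshot keeps it and is not added again.
std::unique_ptr<HeapSnapshot> buildSnapshot(HeapSnapshot* previous, std::initializer_list<Cell*> liveCells,
                                            unsigned& nextIdentifier) {
    std::unique_ptr<HeapSnapshot> snapshot(new HeapSnapshot(previous));
    for (Cell* cell : liveCells) {
        bool known = false;
        for (HeapSnapshot* s = previous; s && !known; s = s->previous())
            known = s->nodeForCell(cell) != nullptr;
        if (!known)
            snapshot->appendNode({cell, ++nextIdentifier});
    }
    snapshot->finalize();
    return snapshot;
}

struct ScenarioResult { bool sawAllCells, deadCellSwept, onlyNewCellInSecond, identifierStable; };

// Two snapshots of a tiny heap: b dies and d is allocated between them.
ScenarioResult runScenario() {
    Cell a, b, c, d;
    unsigned nextIdentifier = 0;
    ScenarioResult r{};
    std::unique_ptr<HeapSnapshot> snap1 = buildSnapshot(nullptr, {&a, &b, &c}, nextIdentifier);
    r.sawAllCells = snap1->nodeCount() == 3;
    unsigned idOfA = snap1->nodeForCell(&a)->identifier;

    snap1->sweepCell(&b);                                       // b was collected...
    snap1->shrinkToFit();
    r.deadCellSwept = snap1->nodeCount() == 2 && !snap1->nodeForCell(&b);

    std::unique_ptr<HeapSnapshot> snap2 = buildSnapshot(snap1.get(), {&a, &c, &d}, nextIdentifier);  // ...d is new
    r.onlyNewCellInSecond = snap2->nodeCount() == 1 && snap2->nodeForCell(&d) != nullptr;
    const HeapSnapshotNode* aViaChain = snap2->nodeForObjectIdentifier(idOfA);
    r.identifierStable = aViaChain && aViaChain->cell == &a && !snap2->nodeForCell(&a);
    return r;
}
```

The scenario exercises the property the entry is after: a cell snapshotted once keeps its identifier in later snapshots (the second snapshot holds only the new cell, and the old identifier is still resolvable through the chain), while a collected cell disappears from the snapshot that knew it.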
2016-03-02  Filip Pizlo  <fpizlo@apple.com>

        RegExpPrototype should check for exceptions after calling toString and doing so should not be expensive
        https://bugs.webkit.org/show_bug.cgi?id=154927

        Reviewed by Saam Barati.

        While working on regexp optimizations, I found that RegExpPrototype calls toString(), an
        effectful operation that could do anything, without then checking for hadException().

        So I added a call to hadException().

        But that regressed Octane/regexp by 5%!  That's a lot!  It turns out that
        exec->hadException() is soooper slow. So, I made it cheaper to check for exceptions from
        toString(): there is now a variant called toStringFast() that returns null iff it throws an
        exception.

        This allowed me to add the exception check without regressing perf.

        Note that toString() must retain its old behavior of returning an empty string on exception.
        There is just too much code that relies on that behavior.

        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::isValidCallee):
        (JSC::JSValue::toStringSlowCase):
        (JSC::JSValue::toWTFStringSlowCase):
        * runtime/JSCJSValue.h:
        (JSC::JSValue::asValue):
        * runtime/JSString.h:
        (JSC::JSValue::toString):
        (JSC::JSValue::toStringFast):
        (JSC::JSValue::toWTFString):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):

2016-03-02  Saam barati  <sbarati@apple.com>

        clean up JSObject::isExtensibleInline and JSObject::setPrototypeOfInline, and rename setPrototypeOf to setPrototype
        https://bugs.webkit.org/show_bug.cgi?id=154942

        Reviewed by Benjamin Poulain.

        These don't need to be inlined in the way they are.
        Doing dynamic dispatch is ok performance wise until
        we have evidence stating otherwise.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        * runtime/ClassInfo.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        * runtime/JSCell.cpp:
        (JSC::JSCell::isExtensible):
        (JSC::JSCell::setPrototype):
        (JSC::JSCell::setPrototypeOf): Deleted.
        * runtime/JSCell.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::allowsAccessFrom):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::setPrototypeOf): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::mayInterceptIndexedAccesses):
        (JSC::JSObject::indexingShouldBeSparse):
        (JSC::JSObject::setPrototypeOfInline): Deleted.
        (JSC::JSObject::isExtensibleInline): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):

2016-03-02  Konstantin Tokarev  <annulen@yandex.ru>

        [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
        https://bugs.webkit.org/show_bug.cgi?id=154651

        Reviewed by Alex Christensen.

        * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.

2016-03-02  Saam barati  <sbarati@apple.com>

        [[SetPrototypeOf]] should be a fully virtual method in ClassInfo::methodTable
        https://bugs.webkit.org/show_bug.cgi?id=154897

        Reviewed by Filip Pizlo.

        This patch makes us more consistent with how the ES6 specification models the
        [[SetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable
        is a prerequisite for implementing Proxy.[[SetPrototypeOf]]. This patch
        still allows directly setting the prototype for situations where this
        is the desired behavior. This is equivalent to setting the internal
        [[Prototype]] field as described in the specification.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        * API/JSWrapperMap.mm:
        (makeWrapper):
        * runtime/ClassInfo.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        * runtime/JSCell.cpp:
        (JSC::JSCell::isExtensible):
        (JSC::JSCell::setPrototypeOf):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resetPrototype):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::setPrototypeOf):
        (JSC::JSObject::allowsAccessFrom):
        (JSC::JSObject::setPrototype): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::setPrototypeOfInline):
        (JSC::JSObject::mayInterceptIndexedAccesses):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectSetPrototypeOf):

2016-03-02  Saam barati  <sbarati@apple.com>

        SIGSEGV in Proxy [[Get]] and [[Set]] recursion
        https://bugs.webkit.org/show_bug.cgi?id=154854

        Reviewed by Yusuke Suzuki.

        We need to be aware of the possibility that the VM
        may recurse and that we can stack overflow.

        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performPut):
        * tests/stress/proxy-get-and-set-recursion-stack-overflow.js: Added.
        (assert):
        (testStackOverflowGet):
        (testStackOverflowIndexedGet):
        (testStackOverflowSet):
        (testStackOverflowIndexedSet):

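An added example, not code from the patch, of the kind of check the entry above is about: a toy Proxy whose [[Get]] trap calls [[Get]] on the same proxy again, with a stack-limit guard that turns the unbounded recursion into a catchable error where an unchecked engine would run off the native stack. StackGuard, ProxyObject, the 128 KB budget and the depth counters are assumptions of the example; the guard compares the address of a local variable with a limit computed from the frame that created it, and so assumes a downward-growing native stack (true on x86-64 and arm64).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <stdexcept>
#include <string>

// Thrown instead of letting the native stack overflow into a SIGSEGV.
struct StackOverflowError : std::runtime_error {
    StackOverflowError() : std::runtime_error("Maximum call stack size exceeded") {}
};

// Toy stack guard (assumption: the native stack grows downward). The limit is taken
// relative to the frame that created the guard, with a budget well below the platform's
// default stack size so that this check fires before the operating system does.
class StackGuard {
public:
    explicit StackGuard(std::size_t budgetBytes) {
        char marker;
        m_limit = reinterpret_cast<std::uintptr_t>(&marker) - budgetBytes;
    }
    bool isSafeToRecurse() const {
        char marker;                       // lives in the caller's frame once inlined
        return reinterpret_cast<std::uintptr_t>(&marker) > m_limit;
    }
private:
    std::uintptr_t m_limit;
};

// Toy Proxy: [[Get]] defers to a user-supplied trap, which may itself call [[Get]].
struct ProxyObject {
    std::function<int(ProxyObject&, const std::string&)> getTrap;
    int depth = 0;      // current nesting of [[Get]]
    int maxDepth = 0;   // deepest nesting reached

    int get(const StackGuard& guard, const std::string& key) {
        if (!guard.isSafeToRecurse())      // the check the entry adds, before re-entering
            throw StackOverflowError();
        ++depth;
        if (depth > maxDepth) maxDepth = depth;
        int value = getTrap(*this, key);
        --depth;                           // work after the call keeps this frame real
        return value;
    }
};

// A trap that recurses without bound. Returns how deep it got before the guard fired,
// or -1 if the guard let it through (a real engine would have crashed instead).
int depthReachedByRecursiveTrap() {
    StackGuard guard(128 * 1024);
    ProxyObject proxy;
    proxy.getTrap = [&guard](ProxyObject& p, const std::string& key) {
        int value = p.get(guard, key);     // handler re-enters [[Get]] on the same proxy
        return value + 1;                  // post-call work, again to defeat tail calls
    };
    try {
        proxy.get(guard, "x");
        return -1;
    } catch (const StackOverflowError&) {
        return proxy.maxDepth;
    }
}

// A well-behaved trap for contrast: the guard is invisible to ordinary code.
int valueFromPlainTrap() {
    StackGuard guard(128 * 1024);
    ProxyObject proxy;
    proxy.getTrap = [](ProxyObject&, const std::string& key) { return key == "x" ? 42 : 0; };
    return proxy.get(guard, "x");
}

int main() {
    std::printf("plain trap returned %d\n", valueFromPlainTrap());
    std::printf("recursive trap stopped at depth %d\n", depthReachedByRecursiveTrap());
    return 0;
}
```

The exact depth reached depends on frame sizes and optimization level; what matters is that the recursion ends in a thrown error with the proxy's bookkeeping intact rather than in a signal.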
2016-03-02  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Use a Move without REX byte when possible
        https://bugs.webkit.org/show_bug.cgi?id=154801

        Reviewed by Alex Christensen.

        Filip wrote an optimization in the register allocator
        to use 32bit "Move" when we don't care about the top bytes.

        When I moved the commutative ops to the fake 3 operands instruction
        I largely destroyed this since all the "Moves" became full register.

        In this patch, I switch back to 32bit "Moves" for 32bit operations.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and32):
        (JSC::MacroAssemblerX86Common::lshift32):
        (JSC::MacroAssemblerX86Common::mul32):
        (JSC::MacroAssemblerX86Common::or32):
        (JSC::MacroAssemblerX86Common::rshift32):
        (JSC::MacroAssemblerX86Common::urshift32):
        (JSC::MacroAssemblerX86Common::xor32):
        (JSC::MacroAssemblerX86Common::branchAdd32):
        (JSC::MacroAssemblerX86Common::branchMul32):
        (JSC::MacroAssemblerX86Common::branchSub32):
        (JSC::MacroAssemblerX86Common::move32IfNeeded):

2016-03-01  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Simplify ArithMod(ArithMod(x, const1), const2) if const2 >= const1
        https://bugs.webkit.org/show_bug.cgi?id=154904

        Reviewed by Saam Barati.

        The ASM test "ubench" has a "x % 10 % 255".
        The second modulo should be eliminated.

        This is a 15% improvement on ASMJS' ubench.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * tests/stress/arith-modulo-twice.js: Added.
        (opaqueModuloSmaller):
        (opaqueModuloEqual):
        (opaqueModuloLarger):
        (opaqueModuloSmallerNeg):
        (opaqueModuloEqualNeg):
        (opaqueModuloLargerNeg):
        (opaqueExpectedOther):

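The identity behind the reduction in the entry above, as an added example that is not the DFG code: JavaScript's integer % keeps the sign of the dividend and a magnitude strictly below the divisor, so the outer modulo in x % c1 % c2 is redundant once |c2| >= |c1|. The block applies the rule to a pair of constants and checks it exhaustively over a range of dividends, negative ones included (the test names above suggest the patch covers negative variants; the sign-agnostic condition used here and all function names are assumptions of the example, as the entry states the rule as const2 >= const1).

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Result of the toy strength reduction: whether ArithMod(ArithMod(x, c1), c2) may be
// rewritten, and the single divisor that remains if so.
struct Reduction { bool applies; int32_t divisor; };

// JavaScript's % on integers truncates toward zero like C++'s, with the sign following
// the dividend, so |x % c1| < |c1| for every x; then (x % c1) % c2 == x % c1 whenever
// |c2| >= |c1|. (Assumption: the sign-agnostic condition.)
Reduction simplifyDoubleModulo(int32_t c1, int32_t c2) {
    if (c1 == 0 || c2 == 0)
        return {false, 0};                 // x % 0 is NaN in JavaScript; leave it to the slow path
    if (c1 == INT32_MIN || c2 == INT32_MIN)
        return {false, 0};                 // std::abs would overflow; not worth a special case
    if (std::abs(c2) >= std::abs(c1))
        return {true, c1};
    return {false, 0};
}

// Reference semantics: both modulos evaluated, in 64-bit to dodge INT32_MIN % -1.
int64_t doubleModulo(int64_t x, int64_t c1, int64_t c2) { return (x % c1) % c2; }

// Checks every dividend in [lo, hi]: the reduced form must agree with the reference.
// When the rule declines to fire, the reference is compared with itself, i.e. nothing is
// rewritten and nothing can go wrong, which mirrors a compiler leaving the node alone.
bool rewriteIsSound(int32_t c1, int32_t c2, int32_t lo, int32_t hi) {
    Reduction reduction = simplifyDoubleModulo(c1, c2);
    for (int64_t x = lo; x <= hi; ++x) {
        int64_t reference = doubleModulo(x, c1, c2);
        int64_t reduced = reduction.applies ? x % reduction.divisor : reference;
        if (reduced != reference)
            return false;
    }
    return true;
}

// The other direction: finds the first dividend for which dropping the outer modulo
// would be wrong. One exists whenever |c2| < |c1|, which is why the rule must not fire.
bool firstCounterexample(int32_t c1, int32_t c2, int32_t lo, int32_t hi, int32_t& out) {
    for (int64_t x = lo; x <= hi; ++x) {
        if (doubleModulo(x, c1, c2) != x % c1) {
            out = static_cast<int32_t>(x);
            return true;
        }
    }
    return false;
}

int main() {
    Reduction r = simplifyDoubleModulo(10, 255);
    std::printf("x %% 10 %% 255 -> %s\n", r.applies ? "x % 10" : "unchanged");
    std::printf("sound over [-1000, 1000]: %s\n", rewriteIsSound(10, 255, -1000, 1000) ? "yes" : "no");
    int32_t bad = 0;
    if (firstCounterexample(255, 10, 0, 1000, bad))
        std::printf("x %% 255 %% 10 differs from x %% 255 first at x = %d\n", bad);
    return 0;
}
```

The exhaustive loop is the kind of check worth keeping next to any algebraic rewrite in a JIT: the rule is short, but the sign conventions of % are exactly where an off-by-one in the condition would silently change program results.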
2016-03-01  Ryosuke Niwa  <rniwa@webkit.org>

        Unreviewed. Update the status of Proxy objects to "In Development".

        * features.json:

2016-03-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r197226 and r197256.
        https://bugs.webkit.org/show_bug.cgi?id=154910

        Caused crashes on Mac 32-bit and on ARM (Requested by ap on
        #webkit).

        Reverted changesets:

        "Remove the on demand executable allocator"
        https://bugs.webkit.org/show_bug.cgi?id=154749
        http://trac.webkit.org/changeset/197226

        "CLoop build fix."
        http://trac.webkit.org/changeset/197256

2016-03-01  Joseph Pecoraro  <pecoraro@apple.com>

        Simplify some StringBuilder appends
        https://bugs.webkit.org/show_bug.cgi?id=154902

        Reviewed by Mark Lam.

        * runtime/ExceptionHelpers.cpp:
        (JSC::notAFunctionSourceAppender):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        Use StringBuilder::append(char) instead of append(char*) where possible.

2016-03-01  Keith Miller  <keith_miller@apple.com>

        Promise.prototype.then should use Symbol.species to construct the return Promise
        https://bugs.webkit.org/show_bug.cgi?id=154862

        Reviewed by Saam Barati.

        * builtins/PromisePrototype.js:
        * tests/stress/promise-species-functions.js: Added.
        (Symbol.species):
        (id):
        (funcThrows):
        (makeC):
        (test.species):
        (test.speciesThrows):
        (test):

2016-03-01  Michael Saboff  <msaboff@apple.com>

        [ES6] Add support for Unicode regular expressions
        https://bugs.webkit.org/show_bug.cgi?id=154842

        Reviewed by Filip Pizlo.

        Added processing of Unicode regular expressions to the Yarr interpreter.

        Changed parsing of regular expression patterns and PatternTerms to process characters as
        UChar32 in the Yarr code.  The parser converts matched surrogate pairs into the appropriate
        Unicode character when the expression is parsed.  When matching a unicode expression and
        reading source characters, we convert proper surrogate pair into a Unicode character and
        advance the source cursor, "pos", one more position.  The exception to this is when we
        know when generating a fixed character atom that we need to match a unicode character
        that doesn't fit in 16 bits.  The code calls this an extendedUnicodeCharacter and has a
        helper to determine this.

        Added 'u' flag and 'unicode' identifier to regular expression classes.  Added an "isUnicode"
        parameter to YarrPattern pattern() and internal users of that function.

        Updated the generation of the canonicalization tables to include a new set of tables that
        follow the ES 6.0, 21.2.2.8.2 Step 2.  Renamed the YarrCanonicalizeUCS2.* files to
        YarrCanonicalizeUnicode.*.

        Added a new Layout/js test that tests the added functionality.  Updated other tests that
        have minor es6 unicode checks and look for valid flags.

        Ran the ChakraCore Unicode regular expression tests as well.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):
        * yarr/RegularExpression.cpp:
        (JSC::Yarr::RegularExpression::Private::compile):
        Updated use of pattern().

        * runtime/CommonIdentifiers.h:
        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        (JSC::RegExpFunctionalTestCollector::outputOneTest):
        (JSC::RegExp::finishCreation):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExp.h:
        * runtime/RegExpKey.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        (JSC::flagsString):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterFlags):
        Updated for new 'y' (unicode) flag.  Add check to use the interpreter for unicode regular expressions.

        * tests/es6.yaml:
        * tests/stress/static-getter-in-names.js:
        Updated tests for new flag and for passing the minimal es6 regular expression processing.

        * yarr/Yarr.h: Updated the size of information now kept for backtracking.

        * yarr/YarrCanonicalizeUCS2.cpp: Removed.
        * yarr/YarrCanonicalizeUCS2.h: Removed.
        * yarr/YarrCanonicalizeUCS2.js: Removed.
        * yarr/YarrCanonicalizeUnicode.cpp: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.cpp.
        * yarr/YarrCanonicalizeUnicode.h: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.h.
        (JSC::Yarr::canonicalCharacterSetInfo):
        (JSC::Yarr::canonicalRangeInfoFor):
        (JSC::Yarr::getCanonicalPair):
        (JSC::Yarr::isCanonicallyUnique):
        (JSC::Yarr::areCanonicallyEquivalent):
        (JSC::Yarr::rangeInfoFor): Deleted.
        * yarr/YarrCanonicalizeUnicode.js: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.js.
        (printHeader):
        (printFooter):
        (hex):
        (canonicalize):
        (canonicalizeUnicode):
        (createUCS2CanonicalGroups):
        (createUnicodeCanonicalGroups):
        (cu.in.groupedCanonically.characters.sort): Deleted.
        (cu.in.groupedCanonically.else): Deleted.
        Refactored to output two sets of tables, one for UCS2 and one for Unicode.  The UCS2 tables follow
        the legacy canonicalization rules now specified in ES 6.0, 21.2.2.8.2 Step 3.  The new Unicode
        tables follow the rules specified in ES 6.0, 21.2.2.8.2 Step 2.  Eliminated the unused Latin1 tables.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::InputStream::InputStream):
        (JSC::Yarr::Interpreter::InputStream::readChecked):
        (JSC::Yarr::Interpreter::InputStream::readSurrogatePairChecked):
        (JSC::Yarr::Interpreter::InputStream::reread):
        (JSC::Yarr::Interpreter::InputStream::prev):
        (JSC::Yarr::Interpreter::testCharacterClass):
        (JSC::Yarr::Interpreter::checkCharacter):
        (JSC::Yarr::Interpreter::checkSurrogatePair):
        (JSC::Yarr::Interpreter::checkCasedCharacter):
        (JSC::Yarr::Interpreter::tryConsumeBackReference):
        (JSC::Yarr::Interpreter::backtrackPatternCharacter):
        (JSC::Yarr::Interpreter::matchCharacterClass):
        (JSC::Yarr::Interpreter::backtrackCharacterClass):
        (JSC::Yarr::Interpreter::matchParenthesesTerminalEnd):
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::ByteCompiler::assertionWordBoundary):
        (JSC::Yarr::ByteCompiler::atomPatternCharacter):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteTerm::ByteTerm):
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::optimizeAlternative):
        (JSC::Yarr::YarrGenerator::matchCharacterClassRange):
        (JSC::Yarr::YarrGenerator::matchCharacterClass):
        (JSC::Yarr::YarrGenerator::notAtEndOfInput):
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
        (JSC::Yarr::Parser::Parser):
        (JSC::Yarr::Parser::parseEscape):
        (JSC::Yarr::Parser::consumePossibleSurrogatePair):
        (JSC::Yarr::Parser::parseCharacterClass):
        (JSC::Yarr::Parser::parseTokens):
        (JSC::Yarr::Parser::parse):
        (JSC::Yarr::Parser::atEndOfPattern):
        (JSC::Yarr::Parser::patternRemaining):
        (JSC::Yarr::Parser::peek):
        (JSC::Yarr::parse):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
        (JSC::Yarr::CharacterClassConstructor::append):
        (JSC::Yarr::CharacterClassConstructor::putChar):
        (JSC::Yarr::CharacterClassConstructor::putUnicodeIgnoreCase):
        (JSC::Yarr::CharacterClassConstructor::putRange):
        (JSC::Yarr::CharacterClassConstructor::charClass):
        (JSC::Yarr::CharacterClassConstructor::addSorted):
        (JSC::Yarr::CharacterClassConstructor::addSortedRange):
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::assertionWordBoundary):
        (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
        (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBegin):
        (JSC::Yarr::YarrPatternConstructor::atomCharacterClassAtom):
        (JSC::Yarr::YarrPatternConstructor::atomCharacterClassRange):
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::CharacterRange::CharacterRange):
        (JSC::Yarr::CharacterClass::CharacterClass):
        (JSC::Yarr::PatternTerm::PatternTerm):
        (JSC::Yarr::YarrPattern::reset):
        * yarr/YarrSyntaxChecker.cpp:
        (JSC::Yarr::SyntaxChecker::assertionBOL):
        (JSC::Yarr::SyntaxChecker::assertionEOL):
        (JSC::Yarr::SyntaxChecker::assertionWordBoundary):
717         (JSC::Yarr::SyntaxChecker::atomPatternCharacter):
718         (JSC::Yarr::SyntaxChecker::atomBuiltInCharacterClass):
719         (JSC::Yarr::SyntaxChecker::atomCharacterClassBegin):
720         (JSC::Yarr::SyntaxChecker::atomCharacterClassAtom):
721         (JSC::Yarr::checkSyntax):
722
723 2016-03-01  Saam barati  <sbarati@apple.com>
724
725         Remove FIXMEs and add valid test cases after necessary patch has landed.
726
727         Rubber stamped by Mark Lam.
728
729         * tests/stress/proxy-prevent-extensions.js:
730         (assert.Object.isSealed):
731         (assert):
732
733 2016-03-01  Saam barati  <sbarati@apple.com>
734
735         [ES6] Implement Proxy.[[IsExtensible]]
736         https://bugs.webkit.org/show_bug.cgi?id=154872
737
738         Reviewed by Oliver Hunt.
739
740         This patch is a direct implementation of Proxy.[[IsExtensible]] with respect to section 9.5.3
741         of the ECMAScript 6 spec.
742         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-isextensible
743
744         * runtime/ProxyObject.cpp:
745         (JSC::ProxyObject::preventExtensions):
746         (JSC::ProxyObject::performIsExtensible):
747         (JSC::ProxyObject::isExtensible):
748         (JSC::ProxyObject::visitChildren):
749         * runtime/ProxyObject.h:
750         * tests/es6.yaml:
751         * tests/stress/proxy-is-extensible.js: Added.
752         (assert):
753         (throw.new.Error.let.handler.get isExtensible):
754         (throw.new.Error):
755         (assert.let.handler.isExtensible):
756         (assert.):
757         (let.handler.isExtensible):
758
759 2016-03-01  Saam barati  <sbarati@apple.com>
760
761         [ES6] Implement Proxy.[[PreventExtensions]]
762         https://bugs.webkit.org/show_bug.cgi?id=154873
763
764         Reviewed by Oliver Hunt.
765
766         This patch is a direct implementation of Proxy.[[PreventExtensions]] with respect to section 9.5.4
767         of the ECMAScript 6 spec.
768         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-preventextensions
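
        Added example for this entry and the Proxy.[[IsExtensible]] entry above; it is not part of this
        ChangeLog or of JSC's sources. It exercises the observable contract of sections 9.5.3 and 9.5.4:
        the trap's answer must agree with the target's real extensibility, otherwise the engine must throw
        a TypeError. The helper names and sample handlers are the example's own.

```javascript
// Added example, not JSC code: the observable contract of Proxy.[[IsExtensible]]
// (ES6 9.5.3) and Proxy.[[PreventExtensions]] (ES6 9.5.4). Helper names and the
// sample handlers are this example's own.

// 9.5.3: the isExtensible trap may not disagree with the target. When it does,
// the engine must throw a TypeError instead of returning the trap's answer.
function proxyIsExtensible(targetExtensible, trapAnswer) {
  const target = {};
  if (!targetExtensible) Object.preventExtensions(target);
  const proxy = new Proxy(target, { isExtensible: () => trapAnswer });
  try {
    return Object.isExtensible(proxy); // always equals Object.isExtensible(target)
  } catch (e) {
    if (e instanceof TypeError) return "TypeError";
    throw e;
  }
}

// 9.5.4: a preventExtensions trap may report success (true) only if the target
// really is non-extensible afterwards; lying about it is a TypeError. Reporting
// failure (false) is allowed and is simply passed through by Reflect.
// `trap` may be undefined, which means "no trap, forward to the target".
function proxyPreventExtensions(trap) {
  const target = {};
  const proxy = new Proxy(target, { preventExtensions: trap });
  let result;
  try {
    result = Reflect.preventExtensions(proxy);
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
    result = "TypeError";
  }
  return { result, targetExtensible: Object.isExtensible(target) };
}

// Honest trap: makes the target non-extensible, then reports success.
const honestTrap = (target) => { Object.preventExtensions(target); return true; };
// Lying trap: reports success but leaves the target extensible.
const lyingTrap = () => true;
// Refusing trap: reports failure without touching the target.
const refusingTrap = () => false;
```

        Note that Reflect.preventExtensions returns the trap's false, whereas Object.preventExtensions
        would turn the same false into a TypeError; the invariant check itself is the same in both paths.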
769
770         * runtime/ProxyObject.cpp:
771         (JSC::ProxyObject::deletePropertyByIndex):
772         (JSC::ProxyObject::performPreventExtensions):
773         (JSC::ProxyObject::preventExtensions):
774         (JSC::ProxyObject::visitChildren):
775         * runtime/ProxyObject.h:
776         * tests/es6.yaml:
777         * tests/stress/proxy-prevent-extensions.js: Added.
778         (assert):
779         (throw.new.Error.let.handler.get preventExtensions):
780         (throw.new.Error):
781         (assert.let.handler.preventExtensions):
782         (assert.):
783         (let.handler.preventExtensions):
784         (assert.Object.isSealed.let.handler.preventExtensions):
785         (assert.Object.isSealed):
786
787 2016-03-01  Filip Pizlo  <fpizlo@apple.com>
788
789         FTL should simplify StringReplace with an empty replacement string
790         https://bugs.webkit.org/show_bug.cgi?id=154871
791
792         Reviewed by Michael Saboff.
793
794         This is a simple and hugely profitable change. If we do a string.replace(/things/, ""), then
795         this calls directly into StringPrototype's replace-with-empty-string logic instead of going
796         through stuff that does checks before reaching that same conclusion.
797
798         This speeds up Octane/regexp by about 6-10%. It also speeds up the attached microbenchmark by
799         about 7%.
800
801         * ftl/FTLLowerDFGToB3.cpp:
802         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
803         * runtime/StringPrototype.cpp:
804         (JSC::jsSpliceSubstringsWithSeparators):
805         (JSC::removeUsingRegExpSearch):
806         (JSC::replaceUsingRegExpSearch):
807         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
808         (JSC::operationStringProtoFuncReplaceRegExpString):
809         * runtime/StringPrototype.h:
810
811 2016-03-01  Alex Christensen  <achristensen@webkit.org>
812
813         Reduce size of internal windows build output
814         https://bugs.webkit.org/show_bug.cgi?id=154763
815
816         Reviewed by Brent Fulgham.
817
818         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
819
820 2016-03-01  Saam barati  <sbarati@apple.com>
821
822         [[IsExtensible]] should be a virtual method in the method table
823         https://bugs.webkit.org/show_bug.cgi?id=154799
824
825         Reviewed by Mark Lam.
826
827         This patch makes us more consistent with how the ES6 specification models the
828         [[IsExtensible]] trap. Moving this method into ClassInfo::methodTable 
829         is a prerequisite for implementing Proxy.[[IsExtensible]].
830
831         * runtime/ClassInfo.h:
832         * runtime/JSCell.cpp:
833         (JSC::JSCell::preventExtensions):
834         (JSC::JSCell::isExtensible):
835         * runtime/JSCell.h:
836         * runtime/JSGlobalObjectFunctions.cpp:
837         (JSC::globalFuncProtoSetter):
838         * runtime/JSObject.cpp:
839         (JSC::JSObject::preventExtensions):
840         (JSC::JSObject::isExtensible):
841         (JSC::JSObject::reifyAllStaticProperties):
842         (JSC::JSObject::defineOwnIndexedProperty):
843         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
844         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
845         (JSC::JSObject::defineOwnNonIndexProperty):
846         (JSC::JSObject::defineOwnProperty):
847         * runtime/JSObject.h:
848         (JSC::JSObject::isSealed):
849         (JSC::JSObject::isFrozen):
850         (JSC::JSObject::isExtensibleImpl):
851         (JSC::JSObject::isStructureExtensible):
852         (JSC::JSObject::isExtensibleInline):
853         (JSC::JSObject::indexingShouldBeSparse):
854         (JSC::JSObject::putDirectInternal):
855         (JSC::JSObject::isExtensible): Deleted.
856         * runtime/ObjectConstructor.cpp:
857         (JSC::objectConstructorSetPrototypeOf):
858         (JSC::objectConstructorIsSealed):
859         (JSC::objectConstructorIsFrozen):
860         (JSC::objectConstructorIsExtensible):
861         (JSC::objectConstructorIs):
862         * runtime/ProxyObject.cpp:
863         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
864         (JSC::ProxyObject::performHasProperty):
865         * runtime/ReflectObject.cpp:
866         (JSC::reflectObjectIsExtensible):
867         (JSC::reflectObjectSetPrototypeOf):
868         * runtime/SparseArrayValueMap.cpp:
869         (JSC::SparseArrayValueMap::putEntry):
870         (JSC::SparseArrayValueMap::putDirect):
871         * runtime/StringObject.cpp:
872         (JSC::StringObject::defineOwnProperty):
873         * runtime/Structure.cpp:
874         (JSC::Structure::isSealed):
875         (JSC::Structure::isFrozen):
876         * runtime/Structure.h:
877
878 2016-03-01  Filip Pizlo  <fpizlo@apple.com>
879
880         Unreviewed, fix CLOOP build.
881
882         * jit/JITOperations.h:
883
884 2016-03-01  Skachkov Oleksandr  <gskachkov@gmail.com>
885
886         [ES6] Arrow function. Some not used byte code is emited
887         https://bugs.webkit.org/show_bug.cgi?id=154639
888
889         Reviewed by Saam Barati.
890
        Currently the bytecode generated for an arrow function is not optimal.
        This fix removes the following unnecessary bytecode:
        1. create_lexical_environment is not always emitted for an arrow function, only if one of the
        features (this/super/arguments/eval) is used inside the arrow function.
        2. Loading 'this' from the arrow function scope in a constructor is done only if super
        is used in the arrow function.
897
898         * bytecompiler/BytecodeGenerator.cpp:
899         (JSC::BytecodeGenerator::BytecodeGenerator):
900         (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
901         * bytecompiler/BytecodeGenerator.h:
902         * bytecompiler/NodesCodegen.cpp:
903         (JSC::ThisNode::emitBytecode):
904         (JSC::FunctionNode::emitBytecode):
905         * parser/Nodes.h:
906         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseAnyFeature):
907         * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
908
909 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
910
911         Turn String.prototype.replace into an intrinsic
912         https://bugs.webkit.org/show_bug.cgi?id=154835
913
914         Reviewed by Michael Saboff.
915
916         Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
917         of checks to see if the parameters are what they are likely to often be (a string, a
918         regexp, and a string). The intuition of this patch is that it's good to remove those checks
919         and it's good to call the native function as directly as possible.
920
921         This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
922         It also improves Octane/jquery.
923
924         This is only the beginning of what I want to do with replace optimizations. The other
925         optimizations will rely on StringReplace being revealed as a construct in DFG IR.
926
927         * JavaScriptCore.xcodeproj/project.pbxproj:
928         * bytecode/SpeculatedType.cpp:
929         (JSC::dumpSpeculation):
930         (JSC::speculationToAbbreviatedString):
931         (JSC::speculationFromClassInfo):
932         * bytecode/SpeculatedType.h:
933         (JSC::isStringOrStringObjectSpeculation):
934         (JSC::isRegExpObjectSpeculation):
935         (JSC::isBoolInt32Speculation):
936         * dfg/DFGAbstractInterpreterInlines.h:
937         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
938         * dfg/DFGByteCodeParser.cpp:
939         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
940         * dfg/DFGClobberize.h:
941         (JSC::DFG::clobberize):
942         * dfg/DFGDoesGC.cpp:
943         (JSC::DFG::doesGC):
944         * dfg/DFGFixupPhase.cpp:
945         (JSC::DFG::FixupPhase::fixupNode):
946         * dfg/DFGNode.h:
947         (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
948         (JSC::DFG::Node::shouldSpeculateRegExpObject):
949         (JSC::DFG::Node::shouldSpeculateSymbol):
950         * dfg/DFGNodeType.h:
951         * dfg/DFGPredictionPropagationPhase.cpp:
952         (JSC::DFG::PredictionPropagationPhase::propagate):
953         * dfg/DFGSafeToExecute.h:
954         (JSC::DFG::SafeToExecuteEdge::operator()):
955         (JSC::DFG::safeToExecute):
956         * dfg/DFGSpeculativeJIT.cpp:
957         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
958         (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
959         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
960         (JSC::DFG::SpeculativeJIT::speculate):
961         * dfg/DFGSpeculativeJIT.h:
962         * dfg/DFGSpeculativeJIT32_64.cpp:
963         (JSC::DFG::SpeculativeJIT::compile):
964         * dfg/DFGSpeculativeJIT64.cpp:
965         (JSC::DFG::SpeculativeJIT::compile):
966         * dfg/DFGUseKind.cpp:
967         (WTF::printInternal):
968         * dfg/DFGUseKind.h:
969         (JSC::DFG::typeFilterFor):
970         (JSC::DFG::isCell):
971         * ftl/FTLCapabilities.cpp:
972         (JSC::FTL::canCompile):
973         * ftl/FTLLowerDFGToB3.cpp:
974         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
975         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
976         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
977         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
978         (JSC::FTL::DFG::LowerDFGToB3::speculate):
979         (JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
980         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
981         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
982         * jit/JITOperations.h:
983         * runtime/Intrinsic.h:
984         * runtime/JSType.h:
985         * runtime/RegExpObject.h:
986         (JSC::RegExpObject::createStructure):
987         * runtime/StringPrototype.cpp:
988         (JSC::StringPrototype::finishCreation):
989         (JSC::removeUsingRegExpSearch):
990         (JSC::replaceUsingRegExpSearch):
991         (JSC::operationStringProtoFuncReplaceRegExpString):
992         (JSC::replaceUsingStringSearch):
993         (JSC::stringProtoFuncRepeat):
994         (JSC::replace):
995         (JSC::stringProtoFuncReplace):
996         (JSC::operationStringProtoFuncReplaceGeneric):
997         (JSC::stringProtoFuncToString):
998         * runtime/StringPrototype.h:
999
1000 2016-03-01  Commit Queue  <commit-queue@webkit.org>
1001
1002         Unreviewed, rolling out r197056.
1003         https://bugs.webkit.org/show_bug.cgi?id=154870
1004
1005         broke win ews (Requested by alexchristensen on #webkit).
1006
1007         Reverted changeset:
1008
1009         "[cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK."
1010         https://bugs.webkit.org/show_bug.cgi?id=154651
1011         http://trac.webkit.org/changeset/197056
1012
1013 2016-02-29  Saam barati  <sbarati@apple.com>
1014
1015         [[PreventExtensions]] should be a virtual method in the method table.
1016         https://bugs.webkit.org/show_bug.cgi?id=154800
1017
1018         Reviewed by Yusuke Suzuki.
1019
1020         This patch makes us more consistent with how the ES6 specification models the
1021         [[PreventExtensions]] trap. Moving this method into ClassInfo::methodTable 
1022         is a prerequisite for implementing Proxy.[[PreventExtensions]].
1023
1024         * runtime/ClassInfo.h:
1025         * runtime/JSCell.cpp:
1026         (JSC::JSCell::getGenericPropertyNames):
1027         (JSC::JSCell::preventExtensions):
1028         * runtime/JSCell.h:
1029         * runtime/JSModuleNamespaceObject.cpp:
1030         (JSC::JSModuleNamespaceObject::JSModuleNamespaceObject):
1031         (JSC::JSModuleNamespaceObject::finishCreation):
1032         (JSC::JSModuleNamespaceObject::destroy):
1033         * runtime/JSModuleNamespaceObject.h:
1034         (JSC::JSModuleNamespaceObject::create):
1035         (JSC::JSModuleNamespaceObject::moduleRecord):
1036         * runtime/JSObject.cpp:
1037         (JSC::JSObject::freeze):
1038         (JSC::JSObject::preventExtensions):
1039         (JSC::JSObject::reifyAllStaticProperties):
1040         * runtime/JSObject.h:
1041         (JSC::JSObject::isSealed):
1042         (JSC::JSObject::isFrozen):
1043         (JSC::JSObject::isExtensible):
1044         * runtime/ObjectConstructor.cpp:
1045         (JSC::objectConstructorSeal):
1046         (JSC::objectConstructorFreeze):
1047         (JSC::objectConstructorPreventExtensions):
1048         (JSC::objectConstructorIsSealed):
1049         * runtime/ReflectObject.cpp:
1050         (JSC::reflectObjectPreventExtensions):
1051         * runtime/Structure.cpp:
1052         (JSC::Structure::Structure):
1053         (JSC::Structure::preventExtensionsTransition):
1054         * runtime/Structure.h:
1055
1056 2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1057
1058         [JSC] Private symbols should not be trapped by proxy handler
1059         https://bugs.webkit.org/show_bug.cgi?id=154817
1060
1061         Reviewed by Mark Lam.
1062
1063         Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
1064         For example, in ArrayIteratorPrototype.js
1065
1066             var itemKind = this.@arrayIterationKind;
1067             if (itemKind === @undefined)
1068                 throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");
1069
        Here, we assume that only the array iterator has the @arrayIterationKind property with a non-undefined value.
        But if we implement a Proxy with a get handler that returns a non-undefined value for every operation, we accidentally assume that the given value is an array iterator.

        To avoid this situation, we perform the default operations for property operations with private symbols.
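
        Added example, not part of this ChangeLog or of JSC's sources: it shows from user code why a
        lookup that carries engine-internal state must not go through a Proxy handler. An ordinary
        symbol stands in for the private symbol @arrayIterationKind, since user code cannot create
        private symbols; the function names are the example's own.

```javascript
// Added example, not JSC code: why property lookups that carry engine-internal
// state must bypass Proxy traps. `kindKey` is an ordinary symbol standing in for
// the private symbol @arrayIterationKind; user code cannot create private symbols.
const ArrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());
const kindKey = Symbol("arrayIterationKind");

// A handler that answers every get with a non-undefined value, the case the
// entry above describes.
function makeLyingProxy() {
  return new Proxy({}, { get: () => 1 });
}

// Model of the check in ArrayIteratorPrototype.js when the lookup is allowed to
// go through the handler: the proxy passes as an array iterator, which is wrong.
function trappedCheck(receiver) {
  const itemKind = receiver[kindKey];
  return itemKind !== undefined;
}

// The engine's real check, observable from user code: %ArrayIteratorPrototype%.next
// consults the receiver's internal state without asking the handler, so a
// proxy is rejected with a TypeError while a real iterator is accepted.
function engineAcceptsAsArrayIterator(receiver) {
  try {
    ArrayIteratorPrototype.next.call(receiver);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}
```

        The second function behaves the same in any engine that keeps iterator state in internal
        slots; the point of the entry is that JSC stores that state as private-symbol properties,
        so its Proxy code has to give them the same non-trappable treatment.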
1074
1075         * runtime/ProxyObject.cpp:
1076         (JSC::performProxyGet):
1077         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1078         (JSC::ProxyObject::performHasProperty):
1079         (JSC::ProxyObject::performPut):
1080         (JSC::ProxyObject::performDelete):
1081         (JSC::ProxyObject::deleteProperty):
1082         (JSC::ProxyObject::deletePropertyByIndex):
1083         * tests/stress/proxy-basic.js:
1084         * tests/stress/proxy-with-private-symbols.js: Added.
1085         (assert):
1086         (let.handler.getOwnPropertyDescriptor):
1087
1088 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
1089
1090         regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
1091         https://bugs.webkit.org/show_bug.cgi?id=154841
1092
1093         Reviewed by Benjamin Poulain.
1094
1095         Here's the deadlock:
1096
1097         Main thread:
1098             1) Change an InferredType.  This acquires InferredType::m_lock.
1099             2) Fire watchpoint set.  This triggers CodeBlock invalidation, which acquires
1100                CodeBlock::m_lock.
1101
1102         DFG thread:
1103             1) Iterate over the information in a CodeBlock.  This acquires CodeBlock::m_lock.
1104             2) Ask an InferredType for its descriptor().  This acquires InferredType::m_lock.
1105
1106         I think that the DFG thread's ordering should be legal, because the best logic for lock
1107         hierarchies is that locks that protect the largest set of stuff should be acquired first.
1108
1109         This means that the main thread shouldn't be holding the InferredType::m_lock when firing
1110         watchpoint sets.  That's what this patch ensures.
1111
1112         At the time of writing, this test was deadlocking for me on trunk 100% of the time.  With
1113         this change I cannot get it to deadlock.
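
        Added example, not part of this ChangeLog or of JSC's sources: a lock-rank assertion that
        reports the inversion described above at the first offending acquire instead of as a hang.
        The ranks are the example's assumption, following the entry's rule that the lock protecting
        more state (CodeBlock::m_lock) is the outer one; the class and function names are the
        example's own.

```javascript
// Added example, not JSC code: a lock-rank assertion that flags the ordering
// inversion described above at the first bad acquire instead of as a hang.
// The ranks are this example's assumption, following the entry's rule that the
// lock protecting more state (CodeBlock::m_lock) is the outer one.
const RANK = { CodeBlock: 1, InferredType: 2 };

class Thread {
  constructor(name) {
    this.name = name;
    this.held = []; // locks currently held, innermost last
  }
  acquire(lock) {
    const innermost = this.held[this.held.length - 1];
    if (innermost !== undefined && RANK[lock] < RANK[innermost]) {
      throw new Error(`${this.name}: acquiring ${lock} while holding ${innermost} inverts the lock hierarchy`);
    }
    this.held.push(lock);
  }
  release(lock) {
    if (this.held.pop() !== lock) throw new Error(`${this.name}: unbalanced release of ${lock}`);
  }
}

// Replays a sequence of [op, lock] steps on a fresh thread; "ok" or the violation.
function check(name, steps) {
  const thread = new Thread(name);
  try {
    for (const [op, lock] of steps) thread[op](lock);
    return "ok";
  } catch (e) {
    return e.message;
  }
}

// DFG thread: walk a CodeBlock (outer), then ask an InferredType for its
// descriptor() (inner). Legal under the hierarchy.
const dfgThread = [
  ["acquire", "CodeBlock"], ["acquire", "InferredType"],
  ["release", "InferredType"], ["release", "CodeBlock"],
];

// Main thread before the fix: fire the watchpoint set, which invalidates
// CodeBlocks, while still holding InferredType::m_lock.
const mainThreadBefore = [
  ["acquire", "InferredType"], ["acquire", "CodeBlock"],
  ["release", "CodeBlock"], ["release", "InferredType"],
];

// Main thread after the fix: release InferredType::m_lock first, then fire.
const mainThreadAfter = [
  ["acquire", "InferredType"], ["release", "InferredType"],
  ["acquire", "CodeBlock"], ["release", "CodeBlock"],
];
```

        The check is per thread and needs no actual contention, which is what makes it useful: the
        original deadlock only showed up when the DFG thread happened to hold CodeBlock::m_lock at
        the same moment, whereas the rank violation is present on every run.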
1114
1115         * runtime/InferredType.cpp:
1116         (JSC::InferredType::willStoreValueSlow):
1117         (JSC::InferredType::makeTopSlow):
1118         (JSC::InferredType::set):
1119         (JSC::InferredType::removeStructure):
1120         (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
1121         * runtime/InferredType.h:
1122
1123 2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1124
1125         [DFG][FTL][B3] Support floor and ceil
1126         https://bugs.webkit.org/show_bug.cgi?id=154683
1127
1128         Reviewed by Filip Pizlo.
1129
1130         This patch implements and fixes the following things.
1131
1132         1. Implement Ceil and Floor in DFG, FTL and B3
1133
1134         x86 SSE 4.2 and ARM64 have round instructions that can directly perform Ceil or Floor.
1135         This patch leverages this functionality. We introduce ArithFloor and ArithCeil.
        During the DFG phase, these nodes attempt to convert themselves to Identity (in the Fixup phase).
        As with ArithRound, they track the arith rounding mode.
1138         And if these nodes are required to emit machine codes, we emit rounding machine code
1139         if it is supported in the current machine. For example, in x86, we emit `round`.
1140
        This `Floor` functionality is nice for @toInteger in the builtins.
1142         That is used for Array.prototype.{forEach, map, every, some, reduce...}
1143         And according to the benchmark results, Kraken audio-oscillator is slightly improved
1144         due to its frequent Math.round and Math.floor calls.
1145
1146         2. Implement Floor in B3 and Air
1147
        As with Ceil in B3, we add a new B3 IR and Air opcode, Floor.
1149         This Floor is leveraged to implement ArithFloor in DFG.
1150
1151         3. Fix ArithRound operation
1152
        Currently, we use cvtsd2si (on x86) to convert a double value to int32,
        and we also use this to implement Math.round, as cvtsd2si(value + 0.5).
        However, this implementation is not correct, because cvtsd2si is not a floor operation;
        it is a truncate operation. This is OK for positive numbers but not for negative numbers.
1157         For example, the current implementation accidentally rounds `-0.6` to `-0.0`. This should be `-1.0`.
1158         Using Ceil and Floor instructions, we implement correct ArithRound.
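
        Added example, not part of this ChangeLog or of JSC's sources: it reproduces the -0.6 case
        above with a truncating conversion and shows a rounding built only from floor and ceil that
        agrees with Math.round, including ties, negative zero and the largest double below 0.5. The
        floor/ceil formulation is the example's own and is not a transcription of the machine code
        JSC emits; Math.trunc stands in for the truncating conversion instruction.

```javascript
// Added example, not JSC code: why truncate(value + 0.5) is not Math.round, and
// a rounding built only from floor and ceil. The floor/ceil formulation here is
// this example's own; it is not a transcription of the machine code JSC emits.

// The old scheme from the entry above, with Math.trunc standing in for the
// truncating conversion instruction: -0.6 + 0.5 = -0.1, truncated to -0.
function roundByTruncate(x) {
  return Math.trunc(x + 0.5);
}

// x - floor(x) is the fractional part in [0, 1). Ties (exactly 0.5) go up, as
// Math.round requires. Math.ceil rather than floor + 1 keeps -0 for inputs in
// (-0.5, -0], and NaN/Infinity fall through unchanged.
function roundByFloorCeil(x) {
  const down = Math.floor(x);
  return x - down >= 0.5 ? Math.ceil(x) : down;
}

// Constructed inputs covering the negative cases, ties, -0 and the largest
// double below 0.5 (which must round to 0, not 1).
const SAMPLES = [-2.5, -1.5, -1, -0.6, -0.5, -0.4, -0, 0, 0.4, 0.5, 1.5, 2.5,
                 0.49999999999999994, -1e9 - 0.7, 1e9 + 0.5, Infinity, -Infinity, NaN];

// Inputs on which `impl` disagrees with Math.round; Object.is tells -0 from 0.
function disagreements(impl) {
  return SAMPLES.filter(x => !Object.is(impl(x), Math.round(x)));
}
```

        Object.is is essential in the comparison: the truncating version returns +0 for -0.4 where
        Math.round returns -0, and === cannot see that difference, which is exactly the class of
        bug the math-rounding-negative-zero.js test below is for.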
1159
1160         * assembler/MacroAssemblerARM.h:
1161         (JSC::MacroAssemblerARM::supportsFloatingPointRounding):
1162         (JSC::MacroAssemblerARM::ceilDouble):
1163         (JSC::MacroAssemblerARM::floorDouble):
1164         (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Deleted.
1165         * assembler/MacroAssemblerARM64.h:
1166         (JSC::MacroAssemblerARM64::supportsFloatingPointRounding):
1167         (JSC::MacroAssemblerARM64::floorFloat):
1168         (JSC::MacroAssemblerARM64::supportsFloatingPointCeil): Deleted.
1169         * assembler/MacroAssemblerARMv7.h:
1170         (JSC::MacroAssemblerARMv7::supportsFloatingPointRounding):
1171         (JSC::MacroAssemblerARMv7::ceilDouble):
1172         (JSC::MacroAssemblerARMv7::floorDouble):
1173         (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil): Deleted.
1174         * assembler/MacroAssemblerMIPS.h:
1175         (JSC::MacroAssemblerMIPS::ceilDouble):
1176         (JSC::MacroAssemblerMIPS::floorDouble):
1177         (JSC::MacroAssemblerMIPS::supportsFloatingPointRounding):
1178         (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil): Deleted.
1179         * assembler/MacroAssemblerSH4.h:
1180         (JSC::MacroAssemblerSH4::supportsFloatingPointRounding):
1181         (JSC::MacroAssemblerSH4::ceilDouble):
1182         (JSC::MacroAssemblerSH4::floorDouble):
1183         (JSC::MacroAssemblerSH4::supportsFloatingPointCeil): Deleted.
1184         * assembler/MacroAssemblerX86Common.h:
1185         (JSC::MacroAssemblerX86Common::floorDouble):
1186         (JSC::MacroAssemblerX86Common::floorFloat):
1187         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
1188         (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil): Deleted.
1189         * b3/B3ConstDoubleValue.cpp:
1190         (JSC::B3::ConstDoubleValue::floorConstant):
1191         * b3/B3ConstDoubleValue.h:
1192         * b3/B3ConstFloatValue.cpp:
1193         (JSC::B3::ConstFloatValue::floorConstant):
1194         * b3/B3ConstFloatValue.h:
1195         * b3/B3LowerMacrosAfterOptimizations.cpp:
1196         * b3/B3LowerToAir.cpp:
1197         (JSC::B3::Air::LowerToAir::lower):
1198         * b3/B3Opcode.cpp:
1199         (WTF::printInternal):
1200         * b3/B3Opcode.h:
1201         * b3/B3ReduceDoubleToFloat.cpp:
1202         * b3/B3ReduceStrength.cpp:
1203         * b3/B3Validate.cpp:
1204         * b3/B3Value.cpp:
1205         (JSC::B3::Value::floorConstant):
1206         (JSC::B3::Value::isRounded):
1207         (JSC::B3::Value::effects):
1208         (JSC::B3::Value::key):
1209         (JSC::B3::Value::typeFor):
1210         * b3/B3Value.h:
1211         * b3/air/AirFixPartialRegisterStalls.cpp:
1212         * b3/air/AirOpcode.opcodes:
1213         * b3/testb3.cpp:
1214         (JSC::B3::testFloorCeilArg):
1215         (JSC::B3::testFloorArg):
1216         (JSC::B3::testFloorImm):
1217         (JSC::B3::testFloorMem):
1218         (JSC::B3::testFloorFloorArg):
1219         (JSC::B3::testCeilFloorArg):
1220         (JSC::B3::testFloorIToD64):
1221         (JSC::B3::testFloorIToD32):
1222         (JSC::B3::testFloorArgWithUselessDoubleConversion):
1223         (JSC::B3::testFloorArgWithEffectfulDoubleConversion):
1224         (JSC::B3::run):
1225         * dfg/DFGAbstractInterpreterInlines.h:
1226         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1227         * dfg/DFGArithMode.cpp:
1228         (WTF::printInternal):
1229         * dfg/DFGArithMode.h:
1230         * dfg/DFGByteCodeParser.cpp:
1231         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1232         * dfg/DFGClobberize.h:
1233         (JSC::DFG::clobberize):
1234         * dfg/DFGDoesGC.cpp:
1235         (JSC::DFG::doesGC):
1236         * dfg/DFGFixupPhase.cpp:
1237         (JSC::DFG::FixupPhase::fixupNode):
1238         * dfg/DFGGraph.cpp:
1239         (JSC::DFG::Graph::dump):
1240         * dfg/DFGGraph.h:
1241         (JSC::DFG::Graph::roundShouldSpeculateInt32):
1242         * dfg/DFGNode.h:
1243         (JSC::DFG::Node::arithNodeFlags):
1244         (JSC::DFG::Node::hasHeapPrediction):
1245         (JSC::DFG::Node::hasArithRoundingMode):
1246         * dfg/DFGNodeType.h:
1247         * dfg/DFGPredictionPropagationPhase.cpp:
1248         (JSC::DFG::PredictionPropagationPhase::propagate):
1249         * dfg/DFGSafeToExecute.h:
1250         (JSC::DFG::safeToExecute):
1251         * dfg/DFGSpeculativeJIT.cpp:
1252         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1253         (JSC::DFG::SpeculativeJIT::compileArithRound): Deleted.
1254         * dfg/DFGSpeculativeJIT.h:
1255         * dfg/DFGSpeculativeJIT32_64.cpp:
1256         (JSC::DFG::SpeculativeJIT::compile):
1257         * dfg/DFGSpeculativeJIT64.cpp:
1258         (JSC::DFG::SpeculativeJIT::compile):
1259         * ftl/FTLCapabilities.cpp:
1260         (JSC::FTL::canCompile):
1261         * ftl/FTLLowerDFGToB3.cpp:
1262         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1263         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1264         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
1265         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
1266         * ftl/FTLOutput.h:
1267         (JSC::FTL::Output::doubleFloor):
1268         * jit/ThunkGenerators.cpp:
1269         (JSC::ceilThunkGenerator):
1270         * tests/stress/math-ceil-arith-rounding-mode.js: Added.
1271         (firstCareAboutZeroSecondDoesNot):
1272         (firstDoNotCareAboutZeroSecondDoes):
1273         (warmup):
1274         (verifyNegativeZeroIsPreserved):
1275         * tests/stress/math-ceil-basics.js: Added.
1276         (mathCeilOnIntegers):
1277         (mathCeilOnDoubles):
1278         (mathCeilOnBooleans):
1279         (uselessMathCeil):
1280         (mathCeilWithOverflow):
1281         (mathCeilConsumedAsDouble):
1282         (mathCeilDoesNotCareAboutMinusZero):
1283         (mathCeilNoArguments):
1284         (mathCeilTooManyArguments):
1285         (testMathCeilOnConstants):
1286         (mathCeilStructTransition):
1287         (Math.ceil):
1288         * tests/stress/math-floor-arith-rounding-mode.js: Added.
1289         (firstCareAboutZeroSecondDoesNot):
1290         (firstDoNotCareAboutZeroSecondDoes):
1291         (warmup):
1292         (verifyNegativeZeroIsPreserved):
1293         * tests/stress/math-floor-basics.js: Added.
1294         (mathFloorOnIntegers):
1295         (mathFloorOnDoubles):
1296         (mathFloorOnBooleans):
1297         (uselessMathFloor):
1298         (mathFloorWithOverflow):
1299         (mathFloorConsumedAsDouble):
1300         (mathFloorDoesNotCareAboutMinusZero):
1301         (mathFloorNoArguments):
1302         (mathFloorTooManyArguments):
1303         (testMathFloorOnConstants):
1304         (mathFloorStructTransition):
1305         (Math.floor):
1306         * tests/stress/math-round-should-not-use-truncate.js: Added.
1307         (mathRoundDoesNotCareAboutMinusZero):
1308         * tests/stress/math-rounding-infinity.js: Added.
1309         (shouldBe):
1310         (testRound):
1311         (testFloor):
1312         (testCeil):
1313         * tests/stress/math-rounding-nan.js: Added.
1314         (shouldBe):
1315         (testRound):
1316         (testFloor):
1317         (testCeil):
1318         * tests/stress/math-rounding-negative-zero.js: Added.
1319         (shouldBe):
1320         (testRound):
1321         (testFloor):
1322         (testCeil):
1323         (testRoundNonNegativeZero):
1324         (testRoundNonNegativeZero2):
1325
1326 2016-02-29  Joseph Pecoraro  <pecoraro@apple.com>
1327
1328         Add new MethodTable method to get an estimated size for a cell
1329         https://bugs.webkit.org/show_bug.cgi?id=154838
1330
1331         Reviewed by Filip Pizlo.
1332
1333         The new class method estimatedSize(JSCell*) estimates the size for a single cell.
        As the name implies, this is meant to be an approximation. It is more important
        that big objects report a large size than to get perfect size information for
        all objects in the heap.
1337
1338             Base implementation (JSCell):
1339               - returns the MarkedBlock bucket size for this cell.
1340               - This gets us the object size include inline storage. Basically a better sizeof.
1341
1342             Subclasses with "Extra Memory Cost":
1343               - Any class that reports extra memory (reportExtraMemoryVisited) should include that in the estimated size.
1344               - E.g. CodeBlock, JSGenericTypedArrayView, WeakMapData, etc.
1345
1346             Subclasses with "Copied Space" storage:
1347               - Any class with data in copied space (copyBackingStore) should include that in the estimated size.
1348               - E.g. JSObject, JSGenericTypedArrayView, JSMap, JSSet, DirectArguments, etc.
1349
1350         Add reportExtraMemoryVisited for UnlinkedCodeBlock's compressed unlinked
1351         instructions because this can be larger than 1kb, which is significant.
1352
1353         This has one special case for RegExp generated bytecode / JIT code, which
1354         does not currently fall into the extra memory cost or copied space storage.
1355         In practice I haven't seen this grow to a significant cost.
1356
1357         * runtime/ClassInfo.h:
1358         Add the new estimatedSize method to the table.
1359
1360         * bytecode/UnlinkedCodeBlock.cpp:
1361         (JSC::UnlinkedCodeBlock::visitChildren):
1362         (JSC::UnlinkedCodeBlock::estimatedSize):
1363         (JSC::UnlinkedCodeBlock::setInstructions):
1364         * bytecode/UnlinkedCodeBlock.h:
1365         Report an extra memory cost for unlinked code blocks like
1366         we do for linked code blocks.
1367
1368         * bytecode/CodeBlock.cpp:
1369         (JSC::CodeBlock::estimatedSize):
1370         * bytecode/CodeBlock.h:
1371         * bytecode/UnlinkedInstructionStream.cpp:
1372         (JSC::UnlinkedInstructionStream::sizeInBytes):
1373         * bytecode/UnlinkedInstructionStream.h:
1374         * runtime/DirectArguments.cpp:
1375         (JSC::DirectArguments::estimatedSize):
1376         * runtime/DirectArguments.h:
1377         * runtime/JSCell.cpp:
1378         (JSC::JSCell::estimatedSizeInBytes):
1379         (JSC::JSCell::estimatedSize):
1380         * runtime/JSCell.h:
1381         * runtime/JSGenericTypedArrayView.h:
1382         * runtime/JSGenericTypedArrayViewInlines.h:
1383         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
1384         * runtime/JSMap.cpp:
1385         (JSC::JSMap::estimatedSize):
1386         * runtime/JSMap.h:
1387         * runtime/JSObject.cpp:
1388         (JSC::JSObject::visitButterfly):
1389         * runtime/JSObject.h:
1390         * runtime/JSSet.cpp:
1391         (JSC::JSSet::estimatedSize):
1392         * runtime/JSSet.h:
1393         * runtime/JSString.cpp:
1394         (JSC::JSString::estimatedSize):
1395         * runtime/JSString.h:
1396         * runtime/MapData.h:
1397         (JSC::MapDataImpl::capacityInBytes):
1398         * runtime/WeakMapData.cpp:
1399         (JSC::WeakMapData::estimatedSize):
1400         (JSC::WeakMapData::visitChildren):
1401         * runtime/WeakMapData.h:
1402         Implement estimated size following the pattern of reporting
1403         extra visited size, or copied space memory.
1404
1405         * runtime/RegExp.cpp:
1406         (JSC::RegExp::estimatedSize):
1407         * runtime/RegExp.h:
1408         * yarr/YarrInterpreter.h:
1409         (JSC::Yarr::ByteDisjunction::estimatedSizeInBytes):
1410         (JSC::Yarr::BytecodePattern::estimatedSizeInBytes):
1411         * yarr/YarrJIT.h:
1412         (JSC::Yarr::YarrCodeBlock::size):
1413         Include generated bytecode / JITCode in a RegExp's size.
1414
1415 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
1416
1417         SpeculatedType should be easier to edit
1418         https://bugs.webkit.org/show_bug.cgi?id=154840
1419
1420         Reviewed by Mark Lam.
1421
1422         We used to specify the bitmasks in SpeculatedType.h using hex codes. This used to work
1423         great because we didn't have so many masks and you could use the mask to visually see
1424         which ones overlapped. It also made it easy to visualize subset relationships.
1425
1426         But now we have a lot of masks with a lot of confusing overlaps, and it's no longer
1427         possible to just see their relationship by looking at hex codes. Worse, the use of hex
1428         codes makes it super annoying to move the bits around. For example, right now we have two
1429         bits free, but if we wanted to reclaim them by editing the old hex masks, it would be a
1430         nightmare.
1431
1432         So this patch replaces the hex masks with shift expressions (1u << 15 for example) and it
1433         makes any derived masks (i.e. masks that are the bit-or of other masks) be expressed using
1434         an or expression (SpecFoo | SpecBar | SpecBaz for example).
1435
1436         This makes it easier to see the relationships and it makes it easier to take bits for new
1437         types.
1438
1439         * bytecode/SpeculatedType.h:
1440
1441 2016-02-29  Keith Miller  <keith_miller@apple.com>
1442
1443         OverridesHasInstance constant folding is wrong
1444         https://bugs.webkit.org/show_bug.cgi?id=154833
1445
1446         Reviewed by Filip Pizlo.
1447
1448         The current implementation of OverridesHasInstance constant folding
1449         is incorrect. Since it relies on OSR exit information it has been
1450         moved to the StrengthReductionPhase. Normally, such an optimization would be
1451         put in FixupPhase; however, there are a number of cases where we don't
1452         determine an edge of OverridesHasInstance is a constant until after fixup.
1453         Performing the optimization during StrengthReductionPhase means we can defer
1454         our decision until later.
1455
1456         In the future we should consider creating a version of this optimization
1457         that does not depend on OSR exit information and move the optimization back
1458         to ConstantFoldingPhase.
1459
1460         * dfg/DFGConstantFoldingPhase.cpp:
1461         (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
1462         * dfg/DFGStrengthReductionPhase.cpp:
1463         (JSC::DFG::StrengthReductionPhase::handleNode):
1464
1465 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
1466
1467         B3 should have global store elimination
1468         https://bugs.webkit.org/show_bug.cgi?id=154658
1469
1470         Reviewed by Benjamin Poulain.
1471
1472         Implements fairly comprehensive global store elimination:
1473
1474         1) If you store the result of a load with no interference in between, remove the store.
1475
1476         2) If you store the same thing you stored previously, remove the store.
1477
1478         3) If you store something that you either loaded previously or stored previously along
1479            arbitrarily many paths, remove the store.
1480
1481         4) If you store to something that is stored to again in the future with no interference in
1482            between, remove the store.
1483
1484         Rule (4) is super relevant to FTL since the DFG does not eliminate redundant PutStructures.
1485         A constructor that produces a large object will have many redundant stores to the same base
1486         pointer, offset, and heap range, with no code to observe that heap range in between.
1487
1488         This doesn't have a decisive effect on major benchmarks, but it's an enormous win for
1489         microbenchmarks:
1490
1491         - 30% faster to construct an object with many fields.
1492
1493         - 5x faster to do many stores to a global variable.
1494
1495         The compile time cost should be very small. Although the optimization is global, it aborts as
1496         soon as it sees anything that would confound store elimination. For rules (1)-(3), we
1497         piggy-back the existing load elimination, which gives up on interfering stores. For rule (4),
1498         we search forward through the current block and then globally a block at a time (skipping
1499         block contents thanks to summary data), which could be expensive. But rule (4) aborts as soon
1500         as it sees a read, write, or end block (Return or Oops). Any Check will claim to read TOP. Any
1501         Patchpoint that results from an InvalidationPoint will claim to read TOP, as will any
1502         Patchpoints for ICs. Those are usually sprinkled all over the program.
1503
1504         In other words, this optimization rarely kicks in. When it does kick in, it makes programs run
1505         faster. When it doesn't kick in, it's usually O(1) because there are reasons for aborting all
1506         over a "normal" program so the search will halt almost immediately. This of course raises the
1507         question: how much more in compile time do we pay when the optimization does kick in? The
1508         optimization kicks in the most for the microbenchmarks I wrote for this patch. Amazingly, the
1509         effect of the optimization is a wash for compile time: whatever cost we pay doing the O(n^2)
1510         searches is balanced by the massive reduction in work in the backend. On one of the two
1511         microbenchmarks, overall compile time actually shrank with this optimization even though CSE
1512         itself cost more. That's not too surprising - the backend costs much more per instruction, so
1513         things that remove instructions before we get to the backend tend to be a good idea.
1514
1515         We could consider adding a more aggressive version of this in the future, which could sink
1516         stores into checks. That could be crazy fun: https://bugs.webkit.org/show_bug.cgi?id=152162#c3
1517
1518         But mainly, I'm adding this optimization because it was super fun to implement during the
1519         WebAssembly CG summit.
1520
1521         * b3/B3EliminateCommonSubexpressions.cpp:
1522         * b3/B3MemoryValue.h:
1523         * b3/B3SuccessorCollection.h:
1524         (JSC::B3::SuccessorCollection::begin):
1525         (JSC::B3::SuccessorCollection::end):
1526         (JSC::B3::SuccessorCollection::const_iterator::const_iterator):
1527         (JSC::B3::SuccessorCollection::const_iterator::operator*):
1528         (JSC::B3::SuccessorCollection::const_iterator::operator++):
1529         (JSC::B3::SuccessorCollection::const_iterator::operator==):
1530         (JSC::B3::SuccessorCollection::const_iterator::operator!=):
1531
1532 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
1533
1534         Make it cheap to #include "JITOperations.h"
1535         https://bugs.webkit.org/show_bug.cgi?id=154836
1536
1537         Reviewed by Mark Lam.
1538
1539         Prior to this change, this header included the whole world even though it didn't have any
1540         definitions. This patch turns almost all of the includes into forward declarations. Right
1541         now this header is very cheap to include.
1542
1543         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1544         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1545         * JavaScriptCore.xcodeproj/project.pbxproj:
1546         * dfg/DFGSpeculativeJIT.h:
1547         * jit/JITOperations.cpp:
1548         * jit/JITOperations.h:
1549         * jit/Repatch.h:
1550         * runtime/CommonSlowPaths.h:
1551         (JSC::encodeResult): Deleted.
1552         (JSC::decodeResult): Deleted.
1553         * runtime/SlowPathReturnType.h: Added.
1554         (JSC::encodeResult):
1555         (JSC::decodeResult):
1556
1557 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
1558
1559         FTL should be able to run everything in Octane/regexp
1560         https://bugs.webkit.org/show_bug.cgi?id=154266
1561
1562         Reviewed by Saam Barati.
1563
1564         Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
1565         make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
1566         DFG backend optimization anyway - if we need this optimization then it should be a
1567         strength reduction rule over IR. That way, it can be shared by all backends.
1568
1569         I measured whether removing that optimization had any effect on performance separately
1570         from measuring the performance of this patch. Removing that optimization did not change
1571         our score on any benchmarks.
1572
1573         This patch does have an overall negative effect on the Octane/regexp score. This is
1574         presumably because tiering up to the FTL has no value to the code in the regexp test. Or
1575         maybe it's something else. No matter - the overall effect on the Octane score is not
1576         statistically significant and we don't want this kind of coverage blocked by the fact
1577         that adding coverage hurts a benchmark.
1578
1579         * dfg/DFGByteCodeParser.cpp:
1580         (JSC::DFG::ByteCodeParser::parseBlock):
1581         * dfg/DFGNode.h:
1582         (JSC::DFG::Node::setIndexingType):
1583         (JSC::DFG::Node::hasRegexpIndex):
1584         * dfg/DFGSpeculativeJIT.cpp:
1585         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
1586         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
1587         (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
1588         * dfg/DFGSpeculativeJIT32_64.cpp:
1589         (JSC::DFG::SpeculativeJIT::compile):
1590         * dfg/DFGSpeculativeJIT64.cpp:
1591         (JSC::DFG::SpeculativeJIT::compile):
1592         * ftl/FTLCapabilities.cpp:
1593         (JSC::FTL::canCompile):
1594         * ftl/FTLLowerDFGToB3.cpp:
1595         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1596         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
1597         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
1598         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
1599         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1600         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1601         * tests/stress/ftl-regexp-exec.js: Added.
1602         * tests/stress/ftl-regexp-test.js: Added.
1603
1604 2016-02-28  Andreas Kling  <akling@apple.com>
1605
1606         Make JSFunction.name allocation fully lazy.
1607         <https://webkit.org/b/154806>
1608
1609         Reviewed by Saam Barati.
1610
1611         We were reifying the "name" field on functions lazily, but created the string
1612         value itself up front. This patch gets rid of the up-front allocation,
1613         saving us a JSString allocation per function in most cases.
1614
1615         * builtins/BuiltinExecutables.cpp:
1616         (JSC::createExecutableInternal):
1617         * bytecode/UnlinkedFunctionExecutable.cpp:
1618         (JSC::UnlinkedFunctionExecutable::visitChildren):
1619         * bytecode/UnlinkedFunctionExecutable.h:
1620         * runtime/CodeCache.cpp:
1621         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1622         * runtime/Executable.h:
1623         * runtime/JSFunction.cpp:
1624         (JSC::JSFunction::reifyName):
1625
1626 2016-02-28  Andreas Kling  <akling@apple.com>
1627
1628         REGRESSION(r197303): 4 jsc tests failing on bots.
1629
1630         Unreviewed follow-up fix.
1631
1632         * bytecode/UnlinkedCodeBlock.cpp:
1633         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
1634         can still get called with !m_rareData, in case the type profiler is active but this
1635         particular code block doesn't have type profiler data. Handle it gracefully.
1636
1637 2016-02-28  Andreas Kling  <akling@apple.com>
1638
1639         Shrink UnlinkedCodeBlock a bit.
1640         <https://webkit.org/b/154797>
1641
1642         Reviewed by Anders Carlsson.
1643
1644         Move profiler-related members of UnlinkedCodeBlock into its RareData
1645         structure, saving 40 bytes, and then reorder the other members of
1646         UnlinkedCodeBlock to save another 24 bytes, netting a nice total 64.
1647
1648         The VM member was removed entirely since UnlinkedCodeBlock is a cell
1649         and can retrieve its VM through MarkedBlock header lookup.
1650
1651         * bytecode/UnlinkedCodeBlock.cpp:
1652         (JSC::UnlinkedCodeBlock::vm):
1653         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
1654         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
1655         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
1656         * bytecode/UnlinkedCodeBlock.h:
1657         (JSC::UnlinkedCodeBlock::addRegExp):
1658         (JSC::UnlinkedCodeBlock::addConstant):
1659         (JSC::UnlinkedCodeBlock::addFunctionDecl):
1660         (JSC::UnlinkedCodeBlock::addFunctionExpr):
1661         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
1662         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
1663         (JSC::UnlinkedCodeBlock::vm): Deleted.
1664
1665 2016-02-27  Filip Pizlo  <fpizlo@apple.com>
1666
1667         FTL should lower its abstract heaps to B3 heap ranges
1668         https://bugs.webkit.org/show_bug.cgi?id=154782
1669
1670         Reviewed by Saam Barati.
1671
1672         The FTL can describe the abstract heaps (points-to sets) that a memory operation will
1673         affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
1674         TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
1675         notion - the HeapRange. That's what this patch fixes.
1676
1677         B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
1678         integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
1679         affects by specifying a heap range: a begin...end pair that says that the operation
1680         affects all abstract heaps H such that begin <= H < end.
1681
1682         This peculiar scheme was a deliberate attempt to distill what the abstract heap
1683         hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:
1684
1685         - A heap's end is greater than its begin.
1686         - A heap's begin is greater than or equal to its parent's begin.
1687         - A heap's end is less than or equal to its parent's end.
1688
1689         This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
1690         went for the iterative traversal, which is a splendid algorithm, but it's totally
1691         unnecessary here since we tightly control the height of the heap hierarchy.
1692
1693         Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
1694         generate new ones for field names and constant indices we encounter, we can't actually
1695         decorate the B3 instructions we create in lowering until all lowering is done. Adding a
1696         new abstract heap to the hierarchy after ranges were already computed would require
1697         updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
1698         patch solves that problem by recording the associations between abstract heaps and their
1699         intended roles in the generated IR, and then decorating all of the relevant B3 values
1700         after we compute the ranges of the hierarchy after lowering.
1701
1702         This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
1703         speed-up on any benchmark. That's not too surprising. We already have very precise CSE
1704         in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
1705         already been getting the big ones even without alias analysis.
1706
1707         Even without a speed-up, this patch is valuable because it makes it easier to implement
1708         other optimizations, like store elimination.
1709
1710         * b3/B3HeapRange.h:
1711         (JSC::B3::HeapRange::HeapRange):
1712         * ftl/FTLAbstractHeap.cpp:
1713         (JSC::FTL::AbstractHeap::AbstractHeap):
1714         (JSC::FTL::AbstractHeap::changeParent):
1715         (JSC::FTL::AbstractHeap::compute):
1716         (JSC::FTL::AbstractHeap::shallowDump):
1717         (JSC::FTL::AbstractHeap::dump):
1718         (JSC::FTL::AbstractHeap::deepDump):
1719         (JSC::FTL::AbstractHeap::badRangeError):
1720         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
1721         (JSC::FTL::IndexedAbstractHeap::baseIndex):
1722         (JSC::FTL::IndexedAbstractHeap::atSlow):
1723         (JSC::FTL::IndexedAbstractHeap::initialize):
1724         (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
1725         (JSC::FTL::AbstractField::dump): Deleted.
1726         * ftl/FTLAbstractHeap.h:
1727         (JSC::FTL::AbstractHeap::AbstractHeap):
1728         (JSC::FTL::AbstractHeap::isInitialized):
1729         (JSC::FTL::AbstractHeap::initialize):
1730         (JSC::FTL::AbstractHeap::parent):
1731         (JSC::FTL::AbstractHeap::heapName):
1732         (JSC::FTL::AbstractHeap::range):
1733         (JSC::FTL::AbstractHeap::offset):
1734         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
1735         (JSC::FTL::IndexedAbstractHeap::at):
1736         (JSC::FTL::IndexedAbstractHeap::operator[]):
1737         (JSC::FTL::IndexedAbstractHeap::returnInitialized):
1738         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
1739         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
1740         (JSC::FTL::AbstractHeap::changeParent): Deleted.
1741         (JSC::FTL::AbstractField::AbstractField): Deleted.
1742         (JSC::FTL::AbstractField::initialize): Deleted.
1743         (JSC::FTL::AbstractField::offset): Deleted.
1744         * ftl/FTLAbstractHeapRepository.cpp:
1745         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1746         (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
1747         (JSC::FTL::AbstractHeapRepository::decorateMemory):
1748         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
1749         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
1750         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
1751         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
1752         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
1753         * ftl/FTLAbstractHeapRepository.h:
1754         (JSC::FTL::AbstractHeapRepository::forArrayType):
1755         (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
1756         * ftl/FTLLowerDFGToB3.cpp:
1757         (JSC::FTL::DFG::LowerDFGToB3::lower):
1758         * ftl/FTLOutput.cpp:
1759         (JSC::FTL::Output::load):
1760         (JSC::FTL::Output::load8SignExt32):
1761         (JSC::FTL::Output::load8ZeroExt32):
1762         (JSC::FTL::Output::load16SignExt32):
1763         (JSC::FTL::Output::load16ZeroExt32):
1764         (JSC::FTL::Output::store):
1765         (JSC::FTL::Output::store32As8):
1766         (JSC::FTL::Output::store32As16):
1767         (JSC::FTL::Output::baseIndex):
1768         * ftl/FTLOutput.h:
1769         (JSC::FTL::Output::address):
1770         (JSC::FTL::Output::absolute):
1771         (JSC::FTL::Output::load8SignExt32):
1772         (JSC::FTL::Output::load8ZeroExt32):
1773         (JSC::FTL::Output::load16SignExt32):
1774         (JSC::FTL::Output::load16ZeroExt32):
1775         (JSC::FTL::Output::load32):
1776         (JSC::FTL::Output::load64):
1777         (JSC::FTL::Output::loadPtr):
1778         (JSC::FTL::Output::loadDouble):
1779         (JSC::FTL::Output::store32):
1780         (JSC::FTL::Output::store64):
1781         (JSC::FTL::Output::storePtr):
1782         (JSC::FTL::Output::storeDouble):
1783         (JSC::FTL::Output::ascribeRange):
1784         (JSC::FTL::Output::nonNegative32):
1785         (JSC::FTL::Output::load32NonNegative):
1786         (JSC::FTL::Output::equal):
1787         (JSC::FTL::Output::notEqual):
1788         * ftl/FTLTypedPointer.h:
1789         (JSC::FTL::TypedPointer::operator!):
1790         (JSC::FTL::TypedPointer::heap):
1791         (JSC::FTL::TypedPointer::value):
1792
1793 2016-02-28  Skachkov Oleksandr  <gskachkov@gmail.com>
1794
1795         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
1796         https://bugs.webkit.org/show_bug.cgi?id=153981
1797
1798         Reviewed by Saam Barati.
1799        
1800         In the first iteration of the arrow function implementation, we emitted loads and stores of the
1801         variables 'this', 'arguments', 'super' and 'new.target' whenever an arrow function existed, even if
1802         those variables were not used in the arrow function. The current patch adds logic that prevents
1803         emitting those variables if they are not used in the arrow function. During syntax analysis the parser
1804         stores information about the variables used in the arrow function inside the ordinary function scope
1805         and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.
1805
1806         * bytecompiler/BytecodeGenerator.cpp:
1807         (JSC::BytecodeGenerator::BytecodeGenerator):
1808         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1809         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1810         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
1811         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1812         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1813         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1814         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
1815         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1816         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1817         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1818         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1819         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1820         * bytecompiler/BytecodeGenerator.h:
1821         * bytecompiler/NodesCodegen.cpp:
1822         (JSC::ThisNode::emitBytecode):
1823         (JSC::EvalFunctionCallNode::emitBytecode):
1824         (JSC::FunctionNode::emitBytecode):
1825         * parser/ASTBuilder.h:
1826         (JSC::ASTBuilder::createBracketAccess):
1827         (JSC::ASTBuilder::createDotAccess):
1828         (JSC::ASTBuilder::usesSuperCall):
1829         (JSC::ASTBuilder::usesSuperProperty):
1830         (JSC::ASTBuilder::makeFunctionCallNode):
1831         * parser/Nodes.cpp:
1832         (JSC::ScopeNode::ScopeNode):
1833         (JSC::ProgramNode::ProgramNode):
1834         (JSC::ModuleProgramNode::ModuleProgramNode):
1835         (JSC::EvalNode::EvalNode):
1836         (JSC::FunctionNode::FunctionNode):
1837         * parser/Nodes.h:
1838         (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
1839         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
1840         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
1841         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
1842         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
1843         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
1844         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
1845         (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
1846         (JSC::ScopeNode::usesSuperCall):
1847         (JSC::ScopeNode::usesSuperProperty):
1848         * parser/Parser.cpp:
1849         (JSC::Parser<LexerType>::parseProperty):
1850         (JSC::Parser<LexerType>::parsePrimaryExpression):
1851         (JSC::Parser<LexerType>::parseMemberExpression):
1852         * parser/Parser.h:
1853         (JSC::Scope::Scope):
1854         (JSC::Scope::isArrowFunctionBoundary):
1855         (JSC::Scope::innerArrowFunctionFeatures):
1856         (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
1857         (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
1858         (JSC::Scope::setInnerArrowFunctionUsesEval):
1859         (JSC::Scope::setInnerArrowFunctionUsesThis):
1860         (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
1861         (JSC::Scope::setInnerArrowFunctionUsesArguments):
1862         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1863         (JSC::Scope::collectFreeVariables):
1864         (JSC::Scope::mergeInnerArrowFunctionFeatures):
1865         (JSC::Scope::fillParametersForSourceProviderCache):
1866         (JSC::Scope::restoreFromSourceProviderCache):
1867         (JSC::Scope::setIsFunction):
1868         (JSC::Scope::setIsArrowFunction):
1869         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
1870         (JSC::Parser::pushScope):
1871         (JSC::Parser::popScopeInternal):
1872         (JSC::Parser<LexerType>::parse):
1873         * parser/ParserModes.h:
1874         * parser/SourceProviderCacheItem.h:
1875         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1876         * parser/SyntaxChecker.h:
1877         (JSC::SyntaxChecker::createFunctionMetadata):
1878         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1879         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1880         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1881         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1882         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1883
1884 2016-02-28  Saam barati  <sbarati@apple.com>
1885
1886         ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
1887         https://bugs.webkit.org/show_bug.cgi?id=154768
1888
1889         Reviewed by Ryosuke Niwa.
1890
1891         This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
1892         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
1893         We weren't correctly propagating the result of this operation to the
1894         out PropertySlot& parameter. This patch fixes that and adds tests.
1895
1896         * runtime/ObjectConstructor.cpp:
1897         (JSC::objectConstructorGetOwnPropertyDescriptor):
1898         I added a missing exception check after object allocation
1899         because I saw that it was missing while reading the code.
1900
1901         * runtime/PropertyDescriptor.cpp:
1902         (JSC::PropertyDescriptor::setUndefined):
1903         (JSC::PropertyDescriptor::slowGetterSetter):
1904         (JSC::PropertyDescriptor::getter):
1905         * runtime/PropertyDescriptor.h:
1906         (JSC::PropertyDescriptor::attributes):
1907         (JSC::PropertyDescriptor::value):
1908         * runtime/ProxyObject.cpp:
1909         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1910         * tests/es6.yaml:
1911         * tests/stress/proxy-get-own-property.js:
1912         (let.handler.getOwnPropertyDescriptor):
1913         (set get let.handler.return):
1914         (set get let.handler.getOwnPropertyDescriptor):
1915         (set get let):
1916         (set get let.a):
1917         (let.b):
1918         (let.setter):
1919         (let.getter):
1920
1921 2016-02-27  Andy VanWagoner  <thetalecrafter@gmail.com>
1922
1923         Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
1924         https://bugs.webkit.org/show_bug.cgi?id=152448
1925
1926         Reviewed by Darin Adler.
1927
1928         Add defaultLanguage to the globalObjectMethodTable and use it for the
1929         default locale in Intl object initializations. Fall back to ICU default
1930         locale only if the defaultLanguage function is null, or returns an
1931         empty string.
1932
1933         * jsc.cpp:
1934         * runtime/IntlCollator.cpp:
1935         (JSC::IntlCollator::initializeCollator):
1936         * runtime/IntlDateTimeFormat.cpp:
1937         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1938         * runtime/IntlNumberFormat.cpp:
1939         (JSC::IntlNumberFormat::initializeNumberFormat):
1940         * runtime/IntlObject.cpp:
1941         (JSC::defaultLocale):
1942         (JSC::lookupMatcher):
1943         (JSC::bestFitMatcher):
1944         (JSC::resolveLocale):
1945         * runtime/IntlObject.h:
1946         * runtime/JSGlobalObject.cpp:
1947         * runtime/JSGlobalObject.h:
1948         * runtime/StringPrototype.cpp:
1949         (JSC::toLocaleCase):
1950
1951 2016-02-27  Oliver Hunt  <oliver@apple.com>
1952
1953         CLoop build fix.
1954
1955         * jit/ExecutableAllocatorFixedVMPool.cpp:
1956
1957 2016-02-26  Oliver Hunt  <oliver@apple.com>
1958
1959         Remove the on demand executable allocator
1960         https://bugs.webkit.org/show_bug.cgi?id=154749
1961
1962         Reviewed by Geoffrey Garen.
1963
1964         Remove all the DemandExecutable code and executable allocator ifdefs.
1965
1966         * CMakeLists.txt:
1967         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1968         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1969         * JavaScriptCore.xcodeproj/project.pbxproj:
1970         * jit/ExecutableAllocator.cpp: Removed.
1971         (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
1972         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
1973         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
1974         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
1975         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
1976         (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
1977         (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
1978         (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
1979         (JSC::DemandExecutableAllocator::allocators): Deleted.
1980         (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
1981         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
1982         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
1983         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
1984         (JSC::ExecutableAllocator::isValid): Deleted.
1985         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
1986         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
1987         (JSC::ExecutableAllocator::allocate): Deleted.
1988         (JSC::ExecutableAllocator::committedByteCount): Deleted.
1989         (JSC::ExecutableAllocator::dumpProfile): Deleted.
1990         (JSC::ExecutableAllocator::getLock): Deleted.
1991         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
1992         (JSC::ExecutableAllocator::reprotectRegion): Deleted.
1993         * jit/ExecutableAllocator.h:
1994         * jit/ExecutableAllocatorFixedVMPool.cpp:
1995         * jit/JITStubRoutine.h:
1996         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
1997         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
1998         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
1999
2000 2016-02-26  Joseph Pecoraro  <pecoraro@apple.com>
2001
2002         Reduce direct callers of Structure::findStructuresAndMapForMaterialization
2003         https://bugs.webkit.org/show_bug.cgi?id=154751
2004
2005         Reviewed by Mark Lam.
2006
2007         * runtime/Structure.cpp:
2008         (JSC::Structure::toStructureShape):
2009         This property name iteration is identical to Structure::forEachPropertyConcurrently.
2010         Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.
2011
2012 2016-02-26  Mark Lam  <mark.lam@apple.com>
2013
2014         Function.name and Function.length should be configurable.
2015         https://bugs.webkit.org/show_bug.cgi?id=154604
2016
2017         Reviewed by Saam Barati.
2018
2019         According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
2020         "Unless otherwise specified, the name property of a built-in Function object,
2021         if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
2022         [[Configurable]]: true }."
2023
2024         Similarly, "the length property of a built-in Function object has the attributes
2025         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."
2026
2027         This patch makes Function.name and Function.length configurable.
2028
2029         We do this by lazily reifying the JSFunction name and length properties on first
2030         access.  We track whether each of these properties have been reified using flags
2031         in the FunctionRareData.  On first access, if not already reified, we will put
2032         the property into the object with its default value and attributes and set the
2033         reified flag.  Thereafter, we rely on the base JSObject to handle access to the
2034         property.
2035
2036         Also, lots of test results have to be re-baselined because the old Function.length
2037         has attribute DontDelete, which is in conflict with the ES6 requirement that it
2038         is configurable.
2039
2040         * runtime/FunctionRareData.h:
2041         (JSC::FunctionRareData::hasReifiedLength):
2042         (JSC::FunctionRareData::setHasReifiedLength):
2043         (JSC::FunctionRareData::hasReifiedName):
2044         (JSC::FunctionRareData::setHasReifiedName):
2045         - Flags for tracking whether each property has been reified.
2046
2047         * runtime/JSFunction.cpp:
2048         (JSC::JSFunction::finishCreation):
2049         (JSC::JSFunction::createBuiltinFunction):
2050         - Host and builtin functions currently always reify their name and length
2051           properties.  Currently, for builtins, the default names that are used may
2052           differ from the executable name.  For now, we'll stay with keeping this
2053           alternate approach to getting the name and length properties for host and
2054           builtin functions.
2055           However, we need their default attribute to be configurable as well.
2056
2057         (JSC::JSFunction::getOwnPropertySlot):
2058         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2059         (JSC::JSFunction::put):
2060         (JSC::JSFunction::deleteProperty):
2061         (JSC::JSFunction::defineOwnProperty):
2062         (JSC::JSFunction::reifyLength):
2063         (JSC::JSFunction::reifyName):
2064         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2065         (JSC::JSFunction::lengthGetter): Deleted.
2066         (JSC::JSFunction::nameGetter): Deleted.
2067         * runtime/JSFunction.h:
2068         * runtime/JSFunctionInlines.h:
2069         (JSC::JSFunction::hasReifiedLength):
2070         (JSC::JSFunction::hasReifiedName):
2071
2072         * tests/es6.yaml:
2073         - 4 new passing tests.
2074
2075         * tests/mozilla/ecma/Array/15.4.4.3-1.js:
2076         * tests/mozilla/ecma/Array/15.4.4.4-1.js:
2077         * tests/mozilla/ecma/Array/15.4.4.4-2.js:
2078         * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
2079         * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
2080         * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
2081         * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
2082         * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
2083         * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
2084         * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
2085         * tests/mozilla/ecma/String/15.5.4.10-1.js:
2086         * tests/mozilla/ecma/String/15.5.4.11-1.js:
2087         * tests/mozilla/ecma/String/15.5.4.11-5.js:
2088         * tests/mozilla/ecma/String/15.5.4.12-1.js:
2089         * tests/mozilla/ecma/String/15.5.4.6-2.js:
2090         * tests/mozilla/ecma/String/15.5.4.7-2.js:
2091         * tests/mozilla/ecma/String/15.5.4.8-1.js:
2092         * tests/mozilla/ecma/String/15.5.4.9-1.js:
2093         - Rebase expected test results.
2094
2095         * tests/stress/function-configurable-properties.js: Added.
2096
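The attribute triple quoted above from the spec can be checked from script, and "configurable" has a concrete consequence: a script may delete and redefine a function's name and length. The following is an added example, not WebKit code or the stress test named in this entry; the sample function and the helper names are constructed for illustration.

```javascript
// Added example, not WebKit code: verifies the attribute triple the entry
// above quotes for Function "name" and "length", and shows what
// "configurable" lets a script do with them.
const EXPECTED_ATTRIBUTES = { writable: false, enumerable: false, configurable: true };

// Returns { name: bool, length: bool }: whether each own property exists on
// fn with exactly the expected attributes.
function checkFunctionAttributes(fn) {
  const result = {};
  for (const key of ["name", "length"]) {
    const desc = Object.getOwnPropertyDescriptor(fn, key);
    result[key] = desc !== undefined &&
      desc.writable === EXPECTED_ATTRIBUTES.writable &&
      desc.enumerable === EXPECTED_ATTRIBUTES.enumerable &&
      desc.configurable === EXPECTED_ATTRIBUTES.configurable;
  }
  return result;
}

// Because both properties are configurable (but not writable), delete and
// defineProperty succeed even though plain assignment would not change them.
function demonstrateConfigurable() {
  function sample(a, b) { return a + b; }   // constructed sample function
  const before = { name: sample.name, length: sample.length };

  const deleted = delete sample.name && delete sample.length;   // both true
  // With the own properties gone, lookups fall through to Function.prototype,
  // whose own name is "" and whose own length is 0.
  const afterDelete = { name: sample.name, length: sample.length };

  Object.defineProperty(sample, "name", { value: "renamed", configurable: true });
  Object.defineProperty(sample, "length", { value: 7, configurable: true });
  const afterRedefine = { name: sample.name, length: sample.length };

  return { before, deleted, afterDelete, afterRedefine };
}
```

Since any script can rewrite these two properties, code that uses `fn.name` or `fn.length` for dispatch, logging or argument validation should treat them as untrusted input rather than as facts about the function.
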
2097 2016-02-26  Keith Miller  <keith_miller@apple.com>
2098
2099         Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
2100         https://bugs.webkit.org/show_bug.cgi?id=154743
2101
2102         Reviewed by Mark Lam.
2103
2104         * dfg/DFGConstantFoldingPhase.cpp:
2105         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2106         * dfg/DFGFixupPhase.cpp:
2107         (JSC::DFG::FixupPhase::fixupNode):
2108
2109 2016-02-26  Keith Miller  <keith_miller@apple.com>
2110
2111         Native Typed Array functions should use Symbol.species
2112         https://bugs.webkit.org/show_bug.cgi?id=154569
2113
2114         Reviewed by Michael Saboff.
2115
2116         This patch adds support for Symbol.species in the native Typed Array prototype
2117         functions. Additionally, now that other types of typed arrays are creatable inside
2118         the slice, we use the JSGenericTypedArrayView::set function, which has been beefed
2119         up, to put everything into the correct place.
2120
2121         * runtime/JSDataView.cpp:
2122         (JSC::JSDataView::set):
2123         * runtime/JSDataView.h:
2124         * runtime/JSGenericTypedArrayView.h:
2125         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2126         (JSC::constructGenericTypedArrayViewFromIterator):
2127         (JSC::constructGenericTypedArrayViewWithArguments):
2128         (JSC::constructGenericTypedArrayView):
2129         * runtime/JSGenericTypedArrayViewInlines.h:
2130         (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
2131         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2132         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2133         (JSC::speciesConstruct):
2134         (JSC::genericTypedArrayViewProtoFuncSet):
2135         (JSC::genericTypedArrayViewProtoFuncSlice):
2136         (JSC::genericTypedArrayViewProtoFuncSubarray):
2137         * tests/stress/typedarray-slice.js:
2138         (subclasses.typedArrays.map):
2139         (testSpecies):
2140         (forEach):
2141         (subclasses.forEach):
2142         (testSpeciesRemoveConstructor):
2143         (testSpeciesWithSameBuffer):
2144         * tests/stress/typedarray-subarray.js: Added.
2145         (subclasses.typedArrays.map):
2146         (testSpecies):
2147         (forEach):
2148         (subclasses.forEach):
2149         (testSpeciesRemoveConstructor):
2150
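From the script side, Symbol.species decides which constructor slice and subarray use for their result, and that constructor is ordinary user code that runs in the middle of the built-in. The following is an added example, not WebKit code or the stress tests listed above; the subclass names are constructed for illustration.

```javascript
// Added example, not WebKit code: how Symbol.species steers the typed array
// prototype functions named above, as observed from script.
class TaggedBytes extends Uint8Array {}                 // default species: the subclass itself
class PlainSpecies extends Uint8Array {                 // opts out: derived results are plain
  static get [Symbol.species]() { return Uint8Array; }
}

function speciesResults() {
  const tagged = new TaggedBytes([1, 2, 3, 4]);
  const plain = new PlainSpecies([1, 2, 3, 4]);
  const sliced = tagged.slice(1, 3);
  const sub = tagged.subarray(1, 3);
  return {
    sliceKeepsSubclass: sliced instanceof TaggedBytes,                   // true
    subarrayKeepsSubclass: sub instanceof TaggedBytes,                   // true
    sliceFollowsSpecies: plain.slice(1, 3).constructor === Uint8Array,   // true
    sliceCopies: sliced.buffer !== tagged.buffer,                        // true: fresh buffer
    subarrayShares: sub.buffer === tagged.buffer,                        // true: same buffer
    sliceValues: Array.from(sliced),                                     // [2, 3]
  };
}

// The species constructor can observe what the built-in passes in: slice
// asks for a fresh element count, subarray asks for a view over the same
// buffer (buffer, byte offset, length).
function speciesConstructorArguments() {
  const calls = [];
  class Recording extends Int16Array {
    constructor(...args) {
      calls.push(args);      // allowed before super(): does not touch `this`
      super(...args);
    }
  }
  const base = new Recording([10, 20, 30, 40]);  // call 0: [[10, 20, 30, 40]]
  base.slice(1, 3);                              // call 1: [2]
  base.subarray(1, 3);                           // call 2: [buffer, 2, 2]
  return calls;
}
```

Because the species constructor is arbitrary script, the object it returns has to be re-validated by the built-in before data is copied into it, which is why a slice that may now produce a different element type goes through a set routine rather than a raw copy.
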
2151 2016-02-26  Benjamin Poulain  <bpoulain@apple.com>
2152
2153         [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
2154         https://bugs.webkit.org/show_bug.cgi?id=154704
2155
2156         Reviewed by Geoffrey Garen.
2157
2158         If the Imm is zero, we should still zero the top bits
2159         to match the definition in AirOpcodes.
2160
2161         * assembler/MacroAssemblerX86Common.h:
2162         (JSC::MacroAssemblerX86Common::add32):
2163         * b3/testb3.cpp:
2164
2165 2016-02-26  Oliver Hunt  <oliver@apple.com>
2166
2167         Make testRegExp not crash when given an invalid regexp
2168         https://bugs.webkit.org/show_bug.cgi?id=154732
2169
2170         Reviewed by Mark Lam.
2171
2172         * testRegExp.cpp:
2173         (parseRegExpLine):
2174
2175 2016-02-26  Benjamin Poulain  <benjamin@webkit.org>
2176
2177         [JSC] Add the test for r197155
2178         https://bugs.webkit.org/show_bug.cgi?id=154715
2179
2180         Reviewed by Mark Lam.
2181
2182         Silly me. I forgot the test in the latest patch update.
2183
2184         * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
2185
2186 2016-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2187
2188         [DFG] Drop unnecessary proved type branch in ToPrimitive
2189         https://bugs.webkit.org/show_bug.cgi?id=154716
2190
2191         Reviewed by Geoffrey Garen.
2192
2193         This branching based on the proved types is unnecessary because this is already handled in constant folding phase.
2194         In fact, the DFGSpeculativeJIT64.cpp case is already removed in r164243.
2195         This patch removes the remaining JIT32_64 case.
2196
2197         * dfg/DFGSpeculativeJIT32_64.cpp:
2198         (JSC::DFG::SpeculativeJIT::compile):
2199
2200 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
2201
2202         [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
2203         https://bugs.webkit.org/show_bug.cgi?id=154575
2204
2205         Reviewed by Filip Pizlo.
2206
2207         I noticed that imaging-gaussian-blur spends most of its
2208         samples in DFG code despite executing most of the loop
2209         iterations in FTL.
2210
2211         On this particular test, the main function is only entered
2212         once and has a very heavy loop there. What happens is DFG
2213         starts by compiling the full function in FTL. That takes about
2214         8 to 10 milliseconds during which the DFG code makes very little
2215         progress. The calls to triggerOSREntryNow() try to OSR Enter
2216         for a while then finally start compiling something. By the time
2217         the function is ready, we have wasted a lot of time in DFG code.
2218
2219         What this patch does is set a flag when a DFG function is entered.
2220         If we try to triggerOSREntryNow() and the flag was never set,
2221         we start compiling both the full function and the one for OSR Entry.
2222
2223         * dfg/DFGJITCode.h:
2224         * dfg/DFGJITCompiler.cpp:
2225         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
2226         (JSC::DFG::JITCompiler::compile):
2227         (JSC::DFG::JITCompiler::compileFunction):
2228         * dfg/DFGJITCompiler.h:
2229         * dfg/DFGOperations.cpp:
2230         * dfg/DFGPlan.cpp:
2231         (JSC::DFG::Plan::Plan): Deleted.
2232         * dfg/DFGPlan.h:
2233         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2234         (JSC::DFG::TierUpCheckInjectionPhase::run):
2235
2236 2016-02-25  Benjamin Poulain  <benjamin@webkit.org>
2237
2238         [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
2239         https://bugs.webkit.org/show_bug.cgi?id=154664
2240
2241         Reviewed by Saam Barati.
2242
2243         When doing OSR Enter into a constructor, we lose the information
2244         that this may have been set to empty by a previously executed block.
2245
2246         All the code just assumed the type for a FlushedJS value and thus
2247         not an empty value. It was then okay to eliminate the TDZ checks.
2248
2249         In this patch, the values on root entry now assume they may be empty.
2250         As a result, the SetArgument() for "this" has "empty" as possible
2251         type and the TDZ checks are no longer eliminated.
2252
2253         * dfg/DFGInPlaceAbstractState.cpp:
2254         (JSC::DFG::InPlaceAbstractState::initialize):
2255
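The check that must survive OSR entry is observable from script: in a derived-class constructor, `this` is in its temporal dead zone until super() returns, and touching it earlier has to throw a ReferenceError however hot the surrounding loop is. The following is an added example, not WebKit code or a WebKit stress test; the class names and the loop are constructed for illustration.

```javascript
// Added example, not WebKit code: the TDZ check on `this` that the entry
// above concerns, exercised after a loop hot enough to trigger tier-up.
class Base {
  constructor() { this.initialised = true; }
}

class Derived extends Base {
  constructor(iterations, touchThisEarly) {
    let acc = 0;
    for (let i = 0; i < iterations; i++) acc += i;        // hot loop before super()
    if (touchThisEarly) acc += this.initialised ? 1 : 0;   // `this` is still empty here
    super();
    this.acc = acc;
  }
}

// Returns { ok: true, acc } on success or { ok: false, error } with the
// thrown error's constructor name.
function construct(iterations, touchThisEarly) {
  try {
    return { ok: true, acc: new Derived(iterations, touchThisEarly).acc };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}
```

If an optimising tier dropped the check, the early read would see the empty marker as an ordinary value, which is exactly the class of type confusion the abstract-state fix above prevents.
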
2256 2016-02-25  Ada Chan  <adachan@apple.com>
2257
2258         Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
2259         https://bugs.webkit.org/show_bug.cgi?id=154702
2260
2261         Reviewed by Dan Bernstein.
2262
2263         * Configurations/FeatureDefines.xcconfig:
2264
2265 2016-02-25  Saam barati  <sbarati@apple.com>
2266
2267         [ES6] for...in iteration doesn't comply with the specification
2268         https://bugs.webkit.org/show_bug.cgi?id=154665
2269
2270         Reviewed by Michael Saboff.
2271
2272         If you read ForIn/OfHeadEvaluation inside the spec:
2273         https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
2274         It calls EnumerateObjectProperties(obj) to get a set of properties
2275         to enumerate over (it models this "set" as an ES6 generator function).
2276         EnumerateObjectProperties is defined in section 13.7.5.15:
2277         https://tc39.github.io/ecma262/#sec-enumerate-object-properties
2278         The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
2279         properties it sees. We must do the same by modeling the operation as
2280         a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.
2281
2282         * jit/JITOperations.cpp:
2283         * jit/JITOperations.h:
2284         * runtime/CommonSlowPaths.cpp:
2285         (JSC::SLOW_PATH_DECL):
2286         * runtime/JSObject.cpp:
2287         (JSC::JSObject::hasProperty):
2288         (JSC::JSObject::hasPropertyGeneric):
2289         * runtime/JSObject.h:
2290         * tests/stress/proxy-get-own-property.js:
2291         (assert):
2292         (let.handler.getOwnPropertyDescriptor):
2293         (i.set assert):
2294
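The difference between [[HasProperty]] and [[GetOwnProperty]] is visible from script through a Proxy: for...in must invoke the getOwnPropertyDescriptor trap for each key and must not invoke the has trap, and the enumerability the trap reports decides whether the key is visited. The following is an added example, not WebKit code or the proxy-get-own-property.js test above; the target object and trap bookkeeping are constructed for illustration.

```javascript
// Added example, not WebKit code: observe which Proxy traps for...in uses.
// EnumerateObjectProperties consults [[GetOwnProperty]] per key, so the
// getOwnPropertyDescriptor trap fires and the has trap does not.
function enumerateThroughProxy() {
  // Constructed target: two enumerable properties and one non-enumerable.
  const target = { a: 1, b: 2 };
  Object.defineProperty(target, "hidden", {
    value: 3, enumerable: false, configurable: true, writable: true,
  });

  const calls = { has: [], getOwnPropertyDescriptor: [], ownKeys: 0 };
  const proxy = new Proxy(target, {
    ownKeys(t) {
      calls.ownKeys += 1;
      return Reflect.ownKeys(t);
    },
    has(t, key) {
      calls.has.push(key);
      return Reflect.has(t, key);
    },
    getOwnPropertyDescriptor(t, key) {
      calls.getOwnPropertyDescriptor.push(key);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });

  const keys = [];
  for (const key in proxy) keys.push(key);
  return { keys, calls };   // keys: ["a", "b"]; calls.has: []
}

// Because enumeration trusts the descriptor the trap returns, a trap can
// hide a key from for...in while `in` still reports it as present.
function hideKeyViaDescriptor() {
  const target = { a: 1, b: 2 };
  const proxy = new Proxy(target, {
    getOwnPropertyDescriptor(t, key) {
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      // Reporting "b" as non-enumerable is permitted because the target's
      // own "b" is configurable, so the descriptor stays compatible with it.
      return key === "b" ? { ...desc, enumerable: false } : desc;
    },
  });
  const seen = [];
  for (const key in proxy) seen.push(key);
  return { seen, bStillPresent: "b" in proxy };   // seen: ["a"], bStillPresent: true
}
```

An implementation that modelled the check as [[HasProperty]] would visit "b" in the second case, which is the divergence from the spec this entry removes.
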
2295 2016-02-25  Saam barati  <sbarati@apple.com>
2296
2297         [ES6] Implement Proxy.[[Set]]
2298         https://bugs.webkit.org/show_bug.cgi?id=154511
2299
2300         Reviewed by Filip Pizlo.
2301
2302         This patch is mostly an implementation of
2303         Proxy.[[Set]] with respect to section 9.5.9
2304         of the ECMAScript spec.
2305         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver
2306
2307         This patch also changes JSObject::putInline and JSObject::putByIndex
2308         to be aware that a Proxy in the prototype chain will intercept
2309         property accesses.
2310
2311         * runtime/JSObject.cpp:
2312         (JSC::JSObject::putInlineSlow):
2313         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
2314         * runtime/JSObject.h:
2315         * runtime/JSObjectInlines.h:
2316         (JSC::JSObject::canPerformFastPutInline):
2317         (JSC::JSObject::putInline):
2318         * runtime/JSType.h:
2319         * runtime/ProxyObject.cpp:
2320         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2321         (JSC::ProxyObject::performPut):
2322         (JSC::ProxyObject::put):
2323         (JSC::ProxyObject::putByIndexCommon):
2324         (JSC::ProxyObject::putByIndex):
2325         (JSC::performProxyCall):
2326         (JSC::ProxyObject::getCallData):
2327         (JSC::performProxyConstruct):
2328         (JSC::ProxyObject::deletePropertyByIndex):
2329         (JSC::ProxyObject::visitChildren):
2330         * runtime/ProxyObject.h:
2331         (JSC::ProxyObject::create):
2332         (JSC::ProxyObject::createStructure):
2333         (JSC::ProxyObject::target):
2334         (JSC::ProxyObject::handler):
2335         * tests/es6.yaml:
2336         * tests/stress/proxy-set.js: Added.
2337         (assert):
2338         (throw.new.Error.let.handler.set 45):
2339         (throw.new.Error):
2340         (let.target.set x):
2341         (let.target.get x):
2342         (set let):
2343
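Two parts of this change are observable from script: a Proxy anywhere in a prototype chain intercepts assignments made on objects that inherit from it, for named keys and array indices alike, and the engine enforces the 9.5.9 invariant after the set trap returns. The following is an added example, not WebKit code or the proxy-set.js test above; the objects and trap bookkeeping are constructed for illustration.

```javascript
// Added example, not WebKit code: Proxy [[Set]] (ES2015 section 9.5.9) as
// seen from script, including the prototype-chain case that the putInline
// and putByIndex changes above account for.

// A Proxy in the prototype chain sees puts on derived objects. The trap gets
// the original receiver, so it can still place the property on that object.
function setThroughPrototypeChain() {
  const target = {};
  const log = [];
  const proxy = new Proxy(target, {
    set(t, key, value, receiver) {
      log.push({ key, value, receiverIsChild: receiver === child });
      // Reflect.set with the original receiver reproduces OrdinarySet:
      // the property is created on the receiver, not on the target.
      return Reflect.set(t, key, value, receiver);
    },
  });
  const child = Object.create(proxy);
  child.x = 42;       // named put: child has no own "x", lookup reaches the proxy
  child[0] = "zero";  // indexed put: intercepted the same way
  return {
    log,
    childOwn: Object.keys(child),     // ["0", "x"]
    targetOwn: Object.keys(target),   // []
  };
}

// Invariant checked after the trap returns: a trap may not report success
// for a non-writable, non-configurable data property unless the value is
// unchanged. The check applies in sloppy and strict code alike.
function lyingSetTrap() {
  const target = {};
  Object.defineProperty(target, "frozen", { value: 1, writable: false, configurable: false });
  const proxy = new Proxy(target, { set() { return true; } });   // always claims success
  const attempt = (fn) => {
    try { return fn(); } catch (e) { return e.constructor.name; }
  };
  return {
    sameValue: attempt(() => (proxy.frozen = 1, "ok")),        // "ok"
    differentValue: attempt(() => (proxy.frozen = 2, "ok")),   // "TypeError"
  };
}
```

Code that hands objects to untrusted script therefore cannot assume that a plain assignment stays local to the object it was made on; anything reachable through the prototype chain can observe or redirect it.
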
2344 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
2345
2346         [JSC] Remove a useless "Move" in the lowering of Select
2347         https://bugs.webkit.org/show_bug.cgi?id=154670
2348
2349         Reviewed by Geoffrey Garen.
2350
2351         I left the Move instruction when creating the aliasing form
2352         of Select.
2353
2354         On ARM64, that meant a useless move for any case that can't
2355         be coalesced.
2356
2357         On x86, that meant an extra constraint on child2, making it
2358         stupidly hard to alias child1.
2359
2360         * b3/B3LowerToAir.cpp:
2361         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
2362
2363 2016-02-24  Joseph Pecoraro  <pecoraro@apple.com>
2364
2365         Web Inspector: Expose Proxy target and handler internal properties to Inspector
2366         https://bugs.webkit.org/show_bug.cgi?id=154663
2367
2368         Reviewed by Timothy Hatcher.
2369
2370         * inspector/JSInjectedScriptHost.cpp:
2371         (Inspector::JSInjectedScriptHost::getInternalProperties):
2372         Expose the ProxyObject's target and handler.
2373
2374 2016-02-24  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
2375
2376         [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
2377         https://bugs.webkit.org/show_bug.cgi?id=151688
2378
2379         Reviewed by Dean Jackson.
2380
2381         Enables the WEB_ANIMATIONS compiler switch.
2382
2383         * Configurations/FeatureDefines.xcconfig:
2384
2385 2016-02-24  Konstantin Tokarev  <annulen@yandex.ru>
2386
2387         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
2388         https://bugs.webkit.org/show_bug.cgi?id=154651
2389
2390         Reviewed by Alex Christensen.
2391
2392         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
2393
2394 2016-02-24  Commit Queue  <commit-queue@webkit.org>
2395
2396         Unreviewed, rolling out r197033.
2397         https://bugs.webkit.org/show_bug.cgi?id=154649
2398
2399         "It broke JSC tests when 'this' was loaded from global scope"
2400         (Requested by saamyjoon on #webkit).
2401
2402         Reverted changeset:
2403
2404         "[ES6] Arrow function syntax. Emit loading&putting this/super
2405         only if they are used in arrow function"
2406         https://bugs.webkit.org/show_bug.cgi?id=153981
2407         http://trac.webkit.org/changeset/197033
2408
2409 2016-02-24  Saam Barati  <sbarati@apple.com>
2410
2411         [ES6] Implement Proxy.[[Delete]]
2412         https://bugs.webkit.org/show_bug.cgi?id=154607
2413
2414         Reviewed by Mark Lam.
2415
2416         This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
2417         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
2418
2419         * runtime/ProxyObject.cpp:
2420         (JSC::ProxyObject::getConstructData):
2421         (JSC::ProxyObject::performDelete):
2422         (JSC::ProxyObject::deleteProperty):
2423         (JSC::ProxyObject::deletePropertyByIndex):
2424         * runtime/ProxyObject.h:
2425         * tests/es6.yaml:
2426         * tests/stress/proxy-delete.js: Added.
2427         (assert):
2428         (throw.new.Error.let.handler.get deleteProperty):
2429         (throw.new.Error):
2430         (assert.let.handler.deleteProperty):
2431         (let.handler.deleteProperty):
2432
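From script, 9.5.10 shows up as three behaviours: the deleteProperty trap is consulted for named keys and indices, a false result becomes a TypeError only in strict code, and a trap that claims to have deleted a non-configurable target property is rejected in either mode. The following is an added example, not WebKit code or the proxy-delete.js test above; the objects and the attempt helper are constructed for illustration.

```javascript
// Added example, not WebKit code: Proxy [[Delete]] (ES2015 section 9.5.10)
// as seen from script.
function attempt(fn) {
  try { return fn(); } catch (e) { return e.constructor.name; }
}

// An honest trap forwards to the target; the engine then adds the
// strict-mode TypeError when the trap reports failure.
function deleteThroughProxy() {
  "use strict";
  const target = { removable: 1 };
  Object.defineProperty(target, "pinned", { value: 2, configurable: false });
  const seen = [];
  const proxy = new Proxy(target, {
    deleteProperty(t, key) {
      seen.push(key);
      return Reflect.deleteProperty(t, key);   // false for "pinned"
    },
  });
  return {
    removable: attempt(() => delete proxy.removable),   // true
    pinned: attempt(() => delete proxy.pinned),         // "TypeError" (strict mode)
    index: attempt(() => delete proxy[0]),              // true: nothing to delete
    seen,                                               // ["removable", "pinned", "0"]
    remaining: Object.getOwnPropertyNames(target),      // ["pinned"]
  };
}

// A lying trap: reporting success for a non-configurable target property
// is rejected regardless of strictness, so the target's guarantees hold.
function lyingDeleteTrap() {
  const target = {};
  Object.defineProperty(target, "pinned", { value: 2, configurable: false });
  const proxy = new Proxy(target, { deleteProperty() { return true; } });
  return attempt(() => delete proxy.pinned);   // "TypeError"
}
```
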
2433 2016-02-24  Filip Pizlo  <fpizlo@apple.com>
2434
2435         Stackmaps have problems with double register constraints
2436         https://bugs.webkit.org/show_bug.cgi?id=154643
2437
2438         Reviewed by Geoffrey Garen.
2439
2440         This is currently a benign bug. I found it while playing.
2441
2442         * b3/B3LowerToAir.cpp:
2443         (JSC::B3::Air::LowerToAir::fillStackmap):
2444         * b3/testb3.cpp:
2445         (JSC::B3::testURShiftSelf64):
2446         (JSC::B3::testPatchpointDoubleRegs):
2447         (JSC::B3::zero):
2448         (JSC::B3::run):
2449
2450 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
2451
2452         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
2453         https://bugs.webkit.org/show_bug.cgi?id=153981
2454
2455         Reviewed by Saam Barati.
2456        
2457         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
2458         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
2459         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
2460         During syntax analysis, the parser stores information about the variables used in arrow functions inside
2461         the ordinary function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.
2462
2463         * bytecode/ExecutableInfo.h:
2464         (JSC::ExecutableInfo::ExecutableInfo):
2465         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
2466         * bytecode/UnlinkedCodeBlock.cpp:
2467         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2468         * bytecode/UnlinkedCodeBlock.h:
2469         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
2470         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
2471         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
2472         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
2473         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
2474         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
2475         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
2476         * bytecode/UnlinkedFunctionExecutable.cpp:
2477         (JSC::generateUnlinkedFunctionCodeBlock):
2478         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2479         * bytecode/UnlinkedFunctionExecutable.h:
2480         * bytecompiler/BytecodeGenerator.cpp:
2481         (JSC::BytecodeGenerator::BytecodeGenerator):
2482         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2483         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2484         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
2485         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
2486         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
2487         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
2488         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
2489         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
2490         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
2491         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
2492         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2493         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
2494         * bytecompiler/BytecodeGenerator.h:
2495         * bytecompiler/NodesCodegen.cpp:
2496         (JSC::ThisNode::emitBytecode):
2497         (JSC::EvalFunctionCallNode::emitBytecode):
2498         (JSC::FunctionCallValueNode::emitBytecode):
2499         (JSC::FunctionNode::emitBytecode):
2500         * parser/ASTBuilder.h:
2501         (JSC::ASTBuilder::createFunctionMetadata):
2502         * parser/Nodes.cpp:
2503         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2504         * parser/Nodes.h:
2505         * parser/Parser.cpp:
2506         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
2507         (JSC::Parser<LexerType>::parseFunctionBody):
2508         (JSC::Parser<LexerType>::parseFunctionInfo):
2509         (JSC::Parser<LexerType>::parseProperty):
2510         (JSC::Parser<LexerType>::parsePrimaryExpression):
2511         (JSC::Parser<LexerType>::parseMemberExpression):
2512         * parser/Parser.h:
2513         (JSC::Scope::Scope):
2514         (JSC::Scope::isArrowFunctionBoundary):
2515         (JSC::Scope::innerArrowFunctionFeatures):
2516         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
2517         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
2518         (JSC::Scope::setInnerArrowFunctionUseEval):
2519         (JSC::Scope::setInnerArrowFunctionUseThis):
2520         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
2521         (JSC::Scope::setInnerArrowFunctionUseArguments):
2522         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
2523         (JSC::Scope::collectFreeVariables):
2524         (JSC::Scope::mergeInnerArrowFunctionFeatures):
2525         (JSC::Scope::fillParametersForSourceProviderCache):
2526         (JSC::Scope::restoreFromSourceProviderCache):
2527         (JSC::Scope::setIsFunction):
2528         (JSC::Scope::setIsArrowFunction):
2529         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
2530         (JSC::Parser::pushScope):
2531         (JSC::Parser::popScopeInternal):
2532         * parser/ParserModes.h:
2533         * parser/SourceProviderCacheItem.h:
2534         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
2535         * parser/SyntaxChecker.h:
2536         (JSC::SyntaxChecker::createFunctionMetadata):
2537         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
2538         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
2539         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
2540         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
2541         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
2542
2543 2016-02-23  Brian Burg  <bburg@apple.com>
2544
2545         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
2546         https://bugs.webkit.org/show_bug.cgi?id=154615
2547         <rdar://problem/24804330>
2548
2549         Reviewed by Timothy Hatcher.
2550
2551         Some of the generated Objective-C bindings are only relevant to code acting as the
2552         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
2553         --backend to all generators. Use the setting in a few generators to omit code that's
2554         not needed.
2555
2556         Also fix a few places where the code emits the wrong Objective-C class prefix.
2557         There is some common non-generated code that must always have the RWIProtocol prefix.
2558
2559         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
2560         macros defined in the internal header now need to be used outside of the framework.
2561
2562         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
2563         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
2564         depending on the target framework.
2565
2566         * inspector/scripts/codegen/generate_objc_header.py:
2567         (ObjCHeaderGenerator.generate_output):
2568         For now, omit generating command protocol and event dispatchers when generating for --frontend.
2569
2570         (ObjCHeaderGenerator._generate_type_interface):
2571         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
2572
2573         * inspector/scripts/codegen/generate_objc_internal_header.py:
2574         Use RWIProtocolJSONObjectPrivate.h instead.
2575
2576         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2577         (ObjCProtocolTypesImplementationGenerator.generate_output):
2578         Include the Internal header if it's being generated (only for --backend).
2579
2580         * inspector/scripts/codegen/generator.py:
2581         (Generator.__init__):
2582         (Generator.set_generator_setting):
2583         (Generator):
2584         (Generator.get_generator_setting):
2585         Crib a simple setting system from the Framework class. Make the names more obnoxious.
2586
2587         (Generator.string_for_file_include):
2588         Inspired by the replay input generator, this is a function that uses the proper syntax
2589         for a file include depending on the file's framework and target framework.
2590
2591         * inspector/scripts/codegen/objc_generator.py:
2592         (ObjCGenerator.and):
2593         (ObjCGenerator.and.objc_prefix):
2594         (ObjCGenerator):
2595         (ObjCGenerator.objc_type_for_raw_name):
2596         (ObjCGenerator.objc_class_for_raw_name):
2597         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
2598
2599         * inspector/scripts/generate-inspector-protocol-bindings.py:
2600         (generate_from_specification):
2601         Change the generators to use for the frontend. Propagate --frontend and --backend.
2602
2603         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2604         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2605         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2606         * inspector/scripts/tests/expected/enum-values.json-result:
2607         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2608         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2609         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2610         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2611         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2612         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2613         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2614         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2615         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2616         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
2617
2618 2016-02-23  Saam barati  <sbarati@apple.com>
2619
2620         arrayProtoFuncConcat doesn't check for an exception after allocating an array
2621         https://bugs.webkit.org/show_bug.cgi?id=154621
2622
2623         Reviewed by Michael Saboff.
2624
2625         * runtime/ArrayPrototype.cpp:
2626         (JSC::arrayProtoFuncConcat):
2627
2628 2016-02-23  Dan Bernstein  <mitz@apple.com>
2629
2630         [Xcode] Linker errors display mangled names, but no longer should
2631         https://bugs.webkit.org/show_bug.cgi?id=154632
2632
2633         Reviewed by Sam Weinig.
2634
2635         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
2636
2637 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
2638
2639         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
2640         https://bugs.webkit.org/show_bug.cgi?id=112323
2641
2642         Reviewed by Chris Dumez.
2643
2644         This feature is controlled by a runtime switch, and defaults off.
2645
2646         * Configurations/FeatureDefines.xcconfig:
2647
2648 2016-02-23  Keith Miller  <keith_miller@apple.com>
2649
2650         JSC stress tests' standalone-pre.js should exit on the first failure by default
2651         https://bugs.webkit.org/show_bug.cgi?id=154565
2652
2653         Reviewed by Mark Lam.
2654
2655         Currently, if a test writer does not call finishJSTest() at the end of
2656         any test using stress/resources/standalone-pre.js then the test can fail
2657         without actually reporting an error to the harness. By default, we
2658         should throw on the first error so, in the event someone does not call
2659         finishJSTest() the harness will still notice the error.
2660
2661         * tests/stress/regress-151324.js:
2662         * tests/stress/resources/standalone-pre.js:
2663         (testFailed):
2664
2665 2016-02-23  Saam barati  <sbarati@apple.com>
2666
2667         Make JSObject::getMethod have fewer branches
2668         https://bugs.webkit.org/show_bug.cgi?id=154603
2669
2670         Reviewed by Mark Lam.
2671
2672         Writing code with fewer branches is almost always better.
2673
2674         * runtime/JSObject.cpp:
2675         (JSC::JSObject::getMethod):
2676
2677 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
2678
2679         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
2680         https://bugs.webkit.org/show_bug.cgi?id=154592
2681
2682         Reviewed by Saam Barati.
2683
2684         If Foo has a virtual destructor, then:
2685
2686         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
2687         subclass of Foo that overrides the destructor, this syntax will not call that override.
2688
2689         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
2690         get the subclass's override.
2691
2692         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
2693         This caused leaks because this didn't actually call the subclass's override. This fixes the
2694         problem by using this->~Value() instead.
2695
2696         * b3/B3ControlValue.cpp:
2697         (JSC::B3::ControlValue::convertToJump):
2698         (JSC::B3::ControlValue::convertToOops):
2699         * b3/B3Value.cpp:
2700         (JSC::B3::Value::replaceWithIdentity):
2701         (JSC::B3::Value::replaceWithNop):
2702         (JSC::B3::Value::replaceWithPhi):
2703
2704 2016-02-23  Brian Burg  <bburg@apple.com>
2705
2706         Web Inspector: the protocol generator's Objective-C name prefix should be configurable
2707         https://bugs.webkit.org/show_bug.cgi?id=154596
2708         <rdar://problem/24794962>
2709
2710         Reviewed by Timothy Hatcher.
2711
2712         In order to support different generated protocol sets that don't have conflicting
2713         file and type names, allow the Objective-C prefix to be configurable based on the
2714         target framework. Each name also has the implicit prefix 'Protocol' appended to the
2715         per-target framework prefix.
2716
2717         For example, the existing protocol for remote inspection has the prefix 'RWI'
2718         and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
2719         and is generated as 'AutomationProtocol'.
2720
2721         To make this change, convert ObjCGenerator to be a subclass of Generator and use
2722         the instance method model() to find the target framework and its setting for
2723         'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
2724         these instance methods that used to be static methods. This is a large but
2725         mechanical change to use self instead of ObjCGenerator.
2726
2727         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2728         (ObjCBackendDispatcherHeaderGenerator):
2729         (ObjCBackendDispatcherHeaderGenerator.__init__):
2730         (ObjCBackendDispatcherHeaderGenerator.output_filename):
2731         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
2732         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
2733         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2734         (ObjCConfigurationImplementationGenerator):
2735         (ObjCConfigurationImplementationGenerator.__init__):
2736         (ObjCConfigurationImplementationGenerator.output_filename):
2737         (ObjCConfigurationImplementationGenerator.generate_output):
2738         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
2739         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
2740         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
2741         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2742         (ObjCConfigurationHeaderGenerator):
2743         (ObjCConfigurationHeaderGenerator.__init__):
2744         (ObjCConfigurationHeaderGenerator.output_filename):
2745         (ObjCConfigurationHeaderGenerator.generate_output):
2746         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
2747         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
2748         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2749         (ObjCBackendDispatcherImplementationGenerator):
2750         (ObjCBackendDispatcherImplementationGenerator.__init__):
2751         (ObjCBackendDispatcherImplementationGenerator.output_filename):
2752         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2753         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
2754         (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
2755         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
2756         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
2757         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
2758         (ObjCConversionHelpersGenerator):
2759         (ObjCConversionHelpersGenerator.__init__):
2760         (ObjCConversionHelpersGenerator.output_filename):
2761         (ObjCConversionHelpersGenerator.generate_output):
2762         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
2763         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
2764         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
2765         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2766         (ObjCFrontendDispatcherImplementationGenerator):
2767         (ObjCFrontendDispatcherImplementationGenerator.__init__):
2768         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
2769         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2770         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
2771         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2772         (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
2773         (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
2774         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
2775         * inspector/scripts/codegen/generate_objc_header.py:
2776         (ObjCHeaderGenerator):
2777         (ObjCHeaderGenerator.__init__):
2778         (ObjCHeaderGenerator.output_filename):
2779         (ObjCHeaderGenerator.generate_output):
2780         (ObjCHeaderGenerator._generate_forward_declarations):
2781         (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
2782         (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
2783         (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
2784         (ObjCHeaderGenerator._generate_type_interface):
2785         (ObjCHeaderGenerator._generate_init_method_for_required_members):
2786         (ObjCHeaderGenerator._generate_member_property):
2787         (ObjCHeaderGenerator._generate_command_protocols):
2788         (ObjCHeaderGenerator._generate_single_command_protocol):
2789         (ObjCHeaderGenerator._callback_block_for_command):
2790         (ObjCHeaderGenerator._generate_event_interfaces):
2791         (ObjCHeaderGenerator._generate_single_event_interface):
2792         * inspector/scripts/codegen/generate_objc_internal_header.py:
2793         (ObjCInternalHeaderGenerator):
2794         (ObjCInternalHeaderGenerator.__init__):
2795         (ObjCInternalHeaderGenerator.output_filename):
2796         (ObjCInternalHeaderGenerator.generate_output):
2797         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
2798         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2799         (ObjCProtocolTypesImplementationGenerator):
2800         (ObjCProtocolTypesImplementationGenerator.__init__):
2801         (ObjCProtocolTypesImplementationGenerator.output_filename):
2802         (ObjCProtocolTypesImplementationGenerator.generate_output):
2803         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
2804         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
2805         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
2806         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
2807         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
2808         (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
2809         * inspector/scripts/codegen/models.py:
2810         * inspector/scripts/codegen/objc_generator.py:
2811         (ObjCTypeCategory.category_for_type):
2812         (ObjCGenerator):
2813         (ObjCGenerator.__init__):
2814         (ObjCGenerator.objc_prefix):
2815         (ObjCGenerator.objc_name_for_type):
2816         (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
2817         (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
2818         (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
2819         (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
2820         (ObjCGenerator.objc_class_for_type):
2821         (ObjCGenerator.objc_class_for_array_type):
2822         (ObjCGenerator.objc_accessor_type_for_member):
2823         (ObjCGenerator.objc_accessor_type_for_member_internal):
2824         (ObjCGenerator.objc_type_for_member):
2825         (ObjCGenerator.objc_type_for_member_internal):
2826         (ObjCGenerator.objc_type_for_param):
2827         (ObjCGenerator.objc_type_for_param_internal):
2828         (ObjCGenerator.objc_protocol_export_expression_for_variable):
2829         (ObjCGenerator.objc_protocol_import_expression_for_member):
2830         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
2831         (ObjCGenerator.objc_protocol_import_expression_for_variable):
2832         (ObjCGenerator.objc_to_protocol_expression_for_member):
2833         (ObjCGenerator.protocol_to_objc_expression_for_member):
2834
2835         Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
2836
2837         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2838         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2839         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2840         * inspector/scripts/tests/expected/enum-values.json-result:
2841         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2842         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2843         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2844         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2845         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2846         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2847         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2848         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2849         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2850
2851 2016-02-23  Mark Lam  <mark.lam@apple.com>
2852
2853         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
2854         https://bugs.webkit.org/show_bug.cgi?id=154542
2855
2856         Reviewed by Saam Barati.
2857
2858         According to the spec, the constructors of the following types "are not intended
2859         to be called as a function and will throw an exception".  These types are:
2860             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
2861             Map - https://tc39.github.io/ecma262/#sec-map-constructor
2862             Set - https://tc39.github.io/ecma262/#sec-set-constructor
2863             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
2864             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
2865             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
2866             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
2867             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
2868             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
2869
2870         This patch does the following:
2871         1. Ensures that these constructors can be called but will throw a TypeError
2872            when called.
2873         2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
2874            in their implementation to be consistent.
2875         3. Change the error message to "calling XXX constructor without new is invalid".
2876            This is clearer because the error is likely due to the user forgetting to use
2877            the new operator on these constructors.
2878
2879         * runtime/Error.h:
2880         * runtime/Error.cpp:
2881         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
2882         - Added a convenience function to throw the TypeError.
2883
2884         * runtime/JSArrayBufferConstructor.cpp:
2885         (JSC::constructArrayBuffer):
2886         (JSC::callArrayBuffer):
2887         (JSC::JSArrayBufferConstructor::getCallData):
2888         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2889         (JSC::callGenericTypedArrayView):
2890         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
2891         * runtime/JSPromiseConstructor.cpp:
2892         (JSC::callPromise):
2893         * runtime/MapConstructor.cpp:
2894         (JSC::callMap):
2895         * runtime/ProxyConstructor.cpp:
2896         (JSC::callProxy):
2897         (JSC::ProxyConstructor::getCallData):
2898         * runtime/SetConstructor.cpp:
2899         (JSC::callSet):
2900         * runtime/WeakMapConstructor.cpp:
2901         (JSC::callWeakMap):
2902         * runtime/WeakSetConstructor.cpp:
2903         (JSC::callWeakSet):
2904
2905         * tests/es6.yaml:
2906         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
2907
2908         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
2909         (test):
2910
2911         * tests/stress/map-constructor.js:
2912         (testCallTypeError):
2913         * tests/stress/promise-cannot-be-called.js:
2914         (shouldThrow):
2915         * tests/stress/proxy-basic.js:
2916         * tests/stress/set-constructor.js:
2917         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
2918         (i.catch):
2919         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
2920         (i.catch):
2921         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
2922         (i.catch):
2923         * tests/stress/weak-map-constructor.js:
2924         (testCallTypeError):
2925         * tests/stress/weak-set-constructor.js:
2926         - Updated error message string.
2927
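The behaviour this entry describes is observable from script, so here is an added example (not JavaScriptCore's own code; it assumes any ES2015-compliant engine such as Node) that probes which built-in constructors refuse to be called without `new` and, for contrast, which legacy constructors the spec still allows to be called as plain functions. The constructor lists are constructed for the demonstration; the contrast list goes beyond the entry's own list.

```javascript
// Added example (not JavaScriptCore code): probe which built-in constructors
// reject being called as plain functions, as the ChangeLog entry above describes.

// Constructors the spec says "are not intended to be called as a function".
const NEW_REQUIRED = [
  Map, Set, WeakMap, WeakSet, ArrayBuffer, DataView, Promise, Proxy,
  Int8Array, Uint8Array, Float64Array,
];

// Legacy constructors that the spec does allow to be called without new
// (constructed for contrast; not part of the entry above).
const CALLABLE_AS_FUNCTION = [Array, Date, Error, RegExp, Object];

// Call a constructor without `new` and classify the outcome.
// Returns 'TypeError', the name of some other error class, or 'no throw'.
function callWithoutNew(ctor, ...args) {
  try {
    ctor(...args);
    return 'no throw';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : e.constructor.name;
  }
}

// Audit a list of constructors; returns an object of { name: outcome }.
function auditConstructors(ctors) {
  const result = {};
  for (const ctor of ctors) result[ctor.name] = callWithoutNew(ctor);
  return result;
}

// True when every constructor in the list throws a TypeError without new.
function allRequireNew(ctors) {
  return ctors.every((c) => callWithoutNew(c) === 'TypeError');
}

// Stand-alone run: print the audit of both lists.
console.log(auditConstructors(NEW_REQUIRED));
console.log(auditConstructors(CALLABLE_AS_FUNCTION));
```

A harness that checks `allRequireNew(NEW_REQUIRED)` is a cheap regression guard for the "called as function" path of these constructors, which is exactly what the added stress test in this entry covers.
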
2928 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
2929
2930         ASan build fix.
2931
2932         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
2933
2934         * inspector/InspectorBackendDispatcher.h:
2935
2936 2016-02-23  Brian Burg  <bburg@apple.com>
2937
2938         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
2939         https://bugs.webkit.org/show_bug.cgi?id=154518
2940         <rdar://problem/24761096>
2941
2942         Reviewed by Timothy Hatcher.
2943
2944         * inspector/InspectorBackendDispatcher.h:
2945         Export all the classes since they are used by WebKit::WebAutomationSession.
2946
2947 2016-02-22  Brian Burg  <bburg@apple.com>
2948
2949         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2950         https://bugs.webkit.org/show_bug.cgi?id=154509
2951         <rdar://problem/24759098>
2952
2953         Reviewed by Timothy Hatcher.
2954
2955         Add a new 'WebKit' framework, which is used to generate protocol code
2956         in WebKit2.
2957
2958         Add --backend and --frontend flags to the main generator script.
2959         These allow a framework to trigger two different sets of generators
2960         so they can be separately generated and compiled.
2961
2962         * inspector/scripts/codegen/models.py:
2963         (Framework.fromString):
2964         (Frameworks): Add new framework.
2965
2966         * inspector/scripts/generate-inspector-protocol-bindings.py:
2967         If neither --backend nor --frontend is specified, assume both are wanted.
2968         This matches the behavior for JavaScriptCore and WebInspector frameworks.
2969
2970         (generate_from_specification):
2971         Generate C++ files for the backend and Objective-C files for the frontend.
2972
2973 2016-02-22  Saam barati  <sbarati@apple.com>
2974
2975         JSGlobalObject doesn't visit ProxyObjectStructure during GC
2976         https://bugs.webkit.org/show_bug.cgi?id=154564
2977
2978         Rubber stamped by Mark Lam.
2979
2980         * runtime/JSGlobalObject.cpp:
2981         (JSC::JSGlobalObject::visitChildren):
2982
2983 2016-02-22  Saam barati  <sbarati@apple.com>
2984
2985         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
2986         https://bugs.webkit.org/show_bug.cgi?id=154548
2987
2988         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
2989
2990         InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw
2991         an exception. Neither the function nor the call sites of the function took this into
2992         account. This patch audits the call sites of the function to make it work in
2993         the event that an exception is thrown.
2994
2995         * runtime/BooleanConstructor.cpp:
2996         (JSC::constructWithBooleanConstructor):
2997         * runtime/DateConstructor.cpp:
2998         (JSC::constructDate):
2999         * runtime/ErrorConstructor.cpp:
3000         (JSC::Interpreter::constructWithErrorConstructor):
3001         * runtime/FunctionConstructor.cpp:
3002         (JSC::constructFunctionSkippingEvalEnabledCheck):
3003         * runtime/InternalFunction.cpp:
3004         (JSC::InternalFunction::createSubclassStructure):
3005         * runtime/JSArrayBufferConstructor.cpp:
3006         (JSC::constructArrayBuffer):
3007         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3008         (JSC::constructGenericTypedArrayView):
3009         * runtime/JSGlobalObject.h:
3010         (JSC::constructEmptyArray):
3011         (JSC::constructArray):
3012         (JSC::constructArrayNegativeIndexed):
3013         * runtime/JSPromiseConstructor.cpp:
3014         (JSC::constructPromise):
3015         * runtime/MapConstructor.cpp:
3016         (JSC::constructMap):
3017         * runtime/NativeErrorConstructor.cpp:
3018         (JSC::Interpreter::constructWithNativeErrorConstructor):
3019         * runtime/NumberConstructor.cpp:
3020         (JSC::constructWithNumberConstructor):
3021         * runtime/RegExpConstructor.cpp:
3022         (JSC::getRegExpStructure):
3023         (JSC::constructRegExp):
3024         (JSC::constructWithRegExpConstructor):
3025         * runtime/SetConstructor.cpp:
3026         (JSC::constructSet):
3027         * runtime/StringConstructor.cpp:
3028         (JSC::constructWithStringConstructor):
3029         (JSC::StringConstructor::getConstructData):
3030         * runtime/WeakMapConstructor.cpp:
3031         (JSC::constructWeakMap):
3032         * runtime/WeakSetConstructor.cpp:
3033         (JSC::constructWeakSet):
3034         * tests/stress/create-subclass-structure-might-throw.js: Added.
3035         (assert):
3036
3037 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
3038
3039         Fix build and implement functions to retrieve registers on FreeBSD
3040         https://bugs.webkit.org/show_bug.cgi?id=152258
3041
3042         Reviewed by Michael Catanzaro.
3043
3044         * heap/MachineStackMarker.cpp:
3045         (pthreadSignalHandlerSuspendResume):
3046         struct ucontext is not specified in POSIX and it is not available on
3047         FreeBSD. Replacing it with ucontext_t fixes the build problem.
3048         (JSC::MachineThreads::Thread::Registers::stackPointer):
3049         (JSC::MachineThreads::Thread::Registers::framePointer):
3050         (JSC::MachineThreads::Thread::Registers::instructionPointer):
3051         (JSC::MachineThreads::Thread::Registers::llintPC):
3052         * heap/MachineStackMarker.h:
3053
3054 2016-02-22  Saam barati  <sbarati@apple.com>
3055
3056         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
3057         https://bugs.webkit.org/show_bug.cgi?id=154552
3058
3059         Reviewed by Mark Lam.
3060
3061         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
3062         They return false on a Proxy with internal [[Call]] and [[Construct]]
3063         properties. It seems safest, most forward looking, and most adherent
3064         to the specification to check getCallData() and getConstructData() to
3065         implement these functions.
3066
3067         * runtime/InternalFunction.cpp:
3068         (JSC::InternalFunction::createSubclassStructure):
3069         * runtime/JSCJSValueInlines.h:
3070         (JSC::JSValue::isFunction):
3071         (JSC::JSValue::isConstructor):
3072
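To show from script what getCallData() and getConstructData() see for a Proxy, here is an added example (not JavaScriptCore's own code; it assumes any ES2015-compliant engine such as Node). The `isCallable` and `isConstructor` helpers and the sample values are constructed for the demonstration; `isConstructor` uses the `Reflect.construct` newTarget check, which is the closest userland equivalent of an internal [[Construct]] probe.

```javascript
// Added example (not JavaScriptCore code): userland checks for [[Call]] and
// [[Construct]] that agree with what the engine sees, including for Proxy
// objects that wrap functions.

// typeof is 'function' exactly when the value has a [[Call]] internal method;
// a Proxy whose target is callable forwards that method.
function isCallable(value) {
  return typeof value === 'function';
}

// There is no direct [[Construct]] probe in JavaScript. Reflect.construct
// throws a TypeError when its third argument (newTarget) is not a constructor,
// and does so before running anything, so a harmless target suffices.
function isConstructor(value) {
  if (!isCallable(value)) return false;
  try {
    Reflect.construct(function () {}, [], value);
    return true;
  } catch (e) {
    return false;
  }
}

// Summarise a value's call/construct capabilities.
function capabilities(value) {
  return { callable: isCallable(value), constructible: isConstructor(value) };
}

// Constructed sample values.
function Ordinary() {}
const proxyOfFunction = new Proxy(Ordinary, {});  // has [[Call]] and [[Construct]]
const proxyOfObject = new Proxy({}, {});          // has neither
const arrow = () => 1;                            // callable, not constructible
const builtinMethod = Math.max;                   // callable, not constructible

// Stand-alone run: print the capabilities of each sample.
for (const [name, v] of Object.entries({ Ordinary, proxyOfFunction, proxyOfObject, arrow, builtinMethod }))
  console.log(name, capabilities(v));
```

Note that `Reflect.construct` reads `newTarget.prototype`, so a revoked Proxy would throw inside the probe and be reported as not constructible even though it still carries [[Construct]]; keep that edge case in mind if you reuse the helper.
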
3073 2016-02-22  Keith Miller  <keith_miller@apple.com>
3074
3075         Bound functions should use the prototype of the function being bound
3076         https://bugs.webkit.org/show_bug.cgi?id=154195
3077
3078         Reviewed by Geoffrey Garen.
3079
3080         Per ES6, the result of Function.prototype.bind should have the same
3081         prototype as the function being bound. In order to avoid creating
3082         a new structure each time a function is bound we store the new
3083         structure in our structure map. However, we cannot currently store
3084         structures that have a different GlobalObject than their prototype.
3085         In the rare case that the GlobalObject differs or the prototype of
3086         the bindee is null we create a new structure each time. To further
3087         minimize new structures, as well as making structure lookup faster,
3088         we also store the structure in the RareData of the function we
3089         are binding.
3090
3091         * runtime/FunctionRareData.cpp:
3092         (JSC::FunctionRareData::visitChildren):
3093         * runtime/FunctionRareData.h:
3094         (JSC::FunctionRareData::getBoundFunctionStructure):
3095         (JSC::FunctionRareData::setBoundFunctionStructure):
3096         * runtime/JSBoundFunction.cpp:
3097         (JSC::getBoundFunctionStructure):
3098         (JSC::JSBoundFunction::create):
3099         * tests/es6.yaml:
3100         * tests/stress/bound-function-uses-prototype.js: Added.
3101         (testChangeProto.foo):
3102         (testChangeProto):
3103         (testBuiltins):
3104         * tests/stress/class-subclassing-function.js:
3105
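The ES6 rule this entry implements can be checked from script, so here is an added example (not JavaScriptCore's own code; it assumes any ES2015-compliant engine such as Node). It covers the three cases the entry mentions: an ordinary function, a function whose prototype chain differs (a class subclass and a hand-set prototype), and a function whose prototype is null. The sample functions and the `bindDetached` helper are constructed for the demonstration.

```javascript
// Added example (not JavaScriptCore code): a bound function's [[Prototype]]
// must equal the [[Prototype]] of the function being bound.

// Bind `fn` without relying on fn.bind, which a function whose prototype
// chain was cut (case 4 below) would no longer inherit.
function bindDetached(fn, thisArg, ...args) {
  return Function.prototype.bind.call(fn, thisArg, ...args);
}

// [[Prototype]] of the bound function produced from fn.
function prototypeOfBound(fn) {
  return Object.getPrototypeOf(bindDetached(fn));
}

// True when the bound function and the original share a [[Prototype]].
function boundSharesPrototype(fn) {
  return prototypeOfBound(fn) === Object.getPrototypeOf(fn);
}

// Case 1: an ordinary function inherits from Function.prototype.
function plain() { return this; }

// Case 2: a derived class's [[Prototype]] is its base class.
class Base {}
class Derived extends Base {}

// Case 3: a function with a hand-set prototype (constructed for the demo).
const customProto = Object.create(Function.prototype);
function custom() {}
Object.setPrototypeOf(custom, customProto);

// Case 4: a function with no prototype at all.
function orphan() {}
Object.setPrototypeOf(orphan, null);

// Stand-alone run: report each case.
for (const [name, fn] of Object.entries({ plain, Derived, custom, orphan }))
  console.log(name, boundSharesPrototype(fn), prototypeOfBound(fn));
```

The null-prototype and cross-global cases are the ones the entry says bypass the structure cache; from script they are indistinguishable from the cached cases, which is the point of the test added with the patch.
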
3106 2016-02-22  Keith Miller  <keith_miller@apple.com>
3107
3108         Unreviewed, fix stress test to not print on success.
3109
3110         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
3111         (catch): Deleted.
3112
3113 2016-02-22  Keith Miller  <keith_miller@apple.com>
3114
3115         Use Symbol.species in the builtin TypedArray.prototype functions
3116         https://bugs.webkit.org/show_bug.cgi?id=153384
3117
3118         Reviewed by Geoffrey Garen.
3119
3120         This patch adds the use of species constructors to the TypedArray.prototype map and filter
3121         functions. It also adds a new private function typedArrayGetOriginalConstructor that
3122         returns the TypedArray constructor used to originally create a TypedArray instance.
3123
3124         There are no ES6 tests to update for this patch as species creation for these functions is
3125         not tested in the compatibility table.
3126
3127         * builtins/TypedArrayPrototype.js:
3128         (map):
3129         (filter):
3130         * bytecode/BytecodeIntrinsicRegistry.cpp:
3131         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3132         * bytecode/BytecodeIntrinsicRegistry.h:
3133         * runtime/CommonIdentifiers.h:
3134         * runtime/JSGlobalObject.cpp:
3135         (JSC::JSGlobalObject::init):
3136         (JSC::JSGlobalObject::visitChildren):
3137         * runtime/JSGlobalObject.h:
3138         (JSC::JSGlobalObject::typedArrayConstructor):
3139         * runtime/JSTypedArrayViewPrototype.cpp:
3140         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
3141         * runtime/JSTypedArrayViewPrototype.h:
3142         * tests/stress/typedarray-filter.js:
3143         (subclasses.typedArrays.map):
3144         (prototype.accept):
3145         (testSpecies):
3146         (accept):
3147         (forEach):
3148         (subclasses.forEach):
3149         (testSpeciesRemoveConstructor):
3150         * tests/stress/typedarray-map.js:
3151         (subclasses.typedArrays.map):
3152         (prototype.id):
3153         (testSpecies):
3154         (id):
3155         (forEach):
3156         (subclasses.forEach):
3157         (testSpeciesRemoveConstructor):
3158
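The species behaviour this entry adds to `map` and `filter` is observable from script, so here is an added example (not JavaScriptCore's own code; it assumes any ES2015-compliant engine such as Node). It shows a subclass that keeps the default species, one that overrides `Symbol.species` to produce plain `Uint8Array` results, and an instance whose `constructor` lookup yields `undefined`, which is the case where the spec falls back to the instance's original TypedArray constructor. The subclass names and the helper functions are constructed for the demonstration.

```javascript
// Added example (not JavaScriptCore code): observable effect of Symbol.species
// on TypedArray.prototype.map and filter.

// Subclass that keeps the default species (itself).
class TaggedBytes extends Uint8Array {}

// Subclass that opts out: derived arrays should be plain Uint8Array.
class PlainResultBytes extends Uint8Array {
  static get [Symbol.species]() { return Uint8Array; }
}

// Instance whose 'constructor' lookup yields undefined: the spec then uses
// the instance's original TypedArray constructor (Uint8Array here).
function withoutConstructorProperty(instance) {
  Object.defineProperty(instance, 'constructor', { value: undefined });
  return instance;
}

// Apply map and filter and report which constructor each result has.
function deriveAndClassify(input) {
  const mapped = input.map((x) => x * 2);
  const filtered = input.filter((x) => x % 2 === 0);
  return {
    mapped: mapped.constructor.name,
    filtered: filtered.constructor.name,
    mappedValues: Array.from(mapped).join(','),
    filteredValues: Array.from(filtered).join(','),
  };
}

// Stand-alone run: print the three cases.
console.log(deriveAndClassify(new TaggedBytes([1, 2, 3])));
console.log(deriveAndClassify(new PlainResultBytes([1, 2, 3])));
console.log(deriveAndClassify(withoutConstructorProperty(new TaggedBytes([4]))));
```

Because the species lookup reads user-controllable properties (`constructor` and `Symbol.species`), an engine must handle the lookup throwing or returning a non-constructor; the fallback to the original constructor is what the new private function in this entry provides.
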
3159 2016-02-22  Keith Miller  <keith_miller@apple.com>
3160
3161         Builtins that should not rely on iteration do.
3162         https://bugs.webkit.org/show_bug.cgi?id=154475
3163
3164         Reviewed by Geoffrey Garen.
3165
3166         When changing the behavior of varargs calls to use ES6 iterators the
3167         call builtin function's use of a varargs call was overlooked. The use
3168         of iterators is observable outside the scope of the call function,
3169         thus it must be reimplemented.
3170
3171         * builtins/FunctionPrototype.js:
3172         (call):
3173         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
3174         (test):
3175         (addAll):
3176         (catch):
3177
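Whether a built-in touches the iteration protocol is observable by instrumenting `Array.prototype[Symbol.iterator]`, which is what the added stress test in this entry does. Here is an added example (not JavaScriptCore's own code; it assumes any ES2015-compliant engine such as Node) that counts iterator invocations during `Function.prototype.call`, `Function.prototype.apply`, and a spread call for comparison. The counting helper and sample functions are constructed for the demonstration.

```javascript
// Added example (not JavaScriptCore code): call and apply must not observe
// Array iteration; spread syntax does.

// Run `action` with Array.prototype[Symbol.iterator] instrumented, restoring
// it afterwards even if the action throws. Returns the number of times the
// iterator was requested.
function countArrayIterations(action) {
  const original = Array.prototype[Symbol.iterator];
  let count = 0;
  Array.prototype[Symbol.iterator] = function () {
    count += 1;
    return original.call(this);
  };
  try {
    action();
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
  return count;
}

// Sample callee: rest parameters are built from the argument list directly,
// not via the iteration protocol.
function sum(...xs) { return xs.reduce((a, b) => a + b, 0); }

// Three ways of passing the same three arguments.
function viaCall() { return sum.call(null, 1, 2, 3); }
function viaApply() { return sum.apply(null, [1, 2, 3]); }   // CreateListFromArrayLike
function viaSpread() { return sum(...[1, 2, 3]); }           // uses the iterator

// Stand-alone run: show iterator counts for each style.
console.log('call:', countArrayIterations(viaCall));
console.log('apply:', countArrayIterations(viaApply));
console.log('spread:', countArrayIterations(viaSpread));
```

A patched `Array.prototype[Symbol.iterator]` is a common way for page script to observe or alter engine internals, so a built-in that unexpectedly routes through it is both a spec deviation and a way for untrusted code to run during an operation that was meant to be atomic.
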
3178 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
3179
3180         [JSC shell] Don't put empty arguments array to VM.
3181         https://bugs.webkit.org/show_bug.cgi?id=154516
3182
3183         Reviewed by Geoffrey Garen.
3184
3185         This allows arrowfunction-lexical-bind-arguments-top-level test to pass
3186         in jsc as well as in browser.
3187
3188         * jsc.cpp:
3189         (GlobalObject::finishCreation):
3190
3191 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
3192
3193         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
3194         https://bugs.webkit.org/show_bug.cgi?id=154450
3195
3196         Reviewed by Alex Christensen.
3197
3198         * CMakeLists.txt:
3199
3200 2016-02-22  Commit Queue  <commit-queue@webkit.org>
3201
3202         Unreviewed, rolling out r196891.
3203         https://bugs.webkit.org/show_bug.cgi?id=154539
3204
3205         it broke Production builds (Requested by brrian on #webkit).
3206
3207         Reverted changeset:
3208
3209         "Web Inspector: add 'Automation' protocol domain and generate
3210         its backend classes separately in WebKit2"
3211         https://bugs.webkit.org/show_bug.cgi?id=154509
3212         http://trac.webkit.org/changeset/196891
3213
3214 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3215
3216         CodeBlock always visits its unlinked code twice
3217         https://bugs.webkit.org/show_bug.cgi?id=154494
3218
3219         Reviewed by Saam Barati.
3220
3221         * bytecode/CodeBlock.cpp:
3222         (JSC::CodeBlock::visitChildren):
3223         The unlinked code is always visited in stronglyVisitStrongReferences.
3224
3225 2016-02-21  Brian Burg  <bburg@apple.com>
3226
3227         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
3228         https://bugs.webkit.org/show_bug.cgi?id=154509
3229         <rdar://problem/24759098>
3230
3231         Reviewed by Timothy Hatcher.
3232
3233         Add a new 'WebKit' framework, which is used to generate protocol code
3234         in WebKit2.
3235
3236         Add --backend and --frontend flags to the main generator script.
3237         These allow a framework to trigger two different sets of generators
3238         so they can be separately generated and compiled.
3239
3240         * inspector/scripts/codegen/models.py:
3241         (Framework.fromString):
3242         (Frameworks): Add new framework.
3243
3244         * inspector/scripts/generate-inspector-protocol-bindings.py:
3245         If neither --backend nor --frontend is specified, assume both are wanted.
3246         This matches the behavior for JavaScriptCore and WebInspector frameworks.
3247
3248         (generate_from_specification):
3249         Generate C++ files for the backend and Objective-C files for the frontend.
3250
3251 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3252
3253         Improvements to Intl code
3254         https://bugs.webkit.org/show_bug.cgi?id=154486
3255
3256         Reviewed by Darin Adler.
3257
3258         This patch does several things:
3259         - Use std::unique_ptr to store ICU objects.
3260         - Pass Vector::size() to ICU functions that take a buffer size instead
3261           of Vector::capacity().
3262         - If U_SUCCESS(status) is true, it means there is no error, but there
3263           could be warnings. ICU functions ignore warnings. So, there is no need
3264           to reset status to U_ZERO_ERROR.
3265         - Remove the initialization of the String instance variables of
3266           IntlDateTimeFormat. These values are never read and cause unnecessary
3267           memory allocation.
3268         - Fix coding style.
3269         - Some small optimization.
3270
3271         * runtime/IntlCollator.cpp:
3272         (JSC::IntlCollator::UCollatorDeleter::operator()):
3273         (JSC::IntlCollator::createCollator):
3274         (JSC::IntlCollator::compareStrings):
3275         (JSC::IntlCollator::~IntlCollator): Deleted.
3276         * runtime/IntlCollator.h:
3277         * runtime/IntlDateTimeFormat.cpp:
3278         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
3279         (JSC::defaultTimeZone):
3280         (JSC::canonicalizeTimeZoneName):
3281         (JSC::toDateTimeOptionsAnyDate):
3282         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3283         (JSC::IntlDateTimeFormat::weekdayString):
3284         (JSC::IntlDateTimeFormat::format):
3285         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
3286         (JSC::localeData): Deleted.
3287         * runtime/IntlDateTimeFormat.h:
3288         * runtime/IntlDateTimeFormatConstructor.cpp:
3289         * runtime/IntlNumberFormatConstructor.cpp:
3290         * runtime/IntlObject.cpp:
3291         (JSC::numberingSystemsForLocale):
3292
3293 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
3294
3295         Remove arrowfunction test cases that rely on arguments variable in jsc
3296         https://bugs.webkit.org/show_bug.cgi?id=154517
3297
3298         Reviewed by Yusuke Suzuki.
3299
3300         Allow jsc to have the same behavior in JavaScript as the browser has
3301
3302         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
3303         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
3304
3305 2016-02-21  Brian Burg  <bburg@apple.com>
3306
3307         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
3308         https://bugs.webkit.org/show_bug.cgi?id=154508
3309         <rdar://problem/24759077>
3310
3311         Reviewed by Timothy Hatcher.
3312
3313         In preparation for being able to generate protocol files for WebKit2,
3314         make it possible to not emit generated code that's guarded by
3315         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
3316         backend dispatchers generated outside of JavaScriptCore. We can't just
3317         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
3318         in the configurations where the code is actually used.
3319
3320         Add a new opt-in Framework configuration option that turns on generating
3321         this code. Adjust how the code is generated so that it can be easily excluded.
3322
3323         * inspector/scripts/codegen/cpp_generator_templates.py:
3324         Make a separate template for the declarations that are guarded.
3325         Add an initializer expression so the order of initializers doesn't matter.
3326
3327         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3328         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
3329         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
3330         If the declarations are needed, they will be appended to the end of the
3331         declarations list.
3332
3333         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3334         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
3335         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
3336
3337         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
3338         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
3339
3340         Rebaseline affected tests.
3341
3342         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3343         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3344         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3345         * inspector/scripts/tests/expected/enum-values.json-result:
3346         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3347
3348 2016-02-21  Brian Burg  <bburg@apple.com>
3349
3350         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
3351         https://bugs.webkit.org/show_bug.cgi?id=154505
3352         <rdar://problem/24758042>
3353
3354         Reviewed by Timothy Hatcher.
3355
3356         It should be possible to generate code for a framework using some generators
3357         that other frameworks also use. Right now the generator selection code assumes
3358         that use of a generator is mutually exclusive among non-test frameworks.
3359
3360         Make this code explicitly switch on the framework. Reorder generators
3361         alpabetically within each case.
3362
3363         * inspector/scripts/generate-inspector-protocol-bindings.py:
3364         (generate_from_specification):
3365
3366         Rebaseline tests that are affected by generator reorderings.
3367
3368         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3369         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3370         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3371         * inspector/scripts/tests/expected/enum-values.json-result:
3372         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3373         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3374         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3375         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3376         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3377         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3378         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3379         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3380         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3381
3382 2016-02-19  Saam Barati  <sbarati@apple.com>
3383
3384         [ES6] Implement Proxy.[[Construct]]
3385         https://bugs.webkit.org/show_bug.cgi?id=154440
3386
3387         Reviewed by Oliver Hunt.
3388
3389         This patch is mostly an implementation of
3390         Proxy.[[Construct]] with respect to section 9.5.13
3391         of the ECMAScript spec.
3392         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
3393
3394         This patch also changes op_create_this to accept new.target's
3395         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
3396         because we might construct a JSFunction with a new.target being
3397         a Proxy. This will also be needed when we implement Reflect.construct.
3398
3399         * dfg/DFGOperations.cpp:
3400         * dfg/DFGSpeculativeJIT32_64.cpp:
3401         (JSC::DFG::SpeculativeJIT::compile):
3402         * dfg/DFGSpeculativeJIT64.cpp:
3403         (JSC::DFG::SpeculativeJIT::compile):
3404         * jit/JITOpcodes.cpp:
3405         (JSC::JIT::emit_op_create_this):
3406         (JSC::JIT::emitSlow_op_create_this):
3407         * jit/JITOpcodes32_64.cpp:
3408         (JSC::JIT::emit_op_create_this):
3409         (JSC::JIT::emitSlow_op_create_this):
3410         * llint/LLIntData.cpp:
3411         (JSC::LLInt::Data::performAssertions):
3412         * llint/LowLevelInterpreter.asm:
3413         * llint/LowLevelInterpreter32_64.asm:
3414         * llint/LowLevelInterpreter64.asm:
3415         * runtime/CommonSlowPaths.cpp:
3416         (JSC::SLOW_PATH_DECL):
3417         * runtime/ProxyObject.cpp:
3418         (JSC::ProxyObject::finishCreation):
3419         (JSC::ProxyObject::visitChildren):
3420         (JSC::performProxyConstruct):
3421         (JSC::ProxyObject::getConstructData):
3422         * runtime/ProxyObject.h:
3423         * tests/es6.yaml:
3424         * tests/stress/proxy-construct.js: Added.
3425         (assert):
3426         (throw.new.Error.let.target):
3427         (throw.new.Error):
3428         (assert.let.target):
3429         (assert.let.handler.get construct):
3430         (let.target):
3431         (let.handler.construct):
3432         (i.catch):
3433         (assert.let.handler.construct):
3434         (assert.let.construct):
3435         (assert.else.assert.let.target):
3436         (assert.else.assert.let.construct):
3437         (assert.else.assert):
3438         (new.proxy.let.target):
3439         (new.proxy.let.construct):
3440         (new.proxy):
3441
3442 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3443
3444         [INTL] Implement Number Format Functions
3445         https://bugs.webkit.org/show_bug.cgi?id=147605
3446
3447         Reviewed by Darin Adler.
3448
3449         This patch implements Intl.NumberFormat.prototype.format() according
3450         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
3451
3452         * runtime/IntlNumberFormat.cpp:
3453         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
3454         (JSC::IntlNumberFormat::initializeNumberFormat):
3455         (JSC::IntlNumberFormat::createNumberFormat):
3456         (JSC::IntlNumberFormat::formatNumber):
3457         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
3458         * runtime/IntlNumberFormat.h:
3459         * runtime/IntlNumberFormatPrototype.cpp:
3460         (JSC::IntlNumberFormatFuncFormatNumber):
3461
3462 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
3463
3464         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
3465         https://bugs.webkit.org/show_bug.cgi?id=154416
3466
3467         Reviewed by Geoff Garen.
3468
3469         Here's the bug. Suppose you call JSObject::getOwnProperty and -
3470           - PropertyName contains an index,
3471           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
3472           - The base of the access (or another object on the prototype chain) shadows that property.
3473
3474         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
3475         index, and as such walks up the prototype chain looking for non-index properties before it
3476         tries calling parseIndex.
3477
3478         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
3479         would potentially return the property) we may have already skipped over non-overriding
3480         objects that contain the property in index storage.
3481
3482         * runtime/JSObject.h:
3483         (JSC::JSObject::getOwnNonIndexPropertySlot):
3484             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
3485               added ASSERT guarding that this method never returns index properties -
3486               if it ever does, this is unsafe for getPropertySlot.
3487         (JSC::JSObject::getOwnPropertySlot):
3488             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
3489         (JSC::JSObject::getPropertySlot):
3490             - In case of object overriding getOwnPropertySlot check if propertyName is an index.
3491         (JSC::JSObject::getNonIndexPropertySlot):
3492             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
3493               in order to avoid repeated calls to parseIndex.
3494         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
3495             - this was renamed to getOwnNonIndexPropertySlot.
3496         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
3497             - this was folded back in to getPropertySlot.
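
        The shadowing scenario described in the entry above, as an added example
        that is not part of this ChangeLog or of JavaScriptCore's test suite. It
        builds a prototype chain whose top object is a String wrapper (assumed
        here to be one of the classes that expose index properties through an
        overridden getOwnPropertySlot), shadows index 0 on a plain object in the
        middle and on the base, and records what an index lookup must return at
        each step. The function name is mine; it runs under jsc or node.

```javascript
"use strict";

// Three-object chain: base -> middle -> exotic. The String wrapper exposes its
// characters as index properties ("0".."2"); the plain object in the middle
// and the base object shadow index 0 through ordinary index storage.
function indexLookupThroughChain() {
  const exotic = new String("abc");
  const middle = Object.create(exotic);
  const base = Object.create(middle);

  // String wrapper indices are non-writable and non-configurable, so plain
  // assignment (middle[0] = ...) would throw in strict mode; define instead.
  const exoticIndexWritable = Object.getOwnPropertyDescriptor(exotic, "0").writable;

  const fromExotic = base[0];              // "a": nothing shadows it yet

  Object.defineProperty(middle, "0", {
    value: "middle", writable: true, enumerable: true, configurable: true
  });
  const fromMiddle = base[0];              // must be "middle", not "a"

  Object.defineProperty(base, "0", {
    value: "base", writable: true, enumerable: true, configurable: true
  });
  const fromBase = base[0];                // own property wins

  delete base[0];
  const afterDelete = base[0];             // back to "middle"

  const unshadowed = base[1];              // "b": still reaches the wrapper
  const keyForms = base["0"] === base[0];  // "0" and 0 are the same key

  return { exoticIndexWritable, fromExotic, fromMiddle, fromBase, afterDelete, unshadowed, keyForms };
}
```

        Each returned value is what a conforming [[Get]] walk of the prototype
        chain must produce; an engine that skips the middle object's index
        storage on the way to the overriding object returns "a" for fromMiddle.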
3498
3499 2016-02-19  Saam Barati  <sbarati@apple.com>
3500
3501         [ES6] Implement Proxy.[[Call]]
3502         https://bugs.webkit.org/show_bug.cgi?id=154425
3503
3504         Reviewed by Mark Lam.
3505
3506         This patch is a straight forward implementation of
3507         Proxy.[[Call]] with respect to section 9.5.12
3508         of the ECMAScript spec.
3509         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
3510
3511         * runtime/ProxyObject.cpp:
3512         (JSC::ProxyObject::finishCreation):
3513         (JSC::performProxyGet):
3514         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3515         (JSC::ProxyObject::performHasProperty):
3516         (JSC::ProxyObject::getOwnPropertySlotByIndex):
3517         (JSC::performProxyCall):
3518         (JSC::ProxyObject::getCallData):
3519         (JSC::ProxyObject::visitChildren):
3520         * runtime/ProxyObject.h:
3521         (JSC::ProxyObject::create):
3522         * tests/es6.yaml:
3523         * tests/stress/proxy-call.js: Added.
3524         (assert):
3525         (throw.new.Error.let.target):
3526         (throw.new.Error.let.handler.apply):
3527         (throw.new.Error):
3528         (assert.let.target):
3529         (assert.let.handler.get apply):
3530         (let.target):
3531         (let.handler.apply):
3532         (i.catch):
3533         (assert.let.handler.apply):
3534
3535 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
3536
3537         Remove more LLVM related dead code after r196729
3538         https://bugs.webkit.org/show_bug.cgi?id=154387
3539
3540         Reviewed by Filip Pizlo.
3541
3542         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
3543         * Configurations/LLVMForJSC.xcconfig: Removed.
3544         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
3545         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
3546         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
3547         * JavaScriptCore.xcodeproj/project.pbxproj:
3548         * disassembler/X86Disassembler.cpp:
3549
3550 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
3551
3552         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
3553         https://bugs.webkit.org/show_bug.cgi?id=154442
3554
3555         Reviewed by Saam Barati.
3556
3557         * runtime/JSString.h:
3558         (JSC::isJSString):
3559
3560 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
3561
3562         Remove unused SymbolTable::createNameScopeTable
3563         https://bugs.webkit.org/show_bug.cgi?id=154443
3564
3565         Reviewed by Saam Barati.
3566
3567         * runtime/SymbolTable.h:
3568
3569 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
3570
3571         [JSC] Improve the instruction selection of Select
3572         https://bugs.webkit.org/show_bug.cgi?id=154432
3573
3574         Reviewed by Filip Pizlo.
3575
3576         Plenty of code but this patch is pretty dumb:
3577         -On ARM64: use the 3 operand form of CSEL instead of forcing a source
3578          to be aliased to the destination. This gives more freedom to the register
3579          allocator and it is one less Move to process per Select.
3580         -On x86, introduce a fake 3 operands form and use aggressive aliasing
3581          to try to alias both sources to the destination.
3582
3583          If aliasing succeeds on the "elseCase", the condition of the Select
3584          is reverted in the MacroAssembler.
3585
3586          If no aliasing is possible and we end up with 3 registers, the missing
3587          move instruction is generated by the MacroAssembler.
3588
3589          The missing move is generated after testing the values because the destination
3590          can use the same register as one of the test operand.
3591          Experimental testing seems to indicate there is no macro-fusion on CMOV, so
3592          there is no measurable cost to having the move there.
3593
3594         * assembler/MacroAssembler.h:
3595         (JSC::MacroAssembler::isInvertible):
3596         (JSC::MacroAssembler::invert):
3597         * assembler/MacroAssemblerARM64.h:
3598         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
3599         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
3600         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
3601         (JSC::MacroAssemblerARM64::moveConditionally32):
3602         (JSC::MacroAssemblerARM64::moveConditionally64):
3603         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
3604         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
3605         * assembler/MacroAssemblerX86Common.h:
3606         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
3607         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
3608         (JSC::MacroAssemblerX86Common::moveConditionally32):
3609         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
3610         (JSC::MacroAssemblerX86Common::invert):
3611         (JSC::MacroAssemblerX86Common::isInvertible):
3612         * assembler/MacroAssemblerX86_64.h:
3613         (JSC::MacroAssemblerX86_64::moveConditionally64):
3614         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
3615         * b3/B3LowerToAir.cpp:
3616         (JSC::B3::Air::LowerToAir::createSelect):
3617         (JSC::B3::Air::LowerToAir::lower):
3618         * b3/air/AirInstInlines.h:
3619         (JSC::B3::Air::Inst::shouldTryAliasingDef):
3620         * b3/air/AirOpcode.opcodes:
3621
3622 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
3623
3624         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
3625         https://bugs.webkit.org/show_bug.cgi?id=154430
3626
3627         Reviewed by Saam Barati.
3628
3629         llvm isn't used anymore.
3630
3631         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
3632
3633 2016-02-18  Saam Barati  <sbarati@apple.com>
3634
3635         Implement Proxy.[[HasProperty]]
3636         https://bugs.webkit.org/show_bug.cgi?id=154313
3637
3638         Reviewed by Filip Pizlo.
3639
3640         This patch is a straight forward implementation of
3641         Proxy.[[HasProperty]] with respect to section 9.5.7
3642         of the ECMAScript spec.
3643         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
3644
3645         * runtime/ProxyObject.cpp:
3646         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3647         (JSC::ProxyObject::performHasProperty):
3648         (JSC::ProxyObject::getOwnPropertySlotCommon):
3649         * runtime/ProxyObject.h:
3650         * tests/es6.yaml:
3651         * tests/stress/proxy-basic.js:
3652         (assert):
3653         (let.handler.has):
3654         * tests/stress/proxy-has-property.js: Added.
3655         (assert):
3656         (throw.new.Error.let.handler.get has):
3657         (throw.new.Error):
3658         (assert.let.handler.has):
3659         (let.handler.has):
3660         (getOwnPropertyDescriptor):
3661         (i.catch):
3662
3663 2016-02-18  Saam Barati  <sbarati@apple.com>
3664
3665         Proxies don't properly handle Symbols as PropertyKeys.
3666         https://bugs.webkit.org/show_bug.cgi?id=154385
3667
3668         Reviewed by Mark Lam and Yusuke Suzuki.
3669
3670         We were converting all PropertyKeys to strings, even when
3671         the PropertyName was a Symbol. In the spec, PropertyKeys are
3672         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
3673         Proxy.[[GetOwnProperty]].
3674
3675         * runtime/Completion.cpp:
3676         (JSC::profiledEvaluate):
3677         (JSC::createSymbolForEntryPointModule):
3678         (JSC::identifierToJSValue): Deleted.
3679         * runtime/Identifier.h:
3680         (JSC::parseIndex):
3681         * runtime/IdentifierInlines.h:
3682         (JSC::Identifier::fromString):
3683         (JSC::identifierToJSValue):
3684         (JSC::identifierToSafePublicJSValue):
3685         * runtime/ProxyObject.cpp:
3686         (JSC::performProxyGet):
3687         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3688         * tests/es6.yaml:
3689         * tests/stress/proxy-basic.js:
3690         (let.handler.getOwnPropertyDescriptor):
3691
3692 2016-02-18  Saam Barati  <sbarati@apple.com>
3693
3694         Follow up fix to Implement Proxy.[[GetOwnProperty]]
3695         https://bugs.webkit.org/show_bug.cgi?id=154314
3696
3697         Reviewed by Filip Pizlo.
3698
3699         Part of the implementation was broken because
3700         of how JSObject::getOwnPropertyDescriptor worked.
3701         I've fixed JSObject::getOwnPropertyDescriptor to
3702         be able to handle ProxyObject.
3703
3704         * runtime/JSObject.cpp:
3705         (JSC::JSObject::getOwnPropertyDescriptor):
3706         * runtime/ProxyObject.cpp:
3707         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3708         * tests/stress/proxy-get-own-property.js:
3709         (assert):
3710         (assert.let.handler.get getOwnPropertyDescriptor):
3711
3712 2016-02-18  Saam Barati  <sbarati@apple.com>
3713
3714         Implement Proxy.[[GetOwnProperty]]
3715         https://bugs.webkit.org/show_bug.cgi?id=154314
3716
3717         Reviewed by Filip Pizlo.
3718
3719         This patch implements Proxy.[[GetOwnProperty]].
3720         It's a straight forward implementation as described
3721         in section 9.5.5 of the specification:
3722         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
3723
3724         * runtime/FunctionPrototype.cpp:
3725         (JSC::functionProtoFuncBind):
3726         * runtime/JSObject.cpp:
3727         (JSC::validateAndApplyPropertyDescriptor):
3728         (JSC::JSObject::defineOwnNonIndexProperty):
3729         (JSC::JSObject::defineOwnProperty):
3730         (JSC::JSObject::getGenericPropertyNames):
3731         (JSC::JSObject::getMethod):
3732         * runtime/JSObject.h:
3733         (JSC::JSObject::butterflyAddress):
3734         (JSC::makeIdentifier):
3735         * runtime/ProxyObject.cpp:
3736         (JSC::performProxyGet):
3737         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3738         (JSC::ProxyObject::getOwnPropertySlotCommon):
3739         (JSC::ProxyObject::getOwnPropertySlot):
3740         (JSC::ProxyObject::getOwnPropertySlotByIndex):
3741         (JSC::ProxyObject::visitChildren):
3742         * runtime/ProxyObject.h:
3743         * tests/es6.yaml:
3744         * tests/stress/proxy-basic.js:
3745         (let.handler.get null):
3746         * tests/stress/proxy-get-own-property.js: Added.
3747         (assert):
3748         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
3749         (throw.new.Error):
3750         (let.handler.getOwnPropertyDescriptor):
3751         (i.catch):
3752         (assert.let.handler.getOwnPropertyDescriptor):
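
        The observable behavior implemented by the Proxy entries above
        (Proxy.[[Construct]], Proxy.[[Call]], Proxy.[[HasProperty]],
        Proxy.[[GetOwnProperty]] and Symbol property keys), as an added example
        that is not part of this ChangeLog or of JavaScriptCore's tests. Each
        function exercises one trap against the spec section the entry cites,
        including the invariant checks that make the engine throw a TypeError.
        Function names are mine; the script runs under any ES6-complete engine
        such as jsc or node.

```javascript
"use strict";

// [[Construct]] (9.5.13): the trap receives target, argument list and
// new.target. new.target is the proxy itself here, which is the
// "new.target that isn't a JSFunction" case the entry mentions. A trap
// result that is not an object makes the engine throw a TypeError.
function demoConstruct() {
  class Target { constructor(x) { this.x = x; } }
  let seenNewTarget = null;
  const P = new Proxy(Target, {
    construct(target, args, newTarget) {
      seenNewTarget = newTarget;
      return Reflect.construct(target, args, newTarget);
    }
  });
  const obj = new P(42);
  const bad = new Proxy(Target, { construct() { return 1; } });
  let nonObjectResultThrows = false;
  try { new bad(); } catch (e) { nonObjectResultThrows = e instanceof TypeError; }
  return {
    x: obj.x,
    newTargetIsProxy: seenNewTarget === P,
    isInstance: obj instanceof Target,
    nonObjectResultThrows
  };
}

// [[Call]] (9.5.12): the apply trap sees thisArg and the argument list.
// A proxy is only callable when its target is callable, trap or not.
function demoCall() {
  const add = (a, b) => a + b;
  const argCounts = [];
  const P = new Proxy(add, {
    apply(target, thisArg, args) {
      argCounts.push(args.length);
      return Reflect.apply(target, thisArg, args);
    }
  });
  const notCallable = new Proxy({}, { apply() { return 1; } });
  let nonCallableTargetThrows = false;
  try { notCallable(); } catch (e) { nonCallableTargetThrows = e instanceof TypeError; }
  return { sum: P(2, 3), viaCall: P.call(null, 10, 20), argCounts, nonCallableTargetThrows };
}

// [[HasProperty]] (9.5.7): a has trap may hide configurable properties, but
// reporting a non-configurable own property of the target as absent
// violates the invariant and throws.
function demoHas() {
  const target = { loose: 2 };
  Object.defineProperty(target, "fixed", { value: 1, configurable: false });
  const P = new Proxy(target, { has() { return false; } });
  const looseHidden = !("loose" in P);
  let invariantViolationThrows = false;
  try { "fixed" in P; } catch (e) { invariantViolationThrows = e instanceof TypeError; }
  return { looseHidden, invariantViolationThrows };
}

// [[GetOwnProperty]] (9.5.5): the same invariant applies when the
// getOwnPropertyDescriptor trap returns undefined.
function demoGetOwnProperty() {
  const target = { loose: 2 };
  Object.defineProperty(target, "fixed", { value: 1, configurable: false });
  const P = new Proxy(target, { getOwnPropertyDescriptor() { return undefined; } });
  const looseHidden = Object.getOwnPropertyDescriptor(P, "loose") === undefined;
  let invariantViolationThrows = false;
  try { Object.getOwnPropertyDescriptor(P, "fixed"); } catch (e) { invariantViolationThrows = e instanceof TypeError; }
  return { looseHidden, invariantViolationThrows };
}

// PropertyKeys are Strings or Symbols: traps must receive a Symbol key as a
// Symbol, never as its string form.
function demoSymbolKeys() {
  const sym = Symbol("secret");
  const seen = [];
  const P = new Proxy({ [sym]: 1, s: 2 }, {
    get(target, key, receiver) { seen.push(typeof key); return Reflect.get(target, key, receiver); },
    getOwnPropertyDescriptor(target, key) { seen.push(typeof key); return Reflect.getOwnPropertyDescriptor(target, key); }
  });
  const values = [P[sym], P.s, Object.getOwnPropertyDescriptor(P, sym).value];
  return { seen, values };
}
```

        The Reflect.* calls forward to the target so each trap stays a
        transparent observer; the invariant cases deliberately break that
        forwarding to show where the engine, not the handler, enforces the spec.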
3753
3754 2016-02-18  Andreas Kling  <akling@apple.com>
3755
3756         JSString resolution of substrings should use StringImpl sharing optimization.
3757         <https://webkit.org/b/154068>
3758         <rdar://problem/24629358>
3759
3760         Reviewed by Antti Koivisto.
3761
3762         When resolving a JSString that's actually a substring of another JSString,
3763         use the StringImpl sharing optimization to create a new string pointing into
3764         the parent one, instead of copying out the bytes of the string.
3765
3766         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
3767
3768         Another approach to this would be to induce GC far more frequently due to
3769         the added cost of copying out these substrings. It would reduce the risk
3770         of prolonging the life of strings only kept alive by substrings.
3771
3772         This patch chooses to trade that risk for less GC and lower peak memory.
3773
3774         * runtime/JSString.cpp:
3775         (JSC::JSRopeString::resolveRope):
3776
3777 2016-02-18  Chris Dumez  <cdumez@apple.com>
3778
3779         Crash on SES selftest page when loading the page while WebInspector is open
3780         https://bugs.webkit.org/show_bug.cgi?id=154378
3781         <rdar://problem/24713422>
3782
3783         Reviewed by Mark Lam.
3784
3785         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
3786         returns early again if it detects that getOwnPropertySlot() returns a
3787         non-own property. This check was removed in r196676 because we assumed that
3788         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
3789         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
3790         well.
3791
3792         Not having the check would lead to crashes when using the debugger because
3793         we would get a slot with the CustomAccessor attribute but getDirect() would
3794         then fail to return the property (because it is not an own property). We
3795         would then cast the value returned by getDirect() to a CustomGetterSetter*
3796         and dereference it.
3797
3798         * runtime/JSObject.cpp:
3799         (JSC::JSObject::getOwnPropertyDescriptor):
3800
3801 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
3802
3803         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
3804         for that.
3805
3806         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3807         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3808
3809 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
3810
3811         Unreviewed, fix CMake build. This got messed up when rebasing.
3812
3813         * CMakeLists.txt:
3814
3815 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
3816
3817         Fix the !ENABLE(DFG_JIT) build after r195865
3818         https://bugs.webkit.org/show_bug.cgi?id=154391
3819
3820         Reviewed by Filip Pizlo.
3821
3822         * runtime/SamplingProfiler.cpp:
3823         (JSC::tryGetBytecodeIndex):
3824
3825 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3826
3827         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
3828         https://bugs.webkit.org/show_bug.cgi?id=154383
3829
3830         Reviewed by Saam Barati.
3831
3832         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
3833
3834         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
3835           backend".
3836
3837         - Removed the reference because I found it to be dead. In some cases it was a dead
3838           comment: it was telling us things about what LLVM did and that's just not relevant
3839           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
3840
3841         - Edited the comment in some smart way. There were comments talking about what LLVM did
3842           that were still of interest. In some cases, I added a FIXME to consider changing the
3843           code below the comment on the grounds that it was written in a weird way to placate
3844           LLVM and so we can do it better now.
3845
3846         * CMakeLists.txt:
3847         * JavaScriptCore.xcodeproj/project.pbxproj:
3848         * dfg/DFGArgumentsEliminationPhase.cpp:
3849         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
3850         * dfg/DFGPlan.cpp:
3851         (JSC::DFG::Plan::compileInThread):
3852         (JSC::DFG::Plan::compileInThreadImpl):
3853         (JSC::DFG::Plan::compileTimeStats):
3854         * dfg/DFGPutStackSinkingPhase.cpp:
3855         * dfg/DFGSSAConversionPhase.h:
3856         * dfg/DFGStaticExecutionCountEstimationPhase.h:
3857         * dfg/DFGUnificationPhase.cpp:
3858         (JSC::DFG::UnificationPhase::run):
3859         * disassembler/ARM64Disassembler.cpp:
3860         (JSC::tryToDisassemble): Deleted.
3861         * disassembler/X86Disassembler.cpp:
3862         (JSC::tryToDisassemble):
3863         * ftl/FTLAbstractHeap.cpp:
3864         (JSC::FTL::IndexedAbstractHeap::initialize):
3865         * ftl/FTLAbstractHeap.h:
3866         * ftl/FTLFormattedValue.h:
3867         * ftl/FTLJITFinalizer.cpp:
3868         (JSC::FTL::JITFinalizer::finalizeFunction):
3869         * ftl/FTLLink.cpp:
3870         (JSC::FTL::link):
3871         * ftl/FTLLocation.cpp:
3872         (JSC::FTL::Location::restoreInto):
3873         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
3874         (JSC::FTL::DFG::ftlUnreachable):
3875         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
3876         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
3877         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
3878         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
3879         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
3880         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
3881         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
3882         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
3883         (JSC::FTL::lowerDFGToB3):
3884         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
3885         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
3886         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
3887         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
3888         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
3889         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
3890         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
3891         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
3892         (JSC::FTL::lowerDFGToLLVM): Deleted.
3893         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
3894         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
3895         * ftl/FTLLowerDFGToLLVM.h: Removed.
3896         * ftl/FTLOSRExitCompiler.cpp:
3897         (JSC::FTL::compileStub):
3898         * ftl/FTLWeight.h:
3899         (JSC::FTL::Weight::frequencyClass):
3900         (JSC::FTL::Weight::inverse):
3901         (JSC::FTL::Weight::scaleToTotal): Deleted.
3902         * ftl/FTLWeightedTarget.h:
3903         (JSC::FTL::rarely):
3904         (JSC::FTL::unsure):
3905         * jit/CallFrameShuffler64.cpp:
3906         (JSC::CallFrameShuffler::emitDisplace):
3907         * jit/RegisterSet.cpp:
3908         (JSC::RegisterSet::ftlCalleeSaveRegisters):
3909         * llvm: Removed.
3910         * llvm/InitializeLLVMLinux.cpp: Removed.
3911         * llvm/InitializeLLVMWin.cpp: Removed.
3912         * llvm/library: Removed.
3913         * llvm/library/LLVMTrapCallback.h: Removed.
3914         * llvm/library/libllvmForJSC.version: Removed.