RegExpExec/RegExpTest should not unconditionally speculate cell
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-03-02  Filip Pizlo  <fpizlo@apple.com>

        RegExpExec/RegExpTest should not unconditionally speculate cell
        https://bugs.webkit.org/show_bug.cgi?id=154901

        Reviewed by Benjamin Poulain.

        This is a three-part change. It all started with a simple goal: end the rage-recompiles in
        Octane/regexp by enabling the DFG and FTL to do untyped RegExpExec/RegExpTest. This keeps us
        in the optimized code when you do a regexp match on a number, for example.

        While implementing this, I realized that DFGOperations.cpp was bad at exception checking. When
        it did check for exceptions, it used exec->hadException() instead of vm.exception(). So I
        fixed that. I also made sure that the regexp operations checked for exceptions after doing
        toString().

        Unfortunately, the introduction of untyped RegExpExec/RegExpTest caused a regression on
        Octane/regexp. This was because we were simultaneously scheduling replacement and OSR compiles
        of some large functions with the FTL JIT. The OSR compiles were not useful. This was a
        regression from the previous changes to make OSR compiles happen sooner. The problem is that
        this change also removed the throttling of OSR compiles even in those cases where we suspect
        that replacement is more likely. This patch reintroduces that throttling, but only in the
        replacement path.

        This change ends up being neutral overall.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        * tests/stress/regexp-exec-effect-after-exception.js: Added.

2016-03-02  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
        https://bugs.webkit.org/show_bug.cgi?id=154947

        Reviewed by Filip Pizlo.

        This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.

        The problem was that JSCell_freeListNext and JSCell_structureID were
        considered as disjoint. When reordering instructions, the scheduler
        could move the write of the StructureID first to reduce dependencies.
        This would erase half of JSCell_freeListNext before we get a chance
        to load the value.

        This patch changes the hierarchy to make sure nothing is written
        until JSCell_freeListNext is processed.

        All credits for this patch go to Filip.

        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:

2016-03-02  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve Select of Doubles based on Double condition
        https://bugs.webkit.org/show_bug.cgi?id=154572

        Reviewed by Filip Pizlo.

        Octane has a bunch of Select on Double based on comparing Doubles.
        A few nodes generate that: ValueRep, Min, Max, etc.

        On ARM64, we can improve our code a lot. ARM can do a select
        based on flags with the FCSEL instruction.

        On x86, this patch adds aggressive aliasing for moveDoubleConditionallyXXX.
        This obviously has a much more limited impact.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::moveDoubleConditionally32): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionally64): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyTest32): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyTest64): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyDouble): Deleted.
        (JSC::MacroAssembler::moveDoubleConditionallyFloat): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyDouble):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyFloat):
        (JSC::MacroAssemblerARM64::moveConditionally32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest64):
        (JSC::MacroAssemblerARM64::branch64):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::moveConditionally32):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionally32):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionallyTest32):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionallyDouble):
        (JSC::MacroAssemblerX86Common::moveDoubleConditionallyFloat):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::moveDoubleConditionally64):
        (JSC::MacroAssemblerX86_64::moveDoubleConditionallyTest64):
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::populateWithInterestingValues):
        (JSC::B3::floatingPointOperands):
        (JSC::B3::int64Operands):
        (JSC::B3::int32Operands):
        (JSC::B3::testSelectCompareFloat):
        (JSC::B3::testSelectCompareFloatToDouble):
        (JSC::B3::testSelectDoubleCompareDouble):
        (JSC::B3::testSelectDoubleCompareDoubleWithAliasing):
        (JSC::B3::testSelectFloatCompareFloat):
        (JSC::B3::testSelectFloatCompareFloatWithAliasing):
        (JSC::B3::run):

2016-03-02  Joseph Pecoraro  <pecoraro@apple.com>

        Add ability to generate a Heap Snapshot
        https://bugs.webkit.org/show_bug.cgi?id=154847

        Reviewed by Mark Lam.

        This adds HeapSnapshot, HeapSnapshotBuilder, and HeapProfiler.

        HeapProfiler hangs off of the VM and holds the list of snapshots.
        I expect to add other HeapProfiling features, such as allocation
        tracking, to the profiler.

        HeapSnapshot contains a collection of live cells and their identifiers.
        It can point to a previous HeapSnapshot, to ensure that a cell that
        already received an identifier maintains the same identifier across
        multiple snapshots. When a snapshotted cell gets garbage collected,
        the cell will be swept from the HeapSnapshot at the end of collection
        to ensure the list contains only live cells.

        When building a HeapSnapshot, nodes are added in increasing node
        identifier order. When done building, the list of nodes is complete
        and the snapshot is finalized. At this point the nodes are sorted
        by JSCell* address to allow for quick lookup of a JSCell*.

        HeapSnapshotBuilder is where snapshotting begins. The builder
        will initiate a specialized heap snapshotting garbage collection.
        During this collection the builder will be notified of all marked
        (live) cells, and connections between cells, as seen by SlotVisitors.
        The builder can reference the previous, readonly, HeapSnapshots to
        avoid creating new nodes for cells that have already been snapshotted.
        When it is determined that we are visiting a live cell for the first
        time, we give the cell a unique identifier and add it to the
        snapshot we are building.

        Since edge data is costly, and of little long term utility, this
        data is only held by the builder for serialization, and not stored
        long term with the HeapSnapshot node data.

        The goals of HeapSnapshotting at this time are:
        - minimal impact on performance when not profiling the heap
        - unique identifier for cells, so they may be identified across multiple snapshots
        - nodes and edges to be able to construct a graph of which nodes reference/retain which other nodes
        - node data - identifier, type (class name), size
        - edge data - from cell, to cell, type / data (to come in a follow-up patch)

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Add new files to the build.

        * heap/Heap.cpp:
        (JSC::Heap::isHeapSnapshotting):
        (JSC::RemoveDeadHeapSnapshotNodes::RemoveDeadHeapSnapshotNodes):
        (JSC::RemoveDeadHeapSnapshotNodes::operator()):
        (JSC::Heap::removeDeadHeapSnapshotNodes):
        (JSC::Heap::collectImpl):
        After every collection, sweep dead cells from in memory snapshots.

        * runtime/VM.cpp:
        (JSC::VM::ensureHeapProfiler):
        * runtime/VM.h:
        (JSC::VM::heapProfiler):
        * heap/Heap.h:
        * heap/HeapProfiler.cpp: Added.
        (JSC::HeapProfiler::HeapProfiler):
        (JSC::HeapProfiler::~HeapProfiler):
        (JSC::HeapProfiler::mostRecentSnapshot):
        (JSC::HeapProfiler::appendSnapshot):
        (JSC::HeapProfiler::clearSnapshots):
        (JSC::HeapProfiler::setActiveSnapshotBuilder):
        * heap/HeapProfiler.h: Added.
        (JSC::HeapProfiler::vm):
        (JSC::HeapProfiler::activeSnapshotBuilder):
        VM and Heap can look at the profiler to determine if we are building a
        snapshot, or the "head" snapshot to use for sweeping.

        * heap/HeapSnapshot.cpp: Added.
        (JSC::HeapSnapshot::HeapSnapshot):
        (JSC::HeapSnapshot::~HeapSnapshot):
        (JSC::HeapSnapshot::appendNode):
        Add a node to the unfinalized list of new cells.

        (JSC::HeapSnapshot::sweepCell):
        (JSC::HeapSnapshot::shrinkToFit):
        Collect a list of cells for sweeping and then remove them all at once
        in shrinkToFit. This is done to avoid thrashing of individual removes
        that could cause many overlapping moves within the Vector.

        (JSC::HeapSnapshot::finalize):
        Sort the list, and also cache the bounding start/stop identifiers.
        No other snapshot can contain an identifier in this range, so it will
        improve lookup of a node from an identifier.

        (JSC::HeapSnapshot::nodeForCell):
        (JSC::HeapSnapshot::nodeForObjectIdentifier):
        Search helpers.

        * heap/HeapSnapshotBuilder.h: Added.
        (JSC::HeapSnapshotNode::HeapSnapshotNode):
        (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
        Node and Edge struct types the builder creates.

        * heap/HeapSnapshotBuilder.cpp: Added.
        (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
        (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
        (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
        (JSC::HeapSnapshotBuilder::buildSnapshot):
        (JSC::HeapSnapshotBuilder::appendNode):
        (JSC::HeapSnapshotBuilder::appendEdge):
        When building the snapshot, generating the next identifier, and
        appending to any of the lists must be guarded by a lock because
        SlotVisitors running in parallel may be accessing the builder.

        (JSC::HeapSnapshotBuilder::hasExistingNodeForCell):
        Looking up if a node already exists in a previous snapshot can be
        done without a lock because at this point the data is readonly.

        (JSC::edgeTypeToNumber):
        (JSC::edgeTypeToString):
        (JSC::HeapSnapshotBuilder::json):
        JSON serialization of a heap snapshot contains node and edge data.

        * heap/SlotVisitor.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        Set/clear the active snapshot builder to know if this will be a
        snapshotting GC or not.

        (JSC::SlotVisitor::append):
        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
        Inform the builder of a new node or edge.

        (JSC::SlotVisitor::visitChildren):
        Remember the current cell we are visiting so that if we need to
        inform the builder of edges we know the "from" cell.

        * jsc.cpp:
        (SimpleObject::SimpleObject):
        (SimpleObject::create):
        (SimpleObject::finishCreation):
        (SimpleObject::visitChildren):
        (SimpleObject::createStructure):
        (SimpleObject::hiddenValue):
        (SimpleObject::setHiddenValue):
        Create a new class "SimpleObject" that can be used by heap snapshotting
        tests. It is easy to filter for this new class name and test internal
        edge relationships created by garbage collection visiting the cell.

        (functionCreateSimpleObject):
        (functionGetHiddenValue):
        (functionSetHiddenValue):
        Expose methods to create and interact with a SimpleObject.

        (functionGenerateHeapSnapshot):
        Expose methods to create a heap snapshot. This currently automatically
        turns the serialized string into a JSON object. That may change.

        * tests/heapProfiler.yaml: Added.
        * tests/heapProfiler/basic-edges.js: Added.
        (excludeStructure):
        * tests/heapProfiler/basic-nodes.js: Added.
        (hasDifferentSizeNodes):
        (hasAllInternalNodes):
        Add tests for basic node and edge data.

        * tests/heapProfiler/driver/driver.js: Added.
        (assert):
        (CheapHeapSnapshotNode):
        (CheapHeapSnapshotEdge):
        (CheapHeapSnapshotEdge.prototype.get from):
        (CheapHeapSnapshotEdge.prototype.get to):
        (CheapHeapSnapshot):
        (CheapHeapSnapshot.prototype.get nodes):
        (CheapHeapSnapshot.prototype.get edges):
        (CheapHeapSnapshot.prototype.nodeWithIdentifier):
        (CheapHeapSnapshot.prototype.nodesWithClassName):
        (CheapHeapSnapshot.prototype.classNameFromTableIndex):
        (CheapHeapSnapshot.prototype.edgeTypeFromTableIndex):
        (createCheapHeapSnapshot):
        (HeapSnapshotNode):
        (HeapSnapshotEdge):
        (HeapSnapshot):
        (HeapSnapshot.prototype.nodesWithClassName):
        (createHeapSnapshot):
        Add two HeapSnapshot representations.
        CheapHeapSnapshot creates two lists of node and edge data that
        lazily creates objects as needed.
        HeapSnapshot creates an object for each node and edge. This
        is wasteful but easier to use.

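The heap-snapshot entry above describes a design rather than showing it: identifiers handed out once and reused across snapshots via a chain of read-only predecessors, edges kept only by the builder, bounding identifiers per snapshot to speed up lookup by id, and a sweep after each collection that drops dead cells. The following is an added example, not JavaScriptCore code: a plain-JS model of that design in which ordinary objects stand in for JSCells, a Map keyed on object identity stands in for the address-sorted node vector, and a depth-first walk from a constructed root set stands in for the marking GC that reports cells and edges to the builder. The class and function names mirror the entry but are this example's own.

```javascript
// Added example (not JavaScriptCore code): a model of HeapProfiler /
// HeapSnapshot / HeapSnapshotBuilder as described in the ChangeLog entry.

class HeapProfiler {
  constructor() { this.snapshots = []; this.nextId = 1; }
  mostRecentSnapshot() { return this.snapshots[this.snapshots.length - 1] || null; }
}

class HeapSnapshot {
  constructor(previous) {
    this.previous = previous;   // older, read-only snapshot (or null)
    this.nodes = new Map();     // cell -> { id, className }; stands in for the sorted Vector
    this.firstId = Infinity;    // bounding identifiers, cached by finalize()
    this.lastId = -Infinity;
  }
  appendNode(cell, id, className) { this.nodes.set(cell, { id, className }); }
  finalize() {
    for (const { id } of this.nodes.values()) {
      if (id < this.firstId) this.firstId = id;
      if (id > this.lastId) this.lastId = id;
    }
  }
  // A cell keeps the identifier it was first given: search the whole chain.
  nodeForCell(cell) {
    for (let s = this; s; s = s.previous) {
      const node = s.nodes.get(cell);
      if (node) return node;
    }
    return null;
  }
  // Identifier ranges of snapshots are disjoint, so skip snapshots by range.
  nodeForObjectIdentifier(id) {
    for (let s = this; s; s = s.previous) {
      if (id < s.firstId || id > s.lastId) continue;
      for (const node of s.nodes.values()) if (node.id === id) return node;
    }
    return null;
  }
  // After a collection, remove cells that did not survive, all the way back.
  sweepDead(isLive) {
    for (const cell of [...this.nodes.keys()]) if (!isLive(cell)) this.nodes.delete(cell);
    if (this.previous) this.previous.sweepDead(isLive);
  }
}

// The builder: a marking walk that gives a fresh identifier only to cells no
// earlier snapshot has seen, and records edges separately from node data.
function buildSnapshot(profiler, roots) {
  const snapshot = new HeapSnapshot(profiler.mostRecentSnapshot());
  const edges = [];            // { from, to } identifiers; serialization only
  const marked = new Set();    // the "live" set of this collection

  const idOf = (cell) => {
    const existing = snapshot.nodeForCell(cell);   // read-only data, no lock needed
    if (existing) return existing.id;
    const id = profiler.nextId++;                  // in JSC this step is lock-guarded
    snapshot.appendNode(cell, id, (cell.constructor && cell.constructor.name) || 'Object');
    return id;
  };

  const stack = [...roots];
  while (stack.length) {
    const cell = stack.pop();
    if (marked.has(cell)) continue;
    marked.add(cell);
    const from = idOf(cell);
    for (const child of Object.values(cell)) {     // the "visitChildren" of this model
      if (child === null || typeof child !== 'object') continue;
      edges.push({ from, to: idOf(child) });
      stack.push(child);
    }
  }
  snapshot.finalize();
  profiler.snapshots.push(snapshot);
  return { snapshot, edges, isLive: (cell) => marked.has(cell) };
}
```

Two consequences of the design show up directly: a cell that was already snapshotted is not appended to the new snapshot at all (only its edges are re-reported), so identifiers are stable and new ones are strictly increasing; and sweeping has to walk the entire chain, since a dead cell may live in any older snapshot.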
2016-03-02  Filip Pizlo  <fpizlo@apple.com>

        RegExpPrototype should check for exceptions after calling toString and doing so should not be expensive
        https://bugs.webkit.org/show_bug.cgi?id=154927

        Reviewed by Saam Barati.

        While working on regexp optimizations, I found that RegExpPrototype calls toString(), an
        effectful operation that could do anything, without then checking for hadException().

        So I added a call to hadException().

        But that regressed Octane/regexp by 5%!  That's a lot!  It turns out that
        exec->hadException() is soooper slow. So, I made it cheaper to check for exceptions from
        toString(): there is now a variant called toStringFast() that returns null iff it throws an
        exception.

        This allowed me to add the exception check without regressing perf.

        Note that toString() must retain its old behavior of returning an empty string on exception.
        There is just too much code that relies on that behavior.

        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::isValidCallee):
        (JSC::JSValue::toStringSlowCase):
        (JSC::JSValue::toWTFStringSlowCase):
        * runtime/JSCJSValue.h:
        (JSC::JSValue::asValue):
        * runtime/JSString.h:
        (JSC::JSValue::toString):
        (JSC::JSValue::toStringFast):
        (JSC::JSValue::toWTFString):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):

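The two regexp entries above (untyped RegExpExec/RegExpTest, and the exception check after toString in RegExpPrototype) are about one observable contract: RegExp.prototype.exec and .test call ToString on their argument, which may be a harmless number or an object whose toString() runs arbitrary script and throws. An engine that fails to check for the exception would continue with an empty string and could still mutate lastIndex. The script below is an added example, not WebKit code or the patch's stress test; the `poison` object and the sentinel lastIndex value are constructed for the demonstration.

```javascript
// Added example (not WebKit code): the behaviour that the two regexp entries
// above are protecting, as seen from script.

// A non-string argument: the engine must coerce it, not bail out.
function matchNumber() {
  const re = /^12(3)$/;
  const m = re.exec(123);                     // ToString(123) === "123"
  return { tested: /3/.test(123), group: m && m[1] };
}

// An argument whose toString() throws. ToString runs before lastIndex is read
// or written, so a correct engine propagates the error and leaves the RegExp
// untouched: lastIndex keeps its sentinel value.
function throwingToStringProbe(kind) {
  const re = /a/g;
  re.lastIndex = 7;                           // sentinel; must survive the throw
  const poison = { toString() { throw new Error('toString ran'); } };
  let threw = 'none';
  try {
    if (kind === 'exec') re.exec(poison);
    else re.test(poison);
  } catch (e) {
    threw = e.message;
  }
  return { threw, lastIndex: re.lastIndex };
}

// ToString itself can throw without any user code: Symbols are not convertible.
function symbolArgument() {
  try { /a/.test(Symbol('s')); return 'none'; }
  catch (e) { return e.constructor.name; }
}
```

The second probe is the script-level version of what a "check for exception after toString" guards against: the effectful call happens first, and every side effect of the match (here, the lastIndex update) must be skipped once it has thrown.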
2016-03-02  Saam barati  <sbarati@apple.com>

        clean up JSObject::isExtensibleInline and JSObject::setPrototypeOfInline, and rename setPrototypeOf to setPrototype
        https://bugs.webkit.org/show_bug.cgi?id=154942

        Reviewed by Benjamin Poulain.

        These don't need to be inlined in the way they are.
        Doing dynamic dispatch is OK performance-wise until
        we have evidence stating otherwise.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        * runtime/ClassInfo.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        * runtime/JSCell.cpp:
        (JSC::JSCell::isExtensible):
        (JSC::JSCell::setPrototype):
        (JSC::JSCell::setPrototypeOf): Deleted.
        * runtime/JSCell.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::allowsAccessFrom):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::setPrototypeOf): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::mayInterceptIndexedAccesses):
        (JSC::JSObject::indexingShouldBeSparse):
        (JSC::JSObject::setPrototypeOfInline): Deleted.
        (JSC::JSObject::isExtensibleInline): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):

2016-03-02  Konstantin Tokarev  <annulen@yandex.ru>

        [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
        https://bugs.webkit.org/show_bug.cgi?id=154651

        Reviewed by Alex Christensen.

        * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.

2016-03-02  Saam barati  <sbarati@apple.com>

        [[SetPrototypeOf]] should be a fully virtual method in ClassInfo::methodTable
        https://bugs.webkit.org/show_bug.cgi?id=154897

        Reviewed by Filip Pizlo.

        This patch makes us more consistent with how the ES6 specification models the
        [[SetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable
        is a prerequisite for implementing Proxy.[[SetPrototypeOf]]. This patch
        still allows directly setting the prototype for situations where this
        is the desired behavior. This is equivalent to setting the internal
        [[Prototype]] field as described in the specification.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        * API/JSWrapperMap.mm:
        (makeWrapper):
        * runtime/ClassInfo.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        * runtime/JSCell.cpp:
        (JSC::JSCell::isExtensible):
        (JSC::JSCell::setPrototypeOf):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resetPrototype):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::setPrototypeOf):
        (JSC::JSObject::allowsAccessFrom):
        (JSC::JSObject::setPrototype): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::setPrototypeOfInline):
        (JSC::JSObject::mayInterceptIndexedAccesses):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectSetPrototypeOf):

2016-03-02  Saam barati  <sbarati@apple.com>

        SIGSEGV in Proxy [[Get]] and [[Set]] recursion
        https://bugs.webkit.org/show_bug.cgi?id=154854

        Reviewed by Yusuke Suzuki.

        We need to be aware of the possibility that the VM
        may recurse and that we can stack overflow.

        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performPut):
        * tests/stress/proxy-get-and-set-recursion-stack-overflow.js: Added.
        (assert):
        (testStackOverflowGet):
        (testStackOverflowIndexedGet):
        (testStackOverflowSet):
        (testStackOverflowIndexedSet):

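The Proxy recursion described above is reachable from any script: a `get` or `set` trap that reads from or writes to its `receiver` re-enters the proxy itself, so the engine recurses through native [[Get]]/[[Set]] until the stack is exhausted. The fix is that the engine checks the stack and throws a RangeError rather than faulting. Below is an added example, not WebKit code or the patch's stress test, covering the four shapes the test names (named and indexed get, named and indexed set) alongside the non-recursive way to forward a trap with Reflect.

```javascript
// Added example (not WebKit code): Proxy traps that re-enter the proxy, which
// an engine must turn into a catchable RangeError, next to the forwarding
// pattern that does not recurse.

// Both traps touch `receiver`, which is the proxy itself: every access
// re-enters the same trap, with no base case.
function recursiveProxy() {
  return new Proxy({}, {
    get(target, property, receiver) { return receiver[property]; },
    set(target, property, value, receiver) { receiver[property] = value; return true; },
  });
}

// The safe shape: Reflect.get/Reflect.set operate on `target`, so the
// proxy is not re-entered even though `receiver` is passed along.
function forwardingProxy() {
  return new Proxy({ foo: 42 }, {
    get(target, property, receiver) { return Reflect.get(target, property, receiver); },
    set(target, property, value, receiver) { return Reflect.set(target, property, value, receiver); },
  });
}

// Runs `action` against a fresh recursive proxy and reports how it ended:
// 'none' if it returned, otherwise the name of the error class thrown.
function probe(action) {
  try { action(recursiveProxy()); return 'none'; }
  catch (e) { return e.constructor.name; }
}

function probeAll() {
  return {
    get:        probe(p => p.foo),        // [[Get]] with a named key
    indexedGet: probe(p => p[0]),         // [[Get]] with an index key
    set:        probe(p => { p.foo = 1; }), // [[Set]] with a named key
    indexedSet: probe(p => { p[0] = 1; }),  // [[Set]] with an index key
  };
}
```

Every probe must end in `RangeError`, never a crash and never `none`; the forwarding proxy, by contrast, returns 42 for `foo` and accepts writes. When auditing engine-side code that calls back into script (here a Proxy trap), the question to ask is exactly the one the entry raises: can this path recurse, and is the stack checked before it does.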
2016-03-02  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Use a Move without REX byte when possible
        https://bugs.webkit.org/show_bug.cgi?id=154801

        Reviewed by Alex Christensen.

        Filip wrote an optimization in the register allocator
        to use 32-bit "Move" when we don't care about the top bytes.

        When I moved the commutative ops to the fake 3-operand instruction
        I largely destroyed this since all the "Moves" became full register.

        In this patch, I switch back to 32-bit "Moves" for 32-bit operations.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and32):
        (JSC::MacroAssemblerX86Common::lshift32):
        (JSC::MacroAssemblerX86Common::mul32):
        (JSC::MacroAssemblerX86Common::or32):
        (JSC::MacroAssemblerX86Common::rshift32):
        (JSC::MacroAssemblerX86Common::urshift32):
        (JSC::MacroAssemblerX86Common::xor32):
        (JSC::MacroAssemblerX86Common::branchAdd32):
        (JSC::MacroAssemblerX86Common::branchMul32):
        (JSC::MacroAssemblerX86Common::branchSub32):
        (JSC::MacroAssemblerX86Common::move32IfNeeded):

2016-03-01  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Simplify ArithMod(ArithMod(x, const1), const2) if const2 >= const1
        https://bugs.webkit.org/show_bug.cgi?id=154904

        Reviewed by Saam Barati.

        The ASM test "ubench" has a "x % 10 % 255".
        The second modulo should be eliminated.

        This is a 15% improvement on ASMJS' ubench.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * tests/stress/arith-modulo-twice.js: Added.
        (opaqueModuloSmaller):
        (opaqueModuloEqual):
        (opaqueModuloLarger):
        (opaqueModuloSmallerNeg):
        (opaqueModuloEqualNeg):
        (opaqueModuloLargerNeg):
        (opaqueExpectedOther):

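A strength reduction like the one above is only sound if the identity it relies on holds for every input the JIT can see, including the sign-carrying cases JavaScript's `%` produces (a negative dividend gives a negative or -0 result). For integer x and positive constants c1 <= c2, `(x % c1) % c2` equals `x % c1` because the magnitude of `x % c1` is already below c1, so the second modulo changes nothing; when c2 < c1 the outer modulo is not redundant. The checker below is an added example, not the patch's stress test or DFG code; it compares the two forms exhaustively over a window of integers and distinguishes -0 from +0 with Object.is, which a JIT must preserve.

```javascript
// Added example (not WebKit code): checks the premise behind folding
// ArithMod(ArithMod(x, c1), c2) to ArithMod(x, c1) when c2 >= c1.

function modTwice(x, c1, c2) { return (x % c1) % c2; }   // the unreduced form
function modOnce(x, c1) { return x % c1; }               // what the JIT folds it to

// The condition the ChangeLog entry states, for positive integer constants.
function outerModIsRedundant(c1, c2) {
  return Number.isInteger(c1) && Number.isInteger(c2) && c1 > 0 && c2 >= c1;
}

// Exhaustively compare both forms for x in [-range, range]. Object.is makes
// the comparison sensitive to -0, so e.g. -10 % 10 === -0 must survive.
function verify(c1, c2, range = 1000) {
  for (let x = -range; x <= range; x++) {
    const a = modTwice(x, c1, c2);
    const b = modOnce(x, c1);
    if (!Object.is(a, b)) return { ok: false, x, unreduced: a, reduced: b };
  }
  return { ok: true };
}

// Sweep a grid of constants and confirm the stated condition predicts exactly
// when the two forms agree. Returns the first (c1, c2) pair where it does not.
function conditionMatchesReality(maxConst = 16) {
  for (let c1 = 1; c1 <= maxConst; c1++) {
    for (let c2 = 1; c2 <= maxConst; c2++) {
      if (verify(c1, c2, 200).ok !== outerModIsRedundant(c1, c2)) return { c1, c2 };
    }
  }
  return null;
}
```

`verify(10, 255)` and `verify(10, 10)` pass, `verify(10, 3)` fails as soon as `x % 10` lands in the range 3 to 9 (or -9 to -3), and the grid sweep reports no constant pair where the stated condition disagrees with the exhaustive check.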
2016-03-01  Ryosuke Niwa  <rniwa@webkit.org>

        Unreviewed. Update the status of Proxy objects to "In Development".

        * features.json:

2016-03-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r197226 and r197256.
        https://bugs.webkit.org/show_bug.cgi?id=154910

        Caused crashes on Mac 32-bit and on ARM (Requested by ap on
        #webkit).

        Reverted changesets:

        "Remove the on demand executable allocator"
        https://bugs.webkit.org/show_bug.cgi?id=154749
        http://trac.webkit.org/changeset/197226

        "CLoop build fix."
        http://trac.webkit.org/changeset/197256

2016-03-01  Joseph Pecoraro  <pecoraro@apple.com>

        Simplify some StringBuilder appends
        https://bugs.webkit.org/show_bug.cgi?id=154902

        Reviewed by Mark Lam.

        * runtime/ExceptionHelpers.cpp:
        (JSC::notAFunctionSourceAppender):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        Use StringBuilder::append(char) instead of append(char*) where possible.

2016-03-01  Keith Miller  <keith_miller@apple.com>

        Promise.prototype.then should use Symbol.species to construct the return Promise
        https://bugs.webkit.org/show_bug.cgi?id=154862

        Reviewed by Saam Barati.

        * builtins/PromisePrototype.js:
        * tests/stress/promise-species-functions.js: Added.
        (Symbol.species):
        (id):
        (funcThrows):
        (makeC):
        (test.species):
        (test.speciesThrows):
        (test):

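The entry above only names the change; what it means in script is that `then` constructs its derived promise with SpeciesConstructor(this, %Promise%), so a subclass can redirect that construction, and the species getter and constructor it names run user code synchronously inside `then`. The following is an added example, not WebKit code or the patch's stress test; the three subclasses are constructed for the demonstration.

```javascript
// Added example (not WebKit code): how Symbol.species steers the promise that
// Promise.prototype.then returns.

// Inherits Promise's default species getter (`return this`), so derived
// promises are again TrackedPromise instances.
class TrackedPromise extends Promise {}

// Redirects species to %Promise%: derived promises are plain Promises even
// though the receiver is a subclass instance.
class PlainResultPromise extends Promise {
  static get [Symbol.species]() { return Promise; }
}

// A species constructor that throws: because `then` calls it synchronously
// (via NewPromiseCapability), the error escapes from `then` itself rather
// than rejecting the derived promise.
class ThrowingSpeciesPromise extends Promise {
  static get [Symbol.species]() {
    return function SpeciesTrap() { throw new Error('species called'); };
  }
}

function classify() {
  const tracked = TrackedPromise.resolve(1).then(x => x);
  const plain = PlainResultPromise.resolve(1).then(x => x);
  let thrown = 'none';
  try { ThrowingSpeciesPromise.resolve(1).then(x => x); }
  catch (e) { thrown = e.message; }
  return {
    trackedIsSubclass: tracked instanceof TrackedPromise,
    plainIsSubclass: plain instanceof PlainResultPromise,
    plainIsPromise: plain instanceof Promise,
    thrown,
  };
}
```

Note that `Promise.resolve` does not consult species (it uses `this` directly), which is why `PlainResultPromise.resolve(1)` is still a subclass instance while its `then` result is not. The third case is the one an engine has to be careful with: the species lookup and the constructor call are effectful operations inside a builtin, and a thrown exception there must propagate out of `then` without leaving a half-built derived promise behind.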
2016-03-01  Michael Saboff  <msaboff@apple.com>

        [ES6] Add support for Unicode regular expressions
        https://bugs.webkit.org/show_bug.cgi?id=154842

        Reviewed by Filip Pizlo.

        Added processing of Unicode regular expressions to the Yarr interpreter.

        Changed parsing of regular expression patterns and PatternTerms to process characters as
        UChar32 in the Yarr code.  The parser converts matched surrogate pairs into the appropriate
        Unicode character when the expression is parsed.  When matching a unicode expression and
        reading source characters, we convert a proper surrogate pair into a Unicode character and
        advance the source cursor, "pos", one more position.  The exception to this is when we
        know when generating a fixed character atom that we need to match a unicode character
        that doesn't fit in 16 bits.  The code calls this an extendedUnicodeCharacter and has a
        helper to determine this.

        Added 'u' flag and 'unicode' identifier to regular expression classes.  Added an "isUnicode"
        parameter to YarrPattern pattern() and internal users of that function.

        Updated the generation of the canonicalization tables to include a new set of tables that
        follow the ES 6.0, 21.2.2.8.2 Step 2.  Renamed the YarrCanonicalizeUCS2.* files to
        YarrCanonicalizeUnicode.*.

        Added a new Layout/js test that tests the added functionality.  Updated other tests that
        have minor es6 unicode checks and look for valid flags.

        Ran the ChakraCore Unicode regular expression tests as well.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):
        * yarr/RegularExpression.cpp:
        (JSC::Yarr::RegularExpression::Private::compile):
        Updated use of pattern().

        * runtime/CommonIdentifiers.h:
        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        (JSC::RegExpFunctionalTestCollector::outputOneTest):
        (JSC::RegExp::finishCreation):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExp.h:
        * runtime/RegExpKey.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        (JSC::flagsString):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterFlags):
        Updated for new 'y' (unicode) flag.  Add check to use the interpreter for unicode regular expressions.

        * tests/es6.yaml:
        * tests/stress/static-getter-in-names.js:
        Updated tests for new flag and for passing the minimal es6 regular expression processing.

        * yarr/Yarr.h: Updated the size of information now kept for backtracking.

        * yarr/YarrCanonicalizeUCS2.cpp: Removed.
        * yarr/YarrCanonicalizeUCS2.h: Removed.
        * yarr/YarrCanonicalizeUCS2.js: Removed.
        * yarr/YarrCanonicalizeUnicode.cpp: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.cpp.
        * yarr/YarrCanonicalizeUnicode.h: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.h.
        (JSC::Yarr::canonicalCharacterSetInfo):
        (JSC::Yarr::canonicalRangeInfoFor):
        (JSC::Yarr::getCanonicalPair):
        (JSC::Yarr::isCanonicallyUnique):
        (JSC::Yarr::areCanonicallyEquivalent):
        (JSC::Yarr::rangeInfoFor): Deleted.
        * yarr/YarrCanonicalizeUnicode.js: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.js.
        (printHeader):
        (printFooter):
        (hex):
        (canonicalize):
        (canonicalizeUnicode):
        (createUCS2CanonicalGroups):
        (createUnicodeCanonicalGroups):
        (cu.in.groupedCanonically.characters.sort): Deleted.
        (cu.in.groupedCanonically.else): Deleted.
        Refactored to output two sets of tables, one for UCS2 and one for Unicode.  The UCS2 tables follow
        the legacy canonicalization rules now specified in ES 6.0, 21.2.2.8.2 Step 3.  The new Unicode
        tables follow the rules specified in ES 6.0, 21.2.2.8.2 Step 2.  Eliminated the unused Latin1 tables.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::InputStream::InputStream):
        (JSC::Yarr::Interpreter::InputStream::readChecked):
        (JSC::Yarr::Interpreter::InputStream::readSurrogatePairChecked):
        (JSC::Yarr::Interpreter::InputStream::reread):
        (JSC::Yarr::Interpreter::InputStream::prev):
        (JSC::Yarr::Interpreter::testCharacterClass):
        (JSC::Yarr::Interpreter::checkCharacter):
        (JSC::Yarr::Interpreter::checkSurrogatePair):
        (JSC::Yarr::Interpreter::checkCasedCharacter):
        (JSC::Yarr::Interpreter::tryConsumeBackReference):
        (JSC::Yarr::Interpreter::backtrackPatternCharacter):
        (JSC::Yarr::Interpreter::matchCharacterClass):
        (JSC::Yarr::Interpreter::backtrackCharacterClass):
        (JSC::Yarr::Interpreter::matchParenthesesTerminalEnd):
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::ByteCompiler::assertionWordBoundary):
        (JSC::Yarr::ByteCompiler::atomPatternCharacter):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteTerm::ByteTerm):
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::optimizeAlternative):
        (JSC::Yarr::YarrGenerator::matchCharacterClassRange):
        (JSC::Yarr::YarrGenerator::matchCharacterClass):
        (JSC::Yarr::YarrGenerator::notAtEndOfInput):
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
718         * yarr/YarrParser.h:
719         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
720         (JSC::Yarr::Parser::Parser):
721         (JSC::Yarr::Parser::parseEscape):
722         (JSC::Yarr::Parser::consumePossibleSurrogatePair):
723         (JSC::Yarr::Parser::parseCharacterClass):
724         (JSC::Yarr::Parser::parseTokens):
725         (JSC::Yarr::Parser::parse):
726         (JSC::Yarr::Parser::atEndOfPattern):
727         (JSC::Yarr::Parser::patternRemaining):
728         (JSC::Yarr::Parser::peek):
729         (JSC::Yarr::parse):
730         * yarr/YarrPattern.cpp:
731         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
732         (JSC::Yarr::CharacterClassConstructor::append):
733         (JSC::Yarr::CharacterClassConstructor::putChar):
734         (JSC::Yarr::CharacterClassConstructor::putUnicodeIgnoreCase):
735         (JSC::Yarr::CharacterClassConstructor::putRange):
736         (JSC::Yarr::CharacterClassConstructor::charClass):
737         (JSC::Yarr::CharacterClassConstructor::addSorted):
738         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
739         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
740         (JSC::Yarr::YarrPatternConstructor::assertionWordBoundary):
741         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
742         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBegin):
743         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassAtom):
744         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassRange):
745         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
746         (JSC::Yarr::YarrPattern::compile):
747         (JSC::Yarr::YarrPattern::YarrPattern):
748         * yarr/YarrPattern.h:
749         (JSC::Yarr::CharacterRange::CharacterRange):
750         (JSC::Yarr::CharacterClass::CharacterClass):
751         (JSC::Yarr::PatternTerm::PatternTerm):
752         (JSC::Yarr::YarrPattern::reset):
753         * yarr/YarrSyntaxChecker.cpp:
754         (JSC::Yarr::SyntaxChecker::assertionBOL):
755         (JSC::Yarr::SyntaxChecker::assertionEOL):
756         (JSC::Yarr::SyntaxChecker::assertionWordBoundary):
757         (JSC::Yarr::SyntaxChecker::atomPatternCharacter):
758         (JSC::Yarr::SyntaxChecker::atomBuiltInCharacterClass):
759         (JSC::Yarr::SyntaxChecker::atomCharacterClassBegin):
760         (JSC::Yarr::SyntaxChecker::atomCharacterClassAtom):
761         (JSC::Yarr::checkSyntax):
762
763 2016-03-01  Saam barati  <sbarati@apple.com>
764
765         Remove FIXMEs and add valid test cases after necessary patch has landed.
766
767         Rubber stamped by Mark Lam.
768
769         * tests/stress/proxy-prevent-extensions.js:
770         (assert.Object.isSealed):
771         (assert):
772
773 2016-03-01  Saam barati  <sbarati@apple.com>
774
775         [ES6] Implement Proxy.[[IsExtensible]]
776         https://bugs.webkit.org/show_bug.cgi?id=154872
777
778         Reviewed by Oliver Hunt.
779
780         This patch is a direct implementation of Proxy.[[IsExtensible]] with respect to section 9.5.3
781         of the ECMAScript 6 spec.
782         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-isextensible
783
784         * runtime/ProxyObject.cpp:
785         (JSC::ProxyObject::preventExtensions):
786         (JSC::ProxyObject::performIsExtensible):
787         (JSC::ProxyObject::isExtensible):
788         (JSC::ProxyObject::visitChildren):
789         * runtime/ProxyObject.h:
790         * tests/es6.yaml:
791         * tests/stress/proxy-is-extensible.js: Added.
792         (assert):
793         (throw.new.Error.let.handler.get isExtensible):
794         (throw.new.Error):
795         (assert.let.handler.isExtensible):
796         (assert.):
797         (let.handler.isExtensible):
798
799 2016-03-01  Saam barati  <sbarati@apple.com>
800
801         [ES6] Implement Proxy.[[PreventExtensions]]
802         https://bugs.webkit.org/show_bug.cgi?id=154873
803
804         Reviewed by Oliver Hunt.
805
806         This patch is a direct implementation of Proxy.[[PreventExtensions]] with respect to section 9.5.4
807         of the ECMAScript 6 spec.
808         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-preventextensions
809
810         * runtime/ProxyObject.cpp:
811         (JSC::ProxyObject::deletePropertyByIndex):
812         (JSC::ProxyObject::performPreventExtensions):
813         (JSC::ProxyObject::preventExtensions):
814         (JSC::ProxyObject::visitChildren):
815         * runtime/ProxyObject.h:
816         * tests/es6.yaml:
817         * tests/stress/proxy-prevent-extensions.js: Added.
818         (assert):
819         (throw.new.Error.let.handler.get preventExtensions):
820         (throw.new.Error):
821         (assert.let.handler.preventExtensions):
822         (assert.):
823         (let.handler.preventExtensions):
824         (assert.Object.isSealed.let.handler.preventExtensions):
825         (assert.Object.isSealed):
826
827 2016-03-01  Filip Pizlo  <fpizlo@apple.com>
828
829         FTL should simplify StringReplace with an empty replacement string
830         https://bugs.webkit.org/show_bug.cgi?id=154871
831
832         Reviewed by Michael Saboff.
833
834         This is a simple and hugely profitable change. If we do a string.replace(/things/, ""), then
835         this calls directly into StringPrototype's replace-with-empty-string logic instead of going
836         through stuff that does checks before reaching that same conclusion.
837
838         This speeds up Octane/regexp by about 6-10%. It also speeds up the attached microbenchmark by
839         about 7%.
840
841         * ftl/FTLLowerDFGToB3.cpp:
842         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
843         * runtime/StringPrototype.cpp:
844         (JSC::jsSpliceSubstringsWithSeparators):
845         (JSC::removeUsingRegExpSearch):
846         (JSC::replaceUsingRegExpSearch):
847         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
848         (JSC::operationStringProtoFuncReplaceRegExpString):
849         * runtime/StringPrototype.h:
850
851 2016-03-01  Alex Christensen  <achristensen@webkit.org>
852
853         Reduce size of internal windows build output
854         https://bugs.webkit.org/show_bug.cgi?id=154763
855
856         Reviewed by Brent Fulgham.
857
858         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
859
860 2016-03-01  Saam barati  <sbarati@apple.com>
861
862         [[IsExtensible]] should be a virtual method in the method table
863         https://bugs.webkit.org/show_bug.cgi?id=154799
864
865         Reviewed by Mark Lam.
866
867         This patch makes us more consistent with how the ES6 specification models the
868         [[IsExtensible]] trap. Moving this method into ClassInfo::methodTable 
869         is a prerequisite for implementing Proxy.[[IsExtensible]].
870
871         * runtime/ClassInfo.h:
872         * runtime/JSCell.cpp:
873         (JSC::JSCell::preventExtensions):
874         (JSC::JSCell::isExtensible):
875         * runtime/JSCell.h:
876         * runtime/JSGlobalObjectFunctions.cpp:
877         (JSC::globalFuncProtoSetter):
878         * runtime/JSObject.cpp:
879         (JSC::JSObject::preventExtensions):
880         (JSC::JSObject::isExtensible):
881         (JSC::JSObject::reifyAllStaticProperties):
882         (JSC::JSObject::defineOwnIndexedProperty):
883         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
884         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
885         (JSC::JSObject::defineOwnNonIndexProperty):
886         (JSC::JSObject::defineOwnProperty):
887         * runtime/JSObject.h:
888         (JSC::JSObject::isSealed):
889         (JSC::JSObject::isFrozen):
890         (JSC::JSObject::isExtensibleImpl):
891         (JSC::JSObject::isStructureExtensible):
892         (JSC::JSObject::isExtensibleInline):
893         (JSC::JSObject::indexingShouldBeSparse):
894         (JSC::JSObject::putDirectInternal):
895         (JSC::JSObject::isExtensible): Deleted.
896         * runtime/ObjectConstructor.cpp:
897         (JSC::objectConstructorSetPrototypeOf):
898         (JSC::objectConstructorIsSealed):
899         (JSC::objectConstructorIsFrozen):
900         (JSC::objectConstructorIsExtensible):
901         (JSC::objectConstructorIs):
902         * runtime/ProxyObject.cpp:
903         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
904         (JSC::ProxyObject::performHasProperty):
905         * runtime/ReflectObject.cpp:
906         (JSC::reflectObjectIsExtensible):
907         (JSC::reflectObjectSetPrototypeOf):
908         * runtime/SparseArrayValueMap.cpp:
909         (JSC::SparseArrayValueMap::putEntry):
910         (JSC::SparseArrayValueMap::putDirect):
911         * runtime/StringObject.cpp:
912         (JSC::StringObject::defineOwnProperty):
913         * runtime/Structure.cpp:
914         (JSC::Structure::isSealed):
915         (JSC::Structure::isFrozen):
916         * runtime/Structure.h:
917
918 2016-03-01  Filip Pizlo  <fpizlo@apple.com>
919
920         Unreviewed, fix CLOOP build.
921
922         * jit/JITOperations.h:
923
924 2016-03-01  Skachkov Oleksandr  <gskachkov@gmail.com>
925
926         [ES6] Arrow function. Some unused byte code is emitted
927         https://bugs.webkit.org/show_bug.cgi?id=154639
928
929         Reviewed by Saam Barati.
930
931         Currently the bytecode that is generated for arrow functions is not optimal.
932         The current fix removes the following unnecessary bytecode:
933         1. create_lexical_environment is not always emitted for arrow functions, only if some of the
934         features (this/super/arguments/eval) are used inside the arrow function.
935         2. Loading 'this' from the arrow function scope in a constructor is done only if super
936         is contained in the arrow function.
937
938         * bytecompiler/BytecodeGenerator.cpp:
939         (JSC::BytecodeGenerator::BytecodeGenerator):
940         (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
941         * bytecompiler/BytecodeGenerator.h:
942         * bytecompiler/NodesCodegen.cpp:
943         (JSC::ThisNode::emitBytecode):
944         (JSC::FunctionNode::emitBytecode):
945         * parser/Nodes.h:
946         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseAnyFeature):
947         * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
948
949 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
950
951         Turn String.prototype.replace into an intrinsic
952         https://bugs.webkit.org/show_bug.cgi?id=154835
953
954         Reviewed by Michael Saboff.
955
956         Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
957         of checks to see if the parameters are what they are likely to often be (a string, a
958         regexp, and a string). The intuition of this patch is that it's good to remove those checks
959         and it's good to call the native function as directly as possible.
960
961         This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
962         It also improves Octane/jquery.
963
964         This is only the beginning of what I want to do with replace optimizations. The other
965         optimizations will rely on StringReplace being revealed as a construct in DFG IR.
966
967         * JavaScriptCore.xcodeproj/project.pbxproj:
968         * bytecode/SpeculatedType.cpp:
969         (JSC::dumpSpeculation):
970         (JSC::speculationToAbbreviatedString):
971         (JSC::speculationFromClassInfo):
972         * bytecode/SpeculatedType.h:
973         (JSC::isStringOrStringObjectSpeculation):
974         (JSC::isRegExpObjectSpeculation):
975         (JSC::isBoolInt32Speculation):
976         * dfg/DFGAbstractInterpreterInlines.h:
977         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
978         * dfg/DFGByteCodeParser.cpp:
979         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
980         * dfg/DFGClobberize.h:
981         (JSC::DFG::clobberize):
982         * dfg/DFGDoesGC.cpp:
983         (JSC::DFG::doesGC):
984         * dfg/DFGFixupPhase.cpp:
985         (JSC::DFG::FixupPhase::fixupNode):
986         * dfg/DFGNode.h:
987         (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
988         (JSC::DFG::Node::shouldSpeculateRegExpObject):
989         (JSC::DFG::Node::shouldSpeculateSymbol):
990         * dfg/DFGNodeType.h:
991         * dfg/DFGPredictionPropagationPhase.cpp:
992         (JSC::DFG::PredictionPropagationPhase::propagate):
993         * dfg/DFGSafeToExecute.h:
994         (JSC::DFG::SafeToExecuteEdge::operator()):
995         (JSC::DFG::safeToExecute):
996         * dfg/DFGSpeculativeJIT.cpp:
997         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
998         (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
999         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1000         (JSC::DFG::SpeculativeJIT::speculate):
1001         * dfg/DFGSpeculativeJIT.h:
1002         * dfg/DFGSpeculativeJIT32_64.cpp:
1003         (JSC::DFG::SpeculativeJIT::compile):
1004         * dfg/DFGSpeculativeJIT64.cpp:
1005         (JSC::DFG::SpeculativeJIT::compile):
1006         * dfg/DFGUseKind.cpp:
1007         (WTF::printInternal):
1008         * dfg/DFGUseKind.h:
1009         (JSC::DFG::typeFilterFor):
1010         (JSC::DFG::isCell):
1011         * ftl/FTLCapabilities.cpp:
1012         (JSC::FTL::canCompile):
1013         * ftl/FTLLowerDFGToB3.cpp:
1014         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1015         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1016         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
1017         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1018         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1019         (JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
1020         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
1021         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
1022         * jit/JITOperations.h:
1023         * runtime/Intrinsic.h:
1024         * runtime/JSType.h:
1025         * runtime/RegExpObject.h:
1026         (JSC::RegExpObject::createStructure):
1027         * runtime/StringPrototype.cpp:
1028         (JSC::StringPrototype::finishCreation):
1029         (JSC::removeUsingRegExpSearch):
1030         (JSC::replaceUsingRegExpSearch):
1031         (JSC::operationStringProtoFuncReplaceRegExpString):
1032         (JSC::replaceUsingStringSearch):
1033         (JSC::stringProtoFuncRepeat):
1034         (JSC::replace):
1035         (JSC::stringProtoFuncReplace):
1036         (JSC::operationStringProtoFuncReplaceGeneric):
1037         (JSC::stringProtoFuncToString):
1038         * runtime/StringPrototype.h:
1039
1040 2016-03-01  Commit Queue  <commit-queue@webkit.org>
1041
1042         Unreviewed, rolling out r197056.
1043         https://bugs.webkit.org/show_bug.cgi?id=154870
1044
1045         broke win ews (Requested by alexchristensen on #webkit).
1046
1047         Reverted changeset:
1048
1049         "[cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK."
1050         https://bugs.webkit.org/show_bug.cgi?id=154651
1051         http://trac.webkit.org/changeset/197056
1052
1053 2016-02-29  Saam barati  <sbarati@apple.com>
1054
1055         [[PreventExtensions]] should be a virtual method in the method table.
1056         https://bugs.webkit.org/show_bug.cgi?id=154800
1057
1058         Reviewed by Yusuke Suzuki.
1059
1060         This patch makes us more consistent with how the ES6 specification models the
1061         [[PreventExtensions]] trap. Moving this method into ClassInfo::methodTable 
1062         is a prerequisite for implementing Proxy.[[PreventExtensions]].
1063
1064         * runtime/ClassInfo.h:
1065         * runtime/JSCell.cpp:
1066         (JSC::JSCell::getGenericPropertyNames):
1067         (JSC::JSCell::preventExtensions):
1068         * runtime/JSCell.h:
1069         * runtime/JSModuleNamespaceObject.cpp:
1070         (JSC::JSModuleNamespaceObject::JSModuleNamespaceObject):
1071         (JSC::JSModuleNamespaceObject::finishCreation):
1072         (JSC::JSModuleNamespaceObject::destroy):
1073         * runtime/JSModuleNamespaceObject.h:
1074         (JSC::JSModuleNamespaceObject::create):
1075         (JSC::JSModuleNamespaceObject::moduleRecord):
1076         * runtime/JSObject.cpp:
1077         (JSC::JSObject::freeze):
1078         (JSC::JSObject::preventExtensions):
1079         (JSC::JSObject::reifyAllStaticProperties):
1080         * runtime/JSObject.h:
1081         (JSC::JSObject::isSealed):
1082         (JSC::JSObject::isFrozen):
1083         (JSC::JSObject::isExtensible):
1084         * runtime/ObjectConstructor.cpp:
1085         (JSC::objectConstructorSeal):
1086         (JSC::objectConstructorFreeze):
1087         (JSC::objectConstructorPreventExtensions):
1088         (JSC::objectConstructorIsSealed):
1089         * runtime/ReflectObject.cpp:
1090         (JSC::reflectObjectPreventExtensions):
1091         * runtime/Structure.cpp:
1092         (JSC::Structure::Structure):
1093         (JSC::Structure::preventExtensionsTransition):
1094         * runtime/Structure.h:
1095
1096 2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1097
1098         [JSC] Private symbols should not be trapped by proxy handler
1099         https://bugs.webkit.org/show_bug.cgi?id=154817
1100
1101         Reviewed by Mark Lam.
1102
1103         Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
1104         For example, in ArrayIteratorPrototype.js
1105
1106             var itemKind = this.@arrayIterationKind;
1107             if (itemKind === @undefined)
1108                 throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");
1109
1110         Here, we assume that only the array iterator has the @arrayIterationKind property whose value is non-undefined.
1111         But if we implement a Proxy with a get handler that returns a non-undefined value for every operation, we accidentally assume that the given value is an array iterator.
1112
1113         To avoid this situation, we perform the default operations for property operations with private symbols.
1114
1115         * runtime/ProxyObject.cpp:
1116         (JSC::performProxyGet):
1117         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1118         (JSC::ProxyObject::performHasProperty):
1119         (JSC::ProxyObject::performPut):
1120         (JSC::ProxyObject::performDelete):
1121         (JSC::ProxyObject::deleteProperty):
1122         (JSC::ProxyObject::deletePropertyByIndex):
1123         * tests/stress/proxy-basic.js:
1124         * tests/stress/proxy-with-private-symbols.js: Added.
1125         (assert):
1126         (let.handler.getOwnPropertyDescriptor):
1127
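The entry above describes a brand check ("the property is non-undefined") that a Proxy can satisfy for any object. The following added example is not JSC code: it models the situation in script. User code cannot create JSC private symbols, so an ordinary Symbol stands in for @arrayIterationKind, and a WeakMap from proxy to target stands in for the engine's knowledge of a proxy's target; both are assumptions of the model, as is reading the target directly to represent the engine's "default operation". It contrasts the property-based check, the post-change engine behaviour, and a WeakSet brand that script authors can use when they cannot rely on engine internals.

```javascript
// Added example (not JSC code): brand checks that read a property the object
// itself can intercept are only as trustworthy as the object, and a Proxy can
// intercept every property read, symbol-keyed ones included.

const kIterationKind = Symbol("arrayIterationKind"); // stands in for the private symbol
const PRIVATE_SYMBOLS = new Set([kIterationKind]);
const proxyTargets = new WeakMap(); // proxy -> target, known to the "engine" only

function makeArrayIterator(array) {
  return { [kIterationKind]: "value", array, index: 0 };
}

// 1. The builtin's check as written: "property is non-undefined".
function isArrayIteratorByProperty(obj) {
  return obj[kIterationKind] !== undefined;
}

// 2. The engine's behaviour after the change above, modelled here as: a
//    private-symbol lookup on a Proxy goes to the target, never to the handler.
function engineGet(obj, key) {
  if (PRIVATE_SYMBOLS.has(key) && proxyTargets.has(obj))
    return Reflect.get(proxyTargets.get(obj), key);
  return obj[key]; // ordinary [[Get]]; a Proxy runs its get trap here
}
function isArrayIteratorByPrivateLookup(obj) {
  return engineGet(obj, kIterationKind) !== undefined;
}

// 3. A script-level alternative: a WeakSet brand. Membership is decided without
//    any property operation on the object, so a Proxy cannot influence it.
const iteratorBrand = new WeakSet();
function makeBrandedArrayIterator(array) {
  const it = makeArrayIterator(array);
  iteratorBrand.add(it);
  return it;
}
function isArrayIteratorByBrand(obj) {
  return iteratorBrand.has(obj);
}

// A handler that answers every property read with a non-undefined value,
// exactly the shape of handler the entry above warns about.
function makeGreedyProxy() {
  const target = {};
  const proxy = new Proxy(target, { get: () => "anything" });
  proxyTargets.set(proxy, target);
  return proxy;
}

// Runs all three checks against a genuine iterator and a greedy proxy.
function brandCheckResults() {
  const real = makeBrandedArrayIterator([1, 2, 3]);
  const fake = makeGreedyProxy();
  return {
    byProperty: { real: isArrayIteratorByProperty(real), fake: isArrayIteratorByProperty(fake) },
    byPrivateLookup: { real: isArrayIteratorByPrivateLookup(real), fake: isArrayIteratorByPrivateLookup(fake) },
    byBrand: { real: isArrayIteratorByBrand(real), fake: isArrayIteratorByBrand(fake) },
  };
}
```

Only the property-based check accepts the proxy; the other two reject it while still accepting the genuine iterator.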
1128 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
1129
1130         regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
1131         https://bugs.webkit.org/show_bug.cgi?id=154841
1132
1133         Reviewed by Benjamin Poulain.
1134
1135         Here's the deadlock:
1136
1137         Main thread:
1138             1) Change an InferredType.  This acquires InferredType::m_lock.
1139             2) Fire watchpoint set.  This triggers CodeBlock invalidation, which acquires
1140                CodeBlock::m_lock.
1141
1142         DFG thread:
1143             1) Iterate over the information in a CodeBlock.  This acquires CodeBlock::m_lock.
1144             2) Ask an InferredType for its descriptor().  This acquires InferredType::m_lock.
1145
1146         I think that the DFG thread's ordering should be legal, because the best logic for lock
1147         hierarchies is that locks that protect the largest set of stuff should be acquired first.
1148
1149         This means that the main thread shouldn't be holding the InferredType::m_lock when firing
1150         watchpoint sets.  That's what this patch ensures.
1151
1152         At the time of writing, this test was deadlocking for me on trunk 100% of the time.  With
1153         this change I cannot get it to deadlock.
1154
1155         * runtime/InferredType.cpp:
1156         (JSC::InferredType::willStoreValueSlow):
1157         (JSC::InferredType::makeTopSlow):
1158         (JSC::InferredType::set):
1159         (JSC::InferredType::removeStructure):
1160         (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
1161         * runtime/InferredType.h:
1162
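The deadlock above is a lock-ordering cycle: one thread acquires InferredType::m_lock then CodeBlock::m_lock, the other the reverse. The following added example, not JSC code, checks acquisition traces for such cycles. The traces, the "+L"/"-L" notation and the lock names are constructed from the entry's description; the fix is modelled as releasing the InferredType lock before the watchpoint set fires, which is what the entry states.

```javascript
// Added example (not JSC code): build a lock-order graph from per-thread
// acquisition traces and report any cycle. A cycle means two threads can take
// the same locks in opposite orders, a deadlock risk even when the actual
// interleaving only rarely exposes it.

// "+L" acquires L, "-L" releases L. Every lock held at the moment of an
// acquisition contributes an edge held -> acquired.
function lockOrderEdges(trace) {
  const held = [];
  const edges = [];
  for (const op of trace) {
    const kind = op[0];
    const lock = op.slice(1);
    if (kind === "+") {
      for (const h of held) edges.push([h, lock]);
      held.push(lock);
    } else if (kind === "-") {
      const i = held.lastIndexOf(lock);
      if (i < 0) throw new Error(`release of unheld lock ${lock}`);
      held.splice(i, 1);
    } else {
      throw new Error(`bad op ${op}`);
    }
  }
  if (held.length) throw new Error(`locks still held: ${held.join(",")}`);
  return edges;
}

// Depth-first search over the merged graph; returns the cycle as a list of
// lock names (first and last equal) or null when the order is consistent.
function findCycle(traces) {
  const adj = new Map();
  for (const t of traces) {
    for (const [a, b] of lockOrderEdges(t)) {
      if (!adj.has(a)) adj.set(a, new Set());
      adj.get(a).add(b);
    }
  }
  const color = new Map(); // 1 = on the DFS stack, 2 = finished
  const stack = [];
  function dfs(u) {
    color.set(u, 1);
    stack.push(u);
    for (const v of adj.get(u) ?? []) {
      if (color.get(v) === 1) return stack.slice(stack.indexOf(v)).concat(v);
      if (!color.has(v)) {
        const c = dfs(v);
        if (c) return c;
      }
    }
    stack.pop();
    color.set(u, 2);
    return null;
  }
  for (const u of adj.keys()) {
    if (!color.has(u)) {
      const c = dfs(u);
      if (c) return c;
    }
  }
  return null;
}

// Constructed traces for the two threads described in the entry above.
// Before the fix the main thread fires the watchpoint set while still holding
// InferredType::m_lock, so CodeBlock::m_lock is taken inside it.
const BEFORE_FIX = [
  ["+InferredType", "+CodeBlock", "-CodeBlock", "-InferredType"], // main thread
  ["+CodeBlock", "+InferredType", "-InferredType", "-CodeBlock"], // DFG thread
];
// After the fix the InferredType lock is dropped before the watchpoint set fires.
const AFTER_FIX = [
  ["+InferredType", "-InferredType", "+CodeBlock", "-CodeBlock"], // main thread
  ["+CodeBlock", "+InferredType", "-InferredType", "-CodeBlock"], // DFG thread
];
```

`findCycle(BEFORE_FIX)` reports `InferredType -> CodeBlock -> InferredType`; `findCycle(AFTER_FIX)` returns null because only the DFG thread's order remains in the graph. Feeding real acquisition logs through the same check is a cheap way to catch an ordering inversion before it shows up as a timed-out test.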
1163 2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1164
1165         [DFG][FTL][B3] Support floor and ceil
1166         https://bugs.webkit.org/show_bug.cgi?id=154683
1167
1168         Reviewed by Filip Pizlo.
1169
1170         This patch implements and fixes the following things.
1171
1172         1. Implement Ceil and Floor in DFG, FTL and B3
1173
1174         x86 SSE 4.2 and ARM64 have round instructions that can directly perform Ceil or Floor.
1175         This patch leverages this functionality. We introduce ArithFloor and ArithCeil.
1176         During the DFG phase, these nodes attempt to convert themselves to Identity (in the Fixup phase).
1177         As with ArithRound, they track the arith rounding mode.
1178         And if these nodes are required to emit machine code, we emit rounding machine code
1179         if it is supported on the current machine. For example, on x86, we emit `round`.
1180
1181         This `Floor` functionality is nice for @toInteger in the builtins.
1182         That is used for Array.prototype.{forEach, map, every, some, reduce...}.
1183         And according to the benchmark results, Kraken audio-oscillator is slightly improved
1184         due to its frequent Math.round and Math.floor calls.
1185
1186         2. Implement Floor in B3 and Air
1187
1188         As with Ceil in B3, we add a new B3 IR and Air opcode, Floor.
1189         This Floor is leveraged to implement ArithFloor in DFG.
1190
1191         3. Fix ArithRound operation
1192
1193         Currently, we use cvtsd2si (on x86) to convert a double value to int32.
1194         And we also use this to implement Math.round, as cvtsd2si(value + 0.5).
1195         However, this implementation is not correct, because cvtsd2si is not a floor operation.
1196         It is a truncate operation. This is OK for positive numbers, but NG for negative numbers.
1197         For example, the current implementation accidentally rounds `-0.6` to `-0.0`. This should be `-1.0`.
1198         Using Ceil and Floor instructions, we implement a correct ArithRound.
1199
1200         * assembler/MacroAssemblerARM.h:
1201         (JSC::MacroAssemblerARM::supportsFloatingPointRounding):
1202         (JSC::MacroAssemblerARM::ceilDouble):
1203         (JSC::MacroAssemblerARM::floorDouble):
1204         (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Deleted.
1205         * assembler/MacroAssemblerARM64.h:
1206         (JSC::MacroAssemblerARM64::supportsFloatingPointRounding):
1207         (JSC::MacroAssemblerARM64::floorFloat):
1208         (JSC::MacroAssemblerARM64::supportsFloatingPointCeil): Deleted.
1209         * assembler/MacroAssemblerARMv7.h:
1210         (JSC::MacroAssemblerARMv7::supportsFloatingPointRounding):
1211         (JSC::MacroAssemblerARMv7::ceilDouble):
1212         (JSC::MacroAssemblerARMv7::floorDouble):
1213         (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil): Deleted.
1214         * assembler/MacroAssemblerMIPS.h:
1215         (JSC::MacroAssemblerMIPS::ceilDouble):
1216         (JSC::MacroAssemblerMIPS::floorDouble):
1217         (JSC::MacroAssemblerMIPS::supportsFloatingPointRounding):
1218         (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil): Deleted.
1219         * assembler/MacroAssemblerSH4.h:
1220         (JSC::MacroAssemblerSH4::supportsFloatingPointRounding):
1221         (JSC::MacroAssemblerSH4::ceilDouble):
1222         (JSC::MacroAssemblerSH4::floorDouble):
1223         (JSC::MacroAssemblerSH4::supportsFloatingPointCeil): Deleted.
1224         * assembler/MacroAssemblerX86Common.h:
1225         (JSC::MacroAssemblerX86Common::floorDouble):
1226         (JSC::MacroAssemblerX86Common::floorFloat):
1227         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
1228         (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil): Deleted.
1229         * b3/B3ConstDoubleValue.cpp:
1230         (JSC::B3::ConstDoubleValue::floorConstant):
1231         * b3/B3ConstDoubleValue.h:
1232         * b3/B3ConstFloatValue.cpp:
1233         (JSC::B3::ConstFloatValue::floorConstant):
1234         * b3/B3ConstFloatValue.h:
1235         * b3/B3LowerMacrosAfterOptimizations.cpp:
1236         * b3/B3LowerToAir.cpp:
1237         (JSC::B3::Air::LowerToAir::lower):
1238         * b3/B3Opcode.cpp:
1239         (WTF::printInternal):
1240         * b3/B3Opcode.h:
1241         * b3/B3ReduceDoubleToFloat.cpp:
1242         * b3/B3ReduceStrength.cpp:
1243         * b3/B3Validate.cpp:
1244         * b3/B3Value.cpp:
1245         (JSC::B3::Value::floorConstant):
1246         (JSC::B3::Value::isRounded):
1247         (JSC::B3::Value::effects):
1248         (JSC::B3::Value::key):
1249         (JSC::B3::Value::typeFor):
1250         * b3/B3Value.h:
1251         * b3/air/AirFixPartialRegisterStalls.cpp:
1252         * b3/air/AirOpcode.opcodes:
1253         * b3/testb3.cpp:
1254         (JSC::B3::testFloorCeilArg):
1255         (JSC::B3::testFloorArg):
1256         (JSC::B3::testFloorImm):
1257         (JSC::B3::testFloorMem):
1258         (JSC::B3::testFloorFloorArg):
1259         (JSC::B3::testCeilFloorArg):
1260         (JSC::B3::testFloorIToD64):
1261         (JSC::B3::testFloorIToD32):
1262         (JSC::B3::testFloorArgWithUselessDoubleConversion):
1263         (JSC::B3::testFloorArgWithEffectfulDoubleConversion):
1264         (JSC::B3::run):
1265         * dfg/DFGAbstractInterpreterInlines.h:
1266         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1267         * dfg/DFGArithMode.cpp:
1268         (WTF::printInternal):
1269         * dfg/DFGArithMode.h:
1270         * dfg/DFGByteCodeParser.cpp:
1271         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1272         * dfg/DFGClobberize.h:
1273         (JSC::DFG::clobberize):
1274         * dfg/DFGDoesGC.cpp:
1275         (JSC::DFG::doesGC):
1276         * dfg/DFGFixupPhase.cpp:
1277         (JSC::DFG::FixupPhase::fixupNode):
1278         * dfg/DFGGraph.cpp:
1279         (JSC::DFG::Graph::dump):
1280         * dfg/DFGGraph.h:
1281         (JSC::DFG::Graph::roundShouldSpeculateInt32):
1282         * dfg/DFGNode.h:
1283         (JSC::DFG::Node::arithNodeFlags):
1284         (JSC::DFG::Node::hasHeapPrediction):
1285         (JSC::DFG::Node::hasArithRoundingMode):
1286         * dfg/DFGNodeType.h:
1287         * dfg/DFGPredictionPropagationPhase.cpp:
1288         (JSC::DFG::PredictionPropagationPhase::propagate):
1289         * dfg/DFGSafeToExecute.h:
1290         (JSC::DFG::safeToExecute):
1291         * dfg/DFGSpeculativeJIT.cpp:
1292         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1293         (JSC::DFG::SpeculativeJIT::compileArithRound): Deleted.
1294         * dfg/DFGSpeculativeJIT.h:
1295         * dfg/DFGSpeculativeJIT32_64.cpp:
1296         (JSC::DFG::SpeculativeJIT::compile):
1297         * dfg/DFGSpeculativeJIT64.cpp:
1298         (JSC::DFG::SpeculativeJIT::compile):
1299         * ftl/FTLCapabilities.cpp:
1300         (JSC::FTL::canCompile):
1301         * ftl/FTLLowerDFGToB3.cpp:
1302         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1303         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1304         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
1305         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
1306         * ftl/FTLOutput.h:
1307         (JSC::FTL::Output::doubleFloor):
1308         * jit/ThunkGenerators.cpp:
1309         (JSC::ceilThunkGenerator):
1310         * tests/stress/math-ceil-arith-rounding-mode.js: Added.
1311         (firstCareAboutZeroSecondDoesNot):
1312         (firstDoNotCareAboutZeroSecondDoes):
1313         (warmup):
1314         (verifyNegativeZeroIsPreserved):
1315         * tests/stress/math-ceil-basics.js: Added.
1316         (mathCeilOnIntegers):
1317         (mathCeilOnDoubles):
1318         (mathCeilOnBooleans):
1319         (uselessMathCeil):
1320         (mathCeilWithOverflow):
1321         (mathCeilConsumedAsDouble):
1322         (mathCeilDoesNotCareAboutMinusZero):
1323         (mathCeilNoArguments):
1324         (mathCeilTooManyArguments):
1325         (testMathCeilOnConstants):
1326         (mathCeilStructTransition):
1327         (Math.ceil):
1328         * tests/stress/math-floor-arith-rounding-mode.js: Added.
1329         (firstCareAboutZeroSecondDoesNot):
1330         (firstDoNotCareAboutZeroSecondDoes):
1331         (warmup):
1332         (verifyNegativeZeroIsPreserved):
1333         * tests/stress/math-floor-basics.js: Added.
1334         (mathFloorOnIntegers):
1335         (mathFloorOnDoubles):
1336         (mathFloorOnBooleans):
1337         (uselessMathFloor):
1338         (mathFloorWithOverflow):
1339         (mathFloorConsumedAsDouble):
1340         (mathFloorDoesNotCareAboutMinusZero):
1341         (mathFloorNoArguments):
1342         (mathFloorTooManyArguments):
1343         (testMathFloorOnConstants):
1344         (mathFloorStructTransition):
1345         (Math.floor):
1346         * tests/stress/math-round-should-not-use-truncate.js: Added.
1347         (mathRoundDoesNotCareAboutMinusZero):
1348         * tests/stress/math-rounding-infinity.js: Added.
1349         (shouldBe):
1350         (testRound):
1351         (testFloor):
1352         (testCeil):
1353         * tests/stress/math-rounding-nan.js: Added.
1354         (shouldBe):
1355         (testRound):
1356         (testFloor):
1357         (testCeil):
1358         * tests/stress/math-rounding-negative-zero.js: Added.
1359         (shouldBe):
1360         (testRound):
1361         (testFloor):
1362         (testCeil):
1363         (testRoundNonNegativeZero):
1364         (testRoundNonNegativeZero2):
1365
1366 2016-02-29  Joseph Pecoraro  <pecoraro@apple.com>
1367
1368         Add new MethodTable method to get an estimated size for a cell
1369         https://bugs.webkit.org/show_bug.cgi?id=154838
1370
1371         Reviewed by Filip Pizlo.
1372
1373         The new class method estimatedSize(JSCell*) estimates the size for a single cell.
1374         As the name implies, this is meant to be an approximation. It is more important
1375         that big objects report a large size, than to get perfect size information for
1376         all objects in the heap.
1377
1378             Base implementation (JSCell):
1379               - returns the MarkedBlock bucket size for this cell.
1380               - This gets us the object size including inline storage. Basically a better sizeof.
1381
1382             Subclasses with "Extra Memory Cost":
1383               - Any class that reports extra memory (reportExtraMemoryVisited) should include that in the estimated size.
1384               - E.g. CodeBlock, JSGenericTypedArrayView, WeakMapData, etc.
1385
1386             Subclasses with "Copied Space" storage:
1387               - Any class with data in copied space (copyBackingStore) should include that in the estimated size.
1388               - E.g. JSObject, JSGenericTypedArrayView, JSMap, JSSet, DirectArguments, etc.
1389
1390         Add reportExtraMemoryVisited for UnlinkedCodeBlock's compressed unlinked
1391         instructions because this can be larger than 1kb, which is significant.
1392
1393         This has one special case for RegExp generated bytecode / JIT code, which
1394         does not currently fall into the extra memory cost or copied space storage.
1395         In practice I haven't seen this grow to a significant cost.
1396
1397         * runtime/ClassInfo.h:
1398         Add the new estimatedSize method to the table.
1399
1400         * bytecode/UnlinkedCodeBlock.cpp:
1401         (JSC::UnlinkedCodeBlock::visitChildren):
1402         (JSC::UnlinkedCodeBlock::estimatedSize):
1403         (JSC::UnlinkedCodeBlock::setInstructions):
1404         * bytecode/UnlinkedCodeBlock.h:
1405         Report an extra memory cost for unlinked code blocks like
1406         we do for linked code blocks.
1407
1408         * bytecode/CodeBlock.cpp:
1409         (JSC::CodeBlock::estimatedSize):
1410         * bytecode/CodeBlock.h:
1411         * bytecode/UnlinkedInstructionStream.cpp:
1412         (JSC::UnlinkedInstructionStream::sizeInBytes):
1413         * bytecode/UnlinkedInstructionStream.h:
1414         * runtime/DirectArguments.cpp:
1415         (JSC::DirectArguments::estimatedSize):
1416         * runtime/DirectArguments.h:
1417         * runtime/JSCell.cpp:
1418         (JSC::JSCell::estimatedSizeInBytes):
1419         (JSC::JSCell::estimatedSize):
1420         * runtime/JSCell.h:
1421         * runtime/JSGenericTypedArrayView.h:
1422         * runtime/JSGenericTypedArrayViewInlines.h:
1423         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
1424         * runtime/JSMap.cpp:
1425         (JSC::JSMap::estimatedSize):
1426         * runtime/JSMap.h:
1427         * runtime/JSObject.cpp:
1428         (JSC::JSObject::visitButterfly):
1429         * runtime/JSObject.h:
1430         * runtime/JSSet.cpp:
1431         (JSC::JSSet::estimatedSize):
1432         * runtime/JSSet.h:
1433         * runtime/JSString.cpp:
1434         (JSC::JSString::estimatedSize):
1435         * runtime/JSString.h:
1436         * runtime/MapData.h:
1437         (JSC::MapDataImpl::capacityInBytes):
1438         * runtime/WeakMapData.cpp:
1439         (JSC::WeakMapData::estimatedSize):
1440         (JSC::WeakMapData::visitChildren):
1441         * runtime/WeakMapData.h:
1442         Implement estimated size following the pattern of reporting
1443         extra visited size, or copy space memory.
1444
1445         * runtime/RegExp.cpp:
1446         (JSC::RegExp::estimatedSize):
1447         * runtime/RegExp.h:
1448         * yarr/YarrInterpreter.h:
1449         (JSC::Yarr::ByteDisjunction::estimatedSizeInBytes):
1450         (JSC::Yarr::BytecodePattern::estimatedSizeInBytes):
1451         * yarr/YarrJIT.h:
1452         (JSC::Yarr::YarrCodeBlock::size):
1453         Include generated bytecode / JITCode in a RegExp's size.
1454
1455 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
1456
1457         SpeculatedType should be easier to edit
1458         https://bugs.webkit.org/show_bug.cgi?id=154840
1459
1460         Reviewed by Mark Lam.
1461
1462         We used to specify the bitmasks in SpeculatedType.h using hex codes. This used to work
1463         great because we didn't have so many masks and you could use the mask to visually see
1464         which ones overlapped. It also made it easy to visualize subset relationships.
1465
1466         But now we have a lot of masks with a lot of confusing overlaps, and it's no longer
1467         possible to just see their relationship by looking at hex codes. Worse, the use of hex
1468         codes makes it super annoying to move the bits around. For example, right now we have two
1469         bits free, but if we wanted to reclaim them by editing the old hex masks, it would be a
1470         nightmare.
1471
1472         So this patch replaces the hex masks with shift expressions (1u << 15 for example) and it
1473         makes any derived masks (i.e. masks that are the bit-or of other masks) be expressed using
1474         an or expression (SpecFoo | SpecBar | SpecBaz for example).
1475
1476         This makes it easier to see the relationships and it makes it easier to take bits for new
1477         types.
1478
1479         * bytecode/SpeculatedType.h:
1480
1481 2016-02-29  Keith Miller  <keith_miller@apple.com>
1482
1483         OverridesHasInstance constant folding is wrong
1484         https://bugs.webkit.org/show_bug.cgi?id=154833
1485
1486         Reviewed by Filip Pizlo.
1487
1488         The current implementation of OverridesHasInstance constant folding
1489         is incorrect. Since it relies on OSR exit information it has been
1490         moved to the StrengthReductionPhase. Normally, such an optimization would be
1491         put in FixupPhase, however, there are a number of cases where we don't
1492         determine that an edge of OverridesHasInstance is a constant until after fixup.
1493         Performing the optimization during StrengthReductionPhase means we can defer
1494         our decision until later.
1495
1496         In the future we should consider creating a version of this optimization
1497         that does not depend on OSR exit information and move the optimization back
1498         to ConstantFoldingPhase.
1499
1500         * dfg/DFGConstantFoldingPhase.cpp:
1501         (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
1502         * dfg/DFGStrengthReductionPhase.cpp:
1503         (JSC::DFG::StrengthReductionPhase::handleNode):
1504
1505 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
1506
1507         B3 should have global store elimination
1508         https://bugs.webkit.org/show_bug.cgi?id=154658
1509
1510         Reviewed by Benjamin Poulain.
1511
1512         Implements fairly comprehensive global store elimination:
1513
1514         1) If you store the result of a load with no interference in between, remove the store.
1515
1516         2) If you store the same thing you stored previously, remove the store.
1517
1518         3) If you store something that you either loaded previously or stored previously along
1519            arbitrarily many paths, remove the store.
1520
1521         4) If you store to something that is stored to again in the future with no interference in
1522            between, remove the store.
1523
1524         Rule (4) is super relevant to FTL since the DFG does not eliminate redundant PutStructures.
1525         A constructor that produces a large object will have many redundant stores to the same base
1526         pointer, offset, and heap range, with no code to observe that heap range in between.
1527
1528         This doesn't have a decisive effect on major benchmarks, but it's an enormous win for
1529         microbenchmarks:
1530
1531         - 30% faster to construct an object with many fields.
1532
1533         - 5x faster to do many stores to a global variable.
1534
1535         The compile time cost should be very small. Although the optimization is global, it aborts as
1536         soon as it sees anything that would confound store elimination. For rules (1)-(3), we
1537         piggy-back the existing load elimination, which gives up on interfering stores. For rule (4),
1538         we search forward through the current block and then globally a block at a time (skipping
1539         block contents thanks to summary data), which could be expensive. But rule (4) aborts as soon
1540         as it sees a read, write, or end block (Return or Oops). Any Check will claim to read TOP. Any
1541         Patchpoint that results from an InvalidationPoint will claim to read TOP, as will any
1542         Patchpoints for ICs. Those are usually sprinkled all over the program.
1543
1544         In other words, this optimization rarely kicks in. When it does kick in, it makes programs run
1545         faster. When it doesn't kick in, it's usually O(1) because there are reasons for aborting all
1546         over a "normal" program so the search will halt almost immediately. This of course raises the
1547         question: how much more in compile time do we pay when the optimization does kick in? The
1548         optimization kicks in the most for the microbenchmarks I wrote for this patch. Amazingly, the
1549         effect of the optimization is a wash for compile time: whatever cost we pay doing the O(n^2)
1550         searches is balanced by the massive reduction in work in the backend. On one of the two
1551         microbenchmarks, overall compile time actually shrank with this optimization even though CSE
1552         itself cost more. That's not too surprising - the backend costs much more per instruction, so
1553         things that remove instructions before we get to the backend tend to be a good idea.
1554
1555         We could consider adding a more aggressive version of this in the future, which could sink
1556         stores into checks. That could be crazy fun: https://bugs.webkit.org/show_bug.cgi?id=152162#c3
1557
1558         But mainly, I'm adding this optimization because it was super fun to implement during the
1559         WebAssembly CG summit.
1560
1561         * b3/B3EliminateCommonSubexpressions.cpp:
1562         * b3/B3MemoryValue.h:
1563         * b3/B3SuccessorCollection.h:
1564         (JSC::B3::SuccessorCollection::begin):
1565         (JSC::B3::SuccessorCollection::end):
1566         (JSC::B3::SuccessorCollection::const_iterator::const_iterator):
1567         (JSC::B3::SuccessorCollection::const_iterator::operator*):
1568         (JSC::B3::SuccessorCollection::const_iterator::operator++):
1569         (JSC::B3::SuccessorCollection::const_iterator::operator==):
1570         (JSC::B3::SuccessorCollection::const_iterator::operator!=):
1571
1572 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
1573
1574         Make it cheap to #include "JITOperations.h"
1575         https://bugs.webkit.org/show_bug.cgi?id=154836
1576
1577         Reviewed by Mark Lam.
1578
1579         Prior to this change, this header included the whole world even though it didn't have any
1580         definitions. This patch turns almost all of the includes into forward declarations. Right
1581         now this header is very cheap to include.
1582
1583         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1584         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1585         * JavaScriptCore.xcodeproj/project.pbxproj:
1586         * dfg/DFGSpeculativeJIT.h:
1587         * jit/JITOperations.cpp:
1588         * jit/JITOperations.h:
1589         * jit/Repatch.h:
1590         * runtime/CommonSlowPaths.h:
1591         (JSC::encodeResult): Deleted.
1592         (JSC::decodeResult): Deleted.
1593         * runtime/SlowPathReturnType.h: Added.
1594         (JSC::encodeResult):
1595         (JSC::decodeResult):
1596
1597 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
1598
1599         FTL should be able to run everything in Octane/regexp
1600         https://bugs.webkit.org/show_bug.cgi?id=154266
1601
1602         Reviewed by Saam Barati.
1603
1604         Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
1605         make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
1606         DFG backend optimization anyway - if we need this optimization then it should be a
1607         strength reduction rule over IR. That way, it can be shared by all backends.
1608
1609         I measured whether removing that optimization had any effect on performance separately
1610         from measuring the performance of this patch. Removing that optimization did not change
1611         our score on any benchmarks.
1612
1613         This patch does have an overall negative effect on the Octane/regexp score. This is
1614         presumably because tiering up to the FTL has no value to the code in the regexp test. Or
1615         maybe it's something else. No matter - the overall effect on the Octane score is not
1616         statistically significant and we don't want this kind of coverage blocked by the fact
1617         that adding coverage hurts a benchmark.
1618
1619         * dfg/DFGByteCodeParser.cpp:
1620         (JSC::DFG::ByteCodeParser::parseBlock):
1621         * dfg/DFGNode.h:
1622         (JSC::DFG::Node::setIndexingType):
1623         (JSC::DFG::Node::hasRegexpIndex):
1624         * dfg/DFGSpeculativeJIT.cpp:
1625         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
1626         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
1627         (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
1628         * dfg/DFGSpeculativeJIT32_64.cpp:
1629         (JSC::DFG::SpeculativeJIT::compile):
1630         * dfg/DFGSpeculativeJIT64.cpp:
1631         (JSC::DFG::SpeculativeJIT::compile):
1632         * ftl/FTLCapabilities.cpp:
1633         (JSC::FTL::canCompile):
1634         * ftl/FTLLowerDFGToB3.cpp:
1635         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1636         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
1637         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
1638         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
1639         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1640         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1641         * tests/stress/ftl-regexp-exec.js: Added.
1642         * tests/stress/ftl-regexp-test.js: Added.
1643
1644 2016-02-28  Andreas Kling  <akling@apple.com>
1645
1646         Make JSFunction.name allocation fully lazy.
1647         <https://webkit.org/b/154806>
1648
1649         Reviewed by Saam Barati.
1650
1651         We were reifying the "name" field on functions lazily, but created the string
1652         value itself up front. This patch gets rid of the up-front allocation,
1653         saving us a JSString allocation per function in most cases.
1654
1655         * builtins/BuiltinExecutables.cpp:
1656         (JSC::createExecutableInternal):
1657         * bytecode/UnlinkedFunctionExecutable.cpp:
1658         (JSC::UnlinkedFunctionExecutable::visitChildren):
1659         * bytecode/UnlinkedFunctionExecutable.h:
1660         * runtime/CodeCache.cpp:
1661         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1662         * runtime/Executable.h:
1663         * runtime/JSFunction.cpp:
1664         (JSC::JSFunction::reifyName):
1665
1666 2016-02-28  Andreas Kling  <akling@apple.com>
1667
1668         REGRESSION(r197303): 4 jsc tests failing on bots.
1669
1670         Unreviewed follow-up fix.
1671
1672         * bytecode/UnlinkedCodeBlock.cpp:
1673         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
1674         can still get called with !m_rareData, in case the type profiler is active but this
1675         particular code block doesn't have type profiler data. Handle it gracefully.
1676
1677 2016-02-28  Andreas Kling  <akling@apple.com>
1678
1679         Shrink UnlinkedCodeBlock a bit.
1680         <https://webkit.org/b/154797>
1681
1682         Reviewed by Anders Carlsson.
1683
1684         Move profiler-related members of UnlinkedCodeBlock into its RareData
1685         structure, saving 40 bytes, and then reorder the other members of
1686         UnlinkedCodeBlock to save another 24 bytes, netting a nice total of 64.
1687
1688         The VM member was removed entirely since UnlinkedCodeBlock is a cell
1689         and can retrieve its VM through MarkedBlock header lookup.
1690
1691         * bytecode/UnlinkedCodeBlock.cpp:
1692         (JSC::UnlinkedCodeBlock::vm):
1693         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
1694         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
1695         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
1696         * bytecode/UnlinkedCodeBlock.h:
1697         (JSC::UnlinkedCodeBlock::addRegExp):
1698         (JSC::UnlinkedCodeBlock::addConstant):
1699         (JSC::UnlinkedCodeBlock::addFunctionDecl):
1700         (JSC::UnlinkedCodeBlock::addFunctionExpr):
1701         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
1702         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
1703         (JSC::UnlinkedCodeBlock::vm): Deleted.
1704
1705 2016-02-27  Filip Pizlo  <fpizlo@apple.com>
1706
1707         FTL should lower its abstract heaps to B3 heap ranges
1708         https://bugs.webkit.org/show_bug.cgi?id=154782
1709
1710         Reviewed by Saam Barati.
1711
1712         The FTL can describe the abstract heaps (points-to sets) that a memory operation will
1713         affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
1714         TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
1715         notion - the HeapRange. That's what this patch fixes.
1716
1717         B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
1718         integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
1719         affects by specifying a heap range: a begin...end pair that says that the operation
1720         affects all abstract heaps H such that begin <= H < end.
1721
1722         This peculiar scheme was a deliberate attempt to distill what the abstract heap
1723         hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:
1724
1725         - A heap's end is greater than its begin.
1726         - A heap's begin is greater than or equal to its parent's begin.
1727         - A heap's end is less than or equal to its parent's end.
1728
1729         This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
1730         went for the iterative traversal, which is a splendid algorithm, but it's totally
1731         unnecessary here since we tightly control the height of the heap hierarchy.
1732
1733         Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
1734         generate new ones for field names and constant indices we encounter, we can't actually
1735         decorate the B3 instructions we create in lowering until all lowering is done. Adding a
1736         new abstract heap to the hierarchy after ranges were already computed would require
1737         updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
1738         patch solves that problem by recording the associations between abstract heaps and their
1739         intended roles in the generated IR, and then decorating all of the relevant B3 values
1740         after we compute the ranges of the hierarchy after lowering.
1741
1742         This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
1743         speed-up on any benchmark. That's not too surprising. We already have very precise CSE
1744         in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
1745         already been getting the big ones even without alias analysis.
1746
1747         Even without a speed-up, this patch is valuable because it makes it easier to implement
1748         other optimizations, like store elimination.
1749
1750         * b3/B3HeapRange.h:
1751         (JSC::B3::HeapRange::HeapRange):
1752         * ftl/FTLAbstractHeap.cpp:
1753         (JSC::FTL::AbstractHeap::AbstractHeap):
1754         (JSC::FTL::AbstractHeap::changeParent):
1755         (JSC::FTL::AbstractHeap::compute):
1756         (JSC::FTL::AbstractHeap::shallowDump):
1757         (JSC::FTL::AbstractHeap::dump):
1758         (JSC::FTL::AbstractHeap::deepDump):
1759         (JSC::FTL::AbstractHeap::badRangeError):
1760         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
1761         (JSC::FTL::IndexedAbstractHeap::baseIndex):
1762         (JSC::FTL::IndexedAbstractHeap::atSlow):
1763         (JSC::FTL::IndexedAbstractHeap::initialize):
1764         (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
1765         (JSC::FTL::AbstractField::dump): Deleted.
1766         * ftl/FTLAbstractHeap.h:
1767         (JSC::FTL::AbstractHeap::AbstractHeap):
1768         (JSC::FTL::AbstractHeap::isInitialized):
1769         (JSC::FTL::AbstractHeap::initialize):
1770         (JSC::FTL::AbstractHeap::parent):
1771         (JSC::FTL::AbstractHeap::heapName):
1772         (JSC::FTL::AbstractHeap::range):
1773         (JSC::FTL::AbstractHeap::offset):
1774         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
1775         (JSC::FTL::IndexedAbstractHeap::at):
1776         (JSC::FTL::IndexedAbstractHeap::operator[]):
1777         (JSC::FTL::IndexedAbstractHeap::returnInitialized):
1778         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
1779         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
1780         (JSC::FTL::AbstractHeap::changeParent): Deleted.
1781         (JSC::FTL::AbstractField::AbstractField): Deleted.
1782         (JSC::FTL::AbstractField::initialize): Deleted.
1783         (JSC::FTL::AbstractField::offset): Deleted.
1784         * ftl/FTLAbstractHeapRepository.cpp:
1785         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1786         (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
1787         (JSC::FTL::AbstractHeapRepository::decorateMemory):
1788         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
1789         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
1790         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
1791         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
1792         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
1793         * ftl/FTLAbstractHeapRepository.h:
1794         (JSC::FTL::AbstractHeapRepository::forArrayType):
1795         (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
1796         * ftl/FTLLowerDFGToB3.cpp:
1797         (JSC::FTL::DFG::LowerDFGToB3::lower):
1798         * ftl/FTLOutput.cpp:
1799         (JSC::FTL::Output::load):
1800         (JSC::FTL::Output::load8SignExt32):
1801         (JSC::FTL::Output::load8ZeroExt32):
1802         (JSC::FTL::Output::load16SignExt32):
1803         (JSC::FTL::Output::load16ZeroExt32):
1804         (JSC::FTL::Output::store):
1805         (JSC::FTL::Output::store32As8):
1806         (JSC::FTL::Output::store32As16):
1807         (JSC::FTL::Output::baseIndex):
1808         * ftl/FTLOutput.h:
1809         (JSC::FTL::Output::address):
1810         (JSC::FTL::Output::absolute):
1811         (JSC::FTL::Output::load8SignExt32):
1812         (JSC::FTL::Output::load8ZeroExt32):
1813         (JSC::FTL::Output::load16SignExt32):
1814         (JSC::FTL::Output::load16ZeroExt32):
1815         (JSC::FTL::Output::load32):
1816         (JSC::FTL::Output::load64):
1817         (JSC::FTL::Output::loadPtr):
1818         (JSC::FTL::Output::loadDouble):
1819         (JSC::FTL::Output::store32):
1820         (JSC::FTL::Output::store64):
1821         (JSC::FTL::Output::storePtr):
1822         (JSC::FTL::Output::storeDouble):
1823         (JSC::FTL::Output::ascribeRange):
1824         (JSC::FTL::Output::nonNegative32):
1825         (JSC::FTL::Output::load32NonNegative):
1826         (JSC::FTL::Output::equal):
1827         (JSC::FTL::Output::notEqual):
1828         * ftl/FTLTypedPointer.h:
1829         (JSC::FTL::TypedPointer::operator!):
1830         (JSC::FTL::TypedPointer::heap):
1831         (JSC::FTL::TypedPointer::value):
1832
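The two Pizlo entries above (B3 global store elimination, and FTL abstract heaps lowered to B3 heap ranges) describe one mechanism from two sides: the recursive begin/end numbering that turns a heap hierarchy into HeapRanges, and the rule (4) forward scan that uses those ranges to decide that nothing will observe a store before it is overwritten. The C++ below is an added illustration written for this page, not JavaScriptCore's code. HeapRange, AbstractHeap, Op and the heap names root/JSObject/structureID/properties are invented for it, and it covers only the block-local part of the scan; the entry's global, block-at-a-time continuation is left as a comment. The interference check in storeIsDead is the part to read carefully: a store elimination that misses a read is a miscompile, which in a JIT means generated code that silently drops a write.

```cpp
// Added illustration, not JavaScriptCore code: numbers an invented abstract-heap
// hierarchy as the FTL entry describes (each heap's begin/end nested inside its
// parent's), then uses those ranges for the block-local part of store rule (4).
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct HeapRange {
    uint32_t begin;
    uint32_t end; // exclusive: covers every abstract heap H with begin <= H < end
    bool overlaps(HeapRange o) const { return begin < o.end && o.begin < end; }
    static HeapRange top() { return { 0, UINT32_MAX }; } // "touches everything"
};
struct AbstractHeap {
    std::string name;
    std::vector<AbstractHeap*> children;
    HeapRange range {};
    AbstractHeap(const std::string& n, AbstractHeap* parent = nullptr)
        : name(n) { if (parent) parent->children.push_back(this); }
};
// Recursive numbering: a leaf takes one fresh number, an inner heap spans exactly
// its descendants. That yields end > begin, begin >= parent.begin, end <= parent.end.
static uint32_t computeRanges(AbstractHeap& heap, uint32_t next)
{
    heap.range.begin = next;
    if (heap.children.empty()) next++;
    for (AbstractHeap* child : heap.children)
        next = computeRanges(*child, next);
    heap.range.end = next;
    return next;
}

enum class OpKind { Load, Store, Check, Return };
struct Op {
    OpKind kind;
    std::string base; // symbolic base pointer
    int offset;
    HeapRange range;  // what a Load reads or a Store writes; a Check reads TOP
    bool reads(HeapRange r) const { return kind == OpKind::Check || (kind == OpKind::Load && range.overlaps(r)); }
};

// Rule (4) within one block: a store is dead if a later store to the same base, offset
// and range follows with no overlapping read in between; give up at a Return or any such read.
static bool storeIsDead(const std::vector<Op>& block, size_t i)
{
    const Op& s = block[i];
    if (s.kind != OpKind::Store) return false;
    for (size_t j = i + 1; j < block.size(); ++j) {
        const Op& o = block[j];
        if (o.kind == OpKind::Return || o.reads(s.range)) return false;
        if (o.kind == OpKind::Store && o.base == s.base && o.offset == s.offset
            && o.range.begin == s.range.begin && o.range.end == s.range.end)
            return true;
    }
    return false; // fell off the block; the global search would continue into successors
}

static std::vector<Op> eliminateDeadStores(const std::vector<Op>& block)
{
    std::vector<Op> out;
    for (size_t i = 0; i < block.size(); ++i)
        if (!storeIsDead(block, i)) out.push_back(block[i]);
    return out;
}

// Invented hierarchy: root > { JSObject > { structureID }, properties }.
struct ExampleHeaps {
    AbstractHeap root { "root" };
    AbstractHeap object { "JSObject", &root };
    AbstractHeap structureID { "structureID", &object };
    AbstractHeap properties { "properties", &root };
    ExampleHeaps() { computeRanges(root, 0); }
};

static bool exampleRangesAreNested()
{
    ExampleHeaps h; // a child aliases its parent; leaves under different parents do not
    return h.structureID.range.overlaps(h.object.range) && !h.structureID.range.overlaps(h.properties.range)
        && h.object.range.begin >= h.root.range.begin && h.object.range.end <= h.root.range.end
        && HeapRange::top().overlaps(h.structureID.range);
}

// The constructor pattern from the B3 entry: repeated stores to one field with nothing
// observing them in between. 7 ops go in; the first two structureID stores die, 5 come out.
static size_t countOpsAfterDSE()
{
    ExampleHeaps h;
    std::vector<Op> block = {
        { OpKind::Store, "obj", 0, h.structureID.range }, // dead: overwritten below
        { OpKind::Store, "obj", 8, h.properties.range },  // kept: the Load reads it
        { OpKind::Store, "obj", 0, h.structureID.range }, // dead: the Load does not alias it
        { OpKind::Load, "obj", 8, h.properties.range },
        { OpKind::Store, "obj", 0, h.structureID.range }, // kept: the Check reads TOP
        { OpKind::Check, "", 0, HeapRange::top() },
        { OpKind::Return, "", 0, HeapRange {} },
    };
    return eliminateDeadStores(block).size();
}
```

Any C++14 compiler builds this. countOpsAfterDSE() returns 5: the first two structureID stores are overwritten with only a non-aliasing Load between them, while the third is followed by a Check, which, exactly as the entry says, claims to read TOP and therefore stops the scan just as the block-ending Return would. exampleRangesAreNested() checks the three range invariants the FTL entry lists on the invented hierarchy.
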
1833 2016-02-28  Skachkov Oleksandr  <gskachkov@gmail.com>
1834
1835         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
1836         https://bugs.webkit.org/show_bug.cgi?id=153981
1837
1838         Reviewed by Saam Barati.
1839        
1840         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
1841         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
1842         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
1843         During syntax analysis the parser stores information about the variables used in arrow functions inside of
1844         the ordinary function scope and then passes it to BytecodeGenerator through UnlinkedCodeBlock.
1845
1846         * bytecompiler/BytecodeGenerator.cpp:
1847         (JSC::BytecodeGenerator::BytecodeGenerator):
1848         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1849         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1850         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
1851         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1852         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1853         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1854         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
1855         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1856         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1857         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1858         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1859         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1860         * bytecompiler/BytecodeGenerator.h:
1861         * bytecompiler/NodesCodegen.cpp:
1862         (JSC::ThisNode::emitBytecode):
1863         (JSC::EvalFunctionCallNode::emitBytecode):
1864         (JSC::FunctionNode::emitBytecode):
1865         * parser/ASTBuilder.h:
1866         (JSC::ASTBuilder::createBracketAccess):
1867         (JSC::ASTBuilder::createDotAccess):
1868         (JSC::ASTBuilder::usesSuperCall):
1869         (JSC::ASTBuilder::usesSuperProperty):
1870         (JSC::ASTBuilder::makeFunctionCallNode):
1871         * parser/Nodes.cpp:
1872         (JSC::ScopeNode::ScopeNode):
1873         (JSC::ProgramNode::ProgramNode):
1874         (JSC::ModuleProgramNode::ModuleProgramNode):
1875         (JSC::EvalNode::EvalNode):
1876         (JSC::FunctionNode::FunctionNode):
1877         * parser/Nodes.h:
1878         (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
1879         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
1880         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
1881         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
1882         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
1883         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
1884         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
1885         (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
1886         (JSC::ScopeNode::usesSuperCall):
1887         (JSC::ScopeNode::usesSuperProperty):
1888         * parser/Parser.cpp:
1889         (JSC::Parser<LexerType>::parseProperty):
1890         (JSC::Parser<LexerType>::parsePrimaryExpression):
1891         (JSC::Parser<LexerType>::parseMemberExpression):
1892         * parser/Parser.h:
1893         (JSC::Scope::Scope):
1894         (JSC::Scope::isArrowFunctionBoundary):
1895         (JSC::Scope::innerArrowFunctionFeatures):
1896         (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
1897         (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
1898         (JSC::Scope::setInnerArrowFunctionUsesEval):
1899         (JSC::Scope::setInnerArrowFunctionUsesThis):
1900         (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
1901         (JSC::Scope::setInnerArrowFunctionUsesArguments):
1902         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1903         (JSC::Scope::collectFreeVariables):
1904         (JSC::Scope::mergeInnerArrowFunctionFeatures):
1905         (JSC::Scope::fillParametersForSourceProviderCache):
1906         (JSC::Scope::restoreFromSourceProviderCache):
1907         (JSC::Scope::setIsFunction):
1908         (JSC::Scope::setIsArrowFunction):
1909         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
1910         (JSC::Parser::pushScope):
1911         (JSC::Parser::popScopeInternal):
1912         (JSC::Parser<LexerType>::parse):
1913         * parser/ParserModes.h:
1914         * parser/SourceProviderCacheItem.h:
1915         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1916         * parser/SyntaxChecker.h:
1917         (JSC::SyntaxChecker::createFunctionMetadata):
1918         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1919         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1920         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1921         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1922         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1923
1924 2016-02-28  Saam barati  <sbarati@apple.com>
1925
1926         ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
1927         https://bugs.webkit.org/show_bug.cgi?id=154768
1928
1929         Reviewed by Ryosuke Niwa.
1930
1931         This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
1932         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
1933         We weren't correctly propagating the result of this operation to the
1934         out PropertySlot& parameter. This patch fixes that and adds tests.
1935
1936         * runtime/ObjectConstructor.cpp:
1937         (JSC::objectConstructorGetOwnPropertyDescriptor):
1938         I added a missing exception check after object allocation
1939         because I saw that it was missing while reading the code.
1940
1941         * runtime/PropertyDescriptor.cpp:
1942         (JSC::PropertyDescriptor::setUndefined):
1943         (JSC::PropertyDescriptor::slowGetterSetter):
1944         (JSC::PropertyDescriptor::getter):
1945         * runtime/PropertyDescriptor.h:
1946         (JSC::PropertyDescriptor::attributes):
1947         (JSC::PropertyDescriptor::value):
1948         * runtime/ProxyObject.cpp:
1949         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1950         * tests/es6.yaml:
1951         * tests/stress/proxy-get-own-property.js:
1952         (let.handler.getOwnPropertyDescriptor):
1953         (set get let.handler.return):
1954         (set get let.handler.getOwnPropertyDescriptor):
1955         (set get let):
1956         (set get let.a):
1957         (let.b):
1958         (let.setter):
1959         (let.getter):
1960
1961 2016-02-27  Andy VanWagoner  <thetalecrafter@gmail.com>
1962
1963         Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
1964         https://bugs.webkit.org/show_bug.cgi?id=152448
1965
1966         Reviewed by Darin Adler.
1967
1968         Add defaultLanguage to the globalObjectMethodTable and use it for the
1969         default locale in Intl object initializations. Fall back to ICU default
1970         locale only if the defaultLanguage function is null, or returns an
1971         empty string.
1972
1973         * jsc.cpp:
1974         * runtime/IntlCollator.cpp:
1975         (JSC::IntlCollator::initializeCollator):
1976         * runtime/IntlDateTimeFormat.cpp:
1977         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1978         * runtime/IntlNumberFormat.cpp:
1979         (JSC::IntlNumberFormat::initializeNumberFormat):
1980         * runtime/IntlObject.cpp:
1981         (JSC::defaultLocale):
1982         (JSC::lookupMatcher):
1983         (JSC::bestFitMatcher):
1984         (JSC::resolveLocale):
1985         * runtime/IntlObject.h:
1986         * runtime/JSGlobalObject.cpp:
1987         * runtime/JSGlobalObject.h:
1988         * runtime/StringPrototype.cpp:
1989         (JSC::toLocaleCase):
1990
1991 2016-02-27  Oliver Hunt  <oliver@apple.com>
1992
1993         CLoop build fix.
1994
1995         * jit/ExecutableAllocatorFixedVMPool.cpp:
1996
1997 2016-02-26  Oliver Hunt  <oliver@apple.com>
1998
1999         Remove the on demand executable allocator
2000         https://bugs.webkit.org/show_bug.cgi?id=154749
2001
2002         Reviewed by Geoffrey Garen.
2003
2004         Remove all the DemandExecutable code and executable allocator ifdefs.
2005
2006         * CMakeLists.txt:
2007         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2008         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2009         * JavaScriptCore.xcodeproj/project.pbxproj:
2010         * jit/ExecutableAllocator.cpp: Removed.
2011         (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
2012         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
2013         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
2014         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
2015         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
2016         (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
2017         (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
2018         (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
2019         (JSC::DemandExecutableAllocator::allocators): Deleted.
2020         (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
2021         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
2022         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
2023         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
2024         (JSC::ExecutableAllocator::isValid): Deleted.
2025         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
2026         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
2027         (JSC::ExecutableAllocator::allocate): Deleted.
2028         (JSC::ExecutableAllocator::committedByteCount): Deleted.
2029         (JSC::ExecutableAllocator::dumpProfile): Deleted.
2030         (JSC::ExecutableAllocator::getLock): Deleted.
2031         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
2032         (JSC::ExecutableAllocator::reprotectRegion): Deleted.
2033         * jit/ExecutableAllocator.h:
2034         * jit/ExecutableAllocatorFixedVMPool.cpp:
2035         * jit/JITStubRoutine.h:
2036         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
2037         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
2038         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
2039
2040 2016-02-26  Joseph Pecoraro  <pecoraro@apple.com>
2041
2042         Reduce direct callers of Structure::findStructuresAndMapForMaterialization
2043         https://bugs.webkit.org/show_bug.cgi?id=154751
2044
2045         Reviewed by Mark Lam.
2046
2047         * runtime/Structure.cpp:
2048         (JSC::Structure::toStructureShape):
2049         This property name iteration is identical to Structure::forEachPropertyConcurrently.
2050         Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.
2051
2052 2016-02-26  Mark Lam  <mark.lam@apple.com>
2053
2054         Function.name and Function.length should be configurable.
2055         https://bugs.webkit.org/show_bug.cgi?id=154604
2056
2057         Reviewed by Saam Barati.
2058
2059         According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
2060         "Unless otherwise specified, the name property of a built-in Function object,
2061         if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
2062         [[Configurable]]: true }."
2063
2064         Similarly, "the length property of a built-in Function object has the attributes
2065         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."
2066
2067         This patch makes Function.name and Function.length configurable.
2068
2069         We do this by lazily reifying the JSFunction name and length properties on first
2070         access.  We track whether each of these properties have been reified using flags
2071         in the FunctionRareData.  On first access, if not already reified, we will put
2072         the property into the object with its default value and attributes and set the
2073         reified flag.  Thereafter, we rely on the base JSObject to handle access to the
2074         property.
2075
2076         Also, lots of test results have to be re-baselined because the old Function.length
2077         has attribute DontDelete, which is in conflict with the ES6 requirement that it
2078         is configurable.
2079
2080         * runtime/FunctionRareData.h:
2081         (JSC::FunctionRareData::hasReifiedLength):
2082         (JSC::FunctionRareData::setHasReifiedLength):
2083         (JSC::FunctionRareData::hasReifiedName):
2084         (JSC::FunctionRareData::setHasReifiedName):
2085         - Flags for tracking whether each property has been reified.
2086
2087         * runtime/JSFunction.cpp:
2088         (JSC::JSFunction::finishCreation):
2089         (JSC::JSFunction::createBuiltinFunction):
2090         - Host and builtin functions currently always reify their name and length
2091           properties.  Currently, for builtins, the default names that are used may
2092           differ from the executable name.  For now, we'll stay with keeping this
2093           alternate approach to getting the name and length properties for host and
2094           builtin functions.
2095           However, we need their default attribute to be configurable as well.
2096
2097         (JSC::JSFunction::getOwnPropertySlot):
2098         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2099         (JSC::JSFunction::put):
2100         (JSC::JSFunction::deleteProperty):
2101         (JSC::JSFunction::defineOwnProperty):
2102         (JSC::JSFunction::reifyLength):
2103         (JSC::JSFunction::reifyName):
2104         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2105         (JSC::JSFunction::lengthGetter): Deleted.
2106         (JSC::JSFunction::nameGetter): Deleted.
2107         * runtime/JSFunction.h:
2108         * runtime/JSFunctionInlines.h:
2109         (JSC::JSFunction::hasReifiedLength):
2110         (JSC::JSFunction::hasReifiedName):
2111
2112         * tests/es6.yaml:
2113         - 4 new passing tests.
2114
2115         * tests/mozilla/ecma/Array/15.4.4.3-1.js:
2116         * tests/mozilla/ecma/Array/15.4.4.4-1.js:
2117         * tests/mozilla/ecma/Array/15.4.4.4-2.js:
2118         * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
2119         * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
2120         * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
2121         * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
2122         * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
2123         * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
2124         * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
2125         * tests/mozilla/ecma/String/15.5.4.10-1.js:
2126         * tests/mozilla/ecma/String/15.5.4.11-1.js:
2127         * tests/mozilla/ecma/String/15.5.4.11-5.js:
2128         * tests/mozilla/ecma/String/15.5.4.12-1.js:
2129         * tests/mozilla/ecma/String/15.5.4.6-2.js:
2130         * tests/mozilla/ecma/String/15.5.4.7-2.js:
2131         * tests/mozilla/ecma/String/15.5.4.8-1.js:
2132         * tests/mozilla/ecma/String/15.5.4.9-1.js:
2133         - Rebase expected test results.
2134
2135         * tests/stress/function-configurable-properties.js: Added.
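
The following is an added example, not code from the JavaScriptCore patch or from tests/stress/function-configurable-properties.js: it reads back the attribute triple on a function's own `name` and `length` properties and then exercises what "configurable" permits (redefinition and deletion, after which lookup falls through to Function.prototype). The helper names `attributeTriple`, `builtinLengthTriple` and `probeFunctionProps` are local to this example; it runs under Node.js.

```javascript
// Added example, not from the JSC patch: report the attribute triple of a
// function's own 'name' and 'length' properties and check that
// "configurable" is real, i.e. the properties can be redefined and deleted,
// after which lookup falls through to Function.prototype. ES2015 requires
// { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.

function attributeTriple(fn, key) {
  const d = Object.getOwnPropertyDescriptor(fn, key);
  return d && {
    value: d.value,
    writable: d.writable,
    enumerable: d.enumerable,
    configurable: d.configurable,
  };
}

// Built-in functions must carry the same attributes as user functions.
function builtinLengthTriple() {
  return attributeTriple(Math.max, 'length');
}

function probeFunctionProps(fn) {
  const name = attributeTriple(fn, 'name');
  const length = attributeTriple(fn, 'length');
  // Ordinary [[Set]] is rejected because the property is not writable;
  // Reflect.set reports false instead of throwing in strict mode.
  const assignAccepted = Reflect.set(fn, 'name', 'ignored');
  // defineProperty succeeds because the property is configurable.
  Object.defineProperty(fn, 'name', { value: 'renamed' });
  // delete returns true only for a configurable property.
  const deleted = delete fn.length;
  return {
    name,
    length,
    assignAccepted,
    nameAfterDefine: fn.name,
    deleted,
    lengthAfterDelete: fn.length,   // inherited Function.prototype.length, i.e. 0
    ownLengthAfterDelete: Object.prototype.hasOwnProperty.call(fn, 'length'),
  };
}
```

Before this patch, the DontDelete attribute on `length` would have made `deleted` come back false and left the own property in place; a conforming engine returns true and exposes the inherited value 0 afterwards.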
2136
2137 2016-02-26  Keith Miller  <keith_miller@apple.com>
2138
2139         Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
2140         https://bugs.webkit.org/show_bug.cgi?id=154743
2141
2142         Reviewed by Mark Lam.
2143
2144         * dfg/DFGConstantFoldingPhase.cpp:
2145         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2146         * dfg/DFGFixupPhase.cpp:
2147         (JSC::DFG::FixupPhase::fixupNode):
2148
2149 2016-02-26  Keith Miller  <keith_miller@apple.com>
2150
2151         Native Typed Array functions should use Symbol.species
2152         https://bugs.webkit.org/show_bug.cgi?id=154569
2153
2154         Reviewed by Michael Saboff.
2155
2156         This patch adds support for Symbol.species in the native Typed Array prototype
2157         functions. Additionally, now that other types of typedarrays are creatable inside
2158         the slice we use the JSGenericTypedArrayView::set function, which has been beefed
2159         up, to put everything into the correct place.
2160
2161         * runtime/JSDataView.cpp:
2162         (JSC::JSDataView::set):
2163         * runtime/JSDataView.h:
2164         * runtime/JSGenericTypedArrayView.h:
2165         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2166         (JSC::constructGenericTypedArrayViewFromIterator):
2167         (JSC::constructGenericTypedArrayViewWithArguments):
2168         (JSC::constructGenericTypedArrayView):
2169         * runtime/JSGenericTypedArrayViewInlines.h:
2170         (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
2171         (JSC::JSGenericTypedArrayView<Adaptor>::set):
2172         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2173         (JSC::speciesConstruct):
2174         (JSC::genericTypedArrayViewProtoFuncSet):
2175         (JSC::genericTypedArrayViewProtoFuncSlice):
2176         (JSC::genericTypedArrayViewProtoFuncSubarray):
2177         * tests/stress/typedarray-slice.js:
2178         (subclasses.typedArrays.map):
2179         (testSpecies):
2180         (forEach):
2181         (subclasses.forEach):
2182         (testSpeciesRemoveConstructor):
2183         (testSpeciesWithSameBuffer):
2184         * tests/stress/typedarray-subarray.js: Added.
2185         (subclasses.typedArrays.map):
2186         (testSpecies):
2187         (forEach):
2188         (subclasses.forEach):
2189         (testSpeciesRemoveConstructor):
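
The following is an added example, not code from the JavaScriptCore patch or from its typedarray-slice.js / typedarray-subarray.js tests: it shows what Symbol.species makes %TypedArray%.prototype.slice and subarray construct for a plain subclass, for a subclass that overrides @@species, and for a species constructor that returns a view on the source's own ArrayBuffer. The classes `Tagged`, `Plain` and the constructor `Alias` are invented for this example; it runs under Node.js.

```javascript
// Added example, not from the JSC patch or its tests: observe how
// Symbol.species decides what %TypedArray%.prototype.slice and subarray
// construct, including a species constructor that hands back a view on the
// source's own ArrayBuffer.

// A subclass that does not override @@species: %TypedArray%[@@species]
// returns `this`, so slice/subarray construct the subclass.
class Tagged extends Uint8Array {}

function speciesKeepsSubclass() {
  const t = new Tagged([1, 2, 3, 4]);
  const s = t.slice(1, 3);
  const v = t.subarray(2);
  return {
    sliceIsTagged: s instanceof Tagged,
    subarrayIsTagged: v instanceof Tagged,
    sliceValues: Array.from(s),            // a copy: [2, 3]
    subarraySharesBuffer: v.buffer === t.buffer,
  };
}

// A subclass that overrides @@species with the base constructor: results
// are plain Uint8Array even though the receiver is a Plain.
class Plain extends Uint8Array {
  static get [Symbol.species]() { return Uint8Array; }
}

function speciesOverride() {
  const p = new Plain([9, 8, 7]);
  const s = p.slice(0, 2);
  return {
    isPlain: s instanceof Plain,
    isUint8Array: s instanceof Uint8Array,
    values: Array.from(s),
  };
}

// A species constructor that aliases the source buffer. slice copies bytes
// from the source view into whatever view the species constructor returned,
// so the copy becomes visible through the source buffer. The two regions are
// kept disjoint here so the outcome does not depend on copy direction.
function speciesSameBuffer() {
  const buf = new ArrayBuffer(8);
  const src = new Uint8Array(buf);
  src.set([0, 1, 2, 3, 4, 5, 6, 7]);
  // Hand slice a view over the upper half of the same buffer.
  function Alias(len) { return new Uint8Array(buf, 4, len); }
  src.constructor = { [Symbol.species]: Alias };
  const out = src.slice(0, 4);
  return {
    outSharesBuffer: out.buffer === buf,
    result: Array.from(out),               // [0, 1, 2, 3]
    wholeBuffer: Array.from(src),          // upper half overwritten: [0,1,2,3,0,1,2,3]
  };
}
```

The last case is why the entry says slice now goes through JSGenericTypedArrayView::set: once @@species can return any typed array, including one over the same storage or of a different element type, the copy has to handle arbitrary destinations rather than assuming a fresh buffer of the receiver's type.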
2190
2191 2016-02-26  Benjamin Poulain  <bpoulain@apple.com>
2192
2193         [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
2194         https://bugs.webkit.org/show_bug.cgi?id=154704
2195
2196         Reviewed by Geoffrey Garen.
2197
2198         If the Imm is zero, we should still zero the top bits
2199         to match the definition in AirOpcodes.
2200
2201         * assembler/MacroAssemblerX86Common.h:
2202         (JSC::MacroAssemblerX86Common::add32):
2203         * b3/testb3.cpp:
2204
2205 2016-02-26  Oliver Hunt  <oliver@apple.com>
2206
2207         Make testRegExp not crash when given an invalid regexp
2208         https://bugs.webkit.org/show_bug.cgi?id=154732
2209
2210         Reviewed by Mark Lam.
2211
2212         * testRegExp.cpp:
2213         (parseRegExpLine):
2214
2215 2016-02-26  Benjamin Poulain  <benjamin@webkit.org>
2216
2217         [JSC] Add the test for r197155
2218         https://bugs.webkit.org/show_bug.cgi?id=154715
2219
2220         Reviewed by Mark Lam.
2221
2222         Silly me. I forgot the test in the latest patch update.
2223
2224         * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
2225
2226 2016-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2227
2228         [DFG] Drop unnecessary proved type branch in ToPrimitive
2229         https://bugs.webkit.org/show_bug.cgi?id=154716
2230
2231         Reviewed by Geoffrey Garen.
2232
2233         This branching based on the proved types is unnecessary because this is already handled in constant folding phase.
2234         In fact, the DFGSpeculativeJIT64.cpp case is already removed in r164243.
2235         This patch removes the remaining JIT32_64 case.
2236
2237         * dfg/DFGSpeculativeJIT32_64.cpp:
2238         (JSC::DFG::SpeculativeJIT::compile):
2239
2240 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
2241
2242         [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
2243         https://bugs.webkit.org/show_bug.cgi?id=154575
2244
2245         Reviewed by Filip Pizlo.
2246
2247         I noticed that imaging-gaussian-blur spends most of its
2248         samples in DFG code despite executing most of the loop
2249         iterations in FTL.
2250
2251         On this particular test, the main function is only entered
2252         once and has a very heavy loop there. What happens is DFG
2253         starts by compiling the full function in FTL. That takes about
2254         8 to 10 milliseconds during which the DFG code makes very little
2255         progress. The calls to triggerOSREntryNow() try to OSR Enter
2256         for a while then finally start compiling something. By the time
2257         the function is ready, we have wasted a lot of time in DFG code.
2258
2259         What this patch does is set a flag when a DFG function is entered.
2260         If we try to triggerOSREntryNow() and the flag was never set,
2261         we start compiling both the full function and the one for OSR Entry.
2262
2263         * dfg/DFGJITCode.h:
2264         * dfg/DFGJITCompiler.cpp:
2265         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
2266         (JSC::DFG::JITCompiler::compile):
2267         (JSC::DFG::JITCompiler::compileFunction):
2268         * dfg/DFGJITCompiler.h:
2269         * dfg/DFGOperations.cpp:
2270         * dfg/DFGPlan.cpp:
2271         (JSC::DFG::Plan::Plan): Deleted.
2272         * dfg/DFGPlan.h:
2273         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2274         (JSC::DFG::TierUpCheckInjectionPhase::run):
2275
2276 2016-02-25  Benjamin Poulain  <benjamin@webkit.org>
2277
2278         [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
2279         https://bugs.webkit.org/show_bug.cgi?id=154664
2280
2281         Reviewed by Saam Barati.
2282
2283         When doing OSR Enter into a constructor, we lose the information
2284         that this may have been set to empty by a previously executed block.
2285
2286         All the code just assumed the type for a FlushedJS value and thus
2287         not an empty value. It was then okay to eliminate the TDZ checks.
2288
2289         In this patch, the values on root entry now assume they may be empty.
2290         As a result, the SetArgument() for "this" has "empty" as possible
2291         type and the TDZ checks are no longer eliminated.
2292
2293         * dfg/DFGInPlaceAbstractState.cpp:
2294         (JSC::DFG::InPlaceAbstractState::initialize):
2295
2296 2016-02-25  Ada Chan  <adachan@apple.com>
2297
2298         Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
2299         https://bugs.webkit.org/show_bug.cgi?id=154702
2300
2301         Reviewed by Dan Bernstein.
2302
2303         * Configurations/FeatureDefines.xcconfig:
2304
2305 2016-02-25  Saam barati  <sbarati@apple.com>
2306
2307         [ES6] for...in iteration doesn't comply with the specification
2308         https://bugs.webkit.org/show_bug.cgi?id=154665
2309
2310         Reviewed by Michael Saboff.
2311
2312         If you read ForIn/OfHeadEvaluation inside the spec:
2313         https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
2314         It calls EnumerateObjectProperties(obj) to get a set of properties
2315         to enumerate over (it models this "set" as an ES6 generator function).
2316         EnumerateObjectProperties is defined in section 13.7.5.15:
2317         https://tc39.github.io/ecma262/#sec-enumerate-object-properties
2318         The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
2319         properties it sees. We must do the same by modeling the operation as
2320         a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.
2321
2322         * jit/JITOperations.cpp:
2323         * jit/JITOperations.h:
2324         * runtime/CommonSlowPaths.cpp:
2325         (JSC::SLOW_PATH_DECL):
2326         * runtime/JSObject.cpp:
2327         (JSC::JSObject::hasProperty):
2328         (JSC::JSObject::hasPropertyGeneric):
2329         * runtime/JSObject.h:
2330         * tests/stress/proxy-get-own-property.js:
2331         (assert):
2332         (let.handler.getOwnPropertyDescriptor):
2333         (i.set assert):
2334
2335 2016-02-25  Saam barati  <sbarati@apple.com>
2336
2337         [ES6] Implement Proxy.[[Set]]
2338         https://bugs.webkit.org/show_bug.cgi?id=154511
2339
2340         Reviewed by Filip Pizlo.
2341
2342         This patch is mostly an implementation of
2343         Proxy.[[Set]] with respect to section 9.5.9
2344         of the ECMAScript spec.
2345         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver
2346
2347         This patch also changes JSObject::putInline and JSObject::putByIndex
2348         to be aware that a Proxy in the prototype chain will intercept
2349         property accesses.
2350
2351         * runtime/JSObject.cpp:
2352         (JSC::JSObject::putInlineSlow):
2353         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
2354         * runtime/JSObject.h:
2355         * runtime/JSObjectInlines.h:
2356         (JSC::JSObject::canPerformFastPutInline):
2357         (JSC::JSObject::putInline):
2358         * runtime/JSType.h:
2359         * runtime/ProxyObject.cpp:
2360         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2361         (JSC::ProxyObject::performPut):
2362         (JSC::ProxyObject::put):
2363         (JSC::ProxyObject::putByIndexCommon):
2364         (JSC::ProxyObject::putByIndex):
2365         (JSC::performProxyCall):
2366         (JSC::ProxyObject::getCallData):
2367         (JSC::performProxyConstruct):
2368         (JSC::ProxyObject::deletePropertyByIndex):
2369         (JSC::ProxyObject::visitChildren):
2370         * runtime/ProxyObject.h:
2371         (JSC::ProxyObject::create):
2372         (JSC::ProxyObject::createStructure):
2373         (JSC::ProxyObject::target):
2374         (JSC::ProxyObject::handler):
2375         * tests/es6.yaml:
2376         * tests/stress/proxy-set.js: Added.
2377         (assert):
2378         (throw.new.Error.let.handler.set 45):
2379         (throw.new.Error):
2380         (let.target.set x):
2381         (let.target.get x):
2382         (set let):
2383
2384 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
2385
2386         [JSC] Remove a useless "Move" in the lowering of Select
2387         https://bugs.webkit.org/show_bug.cgi?id=154670
2388
2389         Reviewed by Geoffrey Garen.
2390
2391         I left the Move instruction when creating the aliasing form
2392         of Select.
2393
2394         On ARM64, that meant a useless move for any case that can't
2395         be coalesced.
2396
2397         On x86, that meant an extra constraint on child2, making it
2398         stupidly hard to alias child1.
2399
2400         * b3/B3LowerToAir.cpp:
2401         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
2402
2403 2016-02-24  Joseph Pecoraro  <pecoraro@apple.com>
2404
2405         Web Inspector: Expose Proxy target and handler internal properties to Inspector
2406         https://bugs.webkit.org/show_bug.cgi?id=154663
2407
2408         Reviewed by Timothy Hatcher.
2409
2410         * inspector/JSInjectedScriptHost.cpp:
2411         (Inspector::JSInjectedScriptHost::getInternalProperties):
2412         Expose the ProxyObject's target and handler.
2413
2414 2016-02-24  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
2415
2416         [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
2417         https://bugs.webkit.org/show_bug.cgi?id=151688
2418
2419         Reviewed by Dean Jackson.
2420
2421         Enables the WEB_ANIMATIONS compiler switch.
2422
2423         * Configurations/FeatureDefines.xcconfig:
2424
2425 2016-02-24  Konstantin Tokarev  <annulen@yandex.ru>
2426
2427         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
2428         https://bugs.webkit.org/show_bug.cgi?id=154651
2429
2430         Reviewed by Alex Christensen.
2431
2432         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
2433
2434 2016-02-24  Commit Queue  <commit-queue@webkit.org>
2435
2436         Unreviewed, rolling out r197033.
2437         https://bugs.webkit.org/show_bug.cgi?id=154649
2438
2439         "It broke JSC tests when 'this' was loaded from global scope"
2440         (Requested by saamyjoon on #webkit).
2441
2442         Reverted changeset:
2443
2444         "[ES6] Arrow function syntax. Emit loading&putting this/super
2445         only if they are used in arrow function"
2446         https://bugs.webkit.org/show_bug.cgi?id=153981
2447         http://trac.webkit.org/changeset/197033
2448
2449 2016-02-24  Saam Barati  <sbarati@apple.com>
2450
2451         [ES6] Implement Proxy.[[Delete]]
2452         https://bugs.webkit.org/show_bug.cgi?id=154607
2453
2454         Reviewed by Mark Lam.
2455
2456         This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
2457         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
2458
2459         * runtime/ProxyObject.cpp:
2460         (JSC::ProxyObject::getConstructData):
2461         (JSC::ProxyObject::performDelete):
2462         (JSC::ProxyObject::deleteProperty):
2463         (JSC::ProxyObject::deletePropertyByIndex):
2464         * runtime/ProxyObject.h:
2465         * tests/es6.yaml:
2466         * tests/stress/proxy-delete.js: Added.
2467         (assert):
2468         (throw.new.Error.let.handler.get deleteProperty):
2469         (throw.new.Error):
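
The Proxy entries above (ProxyObject.[[GetOwnProperty]] propagating to the slot, for...in going through [[GetOwnProperty]], Proxy.[[Set]] intercepting from the prototype chain, and Proxy.[[Delete]]) each pin down which internal method a language operation must route through. The following is an added example, not code from JavaScriptCore or its stress tests: it wraps a target in a Proxy whose traps record their own names and forward through Reflect, drives each operation, and reports which traps ran and what the spec invariants enforce. The helpers `makeLoggingProxy`, `forInTraps`, `setThroughPrototype`, `deleteTraps` and `virtualOwnProperty` are local to this example; it runs under Node.js.

```javascript
// Added example, not from the JSC patches or their tests: drive the Proxy
// internal methods those entries implement and record which handler traps
// actually run.

// Wrap `target` in a Proxy whose traps append their name to `log` and
// otherwise forward to the default behaviour via Reflect.
function makeLoggingProxy(target, log) {
  const handler = {};
  for (const trap of ['getOwnPropertyDescriptor', 'has', 'get', 'set',
                      'deleteProperty', 'ownKeys', 'getPrototypeOf']) {
    handler[trap] = (...args) => { log.push(trap); return Reflect[trap](...args); };
  }
  return new Proxy(target, handler);
}

// for-in over a proxy: the engine must consult [[GetOwnProperty]] for each
// key (to check enumerability), not [[HasProperty]].
function forInTraps() {
  const log = [];
  const p = makeLoggingProxy({ a: 1, b: 2 }, log);
  const keys = [];
  for (const k in p) keys.push(k);
  return {
    keys,
    usedGetOwnProperty: log.includes('getOwnPropertyDescriptor'),
    usedHas: log.includes('has'),
  };
}

// Assignment through a proxy sitting on the prototype chain: OrdinarySet on
// `child` finds no own property, so it calls the proxy's [[Set]] with
// `child` as receiver; the default [[Set]] then creates the property on the
// receiver, never on the proxy target.
function setThroughPrototype() {
  const log = [];
  const target = {};
  const child = Object.create(makeLoggingProxy(target, log));
  child.x = 42;
  return {
    setTrapRan: log.includes('set'),
    childOwnsX: Object.prototype.hasOwnProperty.call(child, 'x'),
    targetOwnsX: Object.prototype.hasOwnProperty.call(target, 'x'),
    value: child.x,
  };
}

// delete on a proxy goes through [[Delete]], and the invariant in 9.5.10
// holds: a handler may not claim to have deleted a non-configurable
// property of its target.
function deleteTraps() {
  const log = [];
  const target = { a: 1 };
  const p = makeLoggingProxy(target, log);
  const deleted = delete p.a;
  const frozen = Object.freeze({ k: 1 });
  const lying = new Proxy(frozen, { deleteProperty: () => true });
  let invariantError = null;
  try { delete lying.k; } catch (e) { invariantError = e; }
  return {
    deleted,
    trapRan: log.includes('deleteProperty'),
    stillOnTarget: 'a' in target,
    invariantViolationIsTypeError: invariantError instanceof TypeError,
  };
}

// A getOwnPropertyDescriptor trap may report a property the target lacks
// (allowed when the target is extensible and the descriptor is
// configurable). Everything built on [[GetOwnProperty]] must then see it,
// which is the propagation to the PropertySlot the 2016-02-28 entry fixes.
// [[HasProperty]] with no `has` trap still asks the target, so `in` says no.
function virtualOwnProperty() {
  const p = new Proxy({}, {
    getOwnPropertyDescriptor(target, key) {
      if (key === 'virtual') {
        return { value: 'from-trap', writable: true, enumerable: true, configurable: true };
      }
      return Reflect.getOwnPropertyDescriptor(target, key);
    },
  });
  const desc = Object.getOwnPropertyDescriptor(p, 'virtual');
  return {
    hasOwn: Object.prototype.hasOwnProperty.call(p, 'virtual'),
    descValue: desc && desc.value,
    inOperator: 'virtual' in p,
  };
}
```

The invariant checks are the part worth keeping in a regression suite: a handler that lies about a non-configurable property, or an engine that skips the [[GetOwnProperty]] result, is exactly the kind of mismatch between what the proxy reports and what the engine assumes that the entries above are fixing.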
2470         (assert.let.handler.deleteProperty):
2471         (let.handler.deleteProperty):
2472
2473 2016-02-24  Filip Pizlo  <fpizlo@apple.com>
2474
2475         Stackmaps have problems with double register constraints
2476         https://bugs.webkit.org/show_bug.cgi?id=154643
2477
2478         Reviewed by Geoffrey Garen.
2479
2480         This is currently a benign bug. I found it while playing.
2481
2482         * b3/B3LowerToAir.cpp:
2483         (JSC::B3::Air::LowerToAir::fillStackmap):
2484         * b3/testb3.cpp:
2485         (JSC::B3::testURShiftSelf64):
2486         (JSC::B3::testPatchpointDoubleRegs):
2487         (JSC::B3::zero):
2488         (JSC::B3::run):
2489
2490 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
2491
2492         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
2493         https://bugs.webkit.org/show_bug.cgi?id=153981
2494
2495         Reviewed by Saam Barati.
2496
2497         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
2498         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
2499         This patch adds logic that prevents emitting those variables if they are not used in the arrow function.
2500         During syntax analysis the parser stores information about the variables used in the arrow function inside
2501         the ordinary function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.
2502
2503         * bytecode/ExecutableInfo.h:
2504         (JSC::ExecutableInfo::ExecutableInfo):
2505         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
2506         * bytecode/UnlinkedCodeBlock.cpp:
2507         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2508         * bytecode/UnlinkedCodeBlock.h:
2509         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
2510         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
2511         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
2512         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
2513         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
2514         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
2515         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
2516         * bytecode/UnlinkedFunctionExecutable.cpp:
2517         (JSC::generateUnlinkedFunctionCodeBlock):
2518         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2519         * bytecode/UnlinkedFunctionExecutable.h:
2520         * bytecompiler/BytecodeGenerator.cpp:
2521         (JSC::BytecodeGenerator::BytecodeGenerator):
2522         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2523         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2524         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
2525         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
2526         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
2527         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
2528         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
2529         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
2530         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
2531         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
2532         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2533         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
2534         * bytecompiler/BytecodeGenerator.h:
2535         * bytecompiler/NodesCodegen.cpp:
2536         (JSC::ThisNode::emitBytecode):
2537         (JSC::EvalFunctionCallNode::emitBytecode):
2538         (JSC::FunctionCallValueNode::emitBytecode):
2539         (JSC::FunctionNode::emitBytecode):
2540         * parser/ASTBuilder.h:
2541         (JSC::ASTBuilder::createFunctionMetadata):
2542         * parser/Nodes.cpp:
2543         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2544         * parser/Nodes.h:
2545         * parser/Parser.cpp:
2546         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
2547         (JSC::Parser<LexerType>::parseFunctionBody):
2548         (JSC::Parser<LexerType>::parseFunctionInfo):
2549         (JSC::Parser<LexerType>::parseProperty):
2550         (JSC::Parser<LexerType>::parsePrimaryExpression):
2551         (JSC::Parser<LexerType>::parseMemberExpression):
2552         * parser/Parser.h:
2553         (JSC::Scope::Scope):
2554         (JSC::Scope::isArrowFunctionBoundary):
2555         (JSC::Scope::innerArrowFunctionFeatures):
2556         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
2557         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
2558         (JSC::Scope::setInnerArrowFunctionUseEval):
2559         (JSC::Scope::setInnerArrowFunctionUseThis):
2560         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
2561         (JSC::Scope::setInnerArrowFunctionUseArguments):
2562         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
2563         (JSC::Scope::collectFreeVariables):
2564         (JSC::Scope::mergeInnerArrowFunctionFeatures):
2565         (JSC::Scope::fillParametersForSourceProviderCache):
2566         (JSC::Scope::restoreFromSourceProviderCache):
2567         (JSC::Scope::setIsFunction):
2568         (JSC::Scope::setIsArrowFunction):
2569         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
2570         (JSC::Parser::pushScope):
2571         (JSC::Parser::popScopeInternal):
2572         * parser/ParserModes.h:
2573         * parser/SourceProviderCacheItem.h:
2574         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
2575         * parser/SyntaxChecker.h:
2576         (JSC::SyntaxChecker::createFunctionMetadata):
2577         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
2578         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
2579         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
2580         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
2581         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
2582
2583 2016-02-23  Brian Burg  <bburg@apple.com>
2584
2585         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
2586         https://bugs.webkit.org/show_bug.cgi?id=154615
2587         <rdar://problem/24804330>
2588
2589         Reviewed by Timothy Hatcher.
2590
2591         Some of the generated Objective-C bindings are only relevant to code acting as the
2592         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
2593         --backend to all generators. Use the setting in a few generators to omit code that's
2594         not needed.
2595
2596         Also fix a few places where the code emits the wrong Objective-C class prefix.
2597         There is some common non-generated code that must always have the RWIProtocol prefix.
2598
2599         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
2600         macros defined in the internal header now need to be used outside of the framework.
2601
2602         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
2603         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
2604         depending on the target framework.
2605
2606         * inspector/scripts/codegen/generate_objc_header.py:
2607         (ObjCHeaderGenerator.generate_output):
2608         For now, omit generating command protocol and event dispatchers when generating for --frontend.
2609
2610         (ObjCHeaderGenerator._generate_type_interface):
2611         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
2612
2613         * inspector/scripts/codegen/generate_objc_internal_header.py:
2614         Use RWIProtocolJSONObjectPrivate.h instead.
2615
2616         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2617         (ObjCProtocolTypesImplementationGenerator.generate_output):
2618         Include the Internal header if it's being generated (only for --backend).
2619
2620         * inspector/scripts/codegen/generator.py:
2621         (Generator.__init__):
2622         (Generator.set_generator_setting):
2623         (Generator):
2624         (Generator.get_generator_setting):
2625         Crib a simple setting system from the Framework class. Make the names more obnoxious.
2626
2627         (Generator.string_for_file_include):
2628         Inspired by the replay input generator, this is a function that uses the proper syntax
2629         for a file include depending on the file's framework and target framework.
2630
2631         * inspector/scripts/codegen/objc_generator.py:
2632         (ObjCGenerator.and):
2633         (ObjCGenerator.and.objc_prefix):
2634         (ObjCGenerator):
2635         (ObjCGenerator.objc_type_for_raw_name):
2636         (ObjCGenerator.objc_class_for_raw_name):
2637         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
2638
2639         * inspector/scripts/generate-inspector-protocol-bindings.py:
2640         (generate_from_specification):
2641         Change the generators to use for the frontend. Propagate --frontend and --backend.
2642
2643         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2644         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2645         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2646         * inspector/scripts/tests/expected/enum-values.json-result:
2647         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2648         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2649         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2650         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2651         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2652         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2653         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2654         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2655         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2656         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
2657
2658 2016-02-23  Saam barati  <sbarati@apple.com>
2659
2660         arrayProtoFuncConcat doesn't check for an exception after allocating an array
2661         https://bugs.webkit.org/show_bug.cgi?id=154621
2662
2663         Reviewed by Michael Saboff.
2664
2665         * runtime/ArrayPrototype.cpp:
2666         (JSC::arrayProtoFuncConcat):
2667
2668 2016-02-23  Dan Bernstein  <mitz@apple.com>
2669
2670         [Xcode] Linker errors display mangled names, but no longer should
2671         https://bugs.webkit.org/show_bug.cgi?id=154632
2672
2673         Reviewed by Sam Weinig.
2674
2675         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
2676
2677 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
2678
2679         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
2680         https://bugs.webkit.org/show_bug.cgi?id=112323
2681
2682         Reviewed by Chris Dumez.
2683
2684         This feature is controlled by a runtime switch, and defaults off.
2685
2686         * Configurations/FeatureDefines.xcconfig:
2687
2688 2016-02-23  Keith Miller  <keith_miller@apple.com>
2689
2690         JSC stress tests' standalone-pre.js should exit on the first failure by default
2691         https://bugs.webkit.org/show_bug.cgi?id=154565
2692
2693         Reviewed by Mark Lam.
2694
2695         Currently, if a test writer does not call finishJSTest() at the end of
2696         any test using stress/resources/standalone-pre.js then the test can fail
2697         without actually reporting an error to the harness. By default, we
2698         should throw on the first error so, in the event someone does not call
2699         finishJSTest() the harness will still notice the error.
2700
2701         * tests/stress/regress-151324.js:
2702         * tests/stress/resources/standalone-pre.js:
2703         (testFailed):
2704
2705 2016-02-23  Saam barati  <sbarati@apple.com>
2706
2707         Make JSObject::getMethod have fewer branches
2708         https://bugs.webkit.org/show_bug.cgi?id=154603
2709
2710         Reviewed by Mark Lam.
2711
2712         Writing code with fewer branches is almost always better.
2713
2714         * runtime/JSObject.cpp:
2715         (JSC::JSObject::getMethod):
2716
2717 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
2718
2719         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
2720         https://bugs.webkit.org/show_bug.cgi?id=154592
2721
2722         Reviewed by Saam Barati.
2723
2724         If Foo has a virtual destructor, then:
2725
2726         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
2727         subclass of Foo that overrides the destructor, this syntax will not call that override.
2728
2729         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
2730         get the subclass's override.
2731
2732         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
2733         This caused leaks because this didn't actually call the subclass's override. This fixes the
2734         problem by using this->~Value() instead.
2735
2736         * b3/B3ControlValue.cpp:
2737         (JSC::B3::ControlValue::convertToJump):
2738         (JSC::B3::ControlValue::convertToOops):
2739         * b3/B3Value.cpp:
2740         (JSC::B3::Value::replaceWithIdentity):
2741         (JSC::B3::Value::replaceWithNop):
2742         (JSC::B3::Value::replaceWithPhi):
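As an added illustration (not B3's own code), the qualified and unqualified destructor calls described above, with the skipped subclass destructor made observable; the Value/OwningValue names and the resource counter are assumptions made for this example.

```cpp
#include <cstdio>
#include <new>

// Constructed example (not B3's own code) of the destructor-dispatch bug
// described above. Value has a virtual destructor; OwningValue is a subclass
// that holds a "resource", tracked with a counter instead of a real heap block
// so that a skipped destructor is observable without a leak checker.

static int g_liveResources = 0;

struct Value {
    virtual ~Value() {}

    // Buggy pattern: this->Value::~Value() is a non-virtual call, so when *this
    // is really an OwningValue, its destructor is skipped and its resource stays live.
    void replaceWithNopBuggy() {
        this->Value::~Value();
        new (this) Value();
    }

    // Fixed pattern: this->~Value() dispatches virtually to the most-derived
    // destructor before the storage is reused for a plain Value.
    void replaceWithNopFixed() {
        this->~Value();
        new (this) Value();
    }
};

struct OwningValue : Value {
    OwningValue() { ++g_liveResources; }            // acquire the resource
    ~OwningValue() override { --g_liveResources; }  // release it
};

// Constructs an OwningValue in local storage, replaces it in place with a plain
// Value using the chosen pattern, and returns how many resources are still live
// afterwards: 1 if the subclass destructor was skipped, 0 if it ran.
int liveResourcesAfterReplace(bool useFixedPattern) {
    alignas(OwningValue) unsigned char storage[sizeof(OwningValue)];
    Value* v = new (storage) OwningValue();
    if (useFixedPattern)
        v->replaceWithNopFixed();
    else
        v->replaceWithNopBuggy();
    int stillLive = g_liveResources;
    // The storage now holds a plain Value; destroy it before the array goes away.
    reinterpret_cast<Value*>(storage)->~Value();
    g_liveResources = 0;  // reset so repeated calls measure independently
    return stillLive;
}

int main() {
    std::printf("buggy: %d resource(s) left live\n", liveResourcesAfterReplace(false)); // 1
    std::printf("fixed: %d resource(s) left live\n", liveResourcesAfterReplace(true));  // 0
    return 0;
}
```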
2743
2744 2016-02-23  Brian Burg  <bburg@apple.com>
2745
2746         Web Inspector: the protocol generator's Objective-C name prefix should be configurable
2747         https://bugs.webkit.org/show_bug.cgi?id=154596
2748         <rdar://problem/24794962>
2749
2750         Reviewed by Timothy Hatcher.
2751
2752         In order to support different generated protocol sets that don't have conflicting
2753         file and type names, allow the Objective-C prefix to be configurable based on the
2754         target framework. Each name also has the implicit prefix 'Protocol' appended to the
2755         per-target framework prefix.
2756
2757         For example, the existing protocol for remote inspection has the prefix 'RWI'
2758         and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
2759         and is generated as 'AutomationProtocol'.
2760
2761         To make this change, convert ObjCGenerator to be a subclass of Generator and use
2762         the instance method model() to find the target framework and its setting for
2763         'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
2764         these instance methods that used to be static methods. This is a large but
2765         mechanical change to use self instead of ObjCGenerator.
2766
2767         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2768         (ObjCBackendDispatcherHeaderGenerator):
2769         (ObjCBackendDispatcherHeaderGenerator.__init__):
2770         (ObjCBackendDispatcherHeaderGenerator.output_filename):
2771         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
2772         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
2773         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2774         (ObjCConfigurationImplementationGenerator):
2775         (ObjCConfigurationImplementationGenerator.__init__):
2776         (ObjCConfigurationImplementationGenerator.output_filename):
2777         (ObjCConfigurationImplementationGenerator.generate_output):
2778         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
2779         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
2780         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
2781         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2782         (ObjCConfigurationHeaderGenerator):
2783         (ObjCConfigurationHeaderGenerator.__init__):
2784         (ObjCConfigurationHeaderGenerator.output_filename):
2785         (ObjCConfigurationHeaderGenerator.generate_output):
2786         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
2787         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
2788         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2789         (ObjCBackendDispatcherImplementationGenerator):
2790         (ObjCBackendDispatcherImplementationGenerator.__init__):
2791         (ObjCBackendDispatcherImplementationGenerator.output_filename):
2792         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2793         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
2794         (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
2795         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
2796         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
2797         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
2798         (ObjCConversionHelpersGenerator):
2799         (ObjCConversionHelpersGenerator.__init__):
2800         (ObjCConversionHelpersGenerator.output_filename):
2801         (ObjCConversionHelpersGenerator.generate_output):
2802         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
2803         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
2804         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
2805         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2806         (ObjCFrontendDispatcherImplementationGenerator):
2807         (ObjCFrontendDispatcherImplementationGenerator.__init__):
2808         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
2809         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2810         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
2811         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2812         (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
2813         (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
2814         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
2815         * inspector/scripts/codegen/generate_objc_header.py:
2816         (ObjCHeaderGenerator):
2817         (ObjCHeaderGenerator.__init__):
2818         (ObjCHeaderGenerator.output_filename):
2819         (ObjCHeaderGenerator.generate_output):
2820         (ObjCHeaderGenerator._generate_forward_declarations):
2821         (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
2822         (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
2823         (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
2824         (ObjCHeaderGenerator._generate_type_interface):
2825         (ObjCHeaderGenerator._generate_init_method_for_required_members):
2826         (ObjCHeaderGenerator._generate_member_property):
2827         (ObjCHeaderGenerator._generate_command_protocols):
2828         (ObjCHeaderGenerator._generate_single_command_protocol):
2829         (ObjCHeaderGenerator._callback_block_for_command):
2830         (ObjCHeaderGenerator._generate_event_interfaces):
2831         (ObjCHeaderGenerator._generate_single_event_interface):
2832         * inspector/scripts/codegen/generate_objc_internal_header.py:
2833         (ObjCInternalHeaderGenerator):
2834         (ObjCInternalHeaderGenerator.__init__):
2835         (ObjCInternalHeaderGenerator.output_filename):
2836         (ObjCInternalHeaderGenerator.generate_output):
2837         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
2838         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2839         (ObjCProtocolTypesImplementationGenerator):
2840         (ObjCProtocolTypesImplementationGenerator.__init__):
2841         (ObjCProtocolTypesImplementationGenerator.output_filename):
2842         (ObjCProtocolTypesImplementationGenerator.generate_output):
2843         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
2844         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
2845         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
2846         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
2847         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
2848         (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
2849         * inspector/scripts/codegen/models.py:
2850         * inspector/scripts/codegen/objc_generator.py:
2851         (ObjCTypeCategory.category_for_type):
2852         (ObjCGenerator):
2853         (ObjCGenerator.__init__):
2854         (ObjCGenerator.objc_prefix):
2855         (ObjCGenerator.objc_name_for_type):
2856         (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
2857         (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
2858         (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
2859         (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
2860         (ObjCGenerator.objc_class_for_type):
2861         (ObjCGenerator.objc_class_for_array_type):
2862         (ObjCGenerator.objc_accessor_type_for_member):
2863         (ObjCGenerator.objc_accessor_type_for_member_internal):
2864         (ObjCGenerator.objc_type_for_member):
2865         (ObjCGenerator.objc_type_for_member_internal):
2866         (ObjCGenerator.objc_type_for_param):
2867         (ObjCGenerator.objc_type_for_param_internal):
2868         (ObjCGenerator.objc_protocol_export_expression_for_variable):
2869         (ObjCGenerator.objc_protocol_import_expression_for_member):
2870         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
2871         (ObjCGenerator.objc_protocol_import_expression_for_variable):
2872         (ObjCGenerator.objc_to_protocol_expression_for_member):
2873         (ObjCGenerator.protocol_to_objc_expression_for_member):
2874
2875         Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
2876
2877         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2878         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2879         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2880         * inspector/scripts/tests/expected/enum-values.json-result:
2881         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2882         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2883         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2884         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2885         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2886         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2887         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2888         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2889         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2890
2891 2016-02-23  Mark Lam  <mark.lam@apple.com>
2892
2893         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
2894         https://bugs.webkit.org/show_bug.cgi?id=154542
2895
2896         Reviewed by Saam Barati.
2897
2898         According to the spec, the constructors of the following types "are not intended
2899         to be called as a function and will throw an exception".  These types are:
2900             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
2901             Map - https://tc39.github.io/ecma262/#sec-map-constructor
2902             Set - https://tc39.github.io/ecma262/#sec-set-constructor
2903             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
2904             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
2905             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
2906             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
2907             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
2908             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
2909
2910         This patch does the following:
2911         1. Ensures that these constructors can be called but will throw a TypeError
2912            when called.
2913         2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
2914            in their implementation to be consistent.
2915         3. Change the error message to "calling XXX constructor without new is invalid".
2916            This is clearer because the error is likely due to the user forgetting to use
2917            the new operator on these constructors.
2918
2919         * runtime/Error.h:
2920         * runtime/Error.cpp:
2921         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
2922         - Added a convenience function to throw the TypeError.
2923
2924         * runtime/JSArrayBufferConstructor.cpp:
2925         (JSC::constructArrayBuffer):
2926         (JSC::callArrayBuffer):
2927         (JSC::JSArrayBufferConstructor::getCallData):
2928         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2929         (JSC::callGenericTypedArrayView):
2930         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
2931         * runtime/JSPromiseConstructor.cpp:
2932         (JSC::callPromise):
2933         * runtime/MapConstructor.cpp:
2934         (JSC::callMap):
2935         * runtime/ProxyConstructor.cpp:
2936         (JSC::callProxy):
2937         (JSC::ProxyConstructor::getCallData):
2938         * runtime/SetConstructor.cpp:
2939         (JSC::callSet):
2940         * runtime/WeakMapConstructor.cpp:
2941         (JSC::callWeakMap):
2942         * runtime/WeakSetConstructor.cpp:
2943         (JSC::callWeakSet):
2944
2945         * tests/es6.yaml:
2946         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
2947
2948         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
2949         (test):
2950
2951         * tests/stress/map-constructor.js:
2952         (testCallTypeError):
2953         * tests/stress/promise-cannot-be-called.js:
2954         (shouldThrow):
2955         * tests/stress/proxy-basic.js:
2956         * tests/stress/set-constructor.js:
2957         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
2958         (i.catch):
2959         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
2960         (i.catch):
2961         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
2962         (i.catch):
2963         * tests/stress/weak-map-constructor.js:
2964         (testCallTypeError):
2965         * tests/stress/weak-set-constructor.js:
2966         - Updated error message string.
2967
2968 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
2969
2970         ASan build fix.
2971
2972         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
2973
2974         * inspector/InspectorBackendDispatcher.h:
2975
2976 2016-02-23  Brian Burg  <bburg@apple.com>
2977
2978         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
2979         https://bugs.webkit.org/show_bug.cgi?id=154518
2980         <rdar://problem/24761096>
2981
2982         Reviewed by Timothy Hatcher.
2983
2984         * inspector/InspectorBackendDispatcher.h:
2985         Export all the classes since they are used by WebKit::WebAutomationSession.
2986
2987 2016-02-22  Brian Burg  <bburg@apple.com>
2988
2989         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2990         https://bugs.webkit.org/show_bug.cgi?id=154509
2991         <rdar://problem/24759098>
2992
2993         Reviewed by Timothy Hatcher.
2994
2995         Add a new 'WebKit' framework, which is used to generate protocol code
2996         in WebKit2.
2997
2998         Add --backend and --frontend flags to the main generator script.
2999         These allow a framework to trigger two different sets of generators
3000         so they can be separately generated and compiled.
3001
3002         * inspector/scripts/codegen/models.py:
3003         (Framework.fromString):
3004         (Frameworks): Add new framework.
3005
3006         * inspector/scripts/generate-inspector-protocol-bindings.py:
3007         If neither --backend nor --frontend is specified, assume both are wanted.
3008         This matches the behavior for JavaScriptCore and WebInspector frameworks.
3009
3010         (generate_from_specification):
3011         Generate C++ files for the backend and Objective-C files for the frontend.
3012
3013 2016-02-22  Saam barati  <sbarati@apple.com>
3014
3015         JSGlobalObject doesn't visit ProxyObjectStructure during GC
3016         https://bugs.webkit.org/show_bug.cgi?id=154564
3017
3018         Rubber stamped by Mark Lam.
3019
3020         * runtime/JSGlobalObject.cpp:
3021         (JSC::JSGlobalObject::visitChildren):
3022
3023 2016-02-22  Saam barati  <sbarati@apple.com>
3024
3025         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
3026         https://bugs.webkit.org/show_bug.cgi?id=154548
3027
3028         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
3029
3030         InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw 
3031         an exception. Neither the function nor the call sites of the function took this into
3032         account. This patch audits the call sites of the function to make it work in
3033         the event that an exception is thrown.
3034
3035         * runtime/BooleanConstructor.cpp:
3036         (JSC::constructWithBooleanConstructor):
3037         * runtime/DateConstructor.cpp:
3038         (JSC::constructDate):
3039         * runtime/ErrorConstructor.cpp:
3040         (JSC::Interpreter::constructWithErrorConstructor):
3041         * runtime/FunctionConstructor.cpp:
3042         (JSC::constructFunctionSkippingEvalEnabledCheck):
3043         * runtime/InternalFunction.cpp:
3044         (JSC::InternalFunction::createSubclassStructure):
3045         * runtime/JSArrayBufferConstructor.cpp:
3046         (JSC::constructArrayBuffer):
3047         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3048         (JSC::constructGenericTypedArrayView):
3049         * runtime/JSGlobalObject.h:
3050         (JSC::constructEmptyArray):
3051         (JSC::constructArray):
3052         (JSC::constructArrayNegativeIndexed):
3053         * runtime/JSPromiseConstructor.cpp:
3054         (JSC::constructPromise):
3055         * runtime/MapConstructor.cpp:
3056         (JSC::constructMap):
3057         * runtime/NativeErrorConstructor.cpp:
3058         (JSC::Interpreter::constructWithNativeErrorConstructor):
3059         * runtime/NumberConstructor.cpp:
3060         (JSC::constructWithNumberConstructor):
3061         * runtime/RegExpConstructor.cpp:
3062         (JSC::getRegExpStructure):
3063         (JSC::constructRegExp):
3064         (JSC::constructWithRegExpConstructor):
3065         * runtime/SetConstructor.cpp:
3066         (JSC::constructSet):
3067         * runtime/StringConstructor.cpp:
3068         (JSC::constructWithStringConstructor):
3069         (JSC::StringConstructor::getConstructData):
3070         * runtime/WeakMapConstructor.cpp:
3071         (JSC::constructWeakMap):
3072         * runtime/WeakSetConstructor.cpp:
3073         (JSC::constructWeakSet):
3074         * tests/stress/create-subclass-structure-might-throw.js: Added.
3075         (assert):
3076
3077 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
3078
3079         Fix build and implement functions to retrieve registers on FreeBSD
3080         https://bugs.webkit.org/show_bug.cgi?id=152258
3081
3082         Reviewed by Michael Catanzaro.
3083
3084         * heap/MachineStackMarker.cpp:
3085         (pthreadSignalHandlerSuspendResume):
3086         struct ucontext is not specified in POSIX and it is not available on
3087         FreeBSD. Replacing it with ucontext_t fixes the build problem.
3088         (JSC::MachineThreads::Thread::Registers::stackPointer):
3089         (JSC::MachineThreads::Thread::Registers::framePointer):
3090         (JSC::MachineThreads::Thread::Registers::instructionPointer):
3091         (JSC::MachineThreads::Thread::Registers::llintPC):
3092         * heap/MachineStackMarker.h:
3093
3094 2016-02-22  Saam barati  <sbarati@apple.com>
3095
3096         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
3097         https://bugs.webkit.org/show_bug.cgi?id=154552
3098
3099         Reviewed by Mark Lam.
3100
3101         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
3102         They return false on a Proxy with internal [[Call]] and [[Construct]]
3103         properties. It seems safest, most forward looking, and most adherent
3104         to the specification to check getCallData() and getConstructData() to
3105         implement these functions.
3106
3107         * runtime/InternalFunction.cpp:
3108         (JSC::InternalFunction::createSubclassStructure):
3109         * runtime/JSCJSValueInlines.h:
3110         (JSC::JSValue::isFunction):
3111         (JSC::JSValue::isConstructor):
3112
3113 2016-02-22  Keith Miller  <keith_miller@apple.com>
3114
3115         Bound functions should use the prototype of the function being bound
3116         https://bugs.webkit.org/show_bug.cgi?id=154195
3117
3118         Reviewed by Geoffrey Garen.
3119
3120         Per ES6, the result of Function.prototype.bind should have the same
3121         prototype as the function being bound. In order to avoid creating
3122         a new structure each time a function is bound we store the new
3123         structure in our structure map. However, we cannot currently store
3124         structures that have a different GlobalObject than their prototype.
3125         In the rare case that the GlobalObject differs or the prototype of
3126         the bindee is null we create a new structure each time. To further
3127         minimize new structures, as well as making structure lookup faster,
3128         we also store the structure in the RareData of the function we
3129         are binding.
3130
3131         * runtime/FunctionRareData.cpp:
3132         (JSC::FunctionRareData::visitChildren):
3133         * runtime/FunctionRareData.h:
3134         (JSC::FunctionRareData::getBoundFunctionStructure):
3135         (JSC::FunctionRareData::setBoundFunctionStructure):
3136         * runtime/JSBoundFunction.cpp:
3137         (JSC::getBoundFunctionStructure):
3138         (JSC::JSBoundFunction::create):
3139         * tests/es6.yaml:
3140         * tests/stress/bound-function-uses-prototype.js: Added.
3141         (testChangeProto.foo):
3142         (testChangeProto):
3143         (testBuiltins):
3144         * tests/stress/class-subclassing-function.js:
3145
3146 2016-02-22  Keith Miller  <keith_miller@apple.com>
3147
3148         Unreviewed, fix stress test to not print on success.
3149
3150         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
3151         (catch): Deleted.
3152
3153 2016-02-22  Keith Miller  <keith_miller@apple.com>
3154
3155         Use Symbol.species in the builtin TypedArray.prototype functions
3156         https://bugs.webkit.org/show_bug.cgi?id=153384
3157
3158         Reviewed by Geoffrey Garen.
3159
3160         This patch adds the use of species constructors to the TypedArray.prototype map and filter
3161         functions. It also adds a new private function typedArrayGetOriginalConstructor that
3162         returns the TypedArray constructor used to originally create a TypedArray instance.
3163
3164         There are no ES6 tests to update for this patch as species creation for these functions is
3165         not tested in the compatibility table.
3166
3167         * builtins/TypedArrayPrototype.js:
3168         (map):
3169         (filter):
3170         * bytecode/BytecodeIntrinsicRegistry.cpp:
3171         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3172         * bytecode/BytecodeIntrinsicRegistry.h:
3173         * runtime/CommonIdentifiers.h:
3174         * runtime/JSGlobalObject.cpp:
3175         (JSC::JSGlobalObject::init):
3176         (JSC::JSGlobalObject::visitChildren):
3177         * runtime/JSGlobalObject.h:
3178         (JSC::JSGlobalObject::typedArrayConstructor):
3179         * runtime/JSTypedArrayViewPrototype.cpp:
3180         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
3181         * runtime/JSTypedArrayViewPrototype.h:
3182         * tests/stress/typedarray-filter.js:
3183         (subclasses.typedArrays.map):
3184         (prototype.accept):
3185         (testSpecies):
3186         (accept):
3187         (forEach):
3188         (subclasses.forEach):
3189         (testSpeciesRemoveConstructor):
3190         * tests/stress/typedarray-map.js:
3191         (subclasses.typedArrays.map):
3192         (prototype.id):
3193         (testSpecies):
3194         (id):
3195         (forEach):
3196         (subclasses.forEach):
3197         (testSpeciesRemoveConstructor):
3198
3199 2016-02-22  Keith Miller  <keith_miller@apple.com>
3200
3201         Builtins that should not rely on iteration do.
3202         https://bugs.webkit.org/show_bug.cgi?id=154475
3203
3204         Reviewed by Geoffrey Garen.
3205
3206         When changing the behavior of varargs calls to use ES6 iterators the
3207         call builtin function's use of a varargs call was overlooked. The use
3208         of iterators is observable outside the scope of the call function,
3209         thus it must be reimplemented.
3210
3211         * builtins/FunctionPrototype.js:
3212         (call):
3213         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
3214         (test):
3215         (addAll):
3216         (catch):
3217
3218 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
3219
3220         [JSC shell] Don't put empty arguments array to VM.
3221         https://bugs.webkit.org/show_bug.cgi?id=154516
3222
3223         Reviewed by Geoffrey Garen.
3224
3225         This allows arrowfunction-lexical-bind-arguments-top-level test to pass
3226         in jsc as well as in browser.
3227
3228         * jsc.cpp:
3229         (GlobalObject::finishCreation):
3230
3231 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
3232
3233         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
3234         https://bugs.webkit.org/show_bug.cgi?id=154450
3235
3236         Reviewed by Alex Christensen.
3237
3238         * CMakeLists.txt:
3239
3240 2016-02-22  Commit Queue  <commit-queue@webkit.org>
3241
3242         Unreviewed, rolling out r196891.
3243         https://bugs.webkit.org/show_bug.cgi?id=154539
3244
3245         it broke Production builds (Requested by brrian on #webkit).
3246
3247         Reverted changeset:
3248
3249         "Web Inspector: add 'Automation' protocol domain and generate
3250         its backend classes separately in WebKit2"
3251         https://bugs.webkit.org/show_bug.cgi?id=154509
3252         http://trac.webkit.org/changeset/196891
3253
3254 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
3255
3256         CodeBlock always visits its unlinked code twice
3257         https://bugs.webkit.org/show_bug.cgi?id=154494
3258
3259         Reviewed by Saam Barati.
3260
3261         * bytecode/CodeBlock.cpp:
3262         (JSC::CodeBlock::visitChildren):
3263         The unlinked code is always visited in stronglyVisitStrongReferences.
3264
3265 2016-02-21  Brian Burg  <bburg@apple.com>
3266
3267         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
3268         https://bugs.webkit.org/show_bug.cgi?id=154509
3269         <rdar://problem/24759098>
3270
3271         Reviewed by Timothy Hatcher.
3272
3273         Add a new 'WebKit' framework, which is used to generate protocol code
3274         in WebKit2.
3275
3276         Add --backend and --frontend flags to the main generator script.
3277         These allow a framework to trigger two different sets of generators
3278         so they can be separately generated and compiled.
3279
3280         * inspector/scripts/codegen/models.py:
3281         (Framework.fromString):
3282         (Frameworks): Add new framework.
3283
3284         * inspector/scripts/generate-inspector-protocol-bindings.py:
3285         If neither --backend nor --frontend is specified, assume both are wanted.
3286         This matches the behavior for JavaScriptCore and WebInspector frameworks.
3287
3288         (generate_from_specification):
3289         Generate C++ files for the backend and Objective-C files for the frontend.
3290
3291 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3292
3293         Improvements to Intl code
3294         https://bugs.webkit.org/show_bug.cgi?id=154486
3295
3296         Reviewed by Darin Adler.
3297
3298         This patch does several things:
3299         - Use std::unique_ptr to store ICU objects.
3300         - Pass Vector::size() to ICU functions that take a buffer size instead
3301           of Vector::capacity().
3302         - If U_SUCCESS(status) is true, it means there is no error, but there
3303           could be warnings. ICU functions ignore warnings. So, there is no need
3304           to reset status to U_ZERO_ERROR.
3305         - Remove the initialization of the String instance variables of
3306           IntlDateTimeFormat. These values are never read and cause unnecessary
3307           memory allocation.
3308         - Fix coding style.
3309         - Some small optimization.
3310
3311         * runtime/IntlCollator.cpp:
3312         (JSC::IntlCollator::UCollatorDeleter::operator()):
3313         (JSC::IntlCollator::createCollator):
3314         (JSC::IntlCollator::compareStrings):
3315         (JSC::IntlCollator::~IntlCollator): Deleted.
3316         * runtime/IntlCollator.h:
3317         * runtime/IntlDateTimeFormat.cpp:
3318         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
3319         (JSC::defaultTimeZone):
3320         (JSC::canonicalizeTimeZoneName):
3321         (JSC::toDateTimeOptionsAnyDate):
3322         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3323         (JSC::IntlDateTimeFormat::weekdayString):
3324         (JSC::IntlDateTimeFormat::format):
3325         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
3326         (JSC::localeData): Deleted.
3327         * runtime/IntlDateTimeFormat.h:
3328         * runtime/IntlDateTimeFormatConstructor.cpp:
3329         * runtime/IntlNumberFormatConstructor.cpp:
3330         * runtime/IntlObject.cpp:
3331         (JSC::numberingSystemsForLocale):
3332
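The following is an added example, not JavaScriptCore or ICU code, illustrating two points of the entry above: owning an ICU-style C handle through std::unique_ptr with a custom deleter, and handing the C API the buffer's size() rather than its capacity(). mock_open, mock_close, mock_format, MockFormatter and the MockStatus values are constructed stand-ins for an ICU handle, its open/close pair, a udat_format()-style call and UErrorCode; std::vector stands in for WTF::Vector.

```cpp
// Added example (not JavaScriptCore or ICU code). mock_open/mock_close/
// mock_format and MockStatus are constructed stand-ins for an ICU handle,
// its open/close pair, a udat_format()-style call and UErrorCode.
#include <cstdint>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Mock UErrorCode: as in ICU, warnings are negative, success is 0, errors are
// positive, and U_SUCCESS() is true for both warnings and U_ZERO_ERROR.
enum MockStatus { U_USING_DEFAULT_WARNING = -127, U_ZERO_ERROR = 0, U_BUFFER_OVERFLOW_ERROR = 15 };
inline bool U_SUCCESS(MockStatus s) { return s <= U_ZERO_ERROR; }

struct MockFormatter { std::string prefix; };
MockFormatter* mock_open(const char* prefix) { return new MockFormatter{prefix}; }
void mock_close(MockFormatter* f) { delete f; }

// Mock of an ICU formatting call: does nothing if the incoming status is already
// a failure (ICU's convention), writes at most destCapacity chars into dest, and
// returns the full length needed, setting U_BUFFER_OVERFLOW_ERROR when dest is too small.
int32_t mock_format(const MockFormatter* f, const std::string& value,
                    char* dest, int32_t destCapacity, MockStatus* status)
{
    if (!U_SUCCESS(*status))
        return 0;
    std::string out = f->prefix + value;
    int32_t needed = static_cast<int32_t>(out.size());
    int32_t written = needed <= destCapacity ? needed : destCapacity;
    std::memcpy(dest, out.data(), static_cast<size_t>(written));
    *status = needed <= destCapacity ? U_ZERO_ERROR : U_BUFFER_OVERFLOW_ERROR;
    return needed;
}

// unique_ptr with a custom deleter: the handle is closed exactly once on every
// exit path, the role the entry's UCollatorDeleter/UDateFormatDeleter play.
struct MockFormatterDeleter {
    void operator()(MockFormatter* f) const { mock_close(f); }
};
using FormatterPtr = std::unique_ptr<MockFormatter, MockFormatterDeleter>;

// Defective form: advertises buffer.capacity() to the C API but reads back only
// buffer.size(). The overflow path is never taken, and the result is silently truncated.
std::string formatUsingCapacity(const std::string& value)
{
    FormatterPtr f(mock_open("value="));
    std::vector<char> buffer(8);
    buffer.reserve(64);                       // capacity is now 64 while size stays 8
    MockStatus status = U_ZERO_ERROR;
    mock_format(f.get(), value, buffer.data(),
                static_cast<int32_t>(buffer.capacity()), &status);   // wrong size
    return std::string(buffer.data(), buffer.size());                 // truncated to 8 chars
}

// Corrected form: the advertised size is buffer.size(); on U_BUFFER_OVERFLOW_ERROR
// the buffer is resized to the reported length and the call is retried. The status
// is reset only because the first call failed; after a success (including a
// warning, which U_SUCCESS still reports as success) there is nothing to reset.
std::string formatUsingSize(const std::string& value)
{
    FormatterPtr f(mock_open("value="));
    std::vector<char> buffer(8);
    MockStatus status = U_ZERO_ERROR;
    int32_t needed = mock_format(f.get(), value, buffer.data(),
                                 static_cast<int32_t>(buffer.size()), &status);
    if (status == U_BUFFER_OVERFLOW_ERROR) {
        buffer.resize(static_cast<size_t>(needed));
        status = U_ZERO_ERROR;                // required: the API ignores calls made with a failing status
        needed = mock_format(f.get(), value, buffer.data(),
                             static_cast<int32_t>(buffer.size()), &status);
    }
    if (!U_SUCCESS(status))
        return std::string();
    return std::string(buffer.data(), static_cast<size_t>(needed));
}
```

With the input "abcdef", formatUsingSize() goes through the overflow-and-retry path and yields "value=abcdef", while formatUsingCapacity() never sees the overflow (the API was told it had 64 characters) and returns the truncated "value=ab". The capacity of a vector is an allocation detail the caller does not control; the size is the contract the caller actually honours when it reads the result back, so it is the only value that can safely be passed as a buffer length.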
3333 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
3334
3335         Remove arrowfunction test cases that rely on arguments variable in jsc
3336         https://bugs.webkit.org/show_bug.cgi?id=154517
3337
3338         Reviewed by Yusuke Suzuki.
3339
3340         Allow jsc to have the same behavior in JavaScript as the browser has
3341
3342         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
3343         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
3344
3345 2016-02-21  Brian Burg  <bburg@apple.com>
3346
3347         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
3348         https://bugs.webkit.org/show_bug.cgi?id=154508
3349         <rdar://problem/24759077>
3350
3351         Reviewed by Timothy Hatcher.
3352