Update supported platforms in xcconfig files to match the sdk names.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-07-13  Enrica Casucci  <enrica@apple.com>
2
3         Update supported platforms in xcconfig files to match the sdk names.
4         https://bugs.webkit.org/show_bug.cgi?id=159728
5
6         Reviewed by Tim Horton.
7
8         * Configurations/Base.xcconfig:
9
10 2016-07-13  Csaba Osztrogonác  <ossy@webkit.org>
11
12         CLoop buildfix after r203142
13         https://bugs.webkit.org/show_bug.cgi?id=159706
14
15         Unreviewed buildfix.
16
17         * interpreter/CLoopStack.cpp:
18         (JSC::CLoopStack::isSafeToRecurse):
19         * interpreter/CLoopStack.h:
20         * interpreter/CLoopStackInlines.h:
21         (JSC::CLoopStack::isSafeToRecurse): Deleted.
22
23 2016-07-12  Benjamin Poulain  <bpoulain@apple.com>
24
25         [JSC] Array.prototype.join() fails some conformance tests
26         https://bugs.webkit.org/show_bug.cgi?id=159657
27
28         Reviewed by Saam Barati.
29
30         There were a couple of failures:
31         -separator.toString() was called *before* we get the length
32          and process ToLength() on it.
33         -We were using toUInt32() on length instead of ToLength(),
34          failing on big integers and various negative numbers.
35
36         Additionally, I replaced the "fast" ArrayStorage path
37         by a fully generic implementation that does not depend on StringJoiner.
38
39         The reason is StringJoiner was doing poorly on sparse objects
40         in certain cases.
41         If you have a sparse object with a length > INT_MAX but very few
42         indices defined, and you join on the empty string, it should be possible
43         to join the array (albeit very slowly). With StringJoiner, we fail
44         because we try to allocate > INT_MAX empty strings in a contiguous vector.
45
46         * runtime/ArrayPrototype.cpp:
47         (JSC::slowJoin):
48         (JSC::canUseFastJoin):
49         (JSC::fastJoin):
50         (JSC::arrayProtoFuncJoin):
51         (JSC::join): Deleted.
52         * runtime/JSArray.h:
53         (JSC::toLength):
54
55 2016-07-12  Mark Lam  <mark.lam@apple.com>
56
57         Gardening: C Loop build fix after r203142.
58
59         Not reviewed.
60
61         * interpreter/CLoopStackInlines.h:
62         (JSC::CLoopStack::isSafeToRecurse):
63
64 2016-07-12  Commit Queue  <commit-queue@webkit.org>
65
66         Unreviewed, rolling out r203131.
67         https://bugs.webkit.org/show_bug.cgi?id=159698
68
69         This change caused an existing LayoutTest to time out on debug
70         testers (Requested by ryanhaddad on #webkit).
71
72         Reverted changeset:
73
74         "[JSC] Array.prototype.join() fails some conformance tests"
75         https://bugs.webkit.org/show_bug.cgi?id=159657
76         http://trac.webkit.org/changeset/203131
77
78 2016-07-12  Mark Lam  <mark.lam@apple.com>
79
80         We should use different stack limits for stack checks from JS and host code.
81         https://bugs.webkit.org/show_bug.cgi?id=159442
82         <rdar://problem/26889188>
83
84         Reviewed by Geoffrey Garen.
85
86         We have 2 stack reservedZoneSizes:
87         1. Options::softReservedZoneSize()
88         2. Options::reservedZoneSize()
89
90         Respectively, these are used to define 2 stack limits based on these reserved
91         zone sizes:
92         1. VM::m_softStackLimit
93         2. VM::m_stackLimit
94
95         Options::reservedZoneSize() is the amount of the stack space that JSC guarantees
96         to the VM and client host code for its use.  Host code that has well-known
97         stack usage characteristics (i.e. doesn't call arbitrary code) may do stack
98         checks against the VM::m_stackLimit limit (which is computed using
99         Options::reservedZoneSize()).
100
101         Options::softReservedZoneSize() is a more conservative amount of reserved stack
102         space.  This is used to compute the VM::m_softStackLimit limit.  Any code that
103         is difficult to have its stack usage characterized (i.e. may call arbitrary code)
104         may need more stack space for its work.  Hence, these should do stack checks
105         against the VM::m_softStackLimit limit.
106
107         JS code and host code that may call into JS code fall into the category of code
108         that may call arbitrary code.  Hence, they should do stack checks against the
109         VM::m_softStackLimit limit.
110
111         Accordingly, the VM now provides 2 recursion check functions:
112
113         1. VM::isSafeToRecurseSoft() will do a stack check against VM::m_softStackLimit.
114            In addition, for C Loop builds, VM::isSafeToRecurseSoft() will also
115            check the CLoopStack against VM::m_cloopStackLimit.
116
117         2. VM::isSafeToRecurse() will do a stack check against VM::m_stackLimit.
118
119         Also added a promise-infinite-recursion-should-not-crash.js test.
120
121         * bytecompiler/BytecodeGenerator.h:
122         (JSC::BytecodeGenerator::emitNodeInTailPosition):
123         (JSC::BytecodeGenerator::emitNodeInConditionContext):
124         * interpreter/CLoopStack.cpp:
125         (JSC::CLoopStack::grow):
126         * interpreter/CLoopStack.h:
127         (JSC::CLoopStack::size):
128         * interpreter/CLoopStackInlines.h:
129         (JSC::CLoopStack::ensureCapacityFor):
130         (JSC::CLoopStack::isSafeToRecurse):
131         (JSC::CLoopStack::topOfFrameFor):
132         * interpreter/CachedCall.h:
133         (JSC::CachedCall::CachedCall):
134         * interpreter/Interpreter.cpp:
135         (JSC::Interpreter::execute):
136         (JSC::Interpreter::executeCall):
137         (JSC::Interpreter::executeConstruct):
138         * llint/LLIntSlowPaths.cpp:
139         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
140         * parser/Parser.cpp:
141         * runtime/Options.h:
142         * runtime/ProxyObject.cpp:
143         (JSC::performProxyGet):
144         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
145         (JSC::ProxyObject::performHasProperty):
146         (JSC::ProxyObject::getOwnPropertySlotCommon):
147         (JSC::ProxyObject::performPut):
148         (JSC::performProxyCall):
149         (JSC::performProxyConstruct):
150         (JSC::ProxyObject::performDelete):
151         (JSC::ProxyObject::performPreventExtensions):
152         (JSC::ProxyObject::performIsExtensible):
153         (JSC::ProxyObject::performDefineOwnProperty):
154         (JSC::ProxyObject::performGetOwnPropertyNames):
155         (JSC::ProxyObject::performSetPrototype):
156         (JSC::ProxyObject::performGetPrototype):
157         * runtime/RegExp.cpp:
158         (JSC::RegExp::finishCreation):
159         (JSC::RegExp::compile):
160         (JSC::RegExp::compileMatchOnly):
161         * runtime/StringRecursionChecker.h:
162         (JSC::StringRecursionChecker::performCheck):
163         * runtime/VM.cpp:
164         (JSC::VM::setStackPointerAtVMEntry):
165         (JSC::VM::updateSoftReservedZoneSize):
166         (JSC::preCommitStackMemory):
167         (JSC::VM::updateStackLimits):
168         (JSC::VM::updateStackLimit): Deleted.
169         * runtime/VM.h:
170         (JSC::VM::stackLimit):
171         (JSC::VM::softStackLimit):
172         (JSC::VM::addressOfSoftStackLimit):
173         (JSC::VM::setCLoopStackLimit):
174         (JSC::VM::isSafeToRecurse):
175         (JSC::VM::lastStackTop):
176         (JSC::VM::setException):
177         * runtime/VMInlines.h:
178         (JSC::VM::ensureStackCapacityFor):
179         (JSC::VM::isSafeToRecurseSoft):
180         (JSC::VM::shouldTriggerTermination):
181         * tests/stress/promise-infinite-recursion-should-not-crash.js: Added.
182         (testPromise):
183         (promiseFunc):
184         * yarr/YarrPattern.cpp:
185
186 2016-07-12  Per Arne Vollan  <pvollan@apple.com>
187
188         [Win] Fix for build error when trying to version stamp dll.
189         https://bugs.webkit.org/show_bug.cgi?id=159692
190
191         Reviewed by Brent Fulgham.
192
193         Use correct path to version stamp script.
194
195         * CMakeLists.txt:
196
197 2016-07-12  Benjamin Poulain  <bpoulain@apple.com>
198
199         [JSC] Array.prototype.join() fails some conformance tests
200         https://bugs.webkit.org/show_bug.cgi?id=159657
201
202         Reviewed by Saam Barati.
203
204         There were a couple of failures:
205         -separator.toString() was called *before* we get the length
206          and process ToLength() on it.
207         -We were using toUInt32() on length instead of ToLength(),
208          failing on big integers and various negative numbers.
209
210         Additionally, I replaced the "fast" ArrayStorage path
211         by a fully generic implementation that does not depend on StringJoiner.
212
213         The reason is StringJoiner was doing poorly on sparse objects
214         in certain cases.
215         If you have a sparse object with a length > INT_MAX but very few
216         indices defined, and you join on the empty string, it should be possible
217         to join the array (albeit very slowly). With StringJoiner, we fail
218         because we try to allocate > INT_MAX empty strings in a contiguous vector.
219
220         * runtime/ArrayPrototype.cpp:
221         (JSC::slowJoin):
222         (JSC::canUseFastJoin):
223         (JSC::fastJoin):
224         (JSC::arrayProtoFuncJoin):
225         (JSC::join): Deleted.
226         * runtime/JSArray.h:
227         (JSC::toLength):
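The two conformance points described in this entry and in its relanding earlier on this page (ToLength on the length rather than ToUint32, and reading the length before the separator is stringified), together with the sparse-object case, as an added example in JavaScript. It is not JavaScriptCore code and is not part of this ChangeLog; specJoin, toLength, toUint32, sparseJoinEmpty and observeOrder are this example's own names, and the array-likes it constructs are made up for the demonstration.

```javascript
// Added example, not JavaScriptCore code. A spec-shaped Array.prototype.join
// (ES2016 22.1.3.13) showing the two fixed points: ToLength instead of
// ToUint32 on "length", and "length" read before the separator is stringified.
// specJoin, toLength, toUint32, sparseJoinEmpty and observeOrder are this
// example's own names.

function toIntegerOrInfinity(v) {
  const n = Number(v);
  if (Number.isNaN(n) || n === 0) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// ToLength: clamp to [0, 2^53 - 1]. Negative and NaN lengths become 0.
function toLength(v) {
  const n = toIntegerOrInfinity(v);
  return n <= 0 ? 0 : Math.min(n, Number.MAX_SAFE_INTEGER);
}

// ToUint32, the conversion the old code used: wraps modulo 2^32, so
// -1 becomes 4294967295 and 2^32 + 1 becomes 1.
function toUint32(v) {
  return Number(v) >>> 0;
}

// Generic join: ToObject, then ToLength(length), then ToString(separator),
// then one Get per index. Holes, undefined and null contribute "".
function specJoin(thisValue, separator) {
  const O = Object(thisValue);
  const len = toLength(O.length);
  const sep = separator === undefined ? ',' : String(separator);
  let out = '';
  for (let k = 0; k < len; k++) {
    if (k > 0) out += sep;
    const e = O[k];
    if (e !== undefined && e !== null) out += String(e);
  }
  return out;
}

// The sparse case from the ChangeLog: with an empty separator only the
// defined indices contribute, so a huge "length" need not be walked.
// Assumes no indexed properties on the prototype chain; if there are any,
// they are visible through Get and the generic walk above is required.
function sparseJoinEmpty(thisValue) {
  const O = Object(thisValue);
  const len = toLength(O.length);
  const indices = Object.keys(O)
    .filter(k => String(Number(k)) === k)          // canonical numeric strings only
    .map(Number)
    .filter(n => Number.isInteger(n) && n >= 0 && n < len)
    .sort((a, b) => a - b);
  let out = '';
  for (const k of indices) {
    const e = O[k];
    if (e !== undefined && e !== null) out += String(e);
  }
  return out;
}

// Records the order in which "length" and the separator are observed by a
// join implementation: the spec requires "length" first.
function observeOrder(joinFn) {
  const log = [];
  const arrayLike = { get length() { log.push('length'); return 1; }, 0: 'x' };
  const sep = { toString() { log.push('separator'); return '-'; } };
  joinFn(arrayLike, sep);
  return log;
}
```

observeOrder can be pointed at the engine's own join (`(o, s) => Array.prototype.join.call(o, s)`) to check that a given engine honours the same order; the getter and toString side effects are exactly the observable behaviour the conformance tests exercise.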
228
229 2016-07-12  Mark Lam  <mark.lam@apple.com>
230
231         More stack limit and reserved zone renaming.
232         https://bugs.webkit.org/show_bug.cgi?id=159690
233
234         Rubber-stamped by Geoffrey Garen.
235
236         We should rename the following:
237             osStackLimitWithReserve => softStackLimit
238             reservedZoneSize => softReservedZoneSize
239             errorModeReservedZoneSize => reservedZoneSize
240
241         * API/tests/PingPongStackOverflowTest.cpp:
242         (testPingPongStackOverflow):
243         * dfg/DFGJITCompiler.cpp:
244         (JSC::DFG::JITCompiler::compile):
245         (JSC::DFG::JITCompiler::compileFunction):
246         * ftl/FTLLowerDFGToB3.cpp:
247         (JSC::FTL::DFG::LowerDFGToB3::lower):
248         * interpreter/CLoopStack.cpp:
249         (JSC::CLoopStack::CLoopStack):
250         (JSC::CLoopStack::grow):
251         (JSC::CLoopStack::releaseExcessCapacity):
252         (JSC::CLoopStack::addToCommittedByteCount):
253         (JSC::CLoopStack::setSoftReservedZoneSize):
254         (JSC::CLoopStack::setReservedZoneSize): Deleted.
255         * interpreter/CLoopStack.h:
256         (JSC::CLoopStack::size):
257         * interpreter/CLoopStackInlines.h:
258         (JSC::CLoopStack::shrink):
259         * jit/JIT.cpp:
260         (JSC::JIT::compileWithoutLinking):
261         * jit/SetupVarargsFrame.cpp:
262         (JSC::emitSetupVarargsFrameFastCase):
263         * llint/LLIntSlowPaths.cpp:
264         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
265         * llint/LowLevelInterpreter.asm:
266         * llint/LowLevelInterpreter32_64.asm:
267         * llint/LowLevelInterpreter64.asm:
268         * runtime/ErrorHandlingScope.cpp:
269         (JSC::ErrorHandlingScope::ErrorHandlingScope):
270         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
271         * runtime/ErrorHandlingScope.h:
272         * runtime/Options.h:
273         * runtime/RegExp.cpp:
274         (JSC::RegExp::finishCreation):
275         (JSC::RegExp::compile):
276         (JSC::RegExp::compileMatchOnly):
277         * runtime/VM.cpp:
278         (JSC::VM::VM):
279         (JSC::VM::setStackPointerAtVMEntry):
280         (JSC::VM::updateSoftReservedZoneSize):
281         (JSC::VM::updateStackLimit):
282         (JSC::VM::updateReservedZoneSize): Deleted.
283         * runtime/VM.h:
284         (JSC::VM::stackPointerAtVMEntry):
285         (JSC::VM::softReservedZoneSize):
286         (JSC::VM::softStackLimit):
287         (JSC::VM::addressOfSoftStackLimit):
288         (JSC::VM::cloopStackLimit):
289         (JSC::VM::setCLoopStackLimit):
290         (JSC::VM::isSafeToRecurse):
291         (JSC::VM::reservedZoneSize): Deleted.
292         (JSC::VM::osStackLimitWithReserve): Deleted.
293         (JSC::VM::addressOfOSStackLimitWithReserve): Deleted.
294         * runtime/VMInlines.h:
295         (JSC::VM::ensureStackCapacityFor):
296         * wasm/WASMFunctionCompiler.h:
297         (JSC::WASMFunctionCompiler::startFunction):
298
299 2016-07-12  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
300
301         Remove ENABLE_CSS3_TEXT_LINE_BREAK flag
302         https://bugs.webkit.org/show_bug.cgi?id=159671
303
304         Reviewed by Csaba Osztrogonác.
305
306         ENABLE_CSS3_TEXT_LINE_BREAK feature was implemented without guards.
307         https://bugs.webkit.org/show_bug.cgi?id=89235
308
309         So this guard can be removed in build scripts.
310
311         * Configurations/FeatureDefines.xcconfig:
312
313 2016-07-12  Per Arne Vollan  <pvollan@apple.com>
314
315         [Win] DLLs are missing version information.
316         https://bugs.webkit.org/show_bug.cgi?id=159349
317
318         Reviewed by Brent Fulgham.
319
320         Generate autoversion.h and run perl version stamp utility.
321
322         * CMakeLists.txt:
323
324 2016-07-11  Caio Lima  <ticaiolima@gmail.com>
325
326         ECMAScript 2016: %TypedArray%.prototype.includes implementation
327         https://bugs.webkit.org/show_bug.cgi?id=159385
328
329         Reviewed by Benjamin Poulain.
330
331         This patch implements the ECMAScript 2016:
332         %TypedArray%.prototype.includes
333         following spec 22.2.3.14
334         https://tc39.github.io/ecma262/2016/#sec-%typedarray%.prototype.includes
335
336         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
337         (JSC::genericTypedArrayViewProtoFuncIncludes):
338         * runtime/JSTypedArrayViewPrototype.cpp:
339         (JSC::typedArrayViewProtoFuncIncludes):
340         (JSC::JSTypedArrayViewPrototype::finishCreation):
341
342 2016-07-11  Benjamin Poulain  <benjamin@webkit.org>
343
344         [JSC] Array.from() and Array.of() try to build objects even if "this" is not a constructor
345         https://bugs.webkit.org/show_bug.cgi?id=159604
346
347         Reviewed by Yusuke Suzuki.
348
349         The spec says IsConstructor(), we were just checking if "this"
350         is any function.
351
352         * builtins/ArrayConstructor.js:
353         (of):
354         (from):
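The IsConstructor distinction this entry relies on, as an added example in JavaScript that is not JavaScriptCore code and not part of this ChangeLog. isConstructor, arrayOf, Bag and notCtor are this example's own names; the Reflect.construct probe is a standard way to test for [[Construct]] without calling the function.

```javascript
// Added example, not JavaScriptCore code. IsConstructor is not "is a
// function": arrow functions, methods and most built-ins are callable but
// have no [[Construct]]. isConstructor, arrayOf, Bag and notCtor are this
// example's own names.

// Reflect.construct validates newTarget with IsConstructor before invoking
// anything, so a TypeError here means fn has no [[Construct]]; fn never runs.
function isConstructor(fn) {
  if (typeof fn !== 'function') return false;
  try {
    Reflect.construct(function () {}, [], fn);
    return true;
  } catch (e) {
    return false;
  }
}

// Spec-shaped Array.of (ES2016 22.1.2.3): construct through C only when C is
// a constructor, otherwise fall back to a plain Array of the right length.
function arrayOf(C, ...items) {
  const len = items.length;
  const A = isConstructor(C) ? new C(len) : new Array(len);
  for (let k = 0; k < len; k++) {
    Object.defineProperty(A, k, {
      value: items[k], writable: true, enumerable: true, configurable: true,
    });
  }
  A.length = len;
  return A;
}

class Bag extends Array {}            // a real constructor: used as |this|
const notCtor = n => ({ length: n }); // callable, but has no [[Construct]]
```

The same probe can be pointed at the engine's own Array.of and Array.from (`Array.of.call(notCtor, 1, 2)` must yield a plain Array, `Array.from.call(Bag, [3, 4])` a Bag) to confirm the behaviour this entry fixes.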
355
356 2016-07-11  Keith Miller  <keith_miller@apple.com>
357
358         defineProperty on a index of a TypedArray should throw if configurable
359         https://bugs.webkit.org/show_bug.cgi?id=159653
360
361         Reviewed by Saam Barati.
362
363         When I fixed this before I misread the spec and thought it said we
364         should throw if the descriptor said the property is not
365         configurable. This is the opposite. We should throw if the
366         descriptor says the property is configurable.
367
368         * runtime/JSGenericTypedArrayViewInlines.h:
369         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
370         * tests/stress/typedarray-access-monomorphic-neutered.js:
371         * tests/stress/typedarray-access-neutered.js:
372         * tests/stress/typedarray-configure-index.js: Added.
373         (assert):
374         (assertThrows):
375         (makeDescriptor):
376         (test):
377
378 2016-07-11  Saam Barati  <sbarati@apple.com>
379
380         some paths in Array.prototype.splice don't account for the array not having certain indexed properties
381         https://bugs.webkit.org/show_bug.cgi?id=159641
382         <rdar://problem/27171999>
383
384         Reviewed by Filip Pizlo and Keith Miller.
385
386         Array.prototype.splice was incorrectly putting properties on
387         the result array even if the |this| array didn't have those
388         properties. This is not the behavior of the spec. However, this
389         could also cause a crash because we can construct a program where
390         we would putByIndex on a typed array where the value we are
391         putting is JSValue(). This is bad because the typed array will
392         try to convert JSValue() into an integer.
393
394         * runtime/ArrayPrototype.cpp:
395         (JSC::arrayProtoFuncSplice):
396         * tests/stress/array-prototype-splice-making-typed-array.js: Added.
397         (assert):
398         (test):
399
400 2016-07-11  Mark Lam  <mark.lam@apple.com>
401
402         Refactor JSStack to only be the stack data structure for the C Loop.
403         https://bugs.webkit.org/show_bug.cgi?id=159545
404
405         Reviewed by Geoffrey Garen.
406
407         Changes made:
408         1. Renamed JSStack to CLoopStack.
409         2. Made all of the CLoopStack code conditional on #if !ENABLE(JIT), i.e. it will
410            only be in effect for the C Loop build.
411         3. Changed clients of JSStack to use new equivalent VM APIs:
412             a. JSStack::ensureCapacityFor() => VM::ensureStackCapacityFor()
413             b. JSStack::committedByteCount() => VM::committedStackByteCount()
414         4. Made VM::updateReservedZoneSize() call CLoopStack::setReservedZoneSize()
415            instead of calling it from all the clients of VM::updateReservedZoneSize().
416         5. Removed all unnecessary references to JSStack.
417
418         * CMakeLists.txt:
419         * JavaScriptCore.xcodeproj/project.pbxproj:
420         * assembler/MaxFrameExtentForSlowPathCall.h:
421         * bytecode/BytecodeConventions.h:
422         * dfg/DFGGraph.h:
423         * dfg/DFGOSREntry.cpp:
424         (JSC::DFG::prepareOSREntry):
425         * ftl/FTLOSREntry.cpp:
426         (JSC::FTL::prepareOSREntry):
427         * heap/Heap.cpp:
428         (JSC::Heap::finalizeUnconditionalFinalizers):
429         (JSC::Heap::willStartIterating):
430         (JSC::Heap::gatherJSStackRoots):
431         (JSC::Heap::stack): Deleted.
432         * heap/Heap.h:
433         * interpreter/CLoopStack.cpp: Copied from Source/JavaScriptCore/interpreter/JSStack.cpp.
434         (JSC::commitSize):
435         (JSC::CLoopStack::CLoopStack):
436         (JSC::CLoopStack::~CLoopStack):
437         (JSC::CLoopStack::grow):
438         (JSC::CLoopStack::gatherConservativeRoots):
439         (JSC::CLoopStack::sanitizeStack):
440         (JSC::CLoopStack::releaseExcessCapacity):
441         (JSC::CLoopStack::addToCommittedByteCount):
442         (JSC::CLoopStack::setReservedZoneSize):
443         (JSC::CLoopStack::committedByteCount):
444         (JSC::JSStack::JSStack): Deleted.
445         (JSC::JSStack::~JSStack): Deleted.
446         (JSC::JSStack::growSlowCase): Deleted.
447         (JSC::JSStack::gatherConservativeRoots): Deleted.
448         (JSC::JSStack::sanitizeStack): Deleted.
449         (JSC::JSStack::releaseExcessCapacity): Deleted.
450         (JSC::JSStack::addToCommittedByteCount): Deleted.
451         (JSC::JSStack::setReservedZoneSize): Deleted.
452         (JSC::JSStack::lowAddress): Deleted.
453         (JSC::JSStack::highAddress): Deleted.
454         (JSC::JSStack::committedByteCount): Deleted.
455         * interpreter/CLoopStack.h: Copied from Source/JavaScriptCore/interpreter/JSStack.h.
456         (JSC::CLoopStack::containsAddress):
457         (JSC::CLoopStack::lowAddress):
458         (JSC::CLoopStack::highAddress):
459         (JSC::CLoopStack::reservationTop):
460         (JSC::JSStack::containsAddress): Deleted.
461         (JSC::JSStack::lowAddress): Deleted.
462         (JSC::JSStack::highAddress): Deleted.
463         (JSC::JSStack::reservationTop): Deleted.
464         * interpreter/CLoopStackInlines.h: Copied from Source/JavaScriptCore/interpreter/JSStackInlines.h.
465         (JSC::CLoopStack::ensureCapacityFor):
466         (JSC::CLoopStack::topOfFrameFor):
467         (JSC::CLoopStack::topOfStack):
468         (JSC::CLoopStack::shrink):
469         (JSC::CLoopStack::setCLoopStackLimit):
470         (JSC::JSStack::ensureCapacityFor): Deleted.
471         (JSC::JSStack::topOfFrameFor): Deleted.
472         (JSC::JSStack::topOfStack): Deleted.
473         (JSC::JSStack::shrink): Deleted.
474         (JSC::JSStack::grow): Deleted.
475         (JSC::JSStack::setCLoopStackLimit): Deleted.
476         * interpreter/CallFrame.cpp:
477         (JSC::CallFrame::unsafeCallSiteIndex):
478         (JSC::CallFrame::currentVPC):
479         (JSC::CallFrame::stack): Deleted.
480         * interpreter/CallFrame.h:
481         (JSC::ExecState::callerFrameAndPC):
482         (JSC::ExecState::unsafeCallerFrameAndPC):
483         * interpreter/Interpreter.cpp:
484         (JSC::sizeOfVarargs):
485         (JSC::sizeFrameForForwardArguments):
486         (JSC::sizeFrameForVarargs):
487         (JSC::Interpreter::Interpreter):
488         * interpreter/Interpreter.h:
489         (JSC::Interpreter::cloopStack):
490         (JSC::Interpreter::getOpcode):
491         (JSC::Interpreter::isCallBytecode):
492         (JSC::Interpreter::stack): Deleted.
493         * interpreter/JSStack.cpp: Removed.
494         * interpreter/JSStack.h: Removed.
495         * interpreter/JSStackInlines.h: Removed.
496         * interpreter/StackVisitor.cpp:
497         (JSC::StackVisitor::Frame::dump):
498         * jit/JIT.h:
499         * jit/JITOperations.cpp:
500         * jit/JSInterfaceJIT.h:
501         * jit/SpecializedThunkJIT.h:
502         * jit/ThunkGenerators.cpp:
503         * llint/LLIntOffsetsExtractor.cpp:
504         * llint/LLIntSlowPaths.cpp:
505         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
506         (JSC::LLInt::llint_stack_check_at_vm_entry):
507         * llint/LLIntThunks.cpp:
508         * llint/LowLevelInterpreter.cpp:
509         (JSC::CLoop::execute):
510         * runtime/CommonSlowPaths.cpp:
511         (JSC::SLOW_PATH_DECL):
512         * runtime/CommonSlowPaths.h:
513         (JSC::CommonSlowPaths::arityCheckFor):
514         * runtime/ErrorHandlingScope.cpp:
515         (JSC::ErrorHandlingScope::ErrorHandlingScope):
516         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
517         * runtime/JSGlobalObject.h:
518         * runtime/MemoryStatistics.cpp:
519         (JSC::globalMemoryStatistics):
520         * runtime/StackAlignment.h:
521         * runtime/VM.cpp:
522         (JSC::VM::VM):
523         (JSC::VM::updateReservedZoneSize):
524         (JSC::sanitizeStackForVM):
525         (JSC::VM::committedStackByteCount):
526         * runtime/VM.h:
527         (JSC::VM::reservedZoneSize):
528         (JSC::VM::osStackLimitWithReserve):
529         (JSC::VM::addressOfOSStackLimitWithReserve):
530         * runtime/VMInlines.h:
531         (JSC::VM::ensureStackCapacityFor):
532         (JSC::VM::shouldTriggerTermination):
533
534 2016-07-11  Keith Miller  <keith_miller@apple.com>
535
536         STP TypedArray.subarray 5x slowdown compared to 9.1
537         https://bugs.webkit.org/show_bug.cgi?id=156404
538         <rdar://problem/26493032>
539
540         Reviewed by Geoffrey Garen.
541
542         This patch moves the species constructor work for
543         %TypedArray%.prototype.subarray to a js wrapper. By moving the
544         species constructor work to JS we are able to completely optimize
545         it out in DFG. The actual work of creating a TypedArray is still
546         done in C++ since we are able to avoid calling into the
547         constructor, which is expensive. This patch also changes the error
548         message when a %TypedArray%.prototype function is passed a non-typed
549         array this value. Finally, we used to check that the this value
550         had not been detached, however, this behavior was incorrect.
551
552         * builtins/BuiltinNames.h:
553         * builtins/TypedArrayPrototype.js:
554         (globalPrivate.typedArraySpeciesConstructor):
555         (subarray):
556         * runtime/ConstructData.cpp:
557         (JSC::construct):
558         * runtime/ConstructData.h:
559         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
560         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
561         (JSC::genericTypedArrayViewProtoFuncSubarray): Deleted.
562         * runtime/JSGlobalObject.cpp:
563         (JSC::JSGlobalObject::init):
564         * runtime/JSTypedArrayViewPrototype.cpp:
565         (JSC::typedArrayViewPrivateFuncLength):
566         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
567         (JSC::JSTypedArrayViewPrototype::finishCreation):
568         (JSC::typedArrayViewProtoFuncSubarray): Deleted.
569         * runtime/JSTypedArrayViewPrototype.h:
570
571 2016-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
572
573         REGRESSION(r202992): JSC varargs tests are broken
574         https://bugs.webkit.org/show_bug.cgi?id=159616
575
576         Reviewed by Csaba Osztrogonác.
577
578         The substitution miss in r202992 causes varargs test failures in the GTK port.
579
580         * jit/SetupVarargsFrame.cpp:
581         (JSC::emitSetupVarargsFrameFastCase):
582
583 2016-07-10  Yusuke Suzuki  <utatane.tea@gmail.com>
584
585         [ES6] Promise.{all,race} no longer use @@species
586         https://bugs.webkit.org/show_bug.cgi?id=159615
587
588         Reviewed by Keith Miller.
589
590         As per the latest ES draft, Promise.{all,race} no longer use @@species.
591         So, this patch drops FIXMEs.
592
593         * builtins/PromiseConstructor.js:
594         (all):
595         (race):
596         * tests/stress/ignore-promise-species.js: Added.
597         (shouldBe):
598         (DerivedPromise.prototype.get Symbol):
599         (DerivedPromise):
600
601 2016-07-10  Commit Queue  <commit-queue@webkit.org>
602
603         Unreviewed, rolling out r203037.
604         https://bugs.webkit.org/show_bug.cgi?id=159614
605
606         The JSC tests are breaking in elcapitan-debug-tests-jsc and
607         elcapitan-release-tests-jsc (Requested by caiolima on
608         #webkit).
609
610         Reverted changeset:
611
612         "ECMAScript 2016: %TypedArray%.prototype.includes
613         implementation"
614         https://bugs.webkit.org/show_bug.cgi?id=159385
615         http://trac.webkit.org/changeset/203037
616
617 2016-07-10  Caio Lima  <ticaiolima@gmail.com>
618
619         ECMAScript 2016: %TypedArray%.prototype.includes implementation
620         https://bugs.webkit.org/show_bug.cgi?id=159385
621
622         Reviewed by Benjamin Poulain.
623
624         This patch implements the ECMAScript 2016:
625         %TypedArray%.prototype.includes
626         following spec 22.2.3.14
627         https://tc39.github.io/ecma262/2016/#sec-%typedarray%.prototype.includes
628
629         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
630         (JSC::genericTypedArrayViewProtoFuncIncludes):
631         * runtime/JSTypedArrayViewPrototype.cpp:
632         (JSC::typedArrayViewProtoFuncIncludes):
633         (JSC::JSTypedArrayViewPrototype::finishCreation):
634
635 2016-07-09  Filip Pizlo  <fpizlo@apple.com>
636
637         REGRESSION(201900): validation failure for GetByOffset/PutByOffset in VALIDATE((node), node->child1().node() == node->child2().node() || node->child1()->result() == NodeResultStorage)
638         https://bugs.webkit.org/show_bug.cgi?id=159603
639
640         Reviewed by Keith Miller.
641         
642         This removes an incorrect validation rule and replaces it with a FIXME about how to make this
643         aspect of IR easier to validate soundly.
644         
645         It's not valid to assert that two children of a node are the same. It should always be valid
646         to take:
647         
648         Foo(@x, @x)
649         
650         and turn it into:
651         
652         a: ValueRep(@x)
653         b: ValueRep(@x)
654         Foo(@a, @b)
655         
656         or even something like:
657         
658         y: Identity(@y)
659         Foo(@x, @y)
660         
661         That's because it should be possible to rewire any data flow edge to something that produces an
662         equivalent value.
663         
664         The validation rule that this patch removes meant that such rewirings were invalid on
665         GetByOffset/PutByOffset. FixupPhase did such a rewiring sometimes.
666
667         * dfg/DFGValidate.cpp:
668         * tests/stress/get-by-offset-double.js: Added.
669
670 2016-07-09  Keith Miller  <keith_miller@apple.com>
671
672         appendMemcpy might fail in concatAppendOne
673         https://bugs.webkit.org/show_bug.cgi?id=159601
674         <rdar://problem/27211300>
675
676         Reviewed by Mark Lam.
677
678         There are multiple reasons why we might fail appendMemcpy. One
679         reason, which I suspect was the source of the crashes, is that one
680         of the Array prototypes has an indexed property. This patch
681         consolidates the two old cases by just creating an array then
682         attempting to memcpy append. If that fails, we fall back to
683         moveElements.
684
685         * runtime/ArrayPrototype.cpp:
686         (JSC::concatAppendOne):
687         * tests/stress/concat-with-holesMustForwardToPrototype.js: Added.
688         (arrayEq):
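The rule behind this entry and the Array.prototype.splice entry further up the page (a hole is not a property, so each index must be checked with HasProperty, which consults the prototype chain, and only the indices that exist are defined on the result), as an added example in JavaScript. It is not JavaScriptCore code and not part of this ChangeLog; withIndexedPrototypeProperty, arraySpeciesCreate, specSpliceDelete, Recorder and SpeciesArray are this example's own names, and the Recorder species constructor is a constructed stand-in for the typed-array case the splice entry describes.

```javascript
// Added example, not JavaScriptCore code. A hole is not a property: splice and
// concat must ask HasProperty per index (own and prototype chain) and define
// only the indices that exist on the result. withIndexedPrototypeProperty,
// arraySpeciesCreate, specSpliceDelete, Recorder and SpeciesArray are this
// example's own names.

// Temporarily gives Array.prototype an indexed property so holes resolve to it.
function withIndexedPrototypeProperty(index, value, fn) {
  Object.defineProperty(Array.prototype, index, {
    value, writable: true, enumerable: true, configurable: true,
  });
  try {
    return fn();
  } finally {
    delete Array.prototype[index];
  }
}

// ArraySpeciesCreate (ES2016 9.4.2.3), spec-shaped: Reflect.construct throws
// the TypeError the spec requires when the species is not a constructor.
function arraySpeciesCreate(O, len) {
  let C;
  if (Array.isArray(O)) {
    C = O.constructor;
    if (C !== null && (typeof C === 'object' || typeof C === 'function')) {
      C = C[Symbol.species];
      if (C === null) C = undefined;
    }
  }
  if (C === undefined) return new Array(len);
  return Reflect.construct(C, [len]);
}

// The result-building half of Array.prototype.splice: HasProperty before each
// copy, so a hole in O stays a hole in A unless the prototype chain fills it.
// O itself is left untouched; only the returned array is of interest here.
function specSpliceDelete(O, start, deleteCount) {
  const A = arraySpeciesCreate(O, deleteCount);
  for (let k = 0; k < deleteCount; k++) {
    const from = start + k;
    if (from in O) {
      Object.defineProperty(A, k, {
        value: O[from], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  A.length = deleteCount;
  return A;
}

// A species constructor that is not an Array: it records exactly which
// indices the caller defines, so a wrongly-copied hole would show up as a key.
function Recorder(n) {
  this.length = n;
}
class SpeciesArray extends Array {
  static get [Symbol.species]() { return Recorder; }
}
```

Running the same inputs through the engine's own `splice` and `concat` (with and without the prototype property installed) is the practical check: the result must have no key for a hole, and must carry the prototype value when one is present.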
689
690 2016-07-09  Benjamin Poulain  <bpoulain@apple.com>
691
692         [JSC] Fix the Template Raw Value of \ (escape) + LineTerminatorSequence
693         https://bugs.webkit.org/show_bug.cgi?id=159595
694
695         Reviewed by Yusuke Suzuki.
696
697         The spec (https://tc39.github.io/ecma262/#sec-static-semantics-tv-and-trv)
698         says:
699         "The TRV of LineContinuation::\LineTerminatorSequence is the sequence
700          consisting of the code unit value 0x005C followed by the code units
701          of TRV of LineTerminatorSequence."
702         
703         We were not normalizing the LineTerminatorSequence in that case, but it should
704         be as it is the TRV of LineTerminatorSequence.
705
706         * parser/Lexer.cpp:
707         (JSC::Lexer<T>::parseTemplateLiteral):
708         * tests/stress/tagged-templates-raw-strings.js:
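The TRV rule quoted in this entry, as an added example in JavaScript that is not JavaScriptCore code and not part of this ChangeLog. templateRawValue computes the expected raw text from a source chunk, and engineRawValue and engineCookedValue compile the same chunk with new Function so the running engine's answer can be compared against it; all three are this example's own names, and the sample chunks are constructed for the demonstration.

```javascript
// Added example, not JavaScriptCore code. TRV normalisation from
// ES2016 11.8.6.1: in a template's raw text, <CR><LF> and a lone <CR> become
// <LF>, and that applies to the LineTerminatorSequence after a "\" as well.
// templateRawValue, engineRawValue and engineCookedValue are this example's
// own names.

// Expected raw value of a template chunk, computed from its source text.
// Only line terminators change; every other escape stays verbatim.
function templateRawValue(sourceChunk) {
  return sourceChunk.replace(/\r\n?/g, '\n');
}

// Builds a tagged template around the chunk and compiles it with new Function,
// which keeps the CR and LF bytes exactly as given, then returns strings.raw[0].
// The chunk must not contain a backtick or "${" or it would end the template.
function compileTemplate(sourceChunk, tag) {
  if (sourceChunk.includes('`') || sourceChunk.includes('${')) {
    throw new Error('chunk must not contain a backtick or ${');
  }
  return new Function('tag', 'return tag`' + sourceChunk + '`;')(tag);
}

// Raw value as the running engine lexes it.
function engineRawValue(sourceChunk) {
  return compileTemplate(sourceChunk, strings => strings.raw[0]);
}

// Cooked value for comparison: "\" + line terminator contributes nothing.
function engineCookedValue(sourceChunk) {
  return compileTemplate(sourceChunk, strings => strings[0]);
}
```

A chunk like `'a\\\r\nb'` (a, backslash, CR, LF, b) is the case this entry fixes: the raw value must be `a`, backslash, LF, `b`, while the cooked value is simply `ab`.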
709
710 2016-07-08  Saam Barati  <sbarati@apple.com>
711
712         We may add a ReadOnly property without setting the corresponding bit on Structure
713         https://bugs.webkit.org/show_bug.cgi?id=159542
714         <rdar://problem/27084591>
715
716         Reviewed by Benjamin Poulain.
717
718         The reason this usually is OK is due to happenstance. Often, instances that putDirectWithoutTransition
719         also happen to have a static property table. Having a static property table causes the
720         HasReadOnlyOrGetterSetterPropertiesExcludingProto on the structure to be set. However, 
721         there are times where an object calls putDirectWithoutTransition, and it doesn't have a
722         static property hash table. The fix is simple, putDirectWithTransition needs to set the
723         HasReadOnlyOrGetterSetterPropertiesExcludingProto if it puts a ReadOnly property.
724
725         * runtime/JSObject.h:
726         (JSC::JSObject::putDirectWithoutTransition):
727         * tests/stress/proper-property-store-with-prototype-property-that-is-not-writable.js: Added.
728         (assert):
729
730 2016-07-08  Michael Saboff  <msaboff@apple.com>
731
732         ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *)
733         https://bugs.webkit.org/show_bug.cgi?id=159588
734
735         Reviewed by Geoffrey Garen.
736
737         We were jettisoning a CodeBlock during GC that won't survive and its owning script
738         won't survive either.  We can't install any code on the owning script as that involves
739         a write barrier that will "pull" the script back into the remembered set.  Badness would
740         ensue.  Added an early return in CodeBlock::jettison() when we are garbage collecting
741         and the owning script isn't marked.
742
743         * bytecode/CodeBlock.cpp:
744         (JSC::CodeBlock::jettison):
745
746 2016-07-08  Mark Lam  <mark.lam@apple.com>
747
748         Move CallFrame header info from JSStack.h to CallFrame.h
749         https://bugs.webkit.org/show_bug.cgi?id=159549
750
751         Reviewed by Geoffrey Garen.
752
753         CallFrame.h is a much better location for CallFrame header info.
754
755         Replaced CallFrame::init() with ExecState::initGlobalExec() because normal
756         CallFrames are set up by a different mechanism now.  Only the globalExec is still
757         using it.  So, might as well change it to be specifically for the globalExec.
758
759         Removed the use of JSStack::containsAddress() in ExecState::initGlobalExec()
760         because it is not relevant to the globalExec.
761
762         Also removed some unused code: JSStack::gatherConservativeRoots() and
763         JSStack::sanitizeStack() are never called for JIT builds.
764
765         * bytecode/PolymorphicAccess.cpp:
766         (JSC::AccessCase::generateImpl):
767         * bytecode/VirtualRegister.h:
768         (JSC::VirtualRegister::isValid):
769         (JSC::VirtualRegister::isLocal):
770         (JSC::VirtualRegister::isArgument):
771         (JSC::VirtualRegister::isHeader):
772         (JSC::VirtualRegister::isConstant):
773         (JSC::VirtualRegister::toLocal):
774         (JSC::VirtualRegister::toArgument):
775         * bytecompiler/BytecodeGenerator.cpp:
776         (JSC::BytecodeGenerator::BytecodeGenerator):
777         (JSC::BytecodeGenerator::emitCall):
778         (JSC::BytecodeGenerator::emitConstruct):
779         * bytecompiler/BytecodeGenerator.h:
780         (JSC::CallArguments::thisRegister):
781         (JSC::CallArguments::argumentRegister):
782         (JSC::CallArguments::stackOffset):
783         (JSC::CallArguments::argumentCountIncludingThis):
784         (JSC::CallArguments::argumentsNode):
785         (JSC::BytecodeGenerator::registerFor):
786         * bytecompiler/NodesCodegen.cpp:
787         (JSC::emitHomeObjectForCallee):
788         (JSC::emitGetSuperFunctionForConstruct):
789         (JSC::CallArguments::CallArguments):
790         * dfg/DFGArgumentsEliminationPhase.cpp:
791         * dfg/DFGArgumentsUtilities.cpp:
792         (JSC::DFG::argumentsInvolveStackSlot):
793         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
794         * dfg/DFGByteCodeParser.cpp:
795         (JSC::DFG::ByteCodeParser::get):
796         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
797         (JSC::DFG::ByteCodeParser::flush):
798         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
799         (JSC::DFG::ByteCodeParser::getArgumentCount):
800         (JSC::DFG::ByteCodeParser::inlineCall):
801         (JSC::DFG::ByteCodeParser::handleInlining):
802         (JSC::DFG::ByteCodeParser::handleGetById):
803         (JSC::DFG::ByteCodeParser::handlePutById):
804         (JSC::DFG::ByteCodeParser::parseBlock):
805         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
806         * dfg/DFGClobberize.h:
807         (JSC::DFG::clobberize):
808         * dfg/DFGGraph.cpp:
809         (JSC::DFG::Graph::isLiveInBytecode):
810         * dfg/DFGGraph.h:
811         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
812         * dfg/DFGJITCompiler.cpp:
813         (JSC::DFG::JITCompiler::compileEntry):
814         (JSC::DFG::JITCompiler::compileSetupRegistersForEntry):
815         (JSC::DFG::JITCompiler::compileFunction):
816         * dfg/DFGJITCompiler.h:
817         (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
818         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
819         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
820         * dfg/DFGOSREntry.cpp:
821         (JSC::DFG::prepareOSREntry):
822         * dfg/DFGOSRExitCompiler.cpp:
823         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
824         * dfg/DFGOSRExitCompilerCommon.cpp:
825         (JSC::DFG::reifyInlinedCallFrames):
826         * dfg/DFGOSRExitCompilerCommon.h:
827         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
828         * dfg/DFGPreciseLocalClobberize.h:
829         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
830         * dfg/DFGSpeculativeJIT.cpp:
831         (JSC::DFG::SpeculativeJIT::emitGetLength):
832         (JSC::DFG::SpeculativeJIT::emitGetCallee):
833         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
834         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
835         * dfg/DFGSpeculativeJIT32_64.cpp:
836         (JSC::DFG::SpeculativeJIT::emitCall):
837         (JSC::DFG::SpeculativeJIT::compile):
838         * dfg/DFGSpeculativeJIT64.cpp:
839         (JSC::DFG::SpeculativeJIT::emitCall):
840         (JSC::DFG::SpeculativeJIT::compile):
841         * dfg/DFGStackLayoutPhase.cpp:
842         (JSC::DFG::StackLayoutPhase::run):
843         * dfg/DFGThunks.cpp:
844         (JSC::DFG::osrEntryThunkGenerator):
845         * ftl/FTLLink.cpp:
846         (JSC::FTL::link):
847         * ftl/FTLLowerDFGToB3.cpp:
848         (JSC::FTL::DFG::LowerDFGToB3::lower):
849         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
850         (JSC::FTL::DFG::LowerDFGToB3::compileGetCallee):
851         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):
852         (JSC::FTL::DFG::LowerDFGToB3::compileGetScope):
853         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
854         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
855         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
856         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
857         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
858         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
859         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
860         (JSC::FTL::DFG::LowerDFGToB3::callPreflight):
861         * ftl/FTLOSRExitCompiler.cpp:
862         (JSC::FTL::compileStub):
863         * ftl/FTLSlowPathCall.h:
864         (JSC::FTL::callOperation):
865         * interpreter/CallFrame.cpp:
866         (JSC::ExecState::initGlobalExec):
867         (JSC::CallFrame::callSiteBitsAreBytecodeOffset):
868         (JSC::CallFrame::callSiteAsRawBits):
869         (JSC::CallFrame::unsafeCallSiteAsRawBits):
870         (JSC::CallFrame::callSiteIndex):
871         (JSC::CallFrame::setCurrentVPC):
872         (JSC::CallFrame::callSiteBitsAsBytecodeOffset):
873         * interpreter/CallFrame.h:
874         (JSC::CallSiteIndex::CallSiteIndex):
875         (JSC::ExecState::calleeAsValue):
876         (JSC::ExecState::callee):
877         (JSC::ExecState::unsafeCallee):
878         (JSC::ExecState::codeBlock):
879         (JSC::ExecState::unsafeCodeBlock):
880         (JSC::ExecState::scope):
881         (JSC::ExecState::setCallerFrame):
882         (JSC::ExecState::setScope):
883         (JSC::ExecState::argumentCount):
884         (JSC::ExecState::argumentCountIncludingThis):
885         (JSC::ExecState::argumentOffset):
886         (JSC::ExecState::argumentOffsetIncludingThis):
887         (JSC::ExecState::offsetFor):
888         (JSC::ExecState::noCaller):
889         (JSC::ExecState::setArgumentCountIncludingThis):
890         (JSC::ExecState::setCallee):
891         (JSC::ExecState::setCodeBlock):
892         (JSC::ExecState::setReturnPC):
893         (JSC::ExecState::argIndexForRegister):
894         (JSC::ExecState::callerFrameAndPC):
895         (JSC::ExecState::unsafeCallerFrameAndPC):
896         (JSC::ExecState::init): Deleted.
897         * interpreter/Interpreter.cpp:
898         (JSC::Interpreter::dumpRegisters):
899         * interpreter/Interpreter.h:
900         (JSC::calleeFrameForVarargs):
901         * interpreter/JSStack.h:
902         (JSC::JSStack::containsAddress):
903         (JSC::JSStack::gatherConservativeRoots): Deleted.
904         (JSC::JSStack::sanitizeStack): Deleted.
905         * jit/AssemblyHelpers.cpp:
906         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
907         (JSC::AssemblyHelpers::emitRandomThunk):
908         * jit/AssemblyHelpers.h:
909         (JSC::AssemblyHelpers::restoreReturnAddressBeforeReturn):
910         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
911         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
912         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
913         (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
914         (JSC::AssemblyHelpers::emitPutToCallFrameHeaderBeforePrologue):
915         (JSC::AssemblyHelpers::emitPutPayloadToCallFrameHeaderBeforePrologue):
916         (JSC::AssemblyHelpers::emitPutTagToCallFrameHeaderBeforePrologue):
917         (JSC::AssemblyHelpers::calleeFrameSlot):
918         * jit/CCallHelpers.cpp:
919         (JSC::CCallHelpers::logShadowChickenProloguePacket):
920         * jit/CCallHelpers.h:
921         (JSC::CCallHelpers::prepareForTailCallSlow):
922         * jit/CallFrameShuffler.cpp:
923         (JSC::CallFrameShuffler::CallFrameShuffler):
924         (JSC::CallFrameShuffler::dump):
925         (JSC::CallFrameShuffler::extendFrameIfNeeded):
926         (JSC::CallFrameShuffler::prepareForSlowPath):
927         (JSC::CallFrameShuffler::prepareForTailCall):
928         (JSC::CallFrameShuffler::prepareAny):
929         * jit/CallFrameShuffler.h:
930         (JSC::CallFrameShuffler::snapshot):
931         (JSC::CallFrameShuffler::setCalleeJSValueRegs):
932         (JSC::CallFrameShuffler::assumeCalleeIsCell):
933         (JSC::CallFrameShuffler::numLocals):
934         (JSC::CallFrameShuffler::getOld):
935         (JSC::CallFrameShuffler::setOld):
936         (JSC::CallFrameShuffler::firstOld):
937         (JSC::CallFrameShuffler::lastOld):
938         (JSC::CallFrameShuffler::isValidOld):
939         (JSC::CallFrameShuffler::argCount):
940         (JSC::CallFrameShuffler::getNew):
941         * jit/JIT.cpp:
942         (JSC::JIT::compileWithoutLinking):
943         * jit/JIT.h:
944         * jit/JITCall.cpp:
945         (JSC::JIT::compileSetupVarargsFrame):
946         (JSC::JIT::compileCallEvalSlowCase):
947         (JSC::JIT::compileOpCall):
948         * jit/JITCall32_64.cpp:
949         (JSC::JIT::compileSetupVarargsFrame):
950         (JSC::JIT::compileCallEvalSlowCase):
951         (JSC::JIT::compileOpCall):
952         * jit/JITInlines.h:
953         (JSC::JIT::getConstantOperand):
954         (JSC::JIT::emitPutIntToCallFrameHeader):
955         (JSC::JIT::updateTopCallFrame):
956         * jit/JITOpcodes.cpp:
957         (JSC::JIT::emit_op_get_scope):
958         (JSC::JIT::emit_op_argument_count):
959         (JSC::JIT::emit_op_get_rest_length):
960         * jit/JITOpcodes32_64.cpp:
961         (JSC::JIT::privateCompileCTINativeCall):
962         (JSC::JIT::emit_op_get_scope):
963         * jit/JSInterfaceJIT.h:
964         (JSC::JSInterfaceJIT::emitJumpIfNotType):
965         (JSC::JSInterfaceJIT::emitGetFromCallFrameHeaderPtr):
966         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
967         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
968         * jit/SetupVarargsFrame.cpp:
969         (JSC::emitSetVarargsFrame):
970         (JSC::emitSetupVarargsFrameFastCase):
971         * jit/SpecializedThunkJIT.h:
972         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
973         * jit/ThunkGenerators.cpp:
974         (JSC::nativeForGenerator):
975         (JSC::arityFixupGenerator):
976         (JSC::boundThisNoArgsFunctionCallGenerator):
977         * llint/LLIntData.cpp:
978         (JSC::LLInt::Data::performAssertions):
979         * llint/LLIntSlowPaths.cpp:
980         (JSC::LLInt::genericCall):
981         (JSC::LLInt::varargsSetup):
982         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
983         * runtime/CommonSlowPaths.h:
984         (JSC::CommonSlowPaths::arityCheckFor):
985         * runtime/JSGlobalObject.cpp:
986         (JSC::JSGlobalObject::init):
987         * runtime/JSGlobalObject.h:
988         * runtime/StackAlignment.h:
989         (JSC::roundArgumentCountToAlignFrame):
990         (JSC::roundLocalRegisterCountForFramePointerOffset):
991         (JSC::logStackAlignmentRegisters):
992         * wasm/WASMFunctionCompiler.h:
993         (JSC::WASMFunctionCompiler::startFunction):
994         (JSC::WASMFunctionCompiler::endFunction):
995         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer):
996         (JSC::WASMFunctionCompiler::callAndUnboxResult):
997         * wasm/WASMFunctionSyntaxChecker.h:
998         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall):
999
1000 2016-07-08  Chris Dumez  <cdumez@apple.com>
1001
1002         Object.defineProperty() should maintain existing getter / setter if not overridden in the new descriptor
1003         https://bugs.webkit.org/show_bug.cgi?id=159576
1004         <rdar://problem/27242197>
1005
1006         Reviewed by Mark Lam.
1007
1008         Object.defineProperty() should maintain existing getter / setter if not
1009         overridden in the new descriptor. Previously, if the property had
1010         a custom getter / setter, and if the new descriptor only had a setter
1011         (or only a getter), JSC would clear the existing getter (or setter).
1012         This behavior did not match the ECMAScript specification or Firefox /
1013         Chrome. This patch fixes the issue.
1014
1015         This fixes searching and search suggestions on www.iciba.com.
1016
1017         * runtime/JSObject.cpp:
1018         (JSC::validateAndApplyPropertyDescriptor):
1019
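What the fix above restores, as an added example that is not part of this ChangeLog or of JavaScriptCore's sources (plain ECMAScript; function names are the example's own): ValidateAndApplyPropertyDescriptor only overwrites the descriptor fields that are actually present in the new descriptor, so redefining an accessor with a descriptor naming only `set` must keep the existing `get`, and vice versa, along with the unchanged enumerable and configurable attributes. The block mirrors that merge rule in a small function and checks the engine's result against it; before the fix, the setter-only case would have left `obj.x` reading as undefined because the getter was dropped.

```javascript
"use strict";

// Added example, not JavaScriptCore code. This is the merge rule from
// ValidateAndApplyPropertyDescriptor for an existing accessor property:
// a field absent from the new descriptor keeps its current value.
function mergeAccessorDescriptor(current, desc) {
  const pick = (name) =>
    Object.prototype.hasOwnProperty.call(desc, name) ? desc[name] : current[name];
  return {
    get: pick("get"),
    set: pick("set"),
    enumerable: pick("enumerable"),
    configurable: pick("configurable"),
  };
}

// Redefine an accessor with a descriptor naming only one of get/set and report
// whether the engine kept the other half and the unchanged attributes.
// `which` is "set" or "get" and selects which half the partial descriptor carries.
function redefineAccessorPartially(which) {
  const log = [];
  const obj = {};
  Object.defineProperty(obj, "x", {
    get() { log.push("get1"); return 1; },
    set(v) { log.push("set1:" + v); },
    enumerable: false,
    configurable: true,
  });
  const before = Object.getOwnPropertyDescriptor(obj, "x");

  const partial = which === "set"
    ? { set(v) { log.push("set2:" + v); } }
    : { get() { log.push("get2"); return 2; } };
  Object.defineProperty(obj, "x", partial);

  const after = Object.getOwnPropertyDescriptor(obj, "x");
  const expected = mergeAccessorDescriptor(before, partial);

  obj.x = 5;           // runs whichever setter is installed now
  const read = obj.x;  // runs whichever getter is installed now
  return {
    matchesSpec:
      after.get === expected.get &&
      after.set === expected.set &&
      after.enumerable === expected.enumerable &&
      after.configurable === expected.configurable,
    otherHalfKept: which === "set" ? after.get === before.get : after.set === before.set,
    read,
    log,
  };
}
```

A validating getter or sanitising setter that silently disappears on a partial redefinition is exactly the kind of divergence that breaks code written against the spec (the iciba.com regression mentioned above), so the check is worth running against any engine you target.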
1020 2016-07-08  Michael Saboff  <msaboff@apple.com>
1021
1022         Dumping the object graph doesn't work with verbose GC logging
1023         https://bugs.webkit.org/show_bug.cgi?id=159569
1024
1025         Reviewed by Mark Lam.
1026
1027         The current object graph logging code tries to revisit the graph.  This doesn't work
1028         correctly and, asking around, it isn't used.  The only way to dump the true object graph
1029         is to log while we GC and that has obvious performance implications.
1030         Therefore I eliminated GCLogging::dumpObjectGraph() and related code.
1031
1032         * heap/GCLogging.cpp:
1033         (JSC::GCLogging::levelAsString):
1034         (JSC::LoggingFunctor::LoggingFunctor): Deleted.
1035         (JSC::LoggingFunctor::~LoggingFunctor): Deleted.
1036         (JSC::LoggingFunctor::operator()): Deleted.
1037         (JSC::LoggingFunctor::log): Deleted.
1038         (JSC::LoggingFunctor::reviveCells): Deleted.
1039         (JSC::LoggingFunctor::returnValue): Deleted.
1040         (JSC::GCLogging::dumpObjectGraph): Deleted.
1041         * heap/Heap.cpp:
1042         (JSC::Heap::didFinishCollection):
1043
1044 2016-07-08  Keith Miller  <keith_miller@apple.com>
1045
1046         speculateTypedArrayIsNotNeutered has an inverted speculation
1047         https://bugs.webkit.org/show_bug.cgi?id=159571
1048
1049         Reviewed by Mark Lam.
1050
1051         For some confusing reason FTLLowerDFGToB3 takes the condition the
1052         speculation wants to be false. This issue caused
1053         typedarray-access-monomorphic-neutered.js to fail on the bots.
1054
1055         * ftl/FTLLowerDFGToB3.cpp:
1056         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
1057
1058 2016-07-08  Mark Lam  <mark.lam@apple.com>
1059
1060         Rename jsCPUStackLimit to osStackLimitWithReserve and jsEmulatedStackLimit to cloopStackLimit.
1061         https://bugs.webkit.org/show_bug.cgi?id=159544
1062
1063         Reviewed by Geoffrey Garen.
1064
1065         This patch does the following refactoring:
1066         1. Rename jsCPUStackLimit to osStackLimitWithReserve.
1067         2. Rename jsEmulatedStackLimit to cloopStackLimit.
1068         3. Remove llintStackLimit (which previously was either an alias for
1069            jsCPUStackLimit or jsEmulatedStackLimit depending on whether we have a JIT or
1070            C Loop build).  Instead, we'll change the LLINT to conditionally use the
1071            osStackLimitWithReserve or cloopStackLimit.
1072
1073         There are no semantic changes.
1074
1075         * dfg/DFGJITCompiler.cpp:
1076         (JSC::DFG::JITCompiler::compile):
1077         (JSC::DFG::JITCompiler::compileFunction):
1078         * ftl/FTLLowerDFGToB3.cpp:
1079         (JSC::FTL::DFG::LowerDFGToB3::lower):
1080         * interpreter/JSStack.cpp:
1081         (JSC::JSStack::JSStack):
1082         (JSC::JSStack::growSlowCase):
1083         (JSC::JSStack::lowAddress):
1084         (JSC::JSStack::highAddress):
1085         * interpreter/JSStack.h:
1086         * interpreter/JSStackInlines.h:
1087         (JSC::JSStack::ensureCapacityFor):
1088         (JSC::JSStack::shrink):
1089         (JSC::JSStack::grow):
1090         (JSC::JSStack::setCLoopStackLimit):
1091         (JSC::JSStack::setJSEmulatedStackLimit): Deleted.
1092         * jit/JIT.cpp:
1093         (JSC::JIT::compileWithoutLinking):
1094         * jit/SetupVarargsFrame.cpp:
1095         (JSC::emitSetupVarargsFrameFastCase):
1096         * llint/LLIntSlowPaths.cpp:
1097         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1098         * llint/LowLevelInterpreter.asm:
1099         * llint/LowLevelInterpreter32_64.asm:
1100         * llint/LowLevelInterpreter64.asm:
1101         * runtime/RegExp.cpp:
1102         (JSC::RegExp::finishCreation):
1103         (JSC::RegExp::compile):
1104         (JSC::RegExp::compileMatchOnly):
1105         * runtime/VM.cpp:
1106         (JSC::VM::updateStackLimit):
1107         * runtime/VM.h:
1108         (JSC::VM::reservedZoneSize):
1109         (JSC::VM::osStackLimitWithReserve):
1110         (JSC::VM::addressOfOSStackLimitWithReserve):
1111         (JSC::VM::cloopStackLimit):
1112         (JSC::VM::setCLoopStackLimit):
1113         (JSC::VM::isSafeToRecurse):
1114         (JSC::VM::jsCPUStackLimit): Deleted.
1115         (JSC::VM::addressOfJSCPUStackLimit): Deleted.
1116         (JSC::VM::jsEmulatedStackLimit): Deleted.
1117         (JSC::VM::setJSEmulatedStackLimit): Deleted.
1118         * wasm/WASMFunctionCompiler.h:
1119         (JSC::WASMFunctionCompiler::startFunction):
1120
1121 2016-07-08  Commit Queue  <commit-queue@webkit.org>
1122
1123         Unreviewed, rolling out r202799.
1124         https://bugs.webkit.org/show_bug.cgi?id=159568
1125
1126         Caused build failure (Requested by perarne on #webkit).
1127
1128         Reverted changeset:
1129
1130         "[Win] DLLs are missing version information."
1131         https://bugs.webkit.org/show_bug.cgi?id=159349
1132         http://trac.webkit.org/changeset/202799
1133
1134 2016-07-08  Youenn Fablet  <youenn@apple.com>
1135
1136         Built-in generator should generate files with a default copyright
1137         https://bugs.webkit.org/show_bug.cgi?id=159561
1138
1139         Reviewed by Alex Christensen.
1140
1141         * Scripts/builtins/builtins_model.py:
1142         (BuiltinsCollection._parse_copyright_lines): Adding default copyright to the parsed copyrights.
1143         * Scripts/builtins/builtins_templates.py:
1144         (BuiltinsGeneratorTemplates): Adding a default copyright.
1145         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result: Rebasing with added default copyright.
1146         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result: Ditto.
1147         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result: Ditto.
1148         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result: Ditto.
1149         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result: Ditto.
1150         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result: Ditto.
1151         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result: Ditto.
1152         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Ditto.
1153         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
1154         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Ditto.
1155         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
1156         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Ditto.
1157
1159 2016-07-08  Keith Miller  <keith_miller@apple.com>
1160
1161         TypedArrays need more isNeutered checks.
1162         https://bugs.webkit.org/show_bug.cgi?id=159231
1163
1164         Reviewed by Filip Pizlo.
1165
1166         According to the ES6 spec if a user tries to get, set, or define a
1167         property on a neutered TypedArray we should throw an
1168         exception. Currently, if a user tries to get an out of bounds
1169         access on a TypedArray we will always OSR.  This makes handling
1170         the exception easy as all we need to do is make out of bounds gets
1171         in PolymorphicAccess go to the slow path, which will then throw
1172         the appropriate exception. For the case of set, we need to ensure we
1173         don't OSR on each out of bounds put since, for some confusing
1174         reason, people do this.  Thus, for GetByVal in the DFG/FTL if the
1175         user accesses out of bounds we then need to check if the view has
1176         been neutered. If it is neutered then we will OSR.
1177
1178         Additionally, this patch adds a bunch of isNeutered checks to
1179         various prototype functions for TypedArray, which are needed for
1180         correctness.
1181
1182         * dfg/DFGSpeculativeJIT.cpp:
1183         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
1184         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1185         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
1186         * dfg/DFGSpeculativeJIT.h:
1187         * ftl/FTLLowerDFGToB3.cpp:
1188         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1189         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
1190         * jit/JITPropertyAccess.cpp:
1191         (JSC::JIT::emitIntTypedArrayPutByVal):
1192         (JSC::JIT::emitFloatTypedArrayPutByVal):
1193         * runtime/JSArrayBufferView.h:
1194         * runtime/JSCJSValue.h:
1195         (JSC::encodedJSUndefined):
1196         (JSC::encodedJSValue):
1197         * runtime/JSGenericTypedArrayView.h:
1198         * runtime/JSGenericTypedArrayViewInlines.h:
1199         (JSC::JSGenericTypedArrayView<Adaptor>::throwNeuteredTypedArrayTypeError):
1200         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1201         (JSC::JSGenericTypedArrayView<Adaptor>::put):
1202         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1203         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1204         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1205         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
1206         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
1207         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1208         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1209         (JSC::genericTypedArrayViewProtoFuncFill):
1210         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1211         (JSC::genericTypedArrayViewProtoFuncJoin):
1212         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1213         (JSC::genericTypedArrayViewProtoFuncSlice):
1214         (JSC::genericTypedArrayViewProtoFuncSubarray):
1215         * tests/stress/fold-typed-array-properties.js:
1216         * tests/stress/typedarray-access-monomorphic-neutered.js: Added.
1217         (check):
1218         (test):
1219         (testFTL):
1220         * tests/stress/typedarray-access-neutered.js: Added.
1221         (check):
1222         (test):
1223         * tests/stress/typedarray-functions-with-neutered.js:
1224         (defaultForArg):
1225         (callWithArgs):
1226         (checkArgumentsForType):
1227         (checkArguments):
1228         * tests/stress/typedarray-view-string-properties-neutered.js: Added.
1229         (call):
1230         (test):
1231
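The situation the isNeutered checks above guard against, as an added example that is not part of this ChangeLog or of JavaScriptCore's sources. "Neutered" is the term the specification now calls "detached". Detaching is only reachable through a host API, so the block assumes structuredClone with a transfer list (Node.js 17+ and browsers), falling back to ArrayBuffer.prototype.transfer (ES2024); the helper names are the example's own. It shows what a view reports once its buffer is gone, a portable detached check, and the hazard that makes re-validation inside the JIT and the prototype functions necessary: user code running in a ToNumber conversion can detach the buffer in the middle of a call that has already validated it once. Whether that mid-call case throws or silently does nothing depends on the specification version the engine follows, so the block reports the outcome rather than assuming one.

```javascript
"use strict";

// Added example, not JavaScriptCore code. Detach a buffer through a host API
// (assumed: structuredClone with a transfer list, or ArrayBuffer#transfer).
function detach(buffer) {
  if (typeof structuredClone === "function") {
    structuredClone(buffer, { transfer: [buffer] });
  } else if (typeof buffer.transfer === "function") {
    buffer.transfer();
  } else {
    throw new Error("no way to detach an ArrayBuffer in this host");
  }
  return buffer;
}

// Portable detached check: constructing a view over a detached buffer throws a
// TypeError, while a legitimately empty buffer does not.
// (ArrayBuffer.prototype.detached exists only in newer engines.)
function isDetached(buffer) {
  try {
    new Uint8Array(buffer);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Report how a view behaves once its buffer is gone: indexed reads see an
// empty array, while prototype methods that must touch the storage have to
// reject the call with a TypeError rather than operate on released memory.
function observeDetachedView() {
  const buffer = new ArrayBuffer(16);
  const view = new Uint8Array(buffer);
  view.fill(0x41);
  detach(buffer);

  const methodErrors = {};
  for (const name of ["fill", "copyWithin", "indexOf", "join", "slice"]) {
    try {
      view[name](0);
      methodErrors[name] = "no error";
    } catch (e) {
      methodErrors[name] = e.constructor.name;
    }
  }
  return {
    detached: isDetached(buffer),
    length: view.length,
    byteLength: view.byteLength,
    firstElement: view[0],
    methodErrors,
  };
}

// The re-entrancy hazard: fill() validates the view, then converts its
// argument with ToNumber, which runs user code. That code detaches the buffer,
// so the engine must check again before writing. The outcome ("TypeError" or
// "completed") depends on the spec version the engine implements.
function detachDuringFill() {
  const buffer = new ArrayBuffer(8);
  const view = new Uint8Array(buffer);
  const hostile = { valueOf() { detach(buffer); return 0x42; } };
  let outcome;
  try {
    view.fill(hostile);
    outcome = "completed";
  } catch (e) {
    outcome = e.constructor.name;
  }
  return { outcome, detached: isDetached(buffer), length: view.length };
}
```

The valueOf trick in detachDuringFill is the general shape of many typed-array engine bugs: any point where an operation calls back into script after a bounds or liveness check is a point where the check has to be repeated.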
1232 2016-07-08  Youenn Fablet  <youenn@apple.com>
1233
1234         Generate WebCore builtin wrapper files
1235         https://bugs.webkit.org/show_bug.cgi?id=159461
1236
1237         Reviewed by Brian Burg.
1238
1239         Updating builtin generator to generate wrapper files used in WebCore (See WebCore change log).
1240         Rebasing builtins generator test results according to generator changes by activating wrapper file generation for
1241         WebCore builtins tests.
1242
1243         * CMakeLists.txt:
1244         * DerivedSources.make:
1245         * JavaScriptCore.xcodeproj/project.pbxproj:
1246         * Scripts/builtins/builtins.py: Adding new generators.
1247         * Scripts/builtins/builtins_generate_internals_wrapper_header.py: Added to generate WebCoreJSBuiltinInternals.h.
1248         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py: Added to generate WebCoreJSBuiltinInternals.cpp.
1249         * Scripts/builtins/builtins_generate_wrapper_header.py: Added to generate WebCoreJSBuiltins.h.
1250         * Scripts/builtins/builtins_generate_wrapper_implementation.py: Added to generate WebCoreJSBuiltins.cpp.
1251         * Scripts/generate-js-builtins.py: Adding new option to activate generation of the wrapper files.
1252         (generate_bindings_for_builtins_files):
1253         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1254         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1255         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1256         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1257         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1258
1259 2016-07-07  Joseph Pecoraro  <pecoraro@apple.com>
1260
1261         padStart/padEnd with Infinity produces unexpected result
1262         https://bugs.webkit.org/show_bug.cgi?id=159543
1263
1264         Reviewed by Benjamin Poulain.
1265
1266         * builtins/GlobalOperations.js:
1267         (globalPrivate.toLength):
1268         Fix style.
1269
1270         * builtins/StringPrototype.js:
1271         (padStart):
1272         (padEnd):
1273         After all observable operations, and after empty string has been handled,
1274         throw an out of memory error if the resulting string would be greater
1275         than the maximum string size.
1276
1277         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
1278         (shouldThrow): Deleted.
1279         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js:
1280         (shouldThrow):
1281         (testMeta):
1282         * tests/es6/String.prototype_methods_String.prototype.padEnd.js:
1283         (shouldThrow):
1284         (TestToLength):
1285         (TestMemoryLimits):
1286         (TestMeta): Deleted.
1287         * tests/es6/String.prototype_methods_String.prototype.padStart.js:
1288         (shouldThrow):
1289         (TestToLength):
1290         (TestMemoryLimits):
1291         Replace incorrect shouldThrow(..., errorType) with explicit shouldThrow(..., errorMessage).
1292         The old shouldThrow would incorrectly succeed if the expected error type was just "Error".
1293         Now we explicitly check the error message.
1294
1295 2016-07-07  Benjamin Poulain  <benjamin@webkit.org>
1296
1297         [JSC] String.prototype[Symbol.iterator] needs a name
1298         https://bugs.webkit.org/show_bug.cgi?id=159541
1299
1300         Reviewed by Yusuke Suzuki.
1301
1302         A man needs a name.
1303         Spec: https://tc39.github.io/ecma262/#sec-string.prototype-@@iterator
1304
1305         * runtime/StringPrototype.cpp:
1306         (JSC::StringPrototype::finishCreation):
1307
1308 2016-07-07  Michael Saboff  <msaboff@apple.com>
1309
1310         REGRESSION(184445): Need to insert a StoreBarrier when we don't know child's epoch
1311         https://bugs.webkit.org/show_bug.cgi?id=159537
1312
1313         Reviewed by Benjamin Poulain.
1314
1315         We weren't checking the case of a child node with a null epoch.  The problem surfaces
1316         when the base node of a PutByVal variant has a non-null epoch, because it represents an
1317         allocation in the current function, while the child of the same node has an unknown epoch.
1318         Added a check that the child node is not null before comparing the epochs of the base and
1319         child nodes.
1320
1321         The added test creates the problem circumstance by doing a full GC to place an array in
1322         remembered space, allocating a new object followed by an eden GC.  The new object is
1323         only referenced by the array and therefore won't be visited without the store barrier.
1324         The test may crash or more likely get the wrong answer with the bug.
1325
1326         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1327         * tests/stress/regress-159537.js: Added test.
1328         (MyNumber):
1329         (MyNumber.prototype.plusOne):
1330         (bar):
1331         (foo):
1332         (test):
1333
1334 2016-07-07  Joseph Pecoraro  <pecoraro@apple.com>
1335
1336         Unexpected "Out of memory" error for "x".repeat(-1)
1337         https://bugs.webkit.org/show_bug.cgi?id=159529
1338
1339         Reviewed by Benjamin Poulain.
1340
1341         * builtins/StringPrototype.js:
1342         (globalPrivate.repeatSlowPath):
1343         (repeat):
1344         Move the @toInteger and range checking to the always path,
1345         since the spec does say it should always happen. Also remove
1346         the duplication of the fast path here.
1347
1348         * runtime/StringPrototype.cpp:
1349         (JSC::repeatCharacter):
1350         Remove unused function.
1351
1352         (JSC::stringProtoFuncRepeatCharacter):
1353         ASSERT if given a negative number. This is a private function
1354         only used internally.
1355
1356         * tests/stress/string-repeat-edge-cases.js:
1357         (shouldThrow):
1358         Update expected error message.
1359
1360 2016-07-07  Benjamin Poulain  <benjamin@webkit.org>
1361
1362         [JSC] Array.prototype[Symbol.unscopables] should have the "includes" property
1363         https://bugs.webkit.org/show_bug.cgi?id=159504
1364
1365         Reviewed by Keith Miller.
1366
1367         The property "includes" was missing.
1368         Spec: https://tc39.github.io/ecma262/#sec-array.prototype-@@unscopables
1369
1370         * runtime/ArrayPrototype.cpp:
1371         (JSC::ArrayPrototype::finishCreation):
1372         * tests/stress/unscopables.js:
1373
1374 2016-07-07  Saam Barati  <sbarati@apple.com>
1375
1376         ToThis constant folding in DFG is incorrect when the structure indicates that toThis is overridden
1377         https://bugs.webkit.org/show_bug.cgi?id=159501
1378         <rdar://problem/27109354>
1379
1380         Reviewed by Mark Lam.
1381
1382         We *cannot* constant fold ToThis when the structure of an object
1383         indicates that toThis() is overridden. isToThisAnIdentity() inside
1384         AbstractInterpreterInlines accidentally wrote the opposite rule.
1385         The rule was written as we can constant fold ToThis only when
1386         toThis() is overridden. To fix the bug, we must write the rule
1387         as isToThisAnIdentity() can only be true as long as the structure
1388         set indicates that no structures override toThis().
1389
1390         We could probably get more clever in the future and notice
1391         when we're dealing with a constant |this| value. For example,
1392         a ToThis might occur on a constant JSLexicalEnvironment. We could
1393         implement the rules of JSLexicalEnvironment's toThis() implementation
1394         inside AI/constant folding.
1395
1396         * dfg/DFGAbstractInterpreterInlines.h:
1397         (JSC::DFG::isToThisAnIdentity):
1398         * tests/stress/to-this-on-constant-lexical-environment.js: Added.
1399         (foo.bar):
1400         (foo.inner):
1401         (foo):
1402
1403 2016-07-07  Benjamin Poulain  <benjamin@webkit.org>
1404
1405         [JSC] Array.prototype.includes uses ToInt32 instead of ToInteger on the index argument
1406         https://bugs.webkit.org/show_bug.cgi?id=159505
1407
1408         Reviewed by Mark Lam.
1409
1410         The code was using (value)|0 which is effectively a ToInt32.
1411         This fails on large integers and +-Infinity.
1412
1413         Spec: https://tc39.github.io/ecma262/#sec-array.prototype.includes
1414
1415         * builtins/ArrayPrototype.js:
1416         (includes):
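
        Added example (not JavaScriptCore code): a spec-shaped Array.prototype.includes whose fromIndex goes through ToInteger, next to a variant that uses the `(value)|0` (ToInt32) conversion the entry above describes, so the two can be compared on large integers and +-Infinity. All inputs are constructed.

```javascript
// ToInteger (ECMA-262): NaN -> +0, +-Infinity kept, everything else truncated.
function toInteger(value) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// ToLength: ToInteger clamped to [0, 2^53 - 1].
function toLength(value) {
  const n = toInteger(value);
  if (n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// SameValueZero: strict equality, except that NaN matches NaN.
function sameValueZero(a, b) {
  return a === b || (Number.isNaN(a) && Number.isNaN(b));
}

// Shared tail of the algorithm, once the start index `n` has been computed.
function scanFrom(arrayLike, searchElement, len, n) {
  if (n >= len) return false;        // +Infinity or any index past the end: not found
  let k = n >= 0 ? n : len + n;      // negative indices count from the end
  if (k < 0) k = 0;                  // -Infinity lands below zero: start at 0
  for (; k < len; k++) {
    if (sameValueZero(arrayLike[k], searchElement)) return true;
  }
  return false;
}

// Spec behaviour: fromIndex is converted with ToInteger.
function includesSpec(arrayLike, searchElement, fromIndex) {
  const len = toLength(arrayLike.length);
  if (len === 0) return false;
  return scanFrom(arrayLike, searchElement, len, toInteger(fromIndex));
}

// Buggy behaviour: `fromIndex | 0` is ToInt32, which wraps integers outside
// the 32-bit range and turns +-Infinity (and NaN) into 0.
function includesInt32(arrayLike, searchElement, fromIndex) {
  const len = toLength(arrayLike.length);
  if (len === 0) return false;
  return scanFrom(arrayLike, searchElement, len, fromIndex | 0);
}

// Constructed inputs where the two conversions disagree.
function disagreements() {
  const arr = [1, 2, 3];
  const cases = [
    [1, Infinity],              // spec: never found; |0 makes it 0 and finds it
    [1, 2 ** 32],               // spec: past the end; |0 wraps to 0
    [1, -(2 ** 32) - 1],        // spec: clamps to 0 and finds it; |0 wraps to -1
  ];
  return cases.map(([needle, from]) => ({
    from,
    spec: includesSpec(arr, needle, from),
    int32: includesInt32(arr, needle, from),
    native: arr.includes(needle, from),
  }));
}
```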
1417
1418 2016-07-07  Benjamin Poulain  <benjamin@webkit.org>
1419
1420         [JSC] String.prototype.normalize should have a length of zero
1421         https://bugs.webkit.org/show_bug.cgi?id=159506
1422
1423         Reviewed by Yusuke Suzuki.
1424
1425         Spec: https://tc39.github.io/ecma262/#sec-string.prototype.normalize
1426         The argument is optional, the length should be zero.
1427
1428         * runtime/StringPrototype.cpp:
1429         (JSC::StringPrototype::finishCreation):
1430
1431 2016-07-07  Csaba Osztrogonác  <ossy@webkit.org>
1432
1433         [ARMv7] REGRESSION(r197655): ASSERTION FAILED: (cond == Zero) || (cond == NonZero)
1434         https://bugs.webkit.org/show_bug.cgi?id=159419
1435
1436         Reviewed by Benjamin Poulain.
1437
1438         Allow Signed and PositiveOrZero conditions too because the tst instruction updates the N and Z flags.
1439
1440         * assembler/MacroAssemblerARM.h:
1441         (JSC::MacroAssemblerARM::branchTest32):
1442         * assembler/MacroAssemblerARMv7.h:
1443         (JSC::MacroAssemblerARMv7::branchTest32): Add assertions to avoid possible bugs in the future.
1444
1445 2016-07-06  Youenn Fablet  <youenn@apple.com>
1446
1447         Builtin generator should use pragma once for header files
1448         https://bugs.webkit.org/show_bug.cgi?id=159462
1449
1450         Reviewed by Alex Christensen.
1451
1452         * Scripts/builtins/builtins_generate_combined_header.py:
1453         (BuiltinsCombinedHeaderGenerator.generate_output):
1454         * Scripts/builtins/builtins_generate_separate_header.py:
1455         (BuiltinsSeparateHeaderGenerator.generate_output):
1456         * Scripts/builtins/builtins_templates.py:
1457         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1458         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1459         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1460         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1461         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1462         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1463         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1464         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1465         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1466         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1467         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1468         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1469
1470 2016-07-06  Benjamin Poulain  <bpoulain@apple.com>
1471
1472         [JSC] Unify how we throw TypeError from C++
1473         https://bugs.webkit.org/show_bug.cgi?id=159500
1474
1475         Reviewed by Saam Barati.
1476
1477         Throwing a TypeError is an uncommon case. We should minimize the impact
1478         on the call sites.
1479
1480         This patch does that by:
1481         -Replace the 2 calls createTypeError()->throwException() by throwTypeError().
1482         -Use ASCIILiteral when possible.
1483         -Add an overload of throwTypeError() taking ASCIILiteral directly
1484          (that way, the String creation and destruction is done by the callee).
1485
1486         On x86_64, this reduces the __TEXT__ segment by 29kb.
1487
1488         * inspector/JSInjectedScriptHost.cpp:
1489         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1490         * inspector/JSJavaScriptCallFrame.cpp:
1491         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1492         * interpreter/Interpreter.cpp:
1493         (JSC::Interpreter::execute):
1494         * jit/JITOperations.cpp:
1495         * runtime/DatePrototype.cpp:
1496         (JSC::dateProtoFuncToJSON):
1497         * runtime/Error.cpp:
1498         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
1499         (JSC::throwTypeError):
1500         * runtime/Error.h:
1501         (JSC::throwVMTypeError):
1502         * runtime/JSArrayBufferPrototype.cpp:
1503         (JSC::arrayBufferProtoFuncSlice):
1504         * runtime/JSCJSValue.cpp:
1505         (JSC::JSValue::putToPrimitive):
1506         (JSC::JSValue::toStringSlowCase):
1507         * runtime/JSCJSValueInlines.h:
1508         (JSC::toPreferredPrimitiveType):
1509         * runtime/JSDataViewPrototype.cpp:
1510         (JSC::getData):
1511         (JSC::setData):
1512         * runtime/JSFunction.cpp:
1513         (JSC::JSFunction::defineOwnProperty):
1514         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1515         (JSC::constructGenericTypedArrayViewFromIterator):
1516         (JSC::constructGenericTypedArrayViewWithArguments):
1517         (JSC::constructGenericTypedArrayView):
1518         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1519         (JSC::speciesConstruct):
1520         (JSC::genericTypedArrayViewProtoFuncSet):
1521         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1522         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1523         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1524         (JSC::genericTypedArrayViewProtoFuncSubarray):
1525         * runtime/JSGlobalObjectFunctions.cpp:
1526         (JSC::globalFuncProtoGetter):
1527         (JSC::globalFuncProtoSetter):
1528         * runtime/JSONObject.cpp:
1529         (JSC::Stringifier::appendStringifiedValue):
1530         * runtime/JSObject.cpp:
1531         (JSC::JSObject::setPrototypeWithCycleCheck):
1532         (JSC::callToPrimitiveFunction):
1533         (JSC::JSObject::ordinaryToPrimitive):
1534         (JSC::JSObject::defaultHasInstance):
1535         (JSC::validateAndApplyPropertyDescriptor):
1536         * runtime/JSTypedArrayViewConstructor.cpp:
1537         (JSC::constructTypedArrayView):
1538         * runtime/JSTypedArrayViewPrototype.cpp:
1539         (JSC::typedArrayViewPrivateFuncLength):
1540         (JSC::typedArrayViewProtoFuncSet):
1541         (JSC::typedArrayViewProtoFuncCopyWithin):
1542         (JSC::typedArrayViewProtoFuncFill):
1543         (JSC::typedArrayViewProtoFuncLastIndexOf):
1544         (JSC::typedArrayViewProtoFuncIndexOf):
1545         (JSC::typedArrayViewProtoFuncJoin):
1546         (JSC::typedArrayViewProtoGetterFuncBuffer):
1547         (JSC::typedArrayViewProtoGetterFuncLength):
1548         (JSC::typedArrayViewProtoGetterFuncByteLength):
1549         (JSC::typedArrayViewProtoGetterFuncByteOffset):
1550         (JSC::typedArrayViewProtoFuncReverse):
1551         (JSC::typedArrayViewProtoFuncSubarray):
1552         (JSC::typedArrayViewProtoFuncSlice):
1553         * runtime/ObjectConstructor.cpp:
1554         (JSC::toPropertyDescriptor):
1555         (JSC::objectConstructorDefineProperty):
1556         (JSC::objectConstructorDefineProperties):
1557         (JSC::objectConstructorCreate):
1558         * runtime/ObjectPrototype.cpp:
1559         (JSC::objectProtoFuncDefineGetter):
1560         (JSC::objectProtoFuncDefineSetter):
1561         * runtime/RegExpPrototype.cpp:
1562         (JSC::regExpProtoFuncCompile):
1563         * runtime/Symbol.cpp:
1564         (JSC::Symbol::toNumber):
1565
1566 2016-07-06  Saam Barati  <sbarati@apple.com>
1567
1568         InlineAccess::sizeForLengthAccess() is wrong on some platforms because it should also consider "length" not being array length
1569         https://bugs.webkit.org/show_bug.cgi?id=159429
1570
1571         Reviewed by Filip Pizlo.
1572
1573         The calculation inside sizeForLengthAccess() was not taking into
1574         account that an access to a "length" property might not be an
1575         array length access. sizeForLengthAccess() should always have enough
1576         room for a regular self property access. This only changes how
1577         much of a nop sled we emit if array length access size is smaller
1578         than self access size. This matters on ARM64.
1579
1580         * bytecode/InlineAccess.h:
1581         (JSC::InlineAccess::sizeForPropertyAccess):
1582         (JSC::InlineAccess::sizeForPropertyReplace):
1583         (JSC::InlineAccess::sizeForLengthAccess):
1584
1585 2016-07-06  Commit Queue  <commit-queue@webkit.org>
1586
1587         Unreviewed, rolling out r198928 and r198985.
1588         https://bugs.webkit.org/show_bug.cgi?id=159478
1589
1590         "It's breaking some websites" (Requested by saamyjoon on
1591         #webkit).
1592
1593         Reverted changesets:
1594
1595         "[ES6] Disallow var assignments in for-in loops"
1596         https://bugs.webkit.org/show_bug.cgi?id=155451
1597         http://trac.webkit.org/changeset/198928
1598
1599         "Unreviewed, turn ES6 for-in loop test success"
1600         https://bugs.webkit.org/show_bug.cgi?id=155451
1601         http://trac.webkit.org/changeset/198985
1602
1603 2016-07-05  Mark Lam  <mark.lam@apple.com>
1604
1605         Rename VM stack limit fields to better describe their purpose.
1606         https://bugs.webkit.org/show_bug.cgi?id=159451
1607
1608         Reviewed by Keith Miller.
1609
1610         This is in preparation for an upcoming patch that changes what stack limit values
1611         are used under various circumstances.  This patch aims to do some minimal work to
1612         rename the fields so that it will be easier to reason about the upcoming patch.
1613
1614         In this patch, we make the following changes:
1615
1616         1. Rename VM::m_stackLimit to VM::m_jsCPUStackLimit.
1617
1618         2. VM::m_jsStackLimit used to have an overloaded meaning:
1619            a. For JIT builds, m_jsStackLimit is synonymous with m_stackLimit.
1620            b. For C Loop builds, m_jsStackLimit is a separate pointer that points to the
1621               emulated JS stack that the C Loop uses.
1622
1623            In place of m_jsStackLimit, this patch introduces 2 new fields:
1624            VM::m_jsEmulatedStackLimit and VM::m_llintStackLimit.
1625
1626            m_llintStackLimit is the limit that the LLInt assembly uses for its stack
1627            check.  m_llintStackLimit behaves like the old m_jsStackLimit in that:
1628            a. For JIT builds, m_llintStackLimit is synonymous with m_jsCPUStackLimit.
1629            b. For C Loop builds, m_llintStackLimit is synonymous with m_jsEmulatedStackLimit.
1630
1631            m_jsEmulatedStackLimit is used for the emulated stack that the C Loop uses.
1632
1633         3. Rename the following methods to match the above:
1634              VM::stackLimit() ==> VM::jsCPUStackLimit()
1635              VM::addressOfStackLimit() ==> VM::addressOfJSCPUStackLimit()
1636              VM::jsStackLimit() ==> VM::jsEmulatedStackLimit()
1637              VM::setJSStackLimit() ==> VM::setJSEmulatedStackLimit()
1638              JSStack::setStackLimit() ==> JSStack::setEmulatedStackLimit()
1639
1640         4. With change (2) and (3), the limits will be used as follows:
1641            a. VM code doing stack recursion checks will only use m_jsCPUStackLimit.
1642            b. JIT code will only use m_jsCPUStackLimit.
1643            c. C Loop emulated stack code in JSStack will only use m_jsEmulatedStackLimit.
1644               Note: the part of JSStack that operates on a JIT build will use
1645                     m_jsCPUStackLimit as expected.
1646            d. LLINT assembly code will only use m_llintStackLimit.
1647
1648         This patch only contains the above refactoring changes.  There is no behavior
1649         change.
1650
1651         * dfg/DFGJITCompiler.cpp:
1652         (JSC::DFG::JITCompiler::compile):
1653         (JSC::DFG::JITCompiler::compileFunction):
1654         * ftl/FTLLowerDFGToB3.cpp:
1655         (JSC::FTL::DFG::LowerDFGToB3::lower):
1656         * interpreter/JSStack.cpp:
1657         (JSC::JSStack::JSStack):
1658         (JSC::JSStack::growSlowCase):
1659         (JSC::JSStack::lowAddress):
1660         (JSC::JSStack::highAddress):
1661         * interpreter/JSStack.h:
1662         * interpreter/JSStackInlines.h:
1663         (JSC::JSStack::ensureCapacityFor):
1664         (JSC::JSStack::shrink):
1665         (JSC::JSStack::grow):
1666         (JSC::JSStack::setJSEmulatedStackLimit):
1667         (JSC::JSStack::setStackLimit): Deleted.
1668         * jit/JIT.cpp:
1669         (JSC::JIT::compileWithoutLinking):
1670         * jit/SetupVarargsFrame.cpp:
1671         (JSC::emitSetupVarargsFrameFastCase):
1672         * llint/LLIntSlowPaths.cpp:
1673         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1674         * llint/LowLevelInterpreter.asm:
1675         * llint/LowLevelInterpreter32_64.asm:
1676         * llint/LowLevelInterpreter64.asm:
1677         * runtime/RegExp.cpp:
1678         (JSC::RegExp::finishCreation):
1679         (JSC::RegExp::compile):
1680         (JSC::RegExp::compileMatchOnly):
1681         * runtime/VM.cpp:
1682         (JSC::VM::VM):
1683         (JSC::VM::updateStackLimit):
1684         * runtime/VM.h:
1685         (JSC::VM::reservedZoneSize):
1686         (JSC::VM::jsCPUStackLimit):
1687         (JSC::VM::addressOfJSCPUStackLimit):
1688         (JSC::VM::jsEmulatedStackLimit):
1689         (JSC::VM::setJSEmulatedStackLimit):
1690         (JSC::VM::isSafeToRecurse):
1691         (JSC::VM::jsStackLimit): Deleted.
1692         (JSC::VM::setJSStackLimit): Deleted.
1693         (JSC::VM::stackLimit): Deleted.
1694         (JSC::VM::addressOfStackLimit): Deleted.
1695         * wasm/WASMFunctionCompiler.h:
1696         (JSC::WASMFunctionCompiler::startFunction):
1697
1698 2016-07-05  Saam Barati  <sbarati@apple.com>
1699
1700         StackVisitor::unwindToMachineCodeBlockFrame() may unwind past a VM entry frame when catching an exception and the frame has inlined tail calls
1701         https://bugs.webkit.org/show_bug.cgi?id=159448
1702         <rdar://problem/27084459>
1703
1704         Reviewed by Mark Lam.
1705
1706         Consider the following stack trace:
1707         (machine) foo -> VM entry frame -> (machine) bar -> (inlined tailcall) baz
1708
1709         If an exception is thrown at 'baz', we will do exception unwinding,
1710         which will eventually call unwindToMachineCodeBlockFrame() which will call
1711         gotoNextFrame() on the 'baz' frame. The next logical frame for 'baz' is 'foo' because
1712         'bar' tail called 'baz' even though there is a machine frame for 'bar' on the stack.
1713         This is a bug. unwindToMachineCodeBlockFrame() should not care about the next
1714         logical frame, it just wants to move StackVisitor's state to the current machine
1715         frame. The bug here is that we would end up unwinding past the VM entry frame
1716         which can have all kinds of terrible consequences.
1717
1718         This patch fixes unwindToMachineCodeBlockFrame() by having it not rely
1719         on gotoNextFrame() and instead using its own mechanism for setting
1720         the StackVisitor's state to the current machine frame.
1721
1722         * interpreter/StackVisitor.cpp:
1723         (JSC::StackVisitor::unwindToMachineCodeBlockFrame):
1724         * tests/stress/dont-unwind-past-vm-entry-frame.js: Added.
1725         (let.p.new.Proxy):
1726         (let.p.new.Proxy.apply):
1727         (bar):
1728         (let.good):
1729         (getItem):
1730         (start):
1731
1732 2016-07-05  Joseph Pecoraro  <pecoraro@apple.com>
1733
1734         RELEASE_ASSERT(!thisObject) in ObjCCallbackFunctionImpl::call when calling JSExport ObjC Constructor without operator new
1735         https://bugs.webkit.org/show_bug.cgi?id=159446
1736
1737         Reviewed by Mark Lam.
1738
1739         Treat ObjC JSExport init constructors like ES6 Class Constructors
1740         and throw a TypeError when called without 'new'.
1741
1742         * API/ObjCCallbackFunction.mm:
1743         (JSC::ObjCCallbackFunctionImpl::type):
1744         (JSC::objCCallbackFunctionCallAsFunction):
1745         When calling an init method as a function instead of construction,
1746         throw a TypeError.
1747
1748         * bytecompiler/BytecodeGenerator.cpp:
1749         (JSC::BytecodeGenerator::BytecodeGenerator):
1750         Improve error message.
1751
1752         * API/tests/testapi.mm:
1753         (testObjectiveCAPIMain):
1754         Test we get an exception when calling an ObjC constructor without 'new'.
1755
1756 2016-07-05  Mark Lam  <mark.lam@apple.com>
1757
1758         Remove some unneeded #include "CachedCall.h".
1759         https://bugs.webkit.org/show_bug.cgi?id=159449
1760
1761         Reviewed by Saam Barati.
1762
1763         * runtime/ArrayPrototype.cpp:
1764         * runtime/JSArray.cpp:
1765         * runtime/MapPrototype.cpp:
1766         * runtime/SetPrototype.cpp:
1767
1768 2016-07-05  Geoffrey Garen  <ggaren@apple.com>
1769
1770         Crash @ bankofamerica.com, University of Vienna
1771         https://bugs.webkit.org/show_bug.cgi?id=159439
1772
1773         Reviewed by Saam Barati.
1774
1775         * ftl/FTLLink.cpp:
1776         (JSC::FTL::link): Do check for stack overflow in the arity mismatch thunk
1777         because it can happen. Don't store a CallSiteIndex because we haven't
1778         stored a CodeBlock yet, and our stack frame is not fully constructed,
1779         so it would be an error for any client to try to load this value (and
1780         operationCallArityCheck does not load this value).
1781
1782         * tests/stress/arity-check-ftl-throw.js: Added. New test case for stressing
1783         a stack overflow with arity mismatch. Sadly, after hours of fiddling, I
1784         can't seem to get this to fail in trunk. Still, it's good to have some
1785         more testing in this area.
1786
1787 2016-07-05  Benjamin Poulain  <bpoulain@apple.com>
1788
1789         [JSC] The prototype cycle check throws the wrong error type
1790         https://bugs.webkit.org/show_bug.cgi?id=159393
1791
1792         Reviewed by Geoffrey Garen.
1793
1794         We were supposed to throw the TypeError:
1795         -https://tc39.github.io/ecma262/#sec-set-object.prototype.__proto__
1796
1797         * runtime/JSObject.cpp:
1798         (JSC::JSObject::setPrototypeWithCycleCheck):
1799
1800 2016-07-05  Saam Barati  <sbarati@apple.com>
1801
1802         our parsing for "use strict" is wrong when we first parse other directives that are not "use strict" but are located in a place where "use strict" would be valid
1803         https://bugs.webkit.org/show_bug.cgi?id=159376
1804         <rdar://problem/27108773>
1805
1806         Reviewed by Benjamin Poulain.
1807
1808         Our strict mode detection algorithm used to break if we ever saw a directive
1809         that is not "use strict" but is syntactically located in a location where our
1810         parser looks for "use strict". It broke as follows:
1811
1812         If a function started with a non "use strict" string literal, we will allow
1813         "use strict" to be in any arbitrary statement inside the top level block in
1814         the function body. For example, this meant that if we parsed a sequence of string
1815         literals, followed by arbitrary statements, followed by "use strict", we would parse
1816         the function as if it's in strict mode. This is the wrong behavior with respect to
1817         the spec. This has consequences in other ways that break invariants of the language.
1818         For example, we used to allow functions that are lexically nested inside what we deemed
1819         a strict function to be non-strict. This used to fire an assertion if we ever skipped over
1820         that function using the source provider cache, but it worked just fine in release builds.
1821
1822         This patch fixes this bug.
1823
1824         * parser/Parser.cpp:
1825         (JSC::Parser<LexerType>::parseSourceElements):
1826         (JSC::Parser<LexerType>::parseStatement):
1827         * tests/stress/ensure-proper-strict-mode-parsing.js: Added.
1828         (foo.bar):
1829         (foo):
1830         (bar.foo):
1831         (bar):
1832         (bar.call.undefined.this.throw.new.Error.string_appeared_here.baz):
1833         (baz.call.undefined.undefined.throw.new.Error.string_appeared_here.jaz):
1834         (jaz.call.undefined.this.throw.new.Error.string_appeared_here.vaz):
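
        Added example (not JavaScriptCore code): the ECMA-262 directive-prologue rule for "use strict" as a reference model over a constructed list of top-level statement sources, the over-permissive behaviour the entry above describes, and a check against the running engine via `new Function` (a strict function called without a receiver sees `this` as undefined).

```javascript
// Matches an ExpressionStatement that is a single string literal. Group 2 is
// the raw source text between the quotes, escape sequences left as written.
const STRING_STATEMENT = /^\s*(['"])((?:\\.|(?!\1)[^\\\n])*)\1\s*;?\s*$/;

function rawDirective(source) {
  const m = STRING_STATEMENT.exec(source);
  return m ? m[2] : null;
}

// Spec: the prologue is the longest run of string-literal statements at the
// start of the body. Only a directive whose raw text is exactly "use strict"
// (no escapes) counts, and only while still inside the prologue.
function isStrictPerSpec(statements) {
  for (const source of statements) {
    const raw = rawDirective(source);
    if (raw === null) break;            // prologue over: later strings are plain statements
    if (raw === 'use strict') return true;
  }
  return false;
}

// The behaviour described above: once the body started with a string literal
// other than "use strict", a "use strict" anywhere at the top level was honoured.
function isStrictOverPermissive(statements) {
  const first = statements.length ? rawDirective(statements[0]) : null;
  if (first !== null && first !== 'use strict') {
    return statements.some((s) => rawDirective(s) === 'use strict');
  }
  return isStrictPerSpec(statements);
}

// Ground truth from the engine. Bodies must not contain `return` statements,
// since the probe appends its own.
function isStrictInEngine(statements) {
  const body = statements.join('\n') + '\nreturn this === undefined;';
  return new Function(body)();
}

// Constructed bodies; the third is the case that used to be mis-parsed.
const SAMPLE_BODIES = [
  ["'use strict';"],
  ["'some other directive';", "'use strict';"],
  ["'some other directive';", "var x = 1;", "'use strict';"],
  ["var x = 1;", "'use strict';"],
  ["'use\\x20strict';", "'use strict';"],   // escaped form is not a Use Strict Directive, but it keeps the prologue open
  ["'use\\x20strict';"],
];

function classify(statements) {
  return {
    spec: isStrictPerSpec(statements),
    permissive: isStrictOverPermissive(statements),
    engine: isStrictInEngine(statements),
  };
}
```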
1835
1836 2016-07-05  Saam Barati  <sbarati@apple.com>
1837
1838         reportAbandonedObjectGraph should report abandoned bytes based on capacity() so it works even if a GC has never happened
1839         https://bugs.webkit.org/show_bug.cgi?id=159222
1840         <rdar://problem/27001991>
1841
1842         Reviewed by Geoffrey Garen.
1843
1844         When reportAbandonedObjectGraph() was called before the first GC, it used to
1845         not indicate to the GC timers that we have memory that needs to be collected
1846         because the calculation was based on m_sizeAfterLastCollect (which was zero).
1847         This patch makes the calculation based on capacity() which is a valid number
1848         even before the first GC.
1849
1850         * heap/Heap.cpp:
1851         (JSC::Heap::reportAbandonedObjectGraph):
1852         (JSC::Heap::protect):
1853         (JSC::Heap::didAbandon): Deleted.
1854         * heap/Heap.h:
1855         (JSC::Heap::jitStubRoutines):
1856
1857 2016-07-05  Csaba Osztrogonác  <ossy@webkit.org>
1858
1859         Typo fix after r202214
1860         https://bugs.webkit.org/show_bug.cgi?id=159416
1861
1862         Reviewed by Saam Barati.
1863
1864         * bytecode/InlineAccess.h:
1865
1866 2016-07-03  Per Arne Vollan  <pvollan@apple.com>
1867
1868         [Win] DLLs are missing version information.
1869         https://bugs.webkit.org/show_bug.cgi?id=159349
1870
1871         Reviewed by Brent Fulgham.
1872
1873         Run perl version stamp utility.
1874
1875         * CMakeLists.txt:
1876
1877 2016-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1878
1879         [JSC] MacroAssemblerX86::branch8 should accept unsigned 8bit value
1880         https://bugs.webkit.org/show_bug.cgi?id=159334
1881
1882         Reviewed by Benjamin Poulain.
1883
1884         As described in branchTest8 functions, byte in TrustedImm32 is not well defined.
1885         So the assertion here should be a little permissive; accepting -128 to 255.
1886
1887         This assertion was originally fired when executing the misc-bugs-847389-jpeg2000 benchmark in Debug build.
1888         So this patch includes misc-bugs-847389-jpeg2000 benchmark.
1889
1890         * assembler/MacroAssemblerX86Common.h:
1891         (JSC::MacroAssemblerX86Common::branchTest8):
1892         (JSC::MacroAssemblerX86Common::branch8):
1893         * b3/testb3.cpp:
1894         (JSC::B3::testBranch8WithLoad8ZIndex):
1895         (JSC::B3::run):
1896
1897 2016-07-03  Benjamin Poulain  <bpoulain@apple.com>
1898
1899         [JSC] __lookupGetter__ and __lookupSetter__ should not ignore exceptions
1900         https://bugs.webkit.org/show_bug.cgi?id=159390
1901
1902         Reviewed by Mark Lam.
1903
1904         See:
1905         -https://tc39.github.io/ecma262/#sec-object.prototype.__lookupGetter__
1906         -https://tc39.github.io/ecma262/#sec-object.prototype.__lookupSetter__
1907
1908         They are both supposed to be regular [[GetOwnProperty]].
1909
1910         * runtime/ObjectPrototype.cpp:
1911         (JSC::objectProtoFuncLookupGetter):
1912         (JSC::objectProtoFuncLookupSetter):
1913
1914 2016-07-03  Saam Barati  <sbarati@apple.com>
1915
1916         BytecodeGenerator::getVariablesUnderTDZ is too conservative
1917         https://bugs.webkit.org/show_bug.cgi?id=159387
1918
1919         Reviewed by Filip Pizlo.
1920
1921         We were too conservative in the following type of programs:
1922         ```
1923         {
1924             {
1925                 let x;
1926                 ...
1927             }
1928             let x;
1929         }
1930         ```
1931         We used to report "x" as under TDZ when calling getVariablesUnderTDZ at the
1932         "...", even though "x" is not under TDZ. This patch removes this conservatism
1933         and makes the algorithm precise.
1934
1935         * bytecompiler/BytecodeGenerator.cpp:
1936         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1937         * bytecompiler/BytecodeGenerator.h:
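
        Added example (not JavaScriptCore code): a small scope-stack model of the getVariablesUnderTDZ query, in the conservative form described above and the precise form where an inner declaration shadows an outer binding that is still under TDZ. Scope entry, `let` declaration and initialization are modelled explicitly; the assumed API is hypothetical.

```javascript
class ScopeStack {
  constructor() {
    this.scopes = [];                 // innermost scope is last; name -> initialized?
  }
  enterBlock() { this.scopes.push(new Map()); }
  leaveBlock() { this.scopes.pop(); }

  // Lexical declarations are hoisted to the top of their block and start out
  // in the temporal dead zone.
  declareLet(name) {
    this.scopes[this.scopes.length - 1].set(name, false);
  }

  // Executing the `let x;` statement initializes the innermost binding of x.
  initialize(name) {
    for (let i = this.scopes.length - 1; i >= 0; i--) {
      if (this.scopes[i].has(name)) { this.scopes[i].set(name, true); return; }
    }
    throw new Error('not declared: ' + name);
  }

  // Conservative: report every uninitialized lexical binding in any enclosing
  // scope, even ones that an inner declaration makes unreachable.
  variablesUnderTDZConservative() {
    const result = new Set();
    for (const scope of this.scopes) {
      for (const [name, initialized] of scope) if (!initialized) result.add(name);
    }
    return [...result].sort();
  }

  // Precise: walk outward and let the innermost binding of each name win; an
  // outer uninitialized binding shadowed by an initialized inner one is not
  // reachable from here, so it is not reported.
  variablesUnderTDZPrecise() {
    const resolved = new Set();
    const result = new Set();
    for (let i = this.scopes.length - 1; i >= 0; i--) {
      for (const [name, initialized] of this.scopes[i]) {
        if (resolved.has(name)) continue;
        resolved.add(name);
        if (!initialized) result.add(name);
      }
    }
    return [...result].sort();
  }
}

// The program from the entry above, queried at the "..." point:
//   {
//       {
//           let x;
//           ...
//       }
//       let x;
//   }
// An extra outer `let y` that has not run yet is added so the precise query
// still has something to report.
function tdzAtInnerPoint() {
  const s = new ScopeStack();
  s.enterBlock();                     // outer block: x and y hoisted, both in TDZ
  s.declareLet('x');
  s.declareLet('y');
  s.enterBlock();                     // inner block: its own x hoisted
  s.declareLet('x');
  s.initialize('x');                  // inner `let x;` has executed
  return {
    conservative: s.variablesUnderTDZConservative(),
    precise: s.variablesUnderTDZPrecise(),
  };
}
```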
1938
1939 2016-07-03  Filip Pizlo  <fpizlo@apple.com>
1940
1941         FTL should refer to B3 types directly
1942         https://bugs.webkit.org/show_bug.cgi?id=159389
1943
1944         Reviewed by Saam Barati.
1945
1946         When we used LLVM, types were objects that were allocated by the LLVMContext. We had to
1947         remember pointers to them or else call through the C API every time we wanted the type. We
1948         stored the type pointers inside FTL::CommonValues.
1949
1950         But in B3, types are just members of an enum. We don't have to remember pointers to them.
1951
1952         This change replaces all prior uses of things like "m_out.int32" with just "Int32", and
1953         likewise for m_out.boolean, m_out.int64, m_out.intPtr, m_out.floatType, m_out.doubleType,
1954         and m_out.voidType.
1955
1956         We still use FTL::CommonValues for common constants that we have pre-hoisted. Hopefully we
1957         will come up with a better story for those eventually, since that's still kinda ugly.
1958
1959         * ftl/FTLCommonValues.cpp:
1960         (JSC::FTL::CommonValues::CommonValues):
1961         * ftl/FTLCommonValues.h:
1962         * ftl/FTLLowerDFGToB3.cpp:
1963         (JSC::FTL::DFG::LowerDFGToB3::createPhiVariables):
1964         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
1965         (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
1966         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
1967         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
1968         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1969         (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
1970         (JSC::FTL::DFG::LowerDFGToB3::compileArithMinOrMax):
1971         (JSC::FTL::DFG::LowerDFGToB3::compileArithPow):
1972         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1973         (JSC::FTL::DFG::LowerDFGToB3::compileArrayifyToStructure):
1974         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
1975         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
1976         (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
1977         (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
1978         (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
1979         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1980         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1981         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
1982         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1983         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
1984         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1985         (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById):
1986         (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById):
1987         (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal):
1988         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
1989         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
1990         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1991         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1992         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1993         (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments):
1994         (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
1995         (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest):
1996         (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
1997         (JSC::FTL::DFG::LowerDFGToB3::compileNewObject):
1998         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1999         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2000         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2001         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2002         (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
2003         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
2004         (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
2005         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2006         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2007         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2008         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
2009         (JSC::FTL::DFG::LowerDFGToB3::compileGetByOffset):
2010         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2011         (JSC::FTL::DFG::LowerDFGToB3::compilePutByOffset):
2012         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2013         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
2014         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
2015         (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
2016         (JSC::FTL::DFG::LowerDFGToB3::compileIsString):
2017         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
2018         (JSC::FTL::DFG::LowerDFGToB3::compileIsObject):
2019         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
2020         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
2021         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
2022         (JSC::FTL::DFG::LowerDFGToB3::compileIsTypedArrayView):
2023         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
2024         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2025         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
2026         (JSC::FTL::DFG::LowerDFGToB3::compileCheckTypeInfoFlags):
2027         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
2028         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
2029         (JSC::FTL::DFG::LowerDFGToB3::compileCountExecution):
2030         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2031         (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty):
2032         (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty):
2033         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2034         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumerableLength):
2035         (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
2036         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
2037         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
2038         (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString):
2039         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureImmediate):
2040         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2041         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
2042         (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
2043         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
2044         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
2045         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2046         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
2047         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
2048         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2049         (JSC::FTL::DFG::LowerDFGToB3::getById):
2050         (JSC::FTL::DFG::LowerDFGToB3::compare):
2051         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
2052         (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
2053         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
2054         (JSC::FTL::DFG::LowerDFGToB3::speculateTruthyObject):
2055         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
2056         (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
2057         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2058         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2059         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2060         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
2061         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2062         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
2063         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
2064         (JSC::FTL::DFG::LowerDFGToB3::buildSwitch):
2065         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
2066         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
2067         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
2068         (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToJSValue):
2069         (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToInt52):
2070         (JSC::FTL::DFG::LowerDFGToB3::unboxInt32):
2071         (JSC::FTL::DFG::LowerDFGToB3::boxInt32):
2072         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
2073         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
2074         (JSC::FTL::DFG::LowerDFGToB3::boxDouble):
2075         (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
2076         (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52):
2077         (JSC::FTL::DFG::LowerDFGToB3::convertDoubleToInt32):
2078         (JSC::FTL::DFG::LowerDFGToB3::callCheck):
2079         (JSC::FTL::DFG::LowerDFGToB3::crash):
2080         * ftl/FTLOutput.cpp:
2081         (JSC::FTL::Output::bitCast):
2082
2083 2016-07-02  Filip Pizlo  <fpizlo@apple.com>
2084
2085         DFG LICM needs to go all-in on the idea that some loops can't be LICMed
2086         https://bugs.webkit.org/show_bug.cgi?id=159388
2087
2088         Reviewed by Mark Lam.
2089         
2090         Some time ago I acknowledged that LICM required loops to meet certain requirements that
2091         may get broken by the time we do LICM, like that the terminal of the pre-header is ExitOK.
2092         It used to be that we just ignored that requirement and would hoist anyway, but since
2093         r189126 we've stopped hoisting out of loops that don't have ExitOK.  We also added tests
2094         for the case that the pre-header doesn't exist or is invalid.
2095
2096         It turns out that this patch didn't go far enough: even though it made LICM avoid loops
2097         that had an invalid pre-header, the part that updated the AI state in nested loops still
2098         assumed that these loops had valid pre-headers.  We would crash in null dereference in
2099         that loop if a nested loop had an invalid pre-header.
2100
2101         The fix is simple: don't update the AI state of nested loops that don't have pre-headers,
2102         since we won't try to hoist out of those loops anyway.
2103
2104         * dfg/DFGLICMPhase.cpp:
2105         (JSC::DFG::LICMPhase::attemptHoist):
2106         * tests/stress/licm-no-pre-header-nested.js: Added. This would always crash before this fix.
2107         (foo):
2108         * tests/stress/licm-pre-header-cannot-exit-nested.js: Added. This was a failed attempt at a test, but I figure it's good to have weird code anyway.
2109         (foo):
2110         (valueOf):
2111
2112 2016-06-30  Filip Pizlo  <fpizlo@apple.com>
2113
2114         Scopes that are not under TDZ should still push their variables onto the TDZ stack so that lifting TDZ doesn't bypass that scope
2115         https://bugs.webkit.org/show_bug.cgi?id=159332
2116         rdar://problem/27018958
2117
2118         Reviewed by Saam Barati.
2119         
2120         This fixes an instacrash in this code:
2121         
2122             try{}catch(e){}print(e);let e;
2123         
2124         We lift TDZ for "e" in "catch (e){}", but since that scope doesn't push anything onto the
2125         TDZ stack, we lift TDZ from "let e".
2126         
2127         The problem is that we weren't tracking the set of variables that do not have TDZ. We need
2128         to track them to "block" the traversal that lifts TDZ. This change fixes this issue by
2129         using a map that tracks all known variables, and tells you if they are under TDZ or not.
2130
2131         * bytecode/CodeBlock.h:
2132         (JSC::CodeBlock::numParameters):
2133         * bytecode/CodeOrigin.h:
2134         * bytecompiler/BytecodeGenerator.cpp:
2135         (JSC::Label::setLocation):
2136         (JSC::Variable::dump):
2137         (JSC::BytecodeGenerator::generate):
2138         (JSC::BytecodeGenerator::BytecodeGenerator):
2139         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
2140         (JSC::BytecodeGenerator::popLexicalScope):
2141         (JSC::BytecodeGenerator::popLexicalScopeInternal):
2142         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
2143         (JSC::BytecodeGenerator::variable):
2144         (JSC::BytecodeGenerator::needsTDZCheck):
2145         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
2146         (JSC::BytecodeGenerator::pushTDZVariables):
2147         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
2148         (JSC::BytecodeGenerator::endGenerator):
2149         (WTF::printInternal):
2150         * bytecompiler/BytecodeGenerator.h:
2151         (JSC::Variable::isConst):
2152         (JSC::Variable::setIsReadOnly):
2153         * interpreter/CallFrame.h:
2154         (JSC::ExecState::topOfFrame):
2155         * tests/stress/lift-tdz-bypass-catch.js: Added.
2156         (foo):
2157         (catch):
2158
2159 2016-07-01  Benjamin Poulain  <bpoulain@apple.com>
2160
2161         [JSC] RegExp.compile is not returning the regexp when it succeed
2162         https://bugs.webkit.org/show_bug.cgi?id=159381
2163
2164         Reviewed by Mark Lam.
2165
2166         Spec:
2167         -https://tc39.github.io/ecma262/#sec-regexp.prototype.compile
2168         -https://tc39.github.io/ecma262/#sec-regexpinitialize
2169
2170         * runtime/RegExpPrototype.cpp:
2171         (JSC::regExpProtoFuncCompile):
2172
2173 2016-07-01  Saam Barati  <sbarati@apple.com>
2174
2175         fix "ASSERTION FAILED: currentOffset() >= currentLineStartOffset()"
2176         https://bugs.webkit.org/show_bug.cgi?id=158572
2177         <rdar://problem/26884092>
2178
2179         Reviewed by Mark Lam.
2180
2181         There is a bug in our lexer when we notice the pattern:
2182         ```<return|continue|break|...etc> // some comment here```
2183         Our code will say that the token for the comment is a semicolon.
2184         This is the correct semantics, however, it would give the semicolon
2185         a start offset of the comment, but it will give its line start offset
2186         the newline after the comment.  This breaks the invariant in the lexer/parser
2187         that the offset for the current line starting point must be less than or equal to
2188         the start offset of any token on that line. This invariant was broken because
2189         the line start offset was greater than the token start offset. To maintain this
2190         invariant, we claim that the semicolon token is located where the comment starts,
2191         and that its line start offset is the line start offset for the line with the
2192         comment on it.  There are other solutions that maintain this invariant, but this
2193         solution provides the best error messages.
2194
2195         * parser/Lexer.cpp:
2196         (JSC::Lexer<T>::lex):
2197         * parser/Parser.h:
2198         (JSC::Parser::internalSaveLexerState):
2199         * tests/stress/obscure-error-message-dont-crash.js: Added.
2200         (try.eval.or.catch):
2201
2202 2016-07-01  Benjamin Poulain  <bpoulain@apple.com>
2203
2204         __defineGetter__/__defineSetter__ should throw exceptions
2205         https://bugs.webkit.org/show_bug.cgi?id=142934
2206
2207         Reviewed by Mark Lam.
2208
2209         * runtime/ObjectPrototype.cpp:
2210         (JSC::objectProtoFuncDefineGetter):
2211         (JSC::objectProtoFuncDefineSetter):
2212
2213 2016-07-01  Jon Davis  <jond@apple.com>
2214
2215         Moved Web Animations and Resource Timing feature entries to WebCore.
2216         https://bugs.webkit.org/show_bug.cgi?id=159356
2217
2218         Reviewed by Timothy Hatcher.
2219
2220         * features.json:
2221
2222 2016-07-01  Benjamin Poulain  <bpoulain@apple.com>
2223
2224         [JSC] Date.toGMTString should be the Date.toUTCString function
2225         https://bugs.webkit.org/show_bug.cgi?id=159318
2226
2227         Reviewed by Mark Lam.
2228
2229         See https://tc39.github.io/ecma262/#sec-date.prototype.togmtstring
2230
2231         * runtime/DatePrototype.cpp:
2232         (JSC::DatePrototype::finishCreation):
2233         (JSC::dateProtoFuncToGMTString): Deleted.
2234
2235 2016-07-01  Mark Lam  <mark.lam@apple.com>
2236
2237         Update JSC_functionOverrides to handle the new SourceCode strings that have params.
2238         https://bugs.webkit.org/show_bug.cgi?id=159321
2239
2240         Reviewed by Geoffrey Garen.
2241
2242         And add tests so that this won't fail silently and bit rot anymore.
2243
2244         * API/tests/FunctionOverridesTest.cpp: Added.
2245         (testFunctionOverrides):
2246         * API/tests/FunctionOverridesTest.h: Added.
2247         * API/tests/testapi-function-overrides.js: Added.
2248         * API/tests/testapi.c:
2249         (main):
2250         * JavaScriptCore.xcodeproj/project.pbxproj:
2251         * bytecode/UnlinkedFunctionExecutable.cpp:
2252         (JSC::UnlinkedFunctionExecutable::link):
2253         * shell/PlatformWin.cmake:
2254         * tools/FunctionOverrides.cpp:
2255         (JSC::FunctionOverrides::FunctionOverrides):
2256         (JSC::FunctionOverrides::reinstallOverrides):
2257         (JSC::initializeOverrideInfo):
2258         (JSC::FunctionOverrides::initializeOverrideFor):
2259         * tools/FunctionOverrides.h:
2260         (JSC::FunctionOverrides::clear):
2261
2262 2016-07-01  Caio Lima  <ticaiolima@gmail.com>
2263
2264         ES6: Implement HasRestrictedGlobalProperty when checking for global lexical tier conflicts
2265         https://bugs.webkit.org/show_bug.cgi?id=148763
2266
2267         Reviewed by Saam Barati.
2268
2269         I've implemented the ES6 spec 8.1.1.4.14
2270         (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-hasrestrictedglobalproperty)
2271         that defines when a global property can be shadowed.
2272
2273         Added some test cases into global-lexical-redeclare-variable.js
2274
2275         * runtime/Executable.cpp:
2276         (JSC::ProgramExecutable::initializeGlobalProperties):
2277         * tests/stress/global-lexical-redeclare-variable.js:
2278         (catch):
2279         * tests/stress/multiple-files-tests/global-lexical-redeclare-variable/eighth.js: Added.
2280         * tests/stress/multiple-files-tests/global-lexical-redeclare-variable/nineth.js: Added.
2281         * tests/stress/multiple-files-tests/global-lexical-redeclare-variable/seventh.js: Added.
2282         * tests/stress/multiple-files-tests/global-lexical-redeclare-variable/sixth.js:
2283         * tests/stress/multiple-files-tests/global-lexical-redeclare-variable/tenth.js: Added.
2284
2285 2016-07-01  Youenn Fablet  <youennf@gmail.com>
2286
2287         Add a runtime flag for DOM iterators
2288         https://bugs.webkit.org/show_bug.cgi?id=159300
2289
2290         Reviewed by Alex Christensen.
2291
2292         * runtime/CommonIdentifiers.h:
2293
2294 2016-06-30  Joseph Pecoraro  <pecoraro@apple.com>
2295
2296         Web Inspector: Wrong function name next to scope
2297         https://bugs.webkit.org/show_bug.cgi?id=158210
2298         <rdar://problem/26543093>
2299
2300         Reviewed by Timothy Hatcher.
2301
2302         * CMakeLists.txt:
2303         * JavaScriptCore.xcodeproj/project.pbxproj:
2304         Add DebuggerLocation. A helper for describing a unique location.
2305
2306         * bytecode/CodeBlock.cpp:
2307         (JSC::CodeBlock::setConstantRegisters):
2308         When compiled with debug info, add a SymbolTable rare data pointer
2309         back to the CodeBlock. This will be used later to get JSScope debug
2310         info if Web Inspector pauses.
2311
2312         * runtime/SymbolTable.h:
2313         * runtime/SymbolTable.cpp:
2314         (JSC::SymbolTable::cloneScopePart):
2315         (JSC::SymbolTable::prepareForTypeProfiling):
2316         (JSC::SymbolTable::uniqueIDForVariable):
2317         (JSC::SymbolTable::uniqueIDForOffset):
2318         (JSC::SymbolTable::globalTypeSetForOffset):
2319         (JSC::SymbolTable::globalTypeSetForVariable):
2320         Rename rareData and include a CodeBlock pointer.
2321
2322         (JSC::SymbolTable::rareDataCodeBlock):
2323         (JSC::SymbolTable::setRareDataCodeBlock):
2324         Setter and getter for the rare data. It should only be set once.
2325
2326         (JSC::SymbolTable::visitChildren):
2327         Visit the rare data code block if we have one.
2328
2329         * runtime/JSSymbolTableObject.h:
2330         * runtime/JSSymbolTableObject.cpp:
2331         (JSC::JSSymbolTableObject::deleteProperty):
2332         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2333         Give JSSymbolTable its own class info. JSWithScope was unexpectedly
2334         inheriting from JSSymbolTable since it did not have its own and
2335         was using JSScope's class info. Also do a bit of cleanup.
2336
2337         * debugger/DebuggerLocation.cpp: Added.
2338         (JSC::DebuggerLocation::DebuggerLocation):
2339         * debugger/DebuggerLocation.h: Added.
2340         (JSC::DebuggerLocation::DebuggerLocation):
2341         Construction from a ScriptExecutable.
2342
2343         * runtime/JSScope.cpp:
2344         (JSC::JSScope::symbolTable):
2345         * runtime/JSScope.h:
2346         * debugger/DebuggerScope.h:
2347         * debugger/DebuggerScope.cpp:
2348         (JSC::DebuggerScope::name):
2349         (JSC::DebuggerScope::location):
2350         Name and location for a scope. This uses:
2351         JSScope -> SymbolTable -> CodeBlock -> Executable
2352
2353         * inspector/protocol/Debugger.json:
2354         * inspector/InjectedScriptSource.js:
2355         (InjectedScript.CallFrameProxy.prototype._wrapScopeChain):
2356         (InjectedScript.CallFrameProxy._createScopeJson):
2357         * inspector/JSJavaScriptCallFrame.cpp:
2358         (Inspector::valueForScopeType):
2359         (Inspector::valueForScopeLocation):
2360         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2361         (Inspector::JSJavaScriptCallFrame::scopeType): Deleted.
2362         * inspector/JSJavaScriptCallFrame.h:
2363         * inspector/JSJavaScriptCallFramePrototype.cpp:
2364         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
2365         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
2366         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType): Deleted.
2367         Simplify this code to build the objects we will send across the protocol
2368         to describe a Scope.
2369
2370 2016-06-30  Saam Barati  <sbarati@apple.com>
2371
2372         missing exception checks in arrayProtoFuncReverse
2373         https://bugs.webkit.org/show_bug.cgi?id=159319
2374         <rdar://problem/27083696>
2375
2376         Reviewed by Filip Pizlo.
2377
2378         * runtime/ArrayPrototype.cpp:
2379         (JSC::arrayProtoFuncToString):
2380         (JSC::arrayProtoFuncReverse):
2381
2382 2016-06-30  Saam Barati  <sbarati@apple.com>
2383
2384         get_by_id_with_this does not trigger a to_this in caller.
2385         https://bugs.webkit.org/show_bug.cgi?id=159226
2386
2387         Reviewed by Keith Miller.
2388
2389         This is a bug if the caller is in sloppy mode and the callee is in strict
2390         mode. This can't happen with ES6 classes because they're all in strict mode,
2391         but it can happen with method syntax on an object literal. The caller must
2392         to_this on |this| when it knows that it performs super property accesses.
2393
2394         * bytecompiler/BytecodeGenerator.cpp:
2395         (JSC::BytecodeGenerator::BytecodeGenerator):
2396         * tests/stress/super-property-access-object-literal-to-this-2.js: Added.
2397         (assert):
2398         (test):
2399         (let.o1.get foo):
2400         (let.o2.a):
2401         (let.o2.aa):
2402         * tests/stress/super-property-access-object-literal-to-this.js: Added.
2403         (assert):
2404         (test):
2405         (let.o1.get foo):
2406         (let.o2.a):
2407         (let.o2.aa):
2408         (let.o2.b):
2409         (let.o2.bb):
2410         * tests/stress/super-property-access-to-this.js: Added.
2411         (assert):
2412         (test):
2413         (Base.prototype.get foo):
2414         (Base):
2415         (Child.prototype.a):
2416         (Child.prototype.b):
2417         (Child):
2418
2419 2016-06-30  Saam Barati  <sbarati@apple.com>
2420
2421         We need to to_this when an inner arrow function uses 'this'
2422         https://bugs.webkit.org/show_bug.cgi?id=159290
2423         <rdar://problem/27058322>
2424
2425         Reviewed by Geoffrey Garen.
2426
2427         We put the |this| value into the closure object when there
2428         is an arrow function that uses |this|. However, an arrow function
2429         using |this| wasn't causing the creator of the closure that
2430         holds |this| to to_this its value before putting it in the
2431         closure. That's a huge bug because it means some arrow functions
2432         can capture the raw |this| value, which might be a JSLexicalEnvironment.
2433         This patch fixes this by adding an easy check to see if any
2434         inner arrow functions use |this|, and if any do, it will to_this
2435         the |this| value.
2436
2437         * bytecompiler/BytecodeGenerator.cpp:
2438         (JSC::BytecodeGenerator::BytecodeGenerator):
2439         * tests/stress/to-this-before-arrow-function-closes-over-this-that-starts-as-lexical-environment.js: Added.
2440         (assert):
2441         (obj):
2442         (foo.capture):
2443         (foo.wrapper.let.x.):
2444         (foo2.capture):
2445         (foo2.wrapper.let.x.):
2446         (foo2.wrapper.bar):
2447
2448 2016-06-29  Filip Pizlo  <fpizlo@apple.com>
2449
2450         Generators violate bytecode liveness validation
2451         https://bugs.webkit.org/show_bug.cgi?id=159279
2452
2453         Reviewed by Yusuke Suzuki.
2454         
2455         Fix a liveness bug found by Basic. The problem is that resume's intended liveness rule is:
2456         "live-in is just the token argument", but the liveness analysis thought that the rule was
2457         "live-in is live-out minus defs plus live-at-catch". Clearly these two rules are quite
2458         different. The way this sort of worked before is that we would define the defs of resume
2459         as being equal to our prediction of what the live-outs would be. We did this in the hope
2460         that we would subtract all live-outs. But, this misses the live-at-catch part. So, this
2461         change adds another hack to neutralize live-at-catch.
2462         
2463         This would make a lot more sense if we wrote a new liveness analysis that was just for
2464         generator conversion. It could reuse BytecodeUseDef but otherwise it would be a new thing.
2465         It would be easy to write crazy rules for save/resume in such an analysis, especially if
2466         that analysis rewrote the bytecode. We could then just have an op_yield that is a no-op.
2467         We would just record the live-outs of op_yield and use that for rewriting the code in terms
2468         of a switch statement.
2469
2470         * bytecode/BytecodeLivenessAnalysis.cpp:
2471         (JSC::stepOverInstruction):
2472         (JSC::BytecodeLivenessAnalysis::dumpResults):
2473         * bytecode/CodeBlock.cpp:
2474         (JSC::CodeBlock::dumpBytecode):
2475
2476 2016-06-30  Commit Queue  <commit-queue@webkit.org>
2477
2478         Unreviewed, rolling out r202659.
2479         https://bugs.webkit.org/show_bug.cgi?id=159305
2480
2481         The test for this change times out on mac-wk2 debug and caused
2482         an existing test to crash. (Requested by ryanhaddad on
2483         #webkit).
2484
2485         Reverted changeset:
2486
2487         "Web Inspector: Wrong function name next to scope"
2488         https://bugs.webkit.org/show_bug.cgi?id=158210
2489         http://trac.webkit.org/changeset/202659
2490
2491 2016-06-30  Benjamin Poulain  <bpoulain@apple.com>
2492
2493         [JSC] Date.setYear() misses timeClip()
2494         https://bugs.webkit.org/show_bug.cgi?id=159289
2495
2496         Reviewed by Geoffrey Garen.
2497
2498         * runtime/DatePrototype.cpp:
2499         (JSC::dateProtoFuncSetYear):
2500
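        The entries above for bugs 159332 (TDZ is not lifted for an outer "let" by a catch scope), 159381
        (RegExp.prototype.compile returns the regexp), 158572 (a line comment after "return" still acts as
        a semicolon), 142934 (__defineGetter__/__defineSetter__ throw), 159318 (toGMTString is the
        toUTCString function) and 159289 (setYear runs timeClip) each describe a spec-mandated behaviour
        that can be observed from plain JavaScript. The probe script below is an added example; it is not
        WebKit code and not one of the tests listed in those entries. The probe function names and result
        keys are this example's own; each probe returns the value an engine without the corresponding bug
        produces, so a build can be compared against the spec from the jsc or node shell.

```javascript
// Added example (not WebKit code): observable-semantics probes for several
// ChangeLog entries above. Each probe returns a plain value; an engine with one
// of the old bugs yields a different value for the corresponding key.

// Bug 159332: lifting TDZ for catch(e) must not lift it for the outer `let e`.
function probeTdzAfterCatch() {
  function inner() {
    try {} catch (e) {}
    return e;      // refers to the function-level `let e` below, still in TDZ
    let e;         // declared after the read on purpose; unreachable but hoisted
  }
  try { inner(); return "no error"; }
  catch (err) { return err instanceof ReferenceError ? "ReferenceError" : "other"; }
}

// Bug 159381: RegExp.prototype.compile must return the regexp object itself
// after reinitialising it with the new pattern and flags.
function probeRegExpCompile() {
  const r = /a/g;
  const result = r.compile("b", "i");
  return { returnsThis: result === r, source: r.source, flags: r.flags };
}

// Bug 158572: `return // comment` is `return;` (ASI), so the function returns
// undefined rather than the value on the following line.
function probeReturnBeforeComment() {
  const f = new Function("return // trailing comment\n  42;");
  return f();
}

// Bug 142934: __defineGetter__/__defineSetter__ must throw a TypeError for a
// non-callable accessor and for a |this| that cannot be converted to an object.
function probeDefineGetterThrows() {
  const out = {};
  try { ({}).__defineGetter__("x", 42); out.nonCallable = "no error"; }
  catch (e) { out.nonCallable = e.constructor.name; }
  try {
    Object.prototype.__defineSetter__.call(undefined, "x", function () {});
    out.undefinedThis = "no error";
  } catch (e) { out.undefinedThis = e.constructor.name; }
  return out;
}

// Bug 159318: toGMTString must be the very same function object as toUTCString.
function probeToGMTString() {
  return Date.prototype.toGMTString === Date.prototype.toUTCString;
}

// Bug 159289: setYear must pass its result through TimeClip, so a year that
// produces a non-finite time value yields NaN both as return value and as the
// stored time.
function probeSetYearTimeClip() {
  const d = new Date(0);
  const ret = d.setYear(Infinity);
  return { returned: Number.isNaN(ret), stored: Number.isNaN(d.getTime()) };
}

// Collects every probe result under a descriptive key.
function runProbes() {
  return {
    tdzAfterCatch: probeTdzAfterCatch(),
    regExpCompile: probeRegExpCompile(),
    returnBeforeComment: probeReturnBeforeComment(),
    defineGetter: probeDefineGetterThrows(),
    toGMTString: probeToGMTString(),
    setYearTimeClip: probeSetYearTimeClip(),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runProbes(), null, 2));
}
```

        Expected on a conforming engine: tdzAfterCatch is "ReferenceError", regExpCompile reports
        returnsThis true with source "b" and flags "i", returnBeforeComment is undefined, both
        defineGetter keys are "TypeError", toGMTString is true and both setYearTimeClip keys are true.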
2501 2016-06-30  Joseph Pecoraro  <pecoraro@apple.com> and Yusuke Suzuki  <utatane.tea@gmail.com>
2502
2503         [JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values
2504         https://bugs.webkit.org/show_bug.cgi?id=154022
2505
2506         Reviewed by Filip Pizlo.
2507
2508         We aim at optimizing @toInteger operation.
2509         While it still has an unoptimized part[1], this patch should be a first step.
2510
2511         We introduce the @toNumber builtin intrinsic operation.
2512         This converts the given value to the JS number by emitting op_to_number bytecode.
2513         Previously @toInteger called C++ @Number constructor for that purpose.
2514
2515         And in DFG, op_to_number is converted to DFG ToNumber node.
2516         During DFG, we attempt to convert this to edge filtering and Identity, but if we fail,
2517         we just fall back to calling the C++ function.
2518
2519         To utilize ToNumber in user-land side, we add a path attempting to convert Number constructor calls
2520         to ToNumber DFG nodes. This conversion is useful because `Number(value)` is used to convert a value to a number in JS.
2521
2522         Before this patch, we emit simple edge filtering (NumberUse) instead of emitting DFG node like ToNumber for op_to_number.
2523         But emitting ToNumber is useful, because in the case of `Number(value)`, considering `value` may not be a number is reasonable.
2524
2525         By leveraging @toNumber operation, we rewrite Number.{isFinite, isNaN}, global.{isFinite, isNaN} and @toInteger.
2526
2527         ToNumber DFG node has a value profiling. This profiling is leveraged to determine the result number type of the ToNumber operation.
2528         This value profiling is provided from either NumberConstructor's call operation or op_to_number.
2529
2530         The results (with the added performance tests) show that, while existing cases are performance neutral, the newly added cases gain the performance benefit.
2531         And ASMBench/n-body.c also shows stable ~2% progression.
2532
2533         [1]: https://bugs.webkit.org/show_bug.cgi?id=153738
2534
2535         * CMakeLists.txt:
2536         * DerivedSources.make:
2537         * JavaScriptCore.xcodeproj/project.pbxproj:
2538         * builtins/BuiltinNames.h:
2539         * builtins/GlobalObject.js:
2540         (globalPrivate.isFinite):
2541         (globalPrivate.isNaN):
2542         (globalPrivate.toInteger): Deleted.
2543         (globalPrivate.toLength): Deleted.
2544         (globalPrivate.isDictionary): Deleted.
2545         (globalPrivate.speciesGetter): Deleted.
2546         (globalPrivate.speciesConstructor): Deleted.
2547         * builtins/GlobalOperations.js: Copied from Source/JavaScriptCore/builtins/GlobalObject.js.
2548         (globalPrivate.toInteger):
2549         (globalPrivate.toLength):
2550         (globalPrivate.isDictionary):
2551         (globalPrivate.speciesGetter):
2552         (globalPrivate.speciesConstructor):
2553         * builtins/NumberConstructor.js: Added.
2554         (isFinite):
2555         (isNaN):
2556         * bytecode/BytecodeIntrinsicRegistry.cpp:
2557         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2558         * bytecode/BytecodeIntrinsicRegistry.h:
2559         * bytecode/BytecodeList.json:
2560         * bytecode/CodeBlock.cpp:
2561         (JSC::CodeBlock::dumpBytecode):
2562         (JSC::CodeBlock::finishCreation):
2563         * bytecompiler/BytecodeGenerator.cpp:
2564         (JSC::BytecodeGenerator::emitUnaryOp):
2565         (JSC::BytecodeGenerator::emitUnaryOpProfiled):
2566         * bytecompiler/BytecodeGenerator.h:
2567         (JSC::BytecodeGenerator::emitToNumber):
2568         * bytecompiler/NodesCodegen.cpp:
2569         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
2570         (JSC::UnaryPlusNode::emitBytecode):
2571         * dfg/DFGAbstractInterpreterInlines.h:
2572         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2573         * dfg/DFGBackwardsPropagationPhase.cpp:
2574         (JSC::DFG::BackwardsPropagationPhase::propagate):
2575         * dfg/DFGByteCodeParser.cpp:
2576         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2577         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2578         (JSC::DFG::ByteCodeParser::parseBlock):
2579         We use `getPrediction()` to retrieve the heap prediction from the to_number bytecode.
2580         According to the benchmark results, choosing `getPredictionWithoutOSRExit()` causes performance regression (1.5%) in kraken stanford-crypto-aes.
2581
2582         * dfg/DFGClobberize.h:
2583         (JSC::DFG::clobberize):
2584         * dfg/DFGConstantFoldingPhase.cpp:
2585         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2586         * dfg/DFGDoesGC.cpp:
2587         (JSC::DFG::doesGC):
2588         * dfg/DFGFixupPhase.cpp:
2589         (JSC::DFG::FixupPhase::fixupNode):
2590         (JSC::DFG::FixupPhase::fixupToNumber):
2591         * dfg/DFGNode.h:
2592         (JSC::DFG::Node::hasHeapPrediction):
2593         * dfg/DFGNodeType.h:
2594         * dfg/DFGOperations.cpp:
2595         * dfg/DFGOperations.h:
2596         * dfg/DFGPredictionPropagationPhase.cpp:
2597         Always on the heap prediction.
2598
2599         * dfg/DFGSafeToExecute.h:
2600         (JSC::DFG::safeToExecute):
2601         * dfg/DFGSpeculativeJIT32_64.cpp:
2602         (JSC::DFG::SpeculativeJIT::compile):
2603         As in the 64-bit version, we carefully manage the register reuse. The largest difference between 32bit and 64bit is
2604         `branchIfNotNumber()` requires the temporary register. We should not use the result registers for that since
2605         it may reuse the argument registers and it can break the argument registers before using them to call the operation.
2606         Currently, we allocate the additional temporary register for that scratch register.
2607
2608         * dfg/DFGSpeculativeJIT64.cpp:
2609         (JSC::DFG::SpeculativeJIT::compile):
2610         Reuse the argument register for the result if possible. And manually decrement the use count in the middle of the node.
2611         This is a similar technique to the one used in ToPrimitive. Typically, the child of ToNumber is only used by this ToNumber node since
2612         we would like to perform the type conversion onto this child node here. So this careful register reuse effectively removes
2613         the spills to call the operation. An example of the actually emitted code is the following.
2614
2615         76:<!2:loc11>     ToNumber(Untyped:@68, JS|MustGen|UseAsOther, DoubleimpurenanTopEmpty, R:World, W:Heap, Exits, ClobbersExit, bc#48)  predicting DoubleimpurenanTopEmpty
2616             0x7f986d5fe693: test %rax, %r14
2617             0x7f986d5fe696: jz 0x7f986d5fe6a1
2618             0x7f986d5fe69c: jmp 0x7f986d5fe6d1
2619             0x7f986d5fe6a1: mov %rax, %rsi
2620             0x7f986d5fe6a4: mov %rbp, %rdi
2621             0x7f986d5fe6a7: mov $0x2, 0x24(%rbp)
2622             0x7f986d5fe6ae: mov $0x7f98711ea5f0, %r11
2623             0x7f986d5fe6b8: call *%r11
2624             0x7f986d5fe6bb: mov $0x7f982d3f72d0, %r11
2625             0x7f986d5fe6c5: mov (%r11), %r11
2626             0x7f986d5fe6c8: test %r11, %r11
2627             0x7f986d5fe6cb: jnz 0x7f986d5fe88c
2628
2629         It effectively removes the unnecessary spill to call the operation!
2630
2631         * ftl/FTLCapabilities.cpp:
2632         (JSC::FTL::canCompile):
2633         * ftl/FTLLowerDFGToB3.cpp:
2634         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2635         (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
2636         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2637         * jit/AssemblyHelpers.h:
2638         (JSC::AssemblyHelpers::branchIfNumber):
2639         (JSC::AssemblyHelpers::branchIfNotNumber):
2640         * jit/JITOpcodes.cpp:
2641         (JSC::JIT::emit_op_to_number):
2642         * jit/JITOpcodes32_64.cpp:
2643         (JSC::JIT::emit_op_to_number):
2644         * llint/LowLevelInterpreter32_64.asm:
2645         * llint/LowLevelInterpreter64.asm:
2646         * parser/Nodes.h:
2647         (JSC::UnaryOpNode::opcodeID):
2648         * runtime/CommonSlowPaths.cpp:
2649         (JSC::SLOW_PATH_DECL):
2650         * runtime/JSGlobalObject.cpp:
2651         (JSC::JSGlobalObject::init):
2652         * runtime/JSGlobalObjectFunctions.cpp:
2653         (JSC::globalFuncIsNaN): Deleted.
2654         (JSC::globalFuncIsFinite): Deleted.
2655         * runtime/JSGlobalObjectFunctions.h:
2656         * runtime/MathCommon.h:
2657         (JSC::maxSafeInteger):
2658         (JSC::minSafeInteger):
2659         * runtime/NumberConstructor.cpp:
2660         (JSC::NumberConstructor::finishCreation):
2661         (JSC::numberConstructorFuncIsFinite): Deleted.
2662         (JSC::numberConstructorFuncIsNaN): Deleted.
2663         * runtime/NumberConstructor.h:
2664         * tests/stress/Number-isNaN-basics.js: Added.
2665         (numberIsNaNOnInteger):
2666         (testNumberIsNaNOnIntegers):
2667         (verifyNumberIsNaNOnIntegerWithOtherTypes):
2668         (numberIsNaNOnDouble):
2669         (testNumberIsNaNOnDoubles):
2670         (verifyNumberIsNaNOnDoublesWithOtherTypes):
2671         (numberIsNaNNoArguments):
2672         (numberIsNaNTooManyArguments):
2673         (testNumberIsNaNOnConstants):
2674         (numberIsNaNStructTransition):
2675         (Number.isNaN):
2676         * tests/stress/global-is-finite.js: Added.
2677         (shouldBe):
2678         * tests/stress/global-is-nan.js: Added.
2679         (shouldBe):
2680         * tests/stress/global-isNaN-basics.js: Added.
2681         (isNaNOnInteger):
2682         (testIsNaNOnIntegers):
2683         (verifyIsNaNOnIntegerWithOtherTypes):
2684         (isNaNOnDouble):
2685         (testIsNaNOnDoubles):
2686         (verifyIsNaNOnDoublesWithOtherTypes):
2687         (verifyIsNaNOnCoercedTypes):
2688         (isNaNNoArguments):
2689         (isNaNTooManyArguments):
2690         (testIsNaNOnConstants):
2691         (isNaNTypeCoercionSideEffects):
2692         (i.value.isNaNTypeCoercionSideEffects.valueOf):
2693         (isNaNStructTransition):
2694         (isNaN):
2695         * tests/stress/number-is-finite.js: Added.
2696         (shouldBe):
2697         (test2):
2698         (test3):
2699         * tests/stress/number-is-nan.js: Added.
2700         (shouldBe):
2701         (test2):
2702         (test3):
2703         * tests/stress/to-number-basics.js: Added.
2704         (shouldBe):
2705         * tests/stress/to-number-convert-identity-without-execution.js: Added.
2706         (shouldBe):
2707         (object.valueOf):
2708         (valueOf):
2709         * tests/stress/to-number-int52.js: Added.
2710         (shouldBe):
2711         (object.valueOf):
2712         * tests/stress/to-number-intrinsic-convert-to-identity-without-execution.js: Added.
2713         (shouldBe):
2714         (object.valueOf):
2715         (valueOf):
2716         * tests/stress/to-number-intrinsic-int52.js: Added.
2717         (shouldBe):
2718         (object.valueOf):
2719         * tests/stress/to-number-intrinsic-object-without-execution.js: Added.
2720         (shouldBe):
2721         (object.valueOf):
2722         * tests/stress/to-number-intrinsic-value-profiling.js: Added.
2723         (shouldBe):
2724         (object.valueOf):
2725         * tests/stress/to-number-object-without-execution.js: Added.
2726         (shouldBe):
2727         (object.valueOf):
2728         * tests/stress/to-number-object.js: Added.
2729         (shouldBe):
2730         (test12):
2731         (object1.valueOf):
2732         (test2):
2733         (test22):
2734         (object2.valueOf):
2735         (test3):
2736         (test32):
2737         (object3.valueOf):
2738         * tests/stress/to-number-value-profiling.js: Added.
2739         (shouldBe):
2740         (object.valueOf):
2741
2742 2016-06-29  Benjamin Poulain  <benjamin@webkit.org>
2743
2744         Fix the debug build after r202667
2745
2746         * runtime/JSTypedArrayViewPrototype.cpp:
2747         (JSC::JSTypedArrayViewPrototype::finishCreation):
2748         The putDirect was missing the Accessor flag for the GetterSetter.
2749
2750 2016-06-29  Michael Saboff  <msaboff@apple.com>
2751
2752         REGRESSION(200114): Netflix app does not see ChromeCast
2753         https://bugs.webkit.org/show_bug.cgi?id=159287
2754
2755         Reviewed by Benjamin Poulain.
2756
2757         Change set 200114 changed the behavior of how we check for whether or not we
2758         wrap Objective C init methods in JavaScript constructors.  The prior method
2759         checked the version of JavaScriptCore that was linked with the application.
2760         If the application was not directly linked with JavaScriptCore the prior
2761         method indicated that we shouldn't create constructors.  The new method uses
2762         the SDK the application was compiled with.  Using the new method, an
2763         application compiled with iOS SDK 8.0 or greater would create constructors
2764         and not export init methods to JavaScript.  The problem is that an existing
2765         application that hasn't been recompiled will get a different answer using
2766         the new method.  We need to come up with a method that works in a compatible
2767         way with existing programs, but provides a newly compiled program with the
2768         "is built with SDK N or greater" check.
2769         
2770         Added back the prior check of the version of JavaScriptCore the program was
2771         directly linked against.  However we only use this check if we directly linked
2772         with JavaScriptCore.  Otherwise we fall through to check against the SDK the
2773         program was built with.  Changed the iOS SDK version we check
2774         against to be the new version of iOS, iOS 10.
2775
2776         This provides compatible behavior for existing programs.  It may be the case
2777         that some of those programs may require changes when they are rebuilt with the
2778         iOS 10 SDK or later.
2779
2780         * API/JSWrapperMap.mm:
2781         (supportsInitMethodConstructors):
2782
2783 2016-06-29  Benjamin Poulain  <bpoulain@apple.com>
2784
2785         [JSC] Minor TypedArray fixes
2786         https://bugs.webkit.org/show_bug.cgi?id=159286
2787
2788         Reviewed by Keith Miller.
2789
2790         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2791         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
2792         See https://tc39.github.io/ecma262/#sec-%typedarray%
2793
2794         * runtime/JSTypedArrayViewPrototype.cpp:
2795         (JSC::typedArrayViewPrivateFuncLength):
2796         See https://tc39.github.io/ecma262/#sec-get-%typedarray%.prototype.length
2797
2798         (JSC::typedArrayViewProtoGetterFuncToStringTag):
2799         Yep, that's odd.
2800         See https://tc39.github.io/ecma262/#sec-get-%typedarray%.prototype-@@tostringtag
2801
2802         (JSC::JSTypedArrayViewPrototype::finishCreation):
2803         See the last paragraph of https://tc39.github.io/ecma262/#sec-ecmascript-standard-built-in-objects
2804
2805 2016-06-29  Joseph Pecoraro  <pecoraro@apple.com>
2806
2807         Web Inspector: API View of Native DOM APIs looks poor (TypeErrors for native getters)
2808         https://bugs.webkit.org/show_bug.cgi?id=158334
2809         <rdar://problem/26615366>
2810
2811         Reviewed by Timothy Hatcher.
2812
2813         * inspector/InjectedScriptSource.js:
2814         (InjectedScript.prototype._getProperties):
2815         (InjectedScript.prototype._propertyDescriptors):
2816         Do not create fake value property descriptors for native accessors
2817         unless requested. This means, getProperties for a native prototype
2818         should return accessors for native accessors just like it does
2819         for normal non-native accessors (getters/setters).
2820
2821         (InjectedScript.prototype.getProperties):
2822         Do not produce fake value accessors for native accessors.
2823
2824         (InjectedScript.prototype.getDisplayableProperties):
2825         (InjectedScript.RemoteObject.prototype._generatePreview):
2826         Do produce fake value accessors for native accessors.
2827
2828 2016-06-29  Saam barati  <sbarati@apple.com>
2829
2830         JSGlobalLexicalEnvironment needs a toThis implementation
2831         https://bugs.webkit.org/show_bug.cgi?id=159285
2832
2833         Reviewed by Mark Lam.
2834
2835         This was a huge oversight of my original implementation. It gave users
2836         of the language direct access to the JSGlobalLexicalEnvironment object.
2837
2838         * runtime/JSGlobalLexicalEnvironment.cpp:
2839         (JSC::JSGlobalLexicalEnvironment::isConstVariable):
2840         (JSC::JSGlobalLexicalEnvironment::toThis):
2841         * runtime/JSGlobalLexicalEnvironment.h:
2842         (JSC::JSGlobalLexicalEnvironment::isEmpty):
2843         * tests/stress/global-lexical-environment-to-this.js: Added.
2844         (assert):
2845         (let.f):
2846         (let.fStrict):
2847
2848 2016-06-29  Joseph Pecoraro  <pecoraro@apple.com>
2849
2850         Web Inspector: Wrong function name next to scope
2851         https://bugs.webkit.org/show_bug.cgi?id=158210
2852         <rdar://problem/26543093>
2853
2854         Reviewed by Brian Burg.
2855
2856         * CMakeLists.txt:
2857         * JavaScriptCore.xcodeproj/project.pbxproj:
2858         Add DebuggerLocation. A helper for describing a unique location.
2859
2860         * bytecode/CodeBlock.cpp:
2861         (JSC::CodeBlock::setConstantRegisters):
2862         When compiled with debug info, add a SymbolTable rare data pointer
2863         back to the CodeBlock. This will be used later to get JSScope debug
2864         info if Web Inspector pauses.
2865
2866         * runtime/SymbolTable.h:
2867         * runtime/SymbolTable.cpp:
2868         (JSC::SymbolTable::cloneScopePart):
2869         (JSC::SymbolTable::prepareForTypeProfiling):
2870         (JSC::SymbolTable::uniqueIDForVariable):
2871         (JSC::SymbolTable::uniqueIDForOffset):
2872         (JSC::SymbolTable::globalTypeSetForOffset):
2873         (JSC::SymbolTable::globalTypeSetForVariable):
2874         Rename rareData and include a CodeBlock pointer.
2875
2876         (JSC::SymbolTable::rareDataCodeBlock):
2877         (JSC::SymbolTable::setRareDataCodeBlock):
2878         Setter and getter for the rare data. It should only be set once.
2879
2880         (JSC::SymbolTable::visitChildren):
2881         Visit the rare data code block if we have one.
2882
2883         * debugger/DebuggerLocation.cpp: Added.
2884         (JSC::DebuggerLocation::DebuggerLocation):
2885         * debugger/DebuggerLocation.h: Added.
2886         (JSC::DebuggerLocation::DebuggerLocation):
2887         Construction from a ScriptExecutable.
2888
2889         * runtime/JSScope.cpp:
2890         (JSC::JSScope::symbolTable):
2891         * runtime/JSScope.h:
2892         * debugger/DebuggerScope.h:
2893         * debugger/DebuggerScope.cpp:
2894         (JSC::DebuggerScope::name):
2895         (JSC::DebuggerScope::location):
2896         Name and location for a scope. This uses:
2897         JSScope -> SymbolTable -> CodeBlock -> Executable
2898
2899         * inspector/protocol/Debugger.json:
2900         * inspector/InjectedScriptSource.js:
2901         (InjectedScript.CallFrameProxy.prototype._wrapScopeChain):
2902         (InjectedScript.CallFrameProxy._createScopeJson):
2903         * inspector/JSJavaScriptCallFrame.cpp:
2904         (Inspector::valueForScopeType):
2905         (Inspector::valueForScopeLocation):
2906         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2907         (Inspector::JSJavaScriptCallFrame::scopeType): Deleted.
2908         * inspector/JSJavaScriptCallFrame.h:
2909         * inspector/JSJavaScriptCallFramePrototype.cpp:
2910         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
2911         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
2912         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType): Deleted.
2913         Simplify this code to build the objects we will send across the protocol
2914         to describe a Scope.
2915
2916 2016-06-29  Saam barati  <sbarati@apple.com>
2917
2918         We don't emit TDZ checks for call_eval
2919         https://bugs.webkit.org/show_bug.cgi?id=159277
2920         <rdar://problem/27018801>
2921
2922         Reviewed by Benjamin Poulain.
2923
2924         This is a problem if you're trying to call a TDZ variable
2925         that is named 'eval'.
2926
2927         * bytecompiler/NodesCodegen.cpp:
2928         (JSC::EvalFunctionCallNode::emitBytecode):
2929         * tests/stress/variable-named-eval-under-tdz.js: Added.
2930         (shouldThrowTDZ):
2931         (test):
2932         (test.foo):
2933         (throw.new.Error):
2934
2935 2016-06-29  Mark Lam  <mark.lam@apple.com>
2936
2937         Add support for collecting cumulative LLINT stats via a JSC_llintStatsFile option.
2938         https://bugs.webkit.org/show_bug.cgi?id=159274
2939
2940         Reviewed by Keith Miller.
2941
2942         * jsc.cpp:
2943         (main):
2944         * llint/LLIntData.cpp:
2945         (JSC::LLInt::initialize):
2946         (JSC::LLInt::Data::finalizeStats):
2947         (JSC::LLInt::compareStats):
2948         (JSC::LLInt::Data::dumpStats):
2949         (JSC::LLInt::Data::ensureStats):
2950         (JSC::LLInt::Data::loadStats):
2951         (JSC::LLInt::Data::resetStats):
2952         (JSC::LLInt::Data::saveStats):
2953         * llint/LLIntData.h:
2954         (JSC::LLInt::Data::opcodeStats):
2955         * runtime/Options.cpp:
2956         (JSC::Options::isAvailable):
2957         (JSC::recomputeDependentOptions):
2958         (JSC::Options::initialize):
2959         * runtime/Options.h:
2960
2961 2016-06-29  Saam barati  <sbarati@apple.com>
2962
2963         Destructuring variable declaration is missing a validation of the syntax of a sub production when there is a rhs
2964         https://bugs.webkit.org/show_bug.cgi?id=159267
2965
2966         Reviewed by Mark Lam.
2967
2968         We were parsing something without checking if it had a syntax error.
2969         This is wrong for many reasons, but it could actually cause a crash
2970         in a debug build if you parsed particular programs.
2971
2972         * parser/Parser.cpp:
2973         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2974
2975 2016-06-29  Joseph Pecoraro  <pecoraro@apple.com>
2976
2977         Web Inspector: Show Shadow Root type in DOM Tree
2978         https://bugs.webkit.org/show_bug.cgi?id=159236
2979         <rdar://problem/27068521>
2980
2981         Reviewed by Timothy Hatcher.
2982
2983         * inspector/protocol/DOM.json:
2984         Include optional shadowRootType property for DOMNodes.
2985
2986 2016-06-29  Commit Queue  <commit-queue@webkit.org>
2987
2988         Unreviewed, rolling out r202627.
2989         https://bugs.webkit.org/show_bug.cgi?id=159266
2990
2991         patch is broken on arm (Requested by keith_miller on #webkit).
2992
2993         Reverted changeset:
2994
2995         "LLInt should support other types of prototype GetById
2996         caching."
2997         https://bugs.webkit.org/show_bug.cgi?id=158083
2998         http://trac.webkit.org/changeset/202627
2999
3000 2016-06-29  Benjamin Poulain  <bpoulain@apple.com>
3001
3002         [JSC] Fix small issues of TypedArray prototype
3003         https://bugs.webkit.org/show_bug.cgi?id=159248
3004
3005         Reviewed by Saam Barati.
3006
3007         First, TypedArray's toString and Array's toString
3008         should be the same function.
3009         I moved the function to GlobalObject and each array type
3010         gets it as needed.
3011
3012         Then TypedArray length was supposed to be configurable.
3013         I removed the "DontDelete" flag accordingly.
3014
3015         * runtime/ArrayPrototype.cpp:
3016         (JSC::ArrayPrototype::finishCreation):
3017         * runtime/JSGlobalObject.cpp:
3018         (JSC::JSGlobalObject::init):
3019         (JSC::JSGlobalObject::visitChildren):
3020         * runtime/JSGlobalObject.h:
3021         (JSC::JSGlobalObject::arrayProtoToStringFunction):
3022         * runtime/JSTypedArrayViewPrototype.cpp:
3023         (JSC::JSTypedArrayViewPrototype::finishCreation):
3024
3025 2016-06-29  Caio Lima  <ticaiolima@gmail.com>
3026
3027         LLInt should support other types of prototype GetById caching.
3028         https://bugs.webkit.org/show_bug.cgi?id=158083
3029
3030         Recently, we started supporting prototype load caching for get_by_id
3031         in the LLInt. This patch is expanding the caching strategy to enable
3032         caching the prototype accessor and custom accessors.
3033
3034         Similarly to the get_by_id_proto_load bytecode, we are adding new
3035         bytecodes: get_by_id_proto_accessor, which uses the calculated
3036         offset of an object to call a getter function, and get_by_id_proto_custom,
3037         which stores the pointer to the custom function and calls it directly
3038         from LowLevelInterpreter.
3039
3040         Reviewed by Keith Miller.
3041
3042         * bytecode/BytecodeList.json:
3043         * bytecode/BytecodeUseDef.h:
3044         (JSC::computeUsesForBytecodeOffset):
3045         (JSC::computeDefsForBytecodeOffset):
3046         * bytecode/CodeBlock.cpp:
3047         (JSC::CodeBlock::printGetByIdOp):
3048         (JSC::CodeBlock::dumpBytecode):
3049         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3050         * bytecode/GetByIdStatus.cpp:
3051         (JSC::GetByIdStatus::computeFromLLInt):
3052         * dfg/DFGByteCodeParser.cpp:
3053         (JSC::DFG::ByteCodeParser::parseBlock):
3054         * dfg/DFGCapabilities.cpp:
3055         (JSC::DFG::capabilityLevel):
3056         * jit/JIT.cpp:
3057         (JSC::JIT::privateCompileMainPass):
3058         (JSC::JIT::privateCompileSlowCases):
3059         * llint/LLIntSlowPaths.cpp:
3060         (JSC::LLInt::setupGetByIdPrototypeCache):
3061         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3062         * llint/LLIntSlowPaths.h:
3063         * llint/LowLevelInterpreter32_64.asm:
3064         * llint/LowLevelInterpreter64.asm:
3065
3066 2016-06-28  Commit Queue  <commit-queue@webkit.org>
3067
3068         Unreviewed, rolling out r202580.
3069         https://bugs.webkit.org/show_bug.cgi?id=159245
3070
3071         Caused all WKTR tests to fail on GuardMalloc and Production
3072         only for unknown reasons, investigating offline. (Requested by
3073         brrian on #webkit).
3074
3075         Reverted changeset:
3076
3077         "RunLoop::Timer should use constructor templates instead of
3078         class templates"
3079         https://bugs.webkit.org/show_bug.cgi?id=159153
3080         http://trac.webkit.org/changeset/202580
3081
3082 2016-06-28  Keith Miller  <keith_miller@apple.com>
3083
3084         We should not crash when there is a finally inside a for-in loop
3085         https://bugs.webkit.org/show_bug.cgi?id=159243
3086         <rdar://problem/27018910>
3087
3088         Reviewed by Benjamin Poulain.
3089
3090         Previously we would swap the m_forInContext with an empty vector
3091         then attempt to shrink the size of m_forInContext by the amount
3092         we expected. This meant that if there was more than one ForInContext
3093         on the stack and we wanted to pop exactly one off we would crash.
3094         This patch makes ForInContexts RefCounted so they can be duplicated
3095         into other vectors. It also has ForInContexts copy the entire stack
3096         rather than do the swap that we did before. This makes ForInContexts
3097         work the same as the other contexts.
3098
3099         * bytecompiler/BytecodeGenerator.cpp:
3100         (JSC::BytecodeGenerator::emitComplexPopScopes):
3101         (JSC::BytecodeGenerator::pushIndexedForInScope):
3102         (JSC::BytecodeGenerator::pushStructureForInScope):
3103         * bytecompiler/BytecodeGenerator.h:
3104         * tests/stress/finally-for-in.js: Added.
3105         (repeat):
3106         (createSimple):
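
        The code shape the entry above is about, as an added example (not code from the WebKit ChangeLog, the JSC test suite, or the files listed here): a break inside try/finally that leaves exactly one of two nested for-in loops, so the bytecode generator has to pop one ForInContext while another is still live. The sample objects and the labelled-break variant are constructed for this example; on any engine with the fix the traces below are the expected iteration order.

```javascript
// Added example, not code from the WebKit ChangeLog or the JSC test suite.
// The entry above fixes bytecode generation for this shape: a `break`
// inside try/finally that leaves exactly one of two nested for-in loops,
// so the generator must pop one ForInContext while another is still on
// the stack. The functions record the order of visits and finally-block
// executions so the expected control flow can be asserted.

// Breaks out of the inner for-in loop (through a finally block) as soon as
// the key named `stopAt` is reached; the outer loop keeps going.
function nestedForInWithFinally(outer, inner, stopAt) {
  const trace = [];
  for (const a in outer) {
    for (const b in inner) {
      try {
        trace.push(a + ":" + b);
        if (b === stopAt) break; // pops only the inner ForInContext, via finally
      } finally {
        trace.push("finally");
      }
    }
  }
  return trace;
}

// Same shape, but the labelled break leaves both loops at once, so two
// ForInContexts are popped through the same finally block.
function nestedForInWithLabelledBreak(outer, inner, stopAt) {
  const trace = [];
  outerLoop: for (const a in outer) {
    for (const b in inner) {
      try {
        trace.push(a + ":" + b);
        if (b === stopAt) break outerLoop;
      } finally {
        trace.push("finally");
      }
    }
  }
  return trace;
}

// Constructed sample input: non-numeric string keys enumerate in insertion order.
const SAMPLE_OUTER = { x: 1, y: 2 };
const SAMPLE_INNER = { go: 1, stop: 2, never: 3 };
```

Running nestedForInWithFinally on the sample objects visits x:go, x:stop, y:go, y:stop with a finally after each; the labelled variant stops after x:stop. The key named never is not reached in either case because the break happens before it.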
3107
3108 2016-06-28  Saam Barati  <sbarati@apple.com>
3109
3110         Assertion failure or crash when accessing let-variable in TDZ with eval with a function in it that returns let variable
3111         https://bugs.webkit.org/show_bug.cgi?id=158796
3112         <rdar://problem/26984659>
3113
3114         Reviewed by Michael Saboff.
3115
3116         There was a bug where some functions inside of an eval were
3117         omitting a necessary TDZ check. This obviously leads to bad
3118         things because a variable under TDZ is the null pointer.
3119         The eval's bytecode was generated with the correct TDZ set, but 
3120         it created all its functions before pushing that TDZ set onto
3121         the stack. That's a mistake. Those functions need to be created with
3122         that TDZ set. The solution is simple: the TDZ set that the eval
3123         is created with needs to be pushed onto the TDZ stack before
3124         the eval creates any functions.
3125
3126         * bytecompiler/BytecodeGenerator.cpp:
3127         (JSC::BytecodeGenerator::BytecodeGenerator):
3128         * tests/stress/variable-under-tdz-eval-tricky.js: Added.
3129         (assert):
3130         (throw.new.Error):
3131         (assert.try.underTDZ):
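
        The two temporal dead zone (TDZ) cases covered by this entry and by the earlier "We don't emit TDZ checks for call_eval" entry, as an added example (not code from the WebKit ChangeLog, the JSC test suite, or the files listed here). The helper name outcome, the variable name underTDZ and the sample sources are constructed for this example; the functions are built from strings so that a binding named eval stays legal even when the file itself is parsed as strict-mode code.

```javascript
// Added example, not code from the WebKit ChangeLog or the JSC test suite.
// Both entries concern the temporal dead zone (TDZ): a `let`/`const`
// binding exists from the start of its scope, but reading it before its
// declaration has run must throw a ReferenceError. An engine that skips
// that check hands the program an uninitialised slot, which is why JSC
// treats a missing TDZ check as a crash bug rather than a conformance nit.

// Runs `source` as the body of a sloppy-mode function and reports how it
// ended. Building the function from a string keeps this valid even if the
// surrounding file is strict-mode code (a binding named `eval` is a
// SyntaxError in strict mode).
function outcome(source) {
  try {
    return { completed: true, value: new Function(source)() };
  } catch (e) {
    return { completed: false, error: e.name };
  }
}

// "We don't emit TDZ checks for call_eval": the callee `eval` resolves to
// the local binding declared below, which is still in its TDZ at the call,
// so the call must throw instead of reaching the real global eval.
function callOfEvalBindingUnderTdz() {
  return outcome(`
    eval("1 + 1");                  // parses as a direct-eval call site
    let eval = (src) => src.length; // the binding the call actually refers to
  `);
}

// The same shape once the declaration has run: a plain call of the arrow.
function callOfEvalBindingAfterInit() {
  return outcome(`
    let eval = (src) => src.length;
    return eval("1 + 1");
  `);
}

// "Assertion failure or crash when accessing let-variable in TDZ with eval
// with a function in it": a function created by eval code must inherit the
// caller's TDZ set, so `f` reading `underTDZ` (constructed name) before the
// declaration runs throws even though `f` was created inside the eval.
function evalCreatedFunctionReadsTdzVariable() {
  return outcome(`
    eval("function f() { return underTDZ; } f();");
    let underTDZ = 20;
  `);
}

// Control: after initialisation the eval-created function reads the value.
function evalCreatedFunctionReadsInitialisedVariable() {
  return outcome(`
    let underTDZ = 20;
    return eval("function f() { return underTDZ; } f();");
  `);
}
```

Both TDZ cases report a ReferenceError; the two controls complete with the values 5 and 20. The controls matter as much as the failing cases: a fix that threw on every call through a binding named eval, or on every eval-created function, would break valid programs.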
3132
3133 2016-06-28  Michael Saboff  <msaboff@apple.com>
3134
3135         REGRESSION (r200946): Improper backtracking from last alternative in sticky patterns
3136         https://bugs.webkit.org/show_bug.cgi?id=159233
3137
3138         Reviewed by Mark Lam.
3139
3140         Jump to fail exit code when the last alternative of a sticky pattern fails.
3141
3142         * yarr/YarrJIT.cpp:
3143         (JSC::Yarr::YarrGenerator::backtrack):
3144
3145 2016-06-28  Saam Barati  <sbarati@apple.com>
3146
3147         some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct
3148         https://bugs.webkit.org/show_bug.cgi?id=159198
3149         <rdar://problem/26302360>
3150
3151         Reviewed by Filip Pizlo.
3152
3153         Firing a watchpoint may cause a GC to happen. This GC could destroy various
3154         Watchpoints themselves while they're in the process of firing. It's not safe
3155         for most Watchpoints to be destructed while they're in the middle of firing.
3156         This GC could also destroy the WatchpointSet itself, and it's not in a safe
3157         state to be destroyed. WatchpointSet::fireAllWatchpoints now defers gc for a
3158         while. This prevents a GC from destructing any Watchpoints while they're
3159         in the process of firing. This bug was being hit by the stress GC bots
3160         because we would destruct a particular Watchpoint while it was firing,
3161         and then we would access its field after it had already been destroyed.
3162         This was causing all kinds of weird symptoms. Also, this was easier to
3163         catch when running with guard malloc because the first access after
3164         destruction would lead to a crash.
3165
3166         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
3167         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
3168         * bytecode/CodeBlock.cpp:
3169         (JSC::CodeBlock::finishCreation):
3170         * bytecode/VariableWriteFireDetail.cpp:
3171         (JSC::VariableWriteFireDetail::dump):
3172         (JSC::VariableWriteFireDetail::touch):
3173         * bytecode/VariableWriteFireDetail.h:
3174         * bytecode/Watchpoint.cpp:
3175         (JSC::WatchpointSet::add):
3176         (JSC::WatchpointSet::fireAllSlow):
3177         (JSC::WatchpointSet::fireAllWatchpoints):
3178         (JSC::InlineWatchpointSet::add):
3179         (JSC::InlineWatchpointSet::fireAll):
3180         (JSC::InlineWatchpointSet::inflateSlow):
3181         * bytecode/Watchpoint.h:
3182         (JSC::WatchpointSet::startWatching):
3183         (JSC::WatchpointSet::fireAll):
3184         (JSC::WatchpointSet::touch):
3185         (JSC::WatchpointSet::invalidate):
3186         (JSC::WatchpointSet::isBeingWatched):
3187         (JSC::WatchpointSet::offsetOfState):
3188         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
3189         (JSC::InlineWatchpointSet::startWatching):
3190         (JSC::InlineWatchpointSet::fireAll):
3191         (JSC::InlineWatchpointSet::invalidate):
3192         (JSC::InlineWatchpointSet::touch):
3193         * bytecompiler/BytecodeGenerator.cpp:
3194         (JSC::BytecodeGenerator::BytecodeGenerator):
3195         * dfg/DFGOperations.cpp:
3196         * interpreter/Interpreter.cpp:
3197         (JSC::Interpreter::execute):
3198         * jit/JITOperations.cpp:
3199         * jsc.cpp:
3200         (WTF::Masquerader::create):
3201         * llint/LLIntSlowPaths.cpp:
3202         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3203         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
3204         (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
3205         * runtime/FunctionRareData.cpp:
3206         (JSC::FunctionRareData::clear):
3207         * runtime/InferredType.cpp:
3208         (JSC::InferredType::willStoreValueSlow):
3209         (JSC::InferredType::makeTopSlow):
3210         (JSC::InferredType::set):
3211         (JSC::InferredType::removeStructure):
3212         (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
3213         * runtime/InferredValue.cpp:
3214         (JSC::InferredValue::notifyWriteSlow):
3215         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
3216         * runtime/InferredValue.h:
3217         (JSC::InferredValue::notifyWrite):
3218         (JSC::InferredValue::invalidate):
3219         * runtime/JSGlobalObject.cpp:
3220         (JSC::JSGlobalObject::haveABadTime):
3221         * runtime/JSSymbolTableObject.h:
3222         (JSC::symbolTablePutTouchWatchpointSet):
3223         (JSC::symbolTablePutInvalidateWatchpointSet):
3224         * runtime/Structure.cpp:
3225         (JSC::Structure::didCachePropertyReplacement):
3226         (JSC::Structure::startWatchingInternalProperties):
3227         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
3228         (JSC::DeferredStructureTransitionWatchpointFire::add):
3229         (JSC::Structure::didTransitionFromThisStructure):
3230         (JSC::Structure::prototypeForLookup):
3231         * runtime/StructureInlines.h:
3232         (JSC::Structure::didReplaceProperty):
3233         (JSC::Structure::propertyReplacementWatchpointSet):
3234         * runtime/SymbolTable.h:
3235         (JSC::SymbolTableEntry::isDontEnum):
3236         (JSC::SymbolTableEntry::disableWatching):
3237         * runtime/VM.cpp:
3238         (JSC::VM::addImpureProperty):
3239         (JSC::enableProfilerWithRespectToCount):
3240
3241 2016-06-28  Filip Pizlo  <fpizlo@apple.com>
3242
3243         JSRopeString should use release asserts, not debug asserts, about substring bounds
3244         https://bugs.webkit.org/show_bug.cgi?id=159227
3245
3246         Reviewed by Saam Barati.
3247         
3248         According to my experiments this change costs nothing.  That's not surprising since the
3249         most common way to construct a rope these days is inlined into the JIT, which does its own
3250         safety checks.  This makes us crash sooner rather than corrupting memory.
3251
3252         * runtime/JSString.h:
3253
3254 2016-06-28  Brian Burg  <bburg@apple.com>
3255
3256         RunLoop::Timer should use constructor templates instead of class templates
3257         https://bugs.webkit.org/show_bug.cgi?id=159153
3258
3259         Reviewed by Alex Christensen.
3260
3261         Remove the RunLoop::Timer class template argument, and pass its constructor
3262         a reference to `this` instead of a pointer to `this`.
3263
3264         * inspector/agents/InspectorHeapAgent.cpp:
3265         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
3266
3267 2016-06-28  Joseph Pecoraro  <pecoraro@apple.com>
3268
3269         Web Inspector: selectElement.options shows unexpected entries in console (named indexes beyond collection length)
3270         https://bugs.webkit.org/show_bug.cgi?id=159192
3271
3272         Reviewed by Timothy Hatcher.
3273
3274         * inspector/InjectedScriptSource.js:
3275         (InjectedScript.prototype.arrayIndexPropertyNames):
3276         Start with an empty array because we just push valid indexes.
3277
3278         (InjectedScript.prototype._propertyDescriptors):
3279         Avoid the >100 length requirement, and always treat the
3280         array-like objects the same. The frontend currently
3281         doesn't show named indexes for arrays anyways, so they
3282         would have been unused.
3283
3284 2016-06-28  Per Arne Vollan  <pvollan@apple.com>
3285
3286         [Win] Skip failing INTL test.
3287         https://bugs.webkit.org/show_bug.cgi?id=159141
3288
3289         Reviewed by Brent Fulgham.
3290
3291         INTL is not enabled on Windows.
3292
3293         * tests/stress/intl-constructors-with-proxy.js:
3294         (shouldBe):
3295
3296 2016-06-28  Joonghun Park  <jh718.park@samsung.com>
3297
3298         [JSC] Fix build break since r202502 - 2
3299         https://bugs.webkit.org/show_bug.cgi?id=159194
3300
3301         Reviewed by Gyuyoung Kim.
3302
3303         Fix for the error message below.
3304         error: control reaches end of non-void function [-Werror=return-type]
3305
3306         * b3/B3TypeMap.h: add #pragma GCC diagnostic ignored "-Wreturn-type".
3307
3308 2016-06-28  Joonghun Park  <jh718.park@samsung.com>
3309
3310         [JSC] Fix build break since r202502
3311         https://bugs.webkit.org/show_bug.cgi?id=159194
3312
3313         Reviewed by Alex Christensen.
3314
3315         Fix for the error message below.
3316         error: control reaches end of non-void function [-Werror=return-type]
3317
3318         * b3/B3TypeMap.h:
3319         (JSC::B3::TypeMap::at): add missing ASSERT_NOT_REACHED().
3320
3321 2016-06-27  Keith Miller  <keith_miller@apple.com>
3322
3323         Fix bad assert in StructureRareData::setObjectToStringValue
3324         https://bugs.webkit.org/show_bug.cgi?id=159171
3325         <rdar://problem/26987355>
3326
3327         Reviewed by Mark Lam.
3328
3329         We should not have expected that generateConditionsForPrototypePropertyHit would succeed.
3330         There are many reasons it might fail including that there is a proxy somewhere on the
3331         prototype chain of the object.
3332
3333         * runtime/StructureRareData.cpp:
3334         (JSC::StructureRareData::setObjectToStringValue):
3335         * tests/stress/object-toString-with-proxy.js: Added.
3336         (get target):
3337
3338 2016-06-27  Filip Pizlo  <fpizlo@apple.com>
3339
3340         Crashing at an unreachable code trap in FTL should give more information
3341         https://bugs.webkit.org/show_bug.cgi?id=159177
3342
3343         Reviewed by Saam Barati.
3344         
3345         This stuffs information into registers so that we have some chance of seeing what happened
3346         by looking at the register dumps.
3347
3348         * assembler/AbortReason.h:
3349         * ftl/FTLLowerDFGToB3.cpp:
3350         (JSC::FTL::DFG::ftlUnreachable):
3351         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
3352         (JSC::FTL::DFG::LowerDFGToB3::crash):
3353
3354 2016-06-27  Filip Pizlo  <fpizlo@apple.com>
3355
3356         Clean up resetting reachability in B3/Air
3357         https://bugs.webkit.org/show_bug.cgi?id=159170
3358
3359         Reviewed by Geoffrey Garen.
3360         
3361         When I fixed bug 159165, I took the brute force approach. I still used the
3362         B3::resetReachability() method, and changed the callback to record the set of deleted values
3363         instead of deleting them eagerly. But this means tracking the set of deleted values, even
3364         though resetReachability() already internally tracks the set of deleted blocks. You can find
3365         out if a value is deleted by asking if its owning block was deleted.
3366         
3367         So, this change refactors B3::resetReachability() into a new helper called
3368         B3::recomputePredecessors(). This new helper skips the block deletion step, and lets the
3369         client delete blocks. This lets Air delete blocks the same way that it did before, and it
3370         lets B3 use the isBlockDead() method (which is a glorified proxy for
3371         block->predecessors().isEmpty()) to track which values are deleted. This allows B3 to turn
3372         Upsilons that point to dead Phis into Nops before deleting the blocks.
3373         
3374         This shouldn't affect performance or anything real. It just makes the code cleaner.
3375