985e07828d00f78a238a5516d7162d921ce7e22b
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-04-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: sourceMappingURL not loaded in generated script
        https://bugs.webkit.org/show_bug.cgi?id=156022
        <rdar://problem/25438595>

        Reviewed by Geoffrey Garen.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        Synthetic CallFrames for native code will not have script identifiers.

        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::ScriptCallFrame):
        (Inspector::ScriptCallFrame::isEqual):
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/protocol/Console.json:
        Include the script identifier in ScriptCallFrame so we can correlate this
        to the exact script, even if there isn't a URL. The Script may have a
        sourceURL, so the Web Inspector frontend may decide to show / link to it.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::CreateScriptCallStackFunctor::operator()):
        (Inspector::createScriptCallStackFromException):
        Include SourceID when we have it.

        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::sourceID):
        * interpreter/StackVisitor.h:
        Access the SourceID when we have it.

2016-04-21  Saam barati  <sbarati@apple.com>

        Let's do less locking of symbol tables in the BytecodeGenerator where we don't have race conditions
        https://bugs.webkit.org/show_bug.cgi?id=156821

        Reviewed by Filip Pizlo.

        The BytecodeGenerator allocates all the SymbolTables that it uses.
        This is before any concurrent compiler thread can use that SymbolTable.
        This means we don't actually need to lock for any operations of the
        SymbolTable. This patch makes this change by removing all locking.
        To do this, I've introduced a new constructor for ConcurrentJITLocker
        which implies no locking is necessary. You instantiate such a ConcurrentJITLocker like so:
        `ConcurrentJITLocker locker(ConcurrentJITLocker::NoLockingNecessary);`

        This patch also removes all uses of Strong<SymbolTable> from the bytecode
        generator and instead wraps bytecode generation in a DeferGC.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::instantiateLexicalVariables):
        (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
        (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::variable):
        (JSC::BytecodeGenerator::createVariable):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::constructorKind):
        (JSC::BytecodeGenerator::superBinding):
        (JSC::BytecodeGenerator::generate):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):

2016-04-21  Saam barati  <sbarati@apple.com>

        Remove some unnecessary RefPtrs in the parser
        https://bugs.webkit.org/show_bug.cgi?id=156865

        Reviewed by Filip Pizlo.

        The IdentifierArena or the SourceProviderCacheItem will own these UniquedStringImpls
        while we are using them. There is no need for us to reference count them.

        This might be a 0.5% speedup on octane code-load.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::Scope::setIsLexicalScope):
        (JSC::Scope::isLexicalScope):
        (JSC::Scope::closedVariableCandidates):
        (JSC::Scope::declaredVariables):
        (JSC::Scope::lexicalVariables):
        (JSC::Scope::finalizeLexicalEnvironment):
        (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::isValidStrictMode):
        (JSC::Scope::shadowsArguments):
        (JSC::Scope::copyCapturedVariablesToVector):
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::usedVariables):
        (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::create):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::writtenVariables): Deleted.

2016-04-21  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicAccess adds sizeof(CallerFrameAndPC) rather than subtracting it when calculating stack height
        https://bugs.webkit.org/show_bug.cgi?id=156872

        Reviewed by Geoffrey Garen.

        The code that added sizeof(CallerFrameAndPC) emerged from a bad copy-paste in r189586. That was
        the revision that created the PolymorphicAccess class. It moved code for generating a
        getter/setter call from Repatch.cpp to PolymorphicAccess.cpp. You can see the code doing a
        subtraction here:

            http://trac.webkit.org/changeset/189586/trunk/Source/JavaScriptCore/jit/Repatch.cpp

        This makes the world right again.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):

2016-04-21  Geoffrey Garen  <ggaren@apple.com>

        Build warning: CODE_SIGN_ENTITLEMENTS specified without specifying CODE_SIGN_IDENTITY
        https://bugs.webkit.org/show_bug.cgi?id=156862

        Reviewed by Joseph Pecoraro.

        * Configurations/Base.xcconfig: Specify the ad hoc signing identity by
        default. See <http://trac.webkit.org/changeset/143544>.

2016-04-21  Andy Estes  <aestes@apple.com>

        REGRESSION (r199734): WebKit crashes loading numerous websites in iOS Simulator
        https://bugs.webkit.org/show_bug.cgi?id=156842

        Reviewed by Daniel Bates.

        Disable separated heap on iOS Simulator.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-21  Michael Saboff  <msaboff@apple.com>

        Align RegExp[@@match] with other @@ methods
        https://bugs.webkit.org/show_bug.cgi?id=156832

        Reviewed by Mark Lam.

        Various changes to align the RegExp[@@match] with [@@search] and [@@split].

        Made RegExp.prototype.@exec a hidden property on the global object and
        called it @regExpBuiltinExec to match the name it has in the standard.
        Changed all places that used the old name to use the new one.

        Made the match fast path function, which used to be called @match, to be called
        @regExpMatchFast and put it on the global object.  Changed it to also handle
        expressions both with and without the global flag.  Refactored the builtin
        @match accordingly.

        Added the builtin function @hasObservableSideEffectsForRegExpMatch() that
        checks to see if we can use the fast path or if we need the explicit version.

        Put the main RegExp functions @match, @search and @split in alphabetical
        order in RegExpPrototype.js.  Did the same for @match, @repeat, @search and
        @split in StringPrototype.js.

        * builtins/RegExpPrototype.js:
        (regExpExec):
        (hasObservableSideEffectsForRegExpMatch): New.
        (match):
        (search):
        (hasObservableSideEffectsForRegExpSplit):
        Reordered in the file and updated to use @regExpBuiltinExec.

        * builtins/StringPrototype.js:
        (match):
        (repeatSlowPath):
        (repeat):
        (search):
        (split):
        Reordered functions in the file.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setGlobalThis):
        (JSC::getById):
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncMatchPrivate): Deleted.
        * runtime/RegExpPrototype.h:
212
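The entry above introduces a @hasObservableSideEffectsForRegExpMatch() check that decides whether the native fast path may be used. The following JavaScript is an added example, not code from WebKit, showing what "observable" means at the language level: String.prototype.match goes through re[Symbol.match], which in turn calls re.exec and reads re.global / re.flags, so any of those that user code has shadowed or replaced must be honoured. The isRegExpMatchObservable function is an assumed user-level approximation of such an eligibility test (not JSC's actual logic), and the input strings are constructed for the example.

```javascript
// Added example (not WebKit code): what "observable side effects" means for
// RegExp.prototype[@@match], and why a native fast path must test for them.
//
// String.prototype.match(re) delegates to re[Symbol.match](str).  The built-in
// @@match then drives the search through re.exec and reads re.global /
// re.unicode / re.flags and re.lastIndex.  Every one of those lookups can be
// intercepted by user code, so an engine may only skip them (take the fast
// path) when it can prove they all still resolve to the built-ins.

const originalExec = RegExp.prototype.exec;
const originalSymbolMatch = RegExp.prototype[Symbol.match];
const originalGlobalGetter =
  Object.getOwnPropertyDescriptor(RegExp.prototype, 'global').get;
const originalFlagsGetter =
  Object.getOwnPropertyDescriptor(RegExp.prototype, 'flags').get;

// Assumed user-level approximation of a fast-path eligibility test (this is
// not JSC's actual logic): true when something @@match would consult has been
// shadowed on the instance or replaced on RegExp.prototype.
function isRegExpMatchObservable(re) {
  if (Object.getPrototypeOf(re) !== RegExp.prototype) return true;
  const ownKeys = Reflect.ownKeys(re);      // a pristine regexp owns only lastIndex
  for (const key of ['exec', 'global', 'unicode', 'flags', Symbol.match]) {
    if (ownKeys.includes(key)) return true;
  }
  if (RegExp.prototype.exec !== originalExec) return true;
  if (RegExp.prototype[Symbol.match] !== originalSymbolMatch) return true;
  if (Object.getOwnPropertyDescriptor(RegExp.prototype, 'global').get !== originalGlobalGetter) return true;
  if (Object.getOwnPropertyDescriptor(RegExp.prototype, 'flags').get !== originalFlagsGetter) return true;
  return false;
}

// 1. Untouched regexp: eligible for the fast path; a global match returns the
//    matched substrings and drops capture groups.
function pristineMatch() {
  const re = /a(b)?/g;
  return { observable: isRegExpMatchObservable(re), result: 'ab a'.match(re) };
}

// 2. exec overridden on the instance: the spec loop must call *our* exec until
//    it returns null, so the result is whatever we fabricate.
function overriddenExecMatch() {
  const re = /a/g;
  let calls = 0;
  re.exec = function (s) {
    calls += 1;
    if (calls > 1) return null;             // terminates the @@match loop
    return Object.assign(['X'], { index: 0, input: s });
  };
  const result = 'ab a'.match(re);
  return { observable: isRegExpMatchObservable(re), result, calls };
}

// 3. A plain object with its own @@match: String.prototype.match never looks
//    at RegExp at all; it just calls the method it finds.
function customSymbolMatch() {
  const matcher = { [Symbol.match](s) { return s.toUpperCase().split(' '); } };
  return 'ab a'.match(matcher);
}

// 4. Patching RegExp.prototype.exec flips eligibility for every regexp, even
//    ones created before the patch.  Restored in finally so the rest of the
//    program is unaffected.
function patchedPrototypeExecMatch() {
  const re = /a/g;
  const before = isRegExpMatchObservable(re);
  RegExp.prototype.exec = function () { return null; };   // "never matches"
  try {
    return { before, during: isRegExpMatchObservable(re), result: 'ab a'.match(re) };
  } finally {
    RegExp.prototype.exec = originalExec;
  }
}
```

Cases 2 and 4 are exactly the situations in which an engine must fall back from a native matcher to the spec algorithm: the results ['X'] and null are only obtainable by actually calling the user's exec, so a fast path that skipped that call would be a correctness bug, not just a performance difference.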
2016-04-20  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore garbage collection is missing an autorelease pool
        https://bugs.webkit.org/show_bug.cgi?id=156751
        <rdar://problem/25787802>

        Reviewed by Mark Lam.

        * heap/Heap.cpp:
        (JSC::Heap::releaseDelayedReleasedObjects): Add an autorelease pool to
        catch autoreleases when we call out to arbitrary ObjC code.

        We use the C interface here because this is not an ObjC compilation unit.

2016-04-20  Filip Pizlo  <fpizlo@apple.com>

        DFG del_by_id support forgets to set()
        https://bugs.webkit.org/show_bug.cgi?id=156830

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/dfg-del-by-id.js: Added.

2016-04-20  Saam barati  <sbarati@apple.com>

        Improve sampling profiler CLI JSC tool
        https://bugs.webkit.org/show_bug.cgi?id=156824

        Reviewed by Mark Lam.

        This patch enhances the Sampling Profiler CLI tool from the JSC shell
        to display the JITType of a particular CodeBlock. Because this happens
        once we process a log of stack frames, the data for a particular frame
        being in LLInt vs. Baseline could be wrong. For example, we may have taken
        a stack trace of a CodeBlock while it was executing in the LLInt, then
        it tiers up to the baseline, then we process the log. We will show such CodeBlocks
        as being in the baseline JIT. We could be smarter about this in the future if
        it turns out to truly be a problem.

        This patch also adds a 'samplingProfilerTimingInterval' JSC option to allow
        CLI users to control the sleep time between stack traces.

        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):

2016-04-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] DFG should not generate two jumps when the target of DoubleBranch is the next block
        https://bugs.webkit.org/show_bug.cgi?id=156815

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):

2016-04-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add register reuse for ArithAdd of an Int32 and constant in DFG
        https://bugs.webkit.org/show_bug.cgi?id=155164

        Reviewed by Mark Lam.

        Every "inc" in loop was looking like this:
            move rX, rY
            inc rY
            jo 0x230f4a200580

        This patch adds register reuse to that case to remove
        the extra "move".

        * dfg/DFGOSRExit.h:
        (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
        (JSC::DFG::SpeculationRecovery::immediate):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        * tests/stress/arith-add-with-constant-overflow.js: Added.
        (opaqueAdd):

2016-04-20  Saam barati  <sbarati@apple.com>

        We don't need a manual stack for an RAII object when the machine's stack will do just fine
        https://bugs.webkit.org/show_bug.cgi?id=156807

        Reviewed by Mark Lam.

        We kept around a vector for an RAII object to maintain
        the recursive nature of having these RAII objects on
        the stack as the parser recursed. Instead, the RAII object
        can just have a field with the value it wants to restore
        and use the machine's stack.

        This is a 1% octane code-load progression.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::BinaryExprContext::BinaryExprContext):
        (JSC::SyntaxChecker::BinaryExprContext::~BinaryExprContext):
        (JSC::SyntaxChecker::UnaryExprContext::UnaryExprContext):
        (JSC::SyntaxChecker::UnaryExprContext::~UnaryExprContext):
        (JSC::SyntaxChecker::operatorStackPop):

2016-04-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r190289): Spin trying to view/sign in to hbogo.com
        https://bugs.webkit.org/show_bug.cgi?id=156765

        Reviewed by Saam Barati.

        In the op_get_by_val case, we were holding the lock on a profiled CodeBlock
        when we call into handleGetById(). Changed to drop the lock before calling
        handleGetById().

        The bug here was that the call to handleGetById() may end up calling in to
        getPredictionWithoutOSRExit() for a tail call opcode. As part of that
        processing, we walk back up the stack to find the effective caller and when
        found, we lock the corresponding CodeBlock to get the prediction.
        That CodeBlock may be the same one locked above. There is no need anyway
        to hold the CodeBlock lock when calling handleGetById().

        Added a new stress test.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/regress-156765.js: Added.
        (realValue):
        (object.get hello):
        (ok):

2016-04-20  Mark Lam  <mark.lam@apple.com>

        Unindent an unnecessary block in stringProtoFuncSplitFast().
        https://bugs.webkit.org/show_bug.cgi?id=156802

        Reviewed by Filip Pizlo.

        In webkit.org/b/156013, I refactored stringProtoFuncSplit into
        stringProtoFuncSplitFast.  In that patch, I left an unnecessary block of code in
        its original block (with FIXMEs) to keep the diff for that patch minimal.  Now
        that the patch for webkit.org/b/156013 has landed, I will unindent that block and
        remove the FIXMEs.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplitFast):

2016-04-20  Brady Eidson  <beidson@apple.com>

        Modern IDB (Workers): Enable INDEXED_DATABASE_IN_WORKERS compile time flag, but disabled in RuntimeEnabledFeatures.
        https://bugs.webkit.org/show_bug.cgi?id=156782

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2016-04-20  Saam barati  <sbarati@apple.com>

        Remove unused m_writtenVariables from the parser and related bits
        https://bugs.webkit.org/show_bug.cgi?id=156784

        Reviewed by Yusuke Suzuki.

        This isn't an octane/codeload speedup even though we're doing less work in
        collectFreeVariables. But it's good to get rid of things that are not used.

        * parser/Nodes.h:
        (JSC::ScopeNode::usesEval):
        (JSC::ScopeNode::usesArguments):
        (JSC::ScopeNode::usesArrowFunction):
        (JSC::ScopeNode::isStrictMode):
        (JSC::ScopeNode::setUsesArguments):
        (JSC::ScopeNode::usesThis):
        (JSC::ScopeNode::modifiesParameter): Deleted.
        (JSC::ScopeNode::modifiesArguments): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::hasDeclaredParameter):
        (JSC::Scope::preventAllVariableDeclarations):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::getSloppyModeHoistedFunctions):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::strictMode):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Parser::hasDeclaredParameter):
        (JSC::Parser::exportName):
        (JSC::Scope::declareWrite): Deleted.
        (JSC::Parser::declareWrite): Deleted.
        * parser/ParserModes.h:

2016-04-19  Saam barati  <sbarati@apple.com>

        Unreviewed, fix cloop build after r199754.

        * jsc.cpp:
        (jscmain):

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Filip Pizlo.

        Given that there are only 128 FLS indices compared to over 1000 for TLS,
        I eliminated the thread specific m_threadSpecificForThread and instead we look
        for the current thread in m_registeredThreads list when we need it.
        In most cases there will only be one thread.

        Added THREAD_SPECIFIC_CALL to signature of ThreadSpecific remove callbacks
        to set the calling convention correctly for Windows 32 bit.

        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

2016-04-19  Benjamin Poulain  <bpoulain@webkit.org>

        [JSC] Small cleanup of RegisterAtOffsetList
        https://bugs.webkit.org/show_bug.cgi?id=156779

        Reviewed by Mark Lam.

        I was wondering why RegisterAtOffsetList always cache-misses.
        It looks like it is doing more than it needs to.

        We do not need to sort the values. The total order of
        RegisterAtOffset is:
        1) Order of Reg.
        2) Order of offsets.
        We already generate the list in order.

        Also allocate the right array size ahead of filling the array.

        * jit/RegisterAtOffsetList.cpp:
        (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
        (JSC::RegisterAtOffsetList::sort): Deleted.
        * jit/RegisterAtOffsetList.h:
        (JSC::RegisterAtOffsetList::append): Deleted.

2016-04-19  Saam barati  <sbarati@apple.com>

        Add a couple UNLIKELY macros in parseMemberExpression
        https://bugs.webkit.org/show_bug.cgi?id=156775

        Reviewed by Filip Pizlo.

        These UNLIKELY macros have to do with the base of the
        member expression being 'super'. I think it's safe to
        argue that this is truly UNLIKELY. I am seeing speedups
        sometimes on Octane codeload. Usually around 0.5%. Sometimes 1%.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2016-04-19  Saam barati  <sbarati@apple.com>

        allow jsc shell to dump sampling profiler data
        https://bugs.webkit.org/show_bug.cgi?id=156725

        Reviewed by Benjamin Poulain.

        This patch adds a '--reportSamplingProfilerData' option to the
        JSC shell which will enable the sampling profiler and dump
        its data at the end of execution. The dump will include the
        40 hottest functions and the 80 hottest bytecode locations.
        If you're using this option to debug, it's easy to just hack
        on the code to make it dump more or less information.

        * jsc.cpp:
        (CommandLine::parseArguments):
        (jscmain):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::stackTracesAsJSON):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):
        (JSC::SamplingProfiler::StackFrame::hasBytecodeIndex):
        (JSC::SamplingProfiler::StackFrame::hasCodeBlockHash):
        (JSC::SamplingProfiler::setStopWatch):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement RegExp.prototype[@@search].
        https://bugs.webkit.org/show_bug.cgi?id=156331

        Reviewed by Keith Miller.

        What changed?
        1. Implemented search builtin in RegExpPrototype.js.
           The native path is now used as a fast path.
        2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
           IsJSArrayIntrinsic).
        3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
        4. Changed the esSpecIsRegExpObject() implementation to check if the object's
           JSType is RegExpObjectType instead of walking the classinfo chain.

        * builtins/RegExpPrototype.js:
        (search):
        * builtins/StringPrototype.js:
        (search):
        - fixed some indentation.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
        (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
        (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::isType):
        * runtime/Intrinsic.h:
        - Added IsRegExpObjectIntrinsic.

        * runtime/CommonIdentifiers.h:

        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsConstructor):
        - Changed to use uncheckedArgument since this is only called from internal code.
        (JSC::esSpecIsRegExpObject):
        (JSC::esSpecIsRegExp): Deleted.
        * runtime/ECMAScriptSpecInternalFunctions.h:
        - Changed to check the object for a JSType of RegExpObjectType.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Added split fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::regExpProtoFuncSearch): Deleted.
        * runtime/RegExpPrototype.h:

        * tests/es6.yaml:
        * tests/stress/regexp-search.js:
        - Rebased test.

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Replace $vm.printValue() with $vm.value().
        https://bugs.webkit.org/show_bug.cgi?id=156767

        Reviewed by Saam Barati.

        When debugging with $vm, this change allows us to do this:

            $vm.print("myObj = " + $vm.value(myObj) + "\n");

        ... instead of having to do this:

            $vm.print("myObj = ");
            $vm.printValue(myObj);
            $vm.print("\n");

        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::printValue):
        (JSC::functionValue):
        (JSC::JSDollarVMPrototype::finishCreation):
        (JSC::functionPrintValue): Deleted.

2016-04-18  Oliver Hunt  <oliver@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Reviewed by ggaren.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
        https://bugs.webkit.org/show_bug.cgi?id=156013

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/GlobalObject.js:
        (speciesConstructor):
        * builtins/PromisePrototype.js:
        - refactored to use the @speciesConstructor internal function.

        * builtins/RegExpPrototype.js:
        (advanceStringIndex):
        - refactored from @advanceStringIndexUnicode() to match the spec.
          Benchmarks show that there's no advantage in doing the unicode check outside
          of the advanceStringIndexUnicode part.  So, I simplified the code to match the
          spec (especially since @@split needs to call advanceStringIndex from more than
          1 location).
        (match):
        - Removed an unnecessary call to @Object because it was already proven above.
        - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
          Again, there's no perf regression for this.
        (regExpExec):
        (hasObservableSideEffectsForRegExpSplit):
        (split):
        (advanceStringIndexUnicode): Deleted.

        * builtins/StringPrototype.js:
        (split):
        - Modified to use RegExp.prototype[@@split].

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h:
        - Added the @@split symbol.

        * runtime/CommonIdentifiers.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
        (JSC::esSpecIsConstructor):
        (JSC::esSpecIsRegExp):
        * runtime/ECMAScriptSpecInternalFunctions.h: Added.

        * runtime/JSGlobalObject.cpp:
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        - Removed an assert that is no longer valid.

        * runtime/RegExpObject.h:
        - Made advanceStringUnicode() public so that it can be re-used by the regexp split
          fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncSearch):
        (JSC::advanceStringIndex):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/RegExpPrototype.h:

        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        - Hoisted some utility functions from StringPrototype.cpp so that they can be
          reused by the regexp split fast path.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstr):
        (JSC::builtinStringSubstrInternal):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringIncludesImpl):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::jsStringWithReuse): Deleted.
        (JSC::jsSubstring): Deleted.
        (JSC::stringProtoFuncSplit): Deleted.
        * runtime/StringPrototype.h:

        * tests/es6.yaml:

2016-04-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r199726.
        https://bugs.webkit.org/show_bug.cgi?id=156748

        WebKit tests crash on Windows 32 (Requested by msaboff on
        #webkit).

        Reverted changeset:

        "iTunes crashing JavaScriptCore.dll"
        https://bugs.webkit.org/show_bug.cgi?id=156647
        http://trac.webkit.org/changeset/199726

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Saam Barati.

        Given that there are only 128 FLS indices compared to over 1000 for TLS, I
        eliminated the thread specific m_threadSpecificForThread and instead we look for the
        current thread in m_registeredThreads list when we need it.  In most cases there
        will only be one thread.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

755 2016-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>
756
757         [INTL] Use @thisNumberValue instead of `instanceof @Number`
758         https://bugs.webkit.org/show_bug.cgi?id=156680
759
760         Reviewed by Saam Barati.
761
762         Use @thisNumberValue instead of `instanceof @Number`.
763         `instanceof @Number` is not enough.
764         For example, given 2 realms, the object created in one realm does not
765         inherit the Number of another realm.
766         Another example is an object which does not inherit from Number:
767
768         ```
769         var number = new Number(42);
770         number.__proto__ = null;
771         ```
772
773         * builtins/NumberPrototype.js:
774         (toLocaleString):
775         * runtime/CommonIdentifiers.h:
776         * runtime/JSGlobalObject.cpp:
777         (JSC::JSGlobalObject::init):
778         * runtime/NumberPrototype.cpp:
779         (JSC::numberProtoFuncValueOf):
780         * runtime/NumberPrototype.h:
781         * tests/stress/number-to-locale-string-should-accept-strange-number-objects.js: Added.
782         (shouldBe):
783
784 2016-04-19  Commit Queue  <commit-queue@webkit.org>
785
786         Unreviewed, rolling out r199712.
787         https://bugs.webkit.org/show_bug.cgi?id=156741
788
789         It caused a serious regression on 32 bit platform (Requested
790         by gskachkov on #webkit).
791
792         Reverted changeset:
793
794         "calling super() a second time in a constructor should throw"
795         https://bugs.webkit.org/show_bug.cgi?id=151113
796         http://trac.webkit.org/changeset/199712
797
798 2016-04-09  Skachkov Oleksandr  <gskachkov@gmail.com>
799
800         calling super() a second time in a constructor should throw
801         https://bugs.webkit.org/show_bug.cgi?id=151113
802
803         Reviewed by Saam Barati and Keith Miller.
804
805         Currently, our implementation checks if 'super()' was called in a constructor more
806         than once and raises a RuntimeError before the second call. According to the spec
807         we need to raise an error just after the second super() is finished and before
808         the new 'this' is assigned: https://esdiscuss.org/topic/duplicate-super-call-behaviour.
809         To implement this behavior this patch adds a new op code, op_is_empty, that is used 
810         to check if 'this' is empty.
811
812         * bytecode/BytecodeList.json:
813         * bytecode/BytecodeUseDef.h:
814         (JSC::computeUsesForBytecodeOffset):
815         (JSC::computeDefsForBytecodeOffset):
816         * bytecode/CodeBlock.cpp:
817         (JSC::CodeBlock::dumpBytecode):
818         * bytecompiler/BytecodeGenerator.cpp:
819         (JSC::BytecodeGenerator::emitIsEmpty):
820         * bytecompiler/BytecodeGenerator.h:
821         * bytecompiler/NodesCodegen.cpp:
822         (JSC::FunctionCallValueNode::emitBytecode):
823         * dfg/DFGAbstractInterpreterInlines.h:
824         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
825         * dfg/DFGByteCodeParser.cpp:
826         (JSC::DFG::ByteCodeParser::parseBlock):
827         * dfg/DFGCapabilities.cpp:
828         (JSC::DFG::capabilityLevel):
829         * dfg/DFGClobberize.h:
830         (JSC::DFG::clobberize):
831         * dfg/DFGDoesGC.cpp:
832         (JSC::DFG::doesGC):
833         * dfg/DFGFixupPhase.cpp:
834         (JSC::DFG::FixupPhase::fixupNode):
835         * dfg/DFGNodeType.h:
836         * dfg/DFGPredictionPropagationPhase.cpp:
837         (JSC::DFG::PredictionPropagationPhase::propagate):
838         * dfg/DFGSafeToExecute.h:
839         (JSC::DFG::safeToExecute):
840         * dfg/DFGSpeculativeJIT32_64.cpp:
841         (JSC::DFG::SpeculativeJIT::compile):
842         * dfg/DFGSpeculativeJIT64.cpp:
843         (JSC::DFG::SpeculativeJIT::compile):
844         * ftl/FTLCapabilities.cpp:
845         (JSC::FTL::canCompile):
846         * ftl/FTLLowerDFGToB3.cpp:
847         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
848         (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
849         * jit/JIT.cpp:
850         (JSC::JIT::privateCompileMainPass):
851         * jit/JIT.h:
852         * jit/JITOpcodes.cpp:
853         (JSC::JIT::emit_op_is_empty):
854         * jit/JITOpcodes32_64.cpp:
855         (JSC::JIT::emit_op_is_empty):
856         * llint/LowLevelInterpreter32_64.asm:
857         * llint/LowLevelInterpreter64.asm:
858         * tests/stress/class-syntax-double-constructor.js: Added.
859
860 2016-04-18  Benjamin Poulain  <bpoulain@apple.com>
861
862         [JSC] Fix some overhead affecting small codegen
863         https://bugs.webkit.org/show_bug.cgi?id=156728
864
865         Reviewed by Filip Pizlo.
866
867         * assembler/AbstractMacroAssembler.h:
868         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
869         (JSC::AbstractMacroAssembler::random):
870         cryptographicallyRandomNumber() is very costly.
871         We only need it in lowering some very particular cases
872         of non-trusted immediates. No inline cache needs that.
873
874         * assembler/LinkBuffer.h:
875         (JSC::LinkBuffer::link):
876         * jit/JIT.h:
877         * jit/JITInlines.h:
878         (JSC::JIT::addSlowCase):
879         Do not copy the JumpList to access its elements.
880
881 2016-04-18  Saam barati  <sbarati@apple.com>
882
883         implement dynamic scope accesses in the DFG/FTL
884         https://bugs.webkit.org/show_bug.cgi?id=156567
885
886         Reviewed by Geoffrey Garen.
887
888         This patch adds dynamic scope operations to the DFG/FTL.
889         This patch adds three new DFG nodes: ResolveScope, PutDynamicVar and GetDynamicVar.
890         When we encounter a Dynamic/UnresolvedProperty/UnresolvedPropertyWithVarInjectionChecks
891         resolve type, we will compile dynamic scope resolution nodes. When we encounter
892         a resolve type that needs var injection checks and the var injection
893         watchpoint has already been fired, we will compile dynamic scope resolution
894         nodes.
895
896         This patch also adds a new value to the InitializationMode enum: ConstInitialization.
897         There was a subtle bug where we used to never compile the var injection variant of the
898         resolve type for an eval that injected a var where there was also a global lexical variable with the same name.
899         For example, the store compiled in this eval("var foo = 20;") wouldn't be compiled
900         with var injection checks if there was a global let/const variable named "foo".
901         So there was the potential for the injected var to store to the GlobalLexicalObject.
902         I found this bug because my initial implementation in the DFG/FTL ran into it.
903         The reason this bug existed is that when we compile a const initialization,
904         we never need a var injection check. The const initialization always
905         knows where to store its value. This same logic leaked into the above eval's
906         "var foo = 20" store. This new enum value allows us to distinguish const
907         initialization stores from non-const initialization stores.
908
909         (I also changed InitializationMode to be an enum class instead of an enum).
910
911         * bytecode/CodeBlock.cpp:
912         (JSC::CodeBlock::finishCreation):
913         * bytecompiler/BytecodeGenerator.cpp:
914         (JSC::BytecodeGenerator::generate):
915         (JSC::BytecodeGenerator::BytecodeGenerator):
916         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
917         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
918         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
919         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
920         (JSC::BytecodeGenerator::emitGetFromScope):
921         (JSC::BytecodeGenerator::initializeVariable):
922         (JSC::BytecodeGenerator::emitInstanceOf):
923         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
924         (JSC::BytecodeGenerator::pushScopedControlFlowContext):
925         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
926         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
927         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
928         * bytecompiler/NodesCodegen.cpp:
929         (JSC::PostfixNode::emitResolve):
930         (JSC::PrefixNode::emitResolve):
931         (JSC::ReadModifyResolveNode::emitBytecode):
932         (JSC::initializationModeForAssignmentContext):
933         (JSC::AssignResolveNode::emitBytecode):
934         (JSC::EmptyLetExpression::emitBytecode):
935         (JSC::ForInNode::emitLoopHeader):
936         (JSC::ForOfNode::emitBytecode):
937         (JSC::ClassExprNode::emitBytecode):
938         (JSC::BindingNode::bindValue):
939         (JSC::AssignmentElementNode::bindValue):
940         (JSC::RestParameterNode::emit):
941         * dfg/DFGAbstractInterpreterInlines.h:
942         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
943         * dfg/DFGByteCodeParser.cpp:
944         (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
945         (JSC::DFG::ByteCodeParser::promoteToConstant):
946         (JSC::DFG::ByteCodeParser::needsDynamicLookup):
947         (JSC::DFG::ByteCodeParser::planLoad):
948         (JSC::DFG::ByteCodeParser::parseBlock):
949         * dfg/DFGCapabilities.cpp:
950         (JSC::DFG::capabilityLevel):
951         * dfg/DFGClobberize.h:
952         (JSC::DFG::clobberize):
953         * dfg/DFGDoesGC.cpp:
954         (JSC::DFG::doesGC):
955         * dfg/DFGFixupPhase.cpp:
956         (JSC::DFG::FixupPhase::fixupNode):
957         * dfg/DFGNode.h:
958         (JSC::DFG::Node::hasIdentifier):
959         (JSC::DFG::Node::identifierNumber):
960         (JSC::DFG::Node::hasGetPutInfo):
961         (JSC::DFG::Node::getPutInfo):
962         (JSC::DFG::Node::hasAccessorAttributes):
963         * dfg/DFGNodeType.h:
964         * dfg/DFGOperations.cpp:
965         * dfg/DFGOperations.h:
966         * dfg/DFGPredictionPropagationPhase.cpp:
967         (JSC::DFG::PredictionPropagationPhase::propagate):
968         * dfg/DFGSafeToExecute.h:
969         (JSC::DFG::safeToExecute):
970         * dfg/DFGSpeculativeJIT.cpp:
971         (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
972         (JSC::DFG::SpeculativeJIT::compileResolveScope):
973         (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
974         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
975         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
976         * dfg/DFGSpeculativeJIT.h:
977         (JSC::DFG::SpeculativeJIT::callOperation):
978         * dfg/DFGSpeculativeJIT32_64.cpp:
979         (JSC::DFG::SpeculativeJIT::compile):
980         * dfg/DFGSpeculativeJIT64.cpp:
981         (JSC::DFG::SpeculativeJIT::compile):
982         * ftl/FTLCapabilities.cpp:
983         (JSC::FTL::canCompile):
984         * ftl/FTLLowerDFGToB3.cpp:
985         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
986         (JSC::FTL::DFG::LowerDFGToB3::compare):
987         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
988         (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
989         (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
990         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
991         * jit/CCallHelpers.h:
992         (JSC::CCallHelpers::setupArgumentsWithExecState):
993         * jit/JITOperations.cpp:
994         * jit/JITOperations.h:
995         * jit/JITPropertyAccess.cpp:
996         (JSC::JIT::emit_op_put_to_scope):
997         (JSC::JIT::emitSlow_op_put_to_scope):
998         * jit/JITPropertyAccess32_64.cpp:
999         (JSC::JIT::emit_op_put_to_scope):
1000         (JSC::JIT::emitSlow_op_put_to_scope):
1001         * llint/LLIntData.cpp:
1002         (JSC::LLInt::Data::performAssertions):
1003         * llint/LLIntSlowPaths.cpp:
1004         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1005         * llint/LowLevelInterpreter.asm:
1006         * llint/LowLevelInterpreter64.asm:
1007         * runtime/GetPutInfo.h:
1008         (JSC::resolveModeName):
1009         (JSC::initializationModeName):
1010         (JSC::isInitialization):
1011         (JSC::makeType):
1012         (JSC::GetPutInfo::GetPutInfo):
1013         * runtime/JSScope.cpp:
1014         (JSC::abstractAccess):
1015
1016 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
1017
1018         Disable AVX.
1019
1020         Rubber stamped by Benjamin Poulain.
1021
1022         AVX is silly. If you use it and some of your other code isn't careful with float register bits, you
1023         will run 10x slower. We could fix the underlying issue, but it's better to stay away from this odd
1024         instruction subset.
1025
1026         This fixes a massive regression on some real code.
1027
1028         * assembler/MacroAssemblerX86Common.h:
1029         (JSC::MacroAssemblerX86Common::supportsAVX):
1030         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
1031
1032 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
1033
1034         ToThis should have a fast path based on type info flags
1035         https://bugs.webkit.org/show_bug.cgi?id=156712
1036
1037         Reviewed by Geoffrey Garen.
1038
1039         Prior to this change, if we couldn't nail down the type of ToThis to something easy, we'd emit code
1040         that would take slow path if the argument was not a final object. We'd end up taking that slow path
1041         a lot.
1042
1043         This adds a type info flag for ToThis having non-obvious behavior and changes the DFG and FTL paths
1044         to test this flag. This is a sub-1% speed-up on SunSpider and Octane.
1045
1046         * dfg/DFGSpeculativeJIT32_64.cpp:
1047         (JSC::DFG::SpeculativeJIT::compile):
1048         * dfg/DFGSpeculativeJIT64.cpp:
1049         (JSC::DFG::SpeculativeJIT::compile):
1050         * ftl/FTLLowerDFGToB3.cpp:
1051         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
1052         * runtime/JSGlobalObject.h:
1053         (JSC::JSGlobalObject::create):
1054         * runtime/JSLexicalEnvironment.h:
1055         (JSC::JSLexicalEnvironment::create):
1056         * runtime/JSString.h:
1057         * runtime/JSTypeInfo.h:
1058         (JSC::TypeInfo::overridesGetOwnPropertySlot):
1059         (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
1060         (JSC::TypeInfo::structureIsImmortal):
1061         (JSC::TypeInfo::overridesToThis):
1062         (JSC::TypeInfo::overridesGetPropertyNames):
1063         (JSC::TypeInfo::prohibitsPropertyCaching):
1064         (JSC::TypeInfo::getOwnPropertySlotIsImpure):
1065         * runtime/StrictEvalActivation.h:
1066         (JSC::StrictEvalActivation::create):
1067         * runtime/Symbol.h:
1068
1069 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
1070
1071         Check to see how the perf bots react to megamorphic load being disabled.
1072
1073         Rubber stamped by Chris Dumez.
1074
1075         * runtime/Options.h:
1076
1077 2016-04-18  Keith Miller  <keith_miller@apple.com>
1078
1079         We should support delete in the DFG
1080         https://bugs.webkit.org/show_bug.cgi?id=156607
1081
1082         Reviewed by Benjamin Poulain.
1083
1084         This patch adds support for the delete in the DFG as it appears that
1085         some major frameworks use the operation in particularly hot functions.
1086         As a result, even if the function rarely ever calls delete we would never
1087         tier up to the DFG. This patch also changes operationDeleteById to take a
1088         UniquedStringImpl and return a size_t.
1089
1090         * dfg/DFGAbstractInterpreterInlines.h:
1091         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1092         * dfg/DFGByteCodeParser.cpp:
1093         (JSC::DFG::ByteCodeParser::parseBlock):
1094         * dfg/DFGCapabilities.cpp:
1095         (JSC::DFG::capabilityLevel):
1096         * dfg/DFGClobberize.h:
1097         (JSC::DFG::clobberize):
1098         * dfg/DFGDoesGC.cpp:
1099         (JSC::DFG::doesGC):
1100         * dfg/DFGFixupPhase.cpp:
1101         (JSC::DFG::FixupPhase::fixupNode):
1102         * dfg/DFGNode.h:
1103         (JSC::DFG::Node::hasIdentifier):
1104         * dfg/DFGNodeType.h:
1105         * dfg/DFGPredictionPropagationPhase.cpp:
1106         (JSC::DFG::PredictionPropagationPhase::propagate):
1107         * dfg/DFGSafeToExecute.h:
1108         (JSC::DFG::safeToExecute):
1109         * dfg/DFGSpeculativeJIT.cpp:
1110         (JSC::DFG::SpeculativeJIT::compileDeleteById):
1111         * dfg/DFGSpeculativeJIT.h:
1112         (JSC::DFG::SpeculativeJIT::callOperation):
1113         * dfg/DFGSpeculativeJIT32_64.cpp:
1114         (JSC::DFG::SpeculativeJIT::compile):
1115         * dfg/DFGSpeculativeJIT64.cpp:
1116         (JSC::DFG::SpeculativeJIT::compile):
1117         * jit/JIT.h:
1118         * jit/JITInlines.h:
1119         (JSC::JIT::callOperation):
1120         * jit/JITOperations.cpp:
1121         * jit/JITOperations.h:
1122         * jit/JITPropertyAccess.cpp:
1123         (JSC::JIT::emit_op_del_by_id):
1124         * jit/JITPropertyAccess32_64.cpp:
1125         (JSC::JIT::emit_op_del_by_id):
1126
1127 2016-04-17  Filip Pizlo  <fpizlo@apple.com>
1128
1129         FTL should pin the tag registers at inline caches
1130         https://bugs.webkit.org/show_bug.cgi?id=156678
1131
1132         Reviewed by Saam Barati.
1133
1134         This is a long-overdue fix to our inline caches. Back when we had LLVM, we couldn't rely on the tags
1135         being pinned to any registers. So, if the inline caches needed tags, they'd have to materialize them.
1136
1137         This removes those materializations. This should reduce the amount of code generated in inline caches
1138         and it should make inline caches faster. The effect appears to be small.
1139
1140         It may be that after this change, we'll even be able to kill the
1141         HaveTagRegisters/DoNotHaveTagRegisters logic.
1142
1143         * bytecode/PolymorphicAccess.cpp:
1144         (JSC::AccessCase::generateWithGuard):
1145         (JSC::AccessCase::generateImpl):
1146         * ftl/FTLLowerDFGToB3.cpp:
1147         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
1148         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
1149         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
1150         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1151         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1152         (JSC::FTL::DFG::LowerDFGToB3::getById):
1153         * jit/Repatch.cpp:
1154         (JSC::readCallTarget):
1155         (JSC::linkPolymorphicCall):
1156         * jit/ThunkGenerators.cpp:
1157         (JSC::virtualThunkFor):
1158
1159 2016-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1160
1161         [ES7] yield star should not return if the inner iterator.throw returns { done: true }
1162         https://bugs.webkit.org/show_bug.cgi?id=156576
1163
1164         Reviewed by Saam Barati.
1165
1166         This is a slight generator fix in ES7. When calling generator.throw(),
1167         the yield-star should call the throw() of the inner generator. At that
1168         time, when the result of throw() is { done: true }, the generator should
1169         not stop itself.
1170
1171             function * gen()
1172             {
1173                 yield * (function * () {
1174                     try {
1175                         yield 42;
1176                     } catch (error) { }
1177                 }());
1178                 // Continue executing.
1179                 yield 42;
1180             }
1181
1182             let g = gen();
1183             g.next();
1184             shouldBe(g.throw().value, 42);
1185
1186
1187         * builtins/GeneratorPrototype.js:
1188         (generatorResume):
1189         (next):
1190         (return):
1191         (throw):
1192         * bytecode/BytecodeIntrinsicRegistry.cpp:
1193         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1194         * bytecode/BytecodeIntrinsicRegistry.h:
1195         * bytecompiler/BytecodeGenerator.cpp:
1196         (JSC::BytecodeGenerator::emitDelegateYield):
1197         * runtime/JSGeneratorFunction.h:
1198         * tests/stress/generator-yield-star.js:
1199         (gen):
1200         * tests/stress/yield-star-throw-continue.js: Added.
1201         (shouldBe):
1202         (generator):
1203         (shouldThrow):
1204
1205 2016-04-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>
1206
1207         Fix incorrect assumption that APPLE implies Mac.
1208         https://bugs.webkit.org/show_bug.cgi?id=156683
1209
1210         Addresses build failure introduced in r199094
1211
1212         Reviewed by Alex Christensen.
1213
1214         * CMakeLists.txt:
1215
1216 2016-04-17  Benjamin Poulain  <bpoulain@apple.com>
1217
1218         [JSC] ReduceDoubleToFloat should work across Phis
1219         https://bugs.webkit.org/show_bug.cgi?id=156603
1220         <rdar://problem/25736205>
1221
1222         Reviewed by Saam Barati and Filip Pizlo.
1223
1224         This patch extends B3's ReduceDoubleToFloat phase to work across
1225         Upsilon-Phis. This is important to optimize loops and some crazy cases.
1226
1227         In its simplest form, we can have conversion propagated from something
1228         like this:
1229             Double @1 = Phi()
1230             Float @2 = DoubleToFloat(@1)
1231
1232         When that happens, we just need to propagate that the result only
1233         needs float precision across all values coming to this Phi.
1234
1235
1236         There are more complicated cases when the value produced is effectively Float
1237         but the user of the value does not do DoubleToFloat.
1238
1239         Typically, we have something like:
1240             #1
1241                 @1 = ConstDouble(1)
1242                 @2 = Upsilon(@1, ^5)
1243             #2
1244                 @3 = FloatToDouble(@x)
1245                 @4 = Upsilon(@3, ^5)
1246             #3
1247                 @5 = Phi()
1248                 @6 = Add(@5, @somethingFloat)
1249                 @7 = DoubleToFloat(@6)
1250
1251         Here with a Phi-Upsilon that is a Double but can be represented
1252         as Float without loss of precision.
1253
1254         It is valuable to convert such Phis to float if and only if the value
1255         is used as float. Otherwise, you may be just adding useless conversions
1256         (for example, two double constants that flow into a double Add should not
1257         turn into two float constants flowing into a FloatToDouble then Add).
1258
1259
1260         ReduceDoubleToFloat does two analysis passes to gather the necessary
1261         meta information. Then we have a simplify() phase to actually reduce
1262         operations. Finally, the cleanup() pass puts the graph into a valid
1263         state again.
1264
1265         The two analysis passes work by disproving that something is float.
1266         - findCandidates() accumulates anything used as Double.
1267         - findPhisContainingFloat() accumulates phis that would lose precision
1268           by converting the input to float.
1269
1270         With this change, Unity3D improves by ~1.5%, box2d-f32 improves
1271         by ~2.8% (on Haswell).
1272
1273         * b3/B3ReduceDoubleToFloat.cpp:
1274         (JSC::B3::reduceDoubleToFloat):
1275         * b3/testb3.cpp:
1276         (JSC::B3::testCompareTwoFloatToDouble):
1277         (JSC::B3::testCompareOneFloatToDouble):
1278         (JSC::B3::testCompareFloatToDoubleThroughPhi):
1279         (JSC::B3::testDoubleToFloatThroughPhi):
1280         (JSC::B3::testDoubleProducerPhiToFloatConversion):
1281         (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
1282         (JSC::B3::testDoubleProducerPhiWithNonFloatConst):
1283         (JSC::B3::testStoreDoubleConstantAsFloat):
1284         (JSC::B3::run):
1285         * tests/stress/double-compare-to-float.js: Added.
1286         (canSimplifyToFloat):
1287         (canSimplifyToFloatWithConstant):
1288         (cannotSimplifyA):
1289         (cannotSimplifyB):
1290         * tests/stress/double-to-float.js: Added.
1291         (upsilonReferencingItsPhi):
1292         (upsilonReferencingItsPhiAllFloat):
1293         (upsilonReferencingItsPhiWithoutConversion):
1294         (conversionPropagages):
1295         (chainedUpsilonBothConvert):
1296         (chainedUpsilonFirstConvert):
1297
1298 2016-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1299
1300         [ES6] Use @isObject to check Object Type instead of using instanceof
1301         https://bugs.webkit.org/show_bug.cgi?id=156676
1302
1303         Reviewed by Darin Adler.
1304
1305         Use @isObject instead of `instanceof @Object`.
1306         The `instanceof` check is not enough to check Object Type.
1307         For example, given 2 realms, the object created in one realm does not inherit the Object of another realm.
1308         Another example is an object which does not inherit from Object.
1309         This object can be easily created by calling `Object.create(null)`.
1310
1311         * builtins/RegExpPrototype.js:
1312         (match):
1313         * jsc.cpp:
1314         (GlobalObject::finishCreation):
1315         (functionCreateGlobalObject):
1316         * tests/stress/regexp-match-in-other-realm-should-work.js: Added.
1317         (shouldBe):
1318         * tests/stress/regexp-match-should-work-with-objects-not-inheriting-object-prototype.js: Added.
1319         (shouldBe):
1320         (regexp.exec):
1321
1322 2016-04-17  Darin Adler  <darin@apple.com>
1323
1324         Remove more uses of Deprecated::ScriptXXX
1325         https://bugs.webkit.org/show_bug.cgi?id=156660
1326
1327         Reviewed by Antti Koivisto.
1328
1329         * bindings/ScriptFunctionCall.cpp:
1330         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted
1331         unneeded overloads that take a ScriptObject and ScriptValue.
1332         * bindings/ScriptFunctionCall.h: Ditto.
1333
1334         * bindings/ScriptObject.h: Added operator so this can change
1335         itself into a JSObject*. Helps while phasing this class out.
1336
1337         * bindings/ScriptValue.h: Export toInspectorValue so it can be
1338         used in WebCore.
1339
1340         * inspector/InjectedScriptManager.cpp:
1341         (Inspector::InjectedScriptManager::createInjectedScript): Changed
1342         return value from Deprecated::ScriptObject to JSObject*.
1343         (Inspector::InjectedScriptManager::injectedScriptFor): Updated for
1344         the return value change above.
1345         * inspector/InjectedScriptManager.h: Ditto.
1346
1347 2016-04-16  Benjamin Poulain  <bpoulain@webkit.org>
1348
1349         [JSC] DFG should support relational comparisons of Number and Other
1350         https://bugs.webkit.org/show_bug.cgi?id=156669
1351
1352         Reviewed by Darin Adler.
1353
1354         In Sunspider/3d-raytrace, DFG falls back to JSValue in some important
1355         relational compare because profiling sees "undefined" from time to time.
1356
1357         This case is fairly common outside Sunspider too because of out-of-bounds array access.
1358         Unfortunately for us, our fallback for compare is really inefficient.
1359
1360         Fortunately, relational comparisons with null/undefined/true/false are trivial.
1361         We can just convert both sides to Double. That's what this patch adds.
1362
1363         I also extended constant folding for those cases because I noticed
1364         a bunch of "undefined" constants going through DoubleRep at runtime.
1365
1366         * dfg/DFGAbstractInterpreterInlines.h:
1367         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1368         * dfg/DFGFixupPhase.cpp:
1369         (JSC::DFG::FixupPhase::fixupNode):
1370         * tests/stress/compare-number-and-other.js: Added.
1371         (opaqueSideEffect):
1372         (let.operator.of.operators.eval.testPolymorphic):
1373         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.eval.testMonomorphic):
1374         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicLeftConstant):
1375         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicRightConstant):
1376         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.i.testPolymorphic):
1377
1378 2016-04-16  Benjamin Poulain  <bpoulain@apple.com>
1379
1380         [JSC] FRound/Negate can produce an impure NaN out of a pure NaN
1381         https://bugs.webkit.org/show_bug.cgi?id=156528
1382
1383         Reviewed by Filip Pizlo.
1384
1385         If you fround a double with the bits 0xfff7000000000000
1386         you get 0xfffe000000000000. The first is a pure NaN, the second isn't.
1387
1388         This is without a test because I could not find a way to create a 0xfff7000000000000
1389         while convincing the DFG that it's pure.
1390         When we purify NaNs from typed array, we use a specific value of NaN if the input
1391         is any NaN, making testing tricky.
1392
1393         * bytecode/SpeculatedType.cpp:
1394         (JSC::typeOfDoubleNegation):
1395
1396 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
1397
1398         JS::DFG::nodeValuePairListDump does not compile with libstdc++ 4.8
1399         https://bugs.webkit.org/show_bug.cgi?id=156670
1400
1401         Reviewed by Darin Adler.
1402
1403         * dfg/DFGNode.h:
1404         (JSC::DFG::nodeValuePairListDump): Modified to use lambda as comparator.
1405
1406 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
1407
1408         [mips] Implemented moveZeroToDouble.
1409         https://bugs.webkit.org/show_bug.cgi?id=155429
1410
1411         Reviewed by Darin Adler.
1412
1413         This function is required to fix compilation after r197687.
1414
1415         * assembler/MacroAssemblerMIPS.h:
1416         (JSC::MacroAssemblerMIPS::moveZeroToDouble):
1417
1418 2016-04-15  Darin Adler  <darin@apple.com>
1419
1420         Reduce use of Deprecated::ScriptXXX classes
1421         https://bugs.webkit.org/show_bug.cgi?id=156632
1422
1423         Reviewed by Alex Christensen.
1424
1425         * bindings/ScriptFunctionCall.cpp:
1426         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted version that takes a Deprecated::ScriptValue.
1427         (Deprecated::ScriptFunctionCall::call): Changed to return a JSValue.
1428         * bindings/ScriptFunctionCall.h: Updated for the above.
1429
1430         * bindings/ScriptValue.cpp:
1431         (Inspector::jsToInspectorValue): Moved from Deprecated namespace to Inspector namespace. Later, we should
1432         move this to another source file in the inspector directory.
1433         (Inspector::toInspectorValue): Added.
1434         (Deprecated::ScriptValue::toInspectorValue): Updated for change to underlying function.
1435         * bindings/ScriptValue.h: Update for the above.
1436
1437         * inspector/InjectedScript.cpp:
1438         (Inspector::InjectedScript::evaluateOnCallFrame): Changed arguments and return values from
1439         Deprecated::ScriptValue to JSC::JSValue.
1440         (Inspector::InjectedScript::functionDetails): Ditto.
1441         (Inspector::InjectedScript::wrapCallFrames): Ditto.
1442         (Inspector::InjectedScript::wrapObject): Ditto.
1443         (Inspector::InjectedScript::wrapTable): Ditto.
1444         (Inspector::InjectedScript::previewValue): Ditto.
1445         (Inspector::InjectedScript::setExceptionValue): Ditto.
1446         (Inspector::InjectedScript::findObjectById): Ditto.
1447         (Inspector::InjectedScript::inspectObject): Ditto.
1448         * inspector/InjectedScript.h: Ditto.
1449         * inspector/InjectedScriptBase.cpp:
1450         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled): Ditto.
1451         (Inspector::InjectedScriptBase::makeCall): Ditto.
1452         * inspector/InjectedScriptBase.h: Ditto.
1453         * inspector/InjectedScriptModule.cpp:
1454         (Inspector::InjectedScriptModule::ensureInjected): Ditto.
1455         * inspector/ScriptDebugListener.h: Ditto.
1456         * inspector/ScriptDebugServer.cpp:
1457         (Inspector::ScriptDebugServer::evaluateBreakpointAction): Ditto.
1458         (Inspector::ScriptDebugServer::dispatchDidPause): Ditto.
1459         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
1460         (Inspector::ScriptDebugServer::exceptionOrCaughtValue): Ditto.
1461         * inspector/ScriptDebugServer.h: Ditto.
1462         * inspector/agents/InspectorDebuggerAgent.cpp:
1463         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason): Ditto.
1464         (Inspector::InspectorDebuggerAgent::didPause): Ditto.
1465         (Inspector::InspectorDebuggerAgent::breakpointActionProbe): Ditto.
1466         (Inspector::InspectorDebuggerAgent::didContinue): Ditto.
1467         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): Ditto.
1468         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
1469         * inspector/agents/InspectorHeapAgent.cpp:
1470         (Inspector::InspectorHeapAgent::getPreview): Ditto.
1471         (Inspector::InspectorHeapAgent::getRemoteObject): Ditto.
1472
1473 2016-04-15  Keith Miller  <keith_miller@apple.com>
1474
1475         Some JIT/DFG operations need NativeCallFrameTracers
1476         https://bugs.webkit.org/show_bug.cgi?id=156650
1477
1478         Reviewed by Michael Saboff.
1479
1480         Some of our operation functions did not have native call frame
1481         tracers. This meant that we would crash occasionally on some
1482         of our tests when they triggered a GC in one of the functions
1483         without a tracer. In particular, this was exemplified by another
1484         upcoming patch when calling operationSetFunctionName.
1485
1486         This patch does not add tests since this happens consistently in
1487         the patch adding delete_by_id to the DFG.
1488
1489         * dfg/DFGOperations.cpp:
1490         * jit/JITOperations.cpp:
1491
1492 2016-04-15  Joseph Pecoraro  <pecoraro@apple.com>
1493
1494         Web Inspector: sourceMappingURL not used when sourceURL is set
1495         https://bugs.webkit.org/show_bug.cgi?id=156021
1496         <rdar://problem/25438417>
1497
1498         Reviewed by Timothy Hatcher.
1499
1500         Clean up Debugger.sourceParsed to separately include:
1501
1502             - url ("resource URL", "source url" in JSC APIs)
1503             - sourceURL - //# sourceURL directive
1504
1505         By always having the resource URL the Web Inspector frontend
1506         can better match this Script to a Resource of the same URL,
1507         and decide to use the sourceURL if it is available when
1508         appropriate.
1509
1510         * inspector/protocol/Debugger.json:
1511         * inspector/agents/InspectorDebuggerAgent.cpp:
1512         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1513         (Inspector::InspectorDebuggerAgent::didParseSource):
1514         Send the new sourceParsed parameters.
1515
1516 2016-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1517
1518         Web Inspector: Cleanup inspector/debugger tests
1519         https://bugs.webkit.org/show_bug.cgi?id=156619
1520
1521         Reviewed by Brian Burg.
1522
1523         While cleaning up the tests it exposed the fact that breakpoints
1524         were not getting disabled when the inspector closes. This means
1525         that opening the inspector, with breakpoints, and closing the
1526         inspector, would leave the JSC::Debugger thinking breakpoints
1527         are active. The JSC::Debugger should be reset.
1528
1529         * inspector/agents/InspectorDebuggerAgent.cpp:
1530         (Inspector::InspectorDebuggerAgent::disable):
1531
1532 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1533
1534         CopiedBlock should be 64kB
1535
1536         Reviewed by Benjamin Poulain.
1537
1538         Let's try another value.
1539
1540         This is 25% faster on kraken-audio-beat-detection on Mac Pro.
1541
1542         * heap/CopiedBlock.h:
1543
1544 2016-04-15  Zan Dobersek  <zdobersek@igalia.com>
1545
1546         Tail call optimizations lead to crashes on ARM Thumb + Linux
1547         https://bugs.webkit.org/show_bug.cgi?id=150083
1548
1549         Reviewed by Csaba Osztrogonác.
1550
1551         * assembler/AbstractMacroAssembler.h:
1552         (JSC::AbstractMacroAssembler::repatchNearCall): In case of a tail call relink to the
1553         data location of the destination, and not the executable address. This is needed for
1554         the ARM Thumb2 platform where both the source and destination addresses of a jump relink
1555         must not have the bottom bit decorated, as asserted in ARMv7Assembler::relinkJump().
1556         * jit/Repatch.cpp:
1557         (JSC::linkPolymorphicCall): Similarly, when linking a tail call we must link to the
1558         address that has a non-decorated bottom bit, as asserted in ARMv7Assembler::linkJumpAbsolute().
1559
1560 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1561
1562         Unreviewed, rolling out r199567.
1563
1564         performance regression on kraken on macbook*
1565
1566         Reverted changeset:
1567
1568         "CopiedBlock should be 8kB"
1569         https://bugs.webkit.org/show_bug.cgi?id=156610
1570         http://trac.webkit.org/changeset/199567
1571
1572 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1573
1574         CopiedBlock should be 8kB
1575         https://bugs.webkit.org/show_bug.cgi?id=156610
1576
1577         Reviewed by Michael Saboff.
1578
1579         On Mac Pro, this is:
1580
1581             15% faster on kraken-audio-beat-detection
1582
1583             5% faster on v8-splay
1584
1585         Hopefully, this will be OK on MacBook* bots as well.
1586
1587         32kB is the full size of L1 cache on x86. So, allocating and zero-filling
1588         a 32kB CopiedBlock would basically flush the L1 cache. We can ameliorate
1589         this problem by using smaller blocks -- or, if that doesn't work, we can
1590         use larger blocks to amortize the cost.
1591
1592         * heap/CopiedBlock.h:
1593
1594 2016-04-14  Filip Pizlo  <fpizlo@apple.com>
1595
1596         PolymorphicAccess should try to generate a stub only once
1597         https://bugs.webkit.org/show_bug.cgi?id=156555
1598
1599         Reviewed by Geoffrey Garen.
1600         
1601         This changes the PolymorphicAccess heuristics to reduce the amount of code generation even
1602         more than before. We used to always generate a monomorphic stub for the first case we saw.
1603         This change disables that. This change also increases the buffering countdown to match the
1604         cool-down repatch count. This means that we will allow for ten slow paths for adding cases,
1605         then we will generate a stub, and then we will go into cool-down and the repatching slow
1606         paths will not even attempt repatching for a while. After we emerge from cool-down - which
1607         requires a bunch of slow path calls - we will again wait for ten slow paths to get new
1608         cases. Note that it only takes 13 cases to cause the stub to give up on future repatching
1609         entirely. Also, most stubs don't ever get to 10 cases. Therefore, for most stubs this change
1610         means that each IC will repatch once. If they make it to two repatching, then the likelihood
1611         of a third becomes infinitesimal because of all of the rules that come into play at that
1612         point (the size limit being 13, the fact that we go into exponential cool-down every time we
1613         generate code, and the fact that if we have lots of self cases then we will create a
1614         catch-all megamorphic load case).
1615
1616         This also undoes a change to the megamorphic optimization that I think was unintentional.
1617         As in the change that originally introduced megamorphic loads, we want to do this only if we
1618         would otherwise exhaust the max size of the IC. This is because megamorphic loads are pretty
1619         expensive and it's best to use them only if we know that the alternative is giving up on
1620         caching.
1621
1622         This is neutral on JS benchmarks, but looks like it's another speed-up for page loading.
1623
1624         * bytecode/PolymorphicAccess.cpp:
1625         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
1626         (JSC::AccessCase::canReplace):
1627         (JSC::AccessCase::dump):
1628         (JSC::PolymorphicAccess::regenerate):
1629         * bytecode/StructureStubInfo.cpp:
1630         (JSC::StructureStubInfo::StructureStubInfo):
1631         * runtime/Options.h:
1632
1633 2016-04-14  Mark Lam  <mark.lam@apple.com>
1634
1635         Update treatment of invoking RegExp.prototype methods on RegExp.prototype.
1636         https://bugs.webkit.org/show_bug.cgi?id=155922
1637
1638         Reviewed by Keith Miller.
1639
1640         According to the TC39 committee, when invoking the following RegExp.prototype
1641         methods on the RegExp.prototype:
1642         1. RegExp.prototype.flags yields ""
1643         2. RegExp.prototype.global yields undefined
1644         3. RegExp.prototype.ignoreCase yields undefined
1645         4. RegExp.prototype.multiline yields undefined
1646         5. RegExp.prototype.unicode yields undefined
1647         6. RegExp.prototype.source yields "(?:)"
1648         7. RegExp.prototype.sticky yields undefined
1649         8. RegExp.prototype.toString() yields "/(?:)/"
1650
1651         and RegExp.prototype is still NOT an instance of RegExp.  The above behavior
1652         change is a special dispensation applicable only to RegExp.prototype.  The ES6
1653         spec of throwing errors still applies if those methods are applied to anything
1654         else that is not a RegExp object.
1655
1656         * runtime/RegExpPrototype.cpp:
1657         (JSC::regExpProtoGetterGlobal):
1658         (JSC::regExpProtoGetterIgnoreCase):
1659         (JSC::regExpProtoGetterMultiline):
1660         (JSC::regExpProtoGetterSticky):
1661         (JSC::regExpProtoGetterUnicode):
1662         (JSC::regExpProtoGetterFlags):
1663         (JSC::regExpProtoGetterSource):
1664         - Implemented new behavior.
1665
1666         * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
1667         (test):
1668         - Updated to match current kangax test.
1669
1670 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1671
1672         Some imported ES6 tests are missing __createIterableObject
1673         https://bugs.webkit.org/show_bug.cgi?id=156584
1674
1675         Reviewed by Keith Miller.
1676
1677         These tests were failing because I neglected to include __createIterableObject
1678         when I first imported them. Now they pass.
1679
1680         * tests/es6.yaml:
1681         * tests/es6/Array_static_methods_Array.from_generic_iterables.js:
1682         (iterator.next):
1683         (iterable.Symbol.iterator):
1684         (__createIterableObject):
1685         (test):
1686         * tests/es6/Array_static_methods_Array.from_instances_of_generic_iterables.js:
1687         (iterator.next):
1688         (iterable.Symbol.iterator):
1689         (__createIterableObject):
1690         (test):
1691         * tests/es6/Array_static_methods_Array.from_iterator_closing.js:
1692         (iterator.next):
1693         (iterable.Symbol.iterator):
1694         (__createIterableObject):
1695         * tests/es6/Array_static_methods_Array.from_map_function_generic_iterables.js:
1696         (iterator.next):
1697         (iterable.Symbol.iterator):
1698         (__createIterableObject):
1699         (test):
1700         * tests/es6/Array_static_methods_Array.from_map_function_instances_of_iterables.js:
1701         (iterator.next):
1702         (iterable.Symbol.iterator):
1703         (__createIterableObject):
1704         (test):
1705         * tests/es6/Map_iterator_closing.js:
1706         (iterator.next):
1707         (iterable.Symbol.iterator):
1708         (__createIterableObject):
1709         * tests/es6/Promise_Promise.all_generic_iterables.js:
1710         (iterator.next):
1711         (iterable.Symbol.iterator):
1712         (__createIterableObject):
1713         (test.asyncTestPassed):
1714         * tests/es6/Promise_Promise.race_generic_iterables.js:
1715         (iterator.next):
1716         (iterable.Symbol.iterator):
1717         (__createIterableObject):
1718         (test.asyncTestPassed):
1719         * tests/es6/Set_iterator_closing.js:
1720         (iterator.next):
1721         (iterable.Symbol.iterator):
1722         (__createIterableObject):
1723         * tests/es6/WeakMap_iterator_closing.js:
1724         (iterator.next):
1725         (iterable.Symbol.iterator):
1726         (__createIterableObject):
1727         * tests/es6/WeakSet_iterator_closing.js:
1728         (iterator.next):
1729         (iterable.Symbol.iterator):
1730         (__createIterableObject):
1731         * tests/es6/destructuring_iterator_closing.js:
1732         (iterator.next):
1733         (iterable.Symbol.iterator):
1734         (__createIterableObject):
1735         * tests/es6/destructuring_with_generic_iterables.js:
1736         (iterator.next):
1737         (iterable.Symbol.iterator):
1738         (__createIterableObject):
1739         (test):
1740         * tests/es6/destructuring_with_instances_of_generic_iterables.js:
1741         (iterator.next):
1742         (iterable.Symbol.iterator):
1743         (__createIterableObject):
1744         (test):
1745         * tests/es6/for..of_loops_iterator_closing_break.js:
1746         (iterator.next):
1747         (iterable.Symbol.iterator):
1748         (__createIterableObject):
1749         * tests/es6/for..of_loops_iterator_closing_throw.js:
1750         (iterator.next):
1751         (iterable.Symbol.iterator):
1752         (__createIterableObject):
1753         * tests/es6/for..of_loops_with_generic_iterables.js:
1754         (iterator.next):
1755         (iterable.Symbol.iterator):
1756         (__createIterableObject):
1757         (test):
1758         * tests/es6/for..of_loops_with_instances_of_generic_iterables.js:
1759         (iterator.next):
1760         (iterable.Symbol.iterator):
1761         (__createIterableObject):
1762         (test):
1763         * tests/es6/generators_yield_star_generic_iterables.js:
1764         (iterator.next):
1765         (iterable.Symbol.iterator):
1766         (__createIterableObject):
1767         * tests/es6/generators_yield_star_iterator_closing_via_throw.js:
1768         (iterator.next):
1769         (iterable.Symbol.iterator):
1770         (__createIterableObject):
1771         * tests/es6/spread_..._operator_with_generic_iterables_in_arrays.js:
1772         (iterator.next):
1773         (iterable.Symbol.iterator):
1774         (__createIterableObject):
1775         (test):
1776         * tests/es6/spread_..._operator_with_generic_iterables_in_calls.js:
1777         (iterator.next):
1778         (iterable.Symbol.iterator):
1779         (__createIterableObject):
1780         (test):
1781         * tests/es6/spread_..._operator_with_instances_of_iterables_in_arrays.js:
1782         (iterator.next):
1783         (iterable.Symbol.iterator):
1784         (__createIterableObject):
1785         (test):
1786         * tests/es6/spread_..._operator_with_instances_of_iterables_in_calls.js:
1787         (iterator.next):
1788         (iterable.Symbol.iterator):
1789         (__createIterableObject):
1790         (test):
1791
1792 2016-04-13  Alex Christensen  <achristensen@webkit.org>
1793
1794         CMake MiniBrowser should be an app bundle
1795         https://bugs.webkit.org/show_bug.cgi?id=156521
1796
1797         Reviewed by Brent Fulgham.
1798
1799         * PlatformMac.cmake:
1800         Unreviewed build fix.  Define __STDC_WANT_LIB_EXT1__ so we can find memset_s.
1801
1802 2016-04-13  Joseph Pecoraro  <pecoraro@apple.com>
1803
1804         JSContext Inspector: Improve Class instances and JSC API Exported Values view in Console / ObjectTree
1805         https://bugs.webkit.org/show_bug.cgi?id=156566
1806         <rdar://problem/16392365>
1807
1808         Reviewed by Timothy Hatcher.
1809
1810         * inspector/InjectedScriptSource.js:
1811         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
1812         Treat non-basic object types as not lossless so they can be expanded.
1813         Show non-enumerable native getters in Object previews.
1814
1815 2016-04-13  Michael Saboff  <msaboff@apple.com>
1816
1817         Some tests fail with ES6 `u` (Unicode) flag for regular expressions
1818         https://bugs.webkit.org/show_bug.cgi?id=151597
1819
1820         Reviewed by Geoffrey Garen.
1821
1822         Added two new tables to handle the anomalies of \w and \W CharacterClassEscapes
1823         when specified in RegExps with both the unicode and ignoreCase flags.  Given the
1824         case folding rules described in the standard via the meta function Canonicalize(),
1825         which allow cross ASCII case folding when unicode is specified, the unicode characters
1826         \u017f (small sharp s) and \u212a (kelvin symbol) are part of the \w (word) characterClassEscape.
1827         This is true because they case fold to 's' and 'k' respectively.  Because they case fold
1828         to lower case letters, the corresponding letters, 'k', 'K', 's' and 'S', are also matched with
1829         \W with the unicode and ignoreCase flags.
1830
1831         * create_regex_tables:
1832         * yarr/YarrPattern.cpp:
1833         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
1834         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
1835         (JSC::Yarr::YarrPattern::YarrPattern):
1836         * yarr/YarrPattern.h:
1837         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
1838         (JSC::Yarr::YarrPattern::wordUnicodeIgnoreCaseCharCharacterClass):
1839         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
1840         (JSC::Yarr::YarrPattern::nonwordUnicodeIgnoreCaseCharCharacterClass):
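
An added example, not from the ChangeLog or WebKit's sources, that probes the \w side of the behaviour the entry above describes using Node's RegExp engine; it does not exercise \W, and the identifier-validator pattern and the sample strings are constructed for illustration.

```javascript
// Added example (not WebKit code). It checks how the "u" and "i" RegExp flags
// interact for the two characters named in the ChangeLog entry, and shows why
// an "ASCII identifier" validator written with /iu accepts non-ASCII input.
// Assumes Node.js; the validator pattern below is constructed, not from the page.

const LONG_S = "\u017f"; // U+017F, simple-case-folds to "s"
const KELVIN = "\u212a"; // U+212A (Kelvin sign), simple-case-folds to "k"

// For a single character, report whether ^\w$ accepts it under each flag
// combination. Only "iu" applies Unicode simple case folding (Canonicalize()
// with the unicode flag), which is what pulls U+017F and U+212A into \w.
function wordCharUnderFlags(ch) {
  const verdicts = {};
  for (const flags of ["", "i", "u", "iu"]) {
    verdicts[flags] = new RegExp("^\\w$", flags).test(ch);
  }
  return verdicts;
}

// A typical "ASCII identifier" validator (constructed example). Spelling the
// class out as [a-z0-9_] instead of \w does not help once "iu" is set: case
// folding applies to the explicit class members exactly as it does to \w.
function isAsciiIdentifier(candidate, flags) {
  return new RegExp("^[a-z0-9_]+$", flags).test(candidate);
}

// Of the given single characters, return those that are outside ASCII yet are
// accepted by the validator under `flags`. A non-empty result for "iu" means
// the validator is not actually restricting input to ASCII.
function nonAsciiAcceptedBy(flags, candidates) {
  return candidates.filter(
    (ch) => ch.codePointAt(0) > 0x7f && isAsciiIdentifier(ch, flags)
  );
}

function main() {
  for (const ch of [LONG_S, KELVIN, "s", "k"]) {
    console.log(JSON.stringify(ch), wordCharUnderFlags(ch));
  }
  const probes = [LONG_S, KELVIN, "\u00e9"]; // U+00E9 does not fold to ASCII
  console.log("non-ASCII accepted with /iu:", nonAsciiAcceptedBy("iu", probes));
  console.log("non-ASCII accepted with /i :", nonAsciiAcceptedBy("i", probes));
}

main();
```

Dropping the "u" flag (or the "i" flag) restores an ASCII-only match for this validator, because without unicode mode Canonicalize() refuses to map a non-ASCII character onto an ASCII one.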
1841
1842 2016-04-13  Commit Queue  <commit-queue@webkit.org>
1843
1844         Unreviewed, rolling out r199502 and r199511.
1845         https://bugs.webkit.org/show_bug.cgi?id=156557
1846
1847         Appears to have in-browser perf regression (Requested by mlam
1848         on #webkit).
1849
1850         Reverted changesets:
1851
1852         "ES6: Implement String.prototype.split and
1853         RegExp.prototype[@@split]."
1854         https://bugs.webkit.org/show_bug.cgi?id=156013
1855         http://trac.webkit.org/changeset/199502
1856
1857         "ES6: Implement RegExp.prototype[@@search]."
1858         https://bugs.webkit.org/show_bug.cgi?id=156331
1859         http://trac.webkit.org/changeset/199511
1860
1861 2016-04-13  Keith Miller  <keith_miller@apple.com>
1862
1863         isJSArray should use ArrayType rather than the ClassInfo
1864         https://bugs.webkit.org/show_bug.cgi?id=156551
1865
1866         Reviewed by Filip Pizlo.
1867
1868         Using the JSType rather than the ClassInfo should be slightly faster
1869         since the type is inline on the cell whereas the ClassInfo is only
1870         on the structure.
1871
1872         * runtime/JSArray.h:
1873         (JSC::isJSArray):
1874
1875 2016-04-13  Mark Lam  <mark.lam@apple.com>
1876
1877         ES6: Implement RegExp.prototype[@@search].
1878         https://bugs.webkit.org/show_bug.cgi?id=156331
1879
1880         Reviewed by Keith Miller.
1881
1882         What changed?
1883         1. Implemented search builtin in RegExpPrototype.js.
1884            The native path is now used as a fast path.
1885         2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
1886            IsJSArrayIntrinsic).
1887         3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
1888         4. Changed the esSpecIsRegExpObject() implementation to check if the object's
1889            JSType is RegExpObjectType instead of walking the classinfo chain.
1890
1891         * builtins/RegExpPrototype.js:
1892         (search):
1893         * builtins/StringPrototype.js:
1894         (search):
1895         - fixed some indentation.
1896
1897         * dfg/DFGAbstractInterpreterInlines.h:
1898         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1899         * dfg/DFGByteCodeParser.cpp:
1900         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1901         * dfg/DFGClobberize.h:
1902         (JSC::DFG::clobberize):
1903         * dfg/DFGDoesGC.cpp:
1904         (JSC::DFG::doesGC):
1905         * dfg/DFGFixupPhase.cpp:
1906         (JSC::DFG::FixupPhase::fixupNode):
1907         * dfg/DFGNodeType.h:
1908         * dfg/DFGPredictionPropagationPhase.cpp:
1909         (JSC::DFG::PredictionPropagationPhase::propagate):
1910         * dfg/DFGSafeToExecute.h:
1911         (JSC::DFG::safeToExecute):
1912         * dfg/DFGSpeculativeJIT.cpp:
1913         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
1914         (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
1915         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1916         * dfg/DFGSpeculativeJIT.h:
1917         * dfg/DFGSpeculativeJIT32_64.cpp:
1918         (JSC::DFG::SpeculativeJIT::compile):
1919         * dfg/DFGSpeculativeJIT64.cpp:
1920         (JSC::DFG::SpeculativeJIT::compile):
1921         * ftl/FTLCapabilities.cpp:
1922         (JSC::FTL::canCompile):
1923         * ftl/FTLLowerDFGToB3.cpp:
1924         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1925         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
1926         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
1927         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
1928         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
1929         (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
1930         (JSC::FTL::DFG::LowerDFGToB3::isType):
1931         * runtime/Intrinsic.h:
1932         - Added IsRegExpObjectIntrinsic.
1933
1934         * runtime/CommonIdentifiers.h:
1935
1936         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1937         (JSC::esSpecIsConstructor):
1938         - Changed to use uncheckedArgument since this is only called from internal code.
1939         (JSC::esSpecIsRegExpObject):
1940         (JSC::esSpecIsRegExp): Deleted.
1941         * runtime/ECMAScriptSpecInternalFunctions.h:
1942         - Changed to check the object for a JSType of RegExpObjectType.
1943
1944         * runtime/JSGlobalObject.cpp:
1945         (JSC::JSGlobalObject::init):
1946         - Added split fast path.
1947
1948         * runtime/RegExpPrototype.cpp:
1949         (JSC::RegExpPrototype::finishCreation):
1950         (JSC::regExpProtoFuncSearchFast):
1951         (JSC::regExpProtoFuncSearch): Deleted.
1952         * runtime/RegExpPrototype.h:
1953
1954         * tests/es6.yaml:
1955         * tests/stress/regexp-search.js:
1956         - Rebased test.
1957
1958 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
1959
1960         PolymorphicAccess::regenerate() shouldn't have to clone non-generated AccessCases
1961         https://bugs.webkit.org/show_bug.cgi?id=156493
1962
1963         Reviewed by Geoffrey Garen.
1964
1965         Cloning AccessCases is only necessary if they hold some artifacts that are used by code that
1966         they already generated. So, if the state is not Generated, we don't have to bother with
1967         cloning them.
1968
1969         This should speed up PolymorphicAccess regeneration a bit more.
1970
1971         * bytecode/PolymorphicAccess.cpp:
1972         (JSC::AccessCase::commit):
1973         (JSC::PolymorphicAccess::regenerate):
1974
1975 2016-04-13  Mark Lam  <mark.lam@apple.com>
1976
1977         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1978         https://bugs.webkit.org/show_bug.cgi?id=156013
1979
1980         Reviewed by Keith Miller.
1981
1982         Re-landing r199393 now that the shadow chicken crash has been fixed.
1983
1984         * CMakeLists.txt:
1985         * JavaScriptCore.xcodeproj/project.pbxproj:
1986         * builtins/GlobalObject.js:
1987         (speciesConstructor):
1988         * builtins/PromisePrototype.js:
1989         - refactored to use the @speciesConstructor internal function.
1990
1991         * builtins/RegExpPrototype.js:
1992         (advanceStringIndex):
1993         - refactored from @advanceStringIndexUnicode() to match the spec.
1994           Benchmarks show that there's no advantage in doing the unicode check outside
1995           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
1996           spec (especially since @@split needs to call advanceStringIndex from more than
1997           1 location).
1998         (match):
1999         - Removed an unnecessary call to @Object because it was already proven above.
2000         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
2001           Again, there's no perf regression for this.
2002         (regExpExec):
2003         (hasObservableSideEffectsForRegExpSplit):
2004         (split):
2005         (advanceStringIndexUnicode): Deleted.
2006
2007         * builtins/StringPrototype.js:
2008         (split):
2009         - Modified to use RegExp.prototype[@@split].
2010
2011         * bytecode/BytecodeIntrinsicRegistry.cpp:
2012         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2013         (JSC::BytecodeIntrinsicRegistry::lookup):
2014         * bytecode/BytecodeIntrinsicRegistry.h:
2015         - Added the @@split symbol.
2016
2017         * runtime/CommonIdentifiers.h:
2018         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
2019         (JSC::esSpecIsConstructor):
2020         (JSC::esSpecIsRegExp):
2021         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
2022
2023         * runtime/JSGlobalObject.cpp:
2024         (JSC::getGetterById):
2025         (JSC::JSGlobalObject::init):
2026
2027         * runtime/PropertyDescriptor.cpp:
2028         (JSC::PropertyDescriptor::setDescriptor):
2029         - Removed an assert that is no longer valid.
2030
2031         * runtime/RegExpObject.h:
2032         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
2033           fast path.
2034
2035         * runtime/RegExpPrototype.cpp:
2036         (JSC::RegExpPrototype::finishCreation):
2037         (JSC::regExpProtoFuncExec):
2038         (JSC::regExpProtoFuncSearch):
2039         (JSC::advanceStringIndex):
2040         (JSC::regExpProtoFuncSplitFast):
2041         * runtime/RegExpPrototype.h:
2042
2043         * runtime/StringObject.h:
2044         (JSC::jsStringWithReuse):
2045         (JSC::jsSubstring):
2046         - Hoisted some utility functions from StringPrototype.cpp so that they can be
2047           reused by the regexp split fast path.
2048
2049         * runtime/StringPrototype.cpp:
2050         (JSC::StringPrototype::finishCreation):
2051         (JSC::stringProtoFuncSplitFast):
2052         (JSC::stringProtoFuncSubstr):
2053         (JSC::builtinStringSubstrInternal):
2054         (JSC::stringProtoFuncSubstring):
2055         (JSC::stringIncludesImpl):
2056         (JSC::stringProtoFuncIncludes):
2057         (JSC::builtinStringIncludesInternal):
2058         (JSC::jsStringWithReuse): Deleted.
2059         (JSC::jsSubstring): Deleted.
2060         (JSC::stringProtoFuncSplit): Deleted.
2061         * runtime/StringPrototype.h:
2062
2063         * tests/es6.yaml:
2064
2065 2016-04-13  Mark Lam  <mark.lam@apple.com>
2066
2067         ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
2068         https://bugs.webkit.org/show_bug.cgi?id=156532
2069
2070         Reviewed by Saam Barati and Filip Pizlo.
2071
2072         ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in
2073         the callee field of a log packet.  However, ShadowChicken::visitChildren()
2074         unconditionally visits the callee field of each packet as if they are real
2075         objects.  If visitChildren() encounters one of these markers in the log, we get a
2076         crash.
2077
2078         This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow
2079         chicken when r199393 landed.  r199393 introduced tail calls to a RegExp split
2080         fast path, and the v8-regexp.js test exercised this fast path a lot.  Throw in
2081         some timely GCs, and we get a crash party.
2082
2083         The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and
2084         throwMarker.
2085
2086         Alternatively, if perf is an issue, we can allocate 2 dedicated objects for
2087         these markers so that ShadowChicken can continue to visit them.  For now, I'm
2088         going with the filter.
2089
2090         * interpreter/ShadowChicken.cpp:
2091         (JSC::ShadowChicken::visitChildren):
2092
2093 2016-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2094
2095         [ES6] Add @@toStringTag to GeneratorFunction
2096         https://bugs.webkit.org/show_bug.cgi?id=156499
2097
2098         Reviewed by Mark Lam.
2099
2100         GeneratorFunction.prototype has @@toStringTag property, "GeneratorFunction".
2101         https://tc39.github.io/ecma262/#sec-generatorfunction.prototype-@@tostringtag
2102
2103         * runtime/GeneratorFunctionPrototype.cpp:
2104         (JSC::GeneratorFunctionPrototype::finishCreation):
2105         * tests/es6.yaml:
2106         * tests/es6/well-known_symbols_Symbol.toStringTag_new_built-ins.js: Added.
2107         (test):
2108
2109 2016-04-13  Alberto Garcia  <berto@igalia.com>
2110
2111         Fix build in glibc-based BSD systems
2112         https://bugs.webkit.org/show_bug.cgi?id=156533
2113
2114         Reviewed by Carlos Garcia Campos.
2115
2116         Change the order of the #elif conditionals so glibc-based BSD
2117         systems (e.g. Debian GNU/kFreeBSD) use the code inside the
2118         OS(FREEBSD) blocks.
2119
2120         * heap/MachineStackMarker.cpp:
2121         (JSC::MachineThreads::Thread::Registers::stackPointer):
2122         (JSC::MachineThreads::Thread::Registers::framePointer):
2123         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2124         (JSC::MachineThreads::Thread::Registers::llintPC):
2125
2126 2016-04-12  Keith Miller  <keith_miller@apple.com>
2127
2128         Unreviewed undo change from ArrayClass to ArrayWithUndecided, which
2129         was not intended to land with r199397.
2130
2131         * runtime/ArrayPrototype.h:
2132         (JSC::ArrayPrototype::createStructure):
2133
2134 2016-04-12  Mark Lam  <mark.lam@apple.com>
2135
2136         Rollout: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
2137         https://bugs.webkit.org/show_bug.cgi?id=156013
2138
2139         Speculative rollout to fix 32-bit shadow-chicken.yaml/tests/v8-v6/v8-regexp.js.shadow-chicken test failure.
2140
2141         Not reviewed.
2142
2143         * CMakeLists.txt:
2144         * JavaScriptCore.xcodeproj/project.pbxproj:
2145         * builtins/GlobalObject.js:
2146         (speciesGetter):
2147         (speciesConstructor): Deleted.
2148         * builtins/PromisePrototype.js:
2149         * builtins/RegExpPrototype.js:
2150         (advanceStringIndexUnicode):
2151         (match):
2152         (advanceStringIndex): Deleted.
2153         (regExpExec): Deleted.
2154         (hasObservableSideEffectsForRegExpSplit): Deleted.
2155         (split): Deleted.
2156         * builtins/StringPrototype.js:
2157         (repeat):
2158         (split): Deleted.
2159         * bytecode/BytecodeIntrinsicRegistry.cpp:
2160         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2161         (JSC::BytecodeIntrinsicRegistry::lookup):
2162         * bytecode/BytecodeIntrinsicRegistry.h:
2163         * runtime/CommonIdentifiers.h:
2164         * runtime/ECMAScriptSpecInternalFunctions.cpp: Removed.
2165         * runtime/ECMAScriptSpecInternalFunctions.h: Removed.
2166         * runtime/JSGlobalObject.cpp:
2167         (JSC::JSGlobalObject::setGlobalThis):
2168         (JSC::JSGlobalObject::init):
2169         (JSC::getGetterById): Deleted.
2170         * runtime/PropertyDescriptor.cpp:
2171         (JSC::PropertyDescriptor::setDescriptor):
2172         * runtime/RegExpObject.h:
2173         (JSC::RegExpObject::offsetOfLastIndexIsWritable):
2174         * runtime/RegExpPrototype.cpp:
2175         (JSC::RegExpPrototype::finishCreation):
2176         (JSC::regExpProtoFuncExec):
2177         (JSC::regExpProtoFuncSearch):
2178         (JSC::advanceStringIndex): Deleted.
2179         (JSC::regExpProtoFuncSplitFast): Deleted.
2180         * runtime/RegExpPrototype.h:
2181         * runtime/StringObject.h:
2182         (JSC::jsStringWithReuse): Deleted.
2183         (JSC::jsSubstring): Deleted.
2184         * runtime/StringPrototype.cpp:
2185         (JSC::StringPrototype::finishCreation):
2186         (JSC::jsStringWithReuse):
2187         (JSC::jsSubstring):
2188         (JSC::substituteBackreferencesSlow):
2189         (JSC::splitStringByOneCharacterImpl):
2190         (JSC::stringProtoFuncSplit):
2191         (JSC::stringProtoFuncSubstr):
2192         (JSC::stringProtoFuncSubstring):
2193         (JSC::stringProtoFuncEndsWith):
2194         (JSC::stringProtoFuncIncludes):
2195         (JSC::stringProtoFuncIterator):
2196         (JSC::stringProtoFuncSplitFast): Deleted.
2197         (JSC::builtinStringSubstrInternal): Deleted.
2198         (JSC::stringIncludesImpl): Deleted.
2199         (JSC::builtinStringIncludesInternal): Deleted.
2200         * runtime/StringPrototype.h:
2201         * tests/es6.yaml:
2202
2203 2016-04-12  Mark Lam  <mark.lam@apple.com>
2204
2205         Remove 2 unused JSC options.
2206         https://bugs.webkit.org/show_bug.cgi?id=156526
2207
2208         Reviewed by Benjamin Poulain.
2209
2210         The options JSC_assertICSizing and JSC_dumpFailedICSizing are no longer in use
2211         now that we have B3.
2212
2213         * runtime/Options.h:
2214
2215 2016-04-12  Keith Miller  <keith_miller@apple.com>
2216
2217         [ES6] Add support for Symbol.isConcatSpreadable.
2218         https://bugs.webkit.org/show_bug.cgi?id=155351
2219
2220         Reviewed by Saam Barati.
2221
2222         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
2223         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
2224         a builtin performant. First, four new DFG intrinsics were added.
2225
2226         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
2227            the Array.isArray function.
2228         2) IsJSArray: checks the first child is a JSArray object.
2229         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
2230         4) CallObjectConstructor: an intrinsic of the Object constructor.
2231
2232         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
2233         we are able to prove that the first child is an Array or for ToObject an Object.
2234
2235         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
2236         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
2237         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
2238         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
2239         into a contiguous array).
2240
2241         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
2242         values onto the result array. This works roughly the same as the two array fast path using the same methodology
2243         to decide if we can memcpy the other butterfly into the result butterfly.
2244
2245         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
2246         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
2247         dataLog function on it.
2248
2249         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
2250         JSValueOperand if the operand's use count is one.
2251
2252         * JavaScriptCore.xcodeproj/project.pbxproj:
2253         * builtins/ArrayPrototype.js:
2254         (concatSlowPath):
2255         (concat):
2256         * bytecode/BytecodeIntrinsicRegistry.cpp:
2257         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2258         * bytecode/BytecodeIntrinsicRegistry.h:
2259         * dfg/DFGAbstractInterpreterInlines.h:
2260         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2261         * dfg/DFGByteCodeParser.cpp:
2262         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2263         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2264         * dfg/DFGClobberize.h:
2265         (JSC::DFG::clobberize):
2266         * dfg/DFGDoesGC.cpp:
2267         (JSC::DFG::doesGC):
2268         * dfg/DFGFixupPhase.cpp:
2269         (JSC::DFG::FixupPhase::fixupNode):
2270         * dfg/DFGNodeType.h:
2271         * dfg/DFGOperations.cpp:
2272         * dfg/DFGOperations.h:
2273         * dfg/DFGPredictionPropagationPhase.cpp:
2274         (JSC::DFG::PredictionPropagationPhase::propagate):
2275         * dfg/DFGSafeToExecute.h:
2276         (JSC::DFG::safeToExecute):
2277         * dfg/DFGSpeculativeJIT.cpp:
2278         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2279         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
2280         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
2281         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
2282         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
2283         * dfg/DFGSpeculativeJIT.h:
2284         (JSC::DFG::SpeculativeJIT::callOperation):
2285         * dfg/DFGSpeculativeJIT32_64.cpp:
2286         (JSC::DFG::SpeculativeJIT::compile):
2287         * dfg/DFGSpeculativeJIT64.cpp:
2288         (JSC::DFG::SpeculativeJIT::compile):
2289         * ftl/FTLCapabilities.cpp:
2290         (JSC::FTL::canCompile):
2291         * ftl/FTLLowerDFGToB3.cpp:
2292         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2293         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
2294         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
2295         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
2296         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
2297         (JSC::FTL::DFG::LowerDFGToB3::isArray):
2298         * jit/JITOperations.h:
2299         * jsc.cpp:
2300         (GlobalObject::finishCreation):
2301         (functionDataLogValue):
2302         * runtime/ArrayConstructor.cpp:
2303         (JSC::ArrayConstructor::finishCreation):
2304         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
2305         * runtime/ArrayConstructor.h:
2306         (JSC::isArrayConstructor):
2307         * runtime/ArrayPrototype.cpp:
2308         (JSC::ArrayPrototype::finishCreation):
2309         (JSC::arrayProtoPrivateFuncIsJSArray):
2310         (JSC::moveElements):
2311         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2312         (JSC::arrayProtoPrivateFuncAppendMemcpy):
2313         (JSC::arrayProtoFuncConcat): Deleted.
2314         * runtime/ArrayPrototype.h:
2315         (JSC::ArrayPrototype::createStructure):
2316         * runtime/CommonIdentifiers.h:
2317         * runtime/Intrinsic.h:
2318         * runtime/JSArray.cpp:
2319         (JSC::JSArray::appendMemcpy):
2320         (JSC::JSArray::fastConcatWith): Deleted.
2321         * runtime/JSArray.h:
2322         (JSC::JSArray::createStructure):
2323         (JSC::JSArray::fastConcatType): Deleted.
2324         * runtime/JSArrayInlines.h: Added.
2325         (JSC::JSArray::memCopyWithIndexingType):
2326         (JSC::JSArray::canFastCopy):
2327         * runtime/JSGlobalObject.cpp:
2328         (JSC::JSGlobalObject::init):
2329         * runtime/JSType.h:
2330         * runtime/ObjectConstructor.h:
2331         (JSC::constructObject):
2332         * tests/es6.yaml:
2333         * tests/stress/array-concat-spread-object.js: Added.
2334         (arrayEq):
2335         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
2336         (arrayEq):
2337         * tests/stress/array-concat-spread-proxy.js: Added.
2338         (arrayEq):
2339         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
2340         (arrayEq):
2341         * tests/stress/array-species-config-array-constructor.js:
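
        The following is an added example written for this page, not code from WebKit or
        from this patch. It shows the observable Array.prototype.concat behaviour that
        Symbol.isConcatSpreadable introduces, including the user-visible lookups (Proxy get
        traps, a throwing getter) that an engine's memcpy fast path has to rule out before
        copying, which is what the proxy and proxy-exception-check stress tests above cover.
        It assumes only an ES2015-compliant engine such as node; all sample values are constructed.

```javascript
// Added example for this page (not WebKit/JavaScriptCore code): the observable
// Array.prototype.concat behaviour that Symbol.isConcatSpreadable introduces.
// Assumes only an ES2015-compliant engine (e.g. node). Sample values are constructed.

// Arrays are spread by default, so concat flattens one level.
function concatDefaultArray() {
  return [1, 2].concat([3, 4]); // [1, 2, 3, 4]
}

// Setting Symbol.isConcatSpreadable = false on an array keeps it as one element.
function concatUnspreadableArray() {
  const tail = [3, 4];
  tail[Symbol.isConcatSpreadable] = false;
  const result = [1, 2].concat(tail); // [1, 2, [3, 4]]
  return { length: result.length, lastIsArray: Array.isArray(result[2]) };
}

// A plain array-like object is not spread unless it opts in with the symbol.
function concatArrayLike(optIn) {
  const arrayLike = { length: 2, 0: 'a', 1: 'b' };
  if (optIn) arrayLike[Symbol.isConcatSpreadable] = true;
  return ['x'].concat(arrayLike); // optIn ? ['x', 'a', 'b'] : ['x', arrayLike]
}

// The spreadability lookup runs user code: a Proxy get trap sees the symbol read,
// then 'length' and each index. Any of these traps may throw or mutate state, which
// is why a memcpy fast path may only be taken for plain, unproxied arrays.
function concatProxyTrace() {
  const log = [];
  const proxy = new Proxy([7, 8], {
    get(target, key, receiver) {
      log.push(typeof key === 'symbol' ? key.toString() : String(key));
      return Reflect.get(target, key, receiver);
    },
  });
  const result = [].concat(proxy); // [7, 8]
  return { result, log };
}

// A throwing getter on the symbol propagates out of concat before any copy happens.
function concatThrowingGetter() {
  const hostile = Object.defineProperty([1], Symbol.isConcatSpreadable, {
    get() { throw new Error('observed'); },
  });
  try {
    [].concat(hostile);
    return 'no throw';
  } catch (e) {
    return e.message; // 'observed'
  }
}
```

        In concatProxyTrace the first key the trap sees is Symbol.isConcatSpreadable,
        followed by 'length' and the indices, so the order of user-visible reads matches
        the spec's IsConcatSpreadable step before the element walk.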
2342
2343 2016-04-12  Saam barati  <sbarati@apple.com>
2344
2345         Lets not iterate over the constant pool twice every time we link a code block
2346         https://bugs.webkit.org/show_bug.cgi?id=156517
2347
2348         Reviewed by Mark Lam.
2349
2350         I introduced a second iteration over the constant pool when I implemented
2351         block scoping. I did this because we must clone all the symbol tables when
2352         we link a CodeBlock. We can just do this cloning when setting the constant
2353         registers for the first time. There is no need to iterate over the constant
2354         pool a second time.
2355
2356         * bytecode/CodeBlock.cpp:
2357         (JSC::CodeBlock::finishCreation):
2358         (JSC::CodeBlock::~CodeBlock):
2359         (JSC::CodeBlock::setConstantRegisters):
2360         (JSC::CodeBlock::setAlternative):
2361         * bytecode/CodeBlock.h:
2362         (JSC::CodeBlock::replaceConstant):
2363         (JSC::CodeBlock::setConstantRegisters): Deleted.
2364
2365 2016-04-12  Mark Lam  <mark.lam@apple.com>
2366
2367         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
2368         https://bugs.webkit.org/show_bug.cgi?id=156013
2369
2370         Reviewed by Keith Miller.
2371
2372         * CMakeLists.txt:
2373         * JavaScriptCore.xcodeproj/project.pbxproj:
2374         * builtins/GlobalObject.js:
2375         (speciesConstructor):
2376         * builtins/PromisePrototype.js:
2377         - refactored to use the @speciesConstructor internal function.
2378
2379         * builtins/RegExpPrototype.js:
2380         (advanceStringIndex):
2381         - refactored from @advanceStringIndexUnicode() to match the spec.
2382           Benchmarks show that there's no advantage in doing the unicode check outside
2383           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
2384           spec (especially since @@split needs to call advanceStringIndex from more than
2385           1 location).
2386         (match):
2387         - Removed an unnecessary call to @Object because it was already proven above.
2388         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
2389           Again, there's no perf regression for this.
2390         (regExpExec):
2391         (hasObservableSideEffectsForRegExpSplit):
2392         (split):
2393         (advanceStringIndexUnicode): Deleted.
2394
2395         * builtins/StringPrototype.js:
2396         (split):
2397         - Modified to use RegExp.prototype[@@split].
2398
2399         * bytecode/BytecodeIntrinsicRegistry.cpp:
2400         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2401         (JSC::BytecodeIntrinsicRegistry::lookup):
2402         * bytecode/BytecodeIntrinsicRegistry.h:
2403         - Added the @@split symbol.
2404
2405         * runtime/CommonIdentifiers.h:
2406         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
2407         (JSC::esSpecIsConstructor):
2408         (JSC::esSpecIsRegExp):
2409         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
2410
2411         * runtime/JSGlobalObject.cpp:
2412         (JSC::getGetterById):
2413         (JSC::JSGlobalObject::init):
2414
2415         * runtime/PropertyDescriptor.cpp:
2416         (JSC::PropertyDescriptor::setDescriptor):
2417         - Removed an assert that is no longer valid.
2418
2419         * runtime/RegExpObject.h:
2420         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
2421           fast path.
2422
2423         * runtime/RegExpPrototype.cpp:
2424         (JSC::RegExpPrototype::finishCreation):
2425         (JSC::regExpProtoFuncExec):
2426         (JSC::regExpProtoFuncSearch):
2427         (JSC::advanceStringIndex):
2428         (JSC::regExpProtoFuncSplitFast):
2429         * runtime/RegExpPrototype.h:
2430
2431         * runtime/StringObject.h:
2432         (JSC::jsStringWithReuse):
2433         (JSC::jsSubstring):
2434         - Hoisted some utility functions from StringPrototype.cpp so that they can be
2435           reused by the regexp split fast path.
2436
2437         * runtime/StringPrototype.cpp:
2438         (JSC::StringPrototype::finishCreation):
2439         (JSC::stringProtoFuncSplitFast):
2440         (JSC::stringProtoFuncSubstr):
2441         (JSC::builtinStringSubstrInternal):
2442         (JSC::stringProtoFuncSubstring):
2443         (JSC::stringIncludesImpl):
2444         (JSC::stringProtoFuncIncludes):
2445         (JSC::builtinStringIncludesInternal):
2446         (JSC::jsStringWithReuse): Deleted.
2447         (JSC::jsSubstring): Deleted.
2448         (JSC::stringProtoFuncSplit): Deleted.
2449         * runtime/StringPrototype.h:
2450
2451         * tests/es6.yaml:
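
        The following is an added example written for this page, not code from WebKit or
        from this patch. It demonstrates the ES2015 split protocol the patch implements:
        String.prototype.split delegating to separator[Symbol.split], the unicode-aware
        index advance in RegExp.prototype[@@split], and the fact that a patched
        RegExp.prototype.exec is observable from split, which is the condition a native
        fast path (the hasObservableSideEffectsForRegExpSplit check above) must detect.
        CsvSplitter and the helper names are illustrative; it assumes only an
        ES2015-compliant engine such as node, and all inputs are constructed.

```javascript
// Added example for this page (not WebKit/JavaScriptCore code): the ES2015 split
// protocol. String.prototype.split first looks for separator[Symbol.split]; regex
// separators reach RegExp.prototype[Symbol.split].
// Assumes only an ES2015-compliant engine (e.g. node). Inputs are constructed.

// A user-defined separator: split() hands the string and limit to its Symbol.split.
// This one understands double-quoted fields, which a plain split(',') would cut.
class CsvSplitter {
  constructor(delim) { this.delim = delim; }
  [Symbol.split](str, limit) {
    const fields = [];
    let current = '';
    let quoted = false;
    for (const ch of str) {
      if (ch === '"') quoted = !quoted;
      else if (ch === this.delim && !quoted) { fields.push(current); current = ''; }
      else current += ch;
    }
    fields.push(current);
    return limit === undefined ? fields : fields.slice(0, limit);
  }
}

function splitCsvLine(line, limit) {
  return line.split(new CsvSplitter(','), limit); // 'a,"b,c",d' -> ['a', 'b,c', 'd']
}

// Calling RegExp.prototype[Symbol.split] directly is the same path 'str'.split(/re/)
// takes. With the u flag, the empty-match advance (AdvanceStringIndex) steps by code
// point, so surrogate pairs stay intact; without it, it steps by UTF-16 code unit.
function splitWithRegExpSymbol(str, re, limit) {
  return RegExp.prototype[Symbol.split].call(re, str, limit);
}

function splitSurrogates() {
  const s = '\u{1F600}\u{1F601}'; // two astral code points, four code units
  return {
    unicode: splitWithRegExpSymbol(s, /(?:)/u),   // 2 elements
    nonUnicode: splitWithRegExpSymbol(s, /(?:)/), // 4 elements
  };
}

// The spec split algorithm calls RegExpExec on a species-created sticky copy of the
// regex, which looks up exec dynamically. Patching RegExp.prototype.exec is therefore
// observable, and a native fast path is only valid when no such side effect can occur.
function splitObservesPatchedExec() {
  const originalExec = RegExp.prototype.exec;
  let execCalls = 0;
  RegExp.prototype.exec = function (s) {
    execCalls += 1;
    return originalExec.call(this, s);
  };
  try {
    const result = 'a,b'.split(/,/); // ['a', 'b']
    return { result, execCalls };
  } finally {
    RegExp.prototype.exec = originalExec; // always undo the monkey-patch
  }
}
```

        Restoring RegExp.prototype.exec in a finally block matters: leaving a patched exec
        in place silently disables every regexp fast path in the process, not only split.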
2452
2453 2016-04-12  Keith Miller  <keith_miller@apple.com>
2454
2455         AbstractValue should use the result type to filter structures
2456         https://bugs.webkit.org/show_bug.cgi?id=156516
2457
2458         Reviewed by Geoffrey Garen.
2459
2460         When filtering an AbstractValue with a SpeculatedType we would not use the merged type when
2461         filtering out the valid structures (despite what the comment directly above said). This
2462         would cause us to crash if our structure-set was Top and the two speculated types were
2463         different kinds of cells.
2464
2465         * dfg/DFGAbstractValue.cpp:
2466         (JSC::DFG::AbstractValue::filter):
2467         * tests/stress/ai-consistency-filter-cells.js: Added.
2468         (get value):
2469         (attribute.value.get record):
2470         (attribute.attrs.get this):
2471         (get foo):
2472         (let.thisValue.return.serialize):
2473         (let.thisValue.transformFor):
2474
2475 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
2476
2477         Unreviewed, remove FIXME for https://bugs.webkit.org/show_bug.cgi?id=156457 and replace it
2478         with a comment that describes what we do now.
2479
2480         * bytecode/PolymorphicAccess.h:
2481
2482 2016-04-12  Saam barati  <sbarati@apple.com>
2483
2484         isLocked() assertion broke builds because ConcurrentJITLock isn't always a real lock.
2485
2486         Rubber-stamped by Filip Pizlo.
2487
2488         * bytecode/CodeBlock.cpp:
2489         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2490         (JSC::CodeBlock::ensureResultProfile):
2491
2492 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
2493
2494         PolymorphicAccess should buffer AccessCases before regenerating
2495         https://bugs.webkit.org/show_bug.cgi?id=156457
2496
2497         Reviewed by Benjamin Poulain.
2498
2499         Prior to this change, whenever we added an AccessCase to a PolymorphicAccess, we would
2500         regenerate the whole stub. That meant that we'd do O(N^2) work for N access cases.
2501
2502         One way to fix this is to have each AccessCase generate a stub just for itself, which
2503         cascades down to the already-generated cases. But that removes the binary switch
2504         optimization, which makes the IC perform great even when there are many cases.
2505
2506         This change fixes the issue by buffering access cases. When we take slow path and try to add
2507         a new case, the StructureStubInfo will usually just buffer the new case without generating
2508         new code. We simply guarantee that after we buffer a case, we will take at most
2509         Options::repatchBufferingCountdown() slow path calls before generating code for it. That
2510         option is currently 7. Taking 7 more slow paths means that we have 7 more opportunities to
2511         gather more access cases, or to realize that this IC is too crazy to bother with.
2512
2513         This change ensures that the DFG still gets the same kind of profiling. This is because the
2514         buffered AccessCases are still part of PolymorphicAccess and so are still scanned by
2515         GetByIdStatus and PutByIdStatus. The fact that the AccessCases hadn't been generated and so
2516         hadn't executed doesn't change much. Mainly, it increases the likelihood that the DFG will
2517         see an access case that !couldStillSucceed(). The DFG's existing profile parsing logic can
2518         handle this just fine.
2519         
2520         There are a bunch of algorithmic changes here. StructureStubInfo now caches the set of
2521         structures that it has seen as a guard to prevent adding lots of redundant cases, in case
2522         we see the same 7 cases after buffering the first one. This cache means we won't wastefully
2523         allocate 7 identical AccessCase instances. PolymorphicAccess is now restructured around
2524         having separate addCase() and regenerate() calls. That means a bit more moving data around.
2525         So far that seems OK for performance, probably since it's O(N) work rather than O(N^2) work.
2526         There is room for improvement for future patches, to be sure.
2527         
2528         This is benchmarking as slightly positive or neutral on JS benchmarks. It's meant to reduce
2529         pathologies I saw in page loads.
2530
2531         * bytecode/GetByIdStatus.cpp:
2532         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2533         * bytecode/PolymorphicAccess.cpp:
2534         (JSC::PolymorphicAccess::PolymorphicAccess):
2535         (JSC::PolymorphicAccess::~PolymorphicAccess):
2536         (JSC::PolymorphicAccess::addCases):
2537         (JSC::PolymorphicAccess::addCase):
2538         (JSC::PolymorphicAccess::visitWeak):
2539         (JSC::PolymorphicAccess::dump):
2540         (JSC::PolymorphicAccess::commit):
2541         (JSC::PolymorphicAccess::regenerate):
2542         (JSC::PolymorphicAccess::aboutToDie):
2543         (WTF::printInternal):
2544         (JSC::PolymorphicAccess::regenerateWithCases): Deleted.
2545         (JSC::PolymorphicAccess::regenerateWithCase): Deleted.
2546         * bytecode/PolymorphicAccess.h:
2547         (JSC::AccessCase::isGetter):
2548         (JSC::AccessCase::callLinkInfo):
2549         (JSC::AccessGenerationResult::AccessGenerationResult):
2550         (JSC::AccessGenerationResult::madeNoChanges):
2551         (JSC::AccessGenerationResult::gaveUp):
2552         (JSC::AccessGenerationResult::buffered):
2553         (JSC::AccessGenerationResult::generatedNewCode):
2554         (JSC::AccessGenerationResult::generatedFinalCode):
2555         (JSC::AccessGenerationResult::shouldGiveUpNow):
2556         (JSC::AccessGenerationResult::generatedSomeCode):
2557         (JSC::PolymorphicAccess::isEmpty):
2558         (JSC::PolymorphicAccess::size):
2559         (JSC::PolymorphicAccess::at):
2560         * bytecode/PutByIdStatus.cpp:
2561         (JSC::PutByIdStatus::computeForStubInfo):
2562         * bytecode/StructureStubInfo.cpp:
2563         (JSC::StructureStubInfo::StructureStubInfo):
2564         (JSC::StructureStubInfo::addAccessCase):
2565         (JSC::StructureStubInfo::reset):
2566         (JSC::StructureStubInfo::visitWeakReferences):
2567         * bytecode/StructureStubInfo.h:
2568         (JSC::StructureStubInfo::considerCaching):
2569         (JSC::StructureStubInfo::willRepatch): Deleted.
2570         (JSC::StructureStubInfo::willCoolDown): Deleted.
2571         * jit/JITOperations.cpp:
2572         * jit/Repatch.cpp:
2573         (JSC::tryCacheGetByID):
2574         (JSC::repatchGetByID):
2575         (JSC::tryCachePutByID):
2576         (JSC::repatchPutByID):
2577         (JSC::tryRepatchIn):
2578         (JSC::repatchIn):
2579         * runtime/JSCJSValue.h:
2580         * runtime/JSCJSValueInlines.h:
2581         (JSC::JSValue::putByIndex):
2582         (JSC::JSValue::structureOrNull):
2583         (JSC::JSValue::structureOrUndefined):
2584         * runtime/Options.h:
2585
2586 2016-04-12  Saam barati  <sbarati@apple.com>
2587
2588         There is a race with the compiler thread and the main thread with result profiles
2589         https://bugs.webkit.org/show_bug.cgi?id=156503
2590
2591         Reviewed by Filip Pizlo.
2592
2593         The compiler thread should not be asking for a result
2594         profile while the execution thread is creating one.
2595         We must guard against such races with a lock.
2596
2597         * bytecode/CodeBlock.cpp:
2598         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2599         (JSC::CodeBlock::ensureResultProfile):
2600         (JSC::CodeBlock::capabilityLevel):
2601         * bytecode/CodeBlock.h:
2602         (JSC::CodeBlock::couldTakeSlowCase):
2603         (JSC::CodeBlock::numberOfResultProfiles):
2604         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
2605         (JSC::CodeBlock::ensureResultProfile): Deleted.
2606
2607 2016-04-12  Commit Queue  <commit-queue@webkit.org>
2608
2609         Unreviewed, rolling out r199339.
2610         https://bugs.webkit.org/show_bug.cgi?id=156505
2611
2612         memset_s is indeed necessary (Requested by alexchristensen_ on
2613         #webkit).
2614
2615         Reverted changeset:
2616
2617         "Build fix after r199299."
2618         https://bugs.webkit.org/show_bug.cgi?id=155508
2619         http://trac.webkit.org/changeset/199339
2620
2621 2016-04-12  Guillaume Emont  <guijemont@igalia.com>
2622
2623         MIPS: add MacroAssemblerMIPS::store8(TrustedImm32,ImplicitAddress)
2624         https://bugs.webkit.org/show_bug.cgi?id=156481
2625
2626         This method with this signature is used by r199075, and therefore
2627         WebKit doesn't build on MIPS since then.
2628
2629         Reviewed by Mark Lam.
2630
2631         * assembler/MacroAssemblerMIPS.h:
2632         (JSC::MacroAssemblerMIPS::store8):
2633
2634 2016-04-12  Saam barati  <sbarati@apple.com>
2635
2636         We incorrectly parse arrow function expressions
2637         https://bugs.webkit.org/show_bug.cgi?id=156373
2638
2639         Reviewed by Mark Lam.
2640
2641         This patch removes the notion of "isEndOfArrowFunction".
2642         This was a very weird function and it was incorrect.
2643         It checked that the arrow functions with concise body
2644         grammar production "had a valid ending". "had a valid
2645         ending" is in quotes because concise body arrow functions
2646         have a valid ending as long as their body has a valid
2647         assignment expression. I've removed all notion of this
2648         function because it was wrong and was causing us
2649         to throw syntax errors on valid programs.
2650
2651         * parser/Lexer.cpp:
2652         (JSC::Lexer<T>::nextTokenIsColon):
2653         (JSC::Lexer<T>::lex):
2654         (JSC::Lexer<T>::setTokenPosition): Deleted.
2655         * parser/Lexer.h:
2656         (JSC::Lexer::setIsReparsingFunction):
2657         (JSC::Lexer::isReparsingFunction):
2658         (JSC::Lexer::lineNumber):
2659         * parser/Parser.cpp:
2660         (JSC::Parser<LexerType>::parseInner):
2661         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2662         (JSC::Parser<LexerType>::parseFunctionInfo):
2663         * parser/Parser.h:
2664         (JSC::Parser::matchIdentifierOrKeyword):
2665         (JSC::Parser::tokenStart):
2666         (JSC::Parser::autoSemiColon):
2667         (JSC::Parser::canRecurse):
2668         (JSC::Parser::isEndOfArrowFunction): Deleted.
2669         (JSC::Parser::setEndOfStatement): Deleted.
2670         * tests/stress/arrowfunction-others.js:
2671         (testCase):
2672         (simpleArrowFunction):
2673         (truthy):
2674         (falsey):
2675
2676 2016-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2677
2678         [JSC] addStaticGlobals should emit SymbolTableEntry watchpoints to encourage constant folding in DFG
2679         https://bugs.webkit.org/show_bug.cgi?id=155110
2680
2681         Reviewed by Saam Barati.
2682
2683         `addStaticGlobals` does not emit SymbolTableEntry watchpoints for the added entries.
2684         So, all the global variable lookups pointing to these static globals are not converted
2685         into constants in DFGBytecodeGenerator: this fact leaves these lookups as GetGlobalVar.
2686         This prevents constant folding and emits CheckCell for @privateFunction inlining.
2687         This operation is pure overhead.
2688
2689         Static globals are not configurable, and they are typically non-writable.
2690         So they are constants in almost all the cases.
2691
2692         This patch initializes watchpoints for these static globals.
2693         These watchpoints allow DFG to convert these nodes into constants in DFG BytecodeParser.
2694         These watchpoints include many builtin operations and `undefined`.
2695
2696         The microbenchmark, many-foreach-calls shows 5 - 7% improvement since it removes unnecessary CheckCell.
2697
2698         * bytecode/VariableWriteFireDetail.h:
2699         * runtime/JSGlobalObject.cpp:
2700         (JSC::JSGlobalObject::addGlobalVar):
2701         (JSC::JSGlobalObject::addStaticGlobals):
2702         * runtime/JSSymbolTableObject.h:
2703         (JSC::symbolTablePutTouchWatchpointSet):
2704         (JSC::symbolTablePutInvalidateWatchpointSet):
2705         (JSC::symbolTablePut):
2706         (JSC::symbolTablePutWithAttributesTouchWatchpointSet): Deleted.
2707         * runtime/SymbolTable.h:
2708         (JSC::SymbolTableEntry::SymbolTableEntry):
2709         (JSC::SymbolTableEntry::operator=):
2710         (JSC::SymbolTableEntry::swap):
2711
2712 2016-04-12  Alex Christensen  <achristensen@webkit.org>
2713
2714         Build fix after r199299.
2715         https://bugs.webkit.org/show_bug.cgi?id=155508
2716
2717         * jit/ExecutableAllocatorFixedVMPool.cpp:
2718         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2719         memset_s is not defined.  __STDC_WANT_LIB_EXT1__ is not defined anywhere.
2720         Since the return value is unused and set_constraint_handler_s is never called
2721         I'm changing it to memset.
2722
2723 2016-04-11  Benjamin Poulain  <bpoulain@apple.com>
2724
2725         [JSC] B3 can use undefined bits or not defined required bits when spilling
2726         https://bugs.webkit.org/show_bug.cgi?id=156486
2727
2728         Reviewed by Filip Pizlo.
2729
2730         Spilling had issues when replacing arguments in place.
2731
2732         The problems are:
2733         1) If we have a 32bit stackslot, a x86 instruction could still try to load 64bits from it.
2734         2) If we have a 64bit stackslot, Move32 would only set half the bits.
2735         3) We were reducing Move to Move32 even if the top bits are read from the stack slot.
2736
2737         Case 1 appears with something like this:
2738             Move32 %tmp0, %tmp1
2739             Op64 %tmp1, %tmp2, %tmp3
2740         When we spill %tmp1, the stack slot is 32bit, Move32 sets 32bits
2741         but Op64 supports addressing for %tmp1. When we substitute %tmp1 in Op64,
2742         we are creating a 64bit read for a 32bit stack slot.
2743
2744         Case 2 is another common one. If we have:
2745             BB#1
2746                 Move32 %tmp0, %tmp1
2747                 Jump #3
2748             BB#2
2749                 Op64 %tmp0, %tmp1
2750                 Jump #3
2751             BB#3
2752                 Use64 %tmp1
2753
2754         We have a stack slot of 64bits. When spilling %tmp1 in #1, we are
2755         effectively doing a 32bit store on the stack slot, leaving the top bits undefined.
2756
2757         Case 3 is pretty much the same as 2 but we create the Move32 ourself
2758         because the source is a 32bit with ZDef.
2759
2760         Case (1) is solved by requiring that the stack slot is at least as large as the largest
2761         use/def of that tmp.
2762
2763         Case (2) and (3) are solved by not replacing a Tmp by an Address if the Def
2764         is smaller than the stack slot.
2765
2766         * b3/air/AirIteratedRegisterCoalescing.cpp:
2767         * b3/testb3.cpp:
2768         (JSC::B3::testSpillDefSmallerThanUse):
2769         (JSC::B3::testSpillUseLargerThanDef):
2770         (JSC::B3::run):
2771
2772 2016-04-11  Brian Burg  <bburg@apple.com>
2773
2774         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
2775         https://bugs.webkit.org/show_bug.cgi?id=156407
2776         <rdar://problem/25627659>
2777
2778         Reviewed by Joseph Pecoraro.
2779
2780         There's no point having these subclasses as they don't save any space.
2781         Add a StringImpl to the union and merge some implementations of writeJSON.
2782
2783         Rename m_data to m_map and explicitly name the union as InspectorValue::m_value.
2784         If the value is a string and the string is not empty or null (i.e., it has a
2785         StringImpl), then we need to ref() and deref() the string as the InspectorValue
2786         is created or destroyed.
2787
2788         Move uses of the subclass to InspectorValue and delete redundant methods.
2789         Now, most InspectorValue methods are non-virtual so they can be templated.
2790
2791         * bindings/ScriptValue.cpp:
2792         (Deprecated::jsToInspectorValue):
2793         * inspector/InjectedScriptBase.cpp:
2794         (Inspector::InjectedScriptBase::makeCall):
2795         Don't use deleted subclasses.
2796
2797         * inspector/InspectorValues.cpp:
2798         (Inspector::InspectorValue::null):
2799         (Inspector::InspectorValue::create):
2800         (Inspector::InspectorValue::asValue):
2801         (Inspector::InspectorValue::asBoolean):
2802         (Inspector::InspectorValue::asDouble):
2803         (Inspector::InspectorValue::asInteger):
2804         (Inspector::InspectorValue::asString):
2805         These only need one implementation now.
2806
2807         (Inspector::InspectorValue::writeJSON):
2808         Still a virtual method since Object and Array need their members.
2809
2810         (Inspector::InspectorObjectBase::InspectorObjectBase):
2811         (Inspector::InspectorBasicValue::asBoolean): Deleted.
2812         (Inspector::InspectorBasicValue::asDouble): Deleted.
2813         (Inspector::InspectorBasicValue::asInteger): Deleted.
2814         (Inspector::InspectorBasicValue::writeJSON): Deleted.
2815         (Inspector::InspectorString::asString): Deleted.
2816         (Inspector::InspectorString::writeJSON): Deleted.
2817         (Inspector::InspectorString::create): Deleted.
2818         (Inspector::InspectorBasicValue::create): Deleted.
2819
2820         * inspector/InspectorValues.h:
2821         (Inspector::InspectorObjectBase::find):
2822         (Inspector::InspectorObjectBase::setBoolean):
2823         (Inspector::InspectorObjectBase::setInteger):
2824         (Inspector::InspectorObjectBase::setDouble):
2825         (Inspector::InspectorObjectBase::setString):
2826         (Inspector::InspectorObjectBase::setValue):
2827         (Inspector::InspectorObjectBase::setObject):
2828         (Inspector::InspectorObjectBase::setArray):
2829         (Inspector::InspectorArrayBase::pushBoolean):
2830         (Inspector::InspectorArrayBase::pushInteger):
2831         (Inspector::InspectorArrayBase::pushDouble):
2832         (Inspector::InspectorArrayBase::pushString):
2833         (Inspector::InspectorArrayBase::pushValue):
2834         (Inspector::InspectorArrayBase::pushObject):
2835         (Inspector::InspectorArrayBase::pushArray):
2836         Use new factory methods.
2837
2838         * replay/EncodedValue.cpp:
2839         (JSC::ScalarEncodingTraits<bool>::encodeValue):
2840         (JSC::ScalarEncodingTraits<double>::encodeValue):
2841         (JSC::ScalarEncodingTraits<float>::encodeValue):
2842         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
2843         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
2844         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
2845         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
2846         * replay/EncodedValue.h:
2847         Use new factory methods.
2848
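The entry above turns on the detail that a string payload living in a union has to be ref()'d and deref()'d by hand as the value is created, copied and destroyed (the first landing of this change was rolled out for leaking). The following is an added illustration, not WebKit code: a small tagged-union value type whose string payload is an intrusively refcounted object. `RefCountedString` is a hypothetical stand-in for WTF::StringImpl, `Value` for InspectorValue, and the `liveInstances` counter exists only so a test can tell whether every ref() was matched by a deref().

```cpp
#include <cstdio>
#include <string>
#include <utility>

// Hypothetical stand-in for WTF::StringImpl (constructed for this example).
struct RefCountedString {
    static unsigned liveInstances; // lets a test detect leaks or double frees
    std::string chars;
    unsigned refCount = 1;

    explicit RefCountedString(std::string s) : chars(std::move(s)) { ++liveInstances; }
    ~RefCountedString() { --liveInstances; }
    void ref() { ++refCount; }
    void deref() { if (!--refCount) delete this; }
};
unsigned RefCountedString::liveInstances = 0;

// Tagged union: the payload is plain data except when the type is String,
// in which case it is a pointer we own one reference to (or null for "").
class Value {
public:
    enum class Type { Null, Boolean, Double, String };

    Value() = default;
    static Value create(bool b) { Value v; v.m_type = Type::Boolean; v.m_value.boolean = b; return v; }
    static Value create(double d) { Value v; v.m_type = Type::Double; v.m_value.number = d; return v; }
    // Empty strings carry no payload: exactly the case where there is nothing to ref().
    // Pass a std::string explicitly; a bare literal would prefer the bool overload.
    static Value create(const std::string& s)
    {
        Value v;
        v.m_type = Type::String;
        v.m_value.string = s.empty() ? nullptr : new RefCountedString(s);
        return v;
    }

    Value(const Value& other) : m_type(other.m_type), m_value(other.m_value) { retain(); }
    Value(Value&& other) noexcept : m_type(other.m_type), m_value(other.m_value) { other.m_type = Type::Null; }
    // Copy-and-swap: `other` already holds its own reference; the old payload is
    // released when `other` goes out of scope.
    Value& operator=(Value other) { std::swap(m_type, other.m_type); std::swap(m_value, other.m_value); return *this; }
    ~Value() { release(); }

    Type type() const { return m_type; }
    bool asBoolean() const { return m_type == Type::Boolean && m_value.boolean; }
    std::string asString() const { return (m_type == Type::String && m_value.string) ? m_value.string->chars : std::string(); }

    // One writeJSON for every scalar kind; only quotes and backslashes are escaped here.
    std::string writeJSON() const
    {
        switch (m_type) {
        case Type::Null: return "null";
        case Type::Boolean: return m_value.boolean ? "true" : "false";
        case Type::Double: { char buf[32]; std::snprintf(buf, sizeof buf, "%g", m_value.number); return buf; }
        case Type::String: return "\"" + escape(asString()) + "\"";
        }
        return "null";
    }

private:
    union Payload { bool boolean; double number; RefCountedString* string; };
    void retain() { if (m_type == Type::String && m_value.string) m_value.string->ref(); }
    void release() { if (m_type == Type::String && m_value.string) m_value.string->deref(); }
    static std::string escape(const std::string& s)
    {
        std::string out;
        for (char c : s) {
            if (c == '"' || c == '\\') out += '\\';
            out += c;
        }
        return out;
    }
    Type m_type = Type::Null;
    Payload m_value{};
};

// Copies share one payload; when the last copy dies the string is freed exactly once.
unsigned liveStringsAfterCopies()
{
    {
        Value a = Value::create(std::string("hello"));
        Value b = a;                    // ref()
        Value c = Value::create(true);
        c = b;                          // bool payload dropped, string ref()'d again
        (void)c;
    }
    return RefCountedString::liveInstances; // 0 when every ref() met a deref()
}

int main()
{
    std::printf("%s %s live=%u\n", Value::create(std::string("a\"b")).writeJSON().c_str(),
        Value::create(true).writeJSON().c_str(), liveStringsAfterCopies());
    return liveStringsAfterCopies() == 0 ? 0 : 1;
}
```

The copy constructor and the destructor are the only places that touch the refcount, and both check the tag before dereferencing the pointer; dropping either check is how a value type like this turns into a leak or a use-after-free.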
2849 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
2850
2851         It should be possible to edit StructureStubInfo without recompiling the world
2852         https://bugs.webkit.org/show_bug.cgi?id=156470
2853
2854         Reviewed by Keith Miller.
2855
2856         This change makes it less painful to make changes to the IC code. It used to be that any
2857         change to StructureStubInfo caused every JIT-related file to get recompiled. Now only a
2858         smaller set of files - ones that actually peek into StructureStubInfo - will recompile. This
2859         is mainly because CodeBlock.h no longer includes StructureStubInfo.h.
2860
2861         * bytecode/ByValInfo.h:
2862         * bytecode/CodeBlock.cpp:
2863         * bytecode/CodeBlock.h:
2864         * bytecode/GetByIdStatus.cpp:
2865         * bytecode/GetByIdStatus.h:
2866         * bytecode/PutByIdStatus.cpp:
2867         * bytecode/PutByIdStatus.h:
2868         * bytecode/StructureStubInfo.h:
2869         (JSC::getStructureStubInfoCodeOrigin):
2870         * dfg/DFGByteCodeParser.cpp:
2871         * dfg/DFGJITCompiler.cpp:
2872         * dfg/DFGOSRExitCompilerCommon.cpp:
2873         * dfg/DFGSpeculativeJIT.h:
2874         * ftl/FTLLowerDFGToB3.cpp:
2875         * ftl/FTLSlowPathCall.h:
2876         * jit/IntrinsicEmitter.cpp:
2877         * jit/JITInlineCacheGenerator.cpp:
2878         * jit/JITInlineCacheGenerator.h:
2879         * jit/JITOperations.cpp:
2880         * jit/JITPropertyAccess.cpp:
2881         * jit/JITPropertyAccess32_64.cpp:
2882
2883 2016-04-11  Skachkov Oleksandr  <gskachkov@gmail.com>
2884
2885         Remove NewArrowFunction from DFG IR
2886         https://bugs.webkit.org/show_bug.cgi?id=156439
2887
2888         Reviewed by Saam Barati.
2889
2890         It seems that NewArrowFunction was left in DFG IR during refactoring by mistake.
2891
2892         * dfg/DFGAbstractInterpreterInlines.h:
2893         * dfg/DFGClobberize.h:
2894         (JSC::DFG::clobberize):
2895         * dfg/DFGClobbersExitState.cpp:
2896         * dfg/DFGDoesGC.cpp:
2897         * dfg/DFGFixupPhase.cpp:
2898         * dfg/DFGMayExit.cpp:
2899         * dfg/DFGNode.h:
2900         (JSC::DFG::Node::convertToPhantomNewFunction):
2901         * dfg/DFGNodeType.h:
2902         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2903         * dfg/DFGPredictionPropagationPhase.cpp:
2904         * dfg/DFGSafeToExecute.h:
2905         * dfg/DFGSpeculativeJIT.cpp:
2906         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2907         * dfg/DFGSpeculativeJIT32_64.cpp:
2908         * dfg/DFGSpeculativeJIT64.cpp:
2909         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2910         * dfg/DFGStructureRegistrationPhase.cpp:
2911         * ftl/FTLCapabilities.cpp:
2912         * ftl/FTLLowerDFGToB3.cpp:
2913         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2914
2915 2016-04-05  Oliver Hunt  <oliver@apple.com>
2916
2917         Remove compile time define for SEPARATED_HEAP
2918         https://bugs.webkit.org/show_bug.cgi?id=155508
2919
2920         Reviewed by Mark Lam.
2921
2922         Remove the SEPARATED_HEAP compile time flag. The separated
2923         heap is available, but off by default, on x86_64, ARMv7, and
2924         ARM64.
2925
2926         Working through the issues that happened last time essentially
2927         required implementing the ARMv7 path for the separated heap
2928         just so I could find all the ways it was going wrong.
2929
2930         We fixed all the logic by making the branch and jump logic in
2931         the linker and assemblers take two parameters, the location to
2932         write to, and the location we'll actually be writing to. We
2933         need to do this because it's no longer sufficient to compute
2934         jumps relative to the region the linker is writing to.
2935
2936         The repatching jump, branch, and call functions only need the
2937         executable address as the patching is performed directly using
2938         the performJITMemcpy function, which works in terms of the
2939         executable address.
2940
2941         There is no performance impact on jsc-benchmarks with the separated
2942         heap either enabled or disabled.
2943
2944         * Configurations/FeatureDefines.xcconfig:
2945         * assembler/ARM64Assembler.h:
2946         (JSC::ARM64Assembler::linkJump):
2947         (JSC::ARM64Assembler::linkCall):
2948         (JSC::ARM64Assembler::relinkJump):
2949         (JSC::ARM64Assembler::relinkCall):
2950         (JSC::ARM64Assembler::link):
2951         (JSC::ARM64Assembler::linkJumpOrCall):
2952         (JSC::ARM64Assembler::linkCompareAndBranch):
2953         (JSC::ARM64Assembler::linkConditionalBranch):
2954         (JSC::ARM64Assembler::linkTestAndBranch):
2955         (JSC::ARM64Assembler::relinkJumpOrCall):
2956         * assembler/ARMv7Assembler.h:
2957         (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
2958         (JSC::ARMv7Assembler::revertJumpTo_movT3):
2959         (JSC::ARMv7Assembler::link):
2960         (JSC::ARMv7Assembler::linkJump):
2961         (JSC::ARMv7Assembler::relinkJump):
2962         (JSC::ARMv7Assembler::repatchCompact):
2963         (JSC::ARMv7Assembler::replaceWithJump):
2964         (JSC::ARMv7Assembler::replaceWithLoad):
2965         (JSC::ARMv7Assembler::replaceWithAddressComputation):
2966         (JSC::ARMv7Assembler::setInt32):
2967         (JSC::ARMv7Assembler::setUInt7ForLoad):
2968         (JSC::ARMv7Assembler::isB):
2969         (JSC::ARMv7Assembler::isBX):
2970         (JSC::ARMv7Assembler::isMOV_imm_T3):
2971         (JSC::ARMv7Assembler::isMOVT):
2972         (JSC::ARMv7Assembler::isNOP_T1):
2973         (JSC::ARMv7Assembler::isNOP_T2):
2974         (JSC::ARMv7Assembler::linkJumpT1):
2975         (JSC::ARMv7Assembler::linkJumpT2):
2976         (JSC::ARMv7Assembler::linkJumpT3):
2977         (JSC::ARMv7Assembler::linkJumpT4):
2978         (JSC::ARMv7Assembler::linkConditionalJumpT4):
2979         (JSC::ARMv7Assembler::linkBX):
2980         (JSC::ARMv7Assembler::linkConditionalBX):
2981         (JSC::ARMv7Assembler::linkJumpAbsolute):
2982         * assembler/LinkBuffer.cpp:
2983         (JSC::LinkBuffer::copyCompactAndLinkCode):
2984         * assembler/MacroAssemblerARM64.h:
2985         (JSC::MacroAssemblerARM64::link):
2986         * assembler/MacroAssemblerARMv7.h:
2987         (JSC::MacroAssemblerARMv7::link):
2988         * jit/ExecutableAllocator.h:
2989         (JSC::performJITMemcpy):
2990         * jit/ExecutableAllocatorFixedVMPool.cpp:
2991         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2992         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2993         (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
2994         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted.
2995         * runtime/Options.cpp:
2996         (JSC::recomputeDependentOptions):
2997         * runtime/Options.h:
2998
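The point of the two-address linker API in the entry above is easy to get wrong, so here is an added illustration (not WebKit code) of what goes wrong when a JIT region is mapped twice and the linker computes a PC-relative branch against the writable alias instead of the executable one. The region bases, the out-of-region slow-path thunk address and the x86-64 `jmp rel32` encoding are constructed for this example; the bytes are written into a plain vector rather than a real RW mapping.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical addresses (constructed for this illustration): a JIT region that
// is mapped twice, once writable (RW alias, which the linker writes through) and
// once executable (RX alias, which the CPU fetches from), plus a slow-path thunk
// that lives outside the region.
static const uint64_t kWritableBase   = 0x6F0000000ull;
static const uint64_t kExecutableBase = 0x700000000ull;
static const uint64_t kSlowPathThunk  = 0x700100000ull;

static const uint64_t kJmpRel32Length = 5; // x86-64 `E9 rel32`

// Emit `jmp rel32` at `where` (a pointer into the RW alias) so that the jump
// reaches `target` when the instruction executes at `insnExecutableAddress`.
// The two locations are passed separately, mirroring the entry's point: where we
// write and where the code will actually run are no longer the same place.
static bool linkJump(uint8_t* where, uint64_t insnExecutableAddress, uint64_t target)
{
    int64_t disp = static_cast<int64_t>(target)
        - static_cast<int64_t>(insnExecutableAddress + kJmpRel32Length);
    if (disp < INT32_MIN || disp > INT32_MAX)
        return false; // rel32 cannot reach; a real linker would fall back to an indirect jump
    int32_t rel32 = static_cast<int32_t>(disp);
    where[0] = 0xE9;
    std::memcpy(where + 1, &rel32, sizeof rel32);
    return true;
}

// Resolve the jump the way the CPU does: relative to the executable address.
static uint64_t decodeJumpTarget(const uint8_t* insn, uint64_t insnExecutableAddress)
{
    int32_t rel32;
    std::memcpy(&rel32, insn + 1, sizeof rel32);
    return insnExecutableAddress + kJmpRel32Length + static_cast<int64_t>(rel32);
}

// Link a jump at offset 0 of the region to the thunk and report where it lands.
// Passing false reproduces the mistake the entry describes: computing the
// displacement relative to the address the linker is writing to.
uint64_t linkedTarget(bool linkAgainstExecutableAlias)
{
    std::vector<uint8_t> region(16, 0xCC); // stand-in for the RW mapping's bytes
    const uint64_t insnOffset = 0;
    const uint64_t insnExecutable = kExecutableBase + insnOffset;
    const uint64_t insnWritable = kWritableBase + insnOffset;

    uint64_t pcSeenByLinker = linkAgainstExecutableAlias ? insnExecutable : insnWritable;
    if (!linkJump(region.data() + insnOffset, pcSeenByLinker, kSlowPathThunk))
        return 0;
    return decodeJumpTarget(region.data() + insnOffset, insnExecutable);
}

int main()
{
    uint64_t good = linkedTarget(true);
    uint64_t bad = linkedTarget(false);
    std::printf("linked against RX alias: 0x%llx (thunk at 0x%llx)\n",
        (unsigned long long)good, (unsigned long long)kSlowPathThunk);
    std::printf("linked against RW alias: 0x%llx (off by 0x%llx)\n",
        (unsigned long long)bad, (unsigned long long)(bad - kSlowPathThunk));
    return good == kSlowPathThunk && bad != kSlowPathThunk ? 0 : 1;
}
```

Jumps whose target sits inside the same region come out right either way, because the distance between two offsets is the same through both aliases; it is branches to anything outside the region (thunks, runtime functions, other code blocks) that land off by exactly the distance between the two mappings, which is why the linker and assembler entry points in this change take both the write location and the executable location.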
2999 2016-04-10  Filip Pizlo  <fpizlo@apple.com>
3000
3001         Clean up how we reason about the states of AccessCases
3002         https://bugs.webkit.org/show_bug.cgi?id=156454
3003
3004         Reviewed by Mark Lam.
3005         
3006         Currently when we add an AccessCase to a PolymorphicAccess stub, we regenerate the stub.
3007         That means that as we grow a stub to have N cases, we will do O(N^2) generation work. I want
3008         to explore buffering AccessCases so that we can do O(N) generation work instead. But
3009         before I go there, I want to make sure that the statefulness of AccessCase makes sense. So,
3010         I broke it down into three different states and added assertions about the transitions. I
3011         also broke out a separate operation called AccessCase::commit(), which is the work that
3012         cannot be buffered since there cannot be any JS effects between when the AccessCase was
3013         created and when we do the work in commit().
3014         
3015         This opens up a fairly obvious path to buffering AccessCases: add them to the list without
3016         regenerating. Then when we do eventually trigger regeneration, those cases will get cloned
3017         and generated automagically. This patch doesn't implement this technique yet, but gives us
3018         an opportunity to independently test the scaffolding necessary to do it.
3019
3020         This is perf-neutral on lots of tests.
3021
3022         * bytecode/PolymorphicAccess.cpp:
3023         (JSC::AccessGenerationResult::dump):
3024         (JSC::AccessCase::clone):
3025         (JSC::AccessCase::commit):
3026         (JSC::AccessCase::guardedByStructureCheck):
3027         (JSC::AccessCase::dump):
3028         (JSC::AccessCase::generateWithGuard):
3029         (JSC::AccessCase::generate):
3030         (JSC::AccessCase::generateImpl):
3031         (JSC::PolymorphicAccess::regenerateWithCases):
3032         (JSC::PolymorphicAccess::regenerate):
3033         (WTF::printInternal):
3034         * bytecode/PolymorphicAccess.h:
3035         (JSC::AccessCase::type):
3036         (JSC::AccessCase::state):
3037         (JSC::AccessCase::offset):
3038         (JSC::AccessCase::viaProxy):
3039         (JSC::AccessCase::callLinkInfo):
3040         * bytecode/StructureStubInfo.cpp:
3041         (JSC::StructureStubInfo::addAccessCase):
3042         * bytecode/Watchpoint.h:
3043         * dfg/DFGOperations.cpp:
3044         * jit/Repatch.cpp:
3045         (JSC::repatchGetByID):
3046         (JSC::repatchPutByID):
3047         (JSC::repatchIn):
3048         * runtime/VM.cpp:
3049         (JSC::VM::dumpRegExpTrace):
3050         (JSC::VM::ensureWatchpointSetForImpureProperty):
3051         (JSC::VM::registerWatchpointForImpureProperty):
3052         (JSC::VM::addImpureProperty):
3053         * runtime/VM.h:
3054
3055 2016-04-11  Fujii Hironori  <Hironori.Fujii@jp.sony.com>
3056
3057         [CMake] Make FOLDER property INHERITED
3058         https://bugs.webkit.org/show_bug.cgi?id=156460
3059
3060         Reviewed by Brent Fulgham.
3061
3062         * CMakeLists.txt:
3063         * shell/CMakeLists.txt:
3064         * shell/PlatformWin.cmake:
3065         Set FOLDER property as a directory property not a target property
3066
3067 2016-04-09  Keith Miller  <keith_miller@apple.com>
3068
3069         tryGetById should be supported by the DFG/FTL
3070         https://bugs.webkit.org/show_bug.cgi?id=156378
3071
3072         Reviewed by Filip Pizlo.
3073
3074         This patch adds support for tryGetById in the DFG/FTL. It adds a new DFG node
3075         TryGetById, which acts similarly to the normal GetById DFG node. One key
3076         difference between GetById and TryGetById is that in the LLInt and Baseline
3077         we do not profile the result type. This profiling is unnecessary for the current
3078         use case of tryGetById, which is expected to be a strict equality comparison
3079         against a specific object or undefined. In either case other DFG optimizations
3080         will make this equally fast with or without the profiling information.
3081
3082         Additionally, this patch adds new reuse modes for JSValueRegsTemporary that take
3083         an operand and attempt to reuse the registers for that operand if they are free
3084         after the current DFG node.
3085
3086         * bytecode/GetByIdStatus.cpp:
3087         (JSC::GetByIdStatus::computeFromLLInt):
3088         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3089         * dfg/DFGAbstractInterpreterInlines.h:
3090         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3091         * dfg/DFGByteCodeParser.cpp:
3092         (JSC::DFG::ByteCodeParser::handleGetById):
3093         (JSC::DFG::ByteCodeParser::parseBlock):
3094         * dfg/DFGCapabilities.cpp:
3095         (JSC::DFG::capabilityLevel):
3096         * dfg/DFGClobberize.h:
3097         (JSC::DFG::clobberize):
3098         * dfg/DFGDoesGC.cpp:
3099         (JSC::DFG::doesGC):
3100         * dfg/DFGFixupPhase.cpp:
3101         (JSC::DFG::FixupPhase::fixupNode):
3102         * dfg/DFGNode.h:
3103         (JSC::DFG::Node::hasIdentifier):
3104         * dfg/DFGNodeType.h:
3105         * dfg/DFGPredictionPropagationPhase.cpp:
3106         (JSC::DFG::PredictionPropagationPhase::propagate):
3107         * dfg/DFGSafeToExecute.h:
3108         (JSC::DFG::safeToExecute):
3109         * dfg/DFGSpeculativeJIT.cpp:
3110         (JSC::DFG::SpeculativeJIT::compileTryGetById):
3111         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
3112         * dfg/DFGSpeculativeJIT.h:
3113         (JSC::DFG::GPRTemporary::operator=):
3114         * dfg/DFGSpeculativeJIT32_64.cpp:
3115         (JSC::DFG::SpeculativeJIT::cachedGetById):
3116         (JSC::DFG::SpeculativeJIT::compile):
3117         * dfg/DFGSpeculativeJIT64.cpp:
3118         (JSC::DFG::SpeculativeJIT::cachedGetById):
3119         (JSC::DFG::SpeculativeJIT::compile):
3120         * ftl/FTLCapabilities.cpp:
3121         (JSC::FTL::canCompile):
3122         * ftl/FTLLowerDFGToB3.cpp:
3123         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3124         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
3125         (JSC::FTL::DFG::LowerDFGToB3::getById):
3126         * jit/JITOperations.cpp:
3127         * jit/JITOperations.h:
3128         * tests/stress/try-get-by-id.js:
3129         (tryGetByIdTextStrict):
3130         (get let):
3131         (let.get createBuiltin):
3132         (get throw):
3133         (getCaller.obj.1.throw.new.Error): Deleted.
3134
3135 2016-04-09  Saam barati  <sbarati@apple.com>
3136
3137         Allocation sinking SSA Defs are allowed to have replacements
3138         https://bugs.webkit.org/show_bug.cgi?id=156444
3139
3140         Reviewed by Filip Pizlo.
3141
3142         Consider the following program and the annotations that explain why
3143         the SSA defs we create in allocation sinking can have replacements.
3144
3145         function foo(a1) {
3146             let o1 = {x: 20, y: 50};
3147             let o2 = {y: 40, o1: o1};
3148             let o3 = {};
3149         
3150             // We're Defing a new variable here, call it o3_field.
3151             // o3_field is defing the value that is the result of 
3152             // a GetByOffset that gets eliminated through allocation sinking.
3153             o3.field = o1.y;
3154         
3155             dontCSE();
3156         
3157             // This control flow is here to not allow the phase to consult
3158             // its local SSA mapping (which properly handles replacements)
3159             // for the value of o3_field.
3160             if (a1) {
3161                 a1 = true; 
3162             } else {
3163                 a1 = false;
3164             }
3165         
3166             // Here, we ask for the reaching def of o3_field, and assert
3167             // it doesn't have a replacement. It does have a replacement
3168             // though. The original Def was the GetByOffset. We replaced
3169             // that GetByOffset with the value of the o1_y variable.
3170             let value = o3.field;
3171             assert(value === 50);
3172         }
3173
3174         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3175         * tests/stress/allocation-sinking-defs-may-have-replacements.js: Added.
3176         (dontCSE):
3177         (assert):
3178         (foo):
3179
3180 2016-04-09  Commit Queue  <commit-queue@webkit.org>
3181
3182         Unreviewed, rolling out r199242.
3183         https://bugs.webkit.org/show_bug.cgi?id=156442
3184
3185         Caused many many leaks (Requested by ap on #webkit).
3186
3187         Reverted changeset:
3188
3189         "Web Inspector: get rid of InspectorBasicValue and
3190         InspectorString subclasses"
3191         https://bugs.webkit.org/show_bug.cgi?id=156407
3192         http://trac.webkit.org/changeset/199242
3193
3194 2016-04-09  Filip Pizlo  <fpizlo@apple.com>
3195
3196         Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool
3197         https://bugs.webkit.org/show_bug.cgi?id=156406
3198
3199         Reviewed by Saam Barati.
3200
3201         The failure was because the GC ran from within the butterfly allocation call in a put_by_id
3202         transition AccessCase that had to deal with indexing storage. When the GC runs in a call from a stub,
3203         then we need to be extra careful:
3204
3205         1) The GC may reset the IC and delete the stub. So, the stub needs to tell the GC that it might be on
3206            the stack during GC, so that the GC keeps it alive if it's currently running.
3207         
3208         2) If the stub uses (dereferences or stores) some object after the call, then we need to ensure that
3209            the stub routine knows about that object independently of the IC.
3210         
3211         In the case of put_by_id transitions that use a helper to allocate the butterfly, we have both
3212         issues. A long time ago, we had to deal with (2), and we still had code to handle that case, although
3213         it appears to be dead. This change revives that code and glues it together with PolymorphicAccess.
3214
3215         * bytecode/PolymorphicAccess.cpp:
3216         (JSC::AccessCase::alternateBase):
3217         (JSC::AccessCase::doesCalls):
3218         (JSC::AccessCase::couldStillSucceed):
3219         (JSC::AccessCase::generate):
3220         (JSC::PolymorphicAccess::regenerate):
3221         * bytecode/PolymorphicAccess.h:
3222         (JSC::AccessCase::customSlotBase):
3223         (JSC::AccessCase::isGetter):
3224         (JSC::AccessCase::doesCalls): Deleted.
3225         * jit/GCAwareJITStubRoutine.cpp:
3226         (JSC::GCAwareJITStubRoutine::markRequiredObjectsInternal):
3227         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
3228         (JSC::MarkingGCAwareJITStubRoutine::~MarkingGCAwareJITStubRoutine):
3229         (JSC::MarkingGCAwareJITStubRoutine::markRequiredObjectsInternal):
3230         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
3231         (JSC::createJITStubRoutine):
3232         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
3233         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::~MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
3234         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal): Deleted.
3235         * jit/GCAwareJITStubRoutine.h:
3236         (JSC::createJITStubRoutine):
3237
3238 2016-04-08  Joseph Pecoraro  <pecoraro@apple.com>
3239
3240         Web Inspector: XHRs and Web Worker scripts are not searchable
3241         https://bugs.webkit.org/show_bug.cgi?id=154214
3242         <rdar://problem/24643587>
3243
3244         Reviewed by Timothy Hatcher.
3245
3246         * inspector/protocol/Page.json:
3247         Add optional requestId to search results properties and search
3248         parameters for when the frameId and url are not enough. XHR
3249         resources, and "Other" resources will use this.
3250
3251 2016-04-08  Guillaume Emont  <guijemont@igalia.com>
3252
3253         MIPS: support Signed cond in branchTest32()
3254         https://bugs.webkit.org/show_bug.cgi?id=156260
3255
3256         This is needed since r197688 makes use of it.
3257
3258         Reviewed by Mark Lam.
3259
3260         * assembler/MacroAssemblerMIPS.h:
3261         (JSC::MacroAssemblerMIPS::branchTest32):
3262
3263 2016-04-08  Alex Christensen  <achristensen@webkit.org>
3264
3265         Progress towards running CMake WebKit2 on Mac
3266         https://bugs.webkit.org/show_bug.cgi?id=156426
3267
3268         Reviewed by Tim Horton.
3269
3270         * PlatformMac.cmake:
3271
3272 2016-04-08  Saam barati  <sbarati@apple.com>
3273
3274         Debugger may dereference m_currentCallFrame even after the VM has gone idle
3275         https://bugs.webkit.org/show_bug.cgi?id=156413
3276
3277         Reviewed by Mark Lam.
3278
3279         There is a bug where the debugger may dereference its m_currentCallFrame
3280         pointer after that pointer becomes invalid to read from. This happens like so:
3281
3282         We may step over an instruction which causes the end of execution for the
3283         current program. This causes the VM to exit. Then, we perform a GC which
3284         causes us to collect the global object. The global object being collected
3285         causes us to detach the debugger. In detaching, we think we still have a 
3286         valid m_currentCallFrame, we dereference it, and crash. The solution is to
3287         make sure we're paused when dereferencing this pointer inside ::detach().
3288
3289         * debugger/Debugger.cpp:
3290         (JSC::Debugger::detach):
3291
3292 2016-04-08  Brian Burg  <bburg@apple.com>
3293
3294         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
3295         https://bugs.webkit.org/show_bug.cgi?id=156407
3296         <rdar://problem/25627659>
3297
3298         Reviewed by Timothy Hatcher.
3299
3300         There's no point having these subclasses as they don't save any space.
3301         Add m_stringValue to the union and merge some implementations of writeJSON.
3302         Move uses of the subclass to InspectorValue and delete redundant methods.
3303         Now, most InspectorValue methods are non-virtual so they can be templated.
3304
3305         * bindings/ScriptValue.cpp:
3306         (Deprecated::jsToInspectorValue):
3307         * inspector/InjectedScriptBase.cpp:
3308         (Inspector::InjectedScriptBase::makeCall):
3309         Don't use deleted subclasses.
3310
3311         * inspector/InspectorValues.cpp:
3312         (Inspector::InspectorValue::null):
3313         (Inspector::InspectorValue::create):
3314         (Inspector::InspectorValue::asValue):
3315         (Inspector::InspectorValue::asBoolean):
3316         (Inspector::InspectorValue::asDouble):
3317         (Inspector::InspectorValue::asInteger):
3318         (Inspector::InspectorValue::asString):
3319         These only need one implementation now.
3320
3321         (Inspector::InspectorValue::writeJSON):
3322         Still a virtual method since Object and Array need their members.
3323
3324         (Inspector::InspectorObjectBase::InspectorObjectBase):
3325         (Inspector::InspectorBasicValue::asBoolean): Deleted.
3326         (Inspector::InspectorBasicValue::asDouble): Deleted.
3327         (Inspector::InspectorBasicValue::asInteger): Deleted.
3328         (Inspector::InspectorBasicValue::writeJSON): Deleted.
3329         (Inspector::InspectorString::asString): Deleted.
3330         (Inspector::InspectorString::writeJSON): Deleted.
3331         (Inspector::InspectorString::create): Deleted.
3332         (Inspector::InspectorBasicValue::create): Deleted.
3333
3334         * inspector/InspectorValues.h:
3335         (Inspector::InspectorObjectBase::setBoolean):
3336         (Inspector::InspectorObjectBase::setInteger):
3337         (Inspector::InspectorObjectBase::setDouble):
3338         (Inspector::InspectorObjectBase::setString):
3339         (Inspector::InspectorArrayBase::pushBoolean):
3340         (Inspector::InspectorArrayBase::pushInteger):
3341         (Inspector::InspectorArrayBase::pushDouble):
3342         (Inspector::InspectorArrayBase::pushString):
3343         Use new factory methods.
3344
3345         * replay/EncodedValue.cpp:
3346         (JSC::ScalarEncodingTraits<bool>::encodeValue):
3347         (JSC::ScalarEncodingTraits<double>::encodeValue):
3348         (JSC::ScalarEncodingTraits<float>::encodeValue):
3349         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
3350         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
3351         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
3352         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
3353         * replay/EncodedValue.h:
3354         Use new factory methods.
3355
3356 2016-04-08  Filip Pizlo  <fpizlo@apple.com>
3357
3358         Add IC support for arguments.length
3359         https://bugs.webkit.org/show_bug.cgi?id=156389
3360
3361         Reviewed by Geoffrey Garen.
3362         
3363         This adds support for caching accesses to arguments.length for both DirectArguments and
3364         ScopedArguments. In strict mode, we already cached these accesses since they were just
3365         normal properties.
3366
3367         Amazingly, we also already supported caching of overridden arguments.length in both
3368         DirectArguments and ScopedArguments. This is because when you override, the property gets
3369         materialized as a normal JS property and the structure is changed.
3370         
3371         This patch painstakingly preserves our previous caching of overridden length while
3372         introducing caching of non-overridden length (i.e. the common case). In fact, we even cache
3373         the case where it could either be overridden or not, since we just end up with an AccessCase
3374         for each and they cascade to each other.
3375
3376         This is a >3x speed-up on microbenchmarks that do arguments.length in a polymorphic context.
3377         Entirely monomorphic accesses were already handled by the DFG.
3378
3379         * bytecode/PolymorphicAccess.cpp:
3380         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
3381         (JSC::AccessCase::guardedByStructureCheck):
3382         (JSC::AccessCase::generateWithGuard):
3383         (JSC::AccessCase::generate):
3384         (WTF::printInternal):
3385         * bytecode/PolymorphicAccess.h:
3386         * jit/ICStats.h:
3387         * jit/JITOperations.cpp:
3388         * jit/Repatch.cpp:
3389         (JSC::tryCacheGetByID):
3390         (JSC::tryCachePutByID):
3391         (JSC::tryRepatchIn):
3392         * tests/stress/direct-arguments-override-length-then-access-normal-length.js: Added.
3393         (args):
3394         (foo):
3395         (result.foo):
3396
3397 2016-04-08  Benjamin Poulain  <bpoulain@apple.com>
3398
3399         UInt32ToNumber should have an Int52 path
3400         https://bugs.webkit.org/show_bug.cgi?id=125704
3401
3402         Reviewed by Filip Pizlo.
3403
3404         When dealing with big numbers, fall back to Int52 instead
3405         of double when possible.
3406
3407         * dfg/DFGAbstractInterpreterInlines.h:
3408         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3409         * dfg/DFGFixupPhase.cpp:
3410         (JSC::DFG::FixupPhase::fixupNode):
3411         * dfg/DFGPredictionPropagationPhase.cpp:
3412         (JSC::DFG::PredictionPropagationPhase::propagate):
3413         * dfg/DFGSpeculativeJIT.cpp:
3414         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
3415         * ftl/FTLLowerDFGToB3.cpp:
3416         (JSC::FTL::DFG::LowerDFGToB3::compileUInt32ToNumber):
3417
3418 2016-04-08  Brian Burg  <bburg@apple.com>
3419
3420         Web Inspector: protocol generator should emit an error when 'type' is used instead of '$ref'
3421         https://bugs.webkit.org/show_bug.cgi?id=156275
3422         <rdar://problem/25569331>
3423
3424         Reviewed by Darin Adler.
3425
3426         * inspector/protocol/Heap.json: Fix a mistake that's now caught by the protocol generator.
3427
3428         * inspector/scripts/codegen/models.py:
3429         (TypeReference.__init__): Check here if type_kind is on a whitelist of primitive types.
3430         (TypeReference.referenced_name): Update comment.
3431
3432         Add a new test specifically for the case when the type would otherwise be resolved. Rebaseline.
3433
3434         * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Added.
3435         * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error:
3436         * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Added.
3437
3438 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3439
3440         Remove ENABLE(ENABLE_ES6_CLASS_SYNTAX) guards
3441         https://bugs.webkit.org/show_bug.cgi?id=156384
3442
3443         Reviewed by Ryosuke Niwa.
3444
3445         * Configurations/FeatureDefines.xcconfig:
3446         * features.json: Mark as Done.
3447         * parser/Parser.cpp:
3448         (JSC::Parser<LexerType>::parseExportDeclaration):
3449         (JSC::Parser<LexerType>::parseStatementListItem):
3450         (JSC::Parser<LexerType>::parsePrimaryExpression):
3451         (JSC::Parser<LexerType>::parseMemberExpression):
3452
3453 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
3454
3455         Implementing caching transition puts that need to reallocate with indexing storage
3456         https://bugs.webkit.org/show_bug.cgi?id=130914
3457
3458         Reviewed by Saam Barati.
3459
3460         This enables the IC's put_by_id path to handle reallocating the out-of-line storage even if
3461         the butterfly has indexing storage. Like the DFG, we do this by calling operations that
3462         reallocate the butterfly. Those use JSObject API and do all of the nasty work for us, like
3463         triggering a barrier.
3464
3465         This does a bunch of refactoring to how PolymorphicAccess makes calls. It's a lot easier to
3466         do it now because the hard work is hidden under AccessGenerationState methods. This means
3467         that custom accessors now share logic with put_by_id transitions.
3468
3469         * bytecode/PolymorphicAccess.cpp:
3470         (JSC::AccessGenerationState::succeed):
3471         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
3472         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
3473         (JSC::AccessGenerationState::originalCallSiteIndex):
3474         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
3475         (JSC::AccessCase::AccessCase):
3476         (JSC::AccessCase::transition):
3477         (JSC::AccessCase::generate):
3478         (JSC::PolymorphicAccess::regenerate):
3479         * bytecode/PolymorphicAccess.h:
3480         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
3481         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
3482         * dfg/DFGOperations.cpp:
3483         * dfg/DFGOperations.h:
3484         * jit/JITOperations.cpp:
3485         * jit/JITOperations.h:
3486
3487 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3488
3489         Remote Inspector: When disallowing remote inspection on a debuggable, a listing is still sent to debuggers
3490         https://bugs.webkit.org/show_bug.cgi?id=156380
3491         <rdar://problem/25323727>
3492
3493         Reviewed by Timothy Hatcher.
3494
3495         * inspector/remote/RemoteInspector.mm:
3496         (Inspector::RemoteInspector::updateTarget):
3497         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
3498         When a target has been updated and it no longer generates a listing,
3499         we should remove the old listing as that is now stale and should
3500         not be sent. Not generating a listing means this target is no
3501         longer allowed to be debugged.
3502
3503 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3504
3505         Web Inspector: Not necessary to validate webinspectord connection on iOS
3506         https://bugs.webkit.org/show_bug.cgi?id=156377
3507         <rdar://problem/25612460>
3508
3509         Reviewed by Simon Fraser.
3510
3511         * inspector/remote/RemoteInspectorXPCConnection.h:
3512         * inspector/remote/RemoteInspectorXPCConnection.mm:
3513         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3514
3515 2016-04-07  Keith Miller  <keith_miller@apple.com>
3516
3517         Rename ArrayMode::supportsLength to supportsSelfLength
3518         https://bugs.webkit.org/show_bug.cgi?id=156374
3519
3520         Reviewed by Filip Pizlo.
3521
        The name supportsLength is confusing because TypedArrays have a
        length function; however, it is on the prototype and not on the
        instance. supportsSelfLength makes more sense since we use the
        function during fixup to tell if we can intrinsic the length
        property lookup on self accesses.
3527
3528         * dfg/DFGArrayMode.h:
3529         (JSC::DFG::ArrayMode::supportsSelfLength):
3530         (JSC::DFG::ArrayMode::supportsLength): Deleted.
3531         * dfg/DFGFixupPhase.cpp:
3532         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3533
3534 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3535
3536         Web Inspector: ProfileView source links are off by 1 line, worse in pretty printed code
3537         https://bugs.webkit.org/show_bug.cgi?id=156371
3538
3539         Reviewed by Timothy Hatcher.
3540
3541         * inspector/protocol/ScriptProfiler.json:
3542         Clarify that these locations are 1-based.
3543
3544 2016-04-07  Jon Davis  <jond@apple.com>
3545
3546         Add Web Animations API to Feature Status Page
3547         https://bugs.webkit.org/show_bug.cgi?id=156360
3548
3549         Reviewed by Timothy Hatcher.
3550
3551         * features.json:
3552
3553 2016-04-07  Saam barati  <sbarati@apple.com>
3554
3555         Invalid assertion inside DebuggerScope::getOwnPropertySlot
3556         https://bugs.webkit.org/show_bug.cgi?id=156357
3557
3558         Reviewed by Keith Miller.
3559
3560         The Type Profiler might profile JS code that uses DebuggerScope and accesses properties
3561         on it. Therefore, it may have a DebuggerScope object in its log. Objects in the log
3562         are subject to having their getOwnPropertySlot method called. Therefore, the DebuggerScope
3563         might not always be in a valid state when its getOwnPropertySlot method is called.
        Therefore, the assertion is invalid.
3565
3566         * debugger/DebuggerScope.cpp:
3567         (JSC::DebuggerScope::getOwnPropertySlot):
3568
3569 2016-04-07  Saam barati  <sbarati@apple.com>
3570
3571         Initial implementation of annex b.3.3 behavior was incorrect
3572         https://bugs.webkit.org/show_bug.cgi?id=156276
3573
3574         Reviewed by Keith Miller.
3575
3576         I almost got annex B.3.3 correct in my first implementation.
3577         There is a subtlety here I got wrong. We always create a local binding for
3578         a function at the very beginning of execution of a block scope. So we
3579         hoist function declarations to their local binding within a given
3580         block scope. When we actually evaluate the function declaration statement
        itself, we must look up the binding in the current scope, and bind the
3582         value to the binding in the "var" scope. We perform the following
3583         abstract operations when executing a function declaration statement.
3584
3585         f = lookupBindingInCurrentScope("func")
3586         store(varScope, "func", f)
3587
3588         I got this wrong by performing the store to the var binding at the beginning
3589         of the block scope instead of when we evaluate the function declaration statement.
3590         This behavior is observable. For example, a program could change the value
3591         of "func" before the actual function declaration statement executes.
3592         Consider the following two functions:
3593         ```
3594         function foo1() {
3595             // func === undefined
3596             {
3597                 // typeof func === "function"
3598                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
3599                 func = 20 // This sets the local "func" binding to 20.
3600             }
3601             // typeof func === "function"
3602         }
3603
3604         function foo2() {
3605             // func === undefined
3606             {
3607                 // typeof func === "function"
3608                 func = 20 // This sets the local "func" binding to 20.
3609                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
3610             }
3611             // func === 20
3612         }
3613         ```
3614
3615         * bytecompiler/BytecodeGenerator.cpp:
3616         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
3617         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
3618         * bytecompiler/BytecodeGenerator.h:
3619         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
3620         * bytecompiler/NodesCodegen.cpp:
3621         (JSC::FuncDeclNode::emitBytecode):
3622         * tests/stress/sloppy-mode-function-hoisting.js:
3623         (test.foo):
3624         (test):
3625         (test.):
3626         (test.bar):
3627         (test.switch.case.0):
3628         (test.capFoo1):
3629         (test.switch.capFoo2):
3630         (test.outer):
3631         (foo):
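
        The observable difference described above, as an added example (not JavaScriptCore
        code or part of this patch). Each probe is built with the Function constructor so
        that it runs as a sloppy-mode function even if the file is loaded as a strict ES
        module; the third probe adds a "use strict" case to show that Annex B.3.3 does not
        apply there. Names (declareThenAssign, assignThenDeclare, strictBlockFunction,
        annexBObservations) are this example's own.

```javascript
// Added example (not JavaScriptCore code): observe the Annex B.3.3 behaviour described
// in the entry above. Each probe is built with the Function constructor so that it is a
// sloppy-mode function even if this file itself is loaded as a strict ES module.
//
// Rule being observed: on block entry the block-level binding for `func` is initialized
// with the function; the outer `var` binding starts out undefined; the value is copied
// block -> var only when the declaration statement itself is evaluated.

// Declaration evaluated before the assignment (the entry's foo1).
const declareThenAssign = new Function(`
  const seen = {};
  seen.before = typeof func;           // "undefined": var binding exists but is not yet set
  {
    seen.blockEntry = typeof func;     // "function": block binding initialized on block entry
    function func() {}                 // copies the block binding into the var binding
    func = 20;                         // writes the block binding only
    seen.blockEnd = func;              // 20
  }
  seen.after = typeof func;            // "function": var binding still holds the function
  return seen;
`);

// Assignment evaluated before the declaration (the entry's foo2).
const assignThenDeclare = new Function(`
  const seen = {};
  seen.before = typeof func;           // "undefined"
  {
    seen.blockEntry = typeof func;     // "function"
    func = 20;                         // block binding is now 20
    function func() {}                 // copies the current block value (20) into the var binding
    seen.blockEnd = func;              // 20
  }
  seen.after = func;                   // 20: the var binding received the overwritten value
  return seen;
`);

// Strict mode has no Annex B.3.3: the declaration is purely block-scoped, no var
// binding is created, and `func` is unknown outside the block.
const strictBlockFunction = new Function(`
  "use strict";
  const seen = {};
  seen.before = typeof func;           // "undefined": no binding at all
  {
    seen.blockEntry = typeof func;     // "function"
    function func() {}
  }
  seen.after = typeof func;            // "undefined": nothing was hoisted out of the block
  return seen;
`);

// Runs all three probes and returns their observations keyed by case name.
function annexBObservations() {
  return {
    declareThenAssign: declareThenAssign(),
    assignThenDeclare: assignThenDeclare(),
    strict: strictBlockFunction(),
  };
}
```

        The two sloppy probes differ only in the order of the assignment and the
        declaration, yet one leaves the outer binding as a function and the other as 20,
        which is exactly the ordering the fix above gets right by deferring the var store
        to the declaration statement.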
3632
3633 2016-04-07  Alex Christensen  <achristensen@webkit.org>
3634
3635         Build fix after r199170
3636
3637         * CMakeLists.txt:
3638
3639 2016-04-07  Keith Miller  <keith_miller@apple.com>
3640
3641         We should support the ability to do a non-effectful getById
3642         https://bugs.webkit.org/show_bug.cgi?id=156116
3643
3644         Reviewed by Benjamin Poulain.
3645
3646         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
3647         useful because it enables us to take different code paths based on values that we would
3648         otherwise not be able to have knowledge of. This patch adds this new feature called
3649         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
3650         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
3651         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
3652         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
        is null. In theory, if we ever wanted to check for null we could add a sentinel object to
3654         the global object that indicates we could not get the result.
3655
3656         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
3657         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
3658         get_by_id the same way we would for load and return the value at the appropriate offset.
        Additionally, in order to make sure that we can properly compare the GetterSetter object
3660         with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
3661         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
3662         likely to have little to no impact on memory usage as normal accessors are generally rare.
3663
3664         * JavaScriptCore.xcodeproj/project.pbxproj:
3665         * builtins/BuiltinExecutableCreator.cpp: Added.
3666         (JSC::createBuiltinExecutable):
3667         * builtins/BuiltinExecutableCreator.h: Copied from Source/JavaScriptCore/builtins/BuiltinExecutables.h.
3668         * builtins/BuiltinExecutables.cpp:
3669         (JSC::BuiltinExecutables::createDefaultConstructor):
3670         (JSC::BuiltinExecutables::createBuiltinExecutable):
3671         (JSC::createBuiltinExecutable):
3672         (JSC::BuiltinExecutables::createExecutable):
3673         (JSC::createExecutableInternal): Deleted.
3674         * builtins/BuiltinExecutables.h:
3675         * bytecode/BytecodeIntrinsicRegistry.h:
3676         * bytecode/BytecodeList.json:
3677         * bytecode/BytecodeUseDef.h:
3678         (JSC::computeUsesForBytecodeOffset):
3679         (JSC::computeDefsForBytecodeOffset):
3680         * bytecode/CodeBlock.cpp:
3681         (JSC::CodeBlock::dumpBytecode):
3682         * bytecode/PolymorphicAccess.cpp:
3683         (JSC::AccessCase::tryGet):
3684         (JSC::AccessCase::generate):
3685         (WTF::printInternal):
3686         * bytecode/PolymorphicAccess.h:
3687         (JSC::AccessCase::isGet): Deleted.
3688         (JSC::AccessCase::isPut): Deleted.
3689         (JSC::AccessCase::isIn): Deleted.
3690         * bytecode/StructureStubInfo.cpp:
3691         (JSC::StructureStubInfo::reset):
3692         * bytecode/StructureStubInfo.h:
3693         * bytecompiler/BytecodeGenerator.cpp:
3694         (JSC::BytecodeGenerator::emitTryGetById):
3695         * bytecompiler/BytecodeGenerator.h:
3696         * bytecompiler/NodesCodegen.cpp:
3697         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
3698         * dfg/DFGSpeculativeJIT32_64.cpp:
3699         (JSC::DFG::SpeculativeJIT::cachedGetById):
3700         * dfg/DFGSpeculativeJIT64.cpp:
3701         (JSC::DFG::SpeculativeJIT::cachedGetById):
3702         * ftl/FTLLowerDFGToB3.cpp:
3703         (JSC::FTL::DFG::LowerDFGToB3::getById):
3704         * jit/JIT.cpp:
3705         (JSC::JIT::privateCompileMainPass):
3706         (JSC::JIT::privateCompileSlowCases):
3707         * jit/JIT.h:
3708         * jit/JITInlineCacheGenerator.cpp:
3709         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3710         * jit/JITInlineCacheGenerator.h:
3711         * jit/JITInlines.h:
3712         (JSC::JIT::callOperation):
3713         * jit/JITOperations.cpp:
3714         * jit/JITOperations.h:
3715         * jit/JITPropertyAccess.cpp:
3716         (JSC::JIT::emitGetByValWithCachedId):
3717         (JSC::JIT::emit_op_try_get_by_id):
3718         (JSC::JIT::emitSlow_op_try_get_by_id):
3719         (JSC::JIT::emit_op_get_by_id):
3720         * jit/JITPropertyAccess32_64.cpp:
3721         (JSC::JIT::emitGetByValWithCachedId):
3722         (JSC::JIT::emit_op_try_get_by_id):
3723         (JSC::JIT::emitSlow_op_try_get_by_id):
3724         (JSC::JIT::emit_op_get_by_id):
3725         * jit/Repatch.cpp:
3726         (JSC::repatchByIdSelfAccess):
3727         (JSC::appropriateOptimizingGetByIdFunction):
3728         (JSC::appropriateGenericGetByIdFunction):
3729         (JSC::tryCacheGetByID):
3730         (JSC::repatchGetByID):
3731         (JSC::resetGetByID):
3732         * jit/Repatch.h:
3733         * jsc.cpp:
3734         (GlobalObject::finishCreation):
3735         (functionGetGetterSetter):
3736         (functionCreateBuiltin):
3737         * llint/LLIntData.cpp:
3738         (JSC::LLInt::Data::performAssertions):
3739         * llint/LLIntSlowPaths.cpp:
3740         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3741         * llint/LLIntSlowPaths.h:
3742         * llint/LowLevelInterpreter.asm:
3743         * runtime/GetterSetter.cpp:
3744         * runtime/GetterSetter.h:
3745         * runtime/JSType.h:
3746         * runtime/PropertySlot.cpp:
3747         (JSC::PropertySlot::getPureResult):
3748         * runtime/PropertySlot.h:
3749         * runtime/ProxyObject.cpp:
3750         (JSC::ProxyObject::getOwnPropertySlotCommon):
3751         * tests/stress/try-get-by-id.js: Added.
3752         (tryGetByIdText):
3753         (getCaller.obj.1.throw.new.Error.let.func):
3754         (getCaller.obj.1.throw.new.Error):
3755         (throw.new.Error.get let):
3756         (throw.new.Error.):
3757         (throw.new.Error.let.get createBuiltin):
3758         (get let):
3759         (let.get createBuiltin):
3760         (let.func):
3761         (get let.func):
3762         (get throw):
3763
3764 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
3765
3766         Rationalize the makeSpaceForCCall stuff
3767         https://bugs.webkit.org/show_bug.cgi?id=156352
3768
3769         Reviewed by Mark Lam.
3770
3771         I want to add more code to PolymorphicAccess that makes C calls, so that I can finally fix
3772         https://bugs.webkit.org/show_bug.cgi?id=130914 (allow transition caches to handle indexing
3773         headers).
3774
3775         When trying to understand what it takes to make a C call, I came across code that was making
3776         room on the stack for spilled arguments. This logic was guarded with some complicated
3777         condition. At first, I tried to just refactor the code so that the same ugly condition
3778         wouldn't have to be copy-pasted everywhere that we made C calls. But then I started thinking
3779         about the condition, and realized that it was probably wrong: if the outer PolymorphicAccess
3780         harness decides to reuse a register for the scratchGPR then the top of the stack will store
3781         the old value of scratchGPR, but the condition wouldn't necessarily trigger. So if the call
3782         then overwrote something on the stack, we'd have a bad time.
3783
3784         Making room on the stack for a call is a cheap operation. It's orders of magnitude cheaper
3785         than the rest of the call. Therefore, I think that it's best to just unconditionally make
3786         room on the stack.
3787
3788         This patch makes us do just that. I also made the relevant helpers not inline, because I
3789         think that we have too many inline methods in our assemblers. Now it's much easier to make
3790         C calls from PolymorphicAccess because you just call the AssemblyHelper methods for making
3791         space. There are no special conditions or anything like that.
3792
3793         * bytecode/PolymorphicAccess.cpp:
3794         (JSC::AccessCase::generate):
3795         * jit/AssemblyHelpers.cpp:
3796         (JSC::AssemblyHelpers::emitLoadStructure):
3797         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
3798         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
3799         (JSC::emitRandomThunkImpl):
3800         * jit/AssemblyHelpers.h:
3801         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall): Deleted.
3802         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall): Deleted.
3803
3804 2016-04-07  Commit Queue  <commit-queue@webkit.org>
3805
3806         Unreviewed, rolling out r199128 and r199141.
3807         https://bugs.webkit.org/show_bug.cgi?id=156348
3808
3809         Causes crashes on multiple webpages (Requested by keith_mi_ on
3810         #webkit).
3811
3812         Reverted changesets:
3813
3814         "[ES6] Add support for Symbol.isConcatSpreadable."
3815         https://bugs.webkit.org/show_bug.cgi?id=155351
3816         http://trac.webkit.org/changeset/199128
3817
3818         "Unreviewed, uncomment accidentally commented line in test."
3819         http://trac.webkit.org/changeset/199141
3820
3821 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
3822
3823         Rationalize the handling of PutById transitions a bit
3824         https://bugs.webkit.org/show_bug.cgi?id=156330
3825
3826         Reviewed by Mark Lam.
3827
3828         * bytecode/PolymorphicAccess.cpp:
3829         (JSC::AccessCase::generate): Get rid of the specialized slow calls. We can just use the failAndIgnore jump target. We just need to make sure that we don't make observable effects until we're done with all of the fast path checks.
3830         * bytecode/StructureStubInfo.cpp:
3831         (JSC::StructureStubInfo::addAccessCase): MadeNoChanges indicates that we should keep trying to repatch. Currently PutById transitions might trigger the case that addAccessCase() sees null, if the transition involves an indexing header. Doing repatching in that case is probably not good. But, we should just fix this the right way eventually.
3832
3833 2016-04-07  Per Arne Vollan  <peavo@outlook.com>
3834
3835         [Win] Fix for JSC stress test failures.
3836         https://bugs.webkit.org/show_bug.cgi?id=156343
3837
3838         Reviewed by Filip Pizlo.
3839
3840         We need to make it clear to MSVC that the method loadPtr(ImplicitAddress address, RegisterID dest)
3841         should be used, and not loadPtr(const void* address, RegisterID dest).
3842
3843         * jit/CCallHelpers.cpp:
3844         (JSC::CCallHelpers::setupShadowChickenPacket):
3845
3846 2016-04-06  Benjamin Poulain  <bpoulain@apple.com>
3847
3848         [JSC] UInt32ToNumber should be NodeMustGenerate
3849         https://bugs.webkit.org/show_bug.cgi?id=156329
3850
3851         Reviewed by Filip Pizlo.
3852
3853         It exits on negative numbers on the integer path.
3854
3855         * dfg/DFGFixupPhase.cpp:
3856         (JSC::DFG::FixupPhase::fixupNode):
3857         * dfg/DFGNodeType.h:
3858
3859 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
3860
3861         Unreviewed, rolling out r199016.
3862         https://bugs.webkit.org/show_bug.cgi?id=156140
3863
3864         "Perf bots are down, so I can't re-land this right now."
3865
3866         Reverted changeset:
3867
3868         CopiedBlock should be 16kB
3869         https://bugs.webkit.org/show_bug.cgi?id=156168
3870         http://trac.webkit.org/changeset/199016
3871
3872 2016-04-06  Mark Lam  <mark.lam@apple.com>
3873
3874         String.prototype.match() should be calling internal function RegExpCreate.
3875         https://bugs.webkit.org/show_bug.cgi?id=156318
3876
3877         Reviewed by Filip Pizlo.
3878
3879         RegExpCreate is not the same as the RegExp constructor.  The current implementation
3880         invokes new @RegExp which calls the constructor.  This results in failures in
3881         es6/Proxy_internal_get_calls_String.prototype.match.js, and
3882         es6/Proxy_internal_get_calls_String.prototype.search.js due to observable side
3883         effects.
3884
3885         This patch fixes this by factoring out the part of the RegExp constructor that
3886         makes the RegExpCreate function, and changing String's match and search to call
        RegExpCreate instead in accordance with the ES6 spec.
3888
3889         * builtins/StringPrototype.js:
3890         (match):
3891         (search):
3892         * runtime/CommonIdentifiers.h:
3893         * runtime/JSGlobalObject.cpp:
3894         (JSC::JSGlobalObject::init):
3895         * runtime/RegExpConstructor.cpp:
3896         (JSC::toFlags):
3897         (JSC::regExpCreate):
3898         (JSC::constructRegExp):
3899         (JSC::esSpecRegExpCreate):
3900         (JSC::constructWithRegExpConstructor):
3901         * runtime/RegExpConstructor.h:
3902         (JSC::isRegExp):
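
        The observable side effect mentioned above, as an added example (not
        JavaScriptCore code or part of this patch). It records the [[Get]] operations a
        Proxy argument sees when passed to String.prototype.match and search, which is
        what the es6/Proxy_internal_get_calls_* tests check. It assumes a spec-conformant
        engine (run under Node.js here); the function names and the "probe" string are
        this example's own, and getsViaConstructorModel is a user-level model of the
        pre-fix `new @RegExp` path, not the builtin itself.

```javascript
// Added example (not JavaScriptCore code): count the [[Get]] operations that
// String.prototype.match and String.prototype.search perform on a non-RegExp argument.
// Assumes a spec-conformant engine (run here under Node.js).

// Wraps a plain object in a Proxy whose get trap records every property key read.
function makeGetRecorder() {
  const gets = [];
  const target = {};
  // Supplying @@toPrimitive lets ToString(proxy) finish with a single further Get
  // (the lookup of @@toPrimitive itself) instead of probing toString/valueOf.
  target[Symbol.toPrimitive] = () => "probe";
  const proxy = new Proxy(target, {
    get(obj, key, receiver) {
      gets.push(key);
      return Reflect.get(obj, key, receiver);
    },
  });
  return { proxy, gets };
}

// Spec path (ES2015 String.prototype.match / search): Get(regexp, @@match or @@search),
// then RegExpCreate(regexp), whose ToString(pattern) performs Get(@@toPrimitive).
// Two Gets in total; nothing else on the argument is touched.
function getsViaStringMethod(method) {
  const { proxy, gets } = makeGetRecorder();
  String.prototype[method].call("a probe string", proxy);
  return gets;
}

// Model of the pre-fix path described in the entry: the builtin looked up @@match (or
// @@search) and then did `new @RegExp(regexp)`. The RegExp constructor runs
// IsRegExp(pattern), which reads @@match again before the ToString(pattern) step reads
// @@toPrimitive. Three Gets, and the extra one is observable to user code.
function getsViaConstructorModel(method) {
  const { proxy, gets } = makeGetRecorder();
  const symbol = method === "match" ? Symbol.match : Symbol.search;
  const matcher = proxy[symbol];               // the builtin's own GetMethod step
  if (matcher !== undefined) return gets;      // not taken: the target has no such method
  const rx = new RegExp(proxy);                // pre-fix: goes through the constructor
  rx[symbol]("a probe string");
  return gets;
}
```

        Running getsViaStringMethod("match") yields [Symbol.match, Symbol.toPrimitive],
        while the constructor model yields an additional Symbol.match read in between;
        that extra read is the side effect the Proxy tests detect and the reason match and
        search now call RegExpCreate directly.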
3903
3904 2016-04-06  Keith Miller  <keith_miller@apple.com>
3905
3906         Unreviewed, uncomment accidentally commented line in test.
3907
3908         * tests/stress/array-concat-spread-object.js:
3909
3910 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
3911
3912         JSC should have a simple way of gathering IC statistics
3913         https://bugs.webkit.org/show_bug.cgi?id=156317
3914
3915         Reviewed by Benjamin Poulain.
3916
3917         This adds a cheap, runtime-enabled way of gathering statistics about why we take the slow
3918         paths for inline caches. This is complementary to our existing bytecode profiler. Eventually
3919         we may want to combine the two things.
3920         
3921         This is not a slow-down on anything because we only do extra work on IC slow paths and if
3922         it's disabled it's just a load-and-branch to skip the stats gathering code.
3923
3924         * CMakeLists.txt:
3925         * JavaScriptCore.xcodeproj/project.pbxproj:
3926         * jit/ICStats.cpp: Added.
3927         * jit/ICStats.h: Added.
3928         * jit/JITOperations.cpp:
3929         * runtime/JSCJSValue.h:
3930         * runtime/JSCJSValueInlines.h:
3931         (JSC::JSValue::inherits):
3932         (JSC::JSValue::classInfoOrNull):
3933         (JSC::JSValue::toThis):
3934         * runtime/Options.h:
3935
3936 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
3937
3938         32-bit JSC stress/multi-put-by-offset-multiple-transitions.js failing
3939         https://bugs.webkit.org/show_bug.cgi?id=156292
3940
3941         Reviewed by Benjamin Poulain.