FTL should lower its abstract heaps to B3 heap ranges
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-02-27  Filip Pizlo  <fpizlo@apple.com>

        FTL should lower its abstract heaps to B3 heap ranges
        https://bugs.webkit.org/show_bug.cgi?id=154782

        Reviewed by Saam Barati.

        The FTL can describe the abstract heaps (points-to sets) that a memory operation will
        affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
        TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
        notion - the HeapRange. That's what this patch fixes.

        B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
        integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
        affects by specifying a heap range: a begin...end pair that says that the operation
        affects all abstract heaps H such that begin <= H < end.

        This peculiar scheme was a deliberate attempt to distill what the abstract heap
        hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:

        - A heap's end is greater than its begin.
        - A heap's begin is greater than or equal to its parent's begin.
        - A heap's end is less than or equal to its parent's end.

        This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
        went for the iterative traversal, which is a splendid algorithm, but it's totally
        unnecessary here since we tightly control the height of the heap hierarchy.

        Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
        generate new ones for field names and constant indices we encounter, we can't actually
        decorate the B3 instructions we create in lowering until all lowering is done. Adding a
        new abstract heap to the hierarchy after ranges were already computed would require
        updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
        patch solves that problem by recording the associations between abstract heaps and their
        intended roles in the generated IR, and then decorating all of the relevant B3 values
        after we compute the ranges of the hierarchy after lowering.

        This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
        speed-up on any benchmark. That's not too surprising. We already have very precise CSE
        in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
        already been getting the big ones even without alias analysis.

        Even without a speed-up, this patch is valuable because it makes it easier to implement
        other optimizations, like store elimination.

        * b3/B3HeapRange.h:
        (JSC::B3::HeapRange::HeapRange):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::AbstractHeap):
        (JSC::FTL::AbstractHeap::changeParent):
        (JSC::FTL::AbstractHeap::compute):
        (JSC::FTL::AbstractHeap::shallowDump):
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractHeap::deepDump):
        (JSC::FTL::AbstractHeap::badRangeError):
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        (JSC::FTL::IndexedAbstractHeap::atSlow):
        (JSC::FTL::IndexedAbstractHeap::initialize):
        (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
        (JSC::FTL::AbstractField::dump): Deleted.
        * ftl/FTLAbstractHeap.h:
        (JSC::FTL::AbstractHeap::AbstractHeap):
        (JSC::FTL::AbstractHeap::isInitialized):
        (JSC::FTL::AbstractHeap::initialize):
        (JSC::FTL::AbstractHeap::parent):
        (JSC::FTL::AbstractHeap::heapName):
        (JSC::FTL::AbstractHeap::range):
        (JSC::FTL::AbstractHeap::offset):
        (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
        (JSC::FTL::IndexedAbstractHeap::at):
        (JSC::FTL::IndexedAbstractHeap::operator[]):
        (JSC::FTL::IndexedAbstractHeap::returnInitialized):
        (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
        (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
        (JSC::FTL::AbstractHeap::changeParent): Deleted.
        (JSC::FTL::AbstractField::AbstractField): Deleted.
        (JSC::FTL::AbstractField::initialize): Deleted.
        (JSC::FTL::AbstractField::offset): Deleted.
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
        (JSC::FTL::AbstractHeapRepository::decorateMemory):
        (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
        (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
        (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
        (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
        * ftl/FTLAbstractHeapRepository.h:
        (JSC::FTL::AbstractHeapRepository::forArrayType):
        (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::load8SignExt32):
        (JSC::FTL::Output::load8ZeroExt32):
        (JSC::FTL::Output::load16SignExt32):
        (JSC::FTL::Output::load16ZeroExt32):
        (JSC::FTL::Output::store):
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        (JSC::FTL::Output::baseIndex):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::address):
        (JSC::FTL::Output::absolute):
        (JSC::FTL::Output::load8SignExt32):
        (JSC::FTL::Output::load8ZeroExt32):
        (JSC::FTL::Output::load16SignExt32):
        (JSC::FTL::Output::load16ZeroExt32):
        (JSC::FTL::Output::load32):
        (JSC::FTL::Output::load64):
        (JSC::FTL::Output::loadPtr):
        (JSC::FTL::Output::loadDouble):
        (JSC::FTL::Output::store32):
        (JSC::FTL::Output::store64):
        (JSC::FTL::Output::storePtr):
        (JSC::FTL::Output::storeDouble):
        (JSC::FTL::Output::ascribeRange):
        (JSC::FTL::Output::nonNegative32):
        (JSC::FTL::Output::load32NonNegative):
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        * ftl/FTLTypedPointer.h:
        (JSC::FTL::TypedPointer::operator!):
        (JSC::FTL::TypedPointer::heap):
        (JSC::FTL::TypedPointer::value):
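
        The range numbering described in this entry, as an added example (editor's own code, not WebKit's): a stand-in AbstractHeap hierarchy assigns [begin, end) ranges by recursive traversal, checks the three invariants listed above, decides aliasing by range overlap, and shows why a heap added after compute() shifts the ranges of the heaps "to the right" of it. The heap names and the shape of the hierarchy are constructed for illustration, not FTL's real list.

```cpp
#include <cstdint>
#include <vector>

// Constructed stand-in for B3's HeapRange (example code, not WebKit's): an operation
// tagged [begin, end) may touch every abstract heap H with begin <= H < end.
struct HeapRange {
    uint32_t begin = 0;
    uint32_t end = 0;

    // Two operations may alias iff their half-open ranges share a heap number.
    bool overlaps(const HeapRange& other) const
    {
        return begin < other.end && other.begin < end;
    }
};

// Constructed stand-in for an FTL AbstractHeap node: a named heap with a parent and children.
class AbstractHeap {
public:
    explicit AbstractHeap(const char* name, AbstractHeap* parent = nullptr)
        : m_name(name), m_parent(parent)
    {
        if (parent)
            parent->m_children.push_back(this);
    }

    const char* name() const { return m_name; }
    const HeapRange& range() const { return m_range; }

    // Recursive numbering: a leaf takes one heap number, an inner heap's range is the union of
    // its children's, so ranges nest in the parent's and siblings are disjoint. Returns next free number.
    uint32_t compute(uint32_t begin = 0)
    {
        m_range.begin = begin;
        uint32_t next = m_children.empty() ? begin + 1 : begin;
        for (AbstractHeap* child : m_children)
            next = child->compute(next);
        m_range.end = next;
        return next;
    }

    // Checks the three invariants listed in the ChangeLog for this heap and all descendants.
    bool rangesAreWellFormed() const
    {
        if (m_range.end <= m_range.begin)
            return false;
        if (m_parent && (m_range.begin < m_parent->m_range.begin || m_range.end > m_parent->m_range.end))
            return false;
        for (const AbstractHeap* child : m_children)
            if (!child->rangesAreWellFormed())
                return false;
        return true;
    }

private:
    const char* m_name;
    AbstractHeap* m_parent;
    std::vector<AbstractHeap*> m_children;
    HeapRange m_range;
};

// A memory operation on heap a and one on heap b may alias iff their ranges overlap.
bool mayAlias(const AbstractHeap& a, const AbstractHeap& b)
{
    return a.range().overlaps(b.range());
}

// Constructed hierarchy in the spirit of FTL's (heap names are illustrative, not FTL's real list).
// Numbering after compute(): structureID [0,1) indexingType [1,2) JSCell_header [0,2)
// publicLength [2,3) vectorLength [3,4) Butterfly [2,4) variables [4,5) root [0,5).
struct DemoHeaps {
    AbstractHeap root { "root" };
    AbstractHeap header { "JSCell_header", &root };
    AbstractHeap structureID { "structureID", &header };
    AbstractHeap indexingType { "indexingType", &header };
    AbstractHeap butterfly { "Butterfly", &root };
    AbstractHeap publicLength { "publicLength", &butterfly };
    AbstractHeap vectorLength { "vectorLength", &butterfly };
    AbstractHeap variables { "variables", &root };
    DemoHeaps() { root.compute(); }
    DemoHeaps(const DemoHeaps&) = delete;
};

// Why FTL defers decoration until lowering is done: a heap discovered after compute() shifts
// the range of every heap "to the right" of it. Returns how far Butterfly's begin moves when
// one field heap is added under JSCell_header and the hierarchy is recomputed.
uint32_t shiftCausedByLateInsertion()
{
    AbstractHeap root("root");
    AbstractHeap header("JSCell_header", &root);
    AbstractHeap structureID("structureID", &header);
    AbstractHeap butterfly("Butterfly", &root);
    root.compute();
    uint32_t before = butterfly.range().begin;

    AbstractHeap indexingType("indexingType", &header); // late-discovered field heap
    root.compute();
    return butterfly.range().begin - before;
}
```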

2016-02-28  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
        https://bugs.webkit.org/show_bug.cgi?id=153981

        Reviewed by Saam Barati.

        In the first iteration of the arrow function implementation, we emitted loads and stores of the
        variables 'this', 'arguments', 'super' and 'new.target' whenever an arrow function existed, even if
        those variables were not used in the arrow function. The current patch adds logic that prevents
        emitting those variables if they are not used in the arrow function. During syntax analysis, the
        parser stores information about the variables used in the arrow function inside the ordinary
        function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createBracketAccess):
        (JSC::ASTBuilder::createDotAccess):
        (JSC::ASTBuilder::usesSuperCall):
        (JSC::ASTBuilder::usesSuperProperty):
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ModuleProgramNode::ModuleProgramNode):
        (JSC::EvalNode::EvalNode):
        (JSC::FunctionNode::FunctionNode):
        * parser/Nodes.h:
        (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
        (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
        (JSC::ScopeNode::usesSuperCall):
        (JSC::ScopeNode::usesSuperProperty):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::isArrowFunctionBoundary):
        (JSC::Scope::innerArrowFunctionFeatures):
        (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
        (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
        (JSC::Scope::setInnerArrowFunctionUsesEval):
        (JSC::Scope::setInnerArrowFunctionUsesThis):
        (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
        (JSC::Scope::setInnerArrowFunctionUsesArguments):
        (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::setIsArrowFunction):
        (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
        (JSC::Parser::pushScope):
        (JSC::Parser::popScopeInternal):
        (JSC::Parser<LexerType>::parse):
        * parser/ParserModes.h:
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionMetadata):
        * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
        * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
        * tests/stress/arrowfunction-lexical-bind-newtarget.js:
        * tests/stress/arrowfunction-lexical-bind-superproperty.js:
        * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.

2016-02-28  Saam barati  <sbarati@apple.com>

        ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
        https://bugs.webkit.org/show_bug.cgi?id=154768

        Reviewed by Ryosuke Niwa.

        This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
        http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
        We weren't correctly propagating the result of this operation to the
        out PropertySlot& parameter. This patch fixes that and adds tests.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        I added a missing exception check after object allocation
        because I saw that it was missing while reading the code.

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setUndefined):
        (JSC::PropertyDescriptor::slowGetterSetter):
        (JSC::PropertyDescriptor::getter):
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::attributes):
        (JSC::PropertyDescriptor::value):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        * tests/es6.yaml:
        * tests/stress/proxy-get-own-property.js:
        (let.handler.getOwnPropertyDescriptor):
        (set get let.handler.return):
        (set get let.handler.getOwnPropertyDescriptor):
        (set get let):
        (set get let.a):
        (let.b):
        (let.setter):
        (let.getter):

2016-02-27  Andy VanWagoner  <thetalecrafter@gmail.com>

        Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
        https://bugs.webkit.org/show_bug.cgi?id=152448

        Reviewed by Darin Adler.

        Add defaultLanguage to the globalObjectMethodTable and use it for the
        default locale in Intl object initializations. Fall back to ICU default
        locale only if the defaultLanguage function is null, or returns an
        empty string.

        * jsc.cpp:
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):
        (JSC::lookupMatcher):
        (JSC::bestFitMatcher):
        (JSC::resolveLocale):
        * runtime/IntlObject.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::toLocaleCase):

2016-02-27  Oliver Hunt  <oliver@apple.com>

        CLoop build fix.

        * jit/ExecutableAllocatorFixedVMPool.cpp:

2016-02-26  Oliver Hunt  <oliver@apple.com>

        Remove the on demand executable allocator
        https://bugs.webkit.org/show_bug.cgi?id=154749

        Reviewed by Geoffrey Garen.

        Remove all the DemandExecutable code and executable allocator ifdefs.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/ExecutableAllocator.cpp: Removed.
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
        (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
        (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
        (JSC::DemandExecutableAllocator::allocators): Deleted.
        (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
        (JSC::ExecutableAllocator::initializeAllocator): Deleted.
        (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
        (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
        (JSC::ExecutableAllocator::isValid): Deleted.
        (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
        (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
        (JSC::ExecutableAllocator::allocate): Deleted.
        (JSC::ExecutableAllocator::committedByteCount): Deleted.
        (JSC::ExecutableAllocator::dumpProfile): Deleted.
        (JSC::ExecutableAllocator::getLock): Deleted.
        (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
        (JSC::ExecutableAllocator::reprotectRegion): Deleted.
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
        (JSC::JITStubRoutine::filteringStartAddress): Deleted.
        (JSC::JITStubRoutine::filteringExtentSize): Deleted.

2016-02-26  Joseph Pecoraro  <pecoraro@apple.com>

        Reduce direct callers of Structure::findStructuresAndMapForMaterialization
        https://bugs.webkit.org/show_bug.cgi?id=154751

        Reviewed by Mark Lam.

        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        This property name iteration is identical to Structure::forEachPropertyConcurrently.
        Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.

2016-02-26  Mark Lam  <mark.lam@apple.com>

        Function.name and Function.length should be configurable.
        https://bugs.webkit.org/show_bug.cgi?id=154604

        Reviewed by Saam Barati.

        According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
        "Unless otherwise specified, the name property of a built-in Function object,
        if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
        [[Configurable]]: true }."

        Similarly, "the length property of a built-in Function object has the attributes
        { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."

        This patch makes Function.name and Function.length configurable.

        We do this by lazily reifying the JSFunction name and length properties on first
        access.  We track whether each of these properties has been reified using flags
        in the FunctionRareData.  On first access, if not already reified, we will put
        the property into the object with its default value and attributes and set the
        reified flag.  Thereafter, we rely on the base JSObject to handle access to the
        property.

        Also, lots of test results have to be re-baselined because the old Function.length
        has attribute DontDelete, which is in conflict with the ES6 requirement that it
        is configurable.

        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::hasReifiedLength):
        (JSC::FunctionRareData::setHasReifiedLength):
        (JSC::FunctionRareData::hasReifiedName):
        (JSC::FunctionRareData::setHasReifiedName):
        - Flags for tracking whether each property has been reified.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::createBuiltinFunction):
        - Host and builtin functions currently always reify their name and length
          properties.  Currently, for builtins, the default names that are used may
          differ from the executable name.  For now, we'll stay with keeping this
          alternate approach to getting the name and length properties for host and
          builtin functions.
          However, we need their default attribute to be configurable as well.

        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::lengthGetter): Deleted.
        (JSC::JSFunction::nameGetter): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::hasReifiedLength):
        (JSC::JSFunction::hasReifiedName):

        * tests/es6.yaml:
        - 4 new passing tests.

        * tests/mozilla/ecma/Array/15.4.4.3-1.js:
        * tests/mozilla/ecma/Array/15.4.4.4-1.js:
        * tests/mozilla/ecma/Array/15.4.4.4-2.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
        * tests/mozilla/ecma/String/15.5.4.10-1.js:
        * tests/mozilla/ecma/String/15.5.4.11-1.js:
        * tests/mozilla/ecma/String/15.5.4.11-5.js:
        * tests/mozilla/ecma/String/15.5.4.12-1.js:
        * tests/mozilla/ecma/String/15.5.4.6-2.js:
        * tests/mozilla/ecma/String/15.5.4.7-2.js:
        * tests/mozilla/ecma/String/15.5.4.8-1.js:
        * tests/mozilla/ecma/String/15.5.4.9-1.js:
        - Rebase expected test results.

        * tests/stress/function-configurable-properties.js: Added.

2016-02-26  Keith Miller  <keith_miller@apple.com>

        Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
        https://bugs.webkit.org/show_bug.cgi?id=154743

        Reviewed by Mark Lam.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2016-02-26  Keith Miller  <keith_miller@apple.com>

        Native Typed Array functions should use Symbol.species
        https://bugs.webkit.org/show_bug.cgi?id=154569

        Reviewed by Michael Saboff.

        This patch adds support for Symbol.species in the native Typed Array prototype
        functions. Additionally, now that other types of typedarrays are creatable inside
        the slice, we use the JSGenericTypedArrayView::set function, which has been beefed
        up, to put everything into the correct place.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::set):
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        * tests/stress/typedarray-slice.js:
        (subclasses.typedArrays.map):
        (testSpecies):
        (forEach):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):
        (testSpeciesWithSameBuffer):
        * tests/stress/typedarray-subarray.js: Added.
        (subclasses.typedArrays.map):
        (testSpecies):
        (forEach):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):

2016-02-26  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
        https://bugs.webkit.org/show_bug.cgi?id=154704

        Reviewed by Geoffrey Garen.

        If the Imm is zero, we should still zero the top bits
        to match the definition in AirOpcodes.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::add32):
        * b3/testb3.cpp:

2016-02-26  Oliver Hunt  <oliver@apple.com>

        Make testRegExp not crash when given an invalid regexp
        https://bugs.webkit.org/show_bug.cgi?id=154732

        Reviewed by Mark Lam.

        * testRegExp.cpp:
        (parseRegExpLine):

2016-02-26  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Add the test for r197155
        https://bugs.webkit.org/show_bug.cgi?id=154715

        Reviewed by Mark Lam.

        Silly me. I forgot the test in the latest patch update.

        * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.

2016-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Drop unnecessary proved type branch in ToPrimitive
        https://bugs.webkit.org/show_bug.cgi?id=154716

        Reviewed by Geoffrey Garen.

        This branching based on the proved types is unnecessary because this is already handled in the constant folding phase.
        In fact, the DFGSpeculativeJIT64.cpp case is already removed in r164243.
        This patch removes the remaining JIT32_64 case.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-02-25  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
        https://bugs.webkit.org/show_bug.cgi?id=154575

        Reviewed by Filip Pizlo.

        I noticed that imaging-gaussian-blur spends most of its
        samples in DFG code despite executing most of the loop
        iterations in FTL.

        On this particular test, the main function is only entered
        once and has a very heavy loop there. What happens is DFG
        starts by compiling the full function in FTL. That takes about
        8 to 10 milliseconds during which the DFG code makes very little
        progress. The calls to triggerOSREntryNow() try to OSR Enter
        for a while then finally start compiling something. By the time
        the function is ready, we have wasted a lot of time in DFG code.

        What this patch does is set a flag when a DFG function is entered.
        If we try to triggerOSREntryNow() and the flag was never set,
        we start compiling both the full function and the one for OSR Entry.

        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan): Deleted.
        * dfg/DFGPlan.h:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):

2016-02-25  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
        https://bugs.webkit.org/show_bug.cgi?id=154664

        Reviewed by Saam Barati.

        When doing OSR Enter into a constructor, we lose the information
        that this may have been set to empty by a previously executed block.

        All the code just assumed the type for a FlushedJS value and thus
        not an empty value. It was then okay to eliminate the TDZ checks.

        In this patch, the values on root entry now assume they may be empty.
        As a result, the SetArgument() for "this" has "empty" as possible
        type and the TDZ checks are no longer eliminated.

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):

2016-02-25  Ada Chan  <adachan@apple.com>

        Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
        https://bugs.webkit.org/show_bug.cgi?id=154702

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:

2016-02-25  Saam barati  <sbarati@apple.com>

        [ES6] for...in iteration doesn't comply with the specification
        https://bugs.webkit.org/show_bug.cgi?id=154665

        Reviewed by Michael Saboff.

        If you read ForIn/OfHeadEvaluation inside the spec:
        https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
        It calls EnumerateObjectProperties(obj) to get a set of properties
        to enumerate over (it models this "set" as an ES6 generator function).
        EnumerateObjectProperties is defined in section 13.7.5.15:
        https://tc39.github.io/ecma262/#sec-enumerate-object-properties
        The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
        properties it sees. We must do the same by modeling the operation as
        a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasPropertyGeneric):
        * runtime/JSObject.h:
        * tests/stress/proxy-get-own-property.js:
        (assert):
        (let.handler.getOwnPropertyDescriptor):
        (i.set assert):

2016-02-25  Saam barati  <sbarati@apple.com>

        [ES6] Implement Proxy.[[Set]]
        https://bugs.webkit.org/show_bug.cgi?id=154511

        Reviewed by Filip Pizlo.

        This patch is mostly an implementation of
        Proxy.[[Set]] with respect to section 9.5.9
        of the ECMAScript spec.
        https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver

        This patch also changes JSObject::putInline and JSObject::putByIndex
        to be aware that a Proxy in the prototype chain will intercept
        property accesses.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canPerformFastPutInline):
        (JSC::JSObject::putInline):
        * runtime/JSType.h:
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::getOwnPropertySlotByIndex):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::put):
        (JSC::ProxyObject::putByIndexCommon):
        (JSC::ProxyObject::putByIndex):
        (JSC::performProxyCall):
        (JSC::ProxyObject::getCallData):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::deletePropertyByIndex):
        (JSC::ProxyObject::visitChildren):
        * runtime/ProxyObject.h:
        (JSC::ProxyObject::create):
        (JSC::ProxyObject::createStructure):
        (JSC::ProxyObject::target):
        (JSC::ProxyObject::handler):
        * tests/es6.yaml:
        * tests/stress/proxy-set.js: Added.
        (assert):
        (throw.new.Error.let.handler.set 45):
        (throw.new.Error):
        (let.target.set x):
        (let.target.get x):
        (set let):

680 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
681
682         [JSC] Remove a useless "Move" in the lowering of Select
683         https://bugs.webkit.org/show_bug.cgi?id=154670
684
685         Reviewed by Geoffrey Garen.
686
687         I left the Move instruction when creating the aliasing form
688         of Select.
689
690         On ARM64, that meant a useless move for any case that can't
691         be coalesced.
692
693         On x86, that meant an extra constraint on child2, making it
694         stupidly hard to alias child1.
695
696         * b3/B3LowerToAir.cpp:
697         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
698
699 2016-02-24  Joseph Pecoraro  <pecoraro@apple.com>
700
701         Web Inspector: Expose Proxy target and handler internal properties to Inspector
702         https://bugs.webkit.org/show_bug.cgi?id=154663
703
704         Reviewed by Timothy Hatcher.
705
706         * inspector/JSInjectedScriptHost.cpp:
707         (Inspector::JSInjectedScriptHost::getInternalProperties):
708         Expose the ProxyObject's target and handler.
709
710 2016-02-24  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
711
712         [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
713         https://bugs.webkit.org/show_bug.cgi?id=151688
714
715         Reviewed by Dean Jackson.
716
717         Enables the WEB_ANIMATIONS compiler switch.
718
719         * Configurations/FeatureDefines.xcconfig:
720
721 2016-02-24  Konstantin Tokarev  <annulen@yandex.ru>
722
723         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
724         https://bugs.webkit.org/show_bug.cgi?id=154651
725
726         Reviewed by Alex Christensen.
727
728         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
729
730 2016-02-24  Commit Queue  <commit-queue@webkit.org>
731
732         Unreviewed, rolling out r197033.
733         https://bugs.webkit.org/show_bug.cgi?id=154649
734
735         "It broke JSC tests when 'this' was loaded from global scope"
736         (Requested by saamyjoon on #webkit).
737
738         Reverted changeset:
739
740         "[ES6] Arrow function syntax. Emit loading&putting this/super
741         only if they are used in arrow function"
742         https://bugs.webkit.org/show_bug.cgi?id=153981
743         http://trac.webkit.org/changeset/197033
744
745 2016-02-24  Saam Barati  <sbarati@apple.com>
746
747         [ES6] Implement Proxy.[[Delete]]
748         https://bugs.webkit.org/show_bug.cgi?id=154607
749
750         Reviewed by Mark Lam.
751
752         This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
753         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
754
755         * runtime/ProxyObject.cpp:
756         (JSC::ProxyObject::getConstructData):
757         (JSC::ProxyObject::performDelete):
758         (JSC::ProxyObject::deleteProperty):
759         (JSC::ProxyObject::deletePropertyByIndex):
760         * runtime/ProxyObject.h:
761         * tests/es6.yaml:
762         * tests/stress/proxy-delete.js: Added.
763         (assert):
764         (throw.new.Error.let.handler.get deleteProperty):
765         (throw.new.Error):
766         (assert.let.handler.deleteProperty):
767         (let.handler.deleteProperty):
768
769 2016-02-24  Filip Pizlo  <fpizlo@apple.com>
770
771         Stackmaps have problems with double register constraints
772         https://bugs.webkit.org/show_bug.cgi?id=154643
773
774         Reviewed by Geoffrey Garen.
775
776         This is currently a benign bug. I found it while playing.
777
778         * b3/B3LowerToAir.cpp:
779         (JSC::B3::Air::LowerToAir::fillStackmap):
780         * b3/testb3.cpp:
781         (JSC::B3::testURShiftSelf64):
782         (JSC::B3::testPatchpointDoubleRegs):
783         (JSC::B3::zero):
784         (JSC::B3::run):
785
786 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
787
788         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
789         https://bugs.webkit.org/show_bug.cgi?id=153981
790
791         Reviewed by Saam Barati.
792
793         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
794         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
795         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
796         During syntax analysis, the parser stores information about the variables used in the arrow function inside
797         the ordinary function scope and then passes it to BytecodeGenerator through UnlinkedCodeBlock.
798
799         * bytecode/ExecutableInfo.h:
800         (JSC::ExecutableInfo::ExecutableInfo):
801         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
802         * bytecode/UnlinkedCodeBlock.cpp:
803         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
804         * bytecode/UnlinkedCodeBlock.h:
805         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
806         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
807         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
808         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
809         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
810         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
811         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
812         * bytecode/UnlinkedFunctionExecutable.cpp:
813         (JSC::generateUnlinkedFunctionCodeBlock):
814         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
815         * bytecode/UnlinkedFunctionExecutable.h:
816         * bytecompiler/BytecodeGenerator.cpp:
817         (JSC::BytecodeGenerator::BytecodeGenerator):
818         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
819         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
820         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
821         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
822         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
823         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
824         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
825         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
826         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
827         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
828         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
829         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
830         * bytecompiler/BytecodeGenerator.h:
831         * bytecompiler/NodesCodegen.cpp:
832         (JSC::ThisNode::emitBytecode):
833         (JSC::EvalFunctionCallNode::emitBytecode):
834         (JSC::FunctionCallValueNode::emitBytecode):
835         (JSC::FunctionNode::emitBytecode):
836         * parser/ASTBuilder.h:
837         (JSC::ASTBuilder::createFunctionMetadata):
838         * parser/Nodes.cpp:
839         (JSC::FunctionMetadataNode::FunctionMetadataNode):
840         * parser/Nodes.h:
841         * parser/Parser.cpp:
842         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
843         (JSC::Parser<LexerType>::parseFunctionBody):
844         (JSC::Parser<LexerType>::parseFunctionInfo):
845         (JSC::Parser<LexerType>::parseProperty):
846         (JSC::Parser<LexerType>::parsePrimaryExpression):
847         (JSC::Parser<LexerType>::parseMemberExpression):
848         * parser/Parser.h:
849         (JSC::Scope::Scope):
850         (JSC::Scope::isArrowFunctionBoundary):
851         (JSC::Scope::innerArrowFunctionFeatures):
852         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
853         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
854         (JSC::Scope::setInnerArrowFunctionUseEval):
855         (JSC::Scope::setInnerArrowFunctionUseThis):
856         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
857         (JSC::Scope::setInnerArrowFunctionUseArguments):
858         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
859         (JSC::Scope::collectFreeVariables):
860         (JSC::Scope::mergeInnerArrowFunctionFeatures):
861         (JSC::Scope::fillParametersForSourceProviderCache):
862         (JSC::Scope::restoreFromSourceProviderCache):
863         (JSC::Scope::setIsFunction):
864         (JSC::Scope::setIsArrowFunction):
865         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
866         (JSC::Parser::pushScope):
867         (JSC::Parser::popScopeInternal):
868         * parser/ParserModes.h:
869         * parser/SourceProviderCacheItem.h:
870         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
871         * parser/SyntaxChecker.h:
872         (JSC::SyntaxChecker::createFunctionMetadata):
873         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
874         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
875         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
876         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
877         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
878
879 2016-02-23  Brian Burg  <bburg@apple.com>
880
881         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
882         https://bugs.webkit.org/show_bug.cgi?id=154615
883         <rdar://problem/24804330>
884
885         Reviewed by Timothy Hatcher.
886
887         Some of the generated Objective-C bindings are only relevant to code acting as the
888         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
889         --backend to all generators. Use the setting in a few generators to omit code that's
890         not needed.
891
892         Also fix a few places where the code emits the wrong Objective-C class prefix.
893         There is some common non-generated code that must always have the RWIProtocol prefix.
894
895         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
896         macros defined in the internal header now need to be used outside of the framework.
897
898         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
899         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
900         depending on the target framework.
901
902         * inspector/scripts/codegen/generate_objc_header.py:
903         (ObjCHeaderGenerator.generate_output):
904         For now, omit generating command protocol and event dispatchers when generating for --frontend.
905
906         (ObjCHeaderGenerator._generate_type_interface):
907         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
908
909         * inspector/scripts/codegen/generate_objc_internal_header.py:
910         Use RWIProtocolJSONObjectPrivate.h instead.
911
912         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
913         (ObjCProtocolTypesImplementationGenerator.generate_output):
914         Include the Internal header if it's being generated (only for --backend).
915
916         * inspector/scripts/codegen/generator.py:
917         (Generator.__init__):
918         (Generator.set_generator_setting):
919         (Generator):
920         (Generator.get_generator_setting):
921         Crib a simple setting system from the Framework class. Make the names more obnoxious.
922
923         (Generator.string_for_file_include):
924         Inspired by the replay input generator, this is a function that uses the proper syntax
925         for a file include depending on the file's framework and target framework.
926
927         * inspector/scripts/codegen/objc_generator.py:
928         (ObjCGenerator.and):
929         (ObjCGenerator.and.objc_prefix):
930         (ObjCGenerator):
931         (ObjCGenerator.objc_type_for_raw_name):
932         (ObjCGenerator.objc_class_for_raw_name):
933         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
934
935         * inspector/scripts/generate-inspector-protocol-bindings.py:
936         (generate_from_specification):
937         Change the generators to use for the frontend. Propagate --frontend and --backend.
938
939         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
940         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
941         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
942         * inspector/scripts/tests/expected/enum-values.json-result:
943         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
944         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
945         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
946         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
947         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
948         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
949         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
950         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
951         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
952         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
953
954 2016-02-23  Saam barati  <sbarati@apple.com>
955
956         arrayProtoFuncConcat doesn't check for an exception after allocating an array
957         https://bugs.webkit.org/show_bug.cgi?id=154621
958
959         Reviewed by Michael Saboff.
960
961         * runtime/ArrayPrototype.cpp:
962         (JSC::arrayProtoFuncConcat):
963
964 2016-02-23  Dan Bernstein  <mitz@apple.com>
965
966         [Xcode] Linker errors display mangled names, but no longer should
967         https://bugs.webkit.org/show_bug.cgi?id=154632
968
969         Reviewed by Sam Weinig.
970
971         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
972
973 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
974
975         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
976         https://bugs.webkit.org/show_bug.cgi?id=112323
977
978         Reviewed by Chris Dumez.
979
980         This feature is controlled by a runtime switch, and defaults off.
981
982         * Configurations/FeatureDefines.xcconfig:
983
984 2016-02-23  Keith Miller  <keith_miller@apple.com>
985
986         JSC stress tests' standalone-pre.js should exit on the first failure by default
987         https://bugs.webkit.org/show_bug.cgi?id=154565
988
989         Reviewed by Mark Lam.
990
991         Currently, if a test writer does not call finishJSTest() at the end of
992         any test using stress/resources/standalone-pre.js then the test can fail
993         without actually reporting an error to the harness. By default, we
994         should throw on the first error so, in the event someone does not call
995         finishJSTest() the harness will still notice the error.
996
997         * tests/stress/regress-151324.js:
998         * tests/stress/resources/standalone-pre.js:
999         (testFailed):
1000
1001 2016-02-23  Saam barati  <sbarati@apple.com>
1002
1003         Make JSObject::getMethod have fewer branches
1004         https://bugs.webkit.org/show_bug.cgi?id=154603
1005
1006         Reviewed by Mark Lam.
1007
1008         Writing code with fewer branches is almost always better.
1009
1010         * runtime/JSObject.cpp:
1011         (JSC::JSObject::getMethod):
1012
1013 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
1014
1015         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1016         https://bugs.webkit.org/show_bug.cgi?id=154592
1017
1018         Reviewed by Saam Barati.
1019
1020         If Foo has a virtual destructor, then:
1021
1022         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1023         subclass of Foo that overrides the destructor, this syntax will not call that override.
1024
1025         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1026         get the subclass's override.
1027
1028         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1029         This caused leaks because this didn't actually call the subclass's override. This fixes the
1030         problem by using this->~Value() instead.
1031
1032         * b3/B3ControlValue.cpp:
1033         (JSC::B3::ControlValue::convertToJump):
1034         (JSC::B3::ControlValue::convertToOops):
1035         * b3/B3Value.cpp:
1036         (JSC::B3::Value::replaceWithIdentity):
1037         (JSC::B3::Value::replaceWithNop):
1038         (JSC::B3::Value::replaceWithPhi):
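
The leak described above, as an added example that is not part of this ChangeLog or of WebKit's code: a subclass owning a buffer is destroyed through a qualified `Value::~Value()` call (only the base destructor runs, so the buffer leaks) and then through `~Value()` (virtual dispatch runs the subclass destructor). The class names, counters and the in-place replacement helper are hypothetical stand-ins; destroying the object and then constructing a replacement in the same storage is the pattern assumed here for B3's replaceWith* helpers.

```cpp
// Added example (not WebKit code): why `this->Value::~Value()` leaks when `this`
// really points at a subclass, while `this->~Value()` does not. Value, Child and
// DtorCounts are hypothetical stand-ins for B3::Value and its subclasses.
#include <cassert>
#include <cstddef>
#include <new>

// Per-run bookkeeping so the effect of each destructor spelling is observable.
struct DtorCounts {
    int base = 0;        // times the Value::~Value() body ran
    int derived = 0;     // times the Child::~Child() body ran
    int liveBuffers = 0; // buffers allocated by Child and not yet released
};

struct Value {
    explicit Value(DtorCounts& c) : counts(c) {}
    virtual ~Value() { counts.base++; }
    DtorCounts& counts;
};

// A subclass that owns a resource, like a B3 Value subclass with extra state.
struct Child : Value {
    explicit Child(DtorCounts& c) : Value(c), payload(new int[16]) { counts.liveBuffers++; }
    ~Child() override {
        counts.derived++;
        counts.liveBuffers--;
        delete[] payload;
    }
    int* payload;
};

// The buggy spelling: a qualified name forces a non-virtual call, so only
// Value's destructor body runs even though *v is really a Child.
void destroyNonVirtually(Value* v) { v->Value::~Value(); }

// The fix: an unqualified destructor call dispatches virtually.
void destroyVirtually(Value* v) { v->~Value(); }

// Mimics the in-place replacement pattern (assumed): destroy the old object
// with the given spelling, then construct a plain Value in the same storage.
DtorCounts replaceInPlace(void (*destroy)(Value*)) {
    DtorCounts counts;
    alignas(Child) unsigned char storage[sizeof(Child)];
    Value* v = new (storage) Child(counts); // static type Value*, dynamic type Child
    destroy(v);
    Value* replacement = new (storage) Value(counts);
    replacement->~Value();
    return counts;
}

int main() {
    DtorCounts leaky = replaceInPlace(destroyNonVirtually);
    assert(leaky.derived == 0 && leaky.liveBuffers == 1); // Child's cleanup never ran: leak
    DtorCounts clean = replaceInPlace(destroyVirtually);
    assert(clean.derived == 1 && clean.liveBuffers == 0);  // subclass override ran, nothing leaked
    return 0;
}
```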
1039
1040 2016-02-23  Brian Burg  <bburg@apple.com>
1041
1042         Web Inspector: the protocol generator's Objective-C name prefix should be configurable
1043         https://bugs.webkit.org/show_bug.cgi?id=154596
1044         <rdar://problem/24794962>
1045
1046         Reviewed by Timothy Hatcher.
1047
1048         In order to support different generated protocol sets that don't have conflicting
1049         file and type names, allow the Objective-C prefix to be configurable based on the
1050         target framework. Each name also has the implicit prefix 'Protocol' appended to the
1051         per-target framework prefix.
1052
1053         For example, the existing protocol for remote inspection has the prefix 'RWI'
1054         and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
1055         and is generated as 'AutomationProtocol'.
1056
1057         To make this change, convert ObjCGenerator to be a subclass of Generator and use
1058         the instance method model() to find the target framework and its setting for
1059         'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
1060         these instance methods that used to be static methods. This is a large but
1061         mechanical change to use self instead of ObjCGenerator.
1062
1063         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1064         (ObjCBackendDispatcherHeaderGenerator):
1065         (ObjCBackendDispatcherHeaderGenerator.__init__):
1066         (ObjCBackendDispatcherHeaderGenerator.output_filename):
1067         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1068         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1069         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1070         (ObjCConfigurationImplementationGenerator):
1071         (ObjCConfigurationImplementationGenerator.__init__):
1072         (ObjCConfigurationImplementationGenerator.output_filename):
1073         (ObjCConfigurationImplementationGenerator.generate_output):
1074         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1075         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
1076         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
1077         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1078         (ObjCConfigurationHeaderGenerator):
1079         (ObjCConfigurationHeaderGenerator.__init__):
1080         (ObjCConfigurationHeaderGenerator.output_filename):
1081         (ObjCConfigurationHeaderGenerator.generate_output):
1082         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1083         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1084         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1085         (ObjCBackendDispatcherImplementationGenerator):
1086         (ObjCBackendDispatcherImplementationGenerator.__init__):
1087         (ObjCBackendDispatcherImplementationGenerator.output_filename):
1088         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1089         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1090         (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
1091         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
1092         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
1093         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1094         (ObjCConversionHelpersGenerator):
1095         (ObjCConversionHelpersGenerator.__init__):
1096         (ObjCConversionHelpersGenerator.output_filename):
1097         (ObjCConversionHelpersGenerator.generate_output):
1098         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
1099         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
1100         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
1101         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1102         (ObjCFrontendDispatcherImplementationGenerator):
1103         (ObjCFrontendDispatcherImplementationGenerator.__init__):
1104         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1105         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1106         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1107         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1108         (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
1109         (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
1110         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1111         * inspector/scripts/codegen/generate_objc_header.py:
1112         (ObjCHeaderGenerator):
1113         (ObjCHeaderGenerator.__init__):
1114         (ObjCHeaderGenerator.output_filename):
1115         (ObjCHeaderGenerator.generate_output):
1116         (ObjCHeaderGenerator._generate_forward_declarations):
1117         (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
1118         (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
1119         (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
1120         (ObjCHeaderGenerator._generate_type_interface):
1121         (ObjCHeaderGenerator._generate_init_method_for_required_members):
1122         (ObjCHeaderGenerator._generate_member_property):
1123         (ObjCHeaderGenerator._generate_command_protocols):
1124         (ObjCHeaderGenerator._generate_single_command_protocol):
1125         (ObjCHeaderGenerator._callback_block_for_command):
1126         (ObjCHeaderGenerator._generate_event_interfaces):
1127         (ObjCHeaderGenerator._generate_single_event_interface):
1128         * inspector/scripts/codegen/generate_objc_internal_header.py:
1129         (ObjCInternalHeaderGenerator):
1130         (ObjCInternalHeaderGenerator.__init__):
1131         (ObjCInternalHeaderGenerator.output_filename):
1132         (ObjCInternalHeaderGenerator.generate_output):
1133         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1134         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1135         (ObjCProtocolTypesImplementationGenerator):
1136         (ObjCProtocolTypesImplementationGenerator.__init__):
1137         (ObjCProtocolTypesImplementationGenerator.output_filename):
1138         (ObjCProtocolTypesImplementationGenerator.generate_output):
1139         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1140         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
1141         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
1142         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
1143         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
1144         (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
1145         * inspector/scripts/codegen/models.py:
1146         * inspector/scripts/codegen/objc_generator.py:
1147         (ObjCTypeCategory.category_for_type):
1148         (ObjCGenerator):
1149         (ObjCGenerator.__init__):
1150         (ObjCGenerator.objc_prefix):
1151         (ObjCGenerator.objc_name_for_type):
1152         (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
1153         (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
1154         (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
1155         (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
1156         (ObjCGenerator.objc_class_for_type):
1157         (ObjCGenerator.objc_class_for_array_type):
1158         (ObjCGenerator.objc_accessor_type_for_member):
1159         (ObjCGenerator.objc_accessor_type_for_member_internal):
1160         (ObjCGenerator.objc_type_for_member):
1161         (ObjCGenerator.objc_type_for_member_internal):
1162         (ObjCGenerator.objc_type_for_param):
1163         (ObjCGenerator.objc_type_for_param_internal):
1164         (ObjCGenerator.objc_protocol_export_expression_for_variable):
1165         (ObjCGenerator.objc_protocol_import_expression_for_member):
1166         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
1167         (ObjCGenerator.objc_protocol_import_expression_for_variable):
1168         (ObjCGenerator.objc_to_protocol_expression_for_member):
1169         (ObjCGenerator.protocol_to_objc_expression_for_member):
1170
1171         Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
1172
1173         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1174         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1175         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1176         * inspector/scripts/tests/expected/enum-values.json-result:
1177         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1178         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1179         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1180         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1181         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1182         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1183         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1184         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1185         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1186
1187 2016-02-23  Mark Lam  <mark.lam@apple.com>
1188
1189         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
1190         https://bugs.webkit.org/show_bug.cgi?id=154542
1191
1192         Reviewed by Saam Barati.
1193
1194         According to the spec, the constructors of the following types "are not intended
1195         to be called as a function and will throw an exception".  These types are:
1196             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
1197             Map - https://tc39.github.io/ecma262/#sec-map-constructor
1198             Set - https://tc39.github.io/ecma262/#sec-set-constructor
1199             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
1200             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
1201             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
1202             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
1203             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
1204             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
1205
1206         This patch does the following:
1207         1. Ensures that these constructors can be called but will throw a TypeError
1208            when called.
1209         2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
1210            in their implementation to be consistent.
1211         3. Changes the error message to "calling XXX constructor without new is invalid".
1212            This is clearer because the error is likely due to the user forgetting to use
1213            the new operator on these constructors.
1214
1215         * runtime/Error.h:
1216         * runtime/Error.cpp:
1217         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
1218         - Added a convenience function to throw the TypeError.
1219
1220         * runtime/JSArrayBufferConstructor.cpp:
1221         (JSC::constructArrayBuffer):
1222         (JSC::callArrayBuffer):
1223         (JSC::JSArrayBufferConstructor::getCallData):
1224         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1225         (JSC::callGenericTypedArrayView):
1226         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
1227         * runtime/JSPromiseConstructor.cpp:
1228         (JSC::callPromise):
1229         * runtime/MapConstructor.cpp:
1230         (JSC::callMap):
1231         * runtime/ProxyConstructor.cpp:
1232         (JSC::callProxy):
1233         (JSC::ProxyConstructor::getCallData):
1234         * runtime/SetConstructor.cpp:
1235         (JSC::callSet):
1236         * runtime/WeakMapConstructor.cpp:
1237         (JSC::callWeakMap):
1238         * runtime/WeakSetConstructor.cpp:
1239         (JSC::callWeakSet):
1240
1241         * tests/es6.yaml:
1242         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
1243
1244         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
1245         (test):
1246
1247         * tests/stress/map-constructor.js:
1248         (testCallTypeError):
1249         * tests/stress/promise-cannot-be-called.js:
1250         (shouldThrow):
1251         * tests/stress/proxy-basic.js:
1252         * tests/stress/set-constructor.js:
1253         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
1254         (i.catch):
1255         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
1256         (i.catch):
1257         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
1258         (i.catch):
1259         * tests/stress/weak-map-constructor.js:
1260         (testCallTypeError):
1261         * tests/stress/weak-set-constructor.js:
1262         - Updated error message string.
1263
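        Added example (not part of this patch or of the JavaScriptCore tree): a JavaScript
        probe that checks, for each constructor listed above, that a plain call throws a
        TypeError while `new` still works, and contrasts that with constructors the
        specification leaves callable as functions (Date, Array, Error). The helper names
        callWithoutNew, constructWithNew and probeAll are this example's own.

```javascript
// Added example, not code from the WebKit patch. Probes which built-in
// constructors reject a plain call and which remain callable without `new`.

// Returns "TypeError" if the plain call throws a TypeError, otherwise the
// typeof of whatever the plain call returned (or "other:<name>" for a
// different exception).
function callWithoutNew(ctor, ...args) {
  try {
    return typeof ctor(...args);
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other:" + e.name;
  }
}

// Checks the `new` path separately, so a constructor that is broken both
// ways is not mistaken for a deliberately non-callable one. Proxy has no
// `prototype`, so `instanceof` cannot be used here; an object result suffices.
function constructWithNew(ctor, ...args) {
  try {
    const obj = new ctor(...args);
    return obj !== null && (typeof obj === "object" || typeof obj === "function");
  } catch (e) {
    return false;
  }
}

// Constructors covered by the patch: each must throw a TypeError when called
// as a function and still work with `new`. Arguments are constructed here.
const nonCallable = {
  Map: [Map],
  Set: [Set],
  WeakMap: [WeakMap],
  WeakSet: [WeakSet],
  ArrayBuffer: [ArrayBuffer, 8],
  DataView: [DataView, new ArrayBuffer(8)],
  Promise: [Promise, () => {}],
  Proxy: [Proxy, {}, {}],
  Uint8Array: [Uint8Array, 4], // stands in for the %TypedArray% family
};

// Constructors that ES6 explicitly keeps callable without `new`, for contrast.
const legacyCallable = {
  Date: [Date],
  Array: [Array, 3],
  Error: [Error, "x"],
};

function probeAll(table) {
  const report = {};
  for (const [name, [ctor, ...args]] of Object.entries(table)) {
    report[name] = {
      plainCall: callWithoutNew(ctor, ...args),
      withNew: constructWithNew(ctor, ...args),
    };
  }
  return report;
}

console.log(probeAll(nonCallable));
console.log(probeAll(legacyCallable));
```

        The probe is useful as a regression check against any engine: a constructor in the
        first table that reports anything other than "TypeError" for plainCall is not
        following the ES6 constructor semantics this patch implements.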
1264 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
1265
1266         ASan build fix.
1267
1268         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
1269
1270         * inspector/InspectorBackendDispatcher.h:
1271
1272 2016-02-23  Brian Burg  <bburg@apple.com>
1273
1274         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
1275         https://bugs.webkit.org/show_bug.cgi?id=154518
1276         <rdar://problem/24761096>
1277
1278         Reviewed by Timothy Hatcher.
1279
1280         * inspector/InspectorBackendDispatcher.h:
1281         Export all the classes since they are used by WebKit::WebAutomationSession.
1282
1283 2016-02-22  Brian Burg  <bburg@apple.com>
1284
1285         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1286         https://bugs.webkit.org/show_bug.cgi?id=154509
1287         <rdar://problem/24759098>
1288
1289         Reviewed by Timothy Hatcher.
1290
1291         Add a new 'WebKit' framework, which is used to generate protocol code
1292         in WebKit2.
1293
1294         Add --backend and --frontend flags to the main generator script.
1295         These allow a framework to trigger two different sets of generators
1296         so they can be separately generated and compiled.
1297
1298         * inspector/scripts/codegen/models.py:
1299         (Framework.fromString):
1300         (Frameworks): Add new framework.
1301
1302         * inspector/scripts/generate-inspector-protocol-bindings.py:
1303         If neither --backend nor --frontend is specified, assume both are wanted.
1304         This matches the behavior for JavaScriptCore and WebInspector frameworks.
1305
1306         (generate_from_specification):
1307         Generate C++ files for the backend and Objective-C files for the frontend.
1308
1309 2016-02-22  Saam barati  <sbarati@apple.com>
1310
1311         JSGlobalObject doesn't visit ProxyObjectStructure during GC
1312         https://bugs.webkit.org/show_bug.cgi?id=154564
1313
1314         Rubber stamped by Mark Lam.
1315
1316         * runtime/JSGlobalObject.cpp:
1317         (JSC::JSGlobalObject::visitChildren):
1318
1319 2016-02-22  Saam barati  <sbarati@apple.com>
1320
1321         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
1322         https://bugs.webkit.org/show_bug.cgi?id=154548
1323
1324         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
1325
1326         InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw
1327         an exception. Neither the function nor the call sites of the function took this into
1328         account. This patch audits the call sites of the function to make it work in
1329         the event that an exception is thrown.
1330
1331         * runtime/BooleanConstructor.cpp:
1332         (JSC::constructWithBooleanConstructor):
1333         * runtime/DateConstructor.cpp:
1334         (JSC::constructDate):
1335         * runtime/ErrorConstructor.cpp:
1336         (JSC::Interpreter::constructWithErrorConstructor):
1337         * runtime/FunctionConstructor.cpp:
1338         (JSC::constructFunctionSkippingEvalEnabledCheck):
1339         * runtime/InternalFunction.cpp:
1340         (JSC::InternalFunction::createSubclassStructure):
1341         * runtime/JSArrayBufferConstructor.cpp:
1342         (JSC::constructArrayBuffer):
1343         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1344         (JSC::constructGenericTypedArrayView):
1345         * runtime/JSGlobalObject.h:
1346         (JSC::constructEmptyArray):
1347         (JSC::constructArray):
1348         (JSC::constructArrayNegativeIndexed):
1349         * runtime/JSPromiseConstructor.cpp:
1350         (JSC::constructPromise):
1351         * runtime/MapConstructor.cpp:
1352         (JSC::constructMap):
1353         * runtime/NativeErrorConstructor.cpp:
1354         (JSC::Interpreter::constructWithNativeErrorConstructor):
1355         * runtime/NumberConstructor.cpp:
1356         (JSC::constructWithNumberConstructor):
1357         * runtime/RegExpConstructor.cpp:
1358         (JSC::getRegExpStructure):
1359         (JSC::constructRegExp):
1360         (JSC::constructWithRegExpConstructor):
1361         * runtime/SetConstructor.cpp:
1362         (JSC::constructSet):
1363         * runtime/StringConstructor.cpp:
1364         (JSC::constructWithStringConstructor):
1365         (JSC::StringConstructor::getConstructData):
1366         * runtime/WeakMapConstructor.cpp:
1367         (JSC::constructWeakMap):
1368         * runtime/WeakSetConstructor.cpp:
1369         (JSC::constructWeakSet):
1370         * tests/stress/create-subclass-structure-might-throw.js: Added.
1371         (assert):
1372
1373 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
1374
1375         Fix build and implement functions to retrieve registers on FreeBSD
1376         https://bugs.webkit.org/show_bug.cgi?id=152258
1377
1378         Reviewed by Michael Catanzaro.
1379
1380         * heap/MachineStackMarker.cpp:
1381         (pthreadSignalHandlerSuspendResume):
1382         struct ucontext is not specified in POSIX and it is not available on
1383         FreeBSD. Replacing it with ucontext_t fixes the build problem.
1384         (JSC::MachineThreads::Thread::Registers::stackPointer):
1385         (JSC::MachineThreads::Thread::Registers::framePointer):
1386         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1387         (JSC::MachineThreads::Thread::Registers::llintPC):
1388         * heap/MachineStackMarker.h:
1389
1390 2016-02-22  Saam barati  <sbarati@apple.com>
1391
1392         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
1393         https://bugs.webkit.org/show_bug.cgi?id=154552
1394
1395         Reviewed by Mark Lam.
1396
1397         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
1398         They return false on a Proxy with internal [[Call]] and [[Construct]]
1399         properties. It seems safest, most forward looking, and most adherent
1400         to the specification to check getCallData() and getConstructData() to
1401         implement these functions.
1402
1403         * runtime/InternalFunction.cpp:
1404         (JSC::InternalFunction::createSubclassStructure):
1405         * runtime/JSCJSValueInlines.h:
1406         (JSC::JSValue::isFunction):
1407         (JSC::JSValue::isConstructor):
1408
1409 2016-02-22  Keith Miller  <keith_miller@apple.com>
1410
1411         Bound functions should use the prototype of the function being bound
1412         https://bugs.webkit.org/show_bug.cgi?id=154195
1413
1414         Reviewed by Geoffrey Garen.
1415
1416         Per ES6, the result of Function.prototype.bind should have the same
1417         prototype as the function being bound. In order to avoid creating
1418         a new structure each time a function is bound we store the new
1419         structure in our structure map. However, we cannot currently store
1420         structures that have a different GlobalObject than their prototype.
1421         In the rare case that the GlobalObject differs or the prototype of
1422         the bindee is null we create a new structure each time. To further
1423         minimize new structures, as well as making structure lookup faster,
1424         we also store the structure in the RareData of the function we
1425         are binding.
1426
1427         * runtime/FunctionRareData.cpp:
1428         (JSC::FunctionRareData::visitChildren):
1429         * runtime/FunctionRareData.h:
1430         (JSC::FunctionRareData::getBoundFunctionStructure):
1431         (JSC::FunctionRareData::setBoundFunctionStructure):
1432         * runtime/JSBoundFunction.cpp:
1433         (JSC::getBoundFunctionStructure):
1434         (JSC::JSBoundFunction::create):
1435         * tests/es6.yaml:
1436         * tests/stress/bound-function-uses-prototype.js: Added.
1437         (testChangeProto.foo):
1438         (testChangeProto):
1439         (testBuiltins):
1440         * tests/stress/class-subclassing-function.js:
1441
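        Added example (not part of this patch): the observable ES6 rule the change
        implements, checked from JavaScript. A bound function takes its [[Prototype]] from
        the function being bound, which covers the two cases called out above: a subclass
        of Function, and a target whose prototype has been set to null (where `bind` has to
        be reached through Function.prototype because the target no longer inherits it).
        The class name Callable and the helper names are this example's own.

```javascript
// Added example, not code from the WebKit patch. Demonstrates that
// Function.prototype.bind preserves the prototype of the bound target.

class Callable extends Function {
  describe() { return typeof this; }
}

// Uses Function.prototype.bind directly so it also works for a target whose
// prototype chain no longer reaches Function.prototype.
function protoOfBound(target, ...boundArgs) {
  const bound = Function.prototype.bind.call(target, null, ...boundArgs);
  return Object.getPrototypeOf(bound);
}

function demoBind() {
  const plain = function add(a, b) { return a + b; };
  // new.target is Callable, so the created function's [[Prototype]] is
  // Callable.prototype rather than Function.prototype.
  const sub = new Callable("a", "b", "return a + b");
  const detached = function mul(a, b) { return a * b; };
  Object.setPrototypeOf(detached, null); // rare case: null prototype

  const boundSub = sub.bind(null, 1);
  return {
    plainKeepsFunctionPrototype: protoOfBound(plain) === Function.prototype,
    subclassKept: protoOfBound(sub) === Callable.prototype,
    // Methods defined on the subclass stay reachable from the bound function.
    subclassMethod: boundSub.describe(),
    nullKept: protoOfBound(detached) === null,
    // Binding changes the prototype of the result, not what it computes.
    boundResult: boundSub(2),
  };
}

console.log(demoBind());
```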
1442 2016-02-22  Keith Miller  <keith_miller@apple.com>
1443
1444         Unreviewed, fix stress test to not print on success.
1445
1446         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
1447         (catch): Deleted.
1448
1449 2016-02-22  Keith Miller  <keith_miller@apple.com>
1450
1451         Use Symbol.species in the builtin TypedArray.prototype functions
1452         https://bugs.webkit.org/show_bug.cgi?id=153384
1453
1454         Reviewed by Geoffrey Garen.
1455
1456         This patch adds the use of species constructors to the TypedArray.prototype map and filter
1457         functions. It also adds a new private function typedArrayGetOriginalConstructor that
1458         returns the TypedArray constructor used to originally create a TypedArray instance.
1459
1460         There are no ES6 tests to update for this patch as species creation for these functions is
1461         not tested in the compatibility table.
1462
1463         * builtins/TypedArrayPrototype.js:
1464         (map):
1465         (filter):
1466         * bytecode/BytecodeIntrinsicRegistry.cpp:
1467         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1468         * bytecode/BytecodeIntrinsicRegistry.h:
1469         * runtime/CommonIdentifiers.h:
1470         * runtime/JSGlobalObject.cpp:
1471         (JSC::JSGlobalObject::init):
1472         (JSC::JSGlobalObject::visitChildren):
1473         * runtime/JSGlobalObject.h:
1474         (JSC::JSGlobalObject::typedArrayConstructor):
1475         * runtime/JSTypedArrayViewPrototype.cpp:
1476         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
1477         * runtime/JSTypedArrayViewPrototype.h:
1478         * tests/stress/typedarray-filter.js:
1479         (subclasses.typedArrays.map):
1480         (prototype.accept):
1481         (testSpecies):
1482         (accept):
1483         (forEach):
1484         (subclasses.forEach):
1485         (testSpeciesRemoveConstructor):
1486         * tests/stress/typedarray-map.js:
1487         (subclasses.typedArrays.map):
1488         (prototype.id):
1489         (testSpecies):
1490         (id):
1491         (forEach):
1492         (subclasses.forEach):
1493         (testSpeciesRemoveConstructor):
1494
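        Added example (not part of this patch): how Symbol.species steers the result type of
        %TypedArray%.prototype.map and filter, observed from JavaScript. Subclasses get
        subclass results by default, an overridden species redirects construction, and a
        species of undefined falls back to the receiver's original typed array constructor,
        which is the role the private typedArrayGetOriginalConstructor plays in the patch.
        The subclass names Bytes, Detached and NoSpecies are this example's own.

```javascript
// Added example, not code from the WebKit patch. Shows Symbol.species
// resolution for TypedArray.prototype.map and filter.

class Bytes extends Uint8Array {
  hex() {
    return Array.from(this, (b) => b.toString(16).padStart(2, "0")).join("");
  }
}

class Detached extends Uint8Array {
  // Species says: build the plain base type instead of this subclass.
  static get [Symbol.species]() { return Uint8Array; }
}

class NoSpecies extends Uint8Array {
  // Species of undefined: the engine falls back to the receiver's original
  // constructor (%Uint8Array%), not to the subclass.
  static get [Symbol.species]() { return undefined; }
}

function demoSpecies() {
  const src = Bytes.from([1, 2, 3, 250]);          // constructed sample input
  const mapped = src.map((b) => b + 1);            // Bytes, via Bytes[Symbol.species]
  const filtered = src.filter((b) => b > 2);       // also Bytes

  const redirected = Detached.from([1, 2]).map((b) => b * 2);
  const fallback = NoSpecies.from([9]).map((b) => b);

  return {
    mappedIsBytes: mapped instanceof Bytes,
    mappedHex: mapped.hex(),
    filteredLength: filtered.length,
    filteredIsBytes: filtered instanceof Bytes,
    redirectedIsPlain: redirected.constructor === Uint8Array,
    redirectedNotSubclass: !(redirected instanceof Detached),
    fallbackIsPlain: fallback.constructor === Uint8Array,
    fallbackNotSubclass: !(fallback instanceof NoSpecies),
  };
}

console.log(demoSpecies());
```

        The species lookup is a user-controllable hook: any code that can set `constructor`
        or Symbol.species on a typed array it later passes to map or filter chooses which
        constructor the builtin invokes, which is why the patch reads the original
        constructor through a private function rather than through `constructor`.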
1495 2016-02-22  Keith Miller  <keith_miller@apple.com>
1496
1497         Builtins that should not rely on iteration do.
1498         https://bugs.webkit.org/show_bug.cgi?id=154475
1499
1500         Reviewed by Geoffrey Garen.
1501
1502         When changing the behavior of varargs calls to use ES6 iterators the
1503         call builtin function's use of a varargs call was overlooked. The use
1504         of iterators is observable outside the scope of the call function,
1505         thus it must be reimplemented.
1506
1507         * builtins/FunctionPrototype.js:
1508         (call):
1509         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
1510         (test):
1511         (addAll):
1512         (catch):
1513
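        Added example (not part of this patch): the observability the entry refers to,
        checked from JavaScript. Array.prototype[Symbol.iterator] is replaced with an
        instrumented copy that counts its invocations, then the same function is invoked
        through Function.prototype.call, through spread syntax and through
        Function.prototype.apply. Only spread is specified to go through the iterator;
        `call` passes arguments positionally and `apply` uses CreateListFromArrayLike.
        The helper names are this example's own.

```javascript
// Added example, not code from the WebKit patch. Measures whether a call path
// consults Array.prototype[Symbol.iterator], the way user code could.

function withInstrumentedIterator(fn) {
  const original = Array.prototype[Symbol.iterator];
  let hits = 0;
  Array.prototype[Symbol.iterator] = function () {
    hits += 1;
    return original.call(this);
  };
  try {
    const result = fn();
    return { result, iteratorHits: hits };
  } finally {
    Array.prototype[Symbol.iterator] = original; // always restore the builtin
  }
}

function sum3(a, b, c) { return a + b + c; }

// Positional arguments: must never touch the iterator.
function viaCall() {
  return withInstrumentedIterator(() => sum3.call(null, 1, 2, 3));
}

// Spread syntax: specified to use the iterator, so the hook fires once.
function viaSpread() {
  return withInstrumentedIterator(() => sum3(...[1, 2, 3]));
}

// apply: CreateListFromArrayLike reads length and indices, not the iterator.
function viaApply() {
  return withInstrumentedIterator(() => sum3.apply(null, [1, 2, 3]));
}

console.log(viaCall(), viaSpread(), viaApply());
```

        A builtin that routed `call` through a varargs path would report a non-zero
        iteratorHits for viaCall, which is exactly the leak of engine internals the patch
        removes: an attacker-controlled Array.prototype[Symbol.iterator] would otherwise run
        inside every Function.prototype.call.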
1514 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
1515
1516         [JSC shell] Don't put empty arguments array to VM.
1517         https://bugs.webkit.org/show_bug.cgi?id=154516
1518
1519         Reviewed by Geoffrey Garen.
1520
1521         This allows arrowfunction-lexical-bind-arguments-top-level test to pass
1522         in jsc as well as in browser.
1523
1524         * jsc.cpp:
1525         (GlobalObject::finishCreation):
1526
1527 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
1528
1529         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
1530         https://bugs.webkit.org/show_bug.cgi?id=154450
1531
1532         Reviewed by Alex Christensen.
1533
1534         * CMakeLists.txt:
1535
1536 2016-02-22  Commit Queue  <commit-queue@webkit.org>
1537
1538         Unreviewed, rolling out r196891.
1539         https://bugs.webkit.org/show_bug.cgi?id=154539
1540
1541         it broke Production builds (Requested by brrian on #webkit).
1542
1543         Reverted changeset:
1544
1545         "Web Inspector: add 'Automation' protocol domain and generate
1546         its backend classes separately in WebKit2"
1547         https://bugs.webkit.org/show_bug.cgi?id=154509
1548         http://trac.webkit.org/changeset/196891
1549
1550 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
1551
1552         CodeBlock always visits its unlinked code twice
1553         https://bugs.webkit.org/show_bug.cgi?id=154494
1554
1555         Reviewed by Saam Barati.
1556
1557         * bytecode/CodeBlock.cpp:
1558         (JSC::CodeBlock::visitChildren):
1559         The unlinked code is always visited in stronglyVisitStrongReferences.
1560
1561 2016-02-21  Brian Burg  <bburg@apple.com>
1562
1563         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
1564         https://bugs.webkit.org/show_bug.cgi?id=154509
1565         <rdar://problem/24759098>
1566
1567         Reviewed by Timothy Hatcher.
1568
1569         Add a new 'WebKit' framework, which is used to generate protocol code
1570         in WebKit2.
1571
1572         Add --backend and --frontend flags to the main generator script.
1573         These allow a framework to trigger two different sets of generators
1574         so they can be separately generated and compiled.
1575
1576         * inspector/scripts/codegen/models.py:
1577         (Framework.fromString):
1578         (Frameworks): Add new framework.
1579
1580         * inspector/scripts/generate-inspector-protocol-bindings.py:
1581         If neither --backend nor --frontend is specified, assume both are wanted.
1582         This matches the behavior for JavaScriptCore and WebInspector frameworks.
1583
1584         (generate_from_specification):
1585         Generate C++ files for the backend and Objective-C files for the frontend.
1586
1587 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1588
1589         Improvements to Intl code
1590         https://bugs.webkit.org/show_bug.cgi?id=154486
1591
1592         Reviewed by Darin Adler.
1593
1594         This patch does several things:
1595         - Use std::unique_ptr to store ICU objects.
1596         - Pass Vector::size() to ICU functions that take a buffer size instead
1597           of Vector::capacity().
1598         - If U_SUCCESS(status) is true, it means there is no error, but there
1599           could be warnings. ICU functions ignore warnings. So, there is no need
1600           to reset status to U_ZERO_ERROR.
1601         - Remove the initialization of the String instance variables of
1602           IntlDateTimeFormat. These values are never read and cause unnecessary
1603           memory allocation.
1604         - Fix coding style.
1605         - Some small optimization.
1606
1607         * runtime/IntlCollator.cpp:
1608         (JSC::IntlCollator::UCollatorDeleter::operator()):
1609         (JSC::IntlCollator::createCollator):
1610         (JSC::IntlCollator::compareStrings):
1611         (JSC::IntlCollator::~IntlCollator): Deleted.
1612         * runtime/IntlCollator.h:
1613         * runtime/IntlDateTimeFormat.cpp:
1614         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
1615         (JSC::defaultTimeZone):
1616         (JSC::canonicalizeTimeZoneName):
1617         (JSC::toDateTimeOptionsAnyDate):
1618         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1619         (JSC::IntlDateTimeFormat::weekdayString):
1620         (JSC::IntlDateTimeFormat::format):
1621         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
1622         (JSC::localeData): Deleted.
1623         * runtime/IntlDateTimeFormat.h:
1624         * runtime/IntlDateTimeFormatConstructor.cpp:
1625         * runtime/IntlNumberFormatConstructor.cpp:
1626         * runtime/IntlObject.cpp:
1627         (JSC::numberingSystemsForLocale):
1628
1629 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
1630
1631         Remove arrowfunction test cases that rely on arguments variable in jsc
1632         https://bugs.webkit.org/show_bug.cgi?id=154517
1633
1634         Reviewed by Yusuke Suzuki.
1635
1636         Allow jsc to have the same JavaScript behavior as the browser has.
1637
1638         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1639         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1640
1641 2016-02-21  Brian Burg  <bburg@apple.com>
1642
1643         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
1644         https://bugs.webkit.org/show_bug.cgi?id=154508
1645         <rdar://problem/24759077>
1646
1647         Reviewed by Timothy Hatcher.
1648
1649         In preparation for being able to generate protocol files for WebKit2,
1650         make it possible to not emit generated code that's guarded by
1651         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
1652         backend dispatchers generated outside of JavaScriptCore. We can't just
1653         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
1654         in the configurations where the code is actually used.
1655
1656         Add a new opt-in Framework configuration option that turns on generating
1657         this code. Adjust how the code is generated so that it can be easily excluded.
1658
1659         * inspector/scripts/codegen/cpp_generator_templates.py:
1660         Make a separate template for the declarations that are guarded.
1661         Add an initializer expression so the order of initializers doesn't matter.
1662
1663         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1664         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
1665         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
1666         If the declarations are needed, they will be appended to the end of the
1667         declarations list.
1668
1669         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1670         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
1671         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
1672
1673         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
1674         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
1675
1676         Rebaseline affected tests.
1677
1678         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1679         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1680         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1681         * inspector/scripts/tests/expected/enum-values.json-result:
1682         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1683
1684 2016-02-21  Brian Burg  <bburg@apple.com>
1685
1686         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
1687         https://bugs.webkit.org/show_bug.cgi?id=154505
1688         <rdar://problem/24758042>
1689
1690         Reviewed by Timothy Hatcher.
1691
1692         It should be possible to generate code for a framework using some generators
1693         that other frameworks also use. Right now the generator selection code assumes
1694         that use of a generator is mutually exclusive among non-test frameworks.
1695
1696         Make this code explicitly switch on the framework. Reorder generators
1697         alphabetically within each case.
1698
1699         * inspector/scripts/generate-inspector-protocol-bindings.py:
1700         (generate_from_specification):
1701
1702         Rebaseline tests that are affected by generator reorderings.
1703
1704         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1705         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1706         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1707         * inspector/scripts/tests/expected/enum-values.json-result:
1708         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1709         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1710         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1711         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1712         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1713         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1714         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1715         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1716         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1717
1718 2016-02-19  Saam Barati  <sbarati@apple.com>
1719
1720         [ES6] Implement Proxy.[[Construct]]
1721         https://bugs.webkit.org/show_bug.cgi?id=154440
1722
1723         Reviewed by Oliver Hunt.
1724
1725         This patch is mostly an implementation of
1726         Proxy.[[Construct]] with respect to section 9.5.13
1727         of the ECMAScript spec.
1728         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
1729
1730         This patch also changes op_create_this to accept new.target's
1731         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
1732         because we might construct a JSFunction with a new.target being
1733         a Proxy. This will also be needed when we implement Reflect.construct.
1734
1735         * dfg/DFGOperations.cpp:
1736         * dfg/DFGSpeculativeJIT32_64.cpp:
1737         (JSC::DFG::SpeculativeJIT::compile):
1738         * dfg/DFGSpeculativeJIT64.cpp:
1739         (JSC::DFG::SpeculativeJIT::compile):
1740         * jit/JITOpcodes.cpp:
1741         (JSC::JIT::emit_op_create_this):
1742         (JSC::JIT::emitSlow_op_create_this):
1743         * jit/JITOpcodes32_64.cpp:
1744         (JSC::JIT::emit_op_create_this):
1745         (JSC::JIT::emitSlow_op_create_this):
1746         * llint/LLIntData.cpp:
1747         (JSC::LLInt::Data::performAssertions):
1748         * llint/LowLevelInterpreter.asm:
1749         * llint/LowLevelInterpreter32_64.asm:
1750         * llint/LowLevelInterpreter64.asm:
1751         * runtime/CommonSlowPaths.cpp:
1752         (JSC::SLOW_PATH_DECL):
1753         * runtime/ProxyObject.cpp:
1754         (JSC::ProxyObject::finishCreation):
1755         (JSC::ProxyObject::visitChildren):
1756         (JSC::performProxyConstruct):
1757         (JSC::ProxyObject::getConstructData):
1758         * runtime/ProxyObject.h:
1759         * tests/es6.yaml:
1760         * tests/stress/proxy-construct.js: Added.
1761         (assert):
1762         (throw.new.Error.let.target):
1763         (throw.new.Error):
1764         (assert.let.target):
1765         (assert.let.handler.get construct):
1766         (let.target):
1767         (let.handler.construct):
1768         (i.catch):
1769         (assert.let.handler.construct):
1770         (assert.let.construct):
1771         (assert.else.assert.let.target):
1772         (assert.else.assert.let.construct):
1773         (assert.else.assert):
1774         (new.proxy.let.target):
1775         (new.proxy.let.construct):
1776         (new.proxy):
1777
1778 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1779
1780         [INTL] Implement Number Format Functions
1781         https://bugs.webkit.org/show_bug.cgi?id=147605
1782
1783         Reviewed by Darin Adler.
1784
1785         This patch implements Intl.NumberFormat.prototype.format() according
1786         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
1787
1788         * runtime/IntlNumberFormat.cpp:
1789         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
1790         (JSC::IntlNumberFormat::initializeNumberFormat):
1791         (JSC::IntlNumberFormat::createNumberFormat):
1792         (JSC::IntlNumberFormat::formatNumber):
1793         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
1794         * runtime/IntlNumberFormat.h:
1795         * runtime/IntlNumberFormatPrototype.cpp:
1796         (JSC::IntlNumberFormatFuncFormatNumber):
1797
1798 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
1799
1800         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
1801         https://bugs.webkit.org/show_bug.cgi?id=154416
1802
1803         Reviewed by Geoff Garen.
1804
1805         Here's the bug. Suppose you call JSObject::getOwnProperty and -
1806           - PropertyName contains an index,
1807           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
1808           - The base of the access (or another object on the prototype chain) shadows that property.
1809
1810         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
1811         index, and as such walks up the prototype chain looking for non-index properties before it
1812         tries calling parseIndex.
1813
1814         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
1815         would potentially return the property) we may have already skipped over non-overriding
1816         objects that contain the property in index storage.
1817
1818         * runtime/JSObject.h:
1819         (JSC::JSObject::getOwnNonIndexPropertySlot):
1820             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
1821               added ASSERT guarding that this method never returns index properties -
1822               if it ever does, this is unsafe for getPropertySlot.
1823         (JSC::JSObject::getOwnPropertySlot):
1824             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
1825         (JSC::JSObject::getPropertySlot):
1826             - In case of object overriding getOwnPropertySlot check if propertyName is an index.
1827         (JSC::JSObject::getNonIndexPropertySlot):
1828             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
1829               in order to avoid repeated calls to parseIndex.
1830         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
1831             - this was renamed to getOwnNonIndexPropertySlot.
1832         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
1833             - this was folded back in to getPropertySlot.
1834
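        Added example (not part of this patch): the lookup order described above, reproduced
        from JavaScript. A String wrapper is an exotic object with own integer-indexed
        properties, which in JSC's terms is an object overriding getOwnPropertySlot. It is
        placed deep in a prototype chain, one of its indices is shadowed on an ordinary
        object closer to the base, and the lookup is checked to return the nearest property,
        never the exotic object's value. The helper names are this example's own.

```javascript
// Added example, not code from the WebKit patch. Builds the prototype chain
// from the bug description and checks the expected [[Get]] results.

function buildChain() {
  const exotic = new String("abc");   // own "0": "a", "1": "b", "2": "c", "length": 3
  const mid = Object.create(exotic);  // ordinary object whose prototype is the exotic one
  // defineProperty does not consult the prototype chain, so it can shadow the
  // non-writable index property the String wrapper owns.
  Object.defineProperty(mid, "0", { value: "shadow-mid", enumerable: true });
  const base = Object.create(mid);    // base -> mid -> exotic -> String.prototype
  return { base, mid, exotic };
}

// The same key as a number and as a string must resolve identically; an
// engine that parses the index late could disagree between the two.
function lookup(obj, key) {
  return { byNumber: obj[Number(key)], byString: obj[String(key)] };
}

function demoLookup() {
  const { base } = buildChain();
  const shadowedByMid = lookup(base, 0);   // "shadow-mid", not "a" from the String wrapper
  const fromExotic = lookup(base, 1);      // "b": nothing closer shadows index 1
  // A shadow on the base itself must win over everything behind it.
  Object.defineProperty(base, "1", { value: "shadow-base" });
  const shadowedByBase = lookup(base, 1);
  // Non-index names still resolve through the same chain.
  const length = base.length;              // 3, inherited from the String wrapper
  return { shadowedByMid, fromExotic, shadowedByBase, length };
}

console.log(demoLookup());
```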
1835 2016-02-19  Saam Barati  <sbarati@apple.com>
1836
1837         [ES6] Implement Proxy.[[Call]]
1838         https://bugs.webkit.org/show_bug.cgi?id=154425
1839
1840         Reviewed by Mark Lam.
1841
1842         This patch is a straight forward implementation of
1843         Proxy.[[Call]] with respect to section 9.5.12
1844         of the ECMAScript spec.
1845         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
1846
1847         * runtime/ProxyObject.cpp:
1848         (JSC::ProxyObject::finishCreation):
1849         (JSC::performProxyGet):
1850         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1851         (JSC::ProxyObject::performHasProperty):
1852         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1853         (JSC::performProxyCall):
1854         (JSC::ProxyObject::getCallData):
1855         (JSC::ProxyObject::visitChildren):
1856         * runtime/ProxyObject.h:
1857         (JSC::ProxyObject::create):
1858         * tests/es6.yaml:
1859         * tests/stress/proxy-call.js: Added.
1860         (assert):
1861         (throw.new.Error.let.target):
1862         (throw.new.Error.let.handler.apply):
1863         (throw.new.Error):
1864         (assert.let.target):
1865         (assert.let.handler.get apply):
1866         (let.target):
1867         (let.handler.apply):
1868         (i.catch):
1869         (assert.let.handler.apply):
1870
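        Added example (not part of either patch): the Proxy.[[Call]] and Proxy.[[Construct]]
        behaviour from sections 9.5.12 and 9.5.13 observed from JavaScript, covering this
        entry and the Proxy.[[Construct]] entry above. A proxy whose target is callable is
        itself callable and reports typeof "function"; its apply trap sees the argument
        list, its construct trap sees new.target (the proxy itself when `new` was applied
        to the proxy), and a construct trap that returns a primitive makes `new` throw a
        TypeError. The helper names are this example's own.

```javascript
// Added example, not code from the WebKit patches. Wraps callable targets in
// tracing proxies and records which internal method each operation hits.

function makeTracingProxy(target, log) {
  const handler = {
    apply(t, thisArg, args) {
      log.push({ trap: "apply", args: [...args] });
      return Reflect.apply(t, thisArg, args);
    },
    construct(t, args, newTarget) {
      // new.target is the proxy itself when `new` was applied to the proxy.
      log.push({ trap: "construct", newTargetIsProxy: newTarget === proxy });
      return Reflect.construct(t, args, newTarget);
    },
  };
  const proxy = new Proxy(target, handler);
  return proxy;
}

function add(a, b) { return a + b; }
function Point(x, y) { this.x = x; this.y = y; }
Point.prototype.sum = function () { return this.x + this.y; };

function demoProxy() {
  const log = [];
  const A = makeTracingProxy(add, log);
  const P = makeTracingProxy(Point, log);

  const addResult = A(3, 4);   // [[Call]]: goes through the apply trap
  const p = new P(1, 2);       // [[Construct]]: goes through the construct trap

  // A proxy of a non-callable target has neither [[Call]] nor [[Construct]].
  const plain = new Proxy({}, {});
  let plainCallable = true;
  try { plain(); } catch (e) { plainCallable = !(e instanceof TypeError); }

  // A construct trap must return an object; a primitive makes `new` throw.
  const Bad = new Proxy(Point, { construct() { return 42; } });
  let badThrows = false;
  try { new Bad(); } catch (e) { badThrows = e instanceof TypeError; }

  return {
    callType: typeof A,
    plainType: typeof plain,
    addResult,
    sum: p.sum(),
    isPoint: p instanceof Point,   // prototype came from new.target (the proxy) -> Point.prototype
    traps: log.map((entry) => entry.trap),
    newTargetWasProxy: log[1].newTargetIsProxy,
    plainCallable,
    badThrows,
  };
}

console.log(demoProxy());
```

        This is also the reason the JSValue::isFunction and isConstructor change above
        consults getCallData and getConstructData: a Proxy is a function or constructor
        purely by virtue of its target, not by its cell type.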
1871 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
1872
1873         Remove more LLVM related dead code after r196729
1874         https://bugs.webkit.org/show_bug.cgi?id=154387
1875
1876         Reviewed by Filip Pizlo.
1877
1878         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
1879         * Configurations/LLVMForJSC.xcconfig: Removed.
1880         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
1881         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
1882         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
1883         * JavaScriptCore.xcodeproj/project.pbxproj:
1884         * disassembler/X86Disassembler.cpp:
1885
1886 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1887
1888         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
1889         https://bugs.webkit.org/show_bug.cgi?id=154442
1890
1891         Reviewed by Saam Barati.
1892
1893         * runtime/JSString.h:
1894         (JSC::isJSString):
1895
1896 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1897
1898         Remove unused SymbolTable::createNameScopeTable
1899         https://bugs.webkit.org/show_bug.cgi?id=154443
1900
1901         Reviewed by Saam Barati.
1902
1903         * runtime/SymbolTable.h:
1904
1905 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
1906
1907         [JSC] Improve the instruction selection of Select
1908         https://bugs.webkit.org/show_bug.cgi?id=154432
1909
1910         Reviewed by Filip Pizlo.
1911
1912         Plenty of code but this patch is pretty dumb:
1913         -On ARM64: use the 3 operand form of CSEL instead of forcing a source
1914          to be aliased to the destination. This gives more freedom to the register
1915          allocator and it is one less Move to process per Select.
1916         -On x86, introduce a fake 3 operands form and use aggressive aliasing
1917          to try to alias both sources to the destination.
1918
1919          If aliasing succeeds on the "elseCase", the condition of the Select
1920          is reverted in the MacroAssembler.
1921
1922          If no aliasing is possible and we end up with 3 registers, the missing
1923          move instruction is generated by the MacroAssembler.
1924
1925          The missing move is generated after testing the values because the destination
         can use the same register as one of the test operands.
         Experimental testing seems to indicate there is no macro-fusion on CMOV;
         there is no measurable cost to having the move there.
1929
1930         * assembler/MacroAssembler.h:
1931         (JSC::MacroAssembler::isInvertible):
1932         (JSC::MacroAssembler::invert):
1933         * assembler/MacroAssemblerARM64.h:
1934         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
1935         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
1936         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
1937         (JSC::MacroAssemblerARM64::moveConditionally32):
1938         (JSC::MacroAssemblerARM64::moveConditionally64):
1939         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
1940         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
1941         * assembler/MacroAssemblerX86Common.h:
1942         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
1943         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
1944         (JSC::MacroAssemblerX86Common::moveConditionally32):
1945         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
1946         (JSC::MacroAssemblerX86Common::invert):
1947         (JSC::MacroAssemblerX86Common::isInvertible):
1948         * assembler/MacroAssemblerX86_64.h:
1949         (JSC::MacroAssemblerX86_64::moveConditionally64):
1950         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
1951         * b3/B3LowerToAir.cpp:
1952         (JSC::B3::Air::LowerToAir::createSelect):
1953         (JSC::B3::Air::LowerToAir::lower):
1954         * b3/air/AirInstInlines.h:
1955         (JSC::B3::Air::Inst::shouldTryAliasingDef):
1956         * b3/air/AirOpcode.opcodes:
1957
1958 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
1959
1960         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
1961         https://bugs.webkit.org/show_bug.cgi?id=154430
1962
1963         Reviewed by Saam Barati.
1964
1965         llvm isn't used anymore.
1966
1967         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
1968
1969 2016-02-18  Saam Barati  <sbarati@apple.com>
1970
1971         Implement Proxy.[[HasProperty]]
1972         https://bugs.webkit.org/show_bug.cgi?id=154313
1973
1974         Reviewed by Filip Pizlo.
1975
1976         This patch is a straight forward implementation of
1977         Proxy.[[HasProperty]] with respect to section 9.5.7
1978         of the ECMAScript spec.
1979         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
1980
1981         * runtime/ProxyObject.cpp:
1982         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1983         (JSC::ProxyObject::performHasProperty):
1984         (JSC::ProxyObject::getOwnPropertySlotCommon):
1985         * runtime/ProxyObject.h:
1986         * tests/es6.yaml:
1987         * tests/stress/proxy-basic.js:
1988         (assert):
1989         (let.handler.has):
1990         * tests/stress/proxy-has-property.js: Added.
1991         (assert):
1992         (throw.new.Error.let.handler.get has):
1993         (throw.new.Error):
1994         (assert.let.handler.has):
1995         (let.handler.has):
1996         (getOwnPropertyDescriptor):
1997         (i.catch):
1998
1999 2016-02-18  Saam Barati  <sbarati@apple.com>
2000
        Proxies don't properly handle Symbols as PropertyKeys.
2002         https://bugs.webkit.org/show_bug.cgi?id=154385
2003
2004         Reviewed by Mark Lam and Yusuke Suzuki.
2005
2006         We were converting all PropertyKeys to strings, even when
2007         the PropertyName was a Symbol. In the spec, PropertyKeys are
2008         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
2009         Proxy.[[GetOwnProperty]].
2010
2011         * runtime/Completion.cpp:
2012         (JSC::profiledEvaluate):
2013         (JSC::createSymbolForEntryPointModule):
2014         (JSC::identifierToJSValue): Deleted.
2015         * runtime/Identifier.h:
2016         (JSC::parseIndex):
2017         * runtime/IdentifierInlines.h:
2018         (JSC::Identifier::fromString):
2019         (JSC::identifierToJSValue):
2020         (JSC::identifierToSafePublicJSValue):
2021         * runtime/ProxyObject.cpp:
2022         (JSC::performProxyGet):
2023         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2024         * tests/es6.yaml:
2025         * tests/stress/proxy-basic.js:
2026         (let.handler.getOwnPropertyDescriptor):
2027
2028 2016-02-18  Saam Barati  <sbarati@apple.com>
2029
2030         Follow up fix to Implement Proxy.[[GetOwnProperty]]
2031         https://bugs.webkit.org/show_bug.cgi?id=154314
2032
2033         Reviewed by Filip Pizlo.
2034
2035         Part of the implementation was broken because
2036         of how JSObject::getOwnPropertyDescriptor worked.
2037         I've fixed JSObject::getOwnPropertyDescriptor to
2038         be able to handle ProxyObject.
2039
2040         * runtime/JSObject.cpp:
2041         (JSC::JSObject::getOwnPropertyDescriptor):
2042         * runtime/ProxyObject.cpp:
2043         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2044         * tests/stress/proxy-get-own-property.js:
2045         (assert):
2046         (assert.let.handler.get getOwnPropertyDescriptor):
2047
2048 2016-02-18  Saam Barati  <sbarati@apple.com>
2049
2050         Implement Proxy.[[GetOwnProperty]]
2051         https://bugs.webkit.org/show_bug.cgi?id=154314
2052
2053         Reviewed by Filip Pizlo.
2054
2055         This patch implements Proxy.[[GetOwnProperty]].
2056         It's a straight forward implementation as described
2057         in section 9.5.5 of the specification:
2058         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
2059
2060         * runtime/FunctionPrototype.cpp:
2061         (JSC::functionProtoFuncBind):
2062         * runtime/JSObject.cpp:
2063         (JSC::validateAndApplyPropertyDescriptor):
2064         (JSC::JSObject::defineOwnNonIndexProperty):
2065         (JSC::JSObject::defineOwnProperty):
2066         (JSC::JSObject::getGenericPropertyNames):
2067         (JSC::JSObject::getMethod):
2068         * runtime/JSObject.h:
2069         (JSC::JSObject::butterflyAddress):
2070         (JSC::makeIdentifier):
2071         * runtime/ProxyObject.cpp:
2072         (JSC::performProxyGet):
2073         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2074         (JSC::ProxyObject::getOwnPropertySlotCommon):
2075         (JSC::ProxyObject::getOwnPropertySlot):
2076         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2077         (JSC::ProxyObject::visitChildren):
2078         * runtime/ProxyObject.h:
2079         * tests/es6.yaml:
2080         * tests/stress/proxy-basic.js:
2081         (let.handler.get null):
2082         * tests/stress/proxy-get-own-property.js: Added.
2083         (assert):
2084         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
2085         (throw.new.Error):
2086         (let.handler.getOwnPropertyDescriptor):
2087         (i.catch):
2088         (assert.let.handler.getOwnPropertyDescriptor):
2089
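The three Proxy entries above (Proxy.[[HasProperty]], Symbol PropertyKeys, and Proxy.[[GetOwnProperty]]) implement spec behaviour that can be observed directly from JavaScript. What follows is an added example, not code from WebKit or from these patches: it records the keys the `has` and `getOwnPropertyDescriptor` traps receive for a string and for a Symbol (the Symbol must arrive as a Symbol, not as a string), and then exercises the invariant from spec sections 9.5.5 and 9.5.7 that a handler may not report a non-configurable own property of the target as absent. The helper names (`probeTrapKeys`, `hideViaHas`, `hideViaGetOwnPropertyDescriptor`) and the constructed target objects are this example's own.

```javascript
// Added example (not JSC code): observable Proxy.[[HasProperty]] and
// Proxy.[[GetOwnProperty]] semantics, including Symbol keys and the
// non-configurable-property invariant enforced after each trap.

const hidden = Symbol("hidden");

// Returns the list of keys the traps were called with, in call order.
// Expected: ["visible", hidden, hidden]; the Symbol is passed through as-is.
function probeTrapKeys() {
  const seen = [];
  const target = { visible: 1, [hidden]: 2 };   // constructed target
  const proxy = new Proxy(target, {
    has(t, key) {
      seen.push(key);
      return Reflect.has(t, key);
    },
    getOwnPropertyDescriptor(t, key) {
      seen.push(key);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
  "visible" in proxy;                              // [[HasProperty]] with a string key
  hidden in proxy;                                 // [[HasProperty]] with a Symbol key
  Object.getOwnPropertyDescriptor(proxy, hidden);  // [[GetOwnProperty]] with a Symbol key
  return seen;
}

function makeTargetWithSecret(configurable) {
  const target = {};
  Object.defineProperty(target, "secret", { value: 42, configurable, writable: false });
  return target;
}

// A `has` trap that denies every property. Allowed while "secret" is
// configurable; once it is non-configurable the engine must throw a TypeError
// (9.5.7 step 9.b) instead of letting the handler hide it.
function hideViaHas(configurable) {
  const proxy = new Proxy(makeTargetWithSecret(configurable), { has() { return false; } });
  try {
    return { result: "secret" in proxy, error: null };
  } catch (e) {
    return { result: null, error: e.constructor.name };
  }
}

// Same invariant for getOwnPropertyDescriptor: returning undefined for a
// non-configurable own property of the target is rejected (9.5.5 step 11.b).
function hideViaGetOwnPropertyDescriptor(configurable) {
  const proxy = new Proxy(makeTargetWithSecret(configurable), {
    getOwnPropertyDescriptor() { return undefined; },
  });
  try {
    return { result: Object.getOwnPropertyDescriptor(proxy, "secret"), error: null };
  } catch (e) {
    return { result: null, error: e.constructor.name };
  }
}

console.log(probeTrapKeys());
console.log("has, configurable:", hideViaHas(true));
console.log("has, non-configurable:", hideViaHas(false));
console.log("gOPD, configurable:", hideViaGetOwnPropertyDescriptor(true));
console.log("gOPD, non-configurable:", hideViaGetOwnPropertyDescriptor(false));
```

Run with `node`. The hiding helpers return `false` / `undefined` for a configurable property but a `TypeError` for a non-configurable one; that invariant is what lets a membrane or sandbox trust what a proxy reports about frozen objects, and is the part of the implementation that is easiest to get wrong when the target's own descriptor is consulted.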
2090 2016-02-18  Andreas Kling  <akling@apple.com>
2091
2092         JSString resolution of substrings should use StringImpl sharing optimization.
2093         <https://webkit.org/b/154068>
2094         <rdar://problem/24629358>
2095
2096         Reviewed by Antti Koivisto.
2097
2098         When resolving a JSString that's actually a substring of another JSString,
2099         use the StringImpl sharing optimization to create a new string pointing into
2100         the parent one, instead of copying out the bytes of the string.
2101
2102         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
2103
2104         Another approach to this would be to induce GC far more frequently due to
2105         the added cost of copying out these substrings. It would reduce the risk
2106         of prolonging the life of strings only kept alive by substrings.
2107
2108         This patch chooses to trade that risk for less GC and lower peak memory.
2109
2110         * runtime/JSString.cpp:
2111         (JSC::JSRopeString::resolveRope):
2112
2113 2016-02-18  Chris Dumez  <cdumez@apple.com>
2114
2115         Crash on SES selftest page when loading the page while WebInspector is open
2116         https://bugs.webkit.org/show_bug.cgi?id=154378
2117         <rdar://problem/24713422>
2118
2119         Reviewed by Mark Lam.
2120
2121         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
2122         returns early again if it detects that getOwnPropertySlot() returns a
2123         non-own property. This check was removed in r196676 because we assumed that
2124         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
2125         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
2126         well.
2127
2128         Not having the check would lead to crashes when using the debugger because
2129         we would get a slot with the CustomAccessor attribute but getDirect() would
2130         then fail to return the property (because it is not an own property). We
2131         would then cast the value returned by getDirect() to a CustomGetterSetter*
2132         and dereference it.
2133
2134         * runtime/JSObject.cpp:
2135         (JSC::JSObject::getOwnPropertyDescriptor):
2136
2137 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2138
2139         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
2140         for that.
2141
2142         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2143         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2144
2145 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2146
2147         Unreviewed, fix CMake build. This got messed up when rebasing.
2148
2149         * CMakeLists.txt:
2150
2151 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2152
2153         Fix the !ENABLE(DFG_JIT) build after r195865
2154         https://bugs.webkit.org/show_bug.cgi?id=154391
2155
2156         Reviewed by Filip Pizlo.
2157
2158         * runtime/SamplingProfiler.cpp:
2159         (JSC::tryGetBytecodeIndex):
2160
2161 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2162
2163         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
2164         https://bugs.webkit.org/show_bug.cgi?id=154383
2165
2166         Reviewed by Saam Barati.
2167
        I did a grep -i llvm of all of our code and did one of the following for each occurrence:
2169
2170         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
2171           backend".
2172
2173         - Removed the reference because I found it to be dead. In some cases it was a dead
2174           comment: it was telling us things about what LLVM did and that's just not relevant
2175           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
2176
2177         - Edited the comment in some smart way. There were comments talking about what LLVM did
2178           that were still of interest. In some cases, I added a FIXME to consider changing the
2179           code below the comment on the grounds that it was written in a weird way to placate
2180           LLVM and so we can do it better now.
2181
2182         * CMakeLists.txt:
2183         * JavaScriptCore.xcodeproj/project.pbxproj:
2184         * dfg/DFGArgumentsEliminationPhase.cpp:
2185         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2186         * dfg/DFGPlan.cpp:
2187         (JSC::DFG::Plan::compileInThread):
2188         (JSC::DFG::Plan::compileInThreadImpl):
2189         (JSC::DFG::Plan::compileTimeStats):
2190         * dfg/DFGPutStackSinkingPhase.cpp:
2191         * dfg/DFGSSAConversionPhase.h:
2192         * dfg/DFGStaticExecutionCountEstimationPhase.h:
2193         * dfg/DFGUnificationPhase.cpp:
2194         (JSC::DFG::UnificationPhase::run):
2195         * disassembler/ARM64Disassembler.cpp:
2196         (JSC::tryToDisassemble): Deleted.
2197         * disassembler/X86Disassembler.cpp:
2198         (JSC::tryToDisassemble):
2199         * ftl/FTLAbstractHeap.cpp:
2200         (JSC::FTL::IndexedAbstractHeap::initialize):
2201         * ftl/FTLAbstractHeap.h:
2202         * ftl/FTLFormattedValue.h:
2203         * ftl/FTLJITFinalizer.cpp:
2204         (JSC::FTL::JITFinalizer::finalizeFunction):
2205         * ftl/FTLLink.cpp:
2206         (JSC::FTL::link):
2207         * ftl/FTLLocation.cpp:
2208         (JSC::FTL::Location::restoreInto):
2209         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
2210         (JSC::FTL::DFG::ftlUnreachable):
2211         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2212         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2213         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2214         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2215         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
2216         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
2217         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
2218         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
2219         (JSC::FTL::lowerDFGToB3):
2220         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
2221         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
2222         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
2223         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
2224         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
2225         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
2226         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
2227         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
2228         (JSC::FTL::lowerDFGToLLVM): Deleted.
2229         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
2230         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
2231         * ftl/FTLLowerDFGToLLVM.h: Removed.
2232         * ftl/FTLOSRExitCompiler.cpp:
2233         (JSC::FTL::compileStub):
2234         * ftl/FTLWeight.h:
2235         (JSC::FTL::Weight::frequencyClass):
2236         (JSC::FTL::Weight::inverse):
2237         (JSC::FTL::Weight::scaleToTotal): Deleted.
2238         * ftl/FTLWeightedTarget.h:
2239         (JSC::FTL::rarely):
2240         (JSC::FTL::unsure):
2241         * jit/CallFrameShuffler64.cpp:
2242         (JSC::CallFrameShuffler::emitDisplace):
2243         * jit/RegisterSet.cpp:
2244         (JSC::RegisterSet::ftlCalleeSaveRegisters):
2245         * llvm: Removed.
2246         * llvm/InitializeLLVMLinux.cpp: Removed.
2247         * llvm/InitializeLLVMWin.cpp: Removed.
2248         * llvm/library: Removed.
2249         * llvm/library/LLVMTrapCallback.h: Removed.
2250         * llvm/library/libllvmForJSC.version: Removed.
2251         * runtime/Options.cpp:
2252         (JSC::recomputeDependentOptions):
2253         (JSC::Options::initialize):
2254         * runtime/Options.h:
2255         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
2256         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
2257         * wasm/WASMFunctionParser.cpp:
2258
2259 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2260
2261         [cmake] Build system cleanup
2262         https://bugs.webkit.org/show_bug.cgi?id=154337
2263
2264         Reviewed by Žan Doberšek.
2265
2266         * CMakeLists.txt:
2267
2268 2016-02-17  Mark Lam  <mark.lam@apple.com>
2269
2270         Callers of JSString::value() should check for exceptions thereafter.
2271         https://bugs.webkit.org/show_bug.cgi?id=154346
2272
2273         Reviewed by Geoffrey Garen.
2274
2275         JSString::value() can throw an exception if the JS string is a rope and value() 
2276         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
2277         able to resolve the rope, it will return a null string (in addition to throwing
2278         the exception).  If a caller does not check for exceptions after calling
2279         JSString::value(), they may eventually use the returned null string and crash the
2280         VM.
2281
2282         The fix is to add all the necessary exception checks, and do the appropriate
2283         handling if needed.
2284
2285         * jsc.cpp:
2286         (functionRun):
2287         (functionLoad):
2288         (functionReadFile):
2289         (functionCheckSyntax):
2290         (functionLoadWebAssembly):
2291         (functionLoadModule):
2292         (functionCheckModuleSyntax):
2293         * runtime/DateConstructor.cpp:
2294         (JSC::dateParse):
2295         (JSC::dateNow):
2296         * runtime/JSGlobalObjectFunctions.cpp:
2297         (JSC::globalFuncEval):
2298         * tools/JSDollarVMPrototype.cpp:
2299         (JSC::functionPrint):
2300
2301 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
2302
2303         [JSC] ARM64: Support the immediate format used for bit operations in Air
2304         https://bugs.webkit.org/show_bug.cgi?id=154327
2305
2306         Reviewed by Filip Pizlo.
2307
        ARM64 supports a pretty rich form of immediates for bit operations.
2309         There are two formats used to encode repeating patterns and common
2310         input in a dense form.
2311
        In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
        Those represent the valid immediate forms for bit operations.
        On x86, any 32-bit value is valid. On ARM64, all the encoding
        forms are tried and the immediate is used when possible.
2316
2317         The arg type Imm64 is renamed to BigImm to better represent what
2318         it is: an immediate that does not fit into Imm.
2319
2320         * assembler/ARM64Assembler.h:
2321         (JSC::LogicalImmediate::create32): Deleted.
2322         (JSC::LogicalImmediate::create64): Deleted.
2323         (JSC::LogicalImmediate::value): Deleted.
2324         (JSC::LogicalImmediate::isValid): Deleted.
2325         (JSC::LogicalImmediate::is64bit): Deleted.
2326         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
2327         (JSC::LogicalImmediate::mask): Deleted.
2328         (JSC::LogicalImmediate::partialHSB): Deleted.
2329         (JSC::LogicalImmediate::highestSetBit): Deleted.
2330         (JSC::LogicalImmediate::findBitRange): Deleted.
2331         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
2332         * assembler/AssemblerCommon.h:
2333         (JSC::ARM64LogicalImmediate::create32):
2334         (JSC::ARM64LogicalImmediate::create64):
2335         (JSC::ARM64LogicalImmediate::value):
2336         (JSC::ARM64LogicalImmediate::isValid):
2337         (JSC::ARM64LogicalImmediate::is64bit):
2338         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
2339         (JSC::ARM64LogicalImmediate::mask):
2340         (JSC::ARM64LogicalImmediate::partialHSB):
2341         (JSC::ARM64LogicalImmediate::highestSetBit):
2342         (JSC::ARM64LogicalImmediate::findBitRange):
2343         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
2344         * assembler/MacroAssemblerARM64.h:
2345         (JSC::MacroAssemblerARM64::and64):
2346         (JSC::MacroAssemblerARM64::or64):
2347         (JSC::MacroAssemblerARM64::xor64):
2348         * b3/B3LowerToAir.cpp:
2349         (JSC::B3::Air::LowerToAir::bitImm):
2350         (JSC::B3::Air::LowerToAir::bitImm64):
2351         (JSC::B3::Air::LowerToAir::appendBinOp):
2352         * b3/air/AirArg.cpp:
2353         (JSC::B3::Air::Arg::dump):
2354         (WTF::printInternal):
2355         * b3/air/AirArg.h:
2356         (JSC::B3::Air::Arg::bitImm):
2357         (JSC::B3::Air::Arg::bitImm64):
2358         (JSC::B3::Air::Arg::isBitImm):
2359         (JSC::B3::Air::Arg::isBitImm64):
2360         (JSC::B3::Air::Arg::isSomeImm):
2361         (JSC::B3::Air::Arg::value):
2362         (JSC::B3::Air::Arg::isGP):
2363         (JSC::B3::Air::Arg::isFP):
2364         (JSC::B3::Air::Arg::hasType):
2365         (JSC::B3::Air::Arg::isValidBitImmForm):
2366         (JSC::B3::Air::Arg::isValidBitImm64Form):
2367         (JSC::B3::Air::Arg::isValidForm):
2368         (JSC::B3::Air::Arg::asTrustedImm32):
2369         (JSC::B3::Air::Arg::asTrustedImm64):
2370         * b3/air/AirOpcode.opcodes:
2371         * b3/air/opcode_generator.rb:
2372
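The entry above is about which immediates ARM64 bit operations (AND/ORR/EOR) can take directly. The following is an added example, not WebKit's ARM64LogicalImmediate encoder: a check, written in JavaScript with BigInt so it runs under node, of whether a 32- or 64-bit value is a valid ARM64 logical immediate. The rule it implements is the architectural one: the value must be a repetition of a 2, 4, 8, 16, 32 or 64-bit element, and that element must be a contiguous run of ones rotated by any amount, neither empty nor full. The function names and sample values are this example's own; it only decides encodability and does not produce the N:immr:imms bit fields.

```javascript
// Added example (not JSC code): decide whether `value` is encodable as an
// ARM64 logical immediate for a `width`-bit (32 or 64) AND/ORR/EOR.

// True if v (a non-negative BigInt) is a single contiguous run of ones,
// possibly followed by trailing zeros, e.g. 0b0011_1000.
function isContiguousRun(v) {
  if (v === 0n) return false;
  while ((v & 1n) === 0n) v >>= 1n;   // strip trailing zeros
  return (v & (v + 1n)) === 0n;        // 2^k - 1 has no gaps
}

function isARM64LogicalImmediate(value, width) {
  if (width !== 32 && width !== 64) throw new RangeError("width must be 32 or 64");
  const fullMask = (1n << BigInt(width)) - 1n;
  value = BigInt(value) & fullMask;
  // 0 and all-ones are the two patterns the format cannot express; an
  // assembler has to materialise those with a MOV instead.
  if (value === 0n || value === fullMask) return false;

  // Find the smallest element size e such that value is its low e bits
  // replicated across the full width. A pattern that repeats at e also
  // repeats at every multiple of e, so the first hit is the one to test.
  for (let e = 2; e <= width; e *= 2) {
    const elemMask = (1n << BigInt(e)) - 1n;
    const elem = value & elemMask;
    let replicated = 0n;
    for (let i = 0; i < width; i += e) replicated |= elem << BigInt(i);
    if (replicated !== value) continue;
    // The element is a rotated run of ones either if it is a plain run
    // (0..0 1..1 0..0) or if it wraps around (1..1 0..0 1..1), in which
    // case its complement within e bits is the plain run.
    return isContiguousRun(elem) || isContiguousRun(elemMask & ~elem);
  }
  return false;
}

// Constructed sample inputs, not taken from the patch.
const samples = [
  [0xffn, 64],                 // run of 8 ones: encodable
  [0x5555555555555555n, 64],   // 2-bit element 0b01 repeated: encodable
  [0x8000000000000001n, 64],   // wrapped run of 2 ones: encodable
  [0x1234n, 64],               // two separate runs: not encodable
  [0x80000001n, 32],           // wrapped run in the 32-bit form: encodable
  [0x12345678n, 32],           // not encodable
];
for (const [v, w] of samples)
  console.log(`0x${v.toString(16)} (${w}-bit):`, isARM64LogicalImmediate(v, w));
```

A lowering that has a check like this can keep the operand as a BitImm and let the assembler emit a single instruction; anything it rejects (including 0 and all-ones) must go through a register, which is the fallback the entry describes for the non-immediate case.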
2373 2016-02-17  Keith Miller  <keith_miller@apple.com>
2374
2375         Spread operator should be allowed when not the first argument of parameter list
2376         https://bugs.webkit.org/show_bug.cgi?id=152721
2377
2378         Reviewed by Saam Barati.
2379
2380         Spread arguments to functions should now be ES6 compliant. Before we
2381         would only take a spread operator if it was the sole argument to a
2382         function. Additionally, we would not use the Symbol.iterator on the
2383         object to generate the arguments. Instead we would do a loop up to the
2384         length mapping indexed properties to the corresponding argument. We fix
2385         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
2386         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
2387         old spread semantics). This solution has the downside of requiring the
2388         allocation of another object and copying each element twice but avoids a
2389         large change to the vm calling convention.
2390
2391         * interpreter/Interpreter.cpp:
2392         (JSC::loadVarargs):
2393         * parser/ASTBuilder.h:
2394         (JSC::ASTBuilder::createElementList):
2395         * parser/Parser.cpp:
2396         (JSC::Parser<LexerType>::parseArguments):
2397         (JSC::Parser<LexerType>::parseArgument):
2398         (JSC::Parser<LexerType>::parseMemberExpression):
2399         * parser/Parser.h:
2400         * parser/SyntaxChecker.h:
2401         (JSC::SyntaxChecker::createElementList):
2402         * tests/es6.yaml:
2403         * tests/stress/spread-calling.js: Added.
2404         (testFunction):
2405         (testEmpty):
2406         (makeObject):
2407         (otherIterator.return.next):
2408         (otherIterator):
2409         (totalIter):
2410         (throwingIter.return.next):
2411         (throwingIter):
2412         (i.catch):
2413
2414 2016-02-17  Brian Burg  <bburg@apple.com>
2415
2416         Remove a wrong cast in RemoteInspector::receivedSetupMessage
2417         https://bugs.webkit.org/show_bug.cgi?id=154361
2418         <rdar://problem/24709281>
2419
2420         Reviewed by Joseph Pecoraro.
2421
2422         * inspector/remote/RemoteInspector.mm:
2423         (Inspector::RemoteInspector::receivedSetupMessage):
2424         Not only is this cast unnecessary (the constructor accepts the base class),
2425         but it is wrong since the target could be an automation target. Remove it.
2426
2427 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2428
2429         Rename FTLB3Blah to FTLBlah
2430         https://bugs.webkit.org/show_bug.cgi?id=154365
2431
2432         Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
2433
2434         * CMakeLists.txt:
2435         * JavaScriptCore.xcodeproj/project.pbxproj:
2436         * ftl/FTLB3Compile.cpp: Removed.
2437         * ftl/FTLB3Output.cpp: Removed.
2438         * ftl/FTLB3Output.h: Removed.
2439         * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
2440         * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
2441         * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
2442
2443 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2444
2445         Remove LLVM dependencies from WebKit
2446         https://bugs.webkit.org/show_bug.cgi?id=154323
2447
2448         Reviewed by Antti Koivisto and Benjamin Poulain.
2449
2450         We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
2451         LLVM-related code dead, including the disassembler, which was only reachable when you were on
2452         a platform that already had an in-tree disassembler.
2453
2454         * CMakeLists.txt:
2455         * JavaScriptCore.xcodeproj/project.pbxproj:
2456         * dfg/DFGCommon.h:
2457         * dfg/DFGPlan.cpp:
2458         (JSC::DFG::Plan::compileInThread):
2459         (JSC::DFG::Plan::compileInThreadImpl):
2460         (JSC::DFG::Plan::compileTimeStats):
2461         * disassembler/ARM64Disassembler.cpp:
2462         (JSC::tryToDisassemble):
2463         * disassembler/ARMv7Disassembler.cpp:
2464         (JSC::tryToDisassemble):
2465         * disassembler/Disassembler.cpp:
2466         (JSC::disassemble):
2467         (JSC::disassembleAsynchronously):
2468         * disassembler/Disassembler.h:
2469         (JSC::tryToDisassemble):
2470         * disassembler/LLVMDisassembler.cpp: Removed.
2471         * disassembler/LLVMDisassembler.h: Removed.
2472         * disassembler/UDis86Disassembler.cpp:
2473         (JSC::tryToDisassembleWithUDis86):
2474         * disassembler/UDis86Disassembler.h:
2475         (JSC::tryToDisassembleWithUDis86):
2476         * disassembler/X86Disassembler.cpp:
2477         (JSC::tryToDisassemble):
2478         * ftl/FTLAbbreviatedTypes.h:
2479         * ftl/FTLAbbreviations.h: Removed.
2480         * ftl/FTLAbstractHeap.cpp:
2481         (JSC::FTL::AbstractHeap::decorateInstruction):
2482         (JSC::FTL::AbstractHeap::dump):
2483         (JSC::FTL::AbstractField::dump):
2484         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
2485         (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
2486         (JSC::FTL::IndexedAbstractHeap::baseIndex):
2487         (JSC::FTL::IndexedAbstractHeap::dump):
2488         (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
2489         (JSC::FTL::NumberedAbstractHeap::dump):
2490         (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
2491         (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
2492         * ftl/FTLAbstractHeap.h:
2493         (JSC::FTL::AbstractHeap::AbstractHeap):
2494         (JSC::FTL::AbstractHeap::heapName):
2495         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
2496         (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
2497         (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
2498         (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
2499         * ftl/FTLAbstractHeapRepository.cpp:
2500         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2501         * ftl/FTLAbstractHeapRepository.h:
2502         * ftl/FTLB3Compile.cpp:
2503         * ftl/FTLB3Output.cpp:
2504         (JSC::FTL::Output::Output):
2505         (JSC::FTL::Output::check):
2506         (JSC::FTL::Output::load):
2507         (JSC::FTL::Output::store):
2508         * ftl/FTLB3Output.h:
2509         * ftl/FTLCommonValues.cpp:
2510         (JSC::FTL::CommonValues::CommonValues):
2511         (JSC::FTL::CommonValues::initializeConstants):
2512         * ftl/FTLCommonValues.h:
2513         (JSC::FTL::CommonValues::initialize): Deleted.
2514         * ftl/FTLCompile.cpp: Removed.
2515         * ftl/FTLCompileBinaryOp.cpp: Removed.
2516         * ftl/FTLCompileBinaryOp.h: Removed.
2517         * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
2518         * ftl/FTLDWARFDebugLineInfo.h: Removed.
2519         * ftl/FTLDWARFRegister.cpp: Removed.
2520         * ftl/FTLDWARFRegister.h: Removed.
2521         * ftl/FTLDataSection.cpp: Removed.
2522         * ftl/FTLDataSection.h: Removed.
2523         * ftl/FTLExceptionHandlerManager.cpp: Removed.
2524         * ftl/FTLExceptionHandlerManager.h: Removed.
2525         * ftl/FTLExceptionTarget.cpp:
2526         * ftl/FTLExceptionTarget.h:
2527         * ftl/FTLExitThunkGenerator.cpp: Removed.
2528         * ftl/FTLExitThunkGenerator.h: Removed.
2529         * ftl/FTLFail.cpp:
2530         (JSC::FTL::fail):
2531         * ftl/FTLInlineCacheDescriptor.h: Removed.
2532         * ftl/FTLInlineCacheSize.cpp: Removed.
2533         * ftl/FTLInlineCacheSize.h: Removed.
2534         * ftl/FTLIntrinsicRepository.cpp: Removed.
2535         * ftl/FTLIntrinsicRepository.h: Removed.
2536         * ftl/FTLJITCode.cpp:
2537         (JSC::FTL::JITCode::~JITCode):
2538         (JSC::FTL::JITCode::initializeB3Code):
2539         (JSC::FTL::JITCode::initializeB3Byproducts):
2540         (JSC::FTL::JITCode::initializeAddressForCall):
2541         (JSC::FTL::JITCode::contains):
2542         (JSC::FTL::JITCode::ftl):
2543         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2544         (JSC::FTL::JITCode::initializeExitThunks): Deleted.
2545         (JSC::FTL::JITCode::addHandle): Deleted.
2546         (JSC::FTL::JITCode::addDataSection): Deleted.
2547         (JSC::FTL::JITCode::exitThunks): Deleted.
2548         * ftl/FTLJITCode.h:
2549         (JSC::FTL::JITCode::b3Code):
2550         (JSC::FTL::JITCode::handles): Deleted.
2551         (JSC::FTL::JITCode::dataSections): Deleted.
2552         * ftl/FTLJITFinalizer.cpp:
2553         (JSC::FTL::JITFinalizer::codeSize):
2554         (JSC::FTL::JITFinalizer::finalizeFunction):
2555         * ftl/FTLJITFinalizer.h:
2556         * ftl/FTLJSCall.cpp: Removed.
2557         * ftl/FTLJSCall.h: Removed.
2558         * ftl/FTLJSCallBase.cpp: Removed.
2559         * ftl/FTLJSCallBase.h: Removed.
2560         * ftl/FTLJSCallVarargs.cpp: Removed.
2561         * ftl/FTLJSCallVarargs.h: Removed.
2562         * ftl/FTLJSTailCall.cpp: Removed.
2563         * ftl/FTLJSTailCall.h: Removed.
2564         * ftl/FTLLazySlowPath.cpp:
2565         (JSC::FTL::LazySlowPath::LazySlowPath):
2566         (JSC::FTL::LazySlowPath::generate):
2567         * ftl/FTLLazySlowPath.h:
2568         (JSC::FTL::LazySlowPath::createGenerator):
2569         (JSC::FTL::LazySlowPath::patchableJump):
2570         (JSC::FTL::LazySlowPath::done):
2571         (JSC::FTL::LazySlowPath::usedRegisters):
2572         (JSC::FTL::LazySlowPath::callSiteIndex):
2573         (JSC::FTL::LazySlowPath::stub):
2574         (JSC::FTL::LazySlowPath::patchpoint): Deleted.
2575         * ftl/FTLLink.cpp:
2576         (JSC::FTL::link):
2577         * ftl/FTLLocation.cpp:
2578         (JSC::FTL::Location::forValueRep):
2579         (JSC::FTL::Location::dump):
2580         (JSC::FTL::Location::forStackmaps): Deleted.
2581         * ftl/FTLLocation.h:
2582         (JSC::FTL::Location::forRegister):
2583         (JSC::FTL::Location::forIndirect):
2584         (JSC::FTL::Location::forConstant):
2585         (JSC::FTL::Location::kind):
2586         (JSC::FTL::Location::hasReg):
2587         * ftl/FTLLowerDFGToLLVM.cpp:
2588         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
2589         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2590         (JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
2591         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2592         (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
2593         (JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
2594         (JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
2595         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2596         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
2597         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
2598         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2599         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2600         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
2601         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2602         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2603         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2604         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2605         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2606         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2607         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2608         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
2609         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
2610         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
2611         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2612         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
2613         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
2614         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
2615         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
2616         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2617         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2618         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
2619         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
2620         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
2621         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2622         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2623         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
2624         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2625         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
2626         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2627         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
2628         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2629         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
2630         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
2631         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
2632         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
2633         (JSC::FTL::DFG::LowerDFGToLLVM::probe):
2634         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
2635         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
2636         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
2637         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
2638         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
2639         * ftl/FTLOSRExit.cpp:
2640         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
2641         (JSC::FTL::OSRExitDescriptor::validateReferences):
2642         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
2643         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
2644         (JSC::FTL::OSRExit::OSRExit):
2645         (JSC::FTL::OSRExit::codeLocationForRepatch):
2646         (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
2647         (JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
2648         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
2649         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
2650         (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
2651         (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
2652         * ftl/FTLOSRExit.h:
2653         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2654         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
2655         * ftl/FTLOSRExitCompilationInfo.h: Removed.
2656         * ftl/FTLOSRExitCompiler.cpp:
2657         (JSC::FTL::compileRecovery):
2658         (JSC::FTL::compileStub):
2659         (JSC::FTL::compileFTLOSRExit):
2660         * ftl/FTLOSRExitHandle.cpp:
2661         * ftl/FTLOSRExitHandle.h:
2662         * ftl/FTLOutput.cpp: Removed.
2663         * ftl/FTLOutput.h: Removed.
2664         * ftl/FTLPatchpointExceptionHandle.cpp:
2665         * ftl/FTLPatchpointExceptionHandle.h:
2666         * ftl/FTLStackMaps.cpp: Removed.
2667         * ftl/FTLStackMaps.h: Removed.
2668         * ftl/FTLState.cpp:
2669         (JSC::FTL::State::State):
2670         (JSC::FTL::State::~State):
2671         (JSC::FTL::State::dumpState): Deleted.
2672         * ftl/FTLState.h:
2673         * ftl/FTLUnwindInfo.cpp: Removed.
2674         * ftl/FTLUnwindInfo.h: Removed.
2675         * ftl/FTLValueRange.cpp:
2676         (JSC::FTL::ValueRange::decorateInstruction):
2677         * ftl/FTLValueRange.h:
2678         (JSC::FTL::ValueRange::ValueRange):
2679         (JSC::FTL::ValueRange::begin):
2680         (JSC::FTL::ValueRange::end):
2681         * ftl/FTLWeight.h:
2682         (JSC::FTL::Weight::value):
2683         (JSC::FTL::Weight::frequencyClass):
2684         (JSC::FTL::Weight::scaleToTotal):
2685         * llvm/InitializeLLVM.cpp: Removed.
2686         * llvm/InitializeLLVM.h: Removed.
2687         * llvm/InitializeLLVMMac.cpp: Removed.
2688         * llvm/InitializeLLVMPOSIX.cpp: Removed.
2689         * llvm/InitializeLLVMPOSIX.h: Removed.
2690         * llvm/LLVMAPI.cpp: Removed.
2691         * llvm/LLVMAPI.h: Removed.
2692         * llvm/LLVMAPIFunctions.h: Removed.
2693         * llvm/LLVMHeaders.h: Removed.
2694         * llvm/library/LLVMAnchor.cpp: Removed.
2695         * llvm/library/LLVMExports.cpp: Removed.
2696         * llvm/library/LLVMOverrides.cpp: Removed.
2697         * llvm/library/config_llvm.h: Removed.
2698
2699 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
2700
2701         [JSC] Remove the overflow check on ArithAbs when possible
2702         https://bugs.webkit.org/show_bug.cgi?id=154325
2703
2704         Reviewed by Filip Pizlo.
2705
2706         This patch adds support for ArithMode for ArithAbs.
2707
2708         It is useful for kraken tests where Math.abs() is used
2709         on values for which the range is known.
2710
2711         For example, imaging-gaussian-blur has two Math.abs() with
2712         integers that are always in a small range around zero.
2713         The IntegerRangeOptimizationPhase detects the range correctly
2714         so we can just update the ArithMode depending on the input.
2715
2716         * dfg/DFGFixupPhase.cpp:
2717         (JSC::DFG::FixupPhase::fixupNode):
2718         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2719         * dfg/DFGNode.h:
2720         (JSC::DFG::Node::convertToArithNegate):
2721         (JSC::DFG::Node::hasArithMode):
2722         * dfg/DFGSpeculativeJIT64.cpp:
2723         (JSC::DFG::SpeculativeJIT::compile):
2724         * ftl/FTLLowerDFGToLLVM.cpp:
2725         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
2726         * tests/stress/arith-abs-integer-range-optimization.js: Added.
2727         (negativeRange):
2728         (negativeRangeIncludingZero):
2729         (negativeRangeWithOverflow):
2730         (positiveRange):
2731         (positiveRangeIncludingZero):
2732         (rangeWithoutOverflow):
2733         * tests/stress/arith-abs-with-bitwise-or-zero.js: Added.
2734         (opaqueAbs):
2735
2736 2016-02-17  Chris Dumez  <cdumez@apple.com>
2737
2738         SES selftest page crashes on nightly r196694
2739         https://bugs.webkit.org/show_bug.cgi?id=154350
2740         <rdar://problem/24704334>
2741
2742         Reviewed by Mark Lam.
2743
2744         SES selftest page crashes after r196001 / r196145 when calling
2745         Object.getOwnPropertyDescriptor(window, "length") after the window
2746         has been reified and "length" has been shadowed by a value property.
2747
2748         It was crashing in JSObject::getOwnPropertyDescriptor() because
2749         we are getting a slot that has attribute "CustomAccessor" but
2750         the property is not a CustomGetterSetter. In this case, since
2751         window.length is [Replaceable] and has been set to a numeric value,
2752         it follows that the property is not a CustomGetterSetter. However,
2753         the "CustomAccessor" attribute should have been dropped from the
2754         slot when window.length was shadowed. Therefore, this code path
2755         should not be exercised at all when calling
2756         getOwnPropertyDescriptor().
2757
2758         The issue was that putDirectInternal() was updating the slot
2759         attributes only if the "Accessor" flag has changed, but not
2760         the "customAccessor" flag. This patch fixes the issue.
2761
2762         * runtime/JSObject.h:
2763         (JSC::JSObject::putDirectInternal):
2764
2765 2016-02-17  Saam barati  <sbarati@apple.com>
2766
2767         Implement Proxy [[Get]]
2768         https://bugs.webkit.org/show_bug.cgi?id=154081
2769
2770         Reviewed by Michael Saboff.
2771
2772         This patch implements ProxyObject and ProxyConstructor. Their
2773         implementations are straight forward and follow the spec.
2774         The largest change in this patch is adding a second parameter
2775         to PropertySlot's constructor that specifies the internal method type of
2776         the getOwnPropertySlot inquiry. We use getOwnPropertySlot to 
2777         implement more than one Internal Method in the spec. Because 
2778         of this, we need InternalMethodType to give us context about 
2779         which Internal Method we're executing. Specifically, Proxy will 
2780         call into different handlers based on this information.
2781
2782         InternalMethodType is an enum with the following values:
2783         - Get
2784           This corresponds to [[Get]] internal method in the spec.
2785         - GetOwnProperty
2786           This corresponds to [[GetOwnProperty]] internal method in the spec.
2787         - HasProperty
2788           This corresponds to [[HasProperty]] internal method in the spec.
2789         - VMInquiry
2790           This is basically everything else that isn't one of the above
2791           types. This value also mandates that getOwnPropertySlot does
2792           not perform any user observable effects. I.e., it can't call
2793           a JS function.
2794
2795         The other non-VMInquiry InternalMethodTypes are allowed to perform user
2796         observable effects. I.e., in future patches, ProxyObject will implement
2797         InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty, which will both be defined
2798         to call user defined JS functions, which clearly have the right to perform
2799         user observable effects.
2800
2801         This patch implements getOwnPropertySlot of ProxyObject under
2802         InternalMethodType::Get. 
2803
2804         * API/JSCallbackObjectFunctions.h:
2805         (JSC::JSCallbackObject<Parent>::put):
2806         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2807         * CMakeLists.txt:
2808         * JavaScriptCore.xcodeproj/project.pbxproj:
2809         * debugger/DebuggerScope.cpp:
2810         (JSC::DebuggerScope::caughtValue):
2811         * interpreter/Interpreter.cpp:
2812         (JSC::Interpreter::execute):
2813         * jit/JITOperations.cpp:
2814         * llint/LLIntSlowPaths.cpp:
2815         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2816         * runtime/ArrayPrototype.cpp:
2817         (JSC::getProperty):
2818         * runtime/CommonIdentifiers.h:
2819         * runtime/JSCJSValueInlines.h:
2820         (JSC::JSValue::get):
2821         * runtime/JSFunction.cpp:
2822         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2823         (JSC::JSFunction::put):
2824         (JSC::JSFunction::defineOwnProperty):
2825         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2826         (JSC::constructGenericTypedArrayViewWithArguments):
2827         * runtime/JSGlobalObject.cpp:
2828         (JSC::JSGlobalObject::init):
2829         (JSC::JSGlobalObject::defineOwnProperty):
2830         * runtime/JSGlobalObject.h:
2831         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
2832         (JSC::JSGlobalObject::moduleRecordStructure):
2833         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
2834         (JSC::JSGlobalObject::proxyObjectStructure):
2835         (JSC::JSGlobalObject::wasmModuleStructure):
2836         * runtime/JSModuleEnvironment.cpp:
2837         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2838         * runtime/JSModuleNamespaceObject.cpp:
2839         (JSC::callbackGetter):
2840         * runtime/JSONObject.cpp:
2841         (JSC::Stringifier::Holder::appendNextProperty):
2842         (JSC::Walker::walk):
2843         * runtime/JSObject.cpp:
2844         (JSC::JSObject::calculatedClassName):
2845         (JSC::JSObject::putDirectNonIndexAccessor):
2846         (JSC::JSObject::hasProperty):
2847         (JSC::JSObject::deleteProperty):
2848         (JSC::JSObject::hasOwnProperty):
2849         (JSC::JSObject::getOwnPropertyDescriptor):
2850         * runtime/JSObject.h:
2851         (JSC::JSObject::getDirectIndex):
2852         (JSC::JSObject::get):
2853         * runtime/JSScope.cpp:
2854         (JSC::abstractAccess):
2855         * runtime/ObjectConstructor.cpp:
2856         (JSC::toPropertyDescriptor):
2857         * runtime/ObjectPrototype.cpp:
2858         (JSC::objectProtoFuncLookupGetter):
2859         (JSC::objectProtoFuncLookupSetter):
2860         (JSC::objectProtoFuncToString):
2861         * runtime/PropertySlot.h:
2862         (JSC::attributesForStructure):
2863         (JSC::PropertySlot::PropertySlot):
2864         (JSC::PropertySlot::isCacheableGetter):
2865         (JSC::PropertySlot::isCacheableCustom):
2866         (JSC::PropertySlot::internalMethodType):
2867         (JSC::PropertySlot::disableCaching):
2868         (JSC::PropertySlot::getValue):
2869         * runtime/ProxyConstructor.cpp: Added.
2870         (JSC::ProxyConstructor::create):
2871         (JSC::ProxyConstructor::ProxyConstructor):
2872         (JSC::ProxyConstructor::finishCreation):
2873         (JSC::constructProxyObject):
2874         (JSC::ProxyConstructor::getConstructData):
2875         (JSC::ProxyConstructor::getCallData):
2876         * runtime/ProxyConstructor.h: Added.
2877         (JSC::ProxyConstructor::createStructure):
2878         * runtime/ProxyObject.cpp: Added.
2879         (JSC::ProxyObject::ProxyObject):
2880         (JSC::ProxyObject::finishCreation):
2881         (JSC::performProxyGet):
2882         (JSC::ProxyObject::getOwnPropertySlotCommon):
2883         (JSC::ProxyObject::getOwnPropertySlot):
2884         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2885         (JSC::ProxyObject::visitChildren):
2886         * runtime/ProxyObject.h: Added.
2887         (JSC::ProxyObject::create):
2888         (JSC::ProxyObject::createStructure):
2889         (JSC::ProxyObject::target):
2890         (JSC::ProxyObject::handler):
2891         * runtime/ReflectObject.cpp:
2892         (JSC::reflectObjectGet):
2893         * runtime/SamplingProfiler.cpp:
2894         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
2895         * tests/es6.yaml:
2896         * tests/stress/proxy-basic.js: Added.
2897         (assert):
2898         (let.handler.get null):
2899         (get let):
2900         (let.handler.get switch):
2901         (let.handler):
2902         (let.theTarget.get x):
2903         * tests/stress/proxy-in-proto-chain.js: Added.
2904         (assert):
2905         * tests/stress/proxy-of-a-proxy.js: Added.
2906         (assert):
2907         (throw.new.Error.):
2908         * tests/stress/proxy-property-descriptor.js: Added.
2909         (assert):
2910         (set Object):
2911         * wasm/WASMModuleParser.cpp:
2912         (JSC::WASMModuleParser::getImportedValue):
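
The three situations the entry's stress tests are named after (a plain proxy, a proxy in the prototype chain, and a proxy of a proxy) can be exercised from JavaScript by observing when the handler's "get" trap runs and which receiver it sees. The following is an added example, not code from the WebKit ChangeLog or from JavaScriptCore; the objects, handler and helper names in it are constructed for illustration.

```javascript
// Added example (not from the WebKit ChangeLog or JSC sources): exercises the
// [[Get]] internal method of a Proxy, the operation the entry above implements.
// All object shapes, labels and helper names below are constructed for illustration.

// Wraps `target` in a Proxy whose "get" trap records every invocation in `log`
// and then performs the ordinary [[Get]] on the target with the same receiver.
function makeLoggingProxy(target, label, log) {
    const handler = {
        get(t, property, receiver) {
            log.push({ label, property: String(property), receiver });
            return Reflect.get(t, property, receiver); // default [[Get]] on the target
        }
    };
    return new Proxy(target, handler);
}

// Case 1: a direct property read goes through the trap, and the trap sees the
// proxy itself as the receiver.
function directGet() {
    const log = [];
    const p = makeLoggingProxy({ x: 1 }, "direct", log);
    const value = p.x;
    return { value, log, receiverWasProxy: log[0].receiver === p };
}

// Case 2: a proxy in the prototype chain. Reading a property the derived object
// lacks walks the chain, so [[Get]] on the proxy runs with the derived object as
// the receiver; that is what lets the target's getter see the derived `this`.
function protoChainGet() {
    const log = [];
    const p = makeLoggingProxy({ get y() { return this.z * 2; }, z: 0 }, "proto", log);
    const derived = Object.create(p);
    derived.z = 21;            // becomes an own data property of `derived`
    const value = derived.y;   // 'y' is found on the proxy, getter runs with this === derived
    return { value, log, receiverWasDerived: log[0].receiver === derived };
}

// Case 3: a proxy of a proxy. The outer trap runs first; its Reflect.get on the
// inner proxy then runs the inner trap, so the log shows both in order.
function nestedGet() {
    const log = [];
    const inner = makeLoggingProxy({ x: 7 }, "inner", log);
    const outer = makeLoggingProxy(inner, "outer", log);
    const value = outer.x;
    return { value, order: log.map(entry => entry.label) };
}
```

Only the "get" trap is involved in these reads; the entry notes that the other InternalMethodTypes (HasProperty, GetOwnProperty) are left for later patches, so checks such as `in` or `Object.getOwnPropertyDescriptor` are deliberately not part of this example.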
2913
2914 2016-02-17  Mark Lam  <mark.lam@apple.com>
2915
2916         StringPrototype functions should check for exceptions after calling JSString::value().
2917         https://bugs.webkit.org/show_bug.cgi?id=154340
2918
2919         Reviewed by Filip Pizlo.
2920
2921         JSString::value() can throw an exception if the JS string is a rope and value()
2922         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
2923         able to resolve the rope, it will return a null string (in addition to throwing
2924         the exception).  If StringPrototype functions do not check for exceptions after
2925         calling JSString::value(), they may eventually use the returned null string and
2926         crash the VM.
2927
2928         The fix is to add all the necessary exception checks, and do the appropriate
2929         handling if needed.
2930
2931         Also, in a few places where we return JSValue() when an exception is detected, I
2932         changed it to return jsUndefined() instead, to be consistent with the rest of the
2933         file.
2934
2935         * runtime/StringPrototype.cpp:
2936         (JSC::replaceUsingRegExpSearch):
2937         (JSC::stringProtoFuncMatch):
2938         (JSC::stringProtoFuncSlice):
2939         (JSC::stringProtoFuncSplit):
2940         (JSC::stringProtoFuncLocaleCompare):
2941         (JSC::stringProtoFuncBig):
2942         (JSC::stringProtoFuncSmall):
2943         (JSC::stringProtoFuncBlink):
2944         (JSC::stringProtoFuncBold):
2945         (JSC::stringProtoFuncFixed):
2946         (JSC::stringProtoFuncItalics):
2947         (JSC::stringProtoFuncStrike):
2948         (JSC::stringProtoFuncSub):
2949         (JSC::stringProtoFuncSup):
2950         (JSC::stringProtoFuncFontcolor):
2951         (JSC::stringProtoFuncFontsize):
2952         (JSC::stringProtoFuncAnchor):
2953         (JSC::stringProtoFuncLink):
2954         (JSC::trimString):
2955
2956 2016-02-17  Commit Queue  <commit-queue@webkit.org>
2957
2958         Unreviewed, rolling out r196675.
2959         https://bugs.webkit.org/show_bug.cgi?id=154344
2960
2961         "Causes major slowdowns on deltablue-varargs" (Requested by
2962         keith_miller on #webkit).
2963
2964         Reverted changeset:
2965
2966         "Spread operator should be allowed when not the first argument
2967         of parameter list"
2968         https://bugs.webkit.org/show_bug.cgi?id=152721
2969         http://trac.webkit.org/changeset/196675
2970
2971 2016-02-17  Gavin Barraclough  <barraclough@apple.com>
2972
2973         JSDOMWindow::put should not do the same thing twice
2974         https://bugs.webkit.org/show_bug.cgi?id=154334
2975
2976         Reviewed by Chris Dumez.
2977
2978         It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
2979         In the latter case it might call lookupPut. That's redundant; JSObject::put handles static
2980         table entries.
2981
2982         * runtime/JSGlobalObject.h:
2983         (JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.
2984             - no longer needed.
2985
2986 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2987
2988         FTL_USES_B3 should be unconditionally true
2989         https://bugs.webkit.org/show_bug.cgi?id=154324
2990
2991         Reviewed by Benjamin Poulain.
2992
2993         * dfg/DFGCommon.h:
2994
2995 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2996
2997         FTL should support CompareEq(String:, String:)
2998         https://bugs.webkit.org/show_bug.cgi?id=154269
2999         rdar://problem/24499921
3000
3001         Reviewed by Benjamin Poulain.
3002
3003         Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
3004         think we should land the increased coverage first and fix the issues after, especially since
3005         the regression is so small and doesn't have a statistically significant effect on the overall
3006         score.
3007
3008         * ftl/FTLCapabilities.cpp:
3009         (JSC::FTL::canCompile):
3010         * ftl/FTLLowerDFGToLLVM.cpp:
3011         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
3012         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
3013         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
3014         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
3015         * tests/stress/ftl-string-equality.js: Added.
3016         * tests/stress/ftl-string-ident-equality.js: Added.
3017         * tests/stress/ftl-string-strict-equality.js: Added.
3018
3019 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3020
3021         FTL should support NewTypedArray
3022         https://bugs.webkit.org/show_bug.cgi?id=154268
3023
3024         Reviewed by Saam Barati.
3025
3026         3% speed-up on pdfjs. This was already covered by many different tests.
3027
3028         Rolling this back in after fixing the butterfly argument.
3029
3030         * ftl/FTLCapabilities.cpp:
3031         (JSC::FTL::canCompile):
3032         * ftl/FTLLowerDFGToLLVM.cpp:
3033         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3034         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3035         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
3036         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
3037         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
3038         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
3039         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3040
3041 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
3042
3043         JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
3044         https://bugs.webkit.org/show_bug.cgi?id=154257
3045
3046         Reviewed by Chris Dumez.
3047
3048         * runtime/Lookup.h:
3049         (JSC::getStaticPropertySlot):
3050         (JSC::getStaticFunctionSlot):
3051         (JSC::getStaticValueSlot):
3052             - this could all do with a little more love.
3053               But enforce the basic precedence:
3054                 (1) regular storage properties always win over static table properties.
3055                 (2) if properties have been reified, don't consult the static tables.
3056                 (3) only if the property is not present on the object & not reified
3057                     should the static hashtable be consulted.
3058
3059 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
3060
3061         JSDOMWindow::getOwnPropertySlot should not search proto chain
3062         https://bugs.webkit.org/show_bug.cgi?id=154102
3063
3064         Reviewed by Chris Dumez.
3065
3066         Should only return *own* properties.
3067
3068         * runtime/JSObject.cpp:
3069         (JSC::JSObject::getOwnPropertyDescriptor):
3070             - remove hack/special-case for DOMWindow; we no longer need this.
3071
3072 2016-02-16  Keith Miller  <keith_miller@apple.com>
3073
3074         Spread operator should be allowed when not the first argument of parameter list
3075         https://bugs.webkit.org/show_bug.cgi?id=152721
3076
3077         Reviewed by Saam Barati.
3078
3079         Spread arguments to functions should now be ES6 compliant. Before we
3080         would only take a spread operator if it was the sole argument to a
3081         function. Additionally, we would not use the Symbol.iterator on the
3082         object to generate the arguments. Instead we would do a loop up to the
3083         length mapping indexed properties to the corresponding argument. We fix
3084         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
3085         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
3086         old spread semantics). This solution has the downside of requiring the
3087         allocation of another object and copying each element twice but avoids a
3088         large change to the vm calling convention.
3089
3090         * interpreter/Interpreter.cpp:
3091         (JSC::loadVarargs):
3092         * parser/ASTBuilder.h:
3093         (JSC::ASTBuilder::createElementList):
3094         * parser/Parser.cpp:
3095         (JSC::Parser<LexerType>::parseArguments):
3096         (JSC::Parser<LexerType>::parseArgument):
3097         (JSC::Parser<LexerType>::parseMemberExpression):
3098         * parser/Parser.h:
3099         * parser/SyntaxChecker.h:
3100         (JSC::SyntaxChecker::createElementList):
3101         * tests/es6.yaml:
3102         * tests/stress/spread-calling.js: Added.
3103         (testFunction):
3104         (testEmpty):
3105         (makeObject):
3106         (otherIterator.return.next):
3107         (otherIterator):
3108         (totalIter):
3109         (throwingIter.return.next):
3110         (throwingIter):
3111         (i.catch):
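
The two argument-spreading semantics the entry contrasts (length-and-index copying versus the Symbol.iterator protocol that foo(...[...a, b, ...c, d]) relies on) can be modelled directly in JavaScript, including the case where the iterator throws before the callee runs. The following is an added example, not code from the WebKit ChangeLog or from JavaScriptCore's tests; the helper names and the sample objects are constructed for illustration.

```javascript
// Added example (not from the WebKit ChangeLog or JSC sources): models the two
// spread semantics described in the entry above. Helper and object names are
// constructed for illustration.

// Pre-patch behaviour the entry describes: walk 0..length-1 and read indexed
// properties; Symbol.iterator is never consulted.
function legacySpread(obj) {
    const out = [];
    const len = obj.length >>> 0;
    for (let i = 0; i < len; i++)
        out.push(obj[i]);
    return out;
}

// ES6 behaviour: flatten spread and non-spread pieces into one argument array,
// consulting each spread operand's Symbol.iterator (this is what the inner
// [...a, b, ...c, d] array literal in the transformed call does).
function buildArgumentList(...pieces) {
    const out = [];
    for (const piece of pieces) {
        if (piece.spread) {
            for (const v of piece.value)   // for-of uses Symbol.iterator
                out.push(v);
        } else {
            out.push(piece.value);
        }
    }
    return out;
}

// foo(...a, b, ...c, d) expressed via the transformation foo(...[...a, b, ...c, d]).
function spreadCallMixed(fn, a, b, c, d) {
    const args = buildArgumentList(
        { spread: true, value: a },
        { spread: false, value: b },
        { spread: true, value: c },
        { spread: false, value: d });
    return fn(...args);
}

// An object whose iterator disagrees with its indexed properties, so the two
// semantics produce different argument lists.
function makeDisagreeingObject() {
    return {
        length: 2, 0: "indexed0", 1: "indexed1",
        [Symbol.iterator]() {
            let n = 0;
            return {
                next: () => n < 2 ? { value: "iter" + n++, done: false }
                                  : { value: undefined, done: true }
            };
        }
    };
}

function compareSemantics() {
    const obj = makeDisagreeingObject();
    return { legacy: legacySpread(obj), iterator: [...obj] };
}

// A throwing iterator (cf. the throwingIter test the entry lists): the error
// surfaces while the argument list is built, so the callee never runs.
function spreadOfThrowingIterator() {
    const throwing = {
        [Symbol.iterator]() {
            return { next() { throw new Error("iterator failed"); } };
        }
    };
    let calleeRan = false;
    try {
        spreadCallMixed(() => { calleeRan = true; }, [1], 2, throwing, 4);
    } catch (e) {
        return { threw: e.message, calleeRan };
    }
    return { threw: null, calleeRan };
}
```

The cost the entry mentions is visible in `buildArgumentList`: every element is copied once into the intermediate array and once more when that array is spread into the call.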
3112
3113 2016-02-16  Benjamin Poulain  <bpoulain@apple.com>
3114
3115         [JSC] Enable B3 on ARM64
3116         https://bugs.webkit.org/show_bug.cgi?id=154275
3117
3118         Reviewed by Mark Lam.
3119
3120         The port passes more tests than LLVM now, let's use it by default.
3121
3122         * dfg/DFGCommon.h:
3123
3124 2016-02-16  Commit Queue  <commit-queue@webkit.org>
3125
3126         Unreviewed, rolling out r196652.
3127         https://bugs.webkit.org/show_bug.cgi?id=154315
3128
3129         This change caused LayoutTest crashes (Requested by ryanhaddad
3130         on #webkit).
3131
3132         Reverted changeset:
3133
3134         "FTL should support NewTypedArray"
3135         https://bugs.webkit.org/show_bug.cgi?id=154268
3136         http://trac.webkit.org/changeset/196652
3137
3138 2016-02-16  Brian Burg  <bburg@apple.com>
3139
3140         RemoteInspector should forward new automation session requests to its client
3141         https://bugs.webkit.org/show_bug.cgi?id=154260
3142         <rdar://problem/24663313>
3143
3144         Reviewed by Timothy Hatcher.
3145
3146         * inspector/remote/RemoteInspector.h:
3147         * inspector/remote/RemoteInspector.mm:
3148         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3149         (Inspector::RemoteInspector::listingForAutomationTarget):
3150         Use the correct key for the session identifier in the listing. The name()
3151         override for RemoteAutomationTarget is actually the session identifier.
3152
3153         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
3154         * inspector/remote/RemoteInspectorConstants.h: Add new constants.
3155
3156 2016-02-16  Saam barati  <sbarati@apple.com>
3157
3158         SamplingProfiler still fails with ASan enabled
3159         https://bugs.webkit.org/show_bug.cgi?id=154301
3160         <rdar://problem/24679502>
3161
3162         Reviewed by Filip Pizlo.
3163
3164         To fix this issue, I've come up with unsafe versions
3165         of all operations that load memory from the thread's call
3166         frame. All these new unsafe methods are marked with SUPPRESS_ASAN.
3167
3168         * interpreter/CallFrame.cpp:
3169         (JSC::CallFrame::callSiteAsRawBits):
3170         (JSC::CallFrame::unsafeCallSiteAsRawBits):
3171         (JSC::CallFrame::callSiteIndex):
3172         (JSC::CallFrame::unsafeCallSiteIndex):
3173         (JSC::CallFrame::stack):
3174         (JSC::CallFrame::callerFrame):
3175         (JSC::CallFrame::unsafeCallerFrame):
3176         (JSC::CallFrame::friendlyFunctionName):
3177         * interpreter/CallFrame.h:
3178         (JSC::ExecState::calleeAsValue):
3179         (JSC::ExecState::callee):
3180         (JSC::ExecState::unsafeCallee):
3181         (JSC::ExecState::codeBlock):
3182         (JSC::ExecState::unsafeCodeBlock):
3183         (JSC::ExecState::scope):
3184         (JSC::ExecState::callerFrame):
3185         (JSC::ExecState::callerFrameOrVMEntryFrame):
3186         (JSC::ExecState::unsafeCallerFrameOrVMEntryFrame):
3187         (JSC::ExecState::callerFrameOffset):
3188         (JSC::ExecState::callerFrameAndPC):
3189         (JSC::ExecState::unsafeCallerFrameAndPC):
3190         * interpreter/Register.h:
3191         (JSC::Register::codeBlock):
3192         (JSC::Register::asanUnsafeCodeBlock):
3193         (JSC::Register::unboxedInt32):
3194         (JSC::Register::tag):
3195         (JSC::Register::unsafeTag):
3196         (JSC::Register::payload):
3197         * interpreter/VMEntryRecord.h:
3198         (JSC::VMEntryRecord::prevTopCallFrame):
3199         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
3200         (JSC::VMEntryRecord::prevTopVMEntryFrame):
3201         (JSC::VMEntryRecord::unsafePrevTopVMEntryFrame):
3202         * runtime/SamplingProfiler.cpp:
3203         (JSC::FrameWalker::walk):
3204         (JSC::FrameWalker::advanceToParentFrame):
3205         (JSC::FrameWalker::isAtTop):
3206         (JSC::FrameWalker::resetAtMachineFrame):
3207
3208 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3209
3210         FTL should support NewTypedArray
3211         https://bugs.webkit.org/show_bug.cgi?id=154268
3212
3213         Reviewed by Saam Barati.
3214
3215         3% speed-up on pdfjs. This was already covered by many different tests.
3216
3217         * ftl/FTLCapabilities.cpp:
3218         (JSC::FTL::canCompile):
3219         * ftl/FTLLowerDFGToLLVM.cpp:
3220         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3221         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
3222         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
3223         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
3224         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
3225         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
3226         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
3227
3228 2016-02-16  Saam barati  <sbarati@apple.com>
3229
3230         stress/sampling-profiler-deep-stack.js fails on ARM 32bit
3231         https://bugs.webkit.org/show_bug.cgi?id=154255
3232         <rdar://problem/24662996>
3233
3234         Reviewed by Mark Lam.
3235
3236         The bug here wasn't in the implementation of the sampling profiler 
3237         itself. Rather, it was a bug in the test. JSC wasn't spending a lot
3238         of time in a function that the test assumed a lot of time was spent in.
3239         That's because the DFG was doing a good job at optimizing the function
3240         at the leaf of the recursion. Because of that, we often wouldn't sample it.
3241         I fixed this by making the leaf function do more work.
3242
3243         * tests/stress/sampling-profiler-deep-stack.js:
3244         (platformSupportsSamplingProfiler.foo):
3245
3246 2016-02-16  Chris Dumez  <cdumez@apple.com>
3247
3248         [Web IDL] Operations should be on the instance for global objects or if [Unforgeable]
3249         https://bugs.webkit.org/show_bug.cgi?id=154120
3250         <rdar://problem/24613231>
3251
3252         Reviewed by Gavin Barraclough.
3253
3254         Have putEntry() take a thisValue parameter in addition to the base,
3255         instead of relying on PropertySlot::thisValue() because this did not
3256         always do the right thing. In particular, when JSDOMWindow::put() was
3257         called to set a function, it would end up setting the new value on the
3258         JSDOMWindowShell instead of the actual JSDOMWindow.
3259         JSDOMWindow::getOwnPropertySlot() would then not be able to find it.
3260         Therefore the following would fail:
3261         $ window.open = "test"
3262         $ console.log(window.open) // prints the native function instead of "test"
3263
3264         * runtime/JSObject.cpp:
3265         (JSC::JSObject::putInlineSlow):
3266         * runtime/Lookup.h:
3267         (JSC::putEntry):
3268         (JSC::lookupPut):
3269
3270 2016-02-16  Keith Miller  <keith_miller@apple.com>
3271
3272         ClonedArguments should not materialize its special properties unless they are being changed or deleted
3273         https://bugs.webkit.org/show_bug.cgi?id=154128
3274
3275         Reviewed by Filip Pizlo.
3276
3277         Before we would materialize ClonedArguments whenever they were being accessed.
3278         However this would cause the IC to miss every time as the structure for
3279         the arguments object would change as we went to IC it. Thus on the next
3280         function call we would miss the cache since the new arguments object
3281         would not have materialized the value.
3282
3283         * runtime/ClonedArguments.cpp:
3284         (JSC::ClonedArguments::getOwnPropertySlot):
3285         * tests/stress/cloned-arguments-modification.js: Added.
3286         (foo):
3287
3288 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
3289
3290         FTL should support StringFromCharCode
3291         https://bugs.webkit.org/show_bug.cgi?id=154267
3292         rdar://problem/24192536
3293
3294         Reviewed by Mark Lam.
3295
3296         * dfg/DFGFixupPhase.cpp:
3297         (JSC::DFG::FixupPhase::fixupNode): Fix a bug preventing the UntypedUse from being effective.
3298         * ftl/FTLCapabilities.cpp:
3299         (JSC::FTL::canCompile):
3300         * ftl/FTLLowerDFGToLLVM.cpp:
3301         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3302         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringFromCharCode): Implement the opcode.
3303         * tests/stress/string-from-char-code-slow.js: Added.
3304
3305 2016-02-15  Benjamin Poulain  <bpoulain@apple.com>
3306
3307         [JSC] BranchAdd can override arguments of its stackmap
3308         https://bugs.webkit.org/show_bug.cgi?id=154274
3309
3310         Reviewed by Filip Pizlo.
3311
3312         With the 3-operand BranchAdd added in r196513, we can run into
3313         a register allocation such that the destination register is also
3314         used by a value in the stack map.
3315
3316         It used to be that BranchAdd was a 2-operand instruction.
3317         In that form, the destination is also one of the sources and
3318         can be recovered through Sub. There is no conflict between
3319         the destination and the stackmap.
3320
3321         After r196513, the destination has its own value. It is uncommon
3322         on x86 because of the aggressive aliasing but that can happen.
3323         On ARM, that's a standard form since there is no need for aliasing.
3324
3325         Since the arguments of the stackmap are of type EarlyUse,
3326         they appeared not to interfere with the destination. When the register
3327         allocator gives the same register to the destination and something in
3328         the stack map, the result of BranchAdd destroys the value kept alive
3329         for the stackmap.
3330
3331         In this patch, I introduce a concept very similar to ForceLateUse
3332         to keep the argument of the stackmap live in CheckAdd. The new
3333         role is "ForceLateUseUnlessRecoverable".
3334
3335         In this mode, anything that is not also an input argument becomes
3336         LateUse. As such, it interferes with the destination of CheckAdd.
3337         The arguments are recovered by the slow path of CheckAdd. They
3338         remain EarlyUse.
3339
3340         This new mode ensures that the destination can be aliased to the source
3341         when that's useful, while making sure it is not aliased with another
3342         value that needs to be live on exit.
3343
3344         * b3/B3CheckSpecial.cpp:
3345         (JSC::B3::CheckSpecial::forEachArg):
3346         * b3/B3LowerToAir.cpp:
3347         (JSC::B3::Air::LowerToAir::lower):
3348         * b3/B3PatchpointSpecial.cpp:
3349         (JSC::B3::PatchpointSpecial::forEachArg):
3350         * b3/B3StackmapSpecial.cpp:
3351         (JSC::B3::StackmapSpecial::forEachArgImpl):
3352         (WTF::printInternal):
3353         * b3/B3StackmapSpecial.h:
3354         * b3/B3StackmapValue.h:
3355
3356 2016-02-15  Joseph Pecoraro  <pecoraro@apple.com>
3357
3358         Web Inspector: Web Workers have no access to console for debugging
3359         https://bugs.webkit.org/show_bug.cgi?id=26237
3360
3361         Reviewed by Timothy Hatcher.
3362
3363         * inspector/ConsoleMessage.h:
3364         Add accessor for MessageLevel.
3365
3366 2016-02-15  Mark Lam  <mark.lam@apple.com>
3367
3368         [ARMv7] stress/op_rshift.js and stress/op_urshift.js are failing.