[ES7] Update features.json for exponentiation expression
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [ES7] Update features.json for exponentiation expression
4         https://bugs.webkit.org/show_bug.cgi?id=160541
5
6         Reviewed by Mark Lam.
7
8         * features.json:
9
10 2016-08-03  Chris Dumez  <cdumez@apple.com>
11
12         Drop DocumentType.internalSubset attribute
13         https://bugs.webkit.org/show_bug.cgi?id=160530
14
15         Reviewed by Alex Christensen.
16
17         Drop DocumentType.internalSubset attribute.
18
19         * inspector/protocol/DOM.json:
20
21 2016-08-03  Benjamin Poulain  <bpoulain@apple.com>
22
23         [JSC] Improve the memory locality of DFG Node's AbstractValues
24         https://bugs.webkit.org/show_bug.cgi?id=160443
25
26         Reviewed by Mark Lam.
27
28         The AbstractInterpreter spends a lot of time on memory operations
29         for AbstractValues. This patch attempts to improve the situation
30         by putting the values closer together in memory.
31
32         First, AbstractValue is moved out of DFG::Node and it kept in
33         a vector addressed by node indices.
34
35         I initially moved them to InPlaceAbstractState but I quickly discovered
36         initializing the values in the vector was costly.
37         I moved the vector to Graph as a cache shared by every instantiation of
38         InPlaceAbstractState. It is mainly there to avoid constructors and destructors
39         of AbstractValue. The patch of https://bugs.webkit.org/show_bug.cgi?id=160370
40         should also help eventually.
41
42         I instrumented CFA to find out how packed SparseCollection is.
43         The answer is it can be very sparse, which is bad for CFA.
44         I added packIndices() to repack the collection before running
45         liveness since that's where we start using the memory intensively.
46         This is a measurable improvement but it implies we can no longer
47         keep indices on a side channel between phases since they may change.
48
49         * b3/B3SparseCollection.h:
50         (JSC::B3::SparseCollection::packIndices):
51         * dfg/DFGGraph.cpp:
52         (JSC::DFG::Graph::packNodeIndices):
53         * dfg/DFGGraph.h:
54         (JSC::DFG::Graph::abstractValuesCache):
55         * dfg/DFGInPlaceAbstractState.cpp:
56         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
57         * dfg/DFGInPlaceAbstractState.h:
58         (JSC::DFG::InPlaceAbstractState::forNode):
59         * dfg/DFGLivenessAnalysisPhase.cpp:
60         (JSC::DFG::performLivenessAnalysis):
61         * dfg/DFGNode.h:
62
63 2016-08-03  Caitlin Potter  <caitp@igalia.com>
64
65         Clarify SyntaxErrors around yield and unskip tests
66         https://bugs.webkit.org/show_bug.cgi?id=158460
67
68         Reviewed by Saam Barati.
69
70         Fix and unskip tests which erroneously asserted that `yield` is not a
71         valid BindingIdentifier, and improve error message for YieldExpressions
72         occurring in Arrow formal parameters.
73
74         * parser/Parser.cpp:
75         (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
76         (JSC::Parser<LexerType>::parseFunctionInfo):
77         (JSC::Parser<LexerType>::parseYieldExpression):
78         * parser/Parser.h:
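
An added example (not code from the WebKit ChangeLog or the JSC sources) that probes where `yield` is and is not accepted as a BindingIdentifier, which is the distinction the entry above restores in the tests. `parses()` is a helper written for this example: it feeds a source string to the `Function` constructor and reports whether the engine raises a SyntaxError at parse time, so it can be run against any engine to see the same boundary the entry describes (sloppy non-generator code accepts `yield` as a plain identifier; strict code, generator bodies and arrow formals inside generators do not).

```javascript
// Returns true when `source` parses as a sloppy-mode function body,
// false when the engine rejects it with a SyntaxError. Other errors propagate.
function parses(source) {
  try {
    new Function(source);   // parse only; the body is never executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Each case is a constructed snippet; the comment gives the expected answer.
function yieldBindingCases() {
  return {
    // Outside generators and strict code, `yield` is an ordinary identifier.
    sloppyVar: parses('var yield = 1;'),                                 // true
    sloppyArrowParam: parses('(yield) => 1;'),                           // true
    // Strict code reserves `yield` as a keyword.
    strictVar: parses('"use strict"; var yield = 1;'),                   // false
    // Inside a generator body `yield` is an expression, never a binding name.
    generatorVar: parses('function* g() { var yield = 1; }'),            // false
    // A YieldExpression cannot appear in arrow formal parameters.
    generatorArrowParam: parses('function* g() { (yield) => 1; }'),      // false
  };
}
```

Because `parses()` only asks the engine to parse, the snippets never run; that makes it safe to use as a quick conformance probe in a test suite for any construct whose legality depends on the surrounding context.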
79
80 2016-08-03  Filip Pizlo  <fpizlo@apple.com>
81
82         REGRESSION(r203368): broke some test262 tests
83         https://bugs.webkit.org/show_bug.cgi?id=160479
84
85         Reviewed by Mark Lam.
86         
87         The optimization in r203368 overlooked a subtle detail: freezing should not set ReadOnly on
88         Accessor properties.
89
90         * runtime/Structure.cpp:
91         (JSC::Structure::nonPropertyTransition):
92         * runtime/StructureTransitionTable.h:
93         (JSC::setsDontDeleteOnAllProperties):
94         (JSC::setsReadOnlyOnNonAccessorProperties):
95         (JSC::setsReadOnlyOnAllProperties): Deleted.
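
An added example, written for this page rather than taken from the ChangeLog or JSC, showing the observable rule the entry above is about: `Object.freeze` makes data properties non-writable and non-configurable, but an accessor property has no `writable` attribute at all, so after freezing its setter still runs. `freezeAndInspect()` and its `backing` variable are constructed for this example. `Reflect.set` is used instead of plain assignment so the outcome is the same whether the surrounding code is strict or sloppy.

```javascript
// Freeze an object that has one data property and one accessor property,
// then report what the descriptors look like and whether writes still land.
function freezeAndInspect() {
  let backing = 1;   // storage behind the accessor (constructed for this example)
  const obj = {
    data: 1,
    get acc() { return backing; },
    set acc(v) { backing = v; },
  };
  Object.freeze(obj);

  const dataDesc = Object.getOwnPropertyDescriptor(obj, 'data');
  const accDesc = Object.getOwnPropertyDescriptor(obj, 'acc');

  // Reflect.set returns false for a rejected write instead of throwing in strict mode.
  const dataWriteOk = Reflect.set(obj, 'data', 99);   // false: data property is now read-only
  const accWriteOk = Reflect.set(obj, 'acc', 42);     // true: the setter is invoked as usual

  return {
    frozen: Object.isFrozen(obj),               // true
    dataWritable: dataDesc.writable,            // false
    dataConfigurable: dataDesc.configurable,    // false
    accHasWritable: 'writable' in accDesc,      // false: accessors carry get/set, not writable
    accConfigurable: accDesc.configurable,      // false: freezing still locks the accessor in place
    dataWriteOk,
    accWriteOk,
    dataValue: obj.data,                        // 1: the rejected write left it unchanged
    accValue: obj.acc,                          // 42: the setter updated the backing store
  };
}
```

The practical consequence for code that freezes objects as a tamper-resistance measure: freezing pins which getter and setter a property has, but it does not stop those functions from having side effects or from reading mutable state outside the object.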
96
97 2016-08-03  Csaba Osztrogonác  <ossy@webkit.org>
98
99         Lacking support on an arm-traditional disassembler.
100         https://bugs.webkit.org/show_bug.cgi?id=123717
101
102         Reviewed by Mark Lam.
103
104         * CMakeLists.txt:
105         * disassembler/ARMLLVMDisassembler.cpp: Added, based on pre r196729 LLVMDisassembler, but it is ARM traditional only now.
106         (JSC::tryToDisassemble):
107
108 2016-08-03  Saam Barati  <sbarati@apple.com>
109
110         Implement nested rest destructuring w.r.t the ES7 spec
111         https://bugs.webkit.org/show_bug.cgi?id=160423
112
113         Reviewed by Filip Pizlo.
114
115         The spec has updated the BindingRestElement grammar production to be:
116         BindingRestElement:
117            BindingIdentifier
118            BindingPattern.
119
120         It used to only allow BindingIdentifier in the grammar production.
121         I've updated our engine to account for this. The semantics are exactly
122         what you'd expect.  For example:
123         `let [a, ...[b, ...c]] = expr();`
124         means that we create an array for the first rest element `...[b, ...c]`
125         and then perform the binding of `[b, ...c]` to that array. And so on, 
126         applied recursively through the pattern.
127
128         * bytecompiler/NodesCodegen.cpp:
129         (JSC::RestParameterNode::collectBoundIdentifiers):
130         (JSC::RestParameterNode::toString):
131         (JSC::RestParameterNode::bindValue):
132         (JSC::RestParameterNode::emit):
133         * parser/ASTBuilder.h:
134         (JSC::ASTBuilder::createBindingLocation):
135         (JSC::ASTBuilder::createRestParameter):
136         (JSC::ASTBuilder::createAssignmentElement):
137         * parser/NodeConstructors.h:
138         (JSC::AssignmentElementNode::AssignmentElementNode):
139         (JSC::RestParameterNode::RestParameterNode):
140         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
141         * parser/Nodes.h:
142         (JSC::RestParameterNode::name): Deleted.
143         * parser/Parser.cpp:
144         (JSC::Parser<LexerType>::parseDestructuringPattern):
145         (JSC::Parser<LexerType>::parseFormalParameters):
146         * parser/SyntaxChecker.h:
147         (JSC::SyntaxChecker::operatorStackPop):
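
An added example (not part of the ChangeLog entry or the JSC test suite) that exercises the semantics the entry above describes for `let [a, ...[b, ...c]] = expr();`, and goes slightly beyond it: the rest element may also carry an object binding pattern, and the source may be any iterable, not only an array. `nestedRest()`, `nestedRestManual()` and `restLength()` are names chosen for this example; the manual version spells out the array-creation steps so the two can be compared on the same inputs.

```javascript
// Nested rest destructuring: `...[b, ...c]` first collects everything after `a`
// into a fresh array, then destructures that array with the inner pattern.
function nestedRest(iterable) {
  const [a, ...[b, ...c]] = iterable;
  return { a, b, c };
}

// The same semantics written out by hand, step by step.
function nestedRestManual(iterable) {
  const items = Array.from(iterable);   // drain the iterator, as array destructuring does
  const a = items[0];
  const restOuter = items.slice(1);     // the array created for `...[b, ...c]`
  const b = restOuter[0];
  const c = restOuter.slice(1);         // the array created for the inner `...c`
  return { a, b, c };
}

// A BindingRestElement may also hold an object pattern: here the rest array is
// only used to read its `length`.
function restLength(iterable) {
  const [first, ...{ length }] = iterable;
  return { first, length };
}

// Constructed inputs covering the normal case, short inputs and a non-array iterable.
function demo() {
  return {
    full: nestedRest([1, 2, 3, 4]),     // { a: 1, b: 2, c: [3, 4] }
    short: nestedRest([1]),             // { a: 1, b: undefined, c: [] }
    empty: nestedRest([]),              // { a: undefined, b: undefined, c: [] }
    fromString: nestedRest('xyz'),      // { a: 'x', b: 'y', c: ['z'] }
    length: restLength([1, 2, 3]),      // { first: 1, length: 2 }
  };
}
```

Note that the inner arrays always exist even when empty: a short input yields `c: []`, never `undefined`, because each rest element materialises its own array before the nested pattern is applied.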
148
149 2016-08-03  Benjamin Poulain  <benjamin@webkit.org>
150
151         [JSC] Fix Windows build after r204065
152
153         * dfg/DFGAbstractValue.cpp:
154         (JSC::DFG::AbstractValue::observeTransitions):
155         AbstractValue is bigger on Windows for an unknown reason.
156
157 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
158
159         [JSC] Fix 32bits jsc after r204065
160
161         Default constructed JSValue() are not equal to zero in 32bits.
162
163         * dfg/DFGAbstractValue.h:
164         (JSC::DFG::AbstractValue::AbstractValue):
165
166 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
167
168         [JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter
169         https://bugs.webkit.org/show_bug.cgi?id=160370
170
171         Reviewed by Saam Barati.
172
173         We use a ton of AbstractValue to run the Abstract Interpreter.
174
175         When we set up the initial values, the compiler sets
176         a zero on a first word, a one on a second word, and a zero
177         again on a third word.
178         Since no vector or double-store can deal with 3 words, unrolling
179         is done by repeating those instructions.
180
181         The reason for the one was TinyPtrSet. It needed a flag for
182         empty value to identify the set as thin. I flipped the flag to "fat"
183         to make sure TinyPtrSet is initialized to zero.
184
185         With that done, I just had to clean some places to make
186         the initialization shorter.
187         It makes the binary easier to follow but this does not help with
188         the bigger problem: the time spent per block on Abstract Interpreter.
189
190         * bytecode/Operands.h:
191         The traits were useless, no client code defines it.
192
193         (JSC::Operands::Operands):
194         (JSC::Operands::ensureLocals):
195         Because of the size of the function, llvm is not inlining it.
196         We were literally loading 3 registers from memory and storing
197         them in the vector.
198         Now that AbstractValue has a VectorTraits, we should just rely
199         on the memset of Vector when possible.
200
201         (JSC::Operands::getLocal):
202         (JSC::Operands::setArgumentFirstTime):
203         (JSC::Operands::setLocalFirstTime):
204         (JSC::Operands::clear):
205         (JSC::OperandValueTraits::defaultValue): Deleted.
206         (JSC::OperandValueTraits::isEmptyForDump): Deleted.
207         * bytecode/OperandsInlines.h:
208         (JSC::Operands<T>::dumpInContext):
209         (JSC::Operands<T>::dump):
210         (JSC::Traits>::dumpInContext): Deleted.
211         (JSC::Traits>::dump): Deleted.
212         * dfg/DFGAbstractValue.cpp:
213         * dfg/DFGAbstractValue.h:
214         (JSC::DFG::AbstractValue::AbstractValue):
215
216 2016-08-02  Saam Barati  <sbarati@apple.com>
217
218         update a class extending null w.r.t the ES7 spec
219         https://bugs.webkit.org/show_bug.cgi?id=160417
220
221         Reviewed by Keith Miller.
222
223         When a class extends null, it should not be marked as a derived class.
224         This was changed in the ES2016 spec, and this patch makes the needed
225         changes in JSC to follow the spec. This allows classes to extend
226         null and have their default constructor invoked without throwing an exception.
227         This also prevents |this| from being under TDZ at the start of the constructor.
228         Because ES6 allows arbitrary expressions in the `class <ident> extends <expr>`
229         syntax, we don't know statically if a constructor is extending null or not.
230         Therefore, we don't always know statically if it's a base or derived constructor.
231         I solved this by putting a boolean on the constructor function under a private
232         symbol named isDerivedConstructor when doing class construction. We only need
233         to put this boolean on constructors that may extend null. Constructors that are
234         declared in a class with no extends syntax can tell statically that they are a base constructor.
235
236         I've also renamed the ConstructorKind::Derived enum value to be
237         ConstructorKind::Extends to better indicate that we can't answer
238         the "am I a derived constructor?" question statically.
239
240         * builtins/BuiltinExecutables.cpp:
241         (JSC::BuiltinExecutables::createDefaultConstructor):
242         * builtins/BuiltinNames.h:
243         * bytecompiler/BytecodeGenerator.cpp:
244         (JSC::BytecodeGenerator::BytecodeGenerator):
245         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
246         (JSC::BytecodeGenerator::emitReturn):
247         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
248         (JSC::BytecodeGenerator::ensureThis):
249         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
250         * bytecompiler/BytecodeGenerator.h:
251         (JSC::BytecodeGenerator::makeFunction):
252         * bytecompiler/NodesCodegen.cpp:
253         (JSC::EvalFunctionCallNode::emitBytecode):
254         (JSC::FunctionCallValueNode::emitBytecode):
255         (JSC::FunctionNode::emitBytecode):
256         (JSC::ClassExprNode::emitBytecode):
257         * parser/Parser.cpp:
258         (JSC::Parser<LexerType>::Parser):
259         (JSC::Parser<LexerType>::parseFunctionInfo):
260         (JSC::Parser<LexerType>::parseClass):
261         (JSC::Parser<LexerType>::parseMemberExpression):
262         * parser/ParserModes.h:
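
An added example, not taken from the ChangeLog entry or from JSC, illustrating the point that `class ... extends <expr>` is only resolved at run time, so one class body may end up with a null parent or a real one. `makeClass()` and `describe()` are names chosen for this example. The default-constructor behaviour for `extends null` is exactly what the entry above changes and it differs between spec revisions and engines, so the example does not depend on it: when the parent is null the explicit constructor returns an object built from `new.target.prototype` instead of calling `super()`, which every engine accepts.

```javascript
// One class body whose parent is decided by the argument at run time.
function makeClass(base) {
  return class extends base {
    constructor(tag) {
      if (base === null) {
        // No parent constructor exists; build the instance directly on our prototype.
        // Returning an object from a derived constructor is always permitted.
        return Object.assign(Object.create(new.target.prototype), { tag });
      }
      super();
      this.tag = tag;
    }
  };
}

// Report the prototype shape the class and an instance end up with.
function describe(base) {
  const Cls = makeClass(base);
  const inst = new Cls('t');
  return {
    protoParent: Object.getPrototypeOf(Cls.prototype),      // null, or base.prototype
    ctorParent: Object.getPrototypeOf(Cls),                 // Function.prototype, or base
    instanceOfCls: inst instanceof Cls,                     // true in both cases
    inheritsObject: Object.prototype.isPrototypeOf(inst),   // false for the null parent
    tag: inst.tag,
  };
}
```

Running `describe(null)` and `describe(Array)` side by side shows why the constructor's own kind cannot be a compile-time property of its source text: identical code produces an object with no `Object.prototype` in its chain in one case and a genuine `Array` subclass instance in the other.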
263
264 2016-08-02  Enrica Casucci  <enrica@apple.com>
265
266         Allow building with content filtering disabled.
267         https://bugs.webkit.org/show_bug.cgi?id=160454
268
269         Reviewed by Simon Fraser.
270
271         * Configurations/FeatureDefines.xcconfig:
272
273 2016-08-02  Csaba Osztrogonác  <ossy@webkit.org>
274
275         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
276         https://bugs.webkit.org/show_bug.cgi?id=159759
277
278         Reviewed by Saam Barati.
279
280         * jit/JITMathIC.h:
281         (JSC::JITMathIC::generateInline):
282
283 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
284
285         REGRESSION (r203990): JSC Debug test stress/arity-check-ftl-throw.js failing
286         https://bugs.webkit.org/show_bug.cgi?id=160438
287
288         Reviewed by Mark Lam.
289         
290         In r203990 I fixed a bug where CommonSlowPaths.h/arityCheckFor() was basically failing at
291         catching stack overflow due to large parameter count. It would only catch regular old stack
292         overflow, like if the frame pointer was already past the limit.
293         
294         This had a secondary problem: unfortunately all of our tests for what happens when you overflow
295         the stack due to large parameter count were not going down that path at all, so we haven't had
296         test coverage for this in ages.  There were bugs in all tiers of the engine when handling this
297         case.
298
299         We need to be able to roll back the topCallFrame on paths that are meant to throw an exception
300         from the caller. Otherwise, we'd crash in StackVisitor because it would see a busted stack
301         frame. Rolling back like this "just works" except when the caller is the VM entry frame. I had
302         some choices here. I could have forced anyone who is rolling back to always skip VM entry
303         frames. They can't do it in a way that changes the value of VM::topVMEntryFrame, which is what
304         a stack frame roll back normally does, since exception unwinding needs to see the current value
305         of topVMEntryFrame. So, we have a choice to either try to magically avoid all of the paths that
306         look at topCallFrame, or give topCallFrame a state that unambiguously signals that we are
307         sitting right on top of a VM entry frame without having succeeded at making a JS call. The only
308         place that really needs to know is StackVisitor, which wants to start scanning at topCallFrame.
309         To signal this, I could have either made topCallFrame point to the real top JS call frame
310         without also rolling back topVMEntryFrame, or I could make topCallFrame == topVMEntryFrame. The
311         latter felt somehow cleaner. I filed a bug (https://bugs.webkit.org/show_bug.cgi?id=160441) for
312         converting topCallFrame to a void*, which would give us a chance to harden the rest of the
313         engine against this case.
314         
315         * interpreter/StackVisitor.cpp:
316         (JSC::StackVisitor::StackVisitor):
317         We may do ShadowChicken processing, which invokes StackVisitor, when we have topCallFrame
318         pointing at topVMEntryFrame. This teaches StackVisitor how to handle this case. I believe that
319         StackVisitor is the only place that needs to be taught about this at this time, because it's
320         one of the few things that access topCallFrame along this special path.
321         
322         * jit/JITOperations.cpp: Roll back the top call frame.
323         * runtime/CommonSlowPaths.cpp:
324         (JSC::SLOW_PATH_DECL): Roll back the top call frame.
325
326 2016-08-01  Benjamin Poulain  <bpoulain@apple.com>
327
328         [JSC][ARM64] Fix branchTest32/64 taking an immediate as mask
329         https://bugs.webkit.org/show_bug.cgi?id=160439
330
331         Reviewed by Filip Pizlo.
332
333         * assembler/MacroAssemblerARM64.h:
334         (JSC::MacroAssemblerARM64::branchTest64):
335         * b3/air/AirOpcode.opcodes:
336         Fix the ARM64 codegen to lower BitImm64 without using a scratch register.
337
338 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
339
340         [B3] Fusing immediates into test instructions should work again
341         https://bugs.webkit.org/show_bug.cgi?id=160073
342
343         Reviewed by Sam Weinig.
344
345         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
346         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
347         was still using Imm!  This meant that isValidForm() always returned false.
348         
349         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
350         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
351         with the scratch register).
352         
353         This is not an obvious progression on anything, so I added comprehensive tests to
354         testb3, which check that we selected the optimal instruction in a variety of situations.
355         We should add more tests like this!
356
357         Rolling this back in after fixing ARM64. The bug was that branchTest32|64 on ARM64 doesn't
358         actually support BitImm or BitImm64, at least not yet. Disabling that in AirOpcodes makes
359         this patch not a regression on ARM64. That change was reviewed by Benjamin Poulain.
360
361         * b3/B3BasicBlock.h:
362         (JSC::B3::BasicBlock::successorBlock):
363         * b3/B3LowerToAir.cpp:
364         (JSC::B3::Air::LowerToAir::createGenericCompare):
365         * b3/B3LowerToAir.h:
366         * b3/air/AirArg.cpp:
367         (JSC::B3::Air::Arg::isRepresentableAs):
368         (JSC::B3::Air::Arg::usesTmp):
369         * b3/air/AirArg.h:
370         (JSC::B3::Air::Arg::isRepresentableAs):
371         (JSC::B3::Air::Arg::castToType):
372         (JSC::B3::Air::Arg::asNumber):
373         * b3/air/AirCode.h:
374         (JSC::B3::Air::Code::size):
375         (JSC::B3::Air::Code::at):
376         * b3/air/AirOpcode.opcodes:
377         * b3/air/AirValidate.h:
378         * b3/air/opcode_generator.rb:
379         * b3/testb3.cpp:
380         (JSC::B3::compile):
381         (JSC::B3::compileAndRun):
382         (JSC::B3::lowerToAirForTesting):
383         (JSC::B3::testSomeEarlyRegister):
384         (JSC::B3::testBranchBitAndImmFusion):
385         (JSC::B3::zero):
386         (JSC::B3::run):
387
388 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
389
390         Rationalize varargs stack overflow checks
391         https://bugs.webkit.org/show_bug.cgi?id=160425
392
393         Reviewed by Michael Saboff.
394
395         * ftl/FTLLink.cpp:
396         (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
397         * runtime/CommonSlowPaths.h:
398         (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.
399
400 2016-08-01  Saam Barati  <sbarati@apple.com>
401
402         Sub should be a Math IC
403         https://bugs.webkit.org/show_bug.cgi?id=160270
404
405         Reviewed by Mark Lam.
406
407         This makes Sub an IC like Mul and Add. I'm seeing the following
408         improvements of average Sub size on Unity and JetStream:
409
410                  |  JetStream  |  Unity 3D  |
411             -----|-------------|------------|
412              Old |  202 bytes  |  205 bytes |
413             -----|-------------|------------|
414              New |  134 bytes  |  134 bytes |
415             -----|-------------|------------|
416
417         * bytecode/CodeBlock.cpp:
418         (JSC::CodeBlock::addJITMulIC):
419         (JSC::CodeBlock::addJITSubIC):
420         (JSC::CodeBlock::findStubInfo):
421         (JSC::CodeBlock::dumpMathICStats):
422         * bytecode/CodeBlock.h:
423         (JSC::CodeBlock::stubInfoBegin):
424         (JSC::CodeBlock::stubInfoEnd):
425         * dfg/DFGSpeculativeJIT.cpp:
426         (JSC::DFG::SpeculativeJIT::compileArithSub):
427         * ftl/FTLLowerDFGToB3.cpp:
428         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
429         * jit/JITArithmetic.cpp:
430         (JSC::JIT::emit_op_sub):
431         (JSC::JIT::emitSlow_op_sub):
432         (JSC::JIT::emit_op_pow):
433         * jit/JITMathIC.h:
434         * jit/JITMathICForwards.h:
435         * jit/JITOperations.cpp:
436         * jit/JITOperations.h:
437         * jit/JITSubGenerator.cpp:
438         (JSC::JITSubGenerator::generateInline):
439         (JSC::JITSubGenerator::generateFastPath):
440         * jit/JITSubGenerator.h:
441         (JSC::JITSubGenerator::JITSubGenerator):
442         (JSC::JITSubGenerator::isLeftOperandValidConstant):
443         (JSC::JITSubGenerator::isRightOperandValidConstant):
444         (JSC::JITSubGenerator::arithProfile):
445         (JSC::JITSubGenerator::didEmitFastPath): Deleted.
446         (JSC::JITSubGenerator::endJumpList): Deleted.
447         (JSC::JITSubGenerator::slowPathJumpList): Deleted.
448
449 2016-08-01  Keith Miller  <keith_miller@apple.com>
450
451         We should not keep the JavaScript tests inside the Source/JavaScriptCore/ directory.
452         https://bugs.webkit.org/show_bug.cgi?id=160372
453
454         Rubber stamped by Geoffrey Garen.
455
456         This patch moves all the JavaScript tests from Source/JavaScriptCore/tests to
457         a new top level directory, JSTests. Having the tests in the Source directory
458         was both confusing and inconvenient for people that just want to checkout the
459         source code of WebKit. Since there is no other obvious place to put all the
460         JavaScript tests a new top level directory seemed the most sensible.
461
462         * tests/: Deleted.
463
464 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
465
466         [JSC] Should check Test262Error correctly
467         https://bugs.webkit.org/show_bug.cgi?id=159862
468
469         Reviewed by Saam Barati.
470
471         Test262Error in the harness does not have "name" property.
472         Rather than checking "name" property, performing `instanceof` is better to check the class of the exception.
473
474         * jsc.cpp:
475         (checkUncaughtException):
476         * runtime/JSObject.h:
477         * tests/test262.yaml:
478
479 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
480
481         [ES6] Module binding can be exported by multiple names
482         https://bugs.webkit.org/show_bug.cgi?id=160343
483
484         Reviewed by Saam Barati.
485
486         ES6 Module can export the same local binding by using multiple names.
487         For example,
488
489             ```
490             var value = 42;
491
492             export { value };
493             export { value as value2 };
494             ```
495
496         Currently, we only allowed one local binding to be exported with one name. So, in the above case,
497         the local binding "value" is exported as "value2" and "value" name is not exported. This is wrong.
498
499         To fix this issue, we collect the correspondence (local name => exported name) to the local bindings
500         in the parser. Previously, we only maintained the exported local bindings in the parser. And utilize
501         this information when creating the export entries in ModuleAnalyzer.
502
503         And this patch also moves ModuleScopeData from the Scope object to the Parser class since exported
504         names should be managed per-module, not per-scope.
505
506         This change fixes several test262 failures.
507
508         * JavaScriptCore.xcodeproj/project.pbxproj:
509         * parser/ModuleAnalyzer.cpp:
510         (JSC::ModuleAnalyzer::exportVariable):
511         (JSC::ModuleAnalyzer::analyze):
512         (JSC::ModuleAnalyzer::exportedBinding): Deleted.
513         (JSC::ModuleAnalyzer::declareExportAlias): Deleted.
514         * parser/ModuleAnalyzer.h:
515         * parser/ModuleScopeData.h: Copied from Source/JavaScriptCore/parser/ModuleAnalyzer.h.
516         (JSC::ModuleScopeData::create):
517         (JSC::ModuleScopeData::exportedBindings):
518         (JSC::ModuleScopeData::exportName):
519         (JSC::ModuleScopeData::exportBinding):
520         * parser/Nodes.cpp:
521         (JSC::ProgramNode::ProgramNode):
522         (JSC::ModuleProgramNode::ModuleProgramNode):
523         (JSC::EvalNode::EvalNode):
524         (JSC::FunctionNode::FunctionNode):
525         * parser/Nodes.h:
526         (JSC::ModuleProgramNode::moduleScopeData):
527         * parser/NodesAnalyzeModule.cpp:
528         (JSC::ExportDefaultDeclarationNode::analyzeModule):
529         (JSC::ExportNamedDeclarationNode::analyzeModule): Deleted.
530         * parser/Parser.cpp:
531         (JSC::Parser<LexerType>::Parser):
532         (JSC::Parser<LexerType>::parseModuleSourceElements):
533         (JSC::Parser<LexerType>::parseVariableDeclarationList):
534         (JSC::Parser<LexerType>::createBindingPattern):
535         (JSC::Parser<LexerType>::parseFunctionDeclaration):
536         (JSC::Parser<LexerType>::parseClassDeclaration):
537         (JSC::Parser<LexerType>::parseExportSpecifier):
538         (JSC::Parser<LexerType>::parseExportDeclaration):
539         * parser/Parser.h:
540         (JSC::Parser::exportName):
541         (JSC::Parser<LexerType>::parse):
542         (JSC::ModuleScopeData::create): Deleted.
543         (JSC::ModuleScopeData::exportedBindings): Deleted.
544         (JSC::ModuleScopeData::exportName): Deleted.
545         (JSC::ModuleScopeData::exportBinding): Deleted.
546         (JSC::Scope::Scope): Deleted.
547         (JSC::Scope::setSourceParseMode): Deleted.
548         (JSC::Scope::moduleScopeData): Deleted.
549         (JSC::Scope::setIsModule): Deleted.
550         * tests/modules/aliased-names.js: Added.
551         * tests/modules/aliased-names/main.js: Added.
552         (change):
553         * tests/stress/modules-syntax-error-with-names.js:
554         (export.Cocoa):
555         (SyntaxError.Cannot.export.a.duplicate.name):
556         * tests/test262.yaml:
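
An added example (not JSC's parser or ModuleAnalyzer, and not code from the ChangeLog) that models the bookkeeping change the entry above describes. It contrasts a map holding one exported name per local binding, which loses `value` when `value as value2` is seen, with a map from each local binding to the full set of its exported names. The specifier parser is a small regex written for this example and only understands `export { a, b as c }` clauses; `SAMPLE_MODULE` is a constructed input that also contains the entry's own two-export case. Duplicate exported names are rejected with a SyntaxError, matching the "Cannot export a duplicate name" check named in the test list.

```javascript
// Constructed module text: `value` is exported under three names, `other` under one.
const SAMPLE_MODULE = `
var value = 42;
var other = 1;
export { value };
export { value as value2 };
export { value as value3, other };
`;

// Turns every `export { ... }` clause into [localName, exportedName] pairs.
function parseExportSpecifiers(source) {
  const pairs = [];
  const clause = /export\s*\{([^}]*)\}/g;
  let m;
  while ((m = clause.exec(source)) !== null) {
    for (const spec of m[1].split(',')) {
      const parts = spec.trim().split(/\s+as\s+/);
      if (parts[0] === '') continue;                 // trailing comma or empty clause
      pairs.push([parts[0], parts[1] || parts[0]]);  // `a` alone exports as `a`
    }
  }
  return pairs;
}

// One exported name per local binding: a later alias silently replaces an earlier one.
function exportedNamesOldWay(source) {
  const exportNameOf = new Map();
  for (const [local, exported] of parseExportSpecifiers(source)) {
    exportNameOf.set(local, exported);
  }
  return [...exportNameOf.values()].sort();
}

// Every exported name for each local binding, with duplicates rejected per module.
function exportedNamesFixed(source) {
  const exportNamesOf = new Map();   // local name -> Set of exported names
  const seen = new Set();            // module-wide exported names
  for (const [local, exported] of parseExportSpecifiers(source)) {
    if (seen.has(exported)) {
      throw new SyntaxError(`Cannot export a duplicate name '${exported}'.`);
    }
    seen.add(exported);
    if (!exportNamesOf.has(local)) exportNamesOf.set(local, new Set());
    exportNamesOf.get(local).add(exported);
  }
  return { byLocal: exportNamesOf, exported: [...seen].sort() };
}
```

On `SAMPLE_MODULE` the old bookkeeping reports only `other` and `value3` as exported names, while the fixed version reports `other`, `value`, `value2` and `value3` and records that all three of the latter refer to the single local binding `value`.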
557
558 2016-07-30  Mark Lam  <mark.lam@apple.com>
559
560         Assertion failure while setting the length of an ArrayClass array.
561         https://bugs.webkit.org/show_bug.cgi?id=160381
562         <rdar://problem/27328703>
563
564         Reviewed by Filip Pizlo.
565
566         When setting large length values, we're currently treating ArrayClass as a
567         ContiguousIndexingType array.  This results in an assertion failure.  This is
568         now fixed.
569
570         There are currently only 2 places where we create arrays with indexing type
571         ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray::setLength()
572         takes care of ArrayPrototype.
573
574         RuntimeArray already checks for the setting of its length property, and will
575         throw a RangeError.  Hence, no change is needed for the RuntimeArray.
576         Instead, I added some test cases to ensure that the check and throw behavior does
577         not change without notice.
578
579         * runtime/JSArray.cpp:
580         (JSC::JSArray::setLength):
581         * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
582         (toString):
583         (assertEqual):
584         * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
585         (toString):
586         (assertEqual):
587
588 2016-07-29  Keith Miller  <keith_miller@apple.com>
589
590         TypedArray super constructor has some incompatibilities
591         https://bugs.webkit.org/show_bug.cgi?id=160369
592
593         Reviewed by Filip Pizlo.
594
595         This patch fixes the length property of the TypedArray super constructor.
596         Additionally, the TypedArray super constructor should no longer be callable.
597
598         Also, this patch fixes the expected result of some test262 tests.
599
600         * runtime/JSTypedArrayViewConstructor.cpp:
601         (JSC::JSTypedArrayViewConstructor::finishCreation):
602         (JSC::constructTypedArrayView):
603         (JSC::JSTypedArrayViewConstructor::getCallData):
604         * tests/test262.yaml:
605
606 2016-07-29  Jonathan Bedard  <jbedard@apple.com>
607
608         Undefined Behavior in JSValue cast from NaN
609         https://bugs.webkit.org/show_bug.cgi?id=160322
610
611         Reviewed by Mark Lam.
612
613         JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.
614
615         In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
616         to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
617         double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
618         should immediately call the explicit double constructor both for efficiency and to prevent inadvertent
619         suppressing of any other bugs which may be instantiating a JSValue with a NaN double.
620
621         * runtime/JSCJSValueInlines.h:
622         (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.
623
624 2016-07-29  Michael Saboff  <msaboff@apple.com>
625
626         Refactor DFG::Node::hasLocal() to accessesStack()
627         https://bugs.webkit.org/show_bug.cgi?id=160357
628
629         Reviewed by Filip Pizlo.
630
631         Refactoring in preparation for using register arguments for JavaScript calls.
632
633         Renamed Node::hasLocal() to Node::accessesStack() and changed all uses accordingly.
634         Also changed uses of Node::hasVariableAccessData() to accessesStack() where that
635         use guards stack operation logic associated with the Node's VariableAccessData.
636
637         The hasVariableAccessData() check now implies no more than the node has a
638         VariableAccessData and nothing about its use of that data to coordinate stack   
639         accesses.
640
641         * dfg/DFGGraph.cpp:
642         (JSC::DFG::Graph::dump):
643         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
644         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
645         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
646         * dfg/DFGMaximalFlushInsertionPhase.cpp:
647         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
648         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
649         * dfg/DFGNode.h:
650         (JSC::DFG::Node::containsMovHint):
651         (JSC::DFG::Node::accessesStack):
652         (JSC::DFG::Node::hasLocal): Deleted.
653         * dfg/DFGPredictionInjectionPhase.cpp:
654         (JSC::DFG::PredictionInjectionPhase::run):
655         * dfg/DFGValidate.cpp:
656
657 2016-07-29  Benjamin Poulain  <benjamin@webkit.org>
658
659         [JSC] Use the same data structures for DFG and Air Liveness Analysis
660         https://bugs.webkit.org/show_bug.cgi?id=160346
661
662         Reviewed by Geoffrey Garen.
663
664         In Air, we minimized memory accesses during liveness analysis
665         with a couple of tricks:
666         -Use a single Sparse Set ADT for the live value of each block.
667         -Manipulate compact positive indices instead of hashing values.
668
669         This patch brings the same ideas to DFG.
670
671         This patch still uses the same fixpoint algorithms.
672         The reason is Edge's KillStatus used by other phases. We cannot
673         use a block-boundary liveness algorithm and update KillStatus
674         simultaneously. It's something I'll probably revisit at some point.
675
676         * dfg/DFGAbstractInterpreterInlines.h:
677         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
678         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
679         * dfg/DFGBasicBlock.h:
680         * dfg/DFGGraph.h:
681         (JSC::DFG::Graph::maxNodeCount):
682         (JSC::DFG::Graph::nodeAt):
683         * dfg/DFGInPlaceAbstractState.cpp:
684         (JSC::DFG::setLiveValues):
685         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
686         * dfg/DFGLivenessAnalysisPhase.cpp:
687         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
688         (JSC::DFG::LivenessAnalysisPhase::run):
689         (JSC::DFG::LivenessAnalysisPhase::processBlock):
690         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
691         (JSC::DFG::LivenessAnalysisPhase::process): Deleted.
692
693 2016-07-29  Yusuke Suzuki  <utatane.tea@gmail.com>
694
695         Unreviewed, ByValInfo is only used in JIT enabled environments
696         https://bugs.webkit.org/show_bug.cgi?id=158908
697
698         * bytecode/CodeBlock.cpp:
699         (JSC::CodeBlock::stronglyVisitStrongReferences):
700
701 2016-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
702
703         JSC::Symbol should be hash-consed
704         https://bugs.webkit.org/show_bug.cgi?id=158908
705
706         Reviewed by Filip Pizlo.
707
708         Previously, SymbolImpls held by symbols represent identity of symbols.
709         When we check the equality between symbols, we need to load SymbolImpls of symbols and compare them.
710
711         This patch performs hash-consing onto the symbols. We cache symbols in per-VM's SymbolImpl-keyed WeakGCMap.
712         When creating a new symbol from SymbolImpl, we first query to this map and reuse the previously created symbol
713         if it is found. This ensures a one-to-one correspondence between SymbolImpl and symbol. So now, we can use
714         pointer-comparison to query the equality of symbols.
715
716         This change drops SymbolImpl loads when checking the equality. Furthermore, we can use DFG CheckCell to symbol
717         when we would like to ensure that the given value is the expected symbol. This cleans up GetByVal's symbol-keyed
718         caching. Then, we changed CheckIdent to CheckStringIdent since it only checks the string case now. The symbol
719         case is handled by CheckCell.
720
721         Additionally, this patch also cleans up Map / Set implementation since we can use the logic for JSCell to symbols.
722
723         The performance effects in the related benchmarks are the following.
724
725                                                                baseline                   patch
726
727             bigswitch-indirect-symbol-or-undefined         85.6214+-1.0063     ^     63.0522+-0.8615        ^ definitely 1.3579x faster
728             bigswitch-indirect-symbol                      84.9653+-0.6258     ^     80.4900+-0.8008        ^ definitely 1.0556x faster
729             fold-put-by-val-with-symbol-to-multi-put-by-offset
730                                                             9.4396+-0.3726            9.2941+-0.3311          might be 1.0157x faster
731             inlined-put-by-val-with-symbol-transition
732                                                            49.5477+-0.2401     ?     49.7533+-0.3369        ?
733             get-by-val-with-symbol-self-or-proto           11.9740+-0.0798     ?     12.1706+-0.2723        ? might be 1.0164x slower
734             get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
735                                                             4.1364+-0.0841            4.0872+-0.0925          might be 1.0120x faster
736             put-by-val-with-symbol                         11.3709+-0.0223           11.3613+-0.0264
737             get-by-val-with-symbol-proto-or-self           11.8984+-0.0706     ?     11.9030+-0.0787        ?
738             polymorphic-put-by-val-with-symbol             31.4176+-0.0558           31.3825+-0.0447
739             implicit-bigswitch-indirect-symbol             61.3115+-0.6577     ^     58.0098+-0.1212        ^ definitely 1.0569x faster
740             get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
741                                                             3.3139+-0.0565     ^      2.9947+-0.0732        ^ definitely 1.1066x faster
742             get-by-val-with-symbol-chain-from-try-block
743                                                             2.2316+-0.0179            2.2137+-0.0210
744             get-by-val-with-symbol-bimorphic-check-structure-elimination
745                                                            10.6031+-0.2216     ^     10.0939+-0.1977        ^ definitely 1.0504x faster
746             get-by-val-with-symbol-check-structure-elimination
747                                                             8.5576+-0.1521     ^      7.7107+-0.1308        ^ definitely 1.1098x faster
748             put-by-val-with-symbol-slightly-polymorphic
749                                                             3.1957+-0.0538     ^      2.9181+-0.0708        ^ definitely 1.0951x faster
750             put-by-val-with-symbol-replace-and-transition
751                                                            11.8253+-0.0757     ^     11.6590+-0.0351        ^ definitely 1.0143x faster
752
753             <geometric>                                    13.3911+-0.0527     ^     12.7376+-0.0457        ^ definitely 1.0513x faster
754
755         * bytecode/ByValInfo.h:
756         * bytecode/CodeBlock.cpp:
757         (JSC::CodeBlock::stronglyVisitStrongReferences):
758         * dfg/DFGAbstractInterpreterInlines.h:
759         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
760         * dfg/DFGByteCodeParser.cpp:
761         (JSC::DFG::ByteCodeParser::parseBlock):
762         * dfg/DFGClobberize.h:
763         (JSC::DFG::clobberize):
764         * dfg/DFGConstantFoldingPhase.cpp:
765         (JSC::DFG::ConstantFoldingPhase::foldConstants):
766         * dfg/DFGDoesGC.cpp:
767         (JSC::DFG::doesGC):
768         * dfg/DFGFixupPhase.cpp:
769         (JSC::DFG::FixupPhase::fixupNode):
770         * dfg/DFGNode.h:
771         (JSC::DFG::Node::hasUidOperand):
772         * dfg/DFGNodeType.h:
773         * dfg/DFGPredictionPropagationPhase.cpp:
774         * dfg/DFGSafeToExecute.h:
775         (JSC::DFG::safeToExecute):
776         * dfg/DFGSpeculativeJIT.cpp:
777         (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
778         (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
779         (JSC::DFG::SpeculativeJIT::compileCheckStringIdent):
780         (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols): Deleted.
781         (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
782         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
783         * dfg/DFGSpeculativeJIT.h:
784         * dfg/DFGSpeculativeJIT32_64.cpp:
785         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
786         (JSC::DFG::SpeculativeJIT::compile):
787         * dfg/DFGSpeculativeJIT64.cpp:
788         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
789         (JSC::DFG::SpeculativeJIT::compile):
790         * ftl/FTLAbstractHeapRepository.h:
791         * ftl/FTLCapabilities.cpp:
792         (JSC::FTL::canCompile):
793         * ftl/FTLLowerDFGToB3.cpp:
794         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
795         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
796         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
797         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): Deleted.
798         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID): Deleted.
799         * jit/JIT.h:
800         * jit/JITOperations.cpp:
801         (JSC::tryGetByValOptimize):
802         * jit/JITPropertyAccess.cpp:
803         (JSC::JIT::emitGetByValWithCachedId):
804         (JSC::JIT::emitPutByValWithCachedId):
805         (JSC::JIT::emitByValIdentifierCheck):
806         (JSC::JIT::privateCompileGetByValWithCachedId):
807         (JSC::JIT::privateCompilePutByValWithCachedId):
808         (JSC::JIT::emitIdentifierCheck): Deleted.
809         * jit/JITPropertyAccess32_64.cpp:
810         (JSC::JIT::emitGetByValWithCachedId):
811         (JSC::JIT::emitPutByValWithCachedId):
812         * runtime/JSCJSValue.cpp:
813         (JSC::JSValue::dumpInContextAssumingStructure):
814         * runtime/JSCJSValueInlines.h:
815         (JSC::JSValue::equalSlowCaseInline):
816         (JSC::JSValue::strictEqualSlowCaseInline): Deleted.
817         * runtime/JSFunction.cpp:
818         (JSC::JSFunction::setFunctionName):
819         * runtime/MapData.h:
820         * runtime/MapDataInlines.h:
821         (JSC::JSIterator>::clear): Deleted.
822         (JSC::JSIterator>::find): Deleted.
823         (JSC::JSIterator>::add): Deleted.
824         (JSC::JSIterator>::remove): Deleted.
825         (JSC::JSIterator>::replaceAndPackBackingStore): Deleted.
826         * runtime/Symbol.cpp:
827         (JSC::Symbol::finishCreation):
828         (JSC::Symbol::create):
829         * runtime/Symbol.h:
830         * runtime/VM.cpp:
831         (JSC::VM::VM):
832         * runtime/VM.h:
833         * tests/stress/symbol-equality-over-gc.js: Added.
834         (shouldBe):
835         (test):
836
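The hash-consing idea this entry describes, as an added illustration written for this page rather than code from JavaScriptCore: an interning table in which every distinct key maps to exactly one canonical object, so two "symbols" with the same key can be compared by identity instead of by loading and comparing the key, and which holds its objects weakly so unused ones can still be collected (the role the entry gives to WeakGCMap). The class and function names are hypothetical.

```javascript
// Added illustration, not JavaScriptCore code: a hash-consing (interning)
// table of the kind the entry describes. Every distinct key maps to exactly
// one canonical object, so two "symbols" with the same key can be compared by
// identity (===) without loading and comparing the key itself. The table holds
// its objects through WeakRef, so a canonical object nothing else references
// can still be garbage collected (the role WeakGCMap plays in the entry).
// Class and method names here are hypothetical.
class Interner {
  constructor() {
    this.table = new Map(); // key -> WeakRef to the canonical object
    this.registry = new FinalizationRegistry((key) => {
      // Remove the slot only if it still points at the collected object;
      // a newer object may have been interned under the same key meanwhile.
      const ref = this.table.get(key);
      if (ref !== undefined && ref.deref() === undefined) this.table.delete(key);
    });
  }

  // Return the canonical object for `key`, building it with `makeObject`
  // the first time the key is seen.
  intern(key, makeObject) {
    const existing = this.table.get(key)?.deref();
    if (existing !== undefined) return existing;
    const obj = makeObject(key);
    this.table.set(key, new WeakRef(obj));
    this.registry.register(obj, key);
    return obj;
  }

  // Number of keys currently interned (collected entries may linger until
  // the finalizer runs).
  size() {
    return this.table.size;
  }
}

// Two independently requested "symbols" with the same description are the
// same object once interned, so identity comparison is sound; a different
// description yields a different object.
function demo() {
  const symbols = new Interner();
  const makeSymbol = (description) => ({ description });
  const a = symbols.intern("foo", makeSymbol);
  const b = symbols.intern("foo", makeSymbol);
  const c = symbols.intern("bar", makeSymbol);
  return { sameObject: a === b, differentObject: a !== c, entries: symbols.size() };
}
```

The weak table is the part worth keeping in mind: a strong Map keyed by strings that callers choose would grow without bound, which is the memory growth a weak, key-addressed map avoids.
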
837 2016-07-28  Mark Lam  <mark.lam@apple.com>
838
839         ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string.
840         https://bugs.webkit.org/show_bug.cgi?id=160324
841         <rdar://problem/27389572>
842
843         Reviewed by Keith Miller.
844
845         The issue is that errorProtoFuncToString() was using jsNontrivialString() to
846         generate the error string even when the name string can be a single character
847         string.  This is incorrect.  We should be using jsString() instead.
848
849         * runtime/ErrorPrototype.cpp:
850         (JSC::errorProtoFuncToString):
851         * tests/stress/errors-with-simple-names-or-messages-should-not-crash-toString.js: Added.
852
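The edge case this entry fixes, as an added illustration written for this page rather than code from JavaScriptCore: the ECMA-262 steps for Error.prototype.toString written out in JavaScript so that a one-character name, an empty name and an empty message are each visibly handled, followed by a differential check against the engine's own implementation. The function names are hypothetical.

```javascript
// Added illustration, not JavaScriptCore code: the ECMA-262 algorithm for
// Error.prototype.toString in plain JavaScript. Nothing here assumes the
// name or message is longer than one character; that assumption is exactly
// what the entry removed from the engine. Function names are hypothetical.
function errorToString(err) {
  if (err === null || (typeof err !== "object" && typeof err !== "function")) {
    throw new TypeError("Error.prototype.toString called on non-object");
  }
  // Missing name defaults to "Error", missing message to "".
  const name = err.name === undefined ? "Error" : String(err.name);
  const msg = err.message === undefined ? "" : String(err.message);
  if (name === "") return msg;
  if (msg === "") return name;
  return `${name}: ${msg}`;
}

// Differential check: run the model and the engine over a set of name/message
// shapes (constructed inputs) and return the cases where they disagree.
function mismatches() {
  const cases = [
    { name: "E", message: "boom" },                  // single-character name
    { name: "E", message: "" },                      // single-character name, no message
    { name: "", message: "m" },                      // empty name
    { name: "", message: "" },                       // both empty
    { message: "only message" },                     // name falls back to "Error"
    { name: "TypeError" },                           // message falls back to ""
    Object.assign(new Error("real"), { name: "X" }), // a real Error instance
  ];
  return cases.filter((c) => errorToString(c) !== Error.prototype.toString.call(c));
}
```
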
853 2016-07-28  Michael Saboff  <msaboff@apple.com>
854
855         ARM64: Fused left shift with a right shift can create NaNs from integers
856         https://bugs.webkit.org/show_bug.cgi?id=160329
857
858         Reviewed by Geoffrey Garen.
859
860         When we fuse a left shift and a right shift of integers where the shift amounts
861         are the same and the size of the quantity being shifted is 8 bits, we rightly
862         generate a sign extend byte instruction.  On ARM64, we were sign extending
863         to a 64 bit quantity, when we really wanted to sign extend to a 32 bit quantity.
864
865         A check of the ARM64 macro assembler showed we were extending to 64 bits for all
866         four combinations of zero / sign and 8 / 16 bits.
867
868         * assembler/MacroAssemblerARM64.h:
869         (JSC::MacroAssemblerARM64::zeroExtend16To32):
870         (JSC::MacroAssemblerARM64::signExtend16To32):
871         (JSC::MacroAssemblerARM64::zeroExtend8To32):
872         (JSC::MacroAssemblerARM64::signExtend8To32):
873         * tests/stress/regress-160329.js: New test added.
874         (narrow):
875
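The fused-shift pattern this entry is about, as an added differential check written for this page rather than code from JavaScriptCore: the source-level pattern (x << n) >> n that a JIT may turn into a sign-extend instruction, compared exhaustively against a reference sign or zero extension that is explicitly 32-bit, since JavaScript bitwise operators always produce an int32 and that is the result the engine must reproduce. The function names are hypothetical.

```javascript
// Added differential check, not JavaScriptCore code. The fused patterns
// below are what a JIT recognises and lowers to a sign/zero-extend; the
// reference functions spell out the 32-bit result they must match. Function
// names are hypothetical.

// Reference: treat the low `bits` bits of `x` as two's complement and widen
// to int32 (branch-free: flip the sign bit, then subtract it).
function signExtendTo32(x, bits) {
  const mask = (1 << bits) - 1;     // 0xFF or 0xFFFF
  const signBit = 1 << (bits - 1);  // 0x80 or 0x8000
  const low = x & mask;             // `&` applies ToInt32 to x first
  return (low ^ signBit) - signBit;
}

// Reference zero extension: keep only the low `bits` bits.
function zeroExtendTo32(x, bits) {
  return x & ((1 << bits) - 1);
}

// The fused shift patterns as they appear in source.
function narrow8(x)   { return (x << 24) >> 24; }
function narrow16(x)  { return (x << 16) >> 16; }
function narrowU8(x)  { return (x << 24) >>> 24; }
function narrowU16(x) { return (x << 16) >>> 16; }

// Compare each fused pattern with its reference over every 8-bit or 16-bit
// input, plus out-of-range values that exercise ToInt32 wrapping.
// Returns the number of mismatches; 0 means the patterns agree.
function countMismatches() {
  let bad = 0;
  const outOfRange = [-1, -129, 0x7fffffff, -0x80000000, 0x100000000, 2 ** 53];
  const check = (fused, ref, bits) => {
    for (let v = 0; v < (1 << bits); v++) {
      if (fused(v) !== ref(v, bits)) bad++;
    }
    for (const v of outOfRange) {
      if (fused(v) !== ref(v, bits)) bad++;
    }
  };
  check(narrow8, signExtendTo32, 8);
  check(narrow16, signExtendTo32, 16);
  check(narrowU8, zeroExtendTo32, 8);
  check(narrowU16, zeroExtendTo32, 16);
  return bad;
}
```

A run that reports mismatches, or that returns a value which is not an int32, is the kind of divergence a test such as the entry's regress-160329.js is there to catch.
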
876 2016-07-28  Mark Lam  <mark.lam@apple.com>
877
878         StringView should have an explicit m_is8Bit field.
879         https://bugs.webkit.org/show_bug.cgi?id=160282
880         <rdar://problem/27327943>
881
882         Reviewed by Benjamin Poulain.
883
884         * tests/stress/string-joining-long-strings-should-not-crash.js: Added.
885         (catch):
886
887 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
888
889         [ARM] Typo fix after r121885
890         https://bugs.webkit.org/show_bug.cgi?id=160288
891
892         Reviewed by Zoltan Herczeg.
893
894         * assembler/MacroAssemblerARM.h:
895         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
896
897 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
898
899         64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214
900         https://bugs.webkit.org/show_bug.cgi?id=159711
901
902         Reviewed by Mark Lam.
903
904         * assembler/ARMAssembler.cpp:
905         (JSC::ARMAssembler::prepareExecutableCopy):
906
907 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
908
909         [JSC] Remove some unused code from FTL
910         https://bugs.webkit.org/show_bug.cgi?id=160285
911
912         Reviewed by Mark Lam.
913
914         All the liveness and swapping is done inside B3,
915         this code is no longer needed.
916
917         * dfg/DFGEdge.h:
918         (JSC::DFG::Edge::doesNotKill): Deleted.
919         * ftl/FTLLowerDFGToB3.cpp:
920         (JSC::FTL::DFG::LowerDFGToB3::doesKill): Deleted.
921
922 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
923
924         [JSC] DFG::Node should not have its own allocator
925         https://bugs.webkit.org/show_bug.cgi?id=160098
926
927         Reviewed by Geoffrey Garen.
928
929         We need some design changes for DFG::Node:
930         -Accessing the index must be fast. B3 uses indices for sets
931          and maps; it is a lot faster than hashing pointers.
932         -We should be able to subclass DFG::Node to specialize it.
933
934         * CMakeLists.txt:
935         * JavaScriptCore.xcodeproj/project.pbxproj:
936         * dfg/DFGAllocator.h: Removed.
937         (JSC::DFG::Allocator::Region::size): Deleted.
938         (JSC::DFG::Allocator::Region::headerSize): Deleted.
939         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
940         (JSC::DFG::Allocator::Region::data): Deleted.
941         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
942         (JSC::DFG::Allocator::Region::regionFor): Deleted.
943         (JSC::DFG::Allocator<T>::Allocator): Deleted.
944         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
945         (JSC::DFG::Allocator<T>::allocate): Deleted.
946         (JSC::DFG::Allocator<T>::free): Deleted.
947         (JSC::DFG::Allocator<T>::freeAll): Deleted.
948         (JSC::DFG::Allocator<T>::reset): Deleted.
949         (JSC::DFG::Allocator<T>::indexOf): Deleted.
950         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
951         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
952         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
953         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
954         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
955         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
956         * dfg/DFGByteCodeParser.cpp:
957         (JSC::DFG::ByteCodeParser::addToGraph):
958         * dfg/DFGCPSRethreadingPhase.cpp:
959         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
960         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
961         * dfg/DFGCleanUpPhase.cpp:
962         (JSC::DFG::CleanUpPhase::run):
963         * dfg/DFGConstantFoldingPhase.cpp:
964         (JSC::DFG::ConstantFoldingPhase::run):
965         * dfg/DFGConstantHoistingPhase.cpp:
966         * dfg/DFGDCEPhase.cpp:
967         (JSC::DFG::DCEPhase::fixupBlock):
968         * dfg/DFGDriver.cpp:
969         (JSC::DFG::compileImpl):
970         * dfg/DFGGraph.cpp:
971         (JSC::DFG::Graph::Graph):
972         (JSC::DFG::Graph::deleteNode):
973         (JSC::DFG::Graph::killBlockAndItsContents):
974         (JSC::DFG::Graph::~Graph): Deleted.
975         * dfg/DFGGraph.h:
976         (JSC::DFG::Graph::addNode):
977         * dfg/DFGLICMPhase.cpp:
978         (JSC::DFG::LICMPhase::attemptHoist):
979         * dfg/DFGLongLivedState.cpp: Removed.
980         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
981         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
982         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
983         * dfg/DFGLongLivedState.h: Removed.
984         * dfg/DFGNode.cpp:
985         (JSC::DFG::Node::index): Deleted.
986         * dfg/DFGNode.h:
987         (JSC::DFG::Node::index):
988         * dfg/DFGNodeAllocator.h: Removed.
989         (operator new ): Deleted.
990         * dfg/DFGObjectAllocationSinkingPhase.cpp:
991         * dfg/DFGPlan.cpp:
992         (JSC::DFG::Plan::compileInThread):
993         (JSC::DFG::Plan::compileInThreadImpl):
994         * dfg/DFGPlan.h:
995         * dfg/DFGSSAConversionPhase.cpp:
996         (JSC::DFG::SSAConversionPhase::run):
997         * dfg/DFGWorklist.cpp:
998         (JSC::DFG::Worklist::runThread):
999         * runtime/VM.cpp:
1000         (JSC::VM::VM): Deleted.
1001         * runtime/VM.h:
1002
1003 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
1004
1005         [JSC] Fix a bunch of use-after-free of DFG::Node
1006         https://bugs.webkit.org/show_bug.cgi?id=160228
1007
1008         Reviewed by Mark Lam.
1009
1010         FTL had a few places where we use a node after it has been
1011         deleted. The dangling pointers come from the SSA liveness information
1012         kept on the basic blocks.
1013
1014         This patch fixes the issues I could find and adds liveness invalidation
1015         to help finding dependencies like these.
1016
1017         * dfg/DFGBasicBlock.h:
1018         (JSC::DFG::BasicBlock::SSAData::invalidate):
1019
1020         * dfg/DFGConstantFoldingPhase.cpp:
1021         (JSC::DFG::ConstantFoldingPhase::run):
1022         Constant folding phase was deleting nodes in the loop over basic blocks.
1023         The problem is that the deleted nodes can be referenced by other blocks.
1024         When the abstract interpreter was manipulating the abstract values of those,
1025         it was doing so on the dead nodes.
1026
1027         * dfg/DFGConstantHoistingPhase.cpp:
1028         Just invalidation. Nothing wrong here since the useless nodes were
1029         kept live while iterating the blocks.
1030
1031         * dfg/DFGGraph.cpp:
1032         (JSC::DFG::Graph::killBlockAndItsContents):
1033         (JSC::DFG::Graph::killUnreachableBlocks):
1034         (JSC::DFG::Graph::invalidateNodeLiveness):
1035
1036         * dfg/DFGGraph.h:
1037         * dfg/DFGPlan.cpp:
1038         (JSC::DFG::Plan::compileInThreadImpl):
1039         We had a lot of use-after-free in LICM because we were using the stale
1040         live nodes deleted by previous phases.
1041
1042 2016-07-27  Keith Miller  <keith_miller@apple.com>
1043
1044         concatAppendOne should allocate using the indexing type of the array if it cannot merge
1045         https://bugs.webkit.org/show_bug.cgi?id=160261
1046         <rdar://problem/27530122>
1047
1048         Reviewed by Mark Lam.
1049
1050         Before, if we could not merge the indexing types for copying, we would allocate the
1051         array as ArrayWithUndecided. Instead, we should allocate an array with the original
1052         array's indexing type.
1053
1054         * runtime/ArrayPrototype.cpp:
1055         (JSC::concatAppendOne):
1056         * tests/stress/concat-append-one-with-sparse-array.js: Added.
1057
1058 2016-07-27  Saam Barati  <sbarati@apple.com>
1059
1060         We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
1061         https://bugs.webkit.org/show_bug.cgi?id=160211
1062         <rdar://problem/27572612>
1063
1064         Reviewed by Geoffrey Garen.
1065
1066         The fast for-in iteration mode assumes all inline/out-of-line properties
1067         can be iterated in linear order. This is not true if we have Symbols
1068         because Symbols should not be iterated by for-in.
1069
1070         * runtime/Structure.cpp:
1071         (JSC::Structure::add):
1072         * tests/stress/symbol-should-not-break-for-in.js: Added.
1073         (assert):
1074         (foo):
1075
1076 2016-07-27  Mark Lam  <mark.lam@apple.com>
1077
1078         The second argument for Function.prototype.apply should be array-like or null/undefined.
1079         https://bugs.webkit.org/show_bug.cgi?id=160212
1080         <rdar://problem/27328525>
1081
1082         Reviewed by Filip Pizlo.
1083
1084         The spec for Function.prototype.apply says its second argument can only be null,
1085         undefined, or must be array-like.  See
1086         https://tc39.github.io/ecma262/#sec-function.prototype.apply and
1087         https://tc39.github.io/ecma262/#sec-createlistfromarraylike.
1088
1089         Our previous implementation was not handling this correctly for SymbolType.
1090         This is now fixed.
1091
1092         * interpreter/Interpreter.cpp:
1093         (JSC::sizeOfVarargs):
1094         * tests/stress/apply-second-argument-must-be-array-like.js: Added.
1095
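The two spec steps this entry cites, as an added illustration written for this page rather than code from JavaScriptCore: Function.prototype.apply treating null and undefined as "no arguments" and handing everything else to CreateListFromArrayLike, which rejects every non-object, a Symbol included, with a TypeError; a differential check then compares the model with the engine's own apply. The function names are hypothetical.

```javascript
// Added illustration, not JavaScriptCore code: the ECMA-262 steps for
// Function.prototype.apply and CreateListFromArrayLike in plain JavaScript.
// Function names are hypothetical.

// ToLength: integer clamped to [0, 2^53 - 1]; NaN and undefined become 0.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// CreateListFromArrayLike(obj): only objects are accepted; primitives such
// as numbers, strings and symbols are rejected with a TypeError.
function createListFromArrayLike(obj) {
  if (obj === null || (typeof obj !== "object" && typeof obj !== "function")) {
    throw new TypeError("CreateListFromArrayLike called on non-object");
  }
  const len = toLength(obj.length);
  const list = [];
  for (let i = 0; i < len; i++) list.push(obj[String(i)]);
  return list;
}

// Function.prototype.apply(thisArg, argArray): null/undefined mean an empty
// argument list; anything else must be array-like.
function applyLike(fn, thisArg, argArray) {
  if (typeof fn !== "function") throw new TypeError("not callable");
  if (argArray === undefined || argArray === null) return Reflect.apply(fn, thisArg, []);
  return Reflect.apply(fn, thisArg, createListFromArrayLike(argArray));
}

// Show how a candidate second argument is treated: the argument list the
// callee receives, or the name of the error thrown.
function classify(argArray) {
  try {
    return applyLike((...args) => args, undefined, argArray);
  } catch (e) {
    return e.name;
  }
}

// Differential check against the engine's own Function.prototype.apply for
// one constructed input: true when both produce the same result or error.
function nativeAgrees(argArray) {
  const collect = (...args) => args;
  let native, model;
  try { native = JSON.stringify(collect.apply(undefined, argArray)); } catch (e) { native = e.name; }
  try { model = JSON.stringify(applyLike(collect, undefined, argArray)); } catch (e) { model = e.name; }
  return native === model;
}
```
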
1096 2016-07-27  Saam Barati  <sbarati@apple.com>
1097
1098         MathICs should be able to emit only a jump along the inline path when they don't have any type data
1099         https://bugs.webkit.org/show_bug.cgi?id=160110
1100
1101         Reviewed by Mark Lam.
1102
1103         This patch allows for MathIC fast-path generation to be delayed.
1104         We delay when we don't see any observed type information for
1105         the lhs/rhs operand, which implies that the MathIC has never
1106         executed. This is profitable for two main reasons:
1107         1. If the math operation never executes, we emit much less code.
1108         2. Once we get type information for the lhs/rhs, we can emit better code.
1109
1110         To implement this, we just emit a jump to the slow path call
1111         that will repatch on first execution.
1112
1113         New data for add:
1114                    |   JetStream  |  Unity 3D  |
1115              ------|--------------|------------|
1116               Old  |   148 bytes  |  143 bytes |
1117              ------|--------------|------------|
1118               New  |   116 bytes  |  113 bytes |
1119              ------|--------------|------------|
1120
1121         New data for mul:
1122                    |   JetStream  |  Unity 3D  |
1123              ------|--------------|------------|
1124               Old  |   210 bytes  |  185 bytes |
1125              ------|--------------|------------|
1126               New  |   170 bytes  |  137 bytes |
1127              ------|--------------|------------|
1128
1129         * jit/JITAddGenerator.cpp:
1130         (JSC::JITAddGenerator::generateInline):
1131         * jit/JITAddGenerator.h:
1132         (JSC::JITAddGenerator::isLeftOperandValidConstant):
1133         (JSC::JITAddGenerator::isRightOperandValidConstant):
1134         (JSC::JITAddGenerator::arithProfile):
1135         * jit/JITMathIC.h:
1136         (JSC::JITMathIC::generateInline):
1137         (JSC::JITMathIC::generateOutOfLine):
1138         (JSC::JITMathIC::finalizeInlineCode):
1139         * jit/JITMathICInlineResult.h:
1140         * jit/JITMulGenerator.cpp:
1141         (JSC::JITMulGenerator::generateInline):
1142         * jit/JITMulGenerator.h:
1143         (JSC::JITMulGenerator::isLeftOperandValidConstant):
1144         (JSC::JITMulGenerator::isRightOperandValidConstant):
1145         (JSC::JITMulGenerator::arithProfile):
1146         * jit/JITOperations.cpp:
1147
1148 2016-07-26  Saam Barati  <sbarati@apple.com>
1149
1150         rollout r203666
1151         https://bugs.webkit.org/show_bug.cgi?id=160226
1152
1153         Unreviewed rollout.
1154
1155         * b3/B3BasicBlock.h:
1156         (JSC::B3::BasicBlock::successorBlock):
1157         * b3/B3LowerToAir.cpp:
1158         (JSC::B3::Air::LowerToAir::createGenericCompare):
1159         * b3/B3LowerToAir.h:
1160         * b3/air/AirArg.cpp:
1161         (JSC::B3::Air::Arg::isRepresentableAs):
1162         (JSC::B3::Air::Arg::usesTmp):
1163         * b3/air/AirArg.h:
1164         (JSC::B3::Air::Arg::isRepresentableAs):
1165         (JSC::B3::Air::Arg::asNumber):
1166         (JSC::B3::Air::Arg::castToType): Deleted.
1167         * b3/air/AirCode.h:
1168         (JSC::B3::Air::Code::size):
1169         (JSC::B3::Air::Code::at):
1170         * b3/air/AirOpcode.opcodes:
1171         * b3/air/AirValidate.h:
1172         * b3/air/opcode_generator.rb:
1173         * b3/testb3.cpp:
1174         (JSC::B3::compileAndRun):
1175         (JSC::B3::testSomeEarlyRegister):
1176         (JSC::B3::zero):
1177         (JSC::B3::run):
1178         (JSC::B3::lowerToAirForTesting): Deleted.
1179         (JSC::B3::testBranchBitAndImmFusion): Deleted.
1180
1181 2016-07-26  Caitlin Potter  <caitp@igalia.com>
1182
1183         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
1184         https://bugs.webkit.org/show_bug.cgi?id=159409
1185
1186         Reviewed by Geoffrey Garen.
1187
1188         * runtime/ObjectConstructor.cpp:
1189         (JSC::objectConstructorGetOwnPropertyDescriptors):
1190         * tests/es6.yaml:
1191         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
1192         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
1193         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
1194         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
1195         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
1196
1197 2016-07-26  Mark Lam  <mark.lam@apple.com>
1198
1199         Remove unused DEBUG_WITH_BREAKPOINT configuration.
1200         https://bugs.webkit.org/show_bug.cgi?id=160203
1201
1202         Reviewed by Keith Miller.
1203
1204         * bytecompiler/BytecodeGenerator.cpp:
1205         (JSC::BytecodeGenerator::emitDebugHook):
1206
1207 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
1208
1209         Unreviewed, rolling out r203703.
1210
1211         It breaks some internal tests
1212
1213         Reverted changeset:
1214
1215         "[JSC] DFG::Node should not have its own allocator"
1216         https://bugs.webkit.org/show_bug.cgi?id=160098
1217         http://trac.webkit.org/changeset/203703
1218
1219 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
1220
1221         [JSC] DFG::Node should not have its own allocator
1222         https://bugs.webkit.org/show_bug.cgi?id=160098
1223
1224         Reviewed by Geoffrey Garen.
1225
1226         We need some design changes for DFG::Node:
1227         -Accessing the index must be fast. B3 uses indices for sets
1228          and maps; it is a lot faster than hashing pointers.
1229         -We should be able to subclass DFG::Node to specialize it.
1230
1231         * CMakeLists.txt:
1232         * JavaScriptCore.xcodeproj/project.pbxproj:
1233         * dfg/DFGAllocator.h: Removed.
1234         (JSC::DFG::Allocator::Region::size): Deleted.
1235         (JSC::DFG::Allocator::Region::headerSize): Deleted.
1236         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
1237         (JSC::DFG::Allocator::Region::data): Deleted.
1238         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
1239         (JSC::DFG::Allocator::Region::regionFor): Deleted.
1240         (JSC::DFG::Allocator<T>::Allocator): Deleted.
1241         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
1242         (JSC::DFG::Allocator<T>::allocate): Deleted.
1243         (JSC::DFG::Allocator<T>::free): Deleted.
1244         (JSC::DFG::Allocator<T>::freeAll): Deleted.
1245         (JSC::DFG::Allocator<T>::reset): Deleted.
1246         (JSC::DFG::Allocator<T>::indexOf): Deleted.
1247         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
1248         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
1249         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
1250         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
1251         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
1252         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
1253         * dfg/DFGByteCodeParser.cpp:
1254         (JSC::DFG::ByteCodeParser::addToGraph):
1255         * dfg/DFGCPSRethreadingPhase.cpp:
1256         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1257         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
1258         * dfg/DFGCleanUpPhase.cpp:
1259         (JSC::DFG::CleanUpPhase::run):
1260         * dfg/DFGConstantFoldingPhase.cpp:
1261         (JSC::DFG::ConstantFoldingPhase::run):
1262         * dfg/DFGConstantHoistingPhase.cpp:
1263         * dfg/DFGDCEPhase.cpp:
1264         (JSC::DFG::DCEPhase::fixupBlock):
1265         * dfg/DFGDriver.cpp:
1266         (JSC::DFG::compileImpl):
1267         * dfg/DFGGraph.cpp:
1268         (JSC::DFG::Graph::Graph):
1269         (JSC::DFG::Graph::deleteNode):
1270         (JSC::DFG::Graph::killBlockAndItsContents):
1271         (JSC::DFG::Graph::~Graph): Deleted.
1272         * dfg/DFGGraph.h:
1273         (JSC::DFG::Graph::addNode):
1274         * dfg/DFGLICMPhase.cpp:
1275         (JSC::DFG::LICMPhase::attemptHoist):
1276         * dfg/DFGLongLivedState.cpp: Removed.
1277         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
1278         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
1279         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
1280         * dfg/DFGLongLivedState.h: Removed.
1281         * dfg/DFGNode.cpp:
1282         (JSC::DFG::Node::index): Deleted.
1283         * dfg/DFGNode.h:
1284         (JSC::DFG::Node::index):
1285         * dfg/DFGNodeAllocator.h: Removed.
1286         (operator new ): Deleted.
1287         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1288         * dfg/DFGPlan.cpp:
1289         (JSC::DFG::Plan::compileInThread):
1290         (JSC::DFG::Plan::compileInThreadImpl):
1291         * dfg/DFGPlan.h:
1292         * dfg/DFGSSAConversionPhase.cpp:
1293         (JSC::DFG::SSAConversionPhase::run):
1294         * dfg/DFGWorklist.cpp:
1295         (JSC::DFG::Worklist::runThread):
1296         * runtime/VM.cpp:
1297         (JSC::VM::VM): Deleted.
1298         * runtime/VM.h:
1299
1300 2016-07-25  Filip Pizlo  <fpizlo@apple.com>
1301
1302         AssemblyHelpers should own all of the cell allocation methods
1303         https://bugs.webkit.org/show_bug.cgi?id=160171
1304
1305         Reviewed by Saam Barati.
1306
1307         Prior to this change we had some code in DFGSpeculativeJIT.h and some code in JIT.h that
1308         did cell allocation.
1309
1310         This change moves all of that code into AssemblyHelpers.h.
1311
1312         * dfg/DFGSpeculativeJIT.h:
1313         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1314         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1315         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1316         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
1317         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1318         * jit/AssemblyHelpers.h:
1319         (JSC::AssemblyHelpers::emitAllocate):
1320         (JSC::AssemblyHelpers::emitAllocateJSCell):
1321         (JSC::AssemblyHelpers::emitAllocateJSObject):
1322         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1323         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1324         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
1325         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1326         * jit/JIT.h:
1327         * jit/JITInlines.h:
1328         (JSC::JIT::isOperandConstantChar):
1329         (JSC::JIT::emitValueProfilingSite):
1330         (JSC::JIT::emitAllocateJSObject): Deleted.
1331         * jit/JITOpcodes.cpp:
1332         (JSC::JIT::emit_op_new_object):
1333         (JSC::JIT::emit_op_create_this):
1334         * jit/JITOpcodes32_64.cpp:
1335         (JSC::JIT::emit_op_new_object):
1336         (JSC::JIT::emit_op_create_this):
1337
1338 2016-07-25  Saam Barati  <sbarati@apple.com>
1339
1340         MathICs should be able to take and dump stats about code size
1341         https://bugs.webkit.org/show_bug.cgi?id=160148
1342
1343         Reviewed by Filip Pizlo.
1344
1345         This will make testing changes on MathIC going forward much easier.
1346         We will be able to easily see if modifications to MathIC will lead
1347         to us generating smaller code. We now only dump average size when we
1348         regenerate any MathIC. This works out for large tests/pages, but is not
1349         great for testing small programs. We can add more dump points later if
1350         we find that we want to dump stats while running small programs.
1351
1352         * bytecode/CodeBlock.cpp:
1353         (JSC::CodeBlock::jitSoon):
1354         (JSC::CodeBlock::dumpMathICStats):
1355         * bytecode/CodeBlock.h:
1356         (JSC::CodeBlock::isStrictMode):
1357         (JSC::CodeBlock::ecmaMode):
1358         * dfg/DFGSpeculativeJIT.cpp:
1359         (JSC::DFG::SpeculativeJIT::compileMathIC):
1360         * ftl/FTLLowerDFGToB3.cpp:
1361         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
1362         * jit/JITArithmetic.cpp:
1363         (JSC::JIT::emitMathICFast):
1364         (JSC::JIT::emitMathICSlow):
1365         * jit/JITMathIC.h:
1366         (JSC::JITMathIC::finalizeInlineCode):
1367         (JSC::JITMathIC::codeSize):
1368         * jit/JITOperations.cpp:
1369
1370 2016-07-25  Saam Barati  <sbarati@apple.com>
1371
1372         op_mul/ArithMul(Untyped,Untyped) should be an IC
1373         https://bugs.webkit.org/show_bug.cgi?id=160108
1374
1375         Reviewed by Mark Lam.
1376
1377         This patch makes Mul a type based IC in much the same way that we made
1378         Add a type-based IC. I implemented Mul in the same way. I abstracted the
1379         implementation of the Add IC in the various JITs to allow for it to
1380         work over arbitrary IC snippets. This will make adding Div/Sub/Pow in the
1381         future easy. This patch also adds a new boolean argument to the various
1382         snippet generateFastPath() methods to indicate if we should emit result profiling.
1383         I added this because we want this profiling to be emitted for Mul in
1384         the baseline, but not in the DFG. We used to indicate this through passing
1385         in a nullptr for the ArithProfile, but we no longer do that in the upper
1386         JIT tiers. So we are passing an explicit request from the JIT tier about
1387         whether or not it's worth it for the IC to emit profiling.
1388
1389         We now emit much less code for Mul. Here is some data on the average
1390         Mul snippet/IC size:
1391
1392                    |  JetStream  |  Unity 3D  |
1393              ------|-------------|------------|
1394               Old  |  ~280 bytes | ~280 bytes |
1395              ------|-------------|------------|
1396               New  |   210 bytes |  185 bytes |
1397              ------|-------------|------------|
1398
1399         * bytecode/CodeBlock.cpp:
1400         (JSC::CodeBlock::addJITAddIC):
1401         (JSC::CodeBlock::addJITMulIC):
1402         (JSC::CodeBlock::findStubInfo):
1403         * bytecode/CodeBlock.h:
1404         (JSC::CodeBlock::stubInfoBegin):
1405         (JSC::CodeBlock::stubInfoEnd):
1406         * dfg/DFGSpeculativeJIT.cpp:
1407         (JSC::DFG::GPRTemporary::adopt):
1408         (JSC::DFG::FPRTemporary::FPRTemporary):
1409         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1410         (JSC::DFG::SpeculativeJIT::compileMathIC):
1411         (JSC::DFG::SpeculativeJIT::compileArithMul):
1412         * dfg/DFGSpeculativeJIT.h:
1413         (JSC::DFG::SpeculativeJIT::callOperation):
1414         (JSC::DFG::GPRTemporary::GPRTemporary):
1415         (JSC::DFG::GPRTemporary::operator=):
1416         (JSC::DFG::FPRTemporary::~FPRTemporary):
1417         (JSC::DFG::FPRTemporary::fpr):
1418         * ftl/FTLLowerDFGToB3.cpp:
1419         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
1420         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1421         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
1422         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
1423         * jit/JIT.h:
1424         (JSC::JIT::getSlowCase):
1425         * jit/JITAddGenerator.cpp:
1426         (JSC::JITAddGenerator::generateInline):
1427         (JSC::JITAddGenerator::generateFastPath):
1428         * jit/JITAddGenerator.h:
1429         (JSC::JITAddGenerator::JITAddGenerator):
1430         (JSC::JITAddGenerator::isLeftOperandValidConstant):
1431         (JSC::JITAddGenerator::isRightOperandValidConstant):
1432         * jit/JITArithmetic.cpp:
1433         (JSC::JIT::emit_op_add):
1434         (JSC::JIT::emitSlow_op_add):
1435         (JSC::JIT::emitMathICFast):
1436         (JSC::JIT::emitMathICSlow):
1437         (JSC::JIT::emit_op_mul):
1438         (JSC::JIT::emitSlow_op_mul):
1439         (JSC::JIT::emit_op_sub):
1440         * jit/JITInlines.h:
1441         (JSC::JIT::callOperation):
1442         * jit/JITMathIC.h:
1443         (JSC::JITMathIC::slowPathStartLocation):
1444         (JSC::JITMathIC::slowPathCallLocation):
1445         (JSC::JITMathIC::isLeftOperandValidConstant):
1446         (JSC::JITMathIC::isRightOperandValidConstant):
1447         (JSC::JITMathIC::generateInline):
1448         (JSC::JITMathIC::generateOutOfLine):
1449         * jit/JITMathICForwards.h:
1450         * jit/JITMulGenerator.cpp:
1451         (JSC::JITMulGenerator::generateInline):
1452         (JSC::JITMulGenerator::generateFastPath):
1453         * jit/JITMulGenerator.h:
1454         (JSC::JITMulGenerator::JITMulGenerator):
1455         (JSC::JITMulGenerator::isLeftOperandValidConstant):
1456         (JSC::JITMulGenerator::isRightOperandValidConstant):
1457         (JSC::JITMulGenerator::didEmitFastPath): Deleted.
1458         (JSC::JITMulGenerator::endJumpList): Deleted.
1459         (JSC::JITMulGenerator::slowPathJumpList): Deleted.
1460         * jit/JITOperations.cpp:
1461         * jit/JITOperations.h:
1462
1463 2016-07-25  Darin Adler  <darin@apple.com>
1464
1465         Speed up make process slightly by improving "list of files" idiom
1466         https://bugs.webkit.org/show_bug.cgi?id=160164
1467
1468         Reviewed by Mark Lam.
1469
1470         * DerivedSources.make: Change rules that build lists of files to only run when
1471         DerivedSources.make has been modified since the last time they were run. Since the
1472         lists of files are inside this file, this is safe, and this is faster than always
1473         comparing and regenerating the file containing the list of files each time.
1474
1475 2016-07-24  Youenn Fablet  <youenn@apple.com>
1476
1477         [Fetch API] Request should be created with any HeadersInit data
1478         https://bugs.webkit.org/show_bug.cgi?id=159672
1479
1480         Reviewed by Sam Weinig.
1481
1482         * Scripts/builtins/builtins_generator.py:
1483         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
1484
1485 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
1486
1487         B3 should support multiple entrypoints
1488         https://bugs.webkit.org/show_bug.cgi?id=159391
1489
1490         Reviewed by Saam Barati.
1491         
1492         This teaches B3 how to compile procedures with multiple entrypoints in the best way ever.
1493         
1494         Multiple entrypoints are useful. We could use them to reduce the cost of compiling OSR
1495         entrypoints. We could use them to implement better try/catch.
1496         
1497         Multiple entrypoints are hard to support. All of the code that assumed that the root block
1498         is the entrypoint would have to be changed. Transformations like moveConstants() would have
1499         to do crazy things if the existence of multiple entrypoints prevented it from finding a
1500         single common dominator.
1501         
1502         Therefore, we want to add multiple entrypoints without actually teaching the compiler that
1503         there is such a thing. That's sort of what this change does.
1504         
1505         This adds a new opcode to both B3 and Air called EntrySwitch. It's a terminal that takes
1506         one or more successors and no value children. The number of successors must match
1507         Procedure::numEntrypoints(), which could be arbitrarily large. The semantics of EntrySwitch
1508         are:
1509         
1510         - Each of the entrypoints sets a hidden Entry variable to that entrypoint's index and jumps
1511           to the procedure's root block.
1512         
1513         - An EntrySwitch is a switch statement over this hidden Entry variable.
1514         
1515         The way that we actually implement this is that Air has a very late phase - after all
1516         register and stack layout - that clones all code where the Entry variable is live; i.e. all
1517         code in the closure over predecessors of all blocks that do EntrySwitch.
1518         
1519         Usually, you would use this by creating an EntrySwitch in the root block, but you don't
1520         have to do that. Just remember that the code before EntrySwitch gets cloned for each
1521         entrypoint. We allow cloning of an arbitrarily large amount of code because restricting it,
1522         and so restricting the placement of EntrySwitches, would be inelegant. It would be hard to
1523         preserve this invariant. For example we wouldn't be able to lower any value before an
1524         EntrySwitch to a control flow diamond.
1525         
1526         This patch gives us an easy-to-use way to use B3 to compile code with multiple entrypoints.
1527         Inside the compiler, only code that runs very late in Air has to know about this feature.
1528         We get the best of both worlds!
1529         
1530         Also, I finally got rid of the requirement that you explicitly cast BasicBlock* to
1531         FrequentedBlock. I can no longer remember why I thought that was a good idea. Removing it
1532         doesn't cause any problems and it makes code easier to write.
1533
1534         * CMakeLists.txt:
1535         * JavaScriptCore.xcodeproj/project.pbxproj:
1536         * b3/B3BasicBlockUtils.h:
1537         (JSC::B3::updatePredecessorsAfter):
1538         (JSC::B3::clearPredecessors):
1539         (JSC::B3::recomputePredecessors):
1540         * b3/B3FrequencyClass.h:
1541         (JSC::B3::maxFrequency):
1542         * b3/B3Generate.h:
1543         * b3/B3LowerToAir.cpp:
1544         (JSC::B3::Air::LowerToAir::lower):
1545         * b3/B3MoveConstants.cpp:
1546         * b3/B3Opcode.cpp:
1547         (WTF::printInternal):
1548         * b3/B3Opcode.h:
1549         * b3/B3Procedure.cpp:
1550         (JSC::B3::Procedure::isFastConstant):
1551         (JSC::B3::Procedure::entrypointLabel):
1552         (JSC::B3::Procedure::addDataSection):
1553         * b3/B3Procedure.h:
1554         (JSC::B3::Procedure::numEntrypoints):
1555         (JSC::B3::Procedure::setNumEntrypoints):
1556         (JSC::B3::Procedure::setLastPhaseName):
1557         * b3/B3Validate.cpp:
1558         * b3/B3Value.cpp:
1559         (JSC::B3::Value::effects):
1560         (JSC::B3::Value::typeFor):
1561         * b3/B3Value.h:
1562         * b3/air/AirCode.cpp:
1563         (JSC::B3::Air::Code::cCallSpecial):
1564         (JSC::B3::Air::Code::isEntrypoint):
1565         (JSC::B3::Air::Code::resetReachability):
1566         (JSC::B3::Air::Code::dump):
1567         * b3/air/AirCode.h:
1568         (JSC::B3::Air::Code::setFrameSize):
1569         (JSC::B3::Air::Code::numEntrypoints):
1570         (JSC::B3::Air::Code::entrypoints):
1571         (JSC::B3::Air::Code::entrypoint):
1572         (JSC::B3::Air::Code::setEntrypoints):
1573         (JSC::B3::Air::Code::entrypointLabel):
1574         (JSC::B3::Air::Code::setEntrypointLabels):
1575         (JSC::B3::Air::Code::calleeSaveRegisters):
1576         * b3/air/AirCustom.h:
1577         (JSC::B3::Air::PatchCustom::isTerminal):
1578         (JSC::B3::Air::PatchCustom::hasNonArgEffects):
1579         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
1580         (JSC::B3::Air::PatchCustom::generate):
1581         (JSC::B3::Air::CommonCustomBase::hasNonArgEffects):
1582         (JSC::B3::Air::CCallCustom::forEachArg):
1583         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1584         (JSC::B3::Air::ShuffleCustom::forEachArg):
1585         (JSC::B3::Air::EntrySwitchCustom::forEachArg):
1586         (JSC::B3::Air::EntrySwitchCustom::isValidFormStatic):
1587         (JSC::B3::Air::EntrySwitchCustom::isValidForm):
1588         (JSC::B3::Air::EntrySwitchCustom::admitsStack):
1589         (JSC::B3::Air::EntrySwitchCustom::isTerminal):
1590         (JSC::B3::Air::EntrySwitchCustom::hasNonArgNonControlEffects):
1591         (JSC::B3::Air::EntrySwitchCustom::generate):
1592         * b3/air/AirGenerate.cpp:
1593         (JSC::B3::Air::prepareForGeneration):
1594         (JSC::B3::Air::generate):
1595         * b3/air/AirLowerEntrySwitch.cpp: Added.
1596         (JSC::B3::Air::lowerEntrySwitch):
1597         * b3/air/AirLowerEntrySwitch.h: Added.
1598         * b3/air/AirOpcode.opcodes:
1599         * b3/air/AirOptimizeBlockOrder.cpp:
1600         (JSC::B3::Air::blocksInOptimizedOrder):
1601         * b3/air/AirSpecial.cpp:
1602         (JSC::B3::Air::Special::isTerminal):
1603         (JSC::B3::Air::Special::hasNonArgEffects):
1604         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
1605         * b3/air/AirSpecial.h:
1606         * b3/air/AirValidate.cpp:
1607         * b3/air/opcode_generator.rb:
1608         * b3/testb3.cpp:
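
        The cloning step described above (Entry-live closure, one clone per entrypoint, EntrySwitch
        turned into a plain jump), as an added C++ example that is not WebKit's AirLowerEntrySwitch
        code: the Block/Code types, lowerEntrySwitch(), entryLiveBlocks(), reachableBlockCount() and
        the sample CFG are all constructed for this example.

```cpp
#include <cassert>
#include <map>
#include <set>
#include <string>
#include <vector>
// Minimal CFG model written for this example after the ChangeLog's description; not JSC's Air.
struct Block {
    std::string name;
    bool isEntrySwitch;           // terminal is EntrySwitch: successors[k] is taken on entry k
    std::vector<int> successors;  // indices into Code::blocks (a plain jump has one successor)
};
struct Code {
    std::vector<Block> blocks;    // block 0 is the root, as in B3/Air
    std::vector<int> entrypoints; // filled by lowerEntrySwitch: one block index per entrypoint
};

// Blocks where the hidden Entry variable is live: the closure over predecessors of every
// block whose terminal is an EntrySwitch.
static std::set<int> entryLiveBlocks(const Code& code)
{
    std::vector<std::vector<int>> preds(code.blocks.size());
    std::set<int> live; std::vector<int> work;
    for (int i = 0; i < static_cast<int>(code.blocks.size()); ++i) {
        for (int s : code.blocks[i].successors)
            preds[s].push_back(i);
        if (code.blocks[i].isEntrySwitch)
            work.push_back(i);
    }
    while (!work.empty()) {
        int b = work.back(); work.pop_back();
        if (live.insert(b).second)
            for (int p : preds[b])
                work.push_back(p);
    }
    return live;
}

// Clone every Entry-live block once per entrypoint. In the clone made for entrypoint k an
// EntrySwitch degenerates to a jump to its k-th successor, so no Entry variable exists at run
// time. Blocks outside the live set stay shared; the original live blocks become unreachable.
static Code lowerEntrySwitch(const Code& input, int numEntrypoints)
{
    Code out = input;
    const std::set<int> live = entryLiveBlocks(input);
    std::map<std::pair<int, int>, int> clone; // (entrypoint, original index) -> clone index
    for (int k = 0; k < numEntrypoints; ++k) {
        for (int b : live) {
            clone[{k, b}] = static_cast<int>(out.blocks.size());
            out.blocks.push_back(input.blocks[b]);
            out.blocks.back().name += "_entry" + std::to_string(k);
        }
    }
    for (int k = 0; k < numEntrypoints; ++k) {
        for (int b : live) {
            Block& c = out.blocks[clone[{k, b}]];
            if (c.isEntrySwitch) {
                assert(static_cast<int>(c.successors.size()) == numEntrypoints); // == numEntrypoints()
                int target = c.successors[k];
                c.isEntrySwitch = false;
                c.successors = { live.count(target) ? clone[{k, target}] : target };
            } else {
                for (int& s : c.successors)
                    if (live.count(s))
                        s = clone[{k, s}];
            }
        }
    }
    out.entrypoints.clear();
    for (int k = 0; k < numEntrypoints; ++k)
        out.entrypoints.push_back(clone[{k, 0}]);
    return out;
}

static size_t reachableBlockCount(const Code& code)
{
    std::set<int> seen(code.entrypoints.begin(), code.entrypoints.end());
    std::vector<int> work(code.entrypoints.begin(), code.entrypoints.end());
    while (!work.empty()) {
        int b = work.back(); work.pop_back();
        for (int s : code.blocks[b].successors)
            if (seen.insert(s).second)
                work.push_back(s);
    }
    return seen.size();
}

// Constructed input: root -> pre, pre ends in EntrySwitch{A, B}, A and B join at shared C.
static Code sampleLoweredCode()
{
    Code code;
    code.blocks = {
        { "root", false, { 1 } },
        { "pre",  true,  { 2, 3 } },
        { "A",    false, { 4 } },
        { "B",    false, { 4 } },
        { "C",    false, {} },
    };
    return lowerEntrySwitch(code, 2);
}
```

        Only "root" and "pre" are duplicated (two clones each); A, B and C are shared by both
        entrypoints, which is the space/flexibility trade-off the entry describes.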
1609
1610 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
1611
1612         Unreviewed, fix broken test. I don't know why I goofed this up without seeing it before landing.
1613
1614         * b3/air/AirOpcode.opcodes:
1615         * b3/testb3.cpp:
1616         (JSC::B3::run):
1617
1618 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
1619
1620         [B3] Fusing immediates into test instructions should work again
1621         https://bugs.webkit.org/show_bug.cgi?id=160073
1622
1623         Reviewed by Sam Weinig.
1624
1625         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
1626         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
1627         was still using Imm!  This meant that isValidForm() always returned false.
1628         
1629         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
1630         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
1631         with the scratch register).
1632         
1633         This is not an obvious progression on anything, so I added comprehensive tests to
1634         testb3, which check that we selected the optimal instruction in a variety of situations.
1635         We should add more tests like this!
1636
1637         * b3/B3BasicBlock.h:
1638         (JSC::B3::BasicBlock::successorBlock):
1639         * b3/B3LowerToAir.cpp:
1640         (JSC::B3::Air::LowerToAir::createGenericCompare):
1641         * b3/B3LowerToAir.h:
1642         * b3/air/AirArg.cpp:
1643         (JSC::B3::Air::Arg::isRepresentableAs):
1644         (JSC::B3::Air::Arg::usesTmp):
1645         * b3/air/AirArg.h:
1646         (JSC::B3::Air::Arg::isRepresentableAs):
1647         (JSC::B3::Air::Arg::castToType):
1648         (JSC::B3::Air::Arg::asNumber):
1649         * b3/air/AirCode.h:
1650         (JSC::B3::Air::Code::size):
1651         (JSC::B3::Air::Code::at):
1652         * b3/air/AirOpcode.opcodes:
1653         * b3/air/AirValidate.h:
1654         * b3/air/opcode_generator.rb:
1655         * b3/testb3.cpp:
1656         (JSC::B3::compile):
1657         (JSC::B3::compileAndRun):
1658         (JSC::B3::lowerToAirForTesting):
1659         (JSC::B3::testSomeEarlyRegister):
1660         (JSC::B3::testBranchBitAndImmFusion):
1661         (JSC::B3::zero):
1662         (JSC::B3::run):
1663
1664 2016-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1665
1666         Unreviewed, update the exponentiation expression error message
1667         https://bugs.webkit.org/show_bug.cgi?id=159969
1668
1669         Follow up patch for r203499.
1670
1671         * parser/Parser.cpp:
1672         (JSC::Parser<LexerType>::parseBinaryExpression):
1673         * tests/stress/pow-expects-update-expression-on-lhs.js:
1674         (throw.new.Error):
1675
1676 2016-07-24  Darin Adler  <darin@apple.com>
1677
1678         Adding a new WebCore JavaScript built-in source file does not trigger rebuild of WebCoreJSBuiltins*
1679         https://bugs.webkit.org/show_bug.cgi?id=160115
1680
1681         Reviewed by Youenn Fablet.
1682
1683         * make-generated-sources.sh: Removed. Was unused.
1684
1685 2016-07-23  Commit Queue  <commit-queue@webkit.org>
1686
1687         Unreviewed, rolling out r203641.
1688         https://bugs.webkit.org/show_bug.cgi?id=160116
1689
1690         It broke make-based builds (Requested by youenn on #webkit).
1691
1692         Reverted changeset:
1693
1694         "[Fetch API] Request should be created with any HeadersInit
1695         data"
1696         https://bugs.webkit.org/show_bug.cgi?id=159672
1697         http://trac.webkit.org/changeset/203641
1698
1699 2016-07-23  Youenn Fablet  <youenn@apple.com>
1700
1701         [Fetch API] Request should be created with any HeadersInit data
1702         https://bugs.webkit.org/show_bug.cgi?id=159672
1703
1704         Reviewed by Sam Weinig.
1705
1706         * Scripts/builtins/builtins_generator.py:
1707         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
1708
1709 2016-07-21  Filip Pizlo  <fpizlo@apple.com>
1710
1711         Teach MarkedSpace how to allocate auxiliary storage
1712         https://bugs.webkit.org/show_bug.cgi?id=160053
1713
1714         Reviewed by Sam Weinig.
1715         
1716         Previously, we had two kinds of subspaces in MarkedSpace: destructor and non-destructor. This
1717         was described using "bool needsDestruction" that would get passed around. We'd iterate over
1718         these spaces using duplicated code - one loop for destructors and one for non-destructors, or
1719         a single loop that does one thing for destructors and one for non-destructors.
1720         
1721         But now we want a third subspace: non-destructor non-JSCell, aka Auxiliary.
1722         
1723         So, this changes all of the reflection and iteration over subspaces to use functors, so that
1724         the looping is written once and reused. Most places don't even have to know that there is a
1725         third subspace; they just know that they must do things for each subspace, for each
1726         allocator, or for each block - and the functor magic handles it for you.
1727         
1728         To make this somewhat nice, this change also fixes how we describe subspaces. Instead of a
1729         bool, we now have AllocatorAttributes, which is a struct. If we ever add more subspaces, we
1730         can add fields to AllocatorAttributes to describe how those subspaces differ. For now it just
1731         contains two properties: a DestructionMode and a HeapCell::Kind. The DestructionMode
1732         replaces bool needsDestruction. I deliberately used a non-class enum to avoid tautologies.
1733         DestructionMode has two members: NeedsDestruction and DoesNotNeedDestruction. I almost went
1734         with DestructionMode::Needed and DestructionMode::NotNeeded, but I felt like that involves
1735         more typing and doesn't actually avoid any kind of namespace issues.
1736         
1737         This is intended to have no behavior change other than the addition of a totally unused
1738         space, which should always be empty. So hopefully it doesn't cost anything.
1739
1740         * CMakeLists.txt:
1741         * JavaScriptCore.xcodeproj/project.pbxproj:
1742         * heap/AllocatorAttributes.cpp: Added.
1743         (JSC::AllocatorAttributes::dump):
1744         * heap/AllocatorAttributes.h: Added.
1745         (JSC::AllocatorAttributes::AllocatorAttributes):
1746         * heap/DestructionMode.cpp: Added.
1747         (WTF::printInternal):
1748         * heap/DestructionMode.h: Added.
1749         * heap/Heap.h:
1750         * heap/MarkedAllocator.cpp:
1751         (JSC::MarkedAllocator::allocateBlock):
1752         (JSC::MarkedAllocator::addBlock):
1753         * heap/MarkedAllocator.h:
1754         (JSC::MarkedAllocator::cellSize):
1755         (JSC::MarkedAllocator::attributes):
1756         (JSC::MarkedAllocator::needsDestruction):
1757         (JSC::MarkedAllocator::destruction):
1758         (JSC::MarkedAllocator::cellKind):
1759         (JSC::MarkedAllocator::heap):
1760         (JSC::MarkedAllocator::takeLastActiveBlock):
1761         (JSC::MarkedAllocator::MarkedAllocator):
1762         (JSC::MarkedAllocator::init):
1763         (JSC::MarkedAllocator::allocate):
1764         * heap/MarkedBlock.cpp:
1765         (JSC::MarkedBlock::create):
1766         (JSC::MarkedBlock::destroy):
1767         (JSC::MarkedBlock::MarkedBlock):
1768         (JSC::MarkedBlock::callDestructor):
1769         (JSC::MarkedBlock::sweep):
1770         (JSC::MarkedBlock::stopAllocating):
1771         (JSC::MarkedBlock::didRetireBlock):
1772         * heap/MarkedBlock.h:
1773         (JSC::MarkedBlock::cellSize):
1774         (JSC::MarkedBlock::attributes):
1775         (JSC::MarkedBlock::needsDestruction):
1776         (JSC::MarkedBlock::destruction):
1777         (JSC::MarkedBlock::cellKind):
1778         (JSC::MarkedBlock::size):
1779         (JSC::MarkedBlock::forEachCell):
1780         (JSC::MarkedBlock::forEachLiveCell):
1781         (JSC::MarkedBlock::forEachDeadCell):
1782         * heap/MarkedSpace.cpp:
1783         (JSC::MarkedSpace::MarkedSpace):
1784         (JSC::MarkedSpace::~MarkedSpace):
1785         (JSC::MarkedSpace::lastChanceToFinalize):
1786         (JSC::MarkedSpace::resetAllocators):
1787         (JSC::MarkedSpace::forEachAllocator):
1788         (JSC::MarkedSpace::stopAllocating):
1789         (JSC::MarkedSpace::resumeAllocating):
1790         (JSC::MarkedSpace::isPagedOut):
1791         (JSC::MarkedSpace::freeBlock):
1792         (JSC::MarkedSpace::shrink):
1793         (JSC::MarkedSpace::clearNewlyAllocated):
1794         (JSC::clearNewlyAllocatedInBlock): Deleted.
1795         * heap/MarkedSpace.h:
1796         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
1797         (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor):
1798         (JSC::MarkedSpace::subspaceForAuxiliaryData):
1799         (JSC::MarkedSpace::allocatorFor):
1800         (JSC::MarkedSpace::destructorAllocatorFor):
1801         (JSC::MarkedSpace::auxiliaryAllocatorFor):
1802         (JSC::MarkedSpace::allocateWithoutDestructor):
1803         (JSC::MarkedSpace::allocateWithDestructor):
1804         (JSC::MarkedSpace::allocateAuxiliary):
1805         (JSC::MarkedSpace::forEachBlock):
1806         (JSC::MarkedSpace::didAddBlock):
1807         (JSC::MarkedSpace::capacity):
1808         (JSC::MarkedSpace::forEachSubspace):
1809
1810 2016-07-22  Saam Barati  <sbarati@apple.com>
1811
1812         REGRESSION(r203537): It made many tests crash on ARMv7 Linux platforms
1813         https://bugs.webkit.org/show_bug.cgi?id=160082
1814
1815         Reviewed by Keith Miller.
1816
1817         We were improperly linking the Jump in the link buffer.
1818         It caused us to be linking against the executable address
1819         which always has bit 0 set. We shouldn't be doing that.
1820         This patch fixes this, by using the same idiom that
1821         PolymorphicAccess uses to link a jump to out of line code.
1822
1823         * jit/JITMathIC.h:
1824         (JSC::JITMathIC::generateOutOfLine):
1825
1826 2016-07-22  Commit Queue  <commit-queue@webkit.org>
1827
1828         Unreviewed, rolling out r203603.
1829         https://bugs.webkit.org/show_bug.cgi?id=160096
1830
1831         Caused CLoop tests to fail with assertions (Requested by
1832         perarne on #webkit).
1833
1834         Reverted changeset:
1835
1836         "[Win] jsc.exe sometimes never exits."
1837         https://bugs.webkit.org/show_bug.cgi?id=158073
1838         http://trac.webkit.org/changeset/203603
1839
1840 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
1841
1842         [Win] jsc.exe sometimes never exits.
1843         https://bugs.webkit.org/show_bug.cgi?id=158073
1844
1845         Reviewed by Mark Lam.
1846
1847         Make sure the VM is deleted after the test has finished. This will gracefully stop the sampling profiler thread,
1848         and give the thread the opportunity to release the machine thread lock acquired in SamplingProfiler::takeSample.
1849         If the sampling profiler thread was terminated while holding the machine thread lock, the machine thread will
1850         not be able to grab the lock afterwards.
1851
1852         * jsc.cpp:
1853         (jscmain):
1854
1855 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
1856
1857         Fix the Windows 64-bit build after r203537
1858         https://bugs.webkit.org/show_bug.cgi?id=160080
1859
1860         Reviewed by Csaba Osztrogonác.
1861
1862         Added a new version of the setupArgumentsWithExecState method.
1863
1864         * jit/CCallHelpers.h:
1865         (JSC::CCallHelpers::setupArgumentsWithExecState):
1866
1867 2016-07-22  Csaba Osztrogonác  <ossy@webkit.org>
1868
1869         [ARM] Unreviewed EABI buildfix after r203537.
1870
1871         * jit/CCallHelpers.h:
1872         (JSC::CCallHelpers::setupArgumentsWithExecState): Added.
1873
1874 2016-07-22  Youenn Fablet  <youenn@apple.com>
1875
1876         run-builtins-generator-tests should be able to test WebCore builtins wrapper with more than one file
1877         https://bugs.webkit.org/show_bug.cgi?id=159921
1878
1879         Reviewed by Brian Burg.
1880
1881         Updated built-in generator to generate only wrapper files when passed the --wrappers-only option.
1882         When this option is used, wrapper files are generated but no individual file is generated.
1883         When this option is not used, individual files are generated but no wrapper file is generated.
1884         This allows the builtin generator test runner to generate a single WebCore-Wrappers.h-result for all
1885         WebCore test files, as is done for real in WebCore.
1886         Previously wrapper code was generated individually for each WebCore test file.
1887
1888         Added new built-in test file to cover the case of concatenating several guards in generated WebCore wrapper files.
1889
1890         * Scripts/generate-js-builtins.py:
1891         (concatenated_output_filename): Compute a decent name for wrapper files in case of test mode.
1892         (generate_bindings_for_builtins_files): When --wrappers-only is activated, this generates only the wrapper files, not the individual files.
1893         * Scripts/tests/builtins/WebCore-AnotherGuardedInternalBuiltin-Separate.js: Added.
1894         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: Added.
1895         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Removed wrapper code.
1896         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
1897         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Ditto.
1898         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
1899         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Removed wrapper code.
1900         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: Added, contains wrapper code for all WebCore valid test cases.
1901
1902 2016-07-21  Saam Barati  <sbarati@apple.com>
1903
1904         callOperation(.) variants in the DFG that explicitly take a tag/payload register should take a JSValueRegs instead
1905         https://bugs.webkit.org/show_bug.cgi?id=160007
1906
1907         Reviewed by Filip Pizlo.
1908
1909         This patch is the first step in my plan to remove all callOperation(.) variants
1910         in the various JITs and to unify them using a couple template variations.
1911         The steps are as follows:
1912         1. Replace all explicit tag/payload pairs with JSValueRegs in the DFG
1913         2. Replace all explicit tag/payload pairs with JSValueRegs in the baseline
1914         3. Remove callOperation(.) variants and teach setupArgumentsWithExecState
1915            about JSValueRegs.
1916
1917         * dfg/DFGSpeculativeJIT.cpp:
1918         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1919         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1920         (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
1921         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
1922         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
1923         * dfg/DFGSpeculativeJIT.h:
1924         (JSC::DFG::SpeculativeJIT::callOperation):
1925         * dfg/DFGSpeculativeJIT32_64.cpp:
1926         (JSC::DFG::SpeculativeJIT::cachedGetById):
1927         (JSC::DFG::SpeculativeJIT::cachedPutById):
1928         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1929         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal):
1930         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1931         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1932         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1933         (JSC::DFG::SpeculativeJIT::emitCall):
1934         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1935         (JSC::DFG::SpeculativeJIT::emitBranch):
1936         (JSC::DFG::SpeculativeJIT::compile):
1937
1938 2016-07-21  Saam Barati  <sbarati@apple.com>
1939
1940         op_add/ValueAdd should be an IC in all JIT tiers
1941         https://bugs.webkit.org/show_bug.cgi?id=159649
1942
1943         Reviewed by Benjamin Poulain.
1944
1945         This patch makes Add an IC inside all JIT tiers. It does so in a
1946         simple, but effective, way. We will try to generate an int+int add
1947         that will repatch itself if its type checks fail. Sometimes though,
1948         we have runtime type data saying that the add won't be int+int.
1949         In those cases, we will just generate a full snippet that doesn't patch itself.
1950         Other times, we may generate no inline code and defer to making a C call. A lot
1951         of this patch is just refactoring ResultProfile into what we're now calling ArithProfile.
1952         ArithProfile does everything ResultProfile used to do, and more. It records simple type
1953         data about the LHS/RHS operands it sees. This allows us to determine if an op_add
1954         has only seen int+int operands, etc. ArithProfile will also contain the ResultType
1955         for the LHS/RHS that the parser feeds into op_add. ArithProfile now fits into 32-bits.
1956         This means instead of having a side table like we did for ResultProfile, we just
1957         inject the ArithProfile into the bytecode instruction stream. This makes asking
1958         for ArithProfile faster; we no longer need to lock around this operation.
1959
1960         The size of an Add has gone down on average, but we can still do better.
1961         We still generate a lot of code because we generate calls to the slow path.
1962         I think we can make this better by moving the slow path to a shared thunk
1963         system. This patch mostly lays the foundation for future improvements to Add,
1964         and a framework to move all other arithmetic operations to be type-based ICs.
1965
1966         Here is some data I took on the average op_add/ValueAdd size on various benchmarks:
1967                    |  JetStream  | Speedometer |  Unity 3D  |
1968              ------|-------------|-------------|------------|
1969               Old  |  189 bytes  |  169 bytes  |  192 bytes |
1970              ------|-------------|-------------|------------|
1971               New  |  148 bytes  |  124 bytes  |  143 bytes |
1972              ------|-------------|-------------|------------|
1973
1974         Making an arithmetic IC is now easy. The JITMathIC class will hold a snippet
1975         generator as a member variable. To make a snippet an IC, you need to implement
1976         a generateInline(.) method, which generates the inline IC. Then, you need to
1977         generate the IC where you used to generate the snippet. When generating the
1978         IC, we need to inform JITMathIC of various data like we do with StructureStubInfo.
1979         We need to tell it about where the slow path starts, where the slow path call is, etc.
1980         When generating a JITMathIC, it may tell you that it didn't generate any code inline.
1981         This is a request to the user of JITMathIC to just generate a C call along the
1982         fast path. JITMathIC may also have the snippet tell it to just generate the full
1983         snippet instead of the int+int path along the fast path.
1984
1985         In subsequent patches, we can improve upon how we decide to generate int+int or
1986         the full snippet. I tried to get clever by having double+double, double+int, int+double
1987         fast paths, but they didn't work out nearly as well as the int+int fast path. I ended up
1988         generating a lot of code when I did this and ended up using more memory than just generating
1989         the full snippet. There is probably some way we can be clever and generate specialized fast
1990         paths that are more successful than what I tried implementing, but I think it's worth deferring
1991         this to follow-up patches once the JITMathIC foundation has landed.
1992
1993         This patch also fixes a bug inside the slow path lambdas in the DFG.
1994         Before, it was not legal to emit an exception check inside them. Now,
1995         it is. So it's now easy to define arbitrary late paths using the DFG
1996         slow path lambda API.
1997
1998         * CMakeLists.txt:
1999         * JavaScriptCore.xcodeproj/project.pbxproj:
2000         * bytecode/ArithProfile.cpp: Added.
2001         (JSC::ArithProfile::emitObserveResult):
2002         (JSC::ArithProfile::shouldEmitSetDouble):
2003         (JSC::ArithProfile::emitSetDouble):
2004         (JSC::ArithProfile::shouldEmitSetNonNumber):
2005         (JSC::ArithProfile::emitSetNonNumber):
2006         (WTF::printInternal):
2007         * bytecode/ArithProfile.h: Added.
2008         (JSC::ObservedType::ObservedType):
2009         (JSC::ObservedType::sawInt32):
2010         (JSC::ObservedType::isOnlyInt32):
2011         (JSC::ObservedType::sawNumber):
2012         (JSC::ObservedType::isOnlyNumber):
2013         (JSC::ObservedType::sawNonNumber):
2014         (JSC::ObservedType::isOnlyNonNumber):
2015         (JSC::ObservedType::isEmpty):
2016         (JSC::ObservedType::bits):
2017         (JSC::ObservedType::withInt32):
2018         (JSC::ObservedType::withNumber):
2019         (JSC::ObservedType::withNonNumber):
2020         (JSC::ObservedType::withoutNonNumber):
2021         (JSC::ObservedType::operator==):
2022         (JSC::ArithProfile::ArithProfile):
2023         (JSC::ArithProfile::fromInt):
2024         (JSC::ArithProfile::lhsResultType):
2025         (JSC::ArithProfile::rhsResultType):
2026         (JSC::ArithProfile::lhsObservedType):
2027         (JSC::ArithProfile::rhsObservedType):
2028         (JSC::ArithProfile::setLhsObservedType):
2029         (JSC::ArithProfile::setRhsObservedType):
2030         (JSC::ArithProfile::tookSpecialFastPath):
2031         (JSC::ArithProfile::didObserveNonInt32):
2032         (JSC::ArithProfile::didObserveDouble):
2033         (JSC::ArithProfile::didObserveNonNegZeroDouble):
2034         (JSC::ArithProfile::didObserveNegZeroDouble):
2035         (JSC::ArithProfile::didObserveNonNumber):
2036         (JSC::ArithProfile::didObserveInt32Overflow):
2037         (JSC::ArithProfile::didObserveInt52Overflow):
2038         (JSC::ArithProfile::setObservedNonNegZeroDouble):
2039         (JSC::ArithProfile::setObservedNegZeroDouble):
2040         (JSC::ArithProfile::setObservedNonNumber):
2041         (JSC::ArithProfile::setObservedInt32Overflow):
2042         (JSC::ArithProfile::setObservedInt52Overflow):
2043         (JSC::ArithProfile::addressOfBits):
2044         (JSC::ArithProfile::observeResult):
2045         (JSC::ArithProfile::lhsSawInt32):
2046         (JSC::ArithProfile::lhsSawNumber):
2047         (JSC::ArithProfile::lhsSawNonNumber):
2048         (JSC::ArithProfile::rhsSawInt32):
2049         (JSC::ArithProfile::rhsSawNumber):
2050         (JSC::ArithProfile::rhsSawNonNumber):
2051         (JSC::ArithProfile::observeLHSAndRHS):
2052         (JSC::ArithProfile::bits):
2053         (JSC::ArithProfile::hasBits):
2054         (JSC::ArithProfile::setBit):
2055         * bytecode/CodeBlock.cpp:
2056         (JSC::CodeBlock::dumpRareCaseProfile):
2057         (JSC::CodeBlock::dumpArithProfile):
2058         (JSC::CodeBlock::dumpBytecode):
2059         (JSC::CodeBlock::addStubInfo):
2060         (JSC::CodeBlock::addJITAddIC):
2061         (JSC::CodeBlock::findStubInfo):
2062         (JSC::CodeBlock::resetJITData):
2063         (JSC::CodeBlock::shrinkToFit):
2064         (JSC::CodeBlock::dumpValueProfiles):
2065         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2066         (JSC::CodeBlock::arithProfileForBytecodeOffset):
2067         (JSC::CodeBlock::arithProfileForPC):
2068         (JSC::CodeBlock::couldTakeSpecialFastCase):
2069         (JSC::CodeBlock::dumpResultProfile): Deleted.
2070         (JSC::CodeBlock::resultProfileForBytecodeOffset): Deleted.
2071         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset): Deleted.
2072         (JSC::CodeBlock::ensureResultProfile): Deleted.
2073         * bytecode/CodeBlock.h:
2074         (JSC::CodeBlock::stubInfoBegin):
2075         (JSC::CodeBlock::stubInfoEnd):
2076         (JSC::CodeBlock::couldTakeSlowCase):
2077         (JSC::CodeBlock::numberOfResultProfiles): Deleted.
2078         * bytecode/MethodOfGettingAValueProfile.cpp:
2079         (JSC::MethodOfGettingAValueProfile::emitReportValue):
2080         * bytecode/MethodOfGettingAValueProfile.h:
2081         (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
2082         * bytecode/ValueProfile.cpp:
2083         (JSC::ResultProfile::emitDetectNumericness): Deleted.
2084         (JSC::ResultProfile::emitSetDouble): Deleted.
2085         (JSC::ResultProfile::emitSetNonNumber): Deleted.
2086         (WTF::printInternal): Deleted.
2087         * bytecode/ValueProfile.h:
2088         (JSC::getRareCaseProfileBytecodeOffset):
2089         (JSC::ResultProfile::ResultProfile): Deleted.
2090         (JSC::ResultProfile::bytecodeOffset): Deleted.
2091         (JSC::ResultProfile::specialFastPathCount): Deleted.
2092         (JSC::ResultProfile::didObserveNonInt32): Deleted.
2093         (JSC::ResultProfile::didObserveDouble): Deleted.
2094         (JSC::ResultProfile::didObserveNonNegZeroDouble): Deleted.
2095         (JSC::ResultProfile::didObserveNegZeroDouble): Deleted.
2096         (JSC::ResultProfile::didObserveNonNumber): Deleted.
2097         (JSC::ResultProfile::didObserveInt32Overflow): Deleted.
2098         (JSC::ResultProfile::didObserveInt52Overflow): Deleted.
2099         (JSC::ResultProfile::setObservedNonNegZeroDouble): Deleted.
2100         (JSC::ResultProfile::setObservedNegZeroDouble): Deleted.
2101         (JSC::ResultProfile::setObservedNonNumber): Deleted.
2102         (JSC::ResultProfile::setObservedInt32Overflow): Deleted.
2103         (JSC::ResultProfile::setObservedInt52Overflow): Deleted.
2104         (JSC::ResultProfile::addressOfFlags): Deleted.
2105         (JSC::ResultProfile::addressOfSpecialFastPathCount): Deleted.
2106         (JSC::ResultProfile::detectNumericness): Deleted.
2107         (JSC::ResultProfile::hasBits): Deleted.
2108         (JSC::ResultProfile::setBit): Deleted.
2109         (JSC::getResultProfileBytecodeOffset): Deleted.
2110         * bytecompiler/BytecodeGenerator.cpp:
2111         (JSC::BytecodeGenerator::emitBinaryOp):
2112         * dfg/DFGByteCodeParser.cpp:
2113         (JSC::DFG::ByteCodeParser::makeSafe):
2114         * dfg/DFGGraph.cpp:
2115         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2116         * dfg/DFGJITCompiler.cpp:
2117         (JSC::DFG::JITCompiler::exceptionCheck):
2118         * dfg/DFGSlowPathGenerator.h:
2119         (JSC::DFG::SlowPathGenerator::generate):
2120         * dfg/DFGSpeculativeJIT.cpp:
2121         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
2122         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
2123         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2124         * dfg/DFGSpeculativeJIT.h:
2125         (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
2126         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
2127         (JSC::DFG::SpeculativeJIT::callOperation):
2128         * ftl/FTLLowerDFGToB3.cpp:
2129         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2130         (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
2131         * jit/CCallHelpers.h:
2132         (JSC::CCallHelpers::setupArgumentsWithExecState):
2133         (JSC::CCallHelpers::setupArguments):
2134         * jit/JIT.h:
2135         * jit/JITAddGenerator.cpp:
2136         (JSC::JITAddGenerator::generateInline):
2137         (JSC::JITAddGenerator::generateFastPath):
2138         * jit/JITAddGenerator.h:
2139         (JSC::JITAddGenerator::JITAddGenerator):
2140         (JSC::JITAddGenerator::didEmitFastPath): Deleted.
2141         (JSC::JITAddGenerator::endJumpList): Deleted.
2142         (JSC::JITAddGenerator::slowPathJumpList): Deleted.
2143         * jit/JITArithmetic.cpp:
2144         (JSC::JIT::emit_op_jless):
2145         (JSC::JIT::emitSlow_op_urshift):
2146         (JSC::getOperandTypes):
2147         (JSC::JIT::emit_op_add):
2148         (JSC::JIT::emitSlow_op_add):
2149         (JSC::JIT::emit_op_div):
2150         (JSC::JIT::emit_op_mul):
2151         (JSC::JIT::emitSlow_op_mul):
2152         (JSC::JIT::emit_op_sub):
2153         (JSC::JIT::emitSlow_op_sub):
2154         * jit/JITDivGenerator.cpp:
2155         (JSC::JITDivGenerator::generateFastPath):
2156         * jit/JITDivGenerator.h:
2157         (JSC::JITDivGenerator::JITDivGenerator):
2158         * jit/JITInlines.h:
2159         (JSC::JIT::callOperation):
2160         * jit/JITMathIC.h: Added.
2161         (JSC::JITMathIC::doneLocation):
2162         (JSC::JITMathIC::slowPathStartLocation):
2163         (JSC::JITMathIC::slowPathCallLocation):
2164         (JSC::JITMathIC::generateInline):
2165         (JSC::JITMathIC::generateOutOfLine):
2166         (JSC::JITMathIC::finalizeInlineCode):
2167         * jit/JITMathICForwards.h: Added.
2168         * jit/JITMathICInlineResult.h: Added.
2169         * jit/JITMulGenerator.cpp:
2170         (JSC::JITMulGenerator::generateFastPath):
2171         * jit/JITMulGenerator.h:
2172         (JSC::JITMulGenerator::JITMulGenerator):
2173         * jit/JITOperations.cpp:
2174         * jit/JITOperations.h:
2175         * jit/JITSubGenerator.cpp:
2176         (JSC::JITSubGenerator::generateFastPath):
2177         * jit/JITSubGenerator.h:
2178         (JSC::JITSubGenerator::JITSubGenerator):
2179         * jit/Repatch.cpp:
2180         (JSC::readCallTarget):
2181         (JSC::ftlThunkAwareRepatchCall):
2182         (JSC::tryCacheGetByID):
2183         (JSC::repatchGetByID):
2184         (JSC::appropriateGenericPutByIdFunction):
2185         (JSC::tryCachePutByID):
2186         (JSC::repatchPutByID):
2187         (JSC::tryRepatchIn):
2188         (JSC::repatchIn):
2189         (JSC::linkSlowFor):
2190         (JSC::resetGetByID):
2191         (JSC::resetPutByID):
2192         (JSC::repatchCall): Deleted.
2193         * jit/Repatch.h:
2194         * llint/LLIntData.cpp:
2195         (JSC::LLInt::Data::performAssertions):
2196         * llint/LowLevelInterpreter.asm:
2197         * llint/LowLevelInterpreter32_64.asm:
2198         * llint/LowLevelInterpreter64.asm:
2199         * parser/ResultType.h:
2200         (JSC::ResultType::ResultType):
2201         (JSC::ResultType::isInt32):
2202         (JSC::ResultType::definitelyIsNumber):
2203         (JSC::ResultType::definitelyIsString):
2204         (JSC::ResultType::definitelyIsBoolean):
2205         (JSC::ResultType::mightBeNumber):
2206         (JSC::ResultType::isNotNumber):
2207         (JSC::ResultType::forBitOp):
2208         (JSC::ResultType::bits):
2209         (JSC::OperandTypes::OperandTypes):
2210         * runtime/CommonSlowPaths.cpp:
2211         (JSC::SLOW_PATH_DECL):
2212         (JSC::updateArithProfileForBinaryArithOp):
2213         (JSC::updateResultProfileForBinaryArithOp): Deleted.
2214         * tests/stress/op-add-exceptions.js: Added.
2215         (assert):
2216         (f1):
2217         (f2):
2218         (f3):
2219         (let.oException.valueOf):
2220         (foo):
2221         (ident):
2222         (bar):
2223
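To make the profile-driven decision above concrete, here is an added example in JavaScript; it is not JavaScriptCore code and not part of this patch. It models the per-operand observed-type bits of ArithProfile packed into one 32-bit word and the three outcomes the entry lists (int+int inline IC, full snippet, C call). The bit layout, the helper names and the rule in chooseInlineStrategy are this example's own assumptions, and the parser-supplied ResultType half of the real profile is left out.

```javascript
// Added example, not JavaScriptCore code: a model of the per-operand type
// profile described above. Each operand gets three "observed" bits (saw int32,
// saw number, saw non-number); both operands plus a result flag pack into one
// 32-bit integer, so the profile can sit inline in the instruction stream and
// be read without a lock. Bit layout, names and the decision rule in
// chooseInlineStrategy are this example's own assumptions, not JSC's.

const SAW_INT32 = 1;
const SAW_NUMBER = 2;      // a non-int32 number (double)
const SAW_NON_NUMBER = 4;  // string, object, undefined, ...
const OBSERVED_MASK = SAW_INT32 | SAW_NUMBER | SAW_NON_NUMBER;
const LHS_SHIFT = 0;
const RHS_SHIFT = 3;
const RESULT_NON_INT32 = 1 << 6; // result overflowed int32, was a double, or was not a number

// True for values an engine would represent as an int32 (excludes -0 and out-of-range integers).
function isInt32Value(v) {
  return typeof v === 'number' && (v | 0) === v && !Object.is(v, -0);
}

function classify(v) {
  if (isInt32Value(v)) return SAW_INT32;
  if (typeof v === 'number') return SAW_NUMBER;
  return SAW_NON_NUMBER;
}

// Fold one executed add into the profile; returns the new 32-bit profile word.
function observeAdd(bits, lhs, rhs, result) {
  bits |= classify(lhs) << LHS_SHIFT;
  bits |= classify(rhs) << RHS_SHIFT;
  if (!isInt32Value(result)) bits |= RESULT_NON_INT32;
  return bits >>> 0;
}

const lhsObserved = bits => (bits >>> LHS_SHIFT) & OBSERVED_MASK;
const rhsObserved = bits => (bits >>> RHS_SHIFT) & OBSERVED_MASK;
const isOnlyInt32 = observed => observed === SAW_INT32;
const isEmpty = observed => observed === 0;

// The three outcomes the entry lists when generating an op_add IC (assumed rule):
//  'int+int'      - inline int32 add that repatches itself if its type checks fail;
//                   chosen when the profile is empty or has only ever seen int32s.
//  'full-snippet' - runtime data says the add will not be int+int (a double or an
//                   int32 overflow was seen), so emit the non-repatching snippet.
//  'call'         - a non-number was seen; no useful inline path, call the C slow path.
function chooseInlineStrategy(bits) {
  const l = lhsObserved(bits);
  const r = rhsObserved(bits);
  if ((l | r) & SAW_NON_NUMBER) return 'call';
  const intOnly = (isEmpty(l) || isOnlyInt32(l)) && (isEmpty(r) || isOnlyInt32(r));
  if (intOnly && !(bits & RESULT_NON_INT32)) return 'int+int';
  return 'full-snippet';
}

// Run the profiler over a list of [lhs, rhs] operand pairs (constructed input).
function profileAdds(samples) {
  let bits = 0;
  for (const [a, b] of samples) bits = observeAdd(bits, a, b, a + b);
  return { bits, strategy: chooseInlineStrategy(bits) };
}

console.log(profileAdds([[1, 2], [3, 4]]).strategy);   // int+int
console.log(profileAdds([[2147483647, 1]]).strategy);  // full-snippet (int32 overflow observed)
console.log(profileAdds([['id-', 7]]).strategy);       // call
```

The overflow case is the one worth noting: both operands are int32 yet the result flag alone pushes the decision to the full snippet, which is the same reason a repatching int+int IC must also watch the result, not just the operand types.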
2224 2016-07-21  Csaba Osztrogonác  <ossy@webkit.org>
2225
2226         Clarify testing mode names in run-jsc-stress-tests
2227         https://bugs.webkit.org/show_bug.cgi?id=160021
2228
2229         Reviewed by Mark Lam.
2230
2231         Default should mean really default, not default with the FTL disabled. Renamed:
2232         - runMozillaTestDefault to runMozillaTestNoFTL
2233         - runMozillaTestDefaultFTL to runMozillaTestDefault
2234         - runDefault to runNoFTL
2235         - runDefaultFTL to runDefault
2236         - runLayoutTestDefault to runLayoutTestNoFTL
2237         - runLayoutTestDefaultFTL to runLayoutTestDefault
2238         - runNoisyTestDefault to runNoisyTestNoFTL
2239         - runNoisyTestDefaultFTL to runNoisyTestDefault
2240
2241         * tests/mozilla/mozilla-tests.yaml:
2242         * tests/stress/lift-tdz-bypass-catch.js:
2243         * tests/stress/obscure-error-message-dont-crash.js:
2244         * tests/stress/shadow-chicken-disabled.js:
2245
2246 2016-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2247
2248         [ES7] Introduce exponentiation expression
2249         https://bugs.webkit.org/show_bug.cgi?id=159969
2250
2251         Reviewed by Saam Barati.
2252
2253         This patch implements the exponentiation expression, e.g. `x ** y`.
2254         The exponentiation expression was introduced in ECMA262 2016, and ECMA262 2016
2255         has already been released. So this is not a draft spec.
2256
2257         The exponentiation expression has 2 interesting points.
2258
2259         1. Right associative
2260
2261             To follow mathematical notation, the ** operator is right associative.
2262             When we execute `x ** y ** z`, this is handled as `x ** (y ** z)`, not `(x ** y) ** z`.
2263             This patch introduces the right associativity to the binary operator and handles it
2264             in the operator precedence parser in Parser.cpp.
2265
2266         2. LHS of the exponentiation expression is UpdateExpression
2267
2268             ExponentiationExpression[Yield]:
2269                 UnaryExpression[?Yield]
2270                 UpdateExpression[?Yield] ** ExponentiationExpression[?Yield]
2271
2272             As we can see, the left-hand side of the ExponentiationExpression is an UpdateExpression, not a UnaryExpression.
2273             It means that `+x ** y` becomes a syntax error. This is intentional. Without superscripts in JS,
2274             `-x**y` is confusing: it could mean either `-(x ** y)` or `(-x) ** y`. So ECMA262 intentionally avoids UnaryExpression here.
2275             If we need to use a negated value, we need to write the parentheses explicitly, e.g. `(-x) ** y`.
2276             In this patch, we ensure that the left-hand side is not a unary expression by checking the operator in
2277             parseBinaryExpression. This works since `**` has the highest operator precedence among the binary operators.
2278
2279         We introduce a new bytecode, op_pow. It simply works similarly to the other binary operators,
2280         and it is converted to ArithPow in the DFG and handled in the DFG and FTL.
2281         In this patch, we take the approach of just introducing a new bytecode instead of calling Math.pow.
2282         This is because we would like to execute ToNumber on the caller side, not on the callee (Math.pow) side.
2283         And we don't want to compile ** into the following:
2284
2285             lhsNumber = to_number (lhs)
2286             rhsNumber = to_number (rhs)
2287             call Math.pow(lhsNumber, rhsNumber)
2288
2289         We ensure that this patch passes all the test262 tests related to the exponentiation expression.
2290
2291         The only performance-sensitive part is the parser changes.
2292         So we measured the code-load performance, and it is neutral on my x64 Linux box (hanayamata).
2293
2294             Collected 30 samples per benchmark/VM, with 30 VM invocations per benchmark. Emitted a call to
2295             gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used
2296             the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark
2297             execution times with 95% confidence intervals in milliseconds.
2298
2299                                      baseline                  patched
2300
2301             closure              0.60499+-0.00250          0.60180+-0.00244
2302             jquery               7.89175+-0.02433    ?     7.91287+-0.04759       ?
2303
2304             <geometric>          2.18499+-0.00523          2.18207+-0.00689         might be 1.0013x faster
2305
2306         * bytecode/BytecodeList.json:
2307         * bytecode/BytecodeUseDef.h:
2308         (JSC::computeUsesForBytecodeOffset):
2309         (JSC::computeDefsForBytecodeOffset):
2310         * bytecode/CodeBlock.cpp:
2311         (JSC::CodeBlock::dumpBytecode):
2312         * bytecompiler/NodesCodegen.cpp:
2313         (JSC::emitReadModifyAssignment):
2314         * dfg/DFGByteCodeParser.cpp:
2315         (JSC::DFG::ByteCodeParser::parseBlock):
2316         * dfg/DFGCapabilities.cpp:
2317         (JSC::DFG::capabilityLevel):
2318         * jit/JIT.cpp:
2319         (JSC::JIT::privateCompileMainPass):
2320         * jit/JIT.h:
2321         * jit/JITArithmetic.cpp:
2322         (JSC::JIT::emit_op_pow):
2323         * llint/LowLevelInterpreter.asm:
2324         * parser/ASTBuilder.h:
2325         (JSC::ASTBuilder::operatorStackShouldReduce):
2326         (JSC::ASTBuilder::makePowNode):
2327         (JSC::ASTBuilder::makeMultNode):
2328         (JSC::ASTBuilder::makeDivNode):
2329         (JSC::ASTBuilder::makeModNode):
2330         (JSC::ASTBuilder::makeSubNode):
2331         (JSC::ASTBuilder::makeBinaryNode):
2332         (JSC::ASTBuilder::operatorStackHasHigherPrecedence): Deleted.
2333         * parser/Lexer.cpp:
2334         (JSC::Lexer<T>::lex):
2335         * parser/NodeConstructors.h:
2336         (JSC::PowNode::PowNode):
2337         * parser/Nodes.h:
2338         * parser/Parser.cpp:
2339         (JSC::Parser<LexerType>::parseAssignmentExpression):
2340         (JSC::isUnaryOpExcludingUpdateOp):
2341         (JSC::Parser<LexerType>::parseBinaryExpression):
2342         (JSC::isUnaryOp): Deleted.
2343         * parser/ParserTokens.h:
2344         (JSC::isUpdateOp):
2345         (JSC::isUnaryOp):
2346         * parser/SyntaxChecker.h:
2347         (JSC::SyntaxChecker::operatorStackPop):
2348         * runtime/CommonSlowPaths.cpp:
2349         (JSC::SLOW_PATH_DECL):
2350         * runtime/CommonSlowPaths.h:
2351         * tests/stress/pow-basics.js: Added.
2352         (valuesAreClose):
2353         (mathPowDoubleDouble1):
2354         (mathPowDoubleInt1):
2355         (test1):
2356         (mathPowDoubleDouble2):
2357         (mathPowDoubleInt2):
2358         (test2):
2359         (mathPowDoubleDouble3):
2360         (mathPowDoubleInt3):
2361         (test3):
2362         (mathPowDoubleDouble4):
2363         (mathPowDoubleInt4):
2364         (test4):
2365         (mathPowDoubleDouble5):
2366         (mathPowDoubleInt5):
2367         (test5):
2368         (mathPowDoubleDouble6):
2369         (mathPowDoubleInt6):
2370         (test6):
2371         (mathPowDoubleDouble7):
2372         (mathPowDoubleInt7):
2373         (test7):
2374         (mathPowDoubleDouble8):
2375         (mathPowDoubleInt8):
2376         (test8):
2377         (mathPowDoubleDouble9):
2378         (mathPowDoubleInt9):
2379         (test9):
2380         (mathPowDoubleDouble10):
2381         (mathPowDoubleInt10):
2382         (test10):
2383         (mathPowDoubleDouble11):
2384         (mathPowDoubleInt11):
2385         (test11):
2386         * tests/stress/pow-coherency.js: Added.
2387         (pow42):
2388         (build42AsDouble.opaqueAdd):
2389         (build42AsDouble):
2390         (powDouble42):
2391         (clobber):
2392         (pow42NoConstantFolding):
2393         (powDouble42NoConstantFolding):
2394         * tests/stress/pow-evaluation-order.js: Added.
2395         (shouldBe):
2396         (throw.new.Error):
2397         * tests/stress/pow-expects-update-expression-on-lhs.js: Added.
2398         (testSyntax):
2399         (testSyntaxError):
2400         (throw.new.Error):
2401         (let.token.of.tokens.testSyntax.pow):
2402         (testSyntax.pow):
2403         * tests/stress/pow-integer-exponent-fastpath.js: Added.
2404         (valuesAreClose):
2405         (mathPowDoubleDoubleTestExponentFifty):
2406         (mathPowDoubleIntTestExponentFifty):
2407         (testExponentFifty):
2408         (mathPowDoubleDoubleTestExponentTenThousands):
2409         (mathPowDoubleIntTestExponentTenThousands):
2410         (testExponentTenThousands):
2411         * tests/stress/pow-nan-behaviors.js: Added.
2412         (testIntegerBaseWithNaNExponentStatic):
2413         (mathPowIntegerBaseWithNaNExponentDynamic):
2414         (testIntegerBaseWithNaNExponentDynamic):
2415         (testFloatingPointBaseWithNaNExponentStatic):
2416         (mathPowFloatingPointBaseWithNaNExponentDynamic):
2417         (testFloatingPointBaseWithNaNExponentDynamic):
2418         (testNaNBaseStatic):
2419         (mathPowNaNBaseDynamic1):
2420         (mathPowNaNBaseDynamic2):
2421         (mathPowNaNBaseDynamic3):
2422         (mathPowNaNBaseDynamic4):
2423         (testNaNBaseDynamic):
2424         (infiniteExponentsStatic):
2425         (mathPowInfiniteExponentsDynamic1):
2426         (mathPowInfiniteExponentsDynamic2):
2427         (mathPowInfiniteExponentsDynamic3):
2428         (mathPowInfiniteExponentsDynamic4):
2429         (infiniteExponentsDynamic):
2430         * tests/stress/pow-simple.js: Added.
2431         (shouldBe):
2432         (throw.new.Error):
2433         * tests/stress/pow-stable-results.js: Added.
2434         (opaquePow):
2435         (isIdentical):
2436         * tests/stress/pow-to-number-should-be-executed-in-code-side.js: Added.
2437         (shouldBe):
2438         (throw.new.Error):
2439         * tests/stress/pow-with-constants.js: Added.
2440         (exponentIsZero):
2441         (testExponentIsZero):
2442         (exponentIsOne):
2443         (testExponentIsOne):
2444         (powUsedAsSqrt):
2445         (testPowUsedAsSqrt):
2446         (powUsedAsOneOverSqrt):
2447         (testPowUsedAsOneOverSqrt):
2448         (powUsedAsSquare):
2449         (testPowUsedAsSquare):
2450         (intIntConstantsSmallNumbers):
2451         (intIntConstantsLargeNumbers):
2452         (intIntSmallConstants):
2453         (intDoubleConstants):
2454         (doubleDoubleConstants):
2455         (doubleIntConstants):
2456         (testBaseAndExponentConstantLiterals):
2457         (exponentIsIntegerConstant):
2458         (testExponentIsIntegerConstant):
2459         (exponentIsDoubleConstant):
2460         (testExponentIsDoubleConstant):
2461         (exponentIsInfinityConstant):
2462         (testExponentIsInfinityConstant):
2463         (exponentIsNegativeInfinityConstant):
2464         (testExponentIsNegativeInfinityConstant):
2465         * tests/stress/pow-with-never-NaN-exponent.js: Added.
2466         (exponentIsNonNanDouble1):
2467         (exponentIsNonNanDouble2):
2468         (testExponentIsDoubleConstant):
2469         * tests/test262.yaml:
2470
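The two grammar points in the entry above (right associativity of `**`, and an UpdateExpression rather than a UnaryExpression on its left) as an added example, not code from this patch or from JSC's Parser.cpp: a small precedence-climbing parser in JavaScript whose token and node names are this example's own. The engineRejects helper hands the same source to the host engine's parser through `new Function`, so the model can be cross-checked against a real implementation of the grammar.

```javascript
// Added example, not JavaScriptCore code: a precedence-climbing parser that
// models the two grammar points above for `**`.
//   1. `**` is right associative: x ** y ** z parses as x ** (y ** z).
//   2. Its left operand must be an UpdateExpression, so `-x ** y` is a
//      SyntaxError while `(-x) ** y` and `-(x ** y)` are accepted.
// Supports numbers, identifiers, unary +/-, parentheses and + - * / **;
// all token and node names are this example's own.

const TOKEN_RE = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*)|(\*\*|[-+*\/()])|(\S))/y;

function tokenize(src) {
  const tokens = [];
  TOKEN_RE.lastIndex = 0;
  for (let m; TOKEN_RE.lastIndex < src.length && (m = TOKEN_RE.exec(src));) {
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'ident', value: m[2] });
    else if (m[3] !== undefined) tokens.push({ type: 'op', value: m[3] });
    else throw new SyntaxError(`unexpected character '${m[4]}'`);
  }
  return tokens;
}

// `**` binds tightest among the binary operators and is the only right-associative one.
const BINARY_OPS = {
  '+': { prec: 1, rightAssoc: false }, '-': { prec: 1, rightAssoc: false },
  '*': { prec: 2, rightAssoc: false }, '/': { prec: 2, rightAssoc: false },
  '**': { prec: 3, rightAssoc: true },
};

function parse(src) {
  const tokens = tokenize(src);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  // UnaryExpression: leading +/- applied to another UnaryExpression. The node is
  // tagged so that `**` can refuse it as a left operand.
  function parseUnary() {
    const t = peek();
    if (t && t.type === 'op' && (t.value === '-' || t.value === '+')) {
      next();
      return { type: 'unary', op: t.value, arg: parseUnary(), isUnary: true };
    }
    return parsePrimary();
  }

  function parsePrimary() {
    const t = next();
    if (!t) throw new SyntaxError('unexpected end of input');
    if (t.type === 'num') return { type: 'num', value: t.value };
    if (t.type === 'ident') return { type: 'ident', name: t.value };
    if (t.type === 'op' && t.value === '(') {
      const expr = parseBinary(0);
      const close = next();
      if (!close || close.value !== ')') throw new SyntaxError("expected ')'");
      return { type: 'paren', expr }; // parentheses drop the unary tag, so (-x) ** y is legal
    }
    throw new SyntaxError(`unexpected token '${t.value}'`);
  }

  // Precedence climbing: minPrec is the lowest precedence this call may consume.
  function parseBinary(minPrec) {
    let lhs = parseUnary();
    for (let t; (t = peek()) && t.type === 'op' && t.value in BINARY_OPS;) {
      const { prec, rightAssoc } = BINARY_OPS[t.value];
      if (prec < minPrec) break;
      next();
      // ExponentiationExpression : UpdateExpression ** ExponentiationExpression
      if (t.value === '**' && lhs.isUnary) throw new SyntaxError('unary operator before ** needs parentheses');
      // Right associativity: the right operand may itself start with `**`, so minPrec is not bumped.
      const rhs = parseBinary(rightAssoc ? prec : prec + 1);
      lhs = { type: 'binary', op: t.value, lhs, rhs };
    }
    return lhs;
  }

  const ast = parseBinary(0);
  if (pos !== tokens.length) throw new SyntaxError(`unexpected token '${tokens[pos].value}'`);
  return ast;
}

// Fully parenthesised rendering, which makes the associativity visible.
function show(n) {
  if (n.type === 'num') return String(n.value);
  if (n.type === 'ident') return n.name;
  if (n.type === 'paren') return show(n.expr);
  if (n.type === 'unary') return `(${n.op}${show(n.arg)})`;
  return `(${show(n.lhs)} ${n.op} ${show(n.rhs)})`;
}

function evaluate(n, env = {}) {
  if (n.type === 'num') return n.value;
  if (n.type === 'ident') return env[n.name];
  if (n.type === 'paren') return evaluate(n.expr, env);
  if (n.type === 'unary') return n.op === '-' ? -evaluate(n.arg, env) : +evaluate(n.arg, env);
  const a = evaluate(n.lhs, env), b = evaluate(n.rhs, env);
  return { '+': a + b, '-': a - b, '*': a * b, '/': a / b, '**': a ** b }[n.op];
}

// Cross-check: does this model reject the source, and does the host engine's own parser agree?
const modelRejects = src => { try { parse(src); return false; } catch (e) { return e instanceof SyntaxError; } };
const engineRejects = src => { try { new Function('x', 'y', `return ${src};`); return false; } catch (e) { return e instanceof SyntaxError; } };

console.log(show(parse('x ** y ** z')), evaluate(parse('2 ** 3 ** 2')));  // (x ** (y ** z)) 512
console.log(modelRejects('-x ** y'), engineRejects('-x ** y'));           // true true
console.log(modelRejects('(-x) ** y'), engineRejects('(-x) ** y'));       // false false
```

The restriction is enforced exactly where the entry says JSC enforces it: in the binary-expression loop, when a `**` is about to consume a left operand that was produced by a unary prefix. Because `**` has the highest binary precedence, any unary node reaching that point is necessarily the direct left operand, so no separate grammar production is needed.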
2471 2016-07-18  Filip Pizlo  <fpizlo@apple.com>
2472
2473         Switching on symbols should be fast
2474         https://bugs.webkit.org/show_bug.cgi?id=158892
2475
2476         Reviewed by Keith Miller.
2477         
2478         This does two things: fixes some goofs in our lowering of symbol equality and adds a new phase
2479         to B3 to infer switch statements from linear chains of branches.
2480         
2481         This changes how we compile equality to Symbols to constant-fold the load of the Symbol's UID.
2482         This is necessary for making switches on Symbols inferrable. This also gives us the ability to
2483         efficiently compile strict equality comparisons of SymbolUse and UntypedUse.
2484
2485         This adds a new phase to B3, which finds chains of branches that test for (in)equality on the
2486         same value and constants, and turns them into a Switch. This can turn O(n) code into
2487         O(log n) code, or even O(1) code if the switch cases are dense.
2488         
2489         This can make a big difference in JS. Say you write a switch in which the case statements are
2490         variable resolutions. The bytecode generator cannot use a bytecode switch in this case, since
2491         we're required to evaluate the resolutions in order. But in DFG IR, we will often turn those
2492         variable resolutions into constants, since we do that for any immutable singleton. This means
2493         that B3 will see a chain of Branches: the else case of one Branch will point to a basic block
2494         that does nothing but Branch on equality on the same value as the first Branch.
2495
2496         The inference algorithm is quite simple. The basic building block is the ability to summarize
2497         a block's switch behavior. For a block that ends in a switch, this is just the collection of
2498         switch cases. For a block that ends in a branch, we recognize Branch(Equal(value, const)),
2499         Branch(NotEqual(value, const)), and Branch(value). Each of these is summarized as if it
2500         were a one-case switch. We infer a new switch if both some block and its sole predecessor
2501         can be described as switches on the same value, nothing shady is going on (like loops), and
2502         the block in question does no work other than this switch. In that case, the block is killed
2503         and its cases (which we get from the summary) are added to the predecessor's switch. This
2504         algorithm runs to fixpoint.
2505         
2506         * CMakeLists.txt:
2507         * JavaScriptCore.xcodeproj/project.pbxproj:
2508         * b3/B3Generate.cpp:
2509         (JSC::B3::generateToAir):
2510         * b3/B3InferSwitches.cpp: Added.
2511         (JSC::B3::inferSwitches):
2512         * b3/B3InferSwitches.h: Added.
2513         * b3/B3Procedure.h:
2514         (JSC::B3::Procedure::cfg):
2515         * b3/B3ReduceStrength.cpp:
2516         * b3/B3Value.cpp:
2517         (JSC::B3::Value::performSubstitution):
2518         (JSC::B3::Value::isFree):
2519         (JSC::B3::Value::dumpMeta):
2520         * b3/B3Value.h:
2521         * ftl/FTLLowerDFGToB3.cpp:
2522         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent):
2523         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2524         (JSC::FTL::DFG::LowerDFGToB3::lowSymbol):
2525         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID):
2526         (JSC::FTL::DFG::LowerDFGToB3::lowNonNullObject):
2527
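The inference algorithm described above as an added example, not B3's own code: a toy CFG in JavaScript with the per-block switch summaries and the fixpoint merge. Block, field and function names are this example's assumptions; it recognises only the three branch shapes the entry names plus existing switches, and the sample CFG is a constructed chain of the kind the entry attributes to a JS switch whose case labels were folded to constants.

```javascript
// Added example, not B3 code: a toy version of the switch-inference pass
// described above. A CFG is an object mapping block names to
// { instructions: [...], term }, where term is one of
//   { kind: 'branch', cond: { op: 'eq' | 'ne', value, constant }, taken, notTaken }
//   { kind: 'branch', cond: { op: 'truthy', value }, taken, notTaken }
//   { kind: 'switch', value, cases: [[constant, target], ...], fallThrough }
//   { kind: 'return' }
// Names and shapes are this example's own assumptions.

function successors(term) {
  if (term.kind === 'branch') return [term.taken, term.notTaken];
  if (term.kind === 'switch') return [...term.cases.map(([, t]) => t), term.fallThrough];
  return [];
}

// Describe a block's terminator as a switch: which value it inspects, which
// (constant -> target) cases it has, and where control goes when no case hits.
function summarize(term) {
  if (term.kind === 'switch')
    return { value: term.value, cases: term.cases.slice(), fallThrough: term.fallThrough };
  if (term.kind !== 'branch') return null;
  const c = term.cond;
  if (c.op === 'eq') return { value: c.value, cases: [[c.constant, term.taken]], fallThrough: term.notTaken };
  if (c.op === 'ne') return { value: c.value, cases: [[c.constant, term.notTaken]], fallThrough: term.taken };
  if (c.op === 'truthy') return { value: c.value, cases: [[0, term.notTaken]], fallThrough: term.taken };
  return null;
}

function predecessors(cfg) {
  const preds = new Map(Object.keys(cfg).map(name => [name, []]));
  for (const [name, block] of Object.entries(cfg))
    for (const s of successors(block.term)) preds.get(s).push(name);
  return preds;
}

// Merge a block into its sole predecessor when both are switches on the same
// value, the block sits on the predecessor's fall-through edge, does no other
// work and is not part of a loop. Repeat until nothing changes.
function inferSwitches(cfg) {
  for (let changed = true; changed;) {
    changed = false;
    const preds = predecessors(cfg);
    for (const [name, block] of Object.entries(cfg)) {
      const p = preds.get(name);
      if (p.length !== 1 || p[0] === name) continue;
      if (block.instructions.length !== 0) continue;
      const mine = summarize(block.term);
      const theirs = summarize(cfg[p[0]].term);
      if (!mine || !theirs || mine.value !== theirs.value) continue;
      if (theirs.fallThrough !== name) continue;
      if (successors(block.term).includes(p[0])) continue;
      // A constant already handled by the predecessor can never reach this block.
      const seen = new Set(theirs.cases.map(([k]) => k));
      const cases = theirs.cases.concat(mine.cases.filter(([k]) => !seen.has(k)));
      cfg[p[0]].term = { kind: 'switch', value: mine.value, cases, fallThrough: mine.fallThrough };
      delete cfg[name];
      changed = true;
      break; // the predecessor map is stale now; rescan
    }
  }
  return cfg;
}

// Constructed sample: a chain of blocks that each only branch on `v`, the shape
// the entry describes once the case labels have been folded to constants.
function buildSample() {
  const leaf = () => ({ instructions: [], term: { kind: 'return' } });
  const branch = (cond, taken, notTaken) => ({ kind: 'branch', cond, taken, notTaken });
  return {
    entry: { instructions: ['v = load(x)'], term: branch({ op: 'eq', value: 'v', constant: 1 }, 'case1', 'b2') },
    b2: { instructions: [], term: branch({ op: 'eq', value: 'v', constant: 2 }, 'case2', 'b3') },
    b3: { instructions: [], term: branch({ op: 'ne', value: 'v', constant: 3 }, 'b4', 'case3') },
    b4: { instructions: [], term: branch({ op: 'truthy', value: 'v' }, 'dflt', 'case0') },
    case1: leaf(), case2: leaf(), case3: leaf(), case0: leaf(), dflt: leaf(),
  };
}

const demoCfg = inferSwitches(buildSample());
console.log(JSON.stringify(demoCfg.entry.term));
// {"kind":"switch","value":"v","cases":[[1,"case1"],[2,"case2"],[3,"case3"],[0,"case0"]],"fallThrough":"dflt"}
```

Two of the guards carry the weight: the block must be on its predecessor's fall-through edge (a block reached through a case edge already knows the value, so folding its cases upward would be wrong), and it must contain nothing but the terminator, since merging would otherwise move that work onto paths that never executed it.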
2528 2016-07-20  Filip Pizlo  <fpizlo@apple.com>
2529
2530         FTL snippet generators should be able to request a different register for output and input
2531         https://bugs.webkit.org/show_bug.cgi?id=160010
2532         rdar://problem/27439330
2533
2534         Reviewed by Saam Barati.
2535         
2536         The BitOr and BitXor snippet generators have problems if the register for the right input is
2537         the same as the register for the result. We could fix those generators, but I'm not convinced
2538         that the other snippet generators don't have this bug. So, the approach that this patch takes
2539         is to teach the FTL to request that B3 use a different register for the result than for
2540         any input to the snippet patchpoint.
2541         
2542         Air already has the ability to let any instruction do an EarlyDef, which means exactly this.
2543         But B3 did not expose this via ValueRep. This patch exposes this in ValueRep as
2544         SomeEarlyRegister. That's most of the change.
2545         
2546         This adds a testb3 test for SomeEarlyRegister and a regression test for this particular
2547         problem. The regression test failed on trunk JSC before this.
2548
2549         * b3/B3LowerToAir.cpp:
2550         (JSC::B3::Air::LowerToAir::lower):
2551         * b3/B3PatchpointSpecial.cpp:
2552         (JSC::B3::PatchpointSpecial::forEachArg):
2553         (JSC::B3::PatchpointSpecial::admitsStack):
2554         * b3/B3StackmapSpecial.cpp:
2555         (JSC::B3::StackmapSpecial::forEachArgImpl):
2556         (JSC::B3::StackmapSpecial::isArgValidForRep):
2557         * b3/B3Validate.cpp:
2558         * b3/B3ValueRep.cpp:
2559         (JSC::B3::ValueRep::addUsedRegistersTo):
2560         (JSC::B3::ValueRep::dump):
2561         (WTF::printInternal):
2562         * b3/B3ValueRep.h:
2563         (JSC::B3::ValueRep::ValueRep):
2564         (JSC::B3::ValueRep::reg):
2565         (JSC::B3::ValueRep::isAny):
2566         (JSC::B3::ValueRep::isReg):
2567         (JSC::B3::ValueRep::isSomeRegister): Deleted.
2568         * b3/testb3.cpp:
2569         * ftl/FTLLowerDFGToB3.cpp:
2570         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
2571         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
2572         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
2573         * tests/stress/ftl-bit-xor-right-result-interference.js: Added.
2574
2575 2016-07-20  Michael Saboff  <msaboff@apple.com>
2576
2577         CrashOnOverflow in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets
2578         https://bugs.webkit.org/show_bug.cgi?id=159954
2579
2580         Reviewed by Benjamin Poulain.
2581
2582         YarrPatternConstructor::setupAlternativeOffsets() uses the checked arithmetic class
2583         Checked<> for offset calculations.  However, the default use will just crash on
2584         overflow.  Instead we should stop processing and propagate the error up the call stack.
2585
2586         Consolidated explicit error string with the common RegExp parsing error logic.
2587         Moved that logic to YarrPattern as that seems like a better common place to put it.
2588
2589         * jit/JITOperations.cpp:
2590         * llint/LLIntSlowPaths.cpp:
2591         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2592         * tests/stress/regress-159954.js: New test.
2593         * yarr/YarrParser.h:
2594         (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
2595         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
2596         (JSC::Yarr::Parser::Parser):
2597         (JSC::Yarr::Parser::isIdentityEscapeAnError):
2598         (JSC::Yarr::Parser::parseEscape):
2599         (JSC::Yarr::Parser::parseCharacterClass):
2600         (JSC::Yarr::Parser::parseParenthesesBegin):
2601         (JSC::Yarr::Parser::parseParenthesesEnd):
2602         (JSC::Yarr::Parser::parseQuantifier):
2603         (JSC::Yarr::Parser::parseTokens):
2604         (JSC::Yarr::Parser::parse):
2605         * yarr/YarrPattern.cpp:
2606         (JSC::Yarr::YarrPatternConstructor::disjunction):
2607         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
2608         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
2609         (JSC::Yarr::YarrPattern::errorMessage):
2610         (JSC::Yarr::YarrPattern::compile):
2611         * yarr/YarrPattern.h:
2612         (JSC::Yarr::YarrPattern::reset):
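
        The propagate-instead-of-crash pattern this entry describes, as an added example that is not JavaScriptCore code: a sticky-overflow checked counter and an offset layout routine that stops and reports an error when an offset overflows. CheckedOffset, AlternativeTerm, PatternError, layoutAlternative and errorMessage are hypothetical stand-ins for Yarr's Checked<> usage.

```cpp
// Added example, not JavaScriptCore code. CheckedOffset, AlternativeTerm,
// PatternError and layoutAlternative are hypothetical stand-ins for the
// Checked<> usage in YarrPatternConstructor::setupAlternativeOffsets().
#include <limits>
#include <vector>

// A Checked<unsigned>-like value whose overflow flag is sticky: once any
// operation overflows, every later query reports failure instead of
// asserting, so the caller decides what to do.
class CheckedOffset {
public:
    CheckedOffset() = default;
    explicit CheckedOffset(unsigned value) : m_value(value) {}

    CheckedOffset& operator+=(unsigned rhs)
    {
        if (m_overflowed)
            return *this;
        if (rhs > std::numeric_limits<unsigned>::max() - m_value)
            markOverflowed();
        else
            m_value += rhs;
        return *this;
    }

    CheckedOffset& operator*=(unsigned rhs)
    {
        if (m_overflowed)
            return *this;
        if (m_value && rhs > std::numeric_limits<unsigned>::max() / m_value)
            markOverflowed();
        else
            m_value *= rhs;
        return *this;
    }

    // Returns false (and leaves `out` untouched) if any step overflowed.
    bool safeGet(unsigned& out) const
    {
        if (m_overflowed)
            return false;
        out = m_value;
        return true;
    }

private:
    void markOverflowed() { m_overflowed = true; m_value = 0; }
    unsigned m_value = 0;
    bool m_overflowed = false;
};

// One term of an alternative: a per-iteration frame size and a repeat count
// (a constructed simplification of Yarr's per-term frame bookkeeping).
struct AlternativeTerm {
    unsigned frameSize;
    unsigned repeatCount;
};

enum class PatternError { NoError, OffsetTooLarge };

// Assigns each term its frame offset. On overflow it stops, discards any
// partial layout so nothing downstream can use it, and reports the error
// instead of crashing the process.
PatternError layoutAlternative(const std::vector<AlternativeTerm>& terms,
                               unsigned initialOffset,
                               std::vector<unsigned>& termOffsets)
{
    termOffsets.clear();
    CheckedOffset offset(initialOffset);
    for (const AlternativeTerm& term : terms) {
        unsigned current = 0;
        if (!offset.safeGet(current))
            break; // the final check below reports the overflow
        termOffsets.push_back(current);

        CheckedOffset termSize(term.frameSize);
        termSize *= term.repeatCount;
        unsigned size = 0;
        if (!termSize.safeGet(size)) {
            termOffsets.clear();
            return PatternError::OffsetTooLarge;
        }
        offset += size;
    }
    unsigned total = 0;
    if (!offset.safeGet(total)) {
        termOffsets.clear();
        return PatternError::OffsetTooLarge;
    }
    return PatternError::NoError;
}

// One shared error string per error code, the way the entry consolidates
// the explicit error string with the common parsing-error logic.
const char* errorMessage(PatternError error)
{
    if (error == PatternError::OffsetTooLarge)
        return "regular expression too large";
    return nullptr;
}
```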
2613
2614 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2615
2616         The default testing mode should not involve disabling the FTL JIT
2617         https://bugs.webkit.org/show_bug.cgi?id=159929
2618
2619         Rubber stamped by Mark Lam and Saam Barati.
2620         
2621         Use the new powers to make some tests run only in the default configuration (i.e. FTL,
2622         concurrent JIT).
2623
2624         * tests/mozilla/mozilla-tests.yaml:
2625
2626 2016-07-19  Keith Miller  <keith_miller@apple.com>
2627
2628         Test262 should have a file with the revision and url
2629         https://bugs.webkit.org/show_bug.cgi?id=159937
2630
2631         Reviewed by Mark Lam.
2632
2633         The file.
2634
2635         * tests/test262/test262-Revision.txt: Added.
2636
2637 2016-07-19  Anders Carlsson  <andersca@apple.com>
2638
2639         WebCore-7602.1.42 fails to build: error: private field 'm_vm' is not used
2640         https://bugs.webkit.org/show_bug.cgi?id=159944
2641         rdar://problem/27420308
2642
2643         Reviewed by Dan Bernstein.
2644
2645         Wrap the m_vm declaration and initialization in conditional guards.
2646
2647         * Scripts/builtins/builtins_generate_internals_wrapper_header.py:
2648         (generate_members):
2649         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2650         (BuiltinsInternalsWrapperImplementationGenerator.generate_constructor):
2651         Add guards.
2652
2653         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2654         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2655         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2656         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2657         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2658         Update expected results.
2659
2660 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2661
2662         REGRESSION (r203348-r203368): ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
2663         https://bugs.webkit.org/show_bug.cgi?id=159930
2664
2665         Reviewed by Geoffrey Garen.
2666         
2667         The problem is that the 32-bit DFG can flush the scope register as an unboxed cell, but the
2668         Register::scope() method was causing us to assert that it's a JSValue with proper cell
2669         boxing. We could have forced the DFG to flush it as a boxed JSValue, but I don't think that
2670         would have made anything better. This fixes the issue by teaching Register::scope() that it
2671         might see unboxed cells.
2672
2673         * runtime/JSScope.h:
2674         (JSC::Register::scope):
2675         (JSC::ExecState::lexicalGlobalObject):
2676
2677 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2678
2679         B3 methods that mutate the successors array should take FrequentedBlock by value
2680         https://bugs.webkit.org/show_bug.cgi?id=159935
2681
2682         Reviewed by Michael Saboff.
2683         
2684         This bug was found by ASan testing. setSuccessors() takes a const FrequentedBlock&, and the
2685         caller that caused the ASan crash was doing:
2686
2687         block->setSuccessors(block->notTaken())
2688
2689         So, inside setSuccessors(), after we resize() the successors array, the const
2690         FrequentedBlock& points to nonsense.
2691
2692         The fix is to pass FrequentedBlock by value in all of these kinds of methods.
2693         
2694         No new tests, but ASan testing catches this instantly for anything that triggers CFG
2695         simplification in B3. So like half of our tests.
2696
2697         * b3/B3BasicBlock.cpp:
2698         (JSC::B3::BasicBlock::clearSuccessors):
2699         (JSC::B3::BasicBlock::appendSuccessor):
2700         (JSC::B3::BasicBlock::setSuccessors):
2701         * b3/B3BasicBlock.h:
2702         (JSC::B3::BasicBlock::successors):
2703         (JSC::B3::BasicBlock::successorBlock):
2704         * b3/B3Value.cpp:
2705         (JSC::B3::Value::replaceWithPhi):
2706         (JSC::B3::Value::replaceWithJump):
2707         (JSC::B3::Value::replaceWithOops):
2708         * b3/B3Value.h:
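
        The aliasing hazard behind this fix, as an added example that is not B3 code: a minimal block whose successor-mutating method takes its argument by value, shown next to the by-reference signature that pointed into the vector being resized. BasicBlock, FrequentedBlock, setSuccessors and foldBranchToNotTaken mirror the entry's names but are hypothetical stand-ins.

```cpp
// Added example, not B3 code. BasicBlock, FrequentedBlock and setSuccessors
// mirror the entry's names; the types here are hypothetical stand-ins.
#include <vector>

struct BasicBlock;

// One successor edge: the target block and a frequency class.
struct FrequentedBlock {
    BasicBlock* block;
    unsigned frequency; // constructed encoding: 0 = normal, 1 = rare

    FrequentedBlock(BasicBlock* b = nullptr, unsigned f = 0)
        : block(b), frequency(f) { }
};

struct BasicBlock {
    std::vector<FrequentedBlock> successors;

    // Accessors hand out references into `successors`, which is exactly what
    // makes block->setSuccessors(block->notTaken()) an aliasing hazard.
    const FrequentedBlock& taken() const { return successors[0]; }
    const FrequentedBlock& notTaken() const { return successors[1]; }

    // Shape of the bug: `target` may refer to successors[1]. After resize(1)
    // that element no longer exists, so the read goes through a dangling
    // reference (the entry reports ASan catching this). Kept only for
    // comparison; nothing here calls it.
    void setSuccessorsByReference(const FrequentedBlock& target)
    {
        successors.resize(1);
        successors[0] = target;
    }

    // Fix: take by value. The copy is made at the call site before resize()
    // runs, so it does not matter where the argument originally lived.
    void setSuccessors(FrequentedBlock target)
    {
        successors.resize(1);
        successors[0] = target;
    }

    void setSuccessors(FrequentedBlock taken, FrequentedBlock notTaken)
    {
        successors.resize(2);
        successors[0] = taken;
        successors[1] = notTaken;
    }
};

// A CFG-simplification step of the kind the entry describes: a branch whose
// condition is known false keeps only its not-taken edge.
void foldBranchToNotTaken(BasicBlock& block)
{
    block.setSuccessors(block.notTaken());
}

// Sample scenario: builds a two-way branch, folds it, and reports whether
// the surviving edge is still the original not-taken edge.
bool foldedEdgeIsNotTaken(BasicBlock& takenTarget, BasicBlock& notTakenTarget)
{
    BasicBlock branch;
    branch.setSuccessors(FrequentedBlock(&takenTarget, 0),
                         FrequentedBlock(&notTakenTarget, 1));
    foldBranchToNotTaken(branch);
    return branch.successors.size() == 1
        && branch.successors[0].block == &notTakenTarget
        && branch.successors[0].frequency == 1;
}
```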
2709
2710 2016-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2711
2712         Make builtin TypeErrors consistent
2713         https://bugs.webkit.org/show_bug.cgi?id=159899
2714
2715         Reviewed by Keith Miller.
2716
2717         Converge on the single TypeError for non-coercible this objects in builtins.
2718         Also update some other style to be more consistent within builtins.
2719
2720         * builtins/ArrayIteratorPrototype.js:
2721         (next):
2722         * builtins/ArrayPrototype.js:
2723         (values):
2724         (keys):
2725         (entries):
2726         (reduce):
2727         (reduceRight):
2728         (every):
2729         (forEach):
2730         (filter):
2731         (map):
2732         (some):
2733         (fill):
2734         (find):
2735         (findIndex):
2736         (includes):
2737         (sort):
2738         (concatSlowPath):
2739         (copyWithin):
2740         * builtins/StringPrototype.js:
2741         (match):
2742         (repeat):
2743         (padStart):
2744         (padEnd):
2745         (intrinsic.StringPrototypeReplaceIntrinsic.replace):
2746         (localeCompare):
2747         (search):
2748         (split):
2749         * tests/es6/String.prototype_methods_String.prototype.padEnd.js:
2750         * tests/es6/String.prototype_methods_String.prototype.padStart.js:
2751         * tests/stress/array-iterators-next-error-messages.js:
2752         (catch):
2753         * tests/stress/array-iterators-next-with-call.js:
2754         * tests/stress/regexp-match.js:
2755         (shouldThrow):
2756         * tests/stress/regexp-search.js:
2757         (shouldThrow):
2758
2759 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
2760
2761         Implement table-based switches in B3/Air
2762         https://bugs.webkit.org/show_bug.cgi?id=151141
2763
2764         Reviewed by Benjamin Poulain.
2765
2766         If a switch statement gets large, it's better to express it as an indirect jump rather than
2767         using a binary switch (divide-and-conquer tree of comparisons leading to O(log n) branches to
2768         get to the switch case). When dealing with integer switches, FTL will already use the B3
2769         Switch and expect this to get lowered as efficiently as possible; it's a bug that B3 will
2770         always use a binary switch rather than indirect jumps. When dealing with switches over some
2771         more sophisticated types, we'd want FTL to build an indirect jump table itself and use
2772         something like a hashtable to feed it. In that case, there will be no B3 Switch; we'll want
2773         some way for the FTL to directly express an indirection jump when emitting B3.
2774         
2775         This implies that we want B3 to have the ability to lower Switch to indirect jumps and to
2776         expose those indirect jumps in IR so that the FTL could do its own indirect jumps for
2777         switches over more complicated things like strings. But indirect jumps are tough to express
2778         in IR. For example, the LLVM approach ("indirectbr" and "blockaddress", see
2779         http://blog.llvm.org/2010/01/address-of-label-and-indirect-branches.html) means that some
2780         control flow edges cannot be split. Indirectbr takes an address as input and jumps to it, and
2781         blockaddress lets you build jump tables out of basic block addresses. This means that the
2782         compiler can never change any successor of an indirectbr, since the client will have already
2783         arranged for that indirectbr to jump to exactly those successors. We don't want such
2784         restrictions in B3, since B3 relies on being able to break critical edges for SSA conversion.
2785         Also, indirectbr is not cloneable, which would break any hope of doing specialization-based
2786         transformations like we want to do for multiple entrypoints (bug 159391). The goal of this
2787         change is to let clients do indirect jumps without placing any restrictions on IR.
2788         
2789         The trick is to allow Patchpoints to be used as block terminals. Patchpoints already allow
2790         clients of B3 to emit whatever code they like. Patchpoints are friendly to B3's other
2791         transformations because the client of the patchpoint has to play along with whatever
2792         decisions B3 had made around the patchpoint: what registers got used, what the control flow
2793         looks like, etc. Patchpoints can even be cloned by B3, and the client has to accommodate this
2794         in their patchpoint generator. It turns out that using Patchpoints as terminals is quite
2795         natural. We accomplish this by moving the successor edges out of ControlValue and into
2796         BasicBlock, and removing ControlValue entirely. This way, any Value subclass can be a
2797         terminal. It was already true that a Value is a terminal if value->effects().terminal, which
2798         works great with Patchpoints since they control their effects via PatchpointValue::effects.
2799         You can make your Patchpoint into a terminal by placing it at the end of a block and doing:
2800         
2801         patchpoint->effects.terminal = true;
2802         
2803         A Patchpoint in terminal position gets access to additional API in StackmapGenerationParams.
2804         The generator can get a Box<Label> for each successor to its owning block. For example, to
2805         implement a jump-table-based switch, you would make your patchpoint take the table index as
2806         its sole input. Inside the generator, you allocate the jump table and emit a BaseIndex jump
2807         that uses the jump table pointer (which will be a constant known to the generator since it
2808         just allocated it) as the base and the patchpoint input as an index. The jump table can be
2809         populated by MacroAssemblerCodePtr's computed by installing a link task to resolve the labels
2810         to concrete locations. This change makes LowerMacros do such a lowering for Switches that can
2811         benefit from jump tables. This happens recursively: if the original Switch is too sparse, we
2812         will divide-and-conquer as before. If at any recursion step we find that the remaining cases
2813         are dense and large enough to profit from a jump table, then those cases will be lowered to a
2814         Patchpoint that does the table jump. This is a fun way to do stepwise lowering: LowerMacros
2815         is essentially pre-lowering the Switch directly to machine code, and wrapping that machine
2816         code in a Patchpoint so that the rest of the compiler doesn't have to know anything about
2817         what happened. I suspect that in the future we will want to do other pre-lowerings this way,
2818         whenever the B3 IR phases have some special knowledge about what machine code should be
2819         emitted and it would be annoying to drag that knowledge through the rest of the compiler.
2820         
2821         One downside of this change is that we used ControlValue in so many places. Most of this
2822         patch involves removing references to ControlValue. It would be less than 100kb if it wasn't
2823         for that. To make this a bit easier, I added "appendNewControlValue" methods to BasicBlock,
2824         which allocate a Value and set the successors as if you had done "appendNew<ControlValue>".
2825         This made for an easy search-and-replace in testb3 and FTLOutput. I filed bug 159440 to
2826         remove this ugly stopgap method.
2827         
2828         I think that we will also end up using this facility to extend our use of snippets. We
2829         already use shared snippet generators for the generic forms of arithmetic. We will probably
2830         also want to do this for generic forms of branches. This wouldn't have been possible prior to
2831         this change, since there would have been no way to emit a control snippet in FTL. Now we can
2832         emit control snippets using terminal patchpoints.
2833
2834         This is a ~30% speed-up on microbenchmarks that have big switch statements (~60 cases). It's
2835         not a speed-up on mainstream benchmarks.
2836         
2837         This also adds a new test to testb3 for terminal Patchpoints, Get, and Set. The FTL does not
2838         currently use terminal Patchpoints directly, but we want this to be possible. It also doesn't
2839         use Get/Set directly even though we want this to be possible. It's important to test these
2840         since opcodes that result from lowering don't affect early phases, so we could have
2841         regressions in early phases related to these opcodes that wouldn't be caught by any JS test.
2842         So, this adds a very basic threaded interpreter to testb3 for a Brainfuck-style language, and
2843         tests it by having it run a program that prints the numbers 1..100 in a loop. Unlike a real
2844         threaded interpreter, it uses a common dispatch block rather than having dispatch at the
2845         terminus of each opcode. That's necessary because PolyJump is not cloneable. The state of the
2846         interpreter is represented using Variables that we Get and Set, so it tests Get/Set as well.
2847
2848         * CMakeLists.txt:
2849         * JavaScriptCore.xcodeproj/project.pbxproj:
2850         * assembler/MacroAssemblerARM64.h:
2851         (JSC::MacroAssemblerARM64::jump):
2852         * assembler/MacroAssemblerX86Common.h:
2853         (JSC::MacroAssemblerX86Common::jump):
2854         * assembler/X86Assembler.h:
2855         (JSC::X86Assembler::jmp_m):
2856         * b3/B3BasicBlock.cpp:
2857         (JSC::B3::BasicBlock::append):
2858         (JSC::B3::BasicBlock::appendNonTerminal):
2859         (JSC::B3::BasicBlock::removeLast):
2860         (JSC::B3::BasicBlock::appendIntConstant):
2861         (JSC::B3::BasicBlock::clearSuccessors):
2862         (JSC::B3::BasicBlock::appendSuccessor):
2863         (JSC::B3::BasicBlock::setSuccessors):
2864         (JSC::B3::BasicBlock::replaceSuccessor):
2865         (JSC::B3::BasicBlock::addPredecessor):
2866         (JSC::B3::BasicBlock::deepDump):
2867         (JSC::B3::BasicBlock::appendNewControlValue):
2868         * b3/B3BasicBlock.h:
2869         (JSC::B3::BasicBlock::numSuccessors):
2870         (JSC::B3::BasicBlock::successor):
2871         (JSC::B3::BasicBlock::successors):
2872         (JSC::B3::BasicBlock::successorBlock):
2873         (JSC::B3::BasicBlock::successorBlocks):
2874         (JSC::B3::BasicBlock::numPredecessors):
2875         (JSC::B3::BasicBlock::predecessor):
2876         (JSC::B3::BasicBlock::frequency):
2877         * b3/B3BasicBlockInlines.h:
2878         (JSC::B3::BasicBlock::replaceLastWithNew):
2879         (JSC::B3::BasicBlock::taken):
2880         (JSC::B3::BasicBlock::notTaken):
2881         (JSC::B3::BasicBlock::fallThrough):
2882         (JSC::B3::BasicBlock::numSuccessors): Deleted.
2883         (JSC::B3::BasicBlock::successor): Deleted.
2884         (JSC::B3::BasicBlock::successors): Deleted.
2885         (JSC::B3::BasicBlock::successorBlock): Deleted.
2886         (JSC::B3::BasicBlock::successorBlocks): Deleted.
2887         * b3/B3BlockInsertionSet.cpp:
2888         (JSC::B3::BlockInsertionSet::splitForward):
2889         * b3/B3BreakCriticalEdges.cpp:
2890         (JSC::B3::breakCriticalEdges):
2891         * b3/B3CaseCollection.cpp: Added.
2892         (JSC::B3::CaseCollection::dump):
2893         * b3/B3CaseCollection.h: Added.
2894         (JSC::B3::CaseCollection::CaseCollection):
2895         (JSC::B3::CaseCollection::operator[]):
2896         (JSC::B3::CaseCollection::iterator::iterator):
2897         (JSC::B3::CaseCollection::iterator::operator*):
2898         (JSC::B3::CaseCollection::iterator::operator++):
2899         (JSC::B3::CaseCollection::iterator::operator==):
2900         (JSC::B3::CaseCollection::iterator::operator!=):
2901         (JSC::B3::CaseCollection::begin):
2902         (JSC::B3::CaseCollection::end):
2903         * b3/B3CaseCollectionInlines.h: Added.
2904         (JSC::B3::CaseCollection::fallThrough):
2905         (JSC::B3::CaseCollection::size):
2906         (JSC::B3::CaseCollection::at):
2907         * b3/B3CheckSpecial.cpp:
2908         (JSC::B3::CheckSpecial::CheckSpecial):
2909         (JSC::B3::CheckSpecial::hiddenBranch):
2910         * b3/B3Common.h:
2911         (JSC::B3::is64Bit):
2912         * b3/B3ControlValue.cpp: Removed.
2913         * b3/B3ControlValue.h: Removed.
2914         * b3/B3DataSection.cpp:
2915         (JSC::B3::DataSection::DataSection):
2916         * b3/B3DuplicateTails.cpp:
2917         * b3/B3FixSSA.cpp:
2918         * b3/B3FoldPathConstants.cpp:
2919         * b3/B3LowerMacros.cpp:
2920         * b3/B3LowerToAir.cpp:
2921         (JSC::B3::Air::LowerToAir::run):
2922         (JSC::B3::Air::LowerToAir::lower):
2923         * b3/B3MathExtras.cpp:
2924         (JSC::B3::powDoubleInt32):
2925         * b3/B3Opcode.h:
2926         (JSC::B3::isConstant):
2927         (JSC::B3::isDefinitelyTerminal):
2928         * b3/B3PatchpointSpecial.cpp:
2929         (JSC::B3::PatchpointSpecial::generate):
2930         (JSC::B3::PatchpointSpecial::isTerminal):
2931         (JSC::B3::PatchpointSpecial::dumpImpl):
2932         * b3/B3PatchpointSpecial.h:
2933         * b3/B3Procedure.cpp:
2934         (JSC::B3::Procedure::resetReachability):
2935         * b3/B3Procedure.h:
2936         (JSC::B3::Procedure::lastPhaseName):
2937         (JSC::B3::Procedure::byproducts):
2938         * b3/B3ReduceStrength.cpp:
2939         * b3/B3StackmapGenerationParams.cpp:
2940         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
2941         (JSC::B3::StackmapGenerationParams::successorLabels):
2942         (JSC::B3::StackmapGenerationParams::fallsThroughToSuccessor):
2943         (JSC::B3::StackmapGenerationParams::proc):
2944         * b3/B3StackmapGenerationParams.h:
2945         (JSC::B3::StackmapGenerationParams::gpScratch):
2946         (JSC::B3::StackmapGenerationParams::fpScratch):
2947         * b3/B3SwitchValue.cpp:
2948         (JSC::B3::SwitchValue::~SwitchValue):
2949         (JSC::B3::SwitchValue::removeCase):
2950         (JSC::B3::SwitchValue::hasFallThrough):
2951         (JSC::B3::SwitchValue::setFallThrough):
2952         (JSC::B3::SwitchValue::appendCase):
2953         (JSC::B3::SwitchValue::dumpSuccessors):
2954         (JSC::B3::SwitchValue::dumpMeta):
2955         (JSC::B3::SwitchValue::cloneImpl):
2956         (JSC::B3::SwitchValue::SwitchValue):
2957         * b3/B3SwitchValue.h:
2958         (JSC::B3::SwitchValue::accepts):
2959         (JSC::B3::SwitchValue::caseValues):
2960         (JSC::B3::SwitchValue::cases):
2961         (JSC::B3::SwitchValue::fallThrough): Deleted.
2962         (JSC::B3::SwitchValue::size): Deleted.
2963         (JSC::B3::SwitchValue::at): Deleted.
2964         (JSC::B3::SwitchValue::operator[]): Deleted.
2965         (JSC::B3::SwitchValue::iterator::iterator): Deleted.
2966         (JSC::B3::SwitchValue::iterator::operator*): Deleted.
2967         (JSC::B3::SwitchValue::iterator::operator++): Deleted.
2968         (JSC::B3::SwitchValue::iterator::operator==): Deleted.
2969         (JSC::B3::SwitchValue::iterator::operator!=): Deleted.
2970         (JSC::B3::SwitchValue::begin): Deleted.
2971         (JSC::B3::SwitchValue::end): Deleted.
2972         * b3/B3Validate.cpp:
2973         * b3/B3Value.cpp:
2974         (JSC::B3::Value::replaceWithPhi):
2975         (JSC::B3::Value::replaceWithJump):
2976         (JSC::B3::Value::replaceWithOops):
2977         (JSC::B3::Value::dump):
2978         (JSC::B3::Value::deepDump):
2979         (JSC::B3::Value::dumpSuccessors):
2980         (JSC::B3::Value::negConstant):
2981         (JSC::B3::Value::typeFor):
2982         * b3/B3Value.h:
2983         * b3/air/AirCode.cpp:
2984         (JSC::B3::Air::Code::addFastTmp):
2985         (JSC::B3::Air::Code::addDataSection):
2986         (JSC::B3::Air::Code::jsHash):
2987         * b3/air/AirCode.h:
2988         (JSC::B3::Air::Code::isFastTmp):
2989         (JSC::B3::Air::Code::setLastPhaseName):
2990         * b3/air/AirCustom.h:
2991         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
2992         (JSC::B3::Air::PatchCustom::isTerminal):
2993         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
2994         (JSC::B3::Air::PatchCustom::generate):
2995         (JSC::B3::Air::CCallCustom::admitsStack):
2996         (JSC::B3::Air::CCallCustom::isTerminal):
2997         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
2998         (JSC::B3::Air::ShuffleCustom::admitsStack):
2999         (JSC::B3::Air::ShuffleCustom::isTerminal):
3000         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
3001         * b3/air/AirGenerate.cpp:
3002         (JSC::B3::Air::generate):
3003         * b3/air/AirGenerationContext.h:
3004         * b3/air/AirInst.h:
3005         (JSC::B3::Air::Inst::hasNonControlEffects):
3006         * b3/air/AirSimplifyCFG.cpp:
3007         (JSC::B3::Air::simplifyCFG):
3008         * b3/air/AirSpecial.cpp:
3009         (JSC::B3::Air::Special::shouldTryAliasingDef):
3010         (JSC::B3::Air::Special::isTerminal):
3011         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
3012         * b3/air/AirSpecial.h:
3013         * b3/air/AirValidate.cpp:
3014         * b3/air/opcode_generator.rb:
3015         * b3/testb3.cpp:
3016         * ftl/FTLLowerDFGToB3.cpp:
3017         * ftl/FTLOutput.cpp:
3018         (JSC::FTL::Output::jump):
3019         (JSC::FTL::Output::branch):
3020         (JSC::FTL::Output::ret):
3021         (JSC::FTL::Output::unreachable):
3022         (JSC::FTL::Output::speculate):
3023         (JSC::FTL::Output::trap):
3024         (JSC::FTL::Output::anchor):
3025         (JSC::FTL::Output::decrementSuperSamplerCount):
3026         (JSC::FTL::Output::addIncomingToPhi):
3027         * ftl/FTLOutput.h:
3028         (JSC::FTL::Output::constIntPtr):
3029         (JSC::FTL::Output::callWithoutSideEffects):
3030         (JSC::FTL::Output::switchInstruction):
3031         (JSC::FTL::Output::phi):
3032         (JSC::FTL::Output::addIncomingToPhi):
3033
3034 2016-07-18  Anders Carlsson  <andersca@apple.com>
3035
3036         WebKit nightly fails to build on macOS Sierra
3037         https://bugs.webkit.org/show_bug.cgi?id=159902
3038         rdar://problem/27365672
3039
3040         Reviewed by Tim Horton.
3041
3042         * icu/unicode/ucurr.h: Added.
3043         Add ucurr.h from ICU.
3044
3045 2016-07-18  Michael Saboff  <msaboff@apple.com>
3046
3047         ASSERTION FAILED: : (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) -- WTF/wtf/DateMath.cpp
3048         https://bugs.webkit.org/show_bug.cgi?id=159883
3049
3050         Reviewed by Filip Pizlo.
3051
3052         New test.
3053
3054         * tests/stress/regress-159883.js: Added.
3055
3056 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
3057
3058         MarkedBlocks should know that they can be used for more than JSCells
3059         https://bugs.webkit.org/show_bug.cgi?id=159643
3060
3061         Reviewed by Geoffrey Garen.
3062         
3063         This teaches the Heap that a MarkedBlock may hold either JSCells, or Auxiliary, which is
3064         not a JSCell. It teaches the heap and all of the things that walk the heap to ignore
3065         non-JSCells whenever they are looking for global objects, JSObjects, and things to trace
3066         for debugging or profiling. The idea is that we will be able to allocate butterflies and
3067         typed array backing stores as Auxiliary in MarkedSpace rather than allocating those things
3068         in CopiedSpace. That's what bug 159658 is all about.
3069         
3070         This gives us a new type, called HeapCell, which is just meant to be a class distinct from
3071         JSCell or any type we would use for Auxiliary. For convenience, JSCell is a subclass of
3072         HeapCell. HeapCell has an enum called HeapCell::Kind, which is either HeapCell::JSCell or
3073         HeapCell::Auxiliary. MarkedSpace no longer speaks of JSCells directly except when dealing
3074         with destruction.
3075         
3076         This change required doing a lot of stuff to all of those functor callbacks, since they
3077         now take HeapCell* instead of JSCell* and they take an extra HeapCell::Kind argument to
3078         tell them if they are dealing with JSCells or Auxiliary. I figured that this would be as
3079         good a time as any to convert those functors to being lambda-compatible. This means that
3080         operator() must be const. In some cases, converting the operator() to be const would have
3081         taken more work than just turning the whole thing into a lambda. Whenever this was the
3082         case, I converted the code to use lambdas. I left a lot of functors alone. In cases where
3083         the functor would benefit from being a lambda, for example because it would get rid of
3084         const_casts or mutables, I put in a FIXME referencing bug 159644.
3085
3086         * CMakeLists.txt:
3087         * JavaScriptCore.xcodeproj/project.pbxproj:
3088         * debugger/Debugger.cpp:
3089         (JSC::Debugger::SetSteppingModeFunctor::SetSteppingModeFunctor):
3090         (JSC::Debugger::SetSteppingModeFunctor::operator()):
3091         (JSC::Debugger::ToggleBreakpointFunctor::ToggleBreakpointFunctor):
3092         (JSC::Debugger::ToggleBreakpointFunctor::operator()):
3093         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::ClearCodeBlockDebuggerRequestsFunctor):
3094         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator()):
3095         (JSC::Debugger::ClearDebuggerRequestsFunctor::ClearDebuggerRequestsFunctor):
3096         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator()):
3097         * heap/CodeBlockSet.h:
3098         (JSC::CodeBlockSet::iterate):
3099         * heap/HandleSet.h:
3100         (JSC::HandleNode::next):
3101         (JSC::HandleSet::forEachStrongHandle):
3102         * heap/Heap.cpp:
3103         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
3104         (JSC::GatherHeapSnapshotData::operator()):
3105         (JSC::RemoveDeadHeapSnapshotNodes::RemoveDeadHeapSnapshotNodes):
3106         (JSC::RemoveDeadHeapSnapshotNodes::operator()):
3107         (JSC::Heap::protectedGlobalObjectCount):
3108         (JSC::Heap::globalObjectCount):
3109         (JSC::Heap::protectedObjectCount):
3110         (JSC::Heap::protectedObjectTypeCounts):
3111         (JSC::Heap::objectTypeCounts):
3112         (JSC::Heap::deleteAllCodeBlocks):
3113         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
3114         (JSC::MarkedBlockSnapshotFunctor::operator()):
3115         (JSC::Zombify::visit):
3116         (JSC::Zombify::operator()):
3117         (JSC::Heap::zombifyDeadObjects):
3118         (JSC::Heap::flushWriteBarrierBuffer):
3119         * heap/Heap.h:
3120         (JSC::Heap::handleSet):
3121         (JSC::Heap::handleStack):
3122         * heap/HeapCell.cpp: Added.
3123         (WTF::printInternal):
3124         * heap/HeapCell.h: Added.
3125         (JSC::HeapCell::HeapCell):
3126         (JSC::HeapCell::zap):
3127         (JSC::HeapCell::isZapped):
3128         * heap/HeapInlines.h:
3129         (JSC::Heap::deprecatedReportExtraMemory):
3130         (JSC::Heap::forEachCodeBlock):
3131         (JSC::Heap::forEachProtectedCell):
3132         (JSC::Heap::allocateWithDestructor):
3133         * heap/HeapStatistics.cpp:
3134         (JSC::StorageStatistics::visit):
3135         (JSC::StorageStatistics::operator()):
3136         * heap/HeapVerifier.cpp:
3137         (JSC::GatherLiveObjFunctor::visit):
3138         (JSC::GatherLiveObjFunctor::operator()):
3139         * heap/MarkedAllocator.cpp:
3140         (JSC::MarkedAllocator::allocateBlock):
3141         (JSC::MarkedAllocator::addBlock):
3142         (JSC::MarkedAllocator::reset):
3143         (JSC::MarkedAllocator::lastChanceToFinalize):
3144         (JSC::LastChanceToFinalize::operator()): Deleted.
3145         * heap/MarkedAllocator.h:
3146         (JSC::MarkedAllocator::takeLastActiveBlock):
3147         (JSC::MarkedAllocator::resumeAllocating):
3148         (JSC::MarkedAllocator::forEachBlock):
3149         * heap/MarkedBlock.cpp:
3150         (JSC::MarkedBlock::create):
3151         (JSC::MarkedBlock::destroy):
3152         (JSC::MarkedBlock::MarkedBlock):
3153         (JSC::MarkedBlock::callDestructor):
3154         (JSC::MarkedBlock::specializedSweep):
3155         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
3156         (JSC::SetNewlyAllocatedFunctor::operator()):
3157         (JSC::MarkedBlock::stopAllocating):
3158         (JSC::MarkedBlock::didRetireBlock):
3159         * heap/MarkedBlock.h:
3160         (JSC::MarkedBlock::CountFunctor::CountFunctor):
3161         (JSC::MarkedBlock::CountFunctor::count):
3162         (JSC::MarkedBlock::CountFunctor::returnValue):
3163         (JSC::MarkedBlock::needsDestruction):
3164         (JSC::MarkedBlock::cellKind):
3165         (JSC::MarkedBlock::size):
3166         (JSC::MarkedBlock::clearNewlyAllocated):
3167         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
3168         (JSC::MarkedBlock::isLive):
3169         (JSC::MarkedBlock::isLiveCell):
3170         (JSC::MarkedBlock::forEachCell):
3171         (JSC::MarkedBlock::forEachLiveCell):
3172         (JSC::MarkedBlock::forEachDeadCell):
3173         * heap/MarkedSpace.cpp:
3174         (JSC::MarkedSpace::MarkedSpace):
3175         (JSC::MarkedSpace::~MarkedSpace):
3176         (JSC::MarkedSpace::lastChanceToFinalize):
3177         (JSC::MarkedSpace::sweep):
3178         (JSC::MarkedSpace::zombifySweep):
3179         (JSC::MarkedSpace::resetAllocators):
3180         (JSC::MarkedSpace::visitWeakSets):
3181         (JSC::MarkedSpace::reapWeakSets):
3182         (JSC::MarkedSpace::forEachAllocator):
3183         (JSC::MarkedSpace::stopAllocating):
3184         (JSC::MarkedSpace::resumeAllocating):
3185         (JSC::MarkedSpace::isPagedOut):
3186         (JSC::MarkedSpace::shrink):
3187         (JSC::clearNewlyAllocatedInBlock):
3188         (JSC::MarkedSpace::clearNewlyAllocated):
3189         (JSC::MarkedSpace::clearMarks):
3190         (JSC::Free::Free): Deleted.
3191         (JSC::Free::operator()): Deleted.
3192         (JSC::FreeOrShrink::FreeOrShrink): Deleted.
3193         (JSC::FreeOrShrink::operator()): Deleted.
3194         (JSC::VisitWeakSet::VisitWeakSet): Deleted.
3195         (JSC::VisitWeakSet::operator()): Deleted.
3196         (JSC::ReapWeakSet::operator()): Deleted.
3197         (JSC::LastChanceToFinalize::operator()): Deleted.
3198         (JSC::StopAllocatingFunctor::operator()): Deleted.
3199         (JSC::ResumeAllocatingFunctor::operator()): Deleted.
3200         (JSC::ClearNewlyAllocated::operator()): Deleted.
3201         (JSC::VerifyNewlyAllocated::operator()): Deleted.
3202         * heap/MarkedSpace.h:
3203         (JSC::MarkedSpace::forEachLiveCell):
3204         (JSC::MarkedSpace::forEachDeadCell):
3205         (JSC::MarkedSpace::allocatorFor):
3206         (JSC::MarkedSpace::allocateWithDestructor):
3207         (JSC::MarkedSpace::forEachBlock):
3208         (JSC::MarkedSpace::didAddBlock):
3209         (JSC::MarkedSpace::objectCount):
3210         (JSC::MarkedSpace::size):
3211         (JSC::MarkedSpace::capacity):
3212         (JSC::ClearMarks::operator()): Deleted.
3213         (JSC::Sweep::operator()): Deleted.
3214         (JSC::ZombifySweep::operator()): Deleted.
3215         (JSC::MarkCount::operator()): Deleted.
3216         (JSC::Size::operator()): Deleted.
3217         * runtime/JSCell.h:
3218         (JSC::JSCell::zap): Deleted.
3219         (JSC::JSCell::isZapped): Deleted.
3220         * runtime/JSCellInlines.h:
3221         (JSC::allocateCell):
3222         (JSC::JSCell::isObject):
3223         (JSC::isZapped): Deleted.
3224         * runtime/JSGlobalObject.cpp:
3225         * tools/JSDollarVMPrototype.cpp:
3226         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
3227         (JSC::CellAddressCheckFunctor::operator()):
3228
3229 2016-07-18  Filip Pizlo  <fpizlo@apple.com>
3230
3231         Repeatedly creating and destroying workers that enqueue DFG plans can outpace the DFG worklist, which then causes VM shutdown to stall, which then causes memory growth
3232         https://bugs.webkit.org/show_bug.cgi?id=159754
3233
3234         Reviewed by Geoffrey Garen.
3235
3236         If you create and destroy workers at a high rate and those workers enqueue some DFG plans
3237         that are still not compiled at the time that the worker is closed, then the closed workers
3238         end up stalling in VM::~VM waiting for the DFG worklist thread to finish those plans. Since
3239         we don't actually cancel the plans, it's easy to create a situation where the workers
3240         outpace the DFG worklist, especially if you create many workers at a time and each one
3241         finishes just after enqueueing those plans.
3242
3243         The solution is to allow VM::~VM to remove plans from the DFG worklist that are related to
3244         that VM but aren't currently being worked on. That turns out to be an easy change.
3245
3246         I have a test that repros this, but it's quite long-running. I call it workers/bomb.html. We
3247         may want to exclude it from test runs because of how long it takes.
3248
3249         * dfg/DFGWorklist.cpp:
3250         (JSC::DFG::Worklist::removeDeadPlans):
3251         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
3252         (JSC::DFG::Worklist::queueLength):
3253         (JSC::DFG::Worklist::runThread):
3254         * dfg/DFGWorklist.h:
3255         * runtime/VM.cpp:
3256         (JSC::VM::~VM):
3257
3258 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
3259
3260         Object.preventExtensions/seal/freeze makes code much slower
3261         https://bugs.webkit.org/show_bug.cgi?id=143247
3262
3263         Reviewed by Michael Saboff.
3264
3265         This has been a huge pet peeve of mine for a long time, but I was always afraid of fixing
3266         it because I thought that it would be hard. Well, it looks like it's not hard at all.
3267
3268         The problem is that you cannot mutate a structure that participates in transition caching.
3269         You can only clone the structure and mutate that one. But if you do this, you have to make
3270         a hard choice:
3271
3272         1) Clone the structure without caching the transition. This is what the code did before
3273            this change. It's the most obvious choice, but it introduces an uncacheable transition
3274            that leads to an explosion of structures, which then breaks all inline caches.
3275
3276         2) Perform one of the existing cacheable transitions. Cacheable transitions can either add
3277            properties or they can do one of the NonPropertyTransitions, which until now have been
3278            restricted to just IndexingType transitions. So, only adding transitions or making
3279            certain prescribed changes to the indexing type count as cacheable transitions.
3280
3281         This change decouples NonPropertyTransition from IndexingType and adds three new kinds of
3282