WebRTC: OWR: Add support for the muted state in the mediaplayer
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-08-03  Chris Dumez  <cdumez@apple.com>

        Drop DocumentType.internalSubset attribute
        https://bugs.webkit.org/show_bug.cgi?id=160530

        Reviewed by Alex Christensen.

        Drop DocumentType.internalSubset attribute.

        * inspector/protocol/DOM.json:

2016-08-03  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve the memory locality of DFG Node's AbstractValues
        https://bugs.webkit.org/show_bug.cgi?id=160443

        Reviewed by Mark Lam.

        The AbstractInterpreter spends a lot of time on memory operations
        for AbstractValues. This patch attempts to improve the situation
        by putting the values closer together in memory.

        First, AbstractValue is moved out of DFG::Node and kept in
        a vector addressed by node indices.

        I initially moved them to InPlaceAbstractState but I quickly discovered
        initializing the values in the vector was costly.
        I moved the vector to Graph as a cache shared by every instantiation of
        InPlaceAbstractState. It is mainly there to avoid constructors and destructors
        of AbstractValue. The patch of https://bugs.webkit.org/show_bug.cgi?id=160370
        should also help eventually.

        I instrumented CFA to find how packed SparseCollection is.
        The answer is it can be very sparse, which is bad for CFA.
        I added packIndices() to repack the collection before running
        liveness since that's where we start using the memory intensively.
        This is a measurable improvement but it implies we can no longer
        keep indices on a side channel between phases since they may change.

        * b3/B3SparseCollection.h:
        (JSC::B3::SparseCollection::packIndices):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::packNodeIndices):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::abstractValuesCache):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::forNode):
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::performLivenessAnalysis):
        * dfg/DFGNode.h:

2016-08-03  Caitlin Potter  <caitp@igalia.com>

        Clarify SyntaxErrors around yield and unskip tests
        https://bugs.webkit.org/show_bug.cgi?id=158460

        Reviewed by Saam Barati.

        Fix and unskip tests which erroneously asserted that `yield` is not a
        valid BindingIdentifier, and improve error message for YieldExpressions
        occurring in Arrow formal parameters.

        * parser/Parser.cpp:
        (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseYieldExpression):
        * parser/Parser.h:

2016-08-03  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r203368): broke some test262 tests
        https://bugs.webkit.org/show_bug.cgi?id=160479

        Reviewed by Mark Lam.

        The optimization in r203368 overlooked a subtle detail: freezing should not set ReadOnly on
        Accessor properties.

        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransition):
        * runtime/StructureTransitionTable.h:
        (JSC::setsDontDeleteOnAllProperties):
        (JSC::setsReadOnlyOnNonAccessorProperties):
        (JSC::setsReadOnlyOnAllProperties): Deleted.

2016-08-03  Csaba Osztrogonác  <ossy@webkit.org>

        Lacking support on an arm-traditional disassembler.
        https://bugs.webkit.org/show_bug.cgi?id=123717

        Reviewed by Mark Lam.

        * CMakeLists.txt:
        * disassembler/ARMLLVMDisassembler.cpp: Added, based on pre r196729 LLVMDisassembler, but it is ARM traditional only now.
        (JSC::tryToDisassemble):

2016-08-03  Saam Barati  <sbarati@apple.com>

        Implement nested rest destructuring w.r.t the ES7 spec
        https://bugs.webkit.org/show_bug.cgi?id=160423

        Reviewed by Filip Pizlo.

        The spec has updated the BindingRestElement grammar production to be:
        BindingRestElement:
           BindingIdentifier
           BindingPattern

        It used to only allow BindingIdentifier in the grammar production.
        I've updated our engine to account for this. The semantics are exactly
        what you'd expect.  For example:
        `let [a, ...[b, ...c]] = expr();`
        means that we create an array for the first rest element `...[b, ...c]`
        and then perform the binding of `[b, ...c]` to that array. And so on,
        applied recursively through the pattern.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::RestParameterNode::collectBoundIdentifiers):
        (JSC::RestParameterNode::toString):
        (JSC::RestParameterNode::bindValue):
        (JSC::RestParameterNode::emit):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createBindingLocation):
        (JSC::ASTBuilder::createRestParameter):
        (JSC::ASTBuilder::createAssignmentElement):
        * parser/NodeConstructors.h:
        (JSC::AssignmentElementNode::AssignmentElementNode):
        (JSC::RestParameterNode::RestParameterNode):
        (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
        * parser/Nodes.h:
        (JSC::RestParameterNode::name): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseFormalParameters):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):

2016-08-03  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Fix Windows build after r204065

        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::observeTransitions):
        AbstractValue is bigger on Windows for an unknown reason.

2016-08-02  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Fix 32bits jsc after r204065

        A default-constructed JSValue() is not equal to zero on 32-bit.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::AbstractValue):

2016-08-02  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter
        https://bugs.webkit.org/show_bug.cgi?id=160370

        Reviewed by Saam Barati.

        We use a ton of AbstractValue to run the Abstract Interpreter.

        When we set up the initial values, the compiler sets
        a zero on a first word, a one on a second word, and a zero
        again on a third word.
        Since no vector or double-store can deal with 3 words, unrolling
        is done by repeating those instructions.

        The reason for the one was TinyPtrSet. It needed a flag for
        empty value to identify the set as thin. I flipped the flag to "fat"
        to make sure TinyPtrSet is initialized to zero.

        With that done, I just had to clean some places to make
        the initialization shorter.
        It makes the binary easier to follow but this does not help with
        the bigger problem: the time spent per block on Abstract Interpreter.

        * bytecode/Operands.h:
        The traits were useless; no client code defines them.

        (JSC::Operands::Operands):
        (JSC::Operands::ensureLocals):
        Because of the size of the function, llvm is not inlining it.
        We were literally loading 3 registers from memory and storing
        them in the vector.
        Now that AbstractValue has a VectorTraits, we should just rely
        on the memset of Vector when possible.

        (JSC::Operands::getLocal):
        (JSC::Operands::setArgumentFirstTime):
        (JSC::Operands::setLocalFirstTime):
        (JSC::Operands::clear):
        (JSC::OperandValueTraits::defaultValue): Deleted.
        (JSC::OperandValueTraits::isEmptyForDump): Deleted.
        * bytecode/OperandsInlines.h:
        (JSC::Operands<T>::dumpInContext):
        (JSC::Operands<T>::dump):
        (JSC::Traits>::dumpInContext): Deleted.
        (JSC::Traits>::dump): Deleted.
        * dfg/DFGAbstractValue.cpp:
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::AbstractValue):

2016-08-02  Saam Barati  <sbarati@apple.com>

        update a class extending null w.r.t the ES7 spec
        https://bugs.webkit.org/show_bug.cgi?id=160417

        Reviewed by Keith Miller.

        When a class extends null, it should not be marked as a derived class.
        This was changed in the ES2016 spec, and this patch makes the needed
        changes in JSC to follow the spec. This allows classes to extend
        null and have their default constructor invoked without throwing an exception.
        This also prevents |this| from being under TDZ at the start of the constructor.
        Because ES6 allows arbitrary expressions in the `class <ident> extends <expr>`
        syntax, we don't know statically if a constructor is extending null or not.
        Therefore, we don't always know statically if it's a base or derived constructor.
        I solved this by putting a boolean on the constructor function under a private
        symbol named isDerivedConstructor when doing class construction. We only need
        to put this boolean on constructors that may extend null. Constructors that are
        declared in a class with no extends syntax can tell statically that they are a base constructor.

        I've also renamed the ConstructorKind::Derived enum value to be
        ConstructorKind::Extends to better indicate that we can't answer
        the "am I a derived constructor?" question statically.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createDefaultConstructor):
        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::ensureThis):
        (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/ParserModes.h:

2016-08-02  Enrica Casucci  <enrica@apple.com>

        Allow building with content filtering disabled.
        https://bugs.webkit.org/show_bug.cgi?id=160454

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2016-08-02  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
        https://bugs.webkit.org/show_bug.cgi?id=159759

        Reviewed by Saam Barati.

        * jit/JITMathIC.h:
        (JSC::JITMathIC::generateInline):

2016-08-01  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r203990): JSC Debug test stress/arity-check-ftl-throw.js failing
        https://bugs.webkit.org/show_bug.cgi?id=160438

        Reviewed by Mark Lam.

        In r203990 I fixed a bug where CommonSlowPaths.h/arityCheckFor() was basically failing at
        catching stack overflow due to large parameter count. It would only catch regular old stack
        overflow, like if the frame pointer was already past the limit.

        This had a secondary problem: unfortunately all of our tests for what happens when you overflow
        the stack due to large parameter count were not going down that path at all, so we haven't had
        test coverage for this in ages.  There were bugs in all tiers of the engine when handling this
        case.

        We need to be able to roll back the topCallFrame on paths that are meant to throw an exception
        from the caller. Otherwise, we'd crash in StackVisitor because it would see a busted stack
        frame. Rolling back like this "just works" except when the caller is the VM entry frame. I had
        some choices here. I could have forced anyone who is rolling back to always skip VM entry
        frames. They can't do it in a way that changes the value of VM::topVMEntryFrame, which is what
        a stack frame roll back normally does, since exception unwinding needs to see the current value
        of topVMEntryFrame. So, we have a choice to either try to magically avoid all of the paths that
        look at topCallFrame, or give topCallFrame a state that unambiguously signals that we are
        sitting right on top of a VM entry frame without having succeeded at making a JS call. The only
        place that really needs to know is StackVisitor, which wants to start scanning at topCallFrame.
        To signal this, I could have either made topCallFrame point to the real top JS call frame
        without also rolling back topVMEntryFrame, or I could make topCallFrame == topVMEntryFrame. The
        latter felt somehow cleaner. I filed a bug (https://bugs.webkit.org/show_bug.cgi?id=160441) for
        converting topCallFrame to a void*, which would give us a chance to harden the rest of the
        engine against this case.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):
        We may do ShadowChicken processing, which invokes StackVisitor, when we have topCallFrame
        pointing at topVMEntryFrame. This teaches StackVisitor how to handle this case. I believe that
        StackVisitor is the only place that needs to be taught about this at this time, because it's
        one of the few things that access topCallFrame along this special path.

        * jit/JITOperations.cpp: Roll back the top call frame.
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Roll back the top call frame.

2016-08-01  Benjamin Poulain  <bpoulain@apple.com>

        [JSC][ARM64] Fix branchTest32/64 taking an immediate as mask
        https://bugs.webkit.org/show_bug.cgi?id=160439

        Reviewed by Filip Pizlo.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchTest64):
        * b3/air/AirOpcode.opcodes:
        Fix the ARM64 codegen to lower BitImm64 without using a scratch register.

2016-07-22  Filip Pizlo  <fpizlo@apple.com>

        [B3] Fusing immediates into test instructions should work again
        https://bugs.webkit.org/show_bug.cgi?id=160073

        Reviewed by Sam Weinig.

        When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
        fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
        was still using Imm!  This meant that isValidForm() always returned false.

        This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
        it provides no benefit on x86 and has some risk (the code appears to play fast and loose
        with the scratch register).

        This is not an obvious progression on anything, so I added comprehensive tests to
        testb3, which check that we selected the optimal instruction in a variety of situations.
        We should add more tests like this!

        Rolling this back in after fixing ARM64. The bug was that branchTest32|64 on ARM64 doesn't
        actually support BitImm or BitImm64, at least not yet. Disabling that in AirOpcodes makes
        this patch not a regression on ARM64. That change was reviewed by Benjamin Poulain.

        * b3/B3BasicBlock.h:
        (JSC::B3::BasicBlock::successorBlock):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createGenericCompare):
        * b3/B3LowerToAir.h:
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::isRepresentableAs):
        (JSC::B3::Air::Arg::usesTmp):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isRepresentableAs):
        (JSC::B3::Air::Arg::castToType):
        (JSC::B3::Air::Arg::asNumber):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::size):
        (JSC::B3::Air::Code::at):
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirValidate.h:
        * b3/air/opcode_generator.rb:
        * b3/testb3.cpp:
        (JSC::B3::compile):
        (JSC::B3::compileAndRun):
        (JSC::B3::lowerToAirForTesting):
        (JSC::B3::testSomeEarlyRegister):
        (JSC::B3::testBranchBitAndImmFusion):
        (JSC::B3::zero):
        (JSC::B3::run):

2016-08-01  Filip Pizlo  <fpizlo@apple.com>

        Rationalize varargs stack overflow checks
        https://bugs.webkit.org/show_bug.cgi?id=160425

        Reviewed by Michael Saboff.

        * ftl/FTLLink.cpp:
        (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.

2016-08-01  Saam Barati  <sbarati@apple.com>

        Sub should be a Math IC
        https://bugs.webkit.org/show_bug.cgi?id=160270

        Reviewed by Mark Lam.

        This makes Sub an IC like Mul and Add. I'm seeing the following
        improvements of average Sub size on Unity and JetStream:

                   |   JetStream  |  Unity 3D  |
              -----|--------------|------------|
              Old  |   202 bytes  |  205 bytes |
              -----|--------------|------------|
              New  |   134 bytes  |  134 bytes |

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addJITMulIC):
        (JSC::CodeBlock::addJITSubIC):
        (JSC::CodeBlock::findStubInfo):
        (JSC::CodeBlock::dumpMathICStats):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_sub):
        (JSC::JIT::emitSlow_op_sub):
        (JSC::JIT::emit_op_pow):
        * jit/JITMathIC.h:
        * jit/JITMathICForwards.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITSubGenerator.cpp:
        (JSC::JITSubGenerator::generateInline):
        (JSC::JITSubGenerator::generateFastPath):
        * jit/JITSubGenerator.h:
        (JSC::JITSubGenerator::JITSubGenerator):
        (JSC::JITSubGenerator::isLeftOperandValidConstant):
        (JSC::JITSubGenerator::isRightOperandValidConstant):
        (JSC::JITSubGenerator::arithProfile):
        (JSC::JITSubGenerator::didEmitFastPath): Deleted.
        (JSC::JITSubGenerator::endJumpList): Deleted.
        (JSC::JITSubGenerator::slowPathJumpList): Deleted.

2016-08-01  Keith Miller  <keith_miller@apple.com>

        We should not keep the JavaScript tests inside the Source/JavaScriptCore/ directory.
        https://bugs.webkit.org/show_bug.cgi?id=160372

        Rubber stamped by Geoffrey Garen.

        This patch moves all the JavaScript tests from Source/JavaScriptCore/tests to
        a new top level directory, JSTests. Having the tests in the Source directory
        was both confusing and inconvenient for people that just want to checkout the
        source code of WebKit. Since there is no other obvious place to put all the
        JavaScript tests a new top level directory seemed the most sensible.

        * tests/: Deleted.

2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Should check Test262Error correctly
        https://bugs.webkit.org/show_bug.cgi?id=159862

        Reviewed by Saam Barati.

        Test262Error in the harness does not have a "name" property.
        Rather than checking the "name" property, performing `instanceof` is better to check the class of the exception.

        * jsc.cpp:
        (checkUncaughtException):
        * runtime/JSObject.h:
        * tests/test262.yaml:

2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Module binding can be exported by multiple names
        https://bugs.webkit.org/show_bug.cgi?id=160343

        Reviewed by Saam Barati.

        ES6 Module can export the same local binding by using multiple names.
        For example,

            ```
            var value = 42;

            export { value };
            export { value as value2 };
            ```

        Currently, we only allowed one local binding to be exported with one name. So, in the above case,
        the local binding "value" is exported as "value2" and "value" name is not exported. This is wrong.

        To fix this issue, we collect the correspondence (local name => exported name) to the local bindings
        in the parser. Previously, we only maintained the exported local bindings in the parser. We then use
        this information when creating the export entries in ModuleAnalyzer.

        And this patch also moves ModuleScopeData from the Scope object to the Parser class since exported
        names should be managed per-module, not per-scope.

        This change fixes several test262 failures.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::exportVariable):
        (JSC::ModuleAnalyzer::analyze):
        (JSC::ModuleAnalyzer::exportedBinding): Deleted.
        (JSC::ModuleAnalyzer::declareExportAlias): Deleted.
        * parser/ModuleAnalyzer.h:
        * parser/ModuleScopeData.h: Copied from Source/JavaScriptCore/parser/ModuleAnalyzer.h.
        (JSC::ModuleScopeData::create):
        (JSC::ModuleScopeData::exportedBindings):
        (JSC::ModuleScopeData::exportName):
        (JSC::ModuleScopeData::exportBinding):
        * parser/Nodes.cpp:
        (JSC::ProgramNode::ProgramNode):
        (JSC::ModuleProgramNode::ModuleProgramNode):
        (JSC::EvalNode::EvalNode):
        (JSC::FunctionNode::FunctionNode):
        * parser/Nodes.h:
        (JSC::ModuleProgramNode::moduleScopeData):
        * parser/NodesAnalyzeModule.cpp:
        (JSC::ExportDefaultDeclarationNode::analyzeModule):
        (JSC::ExportNamedDeclarationNode::analyzeModule): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClassDeclaration):
        (JSC::Parser<LexerType>::parseExportSpecifier):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        * parser/Parser.h:
        (JSC::Parser::exportName):
        (JSC::Parser<LexerType>::parse):
        (JSC::ModuleScopeData::create): Deleted.
        (JSC::ModuleScopeData::exportedBindings): Deleted.
        (JSC::ModuleScopeData::exportName): Deleted.
        (JSC::ModuleScopeData::exportBinding): Deleted.
        (JSC::Scope::Scope): Deleted.
        (JSC::Scope::setSourceParseMode): Deleted.
        (JSC::Scope::moduleScopeData): Deleted.
        (JSC::Scope::setIsModule): Deleted.
        * tests/modules/aliased-names.js: Added.
        * tests/modules/aliased-names/main.js: Added.
        (change):
        * tests/stress/modules-syntax-error-with-names.js:
        (export.Cocoa):
        (SyntaxError.Cannot.export.a.duplicate.name):
        * tests/test262.yaml:

2016-07-30  Mark Lam  <mark.lam@apple.com>

        Assertion failure while setting the length of an ArrayClass array.
        https://bugs.webkit.org/show_bug.cgi?id=160381
        <rdar://problem/27328703>

        Reviewed by Filip Pizlo.

        When setting large length values, we're currently treating ArrayClass as a
        ContiguousIndexingType array.  This results in an assertion failure.  This is
        now fixed.

        There are currently only 2 places where we create arrays with indexing type
        ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray::setLength()
        takes care of ArrayPrototype.

        RuntimeArray already checks for the setting of its length property, and will
        throw a RangeError.  Hence, no change is needed for the RuntimeArray.
        Instead, I added some test cases to ensure that the check and throw behavior does
        not change without notice.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
        (toString):
        (assertEqual):
        * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
        (toString):
        (assertEqual):

2016-07-29  Keith Miller  <keith_miller@apple.com>

        TypedArray super constructor has some incompatibilities
        https://bugs.webkit.org/show_bug.cgi?id=160369

        Reviewed by Filip Pizlo.

        This patch fixes the length property of the TypedArray super constructor.
        Additionally, the TypedArray super constructor should no longer be callable.

        Also, this patch fixes the expected result of some test262 tests.

        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::finishCreation):
        (JSC::constructTypedArrayView):
        (JSC::JSTypedArrayViewConstructor::getCallData):
        * tests/test262.yaml:

2016-07-29  Jonathan Bedard  <jbedard@apple.com>

        Undefined Behavior in JSValue cast from NaN
        https://bugs.webkit.org/show_bug.cgi?id=160322

        Reviewed by Mark Lam.

        JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.

        In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
        to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
        double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
        should immediately call the explicit double constructor both for efficiency and to prevent inadvertent
        suppressing of any other bugs which may be instantiating a JSValue with a NaN double.

        * runtime/JSCJSValueInlines.h:
        (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.

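As an added illustration (not JavaScriptCore code), the tagged number type below mirrors the int32-or-double decision the entry above describes: NaN and out-of-range doubles are rejected before any cast to int32_t, since that conversion is undefined behaviour in C++, and a dedicated NaN constructor bypasses the classification entirely, as the jsNaN() fix does. TaggedNumber, representableAsInt32(), encodeNumber() and encodeNaN() are names constructed for this example and do not reproduce JSValue's real encoding.

```cpp
// Added example, not JavaScriptCore code: a tagged "int32 or double" number
// in the spirit of JSValue. Converting NaN, infinity or any out-of-range
// double to int32_t is undefined behaviour in C++, so every rejecting check
// runs before the cast.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

struct TaggedNumber {
    enum class Kind { Int32, Double };
    Kind kind;
    int32_t asInt32;   // meaningful only when kind == Kind::Int32
    double asDouble;   // meaningful only when kind == Kind::Double
};

// True only if d is an integer in [INT32_MIN, INT32_MAX] other than -0.0.
bool representableAsInt32(double d)
{
    if (std::isnan(d))
        return false;                               // NaN: casting would be UB
    const double lo = std::numeric_limits<int32_t>::min();
    const double hi = std::numeric_limits<int32_t>::max();
    if (d < lo || d > hi)
        return false;                               // also rejects +/- infinity
    const int32_t i = static_cast<int32_t>(d);      // in range: well-defined cast
    if (static_cast<double>(i) != d)
        return false;                               // fractional part present
    if (d == 0.0 && std::signbit(d))
        return false;                               // -0.0 must stay a double
    return true;
}

// Generic constructor: use the compact int32 form only when it is lossless.
TaggedNumber encodeNumber(double d)
{
    if (representableAsInt32(d))
        return { TaggedNumber::Kind::Int32, static_cast<int32_t>(d), 0.0 };
    return { TaggedNumber::Kind::Double, 0, d };
}

// Dedicated NaN constructor: goes straight to the double form and never
// enters the int32 classification path (the approach the jsNaN() fix takes).
TaggedNumber encodeNaN()
{
    return { TaggedNumber::Kind::Double, 0,
             std::numeric_limits<double>::quiet_NaN() };
}

int main()
{
    // Constructed sample inputs covering the interesting edge cases.
    const double samples[] = { 42.0, -0.0, 2147483648.0, 0.5,
                               std::numeric_limits<double>::quiet_NaN() };
    for (double d : samples) {
        TaggedNumber n = encodeNumber(d);
        std::printf("%g -> %s\n", d,
                    n.kind == TaggedNumber::Kind::Int32 ? "int32" : "double");
    }
    std::printf("encodeNaN() is double: %d\n",
                encodeNaN().kind == TaggedNumber::Kind::Double);
    return 0;
}
```
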
2016-07-29  Michael Saboff  <msaboff@apple.com>

        Refactor DFG::Node::hasLocal() to accessesStack()
        https://bugs.webkit.org/show_bug.cgi?id=160357

        Reviewed by Filip Pizlo.

        Refactoring in preparation for using register arguments for JavaScript calls.

        Renamed Node::hasLocal() to Node::accessesStack() and changed all uses accordingly.
        Also changed uses of Node::hasVariableAccessData() to accessesStack() where that
        use guards stack operation logic associated with the Node's VariableAccessData.

        The hasVariableAccessData() check now implies no more than the node has a
        VariableAccessData and nothing about its use of that data to coordinate stack
        accesses.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::containsMovHint):
        (JSC::DFG::Node::accessesStack):
        (JSC::DFG::Node::hasLocal): Deleted.
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGValidate.cpp:

648 2016-07-29  Benjamin Poulain  <benjamin@webkit.org>
649
650         [JSC] Use the same data structures for DFG and Air Liveness Analysis
651         https://bugs.webkit.org/show_bug.cgi?id=160346
652
653         Reviewed by Geoffrey Garen.
654
655         In Air, we minimized memory accesses during liveness analysis
656         with a couple of tricks:
657         -Use a single Sparse Set ADT for the live value of each block.
658         -Manipulate compact positive indices instead of hashing values.
659
660         This patch brings the same ideas to DFG.
661
662         This patch still uses the same fixpoint algorithms.
663         The reason is Edge's KillStatus used by other phases. We cannot
664         use a block-boundary liveness algorithm and update KillStatus
665         simultaneously. It's something I'll probably revisit at some point.
666
667         * dfg/DFGAbstractInterpreterInlines.h:
668         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
669         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
670         * dfg/DFGBasicBlock.h:
671         * dfg/DFGGraph.h:
672         (JSC::DFG::Graph::maxNodeCount):
673         (JSC::DFG::Graph::nodeAt):
674         * dfg/DFGInPlaceAbstractState.cpp:
675         (JSC::DFG::setLiveValues):
676         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
677         * dfg/DFGLivenessAnalysisPhase.cpp:
678         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
679         (JSC::DFG::LivenessAnalysisPhase::run):
680         (JSC::DFG::LivenessAnalysisPhase::processBlock):
681         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
682         (JSC::DFG::LivenessAnalysisPhase::process): Deleted.
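
The sparse set with compact indices that the entry above describes, as an added example that is not JSC's code: a Briggs-style sparse set keyed by node index, used to compute one block's live-in set backwards from its live-out set. The `Node` layout, `IndexSparseSet` name and the sample block are constructed for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Briggs/Torczon sparse set: O(1) add/remove/contains, iteration over the
// live members only, and no hashing. Members are compact indices in
// [0, capacity), which is what node indices give a liveness analysis.
class IndexSparseSet {
public:
    explicit IndexSparseSet(std::size_t capacity)
        : m_sparse(capacity, 0)
    {
        m_dense.reserve(capacity);
    }

    bool contains(unsigned index) const
    {
        unsigned pos = m_sparse[index];
        return pos < m_dense.size() && m_dense[pos] == index;
    }
    bool add(unsigned index)
    {
        if (contains(index))
            return false;
        m_sparse[index] = static_cast<unsigned>(m_dense.size());
        m_dense.push_back(index);
        return true;
    }
    bool remove(unsigned index)
    {
        if (!contains(index))
            return false;
        unsigned pos = m_sparse[index];
        unsigned last = m_dense.back();
        m_dense[pos] = last; // move the last member into the hole
        m_sparse[last] = pos;
        m_dense.pop_back();
        return true;
    }
    std::size_t size() const { return m_dense.size(); }
    const std::vector<unsigned>& members() const { return m_dense; }

private:
    std::vector<unsigned> m_sparse; // index -> position in m_dense (stale entries are harmless)
    std::vector<unsigned> m_dense;  // the live indices, packed
};

// Constructed stand-in for a DFG node: its own compact index and the
// indices of the nodes it uses.
struct Node {
    unsigned index;
    std::vector<unsigned> children;
};

// Backward liveness over one block: start from liveOut, then walk the nodes
// in reverse, killing each node's own definition and adding its uses.
IndexSparseSet liveInForBlock(const std::vector<Node>& block, const IndexSparseSet& liveOut, std::size_t maxNodeCount)
{
    IndexSparseSet live(maxNodeCount);
    for (unsigned n : liveOut.members())
        live.add(n);
    for (std::size_t i = block.size(); i-- > 0;) {
        const Node& node = block[i];
        live.remove(node.index); // defined here, so not live above this node
        for (unsigned child : node.children)
            live.add(child);     // operands must be live before this node
    }
    return live;
}

// Exercises add/remove/contains, including removing the only member.
bool sparseSetSelfCheck()
{
    IndexSparseSet set(8);
    bool ok = set.add(3) && !set.add(3) && set.contains(3);
    ok = ok && set.add(5) && set.remove(3) && !set.contains(3) && set.contains(5);
    ok = ok && !set.remove(3) && set.size() == 1;
    ok = ok && set.remove(5) && set.size() == 0 && !set.contains(5) && !set.contains(3);
    return ok;
}

// Constructed block: n0 and n1 come from a predecessor; n2 uses n0 and n1,
// n3 uses n2, n4 uses n1; only n3 is live out. Returns the sorted live-in set.
std::vector<unsigned> sampleLiveIn()
{
    const std::size_t maxNodeCount = 5;
    std::vector<Node> block = {
        { 2, { 0, 1 } },
        { 3, { 2 } },
        { 4, { 1 } },
    };
    IndexSparseSet liveOut(maxNodeCount);
    liveOut.add(3);
    IndexSparseSet liveIn = liveInForBlock(block, liveOut, maxNodeCount);
    std::vector<unsigned> result = liveIn.members();
    std::sort(result.begin(), result.end());
    return result; // {0, 1}: the values the block consumes from above
}
```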
683
684 2016-07-29  Yusuke Suzuki  <utatane.tea@gmail.com>
685
686         Unreviewed, ByValInfo is only used in JIT enabled environments
687         https://bugs.webkit.org/show_bug.cgi?id=158908
688
689         * bytecode/CodeBlock.cpp:
690         (JSC::CodeBlock::stronglyVisitStrongReferences):
691
692 2016-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
693
694         JSC::Symbol should be hash-consed
695         https://bugs.webkit.org/show_bug.cgi?id=158908
696
697         Reviewed by Filip Pizlo.
698
699         Previously, the SymbolImpls held by symbols represented the identity of the symbols.
700         When we check the equality between symbols, we need to load the SymbolImpls of the symbols and compare them.
701
702         This patch performs hash-consing on the symbols. We cache symbols in a per-VM SymbolImpl-keyed WeakGCMap.
703         When creating a new symbol from a SymbolImpl, we first query this map and reuse the previously created symbol
704         if it is found. This ensures a one-to-one correspondence between SymbolImpl and symbol. So now, we can use
705         pointer comparison to query the equality of symbols.
706
707         This change drops SymbolImpl loads when checking equality. Furthermore, we can use DFG CheckCell on a symbol
708         when we would like to ensure that the given value is the expected symbol. This cleans up GetByVal's symbol-keyed
709         caching. Then, we changed CheckIdent to CheckStringIdent since it only checks the string case now. The symbol
710         case is handled by CheckCell.
711
712         Additionally, this patch also cleans up the Map / Set implementation since we can use the logic for JSCell for symbols.
713
714         The performance effects in the related benchmarks are the following.
715
716                                                                baseline                   patch
717
718             bigswitch-indirect-symbol-or-undefined         85.6214+-1.0063     ^     63.0522+-0.8615        ^ definitely 1.3579x faster
719             bigswitch-indirect-symbol                      84.9653+-0.6258     ^     80.4900+-0.8008        ^ definitely 1.0556x faster
720             fold-put-by-val-with-symbol-to-multi-put-by-offset
721                                                             9.4396+-0.3726            9.2941+-0.3311          might be 1.0157x faster
722             inlined-put-by-val-with-symbol-transition
723                                                            49.5477+-0.2401     ?     49.7533+-0.3369        ?
724             get-by-val-with-symbol-self-or-proto           11.9740+-0.0798     ?     12.1706+-0.2723        ? might be 1.0164x slower
725             get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
726                                                             4.1364+-0.0841            4.0872+-0.0925          might be 1.0120x faster
727             put-by-val-with-symbol                         11.3709+-0.0223           11.3613+-0.0264
728             get-by-val-with-symbol-proto-or-self           11.8984+-0.0706     ?     11.9030+-0.0787        ?
729             polymorphic-put-by-val-with-symbol             31.4176+-0.0558           31.3825+-0.0447
730             implicit-bigswitch-indirect-symbol             61.3115+-0.6577     ^     58.0098+-0.1212        ^ definitely 1.0569x faster
731             get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
732                                                             3.3139+-0.0565     ^      2.9947+-0.0732        ^ definitely 1.1066x faster
733             get-by-val-with-symbol-chain-from-try-block
734                                                             2.2316+-0.0179            2.2137+-0.0210
735             get-by-val-with-symbol-bimorphic-check-structure-elimination
736                                                            10.6031+-0.2216     ^     10.0939+-0.1977        ^ definitely 1.0504x faster
737             get-by-val-with-symbol-check-structure-elimination
738                                                             8.5576+-0.1521     ^      7.7107+-0.1308        ^ definitely 1.1098x faster
739             put-by-val-with-symbol-slightly-polymorphic
740                                                             3.1957+-0.0538     ^      2.9181+-0.0708        ^ definitely 1.0951x faster
741             put-by-val-with-symbol-replace-and-transition
742                                                            11.8253+-0.0757     ^     11.6590+-0.0351        ^ definitely 1.0143x faster
743
744             <geometric>                                    13.3911+-0.0527     ^     12.7376+-0.0457        ^ definitely 1.0513x faster
745
746         * bytecode/ByValInfo.h:
747         * bytecode/CodeBlock.cpp:
748         (JSC::CodeBlock::stronglyVisitStrongReferences):
749         * dfg/DFGAbstractInterpreterInlines.h:
750         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
751         * dfg/DFGByteCodeParser.cpp:
752         (JSC::DFG::ByteCodeParser::parseBlock):
753         * dfg/DFGClobberize.h:
754         (JSC::DFG::clobberize):
755         * dfg/DFGConstantFoldingPhase.cpp:
756         (JSC::DFG::ConstantFoldingPhase::foldConstants):
757         * dfg/DFGDoesGC.cpp:
758         (JSC::DFG::doesGC):
759         * dfg/DFGFixupPhase.cpp:
760         (JSC::DFG::FixupPhase::fixupNode):
761         * dfg/DFGNode.h:
762         (JSC::DFG::Node::hasUidOperand):
763         * dfg/DFGNodeType.h:
764         * dfg/DFGPredictionPropagationPhase.cpp:
765         * dfg/DFGSafeToExecute.h:
766         (JSC::DFG::safeToExecute):
767         * dfg/DFGSpeculativeJIT.cpp:
768         (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
769         (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
770         (JSC::DFG::SpeculativeJIT::compileCheckStringIdent):
771         (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols): Deleted.
772         (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
773         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
774         * dfg/DFGSpeculativeJIT.h:
775         * dfg/DFGSpeculativeJIT32_64.cpp:
776         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
777         (JSC::DFG::SpeculativeJIT::compile):
778         * dfg/DFGSpeculativeJIT64.cpp:
779         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
780         (JSC::DFG::SpeculativeJIT::compile):
781         * ftl/FTLAbstractHeapRepository.h:
782         * ftl/FTLCapabilities.cpp:
783         (JSC::FTL::canCompile):
784         * ftl/FTLLowerDFGToB3.cpp:
785         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
786         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
787         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
788         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): Deleted.
789         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID): Deleted.
790         * jit/JIT.h:
791         * jit/JITOperations.cpp:
792         (JSC::tryGetByValOptimize):
793         * jit/JITPropertyAccess.cpp:
794         (JSC::JIT::emitGetByValWithCachedId):
795         (JSC::JIT::emitPutByValWithCachedId):
796         (JSC::JIT::emitByValIdentifierCheck):
797         (JSC::JIT::privateCompileGetByValWithCachedId):
798         (JSC::JIT::privateCompilePutByValWithCachedId):
799         (JSC::JIT::emitIdentifierCheck): Deleted.
800         * jit/JITPropertyAccess32_64.cpp:
801         (JSC::JIT::emitGetByValWithCachedId):
802         (JSC::JIT::emitPutByValWithCachedId):
803         * runtime/JSCJSValue.cpp:
804         (JSC::JSValue::dumpInContextAssumingStructure):
805         * runtime/JSCJSValueInlines.h:
806         (JSC::JSValue::equalSlowCaseInline):
807         (JSC::JSValue::strictEqualSlowCaseInline): Deleted.
808         * runtime/JSFunction.cpp:
809         (JSC::JSFunction::setFunctionName):
810         * runtime/MapData.h:
811         * runtime/MapDataInlines.h:
812         (JSC::JSIterator>::clear): Deleted.
813         (JSC::JSIterator>::find): Deleted.
814         (JSC::JSIterator>::add): Deleted.
815         (JSC::JSIterator>::remove): Deleted.
816         (JSC::JSIterator>::replaceAndPackBackingStore): Deleted.
817         * runtime/Symbol.cpp:
818         (JSC::Symbol::finishCreation):
819         (JSC::Symbol::create):
820         * runtime/Symbol.h:
821         * runtime/VM.cpp:
822         (JSC::VM::VM):
823         * runtime/VM.h:
824         * tests/stress/symbol-equality-over-gc.js: Added.
825         (shouldBe):
826         (test):
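
The hash-consing invariant from the entry above, as an added example that is not JSC's code: one `Symbol` cell per `SymbolImpl`, so that pointer comparison of cells agrees with comparing their `SymbolImpl`s. The `SymbolTable` class and a plain map standing in for the per-VM WeakGCMap are constructed for this example; a real weak map would also let the GC drop entries.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>

// Constructed stand-ins: SymbolImpl is the already-unique description of a
// symbol; Symbol is the GC cell wrapping it.
struct SymbolImpl {
    std::string description;
};

struct Symbol {
    const SymbolImpl* impl;
    explicit Symbol(const SymbolImpl* i) : impl(i) { }
};

// Stand-in for the SymbolImpl-keyed map: creation goes through here, so
// the same SymbolImpl always yields the same cell.
class SymbolTable {
public:
    Symbol* create(const SymbolImpl* impl)
    {
        auto it = m_map.find(impl);
        if (it != m_map.end())
            return it->second.get(); // reuse the previously created symbol
        auto cell = std::make_unique<Symbol>(impl);
        Symbol* raw = cell.get();
        m_map.emplace(impl, std::move(cell));
        return raw;
    }
    std::size_t cellCount() const { return m_map.size(); }

private:
    std::unordered_map<const SymbolImpl*, std::unique_ptr<Symbol>> m_map;
};

// Before: equality loads both SymbolImpls and compares them.
bool equalsByImpl(const Symbol* a, const Symbol* b) { return a->impl == b->impl; }
// After: with one cell per SymbolImpl, comparing the cell pointers is enough.
bool equalsByCell(const Symbol* a, const Symbol* b) { return a == b; }

// With hash-consing, both notions of equality agree and no duplicate cell exists.
bool hashConsingKeepsEqualityConsistent()
{
    SymbolImpl foo { "foo" };
    SymbolImpl bar { "bar" };
    SymbolTable table;
    Symbol* a = table.create(&foo);
    Symbol* b = table.create(&foo); // same cell as a
    Symbol* c = table.create(&bar);
    return a == b
        && table.cellCount() == 2
        && equalsByImpl(a, b) == equalsByCell(a, b)
        && equalsByImpl(a, c) == equalsByCell(a, c)
        && !equalsByCell(a, c);
}

// Without hash-consing, two cells can wrap one SymbolImpl, and a pointer
// comparison (or a CheckCell) would wrongly treat them as different symbols.
bool withoutHashConsingPointerEqualityDisagrees()
{
    SymbolImpl foo { "foo" };
    Symbol a(&foo);
    Symbol b(&foo);
    return equalsByImpl(&a, &b) && !equalsByCell(&a, &b);
}
```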
827
828 2016-07-28  Mark Lam  <mark.lam@apple.com>
829
830         ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string.
831         https://bugs.webkit.org/show_bug.cgi?id=160324
832         <rdar://problem/27389572>
833
834         Reviewed by Keith Miller.
835
836         The issue is that errorProtoFuncToString() was using jsNontrivialString() to
837         generate the error string even when the name string can be a single character
838         string.  This is incorrect.  We should be using jsString() instead.
839
840         * runtime/ErrorPrototype.cpp:
841         (JSC::errorProtoFuncToString):
842         * tests/stress/errors-with-simple-names-or-messages-should-not-crash-toString.js: Added.
843
844 2016-07-28  Michael Saboff  <msaboff@apple.com>
845
846         ARM64: Fused left shift with a right shift can create NaNs from integers
847         https://bugs.webkit.org/show_bug.cgi?id=160329
848
849         Reviewed by Geoffrey Garen.
850
851         When we fuse a left shift and a right shift of integers where the shift amounts
852         are the same and the size of the quantity being shifted is 8 bits, we rightly
853         generate a sign extend byte instruction.  On ARM64, we were sign extending
854         to a 64 bit quantity, when we really wanted to sign extend to a 32 bit quantity.
855
856         Checking the ARM64 macro assembler showed we were extending to 64 bits for all
857         four combinations of zero / sign and 8 / 16 bits.
858         
859         * assembler/MacroAssemblerARM64.h:
860         (JSC::MacroAssemblerARM64::zeroExtend16To32):
861         (JSC::MacroAssemblerARM64::signExtend16To32):
862         (JSC::MacroAssemblerARM64::zeroExtend8To32):
863         (JSC::MacroAssemblerARM64::signExtend8To32):
864         * tests/stress/regress-160329.js: New test added.
865         (narrow):
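
What the four extension helpers in the entry above must compute, as an added example that is not JSC's code: each returns a 32-bit result held in a 64-bit register, so the upper 32 bits are clear, and the 64-bit sign extension the bug produced is shown beside it. The function names mirror the entry's helpers; `fusedShiftNarrow8` is an assumed stand-in for the fused `(x << 24) >> 24` pattern on an int32 operand.

```cpp
#include <cstdint>

// Correct: extend to 32 bits. In a 64-bit register the W-register forms of
// sxtb/sxth/uxtb/uxth leave the upper half zero, which is what the JIT expects.
uint64_t signExtend8To32(uint32_t x)
{
    return static_cast<uint32_t>(static_cast<int32_t>(static_cast<int8_t>(x & 0xff)));
}
uint64_t signExtend16To32(uint32_t x)
{
    return static_cast<uint32_t>(static_cast<int32_t>(static_cast<int16_t>(x & 0xffff)));
}
uint64_t zeroExtend8To32(uint32_t x) { return x & 0xff; }
uint64_t zeroExtend16To32(uint32_t x) { return x & 0xffff; }

// The bug: extending into the full 64-bit X register instead. For a negative
// byte the upper 32 bits become all ones, so the register no longer holds
// a plain 32-bit integer.
uint64_t signExtend8To64(uint32_t x)
{
    return static_cast<uint64_t>(static_cast<int64_t>(static_cast<int8_t>(x & 0xff)));
}
uint64_t signExtend16To64(uint32_t x)
{
    return static_cast<uint64_t>(static_cast<int64_t>(static_cast<int16_t>(x & 0xffff)));
}

// The property the fix restores: a 32-bit result with a clean upper half.
bool upperHalfClear(uint64_t v) { return (v >> 32) == 0; }

// (x << 24) >> 24 as JavaScript evaluates it on an int32: the left shift acts
// on the 32-bit pattern, the right shift is arithmetic. The fused form is a
// sign extension of the low byte to 32 bits.
int32_t fusedShiftNarrow8(int32_t x)
{
    uint32_t shifted = static_cast<uint32_t>(x) << 24;
    return static_cast<int32_t>(shifted) >> 24;
}

// The fusion is only valid if both forms agree on the 32-bit result.
bool fusedShiftMatchesSignExtend8(int32_t x)
{
    return static_cast<uint32_t>(fusedShiftNarrow8(x)) == signExtend8To32(static_cast<uint32_t>(x));
}
```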
866
867 2016-07-28  Mark Lam  <mark.lam@apple.com>
868
869         StringView should have an explicit m_is8Bit field.
870         https://bugs.webkit.org/show_bug.cgi?id=160282
871         <rdar://problem/27327943>
872
873         Reviewed by Benjamin Poulain.
874
875         * tests/stress/string-joining-long-strings-should-not-crash.js: Added.
876         (catch):
877
878 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
879
880         [ARM] Typo fix after r121885
881         https://bugs.webkit.org/show_bug.cgi?id=160288
882
883         Reviewed by Zoltan Herczeg.
884
885         * assembler/MacroAssemblerARM.h:
886         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
887
888 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
889
890         64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214
891         https://bugs.webkit.org/show_bug.cgi?id=159711
892
893         Reviewed by Mark Lam.
894
895         * assembler/ARMAssembler.cpp:
896         (JSC::ARMAssembler::prepareExecutableCopy):
897
898 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
899
900         [JSC] Remove some unused code from FTL
901         https://bugs.webkit.org/show_bug.cgi?id=160285
902
903         Reviewed by Mark Lam.
904
905         All the liveness and swapping is done inside B3,
906         this code is no longer needed.
907
908         * dfg/DFGEdge.h:
909         (JSC::DFG::Edge::doesNotKill): Deleted.
910         * ftl/FTLLowerDFGToB3.cpp:
911         (JSC::FTL::DFG::LowerDFGToB3::doesKill): Deleted.
912
913 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
914
915         [JSC] DFG::Node should not have its own allocator
916         https://bugs.webkit.org/show_bug.cgi?id=160098
917
918         Reviewed by Geoffrey Garen.
919
920         We need some design changes for DFG::Node:
921         -Accessing the index must be fast. B3 uses indices for sets
922          and maps; it is a lot faster than hashing pointers.
923         -We should be able to subclass DFG::Node to specialize it.
924
925         * CMakeLists.txt:
926         * JavaScriptCore.xcodeproj/project.pbxproj:
927         * dfg/DFGAllocator.h: Removed.
928         (JSC::DFG::Allocator::Region::size): Deleted.
929         (JSC::DFG::Allocator::Region::headerSize): Deleted.
930         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
931         (JSC::DFG::Allocator::Region::data): Deleted.
932         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
933         (JSC::DFG::Allocator::Region::regionFor): Deleted.
934         (JSC::DFG::Allocator<T>::Allocator): Deleted.
935         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
936         (JSC::DFG::Allocator<T>::allocate): Deleted.
937         (JSC::DFG::Allocator<T>::free): Deleted.
938         (JSC::DFG::Allocator<T>::freeAll): Deleted.
939         (JSC::DFG::Allocator<T>::reset): Deleted.
940         (JSC::DFG::Allocator<T>::indexOf): Deleted.
941         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
942         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
943         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
944         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
945         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
946         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
947         * dfg/DFGByteCodeParser.cpp:
948         (JSC::DFG::ByteCodeParser::addToGraph):
949         * dfg/DFGCPSRethreadingPhase.cpp:
950         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
951         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
952         * dfg/DFGCleanUpPhase.cpp:
953         (JSC::DFG::CleanUpPhase::run):
954         * dfg/DFGConstantFoldingPhase.cpp:
955         (JSC::DFG::ConstantFoldingPhase::run):
956         * dfg/DFGConstantHoistingPhase.cpp:
957         * dfg/DFGDCEPhase.cpp:
958         (JSC::DFG::DCEPhase::fixupBlock):
959         * dfg/DFGDriver.cpp:
960         (JSC::DFG::compileImpl):
961         * dfg/DFGGraph.cpp:
962         (JSC::DFG::Graph::Graph):
963         (JSC::DFG::Graph::deleteNode):
964         (JSC::DFG::Graph::killBlockAndItsContents):
965         (JSC::DFG::Graph::~Graph): Deleted.
966         * dfg/DFGGraph.h:
967         (JSC::DFG::Graph::addNode):
968         * dfg/DFGLICMPhase.cpp:
969         (JSC::DFG::LICMPhase::attemptHoist):
970         * dfg/DFGLongLivedState.cpp: Removed.
971         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
972         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
973         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
974         * dfg/DFGLongLivedState.h: Removed.
975         * dfg/DFGNode.cpp:
976         (JSC::DFG::Node::index): Deleted.
977         * dfg/DFGNode.h:
978         (JSC::DFG::Node::index):
979         * dfg/DFGNodeAllocator.h: Removed.
980         (operator new ): Deleted.
981         * dfg/DFGObjectAllocationSinkingPhase.cpp:
982         * dfg/DFGPlan.cpp:
983         (JSC::DFG::Plan::compileInThread):
984         (JSC::DFG::Plan::compileInThreadImpl):
985         * dfg/DFGPlan.h:
986         * dfg/DFGSSAConversionPhase.cpp:
987         (JSC::DFG::SSAConversionPhase::run):
988         * dfg/DFGWorklist.cpp:
989         (JSC::DFG::Worklist::runThread):
990         * runtime/VM.cpp:
991         (JSC::VM::VM): Deleted.
992         * runtime/VM.h:
993
994 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
995
996         [JSC] Fix a bunch of use-after-free of DFG::Node
997         https://bugs.webkit.org/show_bug.cgi?id=160228
998
999         Reviewed by Mark Lam.
1000
1001         FTL had a few places where we use a node after it has been
1002         deleted. The dangling pointers come from the SSA liveness information
1003         kept on the basic blocks.
1004
1005         This patch fixes the issues I could find and adds liveness invalidation
1006         to help finding dependencies like these.
1007
1008         * dfg/DFGBasicBlock.h:
1009         (JSC::DFG::BasicBlock::SSAData::invalidate):
1010
1011         * dfg/DFGConstantFoldingPhase.cpp:
1012         (JSC::DFG::ConstantFoldingPhase::run):
1013         Constant folding phase was deleting nodes in the loop over basic blocks.
1014         The problem is the deleted nodes can be referenced by other blocks.
1015         When the abstract interpreter was manipulating the abstract values of those,
1016         it was doing so on the dead nodes.
1017
1018         * dfg/DFGConstantHoistingPhase.cpp:
1019         Just invalidation. Nothing wrong here since the useless nodes were
1020         kept live while iterating the blocks.
1021
1022         * dfg/DFGGraph.cpp:
1023         (JSC::DFG::Graph::killBlockAndItsContents):
1024         (JSC::DFG::Graph::killUnreachableBlocks):
1025         (JSC::DFG::Graph::invalidateNodeLiveness):
1026
1027         * dfg/DFGGraph.h:
1028         * dfg/DFGPlan.cpp:
1029         (JSC::DFG::Plan::compileInThreadImpl):
1030         We had a lot of use-after-free in LICM because we were using the stale
1031         live nodes deleted by previous phases.
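
The liveness-invalidation pattern the entry above adds, as an added example that is not JSC's code: liveness results hold raw node pointers, so any phase that deletes a node must drop them, and consumers check validity instead of reading stale pointers. The `Graph`, `BasicBlock`, `SSAData` and `Node` types here are constructed stand-ins, and the deleted node is kept allocated so the demonstration itself stays memory-safe.

```cpp
#include <memory>
#include <stdexcept>
#include <vector>

struct Node {
    unsigned index = 0;
    bool deleted = false;
};

// Stand-in for BasicBlock::SSAData: liveness as raw Node pointers, which
// dangle as soon as a phase deletes a node they name.
struct SSAData {
    std::vector<Node*> liveAtHead;
    std::vector<Node*> liveAtTail;
    bool valid = false;
    void invalidate()
    {
        liveAtHead.clear();
        liveAtTail.clear();
        valid = false;
    }
};

struct BasicBlock {
    SSAData ssa;
    std::vector<Node*> nodes;
};

class Graph {
public:
    Node* addNode()
    {
        auto node = std::make_unique<Node>();
        node->index = static_cast<unsigned>(m_nodes.size());
        m_nodes.push_back(std::move(node));
        return m_nodes.back().get();
    }
    BasicBlock* addBlock()
    {
        m_blocks.push_back(std::make_unique<BasicBlock>());
        return m_blocks.back().get();
    }
    // Deleting a node must also discard every liveness result that may name it,
    // because other blocks' liveness can reference nodes of this block.
    void deleteNode(Node* node)
    {
        node->deleted = true; // the real graph frees it; kept allocated here
        invalidateNodeLiveness();
    }
    void invalidateNodeLiveness()
    {
        for (auto& block : m_blocks)
            block->ssa.invalidate();
    }
    // Stand-in for a liveness phase: every node of a block is live at its head.
    void computeLiveness()
    {
        for (auto& block : m_blocks) {
            block->ssa.liveAtHead = block->nodes;
            block->ssa.valid = true;
        }
    }
    // Consumers (constant folding, LICM, ...) go through this check rather
    // than trusting whatever pointers a previous phase left behind.
    const std::vector<Node*>& liveAtHead(BasicBlock* block)
    {
        if (!block->ssa.valid)
            throw std::logic_error("liveness is stale; rerun the liveness phase");
        return block->ssa.liveAtHead;
    }

private:
    std::vector<std::unique_ptr<Node>> m_nodes;
    std::vector<std::unique_ptr<BasicBlock>> m_blocks;
};

// The scenario from the entry: one block's phase deletes a node that another
// block's liveness still names; a later read must be rejected, not served.
bool staleLivenessIsRejected()
{
    Graph graph;
    BasicBlock* a = graph.addBlock();
    BasicBlock* b = graph.addBlock();
    Node* n0 = graph.addNode();
    a->nodes.push_back(n0);
    b->nodes.push_back(n0); // b's liveness will reference n0
    graph.computeLiveness();
    bool validBefore = graph.liveAtHead(b).size() == 1 && graph.liveAtHead(b)[0] == n0;
    graph.deleteNode(n0); // e.g. constant folding while iterating block a
    bool rejectedAfter = false;
    try {
        graph.liveAtHead(b);
    } catch (const std::logic_error&) {
        rejectedAfter = true;
    }
    return validBefore && rejectedAfter;
}
```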
1032
1033 2016-07-27  Keith Miller  <keith_miller@apple.com>
1034
1035         concatAppendOne should allocate using the indexing type of the array if it cannot merge
1036         https://bugs.webkit.org/show_bug.cgi?id=160261
1037         <rdar://problem/27530122>
1038
1039         Reviewed by Mark Lam.
1040
1041         Before, if we could not merge the indexing types for copying, we would allocate
1042         the array as ArrayWithUndecided. Instead, we should allocate an array with the original
1043         array's indexing type.
1044
1045         * runtime/ArrayPrototype.cpp:
1046         (JSC::concatAppendOne):
1047         * tests/stress/concat-append-one-with-sparse-array.js: Added.
1048
1049 2016-07-27  Saam Barati  <sbarati@apple.com>
1050
1051         We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
1052         https://bugs.webkit.org/show_bug.cgi?id=160211
1053         <rdar://problem/27572612>
1054
1055         Reviewed by Geoffrey Garen.
1056
1057         The fast for-in iteration mode assumes all inline/out-of-line properties
1058         can be iterated in linear order. This is not true if we have Symbols
1059         because Symbols should not be iterated by for-in.
1060
1061         * runtime/Structure.cpp:
1062         (JSC::Structure::add):
1063         * tests/stress/symbol-should-not-break-for-in.js: Added.
1064         (assert):
1065         (foo):
1066
1067 2016-07-27  Mark Lam  <mark.lam@apple.com>
1068
1069         The second argument for Function.prototype.apply should be array-like or null/undefined.
1070         https://bugs.webkit.org/show_bug.cgi?id=160212
1071         <rdar://problem/27328525>
1072
1073         Reviewed by Filip Pizlo.
1074
1075         The spec for Function.prototype.apply says its second argument can only be null,
1076         undefined, or must be array-like.  See
1077         https://tc39.github.io/ecma262/#sec-function.prototype.apply and
1078         https://tc39.github.io/ecma262/#sec-createlistfromarraylike.
1079
1080         Our previous implementation was not handling this correctly for SymbolType.
1081         This is now fixed.
1082
1083         * interpreter/Interpreter.cpp:
1084         (JSC::sizeOfVarargs):
1085         * tests/stress/apply-second-argument-must-be-array-like.js: Added.
1086
1087 2016-07-27  Saam Barati  <sbarati@apple.com>
1088
1089         MathICs should be able to emit only a jump along the inline path when they don't have any type data
1090         https://bugs.webkit.org/show_bug.cgi?id=160110
1091
1092         Reviewed by Mark Lam.
1093
1094         This patch allows for MathIC fast-path generation to be delayed.
1095         We delay when we don't see any observed type information for
1096         the lhs/rhs operand, which implies that the MathIC has never
1097         executed. This is profitable for two main reasons:
1098         1. If the math operation never executes, we emit much less code.
1099         2. Once we get type information for the lhs/rhs, we can emit better code.
1100
1101         To implement this, we just emit a jump to the slow path call
1102         that will repatch on first execution.
1103
1104         New data for add:
1105                    |   JetStream  |  Unity 3D  |
1106              ------| -------------|--------------
1107               Old  |   148 bytes  |  143 bytes |
1108              ------| -------------|--------------
1109               New  |   116  bytes |  113 bytes |
1110              ------------------------------------
1111
1112         New data for mul:
1113                    |   JetStream  |  Unity 3D  |
1114              ------| -------------|--------------
1115               Old  |   210 bytes  |  185 bytes |
1116              ------| -------------|--------------
1117               New  |   170  bytes |  137 bytes |
1118              ------------------------------------
1119
1120         * jit/JITAddGenerator.cpp:
1121         (JSC::JITAddGenerator::generateInline):
1122         * jit/JITAddGenerator.h:
1123         (JSC::JITAddGenerator::isLeftOperandValidConstant):
1124         (JSC::JITAddGenerator::isRightOperandValidConstant):
1125         (JSC::JITAddGenerator::arithProfile):
1126         * jit/JITMathIC.h:
1127         (JSC::JITMathIC::generateInline):
1128         (JSC::JITMathIC::generateOutOfLine):
1129         (JSC::JITMathIC::finalizeInlineCode):
1130         * jit/JITMathICInlineResult.h:
1131         * jit/JITMulGenerator.cpp:
1132         (JSC::JITMulGenerator::generateInline):
1133         * jit/JITMulGenerator.h:
1134         (JSC::JITMulGenerator::isLeftOperandValidConstant):
1135         (JSC::JITMulGenerator::isRightOperandValidConstant):
1136         (JSC::JITMulGenerator::arithProfile):
1137         * jit/JITOperations.cpp:
1138
1139 2016-07-26  Saam Barati  <sbarati@apple.com>
1140
1141         rollout r203666
1142         https://bugs.webkit.org/show_bug.cgi?id=160226
1143
1144         Unreviewed rollout.
1145
1146         * b3/B3BasicBlock.h:
1147         (JSC::B3::BasicBlock::successorBlock):
1148         * b3/B3LowerToAir.cpp:
1149         (JSC::B3::Air::LowerToAir::createGenericCompare):
1150         * b3/B3LowerToAir.h:
1151         * b3/air/AirArg.cpp:
1152         (JSC::B3::Air::Arg::isRepresentableAs):
1153         (JSC::B3::Air::Arg::usesTmp):
1154         * b3/air/AirArg.h:
1155         (JSC::B3::Air::Arg::isRepresentableAs):
1156         (JSC::B3::Air::Arg::asNumber):
1157         (JSC::B3::Air::Arg::castToType): Deleted.
1158         * b3/air/AirCode.h:
1159         (JSC::B3::Air::Code::size):
1160         (JSC::B3::Air::Code::at):
1161         * b3/air/AirOpcode.opcodes:
1162         * b3/air/AirValidate.h:
1163         * b3/air/opcode_generator.rb:
1164         * b3/testb3.cpp:
1165         (JSC::B3::compileAndRun):
1166         (JSC::B3::testSomeEarlyRegister):
1167         (JSC::B3::zero):
1168         (JSC::B3::run):
1169         (JSC::B3::lowerToAirForTesting): Deleted.
1170         (JSC::B3::testBranchBitAndImmFusion): Deleted.
1171
1172 2016-07-26  Caitlin Potter  <caitp@igalia.com>
1173
1174         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
1175         https://bugs.webkit.org/show_bug.cgi?id=159409
1176
1177         Reviewed by Geoffrey Garen.
1178
1179         * runtime/ObjectConstructor.cpp:
1180         (JSC::objectConstructorGetOwnPropertyDescriptors):
1181         * tests/es6.yaml:
1182         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
1183         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
1184         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
1185         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
1186         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
1187
1188 2016-07-26  Mark Lam  <mark.lam@apple.com>
1189
1190         Remove unused DEBUG_WITH_BREAKPOINT configuration.
1191         https://bugs.webkit.org/show_bug.cgi?id=160203
1192
1193         Reviewed by Keith Miller.
1194
1195         * bytecompiler/BytecodeGenerator.cpp:
1196         (JSC::BytecodeGenerator::emitDebugHook):
1197
1198 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
1199
1200         Unreviewed, rolling out r203703.
1201
1202         It breaks some internal tests
1203
1204         Reverted changeset:
1205
1206         "[JSC] DFG::Node should not have its own allocator"
1207         https://bugs.webkit.org/show_bug.cgi?id=160098
1208         http://trac.webkit.org/changeset/203703
1209
1210 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
1211
1212         [JSC] DFG::Node should not have its own allocator
1213         https://bugs.webkit.org/show_bug.cgi?id=160098
1214
1215         Reviewed by Geoffrey Garen.
1216
1217         We need some design changes for DFG::Node:
1218         -Accessing the index must be fast. B3 uses indices for sets
1219          and maps; it is a lot faster than hashing pointers.
1220         -We should be able to subclass DFG::Node to specialize it.
1221
1222         * CMakeLists.txt:
1223         * JavaScriptCore.xcodeproj/project.pbxproj:
1224         * dfg/DFGAllocator.h: Removed.
1225         (JSC::DFG::Allocator::Region::size): Deleted.
1226         (JSC::DFG::Allocator::Region::headerSize): Deleted.
1227         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
1228         (JSC::DFG::Allocator::Region::data): Deleted.
1229         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
1230         (JSC::DFG::Allocator::Region::regionFor): Deleted.
1231         (JSC::DFG::Allocator<T>::Allocator): Deleted.
1232         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
1233         (JSC::DFG::Allocator<T>::allocate): Deleted.
1234         (JSC::DFG::Allocator<T>::free): Deleted.
1235         (JSC::DFG::Allocator<T>::freeAll): Deleted.
1236         (JSC::DFG::Allocator<T>::reset): Deleted.
1237         (JSC::DFG::Allocator<T>::indexOf): Deleted.
1238         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
1239         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
1240         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
1241         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
1242         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
1243         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
1244         * dfg/DFGByteCodeParser.cpp:
1245         (JSC::DFG::ByteCodeParser::addToGraph):
1246         * dfg/DFGCPSRethreadingPhase.cpp:
1247         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1248         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
1249         * dfg/DFGCleanUpPhase.cpp:
1250         (JSC::DFG::CleanUpPhase::run):
1251         * dfg/DFGConstantFoldingPhase.cpp:
1252         (JSC::DFG::ConstantFoldingPhase::run):
1253         * dfg/DFGConstantHoistingPhase.cpp:
1254         * dfg/DFGDCEPhase.cpp:
1255         (JSC::DFG::DCEPhase::fixupBlock):
1256         * dfg/DFGDriver.cpp:
1257         (JSC::DFG::compileImpl):
1258         * dfg/DFGGraph.cpp:
1259         (JSC::DFG::Graph::Graph):
1260         (JSC::DFG::Graph::deleteNode):
1261         (JSC::DFG::Graph::killBlockAndItsContents):
1262         (JSC::DFG::Graph::~Graph): Deleted.
1263         * dfg/DFGGraph.h:
1264         (JSC::DFG::Graph::addNode):
1265         * dfg/DFGLICMPhase.cpp:
1266         (JSC::DFG::LICMPhase::attemptHoist):
1267         * dfg/DFGLongLivedState.cpp: Removed.
1268         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
1269         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
1270         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
1271         * dfg/DFGLongLivedState.h: Removed.
1272         * dfg/DFGNode.cpp:
1273         (JSC::DFG::Node::index): Deleted.
1274         * dfg/DFGNode.h:
1275         (JSC::DFG::Node::index):
1276         * dfg/DFGNodeAllocator.h: Removed.
1277         (operator new ): Deleted.
1278         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1279         * dfg/DFGPlan.cpp:
1280         (JSC::DFG::Plan::compileInThread):
1281         (JSC::DFG::Plan::compileInThreadImpl):
1282         * dfg/DFGPlan.h:
1283         * dfg/DFGSSAConversionPhase.cpp:
1284         (JSC::DFG::SSAConversionPhase::run):
1285         * dfg/DFGWorklist.cpp:
1286         (JSC::DFG::Worklist::runThread):
1287         * runtime/VM.cpp:
1288         (JSC::VM::VM): Deleted.
1289         * runtime/VM.h:
1290
1291 2016-07-25  Filip Pizlo  <fpizlo@apple.com>
1292
1293         AssemblyHelpers should own all of the cell allocation methods
1294         https://bugs.webkit.org/show_bug.cgi?id=160171
1295
1296         Reviewed by Saam Barati.
1297         
1298         Prior to this change we had some code in DFGSpeculativeJIT.h and some code in JIT.h that
1299         did cell allocation.
1300         
1301         This change moves all of that code into AssemblyHelpers.h.
1302
1303         * dfg/DFGSpeculativeJIT.h:
1304         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1305         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1306         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1307         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
1308         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1309         * jit/AssemblyHelpers.h:
1310         (JSC::AssemblyHelpers::emitAllocate):
1311         (JSC::AssemblyHelpers::emitAllocateJSCell):
1312         (JSC::AssemblyHelpers::emitAllocateJSObject):
1313         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1314         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1315         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
1316         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1317         * jit/JIT.h:
1318         * jit/JITInlines.h:
1319         (JSC::JIT::isOperandConstantChar):
1320         (JSC::JIT::emitValueProfilingSite):
1321         (JSC::JIT::emitAllocateJSObject): Deleted.
1322         * jit/JITOpcodes.cpp:
1323         (JSC::JIT::emit_op_new_object):
1324         (JSC::JIT::emit_op_create_this):
1325         * jit/JITOpcodes32_64.cpp:
1326         (JSC::JIT::emit_op_new_object):
1327         (JSC::JIT::emit_op_create_this):
1328
1329 2016-07-25  Saam Barati  <sbarati@apple.com>
1330
1331         MathICs should be able to take and dump stats about code size
1332         https://bugs.webkit.org/show_bug.cgi?id=160148
1333
1334         Reviewed by Filip Pizlo.
1335
1336         This will make testing changes on MathIC going forward much easier.
1337         We will be able to easily see if modifications to MathIC will lead
1338         to us generating smaller code. We now only dump average size when we
1339         regenerate any MathIC. This works out for large tests/pages, but is not
1340         great for testing small programs. We can add more dump points later if
1341         we find that we want to dump stats while running small programs.
1342
1343         * bytecode/CodeBlock.cpp:
1344         (JSC::CodeBlock::jitSoon):
1345         (JSC::CodeBlock::dumpMathICStats):
1346         * bytecode/CodeBlock.h:
1347         (JSC::CodeBlock::isStrictMode):
1348         (JSC::CodeBlock::ecmaMode):
1349         * dfg/DFGSpeculativeJIT.cpp:
1350         (JSC::DFG::SpeculativeJIT::compileMathIC):
1351         * ftl/FTLLowerDFGToB3.cpp:
1352         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
1353         * jit/JITArithmetic.cpp:
1354         (JSC::JIT::emitMathICFast):
1355         (JSC::JIT::emitMathICSlow):
1356         * jit/JITMathIC.h:
1357         (JSC::JITMathIC::finalizeInlineCode):
1358         (JSC::JITMathIC::codeSize):
1359         * jit/JITOperations.cpp:
1360
1361 2016-07-25  Saam Barati  <sbarati@apple.com>
1362
1363         op_mul/ArithMul(Untyped,Untyped) should be an IC
1364         https://bugs.webkit.org/show_bug.cgi?id=160108
1365
1366         Reviewed by Mark Lam.
1367
1368         This patch makes Mul a type-based IC in much the same way that we made
1369         Add a type-based IC. I implemented Mul in the same way. I abstracted the
1370         implementation of the Add IC in the various JITs to allow for it to
1371         work over arbitrary IC snippets. This will make adding Div/Sub/Pow in the
1372         future easy. This patch also adds a new boolean argument to the various
1373         snippet generateFastPath() methods to indicate if we should emit result profiling.
1374         I added this because we want this profiling to be emitted for Mul in
1375         the baseline, but not in the DFG. We used to indicate this through passing
1376         in a nullptr for the ArithProfile, but we no longer do that in the upper
1377         JIT tiers. So we are passing an explicit request from the JIT tier about
1378         whether or not it's worth it for the IC to emit profiling.
1379
1380         We now emit much less code for Mul. Here is some data on the average
1381         Mul snippet/IC size:
1382
1383                    |   JetStream  |  Unity 3D  |
1384              ------|--------------|------------|
1385               Old  |  ~280 bytes  | ~280 bytes |
1386              ------|--------------|------------|
1387               New  |   210 bytes  |  185 bytes |
1388              ------|--------------|------------|
1389
1390         * bytecode/CodeBlock.cpp:
1391         (JSC::CodeBlock::addJITAddIC):
1392         (JSC::CodeBlock::addJITMulIC):
1393         (JSC::CodeBlock::findStubInfo):
1394         * bytecode/CodeBlock.h:
1395         (JSC::CodeBlock::stubInfoBegin):
1396         (JSC::CodeBlock::stubInfoEnd):
1397         * dfg/DFGSpeculativeJIT.cpp:
1398         (JSC::DFG::GPRTemporary::adopt):
1399         (JSC::DFG::FPRTemporary::FPRTemporary):
1400         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1401         (JSC::DFG::SpeculativeJIT::compileMathIC):
1402         (JSC::DFG::SpeculativeJIT::compileArithMul):
1403         * dfg/DFGSpeculativeJIT.h:
1404         (JSC::DFG::SpeculativeJIT::callOperation):
1405         (JSC::DFG::GPRTemporary::GPRTemporary):
1406         (JSC::DFG::GPRTemporary::operator=):
1407         (JSC::DFG::FPRTemporary::~FPRTemporary):
1408         (JSC::DFG::FPRTemporary::fpr):
1409         * ftl/FTLLowerDFGToB3.cpp:
1410         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
1411         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1412         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
1413         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
1414         * jit/JIT.h:
1415         (JSC::JIT::getSlowCase):
1416         * jit/JITAddGenerator.cpp:
1417         (JSC::JITAddGenerator::generateInline):
1418         (JSC::JITAddGenerator::generateFastPath):
1419         * jit/JITAddGenerator.h:
1420         (JSC::JITAddGenerator::JITAddGenerator):
1421         (JSC::JITAddGenerator::isLeftOperandValidConstant):
1422         (JSC::JITAddGenerator::isRightOperandValidConstant):
1423         * jit/JITArithmetic.cpp:
1424         (JSC::JIT::emit_op_add):
1425         (JSC::JIT::emitSlow_op_add):
1426         (JSC::JIT::emitMathICFast):
1427         (JSC::JIT::emitMathICSlow):
1428         (JSC::JIT::emit_op_mul):
1429         (JSC::JIT::emitSlow_op_mul):
1430         (JSC::JIT::emit_op_sub):
1431         * jit/JITInlines.h:
1432         (JSC::JIT::callOperation):
1433         * jit/JITMathIC.h:
1434         (JSC::JITMathIC::slowPathStartLocation):
1435         (JSC::JITMathIC::slowPathCallLocation):
1436         (JSC::JITMathIC::isLeftOperandValidConstant):
1437         (JSC::JITMathIC::isRightOperandValidConstant):
1438         (JSC::JITMathIC::generateInline):
1439         (JSC::JITMathIC::generateOutOfLine):
1440         * jit/JITMathICForwards.h:
1441         * jit/JITMulGenerator.cpp:
1442         (JSC::JITMulGenerator::generateInline):
1443         (JSC::JITMulGenerator::generateFastPath):
1444         * jit/JITMulGenerator.h:
1445         (JSC::JITMulGenerator::JITMulGenerator):
1446         (JSC::JITMulGenerator::isLeftOperandValidConstant):
1447         (JSC::JITMulGenerator::isRightOperandValidConstant):
1448         (JSC::JITMulGenerator::didEmitFastPath): Deleted.
1449         (JSC::JITMulGenerator::endJumpList): Deleted.
1450         (JSC::JITMulGenerator::slowPathJumpList): Deleted.
1451         * jit/JITOperations.cpp:
1452         * jit/JITOperations.h:
1453
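As an added illustration of the type-based arithmetic IC scheme the Mul and Add entries above describe (this is constructed model code, not JSC's JITMathIC, JITMulGenerator or ArithProfile; every name in it is an assumption made for the example): the IC starts with an int+int fast path, drops to a slow path when a type or overflow check fails, records the observed operand types in a 32-bit profile, and regenerates itself as the full snippet once the profile shows the fast path will keep failing. Unlike the real IC, this model only profiles on the slow path.

```cpp
#include <cstdint>
#include <variant>

// Constructed model of a type-based arithmetic IC (names are illustrative, not JSC's).
using Value = std::variant<int32_t, double>;

// A 32-bit profile: one bit per operand type seen on the slow path, plus an overflow bit.
struct ArithProfile {
    enum : uint32_t {
        LhsInt = 1u << 0, LhsDouble = 1u << 1,
        RhsInt = 1u << 2, RhsDouble = 1u << 3,
        Int32Overflow = 1u << 4,
    };
    uint32_t bits = 0;

    void observe(const Value& lhs, const Value& rhs) {
        bits |= std::holds_alternative<int32_t>(lhs) ? LhsInt : LhsDouble;
        bits |= std::holds_alternative<int32_t>(rhs) ? RhsInt : RhsDouble;
    }
    bool sawDouble() const { return (bits & (LhsDouble | RhsDouble)) != 0; }
    bool sawOverflow() const { return (bits & Int32Overflow) != 0; }
};

enum class FastPath { IntInt, FullSnippet };

static double toDouble(const Value& v) {
    if (auto* i = std::get_if<int32_t>(&v)) return double(*i);
    return std::get<double>(v);
}

// Multiply through 64 bits and check the product still fits int32; false means overflow.
static bool mulInt32(int32_t a, int32_t b, int32_t& out) {
    int64_t wide = int64_t(a) * int64_t(b);
    if (wide < INT32_MIN || wide > INT32_MAX) return false;
    out = int32_t(wide);
    return true;
}

// The "full snippet": handles every int/double combination without speculation.
static Value genericMul(const Value& lhs, const Value& rhs, bool& overflowed) {
    overflowed = false;
    auto* a = std::get_if<int32_t>(&lhs);
    auto* b = std::get_if<int32_t>(&rhs);
    if (a && b) {
        int32_t out;
        if (mulInt32(*a, *b, out)) return out;
        overflowed = true;
    }
    return toDouble(lhs) * toDouble(rhs);
}

struct MathIC {
    FastPath generated = FastPath::IntInt;  // what is currently emitted inline
    ArithProfile profile;
    int slowPathCalls = 0;
    int repatches = 0;

    // Pick the inline code from the profile: int+int unless the profile says it will not hold.
    void regenerate() {
        FastPath next = (profile.sawDouble() || profile.sawOverflow()) ? FastPath::FullSnippet : FastPath::IntInt;
        if (next != generated) { generated = next; ++repatches; }
    }

    Value mul(const Value& lhs, const Value& rhs) {
        if (generated == FastPath::IntInt) {
            // Inline int+int path: both type checks and the overflow check must pass.
            auto* a = std::get_if<int32_t>(&lhs);
            auto* b = std::get_if<int32_t>(&rhs);
            int32_t out;
            if (a && b && mulInt32(*a, *b, out)) return out;
            return slowPath(lhs, rhs);  // a check failed: jump to the slow path
        }
        bool ignored;
        return genericMul(lhs, rhs, ignored);  // full snippet; it never repatches
    }

    Value slowPath(const Value& lhs, const Value& rhs) {
        ++slowPathCalls;
        profile.observe(lhs, rhs);
        bool overflowed;
        Value result = genericMul(lhs, rhs, overflowed);
        if (overflowed) profile.bits |= ArithProfile::Int32Overflow;
        regenerate();  // repatch the IC with what the slow path just learned
        return result;
    }
};
```

With a fresh MathIC, mul(3, 4) stays on the inline path with no slow-path call; mul(3, 2.5) fails the type check, records LhsInt and RhsDouble, and repatches to the full snippet, after which int+int still yields an int32 but nothing repatches again. An int+int product that overflows takes the same route via the overflow bit.
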
1454 2016-07-25  Darin Adler  <darin@apple.com>
1455
1456         Speed up make process slightly by improving "list of files" idiom
1457         https://bugs.webkit.org/show_bug.cgi?id=160164
1458
1459         Reviewed by Mark Lam.
1460
1461         * DerivedSources.make: Change rules that build lists of files to only run when
1462         DerivedSources.make has been modified since the last time they were run. Since the
1463         lists of files are inside this file, this is safe, and this is faster than always
1464         comparing and regenerating the file containing the list of files each time.
1465
1466 2016-07-24  Youenn Fablet  <youenn@apple.com>
1467
1468         [Fetch API] Request should be created with any HeadersInit data
1469         https://bugs.webkit.org/show_bug.cgi?id=159672
1470
1471         Reviewed by Sam Weinig.
1472
1473         * Scripts/builtins/builtins_generator.py:
1474         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
1475
1476 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
1477
1478         B3 should support multiple entrypoints
1479         https://bugs.webkit.org/show_bug.cgi?id=159391
1480
1481         Reviewed by Saam Barati.
1482         
1483         This teaches B3 how to compile procedures with multiple entrypoints in the best way ever.
1484         
1485         Multiple entrypoints are useful. We could use them to reduce the cost of compiling OSR
1486         entrypoints. We could use them to implement better try/catch.
1487         
1488         Multiple entrypoints are hard to support. All of the code that assumed that the root block
1489         is the entrypoint would have to be changed. Transformations like moveConstants() would have
1490         to do crazy things if the existence of multiple entrypoints prevented it from finding a
1491         single common dominator.
1492         
1493         Therefore, we want to add multiple entrypoints without actually teaching the compiler that
1494         there is such a thing. That's sort of what this change does.
1495         
1496         This adds a new opcode to both B3 and Air called EntrySwitch. It's a terminal that takes
1497         one or more successors and no value children. The number of successors must match
1498         Procedure::numEntrypoints(), which could be arbitrarily large. The semantics of EntrySwitch
1499         are:
1500         
1501         - Each of the entrypoints sets a hidden Entry variable to that entrypoint's index and jumps
1502           to the procedure's root block.
1503         
1504         - An EntrySwitch is a switch statement over this hidden Entry variable.
1505         
1506         The way that we actually implement this is that Air has a very late phase - after all
1507         register and stack layout - that clones all code where the Entry variable is live; i.e. all
1508         code in the closure over predecessors of all blocks that do EntrySwitch.
1509         
1510         Usually, you would use this by creating an EntrySwitch in the root block, but you don't
1511         have to do that. Just remember that the code before EntrySwitch gets cloned for each
1512         entrypoint. We allow cloning of an arbitrarily large amount of code because restricting it,
1513         and so restricting the placement of EntrySwitches, would be inelegant. It would be hard to
1514         preserve this invariant. For example we wouldn't be able to lower any value before an
1515         EntrySwitch to a control flow diamond.
1516         
1517         This patch gives us an easy-to-use way to use B3 to compile code with multiple entrypoints.
1518         Inside the compiler, only code that runs very late in Air has to know about this feature.
1519         We get the best of both worlds!
1520         
1521         Also, I finally got rid of the requirement that you explicitly cast BasicBlock* to
1522         FrequentedBlock. I can no longer remember why I thought that was a good idea. Removing it
1523         doesn't cause any problems and it makes code easier to write.
1524
1525         * CMakeLists.txt:
1526         * JavaScriptCore.xcodeproj/project.pbxproj:
1527         * b3/B3BasicBlockUtils.h:
1528         (JSC::B3::updatePredecessorsAfter):
1529         (JSC::B3::clearPredecessors):
1530         (JSC::B3::recomputePredecessors):
1531         * b3/B3FrequencyClass.h:
1532         (JSC::B3::maxFrequency):
1533         * b3/B3Generate.h:
1534         * b3/B3LowerToAir.cpp:
1535         (JSC::B3::Air::LowerToAir::lower):
1536         * b3/B3MoveConstants.cpp:
1537         * b3/B3Opcode.cpp:
1538         (WTF::printInternal):
1539         * b3/B3Opcode.h:
1540         * b3/B3Procedure.cpp:
1541         (JSC::B3::Procedure::isFastConstant):
1542         (JSC::B3::Procedure::entrypointLabel):
1543         (JSC::B3::Procedure::addDataSection):
1544         * b3/B3Procedure.h:
1545         (JSC::B3::Procedure::numEntrypoints):
1546         (JSC::B3::Procedure::setNumEntrypoints):
1547         (JSC::B3::Procedure::setLastPhaseName):
1548         * b3/B3Validate.cpp:
1549         * b3/B3Value.cpp:
1550         (JSC::B3::Value::effects):
1551         (JSC::B3::Value::typeFor):
1552         * b3/B3Value.h:
1553         * b3/air/AirCode.cpp:
1554         (JSC::B3::Air::Code::cCallSpecial):
1555         (JSC::B3::Air::Code::isEntrypoint):
1556         (JSC::B3::Air::Code::resetReachability):
1557         (JSC::B3::Air::Code::dump):
1558         * b3/air/AirCode.h:
1559         (JSC::B3::Air::Code::setFrameSize):
1560         (JSC::B3::Air::Code::numEntrypoints):
1561         (JSC::B3::Air::Code::entrypoints):
1562         (JSC::B3::Air::Code::entrypoint):
1563         (JSC::B3::Air::Code::setEntrypoints):
1564         (JSC::B3::Air::Code::entrypointLabel):
1565         (JSC::B3::Air::Code::setEntrypointLabels):
1566         (JSC::B3::Air::Code::calleeSaveRegisters):
1567         * b3/air/AirCustom.h:
1568         (JSC::B3::Air::PatchCustom::isTerminal):
1569         (JSC::B3::Air::PatchCustom::hasNonArgEffects):
1570         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
1571         (JSC::B3::Air::PatchCustom::generate):
1572         (JSC::B3::Air::CommonCustomBase::hasNonArgEffects):
1573         (JSC::B3::Air::CCallCustom::forEachArg):
1574         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1575         (JSC::B3::Air::ShuffleCustom::forEachArg):
1576         (JSC::B3::Air::EntrySwitchCustom::forEachArg):
1577         (JSC::B3::Air::EntrySwitchCustom::isValidFormStatic):
1578         (JSC::B3::Air::EntrySwitchCustom::isValidForm):
1579         (JSC::B3::Air::EntrySwitchCustom::admitsStack):
1580         (JSC::B3::Air::EntrySwitchCustom::isTerminal):
1581         (JSC::B3::Air::EntrySwitchCustom::hasNonArgNonControlEffects):
1582         (JSC::B3::Air::EntrySwitchCustom::generate):
1583         * b3/air/AirGenerate.cpp:
1584         (JSC::B3::Air::prepareForGeneration):
1585         (JSC::B3::Air::generate):
1586         * b3/air/AirLowerEntrySwitch.cpp: Added.
1587         (JSC::B3::Air::lowerEntrySwitch):
1588         * b3/air/AirLowerEntrySwitch.h: Added.
1589         * b3/air/AirOpcode.opcodes:
1590         * b3/air/AirOptimizeBlockOrder.cpp:
1591         (JSC::B3::Air::blocksInOptimizedOrder):
1592         * b3/air/AirSpecial.cpp:
1593         (JSC::B3::Air::Special::isTerminal):
1594         (JSC::B3::Air::Special::hasNonArgEffects):
1595         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
1596         * b3/air/AirSpecial.h:
1597         * b3/air/AirValidate.cpp:
1598         * b3/air/opcode_generator.rb:
1599         * b3/testb3.cpp:
1600
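The EntrySwitch semantics in the entry above, worked through as an added example (constructed model code, not B3 or Air; Block, Code, Lowered and the sample procedure are assumptions made for this illustration): each entrypoint conceptually sets the hidden Entry variable and jumps to the root block, and the late lowering clones every block in the predecessor closure of an EntrySwitch once per entrypoint, turning the EntrySwitch in clone i into a plain jump to successor i. Blocks where Entry is dead are shared by all entries, which is why an arbitrary amount of code before the EntrySwitch can be cloned without the rest of the procedure knowing about it.

```cpp
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed model of EntrySwitch lowering (not B3/Air code; all names are illustrative).
struct Block {
    std::string name;
    std::vector<std::string> code;        // instructions, kept as text
    bool isEntrySwitch = false;           // terminal is an EntrySwitch
    std::vector<std::string> successors;  // for an EntrySwitch: one per entrypoint
};

struct Code {
    std::string root;                     // the single root block every entry jumps to
    unsigned numEntrypoints = 1;
    std::map<std::string, Block> blocks;
};

struct Lowered {
    std::vector<std::string> entrypoints; // entry i starts at this block
    std::map<std::string, Block> blocks;
};

// Blocks where the hidden Entry variable is live: the closure over predecessors of every
// block that ends in an EntrySwitch.
std::set<std::string> blocksWhereEntryIsLive(const Code& code) {
    std::map<std::string, std::vector<std::string>> preds;
    for (auto& [name, block] : code.blocks)
        for (auto& succ : block.successors) preds[succ].push_back(name);
    std::set<std::string> live;
    std::vector<std::string> work;
    for (auto& [name, block] : code.blocks)
        if (block.isEntrySwitch) { live.insert(name); work.push_back(name); }
    while (!work.empty()) {
        std::string current = work.back(); work.pop_back();
        for (auto& pred : preds[current])
            if (live.insert(pred).second) work.push_back(pred);
    }
    return live;
}

static std::string cloneName(const std::string& block, unsigned entry) {
    return block + "#entry" + std::to_string(entry);
}

// Clone every live block once per entrypoint; in clone i the EntrySwitch becomes a plain
// jump to successor i. Blocks where Entry is dead are shared by all entries.
Lowered lowerEntrySwitch(const Code& code) {
    for (auto& [name, block] : code.blocks)
        if (block.isEntrySwitch && block.successors.size() != code.numEntrypoints)
            throw std::invalid_argument("EntrySwitch successor count must equal numEntrypoints: " + name);
    std::set<std::string> live = blocksWhereEntryIsLive(code);
    Lowered out;
    for (auto& [name, block] : code.blocks)
        if (!live.count(name)) out.blocks[name] = block;
    for (unsigned i = 0; i < code.numEntrypoints; ++i) {
        for (auto& name : live) {
            Block clone = code.blocks.at(name);
            clone.name = cloneName(name, i);
            if (clone.isEntrySwitch) {
                std::string target = clone.successors[i];
                clone.isEntrySwitch = false;
                clone.successors = { live.count(target) ? cloneName(target, i) : target };
                clone.code.push_back("Jump " + clone.successors[0]);
            } else {
                for (auto& succ : clone.successors)
                    if (live.count(succ)) succ = cloneName(succ, i);
            }
            out.blocks[clone.name] = clone;
        }
        out.entrypoints.push_back(live.count(code.root) ? cloneName(code.root, i) : code.root);
    }
    return out;
}

// Constructed sample: a prologue, then an EntrySwitch dispatching to a normal entry or an
// OSR-style entry; both then share one loop.
Code sampleProcedure() {
    Code code;
    code.root = "prologue";
    code.numEntrypoints = 2;
    code.blocks["prologue"] = Block{"prologue", {"set up frame"}, false, {"dispatch"}};
    code.blocks["dispatch"] = Block{"dispatch", {}, true, {"normalEntry", "osrEntry"}};
    code.blocks["normalEntry"] = Block{"normalEntry", {"init locals"}, false, {"loop"}};
    code.blocks["osrEntry"] = Block{"osrEntry", {"load locals from OSR buffer"}, false, {"loop"}};
    code.blocks["loop"] = Block{"loop", {"loop body"}, false, {"loop", "exit"}};
    code.blocks["exit"] = Block{"exit", {"return"}, false, {}};
    return code;
}
```

On the sample, Entry is live only in prologue and dispatch, so those two blocks are cloned per entrypoint (prologue#entry0 leads to dispatch#entry0, which now just jumps to normalEntry; entry 1 likewise reaches osrEntry), while normalEntry, osrEntry, loop and exit stay shared. The successor-count check at the top is the invariant the entry states: the number of EntrySwitch successors must match numEntrypoints.
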
1601 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
1602
1603         Unreviewed, fix broken test. I don't know why I goofed this up without seeing it before landing.
1604
1605         * b3/air/AirOpcode.opcodes:
1606         * b3/testb3.cpp:
1607         (JSC::B3::run):
1608
1609 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
1610
1611         [B3] Fusing immediates into test instructions should work again
1612         https://bugs.webkit.org/show_bug.cgi?id=160073
1613
1614         Reviewed by Sam Weinig.
1615
1616         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
1617         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
1618         was still using Imm!  This meant that isValidForm() always returned false.
1619         
1620         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
1621         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
1622         with the scratch register).
1623         
1624         This is not an obvious progression on anything, so I added comprehensive tests to
1625         testb3, which check that we selected the optimal instruction in a variety of situations.
1626         We should add more tests like this!
1627
1628         * b3/B3BasicBlock.h:
1629         (JSC::B3::BasicBlock::successorBlock):
1630         * b3/B3LowerToAir.cpp:
1631         (JSC::B3::Air::LowerToAir::createGenericCompare):
1632         * b3/B3LowerToAir.h:
1633         * b3/air/AirArg.cpp:
1634         (JSC::B3::Air::Arg::isRepresentableAs):
1635         (JSC::B3::Air::Arg::usesTmp):
1636         * b3/air/AirArg.h:
1637         (JSC::B3::Air::Arg::isRepresentableAs):
1638         (JSC::B3::Air::Arg::castToType):
1639         (JSC::B3::Air::Arg::asNumber):
1640         * b3/air/AirCode.h:
1641         (JSC::B3::Air::Code::size):
1642         (JSC::B3::Air::Code::at):
1643         * b3/air/AirOpcode.opcodes:
1644         * b3/air/AirValidate.h:
1645         * b3/air/opcode_generator.rb:
1646         * b3/testb3.cpp:
1647         (JSC::B3::compile):
1648         (JSC::B3::compileAndRun):
1649         (JSC::B3::lowerToAirForTesting):
1650         (JSC::B3::testSomeEarlyRegister):
1651         (JSC::B3::testBranchBitAndImmFusion):
1652         (JSC::B3::zero):
1653         (JSC::B3::run):
1654
1655 2016-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1656
1657         Unreviewed, update the exponentiation expression error message
1658         https://bugs.webkit.org/show_bug.cgi?id=159969
1659
1660         Follow up patch for r203499.
1661
1662         * parser/Parser.cpp:
1663         (JSC::Parser<LexerType>::parseBinaryExpression):
1664         * tests/stress/pow-expects-update-expression-on-lhs.js:
1665         (throw.new.Error):
1666
1667 2016-07-24  Darin Adler  <darin@apple.com>
1668
1669         Adding a new WebCore JavaScript built-in source file does not trigger rebuild of WebCoreJSBuiltins*
1670         https://bugs.webkit.org/show_bug.cgi?id=160115
1671
1672         Reviewed by Youenn Fablet.
1673
1674         * make-generated-sources.sh: Removed. Was unused.
1675
1676 2016-07-23  Commit Queue  <commit-queue@webkit.org>
1677
1678         Unreviewed, rolling out r203641.
1679         https://bugs.webkit.org/show_bug.cgi?id=160116
1680
1681         It broke make-based builds (Requested by youenn on #webkit).
1682
1683         Reverted changeset:
1684
1685         "[Fetch API] Request should be created with any HeadersInit
1686         data"
1687         https://bugs.webkit.org/show_bug.cgi?id=159672
1688         http://trac.webkit.org/changeset/203641
1689
1690 2016-07-23  Youenn Fablet  <youenn@apple.com>
1691
1692         [Fetch API] Request should be created with any HeadersInit data
1693         https://bugs.webkit.org/show_bug.cgi?id=159672
1694
1695         Reviewed by Sam Weinig.
1696
1697         * Scripts/builtins/builtins_generator.py:
1698         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
1699
1700 2016-07-21  Filip Pizlo  <fpizlo@apple.com>
1701
1702         Teach MarkedSpace how to allocate auxiliary storage
1703         https://bugs.webkit.org/show_bug.cgi?id=160053
1704
1705         Reviewed by Sam Weinig.
1706         
1707         Previously, we had two kinds of subspaces in MarkedSpace: destructor and non-destructor. This
1708         was described using "bool needsDestruction" that would get passed around. We'd iterate over
1709         these spaces using duplicated code - one loop for destructors and one for non-destructors, or
1710         a single loop that does one thing for destructors and one for non-destructors.
1711         
1712         But now we want a third subspace: non-destructor non-JSCell, aka Auxiliary.
1713         
1714         So, this changes all of the reflection and iteration over subspaces to use functors, so that
1715         the looping is written once and reused. Most places don't even have to know that there is a
1716         third subspace; they just know that they must do things for each subspace, for each
1717         allocator, or for each block - and the functor magic handles it for you.
1718         
1719         To make this somewhat nice, this change also fixes how we describe subspaces. Instead of a
1720         bool, we now have AllocatorAttributes, which is a struct. If we ever add more subspaces, we
1721         can add fields to AllocatorAttributes to describe how those subspaces differ. For now it just
1722         contains two properties: a DestructionMode and a HeapCell::Kind. The DestructionMode
1723         replaces bool needsDestruction. I deliberately used a non-class enum to avoid tautologies.
1724         DestructionMode has two members: NeedsDestruction and DoesNotNeedDestruction. I almost went
1725         with DestructionMode::Needed and DestructionMode::NotNeeded, but I felt like that involves
1726         more typing and doesn't actually avoid any kind of namespace issues.
1727         
1728         This is intended to have no behavior change other than the addition of a totally unused
1729         space, which should always be empty. So hopefully it doesn't cost anything.
1730
1731         * CMakeLists.txt:
1732         * JavaScriptCore.xcodeproj/project.pbxproj:
1733         * heap/AllocatorAttributes.cpp: Added.
1734         (JSC::AllocatorAttributes::dump):
1735         * heap/AllocatorAttributes.h: Added.
1736         (JSC::AllocatorAttributes::AllocatorAttributes):
1737         * heap/DestructionMode.cpp: Added.
1738         (WTF::printInternal):
1739         * heap/DestructionMode.h: Added.
1740         * heap/Heap.h:
1741         * heap/MarkedAllocator.cpp:
1742         (JSC::MarkedAllocator::allocateBlock):
1743         (JSC::MarkedAllocator::addBlock):
1744         * heap/MarkedAllocator.h:
1745         (JSC::MarkedAllocator::cellSize):
1746         (JSC::MarkedAllocator::attributes):
1747         (JSC::MarkedAllocator::needsDestruction):
1748         (JSC::MarkedAllocator::destruction):
1749         (JSC::MarkedAllocator::cellKind):
1750         (JSC::MarkedAllocator::heap):
1751         (JSC::MarkedAllocator::takeLastActiveBlock):
1752         (JSC::MarkedAllocator::MarkedAllocator):
1753         (JSC::MarkedAllocator::init):
1754         (JSC::MarkedAllocator::allocate):
1755         * heap/MarkedBlock.cpp:
1756         (JSC::MarkedBlock::create):
1757         (JSC::MarkedBlock::destroy):
1758         (JSC::MarkedBlock::MarkedBlock):
1759         (JSC::MarkedBlock::callDestructor):
1760         (JSC::MarkedBlock::sweep):
1761         (JSC::MarkedBlock::stopAllocating):
1762         (JSC::MarkedBlock::didRetireBlock):
1763         * heap/MarkedBlock.h:
1764         (JSC::MarkedBlock::cellSize):
1765         (JSC::MarkedBlock::attributes):
1766         (JSC::MarkedBlock::needsDestruction):
1767         (JSC::MarkedBlock::destruction):
1768         (JSC::MarkedBlock::cellKind):
1769         (JSC::MarkedBlock::size):
1770         (JSC::MarkedBlock::forEachCell):
1771         (JSC::MarkedBlock::forEachLiveCell):
1772         (JSC::MarkedBlock::forEachDeadCell):
1773         * heap/MarkedSpace.cpp:
1774         (JSC::MarkedSpace::MarkedSpace):
1775         (JSC::MarkedSpace::~MarkedSpace):
1776         (JSC::MarkedSpace::lastChanceToFinalize):
1777         (JSC::MarkedSpace::resetAllocators):
1778         (JSC::MarkedSpace::forEachAllocator):
1779         (JSC::MarkedSpace::stopAllocating):
1780         (JSC::MarkedSpace::resumeAllocating):
1781         (JSC::MarkedSpace::isPagedOut):
1782         (JSC::MarkedSpace::freeBlock):
1783         (JSC::MarkedSpace::shrink):
1784         (JSC::MarkedSpace::clearNewlyAllocated):
1785         (JSC::clearNewlyAllocatedInBlock): Deleted.
1786         * heap/MarkedSpace.h:
1787         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
1788         (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor):
1789         (JSC::MarkedSpace::subspaceForAuxiliaryData):
1790         (JSC::MarkedSpace::allocatorFor):
1791         (JSC::MarkedSpace::destructorAllocatorFor):
1792         (JSC::MarkedSpace::auxiliaryAllocatorFor):
1793         (JSC::MarkedSpace::allocateWithoutDestructor):
1794         (JSC::MarkedSpace::allocateWithDestructor):
1795         (JSC::MarkedSpace::allocateAuxiliary):
1796         (JSC::MarkedSpace::forEachBlock):
1797         (JSC::MarkedSpace::didAddBlock):
1798         (JSC::MarkedSpace::capacity):
1799         (JSC::MarkedSpace::forEachSubspace):
1800
1801 2016-07-22  Saam Barati  <sbarati@apple.com>
1802
1803         REGRESSION(r203537): It made many tests crash on ARMv7 Linux platforms
1804         https://bugs.webkit.org/show_bug.cgi?id=160082
1805
1806         Reviewed by Keith Miller.
1807
1808         We were improperly linking the Jump in the link buffer.
1809         It caused us to be linking against the executable address
1810         which always has bit 0 set. We shouldn't be doing that.
1811         This patch fixes this, by using the same idiom that
1812         PolymorphicAccess uses to link a jump to out of line code.
1813
1814         * jit/JITMathIC.h:
1815         (JSC::JITMathIC::generateOutOfLine):
1816
1817 2016-07-22  Commit Queue  <commit-queue@webkit.org>
1818
1819         Unreviewed, rolling out r203603.
1820         https://bugs.webkit.org/show_bug.cgi?id=160096
1821
1822         Caused CLoop tests to fail with assertions (Requested by
1823         perarne on #webkit).
1824
1825         Reverted changeset:
1826
1827         "[Win] jsc.exe sometimes never exits."
1828         https://bugs.webkit.org/show_bug.cgi?id=158073
1829         http://trac.webkit.org/changeset/203603
1830
1831 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
1832
1833         [Win] jsc.exe sometimes never exits.
1834         https://bugs.webkit.org/show_bug.cgi?id=158073
1835
1836         Reviewed by Mark Lam.
1837
1838         Make sure the VM is deleted after the test has finished. This will gracefully stop the sampling profiler thread,
1839         and give the thread the opportunity to release the machine thread lock acquired in SamplingProfiler::takeSample.
1840         If the sampling profiler thread was terminated while holding the machine thread lock, the machine thread will
1841         not be able to grab the lock afterwards. 
1842  
1843         * jsc.cpp:
1844         (jscmain):
1845
1846 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
1847
1848         Fix the Windows 64-bit build after r203537
1849         https://bugs.webkit.org/show_bug.cgi?id=160080
1850
1851         Reviewed by Csaba Osztrogonác.
1852
1853         Added new version of setupArgumentsWithExecState method.
1854
1855         * jit/CCallHelpers.h:
1856         (JSC::CCallHelpers::setupArgumentsWithExecState):
1857
1858 2016-07-22  Csaba Osztrogonác  <ossy@webkit.org>
1859
1860         [ARM] Unreviewed EABI buildfix after r203537.
1861
1862         * jit/CCallHelpers.h:
1863         (JSC::CCallHelpers::setupArgumentsWithExecState): Added.
1864
1865 2016-07-22  Youenn Fablet  <youenn@apple.com>
1866
1867         run-builtins-generator-tests should be able to test WebCore builtins wrapper with more than one file
1868         https://bugs.webkit.org/show_bug.cgi?id=159921
1869
1870         Reviewed by Brian Burg.
1871
1872         Updated built-in generator to generate only wrapper files when passed the --wrappers-only option.
1873         When this option is used, wrapper files are generated but no individual file is generated.
1874         When this option is not used, individual files are generated but no wrapper file is generated.
1875         This allows the builtin generator test runner to generate a single WebCore-Wrappers.h-result for all
1876         WebCore test files, as is done for real in WebCore.
1877         Previously wrapper code was generated individually for each WebCore test file.
1878
1879         Added new built-in test file to cover the case of concatenating several guards in generated WebCore wrapper files.
1880
1881         * Scripts/generate-js-builtins.py:
1882         (concatenated_output_filename): Compute a decent name for wrapper files in case of test mode.
1883         (generate_bindings_for_builtins_files): When --wrappers-only is activated, this generates only the wrapper files, not the individual files.
1884         * Scripts/tests/builtins/WebCore-AnotherGuardedInternalBuiltin-Separate.js: Added.
1885         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: Added.
1886         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Removed wrapper code.
1887         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
1888         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Ditto.
1889         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
1890         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Removed wrapper code.
1891         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: Added, contains wrapper code for all WebCore valid test cases.
1892
1893 2016-07-21  Saam Barati  <sbarati@apple.com>
1894
1895         callOperation(.) variants in the DFG that explicitly take a tag/payload register should take a JSValueRegs instead
1896         https://bugs.webkit.org/show_bug.cgi?id=160007
1897
1898         Reviewed by Filip Pizlo.
1899
1900         This patch is the first step in my plan to remove all callOperation(.) variants
1901         in the various JITs and to unify them using a couple template variations.
1902         The steps are as follows:
1903         1. Replace all explicit tag/payload pairs with JSValueRegs in the DFG
1904         2. Replace all explicit tag/payload pairs with JSValueRegs in the baseline
1905         3. Remove callOperation(.) variants and teach setupArgumentsWithExecState
1906            about JSValueRegs.
1907
1908         * dfg/DFGSpeculativeJIT.cpp:
1909         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1910         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1911         (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
1912         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
1913         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
1914         * dfg/DFGSpeculativeJIT.h:
1915         (JSC::DFG::SpeculativeJIT::callOperation):
1916         * dfg/DFGSpeculativeJIT32_64.cpp:
1917         (JSC::DFG::SpeculativeJIT::cachedGetById):
1918         (JSC::DFG::SpeculativeJIT::cachedPutById):
1919         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1920         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal):
1921         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1922         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1923         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
1924         (JSC::DFG::SpeculativeJIT::emitCall):
1925         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1926         (JSC::DFG::SpeculativeJIT::emitBranch):
1927         (JSC::DFG::SpeculativeJIT::compile):
1928
1929 2016-07-21  Saam Barati  <sbarati@apple.com>
1930
1931         op_add/ValueAdd should be an IC in all JIT tiers
1932         https://bugs.webkit.org/show_bug.cgi?id=159649
1933
1934         Reviewed by Benjamin Poulain.
1935
1936         This patch makes Add an IC inside all JIT tiers. It does so in a
1937         simple, but effective, way. We will try to generate an int+int add
1938         that will repatch itself if its type checks fail. Sometimes though,
1939         we have runtime type data saying that the add won't be int+int.
1940         In those cases, we will just generate a full snippet that doesn't patch itself.
1941         Other times, we may generate no inline code and defer to making a C call. A lot
1942         of this patch is just refactoring ResultProfile into what we're now calling ArithProfile.
1943         ArithProfile does everything ResultProfile used to do, and more. It records simple type
1944         data about the LHS/RHS operands it sees. This allows us to determine if an op_add
1945         has only seen int+int operands, etc. ArithProfile will also contain the ResultType
1946         for the LHS/RHS that the parser feeds into op_add. ArithProfile now fits into 32-bits.
1947         This means instead of having a side table like we did for ResultProfile, we just
1948         inject the ArithProfile into the bytecode instruction stream. This makes asking
1949         for ArithProfile faster; we no longer need to lock around this operation.
1950
1951         The size of an Add has gone down on average, but we can still do better.
1952         We still generate a lot of code because we generate calls to the slow path.
1953         I think we can make this better by moving the slow path to a shared thunk
1954         system. This patch mostly lays the foundation for future improvements to Add,
1955         and a framework to move all other arithmetic operations to be typed-based ICs.
1956
1957         Here is some data I took on the average op_add/ValueAdd size on various benchmarks:
1958                    |   JetStream  |  Speedometer |  Unity 3D  |
1959              ------|--------------|--------------|------------|
1960               Old  |  189 bytes   |  169 bytes   |  192 bytes |
1961              ------|--------------|--------------|------------|
1962               New  |  148 bytes   |  124 bytes   |  143 bytes |
1963              ------|--------------|--------------|------------|
1964
1965         Making an arithmetic IC is now easy. The JITMathIC class will hold a snippet
1966         generator as a member variable. To make a snippet an IC, you need to implement
1967         a generateInline(.) method, which generates the inline IC. Then, you need to
1968         generate the IC where you used to generate the snippet. When generating the
1969         IC, we need to inform JITMathIC of various data like we do with StructureStubInfo.
1970         We need to tell it about where the slow path starts, where the slow path call is, etc.
1971         When generating a JITMathIC, it may tell you that it didn't generate any code inline.
1972         This is a request to the user of JITMathIC to just generate a C call along the
1973         fast path. JITMathIC may also have the snippet tell it to just generate the full
1974         snippet instead of the int+int path along the fast path.
1975
1976         In subsequent patches, we can improve upon how we decide to generate int+int or
1977         the full snippet. I tried to get clever by having double+double, double+int, int+double,
1978         fast paths, but they didn't work out nearly as well as the int+int fast path. I ended up
1979         generating a lot of code when I did this and ended up using more memory than just generating
1980         the full snippet. There is probably some way we can be clever and generate specialized fast
1981         paths that are more successful than what I tried implementing, but I think it's worth deferring
1982         this to follow-up patches once the JITMathIC foundation has landed.
1983
1984         This patch also fixes a bug inside the slow path lambdas in the DFG.
1985         Before, it was not legal to emit an exception check inside them. Now,
1986         it is. So it's now easy to define arbitrary late paths using the DFG
1987         slow path lambda API.
1988
1989         * CMakeLists.txt:
1990         * JavaScriptCore.xcodeproj/project.pbxproj:
1991         * bytecode/ArithProfile.cpp: Added.
1992         (JSC::ArithProfile::emitObserveResult):
1993         (JSC::ArithProfile::shouldEmitSetDouble):
1994         (JSC::ArithProfile::emitSetDouble):
1995         (JSC::ArithProfile::shouldEmitSetNonNumber):
1996         (JSC::ArithProfile::emitSetNonNumber):
1997         (WTF::printInternal):
1998         * bytecode/ArithProfile.h: Added.
1999         (JSC::ObservedType::ObservedType):
2000         (JSC::ObservedType::sawInt32):
2001         (JSC::ObservedType::isOnlyInt32):
2002         (JSC::ObservedType::sawNumber):
2003         (JSC::ObservedType::isOnlyNumber):
2004         (JSC::ObservedType::sawNonNumber):
2005         (JSC::ObservedType::isOnlyNonNumber):
2006         (JSC::ObservedType::isEmpty):
2007         (JSC::ObservedType::bits):
2008         (JSC::ObservedType::withInt32):
2009         (JSC::ObservedType::withNumber):
2010         (JSC::ObservedType::withNonNumber):
2011         (JSC::ObservedType::withoutNonNumber):
2012         (JSC::ObservedType::operator==):
2013         (JSC::ArithProfile::ArithProfile):
2014         (JSC::ArithProfile::fromInt):
2015         (JSC::ArithProfile::lhsResultType):
2016         (JSC::ArithProfile::rhsResultType):
2017         (JSC::ArithProfile::lhsObservedType):
2018         (JSC::ArithProfile::rhsObservedType):
2019         (JSC::ArithProfile::setLhsObservedType):
2020         (JSC::ArithProfile::setRhsObservedType):
2021         (JSC::ArithProfile::tookSpecialFastPath):
2022         (JSC::ArithProfile::didObserveNonInt32):
2023         (JSC::ArithProfile::didObserveDouble):
2024         (JSC::ArithProfile::didObserveNonNegZeroDouble):
2025         (JSC::ArithProfile::didObserveNegZeroDouble):
2026         (JSC::ArithProfile::didObserveNonNumber):
2027         (JSC::ArithProfile::didObserveInt32Overflow):
2028         (JSC::ArithProfile::didObserveInt52Overflow):
2029         (JSC::ArithProfile::setObservedNonNegZeroDouble):
2030         (JSC::ArithProfile::setObservedNegZeroDouble):
2031         (JSC::ArithProfile::setObservedNonNumber):
2032         (JSC::ArithProfile::setObservedInt32Overflow):
2033         (JSC::ArithProfile::setObservedInt52Overflow):
2034         (JSC::ArithProfile::addressOfBits):
2035         (JSC::ArithProfile::observeResult):
2036         (JSC::ArithProfile::lhsSawInt32):
2037         (JSC::ArithProfile::lhsSawNumber):
2038         (JSC::ArithProfile::lhsSawNonNumber):
2039         (JSC::ArithProfile::rhsSawInt32):
2040         (JSC::ArithProfile::rhsSawNumber):
2041         (JSC::ArithProfile::rhsSawNonNumber):
2042         (JSC::ArithProfile::observeLHSAndRHS):
2043         (JSC::ArithProfile::bits):
2044         (JSC::ArithProfile::hasBits):
2045         (JSC::ArithProfile::setBit):
2046         * bytecode/CodeBlock.cpp:
2047         (JSC::CodeBlock::dumpRareCaseProfile):
2048         (JSC::CodeBlock::dumpArithProfile):
2049         (JSC::CodeBlock::dumpBytecode):
2050         (JSC::CodeBlock::addStubInfo):
2051         (JSC::CodeBlock::addJITAddIC):
2052         (JSC::CodeBlock::findStubInfo):
2053         (JSC::CodeBlock::resetJITData):
2054         (JSC::CodeBlock::shrinkToFit):
2055         (JSC::CodeBlock::dumpValueProfiles):
2056         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2057         (JSC::CodeBlock::arithProfileForBytecodeOffset):
2058         (JSC::CodeBlock::arithProfileForPC):
2059         (JSC::CodeBlock::couldTakeSpecialFastCase):
2060         (JSC::CodeBlock::dumpResultProfile): Deleted.
2061         (JSC::CodeBlock::resultProfileForBytecodeOffset): Deleted.
2062         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset): Deleted.
2063         (JSC::CodeBlock::ensureResultProfile): Deleted.
2064         * bytecode/CodeBlock.h:
2065         (JSC::CodeBlock::stubInfoBegin):
2066         (JSC::CodeBlock::stubInfoEnd):
2067         (JSC::CodeBlock::couldTakeSlowCase):
2068         (JSC::CodeBlock::numberOfResultProfiles): Deleted.
2069         * bytecode/MethodOfGettingAValueProfile.cpp:
2070         (JSC::MethodOfGettingAValueProfile::emitReportValue):
2071         * bytecode/MethodOfGettingAValueProfile.h:
2072         (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
2073         * bytecode/ValueProfile.cpp:
2074         (JSC::ResultProfile::emitDetectNumericness): Deleted.
2075         (JSC::ResultProfile::emitSetDouble): Deleted.
2076         (JSC::ResultProfile::emitSetNonNumber): Deleted.
2077         (WTF::printInternal): Deleted.
2078         * bytecode/ValueProfile.h:
2079         (JSC::getRareCaseProfileBytecodeOffset):
2080         (JSC::ResultProfile::ResultProfile): Deleted.
2081         (JSC::ResultProfile::bytecodeOffset): Deleted.
2082         (JSC::ResultProfile::specialFastPathCount): Deleted.
2083         (JSC::ResultProfile::didObserveNonInt32): Deleted.
2084         (JSC::ResultProfile::didObserveDouble): Deleted.
2085         (JSC::ResultProfile::didObserveNonNegZeroDouble): Deleted.
2086         (JSC::ResultProfile::didObserveNegZeroDouble): Deleted.
2087         (JSC::ResultProfile::didObserveNonNumber): Deleted.
2088         (JSC::ResultProfile::didObserveInt32Overflow): Deleted.
2089         (JSC::ResultProfile::didObserveInt52Overflow): Deleted.
2090         (JSC::ResultProfile::setObservedNonNegZeroDouble): Deleted.
2091         (JSC::ResultProfile::setObservedNegZeroDouble): Deleted.
2092         (JSC::ResultProfile::setObservedNonNumber): Deleted.
2093         (JSC::ResultProfile::setObservedInt32Overflow): Deleted.
2094         (JSC::ResultProfile::setObservedInt52Overflow): Deleted.
2095         (JSC::ResultProfile::addressOfFlags): Deleted.
2096         (JSC::ResultProfile::addressOfSpecialFastPathCount): Deleted.
2097         (JSC::ResultProfile::detectNumericness): Deleted.
2098         (JSC::ResultProfile::hasBits): Deleted.
2099         (JSC::ResultProfile::setBit): Deleted.
2100         (JSC::getResultProfileBytecodeOffset): Deleted.
2101         * bytecompiler/BytecodeGenerator.cpp:
2102         (JSC::BytecodeGenerator::emitBinaryOp):
2103         * dfg/DFGByteCodeParser.cpp:
2104         (JSC::DFG::ByteCodeParser::makeSafe):
2105         * dfg/DFGGraph.cpp:
2106         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2107         * dfg/DFGJITCompiler.cpp:
2108         (JSC::DFG::JITCompiler::exceptionCheck):
2109         * dfg/DFGSlowPathGenerator.h:
2110         (JSC::DFG::SlowPathGenerator::generate):
2111         * dfg/DFGSpeculativeJIT.cpp:
2112         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
2113         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
2114         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2115         * dfg/DFGSpeculativeJIT.h:
2116         (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
2117         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
2118         (JSC::DFG::SpeculativeJIT::callOperation):
2119         * ftl/FTLLowerDFGToB3.cpp:
2120         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2121         (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
2122         * jit/CCallHelpers.h:
2123         (JSC::CCallHelpers::setupArgumentsWithExecState):
2124         (JSC::CCallHelpers::setupArguments):
2125         * jit/JIT.h:
2126         * jit/JITAddGenerator.cpp:
2127         (JSC::JITAddGenerator::generateInline):
2128         (JSC::JITAddGenerator::generateFastPath):
2129         * jit/JITAddGenerator.h:
2130         (JSC::JITAddGenerator::JITAddGenerator):
2131         (JSC::JITAddGenerator::didEmitFastPath): Deleted.
2132         (JSC::JITAddGenerator::endJumpList): Deleted.
2133         (JSC::JITAddGenerator::slowPathJumpList): Deleted.
2134         * jit/JITArithmetic.cpp:
2135         (JSC::JIT::emit_op_jless):
2136         (JSC::JIT::emitSlow_op_urshift):
2137         (JSC::getOperandTypes):
2138         (JSC::JIT::emit_op_add):
2139         (JSC::JIT::emitSlow_op_add):
2140         (JSC::JIT::emit_op_div):
2141         (JSC::JIT::emit_op_mul):
2142         (JSC::JIT::emitSlow_op_mul):
2143         (JSC::JIT::emit_op_sub):
2144         (JSC::JIT::emitSlow_op_sub):
2145         * jit/JITDivGenerator.cpp:
2146         (JSC::JITDivGenerator::generateFastPath):
2147         * jit/JITDivGenerator.h:
2148         (JSC::JITDivGenerator::JITDivGenerator):
2149         * jit/JITInlines.h:
2150         (JSC::JIT::callOperation):
2151         * jit/JITMathIC.h: Added.
2152         (JSC::JITMathIC::doneLocation):
2153         (JSC::JITMathIC::slowPathStartLocation):
2154         (JSC::JITMathIC::slowPathCallLocation):
2155         (JSC::JITMathIC::generateInline):
2156         (JSC::JITMathIC::generateOutOfLine):
2157         (JSC::JITMathIC::finalizeInlineCode):
2158         * jit/JITMathICForwards.h: Added.
2159         * jit/JITMathICInlineResult.h: Added.
2160         * jit/JITMulGenerator.cpp:
2161         (JSC::JITMulGenerator::generateFastPath):
2162         * jit/JITMulGenerator.h:
2163         (JSC::JITMulGenerator::JITMulGenerator):
2164         * jit/JITOperations.cpp:
2165         * jit/JITOperations.h:
2166         * jit/JITSubGenerator.cpp:
2167         (JSC::JITSubGenerator::generateFastPath):
2168         * jit/JITSubGenerator.h:
2169         (JSC::JITSubGenerator::JITSubGenerator):
2170         * jit/Repatch.cpp:
2171         (JSC::readCallTarget):
2172         (JSC::ftlThunkAwareRepatchCall):
2173         (JSC::tryCacheGetByID):
2174         (JSC::repatchGetByID):
2175         (JSC::appropriateGenericPutByIdFunction):
2176         (JSC::tryCachePutByID):
2177         (JSC::repatchPutByID):
2178         (JSC::tryRepatchIn):
2179         (JSC::repatchIn):
2180         (JSC::linkSlowFor):
2181         (JSC::resetGetByID):
2182         (JSC::resetPutByID):
2183         (JSC::repatchCall): Deleted.
2184         * jit/Repatch.h:
2185         * llint/LLIntData.cpp:
2186         (JSC::LLInt::Data::performAssertions):
2187         * llint/LowLevelInterpreter.asm:
2188         * llint/LowLevelInterpreter32_64.asm:
2189         * llint/LowLevelInterpreter64.asm:
2190         * parser/ResultType.h:
2191         (JSC::ResultType::ResultType):
2192         (JSC::ResultType::isInt32):
2193         (JSC::ResultType::definitelyIsNumber):
2194         (JSC::ResultType::definitelyIsString):
2195         (JSC::ResultType::definitelyIsBoolean):
2196         (JSC::ResultType::mightBeNumber):
2197         (JSC::ResultType::isNotNumber):
2198         (JSC::ResultType::forBitOp):
2199         (JSC::ResultType::bits):
2200         (JSC::OperandTypes::OperandTypes):
2201         * runtime/CommonSlowPaths.cpp:
2202         (JSC::SLOW_PATH_DECL):
2203         (JSC::updateArithProfileForBinaryArithOp):
2204         (JSC::updateResultProfileForBinaryArithOp): Deleted.
2205         * tests/stress/op-add-exceptions.js: Added.
2206         (assert):
2207         (f1):
2208         (f2):
2209         (f3):
2210         (let.oException.valueOf):
2211         (foo):
2212         (ident):
2213         (bar):
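
The ArithProfile/JITMathIC design described in this entry (an ObservedType per operand packed with result flags into one 32-bit word, an int+int IC that repatches itself when its type check fails, and the full snippet when the runtime data says the add will not be int+int), as an added JavaScript model that is not JSC's code. The method names follow the function list above; the bit layout, the int32 classification, the "observing" helper and the exact compile policy are this example's assumptions.

```javascript
// Added example, not JSC code: a JavaScript model of the ArithProfile and
// JITMathIC design described above. ObservedType holds three bits per operand;
// ArithProfile packs the LHS and RHS ObservedTypes and a few result flags into a
// single 32-bit word, as the entry says the real one now does. The bit layout, the
// int32 classification and the exact compile policy are this example's assumptions.

const INT32 = 1, NUMBER = 2, NON_NUMBER = 4;          // hypothetical ObservedType bits
const LHS_SHIFT = 0, RHS_SHIFT = 3;                   // where each operand's bits live
const RESULT_NON_NUMBER = 1 << 6, RESULT_NEG_ZERO_DOUBLE = 1 << 7,
      RESULT_NON_NEG_ZERO_DOUBLE = 1 << 8, RESULT_INT32_OVERFLOW = 1 << 9;

function isInt32(v) {
  return typeof v === "number" && Number.isInteger(v) && !Object.is(v, -0) &&
         v >= -2147483648 && v <= 2147483647;
}

class ObservedType {
  constructor(bits = 0) { this.b = bits & 7; }
  bits() { return this.b; }
  isEmpty() { return this.b === 0; }
  sawInt32() { return (this.b & INT32) !== 0; }
  sawNumber() { return (this.b & NUMBER) !== 0; }
  sawNonNumber() { return (this.b & NON_NUMBER) !== 0; }
  isOnlyInt32() { return this.b === INT32; }
  isOnlyNonNumber() { return this.b === NON_NUMBER; }
  withInt32() { return new ObservedType(this.b | INT32); }
  withNumber() { return new ObservedType(this.b | NUMBER); }
  withNonNumber() { return new ObservedType(this.b | NON_NUMBER); }
  // Folds one runtime operand into the type; int32 is kept apart from other
  // numbers because the int+int fast path is the one worth preserving (hypothetical helper).
  observing(v) {
    return isInt32(v) ? this.withInt32() : typeof v === "number" ? this.withNumber() : this.withNonNumber();
  }
}

class ArithProfile {
  constructor() { this.word = 0; }                     // the entire profile
  bits() { return this.word >>> 0; }
  hasBits(flags) { return (this.word & flags) !== 0; }
  setBit(flag) { this.word |= flag; }
  lhsObservedType() { return new ObservedType(this.word >>> LHS_SHIFT); }
  rhsObservedType() { return new ObservedType(this.word >>> RHS_SHIFT); }
  setLhsObservedType(t) { this.word = (this.word & ~(7 << LHS_SHIFT)) | (t.bits() << LHS_SHIFT); }
  setRhsObservedType(t) { this.word = (this.word & ~(7 << RHS_SHIFT)) | (t.bits() << RHS_SHIFT); }
  observeLHSAndRHS(lhs, rhs) {
    this.setLhsObservedType(this.lhsObservedType().observing(lhs));
    this.setRhsObservedType(this.rhsObservedType().observing(rhs));
  }
  observeResult(result) {
    if (typeof result !== "number") this.setBit(RESULT_NON_NUMBER);
    else if (Object.is(result, -0)) this.setBit(RESULT_NEG_ZERO_DOUBLE);
    else if (!isInt32(result)) this.setBit(RESULT_NON_NEG_ZERO_DOUBLE);
  }
  didObserveNonInt32() {
    return this.hasBits(RESULT_NON_NUMBER | RESULT_NEG_ZERO_DOUBLE | RESULT_NON_NEG_ZERO_DOUBLE | RESULT_INT32_OVERFLOW);
  }
}

// Which inline code op_add gets. Per the entry: an int+int IC unless the runtime
// data says the add will not be int+int, in which case the full snippet. Emitting
// no inline code when only non-numbers were ever seen is this example's own choice.
function chooseAddStrategy(profile) {
  const l = profile.lhsObservedType(), r = profile.rhsObservedType();
  if (l.isOnlyNonNumber() || r.isOnlyNonNumber()) return "CCallOnly";
  const intOnly = (t) => t.isEmpty() || t.isOnlyInt32();
  if (intOnly(l) && intOnly(r) && !profile.hasBits(RESULT_INT32_OVERFLOW)) return "IntIntIC";
  return "FullSnippet";
}

// A mock JITMathIC for op_add: compiled from the profile, and repatched to a
// different strategy the first time its int+int type check fails.
class AddIC {
  constructor(profile) { this.profile = profile; this.state = chooseAddStrategy(profile); this.repatches = 0; }
  run(lhs, rhs) {
    if (this.state === "IntIntIC" && isInt32(lhs) && isInt32(rhs) && isInt32(lhs + rhs))
      return { result: lhs + rhs, path: "inline" };     // inline int+int fast path
    const result = lhs + rhs;                           // slow path: generic add ...
    this.profile.observeLHSAndRHS(lhs, rhs);            // ... plus profiling
    this.profile.observeResult(result);
    if (isInt32(lhs) && isInt32(rhs) && !isInt32(result)) this.profile.setBit(RESULT_INT32_OVERFLOW);
    if (this.state === "IntIntIC") { this.state = chooseAddStrategy(this.profile); this.repatches++; }
    return { result, path: "slow" };
  }
}

// Constructed trace: an IC compiled with an empty profile sees two int+int adds,
// then an add whose int32 result overflows, then another int+int add.
function sampleTrace() {
  const ic = new AddIC(new ArithProfile());
  const inputs = [[1, 2], [3, 4], [0x7fffffff, 1], [5, 6]];
  const paths = inputs.map(([l, r]) => ic.run(l, r).path);
  return { paths, state: ic.state, repatches: ic.repatches, profile: ic.profile };
}
```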
2214
2215 2016-07-21  Csaba Osztrogonác  <ossy@webkit.org>
2216
2217         Clarify testing mode names in run-jsc-stress-tests
2218         https://bugs.webkit.org/show_bug.cgi?id=160021
2219
2220         Reviewed by Mark Lam.
2221
2222         Default should mean really default, not default with disabled FTL. Renamed:
2223         - runMozillaTestDefault to runMozillaTestNoFTL
2224         - runMozillaTestDefaultFTL to runMozillaTestDefault
2225         - runDefault to runNoFTL
2226         - runDefaultFTL to runDefault
2227         - runLayoutTestDefault to runLayoutTestNoFTL
2228         - runLayoutTestDefaultFTL to runLayoutTestDefault
2229         - runNoisyTestDefault to runNoisyTestNoFTL
2230         - runNoisyTestDefaultFTL to runNoisyTestDefault
2231
2232         * tests/mozilla/mozilla-tests.yaml:
2233         * tests/stress/lift-tdz-bypass-catch.js:
2234         * tests/stress/obscure-error-message-dont-crash.js:
2235         * tests/stress/shadow-chicken-disabled.js:
2236
2237 2016-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2238
2239         [ES7] Introduce exponentiation expression
2240         https://bugs.webkit.org/show_bug.cgi?id=159969
2241
2242         Reviewed by Saam Barati.
2243
2244         This patch implements the exponentiation expression, e.g. `x ** y`.
2245         The exponentiation expression is introduced in ECMA262 2016 and ECMA262 2016
2246         is already released. So this is not the draft spec.
2247
2248         The exponentiation expression has 2 interesting points.
2249
2250         1. Right associative
2251
2252             To follow the mathematical convention, the ** operator is right associative.
2253             When we execute `x ** y ** z`, this is handled as `x ** (y ** z)`, not `(x ** y) ** z`.
2254             This patch introduces the right associativity to the binary operator and handles it
2255             in the operator precedence parser in Parser.cpp.
2256
2257         2. LHS of the exponentiation expression is UpdateExpression
2258
2259             ExponentiationExpression[Yield]:
2260                 UnaryExpression[?Yield]
2261                 UpdateExpression[?Yield] ** ExponentiationExpression[?Yield]
2262
2263             As we can see, the left hand side of the ExponentiationExpression is UpdateExpression, not UnaryExpression.
2264             It means that `+x ** y` becomes a syntax error. This is intentional. Without superscript in JS,
2265             `-x**y` is confusing between `-(x ** y)` and `(-x) ** y`. So ECMA262 intentionally avoids UnaryExpression here.
2266             If we need to use a negated value, we need to write parentheses explicitly e.g. `(-x) ** y`.
2267             In this patch, we ensure that the left hand side is not a unary expression by checking an operator in
2268             parseBinaryExpression. This works since `**` has the highest operator precedence in the binary operators.
2269
2270         We introduce a new bytecode, op_pow. It simply works in the same way as the other binary operators.
2271         And it is converted to ArithPow in DFG and handled in DFG and FTL.
2272         In this patch, we take the approach of just introducing a new bytecode instead of calling Math.pow.
2273         This is because we would like to execute ToNumber in the caller side, not in the callee (Math.pow) side.
2274         And we don't want to compile ** into the following.
2275
2276             lhsNumber = to_number (lhs)
2277             rhsNumber = to_number (rhs)
2278             call Math.pow(lhsNumber, rhsNumber)
2279
2280         We ensure that this patch passes all the test262 tests related to the exponentiation expression.
2281
2282         The only sensitive part to the performance is the parser changes.
2283         So we measured the code-load performance and it is neutral in my x64 Linux box (hanayamata).
2284
2285             Collected 30 samples per benchmark/VM, with 30 VM invocations per benchmark. Emitted a call to
2286             gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used
2287             the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark
2288             execution times with 95% confidence intervals in milliseconds.
2289
2290                                      baseline                  patched
2291
2292             closure              0.60499+-0.00250          0.60180+-0.00244
2293             jquery               7.89175+-0.02433    ?     7.91287+-0.04759       ?
2294
2295             <geometric>          2.18499+-0.00523          2.18207+-0.00689         might be 1.0013x faster
2296
2297         * bytecode/BytecodeList.json:
2298         * bytecode/BytecodeUseDef.h:
2299         (JSC::computeUsesForBytecodeOffset):
2300         (JSC::computeDefsForBytecodeOffset):
2301         * bytecode/CodeBlock.cpp:
2302         (JSC::CodeBlock::dumpBytecode):
2303         * bytecompiler/NodesCodegen.cpp:
2304         (JSC::emitReadModifyAssignment):
2305         * dfg/DFGByteCodeParser.cpp:
2306         (JSC::DFG::ByteCodeParser::parseBlock):
2307         * dfg/DFGCapabilities.cpp:
2308         (JSC::DFG::capabilityLevel):
2309         * jit/JIT.cpp:
2310         (JSC::JIT::privateCompileMainPass):
2311         * jit/JIT.h:
2312         * jit/JITArithmetic.cpp:
2313         (JSC::JIT::emit_op_pow):
2314         * llint/LowLevelInterpreter.asm:
2315         * parser/ASTBuilder.h:
2316         (JSC::ASTBuilder::operatorStackShouldReduce):
2317         (JSC::ASTBuilder::makePowNode):
2318         (JSC::ASTBuilder::makeMultNode):
2319         (JSC::ASTBuilder::makeDivNode):
2320         (JSC::ASTBuilder::makeModNode):
2321         (JSC::ASTBuilder::makeSubNode):
2322         (JSC::ASTBuilder::makeBinaryNode):
2323         (JSC::ASTBuilder::operatorStackHasHigherPrecedence): Deleted.
2324         * parser/Lexer.cpp:
2325         (JSC::Lexer<T>::lex):
2326         * parser/NodeConstructors.h:
2327         (JSC::PowNode::PowNode):
2328         * parser/Nodes.h:
2329         * parser/Parser.cpp:
2330         (JSC::Parser<LexerType>::parseAssignmentExpression):
2331         (JSC::isUnaryOpExcludingUpdateOp):
2332         (JSC::Parser<LexerType>::parseBinaryExpression):
2333         (JSC::isUnaryOp): Deleted.
2334         * parser/ParserTokens.h:
2335         (JSC::isUpdateOp):
2336         (JSC::isUnaryOp):
2337         * parser/SyntaxChecker.h:
2338         (JSC::SyntaxChecker::operatorStackPop):
2339         * runtime/CommonSlowPaths.cpp:
2340         (JSC::SLOW_PATH_DECL):
2341         * runtime/CommonSlowPaths.h:
2342         * tests/stress/pow-basics.js: Added.
2343         (valuesAreClose):
2344         (mathPowDoubleDouble1):
2345         (mathPowDoubleInt1):
2346         (test1):
2347         (mathPowDoubleDouble2):
2348         (mathPowDoubleInt2):
2349         (test2):
2350         (mathPowDoubleDouble3):
2351         (mathPowDoubleInt3):
2352         (test3):
2353         (mathPowDoubleDouble4):
2354         (mathPowDoubleInt4):
2355         (test4):
2356         (mathPowDoubleDouble5):
2357         (mathPowDoubleInt5):
2358         (test5):
2359         (mathPowDoubleDouble6):
2360         (mathPowDoubleInt6):
2361         (test6):
2362         (mathPowDoubleDouble7):
2363         (mathPowDoubleInt7):
2364         (test7):
2365         (mathPowDoubleDouble8):
2366         (mathPowDoubleInt8):
2367         (test8):
2368         (mathPowDoubleDouble9):
2369         (mathPowDoubleInt9):
2370         (test9):
2371         (mathPowDoubleDouble10):
2372         (mathPowDoubleInt10):
2373         (test10):
2374         (mathPowDoubleDouble11):
2375         (mathPowDoubleInt11):
2376         (test11):
2377         * tests/stress/pow-coherency.js: Added.
2378         (pow42):
2379         (build42AsDouble.opaqueAdd):
2380         (build42AsDouble):
2381         (powDouble42):
2382         (clobber):
2383         (pow42NoConstantFolding):
2384         (powDouble42NoConstantFolding):
2385         * tests/stress/pow-evaluation-order.js: Added.
2386         (shouldBe):
2387         (throw.new.Error):
2388         * tests/stress/pow-expects-update-expression-on-lhs.js: Added.
2389         (testSyntax):
2390         (testSyntaxError):
2391         (throw.new.Error):
2392         (let.token.of.tokens.testSyntax.pow):
2393         (testSyntax.pow):
2394         * tests/stress/pow-integer-exponent-fastpath.js: Added.
2395         (valuesAreClose):
2396         (mathPowDoubleDoubleTestExponentFifty):
2397         (mathPowDoubleIntTestExponentFifty):
2398         (testExponentFifty):
2399         (mathPowDoubleDoubleTestExponentTenThousands):
2400         (mathPowDoubleIntTestExponentTenThousands):
2401         (testExponentTenThousands):
2402         * tests/stress/pow-nan-behaviors.js: Added.
2403         (testIntegerBaseWithNaNExponentStatic):
2404         (mathPowIntegerBaseWithNaNExponentDynamic):
2405         (testIntegerBaseWithNaNExponentDynamic):
2406         (testFloatingPointBaseWithNaNExponentStatic):
2407         (mathPowFloatingPointBaseWithNaNExponentDynamic):
2408         (testFloatingPointBaseWithNaNExponentDynamic):
2409         (testNaNBaseStatic):
2410         (mathPowNaNBaseDynamic1):
2411         (mathPowNaNBaseDynamic2):
2412         (mathPowNaNBaseDynamic3):
2413         (mathPowNaNBaseDynamic4):
2414         (testNaNBaseDynamic):
2415         (infiniteExponentsStatic):
2416         (mathPowInfiniteExponentsDynamic1):
2417         (mathPowInfiniteExponentsDynamic2):
2418         (mathPowInfiniteExponentsDynamic3):
2419         (mathPowInfiniteExponentsDynamic4):
2420         (infiniteExponentsDynamic):
2421         * tests/stress/pow-simple.js: Added.
2422         (shouldBe):
2423         (throw.new.Error):
2424         * tests/stress/pow-stable-results.js: Added.
2425         (opaquePow):
2426         (isIdentical):
2427         * tests/stress/pow-to-number-should-be-executed-in-code-side.js: Added.
2428         (shouldBe):
2429         (throw.new.Error):
2430         * tests/stress/pow-with-constants.js: Added.
2431         (exponentIsZero):
2432         (testExponentIsZero):
2433         (exponentIsOne):
2434         (testExponentIsOne):
2435         (powUsedAsSqrt):
2436         (testPowUsedAsSqrt):
2437         (powUsedAsOneOverSqrt):
2438         (testPowUsedAsOneOverSqrt):
2439         (powUsedAsSquare):
2440         (testPowUsedAsSquare):
2441         (intIntConstantsSmallNumbers):
2442         (intIntConstantsLargeNumbers):
2443         (intIntSmallConstants):
2444         (intDoubleConstants):
2445         (doubleDoubleConstants):
2446         (doubleIntConstants):
2447         (testBaseAndExponentConstantLiterals):
2448         (exponentIsIntegerConstant):
2449         (testExponentIsIntegerConstant):
2450         (exponentIsDoubleConstant):
2451         (testExponentIsDoubleConstant):
2452         (exponentIsInfinityConstant):
2453         (testExponentIsInfinityConstant):
2454         (exponentIsNegativeInfinityConstant):
2455         (testExponentIsNegativeInfinityConstant):
2456         * tests/stress/pow-with-never-NaN-exponent.js: Added.
2457         (exponentIsNonNanDouble1):
2458         (exponentIsNonNanDouble2):
2459         (testExponentIsDoubleConstant):
2460         * tests/test262.yaml:
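
The two grammar points above (right associativity, and an UpdateExpression rather than a UnaryExpression on the left of `**`) together with the point about running ToNumber on the operands in the operator itself rather than inside Math.pow, as an added JavaScript example that is not part of this entry or of JSC's parser. The toy parser, its node shapes and every function name are this example's own assumptions.

```javascript
// Added example, not JSC code: a tiny parser and evaluator whose treatment of `**`
// follows the ES2016 grammar quoted above (UnaryExpression, or UpdateExpression **
// ExponentiationExpression), so `**` binds tighter than `*`, is right associative,
// and a unary operator directly to its left is a syntax error. Names are hypothetical.

function tokenize(src) {
  const tokens = [];
  const re = /\s+|(\d+(?:\.\d+)?)|(\*\*|[-+*\/()])|([A-Za-z_]\w*)|(.)/g;
  for (const m of src.matchAll(re)) {
    if (m[1] !== undefined) tokens.push({ type: "num", value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: "op", value: m[2] });
    else if (m[3] !== undefined) tokens.push({ type: "id", value: m[3] });
    else if (m[4] !== undefined) throw new SyntaxError(`Unexpected character '${m[4]}'`);
  }
  tokens.push({ type: "eof", value: "end of input" });
  return tokens;
}

function parse(src) {
  const tokens = tokenize(src);
  let pos = 0;
  const isOp = (v) => tokens[pos].type === "op" && tokens[pos].value === v;
  // Left-associative levels: Additive over Multiplicative over Exponentiation.
  function parseLeftAssoc(ops, next) {
    let node = next();
    while (ops.some((op) => isOp(op)))
      node = { kind: "binary", op: tokens[pos++].value, left: node, right: next() };
    return node;
  }
  const parseMultiplicative = () => parseLeftAssoc(["*", "/"], parseExponentiation);
  const parseAdditive = () => parseLeftAssoc(["+", "-"], parseMultiplicative);
  // ExponentiationExpression: only an UpdateExpression may sit to the left of `**`.
  function parseExponentiation() {
    if (isOp("-") || isOp("+")) {
      const node = parseUnary();       // UnaryExpression alternative: no `**` may follow
      if (isOp("**")) throw new SyntaxError("Unary operator used immediately before '**'");
      return node;
    }
    const base = parseUpdate();
    if (!isOp("**")) return base;
    pos++;
    // Recursing on the right operand (instead of looping) makes `**` right associative.
    return { kind: "binary", op: "**", left: base, right: parseExponentiation() };
  }
  // UnaryExpression: UpdateExpression | ('-' | '+') UnaryExpression
  function parseUnary() {
    if (isOp("-") || isOp("+"))
      return { kind: "unary", op: tokens[pos++].value, operand: parseUnary() };
    return parseUpdate();
  }
  // UpdateExpression stands in for the primaries this toy supports: number, name, ( ... ).
  function parseUpdate() {
    const t = tokens[pos++];
    if (t.type === "num") return { kind: "num", value: t.value };
    if (t.type === "id") return { kind: "id", name: t.value };
    if (t.type === "op" && t.value === "(") {
      const inner = parseAdditive();
      if (!isOp(")")) throw new SyntaxError("Expected ')'");
      pos++;
      return inner;
    }
    throw new SyntaxError(`Unexpected token ${t.value}`);
  }

  const ast = parseAdditive();
  if (tokens[pos].type !== "eof") throw new SyntaxError(`Unexpected token ${tokens[pos].value}`);
  return ast;
}

const BINARY = { "**": (l, r) => l ** r, "*": (l, r) => l * r, "/": (l, r) => l / r,
                 "+": (l, r) => l + r, "-": (l, r) => l - r };

// Evaluates an AST over numbers. As with op_pow, `**` applies ToNumber to both
// operands itself (left first, then right) and never goes through Math.pow.
function evaluate(node, env = {}) {
  switch (node.kind) {
    case "num": return node.value;
    case "id": return env[node.name];
    case "unary": {
      const v = Number(evaluate(node.operand, env));
      return node.op === "-" ? -v : v;
    }
    default: {
      const lv = evaluate(node.left, env), rv = evaluate(node.right, env);
      return BINARY[node.op](Number(lv), Number(rv));   // ToNumber(lhs), then ToNumber(rhs)
    }
  }
}

// Constructed operands whose valueOf records the order in which ToNumber ran;
// Math.pow is disabled meanwhile to show that `**` does not depend on it.
function coercionOrder(src) {
  const log = [];
  const env = { a: { valueOf() { log.push("a"); return 2; } },
                b: { valueOf() { log.push("b"); return 10; } } };
  const savedPow = Math.pow;
  Math.pow = () => { throw new Error("Math.pow must not be reached"); };
  try { return { result: evaluate(parse(src), env), log }; }
  finally { Math.pow = savedPow; }
}
```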
2461
2462 2016-07-18  Filip Pizlo  <fpizlo@apple.com>
2463
2464         Switching on symbols should be fast
2465         https://bugs.webkit.org/show_bug.cgi?id=158892
2466
2467         Reviewed by Keith Miller.
2468         
2469         This does two things: fixes some goofs in our lowering of symbol equality and adds a new phase
2470         to B3 to infer switch statements from linear chains of branches.
2471         
2472         This changes how we compile equality to Symbols to constant-fold the load of the Symbol's UID.
2473         This is necessary for making switches on Symbols inferrable. This also gives us the ability to
2474         efficiently compile strict equality comparisons of SymbolUse and UntypedUse.
2475
2476         This adds a new phase to B3, which finds chains of branches that test for (in)equality on the
2477         same value and constants, and turns them into a Switch. This can turn O(n) code into
2478         O(log n) code, or even O(1) code if the switch cases are dense.
2479         
2480         This can make a big difference in JS. Say you write a switch in which the case statements are
2481         variable resolutions. The bytecode generator cannot use a bytecode switch in this case, since
2482         we're required to evaluate the resolutions in order. But in DFG IR, we will often turn those
2483         variable resolutions into constants, since we do that for any immutable singleton. This means
2484         that B3 will see a chain of Branches: the else case of one Branch will point to a basic block
2485         that does nothing but Branch on equality on the same value as the first Branch.
2486
2487         The inference algorithm is quite simple. The basic building block is the ability to summarize
2488         a block's switch behavior. For a block that ends in a switch, this is just the collection of
2489         switch cases. For a block that ends in a branch, we recognize Branch(Equal(value, const)),
2490         Branch(NotEqual(value, const)), and Branch(value). Each of these are summarized as if they
2491         were one-case switches. We infer a new switch if both some block and its sole predecessor
2492         can be described as switches on the same value, nothing shady is going on (like loops), and
2493         the block in question does no work other than this switch. In that case, the block is killed
2494         and its cases (which we get from the summary) are added to the predecessor's switch. This
2495         algorithm runs to fixpoint.
2496         
2497         * CMakeLists.txt:
2498         * JavaScriptCore.xcodeproj/project.pbxproj:
2499         * b3/B3Generate.cpp:
2500         (JSC::B3::generateToAir):
2501         * b3/B3InferSwitches.cpp: Added.
2502         (JSC::B3::inferSwitches):
2503         * b3/B3InferSwitches.h: Added.
2504         * b3/B3Procedure.h:
2505         (JSC::B3::Procedure::cfg):
2506         * b3/B3ReduceStrength.cpp:
2507         * b3/B3Value.cpp:
2508         (JSC::B3::Value::performSubstitution):
2509         (JSC::B3::Value::isFree):
2510         (JSC::B3::Value::dumpMeta):
2511         * b3/B3Value.h:
2512         * ftl/FTLLowerDFGToB3.cpp:
2513         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent):
2514         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2515         (JSC::FTL::DFG::LowerDFGToB3::lowSymbol):
2516         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID):
2517         (JSC::FTL::DFG::LowerDFGToB3::lowNonNullObject):
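
The inference algorithm described above (summarize each block's switch behaviour, fold a do-nothing block into its sole predecessor when both switch on the same value, run to fixpoint), as an added JavaScript toy that is not JSC's B3InferSwitches. The block and terminator representation, the sample CFG and all names are this example's assumptions; it also handles a case constant the predecessor already dispatches on, which is dropped as unreachable.

```javascript
// Added example, not JSC's B3InferSwitches: a toy of the inference described above
// over a small CFG. Block and terminator shapes and all names are hypothetical.
// A block carries `ops` (any work besides its terminator) and a terminator that is
// a Switch, a Branch on Equal/NotEqual/Value, or a Return.

function successors(term) {
  if (term.kind === "Switch") return [...term.cases.map((c) => c.target), term.fallthrough];
  if (term.kind === "Branch") return [term.taken, term.notTaken];
  return [];
}

function computePredecessors(blocks) {
  const preds = new Map([...blocks.keys()].map((n) => [n, new Set()]));
  for (const [name, block] of blocks)
    for (const s of successors(block.terminator))
      if (preds.has(s)) preds.get(s).add(name);
  return preds;
}

// Summarizes a terminator as a switch: the value tested, its constant cases and
// the fallthrough (default) target. Returns null when the block is not switch-like.
function summarize(term) {
  if (term.kind === "Switch")
    return { value: term.value, cases: term.cases.slice(), fallthrough: term.fallthrough };
  if (term.kind !== "Branch") return null;
  const { op, value, constant } = term.test;
  if (op === "Equal")     // Branch(Equal(v, c)): c -> taken, anything else -> notTaken
    return { value, cases: [{ constant, target: term.taken }], fallthrough: term.notTaken };
  if (op === "NotEqual")  // Branch(NotEqual(v, c)): c -> notTaken, anything else -> taken
    return { value, cases: [{ constant, target: term.notTaken }], fallthrough: term.taken };
  if (op === "Value")     // Branch(v): 0 -> notTaken, anything else -> taken
    return { value, cases: [{ constant: 0, target: term.notTaken }], fallthrough: term.taken };
  return null;
}

// Folds a do-nothing block into its sole predecessor when both switch on the same
// value and the block is that predecessor's fallthrough; repeats to fixpoint.
function inferSwitches(blocks) {
  for (let changed = true; changed; ) {
    changed = false;
    const preds = computePredecessors(blocks);
    for (const [name, block] of blocks) {
      if (block.ops.length !== 0) continue;                 // does work besides the switch
      const p = preds.get(name);
      if (p.size !== 1) continue;                            // needs exactly one predecessor
      const predName = [...p][0];
      if (predName === name) continue;
      const pred = blocks.get(predName);
      const pSum = summarize(pred.terminator), bSum = summarize(block.terminator);
      if (!pSum || !bSum || pSum.value !== bSum.value || pSum.fallthrough !== name) continue;
      const targets = successors(block.terminator);
      if (targets.includes(name) || targets.includes(predName)) continue;  // no loops
      // A constant the predecessor already dispatches on can never reach this
      // block, so such a case is unreachable and is dropped rather than duplicated.
      const cases = pSum.cases.slice();
      for (const c of bSum.cases)
        if (!cases.some((x) => x.constant === c.constant)) cases.push(c);
      pred.terminator = { kind: "Switch", value: pSum.value, cases, fallthrough: bSum.fallthrough };
      blocks.delete(name);
      changed = true;
      break;                                                 // predecessor sets are stale now
    }
  }
  return blocks;
}

function describe(term) {
  if (term.kind !== "Switch") return term.kind;
  const cases = term.cases.map((c) => `${c.constant}->${c.target}`).join(", ");
  return `Switch(${term.value}) {${cases}} default ${term.fallthrough}`;
}

// Constructed sample: the branch chain a JS switch over constant-folded case
// values might lower to, plus a redundant test (b2) and a block that does work (b4).
function sampleCfg() {
  const branch = (op, value, constant, taken, notTaken) =>
    ({ kind: "Branch", test: { op, value, constant }, taken, notTaken });
  const rows = [
    ["entry", [], branch("Equal", "x", 1, "A", "b1")],
    ["b1", [], branch("NotEqual", "x", 2, "b2", "B")],
    ["b2", [], branch("Equal", "x", 1, "deadA", "b3")],
    ["b3", [], branch("Value", "x", undefined, "b4", "Z")],
    ["b4", ["Load"], branch("Equal", "x", 7, "S", "D")],
    ...["A", "B", "Z", "S", "D", "deadA"].map((n) => [n, [], { kind: "Return" }]),
  ];
  return new Map(rows.map(([name, ops, terminator]) => [name, { name, ops, terminator }]));
}
```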
2518
2519 2016-07-20  Filip Pizlo  <fpizlo@apple.com>
2520
2521         FTL snippet generators should be able to request a different register for output and input
2522         https://bugs.webkit.org/show_bug.cgi?id=160010
2523         rdar://problem/27439330
2524
2525         Reviewed by Saam Barati.
2526         
2527         The BitOr and BitXor snippet generators have problems if the register for the right input is
2528         the same as the register for the result. We could fix those generators, but I'm not convinced
2529         that the other snippet generators don't have this bug. So, the approach that this patch takes
2530         is to teach the FTL to request that B3 use a different register for the result than for
2531         any input to the snippet patchpoint.
2532         
2533         Air already has the ability to let any instruction do an EarlyDef, which means exactly this.
2534         But B3 did not expose this via ValueRep. This patch exposes this in ValueRep as
2535         SomeEarlyRegister. That's most of the change.
2536         
2537         This adds a testb3 test for SomeEarlyRegister and a regression test for this particular
2538         problem. The regression test failed on trunk JSC before this.
2539
2540         * b3/B3LowerToAir.cpp:
2541         (JSC::B3::Air::LowerToAir::lower):
2542         * b3/B3PatchpointSpecial.cpp:
2543         (JSC::B3::PatchpointSpecial::forEachArg):
2544         (JSC::B3::PatchpointSpecial::admitsStack):
2545         * b3/B3StackmapSpecial.cpp:
2546         (JSC::B3::StackmapSpecial::forEachArgImpl):
2547         (JSC::B3::StackmapSpecial::isArgValidForRep):
2548         * b3/B3Validate.cpp:
2549         * b3/B3ValueRep.cpp:
2550         (JSC::B3::ValueRep::addUsedRegistersTo):
2551         (JSC::B3::ValueRep::dump):
2552         (WTF::printInternal):
2553         * b3/B3ValueRep.h:
2554         (JSC::B3::ValueRep::ValueRep):
2555         (JSC::B3::ValueRep::reg):
2556         (JSC::B3::ValueRep::isAny):
2557         (JSC::B3::ValueRep::isReg):
2558         (JSC::B3::ValueRep::isSomeRegister): Deleted.
2559         * b3/testb3.cpp:
2560         * ftl/FTLLowerDFGToB3.cpp:
2561         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
2562         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
2563         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
2564         * tests/stress/ftl-bit-xor-right-result-interference.js: Added.
2565
2566 2016-07-20  Michael Saboff  <msaboff@apple.com>
2567
2568         CrashOnOverflow in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets
2569         https://bugs.webkit.org/show_bug.cgi?id=159954
2570
2571         Reviewed by Benjamin Poulain.
2572
2573         YarrPatternConstructor::setupAlternativeOffsets() is using the checked arithmetic class
2574         Checked<>, for offset calculations. However, the default use will just crash on
2575         overflow. Instead we should stop processing and propagate the error up the call stack.
2576
2577         Consolidated explicit error string with the common RegExp parsing error logic.
2578         Moved that logic to YarrPattern as that seems like a better common place to put it.
2579
2580         * jit/JITOperations.cpp:
2581         * llint/LLIntSlowPaths.cpp:
2582         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2583         * tests/stress/regress-159954.js: New test.
2584         * yarr/YarrParser.h:
2585         (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
2586         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
2587         (JSC::Yarr::Parser::Parser):
2588         (JSC::Yarr::Parser::isIdentityEscapeAnError):
2589         (JSC::Yarr::Parser::parseEscape):
2590         (JSC::Yarr::Parser::parseCharacterClass):
2591         (JSC::Yarr::Parser::parseParenthesesBegin):
2592         (JSC::Yarr::Parser::parseParenthesesEnd):
2593         (JSC::Yarr::Parser::parseQuantifier):
2594         (JSC::Yarr::Parser::parseTokens):
2595         (JSC::Yarr::Parser::parse):
2596         * yarr/YarrPattern.cpp:
2597         (JSC::Yarr::YarrPatternConstructor::disjunction):
2598         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
2599         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
2600         (JSC::Yarr::YarrPattern::errorMessage):
2601         (JSC::Yarr::YarrPattern::compile):
2602         * yarr/YarrPattern.h:
2603         (JSC::Yarr::YarrPattern::reset):
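
        The "record the overflow, then bail out with an error" pattern this entry describes, as an
        added C++ illustration. It is not WTF::Checked<> or Yarr code: CheckedU32, Term, ErrorCode,
        the per-term cost model (frameSize * quantityCount) and the error string are hypothetical
        stand-ins chosen to show the control flow, not the real regular expression compiler.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Hypothetical checked unsigned integer in the spirit of a "record overflow"
// policy: arithmetic never traps; a sticky flag marks the result as untrusted.
class CheckedU32 {
public:
    explicit CheckedU32(uint32_t v = 0) : m_value(v) {}
    CheckedU32& operator+=(uint32_t rhs) {
        if (m_overflowed || m_value > std::numeric_limits<uint32_t>::max() - rhs) m_overflowed = true;
        else m_value += rhs;
        return *this;
    }
    CheckedU32& operator*=(uint32_t rhs) {
        if (m_overflowed || (rhs && m_value > std::numeric_limits<uint32_t>::max() / rhs)) m_overflowed = true;
        else m_value *= rhs;
        return *this;
    }
    // Callers must test this before trusting the value; a crash-on-overflow
    // policy would have aborted the process inside operator+= / operator*=.
    bool hasOverflowed() const { return m_overflowed; }
    uint32_t unsafeValue() const { return m_value; }
private:
    uint32_t m_value;
    bool m_overflowed = false;
};

enum class ErrorCode { NoError, OffsetTooLarge };

// Simplified (assumed) term model: per-iteration frame cost and quantifier count.
struct Term {
    uint32_t frameSize;
    uint32_t quantityCount;
};

// Computes the frame size an alternative needs. On overflow it stops early and
// reports ErrorCode::OffsetTooLarge through `error` instead of aborting.
uint32_t setupAlternativeOffsets(const std::vector<Term>& terms, uint32_t currentOffset, ErrorCode& error)
{
    CheckedU32 offset(currentOffset);
    for (const Term& term : terms) {
        CheckedU32 need(term.frameSize);
        need *= term.quantityCount;                 // may overflow on its own ...
        if (need.hasOverflowed()) { error = ErrorCode::OffsetTooLarge; return 0; }
        offset += need.unsafeValue();               // ... or push the running sum over
        if (offset.hasOverflowed()) { error = ErrorCode::OffsetTooLarge; return 0; }
    }
    error = ErrorCode::NoError;
    return offset.unsafeValue();
}

// One place that maps an error code to the message surfaced to script
// (hypothetical text; the role is what matters).
const char* errorMessage(ErrorCode error)
{
    switch (error) {
    case ErrorCode::NoError: return nullptr;
    case ErrorCode::OffsetTooLarge: return "regular expression too big";
    }
    return nullptr;
}

// Constructed inputs in the style of a regress test: a small alternative, one
// whose per-term product overflows, and one whose running sum overflows.
ErrorCode compileSmallPattern(uint32_t* frameSize = nullptr)
{
    ErrorCode error;
    uint32_t size = setupAlternativeOffsets({ {2, 3}, {4, 2} }, 0, error);
    if (frameSize) *frameSize = size;
    return error;
}
uint32_t smallPatternFrameSize() { uint32_t s = 0; compileSmallPattern(&s); return s; }

ErrorCode compileMultiplyOverflowPattern()
{
    ErrorCode error;
    setupAlternativeOffsets({ {2, 0x80000000u} }, 0, error);   // 2 * 2^31 does not fit
    return error;
}

ErrorCode compileAddOverflowPattern()
{
    ErrorCode error;
    setupAlternativeOffsets({ {1, 0xFFFFFFFFu}, {1, 1} }, 0, error);   // sum wraps on the 2nd term
    return error;
}

int main()
{
    std::printf("small pattern frame size: %u\n", smallPatternFrameSize());
    std::printf("multiply overflow: %s\n", errorMessage(compileMultiplyOverflowPattern()));
    std::printf("add overflow: %s\n", errorMessage(compileAddOverflowPattern()));
    return 0;
}
```

        The check after each operation is the point: the overflow flag is sticky, so a single test at
        the end would also work, but returning as soon as it trips keeps the bad value from feeding
        later offset arithmetic.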
2604
2605 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2606
2607         The default testing mode should not involve disabling the FTL JIT
2608         https://bugs.webkit.org/show_bug.cgi?id=159929
2609
2610         Rubber stamped by Mark Lam and Saam Barati.
2611         
2612         Use the new powers to make some tests run only in the default configuration (i.e. FTL,
2613         concurrent JIT).
2614
2615         * tests/mozilla/mozilla-tests.yaml:
2616
2617 2016-07-19  Keith Miller  <keith_miller@apple.com>
2618
2619         Test262 should have a file with the revision and url
2620         https://bugs.webkit.org/show_bug.cgi?id=159937
2621
2622         Reviewed by Mark Lam.
2623
2624         The file.
2625
2626         * tests/test262/test262-Revision.txt: Added.
2627
2628 2016-07-19  Anders Carlsson  <andersca@apple.com>
2629
2630         WebCore-7602.1.42 fails to build: error: private field 'm_vm' is not used
2631         https://bugs.webkit.org/show_bug.cgi?id=159944
2632         rdar://problem/27420308
2633
2634         Reviewed by Dan Bernstein.
2635
2636         Wrap the m_vm declaration and initialization in conditional guards.
2637
2638         * Scripts/builtins/builtins_generate_internals_wrapper_header.py:
2639         (generate_members):
2640         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2641         (BuiltinsInternalsWrapperImplementationGenerator.generate_constructor):
2642         Add guards.
2643
2644         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2645         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2646         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2647         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2648         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2649         Update expected results.
2650
2651 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2652
2653         REGRESSION (r203348-r203368): ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
2654         https://bugs.webkit.org/show_bug.cgi?id=159930
2655
2656         Reviewed by Geoffrey Garen.
2657         
2658         The problem is that the 32-bit DFG can flush the scope register as an unboxed cell, but the
2659         Register::scope() method was causing us to assert that it's a JSValue with proper cell
2660         boxing. We could have forced the DFG to flush it as a boxed JSValue, but I don't think that
2661         would have made anything better. This fixes the issue by teaching Register::scope() that it
2662         might see unboxed cells.
2663
2664         * runtime/JSScope.h:
2665         (JSC::Register::scope):
2666         (JSC::ExecState::lexicalGlobalObject):
2667
2668 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2669
2670         B3 methods that mutate the successors array should take FrequentedBlock by value
2671         https://bugs.webkit.org/show_bug.cgi?id=159935
2672
2673         Reviewed by Michael Saboff.
2674         
2675         This bug was found by ASan testing. setSuccessors() takes a const FrequentedBlock&, and the
2676         caller that caused the ASan crash was doing:
2677
2678         block->setSuccessors(block->notTaken())
2679
2680         So, inside setSuccessors(), after we resize() the successors array, the const
2681         FrequentedBlock& points to nonsense.
2682
2683         The fix is to pass FrequentedBlock by value in all of these kinds of methods.
2684         
2685         No new tests, but ASan testing catches this instantly for anything that triggers CFG
2686         simplification in B3. So like half of our tests.
2687
2688         * b3/B3BasicBlock.cpp:
2689         (JSC::B3::BasicBlock::clearSuccessors):
2690         (JSC::B3::BasicBlock::appendSuccessor):
2691         (JSC::B3::BasicBlock::setSuccessors):
2692         * b3/B3BasicBlock.h:
2693         (JSC::B3::BasicBlock::successors):
2694         (JSC::B3::BasicBlock::successorBlock):
2695         * b3/B3Value.cpp:
2696         (JSC::B3::Value::replaceWithPhi):
2697         (JSC::B3::Value::replaceWithJump):
2698         (JSC::B3::Value::replaceWithOops):
2699         * b3/B3Value.h:
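
        The dangling-reference hazard this entry fixes, as an added C++ illustration that is not
        WebKit code. BasicBlock and FrequentedBlock below are hypothetical stand-ins; the
        "unsafe" method uses clear() plus shrink_to_fit() rather than the original resize() so
        that std::vector actually releases its buffer and the hazard is real, not theoretical.
        The alias check is an added debug aid, not something the entry describes.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-ins (not B3's classes).
struct FrequentedBlock {
    int block;      // stands in for the BasicBlock* target
    int frequency;  // stands in for the frequency class
};

struct BasicBlock {
    std::vector<FrequentedBlock> successors;

    // Like B3's taken()/notTaken(): references straight into the successors array.
    const FrequentedBlock& taken() const { return successors[0]; }
    const FrequentedBlock& notTaken() const { return successors[1]; }

    // True when `target` lives inside this block's own successors storage. A
    // callee that is about to resize the array can assert on this in debug
    // builds to catch aliasing callers loudly instead of reading freed memory.
    bool aliasesSuccessors(const FrequentedBlock& target) const {
        auto begin = reinterpret_cast<std::uintptr_t>(successors.data());
        auto end = begin + successors.size() * sizeof(FrequentedBlock);
        auto p = reinterpret_cast<std::uintptr_t>(&target);
        return !successors.empty() && p >= begin && p < end;
    }

    // The shape of the bug: the parameter is a reference that may point into
    // `successors`. Once the buffer is released, the final copy reads freed
    // memory when the caller passed notTaken(). Kept as the "before" version;
    // never call it with an aliasing argument.
    void setSuccessorsUnsafe(const FrequentedBlock& target) {
        successors.clear();
        successors.shrink_to_fit();   // old buffer freed; `target` may now dangle
        successors.push_back(target); // heap-use-after-free under ASan
    }

    // The fix: take FrequentedBlock by value. The copy is made before this
    // function touches the array, so releasing the buffer cannot invalidate it.
    void setSuccessors(FrequentedBlock target) {
        successors.clear();
        successors.shrink_to_fit();
        successors.push_back(target);
    }
};

// Simulates the CFG-simplification call from the entry: a two-way branch is
// rewritten into a jump to its not-taken successor. Returns the surviving
// successor's block id, or -1 if the array does not end up with one entry.
int simplifyToNotTaken() {
    BasicBlock block;
    block.successors = { {1, 0}, {2, 0} };
    assert(block.aliasesSuccessors(block.notTaken()));  // the argument aliases the array
    block.setSuccessors(block.notTaken());               // safe: by-value copy
    return block.successors.size() == 1 ? block.successors[0].block : -1;
}

// Exercises the alias check: a reference into the array is flagged, a local is not.
bool aliasCheckDistinguishes() {
    BasicBlock block;
    block.successors = { {1, 0}, {2, 0} };
    FrequentedBlock local { 3, 0 };
    return block.aliasesSuccessors(block.notTaken()) && !block.aliasesSuccessors(local);
}

int main() {
    std::printf("surviving successor: %d\n", simplifyToNotTaken());
    std::printf("alias check works: %s\n", aliasCheckDistinguishes() ? "yes" : "no");
    return 0;
}
```

        Building with -fsanitize=address and calling setSuccessorsUnsafe(block.notTaken()) reports
        the use-after-free at the push_back; the by-value version is unaffected because the
        argument is already a copy when the array is touched.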
2700
2701 2016-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2702
2703         Make builtin TypeErrors consistent
2704         https://bugs.webkit.org/show_bug.cgi?id=159899
2705
2706         Reviewed by Keith Miller.
2707
2708         Converge on the single TypeError for non-coercible this objects in builtins.
2709         Also update some other style to be more consistent with-in builtins.
2710
2711         * builtins/ArrayIteratorPrototype.js:
2712         (next):
2713         * builtins/ArrayPrototype.js:
2714         (values):
2715         (keys):
2716         (entries):
2717         (reduce):
2718         (reduceRight):
2719         (every):
2720         (forEach):
2721         (filter):
2722         (map):
2723         (some):
2724         (fill):
2725         (find):
2726         (findIndex):
2727         (includes):
2728         (sort):
2729         (concatSlowPath):
2730         (copyWithin):
2731         * builtins/StringPrototype.js:
2732         (match):
2733         (repeat):
2734         (padStart):
2735         (padEnd):
2736         (intrinsic.StringPrototypeReplaceIntrinsic.replace):
2737         (localeCompare):
2738         (search):
2739         (split):
2740         * tests/es6/String.prototype_methods_String.prototype.padEnd.js:
2741         * tests/es6/String.prototype_methods_String.prototype.padStart.js:
2742         * tests/stress/array-iterators-next-error-messages.js:
2743         (catch):
2744         * tests/stress/array-iterators-next-with-call.js:
2745         * tests/stress/regexp-match.js:
2746         (shouldThrow):
2747         * tests/stress/regexp-search.js:
2748         (shouldThrow):
2749
2750 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
2751
2752         Implement table-based switches in B3/Air
2753         https://bugs.webkit.org/show_bug.cgi?id=151141
2754
2755         Reviewed by Benjamin Poulain.
2756
2757         If a switch statement gets large, it's better to express it as an indirect jump rather than
2758         using a binary switch (divide-and-conquer tree of comparisons leading to O(log n) branches to
2759         get to the switch case). When dealing with integer switches, FTL will already use the B3
2760         Switch and expect this to get lowered as efficiently as possible; it's a bug that B3 will
2761         always use a binary switch rather than indirect jumps. When dealing with switches over some
2762         more sophisticated types, we'd want FTL to build an indirect jump table itself and use
2763         something like a hashtable to feed it. In that case, there will be no B3 Switch; we'll want
2764         some way for the FTL to directly express an indirect jump when emitting B3.
2765         
2766         This implies that we want B3 to have the ability to lower Switch to indirect jumps and to
2767         expose those indirect jumps in IR so that the FTL could do its own indirect jumps for
2768         switches over more complicated things like strings. But indirect jumps are tough to express
2769         in IR. For example, the LLVM approach ("indirectbr" and "blockaddress", see
2770         http://blog.llvm.org/2010/01/address-of-label-and-indirect-branches.html) means that some
2771         control flow edges cannot be split. Indirectbr takes an address as input and jumps to it, and
2772         blockaddress lets you build jump tables out of basic block addresses. This means that the
2773         compiler can never change any successor of an indirectbr, since the client will have already
2774         arranged for that indirectbr to jump to exactly those successors. We don't want such
2775         restrictions in B3, since B3 relies on being able to break critical edges for SSA conversion.
2776         Also, indirectbr is not cloneable, which would break any hope of doing specialization-based
2777         transformations like we want to do for multiple entrypoints (bug 159391). The goal of this
2778         change is to let clients do indirect jumps without placing any restrictions on IR.
2779         
2780         The trick is to allow Patchpoints to be used as block terminals. Patchpoints already allow
2781         clients of B3 to emit whatever code they like. Patchpoints are friendly to B3's other
2782         transformations because the client of the patchpoint has to play along with whatever
2783         decisions B3 had made around the patchpoint: what registers got used, what the control flow
2784         looks like, etc. Patchpoints can even be cloned by B3, and the client has to accommodate this
2785         in their patchpoint generator. It turns out that using Patchpoints as terminals is quite
2786         natural. We accomplish this by moving the successor edges out of ControlValue and into
2787         BasicBlock, and removing ControlValue entirely. This way, any Value subclass can be a
2788         terminal. It was already true that a Value is a terminal if value->effects().terminal, which
2789         works great with Patchpoints since they control their effects via PatchpointValue::effects.
2790         You can make your Patchpoint into a terminal by placing it at the end of a block and doing:
2791         
2792         patchpoint->effects.terminal = true;
2793         
2794         A Patchpoint in terminal position gets access to additional API in StackmapGenerationParams.
2795         The generator can get a Box<Label> for each successor to its owning block. For example, to
2796         implement a jump-table-based switch, you would make your patchpoint take the table index as
2797         its sole input. Inside the generator, you allocate the jump table and emit a BaseIndex jump
2798         that uses the jump table pointer (which will be a constant known to the generator since it
2799         just allocated it) as the base and the patchpoint input as an index. The jump table can be
2800         populated by MacroAssemblerCodePtrs computed by installing a link task to resolve the labels
2801         to concrete locations. This change makes LowerMacros do such a lowering for Switches that can
2802         benefit from jump tables. This happens recursively: if the original Switch is too sparse, we
2803         will divide-and-conquer as before. If at any recursion step we find that the remaining cases
2804         are dense and large enough to profit from a jump table, then those cases will be lowered to a
2805         Patchpoint that does the table jump. This is a fun way to do stepwise lowering: LowerMacros
2806         is essentially pre-lowering the Switch directly to machine code, and wrapping that machine
2807         code in a Patchpoint so that the rest of the compiler doesn't have to know anything about
2808         what happened. I suspect that in the future we will want to do other pre-lowerings this way,
2809         whenever the B3 IR phases have some special knowledge about what machine code should be
2810         emitted and it would be annoying to drag that knowledge through the rest of the compiler.
2811         
2812         One downside of this change is that we used ControlValue in so many places. Most of this
2813         patch involves removing references to ControlValue. It would be less than 100kb if it wasn't
2814         for that. To make this a bit easier, I added "appendNewControlValue" methods to BasicBlock,
2815         which allocate a Value and set the successors as if you had done "appendNew<ControlValue>".
2816         This made for an easy search-and-replace in testb3 and FTLOutput. I filed bug 159440 to
2817         remove this ugly stopgap method.
2818         
2819         I think that we will also end up using this facility to extend our use of snippets. We
2820         already use shared snippet generators for the generic forms of arithmetic. We will probably
2821         also want to do this for generic forms of branches. This wouldn't have been possible prior to
2822         this change, since there would have been no way to emit a control snippet in FTL. Now we can
2823         emit control snippets using terminal patchpoints.
2824
2825         This is a ~30% speed-up on microbenchmarks that have big switch statements (~60 cases). It's
2826         not a speed-up on mainstream benchmarks.
2827         
2828         This also adds a new test to testb3 for terminal Patchpoints, Get, and Set. The FTL does not
2829         currently use terminal Patchpoints directly, but we want this to be possible. It also doesn't
2830         use Get/Set directly even though we want this to be possible. It's important to test these
2831         since opcodes that result from lowering don't affect early phases, so we could have
2832         regressions in early phases related to these opcodes that wouldn't be caught by any JS test.
2833         So, this adds a very basic threaded interpreter to testb3 for a Brainfuck-style language, and
2834         tests it by having it run a program that prints the numbers 1..100 in a loop. Unlike a real
2835         threaded interpreter, it uses a common dispatch block rather than having dispatch at the
2836         terminus of each opcode. That's necessary because PolyJump is not cloneable. The state of the
2837         interpreter is represented using Variables that we Get and Set, so it tests Get/Set as well.
2838
2839         * CMakeLists.txt:
2840         * JavaScriptCore.xcodeproj/project.pbxproj:
2841         * assembler/MacroAssemblerARM64.h:
2842         (JSC::MacroAssemblerARM64::jump):
2843         * assembler/MacroAssemblerX86Common.h:
2844         (JSC::MacroAssemblerX86Common::jump):
2845         * assembler/X86Assembler.h:
2846         (JSC::X86Assembler::jmp_m):
2847         * b3/B3BasicBlock.cpp:
2848         (JSC::B3::BasicBlock::append):
2849         (JSC::B3::BasicBlock::appendNonTerminal):
2850         (JSC::B3::BasicBlock::removeLast):
2851         (JSC::B3::BasicBlock::appendIntConstant):
2852         (JSC::B3::BasicBlock::clearSuccessors):
2853         (JSC::B3::BasicBlock::appendSuccessor):
2854         (JSC::B3::BasicBlock::setSuccessors):
2855         (JSC::B3::BasicBlock::replaceSuccessor):
2856         (JSC::B3::BasicBlock::addPredecessor):
2857         (JSC::B3::BasicBlock::deepDump):
2858         (JSC::B3::BasicBlock::appendNewControlValue):
2859         * b3/B3BasicBlock.h:
2860         (JSC::B3::BasicBlock::numSuccessors):
2861         (JSC::B3::BasicBlock::successor):
2862         (JSC::B3::BasicBlock::successors):
2863         (JSC::B3::BasicBlock::successorBlock):
2864         (JSC::B3::BasicBlock::successorBlocks):
2865         (JSC::B3::BasicBlock::numPredecessors):
2866         (JSC::B3::BasicBlock::predecessor):
2867         (JSC::B3::BasicBlock::frequency):
2868         * b3/B3BasicBlockInlines.h:
2869         (JSC::B3::BasicBlock::replaceLastWithNew):
2870         (JSC::B3::BasicBlock::taken):
2871         (JSC::B3::BasicBlock::notTaken):
2872         (JSC::B3::BasicBlock::fallThrough):
2873         (JSC::B3::BasicBlock::numSuccessors): Deleted.
2874         (JSC::B3::BasicBlock::successor): Deleted.
2875         (JSC::B3::BasicBlock::successors): Deleted.
2876         (JSC::B3::BasicBlock::successorBlock): Deleted.
2877         (JSC::B3::BasicBlock::successorBlocks): Deleted.
2878         * b3/B3BlockInsertionSet.cpp:
2879         (JSC::B3::BlockInsertionSet::splitForward):
2880         * b3/B3BreakCriticalEdges.cpp:
2881         (JSC::B3::breakCriticalEdges):
2882         * b3/B3CaseCollection.cpp: Added.
2883         (JSC::B3::CaseCollection::dump):
2884         * b3/B3CaseCollection.h: Added.
2885         (JSC::B3::CaseCollection::CaseCollection):
2886         (JSC::B3::CaseCollection::operator[]):
2887         (JSC::B3::CaseCollection::iterator::iterator):
2888         (JSC::B3::CaseCollection::iterator::operator*):
2889         (JSC::B3::CaseCollection::iterator::operator++):
2890         (JSC::B3::CaseCollection::iterator::operator==):
2891         (JSC::B3::CaseCollection::iterator::operator!=):
2892         (JSC::B3::CaseCollection::begin):
2893         (JSC::B3::CaseCollection::end):
2894         * b3/B3CaseCollectionInlines.h: Added.
2895         (JSC::B3::CaseCollection::fallThrough):
2896         (JSC::B3::CaseCollection::size):
2897         (JSC::B3::CaseCollection::at):
2898         * b3/B3CheckSpecial.cpp:
2899         (JSC::B3::CheckSpecial::CheckSpecial):
2900         (JSC::B3::CheckSpecial::hiddenBranch):
2901         * b3/B3Common.h:
2902         (JSC::B3::is64Bit):
2903         * b3/B3ControlValue.cpp: Removed.
2904         * b3/B3ControlValue.h: Removed.
2905         * b3/B3DataSection.cpp:
2906         (JSC::B3::DataSection::DataSection):
2907         * b3/B3DuplicateTails.cpp:
2908         * b3/B3FixSSA.cpp:
2909         * b3/B3FoldPathConstants.cpp:
2910         * b3/B3LowerMacros.cpp:
2911         * b3/B3LowerToAir.cpp:
2912         (JSC::B3::Air::LowerToAir::run):
2913         (JSC::B3::Air::LowerToAir::lower):
2914         * b3/B3MathExtras.cpp:
2915         (JSC::B3::powDoubleInt32):
2916         * b3/B3Opcode.h:
2917         (JSC::B3::isConstant):
2918         (JSC::B3::isDefinitelyTerminal):
2919         * b3/B3PatchpointSpecial.cpp:
2920         (JSC::B3::PatchpointSpecial::generate):
2921         (JSC::B3::PatchpointSpecial::isTerminal):
2922         (JSC::B3::PatchpointSpecial::dumpImpl):
2923         * b3/B3PatchpointSpecial.h:
2924         * b3/B3Procedure.cpp:
2925         (JSC::B3::Procedure::resetReachability):
2926         * b3/B3Procedure.h:
2927         (JSC::B3::Procedure::lastPhaseName):
2928         (JSC::B3::Procedure::byproducts):
2929         * b3/B3ReduceStrength.cpp:
2930         * b3/B3StackmapGenerationParams.cpp:
2931         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
2932         (JSC::B3::StackmapGenerationParams::successorLabels):
2933         (JSC::B3::StackmapGenerationParams::fallsThroughToSuccessor):
2934         (JSC::B3::StackmapGenerationParams::proc):
2935         * b3/B3StackmapGenerationParams.h:
2936         (JSC::B3::StackmapGenerationParams::gpScratch):
2937         (JSC::B3::StackmapGenerationParams::fpScratch):
2938         * b3/B3SwitchValue.cpp:
2939         (JSC::B3::SwitchValue::~SwitchValue):
2940         (JSC::B3::SwitchValue::removeCase):
2941         (JSC::B3::SwitchValue::hasFallThrough):
2942         (JSC::B3::SwitchValue::setFallThrough):
2943         (JSC::B3::SwitchValue::appendCase):
2944         (JSC::B3::SwitchValue::dumpSuccessors):
2945         (JSC::B3::SwitchValue::dumpMeta):
2946         (JSC::B3::SwitchValue::cloneImpl):
2947         (JSC::B3::SwitchValue::SwitchValue):
2948         * b3/B3SwitchValue.h:
2949         (JSC::B3::SwitchValue::accepts):
2950         (JSC::B3::SwitchValue::caseValues):
2951         (JSC::B3::SwitchValue::cases):
2952         (JSC::B3::SwitchValue::fallThrough): Deleted.
2953         (JSC::B3::SwitchValue::size): Deleted.
2954         (JSC::B3::SwitchValue::at): Deleted.
2955         (JSC::B3::SwitchValue::operator[]): Deleted.
2956         (JSC::B3::SwitchValue::iterator::iterator): Deleted.
2957         (JSC::B3::SwitchValue::iterator::operator*): Deleted.
2958         (JSC::B3::SwitchValue::iterator::operator++): Deleted.
2959         (JSC::B3::SwitchValue::iterator::operator==): Deleted.
2960         (JSC::B3::SwitchValue::iterator::operator!=): Deleted.
2961         (JSC::B3::SwitchValue::begin): Deleted.
2962         (JSC::B3::SwitchValue::end): Deleted.
2963         * b3/B3Validate.cpp:
2964         * b3/B3Value.cpp:
2965         (JSC::B3::Value::replaceWithPhi):
2966         (JSC::B3::Value::replaceWithJump):
2967         (JSC::B3::Value::replaceWithOops):
2968         (JSC::B3::Value::dump):
2969         (JSC::B3::Value::deepDump):
2970         (JSC::B3::Value::dumpSuccessors):
2971         (JSC::B3::Value::negConstant):
2972         (JSC::B3::Value::typeFor):
2973         * b3/B3Value.h:
2974         * b3/air/AirCode.cpp:
2975         (JSC::B3::Air::Code::addFastTmp):
2976         (JSC::B3::Air::Code::addDataSection):
2977         (JSC::B3::Air::Code::jsHash):
2978         * b3/air/AirCode.h:
2979         (JSC::B3::Air::Code::isFastTmp):
2980         (JSC::B3::Air::Code::setLastPhaseName):
2981         * b3/air/AirCustom.h:
2982         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
2983         (JSC::B3::Air::PatchCustom::isTerminal):
2984         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
2985         (JSC::B3::Air::PatchCustom::generate):
2986         (JSC::B3::Air::CCallCustom::admitsStack):
2987         (JSC::B3::Air::CCallCustom::isTerminal):
2988         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
2989         (JSC::B3::Air::ShuffleCustom::admitsStack):
2990         (JSC::B3::Air::ShuffleCustom::isTerminal):
2991         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
2992         * b3/air/AirGenerate.cpp:
2993         (JSC::B3::Air::generate):
2994         * b3/air/AirGenerationContext.h:
2995         * b3/air/AirInst.h:
2996         (JSC::B3::Air::Inst::hasNonControlEffects):
2997         * b3/air/AirSimplifyCFG.cpp:
2998         (JSC::B3::Air::simplifyCFG):
2999         * b3/air/AirSpecial.cpp:
3000         (JSC::B3::Air::Special::shouldTryAliasingDef):
3001         (JSC::B3::Air::Special::isTerminal):
3002         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
3003         * b3/air/AirSpecial.h:
3004         * b3/air/AirValidate.cpp:
3005         * b3/air/opcode_generator.rb:
3006         * b3/testb3.cpp:
3007         * ftl/FTLLowerDFGToB3.cpp:
3008         * ftl/FTLOutput.cpp:
3009         (JSC::FTL::Output::jump):
3010         (JSC::FTL::Output::branch):
3011         (JSC::FTL::Output::ret):
3012         (JSC::FTL::Output::unreachable):
3013         (JSC::FTL::Output::speculate):
3014         (JSC::FTL::Output::trap):
3015         (JSC::FTL::Output::anchor):
3016         (JSC::FTL::Output::decrementSuperSamplerCount):
3017         (JSC::FTL::Output::addIncomingToPhi):
3018         * ftl/FTLOutput.h:
3019         (JSC::FTL::Output::constIntPtr):
3020         (JSC::FTL::Output::callWithoutSideEffects):
3021         (JSC::FTL::Output::switchInstruction):
3022         (JSC::FTL::Output::phi):
3023         (JSC::FTL::Output::addIncomingToPhi):
3024
3025 2016-07-18  Anders Carlsson  <andersca@apple.com>
3026
3027         WebKit nightly fails to build on macOS Sierra
3028         https://bugs.webkit.org/show_bug.cgi?id=159902
3029         rdar://problem/27365672
3030
3031         Reviewed by Tim Horton.
3032
3033         * icu/unicode/ucurr.h: Added.
3034         Add ucurr.h from ICU.
3035
3036 2016-07-18  Michael Saboff  <msaboff@apple.com>
3037
3038         ASSERTION FAILED: : (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) -- WTF/wtf/DateMath.cpp
3039         https://bugs.webkit.org/show_bug.cgi?id=159883
3040
3041         Reviewed by Filip Pizlo.
3042
3043         New test.
3044
3045         * tests/stress/regress-159883.js: Added.
3046
3047 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
3048
3049         MarkedBlocks should know that they can be used for more than JSCells
3050         https://bugs.webkit.org/show_bug.cgi?id=159643
3051
3052         Reviewed by Geoffrey Garen.
3053         
3054         This teaches the Heap that a MarkedBlock may hold either JSCells, or Auxiliary, which is
3055         not a JSCell. It teaches the heap and all of the things that walk the heap to ignore
3056         non-JSCells whenever they are looking for global objects, JSObjects, and things to trace
3057         for debugging or profiling. The idea is that we will be able to allocate butterflies and
3058         typed array backing stores as Auxiliary in MarkedSpace rather than allocating those things
3059         in CopiedSpace. That's what bug 159658 is all about.
3060         
3061         This gives us a new type, called HeapCell, which is just meant to be a class distinct from
3062         JSCell or any type we would use for Auxiliary. For convenience, JSCell is a subclass of
3063         HeapCell. HeapCell has an enum called HeapCell::Kind, which is either HeapCell::JSCell or
3064         HeapCell::Auxiliary. MarkedSpace no longer speaks of JSCells directly except when dealing
3065         with destruction.
3066         
3067         This change required doing a lot of stuff to all of those functor callbacks, since they
3068         now take HeapCell* instead of JSCell* and they take an extra HeapCell::Kind argument to
3069         tell them if they are dealing with JSCells or Auxiliary. I figured that this would be as
3070         good a time as any to convert those functors to being lambda-compatible. This means that
3071         operator() must be const. In some cases, converting the operator() to be const would have
3072         taken more work than just turning the whole thing into a lambda. Whenever this was the
3073         case, I converted the code to use lambdas. I left a lot of functors alone. In cases where
3074         the functor would benefit from being a lambda, for example because it would get rid of
3075         const_casts or mutables, I put in a FIXME referencing bug 159644.
3076
3077         * CMakeLists.txt:
3078         * JavaScriptCore.xcodeproj/project.pbxproj:
3079         * debugger/Debugger.cpp:
3080         (JSC::Debugger::SetSteppingModeFunctor::SetSteppingModeFunctor):
3081         (JSC::Debugger::SetSteppingModeFunctor::operator()):
3082         (JSC::Debugger::ToggleBreakpointFunctor::ToggleBreakpointFunctor):
3083         (JSC::Debugger::ToggleBreakpointFunctor::operator()):
3084         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::ClearCodeBlockDebuggerRequestsFunctor):
3085         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator()):
3086         (JSC::Debugger::ClearDebuggerRequestsFunctor::ClearDebuggerRequestsFunctor):
3087         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator()):
3088         * heap/CodeBlockSet.h:
3089         (JSC::CodeBlockSet::iterate):
3090         * heap/HandleSet.h:
3091         (JSC::HandleNode::next):
3092         (JSC::HandleSet::forEachStrongHandle):
3093         * heap/Heap.cpp:
3094         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
3095         (JSC::GatherHeapSnapshotData::operator()):
3096         (JSC::RemoveDeadHeapSnapshotNodes::RemoveDeadHeapSnapshotNodes):
3097         (JSC::RemoveDeadHeapSnapshotNodes::operator()):
3098         (JSC::Heap::protectedGlobalObjectCount):
3099         (JSC::Heap::globalObjectCount):
3100         (JSC::Heap::protectedObjectCount):
3101         (JSC::Heap::protectedObjectTypeCounts):
3102         (JSC::Heap::objectTypeCounts):
3103         (JSC::Heap::deleteAllCodeBlocks):
3104         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
3105         (JSC::MarkedBlockSnapshotFunctor::operator()):
3106         (JSC::Zombify::visit):
3107         (JSC::Zombify::operator()):
3108         (JSC::Heap::zombifyDeadObjects):
3109         (JSC::Heap::flushWriteBarrierBuffer):
3110         * heap/Heap.h:
3111         (JSC::Heap::handleSet):
3112         (JSC::Heap::handleStack):
3113         * heap/HeapCell.cpp: Added.
3114         (WTF::printInternal):
3115         * heap/HeapCell.h: Added.
3116         (JSC::HeapCell::HeapCell):
3117         (JSC::HeapCell::zap):
3118         (JSC::HeapCell::isZapped):
3119         * heap/HeapInlines.h:
3120         (JSC::Heap::deprecatedReportExtraMemory):
3121         (JSC::Heap::forEachCodeBlock):
3122         (JSC::Heap::forEachProtectedCell):
3123         (JSC::Heap::allocateWithDestructor):
3124         * heap/HeapStatistics.cpp:
3125         (JSC::StorageStatistics::visit):
3126         (JSC::StorageStatistics::operator()):
3127         * heap/HeapVerifier.cpp:
3128         (JSC::GatherLiveObjFunctor::visit):
3129         (JSC::GatherLiveObjFunctor::operator()):
3130         * heap/MarkedAllocator.cpp:
3131         (JSC::MarkedAllocator::allocateBlock):
3132         (JSC::MarkedAllocator::addBlock):
3133         (JSC::MarkedAllocator::reset):
3134         (JSC::MarkedAllocator::lastChanceToFinalize):
3135         (JSC::LastChanceToFinalize::operator()): Deleted.
3136         * heap/MarkedAllocator.h:
3137         (JSC::MarkedAllocator::takeLastActiveBlock):
3138         (JSC::MarkedAllocator::resumeAllocating):
3139         (JSC::MarkedAllocator::forEachBlock):
3140         * heap/MarkedBlock.cpp:
3141         (JSC::MarkedBlock::create):
3142         (JSC::MarkedBlock::destroy):
3143         (JSC::MarkedBlock::MarkedBlock):
3144         (JSC::MarkedBlock::callDestructor):
3145         (JSC::MarkedBlock::specializedSweep):
3146         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
3147         (JSC::SetNewlyAllocatedFunctor::operator()):
3148         (JSC::MarkedBlock::stopAllocating):
3149         (JSC::MarkedBlock::didRetireBlock):
3150         * heap/MarkedBlock.h:
3151         (JSC::MarkedBlock::CountFunctor::CountFunctor):
3152         (JSC::MarkedBlock::CountFunctor::count):
3153         (JSC::MarkedBlock::CountFunctor::returnValue):
3154         (JSC::MarkedBlock::needsDestruction):
3155         (JSC::MarkedBlock::cellKind):
3156         (JSC::MarkedBlock::size):
3157         (JSC::MarkedBlock::clearNewlyAllocated):
3158         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
3159         (JSC::MarkedBlock::isLive):
3160         (JSC::MarkedBlock::isLiveCell):
3161         (JSC::MarkedBlock::forEachCell):
3162         (JSC::MarkedBlock::forEachLiveCell):
3163         (JSC::MarkedBlock::forEachDeadCell):
3164         * heap/MarkedSpace.cpp:
3165         (JSC::MarkedSpace::MarkedSpace):
3166         (JSC::MarkedSpace::~MarkedSpace):
3167         (JSC::MarkedSpace::lastChanceToFinalize):
3168         (JSC::MarkedSpace::sweep):
3169         (JSC::MarkedSpace::zombifySweep):
3170         (JSC::MarkedSpace::resetAllocators):
3171         (JSC::MarkedSpace::visitWeakSets):
3172         (JSC::MarkedSpace::reapWeakSets):
3173         (JSC::MarkedSpace::forEachAllocator):
3174         (JSC::MarkedSpace::stopAllocating):
3175         (JSC::MarkedSpace::resumeAllocating):
3176         (JSC::MarkedSpace::isPagedOut):
3177         (JSC::MarkedSpace::shrink):
3178         (JSC::clearNewlyAllocatedInBlock):
3179         (JSC::MarkedSpace::clearNewlyAllocated):
3180         (JSC::MarkedSpace::clearMarks):
3181         (JSC::Free::Free): Deleted.
3182         (JSC::Free::operator()): Deleted.
3183         (JSC::FreeOrShrink::FreeOrShrink): Deleted.
3184         (JSC::FreeOrShrink::operator()): Deleted.
3185         (JSC::VisitWeakSet::VisitWeakSet): Deleted.
3186         (JSC::VisitWeakSet::operator()): Deleted.
3187         (JSC::ReapWeakSet::operator()): Deleted.
3188         (JSC::LastChanceToFinalize::operator()): Deleted.
3189         (JSC::StopAllocatingFunctor::operator()): Deleted.
3190         (JSC::ResumeAllocatingFunctor::operator()): Deleted.
3191         (JSC::ClearNewlyAllocated::operator()): Deleted.
3192         (JSC::VerifyNewlyAllocated::operator()): Deleted.
3193         * heap/MarkedSpace.h:
3194         (JSC::MarkedSpace::forEachLiveCell):
3195         (JSC::MarkedSpace::forEachDeadCell):
3196         (JSC::MarkedSpace::allocatorFor):
3197         (JSC::MarkedSpace::allocateWithDestructor):
3198         (JSC::MarkedSpace::forEachBlock):
3199         (JSC::MarkedSpace::didAddBlock):
3200         (JSC::MarkedSpace::objectCount):
3201         (JSC::MarkedSpace::size):
3202         (JSC::MarkedSpace::capacity):
3203         (JSC::ClearMarks::operator()): Deleted.
3204         (JSC::Sweep::operator()): Deleted.
3205         (JSC::ZombifySweep::operator()): Deleted.
3206         (JSC::MarkCount::operator()): Deleted.
3207         (JSC::Size::operator()): Deleted.
3208         * runtime/JSCell.h:
3209         (JSC::JSCell::zap): Deleted.
3210         (JSC::JSCell::isZapped): Deleted.
3211         * runtime/JSCellInlines.h:
3212         (JSC::allocateCell):
3213         (JSC::JSCell::isObject):
3214         (JSC::isZapped): Deleted.
3215         * runtime/JSGlobalObject.cpp:
3216         * tools/JSDollarVMPrototype.cpp:
3217         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
3218         (JSC::CellAddressCheckFunctor::operator()):
3219
3220 2016-07-18  Filip Pizlo  <fpizlo@apple.com>
3221
3222         Repeatedly creating and destroying workers that enqueue DFG plans can outpace the DFG worklist, which then causes VM shutdown to stall, which then causes memory growth
3223         https://bugs.webkit.org/show_bug.cgi?id=159754
3224
3225         Reviewed by Geoffrey Garen.
3226         
3227         If you create and destroy workers at a high rate and those workers enqueue some DFG plans
3228         that are still not compiled at the time that the worker is closed, then the closed workers
3229         end up stalling in VM::~VM waiting for the DFG worklist thread to finish those plans. Since
3230         we don't actually cancel the plans, it's easy to create a situation where the workers
3231         outpace the DFG worklist, especially if you create many workers at a time and each one
3232         finishes just after enqueueing those plans.
3233         
3234         The solution is to allow VM::~VM to remove plans from the DFG worklist that are related to
3235         that VM but aren't currently being worked on. That turns out to be an easy change.
3236         
3237         I have a test that repros this, but it's quite long-running. I call it workers/bomb.html. We
3238         may want to exclude it from test runs because of how long it takes.
3239
3240         * dfg/DFGWorklist.cpp:
3241         (JSC::DFG::Worklist::removeDeadPlans):
3242         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
3243         (JSC::DFG::Worklist::queueLength):
3244         (JSC::DFG::Worklist::runThread):
3245         * dfg/DFGWorklist.h:
3246         * runtime/VM.cpp:
3247         (JSC::VM::~VM):
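
        The worklist behaviour described in this entry, as an added illustration that is
        not JavaScriptCore's code: a constructed, single-file model of a compilation
        worklist in which plans are tagged with the VM that owns them and a plan becomes
        untouchable once the compiler thread has picked it up. The names Plan, Worklist,
        removeNonCompilingPlansForVM and queueLength mirror the functions listed above
        but their bodies, the VMId type and the simulateWorkerTeardown scenario are
        assumptions made for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <deque>
#include <memory>
#include <mutex>

// Constructed model of a DFG-style worklist (illustration only, not JSC code).
using VMId = unsigned;

struct Plan {
    enum class Stage { Queued, Compiling, Done };
    Plan(VMId v, unsigned f) : vm(v), functionId(f) {}
    VMId vm;              // the VM that enqueued this plan
    unsigned functionId;  // which function the plan would compile (constructed id)
    Stage stage = Stage::Queued;
};

class Worklist {
public:
    void enqueue(VMId vm, unsigned functionId) {
        std::lock_guard<std::mutex> lock(m_lock);
        m_plans.push_back(std::make_shared<Plan>(vm, functionId));
    }

    // Compiler thread side: take the oldest queued plan and mark it Compiling.
    // Returns nullptr when nothing is queued.
    std::shared_ptr<Plan> takeNextForCompilation() {
        std::lock_guard<std::mutex> lock(m_lock);
        for (auto& plan : m_plans) {
            if (plan->stage == Plan::Stage::Queued) {
                plan->stage = Plan::Stage::Compiling;
                return plan;
            }
        }
        return nullptr;
    }

    void finishCompilation(const std::shared_ptr<Plan>& plan) {
        std::lock_guard<std::mutex> lock(m_lock);
        plan->stage = Plan::Stage::Done;
        m_plans.erase(std::remove(m_plans.begin(), m_plans.end(), plan), m_plans.end());
    }

    // The fix this entry describes: on VM teardown, drop every plan that belongs
    // to that VM and has not started compiling. A plan already on the compiler
    // thread is left alone; the VM destructor still has to wait for that one.
    // Returns the number of plans dropped.
    size_t removeNonCompilingPlansForVM(VMId vm) {
        std::lock_guard<std::mutex> lock(m_lock);
        size_t before = m_plans.size();
        m_plans.erase(std::remove_if(m_plans.begin(), m_plans.end(),
            [vm](const std::shared_ptr<Plan>& p) {
                return p->vm == vm && p->stage == Plan::Stage::Queued;
            }), m_plans.end());
        return before - m_plans.size();
    }

    // Plans of this VM that its destructor would still block on.
    size_t plansStillPendingForVM(VMId vm) {
        std::lock_guard<std::mutex> lock(m_lock);
        return static_cast<size_t>(std::count_if(m_plans.begin(), m_plans.end(),
            [vm](const std::shared_ptr<Plan>& p) { return p->vm == vm; }));
    }

    size_t queueLength() {
        std::lock_guard<std::mutex> lock(m_lock);
        return static_cast<size_t>(std::count_if(m_plans.begin(), m_plans.end(),
            [](const std::shared_ptr<Plan>& p) { return p->stage == Plan::Stage::Queued; }));
    }

private:
    std::mutex m_lock;
    std::deque<std::shared_ptr<Plan>> m_plans;
};

struct TeardownResult {
    size_t dropped;          // plans removed without ever compiling
    size_t queueLength;      // queued plans left for other VMs
    size_t pendingDuring;    // plans vm 1 waits on while one is still compiling
    size_t pendingAfter;     // plans vm 1 waits on once that compile finishes
};

// Scenario from the entry: a short-lived worker (vm 1) enqueues three plans and
// is destroyed while only the first of them is on the compiler thread.
TeardownResult simulateWorkerTeardown() {
    Worklist worklist;
    worklist.enqueue(1, 10);
    worklist.enqueue(1, 11);
    worklist.enqueue(1, 12);
    worklist.enqueue(2, 20); // a long-lived VM whose plan must survive
    auto inFlight = worklist.takeNextForCompilation(); // vm 1, function 10
    TeardownResult r;
    r.dropped = worklist.removeNonCompilingPlansForVM(1); // drops 11 and 12
    r.queueLength = worklist.queueLength();               // only vm 2's plan
    r.pendingDuring = worklist.plansStillPendingForVM(1);  // the in-flight one
    worklist.finishCompilation(inFlight);
    r.pendingAfter = worklist.plansStillPendingForVM(1);
    return r;
}

int main() {
    TeardownResult r = simulateWorkerTeardown();
    std::printf("dropped=%zu queue=%zu pending(during)=%zu pending(after)=%zu\n",
                r.dropped, r.queueLength, r.pendingDuring, r.pendingAfter);
    return 0;
}
```

        Without removeNonCompilingPlansForVM the destructor in this model would wait on
        all three plans; with it, only the one the compiler thread already holds is left,
        and plans belonging to other VMs stay queued untouched.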
3248
3249 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
3250
3251         Object.preventExtensions/seal/freeze makes code much slower
3252         https://bugs.webkit.org/show_bug.cgi?id=143247
3253
3254         Reviewed by Michael Saboff.
3255         
3256         This has been a huge pet peeve of mine for a long time, but I was always afraid of fixing
3257         it because I thought that it would be hard. Well, it looks like it's not hard at all.
3258         
3259         The problem is that you cannot mutate a structure that participates in transition caching.
3260         You can only clone the structure and mutate that one. But if you do this, you have to make
3261         a hard choice:
3262         
3263         1) Clone the structure without caching the transition. This is what the code did before
3264            this change. It's the most obvious choice, but it introduces an uncacheable transition
3265            that leads to an explosion of structures, which then breaks all inline caches.
3266         
3267         2) Perform one of the existing cacheable transitions. Cacheable transitions can either add
3268            properties or they can do one of the NonPropertyTransitions, which until now have been
3269            restricted to just IndexingType transitions. So, only adding transitions or making
3270            certain prescribed changes to the indexing type count as cacheable transitions.
3271         
3272         This change decouples NonPropertyTransition from IndexingType and adds three new kinds of
3273         transitions: PreventExtensions, Seal, and Freeze. We have to give any cacheable transition
3274         a name that fully disambiguates this transition from any other, so that the transition can
3275         be cached. Since we're already giving them names in an enum, I figured that the most
3276         pragmatic way to implement them is to have Structure::nonPropertyTransition() case on the
3277         NonPropertyTransition and implement all of the mutations associated with that transition.
3278         The alternative would have been to allow callers of nonPropertyTransition() to supply