Heap Snapshot should include different Edge types and data (Property, Index, Variable)
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-03-07  Joseph Pecoraro  <pecoraro@apple.com>

        Heap Snapshot should include different Edge types and data (Property, Index, Variable)
        https://bugs.webkit.org/show_bug.cgi?id=154937

        Reviewed by Geoffrey Garen.

        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendHidden):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::appendHidden):
        (JSC::SlotVisitor::appendValuesHidden):
        Add new visit methods to visit a reference without snapshotting the edge.

        * heap/Heap.cpp:
        (JSC::AddExtraHeapSnapshotEdges::AddExtraHeapSnapshotEdges):
        (JSC::AddExtraHeapSnapshotEdges::operator()):
        (JSC::Heap::addHeapSnapshotEdges):
        (JSC::Heap::removeDeadHeapSnapshotNodes):
        (JSC::Heap::collectImpl):
        * heap/Heap.h:
        After marking, visit the live cells for a chance to record extra
        heap snapshotting information about the cell.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::appendNode):
        (JSC::HeapSnapshotBuilder::appendEdge):
        (JSC::HeapSnapshotBuilder::appendPropertyNameEdge):
        (JSC::HeapSnapshotBuilder::appendVariableNameEdge):
        (JSC::HeapSnapshotBuilder::appendIndexEdge):
        (JSC::HeapSnapshotBuilder::json):
        * heap/HeapSnapshotBuilder.h:
        (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
        Construct edges with extra data.

        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::heapSnapshot):
        * runtime/JSCell.h:
        Add a new method to provide cells with an opportunity to provide
        extra heap snapshotting information.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::heapSnapshot):
        (JSC::JSFinalObject::visitChildren):
        * runtime/JSObject.h:
        Capture object property names and index names when heap snapshotting.
        Do not include them as internal edges in normal visitChildren.

        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::visitChildren):
        (JSC::JSEnvironmentRecord::heapSnapshot):
        * runtime/JSEnvironmentRecord.h:
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        (JSC::JSSegmentedVariableObject::heapSnapshot):
        * runtime/JSSegmentedVariableObject.h:
        Capture scope variable names when heap snapshotting.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::propertyTable):
        When performing a heap snapshotting collection, don't clear the
        property table so that accessing the table during this GC is okay.

        * tests/heapProfiler/driver/driver.js:
        * tests/heapProfiler/property-edge-types.js: Added.
        * tests/heapProfiler/variable-edge-types.js: Added.
        Tests covering the different edge types and data we capture.

2016-03-07  Saam Barati  <sbarati@apple.com>

        [ES6] Implement Proxy.[[GetPrototypeOf]]
        https://bugs.webkit.org/show_bug.cgi?id=155099

        Reviewed by Mark Lam.

        This patch is a straightforward implementation of Proxy.[[GetPrototypeOf]]
        with respect to section 9.5.1 of the ECMAScript spec.
        https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-getprototypeof

        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::setPrototype):
        (JSC::ProxyObject::performGetPrototype):
        (JSC::ProxyObject::getPrototype):
        (JSC::ProxyObject::visitChildren):
        * runtime/ProxyObject.h:
        * tests/es6.yaml:
        * tests/stress/proxy-get-prototype-of.js: Added.
        (assert):
        (throw.new.Error.let.handler.get getPrototypeOf):
        (throw.new.Error.get let):
        (throw.new.Error.get catch):
        (throw.new.Error):
        (assert.let.handler.getPrototypeOf):
        (assert.get let):
        (assert.get catch):
        (assert.):
        (let.handler.getPrototypeOf):
        (get let):
        (let.handler.has):

2016-03-07  Brian Burg  <bburg@apple.com>

        Web Inspector: rename generated *EnumConversionHelpers.h to *TypeConversions.h
        https://bugs.webkit.org/show_bug.cgi?id=155121
        <rdar://problem/25010391>

        Reviewed by Timothy Hatcher.

        Split out this renaming from the work to generate factory method stubs for types.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/scripts/codegen/__init__.py:
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objc_conversion_helpers.py.
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification):

        Rebaseline tests after changing generator order.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-03-07  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Improve and64() and or64() with immediate on x86
        https://bugs.webkit.org/show_bug.cgi?id=155104

        Reviewed by Geoffrey Garen.

        GetButterflyReadOnly was doing:
            movq 0x8(%rbx), %r9
            movq $0xfffffffffffffffc, %r11
            andq %r11, %r9
        There is no need for the move to load the immediate;
        andq sign extends its immediate.

        With this patch, we have:
            movq 0x8(%rbx), %r9
            andq $0xfffffffffffffffc, %r9

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::and64):
        (JSC::MacroAssemblerX86_64::or64):

2016-03-07  Brian Burg  <bburg@apple.com>

        Web Inspector: It should be possible to initialize generated ObjC protocol types from an NSDictionary payload
        https://bugs.webkit.org/show_bug.cgi?id=155102
        <rdar://problem/25002015>

        Reviewed by Timothy Hatcher.

        In Objective-C code, we sometimes prefer to parse JSON using Cocoa rather
        than the InspectorValue classes. Support initializing protocol objects
        directly from an NSDictionary payload. This delegates validation of values to
        the setter methods that already exist on the protocol object classes.

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._generate_type_interface):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.payload_to_objc_expression_for_member):
        Add a new helper method to generate an expression to unpack the value
        from an NSDictionary. If it's not a primitive, the setter performs
        validation of the value's kind using -[NSObject isKindOfClass:].

        Rebaseline relevant tests.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-03-07  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Simplify the overflow check of ArithAbs
        https://bugs.webkit.org/show_bug.cgi?id=155063

        Reviewed by Geoffrey Garen.

        The only integer that overflows abs(int32) is INT_MIN.
        For some reason, our code testing for that case
        was checking the top bit of the result specifically.

        The code required a large immediate on x86 and an extra
        register on ARM64.

        This patch turns the overflow check into a branch on
        the sign of the result.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
        * jit/ThunkGenerators.cpp:
        (JSC::absThunkGenerator):
        * tests/stress/arith-abs-overflow.js: Added.
        (opaqueAbs):
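The ArithAbs entry above says INT_MIN is the only int32 whose absolute value overflows, and that a sign check on the result is enough. The following C model is an added illustration, not JavaScriptCore code: it implements both the old top-bit-mask check and the new sign check side by side (helper names are hypothetical) and confirms they agree.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helpers (not JSC code) modelling the two overflow checks for
 * abs() on an int32. In two's complement the only input whose absolute value
 * does not fit is INT32_MIN, and abs(INT32_MIN) wraps back to INT32_MIN, so
 * the result is negative exactly when an overflow happened. */

/* Negate through unsigned arithmetic so INT32_MIN wraps instead of being UB. */
static int32_t wrapping_abs32(int32_t x)
{
    uint32_t u = (uint32_t)x;
    return (int32_t)(x < 0 ? 0u - u : u);
}

/* Old-style check: mask off the top bit of the result. The mask 0x80000000 is
 * a large immediate on x86 and needs a scratch register on ARM64. */
static bool abs_overflowed_mask(int32_t result)
{
    return ((uint32_t)result & 0x80000000u) != 0;
}

/* New-style check: a signed compare against zero, i.e. a branch on the sign. */
static bool abs_overflowed_sign(int32_t result)
{
    return result < 0;
}

/* Checked abs: returns false (and leaves *out untouched) on overflow. */
static bool checked_abs32(int32_t x, int32_t *out)
{
    int32_t r = wrapping_abs32(x);
    if (abs_overflowed_sign(r))
        return false;
    *out = r;
    return true;
}

/* Sweep a band of edge-case inputs (constructed sample) to confirm that the
 * two checks always agree and that INT32_MIN is the only value that
 * overflows. Returns the overflow count; *agree reports whether the checks
 * ever disagreed. */
static int count_overflows_and_check_agreement(bool *agree)
{
    static const int32_t probes[] = {
        INT32_MIN, INT32_MIN + 1, -2, -1, 0, 1, 2, INT32_MAX - 1, INT32_MAX
    };
    int overflows = 0;
    *agree = true;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int32_t r = wrapping_abs32(probes[i]);
        bool by_mask = abs_overflowed_mask(r);
        bool by_sign = abs_overflowed_sign(r);
        if (by_mask != by_sign)
            *agree = false;
        if (by_sign)
            overflows++;
    }
    return overflows;
}
```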

2016-03-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve how DFG zeroes Floating Point registers
        https://bugs.webkit.org/show_bug.cgi?id=155096

        Reviewed by Geoffrey Garen.

        DFG had a weird way of zeroing a FPR:
            -zero a GP.
            -move that to a FP.

        Filip added moveZeroToDouble() for B3. This patch
        uses that in the lower tiers.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::moveZeroToDouble):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):

2016-03-07  Andreas Kling  <akling@apple.com>

        REGRESSION (r197303): Web Inspector crashes web process when inspecting an element on TOT
        <https://webkit.org/b/154812>

        Reviewed by Geoffrey Garen.

        Guard against null pointer dereference for UnlinkedCodeBlocks that don't have any control flow
        profiling data.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets):

2016-03-07  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Remove a useless "Move" from baseline-JIT op_mul's fast path
        https://bugs.webkit.org/show_bug.cgi?id=155071

        Reviewed by Geoffrey Garen.

        We do not need to multiply to a scratch and then move the result
        to the destination. We can just multiply to the destination.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_mul):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):

2016-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] StringObject.{put, defineOwnProperty} should realize indexed properties
        https://bugs.webkit.org/show_bug.cgi?id=155089

        Reviewed by Geoffrey Garen.

        Through implementing Reflect.set[1], we found StringObject does not obey the spec.
        StringObject::put should call putByIndex if the given propertyName is an index.
        And StringObject::defineOwnProperty should recognize indexed properties since
        JSObject::defineOwnIndexedProperty is specialized to JSObject layout.
        Before calling JSObject::defineOwnProperty,
        StringObject should handle its special indexed own properties.
        It is the responsibility of StringObject::defineOwnProperty.

        And the logic is cleaned up by using validateAndApplyPropertyDescriptor.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=155024

        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        (JSC::isStringOwnProperty):
        (JSC::StringObject::defineOwnProperty):
        (JSC::StringObject::deleteProperty):
        * tests/stress/string-object-define-own-property.js: Added.
        (shouldBe):
        (shouldThrow):
        * tests/stress/string-object-put-by-index.js: Added.
        (shouldBe):
        (shouldThrow):
        (testSloppy):
        (testStrict):

2016-03-06  Brian Burg  <bburg@apple.com>

        Web Inspector: the protocol generator should have separate prefix options for Objective-C classes and filenames
        https://bugs.webkit.org/show_bug.cgi?id=155101
        <rdar://problem/25000053>

        Reviewed by Timothy Hatcher.

        It should be possible to generate Objective-C protocol types without prefixing all class names.
        The prefixes are only necessary when the generated files are part of a framework, but this isn't
        how the generated Objective-C frontend files are used.

        Add a separate framework setting and switch over code to use the 'protocol_group' in filenames,
        and the 'objc_prefix' for Objective-C enum and class prefixes.

        No tests need to be rebaselined because tests always set the protocol_group and objc_prefix
        to the same value.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator.output_filename):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator.output_filename):
        (ObjCConfigurationImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        (ObjCConfigurationHeaderGenerator.output_filename):
        (ObjCConfigurationHeaderGenerator.generate_output):
        (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
        * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.output_filename):
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
        * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
        (ObjCConversionHelpersGenerator.output_filename):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.output_filename):
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator.output_filename):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.output_filename):
        (ObjCInternalHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.output_filename):
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/codegen/models.py:
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator):
        (ObjCGenerator.protocol_name):
        (ObjCGenerator.objc_prefix):

2016-03-06  Brian Burg  <bburg@apple.com>

        Unreviewed, rebaseline inspector protocol generator tests after r197563.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:

2016-03-06  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Improve DFG's Int32 ArithMul if one operand is a constant
        https://bugs.webkit.org/show_bug.cgi?id=155066

        Reviewed by Filip Pizlo.

        When multiplying an integer by a constant, DFG was doing quite
        a bit worse than baseline JIT.
        We were loading the constant into a register, doing the multiply,
        then checking the result and both operands for negative zero.

        This patch changes:
        -Use the multiply-by-immediate form on x86.
        -Do as few checks as possible to detect negative-zero.

        In most cases, this reduces the negative-zero checks
        to zero or one TEST+JUMP.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::mul32):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMul):
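The ArithMul entry above says that with a constant operand the negative-zero check shrinks to zero or one TEST+JUMP. The C model below is an added illustration, not JavaScriptCore code, and goes a step further than the entry by spelling out the case split (positive constant: no check; negative constant: test the other operand for zero; zero constant: test the other operand's sign) and cross-checking it against IEEE-754 semantics. Names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model (not JSC code) of an Int32 multiply where one operand is
 * a compile-time constant c. JS numbers are doubles, so x * c can be -0 even
 * for integer inputs; an int32 fast path yields a plain 0 there, so the JIT
 * must detect exactly those cases and take the slow path. */

enum neg_zero_check { NO_CHECK, CHECK_OTHER_IS_ZERO, CHECK_OTHER_IS_NEGATIVE };

/* Which single test (if any) the other operand x needs for constant c:
 *  - c > 0: a zero product means x == 0, and (+0) * c is +0. No check.
 *  - c < 0: the product is -0 exactly when x == 0 (one test against zero).
 *  - c == 0: the product is -0 exactly when x < 0 (one test on the sign). */
static enum neg_zero_check check_for_constant(int32_t c)
{
    if (c > 0)
        return NO_CHECK;
    if (c < 0)
        return CHECK_OTHER_IS_ZERO;
    return CHECK_OTHER_IS_NEGATIVE;
}

/* Apply the chosen check to the non-constant operand. */
static bool needs_slow_path(int32_t x, int32_t c)
{
    switch (check_for_constant(c)) {
    case CHECK_OTHER_IS_ZERO:
        return x == 0;
    case CHECK_OTHER_IS_NEGATIVE:
        return x < 0;
    default:
        return false;
    }
}

/* -0 is the double whose only set bit is the sign bit; inspect the bits
 * directly so no libm call is needed. */
static bool is_negative_zero(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return bits == (UINT64_C(1) << 63);
}

/* Ground truth: the product as JS would compute it in double precision. */
static bool product_is_negative_zero(int32_t x, int32_t c)
{
    return is_negative_zero((double)x * (double)c);
}

/* Cross-check the fast-path decision against IEEE semantics on a constructed
 * grid of operands; returns the number of disagreements (expected 0). */
static int mismatches(void)
{
    static const int32_t vals[] = { -3, -1, 0, 1, 3, INT32_MIN, INT32_MAX };
    const size_t n = sizeof vals / sizeof vals[0];
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            if (needs_slow_path(vals[i], vals[j]) != product_is_negative_zero(vals[i], vals[j]))
                bad++;
    return bad;
}
```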

2016-03-06  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Remove a superfluous Move in front of every double unboxing
        https://bugs.webkit.org/show_bug.cgi?id=155064

        Reviewed by Saam Barati.

        Double unboxing was always doing:
            Move source, scratch
            Add64 tag, scratch
            IntToDouble scratch, fp

        We do not need to "Move" to copy the source.
        Both x86 and ARM64 have an efficient 3-operand Add instruction.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::speculateRealNumber):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::unboxDouble):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
        (JSC::AssemblyHelpers::unboxDouble):
        (JSC::AssemblyHelpers::unboxDoubleNonDestructive):

2016-03-06  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Use 3 operands Add in more places
        https://bugs.webkit.org/show_bug.cgi?id=155082

        Reviewed by Filip Pizlo.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::addPtr):
        (JSC::MacroAssembler::add32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add32):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        The case with child1 constant is useless.
        The canonical form will have the constant as child2.

        Also add register reuse for the fast-add.
        Registers are a scarce resource on x86.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):

2016-03-06  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve codegen of Compare and Test
        https://bugs.webkit.org/show_bug.cgi?id=155055

        Reviewed by Filip Pizlo.

        This patch introduces a few improvements on how we lower
        Compare and Test with immediates:
            -Add certain Immediate forms of ARM64.
            -Use CBZ/CBNZ when possible on ARM64.
            -When possible, convert a CMP into a TST.
             On some hardware, we can issue more TST simultaneously.

             On x86, any TST+Jump is a candidate for macro-fusion.
             They are also smaller.
             (sections 3.4.2.2 and 3.5.1.9)
            -Do not load the mask immediate of a TST
             if it only contains ones (mostly useful for ARM64
             since that would not have been a valid immediate).

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::compare32):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
        This is somewhat unrelated but I found that out while working
        on moveDoubleConditionallyTest32:
            If "thenCase" and "dest" are assigned the same register
            by the allocator, then the first (f)fcsel would override
            the "thenCase" and the second fcsel would always be "elseCase".

        This is covered by testb3 but was only uncovered
        after recent "Move" removals in lowering.

        (JSC::MacroAssemblerARM64::moveConditionally32):
        (JSC::MacroAssemblerARM64::moveConditionally64):
        (JSC::MacroAssemblerARM64::moveConditionallyTest32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
        (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
        (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
        (JSC::MacroAssemblerARM64::branch32):
        (JSC::MacroAssemblerARM64::branch64):
        (JSC::MacroAssemblerARM64::branchTest32):
        (JSC::MacroAssemblerARM64::test32):
        The version taking an immediate was guarded by
        (cond == Zero) || (cond == NonZero). That is overzealous,
        and only needed for CBZ/CBNZ.

        (JSC::MacroAssemblerARM64::branchTest64):
        (JSC::MacroAssemblerARM64::compare32):
        (JSC::MacroAssemblerARM64::compare64):
        (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::moveConditionally32):
        (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
        (JSC::MacroAssemblerX86Common::branch32):
        (JSC::MacroAssemblerX86Common::test32):
        (JSC::MacroAssemblerX86Common::branchTest32):
        (JSC::MacroAssemblerX86Common::compare32):
        (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::compare64):
        (JSC::MacroAssemblerX86_64::branch64):
        (JSC::MacroAssemblerX86_64::moveConditionally64):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createGenericCompare):
        Unfortunately this cannot be abstracted by the MacroAssembler.
        Those immediates are not valid; we have to pick the better
        form right away.

        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::int64Operands):
        (JSC::B3::modelCompare):
        (JSC::B3::testCompareImpl):
        (JSC::B3::testCompare):
        (JSC::B3::b3Pow):
        (JSC::B3::testPowDoubleByIntegerLoop):
        Some versions of pow(double, int) do not return
        the exact same bits as our integer loop.
        Added a new version to have the same behavior
        as the B3 loop.

        (JSC::B3::run):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32Compare):
        Comparing to an immediate is super common. Do not waste
        a register for that!

2016-03-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build. This was a messed up merge.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):

2016-03-06  Filip Pizlo  <fpizlo@apple.com>

        DFG should know how to speculate StringOrOther
        https://bugs.webkit.org/show_bug.cgi?id=155094

        Reviewed by Saam Barati.

        Any code that processes the regexp matches array was previously doing a relatively expensive
        Branch(Untyped:). This introduces a new use kind called StringOrOther, which is perfect for
        code that loops over the matches array and branches on the entries being non-empty.

        To do this, I needed to introduce code into the FTL that creates new blocks. We still had that
        awful FTL_NEW_BLOCK idiom since the only way to debug LLVM IR was to ascribe names to basic
        blocks. B3 IR is inherently more debuggable since unlike LLVM, B3 knows how to always respect
        code origin, and it knows how to print the code origin nicely in the dumps. So, rather than
        continue using FTL_NEW_BLOCK(m_out, ("things")), I replaced all of that stuff with
        m_out.newBlock(). It's much nicer that way.

        This is a tiny speed-up on Octane/regexp at best. I was hoping for more. Oh well.

        * bytecode/SpeculatedType.h:
        (JSC::isStringSpeculation):
        (JSC::isStringOrOtherSpeculation):
        (JSC::isSymbolSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateString):
        (JSC::DFG::Node::shouldSpeculateStringOrOther):
        (JSC::DFG::Node::shouldSpeculateStringObject):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
        (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
        (JSC::DFG::SpeculativeJIT::emitStringBranch):
        (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
        (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
        (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithDiv):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMod):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithMinOrMax):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithPow):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructure):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayifyToStructure):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsString):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
        (JSC::FTL::DFG::LowerDFGToB3::checkStructure):
        (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
        (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::loadVectorWithBarrier):
        (JSC::FTL::DFG::LowerDFGToB3::copyBarrier):
        (JSC::FTL::DFG::LowerDFGToB3::loadVectorReadOnly):
        (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
        (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
        (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
        (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
        (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
        (JSC::FTL::DFG::LowerDFGToB3::switchString):
        (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
682         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
683         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
684         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
685         (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToJSValue):
686         (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
687         (JSC::FTL::DFG::LowerDFGToB3::convertDoubleToInt32):
688         (JSC::FTL::DFG::LowerDFGToB3::speculate):
689         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
690         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
691         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
692         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
693         (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent):
694         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
695         (JSC::FTL::DFG::LowerDFGToB3::speculateRealNumber):
696         (JSC::FTL::DFG::LowerDFGToB3::speculateNotStringVar):
697         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
698         (JSC::FTL::DFG::LowerDFGToB3::callCheck):
699         * ftl/FTLOutput.cpp:
700         (JSC::FTL::Output::initialize):
701         (JSC::FTL::Output::newBlock):
702         (JSC::FTL::Output::check):
703         * ftl/FTLOutput.h:
704         (JSC::FTL::Output::setFrequency):
705         (JSC::FTL::Output::insertNewBlocksBefore):
706
707 2016-03-06  Saam Barati  <sbarati@apple.com>
708
709         [[GetPrototypeOf]] should be a fully virtual method in the method table
710         https://bugs.webkit.org/show_bug.cgi?id=155002
711
712         Reviewed by Filip Pizlo.
713
714         This patch makes us more consistent with how the ES6 specification models the
715         [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
716         is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
717         still allows directly accessing the prototype for situations where this
718         is the desired behavior. This is equivalent to getting the internal
719         [[Prototype]] field as described in the specification. 
720
721         * API/JSObjectRef.cpp:
722         (JSObjectGetPrototype):
723         (JSObjectSetPrototype):
724         * dfg/DFGOperations.cpp:
725         * dfg/DFGOperations.h:
726         * dfg/DFGSpeculativeJIT.cpp:
727         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
728         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
729         * ftl/FTLLowerDFGToB3.cpp:
730         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
731         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
732         * jit/JITOpcodes.cpp:
733         (JSC::JIT::emit_op_instanceof):
734         (JSC::JIT::emitSlow_op_instanceof):
735         * jit/JITOpcodes32_64.cpp:
736         (JSC::JIT::emit_op_instanceof):
737         (JSC::JIT::emitSlow_op_instanceof):
738         * jit/JITOperations.cpp:
739         * jit/JITOperations.h:
740         * jsc.cpp:
741         (functionCreateProxy):
742         * llint/LLIntSlowPaths.cpp:
743         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
744         * llint/LowLevelInterpreter.asm:
745         * llint/LowLevelInterpreter32_64.asm:
746         * llint/LowLevelInterpreter64.asm:
747         * runtime/ArrayPrototype.cpp:
748         (JSC::speciesConstructArray):
749         * runtime/ClassInfo.h:
750         * runtime/FunctionPrototype.cpp:
751         (JSC::functionProtoFuncBind):
752         * runtime/IntlCollatorPrototype.cpp:
753         (JSC::IntlCollatorPrototypeGetterCompare):
754         * runtime/IntlDateTimeFormatPrototype.cpp:
755         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
756         * runtime/IntlNumberFormatPrototype.cpp:
757         (JSC::IntlNumberFormatPrototypeGetterFormat):
758         * runtime/JSBoundFunction.cpp:
759         (JSC::hasInstanceBoundFunction):
760         (JSC::getBoundFunctionStructure):
761         (JSC::JSBoundFunction::create):
762         * runtime/JSBoundFunction.h:
763         * runtime/JSCJSValue.cpp:
764         (JSC::JSValue::putToPrimitive):
765         * runtime/JSCell.cpp:
766         (JSC::JSCell::setPrototype):
767         (JSC::JSCell::getPrototype):
768         * runtime/JSCell.h:
769         * runtime/JSGlobalObject.cpp:
770         (JSC::JSGlobalObject::init):
771         (JSC::JSGlobalObject::hasLegacyProfiler):
772         (JSC::lastInPrototypeChain):
773         (JSC::JSGlobalObject::objectPrototypeIsSane):
774         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
775         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
776         * runtime/JSGlobalObject.h:
777         (JSC::JSGlobalObject::finishCreation):
778         * runtime/JSGlobalObjectFunctions.cpp:
779         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
780         (JSC::GlobalFuncProtoGetterFunctor::operator()):
781         (JSC::globalFuncProtoGetter):
782         * runtime/JSLexicalEnvironment.cpp:
783         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
784         * runtime/JSObject.cpp:
785         (JSC::JSObject::calculatedClassName):
786         (JSC::JSObject::putInlineSlow):
787         (JSC::JSObject::setPrototypeWithCycleCheck):
788         (JSC::JSObject::setPrototype):
789         (JSC::JSObject::getPrototype):
790         (JSC::JSObject::defaultHasInstance):
791         (JSC::objectPrivateFuncInstanceOf):
792         (JSC::JSObject::getPropertyNames):
793         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
794         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
795         (JSC::JSObject::getGenericPropertyNames):
796         * runtime/JSObject.h:
797         (JSC::JSObject::finishCreation):
798         (JSC::JSObject::JSObject):
799         (JSC::JSObject::getPrototypeDirect):
800         (JSC::JSObject::getPrototype):
801         (JSC::JSObject::getOwnNonIndexPropertySlot):
802         (JSC::JSObject::getPropertySlot):
803         (JSC::JSObject::getNonIndexPropertySlot):
804         (JSC::JSObject::prototype): Deleted.
805         * runtime/JSObjectInlines.h:
806         (JSC::JSObject::canPerformFastPutInline):
807         * runtime/JSProxy.cpp:
808         (JSC::JSProxy::setTarget):
809         * runtime/JSTypedArrayViewConstructor.cpp:
810         (JSC::constructTypedArrayView):
811         * runtime/ObjectConstructor.cpp:
812         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
813         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
814         (JSC::objectConstructorGetPrototypeOf):
815         * runtime/ObjectPrototype.cpp:
816         (JSC::objectProtoFuncIsPrototypeOf):
817         * runtime/ProxyObject.cpp:
818         (JSC::performProxyGet):
819         (JSC::ProxyObject::performSetPrototype):
820         * runtime/StructureInlines.h:
821         (JSC::Structure::isValid):
822         * tests/stress/proxy-has-property.js:
823         (assert.let.h1.has):
824         (assert.let.h2.has):
825         (assert):
826
827 2016-03-06  Commit Queue  <commit-queue@webkit.org>
828
829         Unreviewed, rolling out r197645.
830         https://bugs.webkit.org/show_bug.cgi?id=155097
831
832         "Doesn't build properly when building entire webkit"
833         (Requested by saamyjoon on #webkit).
834
835         Reverted changeset:
836
837         "[[GetPrototypeOf]] should be a fully virtual method in the
838         method table"
839         https://bugs.webkit.org/show_bug.cgi?id=155002
840         http://trac.webkit.org/changeset/197645
841
842 2016-03-06  Saam barati  <sbarati@apple.com>
843
844         [[GetPrototypeOf]] should be a fully virtual method in the method table
845         https://bugs.webkit.org/show_bug.cgi?id=155002
846
847         Reviewed by Filip Pizlo.
848
849         This patch makes us more consistent with how the ES6 specification models the
850         [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
851         is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
852         still allows directly accessing the prototype for situations where this
853         is the desired behavior. This is equivalent to getting the internal
854         [[Prototype]] field as described in the specification. 
855
856         * API/JSObjectRef.cpp:
857         (JSObjectGetPrototype):
858         (JSObjectSetPrototype):
859         * dfg/DFGOperations.cpp:
860         * dfg/DFGOperations.h:
861         * dfg/DFGSpeculativeJIT.cpp:
862         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
863         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
864         * ftl/FTLLowerDFGToB3.cpp:
865         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
866         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
867         * jit/JITOpcodes.cpp:
868         (JSC::JIT::emit_op_instanceof):
869         (JSC::JIT::emitSlow_op_instanceof):
870         * jit/JITOpcodes32_64.cpp:
871         (JSC::JIT::emit_op_instanceof):
872         (JSC::JIT::emitSlow_op_instanceof):
873         * jit/JITOperations.cpp:
874         * jit/JITOperations.h:
875         * jsc.cpp:
876         (functionCreateProxy):
877         * llint/LLIntSlowPaths.cpp:
878         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
879         * llint/LowLevelInterpreter.asm:
880         * llint/LowLevelInterpreter32_64.asm:
881         * llint/LowLevelInterpreter64.asm:
882         * runtime/ArrayPrototype.cpp:
883         (JSC::speciesConstructArray):
884         * runtime/ClassInfo.h:
885         * runtime/FunctionPrototype.cpp:
886         (JSC::functionProtoFuncBind):
887         * runtime/IntlCollatorPrototype.cpp:
888         (JSC::IntlCollatorPrototypeGetterCompare):
889         * runtime/IntlDateTimeFormatPrototype.cpp:
890         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
891         * runtime/IntlNumberFormatPrototype.cpp:
892         (JSC::IntlNumberFormatPrototypeGetterFormat):
893         * runtime/JSBoundFunction.cpp:
894         (JSC::hasInstanceBoundFunction):
895         (JSC::getBoundFunctionStructure):
896         (JSC::JSBoundFunction::create):
897         * runtime/JSBoundFunction.h:
898         * runtime/JSCJSValue.cpp:
899         (JSC::JSValue::putToPrimitive):
900         * runtime/JSCell.cpp:
901         (JSC::JSCell::setPrototype):
902         (JSC::JSCell::getPrototype):
903         * runtime/JSCell.h:
904         * runtime/JSGlobalObject.cpp:
905         (JSC::JSGlobalObject::init):
906         (JSC::JSGlobalObject::hasLegacyProfiler):
907         (JSC::lastInPrototypeChain):
908         (JSC::JSGlobalObject::objectPrototypeIsSane):
909         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
910         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
911         * runtime/JSGlobalObject.h:
912         (JSC::JSGlobalObject::finishCreation):
913         * runtime/JSGlobalObjectFunctions.cpp:
914         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
915         (JSC::GlobalFuncProtoGetterFunctor::operator()):
916         (JSC::globalFuncProtoGetter):
917         * runtime/JSLexicalEnvironment.cpp:
918         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
919         * runtime/JSObject.cpp:
920         (JSC::JSObject::calculatedClassName):
921         (JSC::JSObject::putInlineSlow):
922         (JSC::JSObject::setPrototypeWithCycleCheck):
923         (JSC::JSObject::setPrototype):
924         (JSC::JSObject::getPrototype):
925         (JSC::JSObject::defaultHasInstance):
926         (JSC::objectPrivateFuncInstanceOf):
927         (JSC::JSObject::getPropertyNames):
928         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
929         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
930         (JSC::JSObject::getGenericPropertyNames):
931         * runtime/JSObject.h:
932         (JSC::JSObject::finishCreation):
933         (JSC::JSObject::JSObject):
934         (JSC::JSObject::getPrototypeDirect):
935         (JSC::JSObject::getPrototype):
936         (JSC::JSObject::getOwnNonIndexPropertySlot):
937         (JSC::JSObject::getPropertySlot):
938         (JSC::JSObject::getNonIndexPropertySlot):
939         (JSC::JSObject::prototype): Deleted.
940         * runtime/JSObjectInlines.h:
941         (JSC::JSObject::canPerformFastPutInline):
942         * runtime/JSProxy.cpp:
943         (JSC::JSProxy::setTarget):
944         * runtime/JSTypedArrayViewConstructor.cpp:
945         (JSC::constructTypedArrayView):
946         * runtime/ObjectConstructor.cpp:
947         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
948         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
949         (JSC::objectConstructorGetPrototypeOf):
950         * runtime/ObjectPrototype.cpp:
951         (JSC::objectProtoFuncIsPrototypeOf):
952         * runtime/ProxyObject.cpp:
953         (JSC::performProxyGet):
954         (JSC::ProxyObject::performSetPrototype):
955         * runtime/StructureInlines.h:
956         (JSC::Structure::isValid):
957         * tests/stress/proxy-has-property.js:
958         (assert.let.h1.has):
959         (assert.let.h2.has):
960         (assert):
961
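        The two [[GetPrototypeOf]] entries above describe making the operation virtual so a Proxy
        can answer it. The following JavaScript is an added example, not part of this ChangeLog or of
        WebKit, showing the ES6 behaviour that such an engine has to honour: an ordinary object's
        prototype is its internal [[Prototype]], a Proxy's is whatever its getPrototypeOf trap returns,
        instanceof goes through the same virtual method, and the trap is only allowed to disagree with
        the target while the target is extensible. Class names Base and Fake are the example's own.

```javascript
'use strict';

// true when fn() throws a TypeError, false when it completes normally.
function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// Ordinary object: every observer of the prototype (Object.getPrototypeOf,
// __proto__, instanceof) sees the same internal [[Prototype]] slot.
function ordinaryObjectPrototype() {
  class Base {}
  const obj = new Base();
  return {
    viaGetPrototypeOf: Object.getPrototypeOf(obj) === Base.prototype,
    viaDunderProto: obj.__proto__ === Base.prototype,
    viaInstanceof: obj instanceof Base,
  };
}

// Proxy: [[GetPrototypeOf]] is dispatched to the handler, so the reported
// prototype can differ from the target's real [[Prototype]]. instanceof
// walks the chain through the same virtual method, which is why it must
// not shortcut to the internal slot.
function proxyPrototypeTrap() {
  class Base {}
  class Fake {}
  const target = new Base();
  let trapCalls = 0;
  const proxy = new Proxy(target, {
    getPrototypeOf() { trapCalls += 1; return Fake.prototype; },
  });
  const reported = Object.getPrototypeOf(proxy) === Fake.prototype; // 1 trap call
  const instanceofFake = proxy instanceof Fake;                      // 1 trap call
  const instanceofBase = proxy instanceof Base;                      // 1 trap call
  return {
    reported,
    instanceofFake,
    instanceofBase,
    targetUntouched: Object.getPrototypeOf(target) === Base.prototype,
    trapCalls,
  };
}

// Invariant: once the target is non-extensible the trap must report the
// target's actual prototype, otherwise the engine throws a TypeError. This
// is what stops a virtual [[GetPrototypeOf]] from lying about a frozen
// object's chain.
function proxyInvariantOnNonExtensibleTarget() {
  class Base {}
  class Fake {}
  const target = Object.preventExtensions(new Base());
  const lying = new Proxy(target, { getPrototypeOf() { return Fake.prototype; } });
  const honest = new Proxy(target, { getPrototypeOf(t) { return Object.getPrototypeOf(t); } });
  return {
    lyingThrows: throwsTypeError(() => Object.getPrototypeOf(lying)),
    honestOk: Object.getPrototypeOf(honest) === Base.prototype,
  };
}

console.log(ordinaryObjectPrototype(), proxyPrototypeTrap(), proxyInvariantOnNonExtensibleTarget());
```

        Run it with any ES6-capable shell (jsc or node). The trapCalls count is three because each of
        Object.getPrototypeOf and the two instanceof checks consults the proxy exactly once before
        continuing up an ordinary chain.
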
962 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
963
964         RegExpMatchesArray doesn't know how to have a bad time
965         https://bugs.webkit.org/show_bug.cgi?id=155069
966
967         Reviewed by Yusuke Suzuki.
968
969         In trunk if we are having a bad time, the regexp matches array is still allocated with a
970         non-slow-put indexing shape, which makes it have the wrong behavior on indexed setters on
971         the prototype chain.
972
973         Getting this to work right requires introducing bad time code paths into the regexp matches
974         array. It also requires something more drastic: making this code not play games with the
975         global object. The code that creates the matches array needs to have the actual global
976         object of the regexp native function that it's logically created by.
977
978         This is totally different from how we've handled global objects in the past because it means
979         that the global object is not a constant. Normally we can make it a constant because a
980         script executable will know its global object. But with native functions, it's the function
981         instance that knows the global object - not the native executable. When we inline a native
982         intrinsic, we are guaranteed to know the native executable but we're not guaranteed to know
983         the function instance. This means that the global object may be a variable that gets computed
984         by looking at the instance at run-time. So, the RegExpExec/RegExpTest nodes in DFG IR now
985         take a global object child. That also meant adding a new node type, GetGlobalObject, which
986         does the thing to the callee that CallFrame::lexicalGlobalObject() would have done.
987         Eventually, we'll probably have to make other native intrinsics also use GetGlobalObject. It
988         turns out that this really isn't so bad because usually it's constant-folded anyway, since
989         although the intrinsic code supports executable-based inlining (which leaves the callee
990         instance as an unknown), it happens rarely for intrinsics. So, conveying the global object
991         via a child isn't any worse than conveying it via meta-data, and it's probably better than
992         telling the inliner not to do executable-based inlining of native intrinsics. That would
993         have been a confusing special-case.
994
995         This is perf-neutral on my machines but it fixes a bug and it unlocks some interesting
996         possibilities. For example, RegExpExec can now make a firm promise about the type of array
997         it's creating.
998
999         This also contains some other changes:
1000         
1001         - We are now using Structure::addPropertyTransition() in a lot of places even though it was
1002           meant to be an internal method with a quirky contract - for example it only works if you
1003           know that there is no existing transition. This relaxes this constraint.
1004         
1005         - Restores the use of "*" for heap references in JSString.h. It's very unusual to have heap
1006           references pointed at with "&", since we don't currently do that anywhere. The fact that
1007           it was using the wrong reference type also meant that the code couldn't elegantly make use
1008           of some of our GC pointer helpers like jsCast<>.
1009
1010         * dfg/DFGAbstractInterpreterInlines.h:
1011         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1012         * dfg/DFGByteCodeParser.cpp:
1013         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1014         (JSC::DFG::ByteCodeParser::handleMinMax):
1015         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1016         * dfg/DFGClobberize.h:
1017         (JSC::DFG::clobberize):
1018         * dfg/DFGDoesGC.cpp:
1019         (JSC::DFG::doesGC):
1020         * dfg/DFGFixupPhase.cpp:
1021         (JSC::DFG::FixupPhase::fixupNode):
1022         * dfg/DFGNodeType.h:
1023         * dfg/DFGOperations.cpp:
1024         * dfg/DFGOperations.h:
1025         * dfg/DFGPredictionPropagationPhase.cpp:
1026         (JSC::DFG::PredictionPropagationPhase::propagate):
1027         * dfg/DFGSafeToExecute.h:
1028         (JSC::DFG::safeToExecute):
1029         * dfg/DFGSpeculativeJIT.cpp:
1030         (JSC::DFG::SpeculativeJIT::compileSkipScope):
1031         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
1032         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1033         * dfg/DFGSpeculativeJIT.h:
1034         (JSC::DFG::SpeculativeJIT::callOperation):
1035         * dfg/DFGSpeculativeJIT32_64.cpp:
1036         (JSC::DFG::SpeculativeJIT::compile):
1037         * dfg/DFGSpeculativeJIT64.cpp:
1038         (JSC::DFG::SpeculativeJIT::compile):
1039         * ftl/FTLCapabilities.cpp:
1040         (JSC::FTL::canCompile):
1041         * ftl/FTLLowerDFGToB3.cpp:
1042         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1043         (JSC::FTL::DFG::LowerDFGToB3::compileSkipScope):
1044         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalObject):
1045         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
1046         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
1047         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
1048         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1049         * jit/JITOperations.h:
1050         * runtime/JSGlobalObject.cpp:
1051         (JSC::JSGlobalObject::init):
1052         (JSC::JSGlobalObject::haveABadTime):
1053         (JSC::JSGlobalObject::visitChildren):
1054         * runtime/JSGlobalObject.h:
1055         * runtime/JSObject.h:
1056         (JSC::JSObject::putDirectInternal):
1057         * runtime/JSString.h:
1058         (JSC::jsString):
1059         (JSC::jsSubstring):
1060         * runtime/RegExpCachedResult.cpp:
1061         (JSC::RegExpCachedResult::lastResult):
1062         * runtime/RegExpMatchesArray.cpp:
1063         (JSC::tryCreateUninitializedRegExpMatchesArray):
1064         (JSC::createRegExpMatchesArray):
1065         (JSC::createStructureImpl):
1066         (JSC::createRegExpMatchesArrayStructure):
1067         (JSC::createRegExpMatchesArraySlowPutStructure):
1068         * runtime/RegExpMatchesArray.h:
1069         * runtime/RegExpObject.cpp:
1070         (JSC::RegExpObject::put):
1071         (JSC::RegExpObject::exec):
1072         (JSC::RegExpObject::match):
1073         * runtime/RegExpObject.h:
1074         (JSC::RegExpObject::getLastIndex):
1075         (JSC::RegExpObject::test):
1076         * runtime/RegExpPrototype.cpp:
1077         (JSC::regExpProtoFuncTest):
1078         (JSC::regExpProtoFuncExec):
1079         (JSC::regExpProtoFuncCompile):
1080         * runtime/StringPrototype.cpp:
1081         (JSC::stringProtoFuncMatch):
1082         * runtime/Structure.cpp:
1083         (JSC::Structure::suggestedArrayStorageTransition):
1084         (JSC::Structure::addPropertyTransition):
1085         (JSC::Structure::addNewPropertyTransition):
1086         * runtime/Structure.h:
1087         * tests/stress/regexp-matches-array-bad-time.js: Added.
1088         * tests/stress/regexp-matches-array-slow-put.js: Added.
1089
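        The entry above concerns the regexp matches array "having a bad time", i.e. behaving like any
        other array once an indexed setter appears on the prototype chain. The following JavaScript is
        an added example, not part of this ChangeLog or of WebKit, that pins down the observable
        contract: element creation by exec() does not invoke such a setter, but a later store into a
        hole of the matches array must invoke it, exactly as a plain array literal would. The helper
        withIndexedSetterOnArrayPrototype and the index 10 are the example's own choices.

```javascript
'use strict';

// Install an indexed accessor on Array.prototype for the duration of fn().
// From then on any array element store that lands on a hole must consult
// the prototype chain instead of writing straight into the backing store;
// that is the condition JSC calls "having a bad time". The accessor is
// removed in finally so later code sees a clean Array.prototype.
function withIndexedSetterOnArrayPrototype(index, fn) {
  const calls = [];
  Object.defineProperty(Array.prototype, index, {
    configurable: true,
    set(value) { calls.push({ receiver: this, value }); },
  });
  try {
    return fn(calls);
  } finally {
    delete Array.prototype[index];
  }
}

// exec() defines its elements as own data properties (CreateDataProperty),
// so a setter sitting at the same index on the prototype chain must not
// fire, and the capture must be readable back as an own property.
function matchesArrayCreationIgnoresSetter() {
  return withIndexedSetterOnArrayPrototype(10, (calls) => {
    // Whole match + 10 capture groups = 11 elements, indices 0..10.
    const m = /(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)/.exec('abcdefghij');
    return {
      isArray: Array.isArray(m),
      length: m.length,
      tenth: m[10],
      ownTenth: Object.prototype.hasOwnProperty.call(m, 10),
      setterCalls: calls.length,
    };
  });
}

// A store into a hole: [[Set]] finds no own property, walks to
// Array.prototype, and invokes the setter with the array as receiver
// instead of creating an element, so length stays unchanged.
function holeStoreHitsSetter(makeArray) {
  return withIndexedSetterOnArrayPrototype(10, (calls) => {
    const a = makeArray();          // two elements, indices 0 and 1
    a[10] = 'payload';
    return {
      setterCalls: calls.length,
      receiverIsArray: calls.length === 1 && calls[0].receiver === a,
      value: calls.length === 1 ? calls[0].value : undefined,
      ownTenth: Object.prototype.hasOwnProperty.call(a, 10),
      length: a.length,
    };
  });
}

function matchesArrayHoleStore() {
  return holeStoreHitsSetter(() => /(x)/.exec('x'));
}

function plainArrayHoleStore() {
  return holeStoreHitsSetter(() => ['x', 'x']);
}

// Identical observable behaviour from both array kinds is the property the
// bad-time code paths exist to guarantee.
function matchesArrayBehavesLikePlainArray() {
  return JSON.stringify(matchesArrayHoleStore()) === JSON.stringify(plainArrayHoleStore());
}

console.log(matchesArrayCreationIgnoresSetter(), matchesArrayHoleStore(), matchesArrayBehavesLikePlainArray());
```

        An engine that kept the matches array in a non-slow-put indexing shape would write 'payload'
        straight into the element storage in matchesArrayHoleStore(), never calling the setter and
        growing the array, which is the divergence the tests added by this patch guard against.
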
1090 2016-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1091
1092         [JSC] RegExp#lastIndex should handle writable attribute when defining in defineOwnProperty path
1093         https://bugs.webkit.org/show_bug.cgi?id=155093
1094
1095         Reviewed by Filip Pizlo.
1096
1097         Before this patch, `setLastIndex(ExecState* exec, size_t lastIndex)` always overwrote the existing value
1098         regardless of the writable attribute.
1099         And when defining RegExp#lastIndex in defineOwnProperty, we need to define the value first
1100         before making the attribute readonly. After changing the writable attribute, we cannot define the value.
1101
1102         * runtime/RegExpObject.cpp:
1103         (JSC::RegExpObject::defineOwnProperty):
1104         * runtime/RegExpObject.h:
1105         (JSC::RegExpObject::setLastIndex):
1106         * tests/stress/regexp-last-index-writable.js: Added.
1107         (shouldBe):
1108         (shouldThrow):
1109         (regExpLastIndex):
1110
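        The entry above fixes two things: setLastIndex must honour a non-writable lastIndex, and a
        single defineOwnProperty carrying both a value and writable:false must store the value before
        flipping the attribute. The following JavaScript is an added example, not part of this
        ChangeLog or of WebKit, that exercises both from script; the function names are the example's
        own.

```javascript
'use strict';

// true when fn() throws a TypeError, false when it completes normally.
function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// One defineOwnProperty call carrying both a value and writable:false.
// The engine has to store the value before it flips the attribute; doing
// it the other way round would leave lastIndex read-only with the old value.
function defineReadOnlyLastIndex(re, value) {
  Object.defineProperty(re, 'lastIndex', { value, writable: false });
  return Object.getOwnPropertyDescriptor(re, 'lastIndex');
}

function readOnlyLastIndexScenarios() {
  const re = /b/g;
  const desc = defineReadOnlyLastIndex(re, 1);
  const r = {};

  // The value landed and the property is now non-writable; lastIndex is
  // non-configurable and non-enumerable by definition.
  r.descriptor = desc.value === 1 && desc.writable === false
    && desc.configurable === false && desc.enumerable === false;

  // Redefining a non-writable, non-configurable property with a different
  // value is rejected; the same value is allowed (SameValue check).
  r.redefineDifferentValueThrows = throwsTypeError(() =>
    Object.defineProperty(re, 'lastIndex', { value: 5 }));
  r.redefineSameValueOk = !throwsTypeError(() =>
    Object.defineProperty(re, 'lastIndex', { value: 1 }));

  // Plain assignment in strict mode throws and leaves the value alone.
  r.strictAssignThrows = throwsTypeError(() => { re.lastIndex = 7; });
  r.valueUnchanged = re.lastIndex === 1;

  // A global regexp writes lastIndex after every exec (end index on success,
  // 0 on failure), so exec itself must throw once lastIndex is read-only.
  r.globalExecThrows = throwsTypeError(() => re.exec('abba'));

  // A non-global, non-sticky regexp never writes lastIndex, so the same
  // read-only property does not get in the way of matching.
  const plain = /b/;
  defineReadOnlyLastIndex(plain, 0);
  const m = plain.exec('abba');
  r.nonGlobalExecOk = m !== null && m.index === 1 && plain.lastIndex === 0;

  // writable:false without a value keeps whatever lastIndex already held.
  const keep = /x/g;
  keep.lastIndex = 4;
  Object.defineProperty(keep, 'lastIndex', { writable: false });
  r.writableOnlyKeepsValue = keep.lastIndex === 4;

  return r;
}

console.log(readOnlyLastIndexScenarios());
```

        Every field of the returned object is true on a conforming engine. An engine with the bug
        described above would report descriptor as false (value not stored before the attribute
        changed) or globalExecThrows as false (setLastIndex silently overwriting the read-only slot).
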
1111 2016-03-05  Filip Pizlo  <fpizlo@apple.com>
1112
1113         The most aggressive form of RegExpTest/RegExpExec should speculate more aggressively than just cell
1114         https://bugs.webkit.org/show_bug.cgi?id=154900
1115
1116         Reviewed by Saam Barati.
1117
1118         These old operations used to speculate cell. That's what they did when they were first
1119         introduced. That was probably about as good as they could do back then because we didn't have
1120         very powerful checks. Now we have powerful checks, so we can do this right.
1121
1122         The most profitable thing to check is that child1 is a RegExpObject and child2 is a JSString.
1123         Sometimes though, we will not know what child2 is even though we know that child1 is a
1124         RegExpObject. So, this patch means that RegExpExec/RegExpTest have the following overloads:
1125
1126             RegExpExec(RegExpObject:, String:)
1127             RegExpExec(RegExpObject:, Untyped:)
1128             RegExpExec(Untyped:, Untyped:)
1129
1130         This shaves off some type checks in Octane/regexp. It also cleans up some problems in our
1131         modeling of the effectfulness of these operations.
1132
1133         * dfg/DFGAbstractInterpreterInlines.h:
1134         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1135         * dfg/DFGClobberize.h:
1136         (JSC::DFG::clobberize):
1137         * dfg/DFGFixupPhase.cpp:
1138         (JSC::DFG::FixupPhase::fixupNode):
1139         * dfg/DFGOperations.cpp:
1140         * dfg/DFGOperations.h:
1141         * dfg/DFGSpeculativeJIT.h:
1142         (JSC::DFG::SpeculativeJIT::callOperation):
1143         * dfg/DFGSpeculativeJIT32_64.cpp:
1144         (JSC::DFG::SpeculativeJIT::compile):
1145         * dfg/DFGSpeculativeJIT64.cpp:
1146         (JSC::DFG::SpeculativeJIT::compile):
1147         * ftl/FTLLowerDFGToB3.cpp:
1148         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
1149         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
1150         * jit/JITOperations.h:
1151
1152 2016-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1153
1154         [ES6] Support Reflect.construct
1155         https://bugs.webkit.org/show_bug.cgi?id=147330
1156
1157         Reviewed by Saam Barati.
1158
1159         Based on Saam's r196868, this patch adds support for Reflect.construct.
1160         This patch implements OrdinaryCreateFromConstructor[1] for fallback cases.
1161         This path is rarely taken. For example,
1162
1163             Reflect.construct(function () { }, [], Map);
1164
1165         In this case, the `new.target` becomes `Map`.
1166         So we should create an object whose `__proto__` is `Map.prototype`.
1167
1168         And to allow forward declaration (and encourage strong type checking), we change
1169         ConstructType, CallType to C++11 enum class.
1170
1171         [1]: http://ecma-international.org/ecma-262/6.0/#sec-ordinarycreatefromconstructor
1172
1173         * API/JSCallbackConstructor.cpp:
1174         (JSC::JSCallbackConstructor::getConstructData):
1175         * API/JSCallbackFunction.cpp:
1176         (JSC::JSCallbackFunction::getCallData):
1177         * API/JSCallbackObjectFunctions.h:
1178         (JSC::JSCallbackObject<Parent>::getConstructData):
1179         (JSC::JSCallbackObject<Parent>::getCallData):
1180         * API/JSObjectRef.cpp:
1181         (JSObjectIsFunction):
1182         (JSObjectCallAsFunction):
1183         (JSObjectIsConstructor):
1184         (JSObjectCallAsConstructor):
1185         * API/ObjCCallbackFunction.mm:
1186         (JSC::ObjCCallbackFunction::getCallData):
1187         (JSC::ObjCCallbackFunction::getConstructData):
1188         * bindings/ScriptFunctionCall.cpp:
1189         (Deprecated::ScriptFunctionCall::call):
1190         * bindings/ScriptValue.cpp:
1191         (Deprecated::ScriptValue::isFunction):
1192         * builtins/ReflectObject.js:
1193         * dfg/DFGOperations.cpp:
1194         * inspector/InjectedScriptManager.cpp:
1195         (Inspector::InjectedScriptManager::createInjectedScript):
1196         * interpreter/Interpreter.cpp:
1197         (JSC::sizeOfVarargs):
1198         (JSC::Interpreter::execute):
1199         (JSC::Interpreter::executeCall):
1200         (JSC::Interpreter::executeConstruct):
1201         * jit/JITOperations.cpp:
1202         * llint/LLIntSlowPaths.cpp:
1203         (JSC::LLInt::handleHostCall):
1204         * runtime/ArrayConstructor.cpp:
1205         (JSC::ArrayConstructor::getConstructData):
1206         (JSC::ArrayConstructor::getCallData):
1207         * runtime/ArrayPrototype.cpp:
1208         (JSC::arrayProtoFuncToString):
1209         (JSC::arrayProtoFuncToLocaleString):
1210         (JSC::getLength): Deleted.
1211         * runtime/BooleanConstructor.cpp:
1212         (JSC::BooleanConstructor::getConstructData):
1213         (JSC::BooleanConstructor::getCallData):
1214         * runtime/CallData.cpp:
1215         (JSC::call):
1216         * runtime/CallData.h:
1217         * runtime/CommonSlowPaths.cpp:
1218         (JSC::SLOW_PATH_DECL):
1219         * runtime/ConstructData.cpp:
1220         (JSC::construct):
1221         * runtime/ConstructData.h:
1222         * runtime/DateConstructor.cpp:
1223         (JSC::DateConstructor::getConstructData):
1224         (JSC::DateConstructor::getCallData):
1225         * runtime/DatePrototype.cpp:
1226         (JSC::dateProtoFuncToJSON):
1227         * runtime/Error.h:
1228         (JSC::StrictModeTypeErrorFunction::getConstructData):
1229         (JSC::StrictModeTypeErrorFunction::getCallData):
1230         * runtime/ErrorConstructor.cpp:
1231         (JSC::ErrorConstructor::getConstructData):
1232         (JSC::ErrorConstructor::getCallData):
1233         * runtime/ExceptionHelpers.cpp:
1234         (JSC::errorDescriptionForValue):
1235         * runtime/FunctionConstructor.cpp:
1236         (JSC::FunctionConstructor::getConstructData):
1237         (JSC::FunctionConstructor::getCallData):
1238         * runtime/FunctionPrototype.cpp:
1239         (JSC::FunctionPrototype::getCallData):
1240         (JSC::functionProtoFuncToString):
1241         (JSC::functionProtoFuncBind):
1242         * runtime/GeneratorFunctionConstructor.cpp:
1243         (JSC::GeneratorFunctionConstructor::getCallData):
1244         (JSC::GeneratorFunctionConstructor::getConstructData):
1245         * runtime/InternalFunction.cpp:
1246         (JSC::InternalFunction::getCallData):
1247         * runtime/IntlCollatorConstructor.cpp:
1248         (JSC::IntlCollatorConstructor::getConstructData):
1249         (JSC::IntlCollatorConstructor::getCallData):
1250         * runtime/IntlDateTimeFormatConstructor.cpp:
1251         (JSC::IntlDateTimeFormatConstructor::getConstructData):
1252         (JSC::IntlDateTimeFormatConstructor::getCallData):
1253         * runtime/IntlNumberFormatConstructor.cpp:
1254         (JSC::IntlNumberFormatConstructor::getConstructData):
1255         (JSC::IntlNumberFormatConstructor::getCallData):
1256         * runtime/IteratorOperations.cpp:
1257         (JSC::iteratorNext):
1258         (JSC::iteratorClose):
1259         * runtime/JSArray.h:
1260         (JSC::getLength):
1261         * runtime/JSArrayBufferConstructor.cpp:
1262         (JSC::JSArrayBufferConstructor::getConstructData):
1263         (JSC::JSArrayBufferConstructor::getCallData):
1264         * runtime/JSBoundFunction.cpp:
1265         (JSC::boundFunctionCall):
1266         (JSC::boundFunctionConstruct):
1267         (JSC::JSBoundFunction::create):
1268         * runtime/JSCJSValue.h:
1269         * runtime/JSCJSValueInlines.h:
1270         (JSC::JSValue::isFunction):
1271         (JSC::JSValue::isConstructor):
1272         * runtime/JSCell.cpp:
1273         (JSC::JSCell::getCallData):
1274         (JSC::JSCell::getConstructData):
1275         * runtime/JSFunction.cpp:
1276         (JSC::JSFunction::getCallData):
1277         (JSC::JSFunction::getConstructData):
1278         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1279         (JSC::constructGenericTypedArrayViewWithArguments):
1280         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData):
1281         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
1282         * runtime/JSInternalPromise.cpp:
1283         (JSC::JSInternalPromise::then):
1284         * runtime/JSInternalPromiseConstructor.cpp:
1285         (JSC::JSInternalPromiseConstructor::getConstructData):
1286         (JSC::JSInternalPromiseConstructor::getCallData):
1287         * runtime/JSJob.cpp:
1288         (JSC::JSJobMicrotask::run):
1289         * runtime/JSONObject.cpp:
1290         (JSC::Stringifier::Stringifier):
1291         (JSC::Stringifier::toJSONImpl):
1292         (JSC::Stringifier::appendStringifiedValue):
1293         (JSC::JSONProtoFuncParse):
1294         * runtime/JSObject.cpp:
1295         (JSC::callToPrimitiveFunction):
1296         (JSC::JSObject::hasInstance):
1297         (JSC::JSObject::getMethod):
1298         * runtime/JSObject.h:
1299         (JSC::getCallData):
1300         (JSC::getConstructData):
1301         * runtime/JSPromise.cpp:
1302         (JSC::JSPromise::initialize):
1303         * runtime/JSPromiseConstructor.cpp:
1304         (JSC::JSPromiseConstructor::getConstructData):
1305         (JSC::JSPromiseConstructor::getCallData):
1306         * runtime/JSPromiseDeferred.cpp:
1307         (JSC::newPromiseCapability):
1308         (JSC::callFunction):
1309         * runtime/JSTypedArrayViewConstructor.cpp:
1310         (JSC::constructTypedArrayView):
1311         (JSC::JSTypedArrayViewConstructor::getConstructData):
1312         (JSC::JSTypedArrayViewConstructor::getCallData):
1313         * runtime/MapConstructor.cpp:
1314         (JSC::constructMap):
1315         (JSC::MapConstructor::getConstructData):
1316         (JSC::MapConstructor::getCallData):
1317         * runtime/ModuleLoaderObject.cpp:
1318         (JSC::ModuleLoaderObject::provide):
1319         (JSC::ModuleLoaderObject::loadAndEvaluateModule):
1320         (JSC::ModuleLoaderObject::loadModule):
1321         (JSC::ModuleLoaderObject::linkAndEvaluateModule):
1322         * runtime/NativeErrorConstructor.cpp:
1323         (JSC::NativeErrorConstructor::getConstructData):
1324         (JSC::NativeErrorConstructor::getCallData):
1325         * runtime/NullGetterFunction.cpp:
1326         (JSC::NullGetterFunction::getCallData):
1327         (JSC::NullGetterFunction::getConstructData):
1328         * runtime/NullSetterFunction.cpp:
1329         (JSC::NullSetterFunction::getCallData):
1330         (JSC::NullSetterFunction::getConstructData):
1331         * runtime/NumberConstructor.cpp:
1332         (JSC::NumberConstructor::getConstructData):
1333         (JSC::NumberConstructor::getCallData):
1334         * runtime/ObjectConstructor.cpp:
1335         (JSC::ObjectConstructor::getConstructData):
1336         (JSC::ObjectConstructor::getCallData):
1337         (JSC::toPropertyDescriptor):
1338         * runtime/ObjectPrototype.cpp:
1339         (JSC::objectProtoFuncDefineGetter):
1340         (JSC::objectProtoFuncDefineSetter):
1341         (JSC::objectProtoFuncToLocaleString):
1342         * runtime/Operations.cpp:
1343         (JSC::jsTypeStringForValue):
1344         (JSC::jsIsObjectTypeOrNull):
1345         (JSC::jsIsFunctionType):
1346         * runtime/ProxyConstructor.cpp:
1347         (JSC::ProxyConstructor::getConstructData):
1348         (JSC::ProxyConstructor::getCallData):
1349         * runtime/ProxyObject.cpp:
1350         (JSC::ProxyObject::finishCreation):
1351         (JSC::performProxyCall):
1352         (JSC::ProxyObject::getCallData):
1353         (JSC::performProxyConstruct):
1354         (JSC::ProxyObject::getConstructData):
1355         * runtime/ReflectObject.cpp:
1356         (JSC::reflectObjectConstruct):
1357         * runtime/RegExpConstructor.cpp:
1358         (JSC::RegExpConstructor::getConstructData):
1359         (JSC::RegExpConstructor::getCallData):
1360         * runtime/RuntimeType.h:
1361         * runtime/SamplingProfiler.cpp:
1362         (JSC::SamplingProfiler::processUnverifiedStackTraces):
1363         * runtime/SetConstructor.cpp:
1364         (JSC::constructSet):
1365         (JSC::SetConstructor::getConstructData):
1366         (JSC::SetConstructor::getCallData):
1367         * runtime/StringConstructor.cpp:
1368         (JSC::StringConstructor::getConstructData):
1369         (JSC::StringConstructor::getCallData):
1370         * runtime/StringPrototype.cpp:
1371         (JSC::replaceUsingRegExpSearch):
1372         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1373         (JSC::operationStringProtoFuncReplaceRegExpString):
1374         (JSC::replaceUsingStringSearch):
1375         * runtime/SymbolConstructor.cpp:
1376         (JSC::SymbolConstructor::getConstructData):
1377         (JSC::SymbolConstructor::getCallData):
1378         * runtime/WeakMapConstructor.cpp:
1379         (JSC::constructWeakMap):
1380         (JSC::WeakMapConstructor::getConstructData):
1381         (JSC::WeakMapConstructor::getCallData):
1382         * runtime/WeakSetConstructor.cpp:
1383         (JSC::constructWeakSet):
1384         (JSC::WeakSetConstructor::getConstructData):
1385         (JSC::WeakSetConstructor::getCallData):
1386         * tests/es6.yaml:
1387         * tests/stress/reflect-construct.js: Added.
1388         (shouldBe):
1389         (shouldThrow):
1390         (shouldThrow.array.get length):
1391         (shouldThrow.array.get 0):
1392         (array.get length):
1393         (array.get 0):
1394         (shouldBe.Reflect.construct):
1395         (shouldBe.Reflect.construct.Hello):
1396         (3.shouldBe.Reflect.construct.Hello):
1397         (3.newTarget):
1398         (0.shouldBe.Reflect.construct):
1399         (shouldBe.A):
1400         (shouldBe.B):
1401         (nativeConstructorTest.DerivedMap):
1402         (nativeConstructorTest.FailedMap):
1403         (set noInline):
1404
1405 2016-03-04  Andreas Kling  <akling@apple.com>
1406
1407         [iOS] Throw away compiled RegExp code when navigating to a new page.
1408         <https://webkit.org/b/155015>
1409
1410         Reviewed by Anders Carlsson.
1411
1412         Add a mechanism to have the VM discard all RegExp bytecode and JIT code.
1413
1414         * runtime/VM.cpp:
1415         (JSC::VM::deleteAllRegExpCode):
1416         * runtime/VM.h:
1417
1418 2016-03-04  David Kilzer  <ddkilzer@apple.com>
1419
1420         REGRESSION (r197531): JavaScriptCore ASan build fails due to weak external symbol
1421         <http://webkit.org/b/155033>
1422         <rdar://problem/24979661>
1423
1424         Reviewed by Alexey Proskuryakov.
1425
1426         * runtime/JSObject.cpp:
1427         (JSC::JSObject::ordinaryToPrimitive): Don't mark this method
1428         inline since it's also used in DatePrototype.cpp, and is
1429         declared as a public class method.
1430         * runtime/JSObject.h:
1431         (JSC::JSObject::ordinaryToPrimitive): Don't export this method
1432         since it is not used outside of JavaScriptCore.
1433
1434 2016-03-04  Alex Christensen  <achristensen@webkit.org>
1435
1436         Remove vcxproj build system
1437         https://bugs.webkit.org/show_bug.cgi?id=154388
1438
1439         Rubber-stamped by Brent Fulgham.
1440
1441         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Removed.
1442         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Removed.
1443         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Removed.
1444         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Removed.
1445         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Removed.
1446         * JavaScriptCore.vcxproj/JavaScriptCoreCFLite.props: Removed.
1447         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Removed.
1448         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Removed.
1449         * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Removed.
1450         * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: Removed.
1451         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Removed.
1452         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Removed.
1453         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Removed.
1454         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Removed.
1455         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Removed.
1456         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: Removed.
1457         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Removed.
1458         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Removed.
1459         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Removed.
1460         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Removed.
1461         * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: Removed.
1462         * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Removed.
1463         * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: Removed.
1464         * JavaScriptCore.vcxproj/build-generated-files.pl: Removed.
1465         * JavaScriptCore.vcxproj/copy-files.cmd: Removed.
1466
1467 2016-03-04  Chris Dumez  <cdumez@apple.com>
1468
1469         Location.reload should not be writable
1470         https://bugs.webkit.org/show_bug.cgi?id=154989
1471
1472         Reviewed by Gavin Barraclough.
1473
1474         After r196770, operations marked as [Unforgeable] in the IDL (such as
1475         Location.reload) are correctly reported as not writable by
1476         Object.getOwnPropertyDescriptor(). Trying to set such a property in JS
1477         is correctly ignored (or throws in strict mode) if the object has
1478         previously been reified. However, due to a bug in putEntry(), it was
1479         still possible to override the property if the object was not reified
1480         yet. This patch fixes the issue by checking in putEntry() that entries
1481         that are functions are not ReadOnly before calling putDirect().
1482
1483         * runtime/Lookup.h:
1484         (JSC::putEntry):
1485
1486 2016-03-04  Skachkov Oleksandr  <gskachkov@gmail.com>
1487
1488         [ES6] Arrow function syntax. Lexical bind "super" inside of the arrow function in generator.
1489         https://bugs.webkit.org/show_bug.cgi?id=152575
1490
1491         Reviewed by Yusuke Suzuki.
1492
1493         Added support for 'SuperProperty' in arrow functions within a generator
1494         method of a class. Before this patch the parser did not recognize that the current
1495         arrow function is declared inside the generator and raised a SyntaxError.
1496
1497         * parser/Parser.cpp:
1498         (JSC::Parser<LexerType>::parseFunctionInfo):
1499         * parser/Parser.h:
1500         (JSC::Scope::Scope):
1501         (JSC::Scope::isGeneratorBoundary):
1502         (JSC::Scope::setIsFunction):
1503         (JSC::Scope::setIsGenerator):
1504         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
1505         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1506
1507 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
1508
1509         DFG/FTL should inline accesses to RegExpObject::m_lastIndex
1510         https://bugs.webkit.org/show_bug.cgi?id=155003
1511
1512         Reviewed by Benjamin Poulain.
1513
1514         The Octane/regexp benchmark sets RegExps' lastIndex a lot. I could imagine this being
1515         something that people want to do. Right now, I'm not convinced that making the RegExp object
1516         be more plain-JS would be a good idea considering that pretty much all uses of it will
1517         require some special compiler magic. Also, it's good that this patch teaches the compiler
1518         how to reason about lastIndex since some of my other plans for regexp involve having the
1519         compiler treat more regexp stuff as intrinsic.
1520
1521         This is a smaller Octane/regexp speed-up than I hoped - maybe around 1%. It's an enormous
1522         speed-up on the microbenchmarks attached to this patch.
1523
1524         * dfg/DFGAbstractHeap.h:
1525         * dfg/DFGAbstractInterpreterInlines.h:
1526         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1527         * dfg/DFGClobberize.h:
1528         (JSC::DFG::clobberize):
1529         * dfg/DFGDoesGC.cpp:
1530         (JSC::DFG::doesGC):
1531         * dfg/DFGFixupPhase.cpp:
1532         (JSC::DFG::FixupPhase::fixupNode):
1533         * dfg/DFGHeapLocation.h:
1534         * dfg/DFGNodeType.h:
1535         * dfg/DFGPredictionPropagationPhase.cpp:
1536         (JSC::DFG::PredictionPropagationPhase::propagate):
1537         * dfg/DFGSafeToExecute.h:
1538         (JSC::DFG::safeToExecute):
1539         * dfg/DFGSpeculativeJIT.cpp:
1540         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
1541         (JSC::DFG::SpeculativeJIT::compileGetRegExpObjectLastIndex):
1542         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
1543         * dfg/DFGSpeculativeJIT.h:
1544         * dfg/DFGSpeculativeJIT32_64.cpp:
1545         (JSC::DFG::SpeculativeJIT::compile):
1546         * dfg/DFGSpeculativeJIT64.cpp:
1547         (JSC::DFG::SpeculativeJIT::compile):
1548         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1549         * ftl/FTLAbstractHeapRepository.cpp:
1550         * ftl/FTLAbstractHeapRepository.h:
1551         * ftl/FTLCapabilities.cpp:
1552         (JSC::FTL::canCompile):
1553         * ftl/FTLLowerDFGToB3.cpp:
1554         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1555         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
1556         (JSC::FTL::DFG::LowerDFGToB3::compileGetRegExpObjectLastIndex):
1557         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
1558         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
1559         (JSC::FTL::DFG::LowerDFGToB3::lowObject):
1560         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject):
1561         (JSC::FTL::DFG::LowerDFGToB3::lowString):
1562         * runtime/RegExpObject.h:
1563         (JSC::RegExpObject::createStructure):
1564         (JSC::RegExpObject::offsetOfLastIndex):
1565
1566 2016-03-03  Chris Dumez  <cdumez@apple.com>
1567
1568         Regression(r196770): Unable to use HipChat Mac app
1569         https://bugs.webkit.org/show_bug.cgi?id=154999
1570         <rdar://problem/24931959>
1571
1572         Reviewed by Darin Adler.
1573
1574         Add a setter to PutPropertySlot to override the 'isStrictMode' flag.
1575
1576         * runtime/PutPropertySlot.h:
1577         (JSC::PutPropertySlot::setStrictMode):
1578
1579 2016-03-03  Benjamin Poulain  <bpoulain@apple.com>
1580
1581         [JSC] Add support for MADD, MSUB and MNEG to Air
1582         https://bugs.webkit.org/show_bug.cgi?id=154997
1583
1584         Reviewed by Filip Pizlo.
1585
1586         ARM64 can do an Add/Sub in the Multiply units.
1587         LLVM was doing so but we lost that when switching to B3.
1588
1589         This patch adds those instructions in Air.
1590
1591         There are more ALUs than multiply units, thus we are more
1592         likely to successfully schedule a Multiply+Add than 2 Multiply.
1593         I am conservative and only emit a multiply-add if the value
1594         can be interned. As far as I can tell from what is generated
1595         by LLVM, that backend had the same rule.
1596
1597         * assembler/MacroAssemblerARM64.h:
1598         (JSC::MacroAssemblerARM64::multiplyAdd32):
1599         (JSC::MacroAssemblerARM64::multiplySub32):
1600         (JSC::MacroAssemblerARM64::multiplyNeg32):
1601         (JSC::MacroAssemblerARM64::multiplyAdd64):
1602         (JSC::MacroAssemblerARM64::multiplySub64):
1603         (JSC::MacroAssemblerARM64::multiplyNeg64):
1604         * b3/B3LowerToAir.cpp:
1605         (JSC::B3::Air::LowerToAir::lower):
1606         * b3/air/AirOpcode.opcodes:
1607         * b3/testb3.cpp:
1608         (JSC::B3::populateWithInterestingValues):
1609         (JSC::B3::floatingPointOperands):
1610         (JSC::B3::int64Operands):
1611         (JSC::B3::int32Operands):
1612         (JSC::B3::testMulAddArgsLeft):
1613         (JSC::B3::testMulAddArgsRight):
1614         (JSC::B3::testMulAddArgsLeft32):
1615         (JSC::B3::testMulAddArgsRight32):
1616         (JSC::B3::testMulSubArgsLeft):
1617         (JSC::B3::testMulSubArgsRight):
1618         (JSC::B3::testMulSubArgsLeft32):
1619         (JSC::B3::testMulSubArgsRight32):
1620         (JSC::B3::testMulNegArgs):
1621         (JSC::B3::testMulNegArgs32):
1622         (JSC::B3::run):
1623
1624 2016-03-03  Saam Barati  <sbarati@apple.com>
1625
1626         [ES6] Implement Proxy.[[SetPrototypeOf]]
1627         https://bugs.webkit.org/show_bug.cgi?id=154931
1628
1629         Reviewed by Ryosuke Niwa.
1630
1631         This patch is a straightforward implementation of Proxy.[[SetPrototypeOf]]
1632         with respect to section 9.5.2 of the ECMAScript spec.
1633         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-setprototypeof-v
1634
1635         * runtime/JSObject.cpp:
1636         (JSC::JSObject::putInlineSlow):
1637         * runtime/ProxyObject.cpp:
1638         (JSC::ProxyObject::put):
1639         (JSC::ProxyObject::getGenericPropertyNames):
1640         (JSC::ProxyObject::performSetPrototype):
1641         (JSC::ProxyObject::setPrototype):
1642         (JSC::ProxyObject::visitChildren):
1643         * runtime/ProxyObject.h:
1644         * tests/es6.yaml:
1645         * tests/stress/proxy-set-prototype-of.js: Added.
1646         (assert):
1647         (throw.new.Error.let.handler.get setPrototypeOf):
1648         (throw.new.Error.set let):
1649         (throw.new.Error.set catch):
1650         (throw.new.Error):
1651         (assert.let.handler.setPrototypeOf):
1652         (assert.set let):
1653         (assert.set catch):
1654         (let.handler.setPrototypeOf):
1655         (set let):
1656         (set catch):
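
        The invariant that section 9.5.2 makes the engine enforce after the setPrototypeOf
        trap has run, as an added JavaScript example (not part of this patch or its test
        file): a handler on a non-extensible target cannot report success for a prototype
        other than the target's current one. Helper names are illustrative.

```javascript
'use strict';

// Spec 9.5.2 [[SetPrototypeOf]] (V): once the trap has answered, the engine
// checks its answer against the target. If the target is non-extensible, the
// trap may only report success when V already is the target's prototype;
// otherwise a TypeError is thrown, so a handler cannot lie about the chain.

// Set a prototype through a proxy and classify what the engine did.
function setProtoOutcome(target, handler, proto) {
  const proxy = new Proxy(target, handler);
  try {
    // Reflect.setPrototypeOf surfaces the trap's boolean instead of throwing on false.
    return Reflect.setPrototypeOf(proxy, proto) ? 'ok' : 'refused';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

function demo() {
  const results = {};

  // 1. Extensible target, honest trap: the prototype really changes.
  const honest = {};
  results.honest = setProtoOutcome(honest, {
    setPrototypeOf(t, v) { return Reflect.setPrototypeOf(t, v); },
  }, Array.prototype);
  results.honestProto = Object.getPrototypeOf(honest) === Array.prototype;

  // 2. Trap refuses (returns false): Reflect reports false, Object.setPrototypeOf throws.
  results.refused = setProtoOutcome({}, { setPrototypeOf() { return false; } }, null);
  let objectSetThrew = false;
  try {
    Object.setPrototypeOf(new Proxy({}, { setPrototypeOf() { return false; } }), null);
  } catch (e) { objectSetThrew = e instanceof TypeError; }
  results.objectSetThrew = objectSetThrew;

  // 3. Non-extensible target, trap claims success for a different prototype:
  //    the post-trap invariant check raises TypeError.
  const nonExt = Object.preventExtensions({});
  results.lying = setProtoOutcome(nonExt, { setPrototypeOf() { return true; } }, Array.prototype);

  // 4. Non-extensible target, trap claims success for the *current* prototype: allowed.
  results.sameProto = setProtoOutcome(nonExt, { setPrototypeOf() { return true; } }, Object.prototype);

  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```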
1657
1658 2016-03-03  Keith Miller  <keith_miller@apple.com>
1659
1660         JSArrayBuffers should be collected less aggressively
1661         https://bugs.webkit.org/show_bug.cgi?id=154982
1662
1663         Reviewed by Geoffrey Garen.
1664
1665         We are currently too aggressive in our collection of ArrayBuffer wrappers.
1666         There are three cases where we need to avoid collecting ArrayBuffer wrappers.
1667         1. If the wrapper has custom properties.
1668         2. If the wrapper is a subclass of ArrayBuffer.
1669         3. If the wrapper is in a WeakMap/WeakSet.
1670
1671         Currently, we only pass the first case in WebCore and none in the jsc CLI.
1672         This patch removes some optimizations that cause us to collect when we
1673         should not. Namely, always skipping the object unless it has custom
1674         properties. Additionally, in the case of subclassing, we also need a way
1675         for custom JSArrayBuffer objects to register themselves as the wrapper for
1676         an ArrayBuffer class.
1677
1678         Finally, this patch fixes an issue where views would not mark their ArrayBuffer
1679         as an opaque root. This patch also moves an associated ASSERT that the
1680         ArrayBuffer held by a view is not null in JSGenericTypedArrayView::visitChildren
1681         into JSArrayBufferView::visitChildren, where we add the opaque root.
1682
1683         * runtime/JSArrayBuffer.cpp:
1684         (JSC::JSArrayBuffer::finishCreation):
1685         (JSC::JSArrayBuffer::create):
1686         (JSC::JSArrayBuffer::createWithoutWrapping):
1687         * runtime/JSArrayBuffer.h:
1688         * runtime/JSArrayBufferView.cpp:
1689         (JSC::JSArrayBufferView::visitChildren):
1690         * runtime/JSArrayBufferView.h:
1691         * runtime/JSGenericTypedArrayViewInlines.h:
1692         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Deleted.
1693         * runtime/SimpleTypedArrayController.cpp:
1694         (JSC::SimpleTypedArrayController::toJS):
1695         (JSC::SimpleTypedArrayController::registerWrapper):
1696         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
1697         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::finalize):
1698         * runtime/SimpleTypedArrayController.h:
1699         * runtime/TypedArrayController.h:
1700
1701 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
1702
1703         Octane/regexp's Exec function should benefit from array length accessor inlining
1704         https://bugs.webkit.org/show_bug.cgi?id=154994
1705
1706         Reviewed by Benjamin Poulain.
1707
1708         It does:
1709
1710             var thingy = blahbitty.blah;
1711             if (thingy)
1712                 foo = thingy.length;
1713
1714         So, 'thingy' is SpecArray | SpecOther, which prevents the array length accessor inlining from
1715         kicking in. Our strategy for this elsewhere in the DFG is to allow a one-time speculation that
1716         we won't see SpecOther, since *usually* we see SpecOther mixed with other stuff in cases like
1717         this where there is some null check guarding the code.
1718
1719         This gives another slight speed-up on Octane/regexp.
1720
1721         * bytecode/SpeculatedType.h:
1722         (JSC::isCellSpeculation):
1723         (JSC::isCellOrOtherSpeculation):
1724         (JSC::isNotCellSpeculation):
1725         * dfg/DFGFixupPhase.cpp:
1726         (JSC::DFG::FixupPhase::fixupNode):
1727         * dfg/DFGNode.h:
1728         (JSC::DFG::Node::shouldSpeculateCell):
1729         (JSC::DFG::Node::shouldSpeculateCellOrOther):
1730         (JSC::DFG::Node::shouldSpeculateNotCell):
1731
1732 2016-03-03  Saam Barati  <sbarati@apple.com>
1733
1734         Add Proxy tests for exceptions that depend on an object being non-extensible and having configurable properties
1735         https://bugs.webkit.org/show_bug.cgi?id=154745
1736
1737         Reviewed by Geoffrey Garen.
1738
1739         This patch is mostly an implementation of Proxy.[[OwnPropertyKeys]]
1740         with respect to section 9.5.11 of the ECMAScript spec.
1741         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys
1742
1743         This patch also changes call sites of getOwnPropertyNames and
1744         getPropertyNames to expect that an exception can be thrown.
1745
1746         * dfg/DFGOperations.cpp:
1747         * inspector/JSInjectedScriptHost.cpp:
1748         (Inspector::JSInjectedScriptHost::iteratorEntries):
1749         * interpreter/Interpreter.cpp:
1750         (JSC::Interpreter::execute):
1751         * runtime/IntlObject.cpp:
1752         (JSC::supportedLocales):
1753         * runtime/JSCJSValue.h:
1754         * runtime/JSCJSValueInlines.h:
1755         (JSC::JSValue::get):
1756         (JSC::JSValue::put):
1757         * runtime/JSONObject.cpp:
1758         (JSC::Stringifier::Holder::appendNextProperty):
1759         (JSC::Walker::walk):
1760         * runtime/JSObject.cpp:
1761         (JSC::JSObject::getPropertyNames):
1762         (JSC::JSObject::getGenericPropertyNames):
1763         * runtime/JSObject.h:
1764         (JSC::makeIdentifier):
1765         (JSC::createListFromArrayLike):
1766         * runtime/JSPropertyNameEnumerator.h:
1767         (JSC::propertyNameEnumerator):
1768         * runtime/JSPropertyNameIterator.cpp:
1769         (JSC::JSPropertyNameIterator::create):
1770         * runtime/MapConstructor.cpp:
1771         (JSC::constructMap):
1772         * runtime/ObjectConstructor.cpp:
1773         (JSC::defineProperties):
1774         (JSC::objectConstructorSeal):
1775         (JSC::objectConstructorFreeze):
1776         (JSC::objectConstructorIsSealed):
1777         (JSC::objectConstructorIsFrozen):
1778         (JSC::ownPropertyKeys):
1779         * runtime/ProxyObject.cpp:
1780         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1781         (JSC::ProxyObject::deleteProperty):
1782         (JSC::ProxyObject::deletePropertyByIndex):
1783         (JSC::ProxyObject::defineOwnProperty):
1784         (JSC::ProxyObject::performGetOwnPropertyNames):
1785         (JSC::ProxyObject::getOwnPropertyNames):
1786         (JSC::ProxyObject::getOwnNonIndexPropertyNames):
1787         (JSC::ProxyObject::getStructurePropertyNames):
1788         (JSC::ProxyObject::getGenericPropertyNames):
1789         (JSC::ProxyObject::visitChildren):
1790         * runtime/ProxyObject.h:
1791         (JSC::ProxyObject::create):
1792         (JSC::ProxyObject::createStructure):
1793         * runtime/Structure.cpp:
1794         (JSC::Structure::Structure):
1795         (JSC::Structure::add):
1796         (JSC::Structure::getPropertyNamesFromStructure):
1797         (JSC::Structure::checkConsistency):
1798         (JSC::Structure::canCachePropertyNameEnumerator):
1799         (JSC::Structure::canAccessPropertiesQuicklyForEnumeration):
1800         (JSC::Structure::canAccessPropertiesQuickly): Deleted.
1801         * runtime/Structure.h:
1802         * runtime/WeakMapConstructor.cpp:
1803         (JSC::constructWeakMap):
1804         * tests/es6.yaml:
1805         * tests/stress/proxy-own-keys.js: Added.
1806         (assert):
1807         (throw.new.Error.let.handler.ownKeys):
1808         (throw.new.Error):
1809         (assert.let.handler.get ownKeys):
1810         (assert.let.handler.ownKeys):
1811         (let.handler.ownKeys):
1812         (i.catch):
1813         (shallowEq):
1814         (let.handler.getOwnPropertyDescriptor):
1815         (i.set assert):
1816         (set add):
1817         (set assert):
1818         (set if):
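
        The section 9.5.11 checks on the ownKeys trap result, and how the resulting
        TypeError reaches the call sites this entry makes exception-aware, as an added
        JavaScript example (not part of this patch or its test file). Helper names are
        illustrative.

```javascript
'use strict';

// Spec 9.5.11 [[OwnPropertyKeys]] (): the trap result is validated before use.
//   - every element must be a String or Symbol (CreateListFromArrayLike);
//   - every non-configurable own key of the target must be present;
//   - if the target is non-extensible, the list must be exactly the target's keys.
// A violation throws TypeError. Because ownKeys is reached from many built-ins
// (Object.keys, JSON.stringify, Object.freeze, ...), those paths must expect it.

// Run `fn` against a proxy whose ownKeys trap returns `trapResult`.
function ownKeysOutcome(target, trapResult, fn) {
  const proxy = new Proxy(target, { ownKeys() { return trapResult; } });
  try {
    return { ok: true, value: fn(proxy) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

function demo() {
  const out = {};

  // Target has a non-configurable own key that the trap omits -> TypeError.
  const withNonConfig = Object.defineProperty({}, 'fixed',
    { value: 1, configurable: false, enumerable: true });
  out.omittedNonConfig = ownKeysOutcome(withNonConfig, [], Object.keys);

  // Trap lists the key -> allowed; extra keys are fine while the target is extensible.
  out.listedNonConfig = ownKeysOutcome(withNonConfig, ['fixed', 'extra'], Reflect.ownKeys);

  // Non-extensible target: the trap may neither add nor drop keys.
  const sealed = Object.preventExtensions({ a: 1 });
  out.addedToSealed = ownKeysOutcome(sealed, ['a', 'b'], Reflect.ownKeys);
  out.exactSealed = ownKeysOutcome(sealed, ['a'], Reflect.ownKeys);

  // Elements must be property keys: a number is rejected.
  out.nonKeyElement = ownKeysOutcome({}, [42], Reflect.ownKeys);

  // The TypeError propagates through built-ins that enumerate keys internally.
  out.viaJSON = ownKeysOutcome(withNonConfig, [], (p) => JSON.stringify(p));
  out.viaFreeze = ownKeysOutcome(withNonConfig, [], (p) => Object.freeze(p));

  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```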
1819
1820 2016-03-03  Keith Miller  <keith_miller@apple.com>
1821
1822         Array prototype JS builtins should support Symbol.species
1823         https://bugs.webkit.org/show_bug.cgi?id=154710
1824
1825         Reviewed by Geoffrey Garen.
1826
1827         Add support for Symbol.species in the Array.prototype JS
1828         builtin functions.
1829
1830         * builtins/ArrayPrototype.js:
1831         (filter):
1832         (map):
1833         * runtime/ArrayConstructor.cpp:
1834         (JSC::ArrayConstructor::finishCreation):
1835         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
1836         * runtime/ArrayConstructor.h:
1837         (JSC::ArrayConstructor::create):
1838         * runtime/CommonIdentifiers.h:
1839         * runtime/JSGlobalObject.cpp:
1840         (JSC::JSGlobalObject::init):
1841         * tests/stress/array-species-functions.js:
1842         (id):
1843
1844 2016-03-03  Michael Saboff  <msaboff@apple.com>
1845
1846         [ES6] Make Unicode RegExp pattern parsing conform to the spec
1847         https://bugs.webkit.org/show_bug.cgi?id=154988
1848
1849         Reviewed by Benjamin Poulain.
1850
1851         Updated RegExp pattern processing with 'u' (Unicode) flag to conform to the
1852         spec (https://tc39.github.io/ecma262/2016/#sec-patterns).  In the spec, the
1853         grammar is annotated with [U] annotations.  Productions that are prefixed with
1854         [+U] are only available with the Unicode flag while productions prefixed with
1855         [~U] are only available without the Unicode flag.
1856
1857         Added a flags argument to Yarr::checkSyntax() so we can catch Unicode flag related
1858         parsing errors at syntax checking time.  Restricted what escapes are available for
1859         non-Unicode patterns.  Most of this is defined in the IdentityEscape rule in the
1860         pattern grammar.
1861
1862         Added \- as a CharacterClass only escape in Unicode patterns.
1863
1864         Updated the tests for these changes.
1865
1866         Made changes suggested in https://bugs.webkit.org/show_bug.cgi?id=154842#c22 after
1867         change set r197426 was landed.
1868
1869         * parser/ASTBuilder.h:
1870         (JSC::ASTBuilder::createRegExp):
1871         * parser/Parser.cpp:
1872         (JSC::Parser<LexerType>::parsePrimaryExpression):
1873         * parser/SyntaxChecker.h:
1874         (JSC::SyntaxChecker::createRegExp):
1875         * yarr/YarrInterpreter.cpp:
1876         (JSC::Yarr::Interpreter::InputStream::readChecked):
1877         (JSC::Yarr::Interpreter::InputStream::readSurrogatePairChecked):
1878         (JSC::Yarr::Interpreter::InputStream::reread):
1879         (JSC::Yarr::Interpreter::InputStream::uncheckInput):
1880         (JSC::Yarr::Interpreter::InputStream::atStart):
1881         (JSC::Yarr::Interpreter::InputStream::atEnd):
1882         (JSC::Yarr::Interpreter::testCharacterClass):
1883         (JSC::Yarr::Interpreter::backtrackPatternCharacter):
1884         (JSC::Yarr::Interpreter::matchDisjunction):
1885         (JSC::Yarr::ByteCompiler::atomPatternCharacter):
1886         * yarr/YarrParser.h:
1887         (JSC::Yarr::Parser::Parser):
1888         (JSC::Yarr::Parser::isIdentityEscapeAnError):
1889         (JSC::Yarr::Parser::parseEscape):
1890         (JSC::Yarr::Parser::parse):
1891         * yarr/YarrPattern.cpp:
1892         (JSC::Yarr::CharacterClassConstructor::putChar):
1893         (JSC::Yarr::CharacterClassConstructor::putRange):
1894         (JSC::Yarr::CharacterClassConstructor::addSorted):
1895         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
1896         * yarr/YarrSyntaxChecker.cpp:
1897         (JSC::Yarr::SyntaxChecker::disjunction):
1898         (JSC::Yarr::checkSyntax):
1899         * yarr/YarrSyntaxChecker.h:
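
        The [+U]/[~U] split in IdentityEscape and the class-only \- escape, shown
        side by side by feeding the same sources to the RegExp constructor with and
        without the 'u' flag, as an added JavaScript example (not part of this patch
        or its tests). The helper names and the pattern list are constructed here.

```javascript
'use strict';

// Without 'u', IdentityEscape accepts almost any character (Annex B). With 'u'
// it accepts only SyntaxCharacter and '/', and '\-' becomes a ClassEscape that
// exists only inside a character class. This helper reports which pattern
// sources each grammar accepts so the two modes can be compared directly.

function regexpAccepted(source, flags) {
  try {
    new RegExp(source, flags);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in this harness, not a grammar result
  }
}

// Pattern sources chosen to exercise the IdentityEscape / ClassEscape rules.
const PATTERNS = [
  '\\a',    // 'a' is an identifier character: identity escape only without 'u'
  '\\-',    // '-' outside a class: allowed without 'u', rejected with 'u'
  '[\\-]',  // '\-' inside a class: [+U] ClassEscape, accepted in both modes
  '\\$',    // SyntaxCharacter: always allowed
  '\\/',    // '/' is an allowed identity escape in both modes
];

// Returns { source: { sloppy: bool, unicode: bool } } for each pattern source.
function compareModes(patterns = PATTERNS) {
  const rows = {};
  for (const p of patterns) {
    rows[p] = { sloppy: regexpAccepted(p, ''), unicode: regexpAccepted(p, 'u') };
  }
  return rows;
}

console.table(compareModes());
```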
1900
1901 2016-03-03  Saam Barati  <sbarati@apple.com>
1902
1903         [ES6] Implement Proxy.[[DefineOwnProperty]]
1904         https://bugs.webkit.org/show_bug.cgi?id=154759
1905
1906         Reviewed by Geoffrey Garen and Mark Lam.
1907
1908         This patch is a straightforward implementation of Proxy.[[DefineOwnProperty]]
1909         with respect to section 9.5.6 of the ECMAScript spec.
1910         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-defineownproperty-p-desc
1911
1912         * runtime/ObjectConstructor.cpp:
1913         (JSC::objectConstructorGetOwnPropertyDescriptor):
1914         (JSC::objectConstructorGetOwnPropertyDescriptors):
1915         * runtime/ObjectConstructor.h:
1916         (JSC::constructEmptyObject):
1917         (JSC::constructObjectFromPropertyDescriptor):
1918         * runtime/ProxyObject.cpp:
1919         (JSC::ProxyObject::isExtensible):
1920         (JSC::ProxyObject::performDefineOwnProperty):
1921         (JSC::ProxyObject::defineOwnProperty):
1922         (JSC::ProxyObject::visitChildren):
1923         * runtime/ProxyObject.h:
1924         * tests/es6.yaml:
1925         * tests/stress/proxy-define-own-property.js: Added.
1926         (assert):
1927         (throw.new.Error):
1928         (assert.let.handler.get defineProperty):
1929         (assert.let.handler.defineProperty):
1930         (let.handler.defineProperty):
1931         (i.catch):
1932         (assert.try.):
1933         (assert.set get catch):
1934         (assert.let.setter):
1935         (assert.let.getter):
1936         (assert.set get let.handler.defineProperty):
1937         (assert.set get let):
1938         (assert.):
1939
1940 2016-03-03  Keith Miller  <keith_miller@apple.com>
1941
1942         [ES6] Add support for Symbol.toPrimitive
1943         https://bugs.webkit.org/show_bug.cgi?id=154877
1944
1945         Reviewed by Saam Barati.
1946
1947         This patch adds support for Symbol.toPrimitive. Since we don't currently
1948         generate snippets for one side of a binary operation we only need to change
1949         the JSObject::ToPrimitive function and update some optimizations in the DFG
1950         that need to know how conversions to primitive values should work. As of
1951         ES6, the date prototype is also no longer special cased in the ToPrimitive
1952         operation. Instead, Date.prototype has a Symbol.species function that
1953         replicates the old behavior.
1954
1955         * bytecode/ObjectPropertyConditionSet.cpp:
1956         (JSC::generateConditionsForPropertyMissConcurrently):
1957         * bytecode/ObjectPropertyConditionSet.h:
1958         * dfg/DFGGraph.cpp:
1959         (JSC::DFG::Graph::watchConditions):
1960         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
1961         * dfg/DFGGraph.h:
1962         * runtime/CommonIdentifiers.h:
1963         * runtime/DatePrototype.cpp:
1964         (JSC::DatePrototype::finishCreation):
1965         (JSC::dateProtoFuncToPrimitiveSymbol):
1966         * runtime/Error.cpp:
1967         (JSC::throwTypeError):
1968         * runtime/Error.h:
1969         * runtime/JSCJSValueInlines.h:
1970         (JSC::toPreferredPrimitiveType):
1971         * runtime/JSObject.cpp:
1972         (JSC::callToPrimitiveFunction):
1973         (JSC::JSObject::ordinaryToPrimitive):
1974         (JSC::JSObject::defaultValue):
1975         (JSC::JSObject::toPrimitive):
1976         (JSC::JSObject::getPrimitiveNumber):
1977         (JSC::callDefaultValueFunction): Deleted.
1978         (JSC::throwTypeError): Deleted.
1979         * runtime/JSObject.h:
1980         (JSC::JSObject::toPrimitive): Deleted.
1981         * runtime/SmallStrings.h:
1982         * runtime/SymbolPrototype.cpp:
1983         (JSC::SymbolPrototype::finishCreation):
1984         * runtime/SymbolPrototype.h:
1985         (JSC::SymbolPrototype::create):
1986         * tests/es6.yaml:
1987         * tests/stress/date-symbol-toprimitive.js: Added.
1988         * tests/stress/ropes-symbol-toprimitive.js: Added.
1989         (ropify):
1990         (String.prototype.Symbol.toPrimitive):
1991         * tests/stress/symbol-toprimitive.js: Added.
1992         (foo.Symbol.toPrimitive):
1993         (catch):
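
        Added illustration, not part of this patch or of JSC: the ES6 ToPrimitive and
        OrdinaryToPrimitive algorithms modelled in JavaScript. makeDateLike is a constructed
        object whose Symbol.toPrimitive does what Date.prototype's does with the "default" hint,
        next to a plain object with the same valueOf/toString for comparison.

```javascript
// Added example (not JSC code): a JavaScript model of ES2015 ToPrimitive (7.1.1)
// and OrdinaryToPrimitive (7.1.1.1), the operations JSObject::toPrimitive and
// JSObject::ordinaryToPrimitive implement natively.

function isObject(v) {
  return (typeof v === "object" && v !== null) || typeof v === "function";
}

// OrdinaryToPrimitive: call valueOf/toString in hint-dependent order and return
// the first primitive result; throw if neither yields one.
function ordinaryToPrimitive(O, hint) {
  const order = hint === "string" ? ["toString", "valueOf"] : ["valueOf", "toString"];
  for (const name of order) {
    const method = O[name];
    if (typeof method === "function") {
      const result = method.call(O);
      if (!isObject(result)) return result;
    }
  }
  throw new TypeError("Cannot convert object to primitive value");
}

// ToPrimitive: a Symbol.toPrimitive method on the object (or its prototype chain)
// takes precedence and must itself return a primitive. Without one, fall back to
// OrdinaryToPrimitive, where the "default" hint is treated as "number".
function toPrimitive(input, hint = "default") {
  if (!isObject(input)) return input;
  const exoticToPrim = input[Symbol.toPrimitive];
  if (exoticToPrim !== undefined && exoticToPrim !== null) {
    if (typeof exoticToPrim !== "function") {
      throw new TypeError("Symbol.toPrimitive is not a function");
    }
    const result = exoticToPrim.call(input, hint);
    if (!isObject(result)) return result;
    throw new TypeError("Symbol.toPrimitive returned an object");
  }
  return ordinaryToPrimitive(input, hint === "default" ? "number" : hint);
}

// Constructed stand-in for a Date: its Symbol.toPrimitive treats the "default"
// hint as "string", which is the ES6 way of keeping the pre-ES6 behaviour where
// `date + ""` yields the date string rather than the epoch number.
function makeDateLike(epochMs, text) {
  return {
    valueOf() { return epochMs; },
    toString() { return text; },
    [Symbol.toPrimitive](hint) {
      if (hint !== "default" && hint !== "number" && hint !== "string") {
        throw new TypeError("Invalid hint: " + hint);
      }
      return ordinaryToPrimitive(this, hint === "default" ? "string" : hint);
    },
  };
}

// Same valueOf/toString but no Symbol.toPrimitive: "default" now means "number".
function makePlainLike(epochMs, text) {
  return { valueOf() { return epochMs; }, toString() { return text; } };
}

function demo() {
  const dateLike = makeDateLike(0, "Thu Jan 01 1970");
  const plainLike = makePlainLike(0, "Thu Jan 01 1970");
  let objectResultRejected = false;
  try {
    toPrimitive({ [Symbol.toPrimitive]() { return {}; } });
  } catch (e) {
    objectResultRejected = e instanceof TypeError;
  }
  return {
    dateDefault: toPrimitive(dateLike, "default"),      // "Thu Jan 01 1970"
    dateNumber: toPrimitive(dateLike, "number"),        // 0
    plainDefault: toPrimitive(plainLike, "default"),    // 0
    plainString: toPrimitive(plainLike, "string"),      // "Thu Jan 01 1970"
    // The engine's real Date agrees with the stand-in above.
    realDateDefaultIsString: typeof toPrimitive(new Date(0), "default") === "string",
    realDateNumber: toPrimitive(new Date(0), "number"), // 0
    objectResultRejected,                               // true
  };
}
```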
1994
1995 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
1996
1997         DFG should be able to compile StringReplace
1998         https://bugs.webkit.org/show_bug.cgi?id=154979
1999
2000         Reviewed by Benjamin Poulain.
2001
2002         Adds support for StringReplace to the DFG tier. This is a 3% speed-up on Octane/regexp.
2003
2004         * dfg/DFGByteCodeParser.cpp:
2005         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2006         * dfg/DFGSpeculativeJIT.cpp:
2007         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
2008         (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
2009         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2010         * dfg/DFGSpeculativeJIT.h:
2011         (JSC::DFG::SpeculativeJIT::callOperation):
2012         * dfg/DFGSpeculativeJIT32_64.cpp:
2013         (JSC::DFG::SpeculativeJIT::compile):
2014         * dfg/DFGSpeculativeJIT64.cpp:
2015         (JSC::DFG::SpeculativeJIT::compile):
2016         * jit/JITOperations.h:
2017
2018 2016-03-03  Saam barati  <sbarati@apple.com>
2019
2020         [[SetPrototypeOf]] isn't properly implemented everywhere
2021         https://bugs.webkit.org/show_bug.cgi?id=154943
2022
2023         Reviewed by Benjamin Poulain.
2024
2025         We were copy-pasting implementation bits that belong in OrdinarySetPrototypeOf
2026         in a few different places that call O.[[SetPrototypeOf]](v)
2027         rather than having those bits in OrdinarySetPrototypeOf itself.
2028         We need to put those copy-pasted bits into OrdinarySetPrototypeOf
2029         and not the call sites of O.[[SetPrototypeOf]](v) because
2030         O.[[SetPrototypeOf]](v) won't always call into OrdinarySetPrototypeOf.
2031         This is needed for correctness because this behavior is now observable
2032         with the ES6 Proxy object.
2033
2034         * runtime/ClassInfo.h:
2035         * runtime/JSCell.cpp:
2036         (JSC::JSCell::isExtensible):
2037         (JSC::JSCell::setPrototype):
2038         * runtime/JSCell.h:
2039         * runtime/JSGlobalObjectFunctions.cpp:
2040         (JSC::globalFuncProtoSetter):
2041         * runtime/JSObject.cpp:
2042         (JSC::JSObject::setPrototypeDirect):
2043         (JSC::JSObject::setPrototypeWithCycleCheck):
2044         (JSC::JSObject::setPrototype):
2045         (JSC::JSObject::allowsAccessFrom):
2046         * runtime/JSObject.h:
2047         (JSC::JSObject::mayInterceptIndexedAccesses):
2048         * runtime/ObjectConstructor.cpp:
2049         (JSC::objectConstructorSetPrototypeOf):
2050         * runtime/ReflectObject.cpp:
2051         (JSC::reflectObjectSetPrototypeOf):
2052
2053 2016-03-03  Alex Christensen  <achristensen@webkit.org>
2054
2055         Fix Windows build after r197489.
2056
2057         * jsc.cpp:
2058
2059 2016-03-02  Filip Pizlo  <fpizlo@apple.com>
2060
2061         RegExpExec/RegExpTest should not unconditionally speculate cell
2062         https://bugs.webkit.org/show_bug.cgi?id=154901
2063
2064         Reviewed by Benjamin Poulain.
2065
2066         This is a three part change. It all started with a simple goal: end the rage-recompiles in
2067         Octane/regexp by enabling the DFG and FTL to do untyped RegExpExec/RegExpTest. This keeps us
2068         in the optimized code when you do a regexp match on a number, for example.
2069
2070         While implementing this, I realized that DFGOperations.cpp was bad at exception checking. When
2071         it did check for exceptions, it used exec->hadException() instead of vm.exception(). So I
2072         fixed that. I also made sure that the regexp operations checked for exception after doing
2073         toString().
2074
2075         Unfortunately, the introduction of untyped RegExpExec/RegExpTest caused a regression on
2076         Octane/regexp. This was because we were simultaneously scheduling replacement and OSR compiles
2077         of some large functions with the FTL JIT. The OSR compiles were not useful. This was a
2078         regression from the previous changes to make OSR compiles happen sooner. The problem is that
2079         this change also removed the throttling of OSR compiles even in those cases where we suspect
2080         that replacement is more likely. This patch reintroduces that throttling, but only in the
2081         replacement path.
2082
2083         This change ends up being neutral overall.
2084
2085         * dfg/DFGFixupPhase.cpp:
2086         (JSC::DFG::FixupPhase::fixupNode):
2087         * dfg/DFGOperations.cpp:
2088         * dfg/DFGOperations.h:
2089         * dfg/DFGSpeculativeJIT32_64.cpp:
2090         (JSC::DFG::SpeculativeJIT::compile):
2091         * dfg/DFGSpeculativeJIT64.cpp:
2092         (JSC::DFG::SpeculativeJIT::compile):
2093         * ftl/FTLLowerDFGToB3.cpp:
2094         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
2095         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
2096         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2097         * tests/stress/regexp-exec-effect-after-exception.js: Added.
2098
2099 2016-03-02  Benjamin Poulain  <bpoulain@apple.com>
2100
2101         [JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
2102         https://bugs.webkit.org/show_bug.cgi?id=154947
2103
2104         Reviewed by Filip Pizlo.
2105
2106         This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.
2107
2108         The problem was that JSCell_freeListNext and JSCell_structureID were
2109         considered as disjoint. When reordering instructions, the scheduler
2110         could move the write of the StructureID first to reduce dependencies.
2111         This would erase half of JSCell_freeListNext before we get a chance
2112         to load the value.
2113
2114         This patch changes the hierarchy to make sure nothing is written
2115         until JSCell_freeListNext is processed.
2116
2117         All credits for this patch go to Filip.
2118
2119         * ftl/FTLAbstractHeapRepository.cpp:
2120         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2121         * ftl/FTLAbstractHeapRepository.h:
2122
2123 2016-03-02  Benjamin Poulain  <bpoulain@apple.com>
2124
2125         [JSC] Improve Select of Doubles based on Double condition
2126         https://bugs.webkit.org/show_bug.cgi?id=154572
2127
2128         Reviewed by Filip Pizlo.
2129
2130         Octane has a bunch of Select on Double based on comparing Doubles.
2131         A few nodes generate that: ValueRep, Min, Max, etc.
2132
2133         On ARM64, we can improve our code a lot. ARM can do a select
2134         based on flags with the FCSEL instruction.
2135
2136         On x86, this patch adds aggressive aliasing for moveDoubleConditionallyXXX.
2137         This has obviously a much more limited impact.
2138
2139         * assembler/MacroAssembler.h:
2140         (JSC::MacroAssembler::moveDoubleConditionally32): Deleted.
2141         (JSC::MacroAssembler::moveDoubleConditionally64): Deleted.
2142         (JSC::MacroAssembler::moveDoubleConditionallyTest32): Deleted.
2143         (JSC::MacroAssembler::moveDoubleConditionallyTest64): Deleted.
2144         (JSC::MacroAssembler::moveDoubleConditionallyDouble): Deleted.
2145         (JSC::MacroAssembler::moveDoubleConditionallyFloat): Deleted.
2146         * assembler/MacroAssemblerARM64.h:
2147         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
2148         (JSC::MacroAssemblerARM64::moveDoubleConditionallyDouble):
2149         (JSC::MacroAssemblerARM64::moveDoubleConditionallyFloat):
2150         (JSC::MacroAssemblerARM64::moveConditionally32):
2151         (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
2152         (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
2153         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
2154         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest64):
2155         (JSC::MacroAssemblerARM64::branch64):
2156         * assembler/MacroAssemblerX86Common.h:
2157         (JSC::MacroAssemblerX86Common::moveConditionally32):
2158         (JSC::MacroAssemblerX86Common::moveDoubleConditionally32):
2159         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyTest32):
2160         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyDouble):
2161         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyFloat):
2162         * assembler/MacroAssemblerX86_64.h:
2163         (JSC::MacroAssemblerX86_64::moveDoubleConditionally64):
2164         (JSC::MacroAssemblerX86_64::moveDoubleConditionallyTest64):
2165         * b3/air/AirInstInlines.h:
2166         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2167         * b3/air/AirOpcode.opcodes:
2168         * b3/testb3.cpp:
2169         (JSC::B3::populateWithInterestingValues):
2170         (JSC::B3::floatingPointOperands):
2171         (JSC::B3::int64Operands):
2172         (JSC::B3::int32Operands):
2173         (JSC::B3::testSelectCompareFloat):
2174         (JSC::B3::testSelectCompareFloatToDouble):
2175         (JSC::B3::testSelectDoubleCompareDouble):
2176         (JSC::B3::testSelectDoubleCompareDoubleWithAliasing):
2177         (JSC::B3::testSelectFloatCompareFloat):
2178         (JSC::B3::testSelectFloatCompareFloatWithAliasing):
2179         (JSC::B3::run):
2180
2181 2016-03-02  Joseph Pecoraro  <pecoraro@apple.com>
2182
2183         Add ability to generate a Heap Snapshot
2184         https://bugs.webkit.org/show_bug.cgi?id=154847
2185
2186         Reviewed by Mark Lam.
2187
2188         This adds HeapSnapshot, HeapSnapshotBuilder, and HeapProfiler.
2189
2190         HeapProfiler hangs off of the VM and holds the list of snapshots.
2191         I expect to add other HeapProfiling features, such as allocation
2192         tracking, to the profiler.
2193
2194         HeapSnapshot contains a collection of live cells and their identifiers.
2195         It can point to a previous HeapSnapshot, to ensure that a cell that
2196         already received an identifier maintains the same identifier across
2197         multiple snapshots. When a snapshotted cell gets garbage collected,
2198         the cell will be swept from the HeapSnapshot at the end of collection
2199         to ensure the list contains only live cells.
2200
2201         When building a HeapSnapshot, nodes are added in increasing node
2202         identifier order. When done building, the list of nodes is complete
2203         and the snapshot is finalized. At this point the nodes are sorted
2204         by JSCell* address to allow for quick lookup of a JSCell*.
2205
2206         HeapSnapshotBuilder is where snapshotting begins. The builder
2207         will initiate a specialized heap snapshotting garbage collection.
2208         During this collection the builder will be notified of all marked
2209         (live) cells, and connections between cells, as seen by SlotVisitors.
2210         The builder can reference the previous, readonly, HeapSnapshots to
2211         avoid creating new nodes for cells that have already been snapshotted.
2212         When it is determined that we are visiting a live cell for the first
2213         time, we give the cell a unique identifier and add it to the
2214         snapshot we are building.
2215
2216         Since edge data is costly, and of little long term utility, this
2217         data is only held by the builder for serialization, and not stored
2218         long term with the HeapSnapshot node data.
2219
2220         The goals of HeapSnapshotting at this time are:
2221         - minimal impact on performance when not profiling the heap
2222         - unique identifier for cells, so they may be identified across multiple snapshots
2223         - nodes and edges to be able to construct a graph of which nodes reference/retain which other nodes
2224         - node data - identifier, type (class name), size
2225         - edge data - from cell, to cell, type / data (to come in a follow-up patch)
2226
2227         * CMakeLists.txt:
2228         * JavaScriptCore.xcodeproj/project.pbxproj:
2229         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2230         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2231         Add new files to the build.
2232
2233         * heap/Heap.cpp:
2234         (JSC::Heap::isHeapSnapshotting):
2235         (JSC::RemoveDeadHeapSnapshotNodes::RemoveDeadHeapSnapshotNodes):
2236         (JSC::RemoveDeadHeapSnapshotNodes::operator()):
2237         (JSC::Heap::removeDeadHeapSnapshotNodes):
2238         (JSC::Heap::collectImpl):
2239         After every collection, sweep dead cells from in memory snapshots.
2240
2241         * runtime/VM.cpp:
2242         (JSC::VM::ensureHeapProfiler):
2243         * runtime/VM.h:
2244         (JSC::VM::heapProfiler):
2245         * heap/Heap.h:
2246         * heap/HeapProfiler.cpp: Added.
2247         (JSC::HeapProfiler::HeapProfiler):
2248         (JSC::HeapProfiler::~HeapProfiler):
2249         (JSC::HeapProfiler::mostRecentSnapshot):
2250         (JSC::HeapProfiler::appendSnapshot):
2251         (JSC::HeapProfiler::clearSnapshots):
2252         (JSC::HeapProfiler::setActiveSnapshotBuilder):
2253         * heap/HeapProfiler.h: Added.
2254         (JSC::HeapProfiler::vm):
2255         (JSC::HeapProfiler::activeSnapshotBuilder):
2256         VM and Heap can look at the profiler to determine if we are building a
2257         snapshot, or the "head" snapshot to use for sweeping.
2258
2259         * heap/HeapSnapshot.cpp: Added.
2260         (JSC::HeapSnapshot::HeapSnapshot):
2261         (JSC::HeapSnapshot::~HeapSnapshot):
2262         (JSC::HeapSnapshot::appendNode):
2263         Add a node to the unfinalized list of new cells.
2264
2265         (JSC::HeapSnapshot::sweepCell):
2266         (JSC::HeapSnapshot::shrinkToFit):
2267         Collect a list of cells for sweeping and then remove them all at once
2268         in shrinkToFit. This is done to avoid thrashing of individual removes
2269         that could cause many overlapping moves within the Vector.
2270
2271         (JSC::HeapSnapshot::finalize):
2272         Sort the list, and also cache the bounding start/stop identifiers.
2273         No other snapshot can contain an identifier in this range, so it will
2274         improve lookup of a node from an identifier.
2275
2276         (JSC::HeapSnapshot::nodeForCell):
2277         (JSC::HeapSnapshot::nodeForObjectIdentifier):
2278         Search helpers.
2279
2280         * heap/HeapSnapshotBuilder.h: Added.
2281         (JSC::HeapSnapshotNode::HeapSnapshotNode):
2282         (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
2283         Node and Edge struct types the builder creates.
2284
2285         * heap/HeapSnapshotBuilder.cpp: Added.
2286         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
2287         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
2288         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
2289         (JSC::HeapSnapshotBuilder::buildSnapshot):
2290         (JSC::HeapSnapshotBuilder::appendNode):
2291         (JSC::HeapSnapshotBuilder::appendEdge):
2292         When building the snapshot, generating the next identifier, and
2293         appending to any of the lists must be guarded by a lock because
2294         SlotVisitors running in parallel may be accessing the builder.
2295
2296         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell):
2297         Looking up if a node already exists in a previous snapshot can be
2298         done without a lock because at this point the data is readonly.
2299
2300         (JSC::edgeTypeToNumber):
2301         (JSC::edgeTypeToString):
2302         (JSC::HeapSnapshotBuilder::json):
2303         JSON serialization of a heap snapshot contains node and edge data.
2304
2305         * heap/SlotVisitor.h:
2306         * heap/SlotVisitor.cpp:
2307         (JSC::SlotVisitor::didStartMarking):
2308         (JSC::SlotVisitor::reset):
2309         Set/clear the active snapshot builder to know if this will be a
2310         snapshotting GC or not.
2311
2312         (JSC::SlotVisitor::append):
2313         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2314         Inform the builder of a new node or edge.
2315
2316         (JSC::SlotVisitor::visitChildren):
2317         Remember the current cell we are visiting so that if we need to
2318         inform the builder of edges we know the "from" cell.
2319
2320         * jsc.cpp:
2321         (SimpleObject::SimpleObject):
2322         (SimpleObject::create):
2323         (SimpleObject::finishCreation):
2324         (SimpleObject::visitChildren):
2325         (SimpleObject::createStructure):
2326         (SimpleObject::hiddenValue):
2327         (SimpleObject::setHiddenValue):
2328         Create a new class "SimpleObject" that can be used by heap snapshotting
2329         tests. It is easy to filter for this new class name and test internal
2330         edge relationships created by garbage collection visiting the cell.
2331
2332         (functionCreateSimpleObject):
2333         (functionGetHiddenValue):
2334         (functionSetHiddenValue):
2335         Expose methods to create and interact with a SimpleObject.
2336
2337         (functionGenerateHeapSnapshot):
2338         Expose methods to create a heap snapshot. This currently automatically
2339         turns the serialized string into a JSON object. That may change.
2340
2341         * tests/heapProfiler.yaml: Added.
2342         * tests/heapProfiler/basic-edges.js: Added.
2343         (excludeStructure):
2344         * tests/heapProfiler/basic-nodes.js: Added.
2345         (hasDifferentSizeNodes):
2346         (hasAllInternalNodes):
2347         Add tests for basic node and edge data.
2348
2349         * tests/heapProfiler/driver/driver.js: Added.
2350         (assert):
2351         (CheapHeapSnapshotNode):
2352         (CheapHeapSnapshotEdge):
2353         (CheapHeapSnapshotEdge.prototype.get from):
2354         (CheapHeapSnapshotEdge.prototype.get to):
2355         (CheapHeapSnapshot):
2356         (CheapHeapSnapshot.prototype.get nodes):
2357         (CheapHeapSnapshot.prototype.get edges):
2358         (CheapHeapSnapshot.prototype.nodeWithIdentifier):
2359         (CheapHeapSnapshot.prototype.nodesWithClassName):
2360         (CheapHeapSnapshot.prototype.classNameFromTableIndex):
2361         (CheapHeapSnapshot.prototype.edgeTypeFromTableIndex):
2362         (createCheapHeapSnapshot):
2363         (HeapSnapshotNode):
2364         (HeapSnapshotEdge):
2365         (HeapSnapshot):
2366         (HeapSnapshot.prototype.nodesWithClassName):
2367         (createHeapSnapshot):
2368         Add two HeapSnapshot representations.
2369         CheapHeapSnapshot creates two lists of node and edge data that
2370         lazily creates objects as needed.
2371         HeapSnapshot creates an object for each node and edge. This
2372         is wasteful but easier to use.
2373
2374 2016-03-02  Filip Pizlo  <fpizlo@apple.com>
2375
2376         RegExpPrototype should check for exceptions after calling toString and doing so should not be expensive
2377         https://bugs.webkit.org/show_bug.cgi?id=154927
2378
2379         Reviewed by Saam Barati.
2380
2381         While working on regexp optimizations, I found that RegExpPrototype calls toString(), an
2382         effectful operation that could do anything, without then checking for hadException().
2383
2384         So I added a call to hadException().
2385
2386         But that regressed Octane/regexp by 5%!  That's a lot!  It turns out that
2387         exec->hadException() is soooper slow. So, I made it cheaper to check for exceptions from
2388         toString(): there is now a variant called toStringFast() that returns null iff it throws an
2389         exception.
2390
2391         This allowed me to add the exception check without regressing perf.
2392
2393         Note that toString() must retain its old behavior of returning an empty string on exception.
2394         There is just too much code that relies on that behavior.
2395
2396         * runtime/JSCJSValue.cpp:
2397         (JSC::JSValue::isValidCallee):
2398         (JSC::JSValue::toStringSlowCase):
2399         (JSC::JSValue::toWTFStringSlowCase):
2400         * runtime/JSCJSValue.h:
2401         (JSC::JSValue::asValue):
2402         * runtime/JSString.h:
2403         (JSC::JSValue::toString):
2404         (JSC::JSValue::toStringFast):
2405         (JSC::JSValue::toWTFString):
2406         * runtime/RegExpPrototype.cpp:
2407         (JSC::regExpProtoFuncTest):
2408         (JSC::regExpProtoFuncExec):
2409         (JSC::regExpProtoFuncCompile):
2410
2411 2016-03-02  Saam barati  <sbarati@apple.com>
2412
2413         clean up JSObject::isExtensibleInline and JSObject::setPrototypeOfInline, and rename setPrototypeOf to setPrototype
2414         https://bugs.webkit.org/show_bug.cgi?id=154942
2415
2416         Reviewed by Benjamin Poulain.
2417
2418         These don't need to be inlined in the way they are.
2419         Doing dynamic dispatch is ok performance wise until
2420         we have evidence stating otherwise.
2421
2422         * API/JSObjectRef.cpp:
2423         (JSObjectSetPrototype):
2424         (JSObjectHasProperty):
2425         * runtime/ClassInfo.h:
2426         * runtime/IntlCollatorConstructor.cpp:
2427         (JSC::constructIntlCollator):
2428         * runtime/IntlDateTimeFormatConstructor.cpp:
2429         (JSC::constructIntlDateTimeFormat):
2430         * runtime/IntlNumberFormatConstructor.cpp:
2431         (JSC::constructIntlNumberFormat):
2432         * runtime/JSCell.cpp:
2433         (JSC::JSCell::isExtensible):
2434         (JSC::JSCell::setPrototype):
2435         (JSC::JSCell::setPrototypeOf): Deleted.
2436         * runtime/JSCell.h:
2437         * runtime/JSGlobalObjectFunctions.cpp:
2438         (JSC::globalFuncProtoSetter):
2439         * runtime/JSObject.cpp:
2440         (JSC::JSObject::setPrototypeWithCycleCheck):
2441         (JSC::JSObject::setPrototype):
2442         (JSC::JSObject::allowsAccessFrom):
2443         (JSC::JSObject::isExtensible):
2444         (JSC::JSObject::reifyAllStaticProperties):
2445         (JSC::JSObject::defineOwnNonIndexProperty):
2446         (JSC::JSObject::setPrototypeOf): Deleted.
2447         * runtime/JSObject.h:
2448         (JSC::JSObject::mayInterceptIndexedAccesses):
2449         (JSC::JSObject::indexingShouldBeSparse):
2450         (JSC::JSObject::setPrototypeOfInline): Deleted.
2451         (JSC::JSObject::isExtensibleInline): Deleted.
2452         * runtime/ObjectConstructor.cpp:
2453         (JSC::objectConstructorSetPrototypeOf):
2454         (JSC::objectConstructorIsSealed):
2455         (JSC::objectConstructorIsFrozen):
2456         (JSC::objectConstructorIsExtensible):
2457         * runtime/ProxyObject.cpp:
2458         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2459         (JSC::ProxyObject::performHasProperty):
2460         (JSC::ProxyObject::performPreventExtensions):
2461         (JSC::ProxyObject::performIsExtensible):
2462         * runtime/ReflectObject.cpp:
2463         (JSC::reflectObjectIsExtensible):
2464         (JSC::reflectObjectSetPrototypeOf):
2465         * runtime/StringObject.cpp:
2466         (JSC::StringObject::defineOwnProperty):
2467
2468 2016-03-02  Konstantin Tokarev  <annulen@yandex.ru>
2469
2470         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
2471         https://bugs.webkit.org/show_bug.cgi?id=154651
2472
2473         Reviewed by Alex Christensen.
2474
2475         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
2476
2477 2016-03-02  Saam barati  <sbarati@apple.com>
2478
2479         [[SetPrototypeOf]] should be a fully virtual method in ClassInfo::methodTable
2480         https://bugs.webkit.org/show_bug.cgi?id=154897
2481
2482         Reviewed by Filip Pizlo.
2483
2484         This patch makes us more consistent with how the ES6 specification models the
2485         [[SetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
2486         is a prerequisite for implementing Proxy.[[SetPrototypeOf]]. This patch
2487         still allows directly setting the prototype for situations where this
2488         is the desired behavior. This is equivalent to setting the internal
2489         [[Prototype]] field as described in the specification. 
2490
2491         * API/JSClassRef.cpp:
2492         (OpaqueJSClass::prototype):
2493         * API/JSObjectRef.cpp:
2494         (JSObjectMake):
2495         (JSObjectSetPrototype):
2496         (JSObjectHasProperty):
2497         * API/JSWrapperMap.mm:
2498         (makeWrapper):
2499         * runtime/ClassInfo.h:
2500         * runtime/IntlCollatorConstructor.cpp:
2501         (JSC::constructIntlCollator):
2502         * runtime/IntlDateTimeFormatConstructor.cpp:
2503         (JSC::constructIntlDateTimeFormat):
2504         * runtime/IntlNumberFormatConstructor.cpp:
2505         (JSC::constructIntlNumberFormat):
2506         * runtime/JSCell.cpp:
2507         (JSC::JSCell::isExtensible):
2508         (JSC::JSCell::setPrototypeOf):
2509         * runtime/JSCell.h:
2510         * runtime/JSGlobalObject.cpp:
2511         (JSC::JSGlobalObject::resetPrototype):
2512         * runtime/JSGlobalObjectFunctions.cpp:
2513         (JSC::globalFuncProtoSetter):
2514         * runtime/JSObject.cpp:
2515         (JSC::JSObject::switchToSlowPutArrayStorage):
2516         (JSC::JSObject::setPrototypeDirect):
2517         (JSC::JSObject::setPrototypeWithCycleCheck):
2518         (JSC::JSObject::setPrototypeOf):
2519         (JSC::JSObject::allowsAccessFrom):
2520         (JSC::JSObject::setPrototype): Deleted.
2521         * runtime/JSObject.h:
2522         (JSC::JSObject::setPrototypeOfInline):
2523         (JSC::JSObject::mayInterceptIndexedAccesses):
2524         * runtime/JSProxy.cpp:
2525         (JSC::JSProxy::setTarget):
2526         * runtime/ObjectConstructor.cpp:
2527         (JSC::objectConstructorSetPrototypeOf):
2528         * runtime/ReflectObject.cpp:
2529         (JSC::reflectObjectSetPrototypeOf):
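
        Added illustration for this entry and for the "[[SetPrototypeOf]] isn't properly
        implemented everywhere" entry above, not part of either patch: ES2015 9.1.2
        OrdinarySetPrototypeOf modelled in JavaScript, with the Proxy case that makes the
        difference observable. The proxies WeakSet and makeProxy are the example's own
        bookkeeping, since script cannot ask an object whether its [[GetPrototypeOf]] is ordinary.

```javascript
// Added example (not JSC code): ES2015 9.1.2 OrdinarySetPrototypeOf modelled in
// JavaScript. The same-value short circuit, the extensibility check and the
// cycle walk live here, inside the ordinary algorithm, not at its callers.

// Bookkeeping for this example only: Proxies created here are recorded so the
// cycle walk can tell an ordinary object from a Proxy.
const proxies = new WeakSet();
function makeProxy(target, handler) {
  const p = new Proxy(target, handler);
  proxies.add(p);
  return p;
}

function ordinarySetPrototypeOf(O, V) {
  if (V !== null && typeof V !== "object" && typeof V !== "function") {
    throw new TypeError("prototype must be an object or null");
  }
  const current = Object.getPrototypeOf(O);
  if (Object.is(V, current)) return true;     // nothing to change, even if not extensible
  if (!Object.isExtensible(O)) return false;  // non-extensible objects refuse a new prototype
  // Cycle check: walk V's chain and refuse if O is on it. The walk stops at a
  // Proxy, whose [[GetPrototypeOf]] is not ordinary; its trap is never consulted.
  let p = V;
  while (p !== null) {
    if (Object.is(p, O)) return false;
    if (proxies.has(p)) break;
    p = Object.getPrototypeOf(p);
  }
  Object.setPrototypeOf(O, V);  // the direct [[Prototype]] write (setPrototypeDirect in JSC terms)
  return true;
}

function scenarios() {
  const base = {};
  const child = Object.create(base);
  const sealed = Object.preventExtensions({});
  let getProtoTrapCalls = 0;
  const px = makeProxy({}, {
    getPrototypeOf(t) { getProtoTrapCalls++; return Object.getPrototypeOf(t); },
  });
  const throughProxy = Object.create(px);
  return {
    sameValue: ordinarySetPrototypeOf(child, base),                          // true
    notExtensible: ordinarySetPrototypeOf(sealed, base),                     // false
    notExtensibleSameValue: ordinarySetPrototypeOf(sealed, Object.prototype), // true
    cycle: ordinarySetPrototypeOf(base, child),                              // false: base -> child -> base
    stopsAtProxy: ordinarySetPrototypeOf(base, throughProxy),                // true
    proxyTrapConsulted: getProtoTrapCalls > 0,                               // false
    applied: Object.getPrototypeOf(base) === throughProxy,                   // true
  };
}

// Why the checks must live in the ordinary algorithm: when O is a Proxy,
// O.[[SetPrototypeOf]](V) runs the handler's setPrototypeOf trap instead, so
// anything done only at a call site such as Object.setPrototypeOf is skipped.
function proxyObservation() {
  const seen = [];
  const target = {};
  const proto = { tag: "proto" };
  const proxy = makeProxy(target, {
    setPrototypeOf(t, v) { seen.push(v); return true; },  // reports success, changes nothing
  });
  const returned = Object.setPrototypeOf(proxy, proto);
  return {
    trapCalls: seen.length,                                              // 1
    trapSawProto: seen[0] === proto,                                     // true
    reportedSuccess: returned === proxy,                                 // true
    targetUnchanged: Object.getPrototypeOf(target) === Object.prototype, // true
  };
}
```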
2530
2531 2016-03-02  Saam barati  <sbarati@apple.com>
2532
2533         SIGSEGV in Proxy [[Get]] and [[Set]] recursion
2534         https://bugs.webkit.org/show_bug.cgi?id=154854
2535
2536         Reviewed by Yusuke Suzuki.
2537
2538         We need to be aware of the possibility that the VM
2539         may recurse and that we can stack overflow.
2540
2541         * runtime/ProxyObject.cpp:
2542         (JSC::performProxyGet):
2543         (JSC::ProxyObject::performPut):
2544         * tests/stress/proxy-get-and-set-recursion-stack-overflow.js: Added.
2545         (assert):
2546         (testStackOverflowGet):
2547         (testStackOverflowIndexedGet):
2548         (testStackOverflowSet):
2549         (testStackOverflowIndexedSet):
2550
2551 2016-03-02  Benjamin Poulain  <bpoulain@apple.com>
2552
2553         [JSC] Use a Move without REX byte when possible
2554         https://bugs.webkit.org/show_bug.cgi?id=154801
2555
2556         Reviewed by Alex Christensen.
2557
2558         Filip wrote an optimization in the register allocator
2559         to use 32bit "Move" when we don't care about the top bytes.
2560
2561         When I moved the commutative ops to the fake 3 operands instruction
2562         I largely destroyed this since all the "Moves" became full register.
2563
2564         In this patch, I switch back to 32bit "Moves" for 32bit operations.
2565
2566         * assembler/MacroAssemblerX86Common.h:
2567         (JSC::MacroAssemblerX86Common::and32):
2568         (JSC::MacroAssemblerX86Common::lshift32):
2569         (JSC::MacroAssemblerX86Common::mul32):
2570         (JSC::MacroAssemblerX86Common::or32):
2571         (JSC::MacroAssemblerX86Common::rshift32):
2572         (JSC::MacroAssemblerX86Common::urshift32):
2573         (JSC::MacroAssemblerX86Common::xor32):
2574         (JSC::MacroAssemblerX86Common::branchAdd32):
2575         (JSC::MacroAssemblerX86Common::branchMul32):
2576         (JSC::MacroAssemblerX86Common::branchSub32):
2577         (JSC::MacroAssemblerX86Common::move32IfNeeded):
2578
2579 2016-03-01  Benjamin Poulain  <benjamin@webkit.org>
2580
2581         [JSC] Simplify ArithMod(ArithMod(x, const1), const2) if const2 >= const1
2582         https://bugs.webkit.org/show_bug.cgi?id=154904
2583
2584         Reviewed by Saam Barati.
2585
2586         The ASM test "ubench" has a "x % 10 % 255".
2587         The second modulo should be eliminated.
2588
2589         This is a 15% improvement on ASMJS' ubench.
2590
2591         * dfg/DFGStrengthReductionPhase.cpp:
2592         (JSC::DFG::StrengthReductionPhase::handleNode):
2593         * tests/stress/arith-modulo-twice.js: Added.
2594         (opaqueModuloSmaller):
2595         (opaqueModuloEqual):
2596         (opaqueModuloLarger):
2597         (opaqueModuloSmallerNeg):
2598         (opaqueModuloEqualNeg):
2599         (opaqueModuloLargerNeg):
2600         (opaqueExpectedOther):
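
        Added illustration, not part of this patch: the identity behind this strength
        reduction, checked in JavaScript. The test names above cover negative constants too;
        the example's predicate compares absolute values, which is what the identity needs for
        negative constants, and is the example's own formulation rather than a statement of
        how the DFG rule is written.

```javascript
// Added example (not JSC code): why ArithMod(ArithMod(x, c1), c2) can drop the
// outer modulo. JavaScript "%" keeps the dividend's sign and |x % c1| < |c1|,
// so a second modulo by c2 with |c2| >= |c1| leaves the value unchanged.

// Predicate for the rewrite on integer constants; this example's formulation,
// using absolute values so that negative constants are handled.
function canDropOuterModulo(c1, c2) {
  if (!Number.isInteger(c1) || !Number.isInteger(c2)) return false;
  if (c1 === 0 || c2 === 0) return false;   // x % 0 is NaN; leave it alone
  return Math.abs(c2) >= Math.abs(c1);
}

// Brute-force check of the identity over a range of x, including negative x.
// Object.is distinguishes -0 from 0, so the sign of zero results is checked too.
function doubleModuloAgrees(c1, c2, lo = -1000, hi = 1000) {
  for (let x = lo; x <= hi; x++) {
    if (!Object.is((x % c1) % c2, x % c1)) return false;
  }
  return true;
}

// The ubench case from the entry (x % 10 % 255) plus the smaller/equal/larger
// and negative variants the test names above refer to.
function check() {
  const cases = [[10, 255], [10, 10], [255, 10], [-10, 255], [10, -255], [-255, 10]];
  return cases.map(([c1, c2]) => ({
    c1, c2,
    rule: canDropOuterModulo(c1, c2),
    identity: doubleModuloAgrees(c1, c2),
  }));
}

// True when the predicate agrees with brute force on every case above.
function predicateMatchesBruteForce() {
  return check().every((row) => row.rule === row.identity);
}
```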
2601
2602 2016-03-01  Ryosuke Niwa  <rniwa@webkit.org>
2603
2604         Unreviewed. Update the status of Proxy objects to "In Development".
2605
2606         * features.json:
2607
2608 2016-03-01  Commit Queue  <commit-queue@webkit.org>
2609
2610         Unreviewed, rolling out r197226 and r197256.
2611         https://bugs.webkit.org/show_bug.cgi?id=154910
2612
2613         Caused crashes on Mac 32-bit and on ARM (Requested by ap on
2614         #webkit).
2615
2616         Reverted changesets:
2617
2618         "Remove the on demand executable allocator"
2619         https://bugs.webkit.org/show_bug.cgi?id=154749
2620         http://trac.webkit.org/changeset/197226
2621
2622         "CLoop build fix."
2623         http://trac.webkit.org/changeset/197256
2624
2625 2016-03-01  Joseph Pecoraro  <pecoraro@apple.com>
2626
2627         Simplify some StringBuilder appends
2628         https://bugs.webkit.org/show_bug.cgi?id=154902
2629
2630         Reviewed by Mark Lam.
2631
2632         * runtime/ExceptionHelpers.cpp:
2633         (JSC::notAFunctionSourceAppender):
2634         * runtime/SamplingProfiler.cpp:
2635         (JSC::SamplingProfiler::stackTracesAsJSON):
2636         Use StringBuilder::append(char) instead of append(char*) where possible.
2637
2638 2016-03-01  Keith Miller  <keith_miller@apple.com>
2639
2640         Promise.prototype.then should use Symbol.species to construct the return Promise
2641         https://bugs.webkit.org/show_bug.cgi?id=154862
2642
2643         Reviewed by Saam Barati.
2644
2645         * builtins/PromisePrototype.js:
2646         * tests/stress/promise-species-functions.js: Added.
2647         (Symbol.species):
2648         (id):
2649         (funcThrows):
2650         (makeC):
2651         (test.species):
2652         (test.speciesThrows):
2653         (test):
2654
2655 2016-03-01  Michael Saboff  <msaboff@apple.com>
2656
2657         [ES6] Add support for Unicode regular expressions
2658         https://bugs.webkit.org/show_bug.cgi?id=154842
2659
2660         Reviewed by Filip Pizlo.
2661
2662         Added processing of Unicode regular expressions to the Yarr interpreter.
2663
2664         Changed parsing of regular expression patterns and PatternTerms to process characters as
2665         UChar32 in the Yarr code.  The parser converts matched surrogate pairs into the appropriate
2666         Unicode character when the expression is parsed.  When matching a unicode expression and
2667         reading source characters, we convert proper surrogate pair into a Unicode character and
2668         advance the source cursor, "pos", one more position.  The exception to this is when we
2669         know when generating a fixed character atom that we need to match a unicode character
2670         that doesn't fit in 16 bits.  The code calls this an extendedUnicodeCharacter and has a
2671         helper to determine this.
2672
2673         Added 'u' flag and 'unicode' identifier to regular expression classes.  Added an "isUnicode"
2674         parameter to YarrPattern pattern() and internal users of that function.
2675
2676         Updated the generation of the canonicalization tables to include a new set of tables that
2677         follow the ES 6.0, 21.2.2.8.2 Step 2.  Renamed the YarrCanonicalizeUCS2.* files to
2678         YarrCanonicalizeUnicode.*.
2679
2680         Added a new Layout/js test that tests the added functionality.  Updated other tests that
2681         have minor es6 unicode checks and look for valid flags.
2682
2683         Ran the ChakraCore Unicode regular expression tests as well.
2684
2685         * CMakeLists.txt:
2686         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2687         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2688         * JavaScriptCore.xcodeproj/project.pbxproj:
2689
2690         * inspector/ContentSearchUtilities.cpp:
2691         (Inspector::ContentSearchUtilities::findMagicComment):
2692         * yarr/RegularExpression.cpp:
2693         (JSC::Yarr::RegularExpression::Private::compile):
2694         Updated use of pattern().
2695
2696         * runtime/CommonIdentifiers.h:
2697         * runtime/RegExp.cpp:
2698         (JSC::regExpFlags):
2699         (JSC::RegExpFunctionalTestCollector::outputOneTest):
2700         (JSC::RegExp::finishCreation):
2701         (JSC::RegExp::compile):
2702         (JSC::RegExp::compileMatchOnly):
2703         * runtime/RegExp.h:
2704         * runtime/RegExpKey.h:
2705         * runtime/RegExpPrototype.cpp:
2706         (JSC::regExpProtoFuncCompile):
2707         (JSC::flagsString):
2708         (JSC::regExpProtoGetterMultiline):
2709         (JSC::regExpProtoGetterUnicode):
2710         (JSC::regExpProtoGetterFlags):
2711         Updated for new 'y' (unicode) flag.  Add check to use the interpreter for unicode regular expressions.
2712
2713         * tests/es6.yaml:
2714         * tests/stress/static-getter-in-names.js:
2715         Updated tests for new flag and for passing the minimal es6 regular expression processing.
2716
2717         * yarr/Yarr.h: Updated the size of information now kept for backtracking.
2718
2719         * yarr/YarrCanonicalizeUCS2.cpp: Removed.
2720         * yarr/YarrCanonicalizeUCS2.h: Removed.
2721         * yarr/YarrCanonicalizeUCS2.js: Removed.
2722         * yarr/YarrCanonicalizeUnicode.cpp: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.cpp.
2723         * yarr/YarrCanonicalizeUnicode.h: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.h.
2724         (JSC::Yarr::canonicalCharacterSetInfo):
2725         (JSC::Yarr::canonicalRangeInfoFor):
2726         (JSC::Yarr::getCanonicalPair):
2727         (JSC::Yarr::isCanonicallyUnique):
2728         (JSC::Yarr::areCanonicallyEquivalent):
2729         (JSC::Yarr::rangeInfoFor): Deleted.
2730         * yarr/YarrCanonicalizeUnicode.js: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUCS2.js.
2731         (printHeader):
2732         (printFooter):
2733         (hex):
2734         (canonicalize):
2735         (canonicalizeUnicode):
2736         (createUCS2CanonicalGroups):
2737         (createUnicodeCanonicalGroups):
2738         (cu.in.groupedCanonically.characters.sort): Deleted.
2739         (cu.in.groupedCanonically.else): Deleted.
2740         Refactored to output two sets of tables, one for UCS2 and one for Unicode.  The UCS2 tables follow
2741         the legacy canonicalization rules now specified in ES 6.0, 21.2.2.8.2 Step 3.  The new Unicode
2742         tables follow the rules specified in ES 6.0, 21.2.2.8.2 Step 2.  Eliminated the unused Latin1 tables.
2743
2744         * yarr/YarrInterpreter.cpp:
2745         (JSC::Yarr::Interpreter::InputStream::InputStream):
2746         (JSC::Yarr::Interpreter::InputStream::readChecked):
2747         (JSC::Yarr::Interpreter::InputStream::readSurrogatePairChecked):
2748         (JSC::Yarr::Interpreter::InputStream::reread):
2749         (JSC::Yarr::Interpreter::InputStream::prev):
2750         (JSC::Yarr::Interpreter::testCharacterClass):
2751         (JSC::Yarr::Interpreter::checkCharacter):
2752         (JSC::Yarr::Interpreter::checkSurrogatePair):
2753         (JSC::Yarr::Interpreter::checkCasedCharacter):
2754         (JSC::Yarr::Interpreter::tryConsumeBackReference):
2755         (JSC::Yarr::Interpreter::backtrackPatternCharacter):
2756         (JSC::Yarr::Interpreter::matchCharacterClass):
2757         (JSC::Yarr::Interpreter::backtrackCharacterClass):
2758         (JSC::Yarr::Interpreter::matchParenthesesTerminalEnd):
2759         (JSC::Yarr::Interpreter::matchDisjunction):
2760         (JSC::Yarr::Interpreter::Interpreter):
2761         (JSC::Yarr::ByteCompiler::assertionWordBoundary):
2762         (JSC::Yarr::ByteCompiler::atomPatternCharacter):
2763         * yarr/YarrInterpreter.h:
2764         (JSC::Yarr::ByteTerm::ByteTerm):
2765         (JSC::Yarr::BytecodePattern::BytecodePattern):
2766         * yarr/YarrJIT.cpp:
2767         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2768         (JSC::Yarr::YarrGenerator::matchCharacterClassRange):
2769         (JSC::Yarr::YarrGenerator::matchCharacterClass):
2770         (JSC::Yarr::YarrGenerator::notAtEndOfInput):
2771         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
2772         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
2773         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
2774         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
2775         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
2776         * yarr/YarrParser.h:
2777         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
2778         (JSC::Yarr::Parser::Parser):
2779         (JSC::Yarr::Parser::parseEscape):
2780         (JSC::Yarr::Parser::consumePossibleSurrogatePair):
2781         (JSC::Yarr::Parser::parseCharacterClass):
2782         (JSC::Yarr::Parser::parseTokens):
2783         (JSC::Yarr::Parser::parse):
2784         (JSC::Yarr::Parser::atEndOfPattern):
2785         (JSC::Yarr::Parser::patternRemaining):
2786         (JSC::Yarr::Parser::peek):
2787         (JSC::Yarr::parse):
2788         * yarr/YarrPattern.cpp:
2789         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2790         (JSC::Yarr::CharacterClassConstructor::append):
2791         (JSC::Yarr::CharacterClassConstructor::putChar):
2792         (JSC::Yarr::CharacterClassConstructor::putUnicodeIgnoreCase):
2793         (JSC::Yarr::CharacterClassConstructor::putRange):
2794         (JSC::Yarr::CharacterClassConstructor::charClass):
2795         (JSC::Yarr::CharacterClassConstructor::addSorted):
2796         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2797         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
2798         (JSC::Yarr::YarrPatternConstructor::assertionWordBoundary):
2799         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
2800         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBegin):
2801         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassAtom):
2802         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassRange):
2803         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
2804         (JSC::Yarr::YarrPattern::compile):
2805         (JSC::Yarr::YarrPattern::YarrPattern):
2806         * yarr/YarrPattern.h:
2807         (JSC::Yarr::CharacterRange::CharacterRange):
2808         (JSC::Yarr::CharacterClass::CharacterClass):
2809         (JSC::Yarr::PatternTerm::PatternTerm):
2810         (JSC::Yarr::YarrPattern::reset):
2811         * yarr/YarrSyntaxChecker.cpp:
2812         (JSC::Yarr::SyntaxChecker::assertionBOL):
2813         (JSC::Yarr::SyntaxChecker::assertionEOL):
2814         (JSC::Yarr::SyntaxChecker::assertionWordBoundary):
2815         (JSC::Yarr::SyntaxChecker::atomPatternCharacter):
2816         (JSC::Yarr::SyntaxChecker::atomBuiltInCharacterClass):
2817         (JSC::Yarr::SyntaxChecker::atomCharacterClassBegin):
2818         (JSC::Yarr::SyntaxChecker::atomCharacterClassAtom):
2819         (JSC::Yarr::checkSyntax):
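
Added example for the Unicode regular expression entry above; this is illustrative code written for this page, not JSC or Yarr source. It shows the surrogate-pair arithmetic the entry describes (a matched pair becomes one code point and the cursor advances one extra position), and what the 'u' flag changes for '.' and for case-insensitive matching (ES 6.0 21.2.2.8.2 Step 2 versus the legacy Step 3 rules). All function names and the sample strings are constructed for the example.

```javascript
// Added example (not JSC source): how a matched surrogate pair becomes one code point
// in a /u pattern, and what the ES6 'u' flag changes for matching and case folding.

// Combine a high/low surrogate pair into a single code point. This is the arithmetic
// a parser applies when it sees a matched pair while parsing a unicode pattern.
function combineSurrogatePair(high, low) {
  if (high < 0xd800 || high > 0xdbff) throw new RangeError("not a high surrogate");
  if (low < 0xdc00 || low > 0xdfff) throw new RangeError("not a low surrogate");
  return 0x10000 + ((high - 0xd800) << 10) + (low - 0xdc00);
}

// Walk a string the way a unicode matcher reads source characters: a proper pair is
// merged and the cursor advances one extra position; a lone surrogate is kept as-is.
function codePointsOf(str) {
  const out = [];
  for (let pos = 0; pos < str.length; pos++) {
    const unit = str.charCodeAt(pos);
    if (unit >= 0xd800 && unit <= 0xdbff && pos + 1 < str.length) {
      const next = str.charCodeAt(pos + 1);
      if (next >= 0xdc00 && next <= 0xdfff) {
        out.push(combineSurrogatePair(unit, next));
        pos++; // consumed two code units for one character
        continue;
      }
    }
    out.push(unit);
  }
  return out;
}

// Does '.' consume the whole of `str`? Without /u an astral character is two code
// units, so '.' only consumes the first; with /u it is a single character.
function dotMatchesWholeString(str, unicode) {
  return new RegExp("^.$", unicode ? "u" : "").test(str);
}

// Case-insensitive matching differs too: with /u (simple case folding, Step 2)
// KELVIN SIGN U+212A folds to 'k'; the legacy rules (Step 3) never map a
// non-ASCII character onto an ASCII one, so the same pattern does not match.
function kelvinSignMatchesLowercaseK(unicode) {
  return new RegExp("\u212A", unicode ? "iu" : "i").test("k");
}

// The 'unicode' accessor and the 'flags' string both reflect the new flag.
function describeFlags(pattern, flags) {
  const re = new RegExp(pattern, flags);
  return { flags: re.flags, unicode: re.unicode };
}
```

The first two functions are the interesting part for anyone reading the Yarr interpreter changes: `codePointsOf` is what `readSurrogatePairChecked` plus the extra `pos` advance amount to, and a lone surrogate falls through as an ordinary 16-bit unit, which is why the entry needs a separate "extended unicode character" path for fixed atoms above 0xFFFF.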
2820
2821 2016-03-01  Saam barati  <sbarati@apple.com>
2822
2823         Remove FIXMEs and add valid test cases after necessary patch has landed.
2824
2825         Rubber stamped by Mark Lam.
2826
2827         * tests/stress/proxy-prevent-extensions.js:
2828         (assert.Object.isSealed):
2829         (assert):
2830
2831 2016-03-01  Saam barati  <sbarati@apple.com>
2832
2833         [ES6] Implement Proxy.[[IsExtensible]]
2834         https://bugs.webkit.org/show_bug.cgi?id=154872
2835
2836         Reviewed by Oliver Hunt.
2837
2838         This patch is a direct implementation of Proxy.[[IsExtensible]] with respect to section 9.5.3
2839         of the ECMAScript 6 spec.
2840         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-isextensible
2841
2842         * runtime/ProxyObject.cpp:
2843         (JSC::ProxyObject::preventExtensions):
2844         (JSC::ProxyObject::performIsExtensible):
2845         (JSC::ProxyObject::isExtensible):
2846         (JSC::ProxyObject::visitChildren):
2847         * runtime/ProxyObject.h:
2848         * tests/es6.yaml:
2849         * tests/stress/proxy-is-extensible.js: Added.
2850         (assert):
2851         (throw.new.Error.let.handler.get isExtensible):
2852         (throw.new.Error):
2853         (assert.let.handler.isExtensible):
2854         (assert.):
2855         (let.handler.isExtensible):
2856
2857 2016-03-01  Saam barati  <sbarati@apple.com>
2858
2859         [ES6] Implement Proxy.[[PreventExtensions]]
2860         https://bugs.webkit.org/show_bug.cgi?id=154873
2861
2862         Reviewed by Oliver Hunt.
2863
2864         This patch is a direct implementation of Proxy.[[PreventExtensions]] with respect to section 9.5.4
2865         of the ECMAScript 6 spec.
2866         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-preventextensions
2867
2868         * runtime/ProxyObject.cpp:
2869         (JSC::ProxyObject::deletePropertyByIndex):
2870         (JSC::ProxyObject::performPreventExtensions):
2871         (JSC::ProxyObject::preventExtensions):
2872         (JSC::ProxyObject::visitChildren):
2873         * runtime/ProxyObject.h:
2874         * tests/es6.yaml:
2875         * tests/stress/proxy-prevent-extensions.js: Added.
2876         (assert):
2877         (throw.new.Error.let.handler.get preventExtensions):
2878         (throw.new.Error):
2879         (assert.let.handler.preventExtensions):
2880         (assert.):
2881         (let.handler.preventExtensions):
2882         (assert.Object.isSealed.let.handler.preventExtensions):
2883         (assert.Object.isSealed):
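
Added example covering the two Proxy entries above ([[IsExtensible]], section 9.5.3, and [[PreventExtensions]], section 9.5.4); it is illustrative code for this page, not the patches' test files. It shows the invariants those internal methods enforce from script: a handler may observe the operations, but if it reports a state that disagrees with the target the engine throws a TypeError. The handler objects and helper names are constructed for the example.

```javascript
// Added example (not JSC source): the invariants that Proxy.[[IsExtensible]] (ES6 9.5.3)
// and Proxy.[[PreventExtensions]] (ES6 9.5.4) enforce.

// Run Object.isExtensible through a proxy; report the result or the thrown error's name.
function isExtensibleThroughProxy(target, handler) {
  try {
    return { result: Object.isExtensible(new Proxy(target, handler)) };
  } catch (e) {
    return { error: e.constructor.name };
  }
}

// Run Reflect.preventExtensions through a proxy. Reflect returns the trap's boolean
// instead of throwing on false, so the caller sees both the result and the target state.
function preventExtensionsThroughProxy(target, handler) {
  const proxy = new Proxy(target, handler);
  try {
    const result = Reflect.preventExtensions(proxy);
    return { result, targetExtensible: Object.isExtensible(target) };
  } catch (e) {
    return { error: e.constructor.name };
  }
}

// Constructed handlers for the cases the spec distinguishes.
const lyingIsExtensible = { isExtensible() { return false; } };          // disagrees with target
const honestIsExtensible = { isExtensible(t) { return Object.isExtensible(t); } };
const lyingPrevent = { preventExtensions() { return true; } };          // claims success, does nothing
const refusingPrevent = { preventExtensions() { return false; } };      // allowed: reports failure
const honestPrevent = {
  preventExtensions(t) { Object.preventExtensions(t); return true; }   // really changes the target
};
```

The same lying `isExtensible` trap is fine once the target really is non-extensible: the invariant is "trap result equals the target's state", not "trap must say true". For `preventExtensions`, returning `true` is only accepted when the target is no longer extensible afterwards, which is exactly the check `performPreventExtensions` has to make after calling the trap.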
2884
2885 2016-03-01  Filip Pizlo  <fpizlo@apple.com>
2886
2887         FTL should simplify StringReplace with an empty replacement string
2888         https://bugs.webkit.org/show_bug.cgi?id=154871
2889
2890         Reviewed by Michael Saboff.
2891
2892         This is a simple and hugely profitable change. If we do a string.replace(/things/, ""), then
2893         this calls directly into StringPrototype's replace-with-empty-string logic instead of going
2894         through stuff that does checks before reaching that same conclusion.
2895
2896         This speeds up Octane/regexp by about 6-10%. It also speeds up the attached microbenchmark by
2897         about 7%.
2898
2899         * ftl/FTLLowerDFGToB3.cpp:
2900         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
2901         * runtime/StringPrototype.cpp:
2902         (JSC::jsSpliceSubstringsWithSeparators):
2903         (JSC::removeUsingRegExpSearch):
2904         (JSC::replaceUsingRegExpSearch):
2905         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
2906         (JSC::operationStringProtoFuncReplaceRegExpString):
2907         * runtime/StringPrototype.h:
2908
2909 2016-03-01  Alex Christensen  <achristensen@webkit.org>
2910
2911         Reduce size of internal windows build output
2912         https://bugs.webkit.org/show_bug.cgi?id=154763
2913
2914         Reviewed by Brent Fulgham.
2915
2916         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2917
2918 2016-03-01  Saam barati  <sbarati@apple.com>
2919
2920         [[IsExtensible]] should be a virtual method in the method table
2921         https://bugs.webkit.org/show_bug.cgi?id=154799
2922
2923         Reviewed by Mark Lam.
2924
2925         This patch makes us more consistent with how the ES6 specification models the
2926         [[IsExtensible]] trap. Moving this method into ClassInfo::methodTable 
2927         is a prerequisite for implementing Proxy.[[IsExtensible]].
2928
2929         * runtime/ClassInfo.h:
2930         * runtime/JSCell.cpp:
2931         (JSC::JSCell::preventExtensions):
2932         (JSC::JSCell::isExtensible):
2933         * runtime/JSCell.h:
2934         * runtime/JSGlobalObjectFunctions.cpp:
2935         (JSC::globalFuncProtoSetter):
2936         * runtime/JSObject.cpp:
2937         (JSC::JSObject::preventExtensions):
2938         (JSC::JSObject::isExtensible):
2939         (JSC::JSObject::reifyAllStaticProperties):
2940         (JSC::JSObject::defineOwnIndexedProperty):
2941         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2942         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2943         (JSC::JSObject::defineOwnNonIndexProperty):
2944         (JSC::JSObject::defineOwnProperty):
2945         * runtime/JSObject.h:
2946         (JSC::JSObject::isSealed):
2947         (JSC::JSObject::isFrozen):
2948         (JSC::JSObject::isExtensibleImpl):
2949         (JSC::JSObject::isStructureExtensible):
2950         (JSC::JSObject::isExtensibleInline):
2951         (JSC::JSObject::indexingShouldBeSparse):
2952         (JSC::JSObject::putDirectInternal):
2953         (JSC::JSObject::isExtensible): Deleted.
2954         * runtime/ObjectConstructor.cpp:
2955         (JSC::objectConstructorSetPrototypeOf):
2956         (JSC::objectConstructorIsSealed):
2957         (JSC::objectConstructorIsFrozen):
2958         (JSC::objectConstructorIsExtensible):
2959         (JSC::objectConstructorIs):
2960         * runtime/ProxyObject.cpp:
2961         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2962         (JSC::ProxyObject::performHasProperty):
2963         * runtime/ReflectObject.cpp:
2964         (JSC::reflectObjectIsExtensible):
2965         (JSC::reflectObjectSetPrototypeOf):
2966         * runtime/SparseArrayValueMap.cpp:
2967         (JSC::SparseArrayValueMap::putEntry):
2968         (JSC::SparseArrayValueMap::putDirect):
2969         * runtime/StringObject.cpp:
2970         (JSC::StringObject::defineOwnProperty):
2971         * runtime/Structure.cpp:
2972         (JSC::Structure::isSealed):
2973         (JSC::Structure::isFrozen):
2974         * runtime/Structure.h:
2975
2976 2016-03-01  Filip Pizlo  <fpizlo@apple.com>
2977
2978         Unreviewed, fix CLOOP build.
2979
2980         * jit/JITOperations.h:
2981
2982 2016-03-01  Skachkov Oleksandr  <gskachkov@gmail.com>
2983
2984         [ES6] Arrow function. Some not used byte code is emitted
2985         https://bugs.webkit.org/show_bug.cgi?id=154639
2986
2987         Reviewed by Saam Barati.
2988
2989         Currently the bytecode that is generated for arrow functions is not optimal.
2990         This fix removes the following unnecessary bytecode:
2991         1. create_lexical_environment is not always emitted for an arrow function, only if some of the
2992            features (this/super/arguments/eval) are used inside of the arrow function.
2993         2. Loading 'this' from the arrow function scope in a constructor is done only if super
2994            is contained in the arrow function.
2995
2996         * bytecompiler/BytecodeGenerator.cpp:
2997         (JSC::BytecodeGenerator::BytecodeGenerator):
2998         (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
2999         * bytecompiler/BytecodeGenerator.h:
3000         * bytecompiler/NodesCodegen.cpp:
3001         (JSC::ThisNode::emitBytecode):
3002         (JSC::FunctionNode::emitBytecode):
3003         * parser/Nodes.h:
3004         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseAnyFeature):
3005         * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
3006
3007 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
3008
3009         Turn String.prototype.replace into an intrinsic
3010         https://bugs.webkit.org/show_bug.cgi?id=154835
3011
3012         Reviewed by Michael Saboff.
3013
3014         Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
3015         of checks to see if the parameters are what they are likely to often be (a string, a
3016         regexp, and a string). The intuition of this patch is that it's good to remove those checks
3017         and it's good to call the native function as directly as possible.
3018
3019         This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
3020         It also improves Octane/jquery.
3021
3022         This is only the beginning of what I want to do with replace optimizations. The other
3023         optimizations will rely on StringReplace being revealed as a construct in DFG IR.
3024
3025         * JavaScriptCore.xcodeproj/project.pbxproj:
3026         * bytecode/SpeculatedType.cpp:
3027         (JSC::dumpSpeculation):
3028         (JSC::speculationToAbbreviatedString):
3029         (JSC::speculationFromClassInfo):
3030         * bytecode/SpeculatedType.h:
3031         (JSC::isStringOrStringObjectSpeculation):
3032         (JSC::isRegExpObjectSpeculation):
3033         (JSC::isBoolInt32Speculation):
3034         * dfg/DFGAbstractInterpreterInlines.h:
3035         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3036         * dfg/DFGByteCodeParser.cpp:
3037         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3038         * dfg/DFGClobberize.h:
3039         (JSC::DFG::clobberize):
3040         * dfg/DFGDoesGC.cpp:
3041         (JSC::DFG::doesGC):
3042         * dfg/DFGFixupPhase.cpp:
3043         (JSC::DFG::FixupPhase::fixupNode):
3044         * dfg/DFGNode.h:
3045         (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
3046         (JSC::DFG::Node::shouldSpeculateRegExpObject):
3047         (JSC::DFG::Node::shouldSpeculateSymbol):
3048         * dfg/DFGNodeType.h:
3049         * dfg/DFGPredictionPropagationPhase.cpp:
3050         (JSC::DFG::PredictionPropagationPhase::propagate):
3051         * dfg/DFGSafeToExecute.h:
3052         (JSC::DFG::SafeToExecuteEdge::operator()):
3053         (JSC::DFG::safeToExecute):
3054         * dfg/DFGSpeculativeJIT.cpp:
3055         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
3056         (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
3057         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
3058         (JSC::DFG::SpeculativeJIT::speculate):
3059         * dfg/DFGSpeculativeJIT.h:
3060         * dfg/DFGSpeculativeJIT32_64.cpp:
3061         (JSC::DFG::SpeculativeJIT::compile):
3062         * dfg/DFGSpeculativeJIT64.cpp:
3063         (JSC::DFG::SpeculativeJIT::compile):
3064         * dfg/DFGUseKind.cpp:
3065         (WTF::printInternal):
3066         * dfg/DFGUseKind.h:
3067         (JSC::DFG::typeFilterFor):
3068         (JSC::DFG::isCell):
3069         * ftl/FTLCapabilities.cpp:
3070         (JSC::FTL::canCompile):
3071         * ftl/FTLLowerDFGToB3.cpp:
3072         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3073         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
3074         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
3075         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
3076         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3077         (JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
3078         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
3079         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
3080         * jit/JITOperations.h:
3081         * runtime/Intrinsic.h:
3082         * runtime/JSType.h:
3083         * runtime/RegExpObject.h:
3084         (JSC::RegExpObject::createStructure):
3085         * runtime/StringPrototype.cpp:
3086         (JSC::StringPrototype::finishCreation):
3087         (JSC::removeUsingRegExpSearch):
3088         (JSC::replaceUsingRegExpSearch):
3089         (JSC::operationStringProtoFuncReplaceRegExpString):
3090         (JSC::replaceUsingStringSearch):
3091         (JSC::stringProtoFuncRepeat):
3092         (JSC::replace):
3093         (JSC::stringProtoFuncReplace):
3094         (JSC::operationStringProtoFuncReplaceGeneric):
3095         (JSC::stringProtoFuncToString):
3096         * runtime/StringPrototype.h:
3097
3098 2016-03-01  Commit Queue  <commit-queue@webkit.org>
3099
3100         Unreviewed, rolling out r197056.
3101         https://bugs.webkit.org/show_bug.cgi?id=154870
3102
3103         broke win ews (Requested by alexchristensen on #webkit).
3104
3105         Reverted changeset:
3106
3107         "[cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK."
3108         https://bugs.webkit.org/show_bug.cgi?id=154651
3109         http://trac.webkit.org/changeset/197056
3110
3111 2016-02-29  Saam barati  <sbarati@apple.com>
3112
3113         [[PreventExtensions]] should be a virtual method in the method table.
3114         https://bugs.webkit.org/show_bug.cgi?id=154800
3115
3116         Reviewed by Yusuke Suzuki.
3117
3118         This patch makes us more consistent with how the ES6 specification models the
3119         [[PreventExtensions]] trap. Moving this method into ClassInfo::methodTable 
3120         is a prerequisite for implementing Proxy.[[PreventExtensions]].
3121
3122         * runtime/ClassInfo.h:
3123         * runtime/JSCell.cpp:
3124         (JSC::JSCell::getGenericPropertyNames):
3125         (JSC::JSCell::preventExtensions):
3126         * runtime/JSCell.h:
3127         * runtime/JSModuleNamespaceObject.cpp:
3128         (JSC::JSModuleNamespaceObject::JSModuleNamespaceObject):
3129         (JSC::JSModuleNamespaceObject::finishCreation):
3130         (JSC::JSModuleNamespaceObject::destroy):
3131         * runtime/JSModuleNamespaceObject.h:
3132         (JSC::JSModuleNamespaceObject::create):
3133         (JSC::JSModuleNamespaceObject::moduleRecord):
3134         * runtime/JSObject.cpp:
3135         (JSC::JSObject::freeze):
3136         (JSC::JSObject::preventExtensions):
3137         (JSC::JSObject::reifyAllStaticProperties):
3138         * runtime/JSObject.h:
3139         (JSC::JSObject::isSealed):
3140         (JSC::JSObject::isFrozen):
3141         (JSC::JSObject::isExtensible):
3142         * runtime/ObjectConstructor.cpp:
3143         (JSC::objectConstructorSeal):
3144         (JSC::objectConstructorFreeze):
3145         (JSC::objectConstructorPreventExtensions):
3146         (JSC::objectConstructorIsSealed):
3147         * runtime/ReflectObject.cpp:
3148         (JSC::reflectObjectPreventExtensions):
3149         * runtime/Structure.cpp:
3150         (JSC::Structure::Structure):
3151         (JSC::Structure::preventExtensionsTransition):
3152         * runtime/Structure.h:
3153
3154 2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3155
3156         [JSC] Private symbols should not be trapped by proxy handler
3157         https://bugs.webkit.org/show_bug.cgi?id=154817
3158
3159         Reviewed by Mark Lam.
3160
3161         Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
3162         For example, in ArrayIteratorPrototype.js
3163
3164             var itemKind = this.@arrayIterationKind;
3165             if (itemKind === @undefined)
3166                 throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");
3167
3168         Here, we assume that only the array iterator has the @arrayIterationKind property whose value is non-undefined.
3169         But if we implement a Proxy with a get handler that returns a non-undefined value for every operation, we accidentally assume that the given value is an array iterator.
3170
3171         To avoid this situation, we perform the default operations for property operations with private symbols.
3172
3173         * runtime/ProxyObject.cpp:
3174         (JSC::performProxyGet):
3175         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3176         (JSC::ProxyObject::performHasProperty):
3177         (JSC::ProxyObject::performPut):
3178         (JSC::ProxyObject::performDelete):
3179         (JSC::ProxyObject::deleteProperty):
3180         (JSC::ProxyObject::deletePropertyByIndex):
3181         * tests/stress/proxy-basic.js:
3182         * tests/stress/proxy-with-private-symbols.js: Added.
3183         (assert):
3184         (let.handler.getOwnPropertyDescriptor):
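
Added example for the private-symbol entry above, written for this page rather than taken from JSC: it restates the hazard in user-level terms. Engine-private symbols are not reachable from script, so an ordinary symbol stands in for @arrayIterationKind, and a WeakMap stands in for an internal slot that a Proxy trap cannot answer for. All names and the handler are constructed for the example.

```javascript
// Added example (not JSC source): why a brand check that trusts a property read can be
// fooled by a Proxy, using an ordinary symbol in place of the engine's private symbol.
const arrayIterationKind = Symbol("arrayIterationKind"); // stands in for @arrayIterationKind

// The pattern from ArrayIteratorPrototype.js as user code: treat any `this` carrying a
// non-undefined kind as an array iterator.
function kindViaProperty(thisValue) {
  const itemKind = thisValue[arrayIterationKind];
  if (itemKind === undefined) return { ok: false };
  return { ok: true, kind: itemKind };
}

// The same check backed by identity instead of a property read: state lives in a
// WeakMap keyed by the object itself, which is what an engine-internal slot gives you.
// Only objects created by makeArrayIterator() pass; a Proxy, even one wrapping a real
// iterator, does not, because the lookup never goes through the handler.
const slots = new WeakMap();
function makeArrayIterator(kind) {
  const iterator = Object.create(null);
  slots.set(iterator, kind);
  return iterator;
}
function kindViaSlot(thisValue) {
  const itemKind = slots.get(thisValue); // undefined for non-objects and unknown objects
  if (itemKind === undefined) return { ok: false };
  return { ok: true, kind: itemKind };
}

// Constructed: a handler whose get trap answers every property read with a value.
const answerEverything = { get() { return "values"; } };
const impostor = new Proxy({}, answerEverything);
const realIterator = makeArrayIterator("entries");
```

`kindViaProperty(impostor)` reports success even though nothing iterator-like exists, which is the type confusion the entry describes: later code would then operate on engine state that the object never had. Bypassing the trap for private symbols, as the patch does, makes the engine's check behave like `kindViaSlot`.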
3185
3186 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
3187
3188         regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
3189         https://bugs.webkit.org/show_bug.cgi?id=154841
3190
3191         Reviewed by Benjamin Poulain.
3192
3193         Here's the deadlock:
3194
3195         Main thread:
3196             1) Change an InferredType.  This acquires InferredType::m_lock.
3197             2) Fire watchpoint set.  This triggers CodeBlock invalidation, which acquires
3198                CodeBlock::m_lock.
3199
3200         DFG thread:
3201             1) Iterate over the information in a CodeBlock.  This acquires CodeBlock::m_lock.
3202             2) Ask an InferredType for its descriptor().  This acquires InferredType::m_lock.
3203
3204         I think that the DFG thread's ordering should be legal, because the best logic for lock
3205         hierarchies is that locks that protect the largest set of stuff should be acquired first.
3206
3207         This means that the main thread shouldn't be holding the InferredType::m_lock when firing
3208         watchpoint sets.  That's what this patch ensures.
3209
3210         At the time of writing, this test was deadlocking for me on trunk 100% of the time.  With
3211         this change I cannot get it to deadlock.
3212
3213         * runtime/InferredType.cpp:
3214         (JSC::InferredType::willStoreValueSlow):
3215         (JSC::InferredType::makeTopSlow):
3216         (JSC::InferredType::set):
3217         (JSC::InferredType::removeStructure):
3218         (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
3219         * runtime/InferredType.h:
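
Added example for the lock-ordering entry above; it is a small checker written for this page, not JSC code. It builds the "acquired while held" graph from constructed acquire/release traces of the two threads the entry describes and reports a cycle, which is how the inversion between InferredType::m_lock and CodeBlock::m_lock can be caught before it deadlocks a run. Lock and thread names are taken from the entry; the event format and helper names are assumptions of the example.

```javascript
// Added example (not JSC source): a lock-order graph check replayed over constructed
// acquire/release traces. An edge A -> B means "B was acquired while A was held";
// a cycle in that graph is a potential deadlock.
const INFERRED_TYPE_LOCK = "InferredType::m_lock";
const CODE_BLOCK_LOCK = "CodeBlock::m_lock";

class LockOrderChecker {
  constructor() {
    this.edges = new Map(); // held lock -> Set of locks acquired while it was held
  }
  // Record that `lock` is being acquired while every lock in `held` is already held.
  record(held, lock) {
    for (const h of held) {
      if (h === lock) continue;
      if (!this.edges.has(h)) this.edges.set(h, new Set());
      this.edges.get(h).add(lock);
    }
  }
  // Depth-first search; returns the cycle as a path (first === last) or null.
  findCycle() {
    const state = new Map(); // node -> "visiting" | "done"
    const path = [];
    const visit = (node) => {
      state.set(node, "visiting");
      path.push(node);
      for (const next of this.edges.get(node) || []) {
        if (state.get(next) === "visiting") return path.slice(path.indexOf(next)).concat(next);
        if (!state.has(next)) {
          const cycle = visit(next);
          if (cycle) return cycle;
        }
      }
      path.pop();
      state.set(node, "done");
      return null;
    };
    for (const node of this.edges.keys()) {
      if (!state.has(node)) {
        const cycle = visit(node);
        if (cycle) return cycle;
      }
    }
    return null;
  }
}

// Replay a trace of { thread, op, lock } events and return a cycle or null.
function checkTrace(trace) {
  const checker = new LockOrderChecker();
  const held = new Map(); // thread -> locks currently held, outermost first
  for (const ev of trace) {
    if (!held.has(ev.thread)) held.set(ev.thread, []);
    const stack = held.get(ev.thread);
    if (ev.op === "acquire") {
      checker.record(stack, ev.lock);
      stack.push(ev.lock);
    } else {
      stack.splice(stack.lastIndexOf(ev.lock), 1);
    }
  }
  return checker.findCycle();
}

const acquire = (thread, lock) => ({ thread, op: "acquire", lock });
const release = (thread, lock) => ({ thread, op: "release", lock });

// Before the fix: the main thread fires the watchpoint set (taking CodeBlock::m_lock)
// while still holding InferredType::m_lock; the DFG thread takes them the other way.
const BEFORE_FIX = [
  acquire("main", INFERRED_TYPE_LOCK), acquire("main", CODE_BLOCK_LOCK),
  release("main", CODE_BLOCK_LOCK), release("main", INFERRED_TYPE_LOCK),
  acquire("dfg", CODE_BLOCK_LOCK), acquire("dfg", INFERRED_TYPE_LOCK),
  release("dfg", INFERRED_TYPE_LOCK), release("dfg", CODE_BLOCK_LOCK),
];

// After the fix: the main thread drops InferredType::m_lock before firing.
const AFTER_FIX = [
  acquire("main", INFERRED_TYPE_LOCK), release("main", INFERRED_TYPE_LOCK),
  acquire("main", CODE_BLOCK_LOCK), release("main", CODE_BLOCK_LOCK),
  acquire("dfg", CODE_BLOCK_LOCK), acquire("dfg", INFERRED_TYPE_LOCK),
  release("dfg", INFERRED_TYPE_LOCK), release("dfg", CODE_BLOCK_LOCK),
];
```

The check is order-based, so it flags the inversion even on a run where the threads happen not to interleave badly, which is the property a deadlock that only reproduces "100% of the time on trunk" in one configuration makes valuable. The DFG thread's order (CodeBlock first, then InferredType) is the one the entry keeps, so the graph after the fix has a single edge and no cycle.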
3220
3221 2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3222
3223         [DFG][FTL][B3] Support floor and ceil
3224         https://bugs.webkit.org/show_bug.cgi?id=154683
3225
3226         Reviewed by Filip Pizlo.
3227
3228         This patch implements and fixes the following things.
3229
3230         1. Implement Ceil and Floor in DFG, FTL and B3
3231
3232         x86 SSE 4.2 and ARM64 have round instructions that can directly perform Ceil or Floor.
3233         This patch leverages this functionality. We introduce ArithFloor and ArithCeil.
3234         During the DFG phase, these nodes attempt to convert themselves to Identity (in the Fixup phase).
3235         As with ArithRound, they track the arith rounding mode.
3236         And if these nodes are required to emit machine code, we emit rounding machine code
3237         if it is supported on the current machine. For example, on x86, we emit `round`.
3238
3239         This `Floor` functionality is nice for @toInteger in builtin.
3240         That is used for Array.prototype.{forEach, map, every, some, reduce...}
3241         And according to the benchmark results, Kraken audio-oscillator is slightly improved
3242         due to its frequent Math.round and Math.floor calls.
3243
3244         2. Implement Floor in B3 and Air
3245
3246         As with Ceil in B3, we add a new B3 IR and Air opcode, Floor.
3247         This Floor is leveraged to implement ArithFloor in DFG.
3248
3249         3. Fix ArithRound operation
3250
3251         Currently, we use cvtsd2si (on x86) to convert a double value to int32.
3252         And we also use this to implement Math.round, like cvtsd2si(value + 0.5).
3253         However, this implementation is not correct, because cvtsd2si is not a floor operation.
3254         It is a truncate operation. This is OK for positive numbers, but NG for negative numbers.
3255         For example, the current implementation accidentally rounds `-0.6` to `-0.0`. This should be `-1.0`.
3256         Using the Ceil and Floor instructions, we implement a correct ArithRound.
3257
3258         * assembler/MacroAssemblerARM.h:
3259         (JSC::MacroAssemblerARM::supportsFloatingPointRounding):
3260         (JSC::MacroAssemblerARM::ceilDouble):
3261         (JSC::MacroAssemblerARM::floorDouble):
3262         (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Deleted.
3263         * assembler/MacroAssemblerARM64.h:
3264         (JSC::MacroAssemblerARM64::supportsFloatingPointRounding):
3265         (JSC::MacroAssemblerARM64::floorFloat):
3266         (JSC::MacroAssemblerARM64::supportsFloatingPointCeil): Deleted.
3267         * assembler/MacroAssemblerARMv7.h:
3268         (JSC::MacroAssemblerARMv7::supportsFloatingPointRounding):
3269         (JSC::MacroAssemblerARMv7::ceilDouble):
3270         (JSC::MacroAssemblerARMv7::floorDouble):
3271         (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil): Deleted.
3272         * assembler/MacroAssemblerMIPS.h:
3273         (JSC::MacroAssemblerMIPS::ceilDouble):
3274         (JSC::MacroAssemblerMIPS::floorDouble):
3275         (JSC::MacroAssemblerMIPS::supportsFloatingPointRounding):
3276         (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil): Deleted.
3277         * assembler/MacroAssemblerSH4.h:
3278         (JSC::MacroAssemblerSH4::supportsFloatingPointRounding):
3279         (JSC::MacroAssemblerSH4::ceilDouble):
3280         (JSC::MacroAssemblerSH4::floorDouble):
3281         (JSC::MacroAssemblerSH4::supportsFloatingPointCeil): Deleted.
3282         * assembler/MacroAssemblerX86Common.h:
3283         (JSC::MacroAssemblerX86Common::floorDouble):
3284         (JSC::MacroAssemblerX86Common::floorFloat):
3285         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
3286         (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil): Deleted.
3287         * b3/B3ConstDoubleValue.cpp:
3288         (JSC::B3::ConstDoubleValue::floorConstant):
3289         * b3/B3ConstDoubleValue.h:
3290         * b3/B3ConstFloatValue.cpp:
3291         (JSC::B3::ConstFloatValue::floorConstant):
3292         * b3/B3ConstFloatValue.h:
3293         * b3/B3LowerMacrosAfterOptimizations.cpp:
3294         * b3/B3LowerToAir.cpp:
3295         (JSC::B3::Air::LowerToAir::lower):
3296         * b3/B3Opcode.cpp:
3297         (WTF::printInternal):
3298         * b3/B3Opcode.h:
3299         * b3/B3ReduceDoubleToFloat.cpp:
3300         * b3/B3ReduceStrength.cpp:
3301         * b3/B3Validate.cpp:
3302         * b3/B3Value.cpp:
3303         (JSC::B3::Value::floorConstant):
3304         (JSC::B3::Value::isRounded):
3305         (JSC::B3::Value::effects):
3306         (JSC::B3::Value::key):
3307         (JSC::B3::Value::typeFor):
3308         * b3/B3Value.h:
3309         * b3/air/AirFixPartialRegisterStalls.cpp:
3310         * b3/air/AirOpcode.opcodes:
3311         * b3/testb3.cpp:
3312         (JSC::B3::testFloorCeilArg):
3313         (JSC::B3::testFloorArg):
3314         (JSC::B3::testFloorImm):
3315         (JSC::B3::testFloorMem):
3316         (JSC::B3::testFloorFloorArg):
3317         (JSC::B3::testCeilFloorArg):
3318         (JSC::B3::testFloorIToD64):
3319         (JSC::B3::testFloorIToD32):
3320         (JSC::B3::testFloorArgWithUselessDoubleConversion):
3321         (JSC::B3::testFloorArgWithEffectfulDoubleConversion):
3322         (JSC::B3::run):
3323         * dfg/DFGAbstractInterpreterInlines.h:
3324         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3325         * dfg/DFGArithMode.cpp:
3326         (WTF::printInternal):
3327         * dfg/DFGArithMode.h:
3328         * dfg/DFGByteCodeParser.cpp:
3329         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3330         * dfg/DFGClobberize.h:
3331         (JSC::DFG::clobberize):
3332         * dfg/DFGDoesGC.cpp:
3333         (JSC::DFG::doesGC):
3334         * dfg/DFGFixupPhase.cpp:
3335         (JSC::DFG::FixupPhase::fixupNode):
3336         * dfg/DFGGraph.cpp:
3337         (JSC::DFG::Graph::dump):
3338         * dfg/DFGGraph.h:
3339         (JSC::DFG::Graph::roundShouldSpeculateInt32):
3340         * dfg/DFGNode.h:
3341         (JSC::DFG::Node::arithNodeFlags):
3342         (JSC::DFG::Node::hasHeapPrediction):
3343         (JSC::DFG::Node::hasArithRoundingMode):
3344         * dfg/DFGNodeType.h:
3345         * dfg/DFGPredictionPropagationPhase.cpp:
3346         (JSC::DFG::PredictionPropagationPhase::propagate):
3347         * dfg/DFGSafeToExecute.h:
3348         (JSC::DFG::safeToExecute):
3349         * dfg/DFGSpeculativeJIT.cpp:
3350         (JSC::DFG::SpeculativeJIT::compileArithRounding):
3351         (JSC::DFG::SpeculativeJIT::compileArithRound): Deleted.
3352         * dfg/DFGSpeculativeJIT.h:
3353         * dfg/DFGSpeculativeJIT32_64.cpp:
3354         (JSC::DFG::SpeculativeJIT::compile):
3355         * dfg/DFGSpeculativeJIT64.cpp:
3356         (JSC::DFG::SpeculativeJIT::compile):
3357         * ftl/FTLCapabilities.cpp:
3358         (JSC::FTL::canCompile):
3359         * ftl/FTLLowerDFGToB3.cpp:
3360         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3361         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
3362         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
3363         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
3364         * ftl/FTLOutput.h:
3365         (JSC::FTL::Output::doubleFloor):