Unreviewed, fix CLOOP build.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-03-01  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * jit/JITOperations.h:

2016-03-01  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function. Some unused bytecode is emitted
        https://bugs.webkit.org/show_bug.cgi?id=154639

        Reviewed by Saam Barati.

        Currently the bytecode that is generated for an arrow function is not optimal.
        The current fix removes the following unnecessary bytecode:
        1. create_lexical_environment is not always emitted for an arrow function, only if one of
        the features (this/super/arguments/eval) is used inside the arrow function.
        2. Loading 'this' from the arrow function scope in a constructor is done only if super
        is contained in the arrow function.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ScopeNode::doAnyInnerArrowFunctionsUseAnyFeature):
        * tests/stress/arrowfunction-lexical-bind-supercall-4.js:

2016-02-29  Filip Pizlo  <fpizlo@apple.com>

        Turn String.prototype.replace into an intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=154835

        Reviewed by Michael Saboff.

        Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
        of checks to see if the parameters are what they are likely to often be (a string, a
        regexp, and a string). The intuition of this patch is that it's good to remove those checks
        and it's good to call the native function as directly as possible.

        This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
        It also improves Octane/jquery.

        This is only the beginning of what I want to do with replace optimizations. The other
        optimizations will rely on StringReplace being revealed as a construct in DFG IR.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        (JSC::isStringOrStringObjectSpeculation):
        (JSC::isRegExpObjectSpeculation):
        (JSC::isBoolInt32Speculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
        (JSC::DFG::Node::shouldSpeculateRegExpObject):
        (JSC::DFG::Node::shouldSpeculateSymbol):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculateString):
        * jit/JITOperations.h:
        * runtime/Intrinsic.h:
        * runtime/JSType.h:
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::operationStringProtoFuncReplaceRegExpString):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncRepeat):
        (JSC::replace):
        (JSC::stringProtoFuncReplace):
        (JSC::operationStringProtoFuncReplaceGeneric):
        (JSC::stringProtoFuncToString):
        * runtime/StringPrototype.h:

2016-03-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r197056.
        https://bugs.webkit.org/show_bug.cgi?id=154870

        broke win ews (Requested by alexchristensen on #webkit).

        Reverted changeset:

        "[cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK."
        https://bugs.webkit.org/show_bug.cgi?id=154651
        http://trac.webkit.org/changeset/197056

2016-02-29  Saam barati  <sbarati@apple.com>

        [[PreventExtensions]] should be a virtual method in the method table.
        https://bugs.webkit.org/show_bug.cgi?id=154800

        Reviewed by Yusuke Suzuki.

        This patch makes us more consistent with how the ES6 specification models the
        [[PreventExtensions]] trap. Moving this method into ClassInfo::methodTable
        is a prerequisite for implementing Proxy.[[PreventExtensions]].

        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getGenericPropertyNames):
        (JSC::JSCell::preventExtensions):
        * runtime/JSCell.h:
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::JSModuleNamespaceObject):
        (JSC::JSModuleNamespaceObject::finishCreation):
        (JSC::JSModuleNamespaceObject::destroy):
        * runtime/JSModuleNamespaceObject.h:
        (JSC::JSModuleNamespaceObject::create):
        (JSC::JSModuleNamespaceObject::moduleRecord):
        * runtime/JSObject.cpp:
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyAllStaticProperties):
        * runtime/JSObject.h:
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::isExtensible):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectPreventExtensions):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::preventExtensionsTransition):
        * runtime/Structure.h:

2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Private symbols should not be trapped by proxy handler
        https://bugs.webkit.org/show_bug.cgi?id=154817

        Reviewed by Mark Lam.

        Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
        For example, in ArrayIteratorPrototype.js

            var itemKind = this.@arrayIterationKind;
            if (itemKind === @undefined)
                throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");

        Here, we assume that only the array iterator has the @arrayIterationKind property whose value is non-undefined.
        But if we implement a Proxy with a get handler that returns a non-undefined value for every operation, we accidentally assume that the given value is an array iterator.

        To avoid this situation, we perform the default operations for property operations with private symbols.

        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::deleteProperty):
        (JSC::ProxyObject::deletePropertyByIndex):
        * tests/stress/proxy-basic.js:
        * tests/stress/proxy-with-private-symbols.js: Added.
        (assert):
        (let.handler.getOwnPropertyDescriptor):

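The brand-check hazard this entry describes, as an added example that is not WebKit code: it calls the real %ArrayIteratorPrototype%.next with an always-answering Proxy as |this| (the engine's internal-slot check is not fooled and throws TypeError), and contrasts a naive symbol-keyed marker, which the Proxy forges, with a WeakSet brand, the user-level analogue of an untrappable private-symbol lookup. The names everythingHandler, naiveIsArrayIterator and Branded are the example's own.

```javascript
// Added example, not WebKit code: reproduces the brand-check problem from the
// ChangeLog entry with public JavaScript only. Engines keep per-object state
// (JSC: private symbols such as @arrayIterationKind) that a Proxy handler must
// not be able to forge, or a builtin will mistake the Proxy for a real instance.

// A handler that answers every property read and every `in` with a
// non-undefined value, exactly the case the entry warns about.
const everythingHandler = {
  get() { return 1; },
  has() { return true; },
};

// A symbol-keyed marker is an ordinary property: the Proxy traps the lookup,
// so a check like "obj[marker] !== undefined" is fooled.
const arrayIterationKind = Symbol("arrayIterationKind");
function naiveIsArrayIterator(obj) {
  return obj[arrayIterationKind] !== undefined;
}

// A brand held outside the object (here a WeakSet) is not routed through any
// Proxy trap; this mirrors the engine's private-symbol lookup bypassing the handler.
const brands = new WeakSet();
class Branded {
  constructor() { brands.add(this); }
  static isBranded(obj) { return brands.has(obj); }
}

// The real %ArrayIteratorPrototype%.next, detached so it can be invoked with
// an arbitrary |this| value.
const arrayIteratorNext = Object.getPrototypeOf([][Symbol.iterator]()).next;

// Reports how %ArrayIteratorPrototype%.next reacts to the given receiver.
function callNextOn(thisValue) {
  try {
    arrayIteratorNext.call(thisValue);
    return "ok";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}

// Runs the checks against a forging Proxy and against genuine objects.
function demo() {
  const forger = new Proxy({}, everythingHandler);
  return {
    naiveFooled: naiveIsArrayIterator(forger),          // true: marker forged
    brandFooled: Branded.isBranded(forger),             // false: brand not forgeable
    brandOnReal: Branded.isBranded(new Branded()),      // true
    engineOnForger: callNextOn(forger),                 // "TypeError": engine not fooled
    engineOnReal: callNextOn([1][Symbol.iterator]()),   // "ok"
  };
}
```
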
2016-02-29  Filip Pizlo  <fpizlo@apple.com>

        regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=154841

        Reviewed by Benjamin Poulain.

        Here's the deadlock:

        Main thread:
            1) Change an InferredType.  This acquires InferredType::m_lock.
            2) Fire watchpoint set.  This triggers CodeBlock invalidation, which acquires
               CodeBlock::m_lock.

        DFG thread:
            1) Iterate over the information in a CodeBlock.  This acquires CodeBlock::m_lock.
            2) Ask an InferredType for its descriptor().  This acquires InferredType::m_lock.

        I think that the DFG thread's ordering should be legal, because the best logic for lock
        hierarchies is that locks that protect the largest set of stuff should be acquired first.

        This means that the main thread shouldn't be holding the InferredType::m_lock when firing
        watchpoint sets.  That's what this patch ensures.

        At the time of writing, this test was deadlocking for me on trunk 100% of the time.  With
        this change I cannot get it to deadlock.

        * runtime/InferredType.cpp:
        (JSC::InferredType::willStoreValueSlow):
        (JSC::InferredType::makeTopSlow):
        (JSC::InferredType::set):
        (JSC::InferredType::removeStructure):
        (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
        * runtime/InferredType.h:

2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL][B3] Support floor and ceil
        https://bugs.webkit.org/show_bug.cgi?id=154683

        Reviewed by Filip Pizlo.

        This patch implements and fixes the following things.

        1. Implement Ceil and Floor in DFG, FTL and B3

        x86 SSE 4.2 and ARM64 have round instructions that can directly perform Ceil or Floor.
        This patch leverages this functionality. We introduce ArithFloor and ArithCeil.
        During the DFG phase, these nodes attempt to convert themselves to Identity (in the Fixup phase).
        As with ArithRound, they track the arith rounding mode.
        And if these nodes are required to emit machine code, we emit rounding machine code
        if it is supported on the current machine. For example, on x86, we emit `round`.

        This `Floor` functionality is nice for @toInteger in builtins.
        That is used for Array.prototype.{forEach, map, every, some, reduce...}
        And according to the benchmark results, Kraken audio-oscillator is slightly improved
        due to its frequent Math.round and Math.floor calls.

        2. Implement Floor in B3 and Air

        As with Ceil in B3, we add a new B3 IR and Air opcode, Floor.
        This Floor is leveraged to implement ArithFloor in DFG.

        3. Fix ArithRound operation

        Currently, we use cvtsd2si (on x86) to convert a double value to int32.
        And we also use this to implement Math.round, like cvtsd2si(value + 0.5).
        However, this implementation is not correct, because cvtsd2si is not a floor operation.
        It is a truncate operation. This is OK for positive numbers, but NG for negative numbers.
        For example, the current implementation accidentally rounds `-0.6` to `-0.0`. This should be `-1.0`.
        Using the Ceil and Floor instructions, we implement a correct ArithRound.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsFloatingPointRounding):
        (JSC::MacroAssemblerARM::ceilDouble):
        (JSC::MacroAssemblerARM::floorDouble):
        (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::supportsFloatingPointRounding):
        (JSC::MacroAssemblerARM64::floorFloat):
        (JSC::MacroAssemblerARM64::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsFloatingPointRounding):
        (JSC::MacroAssemblerARMv7::ceilDouble):
        (JSC::MacroAssemblerARMv7::floorDouble):
        (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::ceilDouble):
        (JSC::MacroAssemblerMIPS::floorDouble):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointRounding):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsFloatingPointRounding):
        (JSC::MacroAssemblerSH4::ceilDouble):
        (JSC::MacroAssemblerSH4::floorDouble):
        (JSC::MacroAssemblerSH4::supportsFloatingPointCeil): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::floorDouble):
        (JSC::MacroAssemblerX86Common::floorFloat):
        (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
        (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil): Deleted.
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::floorConstant):
        * b3/B3ConstDoubleValue.h:
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::floorConstant):
        * b3/B3ConstFloatValue.h:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::floorConstant):
        (JSC::B3::Value::isRounded):
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/air/AirFixPartialRegisterStalls.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testFloorCeilArg):
        (JSC::B3::testFloorArg):
        (JSC::B3::testFloorImm):
        (JSC::B3::testFloorMem):
        (JSC::B3::testFloorFloorArg):
        (JSC::B3::testCeilFloorArg):
        (JSC::B3::testFloorIToD64):
        (JSC::B3::testFloorIToD32):
        (JSC::B3::testFloorArgWithUselessDoubleConversion):
        (JSC::B3::testFloorArgWithEffectfulDoubleConversion):
        (JSC::B3::run):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArithMode.cpp:
        (WTF::printInternal):
        * dfg/DFGArithMode.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::roundShouldSpeculateInt32):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasArithRoundingMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        (JSC::DFG::SpeculativeJIT::compileArithRound): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleFloor):
        * jit/ThunkGenerators.cpp:
        (JSC::ceilThunkGenerator):
        * tests/stress/math-ceil-arith-rounding-mode.js: Added.
        (firstCareAboutZeroSecondDoesNot):
        (firstDoNotCareAboutZeroSecondDoes):
        (warmup):
        (verifyNegativeZeroIsPreserved):
        * tests/stress/math-ceil-basics.js: Added.
        (mathCeilOnIntegers):
        (mathCeilOnDoubles):
        (mathCeilOnBooleans):
        (uselessMathCeil):
        (mathCeilWithOverflow):
        (mathCeilConsumedAsDouble):
        (mathCeilDoesNotCareAboutMinusZero):
        (mathCeilNoArguments):
        (mathCeilTooManyArguments):
        (testMathCeilOnConstants):
        (mathCeilStructTransition):
        (Math.ceil):
        * tests/stress/math-floor-arith-rounding-mode.js: Added.
        (firstCareAboutZeroSecondDoesNot):
        (firstDoNotCareAboutZeroSecondDoes):
        (warmup):
        (verifyNegativeZeroIsPreserved):
        * tests/stress/math-floor-basics.js: Added.
        (mathFloorOnIntegers):
        (mathFloorOnDoubles):
        (mathFloorOnBooleans):
        (uselessMathFloor):
        (mathFloorWithOverflow):
        (mathFloorConsumedAsDouble):
        (mathFloorDoesNotCareAboutMinusZero):
        (mathFloorNoArguments):
        (mathFloorTooManyArguments):
        (testMathFloorOnConstants):
        (mathFloorStructTransition):
        (Math.floor):
        * tests/stress/math-round-should-not-use-truncate.js: Added.
        (mathRoundDoesNotCareAboutMinusZero):
        * tests/stress/math-rounding-infinity.js: Added.
        (shouldBe):
        (testRound):
        (testFloor):
        (testCeil):
        * tests/stress/math-rounding-nan.js: Added.
        (shouldBe):
        (testRound):
        (testFloor):
        (testCeil):
        * tests/stress/math-rounding-negative-zero.js: Added.
        (shouldBe):
        (testRound):
        (testFloor):
        (testCeil):
        (testRoundNonNegativeZero):
        (testRoundNonNegativeZero2):

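The truncation error this entry fixes, as an added example that is not JSC code: it models the old cvtsd2si(value + 0.5) sequence with Math.trunc, builds a round from ceil plus one compare (one correct formulation using only the rounding instructions the patch adds; JSC's exact instruction sequence is not claimed), and checks both against Math.round with Object.is so that negative zero, which the entry's new tests cover, is distinguished from positive zero. The function names and the SAMPLES list are the example's own.

```javascript
// Added example, not JSC code: why "truncate(value + 0.5)" is not Math.round,
// and how a round can be built from ceil alone. Checked against Math.round.

// The old sequence: cvtsd2si on (value + 0.5) truncates toward zero. Math.trunc
// models that conversion; the int32 conversion itself would yield 0 rather than -0,
// but either way -0.6 does not become -1.
function truncatingRound(x) {
  return Math.trunc(x + 0.5);
}

// Round using only ceil and one compare. ceil(x) is the answer unless the
// fraction above the integer below x is less than one half, in which case we step
// down one. Because we start from ceil, inputs in [-0.5, -0] keep their -0 sign
// with no extra fix-up, and 0.49999999999999994 correctly rounds to 0 (its
// fraction is computed exactly, whereas x + 0.5 rounds up to 1.0 in a double).
function ceilBasedRound(x) {
  const up = Math.ceil(x);
  return x - (up - 1) < 0.5 ? up - 1 : up;
}

// Object.is tells -0 from 0, which === does not; the entry's new stress tests
// (math-rounding-negative-zero.js) care about exactly that distinction.
function mismatches(fn, inputs) {
  return inputs.filter((x) => !Object.is(fn(x), Math.round(x)));
}

// Constructed sample inputs: the entry's -0.6 case, ties, signed zeros, the
// largest double below 0.5, a tiny negative, and the non-finite values.
const SAMPLES = [
  -0.6, -0.5, -0.4, -2.5, 2.5, 0.5, 1.5, -0.0, 0,
  0.49999999999999994, -1e-17, NaN, Infinity, -Infinity,
];
```
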
2016-02-29  Joseph Pecoraro  <pecoraro@apple.com>

        Add new MethodTable method to get an estimated size for a cell
        https://bugs.webkit.org/show_bug.cgi?id=154838

        Reviewed by Filip Pizlo.

        The new class method estimatedSize(JSCell*) estimates the size for a single cell.
        As the name implies, this is meant to be an approximation. It is more important
        that big objects report a large size, than to get perfect size information for
        all objects in the heap.

            Base implementation (JSCell):
              - returns the MarkedBlock bucket size for this cell.
              - This gets us the object size including inline storage. Basically a better sizeof.

            Subclasses with "Extra Memory Cost":
              - Any class that reports extra memory (reportExtraMemoryVisited) should include that in the estimated size.
              - E.g. CodeBlock, JSGenericTypedArrayView, WeakMapData, etc.

            Subclasses with "Copied Space" storage:
              - Any class with data in copied space (copyBackingStore) should include that in the estimated size.
              - E.g. JSObject, JSGenericTypedArrayView, JSMap, JSSet, DirectArguments, etc.

        Add reportExtraMemoryVisited for UnlinkedCodeBlock's compressed unlinked
        instructions because this can be larger than 1kb, which is significant.

        This has one special case for RegExp generated bytecode / JIT code, which
        does not currently fall into the extra memory cost or copied space storage.
        In practice I haven't seen this grow to a significant cost.

        * runtime/ClassInfo.h:
        Add the new estimatedSize method to the table.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::estimatedSize):
        (JSC::UnlinkedCodeBlock::setInstructions):
        * bytecode/UnlinkedCodeBlock.h:
        Report an extra memory cost for unlinked code blocks like
        we do for linked code blocks.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::estimatedSize):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedInstructionStream.cpp:
        (JSC::UnlinkedInstructionStream::sizeInBytes):
        * bytecode/UnlinkedInstructionStream.h:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::estimatedSize):
        * runtime/DirectArguments.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::estimatedSizeInBytes):
        (JSC::JSCell::estimatedSize):
        * runtime/JSCell.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        * runtime/JSMap.cpp:
        (JSC::JSMap::estimatedSize):
        * runtime/JSMap.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        * runtime/JSObject.h:
        * runtime/JSSet.cpp:
        (JSC::JSSet::estimatedSize):
        * runtime/JSSet.h:
        * runtime/JSString.cpp:
        (JSC::JSString::estimatedSize):
        * runtime/JSString.h:
        * runtime/MapData.h:
        (JSC::MapDataImpl::capacityInBytes):
        * runtime/WeakMapData.cpp:
        (JSC::WeakMapData::estimatedSize):
        (JSC::WeakMapData::visitChildren):
        * runtime/WeakMapData.h:
        Implement estimated size following the pattern of reporting
        extra visited size, or copy space memory.

        * runtime/RegExp.cpp:
        (JSC::RegExp::estimatedSize):
        * runtime/RegExp.h:
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteDisjunction::estimatedSizeInBytes):
        (JSC::Yarr::BytecodePattern::estimatedSizeInBytes):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::size):
        Include generated bytecode / JITCode in a RegExp's size.

2016-02-29  Filip Pizlo  <fpizlo@apple.com>

        SpeculatedType should be easier to edit
        https://bugs.webkit.org/show_bug.cgi?id=154840

        Reviewed by Mark Lam.

        We used to specify the bitmasks in SpeculatedType.h using hex codes. This used to work
        great because we didn't have so many masks and you could use the mask to visually see
        which ones overlapped. It also made it easy to visualize subset relationships.

        But now we have a lot of masks with a lot of confusing overlaps, and it's no longer
        possible to just see their relationship by looking at hex codes. Worse, the use of hex
        codes makes it super annoying to move the bits around. For example, right now we have two
        bits free, but if we wanted to reclaim them by editing the old hex masks, it would be a
        nightmare.

        So this patch replaces the hex masks with shift expressions (1u << 15 for example) and it
        makes any derived masks (i.e. masks that are the bit-or of other masks) be expressed using
        an or expression (SpecFoo | SpecBar | SpecBaz for example).

        This makes it easier to see the relationships and it makes it easier to take bits for new
        types.

        * bytecode/SpeculatedType.h:

2016-02-29  Keith Miller  <keith_miller@apple.com>

        OverridesHasInstance constant folding is wrong
        https://bugs.webkit.org/show_bug.cgi?id=154833

        Reviewed by Filip Pizlo.

        The current implementation of OverridesHasInstance constant folding
        is incorrect. Since it relies on OSR exit information it has been
        moved to the StrengthReductionPhase. Normally, such an optimization would be
        put in FixupPhase, however, there are a number of cases where we don't
        determine an edge of OverridesHasInstance is a constant until after fixup.
        Performing the optimization during StrengthReductionPhase means we can defer
        our decision until later.

        In the future we should consider creating a version of this optimization
        that does not depend on OSR exit information and move the optimization back
        to ConstantFoldingPhase.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2016-02-28  Filip Pizlo  <fpizlo@apple.com>

        B3 should have global store elimination
        https://bugs.webkit.org/show_bug.cgi?id=154658

        Reviewed by Benjamin Poulain.

        Implements fairly comprehensive global store elimination:

        1) If you store the result of a load with no interference in between, remove the store.

        2) If you store the same thing you stored previously, remove the store.

        3) If you store something that you either loaded previously or stored previously along
           arbitrarily many paths, remove the store.

        4) If you store to something that is stored to again in the future with no interference in
           between, remove the store.

        Rule (4) is super relevant to FTL since the DFG does not eliminate redundant PutStructures.
        A constructor that produces a large object will have many redundant stores to the same base
        pointer, offset, and heap range, with no code to observe that heap range in between.

        This doesn't have a decisive effect on major benchmarks, but it's an enormous win for
        microbenchmarks:

        - 30% faster to construct an object with many fields.

        - 5x faster to do many stores to a global variable.

        The compile time cost should be very small. Although the optimization is global, it aborts as
        soon as it sees anything that would confound store elimination. For rules (1)-(3), we
        piggy-back the existing load elimination, which gives up on interfering stores. For rule (4),
        we search forward through the current block and then globally a block at a time (skipping
        block contents thanks to summary data), which could be expensive. But rule (4) aborts as soon
        as it sees a read, write, or end block (Return or Oops). Any Check will claim to read TOP. Any
        Patchpoint that results from an InvalidationPoint will claim to read TOP, as will any
        Patchpoints for ICs. Those are usually sprinkled all over the program.

        In other words, this optimization rarely kicks in. When it does kick in, it makes programs run
        faster. When it doesn't kick in, it's usually O(1) because there are reasons for aborting all
        over a "normal" program so the search will halt almost immediately. This of course raises the
        question: how much more in compile time do we pay when the optimization does kick in? The
        optimization kicks in the most for the microbenchmarks I wrote for this patch. Amazingly, the
        effect of the optimization is a wash for compile time: whatever cost we pay doing the O(n^2)
        searches is balanced by the massive reduction in work in the backend. On one of the two
        microbenchmarks, overall compile time actually shrank with this optimization even though CSE
        itself cost more. That's not too surprising - the backend costs much more per instruction, so
        things that remove instructions before we get to the backend tend to be a good idea.

        We could consider adding a more aggressive version of this in the future, which could sink
        stores into checks. That could be crazy fun: https://bugs.webkit.org/show_bug.cgi?id=152162#c3

        But mainly, I'm adding this optimization because it was super fun to implement during the
        WebAssembly CG summit.

        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/B3MemoryValue.h:
        * b3/B3SuccessorCollection.h:
        (JSC::B3::SuccessorCollection::begin):
        (JSC::B3::SuccessorCollection::end):
        (JSC::B3::SuccessorCollection::const_iterator::const_iterator):
        (JSC::B3::SuccessorCollection::const_iterator::operator*):
        (JSC::B3::SuccessorCollection::const_iterator::operator++):
        (JSC::B3::SuccessorCollection::const_iterator::operator==):
        (JSC::B3::SuccessorCollection::const_iterator::operator!=):

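A toy version of rules (1), (2) and (4) from the entry above, as an added example that is not B3's code: a tiny straight-line IR (load, store, call, return) with a forward pass that drops stores of what a cell already holds and a backward pass that drops stores overwritten before any read, giving up at a call or return the way the entry says the search aborts at anything that reads TOP or ends the block. Rule (3) needs a CFG and is left out; the instruction shape and all names here are the example's own.

```javascript
// Added example, not B3 code: single-block store elimination over a toy IR.
// Each instruction is a plain object:
//   { op: "load",  dst: "v1", addr: "a" }   read heap cell "a" into value v1
//   { op: "store", addr: "a", src: "v1" }   write value v1 (or a number) into cell "a"
//   { op: "call" }                           reads and writes TOP, like a Check/Patchpoint
//   { op: "return" }                         ends the block; memory is observable after it

// Forward pass for rules (1) and (2): remember what each cell is known to hold.
// A store whose value is already in the cell (from a load or an earlier store) is dropped.
function removeRedundantStores(block) {
  const known = new Map();   // cell -> value it is known to contain
  const alias = new Map();   // loaded value -> value already known to be in that cell
  const out = [];
  for (const inst of block) {
    if (inst.op === "load") {
      // Reloading a cell with known contents yields that same value (rule (1) needs this).
      if (known.has(inst.addr)) alias.set(inst.addr === undefined ? null : inst.dst, known.get(inst.addr));
      else known.set(inst.addr, inst.dst);
      out.push(inst);
    } else if (inst.op === "store") {
      const src = alias.has(inst.src) ? alias.get(inst.src) : inst.src;
      if (known.get(inst.addr) === src) continue;   // (1) or (2): cell already holds it
      known.set(inst.addr, src);
      out.push(inst);
    } else {
      if (inst.op === "call") known.clear();       // writes TOP: every remembered cell is stale
      out.push(inst);
    }
  }
  return out;
}

// Backward pass for rule (4): a store is dead if the same cell is stored again
// before anything can read it. A call reads TOP and a return makes memory
// observable, so the set of provably-overwritten cells is emptied at both.
function removeDeadStores(block) {
  const overwritten = new Set();  // cells clobbered by a later store with no read between
  const kept = [];
  for (let i = block.length - 1; i >= 0; i--) {
    const inst = block[i];
    if (inst.op === "store") {
      if (overwritten.has(inst.addr)) continue;   // (4): dead store
      overwritten.add(inst.addr);
    } else if (inst.op === "load") {
      overwritten.delete(inst.addr);              // this read observes the cell
    } else {
      overwritten.clear();                        // call or return: abort the search
    }
    kept.push(inst);
  }
  return kept.reverse();
}

function eliminateStores(block) {
  return removeDeadStores(removeRedundantStores(block));
}

// Renders a block as one string per instruction, for inspection and testing.
function describe(block) {
  return block.map((i) =>
    i.op === "load" ? `${i.dst} = load ${i.addr}` :
    i.op === "store" ? `store ${i.addr} <- ${i.src}` : i.op);
}

// Constructed sample block exercising each rule and the abort at a call.
const SAMPLE = [
  { op: "load", dst: "v1", addr: "a" },
  { op: "store", addr: "a", src: "v1" },   // (1): stores back what was just loaded
  { op: "store", addr: "b", src: 7 },
  { op: "store", addr: "b", src: 7 },      // (2): same value stored twice
  { op: "store", addr: "c", src: 1 },      // (4): overwritten by the next store
  { op: "store", addr: "c", src: 2 },
  { op: "call" },                           // reads TOP: the store after it is not dead
  { op: "store", addr: "c", src: 3 },
  { op: "return" },
];
```
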
655 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
656
657         Make it cheap to #include "JITOperations.h"
658         https://bugs.webkit.org/show_bug.cgi?id=154836
659
660         Reviewed by Mark Lam.
661
662         Prior to this change, this header included the whole world even though it didn't have any
663         definitions. This patch turns almost all of the includes into forward declarations. Right
664         now this header is very cheap to include.
665
666         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
667         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
668         * JavaScriptCore.xcodeproj/project.pbxproj:
669         * dfg/DFGSpeculativeJIT.h:
670         * jit/JITOperations.cpp:
671         * jit/JITOperations.h:
672         * jit/Repatch.h:
673         * runtime/CommonSlowPaths.h:
674         (JSC::encodeResult): Deleted.
675         (JSC::decodeResult): Deleted.
676         * runtime/SlowPathReturnType.h: Added.
677         (JSC::encodeResult):
678         (JSC::decodeResult):
679
680 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
681
682         FTL should be able to run everything in Octane/regexp
683         https://bugs.webkit.org/show_bug.cgi?id=154266
684
685         Reviewed by Saam Barati.
686
687         Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
688         make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
689         DFG backend optimization anyway - if we need this optimization then it should be a
690         strength reduction rule over IR. That way, it can be shared by all backends.
691
692         I measured whether removing that optimization had any effect on performance separately
693         from measuring the performance of this patch. Removing that optimization did not change
694         our score on any benchmarks.
695
696         This patch does have an overall negative effect on the Octane/regexp score. This is
697         presumably because tiering up to the FTL has no value to the code in the regexp test. Or
698         maybe it's something else. No matter - the overall effect on the Octane score is not
699         statistically significant and we don't want this kind of coverage blocked by the fact
700         that adding coverage hurts a benchmark.
701
702         * dfg/DFGByteCodeParser.cpp:
703         (JSC::DFG::ByteCodeParser::parseBlock):
704         * dfg/DFGNode.h:
705         (JSC::DFG::Node::setIndexingType):
706         (JSC::DFG::Node::hasRegexpIndex):
707         * dfg/DFGSpeculativeJIT.cpp:
708         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
709         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
710         (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
711         * dfg/DFGSpeculativeJIT32_64.cpp:
712         (JSC::DFG::SpeculativeJIT::compile):
713         * dfg/DFGSpeculativeJIT64.cpp:
714         (JSC::DFG::SpeculativeJIT::compile):
715         * ftl/FTLCapabilities.cpp:
716         (JSC::FTL::canCompile):
717         * ftl/FTLLowerDFGToB3.cpp:
718         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
719         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
720         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
721         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
722         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
723         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
724         * tests/stress/ftl-regexp-exec.js: Added.
725         * tests/stress/ftl-regexp-test.js: Added.
726
727 2016-02-28  Andreas Kling  <akling@apple.com>
728
729         Make JSFunction.name allocation fully lazy.
730         <https://webkit.org/b/154806>
731
732         Reviewed by Saam Barati.
733
734         We were reifying the "name" field on functions lazily, but created the string
735         value itself up front. This patch gets rid of the up-front allocation,
736         saving us a JSString allocation per function in most cases.
737
738         * builtins/BuiltinExecutables.cpp:
739         (JSC::createExecutableInternal):
740         * bytecode/UnlinkedFunctionExecutable.cpp:
741         (JSC::UnlinkedFunctionExecutable::visitChildren):
742         * bytecode/UnlinkedFunctionExecutable.h:
743         * runtime/CodeCache.cpp:
744         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
745         * runtime/Executable.h:
746         * runtime/JSFunction.cpp:
747         (JSC::JSFunction::reifyName):
748
749 2016-02-28  Andreas Kling  <akling@apple.com>
750
751         REGRESSION(r197303): 4 jsc tests failing on bots.
752
753         Unreviewed follow-up fix.
754
755         * bytecode/UnlinkedCodeBlock.cpp:
756         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
757         can still get called with !m_rareData, in case the type profiler is active but this
758         particular code block doesn't have type profiler data. Handle it gracefully.
759
760 2016-02-28  Andreas Kling  <akling@apple.com>
761
762         Shrink UnlinkedCodeBlock a bit.
763         <https://webkit.org/b/154797>
764
765         Reviewed by Anders Carlsson.
766
767         Move profiler-related members of UnlinkedCodeBlock into its RareData
768         structure, saving 40 bytes, and then reorder the other members of
769         UnlinkedCodeBlock to save another 24 bytes, netting a nice total 64.
770
771         The VM member was removed entirely since UnlinkedCodeBlock is a cell
772         and can retrieve its VM through MarkedBlock header lookup.
773
774         * bytecode/UnlinkedCodeBlock.cpp:
775         (JSC::UnlinkedCodeBlock::vm):
776         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
777         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
778         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
779         * bytecode/UnlinkedCodeBlock.h:
780         (JSC::UnlinkedCodeBlock::addRegExp):
781         (JSC::UnlinkedCodeBlock::addConstant):
782         (JSC::UnlinkedCodeBlock::addFunctionDecl):
783         (JSC::UnlinkedCodeBlock::addFunctionExpr):
784         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
785         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
786         (JSC::UnlinkedCodeBlock::vm): Deleted.
787
788 2016-02-27  Filip Pizlo  <fpizlo@apple.com>
789
790         FTL should lower its abstract heaps to B3 heap ranges
791         https://bugs.webkit.org/show_bug.cgi?id=154782
792
793         Reviewed by Saam Barati.
794
795         The FTL can describe the abstract heaps (points-to sets) that a memory operation will
796         affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
797         TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
798         notion - the HeapRange. That's what this patch fixes.
799
800         B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
801         integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
802         affects by specifying a heap range: a begin...end pair that says that the operation
803         affects all abstract heaps H such that begin <= H < end.
804
805         This peculiar scheme was a deliberate attempt to distill what the abstract heap
806         hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:
807
808         - A heap's end is greater than its begin.
809         - A heap's begin is greater than or equal to its parent's begin.
810         - A heap's end is less than or equal to its parent's end.
811
812         This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
813         went for the iterative traversal, which is a splendid algorithm, but it's totally
814         unnecessary here since we tightly control the height of the heap hierarchy.
815
816         Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
817         generate new ones for field names and constant indices we encounter, we can't actually
818         decorate the B3 instructions we create in lowering until all lowering is done. Adding a
819         new abstract heap to the hierarchy after ranges were already computed would require
820         updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
821         patch solves that problem by recording the associations between abstract heaps and their
822         intended roles in the generated IR, and then decorating all of the relevant B3 values
823         after we compute the ranges of the hierarchy after lowering.
824
825         This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
826         speed-up on any benchmark. That's not too surprising. We already have very precise CSE
827         in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
828         already been getting the big ones even without alias analysis.
829
830         Even without a speed-up, this patch is valuable because it makes it easier to implement
831         other optimizations, like store elimination.
832
833         * b3/B3HeapRange.h:
834         (JSC::B3::HeapRange::HeapRange):
835         * ftl/FTLAbstractHeap.cpp:
836         (JSC::FTL::AbstractHeap::AbstractHeap):
837         (JSC::FTL::AbstractHeap::changeParent):
838         (JSC::FTL::AbstractHeap::compute):
839         (JSC::FTL::AbstractHeap::shallowDump):
840         (JSC::FTL::AbstractHeap::dump):
841         (JSC::FTL::AbstractHeap::deepDump):
842         (JSC::FTL::AbstractHeap::badRangeError):
843         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
844         (JSC::FTL::IndexedAbstractHeap::baseIndex):
845         (JSC::FTL::IndexedAbstractHeap::atSlow):
846         (JSC::FTL::IndexedAbstractHeap::initialize):
847         (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
848         (JSC::FTL::AbstractField::dump): Deleted.
849         * ftl/FTLAbstractHeap.h:
850         (JSC::FTL::AbstractHeap::AbstractHeap):
851         (JSC::FTL::AbstractHeap::isInitialized):
852         (JSC::FTL::AbstractHeap::initialize):
853         (JSC::FTL::AbstractHeap::parent):
854         (JSC::FTL::AbstractHeap::heapName):
855         (JSC::FTL::AbstractHeap::range):
856         (JSC::FTL::AbstractHeap::offset):
857         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
858         (JSC::FTL::IndexedAbstractHeap::at):
859         (JSC::FTL::IndexedAbstractHeap::operator[]):
860         (JSC::FTL::IndexedAbstractHeap::returnInitialized):
861         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
862         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
863         (JSC::FTL::AbstractHeap::changeParent): Deleted.
864         (JSC::FTL::AbstractField::AbstractField): Deleted.
865         (JSC::FTL::AbstractField::initialize): Deleted.
866         (JSC::FTL::AbstractField::offset): Deleted.
867         * ftl/FTLAbstractHeapRepository.cpp:
868         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
869         (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
870         (JSC::FTL::AbstractHeapRepository::decorateMemory):
871         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
872         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
873         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
874         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
875         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
876         * ftl/FTLAbstractHeapRepository.h:
877         (JSC::FTL::AbstractHeapRepository::forArrayType):
878         (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
879         * ftl/FTLLowerDFGToB3.cpp:
880         (JSC::FTL::DFG::LowerDFGToB3::lower):
881         * ftl/FTLOutput.cpp:
882         (JSC::FTL::Output::load):
883         (JSC::FTL::Output::load8SignExt32):
884         (JSC::FTL::Output::load8ZeroExt32):
885         (JSC::FTL::Output::load16SignExt32):
886         (JSC::FTL::Output::load16ZeroExt32):
887         (JSC::FTL::Output::store):
888         (JSC::FTL::Output::store32As8):
889         (JSC::FTL::Output::store32As16):
890         (JSC::FTL::Output::baseIndex):
891         * ftl/FTLOutput.h:
892         (JSC::FTL::Output::address):
893         (JSC::FTL::Output::absolute):
894         (JSC::FTL::Output::load8SignExt32):
895         (JSC::FTL::Output::load8ZeroExt32):
896         (JSC::FTL::Output::load16SignExt32):
897         (JSC::FTL::Output::load16ZeroExt32):
898         (JSC::FTL::Output::load32):
899         (JSC::FTL::Output::load64):
900         (JSC::FTL::Output::loadPtr):
901         (JSC::FTL::Output::loadDouble):
902         (JSC::FTL::Output::store32):
903         (JSC::FTL::Output::store64):
904         (JSC::FTL::Output::storePtr):
905         (JSC::FTL::Output::storeDouble):
906         (JSC::FTL::Output::ascribeRange):
907         (JSC::FTL::Output::nonNegative32):
908         (JSC::FTL::Output::load32NonNegative):
909         (JSC::FTL::Output::equal):
910         (JSC::FTL::Output::notEqual):
911         * ftl/FTLTypedPointer.h:
912         (JSC::FTL::TypedPointer::operator!):
913         (JSC::FTL::TypedPointer::heap):
914         (JSC::FTL::TypedPointer::value):
915
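As an added illustration of the range-assignment scheme this entry describes (this is example code written for this page, not JSC's FTLAbstractHeap or B3HeapRange implementation): a small tree of abstract heaps gets nested begin/end numbers from a recursive traversal, a half-open range test decides whether two memory operations may alias, and the recompute step shows why a heap added after the ranges were computed shifts every heap "to the right" of it. The `Heap`, `HeapRange`, `assignRanges`, `Sample` names and the heap names in the sample hierarchy are all constructed for the example.

```cpp
// Added example (not JSC's code): assign nested [begin, end) numbers to a tree of
// abstract heaps by recursive traversal, then use the ranges as an alias test.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Half-open interval of abstract heap numbers, in the style the entry describes:
// an operation on this range affects every heap H with begin <= H < end.
struct HeapRange {
    uint32_t begin = 0;
    uint32_t end = 0;
    bool overlaps(const HeapRange& other) const { return begin < other.end && other.begin < end; }
    bool contains(const HeapRange& other) const { return begin <= other.begin && other.end <= end; }
};

// One node of the (hypothetical) abstract heap hierarchy.
struct Heap {
    std::string name;
    std::vector<std::unique_ptr<Heap>> children;
    HeapRange range;

    explicit Heap(std::string n) : name(std::move(n)) { }
    Heap* addChild(std::string childName)
    {
        children.push_back(std::make_unique<Heap>(std::move(childName)));
        return children.back().get();
    }
};

// Recursive traversal. A leaf takes one number; an inner node spans all of its
// descendants. Returns the first number not used by this subtree so that the next
// sibling can start there. This gives the three properties listed in the entry:
// end > begin, child.begin >= parent.begin, child.end <= parent.end.
static uint32_t assignRanges(Heap& heap, uint32_t next)
{
    heap.range.begin = next;
    if (heap.children.empty())
        next += 1;
    else {
        for (auto& child : heap.children)
            next = assignRanges(*child, next);
    }
    heap.range.end = next;
    return next;
}

// Checks the nesting properties plus the consequence that siblings never alias.
static bool verifyInvariants(const Heap& heap)
{
    if (!(heap.range.begin < heap.range.end))
        return false;
    for (size_t i = 0; i < heap.children.size(); ++i) {
        const Heap& child = *heap.children[i];
        if (!heap.range.contains(child.range))
            return false;
        for (size_t j = i + 1; j < heap.children.size(); ++j) {
            if (child.range.overlaps(heap.children[j]->range))
                return false;
        }
        if (!verifyInvariants(child))
            return false;
    }
    return true;
}

// A constructed hierarchy; the names only mirror the kind of heaps the FTL describes.
struct Sample {
    std::unique_ptr<Heap> root;
    Heap* cell = nullptr;
    Heap* structureID = nullptr;
    Heap* object = nullptr;
    Heap* butterfly = nullptr;
    Heap* properties = nullptr;
};

static Sample buildSample()
{
    Sample s;
    s.root = std::make_unique<Heap>("root");
    s.cell = s.root->addChild("JSCell");
    s.structureID = s.cell->addChild("JSCell_structureID");
    s.object = s.root->addChild("JSObject");
    s.butterfly = s.object->addChild("JSObject_butterfly");
    s.properties = s.object->addChild("JSObject_properties");
    assignRanges(*s.root, 0);
    return s;
}

// Adding a heap after ranges exist renumbers everything after it in traversal
// order, which is why decoration has to wait until all heaps have been created.
static Heap* addLeafAndRecompute(Sample& s, Heap& parent, const std::string& name)
{
    Heap* leaf = parent.addChild(name);
    assignRanges(*s.root, 0);
    return leaf;
}

static void dump(const Heap& heap, int depth = 0)
{
    std::printf("%*s%s: [%u, %u)\n", depth * 2, "", heap.name.c_str(),
        (unsigned)heap.range.begin, (unsigned)heap.range.end);
    for (auto& child : heap.children)
        dump(*child, depth + 1);
}

int main()
{
    Sample s = buildSample();
    dump(*s.root);
    std::printf("structureID vs butterfly may alias: %s\n",
        s.structureID->range.overlaps(s.butterfly->range) ? "yes" : "no");
    addLeafAndRecompute(s, *s.cell, "JSCell_indexingType");
    dump(*s.root);
    return 0;
}
```

With the sample tree, `JSCell_structureID` gets [0, 1), `JSObject_butterfly` [1, 2) and `JSObject_properties` [2, 3), so a load decorated with the structureID heap and a store decorated with the butterfly heap are known not to alias, while `JSObject` ([1, 3)) overlaps both of its children. After inserting `JSCell_indexingType` under `JSCell`, every `JSObject` heap moves up by one, which is the renumbering the entry avoids by recording heap-to-value associations and decorating after the final range computation.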
916 2016-02-28  Skachkov Oleksandr  <gskachkov@gmail.com>
917
918         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
919         https://bugs.webkit.org/show_bug.cgi?id=153981
920
921         Reviewed by Saam Barati.
922        
923         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this',
924         'arguments', 'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
925         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
926         During syntax analysis the parser stores information about the variables used in the arrow function inside
927         the ordinary function scope and then passes it to BytecodeGenerator through UnlinkedCodeBlock.
928
929         * bytecompiler/BytecodeGenerator.cpp:
930         (JSC::BytecodeGenerator::BytecodeGenerator):
931         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
932         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
933         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
934         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
935         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
936         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
937         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
938         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
939         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
940         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
941         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
942         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
943         * bytecompiler/BytecodeGenerator.h:
944         * bytecompiler/NodesCodegen.cpp:
945         (JSC::ThisNode::emitBytecode):
946         (JSC::EvalFunctionCallNode::emitBytecode):
947         (JSC::FunctionNode::emitBytecode):
948         * parser/ASTBuilder.h:
949         (JSC::ASTBuilder::createBracketAccess):
950         (JSC::ASTBuilder::createDotAccess):
951         (JSC::ASTBuilder::usesSuperCall):
952         (JSC::ASTBuilder::usesSuperProperty):
953         (JSC::ASTBuilder::makeFunctionCallNode):
954         * parser/Nodes.cpp:
955         (JSC::ScopeNode::ScopeNode):
956         (JSC::ProgramNode::ProgramNode):
957         (JSC::ModuleProgramNode::ModuleProgramNode):
958         (JSC::EvalNode::EvalNode):
959         (JSC::FunctionNode::FunctionNode):
960         * parser/Nodes.h:
961         (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
962         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
963         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
964         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
965         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
966         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
967         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
968         (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
969         (JSC::ScopeNode::usesSuperCall):
970         (JSC::ScopeNode::usesSuperProperty):
971         * parser/Parser.cpp:
972         (JSC::Parser<LexerType>::parseProperty):
973         (JSC::Parser<LexerType>::parsePrimaryExpression):
974         (JSC::Parser<LexerType>::parseMemberExpression):
975         * parser/Parser.h:
976         (JSC::Scope::Scope):
977         (JSC::Scope::isArrowFunctionBoundary):
978         (JSC::Scope::innerArrowFunctionFeatures):
979         (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
980         (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
981         (JSC::Scope::setInnerArrowFunctionUsesEval):
982         (JSC::Scope::setInnerArrowFunctionUsesThis):
983         (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
984         (JSC::Scope::setInnerArrowFunctionUsesArguments):
985         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
986         (JSC::Scope::collectFreeVariables):
987         (JSC::Scope::mergeInnerArrowFunctionFeatures):
988         (JSC::Scope::fillParametersForSourceProviderCache):
989         (JSC::Scope::restoreFromSourceProviderCache):
990         (JSC::Scope::setIsFunction):
991         (JSC::Scope::setIsArrowFunction):
992         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
993         (JSC::Parser::pushScope):
994         (JSC::Parser::popScopeInternal):
995         (JSC::Parser<LexerType>::parse):
996         * parser/ParserModes.h:
997         * parser/SourceProviderCacheItem.h:
998         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
999         * parser/SyntaxChecker.h:
1000         (JSC::SyntaxChecker::createFunctionMetadata):
1001         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1002         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1003         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1004         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1005         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1006
1007 2016-02-28  Saam barati  <sbarati@apple.com>
1008
1009         ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
1010         https://bugs.webkit.org/show_bug.cgi?id=154768
1011
1012         Reviewed by Ryosuke Niwa.
1013
1014         This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
1015         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
1016         We weren't correctly propagating the result of this operation to the
1017         out PropertySlot& parameter. This patch fixes that and adds tests.
1018
1019         * runtime/ObjectConstructor.cpp:
1020         (JSC::objectConstructorGetOwnPropertyDescriptor):
1021         I added a missing exception check after object allocation
1022         because I saw that it was missing while reading the code.
1023
1024         * runtime/PropertyDescriptor.cpp:
1025         (JSC::PropertyDescriptor::setUndefined):
1026         (JSC::PropertyDescriptor::slowGetterSetter):
1027         (JSC::PropertyDescriptor::getter):
1028         * runtime/PropertyDescriptor.h:
1029         (JSC::PropertyDescriptor::attributes):
1030         (JSC::PropertyDescriptor::value):
1031         * runtime/ProxyObject.cpp:
1032         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1033         * tests/es6.yaml:
1034         * tests/stress/proxy-get-own-property.js:
1035         (let.handler.getOwnPropertyDescriptor):
1036         (set get let.handler.return):
1037         (set get let.handler.getOwnPropertyDescriptor):
1038         (set get let):
1039         (set get let.a):
1040         (let.b):
1041         (let.setter):
1042         (let.getter):
1043
1044 2016-02-27  Andy VanWagoner  <thetalecrafter@gmail.com>
1045
1046         Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
1047         https://bugs.webkit.org/show_bug.cgi?id=152448
1048
1049         Reviewed by Darin Adler.
1050
1051         Add defaultLanguage to the globalObjectMethodTable and use it for the
1052         default locale in Intl object initializations. Fall back to ICU default
1053         locale only if the defaultLanguage function is null, or returns an
1054         empty string.
1055
1056         * jsc.cpp:
1057         * runtime/IntlCollator.cpp:
1058         (JSC::IntlCollator::initializeCollator):
1059         * runtime/IntlDateTimeFormat.cpp:
1060         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1061         * runtime/IntlNumberFormat.cpp:
1062         (JSC::IntlNumberFormat::initializeNumberFormat):
1063         * runtime/IntlObject.cpp:
1064         (JSC::defaultLocale):
1065         (JSC::lookupMatcher):
1066         (JSC::bestFitMatcher):
1067         (JSC::resolveLocale):
1068         * runtime/IntlObject.h:
1069         * runtime/JSGlobalObject.cpp:
1070         * runtime/JSGlobalObject.h:
1071         * runtime/StringPrototype.cpp:
1072         (JSC::toLocaleCase):
1073
1074 2016-02-27  Oliver Hunt  <oliver@apple.com>
1075
1076         CLoop build fix.
1077
1078         * jit/ExecutableAllocatorFixedVMPool.cpp:
1079
1080 2016-02-26  Oliver Hunt  <oliver@apple.com>
1081
1082         Remove the on demand executable allocator
1083         https://bugs.webkit.org/show_bug.cgi?id=154749
1084
1085         Reviewed by Geoffrey Garen.
1086
1087         Remove all the DemandExecutable code and executable allocator ifdefs.
1088
1089         * CMakeLists.txt:
1090         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1091         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1092         * JavaScriptCore.xcodeproj/project.pbxproj:
1093         * jit/ExecutableAllocator.cpp: Removed.
1094         (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
1095         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
1096         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
1097         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
1098         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
1099         (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
1100         (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
1101         (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
1102         (JSC::DemandExecutableAllocator::allocators): Deleted.
1103         (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
1104         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
1105         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
1106         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
1107         (JSC::ExecutableAllocator::isValid): Deleted.
1108         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
1109         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
1110         (JSC::ExecutableAllocator::allocate): Deleted.
1111         (JSC::ExecutableAllocator::committedByteCount): Deleted.
1112         (JSC::ExecutableAllocator::dumpProfile): Deleted.
1113         (JSC::ExecutableAllocator::getLock): Deleted.
1114         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
1115         (JSC::ExecutableAllocator::reprotectRegion): Deleted.
1116         * jit/ExecutableAllocator.h:
1117         * jit/ExecutableAllocatorFixedVMPool.cpp:
1118         * jit/JITStubRoutine.h:
1119         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
1120         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
1121         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
1122
1123 2016-02-26  Joseph Pecoraro  <pecoraro@apple.com>
1124
1125         Reduce direct callers of Structure::findStructuresAndMapForMaterialization
1126         https://bugs.webkit.org/show_bug.cgi?id=154751
1127
1128         Reviewed by Mark Lam.
1129
1130         * runtime/Structure.cpp:
1131         (JSC::Structure::toStructureShape):
1132         This property name iteration is identical to Structure::forEachPropertyConcurrently.
1133         Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.
1134
1135 2016-02-26  Mark Lam  <mark.lam@apple.com>
1136
1137         Function.name and Function.length should be configurable.
1138         https://bugs.webkit.org/show_bug.cgi?id=154604
1139
1140         Reviewed by Saam Barati.
1141
1142         According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
1143         "Unless otherwise specified, the name property of a built-in Function object,
1144         if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
1145         [[Configurable]]: true }."
1146
1147         Similarly, "the length property of a built-in Function object has the attributes
1148         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."
1149
1150         This patch makes Function.name and Function.length configurable.
1151
1152         We do this by lazily reifying the JSFunction name and length properties on first
1153         access.  We track whether each of these properties has been reified using flags
1154         in the FunctionRareData.  On first access, if not already reified, we will put
1155         the property into the object with its default value and attributes and set the
1156         reified flag.  Thereafter, we rely on the base JSObject to handle access to the
1157         property.
1158
1159         Also, lots of test results have to be re-baselined because the old Function.length
1160         has attribute DontDelete, which is in conflict with the ES6 requirement that it
1161         is configurable.
1162
1163         * runtime/FunctionRareData.h:
1164         (JSC::FunctionRareData::hasReifiedLength):
1165         (JSC::FunctionRareData::setHasReifiedLength):
1166         (JSC::FunctionRareData::hasReifiedName):
1167         (JSC::FunctionRareData::setHasReifiedName):
1168         - Flags for tracking whether each property has been reified.
1169
1170         * runtime/JSFunction.cpp:
1171         (JSC::JSFunction::finishCreation):
1172         (JSC::JSFunction::createBuiltinFunction):
1173         - Host and builtin functions currently always reify their name and length
1174           properties.  Currently, for builtins, the default names that are used may
1175           differ from the executable name.  For now, we'll stay with keeping this
1176           alternate approach to getting the name and length properties for host and
1177           builtin functions.
1178           However, we need their default attribute to be configurable as well.
1179
1180         (JSC::JSFunction::getOwnPropertySlot):
1181         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1182         (JSC::JSFunction::put):
1183         (JSC::JSFunction::deleteProperty):
1184         (JSC::JSFunction::defineOwnProperty):
1185         (JSC::JSFunction::reifyLength):
1186         (JSC::JSFunction::reifyName):
1187         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1188         (JSC::JSFunction::lengthGetter): Deleted.
1189         (JSC::JSFunction::nameGetter): Deleted.
1190         * runtime/JSFunction.h:
1191         * runtime/JSFunctionInlines.h:
1192         (JSC::JSFunction::hasReifiedLength):
1193         (JSC::JSFunction::hasReifiedName):
1194
1195         * tests/es6.yaml:
1196         - 4 new passing tests.
1197
1198         * tests/mozilla/ecma/Array/15.4.4.3-1.js:
1199         * tests/mozilla/ecma/Array/15.4.4.4-1.js:
1200         * tests/mozilla/ecma/Array/15.4.4.4-2.js:
1201         * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
1202         * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
1203         * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
1204         * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
1205         * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
1206         * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
1207         * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
1208         * tests/mozilla/ecma/String/15.5.4.10-1.js:
1209         * tests/mozilla/ecma/String/15.5.4.11-1.js:
1210         * tests/mozilla/ecma/String/15.5.4.11-5.js:
1211         * tests/mozilla/ecma/String/15.5.4.12-1.js:
1212         * tests/mozilla/ecma/String/15.5.4.6-2.js:
1213         * tests/mozilla/ecma/String/15.5.4.7-2.js:
1214         * tests/mozilla/ecma/String/15.5.4.8-1.js:
1215         * tests/mozilla/ecma/String/15.5.4.9-1.js:
1216         - Rebase expected test results.
1217
1218         * tests/stress/function-configurable-properties.js: Added.
1219
1220 2016-02-26  Keith Miller  <keith_miller@apple.com>
1221
1222         Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
1223         https://bugs.webkit.org/show_bug.cgi?id=154743
1224
1225         Reviewed by Mark Lam.
1226
1227         * dfg/DFGConstantFoldingPhase.cpp:
1228         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1229         * dfg/DFGFixupPhase.cpp:
1230         (JSC::DFG::FixupPhase::fixupNode):
1231
1232 2016-02-26  Keith Miller  <keith_miller@apple.com>
1233
1234         Native Typed Array functions should use Symbol.species
1235         https://bugs.webkit.org/show_bug.cgi?id=154569
1236
1237         Reviewed by Michael Saboff.
1238
1239         This patch adds support for Symbol.species in the native Typed Array prototype
1240         functions. Additionally, now that other types of typedarrays are creatable inside
1241         the slice we use the JSGenericTypedArrayView::set function, which has been beefed
1242         up, to put everything into the correct place.
1243
1244         * runtime/JSDataView.cpp:
1245         (JSC::JSDataView::set):
1246         * runtime/JSDataView.h:
1247         * runtime/JSGenericTypedArrayView.h:
1248         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1249         (JSC::constructGenericTypedArrayViewFromIterator):
1250         (JSC::constructGenericTypedArrayViewWithArguments):
1251         (JSC::constructGenericTypedArrayView):
1252         * runtime/JSGenericTypedArrayViewInlines.h:
1253         (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
1254         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1255         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1256         (JSC::speciesConstruct):
1257         (JSC::genericTypedArrayViewProtoFuncSet):
1258         (JSC::genericTypedArrayViewProtoFuncSlice):
1259         (JSC::genericTypedArrayViewProtoFuncSubarray):
1260         * tests/stress/typedarray-slice.js:
1261         (subclasses.typedArrays.map):
1262         (testSpecies):
1263         (forEach):
1264         (subclasses.forEach):
1265         (testSpeciesRemoveConstructor):
1266         (testSpeciesWithSameBuffer):
1267         * tests/stress/typedarray-subarray.js: Added.
1268         (subclasses.typedArrays.map):
1269         (testSpecies):
1270         (forEach):
1271         (subclasses.forEach):
1272         (testSpeciesRemoveConstructor):
1273
1274 2016-02-26  Benjamin Poulain  <bpoulain@apple.com>
1275
1276         [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
1277         https://bugs.webkit.org/show_bug.cgi?id=154704
1278
1279         Reviewed by Geoffrey Garen.
1280
1281         If the Imm is zero, we should still zero the top bits
1282         to match the definition in AirOpcodes.
1283
1284         * assembler/MacroAssemblerX86Common.h:
1285         (JSC::MacroAssemblerX86Common::add32):
1286         * b3/testb3.cpp:
1287
1288 2016-02-26  Oliver Hunt  <oliver@apple.com>
1289
1290         Make testRegExp not crash when given an invalid regexp
1291         https://bugs.webkit.org/show_bug.cgi?id=154732
1292
1293         Reviewed by Mark Lam.
1294
1295         * testRegExp.cpp:
1296         (parseRegExpLine):
1297
1298 2016-02-26  Benjamin Poulain  <benjamin@webkit.org>
1299
1300         [JSC] Add the test for r197155
1301         https://bugs.webkit.org/show_bug.cgi?id=154715
1302
1303         Reviewed by Mark Lam.
1304
1305         Silly me. I forgot the test in the latest patch update.
1306
1307         * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
1308
1309 2016-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1310
1311         [DFG] Drop unnecessary proved type branch in ToPrimitive
1312         https://bugs.webkit.org/show_bug.cgi?id=154716
1313
1314         Reviewed by Geoffrey Garen.
1315
1316         This branching based on the proved types is unnecessary because this is already handled in constant folding phase.
1317         In fact, the DFGSpeculativeJIT64.cpp case is already removed in r164243.
1318         This patch removes the remaining JIT32_64 case.
1319
1320         * dfg/DFGSpeculativeJIT32_64.cpp:
1321         (JSC::DFG::SpeculativeJIT::compile):
1322
1323 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
1324
1325         [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
1326         https://bugs.webkit.org/show_bug.cgi?id=154575
1327
1328         Reviewed by Filip Pizlo.
1329
1330         I noticed that imaging-gaussian-blur spends most of its
1331         samples in DFG code despite executing most of the loop
1332         iterations in FTL.
1333
1334         On this particular test, the main function is only entered
1335         once and has a very heavy loop there. What happens is DFG
1336         starts by compiling the full function in FTL. That takes about
1337         8 to 10 milliseconds during which the DFG code makes very little
1338         progress. The calls to triggerOSREntryNow() try to OSR Enter
1339         for a while then finally start compiling something. By the time
1340         the function is ready, we have wasted a lot of time in DFG code.
1341
1342         What this patch does is set a flag when a DFG function is entered.
1343         If we try to triggerOSREntryNow() and the flag was never set,
1344         we start compiling both the full function and the one for OSR Entry.
1345
1346         * dfg/DFGJITCode.h:
1347         * dfg/DFGJITCompiler.cpp:
1348         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
1349         (JSC::DFG::JITCompiler::compile):
1350         (JSC::DFG::JITCompiler::compileFunction):
1351         * dfg/DFGJITCompiler.h:
1352         * dfg/DFGOperations.cpp:
1353         * dfg/DFGPlan.cpp:
1354         (JSC::DFG::Plan::Plan): Deleted.
1355         * dfg/DFGPlan.h:
1356         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1357         (JSC::DFG::TierUpCheckInjectionPhase::run):
1358
1359 2016-02-25  Benjamin Poulain  <benjamin@webkit.org>
1360
1361         [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
1362         https://bugs.webkit.org/show_bug.cgi?id=154664
1363
1364         Reviewed by Saam Barati.
1365
1366         When doing OSR Enter into a constructor, we lose the information
1367         that this may have been set to empty by a previously executed block.
1368
1369         All the code just assumed the type for a FlushedJS value and thus
1370         not an empty value. It was then okay to eliminate the TDZ checks.
1371
1372         In this patch, the values on root entry now assume they may be empty.
1373         As a result, the SetArgument() for "this" has "empty" as possible
1374         type and the TDZ checks are no longer eliminated.
1375
1376         * dfg/DFGInPlaceAbstractState.cpp:
1377         (JSC::DFG::InPlaceAbstractState::initialize):
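
The language rule that the fix above protects: in a derived constructor, `this` is in its temporal dead zone until super() returns, and a read before that must throw even when it happens late in a hot loop, which is where a tier-up (OSR entry) would occur. The following is an added example, not the stress test referenced in the r197155 entry above; Base, Derived and the helper tdzOutcome() are illustrative names chosen here.

```javascript
// Added example (not JSC test code): `this` TDZ in a derived constructor must
// survive a long loop, i.e. the check cannot be dropped on OSR entry.
class Base {}

class Derived extends Base {
  constructor(superFirst, iterations) {
    if (superFirst) super();
    let acc = 0;
    for (let i = 0; i < iterations; i++) {
      acc += i;                        // hot loop, so tier-up is plausible
      if (i === iterations - 1)
        this.acc = acc;                // reads `this`: TDZ check lives here
    }
    if (!superFirst) super();          // not reached if the read above threw
    this.acc = acc;
  }
}

// Illustrative helper: 'ok' when construction succeeds with the expected
// value, otherwise the name of the error that was thrown.
function tdzOutcome(superFirst, iterations) {
  try {
    const expected = (iterations * (iterations - 1)) / 2;
    return new Derived(superFirst, iterations).acc === expected ? 'ok' : 'wrong-value';
  } catch (e) {
    return e.constructor.name;
  }
}
```

Run with a large iteration count (for example 100000) so that the offending read happens only after the loop has been hot for a while.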
1378
1379 2016-02-25  Ada Chan  <adachan@apple.com>
1380
1381         Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
1382         https://bugs.webkit.org/show_bug.cgi?id=154702
1383
1384         Reviewed by Dan Bernstein.
1385
1386         * Configurations/FeatureDefines.xcconfig:
1387
1388 2016-02-25  Saam barati  <sbarati@apple.com>
1389
1390         [ES6] for...in iteration doesn't comply with the specification
1391         https://bugs.webkit.org/show_bug.cgi?id=154665
1392
1393         Reviewed by Michael Saboff.
1394
1395         If you read ForIn/OfHeadEvaluation inside the spec:
1396         https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
1397         It calls EnumerateObjectProperties(obj) to get a set of properties
1398         to enumerate over (it models this "set" as an ES6 generator function).
1399         EnumerateObjectProperties is defined in section 13.7.5.15:
1400         https://tc39.github.io/ecma262/#sec-enumerate-object-properties
1401         The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
1402         properties it sees. We must do the same by modeling the operation as
1403         a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.
1404
1405         * jit/JITOperations.cpp:
1406         * jit/JITOperations.h:
1407         * runtime/CommonSlowPaths.cpp:
1408         (JSC::SLOW_PATH_DECL):
1409         * runtime/JSObject.cpp:
1410         (JSC::JSObject::hasProperty):
1411         (JSC::JSObject::hasPropertyGeneric):
1412         * runtime/JSObject.h:
1413         * tests/stress/proxy-get-own-property.js:
1414         (assert):
1415         (let.handler.getOwnPropertyDescriptor):
1416         (i.set assert):
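
The difference between [[GetOwnProperty]] and [[HasProperty]] described above is directly visible through a Proxy: for...in must invoke ownKeys and getOwnPropertyDescriptor, and never the has trap. The following is an added example, not the proxy-get-own-property.js stress test above; forInOverProxy() and its `hidden` parameter are illustrative names chosen here.

```javascript
// Added example (not JSC test code): record which Proxy traps for...in fires.
// Illustrative helper: enumerates `target` through a recording Proxy; keys
// listed in `hidden` are reported as non-enumerable by getOwnPropertyDescriptor.
function forInOverProxy(target, hidden) {
  const calls = [];
  const proxy = new Proxy(target, {
    ownKeys(t) {
      calls.push('ownKeys');
      return Reflect.ownKeys(t);
    },
    has(t, key) {                      // must never fire during for...in
      calls.push('has:' + String(key));
      return Reflect.has(t, key);
    },
    getOwnPropertyDescriptor(t, key) {
      calls.push('getOwnPropertyDescriptor:' + String(key));
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      // Permitted by the proxy invariants because the target's own
      // properties are configurable; the key is then skipped by for...in.
      if (desc && hidden.includes(key)) desc.enumerable = false;
      return desc;
    },
  });
  const seen = [];
  for (const key in proxy) seen.push(key);
  return { seen, calls };
}
```

An engine that modelled the enumerability check as [[HasProperty]] would show 'has:' entries in `calls` and would fail to honour the non-enumerable descriptor returned by the trap.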
1417
1418 2016-02-25  Saam barati  <sbarati@apple.com>
1419
1420         [ES6] Implement Proxy.[[Set]]
1421         https://bugs.webkit.org/show_bug.cgi?id=154511
1422
1423         Reviewed by Filip Pizlo.
1424
1425         This patch is mostly an implementation of
1426         Proxy.[[Set]] with respect to section 9.5.9
1427         of the ECMAScript spec.
1428         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver
1429
1430         This patch also changes JSObject::putInline and JSObject::putByIndex
1431         to be aware that a Proxy in the prototype chain will intercept
1432         property accesses.
1433
1434         * runtime/JSObject.cpp:
1435         (JSC::JSObject::putInlineSlow):
1436         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1437         * runtime/JSObject.h:
1438         * runtime/JSObjectInlines.h:
1439         (JSC::JSObject::canPerformFastPutInline):
1440         (JSC::JSObject::putInline):
1441         * runtime/JSType.h:
1442         * runtime/ProxyObject.cpp:
1443         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1444         (JSC::ProxyObject::performPut):
1445         (JSC::ProxyObject::put):
1446         (JSC::ProxyObject::putByIndexCommon):
1447         (JSC::ProxyObject::putByIndex):
1448         (JSC::performProxyCall):
1449         (JSC::ProxyObject::getCallData):
1450         (JSC::performProxyConstruct):
1451         (JSC::ProxyObject::deletePropertyByIndex):
1452         (JSC::ProxyObject::visitChildren):
1453         * runtime/ProxyObject.h:
1454         (JSC::ProxyObject::create):
1455         (JSC::ProxyObject::createStructure):
1456         (JSC::ProxyObject::target):
1457         (JSC::ProxyObject::handler):
1458         * tests/es6.yaml:
1459         * tests/stress/proxy-set.js: Added.
1460         (assert):
1461         (throw.new.Error.let.handler.set 45):
1462         (throw.new.Error):
1463         (let.target.set x):
1464         (let.target.get x):
1465         (set let):
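
The putInline/putByIndex change described above is what makes a Proxy on the prototype chain intercept plain assignments to an inheriting object, for both named and indexed keys. The following is an added example, not the proxy-set.js stress test above; writesThroughProxyPrototype() and assignThroughRejectingProto() are illustrative names chosen here.

```javascript
// Added example (not JSC test code): a Proxy on the prototype chain intercepts
// assignments made to an ordinary object that inherits from it (spec 9.5.9).
function writesThroughProxyPrototype() {
  const log = [];
  const target = {};
  const proto = new Proxy(target, {
    set(t, key, value, receiver) {
      log.push({ key: String(key), receiverIsTarget: receiver === t });
      // Reflect.set honours `receiver`: OrdinarySet creates the data property
      // on the object that was assigned to, not on the proxy target.
      return Reflect.set(t, key, value, receiver);
    },
  });
  const obj = Object.create(proto);
  obj.name = 'x';     // named property (put path)
  obj[0] = 'first';   // indexed property (putByIndex path)
  return { log, ownKeys: Object.keys(obj), targetKeys: Object.keys(target) };
}

// In strict code a set trap that returns false makes the assignment throw
// a TypeError instead of silently failing.
function assignThroughRejectingProto() {
  'use strict';
  const proto = new Proxy({}, { set() { return false; } });
  const obj = Object.create(proto);
  try {
    obj.x = 1;
    return 'assigned';
  } catch (e) {
    return e.constructor.name;
  }
}
```

The trap sees the inheriting object as `receiver`, so a handler that forwards with Reflect.set keeps the property on that object and leaves the proxy target untouched.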
1466
1467 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
1468
1469         [JSC] Remove a useless "Move" in the lowering of Select
1470         https://bugs.webkit.org/show_bug.cgi?id=154670
1471
1472         Reviewed by Geoffrey Garen.
1473
1474         I left the Move instruction when creating the aliasing form
1475         of Select.
1476
1477         On ARM64, that meant a useless move for any case that can't
1478         be coalesced.
1479
1480         On x86, that meant an extra constraint on child2, making it
1481         stupidly hard to alias child1.
1482
1483         * b3/B3LowerToAir.cpp:
1484         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
1485
1486 2016-02-24  Joseph Pecoraro  <pecoraro@apple.com>
1487
1488         Web Inspector: Expose Proxy target and handler internal properties to Inspector
1489         https://bugs.webkit.org/show_bug.cgi?id=154663
1490
1491         Reviewed by Timothy Hatcher.
1492
1493         * inspector/JSInjectedScriptHost.cpp:
1494         (Inspector::JSInjectedScriptHost::getInternalProperties):
1495         Expose the ProxyObject's target and handler.
1496
1497 2016-02-24  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
1498
1499         [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
1500         https://bugs.webkit.org/show_bug.cgi?id=151688
1501
1502         Reviewed by Dean Jackson.
1503
1504         Enables the WEB_ANIMATIONS compiler switch.
1505
1506         * Configurations/FeatureDefines.xcconfig:
1507
1508 2016-02-24  Konstantin Tokarev  <annulen@yandex.ru>
1509
1510         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
1511         https://bugs.webkit.org/show_bug.cgi?id=154651
1512
1513         Reviewed by Alex Christensen.
1514
1515         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
1516
1517 2016-02-24  Commit Queue  <commit-queue@webkit.org>
1518
1519         Unreviewed, rolling out r197033.
1520         https://bugs.webkit.org/show_bug.cgi?id=154649
1521
1522         "It broke JSC tests when 'this' was loaded from global scope"
1523         (Requested by saamyjoon on #webkit).
1524
1525         Reverted changeset:
1526
1527         "[ES6] Arrow function syntax. Emit loading&putting this/super
1528         only if they are used in arrow function"
1529         https://bugs.webkit.org/show_bug.cgi?id=153981
1530         http://trac.webkit.org/changeset/197033
1531
1532 2016-02-24  Saam Barati  <sbarati@apple.com>
1533
1534         [ES6] Implement Proxy.[[Delete]]
1535         https://bugs.webkit.org/show_bug.cgi?id=154607
1536
1537         Reviewed by Mark Lam.
1538
1539         This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
1540         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
1541
1542         * runtime/ProxyObject.cpp:
1543         (JSC::ProxyObject::getConstructData):
1544         (JSC::ProxyObject::performDelete):
1545         (JSC::ProxyObject::deleteProperty):
1546         (JSC::ProxyObject::deletePropertyByIndex):
1547         * runtime/ProxyObject.h:
1548         * tests/es6.yaml:
1549         * tests/stress/proxy-delete.js: Added.
1550         (assert):
1551         (throw.new.Error.let.handler.get deleteProperty):
1552         (throw.new.Error):
1553         (assert.let.handler.deleteProperty):
1554         (let.handler.deleteProperty):
1555
1556 2016-02-24  Filip Pizlo  <fpizlo@apple.com>
1557
1558         Stackmaps have problems with double register constraints
1559         https://bugs.webkit.org/show_bug.cgi?id=154643
1560
1561         Reviewed by Geoffrey Garen.
1562
1563         This is currently a benign bug. I found it while playing.
1564
1565         * b3/B3LowerToAir.cpp:
1566         (JSC::B3::Air::LowerToAir::fillStackmap):
1567         * b3/testb3.cpp:
1568         (JSC::B3::testURShiftSelf64):
1569         (JSC::B3::testPatchpointDoubleRegs):
1570         (JSC::B3::zero):
1571         (JSC::B3::run):
1572
1573 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
1574
1575         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
1576         https://bugs.webkit.org/show_bug.cgi?id=153981
1577
1578         Reviewed by Saam Barati.
1579        
1580         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
1581         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
1582         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
1583         During syntax analysis the parser stores information about which variables are used in arrow functions inside of
1584         the ordinary function scope and then passes it to BytecodeGenerator through UnlinkedCodeBlock.
1585
1586         * bytecode/ExecutableInfo.h:
1587         (JSC::ExecutableInfo::ExecutableInfo):
1588         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
1589         * bytecode/UnlinkedCodeBlock.cpp:
1590         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1591         * bytecode/UnlinkedCodeBlock.h:
1592         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
1593         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
1594         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
1595         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
1596         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
1597         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
1598         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
1599         * bytecode/UnlinkedFunctionExecutable.cpp:
1600         (JSC::generateUnlinkedFunctionCodeBlock):
1601         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1602         * bytecode/UnlinkedFunctionExecutable.h:
1603         * bytecompiler/BytecodeGenerator.cpp:
1604         (JSC::BytecodeGenerator::BytecodeGenerator):
1605         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1606         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1607         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
1608         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1609         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1610         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1611         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
1612         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1613         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1614         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1615         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1616         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1617         * bytecompiler/BytecodeGenerator.h:
1618         * bytecompiler/NodesCodegen.cpp:
1619         (JSC::ThisNode::emitBytecode):
1620         (JSC::EvalFunctionCallNode::emitBytecode):
1621         (JSC::FunctionCallValueNode::emitBytecode):
1622         (JSC::FunctionNode::emitBytecode):
1623         * parser/ASTBuilder.h:
1624         (JSC::ASTBuilder::createFunctionMetadata):
1625         * parser/Nodes.cpp:
1626         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1627         * parser/Nodes.h:
1628         * parser/Parser.cpp:
1629         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1630         (JSC::Parser<LexerType>::parseFunctionBody):
1631         (JSC::Parser<LexerType>::parseFunctionInfo):
1632         (JSC::Parser<LexerType>::parseProperty):
1633         (JSC::Parser<LexerType>::parsePrimaryExpression):
1634         (JSC::Parser<LexerType>::parseMemberExpression):
1635         * parser/Parser.h:
1636         (JSC::Scope::Scope):
1637         (JSC::Scope::isArrowFunctionBoundary):
1638         (JSC::Scope::innerArrowFunctionFeatures):
1639         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
1640         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
1641         (JSC::Scope::setInnerArrowFunctionUseEval):
1642         (JSC::Scope::setInnerArrowFunctionUseThis):
1643         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
1644         (JSC::Scope::setInnerArrowFunctionUseArguments):
1645         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
1646         (JSC::Scope::collectFreeVariables):
1647         (JSC::Scope::mergeInnerArrowFunctionFeatures):
1648         (JSC::Scope::fillParametersForSourceProviderCache):
1649         (JSC::Scope::restoreFromSourceProviderCache):
1650         (JSC::Scope::setIsFunction):
1651         (JSC::Scope::setIsArrowFunction):
1652         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
1653         (JSC::Parser::pushScope):
1654         (JSC::Parser::popScopeInternal):
1655         * parser/ParserModes.h:
1656         * parser/SourceProviderCacheItem.h:
1657         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1658         * parser/SyntaxChecker.h:
1659         (JSC::SyntaxChecker::createFunctionMetadata):
1660         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1661         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1662         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1663         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1664         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1665
1666 2016-02-23  Brian Burg  <bburg@apple.com>
1667
1668         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
1669         https://bugs.webkit.org/show_bug.cgi?id=154615
1670         <rdar://problem/24804330>
1671
1672         Reviewed by Timothy Hatcher.
1673
1674         Some of the generated Objective-C bindings are only relevant to code acting as the
1675         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
1676         --backend to all generators. Use the setting in a few generators to omit code that's
1677         not needed.
1678
1679         Also fix a few places where the code emits the wrong Objective-C class prefix.
1680         There is some common non-generated code that must always have the RWIProtocol prefix.
1681
1682         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
1683         macros defined in the internal header now need to be used outside of the framework.
1684
1685         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1686         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
1687         depending on the target framework.
1688
1689         * inspector/scripts/codegen/generate_objc_header.py:
1690         (ObjCHeaderGenerator.generate_output):
1691         For now, omit generating command protocol and event dispatchers when generating for --frontend.
1692
1693         (ObjCHeaderGenerator._generate_type_interface):
1694         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
1695
1696         * inspector/scripts/codegen/generate_objc_internal_header.py:
1697         Use RWIProtocolJSONObjectPrivate.h instead.
1698
1699         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1700         (ObjCProtocolTypesImplementationGenerator.generate_output):
1701         Include the Internal header if it's being generated (only for --backend).
1702
1703         * inspector/scripts/codegen/generator.py:
1704         (Generator.__init__):
1705         (Generator.set_generator_setting):
1706         (Generator):
1707         (Generator.get_generator_setting):
1708         Crib a simple setting system from the Framework class. Make the names more obnoxious.
1709
1710         (Generator.string_for_file_include):
1711         Inspired by the replay input generator, this is a function that uses the proper syntax
1712         for a file include depending on the file's framework and target framework.
1713
1714         * inspector/scripts/codegen/objc_generator.py:
1715         (ObjCGenerator.and):
1716         (ObjCGenerator.and.objc_prefix):
1717         (ObjCGenerator):
1718         (ObjCGenerator.objc_type_for_raw_name):
1719         (ObjCGenerator.objc_class_for_raw_name):
1720         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
1721
1722         * inspector/scripts/generate-inspector-protocol-bindings.py:
1723         (generate_from_specification):
1724         Change the generators to use for the frontend. Propagate --frontend and --backend.
1725
1726         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1727         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1728         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1729         * inspector/scripts/tests/expected/enum-values.json-result:
1730         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1731         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1732         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1733         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1734         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1735         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1736         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1737         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1738         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1739         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
1740
1741 2016-02-23  Saam barati  <sbarati@apple.com>
1742
1743         arrayProtoFuncConcat doesn't check for an exception after allocating an array
1744         https://bugs.webkit.org/show_bug.cgi?id=154621
1745
1746         Reviewed by Michael Saboff.
1747
1748         * runtime/ArrayPrototype.cpp:
1749         (JSC::arrayProtoFuncConcat):
1750
1751 2016-02-23  Dan Bernstein  <mitz@apple.com>
1752
1753         [Xcode] Linker errors display mangled names, but no longer should
1754         https://bugs.webkit.org/show_bug.cgi?id=154632
1755
1756         Reviewed by Sam Weinig.
1757
1758         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
1759
1760 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
1761
1762         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
1763         https://bugs.webkit.org/show_bug.cgi?id=112323
1764
1765         Reviewed by Chris Dumez.
1766
1767         This feature is controlled by a runtime switch, and defaults off.
1768
1769         * Configurations/FeatureDefines.xcconfig:
1770
1771 2016-02-23  Keith Miller  <keith_miller@apple.com>
1772
1773         JSC stress tests' standalone-pre.js should exit on the first failure by default
1774         https://bugs.webkit.org/show_bug.cgi?id=154565
1775
1776         Reviewed by Mark Lam.
1777
1778         Currently, if a test writer does not call finishJSTest() at the end of
1779         any test using stress/resources/standalone-pre.js then the test can fail
1780         without actually reporting an error to the harness. By default, we
1781         should throw on the first error so, in the event someone does not call
1782         finishJSTest() the harness will still notice the error.
1783
1784         * tests/stress/regress-151324.js:
1785         * tests/stress/resources/standalone-pre.js:
1786         (testFailed):
1787
1788 2016-02-23  Saam barati  <sbarati@apple.com>
1789
1790         Make JSObject::getMethod have fewer branches
1791         https://bugs.webkit.org/show_bug.cgi?id=154603
1792
1793         Reviewed by Mark Lam.
1794
1795         Writing code with fewer branches is almost always better.
1796
1797         * runtime/JSObject.cpp:
1798         (JSC::JSObject::getMethod):
1799
1800 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
1801
1802         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1803         https://bugs.webkit.org/show_bug.cgi?id=154592
1804
1805         Reviewed by Saam Barati.
1806
1807         If Foo has a virtual destructor, then:
1808
1809         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1810         subclass of Foo that overrides the destructor, this syntax will not call that override.
1811
1812         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1813         get the subclass's override.
1814
1815         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1816         This caused leaks because this didn't actually call the subclass's override. This fixes the
1817         problem by using this->~Value() instead.
1818
1819         * b3/B3ControlValue.cpp:
1820         (JSC::B3::ControlValue::convertToJump):
1821         (JSC::B3::ControlValue::convertToOops):
1822         * b3/B3Value.cpp:
1823         (JSC::B3::Value::replaceWithIdentity):
1824         (JSC::B3::Value::replaceWithNop):
1825         (JSC::B3::Value::replaceWithPhi):
1826
1827 2016-02-23  Brian Burg  <bburg@apple.com>
1828
1829         Web Inspector: the protocol generator's Objective-C name prefix should be configurable
1830         https://bugs.webkit.org/show_bug.cgi?id=154596
1831         <rdar://problem/24794962>
1832
1833         Reviewed by Timothy Hatcher.
1834
1835         In order to support different generated protocol sets that don't have conflicting
1836         file and type names, allow the Objective-C prefix to be configurable based on the
1837         target framework. Each name also has the implicit prefix 'Protocol' appended to the
1838         per-target framework prefix.
1839
1840         For example, the existing protocol for remote inspection has the prefix 'RWI'
1841         and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
1842         and is generated as 'AutomationProtocol'.
1843
1844         To make this change, convert ObjCGenerator to be a subclass of Generator and use
1845         the instance method model() to find the target framework and its setting for
1846         'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
1847         these instance methods that used to be static methods. This is a large but
1848         mechanical change to use self instead of ObjCGenerator.
1849
1850         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1851         (ObjCBackendDispatcherHeaderGenerator):
1852         (ObjCBackendDispatcherHeaderGenerator.__init__):
1853         (ObjCBackendDispatcherHeaderGenerator.output_filename):
1854         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1855         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1856         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1857         (ObjCConfigurationImplementationGenerator):
1858         (ObjCConfigurationImplementationGenerator.__init__):
1859         (ObjCConfigurationImplementationGenerator.output_filename):
1860         (ObjCConfigurationImplementationGenerator.generate_output):
1861         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1862         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
1863         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
1864         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1865         (ObjCConfigurationHeaderGenerator):
1866         (ObjCConfigurationHeaderGenerator.__init__):
1867         (ObjCConfigurationHeaderGenerator.output_filename):
1868         (ObjCConfigurationHeaderGenerator.generate_output):
1869         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1870         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1871         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1872         (ObjCBackendDispatcherImplementationGenerator):
1873         (ObjCBackendDispatcherImplementationGenerator.__init__):
1874         (ObjCBackendDispatcherImplementationGenerator.output_filename):
1875         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1876         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1877         (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
1878         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
1879         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
1880         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1881         (ObjCConversionHelpersGenerator):
1882         (ObjCConversionHelpersGenerator.__init__):
1883         (ObjCConversionHelpersGenerator.output_filename):
1884         (ObjCConversionHelpersGenerator.generate_output):
1885         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
1886         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
1887         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
1888         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1889         (ObjCFrontendDispatcherImplementationGenerator):
1890         (ObjCFrontendDispatcherImplementationGenerator.__init__):
1891         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1892         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1893         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1894         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1895         (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
1896         (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
1897         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1898         * inspector/scripts/codegen/generate_objc_header.py:
1899         (ObjCHeaderGenerator):
1900         (ObjCHeaderGenerator.__init__):
1901         (ObjCHeaderGenerator.output_filename):
1902         (ObjCHeaderGenerator.generate_output):
1903         (ObjCHeaderGenerator._generate_forward_declarations):
1904         (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
1905         (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
1906         (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
1907         (ObjCHeaderGenerator._generate_type_interface):
1908         (ObjCHeaderGenerator._generate_init_method_for_required_members):
1909         (ObjCHeaderGenerator._generate_member_property):
1910         (ObjCHeaderGenerator._generate_command_protocols):
1911         (ObjCHeaderGenerator._generate_single_command_protocol):
1912         (ObjCHeaderGenerator._callback_block_for_command):
1913         (ObjCHeaderGenerator._generate_event_interfaces):
1914         (ObjCHeaderGenerator._generate_single_event_interface):
1915         * inspector/scripts/codegen/generate_objc_internal_header.py:
1916         (ObjCInternalHeaderGenerator):
1917         (ObjCInternalHeaderGenerator.__init__):
1918         (ObjCInternalHeaderGenerator.output_filename):
1919         (ObjCInternalHeaderGenerator.generate_output):
1920         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1921         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1922         (ObjCProtocolTypesImplementationGenerator):
1923         (ObjCProtocolTypesImplementationGenerator.__init__):
1924         (ObjCProtocolTypesImplementationGenerator.output_filename):
1925         (ObjCProtocolTypesImplementationGenerator.generate_output):
1926         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1927         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
1928         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
1929         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
1930         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
1931         (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
1932         * inspector/scripts/codegen/models.py:
1933         * inspector/scripts/codegen/objc_generator.py:
1934         (ObjCTypeCategory.category_for_type):
1935         (ObjCGenerator):
1936         (ObjCGenerator.__init__):
1937         (ObjCGenerator.objc_prefix):
1938         (ObjCGenerator.objc_name_for_type):
1939         (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
1940         (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
1941         (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
1942         (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
1943         (ObjCGenerator.objc_class_for_type):
1944         (ObjCGenerator.objc_class_for_array_type):
1945         (ObjCGenerator.objc_accessor_type_for_member):
1946         (ObjCGenerator.objc_accessor_type_for_member_internal):
1947         (ObjCGenerator.objc_type_for_member):
1948         (ObjCGenerator.objc_type_for_member_internal):
1949         (ObjCGenerator.objc_type_for_param):
1950         (ObjCGenerator.objc_type_for_param_internal):
1951         (ObjCGenerator.objc_protocol_export_expression_for_variable):
1952         (ObjCGenerator.objc_protocol_import_expression_for_member):
1953         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
1954         (ObjCGenerator.objc_protocol_import_expression_for_variable):
1955         (ObjCGenerator.objc_to_protocol_expression_for_member):
1956         (ObjCGenerator.protocol_to_objc_expression_for_member):
1957
1958         Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
1959
1960         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1961         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1962         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1963         * inspector/scripts/tests/expected/enum-values.json-result:
1964         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1965         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1966         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1967         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1968         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1969         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1970         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1971         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1972         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1973
1974 2016-02-23  Mark Lam  <mark.lam@apple.com>
1975
1976         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
1977         https://bugs.webkit.org/show_bug.cgi?id=154542
1978
1979         Reviewed by Saam Barati.
1980
1981         According to the spec, the constructors of the following types "are not intended
1982         to be called as a function and will throw an exception".  These types are:
1983             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
1984             Map - https://tc39.github.io/ecma262/#sec-map-constructor
1985             Set - https://tc39.github.io/ecma262/#sec-set-constructor
1986             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
1987             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
1988             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
1989             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
1990             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
1991             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
1992
1993         This patch does the following:
1994         1. Ensures that these constructors can be called but will throw a TypeError
1995            when called.
1996         2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
1997            in their implementation to be consistent.
1998         3. Changes the error message to "calling XXX constructor without new is invalid".
1999            This is clearer because the error is likely due to the user forgetting to use
2000            the new operator on these constructors.
2001
2002         * runtime/Error.h:
2003         * runtime/Error.cpp:
2004         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
2005         - Added a convenience function to throw the TypeError.
2006
2007         * runtime/JSArrayBufferConstructor.cpp:
2008         (JSC::constructArrayBuffer):
2009         (JSC::callArrayBuffer):
2010         (JSC::JSArrayBufferConstructor::getCallData):
2011         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2012         (JSC::callGenericTypedArrayView):
2013         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
2014         * runtime/JSPromiseConstructor.cpp:
2015         (JSC::callPromise):
2016         * runtime/MapConstructor.cpp:
2017         (JSC::callMap):
2018         * runtime/ProxyConstructor.cpp:
2019         (JSC::callProxy):
2020         (JSC::ProxyConstructor::getCallData):
2021         * runtime/SetConstructor.cpp:
2022         (JSC::callSet):
2023         * runtime/WeakMapConstructor.cpp:
2024         (JSC::callWeakMap):
2025         * runtime/WeakSetConstructor.cpp:
2026         (JSC::callWeakSet):
2027
2028         * tests/es6.yaml:
2029         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
2030
2031         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
2032         (test):
2033
2034         * tests/stress/map-constructor.js:
2035         (testCallTypeError):
2036         * tests/stress/promise-cannot-be-called.js:
2037         (shouldThrow):
2038         * tests/stress/proxy-basic.js:
2039         * tests/stress/set-constructor.js:
2040         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
2041         (i.catch):
2042         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
2043         (i.catch):
2044         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
2045         (i.catch):
2046         * tests/stress/weak-map-constructor.js:
2047         (testCallTypeError):
2048         * tests/stress/weak-set-constructor.js:
2049         - Updated error message string.
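
An added example, not JavaScriptCore's own code or tests, that probes the behaviour this entry describes from the JavaScript side: which built-in constructors refuse a plain call (no `new`) with a TypeError, with the legacy callable constructors (Date, Array, Object, ...) kept as a control group. Function names such as `requiresNew` and `probe` are illustrative and not part of the project.

```javascript
// Added example, not JavaScriptCore code: probe which built-in constructors
// reject a plain call (no `new`) with a TypeError, as ES2015 requires for the
// types listed in the entry above. Callable legacy constructors (Date, Array,
// Object, ...) are included as a control group.

// Calls ctor without `new`; true only if that raises a TypeError.
function requiresNew(ctor, args = []) {
  try {
    ctor(...args);
    return false;               // plain call succeeded: also callable
  } catch (e) {
    if (e instanceof TypeError) return true;
    throw e;                    // any other error means the probe itself is wrong
  }
}

// Constructors the spec marks "not intended to be called as a function".
const constructOnly = [Map, Set, WeakMap, WeakSet, ArrayBuffer, DataView,
                       Promise, Proxy, Uint8Array, Float64Array];

// Constructors that ES2015 keeps callable for legacy reasons.
const callableToo = [Object, Array, Date, Error, RegExp, String, Number, Boolean];

// Returns {name: boolean} for each constructor in the list.
function probe(ctors) {
  const out = {};
  for (const c of ctors) out[c.name] = requiresNew(c);
  return out;
}

// Sanity check: `new` on the same constructors still works, so the TypeError
// above really is the "called without new" case and not a broken constructor.
function newStillWorks() {
  return constructOnly.every(c => {
    const args = c === Promise ? [() => {}]
               : c === Proxy ? [{}, {}]
               : c === DataView ? [new ArrayBuffer(4)]
               : [];
    const made = Reflect.construct(c, args);
    // Proxy.prototype is undefined, so instanceof cannot be used for it.
    return c === Proxy ? typeof made === 'object' : made instanceof c;
  });
}

console.log(probe(constructOnly));   // every value true
console.log(probe(callableToo));     // every value false
```

`class` constructors behave the same way as the construct-only builtins: calling one without `new` is a TypeError, so `requiresNew(class {})` is also true.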
2050
2051 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
2052
2053         ASan build fix.
2054
2055         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
2056
2057         * inspector/InspectorBackendDispatcher.h:
2058
2059 2016-02-23  Brian Burg  <bburg@apple.com>
2060
2061         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
2062         https://bugs.webkit.org/show_bug.cgi?id=154518
2063         <rdar://problem/24761096>
2064
2065         Reviewed by Timothy Hatcher.
2066
2067         * inspector/InspectorBackendDispatcher.h:
2068         Export all the classes since they are used by WebKit::WebAutomationSession.
2069
2070 2016-02-22  Brian Burg  <bburg@apple.com>
2071
2072         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2073         https://bugs.webkit.org/show_bug.cgi?id=154509
2074         <rdar://problem/24759098>
2075
2076         Reviewed by Timothy Hatcher.
2077
2078         Add a new 'WebKit' framework, which is used to generate protocol code
2079         in WebKit2.
2080
2081         Add --backend and --frontend flags to the main generator script.
2082         These allow a framework to trigger two different sets of generators
2083         so they can be separately generated and compiled.
2084
2085         * inspector/scripts/codegen/models.py:
2086         (Framework.fromString):
2087         (Frameworks): Add new framework.
2088
2089         * inspector/scripts/generate-inspector-protocol-bindings.py:
2090         If neither --backend nor --frontend is specified, assume both are wanted.
2091         This matches the behavior for JavaScriptCore and WebInspector frameworks.
2092
2093         (generate_from_specification):
2094         Generate C++ files for the backend and Objective-C files for the frontend.
2095
2096 2016-02-22  Saam barati  <sbarati@apple.com>
2097
2098         JSGlobalObject doesn't visit ProxyObjectStructure during GC
2099         https://bugs.webkit.org/show_bug.cgi?id=154564
2100
2101         Rubber stamped by Mark Lam.
2102
2103         * runtime/JSGlobalObject.cpp:
2104         (JSC::JSGlobalObject::visitChildren):
2105
2106 2016-02-22  Saam barati  <sbarati@apple.com>
2107
2108         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
2109         https://bugs.webkit.org/show_bug.cgi?id=154548
2110
2111         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
2112
2113         InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw 
2114         an exception. Neither the function nor the call sites of the function took this into
2115         account. This patch audits the call sites of the function to make it work in
2116         the event that an exception is thrown.
2117
2118         * runtime/BooleanConstructor.cpp:
2119         (JSC::constructWithBooleanConstructor):
2120         * runtime/DateConstructor.cpp:
2121         (JSC::constructDate):
2122         * runtime/ErrorConstructor.cpp:
2123         (JSC::Interpreter::constructWithErrorConstructor):
2124         * runtime/FunctionConstructor.cpp:
2125         (JSC::constructFunctionSkippingEvalEnabledCheck):
2126         * runtime/InternalFunction.cpp:
2127         (JSC::InternalFunction::createSubclassStructure):
2128         * runtime/JSArrayBufferConstructor.cpp:
2129         (JSC::constructArrayBuffer):
2130         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2131         (JSC::constructGenericTypedArrayView):
2132         * runtime/JSGlobalObject.h:
2133         (JSC::constructEmptyArray):
2134         (JSC::constructArray):
2135         (JSC::constructArrayNegativeIndexed):
2136         * runtime/JSPromiseConstructor.cpp:
2137         (JSC::constructPromise):
2138         * runtime/MapConstructor.cpp:
2139         (JSC::constructMap):
2140         * runtime/NativeErrorConstructor.cpp:
2141         (JSC::Interpreter::constructWithNativeErrorConstructor):
2142         * runtime/NumberConstructor.cpp:
2143         (JSC::constructWithNumberConstructor):
2144         * runtime/RegExpConstructor.cpp:
2145         (JSC::getRegExpStructure):
2146         (JSC::constructRegExp):
2147         (JSC::constructWithRegExpConstructor):
2148         * runtime/SetConstructor.cpp:
2149         (JSC::constructSet):
2150         * runtime/StringConstructor.cpp:
2151         (JSC::constructWithStringConstructor):
2152         (JSC::StringConstructor::getConstructData):
2153         * runtime/WeakMapConstructor.cpp:
2154         (JSC::constructWeakMap):
2155         * runtime/WeakSetConstructor.cpp:
2156         (JSC::constructWeakSet):
2157         * tests/stress/create-subclass-structure-might-throw.js: Added.
2158         (assert):
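
An added example, not JavaScriptCore's own code or the test file listed above, showing the failure mode this entry fixes from script: `GetPrototypeFromConstructor` performs `Get(newTarget, "prototype")`, so a Proxy `get` trap on the `new.target` can throw during that lookup, and the exception must come straight out of every constructor that derives its result's [[Prototype]] from `new.target`. The marker class `PrototypeLookup` and the helper names are illustrative.

```javascript
// Added example, not JavaScriptCore code: make `new.target`'s "prototype"
// lookup throw and confirm that the exception propagates out of every
// constructor that derives its result's [[Prototype]] from new.target.

class PrototypeLookup extends Error {}

// A constructor whose "prototype" read throws; every other property access
// is forwarded to the wrapped function.
function throwingNewTarget() {
  return new Proxy(function Target() {}, {
    get(target, key, receiver) {
      if (key === 'prototype') throw new PrototypeLookup('prototype read');
      return Reflect.get(target, key, receiver);
    },
  });
}

// 'propagated' if our marker exception came out, 'constructed' if the engine
// swallowed it and finished the object, otherwise the foreign error's name.
function constructWith(ctor, args) {
  try {
    Reflect.construct(ctor, args, throwingNewTarget());
    return 'constructed';
  } catch (e) {
    return e instanceof PrototypeLookup ? 'propagated' : 'other:' + (e && e.name);
  }
}

// Constructors audited by the entry above, with minimal valid arguments.
const audited = [
  [Object, []], [Array, []], [Boolean, [true]], [Number, [1]], [String, ['s']],
  [Date, [0]], [Error, ['e']], [RangeError, ['e']], [RegExp, ['a']],
  [ArrayBuffer, [8]], [Uint8Array, [4]], [Promise, [() => {}]],
  [Map, []], [Set, []], [WeakMap, []], [WeakSet, []],
];

function auditAll() {
  return Object.fromEntries(audited.map(([c, a]) => [c.name, constructWith(c, a)]));
}

console.log(auditAll());   // every value: 'propagated'
```

Any entry reporting `constructed` means the engine ignored an abrupt completion from the prototype lookup and went on to build the object, which is the class of bug the patch audits for.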
2159
2160 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
2161
2162         Fix build and implement functions to retrieve registers on FreeBSD
2163         https://bugs.webkit.org/show_bug.cgi?id=152258
2164
2165         Reviewed by Michael Catanzaro.
2166
2167         * heap/MachineStackMarker.cpp:
2168         (pthreadSignalHandlerSuspendResume):
2169         struct ucontext is not specified in POSIX and it is not available on
2170         FreeBSD. Replacing it with ucontext_t fixes the build problem.
2171         (JSC::MachineThreads::Thread::Registers::stackPointer):
2172         (JSC::MachineThreads::Thread::Registers::framePointer):
2173         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2174         (JSC::MachineThreads::Thread::Registers::llintPC):
2175         * heap/MachineStackMarker.h:
2176
2177 2016-02-22  Saam barati  <sbarati@apple.com>
2178
2179         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
2180         https://bugs.webkit.org/show_bug.cgi?id=154552
2181
2182         Reviewed by Mark Lam.
2183
2184         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
2185         They return false on a Proxy with internal [[Call]] and [[Construct]]
2186         properties. It seems safest, most forward looking, and most adherent
2187         to the specification to check getCallData() and getConstructData() to
2188         implement these functions.
2189
2190         * runtime/InternalFunction.cpp:
2191         (JSC::InternalFunction::createSubclassStructure):
2192         * runtime/JSCJSValueInlines.h:
2193         (JSC::JSValue::isFunction):
2194         (JSC::JSValue::isConstructor):
2195
2196 2016-02-22  Keith Miller  <keith_miller@apple.com>
2197
2198         Bound functions should use the prototype of the function being bound
2199         https://bugs.webkit.org/show_bug.cgi?id=154195
2200
2201         Reviewed by Geoffrey Garen.
2202
2203         Per ES6, the result of Function.prototype.bind should have the same
2204         prototype as the function being bound. In order to avoid creating
2205         a new structure each time a function is bound we store the new
2206         structure in our structure map. However, we cannot currently store
2207         structures that have a different GlobalObject than their prototype.
2208         In the rare case that the GlobalObject differs or the prototype of
2209         the bindee is null we create a new structure each time. To further
2210         minimize new structures, as well as making structure lookup faster,
2211         we also store the structure in the RareData of the function we
2212         are binding.
2213
2214         * runtime/FunctionRareData.cpp:
2215         (JSC::FunctionRareData::visitChildren):
2216         * runtime/FunctionRareData.h:
2217         (JSC::FunctionRareData::getBoundFunctionStructure):
2218         (JSC::FunctionRareData::setBoundFunctionStructure):
2219         * runtime/JSBoundFunction.cpp:
2220         (JSC::getBoundFunctionStructure):
2221         (JSC::JSBoundFunction::create):
2222         * tests/es6.yaml:
2223         * tests/stress/bound-function-uses-prototype.js: Added.
2224         (testChangeProto.foo):
2225         (testChangeProto):
2226         (testBuiltins):
2227         * tests/stress/class-subclassing-function.js:
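
An added example, not JavaScriptCore's own code or the test file listed above, checking the ES2015 rule this entry implements: the bound function's [[Prototype]] is taken from the target function rather than fixed at Function.prototype. It covers ordinary, generator and async functions, a function with a custom [[Prototype]], and the null-prototype case the entry calls out (where `fn.bind` itself is no longer reachable through inheritance). Helper and function names are illustrative.

```javascript
// Added example, not JavaScriptCore code: ES2015 Function.prototype.bind gives
// the bound function the [[Prototype]] of the target function rather than a
// fixed Function.prototype.

// Binds via Function.prototype.bind.call so that a null-prototype target,
// which has no inherited `bind`, can still be exercised.
function boundPrototypeMatches(fn) {
  const bound = Function.prototype.bind.call(fn, null);
  return Object.getPrototypeOf(bound) === Object.getPrototypeOf(fn);
}

function ordinary() {}
function* generator() {}
async function asyncFn() {}

// Custom prototype object inserted between the function and Function.prototype;
// the bound function should inherit `tag` through it.
const tagged = Object.create(Function.prototype, { tag: { value: 'custom' } });
function custom() {}
Object.setPrototypeOf(custom, tagged);

// Null prototype: bind must not silently fall back to Function.prototype.
function nullProto() {}
Object.setPrototypeOf(nullProto, null);

function bindPrototypeResults() {
  return {
    ordinary: boundPrototypeMatches(ordinary),
    generator: boundPrototypeMatches(generator),
    async: boundPrototypeMatches(asyncFn),
    custom: boundPrototypeMatches(custom),
    customInheritsTag: Function.prototype.bind.call(custom, null).tag === 'custom',
    nullProto: boundPrototypeMatches(nullProto),
    // Binding a bound function: the new one takes the first one's prototype.
    rebound: boundPrototypeMatches(Function.prototype.bind.call(custom, null)),
  };
}

console.log(bindPrototypeResults());   // every value true
```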
2228
2229 2016-02-22  Keith Miller  <keith_miller@apple.com>
2230
2231         Unreviewed, fix stress test to not print on success.
2232
2233         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
2234         (catch): Deleted.
2235
2236 2016-02-22  Keith Miller  <keith_miller@apple.com>
2237
2238         Use Symbol.species in the builtin TypedArray.prototype functions
2239         https://bugs.webkit.org/show_bug.cgi?id=153384
2240
2241         Reviewed by Geoffrey Garen.
2242
2243         This patch adds the use of species constructors to the TypedArray.prototype map and filter
2244         functions. It also adds a new private function typedArrayGetOriginalConstructor that
2245         returns the TypedArray constructor used to originally create a TypedArray instance.
2246
2247         There are no ES6 tests to update for this patch as species creation for these functions is
2248         not tested in the compatibility table.
2249
2250         * builtins/TypedArrayPrototype.js:
2251         (map):
2252         (filter):
2253         * bytecode/BytecodeIntrinsicRegistry.cpp:
2254         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2255         * bytecode/BytecodeIntrinsicRegistry.h:
2256         * runtime/CommonIdentifiers.h:
2257         * runtime/JSGlobalObject.cpp:
2258         (JSC::JSGlobalObject::init):
2259         (JSC::JSGlobalObject::visitChildren):
2260         * runtime/JSGlobalObject.h:
2261         (JSC::JSGlobalObject::typedArrayConstructor):
2262         * runtime/JSTypedArrayViewPrototype.cpp:
2263         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
2264         * runtime/JSTypedArrayViewPrototype.h:
2265         * tests/stress/typedarray-filter.js:
2266         (subclasses.typedArrays.map):
2267         (prototype.accept):
2268         (testSpecies):
2269         (accept):
2270         (forEach):
2271         (subclasses.forEach):
2272         (testSpeciesRemoveConstructor):
2273         * tests/stress/typedarray-map.js:
2274         (subclasses.typedArrays.map):
2275         (prototype.id):
2276         (testSpecies):
2277         (id):
2278         (forEach):
2279         (subclasses.forEach):
2280         (testSpeciesRemoveConstructor):
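
An added example, not JavaScriptCore's own code or the typedarray-map/filter tests listed above, showing how Symbol.species steers the result type of TypedArray.prototype.map and filter: a subclass gets subclass results by default, overriding the species getter changes that, `undefined` falls back to the default constructor for the element type, and a species constructor that returns a non-TypedArray, or one shorter than the requested length, is rejected with a TypeError rather than used. Class and function names are illustrative.

```javascript
// Added example, not JavaScriptCore code: Symbol.species in
// TypedArray.prototype.map and filter, including the two rejection cases.

class Tagged extends Uint8Array {}                       // default species: Tagged itself

class Untagged extends Uint8Array {                      // opt out: results are plain Uint8Array
  static get [Symbol.species]() { return Uint8Array; }
}

class NoSpecies extends Uint8Array {                     // undefined falls back to the default ctor
  static get [Symbol.species]() { return undefined; }
}

function speciesOutcome() {
  const t = new Tagged([1, 2, 3]);
  const u = new Untagged([1, 2, 3]);
  const n = new NoSpecies([1, 2, 3]);
  return {
    mapKeepsSubclass: t.map(x => x * 2) instanceof Tagged,
    filterKeepsSubclass: t.filter(x => x > 1) instanceof Tagged,
    mapHonoursSpecies: u.map(x => x) instanceof Uint8Array && !(u.map(x => x) instanceof Untagged),
    undefinedSpeciesUsesDefault: n.filter(() => true).constructor === Uint8Array,
    valuesPreserved: Array.from(t.map(x => x * 2)).join() === '2,4,6',
  };
}

// Species constructor returns something that is not a TypedArray.
function nonTypedArraySpeciesThrows() {
  class Broken extends Uint8Array {
    static get [Symbol.species]() { return function () { return {}; }; }
  }
  try { new Broken([1, 2, 3]).map(x => x); return false; }
  catch (e) { return e instanceof TypeError; }
}

// Species constructor returns a TypedArray shorter than the length map asked for.
function shortSpeciesThrows() {
  class Short extends Uint8Array {
    static get [Symbol.species]() { return function () { return new Uint8Array(1); }; }
  }
  try { new Short([1, 2, 3]).map(x => x); return false; }
  catch (e) { return e instanceof TypeError; }
}

console.log(speciesOutcome());   // every value true
```

The two `*Throws` cases are the ones worth keeping in mind when reviewing species handling: the species constructor is user code that runs inside a builtin, so the builtin has to validate what comes back before writing into it.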
2281
2282 2016-02-22  Keith Miller  <keith_miller@apple.com>
2283
2284         Builtins that should not rely on iteration do.
2285         https://bugs.webkit.org/show_bug.cgi?id=154475
2286
2287         Reviewed by Geoffrey Garen.
2288
2289         When changing the behavior of varargs calls to use ES6 iterators the
2290         call builtin function's use of a varargs call was overlooked. The use
2291         of iterators is observable outside the scope of the call function,
2292         thus it must be reimplemented.
2293
2294         * builtins/FunctionPrototype.js:
2295         (call):
2296         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
2297         (test):
2298         (addAll):
2299         (catch):
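
An added example, not JavaScriptCore's own code or the test file listed above, that makes the observability point concrete: it installs a counting replacement for Array.prototype[Symbol.iterator] and checks which argument-passing forms fetch it. call, apply and Reflect.apply must not; spread syntax and Array.from must. Replacing that iterator is exactly what a prototype-pollution payload can do, so a builtin that iterated would hand control to attacker code on every call. Helper names are illustrative.

```javascript
// Added example, not JavaScriptCore code: count fetches of the (replaced)
// Array.prototype[Symbol.iterator] under different argument-passing forms.

// Runs `action` with a counting Array iterator installed, restoring the
// original afterwards, and returns how many times the iterator was fetched.
function countIteratorFetches(action) {
  const original = Array.prototype[Symbol.iterator];
  let fetches = 0;
  Array.prototype[Symbol.iterator] = function () {
    fetches++;
    return original.call(this);
  };
  try {
    action();
  } finally {
    Array.prototype[Symbol.iterator] = original;   // never leave the hook installed
  }
  return fetches;
}

// Rest parameters and reduce do not touch the array iterator either.
function addAll(...xs) {
  return xs.reduce((a, b) => a + b, 0);
}

function iteratorFetchCounts() {
  const args = [1, 2, 3];
  return {
    call: countIteratorFetches(() => addAll.call(null, 1, 2, 3)),
    apply: countIteratorFetches(() => addAll.apply(null, args)),
    reflectApply: countIteratorFetches(() => Reflect.apply(addAll, null, args)),
    spread: countIteratorFetches(() => addAll(...args)),
    arrayFrom: countIteratorFetches(() => Array.from(args)),
  };
}

console.log(iteratorFetchCounts());   // { call: 0, apply: 0, reflectApply: 0, spread: 1, arrayFrom: 1 }
```

apply and Reflect.apply read the arguments with CreateListFromArrayLike (length plus indexed gets), which is why a self-hosted `call` that forwarded through a varargs spread would be observably different from the native one.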
2300
2301 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
2302
2303         [JSC shell] Don't put empty arguments array to VM.
2304         https://bugs.webkit.org/show_bug.cgi?id=154516
2305
2306         Reviewed by Geoffrey Garen.
2307
2308         This allows the arrowfunction-lexical-bind-arguments-top-level test to pass
2309         in jsc as well as in browser.
2310
2311         * jsc.cpp:
2312         (GlobalObject::finishCreation):
2313
2314 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
2315
2316         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
2317         https://bugs.webkit.org/show_bug.cgi?id=154450
2318
2319         Reviewed by Alex Christensen.
2320
2321         * CMakeLists.txt:
2322
2323 2016-02-22  Commit Queue  <commit-queue@webkit.org>
2324
2325         Unreviewed, rolling out r196891.
2326         https://bugs.webkit.org/show_bug.cgi?id=154539
2327
2328         it broke Production builds (Requested by brrian on #webkit).
2329
2330         Reverted changeset:
2331
2332         "Web Inspector: add 'Automation' protocol domain and generate
2333         its backend classes separately in WebKit2"
2334         https://bugs.webkit.org/show_bug.cgi?id=154509
2335         http://trac.webkit.org/changeset/196891
2336
2337 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
2338
2339         CodeBlock always visits its unlinked code twice
2340         https://bugs.webkit.org/show_bug.cgi?id=154494
2341
2342         Reviewed by Saam Barati.
2343
2344         * bytecode/CodeBlock.cpp:
2345         (JSC::CodeBlock::visitChildren):
2346         The unlinked code is always visited in stronglyVisitStrongReferences.
2347
2348 2016-02-21  Brian Burg  <bburg@apple.com>
2349
2350         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2351         https://bugs.webkit.org/show_bug.cgi?id=154509
2352         <rdar://problem/24759098>
2353
2354         Reviewed by Timothy Hatcher.
2355
2356         Add a new 'WebKit' framework, which is used to generate protocol code
2357         in WebKit2.
2358
2359         Add --backend and --frontend flags to the main generator script.
2360         These allow a framework to trigger two different sets of generators
2361         so they can be separately generated and compiled.
2362
2363         * inspector/scripts/codegen/models.py:
2364         (Framework.fromString):
2365         (Frameworks): Add new framework.
2366
2367         * inspector/scripts/generate-inspector-protocol-bindings.py:
2368         If neither --backend nor --frontend is specified, assume both are wanted.
2369         This matches the behavior for JavaScriptCore and WebInspector frameworks.
2370
2371         (generate_from_specification):
2372         Generate C++ files for the backend and Objective-C files for the frontend.
2373
2374 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2375
2376         Improvements to Intl code
2377         https://bugs.webkit.org/show_bug.cgi?id=154486
2378
2379         Reviewed by Darin Adler.
2380
2381         This patch does several things:
2382         - Use std::unique_ptr to store ICU objects.
2383         - Pass Vector::size() to ICU functions that take a buffer size instead
2384           of Vector::capacity().
2385         - If U_SUCCESS(status) is true, it means there is no error, but there
2386           could be warnings. ICU functions ignore warnings. So, there is no need
2387           to reset status to U_ZERO_ERROR.
2388         - Remove the initialization of the String instance variables of
2389           IntlDateTimeFormat. These values are never read and cause unnecessary
2390           memory allocation.
2391         - Fix coding style.
2392         - Some small optimization.
2393
2394         * runtime/IntlCollator.cpp:
2395         (JSC::IntlCollator::UCollatorDeleter::operator()):
2396         (JSC::IntlCollator::createCollator):
2397         (JSC::IntlCollator::compareStrings):
2398         (JSC::IntlCollator::~IntlCollator): Deleted.
2399         * runtime/IntlCollator.h:
2400         * runtime/IntlDateTimeFormat.cpp:
2401         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
2402         (JSC::defaultTimeZone):
2403         (JSC::canonicalizeTimeZoneName):
2404         (JSC::toDateTimeOptionsAnyDate):
2405         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2406         (JSC::IntlDateTimeFormat::weekdayString):
2407         (JSC::IntlDateTimeFormat::format):
2408         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
2409         (JSC::localeData): Deleted.
2410         * runtime/IntlDateTimeFormat.h:
2411         * runtime/IntlDateTimeFormatConstructor.cpp:
2412         * runtime/IntlNumberFormatConstructor.cpp:
2413         * runtime/IntlObject.cpp:
2414         (JSC::numberingSystemsForLocale):
2415
2416 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
2417
2418         Remove arrowfunction test cases that rely on arguments variable in jsc
2419         https://bugs.webkit.org/show_bug.cgi?id=154517
2420
2421         Reviewed by Yusuke Suzuki.
2422
2423         Allow jsc to have the same behavior in JavaScript as the browser has
2424
2425         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
2426         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
2427
2428 2016-02-21  Brian Burg  <bburg@apple.com>
2429
2430         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
2431         https://bugs.webkit.org/show_bug.cgi?id=154508
2432         <rdar://problem/24759077>
2433
2434         Reviewed by Timothy Hatcher.
2435
2436         In preparation for being able to generate protocol files for WebKit2,
2437         make it possible to not emit generated code that's guarded by
2438         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
2439         backend dispatchers generated outside of JavaScriptCore. We can't just
2440         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
2441         in the configurations where the code is actually used.
2442
2443         Add a new opt-in Framework configuration option that turns on generating
2444         this code. Adjust how the code is generated so that it can be easily excluded.
2445
2446         * inspector/scripts/codegen/cpp_generator_templates.py:
2447         Make a separate template for the declarations that are guarded.
2448         Add an initializer expression so the order of initializers doesn't matter.
2449
2450         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2451         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
2452         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2453         If the declarations are needed, they will be appended to the end of the
2454         declarations list.
2455
2456         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2457         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
2458         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
2459
2460         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
2461         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
2462
2463         Rebaseline affected tests.
2464
2465         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2466         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2467         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2468         * inspector/scripts/tests/expected/enum-values.json-result:
2469         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2470
2471 2016-02-21  Brian Burg  <bburg@apple.com>
2472
2473         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
2474         https://bugs.webkit.org/show_bug.cgi?id=154505
2475         <rdar://problem/24758042>
2476
2477         Reviewed by Timothy Hatcher.
2478
2479         It should be possible to generate code for a framework using some generators
2480         that other frameworks also use. Right now the generator selection code assumes
2481         that use of a generator is mutually exclusive among non-test frameworks.
2482
2483         Make this code explicitly switch on the framework. Reorder generators
2484         alphabetically within each case.
2485
2486         * inspector/scripts/generate-inspector-protocol-bindings.py:
2487         (generate_from_specification):
2488
2489         Rebaseline tests that are affected by generator reorderings.
2490
2491         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2492         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2493         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2494         * inspector/scripts/tests/expected/enum-values.json-result:
2495         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2496         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2497         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2498         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2499         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2500         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2501         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2502         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2503         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2504
2505 2016-02-19  Saam Barati  <sbarati@apple.com>
2506
2507         [ES6] Implement Proxy.[[Construct]]
2508         https://bugs.webkit.org/show_bug.cgi?id=154440
2509
2510         Reviewed by Oliver Hunt.
2511
2512         This patch is mostly an implementation of
2513         Proxy.[[Construct]] with respect to section 9.5.13
2514         of the ECMAScript spec.
2515         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
2516
2517         This patch also changes op_create_this to accept new.target's
2518         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
2519         because we might construct a JSFunction with a new.target being
2520         a Proxy. This will also be needed when we implement Reflect.construct.
2521
2522         * dfg/DFGOperations.cpp:
2523         * dfg/DFGSpeculativeJIT32_64.cpp:
2524         (JSC::DFG::SpeculativeJIT::compile):
2525         * dfg/DFGSpeculativeJIT64.cpp:
2526         (JSC::DFG::SpeculativeJIT::compile):
2527         * jit/JITOpcodes.cpp:
2528         (JSC::JIT::emit_op_create_this):
2529         (JSC::JIT::emitSlow_op_create_this):
2530         * jit/JITOpcodes32_64.cpp:
2531         (JSC::JIT::emit_op_create_this):
2532         (JSC::JIT::emitSlow_op_create_this):
2533         * llint/LLIntData.cpp:
2534         (JSC::LLInt::Data::performAssertions):
2535         * llint/LowLevelInterpreter.asm:
2536         * llint/LowLevelInterpreter32_64.asm:
2537         * llint/LowLevelInterpreter64.asm:
2538         * runtime/CommonSlowPaths.cpp:
2539         (JSC::SLOW_PATH_DECL):
2540         * runtime/ProxyObject.cpp:
2541         (JSC::ProxyObject::finishCreation):
2542         (JSC::ProxyObject::visitChildren):
2543         (JSC::performProxyConstruct):
2544         (JSC::ProxyObject::getConstructData):
2545         * runtime/ProxyObject.h:
2546         * tests/es6.yaml:
2547         * tests/stress/proxy-construct.js: Added.
2548         (assert):
2549         (throw.new.Error.let.target):
2550         (throw.new.Error):
2551         (assert.let.target):
2552         (assert.let.handler.get construct):
2553         (let.target):
2554         (let.handler.construct):
2555         (i.catch):
2556         (assert.let.handler.construct):
2557         (assert.let.construct):
2558         (assert.else.assert.let.target):
2559         (assert.else.assert.let.construct):
2560         (assert.else.assert):
2561         (new.proxy.let.target):
2562         (new.proxy.let.construct):
2563         (new.proxy):
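
An added example, not JavaScriptCore's own code or the proxy-construct.js test listed above, exercising the Proxy [[Construct]] behaviour of section 9.5.13 from script: the `construct` trap receives (target, argumentsList, newTarget); when the proxy itself is `new`ed, newTarget is the proxy, so `new.target` inside the forwarded target is not the bare function; a trap result that is not an Object is a TypeError; and, matching the point the entry makes about op_create_this, a Proxy over a constructor is itself usable as `new.target` for another constructor, while a Proxy over a non-constructor cannot be `new`ed at all. Names such as `Target` and `proxied` are illustrative.

```javascript
// Added example, not JavaScriptCore code: Proxy [[Construct]] trap semantics.

function Target(a, b) {
  this.sum = a + b;
  this.sawProxyAsNewTarget = new.target !== Target;
}

const trapLog = [];

const proxied = new Proxy(Target, {
  construct(target, args, newTarget) {
    trapLog.push({ argc: args.length, newTargetIsProxy: newTarget === proxied });
    // Forward the original newTarget so the result's [[Prototype]] and
    // `new.target` reflect the proxy, not the bare target.
    return Reflect.construct(target, args, newTarget);
  },
});

function constructViaProxy(a, b) {
  const before = trapLog.length;
  const obj = new proxied(a, b);
  return {
    sum: obj.sum,
    sawProxyAsNewTarget: obj.sawProxyAsNewTarget,
    isInstance: obj instanceof proxied,
    trapRan: trapLog.length === before + 1 && trapLog[trapLog.length - 1].newTargetIsProxy,
  };
}

// A proxy can serve as new.target for a different constructor; no trap runs
// here because Target.[[Construct]] is called directly.
function proxyAsNewTarget() {
  const obj = Reflect.construct(Target, [2, 3], proxied);
  return obj.sawProxyAsNewTarget && Object.getPrototypeOf(obj) === Target.prototype;
}

// Trap returning a primitive: `new` must throw a TypeError.
function primitiveTrapResultThrows() {
  const bad = new Proxy(Target, { construct() { return 42; } });
  try { new bad(1, 2); return false; } catch (e) { return e instanceof TypeError; }
}

// Proxy over an arrow function has no [[Construct]]; `new` throws TypeError
// even though a construct trap is supplied.
function nonConstructorProxyThrows() {
  const notCtor = new Proxy(() => {}, { construct() { return {}; } });
  try { new notCtor(); return false; } catch (e) { return e instanceof TypeError; }
}

console.log(constructViaProxy(1, 2));   // { sum: 3, sawProxyAsNewTarget: true, isInstance: true, trapRan: true }
```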
2564
2565 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2566
2567         [INTL] Implement Number Format Functions
2568         https://bugs.webkit.org/show_bug.cgi?id=147605
2569
2570         Reviewed by Darin Adler.
2571
2572         This patch implements Intl.NumberFormat.prototype.format() according
2573         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
2574
2575         * runtime/IntlNumberFormat.cpp:
2576         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
2577         (JSC::IntlNumberFormat::initializeNumberFormat):
2578         (JSC::IntlNumberFormat::createNumberFormat):
2579         (JSC::IntlNumberFormat::formatNumber):
2580         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
2581         * runtime/IntlNumberFormat.h:
2582         * runtime/IntlNumberFormatPrototype.cpp:
2583         (JSC::IntlNumberFormatFuncFormatNumber):
2584
2585 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
2586
2587         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
2588         https://bugs.webkit.org/show_bug.cgi?id=154416
2589
2590         Reviewed by Geoff Garen.
2591
2592         Here's the bug. Suppose you call JSObject::getOwnProperty and -
2593           - PropertyName contains an index,
2594           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
2595           - The base of the access (or another object on the prototype chain) shadows that property.
2596
2597         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
2598         index, and as such walks up the prototype chain looking for non-index properties before it
2599         tries calling parseIndex.
2600
2601         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
2602         would potentially return the property) we may have already skipped over non-overriding
2603         objects that contain the property in index storage.
2604
2605         * runtime/JSObject.h:
2606         (JSC::JSObject::getOwnNonIndexPropertySlot):
2607             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
2608               added ASSERT guarding that this method never returns index properties -
2609               if it ever does, this is unsafe for getPropertySlot.
2610         (JSC::JSObject::getOwnPropertySlot):
2611             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
2612         (JSC::JSObject::getPropertySlot):
2613             - In case of object overriding getOwnPropertySlot check if propertyName is an index.
2614         (JSC::JSObject::getNonIndexPropertySlot):
2615             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
2616               in order to avoid repeated calls to parseIndex.
2617         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
2618             - this was renamed to getOwnNonIndexPropertySlot.
2619         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
2620             - this was folded back into getPropertySlot.
2621
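The shadowing case described in the entry above can be reproduced from script: a plain object in the middle of a prototype chain holds an index property in its index storage, while an object further up with an exotic [[GetOwnProperty]] (a Proxy, or a String wrapper; in JSC these are the objects that override getOwnPropertySlot) also claims that index. The correct result is the value from the nearer object; the bug described above would have returned the exotic object's value. The following is an added example written for this page, not part of the WebKit patch or its tests; buildChain, proxyExotic and lookupResults are names invented for it, and the chain uses Object.defineProperty on the middle object because a String wrapper's index properties are non-writable and would otherwise block the assignment in strict mode.

```javascript
'use strict';

// Build leaf -> mid -> exotic, where only `mid` and `exotic` carry index properties.
// `mid` is an ordinary object, so its '0' lives in ordinary index storage.
function buildChain(exotic) {
  const mid = Object.create(exotic);
  Object.defineProperty(mid, '0', { value: 'mid', writable: true, enumerable: true, configurable: true });
  const leaf = Object.create(mid);
  return { leaf, mid };
}

// An exotic prototype implemented with a Proxy that claims every numeric index.
// (Constructed for the example; the target is extensible, so reporting extra
// properties does not violate the has/get invariants.)
function proxyExotic() {
  const isIndex = k => /^\d+$/.test(String(k));
  return new Proxy({}, {
    has: (t, k) => isIndex(k) || Reflect.has(t, k),
    get: (t, k, r) => (isIndex(k) ? 'exotic' : Reflect.get(t, k, r)),
  });
}

function lookupResults() {
  const viaProxy = buildChain(proxyExotic());
  const viaString = buildChain(new String('xyz')); // String wrapper exposes indices 0..2 exotically
  const out = {
    proxyChain: viaProxy.leaf[0],              // 'mid': shadowed below the exotic object
    proxyChainUnshadowed: viaProxy.leaf[5],    // 'exotic': nothing nearer owns index 5
    exoticDirect: Object.getPrototypeOf(viaProxy.mid)[0], // 'exotic': asking the proxy itself
    stringChain: viaString.leaf[0],            // 'mid'
    stringChainUnshadowed: viaString.leaf[1],  // 'y': falls through to the String wrapper
    inOperator: 0 in viaProxy.leaf && 5 in viaProxy.leaf, // true: both resolve somewhere
  };
  // Shadowing at the base itself: an own index property beats everything above it.
  viaProxy.leaf[5] = 'own';
  out.afterOwnWrite = viaProxy.leaf[5];        // 'own'
  return out;
}
```

The values in the comments are what a spec-conforming engine returns; the point of the JSC change above is that the fast non-index walk must not skip over mid's index storage on its way to the overriding prototype.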
2622 2016-02-19  Saam Barati  <sbarati@apple.com>
2623
2624         [ES6] Implement Proxy.[[Call]]
2625         https://bugs.webkit.org/show_bug.cgi?id=154425
2626
2627         Reviewed by Mark Lam.
2628
2629         This patch is a straightforward implementation of
2630         Proxy.[[Call]] with respect to section 9.5.12
2631         of the ECMAScript spec.
2632         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
2633
2634         * runtime/ProxyObject.cpp:
2635         (JSC::ProxyObject::finishCreation):
2636         (JSC::performProxyGet):
2637         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2638         (JSC::ProxyObject::performHasProperty):
2639         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2640         (JSC::performProxyCall):
2641         (JSC::ProxyObject::getCallData):
2642         (JSC::ProxyObject::visitChildren):
2643         * runtime/ProxyObject.h:
2644         (JSC::ProxyObject::create):
2645         * tests/es6.yaml:
2646         * tests/stress/proxy-call.js: Added.
2647         (assert):
2648         (throw.new.Error.let.target):
2649         (throw.new.Error.let.handler.apply):
2650         (throw.new.Error):
2651         (assert.let.target):
2652         (assert.let.handler.get apply):
2653         (let.target):
2654         (let.handler.apply):
2655         (i.catch):
2656         (assert.let.handler.apply):
2657
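The two Proxy entries above (Proxy.[[Construct]], whose description is cut off at the top of this section, and Proxy.[[Call]]) describe behaviour that is observable from script: with no construct trap, new.target inside the target constructor is the proxy itself, so the new object's prototype is fetched through the proxy's get trap; a construct trap must return an object; an apply trap receives the thisArg and the argument list, and a proxy whose target is not callable is not callable either. The following is an added example written for this page, not WebKit's proxy-construct.js or proxy-call.js tests; Target, forwarding, trapped, badTrap, callTrapped and thrown are names chosen for the example. It runs in any ES2015 engine with Proxy and Reflect.

```javascript
'use strict';

function thrown(fn) { try { fn(); return null; } catch (e) { return e.constructor.name; } }

function Target(x) {
  this.x = x;
  this.seenNewTarget = new.target;   // records what [[Construct]] passed as newTarget
}
Target.prototype.kind = 'target-proto';

const altProto = { kind: 'proxy-supplied-proto' };

// Proxy with NO construct trap: Proxy.[[Construct]] forwards to Target.[[Construct]]
// with newTarget === the proxy, so the `prototype` lookup for the new object goes
// through the proxy's get trap. This works because a plain function's `prototype`
// is writable, so the get-trap invariant for non-writable data properties does not apply.
const forwarding = new Proxy(Target, {
  get(target, key, receiver) {
    if (key === 'prototype') return altProto;
    return Reflect.get(target, key, receiver);
  },
});

function constructThroughForwardingProxy() {
  const obj = new forwarding(1);
  return {
    newTargetIsProxy: obj.seenNewTarget === forwarding,
    protoFromTrap: Object.getPrototypeOf(obj) === altProto,
    kind: obj.kind,                                  // 'proxy-supplied-proto'
  };
}

// Proxy WITH a construct trap: the trap gets (target, args, newTarget) and must return an object.
const trapped = new Proxy(Target, {
  construct(target, args, newTarget) {
    return { viaTrap: true, newTargetIsProxy: newTarget === trapped, args };
  },
});
function constructThroughTrap() { return new trapped(2, 3); }

// A trap that returns a primitive violates the [[Construct]] contract -> TypeError.
const badTrap = new Proxy(Target, { construct() { return 42; } });
function constructWithBadTrap() { return thrown(() => new badTrap()); }

// Reflect.construct lets the caller pass an explicit newTarget, which may itself be a proxy.
function reflectConstructWithProxyNewTarget() {
  const obj = Reflect.construct(Target, [7], forwarding);
  return { x: obj.x, protoFromTrap: Object.getPrototypeOf(obj) === altProto };
}

// Proxy.[[Call]]: the apply trap sees the receiver and arguments.
const callTrapped = new Proxy(function greet(name) { return `${this.prefix} ${name}`; }, {
  apply(target, thisArg, args) {
    return { thisArg, args, inner: Reflect.apply(target, thisArg, args) };
  },
});
function callThroughTrap() { return callTrapped.call({ prefix: 'hi' }, 'bob'); }

// No apply trap: the call is forwarded to the target unchanged.
function callForwarding() {
  const p = new Proxy((a, b) => a + b, {});
  return [typeof p, p(2, 3)];                        // ['function', 5]
}

// A proxy is callable only if its target is; an apply trap alone does not make it so.
function callNonCallableProxy() {
  const p = new Proxy({}, { apply() { return 1; } });
  return [typeof p, thrown(() => p())];              // ['object', 'TypeError']
}
```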
2658 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
2659
2660         Remove more LLVM related dead code after r196729
2661         https://bugs.webkit.org/show_bug.cgi?id=154387
2662
2663         Reviewed by Filip Pizlo.
2664
2665         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
2666         * Configurations/LLVMForJSC.xcconfig: Removed.
2667         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
2668         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
2669         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
2670         * JavaScriptCore.xcodeproj/project.pbxproj:
2671         * disassembler/X86Disassembler.cpp:
2672
2673 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2674
2675         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
2676         https://bugs.webkit.org/show_bug.cgi?id=154442
2677
2678         Reviewed by Saam Barati.
2679
2680         * runtime/JSString.h:
2681         (JSC::isJSString):
2682
2683 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2684
2685         Remove unused SymbolTable::createNameScopeTable
2686         https://bugs.webkit.org/show_bug.cgi?id=154443
2687
2688         Reviewed by Saam Barati.
2689
2690         * runtime/SymbolTable.h:
2691
2692 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
2693
2694         [JSC] Improve the instruction selection of Select
2695         https://bugs.webkit.org/show_bug.cgi?id=154432
2696
2697         Reviewed by Filip Pizlo.
2698
2699         Plenty of code but this patch is pretty dumb:
2700         -On ARM64: use the 3 operand form of CSEL instead of forcing a source
2701          to be aliased to the destination. This gives more freedom to the register
2702          allocator and it is one less Move to process per Select.
2703         -On x86, introduce a fake 3 operands form and use aggressive aliasing
2704          to try to alias both sources to the destination.
2705
2706          If aliasing succeeds on the "elseCase", the condition of the Select
2707          is reverted in the MacroAssembler.
2708
2709          If no aliasing is possible and we end up with 3 registers, the missing
2710          move instruction is generated by the MacroAssembler.
2711
2712          The missing move is generated after testing the values because the destination
2713          can use the same register as one of the test operands.
2714          Experimental testing seems to indicate there is no macro-fusion on CMOV, so
2715          there is no measurable cost to having the move there.
2716
2717         * assembler/MacroAssembler.h:
2718         (JSC::MacroAssembler::isInvertible):
2719         (JSC::MacroAssembler::invert):
2720         * assembler/MacroAssemblerARM64.h:
2721         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
2722         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
2723         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2724         (JSC::MacroAssemblerARM64::moveConditionally32):
2725         (JSC::MacroAssemblerARM64::moveConditionally64):
2726         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2727         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
2728         * assembler/MacroAssemblerX86Common.h:
2729         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2730         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2731         (JSC::MacroAssemblerX86Common::moveConditionally32):
2732         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
2733         (JSC::MacroAssemblerX86Common::invert):
2734         (JSC::MacroAssemblerX86Common::isInvertible):
2735         * assembler/MacroAssemblerX86_64.h:
2736         (JSC::MacroAssemblerX86_64::moveConditionally64):
2737         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
2738         * b3/B3LowerToAir.cpp:
2739         (JSC::B3::Air::LowerToAir::createSelect):
2740         (JSC::B3::Air::LowerToAir::lower):
2741         * b3/air/AirInstInlines.h:
2742         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2743         * b3/air/AirOpcode.opcodes:
2744
2745 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2746
2747         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
2748         https://bugs.webkit.org/show_bug.cgi?id=154430
2749
2750         Reviewed by Saam Barati.
2751
2752         llvm isn't used anymore.
2753
2754         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
2755
2756 2016-02-18  Saam Barati  <sbarati@apple.com>
2757
2758         Implement Proxy.[[HasProperty]]
2759         https://bugs.webkit.org/show_bug.cgi?id=154313
2760
2761         Reviewed by Filip Pizlo.
2762
2763         This patch is a straightforward implementation of
2764         Proxy.[[HasProperty]] with respect to section 9.5.7
2765         of the ECMAScript spec.
2766         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
2767
2768         * runtime/ProxyObject.cpp:
2769         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2770         (JSC::ProxyObject::performHasProperty):
2771         (JSC::ProxyObject::getOwnPropertySlotCommon):
2772         * runtime/ProxyObject.h:
2773         * tests/es6.yaml:
2774         * tests/stress/proxy-basic.js:
2775         (assert):
2776         (let.handler.has):
2777         * tests/stress/proxy-has-property.js: Added.
2778         (assert):
2779         (throw.new.Error.let.handler.get has):
2780         (throw.new.Error):
2781         (assert.let.handler.has):
2782         (let.handler.has):
2783         (getOwnPropertyDescriptor):
2784         (i.catch):
2785
2786 2016-02-18  Saam Barati  <sbarati@apple.com>
2787
2788         Proxies don't properly handle Symbols as PropertyKeys.
2789         https://bugs.webkit.org/show_bug.cgi?id=154385
2790
2791         Reviewed by Mark Lam and Yusuke Suzuki.
2792
2793         We were converting all PropertyKeys to strings, even when
2794         the PropertyName was a Symbol. In the spec, PropertyKeys are
2795         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
2796         Proxy.[[GetOwnProperty]].
2797
2798         * runtime/Completion.cpp:
2799         (JSC::profiledEvaluate):
2800         (JSC::createSymbolForEntryPointModule):
2801         (JSC::identifierToJSValue): Deleted.
2802         * runtime/Identifier.h:
2803         (JSC::parseIndex):
2804         * runtime/IdentifierInlines.h:
2805         (JSC::Identifier::fromString):
2806         (JSC::identifierToJSValue):
2807         (JSC::identifierToSafePublicJSValue):
2808         * runtime/ProxyObject.cpp:
2809         (JSC::performProxyGet):
2810         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2811         * tests/es6.yaml:
2812         * tests/stress/proxy-basic.js:
2813         (let.handler.getOwnPropertyDescriptor):
2814
2815 2016-02-18  Saam Barati  <sbarati@apple.com>
2816
2817         Follow up fix to Implement Proxy.[[GetOwnProperty]]
2818         https://bugs.webkit.org/show_bug.cgi?id=154314
2819
2820         Reviewed by Filip Pizlo.
2821
2822         Part of the implementation was broken because
2823         of how JSObject::getOwnPropertyDescriptor worked.
2824         I've fixed JSObject::getOwnPropertyDescriptor to
2825         be able to handle ProxyObject.
2826
2827         * runtime/JSObject.cpp:
2828         (JSC::JSObject::getOwnPropertyDescriptor):
2829         * runtime/ProxyObject.cpp:
2830         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2831         * tests/stress/proxy-get-own-property.js:
2832         (assert):
2833         (assert.let.handler.get getOwnPropertyDescriptor):
2834
2835 2016-02-18  Saam Barati  <sbarati@apple.com>
2836
2837         Implement Proxy.[[GetOwnProperty]]
2838         https://bugs.webkit.org/show_bug.cgi?id=154314
2839
2840         Reviewed by Filip Pizlo.
2841
2842         This patch implements Proxy.[[GetOwnProperty]].
2843         It's a straightforward implementation as described
2844         in section 9.5.5 of the specification:
2845         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
2846
2847         * runtime/FunctionPrototype.cpp:
2848         (JSC::functionProtoFuncBind):
2849         * runtime/JSObject.cpp:
2850         (JSC::validateAndApplyPropertyDescriptor):
2851         (JSC::JSObject::defineOwnNonIndexProperty):
2852         (JSC::JSObject::defineOwnProperty):
2853         (JSC::JSObject::getGenericPropertyNames):
2854         (JSC::JSObject::getMethod):
2855         * runtime/JSObject.h:
2856         (JSC::JSObject::butterflyAddress):
2857         (JSC::makeIdentifier):
2858         * runtime/ProxyObject.cpp:
2859         (JSC::performProxyGet):
2860         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2861         (JSC::ProxyObject::getOwnPropertySlotCommon):
2862         (JSC::ProxyObject::getOwnPropertySlot):
2863         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2864         (JSC::ProxyObject::visitChildren):
2865         * runtime/ProxyObject.h:
2866         * tests/es6.yaml:
2867         * tests/stress/proxy-basic.js:
2868         (let.handler.get null):
2869         * tests/stress/proxy-get-own-property.js: Added.
2870         (assert):
2871         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
2872         (throw.new.Error):
2873         (let.handler.getOwnPropertyDescriptor):
2874         (i.catch):
2875         (assert.let.handler.getOwnPropertyDescriptor):
2876
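The three entries above (Proxy.[[HasProperty]], Symbols as PropertyKeys, and Proxy.[[GetOwnProperty]]) each correspond to behaviour that can be checked from script: a trap must receive the Symbol key itself rather than its string form, and the has and getOwnPropertyDescriptor traps are subject to the spec's invariant checks (a non-configurable own property of the target cannot be hidden, nothing can be hidden on a non-extensible target, a property the target lacks cannot be reported as non-configurable, and the descriptor trap must return an object or undefined). The following is an added example written for this page rather than WebKit's proxy-has-property.js or proxy-get-own-property.js; makeRecordingProxy, symbolKeysSurvive, hasInvariants, getOwnPropertyInvariants and thrown are names chosen for it.

```javascript
'use strict';

const sym = Symbol('secret');

function thrown(fn) { try { fn(); return null; } catch (e) { return e.constructor.name; } }

// Records every key a handler receives so we can check Symbols are passed through unchanged.
function makeRecordingProxy(target) {
  const seen = [];
  const proxy = new Proxy(target, {
    has(t, key) { seen.push({ trap: 'has', key }); return Reflect.has(t, key); },
    get(t, key, receiver) { seen.push({ trap: 'get', key }); return Reflect.get(t, key, receiver); },
    getOwnPropertyDescriptor(t, key) {
      seen.push({ trap: 'getOwnPropertyDescriptor', key });
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
  return { proxy, seen };
}

function symbolKeysSurvive() {
  const target = { [sym]: 'hidden', plain: 1 };
  const { proxy, seen } = makeRecordingProxy(target);
  const results = [sym in proxy, proxy[sym], Object.getOwnPropertyDescriptor(proxy, sym).value];
  return {
    results,                                        // [true, 'hidden', 'hidden']
    allSymbolKeys: seen.every(e => e.key === sym),  // true: never 'Symbol(secret)'
    trapCount: seen.length,                         // 3: one per trap
  };
}

function hasInvariants() {
  const target = {};
  Object.defineProperty(target, 'fixed', { value: 1, configurable: false });
  const lying = new Proxy(target, { has: () => false });
  const frozen = new Proxy(Object.preventExtensions({ a: 1 }), { has: () => false });
  const honest = new Proxy({ a: 1 }, { has: () => false });
  return {
    hideNonConfigurable: thrown(() => 'fixed' in lying),  // 'TypeError'
    hideOnNonExtensible: thrown(() => 'a' in frozen),     // 'TypeError'
    hideConfigurable: thrown(() => 'a' in honest),        // null: permitted
    hideConfigurableResult: 'a' in honest,                // false
  };
}

function getOwnPropertyInvariants() {
  const target = {};
  Object.defineProperty(target, 'fixed', { value: 1, configurable: false });
  // Reporting a non-configurable own property as absent is forbidden.
  const hiding = new Proxy(target, { getOwnPropertyDescriptor: () => undefined });
  // Reporting a property the target lacks as non-configurable is forbidden.
  const inventing = new Proxy({}, {
    getOwnPropertyDescriptor: () => ({ value: 2, writable: true, enumerable: true, configurable: false }),
  });
  // The trap must return an object or undefined.
  const primitive = new Proxy({}, { getOwnPropertyDescriptor: () => 3 });
  // A descriptor compatible with the target's is accepted.
  const honest = new Proxy(target, {
    getOwnPropertyDescriptor: (t, k) => Reflect.getOwnPropertyDescriptor(t, k),
  });
  return {
    hideNonConfigurable: thrown(() => Object.getOwnPropertyDescriptor(hiding, 'fixed')),    // 'TypeError'
    inventNonConfigurable: thrown(() => Object.getOwnPropertyDescriptor(inventing, 'x')),  // 'TypeError'
    descriptorMustBeObject: thrown(() => Object.getOwnPropertyDescriptor(primitive, 'x')), // 'TypeError'
    honest: Object.getOwnPropertyDescriptor(honest, 'fixed').value,                         // 1
  };
}
```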
2877 2016-02-18  Andreas Kling  <akling@apple.com>
2878
2879         JSString resolution of substrings should use StringImpl sharing optimization.
2880         <https://webkit.org/b/154068>
2881         <rdar://problem/24629358>
2882
2883         Reviewed by Antti Koivisto.
2884
2885         When resolving a JSString that's actually a substring of another JSString,
2886         use the StringImpl sharing optimization to create a new string pointing into
2887         the parent one, instead of copying out the bytes of the string.
2888
2889         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
2890
2891         Another approach to this would be to induce GC far more frequently due to
2892         the added cost of copying out these substrings. It would reduce the risk
2893         of prolonging the life of strings only kept alive by substrings.
2894
2895         This patch chooses to trade that risk for less GC and lower peak memory.
2896
2897         * runtime/JSString.cpp:
2898         (JSC::JSRopeString::resolveRope):
2899
2900 2016-02-18  Chris Dumez  <cdumez@apple.com>
2901
2902         Crash on SES selftest page when loading the page while WebInspector is open
2903         https://bugs.webkit.org/show_bug.cgi?id=154378
2904         <rdar://problem/24713422>
2905
2906         Reviewed by Mark Lam.
2907
2908         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
2909         returns early again if it detects that getOwnPropertySlot() returns a
2910         non-own property. This check was removed in r196676 because we assumed that
2911         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
2912         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
2913         well.
2914
2915         Not having the check would lead to crashes when using the debugger because
2916         we would get a slot with the CustomAccessor attribute but getDirect() would
2917         then fail to return the property (because it is not an own property). We
2918         would then cast the value returned by getDirect() to a CustomGetterSetter*
2919         and dereference it.
2920
2921         * runtime/JSObject.cpp:
2922         (JSC::JSObject::getOwnPropertyDescriptor):
2923
2924 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2925
2926         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
2927         for that.
2928
2929         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2930         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2931
2932 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2933
2934         Unreviewed, fix CMake build. This got messed up when rebasing.
2935
2936         * CMakeLists.txt:
2937
2938 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2939
2940         Fix the !ENABLE(DFG_JIT) build after r195865
2941         https://bugs.webkit.org/show_bug.cgi?id=154391
2942
2943         Reviewed by Filip Pizlo.
2944
2945         * runtime/SamplingProfiler.cpp:
2946         (JSC::tryGetBytecodeIndex):
2947
2948 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2949
2950         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
2951         https://bugs.webkit.org/show_bug.cgi?id=154383
2952
2953         Reviewed by Saam Barati.
2954
2955         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
2956
2957         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
2958           backend".
2959
2960         - Removed the reference because I found it to be dead. In some cases it was a dead
2961           comment: it was telling us things about what LLVM did and that's just not relevant
2962           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
2963
2964         - Edited the comment in some smart way. There were comments talking about what LLVM did
2965           that were still of interest. In some cases, I added a FIXME to consider changing the
2966           code below the comment on the grounds that it was written in a weird way to placate
2967           LLVM and so we can do it better now.
2968
2969         * CMakeLists.txt:
2970         * JavaScriptCore.xcodeproj/project.pbxproj:
2971         * dfg/DFGArgumentsEliminationPhase.cpp:
2972         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2973         * dfg/DFGPlan.cpp:
2974         (JSC::DFG::Plan::compileInThread):
2975         (JSC::DFG::Plan::compileInThreadImpl):
2976         (JSC::DFG::Plan::compileTimeStats):
2977         * dfg/DFGPutStackSinkingPhase.cpp:
2978         * dfg/DFGSSAConversionPhase.h:
2979         * dfg/DFGStaticExecutionCountEstimationPhase.h:
2980         * dfg/DFGUnificationPhase.cpp:
2981         (JSC::DFG::UnificationPhase::run):
2982         * disassembler/ARM64Disassembler.cpp:
2983         (JSC::tryToDisassemble): Deleted.
2984         * disassembler/X86Disassembler.cpp:
2985         (JSC::tryToDisassemble):
2986         * ftl/FTLAbstractHeap.cpp:
2987         (JSC::FTL::IndexedAbstractHeap::initialize):
2988         * ftl/FTLAbstractHeap.h:
2989         * ftl/FTLFormattedValue.h:
2990         * ftl/FTLJITFinalizer.cpp:
2991         (JSC::FTL::JITFinalizer::finalizeFunction):
2992         * ftl/FTLLink.cpp:
2993         (JSC::FTL::link):
2994         * ftl/FTLLocation.cpp:
2995         (JSC::FTL::Location::restoreInto):
2996         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
2997         (JSC::FTL::DFG::ftlUnreachable):
2998         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2999         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
3000         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
3001         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
3002         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
3003         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
3004         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
3005         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
3006         (JSC::FTL::lowerDFGToB3):
3007         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
3008         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
3009         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
3010         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
3011         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
3012         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
3013         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
3014         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
3015         (JSC::FTL::lowerDFGToLLVM): Deleted.
3016         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
3017         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
3018         * ftl/FTLLowerDFGToLLVM.h: Removed.
3019         * ftl/FTLOSRExitCompiler.cpp:
3020         (JSC::FTL::compileStub):
3021         * ftl/FTLWeight.h:
3022         (JSC::FTL::Weight::frequencyClass):
3023         (JSC::FTL::Weight::inverse):
3024         (JSC::FTL::Weight::scaleToTotal): Deleted.
3025         * ftl/FTLWeightedTarget.h:
3026         (JSC::FTL::rarely):
3027         (JSC::FTL::unsure):
3028         * jit/CallFrameShuffler64.cpp:
3029         (JSC::CallFrameShuffler::emitDisplace):
3030         * jit/RegisterSet.cpp:
3031         (JSC::RegisterSet::ftlCalleeSaveRegisters):
3032         * llvm: Removed.
3033         * llvm/InitializeLLVMLinux.cpp: Removed.
3034         * llvm/InitializeLLVMWin.cpp: Removed.
3035         * llvm/library: Removed.
3036         * llvm/library/LLVMTrapCallback.h: Removed.
3037         * llvm/library/libllvmForJSC.version: Removed.
3038         * runtime/Options.cpp:
3039         (JSC::recomputeDependentOptions):
3040         (JSC::Options::initialize):
3041         * runtime/Options.h:
3042         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
3043         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
3044         * wasm/WASMFunctionParser.cpp:
3045
3046 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
3047
3048         [cmake] Build system cleanup
3049         https://bugs.webkit.org/show_bug.cgi?id=154337
3050
3051         Reviewed by Žan Doberšek.
3052
3053         * CMakeLists.txt:
3054
3055 2016-02-17  Mark Lam  <mark.lam@apple.com>
3056
3057         Callers of JSString::value() should check for exceptions thereafter.
3058         https://bugs.webkit.org/show_bug.cgi?id=154346
3059
3060         Reviewed by Geoffrey Garen.
3061
3062         JSString::value() can throw an exception if the JS string is a rope and value() 
3063         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
3064         able to resolve the rope, it will return a null string (in addition to throwing
3065         the exception).  If a caller does not check for exceptions after calling
3066         JSString::value(), they may eventually use the returned null string and crash the
3067         VM.
3068
3069         The fix is to add all the necessary exception checks, and do the appropriate
3070         handling if needed.
3071
3072         * jsc.cpp:
3073         (functionRun):
3074         (functionLoad):
3075         (functionReadFile):
3076         (functionCheckSyntax):
3077         (functionLoadWebAssembly):
3078         (functionLoadModule):
3079         (functionCheckModuleSyntax):
3080         * runtime/DateConstructor.cpp:
3081         (JSC::dateParse):
3082         (JSC::dateNow):
3083         * runtime/JSGlobalObjectFunctions.cpp:
3084         (JSC::globalFuncEval):
3085         * tools/JSDollarVMPrototype.cpp:
3086         (JSC::functionPrint):
3087
3088 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
3089
3090         [JSC] ARM64: Support the immediate format used for bit operations in Air
3091         https://bugs.webkit.org/show_bug.cgi?id=154327
3092
3093         Reviewed by Filip Pizlo.
3094
3095         ARM64 supports a pretty rich form of immediates for bit operations.
3096         There are two formats used to encode repeating patterns and common
3097         input in a dense form.
3098
3099         In this patch, I add two new types of Arg: BitImm32 and BitImm64.
3100         Those represent the valid immediate forms for bit operations.
3101         On x86, any 32-bit value is valid. On ARM64, all the encoding
3102         forms are tried and the immediate is used when possible.
3103
3104         The arg type Imm64 is renamed to BigImm to better represent what
3105         it is: an immediate that does not fit into Imm.
3106
3107         * assembler/ARM64Assembler.h:
3108         (JSC::LogicalImmediate::create32): Deleted.
3109         (JSC::LogicalImmediate::create64): Deleted.
3110         (JSC::LogicalImmediate::value): Deleted.
3111         (JSC::LogicalImmediate::isValid): Deleted.
3112         (JSC::LogicalImmediate::is64bit): Deleted.
3113         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
3114         (JSC::LogicalImmediate::mask): Deleted.
3115         (JSC::LogicalImmediate::partialHSB): Deleted.
3116         (JSC::LogicalImmediate::highestSetBit): Deleted.
3117         (JSC::LogicalImmediate::findBitRange): Deleted.
3118         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
3119         * assembler/AssemblerCommon.h:
3120         (JSC::ARM64LogicalImmediate::create32):
3121         (JSC::ARM64LogicalImmediate::create64):
3122         (JSC::ARM64LogicalImmediate::value):
3123         (JSC::ARM64LogicalImmediate::isValid):
3124         (JSC::ARM64LogicalImmediate::is64bit):
3125         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
3126         (JSC::ARM64LogicalImmediate::mask):
3127         (JSC::ARM64LogicalImmediate::partialHSB):
3128         (JSC::ARM64LogicalImmediate::highestSetBit):
3129         (JSC::ARM64LogicalImmediate::findBitRange):
3130         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
3131         * assembler/MacroAssemblerARM64.h:
3132         (JSC::MacroAssemblerARM64::and64):
3133         (JSC::MacroAssemblerARM64::or64):
3134         (JSC::MacroAssemblerARM64::xor64):
3135         * b3/B3LowerToAir.cpp:
3136         (JSC::B3::Air::LowerToAir::bitImm):
3137         (JSC::B3::Air::LowerToAir::bitImm64):
3138         (JSC::B3::Air::LowerToAir::appendBinOp):
3139         * b3/air/AirArg.cpp:
3140         (JSC::B3::Air::Arg::dump):
3141         (WTF::printInternal):
3142         * b3/air/AirArg.h:
3143         (JSC::B3::Air::Arg::bitImm):
3144         (JSC::B3::Air::Arg::bitImm64):
3145         (JSC::B3::Air::Arg::isBitImm):
3146         (JSC::B3::Air::Arg::isBitImm64):
3147         (JSC::B3::Air::Arg::isSomeImm):
3148         (JSC::B3::Air::Arg::value):
3149         (JSC::B3::Air::Arg::isGP):
3150         (JSC::B3::Air::Arg::isFP):
3151         (JSC::B3::Air::Arg::hasType):
3152         (JSC::B3::Air::Arg::isValidBitImmForm):
3153         (JSC::B3::Air::Arg::isValidBitImm64Form):
3154         (JSC::B3::Air::Arg::isValidForm):
3155         (JSC::B3::Air::Arg::asTrustedImm32):
3156         (JSC::B3::Air::Arg::asTrustedImm64):
3157         * b3/air/AirOpcode.opcodes:
3158         * b3/air/opcode_generator.rb:
3159
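The ARM64 "logical immediate" format that the entry above teaches Air to try is worth seeing concretely: a 32- or 64-bit value is encodable as an AND/ORR/EOR immediate only if it is a repetition of a 2, 4, 8, 16, 32 or 64-bit element that is itself a rotated run of ones, and the encoding is the (N, immr, imms) triple the instruction carries. The following is an added example, not JSC's ARM64LogicalImmediate code; it implements the search both ways (encode and the DecodeBitMasks inverse) using BigInt so 64-bit values are handled exactly, and encodeLogicalImmediate, decodeLogicalImmediate, rotr and isEncodableBitImm are names chosen for the example.

```javascript
'use strict';

// Rotate an unsigned BigInt `x` right by `r` within `width` bits.
function rotr(x, r, width) {
  const w = BigInt(width), m = (1n << w) - 1n;
  const rr = BigInt(r) % w;
  return ((x >> rr) | (x << (w - rr))) & m;
}

// Encode `value` (32- or 64-bit) as an ARM64 logical immediate {N, immr, imms},
// or return null if no encoding exists. A value is encodable when it is a
// repetition of a 2/4/8/16/32/64-bit element that is itself a rotated run of
// ones (all-zero and all-one are reserved). The search starts at the smallest element size.
function encodeLogicalImmediate(value, width) {
  const w = BigInt(width), full = (1n << w) - 1n;
  const v = BigInt.asUintN(width, BigInt(value));
  if (v === 0n || v === full) return null;
  for (let e = 2; e <= width; e *= 2) {
    const eb = BigInt(e), elem = v & ((1n << eb) - 1n);
    let replicated = 0n;
    for (let i = 0n; i < w; i += eb) replicated |= elem << i;
    if (replicated !== v) continue;                 // not periodic with period e
    for (let s = 1; s < e; s++) {                   // s = number of ones in the element
      const ones = (1n << BigInt(s)) - 1n;
      for (let r = 0; r < e; r++) {                 // r = rotate-right amount
        if (rotr(ones, r, e) === elem) {
          // imms = <element-size prefix> : (s - 1); N is set only for 64-bit elements.
          return { N: e === 64 ? 1 : 0, immr: r, imms: (~(2 * e - 1) & 0x3f) | (s - 1) };
        }
      }
    }
  }
  return null;
}

// Inverse of the above (DecodeBitMasks): the element size comes from the
// highest set bit of N:NOT(imms), then the element is ones(s+1) rotated right by immr.
function decodeLogicalImmediate({ N, immr, imms }, width) {
  const bits = (N << 6) | (~imms & 0x3f);
  let len = -1;
  for (let i = 6; i >= 0; i--) if (bits & (1 << i)) { len = i; break; }
  if (len < 1) return null;                         // reserved encoding
  const e = 1 << len, levels = e - 1;
  const s = imms & levels, r = immr & levels;
  if (s === levels) return null;                    // all-ones element is reserved
  const elem = rotr((1n << BigInt(s + 1)) - 1n, r, e);
  let v = 0n;
  for (let i = 0; i < width; i += e) v |= elem << BigInt(i);
  return BigInt.asUintN(width, v);
}

// The yes/no question an instruction selector asks before choosing the immediate form.
function isEncodableBitImm(value, width) {
  return encodeLogicalImmediate(value, width) !== null;
}
```

For instance 0xFF00FF00 as a 32-bit value is the 16-bit element 0xFF00 repeated, and that element is eight ones rotated right by 8, so it encodes as N=0, immr=8, imms=0b100111; 0xDEADBEEF has no such structure and must be materialised in a register first.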
3160 2016-02-17  Keith Miller  <keith_miller@apple.com>
3161
3162         Spread operator should be allowed when not the first argument of parameter list
3163         https://bugs.webkit.org/show_bug.cgi?id=152721
3164
3165         Reviewed by Saam Barati.
3166
3167         Spread arguments to functions should now be ES6 compliant. Before we
3168         would only take a spread operator if it was the sole argument to a
3169         function. Additionally, we would not use the Symbol.iterator on the
3170         object to generate the arguments. Instead we would do a loop up to the
3171         length mapping indexed properties to the corresponding argument. We fix
3172         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
3173         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
3174         old spread semantics). This solution has the downside of requiring the
3175         allocation of another object and copying each element twice but avoids a
3176         large change to the vm calling convention.
3177
3178         * interpreter/Interpreter.cpp:
3179         (JSC::loadVarargs):
3180         * parser/ASTBuilder.h:
3181         (JSC::ASTBuilder::createElementList):
3182         * parser/Parser.cpp:
3183         (JSC::Parser<LexerType>::parseArguments):
3184         (JSC::Parser<LexerType>::parseArgument):
3185         (JSC::Parser<LexerType>::parseMemberExpression):
3186         * parser/Parser.h:
3187         * parser/SyntaxChecker.h:
3188         (JSC::SyntaxChecker::createElementList):
3189         * tests/es6.yaml:
3190         * tests/stress/spread-calling.js: Added.
3191         (testFunction):
3192         (testEmpty):
3193         (makeObject):
3194         (otherIterator.return.next):
3195         (otherIterator):
3196         (totalIter):
3197         (throwingIter.return.next):
3198         (throwingIter):
3199         (i.catch):
3200
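The spread semantics described in the entry above (Symbol.iterator drives the expansion, a spread may appear anywhere in the argument list, and an iterator that throws propagates the exception) can be checked directly from script. The following is an added example, not WebKit's spread-calling.js test; collect, makeIterable, spreadAnywhere, throwingIteratorPropagates and arrayLikeIsNotSpreadable are names chosen for it. The iterable deliberately carries decoy `length` and index properties so that a length-based implementation, the pre-patch behaviour described above, would give a visibly different result.

```javascript
'use strict';

function collect(...args) { return args; }

// An iterable whose indexed properties disagree with what Symbol.iterator yields:
// ES6 spread must follow the iterator and ignore `length`/indices.
function makeIterable(values, log) {
  return {
    length: 99, 0: 'index-storage',           // decoys: a length-based loop would read these
    [Symbol.iterator]() {
      let i = 0;
      log.push('iterator-created');
      return {
        next() {
          if (i < values.length) return { value: values[i++], done: false };
          log.push('iterator-done');
          return { value: undefined, done: true };
        },
      };
    },
  };
}

function spreadAnywhere() {
  const log = [];
  const a = makeIterable([1, 2], log);
  const c = makeIterable(['x'], log);
  const out = collect(...a, 'b', ...c, 'd');  // spreads in non-first positions, left to right
  return { out, log };                          // out: [1, 2, 'b', 'x', 'd']
}

// An exception thrown by next() propagates out of the call expression.
function throwingIteratorPropagates() {
  const bad = { [Symbol.iterator]() { return { next() { throw new RangeError('boom'); } }; } };
  try { collect(0, ...bad); return null; } catch (e) { return e.constructor.name; } // 'RangeError'
}

// A plain array-like without Symbol.iterator is not spreadable under ES6 semantics.
function arrayLikeIsNotSpreadable() {
  try { collect(...{ length: 1, 0: 'a' }); return null; } catch (e) { return e.constructor.name; } // 'TypeError'
}
```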
3201 2016-02-17  Brian Burg  <bburg@apple.com>
3202
3203         Remove a wrong cast in RemoteInspector::receivedSetupMessage
3204         https://bugs.webkit.org/show_bug.cgi?id=154361
3205         <rdar://problem/24709281>
3206
3207         Reviewed by Joseph Pecoraro.
3208
3209         * inspector/remote/RemoteInspector.mm:
3210         (Inspector::RemoteInspector::receivedSetupMessage):
3211         Not only is this cast unnecessary (the constructor accepts the base class),
        but it is wrong since the target could be an automation target. Remove it.

2016-02-17  Filip Pizlo  <fpizlo@apple.com>

        Rename FTLB3Blah to FTLBlah
        https://bugs.webkit.org/show_bug.cgi?id=154365

        Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLB3Compile.cpp: Removed.
        * ftl/FTLB3Output.cpp: Removed.
        * ftl/FTLB3Output.h: Removed.
        * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
        * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
        * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.

2016-02-17  Filip Pizlo  <fpizlo@apple.com>

        Remove LLVM dependencies from WebKit
        https://bugs.webkit.org/show_bug.cgi?id=154323

        Reviewed by Antti Koivisto and Benjamin Poulain.

        We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
        LLVM-related code dead, including the disassembler, which was only reachable when you were on
        a platform that already had an in-tree disassembler.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCommon.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::compileTimeStats):
        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/ARMv7Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/Disassembler.cpp:
        (JSC::disassemble):
        (JSC::disassembleAsynchronously):
        * disassembler/Disassembler.h:
        (JSC::tryToDisassemble):
        * disassembler/LLVMDisassembler.cpp: Removed.
        * disassembler/LLVMDisassembler.h: Removed.
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/UDis86Disassembler.h:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/X86Disassembler.cpp:
        (JSC::tryToDisassemble):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLAbbreviations.h: Removed.
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::decorateInstruction):
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractField::dump):
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        (JSC::FTL::IndexedAbstractHeap::dump):
        (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
        (JSC::FTL::NumberedAbstractHeap::dump):
        (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
        (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
        * ftl/FTLAbstractHeap.h:
        (JSC::FTL::AbstractHeap::AbstractHeap):
        (JSC::FTL::AbstractHeap::heapName):
        (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
        (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
        (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
        (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLB3Compile.cpp:
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::Output):
        (JSC::FTL::Output::check):
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::store):
        * ftl/FTLB3Output.h:
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        (JSC::FTL::CommonValues::initializeConstants):
        * ftl/FTLCommonValues.h:
        (JSC::FTL::CommonValues::initialize): Deleted.
        * ftl/FTLCompile.cpp: Removed.
        * ftl/FTLCompileBinaryOp.cpp: Removed.
        * ftl/FTLCompileBinaryOp.h: Removed.
        * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
        * ftl/FTLDWARFDebugLineInfo.h: Removed.
        * ftl/FTLDWARFRegister.cpp: Removed.
        * ftl/FTLDWARFRegister.h: Removed.
        * ftl/FTLDataSection.cpp: Removed.
        * ftl/FTLDataSection.h: Removed.
        * ftl/FTLExceptionHandlerManager.cpp: Removed.
        * ftl/FTLExceptionHandlerManager.h: Removed.
        * ftl/FTLExceptionTarget.cpp:
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLExitThunkGenerator.cpp: Removed.
        * ftl/FTLExitThunkGenerator.h: Removed.
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLInlineCacheDescriptor.h: Removed.
        * ftl/FTLInlineCacheSize.cpp: Removed.
        * ftl/FTLInlineCacheSize.h: Removed.
        * ftl/FTLIntrinsicRepository.cpp: Removed.
        * ftl/FTLIntrinsicRepository.h: Removed.
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::~JITCode):
        (JSC::FTL::JITCode::initializeB3Code):
        (JSC::FTL::JITCode::initializeB3Byproducts):
        (JSC::FTL::JITCode::initializeAddressForCall):
        (JSC::FTL::JITCode::contains):
        (JSC::FTL::JITCode::ftl):
        (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        (JSC::FTL::JITCode::initializeExitThunks): Deleted.
        (JSC::FTL::JITCode::addHandle): Deleted.
        (JSC::FTL::JITCode::addDataSection): Deleted.
        (JSC::FTL::JITCode::exitThunks): Deleted.
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::b3Code):
        (JSC::FTL::JITCode::handles): Deleted.
        (JSC::FTL::JITCode::dataSections): Deleted.
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::codeSize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLJSCall.cpp: Removed.
        * ftl/FTLJSCall.h: Removed.
        * ftl/FTLJSCallBase.cpp: Removed.
        * ftl/FTLJSCallBase.h: Removed.
        * ftl/FTLJSCallVarargs.cpp: Removed.
        * ftl/FTLJSCallVarargs.h: Removed.
        * ftl/FTLJSTailCall.cpp: Removed.
        * ftl/FTLJSTailCall.h: Removed.
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::LazySlowPath):
        (JSC::FTL::LazySlowPath::generate):