[Fetch API] Add fetch API compile time flag
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-12-16  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        [Fetch API] Add fetch API compile time flag
        https://bugs.webkit.org/show_bug.cgi?id=152254

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2015-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
        https://bugs.webkit.org/show_bug.cgi?id=152227

        Reviewed by Saam Barati.

        This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
        We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
        The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantomNewFunction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::isFunctionAllocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
        * tests/stress/generator-function-create-optimized.js: Added.
        (shouldBe):
        (g):
        (test.return.gen):
        (test):
        (test2.gen):
        (test2):
        * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (call):
        (f):
        (sink):
        * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (g):
        (f):
        (sink):
        * tests/stress/generator-function-declaration-sinking-put.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (g):
        (f):
        (sink):
        * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (call):
        (f):
        (sink):
        * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (g):
        (sink):
        * tests/stress/generator-function-expression-sinking-put.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (g):
        (sink):

2015-12-15  Mark Lam  <mark.lam@apple.com>

        Gardening: fix broken 32-bit JSC tests.  Just need to assign a scratch register.
        https://bugs.webkit.org/show_bug.cgi?id=152191

        Not reviewed.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitBitBinaryOpFastPath):

2015-12-15  Mark Lam  <mark.lam@apple.com>

        Introducing ScratchRegisterAllocator::PreservedState.
        https://bugs.webkit.org/show_bug.cgi?id=152315

        Reviewed by Geoffrey Garen.

        restoreReusedRegistersByPopping() should always be called with 2 values that
        match the expectation of preserveReusedRegistersByPushing().  Those 2 values
        are the number of bytes preserved and the ExtraStackSpace requirement.  By
        encapsulating them in a ScratchRegisterAllocator::PreservedState, we can make
        it less error-prone when calling restoreReusedRegistersByPopping().  Now, we only
        need to pass it the appropriate PreservedState that its matching
        preserveReusedRegistersByPushing() returned.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::restoreScratch):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationState::AccessGenerationState):
        * ftl/FTLCompileBinaryOp.cpp:
        (JSC::FTL::generateBinaryBitOpFastPath):
        (JSC::FTL::generateRightShiftFastPath):
        (JSC::FTL::generateBinaryArithOpFastPath):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::usedRegisters):
        (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):

2015-12-15  Mark Lam  <mark.lam@apple.com>

        Polymorphic operand types for DFG and FTL bit operators.
        https://bugs.webkit.org/show_bug.cgi?id=152191

        Reviewed by Saam Barati.

        * bytecode/SpeculatedType.h:
        (JSC::isUntypedSpeculationForBitOps):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateUntypedForBitOps):
        - Added check for types not supported by ValueToInt32, and therefore should be
          treated as untyped for bitops.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        - Handled untyped operands.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        - Added DFG slow path functions for bitops.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
        (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
        (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
        (JSC::DFG::SpeculativeJIT::compileShiftOp):
        * dfg/DFGSpeculativeJIT.h:
        - Added DFG backend support for untyped operands for bitops.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        - Limit bitops strength reduction only to when we don't have untyped operands.
          This is because values that are not int32s need to be converted to int32.
          Without untyped operands, the ValueToInt32 node takes care of this.
          With untyped operands, we cannot use ValueToInt32, and need to do the conversion
          in the code emitted for the bitop node itself.  For example:

              5.5 | 0; // yields 5 because ValueToInt32 converts the 5.5 to a 5.
              "abc" | 0; // would yield "abc" instead of the expected 0 if we let
                         // strength reduction do its thing.

        * ftl/FTLCompileBinaryOp.cpp:
        (JSC::FTL::generateBinaryBitOpFastPath):
        (JSC::FTL::generateRightShiftFastPath):
        (JSC::FTL::generateBinaryOpFastPath):

        * ftl/FTLInlineCacheDescriptor.h:
        (JSC::FTL::BitAndDescriptor::BitAndDescriptor):
        (JSC::FTL::BitAndDescriptor::icSize):
        (JSC::FTL::BitAndDescriptor::nodeType):
        (JSC::FTL::BitAndDescriptor::opName):
        (JSC::FTL::BitAndDescriptor::slowPathFunction):
        (JSC::FTL::BitAndDescriptor::nonNumberSlowPathFunction):
        (JSC::FTL::BitOrDescriptor::BitOrDescriptor):
        (JSC::FTL::BitOrDescriptor::icSize):
        (JSC::FTL::BitOrDescriptor::nodeType):
        (JSC::FTL::BitOrDescriptor::opName):
        (JSC::FTL::BitOrDescriptor::slowPathFunction):
        (JSC::FTL::BitOrDescriptor::nonNumberSlowPathFunction):
        (JSC::FTL::BitXorDescriptor::BitXorDescriptor):
        (JSC::FTL::BitXorDescriptor::icSize):
        (JSC::FTL::BitXorDescriptor::nodeType):
        (JSC::FTL::BitXorDescriptor::opName):
        (JSC::FTL::BitXorDescriptor::slowPathFunction):
        (JSC::FTL::BitXorDescriptor::nonNumberSlowPathFunction):
        (JSC::FTL::BitLShiftDescriptor::BitLShiftDescriptor):
        (JSC::FTL::BitLShiftDescriptor::icSize):
        (JSC::FTL::BitLShiftDescriptor::nodeType):
        (JSC::FTL::BitLShiftDescriptor::opName):
        (JSC::FTL::BitLShiftDescriptor::slowPathFunction):
        (JSC::FTL::BitLShiftDescriptor::nonNumberSlowPathFunction):
        (JSC::FTL::BitRShiftDescriptor::BitRShiftDescriptor):
        (JSC::FTL::BitRShiftDescriptor::icSize):
        (JSC::FTL::BitRShiftDescriptor::nodeType):
        (JSC::FTL::BitRShiftDescriptor::opName):
        (JSC::FTL::BitRShiftDescriptor::slowPathFunction):
        (JSC::FTL::BitRShiftDescriptor::nonNumberSlowPathFunction):
        (JSC::FTL::BitURShiftDescriptor::BitURShiftDescriptor):
        (JSC::FTL::BitURShiftDescriptor::icSize):
        (JSC::FTL::BitURShiftDescriptor::nodeType):
        (JSC::FTL::BitURShiftDescriptor::opName):
        (JSC::FTL::BitURShiftDescriptor::slowPathFunction):
        (JSC::FTL::BitURShiftDescriptor::nonNumberSlowPathFunction):
        - Added support for bitop ICs.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfBitAnd):
        (JSC::FTL::sizeOfBitOr):
        (JSC::FTL::sizeOfBitXor):
        (JSC::FTL::sizeOfBitLShift):
        (JSC::FTL::sizeOfBitRShift):
        (JSC::FTL::sizeOfBitURShift):
        * ftl/FTLInlineCacheSize.h:
        - Added new bitop IC sizes.  These are just estimates for now that work adequately,
          and are shown to not impact performance on benchmarks.  We will re-tune these
          size values later in another patch once all snippet ICs have been added.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
        - Added support for bitop ICs.

        * jit/JITLeftShiftGenerator.cpp:
        (JSC::JITLeftShiftGenerator::generateFastPath):
        * jit/JITLeftShiftGenerator.h:
        (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        - The shift MASM operations need to ensure that the shiftAmount is not in the same
          register as the destination register.  With the baselineJIT and DFG, this is
          ensured in how we allocate these registers, and hence, the bug does not manifest.
          With the FTL, these registers are not guaranteed to be unique.  Hence, we need
          to fix the shift op snippet code to compensate for this.

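The conversion that the strength-reduction note in the entry above relies on, as an added example that is not part of the ChangeLog or of JavaScriptCore: a reference ToInt32 in JavaScript, compared against the engine's own `x | 0` for a set of constructed operands (including the 5.5 and "abc" cases quoted in the entry), together with a check of which operands are already Int32 and so are the only ones for which dropping the bitop is sound. Function names are assumptions made for this example.

```javascript
'use strict';

// Reference ToInt32 (ECMAScript): ToNumber, truncate toward zero, then wrap
// into the signed 32-bit range. NaN and the infinities map to 0.
function toInt32(value) {
  const n = Number(value);                 // ToNumber: "abc" -> NaN, "0x10" -> 16, [] -> 0
  if (!Number.isFinite(n)) return 0;       // NaN, +Infinity, -Infinity
  const truncated = Math.trunc(n);         // 5.5 -> 5, -1.5 -> -1
  const two32 = 2 ** 32;
  const wrapped = ((truncated % two32) + two32) % two32; // modulo 2^32, into [0, 2^32)
  return wrapped >= 2 ** 31 ? wrapped - two32 : wrapped; // reinterpret as signed
}

// An operand the DFG could prove to be Int32: only then is `x | 0` the same
// value as `x`, so only then may strength reduction drop the bitop. Doubles
// such as 5.5 or -0 and every non-number need the conversion above.
function isInt32(value) {
  return typeof value === 'number'
    && Number.isInteger(value)
    && !Object.is(value, -0)
    && value >= -(2 ** 31) && value <= 2 ** 31 - 1;
}

// Compare the engine's own `x | 0` with the reference conversion for one operand.
function checkOperand(value) {
  const engine = value | 0;
  const reference = toInt32(value);
  return { engine, reference, agrees: engine === reference, reducible: isInt32(value) };
}

// Constructed operands; the first two are the cases quoted in the ChangeLog entry.
const SAMPLE_OPERANDS = [
  5.5, 'abc', 42, -7, '0x10', '7', -1.5, 2 ** 32 + 5, 2 ** 31, -(2 ** 31) - 1,
  NaN, Infinity, -Infinity, true, null, undefined, [], {}, -0,
];

function runAll() {
  return SAMPLE_OPERANDS.map((value) => ({ value, ...checkOperand(value) }));
}

for (const r of runAll()) {
  console.log(`${String(r.value).padEnd(16)} | 0 = ${String(r.engine).padStart(12)}`
    + `  reference=${String(r.reference).padStart(12)}  reducible=${r.reducible}`);
}
```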
2015-12-15  Caitlin Potter  <caitp@igalia.com>

        [JSC] SyntaxError if AssignmentElement is `eval` or `arguments` in strict code
        https://bugs.webkit.org/show_bug.cgi?id=152302

        Reviewed by Mark Lam.

        `eval` and `arguments` must not be assigned to in strict code. This
        change fixes `language/expressions/assignment/destructuring/obj-id-simple-strict.js`
        in Test262, as well as a variety of other similar tests.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseAssignmentElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        * tests/stress/destructuring-assignment-syntax.js:

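As an added example, not taken from the ChangeLog or from JSC's test suite: a small checker that compiles constructed statements with `new Function` (parsing only; nothing is ever called) under whichever engine runs it, showing that `eval` and `arguments` are rejected as assignment targets and as AssignmentElements of destructuring patterns in strict code while sloppy code accepts them. Function names are assumptions.

```javascript
'use strict';

// Compile a function body without running it. `new Function` parses the body
// as its own unit, so the strictness of this file does not leak into it, and
// the compiled function is discarded without ever being invoked.
function parseOutcome(body) {
  try {
    new Function(body);
    return 'ok';
  } catch (e) {
    return e instanceof SyntaxError ? 'SyntaxError' : `other: ${e.name}`;
  }
}

// The same statement compiled once as strict code and once as sloppy code.
function classify(statement) {
  return {
    strict: parseOutcome(`"use strict";\n${statement}`),
    sloppy: parseOutcome(statement),
  };
}

// Constructed statements: eval/arguments as a simple assignment target and as
// AssignmentElements in array and object destructuring patterns, plus an
// ordinary identifier as the control case.
const CASES = {
  simple:       'eval = 1;',
  arrayElement: '[eval] = [1];',
  shorthand:    '({ eval } = { eval: 1 });',
  property:     '({ a: arguments } = { a: 1 });',
  nested:       '[{ b: [arguments] }] = [{ b: [1] }];',
  control:      'let x; [x] = [1];',
};

function runAll() {
  const out = {};
  for (const [name, statement] of Object.entries(CASES)) out[name] = classify(statement);
  return out;
}

for (const [name, r] of Object.entries(runAll())) {
  console.log(`${name.padEnd(13)} strict: ${r.strict.padEnd(11)} sloppy: ${r.sloppy}`);
}
```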
2015-12-15  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after 194062.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Added.
        (JSC::MacroAssemblerARM::ceilDouble): Added.

2015-12-14  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should account for localsOffset
        https://bugs.webkit.org/show_bug.cgi?id=152288

        Reviewed by Saam Barati.

        The DFG will build up some data structures that expect to know about offsets from FP. Those data
        structures may slide by some offset when the low-level compiler (either LLVM or B3) does stack
        allocation. So, the LLVM FTL modifies those data structures based on the real offset that it gets
        from LLVM's stackmaps. The B3 code needs to do the same.

        I had previously vowed to never put more stuff into FTLB3Compile.cpp, because I didn't want it to
        look like FTLCompile.cpp. Up until now, I was successful because I used lambdas installed by
        FTLLower. But in this case, I actually think that having code that just does this explicitly in
        FTLB3Compile.cpp is least confusing. There is no particular place in FTLLower that would want to
        care about this, and we need to ensure that we do this fixup before we run any of the stackmap
        generators. In other words, it needs to happen before we call B3::generate(). The ordering
        constraints seem like a good reason to have this done explicitly rather than through lambdas.

        I wrote a test. The test was failing in trunk because the B3 meaning of anchor().value() is
        different from the LLVM meaning. This caused breakage when we used this idiom:

            ValueFromBlock foo = m_out.anchor(things);
            ...(foo.value()) // we were expecting that foo.value() == things

        I never liked this idiom to begin with, so instead of trying to change B3's anchor(), I changed
        the idiom to:

            LValue fooValue = things;
            ValueFromBlock foo = m_out.anchor(fooValue);
            ...(fooValue)

        This is probably a good idea, since eventually we want B3's anchor() to just return the
        UpsilonValue*. To get there, we want to eliminate any situations where code assumes that
        ValueFromBlock is an actual object and not just a typedef for a pointer.

        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::appendTo):
        (JSC::FTL::Output::lockedStackSlot):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::framePointer):
        (JSC::FTL::Output::constBool):
        (JSC::FTL::Output::constInt32):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileForwardVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
        * ftl/FTLState.h:
        (JSC::FTL::verboseCompilationEnabled):
        * tests/stress/ftl-function-dot-arguments-with-callee-saves.js: Added.

2015-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        Math.random should have an intrinsic thunk and it should be later handled as a DFG Node
        https://bugs.webkit.org/show_bug.cgi?id=152133

        Reviewed by Geoffrey Garen.

        In this patch, we implement the new RandomIntrinsic. It emits machine code to generate random numbers efficiently.
        And later it will be recognized by DFG and converted to an ArithRandom node.
        It provides the type information SpecDoubleReal since Math.random only generates a number within [0, 1.0).

        Currently, only the 64bit version is supported. On a 32bit environment, ArithRandom will be converted to callOperation.
        While it emits a function call, the ArithRandom node on 32bit still represents SpecDoubleReal as a result type.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRandom):
        * jit/AssemblyHelpers.cpp:
        (JSC::emitRandomThunkImpl):
        (JSC::AssemblyHelpers::emitRandomThunk):
        * jit/AssemblyHelpers.h:
        * jit/JITOperations.h:
        * jit/ThunkGenerators.cpp:
        (JSC::randomThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::weakRandomOffset):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):
        * tests/stress/random-53bit.js: Added.
        (test):
        * tests/stress/random-in-range.js: Added.
        (test):

2015-12-14  Benjamin Poulain  <benjamin@webkit.org>

        Rename FTL::Output's ceil64() to doubleCeil()

        Rubber-stamped by Filip Pizlo.

        ceil64() was a bad name; that's the naming convention we use for integers.

        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::doubleCeil):
        (JSC::FTL::Output::ceil64): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRound):

2015-12-14  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should be able to run n-body.js
        https://bugs.webkit.org/show_bug.cgi?id=152281

        Reviewed by Benjamin Poulain.

        Fix a bug where m_captured was pointing to the start of the captured vars slot rather than the
        end, like the rest of the FTL expected.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):

2015-12-14  Benjamin Poulain  <bpoulain@apple.com>

        Fix bad copy-paste in r194062

        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::ceil64):

2015-12-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop build.

        * jit/GPRInfo.cpp:

2015-12-14  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do PutById
        https://bugs.webkit.org/show_bug.cgi?id=152268

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createGenericCompare): I realized that we were missing some useful matching rules.
        * b3/testb3.cpp: Added a bunch of tests.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById): Do the things.
        * jit/GPRInfo.cpp: Added. I had to do this yucky thing because clang was having issues compiling references to this from deeply nested lambdas.
        * jit/GPRInfo.h: Added a comment about how patchpointScratchRegister is bizarre and should probably die.

2015-12-14  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add ceil() support for x86 and expose it to B3
        https://bugs.webkit.org/show_bug.cgi?id=152231

        Reviewed by Geoffrey Garen.

        Most x86 CPUs we care about support ceil() natively
        with the round instruction.

        This patch exposes that behind a runtime flag, uses it
        in the Math.ceil() thunk and exposes it to B3.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::supportsFloatingPointCeil):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsFloatingPointCeil):
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::ceilDouble):
        (JSC::MacroAssemblerX86Common::ceilFloat):
        (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil):
        (JSC::MacroAssemblerX86Common::supportsLZCNT):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::roundss_rr):
        (JSC::X86Assembler::roundss_mr):
        (JSC::X86Assembler::roundsd_rr):
        (JSC::X86Assembler::roundsd_mr):
        (JSC::X86Assembler::mfence):
        (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::ceilConstant):
        * b3/B3ConstDoubleValue.h:
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::ceilConstant):
        * b3/B3ConstFloatValue.h:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::ceilConstant):
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testCeilArg):
        (JSC::B3::testCeilImm):
        (JSC::B3::testCeilMem):
        (JSC::B3::testCeilCeilArg):
        (JSC::B3::testCeilIToD64):
        (JSC::B3::testCeilIToD32):
        (JSC::B3::testCeilArgWithUselessDoubleConversion):
        (JSC::B3::testCeilArgWithEffectfulDoubleConversion):
        (JSC::B3::populateWithInterestingValues):
        (JSC::B3::run):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::ceil64):
        * jit/ThunkGenerators.cpp:
        (JSC::ceilThunkGenerator):

2015-12-14  Andreas Kling  <akling@apple.com>

        ResourceUsageOverlay should show GC timers.
        <https://webkit.org/b/152151>

        Reviewed by Darin Adler.

        Expose the next fire time (in WTF timestamp style) of a GCActivityCallback.

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        * heap/GCActivityCallback.h:

2015-12-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix merge issue in a test.

        * b3/testb3.cpp:
        (JSC::B3::testCheckTwoMegaCombos):
        (JSC::B3::testCheckTwoNonRedundantMegaCombos):

2015-12-14  Filip Pizlo  <fpizlo@apple.com>

        B3 should not give ValueReps for the non-stackmap children of a CheckValue to the generator callback
        https://bugs.webkit.org/show_bug.cgi?id=152224

        Reviewed by Geoffrey Garen.

        Previously, a stackmap generator for a Check had to know how many children the B3 value for the
        Check had at the time of code generation. That meant that B3 could not change the kind of Check
        that it was - for example it cannot turn a Check into a Patchpoint and it cannot turn a CheckAdd
        into a Check. But just changing the contract so that the stackmap generation params only get the
        stackmap children of the check means that B3 can transform Checks as it likes.

        This is meant to aid sinking values into checks.

        Also, I found that the effects of a Check did not include HeapRange::top(). I think it's best if
        exitsSideways does not imply reading top, the way that it does in DFG. In the DFG, that makes
        sense because the exit analysis is orthogonal, so the clobber analysis tells you about the reads
        not counting OSR exit - if you need to you can conditionally merge that with World based on a
        separate exit analysis. But in B3, the Effects object tells you about both exiting and reading,
        and it's computed by one analysis. Prior to this change, Check was not setting reads to top() so
        we were effectively saying that Effects::reads is meaningless when exitsSideways is true. It
        seems more sensible to instead force the analysis to set reads to top() when setting
        exitsSideways to true, not least because we only have one such analysis and many users. But it
        also makes sense for another reason: it allows us to bound the set of things that the program
        will read after it exits. That might not be useful to us now, but it's a nice feature to get for
        free. I've seen language features that behave like exitsSideways that don't also read top,
        like an array bounds check that causes sudden termination without making any promises about how
        pretty the crash dump will look.

        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::generate):
        * b3/B3Opcode.h:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        * b3/testb3.cpp:
        (JSC::B3::testSimpleCheck):
        (JSC::B3::testCheckLessThan):
        (JSC::B3::testCheckMegaCombo):
        (JSC::B3::testCheckAddImm):
        (JSC::B3::testCheckAddImmCommute):
        (JSC::B3::testCheckAddImmSomeRegister):
        (JSC::B3::testCheckAdd):
        (JSC::B3::testCheckAdd64):
        (JSC::B3::testCheckSubImm):
        (JSC::B3::testCheckSubBadImm):
        (JSC::B3::testCheckSub):
        (JSC::B3::testCheckSub64):
        (JSC::B3::testCheckNeg):
        (JSC::B3::testCheckNeg64):
        (JSC::B3::testCheckMul):
        (JSC::B3::testCheckMulMemory):
        (JSC::B3::testCheckMul2):
        (JSC::B3::testCheckMul64):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):

2015-12-14  Filip Pizlo  <fpizlo@apple.com>

        Air: Support Architecture-specific forms and Opcodes
        https://bugs.webkit.org/show_bug.cgi?id=151736

        Reviewed by Benjamin Poulain.

        This adds really awesome architecture selection to the AirOpcode.opcodes file. If an opcode or
        opcode form is unavailable on some architecture, you can still mention its name in C++ code (it'll
        still be a member of the enum) but isValidForm() and all other reflective queries will tell you
        that it doesn't exist. This will make the instruction selector steer clear of it, and it will
        also ensure that the spiller doesn't try to use any unavailable architecture-specific address
        forms.

        The new capability is documented extensively in a comment in AirOpcode.opcodes.

        * b3/air/AirOpcode.opcodes:
        * b3/air/opcode_generator.rb:

2015-12-14  Mark Lam  <mark.lam@apple.com>

        Misc. small fixes in snippet related code.
        https://bugs.webkit.org/show_bug.cgi?id=152259

        Reviewed by Saam Barati.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        - When loading a constant JSValue for a node, use the one that the node already
          provides instead of reconstructing it.  This is not a bug, but the fix makes
          the code cleaner.

        * jit/JITBitAndGenerator.cpp:
        (JSC::JITBitAndGenerator::generateFastPath):
        - No need to do a bitand with a constant int 0xffffffff operand.

        * jit/JITBitOrGenerator.cpp:
        (JSC::JITBitOrGenerator::generateFastPath):
        - Fix comments: bitor is '|', not '&'.
        - No need to do a bitor with a constant int 0 operand.

        * jit/JITBitXorGenerator.cpp:
        (JSC::JITBitXorGenerator::generateFastPath):
        - Fix comments: bitxor is '^', not '&'.

        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        - Renamed a jump target name to be clearer about its purpose.

2015-12-14  Mark Lam  <mark.lam@apple.com>

        We should not employ the snippet code in the DFG if no OSR exit was previously encountered.
        https://bugs.webkit.org/show_bug.cgi?id=152255

        Reviewed by Saam Barati.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

690 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
691
692         B3->Air compare-branch fusion should fuse even if the result of the comparison is used more than once
693         https://bugs.webkit.org/show_bug.cgi?id=152198
694
695         Reviewed by Benjamin Poulain.
696
697         If we have a comparison operation that is branched on from multiple places, then we were
698         previously executing the comparison to get a boolean result in a register and then we were
699         testing/branching on that register in multiple places. This is actually less efficient than
700         just fusing the compare/branch multiple times, even though this means that the comparison
701         executes multiple times. This would only be bad if the comparison fused loads multiple times,
702         since duplicating loads is both wrong and inefficient. So, this adds the notion of sharing to
703         compare/branch fusion. If a compare is shared by multiple branches, then we refuse to fuse
704         the load.
705
706         To write the test, I needed to zero-extend 8 to 32. In the process of thinking about how to
707         do this, I realized that we needed lowerings for SExt8/SExt16. And I realized that the
708         lowerings for the other extension operations were not fully fleshed out; for example they
709         were incapable of load fusion. This patch fixes this and also adds some smart strength
710         reductions for BitAnd(@x, 0xff/0xffff/0xffffffff) - all of which should be lowered to a zero
711         extension.
712
713         This is a big win on asm.js code. It's not enough to bridge the gap to LLVM, but it's a huge
714         step in that direction.
715
716         * assembler/MacroAssemblerX86Common.h:
717         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
718         (JSC::MacroAssemblerX86Common::zeroExtend8To32):
719         (JSC::MacroAssemblerX86Common::signExtend8To32):
720         (JSC::MacroAssemblerX86Common::load16):
721         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
722         (JSC::MacroAssemblerX86Common::zeroExtend16To32):
723         (JSC::MacroAssemblerX86Common::signExtend16To32):
724         (JSC::MacroAssemblerX86Common::store32WithAddressOffsetPatch):
725         * assembler/X86Assembler.h:
726         (JSC::X86Assembler::movzbl_rr):
727         (JSC::X86Assembler::movsbl_rr):
728         (JSC::X86Assembler::movzwl_rr):
729         (JSC::X86Assembler::movswl_rr):
730         (JSC::X86Assembler::cmovl_rr):
731         * b3/B3LowerToAir.cpp:
732         (JSC::B3::Air::LowerToAir::createGenericCompare):
733         (JSC::B3::Air::LowerToAir::lower):
734         * b3/B3ReduceStrength.cpp:
735         * b3/air/AirOpcode.opcodes:
736         * b3/testb3.cpp:
737         (JSC::B3::testCheckMegaCombo):
738         (JSC::B3::testCheckTwoMegaCombos):
739         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
740         (JSC::B3::testCheckAddImm):
741         (JSC::B3::testTruncSExt32):
742         (JSC::B3::testSExt8):
743         (JSC::B3::testSExt8Fold):
744         (JSC::B3::testSExt8SExt8):
745         (JSC::B3::testSExt8SExt16):
746         (JSC::B3::testSExt8BitAnd):
747         (JSC::B3::testBitAndSExt8):
748         (JSC::B3::testSExt16):
749         (JSC::B3::testSExt16Fold):
750         (JSC::B3::testSExt16SExt16):
751         (JSC::B3::testSExt16SExt8):
752         (JSC::B3::testSExt16BitAnd):
753         (JSC::B3::testBitAndSExt16):
754         (JSC::B3::testSExt32BitAnd):
755         (JSC::B3::testBitAndSExt32):
756         (JSC::B3::testBasicSelect):
757         (JSC::B3::run):
758
759 2015-12-14  Chris Dumez  <cdumez@apple.com>
760
761         Roll out r193974 and follow-up fixes as it caused JSC crashes
762         https://bugs.webkit.org/show_bug.cgi?id=152256
763
764         Unreviewed, roll out r193974 and follow-up fixes as it caused JSC crashes.
765
766         * API/JSCallbackObject.h:
767         * builtins/FunctionPrototype.js:
768         * bytecode/BytecodeBasicBlock.cpp:
769         (JSC::isBranch):
770         * bytecode/BytecodeList.json:
771         * bytecode/BytecodeUseDef.h:
772         (JSC::computeUsesForBytecodeOffset):
773         (JSC::computeDefsForBytecodeOffset):
774         * bytecode/CodeBlock.cpp:
775         (JSC::CodeBlock::dumpBytecode):
776         * bytecode/ExitKind.cpp:
777         (JSC::exitKindToString): Deleted.
778         * bytecode/ExitKind.h:
779         * bytecode/PreciseJumpTargets.cpp:
780         (JSC::getJumpTargetsForBytecodeOffset):
781         * bytecompiler/BytecodeGenerator.cpp:
782         (JSC::BytecodeGenerator::emitCheckHasInstance):
783         (JSC::BytecodeGenerator::emitGetById): Deleted.
784         * bytecompiler/BytecodeGenerator.h:
785         (JSC::BytecodeGenerator::emitTypeOf): Deleted.
786         * bytecompiler/NodesCodegen.cpp:
787         (JSC::InstanceOfNode::emitBytecode):
788         (JSC::LogicalOpNode::emitBytecode): Deleted.
789         (JSC::LogicalOpNode::emitBytecodeInConditionContext): Deleted.
790         * dfg/DFGAbstractInterpreterInlines.h:
791         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
792         * dfg/DFGByteCodeParser.cpp:
793         (JSC::DFG::ByteCodeParser::parseBlock):
794         * dfg/DFGCapabilities.cpp:
795         (JSC::DFG::capabilityLevel):
796         * dfg/DFGClobberize.h:
797         (JSC::DFG::clobberize):
798         * dfg/DFGDoesGC.cpp:
799         (JSC::DFG::doesGC):
800         * dfg/DFGFixupPhase.cpp:
801         (JSC::DFG::FixupPhase::fixupNode):
802         * dfg/DFGHeapLocation.cpp:
803         (WTF::printInternal):
804         * dfg/DFGHeapLocation.h:
805         * dfg/DFGNode.h:
806         (JSC::DFG::Node::hasCellOperand): Deleted.
807         (JSC::DFG::Node::hasTransition): Deleted.
808         * dfg/DFGNodeType.h:
809         * dfg/DFGPredictionPropagationPhase.cpp:
810         (JSC::DFG::PredictionPropagationPhase::propagate):
811         * dfg/DFGSafeToExecute.h:
812         (JSC::DFG::safeToExecute):
813         * dfg/DFGSpeculativeJIT.cpp:
814         (JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
815         (JSC::DFG::SpeculativeJIT::compileArithAdd): Deleted.
816         * dfg/DFGSpeculativeJIT.h:
817         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
818         * dfg/DFGSpeculativeJIT32_64.cpp:
819         (JSC::DFG::SpeculativeJIT::compile):
820         * dfg/DFGSpeculativeJIT64.cpp:
821         (JSC::DFG::SpeculativeJIT::compile):
822         * ftl/FTLCapabilities.cpp:
823         (JSC::FTL::canCompile):
824         * ftl/FTLIntrinsicRepository.h:
825         * ftl/FTLLowerDFGToLLVM.cpp:
826         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
827         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance):
828         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOf): Deleted.
829         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty): Deleted.
830         * jit/CCallHelpers.h:
831         (JSC::CCallHelpers::setupArguments): Deleted.
832         (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
833         * jit/JIT.cpp:
834         (JSC::JIT::privateCompileMainPass):
835         (JSC::JIT::privateCompileSlowCases):
836         * jit/JIT.h:
837         * jit/JITInlines.h:
838         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
839         (JSC::JIT::callOperation): Deleted.
840         * jit/JITOpcodes.cpp:
841         (JSC::JIT::emit_op_check_has_instance):
842         (JSC::JIT::emit_op_instanceof):
843         (JSC::JIT::emitSlow_op_check_has_instance):
844         (JSC::JIT::emitSlow_op_instanceof):
845         (JSC::JIT::emit_op_is_undefined): Deleted.
846         (JSC::JIT::emitSlow_op_to_number): Deleted.
847         (JSC::JIT::emitSlow_op_to_string): Deleted.
848         * jit/JITOpcodes32_64.cpp:
849         (JSC::JIT::emit_op_check_has_instance):
850         (JSC::JIT::emit_op_instanceof):
851         (JSC::JIT::emitSlow_op_check_has_instance):
852         (JSC::JIT::emitSlow_op_instanceof):
853         (JSC::JIT::emit_op_is_undefined): Deleted.
854         * jit/JITOperations.cpp:
855         * jit/JITOperations.h:
856         * llint/LLIntData.cpp:
857         (JSC::LLInt::Data::performAssertions): Deleted.
858         * llint/LLIntSlowPaths.cpp:
859         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
860         * llint/LLIntSlowPaths.h:
861         * llint/LowLevelInterpreter32_64.asm:
862         * llint/LowLevelInterpreter64.asm:
863         * runtime/CommonIdentifiers.h:
864         * runtime/ExceptionHelpers.cpp:
865         (JSC::invalidParameterInstanceofSourceAppender):
866         (JSC::createInvalidInstanceofParameterError):
867         (JSC::createError): Deleted.
868         (JSC::createNotAFunctionError): Deleted.
869         (JSC::createNotAnObjectError): Deleted.
870         * runtime/ExceptionHelpers.h:
871         * runtime/FunctionPrototype.cpp:
872         (JSC::FunctionPrototype::addFunctionProperties):
873         * runtime/FunctionPrototype.h:
874         * runtime/JSBoundFunction.cpp:
875         (JSC::JSBoundFunction::create): Deleted.
876         (JSC::JSBoundFunction::customHasInstance): Deleted.
877         * runtime/JSBoundFunction.h:
878         * runtime/JSGlobalObject.cpp:
879         (JSC::JSGlobalObject::init):
880         (JSC::JSGlobalObject::visitChildren): Deleted.
881         * runtime/JSGlobalObject.h:
882         (JSC::JSGlobalObject::throwTypeErrorGetterSetter): Deleted.
883         * runtime/JSObject.cpp:
884         (JSC::JSObject::hasInstance):
885         (JSC::JSObject::defaultHasInstance): Deleted.
886         (JSC::JSObject::getPropertyNames): Deleted.
887         (JSC::JSObject::getOwnPropertyNames): Deleted.
888         * runtime/JSObject.h:
889         (JSC::JSFinalObject::create): Deleted.
890         * runtime/JSTypeInfo.h:
891         (JSC::TypeInfo::TypeInfo):
892         (JSC::TypeInfo::overridesHasInstance):
893         * runtime/WriteBarrier.h:
894         (JSC::WriteBarrierBase<Unknown>::slot):
895         * tests/es6.yaml:
896         * tests/stress/instanceof-custom-hasinstancesymbol.js: Removed.
897         * tests/stress/symbol-hasInstance.js: Removed.
898
899 2015-12-13  Benjamin Poulain  <bpoulain@apple.com>
900
901         [JSC] Remove FTL::Output's doubleEqualOrUnordered()
902         https://bugs.webkit.org/show_bug.cgi?id=152234
903
904         Reviewed by Sam Weinig.
905
906         It is unused, one less thing to worry about.
907
908         * ftl/FTLB3Output.h:
909         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
910         * ftl/FTLOutput.h:
911         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
912
913 2015-12-13  Yusuke Suzuki  <utatane.tea@gmail.com>
914
915         [JSC] Should not emit get_by_id for indexed property access
916         https://bugs.webkit.org/show_bug.cgi?id=151354
917
918         Reviewed by Darin Adler.
919
920         Before this patch, `a["1"]` was converted to an `a.1` get_by_id operation in the bytecode compiler.
921         get_by_id emits an IC. ICs rely on the fact that Structure transitions occur when adding / removing an object's properties.
922         However, that is not true for indexed element properties. They are stored in the element storage and no Structure transition occurs.
923
924         For example, in the following case,
925
926              function getOne(a) { return a['1']; }
927
928              for (var i = 0; i < 36; ++i)
929                  getOne({2: true});
930
931              if (!getOne({1: true}))
932                  throw new Error("OUT");
933
934         In this case, `a['1']` creates a get_by_id. The `getOne({2: true})` calls make getOne's get_by_id create an IC that says,
935         "when coming through this structure chain, there is no property "1", so we should return `undefined`".
936
937         After that, we call `getOne({1: true})`. But in this case, `{2: true}` and `{1: true}` have the same structure chain,
938         because indexed property addition does not cause a structure transition.
939         So the previous IC fast path is used and returns `undefined`. But the correct answer is returning `true`.
940
941         This patch fixes the above issue. When there is a string bracket access, we only emit get_by_id if the given string is not an index.
942         There are bugs in get_by_id, put_by_id, and put_by_id (direct). But only get_by_id poses a user-observable issue,
943         because in the put_by_id case, the generic path just says "this put is uncacheable".
944
945         * bytecompiler/BytecodeGenerator.cpp:
946         (JSC::BytecodeGenerator::emitGetById):
947         (JSC::BytecodeGenerator::emitPutById):
948         (JSC::BytecodeGenerator::emitDirectPutById):
949         * bytecompiler/NodesCodegen.cpp:
950         (JSC::isNonIndexStringElement):
951         (JSC::BracketAccessorNode::emitBytecode):
952         (JSC::FunctionCallBracketNode::emitBytecode):
953         (JSC::AssignBracketNode::emitBytecode):
954         (JSC::ObjectPatternNode::bindValue):
955         * tests/stress/element-property-get-should-not-handled-with-get-by-id.js: Added.
956         (getOne):
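A toy model of the failure described in this entry, added here as an illustration and not JSC's own code. It assumes an inline cache keyed only on the object's structure id, element storage that takes no part in structure transitions, and a canonical array-index rule (decimal, no leading zeros, at most 2^32 - 2); the names `parseIndex`, `GetByIdIC` and `replay` are this example's.

```cpp
// Added example, not JSC's own code: why `a["1"]` must not be compiled to a
// get_by_id with an inline cache (IC). Assumptions: an IC keyed only on the
// object's structure id, and element storage that does not take part in
// structure transitions, as the ChangeLog entry describes.
#include <cstdint>
#include <map>
#include <optional>
#include <string>

static const uint32_t kMaxArrayIndex = 0xFFFFFFFEu; // assumed largest array index

// Canonical array-index strings: decimal digits, no leading zero, <= 2^32 - 2.
std::optional<uint32_t> parseIndex(const std::string& key)
{
    if (key.empty() || key.size() > 10)
        return std::nullopt;
    if (key.size() > 1 && key[0] == '0')
        return std::nullopt;                 // "01" is a name, not an index
    uint64_t value = 0;
    for (char c : key) {
        if (c < '0' || c > '9')
            return std::nullopt;
        value = value * 10 + static_cast<uint64_t>(c - '0');
    }
    if (value > kMaxArrayIndex)
        return std::nullopt;
    return static_cast<uint32_t>(value);
}

// The check the patch adds (same name as in the entry's file list): a string
// bracket access may only become get_by_id if the string is not an index.
bool isNonIndexStringElement(const std::string& key)
{
    return !parseIndex(key).has_value();
}

struct Object {
    uint32_t structureId;              // changes only when named properties change
    std::map<std::string, int> named;  // properties covered by the structure
    std::map<uint32_t, int> indexed;   // element storage: no transition
};

// One-entry "property absent" IC for a single get_by_id site, keyed on structure.
struct GetByIdIC {
    std::optional<uint32_t> cachedMissStructure;
    std::optional<int> get(const Object& o, const std::string& key)
    {
        if (cachedMissStructure && *cachedMissStructure == o.structureId)
            return std::nullopt;           // fast path: "we know it is missing"
        auto it = o.named.find(key);
        if (it == o.named.end()) {
            cachedMissStructure = o.structureId;
            return std::nullopt;
        }
        return it->second;
    }
};

// Before the patch: `a["1"]` always went through get_by_id and its IC.
std::optional<int> getOneBuggy(GetByIdIC& ic, const Object& o)
{
    return ic.get(o, "1");
}

// After the patch: index-like strings read element storage (get_by_val).
std::optional<int> getOneFixed(GetByIdIC& ic, const Object& o)
{
    const std::string key = "1";
    if (isNonIndexStringElement(key))
        return ic.get(o, key);
    auto it = o.indexed.find(*parseIndex(key));
    if (it == o.indexed.end())
        return std::nullopt;
    return it->second;
}

// Replays the entry's scenario: warm up on {2: true}, then query {1: true}.
// Returns what the site sees for {1: true}; the buggy path reports it missing.
std::optional<int> replay(bool fixed)
{
    Object withTwo{7, {}, {{2, 1}}};   // constructed: both share structure 7
    Object withOne{7, {}, {{1, 1}}};
    GetByIdIC ic;
    for (int i = 0; i < 36; ++i) {
        if (fixed)
            getOneFixed(ic, withTwo);
        else
            getOneBuggy(ic, withTwo);
    }
    return fixed ? getOneFixed(ic, withOne) : getOneBuggy(ic, withOne);
}
```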
957
958 2015-12-13  Andreas Kling  <akling@apple.com>
959
960         CachedScript could have a copy-free path for all-ASCII scripts.
961         <https://webkit.org/b/152203>
962
963         Reviewed by Antti Koivisto.
964
965         Make SourceProvider vend a StringView instead of a String.
966         This relaxes the promises that providers have to make about string lifetimes.
967
968         This means that on the WebCore side, CachedScript is free to cache a String
969         internally, while only ever exposing it as a temporary StringView.
970
971         A few extra copies (CPU, not memory) are introduced, none of them on hot paths.
972
973         * API/JSScriptRef.cpp:
974         * bytecode/CodeBlock.cpp:
975         (JSC::CodeBlock::sourceCodeForTools):
976         (JSC::CodeBlock::dumpSource):
977         * inspector/ScriptDebugServer.cpp:
978         (Inspector::ScriptDebugServer::dispatchDidParseSource):
979         (Inspector::ScriptDebugServer::dispatchFailedToParseSource):
980         * interpreter/Interpreter.cpp:
981         (JSC::Interpreter::execute):
982         * jsc.cpp:
983         (functionFindTypeForExpression):
984         (functionHasBasicBlockExecuted):
985         (functionBasicBlockExecutionCount):
986         * parser/Lexer.cpp:
987         (JSC::Lexer<T>::setCode):
988         * parser/Lexer.h:
989         (JSC::Lexer<LChar>::setCodeStart):
990         (JSC::Lexer<UChar>::setCodeStart):
991         * parser/Parser.h:
992         (JSC::Parser::getToken):
993         * parser/SourceCode.cpp:
994         (JSC::SourceCode::toUTF8):
995         * parser/SourceCode.h:
996         (JSC::SourceCode::hash):
997         (JSC::SourceCode::view):
998         (JSC::SourceCode::toString): Deleted.
999         * parser/SourceCodeKey.h:
1000         (JSC::SourceCodeKey::SourceCodeKey):
1001         (JSC::SourceCodeKey::string):
1002         * parser/SourceProvider.h:
1003         (JSC::SourceProvider::getRange):
1004         * runtime/Completion.cpp:
1005         (JSC::loadAndEvaluateModule):
1006         (JSC::loadModule):
1007         * runtime/ErrorInstance.cpp:
1008         (JSC::appendSourceToError):
1009         * runtime/FunctionPrototype.cpp:
1010         (JSC::functionProtoFuncToString):
1011         * tools/FunctionOverrides.cpp:
1012         (JSC::initializeOverrideInfo):
1013         (JSC::FunctionOverrides::initializeOverrideFor):
1014
1015 2015-12-12  Benjamin Poulain  <benjamin@webkit.org>
1016
1017         [JSC] Add lowering for B3's Store8 opcode
1018         https://bugs.webkit.org/show_bug.cgi?id=152208
1019
1020         Reviewed by Geoffrey Garen.
1021
1022         B3 has an opcode to store 8-bit values but it had
1023         no lowering.
1024
1025         * b3/B3LowerToAir.cpp:
1026         (JSC::B3::Air::LowerToAir::createStore):
1027         (JSC::B3::Air::LowerToAir::lower):
1028         * b3/air/AirOpcode.opcodes:
1029         * b3/testb3.cpp:
1030         (JSC::B3::testStore8Arg):
1031         (JSC::B3::testStore8Imm):
1032         (JSC::B3::testStorePartial8BitRegisterOnX86):
1033         (JSC::B3::run):
1034
1035 2015-12-12  Csaba Osztrogonác  <ossy@webkit.org>
1036
1037         [ARM] Add the missing setupArgumentsWithExecState functions after r193974
1038         https://bugs.webkit.org/show_bug.cgi?id=152214
1039
1040         Reviewed by Mark Lam.
1041
1042         * jit/CCallHelpers.h:
1043         (JSC::CCallHelpers::setupArgumentsWithExecState):
1044
1045 2015-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1046
1047         Web Inspector: Too many derefs when RemoteInspectorXPCConnection fails to validate connection
1048         https://bugs.webkit.org/show_bug.cgi?id=152213
1049
1050         Rubber-stamped by Ryosuke Niwa.
1051
1052         * inspector/remote/RemoteInspectorXPCConnection.mm:
1053         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1054         We should just close the XPC connection, triggering XPC_ERROR_CONNECTION_INVALID,
1055         which will then gracefully tear down the connection as expected.
1056
1057 2015-12-11  Benjamin Poulain  <bpoulain@apple.com>
1058
1059         [JSC] Add Floating Point Abs() to B3
1060         https://bugs.webkit.org/show_bug.cgi?id=152176
1061
1062         Reviewed by Geoffrey Garen.
1063
1064         This patch adds an Abs() operation for floating point.
1065
1066         On x86, Abs() is implemented by masking the top bit
1067         of the floating point value. On ARM64, there is a builtin
1068         abs opcode.
1069
1070         To account for those differences, B3 uses "Abs" as
1071         the canonical operation. When we are about to lower
1072         to Air, Abs is extended on x86 to get a clean handling
1073         of the mask constants.
1074
1075         This patch has one cool thing related to FTL.
1076         If you do:
1077            @1 = unboxDouble(@0)
1078            @2 = abs(@1)
1079            @3 = boxDouble(@2)
1080
1081         B3ReduceStrength completely eliminates the Double-Integer
1082         conversion.
1083
1084         The strength reduction of Abs is aware that it can do a bit
1085         mask over the bitcast used by unboxing.
1086         It even works if you use floats by forcing fround: reduceDoubleToFloat()
1087         eliminates the useless conversions, followed by ReduceStrength
1088         that removes the switch from GP to FP.
1089
1090         * CMakeLists.txt:
1091         * JavaScriptCore.xcodeproj/project.pbxproj:
1092         * assembler/MacroAssemblerX86Common.h:
1093         (JSC::MacroAssemblerX86Common::andDouble):
1094         (JSC::MacroAssemblerX86Common::andFloat):
1095         * assembler/X86Assembler.h:
1096         (JSC::X86Assembler::andps_rr):
1097         * b3/B3ConstDoubleValue.cpp:
1098         (JSC::B3::ConstDoubleValue::bitAndConstant):
1099         (JSC::B3::ConstDoubleValue::absConstant):
1100         * b3/B3ConstDoubleValue.h:
1101         * b3/B3ConstFloatValue.cpp:
1102         (JSC::B3::ConstFloatValue::bitAndConstant):
1103         (JSC::B3::ConstFloatValue::absConstant):
1104         * b3/B3ConstFloatValue.h:
1105         * b3/B3Generate.cpp:
1106         (JSC::B3::generateToAir):
1107         * b3/B3LowerMacrosAfterOptimizations.cpp: Added.
1108         (JSC::B3::lowerMacrosAfterOptimizations):
1109         * b3/B3LowerMacrosAfterOptimizations.h: Added.
1110         * b3/B3LowerToAir.cpp:
1111         (JSC::B3::Air::LowerToAir::lower):
1112         * b3/B3Opcode.cpp:
1113         (WTF::printInternal):
1114         * b3/B3Opcode.h:
1115         * b3/B3ReduceDoubleToFloat.cpp:
1116         * b3/B3ReduceStrength.cpp:
1117         * b3/B3Validate.cpp:
1118         * b3/B3Value.cpp:
1119         (JSC::B3::Value::absConstant):
1120         (JSC::B3::Value::effects):
1121         (JSC::B3::Value::key):
1122         (JSC::B3::Value::typeFor):
1123         * b3/B3Value.h:
1124         * b3/air/AirOpcode.opcodes:
1125         * b3/testb3.cpp:
1126         (JSC::B3::bitAndDouble):
1127         (JSC::B3::testBitAndArgDouble):
1128         (JSC::B3::testBitAndArgsDouble):
1129         (JSC::B3::testBitAndArgImmDouble):
1130         (JSC::B3::testBitAndImmsDouble):
1131         (JSC::B3::bitAndFloat):
1132         (JSC::B3::testBitAndArgFloat):
1133         (JSC::B3::testBitAndArgsFloat):
1134         (JSC::B3::testBitAndArgImmFloat):
1135         (JSC::B3::testBitAndImmsFloat):
1136         (JSC::B3::testBitAndArgsFloatWithUselessDoubleConversion):
1137         (JSC::B3::testAbsArg):
1138         (JSC::B3::testAbsImm):
1139         (JSC::B3::testAbsMem):
1140         (JSC::B3::testAbsAbsArg):
1141         (JSC::B3::testAbsBitwiseCastArg):
1142         (JSC::B3::testBitwiseCastAbsBitwiseCastArg):
1143         (JSC::B3::testAbsArgWithUselessDoubleConversion):
1144         (JSC::B3::testAbsArgWithEffectfulDoubleConversion):
1145         (JSC::B3::run):
1146         * ftl/FTLB3Output.h:
1147         (JSC::FTL::Output::doubleAbs):
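The sign-bit masking and the unbox/abs/box reduction this entry describes, written out as an added example (not B3's or JSC's own code). It assumes unboxDouble/boxDouble are plain Int64/Double bitcasts and uses its own mask constants and helper names.

```cpp
// Added example, not B3's or JSC's own code: Abs() on a double done the x86
// way, by masking the sign bit, plus the strength reduction the entry describes.
// Assumption: unboxDouble/boxDouble are modelled as plain bitcasts, so
// box(abs(unbox(bits))) folds to a single integer AND on the boxed bits.
#include <cmath>
#include <cstdint>
#include <cstring>

static const uint64_t kDoubleAbsMask = 0x7FFFFFFFFFFFFFFFull; // clears the sign bit
static const uint32_t kFloatAbsMask = 0x7FFFFFFFu;

uint64_t doubleToBits(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
double bitsToDouble(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }
uint32_t floatToBits(float f) { uint32_t b; std::memcpy(&b, &f, sizeof b); return b; }
float bitsToFloat(uint32_t b) { float f; std::memcpy(&f, &b, sizeof f); return f; }

// What Abs lowers to on x86: an AND with a constant mask (andps/andpd).
double absDoubleByMask(double d) { return bitsToDouble(doubleToBits(d) & kDoubleAbsMask); }
float absFloatByMask(float f) { return bitsToFloat(floatToBits(f) & kFloatAbsMask); }

// The FTL pattern from the entry, before reduction:
//   @1 = unboxDouble(@0)   (Int64 -> Double bitcast)
//   @2 = abs(@1)
//   @3 = boxDouble(@2)     (Double -> Int64 bitcast)
uint64_t boxedAbsUnreduced(uint64_t boxed)
{
    double unboxed = bitsToDouble(boxed);
    double result = absDoubleByMask(unboxed);
    return doubleToBits(result);
}

// After B3ReduceStrength: the bitcasts cancel and Abs becomes BitAnd(@0, mask),
// so the value never leaves the integer register file.
uint64_t boxedAbsReduced(uint64_t boxed)
{
    return boxed & kDoubleAbsMask;
}

// The float variant after reduceDoubleToFloat(): same idea with a 32-bit mask.
uint32_t floatAbsReduced(uint32_t floatBits)
{
    return floatBits & kFloatAbsMask;
}

// Checks that the reduction is exact bit-for-bit and agrees with libm's fabs,
// including the -0.0 and infinity cases where a "compare and negate" abs differs.
bool reductionIsExact(double d)
{
    uint64_t bits = doubleToBits(d);
    return boxedAbsUnreduced(bits) == boxedAbsReduced(bits)
        && boxedAbsReduced(bits) == doubleToBits(std::fabs(d));
}
```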
1148
1149 2015-12-11  Mark Lam  <mark.lam@apple.com>
1150
1151         Removed some dead code, and simplified some code in the baseline JIT.
1152         https://bugs.webkit.org/show_bug.cgi?id=152199
1153
1154         Reviewed by Benjamin Poulain.
1155
1156         * jit/JIT.h:
1157         * jit/JITArithmetic.cpp:
1158         (JSC::JIT::emitBitBinaryOpFastPath):
1159         (JSC::JIT::emit_op_bitand):
1160         (JSC::JIT::emitSlow_op_lshift):
1161         (JSC::JIT::emitRightShiftFastPath):
1162         (JSC::JIT::emit_op_rshift):
1163         (JSC::JIT::emitSlow_op_rshift):
1164         (JSC::JIT::emit_op_urshift):
1165         (JSC::JIT::emitSlow_op_urshift):
1166
1167 2015-12-11  Filip Pizlo  <fpizlo@apple.com>
1168
1169         B3::reduceStrength should remove redundant Phi's
1170         https://bugs.webkit.org/show_bug.cgi?id=152184
1171
1172         Reviewed by Benjamin Poulain.
1173
1174         This adds redundant Phi removal using Aycock and Horspool's SSA simplification algorithm. This
1175         is needed because even in simple asm.js code, we see a lot of CFG simplification that leaves
1176         behind totally useless Phi's.
1177
1178         * b3/B3PhiChildren.cpp:
1179         (JSC::B3::PhiChildren::PhiChildren):
1180         * b3/B3PhiChildren.h:
1181         (JSC::B3::PhiChildren::at):
1182         (JSC::B3::PhiChildren::operator[]):
1183         (JSC::B3::PhiChildren::phis):
1184         * b3/B3ReduceStrength.cpp:
1185
1186 2015-12-11  Benjamin Poulain  <benjamin@webkit.org>
1187
1188         [JSC] Add an implementation of pow() taking an integer exponent to B3
1189         https://bugs.webkit.org/show_bug.cgi?id=152165
1190
1191         Reviewed by Mark Lam.
1192
1193         LLVM has this really neat optimized opcode for
1194         raising the power of something by an integer exponent.
1195
1196         There is no such native instruction so we need to extend
1197         the existing FTLOutput API to something efficient.
1198
1199         DFG has a pretty competitive implementation. In this patch,
1200         I added a version of it to B3.
1201         I created powDoubleInt32() instead of putting the code directly
1202         in FTL for easier testing and optimization.
1203
1204         * CMakeLists.txt:
1205         * JavaScriptCore.xcodeproj/project.pbxproj:
1206         * b3/B3MathExtras.cpp: Added.
1207         (JSC::B3::powDoubleInt32):
1208         * b3/B3MathExtras.h: Added.
1209         * b3/B3MemoryValue.h:
1210         * b3/testb3.cpp:
1211         (JSC::B3::testPowDoubleByIntegerLoop):
1212         (JSC::B3::run):
1213         * dfg/DFGSpeculativeJIT.cpp:
1214         (JSC::DFG::compileArithPowIntegerFastPath):
1215         * ftl/FTLB3Output.cpp:
1216         (JSC::FTL::Output::doublePowi):
1217         * ftl/FTLB3Output.h:
1218         (JSC::FTL::Output::doublePowi): Deleted.
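An added example, not B3's or the DFG's own code, of the integer-exponent power loop a powDoubleInt32()-style helper expresses: square-and-multiply over the exponent's bits. Handling a negative exponent as 1 / pow(x, -n) and the helper names `squaringsFor` and `agreesWithLibm` are this example's own choices.

```cpp
// Added example, not B3's or the DFG's own code: the square-and-multiply loop
// behind an integer-exponent pow(), written in plain C++ rather than B3 IR.
// Assumptions (this example's, not the engine's documented policy): the
// exponent magnitude is walked bit by bit, and a negative exponent is handled
// as 1 / pow(x, -n).
#include <cmath>
#include <cstdint>

double powDoubleInt32(double x, int32_t exponent)
{
    int64_t n = exponent;          // widen first: -INT32_MIN overflows int32_t
    bool negative = n < 0;
    if (negative)
        n = -n;
    double result = 1.0;
    double base = x;
    while (n) {                    // one multiply per set bit, one square per bit
        if (n & 1)
            result *= base;
        base *= base;
        n >>= 1;
    }
    return negative ? 1.0 / result : result;
}

// Number of loop iterations (squarings) the lowering performs for an exponent:
// floor(log2(|n|)) + 1, versus |n| - 1 multiplies for naive repeated multiply.
int squaringsFor(int32_t exponent)
{
    int64_t n = exponent < 0 ? -static_cast<int64_t>(exponent) : exponent;
    int count = 0;
    while (n) {
        ++count;
        n >>= 1;
    }
    return count;
}

// Cross-check against libm for exactly representable results.
bool agreesWithLibm(double x, int32_t exponent)
{
    return powDoubleInt32(x, exponent) == std::pow(x, static_cast<double>(exponent));
}
```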
1219
1220 2015-12-11  Filip Pizlo  <fpizlo@apple.com>
1221
1222         B3 should have CSE
1223         https://bugs.webkit.org/show_bug.cgi?id=150961
1224
1225         Reviewed by Benjamin Poulain.
1226
1227         This implements a very simple CSE for pure values. I need this as a prerequisite for other
1228         optimizations that I'm implementing. For now, this is neutral on imaging-gaussian-blur but a
1229         slow-down on asm.js code. I suspect that the asm.js slow-down is because of other things that are
1230         still going wrong, and anyway, I need CSE to be able to do even the most basic asm.js strength
1231         reductions.
1232
1233         * b3/B3ReduceStrength.cpp:
1234         * b3/B3ReduceStrength.h:
1235         * b3/B3Value.cpp:
1236         (JSC::B3::Value::replaceWithIdentity):
1237         (JSC::B3::Value::key):
1238
1239 2015-12-11  Mark Lam  <mark.lam@apple.com>
1240
1241         Refactoring to reduce potential cut-paste errors with the FTL ICs.
1242         https://bugs.webkit.org/show_bug.cgi?id=152185
1243
1244         Reviewed by Saam Barati.
1245
1246         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1247         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1248         * JavaScriptCore.xcodeproj/project.pbxproj:
1249
1250         * ftl/FTLCompile.cpp:
1251         - ICs now have their own names.  GetById and PutByID fast path ICs no longer just
1252           say "inline cache fast path".
1253
1254         * ftl/FTLCompileBinaryOp.cpp:
1255         (JSC::FTL::generateBinaryArithOpFastPath):
1256         - Fixed an indentation.
1257
1258         * ftl/FTLInlineCacheDescriptor.h:
1259         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
1260         (JSC::FTL::InlineCacheDescriptor::name):
1261         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
1262         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
1263         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
1264         (JSC::FTL::BinaryOpDescriptor::nodeType):
1265         (JSC::FTL::BinaryOpDescriptor::size):
1266         (JSC::FTL::BinaryOpDescriptor::slowPathFunction):
1267         (JSC::FTL::BinaryOpDescriptor::leftOperand):
1268         (JSC::FTL::BinaryOpDescriptor::BinaryOpDescriptor):
1269         (JSC::FTL::ArithDivDescriptor::ArithDivDescriptor):
1270         (JSC::FTL::ArithDivDescriptor::icSize):
1271         (JSC::FTL::ArithDivDescriptor::nodeType):
1272         (JSC::FTL::ArithDivDescriptor::opName):
1273         (JSC::FTL::ArithDivDescriptor::slowPathFunction):
1274         (JSC::FTL::ArithDivDescriptor::nonNumberSlowPathFunction):
1275         (JSC::FTL::ArithMulDescriptor::ArithMulDescriptor):
1276         (JSC::FTL::ArithMulDescriptor::icSize):
1277         (JSC::FTL::ArithMulDescriptor::nodeType):
1278         (JSC::FTL::ArithMulDescriptor::opName):
1279         (JSC::FTL::ArithMulDescriptor::slowPathFunction):
1280         (JSC::FTL::ArithMulDescriptor::nonNumberSlowPathFunction):
1281         (JSC::FTL::ArithSubDescriptor::ArithSubDescriptor):
1282         (JSC::FTL::ArithSubDescriptor::icSize):
1283         (JSC::FTL::ArithSubDescriptor::nodeType):
1284         (JSC::FTL::ArithSubDescriptor::opName):
1285         (JSC::FTL::ArithSubDescriptor::slowPathFunction):
1286         (JSC::FTL::ArithSubDescriptor::nonNumberSlowPathFunction):
1287         (JSC::FTL::ValueAddDescriptor::ValueAddDescriptor):
1288         (JSC::FTL::ValueAddDescriptor::icSize):
1289         (JSC::FTL::ValueAddDescriptor::nodeType):
1290         (JSC::FTL::ValueAddDescriptor::opName):
1291         (JSC::FTL::ValueAddDescriptor::slowPathFunction):
1292         (JSC::FTL::ValueAddDescriptor::nonNumberSlowPathFunction):
1293         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
1294         (JSC::FTL::ProbeDescriptor::ProbeDescriptor):
1295         (JSC::FTL::BinaryOpDescriptor::name): Deleted.
1296         (JSC::FTL::BinaryOpDescriptor::fastPathICName): Deleted.
1297         * ftl/FTLInlineCacheDescriptorInlines.h: Removed.
1298         - Consolidate the number of places where we have to fill in a data about new
1299           snippet ICs.  It is all done in FTLInlineCacheDescriptor.h now.
1300
1301         * ftl/FTLJITFinalizer.cpp:
1302         (JSC::FTL::JITFinalizer::finalizeFunction):
1303
1304         * ftl/FTLLowerDFGToLLVM.cpp:
1305         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
1306         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
1307         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1308         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
1309         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
1310         - Introduced a compileUntypedBinaryOp() template and use that at all the FTL
1311           places that need to use a snippet.  This reduces the amount of cut and paste
1312           code.
1313
1314         * ftl/FTLState.h:
1315         - Removed a bad #include.
1316
1317 2015-12-11  Keith Miller  <keith_miller@apple.com>
1318
1319         Overrides has instance should not move ValueFalse to a register then immediately to the stack in the LLInt.
1320         https://bugs.webkit.org/show_bug.cgi?id=152188
1321
1322         Reviewed by Mark Lam.
1323
1324         This fixes a minor issue with the code for the overrides_has_instance in the LLInt. Old code had an extra move,
1325         which is both slow and breaks the build on cloop.
1326
1327         * llint/LowLevelInterpreter64.asm:
1328
1329 2015-12-11  Keith Miller  <keith_miller@apple.com>
1330
1331         [ES6] Add support for Symbol.hasInstance
1332         https://bugs.webkit.org/show_bug.cgi?id=151839
1333
1334         Reviewed by Saam Barati.
1335
1336         This patch adds support for Symbol.hasInstance; unfortunately, in order to prevent
1337         regressions, several new bytecodes and DFG IR nodes were necessary. Before Symbol.hasInstance,
1338         when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
1339         then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
1340         new ones. First, the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
1341         a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
1342         needs non-default behavior for resolving the expression, i.e. the constructor has a Symbol.hasInstance that differs from the one on
1343         Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
1344         we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. instanceof_custom just
1345         emits a call to slow path code that computes the result.
1346
1347         In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
1348         OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
1349         it into a CheckTypeInfoFlags followed by a JSConstant.
1350
1351         * API/JSCallbackObject.h:
1352         * builtins/FunctionPrototype.js:
1353         (symbolHasInstance):
1354         * bytecode/BytecodeBasicBlock.cpp:
1355         (JSC::isBranch): Deleted.
1356         * bytecode/BytecodeList.json:
1357         * bytecode/BytecodeUseDef.h:
1358         (JSC::computeUsesForBytecodeOffset):
1359         (JSC::computeDefsForBytecodeOffset):
1360         * bytecode/CodeBlock.cpp:
1361         (JSC::CodeBlock::dumpBytecode):
1362         * bytecode/ExitKind.cpp:
1363         (JSC::exitKindToString):
1364         * bytecode/ExitKind.h:
1365         * bytecode/PreciseJumpTargets.cpp:
1366         (JSC::getJumpTargetsForBytecodeOffset): Deleted.
1367         * bytecompiler/BytecodeGenerator.cpp:
1368         (JSC::BytecodeGenerator::emitOverridesHasInstance):
1369         (JSC::BytecodeGenerator::emitInstanceOfCustom):
1370         (JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
1371         * bytecompiler/BytecodeGenerator.h:
1372         * bytecompiler/NodesCodegen.cpp:
1373         (JSC::InstanceOfNode::emitBytecode):
1374         * dfg/DFGAbstractInterpreterInlines.h:
1375         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1376         * dfg/DFGByteCodeParser.cpp:
1377         (JSC::DFG::ByteCodeParser::parseBlock):
1378         * dfg/DFGCapabilities.cpp:
1379         (JSC::DFG::capabilityLevel):
1380         * dfg/DFGClobberize.h:
1381         (JSC::DFG::clobberize):
1382         * dfg/DFGDoesGC.cpp:
1383         (JSC::DFG::doesGC):
1384         * dfg/DFGFixupPhase.cpp:
1385         (JSC::DFG::FixupPhase::fixupNode):
1386         * dfg/DFGHeapLocation.cpp:
1387         (WTF::printInternal):
1388         * dfg/DFGHeapLocation.h:
1389         * dfg/DFGNode.h:
1390         (JSC::DFG::Node::hasCellOperand):
1391         (JSC::DFG::Node::hasTypeInfoOperand):
1392         (JSC::DFG::Node::typeInfoOperand):
1393         * dfg/DFGNodeType.h:
1394         * dfg/DFGPredictionPropagationPhase.cpp:
1395         (JSC::DFG::PredictionPropagationPhase::propagate):
1396         * dfg/DFGSafeToExecute.h:
1397         (JSC::DFG::safeToExecute):
1398         * dfg/DFGSpeculativeJIT.cpp:
1399         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
1400         (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
1401         * dfg/DFGSpeculativeJIT.h:
1402         (JSC::DFG::SpeculativeJIT::callOperation):
1403         * dfg/DFGSpeculativeJIT32_64.cpp:
1404         (JSC::DFG::SpeculativeJIT::compile):
1405         * dfg/DFGSpeculativeJIT64.cpp:
1406         (JSC::DFG::SpeculativeJIT::compile):
1407         * ftl/FTLCapabilities.cpp:
1408         (JSC::FTL::canCompile):
1409         * ftl/FTLIntrinsicRepository.h:
1410         * ftl/FTLLowerDFGToLLVM.cpp:
1411         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1412         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
1413         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
1414         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
1415         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
1416         * jit/JIT.cpp:
1417         (JSC::JIT::privateCompileMainPass):
1418         (JSC::JIT::privateCompileSlowCases):
1419         * jit/JIT.h:
1420         * jit/JITInlines.h:
1421         (JSC::JIT::callOperation):
1422         * jit/JITOpcodes.cpp:
1423         (JSC::JIT::emit_op_overrides_has_instance):
1424         (JSC::JIT::emit_op_instanceof):
1425         (JSC::JIT::emit_op_instanceof_custom):
1426         (JSC::JIT::emitSlow_op_instanceof):
1427         (JSC::JIT::emitSlow_op_instanceof_custom):
1428         (JSC::JIT::emit_op_check_has_instance): Deleted.
1429         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
1430         * jit/JITOpcodes32_64.cpp:
1431         (JSC::JIT::emit_op_overrides_has_instance):
1432         (JSC::JIT::emit_op_instanceof):
1433         (JSC::JIT::emit_op_instanceof_custom):
1434         (JSC::JIT::emitSlow_op_instanceof_custom):
1435         (JSC::JIT::emit_op_check_has_instance): Deleted.
1436         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
1437         * jit/JITOperations.cpp:
1438         * jit/JITOperations.h:
1439         * llint/LLIntData.cpp:
1440         (JSC::LLInt::Data::performAssertions):
1441         * llint/LLIntSlowPaths.cpp:
1442         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1443         * llint/LLIntSlowPaths.h:
1444         * llint/LowLevelInterpreter32_64.asm:
1445         * llint/LowLevelInterpreter64.asm:
1446         * runtime/CommonIdentifiers.h:
1447         * runtime/ExceptionHelpers.cpp:
1448         (JSC::invalidParameterInstanceofSourceAppender):
1449         (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
1450         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
1451         (JSC::createInvalidInstanceofParameterErrorNotFunction):
1452         (JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
1453         (JSC::createInvalidInstanceofParameterError): Deleted.
1454         * runtime/ExceptionHelpers.h:
1455         * runtime/FunctionPrototype.cpp:
1456         (JSC::FunctionPrototype::addFunctionProperties):
1457         * runtime/FunctionPrototype.h:
1458         * runtime/JSBoundFunction.cpp:
1459         (JSC::isBoundFunction):
1460         (JSC::hasInstanceBoundFunction):
1461         * runtime/JSBoundFunction.h:
1462         * runtime/JSGlobalObject.cpp:
1463         (JSC::JSGlobalObject::init):
1464         (JSC::JSGlobalObject::visitChildren):
1465         * runtime/JSGlobalObject.h:
1466         (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
1467         * runtime/JSObject.cpp:
1468         (JSC::JSObject::hasInstance):
1469         (JSC::objectPrivateFuncInstanceOf):
1470         * runtime/JSObject.h:
1471         * runtime/JSTypeInfo.h:
1472         (JSC::TypeInfo::TypeInfo):
1473         (JSC::TypeInfo::overridesHasInstance):
1474         * runtime/WriteBarrier.h:
1475         (JSC::WriteBarrierBase<Unknown>::slot):
1476         * tests/es6.yaml:
1477         * tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
1478         (Constructor):
1479         (value):
1480         (instanceOf):
1481         (body):
1482         * tests/stress/symbol-hasInstance.js: Added.
1483         (Constructor):
1484         (value):
1485         (ObjectClass.Symbol.hasInstance):
1486         (NumberClass.Symbol.hasInstance):
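
As an added example (not code from this WebKit entry or from JavaScriptCore), here is a plain-JavaScript model of the ES6 instanceof algorithm that these bytecodes implement, run side by side with the engine's own operator over the paths the entry describes: the default path, a custom Symbol.hasInstance, a bound function, and a non-callable Symbol.hasInstance value. The engine decides the bound/API-function case from a type-info flag; this example's stand-in is the lack of an own `prototype` property, and every sample constructor below is constructed for the example.

```javascript
// Added example, not code from the WebKit ChangeLog: a plain-JS model of
// `O instanceof C` as specified in ES6, alongside the engine's own operator.

const isObject = (v) => (typeof v === "object" && v !== null) || typeof v === "function";

// OrdinaryHasInstance(C, O) from the ES6 spec, minus the bound-function step;
// the caller routes bound functions to the engine's default handler instead.
function ordinaryHasInstance(C, O) {
  if (typeof C !== "function") return false;
  if (!isObject(O)) return false;
  const P = C.prototype;
  if (!isObject(P)) {
    throw new TypeError("instanceof called on an object with an invalid prototype property.");
  }
  for (let proto = Object.getPrototypeOf(O); proto !== null; proto = Object.getPrototypeOf(proto)) {
    if (proto === P) return true;
  }
  return false;
}

const defaultHasInstance = Function.prototype[Symbol.hasInstance];

// Models the question the entry's overrides_has_instance bytecode answers: does
// this constructor need non-default behaviour? The engine reads a type-info flag
// for bound/API functions; here a missing own `prototype` property stands in for
// that flag (an assumption of this example, not the engine's actual check).
function overridesHasInstance(C) {
  return C[Symbol.hasInstance] !== defaultHasInstance
    || !Object.prototype.hasOwnProperty.call(C, "prototype");
}

// InstanceofOperator(O, C): the whole `O instanceof C` expression.
function instanceOf(O, C) {
  if (!isObject(C)) {
    throw new TypeError("Right hand side of instanceof is not an object");
  }
  const handler = C[Symbol.hasInstance];
  if (handler !== undefined && handler !== null) {
    if (typeof handler !== "function") {
      // The entry's new "hasInstanceValueNotFunction" error case.
      throw new TypeError("Symbol.hasInstance value is not a function");
    }
    if (!overridesHasInstance(C)) {
      return ordinaryHasInstance(C, O); // default path (op_instanceof)
    }
    return Boolean(handler.call(C, O)); // custom path (op_instanceof_custom)
  }
  if (typeof C !== "function") {
    throw new TypeError("Right hand side of instanceof is not callable");
  }
  return ordinaryHasInstance(C, O);
}

// Constructed sample constructors, one per path.
class Plain {}
class EvenNumber {
  static [Symbol.hasInstance](value) {
    return Number.isInteger(value) && value % 2 === 0;
  }
}
const BoundPlain = Plain.bind(null);
const NonCallableHandler = { [Symbol.hasInstance]: 42 };

// Runs each case through the model and the engine; returns one row per case.
function compareWithEngine() {
  const plain = new Plain();
  const cases = [
    ["Plain instance against Plain", plain, Plain],
    ["4 against EvenNumber", 4, EvenNumber],
    ["3 against EvenNumber", 3, EvenNumber],
    ["Plain instance against bound Plain", plain, BoundPlain],
  ];
  return cases.map(([label, value, ctor]) => ({
    label,
    overrides: overridesHasInstance(ctor),
    model: instanceOf(value, ctor),
    engine: value instanceof ctor,
  }));
}

// Both the model and the engine must reject a non-callable Symbol.hasInstance.
function throwsForNonCallableHandler() {
  return [instanceOf, (o, c) => o instanceof c].map((fn) => {
    try {
      fn({}, NonCallableHandler);
      return null;
    } catch (e) {
      return e.constructor.name;
    }
  });
}

console.log(compareWithEngine(), throwsForNonCallableHandler());
```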
1487
1488 2015-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1489
1490         check-for-inappropriate-objc-class-names should check all class names, not just externally visible ones
1491         https://bugs.webkit.org/show_bug.cgi?id=152156
1492
1493         Reviewed by Dan Bernstein.
1494
1495         * llvm/InitializeLLVMMac.cpp:
1496         Remove stale comment. The ObjC class this comment referenced
1497         has already been removed.
1498
1499 2015-12-11  Benjamin Poulain  <benjamin@webkit.org>
1500
1501         [JSC] Little cleanup of FTLOutput type casts and conversions
1502         https://bugs.webkit.org/show_bug.cgi?id=152166
1503
1504         Reviewed by Geoffrey Garen.
1505
1506         Clean up:
1507         - Change fpCast() to explicit conversion doubleToFloat() and floatToDouble()
1508           to match B3's opcodes.
1509         - Remove unused conversion functions.
1510         - Use the most specific cast function when possible.
1511         - Functions that are only used inside FTLOutput are made private.
1512           In FTLB3Output, those functions were removed.
1513
1514         * ftl/FTLB3Output.h:
1515         (JSC::FTL::Output::doubleToFloat):
1516         (JSC::FTL::Output::floatToDouble):
1517         (JSC::FTL::Output::fround):
1518         (JSC::FTL::Output::fpToInt): Deleted.
1519         (JSC::FTL::Output::fpToUInt): Deleted.
1520         (JSC::FTL::Output::intToFP): Deleted.
1521         (JSC::FTL::Output::unsignedToFP): Deleted.
1522         (JSC::FTL::Output::intCast): Deleted.
1523         (JSC::FTL::Output::fpCast): Deleted.
1524         (JSC::FTL::Output::intToPtr): Deleted.
1525         (JSC::FTL::Output::ptrToInt): Deleted.
1526         * ftl/FTLLowerDFGToLLVM.cpp:
1527         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
1528         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
1529         * ftl/FTLOutput.h:
1530         (JSC::FTL::Output::doubleToFloat):
1531         (JSC::FTL::Output::floatToDouble):
1532         (JSC::FTL::Output::intCast):
1533         (JSC::FTL::Output::fpToInt):
1534         (JSC::FTL::Output::fpToUInt):
1535         (JSC::FTL::Output::fpCast):
1536         (JSC::FTL::Output::intToFP):
1537         (JSC::FTL::Output::unsignedToFP):
1538
1539 2015-12-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1540
1541         Binding and builtin generators should lowercase RTCXX as rtcXX and not rTCXX
1542         https://bugs.webkit.org/show_bug.cgi?id=152121
1543
1544         Reviewed by Darin Adler.
1545
1546         * Scripts/builtins/builtins_generator.py:
1547         (WK_lcfirst): Added RTC special rule.
1548
1549 2015-12-09  Filip Pizlo  <fpizlo@apple.com>
1550
1551         FTL B3 should be able to run quicksort asm.js test
1552         https://bugs.webkit.org/show_bug.cgi?id=152105
1553
1554         Reviewed by Geoffrey Garen.
1555
1556         This covers making all of the changes needed to run quicksort.js from AsmBench.
1557
1558         - Reintroduced float types to FTLLower since we now have B3::Float.
1559
1560         - Gave FTL::Output the ability to speak of load types and store types separately from LValue
1561           types. This dodges the problem that B3 doesn't have types for Int8 and Int16 but supports loads
1562           and stores of that type.
1563
1564         - Implemented Mod in B3 and wrote tests.
1565
1566         I also fixed a pre-existing bug in a test that appeared to only manifest in release builds.
1567
1568         Currently, B3's performance on asm.js tests is not good. It should be easy to fix:
1569
1570         - B3 should strength-reduce the shifting madness that happens in asm.js memory accesses
1571           https://bugs.webkit.org/show_bug.cgi?id=152106
1572
1573         - B3 constant hoisting should have a story for the asm.js heap constant
1574           https://bugs.webkit.org/show_bug.cgi?id=152107
1575
1576         * b3/B3CCallValue.h:
1577         * b3/B3Const32Value.cpp:
1578         (JSC::B3::Const32Value::divConstant):
1579         (JSC::B3::Const32Value::modConstant):
1580         (JSC::B3::Const32Value::bitAndConstant):
1581         * b3/B3Const32Value.h:
1582         * b3/B3Const64Value.cpp:
1583         (JSC::B3::Const64Value::divConstant):
1584         (JSC::B3::Const64Value::modConstant):
1585         (JSC::B3::Const64Value::bitAndConstant):
1586         * b3/B3Const64Value.h:
1587         * b3/B3ReduceStrength.cpp:
1588         * b3/B3Validate.cpp:
1589         * b3/B3Value.cpp:
1590         (JSC::B3::Value::divConstant):
1591         (JSC::B3::Value::modConstant):
1592         (JSC::B3::Value::bitAndConstant):
1593         * b3/B3Value.h:
1594         * b3/testb3.cpp:
1595         (JSC::B3::testChillDiv64):
1596         (JSC::B3::testMod):
1597         (JSC::B3::testSwitch):
1598         (JSC::B3::run):
1599         * ftl/FTLB3Output.cpp:
1600         (JSC::FTL::Output::load16ZeroExt32):
1601         (JSC::FTL::Output::store):
1602         (JSC::FTL::Output::store32As8):
1603         (JSC::FTL::Output::store32As16):
1604         (JSC::FTL::Output::loadFloatToDouble): Deleted.
1605         * ftl/FTLB3Output.h:
1606         (JSC::FTL::Output::mul):
1607         (JSC::FTL::Output::div):
1608         (JSC::FTL::Output::chillDiv):
1609         (JSC::FTL::Output::rem):
1610         (JSC::FTL::Output::neg):
1611         (JSC::FTL::Output::load32):
1612         (JSC::FTL::Output::load64):
1613         (JSC::FTL::Output::loadPtr):
1614         (JSC::FTL::Output::loadFloat):
1615         (JSC::FTL::Output::loadDouble):
1616         (JSC::FTL::Output::store32):
1617         (JSC::FTL::Output::store64):
1618         (JSC::FTL::Output::storePtr):
1619         (JSC::FTL::Output::storeFloat):
1620         (JSC::FTL::Output::storeDouble):
1621         (JSC::FTL::Output::addPtr):
1622         (JSC::FTL::Output::extractValue):
1623         (JSC::FTL::Output::call):
1624         (JSC::FTL::Output::operation):
1625         * ftl/FTLLowerDFGToLLVM.cpp:
1626         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
1627         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
1628         (JSC::FTL::DFG::LowerDFGToLLVM::compileArrayPush):
1629         (JSC::FTL::DFG::LowerDFGToLLVM::compileArrayPop):
1630         * ftl/FTLOutput.cpp:
1631         (JSC::FTL::Output::Output):
1632         (JSC::FTL::Output::store):
1633         (JSC::FTL::Output::check):
1634         (JSC::FTL::Output::load):
1635         * ftl/FTLOutput.h:
1636         (JSC::FTL::Output::load32):
1637         (JSC::FTL::Output::load64):
1638         (JSC::FTL::Output::loadPtr):
1639         (JSC::FTL::Output::loadFloat):
1640         (JSC::FTL::Output::loadDouble):
1641         (JSC::FTL::Output::store32As8):
1642         (JSC::FTL::Output::store32As16):
1643         (JSC::FTL::Output::store32):
1644         (JSC::FTL::Output::store64):
1645         (JSC::FTL::Output::storePtr):
1646         (JSC::FTL::Output::storeFloat):
1647         (JSC::FTL::Output::storeDouble):
1648         (JSC::FTL::Output::addPtr):
1649         (JSC::FTL::Output::loadFloatToDouble): Deleted.
1650         (JSC::FTL::Output::store16): Deleted.
1651
1652 2015-12-10  Filip Pizlo  <fpizlo@apple.com>
1653
1654         Consider still matching an address expression even if B3 has already assigned a Tmp to it
1655         https://bugs.webkit.org/show_bug.cgi?id=150777
1656
1657         Reviewed by Geoffrey Garen.
1658
1659         We need some heuristic for when an address should be computed as a separate instruction. It's
1660         usually profitable to sink the address into the memory access. The previous heuristic meant that
1661         the address would get separate instructions if it was in a separate block from the memory access.
1662         This was messing up codegen of things like PutByVal out-of-bounds, where the address is computed
1663         in one block and then used in another. I don't think that which block owns the address
1664         computation should factor into any heuristic here, since it's so fragile: the compiler may lower
1665         something by splitting blocks and we don't want this to ruin performance.
1666
1667         So, this replaces that heuristic with a more sensible one: the address computation gets its own
1668         instruction if it has a lot of uses. In practice this means that we always sink the address
1669         computation into the memory access.
1670
1671         * b3/B3LowerToAir.cpp:
1672         (JSC::B3::Air::LowerToAir::effectiveAddr):
1673
1674 2015-12-10  Daniel Bates  <dabates@apple.com>
1675
1676         [CSP] eval() is not blocked for stringified literals
1677         https://bugs.webkit.org/show_bug.cgi?id=152158
1678         <rdar://problem/15775625>
1679
1680         Reviewed by Saam Barati.
1681
1682         Fixes an issue where stringified literals can be eval()ed despite being disallowed by
1683         Content Security Policy of the page.
1684
1685         * interpreter/Interpreter.cpp:
1686         (JSC::eval): Throw a JavaScript EvalError exception if eval() is disallowed for the page
1687         and return undefined.
1688         * runtime/JSGlobalObjectFunctions.cpp:
1689         (JSC::globalFuncEval): Ditto.
1690
1691 2015-12-10  Joseph Pecoraro  <pecoraro@apple.com>
1692
1693         Fix jsc symlink creation on iOS
1694         https://bugs.webkit.org/show_bug.cgi?id=152155
1695
1696         Reviewed by Dan Bernstein.
1697
1698         * JavaScriptCore.xcodeproj/project.pbxproj:
1699         Switch from INSTALL_PATH_ACTUAL to just INSTALL_PATH.
1700         Remove now unnecessary INSTALL_PATH_PREFIX use as well.
1701
1702 2015-12-10  Joseph Pecoraro  <pecoraro@apple.com>
1703
1704         Remote Inspector: Verify the identity of the other side of XPC connections
1705         https://bugs.webkit.org/show_bug.cgi?id=152153
1706
1707         Reviewed by Brian Burg.
1708
1709         * JavaScriptCore.xcodeproj/project.pbxproj:
1710         Link with the Security framework.
1711
1712         * inspector/remote/RemoteInspectorXPCConnection.h:
1713         * inspector/remote/RemoteInspectorXPCConnection.mm:
1714         (auditTokenHasEntitlement):
1715         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1716         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection): Deleted.
1717         When receiving the first message, verify the XPC connection
1718         is connected to who we thought we were connected to and
1719         bail if it isn't.
1720
1721 2015-12-10  Benjamin Poulain  <bpoulain@apple.com>
1722
1723         [JSC] Add a Modulo operator to B3, and a chill variant
1724         https://bugs.webkit.org/show_bug.cgi?id=152110
1725
1726         Reviewed by Geoffrey Garen.
1727
1728         It is basically refactoring the Div and ChillDiv
1729         code to be used by both opcodes.
1730
1731         * b3/B3Common.h:
1732         (JSC::B3::chillDiv):
1733         (JSC::B3::chillMod):
1734         * b3/B3Const32Value.cpp:
1735         (JSC::B3::Const32Value::modConstant):
1736         * b3/B3Const32Value.h:
1737         * b3/B3Const64Value.cpp:
1738         (JSC::B3::Const64Value::modConstant):
1739         * b3/B3Const64Value.h:
1740         * b3/B3ConstDoubleValue.cpp:
1741         (JSC::B3::ConstDoubleValue::modConstant):
1742         * b3/B3ConstDoubleValue.h:
1743         * b3/B3LowerMacros.cpp:
1744         * b3/B3LowerToAir.cpp:
1745         (JSC::B3::Air::LowerToAir::lower):
1746         (JSC::B3::Air::LowerToAir::lowerX86Div):
1747         * b3/B3Opcode.cpp:
1748         (WTF::printInternal):
1749         * b3/B3Opcode.h:
1750         * b3/B3ReduceStrength.cpp:
1751         * b3/B3Validate.cpp:
1752         * b3/B3Value.cpp:
1753         (JSC::B3::Value::modConstant):
1754         (JSC::B3::Value::effects):
1755         (JSC::B3::Value::key):
1756         (JSC::B3::Value::typeFor):
1757         * b3/B3Value.h:
1758         * b3/testb3.cpp:
1759         (JSC::B3::testModArgDouble):
1760         (JSC::B3::testModArgsDouble):
1761         (JSC::B3::testModArgImmDouble):
1762         (JSC::B3::testModImmArgDouble):
1763         (JSC::B3::testModImmsDouble):
1764         (JSC::B3::testModArgFloat):
1765         (JSC::B3::testModArgsFloat):
1766         (JSC::B3::testModArgImmFloat):
1767         (JSC::B3::testModImmArgFloat):
1768         (JSC::B3::testModImmsFloat):
1769         (JSC::B3::testModArg):
1770         (JSC::B3::testModArgs):
1771         (JSC::B3::testModImms):
1772         (JSC::B3::testModArg32):
1773         (JSC::B3::testModArgs32):
1774         (JSC::B3::testModImms32):
1775         (JSC::B3::testChillModArg):
1776         (JSC::B3::testChillModArgs):
1777         (JSC::B3::testChillModImms):
1778         (JSC::B3::testChillModArg32):
1779         (JSC::B3::testChillModArgs32):
1780         (JSC::B3::testChillModImms32):
1781         (JSC::B3::run):
1782         * ftl/FTLB3Output.h:
1783         (JSC::FTL::Output::mod):
1784         (JSC::FTL::Output::chillMod):
1785         (JSC::FTL::Output::doubleMod):
1786         (JSC::FTL::Output::rem): Deleted.
1787         (JSC::FTL::Output::doubleRem): Deleted.
1788         * ftl/FTLLowerDFGToLLVM.cpp:
1789         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMod):
1790         * ftl/FTLOutput.cpp:
1791         (JSC::FTL::Output::chillMod):
1792         * ftl/FTLOutput.h:
1793         (JSC::FTL::Output::mod):
1794         (JSC::FTL::Output::doubleMod):
1795         (JSC::FTL::Output::rem): Deleted.
1796         (JSC::FTL::Output::doubleRem): Deleted.
1797
1798 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1799
1800         [B3] Add new files to the cmake build system
1801         https://bugs.webkit.org/show_bug.cgi?id=152120
1802
1803         Reviewed by Filip Pizlo.
1804
1805         * CMakeLists.txt:
1806
1807 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1808
1809         [B3] Use mark pragmas only if it is supported
1810         https://bugs.webkit.org/show_bug.cgi?id=152123
1811
1812         Reviewed by Mark Lam.
1813
1814         * ftl/FTLB3Output.h:
1815
1816 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1817
1818         [B3] Typo fix in testb3.cpp
1819         https://bugs.webkit.org/show_bug.cgi?id=152126
1820
1821         Reviewed by Mark Lam.
1822
1823         * b3/testb3.cpp:
1824         (JSC::B3::populateWithInterestingValues):
1825
1826 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1827
1828         [B3] Fix unused-but-set-variable warning
1829         https://bugs.webkit.org/show_bug.cgi?id=152122
1830
1831         Reviewed by Mark Lam.
1832
1833         * ftl/FTLLowerDFGToLLVM.cpp:
1834         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1835
1836 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1837
1838         [B3] Make GCC ignore warnings in FTLB3Output.h
1839         https://bugs.webkit.org/show_bug.cgi?id=152124
1840
1841         Reviewed by Mark Lam.
1842
1843         * ftl/FTLB3Output.h:
1844
1845 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1846
1847         [EFL] Remove the unused IncrementalSweeper::m_isTimerFrozen member after r193749
1848         https://bugs.webkit.org/show_bug.cgi?id=152127
1849
1850         Reviewed by Mark Lam.
1851
1852         * heap/IncrementalSweeper.h:
1853
1854 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1855
1856         Source/JavaScriptCore/create_hash_table shouldn't be too verbose
1857         https://bugs.webkit.org/show_bug.cgi?id=151861
1858
1859         Reviewed by Darin Adler.
1860
1861         * create_hash_table:
1862
1863 2015-12-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1864
1865         JSC Builtins should use safe array methods
1866         https://bugs.webkit.org/show_bug.cgi?id=151501
1867
1868         Reviewed by Darin Adler.
1869
1870         Adding @push and @shift to Array prototype.
1871         Using @push in TypedArray built-in.
1872
1873         Covered by added test in LayoutTests/js/builtins
1874
1875         * builtins/TypedArray.prototype.js:
1876         (filter):
1877         * runtime/ArrayPrototype.cpp:
1878         (JSC::ArrayPrototype::finishCreation):
1879         * runtime/CommonIdentifiers.h:
1880
1881 2015-12-08  Filip Pizlo  <fpizlo@apple.com>
1882
1883         FTL B3 should have basic GetById support
1884         https://bugs.webkit.org/show_bug.cgi?id=152035
1885
1886         Reviewed by Saam Barati.
1887
1888         Adds basic GetById support. This was so easy to do. Unlike the LLVM code for this, the B3 code is
1889         entirely self-contained within the getById() method in LowerDFG.
1890
1891         I discovered that we weren't folding Check(NotEqual(x, 0)) to Check(x). This was preventing us
1892         from generating good code for Check(NotEqual(BitAnd(x, tagMask), 0)), since the BitAnd was
1893         concealed. This was an easy strength reduction rule to add.
1894
1895         Finally, I found it easier to say append(value, rep) than append(ConstrainedValue(value, rep)), so
1896         I added that API. The old ConstrainedValue form is still super useful in other places, like
1897         compileCallOrConstruct(), where the two-argument form would be awkward. It's great to have both
1898         APIs to pick from.
1899
1900         * b3/B3ReduceStrength.cpp:
1901         * b3/B3StackmapValue.cpp:
1902         (JSC::B3::StackmapValue::~StackmapValue):
1903         (JSC::B3::StackmapValue::append):
1904         * b3/B3StackmapValue.h:
1905         * dfg/DFGCommon.h:
1906         * ftl/FTLLowerDFGToLLVM.cpp:
1907         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
1908
1909 2015-12-09  Saam barati  <sbarati@apple.com>
1910
1911         Update generators' features.json to indicate that we have a spec compliant implementation
1912         https://bugs.webkit.org/show_bug.cgi?id=152085
1913
1914         Reviewed by Joseph Pecoraro.
1915
1916         * features.json:
1917
1918 2015-12-09  Saam barati  <sbarati@apple.com>
1919
1920         Update features.json w.r.t tail calls
1921         https://bugs.webkit.org/show_bug.cgi?id=152072
1922
1923         Reviewed by Michael Saboff.
1924
1925         * features.json:
1926
1927 2015-12-09  Saam barati  <sbarati@apple.com>
1928
1929         we should emit op_watchdog after op_enter
1930         https://bugs.webkit.org/show_bug.cgi?id=151972
1931
1932         Reviewed by Mark Lam.
1933
1934         This also solves the issue of watchdog not being
1935         observed when we loop purely through tail calls.
1936
1937         * API/tests/ExecutionTimeLimitTest.cpp:
1938         (testExecutionTimeLimit):
1939         * bytecompiler/BytecodeGenerator.cpp:
1940         (JSC::BytecodeGenerator::BytecodeGenerator):
1941         (JSC::BytecodeGenerator::emitProfiledOpcode):
1942         (JSC::BytecodeGenerator::emitEnter):
1943         (JSC::BytecodeGenerator::emitLoopHint):
1944         * bytecompiler/BytecodeGenerator.h:
1945
1946 2015-12-08  Benjamin Poulain  <bpoulain@apple.com>
1947
1948         [JSC] Improve how B3 lowers Add() and Sub() on x86
1949         https://bugs.webkit.org/show_bug.cgi?id=152026
1950
1951         Reviewed by Geoffrey Garen.
1952
1953         The assembler was missing some important x86 forms of
1954         ADD and SUB that were making our lowering
1955         unfriendly with register allocation.
1956
1957         First, we were missing a 3 operand version of Add
1958         implemented with LEA. As a result, an Add would
1959         be lowered as:
1960             Move op1->srcDest
1961             Add op2, srcDest
1962         The problem with such code is that op2 and srcDest
1963         interfere. It is impossible to assign them the same
1964         machine register.
1965
1966         With the new Add form, we have:
1967             Add op1, op2, dest
1968         without interferences between any of those values.
1969         The add is implemented by a LEA without scaling or displacement.
1970
1971         This patch also adds missing forms of Add and Sub with
1972         direct addressing for arguments. This avoids dealing with Tmps
1973         that only exist for those operations.
1974
1975         Finally, the lowering of adding something to itself was updated accordingly.
1976         Such an operation is transformed into Shl by 2. The lowering of Shl
1977         was adding an explicit Move, preventing the use of LEA when it
1978         is useful.
1979         Instead of having an explicit move, I changed the direct addressing
1980         forms to only be selected if the two operands are different.
1981         A Move is then added by appendBinOp() if needed.
1982
1983         * assembler/MacroAssemblerX86Common.h:
1984         (JSC::MacroAssemblerX86Common::add32):
1985         (JSC::MacroAssemblerX86Common::x86Lea32):
1986         * assembler/MacroAssemblerX86_64.h:
1987         (JSC::MacroAssemblerX86_64::add64):
1988         (JSC::MacroAssemblerX86_64::x86Lea64):
1989         (JSC::MacroAssemblerX86_64::sub64):
1990         * assembler/X86Assembler.h:
1991         (JSC::X86Assembler::addq_rm):
1992         (JSC::X86Assembler::subq_mr):
1993         (JSC::X86Assembler::subq_rm):
1994         (JSC::X86Assembler::subq_im):
1995         (JSC::X86Assembler::leal_mr):
1996         (JSC::X86Assembler::leaq_mr):
1997         * b3/B3LowerToAir.cpp:
1998         (JSC::B3::Air::LowerToAir::appendBinOp):
1999         (JSC::B3::Air::LowerToAir::lower):
2000         * b3/air/AirOpcode.opcodes:
2001         * b3/testb3.cpp:
2002         (JSC::B3::testAddArgMem):
2003         (JSC::B3::testAddMemArg):
2004         (JSC::B3::testAddImmMem):
2005         (JSC::B3::testAddArg32):
2006         (JSC::B3::testAddArgMem32):
2007         (JSC::B3::testAddMemArg32):
2008         (JSC::B3::testAddImmMem32):
2009         (JSC::B3::testSubArgMem):
2010         (JSC::B3::testSubMemArg):
2011         (JSC::B3::testSubImmMem):
2012         (JSC::B3::testSubMemImm):
2013         (JSC::B3::testSubMemArg32):
2014         (JSC::B3::testSubArgMem32):
2015         (JSC::B3::testSubImmMem32):
2016         (JSC::B3::testSubMemImm32):
2017         (JSC::B3::run):
2018
2019 2015-12-08  Mark Lam  <mark.lam@apple.com>
2020
2021         Factoring out common DFG code for bitwise and shift operators.
2022         https://bugs.webkit.org/show_bug.cgi?id=152019
2023
2024         Reviewed by Michael Saboff.
2025
2026         * dfg/DFGSpeculativeJIT.cpp:
2027         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
2028         (JSC::DFG::SpeculativeJIT::compileShiftOp):
2029         * dfg/DFGSpeculativeJIT.h:
2030         * dfg/DFGSpeculativeJIT32_64.cpp:
2031         (JSC::DFG::SpeculativeJIT::compile):
2032         * dfg/DFGSpeculativeJIT64.cpp:
2033         (JSC::DFG::SpeculativeJIT::compile):
2034
2035 2015-12-08  Mark Lam  <mark.lam@apple.com>
2036
2037         DFG and FTL should be resilient against cases where both snippet operands are constant.
2038         https://bugs.webkit.org/show_bug.cgi?id=152017
2039
2040         Reviewed by Michael Saboff.
2041
2042         The DFG front end may not always constant fold cases where both operands are
2043         constant.  As a result, the DFG and FTL back ends need to be resilient against
2044         this when using snippet generators since the generators do not support the case
2045         where both operands are constant.  The strategy for handling this 2 const operands
2046         case is to treat at least one of them as a variable if both are constant.
2047
2048         * dfg/DFGSpeculativeJIT.cpp:
2049         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2050         - Also remove the case for folding 2 constant operands.  It is the front end's
2051           job to do so, not the back end here.
2052
2053         (JSC::DFG::SpeculativeJIT::compileArithSub):
2054         (JSC::DFG::SpeculativeJIT::compileArithMul):
2055         * ftl/FTLLowerDFGToLLVM.cpp:
2056         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2057         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2058
2059 2015-12-08  Mark Lam  <mark.lam@apple.com>
2060
2061         Snippefy shift operators for the baseline JIT.
2062         https://bugs.webkit.org/show_bug.cgi?id=151875
2063
2064         Reviewed by Geoffrey Garen.
2065
2066         * CMakeLists.txt:
2067         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2068         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2069         * JavaScriptCore.xcodeproj/project.pbxproj:
2070         * jit/JIT.h:
2071
2072         * jit/JITArithmetic.cpp:
2073         (JSC::JIT::emitBitBinaryOpFastPath):
2074         - Don't need GPRInfo:: qualifiers.  Removed them to reduce verbosity.
2075         - Also removed the emitStoreInt32() case for storing the result on 32-bit ports.
2076           This is because:
2077           1. The client should not make assumptions about whether the snippet fast path
2078              only includes cases where the result tag already contains the IntTag.
2079           2. The "(op1 == result || op2 == result)" condition for skipping the IntTag
2080              storage is only valid for the bitand, bitor, and bitxor implementations.
2081              It is invalid for the lshift implementation that uses this code now.
2082           Instead, we'll always unconditionally store the result tag that the
2083           snippet computed for us.
2084
2085         (JSC::JIT::emit_op_lshift):
2086         (JSC::JIT::emitSlow_op_lshift):
2087         (JSC::JIT::emitRightShiftFastPath):
2088         (JSC::JIT::emit_op_rshift):
2089         (JSC::JIT::emitSlow_op_rshift):
2090         (JSC::JIT::emit_op_urshift):
2091         (JSC::JIT::emitSlow_op_urshift):
2092
2093         * jit/JITArithmetic32_64.cpp:
2094         (JSC::JIT::emit_op_lshift): Deleted.
2095         (JSC::JIT::emitSlow_op_lshift): Deleted.
2096         (JSC::JIT::emitRightShift): Deleted.
2097         (JSC::JIT::emitRightShiftSlowCase): Deleted.
2098         (JSC::JIT::emit_op_rshift): Deleted.
2099         (JSC::JIT::emitSlow_op_rshift): Deleted.
2100         (JSC::JIT::emit_op_urshift): Deleted.
2101         (JSC::JIT::emitSlow_op_urshift): Deleted.
2102
2103         * jit/JITLeftShiftGenerator.cpp: Added.
2104         (JSC::JITLeftShiftGenerator::generateFastPath):
2105         * jit/JITLeftShiftGenerator.h: Added.
2106         (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
2107         * jit/JITRightShiftGenerator.cpp: Added.
2108         (JSC::JITRightShiftGenerator::generateFastPath):
2109         * jit/JITRightShiftGenerator.h: Added.
2110         (JSC::JITRightShiftGenerator::JITRightShiftGenerator):
2111
2112         * tests/stress/op_lshift.js:
2113         * tests/stress/op_rshift.js:
2114         * tests/stress/op_urshift.js:
2115         - Fixed some values and added others that are meaningful for testing shifts.
2116
2117         * tests/stress/resources/binary-op-test.js:
2118         (stringifyIfNeeded):
2119         (generateBinaryTests):
2120         - Fixed the test generator to give unique names to all the generated test
2121           functions.  Without this, multiple tests may end up using the same global
2122           test function.  As a result, with enough test values to test, the function may
2123           get prematurely JITted, and the computed expected result, which is supposed to
2124           be computed by the LLINT, may end up being computed by a JIT instead.
2125
2126 2015-12-08  Joseph Pecoraro  <pecoraro@apple.com>
2127
2128         Create a Sandbox SPI header
2129         https://bugs.webkit.org/show_bug.cgi?id=151981
2130
2131         Reviewed by Andy Estes.
2132
2133         * inspector/remote/RemoteInspector.mm:
2134
2135 2015-12-08  Filip Pizlo  <fpizlo@apple.com>
2136
2137         DFG::UnificationPhase should merge isProfitableToUnbox, since this may have been set in ByteCodeParser
2138         https://bugs.webkit.org/show_bug.cgi?id=152011
2139         rdar://problem/23777875
2140
2141         Reviewed by Michael Saboff.
2142
2143         Previously UnificationPhase did not merge this because we used to only set this in FixupPhase, which runs after unification. But now
2144         ByteCodeParser may set isProfitableToUnbox as part of how it handles the ArgumentCount of an inlined varargs call, so UnificationPhase
2145         needs to merge it after unifying.
2146
2147         Also changed the order of unification since this makes the bug more obvious and easier to test.
2148
2149         * dfg/DFGUnificationPhase.cpp:
2150         (JSC::DFG::UnificationPhase::run):
2151         * tests/stress/varargs-with-unused-count.js: Added.
2152
2153 2015-12-08  Mark Lam  <mark.lam@apple.com>
2154
2155         Polymorphic operand types for DFG and FTL div.
2156         https://bugs.webkit.org/show_bug.cgi?id=151747
2157
2158         Reviewed by Geoffrey Garen.
2159
2160         Perf on benchmarks is neutral.  The new JSRegress ftl-object-div test shows
2161         a speed up not from the div operator itself, but from the fact that the
2162         polymorphic operand types support now allows the test function to run without OSR
2163         exiting, thereby realizing the DFG and FTL's speed up on other work that the test
2164         function does.
2165
2166         This patch has passed the layout tests on x86_64 with a debug build.
2167         It passed the JSC tests with x86 and x86_64 debug builds.
2168
2169         * dfg/DFGAbstractInterpreterInlines.h:
2170         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2171         * dfg/DFGClobberize.h:
2172         (JSC::DFG::clobberize):
2173         * dfg/DFGFixupPhase.cpp:
2174         (JSC::DFG::FixupPhase::fixupNode):
2175         * dfg/DFGOperations.cpp:
2176         * dfg/DFGOperations.h:
2177         * dfg/DFGPredictionPropagationPhase.cpp:
2178         (JSC::DFG::PredictionPropagationPhase::propagate):
2179
2180         * dfg/DFGSpeculativeJIT.cpp:
2181         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2182
2183         * ftl/FTLCompileBinaryOp.cpp:
2184         (JSC::FTL::generateBinaryArithOpFastPath):
2185         (JSC::FTL::generateBinaryOpFastPath):
2186
2187         * ftl/FTLInlineCacheDescriptor.h:
2188         * ftl/FTLInlineCacheDescriptorInlines.h:
2189         (JSC::FTL::ArithDivDescriptor::ArithDivDescriptor):
2190         (JSC::FTL::ArithDivDescriptor::icSize):
2191
2192         * ftl/FTLInlineCacheSize.cpp:
2193         (JSC::FTL::sizeOfArithDiv):
2194         * ftl/FTLInlineCacheSize.h:
2195
2196         * ftl/FTLLowerDFGToLLVM.cpp:
2197         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2198         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2199         - Fixed a cut-paste bug where the op_mul IC was using the op_sub IC size.
2200           This bug is benign because the op_sub IC size turns out to be larger
2201           than op_mul needs.
2202         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2203
2204         * jit/JITArithmetic.cpp:
2205         (JSC::JIT::emit_op_div):
2206         - Fixed a bug where the scratchFPR was not allocated for the 64bit port.
2207           This bug is benign because the scratchFPR is only needed if the scratchGPR
2208           register (used for branchConvertDoubleToInt32()) is
2209           >= X86Registers::r8.  Since we're always using regT2 for the scratchT2,
2210           the scratchFPR is never needed.  However, we should fix this anyway to
2211           be correct.
2212
2213         * tests/stress/op_div.js:
2214         - Fixed some test values.
2215
2216 2015-12-05  Aleksandr Skachkov  <gskachkov@gmail.com>
2217
2218         [ES6] "super" and "this" should be lexically bound inside an arrow function and should live in a JSLexicalEnvironment
2219         https://bugs.webkit.org/show_bug.cgi?id=149338
2220
2221         Reviewed by Saam Barati.
2222
2223         Implemented a new version of the lexically bound 'this' in arrow functions. In the current version,
2224         'this' is stored inside of the lexical environment of the function. To store and load it we use
2225         the op_get_from_scope and op_put_to_scope operations. Also, the new implementation prevents raising a TDZ
2226         error for arrow functions that are declared before super() but invoked after it.
2227
2228         * builtins/BuiltinExecutables.cpp:
2229         (JSC::createExecutableInternal):
2230         * bytecode/BytecodeList.json:
2231         * bytecode/BytecodeUseDef.h:
2232         * bytecode/CodeBlock.cpp:
2233         (JSC::CodeBlock::dumpBytecode):
2234         * bytecode/EvalCodeCache.h:
2235         (JSC::EvalCodeCache::getSlow):
2236         * bytecode/ExecutableInfo.h:
2237         (JSC::ExecutableInfo::ExecutableInfo):
2238         (JSC::ExecutableInfo::isDerivedConstructorContext):
2239         (JSC::ExecutableInfo::isArrowFunctionContext):
2240         * bytecode/UnlinkedCodeBlock.cpp:
2241         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2242         * bytecode/UnlinkedCodeBlock.h:
2243         (JSC::UnlinkedCodeBlock::isArrowFunction):
2244         (JSC::UnlinkedCodeBlock::isDerivedConstructorContext):
2245         (JSC::UnlinkedCodeBlock::isArrowFunctionContext):
2246         * bytecode/UnlinkedFunctionExecutable.cpp:
2247         (JSC::generateUnlinkedFunctionCodeBlock):
2248         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2249         * bytecode/UnlinkedFunctionExecutable.h:
2250         * bytecompiler/BytecodeGenerator.cpp:
2251         (JSC::BytecodeGenerator::BytecodeGenerator):
2252         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2253         (JSC::BytecodeGenerator::variable):
2254         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
2255         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2256         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
2257         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
2258         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
2259         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
2260         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2261         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
2262         * bytecompiler/BytecodeGenerator.h:
2263         (JSC::BytecodeGenerator::isDerivedConstructorContext):
2264         (JSC::BytecodeGenerator::usesArrowFunction):
2265         (JSC::BytecodeGenerator::needsToUpdateArrowFunctionContext):
2266         (JSC::BytecodeGenerator::usesEval):
2267         (JSC::BytecodeGenerator::usesThis):
2268         (JSC::BytecodeGenerator::newTarget):
2269         (JSC::BytecodeGenerator::makeFunction):
2270         * bytecompiler/NodesCodegen.cpp:
2271         (JSC::ThisNode::emitBytecode):
2272         (JSC::SuperNode::emitBytecode):
2273         (JSC::EvalFunctionCallNode::emitBytecode):
2274         (JSC::FunctionCallValueNode::emitBytecode):
2275         (JSC::FunctionNode::emitBytecode):
2276         * debugger/DebuggerCallFrame.cpp:
2277         (JSC::DebuggerCallFrame::evaluate):
2278         * dfg/DFGAbstractInterpreterInlines.h:
2279         * dfg/DFGByteCodeParser.cpp:
2280         (JSC::DFG::ByteCodeParser::parseBlock):
2281         * dfg/DFGCapabilities.cpp:
2282         * dfg/DFGClobberize.h:
2283         * dfg/DFGDoesGC.cpp:
2284         * dfg/DFGFixupPhase.cpp:
2285         * dfg/DFGNodeType.h:
2286         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2287         * dfg/DFGPredictionPropagationPhase.cpp:
2288         * dfg/DFGPromotedHeapLocation.cpp:
2289         * dfg/DFGPromotedHeapLocation.h:
2290         * dfg/DFGSafeToExecute.h:
2291         * dfg/DFGSpeculativeJIT.cpp:
2292         * dfg/DFGSpeculativeJIT.h:
2293         * dfg/DFGSpeculativeJIT32_64.cpp:
2294         * dfg/DFGSpeculativeJIT64.cpp:
2295         * ftl/FTLCapabilities.cpp:
2296         * ftl/FTLLowerDFGToLLVM.cpp:
2297         * ftl/FTLOperations.cpp:
2298         (JSC::FTL::operationMaterializeObjectInOSR):
2299         * interpreter/Interpreter.cpp:
2300         (JSC::eval):
2301         * jit/JIT.cpp:
2302         * jit/JIT.h:
2303         * jit/JITOpcodes.cpp:
2304         (JSC::JIT::emitNewFuncExprCommon):
2305         * jit/JITOpcodes32_64.cpp:
2306         * llint/LLIntSlowPaths.cpp:
2307         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2308         * llint/LowLevelInterpreter.asm:
2309         * llint/LowLevelInterpreter32_64.asm:
2310         * llint/LowLevelInterpreter64.asm:
2311         * parser/ASTBuilder.h:
2312         (JSC::ASTBuilder::createArrowFunctionExpr):
2313         (JSC::ASTBuilder::usesArrowFunction):
2314         * parser/Nodes.h:
2315         (JSC::ScopeNode::usesArrowFunction):
2316         * parser/Parser.cpp:
2317         (JSC::Parser<LexerType>::parseFunctionInfo):
2318         * parser/ParserModes.h:
2319         * runtime/CodeCache.cpp:
2320         (JSC::CodeCache::getGlobalCodeBlock):
2321         (JSC::CodeCache::getProgramCodeBlock):
2322         (JSC::CodeCache::getEvalCodeBlock):
2323         (JSC::CodeCache::getModuleProgramCodeBlock):
2324         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2325         * runtime/CodeCache.h:
2326         * runtime/CommonIdentifiers.h:
2327         * runtime/CommonSlowPaths.cpp:
2328         (JSC::SLOW_PATH_DECL):
2329         * runtime/Executable.cpp:
2330         (JSC::ScriptExecutable::ScriptExecutable):
2331         (JSC::EvalExecutable::create):
2332         (JSC::EvalExecutable::EvalExecutable):
2333         (JSC::ProgramExecutable::ProgramExecutable):
2334         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2335         (JSC::FunctionExecutable::FunctionExecutable):
2336         * runtime/Executable.h:
2337         (JSC::ScriptExecutable::isArrowFunctionContext):
2338         (JSC::ScriptExecutable::isDerivedConstructorContext):
2339         * runtime/JSGlobalObject.cpp:
2340         (JSC::JSGlobalObject::createEvalCodeBlock):
2341         * runtime/JSGlobalObject.h:
2342         * runtime/JSGlobalObjectFunctions.cpp:
2343         (JSC::globalFuncEval):
2344         * tests/es6.yaml:
2345         * tests/stress/arrowfunction-activation-sink-osrexit.js:
2346         * tests/stress/arrowfunction-activation-sink.js:
2347         * tests/stress/arrowfunction-lexical-bind-newtarget.js: Added.
2348         * tests/stress/arrowfunction-lexical-bind-supercall-1.js: Added.
2349         * tests/stress/arrowfunction-lexical-bind-supercall-2.js: Added.
2350         * tests/stress/arrowfunction-lexical-bind-supercall-3.js: Added.
2351         * tests/stress/arrowfunction-lexical-bind-supercall-4.js: Added.
2352         * tests/stress/arrowfunction-lexical-bind-this-1.js:
2353         * tests/stress/arrowfunction-lexical-bind-this-7.js: Added.
2354         * tests/stress/arrowfunction-tdz-1.js: Added.
2355         * tests/stress/arrowfunction-tdz-2.js: Added.
2356         * tests/stress/arrowfunction-tdz-3.js: Added.
2357         * tests/stress/arrowfunction-tdz-4.js: Added.
2358         * tests/stress/arrowfunction-tdz.js: Removed.
2359
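As an added illustration (not part of this patch or WebKit's test suite), the semantics the entry describes, exercised in a derived constructor: an arrow created before super() captures the lexical 'this' and new.target and fails with a ReferenceError only if it is invoked while 'this' is still in its TDZ, and super() itself may be called through an arrow. The class and function names are constructed for the example.

```javascript
// Added example, not from the WebKit patch: lexical binding of 'this',
// 'super' and new.target inside arrow functions in a derived constructor.
class Base {
  constructor() { this.tag = "base"; }
  describe() { return "described by Base"; }
}

class Derived extends Base {
  constructor(callBeforeSuper) {
    // The arrows are created before super(): they capture the constructor's
    // lexical 'this' / new.target bindings; 'this' is in its TDZ until super() returns.
    const getThis = () => this;
    const getNewTarget = () => new.target;
    if (callBeforeSuper) {
      getThis(); // ReferenceError: 'this' is not initialized yet
    }
    super();
    // Invoked after super(): the same arrow now sees the initialized 'this'.
    this.arrowSeesThis = getThis() === this;
    this.arrowNewTarget = getNewTarget() === Derived;
  }
  describe() {
    // 'super' inside an arrow refers to the enclosing method's home object.
    const viaArrow = () => super.describe();
    return viaArrow() + ", then Derived";
  }
}

class DerivedViaArrow extends Base {
  constructor() {
    const callSuper = () => super(); // super() may be called through an arrow
    callSuper();
    this.initializedViaArrow = true;
  }
}

// Returns a plain summary so the outcome can be inspected without try/catch at the call site.
function probe(callBeforeSuper) {
  try {
    const d = new Derived(callBeforeSuper);
    return {
      ok: true,
      arrowSeesThis: d.arrowSeesThis,
      arrowNewTarget: d.arrowNewTarget,
      described: d.describe(),
    };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

function probeSuperViaArrow() {
  const d = new DerivedViaArrow();
  return d.tag === "base" && d.initializedViaArrow === true;
}

console.log(probe(true).error);       // "ReferenceError"
console.log(probe(false).described);  // "described by Base, then Derived"
console.log(probeSuperViaArrow());    // true
```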
2360 2015-12-08  Csaba Osztrogonác  <ossy@webkit.org>
2361
2362         Fix the !ENABLE(DFG_JIT) build after r193649
2363         https://bugs.webkit.org/show_bug.cgi?id=151985
2364
2365         Reviewed by Saam Barati.
2366
2367         * jit/JITOpcodes.cpp:
2368         (JSC::JIT::emitSlow_op_loop_hint):
2369
2370 2015-12-08  Alberto Garcia  <berto@igalia.com>
2371
2372         Unreviewed. Remove unnecessary check for 0 in commitSize().
2373
2374         Change suggested by Darin Adler in bug #130237.
2375
2376         * interpreter/JSStack.cpp:
2377         (JSC::commitSize):
2378
2379 2015-12-08  Ryuan Choi  <ryuan.choi@navercorp.com>
2380
2381         [EFL] Remove the flag to check timer state in IncrementalSweeper
2382         https://bugs.webkit.org/show_bug.cgi?id=151988
2383
2384         Reviewed by Gyuyoung Kim.
2385
2386         * heap/IncrementalSweeper.cpp:
2387         (JSC::IncrementalSweeper::scheduleTimer):
2388         (JSC::IncrementalSweeper::IncrementalSweeper):
2389         (JSC::IncrementalSweeper::cancelTimer):
2390
2391 2015-12-08  Philippe Normand  <pnormand@igalia.com>
2392
2393         [Mac][GTK] Fix JSC FTL build
2394         https://bugs.webkit.org/show_bug.cgi?id=151915
2395
2396         Reviewed by Csaba Osztrogonác.
2397
2398         * CMakeLists.txt: Don't pass version-script option to ld on Darwin because this platform's linker
2399         doesn't support this option.
2400
2401 2015-12-08  Alberto Garcia  <berto@igalia.com>
2402
2403         Unreviewed. Use pageSize() instead of getpagesize() after r193648
2404
2405         * interpreter/JSStack.cpp:
2406         (JSC::commitSize):
2407
2408 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
2409
2410         Small style fixes in B3MoveConstants.cpp
2411         https://bugs.webkit.org/show_bug.cgi?id=151980
2412
2413         Reviewed by Benjamin Poulain.
2414
2415         * b3/B3MoveConstants.cpp:
2416
2417 2015-12-07  Benjamin Poulain  <bpoulain@apple.com>
2418
2419         [JSC] On x86, we should XOR registers instead of moving a zero immediate
2420         https://bugs.webkit.org/show_bug.cgi?id=151977
2421
2422         Reviewed by Filip Pizlo.
2423
2424         It is smaller and the frontend has special support
2425         for xor.
2426
2427         * assembler/MacroAssemblerX86Common.h:
2428         (JSC::MacroAssemblerX86Common::move):
2429         (JSC::MacroAssemblerX86Common::signExtend32ToPtr):
2430
2431 2015-12-07  Benjamin Poulain  <bpoulain@apple.com>
2432
2433         Fix a typo from r193683
2434
2435         * ftl/FTLCommonValues.cpp:
2436         (JSC::FTL::CommonValues::CommonValues):
2437
2438 2015-12-07  Benjamin Poulain  <bpoulain@apple.com>
2439
2440         [JSC] Add Float support to B3
2441         https://bugs.webkit.org/show_bug.cgi?id=151974
2442
2443         Reviewed by Filip Pizlo.
2444
2445         This patch adds comprehensive float support to B3.
2446
2447         The new phase reduceDoubleToFloat() gives us a primitive
2448         version of what LLVM was giving us on floats.
2449         It needs to support conversions across Phis but that can
2450         be added later.
2451
2452         * CMakeLists.txt:
2453         * JavaScriptCore.xcodeproj/project.pbxproj:
2454         * assembler/MacroAssembler.h:
2455         (JSC::MacroAssembler::moveDoubleConditionallyFloat):
2456         * assembler/MacroAssemblerX86Common.h:
2457         (JSC::MacroAssemblerX86Common::sqrtFloat):
2458         (JSC::MacroAssemblerX86Common::loadFloat):
2459         (JSC::MacroAssemblerX86Common::storeFloat):
2460         (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
2461         (JSC::MacroAssemblerX86Common::convertFloatToDouble):
2462         (JSC::MacroAssemblerX86Common::addFloat):
2463         (JSC::MacroAssemblerX86Common::divFloat):
2464         (JSC::MacroAssemblerX86Common::subFloat):
2465         (JSC::MacroAssemblerX86Common::mulFloat):
2466         (JSC::MacroAssemblerX86Common::branchDouble):
2467         (JSC::MacroAssemblerX86Common::branchFloat):
2468         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2469         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2470         (JSC::MacroAssemblerX86Common::jumpAfterFloatingPointCompare):
2471         (JSC::MacroAssemblerX86Common::moveConditionallyAfterFloatingPointCompare):
2472         * assembler/X86Assembler.h:
2473         (JSC::X86Assembler::addss_rr):
2474         (JSC::X86Assembler::addss_mr):
2475         (JSC::X86Assembler::cvtsd2ss_mr):
2476         (JSC::X86Assembler::cvtss2sd_mr):
2477         (JSC::X86Assembler::movss_rm):
2478         (JSC::X86Assembler::movss_mr):
2479         (JSC::X86Assembler::mulss_rr):
2480         (JSC::X86Assembler::mulss_mr):
2481         (JSC::X86Assembler::subss_rr):
2482         (JSC::X86Assembler::subss_mr):
2483         (JSC::X86Assembler::ucomiss_rr):
2484         (JSC::X86Assembler::ucomiss_mr):
2485         (JSC::X86Assembler::divss_rr):
2486         (JSC::X86Assembler::divss_mr):
2487         (JSC::X86Assembler::sqrtss_rr):
2488         (JSC::X86Assembler::sqrtss_mr):
2489         * b3/B3Const32Value.cpp:
2490         (JSC::B3::Const32Value::bitwiseCastConstant):
2491         * b3/B3Const32Value.h:
2492         * b3/B3ConstDoubleValue.cpp:
2493         (JSC::B3::ConstDoubleValue::doubleToFloatConstant):
2494         (JSC::B3::ConstDoubleValue::sqrtConstant):
2495         * b3/B3ConstDoubleValue.h:
2496         * b3/B3ConstFloatValue.cpp: Added.
2497         (JSC::B3::ConstFloatValue::~ConstFloatValue):
2498         (JSC::B3::ConstFloatValue::negConstant):
2499         (JSC::B3::ConstFloatValue::addConstant):
2500         (JSC::B3::ConstFloatValue::subConstant):
2501         (JSC::B3::ConstFloatValue::mulConstant):
2502         (JSC::B3::ConstFloatValue::bitwiseCastConstant):
2503         (JSC::B3::ConstFloatValue::floatToDoubleConstant):
2504         (JSC::B3::ConstFloatValue::sqrtConstant):
2505         (JSC::B3::ConstFloatValue::divConstant):
2506         (JSC::B3::ConstFloatValue::equalConstant):
2507         (JSC::B3::ConstFloatValue::notEqualConstant):
2508         (JSC::B3::ConstFloatValue::lessThanConstant):
2509         (JSC::B3::ConstFloatValue::greaterThanConstant):
2510         (JSC::B3::ConstFloatValue::lessEqualConstant):
2511         (JSC::B3::ConstFloatValue::greaterEqualConstant):
2512         (JSC::B3::ConstFloatValue::dumpMeta):
2513         * b3/B3ConstFloatValue.h: Copied from Source/JavaScriptCore/b3/B3ConstDoubleValue.h.
2514         * b3/B3Generate.cpp:
2515         (JSC::B3::generateToAir):
2516         * b3/B3LowerToAir.cpp:
2517         (JSC::B3::Air::LowerToAir::tryOpcodeForType):
2518         (JSC::B3::Air::LowerToAir::opcodeForType):
2519         (JSC::B3::Air::LowerToAir::appendUnOp):
2520         (JSC::B3::Air::LowerToAir::appendBinOp):
2521         (JSC::B3::Air::LowerToAir::appendShift):
2522         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
2523         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
2524         (JSC::B3::Air::LowerToAir::moveForType):
2525         (JSC::B3::Air::LowerToAir::relaxedMoveForType):
2526         (JSC::B3::Air::LowerToAir::createGenericCompare):
2527         (JSC::B3::Air::LowerToAir::createBranch):
2528         (JSC::B3::Air::LowerToAir::createCompare):
2529         (JSC::B3::Air::LowerToAir::createSelect):
2530         (JSC::B3::Air::LowerToAir::lower):
2531         * b3/B3MemoryValue.cpp:
2532         (JSC::B3::MemoryValue::accessByteSize): Deleted.
2533         * b3/B3MemoryValue.h:
2534         * b3/B3MoveConstants.cpp:
2535         * b3/B3Opcode.cpp:
2536         (WTF::printInternal):
2537         * b3/B3Opcode.h:
2538         * b3/B3Procedure.cpp:
2539         (JSC::B3::Procedure::addIntConstant):
2540         * b3/B3ReduceDoubleToFloat.cpp: Added.
2541         (JSC::B3::reduceDoubleToFloat):
2542         * b3/B3ReduceDoubleToFloat.h: Copied from Source/JavaScriptCore/b3/B3Type.cpp.
2543         * b3/B3ReduceStrength.cpp:
2544         * b3/B3Type.cpp:
2545         (WTF::printInternal):
2546         * b3/B3Type.h:
2547         (JSC::B3::isFloat):
2548         (JSC::B3::sizeofType):
2549         * b3/B3Validate.cpp:
2550         * b3/B3Value.cpp:
2551         (JSC::B3::Value::doubleToFloatConstant):
2552         (JSC::B3::Value::floatToDoubleConstant):
2553         (JSC::B3::Value::sqrtConstant):
2554         (JSC::B3::Value::asTriState):
2555         (JSC::B3::Value::effects):
2556         (JSC::B3::Value::key):
2557         (JSC::B3::Value::checkOpcode):
2558         (JSC::B3::Value::typeFor):
2559         * b3/B3Value.h:
2560         * b3/B3ValueInlines.h:
2561         (JSC::B3::Value::isConstant):
2562         (JSC::B3::Value::hasFloat):
2563         (JSC::B3::Value::asFloat):
2564         (JSC::B3::Value::hasNumber):
2565         (JSC::B3::Value::isNegativeZero):
2566         (JSC::B3::Value::representableAs):
2567         (JSC::B3::Value::asNumber):
2568         * b3/B3ValueKey.cpp:
2569         (JSC::B3::ValueKey::materialize):
2570         * b3/B3ValueKey.h:
2571         (JSC::B3::ValueKey::ValueKey):
2572         (JSC::B3::ValueKey::floatValue):
2573         * b3/air/AirArg.h:
2574         (JSC::B3::Air::Arg::typeForB3Type):
2575         (JSC::B3::Air::Arg::widthForB3Type):
2576         * b3/air/AirFixPartialRegisterStalls.cpp:
2577         * b3/air/AirOpcode.opcodes:
2578         * b3/testb3.cpp:
2579         (JSC::B3::testAddArgFloat):
2580         (JSC::B3::testAddArgsFloat):
2581         (JSC::B3::testAddArgImmFloat):
2582         (JSC::B3::testAddImmArgFloat):
2583         (JSC::B3::testAddImmsFloat):
2584         (JSC::B3::testAddArgFloatWithUselessDoubleConversion):
2585         (JSC::B3::testAddArgsFloatWithUselessDoubleConversion):
2586         (JSC::B3::testAddArgsFloatWithEffectfulDoubleConversion):
2587         (JSC::B3::testMulArgFloat):
2588         (JSC::B3::testMulArgsFloat):
2589         (JSC::B3::testMulArgImmFloat):
2590         (JSC::B3::testMulImmArgFloat):
2591         (JSC::B3::testMulImmsFloat):
2592         (JSC::B3::testMulArgFloatWithUselessDoubleConversion):
2593         (JSC::B3::testMulArgsFloatWithUselessDoubleConversion):
2594         (JSC::B3::testMulArgsFloatWithEffectfulDoubleConversion):
2595         (JSC::B3::testDivArgFloat):
2596         (JSC::B3::testDivArgsFloat):
2597         (JSC::B3::testDivArgImmFloat):
2598         (JSC::B3::testDivImmArgFloat):
2599         (JSC::B3::testDivImmsFloat):
2600         (JSC::B3::testDivArgFloatWithUselessDoubleConversion):
2601         (JSC::B3::testDivArgsFloatWithUselessDoubleConversion):
2602         (JSC::B3::testDivArgsFloatWithEffectfulDoubleConversion):
2603         (JSC::B3::testSubArgFloat):
2604         (JSC::B3::testSubArgsFloat):
2605         (JSC::B3::testSubArgImmFloat):
2606         (JSC::B3::testSubImmArgFloat):
2607         (JSC::B3::testSubImmsFloat):
2608         (JSC::B3::testSubArgFloatWithUselessDoubleConversion):
2609         (JSC::B3::testSubArgsFloatWithUselessDoubleConversion):
2610         (JSC::B3::testSubArgsFloatWithEffectfulDoubleConversion):
2611         (JSC::B3::testClzMem32):
2612         (JSC::B3::testSqrtArg):
2613         (JSC::B3::testSqrtImm):
2614         (JSC::B3::testSqrtMem):
2615         (JSC::B3::testSqrtArgWithUselessDoubleConversion):
2616         (JSC::B3::testSqrtArgWithEffectfulDoubleConversion):
2617         (JSC::B3::testDoubleArgToInt64BitwiseCast):
2618         (JSC::B3::testDoubleImmToInt64BitwiseCast):
2619         (JSC::B3::testTwoBitwiseCastOnDouble):
2620         (JSC::B3::testBitwiseCastOnDoubleInMemory):
2621         (JSC::B3::testInt64BArgToDoubleBitwiseCast):
2622         (JSC::B3::testInt64BImmToDoubleBitwiseCast):
2623         (JSC::B3::testTwoBitwiseCastOnInt64):
2624         (JSC::B3::testBitwiseCastOnInt64InMemory):
2625         (JSC::B3::testFloatImmToInt32BitwiseCast):
2626         (JSC::B3::testBitwiseCastOnFloatInMemory):
2627         (JSC::B3::testInt32BArgToFloatBitwiseCast):
2628         (JSC::B3::testInt32BImmToFloatBitwiseCast):
2629         (JSC::B3::testTwoBitwiseCastOnInt32):
2630         (JSC::B3::testBitwiseCastOnInt32InMemory):
2631         (JSC::B3::testConvertDoubleToFloatArg):
2632         (JSC::B3::testConvertDoubleToFloatImm):
2633         (JSC::B3::testConvertDoubleToFloatMem):
2634         (JSC::B3::testConvertFloatToDoubleArg):
2635         (JSC::B3::testConvertFloatToDoubleImm):
2636         (JSC::B3::testConvertFloatToDoubleMem):
2637         (JSC::B3::testConvertDoubleToFloatToDoubleToFloat):
2638         (JSC::B3::testLoadFloatConvertDoubleConvertFloatStoreFloat):
2639         (JSC::B3::testFroundArg):
2640         (JSC::B3::testFroundMem):
2641         (JSC::B3::testStore32):
2642         (JSC::B3::modelLoad):
2643         (JSC::B3::float>):
2644         (JSC::B3::double>):
2645         (JSC::B3::testLoad):
2646         (JSC::B3::testStoreFloat):
2647         (JSC::B3::testReturnFloat):
2648         (JSC::B3::simpleFunctionFloat):
2649         (JSC::B3::testCallSimpleFloat):
2650         (JSC::B3::functionWithHellaFloatArguments):
2651         (JSC::B3::testCallFunctionWithHellaFloatArguments):
2652         (JSC::B3::testSelectCompareFloat):
2653         (JSC::B3::testSelectCompareFloatToDouble):
2654         (JSC::B3::testSelectDoubleCompareFloat):
2655         (JSC::B3::testSelectFloatCompareFloat):
2656         (JSC::B3::populateWithInterestingValues):
2657         (JSC::B3::floatingPointOperands):
2658         (JSC::B3::int64Operands):
2659         (JSC::B3::run):
2660         (JSC::B3::testStore): Deleted.
2661         (JSC::B3::posInfinity): Deleted.
2662         (JSC::B3::negInfinity): Deleted.
2663         (JSC::B3::doubleOperands): Deleted.
2664         * ftl/FTLB3Output.cpp:
2665         (JSC::FTL::Output::loadFloatToDouble):
2666         * ftl/FTLB3Output.h:
2667         (JSC::FTL::Output::fround):
2668         * ftl/FTLCommonValues.cpp:
2669         (JSC::FTL::CommonValues::CommonValues):
2670         * ftl/FTLCommonValues.h:
2671
2672 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
2673
2674         FTL B3 should be able to flag the tag constants as being super important so that B3 can hoist them and Air can force them into registers
2675         https://bugs.webkit.org/show_bug.cgi?id=151955
2676
2677         Reviewed by Geoffrey Garen.
2678
2679         Taught B3 about the concept of "fast constants". A client of B3 can now tell B3 which
2680         constants are super important. B3 will not spill the constant in that case and will ensure
2681         that the constant is materialized only once: statically once, and dynamically once per
2682         procedure execution. The hoistFastConstants() algorithm in B3MoveConstants.cpp achieves this
2683         by first picking the lowest common dominator of all uses of each fast constant, and then
2684         picking the materialization point by finding the lowest dominator of that dominator that is
2685         tied for lowest block frequency. In practice, the second step ensures that this is the lowest
2686         point in the program that is not in a loop (i.e. executes no more than once dynamically per
2687         procedure invocation).
2688
2689         Taught Air about the concept of "fast tmps". B3 tells Air that a tmp is fast if it is used to
2690         hold the materialization of a fast constant. IRC will use the lowest possible spill score for
2691         fast tmps. In practice, this ensures that fast constants are never spilled.
2692
2693         Added a small snippet of code to FTL::LowerDFGToLLVM that makes both of the tag constants
2694         into fast constants.
2695
2696         My hope is that this very brute-force heuristic is good enough that we don't have to think
2697         about constants for a while. Based on my experience with how LLVM's constant hoisting works
2698         out, the heuristic in this patch is going to be tough to beat. LLVM's constant hoisting does
2699         good things when it hoists the tags, and usually causes nothing but problems when it hoists
2700         anything else. This is because there is no way for a low-level compiler to really understand
2701         a constant materialization impacts some operation's contribution to the overall execution
2702         time of a procedure. But, in the FTL we know that constant materializations for type checks
2703         are a bummer because we are super comfortable placing type checks on the hottest of paths. So
2704         those are the last paths where extra instructions should be added by the compiler. On the
2705         other hand, all other large constant uses are on relatively cold paths, or paths that are
2706         already expensive for other reasons. For example, global variable accesses have to
2707         materialize a pointer to the global. But that's not really a big deal, since a load from a
2708         global involves first the load itself and then type checks on the result - so probably the
2709         constant materialization is just not interesting. A store to a global often involves a store
2710         barrier, so the constant materialization is really not interesting. This patch codifies this
2711         heuristic in a pact between Air, B3, and the FTL: FTL demands that B3 pin the two tags in
2712         registers, and B3 relays the demand to Air.
2713
2714         * JavaScriptCore.xcodeproj/project.pbxproj:
2715         * b3/B3CFG.h: Added.
2716         (JSC::B3::CFG::CFG):
2717         (JSC::B3::CFG::root):
2718         (JSC::B3::CFG::newMap):
2719         (JSC::B3::CFG::successors):
2720         (JSC::B3::CFG::predecessors):
2721         (JSC::B3::CFG::index):
2722         (JSC::B3::CFG::node):
2723         (JSC::B3::CFG::numNodes):
2724         (JSC::B3::CFG::dump):
2725         * b3/B3Dominators.h: Added.
2726         (JSC::B3::Dominators::Dominators):
2727         * b3/B3IndexMap.h:
2728         (JSC::B3::IndexMap::resize):
2729         (JSC::B3::IndexMap::size):
2730         (JSC::B3::IndexMap::operator[]):
2731         * b3/B3LowerMacros.cpp:
2732         * b3/B3LowerToAir.cpp:
2733         (JSC::B3::Air::LowerToAir::tmp):
2734         * b3/B3MoveConstants.cpp:
2735         * b3/B3Opcode.h:
2736         (JSC::B3::constPtrOpcode):
2737         (JSC::B3::isConstant):
2738         * b3/B3Procedure.cpp:
2739         (JSC::B3::Procedure::Procedure):
2740         (JSC::B3::Procedure::resetReachability):
2741         (JSC::B3::Procedure::invalidateCFG):
2742         (JSC::B3::Procedure::dump):
2743         (JSC::B3::Procedure::deleteValue):
2744         (JSC::B3::Procedure::dominators):
2745         (JSC::B3::Procedure::addFastConstant):
2746         (JSC::B3::Procedure::isFastConstant):
2747         (JSC::B3::Procedure::addDataSection):
2748         * b3/B3Procedure.h:
2749         (JSC::B3::Procedure::size):
2750         (JSC::B3::Procedure::cfg):
2751         (JSC::B3::Procedure::setLastPhaseName):
2752         * b3/B3ReduceStrength.cpp:
2753         * b3/B3ValueInlines.h:
2754         (JSC::B3::Value::isConstant):
2755         (JSC::B3::Value::isInteger):
2756         * b3/B3ValueKey.h:
2757         (JSC::B3::ValueKey::canMaterialize):
2758         (JSC::B3::ValueKey::isConstant):
2759         * b3/air/AirCode.cpp:
2760         (JSC::B3::Air::Code::findNextBlock):
2761         (JSC::B3::Air::Code::addFastTmp):
2762         * b3/air/AirCode.h:
2763         (JSC::B3::Air::Code::specials):
2764         (JSC::B3::Air::Code::isFastTmp):
2765         (JSC::B3::Air::Code::setLastPhaseName):
2766         * b3/air/AirIteratedRegisterCoalescing.cpp:
2767         * dfg/DFGDominators.h:
2768         * dfg/DFGSSACalculator.cpp:
2769         * ftl/FTLLowerDFGToLLVM.cpp:
2770         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2771
2772 2015-12-07  Andy VanWagoner  <thetalecrafter@gmail.com>
2773
2774         [INTL] Implement String.prototype.toLocaleUpperCase in ECMA-402
2775         https://bugs.webkit.org/show_bug.cgi?id=147609
2776
2777         Reviewed by Benjamin Poulain.
2778
2779         Refactor most of toLocaleLowerCase into a static function used by both
2780         toLocaleUpperCase and toLocaleLowerCase.
2781         Add toLocaleUpperCase using icu u_strToUpper.
2782
2783         * runtime/StringPrototype.cpp:
2784         (JSC::StringPrototype::finishCreation):
2785         (JSC::toLocaleCase):
2786         (JSC::stringProtoFuncToLocaleLowerCase):
2787         (JSC::stringProtoFuncToLocaleUpperCase):
2788
2789 2015-12-07  Michael Saboff  <msaboff@apple.com>
2790
2791         CRASH: CodeBlock::setOptimizationThresholdBasedOnCompilationResult + 567
2792         https://bugs.webkit.org/show_bug.cgi?id=151892
2793
2794         Reviewed by Geoffrey Garen.
2795
2796         Reverted the change made in change set r193491.
2797
2798         The updated change is to finish all concurrent compilations and install the resulting
2799         code blocks before we make any state changes due to debugger activity.  After all code
2800         blocks have been installed, we make the debugger state changes, including jettisoning
2801         all optimized code blocks.
2802
2803         This means that we will discard the optimized code blocks we just installed,
2804         but we won't do that while on the install code block path.
2805
2806         * bytecode/CodeBlock.cpp:
2807         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): Reverted r193491.
2808         * debugger/Debugger.cpp:
2809         (JSC::Debugger::setSteppingMode):
2810         (JSC::Debugger::registerCodeBlock):
2811         (JSC::Debugger::toggleBreakpoint):
2812         (JSC::Debugger::clearBreakpoints):
2813         (JSC::Debugger::clearDebuggerRequests):
2814         Call Heap::completeAllDFGPlans() before updating code blocks for debugging changes.
2815
2816         * heap/Heap.h: Made completeAllDFGPlans() public.
2817
2818 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
2819
2820         FTL lowering should tell B3 the right block frequencies
2821         https://bugs.webkit.org/show_bug.cgi?id=151531
2822
2823         Reviewed by Geoffrey Garen.
2824
2825         This glues together the DFG's view of basic block execution counts and B3's block frequencies.
2826         This further improves our performance on imaging-gaussian-blur. It appears to improve the steady
2827         state throughput by almost 4%.
2828
2829         * ftl/FTLB3Output.h:
2830         (JSC::FTL::Output::setFrequency):
2831         (JSC::FTL::Output::newBlock):
2832         (JSC::FTL::Output::insertNewBlocksBefore):
2833         (JSC::FTL::Output::callWithoutSideEffects):
2834         * ftl/FTLLowerDFGToLLVM.cpp:
2835         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2836         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock):
2837         * ftl/FTLOutput.h:
2838         (JSC::FTL::Output::setFrequency):
2839         (JSC::FTL::Output::insertNewBlocksBefore):
2840
2841 2015-12-07  Saam barati  <sbarati@apple.com>
2842
2843         Update JSC feature list for rest parameters and generators
2844         https://bugs.webkit.org/show_bug.cgi?id=151740
2845
2846         Reviewed by Joseph Pecoraro.
2847
2848         * features.json:
2849
2850 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
2851
2852         DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure).
2853         https://bugs.webkit.org/show_bug.cgi?id=151952
2854
2855         Reviewed by Mark Lam.
2856
2857         Fix a bug revealed by the new ftl-has-a-bad-time.js test. It turns out that our handling of
2858         structures reachable from the compiler wasn't accounting for having a bad time.
2859
2860         * dfg/DFGStructureRegistrationPhase.cpp:
2861         (JSC::DFG::StructureRegistrationPhase::run):
2862
2863 2015-12-07  Saam barati  <sbarati@apple.com>
2864
2865         Add op_watchdog opcode that is generated when VM has a watchdog
2866         https://bugs.webkit.org/show_bug.cgi?id=151954
2867
2868         Reviewed by Mark Lam.
2869
2870         This patch also makes watchdog a private member
2871         of VM and adds a getter function.
2872
2873         * API/JSContextRef.cpp:
2874         (JSContextGroupClearExecutionTimeLimit):
2875         * bytecode/BytecodeList.json:
2876         * bytecode/BytecodeUseDef.h:
2877         (JSC::computeUsesForBytecodeOffset):
2878         (JSC::computeDefsForBytecodeOffset):
2879         * bytecode/CodeBlock.cpp:
2880         (JSC::CodeBlock::dumpBytecode):
2881         * bytecompiler/BytecodeGenerator.cpp:
2882         (JSC::BytecodeGenerator::emitLoopHint):
2883         (JSC::BytecodeGenerator::emitWatchdog):
2884         (JSC::BytecodeGenerator::retrieveLastBinaryOp):
2885         * bytecompiler/BytecodeGenerator.h:
2886         * dfg/DFGByteCodeParser.cpp:
2887         (JSC::DFG::ByteCodeParser::parseBlock):
2888         * dfg/DFGCapabilities.cpp:
2889         (JSC::DFG::capabilityLevel):
2890         * dfg/DFGSpeculativeJIT32_64.cpp:
2891         (JSC::DFG::SpeculativeJIT::compile):
2892         * dfg/DFGSpeculativeJIT64.cpp:
2893         (JSC::DFG::SpeculativeJIT::compile):
2894         * ftl/FTLLowerDFGToLLVM.cpp:
2895         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
2896         * jit/JIT.cpp:
2897         (JSC::JIT::privateCompileMainPass):
2898         (JSC::JIT::privateCompileSlowCases):
2899         * jit/JIT.h:
2900         * jit/JITOpcodes.cpp:
2901         (JSC::JIT::emit_op_loop_hint):
2902         (JSC::JIT::emitSlow_op_loop_hint):
2903         (JSC::JIT::emit_op_watchdog):
2904         (JSC::JIT::emitSlow_op_watchdog):
2905         (JSC::JIT::emit_op_new_regexp):
2906         * llint/LLIntSlowPaths.cpp:
2907         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2908         * llint/LowLevelInterpreter.asm:
2909         * runtime/VM.cpp:
2910         (JSC::VM::ensureWatchdog):
2911         * runtime/VM.h:
2912         (JSC::VM::watchdog):
2913         * runtime/VMEntryScope.cpp:
2914         (JSC::VMEntryScope::VMEntryScope):
2915         (JSC::VMEntryScope::~VMEntryScope):
2916         * runtime/VMInlines.h:
2917         (JSC::VM::shouldTriggerTermination):
2918
2919 2015-12-07  Alberto Garcia  <berto@igalia.com>
2920
2921         Crashes on PPC64 due to mprotect() on address not aligned to the page size
2922         https://bugs.webkit.org/show_bug.cgi?id=130237
2923
2924         Reviewed by Mark Lam.
2925
2926         Make sure that commitSize is at least as big as the page size.
2927
2928         * interpreter/JSStack.cpp:
2929         (JSC::commitSize):
2930         (JSC::JSStack::JSStack):
2931         (JSC::JSStack::growSlowCase):
2932         * interpreter/JSStack.h:
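
        The page-size requirement described in the entry above, as an added C example that is not
        JSC's own code: commitSize(), roundUpToPage(), isValidProtectRange() and commitStackChunk()
        are hypothetical names, and REQUESTED_COMMIT_SIZE stands in for a configurable commit size.
        The example rounds the commit granularity up to whole pages (so a 16 KiB setting becomes
        64 KiB on a 64 KiB-page PPC64 system) and refuses to call mprotect() on a range that is
        not page-aligned instead of letting the kernel reject it.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical tunable standing in for a configurable stack commit size.
 * 16 KiB is a whole number of 4 KiB pages on x86, but is smaller than the
 * 64 KiB pages commonly used on PPC64, where passing it to mprotect() fails. */
#define REQUESTED_COMMIT_SIZE (16 * 1024)

/* Round a byte count up to a multiple of pageSize (pageSize must be a power of two). */
size_t roundUpToPage(size_t bytes, size_t pageSize)
{
    return (bytes + pageSize - 1) & ~(pageSize - 1);
}

/* Commit granularity: never smaller than one page, and always a whole number of pages. */
size_t commitSize(size_t requested, size_t pageSize)
{
    if (requested < pageSize)
        return pageSize;
    return roundUpToPage(requested, pageSize);
}

/* Returns 1 if [addr, addr + len) is acceptable to mprotect(): page-aligned start
 * and a non-zero length that covers whole pages. */
int isValidProtectRange(uintptr_t addr, size_t len, size_t pageSize)
{
    return (addr % pageSize) == 0 && len > 0 && (len % pageSize) == 0;
}

/* Make the first `commit` bytes of a PROT_NONE reservation readable and writable.
 * Returns 0 on success, -1 if the range is unaligned or mprotect() fails. */
int commitStackChunk(void* base, size_t commit, size_t pageSize)
{
    if (!isValidProtectRange((uintptr_t)base, commit, pageSize))
        return -1;
    return mprotect(base, commit, PROT_READ | PROT_WRITE);
}

/* Reserve four commit units with no access, commit the first one, touch it, unmap.
 * Returns 0 on success, -1 on failure. */
int demo(void)
{
    size_t pageSize = (size_t)sysconf(_SC_PAGESIZE);
    size_t commit = commitSize(REQUESTED_COMMIT_SIZE, pageSize);
    size_t reserve = commit * 4;

    void* base = mmap(NULL, reserve, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;

    int rc = commitStackChunk(base, commit, pageSize);
    if (rc == 0)
        ((volatile char*)base)[0] = 1; /* the committed page must be writable now */

    munmap(base, reserve);
    return rc;
}

int main(void)
{
    size_t pageSize = (size_t)sysconf(_SC_PAGESIZE);
    printf("page size %zu, requested commit %d, effective commit %zu\n",
        pageSize, REQUESTED_COMMIT_SIZE, commitSize(REQUESTED_COMMIT_SIZE, pageSize));
    printf("demo: %s\n", demo() == 0 ? "ok" : "failed");
    return 0;
}
```

        The range check is deliberately separate from the rounding: rounding fixes the length, but a
        base address that is not itself page-aligned would still make mprotect() fail with EINVAL, so
        the wrapper validates both before touching the mapping.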
2933
2934 2015-12-06  Filip Pizlo  <fpizlo@apple.com>
2935
2936         FTL B3 should be able to make JS->JS calls
2937         https://bugs.webkit.org/show_bug.cgi?id=151901
2938
2939         Reviewed by Saam Barati.
2940
2941         This adds support for the Call and InvalidationPoint opcodes in DFG IR. This required doing some
2942         clean-up in the OSR exit code. We don't want the B3 FTL to use a bunch of vectors to hold
2943         side-state, so the use of OSRExitDescriptorImpl is not right. It makes sense in the LLVM FTL
2944         because that code needs some way of saving some state from LowerDFGToLLVM to compile(), but
2945         that's not how B3 FTL works. It turns out that for B3 FTL, there isn't anything in
2946         OSRExitDescriptorImpl that the code in LowerDFGToLLVM can't just capture in a lambda.
2947
2948         This also simplifies some stackmap-related APIs, since I got tired of writing boilerplate.
2949
2950         * CMakeLists.txt:
2951         * JavaScriptCore.xcodeproj/project.pbxproj:
2952         * assembler/AbstractMacroAssembler.h:
2953         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
2954         (JSC::AbstractMacroAssembler::addLinkTask):
2955         * b3/B3CheckSpecial.cpp:
2956         (JSC::B3::CheckSpecial::generate):
2957         * b3/B3Effects.h:
2958         * b3/B3PatchpointSpecial.cpp:
2959         (JSC::B3::PatchpointSpecial::generate):
2960         * b3/B3Procedure.cpp:
2961         (JSC::B3::Procedure::addDataSection):
2962         (JSC::B3::Procedure::callArgAreaSize):
2963         (JSC::B3::Procedure::requestCallArgAreaSize):
2964         (JSC::B3::Procedure::frameSize):
2965         * b3/B3Procedure.h:
2966         (JSC::B3::Procedure::releaseByproducts):
2967         (JSC::B3::Procedure::code):
2968         * b3/B3StackmapGenerationParams.cpp: Added.
2969         (JSC::B3::StackmapGenerationParams::usedRegisters):
2970         (JSC::B3::StackmapGenerationParams::proc):
2971         (JSC::B3::StackmapGenerationParams::StackmapGenerationParams):
2972         * b3/B3StackmapGenerationParams.h: Added.
2973         (JSC::B3::StackmapGenerationParams::value):
2974         (JSC::B3::StackmapGenerationParams::reps):
2975         (JSC::B3::StackmapGenerationParams::size):
2976         (JSC::B3::StackmapGenerationParams::at):
2977         (JSC::B3::StackmapGenerationParams::operator[]):
2978         (JSC::B3::StackmapGenerationParams::begin):
2979         (JSC::B3::StackmapGenerationParams::end):
2980         (JSC::B3::StackmapGenerationParams::context):
2981         (JSC::B3::StackmapGenerationParams::addLatePath):
2982         * b3/B3StackmapValue.h:
2983         * b3/B3ValueRep.h:
2984         (JSC::B3::ValueRep::doubleValue):
2985         (JSC::B3::ValueRep::withOffset):
2986         * b3/air/AirGenerationContext.h:
2987         * b3/testb3.cpp:
2988         (JSC::B3::testSimplePatchpoint):
2989         (JSC::B3::testSimplePatchpointWithoutOuputClobbersGPArgs):
2990         (JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs):
2991         (JSC::B3::testSimplePatchpointWithoutOuputClobbersFPArgs):
2992         (JSC::B3::testSimplePatchpointWithOuputClobbersFPArgs):
2993         (JSC::B3::testPatchpointWithEarlyClobber):
2994         (JSC::B3::testPatchpointCallArg):
2995         (JSC::B3::testPatchpointFixedRegister):
2996         (JSC::B3::testPatchpointAny):
2997         (JSC::B3::testPatchpointLotsOfLateAnys):
2998         (JSC::B3::testPatchpointAnyImm):
2999         (JSC::B3::testPatchpointManyImms):
3000         (JSC::B3::testPatchpointWithRegisterResult):
3001         (JSC::B3::testPatchpointWithStackArgumentResult):
3002         (JSC::B3::testPatchpointWithAnyResult):
3003         (JSC::B3::testSimpleCheck):
3004         (JSC::B3::testCheckLessThan):
3005         (JSC::B3::testCheckMegaCombo):
3006         (JSC::B3::testCheckAddImm):
3007         (JSC::B3::testCheckAddImmCommute):
3008         (JSC::B3::testCheckAddImmSomeRegister):
3009         (JSC::B3::testCheckAdd):
3010         (JSC::B3::testCheckAdd64):
3011         (JSC::B3::testCheckSubImm):
3012         (JSC::B3::testCheckSubBadImm):
3013         (JSC::B3::testCheckSub):
3014         (JSC::B3::testCheckSub64):
3015         (JSC::B3::testCheckNeg):
3016         (JSC::B3::testCheckNeg64):
3017         (JSC::B3::testCheckMul):
3018         (JSC::B3::testCheckMulMemory):
3019         (JSC::B3::testCheckMul2):
3020         (JSC::B3::testCheckMul64):
3021         (JSC::B3::genericTestCompare):
3022         * ftl/FTLExceptionHandlerManager.cpp:
3023         * ftl/FTLExceptionHandlerManager.h:
3024         * ftl/FTLJSCall.cpp:
3025         * ftl/FTLJSCall.h:
3026         * ftl/FTLJSCallBase.cpp:
3027         (JSC::FTL::JSCallBase::emit):
3028         * ftl/FTLJSCallBase.h:
3029         * ftl/FTLJSCallVarargs.cpp:
3030         * ftl/FTLJSCallVarargs.h:
3031         * ftl/FTLJSTailCall.cpp:
3032         (JSC::FTL::DFG::getRegisterWithAddend):
3033         (JSC::FTL::JSTailCall::emit):
3034         (JSC::FTL::JSTailCall::JSTailCall): Deleted.
3035         * ftl/FTLJSTailCall.h:
3036         (JSC::FTL::JSTailCall::stackmapID):
3037         (JSC::FTL::JSTailCall::estimatedSize):
3038         (JSC::FTL::JSTailCall::operator<):
3039         (JSC::FTL::JSTailCall::patchpoint): Deleted.
3040         * ftl/FTLLowerDFGToLLVM.cpp:
3041         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
3042         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
3043         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3044         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
3045         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
3046         (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException):
3047         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
3048         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
3049         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
3050         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
3051         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
3052         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
3053         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
3054         * ftl/FTLOSRExit.cpp:
3055         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
3056         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
3057         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
3058         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
3059         (JSC::FTL::OSRExit::OSRExit):
3060         (JSC::FTL::OSRExit::codeLocationForRepatch):
3061         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot):
3062         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck):
3063         (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath):
3064         * ftl/FTLOSRExit.h:
3065         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl):
3066         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
3067         * ftl/FTLOSRExitCompiler.cpp:
3068         (JSC::FTL::compileStub):
3069         (JSC::FTL::compileFTLOSRExit):
3070         * ftl/FTLState.h:
3071
3072 2015-12-07  Saam barati  <sbarati@apple.com>
3073
3074         Rename Watchdog::didFire to Watchdog::shouldTerminate because that's what didFire really meant
3075         https://bugs.webkit.org/show_bug.cgi?id=151944
3076
3077         Reviewed by Mark Lam.
3078
3079         * interpreter/Interpreter.cpp:
3080         (JSC::Interpreter::execute):
3081         * runtime/VMInlines.h:
3082         (JSC::VM::shouldTriggerTermination):
3083         * runtime/Watchdog.cpp:
3084         (JSC::Watchdog::terminateSoon):
3085         (JSC::Watchdog::shouldTerminateSlow):
3086         (JSC::Watchdog::didFireSlow): Deleted.
3087         * runtime/Watchdog.h:
3088         (JSC::Watchdog::shouldTerminate):
3089         (JSC::Watchdog::didFire): Deleted.
3090
3091 2015-12-07  Mark Lam  <mark.lam@apple.com>
3092
3093         Rename JITBitwiseBinaryOpGenerator to JITBitBinaryOpGenerator.
3094         https://bugs.webkit.org/show_bug.cgi?id=151945
3095
3096         Reviewed by Saam Barati.
3097
3098         The lshift operator also needs to inherit from JITBitBinaryOpGenerator.  Calling
3099         it "BitBinaryOp" makes more sense than "BitwiseBinaryOp" in that case, and still
3100         makes sense for the bitand, bitor, and bitxor operators.
3101
3102         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3103         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3104         * JavaScriptCore.xcodeproj/project.pbxproj:
3105         * jit/JIT.h:
3106         * jit/JITArithmetic.cpp:
3107         (JSC::JIT::emitBitBinaryOpFastPath):
3108         (JSC::JIT::emit_op_bitand):
3109         (JSC::JIT::emitSlow_op_bitand):
3110         (JSC::JIT::emit_op_bitor):
3111         (JSC::JIT::emitSlow_op_bitor):
3112         (JSC::JIT::emit_op_bitxor):
3113         (JSC::JIT::emitSlow_op_bitxor):
3114         (JSC::JIT::emitBitwiseBinaryOpFastPath): Deleted.
3115         * jit/JITBitAndGenerator.h:
3116         (JSC::JITBitAndGenerator::JITBitAndGenerator):
3117         * jit/JITBitBinaryOpGenerator.h: Copied from Source/JavaScriptCore/jit/JITBitwiseBinaryOpGenerator.h.
3118         (JSC::JITBitBinaryOpGenerator::JITBitBinaryOpGenerator):
3119         (JSC::JITBitwiseBinaryOpGenerator::JITBitwiseBinaryOpGenerator): Deleted.
3120         * jit/JITBitOrGenerator.h:
3121         (JSC::JITBitOrGenerator::JITBitOrGenerator):
3122         * jit/JITBitXorGenerator.h:
3123         (JSC::JITBitXorGenerator::JITBitXorGenerator):
3124         * jit/JITBitwiseBinaryOpGenerator.h: Removed.
3125
3126 2015-12-07  Csaba Osztrogonác  <ossy@webkit.org>
3127
3128         [B3] Typo fix after r193386 to fix the build
3129         https://bugs.webkit.org/show_bug.cgi?id=151860
3130
3131         Reviewed by Filip Pizlo.
3132
3133         * b3/B3StackmapSpecial.cpp:
3134         (JSC::B3::StackmapSpecial::isArgValidForValue):
3135
3136 2015-12-07  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
3137
3138         [EFL] Implement scheduleTimer and cancelTimer in IncrementalSweeper class
3139         https://bugs.webkit.org/show_bug.cgi?id=151656
3140
3141         Reviewed by Csaba Osztrogonác.
3142
3143         Support IncrementalSweeper using Ecore_Timer.
3144
3145         * heap/IncrementalSweeper.cpp:
3146         (JSC::IncrementalSweeper::IncrementalSweeper):
3147         (JSC::IncrementalSweeper::scheduleTimer):
3148         (JSC::IncrementalSweeper::cancelTimer):
3149         * heap/IncrementalSweeper.h:
3150
3151 2015-12-06  Andy VanWagoner  <thetalecrafter@gmail.com>
3152
3153         [INTL] Implement String.prototype.toLocaleLowerCase in ECMA-402
3154         https://bugs.webkit.org/show_bug.cgi?id=147608
3155
3156         Reviewed by Benjamin Poulain.
3157
3158         Add toLocaleLowerCase using icu u_strToLower.
3159
3160         * runtime/IntlObject.cpp:
3161         (JSC::defaultLocale): Expose.
3162         (JSC::bestAvailableLocale): Expose.
3163         (JSC::removeUnicodeLocaleExtension): Expose.
3164         * runtime/IntlObject.h:
3165         * runtime/StringPrototype.cpp:
3166         (JSC::StringPrototype::finishCreation):
3167         (JSC::stringProtoFuncToLocaleLowerCase): Add.
3168
3169 2015-12-06  David Kilzer  <ddkilzer@apple.com>
3170
3171         REGRESSION(r193584): Causes heap use-after-free crashes in Web Inspector tests with AddressSanitizer (Requested by ddkilzer on #webkit).
3172         https://bugs.webkit.org/show_bug.cgi?id=151929
3173
3174         Reverted changeset:
3175
3176         "[ES6] "super" and "this" should be lexically bound inside an
3177         arrow function and should live in a JSLexicalEnvironment"
3178         https://bugs.webkit.org/show_bug.cgi?id=149338
3179         http://trac.webkit.org/changeset/193584
3180
3181 2015-12-06  Skachkov Oleksandr  <gskachkov@gmail.com>
3182
3183         [es6] Arrow function syntax. Fix tests after 149338 landing
3184         https://bugs.webkit.org/show_bug.cgi?id=151927
3185
3186         Reviewed by Saam Barati.
3187
3188         After landing the patch for 149338, errors appeared for ES6 Generators. The current fix removes
3189         an assert that had been removed by the patch implementing ES6 Generators.
3190  
3191         * runtime/CommonSlowPaths.cpp:
3192
3193 2015-12-05  Aleksandr Skachkov  <gskachkov@gmail.com>
3194
3195         [ES6] "super" and "this" should be lexically bound inside an arrow function and should live in a JSLexicalEnvironment
3196         https://bugs.webkit.org/show_bug.cgi?id=149338
3197
3198         Reviewed by Saam Barati.
3199
3200         Implemented a new version of the lexically bound 'this' in arrow functions. In the current version
3201         'this' is stored inside the lexical environment of the function. To store and load it we use the
3202         op_get_from_scope and op_put_to_scope operations. Also, the new implementation prevents raising a TDZ
3203         error for arrow functions that are declared before super() but invoked after it.
3204
3205         * builtins/BuiltinExecutables.cpp:
3206         (JSC::createExecutableInternal):
3207         * bytecode/BytecodeList.json:
3208         * bytecode/BytecodeUseDef.h:
3209         * bytecode/CodeBlock.cpp:
3210         (JSC::CodeBlock::dumpBytecode):
3211         * bytecode/EvalCodeCache.h:
3212         (JSC::EvalCodeCache::getSlow):
3213         * bytecode/ExecutableInfo.h:
3214         (JSC::ExecutableInfo::ExecutableInfo):
3215         (JSC::ExecutableInfo::isDerivedConstructorContext):
3216         (JSC::ExecutableInfo::isArrowFunctionContext):
3217         * bytecode/UnlinkedCodeBlock.cpp:
3218         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3219         * bytecode/UnlinkedCodeBlock.h:
3220         (JSC::UnlinkedCodeBlock::isArrowFunction):
3221         (JSC::UnlinkedCodeBlock::isDerivedConstructorContext):
3222         (JSC::UnlinkedCodeBlock::isArrowFunctionContext):
3223         * bytecode/UnlinkedFunctionExecutable.cpp:
3224         (JSC::generateUnlinkedFunctionCodeBlock):
3225         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3226         * bytecode/UnlinkedFunctionExecutable.h:
3227         * bytecompiler/BytecodeGenerator.cpp:
3228         (JSC::BytecodeGenerator::BytecodeGenerator):
3229         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
3230         (JSC::BytecodeGenerator::variable):
3231         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
3232         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
3233         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
3234         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
3235         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
3236         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
3237         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
3238         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
3239         * bytecompiler/BytecodeGenerator.h:
3240         (JSC::BytecodeGenerator::isDerivedConstructorContext):
3241         (JSC::BytecodeGenerator::usesArrowFunction):
3242         (JSC::BytecodeGenerator::needsToUpdateArrowFunctionContext):
3243         (JSC::BytecodeGenerator::usesEval):
3244         (JSC::BytecodeGenerator::usesThis):
3245         (JSC::BytecodeGenerator::newTarget):
3246         (JSC::BytecodeGenerator::makeFunction):
3247         * bytecompiler/NodesCodegen.cpp:
3248         (JSC::ThisNode::emitBytecode):
3249         (JSC::SuperNode::emitBytecode):
3250         (JSC::EvalFunctionCallNode::emitBytecode):
3251         (JSC::FunctionCallValueNode::emitBytecode):
3252         (JSC::FunctionNode::emitBytecode):
3253         * debugger/DebuggerCallFrame.cpp:
3254         (JSC::DebuggerCallFrame::evaluate):
3255         * dfg/DFGAbstractInterpreterInlines.h:
3256         * dfg/DFGByteCodeParser.cpp:
3257         (JSC::DFG::ByteCodeParser::parseBlock):
3258         * dfg/DFGCapabilities.cpp:
3259         * dfg/DFGClobberize.h:
3260         * dfg/DFGDoesGC.cpp:
3261         * dfg/DFGFixupPhase.cpp:
3262         * dfg/DFGNodeType.h:
3263         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3264         * dfg/DFGPredictionPropagationPhase.cpp:
3265         * dfg/DFGPromotedHeapLocation.cpp:
3266         * dfg/DFGPromotedHeapLocation.h:
3267         * dfg/DFGSafeToExecute.h:
3268         * dfg/DFGSpeculativeJIT.cpp:
3269         * dfg/DFGSpeculativeJIT.h:
3270         * dfg/DFGSpeculativeJIT32_64.cpp:
3271         * dfg/DFGSpeculativeJIT64.cpp:
3272         * ftl/FTLCapabilities.cpp:
3273         * ftl/FTLLowerDFGToLLVM.cpp:
3274         * ftl/FTLOperations.cpp:
3275         (JSC::FTL::operationMaterializeObjectInOSR):
3276         * interpreter/Interpreter.cpp:
3277         (JSC::eval):
3278         * jit/JIT.cpp:
3279         * jit/JIT.h:
3280         * jit/JITOpcodes.cpp:
3281         (JSC::JIT::emitNewFuncExprCommon):
3282         * jit/JITOpcodes32_64.cpp:
3283         * llint/LLIntSlowPaths.cpp:
3284         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3285         * llint/LowLevelInterpreter.asm:
3286         * llint/LowLevelInterpreter32_64.asm:
3287         * llint/LowLevelInterpreter64.asm:
3288         * parser/ASTBuilder.h:
3289         (JSC::ASTBuilder::createArrowFunctionExpr):
3290         (JSC::ASTBuilder::usesArrowFunction):
3291         * parser/Nodes.h:
3292         (JSC::ScopeNode::usesArrowFunction):
3293         * parser/Parser.cpp:
3294         (JSC::Parser<LexerType>::parseFunctionInfo):
3295         * parser/ParserModes.h:
3296         * runtime/CodeCache.cpp:
3297         (JSC::CodeCache::getGlobalCodeBlock):
3298         (JSC::CodeCache::getProgramCodeBlock):
3299         (JSC::CodeCache::getEvalCodeBlock):
3300         (JSC::CodeCache::getModuleProgramCodeBlock):
3301         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3302         * runtime/CodeCache.h:
3303         * runtime/CommonIdentifiers.h:
3304         * runtime/CommonSlowPaths.cpp:
3305         (JSC::SLOW_PATH_DECL):
3306         * runtime/Executable.cpp:
3307         (JSC::ScriptExecutable::ScriptExecutable):
3308         (JSC::EvalExecutable::create):
3309         (JSC::EvalExecutable::EvalExecutable):
3310         (JSC::ProgramExecutable::ProgramExecutable):
3311         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
3312         (JSC::FunctionExecutable::FunctionExecutable):
3313         * runtime/Executable.h:
3314         (JSC::ScriptExecutable::isArrowFunctionContext):
3315         (JSC::ScriptExecutable::isDerivedConstructorContext):
3316         * runtime/JSGlobalObject.cpp:
3317         (JSC::JSGlobalObject::createEvalCodeBlock):
3318         * runtime/JSGlobalObject.h:
3319         * runtime/JSGlobalObjectFunctions.cpp:
3320         (JSC::globalFuncEval):
3321         * tests/es6.yaml:
3322         * tests/stress/arrowfunction-activation-sink-osrexit.js:
3323         * tests/stress/arrowfunction-activation-sink.js:
3324         * tests/stress/arrowfunction-lexical-bind-newtarget.js: Added.
3325         * tests/stress/arrowfunction-lexical-bind-supercall-1.js: Added.
3326         * tests/stress/arrowfunction-lexical-bind-supercall-2.js: Added.
3327         * tests/stress/arrowfunction-lexical-bind-supercall-3.js: Added.
3328         * tests/stress/arrowfunction-lexical-bind-supercall-4.js: Added.
3329         * tests/stress/arrowfunction-lexical-bind-this-1.js:
3330         * tests/stress/arrowfunction-lexical-bind-this-7.js: Added.
3331         * tests/stress/arrowfunction-tdz-1.js: Added.
3332         * tests/stress/arrowfunction-tdz-2.js: Added.
3333         * tests/stress/arrowfunction-tdz-3.js: Added.
3334         * tests/stress/arrowfunction-tdz-4.js: Added.
3335         * tests/stress/arrowfunction-tdz.js: Removed.
3336
3337 2015-12-05  Benjamin Poulain  <bpoulain@apple.com>
3338
3339         [JSC] Remove FTLOutput's fence support
3340         https://bugs.webkit.org/show_bug.cgi?id=151909
3341
3342         Reviewed by Sam Weinig.
3343
3344         Unused code is unused.
3345
3346         * ftl/FTLB3Output.h:
3347         (JSC::FTL::Output::fence): Deleted.
3348         (JSC::FTL::Output::fenceAcqRel): Deleted.
3349         * ftl/FTLOutput.h:
3350         (JSC::FTL::Output::fence): Deleted.
3351         (JSC::FTL::Output::fenceAcqRel): Deleted.
3352
3353 2015-12-04  Benjamin Poulain  <bpoulain@apple.com>
3354
3355         [JSC] Some more cleanup of FTLB3Output
3356         https://bugs.webkit.org/show_bug.cgi?id=151834
3357
3358         Reviewed by Filip Pizlo.
3359
3360         * ftl/FTLB3Output.h:
3361         (JSC::FTL::Output::trap):
3362         (JSC::FTL::Output::stackmapIntrinsic): Deleted.
3363         (JSC::FTL::Output::frameAddressIntrinsic): Deleted.
3364         (JSC::FTL::Output::patchpointInt64Intrinsic): Deleted.
3365         (JSC::FTL::Output::patchpointVoidIntrinsic): Deleted.
3366         * ftl/FTLLowerDFGToLLVM.cpp:
3367         (JSC::FTL::DFG::LowerDFGToLLVM::probe):
3368
3369 2015-12-04  Benjamin Poulain  <bpoulain@apple.com>
3370
3371         [JSC] Fix Value::returnsBool() after r193436
3372         https://bugs.webkit.org/show_bug.cgi?id=151902
3373
3374         Reviewed by Saam Barati.
3375
3376         I forgot to carry a test from Branch and Select :(
3377
3378         * b3/B3Value.cpp:
3379         (JSC::B3::Value::returnsBool):
3380
3381 2015-12-04  Andy VanWagoner  <thetalecrafter@gmail.com>
3382
3383         [INTL] Implement Number.prototype.toLocaleString in ECMA-402
3384         https://bugs.webkit.org/show_bug.cgi?id=147610
3385
3386         Reviewed by Benjamin Poulain.
3387
3388         Add toLocaleString in builtin JavaScript that delegates formatting to Intl.NumberFormat.
3389         Keep the existing native implementation for use if the INTL flag is disabled.
3390
3391         * CMakeLists.txt: Add NumberPrototype.js.