Save and restore callee save registers in WebAssembly
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-09-17  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2
3         Save and restore callee save registers in WebAssembly
4         https://bugs.webkit.org/show_bug.cgi?id=149247
5
6         Reviewed by Michael Saboff.
7
8         Save callee save registers when entering WebAssembly functions
9         and restore them when returning.
10
11         * jit/RegisterSet.cpp:
12         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
13         * jit/RegisterSet.h:
14         * wasm/WASMFunctionCompiler.h:
15         (JSC::WASMFunctionCompiler::startFunction):
16         (JSC::WASMFunctionCompiler::endFunction):
17         (JSC::WASMFunctionCompiler::buildReturn):
18         (JSC::WASMFunctionCompiler::localAddress):
19         (JSC::WASMFunctionCompiler::temporaryAddress):
20         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer):
21         (JSC::WASMFunctionCompiler::callAndUnboxResult):
22
23 2015-09-16  Sukolsak Sakshuwong  <sukolsak@gmail.com>
24
25         Implement indirect calls in WebAssembly
26         https://bugs.webkit.org/show_bug.cgi?id=149100
27
28         Reviewed by Geoffrey Garen.
29
30         This patch implement indirect calls for WebAssembly files generated by
31         pack-asmjs <https://github.com/WebAssembly/polyfill-prototype-1>.
32         pack-asmjs uses the same indirect call model as asm.js. In asm.js, an
33         indirect call looks like this:
34             t[i & n](...)
35         where t is a variable referring to an array of functions with the same
36         signature, i is an integer expression, n is an integer that is equal to
37         (t.length - 1), and t.length is a power of two. pack-asmjs does not
38         use the '&' operator nor n in the WebAssembly output, but the semantics
39         is still the same as asm.js.
40
41         * tests/stress/wasm-calls.js:
42         * tests/stress/wasm/calls.wasm:
43         * wasm/WASMFormat.h:
44         * wasm/WASMFunctionCompiler.h:
45         (JSC::WASMFunctionCompiler::buildCallIndirect):
46         * wasm/WASMFunctionParser.cpp:
47         (JSC::WASMFunctionParser::parseExpressionI32):
48         (JSC::WASMFunctionParser::parseExpressionF32):
49         (JSC::WASMFunctionParser::parseExpressionF64):
50         (JSC::WASMFunctionParser::parseCallIndirect):
51         * wasm/WASMFunctionParser.h:
52         * wasm/WASMFunctionSyntaxChecker.h:
53         (JSC::WASMFunctionSyntaxChecker::buildCallIndirect):
54         * wasm/WASMModuleParser.cpp:
55         (JSC::WASMModuleParser::parseFunctionPointerTableSection):
56         (JSC::WASMModuleParser::parseFunctionDefinitionSection):
57
58 2015-09-16  Sukolsak Sakshuwong  <sukolsak@gmail.com>
59
60         Fix 32-bit build issues in WebAssembly
61         https://bugs.webkit.org/show_bug.cgi?id=149240
62
63         Reviewed by Geoffrey Garen.
64
65         Fix the syntax error and replace the instructions that are not available on
66         64-bit platforms.
67
68         * wasm/WASMFunctionCompiler.h:
69         (JSC::WASMFunctionCompiler::startFunction):
70         (JSC::WASMFunctionCompiler::endFunction):
71         (JSC::WASMFunctionCompiler::buildReturn):
72         (JSC::WASMFunctionCompiler::callAndUnboxResult):
73         (JSC::WASMFunctionCompiler::loadValueAndConvertToDouble):
74
75 2015-09-16  Geoffrey Garen  <ggaren@apple.com>
76
77         JavaScriptCore should discard baseline code after some time
78         https://bugs.webkit.org/show_bug.cgi?id=149220
79
80         Reviewed by Saam Barati.
81
82         This is a bit more complicated than discarding optimized code because
83         the engine previously assumed that we would never discard baseline code.
84
85         * bytecode/CodeBlock.cpp:
86         (JSC::CodeBlock::CodeBlock): Record creation time (and compute time since
87         creation) instead of install time because CodeBlocks can be installed
88         more than once, and we don't want to have to worry about edge cases
89         created by CodeBlocks seeming to get younger.
90
91         (JSC::CodeBlock::visitAggregate): Be explicit about only doing the 
92         weak reference fixpoint for optimized CodeBlocks. We used to avoid the
93         fixpoint for baseline CodeBlocks implicitly, since they would always
94         visit themselves strongly right away. But now baseline CodeBlocks might
95         not visit themselves strongly, since they might choose to jettison due
96         to old age.
97
98         (JSC::CodeBlock::shouldVisitStrongly): Add old age as a reason not to
99         visit ourselves strongly, so that baseline CodeBlocks can jettison due
100         to old age.
101
102         (JSC::CodeBlock::shouldJettisonDueToWeakReference): Be explicit about
103         only jettisoning optimized CodeBlocks due to weak references so that we
104         don't confuse ourselves into thinking that we will jettison a baseline
105         CodeBlock due to weak references.
106
107         (JSC::CodeBlock::shouldJettisonDueToOldAge): Updated to use creation time.
108
109         (JSC::CodeBlock::visitOSRExitTargets): Clarify a comment and add an
110         ASSERT to help record some things I discovered while debugging.
111
112         (JSC::CodeBlock::jettison): Allow a baseline CodeBlock to jettison. Don't
113         assume that we have an alternative or a profiler.
114
115         (JSC::CodeBlock::install): Deleted.
116         * bytecode/CodeBlock.h:
117         (JSC::CodeBlock::releaseAlternative): Deleted.
118         (JSC::CodeBlock::setInstallTime): Deleted.
119         (JSC::CodeBlock::timeSinceInstall): Deleted.
120
121         * dfg/DFGOSRExitPreparation.cpp:
122         (JSC::DFG::prepareCodeOriginForOSRExit): Simplified the computation of
123         baseline CodeBlock.
124
125         * dfg/DFGPlan.cpp:
126         (JSC::DFG::Plan::checkLivenessAndVisitChildren): Be sure to strongly
127         visit our inline callframes because we assume that an optimized CodeBlock
128         will keep its OSR exit targets alive, but the CodeBlock object won't be
129         able to mark them for itself until compilation has completed (since it
130         won't have a JITCode object yet).
131
132         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
133         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
134         Updated for interface change.
135
136         * jit/JITCode.h:
137         (JSC::JITCode::timeToLive): Provide a time to live for interpreter and
138         baseline code, so they will jettison when old. Use seconds in our
139         code so that we don't need comments. Make DFG 2X interpreter+baseline,
140         and FTL 2X DFG+interpreter+baseline, also matching the time we allot
141         before throwing away all code.
142
143         * jit/JITToDFGDeferredCompilationCallback.cpp:
144         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
145         * llint/LLIntSlowPaths.cpp:
146         (JSC::LLInt::jitCompileAndSetHeuristics): Updated for interface change.
147
148         * runtime/Executable.cpp:
149         (JSC::ScriptExecutable::installCode): Allow our caller to install nullptr,
150         since we need to do this when jettisoning a baseline CodeBlock. Require
151         our caller to specify the details of the installation because we can't
152         rely on a non-null CodeBlock in order to compute them.
153
154         (JSC::ScriptExecutable::newCodeBlockFor):
155         (JSC::ScriptExecutable::prepareForExecutionImpl):
156         * runtime/Executable.h:
157         (JSC::ScriptExecutable::recordParse): Updated for interface change.
158
159         * runtime/Options.h: Renamed the CodeBlock liveness option since it now
160         controls baseline and optimized code.
161
162 2015-09-16  Geoffrey Garen  <ggaren@apple.com>
163
164         Remove obsolete code for deleting CodeBlocks
165         https://bugs.webkit.org/show_bug.cgi?id=149231
166
167         Reviewed by Mark Lam.
168
169         * heap/Heap.cpp:
170         (JSC::Heap::deleteAllCodeBlocks): ASSERT that we're called in a valid
171         state, and do the compiler waiting ourselves instead of having our
172         caller do it. This is more appropriate to our new limited use.
173
174         (JSC::Heap::collectImpl):
175         (JSC::Heap::deleteOldCode): Deleted. Don't call deleteAllCodeBlocks
176         periodically because it's not such a good idea to delete everything
177         at once, and CodeBlocks now have a more precise individual policy for
178         when to delete. Also, this function used to fail all or nearly all of
179         the time because its invariants that we were not executing or compiling
180         could not be met.
181
182         * heap/Heap.h:
183
184         * jsc.cpp:
185         (GlobalObject::finishCreation):
186         (functionDeleteAllCompiledCode): Deleted.
187         * tests/stress/deleteAllCompiledCode.js: Removed. Removed this testing
188         code because it did not do what it thought it did. All of this code
189         was guaranteed to no-op since it would run JavaScript to call a function
190         that would return early because JavaScript was running.
191
192         * runtime/VM.cpp:
193         (JSC::VM::deleteAllCode): This code is simpler now becaue 
194         heap.deleteAllCodeBlocks does some work for us.
195
196         * runtime/VMEntryScope.cpp:
197         (JSC::VMEntryScope::VMEntryScope): Don't delete code on VM entry. This
198         policy was old, and it dated back to a time when we 
199
200             (a) couldn't run in the interpreter if compilation failed;
201
202             (b) didn't reduce the rate of compilation in response to executable
203             memory pressure;
204
205             (c) didn't throw away individual CodeBlocks automatically.
206
207 2015-09-16  Michael Saboff  <msaboff@apple.com>
208
209         [ES6] Implement tail calls in the LLInt and Baseline JIT
210         https://bugs.webkit.org/show_bug.cgi?id=148661
211
212         Fix for the breakage of Speedometer/Full.html (https://bugs.webkit.org/show_bug.cgi?id=149162).
213
214         Reviewed by Filip Pizlo.
215         Changed SetupVarargsFrame.cpp::emitSetVarargsFrame to align the callframe size to be a
216         multiple of stackAlignmentRegisters() in addition to the location of the new frame.
217
218         Fixed Reviewed by Filip Pizlo.
219
220         * CMakeLists.txt:
221         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
222         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
223         * JavaScriptCore.xcodeproj/project.pbxproj:
224         * assembler/AbortReason.h:
225         * assembler/AbstractMacroAssembler.h:
226         (JSC::AbstractMacroAssembler::Call::Call):
227         (JSC::AbstractMacroAssembler::repatchNearCall):
228         (JSC::AbstractMacroAssembler::repatchCompact):
229         * assembler/CodeLocation.h:
230         (JSC::CodeLocationNearCall::CodeLocationNearCall):
231         (JSC::CodeLocationNearCall::callMode):
232         (JSC::CodeLocationCommon::callAtOffset):
233         (JSC::CodeLocationCommon::nearCallAtOffset):
234         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
235         * assembler/LinkBuffer.h:
236         (JSC::LinkBuffer::locationOfNearCall):
237         (JSC::LinkBuffer::locationOf):
238         * assembler/MacroAssemblerARM.h:
239         (JSC::MacroAssemblerARM::nearCall):
240         (JSC::MacroAssemblerARM::nearTailCall):
241         (JSC::MacroAssemblerARM::call):
242         (JSC::MacroAssemblerARM::linkCall):
243         * assembler/MacroAssemblerARM64.h:
244         (JSC::MacroAssemblerARM64::nearCall):
245         (JSC::MacroAssemblerARM64::nearTailCall):
246         (JSC::MacroAssemblerARM64::ret):
247         (JSC::MacroAssemblerARM64::linkCall):
248         * assembler/MacroAssemblerARMv7.h:
249         (JSC::MacroAssemblerARMv7::nearCall):
250         (JSC::MacroAssemblerARMv7::nearTailCall):
251         (JSC::MacroAssemblerARMv7::call):
252         (JSC::MacroAssemblerARMv7::linkCall):
253         * assembler/MacroAssemblerMIPS.h:
254         (JSC::MacroAssemblerMIPS::nearCall):
255         (JSC::MacroAssemblerMIPS::nearTailCall):
256         (JSC::MacroAssemblerMIPS::call):
257         (JSC::MacroAssemblerMIPS::linkCall):
258         (JSC::MacroAssemblerMIPS::repatchCall):
259         * assembler/MacroAssemblerSH4.h:
260         (JSC::MacroAssemblerSH4::call):
261         (JSC::MacroAssemblerSH4::nearTailCall):
262         (JSC::MacroAssemblerSH4::nearCall):
263         (JSC::MacroAssemblerSH4::linkCall):
264         (JSC::MacroAssemblerSH4::repatchCall):
265         * assembler/MacroAssemblerX86.h:
266         (JSC::MacroAssemblerX86::linkCall):
267         * assembler/MacroAssemblerX86Common.h:
268         (JSC::MacroAssemblerX86Common::breakpoint):
269         (JSC::MacroAssemblerX86Common::nearTailCall):
270         (JSC::MacroAssemblerX86Common::nearCall):
271         * assembler/MacroAssemblerX86_64.h:
272         (JSC::MacroAssemblerX86_64::linkCall):
273         * bytecode/BytecodeList.json:
274         * bytecode/BytecodeUseDef.h:
275         (JSC::computeUsesForBytecodeOffset):
276         (JSC::computeDefsForBytecodeOffset):
277         * bytecode/CallLinkInfo.h:
278         (JSC::CallLinkInfo::callTypeFor):
279         (JSC::CallLinkInfo::isVarargsCallType):
280         (JSC::CallLinkInfo::CallLinkInfo):
281         (JSC::CallLinkInfo::specializationKind):
282         (JSC::CallLinkInfo::callModeFor):
283         (JSC::CallLinkInfo::callMode):
284         (JSC::CallLinkInfo::isTailCall):
285         (JSC::CallLinkInfo::isVarargs):
286         (JSC::CallLinkInfo::registerPreservationMode):
287         * bytecode/CallLinkStatus.cpp:
288         (JSC::CallLinkStatus::computeFromLLInt):
289         * bytecode/CodeBlock.cpp:
290         (JSC::CodeBlock::dumpBytecode):
291         (JSC::CodeBlock::CodeBlock):
292         * bytecompiler/BytecodeGenerator.cpp:
293         (JSC::BytecodeGenerator::BytecodeGenerator):
294         (JSC::BytecodeGenerator::emitCallInTailPosition):
295         (JSC::BytecodeGenerator::emitCallEval):
296         (JSC::BytecodeGenerator::emitCall):
297         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
298         (JSC::BytecodeGenerator::emitConstructVarargs):
299         * bytecompiler/NodesCodegen.cpp:
300         (JSC::CallArguments::CallArguments):
301         (JSC::LabelNode::emitBytecode):
302         * dfg/DFGByteCodeParser.cpp:
303         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
304         * ftl/FTLLowerDFGToLLVM.cpp:
305         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
306         * interpreter/Interpreter.h:
307         (JSC::Interpreter::isCallBytecode):
308         (JSC::calleeFrameForVarargs):
309         * jit/CCallHelpers.h:
310         (JSC::CCallHelpers::jumpToExceptionHandler):
311         (JSC::CCallHelpers::prepareForTailCallSlow):
312         * jit/JIT.cpp:
313         (JSC::JIT::privateCompileMainPass):
314         (JSC::JIT::privateCompileSlowCases):
315         * jit/JIT.h:
316         * jit/JITCall.cpp:
317         (JSC::JIT::compileOpCall):
318         (JSC::JIT::compileOpCallSlowCase):
319         (JSC::JIT::emit_op_call):
320         (JSC::JIT::emit_op_tail_call):
321         (JSC::JIT::emit_op_call_eval):
322         (JSC::JIT::emit_op_call_varargs):
323         (JSC::JIT::emit_op_tail_call_varargs):
324         (JSC::JIT::emit_op_construct_varargs):
325         (JSC::JIT::emitSlow_op_call):
326         (JSC::JIT::emitSlow_op_tail_call):
327         (JSC::JIT::emitSlow_op_call_eval):
328         (JSC::JIT::emitSlow_op_call_varargs):
329         (JSC::JIT::emitSlow_op_tail_call_varargs):
330         (JSC::JIT::emitSlow_op_construct_varargs):
331         * jit/JITCall32_64.cpp:
332         (JSC::JIT::emitSlow_op_call):
333         (JSC::JIT::emitSlow_op_tail_call):
334         (JSC::JIT::emitSlow_op_call_eval):
335         (JSC::JIT::emitSlow_op_call_varargs):
336         (JSC::JIT::emitSlow_op_tail_call_varargs):
337         (JSC::JIT::emitSlow_op_construct_varargs):
338         (JSC::JIT::emit_op_call):
339         (JSC::JIT::emit_op_tail_call):
340         (JSC::JIT::emit_op_call_eval):
341         (JSC::JIT::emit_op_call_varargs):
342         (JSC::JIT::emit_op_tail_call_varargs):
343         (JSC::JIT::emit_op_construct_varargs):
344         (JSC::JIT::compileOpCall):
345         (JSC::JIT::compileOpCallSlowCase):
346         * jit/JITInlines.h:
347         (JSC::JIT::emitNakedCall):
348         (JSC::JIT::emitNakedTailCall):
349         (JSC::JIT::updateTopCallFrame):
350         * jit/JITOperations.cpp:
351         * jit/JITOperations.h:
352         * jit/Repatch.cpp:
353         (JSC::linkVirtualFor):
354         (JSC::linkPolymorphicCall):
355         * jit/SetupVarargsFrame.cpp:
356         (JSC::emitSetVarargsFrame):
357         * jit/ThunkGenerators.cpp:
358         (JSC::throwExceptionFromCallSlowPathGenerator):
359         (JSC::slowPathFor):
360         (JSC::linkCallThunkGenerator):
361         (JSC::virtualThunkFor):
362         (JSC::arityFixupGenerator):
363         (JSC::unreachableGenerator):
364         (JSC::baselineGetterReturnThunkGenerator):
365         * jit/ThunkGenerators.h:
366         * llint/LowLevelInterpreter.asm:
367         * llint/LowLevelInterpreter32_64.asm:
368         * llint/LowLevelInterpreter64.asm:
369         * runtime/CommonSlowPaths.h:
370         (JSC::CommonSlowPaths::arityCheckFor):
371         (JSC::CommonSlowPaths::opIn):
372
373 2015-09-15  Michael Saboff  <msaboff@apple.com>
374
375         Rollout r189774 and 189818.
376
377         Broke Speedometer/Full.html
378
379         Not reviewed.
380
381         * CMakeLists.txt:
382         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
383         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
384         * JavaScriptCore.xcodeproj/project.pbxproj:
385         * assembler/AbortReason.h:
386         * assembler/AbstractMacroAssembler.h:
387         (JSC::AbstractMacroAssembler::Call::Call):
388         (JSC::AbstractMacroAssembler::repatchNearCall):
389         (JSC::AbstractMacroAssembler::repatchCompact):
390         * assembler/CodeLocation.h:
391         (JSC::CodeLocationNearCall::CodeLocationNearCall):
392         (JSC::CodeLocationCommon::callAtOffset):
393         (JSC::CodeLocationCommon::nearCallAtOffset):
394         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
395         (JSC::CodeLocationNearCall::callMode): Deleted.
396         * assembler/LinkBuffer.h:
397         (JSC::LinkBuffer::locationOfNearCall):
398         (JSC::LinkBuffer::locationOf):
399         * assembler/MacroAssemblerARM.h:
400         (JSC::MacroAssemblerARM::nearCall):
401         (JSC::MacroAssemblerARM::call):
402         (JSC::MacroAssemblerARM::linkCall):
403         (JSC::MacroAssemblerARM::nearTailCall): Deleted.
404         * assembler/MacroAssemblerARM64.h:
405         (JSC::MacroAssemblerARM64::nearCall):
406         (JSC::MacroAssemblerARM64::ret):
407         (JSC::MacroAssemblerARM64::linkCall):
408         (JSC::MacroAssemblerARM64::nearTailCall): Deleted.
409         * assembler/MacroAssemblerARMv7.h:
410         (JSC::MacroAssemblerARMv7::nearCall):
411         (JSC::MacroAssemblerARMv7::call):
412         (JSC::MacroAssemblerARMv7::linkCall):
413         (JSC::MacroAssemblerARMv7::nearTailCall): Deleted.
414         * assembler/MacroAssemblerMIPS.h:
415         (JSC::MacroAssemblerMIPS::nearCall):
416         (JSC::MacroAssemblerMIPS::call):
417         (JSC::MacroAssemblerMIPS::linkCall):
418         (JSC::MacroAssemblerMIPS::repatchCall):
419         (JSC::MacroAssemblerMIPS::nearTailCall): Deleted.
420         * assembler/MacroAssemblerSH4.h:
421         (JSC::MacroAssemblerSH4::call):
422         (JSC::MacroAssemblerSH4::nearCall):
423         (JSC::MacroAssemblerSH4::linkCall):
424         (JSC::MacroAssemblerSH4::repatchCall):
425         (JSC::MacroAssemblerSH4::nearTailCall): Deleted.
426         * assembler/MacroAssemblerX86.h:
427         (JSC::MacroAssemblerX86::linkCall):
428         * assembler/MacroAssemblerX86Common.h:
429         (JSC::MacroAssemblerX86Common::breakpoint):
430         (JSC::MacroAssemblerX86Common::nearCall):
431         (JSC::MacroAssemblerX86Common::nearTailCall): Deleted.
432         * assembler/MacroAssemblerX86_64.h:
433         (JSC::MacroAssemblerX86_64::linkCall):
434         * bytecode/BytecodeList.json:
435         * bytecode/BytecodeUseDef.h:
436         (JSC::computeUsesForBytecodeOffset):
437         (JSC::computeDefsForBytecodeOffset):
438         * bytecode/CallLinkInfo.h:
439         (JSC::CallLinkInfo::callTypeFor):
440         (JSC::CallLinkInfo::CallLinkInfo):
441         (JSC::CallLinkInfo::specializationKind):
442         (JSC::CallLinkInfo::registerPreservationMode):
443         (JSC::CallLinkInfo::isVarargsCallType): Deleted.
444         (JSC::CallLinkInfo::callModeFor): Deleted.
445         (JSC::CallLinkInfo::callMode): Deleted.
446         (JSC::CallLinkInfo::isTailCall): Deleted.
447         (JSC::CallLinkInfo::isVarargs): Deleted.
448         * bytecode/CallLinkStatus.cpp:
449         (JSC::CallLinkStatus::computeFromLLInt):
450         * bytecode/CodeBlock.cpp:
451         (JSC::CodeBlock::dumpBytecode):
452         (JSC::CodeBlock::CodeBlock):
453         * bytecompiler/BytecodeGenerator.cpp:
454         (JSC::BytecodeGenerator::BytecodeGenerator):
455         (JSC::BytecodeGenerator::emitCallInTailPosition):
456         (JSC::BytecodeGenerator::emitCallEval):
457         (JSC::BytecodeGenerator::emitCall):
458         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
459         (JSC::BytecodeGenerator::emitConstructVarargs):
460         * bytecompiler/NodesCodegen.cpp:
461         (JSC::CallArguments::CallArguments):
462         (JSC::LabelNode::emitBytecode):
463         * dfg/DFGByteCodeParser.cpp:
464         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
465         * ftl/FTLLowerDFGToLLVM.cpp:
466         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
467         * interpreter/Interpreter.h:
468         (JSC::Interpreter::isCallBytecode):
469         * jit/CCallHelpers.h:
470         (JSC::CCallHelpers::jumpToExceptionHandler):
471         (JSC::CCallHelpers::prepareForTailCallSlow): Deleted.
472         * jit/JIT.cpp:
473         (JSC::JIT::privateCompileMainPass):
474         (JSC::JIT::privateCompileSlowCases):
475         * jit/JIT.h:
476         * jit/JITCall.cpp:
477         (JSC::JIT::compileOpCall):
478         (JSC::JIT::compileOpCallSlowCase):
479         (JSC::JIT::emit_op_call):
480         (JSC::JIT::emit_op_call_eval):
481         (JSC::JIT::emit_op_call_varargs):
482         (JSC::JIT::emit_op_construct_varargs):
483         (JSC::JIT::emitSlow_op_call):
484         (JSC::JIT::emitSlow_op_call_eval):
485         (JSC::JIT::emitSlow_op_call_varargs):
486         (JSC::JIT::emitSlow_op_construct_varargs):
487         (JSC::JIT::emit_op_tail_call): Deleted.
488         (JSC::JIT::emit_op_tail_call_varargs): Deleted.
489         (JSC::JIT::emitSlow_op_tail_call): Deleted.
490         (JSC::JIT::emitSlow_op_tail_call_varargs): Deleted.
491         * jit/JITCall32_64.cpp:
492         (JSC::JIT::emitSlow_op_call):
493         (JSC::JIT::emitSlow_op_call_eval):
494         (JSC::JIT::emitSlow_op_call_varargs):
495         (JSC::JIT::emitSlow_op_construct_varargs):
496         (JSC::JIT::emit_op_call):
497         (JSC::JIT::emit_op_call_eval):
498         (JSC::JIT::emit_op_call_varargs):
499         (JSC::JIT::emit_op_construct_varargs):
500         (JSC::JIT::compileOpCall):
501         (JSC::JIT::compileOpCallSlowCase):
502         (JSC::JIT::emitSlow_op_tail_call): Deleted.
503         (JSC::JIT::emitSlow_op_tail_call_varargs): Deleted.
504         (JSC::JIT::emit_op_tail_call): Deleted.
505         (JSC::JIT::emit_op_tail_call_varargs): Deleted.
506         * jit/JITInlines.h:
507         (JSC::JIT::emitNakedCall):
508         (JSC::JIT::updateTopCallFrame):
509         (JSC::JIT::emitNakedTailCall): Deleted.
510         * jit/JITOperations.cpp:
511         * jit/JITOperations.h:
512         * jit/Repatch.cpp:
513         (JSC::linkVirtualFor):
514         (JSC::linkPolymorphicCall):
515         * jit/ThunkGenerators.cpp:
516         (JSC::throwExceptionFromCallSlowPathGenerator):
517         (JSC::slowPathFor):
518         (JSC::linkCallThunkGenerator):
519         (JSC::virtualThunkFor):
520         (JSC::arityFixupGenerator):
521         (JSC::baselineGetterReturnThunkGenerator):
522         (JSC::unreachableGenerator): Deleted.
523         * jit/ThunkGenerators.h:
524         * llint/LowLevelInterpreter.asm:
525         * llint/LowLevelInterpreter32_64.asm:
526         * llint/LowLevelInterpreter64.asm:
527         * runtime/CommonSlowPaths.h:
528         (JSC::CommonSlowPaths::arityCheckFor):
529         (JSC::CommonSlowPaths::opIn):
530         * tests/stress/mutual-tail-call-no-stack-overflow.js: Removed.
531         * tests/stress/tail-call-no-stack-overflow.js: Removed.
532         * tests/stress/tail-call-recognize.js: Removed.
533         * tests/stress/tail-call-varargs-no-stack-overflow.js: Removed.
534         * tests/stress/tail-calls-dont-overwrite-live-stack.js: Removed.
535
536 2015-09-15  Sukolsak Sakshuwong  <sukolsak@gmail.com>
537
538         Implement imported global variables in WebAssembly
539         https://bugs.webkit.org/show_bug.cgi?id=149206
540
541         Reviewed by Filip Pizlo.
542
543         Values can now be imported to a WebAssembly module through properties of
544         the imports object that is passed to loadWebAssembly(). In order to
545         avoid any side effect when accessing the imports object, we check that
546         the properties are data properties. We also check that each value is a
547         primitive and is not a Symbol. According to the ECMA262 6.0 spec,
548         calling ToNumber() on a primitive that is not a Symbol should not cause
549         any side effect.[1]
550
551         [1]: http://www.ecma-international.org/ecma-262/6.0/#sec-tonumber
552
553         * tests/stress/wasm-globals.js:
554         * tests/stress/wasm/globals.wasm:
555         * wasm/WASMModuleParser.cpp:
556         (JSC::WASMModuleParser::parseModule):
557         (JSC::WASMModuleParser::parseGlobalSection):
558         * wasm/WASMModuleParser.h:
559
560 2015-09-15  Sukolsak Sakshuwong  <sukolsak@gmail.com>
561
562         Fix asm.js errors in WebAssembly tests
563         https://bugs.webkit.org/show_bug.cgi?id=149203
564
565         Reviewed by Geoffrey Garen.
566
567         Our WebAssembly implementation uses asm.js for testing. Using Firefox to
568         parse asm.js reveals many errors that are not caught by pack-asmjs. For
569         example,
570         - asm.js does not allow the use of the multiplication operator (*) to
571           multiply two integers, because the result can be so large that some
572           lower bits of precision are lost. Math.imul is used instead.
573         - an int variable must be coerced to either signed (via x|0) or unsigned
574           (via x>>>0) before it's returned.
575
576         * tests/stress/wasm-arithmetic-int32.js:
577         * tests/stress/wasm-calls.js:
578         * tests/stress/wasm-control-flow.js:
579         * tests/stress/wasm-globals.js:
580         * tests/stress/wasm-locals.js:
581         * tests/stress/wasm-relational.js:
582         * tests/stress/wasm/control-flow.wasm:
583
584 2015-09-15  Ryosuke Niwa  <rniwa@webkit.org>
585
586         Add ShadowRoot interface and Element.prototype.attachShadow
587         https://bugs.webkit.org/show_bug.cgi?id=149187
588
589         Reviewed by Antti Koivisto.
590
591         * Configurations/FeatureDefines.xcconfig:
592
593 2015-09-15  Joseph Pecoraro  <pecoraro@apple.com>
594
595         Web Inspector: Paused Debugger prevents page reload
596         https://bugs.webkit.org/show_bug.cgi?id=148174
597
598         Reviewed by Brian Burg.
599
600         * debugger/Debugger.h:
601         (JSC::Debugger::suppressAllPauses):
602         (JSC::Debugger::setSuppressAllPauses):
603         * debugger/Debugger.cpp:
604         (JSC::Debugger::Debugger):
605         (JSC::Debugger::pauseIfNeeded):
606         * inspector/agents/InspectorDebuggerAgent.h:
607         * inspector/agents/InspectorDebuggerAgent.cpp:
608         (Inspector::InspectorDebuggerAgent::setSuppressAllPauses):
609         Provide a way to suppress pauses.
610
611 2015-09-15  Sukolsak Sakshuwong  <sukolsak@gmail.com>
612
613         Implement calls to JavaScript functions in WebAssembly
614         https://bugs.webkit.org/show_bug.cgi?id=149093
615
616         Reviewed by Filip Pizlo.
617
618         This patch implements calls to JavaScript functions in WebAssembly.
619         WebAssembly functions can only call JavaScript functions that are
620         imported to their module via an object that is passed into
621         loadWebAssembly(). References to JavaScript functions are resolved at
622         the module's load time, just like asm.js.
623
624         * jsc.cpp:
625         (GlobalObject::finishCreation):
626         (functionLoadWebAssembly):
627         * tests/stress/wasm-calls.js:
628         * tests/stress/wasm/calls.wasm:
629         * wasm/JSWASMModule.cpp:
630         (JSC::JSWASMModule::visitChildren):
631         * wasm/JSWASMModule.h:
632         (JSC::JSWASMModule::importedFunctions):
633         * wasm/WASMFunctionCompiler.h:
634         (JSC::WASMFunctionCompiler::buildCallImport):
635         * wasm/WASMFunctionParser.cpp:
636         (JSC::WASMFunctionParser::parseExpressionI32):
637         (JSC::WASMFunctionParser::parseExpressionF64):
638         (JSC::WASMFunctionParser::parseCallImport):
639         * wasm/WASMFunctionParser.h:
640         * wasm/WASMFunctionSyntaxChecker.h:
641         (JSC::WASMFunctionSyntaxChecker::buildCallInternal):
642         (JSC::WASMFunctionSyntaxChecker::buildCallImport):
643         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall):
644         * wasm/WASMModuleParser.cpp:
645         (JSC::WASMModuleParser::WASMModuleParser):
646         (JSC::WASMModuleParser::parse):
647         (JSC::WASMModuleParser::parseModule):
648         (JSC::WASMModuleParser::parseFunctionImportSection):
649         (JSC::WASMModuleParser::getImportedValue):
650         (JSC::parseWebAssembly):
651         * wasm/WASMModuleParser.h:
652
653 2015-09-15  Csaba Osztrogon√°c  <ossy@webkit.org>
654
655         Fix the !ENABLE(DFG_JIT) build after r188696
656         https://bugs.webkit.org/show_bug.cgi?id=149158
657
658         Reviewed by Yusuke Suzuki.
659
660         * bytecode/GetByIdStatus.cpp:
661         * bytecode/GetByIdStatus.h:
662
663 2015-09-15  Saam barati  <sbarati@apple.com>
664
665         functions that use try/catch will allocate a top level JSLexicalEnvironment even when it is not necessary
666         https://bugs.webkit.org/show_bug.cgi?id=148169
667
668         Reviewed by Geoffrey Garen.
669
670         We used to do this before we had proper lexical scoping
671         in the bytecode generator. There is absolutely no reason
672         why need to allocate a top-level "var" activation when a
673         function/program uses a "catch" block.
674
675         * parser/ASTBuilder.h:
676         (JSC::ASTBuilder::createTryStatement):
677         (JSC::ASTBuilder::incConstants):
678         (JSC::ASTBuilder::usesThis):
679         (JSC::ASTBuilder::usesArguments):
680         (JSC::ASTBuilder::usesWith):
681         (JSC::ASTBuilder::usesEval):
682         (JSC::ASTBuilder::usesCatch): Deleted.
683         * parser/Nodes.h:
684         (JSC::ScopeNode::isStrictMode):
685         (JSC::ScopeNode::setUsesArguments):
686         (JSC::ScopeNode::usesThis):
687         (JSC::ScopeNode::needsActivation):
688         (JSC::ScopeNode::hasCapturedVariables):
689         (JSC::ScopeNode::captures):
690         (JSC::ScopeNode::needsActivationForMoreThanVariables): Deleted.
691         * parser/ParserModes.h:
692         * runtime/Executable.h:
693         (JSC::ScriptExecutable::usesEval):
694         (JSC::ScriptExecutable::usesArguments):
695         (JSC::ScriptExecutable::needsActivation):
696         (JSC::ScriptExecutable::isStrictMode):
697         (JSC::ScriptExecutable::ecmaMode):
698
699 2015-09-15  Michael Saboff  <msaboff@apple.com>
700
701         REGRESSION(r189774): CLoop doesn't build after r189774
702         https://bugs.webkit.org/show_bug.cgi?id=149171
703
704         Unreviewed build fix for the C Loop.
705
706         Added needed C Loop label opcodes.
707
708         * bytecode/BytecodeList.json:
709
710 2015-09-15  Andy VanWagoner  <thetalecrafter@gmail.com>
711
712         [INTL] Implement supportedLocalesOf on Intl Constructors
713         https://bugs.webkit.org/show_bug.cgi?id=147599
714
715         Reviewed by Benjamin Poulain.
716
717         Implements all of the abstract operations used by supportedLocalesOf,
718         except during canonicalization it does not replace redundant tags,
719         or subtags with their preferred values.
720
721         * icu/unicode/ucal.h: Added.
722         * icu/unicode/udat.h: Added.
723         * icu/unicode/umisc.h: Added.
724         * icu/unicode/unum.h: Added.
725         * icu/unicode/utypes.h: Clear the U_SHOW_CPLUSPLUS_API flag to prevent C++ headers from being included.
726         * runtime/CommonIdentifiers.h: Adde localeMatcher.
727         * runtime/IntlCollatorConstructor.cpp:
728         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf): Implemented.
729         * runtime/IntlDateTimeFormatConstructor.cpp:
730         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf): Implemented.
731         * runtime/IntlNumberFormatConstructor.cpp:
732         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf): Implemented.
733         * runtime/IntlObject.cpp:
734         (JSC::canonicalizeLanguageTag):
735         (JSC::getCanonicalLangTag):
736         (JSC::getPrivateUseLangTag):
737         (JSC::getGrandfatheredLangTag):
738         (JSC::canonicalizeLocaleList):
739         (JSC::bestAvailableLocale):
740         (JSC::lookupSupportedLocales):
741         (JSC::bestFitSupportedLocales):
742         (JSC::supportedLocales):
743         (JSC::getIntlStringOption):
744         (JSC::getIntlBooleanOption):
745         * runtime/IntlObject.h:
746         * runtime/JSCJSValue.h: Added toLength.
747         * runtime/JSCJSValue.cpp: Added toLength.
748         (JSC::JSValue::toLength): Implement ToLength from ECMA 262 6.0 7.1.15
749         * runtime/JSGlobalObject.cpp:
750         (JSC::JSGlobalObject::intlCollatorAvailableLocales): Added lazy locale list.
751         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales): Added lazy locale list.
752         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales): Added lazy locale list.
753         * runtime/JSGlobalObject.h:
754
755 2015-09-14  Saam barati  <sbarati@apple.com>
756
757         rename callFrameForThrow to callFrameForCatch
758         https://bugs.webkit.org/show_bug.cgi?id=149136
759
760         Reviewed by Michael Saboff.
761
762         We use "callFrameForThrow" to mean the call frame in
763         which we're catching the exception. The field name
764         should accurately represent its purpose by being
765         named "callFrameForCatch".
766
767         * jit/CCallHelpers.h:
768         (JSC::CCallHelpers::jumpToExceptionHandler):
769         * jit/JITExceptions.cpp:
770         (JSC::genericUnwind):
771         * jit/JITOpcodes.cpp:
772         (JSC::JIT::emit_op_catch):
773         * jit/JITOpcodes32_64.cpp:
774         (JSC::JIT::emit_op_catch):
775         * jit/JITOperations.cpp:
776         * llint/LowLevelInterpreter32_64.asm:
777         * llint/LowLevelInterpreter64.asm:
778         * runtime/VM.h:
779         (JSC::VM::exceptionOffset):
780         (JSC::VM::callFrameForCatchOffset):
781         (JSC::VM::targetMachinePCForThrowOffset):
782         (JSC::VM::callFrameForThrowOffset): Deleted.
783
784 2015-09-14  Basile Clement  <basile_clement@apple.com>
785
786         [ES6] Implement tail calls in the LLInt and Baseline JIT
787         https://bugs.webkit.org/show_bug.cgi?id=148661
788
789         Reviewed by Filip Pizlo.
790
791         This patch introduces two new opcodes, op_tail_call and
792         op_tail_call_varargs, to perform tail calls, and implements them in the
793         LLInt and baseline JIT. Their use prevents DFG and FTL compilation for
794         now. They are currently implemented by sliding the call frame and
795         masquerading as our own caller right before performing an actual call.
796
797         This required to change the operationLink family of operation to return
798         a SlowPathReturnType instead of a char* in order to distinguish between
799         exception cases and actual call cases. We introduce a new FrameAction
800         enum that indicates whether to reuse (non-exceptional tail call) or
801         keep the current call frame (non-tail call, and exceptional cases).
802
803         This is also a semantics change, since the Function.caller property is
804         now leaking tail calls. Since tail calls are only used in strict mode,
805         which poisons this property, the only way of seeing this semantics
806         change is when a sloppy function calls a strict function that then
807         tail-calls a sloppy function. Previously, the second sloppy function's
808         caller would have been the strict function (i.e. raises a TypeError
809         when the .caller attribute is accessed), while it is now the first
810         sloppy function. Tests have been updated to reflect that.
811
812         This also changes the assumptions we make about call frames. In order
813         to be relatively efficient, we want to be able to compute the frame
814         size based only on the argument count, which was not possible
815         previously. To enable this, we now enforce at the bytecode generator,
816         DFG and FTL level that any space reserved for a call frame is
817         stack-aligned, which allows to easily compute its size when performing
818         a tail call. In all the "special call cases" (calls from native code,
819         inlined cache calls, etc.), we are starting the frame at the current
820         stack pointer and thus will always have a stack-aligned frame size.
821
822         Finally, this patch adds a couple of tests to check that tail calls run
823         in constant stack space, as well as tests checking that tail calls are
824         recognized correctly. Those tests use the handy aforementioned leaking
825         of tail calls through Function.caller to detect tail calls. 
826
827         Given that this patch only implements tail calls for the LLInt and
828         Baseline JIT, tail calls are disabled by default.  Until changes are
829         landed for all tiers, tail call testing and use requires the
830         --enableTailCalls=true or equivalent.
831
832         * CMakeLists.txt:
833         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
834         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
835         * JavaScriptCore.xcodeproj/project.pbxproj:
836         * assembler/AbortReason.h:
837         * assembler/AbstractMacroAssembler.h:
838         (JSC::AbstractMacroAssembler::Call::Call):
839         (JSC::AbstractMacroAssembler::repatchNearCall):
840         (JSC::AbstractMacroAssembler::repatchCompact):
841         * assembler/CodeLocation.h:
842         (JSC::CodeLocationNearCall::CodeLocationNearCall):
843         (JSC::CodeLocationNearCall::callMode):
844         (JSC::CodeLocationCommon::callAtOffset):
845         (JSC::CodeLocationCommon::nearCallAtOffset):
846         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
847         * assembler/LinkBuffer.h:
848         (JSC::LinkBuffer::locationOfNearCall):
849         (JSC::LinkBuffer::locationOf):
850         * assembler/MacroAssemblerARM.h:
851         (JSC::MacroAssemblerARM::nearCall):
852         (JSC::MacroAssemblerARM::nearTailCall):
853         (JSC::MacroAssemblerARM::call):
854         (JSC::MacroAssemblerARM::linkCall):
855         * assembler/MacroAssemblerARM64.h:
856         (JSC::MacroAssemblerARM64::nearCall):
857         (JSC::MacroAssemblerARM64::nearTailCall):
858         (JSC::MacroAssemblerARM64::ret):
859         (JSC::MacroAssemblerARM64::linkCall):
860         * assembler/MacroAssemblerARMv7.h:
861         (JSC::MacroAssemblerARMv7::nearCall):
862         (JSC::MacroAssemblerARMv7::nearTailCall):
863         (JSC::MacroAssemblerARMv7::call):
864         (JSC::MacroAssemblerARMv7::linkCall):
865         * assembler/MacroAssemblerMIPS.h:
866         (JSC::MacroAssemblerMIPS::nearCall):
867         (JSC::MacroAssemblerMIPS::nearTailCall):
868         (JSC::MacroAssemblerMIPS::call):
869         (JSC::MacroAssemblerMIPS::linkCall):
870         (JSC::MacroAssemblerMIPS::repatchCall):
871         * assembler/MacroAssemblerSH4.h:
872         (JSC::MacroAssemblerSH4::call):
873         (JSC::MacroAssemblerSH4::nearTailCall):
874         (JSC::MacroAssemblerSH4::nearCall):
875         (JSC::MacroAssemblerSH4::linkCall):
876         (JSC::MacroAssemblerSH4::repatchCall):
877         * assembler/MacroAssemblerX86.h:
878         (JSC::MacroAssemblerX86::linkCall):
879         * assembler/MacroAssemblerX86Common.h:
880         (JSC::MacroAssemblerX86Common::breakpoint):
881         (JSC::MacroAssemblerX86Common::nearTailCall):
882         (JSC::MacroAssemblerX86Common::nearCall):
883         * assembler/MacroAssemblerX86_64.h:
884         (JSC::MacroAssemblerX86_64::linkCall):
885         * bytecode/BytecodeList.json:
886         * bytecode/BytecodeUseDef.h:
887         (JSC::computeUsesForBytecodeOffset):
888         (JSC::computeDefsForBytecodeOffset):
889         * bytecode/CallLinkInfo.h:
890         (JSC::CallLinkInfo::callTypeFor):
891         (JSC::CallLinkInfo::isVarargsCallType):
892         (JSC::CallLinkInfo::CallLinkInfo):
893         (JSC::CallLinkInfo::specializationKind):
894         (JSC::CallLinkInfo::callModeFor):
895         (JSC::CallLinkInfo::callMode):
896         (JSC::CallLinkInfo::isTailCall):
897         (JSC::CallLinkInfo::isVarargs):
898         (JSC::CallLinkInfo::registerPreservationMode):
899         * bytecode/CallLinkStatus.cpp:
900         (JSC::CallLinkStatus::computeFromLLInt):
901         * bytecode/CallMode.cpp: Added.
902         (WTF::printInternal):
903         * bytecode/CallMode.h: Added.
904         * bytecode/CodeBlock.cpp:
905         (JSC::CodeBlock::dumpBytecode):
906         (JSC::CodeBlock::CodeBlock):
907         * bytecompiler/BytecodeGenerator.cpp:
908         (JSC::BytecodeGenerator::BytecodeGenerator):
909         (JSC::BytecodeGenerator::emitCallInTailPosition):
910         (JSC::BytecodeGenerator::emitCallEval):
911         (JSC::BytecodeGenerator::emitCall):
912         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
913         (JSC::BytecodeGenerator::emitConstructVarargs):
914         * bytecompiler/NodesCodegen.cpp:
915         (JSC::CallArguments::CallArguments):
916         (JSC::LabelNode::emitBytecode):
917         * dfg/DFGByteCodeParser.cpp:
918         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
919         * ftl/FTLLowerDFGToLLVM.cpp:
920         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
921         * interpreter/Interpreter.h:
922         (JSC::Interpreter::isCallBytecode):
923         * jit/CCallHelpers.h:
924         (JSC::CCallHelpers::jumpToExceptionHandler):
925         (JSC::CCallHelpers::prepareForTailCallSlow):
926         * jit/JIT.cpp:
927         (JSC::JIT::privateCompileMainPass):
928         (JSC::JIT::privateCompileSlowCases):
929         * jit/JIT.h:
930         * jit/JITCall.cpp:
931         (JSC::JIT::compileOpCall):
932         (JSC::JIT::compileOpCallSlowCase):
933         (JSC::JIT::emit_op_call):
934         (JSC::JIT::emit_op_tail_call):
935         (JSC::JIT::emit_op_call_eval):
936         (JSC::JIT::emit_op_call_varargs):
937         (JSC::JIT::emit_op_tail_call_varargs):
938         (JSC::JIT::emit_op_construct_varargs):
939         (JSC::JIT::emitSlow_op_call):
940         (JSC::JIT::emitSlow_op_tail_call):
941         (JSC::JIT::emitSlow_op_call_eval):
942         (JSC::JIT::emitSlow_op_call_varargs):
943         (JSC::JIT::emitSlow_op_tail_call_varargs):
944         (JSC::JIT::emitSlow_op_construct_varargs):
945         * jit/JITCall32_64.cpp:
946         (JSC::JIT::emitSlow_op_call):
947         (JSC::JIT::emitSlow_op_tail_call):
948         (JSC::JIT::emitSlow_op_call_eval):
949         (JSC::JIT::emitSlow_op_call_varargs):
950         (JSC::JIT::emitSlow_op_tail_call_varargs):
951         (JSC::JIT::emitSlow_op_construct_varargs):
952         (JSC::JIT::emit_op_call):
953         (JSC::JIT::emit_op_tail_call):
954         (JSC::JIT::emit_op_call_eval):
955         (JSC::JIT::emit_op_call_varargs):
956         (JSC::JIT::emit_op_tail_call_varargs):
957         (JSC::JIT::emit_op_construct_varargs):
958         (JSC::JIT::compileOpCall):
959         (JSC::JIT::compileOpCallSlowCase):
960         * jit/JITInlines.h:
961         (JSC::JIT::emitNakedCall):
962         (JSC::JIT::emitNakedTailCall):
963         (JSC::JIT::updateTopCallFrame):
964         * jit/JITOperations.cpp:
965         * jit/JITOperations.h:
966         * jit/Repatch.cpp:
967         (JSC::linkVirtualFor):
968         (JSC::linkPolymorphicCall):
969         * jit/ThunkGenerators.cpp:
970         (JSC::throwExceptionFromCallSlowPathGenerator):
971         (JSC::slowPathFor):
972         (JSC::linkCallThunkGenerator):
973         (JSC::virtualThunkFor):
974         (JSC::arityFixupGenerator):
975         (JSC::unreachableGenerator):
976         (JSC::baselineGetterReturnThunkGenerator):
977         * jit/ThunkGenerators.h:
978         * llint/LowLevelInterpreter.asm:
979         * llint/LowLevelInterpreter32_64.asm:
980         * llint/LowLevelInterpreter64.asm:
981         * runtime/CommonSlowPaths.h:
982         (JSC::CommonSlowPaths::arityCheckFor):
983         (JSC::CommonSlowPaths::opIn):
984         * runtime/Options.h:
985         * tests/stress/mutual-tail-call-no-stack-overflow.js: Added.
986         (shouldThrow):
987         (sloppyCountdown.even):
988         (sloppyCountdown.odd):
989         (strictCountdown.even):
990         (strictCountdown.odd):
991         (strictCountdown):
992         (odd):
993         (even):
994         * tests/stress/tail-call-no-stack-overflow.js: Added.
995         (shouldThrow):
996         (strictLoop):
997         (strictLoopArityFixup1):
998         (strictLoopArityFixup2):
999         * tests/stress/tail-call-recognize.js: Added.
1000         (callerMustBeRun):
1001         (callerMustBeStrict):
1002         (runTests):
1003         * tests/stress/tail-call-varargs-no-stack-overflow.js: Added.
1004         (shouldThrow):
1005         (strictLoop):
1006         * tests/stress/tail-calls-dont-overwrite-live-stack.js: Added.
1007         (tail):
1008         (obj.method):
1009         (obj.get fromNative):
1010         (getThis):
1011
1012 2015-09-14  Filip Pizlo  <fpizlo@apple.com>
1013
1014         LLInt get/put inline caches shouldn't use tons of opcodes
1015         https://bugs.webkit.org/show_bug.cgi?id=149106
1016
1017         Reviewed by Geoffrey Garen.
1018
1019         Our LLInt get/put inline caches currently use separate opcodes to reduce branching. For
1020         example, instead of having get_by_id branch on the kind of offset (inline or
1021         out-of-line), we have two get_by_id instructions: get_by_id and get_by_id_out_of_line.
1022         But the problem with this approach is that it doesn't scale. In the property type
1023         inference work (https://bugs.webkit.org/show_bug.cgi?id=148610), we need each kind of put
1024         inline cache to support 11 different kinds of type checks. It seemed ridiculous to add 60
1025         new put_by_id opcodes (there are currently 6 variants of put_by_id, so after adding type
1026         checks, we'd have 6 * 11 = 66 variants of put_by_id).
1027
1028         So, this patch completely changes the strategy to mostly using branching inside the
1029         opcode implementation. It's unlikely to have a performance effect. For example, the long
1030         road to generational GC caused a seemingly prohibitive regression in LLInt inline caches,
1031         and yet nobody noticed. The regression was because the inline cache was in terms of the
1032         structure, not the structure ID, so the code was doing a structure ID table lookup. If we
1033         didn't notice that, then we probably won't notice a couple new branches. (Also, this
1034         patch fixes that regression - the code no longer does such lookups except in the one
1035         unavoidable case in put_by_id transition chain checking.)
1036
1037         This patch also turns the isDirect operand of put_by_id into a flags field. I will use
1038         this flags field to encode the desired type check in bug 148610.
1039
1040         This patch has no effect on performance according to run-jsc-benchmarks.
1041
1042         Relanding this patch with LLInt fixes for non-x86. Previous attempts to fix non-x86 LLInt
1043         build also caused every 64-bit test to crash on every platform. So the patch got rolled
1044         out. This fixes the non-x86 LLInt build while also ensuring that 64-bit platforms don't
1045         crash.
1046
1047         * CMakeLists.txt:
1048         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1049         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1050         * JavaScriptCore.xcodeproj/project.pbxproj:
1051         * bytecode/BytecodeList.json:
1052         * bytecode/BytecodeUseDef.h:
1053         (JSC::computeUsesForBytecodeOffset):
1054         (JSC::computeDefsForBytecodeOffset):
1055         * bytecode/CodeBlock.cpp:
1056         (JSC::CodeBlock::printGetByIdOp):
1057         (JSC::CodeBlock::printGetByIdCacheStatus):
1058         (JSC::CodeBlock::printPutByIdCacheStatus):
1059         (JSC::CodeBlock::dumpBytecode):
1060         (JSC::CodeBlock::CodeBlock):
1061         (JSC::CodeBlock::propagateTransitions):
1062         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1063         * bytecode/CodeBlock.h:
1064         * bytecode/GetByIdStatus.cpp:
1065         (JSC::GetByIdStatus::computeFromLLInt):
1066         * bytecode/Instruction.h:
1067         (JSC::Instruction::Instruction):
1068         * bytecode/PutByIdFlags.cpp: Added.
1069         (WTF::printInternal):
1070         * bytecode/PutByIdFlags.h: Added.
1071         * bytecode/PutByIdStatus.cpp:
1072         (JSC::PutByIdStatus::computeFromLLInt):
1073         * bytecode/UnlinkedCodeBlock.h:
1074         (JSC::UnlinkedInstruction::UnlinkedInstruction):
1075         * bytecompiler/BytecodeGenerator.cpp:
1076         (JSC::BytecodeGenerator::emitPutById):
1077         (JSC::BytecodeGenerator::emitDirectPutById):
1078         * dfg/DFGByteCodeParser.cpp:
1079         (JSC::DFG::ByteCodeParser::parseBlock):
1080         * dfg/DFGCapabilities.cpp:
1081         (JSC::DFG::capabilityLevel):
1082         * jit/JIT.cpp:
1083         (JSC::JIT::privateCompileMainPass):
1084         (JSC::JIT::privateCompileSlowCases):
1085         * jit/JITPropertyAccess.cpp:
1086         (JSC::JIT::emit_op_put_by_id):
1087         * jit/JITPropertyAccess32_64.cpp:
1088         (JSC::JIT::emit_op_put_by_id):
1089         * llint/LLIntSlowPaths.cpp:
1090         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1091         * llint/LowLevelInterpreter32_64.asm:
1092         * llint/LowLevelInterpreter64.asm:
1093
1094 2015-09-14  Commit Queue  <commit-queue@webkit.org>
1095
1096         Unreviewed, rolling out r189751, r189752, and r189754.
1097         https://bugs.webkit.org/show_bug.cgi?id=149143
1098
1099         caused crashes everywhere (Requested by alexchristensen on
1100         #webkit).
1101
1102         Reverted changesets:
1103
1104         "LLInt get/put inline caches shouldn't use tons of opcodes"
1105         https://bugs.webkit.org/show_bug.cgi?id=149106
1106         http://trac.webkit.org/changeset/189751
1107
1108         "Unreviewed, fix non-x86 LLInt build."
1109         http://trac.webkit.org/changeset/189752
1110
1111         "Unreviewed, really fix non-x86 LLInt build without also
1112         breaking everything else."
1113         http://trac.webkit.org/changeset/189754
1114
1115 2015-09-14  Filip Pizlo  <fpizlo@apple.com>
1116
1117         Unreviewed, really fix non-x86 LLInt build without also breaking everything else.
1118
1119         * llint/LowLevelInterpreter64.asm:
1120
1121 2015-09-14  Filip Pizlo  <fpizlo@apple.com>
1122
1123         Unreviewed, fix non-x86 LLInt build.
1124
1125         * llint/LowLevelInterpreter64.asm:
1126
1127 2015-09-13  Filip Pizlo  <fpizlo@apple.com>
1128
1129         LLInt get/put inline caches shouldn't use tons of opcodes
1130         https://bugs.webkit.org/show_bug.cgi?id=149106
1131
1132         Reviewed by Geoffrey Garen.
1133
1134         Our LLInt get/put inline caches currently use separate opcodes to reduce branching. For
1135         example, instead of having get_by_id branch on the kind of offset (inline or
1136         out-of-line), we have two get_by_id instructions: get_by_id and get_by_id_out_of_line.
1137         But the problem with this approach is that it doesn't scale. In the property type
1138         inference work (https://bugs.webkit.org/show_bug.cgi?id=148610), we need each kind of put
1139         inline cache to support 11 different kinds of type checks. It seemed ridiculous to add 60
1140         new put_by_id opcodes (there are currently 6 variants of put_by_id, so after adding type
1141         checks, we'd have 6 * 11 = 66 variants of put_by_id).
1142
1143         So, this patch completely changes the strategy to mostly using branching inside the
1144         opcode implementation. It's unlikely to have a performance effect. For example, the long
1145         road to generational GC caused a seemingly prohibitive regression in LLInt inline caches,
1146         and yet nobody noticed. The regression was because the inline cache was in terms of the
1147         structure, not the structure ID, so the code was doing a structure ID table lookup. If we
1148         didn't notice that, then we probably won't notice a couple new branches. (Also, this
1149         patch fixes that regression - the code no longer does such lookups except in the one
1150         unavoidable case in put_by_id transition chain checking.)
1151
1152         This patch also turns the isDirect operand of put_by_id into a flags field. I will use
1153         this flags field to encode the desired type check in bug 148610.
1154
1155         This patch has no effect on performance according to run-jsc-benchmarks.
1156
1157         * CMakeLists.txt:
1158         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1159         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1160         * JavaScriptCore.xcodeproj/project.pbxproj:
1161         * bytecode/BytecodeList.json:
1162         * bytecode/BytecodeUseDef.h:
1163         (JSC::computeUsesForBytecodeOffset):
1164         (JSC::computeDefsForBytecodeOffset):
1165         * bytecode/CodeBlock.cpp:
1166         (JSC::CodeBlock::printGetByIdOp):
1167         (JSC::CodeBlock::printGetByIdCacheStatus):
1168         (JSC::CodeBlock::printPutByIdCacheStatus):
1169         (JSC::CodeBlock::dumpBytecode):
1170         (JSC::CodeBlock::CodeBlock):
1171         (JSC::CodeBlock::propagateTransitions):
1172         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1173         * bytecode/CodeBlock.h:
1174         * bytecode/GetByIdStatus.cpp:
1175         (JSC::GetByIdStatus::computeFromLLInt):
1176         * bytecode/Instruction.h:
1177         (JSC::Instruction::Instruction):
1178         * bytecode/PutByIdFlags.cpp: Added.
1179         (WTF::printInternal):
1180         * bytecode/PutByIdFlags.h: Added.
1181         * bytecode/PutByIdStatus.cpp:
1182         (JSC::PutByIdStatus::computeFromLLInt):
1183         * bytecode/UnlinkedCodeBlock.h:
1184         (JSC::UnlinkedInstruction::UnlinkedInstruction):
1185         * bytecompiler/BytecodeGenerator.cpp:
1186         (JSC::BytecodeGenerator::emitPutById):
1187         (JSC::BytecodeGenerator::emitDirectPutById):
1188         * dfg/DFGAbstractInterpreterInlines.h:
1189         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1190         * dfg/DFGByteCodeParser.cpp:
1191         (JSC::DFG::ByteCodeParser::parseBlock):
1192         * dfg/DFGCapabilities.cpp:
1193         (JSC::DFG::capabilityLevel):
1194         * jit/JIT.cpp:
1195         (JSC::JIT::privateCompileMainPass):
1196         (JSC::JIT::privateCompileSlowCases):
1197         * jit/JITPropertyAccess.cpp:
1198         (JSC::JIT::emit_op_put_by_id):
1199         * jit/JITPropertyAccess32_64.cpp:
1200         (JSC::JIT::emit_op_put_by_id):
1201         * llint/LLIntSlowPaths.cpp:
1202         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1203         * llint/LowLevelInterpreter32_64.asm:
1204         * llint/LowLevelInterpreter64.asm:
1205
1206 2015-09-14  Alex Christensen  <achristensen@webkit.org>
1207
1208         Progress towards CMake on Mac.
1209         https://bugs.webkit.org/show_bug.cgi?id=149123
1210
1211         Reviewed by Chris Dumez.
1212
1213         * CMakeLists.txt:
1214         Make forwarding headers for the replay subdirectory.
1215         * PlatformMac.cmake:
1216         Make forwarding headers for the generated inspector headers. 
1217         They should eventually either be packaged correctly with JavaScriptCore headers and included correctly.
1218
1219 2015-09-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1220
1221         [ES6] Cache the resolution result in JSModuleRecord
1222         https://bugs.webkit.org/show_bug.cgi?id=148896
1223
1224         Reviewed by Saam Barati.
1225
1226         The resolveExport operation is frequently called. For example,
1227         1. When instantiating the module environment, we call it for each exported name and imported
1228            name.
1229         2. When linking the imported module environment to the code block, we call it to resolve the
1230            resolution.
1231         3. When looking up the property from the namespace object, we call it to look up the original
1232            module for the imported binding.
1233         4. When creating the namespace object, we need to collect all the exported names from the module
1234            and need to resolve them by calling resolveExport.
1235
1236         However, resolveExport takes some cost. It traces the imported modules and resolves the reference
1237         queried by the original module.
1238
1239         The resolveExport operation is pure function; given a module record and an export name,
1240         it always returns the same result. So we cache resolution results in the module record to avoid
1241         repeated resolveExport calls with the same arguments.
1242         Here, we only cache the correctly resolved references, since,
1243         1. We rarely looked up the non-correctly-resolved ones. In the linking phase, attempting to
1244            resolve non-correctly-resolved ones throws a syntax error. So only namespace object creation
1245            phase does it in a syntax valid script.
1246         2. This strategy limits the size of the cache map. The number of the correctly exported bindings
1247            is defined by the modules' code. So the size does not become infinitely large.
1248
1249         Currently, the all modules cannot be linked twice. For example,
1250
1251           graph 1
1252
1253           -> (A) -> (B)
1254
1255           graph 2
1256
1257           -> (C) -> (A) -> (B)
1258
1259         We cannot test the behavior now because when executing the graph 2, (A) and (B) are already linked,
1260         it raises an error in the current loader spec. But it should be allowed[1] since it will occur when
1261         there is multiple module tag in WebCore.
1262
1263         [1]: https://github.com/whatwg/loader/issues/41
1264
1265         * runtime/JSModuleRecord.cpp:
1266         (JSC::JSModuleRecord::ResolveQuery::Hash::hash):
1267         (JSC::JSModuleRecord::ResolveQuery::Hash::equal):
1268         (JSC::JSModuleRecord::cacheResolution):
1269         (JSC::ResolveQueryHash::hash): Deleted.
1270         (JSC::ResolveQueryHash::equal): Deleted.
1271         (JSC::resolveExportLoop): Deleted.
1272         * runtime/JSModuleRecord.h:
1273         * tests/modules/caching-should-not-make-ambiguous.js: Added.
1274         * tests/modules/caching-should-not-make-ambiguous/A.js: Added.
1275         * tests/modules/caching-should-not-make-ambiguous/B.js: Added.
1276         * tests/modules/caching-should-not-make-ambiguous/C.js: Added.
1277         * tests/modules/caching-should-not-make-ambiguous/D.js: Added.
1278         * tests/modules/caching-should-not-make-ambiguous/main.js: Added.
1279         * tests/modules/different-view.js: Added.
1280         (from.string_appeared_here.shouldThrow):
1281         * tests/modules/different-view/A.js: Added.
1282         * tests/modules/different-view/B.js: Added.
1283         * tests/modules/different-view/C.js: Added.
1284         * tests/modules/different-view/D.js: Added.
1285         * tests/modules/different-view/E.js: Added.
1286         * tests/modules/different-view/main.js: Added.
1287         * tests/modules/fallback-ambiguous.js: Added.
1288         (from.string_appeared_here.shouldThrow):
1289         * tests/modules/fallback-ambiguous/A.js: Added.
1290         * tests/modules/fallback-ambiguous/B.js: Added.
1291         * tests/modules/fallback-ambiguous/C.js: Added.
1292         * tests/modules/fallback-ambiguous/D.js: Added.
1293         * tests/modules/fallback-ambiguous/E.js: Added.
1294         * tests/modules/fallback-ambiguous/main.js: Added.
1295         * tests/modules/self-star-link.js: Added.
1296         * tests/modules/self-star-link/A.js: Added.
1297         * tests/modules/self-star-link/B.js: Added.
1298         * tests/modules/self-star-link/C.js: Added.
1299         * tests/modules/self-star-link/D.js: Added.
1300         * tests/modules/self-star-link/E.js: Added.
1301         * tests/modules/uncacheable-when-see-star.js: Added.
1302         * tests/modules/uncacheable-when-see-star/A-pre.js: Added.
1303         * tests/modules/uncacheable-when-see-star/A.js: Added.
1304         * tests/modules/uncacheable-when-see-star/B.js: Added.
1305         * tests/modules/uncacheable-when-see-star/C.js: Added.
1306         * tests/modules/uncacheable-when-see-star/D.js: Added.
1307         * tests/modules/uncacheable-when-see-star/E-pre.js: Added.
1308         * tests/modules/uncacheable-when-see-star/E.js: Added.
1309         * tests/modules/uncacheable-when-see-star/main1.js: Added.
1310         * tests/modules/uncacheable-when-see-star/main2.js: Added.
1311
1312 2015-09-14  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1313
1314         Implement the arithmetic instructions for floats in WebAssembly
1315         https://bugs.webkit.org/show_bug.cgi?id=149102
1316
1317         Reviewed by Geoffrey Garen.
1318
1319         This patch implements the arithmetic instructions for floats (float32)
1320         in WebAssembly by converting the float operands to doubles, performing
1321         the equivalent double instructions, and converting the result back to
1322         float. The asm.js spec says that "As proved in 'When is double rounding
1323         innocuous?' (Figueroa 1995), both the 32- and 64-bit versions of
1324         standard arithmetic operations produce equivalent results when given
1325         32-bit inputs and coerced to 32-bit outputs."
1326         (http://asmjs.org/spec/latest/#floatish)
1327
1328         This patch also pads WebAssembly call frames by maxFrameExtentForSlowPathCall,
1329         so that there is no need to adjust the stack pointer every time we make
1330         a slow path call.
1331
1332         * tests/stress/wasm-arithmetic-float32.js:
1333         * tests/stress/wasm/arithmetic-float32.wasm:
1334         * wasm/WASMFunctionCompiler.h:
1335         (JSC::WASMFunctionCompiler::startFunction):
1336         (JSC::WASMFunctionCompiler::buildUnaryF32):
1337         (JSC::WASMFunctionCompiler::buildBinaryF32):
1338         (JSC::WASMFunctionCompiler::callOperation):
1339         (JSC::WASMFunctionCompiler::callAndUnboxResult):
1340         (JSC::WASMFunctionCompiler::endFunction): Deleted.
1341         (JSC::WASMFunctionCompiler::buildBinaryI32): Deleted.
1342         * wasm/WASMFunctionParser.cpp:
1343         (JSC::WASMFunctionParser::parseExpressionF32):
1344         (JSC::WASMFunctionParser::parseUnaryExpressionF32):
1345         (JSC::WASMFunctionParser::parseBinaryExpressionF32):
1346         * wasm/WASMFunctionParser.h:
1347         * wasm/WASMFunctionSyntaxChecker.h:
1348         (JSC::WASMFunctionSyntaxChecker::buildUnaryF32):
1349         (JSC::WASMFunctionSyntaxChecker::buildBinaryF32):
1350
1351 2015-09-13  Geoffrey Garen  <ggaren@apple.com>
1352
1353         Eden GC should not try to jettison old CodeBlocks in the remembered set
1354         https://bugs.webkit.org/show_bug.cgi?id=149108
1355
1356         Reviewed by Saam Barati.
1357
1358         All we know about objects in the remembered set is that they must be
1359         visited. We don't know whether they're referenced or not because we
1360         won't mark the objects that point to them.
1361
1362         Therefore, it's incorrect for a CodeBlock to consider jettisoning
1363         itself when it's marked as a part of the remembered set: Some
1364         old object might have visited the CodeBlock strongly if given the chance.
1365
1366         I believe this doesn't cause any problems currently because we happen
1367         to visit all strong references to all CodeBlocks elligible for jettison
1368         during every GC.
1369
1370         However, this behavior is a logical oddity that tripped me up, and I
1371         believe it will start causing real problems once we start to jettison
1372         baseline CodeBlocks, since we do not visit all strong references to all
1373         baseline CodeBlocks during every GC.
1374
1375         * heap/CodeBlockSet.cpp:
1376         (JSC::CodeBlockSet::clearMarksForEdenCollection):
1377         (JSC::CodeBlockSet::traceMarked): Be sure to visit the remembered set
1378         strongly, in order to prohibit jettisoning.
1379
1380         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
1381         * heap/CodeBlockSet.h: Track the remembered set during eden GCs.
1382
1383 2015-09-11  Filip Pizlo  <fpizlo@apple.com>
1384
1385         REGRESSION(r189585): run-perf-tests Speedometer fails with a console error
1386         https://bugs.webkit.org/show_bug.cgi?id=149066
1387
1388         Reviewed by Michael Saboff.
1389
1390         The bug here was that the new IC code was calling actionForCell() more than once. That's
1391         illegal, since when actionForCell() returns RetryCacheLater, it means that it changed some
1392         object's Structure. The Repatch code was doing things like "if (actionForCell(blah) ==
1393         AttemptToCache)" in more than one place, so that if the first such expression was false, then
1394         we'd fall through to the next one. It's possible for the first call to return RetryCacheLater,
1395         in which case our view of the world just got clobbered and we need to return, and then the
1396         second call will probably return AttemptToCache because it *thinks* that we had bailed the last
1397         time and we're now in a future IC invocation.
1398
1399         The solution is to cache the actionForCell() result. This is a bit tricky, because we need to
1400         do this after we check if we're in a proxy.
1401
1402         Debugging bugs like these requires adding ad hoc bisection code in various places. We already
1403         had the basic hooks for this. This patch makes those hooks a bit more useful. In the case of
1404         the LLInt->JIT tier-up hooks, it adds a CodeBlock* argument so that we can bisect based on the
1405         CodeBlock. In the case of Repatch, it puts the Options::forceICFailure() check in a helper
1406         function that also takes ExecState*, which allows us to bisect on either CodeBlock or
1407         CodeOrigin.
1408
1409         * jit/Repatch.cpp:
1410         (JSC::actionForCell):
1411         (JSC::forceICFailure):
1412         (JSC::tryCacheGetByID):
1413         (JSC::tryCachePutByID):
1414         (JSC::tryRepatchIn):
1415         * llint/LLIntSlowPaths.cpp:
1416         (JSC::LLInt::shouldJIT):
1417         (JSC::LLInt::jitCompileAndSetHeuristics):
1418         (JSC::LLInt::entryOSR):
1419         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1420         * tests/stress/retry-cache-later.js:
1421
1422 2015-09-11  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1423
1424         Implement the relational instructions for floats in WebAssembly
1425         https://bugs.webkit.org/show_bug.cgi?id=149080
1426
1427         Reviewed by Geoffrey Garen.
1428
1429         This patch implements the relational instructions for floats (float32)
1430         in WebAssembly by converting float operands to doubles and then
1431         comparing them using the existing double comparison instructions in the
1432         macro assembler.
1433
1434         * tests/stress/wasm-relational.js:
1435         * tests/stress/wasm/relational.wasm:
1436         * wasm/WASMFunctionCompiler.h:
1437         (JSC::WASMFunctionCompiler::buildRelationalF32):
1438         * wasm/WASMFunctionParser.cpp:
1439         (JSC::WASMFunctionParser::parseExpressionI32):
1440         (JSC::WASMFunctionParser::parseRelationalF32ExpressionI32):
1441         * wasm/WASMFunctionParser.h:
1442         * wasm/WASMFunctionSyntaxChecker.h:
1443         (JSC::WASMFunctionSyntaxChecker::buildRelationalF32):
1444
1445 2015-09-11  Nan Wang  <n_wang@apple.com>
1446
1447         AX: ARIA 1.1 @aria-current
1448         https://bugs.webkit.org/show_bug.cgi?id=146012
1449
1450         Reviewed by Chris Fleizach.
1451
1452         Updated inspector to support aria-current.
1453
1454         * inspector/protocol/DOM.json:
1455
1456 2015-09-11  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1457
1458         Add initial support for floats in WebAsssembly
1459         https://bugs.webkit.org/show_bug.cgi?id=149062
1460
1461         Reviewed by Geoffrey Garen.
1462
1463         Implement the ConstantPoolIndex, Immediate, GetLocal, and GetGlobal
1464         instructions for floats (float32) in WebAssembly.
1465
1466         * tests/stress/wasm-arithmetic-float32.js: Added.
1467         (shouldBe):
1468         * tests/stress/wasm-globals.js:
1469         * tests/stress/wasm-type-conversion.js:
1470         * tests/stress/wasm/arithmetic-float32.wasm: Added.
1471         * tests/stress/wasm/globals.wasm:
1472         * tests/stress/wasm/type-conversion.wasm:
1473         * wasm/WASMConstants.h:
1474         * wasm/WASMFunctionCompiler.h:
1475         (JSC::WASMFunctionCompiler::buildSetLocal):
1476         (JSC::WASMFunctionCompiler::buildReturn):
1477         (JSC::WASMFunctionCompiler::buildImmediateF32):
1478         (JSC::WASMFunctionCompiler::buildGetLocal):
1479         * wasm/WASMFunctionParser.cpp:
1480         (JSC::WASMFunctionParser::parseExpression):
1481         (JSC::WASMFunctionParser::parseExpressionF32):
1482         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF32):
1483         (JSC::WASMFunctionParser::parseImmediateExpressionF32):
1484         (JSC::WASMFunctionParser::parseGetLocalExpressionF32):
1485         (JSC::WASMFunctionParser::parseGetGlobalExpressionF32):
1486         * wasm/WASMFunctionParser.h:
1487         * wasm/WASMFunctionSyntaxChecker.h:
1488         (JSC::WASMFunctionSyntaxChecker::buildImmediateF32):
1489         * wasm/WASMReader.cpp:
1490         (JSC::WASMReader::readOpExpressionF32):
1491         * wasm/WASMReader.h:
1492
1493 2015-09-11  Geoffrey Garen  <ggaren@apple.com>
1494
1495         Try to fix the CLOOP build.
1496
1497         Unreviewed.
1498
1499         * bytecode/CodeBlock.cpp:
1500         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
1501         (JSC::CodeBlock::finalizeUnconditionally):
1502
1503 2015-09-11  Csaba Osztrogon√°c  <ossy@webkit.org>
1504
1505         [EFL] Fix WASM build
1506         https://bugs.webkit.org/show_bug.cgi?id=149065
1507
1508         Reviewed by Darin Adler.
1509
1510         * wasm/WASMFunctionParser.cpp:
1511
1512 2015-09-11  Geoffrey Garen  <ggaren@apple.com>
1513
1514         JavaScriptCore should discard optimized code after some time
1515         https://bugs.webkit.org/show_bug.cgi?id=149048
1516
1517         Reviewed by Michael Saboff.
1518
1519         This patch adds a new jettison type -- JettisonDueToOldAge -- and starts
1520         using it for DFG and FTL code. Baseline and LLInt code will come in a
1521         follow-up patch.
1522
1523         The primary goal is to save memory. Some popular websites leave about 10MB
1524         of dead code sitting around immediately after they finish loading.
1525
1526         Throwing away code periodically might also save us from profiling
1527         pathologies that lead to performance dead ends.
1528
1529         * bytecode/CodeBlock.cpp:
1530         (JSC::CodeBlock::visitAggregate): Updated for rename, and removed a
1531         stale comment.
1532
1533         (JSC::CodeBlock::shouldVisitStrongly): Renamed to shouldVisitStrongly
1534         because the practical effect of this function is to trigger a call to
1535         visitStrongly.
1536
1537         (JSC::CodeBlock::isKnownToBeLiveDuringGC): Check the
1538         m_visitStronglyHasBeenCalled flag instead of
1539         shouldImmediatelyAssumeLivenessDuringScan / shouldVisitStrongly because
1540         m_visitStronglyHasBeenCalled can be set by anybody even if the CodeBlock
1541         would not otherwise visit itself strongly.
1542
1543         (JSC::CodeBlock::shouldJettisonDueToWeakReference): New helper function
1544         for readability.
1545
1546         (JSC::CodeBlock::shouldJettisonDueToOldAge): New helper function that
1547         tells if a CodeBlock is old enough for deletion.
1548
1549         (JSC::CodeBlock::determineLiveness): There's no need to check
1550         shouldImmediatelyAssumeLivenessDuringScan here because we will not call
1551         this function if shouldImmediatelyAssumeLivenessDuringScan is true.
1552         Also, it's just not clear -- if someone chooses to call this function --
1553         that it would be safe to ignore them simply because
1554         shouldImmediatelyAssumeLivenessDuringScan was true.
1555
1556         (JSC::CodeBlock::finalizeLLIntInlineCaches): Moved code out into a helper
1557         function to make the main function more readable.
1558
1559         (JSC::CodeBlock::finalizeBaselineJITInlineCaches): Ditto.
1560
1561         (JSC::CodeBlock::finalizeUnconditionally): Added code for jettisoning a
1562         CodeBlock if it is too old. Moved large sections of code into helper
1563         functions to aid readability in this function.
1564
1565         (JSC::CodeBlock::jettison): Account for the fact that we might jettison
1566         a CodeBlock without OSR exit and without requiring a stack shoot-down.
1567
1568         * bytecode/CodeBlock.h:
1569         (JSC::CodeBlock::setInstallTime):
1570         (JSC::CodeBlock::timeSinceInstall): Track CodeBlock age to help us
1571         decide when to delete.
1572
1573         * jit/JITCode.h:
1574         (JSC::JITCode::timeToLive): Static limits on CodeBlock lifetime. I got
1575         these numbers from the place where numbers come from. 
1576
1577         * profiler/ProfilerJettisonReason.cpp:
1578         (WTF::printInternal):
1579         * profiler/ProfilerJettisonReason.h: Updated for new jettison type.
1580
1581         * runtime/Executable.cpp:
1582         (JSC::ScriptExecutable::installCode): Record install time so that we
1583         can measure how old a CodeBlock is.
1584
1585 2015-09-11  Andreas Kling  <akling@apple.com>
1586
1587         [JSC] Weak should only accept cell pointees.
1588         <https://webkit.org/b/148955>
1589
1590         Reviewed by Geoffrey Garen.
1591
1592         Since WeakImpls only support pointing to JSCell derived objects,
1593         enforce that at compile time by having the API use JSCell* instead of JSValue.
1594
1595         WeakHandleOwner callbacks now get JSCell& and JSCell*& respectively instead
1596         of wrapping the cell pointer in a Handle<Unknown>.
1597
1598         Also added a static_assert so Weak<T> can't be instantiated with a T that's
1599         not convertible to JSCell.
1600
1601         * API/JSAPIWrapperObject.mm:
1602         (JSAPIWrapperObjectHandleOwner::finalize):
1603         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1604         (JSC::JSAPIWrapperObject::finishCreation):
1605         * API/JSManagedValue.mm:
1606         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
1607         (JSManagedValueHandleOwner::finalize):
1608         * builtins/BuiltinExecutables.cpp:
1609         (JSC::BuiltinExecutables::finalize):
1610         * builtins/BuiltinExecutables.h:
1611         * heap/Heap.cpp:
1612         (JSC::Heap::addFinalizer):
1613         (JSC::Heap::FinalizerOwner::finalize):
1614         * heap/Heap.h:
1615         * heap/WeakBlock.cpp:
1616         (JSC::WeakBlock::visit):
1617         (JSC::WeakBlock::reap):
1618         * heap/WeakHandleOwner.cpp:
1619         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
1620         (JSC::WeakHandleOwner::finalize):
1621         * heap/WeakHandleOwner.h:
1622         * heap/WeakImpl.h:
1623         (JSC::WeakImpl::WeakImpl):
1624         (JSC::WeakImpl::state):
1625         (JSC::WeakImpl::cell):
1626         (JSC::WeakImpl::asWeakImpl):
1627         (JSC::WeakImpl::jsValue): Deleted.
1628         * heap/WeakInlines.h:
1629         (JSC::Weak<T>::Weak):
1630         (JSC::>):
1631         (JSC::Weak<T>::operator):
1632         (JSC::Weak<T>::get):
1633         (JSC::Weak<T>::was):
1634         * heap/WeakSet.h:
1635         * heap/WeakSetInlines.h:
1636         (JSC::WeakSet::allocate):
1637         (JSC::WeakBlock::finalize):
1638         * jit/JITThunks.cpp:
1639         (JSC::JITThunks::finalize):
1640         * jit/JITThunks.h:
1641         * jsc.cpp:
1642         (WTF::ElementHandleOwner::isReachableFromOpaqueRoots): Deleted.
1643         * runtime/JSCell.h:
1644         (JSC::jsCast):
1645         * runtime/RegExpCache.cpp:
1646         (JSC::RegExpCache::finalize):
1647         * runtime/RegExpCache.h:
1648         * runtime/Structure.cpp:
1649         (JSC::StructureTransitionTable::singleTransition):
1650         (JSC::StructureTransitionTable::setSingleTransition):
1651
1652 2015-09-10  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1653
1654         Implement switch statements in WebAssembly
1655         https://bugs.webkit.org/show_bug.cgi?id=149051
1656
1657         Reviewed by Geoffrey Garen.
1658
1659         This patch implements switch statements in WebAssembly using the
1660         JSC::BinarySwitch class.
1661
1662         * tests/stress/wasm-control-flow.js:
1663         * tests/stress/wasm/control-flow.wasm:
1664         * wasm/WASMFunctionCompiler.h:
1665         (JSC::WASMFunctionCompiler::buildSwitch):
1666         * wasm/WASMFunctionParser.cpp:
1667         (JSC::WASMFunctionParser::parseSwitchStatement):
1668         * wasm/WASMFunctionSyntaxChecker.h:
1669         (JSC::WASMFunctionSyntaxChecker::buildSwitch):
1670
1671 2015-09-10  Filip Pizlo  <fpizlo@apple.com>
1672
1673         Structure should be able to tell you if it had ever been a dictionary
1674         https://bugs.webkit.org/show_bug.cgi?id=149047
1675
1676         Reviewed by Mark Lam.
1677
1678         Introduces the hasBeenDictionary flag to Structure, which tells you if this structure or
1679         any of its ancestors is a dictionary. We already implicitly tracked this for DFG
1680         watchpoint optimizations, so this is mainly just decoupling that existing logic from
1681         watchpoints. Having Structure::hasBeenDictionary() enables some of the heuristics in the
1682         property type inference work (https://bugs.webkit.org/show_bug.cgi?id=148610).
1683
1684         * runtime/Structure.cpp:
1685         (JSC::Structure::Structure):
1686         (JSC::Structure::toDictionaryTransition):
1687         (JSC::Structure::dump):
1688         * runtime/Structure.h:
1689
1690 2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1691
1692         Unreviewed, fix Windows file loading in JSC shell after r189583
1693         https://bugs.webkit.org/show_bug.cgi?id=148917
1694
1695         Should load the script files with the binary mode.
1696         Since these loading functions are only used for the simple test scripts,
1697         we just use ftell / fseek now.
1698
1699         * jsc.cpp:
1700         (fillBufferWithContentsOfFile):
1701
1702 2015-09-10  Michael Saboff  <msaboff@apple.com>
1703
1704         REGRESSION(r189575): Appears to break ARM64 linux builds
1705         https://bugs.webkit.org/show_bug.cgi?id=149044
1706
1707         Reviewed by Filip Pizlo.
1708
1709         Changed the use of the ARM64 "fp", a register alias, to be "x29", the real register name.
1710
1711         * llint/LowLevelInterpreter.asm:
1712
1713 2015-09-09  Filip Pizlo  <fpizlo@apple.com>
1714
1715         There should be one stub hanging off an inline cache that contains code for all of the cases, rather than forming a linked list consisting of one stub per case
1716         https://bugs.webkit.org/show_bug.cgi?id=148717
1717
1718         Reviewed by Michael Saboff.
1719
1720         This is a major rewrite of the JSC get/put/in inline caches (ICs), motivated by the need to add
1721         fancy new kinds of inline caches for property type inference (https://webkit.org/b/148610).
1722
1723         Previously, our inline caches had some problems that made them difficult to work with. It was
1724         impossible to change any code that was previously generated by the IC except by blowing the
1725         whole IC away, the ICs scaled poorly if there were many cases, and there was a lot of duplicate
1726         and ad hoc code.
1727
1728         Impossible to regenerate a previously generated stub: Say that some access (o.f = v) causes our
1729         IC code to emit some stub; let's call it stub1. Then later we find that we need to emit a
1730         different stub, stub2, where we think that stub2 might subsume stub1. We say that stub2
1731         subsumes stub1 if failing to execute stub2 to completion means that we are guaranteed to fail
1732         to execute stub1 to completion. This could happen in trunk if stub2 has the same base structure
1733         as stub1 but different prototype conditions. It could happen with property type inference if
1734         stub2 has a looser type check on v than stub1 did. Currently, if this happened, we would emit
1735         stub2 and have its slow path jump to stub1. Hence, we would still end up executing the checks
1736         of stub1 before falling through to the slow path. This gets bad when there are many stubs.
1737         Stub1 might be in front of a bunch of other stubs, so when we add stub2, we will end up
1738         executing both stub2's and stub1's checks before falling through to the other stubs. It would
1739         be better if we could remove stub1 from the list at this point. But since stub1 could be linked
1740         to from a different stub that we had already generated, we'd have to have a way of patching
1741         stubs or regenerating them from scratch. This is currenty impossible because we just don't keep
1742         around enough meta-data to mess with a stub after it's generated. After this change, we never
1743         link new stubs onto a linked list of pre-existing stubs; instead each IC will have one stub
1744         hanging off of it and we always regenerate that one stub from scratch. That one stub contains
1745         either a BinarySwitch or a branch cascade to select one of the AccessCases. Each AccessCase is
1746         an object that describes everything we need to regenerate it in the future. This means that
1747         when we add a new case to an IC stub, we can figure out which previous cases this one subsumes.
1748
1749         Poor scalability when there are many cases: Previously, the cases of a polymorphic inline cache
1750         formed a linked list of branches. This meant that the complexity of an inline cache grew
1751         linearly with the number of cases. This change turns this into a BinarySwitch in most cases,
1752         leading to logarithmic scaling.
1753
1754         Duplicate code between get, put, and in: The code for op_get_by_id, op_put_by_id, and op_in
1755         inline caches grew independently and ended up having a lot of duplicate code. We had the worst
1756         kinds of duplicate code. In some cases, the code was copy-pasted. In other cases, we wrote code
1757         that felt like it was new despite the fact that it was logically identical to code that was
1758         already written elsewhere. The main sources of duplication were in selecting a scratch
1759         register, checking all of the ObjectPropertyConditions and the base structure, the pro forma
1760         involved in generating a stub, and the data structures needed to describe all of the access
1761         cases. This change deduplicates all of that code. Now, all of those ICs use the same classes:
1762         the PolymorphicAccess and AccessCase. There is code in those classes that handles all of the
1763         common things, and for the most part the only code that actually specializes for the kind of
1764         access is in some switch statement in AccessCase::generate().
1765
1766         Special-casing of array length and string length: Previously, array.length and string.length
1767         were handled in an ad hoc manner in the get_by_id repatching code. The handling was separate
1768         from the polymorphic get_by_id handling, which meant that we could not handle polymorphic
1769         length accesses if one of the length cases was either array or string length. For example, if
1770         you had "o.length" where the length was either array length or a vanilla length property, then
1771         the get_by_id inline cache would either emit a monomorphic stub for array length, or a
1772         monomorphic stub for the vanilla length property, but never a polymorphic stub (or list) that
1773         could do both. This change addresses this problem by folding array length and string length
1774         into the polymorphic get_by_id code.
1775
1776         This was meant to be a perf-neutral change to enable property type inference, but it ended up
1777         being a 1% Octane speed-up, mainly because of a 14% speed-up in raytrace. This isn't too
1778         surprising, since that test does use inline caches a lot and this change makes inline caches
1779         more scalable.
1780
1781         This also fixes and adds a test for a BinarySwitch bug. BinarySwitch had an optimization for
1782         consecutive integer cases. Using it on typed array structures triggers this bug. It's a hard
1783         bug to trigger any other way because our other switch optimizations will usually use a jump
1784         table in case of consecutive integers.
1785
1786         * CMakeLists.txt:
1787         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1788         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1789         * JavaScriptCore.xcodeproj/project.pbxproj:
1790         * assembler/MacroAssemblerCodeRef.h:
1791         (JSC::MacroAssemblerCodePtr::dumpWithName):
1792         * bytecode/CodeBlock.cpp:
1793         (JSC::CodeBlock::printGetByIdCacheStatus):
1794         (JSC::CodeBlock::printPutByIdCacheStatus):
1795         (JSC::CodeBlock::propagateTransitions):
1796         (JSC::CodeBlock::getByValInfoMap):
1797         (JSC::CodeBlock::addStubInfo):
1798         (JSC::CodeBlock::findStubInfo):
1799         * bytecode/CodeBlock.h:
1800         (JSC::CodeBlock::stubInfoBegin):
1801         (JSC::CodeBlock::stubInfoEnd):
1802         * bytecode/GetByIdStatus.cpp:
1803         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1804         * bytecode/PolymorphicAccess.cpp: Copied from Source/JavaScriptCore/bytecode/PolymorphicGetByIdList.cpp.
1805         (JSC::AccessGenerationState::addWatchpoint):
1806         (JSC::AccessGenerationState::restoreScratch):
1807         (JSC::AccessGenerationState::succeed):
1808         (JSC::AccessCase::AccessCase):
1809         (JSC::AccessCase::get):
1810         (JSC::AccessCase::replace):
1811         (JSC::AccessCase::transition):
1812         (JSC::AccessCase::setter):
1813         (JSC::AccessCase::in):
1814         (JSC::AccessCase::getLength):
1815         (JSC::AccessCase::~AccessCase):
1816         (JSC::AccessCase::fromStructureStubInfo):
1817         (JSC::AccessCase::clone):
1818         (JSC::AccessCase::guardedByStructureCheck):
1819         (JSC::AccessCase::alternateBase):
1820         (JSC::AccessCase::canReplace):
1821         (JSC::AccessCase::dump):
1822         (JSC::AccessCase::visitWeak):
1823         (JSC::AccessCase::generateWithGuard):
1824         (JSC::AccessCase::generate):
1825         (JSC::PolymorphicAccess::PolymorphicAccess):
1826         (JSC::PolymorphicAccess::~PolymorphicAccess):
1827         (JSC::PolymorphicAccess::regenerateWithCases):
1828         (JSC::PolymorphicAccess::regenerateWithCase):
1829         (JSC::PolymorphicAccess::visitWeak):
1830         (JSC::PolymorphicAccess::dump):
1831         (JSC::PolymorphicAccess::regenerate):
1832         (WTF::printInternal):
1833         (JSC::GetByIdAccess::GetByIdAccess): Deleted.
1834         (JSC::GetByIdAccess::~GetByIdAccess): Deleted.
1835         (JSC::GetByIdAccess::fromStructureStubInfo): Deleted.
1836         (JSC::GetByIdAccess::visitWeak): Deleted.
1837         (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList): Deleted.
1838         (JSC::PolymorphicGetByIdList::from): Deleted.
1839         (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList): Deleted.
1840         (JSC::PolymorphicGetByIdList::currentSlowPathTarget): Deleted.
1841         (JSC::PolymorphicGetByIdList::addAccess): Deleted.
1842         (JSC::PolymorphicGetByIdList::isFull): Deleted.
1843         (JSC::PolymorphicGetByIdList::isAlmostFull): Deleted.
1844         (JSC::PolymorphicGetByIdList::didSelfPatching): Deleted.
1845         (JSC::PolymorphicGetByIdList::visitWeak): Deleted.
1846         * bytecode/PolymorphicAccess.h: Copied from Source/JavaScriptCore/bytecode/PolymorphicGetByIdList.h.
1847         (JSC::AccessCase::isGet):
1848         (JSC::AccessCase::isPut):
1849         (JSC::AccessCase::isIn):
1850         (JSC::AccessCase::type):
1851         (JSC::AccessCase::offset):
1852         (JSC::AccessCase::viaProxy):
1853         (JSC::AccessCase::structure):
1854         (JSC::AccessCase::newStructure):
1855         (JSC::AccessCase::conditionSet):
1856         (JSC::AccessCase::additionalSet):
1857         (JSC::AccessCase::customSlotBase):
1858         (JSC::AccessCase::doesCalls):
1859         (JSC::AccessCase::callLinkInfo):
1860         (JSC::AccessCase::RareData::RareData):
1861         (JSC::PolymorphicAccess::isEmpty):
1862         (JSC::PolymorphicAccess::size):
1863         (JSC::PolymorphicAccess::at):
1864         (JSC::PolymorphicAccess::operator[]):
1865         (JSC::GetByIdAccess::GetByIdAccess): Deleted.
1866         (JSC::GetByIdAccess::isSet): Deleted.
1867         (JSC::GetByIdAccess::operator!): Deleted.
1868         (JSC::GetByIdAccess::type): Deleted.
1869         (JSC::GetByIdAccess::structure): Deleted.
1870         (JSC::GetByIdAccess::conditionSet): Deleted.
1871         (JSC::GetByIdAccess::stubRoutine): Deleted.
1872         (JSC::GetByIdAccess::doesCalls): Deleted.
1873         (JSC::PolymorphicGetByIdList::isEmpty): Deleted.
1874         (JSC::PolymorphicGetByIdList::size): Deleted.
1875         (JSC::PolymorphicGetByIdList::at): Deleted.
1876         (JSC::PolymorphicGetByIdList::operator[]): Deleted.
1877         * bytecode/PolymorphicAccessStructureList.h: Removed.
1878         * bytecode/PolymorphicGetByIdList.cpp: Removed.
1879         * bytecode/PolymorphicGetByIdList.h: Removed.
1880         * bytecode/PolymorphicPutByIdList.cpp: Removed.
1881         * bytecode/PolymorphicPutByIdList.h: Removed.
1882         * bytecode/PutByIdStatus.cpp:
1883         (JSC::PutByIdStatus::computeForStubInfo):
1884         * bytecode/StructureStubInfo.cpp:
1885         (JSC::StructureStubInfo::deref):
1886         (JSC::StructureStubInfo::addAccessCase):
1887         (JSC::StructureStubInfo::reset):
1888         (JSC::StructureStubInfo::visitWeakReferences):
1889         * bytecode/StructureStubInfo.h:
1890         (JSC::StructureStubInfo::StructureStubInfo):
1891         (JSC::StructureStubInfo::initGetByIdSelf):
1892         (JSC::StructureStubInfo::initPutByIdReplace):
1893         (JSC::StructureStubInfo::initStub):
1894         (JSC::StructureStubInfo::setSeen):
1895         (JSC::getStructureStubInfoCodeOrigin):
1896         (JSC::isGetByIdAccess): Deleted.
1897         (JSC::isPutByIdAccess): Deleted.
1898         (JSC::isInAccess): Deleted.
1899         (JSC::StructureStubInfo::initGetByIdList): Deleted.
1900         (JSC::StructureStubInfo::initPutByIdTransition): Deleted.
1901         (JSC::StructureStubInfo::initPutByIdList): Deleted.
1902         (JSC::StructureStubInfo::initInList): Deleted.
1903         (JSC::StructureStubInfo::addWatchpoint): Deleted.
1904         * dfg/DFGSpeculativeJIT.cpp:
1905         (JSC::DFG::SpeculativeJIT::compileIn):
1906         * ftl/FTLCompile.cpp:
1907         (JSC::FTL::mmAllocateDataSection):
1908         * jit/AccessorCallJITStubRoutine.cpp: Removed.
1909         * jit/AccessorCallJITStubRoutine.h: Removed.
1910         * jit/AssemblyHelpers.h:
1911         (JSC::AssemblyHelpers::branchIfEmpty):
1912         (JSC::AssemblyHelpers::branchStructure):
1913         (JSC::AssemblyHelpers::boxBooleanPayload):
1914         (JSC::AssemblyHelpers::boxBoolean):
1915         (JSC::AssemblyHelpers::boxInt32):
1916         * jit/BinarySwitch.cpp:
1917         (JSC::BinarySwitch::BinarySwitch):
1918         (JSC::BinarySwitch::build):
1919         (JSC::BinarySwitch::Case::dump):
1920         (JSC::BinarySwitch::BranchCode::dump):
1921         * jit/BinarySwitch.h:
1922         (JSC::BinarySwitch::Case::operator<):
1923         (JSC::BinarySwitch::BranchCode::BranchCode):
1924         * jit/JIT.h:
1925         * jit/JITInlineCacheGenerator.cpp:
1926         (JSC::garbageStubInfo):
1927         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1928         (JSC::JITByIdGenerator::JITByIdGenerator):
1929         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
1930         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
1931         * jit/JITInlineCacheGenerator.h:
1932         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
1933         (JSC::JITInlineCacheGenerator::stubInfo):
1934         (JSC::JITByIdGenerator::JITByIdGenerator):
1935         (JSC::JITByIdGenerator::reportSlowPathCall):
1936         * jit/JITOperations.cpp:
1937         * jit/Repatch.cpp:
1938         (JSC::repatchCall):
1939         (JSC::repatchByIdSelfAccess):
1940         (JSC::resetGetByIDCheckAndLoad):
1941         (JSC::resetPutByIDCheckAndLoad):
1942         (JSC::replaceWithJump):
1943         (JSC::tryCacheGetByID):
1944         (JSC::repatchGetByID):
1945         (JSC::appropriateGenericPutByIdFunction):
1946         (JSC::appropriateOptimizingPutByIdFunction):
1947         (JSC::tryCachePutByID):
1948         (JSC::repatchPutByID):
1949         (JSC::tryRepatchIn):
1950         (JSC::repatchIn):
1951         (JSC::resetGetByID):
1952         (JSC::resetPutByID):
1953         (JSC::checkObjectPropertyCondition): Deleted.
1954         (JSC::checkObjectPropertyConditions): Deleted.
1955         (JSC::emitRestoreScratch): Deleted.
1956         (JSC::linkRestoreScratch): Deleted.
1957         (JSC::toString): Deleted.
1958         (JSC::kindFor): Deleted.
1959         (JSC::customFor): Deleted.
1960         (JSC::generateByIdStub): Deleted.
1961         (JSC::patchJumpToGetByIdStub): Deleted.
1962         (JSC::tryBuildGetByIDList): Deleted.
1963         (JSC::buildGetByIDList): Deleted.
1964         (JSC::appropriateListBuildingPutByIdFunction): Deleted.
1965         (JSC::emitPutReplaceStub): Deleted.
1966         (JSC::emitPutTransitionStub): Deleted.
1967         (JSC::tryBuildPutByIdList): Deleted.
1968         (JSC::buildPutByIdList): Deleted.
1969         * jit/ScratchRegisterAllocator.cpp:
1970         (JSC::ScratchRegisterAllocator::lock):
1971         (JSC::ScratchRegisterAllocator::allocateScratch):
1972         * jit/ScratchRegisterAllocator.h:
1973         (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
1974         * jsc.cpp:
1975         (GlobalObject::finishCreation):
1976         (functionQuit):
1977         (functionAbort):
1978         (functionFalse1):
1979         (functionFalse2):
1980         * runtime/Options.h:
1981         * tests/stress/array-message-passing.js: Added.
1982         (window.addEventListener):
1983         (window.postMessage):
1984         (window._handleEvents):
1985         (testPassed):
1986         (testFailed):
1987         (classCompare):
1988         (bufferCompare):
1989         (viewCompare):
1990         (typedArrayCompare):
1991         (dataViewCompare):
1992         (dataViewCompare2):
1993         (dataViewCompare3):
1994         (createBuffer):
1995         (createTypedArray):
1996         (createTypedArrayOverBuffer):
1997         (new.DataView):
1998         (testList.testList.concat.basicBufferTypes.map):
1999         (doneTest):
2000
2001 2015-09-10  Geoffrey Garen  <ggaren@apple.com>
2002
2003         CodeBlock::codeType() doesn't need to compute anything
2004         https://bugs.webkit.org/show_bug.cgi?id=149039
2005
2006         Reviewed by Michael Saboff.
2007
2008         CodeBlock already has an m_codeType data member.
2009
2010         * bytecode/CodeBlock.h:
2011         (JSC::CodeBlock::codeType):
2012         (JSC::CodeBlock::putByIdContext):
2013
2014 2015-09-10  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2015
2016         Implement global variables in WebAssembly
2017         https://bugs.webkit.org/show_bug.cgi?id=149031
2018
2019         Reviewed by Geoffrey Garen.
2020
2021         This patch implements global variables in WebAssembly. There are two
2022         types of global variables in the current format that we use (the format
2023         used by <https://github.com/WebAssembly/polyfill-prototype-1>): internal
2024         global variables and imported global variables. This patch does not yet
2025         import values for imported global variables. It will be done in a
2026         subsequent patch.
2027
2028         * tests/stress/wasm-globals.js: Added.
2029         (shouldBe):
2030         * tests/stress/wasm/globals.wasm: Added.
2031         * wasm/JSWASMModule.h:
2032         (JSC::JSWASMModule::globalVariables):
2033         * wasm/WASMFunctionCompiler.h:
2034         (JSC::WASMFunctionCompiler::buildSetGlobal):
2035         (JSC::WASMFunctionCompiler::buildGetGlobal):
2036         * wasm/WASMFunctionParser.cpp:
2037         (JSC::WASMFunctionParser::parseStatement):
2038         (JSC::WASMFunctionParser::parseSetGlobalStatement):
2039         (JSC::WASMFunctionParser::parseExpressionI32):
2040         (JSC::WASMFunctionParser::parseGetGlobalExpressionI32):
2041         (JSC::WASMFunctionParser::parseExpressionF64):
2042         (JSC::WASMFunctionParser::parseGetGlobalExpressionF64):
2043         * wasm/WASMFunctionParser.h:
2044         * wasm/WASMFunctionSyntaxChecker.h:
2045         (JSC::WASMFunctionSyntaxChecker::buildSetGlobal):
2046         (JSC::WASMFunctionSyntaxChecker::buildGetGlobal):
2047         * wasm/WASMModuleParser.cpp:
2048         (JSC::WASMModuleParser::parseGlobalSection):
2049
2050 2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2051
2052         Consider long module path name case in Windows
2053         https://bugs.webkit.org/show_bug.cgi?id=148917
2054
2055         Reviewed by Alex Christensen.
2056
2057         The local file system module loader in the JSC shell manages the module files by the absolute path.
2058         However, in Windows, _MAX_PATH is defined as 260. So if the path like the current working directory or the path to the module is long,
2059         it will be truncated by the API and it fail to open the file.
2060         In JSC tests in Apple Windows buildbot, since the current working directory is long enough, the tests failed.
2061
2062         This patch introduces the following 3 tweaks.
2063
2064         1. When retrieving the current working path, we use GetCurrentDirectoryW instead of _getcwd.
2065            GetCurrentDirectoryW allows the long path while _getcwd automatically truncate the result by the _MAX_PATH.
2066
2067         2. Before opening the module file, we prepend "\\?\" to the path. It converts the local file path to the long UNC path
2068            which allows longer path names.
2069
2070         3. Since Windows ASCII API accepts the characters in the current code page, we use the Unicode APIs like _wfopen instead.
2071
2072         And enable the once disabled module tests in Windows.
2073
2074         Since this functionality is the part of the JSC shell to run the module tests, it is now implemented in jsc.cpp.
2075
2076         * jsc.cpp:
2077         (stringFromUTF):
2078         (jscSource):
2079         (extractDirectoryName):
2080         (currentWorkingDirectory):
2081         (convertShebangToJSComment):
2082         (fillBufferWithContentsOfFile):
2083         (fetchScriptFromLocalFileSystem):
2084         (fetchModuleFromLocalFileSystem):
2085         (GlobalObject::moduleLoaderFetch):
2086         (functionRun):
2087         (functionLoad):
2088         (functionReadFile):
2089         (functionCheckSyntax):
2090         (functionLoadModule):
2091         (runWithScripts):
2092         (runInteractive):
2093         * tests/modules.yaml:
2094
2095 2015-09-10  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2096
2097         Convert arguments to WebAssembly functions to the declared types
2098         https://bugs.webkit.org/show_bug.cgi?id=149033
2099
2100         Reviewed by Geoffrey Garen.
2101
2102         This patch checks the types of arguments to WebAssembly functions and
2103         converts them to the declared types. This is necessary because:
2104         - For example, if a function expects an argument of type double and we
2105           pass 1.0 to it, it will get a JSValue of an integer, not a double.
2106         - We should follow asm.js's behavior for now, because we want to be able
2107           to test WebAssembly apps against asm.js apps. asm.js does type
2108           coercion on arguments by using int|0, Math.fround(float), and +double.
2109
2110         * jit/JITOperations.h:
2111         * tests/stress/wasm-type-conversion.js: Added.
2112         (shouldBe):
2113         (two.valueOf):
2114         * tests/stress/wasm/type-conversion.wasm: Added.
2115         * wasm/WASMFunctionCompiler.h:
2116         (JSC::operationConvertJSValueToInt32):
2117         (JSC::operationConvertJSValueToDouble):
2118         (JSC::WASMFunctionCompiler::startFunction):
2119         (JSC::WASMFunctionCompiler::appendCallSetResult):
2120         (JSC::WASMFunctionCompiler::callOperation):
2121         (JSC::WASMFunctionCompiler::loadValueAndConvertToInt32):
2122         (JSC::WASMFunctionCompiler::loadValueAndConvertToDouble):
2123
2124 2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2125
2126         JSInternalPromiseDeferred should inherit JSPromiseDeferred
2127         https://bugs.webkit.org/show_bug.cgi?id=149027
2128
2129         Reviewed by Darin Adler.
2130
2131         JSInternalPromiseDeferred is constructed by using JSPromiseDeferred implementation.
2132         So the class info of JSInternalPromiseDeferred should inherit JSPromiseDeferred.
2133
2134         * runtime/JSInternalPromiseDeferred.cpp:
2135
2136 2015-09-10  Michael Saboff  <msaboff@apple.com>
2137
2138         Add support for Callee-Saves registers
2139         https://bugs.webkit.org/show_bug.cgi?id=148666
2140
2141         Reviewed by Filip Pizlo.
2142
2143         We save platform callee save registers right below the call frame header,
2144         in the location(s) starting with VirtualRegister 0.  This local space is
2145         allocated in the bytecode compiler.  This space is the maximum space
2146         needed for the callee registers that the LLInt and baseline JIT use,
2147         rounded up to a stack aligned number of VirtualRegisters.
2148         The LLInt explicitly saves and restores the registers in the macros
2149         preserveCalleeSavesUsedByLLInt and restoreCalleeSavesUsedByLLInt.
2150         The JITs saves and restores callee saves registers by what registers
2151         are included in m_calleeSaveRegisters in the code block.
2152
2153         Added handling of callee save register restoration to exception handling.
2154         The basic flow is when an exception is thrown or one is recognized to
2155         have been generated in C++ code, we save the current state of all
2156         callee save registers to VM::calleeSaveRegistersBuffer.  As we unwind
2157         looking for the corresponding catch, we copy the callee saves from call 
2158         frames to the same VM::calleeSaveRegistersBuffer.  This is done for all
2159         call frames on the stack up to but not including the call frame that has
2160         the corresponding catch block.  When we process the catch, we restore
2161         the callee save registers with the contents of VM::calleeSaveRegistersBuffer.
2162         If there isn't a catch, then handleUncaughtException will restore callee
2163         saves before it returns back to the calling C++.
2164
2165         Eliminated callee saves registers as free registers for various thunk
2166         generators as the callee saves may not have been saved by the function
2167         calling the thunk.
2168
2169         Added code to transition callee saves from one VM's format to the another
2170         as part of OSR entry and OSR exit.
2171
2172         Cleaned up the static RegisterSet's including adding one for LLInt and 
2173         baseline JIT callee saves and one to be used to allocate local registers
2174         not including the callee saves or other special registers.
2175
2176         Moved ftl/FTLRegisterAtOffset.{cpp,h} to jit/RegisterAtOffset.{cpp,h}.
2177         Factored out the vector of RegisterAtOffsets in ftl/FTLUnwindInfo.{cpp,h}
2178         into a new class in jit/RegisterAtOffsetList.{cpp,h}.
2179         Eliminted UnwindInfo and changed UnwindInfo::parse() into a standalone
2180         function named parseUnwindInfo.  That standalone function now returns
2181         the callee saves RegisterAtOffsetList.  This is stored in the CodeBlock
2182         and used instead of UnwindInfo.
2183
2184         Turned off register preservation thunks for outgoing calls from FTL
2185         generated code.  THey'll be removed in a subsequent patch.
2186
2187         Changed specialized thinks to save and restore the contents of
2188         tagTypeNumberRegister and tagMaskRegister as they can be called by FTL
2189         compiled functions.  We materialize those tag registers for the thunk's
2190         use and then restore the prior contents on function exit.
2191
2192         Also removed the arity check fail return thunk since it is now the
2193         caller's responsibility to restore the stack pointer.
2194
2195         Removed saving of callee save registers and materialization of special
2196         tag registers for 64 bit platforms from vmEntryToJavaScript and
2197         vmEntryToNative.
2198
2199         * CMakeLists.txt:
2200         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2201         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2202         * JavaScriptCore.xcodeproj/project.pbxproj:
2203         * ftl/FTLJITCode.h:
2204         * ftl/FTLRegisterAtOffset.cpp: Removed.
2205         * ftl/FTLRegisterAtOffset.h: Removed.
2206         * ftl/FTLUnwindInfo.cpp:
2207         (JSC::FTL::parseUnwindInfo):
2208         (JSC::FTL::UnwindInfo::UnwindInfo): Deleted.
2209         (JSC::FTL::UnwindInfo::~UnwindInfo): Deleted.
2210         (JSC::FTL::UnwindInfo::parse): Deleted.
2211         (JSC::FTL::UnwindInfo::dump): Deleted.
2212         (JSC::FTL::UnwindInfo::find): Deleted.
2213         (JSC::FTL::UnwindInfo::indexOf): Deleted.
2214         * ftl/FTLUnwindInfo.h:
2215         (JSC::RegisterAtOffset::dump):
2216         * jit/RegisterAtOffset.cpp: Added.
2217         * jit/RegisterAtOffset.h: Added.
2218         (JSC::RegisterAtOffset::RegisterAtOffset):
2219         (JSC::RegisterAtOffset::operator!):
2220         (JSC::RegisterAtOffset::reg):
2221         (JSC::RegisterAtOffset::offset):
2222         (JSC::RegisterAtOffset::offsetAsIndex):
2223         (JSC::RegisterAtOffset::operator==):
2224         (JSC::RegisterAtOffset::operator<):
2225         (JSC::RegisterAtOffset::getReg):
2226         * jit/RegisterAtOffsetList.cpp: Added.
2227         (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
2228         (JSC::RegisterAtOffsetList::sort):
2229         (JSC::RegisterAtOffsetList::dump):
2230         (JSC::RegisterAtOffsetList::find):
2231         (JSC::RegisterAtOffsetList::indexOf):
2232         * jit/RegisterAtOffsetList.h: Added.
2233         (JSC::RegisterAtOffsetList::clear):
2234         (JSC::RegisterAtOffsetList::size):
2235         (JSC::RegisterAtOffsetList::at):
2236         (JSC::RegisterAtOffsetList::append):
2237         Move and refactored use of FTLRegisterAtOffset to RegisterAtOffset.
2238         Added RegisterAtOffset and RegisterAtOffsetList to build configurations.
2239         Remove FTLRegisterAtOffset files.
2240
2241         * bytecode/CallLinkInfo.h:
2242         (JSC::CallLinkInfo::setUpCallFromFTL):
2243         Turned off FTL register preservation thunks.
2244
2245         * bytecode/CodeBlock.cpp:
2246         (JSC::CodeBlock::CodeBlock):
2247         (JSC::CodeBlock::setCalleeSaveRegisters):
2248         (JSC::roundCalleeSaveSpaceAsVirtualRegisters):
2249         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
2250         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2251         * bytecode/CodeBlock.h:
2252         (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters):
2253         (JSC::CodeBlock::calleeSaveRegisters):
2254         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
2255         (JSC::CodeBlock::optimizeAfterWarmUp):
2256         (JSC::CodeBlock::numberOfDFGCompiles):
2257         Methods to manage a set of callee save registers.  Also to allocate the appropriate
2258         number of VirtualRegisters for callee saves.
2259
2260         * bytecompiler/BytecodeGenerator.cpp:
2261         (JSC::BytecodeGenerator::BytecodeGenerator):
2262         (JSC::BytecodeGenerator::allocateCalleeSaveSpace):
2263         * bytecompiler/BytecodeGenerator.h:
2264         Allocate the appropriate number of VirtualRegisters for callee saves needed by LLInt or baseline JIT.
2265
2266         * dfg/DFGJITCompiler.cpp:
2267         (JSC::DFG::JITCompiler::compileEntry):
2268         (JSC::DFG::JITCompiler::compileSetupRegistersForEntry):
2269         (JSC::DFG::JITCompiler::compileBody):
2270         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2271         (JSC::DFG::JITCompiler::compile):
2272         (JSC::DFG::JITCompiler::compileFunction):
2273         * dfg/DFGJITCompiler.h:
2274         * interpreter/Interpreter.cpp:
2275         (JSC::UnwindFunctor::operator()):
2276         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer):
2277         * dfg/DFGPlan.cpp:
2278         (JSC::DFG::Plan::compileInThreadImpl):
2279         * dfg/DFGSpeculativeJIT.cpp:
2280         (JSC::DFG::SpeculativeJIT::usedRegisters):
2281         * dfg/DFGSpeculativeJIT32_64.cpp:
2282         (JSC::DFG::SpeculativeJIT::compile):
2283         * dfg/DFGSpeculativeJIT64.cpp:
2284         (JSC::DFG::SpeculativeJIT::compile):
2285         * dfg/DFGStackLayoutPhase.cpp:
2286         (JSC::DFG::StackLayoutPhase::run):
2287         * ftl/FTLCompile.cpp:
2288         (JSC::FTL::fixFunctionBasedOnStackMaps):
2289         (JSC::FTL::compile):
2290         * ftl/FTLLink.cpp:
2291         (JSC::FTL::link):
2292         * ftl/FTLOSRExitCompiler.cpp:
2293         (JSC::FTL::compileStub):
2294         * ftl/FTLThunks.cpp:
2295         (JSC::FTL::osrExitGenerationThunkGenerator):
2296         * jit/ArityCheckFailReturnThunks.cpp: Removed.
2297         * jit/ArityCheckFailReturnThunks.h: Removed.
2298         * jit/JIT.cpp:
2299         (JSC::JIT::emitEnterOptimizationCheck):
2300         (JSC::JIT::privateCompile):
2301         (JSC::JIT::privateCompileExceptionHandlers):
2302         * jit/JITCall32_64.cpp:
2303         (JSC::JIT::emit_op_ret):
2304         * jit/JITExceptions.cpp:
2305         (JSC::genericUnwind):
2306         * jit/JITExceptions.h:
2307         * jit/JITOpcodes.cpp:
2308         (JSC::JIT::emit_op_end):
2309         (JSC::JIT::emit_op_ret):
2310         (JSC::JIT::emit_op_throw):
2311         (JSC::JIT::emit_op_catch):
2312         (JSC::JIT::emit_op_enter):
2313         (JSC::JIT::emitSlow_op_loop_hint):
2314         * jit/JITOpcodes32_64.cpp:
2315         (JSC::JIT::emit_op_end):
2316         (JSC::JIT::emit_op_throw):
2317         (JSC::JIT::emit_op_catch):
2318         * jit/JITOperations.cpp:
2319         * jit/Repatch.cpp:
2320         (JSC::generateByIdStub):
2321         * jit/ThunkGenerators.cpp:
2322         * llint/LLIntData.cpp:
2323         (JSC::LLInt::Data::performAssertions):
2324         * llint/LLIntSlowPaths.cpp:
2325         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2326         * llint/LowLevelInterpreter.asm:
2327         * llint/LowLevelInterpreter32_64.asm:
2328         * llint/LowLevelInterpreter64.asm:
2329         (JSC::throwExceptionFromCallSlowPathGenerator):
2330         (JSC::arityFixupGenerator):
2331         * runtime/CommonSlowPaths.cpp:
2332         (JSC::setupArityCheckData):
2333         * runtime/CommonSlowPaths.h:
2334         (JSC::CommonSlowPaths::arityCheckFor):
2335         Emit code to save and restore callee save registers and materialize tagTypeNumberRegister
2336         and tagMaskRegister.
2337         Handle callee saves when tiering up.
2338         Copy callee saves register contents to VM::calleeSaveRegistersBuffer at beginning of
2339         exception processing.
2340         Process callee save registers in frames when unwinding from an exception.
2341         Restore callee saves register contents from VM::calleeSaveRegistersBuffer on catch.
2342         Use appropriate register set to make sure we don't allocate a callee save register when
2343         compiling a thunk.
2344         Helper to populate tagTypeNumberRegister and tagMaskRegister with the appropriate
2345         constants.
2346         Removed arity fixup return thunks.
2347
2348         * dfg/DFGOSREntry.cpp:
2349         (JSC::DFG::prepareOSREntry):
2350         * dfg/DFGOSRExitCompiler32_64.cpp:
2351         (JSC::DFG::OSRExitCompiler::compileExit):
2352         * dfg/DFGOSRExitCompiler64.cpp:
2353         (JSC::DFG::OSRExitCompiler::compileExit):
2354         * dfg/DFGOSRExitCompilerCommon.cpp:
2355         (JSC::DFG::reifyInlinedCallFrames):
2356         (JSC::DFG::adjustAndJumpToTarget):
2357         Restore callee saves from the DFG and save the appropriate ones for the baseline JIT.
2358         Materialize the tag registers on 64 bit platforms.
2359
2360         * jit/AssemblyHelpers.h:
2361         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
2362         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
2363         (JSC::AssemblyHelpers::emitSaveCalleeSaves):
2364         (JSC::AssemblyHelpers::emitRestoreCalleeSaves):
2365         (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer):
2366         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
2367         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
2368         (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
2369         New helpers to save and restore callee saves as well as materialize the tag registers
2370         contents.
2371
2372         * jit/FPRInfo.h:
2373         * jit/GPRInfo.h:
2374         (JSC::GPRInfo::toRegister):
2375         Updated to include FP callee save registers.  Added number of callee saves registers and
2376         cleanup register aliases that collide with callee save registers.
2377
2378         * jit/JITPropertyAccess.cpp:
2379         (JSC::JIT::emitGetByValWithCachedId):
2380         (JSC::JIT::emitPutByValWithCachedId):
2381         (JSC::JIT::emit_op_get_by_id):
2382         (JSC::JIT::emit_op_put_by_id):
2383         * jit/JITPropertyAccess32_64.cpp:
2384         (JSC::JIT::emitGetByValWithCachedId):
2385         (JSC::JIT::emitPutByValWithCachedId):
2386         (JSC::JIT::emit_op_get_by_id):
2387         (JSC::JIT::emit_op_put_by_id):
2388         Uses new stubUnavailableRegisters register set to limit what registers are available for 
2389         temporaries.
2390
2391         * jit/RegisterSet.cpp:
2392         (JSC::RegisterSet::stubUnavailableRegisters):
2393         (JSC::RegisterSet::calleeSaveRegisters):
2394         (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
2395         (JSC::RegisterSet::dfgCalleeSaveRegisters):
2396         (JSC::RegisterSet::ftlCalleeSaveRegisters):
2397         * jit/RegisterSet.h:
2398         New register sets with the callee saves used by various tiers as well as one listing registers
2399         not availble to stub code.
2400
2401         * jit/SpecializedThunkJIT.h:
2402         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
2403         (JSC::SpecializedThunkJIT::loadDoubleArgument):
2404         (JSC::SpecializedThunkJIT::returnJSValue):
2405         (JSC::SpecializedThunkJIT::returnDouble):
2406         (JSC::SpecializedThunkJIT::returnInt32):
2407         (JSC::SpecializedThunkJIT::returnJSCell):
2408         (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
2409         (JSC::SpecializedThunkJIT::emitSaveThenMaterializeTagRegisters):
2410         (JSC::SpecializedThunkJIT::emitRestoreSavedTagRegisters):
2411         (JSC::SpecializedThunkJIT::tagReturnAsInt32):
2412         * jit/ThunkGenerators.cpp:
2413         (JSC::nativeForGenerator):
2414         Changed to save and restore existing tag register contents as the may contain other values.
2415         After saving the existing values, we materialize the tag constants.
2416
2417         * jit/TempRegisterSet.h:
2418         (JSC::TempRegisterSet::getFPRByIndex):
2419         (JSC::TempRegisterSet::getFreeFPR):
2420         (JSC::TempRegisterSet::setByIndex):
2421         * offlineasm/arm64.rb:
2422         * offlineasm/registers.rb:
2423         Added methods for floating point registers to support callee save FP registers.
2424
2425         * jit/JITArithmetic32_64.cpp:
2426         (JSC::JIT::emit_op_mod):
2427         Removed unnecessary #if CPU(X86_64) check to this 32 bit only file.
2428
2429         * offlineasm/x86.rb:
2430         Fixed Windows callee saves naming.
2431
2432         * runtime/VM.cpp:
2433         (JSC::VM::VM):
2434         * runtime/VM.h:
2435         (JSC::VM::calleeSaveRegistersBufferOffset):
2436         (JSC::VM::getAllCalleeSaveRegistersMap):
2437         Provide a RegisterSaveMap that has all registers that might be saved.  Added a callee save buffer to be
2438         used for OSR exit and for exception processing in a future patch.
2439
2440 2015-09-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2441
2442         ModuleProgramExecutable should provide CodeBlock to ScriptExecutable::forEachCodeBlock
2443         https://bugs.webkit.org/show_bug.cgi?id=149028
2444
2445         Reviewed by Michael Saboff.
2446
2447         ModuleProgramExecutable should provide CodeBlock since ModuleProgramExecutable inherits
2448         ScriptExecutable.
2449
2450         * bytecode/CodeBlock.h:
2451         (JSC::ScriptExecutable::forEachCodeBlock):
2452
2453 2015-09-09  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2454
2455         Implement internal calls in WebAssembly
2456         https://bugs.webkit.org/show_bug.cgi?id=148998
2457
2458         Reviewed by Filip Pizlo.
2459
2460         This patch implements internal calls to functions that return a 32-bit
2461         integer in WebAssembly.
2462
2463         * tests/stress/wasm-calls.js: Added.
2464         (shouldBe):
2465         * tests/stress/wasm/calls.wasm: Added.
2466         * wasm/WASMFunctionCompiler.h:
2467         (JSC::WASMFunctionCompiler::WASMFunctionCompiler):
2468         (JSC::WASMFunctionCompiler::endFunction):
2469         (JSC::WASMFunctionCompiler::buildCallInternal):
2470         (JSC::WASMFunctionCompiler::appendExpressionList):
2471         (JSC::WASMFunctionCompiler::emitNakedCall):
2472         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer):
2473         (JSC::WASMFunctionCompiler::callAndUnboxResult):
2474         * wasm/WASMFunctionParser.cpp:
2475         (JSC::WASMFunctionParser::compile):
2476         (JSC::WASMFunctionParser::parseExpressionI32):
2477         (JSC::WASMFunctionParser::parseCallInternalExpressionI32):
2478         (JSC::WASMFunctionParser::parseCallArguments):
2479         (JSC::WASMFunctionParser::parseCallInternal):
2480         * wasm/WASMFunctionParser.h:
2481         * wasm/WASMFunctionSyntaxChecker.h:
2482         (JSC::WASMFunctionSyntaxChecker::buildCallInternal):
2483         (JSC::WASMFunctionSyntaxChecker::appendExpressionList):
2484
2485 2015-09-09  Commit Queue  <commit-queue@webkit.org>
2486
2487         Unreviewed, rolling out r189522.
2488         https://bugs.webkit.org/show_bug.cgi?id=149020
2489
2490         "Caused a ~4% Speedometer regression" (Requested by cdumez on
2491         #webkit).
2492
2493         Reverted changeset:
2494
2495         "Function.prototype.bind: Bound functions must use the
2496         [[Prototype]] of their target function instead of
2497         Function.prototype"
2498         https://bugs.webkit.org/show_bug.cgi?id=145605
2499         http://trac.webkit.org/changeset/189522
2500
2501 2015-09-09  Geoffrey Garen  <ggaren@apple.com>
2502
2503         Fix the no-DFG build.
2504
2505         Unreviewed.
2506
2507         * bytecode/CodeBlock.cpp:
2508         (JSC::CodeBlock::visitOSRExitTargets):
2509         (JSC::CodeBlock::stronglyVisitStrongReferences):
2510
2511 2015-09-09  Geoffrey Garen  <ggaren@apple.com>
2512
2513         CodeBlocks should strongly visit their OSR exit targets
2514         https://bugs.webkit.org/show_bug.cgi?id=148988
2515
2516         Reviewed by Saam Barati.
2517
2518         CodeBlocks jump to their OSR exit targets, so we need to keep them alive
2519         explicitly.
2520
2521         This is a step toward throwing away CodeBlocks, which is only safe
2522         if we keep alive logically in-use CodeBlocks.
2523
2524         * bytecode/CodeBlock.cpp:
2525         (JSC::CodeBlock::CodeBlock):
2526         (JSC::CodeBlock::visitStrongly): Added a flag to indicate if visit
2527         strongly had been performed yet, since we are likely to revisit
2528         the same CodeBlock many times now.
2529
2530         (JSC::CodeBlock::visitOSRExitTargets):
2531         (JSC::CodeBlock::stronglyVisitStrongReferences): Do the visiting.
2532
2533         * bytecode/CodeBlock.h:
2534         (JSC::CodeBlock::clearMarks):
2535         (JSC::CodeBlockSet::mark): Added a helper function for clearing out
2536         two flags.
2537
2538 2015-09-09  Geoffrey Garen  <ggaren@apple.com>
2539
2540         Unreviewed, rolling back in r189516.
2541         https://bugs.webkit.org/show_bug.cgi?id=148989
2542
2543         Restored changeset:
2544
2545         "GC should be able to discover new strong CodeBlock references
2546         during marking"
2547         https://bugs.webkit.org/show_bug.cgi?id=148981
2548         http://trac.webkit.org/changeset/189516
2549
2550         This patch caused infinite recursion on Windows because of a pre-existing
2551         logical error in the non-parallel GC configuration. Even in non-parallel
2552         GC, we must set the mark bit on a CodeBlock to avoid marking it twice
2553         (or, in the case of our crash, infinitely recursively).
2554
2555 2015-09-09  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2556
2557         Implement the relational instructions for doubles in WebAssembly
2558         https://bugs.webkit.org/show_bug.cgi?id=148999
2559
2560         Reviewed by Filip Pizlo.
2561
2562         Implements the relational instructions for doubles (float64) in
2563         WebAssembly. Also pass the values into the test functions as Mark Lam
2564         suggested in https://bugs.webkit.org/show_bug.cgi?id=148882#c3
2565
2566         * tests/stress/wasm-relational.js:
2567         * tests/stress/wasm/relational.wasm:
2568         * wasm/WASMFunctionCompiler.h:
2569         (JSC::WASMFunctionCompiler::buildRelationalF64):
2570         * wasm/WASMFunctionParser.cpp:
2571         (JSC::WASMFunctionParser::parseExpressionI32):
2572         (JSC::WASMFunctionParser::parseRelationalF64ExpressionI32):
2573         * wasm/WASMFunctionParser.h:
2574         * wasm/WASMFunctionSyntaxChecker.h:
2575         (JSC::WASMFunctionSyntaxChecker::buildRelationalI32):
2576         (JSC::WASMFunctionSyntaxChecker::buildRelationalF64):
2577
2578 2015-09-09  Saam barati  <sbarati@apple.com>
2579
2580         DFG should have a debugging option that runs a phase that flushes all locals
2581         https://bugs.webkit.org/show_bug.cgi?id=148916
2582
2583         Reviewed by Filip Pizlo.
2584
2585         There is now an option to enable the DFG's new MaximalFlushInsertionPhase
2586         phase to run. This phase ensures that we keep all locals and arguments flushed
2587         to the stack at all places in the CFG. This phase is helpful for finding
2588         a class of bugs where enabling this phase to run removes the bug.
2589         This may also be useful in the development of a faster debugger
2590         that doesn't capture all variables.
2591
2592         * CMakeLists.txt:
2593         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2594         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2595         * JavaScriptCore.xcodeproj/project.pbxproj:
2596         * dfg/DFGMaximalFlushInsertionPhase.cpp: Added.
2597         (JSC::DFG::MaximalFlushInsertionPhase::MaximalFlushInsertionPhase):
2598         (JSC::DFG::MaximalFlushInsertionPhase::run):
2599         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2600         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2601         (JSC::DFG::MaximalFlushInsertionPhase::newVariableAccessData):
2602         (JSC::DFG::performMaximalFlushInsertion):
2603         * dfg/DFGMaximalFlushInsertionPhase.h: Added.
2604         * dfg/DFGPlan.cpp:
2605         (JSC::DFG::Plan::compileInThreadImpl):
2606         * runtime/Options.cpp:
2607         (JSC::recomputeDependentOptions):
2608         * runtime/Options.h:
2609
2610 2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2611
2612         Refactor the test for the arithmetic instructions in WebAssembly
2613         https://bugs.webkit.org/show_bug.cgi?id=148983
2614
2615         Reviewed by Mark Lam.
2616
2617         Pass the values into the test functions as Mark Lam suggested in
2618         https://bugs.webkit.org/show_bug.cgi?id=148882#c3
2619
2620         * tests/stress/wasm-arithmetic-int32.js: Added.
2621         (shouldBe):
2622         (shouldThrow):
2623         * tests/stress/wasm-arithmetic.js: Removed.
2624         (shouldBe): Deleted.
2625         (shouldThrow): Deleted.
2626         * tests/stress/wasm/arithmetic-int32.wasm: Added.
2627         * tests/stress/wasm/arithmetic.wasm: Removed.
2628
2629 2015-09-08  Benjamin Poulain  <bpoulain@apple.com>
2630
2631         [JSC] reduce the amount of memory access needed for LivenessAnalysisPhase
2632         https://bugs.webkit.org/show_bug.cgi?id=148414
2633
2634         Reviewed by Mark Lam.
2635
2636         LivenessAnalysisPhase still causes a huge number of cache miss.
2637         This patch reduces the amount of accesses needed by the HashTables.
2638
2639         * dfg/DFGBasicBlock.h:
2640         * dfg/DFGLivenessAnalysisPhase.cpp:
2641         (JSC::DFG::LivenessAnalysisPhase::run):
2642         (JSC::DFG::LivenessAnalysisPhase::process):
2643
2644 2015-09-08  Myles C. Maxfield  <mmaxfield@apple.com>
2645
2646         Prospective build fix after r189517
2647
2648         Unreviewed.
2649
2650         * heap/MachineStackMarker.cpp:
2651         (JSC::MachineThreads::Thread::captureStack):
2652
2653 2015-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2654
2655         Unify symbolTableGet and Put in JSLexicalEnvironment and JSSymbolTableObject
2656         https://bugs.webkit.org/show_bug.cgi?id=148783
2657
2658         Reviewed by Geoffrey Garen.
2659
2660         Unify the symbolTableGet and symbolTablePut into JSSymbolTableObject's one.
2661         Since symbolTablePutWithAttributes in JSLexicalEnvironment is not used, we drop that function.
2662
2663         * runtime/JSEnvironmentRecord.h:
2664         (JSC::JSEnvironmentRecord::isValidScopeOffset):
2665         (JSC::JSEnvironmentRecord::variableAt):
2666         (JSC::JSEnvironmentRecord::isValid): Deleted.
2667         * runtime/JSGlobalLexicalEnvironment.cpp:
2668         (JSC::JSGlobalLexicalEnvironment::put):
2669         * runtime/JSGlobalObject.cpp:
2670         (JSC::JSGlobalObject::put):
2671         * runtime/JSLexicalEnvironment.cpp:
2672         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2673         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2674         (JSC::JSLexicalEnvironment::put):
2675         (JSC::JSLexicalEnvironment::symbolTableGet): Deleted.
2676         (JSC::JSLexicalEnvironment::symbolTablePut): Deleted.
2677         (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes): Deleted.
2678         * runtime/JSLexicalEnvironment.h:
2679         * runtime/JSModuleRecord.cpp:
2680         (JSC::JSModuleRecord::instantiateDeclarations):
2681         * runtime/JSSegmentedVariableObject.h:
2682         (JSC::JSSegmentedVariableObject::isValidScopeOffset):
2683         * runtime/JSSymbolTableObject.h:
2684         (JSC::symbolTableGet):
2685         (JSC::symbolTablePut):
2686         (JSC::symbolTablePutTouchWatchpointSet):
2687         (JSC::symbolTablePutInvalidateWatchpointSet):
2688         (JSC::symbolTablePutWithAttributesTouchWatchpointSet):
2689         (JSC::symbolTablePutWithAttributes): Deleted.
2690
2691 2015-09-08  Commit Queue  <commit-queue@webkit.org>
2692
2693         Unreviewed, rolling out r189516.
2694         https://bugs.webkit.org/show_bug.cgi?id=148989
2695
2696         broke tests on windows (Requested by alexchristensen on
2697         #webkit).
2698
2699         Reverted changeset:
2700
2701         "GC should be able to discover new strong CodeBlock references
2702         during marking"
2703         https://bugs.webkit.org/show_bug.cgi?id=148981
2704         http://trac.webkit.org/changeset/189516
2705
2706 2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2707
2708         Remove unused DFG::dfgConvertJSValueToInt32()
2709         https://bugs.webkit.org/show_bug.cgi?id=148986
2710
2711         Reviewed by Geoffrey Garen.
2712
2713         Remove unused DFG::dfgConvertJSValueToInt32() and also remove
2714         DFG::JITCompiler::callOperation(D_JITOperation_EJ operation, ...) which
2715         was introduced in Bug 69806 for dfgConvertJSValueToNumber() and is no
2716         longer used.
2717
2718         * dfg/DFGOperations.cpp:
2719         * dfg/DFGOperations.h:
2720         * dfg/DFGSpeculativeJIT.h:
2721         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
2722
2723 2015-09-08  Matthew Hill  <matthew.jh@outlook.com>
2724
2725         Function.prototype.bind: Bound functions must use the [[Prototype]] of their target function instead of Function.prototype
2726         https://bugs.webkit.org/show_bug.cgi?id=145605
2727
2728         Reviewed by Geoffrey Garen.
2729
2730         * runtime/JSBoundFunction.cpp:
2731         (JSC::JSBoundFunction::create):
2732         * tests/es6.yaml:
2733
2734 2015-09-08  Mark Lam  <mark.lam@apple.com>
2735
2736         Fixed a bad comment r189517.
2737
2738         Not reviewed.
2739
2740         * heap/MachineStackMarker.cpp:
2741         (JSC::osRedZoneAdjustment):
2742
2743 2015-09-08  Geoffrey Garen  <ggaren@apple.com>
2744
2745         InlineCallFrames shouldn't be strongly marked by CodeBlock
2746         https://bugs.webkit.org/show_bug.cgi?id=146613
2747
2748         Reviewed by Saam Barati.
2749
2750         This code was vestigial an unnecessary, so I removed it.
2751
2752         * bytecode/CodeBlock.cpp:
2753         (JSC::CodeBlock::stronglyVisitStrongReferences):
2754         * bytecode/InlineCallFrame.cpp:
2755         (JSC::InlineCallFrame::calleeConstant):
2756         (JSC::InlineCallFrame::calleeForCallFrame):
2757         (JSC::InlineCallFrame::visitAggregate): Deleted.
2758         * bytecode/InlineCallFrame.h:
2759         (JSC::InlineCallFrame::specializationKind):
2760         * bytecode/InlineCallFrameSet.cpp:
2761         (JSC::InlineCallFrameSet::add):
2762         (JSC::InlineCallFrameSet::visitAggregate): Deleted.
2763         * bytecode/InlineCallFrameSet.h:
2764         (JSC::InlineCallFrameSet::begin):
2765         (JSC::InlineCallFrameSet::end):
2766
2767 2015-09-08  Mark Lam  <mark.lam@apple.com>
2768
2769         GC stack scan should include ABI red zone.
2770         https://bugs.webkit.org/show_bug.cgi?id=148976
2771
2772         Reviewed by Geoffrey Garen and Benjamin Poulain.
2773
2774         The x86_64 ABI section 3.2.2[1] and ARM64 ABI[2] both state that there is a
2775         128 byte red zone below the stack pointer (reserved by the OS), and that
2776         "functions may use this area for temporary data that is not needed across
2777         function calls".
2778
2779         Hence, it is possible for a thread to store JSCell pointers in the red zone
2780         area, and the conservative GC thread scanner needs to scan that area as well.
2781
2782         Note: the red zone should not be scanned for the GC thread itself (in
2783         gatherFromCurrentThread()).  This because we're guaranteed that there will
2784         be GC frames below the lowest (top of stack) frame that we need to scan.
2785         Hence, we are guaranteed that there are no red zone areas there containing
2786         JSObject pointers of relevance.
2787
2788         No test added for this issue because the issue relies on:
2789         1. the compiler tool chain generating code that stores local variables
2790            containing the sole reference to a JS object (that needs to be kept
2791            alive) in the stack red zone, and
2792         2. GC has to run on another thread while that red zone containing the
2793            JS object reference is in use. 
2794
2795         These conditions require a race that cannot be reliably reproduced.
2796
2797         [1]: http://people.freebsd.org/~obrien/amd64-elf-abi.pdf
2798         [2]: https://developer.apple.com/library/ios/documentation/Xcode/Conceptual/iPhoneOSABIReference/Articles/ARM64FunctionCallingConventions.html#//apple_ref/doc/uid/TP40013702-SW7
2799
2800         * heap/MachineStackMarker.cpp:
2801         (JSC::MachineThreads::Thread::Thread):
2802         (JSC::MachineThreads::Thread::createForCurrentThread):
2803         (JSC::MachineThreads::Thread::freeRegisters):
2804         (JSC::osRedZoneAdjustment):
2805         (JSC::MachineThreads::Thread::captureStack):
2806
2807 2015-09-08  Geoffrey Garen  <ggaren@apple.com>
2808
2809         GC should be able to discover new strong CodeBlock references during marking
2810         https://bugs.webkit.org/show_bug.cgi?id=148981
2811
2812         Reviewed by Mark Lam.
2813
2814         Previously, we required a strong reference to register itself before the
2815         first visit to a CodeBlock. Now, we can discover a strong reference at
2816         any time during the marking phase.
2817
2818         * bytecode/CodeBlock.cpp:
2819         (JSC::CodeBlock::CodeBlock): Remove the two strong reference state
2820         variables from CodeBlock. Now, a strong reference immediately marks
2821         the CodeBlock and its references at the moment of its discovery, and no
2822         separate state is required.
2823
2824         (JSC::CodeBlock::visitStrongly): New helper function for establishing
2825         a strong reference to a CodeBlock.
2826
2827         (JSC::CodeBlock::visitAggregate): Adopt helper function above.
2828
2829         (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Updated
2830         for state removal.
2831
2832         (JSC::CodeBlock::isKnownToBeLiveDuringGC): Ditto.
2833
2834         (JSC::CodeBlock::stronglyVisitWeakReferences): Be sure to record that
2835         we have proven liveness (by virtue of marking all the references the
2836         proof would check). This is required so that the CodeBlock knows itself
2837         to be live, and it is also an optimization to avoid testing weak references
2838         after we have already visited them.
2839
2840         * bytecode/CodeBlock.h:
2841         (JSC::CodeBlock::clearMarks):
2842         (JSC::CodeBlockSet::mark):
2843         (JSC::CodeBlockSet::clearMarks): Deleted. Updated for state removal.
2844
2845         * dfg/DFGPlan.cpp:
2846         (JSC::DFG::Plan::clearCodeBlockMarks):
2847         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2848         * dfg/DFGPlan.h: No need to use a CodeBlockSet in order to mark anymore.
2849
2850         * dfg/DFGWorklist.cpp:
2851         (JSC::DFG::Worklist::completeAllPlansForVM):
2852         (JSC::DFG::Worklist::clearCodeBlockMarks):
2853         (JSC::DFG::Worklist::resumeAllThreads):
2854         (JSC::DFG::Worklist::visitWeakReferences):
2855         (JSC::DFG::completeAllPlansForVM):
2856         (JSC::DFG::clearCodeBlockMarks):
2857         * dfg/DFGWorklist.h:
2858         (JSC::DFG::worklistForIndexOrNull): No need to use a CodeBlockSet in order
2859         to mark anymore.
2860
2861         * heap/CodeBlockSet.cpp:
2862         (JSC::CodeBlockSet::clearMarksForFullCollection):
2863         (JSC::CodeBlockSet::clearMarksForEdenCollection):
2864         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2865         (JSC::CodeBlockSet::traceMarked):
2866         (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
2867         (JSC::CodeBlockSet::dump):
2868         * heap/CodeBlockSet.h: Keep the currently executing CodeBlocks in RefPtrs
2869         since we can no longer rely on the m_currentlyExecuting bit to keep them
2870         alive. (A currently executing CodeBlock may not be referenced by its
2871         Executable because it may since have been replaced by another CodeBlock.
2872         This is common in the cases of OSR entry and exit.)
2873
2874         * heap/Heap.cpp:
2875         (JSC::Heap::markRoots):
2876         (JSC::Heap::visitCompilerWorklistWeakReferences):
2877         (JSC::Heap::visitWeakHandles): No need to trace the list of CodeBlocks
2878         on the stack in the weak reference fixpoint because we no longer overload
2879         "on the stack" to include CodeBlocks referenced by the compiler.
2880
2881 2015-09-08  Andreas Kling  <akling@apple.com>
2882
2883         [JSC] Remove unused Heap::getConservativeRegisterRoots().
2884         <https://webkit.org/b/148974>
2885
2886         Reviewed by Geoffrey Garen.
2887
2888         Spotted this unused stack root gathering helper in Heap. Let's lose it.
2889
2890         * heap/Heap.cpp:
2891         (JSC::Heap::getConservativeRegisterRoots): Deleted.
2892         * interpreter/JSStack.cpp:
2893         (JSC::JSStack::gatherConservativeRoots): Deleted.
2894         * interpreter/JSStack.h:
2895         (JSC::JSStack::gatherConservativeRoots): Deleted.
2896
2897 2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2898
2899         Implement control flow statements in WebAssembly
2900         https://bugs.webkit.org/show_bug.cgi?id=148934
2901
2902         Reviewed by Geoffrey Garen.
2903
2904         This patch implements if, while, do, label, break, and continue
2905         statements in WebAssembly. Switches will be implemented in a subsequent
2906         patch.
2907
2908         * tests/stress/wasm-control-flow.js: Added.
2909         (shouldBe):
2910         * tests/stress/wasm/control-flow.wasm: Added.
2911         * wasm/WASMFunctionCompiler.h:
2912         (JSC::WASMFunctionCompiler::linkTarget):
2913         (JSC::WASMFunctionCompiler::jumpToTarget):
2914         (JSC::WASMFunctionCompiler::jumpToTargetIf):
2915         (JSC::WASMFunctionCompiler::startLoop):
2916         (JSC::WASMFunctionCompiler::endLoop):
2917         (JSC::WASMFunctionCompiler::startSwitch):
2918         (JSC::WASMFunctionCompiler::endSwitch):
2919         (JSC::WASMFunctionCompiler::startLabel):
2920         (JSC::WASMFunctionCompiler::endLabel):
2921         (JSC::WASMFunctionCompiler::breakTarget):
2922         (JSC::WASMFunctionCompiler::continueTarget):
2923         (JSC::WASMFunctionCompiler::breakLabelTarget):
2924         (JSC::WASMFunctionCompiler::continueLabelTarget):
2925         * wasm/WASMFunctionParser.cpp:
2926         (JSC::WASMFunctionParser::parseIfStatement):
2927         (JSC::WASMFunctionParser::parseIfElseStatement):
2928         (JSC::WASMFunctionParser::parseWhileStatement):
2929         (JSC::WASMFunctionParser::parseDoStatement):
2930         (JSC::WASMFunctionParser::parseLabelStatement):
2931         (JSC::WASMFunctionParser::parseBreakStatement):
2932         (JSC::WASMFunctionParser::parseBreakLabelStatement):
2933         (JSC::WASMFunctionParser::parseContinueStatement):
2934         (JSC::WASMFunctionParser::parseContinueLabelStatement):
2935         * wasm/WASMFunctionParser.h:
2936         * wasm/WASMFunctionSyntaxChecker.h:
2937         (JSC::WASMFunctionSyntaxChecker::linkTarget):
2938         (JSC::WASMFunctionSyntaxChecker::jumpToTarget):
2939         (JSC::WASMFunctionSyntaxChecker::jumpToTargetIf):
2940         (JSC::WASMFunctionSyntaxChecker::startLoop):
2941         (JSC::WASMFunctionSyntaxChecker::endLoop):
2942         (JSC::WASMFunctionSyntaxChecker::startSwitch):
2943         (JSC::WASMFunctionSyntaxChecker::endSwitch):
2944         (JSC::WASMFunctionSyntaxChecker::startLabel):
2945         (JSC::WASMFunctionSyntaxChecker::endLabel):
2946         (JSC::WASMFunctionSyntaxChecker::breakTarget):
2947         (JSC::WASMFunctionSyntaxChecker::continueTarget):
2948         (JSC::WASMFunctionSyntaxChecker::breakLabelTarget):
2949         (JSC::WASMFunctionSyntaxChecker::continueLabelTarget):
2950
2951 2015-09-08  Per Arne Vollan  <peavo@outlook.com>
2952
2953         [Win] Compile errors in inspector code.
2954         https://bugs.webkit.org/show_bug.cgi?id=148977
2955
2956         Reviewed by Alex Christensen.
2957
2958         Include definition of class FrontendRouter before use.
2959
2960         * inspector/InspectorBackendDispatcher.h:
2961         * inspector/JSGlobalObjectInspectorController.h:
2962
2963 2015-09-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2964
2965         [ES6] Implement computed accessors
2966         https://bugs.webkit.org/show_bug.cgi?id=147883
2967
2968         Reviewed by Geoffrey Garen.
2969
2970         Patch by Yusuke Suzuki <utatane.tea@gmail.com> and Matthew Mirman <mmirman@apple.com>.
2971
2972         Implement the computed accessors functionality for class syntax and object literal syntax.
2973         Added new opcodes, op_put_getter_by_val and op_put_setter_by_val. LLInt and baseline JIT support them.
2974         As the same to the other accessor opcodes (like op_put_getter_by_id etc.), DFG / FTL does not support
2975         them. This is handled here[1].
2976
2977         [1]: https://bugs.webkit.org/show_bug.cgi?id=148860
2978
2979         * bytecode/BytecodeList.json:
2980         * bytecode/BytecodeUseDef.h:
2981         (JSC::computeUsesForBytecodeOffset):
2982         (JSC::computeDefsForBytecodeOffset):
2983         * bytecode/CodeBlock.cpp:
2984         (JSC::CodeBlock::dumpBytecode):
2985         * bytecompiler/BytecodeGenerator.cpp:
2986         (JSC::BytecodeGenerator::emitPutGetterByVal):
2987         (JSC::BytecodeGenerator::emitPutSetterByVal):
2988         * bytecompiler/BytecodeGenerator.h:
2989         * bytecompiler/NodesCodegen.cpp:
2990         (JSC::PropertyListNode::emitBytecode):
2991         * jit/JIT.cpp:
2992         (JSC::JIT::privateCompileMainPass):
2993         * jit/JIT.h:
2994         * jit/JITInlines.h:
2995         (JSC::JIT::callOperation):
2996         * jit/JITOperations.cpp:
2997         * jit/JITOperations.h:
2998         * jit/JITPropertyAccess.cpp:
2999         (JSC::JIT::emit_op_put_getter_by_val):
3000         (JSC::JIT::emit_op_put_setter_by_val):
3001         * jit/JITPropertyAccess32_64.cpp:
3002         (JSC::JIT::emit_op_put_getter_by_val):
3003         (JSC::JIT::emit_op_put_setter_by_val):
3004         * llint/LLIntSlowPaths.cpp:
3005         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3006         * llint/LLIntSlowPaths.h:
3007         * llint/LowLevelInterpreter.asm:
3008         * parser/ASTBuilder.h:
3009         (JSC::ASTBuilder::createGetterOrSetterProperty):
3010         * parser/Parser.cpp:
3011         (JSC::Parser<LexerType>::parseClass):
3012         (JSC::Parser<LexerType>::parseGetterSetter):
3013         * parser/SyntaxChecker.h:
3014         (JSC::SyntaxChecker::createGetterOrSetterProperty):
3015         * tests/es6.yaml:
3016         * tests/stress/computed-accessor-parsing.js: Added.
3017         (testShouldNotThrow):
3018         (testShouldThrow):
3019         (Val.prototype.get string_appeared_here):
3020         (Val):
3021         * tests/stress/computed-accessor.js: Added.
3022         (shouldBe):
3023         (.):
3024         * tests/stress/duplicate-computed-accessors.js: Added.
3025         (shouldBe):
3026
3027 2015-09-08  Saam barati  <sbarati@apple.com>
3028
3029         baseline JIT should emit better code for UnresolvedProperty in resolve_scope/get_from_scope/put_to_scope
3030         https://bugs.webkit.org/show_bug.cgi?id=148895
3031
3032         Reviewed by Geoffrey Garen.
3033
3034         Previously, if a resolve_scope/get_from_scope/put_to_scope with
3035         UnresolvedProperty made it to the baseline JIT, we would hard compile
3036         a jump to the slow path. This is bad and slow. Because UnresolvedProperty
3037         tries to update itself to something more useful, and succeeds at doing so
3038         with high probability, we should be emitting code that checks to see if the 
3039         slow path has performed an update, and if it has, execute more efficient code 
3040         and not go to the slow path (unless it needs to for var injection check failure, 
3041         or other check failures). This increases the speed of this code greatly because 
3042         we may decide to compile a program/function before certain resolve_scope/get_from_scope/put_to_scope 
3043         operations ever execute. And now, the baseline JIT code better adapts to such
3044         compilation scenarios.
3045
3046         * bytecode/Watchpoint.h:
3047         (JSC::WatchpointSet::isBeingWatched):
3048         (JSC::WatchpointSet::addressOfState):
3049         (JSC::WatchpointSet::offsetOfState):
3050         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
3051         * jit/JIT.cpp:
3052         (JSC::JIT::emitNotifyWrite):
3053         (JSC::JIT::assertStackPointerOffset):
3054         * jit/JIT.h:
3055         * jit/JITPropertyAccess.cpp:
3056         (JSC::JIT::emit_op_resolve_scope):
3057         (JSC::JIT::emitSlow_op_resolve_scope):
3058         (JSC::JIT::emitGetGlobalProperty):
3059         (JSC::JIT::emitGetVarFromPointer):
3060         (JSC::JIT::emitGetVarFromIndirectPointer):
3061         (JSC::JIT::emitGetClosureVar):
3062         (JSC::JIT::emit_op_get_from_scope):
3063         (JSC::JIT::emitSlow_op_get_from_scope):
3064         (JSC::JIT::emitPutGlobalProperty):
3065         (JSC::JIT::emitPutGlobalVariable):
3066         (JSC::JIT::emitPutGlobalVariableIndirect):
3067         (JSC::JIT::emitPutClosureVar):
3068         (JSC::JIT::emit_op_put_to_scope):
3069         (JSC::JIT::emitSlow_op_put_to_scope):
3070         * jit/JITPropertyAccess32_64.cpp:
3071         (JSC::JIT::emit_op_resolve_scope):
3072         (JSC::JIT::emitSlow_op_resolve_scope):
3073         (JSC::JIT::emitGetGlobalProperty):
3074         (JSC::JIT::emitGetVarFromPointer):
3075         (JSC::JIT::emitGetVarFromIndirectPointer):
3076         (JSC::JIT::emitGetClosureVar):
3077         (JSC::JIT::emit_op_get_from_scope):
3078         (JSC::JIT::emitSlow_op_get_from_scope):
3079         (JSC::JIT::emitPutGlobalProperty):
3080         (JSC::JIT::emitPutGlobalVariable):
3081         (JSC::JIT::emitPutGlobalVariableIndirect):
3082         (JSC::JIT::emitPutClosureVar):
3083         (JSC::JIT::emit_op_put_to_scope):
3084         (JSC::JIT::emitSlow_op_put_to_scope):
3085         * runtime/CommonSlowPaths.h:
3086         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
3087         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
3088         * runtime/JSScope.cpp:
3089         (JSC::abstractAccess):
3090         * tests/stress/multiple-files-tests/global-lexical-variable-unresolved-property/first.js:
3091         (foo):
3092
3093 2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3094
3095         Implement all the arithmetic and logical instructions in WebAssembly
3096         https://bugs.webkit.org/show_bug.cgi?id=148882
3097
3098         Reviewed by Mark Lam.
3099
3100         This patch implements all the arithmetic and logical instructions for
3101         32-bit integers in WebAssembly.
3102
3103         * tests/stress/wasm-arithmetic.js:
3104         * tests/stress/wasm/arithmetic.wasm:
3105         * wasm/WASMFunctionCompiler.h:
3106         (JSC::WASMFunctionCompiler::buildUnaryI32):
3107         (JSC::WASMFunctionCompiler::buildBinaryI32):
3108         * wasm/WASMFunctionParser.cpp:
3109         (JSC::WASMFunctionParser::parseExpressionI32):
3110         (JSC::WASMFunctionParser::parseUnaryExpressionI32):
3111         * wasm/WASMFunctionParser.h:
3112         * wasm/WASMFunctionSyntaxChecker.h:
3113         (JSC::WASMFunctionSyntaxChecker::buildUnaryI32):
3114
3115 2015-09-08  Filip Pizlo  <fpizlo@apple.com>
3116
3117         Unreviewed, fix debug by removing an assertion that is not correct anymore.
3118
3119         * jit/Repatch.cpp:
3120         (JSC::linkFor):
3121
3122 2015-09-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3123
3124         Add initial support for doubles in WebAssembly
3125         https://bugs.webkit.org/show_bug.cgi?id=148913
3126
3127         Reviewed by Filip Pizlo.
3128
3129         Implement the ConstantPoolIndex, Immediate, and GetLocal instructions
3130         for doubles (float64) in WebAssembly.
3131
3132         * tests/stress/wasm-arithmetic-float64.js: Added.
3133         (shouldBe):
3134         * tests/stress/wasm/arithmetic-float64.wasm: Added.
3135         * wasm/WASMConstants.h:
3136         * wasm/WASMFunctionCompiler.h:
3137         (JSC::WASMFunctionCompiler::buildSetLocal):
3138         (JSC::WASMFunctionCompiler::buildReturn):
3139         (JSC::WASMFunctionCompiler::buildImmediateI32):
3140         (JSC::WASMFunctionCompiler::buildImmediateF64):
3141         (JSC::WASMFunctionCompiler::buildGetLocal):
3142         * wasm/WASMFunctionParser.cpp:
3143         (JSC::WASMFunctionParser::parseExpression):
3144         (JSC::WASMFunctionParser::parseExpressionF64):
3145         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF64):
3146         (JSC::WASMFunctionParser::parseImmediateExpressionF64):
3147         (JSC::WASMFunctionParser::parseGetLocalExpressionF64):
3148         * wasm/WASMFunctionParser.h:
3149         * wasm/WASMFunctionSyntaxChecker.h:
3150         (JSC::WASMFunctionSyntaxChecker::buildImmediateF64):
3151         * wasm/WASMReader.cpp:
3152         (JSC::WASMReader::readOpExpressionF64):
3153         * wasm/WASMReader.h:
3154
3155 2015-09-06  Filip Pizlo  <fpizlo@apple.com>
3156
3157         CallLinkInfo inside StructureStubInfo should not use polymorphic stubs
3158         https://bugs.webkit.org/show_bug.cgi?id=148915
3159
3160         Reviewed by Mark Lam.
3161
3162         There is a subtle bug where if we reset a get_by_id IC that had a getter stub that in
3163         turn had a polymorphic call stub, then the GC won't know to keep the getter stub alive.
3164         This patch documents the bug in a FIXME and disables polymorphic call optimizations for
3165         getters. It also just so happens that the polymorphic call optimizations usually don't
3166         benefit getters, since it's hard to create polymorphism at the point of call without also
3167         introducing polymorphism in the base object's structure.
3168
3169         The added test doesn't reproduce the problem, because it's hard to get the GC to delete
3170         all of the stubs.
3171
3172         * bytecode/CallLinkInfo.h:
3173         (JSC::CallLinkInfo::CallLinkInfo):
3174         (JSC::CallLinkInfo::setCallLocations):
3175         (JSC::CallLinkInfo::allowStubs):
3176         (JSC::CallLinkInfo::disallowStubs):
3177         (JSC::CallLinkInfo::setUpCallFromFTL):
3178         * jit/Repatch.cpp:
3179         (JSC::generateByIdStub):
3180         (JSC::linkFor):
3181         (JSC::linkPolymorphicCall):
3182         * tests/stress/poly-call-stub-in-getter-stub.js: Added.
3183         (foo):
3184         (makeGetter):
3185
3186 2015-09-07  Filip Pizlo  <fpizlo@apple.com>
3187
3188         The put_by_id IC store barrier contract should benefit transition over replace
3189         https://bugs.webkit.org/show_bug.cgi?id=148943
3190
3191         Reviewed by Mark Lam.
3192
3193         Previously, we would only emit a barrier if the value being stored was possibly a cell, so
3194         the transition stub code generator would have to emit a barrier for the store of the
3195         structure, just in case the structure was newer than the base object.
3196
3197         This changes the contract so that the put_by_id callsite would always have a barrier on the
3198         base (except if it proved that the base was brand new). That way, the transition doesn't have
3199         to have a barrier unless it allocates.
3200
3201         This is meant to be a perf-neutral change that I need for the IC refactoring in
3202         https://bugs.webkit.org/show_bug.cgi?id=148717.
3203
3204         * dfg/DFGFixupPhase.cpp:
3205         (JSC::DFG::FixupPhase::fixupNode):
3206         * dfg/DFGStoreBarrierInsertionPhase.cpp:
3207         * jit/Repatch.cpp:
3208         (JSC::emitPutTransitionStub):
3209
3210 2015-09-07  Alex Christensen  <achristensen@webkit.org>
3211
3212         Windows non-cygwin build fix after r189333.
3213
3214         SVN on Windows (non-cygwin) doesn't like having the * character in file names.
3215         I replaced "*" with "star" in some of Geoff's new tests.
3216
3217         * tests/es6.yaml:
3218         Changed all _*_ to _star_
3219         * tests/es6/generators_yield_*_arrays.js: Removed.
3220         * tests/es6/generators_yield_*_astral_plane_strings.js: Removed.
3221         * tests/es6/generators_yield_*_generator_instances.js: Removed.
3222         * tests/es6/generators_yield_*_generic_iterables.js: Removed.
3223         * tests/es6/generators_yield_*_instances_of_iterables.js: Removed.
3224         * tests/es6/generators_yield_*_iterator_closing.js: Removed.
3225         * tests/es6/generators_yield_*_iterator_closing_via_throw.js: Removed.
3226         * tests/es6/generators_yield_*_on_non-iterables_is_a_runtime_error.js: Removed.
3227         * tests/es6/generators_yield_*_sparse_arrays.js: Removed.
3228         * tests/es6/generators_yield_*_strings.js: Removed.
3229         * tests/es6/generators_yield_star_arrays.js: Copied from tests/es6/generators_yield_*_arrays.js.
3230         * tests/es6/generators_yield_star_astral_plane_strings.js: Copied from tests/es6/generators_yield_*_astral_plane_strings.js.
3231         * tests/es6/generators_yield_star_generator_instances.js: Copied from tests/es6/generators_yield_*_generator_instances.js.
3232         * tests/es6/generators_yield_star_generic_iterables.js: Copied from tests/es6/generators_yield_*_generic_iterables.js.
3233         * tests/es6/generators_yield_star_instances_of_iterables.js: Copied from tests/es6/generators_yield_*_instances_of_iterables.js.
3234         * tests/es6/generators_yield_star_iterator_closing.js: Copied from tests/es6/generators_yield_*_iterator_closing.js.
3235         * tests/es6/generators_yield_star_iterator_closing_via_throw.js: Copied from tests/es6/generators_yield_*_iterator_closing_via_throw.js.
3236         * tests/es6/generators_yield_star_on_non-iterables_is_a_runtime_error.js: Copied from tests/es6/generators_yield_*_on_non-iterables_is_a_runtime_error.js.
3237         * tests/es6/generators_yield_star_sparse_arrays.js: Copied from tests/es6/generators_yield_*_sparse_arrays.js.
3238         * tests/es6/generators_yield_star_strings.js: Copied from tests/es6/generators_yield_*_strings.js.
3239
3240 2015-09-06  Mark Lam  <mark.lam@apple.com>
3241
3242         Gardening: fix broken Windows build after r189454.
3243
3244         Not reviewed.
3245
3246         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
3247         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
3248
3249 2015-09-06  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3250
3251         Implement the relational instructions in WebAssembly
3252         https://bugs.webkit.org/show_bug.cgi?id=148838
3253
3254         Reviewed by Saam Barati.
3255
3256         This patch implements the relational instructions for 32-bit integers in
3257         WebAssembly.
3258
3259         * tests/stress/wasm-arithmetic.js:
3260         * tests/stress/wasm-locals.js:
3261         * tests/stress/wasm-relational.js: Added.
3262         (shouldBe):
3263         * tests/stress/wasm/arithmetic.wasm: Renamed from Source/JavaScriptCore/tests/stress/wasm-arithmetic.wasm.
3264         * tests/stress/wasm/locals.wasm: Renamed from Source/JavaScriptCore/tests/stress/wasm-locals.wasm.
3265         * tests/stress/wasm/relational.wasm: Added.
3266         * wasm/WASMFunctionCompiler.h:
3267         (JSC::WASMFunctionCompiler::buildRelationalI32):
3268         * wasm/WASMFunctionParser.cpp:
3269         (JSC::WASMFunctionParser::parseExpressionI32):
3270         (JSC::WASMFunctionParser::parseRelationalI32ExpressionI32):
3271         * wasm/WASMFunctionParser.h:
3272         * wasm/WASMFunctionSyntaxChecker.h:
3273         (JSC::WASMFunctionSyntaxChecker::buildRelationalI32):
3274
3275 2015-09-06  Mark Lam  <mark.lam@apple.com>
3276
3277         StackOverflow stack unwinding should stop at native frames.
3278         https://bugs.webkit.org/show_bug.cgi?id=148749
3279
3280         Reviewed by Michael Saboff.
3281
3282         In the present code, after ping-pong'ing back and forth between native and JS
3283         code a few times, if we have a stack overflow on re-entry into the VM to run
3284         JS code's whose stack frame would overflow the JS stack, the code will end up
3285         unwinding past the native function that is making the call to re-enter the VM.
3286         As a result, any clean up code (e.g. destructors for stack variables) in the
3287         skipped native function frame (and its chain of native function callers) will
3288         not be called.
3289
3290         This patch is based on the Michael Saboff's fix of this issue landed on the
3291         jsc-tailcall branch: http://trac.webkit.org/changeset/188555
3292
3293         We now check for the case where there are no JS frames to unwind since the
3294         last native frame, and treat the exception as an unhandled exception.  The
3295         native function is responsible for further propagating the exception if needed.
3296
3297         Other supporting work:
3298         1. Remove vm->vmEntryFrameForThrow.  It should always be the same as
3299            vm->topVMEntryFrame.
3300         2. Change operationThrowStackOverflowError() to use the throwStackOverflowError()
3301            helper function instead of rolling its own.
3302         3. Added a test that exercises this edge case.  The test should not hang or crash.
3303
3304         * API/tests/PingPongStackOverflowTest.cpp: Added.
3305         (PingPongStackOverflowObject_hasInstance):
3306         (testPingPongStackOverflow):
3307         * API/tests/PingPongStackOverflowTest.h: Added.
3308         * API/tests/testapi.c:
3309         (main):
3310         * JavaScriptCore.xcodeproj/project.pbxproj:
3311         * interpreter/CallFrame.h:
3312         (JSC::ExecState::operator=):
3313         (JSC::ExecState::callerFrame):
3314         (JSC::ExecState::callerFrameOrVMEntryFrame):
3315         (JSC::ExecState::argIndexForRegister):
3316         (JSC::ExecState::callerFrameAndPC):
3317         * interpreter/Interpreter.cpp:
3318         (JSC::UnwindFunctor::UnwindFunctor):
3319         (JSC::UnwindFunctor::operator()):
3320         (JSC::Interpreter::unwind):
3321         * interpreter/Interpreter.h:
3322         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
3323         (JSC::Interpreter::sampler):
3324         * jit/CCallHelpers.h:
3325         (JSC::CCallHelpers::jumpToExceptionHandler):
3326         * jit/JITExceptions.cpp:
3327         (JSC::genericUnwind):
3328         * jit/JITExceptions.h:
3329         * jit/JITOpcodes.cpp:
3330         (JSC::JIT::emit_op_catch):
3331         * jit/JITOpcodes32_64.cpp:
3332         (JSC::JIT::emit_op_catch):
3333         * jit/JITOperations.cpp:
3334         * llint/LowLevelInterpreter32_64.asm:
3335         * llint/LowLevelInterpreter64.asm:
3336         * runtime/VM.h:
3337         (JSC::VM::exceptionOffset):
3338         (JSC::VM::callFrameForThrowOffset):
3339         (JSC::VM::vmEntryFrameForThrowOffset): Deleted.
3340  &nb