c138fa28db0bcb83b9744afeb5c509eb96b44a1a
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-01-22  Keith Miller  <keith_miller@apple.com>
2
3         Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset
4         https://bugs.webkit.org/show_bug.cgi?id=152912
5
6         Reviewed by Mark Lam.
7
8         When checking the validity of an Equivalence PropertyCondition we do not check that the offset returned by
9         the structure of the object in the equivalence condition is valid. The offset might be wrong for many reasons.
10         The one we now test for is when the GlobalObject has a property that becomes a variable: the property is deleted,
11         thus the offset is now invalid.
12
13         * bytecode/PropertyCondition.cpp:
14         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
15         * tests/stress/global-property-into-variable-get-from-scope.js: Added.
16
17 2016-01-22  Keith Miller  <keith_miller@apple.com>
18
19         [ES6] Add Symbol.species properties to the relevant constructors
20         https://bugs.webkit.org/show_bug.cgi?id=153339
21
22         Reviewed by Michael Saboff.
23
24         This patch adds Symbol.species to the RegExp, Array, TypedArray, Map, Set, ArrayBuffer, and
25         Promise constructors.  The functions that use these properties will be added in a later
26         patch.
27
28         * builtins/GlobalObject.js:
29         (speciesGetter):
30         * runtime/ArrayConstructor.cpp:
31         (JSC::ArrayConstructor::finishCreation):
32         * runtime/ArrayConstructor.h:
33         (JSC::ArrayConstructor::create):
34         * runtime/BooleanConstructor.h:
35         (JSC::BooleanConstructor::create):
36         * runtime/CommonIdentifiers.h:
37         * runtime/DateConstructor.h:
38         (JSC::DateConstructor::create):
39         * runtime/ErrorConstructor.h:
40         (JSC::ErrorConstructor::create):
41         * runtime/JSArrayBufferConstructor.cpp:
42         (JSC::JSArrayBufferConstructor::finishCreation):
43         (JSC::JSArrayBufferConstructor::create):
44         * runtime/JSArrayBufferConstructor.h:
45         * runtime/JSGlobalObject.cpp:
46         (JSC::JSGlobalObject::init):
47         * runtime/JSInternalPromiseConstructor.cpp:
48         (JSC::JSInternalPromiseConstructor::create):
49         * runtime/JSInternalPromiseConstructor.h:
50         * runtime/JSPromiseConstructor.cpp:
51         (JSC::JSPromiseConstructor::create):
52         (JSC::JSPromiseConstructor::finishCreation):
53         * runtime/JSPromiseConstructor.h:
54         * runtime/JSTypedArrayViewConstructor.cpp:
55         (JSC::JSTypedArrayViewConstructor::finishCreation):
56         (JSC::JSTypedArrayViewConstructor::create): Deleted.
57         * runtime/JSTypedArrayViewConstructor.h:
58         (JSC::JSTypedArrayViewConstructor::create):
59         * runtime/MapConstructor.cpp:
60         (JSC::MapConstructor::finishCreation):
61         * runtime/MapConstructor.h:
62         (JSC::MapConstructor::create):
63         * runtime/NumberConstructor.h:
64         (JSC::NumberConstructor::create):
65         * runtime/RegExpConstructor.cpp:
66         (JSC::RegExpConstructor::finishCreation):
67         * runtime/RegExpConstructor.h:
68         (JSC::RegExpConstructor::create):
69         * runtime/SetConstructor.cpp:
70         (JSC::SetConstructor::finishCreation):
71         * runtime/SetConstructor.h:
72         (JSC::SetConstructor::create):
73         * runtime/StringConstructor.h:
74         (JSC::StringConstructor::create):
75         * runtime/SymbolConstructor.h:
76         (JSC::SymbolConstructor::create):
77         * runtime/WeakMapConstructor.h:
78         (JSC::WeakMapConstructor::create):
79         * runtime/WeakSetConstructor.h:
80         (JSC::WeakSetConstructor::create):
81         * tests/stress/symbol-species.js: Added.
82         (testSymbolSpeciesOnConstructor):
83
84 2016-01-21  Benjamin Poulain  <benjamin@webkit.org>
85
86         [JSC] The IRC allocator can mess up the degree of Tmps interfering with move-related Tmps
87         https://bugs.webkit.org/show_bug.cgi?id=153340
88
89         Reviewed by Filip Pizlo.
90
91         The JavaScriptCore tests uncovered an interesting bug in the iterated register
92         coalescing allocator. When coalescing a move under the right conditions, it is
93         possible to mess up the graph for the Tmps interfering with the coalesced Tmps.
94
95         Some context first:
96         -When coalescing a move, we alias one Tmp to another. Let's say that we had
97              Move X, Y
98          the coalescing may alias Y to X: Y->X.
99         -Since X and Y are equivalent after coalescing, any interference
100          edge with Y is "moved" to X.
101          The way this was done was to add an edge to X for every edge there was with Y.
102          Say we had an edge R--Y, we add an edge R--X.
103          Adding an edge increases the degree of R and Y. The degree of R was then
104          fixed by calling decrementDegree() on it.
105         -decrementDegree() is non-trivial. It will move the Tmp to the right list
106          for further processing if the Tmp's degree becomes lower than the number
107          of available registers.
108
109         The bug appears in a particular case. Say we have 3 Tmps, A, B, and C.
110         -A and B are move related, they can be coalesced.
111         -A has an interference edge with C.
112         -B does not have an interference edge with C.
113         -C's degree is exactly the number of available registers/colors minus one (k - 1).
114          -> This implies C is already in its list.
115
116         We coalesce A and B into B (A->B).
117         -The first step, addEdgeDistinct() adds an edge between B and C. The degrees of
118          B and C are increased by one. The degree of C becomes k.
119         -Next, decrementDegree() is called on C. Its degree decreases to k-1.
120          Because of the change from k to k-1, decrementDegree() adds C to a list again.
121
122         We have two kinds of bugs depending on the test:
123         -A Tmp can be added to the simplifyWorklist several times.
124         -A Tmp can be in both simplifyWorklist and freezeWorklist (because its move-related
125          status changed since the last decrementDegree()).
126         In both cases, the Tmps interfering with the duplicated Tmp will end up with
127         a degree lower than their real value.
128
129         * b3/air/AirIteratedRegisterCoalescing.cpp:
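The scenario above, as an added model that is not WebKit's code: a minimal interference-graph bookkeeping with addEdgeDistinct()/decrementDegree() behaving as the entry describes, which shows C landing on the simplify worklist twice, beside an assumed fix (not necessarily the one that landed) that skips decrementDegree() when the moved edge is brand new. Tmp names, K = 2 and the struct layout are this example's assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <set>
#include <vector>

// Added model (not WebKit's code): the degree/worklist bookkeeping of an
// iterated-register-coalescing allocator with K colors. Tmps are small ints.
struct IRCModel {
    unsigned k;                          // number of available registers (colors)
    std::vector<std::set<int>> adj;      // interference graph
    std::vector<unsigned> degree;        // degree[t] == adj[t].size() when bookkeeping is right
    std::vector<int> simplifyWorklist;   // a vector, so duplicates become visible

    IRCModel(unsigned numTmps, unsigned numColors)
        : k(numColors), adj(numTmps), degree(numTmps, 0) { }

    // Mirrors addEdgeDistinct(): adds the edge if it is new and bumps both degrees.
    // Returns true only when the edge did not exist before.
    bool addEdgeDistinct(int u, int v)
    {
        if (!adj[u].insert(v).second)
            return false;
        adj[v].insert(u);
        degree[u]++;
        degree[v]++;
        return true;
    }

    // Mirrors decrementDegree(): when the degree drops from K to K-1 the Tmp
    // becomes simplifiable and is pushed on the worklist. Nothing here checks
    // whether the Tmp is already on a list, which is what the log describes.
    void decrementDegree(int t)
    {
        unsigned before = degree[t]--;
        if (before == k)
            simplifyWorklist.push_back(t);
    }

    // Coalesce a into b (alias a -> b): every edge r--a must become r--b.
    void coalesce(int a, int b, bool fixedBookkeeping)
    {
        for (int r : adj[a]) {
            if (!fixedBookkeeping) {
                // Order described in the log: add the edge (degree(r) may go
                // from K-1 to K), then decrementDegree(r) pushes r a second time.
                addEdgeDistinct(r, b);
                decrementDegree(r);
                continue;
            }
            // Assumed fix (not necessarily the one WebKit landed): a brand-new
            // edge r--b merely replaces r--a, so r's degree is unchanged net and
            // must not pass through decrementDegree(); only b's degree grew.
            if (addEdgeDistinct(r, b))
                degree[r]--;
            else
                decrementDegree(r); // edge already existed: r really lost r--a
        }
    }

    std::size_t timesOnSimplifyWorklist(int t) const
    {
        return std::count(simplifyWorklist.begin(), simplifyWorklist.end(), t);
    }
};

// The scenario from the log with K = 2: A--C interfere, B--C do not, and C is
// already on the simplify worklist with degree K-1. Returns how many times C is
// on the worklist after coalescing A into B (correct is 1; the bug yields 2).
std::size_t coalesceScenario(bool fixedBookkeeping)
{
    const int A = 0, B = 1, C = 2;
    IRCModel m(3, 2);
    m.addEdgeDistinct(A, C);           // degree(C) == k - 1
    m.simplifyWorklist.push_back(C);   // C is already in its list
    m.coalesce(A, B, fixedBookkeeping);
    return m.timesOnSimplifyWorklist(C);
}

int main()
{
    return coalesceScenario(false) == 2 && coalesceScenario(true) == 1 ? 0 : 1;
}
```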
130
131 2016-01-21  Andreas Kling  <akling@apple.com>
132
133         Add some missing WTF_MAKE_FAST_ALLOCATED in JavaScriptCore.
134         <https://webkit.org/b/153335>
135
136         Reviewed by Alex Christensen.
137
138         Saw these things getting system malloc()'ed in an Instruments trace.
139
140         * inspector/InspectorAgentBase.h:
141         * jit/CallFrameShuffleData.h:
142         * jit/CallFrameShuffler.h:
143         * jit/RegisterAtOffsetList.h:
144         * runtime/GenericOffset.h:
145
146 2016-01-21  Yusuke Suzuki  <utatane.tea@gmail.com>
147
148         [ES6] Catch parameter should accept BindingPattern
149         https://bugs.webkit.org/show_bug.cgi?id=152385
150
151         Reviewed by Saam Barati.
152
153         This patch implements destructuring in the catch parameter.
154         The catch parameter accepts a binding pattern or a binding identifier.
155         It creates lexical bindings, and "yield" and "let" are specially
156         handled in the same way as for function parameters.
157
158         In addition to that, we make destructuring parsing errors more descriptive.
159
160         * bytecompiler/BytecodeGenerator.cpp:
161         (JSC::BytecodeGenerator::emitPushCatchScope):
162         * bytecompiler/BytecodeGenerator.h:
163         * bytecompiler/NodesCodegen.cpp:
164         (JSC::TryNode::emitBytecode):
165         * parser/ASTBuilder.h:
166         (JSC::ASTBuilder::createTryStatement):
167         * parser/NodeConstructors.h:
168         (JSC::TryNode::TryNode):
169         * parser/Nodes.h:
170         * parser/Parser.cpp:
171         (JSC::Parser<LexerType>::createBindingPattern):
172         (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
173         (JSC::Parser<LexerType>::parseBindingOrAssignmentElement):
174         (JSC::destructuringKindToVariableKindName):
175         (JSC::Parser<LexerType>::parseDestructuringPattern):
176         (JSC::Parser<LexerType>::parseTryStatement):
177         (JSC::Parser<LexerType>::parseFormalParameters):
178         (JSC::Parser<LexerType>::parseFunctionParameters):
179         * parser/Parser.h:
180         (JSC::Parser::destructuringKindFromDeclarationType):
181         * parser/SyntaxChecker.h:
182         (JSC::SyntaxChecker::createTryStatement):
183         * tests/es6.yaml:
184         * tests/es6/destructuring_in_catch_heads.js: Added.
185         (test):
186         * tests/stress/catch-parameter-destructuring.js: Added.
187         (shouldBe):
188         (shouldThrow):
189         (prototype.call):
190         (catch):
191         (shouldThrow.try.throw.get error):
192         (initialize):
193         (array):
194         (generator.gen):
195         (generator):
196         * tests/stress/catch-parameter-syntax.js: Added.
197         (testSyntax):
198         (testSyntaxError):
199         * tests/stress/reserved-word-with-escape.js:
200         (testSyntaxError.String.raw.a):
201         (String.raw.SyntaxError.Cannot.use.the.keyword.string_appeared_here.as.a.name):
202         * tests/stress/yield-named-variable.js:
203
204 2016-01-21  Filip Pizlo  <fpizlo@apple.com>
205
206         Unreviewed, fix build.
207
208         * b3/B3EliminateCommonSubexpressions.cpp:
209
210 2016-01-21  Filip Pizlo  <fpizlo@apple.com>
211
212         B3 CSE should be able to match a full redundancy even if none of the matches dominate the value in question
213         https://bugs.webkit.org/show_bug.cgi?id=153321
214
215         Reviewed by Benjamin Poulain.
216
217         I once learned that LLVM's GVN can manufacture Phi functions. I don't know the details
218         but I'm presuming that it involves:
219
220             if (p)
221                 tmp1 = *ptr
222             else
223                 tmp2 = *ptr
224             tmp3 = *ptr // Replace this with Phi(tmp1, tmp2).
225
226         This adds such an optimization to our CSE. The idea is that we search through basic
227         blocks until we find the value we want, a side effect, or the start of the procedure. If
228         we find a value that matches our search criteria, we record it and ignore the
229         predecessors. If we find a side effect or the start of the procedure, we give up the
230         whole search. This ensures that if we come out of the search without giving up, we'll
231         have a set of matches that are fully redundant.
232
233         CSE could then create a Phi graph by using SSACalculator. But the recent work on FixSSA
234         revealed a much more exciting option: create a stack slot! In case there is more than one
235         match, CSE now creates a stack slot that each match stores to, and replaces the redundant
236         instruction with a load from the stack slot. The stack slot is anonymous, which ensures
237         that FixSSA will turn it into an optimal Phi graph or whatever.
238
239         This is a significant speed-up on Octane/richards.
240
241         * b3/B3DuplicateTails.cpp:
242         * b3/B3EliminateCommonSubexpressions.cpp:
243         * b3/B3FixSSA.cpp:
244         (JSC::B3::fixSSA):
245         * b3/B3Generate.cpp:
246         (JSC::B3::generateToAir):
247         * b3/B3Procedure.h:
248         (JSC::B3::Procedure::setFrontendData):
249         (JSC::B3::Procedure::frontendData):
250         * b3/testb3.cpp:
251         * ftl/FTLState.cpp:
252         (JSC::FTL::State::State):
253
254 2016-01-21  Filip Pizlo  <fpizlo@apple.com>
255
256         Air should know that CeilDouble has the partial register stall issue
257         https://bugs.webkit.org/show_bug.cgi?id=153338
258
259         Rubber stamped by Benjamin Poulain.
260
261         This is an 8% speed-up on Kraken with B3 enabled, mostly because of a 2.4x speed-up on
262         audio-oscillator.
263
264         * b3/air/AirFixPartialRegisterStalls.cpp:
265
266 2016-01-21  Andy VanWagoner  <andy@instructure.com>
267
268         [INTL] Implement Array.prototype.toLocaleString in ECMA-402
269         https://bugs.webkit.org/show_bug.cgi?id=147614
270
271         Reviewed by Benjamin Poulain.
272
273         The primary changes between the ECMA-402 version and the existing implementation
274         are passing the arguments on to each element's toLocaleString call, and
275         having missing/undefined/null elements become the empty string instead of being skipped.
276
277         * runtime/ArrayPrototype.cpp:
278         (JSC::arrayProtoFuncToLocaleString):
279
280 2016-01-21  Per Arne Vollan  <peavo@outlook.com>
281
282         [B3][Win64] Compile fixes.
283         https://bugs.webkit.org/show_bug.cgi?id=153312
284
285         Reviewed by Alex Christensen.
286
287         Since MSVC has several overloads of sin, cos, pow, and log, we need to specify
288         which one we want to use.
289
290         * ftl/FTLB3Output.h:
291         (JSC::FTL::Output::doubleSin):
292         (JSC::FTL::Output::doubleCos):
293         (JSC::FTL::Output::doublePow):
294         (JSC::FTL::Output::doubleLog):
295
296 2016-01-21  Benjamin Poulain  <benjamin@webkit.org>
297
298         [JSC] foldPathConstants() makes invalid assumptions with Switch
299         https://bugs.webkit.org/show_bug.cgi?id=153324
300
301         Reviewed by Filip Pizlo.
302
303         If a Switch() has two cases pointing to the same basic block, foldPathConstants()
304         was adding two overrides for that block with two different constants.
305         If the block with the Switch dominates the target, both overrides were equally valid
306         and we were assuming any of the constants as the value in the target block.
307
308         See testSwitchTargettingSameBlockFoldPathConstant() for an example that breaks.
309
310         This patch adds checks to ignore any block that is reached more than
311         once by the control value.
312
313         * b3/B3FoldPathConstants.cpp:
314         * b3/B3Generate.cpp:
315         (JSC::B3::generateToAir):
316         * b3/testb3.cpp:
317         (JSC::B3::testSwitchTargettingSameBlock):
318         (JSC::B3::testSwitchTargettingSameBlockFoldPathConstant):
319         (JSC::B3::run):
320
321 2016-01-21  Filip Pizlo  <fpizlo@apple.com>
322
323         Unreviewed, undo DFGCommon.h change that accidentally enabled the B3 JIT.
324
325         * dfg/DFGCommon.h:
326
327 2016-01-21  Filip Pizlo  <fpizlo@apple.com>
328
329         Move32 should have an Imm, Tmp form
330         https://bugs.webkit.org/show_bug.cgi?id=153313
331
332         Reviewed by Mark Lam.
333
334         This enables some useful optimizations, like constant propagation in fixObviousSpills().
335
336         * assembler/MacroAssemblerX86Common.h:
337         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
338         (JSC::MacroAssemblerX86Common::move):
339         * b3/air/AirOpcode.opcodes:
340
341 2016-01-21  Filip Pizlo  <fpizlo@apple.com>
342
343         B3 should have load elimination
344         https://bugs.webkit.org/show_bug.cgi?id=153288
345
346         Reviewed by Geoffrey Garen.
347
348         This adds a complete GCSE pass that includes load elimination. It would have been super hard
349         to make this work as part of the reduceStrength() fixpoint, since GCSE needs to analyze
350         control flow and reduceStrength() is messing with control flow. So, I did a compromise: I
351         factored out the pure CSE that reduceStrength() was already doing, and now we have:
352
353         - reduceStrength() still does pure CSE using the new PureCSE helper.
354
355         - eliminateCommonSubexpressions() is a separate phase that does general CSE. It uses the
356           PureCSE helper for pure values and does its own special thing for memory values.
357         
358         Unfortunately, this doesn't help any benchmark right now. It doesn't hurt anything, either,
359         and it's likely to become a bigger pay-off once we implement other features, like mapping
360         FTL's abstract heaps onto B3's heap ranges.
361
362         * CMakeLists.txt:
363         * JavaScriptCore.xcodeproj/project.pbxproj:
364         * b3/B3EliminateCommonSubexpressions.cpp: Added.
365         (JSC::B3::eliminateCommonSubexpressions):
366         * b3/B3EliminateCommonSubexpressions.h: Added.
367         * b3/B3Generate.cpp:
368         (JSC::B3::generateToAir):
369         * b3/B3HeapRange.h:
370         (JSC::B3::HeapRange::HeapRange):
371         * b3/B3InsertionSet.h:
372         (JSC::B3::InsertionSet::InsertionSet):
373         (JSC::B3::InsertionSet::isEmpty):
374         (JSC::B3::InsertionSet::code):
375         (JSC::B3::InsertionSet::appendInsertion):
376         * b3/B3MemoryValue.h:
377         * b3/B3PureCSE.cpp: Added.
378         (JSC::B3::PureCSE::PureCSE):
379         (JSC::B3::PureCSE::~PureCSE):
380         (JSC::B3::PureCSE::clear):
381         (JSC::B3::PureCSE::process):
382         * b3/B3PureCSE.h: Added.
383         * b3/B3ReduceStrength.cpp:
384         * b3/B3ReduceStrength.h:
385         * b3/B3Validate.cpp:
386
387 2016-01-21  Keith Miller  <keith_miller@apple.com>
388
389         Fix bug in TypedArray.prototype.set and add tests
390         https://bugs.webkit.org/show_bug.cgi?id=153309
391
392         Reviewed by Michael Saboff.
393
394         This patch fixes an issue with TypedArray.prototype.set where we would
395         assign a double to an unsigned without checking that the double was
396         in the range of the unsigned. Additionally, the patch also adds
397         tests for set for cases that were not covered before.
398
399         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
400         (JSC::genericTypedArrayViewProtoFuncSet):
401         * tests/stress/typedarray-set.js: Added.
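An added example that is not WebKit's code: the range check that has to happen before a JS Number offset is narrowed to an unsigned index, modelled on the ES2015 semantics of %TypedArray%.prototype.set (ToInteger on the offset, RangeError for a negative offset, RangeError when the source would overrun the target). The function and parameter names are assumptions.

```cpp
#include <cmath>
#include <cstdint>

// Added example (not WebKit's code). Narrowing a negative or out-of-range double
// to unsigned is undefined behaviour in C++, so every comparison below happens
// while the value is still a double. Returns false where the spec throws a
// RangeError; otherwise stores the validated offset in *out.
bool checkedSetOffset(double offset, uint32_t targetLength, uint32_t sourceLength, uint32_t* out)
{
    if (std::isnan(offset))
        offset = 0;                                // ToInteger(NaN) is +0
    offset = std::trunc(offset);                   // ToInteger truncates toward zero (-0.5 -> -0)
    if (offset < 0)
        return false;                              // negative offsets are a RangeError
    if (offset > static_cast<double>(targetLength))
        return false;                              // also rejects +Infinity and anything past the target
    uint32_t off = static_cast<uint32_t>(offset);  // provably in [0, targetLength] now
    // Add in 64 bits so a large sourceLength cannot wrap the sum back into range.
    if (static_cast<uint64_t>(off) + sourceLength > targetLength)
        return false;                              // the source would overrun the target
    *out = off;
    return true;
}

int main()
{
    uint32_t off = 0;
    bool ok = checkedSetOffset(2.9, 8, 4, &off) && off == 2
        && !checkedSetOffset(-1.0, 8, 1, &off)
        && !checkedSetOffset(4294967296.0, 8, 1, &off);
    return ok ? 0 : 1;
}
```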
402
403 2016-01-19  Ada Chan  <adachan@apple.com>
404
405         Make it possible to enable VIDEO_PRESENTATION_MODE on other Cocoa platforms.
406         https://bugs.webkit.org/show_bug.cgi?id=153218
407
408         Reviewed by Eric Carlson.
409
410         * Configurations/FeatureDefines.xcconfig:
411
412 2016-01-21  Per Arne Vollan  <peavo@outlook.com>
413
414         [B3][CMake] Add missing source file.
415         https://bugs.webkit.org/show_bug.cgi?id=153303
416
417         Reviewed by Csaba Osztrogonác.
418
419         * CMakeLists.txt:
420
421 2016-01-20  Commit Queue  <commit-queue@webkit.org>
422
423         Unreviewed, rolling out r195375.
424         https://bugs.webkit.org/show_bug.cgi?id=153300
425
426         Caused crashes on GuardMalloc (Requested by ap on #webkit).
427
428         Reverted changeset:
429
430         "TypedArray's .buffer does not return the JSArrayBuffer that
431         was passed to it on creation."
432         https://bugs.webkit.org/show_bug.cgi?id=153281
433         http://trac.webkit.org/changeset/195375
434
435 2016-01-19  Filip Pizlo  <fpizlo@apple.com>
436
437         B3 should have basic path specialization
438         https://bugs.webkit.org/show_bug.cgi?id=153200
439
440         Reviewed by Benjamin Poulain.
441
442         This adds two different kinds of path specializations:
443
444         - Check(Select) where the Select results are constants is specialized into a Branch
445           instead of a Select and duplicated paths where the results of the Select are folded.
446
447         - Tail duplication. A jump to a small block causes the block's contents to be copied over
448           the Jump.
449
450         Both optimizations required being able to clone Values. We can now do that using
451         proc.clone(value).
452
453         Check(Select) specialization needed some utilities for walking graphs of Values.
454
455         Tail duplication needed SSA fixup, so I added a way to demote values to anonymous stack
456         slots (B3's equivalent of non-SSA variables) and a way to "fix SSA", i.e. to allocate
457         anonymous stack slots to SSA values along with an optimal Phi graph.
458
459         This is a big speed-up on Octane/deltablue. It's a 2.2% speed-up on Octane overall.
460
461         * CMakeLists.txt:
462         * JavaScriptCore.xcodeproj/project.pbxproj:
463         * b3/B3ArgumentRegValue.cpp:
464         (JSC::B3::ArgumentRegValue::dumpMeta):
465         (JSC::B3::ArgumentRegValue::cloneImpl):
466         * b3/B3ArgumentRegValue.h:
467         * b3/B3BasicBlock.cpp:
468         (JSC::B3::BasicBlock::append):
469         (JSC::B3::BasicBlock::appendNonTerminal):
470         (JSC::B3::BasicBlock::removeLast):
471         * b3/B3BasicBlock.h:
472         (JSC::B3::BasicBlock::values):
473         * b3/B3BasicBlockInlines.h:
474         (JSC::B3::BasicBlock::appendNew):
475         (JSC::B3::BasicBlock::appendNewNonTerminal):
476         (JSC::B3::BasicBlock::replaceLastWithNew):
477         * b3/B3BlockInsertionSet.h:
478         * b3/B3BreakCriticalEdges.cpp: Added.
479         (JSC::B3::breakCriticalEdges):
480         * b3/B3BreakCriticalEdges.h: Added.
481         * b3/B3CCallValue.cpp:
482         (JSC::B3::CCallValue::~CCallValue):
483         (JSC::B3::CCallValue::cloneImpl):
484         * b3/B3CCallValue.h:
485         * b3/B3CheckValue.cpp:
486         (JSC::B3::CheckValue::convertToAdd):
487         (JSC::B3::CheckValue::cloneImpl):
488         (JSC::B3::CheckValue::CheckValue):
489         * b3/B3CheckValue.h:
490         * b3/B3Const32Value.cpp:
491         (JSC::B3::Const32Value::dumpMeta):
492         (JSC::B3::Const32Value::cloneImpl):
493         * b3/B3Const32Value.h:
494         * b3/B3Const64Value.cpp:
495         (JSC::B3::Const64Value::dumpMeta):
496         (JSC::B3::Const64Value::cloneImpl):
497         * b3/B3Const64Value.h:
498         * b3/B3ConstDoubleValue.cpp:
499         (JSC::B3::ConstDoubleValue::dumpMeta):
500         (JSC::B3::ConstDoubleValue::cloneImpl):
501         * b3/B3ConstDoubleValue.h:
502         * b3/B3ConstFloatValue.cpp:
503         (JSC::B3::ConstFloatValue::dumpMeta):
504         (JSC::B3::ConstFloatValue::cloneImpl):
505         * b3/B3ConstFloatValue.h:
506         * b3/B3ControlValue.cpp:
507         (JSC::B3::ControlValue::dumpMeta):
508         (JSC::B3::ControlValue::cloneImpl):
509         * b3/B3ControlValue.h:
510         * b3/B3DuplicateTails.cpp: Added.
511         (JSC::B3::duplicateTails):
512         * b3/B3DuplicateTails.h: Added.
513         * b3/B3FixSSA.cpp: Added.
514         (JSC::B3::demoteValues):
515         (JSC::B3::fixSSA):
516         * b3/B3FixSSA.h: Added.
517         * b3/B3Generate.cpp:
518         (JSC::B3::generateToAir):
519         * b3/B3IndexSet.h:
520         (JSC::B3::IndexSet::Iterable::Iterable):
521         (JSC::B3::IndexSet::values):
522         (JSC::B3::IndexSet::indices):
523         * b3/B3InsertionSet.cpp:
524         (JSC::B3::InsertionSet::insertIntConstant):
525         (JSC::B3::InsertionSet::insertBottom):
526         (JSC::B3::InsertionSet::execute):
527         * b3/B3InsertionSet.h:
528         * b3/B3LowerToAir.cpp:
529         (JSC::B3::Air::LowerToAir::run):
530         (JSC::B3::Air::LowerToAir::tmp):
531         * b3/B3MemoryValue.cpp:
532         (JSC::B3::MemoryValue::dumpMeta):
533         (JSC::B3::MemoryValue::cloneImpl):
534         * b3/B3MemoryValue.h:
535         * b3/B3OriginDump.cpp: Added.
536         (JSC::B3::OriginDump::dump):
537         * b3/B3OriginDump.h:
538         (JSC::B3::OriginDump::OriginDump):
539         (JSC::B3::OriginDump::dump): Deleted.
540         * b3/B3PatchpointValue.cpp:
541         (JSC::B3::PatchpointValue::dumpMeta):
542         (JSC::B3::PatchpointValue::cloneImpl):
543         (JSC::B3::PatchpointValue::PatchpointValue):
544         * b3/B3PatchpointValue.h:
545         * b3/B3Procedure.cpp:
546         (JSC::B3::Procedure::addBlock):
547         (JSC::B3::Procedure::clone):
548         (JSC::B3::Procedure::addIntConstant):
549         (JSC::B3::Procedure::addBottom):
550         (JSC::B3::Procedure::addBoolConstant):
551         (JSC::B3::Procedure::deleteValue):
552         * b3/B3Procedure.h:
553         * b3/B3ReduceStrength.cpp:
554         * b3/B3SSACalculator.cpp: Added.
555         (JSC::B3::SSACalculator::Variable::dump):
556         (JSC::B3::SSACalculator::Variable::dumpVerbose):
557         (JSC::B3::SSACalculator::Def::dump):
558         (JSC::B3::SSACalculator::SSACalculator):
559         (JSC::B3::SSACalculator::~SSACalculator):
560         (JSC::B3::SSACalculator::reset):
561         (JSC::B3::SSACalculator::newVariable):
562         (JSC::B3::SSACalculator::newDef):
563         (JSC::B3::SSACalculator::nonLocalReachingDef):
564         (JSC::B3::SSACalculator::reachingDefAtTail):
565         (JSC::B3::SSACalculator::dump):
566         * b3/B3SSACalculator.h: Added.
567         (JSC::B3::SSACalculator::Variable::index):
568         (JSC::B3::SSACalculator::Variable::Variable):
569         (JSC::B3::SSACalculator::Def::variable):
570         (JSC::B3::SSACalculator::Def::block):
571         (JSC::B3::SSACalculator::Def::value):
572         (JSC::B3::SSACalculator::Def::Def):
573         (JSC::B3::SSACalculator::variable):
574         (JSC::B3::SSACalculator::computePhis):
575         (JSC::B3::SSACalculator::phisForBlock):
576         (JSC::B3::SSACalculator::reachingDefAtHead):
577         * b3/B3StackSlotKind.h:
578         * b3/B3StackSlotValue.cpp:
579         (JSC::B3::StackSlotValue::dumpMeta):
580         (JSC::B3::StackSlotValue::cloneImpl):
581         * b3/B3StackSlotValue.h:
582         * b3/B3SwitchValue.cpp:
583         (JSC::B3::SwitchValue::dumpMeta):
584         (JSC::B3::SwitchValue::cloneImpl):
585         (JSC::B3::SwitchValue::SwitchValue):
586         * b3/B3SwitchValue.h:
587         * b3/B3UpsilonValue.cpp:
588         (JSC::B3::UpsilonValue::dumpMeta):
589         (JSC::B3::UpsilonValue::cloneImpl):
590         * b3/B3UpsilonValue.h:
591         * b3/B3Validate.cpp:
592         * b3/B3Value.cpp:
593         (JSC::B3::Value::replaceWithNop):
594         (JSC::B3::Value::replaceWithPhi):
595         (JSC::B3::Value::dump):
596         (JSC::B3::Value::cloneImpl):
597         (JSC::B3::Value::dumpChildren):
598         (JSC::B3::Value::deepDump):
599         * b3/B3Value.h:
600         (JSC::B3::DeepValueDump::DeepValueDump):
601         (JSC::B3::DeepValueDump::dump):
602         (JSC::B3::deepDump):
603         * b3/B3ValueInlines.h:
604         (JSC::B3::Value::asNumber):
605         (JSC::B3::Value::walk):
606         * b3/B3ValueKey.cpp:
607         (JSC::B3::ValueKey::intConstant):
608         (JSC::B3::ValueKey::dump):
609         * b3/B3ValueKey.h:
610         (JSC::B3::ValueKey::ValueKey):
611         (JSC::B3::ValueKey::opcode):
612         (JSC::B3::ValueKey::type):
613         (JSC::B3::ValueKey::childIndex):
614         * b3/air/AirCode.h:
615         (JSC::B3::Air::Code::forAllTmps):
616         (JSC::B3::Air::Code::isFastTmp):
617         * b3/air/AirIteratedRegisterCoalescing.cpp:
618         * b3/air/AirUseCounts.h:
619         (JSC::B3::Air::UseCounts::UseCounts):
620         (JSC::B3::Air::UseCounts::operator[]):
621         (JSC::B3::Air::UseCounts::dump):
622         * b3/testb3.cpp:
623         (JSC::B3::testSelectInvert):
624         (JSC::B3::testCheckSelect):
625         (JSC::B3::testCheckSelectCheckSelect):
626         (JSC::B3::testPowDoubleByIntegerLoop):
627         (JSC::B3::run):
628         * runtime/Options.h:
629
630 2016-01-20  Benjamin Poulain  <bpoulain@apple.com>
631
632         [JSC] Fix a typo in the Air definition of CeilDouble/CeilFloat
633         https://bugs.webkit.org/show_bug.cgi?id=153286
634
635         Reviewed by Mark Lam.
636
637         * b3/air/AirOpcode.opcodes:
638         The second argument should be a Def. The previous definition was
639         adding useless constraints on the allocation of the second argument.
640
641 2016-01-20  Benjamin Poulain  <benjamin@webkit.org>
642
643         [JSC] The register allocator can use a dangling pointer when selecting a spill candidate
644         https://bugs.webkit.org/show_bug.cgi?id=153287
645
646         Reviewed by Mark Lam.
647
648         A tricky bug I discovered while experimenting with live range breaking.
649
650         We have the following initial conditions:
651         -UseCounts is slow, so we only compute it once for all the iterations
652          of the allocator.
653         -The only new Tmps we create are for spills and refills. They are unspillable
654          by definition so it is fine to not update UseCounts accordingly.
655
656         But, in selectSpill(), we go over all the spill candidates and select the best
657         one based on its score. The score() lambda uses useCounts, so it cannot be used
658         with new Tmps created for something we already spilled.
659
660         The first use of score() is correct: we started by skipping all the unspillable
661         Tmps from the candidates. The next use was incorrect: we were checking unspillableTmps
662         *after* calling score().
663
664         The existing tests did not catch this due to bad luck. I added an assertion
665         to find similar problems in the future.
666
667         * b3/air/AirIteratedRegisterCoalescing.cpp:
668         * b3/air/AirUseCounts.h:
669
670 2016-01-20  Saam barati  <sbarati@apple.com>
671
672         Fix CLoop build after bug https://bugs.webkit.org/show_bug.cgi?id=152766
673
674         Unreviewed build fix.
675
676         * inspector/agents/InspectorScriptProfilerAgent.h:
677
678 2016-01-20  Andy VanWagoner  <thetalecrafter@gmail.com>
679
680         [INTL] Implement Date.prototype.toLocaleTimeString in ECMA-402
681         https://bugs.webkit.org/show_bug.cgi?id=147613
682
683         Reviewed by Darin Adler.
684
685         Implement toLocaleTimeString in builtin JavaScript.
686
687         * builtins/DatePrototype.js:
688         (toLocaleTimeString.toDateTimeOptionsTimeTime):
689         (toLocaleTimeString):
690         * runtime/DatePrototype.cpp:
691         (JSC::DatePrototype::finishCreation):
692
693 2016-01-20  Saam barati  <sbarati@apple.com>
694
695         Web Inspector: Hook the sampling profiler into the Timelines UI
696         https://bugs.webkit.org/show_bug.cgi?id=152766
697         <rdar://problem/24066360>
698
699         Reviewed by Joseph Pecoraro.
700
701         This patch adds some necessary functions to SamplingProfiler::StackFrame
702         to allow it to give data to the Inspector for the timelines UI, i.e., the
703         sourceID of the executable of a stack frame.
704
705         This patch also swaps in the SamplingProfiler in place of the
706         LegacyProfiler inside InspectorScriptProfilerAgent. It adds
707         the necessary protocol data to allow the SamplingProfiler's
708         data to hook into the timelines UI.
709
710         * debugger/Debugger.cpp:
711         (JSC::Debugger::setProfilingClient):
712         (JSC::Debugger::willEvaluateScript):
713         (JSC::Debugger::didEvaluateScript):
714         (JSC::Debugger::toggleBreakpoint):
715         * debugger/Debugger.h:
716         * debugger/ScriptProfilingScope.h:
717         (JSC::ScriptProfilingScope::ScriptProfilingScope):
718         (JSC::ScriptProfilingScope::~ScriptProfilingScope):
719         * inspector/agents/InspectorScriptProfilerAgent.cpp:
720         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
721         (Inspector::InspectorScriptProfilerAgent::startTracking):
722         (Inspector::InspectorScriptProfilerAgent::stopTracking):
723         (Inspector::InspectorScriptProfilerAgent::isAlreadyProfiling):
724         (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
725         (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
726         (Inspector::InspectorScriptProfilerAgent::addEvent):
727         (Inspector::buildSamples):
728         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
729         (Inspector::buildAggregateCallInfoInspectorObject): Deleted.
730         (Inspector::buildInspectorObject): Deleted.
731         (Inspector::buildProfileInspectorObject): Deleted.
732         * inspector/agents/InspectorScriptProfilerAgent.h:
733         * inspector/protocol/ScriptProfiler.json:
734         * jsc.cpp:
735         (functionSamplingProfilerStackTraces):
736         * runtime/SamplingProfiler.cpp:
737         (JSC::SamplingProfiler::start):
738         (JSC::SamplingProfiler::stop):
739         (JSC::SamplingProfiler::clearData):
740         (JSC::SamplingProfiler::StackFrame::displayName):
741         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
742         (JSC::SamplingProfiler::StackFrame::startLine):
743         (JSC::SamplingProfiler::StackFrame::startColumn):
744         (JSC::SamplingProfiler::StackFrame::sourceID):
745         (JSC::SamplingProfiler::StackFrame::url):
746         (JSC::SamplingProfiler::stackTraces):
747         (JSC::SamplingProfiler::stackTracesAsJSON):
748         (JSC::displayName): Deleted.
749         (JSC::SamplingProfiler::stacktracesAsJSON): Deleted.
750         * runtime/SamplingProfiler.h:
751         (JSC::SamplingProfiler::StackFrame::StackFrame):
752         (JSC::SamplingProfiler::getLock):
753         (JSC::SamplingProfiler::setTimingInterval):
754         (JSC::SamplingProfiler::totalTime):
755         (JSC::SamplingProfiler::setStopWatch):
756         (JSC::SamplingProfiler::stackTraces): Deleted.
757         * tests/stress/sampling-profiler-anonymous-function.js:
758         (platformSupportsSamplingProfiler.baz):
759         (platformSupportsSamplingProfiler):
760         * tests/stress/sampling-profiler-basic.js:
761         (platformSupportsSamplingProfiler.nothing):
762         (platformSupportsSamplingProfiler.top):
763         * tests/stress/sampling-profiler/samplingProfiler.js:
764         (doesTreeHaveStackTrace):
765
766 2016-01-20  Keith Miller  <keith_miller@apple.com>
767
768         TypedArray's .buffer does not return the JSArrayBuffer that was passed to it on creation.
769         https://bugs.webkit.org/show_bug.cgi?id=153281
770
771         Reviewed by Geoffrey Garen.
772
773         When creating a JSArrayBuffer we should make sure that the backing ArrayBuffer uses the
774         new JSArrayBuffer as its wrapper. This causes issues when we get the buffer of a Typed Array
775         created by passing a JSArrayBuffer, as the backing ArrayBuffer does not have a reference to
776         the original JSArrayBuffer and a new object is created.
777
778         * runtime/JSArrayBuffer.cpp:
779         (JSC::JSArrayBuffer::finishCreation):
780         * tests/stress/typedarray-buffer-neutered.js: Added.
781         (arrays.typedArrays.map):
782
783 2016-01-20  Andreas Kling  <akling@apple.com>
784
785         Pack RegisterAtOffset harder.
786         <https://webkit.org/b/152501>
787
788         Reviewed by Michael Saboff.
789
790         Pack the register index and the offset into a single pointer-sized word instead of two.
791         This reduces memory consumption by 620 kB on mobile theverge.com.
792
793         The packing doesn't succeed on MSVC for some reason, so I've left out the static
794         assertion about class size in those builds.
795
796         * jit/RegisterAtOffset.cpp:
797         * jit/RegisterAtOffset.h:
798
799 2016-01-20  Per Arne Vollan  <peavo@outlook.com>
800
801         [B3][Win64] Compile fix.
802         https://bugs.webkit.org/show_bug.cgi?id=153278
803
804         Reviewed by Filip Pizlo.
805
806         MSVC does not accept that a class declared as exported also has members declared as exported.
807
808         * b3/B3Const32Value.h:
809         * b3/B3ControlValue.h:
810
811 2016-01-19  Keith Miller  <keith_miller@apple.com>
812
813         [ES6] Fix various issues with TypedArrays.
814         https://bugs.webkit.org/show_bug.cgi?id=153245
815
816         Reviewed by Geoffrey Garen.
817
818         This patch fixes a couple of issues with TypedArrays:
819
820         1) We were not checking if a view had been neutered and throwing an error
821         if it had in our TypedArray.prototype functions.
822
823         2) The TypedArray.prototype.set function had a couple of minor issues with
824         checking for the offset being negative.
825
826         3) The JSArrayBufferView class did not check if the backing store had
827         been neutered when computing the offset even though the view's vector
828         pointer had been set to NULL. This meant that under some conditions we
829         could, occasionally, return a garbage number as the offset. Now, we only
830         neuter views if the backing ArrayBuffer's view is actually transferred.
831
832         * jsc.cpp:
833         (GlobalObject::finishCreation):
834         (functionNeuterTypedArray):
835         * runtime/JSArrayBufferView.h:
836         (JSC::JSArrayBufferView::isNeutered):
837         * runtime/JSArrayBufferViewInlines.h:
838         (JSC::JSArrayBufferView::byteOffset):
839         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
840         (JSC::genericTypedArrayViewProtoFuncSet):
841         (JSC::genericTypedArrayViewProtoFuncEntries):
842         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
843         (JSC::genericTypedArrayViewProtoFuncFill):
844         (JSC::genericTypedArrayViewProtoFuncIndexOf):
845         (JSC::genericTypedArrayViewProtoFuncJoin):
846         (JSC::genericTypedArrayViewProtoFuncKeys):
847         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
848         (JSC::genericTypedArrayViewProtoFuncReverse):
849         (JSC::genericTypedArrayViewPrivateFuncSort):
850         (JSC::genericTypedArrayViewProtoFuncSlice):
851         (JSC::genericTypedArrayViewProtoFuncSubarray):
852         (JSC::typedArrayViewProtoFuncValues):
853         * runtime/JSTypedArrayViewPrototype.cpp:
854         (JSC::typedArrayViewPrivateFuncLength):
855         (JSC::typedArrayViewPrivateFuncSort): Deleted.
856         * tests/stress/typedarray-functions-with-neutered.js: Added.
857         (getGetter):
858         (unit):
859         (args.new.Int32Array):
860         (arrays.typedArrays.map):
861         (checkProtoFunc.throwsCorrectError):
862         (checkProtoFunc):
863         (test):
864
865 2016-01-19  Andy VanWagoner  <thetalecrafter@gmail.com>
866
867         [INTL] Implement Date.prototype.toLocaleDateString in ECMA-402
868         https://bugs.webkit.org/show_bug.cgi?id=147612
869
870         Reviewed by Benjamin Poulain.
871
872         Implement toLocaleDateString in builtin JavaScript. Remove comments with
873         spec steps, and instead link to the new HTML version of the spec.
874
875         Avoids creating an extra empty object in the prototype chain of the options
876         object in ToDateTimeOptions. The version used in toLocaleString was updated
877         to match as well.
878
879         * builtins/DatePrototype.js:
880         (toLocaleString.toDateTimeOptionsAnyAll):
881         (toLocaleString):
882         (toLocaleDateString.toDateTimeOptionsDateDate):
883         (toLocaleDateString):
884         * runtime/DatePrototype.cpp:
885         (JSC::DatePrototype::finishCreation):
886
887 2016-01-19  Benjamin Poulain  <bpoulain@apple.com>
888
889         [JSC] fixSpillSlotZDef() crashes on ARM64
890         https://bugs.webkit.org/show_bug.cgi?id=153246
891
892         Reviewed by Geoffrey Garen.
893
894         Moving an immediate to memory is not a valid instruction on ARM64.
895         This patch adds a small workaround for this specific case: an instruction
896         to zero a chunk of memory.
897
898         * assembler/MacroAssemblerARM64.h:
899         (JSC::MacroAssemblerARM64::storeZero32):
900         * assembler/MacroAssemblerX86Common.h:
901         (JSC::MacroAssemblerX86Common::storeZero32):
902         * b3/air/AirFixSpillSlotZDef.h:
903         (JSC::B3::Air::fixSpillSlotZDef):
904         * b3/air/AirOpcode.opcodes:
905
906 2016-01-19  Enrica Casucci  <enrica@apple.com>
907
908         Add support for DataDetectors in WK (iOS).
909         https://bugs.webkit.org/show_bug.cgi?id=152989
910         rdar://problem/22855960
911
912         Reviewed by Tim Horton.
913
914         Adding feature definition for data detection.
915
916         * Configurations/FeatureDefines.xcconfig:
917
918 2016-01-19  Per Arne Vollan  <peavo@outlook.com>
919
920         [B3][Win64] Compile and warning fixes.
921         https://bugs.webkit.org/show_bug.cgi?id=153234
922
923         Reviewed by Alex Christensen.
924
925         The size of 'long' is 4 bytes on Win64. We can use 'long long' instead,
926         when we want the size to be 8 bytes.
927
928         * b3/B3LowerMacrosAfterOptimizations.cpp:
929         * b3/B3ReduceStrength.cpp:
930
931 2016-01-19  Csaba Osztrogonác  <ossy@webkit.org>
932
933         [cmake] Fix the B3 build after r195159
934         https://bugs.webkit.org/show_bug.cgi?id=153232
935
936         Reviewed by Yusuke Suzuki.
937
938         * CMakeLists.txt:
939
940 2016-01-19  Commit Queue  <commit-queue@webkit.org>
941
942         Unreviewed, rolling out r195300.
943         https://bugs.webkit.org/show_bug.cgi?id=153244
944
945         enrica wants more time to fix Windows (Requested by thorton on
946         #webkit).
947
948         Reverted changeset:
949
950         "Add support for DataDetectors in WK (iOS)."
951         https://bugs.webkit.org/show_bug.cgi?id=152989
952         http://trac.webkit.org/changeset/195300
953
954 2016-01-19  Filip Pizlo  <fpizlo@apple.com>
955
956         Reconsider B3's constant motion policy
957         https://bugs.webkit.org/show_bug.cgi?id=152202
958
959         Reviewed by Geoffrey Garen.
960
961         This changes moveConstants() to hoist constants. This is a speed-up on things like mandreel.
962         It has a generally positive impact on the Octane score, but it's within margin of error.
963
964         This also changes IRC to make it a bit more likely to spill constants. We don't want it to
965         spill them too much, because we can't rely on fixObviousSpills() to always replace a load of
966         a constant from the stack with the constant itself, especially in case of instructions that
967         need an extra register to materialize the immediate.
968
969         Also fixed DFG graph dumping to print a bit less things. It was trying to print the results of
970         constant property inference, and this sometimes caused crashes when you dumped the graph at an
971         inopportune time.
972
973         * JavaScriptCore.xcodeproj/project.pbxproj:
974         * b3/B3MoveConstants.cpp:
975         * b3/air/AirArg.h:
976         * b3/air/AirArgInlines.h: Added.
977         (JSC::B3::Air::ArgThingHelper<Tmp>::is):
978         (JSC::B3::Air::ArgThingHelper<Tmp>::as):
979         (JSC::B3::Air::ArgThingHelper<Tmp>::forEachFast):
980         (JSC::B3::Air::ArgThingHelper<Tmp>::forEach):
981         (JSC::B3::Air::ArgThingHelper<Arg>::is):
982         (JSC::B3::Air::ArgThingHelper<Arg>::as):
983         (JSC::B3::Air::ArgThingHelper<Arg>::forEachFast):
984         (JSC::B3::Air::ArgThingHelper<Arg>::forEach):
985         (JSC::B3::Air::Arg::is):
986         (JSC::B3::Air::Arg::as):
987         (JSC::B3::Air::Arg::forEachFast):
988         (JSC::B3::Air::Arg::forEach):
989         * b3/air/AirIteratedRegisterCoalescing.cpp:
990         * b3/air/AirUseCounts.h:
991         (JSC::B3::Air::UseCounts::UseCounts):
992         * dfg/DFGGraph.cpp:
993         (JSC::DFG::Graph::dump):
994
995 2016-01-19  Enrica Casucci  <enrica@apple.com>
996
997         Add support for DataDetectors in WK (iOS).
998         https://bugs.webkit.org/show_bug.cgi?id=152989
999         rdar://problem/22855960
1000
1001         Reviewed by Tim Horton.
1002
1003         Adding feature definition.
1004
1005         * Configurations/FeatureDefines.xcconfig:
1006
1007 2016-01-17  Filip Pizlo  <fpizlo@apple.com>
1008
1009         FTL B3 should be just as fast as FTL LLVM on Octane/crypto
1010         https://bugs.webkit.org/show_bug.cgi?id=153113
1011
1012         Reviewed by Saam Barati.
1013
1014         This is the result of a hacking rampage to close the gap between FTL B3 and FTL LLVM on
1015         Octane/crypto. It was a very successful rampage.
1016
1017         The biggest change in this patch is the introduction of a phase called fixObviousSpills()
1018         that fixes patterns like:
1019
1020         Store register to stack slot and then use stack slot:
1021             Move %rcx, (stack42)
1022             Foo use:(stack42) // replace (stack42) with %rcx here.
1023
1024         Load stack slot into register and then use stack slot:
1025             Move (stack42), %rcx
1026             Foo use:(stack42) // replace (stack42) with %rcx here.
1027
1028         Store constant into stack slot and then use stack slot:
1029             Move $42, %rcx
1030             Move %rcx, (stack42)
1031             Bar def:%rcx // %rcx isn't available anymore, but we still know that (stack42) is $42
1032             Foo use:(stack42) // replace (stack42) with $42 here.
1033
1034         This phase does these fixups by doing a global forward flow that propagates sets of
1035         must-aliases.
1036
1037         Also added a phase to report register pressure. It pretty-prints code alongside the set of
1038         in-use registers above each instruction. Using this phase, I found that our register
1039         allocator is actually doing a pretty awesome job. I had previously feared that we'd have to
1040         make substantial changes to register allocation. I don't have such a fear anymore, at least
1041         for Octane/crypto. In the future, we can check how the regalloc is performing just by
1042         enabling logAirRegisterPressure.
1043
1044         Also fixed some FTL codegen pathologies. We were using bitOr where we meant to use a
1045         conditional or. LLVM likes to canonicalize boolean expressions this way. B3, on the other
1046         hand, doesn't do this canonicalization and doesn't have logic to decompose it into sequences
1047         of branches.
1048
1049         Also added strength reductions for checked arithmetic. It turns out that LLVM learned how to
1050         reduce checked multiply to unchecked multiply in some obvious cases that our existing DFG
1051         optimizations lacked. Ideally, our DFG integer range optimization phase would cover this. But
1052         the cases of interest were dead simple - the incoming values to the CheckMul were obviously
1053         too small to cause overflow. I added such reasoning to B3's strength reduction.
1054
1055         Finally, this fixes some bugs with how we were handling subwidth spill slots. The register
1056         allocator was making two mistakes. First, it might cause a Width64 def or use of a 4-byte
1057         spill slot. In that case, it would extend the size of the spill slot to ensure that the use
1058         or def is safe. Second, it emulates ZDef on Tmp behavior by emitting a Move32 to initialize
1059         the high bits of a spill slot. But this is unsound because of the liveness semantics of spill
1060         slots. They cannot have more than one def to initialize their value. I fixed that by making
1061         allocateStack() be the thing that fixes ZDefs. That's a change to ZDef semantics: now, ZDef
1062         on an anonymous stack slot means that the high bits are zero-filled. I wasn't able to
1063         construct a test for this. It might be a hypothetical bug, but still, I like how this
1064         simplifies the register allocator.
1065
1066         This is a ~0.7% speed-up on Octane.
1067
1068         * CMakeLists.txt:
1069         * JavaScriptCore.xcodeproj/project.pbxproj:
1070         * b3/B3CheckSpecial.cpp:
1071         (JSC::B3::CheckSpecial::hiddenBranch):
1072         (JSC::B3::CheckSpecial::forEachArg):
1073         (JSC::B3::CheckSpecial::commitHiddenBranch): Deleted.
1074         * b3/B3CheckSpecial.h:
1075         * b3/B3LowerToAir.cpp:
1076         (JSC::B3::Air::LowerToAir::fillStackmap):
1077         (JSC::B3::Air::LowerToAir::lower):
1078         * b3/B3StackmapValue.h:
1079         * b3/air/AirAllocateStack.cpp:
1080         (JSC::B3::Air::allocateStack):
1081         * b3/air/AirAllocateStack.h:
1082         * b3/air/AirArg.h:
1083         (JSC::B3::Air::Arg::callArg):
1084         (JSC::B3::Air::Arg::stackAddr):
1085         (JSC::B3::Air::Arg::isValidScale):
1086         * b3/air/AirBasicBlock.cpp:
1087         (JSC::B3::Air::BasicBlock::deepDump):
1088         (JSC::B3::Air::BasicBlock::dumpHeader):
1089         (JSC::B3::Air::BasicBlock::dumpFooter):
1090         * b3/air/AirBasicBlock.h:
1091         * b3/air/AirCCallSpecial.cpp:
1092         (JSC::B3::Air::CCallSpecial::CCallSpecial):
1093         (JSC::B3::Air::CCallSpecial::~CCallSpecial):
1094         * b3/air/AirCode.h:
1095         (JSC::B3::Air::Code::lastPhaseName):
1096         (JSC::B3::Air::Code::setEnableRCRS):
1097         (JSC::B3::Air::Code::enableRCRS):
1098         * b3/air/AirCustom.cpp:
1099         (JSC::B3::Air::PatchCustom::isValidForm):
1100         (JSC::B3::Air::CCallCustom::isValidForm):
1101         * b3/air/AirCustom.h:
1102         (JSC::B3::Air::PatchCustom::isValidFormStatic):
1103         (JSC::B3::Air::PatchCustom::admitsStack):
1104         (JSC::B3::Air::PatchCustom::isValidForm): Deleted.
1105         * b3/air/AirEmitShuffle.cpp:
1106         (JSC::B3::Air::ShufflePair::dump):
1107         (JSC::B3::Air::createShuffle):
1108         (JSC::B3::Air::emitShuffle):
1109         * b3/air/AirEmitShuffle.h:
1110         * b3/air/AirFixObviousSpills.cpp: Added.
1111         (JSC::B3::Air::fixObviousSpills):
1112         * b3/air/AirFixObviousSpills.h: Added.
1113         * b3/air/AirFixSpillSlotZDef.h: Removed.
1114         * b3/air/AirGenerate.cpp:
1115         (JSC::B3::Air::prepareForGeneration):
1116         (JSC::B3::Air::generate):
1117         * b3/air/AirHandleCalleeSaves.cpp:
1118         (JSC::B3::Air::handleCalleeSaves):
1119         * b3/air/AirInst.h:
1120         * b3/air/AirInstInlines.h:
1121         (JSC::B3::Air::Inst::reportUsedRegisters):
1122         (JSC::B3::Air::Inst::admitsStack):
1123         (JSC::B3::Air::isShiftValid):
1124         * b3/air/AirIteratedRegisterCoalescing.cpp:
1125         * b3/air/AirLiveness.h:
1126         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
1127         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::begin):
1128         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::end):
1129         (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::contains):
1130         (JSC::B3::Air::AbstractLiveness::LocalCalc::live):
1131         (JSC::B3::Air::AbstractLiveness::LocalCalc::isLive):
1132         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
1133         (JSC::B3::Air::AbstractLiveness::rawLiveAtHead):
1134         (JSC::B3::Air::AbstractLiveness::Iterable::begin):
1135         (JSC::B3::Air::AbstractLiveness::Iterable::end):
1136         (JSC::B3::Air::AbstractLiveness::Iterable::contains):
1137         (JSC::B3::Air::AbstractLiveness::liveAtTail):
1138         (JSC::B3::Air::AbstractLiveness::workset):
1139         * b3/air/AirLogRegisterPressure.cpp: Added.
1140         (JSC::B3::Air::logRegisterPressure):
1141         * b3/air/AirLogRegisterPressure.h: Added.
1142         * b3/air/AirOptimizeBlockOrder.cpp:
1143         (JSC::B3::Air::blocksInOptimizedOrder):
1144         (JSC::B3::Air::optimizeBlockOrder):
1145         * b3/air/AirOptimizeBlockOrder.h:
1146         * b3/air/AirReportUsedRegisters.cpp:
1147         (JSC::B3::Air::reportUsedRegisters):
1148         * b3/air/AirReportUsedRegisters.h:
1149         * b3/air/AirSpillEverything.cpp:
1150         (JSC::B3::Air::spillEverything):
1151         * b3/air/AirStackSlot.h:
1152         (JSC::B3::Air::StackSlot::isLocked):
1153         (JSC::B3::Air::StackSlot::index):
1154         (JSC::B3::Air::StackSlot::ensureSize):
1155         (JSC::B3::Air::StackSlot::alignment):
1156         * b3/air/AirValidate.cpp:
1157         * ftl/FTLB3Compile.cpp:
1158         (JSC::FTL::compile):
1159         * ftl/FTLLowerDFGToLLVM.cpp:
1160         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
1161         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
1162         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMod):
1163         * jit/RegisterSet.h:
1164         (JSC::RegisterSet::get):
1165         (JSC::RegisterSet::setAll):
1166         (JSC::RegisterSet::merge):
1167         (JSC::RegisterSet::filter):
1168         * runtime/Options.h:
1169
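The must-alias forward flow that the fixObviousSpills() entry above describes, modelled as an added example. This is not JavaScriptCore's code: Air instructions and operands are stood in for by tuples and strings, and the blocks it runs over are constructed.

```python
"""Toy model of the must-alias forward flow described for fixObviousSpills().

Added example, not JavaScriptCore code: Air instructions and operands are
stood in for by tuples and strings, and all input blocks are constructed.
"""

# Operands: "%rcx" register, "(stack42)" anonymous spill slot, "$42" immediate.
def is_reg(x):  return x.startswith("%")
def is_slot(x): return x.startswith("(")
def is_imm(x):  return x.startswith("$")


def uses_and_defs(inst):
    """An instruction is ("Move", src, dst) or (opcode, [uses], [defs])."""
    if inst[0] == "Move":
        return [inst[1]], [inst[2]]
    return list(inst[1]), list(inst[2])


def equivalents(facts, operand):
    """Everything the must-alias facts say currently holds the same value."""
    out = set()
    for pair in facts:
        if operand in pair:
            out |= pair - {operand}
    return out


def rewrite_use(facts, operand):
    """A spill-slot use becomes an equivalent register, else an immediate."""
    if not is_slot(operand):
        return operand
    eq = equivalents(facts, operand)
    regs = sorted(e for e in eq if is_reg(e))
    imms = sorted(e for e in eq if is_imm(e))
    return (regs or imms or [operand])[0]


def transfer(facts, inst):
    """Rewrite one instruction's uses, then kill and gen must-alias facts."""
    uses, defs = uses_and_defs(inst)
    new_uses = [rewrite_use(facts, u) for u in uses]
    # Kill: anything written by this instruction no longer aliases anything.
    facts = {p for p in facts if not (p & set(defs))}
    if inst[0] == "Move":
        # Gen: dst now aliases src and, transitively, everything src aliases
        # (this is how "(stack42) is $42" survives a later def of %rcx).
        src, dst = new_uses[0], defs[0]
        if src != dst:
            for e in equivalents(facts, src) | {src}:
                if e != dst:
                    facts.add(frozenset((e, dst)))
        return facts, ("Move", src, dst)
    return facts, (inst[0], new_uses, defs)


def fix_obvious_spills(code, entry):
    """code maps block -> (instructions, successors).  Forward flow with
    intersection at joins (must-alias); returns block -> rewritten instructions."""
    preds = {b: [] for b in code}
    for b, (_, succs) in code.items():
        for s in succs:
            preds[s].append(b)
    at_tail = {}
    while True:
        changed, rewritten = False, {}
        for b, (insts, _) in code.items():
            incoming = [at_tail[p] for p in preds[b] if p in at_tail]
            facts = set() if b == entry or not incoming else set.intersection(*incoming)
            out = []
            for inst in insts:
                facts, inst = transfer(facts, inst)
                out.append(inst)
            rewritten[b] = out
            if at_tail.get(b) != facts:
                at_tail[b], changed = facts, True
        if not changed:
            return rewritten


def run_block(insts):
    """Convenience wrapper: a single straight-line block (constructed input)."""
    return fix_obvious_spills({"b": (insts, [])}, "b")["b"]


if __name__ == "__main__":
    # Third pattern from the entry: the constant stored through %rcx survives %rcx's def.
    for inst in run_block([("Move", "$42", "%rcx"), ("Move", "%rcx", "(stack42)"),
                           ("Bar", [], ["%rcx"]), ("Foo", ["(stack42)"], [])]):
        print(inst)
```
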
1170 2016-01-19  Filip Pizlo  <fpizlo@apple.com>
1171
1172         Unreviewed, undo unintended commit.
1173
1174         * dfg/DFGCommon.h:
1175
1176 2016-01-18  Filip Pizlo  <fpizlo@apple.com>
1177
1178         Fix Air shuffling assertions
1179         https://bugs.webkit.org/show_bug.cgi?id=153213
1180
1181         Reviewed by Saam Barati.
1182
1183         Fixes some assertions that I was seeing running JSC tests. Adds a new Air test.
1184
1185         * assembler/MacroAssemblerX86Common.h:
1186         (JSC::MacroAssemblerX86Common::store8):
1187         (JSC::MacroAssemblerX86Common::getUnusedRegister):
1188         * b3/air/AirEmitShuffle.cpp:
1189         (JSC::B3::Air::emitShuffle):
1190         * b3/air/AirLowerAfterRegAlloc.cpp:
1191         (JSC::B3::Air::lowerAfterRegAlloc):
1192         * b3/air/testair.cpp:
1193         (JSC::B3::Air::testShuffleRotateWithFringe):
1194         (JSC::B3::Air::testShuffleRotateWithFringeInWeirdOrder):
1195         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1196         (JSC::B3::Air::run):
1197
1198 2016-01-19  Konstantin Tokarev  <annulen@yandex.ru>
1199
1200         [mips] Logical instructions allow immediates in range 0..0xffff, not 0x7fff
1201         https://bugs.webkit.org/show_bug.cgi?id=152693
1202
1203         Reviewed by Michael Saboff.
1204
1205         * offlineasm/mips.rb:
1206
1207 2016-01-18  Saam barati  <sbarati@apple.com>
1208
1209         assertions in BytecodeUseDef.h about opcode length are off by one
1210         https://bugs.webkit.org/show_bug.cgi?id=153215
1211
1212         Reviewed by Dan Bernstein.
1213
1214         * bytecode/BytecodeUseDef.h:
1215         (JSC::computeUsesForBytecodeOffset):
1216
1217 2016-01-18  Saam barati  <sbarati@apple.com>
1218
1219         FTL doesn't do proper spilling for exception handling when GetById/Snippets go to slow path
1220         https://bugs.webkit.org/show_bug.cgi?id=153186
1221
1222         Reviewed by Michael Saboff.
1223
1224         Michael was investigating a bug he found while doing the new JSC calling
1225         convention work and it turns out to be a latent bug in FTL try/catch machinery.
1226         After I looked at the code again, I realized that what I had previously
1227         written is wrong in a subtle way. The FTL callOperation machinery will remove
1228         its result register from the set of registers it needs to spill. This is not
1229         correct when we have try/catch. We may want to do value recovery on
1230         the value that the result register holds prior to the call after the call
1231         throws an exception. The case that we were solving before was when the
1232         resultRegister == baseRegister in a GetById, or left/rightRegister == resultRegister in a Snippet.
1233         This code is correct in wanting to spill in that case, even though it might spill
1234         when we don't need it to (i.e. the result is not needed for value recovery). Once I
1235         investigated this bug further, I realized that the previous rule is just a
1236         partial subset of the rule that says we should spill anytime the result is
1237         a register we might do value recovery on. This patch implements the rule that
1238         says we always want to spill the result when we will do value recovery on it
1239         if an exception is thrown.
1240
1241         * ftl/FTLCompile.cpp:
1242         (JSC::FTL::mmAllocateDataSection):
1243         * tests/stress/ftl-try-catch-getter-throw-interesting-value-recovery.js: Added.
1244         (assert):
1245         (random):
1246         (identity):
1247         (let.o2.get f):
1248         (let.o3.get f):
1249         (foo):
1250         (i.else):
1251
1252 2016-01-18  Konstantin Tokarev  <annulen@yandex.ru>
1253
1254         [MIPS] LLInt: fix calculation of Global Offset Table
1255         https://bugs.webkit.org/show_bug.cgi?id=150381
1256
1257         Offlineasm adds a .cpload $t9 when we create a label in MIPS, which
1258         computes address of GOT. However, this instruction requires $t9 to
1259         contain address of current function. So we need to set $t9 to pcBase,
1260         otherwise GOT-related calculations will be invalid.
1261
1262         Since offlineasm does not allow direct move to $t9 on MIPS, added new
1263         instruction setcallreg which does exactly that.
1264
1265         Reviewed by Michael Saboff.
1266
1267         * llint/LowLevelInterpreter.asm:
1268         * offlineasm/instructions.rb:
1269         * offlineasm/mips.rb:
1270
1271 2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>
1272
1273         REGRESSION(r194601): Fix the jsc timeout option of jsc.cpp
1274         https://bugs.webkit.org/show_bug.cgi?id=153204
1275
1276         Reviewed by Michael Catanzaro.
1277
1278         * jsc.cpp:
1279         (main):
1280
1281 2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>
1282
1283         [cmake] Add testair to the build system
1284         https://bugs.webkit.org/show_bug.cgi?id=153126
1285
1286         Reviewed by Michael Catanzaro.
1287
1288         * shell/CMakeLists.txt:
1289
1290 2016-01-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>
1291
1292         Ensure that CF_AVAILABLE is undefined when building webkit-gtk
1293
1294         https://bugs.webkit.org/show_bug.cgi?id=152720
1295
1296         This change ensures that CF_AVAILABLE is correctly a no-op to
1297         address a build failure that was observed when building on older
1298         versions of OSX.  Previously, CF_AVAILABLE may have been unexpectedly
1299         re-defined to the system header value based on include-order.
1300
1301         Reviewed by Michael Catanzaro.
1302
1303         * API/WebKitAvailability.h:
1304
1305 2016-01-17  Julien Brianceau  <jbriance@cisco.com>
1306
1307         [mips] Fix regT2 and regT3 trampling in MacroAssembler
1308         https://bugs.webkit.org/show_bug.cgi?id=153131
1309
1310         MIPS $t2 and $t3 registers were used as temporary registers
1311         in MacroAssemblerMIPS.h, whereas they are mapped to regT2
1312         and regT3 in LLInt and GPRInfo.
1313
1314         This patch rearranges register mapping for the MIPS architecture:
1315         - use $t0 and $t1 as temp registers in LLInt (as in MacroAssembler)
1316         - use $t7 and $t8 as temp registers in MacroAssembler (as in LLInt)
1317         - remove $t6 from temp registers list in LLInt
1318         - update GPRInfo.h accordingly
1319         - add mips macroScratchRegisters() list in RegisterSet.cpp
1320
1321         Reviewed by Michael Saboff.
1322
1323         * assembler/MacroAssemblerMIPS.h:
1324         * jit/GPRInfo.h:
1325         (JSC::GPRInfo::toRegister):
1326         (JSC::GPRInfo::toIndex):
1327         * jit/RegisterSet.cpp:
1328         (JSC::RegisterSet::macroScratchRegisters):
1329         (JSC::RegisterSet::calleeSaveRegisters):
1330         * offlineasm/mips.rb:
1331
1332 2016-01-16  Skachkov Oleksandr  <gskachkov@gmail.com>
1333
1334         [ES6] Arrow function syntax. Arrow function should support the destructuring parameters.
1335         https://bugs.webkit.org/show_bug.cgi?id=146934
1336
1337         Reviewed by Saam Barati.
1338
1339         Added support for destructuring parameters; before, arrow functions expected only simple parameters,
1340         e.g. (), (x), (x, y) or x in an assignment expression. To support destructuring parameters, added an
1341         additional check that checks for destructuring parameters if the check does not pass for simple parameters.
1342
1343         * parser/Parser.cpp:
1344         (JSC::Parser<LexerType>::isArrowFunctionParameters):
1345         (JSC::Parser<LexerType>::parseAssignmentExpression):
1346         * parser/Parser.h:
1347
1348 2016-01-15  Benjamin Poulain  <bpoulain@apple.com>
1349
1350         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
1351         https://bugs.webkit.org/show_bug.cgi?id=153065
1352
1353         Reviewed by Mark Lam.
1354         Reviewed by Filip Pizlo.
1355
1356         On ARM64, we cannot use a signed 32-bit offset for memory addressing.
1357         There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
1358         Air already knows about it.
1359
1360         In this patch, the offsets are changed to something valid for ARM64
1361         prior to lowering. When an offset is invalid, it is just computed
1362         before the instruction and used as the base for addressing.
1363
1364         * JavaScriptCore.xcodeproj/project.pbxproj:
1365         * b3/B3Generate.cpp:
1366         (JSC::B3::generateToAir):
1367         * b3/B3LegalizeMemoryOffsets.cpp: Added.
1368         (JSC::B3::legalizeMemoryOffsets):
1369         * b3/B3LegalizeMemoryOffsets.h: Added.
1370         * b3/B3LowerToAir.cpp:
1371         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1372         * b3/testb3.cpp:
1373         (JSC::B3::testLoadWithOffsetImpl):
1374         (JSC::B3::testLoadOffsetImm9Max):
1375         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
1376         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
1377         (JSC::B3::testLoadOffsetImm9Min):
1378         (JSC::B3::testLoadOffsetImm9MinMinusOne):
1379         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
1380         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
1381         (JSC::B3::run):
1382
1383 2016-01-15  Alex Christensen  <achristensen@webkit.org>
1384
1385         Fix internal Windows build
1386         https://bugs.webkit.org/show_bug.cgi?id=153142
1387
1388         Reviewed by Brent Fulgham.
1389
1390         The internal Windows build builds JavaScriptCore from a directory that is not called JavaScriptCore.
1391         Searching for JavaScriptCore/API/APICast.h fails because it is in SomethingElse/API/APICast.h.
1392         Since we are including the JavaScriptCore directory, it is not necessary to have JavaScriptCore in
1393         the forwarding headers, but removing it allows builds from directories that are not named JavaScriptCore.
1394
1395         * ForwardingHeaders/JavaScriptCore/APICast.h:
1396         * ForwardingHeaders/JavaScriptCore/JSBase.h:
1397         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h:
1398         * ForwardingHeaders/JavaScriptCore/JSContextRef.h:
1399         * ForwardingHeaders/JavaScriptCore/JSObjectRef.h:
1400         * ForwardingHeaders/JavaScriptCore/JSRetainPtr.h:
1401         * ForwardingHeaders/JavaScriptCore/JSStringRef.h:
1402         * ForwardingHeaders/JavaScriptCore/JSStringRefCF.h:
1403         * ForwardingHeaders/JavaScriptCore/JSValueRef.h:
1404         * ForwardingHeaders/JavaScriptCore/JavaScript.h:
1405         * ForwardingHeaders/JavaScriptCore/JavaScriptCore.h:
1406         * ForwardingHeaders/JavaScriptCore/OpaqueJSString.h:
1407         * ForwardingHeaders/JavaScriptCore/WebKitAvailability.h:
1408
1409 2016-01-15  Per Arne Vollan  <peavo@outlook.com>
1410
1411         [B3][Win64] Compile fixes.
1412         https://bugs.webkit.org/show_bug.cgi?id=153127
1413
1414         Reviewed by Alex Christensen.
1415
1416         MSVC has several overloads of fmod, pow, and ceil. We need to suggest to MSVC
1417         which one we want to use.
1418
1419         * b3/B3LowerMacros.cpp:
1420         * b3/B3LowerMacrosAfterOptimizations.cpp:
1421         * b3/B3MathExtras.cpp:
1422         (JSC::B3::powDoubleInt32):
1423         * b3/B3ReduceStrength.cpp:
1424
1425 2016-01-15  Filip Pizlo  <fpizlo@apple.com>
1426
1427         Air needs a Shuffle instruction
1428         https://bugs.webkit.org/show_bug.cgi?id=152952
1429
1430         Reviewed by Saam Barati.
1431
1432         This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
1433         multiple moves to perform arbitrary permutations over registers and memory. We call these
1434         rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
1435         c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
1436         use immediates as their source.
1437
1438         Shuffle is added as a custom instruction, since it has a variable number of arguments. It
1439         takes any number of triplets of arguments, where each triplet describes one mapping of the
1440         shuffle. For example, to represent (a => b, b => c), we might say:
1441
1442             Shuffle %a, %b, 64, %b, %c, 64
1443
1444         Note the "64"s: those are width arguments that describe how many bits of the register are
1445         being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
1446         most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
1447         of the pairs in the example). For GP arguments, the width follows ZDef semantics.
1448
1449         In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
1450         how to use it:
1451
1452         - C calling convention argument marshalling. Previously we used move instructions. But that's
1453           problematic since it introduces artificial interference between the argument registers and
1454           the inputs. Using Shuffle removes that interference. This helps a bit.
1455
1456         - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
1457           a cold path, then we want it to appear to the register allocator like it doesn't clobber
1458           any registers. Only after register allocation should we handle the clobbering by simply
1459           saving all of the live volatile registers to the stack. If you imagine the saving and the
1460           argument marshalling, you can see how before the call, we want to have a Shuffle that does
1461           both of those things. This is important. If argument marshalling was separate from the
1462           saving, then we'd still appear to clobber argument registers. Doing them together as one
1463           Shuffle means that the cold call doesn't appear to even clobber the argument registers.
1464
1465         Unfortunately, I was wrong about cold C calls being the dominant problem with our register
1466         allocator right now. Fixing this revealed other problems in my current tuning benchmark,
1467         Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
1468         functionality we will need to implement other optimizations.
1469
1470         Relanding after fixing production build.
1471
1472         * CMakeLists.txt:
1473         * JavaScriptCore.xcodeproj/project.pbxproj:
1474         * assembler/AbstractMacroAssembler.h:
1475         (JSC::isX86_64):
1476         (JSC::isIOS):
1477         (JSC::optimizeForARMv7IDIVSupported):
1478         * assembler/MacroAssemblerX86Common.h:
1479         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
1480         (JSC::MacroAssemblerX86Common::swap32):
1481         (JSC::MacroAssemblerX86Common::moveConditionally32):
1482         * assembler/MacroAssemblerX86_64.h:
1483         (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
1484         (JSC::MacroAssemblerX86_64::swap64):
1485         (JSC::MacroAssemblerX86_64::move64ToDouble):
1486         * assembler/X86Assembler.h:
1487         (JSC::X86Assembler::xchgl_rr):
1488         (JSC::X86Assembler::xchgl_rm):
1489         (JSC::X86Assembler::xchgq_rr):
1490         (JSC::X86Assembler::xchgq_rm):
1491         (JSC::X86Assembler::movl_rr):
1492         * b3/B3CCallValue.h:
1493         * b3/B3Compilation.cpp:
1494         (JSC::B3::Compilation::Compilation):
1495         (JSC::B3::Compilation::~Compilation):
1496         * b3/B3Compilation.h:
1497         (JSC::B3::Compilation::code):
1498         * b3/B3LowerToAir.cpp:
1499         (JSC::B3::Air::LowerToAir::run):
1500         (JSC::B3::Air::LowerToAir::createSelect):
1501         (JSC::B3::Air::LowerToAir::lower):
1502         (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
1503         * b3/B3OpaqueByproducts.h:
1504         (JSC::B3::OpaqueByproducts::count):
1505         * b3/B3StackmapSpecial.cpp:
1506         (JSC::B3::StackmapSpecial::isArgValidForValue):
1507         (JSC::B3::StackmapSpecial::isArgValidForRep):
1508         * b3/air/AirArg.cpp:
1509         (JSC::B3::Air::Arg::isStackMemory):
1510         (JSC::B3::Air::Arg::isRepresentableAs):
1511         (JSC::B3::Air::Arg::usesTmp):
1512         (JSC::B3::Air::Arg::canRepresent):
1513         (JSC::B3::Air::Arg::isCompatibleType):
1514         (JSC::B3::Air::Arg::dump):
1515         (WTF::printInternal):
1516         * b3/air/AirArg.h:
1517         (JSC::B3::Air::Arg::forEachType):
1518         (JSC::B3::Air::Arg::isWarmUse):
1519         (JSC::B3::Air::Arg::cooled):
1520         (JSC::B3::Air::Arg::isEarlyUse):
1521         (JSC::B3::Air::Arg::imm64):
1522         (JSC::B3::Air::Arg::immPtr):
1523         (JSC::B3::Air::Arg::addr):
1524         (JSC::B3::Air::Arg::special):
1525         (JSC::B3::Air::Arg::widthArg):
1526         (JSC::B3::Air::Arg::operator==):
1527         (JSC::B3::Air::Arg::isImm64):
1528         (JSC::B3::Air::Arg::isSomeImm):
1529         (JSC::B3::Air::Arg::isAddr):
1530         (JSC::B3::Air::Arg::isIndex):
1531         (JSC::B3::Air::Arg::isMemory):
1532         (JSC::B3::Air::Arg::isRelCond):
1533         (JSC::B3::Air::Arg::isSpecial):
1534         (JSC::B3::Air::Arg::isWidthArg):
1535         (JSC::B3::Air::Arg::isAlive):
1536         (JSC::B3::Air::Arg::base):
1537         (JSC::B3::Air::Arg::hasOffset):
1538         (JSC::B3::Air::Arg::offset):
1539         (JSC::B3::Air::Arg::width):
1540         (JSC::B3::Air::Arg::isGPTmp):
1541         (JSC::B3::Air::Arg::isGP):
1542         (JSC::B3::Air::Arg::isFP):
1543         (JSC::B3::Air::Arg::isType):
1544         (JSC::B3::Air::Arg::isGPR):
1545         (JSC::B3::Air::Arg::isValidForm):
1546         (JSC::B3::Air::Arg::forEachTmpFast):
1547         * b3/air/AirBasicBlock.h:
1548         (JSC::B3::Air::BasicBlock::insts):
1549         (JSC::B3::Air::BasicBlock::appendInst):
1550         (JSC::B3::Air::BasicBlock::append):
1551         * b3/air/AirCCallingConvention.cpp: Added.
1552         (JSC::B3::Air::computeCCallingConvention):
1553         (JSC::B3::Air::cCallResult):
1554         (JSC::B3::Air::buildCCall):
1555         * b3/air/AirCCallingConvention.h: Added.
1556         * b3/air/AirCode.h:
1557         (JSC::B3::Air::Code::proc):
1558         * b3/air/AirCustom.cpp: Added.
1559         (JSC::B3::Air::CCallCustom::isValidForm):
1560         (JSC::B3::Air::CCallCustom::generate):
1561         (JSC::B3::Air::ShuffleCustom::isValidForm):
1562         (JSC::B3::Air::ShuffleCustom::generate):
1563         * b3/air/AirCustom.h:
1564         (JSC::B3::Air::PatchCustom::forEachArg):
1565         (JSC::B3::Air::PatchCustom::generate):
1566         (JSC::B3::Air::CCallCustom::forEachArg):
1567         (JSC::B3::Air::CCallCustom::isValidFormStatic):
1568         (JSC::B3::Air::CCallCustom::admitsStack):
1569         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
1570         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1571         (JSC::B3::Air::ShuffleCustom::forEachArg):
1572         (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
1573         (JSC::B3::Air::ShuffleCustom::admitsStack):
1574         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
1575         * b3/air/AirEmitShuffle.cpp: Added.
1576         (JSC::B3::Air::ShufflePair::dump):
1577         (JSC::B3::Air::emitShuffle):
1578         * b3/air/AirEmitShuffle.h: Added.
1579         (JSC::B3::Air::ShufflePair::ShufflePair):
1580         (JSC::B3::Air::ShufflePair::src):
1581         (JSC::B3::Air::ShufflePair::dst):
1582         (JSC::B3::Air::ShufflePair::width):
1583         * b3/air/AirGenerate.cpp:
1584         (JSC::B3::Air::prepareForGeneration):
1585         * b3/air/AirGenerate.h:
1586         * b3/air/AirInsertionSet.cpp:
1587         (JSC::B3::Air::InsertionSet::insertInsts):
1588         (JSC::B3::Air::InsertionSet::execute):
1589         * b3/air/AirInsertionSet.h:
1590         (JSC::B3::Air::InsertionSet::insertInst):
1591         (JSC::B3::Air::InsertionSet::insert):
1592         * b3/air/AirInst.h:
1593         (JSC::B3::Air::Inst::operator bool):
1594         (JSC::B3::Air::Inst::append):
1595         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
1596         (JSC::B3::Air::lowerAfterRegAlloc):
1597         * b3/air/AirLowerAfterRegAlloc.h: Added.
1598         * b3/air/AirLowerMacros.cpp: Added.
1599         (JSC::B3::Air::lowerMacros):
1600         * b3/air/AirLowerMacros.h: Added.
1601         * b3/air/AirOpcode.opcodes:
1602         * b3/air/AirRegisterPriority.h:
1603         (JSC::B3::Air::regsInPriorityOrder):
1604         * b3/air/testair.cpp: Added.
1605         (hiddenTruthBecauseNoReturnIsStupid):
1606         (usage):
1607         (JSC::B3::Air::compile):
1608         (JSC::B3::Air::invoke):
1609         (JSC::B3::Air::compileAndRun):
1610         (JSC::B3::Air::testSimple):
1611         (JSC::B3::Air::loadConstantImpl):
1612         (JSC::B3::Air::loadConstant):
1613         (JSC::B3::Air::loadDoubleConstant):
1614         (JSC::B3::Air::testShuffleSimpleSwap):
1615         (JSC::B3::Air::testShuffleSimpleShift):
1616         (JSC::B3::Air::testShuffleLongShift):
1617         (JSC::B3::Air::testShuffleLongShiftBackwards):
1618         (JSC::B3::Air::testShuffleSimpleRotate):
1619         (JSC::B3::Air::testShuffleSimpleBroadcast):
1620         (JSC::B3::Air::testShuffleBroadcastAllRegs):
1621         (JSC::B3::Air::testShuffleTreeShift):
1622         (JSC::B3::Air::testShuffleTreeShiftBackward):
1623         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
1624         (JSC::B3::Air::testShuffleMultipleShifts):
1625         (JSC::B3::Air::testShuffleRotateWithFringe):
1626         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1627         (JSC::B3::Air::testShuffleMultipleRotates):
1628         (JSC::B3::Air::testShuffleShiftAndRotate):
1629         (JSC::B3::Air::testShuffleShiftAllRegs):
1630         (JSC::B3::Air::testShuffleRotateAllRegs):
1631         (JSC::B3::Air::testShuffleSimpleSwap64):
1632         (JSC::B3::Air::testShuffleSimpleShift64):
1633         (JSC::B3::Air::testShuffleSwapMixedWidth):
1634         (JSC::B3::Air::testShuffleShiftMixedWidth):
1635         (JSC::B3::Air::testShuffleShiftMemory):
1636         (JSC::B3::Air::testShuffleShiftMemoryLong):
1637         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
1638         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
1639         (JSC::B3::Air::combineHiLo):
1640         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
1641         (JSC::B3::Air::testShuffleRotateMemory):
1642         (JSC::B3::Air::testShuffleRotateMemory64):
1643         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
1644         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
1645         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
1646         (JSC::B3::Air::testShuffleSwapDouble):
1647         (JSC::B3::Air::testShuffleShiftDouble):
1648         (JSC::B3::Air::run):
1649         (run):
1650         (main):
1651         * b3/testb3.cpp:
1652         (JSC::B3::testCallSimple):
1653         (JSC::B3::testCallRare):
1654         (JSC::B3::testCallRareLive):
1655         (JSC::B3::testCallSimplePure):
1656         (JSC::B3::run):
1657
1658 2016-01-15  Andy VanWagoner  <thetalecrafter@gmail.com>
1659
1660         [INTL] Implement Date.prototype.toLocaleString in ECMA-402
1661         https://bugs.webkit.org/show_bug.cgi?id=147611
1662
1663         Reviewed by Benjamin Poulain.
1664
1665         Expose dateProtoFuncGetTime as thisTimeValue for builtins.
1666         Remove unused code in DateTimeFormat toDateTimeOptions, and make the
1667         function specific to the call in initializeDateTimeFormat. Properly
1668         throw when the options parameter is null.
1669         Add toLocaleString in builtin JavaScript, with its own specific branch
1670         of toDateTimeOptions.
1671
1672         * CMakeLists.txt:
1673         * DerivedSources.make:
1674         * JavaScriptCore.xcodeproj/project.pbxproj:
1675         * builtins/DatePrototype.js: Added.
1676         (toLocaleString.toDateTimeOptionsAnyAll):
1677         (toLocaleString):
1678         * runtime/CommonIdentifiers.h:
1679         * runtime/DatePrototype.cpp:
1680         (JSC::DatePrototype::finishCreation):
1681         * runtime/DatePrototype.h:
1682         * runtime/IntlDateTimeFormat.cpp:
1683         (JSC::toDateTimeOptionsAnyDate):
1684         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1685         (JSC::toDateTimeOptions): Deleted.
1686         * runtime/JSGlobalObject.cpp:
1687         (JSC::JSGlobalObject::init):
1688
1689 2016-01-15  Konstantin Tokarev  <annulen@yandex.ru>
1690
1691         [mips] Implemented emitFunctionPrologue/Epilogue
1692         https://bugs.webkit.org/show_bug.cgi?id=152947
1693
1694         Reviewed by Michael Saboff.
1695
1696         * assembler/MacroAssemblerMIPS.h:
1697         (JSC::MacroAssemblerMIPS::popPair):
1698         (JSC::MacroAssemblerMIPS::pushPair):
1699         * jit/AssemblyHelpers.h:
1700         (JSC::AssemblyHelpers::emitFunctionPrologue):
1701         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
1702         (JSC::AssemblyHelpers::emitFunctionEpilogue):
1703
1704 2016-01-15  Commit Queue  <commit-queue@webkit.org>
1705
1706         Unreviewed, rolling out r195084.
1707         https://bugs.webkit.org/show_bug.cgi?id=153132
1708
1709         Broke Production build (Requested by ap on #webkit).
1710
1711         Reverted changeset:
1712
1713         "Air needs a Shuffle instruction"
1714         https://bugs.webkit.org/show_bug.cgi?id=152952
1715         http://trac.webkit.org/changeset/195084
1716
1717 2016-01-15  Julien Brianceau  <jbriance@cisco.com>
1718
1719         [mips] Add countLeadingZeros32 implementation in macro assembler
1720         https://bugs.webkit.org/show_bug.cgi?id=152886
1721
1722         Reviewed by Michael Saboff.
1723
1724         * assembler/MIPSAssembler.h:
1725         (JSC::MIPSAssembler::lui):
1726         (JSC::MIPSAssembler::clz):
1727         (JSC::MIPSAssembler::addiu):
1728         * assembler/MacroAssemblerMIPS.h:
1729         (JSC::MacroAssemblerMIPS::and32):
1730         (JSC::MacroAssemblerMIPS::countLeadingZeros32):
1731         (JSC::MacroAssemblerMIPS::lshift32):
1732
1733 2016-01-14  Filip Pizlo  <fpizlo@apple.com>
1734
1735         Air needs a Shuffle instruction
1736         https://bugs.webkit.org/show_bug.cgi?id=152952
1737
1738         Reviewed by Saam Barati.
1739
1740         This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
1741         multiple moves to perform arbitrary permutations over registers and memory. We call these
1742         rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
1743         c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
1744         use immediates as their source.
1745
1746         Shuffle is added as a custom instruction, since it has a variable number of arguments. It
1747         takes any number of triplets of arguments, where each triplet describes one mapping of the
1748         shuffle. For example, to represent (a => b, b => c), we might say:
1749
1750             Shuffle %a, %b, 64, %b, %c, 64
1751
1752         Note the "64"s: those are width arguments that describe how many bits of the register are
1753         being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
1754         most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
1755         of the pairs in the example). For GP arguments, the width follows ZDef semantics.
1756
1757         In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
1758         how to use it:
1759
1760         - C calling convention argument marshalling. Previously we used move instructions. But that's
1761           problematic since it introduces artificial interference between the argument registers and
1762           the inputs. Using Shuffle removes that interference. This helps a bit.
1763
1764         - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
1765           a cold path, then we want it to appear to the register allocator like it doesn't clobber
1766           any registers. Only after register allocation should we handle the clobbering by simply
1767           saving all of the live volatile registers to the stack. If you imagine the saving and the
1768           argument marshalling, you can see how before the call, we want to have a Shuffle that does
1769           both of those things. This is important. If argument marshalling was separate from the
1770           saving, then we'd still appear to clobber argument registers. Doing them together as one
1771           Shuffle means that the cold call doesn't appear to even clobber the argument registers.
1772
1773         Unfortunately, I was wrong about cold C calls being the dominant problem with our register
1774         allocator right now. Fixing this revealed other problems in my current tuning benchmark,
1775         Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
1776         functionality we will need to implement other optimizations.
1777
1778         * CMakeLists.txt:
1779         * JavaScriptCore.xcodeproj/project.pbxproj:
1780         * assembler/AbstractMacroAssembler.h:
1781         (JSC::isX86_64):
1782         (JSC::isIOS):
1783         (JSC::optimizeForARMv7IDIVSupported):
1784         * assembler/MacroAssemblerX86Common.h:
1785         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
1786         (JSC::MacroAssemblerX86Common::swap32):
1787         (JSC::MacroAssemblerX86Common::moveConditionally32):
1788         * assembler/MacroAssemblerX86_64.h:
1789         (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
1790         (JSC::MacroAssemblerX86_64::swap64):
1791         (JSC::MacroAssemblerX86_64::move64ToDouble):
1792         * assembler/X86Assembler.h:
1793         (JSC::X86Assembler::xchgl_rr):
1794         (JSC::X86Assembler::xchgl_rm):
1795         (JSC::X86Assembler::xchgq_rr):
1796         (JSC::X86Assembler::xchgq_rm):
1797         (JSC::X86Assembler::movl_rr):
1798         * b3/B3CCallValue.h:
1799         * b3/B3Compilation.cpp:
1800         (JSC::B3::Compilation::Compilation):
1801         (JSC::B3::Compilation::~Compilation):
1802         * b3/B3Compilation.h:
1803         (JSC::B3::Compilation::code):
1804         * b3/B3LowerToAir.cpp:
1805         (JSC::B3::Air::LowerToAir::run):
1806         (JSC::B3::Air::LowerToAir::createSelect):
1807         (JSC::B3::Air::LowerToAir::lower):
1808         (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
1809         * b3/B3OpaqueByproducts.h:
1810         (JSC::B3::OpaqueByproducts::count):
1811         * b3/B3StackmapSpecial.cpp:
1812         (JSC::B3::StackmapSpecial::isArgValidForValue):
1813         (JSC::B3::StackmapSpecial::isArgValidForRep):
1814         * b3/air/AirArg.cpp:
1815         (JSC::B3::Air::Arg::isStackMemory):
1816         (JSC::B3::Air::Arg::isRepresentableAs):
1817         (JSC::B3::Air::Arg::usesTmp):
1818         (JSC::B3::Air::Arg::canRepresent):
1819         (JSC::B3::Air::Arg::isCompatibleType):
1820         (JSC::B3::Air::Arg::dump):
1821         (WTF::printInternal):
1822         * b3/air/AirArg.h:
1823         (JSC::B3::Air::Arg::forEachType):
1824         (JSC::B3::Air::Arg::isWarmUse):
1825         (JSC::B3::Air::Arg::cooled):
1826         (JSC::B3::Air::Arg::isEarlyUse):
1827         (JSC::B3::Air::Arg::imm64):
1828         (JSC::B3::Air::Arg::immPtr):
1829         (JSC::B3::Air::Arg::addr):
1830         (JSC::B3::Air::Arg::special):
1831         (JSC::B3::Air::Arg::widthArg):
1832         (JSC::B3::Air::Arg::operator==):
1833         (JSC::B3::Air::Arg::isImm64):
1834         (JSC::B3::Air::Arg::isSomeImm):
1835         (JSC::B3::Air::Arg::isAddr):
1836         (JSC::B3::Air::Arg::isIndex):
1837         (JSC::B3::Air::Arg::isMemory):
1838         (JSC::B3::Air::Arg::isRelCond):
1839         (JSC::B3::Air::Arg::isSpecial):
1840         (JSC::B3::Air::Arg::isWidthArg):
1841         (JSC::B3::Air::Arg::isAlive):
1842         (JSC::B3::Air::Arg::base):
1843         (JSC::B3::Air::Arg::hasOffset):
1844         (JSC::B3::Air::Arg::offset):
1845         (JSC::B3::Air::Arg::width):
1846         (JSC::B3::Air::Arg::isGPTmp):
1847         (JSC::B3::Air::Arg::isGP):
1848         (JSC::B3::Air::Arg::isFP):
1849         (JSC::B3::Air::Arg::isType):
1850         (JSC::B3::Air::Arg::isGPR):
1851         (JSC::B3::Air::Arg::isValidForm):
1852         (JSC::B3::Air::Arg::forEachTmpFast):
1853         * b3/air/AirBasicBlock.h:
1854         (JSC::B3::Air::BasicBlock::insts):
1855         (JSC::B3::Air::BasicBlock::appendInst):
1856         (JSC::B3::Air::BasicBlock::append):
1857         * b3/air/AirCCallingConvention.cpp: Added.
1858         (JSC::B3::Air::computeCCallingConvention):
1859         (JSC::B3::Air::cCallResult):
1860         (JSC::B3::Air::buildCCall):
1861         * b3/air/AirCCallingConvention.h: Added.
1862         * b3/air/AirCode.h:
1863         (JSC::B3::Air::Code::proc):
1864         * b3/air/AirCustom.cpp: Added.
1865         (JSC::B3::Air::CCallCustom::isValidForm):
1866         (JSC::B3::Air::CCallCustom::generate):
1867         (JSC::B3::Air::ShuffleCustom::isValidForm):
1868         (JSC::B3::Air::ShuffleCustom::generate):
1869         * b3/air/AirCustom.h:
1870         (JSC::B3::Air::PatchCustom::forEachArg):
1871         (JSC::B3::Air::PatchCustom::generate):
1872         (JSC::B3::Air::CCallCustom::forEachArg):
1873         (JSC::B3::Air::CCallCustom::isValidFormStatic):
1874         (JSC::B3::Air::CCallCustom::admitsStack):
1875         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
1876         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1877         (JSC::B3::Air::ShuffleCustom::forEachArg):
1878         (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
1879         (JSC::B3::Air::ShuffleCustom::admitsStack):
1880         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
1881         * b3/air/AirEmitShuffle.cpp: Added.
1882         (JSC::B3::Air::ShufflePair::dump):
1883         (JSC::B3::Air::emitShuffle):
1884         * b3/air/AirEmitShuffle.h: Added.
1885         (JSC::B3::Air::ShufflePair::ShufflePair):
1886         (JSC::B3::Air::ShufflePair::src):
1887         (JSC::B3::Air::ShufflePair::dst):
1888         (JSC::B3::Air::ShufflePair::width):
1889         * b3/air/AirGenerate.cpp:
1890         (JSC::B3::Air::prepareForGeneration):
1891         * b3/air/AirGenerate.h:
1892         * b3/air/AirInsertionSet.cpp:
1893         (JSC::B3::Air::InsertionSet::insertInsts):
1894         (JSC::B3::Air::InsertionSet::execute):
1895         * b3/air/AirInsertionSet.h:
1896         (JSC::B3::Air::InsertionSet::insertInst):
1897         (JSC::B3::Air::InsertionSet::insert):
1898         * b3/air/AirInst.h:
1899         (JSC::B3::Air::Inst::operator bool):
1900         (JSC::B3::Air::Inst::append):
1901         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
1902         (JSC::B3::Air::lowerAfterRegAlloc):
1903         * b3/air/AirLowerAfterRegAlloc.h: Added.
1904         * b3/air/AirLowerMacros.cpp: Added.
1905         (JSC::B3::Air::lowerMacros):
1906         * b3/air/AirLowerMacros.h: Added.
1907         * b3/air/AirOpcode.opcodes:
1908         * b3/air/AirRegisterPriority.h:
1909         (JSC::B3::Air::regsInPriorityOrder):
1910         * b3/air/testair.cpp: Added.
1911         (hiddenTruthBecauseNoReturnIsStupid):
1912         (usage):
1913         (JSC::B3::Air::compile):
1914         (JSC::B3::Air::invoke):
1915         (JSC::B3::Air::compileAndRun):
1916         (JSC::B3::Air::testSimple):
1917         (JSC::B3::Air::loadConstantImpl):
1918         (JSC::B3::Air::loadConstant):
1919         (JSC::B3::Air::loadDoubleConstant):
1920         (JSC::B3::Air::testShuffleSimpleSwap):
1921         (JSC::B3::Air::testShuffleSimpleShift):
1922         (JSC::B3::Air::testShuffleLongShift):
1923         (JSC::B3::Air::testShuffleLongShiftBackwards):
1924         (JSC::B3::Air::testShuffleSimpleRotate):
1925         (JSC::B3::Air::testShuffleSimpleBroadcast):
1926         (JSC::B3::Air::testShuffleBroadcastAllRegs):
1927         (JSC::B3::Air::testShuffleTreeShift):
1928         (JSC::B3::Air::testShuffleTreeShiftBackward):
1929         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
1930         (JSC::B3::Air::testShuffleMultipleShifts):
1931         (JSC::B3::Air::testShuffleRotateWithFringe):
1932         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1933         (JSC::B3::Air::testShuffleMultipleRotates):
1934         (JSC::B3::Air::testShuffleShiftAndRotate):
1935         (JSC::B3::Air::testShuffleShiftAllRegs):
1936         (JSC::B3::Air::testShuffleRotateAllRegs):
1937         (JSC::B3::Air::testShuffleSimpleSwap64):
1938         (JSC::B3::Air::testShuffleSimpleShift64):
1939         (JSC::B3::Air::testShuffleSwapMixedWidth):
1940         (JSC::B3::Air::testShuffleShiftMixedWidth):
1941         (JSC::B3::Air::testShuffleShiftMemory):
1942         (JSC::B3::Air::testShuffleShiftMemoryLong):
1943         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
1944         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
1945         (JSC::B3::Air::combineHiLo):
1946         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
1947         (JSC::B3::Air::testShuffleRotateMemory):
1948         (JSC::B3::Air::testShuffleRotateMemory64):
1949         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
1950         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
1951         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
1952         (JSC::B3::Air::testShuffleSwapDouble):
1953         (JSC::B3::Air::testShuffleShiftDouble):
1954         (JSC::B3::Air::run):
1955         (run):
1956         (main):
1957         * b3/testb3.cpp:
1958         (JSC::B3::testCallSimple):
1959         (JSC::B3::testCallRare):
1960         (JSC::B3::testCallRareLive):
1961         (JSC::B3::testCallSimplePure):
1962         (JSC::B3::run):
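
        The shuffle resolution described in the two "Air needs a Shuffle instruction" entries above (the
        2016-01-14 landing and its 2016-01-15 relanding), as an added C++ example that is not WebKit's
        code: it resolves a list of shuffle pairs (src, dst, width) into sequential instructions, emitting
        shifts leaf-first and breaking the remaining rotations with 64-bit swaps, then checks the stream
        against the parallel semantics of the shuffle. The plain location names, the Move/Swap64
        instruction set and the zero-extension fixup for 32-bit pairs are simplifying assumptions, not
        Air's actual representation.

```cpp
// Added example, not WebKit's code: a simplified resolver for Air-style Shuffle pairs.
// Location names stand for registers or stack slots; a real backend would constrain memory operands.
#include <cassert>
#include <cstdint>
#include <map>
#include <string>
#include <utility>
#include <vector>

// A shuffle source is a location or an immediate (immediates can only feed shifts).
struct Src {
    bool isImm = false;
    std::string loc;
    uint64_t imm = 0;
    static Src of(std::string l) { Src s; s.loc = std::move(l); return s; }
    static Src immediate(uint64_t v) { Src s; s.isImm = true; s.imm = v; return s; }
};

// One shuffle pair: src => dst at 32 or 64 bits. Width 32 follows ZDef semantics, so
// the upper 32 bits of dst are zeroed.
struct ShufflePair { Src src; std::string dst; unsigned width; };

// Emitted instructions: Move (src -> a at width) or Swap64 (exchange a and b).
struct Inst {
    enum Kind { Move, Swap64 } kind;
    Src src;
    std::string a, b;
    unsigned width;
};

using State = std::map<std::string, uint64_t>;

std::vector<Inst> emitShuffle(std::vector<ShufflePair> pairs)
{
    std::vector<Inst> out;
    std::map<std::string, unsigned> readers; // pending pairs still reading each location
    for (const auto& p : pairs)
        if (!p.src.isImm) readers[p.src.loc]++;
    // Phase 1 (shifts): a pair whose dst nobody still reads can be moved right away.
    // That may free its src for the pair targeting it, so iterate to a fixpoint.
    for (bool progress = true; progress;) {
        progress = false;
        for (size_t i = 0; i < pairs.size(); ++i) {
            const ShufflePair& p = pairs[i];
            if (readers[p.dst]) continue;
            out.push_back({Inst::Move, p.src, p.dst, "", p.width});
            if (!p.src.isImm) readers[p.src.loc]--;
            pairs.erase(pairs.begin() + i);
            progress = true;
            break;
        }
    }
    // Phase 2 (rotations): each remaining dst is read by exactly one pending pair, so
    // the pairs form disjoint cycles. Swapping src and dst gives dst its final value and
    // leaves dst's old value in src, so the pair that read dst now reads src instead.
    while (!pairs.empty()) {
        ShufflePair p = pairs.front();
        pairs.erase(pairs.begin());
        assert(!p.src.isImm); // an immediate source can never be part of a cycle
        if (p.src.loc != p.dst) {
            out.push_back({Inst::Swap64, Src(), p.src.loc, p.dst, 64});
            for (auto& q : pairs)
                if (!q.src.isImm && q.src.loc == p.dst)
                    q.src.loc = p.src.loc;
        }
        // The 64-bit swap moved every bit; a 32-bit pair still has to zero the upper half.
        if (p.width == 32)
            out.push_back({Inst::Move, Src::of(p.dst), p.dst, "", 32});
    }
    return out;
}

// Interpret the emitted stream on a machine state.
State execute(const std::vector<Inst>& insts, State state)
{
    for (const auto& in : insts) {
        if (in.kind == Inst::Swap64) {
            std::swap(state[in.a], state[in.b]);
            continue;
        }
        uint64_t v = in.src.isImm ? in.src.imm : state[in.src.loc];
        state[in.a] = in.width == 32 ? (v & 0xffffffffu) : v;
    }
    return state;
}

// Check the sequential stream against the parallel semantics: each dst ends up with its
// src's original value (zero-extended for width 32) and every other location is untouched.
bool shuffleIsCorrect(const std::vector<ShufflePair>& pairs, const State& initial)
{
    State expected = initial;
    for (const auto& p : pairs) {
        uint64_t v = p.src.isImm ? p.src.imm : initial.at(p.src.loc);
        expected[p.dst] = p.width == 32 ? (v & 0xffffffffu) : v;
    }
    return execute(emitShuffle(pairs), initial) == expected;
}
```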
1963
1964 2016-01-14  Keith Miller  <keith_miller@apple.com>
1965
1966         Unreviewed, mark passing es6 tests as no longer failing.
1967
1968         * tests/es6.yaml:
1969
1970 2016-01-14  Keith Miller  <keith_miller@apple.com>
1971
1972         [ES6] Support subclassing Function.
1973         https://bugs.webkit.org/show_bug.cgi?id=153081
1974
1975         Reviewed by Geoffrey Garen.
1976
1977         This patch enables subclassing the Function object. It also fixes an existing
1978         bug that prevented users from subclassing functions that have a function in
1979         the superclass's prototype property.
1980
1981         * bytecompiler/NodesCodegen.cpp:
1982         (JSC::ClassExprNode::emitBytecode):
1983         * runtime/FunctionConstructor.cpp:
1984         (JSC::constructWithFunctionConstructor):
1985         (JSC::constructFunction):
1986         (JSC::constructFunctionSkippingEvalEnabledCheck):
1987         * runtime/FunctionConstructor.h:
1988         * runtime/JSFunction.cpp:
1989         (JSC::JSFunction::create):
1990         * runtime/JSFunction.h:
1991         (JSC::JSFunction::createImpl):
1992         * runtime/JSFunctionInlines.h:
1993         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1994         (JSC::JSFunction::JSFunction): Deleted.
1995         * tests/stress/class-subclassing-function.js: Added.
1996
1997 2016-01-13  Carlos Garcia Campos  <cgarcia@igalia.com>
1998
1999         [CMake] Do not use LLVM static libraries for FTL JIT
2000         https://bugs.webkit.org/show_bug.cgi?id=151559
2001
2002         Reviewed by Michael Catanzaro.
2003
2004         Allow ports to decide whether to prefer linking to llvm static or
2005         dynamic libraries. This patch only changes the behavior of the GTK
2006         port, other ports can change the default behavior by setting
2007         llvmForJSC_LIBRARIES in their platform specific cmake files.
2008
2009         * CMakeLists.txt: Move llvmForJSC library definition after the
2010         WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS, to allow platform specific
2011         files to set their own llvmForJSC_LIBRARIES. When not set, it
2012         defaults to LLVM_STATIC_LIBRARIES. The command to create
2013         WebKitLLVMLibraryToken.h no longer depends on the static
2014         libraries, since we are going to make the build fail anyway when
2015         not found in case of linking to the static libraries. If the platform
2016         specific file defines llvmForJSC_INSTALL_DIR, llvmForJSC is also
2017         installed to the given destination.
2018         * PlatformGTK.cmake: Set llvmForJSC_LIBRARIES and
2019         llvmForJSC_INSTALL_DIR.
2020
2021 2016-01-13  Saam barati  <sbarati@apple.com>
2022
2023         NativeExecutable should have a name field
2024         https://bugs.webkit.org/show_bug.cgi?id=153083
2025
2026         Reviewed by Geoffrey Garen.
2027
2028         This is going to help the SamplingProfiler come up
2029         with names for NativeExecutable objects it encounters.
2030
2031         * jit/JITThunks.cpp:
2032         (JSC::JITThunks::finalize):
2033         (JSC::JITThunks::hostFunctionStub):
2034         * jit/JITThunks.h:
2035         * runtime/Executable.h:
2036         * runtime/JSBoundFunction.cpp:
2037         (JSC::JSBoundFunction::create):
2038         * runtime/JSFunction.cpp:
2039         (JSC::JSFunction::create):
2040         (JSC::JSFunction::lookUpOrCreateNativeExecutable):
2041         * runtime/JSFunction.h:
2042         (JSC::JSFunction::createImpl):
2043         * runtime/JSNativeStdFunction.cpp:
2044         (JSC::JSNativeStdFunction::create):
2045         * runtime/VM.cpp:
2046         (JSC::thunkGeneratorForIntrinsic):
2047         (JSC::VM::getHostFunction):
2048         * runtime/VM.h:
2049         (JSC::VM::getCTIStub):
2050         (JSC::VM::exceptionOffset):
2051
2052 2016-01-13  Keith Miller  <keith_miller@apple.com>
2053
2054         [ES6] Support subclassing the String builtin object
2055         https://bugs.webkit.org/show_bug.cgi?id=153068
2056
2057         Reviewed by Michael Saboff.
2058
2059         This patch adds subclassing of strings. Also, this patch fixes a bug where we could have
2060         the wrong indexing type for builtins constructed without storage.
2061
2062         * runtime/PrototypeMap.cpp:
2063         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
2064         * runtime/StringConstructor.cpp:
2065         (JSC::constructWithStringConstructor):
2066         * tests/stress/class-subclassing-string.js: Added.
2067         (test):
2068
2069 2016-01-13  Mark Lam  <mark.lam@apple.com>
2070
2071         The StringFromCharCode DFG intrinsic should support untyped operands.
2072         https://bugs.webkit.org/show_bug.cgi?id=153046
2073
2074         Reviewed by Geoffrey Garen.
2075
2076         The current StringFromCharCode DFG intrinsic assumes that its operand charCode
2077         must be an Int32.  This results in 26000+ BadType OSR exits in the LongSpider
2078         crypto-aes benchmark.  With support for Untyped operands, the number of OSR
2079         exits drops to 202.
2080
2081         * dfg/DFGClobberize.h:
2082         (JSC::DFG::clobberize):
2083         * dfg/DFGFixupPhase.cpp:
2084         (JSC::DFG::FixupPhase::fixupNode):
2085         * dfg/DFGOperations.cpp:
2086         * dfg/DFGOperations.h:
2087         * dfg/DFGSpeculativeJIT.cpp:
2088         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2089         * dfg/DFGSpeculativeJIT.h:
2090         (JSC::DFG::SpeculativeJIT::callOperation):
2091         * dfg/DFGValidate.cpp:
2092         (JSC::DFG::Validate::validate):
2093         * runtime/JSCJSValueInlines.h:
2094         (JSC::JSValue::toUInt32):
2095
2096 2016-01-13  Mark Lam  <mark.lam@apple.com>
2097
2098         Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently.
2099         https://bugs.webkit.org/show_bug.cgi?id=153080
2100
2101         Reviewed by Geoffrey Garen.
2102
2103         We currently have Graph::mulShouldSpeculateInt32/machineInt() and
2104         Graph::negateShouldSpeculateInt32/MachineInt() functions which are only used by
2105         the ArithMul and ArithNegate nodes.  However, the same tests need to be done for
2106         many other arith nodes in the DFG.  This patch renames these functions as
2107         Graph::binaryArithShouldSpeculateInt32/machineInt() and
2108         Graph::unaryArithShouldSpeculateInt32/MachineInt(), and uses them consistently
2109         in the DFG.
2110
2111         * dfg/DFGFixupPhase.cpp:
2112         (JSC::DFG::FixupPhase::fixupNode):
2113         * dfg/DFGGraph.h:
2114         (JSC::DFG::Graph::addShouldSpeculateMachineInt):
2115         (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
2116         (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt):
2117         (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
2118         (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt):
2119         (JSC::DFG::Graph::mulShouldSpeculateInt32): Deleted.
2120         (JSC::DFG::Graph::mulShouldSpeculateMachineInt): Deleted.
2121         (JSC::DFG::Graph::negateShouldSpeculateInt32): Deleted.
2122         (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
2123         * dfg/DFGPredictionPropagationPhase.cpp:
2124         (JSC::DFG::PredictionPropagationPhase::propagate):
2125         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2126
2127 2016-01-13  Joseph Pecoraro  <pecoraro@apple.com>
2128
2129         Web Inspector: Inspector should use the last sourceURL / sourceMappingURL directive
2130         https://bugs.webkit.org/show_bug.cgi?id=153072
2131         <rdar://problem/24168312>
2132
2133         Reviewed by Timothy Hatcher.
2134
2135         * parser/Lexer.cpp:
2136         (JSC::Lexer<T>::parseCommentDirective):
2137         Just keep overwriting the member variable so we end up with
2138         the last directive value.
2139
2140 2016-01-13  Commit Queue  <commit-queue@webkit.org>
2141
2142         Unreviewed, rolling out r194969.
2143         https://bugs.webkit.org/show_bug.cgi?id=153075
2144
2145         This change broke the iOS build (Requested by ryanhaddad on
2146         #webkit).
2147
2148         Reverted changeset:
2149
2150         "[JSC] Legalize Memory Offsets for ARM64 before lowering to
2151         Air"
2152         https://bugs.webkit.org/show_bug.cgi?id=153065
2153         http://trac.webkit.org/changeset/194969
2154
2155 2016-01-13  Benjamin Poulain  <bpoulain@apple.com>
2156
2157         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
2158         https://bugs.webkit.org/show_bug.cgi?id=153065
2159
2160         Reviewed by Mark Lam.
2161         Reviewed by Filip Pizlo.
2162
2163         On ARM64, we cannot use a signed 32-bit offset for memory addressing.
2164         There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
2165         Air already knows about this.
2166
2167         In this patch, the offsets are changed to something valid for ARM64
2168         prior to lowering. When an offset is invalid, it is just computed
2169         before the instruction and used as the base for addressing.
2170
2171         * JavaScriptCore.xcodeproj/project.pbxproj:
2172         * b3/B3Generate.cpp:
2173         (JSC::B3::generateToAir):
2174         * b3/B3LegalizeMemoryOffsets.cpp: Added.
2175         (JSC::B3::legalizeMemoryOffsets):
2176         * b3/B3LegalizeMemoryOffsets.h: Added.
2177         * b3/B3LowerToAir.cpp:
2178         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
2179         * b3/testb3.cpp:
2180         (JSC::B3::testLoadWithOffsetImpl):
2181         (JSC::B3::testLoadOffsetImm9Max):
2182         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
2183         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
2184         (JSC::B3::testLoadOffsetImm9Min):
2185         (JSC::B3::testLoadOffsetImm9MinMinusOne):
2186         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
2187         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
2188         (JSC::B3::run):
2189
2190 2016-01-12  Per Arne Vollan  <peavo@outlook.com>
2191
2192         [FTL][Win64] Compile error.
2193         https://bugs.webkit.org/show_bug.cgi?id=153031
2194
2195         Reviewed by Brent Fulgham.
2196
2197         The header file dlfcn.h does not exist on Windows.
2198
2199         * ftl/FTLLowerDFGToLLVM.cpp:
2200
2201 2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>
2202
2203         Add a build flag for custom element
2204         https://bugs.webkit.org/show_bug.cgi?id=153005
2205
2206         Reviewed by Alex Christensen.
2207
2208         * Configurations/FeatureDefines.xcconfig:
2209
2210 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
2211
2212         [JSC] Remove some invalid immediate instruction forms from ARM64 Air
2213         https://bugs.webkit.org/show_bug.cgi?id=153024
2214
2215         Reviewed by Michael Saboff.
2216
2217         * b3/B3BasicBlock.h:
2218         Export the symbols for testb3.
2219
2220         * b3/air/AirOpcode.opcodes:
2221         We had 2 invalid opcodes:
2222         -Compare with immediate just does not exist.
2223         -Test64 with immediate exists but Air does not recognize
2224          the valid form of bit-immediates.
2225
2226         * b3/testb3.cpp:
2227         (JSC::B3::genericTestCompare):
2228         (JSC::B3::testCompareImpl):
2229         Extend the tests to cover what was invalid.
2230
2231 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
2232
2233         [JSC] JSC does not build with FTL_USES_B3 on ARM64
2234         https://bugs.webkit.org/show_bug.cgi?id=153011
2235
2236         Reviewed by Saam Barati.
2237
2238         Apparently the static const member can only be used for constexpr.
2239         C++ is weird.
2240
2241         * jit/GPRInfo.cpp:
2242         * jit/GPRInfo.h:
2243
2244 2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>
2245
2246         Web Inspector: console.count() shouldn't show a colon in front of a number
2247         https://bugs.webkit.org/show_bug.cgi?id=152038
2248
2249         Reviewed by Brian Burg.
2250
2251         * inspector/agents/InspectorConsoleAgent.cpp:
2252         (Inspector::InspectorConsoleAgent::count):
2253         Do not include title and colon if the title is empty.
2254
2255 2016-01-11  Dan Bernstein  <mitz@apple.com>
2256
2257         Reverted r194317.
2258
2259         Reviewed by Joseph Pecoraro.
2260
2261         r194317 did not contain a change log entry, did not explain the motivation, did not name a
2262         reviewer, and does not seem necessary.
2263
2264         * JavaScriptCore.xcodeproj/project.pbxproj:
2265
2266 2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>
2267
2268         keywords ("super", "delete", etc) should be valid method names
2269         https://bugs.webkit.org/show_bug.cgi?id=144281
2270
2271         Reviewed by Ryosuke Niwa.
2272
2273         * parser/Parser.cpp:
2274         (JSC::Parser<LexerType>::parseClass):
2275         - When parsing "static(" treat it as a method named "static" and not a static method.
2276         - When parsing a keyword, treat it like a string method name (get and set are not keywords).
2277         - When parsing a getter / setter method name identifier, allow the lookahead to be a keyword.
2278
2279         (JSC::Parser<LexerType>::parseGetterSetter):
2280         - When parsing the getter / setter's name, allow it to be a keyword.
2281
2282 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
2283
2284         [JSC] Add Div/Mod and fix Mul for B3 ARM64
2285         https://bugs.webkit.org/show_bug.cgi?id=152978
2286
2287         Reviewed by Filip Pizlo.
2288
2289         Add the 3-operand forms of Mul.
2290         Remove the form taking an immediate on ARM64; there is no such instruction.
2291
2292         Add Div with sdiv.
2293
2294         Unfortunately, I discovered that ChillMod's division by zero
2295         makes it non-trivial on ARM64. I just made it into a macro like on x86.
2296
2297         * assembler/MacroAssemblerARM64.h:
2298         (JSC::MacroAssemblerARM64::mul32):
2299         (JSC::MacroAssemblerARM64::mul64):
2300         (JSC::MacroAssemblerARM64::div32):
2301         (JSC::MacroAssemblerARM64::div64):
2302         * b3/B3LowerMacros.cpp:
2303         * b3/B3LowerToAir.cpp:
2304         (JSC::B3::Air::LowerToAir::lower):
2305         * b3/air/AirOpcode.opcodes:
2306
2307 2016-01-11  Keith Miller  <keith_miller@apple.com>
2308
2309         Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
2310         https://bugs.webkit.org/show_bug.cgi?id=152949
2311
2312         Reviewed by Michael Saboff.
2313
2314         This patch updates Array constructors to use the new InternalFunctionAllocationProfile.
2315
2316         * runtime/ArrayConstructor.cpp:
2317         (JSC::constructArrayWithSizeQuirk):
2318         (JSC::constructWithArrayConstructor):
2319         * runtime/InternalFunction.h:
2320         (JSC::InternalFunction::createStructure):
2321         * runtime/JSGlobalObject.h:
2322         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
2323         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
2324         (JSC::constructEmptyArray):
2325         (JSC::constructArray):
2326         (JSC::constructArrayNegativeIndexed):
2327         * runtime/PrototypeMap.cpp:
2328         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
2329         * runtime/Structure.h:
2330         * runtime/StructureInlines.h:
2331
2332 2016-01-08  Keith Miller  <keith_miller@apple.com>
2333
2334         Use a profile to store allocation structures for subclasses of InternalFunctions
2335         https://bugs.webkit.org/show_bug.cgi?id=152942
2336
2337         Reviewed by Michael Saboff.
2338
2339         This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
2340         a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
2341         InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
2342         constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
2343         constructor as a new.target to any other constructor. This means that a user can pass some
2344         non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
2345         new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
2346         need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
2347         current constructor. By using different profiles, we only need to check the profile in InternalFunctions
2348         as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
2349         low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.
2350
2351         Additionally, this patch adds subclassing to some omitted classes.
2352
2353         * API/JSObjectRef.cpp:
2354         (JSObjectMakeDate):
2355         (JSObjectMakeRegExp):
2356         * JavaScriptCore.xcodeproj/project.pbxproj:
2357         * bytecode/InternalFunctionAllocationProfile.h: Added.
2358         (JSC::InternalFunctionAllocationProfile::structure):
2359         (JSC::InternalFunctionAllocationProfile::clear):
2360         (JSC::InternalFunctionAllocationProfile::visitAggregate):
2361         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
2362         * dfg/DFGByteCodeParser.cpp:
2363         (JSC::DFG::ByteCodeParser::parseBlock):
2364         * dfg/DFGOperations.cpp:
2365         * dfg/DFGSpeculativeJIT32_64.cpp:
2366         (JSC::DFG::SpeculativeJIT::compile):
2367         * dfg/DFGSpeculativeJIT64.cpp:
2368         (JSC::DFG::SpeculativeJIT::compile):
2369         * jit/JITOpcodes.cpp:
2370         (JSC::JIT::emit_op_create_this):
2371         * jit/JITOpcodes32_64.cpp:
2372         (JSC::JIT::emit_op_create_this):
2373         * llint/LowLevelInterpreter32_64.asm:
2374         * llint/LowLevelInterpreter64.asm:
2375         * runtime/BooleanConstructor.cpp:
2376         (JSC::constructWithBooleanConstructor):
2377         * runtime/CommonSlowPaths.cpp:
2378         (JSC::SLOW_PATH_DECL):
2379         * runtime/DateConstructor.cpp:
2380         (JSC::constructDate):
2381         (JSC::constructWithDateConstructor):
2382         * runtime/DateConstructor.h:
2383         * runtime/ErrorConstructor.cpp:
2384         (JSC::Interpreter::constructWithErrorConstructor):
2385         * runtime/FunctionRareData.cpp:
2386         (JSC::FunctionRareData::create):
2387         (JSC::FunctionRareData::visitChildren):
2388         (JSC::FunctionRareData::FunctionRareData):
2389         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2390         (JSC::FunctionRareData::clear):
2391         (JSC::FunctionRareData::finishCreation): Deleted.
2392         (JSC::FunctionRareData::initialize): Deleted.
2393         * runtime/FunctionRareData.h:
2394         (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
2395         (JSC::FunctionRareData::objectAllocationProfile):
2396         (JSC::FunctionRareData::objectAllocationStructure):
2397         (JSC::FunctionRareData::allocationProfileWatchpointSet):
2398         (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
2399         (JSC::FunctionRareData::internalFunctionAllocationStructure):
2400         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
2401         (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
2402         (JSC::FunctionRareData::allocationProfile): Deleted.
2403         (JSC::FunctionRareData::allocationStructure): Deleted.
2404         (JSC::FunctionRareData::isInitialized): Deleted.
2405         * runtime/InternalFunction.cpp:
2406         (JSC::InternalFunction::createSubclassStructure):
2407         * runtime/InternalFunction.h:
2408         * runtime/JSArrayBufferConstructor.cpp:
2409         (JSC::constructArrayBuffer):
2410         * runtime/JSFunction.cpp:
2411         (JSC::JSFunction::allocateRareData):
2412         (JSC::JSFunction::allocateAndInitializeRareData):
2413         (JSC::JSFunction::initializeRareData):
2414         * runtime/JSFunction.h:
2415         (JSC::JSFunction::rareData):
2416         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2417         (JSC::constructGenericTypedArrayView):
2418         * runtime/JSObject.h:
2419         (JSC::JSFinalObject::typeInfo):
2420         (JSC::JSFinalObject::createStructure):
2421         * runtime/JSPromiseConstructor.cpp:
2422         (JSC::constructPromise):
2423         * runtime/JSPromiseConstructor.h:
2424         * runtime/JSWeakMap.cpp:
2425         * runtime/JSWeakSet.cpp:
2426         * runtime/MapConstructor.cpp:
2427         (JSC::constructMap):
2428         * runtime/NativeErrorConstructor.cpp:
2429         (JSC::Interpreter::constructWithNativeErrorConstructor):
2430         * runtime/NumberConstructor.cpp:
2431         (JSC::constructWithNumberConstructor):
2432         * runtime/PrototypeMap.cpp:
2433         (JSC::PrototypeMap::createEmptyStructure):
2434         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
2435         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2436         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
2437         * runtime/PrototypeMap.h:
2438         * runtime/RegExpConstructor.cpp:
2439         (JSC::getRegExpStructure):
2440         (JSC::constructRegExp):
2441         (JSC::constructWithRegExpConstructor):
2442         * runtime/RegExpConstructor.h:
2443         * runtime/SetConstructor.cpp:
2444         (JSC::constructSet):
2445         * runtime/WeakMapConstructor.cpp:
2446         (JSC::constructWeakMap):
2447         * runtime/WeakSetConstructor.cpp:
2448         (JSC::constructWeakSet):
2449         * tests/stress/class-subclassing-misc.js:
2450         (A):
2451         (D):
2452         (E):
2453         (WM):
2454         (WS):
2455         (test):
2456         * tests/stress/class-subclassing-typedarray.js: Added.
2457         (test):
2458
2459 2016-01-11  Per Arne Vollan  <peavo@outlook.com>
2460
2461         [B3][Win64] Compile error.
2462         https://bugs.webkit.org/show_bug.cgi?id=152984
2463
2464         Reviewed by Alex Christensen.
2465
2466         Windows does not have bzero, use memset instead.
2467
2468         * b3/air/AirIteratedRegisterCoalescing.cpp:
2469
2470 2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>
2471
2472         Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
2473         https://bugs.webkit.org/show_bug.cgi?id=152923
2474
2475         Reviewed by Alex Christensen.
2476
2477         * jit/CallFrameShuffler.h:
2478         (JSC::CallFrameShuffler::assumeCalleeIsCell):
2479
2480 2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>
2481
2482         [B3] Fix control reaches end of non-void function GCC warnings on Linux
2483         https://bugs.webkit.org/show_bug.cgi?id=152887
2484
2485         Reviewed by Mark Lam.
2486
2487         * b3/B3LowerToAir.cpp:
2488         (JSC::B3::Air::LowerToAir::createBranch):
2489         (JSC::B3::Air::LowerToAir::createCompare):
2490         (JSC::B3::Air::LowerToAir::createSelect):
2491         * b3/B3Type.h:
2492         (JSC::B3::sizeofType):
2493         * b3/air/AirArg.cpp:
2494         (JSC::B3::Air::Arg::isRepresentableAs):
2495         * b3/air/AirArg.h:
2496         (JSC::B3::Air::Arg::isAnyUse):
2497         (JSC::B3::Air::Arg::isColdUse):
2498         (JSC::B3::Air::Arg::isEarlyUse):
2499         (JSC::B3::Air::Arg::isLateUse):
2500         (JSC::B3::Air::Arg::isAnyDef):
2501         (JSC::B3::Air::Arg::isEarlyDef):
2502         (JSC::B3::Air::Arg::isLateDef):
2503         (JSC::B3::Air::Arg::isZDef):
2504         (JSC::B3::Air::Arg::widthForB3Type):
2505         (JSC::B3::Air::Arg::isGP):
2506         (JSC::B3::Air::Arg::isFP):
2507         (JSC::B3::Air::Arg::isType):
2508         (JSC::B3::Air::Arg::isValidForm):
2509         * b3/air/AirCode.h:
2510         (JSC::B3::Air::Code::newTmp):
2511         (JSC::B3::Air::Code::numTmps):
2512
2513 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
2514
2515         Make it easier to introduce exotic instructions to Air
2516         https://bugs.webkit.org/show_bug.cgi?id=152953
2517
2518         Reviewed by Benjamin Poulain.
2519
2520         Currently, you can define new "opcodes" in Air using either:
2521
2522         1) New opcode declared in AirOpcode.opcodes.
2523         2) Patch opcode with a new implementation of Air::Special.
2524
2525         With (1), you are limited to fixed-argument-length instructions. There are other
2526         restrictions as well, like that you can only use the roles that the AirOpcode syntax
2527         supports.
2528
2529         With (2), you can do anything you like, but the instruction will be harder to match
2530         since it will share the same opcode as any other Patch. Also, the instruction will have
2531         the Special argument, which means more busy-work when creating the instruction and
2532         validating it.
2533
2534         This introduces an in-between facility called "custom". This replaces what AirOpcode
2535         previously called "special". A custom instruction is one whose behavior is defined by a
2536         FooCustom struct with some static methods. Calls to those methods are emitted by
2537         opcode_generator.rb.
2538
2539         The "custom" facility is powerful enough to be used to implement Patch, with the caveat
2540         that we now treat the Patch instruction specially in a few places. Those places were
2541         already effectively treating it specially by assuming that only Patch instructions have
2542         a Special as their first argument.
2543
2544         This will let me implement the Shuffle instruction (bug 152952), which I think is needed
2545         for performance work.
2546
2547         * JavaScriptCore.xcodeproj/project.pbxproj:
2548         * b3/air/AirCustom.h: Added.
2549         (JSC::B3::Air::PatchCustom::forEachArg):
2550         (JSC::B3::Air::PatchCustom::isValidFormStatic):
2551         (JSC::B3::Air::PatchCustom::isValidForm):
2552         (JSC::B3::Air::PatchCustom::admitsStack):
2553         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
2554         (JSC::B3::Air::PatchCustom::generate):
2555         * b3/air/AirHandleCalleeSaves.cpp:
2556         (JSC::B3::Air::handleCalleeSaves):
2557         * b3/air/AirInst.h:
2558         * b3/air/AirInstInlines.h:
2559         (JSC::B3::Air::Inst::forEach):
2560         (JSC::B3::Air::Inst::extraClobberedRegs):
2561         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
2562         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
2563         (JSC::B3::Air::Inst::reportUsedRegisters):
2564         (JSC::B3::Air::Inst::hasSpecial): Deleted.
2565         * b3/air/AirOpcode.opcodes:
2566         * b3/air/AirReportUsedRegisters.cpp:
2567         (JSC::B3::Air::reportUsedRegisters):
2568         * b3/air/opcode_generator.rb:
2569
2570 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
2571
2572         Turn Check(true) into Patchpoint() followed by Oops
2573         https://bugs.webkit.org/show_bug.cgi?id=152968
2574
2575         Reviewed by Benjamin Poulain.
2576
2577         This is an obvious strength reduction to have, especially since if we discover that the
2578         input to the Check is true after some amount of B3 optimization, then stubbing out the rest
2579         of the basic block unlocks CFG simplification opportunities.
2580
2581         It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
2582         implement sinking (bug 152162).
2583
2584         * b3/B3ControlValue.cpp:
2585         (JSC::B3::ControlValue::convertToJump):
2586         (JSC::B3::ControlValue::convertToOops):
2587         (JSC::B3::ControlValue::dumpMeta):
2588         * b3/B3ControlValue.h:
2589         * b3/B3InsertionSet.h:
2590         (JSC::B3::InsertionSet::insertValue):
2591         * b3/B3InsertionSetInlines.h:
2592         (JSC::B3::InsertionSet::insert):
2593         * b3/B3ReduceStrength.cpp:
2594         * b3/B3StackmapValue.h:
2595         * b3/B3Value.h:
2596         * tests/stress/ftl-force-osr-exit.js: Added.
2597
2598 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
2599
2600         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
2601         https://bugs.webkit.org/show_bug.cgi?id=152840
2602
2603         Reviewed by Mark Lam.
2604
2605         ARM64 has two kinds of addressing with immediates:
2606         -Signed 9-bit direct (really only -256 to 255).
2607         -Unsigned 12-bit scaled by the load/store size.
2608
2609         When resolving the stack addresses, we easily run
2610         past -256 bytes from FP. Addressing from SP gives us more
2611         room to address the stack efficiently because we can
2612         use unsigned immediates.
2613
2614         * b3/B3StackmapSpecial.cpp:
2615         (JSC::B3::StackmapSpecial::repForArg):
2616         * b3/air/AirAllocateStack.cpp:
2617         (JSC::B3::Air::allocateStack):
2618
2619 2016-01-10  Saam barati  <sbarati@apple.com>
2620
2621         Implement a sampling profiler
2622         https://bugs.webkit.org/show_bug.cgi?id=151713
2623
2624         Reviewed by Filip Pizlo.
2625
2626         This patch implements a sampling profiler for JavaScriptCore
2627         that will be used in the Inspector UI. The implementation works as follows:
2628         We queue the sampling profiler to run a task on a background
2629         thread every 1ms. When the queued task executes, the sampling profiler
2630         will pause the JSC execution thread and attempt to take a stack trace. 
2631         The sampling profiler does everything it can to be very careful
2632         while taking this stack trace. Because it's reading arbitrary memory,
2633         the sampling profiler must validate every pointer it reads from.
2634
2635         The sampling profiler tries to get an ExecutableBase for every call frame
2636         it reads. It first tries to read the CodeBlock slot. It does this because
2637         it can be 100% certain that a pointer is a CodeBlock while it's taking a
2638         stack trace. But, not every call frame will have a CodeBlock. So we must read
2639         the call frame's callee. For these stack traces where we read the callee, we
2640         must verify the callee pointer, and the pointer traversal to an ExecutableBase,
2641         on the main JSC execution thread, and not on the thread taking the stack
2642         trace. We do this verification either before we run the marking phase in
2643         GC, or when somebody asks the SamplingProfiler to materialize its data.
2644
2645         The SamplingProfiler must also be careful to not grab any locks while the JSC execution
2646         thread is paused (this means it can't do anything that mallocs) because
2647         that could cause a deadlock. Therefore, the sampling profiler grabs
2648         locks for all data structures it consults before it pauses the JSC
2649         execution thread.
2650
2651         * CMakeLists.txt:
2652         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2653         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2654         * JavaScriptCore.xcodeproj/project.pbxproj:
2655         * bytecode/CodeBlock.h:
2656         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2657         (JSC::CodeBlockSet::mark):
2658         * dfg/DFGNodeType.h:
2659         * heap/CodeBlockSet.cpp:
2660         (JSC::CodeBlockSet::add):
2661         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2662         (JSC::CodeBlockSet::clearMarksForFullCollection):
2663         (JSC::CodeBlockSet::lastChanceToFinalize):
2664         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2665         (JSC::CodeBlockSet::contains):
2666         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
2667         (JSC::CodeBlockSet::remove): Deleted.
2668         * heap/CodeBlockSet.h:
2669         (JSC::CodeBlockSet::getLock):
2670         (JSC::CodeBlockSet::iterate):
2671         The sampling profiler uses the heap's CodeBlockSet to validate
2672         CodeBlock pointers. This data structure must now be under a lock
2673         because we must be certain we're not pausing the JSC execution thread
2674         while it's manipulating this data structure.
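
        The defensive stack walk this entry describes (validate every pointer before following it, take the CodeBlockSet lock before pausing the mutator), as an added C++ illustration that is not part of this ChangeLog entry or of SamplingProfiler.cpp. Frame, CodeBlockRegistry, StackBounds, sampleStack and runScenario are this example's own constructed model; the real profiler validates against the heap's CodeBlockSet, MachineThreads and ExecutableAllocator rather than the toy registry here.

```cpp
// Added example, not JavaScriptCore code: a model of the defensive stack walk
// described in the entry above. The sampler reads another thread's stack, so
// every pointer it follows is validated before it is dereferenced, and the
// registry lock is taken before the mutator would be paused, never after.
#include <cstddef>
#include <cstdint>
#include <mutex>
#include <set>
#include <vector>

// Constructed model of a call frame: the saved caller frame pointer and the
// slot that should hold a registered CodeBlock pointer.
struct Frame {
    const Frame* callerFP;
    const void* codeBlock;
};

// Stands in for the heap's CodeBlockSet: a lock-protected set of live
// CodeBlock addresses that lets the sampler check a pointer before trusting it.
class CodeBlockRegistry {
public:
    void add(const void* codeBlock)
    {
        std::lock_guard<std::mutex> guard(m_lock);
        m_blocks.insert(codeBlock);
    }
    std::mutex& lock() { return m_lock; }
    // Caller must hold lock().
    bool containsLocked(const void* codeBlock) const { return m_blocks.count(codeBlock) != 0; }
private:
    std::mutex m_lock;
    std::set<const void*> m_blocks;
};

// Address range of the paused thread's stack. A frame pointer is only
// followed if the whole Frame lies inside it and is properly aligned.
struct StackBounds {
    uintptr_t low;
    uintptr_t high;
    bool containsFrame(const Frame* fp) const
    {
        uintptr_t p = reinterpret_cast<uintptr_t>(fp);
        return p >= low && p + sizeof(Frame) <= high && p % alignof(Frame) == 0;
    }
};

// Walks the frame chain from fp outward and returns the CodeBlocks seen,
// innermost first. The walk stops at the first frame pointer outside the
// stack, the first unregistered CodeBlock, or a chain that does not move
// toward higher addresses (a cycle), and is also capped at maxDepth.
std::vector<const void*> sampleStack(const Frame* fp, const StackBounds& stack,
                                     CodeBlockRegistry& registry, size_t maxDepth = 64)
{
    // Taken before the target thread would be suspended: acquiring a lock after
    // suspending a thread that may already hold it is a deadlock.
    std::lock_guard<std::mutex> guard(registry.lock());
    std::vector<const void*> trace;
    while (fp && trace.size() < maxDepth) {
        if (!stack.containsFrame(fp))
            break;
        if (!registry.containsLocked(fp->codeBlock))
            break;
        trace.push_back(fp->codeBlock);
        const Frame* caller = fp->callerFP;
        if (caller && reinterpret_cast<uintptr_t>(caller) <= reinterpret_cast<uintptr_t>(fp))
            break;
        fp = caller;
    }
    return trace;
}

enum class Corruption { None, UnregisteredCodeBlock, WildFramePointer };

// Builds a constructed three-frame stack (innermost at the lowest address),
// optionally corrupts the middle frame, and returns how many frames the
// sampler accepted before it stopped.
size_t runScenario(Corruption corruption)
{
    static int codeBlockA, codeBlockB, codeBlockC; // stand-ins for CodeBlock objects
    CodeBlockRegistry registry;
    registry.add(&codeBlockA);
    registry.add(&codeBlockB);
    registry.add(&codeBlockC);

    Frame frames[3];
    frames[0] = { &frames[1], &codeBlockA };
    frames[1] = { &frames[2], &codeBlockB };
    frames[2] = { nullptr, &codeBlockC };
    if (corruption == Corruption::UnregisteredCodeBlock)
        frames[1].codeBlock = &corruption; // a live pointer, but not a CodeBlock
    else if (corruption == Corruption::WildFramePointer)
        frames[1].callerFP = reinterpret_cast<const Frame*>(uintptr_t(0x10)); // bogus address

    StackBounds bounds { reinterpret_cast<uintptr_t>(frames),
                         reinterpret_cast<uintptr_t>(frames + 3) };
    return sampleStack(frames, bounds, registry).size();
}
```

        An intact stack yields all three frames; a frame whose CodeBlock slot no longer points at a registered block truncates the trace at that frame, and a frame whose saved frame pointer leaves the stack truncates it one frame later. In both corrupted cases the sampler returns a shorter trace instead of reading through a bad pointer.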
2675
2676         * heap/ConservativeRoots.cpp:
2677         (JSC::ConservativeRoots::ConservativeRoots):
2678         (JSC::ConservativeRoots::grow):
2679         (JSC::ConservativeRoots::genericAddPointer):
2680         (JSC::ConservativeRoots::genericAddSpan):
2681         (JSC::ConservativeRoots::add):
2682         (JSC::CompositeMarkHook::CompositeMarkHook):
2683         (JSC::CompositeMarkHook::mark):
2684         * heap/ConservativeRoots.h:
2685         * heap/Heap.cpp:
2686         (JSC::Heap::markRoots):
2687         (JSC::Heap::visitHandleStack):
2688         (JSC::Heap::visitSamplingProfiler):
2689         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2690         (JSC::Heap::snapshotMarkedSpace):
2691         * heap/Heap.h:
2692         (JSC::Heap::structureIDTable):
2693         (JSC::Heap::codeBlockSet):
2694         * heap/MachineStackMarker.cpp:
2695         (pthreadSignalHandlerSuspendResume):
2696         (JSC::getCurrentPlatformThread):
2697         (JSC::MachineThreads::MachineThreads):
2698         (JSC::MachineThreads::~MachineThreads):
2699         (JSC::MachineThreads::Thread::createForCurrentThread):
2700         (JSC::MachineThreads::Thread::operator==):
2701         (JSC::isThreadInList):
2702         (JSC::MachineThreads::addCurrentThread):
2703         (JSC::MachineThreads::machineThreadForCurrentThread):
2704         (JSC::MachineThreads::removeThread):
2705         (JSC::MachineThreads::gatherFromCurrentThread):
2706         (JSC::MachineThreads::Thread::Thread):
2707         (JSC::MachineThreads::Thread::~Thread):
2708         (JSC::MachineThreads::Thread::suspend):
2709         (JSC::MachineThreads::Thread::resume):
2710         (JSC::MachineThreads::Thread::getRegisters):
2711         (JSC::MachineThreads::Thread::Registers::stackPointer):
2712         (JSC::MachineThreads::Thread::Registers::framePointer):
2713         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2714         (JSC::MachineThreads::Thread::freeRegisters):
2715         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2716         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2717         (JSC::MachineThreads::Thread::operator!=): Deleted.
2718         * heap/MachineStackMarker.h:
2719         (JSC::MachineThreads::Thread::operator!=):
2720         (JSC::MachineThreads::getLock):
2721         (JSC::MachineThreads::threadsListHead):
2722         We can now ask a MachineThreads::Thread for its frame pointer
2723         and program counter on Darwin and Windows platforms. EFL
2724         and GTK implementations will happen in another patch.
2725
2726         * heap/MarkedBlockSet.h:
2727         (JSC::MarkedBlockSet::getLock):
2728         (JSC::MarkedBlockSet::add):
2729         (JSC::MarkedBlockSet::remove):
2730         (JSC::MarkedBlockSet::recomputeFilter):
2731         (JSC::MarkedBlockSet::filter):
2732         (JSC::MarkedBlockSet::set):
2733         * heap/MarkedSpace.cpp:
2734         (JSC::Free::Free):
2735         (JSC::Free::operator()):
2736         (JSC::FreeOrShrink::FreeOrShrink):
2737         (JSC::FreeOrShrink::operator()):
2738         (JSC::MarkedSpace::~MarkedSpace):
2739         (JSC::MarkedSpace::isPagedOut):
2740         (JSC::MarkedSpace::freeBlock):
2741         (JSC::MarkedSpace::freeOrShrinkBlock):
2742         (JSC::MarkedSpace::shrink):
2743         * heap/MarkedSpace.h:
2744         (JSC::MarkedSpace::forEachLiveCell):
2745         (JSC::MarkedSpace::forEachDeadCell):
2746         * interpreter/CallFrame.h:
2747         (JSC::ExecState::calleeAsValue):
2748         (JSC::ExecState::callee):
2749         (JSC::ExecState::unsafeCallee):
2750         (JSC::ExecState::codeBlock):
2751         (JSC::ExecState::scope):
2752         * jit/ExecutableAllocator.cpp:
2753         (JSC::ExecutableAllocator::dumpProfile):
2754         (JSC::ExecutableAllocator::getLock):
2755         (JSC::ExecutableAllocator::isValidExecutableMemory):
2756         * jit/ExecutableAllocator.h:
2757         * jit/ExecutableAllocatorFixedVMPool.cpp:
2758         (JSC::ExecutableAllocator::allocate):
2759         (JSC::ExecutableAllocator::isValidExecutableMemory):
2760         (JSC::ExecutableAllocator::getLock):
2761         (JSC::ExecutableAllocator::committedByteCount):
2762         The sampling profiler consults the ExecutableAllocator to check
2763         if the frame pointer it reads is in executable allocated memory.
2764
2765         * jsc.cpp:
2766         (GlobalObject::finishCreation):
2767         (functionCheckModuleSyntax):
2768         (functionStartSamplingProfiler):
2769         (functionSamplingProfilerStackTraces):
2770         * llint/LLIntPCRanges.h: Added.
2771         (JSC::LLInt::isLLIntPC):
2772         * offlineasm/asm.rb:
2773         I added the ability to test whether the PC is executing
2774         LLInt code because this code is not part of the memory
2775         our executable allocator allocates.
2776
2777         * runtime/Executable.h:
2778         (JSC::ExecutableBase::isModuleProgramExecutable):
2779         (JSC::ExecutableBase::isExecutableType):
2780         (JSC::ExecutableBase::isHostFunction):
2781         * runtime/JSLock.cpp:
2782         (JSC::JSLock::didAcquireLock):
2783         (JSC::JSLock::unlock):
2784         * runtime/Options.h:
2785         * runtime/SamplingProfiler.cpp: Added.
2786         (JSC::reportStats):
2787         (JSC::FrameWalker::FrameWalker):
2788         (JSC::FrameWalker::walk):
2789         (JSC::FrameWalker::wasValidWalk):
2790         (JSC::FrameWalker::advanceToParentFrame):
2791         (JSC::FrameWalker::isAtTop):
2792         (JSC::FrameWalker::resetAtMachineFrame):
2793         (JSC::FrameWalker::isValidFramePointer):
2794         (JSC::FrameWalker::isValidCodeBlock):
2795         (JSC::FrameWalker::tryToGetExecutableFromCallee):
2796         The FrameWalker class is used to walk the stack in a safe
2797         manner. It doesn't do anything that would deadlock, and it
2798         validates all pointers that it sees.
2799
2800         (JSC::SamplingProfiler::SamplingProfiler):
2801         (JSC::SamplingProfiler::~SamplingProfiler):
2802         (JSC::SamplingProfiler::visit):
2803         (JSC::SamplingProfiler::shutdown):
2804         (JSC::SamplingProfiler::start):
2805         (JSC::SamplingProfiler::stop):
2806         (JSC::SamplingProfiler::pause):
2807         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2808         (JSC::SamplingProfiler::dispatchIfNecessary):
2809         (JSC::SamplingProfiler::dispatchFunction):
2810         (JSC::SamplingProfiler::noticeJSLockAcquisition):
2811         (JSC::SamplingProfiler::noticeVMEntry):
2812         (JSC::SamplingProfiler::observeStackTrace):
2813         (JSC::SamplingProfiler::clearData):
2814         (JSC::displayName):
2815         (JSC::startLine):
2816         (JSC::startColumn):
2817         (JSC::sourceID):
2818         (JSC::url):
2819         (JSC::SamplingProfiler::stacktracesAsJSON):
2820         * runtime/SamplingProfiler.h: Added.
2821         (JSC::SamplingProfiler::getLock):
2822         (JSC::SamplingProfiler::setTimingInterval):
2823         (JSC::SamplingProfiler::stackTraces):
2824         * runtime/VM.cpp:
2825         (JSC::VM::VM):
2826         (JSC::VM::~VM):
2827         (JSC::VM::setLastStackTop):
2828         (JSC::VM::createContextGroup):
2829         (JSC::VM::ensureWatchdog):
2830         (JSC::VM::ensureSamplingProfiler):
2831         (JSC::thunkGeneratorForIntrinsic):
2832         * runtime/VM.h:
2833         (JSC::VM::watchdog):
2834         (JSC::VM::isSafeToRecurse):
2835         (JSC::VM::lastStackTop):
2836         (JSC::VM::scratchBufferForSize):
2837         (JSC::VM::samplingProfiler):
2838         (JSC::VM::setShouldRewriteConstAsVar):
2839         (JSC::VM::setLastStackTop): Deleted.
2840         * runtime/VMEntryScope.cpp:
2841         (JSC::VMEntryScope::VMEntryScope):
2842         * tests/stress/sampling-profiler: Added.
2843         * tests/stress/sampling-profiler-anonymous-function.js: Added.
2844         (foo):
2845         (baz):
2846         * tests/stress/sampling-profiler-basic.js: Added.
2847         (bar):
2848         (foo):
2849         (nothing):
2850         (top):
2851         (jaz):
2852         (kaz):
2853         (checkInlining):
2854         * tests/stress/sampling-profiler-deep-stack.js: Added.
2855         (foo):
2856         (hellaDeep):
2857         (start):
2858         * tests/stress/sampling-profiler-microtasks.js: Added.
2859         (testResults):
2860         (loop.jaz):
2861         (loop):
2862         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
2863         (assert):
2864         (let.nodePrototype.makeChildIfNeeded):
2865         (makeNode):
2866         (updateCallingContextTree):
2867         (doesTreeHaveStackTrace):
2868         (makeTree):
2869         (runTest):
2870         (dumpTree):
2871         * tools/JSDollarVMPrototype.cpp:
2872         (JSC::JSDollarVMPrototype::isInObjectSpace):
2873         (JSC::JSDollarVMPrototype::isInStorageSpace):
2874         * yarr/YarrJIT.cpp:
2875         (JSC::Yarr::YarrGenerator::generateEnter):
2876         (JSC::Yarr::YarrGenerator::generateReturn):
2877         (JSC::Yarr::YarrGenerator::YarrGenerator):
2878         (JSC::Yarr::YarrGenerator::compile):
2879         (JSC::Yarr::jitCompile):
2880         We now have a boolean that's set to true when
2881         we're executing a RegExp, and to false otherwise.
2882         The boolean lives off of VM.
2883
2884         * CMakeLists.txt:
2885         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2886         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2887         * JavaScriptCore.xcodeproj/project.pbxproj:
2888         * bytecode/CodeBlock.h:
2889         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2890         (JSC::CodeBlockSet::mark):
2891         * dfg/DFGNodeType.h:
2892         * heap/CodeBlockSet.cpp:
2893         (JSC::CodeBlockSet::add):
2894         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2895         (JSC::CodeBlockSet::clearMarksForFullCollection):
2896         (JSC::CodeBlockSet::lastChanceToFinalize):
2897         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2898         (JSC::CodeBlockSet::contains):
2899         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
2900         (JSC::CodeBlockSet::remove): Deleted.
2901         * heap/CodeBlockSet.h:
2902         (JSC::CodeBlockSet::getLock):
2903         (JSC::CodeBlockSet::iterate):
2904         * heap/ConservativeRoots.cpp:
2905         (JSC::ConservativeRoots::ConservativeRoots):
2906         (JSC::ConservativeRoots::genericAddPointer):
2907         (JSC::ConservativeRoots::add):
2908         (JSC::CompositeMarkHook::CompositeMarkHook):
2909         (JSC::CompositeMarkHook::mark):
2910         * heap/ConservativeRoots.h:
2911         * heap/Heap.cpp:
2912         (JSC::Heap::markRoots):
2913         (JSC::Heap::visitHandleStack):
2914         (JSC::Heap::visitSamplingProfiler):
2915         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2916         * heap/Heap.h:
2917         (JSC::Heap::structureIDTable):
2918         (JSC::Heap::codeBlockSet):
2919         * heap/HeapInlines.h:
2920         (JSC::Heap::didFreeBlock):
2921         (JSC::Heap::isPointerGCObject):
2922         (JSC::Heap::isValueGCObject):
2923         * heap/MachineStackMarker.cpp:
2924         (pthreadSignalHandlerSuspendResume):
2925         (JSC::getCurrentPlatformThread):
2926         (JSC::MachineThreads::MachineThreads):
2927         (JSC::MachineThreads::~MachineThreads):
2928         (JSC::MachineThreads::Thread::createForCurrentThread):
2929         (JSC::MachineThreads::Thread::operator==):
2930         (JSC::isThreadInList):
2931         (JSC::MachineThreads::addCurrentThread):
2932         (JSC::MachineThreads::machineThreadForCurrentThread):
2933         (JSC::MachineThreads::removeThread):
2934         (JSC::MachineThreads::gatherFromCurrentThread):
2935         (JSC::MachineThreads::Thread::Thread):
2936         (JSC::MachineThreads::Thread::~Thread):
2937         (JSC::MachineThreads::Thread::suspend):
2938         (JSC::MachineThreads::Thread::resume):
2939         (JSC::MachineThreads::Thread::getRegisters):
2940         (JSC::MachineThreads::Thread::Registers::stackPointer):
2941         (JSC::MachineThreads::Thread::Registers::framePointer):
2942         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2943         (JSC::MachineThreads::Thread::freeRegisters):
2944         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2945         (JSC::MachineThreads::Thread::operator!=): Deleted.
2946         * heap/MachineStackMarker.h:
2947         (JSC::MachineThreads::Thread::operator!=):
2948         (JSC::MachineThreads::getLock):
2949         (JSC::MachineThreads::threadsListHead):
2950         * heap/MarkedBlockSet.h:
2951         * heap/MarkedSpace.cpp:
2952         (JSC::Free::Free):
2953         (JSC::Free::operator()):
2954         (JSC::FreeOrShrink::FreeOrShrink):
2955         (JSC::FreeOrShrink::operator()):
2956         * interpreter/CallFrame.h:
2957         (JSC::ExecState::calleeAsValue):
2958         (JSC::ExecState::callee):
2959         (JSC::ExecState::unsafeCallee):
2960         (JSC::ExecState::codeBlock):
2961         (JSC::ExecState::scope):
2962         * jit/ExecutableAllocator.cpp:
2963         (JSC::ExecutableAllocator::dumpProfile):
2964         (JSC::ExecutableAllocator::getLock):
2965         (JSC::ExecutableAllocator::isValidExecutableMemory):
2966         * jit/ExecutableAllocator.h:
2967         * jit/ExecutableAllocatorFixedVMPool.cpp:
2968         (JSC::ExecutableAllocator::allocate):
2969         (JSC::ExecutableAllocator::isValidExecutableMemory):
2970         (JSC::ExecutableAllocator::getLock):
2971         (JSC::ExecutableAllocator::committedByteCount):
2972         * jsc.cpp:
2973         (GlobalObject::finishCreation):
2974         (functionCheckModuleSyntax):
2975         (functionPlatformSupportsSamplingProfiler):
2976         (functionStartSamplingProfiler):
2977         (functionSamplingProfilerStackTraces):
2978         * llint/LLIntPCRanges.h: Added.
2979         (JSC::LLInt::isLLIntPC):
2980         * offlineasm/asm.rb:
2981         * runtime/Executable.h:
2982         (JSC::ExecutableBase::isModuleProgramExecutable):
2983         (JSC::ExecutableBase::isExecutableType):
2984         (JSC::ExecutableBase::isHostFunction):
2985         * runtime/JSLock.cpp:
2986         (JSC::JSLock::didAcquireLock):
2987         (JSC::JSLock::unlock):
2988         * runtime/Options.h:
2989         * runtime/SamplingProfiler.cpp: Added.
2990         (JSC::reportStats):
2991         (JSC::FrameWalker::FrameWalker):
2992         (JSC::FrameWalker::walk):
2993         (JSC::FrameWalker::wasValidWalk):
2994         (JSC::FrameWalker::advanceToParentFrame):
2995         (JSC::FrameWalker::isAtTop):
2996         (JSC::FrameWalker::resetAtMachineFrame):
2997         (JSC::FrameWalker::isValidFramePointer):
2998         (JSC::FrameWalker::isValidCodeBlock):
2999         (JSC::SamplingProfiler::SamplingProfiler):
3000         (JSC::SamplingProfiler::~SamplingProfiler):
3001         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3002         (JSC::SamplingProfiler::visit):
3003         (JSC::SamplingProfiler::shutdown):
3004         (JSC::SamplingProfiler::start):
3005         (JSC::SamplingProfiler::stop):
3006         (JSC::SamplingProfiler::pause):
3007         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
3008         (JSC::SamplingProfiler::dispatchIfNecessary):
3009         (JSC::SamplingProfiler::dispatchFunction):
3010         (JSC::SamplingProfiler::noticeJSLockAcquisition):
3011         (JSC::SamplingProfiler::noticeVMEntry):
3012         (JSC::SamplingProfiler::clearData):
3013         (JSC::displayName):
3014         (JSC::SamplingProfiler::stacktracesAsJSON):
3015         (WTF::printInternal):
3016         * runtime/SamplingProfiler.h: Added.
3017         (JSC::SamplingProfiler::StackFrame::StackFrame):
3018         (JSC::SamplingProfiler::getLock):
3019         (JSC::SamplingProfiler::setTimingInterval):
3020         (JSC::SamplingProfiler::stackTraces):
3021         * runtime/VM.cpp:
3022         (JSC::VM::VM):
3023         (JSC::VM::~VM):
3024         (JSC::VM::setLastStackTop):
3025         (JSC::VM::createContextGroup):
3026         (JSC::VM::ensureWatchdog):
3027         (JSC::VM::ensureSamplingProfiler):
3028         (JSC::thunkGeneratorForIntrinsic):
3029         * runtime/VM.h:
3030         (JSC::VM::watchdog):
3031         (JSC::VM::samplingProfiler):
3032         (JSC::VM::isSafeToRecurse):
3033         (JSC::VM::lastStackTop):
3034         (JSC::VM::scratchBufferForSize):
3035         (JSC::VM::setLastStackTop): Deleted.
3036         * runtime/VMEntryScope.cpp:
3037         (JSC::VMEntryScope::VMEntryScope):
3038         * tests/stress/sampling-profiler: Added.
3039         * tests/stress/sampling-profiler-anonymous-function.js: Added.
3040         (platformSupportsSamplingProfiler.foo):
3041         (platformSupportsSamplingProfiler.baz):
3042         (platformSupportsSamplingProfiler):
3043         * tests/stress/sampling-profiler-basic.js: Added.
3044         (platformSupportsSamplingProfiler.bar):
3045         (platformSupportsSamplingProfiler.foo):
3046         (platformSupportsSamplingProfiler.nothing):
3047         (platformSupportsSamplingProfiler.top):
3048         (platformSupportsSamplingProfiler.jaz):
3049         (platformSupportsSamplingProfiler.kaz):
3050         (platformSupportsSamplingProfiler.checkInlining):
3051         (platformSupportsSamplingProfiler):
3052         * tests/stress/sampling-profiler-deep-stack.js: Added.
3053         (platformSupportsSamplingProfiler.foo):
3054         (platformSupportsSamplingProfiler.let.hellaDeep):
3055         (platformSupportsSamplingProfiler.let.start):
3056         (platformSupportsSamplingProfiler):
3057         * tests/stress/sampling-profiler-microtasks.js: Added.
3058         (platformSupportsSamplingProfiler.testResults):
3059         (platformSupportsSamplingProfiler):
3060         (platformSupportsSamplingProfiler.loop.jaz):
3061         (platformSupportsSamplingProfiler.loop):
3062         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
3063         (assert):
3064         (let.nodePrototype.makeChildIfNeeded):
3065         (makeNode):
3066         (updateCallingContextTree):
3067         (doesTreeHaveStackTrace):
3068         (makeTree):
3069         (runTest):
3070         (dumpTree):
3071         * yarr/YarrJIT.cpp:
3072         (JSC::Yarr::YarrGenerator::generateEnter):
3073         (JSC::Yarr::YarrGenerator::generateReturn):
3074         (JSC::Yarr::YarrGenerator::YarrGenerator):
3075         (JSC::Yarr::YarrGenerator::compile):
3076         (JSC::Yarr::jitCompile):
3077
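As an added illustration of the validated stack walk this entry describes (example code, not JSC's FrameWalker), the block below walks a frame-pointer chain over a constructed stack, checking each frame pointer against the thread's stack bounds, alignment and direction of travel, and each PC against a set of code ranges standing in for ExecutableAllocator::isValidExecutableMemory and LLInt::isLLIntPC, before dereferencing anything. The stack buffer, the two-word frame layout and the code ranges are assumptions made for the example.

```c
/* Added example, not JSC's FrameWalker: a frame-pointer walk that validates
 * every pointer before it dereferences it. The stack buffer, the two-word
 * frame layout and the code ranges below are all constructed for the
 * example; in JSC the corresponding checks are FrameWalker::isValidFramePointer,
 * ExecutableAllocator::isValidExecutableMemory and LLInt::isLLIntPC. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The stack grows down: limit is the lowest address, base one past the highest. */
typedef struct { uintptr_t limit, base; } StackBounds;

/* A [start, end) range of memory the profiler accepts as code. */
typedef struct { uintptr_t start, end; } CodeRange;

/* Assumed frame layout: the saved caller frame pointer, then the return PC. */
typedef struct { uintptr_t callerFrame, returnPC; } Frame;

enum { MAX_DEPTH = 64 };

typedef struct {
    size_t depth;              /* frames visited before the walk stopped */
    bool valid;                /* false if any pointer failed validation */
    uintptr_t pcs[MAX_DEPTH];  /* the PC attributed to each visited frame */
} WalkResult;

static bool isValidFramePointer(uintptr_t fp, uintptr_t previousFp, const StackBounds* bounds)
{
    if (fp % sizeof(uintptr_t))                  /* misaligned: cannot be a frame */
        return false;
    if (fp < bounds->limit || fp + sizeof(Frame) > bounds->base)
        return false;                            /* not inside this thread's stack */
    if (previousFp && fp <= previousFp)          /* must move toward the base: no cycles */
        return false;
    return true;
}

static bool isValidPC(uintptr_t pc, const CodeRange* ranges, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (pc >= ranges[i].start && pc < ranges[i].end)
            return true;
    return false;
}

/* Walks from (fp, pc) outward. Stops at a zero caller frame (the entry frame)
 * or at the first frame pointer or PC that fails validation. */
WalkResult walkFrames(uintptr_t fp, uintptr_t pc, const StackBounds* bounds,
                      const CodeRange* ranges, size_t rangeCount)
{
    WalkResult r;
    memset(&r, 0, sizeof r);
    r.valid = true;
    uintptr_t previous = 0;
    while (fp) {
        if (r.depth == MAX_DEPTH                 /* a runaway chain is treated as corrupt */
            || !isValidFramePointer(fp, previous, bounds)
            || !isValidPC(pc, ranges, rangeCount)) {
            r.valid = false;
            break;
        }
        const Frame* frame = (const Frame*)fp;   /* safe: fp was validated above */
        r.pcs[r.depth++] = pc;
        previous = fp;
        fp = frame->callerFrame;
        pc = frame->returnPC;
    }
    return r;
}

/* Builds a three-frame stack in a local buffer (constructed sample) and walks it.
 * corruption 0: intact; 1: the middle frame's saved fp points at itself (a cycle);
 * 2: a return PC outside every code range. Returns the depth, or -1 if rejected. */
int demoWalk(int corruption)
{
    static uintptr_t stack[32];                  /* static: stable addresses */
    StackBounds bounds = { (uintptr_t)&stack[0], (uintptr_t)&stack[32] };
    CodeRange ranges[2] = { { 0x1000, 0x2000 },  /* stands in for JIT'd code */
                            { 0x5000, 0x6000 } };/* stands in for LLInt code */
    Frame* f0 = (Frame*)&stack[2];               /* innermost frame */
    Frame* f1 = (Frame*)&stack[8];
    Frame* f2 = (Frame*)&stack[16];              /* outermost JS frame */
    f2->callerFrame = 0;              f2->returnPC = 0x9999; /* returns to host code; never checked */
    f1->callerFrame = (uintptr_t)f2;  f1->returnPC = 0x5010;
    f0->callerFrame = (uintptr_t)f1;  f0->returnPC = 0x1234;
    if (corruption == 1)
        f1->callerFrame = (uintptr_t)f1;
    else if (corruption == 2)
        f0->returnPC = 0x3000;
    WalkResult r = walkFrames((uintptr_t)f0, 0x1800, &bounds, ranges, 2);
    return r.valid ? (int)r.depth : -1;
}

int main(void)
{
    printf("intact: %d  cycle: %d  bad pc: %d\n", demoWalk(0), demoWalk(1), demoWalk(2));
    return 0;
}
```
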
3078 2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3079
3080         [JSC] Iterating over a Set/Map is too slow
3081         https://bugs.webkit.org/show_bug.cgi?id=152691
3082
3083         Reviewed by Saam Barati.
3084
3085         Set#forEach and Set & for-of are very slow. There are 2 reasons.
3086
3087         1. forEach is implemented in C++. And typically, it takes a JS callback and calls it from C++.
3088
3089         The C++ to JS transition seems costly. The perf result on a Linux machine shows this.
3090
3091             Samples: 23K of event 'cycles', Event count (approx.): 21446074385
3092             34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
3093             20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
3094              9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
3095              7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
3096              5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f
3097
3098         Writing forEach in JS eliminates this.
3099
3100             Samples: 23K of event 'cycles', Event count (approx.): 21255691651
3101             62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
3102             24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
3103              0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
3104              0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
3105              0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
3106              0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
3107              0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)
3108
3109         2. Iterator result object allocation is costly.
3110
3111         Iterator result object allocation is costly. Even if (1) is solved, when executing Set & for-of, the perf result shows very slow performance due to (2).
3112
3113             Samples: 108K of event 'cycles', Event count (approx.): 95529273748
3114             18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
3115             15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
3116             14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
3117             13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
3118              6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const
3119
3120         In the long term, we should implement SetIterator#next in JS and have the iterator result object allocation written in JS to encourage object allocation elimination in the FTL.
3121         But seeing the perf result, we can find an easy-to-fix bottleneck in the current implementation.
3122         Every time, createIteratorResultObject creates an empty object and uses putDirect to store the properties.
3123         The pre-baked Structure* with `done` and `value` properties makes this implementation fast.
3124
3125         After these improvements, the micro benchmark[1] shows the following.
3126
3127         old:
3128             Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
3129             Array x 376,156 ops/sec ±0.20% (162 runs sampled)
3130             Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
3131             Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
3132             Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
3133             Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)
3134
3135         new:
3136             Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
3137             Array x 371,347 ops/sec ±0.36% (162 runs sampled)
3138             Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
3139             Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
3140             Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
3141             Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)
3142
3143         Set#forEach becomes comparable to Array#forEach. And Set#forEach and Set & for-of are improved (1.79x and 2.57x).
3144         After these optimizations, they are still much slower than the linked list and the array.
3145         This should be optimized in the long term.
3146
3147         [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0
3148
3149         * CMakeLists.txt:
3150         * DerivedSources.make:
3151         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3152         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3153         * JavaScriptCore.xcodeproj/project.pbxproj:
3154         * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
3155         (forEach):
3156         * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
3157         (forEach):
3158         * runtime/CommonIdentifiers.h:
3159         * runtime/IteratorOperations.cpp:
3160         (JSC::createIteratorResultObjectStructure):
3161         (JSC::createIteratorResultObject):
3162         * runtime/IteratorOperations.h:
3163         * runtime/JSGlobalObject.cpp:
3164         (JSC::JSGlobalObject::init):
3165         (JSC::JSGlobalObject::visitChildren):
3166         * runtime/JSGlobalObject.h:
3167         (JSC::JSGlobalObject::iteratorResultObjectStructure):
3168         (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
3169         (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
3170         * runtime/MapPrototype.cpp:
3171         (JSC::MapPrototype::getOwnPropertySlot):
3172         (JSC::privateFuncIsMap):
3173         (JSC::privateFuncMapIterator):
3174         (JSC::privateFuncMapIteratorNext):
3175         (JSC::MapPrototype::finishCreation): Deleted.
3176         (JSC::mapProtoFuncForEach): Deleted.
3177         * runtime/MapPrototype.h:
3178         * runtime/SetPrototype.cpp:
3179         (JSC::SetPrototype::getOwnPropertySlot):
3180         (JSC::privateFuncIsSet):
3181         (JSC::privateFuncSetIterator):
3182         (JSC::privateFuncSetIteratorNext):
3183         (JSC::SetPrototype::finishCreation): Deleted.
3184         (JSC::setProtoFuncForEach): Deleted.
3185         * runtime/SetPrototype.h:
3186
3187 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
3188
3189         Unreviewed, fix ARM64 build.
3190
3191         * b3/air/AirOpcode.opcodes:
3192
3193 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
3194
3195         B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
3196         https://bugs.webkit.org/show_bug.cgi?id=152955
3197
3198         Reviewed by Saam Barati.
3199
3200         This happens when we box an int32 and then immediately unbox it.
3201
3202         This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
3203         benchmark. It's neutral elsewhere.
3204
3205         * b3/B3ReduceStrength.cpp:
3206         * b3/testb3.cpp:
3207         (JSC::B3::testPowDoubleByIntegerLoop):
3208         (JSC::B3::testTruncOrHigh):
3209         (JSC::B3::testTruncOrLow):
3210         (JSC::B3::testBitAndOrHigh):
3211         (JSC::B3::testBitAndOrLow):
3212         (JSC::B3::zero):
3213         (JSC::B3::run):
3214
3215 2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
3216
3217         [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
3218         https://bugs.webkit.org/show_bug.cgi?id=149855
3219
3220         Reviewed by Saam Barati.
3221
3222         JSArrowFunction.h/cpp were removed from JavaScriptCore, because a new approach is now used for storing
3223         'this', 'arguments' and 'super'.
3224
3225         * CMakeLists.txt:
3226         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3227         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3228         * JavaScriptCore.xcodeproj/project.pbxproj:
3229         * dfg/DFGAbstractInterpreterInlines.h:
3230         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3231         * dfg/DFGSpeculativeJIT.cpp:
3232         (JSC::DFG::SpeculativeJIT::compileNewFunction):
3233         * dfg/DFGStructureRegistrationPhase.cpp:
3234         (JSC::DFG::StructureRegistrationPhase::run):
3235         * ftl/FTLAbstractHeapRepository.cpp:
3236         * ftl/FTLAbstractHeapRepository.h:
3237         * ftl/FTLLowerDFGToLLVM.cpp:
3238         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
3239         * interpreter/Interpreter.cpp:
3240         * interpreter/Interpreter.h:
3241         * jit/JITOpcodes.cpp:
3242         * jit/JITOpcodes32_64.cpp:
3243         * jit/JITOperations.cpp:
3244         * jit/JITOperations.h:
3245         * llint/LLIntOffsetsExtractor.cpp:
3246         * llint/LLIntSlowPaths.cpp:
3247         * runtime/JSArrowFunction.cpp: Removed.
3248         * runtime/JSArrowFunction.h: Removed.
3249         * runtime/JSGlobalObject.cpp:
3250         * runtime/JSGlobalObject.h:
3251
3252 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
3253
3254         It should be possible to run liveness over registers without also tracking Tmps
3255         https://bugs.webkit.org/show_bug.cgi?id=152963
3256
3257         Reviewed by Saam Barati.
3258
3259         This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
3260         easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
3261         code like that for handling cold function calls. It also makes code like that somewhat more
3262         scalable, since we're no longer using HashSets.
3263
3264         Currently, the way we track sets of registers is with a BitVector. Normally, we use the
3265         RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
3266         the liveness analysis, everything gets turned into an index. So, we want to use BitVector
3267         directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
3268         think that this is good, because the lack of set methods (add/remove/contains) has caused
3269         bugs in the past. This makes BitVector have methods both for set operations on bits and array
3270         operations on bits. I think that's good, since BitVector gets used in both contexts.
3271
3272         * b3/B3IndexSet.h:
3273         (JSC::B3::IndexSet::Iterable::iterator::iterator):
3274         (JSC::B3::IndexSet::Iterable::begin):
3275         (JSC::B3::IndexSet::dump):
3276         * b3/air/AirInstInlines.h:
3277         (JSC::B3::Air::ForEach<Tmp>::forEach):
3278         (JSC::B3::Air::ForEach<Arg>::forEach):
3279         (JSC::B3::Air::ForEach<Reg>::forEach):
3280         (JSC::B3::Air::Inst::forEach):
3281         * b3/air/AirLiveness.h:
3282         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
3283         (JSC::B3::Air::RegLivenessAdapter::maxIndex):
3284         (JSC::B3::Air::RegLivenessAdapter::acceptsType):
3285         (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
3286         (JSC::B3::Air::RegLivenessAdapter::indexToValue):
3287         * b3/air/AirReportUsedRegisters.cpp:
3288         (JSC::B3::Air::reportUsedRegisters):
3289         * jit/Reg.h:
3290         (JSC::Reg::next):
3291         (JSC::Reg::index):
3292         (JSC::Reg::maxIndex):
3293         (JSC::Reg::isSet):
3294         (JSC::Reg::operator bool):
3295         * jit/RegisterSet.h:
3296         (JSC::RegisterSet::forEach):
3297
3298 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
3299
3300         [JSC] Make branchMul functional in ARM B3 and minor fixes
3301         https://bugs.webkit.org/show_bug.cgi?id=152889
3302
3303         Reviewed by Mark Lam.
3304
3305         ARM64 does not have an "S" version of MUL setting the flags.
3306         What we do is abstract that in the MacroAssembler. The problem
3307         is that form requires scratch registers.
3308
3309         For simplicity, I just exposed the two scratch registers
3310         for Air. Filip already added the concept of Scratch role,
3311         all I needed was to expose it for opcodes.
3312
3313         * assembler/MacroAssemblerARM64.h:
3314         (JSC::MacroAssemblerARM64::branchMul32):
3315         (JSC::MacroAssemblerARM64::branchMul64):
3316         Expose a version with the scratch registers as arguments.
3317
3318         * b3/B3LowerToAir.cpp:
3319         (JSC::B3::Air::LowerToAir::lower):
3320         Add the new form of CheckMul lowering.
3321
3322         * b3/air/AirOpcode.opcodes:
3323         Expose the new BranchMuls.
3324         Remove all the Test variants that use immediates
3325         since Air can't handle those immediates correctly yet.
3326
3327         * b3/air/opcode_generator.rb:
3328         Expose the Scratch role.
3329
3330         * b3/testb3.cpp:
3331         (JSC::B3::testPatchpointLotsOfLateAnys):
3332         Oops, the scratch registers were not clobbered. We were just lucky
3333         on x86.
3334
3335 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
3336
3337         [JSC] B3 is unable to do function calls on ARM64
3338         https://bugs.webkit.org/show_bug.cgi?id=152895
3339
3340         Reviewed by Mark Lam.
3341
3342         Apparently iOS does not follow the ARM64 ABI for function calls.
3343         Instead of giving each value an 8-byte slot, it must be packed
3344         while preserving alignment.
3345
3346         This patch adds a #ifdef to make function calls functional.
3347
3348         * b3/B3LowerToAir.cpp:
3349         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
3350         (JSC::B3::Air::LowerToAir::lower):
3351
3352 2016-01-09  Filip Pizlo  <fpizlo@apple.com>
3353
3354         Air should support Branch64 with immediates
3355         https://bugs.webkit.org/show_bug.cgi?id=152951
3356
3357         Reviewed by Oliver Hunt.
3358
3359         This doesn't significantly improve performance on any benchmarks, but it's great to get this
3360         obvious omission out of the way.
3361
3362         * assembler/MacroAssemblerX86_64.h:
3363         (JSC::MacroAssemblerX86_64::branch64):
3364         * b3/air/AirOpcode.opcodes:
3365         * b3/testb3.cpp:
3366         (JSC::B3::testPowDoubleByIntegerLoop):
3367         (JSC::B3::testBranch64Equal):
3368         (JSC::B3::testBranch64EqualImm):
3369         (JSC::B3::testBranch64EqualMem):
3370         (JSC::B3::testBranch64EqualMemImm):
3371         (JSC::B3::zero):
3372         (JSC::B3::run):
3373
3374 2016-01-09  Dan Bernstein  <mitz@apple.com>
3375
3376         [Cocoa] Allow overriding the frameworks directory independently of using a staging install path
3377         https://bugs.webkit.org/show_bug.cgi?id=152926
3378
3379         Reviewed by Tim Horton.
3380
3381         Introduce a new build setting, WK_OVERRIDE_FRAMEWORKS_DIR. When not empty, it determines
3382         where the frameworks are installed. Setting USE_STAGING_INSTALL_PATH to YES sets
3383         WK_OVERRIDE_FRAMEWORKS_DIR to $(SYSTEM_LIBRARY_DIR)/StagedFrameworks/Safari.
3384
3385         Account for the possibility of WK_OVERRIDE_FRAMEWORKS_DIR containing spaces.
3386
3387         * Configurations/Base.xcconfig:
3388         - Replace STAGED_FRAMEWORKS_SEARCH_PATH in FRAMEWORK_SEARCH_PATHS with
3389           WK_OVERRIDE_FRAMEWORKS_DIR and add quotes to account for spaces.
3390         - Define JAVASCRIPTCORE_FRAMEWORKS_DIR based on WK_OVERRIDE_FRAMEWORKS_DIR.
3391         * Configurations/JSC.xcconfig:
3392           Add quotes to account for spaces.
3393         * Configurations/ToolExecutable.xcconfig:
3394           Ditto.
3395         * postprocess-headers.sh:
3396           Ditto.
3397
3398 2016-01-09  Mark Lam  <mark.lam@apple.com>
3399
3400         The FTL allocated spill slots for BinaryOps is sometimes inaccurate.
3401         https://bugs.webkit.org/show_bug.cgi?id=152918
3402
3403         Reviewed by Filip Pizlo and Saam Barati.
3404
3405         * ftl/FTLCompile.cpp:
3406         - Updated a comment.
3407         * ftl/FTLLowerDFGToLLVM.cpp:
3408         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3409         - The code to compute maxNumberOfCatchSpills was unnecessarily allocating an
3410           extra slot for BinaryOps that don't have Untyped operands, and failing to
3411           allocate that extra slot for some binary ops.  This is now fixed.
3412
3413         * tests/stress/ftl-shr-exception.js:
3414         * tests/stress/ftl-xor-exception.js:
3415         - Un-skipped these tests.  They now pass with this patch.
3416
3417 2016-01-09  Andreas Kling  <akling@apple.com>
3418
3419         Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
3420         <https://webkit.org/b/152902>
3421
3422         Reviewed by Anders Carlsson.
3423
3424         Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.
3425
3426         * API/JSAPIWrapperObject.mm:
3427         (jsAPIWrapperObjectHandleOwner):
3428         * API/JSManagedValue.mm:
3429         (managedValueHandleOwner):
3430         * inspector/agents/InspectorDebuggerAgent.cpp:
3431         (Inspector::objectGroupForBreakpointAction):
3432         * jit/ExecutableAllocator.cpp:
3433         (JSC::DemandExecutableAllocator::allocators):
3434
3435 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3436
3437         FTL B3 should do varargs tail calls and stack overflows
3438         https://bugs.webkit.org/show_bug.cgi?id=152934
3439
3440         Reviewed by Saam Barati.
3441
3442         I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
3443         at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
3444         why I have two fixes in one change. Now the test passes.
3445
3446         This reduces the number of failures from 13 to 0.
3447
3448         * ftl/FTLLowerDFGToLLVM.cpp:
3449         (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
3450         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
3451         append an Oops (i.e. "unreachable").
3452
3453 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3454
3455         B3 needs Neg()
3456         https://bugs.webkit.org/show_bug.cgi?id=152925
3457
3458         Reviewed by Mark Lam.
3459
3460         Previously we said that negation should be represented as Sub(0, x). That's wrong, since
3461         for floats, Sub(0, 0) == 0 while Neg(0) == -0.
3462
3463         One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
3464         should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
3465         to use bitops to represent floating point operations. Whatever cuteness this would have
3466         bought us would be outweighed by the annoyance of having to write code that matches
3467         Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
3468         would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
3469         Also, I suspect that the omission of Neg would cause others to make the mistake of using
3470         Sub to represent floating point negation.
3471
3472         So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
3473         negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
3474         floats, we lower it to BitXor(x, -0) on x86.
3475
3476         This reduces the number of failures from 13 to 12.
3477
3478         * assembler/MacroAssemblerX86Common.h:
3479         (JSC::MacroAssemblerX86Common::andFloat):
3480         (JSC::MacroAssemblerX86Common::xorDouble):
3481         (JSC::MacroAssemblerX86Common::xorFloat):
3482         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
3483         * b3/B3LowerMacrosAfterOptimizations.cpp:
3484         * b3/B3LowerToAir.cpp:
3485         (JSC::B3::Air::LowerToAir::lower):
3486         * b3/B3Opcode.cpp:
3487         (WTF::printInternal):
3488         * b3/B3Opcode.h:
3489         * b3/B3ReduceStrength.cpp:
3490         * b3/B3Validate.cpp:
3491         * b3/B3Value.cpp:
3492         (JSC::B3::Value::effects):
3493         (JSC::B3::Value::key):
3494         (JSC::B3::Value::typeFor):
3495         * b3/air/AirOpcode.opcodes:
3496         * ftl/FTLB3Output.cpp:
3497         (JSC::FTL::Output::lockedStackSlot):
3498         (JSC::FTL::Output::neg):
3499         (JSC::FTL::Output::bitNot):
3500         * ftl/FTLB3Output.h:
3501         (JSC::FTL::Output::chillDiv):
3502         (JSC::FTL::Output::mod):
3503         (JSC::FTL::Output::chillMod):
3504         (JSC::FTL::Output::doubleAdd):
3505         (JSC::FTL::Output::doubleSub):
3506         (JSC::FTL::Output::doubleMul):
3507         (JSC::FTL::Output::doubleDiv):
3508         (JSC::FTL::Output::doubleMod):
3509         (JSC::FTL::Output::doubleNeg):
3510         (JSC::FTL::Output::bitAnd):
3511         (JSC::FTL::Output::bitOr):
3512         (JSC::FTL::Output::neg): Deleted.
3513         * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
3514         it's such a glaring bug, I thought having a test for it specifically would be good.
3515
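The signed-zero point in the Neg() entry above, as an added example that is not JavaScriptCore code: Sub(0, x) and a sign-bit flip (the BitXor(x, -0) lowering the entry describes for x86) agree for every double except +0.0, where Sub(0, 0) gives +0 and Neg(0) gives -0. The function names below are this example's own; the observable difference is the sign of 1/x, which is what a test like ftl-negate-zero.js would check.

```cpp
// Added example, not JSC source: why floating-point negation cannot be modelled
// as Sub(0, x), and why XOR-ing the sign bit (the bit pattern of -0.0) is a
// correct lowering of Neg(x). All function names here are this example's own.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Sub(0, x): the representation the entry says B3 used before Neg() existed.
double subFromZero(double x) { return 0.0 - x; }

// Neg(x) lowered as BitXor(x, -0.0): flip only the sign bit.
double negViaXor(double x) {
    uint64_t bits, signBit;
    double negZero = -0.0;
    std::memcpy(&bits, &x, sizeof bits);
    std::memcpy(&signBit, &negZero, sizeof signBit);  // 0x8000000000000000
    bits ^= signBit;
    double result;
    std::memcpy(&result, &bits, sizeof result);
    return result;
}

// Compare bit patterns, because -0.0 == 0.0 is true under operator==.
bool sameBits(double a, double b) {
    uint64_t ba, bb;
    std::memcpy(&ba, &a, sizeof ba);
    std::memcpy(&bb, &b, sizeof bb);
    return ba == bb;
}

// Count the constructed sample inputs for which Sub(0, x) and Neg(x) differ.
// Only +0.0 does; NaN is left out because IEEE 754 does not specify the sign
// of 0 - NaN.
int mismatchCount() {
    const double samples[] = { 0.0, -0.0, 1.5, -1.5, 1e300, -1e-300, INFINITY, -INFINITY };
    int count = 0;
    for (double x : samples) {
        if (!sameBits(subFromZero(x), negViaXor(x)))
            ++count;
    }
    return count;
}

// Integer negation has no such problem: in two's complement Sub(0, x) and
// Neg(x) coincide for every value, including INT32_MIN (wraparound), so
// canonicalizing Sub(0, x) to Neg(x) for ints is purely a representational
// choice. Unsigned arithmetic avoids signed-overflow UB in C++.
int32_t intNeg(int32_t x) {
    return static_cast<int32_t>(0u - static_cast<uint32_t>(x));
}

int main() {
    std::printf("1/Sub(0,0) = %g, 1/Neg(0) = %g\n",
                1.0 / subFromZero(0.0), 1.0 / negViaXor(0.0));
    std::printf("samples where Sub(0,x) != Neg(x): %d\n", mismatchCount());
    return 0;
}
```

Neg(Neg(x)) => x holds for the XOR lowering by construction (the sign bit is flipped twice), which is the strength reduction the entry mentions; with Sub(0, Sub(0, x)) the rewrite would silently lose the -0 case.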
3516 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3517
3518         FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
3519         https://bugs.webkit.org/show_bug.cgi?id=152922
3520
3521         Reviewed by Saam Barati.
3522
3523         FTL B3 was generating a handler table that first contained the old baseline handlers keyed
3524         by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
3525         wrong, since the FTL code block should not contain any baseline handlers. The fix is to
3526         clear the handlers before generation, sort of like FTL LLVM does.
3527
3528         Also added some stuff to make it easier to inspect the handler table.
3529
3530         This reduces the number of failures from 25 to 13.
3531
3532         * bytecode/CodeBlock.cpp:
3533         (JSC::CodeBlock::dumpBytecode):
3534         (JSC::CodeBlock::dumpExceptionHandlers):
3535         (JSC::CodeBlock::beginDumpProfiling):
3536         * bytecode/CodeBlock.h:
3537         * ftl/FTLB3Compile.cpp:
3538         (JSC::FTL::compile):
3539
3540 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3541
3542         B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
3543         https://bugs.webkit.org/show_bug.cgi?id=152916
3544
3545         Reviewed by Mark Lam.
3546
3547         This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!
3548
3549         This reduces the number of failures from 27 to 25.
3550
3551         * b3/B3ReduceStrength.cpp:
3552
3553 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3554
3555         FTL B3 allocateCell() should not crash
3556         https://bugs.webkit.org/show_bug.cgi?id=152909
3557
3558         Reviewed by Mark Lam.
3559
3560         This code was crashing in some tests that forced GC slow paths because it was stubbed out
3561         due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
3562         undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
3563         any LLVM optimizations by using undef.
3564
3565         This reduces the number of failures from 35 to 27.
3566
3567         * ftl/FTLLowerDFGToLLVM.cpp:
3568         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
3569
3570 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
3571
3572         FTL B3 fails to realize that binary snippets might choose to omit their fast path
3573         https://bugs.webkit.org/show_bug.cgi?id=152901
3574
3575         Reviewed by Mark Lam.
3576
3577         This reduces the number of failures from 99 to 35.
3578
3579         * ftl/FTLLowerDFGToLLVM.cpp:
3580         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
3581
3582 2016-01-08  Saam barati  <sbarati@apple.com>
3583
3584         restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register
3585         https://bugs.webkit.org/show_bug.cgi?id=152879
3586
3587         Reviewed by Filip Pizlo.
3588
3589         We were clobbering a register we needed when picking
3590         a scratch register inside an FTL OSR Exit.
3591
3592         * dfg/DFGThunks.cpp:
3593         (JSC::DFG::osrEntryThunkGenerator):
3594         * jit/AssemblyHelpers.cpp:
3595         (JSC::AssemblyHelpers::emitRandomThunk):
3596         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
3597         * jit/AssemblyHelpers.h:
3598         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
3599         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
3600         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
3601         (foo):
3602
3603 2016-01-08  Mark Lam  <mark.lam@apple.com>
3604
3605         Rolling out: Rename StringFromCharCode to StringFromSingleCharCode.
3606         https://bugs.webkit.org/show_bug.cgi?id=152897
3607
3608         Not reviewed.
3609
3610         * dfg/DFGAbstractInterpreterInlines.h:
3611         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3612         * dfg/DFGByteCodeParser.cpp:
3613         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3614         * dfg/DFGClobberize.h:
3615         (JSC::DFG::clobberize):
3616         * dfg/DFGDoesGC.cpp:
3617         (JSC::DFG::doesGC):
3618         * dfg/DFGFixupPhase.cpp:
3619         (JSC::DFG::FixupPhase::fixupNode):
3620         * dfg/DFGNodeType.h:
3621         * dfg/DFGOperations.cpp:
3622         * dfg/DFGOperations.h:
3623         * dfg/DFGPredictionPropagationPhase.cpp:
3624         (JSC::DFG::PredictionPropagationPhase::propagate):
3625         * dfg/DFGSafeToExecute.h:
3626         (JSC::DFG::safeToExecute):
3627         * dfg/DFGSpeculativeJIT.cpp:
3628         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
3629         * dfg/DFGSpeculativeJIT32_64.cpp:
3630         (JSC::DFG::SpeculativeJIT::compile):
3631         * dfg/DFGSpeculativeJIT64.cpp:
3632         (JSC::DFG::SpeculativeJIT::compile):
3633         * runtime/StringConstructor.cpp:
3634         (JSC::stringFromCharCode):
3635         (JSC::stringFromSingleCharCode): Deleted.
3636         * runtime/StringConstructor.h:
3637
3638 2016-01-08  Per Arne Vollan  <peavo@outlook.com>
3639
3640         [JSC] Use std::call_once instead of pthread_once when initializing LLVM.
3641         https://bugs.webkit.org/show_bug.cgi?id=152893
3642
3643         Reviewed by Mark Lam.
3644
3645         Use std::call_once since pthreads is not present on all platforms.
3646
3647         * llvm/InitializeLLVM.cpp:
3648         (JSC::initializeLLVMImpl):
3649         (JSC::initializeLLVM):
3650
3651 2016-01-08  Mark Lam  <mark.lam@apple.com>
3652
3653         Rename StringFromCharCode to StringFromSingleCharCode.
3654         https://bugs.webkit.org/show_bug.cgi?id=152897
3655
3656         Reviewed by Daniel Bates.
3657
3658         StringFromSingleCharCode is a better name because the intrinsic it represents
3659         only applies when we are converting from a single char code.  This is purely
3660         a refactoring patch.  There is no semantic change.
3661
3662         * dfg/DFGAbstractInterpreterInlines.h:
3663         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3664         * dfg/DFGByteCodeParser.cpp:
3665         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3666         * dfg/DFGClobberize.h:
3667         (JSC::DFG::clobberize):
3668         * dfg/DFGDoesGC.cpp:
3669         (JSC::DFG::doesGC):
3670         * dfg/DFGFixupPhase.cpp:
3671         (JSC::DFG::FixupPhase::fixupNode):
3672         * dfg/DFGNodeType.h:
3673         * dfg/DFGOperations.cpp:
3674         * dfg/DFGOperations.h:
3675         * dfg/DFGPredictionPropagationPhase.cpp:
3676         (JSC::DFG::PredictionPropagationPhase::propagate):
3677         * dfg/DFGSafeToExecute.h:
3678         (JSC::DFG::safeToExecute):
3679         * dfg/DFGSpeculativeJIT.cpp:
3680         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
3681         * dfg/DFGSpeculativeJIT32_64.cpp:
3682         (JSC::DFG::SpeculativeJIT::compile):
3683         * dfg/DFGSpeculativeJIT64.cpp:
3684         (JSC::DFG::SpeculativeJIT::compile):
3685         * runtime/StringConstructor.cpp:
3686         (JSC::stringFromCharCode):
3687         (JSC::stringFromSingleCharCode):
3688         * runtime/StringConstructor.h:
3689
3690 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
3691
3692         [mips] Fixed unused parameter warnings
3693         https://bugs.webkit.org/show_bug.cgi?id=152885
3694
3695         Reviewed by Mark Lam.
3696
3697         * jit/CCallHelpers.h:
3698         (JSC::CCallHelpers::setupArgumentsWithExecState):
3699
3700 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
3701
3702         [mips] Max value of immediate arg of logical ops is 0xffff
3703         https://bugs.webkit.org/show_bug.cgi?id=152884
3704
3705         Reviewed by Michael Saboff.
3706
3707         Replaced imm.m_value < 65535 checks with imm.m_value <= 65535
3708
3709         * assembler/MacroAssemblerMIPS.h:
3710         (JSC::MacroAssemblerMIPS::and32):
3711         (JSC::MacroAssemblerMIPS::or32):
3712
3713 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
3714
3715         [mips] Add new or32 implementation after r194613
3716         https://bugs.webkit.org/show_bug.cgi?id=152865
3717
3718         Reviewed by Michael Saboff.
3719
3720         * assembler/MacroAssemblerMIPS.h:
3721         (JSC::MacroAssemblerMIPS::or32):
3722
3723 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3724
3725         FTL B3 lazy slow paths should do exceptions
3726         https://bugs.webkit.org/show_bug.cgi?id=152853
3727
3728         Reviewed by Saam Barati.
3729
3730         This reduces the number of JSC test failures to 97.
3731
3732         * ftl/FTLLowerDFGToLLVM.cpp:
3733         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3734         * tests/stress/ftl-new-negative-array-size.js: Added.
3735         (foo):
3736
3737 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3738
3739         Unreviewed, skip more tests that fail.
3740
3741         * tests/stress/ftl-shr-exception.js:
3742         (foo):
3743         * tests/stress/ftl-xor-exception.js:
3744         (foo):
3745
3746 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3747
3748         FTL B3 binary snippets should do exceptions
3749         https://bugs.webkit.org/show_bug.cgi?id=152852
3750
3751         Reviewed by Saam Barati.
3752
3753         This reduces the number of JSC test failures to 110.
3754
3755         * ftl/FTLLowerDFGToLLVM.cpp:
3756         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
3757         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
3758         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
3759         * tests/stress/ftl-shr-exception.js: Added.
3760         (foo):
3761         (result.foo.valueOf):
3762         * tests/stress/ftl-sub-exception.js: Added.
3763         (foo):
3764         (result.foo.valueOf):
3765         * tests/stress/ftl-xor-exception.js: Added.
3766         (foo):
3767         (result.foo.valueOf):
3768
3769 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3770
3771         Unreviewed, skipping this test. Looks like LLVM can't handle this one, either.
3772
3773         * tests/stress/ftl-call-varargs-bad-args-exception-interesting-live-state.js:
3774         (foo):
3775
3776 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3777
3778         Unreviewed, skipping this test. Looks like LLVM can't handle it.
3779
3780         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
3781         (foo):
3782
3783 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3784
3785         FTL B3 JS calls should do exceptions
3786         https://bugs.webkit.org/show_bug.cgi?id=152851
3787
3788         Reviewed by Geoffrey Garen.
3789
3790         This reduces the number of JSC test failures with FTL B3 to 111.
3791
3792         * dfg/DFGSpeculativeJIT64.cpp:
3793         (JSC::DFG::SpeculativeJIT::emitCall):
3794         * ftl/FTLLowerDFGToLLVM.cpp:
3795         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
3796         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
3797         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
3798         * tests/stress/ftl-call-bad-args-exception-interesting-live-state.js: Added.
3799         * tests/stress/ftl-call-bad-callee-exception-interesting-live-state.js: Added.
3800         * tests/stress/ftl-call-exception-interesting-live-state.js: Added.
3801         * tests/stress/ftl-call-exception-no-catch.js: Added.
3802         * tests/stress/ftl-call-exception.js: Added.
3803         * tests/stress/ftl-call-varargs-bad-callee-exception-interesting-live-state.js: Added.
3804         * tests/stress/ftl-call-varargs-exception-interesting-live-state.js: Added.
3805         * tests/stress/ftl-call-varargs-exception-no-catch.js: Added.
3806         * tests/stress/ftl-call-varargs-exception.js: Added.
3807
3808 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3809
3810         FTL B3 PutById should do exceptions
3811         https://bugs.webkit.org/show_bug.cgi?id=152850
3812
3813         Reviewed by Saam Barati.
3814
3815         Implemented PutById exception handling by following the idiom used in GetById. Reduces the
3816         number of JSC test failures to 128.
3817
3818         * ftl/FTLLowerDFGToLLVM.cpp:
3819         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
3820         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js: Added.
3821         * tests/stress/ftl-put-by-id-setter-exception-no-catch.js: Added.
3822         * tests/stress/ftl-put-by-id-setter-exception.js: Added.
3823         * tests/stress/ftl-put-by-id-slow-exception-interesting-live-state.js: Added.
3824         * tests/stress/ftl-put-by-id-slow-exception-no-catch.js: Added.
3825         * tests/stress/ftl-put-by-id-slow-exception.js: Added.
3826
3827 2016-01-07  Commit Queue  <commit-queue@webkit.org>
3828
3829         Unreviewed, rolling out r194714.
3830         https://bugs.webkit.org/show_bug.cgi?id=152864
3831
3832         it broke many JSC tests when FTL B3 is enabled (Requested by
3833         pizlo on #webkit).
3834
3835         Reverted changeset:
3836
3837         "[JSC] When resolving Stack arguments, use addressing from SP
3838         when addressing from FP is invalid"
3839         https://bugs.webkit.org/show_bug.cgi?id=152840
3840         http://trac.webkit.org/changeset/194714
3841
3842 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3843
3844         [mips] Lower immediates of logical operations.
3845         https://bugs.webkit.org/show_bug.cgi?id=152693
3846
3847         On MIPS immediate operands of andi, ori, and xori are required to be 16-bit
3848         non-negative numbers.
3849
3850         Reviewed by Michael Saboff.
3851
3852         * offlineasm/mips.rb:
3853
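The immediate-range rule behind the two [mips] entries above ("Max value of immediate arg of logical ops is 0xffff" and "Lower immediates of logical operations"), as an added example that is not JavaScriptCore code: andi/ori/xori carry a 16-bit zero-extended immediate, so the encodable range is 0..0xffff inclusive, and the pre-fix `< 65535` check rejected 0xffff itself. The predicate and lowering names below are this example's own model of the assembler's decision, not the MacroAssemblerMIPS API.

```cpp
// Added example, not JSC source: encodability check and lowering decision for
// a MIPS logical immediate. Names are this example's own.
#include <cstdint>
#include <cstdio>

// andi/ori/xori take a 16-bit immediate, zero-extended to 32 bits.
constexpr int32_t kMaxLogicalImm = 0xffff;

// Pre-fix predicate: `< 65535` wrongly rejects 0xffff.
bool fitsLogicalImmBeforeFix(int32_t imm) { return imm >= 0 && imm < 65535; }

// Corrected predicate (`<= 65535`); immediates must also be non-negative,
// since the field is zero-extended.
bool fitsLogicalImm(int32_t imm) { return imm >= 0 && imm <= kMaxLogicalImm; }

// What the hardware computes from the 16 bits actually encoded.
uint32_t hwAndi(uint32_t rs, uint16_t imm16) { return rs & static_cast<uint32_t>(imm16); }
uint32_t hwAnd(uint32_t rs, uint32_t rt) { return rs & rt; }

struct Lowered {
    bool usedImmediateForm;  // true: andi rd, rs, imm; false: li scratch, imm; and rd, rs, scratch
    uint32_t result;
};

// Model of an and32(imm, reg) lowering: use the immediate form when the
// value fits, otherwise materialize the full 32-bit value in a scratch register.
Lowered lowerAnd32(uint32_t rs, int32_t imm) {
    if (fitsLogicalImm(imm))
        return { true, hwAndi(rs, static_cast<uint16_t>(imm)) };
    return { false, hwAnd(rs, static_cast<uint32_t>(imm)) };
}

// Reference semantics the lowering must reproduce.
uint32_t referenceAnd32(uint32_t rs, int32_t imm) { return rs & static_cast<uint32_t>(imm); }

// What goes wrong if an out-of-range value is forced into the 16-bit field:
// it is silently truncated, so e.g. -1 becomes 0xffff and 0x10000 becomes 0.
uint32_t truncatedAndi(uint32_t rs, int32_t imm) {
    return hwAndi(rs, static_cast<uint16_t>(imm));
}

int main() {
    const uint32_t rs = 0xdeadbeefu;
    const int32_t samples[] = { 0, 0xffff, 0x10000, -1 };
    for (int32_t imm : samples) {
        Lowered l = lowerAnd32(rs, imm);
        std::printf("imm=%d fits(old)=%d fits(new)=%d imm-form=%d result=%08x truncated=%08x\n",
                    imm, fitsLogicalImmBeforeFix(imm), fitsLogicalImm(imm),
                    l.usedImmediateForm, l.result, truncatedAndi(rs, imm));
    }
    return 0;
}
```

The boundary matters in both directions: rejecting 0xffff only costs an extra instruction, but accepting anything outside 0..0xffff would emit an instruction that computes a different value from the one the IR asked for.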
3854 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
3855
3856         [JSC] Update testCheckSubBadImm() for ARM64
3857         https://bugs.webkit.org/show_bug.cgi?id=152846
3858
3859         Reviewed by Mark Lam.
3860
3861         * b3/testb3.cpp:
3862         (JSC::B3::testCheckSubBadImm):
3863         The test was assuming the constant can always be used
3864         as immediate. That's obviously not the case on ARM64.
3865
3866 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3867
3868         FTL B3 getById() should do exceptions
3869         https://bugs.webkit.org/show_bug.cgi?id=152810
3870
3871         Reviewed by Saam Barati.
3872
3873         This adds abstractions for doing exceptions from patchpoints, and uses them to implement
3874         exceptions from GetById. This covers all of the following ways that a GetById might throw an
3875         exception:
3876
3877         - Throw without try/catch from the vmCall() in a GetById(Untyped:)
3878         - Throw with try/catch from the vmCall() in a GetById(Untyped:)
3879         - Throw without try/catch from the callOperation() in the patchpoint of a GetById
3880         - Throw with try/catch from the callOperation() in the patchpoint of a GetById
3881         - Throw without try/catch from the Call IC generated in the patchpoint of a GetById
3882         - Throw with try/catch from the Call IC generated in the patchpoint of a GetById
3883
3884         This requires having a default exception target in FTL-generated code, and ensuring that this
3885         target is generated regardless of whether we have branches to the B3 basic block of the
3886         default exception target. This also requires adding some extra arguments to a
3887         PatchpointValue, and then knowing that the arguments are used for OSR exit and not anything
3888         else. This also requires associating the CallSiteIndex of the patchpoint with the register
3889         set used for exit and with the OSR exit label for the unwind exit.
3890
3891         All of the stuff that you have to worry about when wiring a patchpoint to exception handling
3892         is covered by the new PatchpointExceptionHandle object. You create one by calling
3893         preparePatchpointForExceptions(). This sets up the B3 IR representation of the patchpoint
3894         with stackmap arguments for the exceptional exit, and creates a PatchpointExceptionHandle
3895         object that can be used to create zero or more actual OSR exits. It can create both OSR exits
3896         for operation calls and OSR exits for unwind. You call the
3897         PatchpointExceptionHandle::scheduleExitCreationXXX() methods from the generator callback to
3898         actually get OSR exits.
3899
3900         This API makes heavy use of Box<>, late paths, and link tasks. For example, you can use the
3901         PatchpointExceptionHandle to get a Box<JumpList> that you can append exception jumps to. When
3902         you use this API, it automatically registers a link task that will link the JumpList to the
3903         actual OSR exit label.
3904
3905         This API is very flexible about how you get to the label of the OSR exit. You are encouraged
3906         to use the Box<JumpList> approach, but if you really just need the label, you can also get
3907         a RefPtr<ExceptionTarget> and rely on the fact that the ExceptionTarget object will be able
3908         to vend you the OSR exit label at link-time.
3909
3910         This reduces the number of JSC test failures with FTL B3 from 186 to 133. It also adds a
3911         bunch of new tests specifically for all of the ways you might throw from GetById, and B3
3912         passes all of these new tests. Note that I'm not counting the new tests as part of the
3913         previous 186 test failures (FTL B3 failed all of the new tests prior to this change).
3914
3915         After this change, it should be easy to make all of the other patchpoints also handle
3916         exceptions by just following the preparePatchpointForExceptions() idiom.
3917
3918         * CMakeLists.txt:
3919         * JavaScriptCore.xcodeproj/project.pbxproj:
3920         * b3/B3StackmapValue.h:
3921         * b3/B3ValueRep.cpp:
3922         (JSC::B3::ValueRep::addUsedRegistersTo):
3923         (JSC::B3::ValueRep::usedRegisters):
3924         (JSC::B3::ValueRep::dump):
3925         * b3/B3ValueRep.h:
3926         (JSC::B3::ValueRep::doubleValue):
3927         (JSC::B3::ValueRep::withOffset):
3928         (JSC::B3::ValueRep::usedRegisters):
3929         * ftl/FTLB3Compile.cpp:
3930         (JSC::FTL::compile):
3931         * ftl/FTLB3Output.h:
3932         (JSC::FTL::Output::unreachable):
3933         (JSC::FTL::Output::speculate):
3934         * ftl/FTLExceptionTarget.cpp: Added.
3935         (JSC::FTL::ExceptionTarget::~ExceptionTarget):
3936         (JSC::FTL::ExceptionTarget::label):
3937         (JSC::FTL::ExceptionTarg