Wincairo buildfix
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-03-09  Oliver Hunt  <oliver@apple.com>
2
3         Wincairo buildfix
4         https://bugs.webkit.org/show_bug.cgi?id=155245
5
6         Reviewed by Mark Lam.
7
8         Fix up exports for a few symbols
9
10         * jit/ExecutableAllocator.h:
11         * jit/ExecutableAllocatorFixedVMPool.cpp:
12
13 2016-03-09  Mark Lam  <mark.lam@apple.com>
14
15         Add dumping of function expression names in CodeBlock bytecode dump.
16         https://bugs.webkit.org/show_bug.cgi?id=155248
17
18         Reviewed by Filip Pizlo.
19
20         Because ...
21         [  19] new_func_exp      loc5, loc3, f0:foo
22
23         ... is more informative than
24         [  19] new_func_exp      loc5, loc3, f0
25
26         Anonymous functions will be dumped as <anon>.
27
28         * bytecode/CodeBlock.cpp:
29         (JSC::CodeBlock::dumpFunctionExpr):
30         (JSC::CodeBlock::dumpBytecode):
31         * bytecode/CodeBlock.h:
32
33 2016-03-09  Michael Saboff  <msaboff@apple.com>
34
35         [ES6] Implement RegExp sticky flag and related functionality
36         https://bugs.webkit.org/show_bug.cgi?id=155177
37
38         Reviewed by Saam Barati.
39
40         Implemented the ES6 RegExp sticky functionality.
41
42         There are two main behavior changes when the sticky flag is specified.
43         1) Matching starts at lastIndex and lastIndex is updated after the match.
44         2) The regular expression is only matched from the start position in the string.
45         See ES6 section 21.2.5.2.2 for details.
46
47         Changed both the Yarr interpreter and jit to not loop to the next character for sticky RegExps.
48         Updated RegExp exec and match, and stringProtoFuncMatch to handle lastIndex changes.
49
50         Restructured the way flags are passed to and through YarrPatterns to use RegExpFlags instead of
51         individual bools.
52
53         Updated tests for 'y' flag and new behavior.
54
55         * bytecode/CodeBlock.cpp:
56         (JSC::regexpToSourceString):
57         * inspector/ContentSearchUtilities.cpp:
58         (Inspector::ContentSearchUtilities::findMagicComment):
59         * runtime/CommonIdentifiers.h:
60         * runtime/RegExp.cpp:
61         (JSC::regExpFlags):
62         (JSC::RegExpFunctionalTestCollector::outputOneTest):
63         (JSC::RegExp::finishCreation):
64         (JSC::RegExp::compile):
65         (JSC::RegExp::compileMatchOnly):
66         * runtime/RegExp.h:
67         * runtime/RegExpKey.h:
68         * runtime/RegExpObjectInlines.h:
69         (JSC::RegExpObject::execInline):
70         (JSC::RegExpObject::matchInline):
71         * runtime/RegExpPrototype.cpp:
72         (JSC::regExpProtoFuncCompile):
73         (JSC::flagsString):
74         (JSC::regExpProtoGetterMultiline):
75         (JSC::regExpProtoGetterSticky):
76         (JSC::regExpProtoGetterUnicode):
77         * runtime/StringPrototype.cpp:
78         (JSC::stringProtoFuncMatch):
79         * tests/es6.yaml:
80         * tests/stress/static-getter-in-names.js:
81         (shouldBe):
82         * yarr/RegularExpression.cpp:
83         (JSC::Yarr::RegularExpression::Private::compile):
84         * yarr/YarrInterpreter.cpp:
85         (JSC::Yarr::Interpreter::tryConsumeBackReference):
86         (JSC::Yarr::Interpreter::matchAssertionBOL):
87         (JSC::Yarr::Interpreter::matchAssertionEOL):
88         (JSC::Yarr::Interpreter::matchAssertionWordBoundary):
89         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
90         (JSC::Yarr::Interpreter::matchDisjunction):
91         (JSC::Yarr::Interpreter::Interpreter):
92         (JSC::Yarr::ByteCompiler::atomPatternCharacter):
93         * yarr/YarrInterpreter.h:
94         (JSC::Yarr::BytecodePattern::BytecodePattern):
95         (JSC::Yarr::BytecodePattern::estimatedSizeInBytes):
96         (JSC::Yarr::BytecodePattern::ignoreCase):
97         (JSC::Yarr::BytecodePattern::multiline):
98         (JSC::Yarr::BytecodePattern::sticky):
99         (JSC::Yarr::BytecodePattern::unicode):
100         * yarr/YarrJIT.cpp:
101         (JSC::Yarr::YarrGenerator::matchCharacterClass):
102         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
103         (JSC::Yarr::YarrGenerator::generateAssertionBOL):
104         (JSC::Yarr::YarrGenerator::generateAssertionEOL):
105         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
106         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
107         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
108         (JSC::Yarr::YarrGenerator::backtrack):
109         * yarr/YarrPattern.cpp:
110         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
111         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
112         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
113         (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
114         (JSC::Yarr::YarrPattern::compile):
115         (JSC::Yarr::YarrPattern::YarrPattern):
116         * yarr/YarrPattern.h:
117         (JSC::Yarr::YarrPattern::reset):
118         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
119         (JSC::Yarr::YarrPattern::ignoreCase):
120         (JSC::Yarr::YarrPattern::multiline):
121         (JSC::Yarr::YarrPattern::sticky):
122         (JSC::Yarr::YarrPattern::unicode):
123
124 2016-03-09  Mark Lam  <mark.lam@apple.com>
125
126         FunctionExecutable::ecmaName() should not be based on inferredName().
127         https://bugs.webkit.org/show_bug.cgi?id=155203
128
129         Reviewed by Michael Saboff.
130
131         The ES6 rules for how a function name should be inferred closely match JSC's
132         implementation with one exception:
133             var o = {}
134             o.foo = function() {}
135
136         JSC's inferredName for o.foo would be "foo".
137         ES6 specifies that o.foo.name is "".
138
139         The fix is to add a distinct FunctionExecutable::ecmaName() which applies the ES6
140         rules for inferring the initial value of Function.name.
141
142         * bytecode/UnlinkedFunctionExecutable.cpp:
143         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
144         * bytecode/UnlinkedFunctionExecutable.h:
145         * parser/ASTBuilder.h:
146         (JSC::ASTBuilder::createAssignResolve):
147         (JSC::ASTBuilder::createGetterOrSetterProperty):
148         (JSC::ASTBuilder::createProperty):
149         (JSC::ASTBuilder::makeAssignNode):
150         * parser/Nodes.h:
151         * runtime/Executable.h:
152         * runtime/JSFunction.cpp:
153         (JSC::JSFunction::reifyName):
154         * tests/es6.yaml:
155
156 2016-03-09  Michael Saboff  <msaboff@apple.com>
157
158         Harden JSC Root element functions from bad values
159         https://bugs.webkit.org/show_bug.cgi?id=155234
160
161         Reviewed by Saam Barati.
162
163         Changed jsCast() to jsDynamicCast() in Root related functions to protect against being
164         called with non-Root arguments.
165
166         * jsc.cpp:
167         (functionCreateElement):
168         (functionGetElement):
169         (functionSetElementRoot):
170
171 2016-03-09  Benjamin Poulain  <benjamin@webkit.org>
172
173         [JSC] Pick how to OSR Enter to FTL at runtime instead of compile time
174         https://bugs.webkit.org/show_bug.cgi?id=155217
175
176         Reviewed by Filip Pizlo.
177
178         This patch addresses 2 types of problems with tiering up to FTL
179         with OSR Entry in a loop:
180         -When there are nested loops, it is generally valuable to enter
181          an outer loop rather than an inner loop.
182         -When tiering up at a point that cannot OSR Enter, we are at
183          the mercy of the outer loop frequency to compile the right
184          entry point.
185
186         The first case is significant in the test "gaussian-blur".
187         That test has 4 nested loops. When we have an OSR Entry,
188         the analysis phases have to be pessimistic where we enter:
189         we do not really know what constraint can be proven from
190         the DFG code that was running.
191
192         In "gaussian-blur", integer-range analysis removes pretty
193         much all overflow checks in the inner loops of where we entered.
194         The more outside we enter, the better code we generate.
195
196         Since we spend the most iterations in the inner loop, we naturally
197         tend to OSR Enter into the 2 most inner loops, making the most
198         pessimistic assumptions.
199
200         To avoid such problems, I changed how we decide where to OSR Enter.
201         Previously, the last CheckTierUpAndOSREnter to cross the threshold
202         was where we take the entry point for FTL.
203
204         What happens now is that the entry point is not decided when
205         compiling the CheckTierUp variants. Instead, all the information
206         we need is gathered during compilation and kept on the JITCode
207         to be used at runtime.
208
209         When we try to tier up and decide to OSR Enter, we use the information
210         we have to pick a good outer loop for OSR Entry.
211
212         Now the problem is outer loops do not CheckTierUpAndOSREnter often,
213         wasting several milliseconds before entering the newly compiled FTL code.
214
215         To solve that, every CheckTierUpAndOSREnter has its own trigger that
216         bypasses the counter. When the FTL Code is compiled, the trigger is set
217         and we enter through the right CheckTierUpAndOSREnter immediately.
218
219         ---
220
221         This new mechanism also solves a problem of ai-astar.
222         When we try to tier up in ai-astar, we had nothing to compile until
223         the outer loop is reached.
224
225         To make sure we reached the CheckTierUpAndOSREnter in a reasonable time,
226         we had CheckTierUpWithNestedTriggerAndOSREnter with a special trigger.
227
228         With the new mechanism, we can do much better:
229         -When we keep hitting CheckTierUpInLoop, we now have all the information
230          we need to already start compiling the outer loop.
231          Instead of waiting for the outer loop to be reached a few times, we compile
232          it as soon as the inner loop is hammering CheckTierUpInLoop.
233         -With the new triggers, the very next time we hit the outer loop, we OSR Enter.
234
235         This allows us to compile what we need sooner and enter sooner.
236
237         * dfg/DFGAbstractInterpreterInlines.h:
238         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
239         * dfg/DFGClobberize.h:
240         (JSC::DFG::clobberize): Deleted.
241         * dfg/DFGDoesGC.cpp:
242         (JSC::DFG::doesGC): Deleted.
243         * dfg/DFGFixupPhase.cpp:
244         (JSC::DFG::FixupPhase::fixupNode): Deleted.
245         * dfg/DFGJITCode.h:
246         * dfg/DFGJITCompiler.cpp:
247         (JSC::DFG::JITCompiler::JITCompiler):
248         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
249         * dfg/DFGNodeType.h:
250         * dfg/DFGOperations.cpp:
251         * dfg/DFGOperations.h:
252         * dfg/DFGPlan.h:
253         (JSC::DFG::Plan::canTierUpAndOSREnter):
254         * dfg/DFGPredictionPropagationPhase.cpp:
255         (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
256         * dfg/DFGSafeToExecute.h:
257         (JSC::DFG::safeToExecute): Deleted.
258         * dfg/DFGSpeculativeJIT32_64.cpp:
259         (JSC::DFG::SpeculativeJIT::compile): Deleted.
260         * dfg/DFGSpeculativeJIT64.cpp:
261         (JSC::DFG::SpeculativeJIT::compile):
262         * dfg/DFGTierUpCheckInjectionPhase.cpp:
263         (JSC::DFG::TierUpCheckInjectionPhase::run):
264         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
265         (JSC::DFG::TierUpCheckInjectionPhase::findLoopsContainingLoopHintWithoutOSREnter): Deleted.
266         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
267         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
268         (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
269         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
270         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
271         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
272
273 2016-03-08  Filip Pizlo  <fpizlo@apple.com>
274
275         DFG should be able to constant-fold strings
276         https://bugs.webkit.org/show_bug.cgi?id=155200
277
278         Reviewed by Geoffrey Garen.
279
280         This adds constant-folding of string1 + string2 and string.length. The actual folding
281         rule is easy, but there are some gotchas.
282
283         The problem is that the DFG cannot allocate new JSString objects until we are on the
284         main thread. So, DFG IR must have a node for a JSValue string constant that hasn't been
285         created yet - i.e. it doesn't have any concrete JSValue bits yet.
286
287         We have the ability to speak of such things, using LazyJSValue. But that's a class, not
288         a node type. This patch now adds a node type, LazyJSConstant, which is a Node that holds
289         a LazyJSValue.
290
291         This puts us in a weird situation: AI uses JSValue to represent constants. It would take
292         a lot of work to change it to use LazyJSValue. So, this implements the constant folding
293         in StrengthReductionPhase. I created a bug and put a FIXME about moving these rules into
294         AI.
295
296         OTOH, our experience in B3 shows that constant folding in strength reduction is quite
297         nice. It would totally make sense to have strength reduction have constant folding rules
298         that mirror the rules in AI, or to factor out the AI constant folding rules, the same
299         way that B3 factors out those rules into Value methods.
300
301         Another issue is how to represent the cumulative result of possibly many foldings. I
302         initially considered adding LazyJSValue kinds that represented concatenation. Folding
303         the concatenation to a constant means that this constant was actually a LazyJSValue that
304         represented the concatenation of two other things. But this would get super messy if we
305         wanted to fold an operation that uses the results of another folded operation.
306
307         So, the JIT thread folds string operations by creating a WTF::String that contains the
308         result. The DFG::Graph holds a +1 on the underlying StringImpl, so we can pass the
309         StringImpl* around without reference counting. The LazyJSValue now has a special kind
310         that means: we created this StringImpl* on the JIT thread, and once the JIT is done, we
311         will relinquish ownership of it. LazyJSValue has some magic to emit code for these
312         to-be-created-JSStrings while also transferring ownership of the StringImpl from the JIT
313         thread to the main thread and registering the JSString with the GC.
314
315         This just implements folding for concatenation and GetArrayLength. It's just a proof of
316         concept for evil things I want to do later.
317
318         This change is a 2.5x speed-up on the string concatenation microbenchmarks I added in
319         this patch.
320
321         * dfg/DFGAbstractInterpreterInlines.h:
322         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
323         * dfg/DFGClobberize.h:
324         (JSC::DFG::clobberize):
325         * dfg/DFGDoesGC.cpp:
326         (JSC::DFG::doesGC):
327         * dfg/DFGFixupPhase.cpp:
328         (JSC::DFG::FixupPhase::fixupNode):
329         * dfg/DFGFrozenValue.cpp:
330         (JSC::DFG::FrozenValue::emptySingleton):
331         (JSC::DFG::FrozenValue::tryGetString):
332         (JSC::DFG::FrozenValue::dumpInContext):
333         * dfg/DFGFrozenValue.h:
334         (JSC::DFG::FrozenValue::strength):
335         * dfg/DFGGraph.h:
336         * dfg/DFGLazyJSValue.cpp:
337         (JSC::DFG::LazyJSValue::newString):
338         (JSC::DFG::LazyJSValue::getValue):
339         (JSC::DFG::equalToStringImpl):
340         (JSC::DFG::LazyJSValue::tryGetStringImpl):
341         (JSC::DFG::LazyJSValue::tryGetString):
342         (JSC::DFG::LazyJSValue::strictEqual):
343         (JSC::DFG::LazyJSValue::switchLookupValue):
344         (JSC::DFG::LazyJSValue::emit):
345         (JSC::DFG::LazyJSValue::dumpInContext):
346         * dfg/DFGLazyJSValue.h:
347         (JSC::DFG::LazyJSValue::LazyJSValue):
348         (JSC::DFG::LazyJSValue::knownStringImpl):
349         (JSC::DFG::LazyJSValue::kind):
350         (JSC::DFG::LazyJSValue::tryGetValue):
351         (JSC::DFG::LazyJSValue::character):
352         (JSC::DFG::LazyJSValue::stringImpl):
353         * dfg/DFGMayExit.cpp:
354         (JSC::DFG::mayExit):
355         * dfg/DFGNode.cpp:
356         (JSC::DFG::Node::convertToIdentityOn):
357         (JSC::DFG::Node::convertToLazyJSConstant):
358         (JSC::DFG::Node::convertToPutHint):
359         (JSC::DFG::Node::convertToPutClosureVarHint):
360         (JSC::DFG::Node::tryGetString):
361         (JSC::DFG::Node::promotedLocationDescriptor):
362         * dfg/DFGNode.h:
363         (JSC::DFG::Node::convertToConstant):
364         (JSC::DFG::Node::convertToConstantStoragePointer):
365         (JSC::DFG::Node::castConstant):
366         (JSC::DFG::Node::hasLazyJSValue):
367         (JSC::DFG::Node::lazyJSValue):
368         (JSC::DFG::Node::initializationValueForActivation):
369         * dfg/DFGNodeType.h:
370         * dfg/DFGPredictionPropagationPhase.cpp:
371         (JSC::DFG::PredictionPropagationPhase::propagate):
372         * dfg/DFGSafeToExecute.h:
373         (JSC::DFG::safeToExecute):
374         * dfg/DFGSpeculativeJIT.cpp:
375         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
376         (JSC::DFG::SpeculativeJIT::compileLazyJSConstant):
377         * dfg/DFGSpeculativeJIT.h:
378         * dfg/DFGSpeculativeJIT32_64.cpp:
379         (JSC::DFG::SpeculativeJIT::compile):
380         * dfg/DFGSpeculativeJIT64.cpp:
381         (JSC::DFG::SpeculativeJIT::compile):
382         * dfg/DFGStrengthReductionPhase.cpp:
383         (JSC::DFG::StrengthReductionPhase::handleNode):
384         * ftl/FTLCapabilities.cpp:
385         (JSC::FTL::canCompile):
386         * ftl/FTLLowerDFGToB3.cpp:
387         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
388         (JSC::FTL::DFG::LowerDFGToB3::compileInt52Constant):
389         (JSC::FTL::DFG::LowerDFGToB3::compileLazyJSConstant):
390         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
391
392 2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>
393
394         Web Inspector: Memory Timeline should show MemoryPressure events
395         https://bugs.webkit.org/show_bug.cgi?id=155158
396         <rdar://problem/25026610>
397
398         Reviewed by Brian Burg.
399
400         * inspector/protocol/Memory.json:
401
402 2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>
403
404         Web Inspector: Add Heap domain start/stop tracking commands
405         https://bugs.webkit.org/show_bug.cgi?id=155190
406
407         Reviewed by Brian Burg.
408
409         * inspector/agents/InspectorHeapAgent.cpp:
410         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
411         (Inspector::InspectorHeapAgent::startTracking):
412         (Inspector::InspectorHeapAgent::stopTracking):
413         * inspector/agents/InspectorHeapAgent.h:
414         * inspector/protocol/Heap.json:
415
416 2016-03-08  Joseph Pecoraro  <pecoraro@apple.com>
417
418         Web Inspector: Add a way to create a Heap Snapshot
419         https://bugs.webkit.org/show_bug.cgi?id=155188
420
421         Reviewed by Brian Burg.
422
423         * inspector/agents/InspectorHeapAgent.h:
424         * inspector/protocol/Heap.json:
425         * inspector/agents/InspectorHeapAgent.cpp:
426         (Inspector::InspectorHeapAgent::snapshot):
427         Take a heap snapshot and return the JSON string result.
428
429         * inspector/protocol/Debugger.json:
430         Remove unused optional inferredName. Our displayName would be inferred.
431
432 2016-03-08  Oliver Hunt  <oliver@apple.com>
433
434         Fix ios bot build.
435
436         * jit/ExecutableAllocatorFixedVMPool.cpp:
437         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
438
439 2016-03-08  Mark Lam  <mark.lam@apple.com>
440
441         Implement Function.name support for getters/setters and inferring name of function properties.
442         https://bugs.webkit.org/show_bug.cgi?id=154865
443
444         Rubber-stamped by Joseph Pecoraro.
445
446         Follow up to the fix for this bug: adding a few small clean-ups for issues Joe
447         pointed out in the bug.
448
449         * runtime/JSBoundSlotBaseFunction.cpp:
450         (JSC::JSBoundSlotBaseFunction::create):
451         * runtime/JSCJSValue.cpp:
452         (JSC::JSValue::putToPrimitiveByIndex):
453
454 2016-03-08  Oliver Hunt  <oliver@apple.com>
455
456         Start moving to separated writable and executable mappings in the JIT
457         https://bugs.webkit.org/show_bug.cgi?id=155178
458
459         Reviewed by Fil Pizlo.
460
461         Start moving to a separate writable and executable heap for the various
462         JITs.
463
464         As part of our work to harden the JIT against various attacks, we're
465         moving away from our current RWX heap and on to using separate RW and X
466         mappings. This means that simply leaking the location of the executable
467         mapping is not sufficient to compromise JSC, so we can continue to
468         use direct executable pointers in our GC objects (which we need for
469         performance), but keep the writable pointer in only a single location
470         so that we are less likely to leak the address. To further obscure the
471         address of the writable region we place it in an execute only region
472         of memory so that it is not possible to read the location from 
473         anywhere. That means an attacker must have at least partial control
474         of PC (to call jitMemCopy) before they can start to attack the JIT.
475
476         This work is initially ARM64 only, as the jitMemCopy is
477         currently specific to that platform's calling conventions and layout.
478         We're just landing it in the current form so that we can at least
479         ensure it doesn't regress.
480
481         * Configurations/FeatureDefines.xcconfig:
482         * assembler/ARM64Assembler.h:
483         (JSC::ARM64Assembler::ldp):
484         (JSC::ARM64Assembler::ldnp):
485         (JSC::ARM64Assembler::fillNops):
486         (JSC::ARM64Assembler::stp):
487         (JSC::ARM64Assembler::stnp):
488         (JSC::ARM64Assembler::replaceWithJump):
489         (JSC::ARM64Assembler::replaceWithLoad):
490         (JSC::ARM64Assembler::replaceWithAddressComputation):
491         (JSC::ARM64Assembler::setPointer):
492         (JSC::ARM64Assembler::repatchInt32):
493         (JSC::ARM64Assembler::repatchCompact):
494         (JSC::ARM64Assembler::linkJumpOrCall):
495         (JSC::ARM64Assembler::linkCompareAndBranch):
496         (JSC::ARM64Assembler::linkConditionalBranch):
497         (JSC::ARM64Assembler::linkTestAndBranch):
498         (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
499         (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
500         * assembler/LinkBuffer.cpp:
501         (JSC::LinkBuffer::copyCompactAndLinkCode):
502         (JSC::LinkBuffer::allocate):
503         * assembler/LinkBuffer.h:
504         (JSC::LinkBuffer::LinkBuffer):
505         * assembler/MacroAssemblerARM64.h:
506         (JSC::MacroAssemblerARM64::sub64):
507         (JSC::MacroAssemblerARM64::load64):
508         (JSC::MacroAssemblerARM64::loadPair64):
509         (JSC::MacroAssemblerARM64::loadPair64WithNonTemporalAccess):
510         (JSC::MacroAssemblerARM64::load8):
511         (JSC::MacroAssemblerARM64::store64):
512         (JSC::MacroAssemblerARM64::storePair64):
513         (JSC::MacroAssemblerARM64::storePair64WithNonTemporalAccess):
514         (JSC::MacroAssemblerARM64::store8):
515         (JSC::MacroAssemblerARM64::branchAdd64):
516         (JSC::MacroAssemblerARM64::branchSub64):
517         * jit/ExecutableAllocator.h:
518         (JSC::performJITMemcpy):
519         * jit/ExecutableAllocatorFixedVMPool.cpp:
520         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
521         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
522         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
523         * runtime/Options.cpp:
524         (JSC::recomputeDependentOptions):
525         * runtime/Options.h:
526
527 2016-03-08  Mark Lam  <mark.lam@apple.com>
528
529         Implement Function.name support for getters/setters and inferring name of function properties.
530         https://bugs.webkit.org/show_bug.cgi?id=154865
531
532         Reviewed by Geoffrey Garen.
533
534         1. toString() no longer uses the value of Function.name as the name of the
535            function in the returned string, because ...
536
537             i. Function.name is supposed to be configurable.  Hence, it can be made
538                writable and can be set to any JSValue, or deleted.
539            ii. Function.prototype.toString() is supposed to produce a string that can be
540                eval'ed.  Hence, for JS functions, the function name in the produced
541                string must be a legal function name (and not some arbitrary value set in
542                Function.name).  For example, while a number is a legal value for
543                Function.name, it is not legal as the function name in the toString()
544                string.
545
546            Instead, we'll always use the original name from the JS source that the
547            function was parsed from.
548
549         2. JSFunction::name() now always returns the original name, not the value of
550            the Function.name property.  As a result, it also no longer needs an
551            ExecState* arg.
552
553            If the original name is an empty string, JSFunction::name() will use the
554            inferred name.
555
556         3. For JS functions, the original name can be attained from their
557            FunctionExecutable object.
558
559            For host/native functions (which do not have a FunctionExecutable), we get the
560            "original" name from its NativeExecutable.
561
562         4. The m_hostFunctionStubMap now keys its NativeExecutable pointers using the
563            original name, in addition to the native function and constructor pointers.
564
565            This is needed because we want a different NativeExecutable for functions with
566            a different name (to satisfy (3) above).
567
568         5. Changed JSBoundFunction to store the name of its bound function in its
569            NativeExecutable.  This will later be used to generate the toString() string.
570            Its Function.name value is eagerly initialized at construction time.
571
572         6. Function.name for getters/setters is now prefixed with "get"/"set".
573            This was done both for the JSBoundSlotBaseFunctions and JS definable get/set
574            functions.
575
576         7. Added InternalFunction::m_originalName so that we can use it to generate the
577            toString() string.  We're storing it as a JSString instead of a WTF::String
578            only because we want InternalFunction to continue to be trivially
579            destructible.
580
581         * inspector/JSInjectedScriptHost.cpp:
582         (Inspector::JSInjectedScriptHost::functionDetails):
583         * jit/JITThunks.cpp:
584         (JSC::JITThunks::finalize):
585         (JSC::JITThunks::hostFunctionStub):
586         * jit/JITThunks.h:
587         * runtime/Executable.h:
588         * runtime/FunctionPrototype.cpp:
589         (JSC::functionProtoFuncToString):
590         * runtime/InternalFunction.cpp:
591         (JSC::InternalFunction::finishCreation):
592         (JSC::InternalFunction::visitChildren):
593         (JSC::InternalFunction::name):
594         (JSC::InternalFunction::displayName):
595         * runtime/InternalFunction.h:
596         * runtime/JSBoundFunction.cpp:
597         (JSC::JSBoundFunction::create):
598         (JSC::JSBoundFunction::visitChildren):
599         (JSC::JSBoundFunction::toStringName): Deleted.
600         * runtime/JSBoundFunction.h:
601         (JSC::JSBoundFunction::boundThis):
602         (JSC::JSBoundFunction::boundArgs):
603         (JSC::JSBoundFunction::createStructure):
604         * runtime/JSBoundSlotBaseFunction.cpp:
605         (JSC::boundSlotBaseFunctionCall):
606         (JSC::JSBoundSlotBaseFunction::create):
607         * runtime/JSFunction.cpp:
608         (JSC::JSFunction::initializeRareData):
609         (JSC::JSFunction::name):
610         (JSC::JSFunction::displayName):
611         (JSC::JSFunction::calculatedDisplayName):
612         (JSC::JSFunction::reifyName):
613         * runtime/JSFunction.h:
614         * tests/es6.yaml:
615
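Added example, not part of the ChangeLog and not JavaScriptCore code. It checks from script the Function.name rules described in this entry and in the 2016-03-09 "FunctionExecutable::ecmaName() should not be based on inferredName()" entry above: names inferred from a binding or an object-literal key, the o.foo = function() {} case whose name must be "", the "get "/"set " prefixes for accessors, and the "bound " prefix for bound functions. It also shows item 1 of this entry: Function.name is configurable and can be redefined to a number, yet toString() keeps the original source name so its output stays eval-able. The case names and the function named original are constructed for this example; it runs on any ES2015-conformant engine.

```javascript
// Added example (not WebKit code): ES6 Function.name inference as seen from script.
function nameInferenceCases() {
  const cases = {};

  // Named function expression: the original name from the source wins.
  const named = function original() {};
  cases.namedExpr = named.name;                      // 'original'

  // Anonymous function initialising a variable: name inferred from the binding.
  const viaVar = function () {};
  cases.viaVar = viaVar.name;                        // 'viaVar'

  // Anonymous function as an object-literal property: inferred from the key.
  const obj = { fromKey: function () {} };
  cases.fromKey = obj.fromKey.name;                  // 'fromKey'

  // Assignment to a member expression: ES6 leaves the name "" (the case the
  // ecmaName() entry fixes; the older inferredName() would have said "foo").
  const o = {};
  o.foo = function () {};
  cases.memberAssign = o.foo.name;                   // ''

  // Getters and setters are prefixed with "get " / "set ".
  const accessors = { get x() { return 1; }, set x(v) {} };
  const desc = Object.getOwnPropertyDescriptor(accessors, 'x');
  cases.getter = desc.get.name;                      // 'get x'
  cases.setter = desc.set.name;                      // 'set x'

  // Bound functions carry the target's name behind a "bound " prefix.
  cases.bound = named.bind(null).name;               // 'bound original'

  return cases;
}

// Function.name is configurable, so it can be redefined to any value, but
// Function.prototype.toString() must still print the original source name:
// a number is a legal Function.name but not a legal name in function syntax.
function nameVersusToString() {
  function original() {}
  const before = Object.getOwnPropertyDescriptor(original, 'name');
  Object.defineProperty(original, 'name', { value: 42 });  // allowed: configurable
  return {
    nameIsConfigurable: before.configurable,                 // true
    nameIsWritable: before.writable,                         // false by default
    nameNow: original.name,                                  // 42
    toStringKeepsSourceName: /^function original\(/.test(original.toString()),  // true
  };
}
```

The two functions return plain objects so the expectations in the comments can be checked by a caller; the last one is the point of item 1 in the entry: redefining name changes what name reports, not what toString() prints.
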
616 2016-03-08  Commit Queue  <commit-queue@webkit.org>
617
618         Unreviewed, rolling out r197793 and r197799.
619         https://bugs.webkit.org/show_bug.cgi?id=155195
620
621         something weird happened while landing this and everything
622         broke (Requested by olliej on #webkit).
623
624         Reverted changesets:
625
626         "Start moving to separated writable and executable mappings in
627         the JIT"
628         https://bugs.webkit.org/show_bug.cgi?id=155178
629         http://trac.webkit.org/changeset/197793
630
631         "arm64 build fix after r197793."
632         http://trac.webkit.org/changeset/197799
633
634 2016-03-08  Alex Christensen  <achristensen@webkit.org>
635
636         arm64 build fix after r197793.
637
638         * jit/ExecutableAllocatorFixedVMPool.cpp:
639         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
640         (JSC::FixedVMPoolExecutableAllocator::initializeBulletproofJIT):
641         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
642         Use consistent ENABLE macro.  It looks like it was partially renamed.
643
644 2016-03-08  Filip Pizlo  <fpizlo@apple.com>
645
646         Regexp matching should incur less call overhead
647         https://bugs.webkit.org/show_bug.cgi?id=155181
648
649         Reviewed by Geoffrey Garen.
650
651         Previously we had DFG/FTL code call into the DFGOperation, which then called in to
652         RegExpObject, which then called into createRegExpMatchesArray, which then called into
653         RegExp, which then called the code generated by Yarr.
654
655         Now we have DFG/FTL code call into the DFGOperation, which does all of the things and calls
656         into code generated by Yarr.
657
658         This is another tiny Octane/regexp speed-up.
659
660         * JavaScriptCore.xcodeproj/project.pbxproj:
661         * dfg/DFGOperations.cpp:
662         * runtime/RegExp.cpp:
663         (JSC::regExpFlags):
664         (JSC::RegExp::compile):
665         (JSC::RegExp::match):
666         (JSC::RegExp::compileMatchOnly):
667         (JSC::RegExp::deleteCode):
668         (JSC::RegExpFunctionalTestCollector::clearRegExp): Deleted.
669         (JSC::RegExp::compileIfNecessary): Deleted.
670         (JSC::RegExp::compileIfNecessaryMatchOnly): Deleted.
671         * runtime/RegExp.h:
672         * runtime/RegExpInlines.h: Added.
673         (JSC::RegExpFunctionalTestCollector::clearRegExp):
674         (JSC::RegExp::compileIfNecessary):
675         (JSC::RegExp::matchInline):
676         (JSC::RegExp::compileIfNecessaryMatchOnly):
677         * runtime/RegExpMatchesArray.cpp:
678         (JSC::createEmptyRegExpMatchesArray):
679         (JSC::createStructureImpl):
680         (JSC::tryCreateUninitializedRegExpMatchesArray): Deleted.
681         (JSC::createRegExpMatchesArray): Deleted.
682         * runtime/RegExpMatchesArray.h:
683         (JSC::tryCreateUninitializedRegExpMatchesArray):
684         (JSC::createRegExpMatchesArray):
685         * runtime/RegExpObject.cpp:
686         (JSC::RegExpObject::put):
687         (JSC::RegExpObject::exec):
688         (JSC::RegExpObject::match):
689         (JSC::getLastIndexAsUnsigned): Deleted.
690         * runtime/RegExpObject.h:
691         (JSC::RegExpObject::getLastIndex):
692         (JSC::RegExpObject::test):
693         (JSC::RegExpObject::testInline):
694         * runtime/RegExpObjectInlines.h: Added.
695         (JSC::getRegExpObjectLastIndexAsUnsigned):
696         (JSC::RegExpObject::execInline):
697         (JSC::RegExpObject::matchInline):
698
699 2016-03-08  Mark Lam  <mark.lam@apple.com>
700
701         synthesizePrototype() and friends need to be followed by exception checks (or equivalent).
702         https://bugs.webkit.org/show_bug.cgi?id=155169
703
704         Reviewed by Geoffrey Garen.
705
706         With the exception checks, we may end up throwing new exceptions over an existing
707         one that has been thrown but not handled yet, thereby obscuring it.  It may also
708         mean that the VM will continue running on potentially unstable state, which may
709         have undesirable consequences.
710
711         I first observed this in some failed assertion while running tests on a patch for
712         https://bugs.webkit.org/show_bug.cgi?id=154865.
713
714         Performance is neutral with this patch (tested on x86_64).
715
716         1. Deleted JSNotAnObject, and removed all uses of it.
717
718         2. Added exception checks, when needed, following calls to synthesizePrototype()
719            and JSValue::toObject().
720
721            The cases that do not need an exception check are the ones that already ensure
722            that JSValue::toObject() is only called on a value that is convertible to an
723            object.  In those cases, I added an assertion that no exception was thrown
724            after the call.
725
726         * CMakeLists.txt:
727         * JavaScriptCore.xcodeproj/project.pbxproj:
728         * inspector/ScriptCallStackFactory.cpp:
729         (Inspector::createScriptCallStackFromException):
730         * interpreter/Interpreter.cpp:
731         * jit/JITOperations.cpp:
732         * llint/LLIntSlowPaths.cpp:
733         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
734         * runtime/ArrayPrototype.cpp:
735         (JSC::arrayProtoFuncJoin):
736         (JSC::arrayProtoFuncConcat):
737         (JSC::arrayProtoFuncPop):
738         (JSC::arrayProtoFuncPush):
739         (JSC::arrayProtoFuncReverse):
740         (JSC::arrayProtoFuncShift):
741         (JSC::arrayProtoFuncSlice):
742         (JSC::arrayProtoFuncSplice):
743         (JSC::arrayProtoFuncUnShift):
744         (JSC::arrayProtoFuncIndexOf):
745         (JSC::arrayProtoFuncLastIndexOf):
746         (JSC::arrayProtoFuncValues):
747         (JSC::arrayProtoFuncEntries):
748         (JSC::arrayProtoFuncKeys):
749         * runtime/CommonSlowPaths.cpp:
750         (JSC::SLOW_PATH_DECL):
751         * runtime/ExceptionHelpers.cpp:
752         * runtime/JSCJSValue.cpp:
753         (JSC::JSValue::toObjectSlowCase):
754         (JSC::JSValue::toThisSlowCase):
755         (JSC::JSValue::synthesizePrototype):
756         (JSC::JSValue::putToPrimitive):
757         (JSC::JSValue::putToPrimitiveByIndex):
758         * runtime/JSCJSValueInlines.h:
759         (JSC::JSValue::getPropertySlot):
760         (JSC::JSValue::get):
761         * runtime/JSFunction.cpp:
762         * runtime/JSGlobalObjectFunctions.cpp:
763         (JSC::globalFuncProtoGetter):
764         * runtime/JSNotAnObject.cpp: Removed.
765         * runtime/JSNotAnObject.h: Removed.
766         * runtime/ObjectConstructor.cpp:
767         (JSC::objectConstructorDefineProperties):
768         (JSC::objectConstructorCreate):
769         * runtime/ObjectPrototype.cpp:
770         (JSC::objectProtoFuncValueOf):
771         (JSC::objectProtoFuncHasOwnProperty):
772         (JSC::objectProtoFuncIsPrototypeOf):
773         (JSC::objectProtoFuncToString):
774         * runtime/VM.cpp:
775         (JSC::VM::VM):
776         * runtime/VM.h:
777
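The discipline this entry describes (check the exception state immediately after a call such as toObject() that may throw, and only assert where the value is already known to convert) is easy to get wrong in a VM that keeps a single pending-exception slot. The following is an added example, not JavaScriptCore code: a constructed ToyVM, toObject() stand-in and Outcome struct show how the unchecked shape overwrites the original TypeError with a second exception, while the checked shape lets the first one propagate.

```cpp
#include <cassert>
#include <cstdio>
#include <optional>
#include <string>

// Toy VM with a single "pending exception" slot (constructed for this
// example; not JavaScriptCore's VM class).
struct ToyVM {
    std::optional<std::string> pendingException;
    int obscuredExceptions = 0; // how often a throw overwrote an unhandled one

    void throwException(const std::string& message) {
        if (pendingException)
            ++obscuredExceptions; // the earlier exception is now lost to the handler
        pendingException = message;
    }
    bool hasException() const { return pendingException.has_value(); }
};

// Stand-in for JSValue::toObject(): null and undefined are not convertible and
// throw a TypeError; anything else yields a constructed object handle.
std::optional<int> toObject(ToyVM& vm, const std::string& value) {
    if (value == "null" || value == "undefined") {
        vm.throwException("TypeError: " + value + " is not an object");
        return std::nullopt;
    }
    return static_cast<int>(value.size());
}

// The shape the entry fixes: the call can throw, but the code only tests the
// result and throws again, so the caller sees an InternalError, not the TypeError.
bool valueOfUnchecked(ToyVM& vm, const std::string& thisValue) {
    std::optional<int> object = toObject(vm, thisValue);
    if (!object) {
        vm.throwException("InternalError: receiver did not convert");
        return false;
    }
    return true;
}

// Fixed shape: check the exception state right after the fallible call and
// return before doing anything else, so the original TypeError propagates.
bool valueOfChecked(ToyVM& vm, const std::string& thisValue) {
    std::optional<int> object = toObject(vm, thisValue);
    if (vm.hasException())
        return false;
    assert(object); // toObject() only fails by throwing, so a value is guaranteed here
    return true;
}

// The third shape from the entry: the value is already known to convert, so no
// check is needed, but an assertion documents that no exception was raised.
bool valueOfKnownObject(ToyVM& vm, const std::string& objectValue) {
    std::optional<int> object = toObject(vm, objectValue);
    assert(!vm.hasException());
    return object.has_value();
}

// What a caller would observe after running a variant on an unconvertible receiver.
struct Outcome {
    std::string pending; // the exception left in the VM
    int obscured;        // how many exceptions were overwritten along the way
};

Outcome runUnchecked() {
    ToyVM vm;
    valueOfUnchecked(vm, "undefined");
    return {vm.pendingException.value_or(""), vm.obscuredExceptions};
}

Outcome runChecked() {
    ToyVM vm;
    valueOfChecked(vm, "undefined");
    return {vm.pendingException.value_or(""), vm.obscuredExceptions};
}

bool knownObjectConverts() {
    ToyVM vm;
    return valueOfKnownObject(vm, "{}");
}

int main() {
    Outcome a = runUnchecked(), b = runChecked();
    std::printf("unchecked: %s (obscured %d)\n", a.pending.c_str(), a.obscured);
    std::printf("checked:   %s (obscured %d)\n", b.pending.c_str(), b.obscured);
    return 0;
}
```

The obscuredExceptions counter is the observable the entry is worried about: in the unchecked variant it is 1 and the surviving message is the unrelated InternalError, so a handler (or an assertion in a later phase, as the author saw) reacts to the wrong failure.
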
778 2016-03-08  Oliver Hunt  <oliver@apple.com>
779
780         Start moving to separated writable and executable mappings in the JIT
781         https://bugs.webkit.org/show_bug.cgi?id=155178
782
783         Reviewed by Filip Pizlo.
784
785         Start moving to a separate writable and executable heap for the various
786         JITs.
787
788         As part of our work to harden the JIT against various attacks, we're
789         moving away from our current RWX heap and on to using separate RW and X
790         mappings. This means that simply leaking the location of the executable
791         mapping is not sufficient to compromise JSC, so we can continue to
792         use direct executable pointers in our GC objects (which we need for
793         performance), but keep the writable pointer in only a single location
794         so that we are less likely to leak the address. To further obscure the
795         address of the writable region we place it in an execute only region
796         of memory so that it is not possible to read the location from 
797         anywhere. That means an attacker must have at least partial control
798         of PC (to call jitMemCopy) before they can start to attack the JIT.
799
800         This work is initially ARM64 only, as the jitMemCopy we use is
801         currently specific to that platform's calling conventions and layout.
802         We're just landing it in the current form so that we can at least
803         ensure it doesn't regress.
804
805         * Configurations/FeatureDefines.xcconfig:
806         * assembler/ARM64Assembler.h:
807         (JSC::ARM64Assembler::ldp):
808         (JSC::ARM64Assembler::ldnp):
809         (JSC::ARM64Assembler::fillNops):
810         (JSC::ARM64Assembler::stp):
811         (JSC::ARM64Assembler::stnp):
812         (JSC::ARM64Assembler::replaceWithJump):
813         (JSC::ARM64Assembler::replaceWithLoad):
814         (JSC::ARM64Assembler::replaceWithAddressComputation):
815         (JSC::ARM64Assembler::setPointer):
816         (JSC::ARM64Assembler::repatchInt32):
817         (JSC::ARM64Assembler::repatchCompact):
818         (JSC::ARM64Assembler::linkJumpOrCall):
819         (JSC::ARM64Assembler::linkCompareAndBranch):
820         (JSC::ARM64Assembler::linkConditionalBranch):
821         (JSC::ARM64Assembler::linkTestAndBranch):
822         (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
823         (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
824         * assembler/LinkBuffer.cpp:
825         (JSC::LinkBuffer::copyCompactAndLinkCode):
826         (JSC::LinkBuffer::allocate):
827         * assembler/LinkBuffer.h:
828         (JSC::LinkBuffer::LinkBuffer):
829         * assembler/MacroAssemblerARM64.h:
830         (JSC::MacroAssemblerARM64::sub64):
831         (JSC::MacroAssemblerARM64::load64):
832         (JSC::MacroAssemblerARM64::loadPair64):
833         (JSC::MacroAssemblerARM64::loadPair64WithNonTemporalAccess):
834         (JSC::MacroAssemblerARM64::load8):
835         (JSC::MacroAssemblerARM64::store64):
836         (JSC::MacroAssemblerARM64::storePair64):
837         (JSC::MacroAssemblerARM64::storePair64WithNonTemporalAccess):
838         (JSC::MacroAssemblerARM64::store8):
839         (JSC::MacroAssemblerARM64::branchAdd64):
840         (JSC::MacroAssemblerARM64::branchSub64):
841         * jit/ExecutableAllocator.h:
842         (JSC::performJITMemcpy):
843         * jit/ExecutableAllocatorFixedVMPool.cpp:
844         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
845         (JSC::FixedVMPoolExecutableAllocator::initializeBulletproofJIT):
846         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
847         * runtime/Options.cpp:
848         (JSC::recomputeDependentOptions):
849         * runtime/Options.h:
850
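The split this entry starts on rests on one mapping property: the same physical pages are visible at two virtual addresses, one writable and one executable, and code is only ever written through the first. The following is an added example using plain POSIX calls, not JavaScriptCore's FixedVMPoolExecutableAllocator or its jitMemCopy thunk; the DualMapping struct, createBackingFile() and the byte pattern are constructed for illustration, and the backing object is a memfd on Linux or an unlinked temporary file elsewhere. If the environment refuses PROT_EXEC (a noexec mount, for instance) the second alias falls back to read-only so the aliasing itself is still shown.

```cpp
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <sys/mman.h>
#include <unistd.h>

// Two views of the same physical pages: a writable alias used only by the
// code-copy routine, and an executable alias that is never mapped writable.
struct DualMapping {
    uint8_t* writable = nullptr;         // RW alias: the only target of writes
    const uint8_t* executable = nullptr; // RX alias: the addresses the VM would call
    size_t size = 0;
    bool executableHasExec = false;      // false if the environment refused PROT_EXEC
};

// Backing object for the aliases: an anonymous memfd on Linux, otherwise an
// unlinked temporary file.
static int createBackingFile(size_t size) {
    int fd = -1;
#ifdef MFD_CLOEXEC
    fd = memfd_create("jit-dual-map", MFD_CLOEXEC);
#endif
    if (fd < 0) {
        char path[] = "/tmp/jit-dual-map-XXXXXX";
        fd = mkstemp(path);
        if (fd < 0)
            return -1;
        unlink(path); // keep the descriptor, drop the name
    }
    if (ftruncate(fd, static_cast<off_t>(size)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

bool createDualMapping(DualMapping& m, size_t size) {
    int fd = createBackingFile(size);
    if (fd < 0)
        return false;
    void* rw = mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    void* rx = mmap(nullptr, size, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    bool hasExec = rx != MAP_FAILED;
    if (!hasExec) // noexec mount or sandbox policy: keep a read-only alias instead
        rx = mmap(nullptr, size, PROT_READ, MAP_SHARED, fd, 0);
    close(fd); // the mappings keep the pages alive
    if (rw == MAP_FAILED || rx == MAP_FAILED) {
        if (rw != MAP_FAILED) munmap(rw, size);
        if (rx != MAP_FAILED) munmap(rx, size);
        return false;
    }
    m.writable = static_cast<uint8_t*>(rw);
    m.executable = static_cast<const uint8_t*>(rx);
    m.size = size;
    m.executableHasExec = hasExec;
    return true;
}

void destroyDualMapping(DualMapping& m) {
    munmap(m.writable, m.size);
    munmap(const_cast<uint8_t*>(m.executable), m.size);
    m = DualMapping{};
}

// The only path that writes code: it takes the RW alias and never sees the RX one.
void jitWrite(DualMapping& m, size_t offset, const void* src, size_t n) {
    if (offset + n <= m.size)
        std::memcpy(m.writable + offset, src, n);
}

// The property the split relies on: the aliases sit at different addresses,
// yet a write through the RW alias is visible through the RX alias.
bool executableSeesWrite(const DualMapping& m, size_t offset, const void* src, size_t n) {
    return m.writable != m.executable && std::memcmp(m.executable + offset, src, n) == 0;
}

// Round trip on one page with a constructed byte pattern (not machine code;
// nothing is executed).
bool dualMappingRoundTrip() {
    DualMapping m;
    size_t page = static_cast<size_t>(sysconf(_SC_PAGESIZE));
    if (!createDualMapping(m, page))
        return false;
    const uint8_t pattern[] = {0xDE, 0xAD, 0xBE, 0xEF};
    jitWrite(m, 16, pattern, sizeof pattern);
    bool ok = executableSeesWrite(m, 16, pattern, sizeof pattern);
    destroyDualMapping(m);
    return ok;
}

int main() {
    std::printf("dual mapping round trip: %s\n", dualMappingRoundTrip() ? "ok" : "failed");
    return 0;
}
```

The defensive value is in what is absent: no call ever asks for PROT_WRITE and PROT_EXEC on the same mapping, and the writable address is handed only to jitWrite(). In the entry's design that writable address is additionally kept out of readable memory, which this portable sketch does not reproduce.
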
851 2016-03-08  Michael Saboff  <msaboff@apple.com>
852
853         [ES6] Regular Expression canonicalization tables for Unicode need to be updated to use Unicode CaseFolding.txt
854         https://bugs.webkit.org/show_bug.cgi?id=155114
855
856         Reviewed by Darin Adler.
857
858         Extracted out the Unicode canonicalization table creation from
859         YarrCanonicalizeUnicode.js into a new Python script, generateYarrCanonicalizeUnicode.
860         That script generates the Unicode tables as the file YarrCanonicalizeUnicode.cpp in
861         DerivedSources/JavaScriptCore.
862
863         Updated the processing of ignore case to make the ASCII short cuts dependent on whether
864         or not we are a Unicode pattern.
865
866         Renamed yarr/YarrCanonicalizeUnicode.{cpp,js} back to their prior names,
867         YarrCanonicalizeUCS2.{cpp,js}.
868         Renamed yarr/YarrCanonicalizeUnicode.h to YarrCanonicalize.h as it declares both the
869         legacy UCS2 and Unicode tables.
870
871         * CMakeLists.txt:
872         * DerivedSources.make:
873         * JavaScriptCore.xcodeproj/project.pbxproj:
874         * generateYarrCanonicalizeUnicode: Added.
875         * ucd: Added.
876         * ucd/CaseFolding.txt: Added.  The current version, 8.0, of the Unicode CaseFolding table.
877         * yarr/YarrCanonicalizeUCS2.cpp: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.cpp.
878         * yarr/YarrCanonicalize.h: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.h.
879         * yarr/YarrCanonicalizeUCS2.js: Copied from Source/JavaScriptCore/yarr/YarrCanonicalizeUnicode.js.
880         (printHeader):
881         * yarr/YarrCanonicalizeUnicode.cpp: Removed.
882         * yarr/YarrCanonicalizeUnicode.h: Removed.
883         * yarr/YarrCanonicalizeUnicode.js: Removed.
884         * yarr/YarrInterpreter.cpp:
885         (JSC::Yarr::Interpreter::tryConsumeBackReference):
886         * yarr/YarrJIT.cpp:
887         * yarr/YarrPattern.cpp:
888         (JSC::Yarr::CharacterClassConstructor::putChar):
889
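For readers unfamiliar with the CaseFolding.txt format the entry now consumes, the following added example (not the project's generateYarrCanonicalizeUnicode script) parses records of the form `<code>; <status>; <mapping>; # <name>` and derives the relation a Unicode-mode ignore-case pattern uses: only the simple mappings (status C and S) take part, while full (F) and Turkic (T) mappings are skipped. The parse functions and the kSampleCaseFolding excerpt are constructed for this example; the records in the excerpt do occur in the real table.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// One record of CaseFolding.txt: <code>; <status>; <mapping>; # <name>
struct CaseFoldingEntry {
    uint32_t code;
    char status;                   // C, F, S or T
    std::vector<uint32_t> mapping; // one code point for C/S/T, possibly several for F
};

static uint32_t parseHex(const std::string& s) {
    return static_cast<uint32_t>(std::stoul(s, nullptr, 16));
}

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos)
        return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Parse all data lines; blank lines and '#' comments are ignored, and a
// malformed record is skipped rather than guessed at.
std::vector<CaseFoldingEntry> parseCaseFolding(const std::string& text) {
    std::vector<CaseFoldingEntry> entries;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        size_t hash = line.find('#');
        if (hash != std::string::npos)
            line = line.substr(0, hash);
        line = trim(line);
        if (line.empty())
            continue;
        std::vector<std::string> fields;
        std::stringstream fs(line);
        std::string field;
        while (std::getline(fs, field, ';'))
            fields.push_back(trim(field));
        if (fields.size() < 3 || fields[1].empty())
            continue;
        CaseFoldingEntry e{parseHex(fields[0]), fields[1][0], {}};
        std::stringstream ms(fields[2]);
        std::string cp;
        while (ms >> cp)
            e.mapping.push_back(parseHex(cp));
        entries.push_back(e);
    }
    return entries;
}

// Simple case folding: the single code point a character folds to (C or S).
std::map<uint32_t, uint32_t> simpleFoldTable(const std::vector<CaseFoldingEntry>& entries) {
    std::map<uint32_t, uint32_t> fold;
    for (const auto& e : entries)
        if ((e.status == 'C' || e.status == 'S') && e.mapping.size() == 1)
            fold[e.code] = e.mapping[0];
    return fold;
}

// Canonical form of a code point: its simple fold, or itself when none exists.
uint32_t canonicalize(const std::map<uint32_t, uint32_t>& fold, uint32_t ch) {
    auto it = fold.find(ch);
    return it == fold.end() ? ch : it->second;
}

// All code points sharing a canonical form: the set an /iu pattern treats as equal.
std::set<uint32_t> equivalenceClass(const std::map<uint32_t, uint32_t>& fold, uint32_t ch) {
    uint32_t target = canonicalize(fold, ch);
    std::set<uint32_t> cls{target};
    for (const auto& kv : fold)
        if (kv.second == target)
            cls.insert(kv.first);
    return cls;
}

// Constructed excerpt of CaseFolding.txt for this example.
const char* const kSampleCaseFolding =
    "# CaseFolding-8.0.0.txt (excerpt, constructed for this example)\n"
    "0041; C; 0061; # LATIN CAPITAL LETTER A\n"
    "004B; C; 006B; # LATIN CAPITAL LETTER K\n"
    "00DF; F; 0073 0073; # LATIN SMALL LETTER SHARP S\n"
    "0130; T; 0069; # LATIN CAPITAL LETTER I WITH DOT ABOVE\n"
    "0130; F; 0069 0307; # LATIN CAPITAL LETTER I WITH DOT ABOVE\n"
    "1E9E; F; 0073 0073; # LATIN CAPITAL LETTER SHARP S\n"
    "1E9E; S; 00DF; # LATIN CAPITAL LETTER SHARP S\n"
    "212A; C; 006B; # KELVIN SIGN\n";

int main() {
    auto fold = simpleFoldTable(parseCaseFolding(kSampleCaseFolding));
    for (uint32_t ch : equivalenceClass(fold, 0x004B))
        std::printf("U+%04X ", ch);
    std::printf("\n");
    return 0;
}
```

The KELVIN SIGN record is the kind of case that makes a table generated from CaseFolding.txt differ from an ASCII-only shortcut: under simple folding U+212A, U+004B and U+006B form one class, which is why the entry makes the ASCII shortcuts conditional on the pattern not being a Unicode pattern.
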
890 2016-03-08  Andreas Kling  <akling@apple.com>
891
892         WeakBlock::visit() should check for a WeakHandleOwner before consulting mark bits.
893         <https://webkit.org/b/155154>
894
895         Reviewed by Darin Adler.
896
897         Reorder the checks in WeakBlock::visit() so we don't look at the mark bits in MarkedBlock
898         unless the current WeakImpl has a WeakHandleOwner we need to consult.
899
900         I was originally hoping to make an optimization that could skip over entire WeakBlocks
901         if they didn't have a single WeakHandleOwner, but it turns out that scenario is not as
902         common as I suspected.
903
904         * heap/WeakBlock.cpp:
905         (JSC::WeakBlock::visit):
906
907 2016-03-07  Saam barati  <sbarati@apple.com>
908
909         [ES6] Implement revocable proxies
910         https://bugs.webkit.org/show_bug.cgi?id=154321
911
912         Reviewed by Mark Lam.
913
914         This patch is a straight forward implementation of Proxy.revocable
915         with respect to section 26.2.2.1 of the ECMAScript spec.
916         https://tc39.github.io/ecma262/#sec-proxy.revocable
917
918         This patch also fixes a bug in Proxy where we
919         were incorrectly caching "in", i.e., `"x" in proxy`.
920         We should never blatantly cache this because caching is observable
921         behavior by users of the language. We could come up with
922         a smarter caching scheme that caches only if the Proxy's
923         handler doesn't have a "has" property, i.e., we don't have
924         to call out to JS code. But for now, it's easiest to disable
925         caching.
926
927         * CMakeLists.txt:
928         * JavaScriptCore.xcodeproj/project.pbxproj:
929         * runtime/JSGlobalObject.cpp:
930         (JSC::JSGlobalObject::init):
931         (JSC::JSGlobalObject::visitChildren):
932         * runtime/JSGlobalObject.h:
933         (JSC::JSGlobalObject::moduleRecordStructure):
934         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
935         (JSC::JSGlobalObject::proxyObjectStructure):
936         (JSC::JSGlobalObject::proxyRevokeStructure):
937         (JSC::JSGlobalObject::wasmModuleStructure):
938         * runtime/ProxyConstructor.cpp:
939         (JSC::ProxyConstructor::create):
940         (JSC::ProxyConstructor::ProxyConstructor):
941         (JSC::makeRevocableProxy):
942         (JSC::proxyRevocableConstructorThrowError):
943         (JSC::ProxyConstructor::finishCreation):
944         (JSC::constructProxyObject):
945         * runtime/ProxyConstructor.h:
946         (JSC::ProxyConstructor::createStructure):
947         * runtime/ProxyObject.cpp:
948         (JSC::ProxyObject::finishCreation):
949         (JSC::performProxyGet):
950         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
951         (JSC::ProxyObject::performHasProperty):
952         (JSC::ProxyObject::performPut):
953         (JSC::performProxyCall):
954         (JSC::performProxyConstruct):
955         (JSC::ProxyObject::performDelete):
956         (JSC::ProxyObject::performPreventExtensions):
957         (JSC::ProxyObject::performIsExtensible):
958         (JSC::ProxyObject::performDefineOwnProperty):
959         (JSC::ProxyObject::performGetOwnPropertyNames):
960         (JSC::ProxyObject::performSetPrototype):
961         (JSC::ProxyObject::performGetPrototype):
962         (JSC::ProxyObject::getPrototype):
963         (JSC::ProxyObject::revoke):
964         (JSC::ProxyObject::visitChildren):
965         * runtime/ProxyObject.h:
966         (JSC::ProxyObject::create):
967         * runtime/ProxyRevoke.cpp: Added.
968         (JSC::ProxyRevoke::create):
969         (JSC::ProxyRevoke::ProxyRevoke):
970         (JSC::ProxyRevoke::finishCreation):
971         (JSC::performProxyRevoke):
972         (JSC::ProxyRevoke::getCallData):
973         (JSC::ProxyRevoke::visitChildren):
974         * runtime/ProxyRevoke.h: Added.
975         (JSC::ProxyRevoke::createStructure):
976         (JSC::ProxyRevoke::proxy):
977         (JSC::ProxyRevoke::setProxyToNull):
978         * tests/stress/proxy-has-property.js:
979         (assert):
980         (assert.let.handler.has):
981         (assert.let.foo):
982         * tests/stress/proxy-revoke.js: Added.
983         (assert):
984         (throw.new.Error.):
985         (throw.new.Error):
986         (callAllHandlers):
987         (shouldThrowNullHandler):
988         (allHandlersShouldThrow):
989         (i.let.trap.of.traps.trap.string_appeared_here.func):
990         (i.let.trap.of.traps.else.func):
991         (i.Proxy.revocable):
992
993 2016-03-07  Csaba Osztrogonác  <ossy@webkit.org>
994
995         Fix the ARM build after r197687
996         https://bugs.webkit.org/show_bug.cgi?id=155128
997
998         Reviewed by Saam Barati.
999
1000         * assembler/MacroAssemblerARM.h:
1001         (JSC::MacroAssemblerARM::moveZeroToDouble):
1002
1003 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
1004
1005         Reduce the number of instructions needed to record the last regexp result
1006         https://bugs.webkit.org/show_bug.cgi?id=155161
1007
1008         Reviewed by Sam Weinig.
1009
1010         This tightens up RegExpCachedResult::record(). My profiling shows that we spend just
1011         over 1% of the time in Octane/regexp in this function. This function had two obvious
1012         redundancies:
1013
1014         1) It executed the write barrier on owner twice. It only needs to execute it once. Since
1015            the same RegExpConstructor is likely to be used many times, it makes sense to do the
1016            barrier without looking at the 'to' objects at all. In steady state, this means that
1017            the RegExpConstructor will simply be OldGrey so this one barrier will always skip the
1018            slow path.
1019
1020         2) It cleared some fields that didn't need to be cleared, since we can just use
1021            m_reified to indicate that the fields are not meaningful anymore.
1022
1023         This is meant to be a microscopic regexp speed-up.
1024
1025         * runtime/RegExpCachedResult.cpp:
1026         (JSC::RegExpCachedResult::visitChildren):
1027         (JSC::RegExpCachedResult::lastResult):
1028         * runtime/RegExpCachedResult.h:
1029         (JSC::RegExpCachedResult::record):
1030
1031 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
1032
1033         createRegExpMatchesArray should allocate substrings more quickly
1034         https://bugs.webkit.org/show_bug.cgi?id=155160
1035
1036         Reviewed by Sam Weinig.
1037
1038         This was calling a version of jsSubstring() that isn't inlineable because it was doing a lot
1039         of checks in finishCreation(). In particular, it was checking that the base string is not
1040         itself a substring and that it's been resolved. We don't need those checks here, since the
1041         string must have been resolved prior to regexp processing.
1042
1043         This patch is also smart about whether to do checks for the empty and full substrings. In
1044         the matches array loop, these checks are super unlikely to be profitable, so we just
1045         unconditionally allocate the substring.
1046
1047         This removes those checks and makes the allocation inlineable. It looks like a 1% speed-up
1048         on Octane/regexp.
1049
1050         * runtime/JSString.h:
1051         (JSC::jsSubstring):
1052         (JSC::jsSubstringOfResolved):
1053         * runtime/RegExpMatchesArray.cpp:
1054         (JSC::createRegExpMatchesArray):
1055
1056 2016-03-07  Benjamin Poulain  <bpoulain@apple.com>
1057
1058         [JSC] Small clean up of how we use SSA's valuesAtHead
1059         https://bugs.webkit.org/show_bug.cgi?id=155152
1060
1061         Reviewed by Filip Pizlo.
1062
1063         liveAtHead and valuesAtHead contain the same nodes;
1064         we do not need the extra lookup.
1065
1066         This also opens the way to use the same kind of liveness
1067         analysis as Air (where live values at head do not use a set).
1068
1069         * dfg/DFGInPlaceAbstractState.cpp:
1070         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1071         (JSC::DFG::InPlaceAbstractState::merge):
1072
1073 2016-03-07  Brian Burg  <bburg@apple.com>
1074
1075         Web Inspector: the protocol generator should generate factory method stubs for protocol types
1076         https://bugs.webkit.org/show_bug.cgi?id=155103
1077         <rdar://problem/25002772>
1078
1079         Reviewed by Timothy Hatcher.
1080
1081         Generate stubs with unique names so that parsing methods can be used
1082         reflectively at runtime, based on the protocol version that's loaded.
1083
1084         * JavaScriptCore.xcodeproj/project.pbxproj:
1085         * inspector/scripts/codegen/__init__.py:
1086         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1087         Added. For each type in a domain, add a method of the form
1088         -[ProtocolTypeConversions _parseXXX:fromPayload]. This is in a category
1089         method, and the selector is only ever looked up at runtime.
1090
1091         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
1092         * inspector/scripts/generate-inspector-protocol-bindings.py:
1093         (generate_from_specification):
1094
1095         Rebaseline test results with new generator output.
1096
1097         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1098         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1099         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1100         * inspector/scripts/tests/expected/enum-values.json-result:
1101         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1102         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1103         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1104         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1105         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1106         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1107         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1108         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1109         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1110
1111 2016-03-07  Filip Pizlo  <fpizlo@apple.com>
1112
1113         RegExp.prototype.exec() should call into Yarr at most once
1114         https://bugs.webkit.org/show_bug.cgi?id=155139
1115
1116         Reviewed by Saam Barati.
1117
1118         For apparently no good reason, RegExp.prototype.match() was calling into Yarr twice, almost
1119         as if it was hoping that the non-matching case was so common that it was best to have the
1120         matching case do the work all over again.
1121
1122         This is a 4% speed-up on Octane/regexp. It's also a matter of common sense: we should not be
1123         in the business of presuming whether someone's match will succeed or fail. The increased
1124         cost of running Yarr twice is so much larger than whatever savings we were getting from
1125         running a match-only regexp that this is just not a good overall deal for the engine.
1126
1127         Also, it's interesting that we are seeing a 4% speed-up on regexp despite the fact that a
1128         majority (almost a supermajority, I think) of calls into RegExp.prototype.match() are failed
1129         matches. So, this change is a 4% speed-up despite being a slow down on the common case. That
1130         tells you just how bad the old behavior was on the uncommon case.
1131
1132         * runtime/MatchResult.h:
1133         (MatchResult::MatchResult):
1134         (MatchResult::failed):
1135         (MatchResult::operator bool):
1136         * runtime/RegExpCachedResult.cpp:
1137         (JSC::RegExpCachedResult::lastResult):
1138         * runtime/RegExpConstructor.h:
1139         (JSC::RegExpConstructor::setMultiline):
1140         (JSC::RegExpConstructor::multiline):
1141         (JSC::RegExpConstructor::performMatch):
1142         (JSC::RegExpConstructor::recordMatch):
1143         * runtime/RegExpMatchesArray.cpp:
1144         (JSC::createRegExpMatchesArray):
1145         (JSC::createEmptyRegExpMatchesArray):
1146         (JSC::createStructureImpl):
1147         * runtime/RegExpMatchesArray.h:
1148         (JSC::createRegExpMatchesArray):
1149         * runtime/RegExpObject.cpp:
1150         (JSC::RegExpObject::put):
1151         (JSC::getLastIndexAsUnsigned):
1152         (JSC::RegExpObject::exec):
1153         (JSC::RegExpObject::match):
1154         * runtime/RegExpObject.h:
1155         (JSC::RegExpObject::getLastIndex):
1156         (JSC::RegExpObject::test):
1157         * runtime/StringPrototype.cpp:
1158         (JSC::stringProtoFuncMatch):
1159
1160 2016-03-07  Joseph Pecoraro  <pecoraro@apple.com>
1161
1162         Heap Snapshot should include different Edge types and data (Property, Index, Variable)
1163         https://bugs.webkit.org/show_bug.cgi?id=154937
1164
1165         Reviewed by Geoffrey Garen.
1166
1167         * heap/SlotVisitor.cpp:
1168         (JSC::SlotVisitor::appendHidden):
1169         * heap/SlotVisitor.h:
1170         * heap/SlotVisitorInlines.h:
1171         (JSC::SlotVisitor::appendHidden):
1172         (JSC::SlotVisitor::appendValuesHidden):
1173         Add new visit methods to visit a reference without snapshotting the edge.
1174
1175         * heap/Heap.cpp:
1176         (JSC::AddExtraHeapSnapshotEdges::AddExtraHeapSnapshotEdges):
1177         (JSC::AddExtraHeapSnapshotEdges::operator()):
1178         (JSC::Heap::addHeapSnapshotEdges):
1179         (JSC::Heap::removeDeadHeapSnapshotNodes):
1180         (JSC::Heap::collectImpl):
1181         * heap/Heap.h:
1182         After marking, visit the live cells for a chance to record extra
1183         heap snapshotting information about the cell.
1184
1185         * heap/HeapSnapshotBuilder.cpp:
1186         (JSC::HeapSnapshotBuilder::appendNode):
1187         (JSC::HeapSnapshotBuilder::appendEdge):
1188         (JSC::HeapSnapshotBuilder::appendPropertyNameEdge):
1189         (JSC::HeapSnapshotBuilder::appendVariableNameEdge):
1190         (JSC::HeapSnapshotBuilder::appendIndexEdge):
1191         (JSC::HeapSnapshotBuilder::json):
1192         * heap/HeapSnapshotBuilder.h:
1193         (JSC::HeapSnapshotEdge::HeapSnapshotEdge):
1194         Construct edges with extra data.
1195
1196         * runtime/ClassInfo.h:
1197         * runtime/JSCell.cpp:
1198         (JSC::JSCell::heapSnapshot):
1199         * runtime/JSCell.h:
1200         Add a new method to provide cells with an opportunity to provide
1201         extra heap snapshotting information.
1202
1203         * runtime/JSObject.cpp:
1204         (JSC::JSObject::visitButterfly):
1205         (JSC::JSObject::visitChildren):
1206         (JSC::JSObject::heapSnapshot):
1207         (JSC::JSFinalObject::visitChildren):
1208         * runtime/JSObject.h:
1209         Capture object property names and index names when heap snapshotting.
1210         Do not include them as internal edges in normal visitChildren.
1211
1212         * runtime/JSEnvironmentRecord.cpp:
1213         (JSC::JSEnvironmentRecord::visitChildren):
1214         (JSC::JSEnvironmentRecord::heapSnapshot):
1215         * runtime/JSEnvironmentRecord.h:
1216         * runtime/JSSegmentedVariableObject.cpp:
1217         (JSC::JSSegmentedVariableObject::visitChildren):
1218         (JSC::JSSegmentedVariableObject::heapSnapshot):
1219         * runtime/JSSegmentedVariableObject.h:
1220         Capture scope variable names when heap snapshotting.
1221
1222         * runtime/Structure.cpp:
1223         (JSC::Structure::visitChildren):
1224         * runtime/Structure.h:
1225         * runtime/StructureInlines.h:
1226         (JSC::Structure::propertyTable):
1227         When performing a heap snapshotting collection, don't clear the
1228         property table so that accessing the table during this GC is okay.
1229
1230         * tests/heapProfiler/driver/driver.js:
1231         * tests/heapProfiler/property-edge-types.js: Added.
1232         * tests/heapProfiler/variable-edge-types.js: Added.
1233         Tests covering the different edge types and data we capture.
1234
1235 2016-03-07  Saam barati  <sbarati@apple.com>
1236
1237         [ES6] Implement Proxy.[[GetPrototypeOf]]
1238         https://bugs.webkit.org/show_bug.cgi?id=155099
1239
1240         Reviewed by Mark Lam.
1241
1242         This patch is a straight forward implementation of Proxy.[[GetPrototypeOf]]
1243         with respect to section 9.5.1 of the ECMAScript spec.
1244         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-getprototypeof
1245
1246         * runtime/ProxyObject.cpp:
1247         (JSC::performProxyGet):
1248         (JSC::ProxyObject::setPrototype):
1249         (JSC::ProxyObject::performGetPrototype):
1250         (JSC::ProxyObject::getPrototype):
1251         (JSC::ProxyObject::visitChildren):
1252         * runtime/ProxyObject.h:
1253         * tests/es6.yaml:
1254         * tests/stress/proxy-get-prototype-of.js: Added.
1255         (assert):
1256         (throw.new.Error.let.handler.get getPrototypeOf):
1257         (throw.new.Error.get let):
1258         (throw.new.Error.get catch):
1259         (throw.new.Error):
1260         (assert.let.handler.getPrototypeOf):
1261         (assert.get let):
1262         (assert.get catch):
1263         (assert.):
1264         (let.handler.getPrototypeOf):
1265         (get let):
1266         (let.handler.has):
1267
1268 2016-03-07  Brian Burg  <bburg@apple.com>
1269
1270         Web Inspector: rename generated *EnumConversionHelpers.h to *TypeConversions.h
1271         https://bugs.webkit.org/show_bug.cgi?id=155121
1272         <rdar://problem/25010391>
1273
1274         Reviewed by Timothy Hatcher.
1275
1276         Split out this renaming from the work to generate factory method stubs for types.
1277
1278         * JavaScriptCore.xcodeproj/project.pbxproj:
1279         * inspector/scripts/codegen/__init__.py:
1280         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1281         (ObjCConfigurationImplementationGenerator.generate_output):
1282         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1283         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1284         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objc_conversion_helpers.py.
1285         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1286         (ObjCProtocolTypesImplementationGenerator.generate_output):
1287         * inspector/scripts/codegen/objc_generator_templates.py:
1288         * inspector/scripts/generate-inspector-protocol-bindings.py:
1289         (generate_from_specification):
1290
1291         Rebaseline tests after changing generator order.
1292
1293         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1294         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1295         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1296         * inspector/scripts/tests/expected/enum-values.json-result:
1297         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1298         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1299         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1300         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1301         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1302         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1303         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1304         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1305         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1306
1307 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
1308
1309         [JSC] Improve and64() and or64() with immediate on x86
1310         https://bugs.webkit.org/show_bug.cgi?id=155104
1311
1312         Reviewed by Geoffrey Garen.
1313
1314         GetButterflyReadOnly was doing:
1315             movq 0x8(%rbx), %r9
1316             movq $0xfffffffffffffffc, %r11
1317             andq %r11, %r9
1318         There is no need for the move to load the immediate;
1319         andq sign-extends its immediate.
1320
1321         With this patch, we have:
1322             movq 0x8(%rbx), %r9
1323             andq $0xfffffffffffffffc, %r9
1324
1325         * assembler/MacroAssemblerX86_64.h:
1326         (JSC::MacroAssemblerX86_64::and64):
1327         (JSC::MacroAssemblerX86_64::or64):
1328
1329 2016-03-07  Brian Burg  <bburg@apple.com>
1330
1331         Web Inspector: It should be possible to initialize generated ObjC protocol types from an NSDictionary payload
1332         https://bugs.webkit.org/show_bug.cgi?id=155102
1333         <rdar://problem/25002015>
1334
1335         Reviewed by Timothy Hatcher.
1336
1337         In Objective-C code, we sometimes prefer to parse JSON using Cocoa rather
1338         than the InspectorValue classes. Support initializing protocol objects
1339         directly from an NSDictionary payload. This delegates validation of values to
1340         the setter methods that already exist on the protocol object classes.
1341
1342         * inspector/scripts/codegen/generate_objc_header.py:
1343         (ObjCHeaderGenerator._generate_type_interface):
1344         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1345         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1346         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
1347         * inspector/scripts/codegen/objc_generator.py:
1348         (ObjCGenerator.payload_to_objc_expression_for_member):
1349         Add a new helper method to generate an expression to unpack the value
1350         from an NSDictionary. If it's not a primitive, the setter performs
1351         validation of the value's kind using -[NSObject isKindOfClass:].
1352
1353         Rebaseline relevant tests.
1354
1355         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1356         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1357         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1358         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1359         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1360         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1361         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1362
1363 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
1364
1365         [JSC] Simplify the overflow check of ArithAbs
1366         https://bugs.webkit.org/show_bug.cgi?id=155063
1367
1368         Reviewed by Geoffrey Garen.
1369
1370         The only integer that overflows abs(int32) is INT_MIN.
1371         For some reason, our code testing for that case
1372         was checking the top bit of the result specifically.
1373
1374         The code required a large immediate on x86 and an extra
1375         register on ARM64.
1376
1377         This patch turns the overflow check into a branch on
1378         the sign of the result.
1379
1380         * dfg/DFGSpeculativeJIT32_64.cpp:
1381         (JSC::DFG::SpeculativeJIT::compile):
1382         * dfg/DFGSpeculativeJIT64.cpp:
1383         (JSC::DFG::SpeculativeJIT::compile):
1384         * ftl/FTLLowerDFGToB3.cpp:
1385         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
1386         * jit/ThunkGenerators.cpp:
1387         (JSC::absThunkGenerator):
1388         * tests/stress/arith-abs-overflow.js: Added.
1389         (opaqueAbs):
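
Added example in JavaScript (not WebKit code, and not the stress test named above): it models the Int32 ArithAbs overflow case on a wrapping 32-bit register and shows that the old top-bit test and the new sign test agree, with INT32_MIN as the single overflowing input. The function names are hypothetical.

```javascript
// Added example (not WebKit code): models the Int32 ArithAbs overflow check.
// DFG computes |x| in a 32-bit register, so the result must itself be an int32.
const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

function isInt32(x) {
  return (x | 0) === x;
}

// Wrapping 32-bit absolute value, as a register-level negation would produce.
function wrappedAbs32(x) {
  return x < 0 ? (-x) | 0 : x;
}

// Previous check described in the entry: test the top bit of the result, which
// needs the 0x80000000 mask as an immediate.
function overflowedTopBitCheck(result) {
  return (result & 0x80000000) !== 0;
}

// New check: branch on the sign of the result. INT32_MIN is the only input whose
// absolute value does not fit, and its wrapped negation is INT32_MIN again, so a
// negative result is exactly the overflow case.
function overflowedSignCheck(result) {
  return result < 0;
}

// Returns the int32 absolute value, or null where the JIT would have to bail out
// (hypothetical helper modelling the speculation failure).
function int32Abs(x) {
  if (!isInt32(x)) throw new TypeError("expected an int32");
  const result = wrappedAbs32(x);
  return overflowedSignCheck(result) ? null : result;
}

// Confirms that both checks agree on the boundary values (constructed inputs)
// and that INT32_MIN is the sole overflowing input.
function checksAgree() {
  const samples = [INT32_MIN, INT32_MIN + 1, -1, 0, 1, INT32_MAX];
  return samples.every(x => {
    const r = wrappedAbs32(x);
    return overflowedTopBitCheck(r) === overflowedSignCheck(r)
      && overflowedSignCheck(r) === (x === INT32_MIN);
  });
}
```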
1390
1391 2016-03-07  Benjamin Poulain  <bpoulain@apple.com>
1392
1393         [JSC] Improve how DFG zeroes Floating Point registers
1394         https://bugs.webkit.org/show_bug.cgi?id=155096
1395
1396         Reviewed by Geoffrey Garen.
1397
1398         DFG had a weird way of zeroing a FPR:
1399             -zero a GP.
1400             -move that to a FP.
1401
1402         Filip added moveZeroToDouble() for B3. This patch
1403         uses that in the lower tiers.
1404
1405         * assembler/MacroAssemblerARMv7.h:
1406         (JSC::MacroAssemblerARMv7::moveZeroToDouble):
1407         * dfg/DFGSpeculativeJIT64.cpp:
1408         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1409         * jit/ThunkGenerators.cpp:
1410         (JSC::floorThunkGenerator):
1411         (JSC::roundThunkGenerator):
1412
1413 2016-03-07  Andreas Kling  <akling@apple.com>
1414
1415         REGRESSION (r197303): Web Inspector crashes web process when inspecting an element on TOT
1416         <https://webkit.org/b/154812>
1417
1418         Reviewed by Geoffrey Garen.
1419
1420         Guard against null pointer dereference for UnlinkedCodeBlocks that don't have any control flow
1421         profiling data.
1422
1423         * bytecode/CodeBlock.cpp:
1424         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1425         * bytecode/UnlinkedCodeBlock.h:
1426         (JSC::UnlinkedCodeBlock::hasOpProfileControlFlowBytecodeOffsets):
1427
1428 2016-03-07  Benjamin Poulain  <benjamin@webkit.org>
1429
1430         [JSC] Remove a useless "Move" from baseline-JIT op_mul's fast path
1431         https://bugs.webkit.org/show_bug.cgi?id=155071
1432
1433         Reviewed by Geoffrey Garen.
1434
1435         We do not need to multiply to a scratch and then move the result
1436         to the destination. We can just multiply to the destination.
1437
1438         * jit/JITArithmetic.cpp:
1439         (JSC::JIT::emit_op_mul):
1440         * jit/JITMulGenerator.cpp:
1441         (JSC::JITMulGenerator::generateFastPath):
1442
1443 2016-03-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1444
1445         [JSC] StringObject.{put, defineOwnProperty} should realize indexed properties
1446         https://bugs.webkit.org/show_bug.cgi?id=155089
1447
1448         Reviewed by Geoffrey Garen.
1449
1450         Through implementing Reflect.set[1], we found StringObject does not obey the spec.
1451         StringObject::put should call putByIndex if the given propertyName is an index.
1452         And StringObject::defineOwnProperty should recognize indexed properties since
1453         JSObject::defineOwnIndexedProperty is specialized to JSObject layout.
1454         Before calling JSObject::defineOwnProperty,
1455         StringObject should handle its special indexed own properties.
1456         It is the responsibility of StringObject::defineOwnProperty.
1457
1458         And the logic is cleaned up by using validateAndApplyPropertyDescriptor.
1459
1460         [1]: https://bugs.webkit.org/show_bug.cgi?id=155024
1461
1462         * runtime/StringObject.cpp:
1463         (JSC::StringObject::put):
1464         (JSC::StringObject::putByIndex):
1465         (JSC::isStringOwnProperty):
1466         (JSC::StringObject::defineOwnProperty):
1467         (JSC::StringObject::deleteProperty):
1468         * tests/stress/string-object-define-own-property.js: Added.
1469         (shouldBe):
1470         (shouldThrow):
1471         * tests/stress/string-object-put-by-index.js: Added.
1472         (shouldBe):
1473         (shouldThrow):
1474         (testSloppy):
1475         (testStrict):
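
Added example in JavaScript (not WebKit's code or the stress tests listed above): it exercises the String exotic object behaviour that StringObject::put and StringObject::defineOwnProperty must honour, namely that in-range indices are read-only, non-configurable own properties while out-of-range indices behave as ordinary properties. Reflect.set is used so [[Set]] reports false instead of throwing; the helper names are hypothetical.

```javascript
// Added example (not WebKit code): observable String exotic object semantics
// that the StringObject fix brings JSC in line with.

// [[Set]] through Reflect.set returns false instead of throwing, so the result
// can be inspected; a strict-mode assignment would throw TypeError on false.
function tryIndexedPut(str, index, value) {
  return Reflect.set(str, index, value);
}

// [[DefineOwnProperty]] either succeeds or throws TypeError when the requested
// descriptor is incompatible with the existing non-configurable index property.
function tryDefineIndexed(str, index, descriptor) {
  try {
    Object.defineProperty(str, index, descriptor);
    return "ok";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}

// Runs the cases on a constructed String object and returns the observations.
function demo() {
  const s = new String("abc");
  return {
    // Index 0 is a read-only own property of the string: [[Set]] fails.
    putInRange: tryIndexedPut(s, 0, "x"),
    // Index 5 is beyond the length: an ordinary own data property is created.
    putOutOfRange: tryIndexedPut(s, 5, "x"),
    primitiveAfterPut: String(s),
    ownAfterPut: s[5],
    // Redefining with the same value and no attribute change is allowed.
    redefineSameValue: tryDefineIndexed(s, "1", { value: "b" }),
    // Any change to value or writability of an index property is rejected.
    redefineOtherValue: tryDefineIndexed(s, "1", { value: "z" }),
    makeWritable: tryDefineIndexed(s, "1", { writable: true }),
    descriptor: Object.getOwnPropertyDescriptor(s, "1"),
  };
}
```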
1476
1477 2016-03-06  Brian Burg  <bburg@apple.com>
1478
1479         Web Inspector: the protocol generator should have separate prefix options for Objective-C classes and filenames
1480         https://bugs.webkit.org/show_bug.cgi?id=155101
1481         <rdar://problem/25000053>
1482
1483         Reviewed by Timothy Hatcher.
1484
1485         It should be possible to generate Objective-C protocol types without prefixing all class names.
1486         The prefixes are only necessary when the generated files are part of a framework, but this isn't
1487         how the generated Objective-C frontend files are used.
1488
1489         Add a separate framework setting and switch over code to use the 'protocol_group' in filenames,
1490         and the 'objc_prefix' for Objective-C enum and class prefixes.
1491
1492         No tests need to be rebaselined because tests always set the protocol_group and objc_prefix
1493         to the same value.
1494
1495         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1496         (ObjCBackendDispatcherHeaderGenerator.output_filename):
1497         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1498         (ObjCConfigurationImplementationGenerator.output_filename):
1499         (ObjCConfigurationImplementationGenerator.generate_output):
1500         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1501         (ObjCConfigurationHeaderGenerator.output_filename):
1502         (ObjCConfigurationHeaderGenerator.generate_output):
1503         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1504         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1505         (ObjCBackendDispatcherImplementationGenerator.output_filename):
1506         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1507         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1508         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1509         (ObjCConversionHelpersGenerator.output_filename):
1510         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1511         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1512         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1513         * inspector/scripts/codegen/generate_objc_header.py:
1514         (ObjCHeaderGenerator.output_filename):
1515         * inspector/scripts/codegen/generate_objc_internal_header.py:
1516         (ObjCInternalHeaderGenerator.output_filename):
1517         (ObjCInternalHeaderGenerator.generate_output):
1518         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1519         (ObjCProtocolTypesImplementationGenerator.output_filename):
1520         (ObjCProtocolTypesImplementationGenerator.generate_output):
1521         * inspector/scripts/codegen/models.py:
1522         * inspector/scripts/codegen/objc_generator.py:
1523         (ObjCGenerator):
1524         (ObjCGenerator.protocol_name):
1525         (ObjCGenerator.objc_prefix):
1526
1527 2016-03-06  Brian Burg  <bburg@apple.com>
1528
1529         Unreviewed, rebaseline inspector protocol generator tests after r197563.
1530
1531         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1532         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1533         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1534         * inspector/scripts/tests/expected/enum-values.json-result:
1535         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1536
1537 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
1538
1539         [JSC] Improve DFG's Int32 ArithMul if one operand is a constant
1540         https://bugs.webkit.org/show_bug.cgi?id=155066
1541
1542         Reviewed by Filip Pizlo.
1543
1544         When multiplying an integer by a constant, DFG was doing quite
1545         a bit worse than baseline JIT.
1546         We were loading the constant into a register, doing the multiply,
1547         then checking the result and both operands for negative zero.
1548
1549         This patch changes:
1550         -Use the multiply-by-immediate form on x86.
1551         -Do as few checks as possible to detect negative-zero.
1552
1553         In most cases, this reduces the negative-zero checks
1554         to zero or one TEST+JUMP.
1555
1556         * assembler/MacroAssembler.h:
1557         (JSC::MacroAssembler::mul32):
1558         * dfg/DFGSpeculativeJIT.cpp:
1559         (JSC::DFG::SpeculativeJIT::compileArithMul):
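
Added example in JavaScript (not WebKit code): it spells out the negative-zero reasoning behind the "zero or one TEST+JUMP" claim for an Int32 multiply by a known constant, and cross-checks the cheap test against the reference IEEE semantics of x * c over a small constructed range. The function names are hypothetical.

```javascript
// Added example (not WebKit code): which negative-zero check an Int32 ArithMul
// needs when one operand is a compile-time constant c.
//
// Returns the single check the JIT must emit so that a -0 result is caught:
//   "none"             : the product can never be -0
//   "result-zero"      : bail out if the product is 0
//   "operand-negative" : bail out if the variable operand is negative
function negativeZeroCheckFor(c) {
  if (c > 0) return "none";           // 0 * c = +0, and x < 0 gives a nonzero product
  if (c < 0) return "result-zero";    // product is 0 only for x = 0, and 0 * c = -0
  return "operand-negative";          // c = 0: product always 0; it is -0 iff x < 0
}

// Reference semantics: does x * c produce -0 under JavaScript number rules?
function producesNegativeZero(x, c) {
  return Object.is(x * c, -0);
}

// Evaluates the check the JIT would emit for a concrete int32 x.
function checkFires(x, c) {
  switch (negativeZeroCheckFor(c)) {
    case "none": return false;
    case "result-zero": return ((x * c) | 0) === 0;
    case "operand-negative": return x < 0;
  }
  throw new Error("unreachable");
}

// Exhaustively compares the cheap check with the reference semantics for
// every constant and operand in [-range, range] (constructed inputs).
function verify(range = 8) {
  for (let c = -range; c <= range; c++)
    for (let x = -range; x <= range; x++)
      if (checkFires(x, c) !== producesNegativeZero(x, c)) return false;
  return true;
}
```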
1560
1561 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
1562
1563         [JSC] Remove a superfluous Move in front of every double unboxing
1564         https://bugs.webkit.org/show_bug.cgi?id=155064
1565
1566         Reviewed by Saam Barati.
1567
1568         Double unboxing was always doing:
1569             Move source, scratch
1570             Add64 tag, scratch
1571             IntToDouble scratch, fp
1572
1573         We do not need to "Move" to copy the source.
1574         Both x86 and ARM64 have an efficient 3-operand Add instruction.
1575
1576         * dfg/DFGSpeculativeJIT.cpp:
1577         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1578         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1579         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
1580         * dfg/DFGSpeculativeJIT.h:
1581         (JSC::DFG::SpeculativeJIT::unboxDouble):
1582         * jit/AssemblyHelpers.h:
1583         (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
1584         (JSC::AssemblyHelpers::unboxDouble):
1585         (JSC::AssemblyHelpers::unboxDoubleNonDestructive):
1586
1587 2016-03-06  Benjamin Poulain  <benjamin@webkit.org>
1588
1589         [JSC] Use 3-operand Add in more places
1590         https://bugs.webkit.org/show_bug.cgi?id=155082
1591
1592         Reviewed by Filip Pizlo.
1593
1594         * assembler/MacroAssembler.h:
1595         (JSC::MacroAssembler::addPtr):
1596         (JSC::MacroAssembler::add32):
1597         * assembler/MacroAssemblerARMv7.h:
1598         (JSC::MacroAssemblerARMv7::add32):
1599         * dfg/DFGSpeculativeJIT.cpp:
1600         (JSC::DFG::SpeculativeJIT::compileArithAdd):
1601         The case with child1 constant is useless.
1602         The canonical form will have the constant as child2.
1603
1604         Also add register reuse for the fast-add.
1605         Registers are a scarce resource on x86.
1606
1607         * jit/CCallHelpers.h:
1608         (JSC::CCallHelpers::prepareForTailCallSlow):
1609         * yarr/YarrJIT.cpp:
1610         (JSC::Yarr::YarrGenerator::generate):
1611
1612 2016-03-06  Benjamin Poulain  <bpoulain@apple.com>
1613
1614         [JSC] Improve codegen of Compare and Test
1615         https://bugs.webkit.org/show_bug.cgi?id=155055
1616
1617         Reviewed by Filip Pizlo.
1618
1619         This patch introduces a few improvements on how we lower
1620         Compare and Test with immediates:
1621             -Add certain Immediate forms of ARM64.
1622             -Use CBZ/CBNZ when possible on ARM64.
1623             -When possible, convert a CMP into a TST
1624              On some hardware, we can issue more TST simultaneously.
1625
1626              On x86, any TST+Jump is a candidate for macro-fusion.
1627              They are also smaller.
1628              (sections 3.4.2.2 and 3.5.1.9)
1629             -Do not load the mask immediate of a TST
1630              if it only contains ones (mostly useful for ARM64
1631              since that would not have been a valid immediate).
1632
1633         * assembler/MacroAssembler.h:
1634         (JSC::MacroAssembler::compare32):
1635         * assembler/MacroAssemblerARM64.h:
1636         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
1637         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
1638         This is somewhat unrelated but I found that out while working
1639         on moveDoubleConditionallyTest32:
1640             If "thenCase" and "dest" are assigned the same register
1641             by the allocator, then the first (f)fcsel would override
1642             the "thenCase" and the second fcsel would always be "elseCase".
1643
1644         This is covered by testb3 but was only uncovered
1645         after recent "Move" removals in lowering.
1646
1647         (JSC::MacroAssemblerARM64::moveConditionally32):
1648         (JSC::MacroAssemblerARM64::moveConditionally64):
1649         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
1650         (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
1651         (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
1652         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
1653         (JSC::MacroAssemblerARM64::branch32):
1654         (JSC::MacroAssemblerARM64::branch64):
1655         (JSC::MacroAssemblerARM64::branchTest32):
1656         (JSC::MacroAssemblerARM64::test32):
1657         The version taking an immediate was guarded by
1658         (cond == Zero) || (cond == NonZero). That is overzealous,
1659         and only needed for CBZ/CBNZ.
1660
1661         (JSC::MacroAssemblerARM64::branchTest64):
1662         (JSC::MacroAssemblerARM64::compare32):
1663         (JSC::MacroAssemblerARM64::compare64):
1664         (JSC::MacroAssemblerARM64::commuteCompareToZeroIntoTest):
1665         * assembler/MacroAssemblerX86Common.h:
1666         (JSC::MacroAssemblerX86Common::moveConditionally32):
1667         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
1668         (JSC::MacroAssemblerX86Common::branch32):
1669         (JSC::MacroAssemblerX86Common::test32):
1670         (JSC::MacroAssemblerX86Common::branchTest32):
1671         (JSC::MacroAssemblerX86Common::compare32):
1672         (JSC::MacroAssemblerX86Common::commuteCompareToZeroIntoTest):
1673         * assembler/MacroAssemblerX86_64.h:
1674         (JSC::MacroAssemblerX86_64::compare64):
1675         (JSC::MacroAssemblerX86_64::branch64):
1676         (JSC::MacroAssemblerX86_64::moveConditionally64):
1677         * b3/B3LowerToAir.cpp:
1678         (JSC::B3::Air::LowerToAir::createGenericCompare):
1679         Unfortunately this cannot be abstracted by the MacroAssembler.
1680         Those immediates are not valid; we have to pick the better
1681         form right away.
1682
1683         * b3/air/AirOpcode.opcodes:
1684         * b3/testb3.cpp:
1685         (JSC::B3::int64Operands):
1686         (JSC::B3::modelCompare):
1687         (JSC::B3::testCompareImpl):
1688         (JSC::B3::testCompare):
1689         (JSC::B3::b3Pow):
1690         (JSC::B3::testPowDoubleByIntegerLoop):
1691         Some versions of pow(double, int) do not return
1692         the exact same bits as our integer loop.
1693         Added a new version to have the same behavior
1694         as the B3 loop.
1695
1696         (JSC::B3::run):
1697         * dfg/DFGSpeculativeJIT.cpp:
1698         (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
1699         * dfg/DFGSpeculativeJIT64.cpp:
1700         (JSC::DFG::SpeculativeJIT::compileInt32Compare):
1701         Comparing to an immediate is super common. Do not waste
1702         a register for that!
1703
1704 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
1705
1706         Unreviewed, fix build. This was a messed up merge.
1707
1708         * ftl/FTLLowerDFGToB3.cpp:
1709         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1710
1711 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
1712
1713         DFG should know how to speculate StringOrOther
1714         https://bugs.webkit.org/show_bug.cgi?id=155094
1715
1716         Reviewed by Saam Barati.
1717
1718         Any code that processes the regexp matches array was previously doing a relatively expensive
1719         Branch(Untyped:). This introduces a new use kind called StringOrOther, which is perfect for
1720         code that loops over the matches array and branches on the entries being non-empty.
1721
1722         To do this, I needed to introduce code into the FTL that creates new blocks. We still had that
1723         awful FTL_NEW_BLOCK idiom since the only way to debug LLVM IR was to ascribe names to basic
1724         blocks. B3 IR is inherently more debuggable since unlike LLVM, B3 knows how to always respect
1725         code origin, and it knows how to print the code origin nicely in the dumps. So, rather than
1726         continue using FTL_NEW_BLOCK(m_out, ("things")), I replaced all of that stuff with
1727         m_out.newBlock(). It's much nicer that way.
1728
1729         This is a tiny speed-up on Octane/regexp at best. I was hoping for more. Oh well.
1730
1731         * bytecode/SpeculatedType.h:
1732         (JSC::isStringSpeculation):
1733         (JSC::isStringOrOtherSpeculation):
1734         (JSC::isSymbolSpeculation):
1735         * dfg/DFGFixupPhase.cpp:
1736         (JSC::DFG::FixupPhase::fixupNode):
1737         * dfg/DFGNode.h:
1738         (JSC::DFG::Node::shouldSpeculateString):
1739         (JSC::DFG::Node::shouldSpeculateStringOrOther):
1740         (JSC::DFG::Node::shouldSpeculateStringObject):
1741         * dfg/DFGSafeToExecute.h:
1742         (JSC::DFG::SafeToExecuteEdge::operator()):
1743         * dfg/DFGSpeculativeJIT.cpp:
1744         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
1745         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
1746         (JSC::DFG::SpeculativeJIT::emitStringBranch):
1747         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
1748         (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
1749         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1750         (JSC::DFG::SpeculativeJIT::speculateString):
1751         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
1752         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
1753         (JSC::DFG::SpeculativeJIT::speculate):
1754         * dfg/DFGSpeculativeJIT.h:
1755         * dfg/DFGSpeculativeJIT32_64.cpp:
1756         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1757         (JSC::DFG::SpeculativeJIT::emitBranch):
1758         * dfg/DFGSpeculativeJIT64.cpp:
1759         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1760         (JSC::DFG::SpeculativeJIT::emitBranch):
1761         * dfg/DFGUseKind.cpp:
1762         (WTF::printInternal):
1763         * dfg/DFGUseKind.h:
1764         (JSC::DFG::typeFilterFor):
1765         * ftl/FTLCapabilities.cpp:
1766         (JSC::FTL::canCompile):
1767         * ftl/FTLLowerDFGToB3.cpp:
1768         (JSC::FTL::DFG::LowerDFGToB3::lower):
1769         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
1770         (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
1771         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
1772         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
1773         (JSC::FTL::DFG::LowerDFGToB3::compileArithDiv):
1774         (JSC::FTL::DFG::LowerDFGToB3::compileArithMod):
1775         (JSC::FTL::DFG::LowerDFGToB3::compileArithMinOrMax):
1776         (JSC::FTL::DFG::LowerDFGToB3::compileArithPow):
1777         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1778         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructure):
1779         (JSC::FTL::DFG::LowerDFGToB3::compileArrayifyToStructure):
1780         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
1781         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1782         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1783         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1784         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1785         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
1786         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
1787         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1788         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1789         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1790         (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest):
1791         (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
1792         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1793         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1794         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
1795         (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
1796         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1797         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1798         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1799         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1800         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
1801         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
1802         (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite):
1803         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1804         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
1805         (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
1806         (JSC::FTL::DFG::LowerDFGToB3::compileIsString):
1807         (JSC::FTL::DFG::LowerDFGToB3::compileIsObject):
1808         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
1809         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
1810         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
1811         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
1812         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1813         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1814         (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty):
1815         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1816         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
1817         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
1818         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1819         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1820         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
1821         (JSC::FTL::DFG::LowerDFGToB3::checkStructure):
1822         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
1823         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
1824         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1825         (JSC::FTL::DFG::LowerDFGToB3::loadVectorWithBarrier):
1826         (JSC::FTL::DFG::LowerDFGToB3::copyBarrier):
1827         (JSC::FTL::DFG::LowerDFGToB3::loadVectorReadOnly):
1828         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
1829         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
1830         (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
1831         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
1832         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1833         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd):
1834         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1835         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1836         (JSC::FTL::DFG::LowerDFGToB3::boolify):
1837         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
1838         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
1839         (JSC::FTL::DFG::LowerDFGToB3::switchString):
1840         (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
1841         (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
1842         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
1843         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
1844         (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToJSValue):
1845         (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
1846         (JSC::FTL::DFG::LowerDFGToB3::convertDoubleToInt32):
1847         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1848         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
1849         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
1850         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
1851         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
1852         (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent):
1853         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrStringObject):
1854         (JSC::FTL::DFG::LowerDFGToB3::speculateRealNumber):
1855         (JSC::FTL::DFG::LowerDFGToB3::speculateNotStringVar):
1856         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
1857         (JSC::FTL::DFG::LowerDFGToB3::callCheck):
1858         * ftl/FTLOutput.cpp:
1859         (JSC::FTL::Output::initialize):
1860         (JSC::FTL::Output::newBlock):
1861         (JSC::FTL::Output::check):
1862         * ftl/FTLOutput.h:
1863         (JSC::FTL::Output::setFrequency):
1864         (JSC::FTL::Output::insertNewBlocksBefore):
1865
1866 2016-03-06  Saam Barati  <sbarati@apple.com>
1867
1868         [[GetPrototypeOf]] should be a fully virtual method in the method table
1869         https://bugs.webkit.org/show_bug.cgi?id=155002
1870
1871         Reviewed by Filip Pizlo.
1872
1873         This patch makes us more consistent with how the ES6 specification models the
1874         [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable
1875         is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
1876         still allows directly accessing the prototype for situations where this
1877         is the desired behavior. This is equivalent to getting the internal
1878         [[Prototype]] field as described in the specification.
1879
1880         * API/JSObjectRef.cpp:
1881         (JSObjectGetPrototype):
1882         (JSObjectSetPrototype):
1883         * dfg/DFGOperations.cpp:
1884         * dfg/DFGOperations.h:
1885         * dfg/DFGSpeculativeJIT.cpp:
1886         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1887         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
1888         * ftl/FTLLowerDFGToB3.cpp:
1889         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1890         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
1891         * jit/JITOpcodes.cpp:
1892         (JSC::JIT::emit_op_instanceof):
1893         (JSC::JIT::emitSlow_op_instanceof):
1894         * jit/JITOpcodes32_64.cpp:
1895         (JSC::JIT::emit_op_instanceof):
1896         (JSC::JIT::emitSlow_op_instanceof):
1897         * jit/JITOperations.cpp:
1898         * jit/JITOperations.h:
1899         * jsc.cpp:
1900         (functionCreateProxy):
1901         * llint/LLIntSlowPaths.cpp:
1902         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1903         * llint/LowLevelInterpreter.asm:
1904         * llint/LowLevelInterpreter32_64.asm:
1905         * llint/LowLevelInterpreter64.asm:
1906         * runtime/ArrayPrototype.cpp:
1907         (JSC::speciesConstructArray):
1908         * runtime/ClassInfo.h:
1909         * runtime/FunctionPrototype.cpp:
1910         (JSC::functionProtoFuncBind):
1911         * runtime/IntlCollatorPrototype.cpp:
1912         (JSC::IntlCollatorPrototypeGetterCompare):
1913         * runtime/IntlDateTimeFormatPrototype.cpp:
1914         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1915         * runtime/IntlNumberFormatPrototype.cpp:
1916         (JSC::IntlNumberFormatPrototypeGetterFormat):
1917         * runtime/JSBoundFunction.cpp:
1918         (JSC::hasInstanceBoundFunction):
1919         (JSC::getBoundFunctionStructure):
1920         (JSC::JSBoundFunction::create):
1921         * runtime/JSBoundFunction.h:
1922         * runtime/JSCJSValue.cpp:
1923         (JSC::JSValue::putToPrimitive):
1924         * runtime/JSCell.cpp:
1925         (JSC::JSCell::setPrototype):
1926         (JSC::JSCell::getPrototype):
1927         * runtime/JSCell.h:
1928         * runtime/JSGlobalObject.cpp:
1929         (JSC::JSGlobalObject::init):
1930         (JSC::JSGlobalObject::hasLegacyProfiler):
1931         (JSC::lastInPrototypeChain):
1932         (JSC::JSGlobalObject::objectPrototypeIsSane):
1933         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
1934         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
1935         * runtime/JSGlobalObject.h:
1936         (JSC::JSGlobalObject::finishCreation):
1937         * runtime/JSGlobalObjectFunctions.cpp:
1938         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
1939         (JSC::GlobalFuncProtoGetterFunctor::operator()):
1940         (JSC::globalFuncProtoGetter):
1941         * runtime/JSLexicalEnvironment.cpp:
1942         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
1943         * runtime/JSObject.cpp:
1944         (JSC::JSObject::calculatedClassName):
1945         (JSC::JSObject::putInlineSlow):
1946         (JSC::JSObject::setPrototypeWithCycleCheck):
1947         (JSC::JSObject::setPrototype):
1948         (JSC::JSObject::getPrototype):
1949         (JSC::JSObject::defaultHasInstance):
1950         (JSC::objectPrivateFuncInstanceOf):
1951         (JSC::JSObject::getPropertyNames):
1952         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1953         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
1954         (JSC::JSObject::getGenericPropertyNames):
1955         * runtime/JSObject.h:
1956         (JSC::JSObject::finishCreation):
1957         (JSC::JSObject::JSObject):
1958         (JSC::JSObject::getPrototypeDirect):
1959         (JSC::JSObject::getPrototype):
1960         (JSC::JSObject::getOwnNonIndexPropertySlot):
1961         (JSC::JSObject::getPropertySlot):
1962         (JSC::JSObject::getNonIndexPropertySlot):
1963         (JSC::JSObject::prototype): Deleted.
1964         * runtime/JSObjectInlines.h:
1965         (JSC::JSObject::canPerformFastPutInline):
1966         * runtime/JSProxy.cpp:
1967         (JSC::JSProxy::setTarget):
1968         * runtime/JSTypedArrayViewConstructor.cpp:
1969         (JSC::constructTypedArrayView):
1970         * runtime/ObjectConstructor.cpp:
1971         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
1972         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
1973         (JSC::objectConstructorGetPrototypeOf):
1974         * runtime/ObjectPrototype.cpp:
1975         (JSC::objectProtoFuncIsPrototypeOf):
1976         * runtime/ProxyObject.cpp:
1977         (JSC::performProxyGet):
1978         (JSC::ProxyObject::performSetPrototype):
1979         * runtime/StructureInlines.h:
1980         (JSC::Structure::isValid):
1981         * tests/stress/proxy-has-property.js:
1982         (assert.let.h1.has):
1983         (assert.let.h2.has):
1984         (assert):
1985
1986 2016-03-06  Commit Queue  <commit-queue@webkit.org>
1987
1988         Unreviewed, rolling out r197645.
1989         https://bugs.webkit.org/show_bug.cgi?id=155097
1990
1991         "Doesn't build properly when building entire webkit"
1992         (Requested by saamyjoon on #webkit).
1993
1994         Reverted changeset:
1995
1996         "[[GetPrototypeOf]] should be a fully virtual method in the
1997         method table"
1998         https://bugs.webkit.org/show_bug.cgi?id=155002
1999         http://trac.webkit.org/changeset/197645
2000
2001 2016-03-06  Saam Barati  <sbarati@apple.com>
2002
2003         [[GetPrototypeOf]] should be a fully virtual method in the method table
2004         https://bugs.webkit.org/show_bug.cgi?id=155002
2005
2006         Reviewed by Filip Pizlo.
2007
2008         This patch makes us more consistent with how the ES6 specification models the
2009         [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
2010         is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
2011         still allows directly accessing the prototype for situations where this
2012         is the desired behavior. This is equivalent to getting the internal
2013         [[Prototype]] field as described in the specification. 
2014
2015         * API/JSObjectRef.cpp:
2016         (JSObjectGetPrototype):
2017         (JSObjectSetPrototype):
2018         * dfg/DFGOperations.cpp:
2019         * dfg/DFGOperations.h:
2020         * dfg/DFGSpeculativeJIT.cpp:
2021         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2022         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
2023         * ftl/FTLLowerDFGToB3.cpp:
2024         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
2025         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
2026         * jit/JITOpcodes.cpp:
2027         (JSC::JIT::emit_op_instanceof):
2028         (JSC::JIT::emitSlow_op_instanceof):
2029         * jit/JITOpcodes32_64.cpp:
2030         (JSC::JIT::emit_op_instanceof):
2031         (JSC::JIT::emitSlow_op_instanceof):
2032         * jit/JITOperations.cpp:
2033         * jit/JITOperations.h:
2034         * jsc.cpp:
2035         (functionCreateProxy):
2036         * llint/LLIntSlowPaths.cpp:
2037         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2038         * llint/LowLevelInterpreter.asm:
2039         * llint/LowLevelInterpreter32_64.asm:
2040         * llint/LowLevelInterpreter64.asm:
2041         * runtime/ArrayPrototype.cpp:
2042         (JSC::speciesConstructArray):
2043         * runtime/ClassInfo.h:
2044         * runtime/FunctionPrototype.cpp:
2045         (JSC::functionProtoFuncBind):
2046         * runtime/IntlCollatorPrototype.cpp:
2047         (JSC::IntlCollatorPrototypeGetterCompare):
2048         * runtime/IntlDateTimeFormatPrototype.cpp:
2049         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2050         * runtime/IntlNumberFormatPrototype.cpp:
2051         (JSC::IntlNumberFormatPrototypeGetterFormat):
2052         * runtime/JSBoundFunction.cpp:
2053         (JSC::hasInstanceBoundFunction):
2054         (JSC::getBoundFunctionStructure):
2055         (JSC::JSBoundFunction::create):
2056         * runtime/JSBoundFunction.h:
2057         * runtime/JSCJSValue.cpp:
2058         (JSC::JSValue::putToPrimitive):
2059         * runtime/JSCell.cpp:
2060         (JSC::JSCell::setPrototype):
2061         (JSC::JSCell::getPrototype):
2062         * runtime/JSCell.h:
2063         * runtime/JSGlobalObject.cpp:
2064         (JSC::JSGlobalObject::init):
2065         (JSC::JSGlobalObject::hasLegacyProfiler):
2066         (JSC::lastInPrototypeChain):
2067         (JSC::JSGlobalObject::objectPrototypeIsSane):
2068         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
2069         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
2070         * runtime/JSGlobalObject.h:
2071         (JSC::JSGlobalObject::finishCreation):
2072         * runtime/JSGlobalObjectFunctions.cpp:
2073         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
2074         (JSC::GlobalFuncProtoGetterFunctor::operator()):
2075         (JSC::globalFuncProtoGetter):
2076         * runtime/JSLexicalEnvironment.cpp:
2077         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2078         * runtime/JSObject.cpp:
2079         (JSC::JSObject::calculatedClassName):
2080         (JSC::JSObject::putInlineSlow):
2081         (JSC::JSObject::setPrototypeWithCycleCheck):
2082         (JSC::JSObject::setPrototype):
2083         (JSC::JSObject::getPrototype):
2084         (JSC::JSObject::defaultHasInstance):
2085         (JSC::objectPrivateFuncInstanceOf):
2086         (JSC::JSObject::getPropertyNames):
2087         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
2088         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
2089         (JSC::JSObject::getGenericPropertyNames):
2090         * runtime/JSObject.h:
2091         (JSC::JSObject::finishCreation):
2092         (JSC::JSObject::JSObject):
2093         (JSC::JSObject::getPrototypeDirect):
2094         (JSC::JSObject::getPrototype):
2095         (JSC::JSObject::getOwnNonIndexPropertySlot):
2096         (JSC::JSObject::getPropertySlot):
2097         (JSC::JSObject::getNonIndexPropertySlot):
2098         (JSC::JSObject::prototype): Deleted.
2099         * runtime/JSObjectInlines.h:
2100         (JSC::JSObject::canPerformFastPutInline):
2101         * runtime/JSProxy.cpp:
2102         (JSC::JSProxy::setTarget):
2103         * runtime/JSTypedArrayViewConstructor.cpp:
2104         (JSC::constructTypedArrayView):
2105         * runtime/ObjectConstructor.cpp:
2106         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
2107         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2108         (JSC::objectConstructorGetPrototypeOf):
2109         * runtime/ObjectPrototype.cpp:
2110         (JSC::objectProtoFuncIsPrototypeOf):
2111         * runtime/ProxyObject.cpp:
2112         (JSC::performProxyGet):
2113         (JSC::ProxyObject::performSetPrototype):
2114         * runtime/StructureInlines.h:
2115         (JSC::Structure::isValid):
2116         * tests/stress/proxy-has-property.js:
2117         (assert.let.h1.has):
2118         (assert.let.h2.has):
2119         (assert):
2120
2121 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
2122
2123         RegExpMatchesArray doesn't know how to have a bad time
2124         https://bugs.webkit.org/show_bug.cgi?id=155069
2125
2126         Reviewed by Yusuke Suzuki.
2127
2128         In trunk if we are having a bad time, the regexp matches array is still allocated with a
2129         non-slow-put indexing shape, which makes it have the wrong behavior on indexed setters on
2130         the prototype chain.
2131
2132         Getting this to work right requires introducing bad time code paths into the regexp matches
2133         array. It also requires something more drastic: making this code not play games with the
2134         global object. The code that creates the matches array needs to have the actual global
2135         object of the regexp native function that it's logically created by.
2136
2137         This is totally different from how we've handled global objects in the past because it means
2138         that the global object is not a constant. Normally we can make it a constant because a
2139         script executable will know its global object. But with native functions, it's the function
2140         instance that knows the global object - not the native executable. When we inline a native
2141         intrinsic, we are guaranteed to know the native executable but we're not guaranteed to know
2142         the function instance. This means that the global object may be a variable that gets computed
2143         by looking at the instance at run-time. So, the RegExpExec/RegExpTest nodes in DFG IR now
2144         take a global object child. That also meant adding a new node type, GetGlobalObject, which
2145         does the thing to the callee that CallFrame::lexicalGlobalObject() would have done.
2146         Eventually, we'll probably have to make other native intrinsics also use GetGlobalObject. It
2147         turns out that this really isn't so bad because usually it's constant-folded anyway, since
2148         although the intrinsic code supports executable-based inlining (which leaves the callee
2149         instance as an unknown), it happens rarely for intrinsics. So, conveying the global object
2150         via a child isn't any worse than conveying it via meta-data, and it's probably better than
2151         telling the inliner not to do executable-based inlining of native intrinsics. That would
2152         have been a confusing special-case.
2153
2154         This is perf-neutral on my machines but it fixes a bug and it unlocks some interesting
2155         possibilities. For example, RegExpExec can now make a firm promise about the type of array
2156         it's creating.
2157
2158         This also contains some other changes:
2159         
2160         - We are now using Structure::addPropertyTransition() in a lot of places even though it was
2161           meant to be an internal method with a quirky contract - for example it only works if you
2162           know that there is no existing transition. This relaxes this constraint.
2163         
2164         - Restores the use of "*" for heap references in JSString.h. It's very unusual to have heap
2165           references pointed at with "&", since we don't currently do that anywhere. The fact that
2166           it was using the wrong reference type also meant that the code couldn't elegantly make use
2167           of some of our GC pointer helpers like jsCast<>.
2168
2169         * dfg/DFGAbstractInterpreterInlines.h:
2170         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2171         * dfg/DFGByteCodeParser.cpp:
2172         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2173         (JSC::DFG::ByteCodeParser::handleMinMax):
2174         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2175         * dfg/DFGClobberize.h:
2176         (JSC::DFG::clobberize):
2177         * dfg/DFGDoesGC.cpp:
2178         (JSC::DFG::doesGC):
2179         * dfg/DFGFixupPhase.cpp:
2180         (JSC::DFG::FixupPhase::fixupNode):
2181         * dfg/DFGNodeType.h:
2182         * dfg/DFGOperations.cpp:
2183         * dfg/DFGOperations.h:
2184         * dfg/DFGPredictionPropagationPhase.cpp:
2185         (JSC::DFG::PredictionPropagationPhase::propagate):
2186         * dfg/DFGSafeToExecute.h:
2187         (JSC::DFG::safeToExecute):
2188         * dfg/DFGSpeculativeJIT.cpp:
2189         (JSC::DFG::SpeculativeJIT::compileSkipScope):
2190         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
2191         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
2192         * dfg/DFGSpeculativeJIT.h:
2193         (JSC::DFG::SpeculativeJIT::callOperation):
2194         * dfg/DFGSpeculativeJIT32_64.cpp:
2195         (JSC::DFG::SpeculativeJIT::compile):
2196         * dfg/DFGSpeculativeJIT64.cpp:
2197         (JSC::DFG::SpeculativeJIT::compile):
2198         * ftl/FTLCapabilities.cpp:
2199         (JSC::FTL::canCompile):
2200         * ftl/FTLLowerDFGToB3.cpp:
2201         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2202         (JSC::FTL::DFG::LowerDFGToB3::compileSkipScope):
2203         (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalObject):
2204         (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
2205         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
2206         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
2207         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
2208         * jit/JITOperations.h:
2209         * runtime/JSGlobalObject.cpp:
2210         (JSC::JSGlobalObject::init):
2211         (JSC::JSGlobalObject::haveABadTime):
2212         (JSC::JSGlobalObject::visitChildren):
2213         * runtime/JSGlobalObject.h:
2214         * runtime/JSObject.h:
2215         (JSC::JSObject::putDirectInternal):
2216         * runtime/JSString.h:
2217         (JSC::jsString):
2218         (JSC::jsSubstring):
2219         * runtime/RegExpCachedResult.cpp:
2220         (JSC::RegExpCachedResult::lastResult):
2221         * runtime/RegExpMatchesArray.cpp:
2222         (JSC::tryCreateUninitializedRegExpMatchesArray):
2223         (JSC::createRegExpMatchesArray):
2224         (JSC::createStructureImpl):
2225         (JSC::createRegExpMatchesArrayStructure):
2226         (JSC::createRegExpMatchesArraySlowPutStructure):
2227         * runtime/RegExpMatchesArray.h:
2228         * runtime/RegExpObject.cpp:
2229         (JSC::RegExpObject::put):
2230         (JSC::RegExpObject::exec):
2231         (JSC::RegExpObject::match):
2232         * runtime/RegExpObject.h:
2233         (JSC::RegExpObject::getLastIndex):
2234         (JSC::RegExpObject::test):
2235         * runtime/RegExpPrototype.cpp:
2236         (JSC::regExpProtoFuncTest):
2237         (JSC::regExpProtoFuncExec):
2238         (JSC::regExpProtoFuncCompile):
2239         * runtime/StringPrototype.cpp:
2240         (JSC::stringProtoFuncMatch):
2241         * runtime/Structure.cpp:
2242         (JSC::Structure::suggestedArrayStorageTransition):
2243         (JSC::Structure::addPropertyTransition):
2244         (JSC::Structure::addNewPropertyTransition):
2245         * runtime/Structure.h:
2246         * tests/stress/regexp-matches-array-bad-time.js: Added.
2247         * tests/stress/regexp-matches-array-slow-put.js: Added.
2248
2249 2016-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2250
2251         [JSC] RegExp#lastIndex should handle writable attribute when defining in defineOwnProperty path
2252         https://bugs.webkit.org/show_bug.cgi?id=155093
2253
2254         Reviewed by Filip Pizlo.
2255
2256         Before this patch, `setLastIndex(ExecState* exec, size_t lastIndex)` always overwrites the existing value
2257         regardless of writable attribute.
2258         And when defining RegExp#lastIndex in defineOwnProperty, we need to define the value first
2259         before making the attribute readonly. After changing the writable attribute, we cannot define the value.
2260
2261         * runtime/RegExpObject.cpp:
2262         (JSC::RegExpObject::defineOwnProperty):
2263         * runtime/RegExpObject.h:
2264         (JSC::RegExpObject::setLastIndex):
2265         * tests/stress/regexp-last-index-writable.js: Added.
2266         (shouldBe):
2267         (shouldThrow):
2268         (regExpLastIndex):
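
The lastIndex semantics this entry fixes, shown as an added example that is not part of the WebKit ChangeLog or its stress tests; it runs in any ES6 engine and checks that a read-only lastIndex is honoured by assignment, by exec, and by the ordering of defineProperty:

```javascript
// Added example (not JavaScriptCore code): observable ES6 behaviour of
// RegExp#lastIndex once it has been made non-writable via defineProperty.

function lastIndexWritableChecks() {
  "use strict";
  const re = /a/g;

  // Value and writable are applied in one call: the value must land first,
  // then the attribute flips, which is the ordering the entry describes.
  Object.defineProperty(re, "lastIndex", { value: 3, writable: false });
  const desc = Object.getOwnPropertyDescriptor(re, "lastIndex");

  // A strict-mode assignment to a read-only data property must throw.
  let assignThrew = false;
  try {
    re.lastIndex = 0;
  } catch (e) {
    assignThrew = e instanceof TypeError;
  }

  // exec on a global regexp starts at lastIndex (3) and then performs
  // Set(R, "lastIndex", 4, true); with writable false that is a TypeError,
  // not a silent overwrite, which is the bug the entry fixes in setLastIndex.
  let execThrew = false;
  try {
    re.exec("aaaa");
  } catch (e) {
    execThrew = e instanceof TypeError;
  }

  return {
    value: desc.value,
    writable: desc.writable,
    assignThrew,
    execThrew,
    after: re.lastIndex, // still 3: nothing was allowed to write it
  };
}

// The reverse ordering the entry warns about: once lastIndex is non-writable
// (and it is non-configurable by definition), redefining its value is rejected.
function redefineAfterReadOnlyThrows() {
  "use strict";
  const re = /a/g;
  Object.defineProperty(re, "lastIndex", { writable: false });
  try {
    Object.defineProperty(re, "lastIndex", { value: 7 });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```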
2269
2270 2016-03-05  Filip Pizlo  <fpizlo@apple.com>
2271
2272         The most aggressive form of RegExpTest/RegExpExec should speculate more aggressively than just cell
2273         https://bugs.webkit.org/show_bug.cgi?id=154900
2274
2275         Reviewed by Saam Barati.
2276
2277         These old operations used to speculate cell. That's what they did when they were first
2278         introduced. That was probably about as good as they could do back then because we didn't have
2279         very powerful checks. Now we have powerful checks, so we can do this right.
2280
2281         The most profitable thing to check is that child1 is a RegExpObject and child2 is a JSString.
2282         Sometimes though, we will not know what child2 is even though we know that child1 is a
2283         RegExpObject. So, this patch means that RegExpExec/RegExpTest have the following overloads:
2284
2285             RegExpExec(RegExpObject:, String:)
2286             RegExpExec(RegExpObject:, Untyped:)
2287             RegExpExec(Untyped:, Untyped:)
2288
2289         This shaves off some type checks in Octane/regexp. It also cleans up some problems in our
2290         modeling of the effectfulness of these operations.
2291
2292         * dfg/DFGAbstractInterpreterInlines.h:
2293         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2294         * dfg/DFGClobberize.h:
2295         (JSC::DFG::clobberize):
2296         * dfg/DFGFixupPhase.cpp:
2297         (JSC::DFG::FixupPhase::fixupNode):
2298         * dfg/DFGOperations.cpp:
2299         * dfg/DFGOperations.h:
2300         * dfg/DFGSpeculativeJIT.h:
2301         (JSC::DFG::SpeculativeJIT::callOperation):
2302         * dfg/DFGSpeculativeJIT32_64.cpp:
2303         (JSC::DFG::SpeculativeJIT::compile):
2304         * dfg/DFGSpeculativeJIT64.cpp:
2305         (JSC::DFG::SpeculativeJIT::compile):
2306         * ftl/FTLLowerDFGToB3.cpp:
2307         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
2308         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
2309         * jit/JITOperations.h:
2310
2311 2016-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2312
2313         [ES6] Support Reflect.construct
2314         https://bugs.webkit.org/show_bug.cgi?id=147330
2315
2316         Reviewed by Saam Barati.
2317
2318         Based on Saam's r196868, this patch adds support for Reflect.construct.
2319         This patch implements OrdinaryCreateFromConstructor[1] for fallback cases.
2320         This path is rarely taken. For example,
2321
2322             Reflect.construct(function () { }, [], Map);
2323
2324         In this case, the `new.target` becomes `Map`.
2325         So we should create an object whose `__proto__` is `Map.prototype`.
2326
2327         And to allow forward declaration (and encouraging strong type checking), we change
2328         ConstructType, CallType to C++11 enum class.
2329
2330         [1]: http://ecma-international.org/ecma-262/6.0/#sec-ordinarycreatefromconstructor
2331
2332         * API/JSCallbackConstructor.cpp:
2333         (JSC::JSCallbackConstructor::getConstructData):
2334         * API/JSCallbackFunction.cpp:
2335         (JSC::JSCallbackFunction::getCallData):
2336         * API/JSCallbackObjectFunctions.h:
2337         (JSC::JSCallbackObject<Parent>::getConstructData):
2338         (JSC::JSCallbackObject<Parent>::getCallData):
2339         * API/JSObjectRef.cpp:
2340         (JSObjectIsFunction):
2341         (JSObjectCallAsFunction):
2342         (JSObjectIsConstructor):
2343         (JSObjectCallAsConstructor):
2344         * API/ObjCCallbackFunction.mm:
2345         (JSC::ObjCCallbackFunction::getCallData):
2346         (JSC::ObjCCallbackFunction::getConstructData):
2347         * bindings/ScriptFunctionCall.cpp:
2348         (Deprecated::ScriptFunctionCall::call):
2349         * bindings/ScriptValue.cpp:
2350         (Deprecated::ScriptValue::isFunction):
2351         * builtins/ReflectObject.js:
2352         * dfg/DFGOperations.cpp:
2353         * inspector/InjectedScriptManager.cpp:
2354         (Inspector::InjectedScriptManager::createInjectedScript):
2355         * interpreter/Interpreter.cpp:
2356         (JSC::sizeOfVarargs):
2357         (JSC::Interpreter::execute):
2358         (JSC::Interpreter::executeCall):
2359         (JSC::Interpreter::executeConstruct):
2360         * jit/JITOperations.cpp:
2361         * llint/LLIntSlowPaths.cpp:
2362         (JSC::LLInt::handleHostCall):
2363         * runtime/ArrayConstructor.cpp:
2364         (JSC::ArrayConstructor::getConstructData):
2365         (JSC::ArrayConstructor::getCallData):
2366         * runtime/ArrayPrototype.cpp:
2367         (JSC::arrayProtoFuncToString):
2368         (JSC::arrayProtoFuncToLocaleString):
2369         (JSC::getLength): Deleted.
2370         * runtime/BooleanConstructor.cpp:
2371         (JSC::BooleanConstructor::getConstructData):
2372         (JSC::BooleanConstructor::getCallData):
2373         * runtime/CallData.cpp:
2374         (JSC::call):
2375         * runtime/CallData.h:
2376         * runtime/CommonSlowPaths.cpp:
2377         (JSC::SLOW_PATH_DECL):
2378         * runtime/ConstructData.cpp:
2379         (JSC::construct):
2380         * runtime/ConstructData.h:
2381         * runtime/DateConstructor.cpp:
2382         (JSC::DateConstructor::getConstructData):
2383         (JSC::DateConstructor::getCallData):
2384         * runtime/DatePrototype.cpp:
2385         (JSC::dateProtoFuncToJSON):
2386         * runtime/Error.h:
2387         (JSC::StrictModeTypeErrorFunction::getConstructData):
2388         (JSC::StrictModeTypeErrorFunction::getCallData):
2389         * runtime/ErrorConstructor.cpp:
2390         (JSC::ErrorConstructor::getConstructData):
2391         (JSC::ErrorConstructor::getCallData):
2392         * runtime/ExceptionHelpers.cpp:
2393         (JSC::errorDescriptionForValue):
2394         * runtime/FunctionConstructor.cpp:
2395         (JSC::FunctionConstructor::getConstructData):
2396         (JSC::FunctionConstructor::getCallData):
2397         * runtime/FunctionPrototype.cpp:
2398         (JSC::FunctionPrototype::getCallData):
2399         (JSC::functionProtoFuncToString):
2400         (JSC::functionProtoFuncBind):
2401         * runtime/GeneratorFunctionConstructor.cpp:
2402         (JSC::GeneratorFunctionConstructor::getCallData):
2403         (JSC::GeneratorFunctionConstructor::getConstructData):
2404         * runtime/InternalFunction.cpp:
2405         (JSC::InternalFunction::getCallData):
2406         * runtime/IntlCollatorConstructor.cpp:
2407         (JSC::IntlCollatorConstructor::getConstructData):
2408         (JSC::IntlCollatorConstructor::getCallData):
2409         * runtime/IntlDateTimeFormatConstructor.cpp:
2410         (JSC::IntlDateTimeFormatConstructor::getConstructData):
2411         (JSC::IntlDateTimeFormatConstructor::getCallData):
2412         * runtime/IntlNumberFormatConstructor.cpp:
2413         (JSC::IntlNumberFormatConstructor::getConstructData):
2414         (JSC::IntlNumberFormatConstructor::getCallData):
2415         * runtime/IteratorOperations.cpp:
2416         (JSC::iteratorNext):
2417         (JSC::iteratorClose):
2418         * runtime/JSArray.h:
2419         (JSC::getLength):
2420         * runtime/JSArrayBufferConstructor.cpp:
2421         (JSC::JSArrayBufferConstructor::getConstructData):
2422         (JSC::JSArrayBufferConstructor::getCallData):
2423         * runtime/JSBoundFunction.cpp:
2424         (JSC::boundFunctionCall):
2425         (JSC::boundFunctionConstruct):
2426         (JSC::JSBoundFunction::create):
2427         * runtime/JSCJSValue.h:
2428         * runtime/JSCJSValueInlines.h:
2429         (JSC::JSValue::isFunction):
2430         (JSC::JSValue::isConstructor):
2431         * runtime/JSCell.cpp:
2432         (JSC::JSCell::getCallData):
2433         (JSC::JSCell::getConstructData):
2434         * runtime/JSFunction.cpp:
2435         (JSC::JSFunction::getCallData):
2436         (JSC::JSFunction::getConstructData):
2437         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2438         (JSC::constructGenericTypedArrayViewWithArguments):
2439         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData):
2440         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
2441         * runtime/JSInternalPromise.cpp:
2442         (JSC::JSInternalPromise::then):
2443         * runtime/JSInternalPromiseConstructor.cpp:
2444         (JSC::JSInternalPromiseConstructor::getConstructData):
2445         (JSC::JSInternalPromiseConstructor::getCallData):
2446         * runtime/JSJob.cpp:
2447         (JSC::JSJobMicrotask::run):
2448         * runtime/JSONObject.cpp:
2449         (JSC::Stringifier::Stringifier):
2450         (JSC::Stringifier::toJSONImpl):
2451         (JSC::Stringifier::appendStringifiedValue):
2452         (JSC::JSONProtoFuncParse):
2453         * runtime/JSObject.cpp:
2454         (JSC::callToPrimitiveFunction):
2455         (JSC::JSObject::hasInstance):
2456         (JSC::JSObject::getMethod):
2457         * runtime/JSObject.h:
2458         (JSC::getCallData):
2459         (JSC::getConstructData):
2460         * runtime/JSPromise.cpp:
2461         (JSC::JSPromise::initialize):
2462         * runtime/JSPromiseConstructor.cpp:
2463         (JSC::JSPromiseConstructor::getConstructData):
2464         (JSC::JSPromiseConstructor::getCallData):
2465         * runtime/JSPromiseDeferred.cpp:
2466         (JSC::newPromiseCapability):
2467         (JSC::callFunction):
2468         * runtime/JSTypedArrayViewConstructor.cpp:
2469         (JSC::constructTypedArrayView):
2470         (JSC::JSTypedArrayViewConstructor::getConstructData):
2471         (JSC::JSTypedArrayViewConstructor::getCallData):
2472         * runtime/MapConstructor.cpp:
2473         (JSC::constructMap):
2474         (JSC::MapConstructor::getConstructData):
2475         (JSC::MapConstructor::getCallData):
2476         * runtime/ModuleLoaderObject.cpp:
2477         (JSC::ModuleLoaderObject::provide):
2478         (JSC::ModuleLoaderObject::loadAndEvaluateModule):
2479         (JSC::ModuleLoaderObject::loadModule):
2480         (JSC::ModuleLoaderObject::linkAndEvaluateModule):
2481         * runtime/NativeErrorConstructor.cpp:
2482         (JSC::NativeErrorConstructor::getConstructData):
2483         (JSC::NativeErrorConstructor::getCallData):
2484         * runtime/NullGetterFunction.cpp:
2485         (JSC::NullGetterFunction::getCallData):
2486         (JSC::NullGetterFunction::getConstructData):
2487         * runtime/NullSetterFunction.cpp:
2488         (JSC::NullSetterFunction::getCallData):
2489         (JSC::NullSetterFunction::getConstructData):
2490         * runtime/NumberConstructor.cpp:
2491         (JSC::NumberConstructor::getConstructData):
2492         (JSC::NumberConstructor::getCallData):
2493         * runtime/ObjectConstructor.cpp:
2494         (JSC::ObjectConstructor::getConstructData):
2495         (JSC::ObjectConstructor::getCallData):
2496         (JSC::toPropertyDescriptor):
2497         * runtime/ObjectPrototype.cpp:
2498         (JSC::objectProtoFuncDefineGetter):
2499         (JSC::objectProtoFuncDefineSetter):
2500         (JSC::objectProtoFuncToLocaleString):
2501         * runtime/Operations.cpp:
2502         (JSC::jsTypeStringForValue):
2503         (JSC::jsIsObjectTypeOrNull):
2504         (JSC::jsIsFunctionType):
2505         * runtime/ProxyConstructor.cpp:
2506         (JSC::ProxyConstructor::getConstructData):
2507         (JSC::ProxyConstructor::getCallData):
2508         * runtime/ProxyObject.cpp:
2509         (JSC::ProxyObject::finishCreation):
2510         (JSC::performProxyCall):
2511         (JSC::ProxyObject::getCallData):
2512         (JSC::performProxyConstruct):
2513         (JSC::ProxyObject::getConstructData):
2514         * runtime/ReflectObject.cpp:
2515         (JSC::reflectObjectConstruct):
2516         * runtime/RegExpConstructor.cpp:
2517         (JSC::RegExpConstructor::getConstructData):
2518         (JSC::RegExpConstructor::getCallData):
2519         * runtime/RuntimeType.h:
2520         * runtime/SamplingProfiler.cpp:
2521         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2522         * runtime/SetConstructor.cpp:
2523         (JSC::constructSet):
2524         (JSC::SetConstructor::getConstructData):
2525         (JSC::SetConstructor::getCallData):
2526         * runtime/StringConstructor.cpp:
2527         (JSC::StringConstructor::getConstructData):
2528         (JSC::StringConstructor::getCallData):
2529         * runtime/StringPrototype.cpp:
2530         (JSC::replaceUsingRegExpSearch):
2531         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
2532         (JSC::operationStringProtoFuncReplaceRegExpString):
2533         (JSC::replaceUsingStringSearch):
2534         * runtime/SymbolConstructor.cpp:
2535         (JSC::SymbolConstructor::getConstructData):
2536         (JSC::SymbolConstructor::getCallData):
2537         * runtime/WeakMapConstructor.cpp:
2538         (JSC::constructWeakMap):
2539         (JSC::WeakMapConstructor::getConstructData):
2540         (JSC::WeakMapConstructor::getCallData):
2541         * runtime/WeakSetConstructor.cpp:
2542         (JSC::constructWeakSet):
2543         (JSC::WeakSetConstructor::getConstructData):
2544         (JSC::WeakSetConstructor::getCallData):
2545         * tests/es6.yaml:
2546         * tests/stress/reflect-construct.js: Added.
2547         (shouldBe):
2548         (shouldThrow):
2549         (shouldThrow.array.get length):
2550         (shouldThrow.array.get 0):
2551         (array.get length):
2552         (array.get 0):
2553         (shouldBe.Reflect.construct):
2554         (shouldBe.Reflect.construct.Hello):
2555         (3.shouldBe.Reflect.construct.Hello):
2556         (3.newTarget):
2557         (0.shouldBe.Reflect.construct):
2558         (shouldBe.A):
2559         (shouldBe.B):
2560         (nativeConstructorTest.DerivedMap):
2561         (nativeConstructorTest.FailedMap):
2562         (set noInline):
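
A JavaScript model of the OrdinaryCreateFromConstructor fallback this entry implements, added here as an example that is not JavaScriptCore code or the entry's test file; `ordinaryCreateFromConstructor` is an assumed name, and the example also covers the case the entry does not show, a new.target whose `prototype` is not an object:

```javascript
// Added example (not JavaScriptCore code): ES6 9.1.13
// OrdinaryCreateFromConstructor(newTarget, intrinsicDefaultProto), modelled
// in JavaScript and compared against the engine's own Reflect.construct.

function ordinaryCreateFromConstructor(newTarget, intrinsicDefaultProto) {
  // GetPrototypeFromConstructor: take newTarget.prototype when it is an
  // object; otherwise fall back to the intrinsic default for this object kind.
  let proto = newTarget.prototype;
  if (proto === null || (typeof proto !== "object" && typeof proto !== "function")) {
    proto = intrinsicDefaultProto;
  }
  return Object.create(proto);
}

// The entry's case: an ordinary function constructed with new.target = Map.
function protoOfConstructViaMap() {
  const obj = Reflect.construct(function () {}, [], Map);
  return Object.getPrototypeOf(obj);
}

// The same case through the model; both must yield Map.prototype.
function protoOfModelViaMap() {
  return Object.getPrototypeOf(ordinaryCreateFromConstructor(Map, Object.prototype));
}

// Edge case: new.target.prototype is a primitive, so the default applies.
function protoOfConstructWithBadPrototype() {
  function Weird() {}
  Weird.prototype = 42; // a constructed, deliberately non-object prototype
  return Object.getPrototypeOf(Reflect.construct(function () {}, [], Weird));
}

function protoOfModelWithBadPrototype() {
  function Weird() {}
  Weird.prototype = 42;
  return Object.getPrototypeOf(ordinaryCreateFromConstructor(Weird, Object.prototype));
}
```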
2563
2564 2016-03-04  Andreas Kling  <akling@apple.com>
2565
2566         [iOS] Throw away compiled RegExp code when navigating to a new page.
2567         <https://webkit.org/b/155015>
2568
2569         Reviewed by Anders Carlsson.
2570
2571         Add a mechanism to have the VM discard all RegExp bytecode and JIT code.
2572
2573         * runtime/VM.cpp:
2574         (JSC::VM::deleteAllRegExpCode):
2575         * runtime/VM.h:
2576
2577 2016-03-04  David Kilzer  <ddkilzer@apple.com>
2578
2579         REGRESSION (r197531): JavaScriptCore ASan build fails due to weak external symbol
2580         <http://webkit.org/b/155033>
2581         <rdar://problem/24979661>
2582
2583         Reviewed by Alexey Proskuryakov.
2584
2585         * runtime/JSObject.cpp:
2586         (JSC::JSObject::ordinaryToPrimitive): Don't mark this method
2587         inline since it's also used in DatePrototype.cpp, and is
2588         declared as a public class method.
2589         * runtime/JSObject.h:
2590         (JSC::JSObject::ordinaryToPrimitive): Don't export this method
2591         since it is not used outside of JavaScriptCore.
2592
2593 2016-03-04  Alex Christensen  <achristensen@webkit.org>
2594
2595         Remove vcxproj build system
2596         https://bugs.webkit.org/show_bug.cgi?id=154388
2597
2598         Rubber-stamped by Brent Fulgham.
2599
2600         * JavaScriptCore.vcxproj/JavaScriptCore.sln: Removed.
2601         * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Removed.
2602         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Removed.
2603         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Removed.
2604         * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Removed.
2605         * JavaScriptCore.vcxproj/JavaScriptCoreCFLite.props: Removed.
2606         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Removed.
2607         * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Removed.
2608         * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Removed.
2609         * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: Removed.
2610         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Removed.
2611         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Removed.
2612         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Removed.
2613         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Removed.
2614         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Removed.
2615         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: Removed.
2616         * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Removed.
2617         * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Removed.
2618         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Removed.
2619         * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Removed.
2620         * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: Removed.
2621         * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Removed.
2622         * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: Removed.
2623         * JavaScriptCore.vcxproj/build-generated-files.pl: Removed.
2624         * JavaScriptCore.vcxproj/copy-files.cmd: Removed.
2625
2626 2016-03-04  Chris Dumez  <cdumez@apple.com>
2627
2628         Location.reload should not be writable
2629         https://bugs.webkit.org/show_bug.cgi?id=154989
2630
2631         Reviewed by Gavin Barraclough.
2632
2633         After r196770, operations marked as [Unforgeable] in the IDL (such as
2634         Location.reload) are correctly reported as not writable by
2635         Object.getOwnPropertyDescriptor(). Trying to set such property in JS
2636         is correctly ignored (or throws in strict mode) if the object has
2637         previously been reified. However, due to a bug in putEntry(), it was
2638         still possible to override the property if the object was not reified
2639         yet. This patch fixes the issue by checking in putEntry() that entries
2640         that are functions are not ReadOnly before calling putDirect().
2641
2642         * runtime/Lookup.h:
2643         (JSC::putEntry):
2644
2645 2016-03-04  Skachkov Oleksandr  <gskachkov@gmail.com>
2646
2647         [ES6] Arrow function syntax. Lexical bind "super" inside of the arrow function in generator.
2648         https://bugs.webkit.org/show_bug.cgi?id=152575
2649
2650         Reviewed by Yusuke Suzuki.
2651
2652         Added support for 'SuperProperty' in an arrow function within a generator
2653         method of a class. Before this patch the parser did not recognize that the current arrow function
2654         is declared inside of the generator and raised a SyntaxError.
2655
2656         * parser/Parser.cpp:
2657         (JSC::Parser<LexerType>::parseFunctionInfo):
2658         * parser/Parser.h:
2659         (JSC::Scope::Scope):
2660         (JSC::Scope::isGeneratorBoundary):
2661         (JSC::Scope::setIsFunction):
2662         (JSC::Scope::setIsGenerator):
2663         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
2664         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
2665
2666 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
2667
2668         DFG/FTL should inline accesses to RegExpObject::m_lastIndex
2669         https://bugs.webkit.org/show_bug.cgi?id=155003
2670
2671         Reviewed by Benjamin Poulain.
2672
2673         The Octane/regexp benchmark sets RegExps' lastIndex a lot. I could imagine this being
2674         something that people want to do. Right now, I'm not convinced that making the RegExp object
2675         be more plain-JS would be a good idea considering that pretty much all uses of it will
2676         require some special compiler magic. Also, it's good that this patch teaches the compiler
2677         how to reason about lastIndex since some of my other plans for regexp involve having the
2678         compiler treat more regexp stuff as intrinsic.
2679
2680         This is a smaller Octane/regexp speed-up than I hoped - maybe around 1%. It's an enormous
2681         speed-up on the microbenchmarks attached to this patch.
2682
2683         * dfg/DFGAbstractHeap.h:
2684         * dfg/DFGAbstractInterpreterInlines.h:
2685         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2686         * dfg/DFGClobberize.h:
2687         (JSC::DFG::clobberize):
2688         * dfg/DFGDoesGC.cpp:
2689         (JSC::DFG::doesGC):
2690         * dfg/DFGFixupPhase.cpp:
2691         (JSC::DFG::FixupPhase::fixupNode):
2692         * dfg/DFGHeapLocation.h:
2693         * dfg/DFGNodeType.h:
2694         * dfg/DFGPredictionPropagationPhase.cpp:
2695         (JSC::DFG::PredictionPropagationPhase::propagate):
2696         * dfg/DFGSafeToExecute.h:
2697         (JSC::DFG::safeToExecute):
2698         * dfg/DFGSpeculativeJIT.cpp:
2699         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
2700         (JSC::DFG::SpeculativeJIT::compileGetRegExpObjectLastIndex):
2701         (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex):
2702         * dfg/DFGSpeculativeJIT.h:
2703         * dfg/DFGSpeculativeJIT32_64.cpp:
2704         (JSC::DFG::SpeculativeJIT::compile):
2705         * dfg/DFGSpeculativeJIT64.cpp:
2706         (JSC::DFG::SpeculativeJIT::compile):
2707         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2708         * ftl/FTLAbstractHeapRepository.cpp:
2709         * ftl/FTLAbstractHeapRepository.h:
2710         * ftl/FTLCapabilities.cpp:
2711         (JSC::FTL::canCompile):
2712         * ftl/FTLLowerDFGToB3.cpp:
2713         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2714         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
2715         (JSC::FTL::DFG::LowerDFGToB3::compileGetRegExpObjectLastIndex):
2716         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
2717         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
2718         (JSC::FTL::DFG::LowerDFGToB3::lowObject):
2719         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject):
2720         (JSC::FTL::DFG::LowerDFGToB3::lowString):
2721         * runtime/RegExpObject.h:
2722         (JSC::RegExpObject::createStructure):
2723         (JSC::RegExpObject::offsetOfLastIndex):
2724
2725 2016-03-03  Chris Dumez  <cdumez@apple.com>
2726
2727         Regression(r196770): Unable to use HipChat Mac app
2728         https://bugs.webkit.org/show_bug.cgi?id=154999
2729         <rdar://problem/24931959>
2730
2731         Reviewed by Darin Adler.
2732
2733         Add a setter to PutPropertySlot to override the 'isStrictMode' flag.
2734
2735         * runtime/PutPropertySlot.h:
2736         (JSC::PutPropertySlot::setStrictMode):
2737
2738 2016-03-03  Benjamin Poulain  <bpoulain@apple.com>
2739
2740         [JSC] Add support for MADD, MSUB and MNEG to Air
2741         https://bugs.webkit.org/show_bug.cgi?id=154997
2742
2743         Reviewed by Filip Pizlo.
2744
2745         ARM64 can do an Add/Sub in the Multiply units.
2746         LLVM was doing so but we lost that when switching to B3.
2747
2748         This patch adds those instructions in Air.
2749
2750         There are more ALUs than multiply units, thus we are more
2751         likely to successfully schedule a Multiply+Add than 2 Multiply.
2752         I am conservative and only emit a multiply-add if the value
2753         can be interned. As far as I can tell from what is generated
2754         by LLVM, that backend had the same rule.
2755
2756         * assembler/MacroAssemblerARM64.h:
2757         (JSC::MacroAssemblerARM64::multiplyAdd32):
2758         (JSC::MacroAssemblerARM64::multiplySub32):
2759         (JSC::MacroAssemblerARM64::multiplyNeg32):
2760         (JSC::MacroAssemblerARM64::multiplyAdd64):
2761         (JSC::MacroAssemblerARM64::multiplySub64):
2762         (JSC::MacroAssemblerARM64::multiplyNeg64):
2763         * b3/B3LowerToAir.cpp:
2764         (JSC::B3::Air::LowerToAir::lower):
2765         * b3/air/AirOpcode.opcodes:
2766         * b3/testb3.cpp:
2767         (JSC::B3::populateWithInterestingValues):
2768         (JSC::B3::floatingPointOperands):
2769         (JSC::B3::int64Operands):
2770         (JSC::B3::int32Operands):
2771         (JSC::B3::testMulAddArgsLeft):
2772         (JSC::B3::testMulAddArgsRight):
2773         (JSC::B3::testMulAddArgsLeft32):
2774         (JSC::B3::testMulAddArgsRight32):
2775         (JSC::B3::testMulSubArgsLeft):
2776         (JSC::B3::testMulSubArgsRight):
2777         (JSC::B3::testMulSubArgsLeft32):
2778         (JSC::B3::testMulSubArgsRight32):
2779         (JSC::B3::testMulNegArgs):
2780         (JSC::B3::testMulNegArgs32):
2781         (JSC::B3::run):
2782
2783 2016-03-03  Saam Barati  <sbarati@apple.com>
2784
2785         [ES6] Implement Proxy.[[SetPrototypeOf]]
2786         https://bugs.webkit.org/show_bug.cgi?id=154931
2787
2788         Reviewed by Ryosuke Niwa.
2789
2790         This patch is a straight forward implementation of Proxy.[[SetPrototypeOf]]
2791         with respect to section 9.5.2 of the ECMAScript spec.
2792         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-setprototypeof-v
2793
2794         * runtime/JSObject.cpp:
2795         (JSC::JSObject::putInlineSlow):
2796         * runtime/ProxyObject.cpp:
2797         (JSC::ProxyObject::put):
2798         (JSC::ProxyObject::getGenericPropertyNames):
2799         (JSC::ProxyObject::performSetPrototype):
2800         (JSC::ProxyObject::setPrototype):
2801         (JSC::ProxyObject::visitChildren):
2802         * runtime/ProxyObject.h:
2803         * tests/es6.yaml:
2804         * tests/stress/proxy-set-prototype-of.js: Added.
2805         (assert):
2806         (throw.new.Error.let.handler.get setPrototypeOf):
2807         (throw.new.Error.set let):
2808         (throw.new.Error.set catch):
2809         (throw.new.Error):
2810         (assert.let.handler.setPrototypeOf):
2811         (assert.set let):
2812         (assert.set catch):
2813         (let.handler.setPrototypeOf):
2814         (set let):
2815         (set catch):
2816
2817 2016-03-03  Keith Miller  <keith_miller@apple.com>
2818
2819         JSArrayBuffers should be collected less aggressively
2820         https://bugs.webkit.org/show_bug.cgi?id=154982
2821
2822         Reviewed by Geoffrey Garen.
2823
2824         We are currently too aggressive in our collection of ArrayBuffer wrappers.
2825         There are three cases where we need to avoid collecting ArrayBuffer wrappers.
2826         1. If the wrapper has custom properties.
2827         2. If the wrapper is a subclass of ArrayBuffer.
2828         3. If the wrapper is in a WeakMap/WeakSet.
2829
2830         Currently, we only pass the first case in WebCore and none in the jsc CLI.
2831         This patch removes some optimizations that cause us to collect when we
2832         should not. Namely, always skipping the object unless it has custom
2833         properties. Additionally, in the case of subclassing, we also need a way
2834         for custom JSArrayBuffer objects to register themselves as the wrapper for
2835         an ArrayBuffer class.
2836
2837         Finally, this patch fixes an issue where views would not mark their ArrayBuffer
2838         as an opaque root. This patch also moves an associated ASSERT that the
2839         ArrayBuffer held by a view is not null in JSGenericTypedArrayView::visitChildren
2840         into JSArrayBufferView::visitChildren, where we add the opaque root.
2841
2842         * runtime/JSArrayBuffer.cpp:
2843         (JSC::JSArrayBuffer::finishCreation):
2844         (JSC::JSArrayBuffer::create):
2845         (JSC::JSArrayBuffer::createWithoutWrapping):
2846         * runtime/JSArrayBuffer.h:
2847         * runtime/JSArrayBufferView.cpp:
2848         (JSC::JSArrayBufferView::visitChildren):
2849         * runtime/JSArrayBufferView.h:
2850         * runtime/JSGenericTypedArrayViewInlines.h:
2851         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Deleted.
2852         * runtime/SimpleTypedArrayController.cpp:
2853         (JSC::SimpleTypedArrayController::toJS):
2854         (JSC::SimpleTypedArrayController::registerWrapper):
2855         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
2856         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::finalize):
2857         * runtime/SimpleTypedArrayController.h:
2858         * runtime/TypedArrayController.h:
2859
2860 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
2861
2862         Octane/regexp's Exec function should benefit from array length accessor inlining
2863         https://bugs.webkit.org/show_bug.cgi?id=154994
2864
2865         Reviewed by Benjamin Poulain.
2866
2867         It does:
2868
2869             var thingy = blahbitty.blah;
2870             if (thingy)
2871                 foo = thingy.length;
2872
2873         So, 'thingy' is SpecArray | SpecOther, which prevents the array length accessor inlining from
2874         kicking in. Our strategy for this elsewhere in the DFG is to allow a one-time speculation that
2875         we won't see SpecOther, since *usually* we see SpecOther mixed with other stuff in cases like
2876         this where there is some null check guarding the code.
2877
2878         This gives another slight speed-up on Octane/regexp.
2879
2880         * bytecode/SpeculatedType.h:
2881         (JSC::isCellSpeculation):
2882         (JSC::isCellOrOtherSpeculation):
2883         (JSC::isNotCellSpeculation):
2884         * dfg/DFGFixupPhase.cpp:
2885         (JSC::DFG::FixupPhase::fixupNode):
2886         * dfg/DFGNode.h:
2887         (JSC::DFG::Node::shouldSpeculateCell):
2888         (JSC::DFG::Node::shouldSpeculateCellOrOther):
2889         (JSC::DFG::Node::shouldSpeculateNotCell):
2890
2891 2016-03-03  Saam Barati  <sbarati@apple.com>
2892
2893         Add Proxy tests for exceptions that depend on an object being non-extensible and having configurable properties
2894         https://bugs.webkit.org/show_bug.cgi?id=154745
2895
2896         Reviewed by Geoffrey Garen.
2897
2898         This patch is mostly an implementation of Proxy.[[OwnPropertyKeys]] 
2899         with respect to section 9.5.11 of the ECMAScript spec.
2900         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys
2901
2902         This patch also changes call sites of getOwnPropertyNames and
2903         getPropertyNames to expect that an exception can be thrown.
2904
2905         * dfg/DFGOperations.cpp:
2906         * inspector/JSInjectedScriptHost.cpp:
2907         (Inspector::JSInjectedScriptHost::iteratorEntries):
2908         * interpreter/Interpreter.cpp:
2909         (JSC::Interpreter::execute):
2910         * runtime/IntlObject.cpp:
2911         (JSC::supportedLocales):
2912         * runtime/JSCJSValue.h:
2913         * runtime/JSCJSValueInlines.h:
2914         (JSC::JSValue::get):
2915         (JSC::JSValue::put):
2916         * runtime/JSONObject.cpp:
2917         (JSC::Stringifier::Holder::appendNextProperty):
2918         (JSC::Walker::walk):
2919         * runtime/JSObject.cpp:
2920         (JSC::JSObject::getPropertyNames):
2921         (JSC::JSObject::getGenericPropertyNames):
2922         * runtime/JSObject.h:
2923         (JSC::makeIdentifier):
2924         (JSC::createListFromArrayLike):
2925         * runtime/JSPropertyNameEnumerator.h:
2926         (JSC::propertyNameEnumerator):
2927         * runtime/JSPropertyNameIterator.cpp:
2928         (JSC::JSPropertyNameIterator::create):
2929         * runtime/MapConstructor.cpp:
2930         (JSC::constructMap):
2931         * runtime/ObjectConstructor.cpp:
2932         (JSC::defineProperties):
2933         (JSC::objectConstructorSeal):
2934         (JSC::objectConstructorFreeze):
2935         (JSC::objectConstructorIsSealed):
2936         (JSC::objectConstructorIsFrozen):
2937         (JSC::ownPropertyKeys):
2938         * runtime/ProxyObject.cpp:
2939         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2940         (JSC::ProxyObject::deleteProperty):
2941         (JSC::ProxyObject::deletePropertyByIndex):
2942         (JSC::ProxyObject::defineOwnProperty):
2943         (JSC::ProxyObject::performGetOwnPropertyNames):
2944         (JSC::ProxyObject::getOwnPropertyNames):
2945         (JSC::ProxyObject::getOwnNonIndexPropertyNames):
2946         (JSC::ProxyObject::getStructurePropertyNames):
2947         (JSC::ProxyObject::getGenericPropertyNames):
2948         (JSC::ProxyObject::visitChildren):
2949         * runtime/ProxyObject.h:
2950         (JSC::ProxyObject::create):
2951         (JSC::ProxyObject::createStructure):
2952         * runtime/Structure.cpp:
2953         (JSC::Structure::Structure):
2954         (JSC::Structure::add):
2955         (JSC::Structure::getPropertyNamesFromStructure):
2956         (JSC::Structure::checkConsistency):
2957         (JSC::Structure::canCachePropertyNameEnumerator):
2958         (JSC::Structure::canAccessPropertiesQuicklyForEnumeration):
2959         (JSC::Structure::canAccessPropertiesQuickly): Deleted.
2960         * runtime/Structure.h:
2961         * runtime/WeakMapConstructor.cpp:
2962         (JSC::constructWeakMap):
2963         * tests/es6.yaml:
2964         * tests/stress/proxy-own-keys.js: Added.
2965         (assert):
2966         (throw.new.Error.let.handler.ownKeys):
2967         (throw.new.Error):
2968         (assert.let.handler.get ownKeys):
2969         (assert.let.handler.ownKeys):
2970         (let.handler.ownKeys):
2971         (i.catch):
2972         (shallowEq):
2973         (let.handler.getOwnPropertyDescriptor):
2974         (i.set assert):
2975         (set add):
2976         (set assert):
2977         (set if):
2978
2979 2016-03-03  Keith Miller  <keith_miller@apple.com>
2980
2981         Array prototype JS builtins should support Symbol.species
2982         https://bugs.webkit.org/show_bug.cgi?id=154710
2983
2984         Reviewed by Geoffrey Garen.
2985
2986         Add support for Symbol.species in the Array.prototype JS
2987         builtin functions.
2988
2989         * builtins/ArrayPrototype.js:
2990         (filter):
2991         (map):
2992         * runtime/ArrayConstructor.cpp:
2993         (JSC::ArrayConstructor::finishCreation):
2994         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
2995         * runtime/ArrayConstructor.h:
2996         (JSC::ArrayConstructor::create):
2997         * runtime/CommonIdentifiers.h:
2998         * runtime/JSGlobalObject.cpp:
2999         (JSC::JSGlobalObject::init):
3000         * tests/stress/array-species-functions.js:
3001         (id):
3002
3003 2016-03-03  Michael Saboff  <msaboff@apple.com>
3004
3005         [ES6] Make Unicode RegExp pattern parsing conform to the spec
3006         https://bugs.webkit.org/show_bug.cgi?id=154988
3007
3008         Reviewed by Benjamin Poulain.
3009
3010         Updated RegExp pattern processing with 'u' (Unicode) flag to conform to the
3011         spec (https://tc39.github.io/ecma262/2016/#sec-patterns).  In the spec, the
3012         grammar is annotated with [U] annotations.  Productions that are prefixed with
3013         [+U] are only available with the Unicode flags while productions prefixed with
3014         [~U] are only available without the Unicode flag.
3015         
3016         Added flags argument to Yarr::checkSyntax() so we can catch Unicode flag related
3017         parsing errors at syntax checking time.  Restricted what escapes are available for
3018         non Unicode patterns.  Most of this is defined in the IdentityEscape rule in the
3019         pattern grammar.
3020
3021         Added \- as a CharacterClass only escape in Unicode patterns.
3022
3023         Updated the tests for these changes.
3024
3025         Made changes suggested in https://bugs.webkit.org/show_bug.cgi?id=154842#c22 after
3026         change set r197426 was landed.
3027
3028         * parser/ASTBuilder.h:
3029         (JSC::ASTBuilder::createRegExp):
3030         * parser/Parser.cpp:
3031         (JSC::Parser<LexerType>::parsePrimaryExpression):
3032         * parser/SyntaxChecker.h:
3033         (JSC::SyntaxChecker::createRegExp):
3034         * yarr/YarrInterpreter.cpp:
3035         (JSC::Yarr::Interpreter::InputStream::readChecked):
3036         (JSC::Yarr::Interpreter::InputStream::readSurrogatePairChecked):
3037         (JSC::Yarr::Interpreter::InputStream::reread):
3038         (JSC::Yarr::Interpreter::InputStream::uncheckInput):
3039         (JSC::Yarr::Interpreter::InputStream::atStart):
3040         (JSC::Yarr::Interpreter::InputStream::atEnd):
3041         (JSC::Yarr::Interpreter::testCharacterClass):
3042         (JSC::Yarr::Interpreter::backtrackPatternCharacter):
3043         (JSC::Yarr::Interpreter::matchDisjunction):
3044         (JSC::Yarr::ByteCompiler::atomPatternCharacter):
3045         * yarr/YarrParser.h:
3046         (JSC::Yarr::Parser::Parser):
3047         (JSC::Yarr::Parser::isIdentityEscapeAnError):
3048         (JSC::Yarr::Parser::parseEscape):
3049         (JSC::Yarr::Parser::parse):
3050         * yarr/YarrPattern.cpp:
3051         (JSC::Yarr::CharacterClassConstructor::putChar):
3052         (JSC::Yarr::CharacterClassConstructor::putRange):
3053         (JSC::Yarr::CharacterClassConstructor::addSorted):
3054         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
3055         * yarr/YarrSyntaxChecker.cpp:
3056         (JSC::Yarr::SyntaxChecker::disjunction):
3057         (JSC::Yarr::checkSyntax):
3058         * yarr/YarrSyntaxChecker.h:
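
An added example (not WebKit's own code or tests) that probes the [+U]/[~U] grammar split described in the entry above: the same pattern source is compiled with and without the 'u' flag and the result records whether the engine rejects it at syntax-check time. The pattern sources are constructed for this example.

```javascript
'use strict';

// Returns true when the engine accepts `source` under `flags`, false when it
// rejects it with a SyntaxError (any other error is a real failure and propagates).
function compiles(source, flags) {
  try {
    new RegExp(source, flags);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Each row is [pattern source, accepted without 'u', accepted with 'u'].
// Sample sources constructed for this example; the comments name the grammar
// rule that decides each case.
function unicodeEscapeTable() {
  const sources = [
    '\\-',    // '-' as an IdentityEscape outside a class: [~U] only
    '[\\-]',  // '\-' inside a CharacterClass: ClassEscape[+U] adds '-', so both accept it
    '\\a',    // letter IdentityEscape: Annex B [~U] only; with 'u' it is a SyntaxError
    '\\/',    // '/' is an IdentityEscape in both grammars
    '\\$',    // SyntaxCharacter escape: both
  ];
  return sources.map((s) => [s, compiles(s, ''), compiles(s, 'u')]);
}
```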
3059
3060 2016-03-03  Saam barati  <sbarati@apple.com>
3061
3062         [ES6] Implement Proxy.[[DefineOwnProperty]]
3063         https://bugs.webkit.org/show_bug.cgi?id=154759
3064
3065         Reviewed by Geoffrey Garen and Mark Lam.
3066
3067         This patch is a straight forward implementation of Proxy.[[DefineOwnProperty]]
3068         with respect to section 9.5.6 of the ECMAScript spec.
3069         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-defineownproperty-p-desc
3070
3071         * runtime/ObjectConstructor.cpp:
3072         (JSC::objectConstructorGetOwnPropertyDescriptor):
3073         (JSC::objectConstructorGetOwnPropertyDescriptors):
3074         * runtime/ObjectConstructor.h:
3075         (JSC::constructEmptyObject):
3076         (JSC::constructObjectFromPropertyDescriptor):
3077         * runtime/ProxyObject.cpp:
3078         (JSC::ProxyObject::isExtensible):
3079         (JSC::ProxyObject::performDefineOwnProperty):
3080         (JSC::ProxyObject::defineOwnProperty):
3081         (JSC::ProxyObject::visitChildren):
3082         * runtime/ProxyObject.h:
3083         * tests/es6.yaml:
3084         * tests/stress/proxy-define-own-property.js: Added.
3085         (assert):
3086         (throw.new.Error):
3087         (assert.let.handler.get defineProperty):
3088         (assert.let.handler.defineProperty):
3089         (let.handler.defineProperty):
3090         (i.catch):
3091         (assert.try.):
3092         (assert.set get catch):
3093         (assert.let.setter):
3094         (assert.let.getter):
3095         (assert.set get let.handler.defineProperty):
3096         (assert.set get let):
3097         (assert.):
3098
3099 2016-03-03  Keith Miller  <keith_miller@apple.com>
3100
3101         [ES6] Add support for Symbol.toPrimitive
3102         https://bugs.webkit.org/show_bug.cgi?id=154877
3103
3104         Reviewed by Saam Barati.
3105
3106         This patch adds support for Symbol.toPrimitive. Since we don't currently
3107         generate snippets for one side of a binary operation we only need to change
3108         the JSObject::ToPrimitive function and update some optimizations in the DFG
3109         that need to know how conversions to primitive values should work. As of
3110         ES6, the date prototype is also no longer special cased in the ToPrimitive
3111         operation. Instead, Date.prototype has a Symbol.species function that
3112         replicates the old behavior.
3113
3114         * bytecode/ObjectPropertyConditionSet.cpp:
3115         (JSC::generateConditionsForPropertyMissConcurrently):
3116         * bytecode/ObjectPropertyConditionSet.h:
3117         * dfg/DFGGraph.cpp:
3118         (JSC::DFG::Graph::watchConditions):
3119         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
3120         * dfg/DFGGraph.h:
3121         * runtime/CommonIdentifiers.h:
3122         * runtime/DatePrototype.cpp:
3123         (JSC::DatePrototype::finishCreation):
3124         (JSC::dateProtoFuncToPrimitiveSymbol):
3125         * runtime/Error.cpp:
3126         (JSC::throwTypeError):
3127         * runtime/Error.h:
3128         * runtime/JSCJSValueInlines.h:
3129         (JSC::toPreferredPrimitiveType):
3130         * runtime/JSObject.cpp:
3131         (JSC::callToPrimitiveFunction):
3132         (JSC::JSObject::ordinaryToPrimitive):
3133         (JSC::JSObject::defaultValue):
3134         (JSC::JSObject::toPrimitive):
3135         (JSC::JSObject::getPrimitiveNumber):
3136         (JSC::callDefaultValueFunction): Deleted.
3137         (JSC::throwTypeError): Deleted.
3138         * runtime/JSObject.h:
3139         (JSC::JSObject::toPrimitive): Deleted.
3140         * runtime/SmallStrings.h:
3141         * runtime/SymbolPrototype.cpp:
3142         (JSC::SymbolPrototype::finishCreation):
3143         * runtime/SymbolPrototype.h:
3144         (JSC::SymbolPrototype::create):
3145         * tests/es6.yaml:
3146         * tests/stress/date-symbol-toprimitive.js: Added.
3147         * tests/stress/ropes-symbol-toprimitive.js: Added.
3148         (ropify):
3149         (String.prototype.Symbol.toPrimitive):
3150         * tests/stress/symbol-toprimitive.js: Added.
3151         (foo.Symbol.toPrimitive):
3152         (catch):
3153
3154 2016-03-03  Filip Pizlo  <fpizlo@apple.com>
3155
3156         DFG should be able to compile StringReplace
3157         https://bugs.webkit.org/show_bug.cgi?id=154979
3158
3159         Reviewed by Benjamin Poulain.
3160
3161         Adds support for StringReplace to the DFG tier. This is a 3% speed-up on Octane/regexp.
3162
3163         * dfg/DFGByteCodeParser.cpp:
3164         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3165         * dfg/DFGSpeculativeJIT.cpp:
3166         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
3167         (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
3168         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
3169         * dfg/DFGSpeculativeJIT.h:
3170         (JSC::DFG::SpeculativeJIT::callOperation):
3171         * dfg/DFGSpeculativeJIT32_64.cpp:
3172         (JSC::DFG::SpeculativeJIT::compile):
3173         * dfg/DFGSpeculativeJIT64.cpp:
3174         (JSC::DFG::SpeculativeJIT::compile):
3175         * jit/JITOperations.h:
3176
3177 2016-03-03  Saam barati  <sbarati@apple.com>
3178
3179         [[SetPrototypeOf]] isn't properly implemented everywhere
3180         https://bugs.webkit.org/show_bug.cgi?id=154943
3181
3182         Reviewed by Benjamin Poulain.
3183
3184         We were copy-pasting implementation bits that belong in OrdinarySetPrototypeOf
3185         in a few different places that call O.[[SetPrototypeOf]](v)
3186         rather than having those bits in OrdinarySetPrototypeOf itself.
3187         We need to put those copy-pasted bits into OrdinarySetPrototypeOf
3188         and not the call sites of O.[[SetPrototypeOf]](v) because
3189         O.[[SetPrototypeOf]](v) won't always call into OrdinarySetPrototypeOf.
3190         This is needed for correctness because this behavior is now observable
3191         with the ES6 Proxy object.
3192
3193         * runtime/ClassInfo.h:
3194         * runtime/JSCell.cpp:
3195         (JSC::JSCell::isExtensible):
3196         (JSC::JSCell::setPrototype):
3197         * runtime/JSCell.h:
3198         * runtime/JSGlobalObjectFunctions.cpp:
3199         (JSC::globalFuncProtoSetter):
3200         * runtime/JSObject.cpp:
3201         (JSC::JSObject::setPrototypeDirect):
3202         (JSC::JSObject::setPrototypeWithCycleCheck):
3203         (JSC::JSObject::setPrototype):
3204         (JSC::JSObject::allowsAccessFrom):
3205         * runtime/JSObject.h:
3206         (JSC::JSObject::mayInterceptIndexedAccesses):
3207         * runtime/ObjectConstructor.cpp:
3208         (JSC::objectConstructorSetPrototypeOf):
3209         * runtime/ReflectObject.cpp:
3210         (JSC::reflectObjectSetPrototypeOf):
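
An added example (not WebKit's own code or tests) that exercises the ES6 Proxy.[[SetPrototypeOf]] algorithm (spec section 9.5.2) implemented in the Proxy.[[SetPrototypeOf]] entry above, and the point of this entry: the checks that live in OrdinarySetPrototypeOf must not be duplicated at the O.[[SetPrototypeOf]](v) call sites, because with a Proxy in play the trap is observable on every call. It uses only Proxy, Reflect and Object.setPrototypeOf, so it runs on any ES6 engine.

```javascript
'use strict';

// 1. The trap fires even when v is the prototype the target already has:
//    the "same prototype, return true" shortcut belongs to OrdinarySetPrototypeOf,
//    not to the callers of O.[[SetPrototypeOf]](v).
function trapSeesEveryCall() {
  const protoA = {};
  const protoB = {};
  const target = Object.create(protoA);
  let calls = 0;
  const proxy = new Proxy(target, {
    setPrototypeOf(t, v) {
      calls += 1;
      return Reflect.setPrototypeOf(t, v); // forward to the ordinary algorithm
    },
  });
  const sameProtoResult = Reflect.setPrototypeOf(proxy, protoA);
  const callsAfterSameProto = calls;
  Object.setPrototypeOf(proxy, protoB);
  return {
    sameProtoResult,      // true
    callsAfterSameProto,  // 1: the trap ran although nothing changed
    calls,                // 2
    finalProtoIsB: Object.getPrototypeOf(target) === protoB, // true
  };
}

// 2. Trap returns false: Reflect.setPrototypeOf reports false,
//    Object.setPrototypeOf throws TypeError, and the target is left untouched.
function refusingTrap() {
  const target = {};
  const proxy = new Proxy(target, { setPrototypeOf() { return false; } });
  const reflectResult = Reflect.setPrototypeOf(proxy, null);
  let threw = false;
  try {
    Object.setPrototypeOf(proxy, null);
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return {
    reflectResult, // false
    threw,         // true
    untouched: Object.getPrototypeOf(target) === Object.prototype, // true
  };
}

// 3. Invariant check (9.5.2 steps 5-7): a truthy trap result on a non-extensible
//    target is accepted only if v is already the target's prototype; a trap that
//    claims success while the prototype differs is an invariant violation.
function lyingTrapOnSealedTarget() {
  const target = Object.preventExtensions({});
  const proxy = new Proxy(target, { setPrototypeOf() { return true; } });
  const sameProtoAccepted = Reflect.setPrototypeOf(proxy, Object.prototype); // true
  let invariantError = false;
  try {
    Reflect.setPrototypeOf(proxy, {}); // trap says true, prototype differs
  } catch (e) {
    invariantError = e instanceof TypeError;
  }
  return { sameProtoAccepted, invariantError }; // both true
}
```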
3211
3212 2016-03-03  Alex Christensen  <achristensen@webkit.org>
3213
3214         Fix Windows build after r197489.
3215
3216         * jsc.cpp:
3217
3218 2016-03-02  Filip Pizlo  <fpizlo@apple.com>
3219
3220         RegExpExec/RegExpTest should not unconditionally speculate cell
3221         https://bugs.webkit.org/show_bug.cgi?id=154901
3222
3223         Reviewed by Benjamin Poulain.
3224
3225         This is a three part change. It all started with a simple goal: end the rage-recompiles in
3226         Octane/regexp by enabling the DFG and FTL to do untyped RegExpExec/RegExpTest. This keeps us
3227         in the optimized code when you do a regexp match on a number, for example.
3228
3229         While implementing this, I realized that DFGOperations.cpp was bad at exception checking. When
3230         it did check for exceptions, it used exec->hadException() instead of vm.exception(). So I
3231         fixed that. I also made sure that the regexp operations checked for exception after doing
3232         toString().
3233
3234         Unfortunately, the introduction of untyped RegExpExec/RegExpTest caused a regression on
3235         Octane/regexp. This was because we were simultaneously scheduling replacement and OSR compiles
3236         of some large functions with the FTL JIT. The OSR compiles were not useful. This was a
3237         regression from the previous changes to make OSR compiles happen sooner. The problem is that
3238         this change also removed the throttling of OSR compiles even in those cases where we suspect
3239         that replacement is more likely. This patch reintroduces that throttling, but only in the
3240         replacement path.
3241
3242         This change ends up being neutral overall.
3243
3244         * dfg/DFGFixupPhase.cpp:
3245         (JSC::DFG::FixupPhase::fixupNode):
3246         * dfg/DFGOperations.cpp:
3247         * dfg/DFGOperations.h:
3248         * dfg/DFGSpeculativeJIT32_64.cpp:
3249         (JSC::DFG::SpeculativeJIT::compile):
3250         * dfg/DFGSpeculativeJIT64.cpp:
3251         (JSC::DFG::SpeculativeJIT::compile):
3252         * ftl/FTLLowerDFGToB3.cpp:
3253         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
3254         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
3255         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
3256         * tests/stress/regexp-exec-effect-after-exception.js: Added.
3257
3258 2016-03-02  Benjamin Poulain  <bpoulain@apple.com>
3259
3260         [JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
3261         https://bugs.webkit.org/show_bug.cgi?id=154947
3262
3263         Reviewed by Filip Pizlo.
3264
3265         This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.
3266
3267         The problem was that JSCell_freeListNext and JSCell_structureID were
3268         considered as disjoint. When reordering instructions, the scheduler
3269         could move the write of the StructureID first to reduce dependencies.
3270         This would erase half of JSCell_freeListNext before we get a chance
3271         to load the value.
3272
3273         This patch changes the hierarchy to make sure nothing is written
3274         until JSCell_freeListNext is processed.
3275
3276         All credit for this patch goes to Filip.
3277
3278         * ftl/FTLAbstractHeapRepository.cpp:
3279         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
3280         * ftl/FTLAbstractHeapRepository.h:
3281
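To make the aliasing hazard described above concrete, here is an added example (not the patch's code and not FTL's AbstractHeapRepository) that models an abstract-heap tree as a parent chain and a scheduler that may only hoist a store above a load when their heaps are disjoint; the post-fix hierarchy shape and the layout of a 64-bit free-list link over a 32-bit StructureID are assumptions.

```cpp
#include <cstdint>
#include <cstring>
// Hypothetical model of an abstract-heap tree (not FTL's AbstractHeapRepository):
// two heaps overlap iff one is an ancestor of the other, so siblings are disjoint.
struct AbstractHeap {
    const char* name;
    const AbstractHeap* parent;
};

static bool isAncestorOrSelf(const AbstractHeap* ancestor, const AbstractHeap* heap) {
    for (const AbstractHeap* h = heap; h; h = h->parent)
        if (h == ancestor) return true;
    return false;
}

// The scheduler may move a store above a load only when their heaps are disjoint.
bool mayHoistStoreAboveLoad(const AbstractHeap* store, const AbstractHeap* load) {
    return !isAncestorOrSelf(store, load) && !isAncestorOrSelf(load, store);
}

// Before the fix: freeListNext and structureID are siblings under JSCell, so the
// StructureID store is allowed to move above the freeListNext load (the bug).
bool buggyHierarchyAllowsReorder() {
    AbstractHeap cell{"JSCell", nullptr};
    AbstractHeap freeListNext{"JSCell_freeListNext", &cell};
    AbstractHeap structureID{"JSCell_structureID", &cell};
    return mayHoistStoreAboveLoad(&structureID, &freeListNext);  // true
}

// After the fix (assumed shape): header fields hang below freeListNext, so any
// header store overlaps the freeListNext load and must stay after it.
bool fixedHierarchyAllowsReorder() {
    AbstractHeap cell{"JSCell", nullptr};
    AbstractHeap freeListNext{"JSCell_freeListNext", &cell};
    AbstractHeap structureID{"JSCell_structureID", &freeListNext};
    return mayHoistStoreAboveLoad(&structureID, &freeListNext);  // false
}

// Why siblings are wrong here: on a free cell the 64-bit free-list link shares its
// bytes with the 32-bit StructureID (assumed layout), so a hoisted StructureID store
// wipes half of the link before it is loaded. Returns true only if the link survived.
bool freeListNextSurvivesEarlyStructureIDStore() {
    unsigned char cellBytes[8];
    const uint64_t link = 0x1122334455667788ull;  // constructed free-list pointer
    std::memcpy(cellBytes, &link, sizeof link);
    const uint32_t structureID = 0;               // the hoisted 4-byte store
    std::memcpy(cellBytes, &structureID, sizeof structureID);
    uint64_t observed;
    std::memcpy(&observed, cellBytes, sizeof observed);
    return observed == link;                      // false
}
```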
3282 2016-03-02  Benjamin Poulain  <bpoulain@apple.com>
3283
3284         [JSC] Improve Select of Doubles based on Double condition
3285         https://bugs.webkit.org/show_bug.cgi?id=154572
3286
3287         Reviewed by Filip Pizlo.
3288
3289         Octane has a bunch of Select on Double based on comparing Doubles.
3290         A few nodes generate that: ValueRep, Min, Max, etc.
3291
3292         On ARM64, we can improve our code a lot. ARM can do a select
3293         based on flags with the FCSEL instruction.
3294
3295         On x86, this patch adds aggressive aliasing for moveDoubleConditionallyXXX.
3296         This obviously has a much more limited impact.
3297
3298         * assembler/MacroAssembler.h:
3299         (JSC::MacroAssembler::moveDoubleConditionally32): Deleted.
3300         (JSC::MacroAssembler::moveDoubleConditionally64): Deleted.
3301         (JSC::MacroAssembler::moveDoubleConditionallyTest32): Deleted.
3302         (JSC::MacroAssembler::moveDoubleConditionallyTest64): Deleted.
3303         (JSC::MacroAssembler::moveDoubleConditionallyDouble): Deleted.
3304         (JSC::MacroAssembler::moveDoubleConditionallyFloat): Deleted.
3305         * assembler/MacroAssemblerARM64.h:
3306         (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare):
3307         (JSC::MacroAssemblerARM64::moveDoubleConditionallyDouble):
3308         (JSC::MacroAssemblerARM64::moveDoubleConditionallyFloat):
3309         (JSC::MacroAssemblerARM64::moveConditionally32):
3310         (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
3311         (JSC::MacroAssemblerARM64::moveDoubleConditionally64):
3312         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest32):
3313         (JSC::MacroAssemblerARM64::moveDoubleConditionallyTest64):
3314         (JSC::MacroAssemblerARM64::branch64):
3315         * assembler/MacroAssemblerX86Common.h:
3316         (JSC::MacroAssemblerX86Common::moveConditionally32):
3317         (JSC::MacroAssemblerX86Common::moveDoubleConditionally32):
3318         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyTest32):
3319         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyDouble):
3320         (JSC::MacroAssemblerX86Common::moveDoubleConditionallyFloat):
3321         * assembler/MacroAssemblerX86_64.h:
3322         (JSC::MacroAssemblerX86_64::moveDoubleConditionally64):
3323         (JSC::MacroAssemblerX86_64::moveDoubleConditionallyTest64):
3324         * b3/air/AirInstInlines.h:
3325         (JSC::B3::Air::Inst::shouldTryAliasingDef):
3326         * b3/air/AirOpcode.opcodes:
3327         * b3/testb3.cpp:
3328         (JSC::B3::populateWithInterestingValues):
3329         (JSC::B3::floatingPointOperands):
3330         (JSC::B3::int64Operands):
3331         (JSC::B3::int32Operands):
3332         (JSC::B3::testSelectCompareFloat):
3333         (JSC::B3::testSelectCompareFloatToDouble):
3334         (JSC::B3::testSelectDoubleCompareDouble):
3335         (JSC::B3::testSelectDoubleCompareDoubleWithAliasing):
3336         (JSC::B3::testSelectFloatCompareFloat):
3337         (JSC::B3::testSelectFloatCompareFloatWithAliasing):
3338         (JSC::B3::run):
3339
3340 2016-03-02  Joseph Pecoraro  <pecoraro@apple.com>
3341
3342         Add ability to generate a Heap Snapshot
3343         https://bugs.webkit.org/show_bug.cgi?id=154847
3344
3345         Reviewed by Mark Lam.
3346
3347         This adds HeapSnapshot, HeapSnapshotBuilder, and HeapProfiler.
3348
3349         HeapProfiler hangs off of the VM and holds the list of snapshots.
3350         I expect to add other HeapProfiling features, such as allocation