Add magnify and rotate gesture event support for Mac
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-10-19  Tim Horton  <timothy_horton@apple.com>

        Add magnify and rotate gesture event support for Mac
        https://bugs.webkit.org/show_bug.cgi?id=150179
        <rdar://problem/8036240>

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:
        New feature flag.

2015-10-19  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the ENABLE(WEBASSEMBLY) build after r190827
        https://bugs.webkit.org/show_bug.cgi?id=150330

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock): Removed the duplicated VM argument.
        * bytecode/CodeBlock.h:
        (JSC::WebAssemblyCodeBlock::create): Added new parameters to finishCreation() calls.
        (JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Change VM parameter to pointer to match *CodeBlock classes.
        * runtime/Executable.cpp:
        (JSC::WebAssemblyExecutable::prepareForExecution): Removed extra ")" and pass pointer as it is expected.

2015-10-19  Mark Lam  <mark.lam@apple.com>

        DoubleRep fails to convert SpecBoolean values.
        https://bugs.webkit.org/show_bug.cgi?id=150313

        Reviewed by Geoffrey Garen.

        This was uncovered by the op_sub stress test on 32-bit builds.  On 32-bit builds,
        DoubleRep will erroneously convert 'true' to a 'NaN' instead of a double 1.
        On 64-bit, the same issue exists but is masked by another bug in DoubleRep where
        boolean values will always erroneously trigger a BadType OSR exit.

        The erroneous conversion of 'true' to 'NaN' is because the 'true' case in
        compileDoubleRep() is missing a jump to the "done" destination.  Instead, it
        falls through to the "isUndefined" case where it produces a NaN.

        The 64-bit erroneous BadType OSR exit is due to the boolean type check being
        implemented incorrectly.  It was checking if any bits other than bit 0 were set.
        However, boolean JS values always have TagBitBool (the 3rd bit) set.  Hence, the
        check will always fail if we have a boolean value.

        This patch fixes both of these issues.

        No new test is needed because these issues are already covered by scenarios in
        the op_sub.js stress test.  This patch also fixes the op_sub.js test to throw an
        exception if any failures are encountered (as expected by the stress test
        harness).  This patch also re-worked the test code to provide more accurate
        descriptions of each test scenario for error reporting.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):

        * tests/stress/op_sub.js:
        (generateScenarios):
        (func):
        (initializeTestCases):
        (runTest):
        (stringify): Deleted.

2015-10-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Drop !newTarget check since it always becomes true
        https://bugs.webkit.org/show_bug.cgi?id=150308

        Reviewed by Geoffrey Garen.

        In a context of calling a constructor, `newTarget` should not become JSEmpty.
        So `!newTarget` always becomes true. This patch drops this unnecessary check.
        And to ensure the implementation of the constructor is only called under
        the context of calling it as a constructor, we change these functions to
        static and only use them for constructor implementations of InternalFunction.

        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        (JSC::callIntlDateTimeFormat):
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        (JSC::callIntlNumberFormat):
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):

2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Promise constructor should throw when not called with "new"
        https://bugs.webkit.org/show_bug.cgi?id=149380

        Reviewed by Darin Adler.

        Implement handling new.target in Promise constructor. And
        prohibit Promise constructor call without "new".

        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::callPromise):
        (JSC::JSPromiseConstructor::getCallData):
        * tests/es6.yaml:
        * tests/stress/promise-cannot-be-called.js: Added.
        (shouldBe):
        (shouldThrow):
        (Deferred):
        (super):

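The behaviour the entry above describes, written out as an added example (this is not code from the WebKit ChangeLog or from JSC's promise-cannot-be-called.js; the names callPromiseWithoutNew, Deferred, TrackedPromise and the helper functions are my own). It shows Promise refusing to run as a plain function because new.target is undefined, a user-defined constructor enforcing the same rule, and how new.target drives the prototype of the allocated object under subclassing and Reflect.construct.

```javascript
// Added example, not code from the WebKit ChangeLog or JSC's test files.
// All names below are my own; only standard ECMAScript is used.

// Per ES2015, Promise() without `new` must throw a TypeError: the constructor
// sees new.target === undefined and refuses to create an object.
function callPromiseWithoutNew() {
  try {
    Promise(function () {});
    return null; // not reached on a conforming engine
  } catch (e) {
    return e.constructor.name;
  }
}

// A user-defined constructor enforcing the same rule with new.target.
// Modelled on the Deferred pattern: exposes resolve/reject of a wrapped Promise.
function Deferred() {
  if (new.target === undefined) {
    throw new TypeError("Deferred must be invoked with new");
  }
  this.promise = new Promise((resolve, reject) => {
    this.resolve = resolve;
    this.reject = reject;
  });
}

function callDeferredWithoutNew() {
  try {
    Deferred();
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

function constructDeferred() {
  const d = new Deferred();
  return d instanceof Deferred && d.promise instanceof Promise
    && typeof d.resolve === "function" && typeof d.reject === "function";
}

// Subclass: inside Promise's constructor new.target is TrackedPromise, so the
// allocated object gets TrackedPromise.prototype and the subclass body runs.
class TrackedPromise extends Promise {
  constructor(executor) {
    super(executor);
    this.tag = "tracked";
  }
}

function subclassKeepsPrototypeChain() {
  const p = new TrackedPromise((resolve) => resolve(1));
  return p instanceof TrackedPromise && p instanceof Promise && p.tag === "tracked";
}

// Reflect.construct makes new.target explicit: Promise is the constructor that
// runs, but the object is created from TrackedPromise.prototype. The subclass
// constructor body does not run, so `tag` stays undefined.
function explicitNewTargetPrototype() {
  const p = Reflect.construct(Promise, [(resolve) => resolve(2)], TrackedPromise);
  return Object.getPrototypeOf(p) === TrackedPromise.prototype && p.tag === undefined;
}
```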
2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Handle asynchronous tests in tests/es6
        https://bugs.webkit.org/show_bug.cgi?id=150293

        Reviewed by Darin Adler.

        Since JSC can handle microtasks, some of ES6 Promise tests can be executed under the JSC shell.
        Some of them still fail because they use setTimeout, which invokes macrotasks with explicit delay.

        * tests/es6.yaml:
        * tests/es6/Promise_Promise.all.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_Promise.all_generic_iterables.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_Promise.race.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_Promise.race_generic_iterables.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_basic_functionality.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_is_subclassable_Promise.all.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_is_subclassable_Promise.race.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_is_subclassable_basic_functionality.js:
        (test.asyncTestPassed):
        (test):

2015-10-18  Sungmann Cho  <sungmann.cho@navercorp.com>

        [Win] Fix the Windows builds.
        https://bugs.webkit.org/show_bug.cgi?id=150300

        Reviewed by Darin Adler.

        Add missing files to JavaScriptCore.vcxproj.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2015-10-17  Filip Pizlo  <fpizlo@apple.com>

        Fix some generational heap growth pathologies
        https://bugs.webkit.org/show_bug.cgi?id=150270

        Reviewed by Andreas Kling.

        When doing generational copying, we would pretend that the size of old space was increased
        just by the amount of bytes we copied. In reality, it would be increased by the number of
        bytes used by the copied blocks we created. This is a larger number, and in some simple
        pathological programs, the difference can be huge.

        Fixing this bug was relatively easy, and the only really meaningful change here is in
        Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
        add some debugging code and I had to refactor some stuff so that it made more sense.

        This change does obviate the need for m_totalBytesCopied, because we no longer use it in
        release builds to decide how much heap we are using at the end of collection. But I added a
        FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
        now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.

        Relanding with build fix.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopiedBlock.cpp: Added.
        (JSC::CopiedBlock::createNoZeroFill):
        (JSC::CopiedBlock::destroy):
        (JSC::CopiedBlock::create):
        (JSC::CopiedBlock::zeroFillWilderness):
        (JSC::CopiedBlock::CopiedBlock):
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::didSurviveGC):
        (JSC::CopiedBlock::createNoZeroFill): Deleted.
        (JSC::CopiedBlock::destroy): Deleted.
        (JSC::CopiedBlock::create): Deleted.
        (JSC::CopiedBlock::zeroFillWilderness): Deleted.
        (JSC::CopiedBlock::CopiedBlock): Deleted.
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::startedCopying):
        * heap/Heap.cpp:
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::resetVisitors):
        (JSC::Heap::capacity):
        (JSC::Heap::protectedGlobalObjectCount):
        (JSC::Heap::collectImpl):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::sizeAfterCollect): Deleted.
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isBusy):
        (JSC::Heap::collectIfNecessaryOrDefer):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::destroy):

2015-10-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r191240.
        https://bugs.webkit.org/show_bug.cgi?id=150281

        Broke 32-bit builds (Requested by smfr on #webkit).

        Reverted changeset:

        "Fix some generational heap growth pathologies"
        https://bugs.webkit.org/show_bug.cgi?id=150270
        http://trac.webkit.org/changeset/191240

2015-10-17  Sungmann Cho  <sungmann.cho@navercorp.com>

        [Win] Fix the Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=150278

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2015-10-17  Mark Lam  <mark.lam@apple.com>

        Fixed typos from r191224.

        Not reviewed.

        * jit/JITSubGenerator.h:
        (JSC::JITSubGenerator::generateFastPath):

2015-10-17  Filip Pizlo  <fpizlo@apple.com>

        Fix some generational heap growth pathologies
        https://bugs.webkit.org/show_bug.cgi?id=150270

        Reviewed by Andreas Kling.

        When doing generational copying, we would pretend that the size of old space was increased
        just by the amount of bytes we copied. In reality, it would be increased by the number of
        bytes used by the copied blocks we created. This is a larger number, and in some simple
        pathological programs, the difference can be huge.

        Fixing this bug was relatively easy, and the only really meaningful change here is in
        Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
        add some debugging code and I had to refactor some stuff so that it made more sense.

        This change does obviate the need for m_totalBytesCopied, because we no longer use it in
        release builds to decide how much heap we are using at the end of collection. But I added a
        FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
        now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopiedBlock.cpp: Added.
        (JSC::CopiedBlock::createNoZeroFill):
        (JSC::CopiedBlock::destroy):
        (JSC::CopiedBlock::create):
        (JSC::CopiedBlock::zeroFillWilderness):
        (JSC::CopiedBlock::CopiedBlock):
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::didSurviveGC):
        (JSC::CopiedBlock::createNoZeroFill): Deleted.
        (JSC::CopiedBlock::destroy): Deleted.
        (JSC::CopiedBlock::create): Deleted.
        (JSC::CopiedBlock::zeroFillWilderness): Deleted.
        (JSC::CopiedBlock::CopiedBlock): Deleted.
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::startedCopying):
        * heap/Heap.cpp:
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::resetVisitors):
        (JSC::Heap::capacity):
        (JSC::Heap::protectedGlobalObjectCount):
        (JSC::Heap::collectImpl):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::sizeAfterCollect): Deleted.
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isBusy):
        (JSC::Heap::collectIfNecessaryOrDefer):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::destroy):

2015-10-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement String.prototype.normalize
        https://bugs.webkit.org/show_bug.cgi?id=150094

        Reviewed by Geoffrey Garen.

        This patch implements String.prototype.normalize leveraging ICU.
        It can provide the feature applying {NFC, NFD, NFKC, NFKD} normalization to a given string.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::normalize):
        (JSC::stringProtoFuncNormalize):
        * tests/es6.yaml:
        * tests/stress/string-normalize.js: Added.
        (unicode):
        (shouldBe):
        (shouldThrow):
        (normalizeTest):

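What the four normalization forms do, as an added example (this is not code from the WebKit ChangeLog or from JSC's string-normalize.js; the sample strings are constructed here and the function names are my own). The practical point for anyone comparing identifiers is that canonically equivalent strings compare unequal as raw code units, so an equality check on user names, file names or header values should normalize both sides first; NFKC additionally folds compatibility characters such as fullwidth letters and ligatures onto their ASCII counterparts.

```javascript
// Added example, not code from the WebKit ChangeLog or JSC's test files.
// Sample strings are constructed here; function names are my own.

// Constructed sample: the same word with "é" precomposed (U+00E9) and
// decomposed (U+0065 U+0301). Canonically equivalent, but unequal as raw
// code unit sequences (4 vs. 5 UTF-16 units).
const PRECOMPOSED = "caf\u00E9";
const DECOMPOSED = "cafe\u0301";

// All four normalization forms of a string.
function normalizeAll(s) {
  return {
    NFC: s.normalize("NFC"),
    NFD: s.normalize("NFD"),
    NFKC: s.normalize("NFKC"),
    NFKD: s.normalize("NFKD"),
  };
}

// Code points as uppercase hex, so differences that are invisible when
// printed become visible in a log line.
function codePoints(s) {
  return Array.from(s, (ch) => ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// Compare identifiers after NFC so canonically equivalent spellings cannot
// slip past an equality check.
function canonicallyEqual(a, b) {
  return a.normalize("NFC") === b.normalize("NFC");
}

// NFKC additionally folds compatibility characters: fullwidth Latin letters
// (U+FF21..) and ligatures (U+FB01 "fi") collapse to plain ASCII.
function compatibilityFold(s) {
  return s.normalize("NFKC");
}

// The form argument is validated: anything but the four exact names (case
// sensitive) is a RangeError. Returns the thrown error's constructor name.
function invalidFormError(form) {
  try {
    "a".normalize(form);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}
```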
2015-10-16  Geoffrey Garen  <ggaren@apple.com>

        Update JavaScriptCore API docs
        https://bugs.webkit.org/show_bug.cgi?id=150262

        Reviewed by Mark Lam.

        Apply some edits for clarity. These came out of a docs review.

        * API/JSContext.h:
        * API/JSExport.h:
        * API/JSManagedValue.h:
        * API/JSValue.h:

2015-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed. Fix typo in TypeError messages in TypedArray.prototype.forEach/filter.

        * builtins/TypedArray.prototype.js:
        (forEach):
        (filter):

2015-10-16  Mark Lam  <mark.lam@apple.com>

        Use JITSubGenerator to support UntypedUse operands for op_sub in the DFG.
        https://bugs.webkit.org/show_bug.cgi?id=150038

        Reviewed by Geoffrey Garen.

        * bytecode/SpeculatedType.h:
        (JSC::isUntypedSpeculationForArithmetic): Added
        - Also fixed some comments.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::resultType):
        * dfg/DFGAbstractValue.h:
        - Added function to compute the ResultType of an operand from its SpeculatedType.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        - Fix up ArithSub to speculate its operands to be numbers.  But if an OSR exit
          due to a BadType was seen at this node, we'll fix it up to expect UntypedUse
          operands.  This gives the generated code a chance to run fast if it only
          receives numeric operands.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateUntypedForArithmetic):

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        - Add the C++ runtime function to implement op_sub when we really encounter the
          hard types in the operands.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        - Added support for UntypedUse operands using the JITSubGenerator.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
        (JSC::DFG::SpeculativeJIT::pickCanTrample):
        (JSC::DFG::SpeculativeJIT::callOperation):

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        - Just refuse to FTL compile functions with UntypedUse op_sub operands for now.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::boxDouble):
        (JSC::AssemblyHelpers::unboxDoubleNonDestructive):
        (JSC::AssemblyHelpers::unboxDouble):
        (JSC::AssemblyHelpers::boxBooleanPayload):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_sub):

        * jit/JITSubGenerator.h:
        (JSC::JITSubGenerator::generateFastPath):
        (JSC::JITSubGenerator::endJumpList):
        - Added some asserts to document the contract that this generator expects in
          terms of its incoming registers.

          Also fixed the generated code to not be destructive with regards to incoming
          registers.  The DFG expects this.

          Also added an endJumpList so that we don't have to jump twice for the fast
          path where both operands are ints.

        * parser/ResultType.h:
        (JSC::ResultType::ResultType):
        - Make the internal Type bits and the constructor private.  Clients should only
          create ResultType values using one of the provided factory methods.

        * tests/stress/op_sub.js: Added.
        (o1.valueOf):
        (stringify):
        (generateScenarios):
        (printScenarios):
        (testCases.func):
        (func):
        (initializeTestCases):
        (runTest):
        - test op_sub results by comparing one LLINT result against the output of
          multiple LLINT, and JIT runs.  This test assumes that we'll at least get the
          right result some of the time (if not all the time), and confirms that the
          various engines produce consistent results for all the various value pairs
          being tested.

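The differential approach the op_sub.js description above takes, and the boolean-operand case the DoubleRep entry earlier on this page fixes, as one added example (this is not JSC's op_sub.js and not code from the WebKit ChangeLog; the operand table, referenceSub, sameValue, sub and findMismatches are my own). Instead of comparing LLINT against JIT output, which a plain script cannot observe directly, it computes a reference result for `a - b` from the language's ToNumber semantics, runs a subtraction function enough times that an optimizing engine would have compiled it, and reports every pair where any run disagreed with the reference.

```javascript
// Added example, not code from the WebKit ChangeLog or JSC's op_sub.js.
// Names and the operand table are my own.

// Reference semantics for the `-` operator: ToNumber on both operands, then
// IEEE double subtraction. Number() is the built-in ToNumber.
function referenceSub(a, b) {
  return Number(a) - Number(b);
}

// Object.is treats NaN as equal to NaN and distinguishes 0 from -0, which
// === does not; both matter when comparing double results.
function sameValue(x, y) {
  return Object.is(x, y);
}

// The function under test. Kept trivial so the engine's own `-` is what runs.
function sub(a, b) {
  return a - b;
}

// Constructed operand table: ints at the int32 boundaries, doubles, booleans
// (the DoubleRep case: true - 0 must be 1, not NaN), undefined/null, strings,
// and an object whose valueOf supplies the number.
const VALUES = [0, -0, 1, -1, 2147483647, -2147483648, 0.5, NaN, Infinity,
  true, false, undefined, null, "3", "", "x", { valueOf() { return 7; } }];

// Runs every pair through sub() `iterations` times and returns the mismatches,
// each as "a - b: got X, expected Y". An empty list means every run, whichever
// tier executed it, agreed with the reference.
function findMismatches(iterations) {
  const mismatches = [];
  for (let iter = 0; iter < iterations; iter++) {
    for (const a of VALUES) {
      for (const b of VALUES) {
        const got = sub(a, b);
        const expected = referenceSub(a, b);
        if (!sameValue(got, expected)) {
          mismatches.push(`${String(a)} - ${String(b)}: got ${got}, expected ${expected}`);
        }
      }
    }
  }
  return mismatches;
}

// The specific scenarios behind the DoubleRep fix: booleans convert to 1/0,
// undefined converts to NaN.
function booleanSubtractionIsNumeric() {
  return sameValue(sub(true, 0), 1) && sameValue(sub(false, 0), 0)
    && sameValue(sub(true, false), 1) && Number.isNaN(sub(undefined, 0));
}
```

Running `findMismatches(2000)` drives the same call site through roughly half a million subtractions, which is comfortably past the point where a tiered engine has recompiled `sub`, so a tier-specific conversion bug of the kind described above would show up as a non-empty list.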
2015-10-15  Filip Pizlo  <fpizlo@apple.com>

        CopyBarrier must be avoided for slow TypedArrays
        https://bugs.webkit.org/show_bug.cgi?id=150217
        rdar://problem/23128791

        Reviewed by Michael Saboff.

        Change how we access array buffer views so that we don't fire the barrier slow path, and
        don't mask off the spaceBits, if the view is not FastTypedArray. That's because in that case
        m_vector could be misaligned and so have meaningful non-space data in the spaceBits. Also in
        that case, m_vector does not point into copied space.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorWithBarrier):
        (JSC::FTL::DFG::LowerDFGToLLVM::copyBarrier):
        (JSC::FTL::DFG::LowerDFGToLLVM::isInToSpace):
        (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyReadOnly):
        (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorReadOnly):
        (JSC::FTL::DFG::LowerDFGToLLVM::removeSpaceBits):
        (JSC::FTL::DFG::LowerDFGToLLVM::isFastTypedArray):
        (JSC::FTL::DFG::LowerDFGToLLVM::baseIndex):
        * heap/CopyBarrier.h:
        (JSC::CopyBarrierBase::getWithoutBarrier):
        (JSC::CopyBarrierBase::getPredicated):
        (JSC::CopyBarrierBase::get):
        (JSC::CopyBarrierBase::copyState):
        (JSC::CopyBarrier::get):
        (JSC::CopyBarrier::getPredicated):
        (JSC::CopyBarrier::set):
        * heap/Heap.cpp:
        (JSC::Heap::copyBarrier):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::branchIfNotType):
        (JSC::AssemblyHelpers::branchIfFastTypedArray):
        (JSC::AssemblyHelpers::branchIfNotFastTypedArray):
        (JSC::AssemblyHelpers::loadTypedArrayVector):
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchStructure):
        (JSC::AssemblyHelpers::branchIfToSpace):
        (JSC::AssemblyHelpers::branchIfNotToSpace):
        (JSC::AssemblyHelpers::removeSpaceBits):
        (JSC::AssemblyHelpers::addressForByteOffset):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::vector):
        (JSC::JSArrayBufferView::length):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::typedVector):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * tests/stress/misaligned-int8-view-byte-offset.js: Added.
        * tests/stress/misaligned-int8-view-read.js: Added.
        * tests/stress/misaligned-int8-view-write.js: Added.

2015-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed. Build fix for 191215.

        * jit/IntrinsicEmitter.cpp:

2015-10-16  Keith Miller  <keith@Keiths-MacBook-Pro-5.local>

        Add Intrinsic Getters and use them to fix performance on the getters of TypedArray properties.
        https://bugs.webkit.org/show_bug.cgi?id=149687

        Reviewed by Geoffrey Garen.

        Add the ability to create intrinsic getters in both the inline cache and the DFG/FTL. When the
        getter fetched by a GetById has an intrinsic we know about we add a new intrinsic access case.
        Once we get to the DFG, we observe that the access case was an intrinsic and add an appropriate
        GetByIdVariant. We then parse the intrinsic into an appropriate DFG node.

        The first intrinsics are the new TypedArray prototype getters length, byteLength, and byteOffset.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::operator=):
        (JSC::GetByIdVariant::canMergeIntrinsicStructures):
        (JSC::GetByIdVariant::attemptToMerge):
        (JSC::GetByIdVariant::dumpInContext):
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::intrinsicFunction):
        (JSC::GetByIdVariant::intrinsic):
        (JSC::GetByIdVariant::callLinkStatus): Deleted.
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::addWatchpoint):
        (JSC::AccessGenerationState::restoreScratch):
        (JSC::AccessGenerationState::succeed):
        (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
        (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
        (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
        (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCallWithThrownException):
        (JSC::AccessGenerationState::callSiteIndexForExceptionHandlingOrOriginal):
        (JSC::AccessGenerationState::originalExceptionHandler):
        (JSC::AccessGenerationState::originalCallSiteIndex):
        (JSC::AccessCase::getIntrinsic):
        (JSC::AccessCase::clone):
        (JSC::AccessCase::visitWeak):
        (JSC::AccessCase::generate):
        (WTF::printInternal):
        (JSC::AccessCase::AccessCase): Deleted.
        (JSC::AccessCase::get): Deleted.
        (JSC::AccessCase::replace): Deleted.
        (JSC::AccessCase::transition): Deleted.
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::isGet):
        (JSC::AccessCase::isPut):
        (JSC::AccessCase::isIn):
        (JSC::AccessCase::intrinsicFunction):
        (JSC::AccessCase::intrinsic):
        (JSC::AccessGenerationState::AccessGenerationState):
        (JSC::AccessGenerationState::liveRegistersForCall):
        (JSC::AccessGenerationState::callSiteIndexForExceptionHandling):
        (JSC::AccessGenerationState::numberOfStackBytesUsedForRegisterPreservation):
        (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
        (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * bytecode/PutByIdVariant.h:
        (JSC::PutByIdVariant::intrinsic):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayTypeToString):
        (JSC::DFG::toTypedArrayType):
        (JSC::DFG::refineTypedArrayType):
        (JSC::DFG::permitsBoundsCheckLowering):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::supportsLength):
        (JSC::DFG::ArrayMode::isSomeTypedArrayView):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
        (JSC::DFG::ByteCodeParser::load):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::presenceLike): Deleted.
        (JSC::DFG::ByteCodeParser::store): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::convertToGetArrayLength): Deleted.
        (JSC::DFG::FixupPhase::prependGetArrayLength): Deleted.
        (JSC::DFG::FixupPhase::fixupChecksInBlock): Deleted.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetFoldableView):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetArrayLength):
        * jit/IntrinsicEmitter.cpp: Added.
        (JSC::AccessCase::canEmitIntrinsicGetter):
        (JSC::AccessCase::emitIntrinsicGetter):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/Intrinsic.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::put):
        (JSC::JSArrayBufferView::defineOwnProperty):
        (JSC::JSArrayBufferView::deleteProperty):
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        (JSC::JSArrayBufferView::getOwnPropertySlot): Deleted.
        (JSC::JSArrayBufferView::finalize): Deleted.
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        (JSC::JSDataView::put):
        (JSC::JSDataView::defineOwnProperty):
        (JSC::JSDataView::deleteProperty):
        (JSC::JSDataView::getOwnNonIndexPropertyNames):
        * runtime/JSDataView.h:
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::intrinsic):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex): Deleted.
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Deleted.
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectNativeIntrinsicGetter):
        * runtime/JSObject.h:
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * tests/stress/typedarray-add-property-to-base-object.js: Added.
        (body.foo):
        (body):
        * tests/stress/typedarray-bad-getter.js: Added.
        (body.foo):
        (body.get Bar):
        (body):
        * tests/stress/typedarray-getter-on-self.js: Added.
        (body.foo):
        (body.bar):
        (body.baz):
        (body.get for):
        (body):
        * tests/stress/typedarray-intrinsic-getters-change-prototype.js: Added.
        (body.foo):
        (body.bar):
        (body.baz):
        (body):

2015-10-16  Keith Miller  <keith_miller@apple.com>

        Fix some issues with TypedArrays
        https://bugs.webkit.org/show_bug.cgi?id=150216

        Reviewed by Geoffrey Garen.

        This fixes a couple of issues:
        1) The DFG had a separate case for creating new typedarrays in the dfg when the first argument is an object.
           Since the code for creating a Typedarray in the dfg is almost the same as the code in Baseline/LLInt
           the two cases have been merged.
        2) If the length property on an object was unset then the construction could crash.
        3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
           length of the source object when the source object is a TypedArray.
        4) The conditions that were used to decide if the iterator could be skipped were incorrect.
           Instead of checking for having a bad time we should have checked the Indexing type did not allow for
           indexed accessors.

        * dfg/DFGOperations.cpp:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        (JSC::constructGenericTypedArrayViewWithFirstArgument): Deleted.

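Items 2 and 3 of the entry above, made observable from script as an added example (this is not code from the WebKit ChangeLog or JSC's test files; the function names and sample arrays are my own). The observable difference is which `length` an engine consults: for a TypedArray source the constructor and %TypedArray%.prototype.set use the view's internal length, so an own `length` accessor installed on the source is never invoked, whereas a plain array-like object goes through the generic path and its `length` getter runs. An object with no `length` at all is a valid array-like of length 0.

```javascript
// Added example, not code from the WebKit ChangeLog or JSC's test files.
// Function names and the sample arrays are my own.

// Item 2: an object with no "length" property is a valid array-like.
// ToLength(undefined) is 0, so the result is an empty view, not a crash.
function constructFromObjectWithoutLength() {
  return new Uint8Array({}).length;
}

// Item 3: when the source is itself a TypedArray, both the constructor and
// %TypedArray%.prototype.set read the internal [[ArrayLength]] and perform no
// [[Get]] of "length". Shadow the prototype accessor with an own accessor on
// the source so that any such [[Get]] would be counted.
function lengthReadsWithTypedArraySource() {
  const src = new Uint8Array([1, 2, 3]);
  let reads = 0;
  Object.defineProperty(src, "length", {
    get() { reads++; return 3; },
    configurable: true,
  });
  const copy = new Uint8Array(src);
  const target = new Uint8Array(4);
  target.set(src, 1);
  return {
    reads,
    copy: Array.from(copy).join(","),
    target: Array.from(target).join(","),
  };
}

// Contrast: an array-like object without Symbol.iterator takes the generic
// path, so its "length" getter is observed by the constructor and by set().
function lengthReadsWithArrayLikeSource() {
  let reads = 0;
  const src = { 0: 1, 1: 2, 2: 3, get length() { reads++; return 3; } };
  const copy = new Uint8Array(src);
  const target = new Uint8Array(4);
  target.set(src, 1);
  return {
    reads,
    copy: Array.from(copy).join(","),
    target: Array.from(target).join(","),
  };
}
```

The contrast matters beyond correctness: a `length` getter on an untrusted array-like is user code that runs in the middle of the engine's copy, and it may return a value that disagrees with the number of elements actually present, so the engine has to treat the reported length as a hint and still bounds-check every element read.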
2015-10-16  Anders Carlsson  <andersca@apple.com>

        Fix Windows build.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2015-10-16  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r191175): Still crashing when clicking back button on netflix.com
        https://bugs.webkit.org/show_bug.cgi?id=150251

        Rubber stamped by Filip Pizlo.

        Turning off Tail Calls and disabling tests until the crash is fixed.

        * runtime/Options.h:
        * tests/es6.yaml:
        * tests/stress/dfg-tail-calls.js:
        (nonInlinedTailCall.callee):
        * tests/stress/mutual-tail-call-no-stack-overflow.js:
        (shouldThrow):
        * tests/stress/tail-call-in-inline-cache.js:
        (tail):
        * tests/stress/tail-call-no-stack-overflow.js:
        (shouldThrow):
        * tests/stress/tail-call-recognize.js:
        (callerMustBeRun):
        * tests/stress/tail-call-varargs-no-stack-overflow.js:
        (shouldThrow):

2015-10-16  Mark Lam  <mark.lam@apple.com>

        Add MacroAssembler::callProbe() for supporting lambda JIT probes.
        https://bugs.webkit.org/show_bug.cgi?id=150186

        Reviewed by Geoffrey Garen.

        With callProbe(), we can now make probes that are lambdas.  For example, we can
        now conveniently add probes like so:

            // When you know exactly which register you want to inspect:
            jit.callProbe([] (MacroAssembler::ProbeContext* context) {
                intptr_t value = reinterpret_cast<intptr_t>(context->cpu.eax);
                dataLogF("eax %p\n", context->cpu.eax); // Inspect the register.
                ASSERT(value > 10); // Add test code for debugging.
            });

            // When you want to inspect whichever register the JIT allocated:
            auto reg = op1.gpr();
            jit.callProbe([reg] (MacroAssembler::ProbeContext* context) {
                intptr_t value = reinterpret_cast<intptr_t>(context->gpr(reg));
                dataLogF("reg %s: %ld\n", context->gprName(reg), value);
744                 ASSERT(value > 10);
745             });
746
747         callProbe() is only meant to be used for debugging sessions.  It is not
748         appropriate to use it in permanent code (even for debug builds).
749         This is because:
750         1. The probe mechanism saves and restores all (and I really mean "all")
751            registers, and is inherently slow.
752         2. callProbe() currently works by allocating (via new) a std::function to
753            guarantee that it is persisted for the duration that the JIT generated code is
754            live.  We don't currently delete it ever, i.e. it leaks a bit of memory each
755            time the JIT generates code that contains such a lambda probe.
756
757         These limitations are acceptable for a debugging session (assuming you're not
758         debugging a memory leak), but not for deployment code.  If there's a need, we can
759         plug that leak in another patch.
760
761         * assembler/AbstractMacroAssembler.h:
762         (JSC::AbstractMacroAssembler::CPUState::fpr):
763         - Removed an unnecessary empty line.
764         (JSC::AbstractMacroAssembler::ProbeContext::gpr):
765         (JSC::AbstractMacroAssembler::ProbeContext::fpr):
766         (JSC::AbstractMacroAssembler::ProbeContext::gprName):
767         (JSC::AbstractMacroAssembler::ProbeContext::fprName):
768         - Added some convenience functions that will make using the probe mechanism
769           easier.
770
771         * assembler/MacroAssembler.cpp:
772         (JSC::StdFunctionData::StdFunctionData):
773         (JSC::stdFunctionCallback):
774         (JSC::MacroAssembler::callProbe):
775         * assembler/MacroAssembler.h:
776
777 2015-10-16  Andreas Kling  <akling@apple.com>
778
779         Remove unused StructureRareData::m_cachedGenericPropertyNameEnumerator.
780         <https://webkit.org/b/150244>
781
782         Reviewed by Geoffrey Garen.
783
784         Remove an unused field from StructureRareData.
785
786         * runtime/StructureRareData.cpp:
787         (JSC::StructureRareData::visitChildren): Deleted.
788         * runtime/StructureRareData.h:
789
790 2015-10-16  Keith Miller  <keith_miller@apple.com>
791
792         Unreviewed, rolling out r191190.
793
794         Patch needs some design changes.
795
796         Reverted changeset:
797
798         "Fix some issues with TypedArrays"
799         https://bugs.webkit.org/show_bug.cgi?id=150216
800         http://trac.webkit.org/changeset/191190
801
802 2015-10-16  Mark Lam  <mark.lam@apple.com>
803
804         Move all the probe trampolines into their respective MacroAssembler files.
805         https://bugs.webkit.org/show_bug.cgi?id=150239
806
807         Reviewed by Saam Barati.
808
809         This patch does not introduce any behavior changes.  It only moves the
810         ctiMasmProbeTrampoline implementations from the respective JITStubs<CPU>.h
811         files to the corresponding MacroAssembler<CPU>.cpp files. 
812
813         I also had to make some minor changes to get the code to build after this move:
814         1. Added #include <wtf/InlineASM.h> in the MacroAssembler<CPU>.cpp files
815            because the ctiMasmProbeTrampoline is an inline assembly blob.
816         2. In the moved code, convert MacroAssembler:: qualifiers to the CPU specific
817            MacroAssembler equivalent.  The referenced entities were always defined in
818            the CPU specific MacroAssembler anyway, and indirectly referenced through
819            the generic MacroAssembler.
820
821         With this, we can get rid of all the JITStubs<CPU>.cpp files.  There is one
822         exception: JITStubsMSVC64.asm.  However, that one is unrelated to the probe
823         mechanism.  So, I'll leave it as is.
824
825         We can also remove JITStubs.cpp and JITStubs.h which are now empty except for
826         some stale unused code.
827
828         This patch has been build tested for x86, x86_64, armv7, and arm64.
829
830         * CMakeLists.txt:
831         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
832         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
833         * JavaScriptCore.xcodeproj/project.pbxproj:
834         * assembler/MacroAssemblerARM.cpp:
835         (JSC::MacroAssemblerARM::probe):
836         * assembler/MacroAssemblerARM64.cpp:
837         (JSC::arm64ProbeTrampoline):
838         (JSC::MacroAssemblerARM64::probe):
839         * assembler/MacroAssemblerARMv7.cpp:
840         (JSC::MacroAssemblerARMv7::probe):
841         * assembler/MacroAssemblerX86Common.cpp:
842         * bytecode/CodeBlock.cpp:
843         * ftl/FTLCompile.cpp:
844         * ftl/FTLLink.cpp:
845         * jit/JITArithmetic.cpp:
846         * jit/JITArithmetic32_64.cpp:
847         * jit/JITCode.h:
848         * jit/JITExceptions.cpp:
849         * jit/JITStubs.cpp: Removed.
850         * jit/JITStubs.h: Removed.
851         * jit/JITStubsARM.h: Removed.
852         * jit/JITStubsARM64.h: Removed.
853         * jit/JITStubsARMv7.h: Removed.
854         * jit/JITStubsX86.h: Removed.
855         * jit/JITStubsX86Common.h: Removed.
856         * jit/JITStubsX86_64.h: Removed.
857         * jit/JSInterfaceJIT.h:
858         * llint/LLIntOffsetsExtractor.cpp:
859         * runtime/CommonSlowPaths.cpp:
860
861 2015-10-16  Keith Miller  <keith_miller@apple.com>
862
863         Fix some issues with TypedArrays
864         https://bugs.webkit.org/show_bug.cgi?id=150216
865
866         Reviewed by Michael Saboff.
867
868         This fixes a couple of issues:
869         1) The DFG had a separate case for creating new typedarrays in the dfg when the first argument is an object.
870            Since the code for creating a Typedarray in the dfg is almost the same as the code in Baseline/LLInt
871            the two cases have been merged.
872         2) If the length property on an object was unset then the construction could crash.
873         3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
874            length of the source object when the source object is a TypedArray.
875         4) The conditions that were used to decide if the iterator could be skipped were incorrect.
876            Instead of checking for "have a bad time" we should have checked that the Indexing type did not allow for
877            indexed accessors.
878
879         * dfg/DFGOperations.cpp:
880         (JSC::DFG::newTypedArrayWithOneArgument): Deleted.
881         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
882         (JSC::constructGenericTypedArrayViewFromIterator):
883         (JSC::constructGenericTypedArrayViewWithFirstArgument):
884         (JSC::constructGenericTypedArrayView):
885         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
886         (JSC::genericTypedArrayViewProtoFuncSet):
887         * tests/stress/typedarray-construct-iterator.js: Added.
888         (iterator.return.next):
889         (iterator):
890         (body):
891
892 2015-10-15  Michael Saboff  <msaboff@apple.com>
893
894         REGRESSION (r190289): Repro crash clicking back button on netflix.com
895         https://bugs.webkit.org/show_bug.cgi?id=150220
896
897         Reviewed by Geoffrey Garen.
898
899         Since constructors check for a valid new "this" object and return it, we can't make
900         a tail call to another function from within a constructor.
901
902         Re-enabled the tail calls and the related tail call tests.
903
904         Did some other miscellaneous clean up in the tail call code as part of the debugging.
905
906         * bytecompiler/BytecodeGenerator.cpp:
907         (JSC::BytecodeGenerator::BytecodeGenerator):
908         * ftl/FTLLowerDFGToLLVM.cpp:
909         (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
910         * interpreter/Interpreter.h:
911         (JSC::calleeFrameForVarargs):
912         * runtime/Options.h:
913         * tests/es6.yaml:
914         * tests/stress/dfg-tail-calls.js:
915         (nonInlinedTailCall.callee):
916         * tests/stress/mutual-tail-call-no-stack-overflow.js:
917         (shouldThrow):
918         * tests/stress/tail-call-in-inline-cache.js:
919         (tail):
920         * tests/stress/tail-call-no-stack-overflow.js:
921         (shouldThrow):
922         * tests/stress/tail-call-recognize.js:
923         (callerMustBeRun):
924         * tests/stress/tail-call-varargs-no-stack-overflow.js:
925         (shouldThrow):
926
927 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
928
929         Unreviewed. Attempted EFL build fix 2 after r191159.
930
931         * PlatformEfl.cmake:
932
933 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
934
935         Unreviewed. Attempted EFL build fix after r191159.
936
937         * PlatformEfl.cmake:
938
939 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
940
941         Unreviewed. Build fix after r191160.
942
943         * inspector/agents/InspectorHeapAgent.cpp:
944         (Inspector::InspectorHeapAgent::didGarbageCollect):
945
946 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
947
948         Unreviewed. Revert part of r191159 which caused ASSERTs.
949
950         A review comment suggested using WeakPtr. It is not suitable
951         here and causes ASSERTs across threads. Will address separately.
952
953         * inspector/agents/InspectorHeapAgent.h:
954         * inspector/agents/InspectorHeapAgent.cpp:
955         (Inspector::InspectorHeapAgent::didGarbageCollect):
956         (Inspector::InspectorHeapAgent::InspectorHeapAgent): Deleted.
957
958 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
959
960         Web Inspector: Include Garbage Collection Event in Timeline
961         https://bugs.webkit.org/show_bug.cgi?id=142510
962
963         Reviewed by Geoffrey Garen and Brian Burg.
964
965         * CMakeLists.txt:
966         * DerivedSources.make:
967         * JavaScriptCore.xcodeproj/project.pbxproj:
968         Include new files in the build.
969
970         * heap/HeapObserver.h:
971         (JSC::HeapObserver::~HeapObserver):
972         * heap/Heap.cpp:
973         (JSC::Heap::willStartCollection):
974         (JSC::Heap::didFinishCollection):
975         * heap/Heap.h:
976         (JSC::Heap::addObserver):
977         (JSC::Heap::removeObserver):
978         Allow observers on heap to add hooks for starting / ending garbage collection.
979
980         * inspector/InspectorEnvironment.h:
981         * inspector/JSGlobalObjectInspectorController.cpp:
982         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
983         (Inspector::JSGlobalObjectInspectorController::vm):
984         * inspector/JSGlobalObjectInspectorController.h:
985         Access the VM through the InspectorEnvironment as it won't change.
986
987         * inspector/agents/InspectorHeapAgent.cpp: Added.
988         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
989         (Inspector::InspectorHeapAgent::~InspectorHeapAgent):
990         (Inspector::InspectorHeapAgent::didCreateFrontendAndBackend):
991         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
992         (Inspector::InspectorHeapAgent::enable):
993         (Inspector::InspectorHeapAgent::disable):
994         (Inspector::InspectorHeapAgent::gc):
995         (Inspector::protocolTypeForHeapOperation):
996         (Inspector::InspectorHeapAgent::willGarbageCollect):
997         (Inspector::InspectorHeapAgent::didGarbageCollect):
998         * inspector/agents/InspectorHeapAgent.h: Added.
999         * inspector/protocol/Heap.json: Added.
1000         New domain and agent to handle tasks related to the JavaScriptCore heap.
1001
1002 2015-10-15  Commit Queue  <commit-queue@webkit.org>
1003
1004         Unreviewed, rolling out r191135.
1005         https://bugs.webkit.org/show_bug.cgi?id=150197
1006
1007         This patch causes 50+ LayoutTest crashes related to the
1008         inspector (Requested by ryanhaddad on #webkit).
1009
1010         Reverted changeset:
1011
1012         "Web Inspector: JavaScriptCore should parse sourceURL and
1013         sourceMappingURL directives"
1014         https://bugs.webkit.org/show_bug.cgi?id=150096
1015         http://trac.webkit.org/changeset/191135
1016
1017 2015-10-15  Geoffrey Garen  <ggaren@apple.com>
1018
1019         Unreviewed, rolling out r191003.
1020         https://bugs.webkit.org/show_bug.cgi?id=150042
1021
1022         We're seeing some crashes in GC beneath speculationFromCell. Maybe this
1023         patch caused them?
1024
1025         Reverted changeset:
1026
1027         CodeBlock write barriers should be precise
1028         https://bugs.webkit.org/show_bug.cgi?id=150042
1029         http://trac.webkit.org/changeset/191003
1030
1031 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1032
1033         Web Inspector: JavaScriptCore should parse sourceURL and sourceMappingURL directives
1034         https://bugs.webkit.org/show_bug.cgi?id=150096
1035
1036         Reviewed by Geoffrey Garen.
1037
1038         * inspector/ContentSearchUtilities.cpp:
1039         (Inspector::ContentSearchUtilities::scriptCommentPattern): Deleted.
1040         (Inspector::ContentSearchUtilities::findScriptSourceURL): Deleted.
1041         (Inspector::ContentSearchUtilities::findScriptSourceMapURL): Deleted.
1042         * inspector/ContentSearchUtilities.h:
1043         No longer need to search script content.
1044
1045         * inspector/ScriptDebugServer.cpp:
1046         (Inspector::ScriptDebugServer::dispatchDidParseSource):
1047         Carry over the sourceURL and sourceMappingURL from the SourceProvider.
1048
1049         * inspector/agents/InspectorDebuggerAgent.cpp:
1050         (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
1051         (Inspector::InspectorDebuggerAgent::didParseSource):
1052         No longer do content searching.
1053
1054         * parser/Lexer.cpp:
1055         (JSC::Lexer<T>::setCode):
1056         (JSC::Lexer<T>::skipWhitespace):
1057         (JSC::Lexer<T>::parseCommentDirective):
1058         (JSC::Lexer<T>::parseCommentDirectiveValue):
1059         (JSC::Lexer<T>::consume):
1060         (JSC::Lexer<T>::lex):
1061         * parser/Lexer.h:
1062         (JSC::Lexer::sourceURL):
1063         (JSC::Lexer::sourceMappingURL):
1064         (JSC::Lexer::sourceProvider): Deleted.
1065         Give lexer the ability to detect script comment directives.
1066         This just consumes characters in single line comments and
1067         ultimately sets the sourceURL or sourceMappingURL found.
1068
1069         * parser/Parser.h:
1070         (JSC::Parser<LexerType>::parse):
1071         * parser/SourceProvider.h:
1072         (JSC::SourceProvider::url):
1073         (JSC::SourceProvider::sourceURL):
1074         (JSC::SourceProvider::sourceMappingURL):
1075         (JSC::SourceProvider::setSourceURL):
1076         (JSC::SourceProvider::setSourceMappingURL):
1077         After parsing a script, update the Source Provider with the
1078         value of directives that may have been found in the script.
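Added example, not WebKit's lexer: a small scanner that does what the entry above describes, finding `sourceURL=` and `sourceMappingURL=` directives in single-line comments only, while skipping string literals and block comments so that look-alikes there are not mistaken for directives. It assumes the directive form `//# name=value` (or the older `//@ name=value`) with the last directive of each kind winning; regular-expression literals and template substitutions are not modelled, which a real lexer must handle.

```javascript
// Constructed sample input: look-alikes inside a string and a block comment,
// an ordinary comment, an old-style directive, and two current-style ones.
const SAMPLE = [
  'const notADirective = "//# sourceURL=inside-a-string.js";',
  '/* //# sourceURL=inside-a-block-comment.js */',
  'function f() { return 1; } // trailing comment, no directive',
  '//@ sourceMappingURL=old-style.map',
  '//# sourceMappingURL=app.js.map',
  '//# sourceURL=app.js',
].join('\n');

// A directive occupies the whole comment body: `#` or `@` right after the
// `//`, one space, the directive name, `=`, and a value with no whitespace.
function applyDirective(commentBody, result) {
  const m = /^[#@] (sourceURL|sourceMappingURL)=(\S+)\s*$/.exec(commentBody);
  if (m) result[m[1]] = m[2]; // a later directive overrides an earlier one
}

// Scan the source once, only ever looking at single-line comment bodies.
function parseCommentDirectives(source) {
  const result = { sourceURL: null, sourceMappingURL: null };
  const n = source.length;
  let i = 0;

  while (i < n) {
    const c = source[i];

    // String literal: skip to the matching quote, honouring backslash escapes,
    // so a "//#" inside a string is never treated as a comment.
    if (c === '"' || c === "'" || c === '`') {
      i += 1;
      while (i < n && source[i] !== c) {
        if (source[i] === '\\') i += 1;
        i += 1;
      }
      i += 1; // step past the closing quote
      continue;
    }

    // Block comment: directives are not recognised here, skip to the `*/`.
    if (c === '/' && source[i + 1] === '*') {
      const end = source.indexOf('*/', i + 2);
      i = end === -1 ? n : end + 2;
      continue;
    }

    // Single-line comment: hand its body (up to the line terminator) to the
    // directive matcher, then resume at the terminator.
    if (c === '/' && source[i + 1] === '/') {
      let end = i + 2;
      while (end < n && source[end] !== '\n' && source[end] !== '\r') end += 1;
      applyDirective(source.slice(i + 2, end), result);
      i = end;
      continue;
    }

    i += 1;
  }
  return result;
}
```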
1079
1080 2015-10-15  Filip Pizlo  <fpizlo@apple.com>
1081
1082         InferredTypeTable should ref its keys
1083         https://bugs.webkit.org/show_bug.cgi?id=150138
1084         rdar://problem/23080555
1085
1086         Reviewed by Michael Saboff.
1087
1088         InferredTypeTable was incorrectly using key hash traits that caused the underlying HashTable to
1089         store keys as UniquedStringImpl* rather than RefPtr<UniquedStringImpl>, even though the HashMap's
1090         nominal key type was RefPtr<UniquedStringImpl>. This arose because I copy-pasted the HashMap type
1091         instantiation from other places and then made random changes to adapt it to my needs, rather than
1092         actually thinking about what I was doing. The solution is to remove the key hash traits argument,
1093         since all it accomplishes is to produce this bug.
1094
1095         The way this bug manifested is probably best described in http://webkit.org/b/150008. After a while
1096         the InferredTypeTable would have dangling references to its strings, if some recompilation or other
1097         thing caused us to drop all other references to those strings. InferredTypeTable is particularly
1098         susceptible to this because it is designed to know about a superset of the property names that its
1099         client Structures know about. The debug assert would then happen when we rehashed the
1100         InferredTypeTable's HashMap, because we'd try to get the hashes of strings that were already
1101         deleted. AFAICT, we didn't have release crashes arising from those strings' memory being returned
1102         to the OS - but it's totally possible that this could have happened. So, we definitely should treat
1103         this bug as more than just a debug issue.
1104
1105         Interestingly, we could have also solved this problem by changing the hash function to use PtrHash.
1106         In all other ways, it's OK for InferredTypeTable to hold dangling references, since it uses the
1107         address of the UniquedStringImpl as a way to name an abstract heap. It's fine if the name of an
1108         abstract heap is a bogus memory address, and it's also fine if that name referred to an entirely
1109         different UniquedStringImpl at some point in the past. That's a nice benefit of any data structure
1110         that keys by abstract heap - if two of them get unified then it's no big deal. I've filed another
1111         bug, http://webkit.org/b/150137 about changing all of our UniquedStringImpl* hashing to use
1112         PtrHash.
1113
1114         * runtime/Identifier.h: Add a comment about http://webkit.org/b/150137.
1115         * runtime/InferredTypeTable.h: Fix the bug.
1116         * tests/stress/inferred-type-table-stale-identifiers.js: Added. I couldn't get this to cause a crash before my change, but it's an interesting test nonetheless.
1117
1118 2015-10-15  Mark Lam  <mark.lam@apple.com>
1119
1120         Add MASM_PROBE support for ARM64.
1121         https://bugs.webkit.org/show_bug.cgi?id=150128
1122
1123         Reviewed by Michael Saboff.
1124
1125         * JavaScriptCore.xcodeproj/project.pbxproj:
1126         * assembler/ARM64Assembler.h:
1127         - Convert the ARM64 registers enum list into a macro list so that we can use
1128           it elsewhere e.g. to declare fields in the probe CPUState.
1129           Also de-tabbed the contents of the ARM64Registers namespace since the enum
1130           list change touches almost all of it anyway. This reduces the amount of
1131           complaints from the style checker.
1132
1133         * assembler/AbstractMacroAssembler.h:
1134         (JSC::AbstractMacroAssembler::CPUState::registerName):
1135         (JSC::AbstractMacroAssembler::CPUState::registerValue):
1136         - Change CPUState methods to allow for register IDs that do not map to one of
1137           its fields. This is needed because ARM64's registers include aliases for some
1138           register names. The CPUState will not allocate separate storage for the
1139           aliases. 
1140
1141         * assembler/MacroAssemblerARM64.cpp: Added.
1142         (JSC::arm64ProbeTrampoline):
1143         - Unlike the probe mechanism for other CPUs, the ARM64 implementation does not
1144           allow the probe function to modify the sp and pc registers.  We insert this
1145           wrapper function between ctiMasmProbeTrampoline() and the user's probe function
1146           so that we can check if the user tried to modify sp and pc.  If so, we will
1147           print an error message so that we can alert the user that we don't support
1148           that on ARM64.
1149
1150           See the comment in ctiMasmProbeTrampoline() in JITStubsARM64.h for details
1151           on why we cannot support sp and pc modifications by the probe function.
1152
1153         (JSC::MacroAssemblerARM64::probe):
1154
1155         * assembler/MacroAssemblerARM64.h:
1156         (JSC::MacroAssemblerARM64::repatchCall):
1157         (JSC::MacroAssemblerARM64::makeBranch):
1158         * jit/JITStubs.cpp:
1159         * jit/JITStubsARM64.h: Added.
1160
1161 2015-10-15  Mark Lam  <mark.lam@apple.com>
1162
1163         Fix some typos in comments.
1164         https://bugs.webkit.org/show_bug.cgi?id=150181
1165
1166         Rubber stamped by Michael Saboff.
1167
1168         * jit/JITStubsARM.h:
1169         * jit/JITStubsARMv7.h:
1170
1171 2015-10-15  Mark Lam  <mark.lam@apple.com>
1172
1173         Refactoring: give the MASM probe CPUState methods shorter names.
1174         https://bugs.webkit.org/show_bug.cgi?id=150177
1175
1176         Reviewed by Michael Saboff.
1177
1178         The existing names are longer than they need to be.  Renaming them as follows:
1179             For GPR, registerName ==> gprName
1180             For GPR, registerValue ==> gpr
1181             For FPR, registerName ==> fprName
1182             For FPR, registerValue ==> fpr
1183
1184         * assembler/AbstractMacroAssembler.h:
1185         (JSC::AbstractMacroAssembler::CPUState::gprName):
1186         (JSC::AbstractMacroAssembler::CPUState::fprName):
1187         (JSC::AbstractMacroAssembler::CPUState::gpr):
1188         (JSC::AbstractMacroAssembler::CPUState::fpr):
1189         (JSC::AbstractMacroAssembler::CPUState::registerName): Deleted.
1190         (JSC::AbstractMacroAssembler::CPUState::registerValue): Deleted.
1191
1192         * assembler/MacroAssemblerPrinter.cpp:
1193         (JSC::printRegister):
1194         (JSC::printMemory):
1195         - Updated to use the new names.
1196
1197 2015-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1198
1199         [ES6] Class expression should have lexical environment that has itself as an immutable binding
1200         https://bugs.webkit.org/show_bug.cgi?id=150089
1201
1202         Reviewed by Geoffrey Garen.
1203
1204         According to ES6 spec, class expression has its own lexical environment that holds itself
1205         as an immutable binding[1] (section 14.5.14 step 2, 3, 4, 23).
1206
1207         As a result, even if the binding declared in the outer scope is overridden, methods inside a
1208         class expression can refer to its class by the class name.
1209
1210         [1]: http://ecma-international.org/ecma-262/6.0/#sec-runtime-semantics-classdefinitionevaluation
1211
1212         * bytecompiler/NodesCodegen.cpp:
1213         (JSC::ClassExprNode::emitBytecode):
1214         * parser/ASTBuilder.h:
1215         (JSC::ASTBuilder::createClassExpr):
1216         * parser/NodeConstructors.h:
1217         (JSC::ClassExprNode::ClassExprNode):
1218         * parser/Nodes.h:
1219         * parser/Parser.cpp:
1220         (JSC::Parser<LexerType>::parseClass):
1221         * parser/SyntaxChecker.h:
1222         (JSC::SyntaxChecker::createClassExpr):
1223         * tests/es6.yaml:
1224         * tests/stress/class-expression-generates-environment.js: Added.
1225         (shouldBe):
1226         (shouldThrow):
1227         (prototype.method):
1228         (staticMethod):
1229         (A.prototype.method):
1230         (A.staticMethod):
1231         (A):
1232         * tests/stress/class-expression-should-be-tdz-in-heritage.js: Added.
1233         (shouldThrow):
1234         (shouldThrow.A):
1235
1236 2015-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1237
1238         [ES6] Class method should not declare any variables to upper scope.
1239         https://bugs.webkit.org/show_bug.cgi?id=150115
1240
1241         Reviewed by Geoffrey Garen.
1242
1243         In the current implementation, class methods attempt to declare variables to an upper scope with their method names.
1244         But this is not specified behavior in the ES6 spec.
1245
1246         And as a result, previously, we attempted to declare variables with invalid identifiers.
1247         For example, `class A { 1() { } }` attempts to declare a variable with name `1`.
1248         This (declaring variables with incorrect names) is not allowed in the lexical environment.
1249         And it fires assertions in https://bugs.webkit.org/show_bug.cgi?id=150089.
1250
1251         * parser/Parser.cpp:
1252         (JSC::Parser<LexerType>::parseClass): Deleted.
1253         * tests/stress/class-method-does-not-declare-variable-to-upper-scope.js: Added.
1254         (shouldBe):
1255         (A.prototype.method):
1256         (A.staticMethod):
1257         (A):
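Added example, not WebKit code: the ES6 class scoping rules described in the two class-related entries above (the class expression's own immutable binding, its temporal dead zone during the heritage clause, and method names not leaking into the enclosing scope), checked as observable script behaviour.

```javascript
// 1) A class expression has its own lexical environment holding its name as
//    an immutable binding, so methods keep seeing the class even after the
//    outer variable of the same name is reassigned.
function classExpressionKeepsOwnBinding() {
  let A = class A {
    static self() { return A; }        // resolves to the class's own binding
    static tryRebind() { A = null; }   // that binding is immutable
  };
  const original = A;
  A = { impostor: true };              // only the outer `A` is rebound

  let rebindError = null;
  try {
    original.tryRebind();
  } catch (e) {
    rebindError = e;
  }
  return {
    innerStillOriginal: original.self() === original,
    rebindThrowsTypeError: rebindError instanceof TypeError,
  };
}

// 2) That inner binding is in its temporal dead zone while the `extends`
//    clause is evaluated, so naming the class in its own heritage throws.
function classNameIsTdzInHeritage() {
  try {
    const B = class B extends B {};
    return typeof B === 'never reached'; // the heritage clause throws first
  } catch (e) {
    return e instanceof ReferenceError;
  }
}

// 3) Method names live on the prototype (or the constructor) only; they do
//    not become variables in the enclosing scope, which is also why a numeric
//    method name such as `1` is fine.
function methodNamesDoNotLeak() {
  class A {
    method() { return 'method'; }
    1() { return 'one'; }
    static staticMethod() { return 'static'; }
  }
  return {
    methodNotDeclared: typeof method === 'undefined',
    staticNotDeclared: typeof staticMethod === 'undefined',
    numericNameWorks: new A()[1]() === 'one',
    prototypeHasMethod: typeof A.prototype.method === 'function',
  };
}
```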
1258
1259 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
1260
1261         REGRESSION: Web Inspector hangs for many seconds when trying to reload page
1262         https://bugs.webkit.org/show_bug.cgi?id=150065
1263
1264         Reviewed by Mark Lam.
1265
1266         When debugging Web Pages, the same Debugger (PageScriptDebugServer) is
1267         attached to each of the different JSGlobalObjects on the page. This could
1268         mean multiple frames or isolated scripting contexts. Therefore we should
1269         only need to send sourceParsed events to the frontend for scripts within
1270         this new JSGlobalObject, not any JSGlobalObject that has this debugger.
1271
1272         * debugger/Debugger.cpp:
1273         (JSC::Debugger::attach):
1274         Only send sourceParsed events for Scripts in this JSGlobalObject.
1275
1276 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
1277
1278         Remove unimplemented methods in CopiedSpace
1279         https://bugs.webkit.org/show_bug.cgi?id=150143
1280
1281         Reviewed by Andreas Kling.
1282
1283         * heap/CopiedSpace.h:
1284
1285 2015-10-14  Brent Fulgham  <bfulgham@apple.com>
1286
1287         [Win] Enforce launcher/library naming scheme
1288         https://bugs.webkit.org/show_bug.cgi?id=150124
1289
1290         Reviewed by Alex Christensen.
1291
1292         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Look for
1293         {name}Lib.dll instead of {name}.dll.
1294         (wWinMain):
1295         * shell/PlatformWin.cmake: Add 'Lib' suffix to DLLs.
1296
1297 2015-10-14  Keith Miller  <keith_miller@apple.com>
1298
1299         ES6 Fix TypedArray constructors.
1300         https://bugs.webkit.org/show_bug.cgi?id=149975
1301
1302         Reviewed by Geoffrey Garen.
1303
1304         The ES6 spec requires that any object argument passed to a TypedArray constructor that is not a TypedArray
1305         and has an iterator should use the iterator to construct the TypedArray. To avoid performance regressions related
1306         to iterating we check if the iterator attached to the object points to the generic array iterator and length is a value.
1307         If so, we do not use the iterator since there should be no observable difference. Another interesting note is
1308         that the ES6 spec has the of and from functions on a shared constructor between all the TypedArray constructors.
1309         When the TypedArray is constructed the expectation is to crawl the prototype chain of the this value
1310         passed to the function. If the function finds a known TypedArray constructor (Int32Array, Float64Array,...) then
1311         it creates a TypedArray of that type. This is implemented by adding a private function (@allocateTypedArray) to each
1312         of the constructors that can be called in order to construct the array. By using the private functions the JIT should
1313         hopefully be able to optimize this to a direct call.
1314
1315         * CMakeLists.txt:
1316         * JavaScriptCore.xcodeproj/project.pbxproj:
1317         * builtins/TypedArrayConstructor.js: Added.
1318         (of):
1319         (from):
1320         (allocateInt8Array):
1321         (allocateInt16Array):
1322         (allocateInt32Array):
1323         (allocateUint32Array):
1324         (allocateUint16Array):
1325         (allocateUint8Array):
1326         (allocateUint8ClampedArray):
1327         (allocateFloat32Array):
1328         (allocateFloat64Array):
1329         * runtime/CommonIdentifiers.h:
1330         * runtime/JSDataView.cpp:
1331         (JSC::JSDataView::setIndex):
1332         * runtime/JSDataView.h:
1333         * runtime/JSGenericTypedArrayView.h:
1334         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue):
1335         * runtime/JSGenericTypedArrayViewConstructor.h:
1336         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1337         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
1338         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::create):
1339         (JSC::constructGenericTypedArrayViewFromIterator):
1340         (JSC::constructGenericTypedArrayView):
1341         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1342         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1343         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1344         * runtime/JSGlobalObject.cpp:
1345         (JSC::JSGlobalObject::init):
1346         * runtime/JSTypedArrayViewConstructor.cpp: Added.
1347         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
1348         (JSC::JSTypedArrayViewConstructor::finishCreation):
1349         (JSC::JSTypedArrayViewConstructor::create):
1350         (JSC::JSTypedArrayViewConstructor::createStructure):
1351         (JSC::constructTypedArrayView):
1352         (JSC::JSTypedArrayViewConstructor::getConstructData):
1353         (JSC::JSTypedArrayViewConstructor::getCallData):
1354         * runtime/JSTypedArrayViewConstructor.h: Copied from Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructor.h.
1355         * runtime/JSTypedArrayViewPrototype.cpp:
1356         (JSC::JSTypedArrayViewPrototype::create):
1357         * tests/es6.yaml:
1358         * tests/stress/resources/typedarray-constructor-helper-functions.js: Added.
1359         (forEachTypedArray):
1360         (hasSameValues):
1361         (foo):
1362         (testConstructorFunction):
1363         (testConstructor):
1364         * tests/stress/typedarray-constructor.js: Added.
1365         (A):
1366         (iterator.return.next):
1367         (iterator):
1368         (obj.valueOf):
1369         (iterator2.return.next):
1370         (iterator2):
1371         * tests/stress/typedarray-from.js: Added.
1372         (even):
1373         (isBigEnoughAndException):
1374         * tests/stress/typedarray-of.js: Added.
1375
1376 2015-10-14  Mark Lam  <mark.lam@apple.com>
1377
1378         Rename some JSC option names to be more uniform.
1379         https://bugs.webkit.org/show_bug.cgi?id=150127
1380
1381         Reviewed by Geoffrey Garen.
1382
1383         Renaming JSC_enableXXX options to JSC_useXXX, and JSC_showXXX options to JSC_dumpXXX.
1384         Also renaming a few other miscellaneous options, to abide by this scheme.
1385
1386         Also renaming some functions to match the option names where relevant.
1387
1388         * API/tests/ExecutionTimeLimitTest.cpp:
1389         (testExecutionTimeLimit):
1390         * assembler/AbstractMacroAssembler.h:
1391         (JSC::optimizeForARMv7IDIVSupported):
1392         (JSC::optimizeForARM64):
1393         (JSC::optimizeForX86):
1394         * assembler/LinkBuffer.cpp:
1395         (JSC::shouldDumpDisassemblyFor):
1396         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1397         (JSC::shouldShowDisassemblyFor): Deleted.
1398         * assembler/LinkBuffer.h:
1399         * bytecode/CodeBlock.cpp:
1400         (JSC::CodeBlock::jettison):
1401         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
1402         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
1403         * bytecompiler/BytecodeGenerator.cpp:
1404         (JSC::BytecodeGenerator::BytecodeGenerator):
1405         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
1406         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::fire):
1407         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
1408         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
1409         * dfg/DFGByteCodeParser.cpp:
1410         (JSC::DFG::ByteCodeParser::handleInlining):
1411         (JSC::DFG::ByteCodeParser::handleGetById):
1412         (JSC::DFG::ByteCodeParser::handlePutById):
1413         (JSC::DFG::ByteCodeParser::parse):
1414         * dfg/DFGCommon.h:
1415         (JSC::DFG::leastUpperBound):
1416         (JSC::DFG::shouldDumpDisassembly):
1417         (JSC::DFG::shouldShowDisassembly): Deleted.
1418         * dfg/DFGDriver.cpp:
1419         (JSC::DFG::compileImpl):
1420         * dfg/DFGJITCompiler.cpp:
1421         (JSC::DFG::JITCompiler::JITCompiler):
1422         (JSC::DFG::JITCompiler::disassemble):
1423         * dfg/DFGJumpReplacement.cpp:
1424         (JSC::DFG::JumpReplacement::fire):
1425         * dfg/DFGOSREntry.cpp:
1426         (JSC::DFG::prepareOSREntry):
1427         * dfg/DFGOSRExitCompiler.cpp:
1428         * dfg/DFGOSRExitFuzz.h:
1429         (JSC::DFG::doOSRExitFuzzing):
1430         * dfg/DFGPlan.cpp:
1431         (JSC::DFG::Plan::compileInThreadImpl):
1432         * dfg/DFGSpeculativeJIT.cpp:
1433         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
1434         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1435         (JSC::DFG::TierUpCheckInjectionPhase::run):
1436         * ftl/FTLCompile.cpp:
1437         (JSC::FTL::mmAllocateDataSection):
1438         * ftl/FTLJITCode.cpp:
1439         (JSC::FTL::JITCode::~JITCode):
1440         * ftl/FTLLowerDFGToLLVM.cpp:
1441         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1442         * ftl/FTLOSRExitCompiler.cpp:
1443         (JSC::FTL::compileStub):
1444         (JSC::FTL::compileFTLOSRExit):
1445         * ftl/FTLState.h:
1446         (JSC::FTL::verboseCompilationEnabled):
1447         (JSC::FTL::shouldDumpDisassembly):
1448         (JSC::FTL::shouldShowDisassembly): Deleted.
1449         * heap/Heap.cpp:
1450         (JSC::Heap::addToRememberedSet):
1451         (JSC::Heap::didFinishCollection):
1452         (JSC::Heap::shouldDoFullCollection):
1453         * heap/Heap.h:
1454         (JSC::Heap::isDeferred):
1455         (JSC::Heap::structureIDTable):
1456         * heap/HeapStatistics.cpp:
1457         (JSC::StorageStatistics::storageCapacity):
1458         (JSC::HeapStatistics::dumpObjectStatistics):
1459         (JSC::HeapStatistics::showObjectStatistics): Deleted.
1460         * heap/HeapStatistics.h:
1461         * interpreter/StackVisitor.cpp:
1462         (JSC::StackVisitor::Frame::createArguments):
1463         * jit/AssemblyHelpers.cpp:
1464         (JSC::AssemblyHelpers::callExceptionFuzz):
1465         * jit/ExecutableAllocationFuzz.cpp:
1466         (JSC::doExecutableAllocationFuzzing):
1467         * jit/ExecutableAllocationFuzz.h:
1468         (JSC::doExecutableAllocationFuzzingIfEnabled):
1469         * jit/JIT.cpp:
1470         (JSC::JIT::privateCompile):
1471         * jit/JITCode.cpp:
1472         (JSC::JITCodeWithCodeRef::~JITCodeWithCodeRef):
1473         * jit/PolymorphicCallStubRoutine.cpp:
1474         (JSC::PolymorphicCallNode::unlink):
1475         (JSC::PolymorphicCallNode::clearCallLinkInfo):
1476         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1477         * jit/Repatch.cpp:
1478         (JSC::linkFor):
1479         (JSC::unlinkFor):
1480         (JSC::linkVirtualFor):
1481         * jsc.cpp:
1482         (functionEnableExceptionFuzz):
1483         (jscmain):
1484         * llvm/InitializeLLVM.cpp:
1485         (JSC::initializeLLVMImpl):
1486         * runtime/ExceptionFuzz.cpp:
1487         (JSC::doExceptionFuzzing):
1488         * runtime/ExceptionFuzz.h:
1489         (JSC::doExceptionFuzzingIfEnabled):
1490         * runtime/JSGlobalObject.cpp:
1491         (JSC::JSGlobalObject::init):
1492         * runtime/Options.cpp:
1493         (JSC::recomputeDependentOptions):
1494         (JSC::Options::initialize):
1495         (JSC::Options::dumpOptionsIfNeeded):
1496         (JSC::Options::setOption):
1497         (JSC::Options::dumpAllOptions):
1498         (JSC::Options::dumpAllOptionsInALine):
1499         (JSC::Options::dumpOption):
1500         * runtime/Options.h:
1501         * runtime/VM.cpp:
1502         (JSC::VM::VM):
1503         * runtime/VM.h:
1504         (JSC::VM::exceptionFuzzingBuffer):
1505         * runtime/WriteBarrierInlines.h:
1506         (JSC::WriteBarrierBase<T>::set):
1507         (JSC::WriteBarrierBase<Unknown>::set):
1508         * tests/executableAllocationFuzz.yaml:
1509         * tests/stress/arrowfunction-typeof.js:
1510         * tests/stress/disable-function-dot-arguments.js:
1511         (foo):
1512         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js:
1513         (sqrtOnInteger):
1514         * tests/stress/regress-148564.js:
1515
1516 2015-10-14  Mark Lam  <mark.lam@apple.com>
1517
1518         Speculative build fix: the CallSiteIndex constructor is explicit and requires a uint32_t.
1519
1520         Not Reviewed.
1521
1522         * bytecode/CodeBlock.cpp:
1523         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
1524
1525 2015-10-14  Commit Queue  <commit-queue@webkit.org>
1526
1527         Unreviewed, rolling out r191030.
1528         https://bugs.webkit.org/show_bug.cgi?id=150116
1529
1530         caused js/class-syntax-method-names.html to crash on debug
1531         builds (Requested by alexchristensen_ on #webkit).
1532
1533         Reverted changeset:
1534
1535         "[ES6] Class expression should have lexical environment that
1536         has itself as an immutable binding"
1537         https://bugs.webkit.org/show_bug.cgi?id=150089
1538         http://trac.webkit.org/changeset/191030
1539
1540 2015-10-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1541
1542         [ES6] Class expression should have lexical environment that has itself as an immutable binding
1543         https://bugs.webkit.org/show_bug.cgi?id=150089
1544
1545         Reviewed by Geoffrey Garen.
1546
1547         According to the ES6 spec, a class expression has its own lexical environment that holds itself
1548         as an immutable binding [1] (section 14.5.14, steps 2, 3, 4, 23).
1549
1550         As a result, even if the binding declared in the outer scope is overridden, methods inside the
1551         class expression can refer to its class by the class name.
1552
1553         [1]: http://ecma-international.org/ecma-262/6.0/#sec-runtime-semantics-classdefinitionevaluation
1554
1555         * bytecompiler/NodesCodegen.cpp:
1556         (JSC::ClassExprNode::emitBytecode):
1557         * parser/ASTBuilder.h:
1558         (JSC::ASTBuilder::createClassExpr):
1559         * parser/NodeConstructors.h:
1560         (JSC::ClassExprNode::ClassExprNode):
1561         * parser/Nodes.h:
1562         * parser/Parser.cpp:
1563         (JSC::Parser<LexerType>::parseClass):
1564         * parser/SyntaxChecker.h:
1565         (JSC::SyntaxChecker::createClassExpr):
1566         * tests/es6.yaml:
1567         * tests/stress/class-expression-generates-environment.js: Added.
1568         (shouldBe):
1569         (shouldThrow):
1570         (prototype.method):
1571         (staticMethod):
1572         (A.prototype.method):
1573         (A.staticMethod):
1574         (A):
1575         * tests/stress/class-expression-should-be-tdz-in-heritage.js: Added.
1576         (shouldThrow):
1577         (shouldThrow.A):
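
        The class-name binding behaviour described in this entry, as an added example that is not
        part of the ChangeLog or of the JSC stress tests it lists (function names are my own):

```javascript
'use strict';

// 1. The inner "A" binding lives in the class's own lexical environment, so
//    overriding the outer binding named A does not change what the methods see.
function innerBindingSurvivesOuterOverride() {
  let A = class A {
    method() { return A; }              // resolves to the inner binding
    static staticMethod() { return A; } // same for static methods
  };
  const saved = A;
  A = 42; // override the outer binding; the inner one is untouched
  return new saved().method() === saved && saved.staticMethod() === saved;
}

// 2. The inner binding is immutable. Class bodies are strict code, so an
//    assignment to it throws a TypeError instead of silently failing.
function innerBindingIsImmutable() {
  const C = class A {
    static rebind() { A = null; } // attempt to overwrite the inner binding
  };
  try {
    C.rebind();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// 3. The heritage clause is evaluated in the class scope while the inner
//    binding is still in its temporal dead zone, so `class A extends A {}`
//    throws a ReferenceError rather than resolving to an outer A.
function heritageSeesTdz() {
  try {
    const A = class A extends A {};
    return typeof A === 'undefined'; // unreachable: the expression throws
  } catch (e) {
    return e instanceof ReferenceError;
  }
}
```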
1578
1579 2015-10-13  Saam barati  <sbarati@apple.com>
1580
1581         We were creating a GCAwareJITStubRoutineWithExceptionHandler when we didn't actually have an exception handler in the CodeBlock's exception handler table
1582         https://bugs.webkit.org/show_bug.cgi?id=150016
1583
1584         Reviewed by Geoffrey Garen.
1585
1586         There was a bug where we created a GCAwareJITStubRoutineWithExceptionHandler
1587         for inline caches that were custom setters/getters (but not JS getters/setters).
1588         This is wrong; we only create GCAwareJITStubRoutineWithExceptionHandler when we have
1589         an inline cache with a JS getter/setter call which causes the inline cache to add itself
1590         to the CodeBlock's exception handling table. The problem was that we created
1591         a GCAwareJITStubRoutineWithExceptionHandler that tried to remove itself from
1592         the exception handler table only to find out that it didn't have an entry in the table.
1593
1594         * bytecode/PolymorphicAccess.cpp:
1595         (JSC::PolymorphicAccess::regenerate):
1596
1597 2015-10-13  Joseph Pecoraro  <pecoraro@apple.com>
1598
1599         Simplify WeakBlock visit and reap phases
1600         https://bugs.webkit.org/show_bug.cgi?id=150045
1601
1602         Reviewed by Geoffrey Garen.
1603
1604         WeakBlock visiting and reaping both happen after MarkedBlock marking.
1605         All the MarkedBlocks we encounter should be either Marked or Retired.
1606
1607         * heap/MarkedBlock.h:
1608         (JSC::MarkedBlock::isMarkedOrRetired):
1609         * heap/WeakBlock.cpp:
1610         (JSC::WeakBlock::visit):
1611         (JSC::WeakBlock::reap):
1612         * heap/WeakBlock.h:
1613
1614 2015-10-12  Geoffrey Garen  <ggaren@apple.com>
1615
1616         CodeBlock write barriers should be precise
1617         https://bugs.webkit.org/show_bug.cgi?id=150042
1618
1619         Reviewed by Saam Barati.
1620
1621         CodeBlock performs lots of unnecessary write barriers. This wastes
1622         performance and makes the code a bit harder to follow, and it might mask
1623         important bugs. Now is a good time to unmask important bugs.
1624
1625         * bytecode/CodeBlock.h:
1626         (JSC::CodeBlockSet::mark): Don't write barrier all CodeBlocks on the
1627         stack. Only CodeBlocks that do value profiling need write barriers, and
1628         they do those themselves.
1629
1630         In steady state, when most of our CodeBlocks are old and FTL-compiled,
1631         and we're doing eden GC's, we should almost never visit a CodeBlock.
1632
1633         * dfg/DFGOSRExitCompilerCommon.cpp:
1634         (JSC::DFG::osrWriteBarrier):
1635         (JSC::DFG::adjustAndJumpToTarget): Don't write barrier all inlined
1636         CodeBlocks on exit. That's not necessary. Instead, write barrier the 
1637         CodeBlock(s) we will exit to, along with the one we will write a value
1638         profile to.
1639
1640 2015-10-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1641
1642         REGRESSION: ASSERT (impl->isAtomic()) @ facebook.com
1643         https://bugs.webkit.org/show_bug.cgi?id=149965
1644
1645         Reviewed by Geoffrey Garen.
1646
1647         Edge filtering for CheckIdent ensures that a given value is either Symbol or StringIdent.
1648         However, this filtering is not applied to CheckIdent when propagating a constant value in
1649         the constant folding phase. As a result, it is not guaranteed that a constant value
1650         propagated in constant folding is Symbol or StringIdent.
1651
1652         * dfg/DFGConstantFoldingPhase.cpp:
1653         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1654
1655 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1656
1657         Unreviewed, register symbol structure to fix Debug build
1658         https://bugs.webkit.org/show_bug.cgi?id=149622
1659
1660         Since InferredTypes for String or Symbol claim that they don't have any structure,
1661         `registerInferredType` does not register the structure for Symbol.
1662         We take a similar approach to String to fix this issue: registering the Symbol structure
1663         explicitly in DFGStructureRegistrationPhase, because
1664
1665         1. InferredType::structure is only allowed for ObjectWithStructure / ObjectWithStructureOrOther.
1666            It looks clear to me that only ObjectWithStructure has structure.
1667         2. Symbol is a primitive value similar to String, so handling its structure in a similar way to String is nice.
1668
1669         * dfg/DFGStructureRegistrationPhase.cpp:
1670         (JSC::DFG::StructureRegistrationPhase::run):
1671
1672 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1673
1674         Iterator loops over key twice after delete
1675         https://bugs.webkit.org/show_bug.cgi?id=149811
1676
1677         Reviewed by Geoffrey Garen.
1678
1679         When an object is in dictionary mode, JSPropertyNameEnumerator collects property names through generic property name enumeration `getPropertyNames`.
1680         The result vector contains indexed property names. But in this case, `publicLength()` may not be 0.
1681         So without disabling indexed names enumeration phase explicitly, JSPropertyNameEnumerator produces indexed property names twice.
1682         One in indexed name enumeration phase, and another in generic property name enumeration phase.
1683         This patch disables indexed names enumeration by setting `indexedLength` to 0 when collecting names through generic property name enumeration.
1684
1685         * runtime/JSPropertyNameEnumerator.h:
1686         (JSC::propertyNameEnumerator):
1687         * tests/stress/property-name-enumerator-should-not-look-into-indexed-values-when-it-is-a-dictionary.js: Added.
1688         (shouldBe):
1689         (col2.of.Reflect.enumerate):
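
        A check for the invariant this fix restores, that enumeration yields each key exactly once
        even for an object with both indexed and named properties that has been pushed into
        dictionary mode. Added example, not the ChangeLog's or JSC's own test code; it uses for-in
        (which in JSC goes through the same property-name enumerator) because Reflect.enumerate is
        no longer available in current engines:

```javascript
// Collect the keys for-in produces, in order.
function forInKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

// Keys that appear more than once in a key list (empty when enumeration is sane).
function duplicateKeys(keys) {
  const seen = new Set();
  const dups = new Set();
  for (const k of keys) (seen.has(k) ? dups : seen).add(k);
  return [...dups];
}

// Constructed object mixing indexed and named properties. Deleting a named
// property is what moves a JSC object's structure into dictionary mode, the
// case described above, while leaving the indexed storage non-empty.
function buildDictionaryModeObject() {
  const obj = { 0: 'zero', 1: 'one', a: 'A', b: 'B', c: 'C' };
  delete obj.b;   // dictionary mode from here on
  obj.d = 'D';    // a later add must still appear exactly once
  return obj;
}
```

With the fix, `forInKeys(buildDictionaryModeObject())` is `['0', '1', 'a', 'c', 'd']`; the bug produced the indexed keys `'0'` and `'1'` a second time.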
1690
1691 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1692
1693         Introduce Symbol type for property type inference
1694         https://bugs.webkit.org/show_bug.cgi?id=149622
1695
1696         Reviewed by Geoffrey Garen.
1697
1698         This patch introduces Symbol type into property type inference.
1699         One of the use cases of ES6 Symbol is enum value. In this case,
1700         we may hold different symbols as the same property of the same structure.
1701         Current property type inference does not support Symbol type, so in the
1702         above case, the property will be inferred as Top type.
1703
1704         * bytecode/PutByIdFlags.h:
1705         * dfg/DFGAbstractValue.cpp:
1706         (JSC::DFG::AbstractValue::set):
1707         * dfg/DFGInferredTypeCheck.cpp:
1708         (JSC::DFG::insertInferredTypeCheck):
1709         * ftl/FTLLowerDFGToLLVM.cpp:
1710         (JSC::FTL::DFG::LowerDFGToLLVM::checkInferredType):
1711         * jit/AssemblyHelpers.cpp:
1712         (JSC::AssemblyHelpers::branchIfNotType):
1713         * llint/LLIntData.cpp:
1714         (JSC::LLInt::Data::performAssertions):
1715         * llint/LowLevelInterpreter.asm:
1716         * llint/LowLevelInterpreter32_64.asm:
1717         * llint/LowLevelInterpreter64.asm:
1718         * runtime/InferredType.cpp:
1719         (JSC::InferredType::kindForFlags):
1720         (JSC::InferredType::Descriptor::forValue):
1721         (JSC::InferredType::Descriptor::putByIdFlags):
1722         (JSC::InferredType::Descriptor::merge):
1723         (WTF::printInternal):
1724         * runtime/InferredType.h:
1725         * tests/stress/prop-type-symbol-then-object.js: Added.
1726         (foo):
1727         (bar):
1728         (toString):
1729         * tests/stress/prop-type-symbol-then-string.js: Added.
1730         (foo):
1731         (bar):
1732
1733 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
1734
1735         Web Inspector: Rebaseline Inspector generator tests and make better use of RWIProtocol constant
1736         https://bugs.webkit.org/show_bug.cgi?id=150044
1737
1738         Reviewed by Brian Burg.
1739
1740         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1741         (ObjCConfigurationHeaderGenerator.generate_output):
1742         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1743         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1744         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1745         * inspector/scripts/codegen/generate_objc_header.py:
1746         (ObjCHeaderGenerator.generate_output):
1747         * inspector/scripts/codegen/generate_objc_internal_header.py:
1748         (ObjCInternalHeaderGenerator.generate_output):
1749         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1750         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1751         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1752         * inspector/scripts/tests/expected/enum-values.json-result:
1753         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1754         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1755         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1756         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1757         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1758         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1759         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1760         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1761         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1762
1763 2015-10-12  Myles C. Maxfield  <mmaxfield@apple.com>
1764
1765         Unreviewed build fix
1766
1767         * runtime/JSObject.cpp:
1768         (JSC::JSObject::reallocateAndShrinkButterfly):
1769
1770 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
1771
1772         GC should have a Baker barrier for concurrent copying
1773         https://bugs.webkit.org/show_bug.cgi?id=149852
1774
1775         Reviewed by Geoffrey Garen.
1776
1777         This adds a Baker-style read barrier [1] to copied space accesses. This barrier incurs some
1778         overhead (0%-2% depending on benchmark suite), but what it buys is the ability to make the GC copy
1779         phase concurrent.
1780
1781         The barrier relies on copied space pointers having two "space bits" in the low pointer bits. The
1782         space bits indicate whether the backing store is being copied right now or not, and if it is being
1783         copied, what stage of copying it's in. Two barrier variants are supported:
1784
1785         Read only barrier: if you load a backing store and immediately load from it without doing anything
1786         else, you can just mask off the bits. In the worst case, you'll get the old backing store while
1787         some copying thread is already allocating and populating the new version of the backing store. But
1788         in that case, forwarding to the new backing store will not enable you to load a more up-to-date
1789         value from the backing store. So, just masking the bits is enough. The read-only barrier is only
1790         used in ICs where we know that we are only reading, and opportunistically within the DFG and FTL
1791         thanks to the CopyBarrierOptimizationPhase. We never explicitly emit a read-only barrier in those
1792         compilers; instead the phase will turn a GetButterfly into GetButterflyReadOnly if it proves that a
1793         bunch of requirements are met.
1794
1795         Normal barrier: if the space bits are non-zero, call a slow path. The slow path will either do
1796         nothing (if the copy phase hasn't started yet), or it will copy the backing store and update the
1797         pointer (if the copy phase hasn't gotten around to copying this particular backing store), or it
1798         will wait for the copying thread to finish (if some thread is copying this backing store right
1799         now), or it will do nothing (if by the time we called into the slow path the backing store was
1800         already copied). This is just like Baker's CAR/CDR barrier, but with a lock thrown in to handle
1801         concurrent execution.
1802
1803         This is a 1% slow-down on SunSpider, a 1.5% slow-down on Octane, a 1.5% slow-down on Kraken, and a
1804         0% slow-down on AsmBench. Note that the Octane slow-down is excluding the SplayLatency benchmark.
1805         That benchmark will eventually speed up a lot once we finish doing all of this stuff. Probably, the
1806         JetStream splay-latency will see an even larger speed-up, since our version of the latency tests does
1807         a better job of punishing bad worst-case behavior.
1808
1809         [1] http://dspace.mit.edu/bitstream/handle/1721.1/41976/AI_WP_139.pdf, look for the CAR and CDR
1810         procedures on page 9.
1811
1812         * CMakeLists.txt:
1813         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1814         * JavaScriptCore.xcodeproj/project.pbxproj:
1815         * bytecode/PolymorphicAccess.cpp:
1816         (JSC::AccessCase::generate):
1817         * dfg/DFGAbstractInterpreterInlines.h:
1818         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1819         * dfg/DFGArgumentsEliminationPhase.cpp:
1820         * dfg/DFGClobberize.h:
1821         (JSC::DFG::clobberize):
1822         * dfg/DFGCopyBarrierOptimizationPhase.cpp: Added.
1823         (JSC::DFG::performCopyBarrierOptimization):
1824         * dfg/DFGCopyBarrierOptimizationPhase.h: Added.
1825         * dfg/DFGDoesGC.cpp:
1826         (JSC::DFG::doesGC):
1827         * dfg/DFGFixupPhase.cpp:
1828         (JSC::DFG::FixupPhase::fixupNode):
1829         * dfg/DFGHeapLocation.cpp:
1830         (WTF::printInternal):
1831         * dfg/DFGHeapLocation.h:
1832         * dfg/DFGLICMPhase.cpp:
1833         (JSC::DFG::LICMPhase::run):
1834         * dfg/DFGNodeType.h:
1835         * dfg/DFGOperations.cpp:
1836         * dfg/DFGOperations.h:
1837         * dfg/DFGPlan.cpp:
1838         (JSC::DFG::Plan::compileInThreadImpl):
1839         * dfg/DFGPredictionPropagationPhase.cpp:
1840         (JSC::DFG::PredictionPropagationPhase::propagate):
1841         * dfg/DFGSafeToExecute.h:
1842         (JSC::DFG::safeToExecute):
1843         * dfg/DFGSpeculativeJIT.cpp:
1844         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1845         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1846         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1847         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1848         (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
1849         * dfg/DFGSpeculativeJIT.h:
1850         * dfg/DFGSpeculativeJIT32_64.cpp:
1851         (JSC::DFG::SpeculativeJIT::compile):
1852         * dfg/DFGSpeculativeJIT64.cpp:
1853         (JSC::DFG::SpeculativeJIT::compile):
1854         * dfg/DFGTypeCheckHoistingPhase.cpp:
1855         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1856         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1857         * ftl/FTLCapabilities.cpp:
1858         (JSC::FTL::canCompile):
1859         * ftl/FTLLowerDFGToLLVM.cpp:
1860         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1861         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
1862         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterflyReadOnly):
1863         (JSC::FTL::DFG::LowerDFGToLLVM::compileConstantStoragePointer):
1864         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
1865         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
1866         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
1867         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset):
1868         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiPutByOffset):
1869         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetDirectPname):
1870         (JSC::FTL::DFG::LowerDFGToLLVM::storageForTransition):
1871         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
1872         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
1873         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorWithBarrier):
1874         (JSC::FTL::DFG::LowerDFGToLLVM::copyBarrier):
1875         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyReadOnly):
1876         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorReadOnly):
1877         (JSC::FTL::DFG::LowerDFGToLLVM::removeSpaceBits):
1878         (JSC::FTL::DFG::LowerDFGToLLVM::baseIndex):
1879         * ftl/FTLOperations.cpp:
1880         (JSC::FTL::operationNewObjectWithButterfly):
1881         (JSC::FTL::operationPopulateObjectInOSR):
1882         * ftl/FTLOutput.h:
1883         (JSC::FTL::Output::testNonZero32):
1884         (JSC::FTL::Output::testIsZero64):
1885         (JSC::FTL::Output::testNonZero64):
1886         (JSC::FTL::Output::testIsZeroPtr):
1887         (JSC::FTL::Output::testNonZeroPtr):
1888         (JSC::FTL::Output::select):
1889         (JSC::FTL::Output::extractValue):
1890         * heap/CopyBarrier.h: Copied from Source/JavaScriptCore/heap/CopyWriteBarrier.h.
1891         (JSC::CopyBarrierBase::CopyBarrierBase):
1892         (JSC::CopyBarrierBase::operator!):
1893         (JSC::CopyBarrierBase::operator bool):
1894         (JSC::CopyBarrierBase::getWithoutBarrier):
1895         (JSC::CopyBarrierBase::get):
1896         (JSC::CopyBarrierBase::copyState):
1897         (JSC::CopyBarrierBase::setCopyState):
1898         (JSC::CopyBarrierBase::clear):
1899         (JSC::CopyBarrierBase::set):
1900         (JSC::CopyBarrierBase::setWithoutBarrier):
1901         (JSC::CopyBarrierBase::weakCASWithoutBarrier):
1902         (JSC::CopyBarrier::CopyBarrier):
1903         (JSC::CopyBarrier::getWithoutBarrier):
1904         (JSC::CopyBarrier::get):
1905         (JSC::CopyBarrier::set):
1906         (JSC::CopyBarrier::setWithoutBarrier):
1907         (JSC::CopyBarrier::weakCASWithoutBarrier):
1908         (JSC::CopyWriteBarrier::CopyWriteBarrier): Deleted.
1909         (JSC::CopyWriteBarrier::operator!): Deleted.
1910         (JSC::CopyWriteBarrier::operator bool): Deleted.
1911         (JSC::CopyWriteBarrier::get): Deleted.
1912         (JSC::CopyWriteBarrier::operator*): Deleted.
1913         (JSC::CopyWriteBarrier::operator->): Deleted.
1914         (JSC::CopyWriteBarrier::set): Deleted.
1915         (JSC::CopyWriteBarrier::setWithoutWriteBarrier): Deleted.
1916         (JSC::CopyWriteBarrier::clear): Deleted.
1917         * heap/CopyVisitorInlines.h:
1918         (JSC::CopyVisitor::checkIfShouldCopy):
1919         * heap/CopyWriteBarrier.h: Removed.
1920         * heap/Heap.cpp:
1921         (JSC::Heap::addToRememberedSet):
1922         (JSC::Heap::copyBarrier):
1923         (JSC::Heap::collectAndSweep):
1924         * heap/Heap.h:
1925         (JSC::Heap::writeBarrierBuffer):
1926         * heap/HeapInlines.h:
1927         * jit/AssemblyHelpers.h:
1928         (JSC::AssemblyHelpers::branchStructure):
1929         (JSC::AssemblyHelpers::branchIfNotToSpace):
1930         (JSC::AssemblyHelpers::removeSpaceBits):
1931         (JSC::AssemblyHelpers::addressForByteOffset):
1932         * jit/JIT.cpp:
1933         (JSC::JIT::privateCompileMainPass):
1934         (JSC::JIT::privateCompileSlowCases):
1935         * jit/JITOpcodes.cpp:
1936         (JSC::JIT::emitSlow_op_has_indexed_property):
1937         (JSC::JIT::emit_op_get_direct_pname):
1938         (JSC::JIT::emitSlow_op_get_direct_pname):
1939         * jit/JITOpcodes32_64.cpp:
1940         (JSC::JIT::emit_op_get_direct_pname):
1941         (JSC::JIT::emitSlow_op_get_direct_pname):
1942         * jit/JITPropertyAccess.cpp:
1943         (JSC::JIT::emitDoubleLoad):
1944         (JSC::JIT::emitContiguousLoad):
1945         (JSC::JIT::emitArrayStorageLoad):
1946         (JSC::JIT::emitSlow_op_get_by_val):
1947         (JSC::JIT::emitGenericContiguousPutByVal):
1948         (JSC::JIT::emitArrayStoragePutByVal):
1949         (JSC::JIT::emitSlow_op_put_by_val):
1950         (JSC::JIT::emit_op_get_from_scope):
1951         (JSC::JIT::emitSlow_op_get_from_scope):
1952         (JSC::JIT::emit_op_put_to_scope):
1953         (JSC::JIT::emitSlow_op_put_to_scope):
1954         (JSC::JIT::emitIntTypedArrayGetByVal):
1955         (JSC::JIT::emitFloatTypedArrayGetByVal):
1956         (JSC::JIT::emitIntTypedArrayPutByVal):
1957         (JSC::JIT::emitFloatTypedArrayPutByVal):
1958         * llint/LowLevelInterpreter.asm:
1959         * llint/LowLevelInterpreter64.asm:
1960         * runtime/DirectArguments.cpp:
1961         (JSC::DirectArguments::visitChildren):
1962         (JSC::DirectArguments::copyBackingStore):
1963         (JSC::DirectArguments::overrideThings):
1964         (JSC::DirectArguments::overrideThingsIfNecessary):
1965         (JSC::DirectArguments::overrideArgument):
1966         (JSC::DirectArguments::copyToArguments):
1967         * runtime/DirectArguments.h:
1968         (JSC::DirectArguments::canAccessIndexQuickly):
1969         (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG):
1970         * runtime/JSArray.cpp:
1971         (JSC::JSArray::setLength):
1972         (JSC::JSArray::pop):
1973         (JSC::JSArray::push):
1974         (JSC::JSArray::fastSlice):
1975         (JSC::JSArray::fastConcatWith):
1976         (JSC::JSArray::shiftCountWithArrayStorage):
1977         (JSC::JSArray::shiftCountWithAnyIndexingType):
1978         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1979         (JSC::JSArray::fillArgList):
1980         (JSC::JSArray::copyToArguments):
1981         * runtime/JSArrayBufferView.cpp:
1982         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1983         (JSC::JSArrayBufferView::JSArrayBufferView):
1984         (JSC::JSArrayBufferView::finishCreation):
1985         (JSC::JSArrayBufferView::finalize):
1986         * runtime/JSArrayBufferView.h:
1987         (JSC::JSArrayBufferView::vector):
1988         (JSC::JSArrayBufferView::length):
1989         * runtime/JSArrayBufferViewInlines.h:
1990         (JSC::JSArrayBufferView::neuter):
1991         (JSC::JSArrayBufferView::byteOffset):
1992         * runtime/JSGenericTypedArrayView.h:
1993         (JSC::JSGenericTypedArrayView::typedVector):
1994         * runtime/JSGenericTypedArrayViewInlines.h:
1995         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1996         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore):
1997         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1998         * runtime/JSMap.h:
1999         (JSC::JSMap::JSMap):
2000         * runtime/JSObject.cpp:
2001         (JSC::JSObject::copyButterfly):
2002         (JSC::JSObject::visitChildren):
2003         (JSC::JSObject::copyBackingStore):
2004         (JSC::JSObject::getOwnPropertySlotByIndex):
2005         (JSC::JSObject::putByIndex):
2006         (JSC::JSObject::enterDictionaryIndexingMode):
2007         (JSC::JSObject::createInitialIndexedStorage):
2008         (JSC::JSObject::createArrayStorage):
2009         (JSC::JSObject::convertUndecidedToInt32):
2010         (JSC::JSObject::convertUndecidedToDouble):
2011         (JSC::JSObject::convertUndecidedToContiguous):
2012         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2013         (JSC::JSObject::convertUndecidedToArrayStorage):
2014         (JSC::JSObject::convertInt32ToDouble):
2015         (JSC::JSObject::convertInt32ToContiguous):
2016         (JSC::JSObject::convertInt32ToArrayStorage):
2017         (JSC::JSObject::convertDoubleToContiguous):
2018         (JSC::JSObject::convertDoubleToArrayStorage):
2019         (JSC::JSObject::convertContiguousToArrayStorage):
2020         (JSC::JSObject::setIndexQuicklyToUndecided):
2021         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2022         (JSC::JSObject::deletePropertyByIndex):
2023         (JSC::JSObject::getOwnPropertyNames):
2024         (JSC::JSObject::putIndexedDescriptor):
2025         (JSC::JSObject::defineOwnIndexedProperty):
2026         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2027         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2028         (JSC::JSObject::getNewVectorLength):
2029         (JSC::JSObject::ensureLengthSlow):
2030         (JSC::JSObject::reallocateAndShrinkButterfly):
2031         (JSC::JSObject::growOutOfLineStorage):
2032         (JSC::JSObject::getOwnPropertyDescriptor):
2033         (JSC::JSObject::getEnumerableLength):
2034         * runtime/JSObject.h:
2035         (JSC::JSObject::getArrayLength):
2036         (JSC::JSObject::getVectorLength):
2037         (JSC::JSObject::canGetIndexQuickly):
2038         (JSC::JSObject::getIndexQuickly):
2039         (JSC::JSObject::tryGetIndexQuickly):
2040         (JSC::JSObject::canSetIndexQuickly):
2041         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2042         (JSC::JSObject::setIndexQuickly):
2043         (JSC::JSObject::initializeIndex):
2044         (JSC::JSObject::hasSparseMap):
2045         (JSC::JSObject::inSparseIndexingMode):
2046         (JSC::JSObject::inlineStorage):
2047         (JSC::JSObject::butterfly):
2048         (JSC::JSObject::outOfLineStorage):
2049         (JSC::JSObject::locationForOffset):
2050         (JSC::JSObject::ensureInt32):
2051         (JSC::JSObject::ensureDouble):
2052         (JSC::JSObject::ensureContiguous):
2053         (JSC::JSObject::ensureArrayStorage):
2054         (JSC::JSObject::arrayStorage):
2055         (JSC::JSObject::arrayStorageOrNull):
2056         (JSC::JSObject::ensureLength):
2057         (JSC::JSObject::putDirectWithoutTransition):
2058         * runtime/JSSet.h:
2059         (JSC::JSSet::JSSet):
2060         * runtime/MapData.h:
2061         (JSC::JSIterator>::MapDataImpl):
2062         (JSC::JSIterator>::IteratorData::next):
2063         (JSC::JSIterator>::IteratorData::refreshCursor):
2064         * runtime/MapDataInlines.h:
2065         (JSC::JSIterator>::clear):
2066         (JSC::JSIterator>::find):
2067         (JSC::JSIterator>::add):
2068         (JSC::JSIterator>::remove):
2069         (JSC::JSIterator>::replaceAndPackBackingStore):
2070         (JSC::JSIterator>::replaceBackingStore):
2071         (JSC::JSIterator>::ensureSpaceForAppend):
2072         (JSC::JSIterator>::visitChildren):
2073         (JSC::JSIterator>::copyBackingStore):
2074         * runtime/Options.h:
2075
2076 2015-10-12  Saam barati  <sbarati@apple.com>
2077
2078         Update JSC features.json
2079         https://bugs.webkit.org/show_bug.cgi?id=150043
2080
2081         Reviewed by Mark Lam.
2082
2083         There were a lot of things implemented that weren't in
2084         the list. We should be better about updating the list
2085         as we land patches for new ES6 features.
2086
2087         * features.json:
2088
2089 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
2090
2091         Cleanup Heap.h and some related headers
2092         https://bugs.webkit.org/show_bug.cgi?id=149981
2093
2094         Reviewed by Geoffrey Garen.
2095
2096         * heap/Heap.h:
2097         - Some functions did not need export.
2098         - threadDupStrings never had an implementation.
2099
2100         * heap/ConservativeRoots.cpp:
2101         * heap/ConservativeRoots.h:
2102         * heap/Heap.cpp:
2103         * heap/ListableHandler.h:
2104         * heap/WeakReferenceHarvester.h:
2105         * jit/Repatch.cpp:
2106         * runtime/JSONObject.h:
2107         * runtime/VM.h:
2108         - Stale forward declarations / includes.
2109
2110 2015-10-12  Saam barati  <sbarati@apple.com>
2111
2112         Each *ById inline cache in the FTL must have its own CallSiteIndex
2113         https://bugs.webkit.org/show_bug.cgi?id=150039
2114
2115         Reviewed by Geoffrey Garen and Filip Pizlo.
2116
2117         When lowering to LLVM, we create a patchpoint intrinsic for each
2118         *ById in DFG IR. LLVM may choose to duplicate these patchpoints.
2119         Therefore, we want each resulting inline cache to have a unique
2120         CallSiteIndex because each inline cache will have its own set of 
2121         used registers. This change is necessary when we implement try/catch 
2122         in the FTL because an inline cache will ask for the set of used 
2123         registers it will need to restore in the event of an exception 
2124         being thrown. It asks for this set of registers by giving JITCode
2125         a CallSiteIndex. Because each corresponding inline cache that results
2126         from a duplicated patchpoint may all ask for this set of registers,
2127         we must assign each inline cache a unique CallSiteIndex.
2128
2129         * bytecode/CodeBlock.cpp:
2130         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
2131         * dfg/DFGCommonData.cpp:
2132         (JSC::DFG::CommonData::addCodeOrigin):
2133         (JSC::DFG::CommonData::addUniqueCallSiteIndex):
2134         (JSC::DFG::CommonData::addCodeOriginUnconditionally): Deleted.
2135         * dfg/DFGCommonData.h:
2136         * ftl/FTLCompile.cpp:
2137         (JSC::FTL::mmAllocateDataSection):
2138         * ftl/FTLInlineCacheDescriptor.h:
2139         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
2140         (JSC::FTL::InlineCacheDescriptor::stackmapID):
2141         (JSC::FTL::InlineCacheDescriptor::codeOrigin):
2142         (JSC::FTL::InlineCacheDescriptor::uid):
2143         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
2144         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
2145         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
2146         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
2147         (JSC::FTL::InlineCacheDescriptor::callSiteIndex): Deleted.
2148         * ftl/FTLLowerDFGToLLVM.cpp:
2149         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2150         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2151         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2152         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2153
2154 2015-10-12  Andreas Kling  <akling@apple.com>
2155
2156         "A + B" with strings shouldn't copy if A or B is empty.
2157         <https://webkit.org/b/150034>
2158
2159         Reviewed by Anders Carlsson.
2160
2161         * runtime/JSStringBuilder.h:
2162         (JSC::jsMakeNontrivialString):
2163         * runtime/Lookup.cpp:
2164         (JSC::reifyStaticAccessor):
2165         * runtime/ObjectPrototype.cpp:
2166         (JSC::objectProtoFuncToString):
2167
2168 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
2169
2170         VisitedValueCount GC Counter misses parallel SlotVisitors
2171         https://bugs.webkit.org/show_bug.cgi?id=149980
2172
2173         Reviewed by Geoffrey Garen.
2174
2175         * heap/Heap.cpp:
2176         (JSC::Heap::updateObjectCounts):
2177         Include threaded slot visitor's object counts in the debugging value.
2178
2179 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2180
2181         Unreviewed, fix non-FTL build for real.
2182
2183         * ftl/FTLLazySlowPath.h:
2184
2185 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2186
2187         Unreviewed, clarify a comment. The example code had a bug.
2188
2189         * ftl/FTLLowerDFGToLLVM.cpp:
2190
2191 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2192
2193         Unreviewed, fix no-FTL build.
2194
2195         * ftl/FTLLazySlowPath.cpp:
2196
2197 2015-10-12  Philip Chimento  <philip.chimento@gmail.com>
2198
2199         webkit-gtk 2.3.3 fails to build on OS X - Conflicting type "Fixed"
2200         https://bugs.webkit.org/show_bug.cgi?id=126433
2201
2202         Reviewed by Philippe Normand.
2203
2204         Don't include CoreFoundation.h when building the GTK port.
2205
2206         * Source/JavaScriptCore/API/WebKitAvailability.h: Add !defined(BUILDING_GTK__) to defined(__APPLE__).
2207
2208 2015-10-10  Filip Pizlo  <fpizlo@apple.com>
2209
2210         FTL should generate code to call slow paths lazily
2211         https://bugs.webkit.org/show_bug.cgi?id=149936
2212
2213         Reviewed by Saam Barati.
2214
2215         We often have complex slow paths in FTL-generated code. Those slow paths may never run. Even
2216         if they do run, they don't need stellar performance. So, it doesn't make sense to have LLVM
2217         worry about compiling such slow path code.
2218
2219         This patch enables us to use our own MacroAssembler for compiling the slow path inside FTL
2220         code. It does this by using a crazy lambda thingy (see FTLLowerDFGToLLVM.cpp's lazySlowPath()
2221         and its documentation). The result is quite natural to use.
2222
2223         Even for straight slow path calls via something like vmCall(), the lazySlowPath offers the
2224         benefit that the call marshalling and the exception checking are not expressed using LLVM IR
2225         and do not require LLVM to think about it. It also has the benefit that we never generate the
2226         code if it never runs. That's great, since function calls usually involve ~10 instructions
2227         total (move arguments to argument registers, make the call, check exception, etc.).
2228
2229         This patch adds the lazy slow path abstraction and uses it for some slow paths in the FTL.
2230         The code we generate with lazy slow paths is worse than the code that LLVM would have
2231         generated. Therefore, a lazy slow path only makes sense when we have strong evidence that
2232         the slow path will execute infrequently relative to the fast path. This completely precludes
2233         the use of lazy slow paths for out-of-line Nodes that unconditionally call a C++ function.
2234         It also precludes their use for the GetByVal out-of-bounds handler, since when we generate
2235         a GetByVal with an out-of-bounds handler it means that we only know that the out-of-bounds
2236         case executed at least once. So, for all we know, it may actually be the common case. So,
2237         this patch just deployed the lazy slow path for GC slow paths and masquerades-as-undefined
2238         slow paths. It makes sense for GC slow paths because those have a statistical guarantee of
2239         slow path frequency - probably bounded at less than 1/10. It makes sense for masquerades-as-
2240         undefined because we can say quite confidently that this is an uncommon scenario on the
2241         modern Web.
2242
2243         Something that's always been challenging about abstractions involving the MacroAssembler is
2244         that linking is a separate phase, and there is no way for someone who is just given access to
2245         the MacroAssembler& to emit code that requires linking, since linking happens once we have
2246         emitted all code and we are creating the LinkBuffer. Moreover, the FTL requires that the
2247         final parts of linking happen on the main thread. This patch ran into this issue, and solved
2248         it comprehensively, by introducing MacroAssembler::addLinkTask(). This takes a lambda and
2249         runs it at the bitter end of linking - when performFinalization() is called. This ensures that
2250         the task added by addLinkTask() runs on the main thread. This patch doesn't replace all of
2251         the previously existing idioms for dealing with this issue; we can do that later.
2252
2253         This shows small speed-ups on a bunch of things. No big win on any benchmark aggregate. But
2254         mainly this is done for https://bugs.webkit.org/show_bug.cgi?id=149852, where we found that
2255         outlining the slow path in this way was a significant speed boost.
2256
2257         * CMakeLists.txt:
2258         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2259         * JavaScriptCore.xcodeproj/project.pbxproj:
2260         * assembler/AbstractMacroAssembler.h:
2261         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
2262         (JSC::AbstractMacroAssembler::addLinkTask):
2263         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
2264         * assembler/LinkBuffer.cpp:
2265         (JSC::LinkBuffer::linkCode):
2266         (JSC::LinkBuffer::allocate):
2267         (JSC::LinkBuffer::performFinalization):
2268         * assembler/LinkBuffer.h:
2269         (JSC::LinkBuffer::wasAlreadyDisassembled):
2270         (JSC::LinkBuffer::didAlreadyDisassemble):
2271         (JSC::LinkBuffer::vm):
2272         (JSC::LinkBuffer::executableOffsetFor):
2273         * bytecode/CodeOrigin.h:
2274         (JSC::CodeOrigin::CodeOrigin):
2275         (JSC::CodeOrigin::isSet):
2276         (JSC::CodeOrigin::operator bool):
2277         (JSC::CodeOrigin::isHashTableDeletedValue):
2278         (JSC::CodeOrigin::operator!): Deleted.
2279         * ftl/FTLCompile.cpp:
2280         (JSC::FTL::mmAllocateDataSection):
2281         * ftl/FTLInlineCacheDescriptor.h:
2282         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
2283         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
2284         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
2285         * ftl/FTLJITCode.h:
2286         * ftl/FTLJITFinalizer.cpp:
2287         (JSC::FTL::JITFinalizer::finalizeFunction):
2288         * ftl/FTLJITFinalizer.h:
2289         * ftl/FTLLazySlowPath.cpp: Added.
2290         (JSC::FTL::LazySlowPath::LazySlowPath):
2291         (JSC::FTL::LazySlowPath::~LazySlowPath):
2292         (JSC::FTL::LazySlowPath::generate):
2293         * ftl/FTLLazySlowPath.h: Added.
2294         (JSC::FTL::LazySlowPath::createGenerator):
2295         (JSC::FTL::LazySlowPath::patchpoint):
2296         (JSC::FTL::LazySlowPath::usedRegisters):
2297         (JSC::FTL::LazySlowPath::callSiteIndex):
2298         (JSC::FTL::LazySlowPath::stub):
2299         * ftl/FTLLazySlowPathCall.h: Added.
2300         (JSC::FTL::createLazyCallGenerator):
2301         * ftl/FTLLowerDFGToLLVM.cpp:
2302         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
2303         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2304         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
2305         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
2306         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
2307         (JSC::FTL::DFG::LowerDFGToLLVM::compileNotifyWrite):
2308         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsObjectOrNull):
2309         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsFunction):
2310         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2311         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject):
2312         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
2313         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
2314         (JSC::FTL::DFG::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
2315         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
2316         (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
2317         (JSC::FTL::DFG::LowerDFGToLLVM::buildTypeOf):
2318         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
2319         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2320         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
2321         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
2322         * ftl/FTLOperations.cpp:
2323         (JSC::FTL::operationMaterializeObjectInOSR):
2324         (JSC::FTL::compileFTLLazySlowPath):
2325         * ftl/FTLOperations.h:
2326         * ftl/FTLSlowPathCall.cpp:
2327         (JSC::FTL::SlowPathCallContext::SlowPathCallContext):
2328         (JSC::FTL::SlowPathCallContext::~SlowPathCallContext):
2329         (JSC::FTL::SlowPathCallContext::keyWithTarget):
2330         (JSC::FTL::SlowPathCallContext::makeCall):
2331         (JSC::FTL::callSiteIndexForCodeOrigin):
2332         (JSC::FTL::storeCodeOrigin): Deleted.
2333         (JSC::FTL::callOperation): Deleted.
2334         * ftl/FTLSlowPathCall.h:
2335         (JSC::FTL::callOperation):
2336         * ftl/FTLState.h:
2337         * ftl/FTLThunks.cpp:
2338         (JSC::FTL::genericGenerationThunkGenerator):
2339         (JSC::FTL::osrExitGenerationThunkGenerator):
2340         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2341         (JSC::FTL::registerClobberCheck):
2342         * ftl/FTLThunks.h:
2343         * interpreter/CallFrame.h:
2344         (JSC::CallSiteIndex::CallSiteIndex):
2345         (JSC::CallSiteIndex::operator bool):
2346         (JSC::CallSiteIndex::bits):
2347         * jit/CCallHelpers.h:
2348         (JSC::CCallHelpers::setupArgument):
2349         (JSC::CCallHelpers::setupArgumentsWithExecState):
2350         * jit/JITOperations.cpp:
2351
2352 2015-10-12  Philip Chimento  <philip.chimento@gmail.com>
2353
2354         webkit-gtk-2.3.4 fails to link JavaScriptCore, missing symbols add_history and readline
2355         https://bugs.webkit.org/show_bug.cgi?id=127059
2356
2357         Reviewed by Philippe Normand.
2358
2359         * shell/CMakeLists.txt: Link JSC with -ledit on Mac OSX.
2360
2361 2015-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2362
2363         ES6 classes: When a class extends B, super() invokes B.prototype.constructor() instead of B()
2364         https://bugs.webkit.org/show_bug.cgi?id=149001
2365
2366         Reviewed by Saam Barati.
2367
2368         This patch matches the `super()` call in the constructor to the latest spec.
2369         Before this patch, when calling `super()`, it loads `callee.[[HomeObject]].__proto__.constructor`
2370         as a super constructor. But after this patch, it loads `callee.__proto__` as a super constructor.
2371         This behavior corresponds to section 12.3.5.2 [1].
2372
2373         [1]: http://www.ecma-international.org/ecma-262/6.0/#sec-getsuperconstructor
2374
2375         * bytecompiler/NodesCodegen.cpp:
2376         (JSC::SuperNode::emitBytecode):
2377         * tests/stress/super-call-does-not-look-up-constructor.js: Added.
2378         (shouldBe):
2379         (B):
2380         (C):
2381         (B.prototype):
2382
2383 2015-10-10  Andreas Kling  <akling@apple.com>
2384
2385         Reduce pointless malloc traffic in CodeBlock construction.
2386         <https://webkit.org/b/149999>
2387
2388         Reviewed by Antti Koivisto.
2389
2390         Create the RefCountedArray<Instruction> for CodeBlock's m_instructions directly
2391         instead of first creating a Vector<Instruction> and then creating a RefCountedArray
2392         from that. None of the Vector functionality is needed here anyway.
2393
2394         * bytecode/CodeBlock.cpp:
2395         (JSC::CodeBlock::finishCreation):
2396         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2397         * bytecode/CodeBlock.h:
2398
2399 2015-10-10  Dan Bernstein  <mitz@apple.com>
2400
2401         [iOS] Remove unnecessary iOS version checks
2402         https://bugs.webkit.org/show_bug.cgi?id=150002
2403
2404         Reviewed by Alexey Proskuryakov.
2405
2406         * llvm/library/LLVMExports.cpp:
2407         (initializeAndGetJSCLLVMAPI):
2408
2409 2015-10-10  Dan Bernstein  <mitz@apple.com>
2410
2411         [iOS] Remove project support for iOS 8
2412         https://bugs.webkit.org/show_bug.cgi?id=149993
2413
2414         Reviewed by Alexey Proskuryakov.
2415
2416         * Configurations/Base.xcconfig:
2417         * Configurations/JSC.xcconfig:
2418         * Configurations/JavaScriptCore.xcconfig:
2419         * Configurations/LLVMForJSC.xcconfig:
2420         * Configurations/ToolExecutable.xcconfig:
2421
2422 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
2423
2424         Modernize and cleanup an NSNumber constant
2425         https://bugs.webkit.org/show_bug.cgi?id=149962
2426
2427         Reviewed by Andreas Kling.
2428
2429         * API/JSVirtualMachine.mm:
2430         (-[JSVirtualMachine addExternalRememberedObject:]):
2431
2432 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
2433
2434         No need to keep setting needsVisit flag in SmallStrings
2435         https://bugs.webkit.org/show_bug.cgi?id=149961
2436
2437         Reviewed by Andreas Kling.
2438
2439         SmallStrings are all initialized at once privately before the VM
2440         enables Garbage Collection. There is no need to keep updating
2441         this flag, as it couldn't have changed.
2442
2443         * runtime/SmallStrings.cpp:
2444         (JSC::SmallStrings::createEmptyString):
2445         (JSC::SmallStrings::createSingleCharacterString):
2446         (JSC::SmallStrings::initialize):
2447         * runtime/SmallStrings.h:
2448
2449 2015-10-09  Geoffrey Garen  <ggaren@apple.com>
2450
2451         Unreviewed, rolling back in r190694
2452         https://bugs.webkit.org/show_bug.cgi?id=149727
2453
2454         This time for double sure?
2455
2456         The cause of the crash was an incorrect write barrier.
2457
2458         OSR exit was barriering the baseline codeblock for the top of the stack
2459         twice, missing the baseline codeblock for the bottom of the stack.
2460
2461         Restored changesets:
2462
2463         "CodeBlock should be a GC object"
2464         https://bugs.webkit.org/show_bug.cgi?id=149727
2465         http://trac.webkit.org/changeset/r190694
2466
2467 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
2468
2469         Remove unused RecursiveAllocationScope
2470         https://bugs.webkit.org/show_bug.cgi?id=149967
2471
2472         Reviewed by Csaba Osztrogonác.
2473
2474         RecursiveAllocationScope has been unused since r163691.
2475
2476         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2477         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2478         * JavaScriptCore.xcodeproj/project.pbxproj:
2479         * heap/Heap.cpp:
2480         * heap/Heap.h:
2481         * heap/RecursiveAllocationScope.h: Removed.
2482         * runtime/VM.h:
2483
2484 2015-10-09  Geoffrey Garen  <ggaren@apple.com>
2485
2486         Unreviewed, rolling out r190694
2487         https://bugs.webkit.org/show_bug.cgi?id=148560
2488
2489         Crashes seen on PLT bots and facebook.com.
2490
2491         Reverted changesets:
2492
2493         "CodeBlock should be a GC object"
2494         https://bugs.webkit.org/show_bug.cgi?id=149727
2495         http://trac.webkit.org/changeset/190694
2496
2497 2015-10-09  Xabier Rodriguez Calvar  <calvaris@igalia.com> and Youenn Fablet  <youenn.fablet@crf.canon.fr>
2498
2499         Automate WebCore JS builtins generation and build system
2500         https://bugs.webkit.org/show_bug.cgi?id=149751
2501
2502         Reviewed by Darin Adler.
2503
2504         * generate-js-builtins: updating the part related to WebCore JS binding.
2505
2506 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
2507
2508         DFG SSA should remove unreachable code
2509         https://bugs.webkit.org/show_bug.cgi?id=149931
2510
2511         Reviewed by Geoffrey Garen.
2512
2513         Rolled back in with a call to m_state.reset(), which fixes the debug asserts.
2514
2515         * dfg/DFGConstantFoldingPhase.cpp:
2516         (JSC::DFG::ConstantFoldingPhase::run): Remove unreachable code.
2517         * dfg/DFGObjectAllocationSinkingPhase.cpp: Deal with the CFG changing.
2518         * dfg/DFGPutStackSinkingPhase.cpp: Deal with the CFG changing.
2519
2520 2015-10-08  Daniel Bates  <dabates@apple.com>
2521
2522         Add LLVM binaries for iOS 9 device
2523         https://bugs.webkit.org/show_bug.cgi?id=149913
2524
2525         Reviewed by Filip Pizlo.
2526
2527         Look for locally built/binary dropped LLVM headers and libraries when building for iOS device
2528         in WebKitBuild/usr/local.
2529
2530         Currently Mac and iOS look for the locally built/binary dropped LLVM in different directories:
2531         WebKitBuild/usr/local and /usr/local/LLVMForJavaScriptCore, respectively. This difference is
2532         due to dependencies with the Apple internal build system. We should look to resolve the
2533         Apple internal dependencies and standardize on one location for both platforms.
2534
2535         * Configurations/Base.xcconfig:
2536
2537 2015-10-08  Commit Queue  <commit-queue@webkit.org>
2538
2539         Unreviewed, rolling out r190749.
2540         https://bugs.webkit.org/show_bug.cgi?id=149938
2541
2542         Caused 50+ layout test failures
2543         https://build.webkit.org/results/Apple%20El%20Capitan%20Debug%20WK1%20(Tests)/r190749%20(213)/results.html
2544         (Requested by litherum1 on #webkit).
2545
2546         Reverted changeset:
2547
2548         "DFG SSA should remove unreachable code"
2549         https://bugs.webkit.org/show_bug.cgi?id=149931
2550         http://trac.webkit.org/changeset/190749
2551
2552 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
2553
2554         DFG SSA should remove unreachable code
2555         https://bugs.webkit.org/show_bug.cgi?id=149931
2556
2557         Reviewed by Geoffrey Garen.
2558
2559         * dfg/DFGConstantFoldingPhase.cpp:
2560         (JSC::DFG::ConstantFoldingPhase::run): Remove unreachable code.
2561         * dfg/DFGObjectAllocationSinkingPhase.cpp: Deal with the CFG changing.
2562         * dfg/DFGPutStackSinkingPhase.cpp: Deal with the CFG changing.
2563
2564 2015-10-08  Joseph Pecoraro  <pecoraro@apple.com>
2565
2566         Unreviewed build fix. Missing forward declaration.
2567
2568         * heap/Heap.h:
2569
2570 2015-10-08  Saam barati  <sbarati@apple.com>
2571
2572         Unreviewed Cloop build fix after bug: https://bugs.webkit.org/show_bug.cgi?id=149601
2573
2574         * bytecode/CodeBlock.cpp:
2575         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
2576         * jit/JITCode.cpp:
2577         (JSC::NativeJITCode::addressForCall):
2578         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2579         * jit/JITCode.h:
2580
2581 2015-10-08  Joseph Pecoraro  <pecoraro@apple.com>
2582
2583         Clean up Marked classes
2584         https://bugs.webkit.org/show_bug.cgi?id=149853
2585
2586         Reviewed by Darin Adler.
2587
2588         * heap/Heap.h:
2589         Move include here where it is really needed.
2590
2591         * heap/HeapStatistics.cpp:
2592         * heap/HeapStatistics.h:
2593         Simplify includes.
2594
2595         * heap/MarkedAllocator.h:
2596         Add missing copyright header.
2597
2598         * heap/MarkedBlock.cpp:
2599         * heap/MarkedBlock.h:
2600         (JSC::MarkedBlock::needsSweeping):
2601         Remove unused constants. Add some static asserts. Add some `const`-ness.
2602
2603         * heap/MarkedSpace.h:
2604         (JSC::MarkedSpace::isIterating):
2605         Update comments to better reflect actual values.
2606         Remove unimplemented method (moved to Heap).
2607
2608         * heap/MarkedSpace.cpp:
2609         (JSC::Free::Free):
2610         (JSC::Free::operator()):
2611         (JSC::Free::returnValue): Deleted.
2612         (JSC::FreeOrShrink::FreeOrShrink):
2613         (JSC::FreeOrShrink::operator()):
2614         (JSC::MarkedSpace::~MarkedSpace):
2615         (JSC::MarkedSpace::shrink):
2616         Replace conditional Functor that was not using return value
2617         with simplified targeted VoidFunctors.
2618
2619         (JSC::Shrink::operator()): Deleted.
2620         Remove unused functor.
2621
2622         * heap/WeakBlock.cpp:
2623         * heap/WeakBlock.h:
2624         * runtime/Options.cpp:
2625         Remove dead code.
2626
2627 2015-10-08  Saam barati  <sbarati@apple.com>
2628
2629         We should be able to inline getter/setter calls inside an inline cache even when the SpillRegistersMode is NeedsToSpill
2630         https://bugs.webkit.org/show_bug.cgi?id=149601
2631
2632         Reviewed by Filip Pizlo.
2633
2634         Before, if we had a PolymorphicAccess and a StructureStubInfo
2635         with a NeedToSpill spillMode, we wouldn't generate getter/setter
2636         calls. This patch changes it such that we will generate the
2637         getter/setter call and do the necessary register spilling/filling
2638         around the getter/setter call to preserve any "usedRegisters".
2639
2640         This has an interesting story with how it relates to exception handling
2641         inside the DFG. Because the GetById variants are considered a throwing call
2642         site, we must make sure that we properly restore the registers spilled to the stack
2643         in case of an exception being thrown inside the getter/setter call. We do
2644         this by having the inline cache register itself as a new exception handling
2645         call site. When the inline cache "catches" the exception (i.e., genericUnwind
2646         will jump to this code), it will restore the registers it spilled that are
2647         live inside the original catch handler, and then jump to the original catch
2648         handler. We make sure to only generate this makeshift catch handler when we
2649         actually need to do any cleanup. If we determine that we don't need to restore
2650         any registers, we don't bother generating this makeshift catch handler.
2651
2652         * bytecode/CodeBlock.cpp:
2653         (JSC::CodeBlock::~CodeBlock):
2654         (JSC::CodeBlock::handlerForIndex):
2655         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
2656         (JSC::CodeBlock::removeExceptionHandlerForCallSite):
2657         (JSC::CodeBlock::lineNumberForBytecodeOffset):
2658         * bytecode/CodeBlock.h:
2659         (JSC::CodeBlock::appendExceptionHandler):
2660         * bytecode/PolymorphicAccess.cpp:
2661         (JSC::AccessGenerationState::AccessGenerationState):
2662         (JSC::AccessGenerationState::restoreScratch):
2663         (JSC::AccessGenerationState::succeed):
2664         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
2665         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
2666         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
2667         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCallWithThrownException):
2668         (JSC::AccessGenerationState::liveRegistersForCall):
2669         (JSC::AccessGenerationState::callSiteIndexForExceptionHandlingOrOriginal):
2670         (JSC::AccessGenerationState::callSiteIndexForExceptionHandling):
2671         (JSC::AccessGenerationState::originalExceptionHandler):
2672         (JSC::AccessGenerationState::numberOfStackBytesUsedForRegisterPreservation):
2673         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
2674         (JSC::AccessGenerationState::originalCallSiteIndex):
2675         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
2676         (JSC::AccessCase::AccessCase):
2677         (JSC::AccessCase::generate):
2678         (JSC::PolymorphicAccess::regenerateWithCases):
2679         (JSC::PolymorphicAccess::regenerate):
2680         (JSC::PolymorphicAccess::aboutToDie):
2681         * bytecode/PolymorphicAccess.h:
2682         (JSC::AccessCase::doesCalls):
2683         (JSC::AccessCase::isGetter):
2684         (JSC::AccessCase::callLinkInfo):
2685         * bytecode/StructureStubInfo.cpp:
2686         (JSC::StructureStubInfo::deref):
2687         (JSC::StructureStubInfo::aboutToDie):
2688         (JSC::StructureStubInfo::addAccessCase):
2689         * bytecode/StructureStubInfo.h:
2690         * bytecode/ValueRecovery.h:
2691         (JSC::ValueRecovery::isInJSValueRegs):
2692         (JSC::ValueRecovery::fpr):
2693         * dfg/DFGCommonData.cpp:
2694         (JSC::DFG::CommonData::addCodeOrigin):
2695         (JSC::DFG::CommonData::addCodeOriginUnconditionally):
2696         (JSC::DFG::CommonData::lastCallSite):
2697         (JSC::DFG::CommonData::removeCallSiteIndex):
2698         (JSC::DFG::CommonData::shrinkToFit):
2699         * dfg/DFGCommonData.h:
2700         * dfg/DFGJITCode.cpp:
2701         (JSC::DFG::JITCode::reconstruct):
2702         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2703         (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
2704         * dfg/DFGJITCode.h:
2705         (JSC::DFG::JITCode::osrEntryBlock):
2706         (JSC::DFG::JITCode::setOSREntryBlock):
2707         * dfg/DFGJITCompiler.cpp:
2708         (JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit):
2709         * dfg/DFGOSRExit.cpp:
2710         (JSC::DFG::OSRExit::OSRExit):
2711         * dfg/DFGOSRExit.h:
2712         * dfg/DFGSpeculativeJIT.cpp:
2713         (JSC::DFG::SpeculativeJIT::compileIn):
2714         * dfg/DFGSpeculativeJIT32_64.cpp:
2715         (JSC::DFG::SpeculativeJIT::cachedGetById):
2716         (JSC::DFG::SpeculativeJIT::cachedPutById):
2717         * dfg/DFGSpeculativeJIT64.cpp:
2718         (JSC::DFG::SpeculativeJIT::cachedGetById):
2719         (JSC::DFG::SpeculativeJIT::cachedPutById):
2720         * ftl/FTLCompile.cpp:
2721         (JSC::FTL::mmAllocateDataSection):
2722         * ftl/FTLJITCode.cpp:
2723         (JSC::FTL::JITCode::validateReferences):
2724         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2725         * ftl/FTLJITCode.h:
2726         (JSC::FTL::JITCode::handles):
2727         (JSC::FTL::JITCode::dataSections):
2728         * jit/GCAwareJITStubRoutine.cpp:
2729         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
2730         (JSC::GCAwareJITStubRoutine::~GCAwareJITStubRoutine):
2731         (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
2732         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal):
2733         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
2734         (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie):
2735         (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler):
2736         (JSC::createJITStubRoutine):
2737         * jit/GCAwareJITStubRoutine.h:
2738         * jit/JITCode.cpp:
2739         (JSC::NativeJITCode::addressForCall):
2740         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2741         * jit/JITCode.h:
2742         * jit/JITInlineCacheGenerator.cpp:
2743         (JSC::JITByIdGenerator::JITByIdGenerator):
2744         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2745         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
2746         * jit/JITInlineCacheGenerator.h:
2747         (JSC::JITByIdGenerator::reportSlowPathCall):
2748         * jit/JITPropertyAccess.cpp:
2749         (JSC::JIT::emitGetByValWithCachedId):
2750         (JSC::JIT::emitPutByValWithCachedId):
2751         (JSC::JIT::emit_op_get_by_id):
2752         (JSC::JIT::emit_op_put_by_id):
2753         * jit/JITPropertyAccess32_64.cpp:
2754         (JSC::JIT::emitGetByValWithCachedId):
2755         (JSC::JIT::emitPutByValWithCachedId):
2756         (JSC::JIT::emit_op_get_by_id):
2757         (JSC::JIT::emit_op_put_by_id):
2758         * jit/JITStubRoutine.h:
2759         (JSC::JITStubRoutine::createSelfManagedRoutine):
2760         (JSC::JITStubRoutine::aboutToDie):
2761         * jit/RegisterSet.cpp:
2762         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
2763         (JSC::RegisterSet::registersToNotSaveForCall):
2764         (JSC::RegisterSet::allGPRs):
2765         * jit/RegisterSet.h:
2766         (JSC::RegisterSet::set):
2767         (JSC::RegisterSet::clear):
2768         * jit/ScratchRegisterAllocator.cpp:
2769         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
2770         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
2771         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2772         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2773         (JSC::ScratchRegisterAllocator::usedRegistersForCall):
2774         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2775         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2776         (JSC::ScratchRegisterAllocator::preserveRegistersToStackForCall):
2777         (JSC::ScratchRegisterAllocator::restoreRegistersFromStackForCall):
2778         * jit/ScratchRegisterAllocator.h:
2779         (JSC::ScratchRegisterAllocator::numberOfReusedRegisters):
2780         (JSC::ScratchRegisterAllocator::usedRegisters):
2781         * jsc.cpp:
2782         (WTF::CustomGetter::CustomGetter):
2783         (WTF::CustomGetter::createStructure):
2784         (WTF::CustomGetter::create):
2785         (WTF::CustomGetter::getOwnPropertySlot):
2786         (WTF::CustomGetter::customGetter):
2787         (WTF::Element::handleOwner):
2788         (GlobalObject::finishCreation):
2789         (functionCreateImpureGetter):
2790         (functionCreateCustomGetterObject):
2791         (functionSetImpureGetterDelegate):
2792         * tests/stress/try-catch-custom-getter-as-get-by-id.js: Added.
2793         (assert):
2794         (bar):
2795         (foo):
2796         * tests/stress/try-catch-getter-as-get-by-id-register-restoration.js: Added.
2797         (assert):
2798         (o1.get f):
2799         (bar):
2800         (foo):
2801         * tests/stress/try-catch-getter-as-get-by-id.js: Added.
2802         (assert):
2803         (o1.get f):
2804         (bar):
2805         (foo):
2806         * tests/stress/try-catch-setter-as-put-by-id.js: Added.
2807         (assert):
2808         (o1.set f):
2809         (bar):
2810         (foo):
2811         * tests/stress/try-catch-stub-routine-replaced.js: Added.
2812         (assert):
2813         (arr):
2814         (hello):
2815         (foo):
2816         (objChain.get f):
2817         (fakeOut.get f):
2818         (o.get f):
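
The scenario this entry describes, as an added example that is not one of the WebKit stress tests listed above: a getter reached through a get_by_id site throws inside a try block, and values that are live across that call must still be correct in the catch handler once the function has been optimized. The object and function names (o1, o2, bar, foo, runScenario) are constructed for this example; the setter-as-put_by_id case is analogous.

```javascript
// Added example (not WebKit's own test code). Names below are constructed.

const o1 = {
    get f() {
        // Throwing from the getter makes the get_by_id site a throwing call site.
        throw new Error("getter threw");
    }
};

const o2 = { f: 42 }; // plain data property, so the inline cache sees a second shape

function bar(o) {
    return o.f; // get_by_id; becomes polymorphic once it has seen o1 and o2
}

function foo(o, a, b, i) {
    let caught = null;
    let result = null;
    try {
        // a, b and i are live across the getter call: the catch block reads them.
        result = bar(o) + a + b;
    } catch (e) {
        caught = e;
        // If registers spilled around the getter call were not restored before
        // control reached this handler, this arithmetic would use stale values.
        result = a * 3 + b * 5 + i;
    }
    return { result, caught };
}

// Run hot enough for foo to reach the optimizing tiers, checking on every
// iteration that the catch handler observed the correct live values.
// Returns the number of iterations that produced a wrong result (0 when correct).
function runScenario(iterations = 10000) {
    let failures = 0;
    for (let i = 0; i < iterations; i++) {
        const a = i + 1;
        const b = i * 2;

        const plain = foo(o2, a, b, i);
        if (plain.caught !== null || plain.result !== 42 + a + b) failures++;

        const thrown = foo(o1, a, b, i);
        if (thrown.caught === null || thrown.caught.message !== "getter threw") failures++;
        if (thrown.result !== a * 3 + b * 5 + i) failures++;
    }
    return failures;
}
```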
2819
2820 2015-10-08  Commit Queue  <commit-queue@webkit.org>
2821
2822         Unreviewed, rolling out r190716.
2823         https://bugs.webkit.org/show_bug.cgi?id=149924
2824
2825         broke mac build from time to time (Requested by youenn on
2826         #webkit).
2827
2828         Reverted changeset:
2829
2830         "Automate WebCore JS builtins generation and build system"
2831         https://bugs.webkit.org/show_bug.cgi?id=149751
2832         http://trac.webkit.org/changeset/190716
2833
2834 2015-10-08  Csaba Osztrogonác  <ossy@webkit.org>
2835
2836         Fix the WASM build on Linux
2837         https://bugs.webkit.org/show_bug.cgi?id=149919
2838
2839         Reviewed by Mark Lam.
2840
2841         * inspector/ScriptCallStackFactory.cpp:
2842         * wasm/JSWASMModule.cpp:
2843         * wasm/WASMFunctionCompiler.h:
2844         (JSC::sizeOfMemoryType):
2845         * wasm/WASMFunctionLLVMIRGenerator.h:
2846
2847 2015-10-08  Csaba Osztrogonác  <ossy@webkit.org>
2848
2849         Unreviewed CLOOP buildfix after r190718.
2850
2851         * jit/Repatch.h:
2852         (JSC::resetGetByID): Deleted.
2853         (JSC::resetPutByID): Deleted.
2854         (JSC::resetIn): Deleted.
2855
2856 2015-10-08  Joseph Pecoraro  <pecoraro@apple.com>
2857
2858         Remove references to removed class RepatchBuffer
2859         https://bugs.webkit.org/show_bug.cgi?id=149909
2860
2861         Reviewed by Csaba Osztrogonác.
2862
2863         * assembler/AbstractMacroAssembler.h:
2864         * assembler/MacroAssemblerARM.h:
2865         * assembler/MacroAssemblerARM64.h:
2866         * assembler/MacroAssemblerARMv7.h:
2867         * assembler/MacroAssemblerMIPS.h:
2868         * assembler/MacroAssemblerSH4.h:
2869         * assembler/MacroAssemblerX86.h:
2870         * assembler/MacroAssemblerX86_64.h:
2871         * jit/JITStubRoutine.h:
2872         * jit/Repatch.h:
2873
2874 2015-10-08  Xabier Rodriguez Calvar  <calvaris@igalia.com> and Youenn Fablet  <youenn.fablet@crf.canon.fr>
2875
2876         Automate WebCore JS builtins generation and build system
2877         https://bugs.webkit.org/show_bug.cgi?id=149751
2878
2879         Reviewed by Darin Adler.
2880
2881         * generate-js-builtins: updating the part related to WebCore JS binding.
2882
2883 2015-10-07  Joseph Pecoraro  <pecoraro@apple.com>
2884
2885         Clean up Copied classes
2886         https://bugs.webkit.org/show_bug.cgi?id=149863
2887
2888         Reviewed by Saam Barati.
2889
2890         * heap/CopiedAllocator.h:
2891         (JSC::CopiedAllocator::isValid):
2892         * heap/CopiedBlock.h:
2893         * heap/CopiedBlockInlines.h:
2894         * heap/CopiedSpace.cpp:
2895         * heap/CopiedSpace.h:
2896         (JSC::CopiedSpace::isInCopyPhase):
2897         (JSC::CopiedSpace::shouldDoCopyPhase):
2898         * heap/CopiedSpaceInlines.h:
2899         * heap/CopyToken.h:
2900         * heap/CopyVisitor.cpp:
2901         * heap/CopyVisitor.h:
2902         * heap/CopyVisitorInlines.h:
2903         * heap/CopyWorkList.h:
2904         * heap/HandleBlock.h:
2905         * heap/HandleSet.h:
2906         * heap/HeapHelperPool.cpp:
2907         * heap/HeapHelperPool.h:
2908
2909 2015-10-07  Mark Lam  <mark.lam@apple.com>
2910
2911         [Follow up 2] Disable tail calls because it is breaking some sites.
2912         https://bugs.webkit.org/show_bug.cgi?id=149900
2913
2914         Rubber stamped by Saam Barati.
2915
2916         Also need to suppress JSC tail call tests.
2917
2918         * tests/es6.yaml:
2919         * tests/stress/dfg-tail-calls.js:
2920         (nonInlinedTailCall.callee):
2921         * tests/stress/mutual-tail-call-no-stack-overflow.js:
2922         (shouldThrow):
2923         * tests/stress/tail-call-in-inline-cache.js:
2924         (tail):
2925         * tests/stress/tail-call-no-stack-overflow.js:
2926         (shouldThrow):
2927         * tests/stress/tail-call-recognize.js:
2928         (callerMustBeRun):
2929         * tests/stress/tail-call-varargs-no-stack-overflow.js:
2930         (shouldThrow):
2931
2932 2015-10-07  Geoffrey Garen  <ggaren@apple.com>
2933
2934         Unreviewed, rolling back in r190450
2935         https://bugs.webkit.org/show_bug.cgi?id=149727
2936
2937         This time for sure?
2938
2939         The cause of the leak was an invalidated compilation.
2940
2941         There was vestigial manual memory management code that eagerly removed
2942         a CodeBlock from the set of CodeBlocks if compilation was invalidated.
2943         That's not cool since we rely on the set of CodeBlocks when we run
2944         destructors.
2945
2946         The fix is to remove the vestigial code.
2947
2948         I ran the leaks, correctness, and performance tests locally and did not
2949         see any problems.
2950
2951         Restored changesets:
2952
2953         "CodeBlock should be a GC object"
2954         https://bugs.webkit.org/show_bug.cgi?id=149727
2955         http://trac.webkit.org/changeset/190450
2956
2957 2015-10-07  Mark Lam  <mark.lam@apple.com>
2958
2959         Disable tail calls because it is breaking some sites.
2960         https://bugs.webkit.org/show_bug.cgi?id=149900
2961
2962         Reviewed by Saam Barati.
2963
2964         This is until we fix whatever the breakage is.
2965
2966         * runtime/Options.h:
2967
2968 2015-10-07  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2969
2970         Add an LLVM IR generator for WebAssembly
2971         https://bugs.webkit.org/show_bug.cgi?id=149486
2972
2973         Reviewed by Mark Lam.
2974
2975         This patch adds initial support for an LLVM IR generator in WebAssembly
2976         (polyfill-prototype-1 format). All the methods will be implemented in
2977         subsequent patches.
2978
2979         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2980         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2981         * JavaScriptCore.xcodeproj/project.pbxproj:
2982         * wasm/WASMFunctionLLVMIRGenerator.h: Added.
2983         (JSC::WASMFunctionLLVMIRGenerator::MemoryAddress::MemoryAddress):
2984         (JSC::WASMFunctionLLVMIRGenerator::startFunction):
2985         (JSC::WASMFunctionLLVMIRGenerator::endFunction):
2986         (JSC::WASMFunctionLLVMIRGenerator::buildSetLocal):
2987         (JSC::WASMFunctionLLVMIRGenerator::buildSetGlobal):
2988         (JSC::WASMFunctionLLVMIRGenerator::buildReturn):
2989         (JSC::WASMFunctionLLVMIRGenerator::buildImmediateI32):
2990         (JSC::WASMFunctionLLVMIRGenerator::buildImmediateF32):
2991         (JSC::WASMFunctionLLVMIRGenerator::buildImmediateF64):
2992         (JSC::WASMFunctionLLVMIRGenerator::buildGetLocal):
2993         (JSC::WASMFunctionLLVMIRGenerator::buildGetGlobal):
2994         (JSC::WASMFunctionLLVMIRGenerator::buildConvertType):
2995         (JSC::WASMFunctionLLVMIRGenerator::buildLoad):
2996         (JSC::WASMFunctionLLVMIRGenerator::buildStore):
2997         (JSC::WASMFunctionLLVMIRGenerator::buildUnaryI32):
2998         (JSC::WASMFunctionLLVMIRGenerator::buildUnaryF32):
2999         (JSC::WASMFunctionLLVMIRGenerator::buildUnaryF64):
3000         (JSC::WASMFunctionLLVMIRGenerator::buildBinaryI32):
3001         (JSC::WASMFunctionLLVMIRGenerator::buildBinaryF32):
3002         (JSC::WASMFunctionLLVMIRGenerator::buildBinaryF64):
3003         (JSC::WASMFunctionLLVMIRGenerator::buildRelationalI32):
3004         (JSC::WASMFunctionLLVMIRGenerator::buildRelationalF32):
3005         (JSC::WASMFunctionLLVMIRGenerator::buildRelationalF64):
3006         (JSC::WASMFunctionLLVMIRGenerator::buildMinOrMaxI32):
3007         (JSC::WASMFunctionLLVMIRGenerator::buildMinOrMaxF64):
3008         (JSC::WASMFunctionLLVMIRGenerator::buildCallInternal):
3009         (JSC::WASMFunctionLLVMIRGenerator::buildCallIndirect):
3010         (JSC::WASMFunctionLLVMIRGenerator::buildCallImport):
3011         (JSC::WASMFunctionLLVMIRGenerator::appendExpressionList):
3012         (JSC::WASMFunctionLLVMIRGenerator::discard):
3013         (JSC::WASMFunctionLLVMIRGenerator::linkTarget):
3014         (JSC::WASMFunctionLLVMIRGenerator::jumpToTarget):
3015         (JSC::WASMFunctionLLVMIRGenerator::jumpToTargetIf):
3016         (JSC::WASMFunctionLLVMIRGenerator::startLoop):
3017         (JSC::WASMFunctionLLVMIRGenerator::endLoop):
3018         (JSC::WASMFunctionLLVMIRGenerator::startSwitch):
3019         (JSC::WASMFunctionLLVMIRGenerator::endSwitch):
3020         (JSC::WASMFunctionLLVMIRGenerator::startLabel):
3021         (JSC::WASMFunctionLLVMIRGenerator::endLabel):
3022         (JSC::WASMFunctionLLVMIRGenerator::breakTarget):
3023         (JSC::WASMFunctionLLVMIRGenerator::continueTarget):
3024         (JSC::WASMFunctionLLVMIRGenerator::breakLabelTarget):
3025         (JSC::WASMFunctionLLVMIRGenerator::continueLabelTarget):
3026         (JSC::WASMFunctionLLVMIRGenerator::buildSwitch):
3027         * wasm/WASMFunctionParser.cpp:
3028
3029 2015-10-07  Filip Pizlo  <fpizlo@apple.com>
3030
3031         Get rid of LLInt inline/out-of-line storage helpers, they are unused
3032         https://bugs.webkit.org/show_bug.cgi?id=149892
3033
3034         Reviewed by Mark Lam.
3035
3036         Just killing dead code.
3037
3038         * llint/LowLevelInterpreter.asm:
3039
3040 2015-10-07  Filip Pizlo  <fpizlo@apple.com>
3041
3042         Don't setOutOfBounds in JIT code for PutByVal, since the C++ slow path already does it
3043         https://bugs.webkit.org/show_bug.cgi?id=149885
3044
3045         Reviewed by Geoffrey Garen.
3046
3047         This simplifies the slow path code, which will make it easier to put read barriers on all of
3048         the butterflies.
3049
3050         * jit/JITOperations.cpp:
3051         (JSC::getByVal):
3052         * jit/JITPropertyAccess.cpp:
3053         (JSC::JIT::emitSlow_op_put_by_val):
3054
3055 2015-10-07  Filip Pizlo  <fpizlo@apple.com>
3056
3057         Get rid of JIT::compilePutDirectOffset
3058         https://bugs.webkit.org/show_bug.cgi?id=149884
3059
3060         Reviewed by Andreas Kling.
3061
3062         I'm finding more dead code.
3063
3064         * jit/JIT.h:
3065         * jit/JITPropertyAccess.cpp:
3066         (JSC::JIT::emitSlow_op_put_by_id):
3067         (JSC::JIT::emitVarInjectionCheck):
3068         (JSC::JIT::compilePutDirectOffset): Deleted.
3069
3070 2015-10-07  Joseph Pecoraro  <pecoraro@apple.com>
3071
3072         Heap::isWriteBarrierEnabled is unused
3073         https://bugs.webkit.org/show_bug.cgi?id=149881
3074
3075         Reviewed by Geoffrey Garen.
3076
3077         * heap/Heap.h:
3078         * heap/HeapInlines.h:
3079         (JSC::Heap::isWriteBarrierEnabled): Deleted.
3080
3081 2015-10-07  Filip Pizlo  <fpizlo@apple.com>
3082
3083         JIT::emitGetGlobalProperty/emitPutGlobalProperty are only called from one place
3084         https://bugs.webkit.org/show_bug.cgi?id=149879
3085
3086         Reviewed by Saam Barati.
3087
3088         To simplify my work to insert barriers on loads of the butterfly, I want to reduce the amount
3089         of abstraction we have around code that loads the butterfly.
3090
3091         * jit/JIT.h:
3092         * jit/JITPropertyAccess.cpp:
3093         (JSC::JIT::emitLoadWithStructureCheck):
3094         (JSC::JIT::emitGetVarFromPointer):
3095         (JSC::JIT::emit_op_get_from_scope):
3096         (JSC::JIT::emitSlow_op_get_from_scope):
3097         (JSC::JIT::emitPutGlobalVariable):
3098         (JSC::JIT::emit_op_put_to_scope):
3099         (JSC::JIT::emitGetGlobalProperty): Deleted.
3100         (JSC::JIT::emitPutGlobalProperty): Deleted.
3101         * jit/JITPropertyAccess32_64.cpp:
3102         (JSC::JIT::emitLoadWithStructureCheck):
3103         (JSC::JIT::emitGetVarFromPointer):
3104         (JSC::JIT::emit_op_get_from_scope):
3105         (JSC::JIT::emitSlow_op_get_from_scope):
3106         (JSC::JIT::emitPutGlobalVariable):
3107         (JSC::JIT::emit_op_put_to_scope):
3108         (JSC::JIT::emitGetGlobalProperty): Deleted.
3109         (JSC::JIT::emitPutGlobalProperty): Deleted.
3110
3111 2015-10-07  Filip Pizlo  <fpizlo@apple.com>
3112
3113         JIT::compileGetDirectOffset is useless
3114         https://bugs.webkit.org/show_bug.cgi?id=149878
3115
3116         Reviewed by Mark Lam.
3117
3118         Two of the overloads of this method were never called. The other was called only from one
3119         place, in a manner that rendered most of its code dead. This change removes the dead code and
3120         folds the method into its one caller.
3121
3122         * jit/JIT.h:
3123         * jit/JITPropertyAccess.cpp:
3124         (JSC::JIT::emitSlow_op_get_by_val):
3125         (JSC::JIT::emit_op_put_by_val):
3126         (JSC::JIT::compilePutDirectOffset):
3127         (JSC::JIT::emitVarInjectionCheck):
3128         (JSC::JIT::emitGetGlobalProperty):
3129         (JSC::JIT::emitGetVarFromPointer):
3130         (JSC::JIT::compileGetDirectOffset): Deleted.
3131         * jit/JITPropertyAccess32_64.cpp:
3132         (JSC::JIT::compilePutDirectOffset):
3133         (JSC::JIT::emitVarInjectionCheck):
3134         (JSC::JIT::emitGetGlobalProperty):
3135         (JSC::JIT::emitGetVarFromPointer):
3136         (JSC::JIT::compileGetDirectOffset): Deleted.
3137
3138 2015-10-06  Filip Pizlo  <fpizlo@apple.com>
3139
3140         Inline caches should handle out-of-line offsets out-of-line
3141         https://bugs.webkit.org/show_bug.cgi?id=149869
3142
3143         Reviewed by Saam Barati.
3144
3145         If we want to have a concurrent copying GC, then we need a read barrier on copied space
3146         pointers. That makes the convertible load portion of the get_by_id/put_by_id inline caches
3147         rather challenging. Currently we have a load instruction that we can turn into an add
3148         instruction - the add case is when we have an inline offset, and the load case is when we
3149         have an out-of-line offset and we need to load a copied space pointer. But if the load from
3150         copied space requires a barrier, then there is no easy way to convert that back to the inline
3151         case.
3152
3153         This patch removes the convertible load. The inline path of get_by_id/put_by_id only handles
3154         the inline offsets. Out-of-line offsets are now handled using out-of-line stubs.
3155
3156         * bytecode/StructureStubInfo.h:
3157         * ftl/FTLInlineCacheSize.cpp:
3158         (JSC::FTL::sizeOfGetById):
3159         (JSC::FTL::sizeOfPutById):
3160         * jit/JITInlineCacheGenerator.cpp:
3161         (JSC::JITByIdGenerator::finalize):
3162         (JSC::JITByIdGenerator::generateFastPathChecks):
3163         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3164         (JSC::JITGetByIdGenerator::generateFastPath):
3165         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
3166         (JSC::JITPutByIdGenerator::generateFastPath):
3167         * jit/JITInlineCacheGenerator.h:
3168         * jit/Repatch.cpp:
3169         (JSC::repatchByIdSelfAccess):
3170         (JSC::tryCacheGetByID):
3171         (JSC::tryCachePutByID):
3172         * runtime/JSObject.h:
3173         (JSC::JSObject::butterflyTotalSize):
3174         (JSC::indexRelativeToBase):
3175         (JSC::offsetRelativeToBase):
3176         (JSC::maxOffsetRelativeToBase):
3177         (JSC::makeIdentifier):
3178         (JSC::offsetRelativeToPatchedStorage): Deleted.
3179         (JSC::maxOffsetRelativeToPatchedStorage): Deleted.
3180
3181 2015-10-07  Commit Queue  <commit-queue@webkit.org>
3182
3183         Unreviewed, rolling out r190664.
3184         https://bugs.webkit.org/show_bug.cgi?id=149877
3185
3186         mac build is sometimes broken due to missing generated header
3187         file (Requested by youenn on #webkit).
3188
3189         Reverted changeset:
3190
3191         "Automate WebCore JS builtins generation and build system"
3192         https://bugs.webkit.org/show_bug.cgi?id=149751
3193         http://trac.webkit.org/changeset/190664
3194
3195 2015-10-07  Xabier Rodriguez Calvar  <calvaris@igalia.com> and Youenn Fablet  <youenn.fablet@crf.canon.fr>
3196
3197         Automate WebCore JS builtins generation and build system
3198         https://bugs.webkit.org/show_bug.cgi?id=149751
3199
3200         Reviewed by Darin Adler.
3201
3202         * generate-js-builtins: updating the part related to WebCore JS binding.
3203
3204 2015-10-06  Mark Lam  <mark.lam@apple.com>
3205
3206         Factoring out op_sub baseline code generation into JITSubGenerator.
3207         https://bugs.webkit.org/show_bug.cgi?id=149600
3208
3209         Reviewed by Geoffrey Garen.
3210
3211         We're going to factor out baseline code generation into snippet generators so
3212         that we can later use them in the DFG and FTL to emit code to perform the
3213         JS operations where the operand types are predicted to be polymorphic.
3214         We are starting in this patch with the implementation of op_sub.
3215
3216         What was done in this patch:
3217         1. Created JITSubGenerator based on the baseline implementation of op_sub as
3218            expressed in compileBinaryArithOp() and compileBinaryArithOpSlowCase().
3219            I did not attempt to write a more optimal version of op_sub.  I'll
3220            leave that to a later patch.
3221
3222         2. Convert the 32-bit op_sub baseline implementation to use the same
3223            JITSubGenerator which was based on the 64-bit implementation.  The
3224            pre-existing 32-bit baseline op_sub had handling for more optimization cases.
3225            However, a benchmark run shows that simply going with the 64-bit version
3226            (foregoing those extra optimizations) did not change the performance.
3227
3228            Also, previously, the 32-bit version was able to move double results directly
3229            into the result location on the stack.  By using JITSubGenerator,
3230            we now always move that result into a pair of GPRs before storing it into
3231            the stack location.
3232
3233         3. Add some needed emitters to AssemblyHelpers that play nice with JSValueRegs.
3234
3235         * JavaScriptCore.xcodeproj/project.pbxproj:
3236         * jit/AssemblyHelpers.h:
3237         (JSC::AssemblyHelpers::boxDouble):
3238         (JSC::AssemblyHelpers::unboxDouble):
3239         (JSC::AssemblyHelpers::boxBooleanPayload):
3240         * jit/JIT.h:
3241         (JSC::JIT::linkDummySlowCase):
3242         * jit/JITArithmetic.cpp:
3243         (JSC::JIT::compileBinaryArithOp):
3244         (JSC::JIT::compileBinaryArithOpSlowCase):
3245         (JSC::JIT::emitSlow_op_div):
3246         (JSC::JIT::emit_op_sub):
3247         (JSC::JIT::emitSlow_op_sub):
3248         * jit/JITArithmetic32_64.cpp:
3249         (JSC::JIT::emitBinaryDoubleOp):
3250         (JSC::JIT::emit_op_sub): Deleted.
3251         (JSC::JIT::emitSub32Constant): Deleted.
3252         (JSC::JIT::emitSlow_op_sub): Deleted.
3253         * jit/JITInlines.h:
3254         (JSC::JIT::linkSlowCaseIfNotJSCell):
3255         (JSC::JIT::linkAllSlowCasesForBytecodeOffset):
3256         (JSC::JIT::addSlowCase):
3257         (JSC::JIT::emitLoad):
3258         (JSC::JIT::emitGetVirtualRegister):
3259         (JSC::JIT::emitPutVirtualRegister):
3260         * jit/JITSubGenerator.h: Added.
3261         (JSC::JITSubGenerator::JITSubGenerator):
3262         (JSC::JITSubGenerator::generateFastPath):
3263         (JSC::JITSubGenerator::slowPathJumpList):
3264
3265 2015-10-06  Daniel Bates  <dbates@webkit.org>
3266
3267         Enable XSLT when building WebKit for iOS using the public iOS SDK
3268         https://bugs.webkit.org/show_bug.cgi?id=149827
3269
3270         Reviewed by Alexey Proskuryakov.
3271
3272         * Configurations/FeatureDefines.xcconfig:
3273
3274 2015-10-05  Commit Queue  <commit-queue@webkit.org>
3275
3276         Unreviewed, rolling out r190599.
3277         https://bugs.webkit.org/show_bug.cgi?id=149836
3278
3279         Made perf tests randomly crash (Requested by ap on #webkit).
3280
3281         Reverted changeset:
3282
3283         "GC shouldn't cancel every FTL compilation"
3284         https://bugs.webkit.org/show_bug.cgi?id=149821
3285         http://trac.webkit.org/changeset/190599
3286
3287 2015-10-05  Commit Queue  <commit-queue@webkit.org>
3288
3289         Unreviewed, rolling out r190589.
3290         https://bugs.webkit.org/show_bug.cgi?id=149833
3291
3292         Caused lots of leaks, and possibly crashes (Requested by ap on
3293         #webkit).
3294
3295         Reverted changeset:
3296
3297         "Unreviewed, rolling back in r190450"
3298         https://bugs.webkit.org/show_bug.cgi?id=149727
3299         http://trac.webkit.org/changeset/190589
3300
3301 2015-10-05  Geoffrey Garen  <ggaren@apple.com>
3302
3303         Remove a few includes from JSGlobalObject.h
3304         https://bugs.webkit.org/show_bug.cgi?id=148004
3305
3306         Reviewed by Saam Barati.
3307
3308         * parser/VariableEnvironment.cpp:
3309         * parser/VariableEnvironment.h:
3310         * runtime/JSGlobalObject.h:
3311         * runtime/JSString.cpp:
3312         (JSC::JSString::createStructure):
3313         (JSC::JSRopeString::RopeBuilder::expand):
3314         * runtime/JSString.h:
3315         (JSC::JSString::canGetIndex):
3316         (JSC::JSString::offsetOfLength):
3317         (JSC::JSString::offsetOfFlags):
3318         (JSC::JSString::createStructure): Deleted.
3319         * runtime/Structure.h:
3320         * runtime/StructureInlines.h:
3321         * runtime/StructureRareDataInlines.h:
3322
3323 2015-10-05  Filip Pizlo  <fpizlo@apple.com>
3324
3325         GC shouldn't cancel every FTL compilation
3326         https://bugs.webkit.org/show_bug.cgi?id=149821
3327
3328         Reviewed by Saam Barati.
3329
3330         During one of the CodeBlock GC refactorings, we messed up the GC's compilation cancellation
3331         code. The GC should be able to cancel compilation plans if it determines that the plan will
3332         be DOA. But, prior to this fix, that code was killing every FTL compilation. This happened
3333         because the meaning of CodeBlock::isKnownToBeLiveDuringGC() changed.
3334
3335         It's funny that this didn't show up as a bigger slow-down. Basically, those benchmarks that
3336         GC a lot usually don't rely on good compilation, while those benchmarks that do rely on good
3337         compilation usually don't GC a lot. That's probably why this wasn't super obvious when we
3338         broke it.
3339
3340         This change just changes the cancellation logic so that it only cancels plans if the owning
3341         executable is dead. This is safe; in fact the relevant method would be correct even if it
3342         always returned true. It would also be correct if it always returned false. So, compared to
3343         what we had before we changed isKnownToBeLiveDuringGC(), this new code will cancel fewer
3344         compilations. But, that's better than cancelling every compilation. I've filed a bug and
3345         written a FIXME for investigating ways to resurrect the old behavior:
3346         https://bugs.webkit.org/show_bug.cgi?id=149823
3347
3348         Nonetheless, this change looks like it might be a 1% speed-up on Octane. It improves earley
3349         and gbemu.
3350
3351         * dfg/DFGPlan.cpp:
3352         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
3353
3354 2015-10-05  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3355
3356         [Intl] Change the return type of canonicalizeLocaleList() from JSArray* to Vector<String>
3357         https://bugs.webkit.org/show_bug.cgi?id=149807
3358
3359         Reviewed by Benjamin Poulain.
3360
3361         From ECMA-402, 9.2.1, the abstract operation CanonicalizeLocaleList
3362         returns a List of Strings. From the spec, we never modify the result
3363         from CanonicalizeLocaleList(). We never expose it to the user either.
3364         This patch changes the return type of canonicalizeLocaleList() from
3365         JSArray* to Vector<String>. This should ease the workload of the GC and
3366         make the code a bit easier to read.
3367
3368         * runtime/IntlCollatorConstructor.cpp:
3369         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
3370         * runtime/IntlDateTimeFormatConstructor.cpp:
3371         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
3372         * runtime/IntlNumberFormatConstructor.cpp:
3373         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
3374         * runtime/IntlObject.cpp:
3375         (JSC::canonicalizeLocaleList):