cf8f8c9eb94302592b34e4fa25456eee6e9e1459
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
2
3         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
4         https://bugs.webkit.org/show_bug.cgi?id=153981
5
6         Reviewed by Saam Barati.
7        
8         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
9         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
10         The current patch adds logic that prevents emitting those variables when they are not used in the arrow function.
11         During syntax analysis, the parser stores information about the variables used in the arrow function inside
12         the ordinary function scope and then passes it to BytecodeGenerator through UnlinkedCodeBlock.
13
14         * bytecode/ExecutableInfo.h:
15         (JSC::ExecutableInfo::ExecutableInfo):
16         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
17         * bytecode/UnlinkedCodeBlock.cpp:
18         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
19         * bytecode/UnlinkedCodeBlock.h:
20         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
21         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
22         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
23         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
24         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
25         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
26         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
27         * bytecode/UnlinkedFunctionExecutable.cpp:
28         (JSC::generateUnlinkedFunctionCodeBlock):
29         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
30         * bytecode/UnlinkedFunctionExecutable.h:
31         * bytecompiler/BytecodeGenerator.cpp:
32         (JSC::BytecodeGenerator::BytecodeGenerator):
33         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
34         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
35         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
36         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
37         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
38         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
39         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
40         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
41         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
42         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
43         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
44         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
45         * bytecompiler/BytecodeGenerator.h:
46         * bytecompiler/NodesCodegen.cpp:
47         (JSC::ThisNode::emitBytecode):
48         (JSC::EvalFunctionCallNode::emitBytecode):
49         (JSC::FunctionCallValueNode::emitBytecode):
50         (JSC::FunctionNode::emitBytecode):
51         * parser/ASTBuilder.h:
52         (JSC::ASTBuilder::createFunctionMetadata):
53         * parser/Nodes.cpp:
54         (JSC::FunctionMetadataNode::FunctionMetadataNode):
55         * parser/Nodes.h:
56         * parser/Parser.cpp:
57         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
58         (JSC::Parser<LexerType>::parseFunctionBody):
59         (JSC::Parser<LexerType>::parseFunctionInfo):
60         (JSC::Parser<LexerType>::parseProperty):
61         (JSC::Parser<LexerType>::parsePrimaryExpression):
62         (JSC::Parser<LexerType>::parseMemberExpression):
63         * parser/Parser.h:
64         (JSC::Scope::Scope):
65         (JSC::Scope::isArrowFunctionBoundary):
66         (JSC::Scope::innerArrowFunctionFeatures):
67         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
68         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
69         (JSC::Scope::setInnerArrowFunctionUseEval):
70         (JSC::Scope::setInnerArrowFunctionUseThis):
71         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
72         (JSC::Scope::setInnerArrowFunctionUseArguments):
73         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
74         (JSC::Scope::collectFreeVariables):
75         (JSC::Scope::mergeInnerArrowFunctionFeatures):
76         (JSC::Scope::fillParametersForSourceProviderCache):
77         (JSC::Scope::restoreFromSourceProviderCache):
78         (JSC::Scope::setIsFunction):
79         (JSC::Scope::setIsArrowFunction):
80         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
81         (JSC::Parser::pushScope):
82         (JSC::Parser::popScopeInternal):
83         * parser/ParserModes.h:
84         * parser/SourceProviderCacheItem.h:
85         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
86         * parser/SyntaxChecker.h:
87         (JSC::SyntaxChecker::createFunctionMetadata):
88         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
89         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
90         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
91         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
92         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
93
94 2016-02-23  Brian Burg  <bburg@apple.com>
95
96         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
97         https://bugs.webkit.org/show_bug.cgi?id=154615
98         <rdar://problem/24804330>
99
100         Reviewed by Timothy Hatcher.
101
102         Some of the generated Objective-C bindings are only relevant to code acting as the
103         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
104         --backend to all generators. Use the setting in a few generators to omit code that's
105         not needed.
106
107         Also fix a few places where the code emits the wrong Objective-C class prefix.
108         There is some common non-generated code that must always have the RWIProtocol prefix.
109
110         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
111         macros defined in the internal header now need to be used outside of the framework.
112
113         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
114         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
115         depending on the target framework.
116
117         * inspector/scripts/codegen/generate_objc_header.py:
118         (ObjCHeaderGenerator.generate_output):
119         For now, omit generating command protocol and event dispatchers when generating for --frontend.
120
121         (ObjCHeaderGenerator._generate_type_interface):
122         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
123
124         * inspector/scripts/codegen/generate_objc_internal_header.py:
125         Use RWIProtocolJSONObjectPrivate.h instead.
126
127         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
128         (ObjCProtocolTypesImplementationGenerator.generate_output):
129         Include the Internal header if it's being generated (only for --backend).
130
131         * inspector/scripts/codegen/generator.py:
132         (Generator.__init__):
133         (Generator.set_generator_setting):
134         (Generator):
135         (Generator.get_generator_setting):
136         Crib a simple setting system from the Framework class. Make the names more obnoxious.
137
138         (Generator.string_for_file_include):
139         Inspired by the replay input generator, this is a function that uses the proper syntax
140         for a file include depending on the file's framework and target framework.
141
142         * inspector/scripts/codegen/objc_generator.py:
143         (ObjCGenerator.and):
144         (ObjCGenerator.and.objc_prefix):
145         (ObjCGenerator):
146         (ObjCGenerator.objc_type_for_raw_name):
147         (ObjCGenerator.objc_class_for_raw_name):
148         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
149
150         * inspector/scripts/generate-inspector-protocol-bindings.py:
151         (generate_from_specification):
152         Change the generators to use for the frontend. Propagate --frontend and --backend.
153
154         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
155         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
156         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
157         * inspector/scripts/tests/expected/enum-values.json-result:
158         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
159         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
160         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
161         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
162         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
163         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
164         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
165         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
166         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
167         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
168
169 2016-02-23  Saam barati  <sbarati@apple.com>
170
171         arrayProtoFuncConcat doesn't check for an exception after allocating an array
172         https://bugs.webkit.org/show_bug.cgi?id=154621
173
174         Reviewed by Michael Saboff.
175
176         * runtime/ArrayPrototype.cpp:
177         (JSC::arrayProtoFuncConcat):
178
179 2016-02-23  Dan Bernstein  <mitz@apple.com>
180
181         [Xcode] Linker errors display mangled names, but no longer should
182         https://bugs.webkit.org/show_bug.cgi?id=154632
183
184         Reviewed by Sam Weinig.
185
186         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
187
188 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
189
190         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
191         https://bugs.webkit.org/show_bug.cgi?id=112323
192
193         Reviewed by Chris Dumez.
194
195         This feature is controlled by a runtime switch, and defaults off.
196
197         * Configurations/FeatureDefines.xcconfig:
198
199 2016-02-23  Keith Miller  <keith_miller@apple.com>
200
201         JSC stress tests' standalone-pre.js should exit on the first failure by default
202         https://bugs.webkit.org/show_bug.cgi?id=154565
203
204         Reviewed by Mark Lam.
205
206         Currently, if a test writer does not call finishJSTest() at the end of
207         any test using stress/resources/standalone-pre.js then the test can fail
208         without actually reporting an error to the harness. By default, we
209         should throw on the first error so, in the event someone does not call
210         finishJSTest() the harness will still notice the error.
211
212         * tests/stress/regress-151324.js:
213         * tests/stress/resources/standalone-pre.js:
214         (testFailed):
215
216 2016-02-23  Saam barati  <sbarati@apple.com>
217
218         Make JSObject::getMethod have fewer branches
219         https://bugs.webkit.org/show_bug.cgi?id=154603
220
221         Reviewed by Mark Lam.
222
223         Writing code with fewer branches is almost always better.
224
225         * runtime/JSObject.cpp:
226         (JSC::JSObject::getMethod):
227
228 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
229
230         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
231         https://bugs.webkit.org/show_bug.cgi?id=154592
232
233         Reviewed by Saam Barati.
234
235         If Foo has a virtual destructor, then:
236
237         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
238         subclass of Foo that overrides the destructor, this syntax will not call that override.
239
240         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
241         get the subclass's override.
242
243         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
244         This caused leaks because this didn't actually call the subclass's override. This fixes the
245         problem by using this->~Value() instead.
246
247         * b3/B3ControlValue.cpp:
248         (JSC::B3::ControlValue::convertToJump):
249         (JSC::B3::ControlValue::convertToOops):
250         * b3/B3Value.cpp:
251         (JSC::B3::Value::replaceWithIdentity):
252         (JSC::B3::Value::replaceWithNop):
253         (JSC::B3::Value::replaceWithPhi):
254
255 2016-02-23  Brian Burg  <bburg@apple.com>
256
257         Web Inspector: the protocol generator's Objective-C name prefix should be configurable
258         https://bugs.webkit.org/show_bug.cgi?id=154596
259         <rdar://problem/24794962>
260
261         Reviewed by Timothy Hatcher.
262
263         In order to support different generated protocol sets that don't have conflicting
264         file and type names, allow the Objective-C prefix to be configurable based on the
265         target framework. Each name also has the implicit prefix 'Protocol' appended to the
266         per-target framework prefix.
267
268         For example, the existing protocol for remote inspection has the prefix 'RWI'
269         and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
270         and is generated as 'AutomationProtocol'.
271
272         To make this change, convert ObjCGenerator to be a subclass of Generator and use
273         the instance method model() to find the target framework and its setting for
274         'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
275         these instance methods that used to be static methods. This is a large but
276         mechanical change to use self instead of ObjCGenerator.
277
278         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
279         (ObjCBackendDispatcherHeaderGenerator):
280         (ObjCBackendDispatcherHeaderGenerator.__init__):
281         (ObjCBackendDispatcherHeaderGenerator.output_filename):
282         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
283         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
284         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
285         (ObjCConfigurationImplementationGenerator):
286         (ObjCConfigurationImplementationGenerator.__init__):
287         (ObjCConfigurationImplementationGenerator.output_filename):
288         (ObjCConfigurationImplementationGenerator.generate_output):
289         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
290         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
291         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
292         * inspector/scripts/codegen/generate_objc_configuration_header.py:
293         (ObjCConfigurationHeaderGenerator):
294         (ObjCConfigurationHeaderGenerator.__init__):
295         (ObjCConfigurationHeaderGenerator.output_filename):
296         (ObjCConfigurationHeaderGenerator.generate_output):
297         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
298         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
299         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
300         (ObjCBackendDispatcherImplementationGenerator):
301         (ObjCBackendDispatcherImplementationGenerator.__init__):
302         (ObjCBackendDispatcherImplementationGenerator.output_filename):
303         (ObjCBackendDispatcherImplementationGenerator.generate_output):
304         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
305         (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
306         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
307         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
308         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
309         (ObjCConversionHelpersGenerator):
310         (ObjCConversionHelpersGenerator.__init__):
311         (ObjCConversionHelpersGenerator.output_filename):
312         (ObjCConversionHelpersGenerator.generate_output):
313         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
314         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
315         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
316         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
317         (ObjCFrontendDispatcherImplementationGenerator):
318         (ObjCFrontendDispatcherImplementationGenerator.__init__):
319         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
320         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
321         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
322         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
323         (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
324         (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
325         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
326         * inspector/scripts/codegen/generate_objc_header.py:
327         (ObjCHeaderGenerator):
328         (ObjCHeaderGenerator.__init__):
329         (ObjCHeaderGenerator.output_filename):
330         (ObjCHeaderGenerator.generate_output):
331         (ObjCHeaderGenerator._generate_forward_declarations):
332         (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
333         (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
334         (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
335         (ObjCHeaderGenerator._generate_type_interface):
336         (ObjCHeaderGenerator._generate_init_method_for_required_members):
337         (ObjCHeaderGenerator._generate_member_property):
338         (ObjCHeaderGenerator._generate_command_protocols):
339         (ObjCHeaderGenerator._generate_single_command_protocol):
340         (ObjCHeaderGenerator._callback_block_for_command):
341         (ObjCHeaderGenerator._generate_event_interfaces):
342         (ObjCHeaderGenerator._generate_single_event_interface):
343         * inspector/scripts/codegen/generate_objc_internal_header.py:
344         (ObjCInternalHeaderGenerator):
345         (ObjCInternalHeaderGenerator.__init__):
346         (ObjCInternalHeaderGenerator.output_filename):
347         (ObjCInternalHeaderGenerator.generate_output):
348         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
349         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
350         (ObjCProtocolTypesImplementationGenerator):
351         (ObjCProtocolTypesImplementationGenerator.__init__):
352         (ObjCProtocolTypesImplementationGenerator.output_filename):
353         (ObjCProtocolTypesImplementationGenerator.generate_output):
354         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
355         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
356         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
357         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
358         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
359         (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
360         * inspector/scripts/codegen/models.py:
361         * inspector/scripts/codegen/objc_generator.py:
362         (ObjCTypeCategory.category_for_type):
363         (ObjCGenerator):
364         (ObjCGenerator.__init__):
365         (ObjCGenerator.objc_prefix):
366         (ObjCGenerator.objc_name_for_type):
367         (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
368         (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
369         (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
370         (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
371         (ObjCGenerator.objc_class_for_type):
372         (ObjCGenerator.objc_class_for_array_type):
373         (ObjCGenerator.objc_accessor_type_for_member):
374         (ObjCGenerator.objc_accessor_type_for_member_internal):
375         (ObjCGenerator.objc_type_for_member):
376         (ObjCGenerator.objc_type_for_member_internal):
377         (ObjCGenerator.objc_type_for_param):
378         (ObjCGenerator.objc_type_for_param_internal):
379         (ObjCGenerator.objc_protocol_export_expression_for_variable):
380         (ObjCGenerator.objc_protocol_import_expression_for_member):
381         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
382         (ObjCGenerator.objc_protocol_import_expression_for_variable):
383         (ObjCGenerator.objc_to_protocol_expression_for_member):
384         (ObjCGenerator.protocol_to_objc_expression_for_member):
385
386         Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
387
388         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
389         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
390         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
391         * inspector/scripts/tests/expected/enum-values.json-result:
392         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
393         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
394         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
395         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
396         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
397         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
398         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
399         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
400         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
401
402 2016-02-23  Mark Lam  <mark.lam@apple.com>
403
404         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
405         https://bugs.webkit.org/show_bug.cgi?id=154542
406
407         Reviewed by Saam Barati.
408
409         According to the spec, the constructors of the following types "are not intended
410         to be called as a function and will throw an exception".  These types are:
411             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
412             Map - https://tc39.github.io/ecma262/#sec-map-constructor
413             Set - https://tc39.github.io/ecma262/#sec-set-constructor
414             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
415             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
416             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
417             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
418             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
419             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
420
421         This patch does the following:
422         1. Ensures that these constructors can be called but will throw a TypeError
423            when called.
424         2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
425            in their implementation to be consistent.
426         3. Changes the error message to "calling XXX constructor without new is invalid".
427            This is clearer because the error is likely due to the user forgetting to use
428            the new operator on these constructors.
429
430         * runtime/Error.h:
431         * runtime/Error.cpp:
432         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
433         - Added a convenience function to throw the TypeError.
434
435         * runtime/JSArrayBufferConstructor.cpp:
436         (JSC::constructArrayBuffer):
437         (JSC::callArrayBuffer):
438         (JSC::JSArrayBufferConstructor::getCallData):
439         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
440         (JSC::callGenericTypedArrayView):
441         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
442         * runtime/JSPromiseConstructor.cpp:
443         (JSC::callPromise):
444         * runtime/MapConstructor.cpp:
445         (JSC::callMap):
446         * runtime/ProxyConstructor.cpp:
447         (JSC::callProxy):
448         (JSC::ProxyConstructor::getCallData):
449         * runtime/SetConstructor.cpp:
450         (JSC::callSet):
451         * runtime/WeakMapConstructor.cpp:
452         (JSC::callWeakMap):
453         * runtime/WeakSetConstructor.cpp:
454         (JSC::callWeakSet):
455
456         * tests/es6.yaml:
457         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
458
459         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
460         (test):
461
462         * tests/stress/map-constructor.js:
463         (testCallTypeError):
464         * tests/stress/promise-cannot-be-called.js:
465         (shouldThrow):
466         * tests/stress/proxy-basic.js:
467         * tests/stress/set-constructor.js:
468         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
469         (i.catch):
470         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
471         (i.catch):
472         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
473         (i.catch):
474         * tests/stress/weak-map-constructor.js:
475         (testCallTypeError):
476         * tests/stress/weak-set-constructor.js:
477         - Updated error message string.
478
479 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
480
481         ASan build fix.
482
483         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
484
485         * inspector/InspectorBackendDispatcher.h:
486
487 2016-02-23  Brian Burg  <bburg@apple.com>
488
489         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
490         https://bugs.webkit.org/show_bug.cgi?id=154518
491         <rdar://problem/24761096>
492
493         Reviewed by Timothy Hatcher.
494
495         * inspector/InspectorBackendDispatcher.h:
496         Export all the classes since they are used by WebKit::WebAutomationSession.
497
498 2016-02-22  Brian Burg  <bburg@apple.com>
499
500         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
501         https://bugs.webkit.org/show_bug.cgi?id=154509
502         <rdar://problem/24759098>
503
504         Reviewed by Timothy Hatcher.
505
506         Add a new 'WebKit' framework, which is used to generate protocol code
507         in WebKit2.
508
509         Add --backend and --frontend flags to the main generator script.
510         These allow a framework to trigger two different sets of generators
511         so they can be separately generated and compiled.
512
513         * inspector/scripts/codegen/models.py:
514         (Framework.fromString):
515         (Frameworks): Add new framework.
516
517         * inspector/scripts/generate-inspector-protocol-bindings.py:
518         If neither --backend nor --frontend is specified, assume both are wanted.
519         This matches the behavior for JavaScriptCore and WebInspector frameworks.
520
521         (generate_from_specification):
522         Generate C++ files for the backend and Objective-C files for the frontend.
523
524 2016-02-22  Saam barati  <sbarati@apple.com>
525
526         JSGlobalObject doesn't visit ProxyObjectStructure during GC
527         https://bugs.webkit.org/show_bug.cgi?id=154564
528
529         Rubber stamped by Mark Lam.
530
531         * runtime/JSGlobalObject.cpp:
532         (JSC::JSGlobalObject::visitChildren):
533
534 2016-02-22  Saam barati  <sbarati@apple.com>
535
536         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
537         https://bugs.webkit.org/show_bug.cgi?id=154548
538
539         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
540
541         InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw 
542         an exception. Neither the function nor the call sites of the function took this into
543         account. This patch audits the call sites of the function to make it work in
544         the event that an exception is thrown.
545
546         * runtime/BooleanConstructor.cpp:
547         (JSC::constructWithBooleanConstructor):
548         * runtime/DateConstructor.cpp:
549         (JSC::constructDate):
550         * runtime/ErrorConstructor.cpp:
551         (JSC::Interpreter::constructWithErrorConstructor):
552         * runtime/FunctionConstructor.cpp:
553         (JSC::constructFunctionSkippingEvalEnabledCheck):
554         * runtime/InternalFunction.cpp:
555         (JSC::InternalFunction::createSubclassStructure):
556         * runtime/JSArrayBufferConstructor.cpp:
557         (JSC::constructArrayBuffer):
558         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
559         (JSC::constructGenericTypedArrayView):
560         * runtime/JSGlobalObject.h:
561         (JSC::constructEmptyArray):
562         (JSC::constructArray):
563         (JSC::constructArrayNegativeIndexed):
564         * runtime/JSPromiseConstructor.cpp:
565         (JSC::constructPromise):
566         * runtime/MapConstructor.cpp:
567         (JSC::constructMap):
568         * runtime/NativeErrorConstructor.cpp:
569         (JSC::Interpreter::constructWithNativeErrorConstructor):
570         * runtime/NumberConstructor.cpp:
571         (JSC::constructWithNumberConstructor):
572         * runtime/RegExpConstructor.cpp:
573         (JSC::getRegExpStructure):
574         (JSC::constructRegExp):
575         (JSC::constructWithRegExpConstructor):
576         * runtime/SetConstructor.cpp:
577         (JSC::constructSet):
578         * runtime/StringConstructor.cpp:
579         (JSC::constructWithStringConstructor):
580         (JSC::StringConstructor::getConstructData):
581         * runtime/WeakMapConstructor.cpp:
582         (JSC::constructWeakMap):
583         * runtime/WeakSetConstructor.cpp:
584         (JSC::constructWeakSet):
585         * tests/stress/create-subclass-structure-might-throw.js: Added.
586         (assert):
587
588 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
589
590         Fix build and implement functions to retrieve registers on FreeBSD
591         https://bugs.webkit.org/show_bug.cgi?id=152258
592
593         Reviewed by Michael Catanzaro.
594
595         * heap/MachineStackMarker.cpp:
596         (pthreadSignalHandlerSuspendResume):
597         struct ucontext is not specified in POSIX and it is not available on
598         FreeBSD. Replacing it with ucontext_t fixes the build problem.
599         (JSC::MachineThreads::Thread::Registers::stackPointer):
600         (JSC::MachineThreads::Thread::Registers::framePointer):
601         (JSC::MachineThreads::Thread::Registers::instructionPointer):
602         (JSC::MachineThreads::Thread::Registers::llintPC):
603         * heap/MachineStackMarker.h:
604
605 2016-02-22  Saam barati  <sbarati@apple.com>
606
607         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
608         https://bugs.webkit.org/show_bug.cgi?id=154552
609
610         Reviewed by Mark Lam.
611
612         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
613         They return false on a Proxy with internal [[Call]] and [[Construct]]
614         properties. It seems safest, most forward-looking, and most adherent
615         to the specification to check getCallData() and getConstructData() to
616         implement these functions.
617
618         * runtime/InternalFunction.cpp:
619         (JSC::InternalFunction::createSubclassStructure):
620         * runtime/JSCJSValueInlines.h:
621         (JSC::JSValue::isFunction):
622         (JSC::JSValue::isConstructor):
623
624 2016-02-22  Keith Miller  <keith_miller@apple.com>
625
626         Bound functions should use the prototype of the function being bound
627         https://bugs.webkit.org/show_bug.cgi?id=154195
628
629         Reviewed by Geoffrey Garen.
630
631         Per ES6, the result of Function.prototype.bind should have the same
632         prototype as the function being bound. In order to avoid creating
633         a new structure each time a function is bound we store the new
634         structure in our structure map. However, we cannot currently store
635         structures that have a different GlobalObject than their prototype.
636         In the rare case that the GlobalObject differs or the prototype of
637         the bindee is null we create a new structure each time. To further
638         minimize new structures, as well as making structure lookup faster,
639         we also store the structure in the RareData of the function we
640         are binding.
641
642         * runtime/FunctionRareData.cpp:
643         (JSC::FunctionRareData::visitChildren):
644         * runtime/FunctionRareData.h:
645         (JSC::FunctionRareData::getBoundFunctionStructure):
646         (JSC::FunctionRareData::setBoundFunctionStructure):
647         * runtime/JSBoundFunction.cpp:
648         (JSC::getBoundFunctionStructure):
649         (JSC::JSBoundFunction::create):
650         * tests/es6.yaml:
651         * tests/stress/bound-function-uses-prototype.js: Added.
652         (testChangeProto.foo):
653         (testChangeProto):
654         (testBuiltins):
655         * tests/stress/class-subclassing-function.js:
656
657 2016-02-22  Keith Miller  <keith_miller@apple.com>
658
659         Unreviewed, fix stress test to not print on success.
660
661         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
662         (catch): Deleted.
663
664 2016-02-22  Keith Miller  <keith_miller@apple.com>
665
666         Use Symbol.species in the builtin TypedArray.prototype functions
667         https://bugs.webkit.org/show_bug.cgi?id=153384
668
669         Reviewed by Geoffrey Garen.
670
671         This patch adds the use of species constructors to the TypedArray.prototype map and filter
672         functions. It also adds a new private function typedArrayGetOriginalConstructor that
673         returns the TypedArray constructor used to originally create a TypedArray instance.
674
675         There are no ES6 tests to update for this patch as species creation for these functions is
676         not tested in the compatibility table.
677
678         * builtins/TypedArrayPrototype.js:
679         (map):
680         (filter):
681         * bytecode/BytecodeIntrinsicRegistry.cpp:
682         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
683         * bytecode/BytecodeIntrinsicRegistry.h:
684         * runtime/CommonIdentifiers.h:
685         * runtime/JSGlobalObject.cpp:
686         (JSC::JSGlobalObject::init):
687         (JSC::JSGlobalObject::visitChildren):
688         * runtime/JSGlobalObject.h:
689         (JSC::JSGlobalObject::typedArrayConstructor):
690         * runtime/JSTypedArrayViewPrototype.cpp:
691         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
692         * runtime/JSTypedArrayViewPrototype.h:
693         * tests/stress/typedarray-filter.js:
694         (subclasses.typedArrays.map):
695         (prototype.accept):
696         (testSpecies):
697         (accept):
698         (forEach):
699         (subclasses.forEach):
700         (testSpeciesRemoveConstructor):
701         * tests/stress/typedarray-map.js:
702         (subclasses.typedArrays.map):
703         (prototype.id):
704         (testSpecies):
705         (id):
706         (forEach):
707         (subclasses.forEach):
708         (testSpeciesRemoveConstructor):
709
710 2016-02-22  Keith Miller  <keith_miller@apple.com>
711
712         Builtins that should not rely on iteration do.
713         https://bugs.webkit.org/show_bug.cgi?id=154475
714
715         Reviewed by Geoffrey Garen.
716
717         When changing the behavior of varargs calls to use ES6 iterators the
718         call builtin function's use of a varargs call was overlooked. The use
719         of iterators is observable outside the scope of the call function,
720         thus it must be reimplemented.
721
722         * builtins/FunctionPrototype.js:
723         (call):
724         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
725         (test):
726         (addAll):
727         (catch):
728
729 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
730
731         [JSC shell] Don't put empty arguments array to VM.
732         https://bugs.webkit.org/show_bug.cgi?id=154516
733
734         Reviewed by Geoffrey Garen.
735
736         This allows the arrowfunction-lexical-bind-arguments-top-level test to pass
737         in jsc as well as in the browser.
738
739         * jsc.cpp:
740         (GlobalObject::finishCreation):
741
742 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
743
744         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
745         https://bugs.webkit.org/show_bug.cgi?id=154450
746
747         Reviewed by Alex Christensen.
748
749         * CMakeLists.txt:
750
751 2016-02-22  Commit Queue  <commit-queue@webkit.org>
752
753         Unreviewed, rolling out r196891.
754         https://bugs.webkit.org/show_bug.cgi?id=154539
755
756         it broke Production builds (Requested by brrian on #webkit).
757
758         Reverted changeset:
759
760         "Web Inspector: add 'Automation' protocol domain and generate
761         its backend classes separately in WebKit2"
762         https://bugs.webkit.org/show_bug.cgi?id=154509
763         http://trac.webkit.org/changeset/196891
764
765 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
766
767         CodeBlock always visits its unlinked code twice
768         https://bugs.webkit.org/show_bug.cgi?id=154494
769
770         Reviewed by Saam Barati.
771
772         * bytecode/CodeBlock.cpp:
773         (JSC::CodeBlock::visitChildren):
774         The unlinked code is always visited in stronglyVisitStrongReferences.
775
776 2016-02-21  Brian Burg  <bburg@apple.com>
777
778         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
779         https://bugs.webkit.org/show_bug.cgi?id=154509
780         <rdar://problem/24759098>
781
782         Reviewed by Timothy Hatcher.
783
784         Add a new 'WebKit' framework, which is used to generate protocol code
785         in WebKit2.
786
787         Add --backend and --frontend flags to the main generator script.
788         These allow a framework to trigger two different sets of generators
789         so they can be separately generated and compiled.
790
791         * inspector/scripts/codegen/models.py:
792         (Framework.fromString):
793         (Frameworks): Add new framework.
794
795         * inspector/scripts/generate-inspector-protocol-bindings.py:
796         If neither --backend nor --frontend is specified, assume both are wanted.
797         This matches the behavior for JavaScriptCore and WebInspector frameworks.
798
799         (generate_from_specification):
800         Generate C++ files for the backend and Objective-C files for the frontend.
801
802 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
803
804         Improvements to Intl code
805         https://bugs.webkit.org/show_bug.cgi?id=154486
806
807         Reviewed by Darin Adler.
808
809         This patch does several things:
810         - Use std::unique_ptr to store ICU objects.
811         - Pass Vector::size() to ICU functions that take a buffer size instead
812           of Vector::capacity().
813         - If U_SUCCESS(status) is true, it means there is no error, but there
814           could be warnings. ICU functions ignore warnings. So, there is no need
815           to reset status to U_ZERO_ERROR.
816         - Remove the initialization of the String instance variables of
817           IntlDateTimeFormat. These values are never read and cause unnecessary
818           memory allocation.
819         - Fix coding style.
820         - Some small optimization.
821
822         * runtime/IntlCollator.cpp:
823         (JSC::IntlCollator::UCollatorDeleter::operator()):
824         (JSC::IntlCollator::createCollator):
825         (JSC::IntlCollator::compareStrings):
826         (JSC::IntlCollator::~IntlCollator): Deleted.
827         * runtime/IntlCollator.h:
828         * runtime/IntlDateTimeFormat.cpp:
829         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
830         (JSC::defaultTimeZone):
831         (JSC::canonicalizeTimeZoneName):
832         (JSC::toDateTimeOptionsAnyDate):
833         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
834         (JSC::IntlDateTimeFormat::weekdayString):
835         (JSC::IntlDateTimeFormat::format):
836         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
837         (JSC::localeData): Deleted.
838         * runtime/IntlDateTimeFormat.h:
839         * runtime/IntlDateTimeFormatConstructor.cpp:
840         * runtime/IntlNumberFormatConstructor.cpp:
841         * runtime/IntlObject.cpp:
842         (JSC::numberingSystemsForLocale):
843
844 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
845
846         Remove arrowfunction test cases that rely on arguments variable in jsc
847         https://bugs.webkit.org/show_bug.cgi?id=154517
848
849         Reviewed by Yusuke Suzuki.
850
851         Allow jsc to have the same JavaScript behavior as the browser has.
852
853         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
854         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
855
856 2016-02-21  Brian Burg  <bburg@apple.com>
857
858         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
859         https://bugs.webkit.org/show_bug.cgi?id=154508
860         <rdar://problem/24759077>
861
862         Reviewed by Timothy Hatcher.
863
864         In preparation for being able to generate protocol files for WebKit2,
865         make it possible to not emit generated code that's guarded by
866         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
867         backend dispatchers generated outside of JavaScriptCore. We can't just
868         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
869         in the configurations where the code is actually used.
870
871         Add a new opt-in Framework configuration option that turns on generating
872         this code. Adjust how the code is generated so that it can be easily excluded.
873
874         * inspector/scripts/codegen/cpp_generator_templates.py:
875         Make a separate template for the declarations that are guarded.
876         Add an initializer expression so the order of initializers doesn't matter.
877
878         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
879         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
880         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
881         If the declarations are needed, they will be appended to the end of the
882         declarations list.
883
884         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
885         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
886         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
887
888         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
889         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
890
891         Rebaseline affected tests.
892
893         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
894         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
895         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
896         * inspector/scripts/tests/expected/enum-values.json-result:
897         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
898
899 2016-02-21  Brian Burg  <bburg@apple.com>
900
901         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
902         https://bugs.webkit.org/show_bug.cgi?id=154505
903         <rdar://problem/24758042>
904
905         Reviewed by Timothy Hatcher.
906
907         It should be possible to generate code for a framework using some generators
908         that other frameworks also use. Right now the generator selection code assumes
909         that use of a generator is mutually exclusive among non-test frameworks.
910
911         Make this code explicitly switch on the framework. Reorder generators
912         alphabetically within each case.
913
914         * inspector/scripts/generate-inspector-protocol-bindings.py:
915         (generate_from_specification):
916
917         Rebaseline tests that are affected by generator reorderings.
918
919         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
920         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
921         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
922         * inspector/scripts/tests/expected/enum-values.json-result:
923         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
924         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
925         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
926         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
927         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
928         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
929         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
930         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
931         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
932
933 2016-02-19  Saam Barati  <sbarati@apple.com>
934
935         [ES6] Implement Proxy.[[Construct]]
936         https://bugs.webkit.org/show_bug.cgi?id=154440
937
938         Reviewed by Oliver Hunt.
939
940         This patch is mostly an implementation of
941         Proxy.[[Construct]] with respect to section 9.5.13
942         of the ECMAScript spec.
943         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
944
945         This patch also changes op_create_this to accept new.target values
946         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
947         because we might construct a JSFunction with a new.target being
948         a Proxy. This will also be needed when we implement Reflect.construct.
949
950         * dfg/DFGOperations.cpp:
951         * dfg/DFGSpeculativeJIT32_64.cpp:
952         (JSC::DFG::SpeculativeJIT::compile):
953         * dfg/DFGSpeculativeJIT64.cpp:
954         (JSC::DFG::SpeculativeJIT::compile):
955         * jit/JITOpcodes.cpp:
956         (JSC::JIT::emit_op_create_this):
957         (JSC::JIT::emitSlow_op_create_this):
958         * jit/JITOpcodes32_64.cpp:
959         (JSC::JIT::emit_op_create_this):
960         (JSC::JIT::emitSlow_op_create_this):
961         * llint/LLIntData.cpp:
962         (JSC::LLInt::Data::performAssertions):
963         * llint/LowLevelInterpreter.asm:
964         * llint/LowLevelInterpreter32_64.asm:
965         * llint/LowLevelInterpreter64.asm:
966         * runtime/CommonSlowPaths.cpp:
967         (JSC::SLOW_PATH_DECL):
968         * runtime/ProxyObject.cpp:
969         (JSC::ProxyObject::finishCreation):
970         (JSC::ProxyObject::visitChildren):
971         (JSC::performProxyConstruct):
972         (JSC::ProxyObject::getConstructData):
973         * runtime/ProxyObject.h:
974         * tests/es6.yaml:
975         * tests/stress/proxy-construct.js: Added.
976         (assert):
977         (throw.new.Error.let.target):
978         (throw.new.Error):
979         (assert.let.target):
980         (assert.let.handler.get construct):
981         (let.target):
982         (let.handler.construct):
983         (i.catch):
984         (assert.let.handler.construct):
985         (assert.let.construct):
986         (assert.else.assert.let.target):
987         (assert.else.assert.let.construct):
988         (assert.else.assert):
989         (new.proxy.let.target):
990         (new.proxy.let.construct):
991         (new.proxy):
992
993 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
994
995         [INTL] Implement Number Format Functions
996         https://bugs.webkit.org/show_bug.cgi?id=147605
997
998         Reviewed by Darin Adler.
999
1000         This patch implements Intl.NumberFormat.prototype.format() according
1001         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
1002
1003         * runtime/IntlNumberFormat.cpp:
1004         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
1005         (JSC::IntlNumberFormat::initializeNumberFormat):
1006         (JSC::IntlNumberFormat::createNumberFormat):
1007         (JSC::IntlNumberFormat::formatNumber):
1008         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
1009         * runtime/IntlNumberFormat.h:
1010         * runtime/IntlNumberFormatPrototype.cpp:
1011         (JSC::IntlNumberFormatFuncFormatNumber):
1012
1013 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
1014
1015         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
1016         https://bugs.webkit.org/show_bug.cgi?id=154416
1017
1018         Reviewed by Geoff Garen.
1019
1020         Here's the bug. Suppose you call JSObject::getOwnProperty and -
1021           - PropertyName contains an index,
1022           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
1023           - The base of the access (or another object on the prototype chain) shadows that property.
1024
1025         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
1026         index, and as such walks up the prototype chain looking for non-index properties before it
1027         tries calling parseIndex.
1028
1029         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
1030         would potentially return the property) we may have already skipped over non-overriding
1031         objects that contain the property in index storage.
1032
1033         * runtime/JSObject.h:
1034         (JSC::JSObject::getOwnNonIndexPropertySlot):
1035             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
1036               added ASSERT guarding that this method never returns index properties -
1037               if it ever does, this is unsafe for getPropertySlot.
1038         (JSC::JSObject::getOwnPropertySlot):
1039             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
1040         (JSC::JSObject::getPropertySlot):
1041             - In case of object overriding getOwnPropertySlot check if propertyName is an index.
1042         (JSC::JSObject::getNonIndexPropertySlot):
1043             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
1044               in order to avoid repeated calls to parseIndex.
1045         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
1046             - this was renamed to getOwnNonIndexPropertySlot.
1047         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
1048             - this was folded back into getPropertySlot.
1049
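The lookup scenario described in the entry above, reproduced from script as an added example (not part of this ChangeLog or of WebKit's own tests). Script cannot override getOwnPropertySlot directly, so a Proxy stands in for the overriding object on the prototype chain; that substitution is an assumption, not a claim about how the original report was triggered.

```javascript
// Added example, not part of this ChangeLog or of WebKit's own tests: it
// reproduces from script the lookup scenario the entry above describes.
// A Proxy is the only object script can place on a prototype chain that
// "overrides getOwnPropertySlot", so it stands in here for such a host
// object (an assumption, not a claim about the original report).

// Prototype chain, base to root:  base -> plain -> proxy -> Object.prototype
//   plain : ordinary object holding index property "0" in its index storage
//   proxy : the overriding object further up the chain, which also answers "0"
function buildChain() {
    const proxy = new Proxy({}, {
        get(target, key, receiver) {
            return key === "0" ? "from-proxy" : Reflect.get(target, key, receiver);
        },
    });
    const plain = Object.create(proxy);
    plain[0] = "from-plain";          // becomes an own index property of plain
    const base = Object.create(plain);
    return { base, plain, proxy };
}

// Spec-correct results: [[Get]] walks base -> plain -> proxy and must stop at
// the first object that owns "0". A lookup that skips plain's index storage
// on its way to the overriding proxy (the bug described above) would return
// "from-proxy" for viaIndex instead of "from-plain".
function lookupIndexProperty() {
    const { base, plain, proxy } = buildChain();
    const unshadowed = Object.create(proxy)[0];   // nothing in between: proxy answers
    const viaIndex = base[0];                     // plain shadows the proxy
    const viaString = base["0"];                  // same property key as base[0]
    base[0] = "from-base";                        // now base itself shadows plain
    return {
        unshadowed,
        viaIndex,
        viaString,
        shadowOnBase: base[0],
        plainUnchanged: plain[0],
        ownOnBase: Object.prototype.hasOwnProperty.call(base, "0"),
    };
}
```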
1050 2016-02-19  Saam Barati  <sbarati@apple.com>
1051
1052         [ES6] Implement Proxy.[[Call]]
1053         https://bugs.webkit.org/show_bug.cgi?id=154425
1054
1055         Reviewed by Mark Lam.
1056
1057         This patch is a straightforward implementation of
1058         Proxy.[[Call]] with respect to section 9.5.12
1059         of the ECMAScript spec.
1060         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
1061
1062         * runtime/ProxyObject.cpp:
1063         (JSC::ProxyObject::finishCreation):
1064         (JSC::performProxyGet):
1065         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1066         (JSC::ProxyObject::performHasProperty):
1067         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1068         (JSC::performProxyCall):
1069         (JSC::ProxyObject::getCallData):
1070         (JSC::ProxyObject::visitChildren):
1071         * runtime/ProxyObject.h:
1072         (JSC::ProxyObject::create):
1073         * tests/es6.yaml:
1074         * tests/stress/proxy-call.js: Added.
1075         (assert):
1076         (throw.new.Error.let.target):
1077         (throw.new.Error.let.handler.apply):
1078         (throw.new.Error):
1079         (assert.let.target):
1080         (assert.let.handler.get apply):
1081         (let.target):
1082         (let.handler.apply):
1083         (i.catch):
1084         (assert.let.handler.apply):
1085
1086 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
1087
1088         Remove more LLVM related dead code after r196729
1089         https://bugs.webkit.org/show_bug.cgi?id=154387
1090
1091         Reviewed by Filip Pizlo.
1092
1093         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
1094         * Configurations/LLVMForJSC.xcconfig: Removed.
1095         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
1096         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
1097         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
1098         * JavaScriptCore.xcodeproj/project.pbxproj:
1099         * disassembler/X86Disassembler.cpp:
1100
1101 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1102
1103         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
1104         https://bugs.webkit.org/show_bug.cgi?id=154442
1105
1106         Reviewed by Saam Barati.
1107
1108         * runtime/JSString.h:
1109         (JSC::isJSString):
1110
1111 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
1112
1113         Remove unused SymbolTable::createNameScopeTable
1114         https://bugs.webkit.org/show_bug.cgi?id=154443
1115
1116         Reviewed by Saam Barati.
1117
1118         * runtime/SymbolTable.h:
1119
1120 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
1121
1122         [JSC] Improve the instruction selection of Select
1123         https://bugs.webkit.org/show_bug.cgi?id=154432
1124
1125         Reviewed by Filip Pizlo.
1126
1127         Plenty of code but this patch is pretty dumb:
1128         - On ARM64: use the 3 operand form of CSEL instead of forcing a source
1129           to be aliased to the destination. This gives more freedom to the register
1130           allocator and it is one less Move to process per Select.
1131         - On x86, introduce a fake 3 operands form and use aggressive aliasing
1132           to try to alias both sources to the destination.
1133
1134           If aliasing succeeds on the "elseCase", the condition of the Select
1135           is reverted in the MacroAssembler.
1136
1137           If no aliasing is possible and we end up with 3 registers, the missing
1138           move instruction is generated by the MacroAssembler.
1139
1140           The missing move is generated after testing the values because the destination
1141           can use the same register as one of the test operands.
1142           Experimental testing seems to indicate there is no macro-fusion on CMOV, so
1143           there is no measurable cost to having the move there.
1144
1145         * assembler/MacroAssembler.h:
1146         (JSC::MacroAssembler::isInvertible):
1147         (JSC::MacroAssembler::invert):
1148         * assembler/MacroAssemblerARM64.h:
1149         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
1150         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
1151         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
1152         (JSC::MacroAssemblerARM64::moveConditionally32):
1153         (JSC::MacroAssemblerARM64::moveConditionally64):
1154         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
1155         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
1156         * assembler/MacroAssemblerX86Common.h:
1157         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
1158         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
1159         (JSC::MacroAssemblerX86Common::moveConditionally32):
1160         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
1161         (JSC::MacroAssemblerX86Common::invert):
1162         (JSC::MacroAssemblerX86Common::isInvertible):
1163         * assembler/MacroAssemblerX86_64.h:
1164         (JSC::MacroAssemblerX86_64::moveConditionally64):
1165         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
1166         * b3/B3LowerToAir.cpp:
1167         (JSC::B3::Air::LowerToAir::createSelect):
1168         (JSC::B3::Air::LowerToAir::lower):
1169         * b3/air/AirInstInlines.h:
1170         (JSC::B3::Air::Inst::shouldTryAliasingDef):
1171         * b3/air/AirOpcode.opcodes:
1172
1173 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
1174
1175         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
1176         https://bugs.webkit.org/show_bug.cgi?id=154430
1177
1178         Reviewed by Saam Barati.
1179
1180         llvm isn't used anymore.
1181
1182         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
1183
1184 2016-02-18  Saam Barati  <sbarati@apple.com>
1185
1186         Implement Proxy.[[HasProperty]]
1187         https://bugs.webkit.org/show_bug.cgi?id=154313
1188
1189         Reviewed by Filip Pizlo.
1190
1191         This patch is a straightforward implementation of
1192         Proxy.[[HasProperty]] with respect to section 9.5.7
1193         of the ECMAScript spec.
1194         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
1195
1196         * runtime/ProxyObject.cpp:
1197         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1198         (JSC::ProxyObject::performHasProperty):
1199         (JSC::ProxyObject::getOwnPropertySlotCommon):
1200         * runtime/ProxyObject.h:
1201         * tests/es6.yaml:
1202         * tests/stress/proxy-basic.js:
1203         (assert):
1204         (let.handler.has):
1205         * tests/stress/proxy-has-property.js: Added.
1206         (assert):
1207         (throw.new.Error.let.handler.get has):
1208         (throw.new.Error):
1209         (assert.let.handler.has):
1210         (let.handler.has):
1211         (getOwnPropertyDescriptor):
1212         (i.catch):
1213
1214 2016-02-18  Saam Barati  <sbarati@apple.com>
1215
1216         Proxies don't properly handle Symbols as PropertyKeys.
1217         https://bugs.webkit.org/show_bug.cgi?id=154385
1218
1219         Reviewed by Mark Lam and Yusuke Suzuki.
1220
1221         We were converting all PropertyKeys to strings, even when
1222         the PropertyName was a Symbol. In the spec, PropertyKeys are
1223         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
1224         Proxy.[[GetOwnProperty]].
1225
1226         * runtime/Completion.cpp:
1227         (JSC::profiledEvaluate):
1228         (JSC::createSymbolForEntryPointModule):
1229         (JSC::identifierToJSValue): Deleted.
1230         * runtime/Identifier.h:
1231         (JSC::parseIndex):
1232         * runtime/IdentifierInlines.h:
1233         (JSC::Identifier::fromString):
1234         (JSC::identifierToJSValue):
1235         (JSC::identifierToSafePublicJSValue):
1236         * runtime/ProxyObject.cpp:
1237         (JSC::performProxyGet):
1238         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1239         * tests/es6.yaml:
1240         * tests/stress/proxy-basic.js:
1241         (let.handler.getOwnPropertyDescriptor):
1242
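The Proxy behaviours described in the entries above (Proxy.[[Call]] and Proxy.[[Construct]] per sections 9.5.12 and 9.5.13, a Proxy acting as new.target for an ordinary constructor, the isFunction()/isConstructor() point that a callable Proxy is a function, and Symbol keys reaching a trap unconverted), exercised from script as one added example that is not part of this ChangeLog or of WebKit's tests. The Target class and the recording handler are constructed here for illustration.

```javascript
// Added example, not part of this ChangeLog or of WebKit's own tests. Target
// and the recording handler are constructed for illustration.
class Target {
    constructor(x) { this.x = x; }
}

// Runs one callable proxy and one constructor proxy through a recording handler
// and returns what the traps observed, so a harness can assert on it.
function exerciseProxy() {
    const seen = { callThis: null, callArgs: null, keyTypes: [] };
    const handler = {
        // [[Call]] (9.5.12): the trap receives the raw thisArgument and argument list.
        apply(target, thisArg, args) {
            seen.callThis = thisArg;
            seen.callArgs = args;
            return Reflect.apply(target, thisArg, args);
        },
        // [[Get]]: the key is a String or a Symbol; a Symbol must not be stringified.
        get(target, key, receiver) {
            seen.keyTypes.push(typeof key);
            return Reflect.get(target, key, receiver);
        },
        // No construct trap: [[Construct]] (9.5.13) forwards to the target with
        // new.target === the proxy, the case op_create_this had to learn to accept.
    };
    const sym = Symbol("tag");
    const callable = new Proxy(function (a, b) { return a + b; }, handler);
    const ctor = new Proxy(Target, handler);

    const sum = callable.call("ctx", 2, 3);   // get("call"), then the apply trap
    const obj = new ctor(7);                  // get("prototype") on the proxy new.target
    const viaSymbol = callable[sym];          // get(sym): typeof key === "symbol"

    return {
        typeofCallable: typeof callable,            // "function": it has [[Call]]
        typeofPlainProxy: typeof new Proxy({}, {}), // "object": no [[Call]]
        sum,
        callThis: seen.callThis,
        callArgs: seen.callArgs.join(","),
        instanceIsTarget: obj instanceof Target,
        protoIsTargetPrototype: Object.getPrototypeOf(obj) === Target.prototype,
        instanceX: obj.x,
        viaSymbol,
        keyTypes: seen.keyTypes.join(","),          // "string,string,symbol"
    };
}

// 9.5.13: a construct trap that returns a non-Object must raise TypeError.
function constructTrapMustReturnObject() {
    const bad = new Proxy(Target, { construct() { return 42; } });
    try {
        new bad();
        return false;
    } catch (e) {
        return e instanceof TypeError;
    }
}

// A proxy over a target without [[Construct]] has no [[Construct]] either,
// so `new` on it throws TypeError instead of constructing anything.
function nonConstructorProxyThrows() {
    const notCtor = new Proxy(() => {}, {});
    try {
        new notCtor();
        return false;
    } catch (e) {
        return e instanceof TypeError;
    }
}
```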
1243 2016-02-18  Saam Barati  <sbarati@apple.com>
1244
1245         Follow up fix to Implement Proxy.[[GetOwnProperty]]
1246         https://bugs.webkit.org/show_bug.cgi?id=154314
1247
1248         Reviewed by Filip Pizlo.
1249
1250         Part of the implementation was broken because
1251         of how JSObject::getOwnPropertyDescriptor worked.
1252         I've fixed JSObject::getOwnPropertyDescriptor to
1253         be able to handle ProxyObject.
1254
1255         * runtime/JSObject.cpp:
1256         (JSC::JSObject::getOwnPropertyDescriptor):
1257         * runtime/ProxyObject.cpp:
1258         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1259         * tests/stress/proxy-get-own-property.js:
1260         (assert):
1261         (assert.let.handler.get getOwnPropertyDescriptor):
1262
1263 2016-02-18  Saam Barati  <sbarati@apple.com>
1264
1265         Implement Proxy.[[GetOwnProperty]]
1266         https://bugs.webkit.org/show_bug.cgi?id=154314
1267
1268         Reviewed by Filip Pizlo.
1269
1270         This patch implements Proxy.[[GetOwnProperty]].
1271         It's a straightforward implementation as described
1272         in section 9.5.5 of the specification:
1273         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
1274
1275         * runtime/FunctionPrototype.cpp:
1276         (JSC::functionProtoFuncBind):
1277         * runtime/JSObject.cpp:
1278         (JSC::validateAndApplyPropertyDescriptor):
1279         (JSC::JSObject::defineOwnNonIndexProperty):
1280         (JSC::JSObject::defineOwnProperty):
1281         (JSC::JSObject::getGenericPropertyNames):
1282         (JSC::JSObject::getMethod):
1283         * runtime/JSObject.h:
1284         (JSC::JSObject::butterflyAddress):
1285         (JSC::makeIdentifier):
1286         * runtime/ProxyObject.cpp:
1287         (JSC::performProxyGet):
1288         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1289         (JSC::ProxyObject::getOwnPropertySlotCommon):
1290         (JSC::ProxyObject::getOwnPropertySlot):
1291         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1292         (JSC::ProxyObject::visitChildren):
1293         * runtime/ProxyObject.h:
1294         * tests/es6.yaml:
1295         * tests/stress/proxy-basic.js:
1296         (let.handler.get null):
1297         * tests/stress/proxy-get-own-property.js: Added.
1298         (assert):
1299         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
1300         (throw.new.Error):
1301         (let.handler.getOwnPropertyDescriptor):
1302         (i.catch):
1303         (assert.let.handler.getOwnPropertyDescriptor):
1304
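The invariants that the [[GetOwnProperty]] steps above enforce can be exercised from script. What follows is an added example, not code from the patch or from its tests: it runs Object.getOwnPropertyDescriptor through proxies whose getOwnPropertyDescriptor trap returns a fixed value and reports which cases the engine must reject with a TypeError (section 9.5.5 steps 4, 6, 9 and 10) and which it must allow. Sandboxes that freeze an object graph depend on exactly these checks: a trap must not be able to hide a non-configurable property, to invent a property on a non-extensible target, or to report a configurable property as non-configurable. The function names, the handlers and the property `x` are this example's own.

```javascript
// Added example: exercises the Proxy [[GetOwnProperty]] invariants (ES2015 section 9.5.5)
// against the host engine's Proxy. Every target and trap result below is constructed here.

// Runs Object.getOwnPropertyDescriptor(proxy, "x") where the trap returns `trapResult`
// regardless of key, and classifies the outcome.
function probe(target, trapResult) {
  const proxy = new Proxy(target, {
    getOwnPropertyDescriptor() { return trapResult; },
  });
  try {
    const desc = Object.getOwnPropertyDescriptor(proxy, "x");
    return desc === undefined ? "undefined" : "descriptor";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}

// Allowed: hiding a configurable property of an extensible target.
function hideConfigurableOnExtensible() {
  const target = {};
  Object.defineProperty(target, "x", { value: 1, configurable: true, writable: true, enumerable: true });
  return probe(target, undefined);
}

// Step 6: a non-configurable property cannot be reported as absent.
function hideNonConfigurable() {
  const target = {};
  Object.defineProperty(target, "x", { value: 1, configurable: false });
  return probe(target, undefined);
}

// Step 6: an existing property of a non-extensible target cannot be reported as absent.
function hideOnNonExtensible() {
  const target = Object.preventExtensions({ x: 1 });
  return probe(target, undefined);
}

// Step 9: a property that does not exist on a non-extensible target cannot be invented.
function inventOnNonExtensible() {
  const target = Object.preventExtensions({});
  return probe(target, { value: 1, configurable: true, writable: true, enumerable: true });
}

// Allowed: inventing a configurable property on an extensible target.
function inventOnExtensible() {
  return probe({}, { value: 1, configurable: true, writable: true, enumerable: true });
}

// Step 10: a configurable target property cannot be reported as non-configurable.
function claimNonConfigurableOverConfigurable() {
  const target = { x: 1 };
  return probe(target, { value: 1, configurable: false, writable: true, enumerable: true });
}

// Step 4: the trap result must be an Object or undefined.
function nonObjectTrapResult() {
  return probe({ x: 1 }, 42);
}

// Allowed: the trap forwards the target's own descriptor unchanged.
function honestReport() {
  const target = { x: 1 };
  return probe(target, Object.getOwnPropertyDescriptor(target, "x"));
}

// Step 1: a revoked proxy has a null handler and throws before any trap lookup.
function revokedProxy() {
  const { proxy, revoke } = Proxy.revocable({ x: 1 }, {});
  revoke();
  try {
    Object.getOwnPropertyDescriptor(proxy, "x");
    return "descriptor";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}
```

Each function returns one of "undefined", "descriptor", "TypeError" or "other", so the same harness can be pointed at any engine build to check that the rejected cases really are rejected.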
1305 2016-02-18  Andreas Kling  <akling@apple.com>
1306
1307         JSString resolution of substrings should use StringImpl sharing optimization.
1308         <https://webkit.org/b/154068>
1309         <rdar://problem/24629358>
1310
1311         Reviewed by Antti Koivisto.
1312
1313         When resolving a JSString that's actually a substring of another JSString,
1314         use the StringImpl sharing optimization to create a new string pointing into
1315         the parent one, instead of copying out the bytes of the string.
1316
1317         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
1318
1319         Another approach to this would be to induce GC far more frequently due to
1320         the added cost of copying out these substrings. It would reduce the risk
1321         of prolonging the life of strings only kept alive by substrings.
1322
1323         This patch chooses to trade that risk for less GC and lower peak memory.
1324
1325         * runtime/JSString.cpp:
1326         (JSC::JSRopeString::resolveRope):
1327
1328 2016-02-18  Chris Dumez  <cdumez@apple.com>
1329
1330         Crash on SES selftest page when loading the page while WebInspector is open
1331         https://bugs.webkit.org/show_bug.cgi?id=154378
1332         <rdar://problem/24713422>
1333
1334         Reviewed by Mark Lam.
1335
1336         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
1337         returns early again if it detects that getOwnPropertySlot() returns a
1338         non-own property. This check was removed in r196676 because we assumed that
1339         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
1340         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
1341         well.
1342
1343         Not having the check would lead to crashes when using the debugger because
1344         we would get a slot with the CustomAccessor attribute but getDirect() would
1345         then fail to return the property (because it is not an own property). We
1346         would then cast the value returned by getDirect() to a CustomGetterSetter*
1347         and dereference it.
1348
1349         * runtime/JSObject.cpp:
1350         (JSC::JSObject::getOwnPropertyDescriptor):
1351
1352 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
1353
1354         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
1355         for that.
1356
1357         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1358         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1359
1360 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
1361
1362         Unreviewed, fix CMake build. This got messed up when rebasing.
1363
1364         * CMakeLists.txt:
1365
1366 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
1367
1368         Fix the !ENABLE(DFG_JIT) build after r195865
1369         https://bugs.webkit.org/show_bug.cgi?id=154391
1370
1371         Reviewed by Filip Pizlo.
1372
1373         * runtime/SamplingProfiler.cpp:
1374         (JSC::tryGetBytecodeIndex):
1375
1376 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
1377
1378         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
1379         https://bugs.webkit.org/show_bug.cgi?id=154383
1380
1381         Reviewed by Saam Barati.
1382
1383         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
1384
1385         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
1386           backend".
1387
1388         - Removed the reference because I found it to be dead. In some cases it was a dead
1389           comment: it was telling us things about what LLVM did and that's just not relevant
1390           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
1391
1392         - Edited the comment in some smart way. There were comments talking about what LLVM did
1393           that were still of interest. In some cases, I added a FIXME to consider changing the
1394           code below the comment on the grounds that it was written in a weird way to placate
1395           LLVM and so we can do it better now.
1396
1397         * CMakeLists.txt:
1398         * JavaScriptCore.xcodeproj/project.pbxproj:
1399         * dfg/DFGArgumentsEliminationPhase.cpp:
1400         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1401         * dfg/DFGPlan.cpp:
1402         (JSC::DFG::Plan::compileInThread):
1403         (JSC::DFG::Plan::compileInThreadImpl):
1404         (JSC::DFG::Plan::compileTimeStats):
1405         * dfg/DFGPutStackSinkingPhase.cpp:
1406         * dfg/DFGSSAConversionPhase.h:
1407         * dfg/DFGStaticExecutionCountEstimationPhase.h:
1408         * dfg/DFGUnificationPhase.cpp:
1409         (JSC::DFG::UnificationPhase::run):
1410         * disassembler/ARM64Disassembler.cpp:
1411         (JSC::tryToDisassemble): Deleted.
1412         * disassembler/X86Disassembler.cpp:
1413         (JSC::tryToDisassemble):
1414         * ftl/FTLAbstractHeap.cpp:
1415         (JSC::FTL::IndexedAbstractHeap::initialize):
1416         * ftl/FTLAbstractHeap.h:
1417         * ftl/FTLFormattedValue.h:
1418         * ftl/FTLJITFinalizer.cpp:
1419         (JSC::FTL::JITFinalizer::finalizeFunction):
1420         * ftl/FTLLink.cpp:
1421         (JSC::FTL::link):
1422         * ftl/FTLLocation.cpp:
1423         (JSC::FTL::Location::restoreInto):
1424         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
1425         (JSC::FTL::DFG::ftlUnreachable):
1426         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
1427         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
1428         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
1429         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
1430         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
1431         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
1432         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
1433         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
1434         (JSC::FTL::lowerDFGToB3):
1435         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
1436         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
1437         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
1438         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
1439         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
1440         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
1441         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
1442         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
1443         (JSC::FTL::lowerDFGToLLVM): Deleted.
1444         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
1445         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
1446         * ftl/FTLLowerDFGToLLVM.h: Removed.
1447         * ftl/FTLOSRExitCompiler.cpp:
1448         (JSC::FTL::compileStub):
1449         * ftl/FTLWeight.h:
1450         (JSC::FTL::Weight::frequencyClass):
1451         (JSC::FTL::Weight::inverse):
1452         (JSC::FTL::Weight::scaleToTotal): Deleted.
1453         * ftl/FTLWeightedTarget.h:
1454         (JSC::FTL::rarely):
1455         (JSC::FTL::unsure):
1456         * jit/CallFrameShuffler64.cpp:
1457         (JSC::CallFrameShuffler::emitDisplace):
1458         * jit/RegisterSet.cpp:
1459         (JSC::RegisterSet::ftlCalleeSaveRegisters):
1460         * llvm: Removed.
1461         * llvm/InitializeLLVMLinux.cpp: Removed.
1462         * llvm/InitializeLLVMWin.cpp: Removed.
1463         * llvm/library: Removed.
1464         * llvm/library/LLVMTrapCallback.h: Removed.
1465         * llvm/library/libllvmForJSC.version: Removed.
1466         * runtime/Options.cpp:
1467         (JSC::recomputeDependentOptions):
1468         (JSC::Options::initialize):
1469         * runtime/Options.h:
1470         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
1471         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
1472         * wasm/WASMFunctionParser.cpp:
1473
1474 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
1475
1476         [cmake] Build system cleanup
1477         https://bugs.webkit.org/show_bug.cgi?id=154337
1478
1479         Reviewed by Žan Doberšek.
1480
1481         * CMakeLists.txt:
1482
1483 2016-02-17  Mark Lam  <mark.lam@apple.com>
1484
1485         Callers of JSString::value() should check for exceptions thereafter.
1486         https://bugs.webkit.org/show_bug.cgi?id=154346
1487
1488         Reviewed by Geoffrey Garen.
1489
1490         JSString::value() can throw an exception if the JS string is a rope and value() 
1491         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
1492         able to resolve the rope, it will return a null string (in addition to throwing
1493         the exception).  If a caller does not check for exceptions after calling
1494         JSString::value(), they may eventually use the returned null string and crash the
1495         VM.
1496
1497         The fix is to add all the necessary exception checks, and do the appropriate
1498         handling if needed.
1499
1500         * jsc.cpp:
1501         (functionRun):
1502         (functionLoad):
1503         (functionReadFile):
1504         (functionCheckSyntax):
1505         (functionLoadWebAssembly):
1506         (functionLoadModule):
1507         (functionCheckModuleSyntax):
1508         * runtime/DateConstructor.cpp:
1509         (JSC::dateParse):
1510         (JSC::dateNow):
1511         * runtime/JSGlobalObjectFunctions.cpp:
1512         (JSC::globalFuncEval):
1513         * tools/JSDollarVMPrototype.cpp:
1514         (JSC::functionPrint):
1515
1516 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
1517
1518         [JSC] ARM64: Support the immediate format used for bit operations in Air
1519         https://bugs.webkit.org/show_bug.cgi?id=154327
1520
1521         Reviewed by Filip Pizlo.
1522
1523         ARM64 supports a pretty rich form of immediates for bit operations.
1524         There are two formats used to encode repeating patterns and common
1525         input in a dense form.
1526
1527         In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
1528         Those represent the valid immediate forms for bit operations.
1529         On x86, any 32-bit value is valid. On ARM64, all the encoding
1530         forms are tried and the immediate is used when possible.
1531
1532         The arg type Imm64 is renamed to BigImm to better represent what
1533         it is: an immediate that does not fit into Imm.
1534
1535         * assembler/ARM64Assembler.h:
1536         (JSC::LogicalImmediate::create32): Deleted.
1537         (JSC::LogicalImmediate::create64): Deleted.
1538         (JSC::LogicalImmediate::value): Deleted.
1539         (JSC::LogicalImmediate::isValid): Deleted.
1540         (JSC::LogicalImmediate::is64bit): Deleted.
1541         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
1542         (JSC::LogicalImmediate::mask): Deleted.
1543         (JSC::LogicalImmediate::partialHSB): Deleted.
1544         (JSC::LogicalImmediate::highestSetBit): Deleted.
1545         (JSC::LogicalImmediate::findBitRange): Deleted.
1546         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
1547         * assembler/AssemblerCommon.h:
1548         (JSC::ARM64LogicalImmediate::create32):
1549         (JSC::ARM64LogicalImmediate::create64):
1550         (JSC::ARM64LogicalImmediate::value):
1551         (JSC::ARM64LogicalImmediate::isValid):
1552         (JSC::ARM64LogicalImmediate::is64bit):
1553         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
1554         (JSC::ARM64LogicalImmediate::mask):
1555         (JSC::ARM64LogicalImmediate::partialHSB):
1556         (JSC::ARM64LogicalImmediate::highestSetBit):
1557         (JSC::ARM64LogicalImmediate::findBitRange):
1558         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
1559         * assembler/MacroAssemblerARM64.h:
1560         (JSC::MacroAssemblerARM64::and64):
1561         (JSC::MacroAssemblerARM64::or64):
1562         (JSC::MacroAssemblerARM64::xor64):
1563         * b3/B3LowerToAir.cpp:
1564         (JSC::B3::Air::LowerToAir::bitImm):
1565         (JSC::B3::Air::LowerToAir::bitImm64):
1566         (JSC::B3::Air::LowerToAir::appendBinOp):
1567         * b3/air/AirArg.cpp:
1568         (JSC::B3::Air::Arg::dump):
1569         (WTF::printInternal):
1570         * b3/air/AirArg.h:
1571         (JSC::B3::Air::Arg::bitImm):
1572         (JSC::B3::Air::Arg::bitImm64):
1573         (JSC::B3::Air::Arg::isBitImm):
1574         (JSC::B3::Air::Arg::isBitImm64):
1575         (JSC::B3::Air::Arg::isSomeImm):
1576         (JSC::B3::Air::Arg::value):
1577         (JSC::B3::Air::Arg::isGP):
1578         (JSC::B3::Air::Arg::isFP):
1579         (JSC::B3::Air::Arg::hasType):
1580         (JSC::B3::Air::Arg::isValidBitImmForm):
1581         (JSC::B3::Air::Arg::isValidBitImm64Form):
1582         (JSC::B3::Air::Arg::isValidForm):
1583         (JSC::B3::Air::Arg::asTrustedImm32):
1584         (JSC::B3::Air::Arg::asTrustedImm64):
1585         * b3/air/AirOpcode.opcodes:
1586         * b3/air/opcode_generator.rb:
1587
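The ARM64 immediate form that BitImm32 and BitImm64 model is narrow: a logical immediate (the operand of AND, ORR or EOR with immediate) is an element of 2, 4, 8, 16, 32 or 64 bits, replicated across the register, where the element is one contiguous run of ones rotated by some amount. The following is an added example, not JSC's ARM64LogicalImmediate: it decides whether a constant is encodable and recovers the element size, run length and rotation. It uses BigInt so that full 64-bit values can be handled; the names `size`, `ones` and `rotation` and the helper functions are this example's own.

```javascript
// Added example (not JSC's ARM64LogicalImmediate): classify ARM64 logical immediates.
// An encodable value is a bit pattern of element size 2, 4, 8, 16, 32 or 64 bits
// replicated across 64 bits, where the element is a single rotated run of ones.
// Values are BigInts (or Numbers that fit in 53 bits); 0 and all-ones are never encodable.

const MASK64 = (1n << 64n) - 1n;

function maskOf(width) {
  return width === 64 ? MASK64 : (1n << BigInt(width)) - 1n;
}

// Rotate a `width`-bit value right by n bits.
function ror(x, n, width) {
  const w = BigInt(width);
  const r = BigInt(n % width);
  return ((x >> r) | (x << (w - r))) & maskOf(width);
}

function popcount(x) {
  let count = 0;
  for (; x > 0n; x >>= 1n) count += Number(x & 1n);
  return count;
}

// Returns { size, ones, rotation } for an encodable value, or null otherwise.
function decomposeLogicalImmediate64(value) {
  value = BigInt(value) & MASK64;
  if (value === 0n || value === MASK64) return null;
  for (const size of [2, 4, 8, 16, 32, 64]) {
    const w = BigInt(size);
    const elem = value & maskOf(size);
    // Replicate the low `size` bits across 64 bits; the first match is the smallest period.
    let replicated = 0n;
    for (let shift = 0n; shift < 64n; shift += w) replicated |= elem << shift;
    if (replicated !== value) continue;
    // A rotated run of ones has exactly two edges: elem XOR ror(elem, 1) has two bits set.
    if (popcount(elem ^ ror(elem, 1, size)) !== 2) return null;
    const ones = popcount(elem);
    const run = (1n << BigInt(ones)) - 1n;
    let rotation = 0;
    while (ror(run, rotation, size) !== elem) rotation++; // terminates: elem is a rotated run
    return { size, ones, rotation };
  }
  return null;
}

function isLogicalImmediate64(value) {
  return decomposeLogicalImmediate64(value) !== null;
}

// A 32-bit logical immediate is the 32-bit pattern replicated into 64 bits, which is
// why 0xFFFFFFFF is not encodable: replicated, it is all ones.
function isLogicalImmediate32(value) {
  const v = BigInt(value) & 0xffffffffn;
  return isLogicalImmediate64((v << 32n) | v);
}
```

The check mirrors the fall-back described above: a constant that passes can be folded into the instruction, anything else has to be materialised in a register first.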
1588 2016-02-17  Keith Miller  <keith_miller@apple.com>
1589
1590         Spread operator should be allowed when not the first argument of parameter list
1591         https://bugs.webkit.org/show_bug.cgi?id=152721
1592
1593         Reviewed by Saam Barati.
1594
1595         Spread arguments to functions should now be ES6 compliant. Before we
1596         would only take a spread operator if it was the sole argument to a
1597         function. Additionally, we would not use the Symbol.iterator on the
1598         object to generate the arguments. Instead we would do a loop up to the
1599         length mapping indexed properties to the corresponding argument. We fix
1600         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
1601         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
1602         old spread semantics). This solution has the downside of requiring the
1603         allocation of another object and copying each element twice but avoids a
1604         large change to the vm calling convention.
1605
1606         * interpreter/Interpreter.cpp:
1607         (JSC::loadVarargs):
1608         * parser/ASTBuilder.h:
1609         (JSC::ASTBuilder::createElementList):
1610         * parser/Parser.cpp:
1611         (JSC::Parser<LexerType>::parseArguments):
1612         (JSC::Parser<LexerType>::parseArgument):
1613         (JSC::Parser<LexerType>::parseMemberExpression):
1614         * parser/Parser.h:
1615         * parser/SyntaxChecker.h:
1616         (JSC::SyntaxChecker::createElementList):
1617         * tests/es6.yaml:
1618         * tests/stress/spread-calling.js: Added.
1619         (testFunction):
1620         (testEmpty):
1621         (makeObject):
1622         (otherIterator.return.next):
1623         (otherIterator):
1624         (totalIter):
1625         (throwingIter.return.next):
1626         (throwingIter):
1627         (i.catch):
1628
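The two behaviours the entry above describes, spread in any argument position and spread driven by Symbol.iterator rather than by length, can be checked from script. The following is an added example, not code from the patch or from spread-calling.js: it runs spread calls against the host engine, including an array-like with no iterator and an iterator that throws midway, and writes out by hand the foo(...[...a, b, ...c, d]) desugaring the entry describes so that it can be compared with the native call. All iterables, helper names and the `{ spread: ... }` marker are this example's own.

```javascript
// Added example: ES2015 spread-call semantics against the host engine, plus the
// foo(...a, b, ...c, d) -> foo(...[...a, b, ...c, d]) desugaring written out by hand.
// Every iterable below is constructed for this demo.

function collect(...args) {
  return args;
}

// Spread may appear in any argument position, mixed with plain arguments.
function spreadInAnyPosition() {
  const a = [1, 2];
  const c = new Set([4, 5]);
  return collect(...a, 3, ...c, 6); // [1, 2, 3, 4, 5, 6]
}

// Spread consults Symbol.iterator, not .length: this iterator yields values that are
// not indexed properties of the object at all.
function spreadUsesIterator() {
  const source = {
    length: 1,
    0: "indexed",
    [Symbol.iterator]() {
      let i = 0;
      return {
        next: () => (i < 3 ? { value: i++ * 10, done: false } : { value: undefined, done: true }),
      };
    },
  };
  return collect(...source); // [0, 10, 20], not ["indexed"]
}

// An array-like without Symbol.iterator is not spreadable: TypeError before the callee runs.
function spreadArrayLike() {
  const arrayLike = { 0: "a", 1: "b", length: 2 };
  let calleeRan = false;
  try {
    ((...xs) => { calleeRan = true; return xs; })(...arrayLike);
    return "called";
  } catch (e) {
    return e instanceof TypeError && !calleeRan ? "TypeError" : "other";
  }
}

// An iterator that throws midway: the exception propagates and the callee is never entered.
function spreadThrowingIterator() {
  const source = {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          if (i++ === 2) throw new RangeError("iterator failed");
          return { value: i, done: false };
        },
      };
    },
  };
  let calleeRan = false;
  try {
    ((...xs) => { calleeRan = true; return xs; })(1, ...source);
    return "called";
  } catch (e) {
    return e instanceof RangeError && !calleeRan ? "RangeError" : "other";
  }
}

// Manual desugaring: each part is either { spread: iterable } or a plain value. The inner
// array is built through Symbol.iterator (for-of), then applied with a single spread.
function desugaredCall(fn, parts) {
  const flat = [];
  for (const part of parts) {
    if (part !== null && typeof part === "object" && "spread" in part) {
      for (const v of part.spread) flat.push(v);
    } else {
      flat.push(part);
    }
  }
  return fn(...flat);
}

// Returns the desugared result when it matches the native call, null otherwise.
function desugaredMatchesNative() {
  const a = [1, 2];
  const c = "xy"; // strings are iterable, so they spread to their code points
  const viaDesugar = desugaredCall(collect, [{ spread: a }, 3, { spread: c }, 4]);
  const native = collect(...a, 3, ...c, 4);
  return JSON.stringify(viaDesugar) === JSON.stringify(native) ? viaDesugar : null;
}
```

The last two functions show the cost the entry mentions: the desugared form builds an intermediate array and copies every element once more before the call, in exchange for leaving the calling convention alone.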
1629 2016-02-17  Brian Burg  <bburg@apple.com>
1630
1631         Remove a wrong cast in RemoteInspector::receivedSetupMessage
1632         https://bugs.webkit.org/show_bug.cgi?id=154361
1633         <rdar://problem/24709281>
1634
1635         Reviewed by Joseph Pecoraro.
1636
1637         * inspector/remote/RemoteInspector.mm:
1638         (Inspector::RemoteInspector::receivedSetupMessage):
1639         Not only is this cast unnecessary (the constructor accepts the base class),
1640         but it is wrong since the target could be an automation target. Remove it.
1641
1642 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
1643
1644         Rename FTLB3Blah to FTLBlah
1645         https://bugs.webkit.org/show_bug.cgi?id=154365
1646
1647         Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
1648
1649         * CMakeLists.txt:
1650         * JavaScriptCore.xcodeproj/project.pbxproj:
1651         * ftl/FTLB3Compile.cpp: Removed.
1652         * ftl/FTLB3Output.cpp: Removed.
1653         * ftl/FTLB3Output.h: Removed.
1654         * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
1655         * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
1656         * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
1657
1658 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
1659
1660         Remove LLVM dependencies from WebKit
1661         https://bugs.webkit.org/show_bug.cgi?id=154323
1662
1663         Reviewed by Antti Koivisto and Benjamin Poulain.
1664
1665         We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
1666         LLVM-related code dead, including the disassembler, which was only reachable when you were on
1667         a platform that already had an in-tree disassembler.
1668
1669         * CMakeLists.txt:
1670         * JavaScriptCore.xcodeproj/project.pbxproj:
1671         * dfg/DFGCommon.h:
1672         * dfg/DFGPlan.cpp:
1673         (JSC::DFG::Plan::compileInThread):
1674         (JSC::DFG::Plan::compileInThreadImpl):
1675         (JSC::DFG::Plan::compileTimeStats):
1676         * disassembler/ARM64Disassembler.cpp:
1677         (JSC::tryToDisassemble):
1678         * disassembler/ARMv7Disassembler.cpp:
1679         (JSC::tryToDisassemble):
1680         * disassembler/Disassembler.cpp:
1681         (JSC::disassemble):
1682         (JSC::disassembleAsynchronously):
1683         * disassembler/Disassembler.h:
1684         (JSC::tryToDisassemble):
1685         * disassembler/LLVMDisassembler.cpp: Removed.
1686         * disassembler/LLVMDisassembler.h: Removed.
1687         * disassembler/UDis86Disassembler.cpp:
1688         (JSC::tryToDisassembleWithUDis86):
1689         * disassembler/UDis86Disassembler.h:
1690         (JSC::tryToDisassembleWithUDis86):
1691         * disassembler/X86Disassembler.cpp:
1692         (JSC::tryToDisassemble):
1693         * ftl/FTLAbbreviatedTypes.h:
1694         * ftl/FTLAbbreviations.h: Removed.
1695         * ftl/FTLAbstractHeap.cpp:
1696         (JSC::FTL::AbstractHeap::decorateInstruction):
1697         (JSC::FTL::AbstractHeap::dump):
1698         (JSC::FTL::AbstractField::dump):
1699         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
1700         (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
1701         (JSC::FTL::IndexedAbstractHeap::baseIndex):
1702         (JSC::FTL::IndexedAbstractHeap::dump):
1703         (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
1704         (JSC::FTL::NumberedAbstractHeap::dump):
1705         (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
1706         (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
1707         * ftl/FTLAbstractHeap.h:
1708         (JSC::FTL::AbstractHeap::AbstractHeap):
1709         (JSC::FTL::AbstractHeap::heapName):
1710         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
1711         (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
1712         (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
1713         (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
1714         * ftl/FTLAbstractHeapRepository.cpp:
1715         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
1716         * ftl/FTLAbstractHeapRepository.h:
1717         * ftl/FTLB3Compile.cpp:
1718         * ftl/FTLB3Output.cpp:
1719         (JSC::FTL::Output::Output):
1720         (JSC::FTL::Output::check):
1721         (JSC::FTL::Output::load):
1722         (JSC::FTL::Output::store):
1723         * ftl/FTLB3Output.h:
1724         * ftl/FTLCommonValues.cpp:
1725         (JSC::FTL::CommonValues::CommonValues):
1726         (JSC::FTL::CommonValues::initializeConstants):
1727         * ftl/FTLCommonValues.h:
1728         (JSC::FTL::CommonValues::initialize): Deleted.
1729         * ftl/FTLCompile.cpp: Removed.
1730         * ftl/FTLCompileBinaryOp.cpp: Removed.
1731         * ftl/FTLCompileBinaryOp.h: Removed.
1732         * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
1733         * ftl/FTLDWARFDebugLineInfo.h: Removed.
1734         * ftl/FTLDWARFRegister.cpp: Removed.
1735         * ftl/FTLDWARFRegister.h: Removed.
1736         * ftl/FTLDataSection.cpp: Removed.
1737         * ftl/FTLDataSection.h: Removed.
1738         * ftl/FTLExceptionHandlerManager.cpp: Removed.
1739         * ftl/FTLExceptionHandlerManager.h: Removed.
1740         * ftl/FTLExceptionTarget.cpp:
1741         * ftl/FTLExceptionTarget.h:
1742         * ftl/FTLExitThunkGenerator.cpp: Removed.
1743         * ftl/FTLExitThunkGenerator.h: Removed.
1744         * ftl/FTLFail.cpp:
1745         (JSC::FTL::fail):
1746         * ftl/FTLInlineCacheDescriptor.h: Removed.
1747         * ftl/FTLInlineCacheSize.cpp: Removed.
1748         * ftl/FTLInlineCacheSize.h: Removed.
1749         * ftl/FTLIntrinsicRepository.cpp: Removed.
1750         * ftl/FTLIntrinsicRepository.h: Removed.
1751         * ftl/FTLJITCode.cpp:
1752         (JSC::FTL::JITCode::~JITCode):
1753         (JSC::FTL::JITCode::initializeB3Code):
1754         (JSC::FTL::JITCode::initializeB3Byproducts):
1755         (JSC::FTL::JITCode::initializeAddressForCall):
1756         (JSC::FTL::JITCode::contains):
1757         (JSC::FTL::JITCode::ftl):
1758         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1759         (JSC::FTL::JITCode::initializeExitThunks): Deleted.
1760         (JSC::FTL::JITCode::addHandle): Deleted.
1761         (JSC::FTL::JITCode::addDataSection): Deleted.
1762         (JSC::FTL::JITCode::exitThunks): Deleted.
1763         * ftl/FTLJITCode.h:
1764         (JSC::FTL::JITCode::b3Code):
1765         (JSC::FTL::JITCode::handles): Deleted.
1766         (JSC::FTL::JITCode::dataSections): Deleted.
1767         * ftl/FTLJITFinalizer.cpp:
1768         (JSC::FTL::JITFinalizer::codeSize):
1769         (JSC::FTL::JITFinalizer::finalizeFunction):
1770         * ftl/FTLJITFinalizer.h:
1771         * ftl/FTLJSCall.cpp: Removed.
1772         * ftl/FTLJSCall.h: Removed.
1773         * ftl/FTLJSCallBase.cpp: Removed.
1774         * ftl/FTLJSCallBase.h: Removed.
1775         * ftl/FTLJSCallVarargs.cpp: Removed.
1776         * ftl/FTLJSCallVarargs.h: Removed.
1777         * ftl/FTLJSTailCall.cpp: Removed.
1778         * ftl/FTLJSTailCall.h: Removed.
1779         * ftl/FTLLazySlowPath.cpp:
1780         (JSC::FTL::LazySlowPath::LazySlowPath):
1781         (JSC::FTL::LazySlowPath::generate):
1782         * ftl/FTLLazySlowPath.h:
1783         (JSC::FTL::LazySlowPath::createGenerator):
1784         (JSC::FTL::LazySlowPath::patchableJump):
1785         (JSC::FTL::LazySlowPath::done):
1786         (JSC::FTL::LazySlowPath::usedRegisters):
1787         (JSC::FTL::LazySlowPath::callSiteIndex):
1788         (JSC::FTL::LazySlowPath::stub):
1789         (JSC::FTL::LazySlowPath::patchpoint): Deleted.
1790         * ftl/FTLLink.cpp:
1791         (JSC::FTL::link):
1792         * ftl/FTLLocation.cpp:
1793         (JSC::FTL::Location::forValueRep):
1794         (JSC::FTL::Location::dump):
1795         (JSC::FTL::Location::forStackmaps): Deleted.
1796         * ftl/FTLLocation.h:
1797         (JSC::FTL::Location::forRegister):
1798         (JSC::FTL::Location::forIndirect):
1799         (JSC::FTL::Location::forConstant):
1800         (JSC::FTL::Location::kind):
1801         (JSC::FTL::Location::hasReg):
1802         * ftl/FTLLowerDFGToLLVM.cpp:
1803         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
1804         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1805         (JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
1806         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1807         (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
1808         (JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
1809         (JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
1810         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
1811         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
1812         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1813         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
1814         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
1815         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
1816         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
1817         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
1818         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
1819         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
1820         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
1821         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
1822         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
1823         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
1824         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
1825         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
1826         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
1827         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1828         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
1829         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
1830         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
1831         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
1832         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
1833         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
1834         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
1835         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
1836         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
1837         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
1838         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
1839         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1840         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
1841         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
1842         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
1843         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
1844         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
1845         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
1846         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
1847         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
1848         (JSC::FTL::DFG::LowerDFGToLLVM::probe):
1849         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
1850         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
1851         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
1852         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
1853         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
1854         * ftl/FTLOSRExit.cpp:
1855         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
1856         (JSC::FTL::OSRExitDescriptor::validateReferences):
1857         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
1858         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
1859         (JSC::FTL::OSRExit::OSRExit):
1860         (JSC::FTL::OSRExit::codeLocationForRepatch):
1861         (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
1862         (JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
1863         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
1864         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
1865         (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
1866         (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
1867         * ftl/FTLOSRExit.h:
1868         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
1869         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
1870         * ftl/FTLOSRExitCompilationInfo.h: Removed.
1871         * ftl/FTLOSRExitCompiler.cpp:
1872         (JSC::FTL::compileRecovery):
1873         (JSC::FTL::compileStub):
1874         (JSC::FTL::compileFTLOSRExit):
1875         * ftl/FTLOSRExitHandle.cpp:
1876         * ftl/FTLOSRExitHandle.h:
1877         * ftl/FTLOutput.cpp: Removed.
1878         * ftl/FTLOutput.h: Removed.
1879         * ftl/FTLPatchpointExceptionHandle.cpp:
1880         * ftl/FTLPatchpointExceptionHandle.h:
1881         * ftl/FTLStackMaps.cpp: Removed.
1882         * ftl/FTLStackMaps.h: Removed.
1883         * ftl/FTLState.cpp:
1884         (JSC::FTL::State::State):
1885         (JSC::FTL::State::~State):
1886         (JSC::FTL::State::dumpState): Deleted.
1887         * ftl/FTLState.h:
1888         * ftl/FTLUnwindInfo.cpp: Removed.
1889         * ftl/FTLUnwindInfo.h: Removed.
1890         * ftl/FTLValueRange.cpp:
1891         (JSC::FTL::ValueRange::decorateInstruction):
1892         * ftl/FTLValueRange.h:
1893         (JSC::FTL::ValueRange::ValueRange):
1894         (JSC::FTL::ValueRange::begin):
1895         (JSC::FTL::ValueRange::end):
1896         * ftl/FTLWeight.h:
1897         (JSC::FTL::Weight::value):
1898         (JSC::FTL::Weight::frequencyClass):
1899         (JSC::FTL::Weight::scaleToTotal):
1900         * llvm/InitializeLLVM.cpp: Removed.
1901         * llvm/InitializeLLVM.h: Removed.
1902         * llvm/InitializeLLVMMac.cpp: Removed.
1903         * llvm/InitializeLLVMPOSIX.cpp: Removed.
1904         * llvm/InitializeLLVMPOSIX.h: Removed.
1905         * llvm/LLVMAPI.cpp: Removed.
1906         * llvm/LLVMAPI.h: Removed.
1907         * llvm/LLVMAPIFunctions.h: Removed.
1908         * llvm/LLVMHeaders.h: Removed.
1909         * llvm/library/LLVMAnchor.cpp: Removed.
1910         * llvm/library/LLVMExports.cpp: Removed.
1911         * llvm/library/LLVMOverrides.cpp: Removed.
1912         * llvm/library/config_llvm.h: Removed.
1913
1914 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
1915
1916         [JSC] Remove the overflow check on ArithAbs when possible
1917         https://bugs.webkit.org/show_bug.cgi?id=154325
1918
1919         Reviewed by Filip Pizlo.
1920
1921         This patch adds support for ArithMode for ArithAbs.
1922
1923         It is useful for kraken tests where Math.abs() is used
1924         on values for which the range is known.
1925
1926         For example, imaging-gaussian-blur has two Math.abs() with
1927         integers that are always in a small range around zero.
1928         The IntegerRangeOptimizationPhase detects the range correctly
1929         so we can just update the ArithMode depending on the input.
1930
1931         * dfg/DFGFixupPhase.cpp:
1932         (JSC::DFG::FixupPhase::fixupNode):
1933         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1934         * dfg/DFGNode.h:
1935         (JSC::DFG::Node::convertToArithNegate):
1936         (JSC::DFG::Node::hasArithMode):
1937         * dfg/DFGSpeculativeJIT64.cpp:
1938         (JSC::DFG::SpeculativeJIT::compile):
1939         * ftl/FTLLowerDFGToLLVM.cpp:
1940         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
1941         * tests/stress/arith-abs-integer-range-optimization.js: Added.
1942         (negativeRange):
1943         (negativeRangeIncludingZero):
1944         (negativeRangeWithOverflow):
1945         (positiveRange):
1946         (positiveRangeIncludingZero):
1947         (rangeWithoutOverflow):
1948         * tests/stress/arith-abs-with-bitwise-or-zero.js: Added.
1949         (opaqueAbs):
1950
1951 2016-02-17  Chris Dumez  <cdumez@apple.com>
1952
1953         SES selftest page crashes on nightly r196694
1954         https://bugs.webkit.org/show_bug.cgi?id=154350
1955         <rdar://problem/24704334>
1956
1957         Reviewed by Mark Lam.
1958
1959         SES selftest page crashes after r196001 / r196145 when calling
1960         Object.getOwnPropertyDescriptor(window, "length") after the window
1961         has been reified and "length" has been shadowed by a value property.
1962
1963         It was crashing in JSObject::getOwnPropertyDescriptor() because
1964         we are getting a slot that has attribute "CustomAccessor" but
1965         the property is not a CustomGetterSetter. In this case, since
1966         window.length is [Replaceable] and has been set to a numeric value,
1967         it follows that the property is not a CustomGetterSetter. However,
1968         the "CustomAccessor" attribute should have been dropped from the
1969         slot when window.length was shadowed. Therefore, this code path
1970         should not be exercised at all when calling
1971         getOwnPropertyDescriptor().
1972
1973         The issue was that putDirectInternal() was updating the slot
1974         attributes only if the "Accessor" flag has changed, but not
1975         the "customAccessor" flag. This patch fixes the issue.
1976
1977         * runtime/JSObject.h:
1978         (JSC::JSObject::putDirectInternal):
1979
1980 2016-02-17  Saam barati  <sbarati@apple.com>
1981
1982         Implement Proxy [[Get]]
1983         https://bugs.webkit.org/show_bug.cgi?id=154081
1984
1985         Reviewed by Michael Saboff.
1986
1987         This patch implements ProxyObject and ProxyConstructor. Their
1988         implementations are straightforward and follow the spec.
1989         The largest change in this patch is adding a second parameter
1990         to PropertySlot's constructor that specifies the internal method type of
1991         the getOwnPropertySlot inquiry. We use getOwnPropertySlot to 
1992         implement more than one Internal Method in the spec. Because 
1993         of this, we need InternalMethodType to give us context about 
1994         which Internal Method we're executing. Specifically, Proxy will 
1995         call into different handlers based on this information.
1996
1997         InternalMethodType is an enum with the following values:
1998         - Get
1999           This corresponds to [[Get]] internal method in the spec.
2000         - GetOwnProperty
2001           This corresponds to [[GetOwnProperty]] internal method in the spec.
2002         - HasProperty
2003           This corresponds to [[HasProperty]] internal method in the spec.
2004         - VMInquiry
2005           This is basically everything else that isn't one of the above
2006           types. This value also mandates that getOwnPropertySlot does
2007           not perform any user observable effects. I.e., it can't call
2008           a JS function.
2009
2010         The other non-VMInquiry InternalMethodTypes are allowed to perform user
2011         observable effects. I.e., in future patches, ProxyObject will implement
2012         InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty, which will both be defined
2013         to call user defined JS functions, which clearly have the right to perform
2014         user observable effects.
2015
2016         This patch implements getOwnPropertySlot of ProxyObject under
2017         InternalMethodType::Get. 
2018
2019         * API/JSCallbackObjectFunctions.h:
2020         (JSC::JSCallbackObject<Parent>::put):
2021         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2022         * CMakeLists.txt:
2023         * JavaScriptCore.xcodeproj/project.pbxproj:
2024         * debugger/DebuggerScope.cpp:
2025         (JSC::DebuggerScope::caughtValue):
2026         * interpreter/Interpreter.cpp:
2027         (JSC::Interpreter::execute):
2028         * jit/JITOperations.cpp:
2029         * llint/LLIntSlowPaths.cpp:
2030         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2031         * runtime/ArrayPrototype.cpp:
2032         (JSC::getProperty):
2033         * runtime/CommonIdentifiers.h:
2034         * runtime/JSCJSValueInlines.h:
2035         (JSC::JSValue::get):
2036         * runtime/JSFunction.cpp:
2037         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2038         (JSC::JSFunction::put):
2039         (JSC::JSFunction::defineOwnProperty):
2040         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2041         (JSC::constructGenericTypedArrayViewWithArguments):
2042         * runtime/JSGlobalObject.cpp:
2043         (JSC::JSGlobalObject::init):
2044         (JSC::JSGlobalObject::defineOwnProperty):
2045         * runtime/JSGlobalObject.h:
2046         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
2047         (JSC::JSGlobalObject::moduleRecordStructure):
2048         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
2049         (JSC::JSGlobalObject::proxyObjectStructure):
2050         (JSC::JSGlobalObject::wasmModuleStructure):
2051         * runtime/JSModuleEnvironment.cpp:
2052         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2053         * runtime/JSModuleNamespaceObject.cpp:
2054         (JSC::callbackGetter):
2055         * runtime/JSONObject.cpp:
2056         (JSC::Stringifier::Holder::appendNextProperty):
2057         (JSC::Walker::walk):
2058         * runtime/JSObject.cpp:
2059         (JSC::JSObject::calculatedClassName):
2060         (JSC::JSObject::putDirectNonIndexAccessor):
2061         (JSC::JSObject::hasProperty):
2062         (JSC::JSObject::deleteProperty):
2063         (JSC::JSObject::hasOwnProperty):
2064         (JSC::JSObject::getOwnPropertyDescriptor):
2065         * runtime/JSObject.h:
2066         (JSC::JSObject::getDirectIndex):
2067         (JSC::JSObject::get):
2068         * runtime/JSScope.cpp:
2069         (JSC::abstractAccess):
2070         * runtime/ObjectConstructor.cpp:
2071         (JSC::toPropertyDescriptor):
2072         * runtime/ObjectPrototype.cpp:
2073         (JSC::objectProtoFuncLookupGetter):
2074         (JSC::objectProtoFuncLookupSetter):
2075         (JSC::objectProtoFuncToString):
2076         * runtime/PropertySlot.h:
2077         (JSC::attributesForStructure):
2078         (JSC::PropertySlot::PropertySlot):
2079         (JSC::PropertySlot::isCacheableGetter):
2080         (JSC::PropertySlot::isCacheableCustom):
2081         (JSC::PropertySlot::internalMethodType):
2082         (JSC::PropertySlot::disableCaching):
2083         (JSC::PropertySlot::getValue):
2084         * runtime/ProxyConstructor.cpp: Added.
2085         (JSC::ProxyConstructor::create):
2086         (JSC::ProxyConstructor::ProxyConstructor):
2087         (JSC::ProxyConstructor::finishCreation):
2088         (JSC::constructProxyObject):
2089         (JSC::ProxyConstructor::getConstructData):
2090         (JSC::ProxyConstructor::getCallData):
2091         * runtime/ProxyConstructor.h: Added.
2092         (JSC::ProxyConstructor::createStructure):
2093         * runtime/ProxyObject.cpp: Added.
2094         (JSC::ProxyObject::ProxyObject):
2095         (JSC::ProxyObject::finishCreation):
2096         (JSC::performProxyGet):
2097         (JSC::ProxyObject::getOwnPropertySlotCommon):
2098         (JSC::ProxyObject::getOwnPropertySlot):
2099         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2100         (JSC::ProxyObject::visitChildren):
2101         * runtime/ProxyObject.h: Added.
2102         (JSC::ProxyObject::create):
2103         (JSC::ProxyObject::createStructure):
2104         (JSC::ProxyObject::target):
2105         (JSC::ProxyObject::handler):
2106         * runtime/ReflectObject.cpp:
2107         (JSC::reflectObjectGet):
2108         * runtime/SamplingProfiler.cpp:
2109         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
2110         * tests/es6.yaml:
2111         * tests/stress/proxy-basic.js: Added.
2112         (assert):
2113         (let.handler.get null):
2114         (get let):
2115         (let.handler.get switch):
2116         (let.handler):
2117         (let.theTarget.get x):
2118         * tests/stress/proxy-in-proto-chain.js: Added.
2119         (assert):
2120         * tests/stress/proxy-of-a-proxy.js: Added.
2121         (assert):
2122         (throw.new.Error.):
2123         * tests/stress/proxy-property-descriptor.js: Added.
2124         (assert):
2125         (set Object):
2126         * wasm/WASMModuleParser.cpp:
2127         (JSC::WASMModuleParser::getImportedValue):
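
As an added example (not part of the WebKit patch or its proxy-*.js tests), the following JavaScript shows what the [[Get]] trap described above makes user observable: a plain read through a Proxy runs handler code, the trap is also reached when the Proxy sits on a prototype chain or wraps another Proxy, and the handler can answer with values the target never held. Helper names are the example's own.

```javascript
// Added example (not from the WebKit patch or its tests): what the Proxy
// [[Get]] trap makes user observable. Every read that reaches a Proxy runs
// handler JavaScript, so the engine cannot treat it as a side-effect-free
// VM inquiry. Helper names here are the example's own.

function makeLoggingProxy(target, label, log) {
  return new Proxy(target, {
    // [[Get]] trap: runs for proxy.prop, proxy[prop] and Reflect.get(proxy, prop).
    get(t, prop, receiver) {
      log.push(`${label}.get(${String(prop)})`);
      return Reflect.get(t, prop, receiver);
    },
  });
}

// Case 1: a plain property read on the proxy runs the trap.
function directRead() {
  const log = [];
  const p = makeLoggingProxy({ x: 42 }, "p", log);
  const value = p.x;
  return { value, log };
}

// Case 2: a Proxy on the prototype chain is consulted only when the own
// lookup misses, and `receiver` is the object the read started from.
function protoChainRead() {
  const log = [];
  const receivers = [];
  const protoProxy = new Proxy({ y: "from proto" }, {
    get(t, prop, receiver) {
      log.push(`proto.get(${String(prop)})`);
      receivers.push(receiver);
      return Reflect.get(t, prop, receiver);
    },
  });
  const child = Object.create(protoProxy);
  Object.defineProperty(child, "own", { value: 1, enumerable: true });
  const ownValue = child.own;   // own data property: no trap involved
  const protoValue = child.y;   // misses on child: trap runs, receiver === child
  return { ownValue, protoValue, log, receiverIsChild: receivers[0] === child };
}

// Case 3: a Proxy wrapping a Proxy runs both traps, outermost first.
function nestedRead() {
  const log = [];
  const inner = makeLoggingProxy({ z: "deep" }, "inner", log);
  const outer = makeLoggingProxy(inner, "outer", log);
  const value = outer.z;
  return { value, log };
}

// Case 4: the trap may answer with a value the target never held (the Proxy
// invariant checks only constrain non-configurable target properties), which
// is why a read through a Proxy cannot be treated as ordinary property storage.
function fabricatedRead() {
  const p = new Proxy({}, { get: (t, prop) => `fabricated:${String(prop)}` });
  return p.anything;
}
```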
2128
2129 2016-02-17  Mark Lam  <mark.lam@apple.com>
2130
2131         StringPrototype functions should check for exceptions after calling JSString::value().
2132         https://bugs.webkit.org/show_bug.cgi?id=154340
2133
2134         Reviewed by Filip Pizlo.
2135
2136         JSString::value() can throw an exception if the JS string is a rope and value()
2137         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
2138         able to resolve the rope, it will return a null string (in addition to throwing
2139         the exception).  If StringPrototype functions do not check for exceptions after
2140         calling JSString::value(), they may eventually use the returned null string and
2141         crash the VM.
2142
2143         The fix is to add all the necessary exception checks, and do the appropriate
2144         handling if needed.
2145
2146         Also, in a few places where, when an exception is detected, we return JSValue(), I
2147         changed it to return jsUndefined() instead to be consistent with the rest of the
2148         file.
2149
2150         * runtime/StringPrototype.cpp:
2151         (JSC::replaceUsingRegExpSearch):
2152         (JSC::stringProtoFuncMatch):
2153         (JSC::stringProtoFuncSlice):
2154         (JSC::stringProtoFuncSplit):
2155         (JSC::stringProtoFuncLocaleCompare):
2156         (JSC::stringProtoFuncBig):
2157         (JSC::stringProtoFuncSmall):
2158         (JSC::stringProtoFuncBlink):
2159         (JSC::stringProtoFuncBold):
2160         (JSC::stringProtoFuncFixed):
2161         (JSC::stringProtoFuncItalics):
2162         (JSC::stringProtoFuncStrike):
2163         (JSC::stringProtoFuncSub):
2164         (JSC::stringProtoFuncSup):
2165         (JSC::stringProtoFuncFontcolor):
2166         (JSC::stringProtoFuncFontsize):
2167         (JSC::stringProtoFuncAnchor):
2168         (JSC::stringProtoFuncLink):
2169         (JSC::trimString):
2170
2171 2016-02-17  Commit Queue  <commit-queue@webkit.org>
2172
2173         Unreviewed, rolling out r196675.
2174         https://bugs.webkit.org/show_bug.cgi?id=154344
2175
2176         "Causes major slowdowns on deltablue-varargs" (Requested by
2177         keith_miller on #webkit).
2178
2179         Reverted changeset:
2180
2181         "Spread operator should be allowed when not the first argument
2182         of parameter list"
2183         https://bugs.webkit.org/show_bug.cgi?id=152721
2184         http://trac.webkit.org/changeset/196675
2185
2186 2016-02-17  Gavin Barraclough  <barraclough@apple.com>
2187
2188         JSDOMWindow::put should not do the same thing twice
2189         https://bugs.webkit.org/show_bug.cgi?id=154334
2190
2191         Reviewed by Chris Dumez.
2192
2193         It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
2194         In the latter case it might call lookupPut. That's redundant; JSObject::put handles static
2195         table entries.
2196
2197         * runtime/JSGlobalObject.h:
2198         (JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.
2199             - no longer needed.
2200
2201 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2202
2203         FTL_USES_B3 should be unconditionally true
2204         https://bugs.webkit.org/show_bug.cgi?id=154324
2205
2206         Reviewed by Benjamin Poulain.
2207
2208         * dfg/DFGCommon.h:
2209
2210 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2211
2212         FTL should support CompareEq(String:, String:)
2213         https://bugs.webkit.org/show_bug.cgi?id=154269
2214         rdar://problem/24499921
2215
2216         Reviewed by Benjamin Poulain.
2217
2218         Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
2219         think we should land the increased coverage first and fix the issues after, especially since
2220         the regression is so small and doesn't have a statistically significant effect on the overall
2221         score.
2222
2223         * ftl/FTLCapabilities.cpp:
2224         (JSC::FTL::canCompile):
2225         * ftl/FTLLowerDFGToLLVM.cpp:
2226         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
2227         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
2228         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
2229         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
2230         * tests/stress/ftl-string-equality.js: Added.
2231         * tests/stress/ftl-string-ident-equality.js: Added.
2232         * tests/stress/ftl-string-strict-equality.js: Added.
2233
2234 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2235
2236         FTL should support NewTypedArray
2237         https://bugs.webkit.org/show_bug.cgi?id=154268
2238
2239         Reviewed by Saam Barati.
2240
2241         3% speed-up on pdfjs. This was already covered by many different tests.
2242
2243         Rolling this back in after fixing the butterfly argument.
2244
2245         * ftl/FTLCapabilities.cpp:
2246         (JSC::FTL::canCompile):
2247         * ftl/FTLLowerDFGToLLVM.cpp:
2248         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2249         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
2250         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
2251         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
2252         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
2253         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
2254         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
2255
2256 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
2257
2258         JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
2259         https://bugs.webkit.org/show_bug.cgi?id=154257
2260
2261         Reviewed by Chris Dumez.
2262
2263         * runtime/Lookup.h:
2264         (JSC::getStaticPropertySlot):
2265         (JSC::getStaticFunctionSlot):
2266         (JSC::getStaticValueSlot):
2267             - this could all do with a little more love.
2268               But enforce the basic precedence:
2269                 (1) regular storage properties always win over static table properties.
2270                 (2) if properties have been reified, don't consult the static tables.
2271                 (3) only if the property is not present on the object & not reified
2272                     should the static hashtable be consulted.
2273
2274 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
2275
2276         JSDOMWindow::getOwnPropertySlot should not search proto chain
2277         https://bugs.webkit.org/show_bug.cgi?id=154102
2278
2279         Reviewed by Chris Dumez.
2280
2281         Should only return *own* properties.
2282
2283         * runtime/JSObject.cpp:
2284         (JSC::JSObject::getOwnPropertyDescriptor):
2285             - remove hack/special-case for DOMWindow; we no longer need this.
2286
2287 2016-02-16  Keith Miller  <keith_miller@apple.com>
2288
2289         Spread operator should be allowed when not the first argument of parameter list
2290         https://bugs.webkit.org/show_bug.cgi?id=152721
2291
2292         Reviewed by Saam Barati.
2293
2294         Spread arguments to functions should now be ES6 compliant. Before we
2295         would only take a spread operator if it was the sole argument to a
2296         function. Additionally, we would not use the Symbol.iterator on the
2297         object to generate the arguments. Instead we would do a loop up to the
2298         length mapping indexed properties to the corresponding argument. We fix
2299         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
2300         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
2301         old spread semantics). This solution has the downside of requiring the
2302         allocation of another object and copying each element twice but avoids a
2303         large change to the vm calling convention.
2304
2305         * interpreter/Interpreter.cpp:
2306         (JSC::loadVarargs):
2307         * parser/ASTBuilder.h:
2308         (JSC::ASTBuilder::createElementList):
2309         * parser/Parser.cpp:
2310         (JSC::Parser<LexerType>::parseArguments):
2311         (JSC::Parser<LexerType>::parseArgument):
2312         (JSC::Parser<LexerType>::parseMemberExpression):
2313         * parser/Parser.h:
2314         * parser/SyntaxChecker.h:
2315         (JSC::SyntaxChecker::createElementList):
2316         * tests/es6.yaml:
2317         * tests/stress/spread-calling.js: Added.
2318         (testFunction):
2319         (testEmpty):
2320         (makeObject):
2321         (otherIterator.return.next):
2322         (otherIterator):
2323         (totalIter):
2324         (throwingIter.return.next):
2325         (throwingIter):
2326         (i.catch):
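
As an added example (not from the WebKit patch or its spread-calling.js test), this JavaScript contrasts the two argument-spreading behaviours the entry describes: the old expansion that walked `length` and indexed properties, against ES6 spreading, which uses `Symbol.iterator`, works in any argument position (the foo(...a, b, ...c, d) to foo(...[...a, b, ...c, d]) rewrite), and surfaces an iterator exception before the callee runs. Helper names are the example's own.

```javascript
// Added example (not from the WebKit patch or its spread-calling.js test):
// ES6 spread arguments versus the older length-based expansion the entry
// describes. Helper names are the example's own.

// Emulates the pre-fix behaviour: ignore Symbol.iterator and copy the
// indexed properties 0..length-1 into the argument list.
function legacySpreadCall(fn, spreadArg) {
  const args = [];
  for (let i = 0; i < spreadArg.length; i++) args.push(spreadArg[i]);
  return fn.apply(undefined, args);
}

// ES6 behaviour: the argument list is built by walking Symbol.iterator.
function es6SpreadCall(fn, spreadArg) {
  return fn(...spreadArg);
}

// Returns the arguments it received, so the two expansions can be compared.
function collect(...args) {
  return args;
}

// An object whose iteration protocol disagrees with its indexed properties:
// length says 2, but its iterator yields three values.
const oddObject = {
  length: 2,
  0: "idx0",
  1: "idx1",
  [Symbol.iterator]() {
    let i = 0;
    return {
      next: () =>
        i < 3 ? { value: `iter${i++}`, done: false } : { value: undefined, done: true },
    };
  },
};

// Spread in a non-leading position, mirroring foo(...a, b, ...c, d) being
// rewritten to foo(...[...a, b, ...c, d]): both forms yield one flat list.
function mixedPositionSpread(a, b, c, d) {
  const direct = collect(...a, b, ...c, d);
  const desugared = collect(...[...a, b, ...c, d]);
  return { direct, desugared };
}

// An iterator that throws on its second step: the exception surfaces while
// the argument list is being built, so the callee never runs.
function throwingIteratorCall() {
  let calleeRan = false;
  const callee = (...args) => {
    calleeRan = true;
    return args;
  };
  const throwing = {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          if (i++ === 1) throw new Error("iterator failed");
          return { value: "first", done: false };
        },
      };
    },
  };
  let message = null;
  try {
    callee(1, ...throwing);
  } catch (e) {
    message = e.message;
  }
  return { calleeRan, message };
}
```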
2327
2328 2016-02-16  Benjamin Poulain  <bpoulain@apple.com>
2329
2330         [JSC] Enable B3 on ARM64
2331         https://bugs.webkit.org/show_bug.cgi?id=154275
2332
2333         Reviewed by Mark Lam.
2334
2335         The port passes more tests than LLVM now, let's use it by default.
2336
2337         * dfg/DFGCommon.h:
2338
2339 2016-02-16  Commit Queue  <commit-queue@webkit.org>
2340
2341         Unreviewed, rolling out r196652.
2342         https://bugs.webkit.org/show_bug.cgi?id=154315
2343
2344         This change caused LayoutTest crashes (Requested by ryanhaddad
2345         on #webkit).
2346
2347         Reverted changeset:
2348
2349         "FTL should support NewTypedArray"
2350         https://bugs.webkit.org/show_bug.cgi?id=154268
2351         http://trac.webkit.org/changeset/196652
2352
2353 2016-02-16  Brian Burg  <bburg@apple.com>
2354
2355         RemoteInspector should forward new automation session requests to its client
2356         https://bugs.webkit.org/show_bug.cgi?id=154260
2357         <rdar://problem/24663313>
2358
2359         Reviewed by Timothy Hatcher.
2360
2361         * inspector/remote/RemoteInspector.h:
2362         * inspector/remote/RemoteInspector.mm:
2363         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2364         (Inspector::RemoteInspector::listingForAutomationTarget):
2365         Use the correct key for the session identifier in the listing. The name()
2366         override for RemoteAutomationTarget is actually the session identifier.
2367
2368         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
2369         * inspector/remote/RemoteInspectorConstants.h: Add new constants.
2370
2371 2016-02-16  Saam barati  <sbarati@apple.com>
2372
2373         SamplingProfiler still fails with ASan enabled
2374         https://bugs.webkit.org/show_bug.cgi?id=154301
2375         <rdar://problem/24679502>
2376
2377         Reviewed by Filip Pizlo.
2378
2379         To fix this issue, I've come up with unsafe versions
2380         of all operations that load memory from the thread's call
2381         frame. All these new unsafe methods are marked with SUPPRESS_ASAN.
2382
2383         * interpreter/CallFrame.cpp:
2384         (JSC::CallFrame::callSiteAsRawBits):
2385         (JSC::CallFrame::unsafeCallSiteAsRawBits):
2386         (JSC::CallFrame::callSiteIndex):
2387         (JSC::CallFrame::unsafeCallSiteIndex):
2388         (JSC::CallFrame::stack):
2389         (JSC::CallFrame::callerFrame):
2390         (JSC::CallFrame::unsafeCallerFrame):
2391         (JSC::CallFrame::friendlyFunctionName):
2392         * interpreter/CallFrame.h:
2393         (JSC::ExecState::calleeAsValue):
2394         (JSC::ExecState::callee):
2395         (JSC::ExecState::unsafeCallee):
2396         (JSC::ExecState::codeBlock):
2397         (JSC::ExecState::unsafeCodeBlock):
2398         (JSC::ExecState::scope):
2399         (JSC::ExecState::callerFrame):
2400         (JSC::ExecState::callerFrameOrVMEntryFrame):
2401         (JSC::ExecState::unsafeCallerFrameOrVMEntryFrame):
2402         (JSC::ExecState::callerFrameOffset):
2403         (JSC::ExecState::callerFrameAndPC):
2404         (JSC::ExecState::unsafeCallerFrameAndPC):
2405         * interpreter/Register.h:
2406         (JSC::Register::codeBlock):
2407         (JSC::Register::asanUnsafeCodeBlock):
2408         (JSC::Register::unboxedInt32):
2409         (JSC::Register::tag):
2410         (JSC::Register::unsafeTag):
2411         (JSC::Register::payload):
2412         * interpreter/VMEntryRecord.h:
2413         (JSC::VMEntryRecord::prevTopCallFrame):
2414         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
2415         (JSC::VMEntryRecord::prevTopVMEntryFrame):
2416         (JSC::VMEntryRecord::unsafePrevTopVMEntryFrame):
2417         * runtime/SamplingProfiler.cpp:
2418         (JSC::FrameWalker::walk):
2419         (JSC::FrameWalker::advanceToParentFrame):
2420         (JSC::FrameWalker::isAtTop):
2421         (JSC::FrameWalker::resetAtMachineFrame):
2422
2423 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2424
2425         FTL should support NewTypedArray
2426         https://bugs.webkit.org/show_bug.cgi?id=154268
2427
2428         Reviewed by Saam Barati.
2429
2430         3% speed-up on pdfjs. This was already covered by many different tests.
2431
2432         * ftl/FTLCapabilities.cpp:
2433         (JSC::FTL::canCompile):
2434         * ftl/FTLLowerDFGToLLVM.cpp:
2435         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2436         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
2437         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
2438         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
2439         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
2440         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
2441         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
2442
2443 2016-02-16  Saam barati  <sbarati@apple.com>
2444
2445         stress/sampling-profiler-deep-stack.js fails on ARM 32bit
2446         https://bugs.webkit.org/show_bug.cgi?id=154255
2447         <rdar://problem/24662996>
2448
2449         Reviewed by Mark Lam.
2450
2451         The bug here wasn't in the implementation of the sampling profiler 
2452         itself. Rather, it was a bug in the test. JSC wasn't spending a lot
2453         of time in a function that the test assumed a lot of time was spent in.
2454         That's because the DFG was doing a good job at optimizing the function
2455         at the leaf of the recursion. Because of that, we often wouldn't sample it.
2456         I fixed this by making the leaf function do more work.
2457
2458         * tests/stress/sampling-profiler-deep-stack.js:
2459         (platformSupportsSamplingProfiler.foo):
2460
2461 2016-02-16  Chris Dumez  <cdumez@apple.com>
2462
2463         [Web IDL] Operations should be on the instance for global objects or if [Unforgeable]
2464         https://bugs.webkit.org/show_bug.cgi?id=154120
2465         <rdar://problem/24613231>
2466
2467         Reviewed by Gavin Barraclough.
2468
2469         Have putEntry() take a thisValue parameter in addition to the base,
2470         instead of relying on PropertySlot::thisValue() because this did not
2471         always do the right thing. In particular, when JSDOMWindow::put() was
2472         called to set a function, it would end up setting the new value on the
2473         JSDOMWindowShell instead of the actual JSDOMWindow.
2474         JSDOMWindow::getOwnPropertySlot() would then not be able to find it.
2475         Therefore the following would fail:
2476         $ window.open = "test"
2477         $ console.log(window.open) // prints the native function instead of "test"
2478
2479         * runtime/JSObject.cpp:
2480         (JSC::JSObject::putInlineSlow):
2481         * runtime/Lookup.h:
2482         (JSC::putEntry):
2483         (JSC::lookupPut):
2484
2485 2016-02-16  Keith Miller  <keith_miller@apple.com>
2486
2487         ClonedArguments should not materialize its special properties unless they are being changed or deleted
2488         https://bugs.webkit.org/show_bug.cgi?id=154128
2489
2490         Reviewed by Filip Pizlo.
2491
2492         Before we would materialize ClonedArguments whenever they were being accessed.
2493         However this would cause the IC to miss every time as the structure for
2494         the arguments object would change as we went to IC it. Thus on the next
2495         function call we would miss the cache since the new arguments object
2496         would not have materialized the value.
2497
2498         * runtime/ClonedArguments.cpp:
2499         (JSC::ClonedArguments::getOwnPropertySlot):
2500         * tests/stress/cloned-arguments-modification.js: Added.
2501         (foo):
2502
2503 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2504
2505         FTL should support StringFromCharCode
2506         https://bugs.webkit.org/show_bug.cgi?id=154267
2507         rdar://problem/24192536
2508
2509         Reviewed by Mark Lam.
2510
2511         * dfg/DFGFixupPhase.cpp:
2512         (JSC::DFG::FixupPhase::fixupNode): Fix a bug preventing the UntypedUse from being effective.
2513         * ftl/FTLCapabilities.cpp:
2514         (JSC::FTL::canCompile):
2515         * ftl/FTLLowerDFGToLLVM.cpp:
2516         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2517         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringFromCharCode): Implement the opcode.
2518         * tests/stress/string-from-char-code-slow.js: Added.
2519
2520 2016-02-15  Benjamin Poulain  <bpoulain@apple.com>
2521
2522         [JSC] BranchAdd can override arguments of its stackmap
2523         https://bugs.webkit.org/show_bug.cgi?id=154274
2524
2525         Reviewed by Filip Pizlo.
2526
2527         With the 3 operands BranchAdd added in r196513, we can run into
2528         a register allocation such that the destination register is also
2529         used by a value in the stack map.
2530
2531         It used to be that BranchAdd was a 2 operand instruction.
2532         In that form, the destination is also one of the sources and
2533         can be recovered through Sub. There is no conflict between
2534         destination and the stackmap.
2535
2536         After r196513, the destination has its own value. It is uncommon
2537         on x86 because of the aggressive aliasing but that can happen.
2538         On ARM, that's a standard form since there is no need for aliasing.
2539
2540         Since the arguments of the stackmap are of type EarlyUse,
2541         they appeared as not interfering with the destination. When the register
2542         allocator gives the same register to the destination and something in
2543         the stack map, the result of BranchAdd destroys the value kept alive
2544         for the stackmap.
2545
2546         In this patch, I introduce a concept very similar to ForceLateUse
2547         to keep the argument of the stackmap live in CheckAdd. The new
2548         role is "ForceLateUseUnlessRecoverable".
2549
2550         In this mode, anything that is not also an input argument becomes
2551         LateUse. As such, it interferes with the destination of CheckAdd.
2552         The arguments are recovered by the slow path of CheckAdd. They
2553         remain EarlyUse.
2554
2555         This new mode ensures that the destination can be aliased to the source
2556         when that's useful, while making sure it is not aliased with another
2557         value that needs to be live on exit.
2558
2559         * b3/B3CheckSpecial.cpp:
2560         (JSC::B3::CheckSpecial::forEachArg):
2561         * b3/B3LowerToAir.cpp:
2562         (JSC::B3::Air::LowerToAir::lower):
2563         * b3/B3PatchpointSpecial.cpp:
2564         (JSC::B3::PatchpointSpecial::forEachArg):
2565         * b3/B3StackmapSpecial.cpp:
2566         (JSC::B3::StackmapSpecial::forEachArgImpl):
2567         (WTF::printInternal):
2568         * b3/B3StackmapSpecial.h:
2569         * b3/B3StackmapValue.h:
2570
2571 2016-02-15  Joseph Pecoraro  <pecoraro@apple.com>
2572
2573         Web Inspector: Web Workers have no access to console for debugging
2574         https://bugs.webkit.org/show_bug.cgi?id=26237
2575
2576         Reviewed by Timothy Hatcher.
2577
2578         * inspector/ConsoleMessage.h:
2579         Add accessor for MessageLevel.
2580
2581 2016-02-15  Mark Lam  <mark.lam@apple.com>
2582
2583         [ARMv7] stress/op_rshift.js and stress/op_urshift.js are failing.
2584         https://bugs.webkit.org/show_bug.cgi?id=151514
2585
2586         Reviewed by Filip Pizlo.
2587
2588         The issue turns out to be trivial: on ARMv7 (and traditional ARM too), arithmetic
2589         shift right (ASR) and logical shift right (LSR) take an immediate shift amount
2590         from 1-32.  See http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cjacbgca.html.
2591         An immediate shift amount of 0 is interpreted as a shift of 32 bits.
2592
2593         Meanwhile, our macro assembler is expecting the immediate shift value to be
2594         between 0-31.  As a result, a shift amount of 0 is being wrongly encoded with 0
2595         bits which means shift right by 32 bits.
2596
2597         The fix is to check if the shift amount is 0, and if so, emit a move.  Else,
2598         emit the right shift as usual.
2599
2600         This issue does not affect left shifts, as the immediate shift amount for left
2601         shifts is between 0-31 as our macro assembler expects.
2602
2603         * assembler/MacroAssemblerARM.h:
2604         (JSC::MacroAssemblerARM::rshift32):
2605         (JSC::MacroAssemblerARM::urshift32):
2606         (JSC::MacroAssemblerARM::sub32):
2607         * assembler/MacroAssemblerARMv7.h:
2608         (JSC::MacroAssemblerARMv7::rshift32):
2609         (JSC::MacroAssemblerARMv7::urshift32):
2610
2611         * tests/stress/op_rshift.js:
2612         * tests/stress/op_urshift.js:
2613         - Un-skip these tests.  They should always pass now.
2614
2615 2016-02-15  Filip Pizlo  <fpizlo@apple.com>
2616
2617         Parser::parseVariableDeclarationList should null check the node before attempting to create a new CommaExpr
2618         https://bugs.webkit.org/show_bug.cgi?id=154244
2619         rdar://problem/24290670
2620
2621         Reviewed by Michael Saboff.
2622
2623         * parser/ASTBuilder.h:
2624         (JSC::ASTBuilder::appendToCommaExpr): Catch the bug sooner in debug.
2625         * parser/Parser.cpp:
2626         (JSC::Parser<LexerType>::parseVariableDeclarationList): Fix the bug.
2627         * tests/stress/for-let-comma.js: Added. This used to crash in debug and release.
2628
2629 2016-02-15  Benjamin Poulain  <bpoulain@apple.com>
2630
2631         [JSC] Improve the interface of Inst::shouldTryAliasingDef()
2632         https://bugs.webkit.org/show_bug.cgi?id=154227
2633
2634         Reviewed by Andreas Kling.
2635
2636         Using Optional<> instead of a bool+reference looks cleaner
2637         at the call sites.
2638
2639         * b3/B3CheckSpecial.cpp:
2640         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
2641         * b3/B3CheckSpecial.h:
2642         * b3/air/AirCustom.h:
2643         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
2644         * b3/air/AirInst.h:
2645         * b3/air/AirInstInlines.h:
2646         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2647         * b3/air/AirIteratedRegisterCoalescing.cpp:
2648         * b3/air/AirSpecial.cpp:
2649         (JSC::B3::Air::Special::shouldTryAliasingDef):
2650         * b3/air/AirSpecial.h:
2651
2652 2016-02-14  Brian Burg  <bburg@apple.com>
2653
2654         WKAutomationDelegate's requestAutomationSession should take a suggested session identifier
2655         https://bugs.webkit.org/show_bug.cgi?id=154012
2656         <rdar://problem/24557697>
2657
2658         Reviewed by Darin Adler.
2659
2660         Add a string parameter to the client method for requesting a new session.
2661
2662         * inspector/remote/RemoteInspector.h:
2663
2664 2016-02-13  Timothy Hatcher  <timothy@apple.com>
2665
2666         Fix WebAssembly bug URL in the feature list.
2667
2668         * features.json:
2669
2670 2016-02-12  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2671
2672         Change the last RefPtr::get() to release() in String.prototype.normalize
2673         https://bugs.webkit.org/show_bug.cgi?id=154211
2674
2675         Reviewed by Ryosuke Niwa.
2676
2677         Change the last RefPtr::get() to release() in String.prototype.normalize.
2678
2679         * runtime/StringPrototype.cpp:
2680         (JSC::normalize):
2681
2682 2016-02-12  Saam barati  <sbarati@apple.com>
2683
2684         [ES6] we have an incorrect syntax error when a callee of a function expression has the same name as a top-level lexical declaration
2685         https://bugs.webkit.org/show_bug.cgi?id=154143
2686
2687         Reviewed by Benjamin Poulain.
2688
2689         We were raising syntax errors on the following type of programs when
2690         we shouldn't have been.
2691         ```
2692         (function foo() { const foo = 20; });
2693         ```
2694
2695         * parser/Parser.cpp:
2696         (JSC::Parser<LexerType>::parseFunctionInfo):
2697         * parser/Parser.h:
2698         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
2699         (JSC::Scope::declareCallee):
2700         (JSC::Scope::declareVariable):
2701         (JSC::Scope::hasDeclaredVariable):
2702         (JSC::Scope::hasLexicallyDeclaredVariable):
2703         (JSC::Scope::hasDeclaredParameter):
2704         (JSC::Scope::declareWrite):
2705         (JSC::Scope::getCapturedVars):
2706
2707 2016-02-12  Benjamin Poulain  <bpoulain@apple.com>
2708
2709         [JSC] ZeroExtend and SignExtend use incorrect addressing on ARM64
2710         https://bugs.webkit.org/show_bug.cgi?id=154208
2711
2712         Reviewed by Filip Pizlo.
2713
2714         When lowering:
2715             @1 = Load32(@x)
2716             @2 = SExt8(@1)
2717
2718         LowerToAir would see there is a form of SignExtend8To32 (an alias for Load8S)
2719         and use that.
2720
2721         There are two problems with that:
2722         1) If we have an Addr, it went through legalizeMemoryOffsets() for a 32-bit
2723            load. If used on another kind of load, there is no guarantee the addressing
2724            is still valid.
2725         2) If we have an Index, it is computed for the 32-bit MemoryValue.
2726            The computed index is not valid for the 8-bit load.
2727
2728         (2) could be fixed by changing LowerToAir to use the current instruction width
2729         instead of the B3ValueWidth but that's a bit tricky. We should just embrace
2730         that one of our targets is a Load-Store architecture.
2731
2732         In this patch, I just disabled the faulty forms on ARM64. We still need those operations
2733         to be fast; this will be addressed in: https://bugs.webkit.org/show_bug.cgi?id=154207
2734
2735         I also strengthened the m_allowScratchRegister assertion. The instructions that do not
2736         invalidate the temporary did not run the assertion, making this harder to debug.
2737
2738         * assembler/MacroAssemblerARM64.h:
2739         (JSC::MacroAssemblerARM64::load8):
2740         (JSC::MacroAssemblerARM64::store64):
2741         (JSC::MacroAssemblerARM64::store32):
2742         (JSC::MacroAssemblerARM64::loadDouble):
2743         (JSC::MacroAssemblerARM64::storeDouble):
2744         (JSC::MacroAssemblerARM64::branch32):
2745         (JSC::MacroAssemblerARM64::branch64):
2746         (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
2747         (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
2748         (JSC::MacroAssemblerARM64::dataMemoryTempRegister):
2749         (JSC::MacroAssemblerARM64::cachedMemoryTempRegister):
2750         (JSC::MacroAssemblerARM64::load):
2751         (JSC::MacroAssemblerARM64::store):
2752         * b3/air/AirOpcode.opcodes:
2753
2754 2016-02-12  Michael Saboff  <msaboff@apple.com>
2755
2756         offlineasm: Emit Dwarf2 file and location directives to allow for debugging .asm files
2757         https://bugs.webkit.org/show_bug.cgi?id=152703
2758
2759         Reviewed by Mark Lam.
2760
2761         Added support to output Dwarf2 .file and .loc assembler directives to provide the debugging
2762         information needed to correlate the offline assembler generated code with the source lines 
2763         in the .asm files.
2764
2765         Changed the tracking of file data to include a file index that was provided to the .file
2766         directive.  That index is used when emitting the .loc directives.
2767
2768         * offlineasm/arm.rb:
2769         * offlineasm/arm64.rb:
2770         * offlineasm/asm.rb:
2771         * offlineasm/backends.rb:
2772         * offlineasm/config.rb:
2773         * offlineasm/parser.rb:
2774         * offlineasm/x86.rb:
2775
2776 2016-02-12  Saam barati  <sbarati@apple.com>
2777
2778         The parser doesn't properly protect against global variable references in builtins
2779         https://bugs.webkit.org/show_bug.cgi?id=154144
2780
2781         Reviewed by Geoffrey Garen.
2782
2783         This patch fixes our global variable reference detection
2784         algorithm that was broken. After fixing the algorithm, I
2785         detected many places where we were incorrectly using global
2786         variables. I've fixed all those.
2787
2788         * builtins/BuiltinExecutables.cpp:
2789         (JSC::createExecutableInternal):
2790         * builtins/NumberPrototype.js:
2791         (toLocaleString):
2792         * builtins/PromiseConstructor.js:
2793         (race):
2794         (reject):
2795         (resolve):
2796         * parser/Nodes.cpp:
2797         (JSC::ProgramNode::ProgramNode):
2798         (JSC::ModuleProgramNode::ModuleProgramNode):
2799         (JSC::ProgramNode::setClosedVariables): Deleted.
2800         * parser/Nodes.h:
2801         (JSC::ScopeNode::setClosedVariables): Deleted.
2802         (JSC::ProgramNode::closedVariables): Deleted.
2803         * parser/Parser.cpp:
2804         (JSC::Parser<LexerType>::parseInner):
2805         (JSC::Parser<LexerType>::didFinishParsing):
2806         * parser/Parser.h:
2807         (JSC::Scope::setIsLexicalScope):
2808         (JSC::Scope::isLexicalScope):
2809         (JSC::Scope::closedVariableCandidates):
2810         (JSC::Scope::declaredVariables):
2811         (JSC::Scope::lexicalVariables):
2812         (JSC::Scope::finalizeLexicalEnvironment):
2813         (JSC::Parser::positionBeforeLastNewline):
2814         (JSC::Parser::locationBeforeLastToken):
2815         (JSC::Parser::isFunctionMetadataNode):
2816         (JSC::parse):
2817         (JSC::Parser::closedVariables): Deleted.
2818
2819 2016-02-12  Filip Pizlo  <fpizlo@apple.com>
2820
2821         JSObject::putByIndexBeyondVectorLengthWithoutAttributes needs to go to the sparse map based on MAX_STORAGE_VECTOR_INDEX
2822         https://bugs.webkit.org/show_bug.cgi?id=154201
2823         rdar://problem/24291387
2824
2825         Reviewed by Saam Barati.
2826
2827         I decided against adding a test for this, because it runs for a very long time.
2828
2829         * runtime/JSObject.cpp:
2830         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): Fix the bug.
2831         * runtime/StringPrototype.cpp:
2832         (JSC::stringProtoFuncSplit): Fix a related bug: if this code creates an array that would have
2833             hit the above bug, then it would probably manifest as a spin or as swapping.
2834
2835 2016-02-12  Jonathan Davis  <jond@apple.com>
2836
2837         Add WebAssembly to the status page
2838         https://bugs.webkit.org/show_bug.cgi?id=154199
2839
2840         Reviewed by Timothy Hatcher.
2841
2842         * features.json:
2843
2844 2016-02-12  Brian Burg  <bburg@apple.com>
2845
2846         Web Inspector: disambiguate the various identifier and connection types in RemoteInspector
2847         https://bugs.webkit.org/show_bug.cgi?id=154130
2848
2849         Reviewed by Joseph Pecoraro.
2850
2851         There are multiple identifier types:
2852             - connection identifier, a string UUID for a remote debugger process.
2853             - session identifier, a string UUID for a remote driver/debugger instance.
2854             - page/target identifier, a number unique within a single process.
2855
2856         There are multiple connection types:
2857             - RemoteInspectorXPCConnection, a connection from RemoteInspectorXPCConnectionor to a relay.
2858             - RemoteConnectionToTarget, a class that bridges to targets' dispatch queues.
2859
2860         Use consistent variable and getter names so that these don't get confused and
2861         so that the code is easier to read. This is especially an improvement when working
2862         with multiple target types or connection types within the same function.
2863
2864         * inspector/remote/RemoteConnectionToTarget.h:
2865         * inspector/remote/RemoteConnectionToTarget.mm:
2866         Remove the member for m_identifier since we can ask the target for its target identifier
2867         or use a default value via WTF::Optional. There's no reason to cache the value.
2868
2869         (Inspector::RemoteTargetHandleRunSourceWithInfo):
2870         (Inspector::RemoteConnectionToTarget::targetIdentifier):
2871         (Inspector::RemoteConnectionToTarget::destination):
2872         (Inspector::RemoteConnectionToTarget::setup):
2873         (Inspector::RemoteConnectionToTarget::sendMessageToFrontend):
2874         Bail out if the target pointer was somehow cleared and we can't get a useful target identifier.
2875
2876         (Inspector::RemoteConnectionToTarget::RemoteConnectionToTarget): Deleted.
2877         * inspector/remote/RemoteControllableTarget.h:
2878         * inspector/remote/RemoteInspectionTarget.cpp:
2879         (Inspector::RemoteInspectionTarget::pauseWaitingForAutomaticInspection):
2880         (Inspector::RemoteInspectionTarget::unpauseForInitializedInspector):
2881         * inspector/remote/RemoteInspector.h:
2882         * inspector/remote/RemoteInspector.mm:
2883         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
2884         (Inspector::RemoteInspector::registerTarget):
2885         (Inspector::RemoteInspector::unregisterTarget):
2886         (Inspector::RemoteInspector::updateTarget):
2887         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
2888         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
2889         (Inspector::RemoteInspector::sendMessageToRemote):
2890         (Inspector::RemoteInspector::setupFailed):
2891         (Inspector::RemoteInspector::setupCompleted):
2892         (Inspector::RemoteInspector::stopInternal):
2893         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2894         (Inspector::RemoteInspector::xpcConnectionFailed):
2895         (Inspector::RemoteInspector::listingForInspectionTarget):
2896         (Inspector::RemoteInspector::listingForAutomationTarget):
2897         (Inspector::RemoteInspector::pushListingsNow):
2898         (Inspector::RemoteInspector::pushListingsSoon):
2899         (Inspector::RemoteInspector::updateHasActiveDebugSession):
2900         (Inspector::RemoteInspector::receivedSetupMessage):
2901         (Inspector::RemoteInspector::receivedDataMessage):
2902         (Inspector::RemoteInspector::receivedDidCloseMessage):
2903         (Inspector::RemoteInspector::receivedIndicateMessage):
2904         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2905         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
2906         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
2907         (Inspector::RemoteInspector::nextAvailableIdentifier): Deleted.
2908         * inspector/remote/RemoteInspectorConstants.h:
2909
2910 2016-02-12  Benjamin Poulain  <benjamin@webkit.org>
2911
2912         [JSC] On x86, improve the selection of which values are selected for the UseDef part of commutative operations
2913         https://bugs.webkit.org/show_bug.cgi?id=154151
2914
2915         Reviewed by Filip Pizlo.
2916
2917         Previously, when an instruction destroys an argument with
2918         a UseDef use, we would try to pick a good target for the UseDef
2919         while doing instruction selection.
2920
2921         For example:
2922             @x = Add(@1, @2)
2923
2924         can be lowered to:
2925             Move @1 Tmp3
2926             Add @2 Tmp3
2927         or
2928             Move @2 Tmp3
2929             Add @1 Tmp3
2930
2931         The choice of which value ends up copied is done by preferRightForResult()
2932         at lowering time.
2933
2934         There are two common problems with the code we generate:
2935         1) It is based on UseCount. If a value is at its last use,
2936            it is a good target for coalescing even with a use-count > 1.
2937         2) When both values are at their last use, the best choice
2938            depends on the register pressure of each. We don't have that information
2939            until we do register allocation.
2940
2941         This patch implements a simple idea to minimize how many of those Moves are needed.
2942         Each commutative operation gets a 3 op variant. The register allocator then attempts
2943         to alias *both* of them to the destination.
2944         Since our aliasing is conservative, it removes as many copies as possible without causing
2945         spilling.
2946
2947         There was an unexpected cool improvement too. If you have:
2948             Move Tmp1, Tmp2
2949             BranchAdd32 Tmp3, Tmp2
2950         we would previously restore Tmp2 by subtracting Tmp3 from the result.
2951         We can now just use Tmp1. That removes quite a few Sub from the slow paths.
2952
2953         The problem is that this simple idea uncovered a bunch of issues that had to be fixed too.
2954         I detail them inline below.
2955
2956         * assembler/MacroAssemblerARM64.h:
2957         (JSC::MacroAssemblerARM64::and64):
2958         * assembler/MacroAssemblerX86Common.h:
2959         Most additions are adding an Address version of the 3 operands opcodes.
2960         The reason for this is to allow the complex addressing forms of instructions
2961         when spilling.
2962
2963         (JSC::MacroAssemblerX86Common::and32):
2964         (JSC::MacroAssemblerX86Common::mul32):
2965         (JSC::MacroAssemblerX86Common::or32):
2966         (JSC::MacroAssemblerX86Common::xor32):
2967         (JSC::MacroAssemblerX86Common::moveDouble):
2968         This was an unexpected discovery: removing tons of Move32 made floating-point heavy
2969         code much slower.
2970
2971         It turns out the MoveDouble we were using has partial register dependencies.
2972
2973         The x86 optimization manual, Chapter 3, section 3.4.1.13 lists the move instructions executed
2974         directly on the frontend. That's what we use now.
2975
2976         (JSC::MacroAssemblerX86Common::addDouble):
2977         (JSC::MacroAssemblerX86Common::addFloat):
2978         (JSC::MacroAssemblerX86Common::mulDouble):
2979         (JSC::MacroAssemblerX86Common::mulFloat):
2980         (JSC::MacroAssemblerX86Common::andDouble):
2981         (JSC::MacroAssemblerX86Common::andFloat):
2982         (JSC::MacroAssemblerX86Common::xorDouble):
2983         (JSC::MacroAssemblerX86Common::xorFloat):
2984         If the destination is not aliased, the version taking an address
2985         uses LoadFloat/LoadDouble instead of direct addressing.
2986
2987         That is because this:
2988             Move Tmp1, Tmp2
2989             Op [Tmp3], Tmp2
2990         is slower than
2991             Move [Tmp3] Tmp2
2992             Op Tmp1, Tmp2
2993         (sometimes significantly).
2994
2995         I am not exactly sure why.
2996
2997         (JSC::MacroAssemblerX86Common::branchAdd32):
2998         * assembler/MacroAssemblerX86_64.h:
2999         (JSC::MacroAssemblerX86_64::and64):
3000         * assembler/MacroAssemblerARM64.h:
3001         (JSC::MacroAssemblerARM64::and64):
3002         * assembler/MacroAssemblerX86Common.h:
3003         (JSC::MacroAssemblerX86Common::and32):
3004         (JSC::MacroAssemblerX86Common::mul32):
3005         (JSC::MacroAssemblerX86Common::or32):
3006         (JSC::MacroAssemblerX86Common::xor32):
3007         (JSC::MacroAssemblerX86Common::moveDouble):
3008         (JSC::MacroAssemblerX86Common::addDouble):
3009         (JSC::MacroAssemblerX86Common::addFloat):
3010         (JSC::MacroAssemblerX86Common::mulDouble):
3011         (JSC::MacroAssemblerX86Common::mulFloat):
3012         (JSC::MacroAssemblerX86Common::andDouble):
3013         (JSC::MacroAssemblerX86Common::andFloat):
3014         (JSC::MacroAssemblerX86Common::xorDouble):
3015         (JSC::MacroAssemblerX86Common::xorFloat):
3016         (JSC::MacroAssemblerX86Common::branchAdd32):
3017         * assembler/MacroAssemblerX86_64.h:
3018         (JSC::MacroAssemblerX86_64::and64):
3019         (JSC::MacroAssemblerX86_64::mul64):
3020         (JSC::MacroAssemblerX86_64::xor64):
3021         (JSC::MacroAssemblerX86_64::branchAdd64):
3022         * assembler/X86Assembler.h:
3023         (JSC::X86Assembler::movapd_rr):
3024         (JSC::X86Assembler::movaps_rr):
3025         * b3/B3CheckSpecial.cpp:
3026         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
3027         (JSC::B3::CheckSpecial::generate):
3028         * b3/B3CheckSpecial.h:
3029         * b3/B3LowerToAir.cpp:
3030         (JSC::B3::Air::LowerToAir::lower):
3031         * b3/air/AirCustom.h:
3032         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
3033         * b3/air/AirInst.h:
3034         * b3/air/AirInstInlines.h:
3035         (JSC::B3::Air::Inst::shouldTryAliasingDef):
3036         * b3/air/AirIteratedRegisterCoalescing.cpp:
3037         Aliasing the operands is done the same way as any coalescing.
3038
3039         There were problems with considering all those coalescing
3040         as equivalent for the result.
3041
3042         Moves are mostly generated for Upsilon-Phis. Getting rid of
3043         those tends to give better loops.
3044
3045         Sometimes, blocks have only Phis and a Jump. Coalescing
3046         those moves gets rid of the block entirely.
3047
3048         Where it got interesting was that something like:
3049             Move Tmp1, Tmp2
3050             Op Tmp3, Tmp2
3051         was significantly better than:
3052             Op Tmp1, Tmp3
3053             Move Tmp1, Tmp4
3054         even in the same basic block.
3055
3056         To get back to the same performance, I had to prioritize
3057         regular Moves operations over argument coalescing.
3058
3059         Another argument for doing this is that the alias has a shorter
3060         life in the hardware because the operation itself gets a new
3061         virtual register from the bank.
3062
3063         * b3/air/AirOpcode.opcodes:
3064         * b3/air/AirSpecial.cpp:
3065         (JSC::B3::Air::Special::shouldTryAliasingDef):
3066         * b3/air/AirSpecial.h:
3067         * b3/testb3.cpp:
3068         (JSC::B3::testCheckAddArgumentAliasing64):
3069         (JSC::B3::testCheckAddArgumentAliasing32):
3070         (JSC::B3::testCheckAddSelfOverflow64):
3071         (JSC::B3::testCheckAddSelfOverflow32):
3072         (JSC::B3::testCheckMulArgumentAliasing64):
3073         (JSC::B3::testCheckMulArgumentAliasing32):
3074         (JSC::B3::run):
3075
3076         * dfg/DFGOSRExitCompilerCommon.cpp:
3077         (JSC::DFG::reifyInlinedCallFrames):
3078         * jit/AssemblyHelpers.h:
3079         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
3080         This ruined my week.
3081
3082         When regenerating the frame of an inlined function that
3083         was called through a tail call, we were ignoring r13 for some reason.
3084
3085         Since this patch makes it more likely to increase the degree
3086         of each Tmp, the number of registers used increased and r13 was more
3087         commonly used.
3088
3089         When getting out of OSRExit, we would have that value trashed :(
3090
3091         The fix is simply to restore it like the other two Baseline callee-saved
3092         registers.
3093
3094 2016-02-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3095
3096         [ES6] Implement @@search
3097         https://bugs.webkit.org/show_bug.cgi?id=143889
3098
3099         Reviewed by Darin Adler.
3100
3101         Implement RegExp.prototype[@@search].
3102         In ES6, String.prototype.search delegates the actual matching to it
3103         instead of executing RegExp matching inside String.prototype.search method itself.
3104         By customizing @@search method, we can change the behavior of String.prototype.search for
3105         derived / customized RegExp objects.
3106
3107         * CMakeLists.txt:
3108         * DerivedSources.make:
3109         * builtins/BuiltinNames.h:
3110         (JSC::BuiltinNames::BuiltinNames): Deleted.
3111         * builtins/BuiltinUtils.h:
3112         * builtins/StringPrototype.js:
3113         (search):
3114         * bytecode/BytecodeIntrinsicRegistry.cpp:
3115         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3116         * bytecode/BytecodeIntrinsicRegistry.h:
3117         * runtime/CommonIdentifiers.h:
3118         * runtime/JSGlobalObject.cpp:
3119         (JSC::JSGlobalObject::init):
3120         * runtime/RegExpPrototype.cpp:
3121         (JSC::RegExpPrototype::finishCreation):
3122         (JSC::regExpProtoFuncSearch):
3123         * runtime/RegExpPrototype.h:
3124         (JSC::RegExpPrototype::create):
3125         * runtime/StringPrototype.cpp:
3126         (JSC::StringPrototype::getOwnPropertySlot):
3127         (JSC::StringPrototype::finishCreation): Deleted.
3128         (JSC::stringProtoFuncSearch): Deleted.
3129         * runtime/StringPrototype.h:
3130         * tests/es6.yaml:
3131         * tests/stress/regexp-search.js: Added.
3132         (shouldBe):
3133         (shouldThrow):
3134         (errorKey.toString):
3135         (primitive.of.primitives.shouldThrow):
3136         (testRegExpSearch):
3137         (testSearch):
3138         (testBoth):
3139         (alwaysUnmatch):
3140
3141 2016-02-12  Keith Miller  <keith_miller@apple.com>
3142
3143         AdaptiveInferredPropertyValueWatchpoint can trigger a GC that frees its CodeBlock and thus itself
3144         https://bugs.webkit.org/show_bug.cgi?id=154146
3145
3146         Reviewed by Filip Pizlo.
3147
3148         Consider the following: there is some CodeBlock, C, that is watching some object, O, with a
3149         structure, S, for replacements. Also, suppose that C has no references anymore and is due to
3150         be GCed. Now, when some new property is added to O, S will create a new structure S' and
3151         fire its transition watchpoints. Since C is watching S for replacements it will attempt to
3152         have its AdaptiveInferredPropertyValueWatchpoint relocate itself to S'. To do so, it needs
3153         to allocate RareData on S'. This allocation may cause a GC, which frees C while still
3154         executing its watchpoint handler. The solution to this is to defer GC while running
3155         AdaptiveInferredPropertyValueWatchpointBase handlers.
3156
3157         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
3158         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
3159
3160 2016-02-12  Gavin Barraclough  <barraclough@apple.com>
3161
3162         Separate out !allowsAccess path in JSDOMWindowCustom getOwnPropertySlot
3163         https://bugs.webkit.org/show_bug.cgi?id=154156
3164
3165         Reviewed by Chris Dumez.
3166
3167         * runtime/CommonIdentifiers.h:
3168             - added new property names, needed by jsDOMWindowGetOwnPropertySlotDisallowAccess.
3169
3170 2016-02-12  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3171
3172         Update ICU header files to version 52
3173         https://bugs.webkit.org/show_bug.cgi?id=154160
3174
3175         Reviewed by Alex Christensen.
3176
3177         Update ICU header files to version 52 to allow the use of newer APIs.
3178
3179         * icu/unicode/localpointer.h:
3180         * icu/unicode/platform.h:
3181         * icu/unicode/ptypes.h:
3182         * icu/unicode/putil.h:
3183         * icu/unicode/ucal.h:
3184         * icu/unicode/uchar.h:
3185         * icu/unicode/ucnv.h:
3186         * icu/unicode/ucol.h:
3187         * icu/unicode/uconfig.h:
3188         * icu/unicode/udat.h:
3189         * icu/unicode/udatpg.h:
3190         * icu/unicode/udisplaycontext.h: Added.
3191         * icu/unicode/uenum.h:
3192         * icu/unicode/uformattable.h: Added.
3193         * icu/unicode/uiter.h:
3194         * icu/unicode/uloc.h:
3195         * icu/unicode/umachine.h:
3196         * icu/unicode/unorm2.h:
3197         * icu/unicode/unum.h:
3198         * icu/unicode/urename.h:
3199         * icu/unicode/uscript.h:
3200         * icu/unicode/uset.h:
3201         * icu/unicode/ustring.h:
3202         * icu/unicode/utf.h:
3203         * icu/unicode/utf16.h:
3204         * icu/unicode/utf8.h:
3205         * icu/unicode/utf_old.h:
3206         * icu/unicode/utypes.h:
3207         * icu/unicode/uvernum.h:
3208         * icu/unicode/uversion.h:
3209
3210 2016-02-12  Filip Pizlo  <fpizlo@apple.com>
3211
3212         Fast path in JSObject::defineOwnIndexedProperty() forgets to check for the possibility of a descriptor that doesn't have a value
3213         https://bugs.webkit.org/show_bug.cgi?id=154175
3214         rdar://problem/24291497
3215
3216         Reviewed by Geoffrey Garen.
3217
3218         * runtime/JSObject.cpp:
3219         (JSC::JSObject::defineOwnIndexedProperty): Fix the bug.
3220         * runtime/SparseArrayValueMap.cpp:
3221         (JSC::SparseArrayValueMap::putEntry): Catch the bug sooner in debug.
3222         (JSC::SparseArrayValueMap::putDirect):
3223         * tests/stress/sparse-define-empty-descriptor.js: Added. This used to crash in release.
3224
3225 2016-02-11  Brian Burg  <bburg@apple.com>
3226
3227         Web Inspector: RemoteInspector's listings should include whether an AutomationTarget is paired
3228         https://bugs.webkit.org/show_bug.cgi?id=154077
3229         <rdar://problem/24589133>
3230
3231         Reviewed by Joseph Pecoraro.
3232
3233         Instead of not generating a listing for the target when it is occupied,
3234         generate the listing with a 'paired' flag. The old flag was redundant
3235         because a _WKAutomationDelegate will not create a session if it doesn't
3236         support automation or it already has an active session.
3237
3238         * inspector/remote/RemoteAutomationTarget.cpp:
3239         (Inspector::RemoteAutomationTarget::setIsPaired):
3240         (Inspector::RemoteAutomationTarget::setAutomationAllowed): Deleted.
3241         * inspector/remote/RemoteAutomationTarget.h:
3242         Return false for remoteControlAllowed() if the target is already paired.
3243         This function is used by RemoteInspector to deny incoming connections.
3244
3245         * inspector/remote/RemoteInspector.mm:
3246         (Inspector::RemoteInspector::listingForAutomationTarget):
3247         * inspector/remote/RemoteInspectorConstants.h:
3248
3249 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
3250
3251         DFG::ByteCodeParser needs to null check the result of presenceLike()
3252         https://bugs.webkit.org/show_bug.cgi?id=154135
3253         rdar://problem/24291586
3254
3255         Reviewed by Geoffrey Garen.
3256
3257         ByteCodeParser::presenceLike() could return a null object property condition if it detects a
3258         contradiction. That could happen due to bogus profiling. It's totally OK - we just need to
3259         bail from using a property condition when that happens.
3260
3261         * bytecode/ObjectPropertyCondition.h:
3262         (JSC::ObjectPropertyCondition::equivalence):
3263         (JSC::ObjectPropertyCondition::operator bool):
3264         (JSC::ObjectPropertyCondition::object):
3265         (JSC::ObjectPropertyCondition::condition):
3266         (JSC::ObjectPropertyCondition::operator!): Deleted.
3267         * bytecode/PropertyCondition.h:
3268         (JSC::PropertyCondition::equivalence):
3269         (JSC::PropertyCondition::operator bool):
3270         (JSC::PropertyCondition::kind):
3271         (JSC::PropertyCondition::uid):
3272         (JSC::PropertyCondition::operator!): Deleted.
3273         * dfg/DFGByteCodeParser.cpp:
3274         (JSC::DFG::ByteCodeParser::check):
3275         (JSC::DFG::ByteCodeParser::load):
3276
3277 2016-02-11  Benjamin Poulain  <benjamin@webkit.org>
3278
3279         [JSC] SqrtFloat and CeilFloat also suffer from partial register stalls
3280         https://bugs.webkit.org/show_bug.cgi?id=154131
3281
3282         Reviewed by Filip Pizlo.
3283
3284         Looks like I forgot to update this when adding Float support.
3285         Credit to Filip for finding this issue.
3286
3287         * b3/air/AirFixPartialRegisterStalls.cpp:
3288
3289 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
3290
3291         Cannot call initializeIndex() if we didn't create the array using tryCreateUninitialized()
3292         https://bugs.webkit.org/show_bug.cgi?id=154126
3293
3294         Reviewed by Saam Barati.
3295
3296         * runtime/ArrayPrototype.cpp:
3297         (JSC::arrayProtoFuncSplice):
3298
3299 2016-02-11  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3300
3301         [INTL] Implement Intl.NumberFormat.prototype.resolvedOptions()
3302         https://bugs.webkit.org/show_bug.cgi?id=147602
3303
3304         Reviewed by Darin Adler.
3305
3306         This patch implements Intl.NumberFormat.prototype.resolvedOptions() according
3307         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
3308
3309         * runtime/IntlDateTimeFormat.cpp:
3310         (JSC::localeData):
3311         * runtime/IntlNumberFormat.cpp:
3312         (JSC::localeData):
3313         (JSC::computeCurrencySortKey):
3314         (JSC::extractCurrencySortKey):
3315         (JSC::computeCurrencyDigits):
3316         (JSC::IntlNumberFormat::initializeNumberFormat):
3317         (JSC::IntlNumberFormat::styleString):
3318         (JSC::IntlNumberFormat::currencyDisplayString):
3319         (JSC::IntlNumberFormat::resolvedOptions):
3320         (JSC::IntlNumberFormat::setBoundFormat):
3321         * runtime/IntlNumberFormat.h:
3322         * runtime/IntlNumberFormatConstructor.cpp:
3323         (JSC::constructIntlNumberFormat):
3324         (JSC::callIntlNumberFormat):
3325         * runtime/IntlNumberFormatPrototype.cpp:
3326         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
3327         * runtime/IntlObject.cpp:
3328         (JSC::intlNumberOption):
3329         (JSC::numberingSystemsForLocale):
3330         (JSC::getNumberingSystemsForLocale): Deleted.
3331         * runtime/IntlObject.h:
3332
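Added example (not WebKit code) of what `Intl.NumberFormat.prototype.resolvedOptions()` is required to report once implemented as the entry above describes, including the per-currency fraction digits that the `computeCurrencyDigits()` helper listed there derives from ISO 4217 minor units (USD has 2, JPY has 0). The locale and currency strings are constructed sample inputs; it assumes a JavaScript runtime with Intl data for `en-US`.

```javascript
// Added example, not from the WebKit patch: resolvedOptions() must echo the
// normalised locale, numbering system, style and the digit settings that
// follow from the currency, not the raw arguments the caller passed in.

function resolvedCurrencyOptions(locale, currency) {
  // Currency codes are case-insensitive on input but reported upper-cased.
  const opts = new Intl.NumberFormat(locale, { style: 'currency', currency }).resolvedOptions();
  return {
    locale: opts.locale,
    numberingSystem: opts.numberingSystem,
    style: opts.style,
    currency: opts.currency,
    currencyDisplay: opts.currencyDisplay,        // defaults to 'symbol'
    minimumFractionDigits: opts.minimumFractionDigits,
    maximumFractionDigits: opts.maximumFractionDigits,
  };
}

// Without a style, the defaults are 'decimal' with 0..3 fraction digits.
function decimalDefaults(locale) {
  const opts = new Intl.NumberFormat(locale).resolvedOptions();
  return {
    style: opts.style,
    minimumIntegerDigits: opts.minimumIntegerDigits,
    minimumFractionDigits: opts.minimumFractionDigits,
    maximumFractionDigits: opts.maximumFractionDigits,
  };
}

// Constructed sample inputs: a two-minor-unit and a zero-minor-unit currency.
function currencyDigitsComparison() {
  return {
    usd: resolvedCurrencyOptions('en-US', 'usd').minimumFractionDigits,
    jpy: resolvedCurrencyOptions('en-US', 'JPY').minimumFractionDigits,
  };
}
```

The point of reading `minimumFractionDigits` back rather than formatting a number is that `resolvedOptions()` is the only place the engine exposes the digit count it chose, which is what the entry's new helper computes.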
3333 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
3334
3335         MacroAssemblerX86 should be happy with shift(cx, cx)
3336         https://bugs.webkit.org/show_bug.cgi?id=154124
3337
3338         Reviewed by Saam Barati.
3339
3340         Prior to this change the assembler asserted that shift_amount and dest cannot be the same.
3341         That's a good assertion for when shift_amount is not in cx. But if it's in cx already then
3342         it's OK for them to be the same. Air will sometimes do shift(cx, cx) if you do "x << x" and
3343         the coalescing got particularly clever.
3344
3345         * assembler/MacroAssemblerX86Common.h:
3346         (JSC::MacroAssemblerX86Common::lshift32):
3347         (JSC::MacroAssemblerX86Common::rshift32):
3348         (JSC::MacroAssemblerX86Common::urshift32):
3349         * assembler/MacroAssemblerX86_64.h:
3350         (JSC::MacroAssemblerX86_64::lshift64):
3351         (JSC::MacroAssemblerX86_64::rshift64):
3352         (JSC::MacroAssemblerX86_64::urshift64):
3353         * b3/testb3.cpp:
3354         (JSC::B3::testLShiftSelf32):
3355         (JSC::B3::testRShiftSelf32):
3356         (JSC::B3::testURShiftSelf32):
3357         (JSC::B3::testLShiftSelf64):
3358         (JSC::B3::testRShiftSelf64):
3359         (JSC::B3::testURShiftSelf64):
3360         (JSC::B3::run):
3361
3362 2016-02-11  Saam barati  <sbarati@apple.com>
3363
3364         The sampling profiler's stack walker methods should be marked with SUPPRESS_ASAN
3365         https://bugs.webkit.org/show_bug.cgi?id=154123
3366
3367         Reviewed by Mark Lam.
3368
3369         The entire premise of the sampling profiler is to load from
3370         another thread's memory. We should SUPPRESS_ASAN on the
3371         methods that do this.
3372
3373         * runtime/SamplingProfiler.cpp:
3374         (JSC::FrameWalker::FrameWalker):
3375         (JSC::FrameWalker::walk):
3376         (JSC::FrameWalker::advanceToParentFrame):
3377         (JSC::FrameWalker::isAtTop):
3378         (JSC::FrameWalker::resetAtMachineFrame):
3379
3380 2016-02-11  Csaba Osztrogonác  <ossy@webkit.org>
3381
3382         Unreviewed typo fix after r190063.
3383
3384         * dfg/DFGSpeculativeJIT.cpp: Removed property svn:executable.
3385         * dfg/DFGSpeculativeJIT.h: Removed property svn:executable.
3386         * jit/JIT.h: Removed property svn:executable.
3387         * jit/JITInlines.h: Removed property svn:executable.
3388         * jit/JITOpcodes.cpp: Removed property svn:executable.
3389
3390 2016-02-11  Csaba Osztrogonác  <ossy@webkit.org>
3391
3392         Unreviewed typo fix after r190063.
3393
3394         * dfg/DFGSpeculativeJIT.cpp: Removed property svn:executable.
3395         * dfg/DFGSpeculativeJIT.h: Removed property svn:executable.
3396         * jit/JIT.h: Removed property svn:executable.
3397         * jit/JITInlines.h: Removed property svn:executable.
3398         * jit/JITOpcodes.cpp: Removed property svn:executable.
3399
3400 2016-02-10  Keith Miller  <keith_miller@apple.com>
3401
3402         Symbol.species accessors on builtin constructors should be configurable
3403         https://bugs.webkit.org/show_bug.cgi?id=154097
3404
3405         Reviewed by Benjamin Poulain.
3406
3407         We did not have the Symbol.species accessors on our builtin constructors
3408         marked as configurable. This does not accurately follow the ES6 spec as
3409         the ES6 spec states that all default accessors on builtins should be
3410         configurable. This means that we need an additional watchpoint on
3411         ArrayConstructor to make sure that no user re-configures Symbol.species.
3412
3413         * runtime/ArrayConstructor.cpp:
3414         (JSC::ArrayConstructor::finishCreation):
3415         * runtime/ArrayPrototype.cpp:
3416         (JSC::speciesConstructArray):
3417         (JSC::ArrayPrototype::setConstructor):
3418         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
3419         * runtime/ArrayPrototype.h:
3420         (JSC::ArrayPrototype::didChangeConstructorOrSpeciesProperties):
3421         (JSC::ArrayPrototype::didChangeConstructorProperty): Deleted.
3422         * runtime/JSArrayBufferConstructor.cpp:
3423         (JSC::JSArrayBufferConstructor::finishCreation):
3424         * runtime/JSPromiseConstructor.cpp:
3425         (JSC::JSPromiseConstructor::finishCreation):
3426         * runtime/JSTypedArrayViewConstructor.cpp:
3427         (JSC::JSTypedArrayViewConstructor::finishCreation):
3428         * runtime/MapConstructor.cpp:
3429         (JSC::MapConstructor::finishCreation):
3430         * runtime/RegExpConstructor.cpp:
3431         (JSC::RegExpConstructor::finishCreation):
3432         * runtime/SetConstructor.cpp:
3433         (JSC::SetConstructor::finishCreation):
3434         * tests/stress/array-species-config-array-constructor.js: Added.
3435         (A):
3436         * tests/stress/symbol-species.js:
3437         (testSymbolSpeciesOnConstructor):
3438
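Added example (not WebKit code) of the behaviour the entry above makes JSC conform to: every built-in `Symbol.species` accessor is a configurable getter, user code may therefore redefine it, and `Array.prototype.map` consults it to choose its result constructor. That last fact is why an engine that assumes `map()` on a plain array yields a plain array needs a watchpoint on the accessor. The `Tagged` subclass is a hypothetical name made up for the demonstration.

```javascript
// Added example, not from the WebKit patch. Checks the ES6 shape of the
// Symbol.species accessors and shows that redefining one changes map().

function speciesDescriptor(ctor) {
  return Object.getOwnPropertyDescriptor(ctor, Symbol.species);
}

// ES6: each built-in species accessor is a configurable getter with no setter.
function allBuiltinSpeciesConfigurable() {
  return [Array, ArrayBuffer, Promise, Map, Set, RegExp].every((ctor) => {
    const d = speciesDescriptor(ctor);
    return d !== undefined && d.configurable === true
      && typeof d.get === 'function' && d.set === undefined;
  });
}

// map() creates its result via constructor[Symbol.species]. A subclass
// inherits Array's getter (which returns `this`, i.e. the subclass) until
// someone defines its own species; afterwards map() builds a plain Array.
function mapResultConstructorAfterRedefinition() {
  class Tagged extends Array {}   // hypothetical subclass for the demo
  const before = new Tagged(1, 2, 3).map((x) => x * 2).constructor.name;
  Object.defineProperty(Tagged, Symbol.species, { value: Array, configurable: true });
  const after = new Tagged(1, 2, 3).map((x) => x * 2).constructor.name;
  return { before, after };
}

// Because Array[Symbol.species] itself is configurable, it can be replaced on
// the built-in constructor. This is the case the entry's watchpoint covers.
// The original descriptor is restored so nothing else is affected.
function arraySpeciesCanBeReconfigured() {
  const original = speciesDescriptor(Array);
  try {
    Object.defineProperty(Array, Symbol.species, { value: undefined, configurable: true });
    // With species undefined, ArraySpeciesCreate falls back to a plain Array.
    return [1, 2].map((x) => x).constructor === Array
      && speciesDescriptor(Array).get === undefined;
  } finally {
    Object.defineProperty(Array, Symbol.species, original);
  }
}
```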
3439 2016-02-10  Benjamin Poulain  <benjamin@webkit.org>
3440
3441         [JSC] The destination of Sqrt should be Def, not UseDef
3442         https://bugs.webkit.org/show_bug.cgi?id=154086
3443
3444         Reviewed by Geoffrey Garen.
3445
3446         An unfortunate copy-paste: the destination of SqrtDouble and SqrtFloat
3447         was defined as UseDef. As a result, the argument would be interfering
3448         with everything defined prior.
3449
3450         * b3/air/AirOpcode.opcodes:
3451
3452 2016-02-10  Chris Dumez  <cdumez@apple.com>
3453
3454         [Web IDL] interface objects should be Function objects
3455         https://bugs.webkit.org/show_bug.cgi?id=154038
3456         <rdar://problem/24569358>
3457
3458         Reviewed by Geoffrey Garen.
3459
3460         Update functionProtoFuncToString() to handle JSObjects that
3461         have the TypeOfShouldCallGetCallData flag and are callable,
3462         as these behave like functions and use ClassInfo::className()
3463         as function name in this case.
3464
3465         * runtime/FunctionPrototype.cpp:
3466         (JSC::functionProtoFuncToString):
3467
3468 2016-02-10  Chris Dumez  <cdumez@apple.com>
3469
3470         Attributes on the Window instance should be configurable unless [Unforgeable]
3471         https://bugs.webkit.org/show_bug.cgi?id=153920
3472         <rdar://problem/24563211>
3473
3474         Reviewed by Darin Adler.
3475
3476         Marking the Window instance attributes as configurable does cause
3477         getOwnPropertyDescriptor() to report them as configurable, as
3478         expected. However, trying to delete them would actually lead to
3479         unexpected behavior because:
3480         - We did not reify custom accessor properties (most of the Window
3481           properties are custom accessors) upon deletion.
3482         - For non-reified static properties marked as configurable,
3483           JSObject::deleteProperty() would attempt to call the property
3484           setter with undefined. As a result, calling delete window.name
3485           would cause window.name to become the string "undefined" instead
3486           of the undefined value.
3487
3488         * runtime/JSObject.cpp:
3489         (JSC::getClassPropertyNames):
3490         Now that we reify ALL properties, we only need to check the property table
3491         if we have not reified. As a result, I dropped the 'didReify' parameter for
3492         this function and instead only call this function if we have not yet reified.
3493
3494         (JSC::JSObject::putInlineSlow):
3495         Only call putEntry() if we have not reified: Drop the
3496         '|| !(entry->attributes() & BuiltinOrFunctionOrAccessor)'
3497         check as such properties now get reified as well.
3498
3499         (JSC::JSObject::deleteProperty):
3500         - Call reifyAllStaticProperties() instead of reifyStaticFunctionsForDelete()
3501           so that we now reify all properties upon deletion, including the custom
3502           accessors. reifyStaticFunctionsForDelete() is now removed and the same
3503           reification function is now used by: deletion, getOwnPropertyDescriptor()
3504           and eager reification of the prototype objects in the bindings.
3505         - Drop code that falls back to calling the static property setter with
3506           undefined if we cannot find the property in the property storage. As
3507           we now reify ALL properties, the code removing the property from the
3508           property storage should succeed, provided that the property actually
3509           exists.
3510
3511         (JSC::JSObject::getOwnNonIndexPropertyNames):
3512         Only call getClassPropertyNames() if we have not reified. We should no longer
3513         check the static property table after reifying now that we reify all
3514         properties.
3515
3516         (JSC::JSObject::reifyAllStaticProperties):
3517         Merge with reifyStaticFunctionsForDelete(). The only behavior change is the
3518         flattening to an uncacheable dictionary, like reifyStaticFunctionsForDelete()
3519         used to do.
3520
3521         * runtime/JSObject.h:
3522
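Added example (not WebKit code) of the language-level semantics the entry above restores for configurable accessor properties: `delete` removes the property and must not call its setter, and a non-configurable accessor rejects deletion (a `TypeError` in strict mode). The counter-instrumented setter is a constructed stand-in for the Window attribute setters mentioned above.

```javascript
// Added example, not from the WebKit patch. A setter-call counter shows that
// delete on a configurable accessor removes the property without invoking
// the setter, i.e. the property does not become the string "undefined".

function deleteConfigurableAccessor() {
  let setterCalls = 0;
  let stored = 'initial';
  const obj = {};
  Object.defineProperty(obj, 'name', {
    get() { return stored; },
    set(v) { setterCalls += 1; stored = v; },
    configurable: true,
  });
  const deleted = delete obj.name;
  return {
    deleted,                                                        // true
    setterCalls,                                                    // 0
    ownAfter: Object.prototype.hasOwnProperty.call(obj, 'name'),    // false
    readAfter: obj.name,                                            // undefined
  };
}

// The contrasting case: a non-configurable accessor cannot be deleted, and
// strict-mode code sees that as a TypeError rather than a silent no-op.
function deleteNonConfigurableAccessorStrict() {
  'use strict';
  const obj = {};
  Object.defineProperty(obj, 'fixed', { get() { return 1; }, configurable: false });
  try {
    delete obj.fixed;
    return 'deleted';
  } catch (e) {
    return e.constructor.name;    // 'TypeError'
  }
}
```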
3523 2016-02-10  Commit Queue  <commit-queue@webkit.org>
3524
3525         Unreviewed, rolling out r196251.
3526         https://bugs.webkit.org/show_bug.cgi?id=154078
3527
3528         Large regression on Dromaeo needs explanation (Requested by
3529         kling on #webkit).
3530
3531         Reverted changeset:
3532
3533         "Visiting a WeakBlock should report bytes visited, since we
3534         reported them allocated."
3535         https://bugs.webkit.org/show_bug.cgi?id=153978
3536         http://trac.webkit.org/changeset/196251
3537
3538 2016-02-10  Csaba Osztrogonác  <ossy@webkit.org>
3539
3540         REGRESSION(r196331): It made ~180 JSC tests crash on ARMv7 Linux
3541         https://bugs.webkit.org/show_bug.cgi?id=154064
3542
3543         Reviewed by Mark Lam.
3544
3545         * bytecode/PolymorphicAccess.cpp:
3546         (JSC::AccessCase::generate): Added EABI_32BIT_DUMMY_ARG where it is necessary.
3547         * dfg/DFGSpeculativeJIT.h: Fixed the comment.
3548         * jit/CCallHelpers.h:
3549         (JSC::CCallHelpers::setupArgumentsWithExecState): Added.
3550         * wasm/WASMFunctionCompiler.h: Fixed the comment.
3551
3552 2016-02-09  Keith Miller  <keith_miller@apple.com>
3553
3554         calling methods off super in a class constructor should check for TDZ
3555         https://bugs.webkit.org/show_bug.cgi?id=154060
3556
3557         Reviewed by Ryosuke Niwa.
3558
3559         In a class constructor we need to check for TDZ when calling a method
3560         off the super class. This is because, for super method calls, we use
3561         the derived class's newly constructed object as the super method's
3562         this value.
3563
3564         * bytecompiler/NodesCodegen.cpp:
3565         (JSC::FunctionCallDotNode::emitBytecode):
3566         * tests/stress/super-method-calls-check-tdz.js: Added.
3567         (Base):
3568         (Derived):
3569         (test):
3570
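Added example (not the patch's own test) of the rule the entry above enforces: in a derived-class constructor `this` is in its temporal dead zone until `super()` returns, and a `super.method()` call uses `this` as the receiver, so making that call first must throw a `ReferenceError`. The `Base` and derived class names are constructed for the demonstration.

```javascript
// Added example, not from the WebKit patch. Two derived constructors: one
// calls a super method before super() (receiver in TDZ, must throw), the
// other after super() (receiver initialised, works normally).

class Base {
  describe() { return `Base seen by ${this.constructor.name}`; }
}

class CallsSuperMethodTooEarly extends Base {
  constructor() {
    super.describe();   // receiver is `this`, still in TDZ: must throw
    super();
  }
}

class CallsSuperMethodAfterSuper extends Base {
  constructor() {
    super();
    this.text = super.describe();   // `this` is initialised here: fine
  }
}

function constructEarly() {
  try {
    new CallsSuperMethodTooEarly();
    return 'no error';
  } catch (e) {
    return e.constructor.name;   // 'ReferenceError'
  }
}

function constructLate() {
  return new CallsSuperMethodAfterSuper().text;   // 'Base seen by CallsSuperMethodAfterSuper'
}
```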
3571 2016-02-09  Filip Pizlo  <fpizlo@apple.com>
3572
3573         Don't crash if we fail to parse a builtin
3574         https://bugs.webkit.org/show_bug.cgi?id=154047
3575         rdar://problem/24300617
3576
3577         Reviewed by Mark Lam.
3578
3579         Crashing probably seemed like a good idea at the time, but we could get here in case of a
3580         near stack overflow, so that the parser bails because of recursion.
3581
3582         * parser/Parser.h:
3583         (JSC::parse):
3584
3585 2016-02-07  Gavin Barraclough  <barraclough@apple.com>
3586
3587         GetValueFunc/PutValueFunc should not take both slotBase and thisValue
3588         https://bugs.webkit.org/show_bug.cgi?id=154009
3589
3590         Reviewed by Geoff Garen.
3591
3592         In JavaScript there are two types of properties - regular value properties, and accessor properties.
3593         One difference between these is how they are reflected by getOwnPropertyDescriptor, and another is
3594         what object they operate on in the case of a prototype access. If you access a value property of a
3595         prototype object it returns a value pertinent to the prototype, but in the case of a prototype object
3596         returning an accessor, then the accessor function is applied to the base object of the access.
3597
3598         JSC supports special 'custom' properties implemented as a c++ callback, and these custom properties
3599         can be used to implement either value- or accessor-like behavior. getOwnPropertyDescriptor behavior
3600         is selected via the CustomAccessor attribute. Value- or accessor-like object selection is currently
3601         supported by passing both the slotBase and the thisValue to the callback, and hoping it uses the
3602         right one. This is probably inefficient, bug-prone, and leads to craziness like JSBoundSlotBaseFunction.
3603
3604         Instead, just pass one thisValue to the callback functions, consistent with CustomAccessor.
3605
3606         * API/JSCallbackObject.h:
3607         * API/JSCallbackObjectFunctions.h:
3608         (JSC::JSCallbackObject<Parent>::getStaticValue):
3609         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3610         (JSC::JSCallbackObject<Parent>::callbackGetter):
3611             - Merged slotBase & thisValue to custom property callbacks.
3612         * bytecode/PolymorphicAccess.cpp:
3613         (JSC::AccessCase::generate):
3614             - Modified the call being JIT generated - GetValueFunc/PutValueFunc now only take 3,
3615               rather than 4 arguments. Selects which one to keep/drop based on access type.
3616         (WTF::printInternal):
3617         * bytecode/PolymorphicAccess.h:
3618         (JSC::AccessCase::isGet):
3619         (JSC::AccessCase::isPut):
3620         (JSC::AccessCase::isIn):
3621         (JSC::AccessCase::doesCalls):
3622         (JSC::AccessCase::isGetter):
3623         * bytecode/PutByIdStatus.cpp:
3624         (JSC::PutByIdStatus::computeForStubInfo):
3625         * jit/Repatch.cpp:
3626         (JSC::tryCacheGetByID):
3627         (JSC::tryCachePutByID):
3628             - Split the CustomGetter/Setter access types into Value/Accessor variants.
3629         * jsc.cpp:
3630         (WTF::CustomGetter::getOwnPropertySlot):
3631         (WTF::CustomGetter::customGetter):
3632         (WTF::RuntimeArray::RuntimeArray):
3633         (WTF::RuntimeArray::lengthGetter):
3634             - Merged slotBase & thisValue to custom property callbacks.
3635         * runtime/CustomGetterSetter.cpp:
3636         (JSC::callCustomSetter):
3637             - Pass 3 arguments when calling PutValueFunc.
3638         * runtime/CustomGetterSetter.h:
3639         * runtime/JSBoundSlotBaseFunction.cpp:
3640         (JSC::boundSlotBaseFunctionCall):
3641         (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction):
3642         * runtime/JSCJSValue.cpp:
3643         (JSC::JSValue::putToPrimitive):
3644             - callCustomSetter currently takes a flag to distinguish value/accessor calls.
3645         * runtime/JSFunction.cpp:
3646         (JSC::retrieveArguments):
3647         (JSC::JSFunction::argumentsGetter):
3648         (JSC::retrieveCallerFunction):
3649         (JSC::JSFunction::callerGetter):
3650         (JSC::JSFunction::lengthGetter):
3651         (JSC::JSFunction::nameGetter):
3652         * runtime/JSFunction.h:
3653         * runtime/JSModuleNamespaceObject.cpp:
3654         (JSC::JSModuleNamespaceObject::visitChildren):
3655         (JSC::callbackGetter):
3656             - Merged slotBase & thisValue to custom property callbacks.
3657         * runtime/JSObject.cpp:
3658         (JSC::JSObject::putInlineSlow):
3659             - callCustomSetter currently takes a flag to distinguish value/accessor calls.
3660         * runtime/Lookup.h:
3661         (JSC::putEntry):
3662             - split PutPropertySlot setCustom into Value/Accessor variants.
3663         * runtime/PropertySlot.cpp:
3664         (JSC::PropertySlot::functionGetter):
3665         (JSC::PropertySlot::customGetter):
3666         * runtime/PropertySlot.h:
3667         (JSC::PropertySlot::PropertySlot):
3668         (JSC::PropertySlot::getValue):
3669             - added customGetter helper to call GetValueFunc.
3670         * runtime/PutPropertySlot.h:
3671         (JSC::PutPropertySlot::PutPropertySlot):
3672         (JSC::PutPropertySlot::setNewProperty):
3673         (JSC::PutPropertySlot::setCustomValue):
3674         (JSC::PutPropertySlot::setCustomAccessor):
3675         (JSC::PutPropertySlot::setThisValue):
3676         (JSC::PutPropertySlot::customSetter):
3677         (JSC::PutPropertySlot::context):
3678         (JSC::PutPropertySlot::isStrictMode):
3679         (JSC::PutPropertySlot::isCacheablePut):
3680         (JSC::PutPropertySlot::isCacheableSetter):
3681         (JSC::PutPropertySlot::isCacheableCustom):
3682         (JSC::PutPropertySlot::isCustomAccessor):
3683         (JSC::PutPropertySlot::isInitialization):
3684         (JSC::PutPropertySlot::cachedOffset):
3685         (JSC::PutPropertySlot::setCustomProperty): Deleted.
3686             - split PutPropertySlot setCustom into Value/Accessor variants.
3687         * runtime/RegExpConstructor.cpp:
3688         (JSC::RegExpConstructor::getOwnPropertySlot):
3689         (JSC::regExpConstructorDollar1):
3690         (JSC::regExpConstructorDollar2):
3691         (JSC::regExpConstructorDollar3):
3692         (JSC::regExpConstructorDollar4):
3693         (JSC::regExpConstructorDollar5):
3694         (JSC::regExpConstructorDollar6):
3695         (JSC::regExpConstructorDollar7):
3696         (JSC::regExpConstructorDollar8):
3697         (JSC::regExpConstructorDollar9):
3698         (JSC::regExpConstructorInput):
3699         (JSC::regExpConstructorMultiline):
3700         (JSC::regExpConstructorLastMatch):
3701         (JSC::regExpConstructorLastParen):
3702         (JSC::regExpConstructorLeftContext):
3703         (JSC::regExpConstructorRightContext):
3704         (JSC::setRegExpConstructorInput):
3705         (JSC::setRegExpConstructorMultiline):
3706         * runtime/RegExpObject.cpp:
3707         (JSC::RegExpObject::defineOwnProperty):
3708         (JSC::regExpObjectSetLastIndexStrict):
3709         (JSC::regExpObjectSetLastIndexNonStrict):
3710         (JSC::RegExpObject::put):
3711             - Merged slotBase & thisValue to custom property callbacks.
3712
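Added example (not WebKit code) of the two property kinds the entry above contrasts, expressed in plain JavaScript rather than JSC's C++ callbacks: a value property found on a prototype yields the prototype's value, whereas an accessor found on a prototype runs with the base object of the access as `this`; `getOwnPropertyDescriptor` reports the two with different shapes. The `proto` object and `makeChild` helper are constructed for the demonstration.

```javascript
// Added example, not from the WebKit patch. One prototype with one value
// property and one accessor property; children created with Object.create.

const proto = {};
Object.defineProperty(proto, 'kind', {
  value: 'value on proto', enumerable: true, configurable: true,
});
Object.defineProperty(proto, 'owner', {
  get() { return this.name; },      // `this` is the receiver, not `proto`
  set(v) { this.name = v; },
  enumerable: true, configurable: true,
});

function makeChild(name) {
  const child = Object.create(proto);
  child.name = name;
  return child;
}

// Value property on the prototype: the prototype's value comes back.
function valueLookup() { return makeChild('child').kind; }          // 'value on proto'

// Accessor on the prototype: the getter runs against the base object.
function accessorLookup() { return makeChild('child').owner; }      // 'child'

// Stores through a prototype accessor also target the receiver, so the
// prototype itself is never modified.
function accessorStore() {
  const c = makeChild('a');
  c.owner = 'b';
  return [c.name, proto.name, Object.prototype.hasOwnProperty.call(c, 'name')];   // ['b', undefined, true]
}

// getOwnPropertyDescriptor distinguishes the kinds: data descriptors carry
// `value`/`writable`, accessor descriptors carry `get`/`set`.
function descriptorShapes() {
  const v = Object.getOwnPropertyDescriptor(proto, 'kind');
  const a = Object.getOwnPropertyDescriptor(proto, 'owner');
  return {
    valueHasValue: 'value' in v,
    valueHasGet: 'get' in v,
    accessorHasGet: typeof a.get === 'function',
    accessorHasValue: 'value' in a,
  };
}
```

This is the distinction the patch bakes into the callback signature: a custom value property only needs the object that holds the slot, a custom accessor only needs the receiver, so passing both and "hoping it uses the right one" is unnecessary.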
3713 2016-02-09  Filip Pizlo  <fpizlo@apple.com>
3714
3715         Spread expressions are not fair game for direct binding
3716         https://bugs.webkit.org/show_bug.cgi?id=154042
3717         rdar://problem/24291413
3718
3719         Reviewed by Saam Barati.
3720
3721         Prior to this change we crashed on this:
3722
3723             var [x] = [...y];
3724
3725         Because NodesCodegen thinks that this is a direct binding.  It's not, because we cannot
3726         directly generate bytecode for "...y".  This is a unique property of spread expressions, so
3727         it's sufficient to just bail out of direct binding if we see a spread expression. That's what
3728         this patch does.
3729
3730         * bytecompiler/NodesCodegen.cpp:
3731         (JSC::ArrayPatternNode::emitDirectBinding):
3732         * tests/stress/spread-in-tail.js: Added.
3733         (foo):
3734         (catch):
3735
3736 2016-02-09  Commit Queue  <commit-queue@webkit.org>
3737
3738         Unreviewed, rolling out r196286.
3739         https://bugs.webkit.org/show_bug.cgi?id=154026
3740
3741         Looks like 5% iOS PLT regression (Requested by kling on
3742         #webkit).
3743
3744         Reverted changeset:
3745
3746         "[iOS] Throw away some unlinked code when navigating to a new
3747         page."
3748         https://bugs.webkit.org/show_bug.cgi?id=154014
3749         http://trac.webkit.org/changeset/196286
3750
3751 2016-02-08  Keith Miller  <keith_miller@apple.com>
3752
3753         Error construction for inlined operations should not use the inliner's CodeBlock
3754         https://bugs.webkit.org/show_bug.cgi?id=154021
3755
3756         Reviewed by Mark Lam.
3757
3758         Previously, if one function, A, was inlined into another function, B, in the DFG/FTL
3759         we would use B's DFG/FTL CodeBlock to construct source information about the Error.
3760         We would correctly compute the bytecodeOffset in A for an expression but we would
3761         not use one of A's CodeBlocks when looking up source. This caused crashes during
3762         operationIn as we expected to be able to find the text "in" in the source.
3763
3764         * runtime/ErrorInstance.cpp:
3765         (JSC::appendSourceToError):
3766         * tests/stress/inlined-error-gets-correct-codeblock-for-bytecodeoffset.js: Added.
3767         (map):
3768         (n):
3769         (one):
3770         (catch):
3771
3772 2016-02-08  Saam Barati  <sbarati@apple.com>
3773
3774         runtimeTypeForValue should protect against seeing TDZ value
3775         https://bugs.webkit.org/show_bug.cgi?id=154023
3776         rdar://problem/24291413
3777
3778         Reviewed by Michael Saboff.
3779
3780         There are a few back traces I've seen from crashes that bottom out
3781         inside runtimeTypeForValue. I haven't been able to reproduce
3782         any such crash, but it's likely that we're encountering the
3783         empty JSValue. It's better to just have this function protect
3784         against seeing the empty value instead of dereferencing a null
3785         pointer when it thinks the value is a cell.
3786
3787         * runtime/RuntimeType.cpp:
3788         (JSC::runtimeTypeForValue):
3789
3790 2016-02-08  Andreas Kling  <akling@apple.com>
3791
3792         [iOS] Throw away some unlinked code when navigating to a new page.
3793         <https://webkit.org/b/154014>
3794
3795         Reviewed by Gavin Barraclough.
3796
3797         * runtime/VM.cpp:
3798         (JSC::VM::deleteAllCodeExceptCaches):
3799         (JSC::VM::deleteAllLinkedCode): Deleted.
3800         * runtime/VM.h:
3801
3802 2016-02-08  Filip Pizlo  <fpizlo@apple.com>
3803
3804         B3::foldPathConstants() needs to execute its insertion set
3805         https://bugs.webkit.org/show_bug.cgi?id=154020
3806
3807         Reviewed by Saam Barati.
3808
3809         * b3/B3FoldPathConstants.cpp:
3810         * b3/testb3.cpp:
3811         (JSC::B3::testFoldPathEqual): Added this. It used to crash in validation.
3812         (JSC::B3::run):
3813
3814 2016-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3815
3816         [JSC] Introduce @isObject bytecode intrinsic and use it instead of JS implemented one
3817         https://bugs.webkit.org/show_bug.cgi?id=153976
3818
3819         Reviewed by Darin Adler.
3820
3821         Use bytecode op_is_object directly.
3822
3823         * builtins/GlobalObject.js:
3824         (isObject): Deleted.
3825         * bytecode/BytecodeIntrinsicRegistry.h:
3826         * bytecompiler/NodesCodegen.cpp:
3827         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
3828         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
3829         * runtime/JSGlobalObject.cpp:
3830         (JSC::JSGlobalObject::init): Deleted.
3831
3832 2016-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3833
3834         {Map,Set}.prototype.forEach should be visible as own properties
3835         https://bugs.webkit.org/show_bug.cgi?id=153974
3836
3837         Reviewed by Darin Adler.
3838
3839         Now, Map and Set use builtin tables. We should include them in class info.
3840
3841         * runtime/MapPrototype.cpp:
3842         * runtime/SetPrototype.cpp:
3843
3844 2016-02-08  Filip Pizlo  <fpizlo@apple.com>
3845
3846         Baseline JIT should not require its input to be constant-propagated
3847         https://bugs.webkit.org/show_bug.cgi?id=154011
3848         rdar://problem/24290933
3849
3850         Reviewed by Mark Lam.
3851
3852         * jit/JITArithmetic.cpp:
3853         (JSC::JIT::emitBitBinaryOpFastPath):
3854         (JSC::JIT::emitRightShiftFastPath):
3855         (JSC::JIT::emit_op_add):
3856         (JSC::JIT::emit_op_div):
3857         (JSC::JIT::emit_op_mul):
3858
3859 2016-02-08  Filip Pizlo  <fpizlo@apple.com>
3860
3861         CodeCache should give up on evals if there are variables under TDZ
3862         https://bugs.webkit.org/show_bug.cgi?id=154002
3863         rdar://problem/24300998
3864
3865         Reviewed by Mark Lam.
3866
3867         Disable the code cache optimization because our approach to TDZ for scoped variables - using
3868         a separate check_tdz opcode when logically it's the get_from_scope's job to do it - makes
3869         caching code impossible if there are any variables in TDZ.
3870
3871         We should do the right thing in the future, and fold the TDZ check into the get_from_scope.
3872         This is better not only because it will restore caching, but because our bytecode for heap
3873         accesses is usually at the highest practically doable level of abstraction, so that ICs,
3874         compilers and caches can see the intended meaning of the bytecode more easily.
3875
3876         This doesn't appear to slow anything down, but that's just because we don't have enough ES6
3877         benchmarks. I've filed: https://bugs.webkit.org/show_bug.cgi?id=154010
3878
3879         * runtime/CodeCache.cpp:
3880         (JSC::CodeCache::getGlobalCodeBlock):
3881
3882 2016-02-08  Skachkov Oleksandr  <gskachkov@gmail.com>
3883
3884         [ES6] Arrow function syntax. Using 'super' in arrow function that declared out of the class should lead to Syntax error
3885         https://bugs.webkit.org/show_bug.cgi?id=150893
3886
3887         Reviewed by Saam Barati.
3888
3889         'super' and 'super()' inside of the arrow function should lead to syntax error if they are used 
3890         out of the class context or they are wrapped by an ordinary function. Now JSC returns ReferenceError but 
3891         should return SyntaxError according to the following specs:
3892         http://www.ecma-international.org/ecma-262/6.0/#sec-function-definitions-static-semantics-early-errors
3893         and http://www.ecma-international.org/ecma-262/6.0/#sec-arrow-function-definitions-runtime-semantics-evaluation 
3894         Current patch implemented only one case: when super/super() are used inside of the arrow function.
3895         The case when super/super() are used within eval:
3896            class A {} 
3897            class B extends A { 
3898                constructor() { eval("super()");} 
3899            }
3900         is not part of this patch and will be implemented in this issue https://bugs.webkit.org/show_bug.cgi?id=153864. 
3901         The same for case when eval with super/super() is invoked in arrow function will be 
3902         implemented in issue https://bugs.webkit.org/show_bug.cgi?id=153977. 
3903  
3904         * parser/Parser.cpp:
3905         (JSC::Parser<LexerType>::parseFunctionInfo):
3906         * parser/Parser.h:
3907         (JSC::Scope::Scope):
3908         (JSC::Scope::setExpectedSuperBinding):
3909         (JSC::Scope::expectedSuperBinding):
3910         (JSC::Scope::setConstructorKind):
3911         (JSC::Scope::constructorKind):
3912         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
3913         * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
3914         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
3915
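Added example (not the patch's own tests) of the rule the entry above implements: `super` inside an arrow function binds lexically to the enclosing non-arrow function, so it is only legal when that function is a method or class constructor; anywhere else the spec makes it an early `SyntaxError` at parse time, not a `ReferenceError` at run time. Sources are compiled through the `Function` constructor so the early error can be caught and inspected; the class names are constructed for the demonstration.

```javascript
// Added example, not from the WebKit patch. compileError() parses a source
// string and reports the error class, or null when it parses cleanly.

function compileError(source) {
  try {
    new Function(source);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

// Not inside any class: both forms are early errors.
function arrowSuperAtTopLevel() {
  return compileError('const f = () => super.x;');                  // 'SyntaxError'
}
function arrowSuperCallInPlainFunction() {
  return compileError('function g() { return () => super(); }');    // 'SyntaxError'
}

// Inside a method, the arrow captures the method's home object, so
// super.who() resolves to the parent class's method.
class A { who() { return 'A'; } }
class B extends A {
  who() { return 'B'; }
  viaArrow() { const f = () => super.who(); return f(); }
}
function arrowSuperInMethod() { return new B().viaArrow(); }        // 'A'

// In a derived constructor an arrow may call super(); the arrow's `this`
// is the constructor's `this`, so it is initialised once the arrow runs.
class C extends A {
  constructor() {
    const init = () => super();
    init();
    this.ok = true;
  }
}
function arrowSuperCallInConstructor() { return new C().ok; }      // true
```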
3916 2016-02-08  Filip Pizlo  <fpizlo@apple.com>
3917
3918         Parser should detect error before calls to parseAssignmentExpression()
3919         https://bugs.webkit.org/show_bug.cgi?id=153975
3920         rdar://problem/24291231
3921
3922         Reviewed by Saam Barati.
3923
3924         Fixes a very hard-to-create situation that an internal test picked up.
3925
3926         * parser/Parser.cpp:
3927         (JSC::Parser<LexerType>::parseVariableDeclarationList):
3928         (JSC::Parser<LexerType>::parseAssignmentExpression):
3929
3930 2016-02-08  Andreas Kling  <akling@apple.com>