DFG del_by_id support forgets to set()
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-04-20  Filip Pizlo  <fpizlo@apple.com>

        DFG del_by_id support forgets to set()
        https://bugs.webkit.org/show_bug.cgi?id=156830

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/dfg-del-by-id.js: Added.

2016-04-20  Saam barati  <sbarati@apple.com>

        Improve sampling profiler CLI JSC tool
        https://bugs.webkit.org/show_bug.cgi?id=156824

        Reviewed by Mark Lam.

        This patch enhances the Sampling Profiler CLI tool from the JSC shell
        to display the JITType of a particular CodeBlock. Because this happens
        once we process a log of stack frames, the data for a particular frame
        being in LLInt vs. Baseline could be wrong. For example, we may have taken
        a stack trace of a CodeBlock while it was executing in the LLInt, then
        it tiers up to the baseline, then we process the log. We will show such CodeBlocks
        as being in the baseline JIT. We could be smarter about this in the future if
        it turns out to truly be a problem.

        This patch also adds a 'samplingProfilerTimingInterval' JSC option to allow
        CLI users to control the sleep time between stack traces.

        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):

2016-04-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] DFG should not generate two jumps when the target of DoubleBranch is the next block
        https://bugs.webkit.org/show_bug.cgi?id=156815

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):

2016-04-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add register reuse for ArithAdd of an Int32 and constant in DFG
        https://bugs.webkit.org/show_bug.cgi?id=155164

        Reviewed by Mark Lam.

        Every "inc" in a loop was looking like this:
            move rX, rY
            inc rY
            jo 0x230f4a200580

        This patch adds register reuse to that case to remove
        the extra "move".

        * dfg/DFGOSRExit.h:
        (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
        (JSC::DFG::SpeculationRecovery::immediate):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        * tests/stress/arith-add-with-constant-overflow.js: Added.
        (opaqueAdd):

2016-04-20  Saam barati  <sbarati@apple.com>

        We don't need a manual stack for an RAII object when the machine's stack will do just fine
        https://bugs.webkit.org/show_bug.cgi?id=156807

        Reviewed by Mark Lam.

        We kept around a vector for an RAII object to maintain
        the recursive nature of having these RAII objects on
        the stack as the parser recursed. Instead, the RAII object
        can just have a field with the value it wants to restore
        and use the machine's stack.

        This is a 1% octane code-load progression.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::BinaryExprContext::BinaryExprContext):
        (JSC::SyntaxChecker::BinaryExprContext::~BinaryExprContext):
        (JSC::SyntaxChecker::UnaryExprContext::UnaryExprContext):
        (JSC::SyntaxChecker::UnaryExprContext::~UnaryExprContext):
        (JSC::SyntaxChecker::operatorStackPop):

2016-04-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r190289): Spin trying to view/sign in to hbogo.com
        https://bugs.webkit.org/show_bug.cgi?id=156765

        Reviewed by Saam Barati.

        In the op_get_by_val case, we were holding the lock on a profiled CodeBlock
        when we call into handleGetById(). Changed to drop the lock before calling
        handleGetById().

        The bug here was that the call to handleGetById() may end up calling in to
        getPredictionWithoutOSRExit() for a tail call opcode. As part of that
        processing, we walk back up the stack to find the effective caller and when
        found, we lock the corresponding CodeBlock to get the prediction.
        That CodeBlock may be the same one locked above. There is no need anyway
        to hold the CodeBlock lock when calling handleGetById().

        Added a new stress test.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/regress-156765.js: Added.
        (realValue):
        (object.get hello):
        (ok):

2016-04-20  Mark Lam  <mark.lam@apple.com>

        Unindent an unnecessary block in stringProtoFuncSplitFast().
        https://bugs.webkit.org/show_bug.cgi?id=156802

        Reviewed by Filip Pizlo.

        In webkit.org/b/156013, I refactored stringProtoFuncSplit into
        stringProtoFuncSplitFast.  In that patch, I left an unnecessary block of code in
        its original block (with FIXMEs) to keep the diff for that patch minimal.  Now
        that the patch for webkit.org/b/156013 has landed, I will unindent that block and
        remove the FIXMEs.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplitFast):

2016-04-20  Brady Eidson  <beidson@apple.com>

        Modern IDB (Workers): Enable INDEXED_DATABASE_IN_WORKERS compile time flag, but disabled in RuntimeEnabledFeatures.
        https://bugs.webkit.org/show_bug.cgi?id=156782

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2016-04-20  Saam barati  <sbarati@apple.com>

        Remove unused m_writtenVariables from the parser and related bits
        https://bugs.webkit.org/show_bug.cgi?id=156784

        Reviewed by Yusuke Suzuki.

        This isn't an octane/codeload speedup even though we're doing less work in
        collectFreeVariables. But it's good to get rid of things that are not used.

        * parser/Nodes.h:
        (JSC::ScopeNode::usesEval):
        (JSC::ScopeNode::usesArguments):
        (JSC::ScopeNode::usesArrowFunction):
        (JSC::ScopeNode::isStrictMode):
        (JSC::ScopeNode::setUsesArguments):
        (JSC::ScopeNode::usesThis):
        (JSC::ScopeNode::modifiesParameter): Deleted.
        (JSC::ScopeNode::modifiesArguments): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::hasDeclaredParameter):
        (JSC::Scope::preventAllVariableDeclarations):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::getSloppyModeHoistedFunctions):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::strictMode):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Parser::hasDeclaredParameter):
        (JSC::Parser::exportName):
        (JSC::Scope::declareWrite): Deleted.
        (JSC::Parser::declareWrite): Deleted.
        * parser/ParserModes.h:

2016-04-19  Saam barati  <sbarati@apple.com>

        Unreviewed, fix cloop build after r199754.

        * jsc.cpp:
        (jscmain):

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Filip Pizlo.

        Given that there are only 128 FLS indices compared to over 1000 for TLS,
        I eliminated the thread specific m_threadSpecificForThread and instead we look
        for the current thread in m_registeredThreads list when we need it.
        In most cases there will only be one thread.

        Added THREAD_SPECIFIC_CALL to signature of ThreadSpecific remove callbacks
        to set the calling convention correctly for Windows 32 bit.

        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

2016-04-19  Benjamin Poulain  <bpoulain@webkit.org>

        [JSC] Small cleanup of RegisterAtOffsetList
        https://bugs.webkit.org/show_bug.cgi?id=156779

        Reviewed by Mark Lam.

        I was wondering why RegisterAtOffsetList always cache-misses.
        It looks like it is doing more than it needs to.

        We do not need to sort the values. The total order of
        RegisterAtOffset is:
        1) Order of Reg.
        2) Order of offsets.
        We already generate the list in order.

        Also allocate the right array size ahead of filling the array.

        * jit/RegisterAtOffsetList.cpp:
        (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
        (JSC::RegisterAtOffsetList::sort): Deleted.
        * jit/RegisterAtOffsetList.h:
        (JSC::RegisterAtOffsetList::append): Deleted.

2016-04-19  Saam barati  <sbarati@apple.com>

        Add a couple UNLIKELY macros in parseMemberExpression
        https://bugs.webkit.org/show_bug.cgi?id=156775

        Reviewed by Filip Pizlo.

        These UNLIKELY macros have to do with the base of the
        member expression being 'super'. I think it's safe to
        argue that this is truly UNLIKELY. I am seeing speedups
        sometimes on Octane codeload. Usually around 0.5%. Sometimes 1%.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2016-04-19  Saam barati  <sbarati@apple.com>

        allow jsc shell to dump sampling profiler data
        https://bugs.webkit.org/show_bug.cgi?id=156725

        Reviewed by Benjamin Poulain.

        This patch adds a '--reportSamplingProfilerData' option to the
        JSC shell which will enable the sampling profiler and dump
        its data at the end of execution. The dump will include the
        40 hottest functions and the 80 hottest bytecode locations.
        If you're using this option to debug, it's easy to just hack
        on the code to make it dump more or less information.

        * jsc.cpp:
        (CommandLine::parseArguments):
        (jscmain):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::stackTracesAsJSON):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):
        (JSC::SamplingProfiler::StackFrame::hasBytecodeIndex):
        (JSC::SamplingProfiler::StackFrame::hasCodeBlockHash):
        (JSC::SamplingProfiler::setStopWatch):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement RegExp.prototype[@@search].
        https://bugs.webkit.org/show_bug.cgi?id=156331

        Reviewed by Keith Miller.

        What changed?
        1. Implemented search builtin in RegExpPrototype.js.
           The native path is now used as a fast path.
        2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
           IsJSArrayIntrinsic).
        3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
        4. Change the esSpecIsRegExpObject() implementation to check if the object's
           JSType is RegExpObjectType instead of walking the classinfo chain.

        * builtins/RegExpPrototype.js:
        (search):
        * builtins/StringPrototype.js:
        (search):
        - fixed some indentation.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
        (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
        (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::isType):
        * runtime/Intrinsic.h:
        - Added IsRegExpObjectIntrinsic.

        * runtime/CommonIdentifiers.h:

        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsConstructor):
        - Changed to use uncheckedArgument since this is only called from internal code.
        (JSC::esSpecIsRegExpObject):
        (JSC::esSpecIsRegExp): Deleted.
        * runtime/ECMAScriptSpecInternalFunctions.h:
        - Changed to check the object for a JSType of RegExpObjectType.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Added split fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::regExpProtoFuncSearch): Deleted.
        * runtime/RegExpPrototype.h:

        * tests/es6.yaml:
        * tests/stress/regexp-search.js:
        - Rebased test.

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Replace $vm.printValue() with $vm.value().
        https://bugs.webkit.org/show_bug.cgi?id=156767

        Reviewed by Saam Barati.

        When debugging with $vm, this change allows us to do this:

            $vm.print("myObj = " + $vm.value(myObj) + "\n");

        ... instead of having to do this:

            $vm.print("myObj = ");
            $vm.printValue(myObj);
            $vm.print("\n");

        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::printValue):
        (JSC::functionValue):
        (JSC::JSDollarVMPrototype::finishCreation):
        (JSC::functionPrintValue): Deleted.

2016-04-18  Oliver Hunt  <oliver@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Reviewed by ggaren.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
        https://bugs.webkit.org/show_bug.cgi?id=156013

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/GlobalObject.js:
        (speciesConstructor):
        * builtins/PromisePrototype.js:
        - refactored to use the @speciesConstructor internal function.

        * builtins/RegExpPrototype.js:
        (advanceStringIndex):
        - refactored from @advanceStringIndexUnicode() to match the spec.
          Benchmarks show that there's no advantage in doing the unicode check outside
          of the advanceStringIndexUnicode part.  So, I simplified the code to match the
          spec (especially since @@split needs to call advanceStringIndex from more than
          1 location).
        (match):
        - Removed an unnecessary call to @Object because it was already proven above.
        - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
          Again, there's no perf regression for this.
        (regExpExec):
        (hasObservableSideEffectsForRegExpSplit):
        (split):
        (advanceStringIndexUnicode): Deleted.

        * builtins/StringPrototype.js:
        (split):
        - Modified to use RegExp.prototype[@@split].

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h:
        - Added the @@split symbol.

        * runtime/CommonIdentifiers.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
        (JSC::esSpecIsConstructor):
        (JSC::esSpecIsRegExp):
        * runtime/ECMAScriptSpecInternalFunctions.h: Added.

        * runtime/JSGlobalObject.cpp:
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        - Removed an assert that is no longer valid.

        * runtime/RegExpObject.h:
        - Made advanceStringUnicode() public so that it can be re-used by the regexp split
          fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncSearch):
        (JSC::advanceStringIndex):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/RegExpPrototype.h:

        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        - Hoisted some utility functions from StringPrototype.cpp so that they can be
          reused by the regexp split fast path.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstr):
        (JSC::builtinStringSubstrInternal):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringIncludesImpl):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::jsStringWithReuse): Deleted.
        (JSC::jsSubstring): Deleted.
        (JSC::stringProtoFuncSplit): Deleted.
        * runtime/StringPrototype.h:

        * tests/es6.yaml:

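Added illustration, not WebKit's own code or tests, of what the ES6 @@search and @@split protocols implemented by the two Mark Lam entries above make observable to scripts, and therefore what a native fast path (the "hasObservableSideEffectsForRegExpSplit" idea) has to rule out before taking over. Function names and sample strings are mine; running it requires a modern JavaScript engine.

```javascript
// Added example, not WebKit code: observable behaviour of
// RegExp.prototype[@@search] and RegExp.prototype[@@split].

// String.prototype.search must look up [Symbol.search] on its argument and
// call it, so any object implementing the method works, not only a RegExp.
function searchViaSymbol(str) {
  const matcher = { [Symbol.search](s) { return s.indexOf('needle'); } };
  return str.search(matcher);
}

// RegExp.prototype[@@search] resets lastIndex to 0 before matching and then
// restores the caller's value, so a /g regexp's position is left untouched.
function searchKeepsLastIndex() {
  const re = /b/g;
  re.lastIndex = 5;
  const index = 'abcb'.search(re);
  return { index, lastIndex: re.lastIndex };
}

// @@search runs RegExpExec on the receiver, which reads the receiver's own
// "exec" property. An instance-level override is therefore observable, and
// the engine's internal matcher must not be used for such an object.
function searchObservesInstanceExec() {
  const re = /b/;
  re.exec = () => null; // claims there is never a match
  return 'abc'.search(re); // -1 per spec, although /b/ would match at index 1
}

// @@split does not exec the receiver; it builds a fresh sticky copy through
// the species constructor. An override of the shared RegExp.prototype.exec is
// still visible to that copy, which is one of the things a split fast path
// has to check (along with the flags getters and Symbol.species) before
// bypassing the spec algorithm.
function splitObservesPrototypeExec() {
  const builtinExec = RegExp.prototype.exec;
  let execCalls = 0;
  RegExp.prototype.exec = function (s) {
    execCalls++;
    return builtinExec.call(this, s);
  };
  try {
    const parts = 'a,b,c'.split(/,/);
    return { parts, execCalls };
  } finally {
    RegExp.prototype.exec = builtinExec; // always undo the global patch
  }
}

// String.prototype.split likewise dispatches to the separator's [Symbol.split],
// so a non-RegExp separator object takes over the whole algorithm.
function splitViaSymbol(str, limit) {
  const splitter = {
    [Symbol.split](s, lim) { return s.split(' ').slice(0, lim); }
  };
  return str.split(splitter, limit);
}
```
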
2016-04-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r199726.
        https://bugs.webkit.org/show_bug.cgi?id=156748

        WebKit tests crash on Windows 32 (Requested by msaboff on
        #webkit).

        Reverted changeset:

        "iTunes crashing JavaScriptCore.dll"
        https://bugs.webkit.org/show_bug.cgi?id=156647
        http://trac.webkit.org/changeset/199726

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Saam Barati.

        Given that there are only 128 FLS indices compared to over 1000 for TLS, I
        eliminated the thread specific m_threadSpecificForThread and instead we look for the
        current thread in m_registeredThreads list when we need it.  In most cases there
        will only be one thread.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

2016-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [INTL] Use @thisNumberValue instead of `instanceof @Number`
        https://bugs.webkit.org/show_bug.cgi?id=156680

        Reviewed by Saam Barati.

        Use @thisNumberValue instead of `instanceof @Number`.
        `instanceof @Number` is not enough;
        For example, given 2 realms, the object created in one realm does not
        inherit the Number of another realm.
        Another example is an object which does not inherit Number.

        ```
        var number = new Number(42);
        number.__proto__ = null;
        ```

        * builtins/NumberPrototype.js:
        (toLocaleString):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncValueOf):
        * runtime/NumberPrototype.h:
        * tests/stress/number-to-locale-string-should-accept-strange-number-objects.js: Added.
        (shouldBe):

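Added illustration, not WebKit's code or its stress test, of why the entry above swaps `instanceof @Number` for a thisNumberValue-style brand check: it runs both checks over the two cases the entry names (a Number object with its prototype cut, and one from another realm) plus an impostor that passes instanceof without being a Number. It borrows Number.prototype.valueOf for the brand check and Node's vm module for the second realm; function names are mine.

```javascript
// Added example, not JavaScriptCore code: brand check vs. prototype-chain check.

// Spec-style thisNumberValue(value): a number primitive passes through, a
// Number wrapper yields its [[NumberData]], anything else throws a TypeError.
// Number.prototype.valueOf performs exactly that internal-slot check, and it
// ignores the prototype chain and the realm, so we borrow it here.
function thisNumberValue(value) {
  if (typeof value === 'number') return value;
  return Number.prototype.valueOf.call(value);
}

// The check the patch replaced: an ordinary prototype-chain walk.
function looksLikeNumberViaInstanceof(value) {
  return typeof value === 'number' || value instanceof Number;
}

// Case 1 from the entry: a real Number object whose prototype chain was cut.
function nullProtoNumber() {
  const number = new Number(42);
  Object.setPrototypeOf(number, null); // same effect as number.__proto__ = null
  return number;
}

// Case 2 from the entry: a Number object created in a different realm, whose
// Number.prototype is not the one in our chain. Node's vm module provides the
// realm; returns null where require() is unavailable (ES module context).
function otherRealmNumber() {
  if (typeof require !== 'function') return null;
  const vm = require('vm');
  return vm.runInNewContext('new Number(42)');
}

// The opposite failure: inherits from Number.prototype but holds no number.
function numberImpostor() {
  return Object.create(Number.prototype);
}

// Run both checks and report what each one concludes about `value`.
function compareChecks(value) {
  let brand;
  try {
    brand = { ok: true, value: thisNumberValue(value) };
  } catch (e) {
    brand = { ok: false, error: e.constructor.name };
  }
  return { instanceofSaysNumber: looksLikeNumberViaInstanceof(value), brand };
}
```
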
557
558 2016-04-19  Commit Queue  <commit-queue@webkit.org>
559
560         Unreviewed, rolling out r199712.
561         https://bugs.webkit.org/show_bug.cgi?id=156741
562
563         It caused a serious regression on 32 bit platform (Requested
564         by gskachkov on #webkit).
565
566         Reverted changeset:
567
568         "calling super() a second time in a constructor should throw"
569         https://bugs.webkit.org/show_bug.cgi?id=151113
570         http://trac.webkit.org/changeset/199712
571
2016-04-09  Skachkov Oleksandr  <gskachkov@gmail.com>

        calling super() a second time in a constructor should throw
        https://bugs.webkit.org/show_bug.cgi?id=151113

        Reviewed by Saam Barati and Keith Miller.

        Currently, our implementation checks if 'super()' was called in a constructor more
        than once and raises a RuntimeError before the second call. According to the spec
        we need to raise an error just after the second super() is finished and before
        the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour.
        To implement this behavior this patch adds a new op code, op_is_empty, that is used
        to check if 'this' is empty.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIsEmpty):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_empty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_empty):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/stress/class-syntax-double-constructor.js: Added.

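Added illustration, not WebKit's stress test, of the ordering the entry above describes: the second super() call must run the parent constructor to completion and only then throw, when the already-initialised `this` binding would be assigned again. The second function shows the other side of the same "is `this` empty?" check, a read of `this` before super() returns. Function names are mine.

```javascript
// Added example, not JavaScriptCore code: observable order of a duplicate
// super() call and of a premature `this` access in a derived constructor.

// Returns how many times the parent constructor ran and which error type the
// duplicate super() produced. Per spec the parent runs twice and the
// ReferenceError is raised when the second result is bound to `this`.
function callSuperTwice() {
  let parentRuns = 0;
  class Base {
    constructor() { parentRuns++; }
  }
  class Derived extends Base {
    constructor() {
      super();
      super(); // parent constructor runs again, then ReferenceError
    }
  }
  let errorName = null;
  try {
    new Derived();
  } catch (e) {
    errorName = e.constructor.name;
  }
  return { parentRuns, errorName };
}

// Until super() returns, the `this` binding of a derived constructor is
// uninitialised (empty), so reading it is a ReferenceError as well.
function touchThisBeforeSuper() {
  class Base {}
  class Derived extends Base {
    constructor() {
      const snapshot = this; // ReferenceError: `this` is still empty
      super();
      return snapshot;
    }
  }
  try {
    new Derived();
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}
```
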
2016-04-18  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Fix some overhead affecting small codegen
        https://bugs.webkit.org/show_bug.cgi?id=156728

        Reviewed by Filip Pizlo.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::random):
        cryptographicallyRandomNumber() is very costly.
        We only need it in lowering some very particular cases
        of non-trusted immediates. No inline cache needs that.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::addSlowCase):
        Do not copy the JumpList to access its elements.

2016-04-18  Saam barati  <sbarati@apple.com>

        implement dynamic scope accesses in the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=156567

        Reviewed by Geoffrey Garen.

        This patch adds dynamic scope operations to the DFG/FTL.
        This patch adds three new DFG nodes: ResolveScope, PutDynamicVar and GetDynamicVar.
        When we encounter a Dynamic/UnresolvedProperty/UnresolvedPropertyWithVarInjectionChecks
        resolve type, we will compile dynamic scope resolution nodes. When we encounter
        a resolve type that needs var injection checks and the var injection
        watchpoint has already been fired, we will compile dynamic scope resolution
        nodes.

        This patch also adds a new value to the InitializationMode enum: ConstInitialization.
        There was a subtle bug where we used to never compile the var injection variant of the
        resolve type for an eval that injected a var where there was also a global lexical variable with the same name.
        For example, the store compiled in this eval("var foo = 20;") wouldn't be compiled
        with var injection checks if there was global let/const variable named "foo".
        So there was the potential for the injected var to store to the GlobalLexicalObject.
        I found this bug because my initial implementation in the DFG/FTL ran into it.
        The reason this bug existed is because when we compile a const initialization,
        we never need a var injections check. The const initialization always
        knows where to store its value. This same logic leaked into the above eval's
        "var foo = 20" store. This new enum value allows us to distinguish const
        initialization stores from non-const initialization stores.

        (I also changed InitializationMode to be an enum class instead of an enum).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
        (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::initializeVariable):
        (JSC::BytecodeGenerator::emitInstanceOf):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::pushScopedControlFlowContext):
        (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::initializationModeForAssignmentContext):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        (JSC::AssignmentElementNode::bindValue):
        (JSC::RestParameterNode::emit):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
        (JSC::DFG::ByteCodeParser::promoteToConstant):
        (JSC::DFG::ByteCodeParser::needsDynamicLookup):
        (JSC::DFG::ByteCodeParser::planLoad):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::identifierNumber):
        (JSC::DFG::Node::hasGetPutInfo):
        (JSC::DFG::Node::getPutInfo):
        (JSC::DFG::Node::hasAccessorAttributes):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
        (JSC::DFG::SpeculativeJIT::compileResolveScope):
        (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
        (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
        (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_to_scope):
774         (JSC::JIT::emitSlow_op_put_to_scope):
775         * llint/LLIntData.cpp:
776         (JSC::LLInt::Data::performAssertions):
777         * llint/LLIntSlowPaths.cpp:
778         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
779         * llint/LowLevelInterpreter.asm:
780         * llint/LowLevelInterpreter64.asm:
781         * runtime/GetPutInfo.h:
782         (JSC::resolveModeName):
783         (JSC::initializationModeName):
784         (JSC::isInitialization):
785         (JSC::makeType):
786         (JSC::GetPutInfo::GetPutInfo):
787         * runtime/JSScope.cpp:
788         (JSC::abstractAccess):
789
790 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
791
792         Disable AVX.
793
794         Rubber stamped by Benjamin Poulain.
795
796         AVX is silly. If you use it and some of your other code isn't careful with float register bits, you
797         will run 10x slower. We could fix the underlying issue, but it's better to stay away from this odd
798         instruction subset.
799
800         This fixes a massive regression on some real code.
801
802         * assembler/MacroAssemblerX86Common.h:
803         (JSC::MacroAssemblerX86Common::supportsAVX):
804         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
805
806 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
807
808         ToThis should have a fast path based on type info flags
809         https://bugs.webkit.org/show_bug.cgi?id=156712
810
811         Reviewed by Geoffrey Garen.
812
813         Prior to this change, if we couldn't nail down the type of ToThis to something easy, we'd emit code
814         that would take slow path if the argument was not a final object. We'd end up taking that slow path
815         a lot.
816
817         This adds a type info flag for ToThis having non-obvious behavior and changes the DFG and FTL paths
818         to test this flag. This is a sub-1% speed-up on SunSpider and Octane.
819
820         * dfg/DFGSpeculativeJIT32_64.cpp:
821         (JSC::DFG::SpeculativeJIT::compile):
822         * dfg/DFGSpeculativeJIT64.cpp:
823         (JSC::DFG::SpeculativeJIT::compile):
824         * ftl/FTLLowerDFGToB3.cpp:
825         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
826         * runtime/JSGlobalObject.h:
827         (JSC::JSGlobalObject::create):
828         * runtime/JSLexicalEnvironment.h:
829         (JSC::JSLexicalEnvironment::create):
830         * runtime/JSString.h:
831         * runtime/JSTypeInfo.h:
832         (JSC::TypeInfo::overridesGetOwnPropertySlot):
833         (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
834         (JSC::TypeInfo::structureIsImmortal):
835         (JSC::TypeInfo::overridesToThis):
836         (JSC::TypeInfo::overridesGetPropertyNames):
837         (JSC::TypeInfo::prohibitsPropertyCaching):
838         (JSC::TypeInfo::getOwnPropertySlotIsImpure):
839         * runtime/StrictEvalActivation.h:
840         (JSC::StrictEvalActivation::create):
841         * runtime/Symbol.h:
842
843 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
844
845         Check to see how the perf bots react to megamorphic load being disabled.
846
847         Rubber stamped by Chris Dumez.
848
849         * runtime/Options.h:
850
851 2016-04-18  Keith Miller  <keith_miller@apple.com>
852
853         We should support delete in the DFG
854         https://bugs.webkit.org/show_bug.cgi?id=156607
855
856         Reviewed by Benjamin Poulain.
857
858         This patch adds support for the delete in the DFG as it appears that
859         some major frameworks use the operation in particularly hot functions.
860         As a result, even if the function rarely ever calls delete we would never
861         tier up to the DFG. This patch also changes operationDeleteById to take a
862         UniquedStringImpl and return a size_t.
863
864         * dfg/DFGAbstractInterpreterInlines.h:
865         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
866         * dfg/DFGByteCodeParser.cpp:
867         (JSC::DFG::ByteCodeParser::parseBlock):
868         * dfg/DFGCapabilities.cpp:
869         (JSC::DFG::capabilityLevel):
870         * dfg/DFGClobberize.h:
871         (JSC::DFG::clobberize):
872         * dfg/DFGDoesGC.cpp:
873         (JSC::DFG::doesGC):
874         * dfg/DFGFixupPhase.cpp:
875         (JSC::DFG::FixupPhase::fixupNode):
876         * dfg/DFGNode.h:
877         (JSC::DFG::Node::hasIdentifier):
878         * dfg/DFGNodeType.h:
879         * dfg/DFGPredictionPropagationPhase.cpp:
880         (JSC::DFG::PredictionPropagationPhase::propagate):
881         * dfg/DFGSafeToExecute.h:
882         (JSC::DFG::safeToExecute):
883         * dfg/DFGSpeculativeJIT.cpp:
884         (JSC::DFG::SpeculativeJIT::compileDeleteById):
885         * dfg/DFGSpeculativeJIT.h:
886         (JSC::DFG::SpeculativeJIT::callOperation):
887         * dfg/DFGSpeculativeJIT32_64.cpp:
888         (JSC::DFG::SpeculativeJIT::compile):
889         * dfg/DFGSpeculativeJIT64.cpp:
890         (JSC::DFG::SpeculativeJIT::compile):
891         * jit/JIT.h:
892         * jit/JITInlines.h:
893         (JSC::JIT::callOperation):
894         * jit/JITOperations.cpp:
895         * jit/JITOperations.h:
896         * jit/JITPropertyAccess.cpp:
897         (JSC::JIT::emit_op_del_by_id):
898         * jit/JITPropertyAccess32_64.cpp:
899         (JSC::JIT::emit_op_del_by_id):
900
901 2016-04-17  Filip Pizlo  <fpizlo@apple.com>
902
903         FTL should pin the tag registers at inline caches
904         https://bugs.webkit.org/show_bug.cgi?id=156678
905
906         Reviewed by Saam Barati.
907
908         This is a long-overdue fix to our inline caches. Back when we had LLVM, we couldn't rely on the tags
909         being pinned to any registers. So, if the inline caches needed tags, they'd have to materialize them.
910         
911         This removes those materializations. This should reduce the amount of code generated in inline caches
912         and it should make inline caches faster. The effect appears to be small.
913
914         It may be that after this change, we'll even be able to kill the
915         HaveTagRegisters/DoNotHaveTagRegisters logic.
916
917         * bytecode/PolymorphicAccess.cpp:
918         (JSC::AccessCase::generateWithGuard):
919         (JSC::AccessCase::generateImpl):
920         * ftl/FTLLowerDFGToB3.cpp:
921         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
922         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
923         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
924         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
925         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
926         (JSC::FTL::DFG::LowerDFGToB3::getById):
927         * jit/Repatch.cpp:
928         (JSC::readCallTarget):
929         (JSC::linkPolymorphicCall):
930         * jit/ThunkGenerators.cpp:
931         (JSC::virtualThunkFor):
932
933 2016-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
934
935         [ES7] yield star should not return if the inner iterator.throw returns { done: true }
936         https://bugs.webkit.org/show_bug.cgi?id=156576
937
938         Reviewed by Saam Barati.
939
940         This is a slight generator fix in ES7. When calling generator.throw(),
941         the yield-star should call the throw() of the inner generator. At that
942         time, when the result of throw() is { done: true}, the generator should
943         not stop itself.
944
945             function * gen()
946             {
947                 yield * (function * () {
948                     try {
949                         yield 42;
950                     } catch (error) { }
951                 }());
952                 // Continue executing.
953                 yield 42;
954             }
955
956             let g = gen();
957             g.next();
958             shouldBe(g.throw().value, 42);
959
960
961         * builtins/GeneratorPrototype.js:
962         (generatorResume):
963         (next):
964         (return):
965         (throw):
966         * bytecode/BytecodeIntrinsicRegistry.cpp:
967         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
968         * bytecode/BytecodeIntrinsicRegistry.h:
969         * bytecompiler/BytecodeGenerator.cpp:
970         (JSC::BytecodeGenerator::emitDelegateYield):
971         * runtime/JSGeneratorFunction.h:
972         * tests/stress/generator-yield-star.js:
973         (gen):
974         * tests/stress/yield-star-throw-continue.js: Added.
975         (shouldBe):
976         (generator):
977         (shouldThrow):
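
The delegation loop that entry describes, as an added example that is not code from the WebKit patch: a hand-written version of the ES2015 yield* algorithm (next/throw forwarding only; return forwarding is left out), with the hypothetical helper `delegate` beside native `yield*` so the "inner throw() returned { done: true }" case can be observed directly.

```javascript
'use strict';
// Added example, not code from the WebKit patch: a hand-written version of
// the yield* delegation loop from the ES2015 spec (next/throw forwarding
// only; return forwarding is left out for brevity). `delegate` is a
// hypothetical helper used to make the "done: true after throw()" case visible.

function* delegate(iterable) {
  const iterator = iterable[Symbol.iterator]();
  // `received` models the completion record the spec threads through the loop.
  let received = { type: 'next', value: undefined };
  for (;;) {
    let innerResult;
    if (received.type === 'next') {
      innerResult = iterator.next(received.value);
    } else {
      // Our caller invoked throw(): forward it to the inner iterator.
      if (typeof iterator.throw !== 'function') {
        if (typeof iterator.return === 'function') iterator.return();
        throw new TypeError('inner iterator has no throw method');
      }
      innerResult = iterator.throw(received.value);
    }
    // In both branches a done:true result ends the delegation and the yield*
    // expression evaluates to its value. The outer generator keeps running;
    // stopping it here was the bug this entry fixes.
    if (innerResult.done) return innerResult.value;
    // Hand the inner value to the caller; whatever they send back (next(v)
    // or throw(e)) becomes the next completion to forward.
    try {
      received = { type: 'next', value: yield innerResult.value };
    } catch (error) {
      received = { type: 'throw', value: error };
    }
  }
}

// Inner generator that catches the forwarded error and then completes normally.
function* swallowing() {
  try {
    yield 'inner';
  } catch (error) {
    // swallow; falling off the end produces { value: undefined, done: true }
  }
}

// Inner generator that does not catch, so throw() propagates out of it.
function* notCatching() {
  yield 'inner';
}

// Outer generators: one on the manual loop, one on native yield*. Both must
// still reach `yield 42` after the inner generator has finished.
function* outerManual(inner) {
  const result = yield* delegate(inner());
  yield 42;
  return result;
}

function* outerNative(inner) {
  const result = yield* inner();
  yield 42;
  return result;
}

// Drives a generator through next(), throw(), next() and reports what came out.
function runThrowScenario(makeOuter, inner) {
  const g = makeOuter(inner);
  const first = g.next();
  const afterThrow = g.throw(new Error('constructed error'));
  const last = g.next();
  return { first, afterThrow, last };
}

// True when throw() on the outer generator propagates the same error outward.
function throwPropagates(makeOuter, inner) {
  const g = makeOuter(inner);
  g.next();
  try {
    g.throw(new Error('constructed error'));
    return false;
  } catch (error) {
    return error.message === 'constructed error';
  }
}
```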
978
979 2016-04-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>
980
981         Fix incorrect assumption that APPLE implies Mac.
982         https://bugs.webkit.org/show_bug.cgi?id=156683
983     
984         Addresses build failure introduced in r199094
985
986         Reviewed by Alex Christensen.
987
988         * CMakeLists.txt:
989
990 2016-04-17  Benjamin Poulain  <bpoulain@apple.com>
991
992         [JSC] ReduceDoubleToFloat should work across Phis
993         https://bugs.webkit.org/show_bug.cgi?id=156603
994         <rdar://problem/25736205>
995
996         Reviewed by Saam Barati and Filip Pizlo.
997
998         This patch extends B3's ReduceDoubleToFloat phase to work across
999         Upsilon-Phis. This is important to optimize loops and some crazy cases.
1000
1001         In its simplest form, we can have conversion propagated from something
1002         like this:
1003             Double @1 = Phi()
1004             Float @2 = DoubleToFloat(@1)
1005
1006         When that happens, we just need to propagate that the result only
1007         needs float precision across all values coming to this Phi.
1008
1009
1010         There are more complicated cases when the value produced is effectively Float
1011         but the user of the value does not do DoubleToFloat.
1012
1013         Typically, we have something like:
1014             #1
1015                 @1 = ConstDouble(1)
1016                 @2 = Upsilon(@1, ^5)
1017             #2
1018                 @3 = FloatToDouble(@x)
1019                 @4 = Upsilon(@3, ^5)
1020             #3
1021                 @5 = Phi()
1022                 @6 = Add(@5, @somethingFloat)
1023                 @7 = DoubleToFloat(@6)
1024
1025         Here we have a Phi-Upsilon that is a Double but can be represented
1026         as Float without loss of precision.
1027
1028         It is valuable to convert such Phis to float if and only if the value
1029         is used as float. Otherwise, you may be just adding useless conversions
1030         (for example, two double constants that flow into a double Add should not
1031         turn into two float constants flowing into a FloatToDouble then Add).
1032
1033
1034         ReduceDoubleToFloat does two analysis passes to gather the necessary
1035         meta information. Then we have a simplify() phase to actually reduce
1036         operations. Finally, the cleanup() pass puts the graph into a valid
1037         state again.
1038
1039         The two analysis passes work by disproving that something is float.
1040         -findCandidates() accumulates anything used as Double.
1041         -findPhisContainingFloat() accumulates phis that would lose precision
1042          by converting the input to float.
1043
1044         With this change, Unity3D improves by ~1.5%, box2d-f32 improves
1045         by ~2.8% (on Haswell).
1046
1047         * b3/B3ReduceDoubleToFloat.cpp:
1048         (JSC::B3::reduceDoubleToFloat):
1049         * b3/testb3.cpp:
1050         (JSC::B3::testCompareTwoFloatToDouble):
1051         (JSC::B3::testCompareOneFloatToDouble):
1052         (JSC::B3::testCompareFloatToDoubleThroughPhi):
1053         (JSC::B3::testDoubleToFloatThroughPhi):
1054         (JSC::B3::testDoubleProducerPhiToFloatConversion):
1055         (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
1056         (JSC::B3::testDoubleProducerPhiWithNonFloatConst):
1057         (JSC::B3::testStoreDoubleConstantAsFloat):
1058         (JSC::B3::run):
1059         * tests/stress/double-compare-to-float.js: Added.
1060         (canSimplifyToFloat):
1061         (canSimplifyToFloatWithConstant):
1062         (cannotSimplifyA):
1063         (cannotSimplifyB):
1064         * tests/stress/double-to-float.js: Added.
1065         (upsilonReferencingItsPhi):
1066         (upsilonReferencingItsPhiAllFloat):
1067         (upsilonReferencingItsPhiWithoutConversion):
1068         (conversionPropagages):
1069         (chainedUpsilonBothConvert):
1070         (chainedUpsilonFirstConvert):
1071
1072 2016-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1073
1074         [ES6] Use @isObject to check Object Type instead of using instanceof
1075         https://bugs.webkit.org/show_bug.cgi?id=156676
1076
1077         Reviewed by Darin Adler.
1078
1079         Use @isObject instead of `instanceof @Object`.
1080         The `instanceof` check is not enough to check Object Type.
1081         For example, given 2 realms, the object created in one realm does not inherit the Object of another realm.
1082         Another example is an object which does not inherit from Object.
1083         This object can be easily created by calling `Object.create(null)`.
1084
1085         * builtins/RegExpPrototype.js:
1086         (match):
1087         * jsc.cpp:
1088         (GlobalObject::finishCreation):
1089         (functionCreateGlobalObject):
1090         * tests/stress/regexp-match-in-other-realm-should-work.js: Added.
1091         (shouldBe):
1092         * tests/stress/regexp-match-should-work-with-objects-not-inheriting-object-prototype.js: Added.
1093         (shouldBe):
1094         (regexp.exec):
1095
1096 2016-04-17  Darin Adler  <darin@apple.com>
1097
1098         Remove more uses of Deprecated::ScriptXXX
1099         https://bugs.webkit.org/show_bug.cgi?id=156660
1100
1101         Reviewed by Antti Koivisto.
1102
1103         * bindings/ScriptFunctionCall.cpp:
1104         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted
1105         unneeded overloads that take a ScriptObject and ScriptValue.
1106         * bindings/ScriptFunctionCall.h: Ditto.
1107
1108         * bindings/ScriptObject.h: Added operator so this can change
1109         itself into a JSObject*. Helps while phasing this class out.
1110
1111         * bindings/ScriptValue.h: Export toInspectorValue so it can be
1112         used in WebCore.
1113
1114         * inspector/InjectedScriptManager.cpp:
1115         (Inspector::InjectedScriptManager::createInjectedScript): Changed
1116         return value from Deprecated::ScriptObject to JSObject*.
1117         (Inspector::InjectedScriptManager::injectedScriptFor): Updated for
1118         the return value change above.
1119         * inspector/InjectedScriptManager.h: Ditto.
1120
1121 2016-04-16  Benjamin Poulain  <bpoulain@webkit.org>
1122
1123         [JSC] DFG should support relational comparisons of Number and Other
1124         https://bugs.webkit.org/show_bug.cgi?id=156669
1125
1126         Reviewed by Darin Adler.
1127
1128         In Sunspider/3d-raytrace, DFG falls back to JSValue in some important
1129         relational compare because profiling sees "undefined" from time to time.
1130
1131         This case is fairly common outside Sunspider too because of out-of-bounds array access.
1132         Unfortunately for us, our fallback for compare is really inefficient.
1133
1134         Fortunately, relational comparisons with null/undefined/true/false are trivial.
1135         We can just convert both sides to Double. That's what this patch adds.
1136
1137         I also extended constant folding for those cases because I noticed
1138         a bunch of "undefined" constants going through DoubleRep at runtime.
1139
1140         * dfg/DFGAbstractInterpreterInlines.h:
1141         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1142         * dfg/DFGFixupPhase.cpp:
1143         (JSC::DFG::FixupPhase::fixupNode):
1144         * tests/stress/compare-number-and-other.js: Added.
1145         (opaqueSideEffect):
1146         (let.operator.of.operators.eval.testPolymorphic):
1147         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.eval.testMonomorphic):
1148         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicLeftConstant):
1149         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicRightConstant):
1150         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.i.testPolymorphic):
1151
1152 2016-04-16  Benjamin Poulain  <bpoulain@apple.com>
1153
1154         [JSC] FRound/Negate can produce an impure NaN out of a pure NaN
1155         https://bugs.webkit.org/show_bug.cgi?id=156528
1156
1157         Reviewed by Filip Pizlo.
1158
1159         If you fround a double with the bits 0xfff7000000000000
1160         you get 0xfffe000000000000. The first is a pure NaN, the second isn't.
1161
1162         This is without a test because I could not find a way to create a 0xfff7000000000000
1163         while convincing DFG that it's pure.
1164         When we purify NaNs from typed array, we use a specific value of NaN if the input
1165         is any NaN, making testing tricky.
1166
1167         * bytecode/SpeculatedType.cpp:
1168         (JSC::typeOfDoubleNegation):
1169
1170 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
1171
1172         JS::DFG::nodeValuePairListDump does not compile with libstdc++ 4.8
1173         https://bugs.webkit.org/show_bug.cgi?id=156670
1174
1175         Reviewed by Darin Adler.
1176
1177         * dfg/DFGNode.h:
1178         (JSC::DFG::nodeValuePairListDump): Modified to use lambda as comparator.
1179
1180 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
1181
1182         [mips] Implemented moveZeroToDouble.
1183         https://bugs.webkit.org/show_bug.cgi?id=155429
1184
1185         Reviewed by Darin Adler.
1186
1187         This function is required to fix compilation after r197687.
1188
1189         * assembler/MacroAssemblerMIPS.h:
1190         (JSC::MacroAssemblerMIPS::moveZeroToDouble):
1191
1192 2016-04-15  Darin Adler  <darin@apple.com>
1193
1194         Reduce use of Deprecated::ScriptXXX classes
1195         https://bugs.webkit.org/show_bug.cgi?id=156632
1196
1197         Reviewed by Alex Christensen.
1198
1199         * bindings/ScriptFunctionCall.cpp:
1200         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted version that takes a Deprecated::ScriptValue.
1201         (Deprecated::ScriptFunctionCall::call): Changed to return a JSValue.
1202         * bindings/ScriptFunctionCall.h: Updated for the above.
1203
1204         * bindings/ScriptValue.cpp:
1205         (Inspector::jsToInspectorValue): Moved from Deprecated namespace to Inspector namespace. Later, we should
1206         move this to another source file in the inspector directory.
1207         (Inspector::toInspectorValue): Added.
1208         (Deprecated::ScriptValue::toInspectorValue): Updated for change to underlying function.
1209         * bindings/ScriptValue.h: Update for the above.
1210
1211         * inspector/InjectedScript.cpp:
1212         (Inspector::InjectedScript::evaluateOnCallFrame): Changed arguments and return values from
1213         Deprecated::ScriptValue to JSC::JSValue.
1214         (Inspector::InjectedScript::functionDetails): Ditto.
1215         (Inspector::InjectedScript::wrapCallFrames): Ditto.
1216         (Inspector::InjectedScript::wrapObject): Ditto.
1217         (Inspector::InjectedScript::wrapTable): Ditto.
1218         (Inspector::InjectedScript::previewValue): Ditto.
1219         (Inspector::InjectedScript::setExceptionValue): Ditto.
1220         (Inspector::InjectedScript::findObjectById): Ditto.
1221         (Inspector::InjectedScript::inspectObject): Ditto.
1222         * inspector/InjectedScript.h: Ditto.
1223         * inspector/InjectedScriptBase.cpp:
1224         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled): Ditto.
1225         (Inspector::InjectedScriptBase::makeCall): Ditto.
1226         * inspector/InjectedScriptBase.h: Ditto.
1227         * inspector/InjectedScriptModule.cpp:
1228         (Inspector::InjectedScriptModule::ensureInjected): Ditto.
1229         * inspector/ScriptDebugListener.h: Ditto.
1230         * inspector/ScriptDebugServer.cpp:
1231         (Inspector::ScriptDebugServer::evaluateBreakpointAction): Ditto.
1232         (Inspector::ScriptDebugServer::dispatchDidPause): Ditto.
1233         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
1234         (Inspector::ScriptDebugServer::exceptionOrCaughtValue): Ditto.
1235         * inspector/ScriptDebugServer.h: Ditto.
1236         * inspector/agents/InspectorDebuggerAgent.cpp:
1237         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason): Ditto.
1238         (Inspector::InspectorDebuggerAgent::didPause): Ditto.
1239         (Inspector::InspectorDebuggerAgent::breakpointActionProbe): Ditto.
1240         (Inspector::InspectorDebuggerAgent::didContinue): Ditto.
1241         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): Ditto.
1242         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
1243         * inspector/agents/InspectorHeapAgent.cpp:
1244         (Inspector::InspectorHeapAgent::getPreview): Ditto.
1245         (Inspector::InspectorHeapAgent::getRemoteObject): Ditto.
1246
1247 2016-04-15  Keith Miller  <keith_miller@apple.com>
1248
1249         Some JIT/DFG operations need NativeCallFrameTracers
1250         https://bugs.webkit.org/show_bug.cgi?id=156650
1251
1252         Reviewed by Michael Saboff.
1253
1254         Some of our operation functions did not have native call frame
1255         tracers. This meant that we would crash occasionally on some
1256         of our tests when they triggered a GC in one of the functions
1257         without a tracer. In particular, this was exemplified by another
1258         upcoming patch when calling operationSetFunctionName.
1259
1260         This patch does not add tests since this happens consistently in
1261         the patch adding delete_by_id to the DFG.
1262
1263         * dfg/DFGOperations.cpp:
1264         * jit/JITOperations.cpp:
1265
1266 2016-04-15  Joseph Pecoraro  <pecoraro@apple.com>
1267
1268         Web Inspector: sourceMappingURL not used when sourceURL is set
1269         https://bugs.webkit.org/show_bug.cgi?id=156021
1270         <rdar://problem/25438417>
1271
1272         Reviewed by Timothy Hatcher.
1273
1274         Clean up Debugger.sourceParsed to separately include:
1275
1276             - url ("resource URL", "source url" in JSC APIs)
1277             - sourceURL - //# sourceURL directive
1278
1279         By always having the resource URL the Web Inspector frontend
1280         can better match this Script to a Resource of the same URL,
1281         and decide to use the sourceURL if it is available when
1282         appropriate.
1283
1284         * inspector/protocol/Debugger.json:
1285         * inspector/agents/InspectorDebuggerAgent.cpp:
1286         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1287         (Inspector::InspectorDebuggerAgent::didParseSource):
1288         Send the new sourceParsed parameters.
1289
1290 2016-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1291
1292         Web Inspector: Cleanup inspector/debugger tests
1293         https://bugs.webkit.org/show_bug.cgi?id=156619
1294
1295         Reviewed by Brian Burg.
1296
1297         While cleaning up the tests it exposed the fact that breakpoints
1298         were not getting disabled when the inspector closes. This means
1299         that opening the inspector, with breakpoints, and closing the
1300         inspector, would leave the JSC::Debugger thinking breakpoints
1301         are active. The JSC::Debugger should be reset.
1302
1303         * inspector/agents/InspectorDebuggerAgent.cpp:
1304         (Inspector::InspectorDebuggerAgent::disable):
1305
1306 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1307
1308         CopiedBlock should be 64kB
1309
1310         Reviewed by Benjamin Poulain.
1311
1312         Let's try another value.
1313
1314         This is 25% faster on kraken-audio-beat-detection on Mac Pro.
1315
1316         * heap/CopiedBlock.h:
1317
1318 2016-04-15  Zan Dobersek  <zdobersek@igalia.com>
1319
1320         Tail call optimizations lead to crashes on ARM Thumb + Linux
1321         https://bugs.webkit.org/show_bug.cgi?id=150083
1322
1323         Reviewed by Csaba Osztrogonác.
1324
1325         * assembler/AbstractMacroAssembler.h:
1326         (JSC::AbstractMacroAssembler::repatchNearCall): In case of a tail call relink to the
1327         data location of the destination, and not the executable address. This is needed for
1328         the ARM Thumb2 platform where both the source and destination addresses of a jump relink
1329         must not have the bottom bit decorated, as asserted in ARMv7Assembler::relinkJump().
1330         * jit/Repatch.cpp:
1331         (JSC::linkPolymorphicCall): Similarly, when linking a tail call we must link to the
1332         address that has a non-decorated bottom bit, as asserted in ARMv7Assembler::linkJumpAbsolute().
1333
1334 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1335
1336         Unreviewed, rolling out r199567.
1337
1338         performance regression on kraken on macbook*
1339
1340         Reverted changeset:
1341
1342         "CopiedBlock should be 8kB"
1343         https://bugs.webkit.org/show_bug.cgi?id=156610
1344         http://trac.webkit.org/changeset/199567
1345
1346 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1347
1348         CopiedBlock should be 8kB
1349         https://bugs.webkit.org/show_bug.cgi?id=156610
1350
1351         Reviewed by Michael Saboff.
1352
1353         On Mac Pro, this is:
1354
1355             15% faster on kraken-audio-beat-detection
1356
1357             5% faster on v8-splay
1358
1359         Hopefully, this will be OK on MacBook* bots as well.
1360
1361         32kB is the full size of L1 cache on x86. So, allocating and zero-filling
1362         a 32kB CopiedBlock would basically flush the L1 cache. We can ameliorate
1363         this problem by using smaller blocks -- or, if that doesn't work, we can
1364         use larger blocks to amortize the cost.
1365
1366         * heap/CopiedBlock.h:
1367
1368 2016-04-14  Filip Pizlo  <fpizlo@apple.com>
1369
1370         PolymorphicAccess should try to generate a stub only once
1371         https://bugs.webkit.org/show_bug.cgi?id=156555
1372
1373         Reviewed by Geoffrey Garen.
1374         
1375         This changes the PolymorphicAccess heuristics to reduce the amount of code generation even
1376         more than before. We used to always generate a monomorphic stub for the first case we saw.
1377         This change disables that. This change also increases the buffering countdown to match the
1378         cool-down repatch count. This means that we will allow for ten slow paths for adding cases,
1379         then we will generate a stub, and then we will go into cool-down and the repatching slow
1380         paths will not even attempt repatching for a while. After we emerge from cool-down - which
1381         requires a bunch of slow path calls - we will again wait for ten slow paths to get new
1382         cases. Note that it only takes 13 cases to cause the stub to give up on future repatching
1383         entirely. Also, most stubs don't ever get to 10 cases. Therefore, for most stubs this change
1384         means that each IC will repatch once. If they make it to two repatching, then the likelihood
1385         of a third becomes infinitesimal because of all of the rules that come into play at that
1386         point (the size limit being 13, the fact that we go into exponential cool-down every time we
1387         generate code, and the fact that if we have lots of self cases then we will create a
1388         catch-all megamorphic load case).
1389
1390         This also undoes a change to the megamorphic optimization that I think was unintentional.
1391         As in the change that originally introduced megamorphic loads, we want to do this only if we
1392         would otherwise exhaust the max size of the IC. This is because megamorphic loads are pretty
1393         expensive and it's best to use them only if we know that the alternative is giving up on
1394         caching.
1395
1396         This is neutral on JS benchmarks, but looks like it's another speed-up for page loading.
1397
1398         * bytecode/PolymorphicAccess.cpp:
1399         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
1400         (JSC::AccessCase::canReplace):
1401         (JSC::AccessCase::dump):
1402         (JSC::PolymorphicAccess::regenerate):
1403         * bytecode/StructureStubInfo.cpp:
1404         (JSC::StructureStubInfo::StructureStubInfo):
1405         * runtime/Options.h:
1406
1407 2016-04-14  Mark Lam  <mark.lam@apple.com>
1408
1409         Update treatment of invoking RegExp.prototype methods on RegExp.prototype.
1410         https://bugs.webkit.org/show_bug.cgi?id=155922
1411
1412         Reviewed by Keith Miller.
1413
1414         According to the TC39 committee, when invoking the following RegExp.prototype
1415         methods on the RegExp.prototype:
1416         1. RegExp.prototype.flags yields ""
1417         2. RegExp.prototype.global yields undefined
1418         3. RegExp.prototype.ignoreCase yields undefined
1419         4. RegExp.prototype.multiline yields undefined
1420         5. RegExp.prototype.unicode yields undefined
1421         6. RegExp.prototype.source yields "(?:)"
1422         7. RegExp.prototype.sticky yields undefined
1423         8. RegExp.prototype.toString() yields "/(?:)/"
1424
1425         and RegExp.prototype is still NOT an instance of RegExp.  The above behavior
1426         change is a special dispensation applicable only to RegExp.prototype.  The ES6
1427         spec of throwing errors still applies if those methods are applied to anything
1428         else that is not a RegExp object.
1429
1430         * runtime/RegExpPrototype.cpp:
1431         (JSC::regExpProtoGetterGlobal):
1432         (JSC::regExpProtoGetterIgnoreCase):
1433         (JSC::regExpProtoGetterMultiline):
1434         (JSC::regExpProtoGetterSticky):
1435         (JSC::regExpProtoGetterUnicode):
1436         (JSC::regExpProtoGetterFlags):
1437         (JSC::regExpProtoGetterSource):
1438         - Implemented new behavior.
1439
1440         * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
1441         (test):
1442         - Updated to match current kangax test.
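The eight special cases listed in the entry above, checked from JavaScript as an added example (not JavaScriptCore's own code or tests): each accessor is read through its getter on RegExp.prototype with three receivers, RegExp.prototype itself, a plain object, and a real RegExp. One detail worth knowing: the flags getter is specified to accept any object receiver, so it yields "" for a plain object rather than throwing, which is why it drops out of dispensationOnly().

```javascript
// Added example: probe the RegExp.prototype special cases described in the
// ChangeLog entry above. This is not JavaScriptCore code; it only uses the
// standard RegExp API and runs in any ES2015+ engine.

// Runs fn and records either its return value or the name of the error it threw.
function outcome(fn) {
  try {
    return { value: fn() };
  } catch (error) {
    return { threw: error.constructor.name };
  }
}

// The accessors named in the entry, all defined as getters on RegExp.prototype.
const ACCESSORS = ['flags', 'global', 'ignoreCase', 'multiline', 'unicode', 'source', 'sticky'];

// Invokes each getter (and toString) with `receiver` as the this value, so that
// the receiver check inside the getter is what decides the result.
function readAccessors(receiver) {
  const result = {};
  for (const name of ACCESSORS) {
    const getter = Object.getOwnPropertyDescriptor(RegExp.prototype, name).get;
    result[name] = outcome(() => getter.call(receiver));
  }
  result.toString = outcome(() => RegExp.prototype.toString.call(receiver));
  return result;
}

// Summarises the three receivers side by side.
function probeRegExpPrototype() {
  return {
    // RegExp.prototype is an ordinary object, not a RegExp instance.
    prototypeIsRegExp: RegExp.prototype instanceof RegExp,
    onPrototype: readAccessors(RegExp.prototype),
    onPlainObject: readAccessors({}),
    onRealRegExp: readAccessors(/a+/gi),
  };
}

// Returns the accessors that throw for a plain object but succeed for
// RegExp.prototype, i.e. the ones the special dispensation actually covers.
function dispensationOnly() {
  const probe = probeRegExpPrototype();
  return ACCESSORS.filter(
    (name) => 'threw' in probe.onPlainObject[name] && 'value' in probe.onPrototype[name]
  );
}
```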
1443
1444 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
1445
1446         Some imported ES6 tests are missing __createIterableObject
1447         https://bugs.webkit.org/show_bug.cgi?id=156584
1448
1449         Reviewed by Keith Miller.
1450
1451         These tests were failing because I neglected to include __createIterableObject
1452         when I first imported them. Now they pass.
1453
1454         * tests/es6.yaml:
1455         * tests/es6/Array_static_methods_Array.from_generic_iterables.js:
1456         (iterator.next):
1457         (iterable.Symbol.iterator):
1458         (__createIterableObject):
1459         (test):
1460         * tests/es6/Array_static_methods_Array.from_instances_of_generic_iterables.js:
1461         (iterator.next):
1462         (iterable.Symbol.iterator):
1463         (__createIterableObject):
1464         (test):
1465         * tests/es6/Array_static_methods_Array.from_iterator_closing.js:
1466         (iterator.next):
1467         (iterable.Symbol.iterator):
1468         (__createIterableObject):
1469         * tests/es6/Array_static_methods_Array.from_map_function_generic_iterables.js:
1470         (iterator.next):
1471         (iterable.Symbol.iterator):
1472         (__createIterableObject):
1473         (test):
1474         * tests/es6/Array_static_methods_Array.from_map_function_instances_of_iterables.js:
1475         (iterator.next):
1476         (iterable.Symbol.iterator):
1477         (__createIterableObject):
1478         (test):
1479         * tests/es6/Map_iterator_closing.js:
1480         (iterator.next):
1481         (iterable.Symbol.iterator):
1482         (__createIterableObject):
1483         * tests/es6/Promise_Promise.all_generic_iterables.js:
1484         (iterator.next):
1485         (iterable.Symbol.iterator):
1486         (__createIterableObject):
1487         (test.asyncTestPassed):
1488         * tests/es6/Promise_Promise.race_generic_iterables.js:
1489         (iterator.next):
1490         (iterable.Symbol.iterator):
1491         (__createIterableObject):
1492         (test.asyncTestPassed):
1493         * tests/es6/Set_iterator_closing.js:
1494         (iterator.next):
1495         (iterable.Symbol.iterator):
1496         (__createIterableObject):
1497         * tests/es6/WeakMap_iterator_closing.js:
1498         (iterator.next):
1499         (iterable.Symbol.iterator):
1500         (__createIterableObject):
1501         * tests/es6/WeakSet_iterator_closing.js:
1502         (iterator.next):
1503         (iterable.Symbol.iterator):
1504         (__createIterableObject):
1505         * tests/es6/destructuring_iterator_closing.js:
1506         (iterator.next):
1507         (iterable.Symbol.iterator):
1508         (__createIterableObject):
1509         * tests/es6/destructuring_with_generic_iterables.js:
1510         (iterator.next):
1511         (iterable.Symbol.iterator):
1512         (__createIterableObject):
1513         (test):
1514         * tests/es6/destructuring_with_instances_of_generic_iterables.js:
1515         (iterator.next):
1516         (iterable.Symbol.iterator):
1517         (__createIterableObject):
1518         (test):
1519         * tests/es6/for..of_loops_iterator_closing_break.js:
1520         (iterator.next):
1521         (iterable.Symbol.iterator):
1522         (__createIterableObject):
1523         * tests/es6/for..of_loops_iterator_closing_throw.js:
1524         (iterator.next):
1525         (iterable.Symbol.iterator):
1526         (__createIterableObject):
1527         * tests/es6/for..of_loops_with_generic_iterables.js:
1528         (iterator.next):
1529         (iterable.Symbol.iterator):
1530         (__createIterableObject):
1531         (test):
1532         * tests/es6/for..of_loops_with_instances_of_generic_iterables.js:
1533         (iterator.next):
1534         (iterable.Symbol.iterator):
1535         (__createIterableObject):
1536         (test):
1537         * tests/es6/generators_yield_star_generic_iterables.js:
1538         (iterator.next):
1539         (iterable.Symbol.iterator):
1540         (__createIterableObject):
1541         * tests/es6/generators_yield_star_iterator_closing_via_throw.js:
1542         (iterator.next):
1543         (iterable.Symbol.iterator):
1544         (__createIterableObject):
1545         * tests/es6/spread_..._operator_with_generic_iterables_in_arrays.js:
1546         (iterator.next):
1547         (iterable.Symbol.iterator):
1548         (__createIterableObject):
1549         (test):
1550         * tests/es6/spread_..._operator_with_generic_iterables_in_calls.js:
1551         (iterator.next):
1552         (iterable.Symbol.iterator):
1553         (__createIterableObject):
1554         (test):
1555         * tests/es6/spread_..._operator_with_instances_of_iterables_in_arrays.js:
1556         (iterator.next):
1557         (iterable.Symbol.iterator):
1558         (__createIterableObject):
1559         (test):
1560         * tests/es6/spread_..._operator_with_instances_of_iterables_in_calls.js:
1561         (iterator.next):
1562         (iterable.Symbol.iterator):
1563         (__createIterableObject):
1564         (test):
1565
1566 2016-04-13  Alex Christensen  <achristensen@webkit.org>
1567
1568         CMake MiniBrowser should be an app bundle
1569         https://bugs.webkit.org/show_bug.cgi?id=156521
1570
1571         Reviewed by Brent Fulgham.
1572
1573         * PlatformMac.cmake:
1574         Unreviewed build fix.  Define __STDC_WANT_LIB_EXT1__ so we can find memset_s.
1575
1576 2016-04-13  Joseph Pecoraro  <pecoraro@apple.com>
1577
1578         JSContext Inspector: Improve Class instances and JSC API Exported Values view in Console / ObjectTree
1579         https://bugs.webkit.org/show_bug.cgi?id=156566
1580         <rdar://problem/16392365>
1581
1582         Reviewed by Timothy Hatcher.
1583
1584         * inspector/InjectedScriptSource.js:
1585         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
1586         Treat non-basic object types as not lossless so they can be expanded.
1587         Show non-enumerable native getters in Object previews.
1588
1589 2016-04-13  Michael Saboff  <msaboff@apple.com>
1590
1591         Some tests fail with ES6 `u` (Unicode) flag for regular expressions
1592         https://bugs.webkit.org/show_bug.cgi?id=151597
1593
1594         Reviewed by Geoffrey Garen.
1595
1596         Added two new tables to handle the anomalies of \w and \W CharacterClassEscapes
1597         when specified in RegExp's with both the unicode and ignoreCase flags.  Given the
1598         case folding rules described in the standard via the meta function Canonicalize(),
1599         which allow cross ASCII case folding when unicode is specified, the unicode characters
1600         \u017f (small sharp s) and \u212a (kelvin symbol) are part of the \w (word) characterClassEscape.
1601         This is true because they case fold to 's' and 'k' respectively.  Because they case fold
1602         to lower case letters, the corresponding letters, 'k', 'K', 's' and 'S', are also matched with
1603         \W with the unicode and ignoreCase flags.
1604
1605         * create_regex_tables:
1606         * yarr/YarrPattern.cpp:
1607         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
1608         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
1609         (JSC::Yarr::YarrPattern::YarrPattern):
1610         * yarr/YarrPattern.h:
1611         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
1612         (JSC::Yarr::YarrPattern::wordUnicodeIgnoreCaseCharCharacterClass):
1613         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
1614         (JSC::Yarr::YarrPattern::nonwordUnicodeIgnoreCaseCharCharacterClass):
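An added check, not the project's code, for the case-folding anomaly the entry above describes: it scans the Basic Multilingual Plane for characters that \w matches only when a RegExp carries both the unicode and ignoreCase flags, and expects exactly the two code points the entry names, U+017F and U+212A. It exercises whatever engine runs it, so it doubles as a conformance probe for this corner of the spec.

```javascript
// Added example: find every BMP character that the \w escape accepts only when
// a RegExp has both the u and i flags. Not JavaScriptCore code; it relies on the
// host engine's own regex implementation and works in any ES2015+ engine.

// One compiled \w pattern per flag combination, so the scan below is cheap.
const WORD_RE = {};
function isWordChar(ch, flags) {
  if (!(flags in WORD_RE)) WORD_RE[flags] = new RegExp('^\\w$', flags);
  return WORD_RE[flags].test(ch);
}

// Returns the code points in [0x80, 0xFFFF] that \w accepts with 'iu' but rejects
// with plain 'u'. Without ignoreCase, \w is exactly [A-Za-z0-9_], so anything that
// shows up here got in through unicode case folding into that ASCII set.
function unicodeIgnoreCaseWordExtras() {
  const extras = [];
  for (let cp = 0x80; cp <= 0xffff; cp++) {
    const ch = String.fromCharCode(cp); // lone surrogates simply never match
    if (isWordChar(ch, 'iu') && !isWordChar(ch, 'u')) extras.push(cp);
  }
  return extras;
}

// The same question for all four flag combinations, for the two characters the
// entry names: only the 'iu' column is true, because non-unicode case-insensitive
// matching refuses to fold a non-ASCII character onto an ASCII one.
function anomalyTable() {
  const table = {};
  for (const cp of [0x017f, 0x212a]) {
    const ch = String.fromCharCode(cp);
    const key = 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
    table[key] = {
      plain: isWordChar(ch, ''),
      i: isWordChar(ch, 'i'),
      u: isWordChar(ch, 'u'),
      iu: isWordChar(ch, 'iu'),
    };
  }
  return table;
}
```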
1615
1616 2016-04-13  Commit Queue  <commit-queue@webkit.org>
1617
1618         Unreviewed, rolling out r199502 and r199511.
1619         https://bugs.webkit.org/show_bug.cgi?id=156557
1620
1621         Appears to have in-browser perf regression (Requested by mlam
1622         on #webkit).
1623
1624         Reverted changesets:
1625
1626         "ES6: Implement String.prototype.split and
1627         RegExp.prototype[@@split]."
1628         https://bugs.webkit.org/show_bug.cgi?id=156013
1629         http://trac.webkit.org/changeset/199502
1630
1631         "ES6: Implement RegExp.prototype[@@search]."
1632         https://bugs.webkit.org/show_bug.cgi?id=156331
1633         http://trac.webkit.org/changeset/199511
1634
1635 2016-04-13  Keith Miller  <keith_miller@apple.com>
1636
1637         isJSArray should use ArrayType rather than the ClassInfo
1638         https://bugs.webkit.org/show_bug.cgi?id=156551
1639
1640         Reviewed by Filip Pizlo.
1641
1642         Using the JSType rather than the ClassInfo should be slightly faster
1643         since the type is inline on the cell whereas the ClassInfo is only
1644         on the structure.
1645
1646         * runtime/JSArray.h:
1647         (JSC::isJSArray):
1648
1649 2016-04-13  Mark Lam  <mark.lam@apple.com>
1650
1651         ES6: Implement RegExp.prototype[@@search].
1652         https://bugs.webkit.org/show_bug.cgi?id=156331
1653
1654         Reviewed by Keith Miller.
1655
1656         What changed?
1657         1. Implemented search builtin in RegExpPrototype.js.
1658            The native path is now used as a fast path.
1659         2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
1660            IsJSArrayIntrinsic).
1661         3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
1662         4. Change the esSpecIsRegExpObject() implementation to check if the object's
1663            JSType is RegExpObjectType instead of walking the classinfo chain.
1664
1665         * builtins/RegExpPrototype.js:
1666         (search):
1667         * builtins/StringPrototype.js:
1668         (search):
1669         - fixed some indentation.
1670
1671         * dfg/DFGAbstractInterpreterInlines.h:
1672         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1673         * dfg/DFGByteCodeParser.cpp:
1674         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1675         * dfg/DFGClobberize.h:
1676         (JSC::DFG::clobberize):
1677         * dfg/DFGDoesGC.cpp:
1678         (JSC::DFG::doesGC):
1679         * dfg/DFGFixupPhase.cpp:
1680         (JSC::DFG::FixupPhase::fixupNode):
1681         * dfg/DFGNodeType.h:
1682         * dfg/DFGPredictionPropagationPhase.cpp:
1683         (JSC::DFG::PredictionPropagationPhase::propagate):
1684         * dfg/DFGSafeToExecute.h:
1685         (JSC::DFG::safeToExecute):
1686         * dfg/DFGSpeculativeJIT.cpp:
1687         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
1688         (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
1689         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1690         * dfg/DFGSpeculativeJIT.h:
1691         * dfg/DFGSpeculativeJIT32_64.cpp:
1692         (JSC::DFG::SpeculativeJIT::compile):
1693         * dfg/DFGSpeculativeJIT64.cpp:
1694         (JSC::DFG::SpeculativeJIT::compile):
1695         * ftl/FTLCapabilities.cpp:
1696         (JSC::FTL::canCompile):
1697         * ftl/FTLLowerDFGToB3.cpp:
1698         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1699         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
1700         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
1701         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
1702         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
1703         (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
1704         (JSC::FTL::DFG::LowerDFGToB3::isType):
1705         * runtime/Intrinsic.h:
1706         - Added IsRegExpObjectIntrinsic.
1707
1708         * runtime/CommonIdentifiers.h:
1709
1710         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1711         (JSC::esSpecIsConstructor):
1712         - Changed to use uncheckedArgument since this is only called from internal code.
1713         (JSC::esSpecIsRegExpObject):
1714         (JSC::esSpecIsRegExp): Deleted.
1715         * runtime/ECMAScriptSpecInternalFunctions.h:
1716         - Changed to check the object for a JSType of RegExpObjectType.
1717
1718         * runtime/JSGlobalObject.cpp:
1719         (JSC::JSGlobalObject::init):
1720         - Added split fast path.
1721
1722         * runtime/RegExpPrototype.cpp:
1723         (JSC::RegExpPrototype::finishCreation):
1724         (JSC::regExpProtoFuncSearchFast):
1725         (JSC::regExpProtoFuncSearch): Deleted.
1726         * runtime/RegExpPrototype.h:
1727
1728         * tests/es6.yaml:
1729         * tests/stress/regexp-search.js:
1730         - Rebased test.
1731
1732 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
1733
1734         PolymorphicAccess::regenerate() shouldn't have to clone non-generated AccessCases
1735         https://bugs.webkit.org/show_bug.cgi?id=156493
1736
1737         Reviewed by Geoffrey Garen.
1738
1739         Cloning AccessCases is only necessary if they hold some artifacts that are used by code that
1740         they already generated. So, if the state is not Generated, we don't have to bother with
1741         cloning them.
1742
1743         This should speed up PolymorphicAccess regeneration a bit more.
1744
1745         * bytecode/PolymorphicAccess.cpp:
1746         (JSC::AccessCase::commit):
1747         (JSC::PolymorphicAccess::regenerate):
1748
1749 2016-04-13  Mark Lam  <mark.lam@apple.com>
1750
1751         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1752         https://bugs.webkit.org/show_bug.cgi?id=156013
1753
1754         Reviewed by Keith Miller.
1755
1756         Re-landing r199393 now that the shadow chicken crash has been fixed.
1757
1758         * CMakeLists.txt:
1759         * JavaScriptCore.xcodeproj/project.pbxproj:
1760         * builtins/GlobalObject.js:
1761         (speciesConstructor):
1762         * builtins/PromisePrototype.js:
1763         - refactored to use the @speciesConstructor internal function.
1764
1765         * builtins/RegExpPrototype.js:
1766         (advanceStringIndex):
1767         - refactored from @advanceStringIndexUnicode() to match the spec.
1768           Benchmarks show that there's no advantage in doing the unicode check outside
1769           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
1770           spec (especially since @@split needs to call advanceStringIndex from more than
1771           1 location).
1772         (match):
1773         - Removed an unnecessary call to @Object because it was already proven above.
1774         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
1775           Again, there's no perf regression for this.
1776         (regExpExec):
1777         (hasObservableSideEffectsForRegExpSplit):
1778         (split):
1779         (advanceStringIndexUnicode): Deleted.
1780
1781         * builtins/StringPrototype.js:
1782         (split):
1783         - Modified to use RegExp.prototype[@@split].
1784
1785         * bytecode/BytecodeIntrinsicRegistry.cpp:
1786         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1787         (JSC::BytecodeIntrinsicRegistry::lookup):
1788         * bytecode/BytecodeIntrinsicRegistry.h:
1789         - Added the @@split symbol.
1790
1791         * runtime/CommonIdentifiers.h:
1792         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
1793         (JSC::esSpecIsConstructor):
1794         (JSC::esSpecIsRegExp):
1795         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
1796
1797         * runtime/JSGlobalObject.cpp:
1798         (JSC::getGetterById):
1799         (JSC::JSGlobalObject::init):
1800
1801         * runtime/PropertyDescriptor.cpp:
1802         (JSC::PropertyDescriptor::setDescriptor):
1803         - Removed an assert that is no longer valid.
1804
1805         * runtime/RegExpObject.h:
1806         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
1807           fast path.
1808
1809         * runtime/RegExpPrototype.cpp:
1810         (JSC::RegExpPrototype::finishCreation):
1811         (JSC::regExpProtoFuncExec):
1812         (JSC::regExpProtoFuncSearch):
1813         (JSC::advanceStringIndex):
1814         (JSC::regExpProtoFuncSplitFast):
1815         * runtime/RegExpPrototype.h:
1816
1817         * runtime/StringObject.h:
1818         (JSC::jsStringWithReuse):
1819         (JSC::jsSubstring):
1820         - Hoisted some utility functions from StringPrototype.cpp so that they can be
1821           reused by the regexp split fast path.
1822
1823         * runtime/StringPrototype.cpp:
1824         (JSC::StringPrototype::finishCreation):
1825         (JSC::stringProtoFuncSplitFast):
1826         (JSC::stringProtoFuncSubstr):
1827         (JSC::builtinStringSubstrInternal):
1828         (JSC::stringProtoFuncSubstring):
1829         (JSC::stringIncludesImpl):
1830         (JSC::stringProtoFuncIncludes):
1831         (JSC::builtinStringIncludesInternal):
1832         (JSC::jsStringWithReuse): Deleted.
1833         (JSC::jsSubstring): Deleted.
1834         (JSC::stringProtoFuncSplit): Deleted.
1835         * runtime/StringPrototype.h:
1836
1837         * tests/es6.yaml:
1838
1839 2016-04-13  Mark Lam  <mark.lam@apple.com>
1840
1841         ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
1842         https://bugs.webkit.org/show_bug.cgi?id=156532
1843
1844         Reviewed by Saam Barati and Filip Pizlo.
1845
1846         ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in
1847         the callee field of a log packet.  However, ShadowChicken::visitChildren()
1848         unconditionally visits the callee field of each packet as if they are real
1849         objects.  If visitChildren() encounters one of these markers in the log, we get a
1850         crash.
1851
1852         This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow
1853         chicken when r199393 landed.  r199393 introduced tail calls to a RegExp split
1854         fast path, and the v8-regexp.js test exercised this fast path a lot.  Throw in
1855         some timely GCs, and we get a crash party.
1856
1857         The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and
1858         throwMarker.
1859
1860         Alternatively, if perf is an issue, we can allocate 2 dedicated objects for
1861         these markers so that ShadowChicken can continue to visit them.  For now, I'm
1862         going with the filter.
1863
1864         * interpreter/ShadowChicken.cpp:
1865         (JSC::ShadowChicken::visitChildren):
1866
1867 2016-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1868
1869         [ES6] Add @@toStringTag to GeneratorFunction
1870         https://bugs.webkit.org/show_bug.cgi?id=156499
1871
1872         Reviewed by Mark Lam.
1873
1874         GeneratorFunction.prototype has @@toStringTag property, "GeneratorFunction".
1875         https://tc39.github.io/ecma262/#sec-generatorfunction.prototype-@@tostringtag
1876
1877         * runtime/GeneratorFunctionPrototype.cpp:
1878         (JSC::GeneratorFunctionPrototype::finishCreation):
1879         * tests/es6.yaml:
1880         * tests/es6/well-known_symbols_Symbol.toStringTag_new_built-ins.js: Added.
1881         (test):
1882
1883 2016-04-13  Alberto Garcia  <berto@igalia.com>
1884
1885         Fix build in glibc-based BSD systems
1886         https://bugs.webkit.org/show_bug.cgi?id=156533
1887
1888         Reviewed by Carlos Garcia Campos.
1889
1890         Change the order of the #elif conditionals so glibc-based BSD
1891         systems (e.g. Debian GNU/kFreeBSD) use the code inside the
1892         OS(FREEBSD) blocks.
1893
1894         * heap/MachineStackMarker.cpp:
1895         (JSC::MachineThreads::Thread::Registers::stackPointer):
1896         (JSC::MachineThreads::Thread::Registers::framePointer):
1897         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1898         (JSC::MachineThreads::Thread::Registers::llintPC):
1899
1900 2016-04-12  Keith Miller  <keith_miller@apple.com>
1901
1902         Unreviewed undo change from ArrayClass to ArrayWithUndecided, which
1903         was not intended to land with r199397.
1904
1905         * runtime/ArrayPrototype.h:
1906         (JSC::ArrayPrototype::createStructure):
1907
1908 2016-04-12  Mark Lam  <mark.lam@apple.com>
1909
1910         Rollout: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1911         https://bugs.webkit.org/show_bug.cgi?id=156013
1912
1913         Speculative rollout to fix 32-bit shadow-chicken.yaml/tests/v8-v6/v8-regexp.js.shadow-chicken test failure.
1914
1915         Not reviewed.
1916
1917         * CMakeLists.txt:
1918         * JavaScriptCore.xcodeproj/project.pbxproj:
1919         * builtins/GlobalObject.js:
1920         (speciesGetter):
1921         (speciesConstructor): Deleted.
1922         * builtins/PromisePrototype.js:
1923         * builtins/RegExpPrototype.js:
1924         (advanceStringIndexUnicode):
1925         (match):
1926         (advanceStringIndex): Deleted.
1927         (regExpExec): Deleted.
1928         (hasObservableSideEffectsForRegExpSplit): Deleted.
1929         (split): Deleted.
1930         * builtins/StringPrototype.js:
1931         (repeat):
1932         (split): Deleted.
1933         * bytecode/BytecodeIntrinsicRegistry.cpp:
1934         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1935         (JSC::BytecodeIntrinsicRegistry::lookup):
1936         * bytecode/BytecodeIntrinsicRegistry.h:
1937         * runtime/CommonIdentifiers.h:
1938         * runtime/ECMAScriptSpecInternalFunctions.cpp: Removed.
1939         * runtime/ECMAScriptSpecInternalFunctions.h: Removed.
1940         * runtime/JSGlobalObject.cpp:
1941         (JSC::JSGlobalObject::setGlobalThis):
1942         (JSC::JSGlobalObject::init):
1943         (JSC::getGetterById): Deleted.
1944         * runtime/PropertyDescriptor.cpp:
1945         (JSC::PropertyDescriptor::setDescriptor):
1946         * runtime/RegExpObject.h:
1947         (JSC::RegExpObject::offsetOfLastIndexIsWritable):
1948         * runtime/RegExpPrototype.cpp:
1949         (JSC::RegExpPrototype::finishCreation):
1950         (JSC::regExpProtoFuncExec):
1951         (JSC::regExpProtoFuncSearch):
1952         (JSC::advanceStringIndex): Deleted.
1953         (JSC::regExpProtoFuncSplitFast): Deleted.
1954         * runtime/RegExpPrototype.h:
1955         * runtime/StringObject.h:
1956         (JSC::jsStringWithReuse): Deleted.
1957         (JSC::jsSubstring): Deleted.
1958         * runtime/StringPrototype.cpp:
1959         (JSC::StringPrototype::finishCreation):
1960         (JSC::jsStringWithReuse):
1961         (JSC::jsSubstring):
1962         (JSC::substituteBackreferencesSlow):
1963         (JSC::splitStringByOneCharacterImpl):
1964         (JSC::stringProtoFuncSplit):
1965         (JSC::stringProtoFuncSubstr):
1966         (JSC::stringProtoFuncSubstring):
1967         (JSC::stringProtoFuncEndsWith):
1968         (JSC::stringProtoFuncIncludes):
1969         (JSC::stringProtoFuncIterator):
1970         (JSC::stringProtoFuncSplitFast): Deleted.
1971         (JSC::builtinStringSubstrInternal): Deleted.
1972         (JSC::stringIncludesImpl): Deleted.
1973         (JSC::builtinStringIncludesInternal): Deleted.
1974         * runtime/StringPrototype.h:
1975         * tests/es6.yaml:
1976
1977 2016-04-12  Mark Lam  <mark.lam@apple.com>
1978
1979         Remove 2 unused JSC options.
1980         https://bugs.webkit.org/show_bug.cgi?id=156526
1981
1982         Reviewed by Benjamin Poulain.
1983
1984         The options JSC_assertICSizing and JSC_dumpFailedICSizing are no longer in use
1985         now that we have B3.
1986
1987         * runtime/Options.h:
1988
1989 2016-04-12  Keith Miller  <keith_miller@apple.com>
1990
1991         [ES6] Add support for Symbol.isConcatSpreadable.
1992         https://bugs.webkit.org/show_bug.cgi?id=155351
1993
1994         Reviewed by Saam Barati.
1995
1996         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
1997         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
1998         a builtin performant. First, four new DFG intrinsics were added.
1999
2000         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
2001            the Array.isArray function.
2002         2) IsJSArray: checks the first child is a JSArray object.
2003         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
2004         4) CallObjectConstructor: an intrinsic of the Object constructor.
2005
2006         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
2007         we are able to prove that the first child is an Array or for ToObject an Object.
2008
2009         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
2010         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
2011         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
2012         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
2013         into a contiguous array).
2014
2015         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
2016         values onto the result array. This works roughly the same as the two array fast path using the same methodology
2017         to decide if we can memcpy the other butterfly into the result butterfly.
2018
2019         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
2020         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
2021         dataLog function on it.
2022
2023         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
2024         JSValueOperand if the operand's use count is one.
2025
2026         * JavaScriptCore.xcodeproj/project.pbxproj:
2027         * builtins/ArrayPrototype.js:
2028         (concatSlowPath):
2029         (concat):
2030         * bytecode/BytecodeIntrinsicRegistry.cpp:
2031         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2032         * bytecode/BytecodeIntrinsicRegistry.h:
2033         * dfg/DFGAbstractInterpreterInlines.h:
2034         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2035         * dfg/DFGByteCodeParser.cpp:
2036         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2037         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2038         * dfg/DFGClobberize.h:
2039         (JSC::DFG::clobberize):
2040         * dfg/DFGDoesGC.cpp:
2041         (JSC::DFG::doesGC):
2042         * dfg/DFGFixupPhase.cpp:
2043         (JSC::DFG::FixupPhase::fixupNode):
2044         * dfg/DFGNodeType.h:
2045         * dfg/DFGOperations.cpp:
2046         * dfg/DFGOperations.h:
2047         * dfg/DFGPredictionPropagationPhase.cpp:
2048         (JSC::DFG::PredictionPropagationPhase::propagate):
2049         * dfg/DFGSafeToExecute.h:
2050         (JSC::DFG::safeToExecute):
2051         * dfg/DFGSpeculativeJIT.cpp:
2052         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2053         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
2054         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
2055         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
2056         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
2057         * dfg/DFGSpeculativeJIT.h:
2058         (JSC::DFG::SpeculativeJIT::callOperation):
2059         * dfg/DFGSpeculativeJIT32_64.cpp:
2060         (JSC::DFG::SpeculativeJIT::compile):
2061         * dfg/DFGSpeculativeJIT64.cpp:
2062         (JSC::DFG::SpeculativeJIT::compile):
2063         * ftl/FTLCapabilities.cpp:
2064         (JSC::FTL::canCompile):
2065         * ftl/FTLLowerDFGToB3.cpp:
2066         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2067         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
2068         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
2069         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
2070         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
2071         (JSC::FTL::DFG::LowerDFGToB3::isArray):
2072         * jit/JITOperations.h:
2073         * jsc.cpp:
2074         (GlobalObject::finishCreation):
2075         (functionDataLogValue):
2076         * runtime/ArrayConstructor.cpp:
2077         (JSC::ArrayConstructor::finishCreation):
2078         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
2079         * runtime/ArrayConstructor.h:
2080         (JSC::isArrayConstructor):
2081         * runtime/ArrayPrototype.cpp:
2082         (JSC::ArrayPrototype::finishCreation):
2083         (JSC::arrayProtoPrivateFuncIsJSArray):
2084         (JSC::moveElements):
2085         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2086         (JSC::arrayProtoPrivateFuncAppendMemcpy):
2087         (JSC::arrayProtoFuncConcat): Deleted.
2088         * runtime/ArrayPrototype.h:
2089         (JSC::ArrayPrototype::createStructure):
2090         * runtime/CommonIdentifiers.h:
2091         * runtime/Intrinsic.h:
2092         * runtime/JSArray.cpp:
2093         (JSC::JSArray::appendMemcpy):
2094         (JSC::JSArray::fastConcatWith): Deleted.
2095         * runtime/JSArray.h:
2096         (JSC::JSArray::createStructure):
2097         (JSC::JSArray::fastConcatType): Deleted.
2098         * runtime/JSArrayInlines.h: Added.
2099         (JSC::JSArray::memCopyWithIndexingType):
2100         (JSC::JSArray::canFastCopy):
2101         * runtime/JSGlobalObject.cpp:
2102         (JSC::JSGlobalObject::init):
2103         * runtime/JSType.h:
2104         * runtime/ObjectConstructor.h:
2105         (JSC::constructObject):
2106         * tests/es6.yaml:
2107         * tests/stress/array-concat-spread-object.js: Added.
2108         (arrayEq):
2109         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
2110         (arrayEq):
2111         * tests/stress/array-concat-spread-proxy.js: Added.
2112         (arrayEq):
2113         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
2114         (arrayEq):
2115         * tests/stress/array-species-config-array-constructor.js:
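The observable behaviour a JS-builtin concat with memcpy fast paths has to preserve, as an added example that is not the project's code or its stress tests: an ordinary object is spread only when Symbol.isConcatSpreadable is true, an Array is nested when it is false, and a Proxy whose get trap throws during the Symbol.isConcatSpreadable lookup must make concat propagate that exception rather than take a fast path past it.

```javascript
// Added example (not JavaScriptCore code): the Symbol.isConcatSpreadable semantics
// that Array.prototype.concat must keep regardless of which fast path it takes.
// Runs in any ES2015+ engine.

// Element-wise comparison, so nested arrays are inspected rather than coerced.
function arrayEq(a, b) {
  if (!Array.isArray(a) || !Array.isArray(b) || a.length !== b.length) return false;
  return a.every((v, i) => (Array.isArray(v) ? arrayEq(v, b[i]) : Object.is(v, b[i])));
}

// An ordinary object is spread only if it opts in; an Array is spread unless it opts out.
function concatSpreadCases() {
  const arrayLike = { length: 2, 0: 'a', 1: 'b' };
  const optedIn = { length: 2, 0: 'a', 1: 'b', [Symbol.isConcatSpreadable]: true };
  const optedOut = [2, 3];
  optedOut[Symbol.isConcatSpreadable] = false;
  return {
    defaultObject: [1].concat(arrayLike), // [1, { length: 2, ... }] (not spread)
    optedInObject: [1].concat(optedIn),   // [1, 'a', 'b']
    defaultArray: [1].concat([2, 3]),     // [1, 2, 3]
    optedOutArray: [1].concat(optedOut),  // [1, [2, 3]]
  };
}

// concat looks up Symbol.isConcatSpreadable on every argument through the normal
// [[Get]] path, so a Proxy trap that throws there aborts the whole call. A fast
// path that skipped the lookup for array-shaped arguments would swallow this.
function concatThroughThrowingProxy() {
  const proxy = new Proxy([1, 2], {
    get(target, key, receiver) {
      if (key === Symbol.isConcatSpreadable) throw new RangeError('isConcatSpreadable probe');
      return Reflect.get(target, key, receiver);
    },
  });
  try {
    [0].concat(proxy);
    return 'no exception';
  } catch (error) {
    return error.constructor.name + ': ' + error.message;
  }
}
```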
2116
2117 2016-04-12  Saam barati  <sbarati@apple.com>
2118
2119         Let's not iterate over the constant pool twice every time we link a code block
2120         https://bugs.webkit.org/show_bug.cgi?id=156517
2121
2122         Reviewed by Mark Lam.
2123
2124         I introduced a second iteration over the constant pool when I implemented
2125         block scoping. I did this because we must clone all the symbol tables when
2126         we link a CodeBlock. We can just do this cloning when setting the constant
2127         registers for the first time. There is no need to iterate over the constant
2128         pool a second time.
2129
2130         * bytecode/CodeBlock.cpp:
2131         (JSC::CodeBlock::finishCreation):
2132         (JSC::CodeBlock::~CodeBlock):
2133         (JSC::CodeBlock::setConstantRegisters):
2134         (JSC::CodeBlock::setAlternative):
2135         * bytecode/CodeBlock.h:
2136         (JSC::CodeBlock::replaceConstant):
2137         (JSC::CodeBlock::setConstantRegisters): Deleted.
2138
2139 2016-04-12  Mark Lam  <mark.lam@apple.com>
2140
2141         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
2142         https://bugs.webkit.org/show_bug.cgi?id=156013
2143
2144         Reviewed by Keith Miller.
2145
2146         * CMakeLists.txt:
2147         * JavaScriptCore.xcodeproj/project.pbxproj:
2148         * builtins/GlobalObject.js:
2149         (speciesConstructor):
2150         * builtins/PromisePrototype.js:
2151         - refactored to use the @speciesConstructor internal function.
2152
2153         * builtins/RegExpPrototype.js:
2154         (advanceStringIndex):
2155         - refactored from @advanceStringIndexUnicode() to match the spec.
2156           Benchmarks show that there's no advantage in doing the unicode check outside
2157           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
2158           spec (especially since @@split needs to call advanceStringIndex from more than
2159           1 location).
2160         (match):
2161         - Removed an unnecessary call to @Object because it was already proven above.
2162         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
2163           Again, there's no perf regression for this.
2164         (regExpExec):
2165         (hasObservableSideEffectsForRegExpSplit):
2166         (split):
2167         (advanceStringIndexUnicode): Deleted.
2168
2169         * builtins/StringPrototype.js:
2170         (split):
2171         - Modified to use RegExp.prototype[@@split].
2172
2173         * bytecode/BytecodeIntrinsicRegistry.cpp:
2174         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2175         (JSC::BytecodeIntrinsicRegistry::lookup):
2176         * bytecode/BytecodeIntrinsicRegistry.h:
2177         - Added the @@split symbol.
2178
2179         * runtime/CommonIdentifiers.h:
2180         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
2181         (JSC::esSpecIsConstructor):
2182         (JSC::esSpecIsRegExp):
2183         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
2184
2185         * runtime/JSGlobalObject.cpp:
2186         (JSC::getGetterById):
2187         (JSC::JSGlobalObject::init):
2188
2189         * runtime/PropertyDescriptor.cpp:
2190         (JSC::PropertyDescriptor::setDescriptor):
2191         - Removed an assert that is no longer valid.
2192
2193         * runtime/RegExpObject.h:
2194         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
2195           fast path.
2196
2197         * runtime/RegExpPrototype.cpp:
2198         (JSC::RegExpPrototype::finishCreation):
2199         (JSC::regExpProtoFuncExec):
2200         (JSC::regExpProtoFuncSearch):
2201         (JSC::advanceStringIndex):
2202         (JSC::regExpProtoFuncSplitFast):
2203         * runtime/RegExpPrototype.h:
2204
2205         * runtime/StringObject.h:
2206         (JSC::jsStringWithReuse):
2207         (JSC::jsSubstring):
2208         - Hoisted some utility functions from StringPrototype.cpp so that they can be
2209           reused by the regexp split fast path.
2210
2211         * runtime/StringPrototype.cpp:
2212         (JSC::StringPrototype::finishCreation):
2213         (JSC::stringProtoFuncSplitFast):
2214         (JSC::stringProtoFuncSubstr):
2215         (JSC::builtinStringSubstrInternal):
2216         (JSC::stringProtoFuncSubstring):
2217         (JSC::stringIncludesImpl):
2218         (JSC::stringProtoFuncIncludes):
2219         (JSC::builtinStringIncludesInternal):
2220         (JSC::jsStringWithReuse): Deleted.
2221         (JSC::jsSubstring): Deleted.
2222         (JSC::stringProtoFuncSplit): Deleted.
2223         * runtime/StringPrototype.h:
2224
2225         * tests/es6.yaml:
2226
2227 2016-04-12  Keith Miller  <keith_miller@apple.com>
2228
2229         AbstractValue should use the result type to filter structures
2230         https://bugs.webkit.org/show_bug.cgi?id=156516
2231
2232         Reviewed by Geoffrey Garen.
2233
2234         When filtering an AbstractValue with a SpeculatedType we would not use the merged type when
2235         filtering out the valid structures (despite what the comment directly above said). This
2236         would cause us to crash if our structure-set was Top and the two speculated types were
2237         different kinds of cells.
2238
2239         * dfg/DFGAbstractValue.cpp:
2240         (JSC::DFG::AbstractValue::filter):
2241         * tests/stress/ai-consistency-filter-cells.js: Added.
2242         (get value):
2243         (attribute.value.get record):
2244         (attribute.attrs.get this):
2245         (get foo):
2246         (let.thisValue.return.serialize):
2247         (let.thisValue.transformFor):
2248
2249 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
2250
2251         Unreviewed, remove FIXME for https://bugs.webkit.org/show_bug.cgi?id=156457 and replace it
2252         with a comment that describes what we do now.
2253
2254         * bytecode/PolymorphicAccess.h:
2255
2256 2016-04-12  Saam barati  <sbarati@apple.com>
2257
2258         isLocked() assertion broke builds because ConcurrentJITLock isn't always a real lock.
2259
2260         Rubber-stamped by Filip Pizlo.
2261
2262         * bytecode/CodeBlock.cpp:
2263         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2264         (JSC::CodeBlock::ensureResultProfile):
2265
2266 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
2267
2268         PolymorphicAccess should buffer AccessCases before regenerating
2269         https://bugs.webkit.org/show_bug.cgi?id=156457
2270
2271         Reviewed by Benjamin Poulain.
2272
2273         Prior to this change, whenever we added an AccessCase to a PolymorphicAccess, we would
2274         regenerate the whole stub. That meant that we'd do O(N^2) work for N access cases.
2275
2276         One way to fix this is to have each AccessCase generate a stub just for itself, which
2277         cascades down to the already-generated cases. But that removes the binary switch
2278         optimization, which makes the IC perform great even when there are many cases.
2279
2280         This change fixes the issue by buffering access cases. When we take slow path and try to add
2281         a new case, the StructureStubInfo will usually just buffer the new case without generating
2282         new code. We simply guarantee that after we buffer a case, we will take at most
2283         Options::repatchBufferingCountdown() slow path calls before generating code for it. That
2284         option is currently 7. Taking 7 more slow paths means that we have 7 more opportunities to
2285         gather more access cases, or to realize that this IC is too crazy to bother with.
2286
2287         This change ensures that the DFG still gets the same kind of profiling. This is because the
2288         buffered AccessCases are still part of PolymorphicAccess and so are still scanned by
2289         GetByIdStatus and PutByIdStatus. The fact that the AccessCases hadn't been generated and so
2290         hadn't executed doesn't change much. Mainly, it increases the likelihood that the DFG will
2291         see an access case that !couldStillSucceed(). The DFG's existing profile parsing logic can
2292         handle this just fine.
2293         
2294         There are a bunch of algorithmic changes here. StructureStubInfo now caches the set of
2295         structures that it has seen as a guard to prevent adding lots of redundant cases, in case
2296         we see the same 7 cases after buffering the first one. This cache means we won't wastefully
2297         allocate 7 identical AccessCase instances. PolymorphicAccess is now restructured around
2298         having separate addCase() and regenerate() calls. That means a bit more moving data around.
2299         So far that seems OK for performance, probably since it's O(N) work rather than O(N^2) work.
2300         There is room for improvement for future patches, to be sure.
2301         
2302         This is benchmarking as slightly positive or neutral on JS benchmarks. It's meant to reduce
2303         pathologies I saw in page loads.
2304
2305         * bytecode/GetByIdStatus.cpp:
2306         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2307         * bytecode/PolymorphicAccess.cpp:
2308         (JSC::PolymorphicAccess::PolymorphicAccess):
2309         (JSC::PolymorphicAccess::~PolymorphicAccess):
2310         (JSC::PolymorphicAccess::addCases):
2311         (JSC::PolymorphicAccess::addCase):
2312         (JSC::PolymorphicAccess::visitWeak):
2313         (JSC::PolymorphicAccess::dump):
2314         (JSC::PolymorphicAccess::commit):
2315         (JSC::PolymorphicAccess::regenerate):
2316         (JSC::PolymorphicAccess::aboutToDie):
2317         (WTF::printInternal):
2318         (JSC::PolymorphicAccess::regenerateWithCases): Deleted.
2319         (JSC::PolymorphicAccess::regenerateWithCase): Deleted.
2320         * bytecode/PolymorphicAccess.h:
2321         (JSC::AccessCase::isGetter):
2322         (JSC::AccessCase::callLinkInfo):
2323         (JSC::AccessGenerationResult::AccessGenerationResult):
2324         (JSC::AccessGenerationResult::madeNoChanges):
2325         (JSC::AccessGenerationResult::gaveUp):
2326         (JSC::AccessGenerationResult::buffered):
2327         (JSC::AccessGenerationResult::generatedNewCode):
2328         (JSC::AccessGenerationResult::generatedFinalCode):
2329         (JSC::AccessGenerationResult::shouldGiveUpNow):
2330         (JSC::AccessGenerationResult::generatedSomeCode):
2331         (JSC::PolymorphicAccess::isEmpty):
2332         (JSC::PolymorphicAccess::size):
2333         (JSC::PolymorphicAccess::at):
2334         * bytecode/PutByIdStatus.cpp:
2335         (JSC::PutByIdStatus::computeForStubInfo):
2336         * bytecode/StructureStubInfo.cpp:
2337         (JSC::StructureStubInfo::StructureStubInfo):
2338         (JSC::StructureStubInfo::addAccessCase):
2339         (JSC::StructureStubInfo::reset):
2340         (JSC::StructureStubInfo::visitWeakReferences):
2341         * bytecode/StructureStubInfo.h:
2342         (JSC::StructureStubInfo::considerCaching):
2343         (JSC::StructureStubInfo::willRepatch): Deleted.
2344         (JSC::StructureStubInfo::willCoolDown): Deleted.
2345         * jit/JITOperations.cpp:
2346         * jit/Repatch.cpp:
2347         (JSC::tryCacheGetByID):
2348         (JSC::repatchGetByID):
2349         (JSC::tryCachePutByID):
2350         (JSC::repatchPutByID):
2351         (JSC::tryRepatchIn):
2352         (JSC::repatchIn):
2353         * runtime/JSCJSValue.h:
2354         * runtime/JSCJSValueInlines.h:
2355         (JSC::JSValue::putByIndex):
2356         (JSC::JSValue::structureOrNull):
2357         (JSC::JSValue::structureOrUndefined):
2358         * runtime/Options.h:
2359
2360 2016-04-12  Saam barati  <sbarati@apple.com>
2361
2362         There is a race with the compiler thread and the main thread with result profiles
2363         https://bugs.webkit.org/show_bug.cgi?id=156503
2364
2365         Reviewed by Filip Pizlo.
2366
2367         The compiler thread should not be asking for a result
2368         profile while the execution thread is creating one.
2369         We must guard against such races with a lock.
2370
2371         * bytecode/CodeBlock.cpp:
2372         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2373         (JSC::CodeBlock::ensureResultProfile):
2374         (JSC::CodeBlock::capabilityLevel):
2375         * bytecode/CodeBlock.h:
2376         (JSC::CodeBlock::couldTakeSlowCase):
2377         (JSC::CodeBlock::numberOfResultProfiles):
2378         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
2379         (JSC::CodeBlock::ensureResultProfile): Deleted.
2380
2381 2016-04-12  Commit Queue  <commit-queue@webkit.org>
2382
2383         Unreviewed, rolling out r199339.
2384         https://bugs.webkit.org/show_bug.cgi?id=156505
2385
2386         memset_s is indeed necessary (Requested by alexchristensen_ on
2387         #webkit).
2388
2389         Reverted changeset:
2390
2391         "Build fix after r199299."
2392         https://bugs.webkit.org/show_bug.cgi?id=155508
2393         http://trac.webkit.org/changeset/199339
2394
2395 2016-04-12  Guillaume Emont  <guijemont@igalia.com>
2396
2397         MIPS: add MacroAssemblerMIPS::store8(TrustedImm32,ImplicitAddress)
2398         https://bugs.webkit.org/show_bug.cgi?id=156481
2399
2400         This method with this signature is used by r199075, and therefore
2401         WebKit doesn't build on MIPS since then.
2402
2403         Reviewed by Mark Lam.
2404
2405         * assembler/MacroAssemblerMIPS.h:
2406         (JSC::MacroAssemblerMIPS::store8):
2407
2408 2016-04-12  Saam barati  <sbarati@apple.com>
2409
2410         We incorrectly parse arrow function expressions
2411         https://bugs.webkit.org/show_bug.cgi?id=156373
2412
2413         Reviewed by Mark Lam.
2414
2415         This patch removes the notion of "isEndOfArrowFunction".
2416         This was a very weird function and it was incorrect.
2417         It checked that the arrow functions with concise body
2418         grammar production "had a valid ending". "had a valid
2419         ending" is in quotes because concise body arrow functions
2420         have a valid ending as long as their body has a valid
2421         assignment expression. I've removed all notion of this
2422         function because it was wrong and was causing us
2423         to throw syntax errors on valid programs.
2424
2425         * parser/Lexer.cpp:
2426         (JSC::Lexer<T>::nextTokenIsColon):
2427         (JSC::Lexer<T>::lex):
2428         (JSC::Lexer<T>::setTokenPosition): Deleted.
2429         * parser/Lexer.h:
2430         (JSC::Lexer::setIsReparsingFunction):
2431         (JSC::Lexer::isReparsingFunction):
2432         (JSC::Lexer::lineNumber):
2433         * parser/Parser.cpp:
2434         (JSC::Parser<LexerType>::parseInner):
2435         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
2436         (JSC::Parser<LexerType>::parseFunctionInfo):
2437         * parser/Parser.h:
2438         (JSC::Parser::matchIdentifierOrKeyword):
2439         (JSC::Parser::tokenStart):
2440         (JSC::Parser::autoSemiColon):
2441         (JSC::Parser::canRecurse):
2442         (JSC::Parser::isEndOfArrowFunction): Deleted.
2443         (JSC::Parser::setEndOfStatement): Deleted.
2444         * tests/stress/arrowfunction-others.js:
2445         (testCase):
2446         (simpleArrowFunction):
2447         (truthy):
2448         (falsey):
2449
2450 2016-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2451
2452         [JSC] addStaticGlobals should emit SymbolTableEntry watchpoints to encourage constant folding in DFG
2453         https://bugs.webkit.org/show_bug.cgi?id=155110
2454
2455         Reviewed by Saam Barati.
2456
2457         `addStaticGlobals` does not emit SymbolTableEntry watchpoints for the added entries.
2458         So, all the global variable lookups pointing to these static globals are not converted
2459         into constants in DFGBytecodeGenerator: this fact leaves these lookups as GetGlobalVar.
2460         Such a thing loses the chance for constant folding and emits CheckCell for @privateFunction inlining.
2461         This operation is pure overhead.
2462
2463         Static globals are not configurable, and they are typically non-writable.
2464         So they are constants in almost all the cases.
2465
2466         This patch initializes watchpoints for these static globals.
2467         These watchpoints allow DFG to convert these nodes into constants in DFG BytecodeParser.
2468         These watchpoints include many builtin operations and `undefined`.
2469
2470         The microbenchmark many-foreach-calls shows a 5 - 7% improvement since it removes unnecessary CheckCell.
2471
2472         * bytecode/VariableWriteFireDetail.h:
2473         * runtime/JSGlobalObject.cpp:
2474         (JSC::JSGlobalObject::addGlobalVar):
2475         (JSC::JSGlobalObject::addStaticGlobals):
2476         * runtime/JSSymbolTableObject.h:
2477         (JSC::symbolTablePutTouchWatchpointSet):
2478         (JSC::symbolTablePutInvalidateWatchpointSet):
2479         (JSC::symbolTablePut):
2480         (JSC::symbolTablePutWithAttributesTouchWatchpointSet): Deleted.
2481         * runtime/SymbolTable.h:
2482         (JSC::SymbolTableEntry::SymbolTableEntry):
2483         (JSC::SymbolTableEntry::operator=):
2484         (JSC::SymbolTableEntry::swap):
2485
2486 2016-04-12  Alex Christensen  <achristensen@webkit.org>
2487
2488         Build fix after r199299.
2489         https://bugs.webkit.org/show_bug.cgi?id=155508
2490
2491         * jit/ExecutableAllocatorFixedVMPool.cpp:
2492         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2493         memset_s is not defined.  __STDC_WANT_LIB_EXT1__ is not defined anywhere.
2494         Since the return value is unused and set_constraint_handler_s is never called
2495         I'm changing it to memset.
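
An added example, not WebKit code, illustrating why the memset_s call this change replaced with memset is not interchangeable with it: C11 Annex K requires memset_s to be evaluated as written, so a scrub of a buffer that is never read again cannot be dropped as a dead store. secureZero, isAllZero and the sample buffers are constructed for this example; the __APPLE__ branch assumes Apple's libc declares memset_s once __STDC_WANT_LIB_EXT1__ is defined.

```cpp
// Added example, not JavaScriptCore code: a scrubbing helper that shows why
// swapping memset_s for memset is not behaviour-preserving. C11 Annex K
// (K.3.7.4.1) requires memset_s to be evaluated as written, so the write can
// never be dropped as a dead store; plain memset carries no such guarantee when
// the buffer is not read again.
#define __STDC_WANT_LIB_EXT1__ 1   // must precede <string.h> for memset_s to be declared
#include <string.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

// Overwrite len bytes at p with zero in a way the compiler must preserve.
static void secureZero(void* p, size_t len)
{
#if defined(__STDC_LIB_EXT1__) || defined(__APPLE__)
    // Assumption: Apple's libc declares memset_s once __STDC_WANT_LIB_EXT1__ is
    // set without advertising __STDC_LIB_EXT1__. The return value only reports
    // constraint violations (null pointer, oversized length); whatever can be
    // written is written regardless, so ignoring it is acceptable here.
    (void)memset_s(p, len, 0, len);
#else
    // Portable fallback (e.g. glibc, which does not ship Annex K): call memset
    // through a volatile function pointer. The compiler cannot see which
    // function is called, so it cannot treat the store as dead.
    static void* (* const volatile memsetPtr)(void*, int, size_t) = memset;
    memsetPtr(p, 0, len);
#endif
}

// True when every byte in [p, p + len) is zero.
static bool isAllZero(const void* p, size_t len)
{
    const unsigned char* bytes = static_cast<const unsigned char*>(p);
    unsigned char acc = 0;
    for (size_t i = 0; i < len; ++i)
        acc |= bytes[i];
    return acc == 0;
}

// Fill a heap buffer with a non-zero pattern, scrub it, and report whether the
// scrub took effect. len == 0 must be accepted without touching memory.
static bool secureZeroClearsBuffer(size_t len)
{
    unsigned char* buffer = new unsigned char[len ? len : 1];
    for (size_t i = 0; i < len; ++i)
        buffer[i] = static_cast<unsigned char>(0x5a + i);
    secureZero(buffer, len);
    bool clean = isAllZero(buffer, len);
    delete[] buffer;
    return clean;
}

// The pattern the scrub exists for: secret material lives briefly in a local,
// something is derived from it, then the local is scrubbed before it goes out
// of scope. The key bytes are a constructed stand-in, not real key material.
static bool deriveThenScrub()
{
    unsigned char key[32];
    for (size_t i = 0; i < sizeof key; ++i)
        key[i] = static_cast<unsigned char>(0xa5 ^ i);   // constructed "secret"

    uint32_t derived = 2166136261u;                        // FNV-1a over the key
    for (size_t i = 0; i < sizeof key; ++i)
        derived = (derived ^ key[i]) * 16777619u;
    static volatile uint32_t sink;                         // keep the derivation observable
    sink = derived;

    // With memset here the compiler may legally delete the store, because key
    // is never read again on any path it can see. secureZero forbids that.
    secureZero(key, sizeof key);
    return isAllZero(key, sizeof key);
}

int main()
{
    printf("scrub 4096 bytes: %s\n", secureZeroClearsBuffer(4096) ? "ok" : "FAILED");
    printf("derive then scrub: %s\n", deriveThenScrub() ? "ok" : "FAILED");
    return 0;
}
```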
2496
2497 2016-04-11  Benjamin Poulain  <bpoulain@apple.com>
2498
2499         [JSC] B3 can use undefined bits or not defined required bits when spilling
2500         https://bugs.webkit.org/show_bug.cgi?id=156486
2501
2502         Reviewed by Filip Pizlo.
2503
2504         Spilling had issues when replacing arguments in place.
2505
2506         The problems are:
2507         1) If we have a 32bit stackslot, an x86 instruction could still try to load 64bits from it.
2508         2) If we have a 64bit stackslot, Move32 would only set half the bits.
2509         3) We were reducing Move to Move32 even if the top bits are read from the stack slot.
2510
2511         Case 1 appears with something like this:
2512             Move32 %tmp0, %tmp1
2513             Op64 %tmp1, %tmp2, %tmp3
2514         When we spill %tmp1, the stack slot is 32bit, Move32 sets 32bits
2515         but Op64 supports addressing for %tmp1. When we substitute %tmp1 in Op64,
2516         we are creating a 64bit read for a 32bit stack slot.
2517
2518         Case 2 is another common one. If we have:
2519             BB#1
2520                 Move32 %tmp0, %tmp1
2521                 Jump #3
2522             BB#2
2523                 Op64 %tmp0, %tmp1
2524                 Jump #3
2525             BB#3
2526                 Use64 %tmp1
2527
2528         We have a stack slot of 64bits. When spilling %tmp1 in #1, we are
2529         effectively doing a 32bit store on the stack slot, leaving the top bits undefined.
2530
2531         Case 3 is pretty much the same as 2 but we create the Move32 ourselves
2532         because the source is a 32bit with ZDef.
2533
2534         Case (1) is solved by requiring that the stack slot is at least as large as the largest
2535         use/def of that tmp.
2536
2537         Case (2) and (3) are solved by not replacing a Tmp by an Address if the Def
2538         is smaller than the stack slot.
2539
2540         * b3/air/AirIteratedRegisterCoalescing.cpp:
2541         * b3/testb3.cpp:
2542         (JSC::B3::testSpillDefSmallerThanUse):
2543         (JSC::B3::testSpillUseLargerThanDef):
2544         (JSC::B3::run):
2545
2546 2016-04-11  Brian Burg  <bburg@apple.com>
2547
2548         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
2549         https://bugs.webkit.org/show_bug.cgi?id=156407
2550         <rdar://problem/25627659>
2551
2552         Reviewed by Joseph Pecoraro.
2553
2554         There's no point having these subclasses as they don't save any space.
2555         Add a StringImpl to the union and merge some implementations of writeJSON.
2556
2557         Rename m_data to m_map and explicitly name the union as InspectorValue::m_value.
2558         If the value is a string and the string is not empty or null (i.e., it has a
2559         StringImpl), then we need to ref() and deref() the string as the InspectorValue
2560         is created or destroyed.
2561
2562         Move uses of the subclass to InspectorValue and delete redundant methods.
2563         Now, most InspectorValue methods are non-virtual so they can be templated.
2564
2565         * bindings/ScriptValue.cpp:
2566         (Deprecated::jsToInspectorValue):
2567         * inspector/InjectedScriptBase.cpp:
2568         (Inspector::InjectedScriptBase::makeCall):
2569         Don't use deleted subclasses.
2570
2571         * inspector/InspectorValues.cpp:
2572         (Inspector::InspectorValue::null):
2573         (Inspector::InspectorValue::create):
2574         (Inspector::InspectorValue::asValue):
2575         (Inspector::InspectorValue::asBoolean):
2576         (Inspector::InspectorValue::asDouble):
2577         (Inspector::InspectorValue::asInteger):
2578         (Inspector::InspectorValue::asString):
2579         These only need one implementation now.
2580
2581         (Inspector::InspectorValue::writeJSON):
2582         Still a virtual method since Object and Array need their members.
2583
2584         (Inspector::InspectorObjectBase::InspectorObjectBase):
2585         (Inspector::InspectorBasicValue::asBoolean): Deleted.
2586         (Inspector::InspectorBasicValue::asDouble): Deleted.
2587         (Inspector::InspectorBasicValue::asInteger): Deleted.
2588         (Inspector::InspectorBasicValue::writeJSON): Deleted.
2589         (Inspector::InspectorString::asString): Deleted.
2590         (Inspector::InspectorString::writeJSON): Deleted.
2591         (Inspector::InspectorString::create): Deleted.
2592         (Inspector::InspectorBasicValue::create): Deleted.
2593
2594         * inspector/InspectorValues.h:
2595         (Inspector::InspectorObjectBase::find):
2596         (Inspector::InspectorObjectBase::setBoolean):
2597         (Inspector::InspectorObjectBase::setInteger):
2598         (Inspector::InspectorObjectBase::setDouble):
2599         (Inspector::InspectorObjectBase::setString):
2600         (Inspector::InspectorObjectBase::setValue):
2601         (Inspector::InspectorObjectBase::setObject):
2602         (Inspector::InspectorObjectBase::setArray):
2603         (Inspector::InspectorArrayBase::pushBoolean):
2604         (Inspector::InspectorArrayBase::pushInteger):
2605         (Inspector::InspectorArrayBase::pushDouble):
2606         (Inspector::InspectorArrayBase::pushString):
2607         (Inspector::InspectorArrayBase::pushValue):
2608         (Inspector::InspectorArrayBase::pushObject):
2609         (Inspector::InspectorArrayBase::pushArray):
2610         Use new factory methods.
2611
2612         * replay/EncodedValue.cpp:
2613         (JSC::ScalarEncodingTraits<bool>::encodeValue):
2614         (JSC::ScalarEncodingTraits<double>::encodeValue):
2615         (JSC::ScalarEncodingTraits<float>::encodeValue):
2616         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
2617         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
2618         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
2619         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
2620         * replay/EncodedValue.h:
2621         Use new factory methods.
2622
2623 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
2624
2625         It should be possible to edit StructureStubInfo without recompiling the world
2626         https://bugs.webkit.org/show_bug.cgi?id=156470
2627
2628         Reviewed by Keith Miller.
2629
2630         This change makes it less painful to make changes to the IC code. It used to be that any
2631         change to StructureStubInfo caused every JIT-related file to get recompiled. Now only a
2632         smaller set of files - ones that actually peek into StructureStubInfo - will recompile. This
2633         is mainly because CodeBlock.h no longer includes StructureStubInfo.h.
2634
2635         * bytecode/ByValInfo.h:
2636         * bytecode/CodeBlock.cpp:
2637         * bytecode/CodeBlock.h:
2638         * bytecode/GetByIdStatus.cpp:
2639         * bytecode/GetByIdStatus.h:
2640         * bytecode/PutByIdStatus.cpp:
2641         * bytecode/PutByIdStatus.h:
2642         * bytecode/StructureStubInfo.h:
2643         (JSC::getStructureStubInfoCodeOrigin):
2644         * dfg/DFGByteCodeParser.cpp:
2645         * dfg/DFGJITCompiler.cpp:
2646         * dfg/DFGOSRExitCompilerCommon.cpp:
2647         * dfg/DFGSpeculativeJIT.h:
2648         * ftl/FTLLowerDFGToB3.cpp:
2649         * ftl/FTLSlowPathCall.h:
2650         * jit/IntrinsicEmitter.cpp:
2651         * jit/JITInlineCacheGenerator.cpp:
2652         * jit/JITInlineCacheGenerator.h:
2653         * jit/JITOperations.cpp:
2654         * jit/JITPropertyAccess.cpp:
2655         * jit/JITPropertyAccess32_64.cpp:
2656
2657 2016-04-11  Skachkov Oleksandr  <gskachkov@gmail.com>
2658
2659         Remove NewArrowFunction from DFG IR
2660         https://bugs.webkit.org/show_bug.cgi?id=156439
2661
2662         Reviewed by Saam Barati.
2663
2664         It seems that NewArrowFunction was left in DFG IR during refactoring by mistake.
2665
2666         * dfg/DFGAbstractInterpreterInlines.h:
2667         * dfg/DFGClobberize.h:
2668         (JSC::DFG::clobberize):
2669         * dfg/DFGClobbersExitState.cpp:
2670         * dfg/DFGDoesGC.cpp:
2671         * dfg/DFGFixupPhase.cpp:
2672         * dfg/DFGMayExit.cpp:
2673         * dfg/DFGNode.h:
2674         (JSC::DFG::Node::convertToPhantomNewFunction):
2675         * dfg/DFGNodeType.h:
2676         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2677         * dfg/DFGPredictionPropagationPhase.cpp:
2678         * dfg/DFGSafeToExecute.h:
2679         * dfg/DFGSpeculativeJIT.cpp:
2680         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2681         * dfg/DFGSpeculativeJIT32_64.cpp:
2682         * dfg/DFGSpeculativeJIT64.cpp:
2683         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2684         * dfg/DFGStructureRegistrationPhase.cpp:
2685         * ftl/FTLCapabilities.cpp:
2686         * ftl/FTLLowerDFGToB3.cpp:
2687         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2688
2689 2016-04-05  Oliver Hunt  <oliver@apple.com>
2690
2691         Remove compile time define for SEPARATED_HEAP
2692         https://bugs.webkit.org/show_bug.cgi?id=155508
2693
2694         Reviewed by Mark Lam.
2695
2696         Remove the SEPARATED_HEAP compile time flag. The separated
2697         heap is available, but off by default, on x86_64, ARMv7, and
2698         ARM64.
2699
2700         Working through the issues that happened last time essentially
2701         required implementing the ARMv7 path for the separated heap
2702         just so I could find all the ways it was going wrong.
2703
2704         We fixed all the logic by making the branch and jump logic in
2705         the linker and assemblers take two parameters, the location to
2706         write to, and the location we'll actually be writing to. We 
2707         need to do this because it's no longer sufficient to compute
2708         jumps relative to the region the linker is writing to.
2709
2710         The repatching jump, branch, and call functions only need the
2711         executable address as the patching is performed directly using
2712         performJITMemcpy function which works in terms of the executable
2713         address.
2714
2715         There is no performance impact on jsc-benchmarks with the separate
2716         heap either enabled or disabled.
2717
2718         * Configurations/FeatureDefines.xcconfig:
2719         * assembler/ARM64Assembler.h:
2720         (JSC::ARM64Assembler::linkJump):
2721         (JSC::ARM64Assembler::linkCall):
2722         (JSC::ARM64Assembler::relinkJump):
2723         (JSC::ARM64Assembler::relinkCall):
2724         (JSC::ARM64Assembler::link):
2725         (JSC::ARM64Assembler::linkJumpOrCall):
2726         (JSC::ARM64Assembler::linkCompareAndBranch):
2727         (JSC::ARM64Assembler::linkConditionalBranch):
2728         (JSC::ARM64Assembler::linkTestAndBranch):
2729         (JSC::ARM64Assembler::relinkJumpOrCall):
2730         * assembler/ARMv7Assembler.h:
2731         (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
2732         (JSC::ARMv7Assembler::revertJumpTo_movT3):
2733         (JSC::ARMv7Assembler::link):
2734         (JSC::ARMv7Assembler::linkJump):
2735         (JSC::ARMv7Assembler::relinkJump):
2736         (JSC::ARMv7Assembler::repatchCompact):
2737         (JSC::ARMv7Assembler::replaceWithJump):
2738         (JSC::ARMv7Assembler::replaceWithLoad):
2739         (JSC::ARMv7Assembler::replaceWithAddressComputation):
2740         (JSC::ARMv7Assembler::setInt32):
2741         (JSC::ARMv7Assembler::setUInt7ForLoad):
2742         (JSC::ARMv7Assembler::isB):
2743         (JSC::ARMv7Assembler::isBX):
2744         (JSC::ARMv7Assembler::isMOV_imm_T3):
2745         (JSC::ARMv7Assembler::isMOVT):
2746         (JSC::ARMv7Assembler::isNOP_T1):
2747         (JSC::ARMv7Assembler::isNOP_T2):
2748         (JSC::ARMv7Assembler::linkJumpT1):
2749         (JSC::ARMv7Assembler::linkJumpT2):
2750         (JSC::ARMv7Assembler::linkJumpT3):
2751         (JSC::ARMv7Assembler::linkJumpT4):
2752         (JSC::ARMv7Assembler::linkConditionalJumpT4):
2753         (JSC::ARMv7Assembler::linkBX):
2754         (JSC::ARMv7Assembler::linkConditionalBX):
2755         (JSC::ARMv7Assembler::linkJumpAbsolute):
2756         * assembler/LinkBuffer.cpp:
2757         (JSC::LinkBuffer::copyCompactAndLinkCode):
2758         * assembler/MacroAssemblerARM64.h:
2759         (JSC::MacroAssemblerARM64::link):
2760         * assembler/MacroAssemblerARMv7.h:
2761         (JSC::MacroAssemblerARMv7::link):
2762         * jit/ExecutableAllocator.h:
2763         (JSC::performJITMemcpy):
2764         * jit/ExecutableAllocatorFixedVMPool.cpp:
2765         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2766         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2767         (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
2768         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted.
2769         * runtime/Options.cpp:
2770         (JSC::recomputeDependentOptions):
2771         * runtime/Options.h:
2772
2773 2016-04-10  Filip Pizlo  <fpizlo@apple.com>
2774
2775         Clean up how we reason about the states of AccessCases
2776         https://bugs.webkit.org/show_bug.cgi?id=156454
2777
2778         Reviewed by Mark Lam.
2779         
2780         Currently when we add an AccessCase to a PolymorphicAccess stub, we regenerate the stub.
2781         That means that as we grow a stub to have N cases, we will do O(N^2) generation work. I want
2782         to explore buffering AccessCases so that we can do O(N) generation work instead. But
2783         before I go there, I want to make sure that the statefulness of AccessCase makes sense. So,
2784         I broke it down into three different states and added assertions about the transitions. I
2785         also broke out a separate operation called AccessCase::commit(), which is the work that
2786         cannot be buffered since there cannot be any JS effects between when the AccessCase was
2787         created and when we do the work in commit().
2788         
2789         This opens up a fairly obvious path to buffering AccessCases: add them to the list without
2790         regenerating. Then when we do eventually trigger regeneration, those cases will get cloned
2791         and generated automagically. This patch doesn't implement this technique yet, but gives us
2792         an opportunity to independently test the scaffolding necessary to do it.
2793
2794         This is perf-neutral on lots of tests.
2795
2796         * bytecode/PolymorphicAccess.cpp:
2797         (JSC::AccessGenerationResult::dump):
2798         (JSC::AccessCase::clone):
2799         (JSC::AccessCase::commit):
2800         (JSC::AccessCase::guardedByStructureCheck):
2801         (JSC::AccessCase::dump):
2802         (JSC::AccessCase::generateWithGuard):
2803         (JSC::AccessCase::generate):
2804         (JSC::AccessCase::generateImpl):
2805         (JSC::PolymorphicAccess::regenerateWithCases):
2806         (JSC::PolymorphicAccess::regenerate):
2807         (WTF::printInternal):
2808         * bytecode/PolymorphicAccess.h:
2809         (JSC::AccessCase::type):
2810         (JSC::AccessCase::state):
2811         (JSC::AccessCase::offset):
2812         (JSC::AccessCase::viaProxy):
2813         (JSC::AccessCase::callLinkInfo):
2814         * bytecode/StructureStubInfo.cpp:
2815         (JSC::StructureStubInfo::addAccessCase):
2816         * bytecode/Watchpoint.h:
2817         * dfg/DFGOperations.cpp:
2818         * jit/Repatch.cpp:
2819         (JSC::repatchGetByID):
2820         (JSC::repatchPutByID):
2821         (JSC::repatchIn):
2822         * runtime/VM.cpp:
2823         (JSC::VM::dumpRegExpTrace):
2824         (JSC::VM::ensureWatchpointSetForImpureProperty):
2825         (JSC::VM::registerWatchpointForImpureProperty):
2826         (JSC::VM::addImpureProperty):
2827         * runtime/VM.h:
2828
2829 2016-04-11  Fujii Hironori  <Hironori.Fujii@jp.sony.com>
2830
2831         [CMake] Make FOLDER property INHERITED
2832         https://bugs.webkit.org/show_bug.cgi?id=156460
2833
2834         Reviewed by Brent Fulgham.
2835
2836         * CMakeLists.txt:
2837         * shell/CMakeLists.txt:
2838         * shell/PlatformWin.cmake:
2839         Set FOLDER property as a directory property not a target property
2840
2841 2016-04-09  Keith Miller  <keith_miller@apple.com>
2842
2843         tryGetById should be supported by the DFG/FTL
2844         https://bugs.webkit.org/show_bug.cgi?id=156378
2845
2846         Reviewed by Filip Pizlo.
2847
2848         This patch adds support for tryGetById in the DFG/FTL. It adds a new DFG node
2849         TryGetById, which acts similarly to the normal GetById DFG node. One key
2850         difference between GetById and TryGetById is that in the LLInt and Baseline
2851         we do not profile the result type. This profiling is unnecessary for the current
2852         use case of tryGetById, which is expected to be a strict equality comparison
2853         against a specific object or undefined. In either case other DFG optimizations
2854         will make this equally fast with or without the profiling information.
2855
2856         Additionally, this patch adds new reuse modes for JSValueRegsTemporary that take
2857         an operand and attempt to reuse the registers for that operand if they are free
2858         after the current DFG node.
2859
2860         * bytecode/GetByIdStatus.cpp:
2861         (JSC::GetByIdStatus::computeFromLLInt):
2862         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2863         * dfg/DFGAbstractInterpreterInlines.h:
2864         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2865         * dfg/DFGByteCodeParser.cpp:
2866         (JSC::DFG::ByteCodeParser::handleGetById):
2867         (JSC::DFG::ByteCodeParser::parseBlock):
2868         * dfg/DFGCapabilities.cpp:
2869         (JSC::DFG::capabilityLevel):
2870         * dfg/DFGClobberize.h:
2871         (JSC::DFG::clobberize):
2872         * dfg/DFGDoesGC.cpp:
2873         (JSC::DFG::doesGC):
2874         * dfg/DFGFixupPhase.cpp:
2875         (JSC::DFG::FixupPhase::fixupNode):
2876         * dfg/DFGNode.h:
2877         (JSC::DFG::Node::hasIdentifier):
2878         * dfg/DFGNodeType.h:
2879         * dfg/DFGPredictionPropagationPhase.cpp:
2880         (JSC::DFG::PredictionPropagationPhase::propagate):
2881         * dfg/DFGSafeToExecute.h:
2882         (JSC::DFG::safeToExecute):
2883         * dfg/DFGSpeculativeJIT.cpp:
2884         (JSC::DFG::SpeculativeJIT::compileTryGetById):
2885         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
2886         * dfg/DFGSpeculativeJIT.h:
2887         (JSC::DFG::GPRTemporary::operator=):
2888         * dfg/DFGSpeculativeJIT32_64.cpp:
2889         (JSC::DFG::SpeculativeJIT::cachedGetById):
2890         (JSC::DFG::SpeculativeJIT::compile):
2891         * dfg/DFGSpeculativeJIT64.cpp:
2892         (JSC::DFG::SpeculativeJIT::cachedGetById):
2893         (JSC::DFG::SpeculativeJIT::compile):
2894         * ftl/FTLCapabilities.cpp:
2895         (JSC::FTL::canCompile):
2896         * ftl/FTLLowerDFGToB3.cpp:
2897         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2898         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2899         (JSC::FTL::DFG::LowerDFGToB3::getById):
2900         * jit/JITOperations.cpp:
2901         * jit/JITOperations.h:
2902         * tests/stress/try-get-by-id.js:
2903         (tryGetByIdTextStrict):
2904         (get let):
2905         (let.get createBuiltin):
2906         (get throw):
2907         (getCaller.obj.1.throw.new.Error): Deleted.
2908
2909 2016-04-09  Saam barati  <sbarati@apple.com>
2910
2911         Allocation sinking SSA Defs are allowed to have replacements
2912         https://bugs.webkit.org/show_bug.cgi?id=156444
2913
2914         Reviewed by Filip Pizlo.
2915
2916         Consider the following program and the annotations that explain why
2917         the SSA defs we create in allocation sinking can have replacements.
2918
2919         function foo(a1) {
2920             let o1 = {x: 20, y: 50};
2921             let o2 = {y: 40, o1: o1};
2922             let o3 = {};
2923         
2924             // We're Defing a new variable here, call it o3_field.
2925             // o3_field is defing the value that is the result of 
2926             // a GetByOffset that gets eliminated through allocation sinking.
2927             o3.field = o1.y;
2928         
2929             dontCSE();
2930         
2931             // This control flow is here to not allow the phase to consult
2932             // its local SSA mapping (which properly handles replacements)
2933             // for the value of o3_field.
2934             if (a1) {
2935                 a1 = true; 
2936             } else {
2937                 a1 = false;
2938             }
2939         
2940             // Here, we ask for the reaching def of o3_field, and assert
2941             // it doesn't have a replacement. It does have a replacement
2942             // though. The original Def was the GetByOffset. We replaced
2943             // that GetByOffset with the value of the o1_y variable.
2944             let value = o3.field;
2945             assert(value === 50);
2946         }
2947
2948         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2949         * tests/stress/allocation-sinking-defs-may-have-replacements.js: Added.
2950         (dontCSE):
2951         (assert):
2952         (foo):
2953
2954 2016-04-09  Commit Queue  <commit-queue@webkit.org>
2955
2956         Unreviewed, rolling out r199242.
2957         https://bugs.webkit.org/show_bug.cgi?id=156442
2958
2959         Caused many many leaks (Requested by ap on #webkit).
2960
2961         Reverted changeset:
2962
2963         "Web Inspector: get rid of InspectorBasicValue and
2964         InspectorString subclasses"
2965         https://bugs.webkit.org/show_bug.cgi?id=156407
2966         http://trac.webkit.org/changeset/199242
2967
2968 2016-04-09  Filip Pizlo  <fpizlo@apple.com>
2969
2970         Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool
2971         https://bugs.webkit.org/show_bug.cgi?id=156406
2972
2973         Reviewed by Saam Barati.
2974
2975         The failure was because the GC ran from within the butterfly allocation call in a put_by_id
2976         transition AccessCase that had to deal with indexing storage. When the GC runs in a call from a stub,
2977         then we need to be extra careful:
2978
2979         1) The GC may reset the IC and delete the stub. So, the stub needs to tell the GC that it might be on
2980            the stack during GC, so that the GC keeps it alive if it's currently running.
2981         
2982         2) If the stub uses (dereferences or stores) some object after the call, then we need to ensure that
2983            the stub routine knows about that object independently of the IC.
2984         
2985         In the case of put_by_id transitions that use a helper to allocate the butterfly, we have both
2986         issues. A long time ago, we had to deal with (2), and we still had code to handle that case, although
2987         it appears to be dead. This change revives that code and glues it together with PolymorphicAccess.
2988
2989         * bytecode/PolymorphicAccess.cpp:
2990         (JSC::AccessCase::alternateBase):
2991         (JSC::AccessCase::doesCalls):
2992         (JSC::AccessCase::couldStillSucceed):
2993         (JSC::AccessCase::generate):
2994         (JSC::PolymorphicAccess::regenerate):
2995         * bytecode/PolymorphicAccess.h:
2996         (JSC::AccessCase::customSlotBase):
2997         (JSC::AccessCase::isGetter):
2998         (JSC::AccessCase::doesCalls): Deleted.
2999         * jit/GCAwareJITStubRoutine.cpp:
3000         (JSC::GCAwareJITStubRoutine::markRequiredObjectsInternal):
3001         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
3002         (JSC::MarkingGCAwareJITStubRoutine::~MarkingGCAwareJITStubRoutine):
3003         (JSC::MarkingGCAwareJITStubRoutine::markRequiredObjectsInternal):
3004         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
3005         (JSC::createJITStubRoutine):
3006         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
3007         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::~MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
3008         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal): Deleted.
3009         * jit/GCAwareJITStubRoutine.h:
3010         (JSC::createJITStubRoutine):
3011
3012 2016-04-08  Joseph Pecoraro  <pecoraro@apple.com>
3013
3014         Web Inspector: XHRs and Web Worker scripts are not searchable
3015         https://bugs.webkit.org/show_bug.cgi?id=154214
3016         <rdar://problem/24643587>
3017
3018         Reviewed by Timothy Hatcher.
3019
3020         * inspector/protocol/Page.json:
3021         Add optional requestId to search results properties and search
3022         parameters for when the frameId and url are not enough. XHR
3023         resources, and "Other" resources will use this.
3024
3025 2016-04-08  Guillaume Emont  <guijemont@igalia.com>
3026
3027         MIPS: support Signed cond in branchTest32()
3028         https://bugs.webkit.org/show_bug.cgi?id=156260
3029
3030         This is needed since r197688 makes use of it.
3031
3032         Reviewed by Mark Lam.
3033
3034         * assembler/MacroAssemblerMIPS.h:
3035         (JSC::MacroAssemblerMIPS::branchTest32):
3036
3037 2016-04-08  Alex Christensen  <achristensen@webkit.org>
3038
3039         Progress towards running CMake WebKit2 on Mac
3040         https://bugs.webkit.org/show_bug.cgi?id=156426
3041
3042         Reviewed by Tim Horton.
3043
3044         * PlatformMac.cmake:
3045
3046 2016-04-08  Saam barati  <sbarati@apple.com>
3047
3048         Debugger may dereference m_currentCallFrame even after the VM has gone idle
3049         https://bugs.webkit.org/show_bug.cgi?id=156413
3050
3051         Reviewed by Mark Lam.
3052
3053         There is a bug where the debugger may dereference its m_currentCallFrame
3054         pointer after that pointer becomes invalid to read from. This happens like so:
3055
3056         We may step over an instruction which causes the end of execution for the
3057         current program. This causes the VM to exit. Then, we perform a GC which
3058         causes us to collect the global object. The global object being collected
3059         causes us to detach the debugger. In detaching, we think we still have a 
3060         valid m_currentCallFrame, we dereference it, and crash. The solution is to
3061         make sure we're paused when dereferencing this pointer inside ::detach().
3062
3063         * debugger/Debugger.cpp:
3064         (JSC::Debugger::detach):
3065
3066 2016-04-08  Brian Burg  <bburg@apple.com>
3067
3068         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
3069         https://bugs.webkit.org/show_bug.cgi?id=156407
3070         <rdar://problem/25627659>
3071
3072         Reviewed by Timothy Hatcher.
3073
3074         There's no point having these subclasses as they don't save any space.
3075         Add m_stringValue to the union and merge some implementations of writeJSON.
3076         Move uses of the subclass to InspectorValue and delete redundant methods.
3077         Now, most InspectorValue methods are non-virtual so they can be templated.
3078
3079         * bindings/ScriptValue.cpp:
3080         (Deprecated::jsToInspectorValue):
3081         * inspector/InjectedScriptBase.cpp:
3082         (Inspector::InjectedScriptBase::makeCall):
3083         Don't use deleted subclasses.
3084
3085         * inspector/InspectorValues.cpp:
3086         (Inspector::InspectorValue::null):
3087         (Inspector::InspectorValue::create):
3088         (Inspector::InspectorValue::asValue):
3089         (Inspector::InspectorValue::asBoolean):
3090         (Inspector::InspectorValue::asDouble):
3091         (Inspector::InspectorValue::asInteger):
3092         (Inspector::InspectorValue::asString):
3093         These only need one implementation now.
3094
3095         (Inspector::InspectorValue::writeJSON):
3096         Still a virtual method since Object and Array need their members.
3097
3098         (Inspector::InspectorObjectBase::InspectorObjectBase):
3099         (Inspector::InspectorBasicValue::asBoolean): Deleted.
3100         (Inspector::InspectorBasicValue::asDouble): Deleted.
3101         (Inspector::InspectorBasicValue::asInteger): Deleted.
3102         (Inspector::InspectorBasicValue::writeJSON): Deleted.
3103         (Inspector::InspectorString::asString): Deleted.
3104         (Inspector::InspectorString::writeJSON): Deleted.
3105         (Inspector::InspectorString::create): Deleted.
3106         (Inspector::InspectorBasicValue::create): Deleted.
3107
3108         * inspector/InspectorValues.h:
3109         (Inspector::InspectorObjectBase::setBoolean):
3110         (Inspector::InspectorObjectBase::setInteger):
3111         (Inspector::InspectorObjectBase::setDouble):
3112         (Inspector::InspectorObjectBase::setString):
3113         (Inspector::InspectorArrayBase::pushBoolean):
3114         (Inspector::InspectorArrayBase::pushInteger):
3115         (Inspector::InspectorArrayBase::pushDouble):
3116         (Inspector::InspectorArrayBase::pushString):
3117         Use new factory methods.
3118
3119         * replay/EncodedValue.cpp:
3120         (JSC::ScalarEncodingTraits<bool>::encodeValue):
3121         (JSC::ScalarEncodingTraits<double>::encodeValue):
3122         (JSC::ScalarEncodingTraits<float>::encodeValue):
3123         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
3124         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
3125         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
3126         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
3127         * replay/EncodedValue.h:
3128         Use new factory methods.
3129
3130 2016-04-08  Filip Pizlo  <fpizlo@apple.com>
3131
3132         Add IC support for arguments.length
3133         https://bugs.webkit.org/show_bug.cgi?id=156389
3134
3135         Reviewed by Geoffrey Garen.
3136         
3137         This adds support for caching accesses to arguments.length for both DirectArguments and
3138         ScopedArguments. In strict mode, we already cached these accesses since they were just
3139         normal properties.
3140
3141         Amazingly, we also already supported caching of overridden arguments.length in both
3142         DirectArguments and ScopedArguments. This is because when you override, the property gets
3143         materialized as a normal JS property and the structure is changed.
3144         
3145         This patch painstakingly preserves our previous caching of overridden length while
3146         introducing caching of non-overridden length (i.e. the common case). In fact, we even cache
3147         the case where it could either be overridden or not, since we just end up with an AccessCase
3148         for each and they cascade to each other.
3149
3150         This is a >3x speed-up on microbenchmarks that do arguments.length in a polymorphic context.
3151         Entirely monomorphic accesses were already handled by the DFG.
3152
3153         * bytecode/PolymorphicAccess.cpp:
3154         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
3155         (JSC::AccessCase::guardedByStructureCheck):
3156         (JSC::AccessCase::generateWithGuard):
3157         (JSC::AccessCase::generate):
3158         (WTF::printInternal):
3159         * bytecode/PolymorphicAccess.h:
3160         * jit/ICStats.h:
3161         * jit/JITOperations.cpp:
3162         * jit/Repatch.cpp:
3163         (JSC::tryCacheGetByID):
3164         (JSC::tryCachePutByID):
3165         (JSC::tryRepatchIn):
3166         * tests/stress/direct-arguments-override-length-then-access-normal-length.js: Added.
3167         (args):
3168         (foo):
3169         (result.foo):
3170
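A script that exercises the cases this entry describes, added here as an example and not taken from the ChangeLog or the stress test it lists; which JSC arguments class (DirectArguments vs. ScopedArguments) each helper below produces is an assumption about the engine, while the observable results hold in any ES2015 engine:

```javascript
// Added example, not WebKit code. One property-access site, readLength(), is
// fed every flavour of arguments object the IC above has to tell apart.
// Which object kind JSC allocates for each helper is an assumption here.

// The single access site: once it has seen several kinds of `args` it is
// polymorphic, which is the case this patch reports as >3x faster in JSC.
function readLength(args) {
    return args.length;
}

// Sloppy-mode function with no captured parameters: assumed to be a
// DirectArguments object in JSC, whose length is not a real property
// until it is overridden.
function directArgs() {
    return arguments;
}

// A closure captures a parameter, so the arguments object must alias the
// scope; assumed to be a ScopedArguments object in JSC.
function scopedArgs(a, b) {
    var sum = function () { return a + b; };
    sum(); // keep the capture alive
    return arguments;
}

// Overriding length materializes it as an ordinary property and changes the
// structure, which is why the pre-existing cache for overridden length works.
function overriddenArgs() {
    arguments.length = 7;
    return arguments;
}

// Same function, two behaviours: the override happens only on some calls, so
// the access site sees both the overridden and the non-overridden structure
// for one arguments kind, the "could be either" case the entry mentions.
function maybeOverridden(override) {
    if (override)
        arguments.length = 99;
    return arguments;
}

// Run the mixed workload enough times for a tiering JIT to cache the site and
// return what each kind reported on the final iteration.
function runPolymorphic(iterations) {
    var seen = { direct: -1, scoped: -1, overridden: -1, sometimes: [] };
    for (var i = 0; i < iterations; i++) {
        seen.direct = readLength(directArgs(1, 2, 3));
        seen.scoped = readLength(scopedArgs(1, 2));
        seen.overridden = readLength(overriddenArgs(1));
        seen.sometimes = [
            readLength(maybeOverridden(false)),
            readLength(maybeOverridden(true))
        ];
    }
    return seen;
}

// Sanity check a reader can run directly: the cached path must agree with
// the uncached semantics for every kind.
var result = runPolymorphic(10000);
if (result.direct !== 3 || result.scoped !== 2 || result.overridden !== 7
    || result.sometimes[0] !== 1 || result.sometimes[1] !== 99)
    throw new Error("arguments.length mismatch: " + JSON.stringify(result));
```
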
3171 2016-04-08  Benjamin Poulain  <bpoulain@apple.com>
3172
3173         UInt32ToNumber should have an Int52 path
3174         https://bugs.webkit.org/show_bug.cgi?id=125704
3175
3176         Reviewed by Filip Pizlo.
3177
3178         When dealing with big numbers, fall back to Int52 instead
3179         of double when possible.
3180
3181         * dfg/DFGAbstractInterpreterInlines.h:
3182         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3183         * dfg/DFGFixupPhase.cpp:
3184         (JSC::DFG::FixupPhase::fixupNode):
3185         * dfg/DFGPredictionPropagationPhase.cpp:
3186         (JSC::DFG::PredictionPropagationPhase::propagate):
3187         * dfg/DFGSpeculativeJIT.cpp:
3188         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
3189         * ftl/FTLLowerDFGToB3.cpp:
3190         (JSC::FTL::DFG::LowerDFGToB3::compileUInt32ToNumber):
3191
3192 2016-04-08  Brian Burg  <bburg@apple.com>
3193
3194         Web Inspector: protocol generator should emit an error when 'type' is used instead of '$ref'
3195         https://bugs.webkit.org/show_bug.cgi?id=156275
3196         <rdar://problem/25569331>
3197
3198         Reviewed by Darin Adler.
3199
3200         * inspector/protocol/Heap.json: Fix a mistake that's now caught by the protocol generator.
3201
3202         * inspector/scripts/codegen/models.py:
3203         (TypeReference.__init__): Check here if type_kind is on a whitelist of primitive types.
3204         (TypeReference.referenced_name): Update comment.
3205
3206         Add a new test specifically for the case when the type would otherwise be resolved. Rebaseline.
3207
3208         * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Added.
3209         * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error:
3210         * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Added.
3211
3212 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3213
3214         Remove ENABLE(ENABLE_ES6_CLASS_SYNTAX) guards
3215         https://bugs.webkit.org/show_bug.cgi?id=156384
3216
3217         Reviewed by Ryosuke Niwa.
3218
3219         * Configurations/FeatureDefines.xcconfig:
3220         * features.json: Mark as Done.
3221         * parser/Parser.cpp:
3222         (JSC::Parser<LexerType>::parseExportDeclaration):
3223         (JSC::Parser<LexerType>::parseStatementListItem):
3224         (JSC::Parser<LexerType>::parsePrimaryExpression):
3225         (JSC::Parser<LexerType>::parseMemberExpression):
3226
3227 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
3228
3229         Implementing caching transition puts that need to reallocate with indexing storage
3230         https://bugs.webkit.org/show_bug.cgi?id=130914
3231
3232         Reviewed by Saam Barati.
3233
3234         This enables the IC's put_by_id path to handle reallocating the out-of-line storage even if
3235         the butterfly has indexing storage. Like the DFG, we do this by calling operations that
3236         reallocate the butterfly. Those use JSObject API and do all of the nasty work for us, like
3237         triggering a barrier.
3238
3239         This does a bunch of refactoring to how PolymorphicAccess makes calls. It's a lot easier to
3240         do it now because the hard work is hidden under AccessGenerationState methods. This means
3241         that custom accessors now share logic with put_by_id transitions.
3242
3243         * bytecode/PolymorphicAccess.cpp:
3244         (JSC::AccessGenerationState::succeed):
3245         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
3246         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
3247         (JSC::AccessGenerationState::originalCallSiteIndex):
3248         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
3249         (JSC::AccessCase::AccessCase):
3250         (JSC::AccessCase::transition):
3251         (JSC::AccessCase::generate):
3252         (JSC::PolymorphicAccess::regenerate):
3253         * bytecode/PolymorphicAccess.h:
3254         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
3255         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
3256         * dfg/DFGOperations.cpp:
3257         * dfg/DFGOperations.h:
3258         * jit/JITOperations.cpp:
3259         * jit/JITOperations.h:
3260
3261 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3262
3263         Remote Inspector: When disallowing remote inspection on a debuggable, a listing is still sent to debuggers
3264         https://bugs.webkit.org/show_bug.cgi?id=156380
3265         <rdar://problem/25323727>
3266
3267         Reviewed by Timothy Hatcher.
3268
3269         * inspector/remote/RemoteInspector.mm:
3270         (Inspector::RemoteInspector::updateTarget):
3271         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
3272         When a target has been updated and it no longer generates a listing,
3273         we should remove the old listing as that is now stale and should
3274         not be sent. Not generating a listing means this target is no
3275         longer allowed to be debugged.
3276
3277 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3278
3279         Web Inspector: Not necessary to validate webinspectord connection on iOS
3280         https://bugs.webkit.org/show_bug.cgi?id=156377
3281         <rdar://problem/25612460>
3282
3283         Reviewed by Simon Fraser.
3284
3285         * inspector/remote/RemoteInspectorXPCConnection.h:
3286         * inspector/remote/RemoteInspectorXPCConnection.mm:
3287         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3288
3289 2016-04-07  Keith Miller  <keith_miller@apple.com>
3290
3291         Rename ArrayMode::supportsLength to supportsSelfLength
3292         https://bugs.webkit.org/show_bug.cgi?id=156374
3293
3294         Reviewed by Filip Pizlo.
3295
3296         The name supportsLength is confusing because TypedArrays have a
3297         length function; however, it is on the prototype and not on the
3298         instance. supportsSelfLength makes more sense since we use the
3299         function during fixup to tell if we can intrinsic the length
3300         property lookup on self accesses.
3301
3302         * dfg/DFGArrayMode.h:
3303         (JSC::DFG::ArrayMode::supportsSelfLength):
3304         (JSC::DFG::ArrayMode::supportsLength): Deleted.
3305         * dfg/DFGFixupPhase.cpp:
3306         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
3307
3308 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
3309
3310         Web Inspector: ProfileView source links are off by 1 line, worse in pretty printed code
3311         https://bugs.webkit.org/show_bug.cgi?id=156371
3312
3313         Reviewed by Timothy Hatcher.
3314
3315         * inspector/protocol/ScriptProfiler.json:
3316         Clarify that these locations are 1-based.
3317
3318 2016-04-07  Jon Davis  <jond@apple.com>
3319
3320         Add Web Animations API to Feature Status Page
3321         https://bugs.webkit.org/show_bug.cgi?id=156360
3322
3323         Reviewed by Timothy Hatcher.
3324
3325         * features.json:
3326
3327 2016-04-07  Saam barati  <sbarati@apple.com>
3328
3329         Invalid assertion inside DebuggerScope::getOwnPropertySlot
3330         https://bugs.webkit.org/show_bug.cgi?id=156357
3331
3332         Reviewed by Keith Miller.
3333
3334         The Type Profiler might profile JS code that uses DebuggerScope and accesses properties
3335         on it. Therefore, it may have a DebuggerScope object in its log. Objects in the log
3336         are subject to having their getOwnPropertySlot method called. Therefore, the DebuggerScope
3337         might not always be in a valid state when its getOwnPropertySlot method is called.
3338         Therefore, the assertion is invalid.
3339
3340         * debugger/DebuggerScope.cpp:
3341         (JSC::DebuggerScope::getOwnPropertySlot):
3342
3343 2016-04-07  Saam barati  <sbarati@apple.com>
3344
3345         Initial implementation of annex b.3.3 behavior was incorrect
3346         https://bugs.webkit.org/show_bug.cgi?id=156276
3347
3348         Reviewed by Keith Miller.
3349
3350         I almost got annex B.3.3 correct in my first implementation.
3351         There is a subtlety here I got wrong. We always create a local binding for
3352         a function at the very beginning of execution of a block scope. So we
3353         hoist function declarations to their local binding within a given
3354         block scope. When we actually evaluate the function declaration statement
3355         itself, we must look up the binding in the current scope, and bind the
3356         value to the binding in the "var" scope. We perform the following
3357         abstract operations when executing a function declaration statement.
3358
3359         f = lookupBindingInCurrentScope("func")
3360         store(varScope, "func", f)
3361
3362         I got this wrong by performing the store to the var binding at the beginning
3363         of the block scope instead of when we evaluate the function declaration statement.
3364         This behavior is observable. For example, a program could change the value
3365         of "func" before the actual function declaration statement executes.
3366         Consider the following two functions:
3367         ```
3368         function foo1() {
3369             // func === undefined
3370             {
3371                 // typeof func === "function"
3372                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
3373                 func = 20 // This sets the local "func" binding to 20.
3374             }
3375             // typeof func === "function"
3376         }
3377
3378         function foo2() {
3379             // func === undefined
3380             {