DFG del_by_id support forgets to set()

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-04-20  Filip Pizlo  <fpizlo@apple.com>

        DFG del_by_id support forgets to set()
        https://bugs.webkit.org/show_bug.cgi?id=156830

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/dfg-del-by-id.js: Added.

2016-04-20  Saam barati  <sbarati@apple.com>

        Improve sampling profiler CLI JSC tool
        https://bugs.webkit.org/show_bug.cgi?id=156824

        Reviewed by Mark Lam.

        This patch enhances the Sampling Profiler CLI tool from the JSC shell
        to display the JITType of a particular CodeBlock. Because this happens
        once we process a log of stack frames, the data for a particular frame
        being in LLInt vs. Baseline could be wrong. For example, we may have taken 
        a stack trace of a CodeBlock while it was executing in the LLInt, then 
        it tiers up to the baseline, then we process the log. We will show such CodeBlocks
        as being in the baseline JIT. We could be smarter about this in the future if
        it turns out to truly be a problem.

        This patch also adds a 'samplingProfilerTimingInterval' JSC option to allow
        CLI users to control the sleep time between stack traces.

        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):

2016-04-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] DFG should not generate two jumps when the target of DoubleBranch is the next block  
        https://bugs.webkit.org/show_bug.cgi?id=156815

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):

2016-04-20  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add register reuse for ArithAdd of an Int32 and constant in DFG
        https://bugs.webkit.org/show_bug.cgi?id=155164

        Reviewed by Mark Lam.

        Every "inc" in loop was looking like this:
            move rX, rY
            inc rY
            jo 0x230f4a200580

        This patch add register Reuse to that case to remove
        the extra "move".

        * dfg/DFGOSRExit.h:
        (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
        (JSC::DFG::SpeculationRecovery::immediate):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithAdd):
        * tests/stress/arith-add-with-constant-overflow.js: Added.
        (opaqueAdd):

2016-04-20  Saam barati  <sbarati@apple.com>

        We don't need a manual stack for an RAII object when the machine's stack will do just fine
        https://bugs.webkit.org/show_bug.cgi?id=156807

        Reviewed by Mark Lam.

        We kept around a vector for an RAII object to maintain
        the recursive nature of having these RAII objects on
        the stack as the parser recursed. Instead, the RAII object
        can just have a field with the value it wants to restore
        and use the machine's stack.

        This is a 1% octane code-load progression.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::BinaryExprContext::BinaryExprContext):
        (JSC::SyntaxChecker::BinaryExprContext::~BinaryExprContext):
        (JSC::SyntaxChecker::UnaryExprContext::UnaryExprContext):
        (JSC::SyntaxChecker::UnaryExprContext::~UnaryExprContext):
        (JSC::SyntaxChecker::operatorStackPop):

2016-04-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r190289): Spin trying to view/sign in to hbogo.com
        https://bugs.webkit.org/show_bug.cgi?id=156765

        Reviewed by Saam Barati.

        In the op_get_by_val case, we were holding the lock on a profiled CodeBlock
        when we call into handleGetById(). Changed to drop the lock before calling
        handleGetById().

        The bug here was that the call to handleGetById() may end up calling in to
        getPredictionWithoutOSRExit() for a tail call opcode. As part of that
        processing, we walk back up the stack to find the effective caller and when
        found, we lock the corresponding CodeBlock to get the predicition.
        That CodeBLock may be the same one locked above. There is no need anyway
        to hold the CodeBlock lock when calling handleGetById().

        Added a new stress test.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/regress-156765.js: Added.
        (realValue):
        (object.get hello):
        (ok):

2016-04-20  Mark Lam  <mark.lam@apple.com>

        Unindent an unnecessary block in stringProtoFuncSplitFast().
        https://bugs.webkit.org/show_bug.cgi?id=156802

        Reviewed by Filip Pizlo.

        In webkit.org/b/156013, I refactored stringProtoFuncSplit into
        stringProtoFuncSplitFast.  In that patch, I left an unnecessary block of code in
        its original block (with FIXMEs) to keep the diff for that patch minimal.  Now
        that the patch for webkit.org/b/156013 has landed, I will unindent that block and
        remove the FIXMEs.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplitFast):

2016-04-20  Brady Eidson  <beidson@apple.com>

        Modern IDB (Workers): Enable INDEXED_DATABASE_IN_WORKERS compile time flag, but disabled in RuntimeEnabledFeatures.
        https://bugs.webkit.org/show_bug.cgi?id=156782

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2016-04-20  Saam barati  <sbarati@apple.com>

        Remove unused m_writtenVariables from the parser and related bits
        https://bugs.webkit.org/show_bug.cgi?id=156784

        Reviewed by Yusuke Suzuki.

        This isn't a octane/codeload speedup even though we're doing less work in
        collectFreeVariables. But it's good to get rid of things that are not used.

        * parser/Nodes.h:
        (JSC::ScopeNode::usesEval):
        (JSC::ScopeNode::usesArguments):
        (JSC::ScopeNode::usesArrowFunction):
        (JSC::ScopeNode::isStrictMode):
        (JSC::ScopeNode::setUsesArguments):
        (JSC::ScopeNode::usesThis):
        (JSC::ScopeNode::modifiesParameter): Deleted.
        (JSC::ScopeNode::modifiesArguments): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::hasDeclaredParameter):
        (JSC::Scope::preventAllVariableDeclarations):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::getSloppyModeHoistedFunctions):
        (JSC::Scope::getCapturedVars):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::strictMode):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Parser::hasDeclaredParameter):
        (JSC::Parser::exportName):
        (JSC::Scope::declareWrite): Deleted.
        (JSC::Parser::declareWrite): Deleted.
        * parser/ParserModes.h:

2016-04-19  Saam barati  <sbarati@apple.com>

        Unreviewed, fix cloop build after r199754.

        * jsc.cpp:
        (jscmain):

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Filip Pizlo.

        Given that there there are only 128 FLS indices compared to over a 1000 for TLS,
        I eliminated the thread specific m_threadSpecificForThread and instead we look
        for the current thread in m_registeredThreads list when we need it.
        In most cases there will only be one thread.

        Added THREAD_SPECIFIC_CALL to signature of ThreadSpecific remove callbacks
        to set the calling convention correctly for Windows 32 bit.

        * heap/MachineStackMarker.cpp:
        (JSC::ActiveMachineThreadsManager::remove):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

2016-04-19  Benjamin Poulain  <bpoulain@webkit.org>

        [JSC] Small cleanup of RegisterAtOffsetList
        https://bugs.webkit.org/show_bug.cgi?id=156779

        Reviewed by Mark Lam.

        I was wondering why RegisterAtOffsetList always cache-miss.
        It looks like it is doing more than it needs to.

        We do not need to sort the values. The total order of
        RegisterAtOffset is:
        1) Order of Reg.
        2) Order of offsets.
        We already generate the list in order.

        Also allocate the right array size ahead of filling the array.

        * jit/RegisterAtOffsetList.cpp:
        (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
        (JSC::RegisterAtOffsetList::sort): Deleted.
        * jit/RegisterAtOffsetList.h:
        (JSC::RegisterAtOffsetList::append): Deleted.

2016-04-19  Saam barati  <sbarati@apple.com>

        Add a couple UNLIKELY macros in parseMemberExpression
        https://bugs.webkit.org/show_bug.cgi?id=156775

        Reviewed by Filip Pizlo.

        These UNLIKELY macros have to do with the base of the
        member expression being 'super'. I think it's safe to
        argue that this is truly UNLIKELY. I am seeing speedups
        sometimes on Octane codeload. Usually around 0.5%. Sometimes 1%.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2016-04-19  Saam barati  <sbarati@apple.com>

        allow jsc shell to dump sampling profiler data
        https://bugs.webkit.org/show_bug.cgi?id=156725

        Reviewed by Benjamin Poulain.

        This patch adds a '--reportSamplingProfilerData' option to the
        JSC shell which will enable the sampling profiler and dump
        its data at the end of execution. The dump will include the
        40 hottest functions and the 80 hottest bytecode locations.
        If you're using this option to debug, it's easy to just hack
        on the code to make it dump more or less information.

        * jsc.cpp:
        (CommandLine::parseArguments):
        (jscmain):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::stackTracesAsJSON):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):
        (JSC::SamplingProfiler::StackFrame::hasBytecodeIndex):
        (JSC::SamplingProfiler::StackFrame::hasCodeBlockHash):
        (JSC::SamplingProfiler::setStopWatch):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement RegExp.prototype[@@search].
        https://bugs.webkit.org/show_bug.cgi?id=156331

        Reviewed by Keith Miller.

        What changed?
        1. Implemented search builtin in RegExpPrototype.js.
           The native path is now used as a fast path.
        2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
           IsJSArrayIntrinsic).
        3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
        4. Change the esSpecIsRegExpObject() implementation to check if the object's
           JSType is RegExpObjectType instead of walking the classinfo chain.

        * builtins/RegExpPrototype.js:
        (search):
        * builtins/StringPrototype.js:
        (search):
        - fixed some indentation.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
        (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
        (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::isType):
        * runtime/Intrinsic.h:
        - Added IsRegExpObjectIntrinsic.

        * runtime/CommonIdentifiers.h:

        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsConstructor):
        - Changed to use uncheckedArgument since this is only called from internal code.
        (JSC::esSpecIsRegExpObject):
        (JSC::esSpecIsRegExp): Deleted.
        * runtime/ECMAScriptSpecInternalFunctions.h:
        - Changed to check the object for a JSType of RegExpObjectType.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Added split fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::regExpProtoFuncSearch): Deleted.
        * runtime/RegExpPrototype.h:

        * tests/es6.yaml:
        * tests/stress/regexp-search.js:
        - Rebased test.

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Replace $vm.printValue() with $vm.value().
        https://bugs.webkit.org/show_bug.cgi?id=156767

        Reviewed by Saam Barati.

        When debugging with $vm, this change allows us to do this:

            $vm.print("myObj = " + $vm.value(myObj) + "\n");

        ... instead of having to do this:

            $vm.print("myObj = ");
            $vm.printValue(myObj);
            $vm.print("\n");

        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::printValue):
        (JSC::functionValue):
        (JSC::JSDollarVMPrototype::finishCreation):
        (JSC::functionPrintValue): Deleted.

2016-04-18  Oliver Hunt  <oliver@apple.com>

        Enable separated heap by default on ios
        https://bugs.webkit.org/show_bug.cgi?id=156720

        Reviewed by ggaren.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2016-04-19  Mark Lam  <mark.lam@apple.com>

        Re-landing: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
        https://bugs.webkit.org/show_bug.cgi?id=156013

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/GlobalObject.js:
        (speciesConstructor):
        * builtins/PromisePrototype.js:
        - refactored to use the @speciesConstructor internal function.

        * builtins/RegExpPrototype.js:
        (advanceStringIndex):
        - refactored from @advanceStringIndexUnicode() to be match the spec.
          Benchmarks show that there's no advantage in doing the unicode check outside
          of the advanceStringIndexUnicode part.  So, I simplified the code to match the
          spec (especially since @@split needs to call advanceStringIndex from more than
          1 location).
        (match):
        - Removed an unnecessary call to @Object because it was already proven above.
        - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
          Again, there's no perf regression for this.
        (regExpExec):
        (hasObservableSideEffectsForRegExpSplit):
        (split):
        (advanceStringIndexUnicode): Deleted.

        * builtins/StringPrototype.js:
        (split):
        - Modified to use RegExp.prototype[@@split].

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h:
        - Added the @@split symbol.

        * runtime/CommonIdentifiers.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
        (JSC::esSpecIsConstructor):
        (JSC::esSpecIsRegExp):
        * runtime/ECMAScriptSpecInternalFunctions.h: Added.

        * runtime/JSGlobalObject.cpp:
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        - Removed an assert that is no longer valid.

        * runtime/RegExpObject.h:
        - Made advanceStringUnicode() public so that it can be re-used by the regexp split
          fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncSearch):
        (JSC::advanceStringIndex):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/RegExpPrototype.h:

        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        - Hoisted some utility functions from StringPrototype.cpp so that they can be
          reused by the regexp split fast path.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstr):
        (JSC::builtinStringSubstrInternal):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringIncludesImpl):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::jsStringWithReuse): Deleted.
        (JSC::jsSubstring): Deleted.
        (JSC::stringProtoFuncSplit): Deleted.
        * runtime/StringPrototype.h:

        * tests/es6.yaml:

2016-04-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r199726.
        https://bugs.webkit.org/show_bug.cgi?id=156748

        WebKit tests crash on Windows 32 (Requested by msaboff on
        #webkit).

        Reverted changeset:

        "iTunes crashing JavaScriptCore.dll"
        https://bugs.webkit.org/show_bug.cgi?id=156647
        http://trac.webkit.org/changeset/199726

2016-04-19  Michael Saboff  <msaboff@apple.com>

        iTunes crashing JavaScriptCore.dll
        https://bugs.webkit.org/show_bug.cgi?id=156647

        Reviewed by Saam Barati.

        Given that there there are only 128 FLS indices compared to over a 1000 for TLS, I
        eliminated the thread specific m_threadSpecificForThread and instead we look for the
        current thread in m_registeredThreads list when we need it.  In most cases there
        will only be one thread.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        * heap/MachineStackMarker.h:

2016-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [INTL] Use @thisNumberValue instead of `instanceof @Number`
        https://bugs.webkit.org/show_bug.cgi?id=156680

        Reviewed by Saam Barati.

        Use @thisNumberValue instead of `instanceof @Number`.
        `instanceof @Number` is not enough;
        For example, given 2 realms, the object created in one realm does not
        inherit the Number of another realm.
        Another example is that the object which does not inherit Number.

        ```
        var number = new Number(42);
        number.__proto__ = null;
        ```

        * builtins/NumberPrototype.js:
        (toLocaleString):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncValueOf):
        * runtime/NumberPrototype.h:
        * tests/stress/number-to-locale-string-should-accept-strange-number-objects.js: Added.
        (shouldBe):

2016-04-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r199712.
        https://bugs.webkit.org/show_bug.cgi?id=156741

        It caused a serious regression on 32 bit platform (Requested
        by gskachkov on #webkit).

        Reverted changeset:

        "calling super() a second time in a constructor should throw"
        https://bugs.webkit.org/show_bug.cgi?id=151113
        http://trac.webkit.org/changeset/199712

2016-04-09  Skachkov Oleksandr  <gskachkov@gmail.com>

        calling super() a second time in a constructor should throw
        https://bugs.webkit.org/show_bug.cgi?id=151113

        Reviewed by Saam Barati and Keith Miller.

        Currently, our implementation checks if 'super()' was called in a constructor more 
        than once and raises a RuntimeError before the second call. According to the spec 
        we need to raise an error just after the second super() is finished and before 
        the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour. 
        To implement this behavior this patch adds a new op code, op_is_empty, that is used 
        to check if 'this' is empty.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIsEmpty):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallValueNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_empty):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_empty):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * tests/stress/class-syntax-double-constructor.js: Added.

2016-04-18  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Fix some overhead affecting small codegen
        https://bugs.webkit.org/show_bug.cgi?id=156728

        Reviewed by Filip Pizlo.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::random):
        cryptographicallyRandomNumber() is very costly.
        We only need it in lowering some very particular cases
        of non-trusted immediates. No inline cache needs that.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::addSlowCase):
        Do not copy the JumpList to access its elements.

2016-04-18  Saam barati  <sbarati@apple.com>

        implement dynamic scope accesses in the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=156567

        Reviewed by Geoffrey Garen.

        This patch adds dynamic scope operations to the DFG/FTL.
        This patch adds three new DFG nodes: ResolveScope, PutDynamicVar and GetDynamicVar.
        When we encounter a Dynamic/UnresolvedProperty/UnresolvedPropertyWithVarInjectionChecks
        resolve type, we will compile dynamic scope resolution nodes. When we encounter
        a resolve type that needs var injection checks and the var injection
        watchpoint has already been fired, we will compile dynamic scope resolution
        nodes.

        This patch also adds a new value to the InitializationMode enum: ConstInitialization.
        There was a subtle bug where we used to never compile the var injection variant of the 
        resolve type for an eval that injected a var where there was also a global lexical variable with the same name. 
        For example, the store compiled in this eval("var foo = 20;") wouldn't be compiled 
        with var injection checks if there was global let/const variable named "foo".
        So there was the potential for the injected var to store to the GlobalLexicalObject.
        I found this bug because my initial implementation in the DFG/FTL ran into it.
        The reason this bug existed is because when we compile a const initialization,
        we never need a var injections check. The const initialization always
        knows where to store its value. This same logic leaked into the above eval's 
        "var foo = 20" store. This new enum value allows us to distinguish const
        initialization stores from non-const initialization stores.

        (I also changed InitializationMode to be an enum class instead of an enum).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
        (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::initializeVariable):
        (JSC::BytecodeGenerator::emitInstanceOf):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::pushScopedControlFlowContext):
        (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::initializationModeForAssignmentContext):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        (JSC::AssignmentElementNode::bindValue):
        (JSC::RestParameterNode::emit):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::noticeArgumentsUse):
        (JSC::DFG::ByteCodeParser::promoteToConstant):
        (JSC::DFG::ByteCodeParser::needsDynamicLookup):
        (JSC::DFG::ByteCodeParser::planLoad):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::identifierNumber):
        (JSC::DFG::Node::hasGetPutInfo):
        (JSC::DFG::Node::getPutInfo):
        (JSC::DFG::Node::hasAccessorAttributes):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
        (JSC::DFG::SpeculativeJIT::compileResolveScope):
        (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
        (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
        (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/GetPutInfo.h:
        (JSC::resolveModeName):
        (JSC::initializationModeName):
        (JSC::isInitialization):
        (JSC::makeType):
        (JSC::GetPutInfo::GetPutInfo):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):

2016-04-18  Filip Pizlo  <fpizlo@apple.com>

        Disable AVX.

        Rubber stampted by Benjamin Poulain.

        AVX is silly. If you use it and some of your other code isn't careful with float register bits, you
        will run 10x slower. We could fix the underlying issue, but it's better to stay away from this odd
        instruction subset.

        This fixes a massive regression on some real code.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::supportsAVX):
        (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):

2016-04-18  Filip Pizlo  <fpizlo@apple.com>

        ToThis should have a fast path based on type info flags
        https://bugs.webkit.org/show_bug.cgi?id=156712

        Reviewed by Geoffrey Garen.

        Prior to this change, if we couldn't nail down the type of ToThis to something easy, we'd emit code
        that would take slow path if the argument was not a final object. We'd end up taking that slow path
        a lot.

        This adds a type info flag for ToThis having non-obvious behavior and changes the DFG and FTL paths
        to test this flag. This is a sub-1% speed-up on SunSpider and Octane.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        * runtime/JSString.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::overridesGetOwnPropertySlot):
        (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
        (JSC::TypeInfo::structureIsImmortal):
        (JSC::TypeInfo::overridesToThis):
        (JSC::TypeInfo::overridesGetPropertyNames):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        (JSC::TypeInfo::getOwnPropertySlotIsImpure):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/Symbol.h:

2016-04-18  Filip Pizlo  <fpizlo@apple.com>

        Check to see how the perf bots react to megamorphic load being disabled.

        Rubber stamped by Chris Dumez.

        * runtime/Options.h:

2016-04-18  Keith Miller  <keith_miller@apple.com>

        We should support delete in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=156607

        Reviewed by Benjamin Poulain.

        This patch adds support for the delete in the DFG as it appears that
        some major frameworks use the operation in particularly hot functions.
        As a result, even if the function rarely ever calls delete we would never
        tier up to the DFG. This patch also changes operationDeleteById to take a
        UniquedStringImpl and return a size_t.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDeleteById):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_del_by_id):

2016-04-17  Filip Pizlo  <fpizlo@apple.com>

        FTL should pin the tag registers at inline caches
        https://bugs.webkit.org/show_bug.cgi?id=156678

        Reviewed by Saam Barati.

        This is a long-overdue fix to our inline caches. Back when we had LLVM, we couldn't rely on the tags
        being pinned to any registers. So, if the inline caches needed tags, they'd have to materialize them.
        
        This removes those materializations. This should reduce the amount of code generated in inline caches
        and it should make inline caches faster. The effect appears to be small.

        It may be that after this change, we'll even be able to kill the
        HaveTagRegisters/DoNotHaveTagRegisters logic.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generateImpl):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        * jit/Repatch.cpp:
        (JSC::readCallTarget):
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):

2016-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES7] yield star should not return if the inner iterator.throw returns { done: true }
        https://bugs.webkit.org/show_bug.cgi?id=156576

        Reviewed by Saam Barati.

        This is slight generator fix in ES7. When calling generator.throw(),
        the yield-star should call the throw() of the inner generator. At that
        time, when the result of throw() is { done: true}, the generator should
        not stop itself.

            function * gen()
            {
                yield * (function * () {
                    try {
                        yield 42;
                    } catch (error) { }
                }());
                // Continue executing.
                yield 42;
            }

            let g = gen();
            g.next();
            shouldBe(g.throw().value, 42);


        * builtins/GeneratorPrototype.js:
        (generatorResume):
        (next):
        (return):
        (throw):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDelegateYield):
        * runtime/JSGeneratorFunction.h:
        * tests/stress/generator-yield-star.js:
        (gen):
        * tests/stress/yield-star-throw-continue.js: Added.
        (shouldBe):
        (generator):
        (shouldThrow):

2016-04-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>

        Fix incorrect assumption that APPLE implies Mac.
        https://bugs.webkit.org/show_bug.cgi?id=156683
    
        Addresses build failure introduced in r199094

        Reviewed by Alex Christensen.

        * CMakeLists.txt:

2016-04-17  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] ReduceDoubleToFloat should work accross Phis
        https://bugs.webkit.org/show_bug.cgi?id=156603
        <rdar://problem/25736205>

        Reviewed by Saam Barati and Filip Pizlo.

        This patch extends B3's ReduceDoubleToFloat phase to work accross
        Upsilon-Phis. This is important to optimize loops and some crazy cases.

        In its simplest form, we can have conversion propagated from something
        like this:
            Double @1 = Phi()
            Float @2 = DoubleToFloat(@1)

        When that happens, we just need to propagate that the result only
        need float precision accross all values coming to this Phi.


        There are more complicated cases when the value produced is effectively Float
        but the user of the value does not do DoubleToFloat.

        Typically, we have something like:
            #1
                @1 = ConstDouble(1)
                @2 = Upsilon(@1, ^5)
            #2
                @3 = FloatToDouble(@x)
                @4 = Upsilon(@3, ^5)
            #3
                @5 = Phi()
                @6 = Add(@5, @somethingFloat)
                @7 = DoubleToFloat(@6)

        Here with a Phi-Upsilon that is a Double but can be represented
        as Float without loss of precision.

        It is valuable to convert such Phis to float if and only if the value
        is used as float. Otherwise, you may be just adding useless conversions
        (for example, two double constants that flow into a double Add should not
        turn into two float constant flowing into a FloatToDouble then Add).


        ReduceDoubleToFloat do two analysis passes to gather the necessary
        meta information. Then we have a simplify() phase to actually reduce
        operation. Finally, the cleanup() pass put the graph into a valid
        state again.

        The two analysis passes work by disproving that something is float.
        -findCandidates() accumulates anything used as Double.
        -findPhisContainingFloat() accumulates phis that would lose precision
         by converting the input to float.

        With this change, Unity3D improves by ~1.5%, box2d-f32 improves
        by ~2.8% (on Haswell).

        * b3/B3ReduceDoubleToFloat.cpp:
        (JSC::B3::reduceDoubleToFloat):
        * b3/testb3.cpp:
        (JSC::B3::testCompareTwoFloatToDouble):
        (JSC::B3::testCompareOneFloatToDouble):
        (JSC::B3::testCompareFloatToDoubleThroughPhi):
        (JSC::B3::testDoubleToFloatThroughPhi):
        (JSC::B3::testDoubleProducerPhiToFloatConversion):
        (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
        (JSC::B3::testDoubleProducerPhiWithNonFloatConst):
        (JSC::B3::testStoreDoubleConstantAsFloat):
        (JSC::B3::run):
        * tests/stress/double-compare-to-float.js: Added.
        (canSimplifyToFloat):
        (canSimplifyToFloatWithConstant):
        (cannotSimplifyA):
        (cannotSimplifyB):
        * tests/stress/double-to-float.js: Added.
        (upsilonReferencingItsPhi):
        (upsilonReferencingItsPhiAllFloat):
        (upsilonReferencingItsPhiWithoutConversion):
        (conversionPropagages):
        (chainedUpsilonBothConvert):
        (chainedUpsilonFirstConvert):

2016-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Use @isObject to check Object Type instead of using instanceof
        https://bugs.webkit.org/show_bug.cgi?id=156676

        Reviewed by Darin Adler.

        Use @isObject instead of `instanceof @Object`.
        The `instanceof` check is not enough to check Object Type.
        For example, given 2 realms, the object created in one realm does not inherit the Object of another realm.
        Another example is that the object which does not inherit Object.
        This object can be easily created by calling `Object.create(null)`.

        * builtins/RegExpPrototype.js:
        (match):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCreateGlobalObject):
        * tests/stress/regexp-match-in-other-realm-should-work.js: Added.
        (shouldBe):
        * tests/stress/regexp-match-should-work-with-objects-not-inheriting-object-prototype.js: Added.
        (shouldBe):
        (regexp.exec):

2016-04-17  Darin Adler  <darin@apple.com>

        Remove more uses of Deprecated::ScriptXXX
        https://bugs.webkit.org/show_bug.cgi?id=156660

        Reviewed by Antti Koivisto.

        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted
        unneeded overloads that take a ScriptObject and ScriptValue.
        * bindings/ScriptFunctionCall.h: Ditto.

        * bindings/ScriptObject.h: Added operator so this can change
        itself into a JSObject*. Helps while phasing this class out.

        * bindings/ScriptValue.h: Export toInspectorValue so it can be
        used in WebCore.

        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript): Changed
        return value from Deprecated::ScriptObject to JSObject*.
        (Inspector::InjectedScriptManager::injectedScriptFor): Updated for
        the return value change above.
        * inspector/InjectedScriptManager.h: Ditto.

2016-04-16  Benjamin Poulain  <bpoulain@webkit.org>

        [JSC] DFG should support relational comparisons of Number and Other
        https://bugs.webkit.org/show_bug.cgi?id=156669

        Reviewed by Darin Adler.

        In Sunspider/3d-raytrace, DFG falls back to JSValue in some important
        relational compare because profiling sees "undefined" from time to time.

        This case is fairly common outside Sunspider too because of out-of-bounds array access.
        Unfortunately for us, our fallback for compare is really inefficient.

        Fortunately, relational comparison with null/undefined/true/false are trival.
        We can just convert both side to Double. That's what this patch adds.

        I also extended constant folding for those cases because I noticed
        a bunch of "undefined" constant going through DoubleRep at runtime.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * tests/stress/compare-number-and-other.js: Added.
        (opaqueSideEffect):
        (let.operator.of.operators.eval.testPolymorphic):
        (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.eval.testMonomorphic):
        (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicLeftConstant):
        (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicRightConstant):
        (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.i.testPolymorphic):

2016-04-16  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] FRound/Negate can produce an impure NaN out of a pure NaN
        https://bugs.webkit.org/show_bug.cgi?id=156528

        Reviewed by Filip Pizlo.

        If you fround a double with the bits 0xfff7000000000000
        you get 0xfffe000000000000. The first is a pure NaN, the second isn't.

        This is without test because I could not find a way to create a 0xfff7000000000000
        while convincing DFG that its pure.
        When we purify NaNs from typed array, we use a specific value of NaN if the input
        is any NaN, making testing tricky.

        * bytecode/SpeculatedType.cpp:
        (JSC::typeOfDoubleNegation):

2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>

        JS::DFG::nodeValuePairListDump does not compile with libstdc++ 4.8
        https://bugs.webkit.org/show_bug.cgi?id=156670

        Reviewed by Darin Adler.

        * dfg/DFGNode.h:
        (JSC::DFG::nodeValuePairListDump): Modified to use lambda as comparator.

2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Implemented moveZeroToDouble.
        https://bugs.webkit.org/show_bug.cgi?id=155429

        Reviewed by Darin Adler.

        This function is required to fix compilation after r197687.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::moveZeroToDouble):

2016-04-15  Darin Adler  <darin@apple.com>

        Reduce use of Deprecated::ScriptXXX classes
        https://bugs.webkit.org/show_bug.cgi?id=156632

        Reviewed by Alex Christensen.

        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted version that takes a Deprecated::ScriptValue.
        (Deprecated::ScriptFunctionCall::call): Changed to return a JSValue.
        * bindings/ScriptFunctionCall.h: Updated for the above.

        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue): Moved from Deprecated namespace to Inspector namespace. Later, we should
        move this to another source file in the inspector directory.
        (Inspector::toInspectorValue): Added.
        (Deprecated::ScriptValue::toInspectorValue): Updated for change to underlying function.
        * bindings/ScriptValue.h: Update for the above.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluateOnCallFrame): Changed arguments and return values from
        Deprecated::ScriptValue to JSC::JSValue.
        (Inspector::InjectedScript::functionDetails): Ditto.
        (Inspector::InjectedScript::wrapCallFrames): Ditto.
        (Inspector::InjectedScript::wrapObject): Ditto.
        (Inspector::InjectedScript::wrapTable): Ditto.
        (Inspector::InjectedScript::previewValue): Ditto.
        (Inspector::InjectedScript::setExceptionValue): Ditto.
        (Inspector::InjectedScript::findObjectById): Ditto.
        (Inspector::InjectedScript::inspectObject): Ditto.
        * inspector/InjectedScript.h: Ditto.
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled): Ditto.
        (Inspector::InjectedScriptBase::makeCall): Ditto.
        * inspector/InjectedScriptBase.h: Ditto.
        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected): Ditto.
        * inspector/ScriptDebugListener.h: Ditto.
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction): Ditto.
        (Inspector::ScriptDebugServer::dispatchDidPause): Ditto.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
        (Inspector::ScriptDebugServer::exceptionOrCaughtValue): Ditto.
        * inspector/ScriptDebugServer.h: Ditto.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason): Ditto.
        (Inspector::InspectorDebuggerAgent::didPause): Ditto.
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe): Ditto.
        (Inspector::InspectorDebuggerAgent::didContinue): Ditto.
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): Ditto.
        * inspector/agents/InspectorDebuggerAgent.h: Ditto.
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::getPreview): Ditto.
        (Inspector::InspectorHeapAgent::getRemoteObject): Ditto.

2016-04-15  Keith Miller  <keith_miller@apple.com>

        Some JIT/DFG operations need NativeCallFrameTracers
        https://bugs.webkit.org/show_bug.cgi?id=156650

        Reviewed by Michael Saboff.

        Some of our operation functions did not have native call frame
        tracers. This meant that we would crash occasionally on some
        of our tests when they triggered a GC in one of the functions
        without a tracer. In particular, this was exemplified by another
        upcoming patch when calling operationSetFunctionName.

        This patch does not add tests since this happens consistently in
        the patch adding delete_by_id to the DFG.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:

2016-04-15  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: sourceMappingURL not used when sourceURL is set
        https://bugs.webkit.org/show_bug.cgi?id=156021
        <rdar://problem/25438417>

        Reviewed by Timothy Hatcher.

        Clean up Debugger.sourceParsed to separately include:

            - url ("resource URL", "source url" in JSC APIs)
            - sourceURL - //# sourceURL directive

        By always having the resource URL the Web Inspector frontend
        can better match this Script to a Resource of the same URL,
        and decide to use the sourceURL if it is available when
        appropriate.

        * inspector/protocol/Debugger.json:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        Send the new sourceParsed parameters.

2016-04-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup inspector/debugger tests
        https://bugs.webkit.org/show_bug.cgi?id=156619

        Reviewed by Brian Burg.

        While cleaning up the tests it exposed the fact that breakpoints
        were not getting disabled when the inspector closes. This means
        that opening the inspector, with breakpoints, and closing the
        inspector, would leave the JSC::Debugger thinking breakpoints
        are active. The JSC::Debugger should be reset.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::disable):

2016-04-14  Geoffrey Garen  <ggaren@apple.com>

        CopiedBlock should be 64kB

        Reviewed by Benjamin Poulain.

        Let's try another value.

        This is 25% faster on kraken-audio-beat-detection on Mac Pro.

        * heap/CopiedBlock.h:

2016-04-15  Zan Dobersek  <zdobersek@igalia.com>

        Tail call optimizations lead to crashes on ARM Thumb + Linux
        https://bugs.webkit.org/show_bug.cgi?id=150083

        Reviewed by Csaba Osztrogonác.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::repatchNearCall): In case of a tail call relink to the
        data location of the destination, and not the executable address. This is needed for
        the ARM Thumb2 platform where both the source and destination addresses of a jump relink
        must not have the bottom bit decorated, as asserted in ARMv7Assembler::relinkJump().
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall): Similarly, when linking a tail call we must link to the
        address that has a non-decorated bottom bit, as asserted in ARMv7Assembler::linkJumpAbsolute().

2016-04-14  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r199567.

        performance regression on kraken on macbook*

        Reverted changeset:

        "CopiedBlock should be 8kB"
        https://bugs.webkit.org/show_bug.cgi?id=156610
        http://trac.webkit.org/changeset/199567

2016-04-14  Geoffrey Garen  <ggaren@apple.com>

        CopiedBlock should be 8kB
        https://bugs.webkit.org/show_bug.cgi?id=156610

        Reviewed by Michael Saboff.

        On Mac Pro, this is:

            15% faster on kraken-audio-beat-detection

            5% faster on v8-splay

        Hopefully, this will be OK on MacBook* bots as well.

        32kB is the full size of L1 cache on x86. So, allocating and zero-filling
        a 32kB CopiedBlock would basically flush the L1 cache. We can ameliorate
        this problem by using smaller blocks -- or, if that doesn't work, we can
        use larger blocks to amortize the cost.

        * heap/CopiedBlock.h:

2016-04-14  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicAccess should try to generate a stub only once
        https://bugs.webkit.org/show_bug.cgi?id=156555

        Reviewed by Geoffrey Garen.
        
        This changes the PolymorphicAccess heuristics to reduce the amount of code generation even
        more than before. We used to always generate a monomorphic stub for the first case we saw.
        This change disables that. This change also increases the buffering countdown to match the
        cool-down repatch count. This means that we will allow for ten slow paths for adding cases,
        then we will generate a stub, and then we will go into cool-down and the repatching slow
        paths will not even attempt repatching for a while. After we emerge from cool-down - which
        requires a bunch of slow path calls - we will again wait for ten slow paths to get new
        cases. Note that it only takes 13 cases to cause the stub to give up on future repatching
        entirely. Also, most stubs don't ever get to 10 cases. Therefore, for most stubs this change
        means that each IC will repatch once. If they make it to two repatching, then the likelihood
        of a third becomes infinitesimal because of all of the rules that come into play at that
        point (the size limit being 13, the fact that we go into exponential cool-down every time we
        generate code, and the fact that if we have lots of self cases then we will create a
        catch-all megamorphic load case).

        This also undoes a change to the megamorphic optimization that I think was unintentional.
        As in the change that originally introduced megamorphic loads, we want to do this only if we
        would otherwise exhaust the max size of the IC. This is because megamorphic loads are pretty
        expensive and it's best to use them only if we know that the alternative is giving up on
        caching.

        This is neutral on JS benchmarks, but looks like it's another speed-up for page loading.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
        (JSC::AccessCase::canReplace):
        (JSC::AccessCase::dump):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        * runtime/Options.h:

2016-04-14  Mark Lam  <mark.lam@apple.com>

        Update treatment of invoking RegExp.prototype methods on RegExp.prototype.
        https://bugs.webkit.org/show_bug.cgi?id=155922

        Reviewed by Keith Miller.

        According to the TC39 committee, when invoking the following RegExp.prototype
        methods on the RegExp.prototype:
        1. RegExp.prototype.flags yields ""
        2. RegExp.prototype.global yields undefined
        3. RegExp.prototype.ignoreCase yields undefined
        4. RegExp.prototype.multiline yields undefined
        5. RegExp.prototype.unicode yields undefined
        6. RegExp.prototype.source yields "(?:)"
        7. RegExp.prototype.sticky yields undefined
        8. RegExp.prototype.toString() yields "/(?:)/"

        and RegExp.prototype is still NOT an instance of RegExp.  The above behavior
        changes is a special dispensation applicable only to RegExp.prototype.  The ES6
        spec of throwing errors still applies if those methods are applied to anything =
        else that is not a RegExp object.

        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoGetterGlobal):
        (JSC::regExpProtoGetterIgnoreCase):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterFlags):
        (JSC::regExpProtoGetterSource):
        - Implemented new behavior.

        * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
        (test):
        - Updated to match current kangax test.

2016-04-14  Geoffrey Garen  <ggaren@apple.com>

        Some imported ES6 tests are missing __createIterableObject
        https://bugs.webkit.org/show_bug.cgi?id=156584

        Reviewed by Keith Miller.

        These tests were failing because I neglected to include __createIterableObject
        when I first imported them. Now they pass.

        * tests/es6.yaml:
        * tests/es6/Array_static_methods_Array.from_generic_iterables.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):
        * tests/es6/Array_static_methods_Array.from_instances_of_generic_iterables.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):
        * tests/es6/Array_static_methods_Array.from_iterator_closing.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        * tests/es6/Array_static_methods_Array.from_map_function_generic_iterables.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):
        * tests/es6/Array_static_methods_Array.from_map_function_instances_of_iterables.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):
        * tests/es6/Map_iterator_closing.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        * tests/es6/Promise_Promise.all_generic_iterables.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test.asyncTestPassed):
        * tests/es6/Promise_Promise.race_generic_iterables.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test.asyncTestPassed):
        * tests/es6/Set_iterator_closing.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        * tests/es6/WeakMap_iterator_closing.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        * tests/es6/WeakSet_iterator_closing.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        * tests/es6/destructuring_iterator_closing.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        * tests/es6/destructuring_with_generic_iterables.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):
        * tests/es6/destructuring_with_instances_of_generic_iterables.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):
        * tests/es6/for..of_loops_iterator_closing_break.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        * tests/es6/for..of_loops_iterator_closing_throw.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        * tests/es6/for..of_loops_with_generic_iterables.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):
        * tests/es6/for..of_loops_with_instances_of_generic_iterables.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):
        * tests/es6/generators_yield_star_generic_iterables.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        * tests/es6/generators_yield_star_iterator_closing_via_throw.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        * tests/es6/spread_..._operator_with_generic_iterables_in_arrays.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):
        * tests/es6/spread_..._operator_with_generic_iterables_in_calls.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):
        * tests/es6/spread_..._operator_with_instances_of_iterables_in_arrays.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):
        * tests/es6/spread_..._operator_with_instances_of_iterables_in_calls.js:
        (iterator.next):
        (iterable.Symbol.iterator):
        (__createIterableObject):
        (test):

2016-04-13  Alex Christensen  <achristensen@webkit.org>

        CMake MiniBrowser should be an app bundle
        https://bugs.webkit.org/show_bug.cgi?id=156521

        Reviewed by Brent Fulgham.

        * PlatformMac.cmake:
        Unreviewed build fix.  Define __STDC_WANT_LIB_EXT1__ so we can find memset_s.

2016-04-13  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: Improve Class instances and JSC API Exported Values view in Console / ObjectTree
        https://bugs.webkit.org/show_bug.cgi?id=156566
        <rdar://problem/16392365>

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
        Treat non-basic object types as not lossless so they can be expanded.
        Show non-enumerable native getters in Object previews.

2016-04-13  Michael Saboff  <msaboff@apple.com>

        Some tests fail with ES6 `u` (Unicode) flag for regular expressions
        https://bugs.webkit.org/show_bug.cgi?id=151597

        Reviewed by Geoffrey Garen.

        Added two new tables to handle the anomolies of \w and \W CharacterClassEscapes
        when specified in RegExp's with both the unicode and ignoreCase flags.  Given the
        case folding rules described in the standard vie the meta function Canonicalize(),
        which allow cross ASCII case folding when unicode is specified, the unicode characters
        \u017f (small sharp s) and \u212a (kelvin symbol) are part of the \w (word) characterClassEscape.
        This is true because they case fold to 's' and 'k' respectively.  Because they case fold
        to lower case letters, the corresponding letters, 'k', 'K', 's' and 'S', are also matched with
        \W with the unicode and ignoreCase flags.

        * create_regex_tables:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
        (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::wordcharCharacterClass):
        (JSC::Yarr::YarrPattern::wordUnicodeIgnoreCaseCharCharacterClass):
        (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
        (JSC::Yarr::YarrPattern::nonwordUnicodeIgnoreCaseCharCharacterClass):

2016-04-13  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r199502 and r199511.
        https://bugs.webkit.org/show_bug.cgi?id=156557

        Appears to have in-browser perf regression (Requested by mlam
        on #webkit).

        Reverted changesets:

        "ES6: Implement String.prototype.split and
        RegExp.prototype[@@split]."
        https://bugs.webkit.org/show_bug.cgi?id=156013
        http://trac.webkit.org/changeset/199502

        "ES6: Implement RegExp.prototype[@@search]."
        https://bugs.webkit.org/show_bug.cgi?id=156331
        http://trac.webkit.org/changeset/199511

2016-04-13  Keith Miller  <keith_miller@apple.com>

        isJSArray should use ArrayType rather than the ClassInfo
        https://bugs.webkit.org/show_bug.cgi?id=156551

        Reviewed by Filip Pizlo.

        Using the JSType rather than the ClassInfo should be slightly faster
        since the type is inline on the cell whereas the ClassInfo is only
        on the structure.

        * runtime/JSArray.h:
        (JSC::isJSArray):

2016-04-13  Mark Lam  <mark.lam@apple.com>

        ES6: Implement RegExp.prototype[@@search].
        https://bugs.webkit.org/show_bug.cgi?id=156331

        Reviewed by Keith Miller.

        What changed?
        1. Implemented search builtin in RegExpPrototype.js.
           The native path is now used as a fast path.
        2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
           IsJSArrayIntrinsic).
        3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
        4. Change the esSpecIsRegExpObject() implementation to check if the object's
           JSType is RegExpObjectType instead of walking the classinfo chain.

        * builtins/RegExpPrototype.js:
        (search):
        * builtins/StringPrototype.js:
        (search):
        - fixed some indentation.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
        (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
        (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
        (JSC::FTL::DFG::LowerDFGToB3::isType):
        * runtime/Intrinsic.h:
        - Added IsRegExpObjectIntrinsic.

        * runtime/CommonIdentifiers.h:

        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsConstructor):
        - Changed to use uncheckedArgument since this is only called from internal code.
        (JSC::esSpecIsRegExpObject):
        (JSC::esSpecIsRegExp): Deleted.
        * runtime/ECMAScriptSpecInternalFunctions.h:
        - Changed to check the object for a JSType of RegExpObjectType.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Added split fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::regExpProtoFuncSearch): Deleted.
        * runtime/RegExpPrototype.h:

        * tests/es6.yaml:
        * tests/stress/regexp-search.js:
        - Rebased test.

2016-04-12  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicAccess::regenerate() shouldn't have to clone non-generated AccessCases
        https://bugs.webkit.org/show_bug.cgi?id=156493

        Reviewed by Geoffrey Garen.

        Cloning AccessCases is only necessary if they hold some artifacts that are used by code that
        they already generated. So, if the state is not Generated, we don't have to bother with
        cloning them.

        This should speed up PolymorphicAccess regeneration a bit more.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::commit):
        (JSC::PolymorphicAccess::regenerate):

2016-04-13  Mark Lam  <mark.lam@apple.com>

        ES6: Implement String.prototype.split and RegExp.prototype[@@split].
        https://bugs.webkit.org/show_bug.cgi?id=156013

        Reviewed by Keith Miller.

        Re-landing r199393 now that the shadow chicken crash has been fixed.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/GlobalObject.js:
        (speciesConstructor):
        * builtins/PromisePrototype.js:
        - refactored to use the @speciesConstructor internal function.

        * builtins/RegExpPrototype.js:
        (advanceStringIndex):
        - refactored from @advanceStringIndexUnicode() to be match the spec.
          Benchmarks show that there's no advantage in doing the unicode check outside
          of the advanceStringIndexUnicode part.  So, I simplified the code to match the
          spec (especially since @@split needs to call advanceStringIndex from more than
          1 location).
        (match):
        - Removed an unnecessary call to @Object because it was already proven above.
        - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
          Again, there's no perf regression for this.
        (regExpExec):
        (hasObservableSideEffectsForRegExpSplit):
        (split):
        (advanceStringIndexUnicode): Deleted.

        * builtins/StringPrototype.js:
        (split):
        - Modified to use RegExp.prototype[@@split].

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h:
        - Added the @@split symbol.

        * runtime/CommonIdentifiers.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
        (JSC::esSpecIsConstructor):
        (JSC::esSpecIsRegExp):
        * runtime/ECMAScriptSpecInternalFunctions.h: Added.

        * runtime/JSGlobalObject.cpp:
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        - Removed an assert that is no longer valid.

        * runtime/RegExpObject.h:
        - Made advanceStringUnicode() public so that it can be re-used by the regexp split
          fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncSearch):
        (JSC::advanceStringIndex):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/RegExpPrototype.h:

        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        - Hoisted some utility functions from StringPrototype.cpp so that they can be
          reused by the regexp split fast path.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstr):
        (JSC::builtinStringSubstrInternal):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringIncludesImpl):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::jsStringWithReuse): Deleted.
        (JSC::jsSubstring): Deleted.
        (JSC::stringProtoFuncSplit): Deleted.
        * runtime/StringPrototype.h:

        * tests/es6.yaml:

2016-04-13  Mark Lam  <mark.lam@apple.com>

        ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
        https://bugs.webkit.org/show_bug.cgi?id=156532

        Reviewed by Saam Barati and Filip Pizlo.

        ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in
        the callee field of a log packet.  However, ShadowChicken::visitChildren()
        unconditionally visits the callee field of each packet as if they are real
        objects.  If visitChildren() encounters one of these markers in the log, we get a
        crash.

        This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow
        chicken when r199393 landed.  r199393 introduced tail calls to a RegExp split
        fast path, and the v8-regexp.js test exercised this fast path a lot.  Throw in
        some timely GCs, and we get a crash party.

        The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and
        throwMarker.

        Alternatively, if perf is an issue, we can allocate 2 dedicated objects for
        these markers so that ShadowChicken can continue to visit them.  For now, I'm
        going with the filter.

        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::visitChildren):

2016-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Add @@toStringTag to GeneratorFunction
        https://bugs.webkit.org/show_bug.cgi?id=156499

        Reviewed by Mark Lam.

        GeneratorFunction.prototype has @@toStringTag property, "GeneratorFunction".
        https://tc39.github.io/ecma262/#sec-generatorfunction.prototype-@@tostringtag

        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * tests/es6.yaml:
        * tests/es6/well-known_symbols_Symbol.toStringTag_new_built-ins.js: Added.
        (test):

2016-04-13  Alberto Garcia  <berto@igalia.com>

        Fix build in glibc-based BSD systems
        https://bugs.webkit.org/show_bug.cgi?id=156533

        Reviewed by Carlos Garcia Campos.

        Change the order of the #elif conditionals so glibc-based BSD
        systems (e.g. Debian GNU/kFreeBSD) use the code inside the
        OS(FREEBSD) blocks.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::Registers::stackPointer):
        (JSC::MachineThreads::Thread::Registers::framePointer):
        (JSC::MachineThreads::Thread::Registers::instructionPointer):
        (JSC::MachineThreads::Thread::Registers::llintPC):

2016-04-12  Keith Miller  <keith_miller@apple.com>

        Unreviewed undo change from ArrayClass to ArrayWithUndecided, which
        was not intedend to land with r199397.

        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):

2016-04-12  Mark Lam  <mark.lam@apple.com>

        Rollout: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
        https://bugs.webkit.org/show_bug.cgi?id=156013

        Speculative rollout to fix 32-bit shadow-chicken.yaml/tests/v8-v6/v8-regexp.js.shadow-chicken test failure.

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/GlobalObject.js:
        (speciesGetter):
        (speciesConstructor): Deleted.
        * builtins/PromisePrototype.js:
        * builtins/RegExpPrototype.js:
        (advanceStringIndexUnicode):
        (match):
        (advanceStringIndex): Deleted.
        (regExpExec): Deleted.
        (hasObservableSideEffectsForRegExpSplit): Deleted.
        (split): Deleted.
        * builtins/StringPrototype.js:
        (repeat):
        (split): Deleted.
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * runtime/CommonIdentifiers.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp: Removed.
        * runtime/ECMAScriptSpecInternalFunctions.h: Removed.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setGlobalThis):
        (JSC::JSGlobalObject::init):
        (JSC::getGetterById): Deleted.
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::offsetOfLastIndexIsWritable):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncSearch):
        (JSC::advanceStringIndex): Deleted.
        (JSC::regExpProtoFuncSplitFast): Deleted.
        * runtime/RegExpPrototype.h:
        * runtime/StringObject.h:
        (JSC::jsStringWithReuse): Deleted.
        (JSC::jsSubstring): Deleted.
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        (JSC::substituteBackreferencesSlow):
        (JSC::splitStringByOneCharacterImpl):
        (JSC::stringProtoFuncSplit):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncEndsWith):
        (JSC::stringProtoFuncIncludes):
        (JSC::stringProtoFuncIterator):
        (JSC::stringProtoFuncSplitFast): Deleted.
        (JSC::builtinStringSubstrInternal): Deleted.
        (JSC::stringIncludesImpl): Deleted.
        (JSC::builtinStringIncludesInternal): Deleted.
        * runtime/StringPrototype.h:
        * tests/es6.yaml:

2016-04-12  Mark Lam  <mark.lam@apple.com>

        Remove 2 unused JSC options.
        https://bugs.webkit.org/show_bug.cgi?id=156526

        Reviewed by Benjamin Poulain.

        The options JSC_assertICSizing and JSC_dumpFailedICSizing are no longer in use
        now that we have B3.

        * runtime/Options.h:

2016-04-12  Keith Miller  <keith_miller@apple.com>

        [ES6] Add support for Symbol.isConcatSpreadable.
        https://bugs.webkit.org/show_bug.cgi?id=155351

        Reviewed by Saam Barati.

        This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
        Array.prototype.concat function to JS. A number of different optimizations were needed to make such the move to
        a builtin performant. First, four new DFG intrinsics were added.

        1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
           the Array.isArray function.
        2) IsJSArray: checks the first child is a JSArray object.
        3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
        4) CallObjectConstructor: an intrinsic of the Object constructor.

        IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
        we are able to prove that the first child is an Array or for ToObject an Object.

        In order to further improve the perfomance we also now cover more indexing types in our fast path memcpy
        code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
        were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
        the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
        into a contiguous array).

        This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
        values onto the result array. This works roughly the same as the two array fast path using the same methodology
        to decide if we can memcpy the other butterfly into the result butterfly.

        Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
        name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
        dataLog function on it.

        Finally, this patch add a new constructor to JSValueRegsTemporary that allows it to reuse the the registers of a
        JSValueOperand if the operand's use count is one.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ArrayPrototype.js:
        (concatSlowPath):
        (concat):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileIsJSArray):
        (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
        (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::isArray):
        * jit/JITOperations.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDataLogValue):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
        * runtime/ArrayConstructor.h:
        (JSC::isArrayConstructor):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoPrivateFuncIsJSArray):
        (JSC::moveElements):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::arrayProtoPrivateFuncAppendMemcpy):
        (JSC::arrayProtoFuncConcat): Deleted.
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::fastConcatWith): Deleted.
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        (JSC::JSArray::fastConcatType): Deleted.
        * runtime/JSArrayInlines.h: Added.
        (JSC::JSArray::memCopyWithIndexingType):
        (JSC::JSArray::canFastCopy):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSType.h:
        * runtime/ObjectConstructor.h:
        (JSC::constructObject):
        * tests/es6.yaml:
        * tests/stress/array-concat-spread-object.js: Added.
        (arrayEq):
        * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
        (arrayEq):
        * tests/stress/array-concat-spread-proxy.js: Added.
        (arrayEq):
        * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
        (arrayEq):
        * tests/stress/array-species-config-array-constructor.js:

2016-04-12  Saam barati  <sbarati@apple.com>

        Lets not iterate over the constant pool twice every time we link a code block
        https://bugs.webkit.org/show_bug.cgi?id=156517

        Reviewed by Mark Lam.

        I introduced a second iteration over the constant pool when I implemented
        block scoping. I did this because we must clone all the symbol tables when
        we link a CodeBlock. We can just do this cloning when setting the constant
        registers for the first time. There is no need to iterate over the constant
        pool a second time.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::setAlternative):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::replaceConstant):
        (JSC::CodeBlock::setConstantRegisters): Deleted.

2016-04-12  Mark Lam  <mark.lam@apple.com>

        ES6: Implement String.prototype.split and RegExp.prototype[@@split].
        https://bugs.webkit.org/show_bug.cgi?id=156013

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/GlobalObject.js:
        (speciesConstructor):
        * builtins/PromisePrototype.js:
        - refactored to use the @speciesConstructor internal function.

        * builtins/RegExpPrototype.js:
        (advanceStringIndex):
        - refactored from @advanceStringIndexUnicode() to be match the spec.
          Benchmarks show that there's no advantage in doing the unicode check outside
          of the advanceStringIndexUnicode part.  So, I simplified the code to match the
          spec (especially since @@split needs to call advanceStringIndex from more than
          1 location).
        (match):
        - Removed an unnecessary call to @Object because it was already proven above.
        - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
          Again, there's no perf regression for this.
        (regExpExec):
        (hasObservableSideEffectsForRegExpSplit):
        (split):
        (advanceStringIndexUnicode): Deleted.

        * builtins/StringPrototype.js:
        (split):
        - Modified to use RegExp.prototype[@@split].

        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h:
        - Added the @@split symbol.

        * runtime/CommonIdentifiers.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
        (JSC::esSpecIsConstructor):
        (JSC::esSpecIsRegExp):
        * runtime/ECMAScriptSpecInternalFunctions.h: Added.

        * runtime/JSGlobalObject.cpp:
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        - Removed an assert that is no longer valid.

        * runtime/RegExpObject.h:
        - Made advanceStringUnicode() public so that it can be re-used by the regexp split
          fast path.

        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncSearch):
        (JSC::advanceStringIndex):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/RegExpPrototype.h:

        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        - Hoisted some utility functions from StringPrototype.cpp so that they can be
          reused by the regexp split fast path.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstr):
        (JSC::builtinStringSubstrInternal):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringIncludesImpl):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::jsStringWithReuse): Deleted.
        (JSC::jsSubstring): Deleted.
        (JSC::stringProtoFuncSplit): Deleted.
        * runtime/StringPrototype.h:

        * tests/es6.yaml:

2016-04-12  Keith Miller  <keith_miller@apple.com>

        AbstractValue should use the result type to filter structures
        https://bugs.webkit.org/show_bug.cgi?id=156516

        Reviewed by Geoffrey Garen.

        When filtering an AbstractValue with a SpeculatedType we would not use the merged type when
        filtering out the valid structures (despite what the comment directly above said). This
        would cause us to crash if our structure-set was Top and the two speculated types were
        different kinds of cells.

        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filter):
        * tests/stress/ai-consistency-filter-cells.js: Added.
        (get value):
        (attribute.value.get record):
        (attribute.attrs.get this):
        (get foo):
        (let.thisValue.return.serialize):
        (let.thisValue.transformFor):

2016-04-12  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove FIXME for https://bugs.webkit.org/show_bug.cgi?id=156457 and replace it
        with a comment that describes what we do now.

        * bytecode/PolymorphicAccess.h:

2016-04-12  Saam barati  <sbarati@apple.com>

        isLocked() assertion broke builds because ConcurrentJITLock isn't always a real lock.

        Rubber-stamped by Filip Pizlo.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resultProfileForBytecodeOffset):
        (JSC::CodeBlock::ensureResultProfile):

2016-04-11  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicAccess should buffer AccessCases before regenerating
        https://bugs.webkit.org/show_bug.cgi?id=156457

        Reviewed by Benjamin Poulain.

        Prior to this change, whenever we added an AccessCase to a PolymorphicAccess, we would
        regenerate the whole stub. That meant that we'd do O(N^2) work for N access cases.

        One way to fix this is to have each AccessCase generate a stub just for itself, which
        cascades down to the already-generated cases. But that removes the binary switch
        optimization, which makes the IC perform great even when there are many cases.

        This change fixes the issue by buffering access cases. When we take slow path and try to add
        a new case, the StructureStubInfo will usually just buffer the new case without generating
        new code. We simply guarantee that after we buffer a case, we will take at most
        Options::repatchBufferingCountdown() slow path calls before generating code for it. That
        option is currently 7. Taking 7 more slow paths means that we have 7 more opportunities to
        gather more access cases, or to realize that this IC is too crazy to bother with.

        This change ensures that the DFG still gets the same kind of profiling. This is because the
        buffered AccessCases are still part of PolymorphicAccess and so are still scanned by
        GetByIdStatus and PutByIdStatus. The fact that the AccessCases hadn't been generated and so
        hadn't executed doesn't change much. Mainly, it increases the likelihood that the DFG will
        see an access case that !couldStillSucceed(). The DFG's existing profile parsing logic can
        handle this just fine.
        
        There are a bunch of algorithmic changes here. StructureStubInfo now caches the set of
        structures that it has seen as a guard to prevent adding lots of redundant cases, in case
        we see the same 7 cases after buffering the first one. This cache means we won't wastefully
        allocate 7 identical AccessCase instances. PolymorphicAccess is now restructured around
        having separate addCase() and regenerate() calls. That means a bit more moving data around.
        So far that seems OK for performance, probably since it's O(N) work rather than O(N^2) work.
        There is room for improvement for future patches, to be sure.
        
        This is benchmarking as slightly positive or neutral on JS benchmarks. It's meant to reduce
        pathologies I saw in page loads.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::PolymorphicAccess):
        (JSC::PolymorphicAccess::~PolymorphicAccess):
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::addCase):
        (JSC::PolymorphicAccess::visitWeak):
        (JSC::PolymorphicAccess::dump):
        (JSC::PolymorphicAccess::commit):
        (JSC::PolymorphicAccess::regenerate):
        (JSC::PolymorphicAccess::aboutToDie):
        (WTF::printInternal):
        (JSC::PolymorphicAccess::regenerateWithCases): Deleted.
        (JSC::PolymorphicAccess::regenerateWithCase): Deleted.
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::isGetter):
        (JSC::AccessCase::callLinkInfo):
        (JSC::AccessGenerationResult::AccessGenerationResult):
        (JSC::AccessGenerationResult::madeNoChanges):
        (JSC::AccessGenerationResult::gaveUp):
        (JSC::AccessGenerationResult::buffered):
        (JSC::AccessGenerationResult::generatedNewCode):
        (JSC::AccessGenerationResult::generatedFinalCode):
        (JSC::AccessGenerationResult::shouldGiveUpNow):
        (JSC::AccessGenerationResult::generatedSomeCode):
        (JSC::PolymorphicAccess::isEmpty):
        (JSC::PolymorphicAccess::size):
        (JSC::PolymorphicAccess::at):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::StructureStubInfo):
        (JSC::StructureStubInfo::addAccessCase):
        (JSC::StructureStubInfo::reset):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        (JSC::StructureStubInfo::willRepatch): Deleted.
        (JSC::StructureStubInfo::willCoolDown): Deleted.
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryRepatchIn):
        (JSC::repatchIn):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::putByIndex):
        (JSC::JSValue::structureOrNull):
        (JSC::JSValue::structureOrUndefined):
        * runtime/Options.h:

2016-04-12  Saam barati  <sbarati@apple.com>

        There is a race with the compiler thread and the main thread with result profiles
        https://bugs.webkit.org/show_bug.cgi?id=156503

        Reviewed by Filip Pizlo.

        The compiler thread should not be asking for a result
        profile while the execution thread is creating one.
        We must guard against such races with a lock.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resultProfileForBytecodeOffset):
        (JSC::CodeBlock::ensureResultProfile):
        (JSC::CodeBlock::capabilityLevel):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::numberOfResultProfiles):
        (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
        (JSC::CodeBlock::ensureResultProfile): Deleted.

2016-04-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r199339.
        https://bugs.webkit.org/show_bug.cgi?id=156505

        memset_s is indeed necessary (Requested by alexchristensen_ on
        #webkit).

        Reverted changeset:

        "Build fix after r199299."
        https://bugs.webkit.org/show_bug.cgi?id=155508
        http://trac.webkit.org/changeset/199339

2016-04-12  Guillaume Emont  <guijemont@igalia.com>

        MIPS: add MacroAssemblerMIPS::store8(TrustedImm32,ImplicitAddress)
        https://bugs.webkit.org/show_bug.cgi?id=156481

        This method with this signature is used by r199075, and therefore
        WebKit doesn't build on MIPS since then.

        Reviewed by Mark Lam.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::store8):

2016-04-12  Saam barati  <sbarati@apple.com>

        We incorrectly parse arrow function expressions
        https://bugs.webkit.org/show_bug.cgi?id=156373

        Reviewed by Mark Lam.

        This patch removes the notion of "isEndOfArrowFunction".
        This was a very weird function and it was incorrect.
        It checked that the arrow functions with concise body
        grammar production "had a valid ending". "had a valid
        ending" is in quotes because concise body arrow functions
        have a valid ending as long as their body has a valid
        assignment expression. I've removed all notion of this
        function because it was wrong and was causing us
        to throw syntax errors on valid programs.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::nextTokenIsColon):
        (JSC::Lexer<T>::lex):
        (JSC::Lexer<T>::setTokenPosition): Deleted.
        * parser/Lexer.h:
        (JSC::Lexer::setIsReparsingFunction):
        (JSC::Lexer::isReparsingFunction):
        (JSC::Lexer::lineNumber):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Parser::matchIdentifierOrKeyword):
        (JSC::Parser::tokenStart):
        (JSC::Parser::autoSemiColon):
        (JSC::Parser::canRecurse):
        (JSC::Parser::isEndOfArrowFunction): Deleted.
        (JSC::Parser::setEndOfStatement): Deleted.
        * tests/stress/arrowfunction-others.js:
        (testCase):
        (simpleArrowFunction):
        (truthy):
        (falsey):

2016-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] addStaticGlobals should emit SymbolTableEntry watchpoints to encourage constant folding in DFG
        https://bugs.webkit.org/show_bug.cgi?id=155110

        Reviewed by Saam Barati.

        `addStaticGlobals` does not emit SymbolTableEntry watchpoints for the added entries.
        So, all the global variable lookups pointing to these static globals are not converted
        into constants in DFGBytecodeGenerator: this fact leaves these lookups as GetGlobalVar.
        Such thing avoids constant folding chance and emits CheckCell for @privateFunction inlining.
        This operation is pure overhead.

        Static globals are not configurable, and they are typically non-writable.
        So they are constants in almost all the cases.

        This patch initializes watchpoints for these static globals.
        These watchpoints allow DFG to convert these nodes into constants in DFG BytecodeParser.
        These watchpoints includes many builtin operations and `undefined`.

        The microbenchmark, many-foreach-calls shows 5 - 7% improvement since it removes unnecessary CheckCell.

        * bytecode/VariableWriteFireDetail.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePutTouchWatchpointSet):
        (JSC::symbolTablePutInvalidateWatchpointSet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributesTouchWatchpointSet): Deleted.
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::SymbolTableEntry):
        (JSC::SymbolTableEntry::operator=):
        (JSC::SymbolTableEntry::swap):

2016-04-12  Alex Christensen  <achristensen@webkit.org>

        Build fix after r199299.
        https://bugs.webkit.org/show_bug.cgi?id=155508

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        memset_s is not defined.  __STDC_WANT_LIB_EXT1__ is not defined anywhere.
        Since the return value is unused and set_constraint_handler_s is never called
        I'm chaning it to memset.

2016-04-11  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] B3 can use undefined bits or not defined required bits when spilling
        https://bugs.webkit.org/show_bug.cgi?id=156486

        Reviewed by Filip Pizlo.

        Spilling had issues when replacing arguments in place.

        The problems are:
        1) If we have a 32bit stackslot, a x86 instruction could still try to load 64bits from it.
        2) If we have a 64bit stackslot, Move32 would only set half the bits.
        3) We were reducing Move to Move32 even if the top bits are read from the stack slot.

        The case 1 appear with something like this:
            Move32 %tmp0, %tmp1
            Op64 %tmp1, %tmp2, %tmp3
        When we spill %tmp1, the stack slot is 32bit, Move32 sets 32bits
        but Op64 supports addressing for %tmp1. When we substitute %tmp1 in Op64,
        we are creating a 64bit read for a 32bit stack slot.

        The case 2 is an other common one. If we have:
            BB#1
                Move32 %tmp0, %tmp1
                Jump #3
            BB#2
                Op64 %tmp0, %tmp1
                Jump #3
            BB#3
                Use64 %tmp1

        We have a stack slot of 64bits. When spilling %tmp1 in #1, we are
        effectively doing a 32bit store on the stack slot, leaving the top bits undefined.

        Case 3 is pretty much the same as 2 but we create the Move32 ourself
        because the source is a 32bit with ZDef.

        Case (1) is solved by requiring that the stack slot is at least as large as the largest
        use/def of that tmp.

        Case (2) and (3) are solved by not replacing a Tmp by an Address if the Def
        is smaller than the stack slot.

        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testSpillDefSmallerThanUse):
        (JSC::B3::testSpillUseLargerThanDef):
        (JSC::B3::run):

2016-04-11  Brian Burg  <bburg@apple.com>

        Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
        https://bugs.webkit.org/show_bug.cgi?id=156407
        <rdar://problem/25627659>

        Reviewed by Joseph Pecoraro.

        There's no point having these subclasses as they don't save any space.
        Add a StringImpl to the union and merge some implementations of writeJSON.

        Rename m_data to m_map and explicitly name the union as InspectorValue::m_value.
        If the value is a string and the string is not empty or null (i.e., it has a
        StringImpl), then we need to ref() and deref() the string as the InspectorValue
        is created or destroyed.

        Move uses of the subclass to InspectorValue and delete redundant methods.
        Now, most InspectorValue methods are non-virtual so they can be templated.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        Don't used deleted subclasses.

        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::null):
        (Inspector::InspectorValue::create):
        (Inspector::InspectorValue::asValue):
        (Inspector::InspectorValue::asBoolean):
        (Inspector::InspectorValue::asDouble):
        (Inspector::InspectorValue::asInteger):
        (Inspector::InspectorValue::asString):
        These only need one implementation now.

        (Inspector::InspectorValue::writeJSON):
        Still a virtual method since Object and Array need their members.

        (Inspector::InspectorObjectBase::InspectorObjectBase):
        (Inspector::InspectorBasicValue::asBoolean): Deleted.
        (Inspector::InspectorBasicValue::asDouble): Deleted.
        (Inspector::InspectorBasicValue::asInteger): Deleted.
        (Inspector::InspectorBasicValue::writeJSON): Deleted.
        (Inspector::InspectorString::asString): Deleted.
        (Inspector::InspectorString::writeJSON): Deleted.
        (Inspector::InspectorString::create): Deleted.
        (Inspector::InspectorBasicValue::create): Deleted.

        * inspector/InspectorValues.h:
        (Inspector::InspectorObjectBase::find):
        (Inspector::InspectorObjectBase::setBoolean):
        (Inspector::InspectorObjectBase::setInteger):
        (Inspector::InspectorObjectBase::setDouble):
        (Inspector::InspectorObjectBase::setString):
        (Inspector::InspectorObjectBase::setValue):
        (Inspector::InspectorObjectBase::setObject):
        (Inspector::InspectorObjectBase::setArray):
        (Inspector::InspectorArrayBase::pushBoolean):
        (Inspector::InspectorArrayBase::pushInteger):
        (Inspector::InspectorArrayBase::pushDouble):
        (Inspector::InspectorArrayBase::pushString):
        (Inspector::InspectorArrayBase::pushValue):
        (Inspector::InspectorArrayBase::pushObject):
        (Inspector::InspectorArrayBase::pushArray):
        Use new factory methods.

        * replay/EncodedValue.cpp:
        (JSC::ScalarEncodingTraits<bool>::encodeValue):
        (JSC::ScalarEncodingTraits<double>::encodeValue):
        (JSC::ScalarEncodingTraits<float>::encodeValue):
        (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
        (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
        (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
        (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
        * replay/EncodedValue.h:
        Use new factory methods.

2016-04-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to edit StructureStubInfo without recompiling the world
        https://bugs.webkit.org/show_bug.cgi?id=156470

        Reviewed by Keith Miller.

        This change makes it less painful to make changes to the IC code. It used to be that any
        change to StructureStubInfo caused every JIT-related file to get recompiled. Now only a
        smaller set of files - ones that actually peek into StructureStubInfo - will recompile. This
        is mainly because CodeBlock.h no longer includes StructureStubInfo.h.

        * bytecode/ByValInfo.h:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureStubInfo.h:
        (JSC::getStructureStubInfoCodeOrigin):
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLLowerDFGToB3.cpp:
        * ftl/FTLSlowPathCall.h:
        * jit/IntrinsicEmitter.cpp:
        * jit/JITInlineCacheGenerator.cpp:
        * jit/JITInlineCacheGenerator.h:
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:

2016-04-11  Skachkov Oleksandr  <gskachkov@gmail.com>

        Remove NewArrowFunction from DFG IR
        https://bugs.webkit.org/show_bug.cgi?id=156439

        Reviewed by Saam Barati.

        It seems that NewArrowFunction was left in DFG IR during refactoring by mistake.

        * dfg/DFGAbstractInterpreterInlines.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        * dfg/DFGDoesGC.cpp:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantomNewFunction):
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGStructureRegistrationPhase.cpp:
        * ftl/FTLCapabilities.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):

2016-04-05  Oliver Hunt  <oliver@apple.com>

        Remove compile time define for SEPARATED_HEAP
        https://bugs.webkit.org/show_bug.cgi?id=155508

        Reviewed by Mark Lam.

        Remove the SEPARATED_HEAP compile time flag. The separated
        heap is available, but off by default, on x86_64, ARMv7, and
        ARM64.

        Working through the issues that happened last time essentially
        required implementing the ARMv7 path for the separated heap
        just so I could find all the ways it was going wrong.

        We fixed all the logic by making the branch and jump logic in
        the linker and assemblers take two parameters, the location to
        write to, and the location we'll actually be writing to. We 
        need to do this because it's no longer sufficient to compute
        jumps relative to region the linker is writing to.

        The repatching jump, branch, and call functions only need the
        executable address as the patching is performed directly using
        performJITMemcpy function which works in terms of the executable
        address.

        There is no performance impact on jsc-benchmarks with the separate
        heap either emabled or disabled.

        * Configurations/FeatureDefines.xcconfig:
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::linkJump):
        (JSC::ARM64Assembler::linkCall):
        (JSC::ARM64Assembler::relinkJump):
        (JSC::ARM64Assembler::relinkCall):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::relinkJumpOrCall):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
        (JSC::ARMv7Assembler::revertJumpTo_movT3):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::linkJump):
        (JSC::ARMv7Assembler::relinkJump):
        (JSC::ARMv7Assembler::repatchCompact):
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::replaceWithLoad):
        (JSC::ARMv7Assembler::replaceWithAddressComputation):
        (JSC::ARMv7Assembler::setInt32):
        (JSC::ARMv7Assembler::setUInt7ForLoad):
        (JSC::ARMv7Assembler::isB):
        (JSC::ARMv7Assembler::isBX):
        (JSC::ARMv7Assembler::isMOV_imm_T3):
        (JSC::ARMv7Assembler::isMOVT):
        (JSC::ARMv7Assembler::isNOP_T1):
        (JSC::ARMv7Assembler::isNOP_T2):
        (JSC::ARMv7Assembler::linkJumpT1):
        (JSC::ARMv7Assembler::linkJumpT2):
        (JSC::ARMv7Assembler::linkJumpT3):
        (JSC::ARMv7Assembler::linkJumpT4):
        (JSC::ARMv7Assembler::linkConditionalJumpT4):
        (JSC::ARMv7Assembler::linkBX):
        (JSC::ARMv7Assembler::linkConditionalBX):
        (JSC::ARMv7Assembler::linkJumpAbsolute):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::link):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::link):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2016-04-10  Filip Pizlo  <fpizlo@apple.com>

        Clean up how we reason about the states of AccessCases
        https://bugs.webkit.org/show_bug.cgi?id=156454

        Reviewed by Mark Lam.
        
        Currently when we add an AccessCase to a PolymorphicAccess stub, we regenerate the stub.
        That means that as we grow a stub to have N cases, we will do O(N^2) generation work. I want
        to explore buffering AccessCases so that we can do O(N) generation work instead. But to
        before I go there, I want to make sure that the statefulness of AccessCase makes sense. So,
        I broke it down into three different states and added assertions about the transitions. I
        also broke out a separate operation called AccessCase::commit(), which is the work that
        cannot be buffered since there cannot be any JS effects between when the AccessCase was
        created and when we do the work in commit().
        
        This opens up a fairly obvious path to buffering AccessCases: add them to the list without
        regenerating. Then when we do eventually trigger regeneration, those cases will get cloned
        and generated automagically. This patch doesn't implement this technique yet, but gives us
        an opportunity to independently test the scaffolding necessary to do it.

        This is perf-neutral on lots of tests.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationResult::dump):
        (JSC::AccessCase::clone):
        (JSC::AccessCase::commit):
        (JSC::AccessCase::guardedByStructureCheck):
        (JSC::AccessCase::dump):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generate):
        (JSC::AccessCase::generateImpl):
        (JSC::PolymorphicAccess::regenerateWithCases):
        (JSC::PolymorphicAccess::regenerate):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::type):
        (JSC::AccessCase::state):
        (JSC::AccessCase::offset):
        (JSC::AccessCase::viaProxy):
        (JSC::AccessCase::callLinkInfo):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        * bytecode/Watchpoint.h:
        * dfg/DFGOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::repatchGetByID):
        (JSC::repatchPutByID):
        (JSC::repatchIn):
        * runtime/VM.cpp:
        (JSC::VM::dumpRegExpTrace):
        (JSC::VM::ensureWatchpointSetForImpureProperty):
        (JSC::VM::registerWatchpointForImpureProperty):
        (JSC::VM::addImpureProperty):
        * runtime/VM.h:

2016-04-11  Fujii Hironori  <Hironori.Fujii@jp.sony.com>

        [CMake] Make FOLDER property INHERITED
        https://bugs.webkit.org/show_bug.cgi?id=156460

        Reviewed by Brent Fulgham.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:
        * shell/PlatformWin.cmake:
        Set FOLDER property as a directory property not a target property

2016-04-09  Keith Miller  <keith_miller@apple.com>

        tryGetById should be supported by the DFG/FTL
        https://bugs.webkit.org/show_bug.cgi?id=156378

        Reviewed by Filip Pizlo.

        This patch adds support for tryGetById in the DFG/FTL. It adds a new DFG node
        TryGetById, which acts similarly to the normal GetById DFG node. One key
        difference between GetById and TryGetById is that in the LLInt and Baseline
        we do not profile the result type. This profiling is unnessary for the current
        use case of tryGetById, which is expected to be a strict equality comparision
        against a specific object or undefined. In either case other DFG optimizations
        will make this equally fast with or without the profiling information.

        Additionally, this patch adds new reuse modes for JSValueRegsTemporary that take
        an operand and attempt to reuse the registers for that operand if they are free
        after the current DFG node.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileTryGetById):
        (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::GPRTemporary::operator=):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * tests/stress/try-get-by-id.js:
        (tryGetByIdTextStrict):
        (get let):
        (let.get createBuiltin):
        (get throw):
        (getCaller.obj.1.throw.new.Error): Deleted.

2016-04-09  Saam barati  <sbarati@apple.com>

        Allocation sinking SSA Defs are allowed to have replacements
        https://bugs.webkit.org/show_bug.cgi?id=156444

        Reviewed by Filip Pizlo.

        Consider the following program and the annotations that explain why
        the SSA defs we create in allocation sinking can have replacements.

        function foo(a1) {
            let o1 = {x: 20, y: 50};
            let o2 = {y: 40, o1: o1};
            let o3 = {};
        
            // We're Defing a new variable here, call it o3_field.
            // o3_field is defing the value that is the result of 
            // a GetByOffset that gets eliminated through allocation sinking.
            o3.field = o1.y;
        
            dontCSE();
        
            // This control flow is here to not allow the phase to consult
            // its local SSA mapping (which properly handles replacements)
            // for the value of o3_field.
            if (a1) {
                a1 = true; 
            } else {
                a1 = false;
            }
        
            // Here, we ask for the reaching def of o3_field, and assert
            // it doesn't have a replacement. It does have a replacement
            // though. The original Def was the GetByOffset. We replaced
            // that GetByOffset with the value of the o1_y variable.
            let value = o3.field;
            assert(value === 50);
        }

        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * tests/stress/allocation-sinking-defs-may-have-replacements.js: Added.
        (dontCSE):
        (assert):
        (foo):

2016-04-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r199242.
        https://bugs.webkit.org/show_bug.cgi?id=156442

        Caused many many leaks (Requested by ap on #webkit).

        Reverted changeset:

        "Web Inspector: get rid of InspectorBasicValue and
        InspectorString subclasses"
        https://bugs.webkit.org/show_bug.cgi?id=156407
        http://trac.webkit.org/changeset/199242

2016-04-09  Filip Pizlo  <fpizlo@apple.com>

        Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool
        https://bugs.webkit.org/show_bug.cgi?id=156406

        Reviewed by Saam Barati.

        The failure was because the GC ran from within the butterfly allocation call in a put_by_id
        transition AccessCase that had to deal with indexing storage. When the GC runs in a call from a stub,
        then we need to be extra careful:

        1) The GC may reset the IC and delete the stub. So, the stub needs to tell the GC that it might be on
           the stack during GC, so that the GC keeps it alive if it's currently running.
        
        2) If the stub uses (dereferences or stores) some object after the call, then we need to ensure that
           the stub routine knows about that object independently of the IC.
        
        In the case of put_by_id transitions that use a helper to allocate the butterfly, we have both
        issues. A long time ago, we had to deal with (2), and we still had code to handle that case, although
        it appears to be dead. This change revives that code and glues it together with PolymorphicAccess.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::alternateBase):
        (JSC::AccessCase::doesCalls):
        (JSC::AccessCase::couldStillSucceed):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::customSlotBase):
        (JSC::AccessCase::isGetter):
        (JSC::AccessCase::doesCalls): Deleted.
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::markRequiredObjectsInternal):
        (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
        (JSC::MarkingGCAwareJITStubRoutine::~MarkingGCAwareJITStubRoutine):
        (JSC::MarkingGCAwareJITStubRoutine::markRequiredObjectsInternal):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
        (JSC::createJITStubRoutine):
        (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
        (JSC::MarkingGCAwareJITStubRoutineWithOneObject::~MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
        (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal): Deleted.
        * jit/GCAwareJITStubRoutine.h:
        (JSC::createJITStubRoutine):

2016-04-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: XHRs and Web Worker scripts are not searchable
        https://bugs.webkit.org/show_bug.cgi?id=154214
        <rdar://problem/24643587>

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Page.json:
        Add optional requestId to search results properties and search
        parameters for when the frameId and url are not enough. XHR
        resources, and "Other" resources will use this.

2016-04-08  Guillaume Emont  <guijemont@igalia.com>

        MIPS: support Signed cond in branchTest32()
        https://bugs.webkit.org/show_bug.cgi?id=156260

        This is needed since r197688 makes use of it.

        Reviewed by Mark Lam.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchTest32):

2016-04-08  Alex Christensen  <achristensen@webkit.org>

        Progress towards running CMake WebKit2 on Mac
        https://bugs.webkit.org/show_bug.cgi?id=156426

        Reviewed by Tim Horton.

        * PlatformMac.cmake:

2016-04-08  Saam barati  <sbarati@apple.com>

        Debugger may dereference m_currentCallFrame even after the VM has gone idle
        https://bugs.webkit.org/show_bug.cgi?id=156413

        Reviewed by Mark Lam.

        There is a bug where the debugger may dereference its m_currentCallFrame
        pointer after that pointer becomes invalid to read from. This happens like so:

        We may step over an instruction which causes the end of execution for the
        current program. This causes the VM to exit. Then, we perform a GC which
        causes us to collect the global object. The global object being collected
        causes us to detach the debugger. In detaching, we think we still have a 
        valid m_currentCallFrame, we dereference it, and crash. The solution is to
        make sure we're paused when dereferencing this pointer inside ::detach().

        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):

2016-04-08  Brian Burg  <bburg@apple.com>

        Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
        https://bugs.webkit.org/show_bug.cgi?id=156407
        <rdar://problem/25627659>

        Reviewed by Timothy Hatcher.

        There's no point having these subclasses as they don't save any space.
        Add m_stringValue to the union and merge some implementations of writeJSON.
        Move uses of the subclass to InspectorValue and delete redundant methods.
        Now, most InspectorValue methods are non-virtual so they can be templated.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        Don't used deleted subclasses.

        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::null):
        (Inspector::InspectorValue::create):
        (Inspector::InspectorValue::asValue):
        (Inspector::InspectorValue::asBoolean):
        (Inspector::InspectorValue::asDouble):
        (Inspector::InspectorValue::asInteger):
        (Inspector::InspectorValue::asString):
        These only need one implementation now.

        (Inspector::InspectorValue::writeJSON):
        Still a virtual method since Object and Array need their members.

        (Inspector::InspectorObjectBase::InspectorObjectBase):
        (Inspector::InspectorBasicValue::asBoolean): Deleted.
        (Inspector::InspectorBasicValue::asDouble): Deleted.
        (Inspector::InspectorBasicValue::asInteger): Deleted.
        (Inspector::InspectorBasicValue::writeJSON): Deleted.
        (Inspector::InspectorString::asString): Deleted.
        (Inspector::InspectorString::writeJSON): Deleted.
        (Inspector::InspectorString::create): Deleted.
        (Inspector::InspectorBasicValue::create): Deleted.

        * inspector/InspectorValues.h:
        (Inspector::InspectorObjectBase::setBoolean):
        (Inspector::InspectorObjectBase::setInteger):
        (Inspector::InspectorObjectBase::setDouble):
        (Inspector::InspectorObjectBase::setString):
        (Inspector::InspectorArrayBase::pushBoolean):
        (Inspector::InspectorArrayBase::pushInteger):
        (Inspector::InspectorArrayBase::pushDouble):
        (Inspector::InspectorArrayBase::pushString):
        Use new factory methods.

        * replay/EncodedValue.cpp:
        (JSC::ScalarEncodingTraits<bool>::encodeValue):
        (JSC::ScalarEncodingTraits<double>::encodeValue):
        (JSC::ScalarEncodingTraits<float>::encodeValue):
        (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
        (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
        (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
        (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
        * replay/EncodedValue.h:
        Use new factory methods.

2016-04-08  Filip Pizlo  <fpizlo@apple.com>

        Add IC support for arguments.length
        https://bugs.webkit.org/show_bug.cgi?id=156389

        Reviewed by Geoffrey Garen.
        
        This adds support for caching accesses to arguments.length for both DirectArguments and
        ScopedArguments. In strict mode, we already cached these accesses since they were just
        normal properties.

        Amazingly, we also already supported caching of overridden arguments.length in both
        DirectArguments and ScopedArguments. This is because when you override, the property gets
        materialized as a normal JS property and the structure is changed.
        
        This patch painstakingly preserves our previous caching of overridden length while
        introducing caching of non-overridden length (i.e. the common case). In fact, we even cache
        the case where it could either be overridden or not, since we just end up with an AccessCase
        for each and they cascade to each other.

        This is a >3x speed-up on microbenchmarks that do arguments.length in a polymorphic context.
        Entirely monomorphic accesses were already handled by the DFG.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
        (JSC::AccessCase::guardedByStructureCheck):
        (JSC::AccessCase::generateWithGuard):
        (JSC::AccessCase::generate):
        (WTF::printInternal):
        * bytecode/PolymorphicAccess.h:
        * jit/ICStats.h:
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * tests/stress/direct-arguments-override-length-then-access-normal-length.js: Added.
        (args):
        (foo):
        (result.foo):

2016-04-08  Benjamin Poulain  <bpoulain@apple.com>

        UInt32ToNumber should have an Int52 path
        https://bugs.webkit.org/show_bug.cgi?id=125704

        Reviewed by Filip Pizlo.

        When dealing with big numbers, fall back to Int52 instead
        of double when possible.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileUInt32ToNumber):

2016-04-08  Brian Burg  <bburg@apple.com>

        Web Inspector: protocol generator should emit an error when 'type' is used instead of '$ref'
        https://bugs.webkit.org/show_bug.cgi?id=156275
        <rdar://problem/25569331>

        Reviewed by Darin Adler.

        * inspector/protocol/Heap.json: Fix a mistake that's now caught by the protocol generator.

        * inspector/scripts/codegen/models.py:
        (TypeReference.__init__): Check here if type_kind is on a whitelist of primitive types.
        (TypeReference.referenced_name): Update comment.

        Add a new test specifically for the case when the type would otherwise be resolved. Rebaseline.

        * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Added.
        * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error:
        * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Added.

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Remove ENABLE(ENABLE_ES6_CLASS_SYNTAX) guards
        https://bugs.webkit.org/show_bug.cgi?id=156384

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:
        * features.json: Mark as Done.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):

2016-04-07  Filip Pizlo  <fpizlo@apple.com>

        Implementing caching transition puts that need to reallocate with indexing storage
        https://bugs.webkit.org/show_bug.cgi?id=130914

        Reviewed by Saam Barati.

        This enables the IC's put_by_id path to handle reallocating the out-of-line storage even if
        the butterfly has indexing storage. Like the DFG, we do this by calling operations that
        reallocate the butterfly. Those use JSObject API and do all of the nasty work for us, like
        triggering a barrier.

        This does a bunch of refactoring to how PolymorphicAccess makes calls. It's a lot easier to
        do it now because the hard work is hidden under AccessGenerationState methods. This means
        that custom accessors now share logic with put_by_id transitions.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::succeed):
        (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
        (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
        (JSC::AccessGenerationState::originalCallSiteIndex):
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        (JSC::AccessCase::AccessCase):
        (JSC::AccessCase::transition):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
        (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Remote Inspector: When disallowing remote inspection on a debuggable, a listing is still sent to debuggers
        https://bugs.webkit.org/show_bug.cgi?id=156380
        <rdar://problem/25323727>

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateTarget):
        (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
        When a target has been updated and it no longer generates a listing,
        we should remove the old listing as that is now stale and should
        not be sent. Not generating a listing means this target is no
        longer allowed to be debugged.

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Not necessary to validate webinspectord connection on iOS
        https://bugs.webkit.org/show_bug.cgi?id=156377
        <rdar://problem/25612460>

        Reviewed by Simon Fraser.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::handleEvent):

2016-04-07  Keith Miller  <keith_miller@apple.com>

        Rename ArrayMode::supportsLength to supportsSelfLength
        https://bugs.webkit.org/show_bug.cgi?id=156374

        Reviewed by Filip Pizlo.

        The name supportsLength is confusing because TypedArray have a
        length function however it is on the prototype and not on the
        instance. supportsSelfLength makes more sense since we use the
        function during fixup to tell if we can intrinsic the length
        property lookup on self accesses.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::supportsSelfLength):
        (JSC::DFG::ArrayMode::supportsLength): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):

2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ProfileView source links are off by 1 line, worse in pretty printed code
        https://bugs.webkit.org/show_bug.cgi?id=156371

        Reviewed by Timothy Hatcher.

        * inspector/protocol/ScriptProfiler.json:
        Clarify that these locations are 1-based.

2016-04-07  Jon Davis  <jond@apple.com>

        Add Web Animations API to Feature Status Page
        https://bugs.webkit.org/show_bug.cgi?id=156360

        Reviewed by Timothy Hatcher.

        * features.json:

2016-04-07  Saam barati  <sbarati@apple.com>

        Invalid assertion inside DebuggerScope::getOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=156357

        Reviewed by Keith Miller.

        The Type Profiler might profile JS code that uses DebuggerScope and accesses properties
        on it. Therefore, it may have a DebuggerScope object in its log. Objects in the log
        are subject to having their getOwnPropertySlot method called. Therefore, the DebuggerScope
        might not always be in a valid state when its getOwnPropertySlot method is called.
        Therefore, the assertion invalid.

        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::getOwnPropertySlot):

2016-04-07  Saam barati  <sbarati@apple.com>

        Initial implementation of annex b.3.3 behavior was incorrect
        https://bugs.webkit.org/show_bug.cgi?id=156276

        Reviewed by Keith Miller.

        I almost got annex B.3.3 correct in my first implementation.
        There is a subtlety here I got wrong. We always create a local binding for
        a function at the very beginning of execution of a block scope. So we
        hoist function declarations to their local binding within a given
        block scope. When we actually evaluate the function declaration statement
        itself, we must lookup the binding in the current scope, and bind the
        value to the binding in the "var" scope. We perform the following
        abstract operations when executing a function declaration statement.

        f = lookupBindingInCurrentScope("func")
        store(varScope, "func", f)

        I got this wrong by performing the store to the var binding at the beginning
        of the block scope instead of when we evaluate the function declaration statement.
        This behavior is observable. For example, a program could change the value
        of "func" before the actual function declaration statement executes.
        Consider the following two functions:
        ```
        function foo1() {
            // func === undefined
            {
                // typeof func === "function"
                function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
                func = 20 // This sets the local "func" binding to 20.
            }
            // typeof func === "function"
        }

        function foo2() {
            // func === undefined
            {