d87d3245af56d7053cf15f439ccc528ac340480b
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2
3         Fix the !ENABLE(DFG_JIT) build after r195865
4         https://bugs.webkit.org/show_bug.cgi?id=154391
5
6         Reviewed by Filip Pizlo.
7
8         * runtime/SamplingProfiler.cpp:
9         (JSC::tryGetBytecodeIndex):
10
11 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
12
13         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
14         https://bugs.webkit.org/show_bug.cgi?id=154383
15
16         Reviewed by Saam Barati.
17
18         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
19
20         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
21           backend".
22
23         - Removed the reference because I found it to be dead. In some cases it was a dead
24           comment: it was telling us things about what LLVM did and that's just not relevant
25           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
26
27         - Edited the comment in some smart way. There were comments talking about what LLVM did
28           that were still of interest. In some cases, I added a FIXME to consider changing the
29           code below the comment on the grounds that it was written in a weird way to placate
30           LLVM and so we can do it better now.
31
32         * CMakeLists.txt:
33         * JavaScriptCore.xcodeproj/project.pbxproj:
34         * dfg/DFGArgumentsEliminationPhase.cpp:
35         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
36         * dfg/DFGPlan.cpp:
37         (JSC::DFG::Plan::compileInThread):
38         (JSC::DFG::Plan::compileInThreadImpl):
39         (JSC::DFG::Plan::compileTimeStats):
40         * dfg/DFGPutStackSinkingPhase.cpp:
41         * dfg/DFGSSAConversionPhase.h:
42         * dfg/DFGStaticExecutionCountEstimationPhase.h:
43         * dfg/DFGUnificationPhase.cpp:
44         (JSC::DFG::UnificationPhase::run):
45         * disassembler/ARM64Disassembler.cpp:
46         (JSC::tryToDisassemble): Deleted.
47         * disassembler/X86Disassembler.cpp:
48         (JSC::tryToDisassemble):
49         * ftl/FTLAbstractHeap.cpp:
50         (JSC::FTL::IndexedAbstractHeap::initialize):
51         * ftl/FTLAbstractHeap.h:
52         * ftl/FTLFormattedValue.h:
53         * ftl/FTLJITFinalizer.cpp:
54         (JSC::FTL::JITFinalizer::finalizeFunction):
55         * ftl/FTLLink.cpp:
56         (JSC::FTL::link):
57         * ftl/FTLLocation.cpp:
58         (JSC::FTL::Location::restoreInto):
59         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
60         (JSC::FTL::DFG::ftlUnreachable):
61         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
62         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
63         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
64         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
65         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
66         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
67         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
68         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
69         (JSC::FTL::lowerDFGToB3):
70         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
71         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
72         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
73         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
74         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
75         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
76         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
77         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
78         (JSC::FTL::lowerDFGToLLVM): Deleted.
79         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
80         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
81         * ftl/FTLLowerDFGToLLVM.h: Removed.
82         * ftl/FTLOSRExitCompiler.cpp:
83         (JSC::FTL::compileStub):
84         * ftl/FTLWeight.h:
85         (JSC::FTL::Weight::frequencyClass):
86         (JSC::FTL::Weight::inverse):
87         (JSC::FTL::Weight::scaleToTotal): Deleted.
88         * ftl/FTLWeightedTarget.h:
89         (JSC::FTL::rarely):
90         (JSC::FTL::unsure):
91         * jit/CallFrameShuffler64.cpp:
92         (JSC::CallFrameShuffler::emitDisplace):
93         * jit/RegisterSet.cpp:
94         (JSC::RegisterSet::ftlCalleeSaveRegisters):
95         * llvm: Removed.
96         * llvm/InitializeLLVMLinux.cpp: Removed.
97         * llvm/InitializeLLVMWin.cpp: Removed.
98         * llvm/library: Removed.
99         * llvm/library/LLVMTrapCallback.h: Removed.
100         * llvm/library/libllvmForJSC.version: Removed.
101         * runtime/Options.cpp:
102         (JSC::recomputeDependentOptions):
103         (JSC::Options::initialize):
104         * runtime/Options.h:
105         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
106         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
107         * wasm/WASMFunctionParser.cpp:
108
109 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
110
111         [cmake] Build system cleanup
112         https://bugs.webkit.org/show_bug.cgi?id=154337
113
114         Reviewed by Žan Doberšek.
115
116         * CMakeLists.txt:
117
118 2016-02-17  Mark Lam  <mark.lam@apple.com>
119
120         Callers of JSString::value() should check for exceptions thereafter.
121         https://bugs.webkit.org/show_bug.cgi?id=154346
122
123         Reviewed by Geoffrey Garen.
124
125         JSString::value() can throw an exception if the JS string is a rope and value() 
126         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
127         able to resolve the rope, it will return a null string (in addition to throwing
128         the exception).  If a caller does not check for exceptions after calling
129         JSString::value(), they may eventually use the returned null string and crash the
130         VM.
131
132         The fix is to add all the necessary exception checks, and do the appropriate
133         handling if needed.
134
135         * jsc.cpp:
136         (functionRun):
137         (functionLoad):
138         (functionReadFile):
139         (functionCheckSyntax):
140         (functionLoadWebAssembly):
141         (functionLoadModule):
142         (functionCheckModuleSyntax):
143         * runtime/DateConstructor.cpp:
144         (JSC::dateParse):
145         (JSC::dateNow):
146         * runtime/JSGlobalObjectFunctions.cpp:
147         (JSC::globalFuncEval):
148         * tools/JSDollarVMPrototype.cpp:
149         (JSC::functionPrint):
150
151 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
152
153         [JSC] ARM64: Support the immediate format used for bit operations in Air
154         https://bugs.webkit.org/show_bug.cgi?id=154327
155
156         Reviewed by Filip Pizlo.
157
158         ARM64 supports a pretty rich form of immediates for bit operations.
159         There are two formats used to encode repeating patterns and common
160         input in a dense form.
161
162         In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
163         Those represent the valid immediate forms for bit operations.
164         On x86, any 32-bit value is valid. On ARM64, all the encoding
165         forms are tried and the immediate is used when possible.
166
167         The arg type Imm64 is renamed to BigImm to better represent what
168         it is: an immediate that does not fit into Imm.
169
170         * assembler/ARM64Assembler.h:
171         (JSC::LogicalImmediate::create32): Deleted.
172         (JSC::LogicalImmediate::create64): Deleted.
173         (JSC::LogicalImmediate::value): Deleted.
174         (JSC::LogicalImmediate::isValid): Deleted.
175         (JSC::LogicalImmediate::is64bit): Deleted.
176         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
177         (JSC::LogicalImmediate::mask): Deleted.
178         (JSC::LogicalImmediate::partialHSB): Deleted.
179         (JSC::LogicalImmediate::highestSetBit): Deleted.
180         (JSC::LogicalImmediate::findBitRange): Deleted.
181         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
182         * assembler/AssemblerCommon.h:
183         (JSC::ARM64LogicalImmediate::create32):
184         (JSC::ARM64LogicalImmediate::create64):
185         (JSC::ARM64LogicalImmediate::value):
186         (JSC::ARM64LogicalImmediate::isValid):
187         (JSC::ARM64LogicalImmediate::is64bit):
188         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
189         (JSC::ARM64LogicalImmediate::mask):
190         (JSC::ARM64LogicalImmediate::partialHSB):
191         (JSC::ARM64LogicalImmediate::highestSetBit):
192         (JSC::ARM64LogicalImmediate::findBitRange):
193         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
194         * assembler/MacroAssemblerARM64.h:
195         (JSC::MacroAssemblerARM64::and64):
196         (JSC::MacroAssemblerARM64::or64):
197         (JSC::MacroAssemblerARM64::xor64):
198         * b3/B3LowerToAir.cpp:
199         (JSC::B3::Air::LowerToAir::bitImm):
200         (JSC::B3::Air::LowerToAir::bitImm64):
201         (JSC::B3::Air::LowerToAir::appendBinOp):
202         * b3/air/AirArg.cpp:
203         (JSC::B3::Air::Arg::dump):
204         (WTF::printInternal):
205         * b3/air/AirArg.h:
206         (JSC::B3::Air::Arg::bitImm):
207         (JSC::B3::Air::Arg::bitImm64):
208         (JSC::B3::Air::Arg::isBitImm):
209         (JSC::B3::Air::Arg::isBitImm64):
210         (JSC::B3::Air::Arg::isSomeImm):
211         (JSC::B3::Air::Arg::value):
212         (JSC::B3::Air::Arg::isGP):
213         (JSC::B3::Air::Arg::isFP):
214         (JSC::B3::Air::Arg::hasType):
215         (JSC::B3::Air::Arg::isValidBitImmForm):
216         (JSC::B3::Air::Arg::isValidBitImm64Form):
217         (JSC::B3::Air::Arg::isValidForm):
218         (JSC::B3::Air::Arg::asTrustedImm32):
219         (JSC::B3::Air::Arg::asTrustedImm64):
220         * b3/air/AirOpcode.opcodes:
221         * b3/air/opcode_generator.rb:
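
A worked check for the ARM64 bit-operation immediates this entry introduces, added here as an example and not JavaScriptCore's own ARM64LogicalImmediate code: it decides whether a value is encodable as a logical immediate (an element replicated across the register, the element being one circular run of ones), builds the N:immr:imms field the instruction carries, and decodes it back to verify the round trip. Function and struct names are my own.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>

// The 13-bit immediate field of an ARM64 logical instruction (AND/ORR/EOR with immediate).
struct LogicalImm {
    unsigned n;     // N: 1 = 64-bit element, 0 = element of 32 bits or smaller
    unsigned immr;  // 6-bit right-rotation count
    unsigned imms;  // 6-bit field carrying element size and run length
    unsigned encoded() const { return (n << 12) | (immr << 6) | imms; }
};

// Rotate an e-bit element right by r (0 <= r < e, e in {2, 4, ..., 64}).
static uint64_t rotr(uint64_t x, unsigned r, unsigned e) {
    uint64_t mask = (e == 64) ? ~0ULL : ((1ULL << e) - 1);
    x &= mask;
    return r == 0 ? x : ((x >> r) | (x << (e - r))) & mask;
}

// Encode `value` as a logical immediate for a regSize-bit (32 or 64) operation, if possible.
// Encodable means: an element of size e (2..regSize) replicated across the register, where the
// element is a single circular run of ones. 0 and all-ones are reserved and not encodable.
std::optional<LogicalImm> encodeLogicalImmediate(uint64_t value, unsigned regSize) {
    uint64_t regMask = (regSize == 64) ? ~0ULL : ((1ULL << regSize) - 1);
    if (regSize == 32 && (value >> 32))
        return std::nullopt;                          // does not fit a 32-bit operation
    if (value == 0 || value == regMask)
        return std::nullopt;                          // reserved encodings
    unsigned e = 2;                                   // smallest period of the bit pattern
    for (; e < regSize; e *= 2) {
        uint64_t emask = (1ULL << e) - 1;
        uint64_t elem = value & emask;
        bool repeats = true;
        for (unsigned off = e; off < regSize && repeats; off += e)
            repeats = ((value >> off) & emask) == elem;
        if (repeats)
            break;
    }
    uint64_t elem = value & ((e == 64) ? ~0ULL : ((1ULL << e) - 1));
    // Find the rotation r that turns the element into 0...01...1, i.e. rot & (rot + 1) == 0.
    for (unsigned r = 0; r < e; ++r) {
        uint64_t rot = rotr(elem, r, e);
        if ((rot & (rot + 1)) != 0)
            continue;
        unsigned ones = 0;                            // run length n, 1 <= n <= e - 1
        for (uint64_t t = rot; t; t &= t - 1)
            ++ones;
        unsigned immr = (e - r) & (e - 1);            // RORs taking 0^m1^n back to elem
        unsigned nImms = (~(e - 1) << 1) | (ones - 1); // element-size prefix + (n - 1)
        unsigned N = ((nImms >> 6) & 1) ^ 1;
        return LogicalImm{ N, immr, nImms & 0x3f };
    }
    return std::nullopt;                              // more than one run of ones
}

// Inverse (the immediate case of the ARM ARM's DecodeBitMasks): expand N:immr:imms back to a
// regSize-bit value, or nullopt for a reserved encoding.
std::optional<uint64_t> decodeLogicalImmediate(LogicalImm imm, unsigned regSize) {
    unsigned bits = (imm.n << 6) | (~imm.imms & 0x3f);  // N:NOT(imms)
    if (bits == 0)
        return std::nullopt;
    unsigned len = 0;                                 // index of highest set bit
    while ((bits >> (len + 1)) != 0)
        ++len;
    unsigned e = 1u << len;                           // element size
    if (e < 2 || e > regSize)
        return std::nullopt;                          // reserved, or 64-bit element in 32-bit op
    unsigned levels = e - 1;
    unsigned s = imm.imms & levels;
    unsigned r = imm.immr & levels;
    if (s == levels)
        return std::nullopt;                          // all-ones element is reserved
    uint64_t elem = rotr((1ULL << (s + 1)) - 1, r, e); // s + 1 ones, rotated right by r
    uint64_t value = 0;
    for (unsigned off = 0; off < regSize; off += e)
        value |= elem << off;
    return value;
}

int main() {
    // Constructed sample values: repeating masks, a wrap-around run, and a non-encodable one.
    const uint64_t samples[] = { 0x00FF00FF00FF00FFULL, 0x5555555555555555ULL,
                                 0x0000FFFF00000000ULL, 0xF000000FULL, 0x1234ULL };
    const unsigned sizes[] = { 32, 64 };
    for (uint64_t v : samples) {
        for (unsigned regSize : sizes) {
            auto enc = encodeLogicalImmediate(v, regSize);
            if (enc)
                std::printf("%016llx as %u-bit: N=%u immr=%2u imms=0x%02x (field 0x%04x)\n",
                            (unsigned long long)v, regSize, enc->n, enc->immr, enc->imms, enc->encoded());
            else
                std::printf("%016llx as %u-bit: not encodable, needs a register operand\n",
                            (unsigned long long)v, regSize);
        }
    }
    return 0;
}
```

Note that 0xF000000F is a single wrap-around run (and so encodable) only as a 32-bit operand; viewed as a 64-bit pattern it has two runs of ones and must go through a register.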
222
223 2016-02-17  Keith Miller  <keith_miller@apple.com>
224
225         Spread operator should be allowed when not the first argument of parameter list
226         https://bugs.webkit.org/show_bug.cgi?id=152721
227
228         Reviewed by Saam Barati.
229
230         Spread arguments to functions should now be ES6 compliant. Before we
231         would only take a spread operator if it was the sole argument to a
232         function. Additionally, we would not use the Symbol.iterator on the
233         object to generate the arguments. Instead we would do a loop up to the
234         length mapping indexed properties to the corresponding argument. We fix
235         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
236         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
237         old spread semantics). This solution has the downside of requiring the
238         allocation of another object and copying each element twice but avoids a
239         large change to the vm calling convention.
240
241         * interpreter/Interpreter.cpp:
242         (JSC::loadVarargs):
243         * parser/ASTBuilder.h:
244         (JSC::ASTBuilder::createElementList):
245         * parser/Parser.cpp:
246         (JSC::Parser<LexerType>::parseArguments):
247         (JSC::Parser<LexerType>::parseArgument):
248         (JSC::Parser<LexerType>::parseMemberExpression):
249         * parser/Parser.h:
250         * parser/SyntaxChecker.h:
251         (JSC::SyntaxChecker::createElementList):
252         * tests/es6.yaml:
253         * tests/stress/spread-calling.js: Added.
254         (testFunction):
255         (testEmpty):
256         (makeObject):
257         (otherIterator.return.next):
258         (otherIterator):
259         (totalIter):
260         (throwingIter.return.next):
261         (throwingIter):
262         (i.catch):
263
264 2016-02-17  Brian Burg  <bburg@apple.com>
265
266         Remove a wrong cast in RemoteInspector::receivedSetupMessage
267         https://bugs.webkit.org/show_bug.cgi?id=154361
268         <rdar://problem/24709281>
269
270         Reviewed by Joseph Pecoraro.
271
272         * inspector/remote/RemoteInspector.mm:
273         (Inspector::RemoteInspector::receivedSetupMessage):
274         Not only is this cast unnecessary (the constructor accepts the base class),
275         but it is wrong since the target could be an automation target. Remove it.
276
277 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
278
279         Rename FTLB3Blah to FTLBlah
280         https://bugs.webkit.org/show_bug.cgi?id=154365
281
282         Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
283
284         * CMakeLists.txt:
285         * JavaScriptCore.xcodeproj/project.pbxproj:
286         * ftl/FTLB3Compile.cpp: Removed.
287         * ftl/FTLB3Output.cpp: Removed.
288         * ftl/FTLB3Output.h: Removed.
289         * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
290         * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
291         * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
292
293 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
294
295         Remove LLVM dependencies from WebKit
296         https://bugs.webkit.org/show_bug.cgi?id=154323
297
298         Reviewed by Antti Koivisto and Benjamin Poulain.
299
300         We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
301         LLVM-related code dead, including the disassembler, which was only reachable when you were on
302         a platform that already had an in-tree disassembler.
303
304         * CMakeLists.txt:
305         * JavaScriptCore.xcodeproj/project.pbxproj:
306         * dfg/DFGCommon.h:
307         * dfg/DFGPlan.cpp:
308         (JSC::DFG::Plan::compileInThread):
309         (JSC::DFG::Plan::compileInThreadImpl):
310         (JSC::DFG::Plan::compileTimeStats):
311         * disassembler/ARM64Disassembler.cpp:
312         (JSC::tryToDisassemble):
313         * disassembler/ARMv7Disassembler.cpp:
314         (JSC::tryToDisassemble):
315         * disassembler/Disassembler.cpp:
316         (JSC::disassemble):
317         (JSC::disassembleAsynchronously):
318         * disassembler/Disassembler.h:
319         (JSC::tryToDisassemble):
320         * disassembler/LLVMDisassembler.cpp: Removed.
321         * disassembler/LLVMDisassembler.h: Removed.
322         * disassembler/UDis86Disassembler.cpp:
323         (JSC::tryToDisassembleWithUDis86):
324         * disassembler/UDis86Disassembler.h:
325         (JSC::tryToDisassembleWithUDis86):
326         * disassembler/X86Disassembler.cpp:
327         (JSC::tryToDisassemble):
328         * ftl/FTLAbbreviatedTypes.h:
329         * ftl/FTLAbbreviations.h: Removed.
330         * ftl/FTLAbstractHeap.cpp:
331         (JSC::FTL::AbstractHeap::decorateInstruction):
332         (JSC::FTL::AbstractHeap::dump):
333         (JSC::FTL::AbstractField::dump):
334         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
335         (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
336         (JSC::FTL::IndexedAbstractHeap::baseIndex):
337         (JSC::FTL::IndexedAbstractHeap::dump):
338         (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
339         (JSC::FTL::NumberedAbstractHeap::dump):
340         (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
341         (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
342         * ftl/FTLAbstractHeap.h:
343         (JSC::FTL::AbstractHeap::AbstractHeap):
344         (JSC::FTL::AbstractHeap::heapName):
345         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
346         (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
347         (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
348         (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
349         * ftl/FTLAbstractHeapRepository.cpp:
350         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
351         * ftl/FTLAbstractHeapRepository.h:
352         * ftl/FTLB3Compile.cpp:
353         * ftl/FTLB3Output.cpp:
354         (JSC::FTL::Output::Output):
355         (JSC::FTL::Output::check):
356         (JSC::FTL::Output::load):
357         (JSC::FTL::Output::store):
358         * ftl/FTLB3Output.h:
359         * ftl/FTLCommonValues.cpp:
360         (JSC::FTL::CommonValues::CommonValues):
361         (JSC::FTL::CommonValues::initializeConstants):
362         * ftl/FTLCommonValues.h:
363         (JSC::FTL::CommonValues::initialize): Deleted.
364         * ftl/FTLCompile.cpp: Removed.
365         * ftl/FTLCompileBinaryOp.cpp: Removed.
366         * ftl/FTLCompileBinaryOp.h: Removed.
367         * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
368         * ftl/FTLDWARFDebugLineInfo.h: Removed.
369         * ftl/FTLDWARFRegister.cpp: Removed.
370         * ftl/FTLDWARFRegister.h: Removed.
371         * ftl/FTLDataSection.cpp: Removed.
372         * ftl/FTLDataSection.h: Removed.
373         * ftl/FTLExceptionHandlerManager.cpp: Removed.
374         * ftl/FTLExceptionHandlerManager.h: Removed.
375         * ftl/FTLExceptionTarget.cpp:
376         * ftl/FTLExceptionTarget.h:
377         * ftl/FTLExitThunkGenerator.cpp: Removed.
378         * ftl/FTLExitThunkGenerator.h: Removed.
379         * ftl/FTLFail.cpp:
380         (JSC::FTL::fail):
381         * ftl/FTLInlineCacheDescriptor.h: Removed.
382         * ftl/FTLInlineCacheSize.cpp: Removed.
383         * ftl/FTLInlineCacheSize.h: Removed.
384         * ftl/FTLIntrinsicRepository.cpp: Removed.
385         * ftl/FTLIntrinsicRepository.h: Removed.
386         * ftl/FTLJITCode.cpp:
387         (JSC::FTL::JITCode::~JITCode):
388         (JSC::FTL::JITCode::initializeB3Code):
389         (JSC::FTL::JITCode::initializeB3Byproducts):
390         (JSC::FTL::JITCode::initializeAddressForCall):
391         (JSC::FTL::JITCode::contains):
392         (JSC::FTL::JITCode::ftl):
393         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
394         (JSC::FTL::JITCode::initializeExitThunks): Deleted.
395         (JSC::FTL::JITCode::addHandle): Deleted.
396         (JSC::FTL::JITCode::addDataSection): Deleted.
397         (JSC::FTL::JITCode::exitThunks): Deleted.
398         * ftl/FTLJITCode.h:
399         (JSC::FTL::JITCode::b3Code):
400         (JSC::FTL::JITCode::handles): Deleted.
401         (JSC::FTL::JITCode::dataSections): Deleted.
402         * ftl/FTLJITFinalizer.cpp:
403         (JSC::FTL::JITFinalizer::codeSize):
404         (JSC::FTL::JITFinalizer::finalizeFunction):
405         * ftl/FTLJITFinalizer.h:
406         * ftl/FTLJSCall.cpp: Removed.
407         * ftl/FTLJSCall.h: Removed.
408         * ftl/FTLJSCallBase.cpp: Removed.
409         * ftl/FTLJSCallBase.h: Removed.
410         * ftl/FTLJSCallVarargs.cpp: Removed.
411         * ftl/FTLJSCallVarargs.h: Removed.
412         * ftl/FTLJSTailCall.cpp: Removed.
413         * ftl/FTLJSTailCall.h: Removed.
414         * ftl/FTLLazySlowPath.cpp:
415         (JSC::FTL::LazySlowPath::LazySlowPath):
416         (JSC::FTL::LazySlowPath::generate):
417         * ftl/FTLLazySlowPath.h:
418         (JSC::FTL::LazySlowPath::createGenerator):
419         (JSC::FTL::LazySlowPath::patchableJump):
420         (JSC::FTL::LazySlowPath::done):
421         (JSC::FTL::LazySlowPath::usedRegisters):
422         (JSC::FTL::LazySlowPath::callSiteIndex):
423         (JSC::FTL::LazySlowPath::stub):
424         (JSC::FTL::LazySlowPath::patchpoint): Deleted.
425         * ftl/FTLLink.cpp:
426         (JSC::FTL::link):
427         * ftl/FTLLocation.cpp:
428         (JSC::FTL::Location::forValueRep):
429         (JSC::FTL::Location::dump):
430         (JSC::FTL::Location::forStackmaps): Deleted.
431         * ftl/FTLLocation.h:
432         (JSC::FTL::Location::forRegister):
433         (JSC::FTL::Location::forIndirect):
434         (JSC::FTL::Location::forConstant):
435         (JSC::FTL::Location::kind):
436         (JSC::FTL::Location::hasReg):
437         * ftl/FTLLowerDFGToLLVM.cpp:
438         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
439         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
440         (JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
441         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
442         (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
443         (JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
444         (JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
445         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
446         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
447         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
448         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
449         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
450         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
451         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
452         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
453         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
454         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
455         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
456         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
457         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
458         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
459         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
460         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
461         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
462         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
463         (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
464         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
465         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
466         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
467         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
468         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
469         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
470         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
471         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
472         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
473         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
474         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
475         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
476         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
477         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
478         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
479         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
480         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
481         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
482         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
483         (JSC::FTL::DFG::LowerDFGToLLVM::probe):
484         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
485         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
486         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
487         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
488         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
489         * ftl/FTLOSRExit.cpp:
490         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
491         (JSC::FTL::OSRExitDescriptor::validateReferences):
492         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
493         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
494         (JSC::FTL::OSRExit::OSRExit):
495         (JSC::FTL::OSRExit::codeLocationForRepatch):
496         (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
497         (JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
498         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
499         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
500         (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
501         (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
502         * ftl/FTLOSRExit.h:
503         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
504         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
505         * ftl/FTLOSRExitCompilationInfo.h: Removed.
506         * ftl/FTLOSRExitCompiler.cpp:
507         (JSC::FTL::compileRecovery):
508         (JSC::FTL::compileStub):
509         (JSC::FTL::compileFTLOSRExit):
510         * ftl/FTLOSRExitHandle.cpp:
511         * ftl/FTLOSRExitHandle.h:
512         * ftl/FTLOutput.cpp: Removed.
513         * ftl/FTLOutput.h: Removed.
514         * ftl/FTLPatchpointExceptionHandle.cpp:
515         * ftl/FTLPatchpointExceptionHandle.h:
516         * ftl/FTLStackMaps.cpp: Removed.
517         * ftl/FTLStackMaps.h: Removed.
518         * ftl/FTLState.cpp:
519         (JSC::FTL::State::State):
520         (JSC::FTL::State::~State):
521         (JSC::FTL::State::dumpState): Deleted.
522         * ftl/FTLState.h:
523         * ftl/FTLUnwindInfo.cpp: Removed.
524         * ftl/FTLUnwindInfo.h: Removed.
525         * ftl/FTLValueRange.cpp:
526         (JSC::FTL::ValueRange::decorateInstruction):
527         * ftl/FTLValueRange.h:
528         (JSC::FTL::ValueRange::ValueRange):
529         (JSC::FTL::ValueRange::begin):
530         (JSC::FTL::ValueRange::end):
531         * ftl/FTLWeight.h:
532         (JSC::FTL::Weight::value):
533         (JSC::FTL::Weight::frequencyClass):
534         (JSC::FTL::Weight::scaleToTotal):
535         * llvm/InitializeLLVM.cpp: Removed.
536         * llvm/InitializeLLVM.h: Removed.
537         * llvm/InitializeLLVMMac.cpp: Removed.
538         * llvm/InitializeLLVMPOSIX.cpp: Removed.
539         * llvm/InitializeLLVMPOSIX.h: Removed.
540         * llvm/LLVMAPI.cpp: Removed.
541         * llvm/LLVMAPI.h: Removed.
542         * llvm/LLVMAPIFunctions.h: Removed.
543         * llvm/LLVMHeaders.h: Removed.
544         * llvm/library/LLVMAnchor.cpp: Removed.
545         * llvm/library/LLVMExports.cpp: Removed.
546         * llvm/library/LLVMOverrides.cpp: Removed.
547         * llvm/library/config_llvm.h: Removed.
548
549 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
550
551         [JSC] Remove the overflow check on ArithAbs when possible
552         https://bugs.webkit.org/show_bug.cgi?id=154325
553
554         Reviewed by Filip Pizlo.
555
556         This patch adds support for ArithMode for ArithAbs.
557
558         It is useful for kraken tests where Math.abs() is used
559         on values for which the range is known.
560
561         For example, imaging-gaussian-blur has two Math.abs() with
562         integers that are always in a small range around zero.
563         The IntegerRangeOptimizationPhase detects the range correctly
564         so we can just update the ArithMode depending on the input.
565
566         * dfg/DFGFixupPhase.cpp:
567         (JSC::DFG::FixupPhase::fixupNode):
568         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
569         * dfg/DFGNode.h:
570         (JSC::DFG::Node::convertToArithNegate):
571         (JSC::DFG::Node::hasArithMode):
572         * dfg/DFGSpeculativeJIT64.cpp:
573         (JSC::DFG::SpeculativeJIT::compile):
574         * ftl/FTLLowerDFGToLLVM.cpp:
575         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
576         * tests/stress/arith-abs-integer-range-optimization.js: Added.
577         (negativeRange):
578         (negativeRangeIncludingZero):
579         (negativeRangeWithOverflow):
580         (positiveRange):
581         (positiveRangeIncludingZero):
582         (rangeWithoutOverflow):
583         * tests/stress/arith-abs-with-bitwise-or-zero.js: Added.
584         (opaqueAbs):
585
586 2016-02-17  Chris Dumez  <cdumez@apple.com>
587
588         SES selftest page crashes on nightly r196694
589         https://bugs.webkit.org/show_bug.cgi?id=154350
590         <rdar://problem/24704334>
591
592         Reviewed by Mark Lam.
593
594         SES selftest page crashes after r196001 / r196145 when calling
595         Object.getOwnPropertyDescriptor(window, "length") after the window
596         has been reified and "length" has been shadowed by a value property.
597
598         It was crashing in JSObject::getOwnPropertyDescriptor() because
599         we are getting a slot that has attribute "CustomAccessor" but
600         the property is not a CustomGetterSetter. In this case, since
601         window.length is [Replaceable] and has been set to a numeric value,
602         it means that the property is not a CustomGetterSetter. However,
603         the "CustomAccessor" attribute should have been dropped from the
604         slot when window.length was shadowed. Therefore, this code path
605         should not be exercised at all when calling
606         getOwnPropertyDescriptor().
607
608         The issue was that putDirectInternal() was updating the slot
609         attributes only if the "Accessor" flag has changed, but not
610         the "customAccessor" flag. This patch fixes the issue.
611
612         * runtime/JSObject.h:
613         (JSC::JSObject::putDirectInternal):
614
615 2016-02-17  Saam barati  <sbarati@apple.com>
616
617         Implement Proxy [[Get]]
618         https://bugs.webkit.org/show_bug.cgi?id=154081
619
620         Reviewed by Michael Saboff.
621
622         This patch implements ProxyObject and ProxyConstructor. Their
623         implementations are straightforward and follow the spec.
624         The largest change in this patch is adding a second parameter
625         to PropertySlot's constructor that specifies the internal method type of
626         the getOwnPropertySlot inquiry. We use getOwnPropertySlot to 
627         implement more than one Internal Method in the spec. Because 
628         of this, we need InternalMethodType to give us context about 
629         which Internal Method we're executing. Specifically, Proxy will 
630         call into different handlers based on this information.
631
632         InternalMethodType is an enum with the following values:
633         - Get
634           This corresponds to [[Get]] internal method in the spec.
635         - GetOwnProperty
636           This corresponds to [[GetOwnProperty]] internal method in the spec.
637         - HasProperty
638           This corresponds to [[HasProperty]] internal method in the spec.
639         - VMInquiry
640           This is basically everything else that isn't one of the above
641           types. This value also mandates that getOwnPropertySlot does
642           not perform any user observable effects. I.e., it can't call
643           a JS function.
644
645         The other non-VMInquiry InternalMethodTypes are allowed to perform user
646         observable effects. I.e., in future patches, ProxyObject will implement
647         InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty, which will both be defined
648         to call user defined JS functions, which clearly have the right to perform
649         user observable effects.
650
651         This patch implements getOwnPropertySlot of ProxyObject under
652         InternalMethodType::Get. 
653
654         * API/JSCallbackObjectFunctions.h:
655         (JSC::JSCallbackObject<Parent>::put):
656         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
657         * CMakeLists.txt:
658         * JavaScriptCore.xcodeproj/project.pbxproj:
659         * debugger/DebuggerScope.cpp:
660         (JSC::DebuggerScope::caughtValue):
661         * interpreter/Interpreter.cpp:
662         (JSC::Interpreter::execute):
663         * jit/JITOperations.cpp:
664         * llint/LLIntSlowPaths.cpp:
665         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
666         * runtime/ArrayPrototype.cpp:
667         (JSC::getProperty):
668         * runtime/CommonIdentifiers.h:
669         * runtime/JSCJSValueInlines.h:
670         (JSC::JSValue::get):
671         * runtime/JSFunction.cpp:
672         (JSC::JSFunction::getOwnNonIndexPropertyNames):
673         (JSC::JSFunction::put):
674         (JSC::JSFunction::defineOwnProperty):
675         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
676         (JSC::constructGenericTypedArrayViewWithArguments):
677         * runtime/JSGlobalObject.cpp:
678         (JSC::JSGlobalObject::init):
679         (JSC::JSGlobalObject::defineOwnProperty):
680         * runtime/JSGlobalObject.h:
681         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
682         (JSC::JSGlobalObject::moduleRecordStructure):
683         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
684         (JSC::JSGlobalObject::proxyObjectStructure):
685         (JSC::JSGlobalObject::wasmModuleStructure):
686         * runtime/JSModuleEnvironment.cpp:
687         (JSC::JSModuleEnvironment::getOwnPropertySlot):
688         * runtime/JSModuleNamespaceObject.cpp:
689         (JSC::callbackGetter):
690         * runtime/JSONObject.cpp:
691         (JSC::Stringifier::Holder::appendNextProperty):
692         (JSC::Walker::walk):
693         * runtime/JSObject.cpp:
694         (JSC::JSObject::calculatedClassName):
695         (JSC::JSObject::putDirectNonIndexAccessor):
696         (JSC::JSObject::hasProperty):
697         (JSC::JSObject::deleteProperty):
698         (JSC::JSObject::hasOwnProperty):
699         (JSC::JSObject::getOwnPropertyDescriptor):
700         * runtime/JSObject.h:
701         (JSC::JSObject::getDirectIndex):
702         (JSC::JSObject::get):
703         * runtime/JSScope.cpp:
704         (JSC::abstractAccess):
705         * runtime/ObjectConstructor.cpp:
706         (JSC::toPropertyDescriptor):
707         * runtime/ObjectPrototype.cpp:
708         (JSC::objectProtoFuncLookupGetter):
709         (JSC::objectProtoFuncLookupSetter):
710         (JSC::objectProtoFuncToString):
711         * runtime/PropertySlot.h:
712         (JSC::attributesForStructure):
713         (JSC::PropertySlot::PropertySlot):
714         (JSC::PropertySlot::isCacheableGetter):
715         (JSC::PropertySlot::isCacheableCustom):
716         (JSC::PropertySlot::internalMethodType):
717         (JSC::PropertySlot::disableCaching):
718         (JSC::PropertySlot::getValue):
719         * runtime/ProxyConstructor.cpp: Added.
720         (JSC::ProxyConstructor::create):
721         (JSC::ProxyConstructor::ProxyConstructor):
722         (JSC::ProxyConstructor::finishCreation):
723         (JSC::constructProxyObject):
724         (JSC::ProxyConstructor::getConstructData):
725         (JSC::ProxyConstructor::getCallData):
726         * runtime/ProxyConstructor.h: Added.
727         (JSC::ProxyConstructor::createStructure):
728         * runtime/ProxyObject.cpp: Added.
729         (JSC::ProxyObject::ProxyObject):
730         (JSC::ProxyObject::finishCreation):
731         (JSC::performProxyGet):
732         (JSC::ProxyObject::getOwnPropertySlotCommon):
733         (JSC::ProxyObject::getOwnPropertySlot):
734         (JSC::ProxyObject::getOwnPropertySlotByIndex):
735         (JSC::ProxyObject::visitChildren):
736         * runtime/ProxyObject.h: Added.
737         (JSC::ProxyObject::create):
738         (JSC::ProxyObject::createStructure):
739         (JSC::ProxyObject::target):
740         (JSC::ProxyObject::handler):
741         * runtime/ReflectObject.cpp:
742         (JSC::reflectObjectGet):
743         * runtime/SamplingProfiler.cpp:
744         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
745         * tests/es6.yaml:
746         * tests/stress/proxy-basic.js: Added.
747         (assert):
748         (let.handler.get null):
749         (get let):
750         (let.handler.get switch):
751         (let.handler):
752         (let.theTarget.get x):
753         * tests/stress/proxy-in-proto-chain.js: Added.
754         (assert):
755         * tests/stress/proxy-of-a-proxy.js: Added.
756         (assert):
757         (throw.new.Error.):
758         * tests/stress/proxy-property-descriptor.js: Added.
759         (assert):
760         (set Object):
761         * wasm/WASMModuleParser.cpp:
762         (JSC::WASMModuleParser::getImportedValue):
763
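The entry above describes ProxyObject implementing getOwnPropertySlot under InternalMethodType::Get, with tests for a proxy in the prototype chain and a proxy of a proxy. The block below is an added example written for this page (it is not code from JSC or from the patch) that shows the [[Get]] behaviour those tests cover from the JavaScript side: which accesses reach the get trap, what receiver the trap sees, and which operations never touch it. Names such as makeLoggingProxy and runGetScenarios are this example's own.

```javascript
// Added example (not JSC code): observing the [[Get]] internal method of an
// ES6 Proxy from JavaScript. Every invocation of the get trap is logged so the
// scenarios below can be checked against the spec's expected behaviour.
function makeLoggingProxy(target, name, log) {
  const handler = {
    get(t, key, receiver) {
      log.push(`${name}.get(${String(key)})`);
      // Forward to the target, keeping the original receiver so accessors
      // run with the right `this`.
      return Reflect.get(t, key, receiver);
    }
  };
  return new Proxy(target, handler);
}

function runGetScenarios() {
  const log = [];
  // Constructed sample target: one data property and one accessor.
  const theTarget = { x: 10, get y() { return this.x * 2; } };
  const proxy = makeLoggingProxy(theTarget, 'p', log);

  // 1. A plain property access on the proxy is a [[Get]] and hits the trap.
  const direct = proxy.x;

  // 2. Proxy in the prototype chain: `child` has no own 'x', so [[Get]] walks
  //    up to the proxy, which sees `child` as the receiver.
  const child = Object.create(proxy);
  const viaProto = child.x;

  // 3. The receiver matters for accessors: the getter for 'y' runs with
  //    `this === child`, whose own 'x' now shadows the target's.
  child.x = 100;                 // [[Set]] on child: no get trap involved
  const accessorViaProto = child.y;

  // 4. Proxy of a proxy: the outer trap fires first, then forwards to the
  //    inner proxy, whose trap fires with the outer proxy as receiver.
  const outer = makeLoggingProxy(proxy, 'outer', log);
  const nested = outer.x;

  // 5. Other internal methods ([[HasProperty]], [[OwnPropertyKeys]]) do not
  //    go through the get trap at all.
  const hasX = 'x' in proxy;
  const keys = Object.keys(proxy).join(',');

  return { direct, viaProto, accessorViaProto, nested, hasX, keys, log: log.join(' ') };
}
```

Running runGetScenarios() yields the log `p.get(x) p.get(x) p.get(y) outer.get(x) p.get(x)`: three [[Get]]s through the single proxy, then two trap invocations for the nested case, and nothing for the `in` operator or Object.keys, which is the distinction between [[Get]] and the other internal method types the entry introduces.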
764 2016-02-17  Mark Lam  <mark.lam@apple.com>
765
766         StringPrototype functions should check for exceptions after calling JSString::value().
767         https://bugs.webkit.org/show_bug.cgi?id=154340
768
769         Reviewed by Filip Pizlo.
770
771         JSString::value() can throw an exception if the JS string is a rope and value()
772         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
773         able to resolve the rope, it will return a null string (in addition to throwing
774         the exception).  If StringPrototype functions do not check for exceptions after
775         calling JSString::value(), they may eventually use the returned null string and
776         crash the VM.
777
778         The fix is to add all the necessary exception checks, and do the appropriate
779         handling if needed.
780
781         Also, in a few places where we returned JSValue() when an exception is detected, I
782         changed it to return jsUndefined() instead, to be consistent with the rest of the
783         file.
784
785         * runtime/StringPrototype.cpp:
786         (JSC::replaceUsingRegExpSearch):
787         (JSC::stringProtoFuncMatch):
788         (JSC::stringProtoFuncSlice):
789         (JSC::stringProtoFuncSplit):
790         (JSC::stringProtoFuncLocaleCompare):
791         (JSC::stringProtoFuncBig):
792         (JSC::stringProtoFuncSmall):
793         (JSC::stringProtoFuncBlink):
794         (JSC::stringProtoFuncBold):
795         (JSC::stringProtoFuncFixed):
796         (JSC::stringProtoFuncItalics):
797         (JSC::stringProtoFuncStrike):
798         (JSC::stringProtoFuncSub):
799         (JSC::stringProtoFuncSup):
800         (JSC::stringProtoFuncFontcolor):
801         (JSC::stringProtoFuncFontsize):
802         (JSC::stringProtoFuncAnchor):
803         (JSC::stringProtoFuncLink):
804         (JSC::trimString):
805
806 2016-02-17  Commit Queue  <commit-queue@webkit.org>
807
808         Unreviewed, rolling out r196675.
809         https://bugs.webkit.org/show_bug.cgi?id=154344
810
811         "Causes major slowdowns on deltablue-varargs" (Requested by
812         keith_miller on #webkit).
813
814         Reverted changeset:
815
816         "Spread operator should be allowed when not the first argument
817         of parameter list"
818         https://bugs.webkit.org/show_bug.cgi?id=152721
819         http://trac.webkit.org/changeset/196675
820
821 2016-02-17  Gavin Barraclough  <barraclough@apple.com>
822
823         JSDOMWindow::put should not do the same thing twice
824         https://bugs.webkit.org/show_bug.cgi?id=154334
825
826         Reviewed by Chris Dumez.
827
828         It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
829         In the latter case it might call lookupPut. That's redundant; JSObject::put handles static
830         table entries.
831
832         * runtime/JSGlobalObject.h:
833         (JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.
834             - no longer needed.
835
836 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
837
838         FTL_USES_B3 should be unconditionally true
839         https://bugs.webkit.org/show_bug.cgi?id=154324
840
841         Reviewed by Benjamin Poulain.
842
843         * dfg/DFGCommon.h:
844
845 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
846
847         FTL should support CompareEq(String:, String:)
848         https://bugs.webkit.org/show_bug.cgi?id=154269
849         rdar://problem/24499921
850
851         Reviewed by Benjamin Poulain.
852
853         Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
854         think we should land the increased coverage first and fix the issues after, especially since
855         the regression is so small and doesn't have a statistically significant effect on the overall
856         score.
857
858         * ftl/FTLCapabilities.cpp:
859         (JSC::FTL::canCompile):
860         * ftl/FTLLowerDFGToLLVM.cpp:
861         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
862         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
863         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
864         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
865         * tests/stress/ftl-string-equality.js: Added.
866         * tests/stress/ftl-string-ident-equality.js: Added.
867         * tests/stress/ftl-string-strict-equality.js: Added.
868
869 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
870
871         FTL should support NewTypedArray
872         https://bugs.webkit.org/show_bug.cgi?id=154268
873
874         Reviewed by Saam Barati.
875
876         3% speed-up on pdfjs. This was already covered by many different tests.
877
878         Rolling this back in after fixing the butterfly argument.
879
880         * ftl/FTLCapabilities.cpp:
881         (JSC::FTL::canCompile):
882         * ftl/FTLLowerDFGToLLVM.cpp:
883         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
884         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
885         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
886         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
887         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
888         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
889         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
890
891 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
892
893         JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
894         https://bugs.webkit.org/show_bug.cgi?id=154257
895
896         Reviewed by Chris Dumez.
897
898         * runtime/Lookup.h:
899         (JSC::getStaticPropertySlot):
900         (JSC::getStaticFunctionSlot):
901         (JSC::getStaticValueSlot):
902             - this could all do with a little more love.
903               But enforce the basic precedence:
904                 (1) regular storage properties always win over static table properties.
905                 (2) if properties have been reified, don't consult the static tables.
906                 (3) only if the property is not present on the object & not reified
907                     should the static hashtable be consulted.
908
909 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
910
911         JSDOMWindow::getOwnPropertySlot should not search proto chain
912         https://bugs.webkit.org/show_bug.cgi?id=154102
913
914         Reviewed by Chris Dumez.
915
916         Should only return *own* properties.
917
918         * runtime/JSObject.cpp:
919         (JSC::JSObject::getOwnPropertyDescriptor):
920             - remove hack/special-case for DOMWindow; we no longer need this.
921
922 2016-02-16  Keith Miller  <keith_miller@apple.com>
923
924         Spread operator should be allowed when not the first argument of parameter list
925         https://bugs.webkit.org/show_bug.cgi?id=152721
926
927         Reviewed by Saam Barati.
928
929         Spread arguments to functions should now be ES6 compliant. Before we
930         would only take a spread operator if it was the sole argument to a
931         function. Additionally, we would not use the Symbol.iterator on the
932         object to generate the arguments. Instead we would do a loop up to the
933         length mapping indexed properties to the corresponding argument. We fix
934         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
935         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
936         old spread semantics). This solution has the downside of requiring the
937         allocation of another object and copying each element twice but avoids a
938         large change to the vm calling convention.
939
940         * interpreter/Interpreter.cpp:
941         (JSC::loadVarargs):
942         * parser/ASTBuilder.h:
943         (JSC::ASTBuilder::createElementList):
944         * parser/Parser.cpp:
945         (JSC::Parser<LexerType>::parseArguments):
946         (JSC::Parser<LexerType>::parseArgument):
947         (JSC::Parser<LexerType>::parseMemberExpression):
948         * parser/Parser.h:
949         * parser/SyntaxChecker.h:
950         (JSC::SyntaxChecker::createElementList):
951         * tests/es6.yaml:
952         * tests/stress/spread-calling.js: Added.
953         (testFunction):
954         (testEmpty):
955         (makeObject):
956         (otherIterator.return.next):
957         (otherIterator):
958         (totalIter):
959         (throwingIter.return.next):
960         (throwingIter):
961         (i.catch):
962
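The entry above explains that spread arguments now follow ES6: a spread may sit anywhere in the argument list, it is driven by Symbol.iterator rather than by `length` and indexed properties, and the parser desugars foo(...a, b, ...c, d) into foo(...[...a, b, ...c, d]). The block below is an added example for this page, not code from JSC or from its spread-calling.js test, that exercises those semantics in plain JavaScript; collect, makeIterable and the scenario functions are names chosen for the example.

```javascript
// Added example (not JSC code): the ES6 spread-argument semantics this patch
// makes JSC follow. Spreads may appear anywhere in the argument list and are
// driven by Symbol.iterator, not by `length` and indexed properties.
function collect(...args) { return args; }

// A constructed iterable that is deliberately not array-like and records
// every iterator-protocol call.
function makeIterable(values, log) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          log.push('next');
          return i < values.length ? { value: values[i++], done: false }
                                   : { value: undefined, done: true };
        },
        return() { log.push('return'); return { done: true }; }
      };
    }
  };
}

// Spread in the middle of the argument list, mixed with plain arguments.
function spreadInMiddle() {
  const log = [];
  const a = makeIterable([1, 2], log);
  const c = makeIterable([4, 5], log);
  const result = collect(...a, 3, ...c, 6);
  // The desugaring the patch performs: one array literal built from all the
  // pieces, then a single spread of that array. Same observable result.
  const desugared = collect(...[...a, 3, ...c, 6]);
  return {
    result: result.join(','),
    desugared: desugared.join(','),
    nextCalls: log.filter(e => e === 'next').length,
  };
}

// An array-like without Symbol.iterator is rejected with a TypeError; the old
// length-based loop would have accepted it silently.
function spreadArrayLike() {
  const arrayLike = { length: 2, 0: 'a', 1: 'b' };
  try {
    collect(...arrayLike);
    return 'no error';
  } catch (e) {
    return e.constructor.name;
  }
}

// An iterator whose next() throws: the error propagates out of the call,
// later arguments are never evaluated, and return() is not invoked because
// the iterator itself (not the consumer) produced the abrupt completion.
function spreadThrowingIterator() {
  let laterArgEvaluated = false;
  const log = [];
  const throwingIter = {
    [Symbol.iterator]() {
      let n = 0;
      return {
        next() { if (++n === 2) throw new Error('boom'); return { value: n, done: false }; },
        return() { log.push('return'); return { done: true }; }
      };
    }
  };
  try {
    collect(...throwingIter, (laterArgEvaluated = true));
    return 'no error';
  } catch (e) {
    return `${e.message}:later=${laterArgEvaluated}:return=${log.length}`;
  }
}
```

spreadInMiddle() returns `1,2,3,4,5,6` for both forms and counts 12 next() calls (each two-element iterable needs three calls to reach done, and each is consumed twice), which is the "copying each element twice" cost the entry mentions for the desugared form.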
963 2016-02-16  Benjamin Poulain  <bpoulain@apple.com>
964
965         [JSC] Enable B3 on ARM64
966         https://bugs.webkit.org/show_bug.cgi?id=154275
967
968         Reviewed by Mark Lam.
969
970         The port passes more tests than LLVM now, let's use it by default.
971
972         * dfg/DFGCommon.h:
973
974 2016-02-16  Commit Queue  <commit-queue@webkit.org>
975
976         Unreviewed, rolling out r196652.
977         https://bugs.webkit.org/show_bug.cgi?id=154315
978
979         This change caused LayoutTest crashes (Requested by ryanhaddad
980         on #webkit).
981
982         Reverted changeset:
983
984         "FTL should support NewTypedArray"
985         https://bugs.webkit.org/show_bug.cgi?id=154268
986         http://trac.webkit.org/changeset/196652
987
988 2016-02-16  Brian Burg  <bburg@apple.com>
989
990         RemoteInspector should forward new automation session requests to its client
991         https://bugs.webkit.org/show_bug.cgi?id=154260
992         <rdar://problem/24663313>
993
994         Reviewed by Timothy Hatcher.
995
996         * inspector/remote/RemoteInspector.h:
997         * inspector/remote/RemoteInspector.mm:
998         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
999         (Inspector::RemoteInspector::listingForAutomationTarget):
1000         Use the correct key for the session identifier in the listing. The name()
1001         override for RemoteAutomationTarget is actually the session identifier.
1002
1003         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
1004         * inspector/remote/RemoteInspectorConstants.h: Add new constants.
1005
1006 2016-02-16  Saam barati  <sbarati@apple.com>
1007
1008         SamplingProfiler still fails with ASan enabled
1009         https://bugs.webkit.org/show_bug.cgi?id=154301
1010         <rdar://problem/24679502>
1011
1012         Reviewed by Filip Pizlo.
1013
1014         To fix this issue, I've come up with unsafe versions
1015         of all operations that load memory from the thread's call
1016         frame. All these new unsafe methods are marked with SUPPRESS_ASAN.
1017
1018         * interpreter/CallFrame.cpp:
1019         (JSC::CallFrame::callSiteAsRawBits):
1020         (JSC::CallFrame::unsafeCallSiteAsRawBits):
1021         (JSC::CallFrame::callSiteIndex):
1022         (JSC::CallFrame::unsafeCallSiteIndex):
1023         (JSC::CallFrame::stack):
1024         (JSC::CallFrame::callerFrame):
1025         (JSC::CallFrame::unsafeCallerFrame):
1026         (JSC::CallFrame::friendlyFunctionName):
1027         * interpreter/CallFrame.h:
1028         (JSC::ExecState::calleeAsValue):
1029         (JSC::ExecState::callee):
1030         (JSC::ExecState::unsafeCallee):
1031         (JSC::ExecState::codeBlock):
1032         (JSC::ExecState::unsafeCodeBlock):
1033         (JSC::ExecState::scope):
1034         (JSC::ExecState::callerFrame):
1035         (JSC::ExecState::callerFrameOrVMEntryFrame):
1036         (JSC::ExecState::unsafeCallerFrameOrVMEntryFrame):
1037         (JSC::ExecState::callerFrameOffset):
1038         (JSC::ExecState::callerFrameAndPC):
1039         (JSC::ExecState::unsafeCallerFrameAndPC):
1040         * interpreter/Register.h:
1041         (JSC::Register::codeBlock):
1042         (JSC::Register::asanUnsafeCodeBlock):
1043         (JSC::Register::unboxedInt32):
1044         (JSC::Register::tag):
1045         (JSC::Register::unsafeTag):
1046         (JSC::Register::payload):
1047         * interpreter/VMEntryRecord.h:
1048         (JSC::VMEntryRecord::prevTopCallFrame):
1049         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
1050         (JSC::VMEntryRecord::prevTopVMEntryFrame):
1051         (JSC::VMEntryRecord::unsafePrevTopVMEntryFrame):
1052         * runtime/SamplingProfiler.cpp:
1053         (JSC::FrameWalker::walk):
1054         (JSC::FrameWalker::advanceToParentFrame):
1055         (JSC::FrameWalker::isAtTop):
1056         (JSC::FrameWalker::resetAtMachineFrame):
1057
1058 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
1059
1060         FTL should support NewTypedArray
1061         https://bugs.webkit.org/show_bug.cgi?id=154268
1062
1063         Reviewed by Saam Barati.
1064
1065         3% speed-up on pdfjs. This was already covered by many different tests.
1066
1067         * ftl/FTLCapabilities.cpp:
1068         (JSC::FTL::canCompile):
1069         * ftl/FTLLowerDFGToLLVM.cpp:
1070         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1071         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
1072         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
1073         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
1074         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
1075         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
1076         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
1077
1078 2016-02-16  Saam barati  <sbarati@apple.com>
1079
1080         stress/sampling-profiler-deep-stack.js fails on ARM 32bit
1081         https://bugs.webkit.org/show_bug.cgi?id=154255
1082         <rdar://problem/24662996>
1083
1084         Reviewed by Mark Lam.
1085
1086         The bug here wasn't in the implementation of the sampling profiler 
1087         itself. Rather, it was a bug in the test. JSC wasn't spending a lot
1088         of time in a function that the test assumed a lot of time was spent in.
1089         That's because the DFG was doing a good job at optimizing the function
1090         at the leaf of the recursion. Because of that, we often wouldn't sample it.
1091         I fixed this by making the leaf function do more work.
1092
1093         * tests/stress/sampling-profiler-deep-stack.js:
1094         (platformSupportsSamplingProfiler.foo):
1095
1096 2016-02-16  Chris Dumez  <cdumez@apple.com>
1097
1098         [Web IDL] Operations should be on the instance for global objects or if [Unforgeable]
1099         https://bugs.webkit.org/show_bug.cgi?id=154120
1100         <rdar://problem/24613231>
1101
1102         Reviewed by Gavin Barraclough.
1103
1104         Have putEntry() take a thisValue parameter in addition to the base,
1105         instead of relying on PropertySlot::thisValue() because this did not
1106         always do the right thing. In particular, when JSDOMWindow::put() was
1107         called to set a function, it would end up setting the new value on the
1108         JSDOMWindowShell instead of the actual JSDOMWindow.
1109         JSDOMWindow::getOwnPropertySlot() would then not be able to find it.
1110         Therefore the following would fail:
1111         $ window.open = "test"
1112         $ console.log(window.open) // prints the native function instead of "test"
1113
1114         * runtime/JSObject.cpp:
1115         (JSC::JSObject::putInlineSlow):
1116         * runtime/Lookup.h:
1117         (JSC::putEntry):
1118         (JSC::lookupPut):
1119
1120 2016-02-16  Keith Miller  <keith_miller@apple.com>
1121
1122         ClonedArguments should not materialize its special properties unless they are being changed or deleted
1123         https://bugs.webkit.org/show_bug.cgi?id=154128
1124
1125         Reviewed by Filip Pizlo.
1126
1127         Before we would materialize ClonedArguments whenever they were being accessed.
1128         However this would cause the IC to miss every time as the structure for
1129         the arguments object would change as we went to IC it. Thus on the next
1130         function call we would miss the cache since the new arguments object
1131         would not have materialized the value.
1132
1133         * runtime/ClonedArguments.cpp:
1134         (JSC::ClonedArguments::getOwnPropertySlot):
1135         * tests/stress/cloned-arguments-modification.js: Added.
1136         (foo):
1137
1138 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
1139
1140         FTL should support StringFromCharCode
1141         https://bugs.webkit.org/show_bug.cgi?id=154267
1142         rdar://problem/24192536
1143
1144         Reviewed by Mark Lam.
1145
1146         * dfg/DFGFixupPhase.cpp:
1147         (JSC::DFG::FixupPhase::fixupNode): Fix a bug preventing the UntypedUse from being effective.
1148         * ftl/FTLCapabilities.cpp:
1149         (JSC::FTL::canCompile):
1150         * ftl/FTLLowerDFGToLLVM.cpp:
1151         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1152         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringFromCharCode): Implement the opcode.
1153         * tests/stress/string-from-char-code-slow.js: Added.
1154
1155 2016-02-15  Benjamin Poulain  <bpoulain@apple.com>
1156
1157         [JSC] BranchAdd can override arguments of its stackmap
1158         https://bugs.webkit.org/show_bug.cgi?id=154274
1159
1160         Reviewed by Filip Pizlo.
1161
1162         With the 3 operands BranchAdd added in r196513, we can run into
1163         a register allocation such that the destination register is also
1164         used by a value in the stack map.
1165
1166         It used to be that BranchAdd was a 2-operand instruction.
1167         In that form, the destination is also one of the sources and
1168         can be recovered through Sub. There is no conflict between
1169         the destination and the stackmap.
1170
1171         After r196513, the destination has its own value. It is uncommon
1172         on x86 because of the aggressive aliasing but that can happen.
1173         On ARM, that's a standard form since there is no need for aliasing.
1174
1175         Since the arguments of the stackmap are of type EarlyUse,
1176         they appeared as not interfering with the destination. When the register
1177         allocator gives the same register to the destination and something in
1178         the stack map, the result of BranchAdd destroys the value kept alive
1179         for the stackmap.
1180
1181         In this patch, I introduce a concept very similar to ForceLateUse
1182         to keep the argument of the stackmap live in CheckAdd. The new
1183         role is "ForceLateUseUnlessRecoverable".
1184
1185         In this mode, anything that is not also an input argument becomes
1186         LateUse. As such, it interferes with the destination of CheckAdd.
1187         The arguments are recovered by the slow patch of CheckAdd. They
1188         remain Early use.
1189
1190         This new mode ensures that the destination can be aliased to the source
1191         when that's useful, while making sure it is not aliased with another
1192         value that needs to be live on exit.
1193
1194         * b3/B3CheckSpecial.cpp:
1195         (JSC::B3::CheckSpecial::forEachArg):
1196         * b3/B3LowerToAir.cpp:
1197         (JSC::B3::Air::LowerToAir::lower):
1198         * b3/B3PatchpointSpecial.cpp:
1199         (JSC::B3::PatchpointSpecial::forEachArg):
1200         * b3/B3StackmapSpecial.cpp:
1201         (JSC::B3::StackmapSpecial::forEachArgImpl):
1202         (WTF::printInternal):
1203         * b3/B3StackmapSpecial.h:
1204         * b3/B3StackmapValue.h:
1205
1206 2016-02-15  Joseph Pecoraro  <pecoraro@apple.com>
1207
1208         Web Inspector: Web Workers have no access to console for debugging
1209         https://bugs.webkit.org/show_bug.cgi?id=26237
1210
1211         Reviewed by Timothy Hatcher.
1212
1213         * inspector/ConsoleMessage.h:
1214         Add accessor for MessageLevel.
1215
1216 2016-02-15  Mark Lam  <mark.lam@apple.com>
1217
1218         [ARMv7] stress/op_rshift.js and stress/op_urshift.js are failing.
1219         https://bugs.webkit.org/show_bug.cgi?id=151514
1220
1221         Reviewed by Filip Pizlo.
1222
1223         The issue turns out to be trivial: on ARMv7 (and traditional ARM too), arithmetic
1224         shift right (ASR) and logical shift right (LSR) take an immediate shift amount
1225         from 1-32.  See http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cjacbgca.html.
1226         An immediate shift amount of 0 is interpreted as a shift of 32 bits.
1227
1228         Meanwhile, our macro assembler is expecting the immediate shift value to be
1229         between 0-31.  As a result, a shift amount of 0 is being wrongly encoded with 0
1230         bits which means shift right by 32 bits.
1231
1232         The fix is to check if the shift amount is 0, and if so, emit a move.  Else,
1233         emit the right shift as usual.
1234
1235         This issue does not affect left shifts, as the immediate shift amount for left
1236         shifts is between 0-31 as our macro assembler expects.
1237
1238         * assembler/MacroAssemblerARM.h:
1239         (JSC::MacroAssemblerARM::rshift32):
1240         (JSC::MacroAssemblerARM::urshift32):
1241         (JSC::MacroAssemblerARM::sub32):
1242         * assembler/MacroAssemblerARMv7.h:
1243         (JSC::MacroAssemblerARMv7::rshift32):
1244         (JSC::MacroAssemblerARMv7::urshift32):
1245
1246         * tests/stress/op_rshift.js:
1247         * tests/stress/op_urshift.js:
1248         - Un-skip these tests.  They should always pass now.
1249
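The entry above pins the failure on a mismatch between the macro assembler's assumed 0-31 shift range and the ARM encoding, where an immediate of 0 means a shift by 32. The block below is an added example for this page, not JSC's MacroAssemblerARM code: a small JavaScript model of that encoding and of rshift32/urshift32 before and after the fix, so the miscompiled case can be checked directly. The hardware behaviour is taken from the entry's description; executeLsr, executeAsr and the Before/After function names are this example's own.

```javascript
// Added example (not JSC code): a JavaScript model of the ARMv7 immediate
// right-shift encoding and of the macro assembler before and after the fix.
// Values are treated as unsigned 32-bit integers.
//
// Hardware side (as described in the entry): the 5-bit immediate of LSR/ASR
// encodes a shift of 1..32, and an encoding of 0 means "shift by 32".
function executeLsr(value, imm5) {
  const amount = imm5 === 0 ? 32 : imm5;
  return amount === 32 ? 0 : (value >>> amount);
}

function executeAsr(value, imm5) {
  const amount = imm5 === 0 ? 32 : imm5;
  if (amount === 32) return (value & 0x80000000) ? 0xFFFFFFFF : 0; // all sign bits
  return ((value | 0) >> amount) >>> 0;
}

// Macro assembler before the fix: it assumed a 0..31 range (the same range
// JavaScript's own shift operators use) and passed the amount straight into
// the immediate field, so a shift of 0 silently became a shift of 32.
function urshift32Before(value, amount) { return executeLsr(value, amount); }
function rshift32Before(value, amount)  { return executeAsr(value, amount); }

// Macro assembler after the fix: a shift amount of 0 is emitted as a move;
// 1..31 are encoded unchanged. (Left shifts need no such case: their
// immediate already ranges over 0..31.)
function urshift32After(value, amount) {
  if (amount === 0) return value >>> 0;        // mov
  return executeLsr(value, amount);
}
function rshift32After(value, amount) {
  if (amount === 0) return value >>> 0;        // mov
  return executeAsr(value, amount);
}
```

With a shift amount of 0, urshift32Before(0x80000001, 0) yields 0 and rshift32Before(0x80000000, 0) yields 0xFFFFFFFF, which is what the skipped op_rshift.js and op_urshift.js tests were tripping over; the After variants return the operand unchanged, and every non-zero amount behaves identically in both.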
1250 2016-02-15  Filip Pizlo  <fpizlo@apple.com>
1251
1252         Parser::parseVariableDeclarationList should null check the node before attempting to create a new CommaExpr
1253         https://bugs.webkit.org/show_bug.cgi?id=154244
1254         rdar://problem/24290670
1255
1256         Reviewed by Michael Saboff.
1257
1258         * parser/ASTBuilder.h:
1259         (JSC::ASTBuilder::appendToCommaExpr): Catch the bug sooner in debug.
1260         * parser/Parser.cpp:
1261         (JSC::Parser<LexerType>::parseVariableDeclarationList): Fix the bug.
1262         * tests/stress/for-let-comma.js: Added. This used to crash in debug and release.
1263
1264 2016-02-15  Benjamin Poulain  <bpoulain@apple.com>
1265
1266         [JSC] Improve the interface of Inst::shouldTryAliasingDef()
1267         https://bugs.webkit.org/show_bug.cgi?id=154227
1268
1269         Reviewed by Andreas Kling.
1270
1271         Using Optional<> instead of a bool+reference looks cleaner
1272         at the call sites.
1273
1274         * b3/B3CheckSpecial.cpp:
1275         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
1276         * b3/B3CheckSpecial.h:
1277         * b3/air/AirCustom.h:
1278         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
1279         * b3/air/AirInst.h:
1280         * b3/air/AirInstInlines.h:
1281         (JSC::B3::Air::Inst::shouldTryAliasingDef):
1282         * b3/air/AirIteratedRegisterCoalescing.cpp:
1283         * b3/air/AirSpecial.cpp:
1284         (JSC::B3::Air::Special::shouldTryAliasingDef):
1285         * b3/air/AirSpecial.h:
1286
1287 2016-02-14  Brian Burg  <bburg@apple.com>
1288
1289         WKAutomationDelegate's requestAutomationSession should take a suggested session identifier
1290         https://bugs.webkit.org/show_bug.cgi?id=154012
1291         <rdar://problem/24557697>
1292
1293         Reviewed by Darin Adler.
1294
1295         Add a string parameter to the client method for requesting a new session.
1296
1297         * inspector/remote/RemoteInspector.h:
1298
1299 2016-02-13  Timothy Hatcher  <timothy@apple.com>
1300
1301         Fix WebAssembly bug URL in the feature list.
1302
1303         * features.json:
1304
1305 2016-02-12  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1306
1307         Change the last RefPtr::get() to release() in String.prototype.normalize
1308         https://bugs.webkit.org/show_bug.cgi?id=154211
1309
1310         Reviewed by Ryosuke Niwa.
1311
1312         Change the last RefPtr::get() to release() in String.prototype.normalize.
1313
1314         * runtime/StringPrototype.cpp:
1315         (JSC::normalize):
1316
1317 2016-02-12  Saam barati  <sbarati@apple.com>
1318
1319         [ES6] we have an incorrect syntax error when a callee of a function expression has the same name as a top-level lexical declaration
1320         https://bugs.webkit.org/show_bug.cgi?id=154143
1321
1322         Reviewed by Benjamin Poulain.
1323
1324         We were raising syntax errors on the following type of programs when
1325         we shouldn't have been.
1326         ```
1327         (function foo() { const foo = 20; });
1328         ```
1329
1330         * parser/Parser.cpp:
1331         (JSC::Parser<LexerType>::parseFunctionInfo):
1332         * parser/Parser.h:
1333         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
1334         (JSC::Scope::declareCallee):
1335         (JSC::Scope::declareVariable):
1336         (JSC::Scope::hasDeclaredVariable):
1337         (JSC::Scope::hasLexicallyDeclaredVariable):
1338         (JSC::Scope::hasDeclaredParameter):
1339         (JSC::Scope::declareWrite):
1340         (JSC::Scope::getCapturedVars):
1341
1342 2016-02-12  Benjamin Poulain  <bpoulain@apple.com>
1343
1344         [JSC] ZeroExtend and SignExtend use incorrect addressing on ARM64
1345         https://bugs.webkit.org/show_bug.cgi?id=154208
1346
1347         Reviewed by Filip Pizlo.
1348
1349         When lowering:
1350             @1 = Load32(@x)
1351             @2 = SExt8(@1)
1352
1353         LowerToAir would see there is a form of SignExtend8To32 (an alias for Load8S)
1354         and use that.
1355
1356         There are two problems with that:
1357         1) If we have an Addr, it went through legalizeMemoryOffsets() for a 32bits
1358            load. If used on another kind of load, there is no guarantee the addressing
1359            is still valid.
1360         2) If we have an Index, it is computed for the 32bits MemoryValue.
1361            The computed index is not valid for the 8bits load.
1362
1363         (2) could be fixed by changing LowerToAir to use the current instruction width
1364         instead of the B3ValueWidth but that's a bit tricky. We should just embrace
1365         that one of our targets is a Load-Store architecture.
1366
1367         In this patch, I just disabled the faulty forms on ARM64. We still need those operations
1368         to be fast, this will be addressed in: https://bugs.webkit.org/show_bug.cgi?id=154207
1369
1370         I also strengthened the m_allowScratchRegister assertion. The instructions that do not
1371         invalidate the temporary did not run the assertion, making this harder to debug.
1372
1373         * assembler/MacroAssemblerARM64.h:
1374         (JSC::MacroAssemblerARM64::load8):
1375         (JSC::MacroAssemblerARM64::store64):
1376         (JSC::MacroAssemblerARM64::store32):
1377         (JSC::MacroAssemblerARM64::loadDouble):
1378         (JSC::MacroAssemblerARM64::storeDouble):
1379         (JSC::MacroAssemblerARM64::branch32):
1380         (JSC::MacroAssemblerARM64::branch64):
1381         (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
1382         (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
1383         (JSC::MacroAssemblerARM64::dataMemoryTempRegister):
1384         (JSC::MacroAssemblerARM64::cachedMemoryTempRegister):
1385         (JSC::MacroAssemblerARM64::load):
1386         (JSC::MacroAssemblerARM64::store):
1387         * b3/air/AirOpcode.opcodes:
1388
1389 2016-02-12  Michael Saboff  <msaboff@apple.com>
1390
1391         offlineasm: Emit Dwarf2 file and location directives to allow for debugging .asm files
1392         https://bugs.webkit.org/show_bug.cgi?id=152703
1393
1394         Reviewed by Mark Lam.
1395
1396         Added support to output Dwarf2 .file and .loc assembler directives to provide the debugging
1397         information needed to correlate the offline assembler generated code with the source lines
1398         in the .asm files.
1399
1400         Changed the tracking of file data to include a file index that was provided to the .file
1401         directive.  That index is used when emitting the .loc directives.
1402
1403         * offlineasm/arm.rb:
1404         * offlineasm/arm64.rb:
1405         * offlineasm/asm.rb:
1406         * offlineasm/backends.rb:
1407         * offlineasm/config.rb:
1408         * offlineasm/parser.rb:
1409         * offlineasm/x86.rb:
1410
1411 2016-02-12  Saam barati  <sbarati@apple.com>
1412
1413         The parser doesn't properly protect against global variable references in builtins
1414         https://bugs.webkit.org/show_bug.cgi?id=154144
1415
1416         Reviewed by Geoffrey Garen.
1417
1418         This patch fixes our global variable reference detection
1419         algorithm that was broken. After fixing the algorithm, I
1420         detected many places where we were incorrectly using global
1421         variables. I've fixed all those.
1422
1423         * builtins/BuiltinExecutables.cpp:
1424         (JSC::createExecutableInternal):
1425         * builtins/NumberPrototype.js:
1426         (toLocaleString):
1427         * builtins/PromiseConstructor.js:
1428         (race):
1429         (reject):
1430         (resolve):
1431         * parser/Nodes.cpp:
1432         (JSC::ProgramNode::ProgramNode):
1433         (JSC::ModuleProgramNode::ModuleProgramNode):
1434         (JSC::ProgramNode::setClosedVariables): Deleted.
1435         * parser/Nodes.h:
1436         (JSC::ScopeNode::setClosedVariables): Deleted.
1437         (JSC::ProgramNode::closedVariables): Deleted.
1438         * parser/Parser.cpp:
1439         (JSC::Parser<LexerType>::parseInner):
1440         (JSC::Parser<LexerType>::didFinishParsing):
1441         * parser/Parser.h:
1442         (JSC::Scope::setIsLexicalScope):
1443         (JSC::Scope::isLexicalScope):
1444         (JSC::Scope::closedVariableCandidates):
1445         (JSC::Scope::declaredVariables):
1446         (JSC::Scope::lexicalVariables):
1447         (JSC::Scope::finalizeLexicalEnvironment):
1448         (JSC::Parser::positionBeforeLastNewline):
1449         (JSC::Parser::locationBeforeLastToken):
1450         (JSC::Parser::isFunctionMetadataNode):
1451         (JSC::parse):
1452         (JSC::Parser::closedVariables): Deleted.
1453
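Added example, not JavaScriptCore's own code and not part of the entry above: it models the hazard the parser change guards against. A builtin written in JavaScript must not resolve identifiers against the global object at call time, because page script can replace them; JSC's builtins use private @-names for intrinsics so the lookup is fixed at definition time. The closure-capture used here for the "safe" variant, the toy source audit, and all function names are illustrative and assume a Node.js-style host.

```javascript
'use strict';

// Added example, not JavaScriptCore code. The two "builtins" below differ only
// in when they resolve Array.isArray and Object.keys: at every call (naive) or
// once, at definition time (safe). Untrusted script can only hijack the former.

// Naive builtin: every call performs a fresh global lookup of Array.isArray
// and Object.keys, so a page that reassigns them controls what this does.
function countOwnKeysNaive(value) {
  if (!Array.isArray(value)) {
    return Object.keys(value).length;
  }
  return value.length;
}

// Hardened builtin: the intrinsics are bound in a closure when this module is
// evaluated, so later reassignment of the globals cannot redirect the calls.
const countOwnKeysSafe = (function captureIntrinsics() {
  const isArray = Array.isArray;
  const ownKeys = Object.keys;
  return function countOwnKeysSafe(value) {
    if (!isArray(value)) {
      return ownKeys(value).length;
    }
    return value.length;
  };
})();

// Toy audit in the spirit of the parser fix (not JSC's algorithm): list the
// identifiers in a function's source that are neither its parameters nor
// declared inside it, and that resolve on the global object. Member names
// after a '.' are skipped. Assumes the source contains no comments or strings.
const IGNORED_GLOBALS = new Set(['undefined', 'NaN', 'Infinity', 'globalThis']);

function freeGlobalReferences(fn) {
  const source = Function.prototype.toString.call(fn);
  const declared = new Set();
  const paramList = source.match(/^[^(]*\(([^)]*)\)/);
  if (paramList) {
    for (const p of paramList[1].split(',')) {
      if (p.trim()) declared.add(p.trim());
    }
  }
  for (const m of source.matchAll(/\b(?:const|let|var|function)\s+([A-Za-z_$][\w$]*)/g)) {
    declared.add(m[1]);
  }
  const found = [];
  for (const m of source.matchAll(/(?<!\.)\b[A-Za-z_$][\w$]*/g)) {
    const name = m[0];
    if (declared.has(name) || IGNORED_GLOBALS.has(name) || found.includes(name)) continue;
    if (name in globalThis) found.push(name);
  }
  return found;
}

// Untrusted script replaces a global the naive builtin depends on; the safe
// builtin keeps working, the naive one now returns undefined for plain objects.
function demonstrateHijack() {
  const target = { a: 1, b: 2 };
  const savedIsArray = Array.isArray;
  const before = [countOwnKeysNaive(target), countOwnKeysSafe(target)];
  Array.isArray = function () { return true; };
  try {
    const after = [countOwnKeysNaive(target), countOwnKeysSafe(target)];
    return { before, after };
  } finally {
    Array.isArray = savedIsArray;
  }
}
```

The audit reports `Array` and `Object` for the naive builtin and nothing for the hardened one; after the hijack only the hardened builtin still returns 2.
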
1454 2016-02-12  Filip Pizlo  <fpizlo@apple.com>
1455
1456         JSObject::putByIndexBeyondVectorLengthWithoutAttributes needs to go to the sparse map based on MAX_STORAGE_VECTOR_INDEX
1457         https://bugs.webkit.org/show_bug.cgi?id=154201
1458         rdar://problem/24291387
1459
1460         Reviewed by Saam Barati.
1461
1462         I decided against adding a test for this, because it runs for a very long time.
1463
1464         * runtime/JSObject.cpp:
1465         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): Fix the bug.
1466         * runtime/StringPrototype.cpp:
1467         (JSC::stringProtoFuncSplit): Fix a related bug: if this code creates an array that would have
1468             hit the above bug, then it would probably manifest as a spin or as swapping.
1469
1470 2016-02-12  Jonathan Davis  <jond@apple.com>
1471
1472         Add WebAssembly to the status page
1473         https://bugs.webkit.org/show_bug.cgi?id=154199
1474
1475         Reviewed by Timothy Hatcher.
1476
1477         * features.json:
1478
1479 2016-02-12  Brian Burg  <bburg@apple.com>
1480
1481         Web Inspector: disambiguate the various identifier and connection types in RemoteInspector
1482         https://bugs.webkit.org/show_bug.cgi?id=154130
1483
1484         Reviewed by Joseph Pecoraro.
1485
1486         There are multiple identifier types:
1487             - connection identifier, a string UUID for a remote debugger process.
1488             - session identifier, a string UUID for a remote driver/debugger instance.
1489             - page/target identifier, a number unique within a single process.
1490
1491         There are multiple connection types:
1492             - RemoteInspectorXPCConnection, a connection from RemoteInspectorXPCConnectionor to a relay.
1493             - RemoteConnectionToTarget, a class that bridges to targets' dispatch queues.
1494
1495         Use consistent variable and getter names so that these don't get confused and
1496         so that the code is easier to read. This is especially an improvement when working
1497         with multiple target types or connection types within the same function.
1498
1499         * inspector/remote/RemoteConnectionToTarget.h:
1500         * inspector/remote/RemoteConnectionToTarget.mm:
1501         Remove the member for m_identifier since we can ask the target for its target identifier
1502         or use a default value via WTF::Optional. There's no reason to cache the value.
1503
1504         (Inspector::RemoteTargetHandleRunSourceWithInfo):
1505         (Inspector::RemoteConnectionToTarget::targetIdentifier):
1506         (Inspector::RemoteConnectionToTarget::destination):
1507         (Inspector::RemoteConnectionToTarget::setup):
1508         (Inspector::RemoteConnectionToTarget::sendMessageToFrontend):
1509         Bail out if the target pointer was somehow cleared and we can't get a useful target identifier.
1510
1511         (Inspector::RemoteConnectionToTarget::RemoteConnectionToTarget): Deleted.
1512         * inspector/remote/RemoteControllableTarget.h:
1513         * inspector/remote/RemoteInspectionTarget.cpp:
1514         (Inspector::RemoteInspectionTarget::pauseWaitingForAutomaticInspection):
1515         (Inspector::RemoteInspectionTarget::unpauseForInitializedInspector):
1516         * inspector/remote/RemoteInspector.h:
1517         * inspector/remote/RemoteInspector.mm:
1518         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
1519         (Inspector::RemoteInspector::registerTarget):
1520         (Inspector::RemoteInspector::unregisterTarget):
1521         (Inspector::RemoteInspector::updateTarget):
1522         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
1523         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
1524         (Inspector::RemoteInspector::sendMessageToRemote):
1525         (Inspector::RemoteInspector::setupFailed):
1526         (Inspector::RemoteInspector::setupCompleted):
1527         (Inspector::RemoteInspector::stopInternal):
1528         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
1529         (Inspector::RemoteInspector::xpcConnectionFailed):
1530         (Inspector::RemoteInspector::listingForInspectionTarget):
1531         (Inspector::RemoteInspector::listingForAutomationTarget):
1532         (Inspector::RemoteInspector::pushListingsNow):
1533         (Inspector::RemoteInspector::pushListingsSoon):
1534         (Inspector::RemoteInspector::updateHasActiveDebugSession):
1535         (Inspector::RemoteInspector::receivedSetupMessage):
1536         (Inspector::RemoteInspector::receivedDataMessage):
1537         (Inspector::RemoteInspector::receivedDidCloseMessage):
1538         (Inspector::RemoteInspector::receivedIndicateMessage):
1539         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
1540         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
1541         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
1542         (Inspector::RemoteInspector::nextAvailableIdentifier): Deleted.
1543         * inspector/remote/RemoteInspectorConstants.h:
1544
1545 2016-02-12  Benjamin Poulain  <benjamin@webkit.org>
1546
1547         [JSC] On x86, improve the selection of which values are selected for the UseDef part of commutative operations
1548         https://bugs.webkit.org/show_bug.cgi?id=154151
1549
1550         Reviewed by Filip Pizlo.
1551
1552         Previously, when an instruction destroys an argument with
1553         a UseDef use, we would try to pick a good target for the UseDef
1554         while doing instruction selection.
1555
1556         For example:
1557             @x = Add(@1, @2)
1558
1559         can be lowered to:
1560             Move @1 Tmp3
1561             Add @2 Tmp3
1562         or
1563             Move @2 Tmp3
1564             Add @1 Tmp3
1565
1566         The choice of which value ends up copied is done by preferRightForResult()
1567         at lowering time.
1568
1569         There are two common problems with the code we generate:
1570         1) It is based on UseCount. If a value is at its last use,
1571            it is a good target for coalescing even with a use-count > 1.
1572         2) When both values are at their last use, the best choice
1573            depends on the register pressure of each. We don't have that information
1574            until we do register allocation.
1575
1576         This patch implements a simple idea to minimize how many of those Moves are needed.
1577         Each commutative operation gets a 3 op variant. The register allocator then attempts
1578         to alias *both* of them to the destination.
1579         Since our aliasing is conservative, it removes as many copies as possible without causing
1580         spilling.
1581
1582         There was an unexpected cool improvement too. If you have:
1583             Move Tmp1, Tmp2
1584             BranchAdd32 Tmp3, Tmp2
1585         we would previously restore Tmp2 by subtracting Tmp3 from the result.
1586         We can now just use Tmp1. That removes quite a few Sub from the slow paths.
1587
1588         The problem is that this simple idea uncovered a bunch of issues that had to be fixed too.
1589         I detail them inline below.
1590
1591         * assembler/MacroAssemblerARM64.h:
1592         (JSC::MacroAssemblerARM64::and64):
1593         * assembler/MacroAssemblerX86Common.h:
1594         Most additions are adding an Address version of the 3-operand opcodes.
1595         The reason for this is to allow the complex addressing forms of instructions
1596         when spilling.
1597
1598         (JSC::MacroAssemblerX86Common::and32):
1599         (JSC::MacroAssemblerX86Common::mul32):
1600         (JSC::MacroAssemblerX86Common::or32):
1601         (JSC::MacroAssemblerX86Common::xor32):
1602         (JSC::MacroAssemblerX86Common::moveDouble):
1603         This was an unexpected discovery: removing tons of Move32 made floating-point heavy
1604         code much slower.
1605
1606         It turns out the MoveDouble we were using has partial register dependencies.
1607
1608         The x86 optimization manual, Chapter 3, section 3.4.1.13 lists the move instructions executed
1609         directly on the frontend. That's what we use now.
1610
1611         (JSC::MacroAssemblerX86Common::addDouble):
1612         (JSC::MacroAssemblerX86Common::addFloat):
1613         (JSC::MacroAssemblerX86Common::mulDouble):
1614         (JSC::MacroAssemblerX86Common::mulFloat):
1615         (JSC::MacroAssemblerX86Common::andDouble):
1616         (JSC::MacroAssemblerX86Common::andFloat):
1617         (JSC::MacroAssemblerX86Common::xorDouble):
1618         (JSC::MacroAssemblerX86Common::xorFloat):
1619         If the destination is not aliased, the version taking an address
1620         uses LoadFloat/LoadDouble instead of direct addressing.
1621
1622         That is because this:
1623             Move Tmp1, Tmp2
1624             Op [Tmp3], Tmp2
1625         is slower than
1626             Move [Tmp3] Tmp2
1627             Op Tmp1, Tmp2
1628         (sometimes significantly).
1629
1630         I am not exactly sure why.
1631
1632         (JSC::MacroAssemblerX86Common::branchAdd32):
1633         * assembler/MacroAssemblerX86_64.h:
1634         (JSC::MacroAssemblerX86_64::and64):
1635         * assembler/MacroAssemblerARM64.h:
1636         (JSC::MacroAssemblerARM64::and64):
1637         * assembler/MacroAssemblerX86Common.h:
1638         (JSC::MacroAssemblerX86Common::and32):
1639         (JSC::MacroAssemblerX86Common::mul32):
1640         (JSC::MacroAssemblerX86Common::or32):
1641         (JSC::MacroAssemblerX86Common::xor32):
1642         (JSC::MacroAssemblerX86Common::moveDouble):
1643         (JSC::MacroAssemblerX86Common::addDouble):
1644         (JSC::MacroAssemblerX86Common::addFloat):
1645         (JSC::MacroAssemblerX86Common::mulDouble):
1646         (JSC::MacroAssemblerX86Common::mulFloat):
1647         (JSC::MacroAssemblerX86Common::andDouble):
1648         (JSC::MacroAssemblerX86Common::andFloat):
1649         (JSC::MacroAssemblerX86Common::xorDouble):
1650         (JSC::MacroAssemblerX86Common::xorFloat):
1651         (JSC::MacroAssemblerX86Common::branchAdd32):
1652         * assembler/MacroAssemblerX86_64.h:
1653         (JSC::MacroAssemblerX86_64::and64):
1654         (JSC::MacroAssemblerX86_64::mul64):
1655         (JSC::MacroAssemblerX86_64::xor64):
1656         (JSC::MacroAssemblerX86_64::branchAdd64):
1657         * assembler/X86Assembler.h:
1658         (JSC::X86Assembler::movapd_rr):
1659         (JSC::X86Assembler::movaps_rr):
1660         * b3/B3CheckSpecial.cpp:
1661         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
1662         (JSC::B3::CheckSpecial::generate):
1663         * b3/B3CheckSpecial.h:
1664         * b3/B3LowerToAir.cpp:
1665         (JSC::B3::Air::LowerToAir::lower):
1666         * b3/air/AirCustom.h:
1667         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
1668         * b3/air/AirInst.h:
1669         * b3/air/AirInstInlines.h:
1670         (JSC::B3::Air::Inst::shouldTryAliasingDef):
1671         * b3/air/AirIteratedRegisterCoalescing.cpp:
1672         Aliasing the operands is done the same way as any coalescing.
1673
1674         There were problems with considering all those coalescings
1675         as equivalent for the result.
1676
1677         Moves are mostly generated for Upsilon-Phis. Getting rid of
1678         those tends to give better loops.
1679
1680         Sometimes, blocks have only Phis and a Jump. Coalescing
1681         those moves gets rid of the block entirely.
1682
1683         Where it got interesting was that something like:
1684             Move Tmp1, Tmp2
1685             Op Tmp3, Tmp2
1686         was significantly better than:
1687             Op Tmp1, Tmp3
1688             Move Tmp1, Tmp4
1689         even in the same basic block.
1690
1691         To get back to the same performance, I had to prioritize
1692         regular Move operations over argument coalescing.
1693
1694         Another argument for doing this is that the alias has a shorter
1695         life in the hardware because the operation itself gets a new
1696         virtual register from the bank.
1697
1698         * b3/air/AirOpcode.opcodes:
1699         * b3/air/AirSpecial.cpp:
1700         (JSC::B3::Air::Special::shouldTryAliasingDef):
1701         * b3/air/AirSpecial.h:
1702         * b3/testb3.cpp:
1703         (JSC::B3::testCheckAddArgumentAliasing64):
1704         (JSC::B3::testCheckAddArgumentAliasing32):
1705         (JSC::B3::testCheckAddSelfOverflow64):
1706         (JSC::B3::testCheckAddSelfOverflow32):
1707         (JSC::B3::testCheckMulArgumentAliasing64):
1708         (JSC::B3::testCheckMulArgumentAliasing32):
1709         (JSC::B3::run):
1710
1711         * dfg/DFGOSRExitCompilerCommon.cpp:
1712         (JSC::DFG::reifyInlinedCallFrames):
1713         * jit/AssemblyHelpers.h:
1714         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1715         This ruined my week.
1716
1717         When regenerating the frame of an inlined function that
1718         was called through a tail call, we were ignoring r13 for some reason.
1719
1720         Since this patch makes it more likely to increase the degree
1721         of each Tmp, the number of registers used increased and r13 was more
1722         commonly used.
1723
1724         When getting out of OSRExit, we would have that value trashed :(
1725
1726         The fix is simply to restore it like the other two Baseline callee-saved
1727         registers.
1728
1729 2016-02-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1730
1731         [ES6] Implement @@search
1732         https://bugs.webkit.org/show_bug.cgi?id=143889
1733
1734         Reviewed by Darin Adler.
1735
1736         Implement RegExp.prototype[@@search].
1737         In ES6, String.prototype.search delegates the actual matching to it
1738         instead of executing RegExp matching inside String.prototype.search method itself.
1739         By customizing @@search method, we can change the behavior of String.prototype.search for
1740         derived / customized RegExp object.
1741
1742         * CMakeLists.txt:
1743         * DerivedSources.make:
1744         * builtins/BuiltinNames.h:
1745         (JSC::BuiltinNames::BuiltinNames): Deleted.
1746         * builtins/BuiltinUtils.h:
1747         * builtins/StringPrototype.js:
1748         (search):
1749         * bytecode/BytecodeIntrinsicRegistry.cpp:
1750         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1751         * bytecode/BytecodeIntrinsicRegistry.h:
1752         * runtime/CommonIdentifiers.h:
1753         * runtime/JSGlobalObject.cpp:
1754         (JSC::JSGlobalObject::init):
1755         * runtime/RegExpPrototype.cpp:
1756         (JSC::RegExpPrototype::finishCreation):
1757         (JSC::regExpProtoFuncSearch):
1758         * runtime/RegExpPrototype.h:
1759         (JSC::RegExpPrototype::create):
1760         * runtime/StringPrototype.cpp:
1761         (JSC::StringPrototype::getOwnPropertySlot):
1762         (JSC::StringPrototype::finishCreation): Deleted.
1763         (JSC::stringProtoFuncSearch): Deleted.
1764         * runtime/StringPrototype.h:
1765         * tests/es6.yaml:
1766         * tests/stress/regexp-search.js: Added.
1767         (shouldBe):
1768         (shouldThrow):
1769         (errorKey.toString):
1770         (primitive.of.primitives.shouldThrow):
1771         (testRegExpSearch):
1772         (testSearch):
1773         (testBoth):
1774         (alwaysUnmatch):
1775
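Added example, not JavaScriptCore's own code and not part of the entry above: it exercises the delegation the entry describes. String.prototype.search(x) looks up x[Symbol.search] and calls it, so a RegExp subclass, or any object carrying that method, decides what "search" means. It also shows the lastIndex bookkeeping the built-in RegExp.prototype[Symbol.search] performs. The LoggingRegExp class, the searcher objects and the helper names are illustrative and assume a Node.js-style host.

```javascript
'use strict';

// Added example, not JavaScriptCore code: String.prototype.search delegating
// to Symbol.search, as specified by ES6.

// A RegExp subclass that records every string it is asked to search before
// deferring to the built-in behaviour.
class LoggingRegExp extends RegExp {
  constructor(pattern, flags) {
    super(pattern, flags);
    this.searched = [];
  }
  [Symbol.search](string) {
    this.searched.push(string);
    return super[Symbol.search](string);
  }
}

// Not RegExps at all, but String.prototype.search still honours their
// Symbol.search method and returns whatever it returns, uncoerced.
const neverMatches = { [Symbol.search]() { return -1; } };
const fixedAnswer = { [Symbol.search]() { return 42; } };

function searchWithLogging(text, pattern, flags) {
  const re = new LoggingRegExp(pattern, flags);
  const index = text.search(re);
  return { index, searched: re.searched };
}

// The built-in Symbol.search resets lastIndex to 0 for the match and then
// restores the caller's value, so a global regexp's position is unaffected.
function searchPreservesLastIndex(text, re, lastIndexBefore) {
  re.lastIndex = lastIndexBefore;
  const index = text.search(re);
  return { index, lastIndexAfter: re.lastIndex };
}

function searchWithCustomSearcher(text, searcher) {
  return text.search(searcher);
}
```

With a customized Symbol.search the string method never runs the engine's own matcher; that is the hook the entry's `alwaysUnmatch` test case exercises.
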
1776 2016-02-12  Keith Miller  <keith_miller@apple.com>
1777
1778         AdaptiveInferredPropertyValueWatchpoint can trigger a GC that frees its CodeBlock and thus itself
1779         https://bugs.webkit.org/show_bug.cgi?id=154146
1780
1781         Reviewed by Filip Pizlo.
1782
1783         Consider the following: there is some CodeBlock, C, that is watching some object, O, with a
1784         structure, S, for replacements. Also, suppose that C has no references anymore and is due to
1785         be GCed. Now, when some new property is added to O, S will create a new structure S' and
1786         fire its transition watchpoints. Since C is watching S for replacements it will attempt to
1787         have its AdaptiveInferredPropertyValueWatchpoint relocate itself to S'. To do so, it needs
1788         to allocate RareData on S'. This allocation may cause a GC, which frees C while still
1789         executing its watchpoint handler. The solution to this is to defer GC while running
1790         AdaptiveInferredPropertyValueWatchpointBase handlers.
1791
1792         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
1793         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
1794
1795 2016-02-12  Gavin Barraclough  <barraclough@apple.com>
1796
1797         Separate out !allowsAccess path in JSDOMWindowCustom getOwnPropertySlot
1798         https://bugs.webkit.org/show_bug.cgi?id=154156
1799
1800         Reviewed by Chris Dumez.
1801
1802         * runtime/CommonIdentifiers.h:
1803             - added new property names, needed by jsDOMWindowGetOwnPropertySlotDisallowAccess.
1804
1805 2016-02-12  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1806
1807         Update ICU header files to version 52
1808         https://bugs.webkit.org/show_bug.cgi?id=154160
1809
1810         Reviewed by Alex Christensen.
1811
1812         Update ICU header files to version 52 to allow the use of newer APIs.
1813
1814         * icu/unicode/localpointer.h:
1815         * icu/unicode/platform.h:
1816         * icu/unicode/ptypes.h:
1817         * icu/unicode/putil.h:
1818         * icu/unicode/ucal.h:
1819         * icu/unicode/uchar.h:
1820         * icu/unicode/ucnv.h:
1821         * icu/unicode/ucol.h:
1822         * icu/unicode/uconfig.h:
1823         * icu/unicode/udat.h:
1824         * icu/unicode/udatpg.h:
1825         * icu/unicode/udisplaycontext.h: Added.
1826         * icu/unicode/uenum.h:
1827         * icu/unicode/uformattable.h: Added.
1828         * icu/unicode/uiter.h:
1829         * icu/unicode/uloc.h:
1830         * icu/unicode/umachine.h:
1831         * icu/unicode/unorm2.h:
1832         * icu/unicode/unum.h:
1833         * icu/unicode/urename.h:
1834         * icu/unicode/uscript.h:
1835         * icu/unicode/uset.h:
1836         * icu/unicode/ustring.h:
1837         * icu/unicode/utf.h:
1838         * icu/unicode/utf16.h:
1839         * icu/unicode/utf8.h:
1840         * icu/unicode/utf_old.h:
1841         * icu/unicode/utypes.h:
1842         * icu/unicode/uvernum.h:
1843         * icu/unicode/uversion.h:
1844
1845 2016-02-12  Filip Pizlo  <fpizlo@apple.com>
1846
1847         Fast path in JSObject::defineOwnIndexedProperty() forgets to check for the possibility of a descriptor that doesn't have a value
1848         https://bugs.webkit.org/show_bug.cgi?id=154175
1849         rdar://problem/24291497
1850
1851         Reviewed by Geoffrey Garen.
1852
1853         * runtime/JSObject.cpp:
1854         (JSC::JSObject::defineOwnIndexedProperty): Fix the bug.
1855         * runtime/SparseArrayValueMap.cpp:
1856         (JSC::SparseArrayValueMap::putEntry): Catch the bug sooner in debug.
1857         (JSC::SparseArrayValueMap::putDirect):
1858         * tests/stress/sparse-define-empty-descriptor.js: Added. This used to crash in release.
1859
1860 2016-02-11  Brian Burg  <bburg@apple.com>
1861
1862         Web Inspector: RemoteInspector's listings should include whether an AutomationTarget is paired
1863         https://bugs.webkit.org/show_bug.cgi?id=154077
1864         <rdar://problem/24589133>
1865
1866         Reviewed by Joseph Pecoraro.
1867
1868         Instead of not generating a listing for the target when it is occupied,
1869         generate the listing with a 'paired' flag. The old flag was redundant
1870         because a _WKAutomationDelegate will not create a session if it doesn't
1871         support automation or it already has an active session.
1872
1873         * inspector/remote/RemoteAutomationTarget.cpp:
1874         (Inspector::RemoteAutomationTarget::setIsPaired):
1875         (Inspector::RemoteAutomationTarget::setAutomationAllowed): Deleted.
1876         * inspector/remote/RemoteAutomationTarget.h:
1877         Return false for remoteControlAllowed() if the target is already paired.
1878         This function is used by RemoteInspector to deny incoming connections.
1879
1880         * inspector/remote/RemoteInspector.mm:
1881         (Inspector::RemoteInspector::listingForAutomationTarget):
1882         * inspector/remote/RemoteInspectorConstants.h:
1883
1884 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
1885
1886         DFG::ByteCodeParser needs to null check the result of presenceLike()
1887         https://bugs.webkit.org/show_bug.cgi?id=154135
1888         rdar://problem/24291586
1889
1890         Reviewed by Geoffrey Garen.
1891
1892         ByteCodeParser::presenceLike() could return a null object property condition if it detects a
1893         contradiction. That could happen due to bogus profiling. It's totally OK - we just need to
1894         bail from using a property condition when that happens.
1895
1896         * bytecode/ObjectPropertyCondition.h:
1897         (JSC::ObjectPropertyCondition::equivalence):
1898         (JSC::ObjectPropertyCondition::operator bool):
1899         (JSC::ObjectPropertyCondition::object):
1900         (JSC::ObjectPropertyCondition::condition):
1901         (JSC::ObjectPropertyCondition::operator!): Deleted.
1902         * bytecode/PropertyCondition.h:
1903         (JSC::PropertyCondition::equivalence):
1904         (JSC::PropertyCondition::operator bool):
1905         (JSC::PropertyCondition::kind):
1906         (JSC::PropertyCondition::uid):
1907         (JSC::PropertyCondition::operator!): Deleted.
1908         * dfg/DFGByteCodeParser.cpp:
1909         (JSC::DFG::ByteCodeParser::check):
1910         (JSC::DFG::ByteCodeParser::load):
1911
1912 2016-02-11  Benjamin Poulain  <benjamin@webkit.org>
1913
1914         [JSC] SqrtFloat and CeilFloat also suffer from partial register stalls
1915         https://bugs.webkit.org/show_bug.cgi?id=154131
1916
1917         Reviewed by Filip Pizlo.
1918
1919         Looks like I forgot to update this when adding Float support.
1920         Credit to Filip for finding this issue.
1921
1922         * b3/air/AirFixPartialRegisterStalls.cpp:
1923
1924 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
1925
1926         Cannot call initializeIndex() if we didn't create the array using tryCreateUninitialized()
1927         https://bugs.webkit.org/show_bug.cgi?id=154126
1928
1929         Reviewed by Saam Barati.
1930
1931         * runtime/ArrayPrototype.cpp:
1932         (JSC::arrayProtoFuncSplice):
1933
1934 2016-02-11  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1935
1936         [INTL] Implement Intl.NumberFormat.prototype.resolvedOptions ()
1937         https://bugs.webkit.org/show_bug.cgi?id=147602
1938
1939         Reviewed by Darin Adler.
1940
1941         This patch implements Intl.NumberFormat.prototype.resolvedOptions() according
1942         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
1943
1944         * runtime/IntlDateTimeFormat.cpp:
1945         (JSC::localeData):
1946         * runtime/IntlNumberFormat.cpp:
1947         (JSC::localeData):
1948         (JSC::computeCurrencySortKey):
1949         (JSC::extractCurrencySortKey):
1950         (JSC::computeCurrencyDigits):
1951         (JSC::IntlNumberFormat::initializeNumberFormat):
1952         (JSC::IntlNumberFormat::styleString):
1953         (JSC::IntlNumberFormat::currencyDisplayString):
1954         (JSC::IntlNumberFormat::resolvedOptions):
1955         (JSC::IntlNumberFormat::setBoundFormat):
1956         * runtime/IntlNumberFormat.h:
1957         * runtime/IntlNumberFormatConstructor.cpp:
1958         (JSC::constructIntlNumberFormat):
1959         (JSC::callIntlNumberFormat):
1960         * runtime/IntlNumberFormatPrototype.cpp:
1961         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1962         * runtime/IntlObject.cpp:
1963         (JSC::intlNumberOption):
1964         (JSC::numberingSystemsForLocale):
1965         (JSC::getNumberingSystemsForLocale): Deleted.
1966         * runtime/IntlObject.h:
1967
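Added example, not JavaScriptCore's own code and not part of the entry above: it shows what Intl.NumberFormat.prototype.resolvedOptions() reports after option processing, including the currency-digit defaulting the entry's computeCurrencyDigits is about. It assumes a Node.js-style host with ICU locale data; the helper names are illustrative.

```javascript
'use strict';

// Added example, not JavaScriptCore code. resolvedOptions() exposes what the
// constructor actually settled on: the negotiated locale (including a
// honoured "nu" numbering-system extension), the upper-cased currency code,
// and fraction digits that default from the currency's minor unit (EUR has 2,
// JPY has 0) rather than from the decimal defaults of 0 and 3.

function resolvedSummary(locale, options) {
  const resolved = new Intl.NumberFormat(locale, options).resolvedOptions();
  return {
    locale: resolved.locale,
    numberingSystem: resolved.numberingSystem,
    style: resolved.style,
    currency: resolved.currency, // undefined unless style is 'currency'
    currencyDisplay: resolved.currencyDisplay,
    minimumFractionDigits: resolved.minimumFractionDigits,
    maximumFractionDigits: resolved.maximumFractionDigits,
  };
}

// The resolved digit counts drive rounding: the same value formats to two
// decimals as EUR and to a whole number as JPY.
function formatCurrency(locale, currency, value) {
  return new Intl.NumberFormat(locale, { style: 'currency', currency }).format(value);
}
```
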
1968 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
1969
1970         MacroAssemblerX86 should be happy with shift(cx, cx)
1971         https://bugs.webkit.org/show_bug.cgi?id=154124
1972
1973         Reviewed by Saam Barati.
1974
1975         Prior to this change the assembler asserted that shift_amount and dest cannot be the same.
1976         That's a good assertion for when shift_amount is not in cx. But if it's in cx already then
1977         it's OK for them to be the same. Air will sometimes do shift(cx, cx) if you do "x << x" and
1978         the coalescing got particularly clever.
1979
1980         * assembler/MacroAssemblerX86Common.h:
1981         (JSC::MacroAssemblerX86Common::lshift32):
1982         (JSC::MacroAssemblerX86Common::rshift32):
1983         (JSC::MacroAssemblerX86Common::urshift32):
1984         * assembler/MacroAssemblerX86_64.h:
1985         (JSC::MacroAssemblerX86_64::lshift64):
1986         (JSC::MacroAssemblerX86_64::rshift64):
1987         (JSC::MacroAssemblerX86_64::urshift64):
1988         * b3/testb3.cpp:
1989         (JSC::B3::testLShiftSelf32):
1990         (JSC::B3::testRShiftSelf32):
1991         (JSC::B3::testURShiftSelf32):
1992         (JSC::B3::testLShiftSelf64):
1993         (JSC::B3::testRShiftSelf64):
1994         (JSC::B3::testURShiftSelf64):
1995         (JSC::B3::run):
1996
1997 2016-02-11  Saam barati  <sbarati@apple.com>
1998
1999         The sampling profiler's stack walker methods should be marked with SUPPRESS_ASAN
2000         https://bugs.webkit.org/show_bug.cgi?id=154123
2001
2002         Reviewed by Mark Lam.
2003
2004         The entire premise of the sampling profiler is to load from
2005         another thread's memory. We should SUPPRESS_ASAN on the
2006         methods that do this.
2007
2008         * runtime/SamplingProfiler.cpp:
2009         (JSC::FrameWalker::FrameWalker):
2010         (JSC::FrameWalker::walk):
2011         (JSC::FrameWalker::advanceToParentFrame):
2012         (JSC::FrameWalker::isAtTop):
2013         (JSC::FrameWalker::resetAtMachineFrame):
2014
2015 2016-02-11  Csaba Osztrogonác  <ossy@webkit.org>
2016
2017         Unreviewed typo fix after r190063.
2018
2019         * dfg/DFGSpeculativeJIT.cpp: Removed property svn:executable.
2020         * dfg/DFGSpeculativeJIT.h: Removed property svn:executable.
2021         * jit/JIT.h: Removed property svn:executable.
2022         * jit/JITInlines.h: Removed property svn:executable.
2023         * jit/JITOpcodes.cpp: Removed property svn:executable.
2024
2035 2016-02-10  Keith Miller  <keith_miller@apple.com>
2036
2037         Symbol.species accessors on builtin constructors should be configurable
2038         https://bugs.webkit.org/show_bug.cgi?id=154097
2039
2040         Reviewed by Benjamin Poulain.
2041
2042         We did not have the Symbol.species accessors on our builtin constructors
2043         marked as configurable. This does not accurately follow the ES6 spec as
2044         the ES6 spec states that all default accessors on builtins should be
2045         configurable. This means that we need an additional watchpoint on
2046         ArrayConstructor to make sure that no user re-configures Symbol.species.
2047
2048         * runtime/ArrayConstructor.cpp:
2049         (JSC::ArrayConstructor::finishCreation):
2050         * runtime/ArrayPrototype.cpp:
2051         (JSC::speciesConstructArray):
2052         (JSC::ArrayPrototype::setConstructor):
2053         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2054         * runtime/ArrayPrototype.h:
2055         (JSC::ArrayPrototype::didChangeConstructorOrSpeciesProperties):
2056         (JSC::ArrayPrototype::didChangeConstructorProperty): Deleted.
2057         * runtime/JSArrayBufferConstructor.cpp:
2058         (JSC::JSArrayBufferConstructor::finishCreation):
2059         * runtime/JSPromiseConstructor.cpp:
2060         (JSC::JSPromiseConstructor::finishCreation):
2061         * runtime/JSTypedArrayViewConstructor.cpp:
2062         (JSC::JSTypedArrayViewConstructor::finishCreation):
2063         * runtime/MapConstructor.cpp:
2064         (JSC::MapConstructor::finishCreation):
2065         * runtime/RegExpConstructor.cpp:
2066         (JSC::RegExpConstructor::finishCreation):
2067         * runtime/SetConstructor.cpp:
2068         (JSC::SetConstructor::finishCreation):
2069         * tests/stress/array-species-config-array-constructor.js: Added.
2070         (A):
2071         * tests/stress/symbol-species.js:
2072         (testSymbolSpeciesOnConstructor):
2073
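The configurability requirement and the reason for the ArrayConstructor watchpoint, as an added JavaScript example that is not part of the WebKit patch (Tagged, nonConfigurableSpecies and mapUsesRedefinedSpecies are made-up names; the constructor list is the one this entry touches):

```javascript
// Added example, not code from the WebKit patch. Checks the ES6 requirement
// that Symbol.species on builtin constructors is a configurable accessor, and
// shows why an engine must watch the property: redefining it changes what
// Array.prototype.map constructs.

// %TypedArray% (JSTypedArrayViewConstructor) is only reachable through a
// concrete view constructor's prototype chain.
const TypedArray = Object.getPrototypeOf(Int8Array);
const BUILTIN_CONSTRUCTORS = [Array, ArrayBuffer, Promise, TypedArray, Map, Set, RegExp];

// Returns the names of constructors whose Symbol.species is missing, is not
// an accessor, or is not configurable. An empty array means every builtin
// conforms to the spec requirement the entry describes.
function nonConfigurableSpecies(constructors = BUILTIN_CONSTRUCTORS) {
  const bad = [];
  for (const ctor of constructors) {
    const desc = Object.getOwnPropertyDescriptor(ctor, Symbol.species);
    if (!desc || typeof desc.get !== 'function' || !desc.configurable)
      bad.push(ctor.name);
  }
  return bad;
}

// Demonstrates the watchpoint rationale: once Array[Symbol.species] has been
// reconfigured, map() on a plain array no longer yields a plain Array, so any
// fast path that assumed "map on an Array produces an Array" is invalid.
function mapUsesRedefinedSpecies() {
  class Tagged extends Array {}
  const original = Object.getOwnPropertyDescriptor(Array, Symbol.species);
  Object.defineProperty(Array, Symbol.species, {
    get() { return Tagged; },
    configurable: true,
  });
  try {
    const mapped = [1, 2, 3].map((x) => x * 2);
    return {
      isTagged: mapped instanceof Tagged,
      values: Array.from(mapped),
    };
  } finally {
    // Restore the builtin accessor so the rest of the process is unaffected.
    Object.defineProperty(Array, Symbol.species, original);
  }
}
```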
2074 2016-02-10  Benjamin Poulain  <benjamin@webkit.org>
2075
2076         [JSC] The destination of Sqrt should be Def, not UseDef
2077         https://bugs.webkit.org/show_bug.cgi?id=154086
2078
2079         Reviewed by Geoffrey Garen.
2080
2081         An unfortunate copy-paste: the destination of SqrtDouble and SqrtFloat
2082         was defined as UseDef. As a result, the argument would be interfering
2083         with everything defined prior.
2084
2085         * b3/air/AirOpcode.opcodes:
2086
2087 2016-02-10  Chris Dumez  <cdumez@apple.com>
2088
2089         [Web IDL] interface objects should be Function objects
2090         https://bugs.webkit.org/show_bug.cgi?id=154038
2091         <rdar://problem/24569358>
2092
2093         Reviewed by Geoffrey Garen.
2094
2095         Update functionProtoFuncToString() to handle JSObjects that
2096         have the TypeOfShouldCallGetCallData flag and are callable,
2097         as these behave like functions and use ClassInfo::className()
2098         as function name in this case.
2099
2100         * runtime/FunctionPrototype.cpp:
2101         (JSC::functionProtoFuncToString):
2102
2103 2016-02-10  Chris Dumez  <cdumez@apple.com>
2104
2105         Attributes on the Window instance should be configurable unless [Unforgeable]
2106         https://bugs.webkit.org/show_bug.cgi?id=153920
2107         <rdar://problem/24563211>
2108
2109         Reviewed by Darin Adler.
2110
2111         Marking the Window instance attributes as configurable would cause
2112         getOwnPropertyDescriptor() to report them as configurable, as
2113         expected. However, trying to delete them would actually lead to
2114         unexpected behavior because:
2115         - We did not reify custom accessor properties (most of the Window
2116           properties are custom accessors) upon deletion.
2117         - For non-reified static properties marked as configurable,
2118           JSObject::deleteProperty() would attempt to call the property
2119           setter with undefined. As a result, calling delete window.name
2120           would cause window.name to become the string "undefined" instead
2121           of the undefined value.
2122
2123         * runtime/JSObject.cpp:
2124         (JSC::getClassPropertyNames):
2125         Now that we reify ALL properties, we only need to check the property table
2126         if we have not reified. As a result, I dropped the 'didReify' parameter for
2127         this function and instead only call this function if we have not yet reified.
2128
2129         (JSC::JSObject::putInlineSlow):
2130         Only call putEntry() if we have not reified: Drop the
2131         '|| !(entry->attributes() & BuiltinOrFunctionOrAccessor)'
2132         check as such properties now get reified as well.
2133
2134         (JSC::JSObject::deleteProperty):
2135         - Call reifyAllStaticProperties() instead of reifyStaticFunctionsForDelete()
2136           so that we now reify all properties upon deletion, including the custom
2137           accessors. reifyStaticFunctionsForDelete() is now removed and the same
2138           reification function is now used by: deletion, getOwnPropertyDescriptor()
2139           and eager reification of the prototype objects in the bindings.
2140         - Drop code that falls back to calling the static property setter with
2141           undefined if we cannot find the property in the property storage. As
2142           we now reify ALL properties, the code removing the property from the
2143           property storage should succeed, provided that the property actually
2144           exists.
2145
2146         (JSC::JSObject::getOwnNonIndexPropertyNames):
2147         Only call getClassPropertyNames() if we have not reified. We should no longer
2148         check the static property table after reifying now that we reify all
2149         properties.
2150
2151         (JSC::JSObject::reifyAllStaticProperties):
2152         Merge with reifyStaticFunctionsForDelete(). The only behavior change is the
2153         flattening to an uncacheable dictionary, like reifyStaticFunctionsForDelete()
2154         used to do.
2155
2156         * runtime/JSObject.h:
2157
2158 2016-02-10  Commit Queue  <commit-queue@webkit.org>
2159
2160         Unreviewed, rolling out r196251.
2161         https://bugs.webkit.org/show_bug.cgi?id=154078
2162
2163         Large regression on Dromaeo needs explanation (Requested by
2164         kling on #webkit).
2165
2166         Reverted changeset:
2167
2168         "Visiting a WeakBlock should report bytes visited, since we
2169         reported them allocated."
2170         https://bugs.webkit.org/show_bug.cgi?id=153978
2171         http://trac.webkit.org/changeset/196251
2172
2173 2016-02-10  Csaba Osztrogonác  <ossy@webkit.org>
2174
2175         REGRESSION(r196331): It made ~180 JSC tests crash on ARMv7 Linux
2176         https://bugs.webkit.org/show_bug.cgi?id=154064
2177
2178         Reviewed by Mark Lam.
2179
2180         * bytecode/PolymorphicAccess.cpp:
2181         (JSC::AccessCase::generate): Added EABI_32BIT_DUMMY_ARG where it is necessary.
2182         * dfg/DFGSpeculativeJIT.h: Fixed the comment.
2183         * jit/CCallHelpers.h:
2184         (JSC::CCallHelpers::setupArgumentsWithExecState): Added.
2185         * wasm/WASMFunctionCompiler.h: Fixed the comment.
2186
2187 2016-02-09  Keith Miller  <keith_miller@apple.com>
2188
2189         calling methods off super in a class constructor should check for TDZ
2190         https://bugs.webkit.org/show_bug.cgi?id=154060
2191
2192         Reviewed by Ryosuke Niwa.
2193
2194         In a class constructor we need to check for TDZ when calling a method
2195         off the super class. This is because, for super method calls, we use
2196         the derived class's newly constructed object as the super method's
2197         this value.
2198
2199         * bytecompiler/NodesCodegen.cpp:
2200         (JSC::FunctionCallDotNode::emitBytecode):
2201         * tests/stress/super-method-calls-check-tdz.js: Added.
2202         (Base):
2203         (Derived):
2204         (test):
2205
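The TDZ rule described above, as an added example that is not part of the patch or its test (Base, Derived and constructDerived are made-up names):

```javascript
// Added example, not code from the WebKit patch. In a derived-class
// constructor `this` is in the temporal dead zone until super() returns. A
// method call on `super` uses that not-yet-created `this` as its receiver, so
// it must be rejected with a ReferenceError instead of reading an
// uninitialized value.

class Base {
  who() { return this.constructor.name; }
}

class Derived extends Base {
  constructor(callSuperMethodFirst) {
    if (callSuperMethodFirst)
      super.who();          // receiver is `this`, which is still in TDZ
    super();
    this.seenAfterSuper = super.who(); // fine: `this` now exists
  }
}

// Constructs Derived and reports which error class (if any) was thrown and
// what the post-super() call observed.
function constructDerived(callSuperMethodFirst) {
  try {
    const d = new Derived(callSuperMethodFirst);
    return { error: null, seen: d.seenAfterSuper };
  } catch (e) {
    return { error: e.constructor.name, seen: undefined };
  }
}
```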
2206 2016-02-09  Filip Pizlo  <fpizlo@apple.com>
2207
2208         Don't crash if we fail to parse a builtin
2209         https://bugs.webkit.org/show_bug.cgi?id=154047
2210         rdar://problem/24300617
2211
2212         Reviewed by Mark Lam.
2213
2214         Crashing probably seemed like a good idea at the time, but we could get here in case of a
2215         near stack overflow, so that the parser bails because of recursion.
2216
2217         * parser/Parser.h:
2218         (JSC::parse):
2219
2220 2016-02-07  Gavin Barraclough  <barraclough@apple.com>
2221
2222         GetValueFunc/PutValueFunc should not take both slotBase and thisValue
2223         https://bugs.webkit.org/show_bug.cgi?id=154009
2224
2225         Reviewed by Geoff Garen.
2226
2227         In JavaScript there are two types of properties - regular value properties, and accessor properties.
2228         One difference between these is how they are reflected by getOwnPropertyDescriptor, and another is
2229         what object they operate on in the case of a prototype access. If you access a value property of a
2230         prototype object it returns a value pertinent to the prototype, but in the case of a prototype object
2231         returning an accessor, then the accessor function is applied to the base object of the access.
2232
2233         JSC supports special 'custom' properties implemented as a c++ callback, and these custom properties
2234         can be used to implement either value- or accessor-like behavior. getOwnPropertyDescriptor behavior
2235         is selected via the CustomAccessor attribute. Value- or accessor-like object selection is currently
2236         supported by passing both the slotBase and the thisValue to the callback, and hoping it uses the
2237         right one. This is probably inefficient, bug-prone, and leads to crazy like JSBoundSlotBaseFunction.
2238
2239         Instead, just pass one thisValue to the callback functions, consistent with CustomAccessor.
2240
2241         * API/JSCallbackObject.h:
2242         * API/JSCallbackObjectFunctions.h:
2243         (JSC::JSCallbackObject<Parent>::getStaticValue):
2244         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2245         (JSC::JSCallbackObject<Parent>::callbackGetter):
2246             - Merged slotBase & thisValue to custom property callbacks.
2247         * bytecode/PolymorphicAccess.cpp:
2248         (JSC::AccessCase::generate):
2249             - Modified the call being JIT generated - GetValueFunc/PutValueFunc now only take 3,
2250               rather than 4 arguments. Selects which one to keep/drop based on access type.
2251         (WTF::printInternal):
2252         * bytecode/PolymorphicAccess.h:
2253         (JSC::AccessCase::isGet):
2254         (JSC::AccessCase::isPut):
2255         (JSC::AccessCase::isIn):
2256         (JSC::AccessCase::doesCalls):
2257         (JSC::AccessCase::isGetter):
2258         * bytecode/PutByIdStatus.cpp:
2259         (JSC::PutByIdStatus::computeForStubInfo):
2260         * jit/Repatch.cpp:
2261         (JSC::tryCacheGetByID):
2262         (JSC::tryCachePutByID):
2263             - Split the CustomGetter/Setter access types into Value/Accessor variants.
2264         * jsc.cpp:
2265         (WTF::CustomGetter::getOwnPropertySlot):
2266         (WTF::CustomGetter::customGetter):
2267         (WTF::RuntimeArray::RuntimeArray):
2268         (WTF::RuntimeArray::lengthGetter):
2269             - Merged slotBase & thisValue to custom property callbacks.
2270         * runtime/CustomGetterSetter.cpp:
2271         (JSC::callCustomSetter):
2272             - Pass 3 arguments when calling PutValueFunc.
2273         * runtime/CustomGetterSetter.h:
2274         * runtime/JSBoundSlotBaseFunction.cpp:
2275         (JSC::boundSlotBaseFunctionCall):
2276         (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction):
2277         * runtime/JSCJSValue.cpp:
2278         (JSC::JSValue::putToPrimitive):
2279             - callCustomSetter currently takes a flag to distinguish value/accessor calls.
2280         * runtime/JSFunction.cpp:
2281         (JSC::retrieveArguments):
2282         (JSC::JSFunction::argumentsGetter):
2283         (JSC::retrieveCallerFunction):
2284         (JSC::JSFunction::callerGetter):
2285         (JSC::JSFunction::lengthGetter):
2286         (JSC::JSFunction::nameGetter):
2287         * runtime/JSFunction.h:
2288         * runtime/JSModuleNamespaceObject.cpp:
2289         (JSC::JSModuleNamespaceObject::visitChildren):
2290         (JSC::callbackGetter):
2291             - Merged slotBase & thisValue to custom property callbacks.
2292         * runtime/JSObject.cpp:
2293         (JSC::JSObject::putInlineSlow):
2294             - callCustomSetter currently takes a flag to distinguish value/accessor calls.
2295         * runtime/Lookup.h:
2296         (JSC::putEntry):
2297             - split PutPropertySlot setCustom into Value/Accessor variants.
2298         * runtime/PropertySlot.cpp:
2299         (JSC::PropertySlot::functionGetter):
2300         (JSC::PropertySlot::customGetter):
2301         * runtime/PropertySlot.h:
2302         (JSC::PropertySlot::PropertySlot):
2303         (JSC::PropertySlot::getValue):
2304             - added customGetter helper to call GetValueFunc.
2305         * runtime/PutPropertySlot.h:
2306         (JSC::PutPropertySlot::PutPropertySlot):
2307         (JSC::PutPropertySlot::setNewProperty):
2308         (JSC::PutPropertySlot::setCustomValue):
2309         (JSC::PutPropertySlot::setCustomAccessor):
2310         (JSC::PutPropertySlot::setThisValue):
2311         (JSC::PutPropertySlot::customSetter):
2312         (JSC::PutPropertySlot::context):
2313         (JSC::PutPropertySlot::isStrictMode):
2314         (JSC::PutPropertySlot::isCacheablePut):
2315         (JSC::PutPropertySlot::isCacheableSetter):
2316         (JSC::PutPropertySlot::isCacheableCustom):
2317         (JSC::PutPropertySlot::isCustomAccessor):
2318         (JSC::PutPropertySlot::isInitialization):
2319         (JSC::PutPropertySlot::cachedOffset):
2320         (JSC::PutPropertySlot::setCustomProperty): Deleted.
2321             - split PutPropertySlot setCustom into Value/Accessor variants.
2322         * runtime/RegExpConstructor.cpp:
2323         (JSC::RegExpConstructor::getOwnPropertySlot):
2324         (JSC::regExpConstructorDollar1):
2325         (JSC::regExpConstructorDollar2):
2326         (JSC::regExpConstructorDollar3):
2327         (JSC::regExpConstructorDollar4):
2328         (JSC::regExpConstructorDollar5):
2329         (JSC::regExpConstructorDollar6):
2330         (JSC::regExpConstructorDollar7):
2331         (JSC::regExpConstructorDollar8):
2332         (JSC::regExpConstructorDollar9):
2333         (JSC::regExpConstructorInput):
2334         (JSC::regExpConstructorMultiline):
2335         (JSC::regExpConstructorLastMatch):
2336         (JSC::regExpConstructorLastParen):
2337         (JSC::regExpConstructorLeftContext):
2338         (JSC::regExpConstructorRightContext):
2339         (JSC::setRegExpConstructorInput):
2340         (JSC::setRegExpConstructorMultiline):
2341         * runtime/RegExpObject.cpp:
2342         (JSC::RegExpObject::defineOwnProperty):
2343         (JSC::regExpObjectSetLastIndexStrict):
2344         (JSC::regExpObjectSetLastIndexNonStrict):
2345         (JSC::RegExpObject::put):
2346             - Merged slotBase & thisValue to custom property callbacks.
2347
2348 2016-02-09  Filip Pizlo  <fpizlo@apple.com>
2349
2350         Spread expressions are not fair game for direct binding
2351         https://bugs.webkit.org/show_bug.cgi?id=154042
2352         rdar://problem/24291413
2353
2354         Reviewed by Saam Barati.
2355
2356         Prior to this change we crashed on this:
2357
2358             var [x] = [...y];
2359
2360         Because NodesCodegen thinks that this is a direct binding.  It's not, because we cannot
2361         directly generate bytecode for "...y".  This is a unique property of spread expressions, so
2362         it's sufficient to just bail out of direct binding if we see a spread expression. That's what
2363         this patch does.
2364
2365         * bytecompiler/NodesCodegen.cpp:
2366         (JSC::ArrayPatternNode::emitDirectBinding):
2367         * tests/stress/spread-in-tail.js: Added.
2368         (foo):
2369         (catch):
2370
2371 2016-02-09  Commit Queue  <commit-queue@webkit.org>
2372
2373         Unreviewed, rolling out r196286.
2374         https://bugs.webkit.org/show_bug.cgi?id=154026
2375
2376         Looks like 5% iOS PLT regression (Requested by kling on
2377         #webkit).
2378
2379         Reverted changeset:
2380
2381         "[iOS] Throw away some unlinked code when navigating to a new
2382         page."
2383         https://bugs.webkit.org/show_bug.cgi?id=154014
2384         http://trac.webkit.org/changeset/196286
2385
2386 2016-02-08  Keith Miller  <keith_miller@apple.com>
2387
2388         Error construction for inlined operations should not use the inliner's CodeBlock
2389         https://bugs.webkit.org/show_bug.cgi?id=154021
2390
2391         Reviewed by Mark Lam.
2392
2393         Previously, if one function, A, was inlined into another function, B, in the DFG/FTL
2394         we would use B's DFG/FTL CodeBlock to construct source information about the Error.
2395         We would correctly compute the bytecodeOffset in A for an expression but we would
2396         not use one of A's CodeBlocks when looking up source. This caused crashes during
2397         operationIn as we expected to be able to find the text "in" in the source.
2398
2399         * runtime/ErrorInstance.cpp:
2400         (JSC::appendSourceToError):
2401         * tests/stress/inlined-error-gets-correct-codeblock-for-bytecodeoffset.js: Added.
2402         (map):
2403         (n):
2404         (one):
2405         (catch):
2406
2407 2016-02-08  Saam Barati  <sbarati@apple.com>
2408
2409         runtimeTypeForValue should protect against seeing TDZ value
2410         https://bugs.webkit.org/show_bug.cgi?id=154023
2411         rdar://problem/24291413
2412
2413         Reviewed by Michael Saboff.
2414
2415         There are a few back traces I've seen from crashes that bottom out
2416         inside runtimeTypeForValue. I haven't been able to reproduce
2417         any such crash, but it's likely that we're encountering the
2418         empty JSValue. It's better to just have this function protect
2419         against seeing the empty value instead of dereferencing a null
2420         pointer when it thinks the value is a cell.
2421
2422         * runtime/RuntimeType.cpp:
2423         (JSC::runtimeTypeForValue):
2424
2425 2016-02-08  Andreas Kling  <akling@apple.com>
2426
2427         [iOS] Throw away some unlinked code when navigating to a new page.
2428         <https://webkit.org/b/154014>
2429
2430         Reviewed by Gavin Barraclough.
2431
2432         * runtime/VM.cpp:
2433         (JSC::VM::deleteAllCodeExceptCaches):
2434         (JSC::VM::deleteAllLinkedCode): Deleted.
2435         * runtime/VM.h:
2436
2437 2016-02-08  Filip Pizlo  <fpizlo@apple.com>
2438
2439         B3::foldPathConstants() needs to execute its insertion set
2440         https://bugs.webkit.org/show_bug.cgi?id=154020
2441
2442         Reviewed by Saam Barati.
2443
2444         * b3/B3FoldPathConstants.cpp:
2445         * b3/testb3.cpp:
2446         (JSC::B3::testFoldPathEqual): Added this. It used to crash in validation.
2447         (JSC::B3::run):
2448
2449 2016-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2450
2451         [JSC] Introduce @isObject bytecode intrinsic and use it instead of JS implemented one
2452         https://bugs.webkit.org/show_bug.cgi?id=153976
2453
2454         Reviewed by Darin Adler.
2455
2456         Use bytecode op_is_object directly.
2457
2458         * builtins/GlobalObject.js:
2459         (isObject): Deleted.
2460         * bytecode/BytecodeIntrinsicRegistry.h:
2461         * bytecompiler/NodesCodegen.cpp:
2462         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
2463         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
2464         * runtime/JSGlobalObject.cpp:
2465         (JSC::JSGlobalObject::init): Deleted.
2466
2467 2016-02-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2468
2469         {Map,Set}.prototype.forEach should be visible as own properties
2470         https://bugs.webkit.org/show_bug.cgi?id=153974
2471
2472         Reviewed by Darin Adler.
2473
2474         Now, Map and Set use builtin tables. We should include them in class info.
2475
2476         * runtime/MapPrototype.cpp:
2477         * runtime/SetPrototype.cpp:
2478
2479 2016-02-08  Filip Pizlo  <fpizlo@apple.com>
2480
2481         Baseline JIT should not require its input to be constant-propagated
2482         https://bugs.webkit.org/show_bug.cgi?id=154011
2483         rdar://problem/24290933
2484
2485         Reviewed by Mark Lam.
2486
2487         * jit/JITArithmetic.cpp:
2488         (JSC::JIT::emitBitBinaryOpFastPath):
2489         (JSC::JIT::emitRightShiftFastPath):
2490         (JSC::JIT::emit_op_add):
2491         (JSC::JIT::emit_op_div):
2492         (JSC::JIT::emit_op_mul):
2493
2494 2016-02-08  Filip Pizlo  <fpizlo@apple.com>
2495
2496         CodeCache should give up on evals if there are variables under TDZ
2497         https://bugs.webkit.org/show_bug.cgi?id=154002
2498         rdar://problem/24300998
2499
2500         Reviewed by Mark Lam.
2501
2502         Disable the code cache optimization because our approach to TDZ for scoped variables - using
2503         a separate check_tdz opcode when logically it's the get_from_scope's job to do it - makes
2504         caching code impossible if there are any variables in TDZ.
2505
2506         We should do the right thing in the future, and fold the TDZ check into the get_from_scope.
2507         This is better not only because it will restore caching, but because our bytecode for heap
2508         accesses is usually at the highest practically doable level of abstraction, so that ICs,
2509         compilers and caches can see the intended meaning of the bytecode more easily.
2510
2511         This doesn't appear to slow anything down, but that's just because we don't have enough ES6
2512         benchmarks. I've filed: https://bugs.webkit.org/show_bug.cgi?id=154010
2513
2514         * runtime/CodeCache.cpp:
2515         (JSC::CodeCache::getGlobalCodeBlock):
2516
2517 2016-02-08  Skachkov Oleksandr  <gskachkov@gmail.com>
2518
2519         [ES6] Arrow function syntax. Using 'super' in arrow function that declared out of the class should lead to Syntax error
2520         https://bugs.webkit.org/show_bug.cgi?id=150893
2521
2522         Reviewed by Saam Barati.
2523
2524         'super' and 'super()' inside of the arrow function should lead to syntax error if they are used
2525         out of the class context or they are wrapped by an ordinary function. Now JSC returns ReferenceError but
2526         should return SyntaxError according to the following specs:
2527         http://www.ecma-international.org/ecma-262/6.0/#sec-function-definitions-static-semantics-early-errors
2528         and http://www.ecma-international.org/ecma-262/6.0/#sec-arrow-function-definitions-runtime-semantics-evaluation
2529         The current patch implements only one case, when super/super() are used inside of the arrow function.
2530         The case when super/super() are used within eval:
2531            class A {}
2532            class B extends A {
2533                constructor() { eval("super()"); }
2534            }
2535         is not part of this patch and will be implemented in this issue: https://bugs.webkit.org/show_bug.cgi?id=153864.
2536         The same for the case when eval with super/super() is invoked in an arrow function, which will be
2537         implemented in issue https://bugs.webkit.org/show_bug.cgi?id=153977.
2538
2539         * parser/Parser.cpp:
2540         (JSC::Parser<LexerType>::parseFunctionInfo):
2541         * parser/Parser.h:
2542         (JSC::Scope::Scope):
2543         (JSC::Scope::setExpectedSuperBinding):
2544         (JSC::Scope::expectedSuperBinding):
2545         (JSC::Scope::setConstructorKind):
2546         (JSC::Scope::constructorKind):
2547         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
2548         * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
2549         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
2550
2551 2016-02-08  Filip Pizlo  <fpizlo@apple.com>
2552
2553         Parser should detect error before calls to parseAssignmentExpression()
2554         https://bugs.webkit.org/show_bug.cgi?id=153975
2555         rdar://problem/24291231
2556
2557         Reviewed by Saam Barati.
2558
2559         Fixes a very hard-to-create situation that an internal test picked up.
2560
2561         * parser/Parser.cpp:
2562         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2563         (JSC::Parser<LexerType>::parseAssignmentExpression):
2564
2565 2016-02-08  Andreas Kling  <akling@apple.com>
2566
2567         Visiting a WeakBlock should report bytes visited, since we reported them allocated.
2568         <https://webkit.org/b/153978>
2569
2570         Reviewed by Darin Adler.
2571
2572         When creating a WeakBlock, we tell Heap that we've allocated 1 KB (WeakBlock::blockSize)
2573         of memory. Consequently, when visiting a WeakBlock, we should also report 1 KB of memory
2574         visited. Otherwise Heap will think that those 1 KB already went away.
2575
2576         This was causing us to underestimate heap size, which affects collection scheduling.
2577
2578         * heap/SlotVisitor.h:
2579         (JSC::SlotVisitor::reportMemoryVisited):
2580         * heap/WeakBlock.cpp:
2581         (JSC::WeakBlock::visit):
2582
2583 2016-02-07  Saam barati  <sbarati@apple.com>
2584
2585         Follow up patch to: [ES6] bound functions .name property should be "bound " + the target function's name 
2586         https://bugs.webkit.org/show_bug.cgi?id=153796
2587
2588         Reviewed by Darin Adler.
2589
2590         This follow-up patch addresses some comments/suggestions by
2591         Ryosuke, Darin, and Joe. It simplifies JSBoundFunction::toStringName
2592         and adds some tests for bound names.
2593
2594         * runtime/JSBoundFunction.cpp:
2595         (JSC::hasInstanceBoundFunction):
2596         (JSC::JSBoundFunction::create):
2597         (JSC::JSBoundFunction::toStringName):
2598
2599 2016-02-07  Filip Pizlo  <fpizlo@apple.com>
2600
2601         String.match should defend against matches that would crash the VM
2602         https://bugs.webkit.org/show_bug.cgi?id=153964
2603         rdar://problem/24301119
2604
2605         Reviewed by Saam Barati.
2606
2607         This fixes a crash in an internal test case.
2608
2609         * runtime/ArgList.cpp:
2610         (JSC::MarkedArgumentBuffer::slowAppend): Use best practices to ensure that the size we
2611             compute makes sense. Crash if it stops making sense, since most users of this API assume
2612             that they are creating something small enough to fit on the stack.
2613         * runtime/ArgList.h:
2614         (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
2615         (JSC::MarkedArgumentBuffer::size):
2616         (JSC::MarkedArgumentBuffer::operator new): Deleted. These were ineffective. According to the
2617             debugger, we were still calling system malloc. So, I changed the code to use fastMalloc()
2618             directly.
2619         (JSC::MarkedArgumentBuffer::operator delete): Deleted.
2620         * runtime/StringPrototype.cpp:
2621         (JSC::stringProtoFuncMatch): Explicitly defend against absurd sizes. Of course, it's still
2622             possible to crash the VM on OOME. That's sort of always been the philosophy of JSC - we
2623             don't guarantee that you'll get a nice-looking error whenever you run out of memory,
2624             since in a GC'd environment you can't really guarantee those things. But, if you have a
2625             match that obviously won't fit in memory, then reporting an error is useful in case this is
2626             a developer experimenting with a buggy regexp.
2627
2628 2016-02-07  Dan Bernstein  <mitz@apple.com>
2629
2630         [Cocoa] Replace __has_include guards around inclusion of Apple-internal-SDK headers with USE(APPLE_INTERNAL_SDK)
2631         https://bugs.webkit.org/show_bug.cgi?id=153963
2632
2633         Reviewed by Sam Weinig.
2634
2635         * inspector/remote/RemoteInspectorXPCConnection.mm:
2636
2637 2016-02-06  Filip Pizlo  <fpizlo@apple.com>
2638
2639         FTL must store the call site index before runtime calls, even if it's the tail call slow path
2640         https://bugs.webkit.org/show_bug.cgi?id=153955
2641         rdar://problem/24290970
2642
2643         Reviewed by Saam Barati.
2644
2645         This is necessary because you could throw an exception in a host call on the tail call's slow
2646         path. That'll route us to lookupExceptionHandler(), which unwinds starting with the call site
2647         index of our frame. Bad things happen if it's not set. Prior to this patch it was possible
2648         for the call site index field to be uninitialized, which meant that the throwing machinery
2649         was making a wild guess about where we are.
2650
2651         * ftl/FTLLowerDFGToLLVM.cpp:
2652         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2653         * tests/stress/tail-call-host-call-throw.js: Added.
2654
2655 2016-02-06  Darin Adler  <darin@apple.com>
2656
2657         Finish auditing call sites of upper() and lower(), eliminate many, and rename the functions
2658         https://bugs.webkit.org/show_bug.cgi?id=153905
2659
2660         Reviewed by Sam Weinig.
2661
2662         * runtime/IntlObject.cpp:
2663         (JSC::canonicalLangTag): Use convertToASCIIUppercase on the language tag.
2664
2665         * runtime/StringPrototype.cpp:
2666         (JSC::stringProtoFuncToLowerCase): Tweak style and update for name change.
2667         (JSC::stringProtoFuncToUpperCase): Ditto.
2668
2669 2016-02-06  Chris Dumez  <cdumez@apple.com>
2670
2671         Object.getOwnPropertyDescriptor() does not work on sub-frame's window
2672         https://bugs.webkit.org/show_bug.cgi?id=153925
2673
2674         Reviewed by Darin Adler.
2675
2676         Calling Object.getOwnPropertyDescriptor() on a sub-frame's window was
2677         returning undefined for that window's own properties. The reason was
2678         that the check getOwnPropertySlot() is using to make sure the
2679         PropertySlot is not for a property coming from the prototype was wrong.
2680
2681         The check was checking that 'this != slotBase' which works fine unless
2682         this is a JSProxy (e.g. JSDOMWindowShell). To handle proxies, the code
2683         was also checking that 'slotBase.toThis() != this', attempting to
2684         get the slotBase/Window's proxy. However, due to the implementation of
2685         toThis(), we were getting the lexical global object's proxy instead of
2686         slotBase's proxy. To avoid this issue, the new code explicitly checks
2687         if 'this' is a JSProxy and makes sure 'JSProxy::target() != slotBase',
2688         instead of using toThis().
2689
2690         * runtime/JSObject.cpp:
2691         (JSC::JSObject::getOwnPropertyDescriptor):
2692
2693 2016-02-06  Andreas Kling  <akling@apple.com>
2694
2695         [iOS] Throw away linked code when navigating to a new page.
2696         <https://webkit.org/b/153851>
2697
2698         Reviewed by Gavin Barraclough.
2699
2700         Add a VM API for throwing away linked code only.
2701
2702         * runtime/VM.cpp:
2703         (JSC::VM::deleteAllLinkedCode):
2704         * runtime/VM.h:
2705
2706 2016-02-06  Commit Queue  <commit-queue@webkit.org>
2707
2708         Unreviewed, rolling out r196104.
2709         https://bugs.webkit.org/show_bug.cgi?id=153940
2710
2711         Regressed Speedometer on iOS (Requested by kling on #webkit).
2712
2713         Reverted changeset:
2714
2715         "[iOS] Throw away linked code when navigating to a new page."
2716         https://bugs.webkit.org/show_bug.cgi?id=153851
2717         http://trac.webkit.org/changeset/196104
2718
2719 2016-02-05  Alex Christensen  <achristensen@webkit.org>
2720
2721         Fix internal Windows build
2722         https://bugs.webkit.org/show_bug.cgi?id=153930
2723         <rdar://problem/24534864>
2724
2725         Reviewed by Mark Lam.
2726
2727         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2728         I made a typo in r196144.
2729
2730 2016-02-05  Saam barati  <sbarati@apple.com>
2731
2732         Web Inspector: Include SamplingProfiler's expression-level data for stack frames in the protocol
2733         https://bugs.webkit.org/show_bug.cgi?id=153455
2734         <rdar://problem/24335884>
2735
2736         Reviewed by Joseph Pecoraro.
2737
2738         We now send the sampling profiler's expression-level
2739         line/column info in the inspector protocol.
2740
2741         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2742         (Inspector::buildSamples):
2743         * inspector/protocol/ScriptProfiler.json:
2744         * runtime/SamplingProfiler.h:
2745         (JSC::SamplingProfiler::StackFrame::hasExpressionInfo):
2746
2747 2016-02-05  Saam barati  <sbarati@apple.com>
2748
2749         follow-up to: JSC Sampling Profiler: (host) is confusing in cases where I would expect to see JS name
2750         https://bugs.webkit.org/show_bug.cgi?id=153663
2751         <rdar://problem/24415092>
2752
2753         Rubber stamped by Joseph Pecoraro.
2754
2755         We were performing operations that required us to
2756         hold the VM lock even when we might not have been holding it.
2757         We now ensure we're holding it.
2758
2759         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2760         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2761
2762 2016-02-05  Filip Pizlo  <fpizlo@apple.com>
2763
2764         Arrayify for a typed array shouldn't create a monster
2765         https://bugs.webkit.org/show_bug.cgi?id=153908
2766         rdar://problem/24290639
2767
2768         Reviewed by Mark Lam.
2769
2770         Previously if you convinced the DFG to emit an Arrayify to ArrayStorage and then gave it a
2771         typed array, you'd corrupt the object.
2772
2773         * runtime/JSArrayBufferView.cpp:
2774         (WTF::printInternal):
2775         * runtime/JSArrayBufferView.h:
2776         * runtime/JSGenericTypedArrayViewInlines.h:
2777         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2778         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2779         * runtime/JSObject.cpp:
2780         (JSC::JSObject::copyButterfly):
2781         (JSC::JSObject::enterDictionaryIndexingMode):
2782         (JSC::JSObject::ensureInt32Slow):
2783         (JSC::JSObject::ensureDoubleSlow):
2784         (JSC::JSObject::ensureContiguousSlow):
2785         (JSC::JSObject::ensureArrayStorageSlow):
2786         (JSC::JSObject::growOutOfLineStorage):
2787         (JSC::getBoundSlotBaseFunctionForGetterSetter):
2788         * runtime/Structure.h:
2789         * tests/stress/arrayify-array-storage-typed-array.js: Added. This test failed.
2790         * tests/stress/arrayify-int32-typed-array.js: Added. This test case already had other protections, but we beefed them up.
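
        The following is an added example and not one of the two tests listed above: a regression test in the style of JSC's tests/stress for the Arrayify problem this entry describes. It warms a function up on an array that is assumed to use ArrayStorage in JSC (the far out-of-bounds store is that assumption) so the JIT specialises the indexed access, then passes typed arrays of two kinds and checks that their length, prototype and backing buffer survive. The expected values hold on any engine, with or without a JIT; corruption shows up as wrong sums, a failed integrity check or a crash.

```javascript
// Added example, not one of the tests listed in the ChangeLog: a regression
// test in the style of JSC's tests/stress. The warm-up array is assumed to
// use ArrayStorage in JSC because of the far-out-of-bounds store; that is an
// assumption about the engine, and the checks below hold on any engine.

function sumFirstThree(a) {
  // Indexed reads the JIT will specialise after warm-up. A typed array
  // passed here must take the typed-array path and never be converted
  // (Arrayified) to ArrayStorage.
  return a[0] + a[1] + a[2];
}

function makeArrayStorageArray() {
  const a = [1, 2, 3];
  a[100000] = 4; // sparse store: assumed to force ArrayStorage in JSC
  return a;
}

function runArrayifyRegression(iterations = 10000) {
  const storageArray = makeArrayStorageArray();
  let warm = 0;
  for (let i = 0; i < iterations; i++)
    warm += sumFirstThree(storageArray);

  // Now hand the specialised function typed arrays of two different kinds.
  const bytes = new Uint8Array([10, 20, 30, 40]);
  const typedSum = sumFirstThree(bytes);
  const floats = new Float64Array([0.5, 0.25, 0.125]);
  const floatSum = sumFirstThree(floats);

  // If the object had been converted, its length, backing buffer, prototype
  // or the untouched fourth element would no longer read back correctly.
  const intact =
    bytes.length === 4 &&
    bytes[3] === 40 &&
    bytes.buffer.byteLength === 4 &&
    Object.getPrototypeOf(bytes) === Uint8Array.prototype;

  return { warm, typedSum, floatSum, intact };
}

const regression = runArrayifyRegression();
if (!regression.intact || regression.typedSum !== 60 || regression.floatSum !== 0.875)
  throw new Error("typed array was corrupted after Arrayify warm-up");
```

        Run it under jsc with the usual stress-test JIT options (or under any other engine) and it should finish silently; the top-level check is what a stress test's harness would report as a failure.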
2791
2792 2016-02-04  Joseph Pecoraro  <pecoraro@apple.com>
2793
2794         Web Inspector: InspectorTimelineAgent doesn't need to recompile functions because it now uses the sampling profiler
2795         https://bugs.webkit.org/show_bug.cgi?id=153500
2796         <rdar://problem/24352458>
2797
2798         Reviewed by Timothy Hatcher.
2799
2800         Be more explicit about enabling legacy profiling.
2801
2802         * jsc.cpp:
2803         * runtime/Executable.cpp:
2804         (JSC::ScriptExecutable::newCodeBlockFor):
2805         * runtime/JSGlobalObject.cpp:
2806         (JSC::JSGlobalObject::hasLegacyProfiler):
2807         (JSC::JSGlobalObject::createProgramCodeBlock):
2808         (JSC::JSGlobalObject::createEvalCodeBlock):
2809         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2810         (JSC::JSGlobalObject::hasProfiler): Deleted.
2811         * runtime/JSGlobalObject.h:
2812         (JSC::JSGlobalObject::supportsLegacyProfiling):
2813         (JSC::JSGlobalObject::supportsProfiling): Deleted.
2814
2815 2016-02-04  Keith Miller  <keith_miller@apple.com>
2816
2817         ArrayPrototype should have a destroy function
2818         https://bugs.webkit.org/show_bug.cgi?id=153847
2819
2820         Reviewed by Filip Pizlo.
2821
2822         ArrayPrototype should have a destroy function as it now has a unique_ptr member that
2823         needs to be freed at the end of the object's life cycle. Also, this patch adds an
2824         option, gcAtEnd, that will cause jsc.cpp to do a garbage collection before exiting.
2825
2826         * jsc.cpp:
2827         (runJSC):
2828         (jscmain):
2829         * runtime/ArrayPrototype.cpp:
2830         (JSC::ArrayPrototype::create):
2831         (JSC::ArrayPrototype::destroy):
2832         * runtime/ArrayPrototype.h:
2833         * runtime/Options.h:
2834
2835 2016-02-04  Filip Pizlo  <fpizlo@apple.com>
2836
2837         REGRESSION(192409): Cannot rely on add32() to zero-extend
2838         https://bugs.webkit.org/show_bug.cgi?id=153897
2839
2840         Unreviewed rollout of r192409.
2841
2842         * assembler/MacroAssemblerARM64.h:
2843         (JSC::MacroAssemblerARM64::add32):
2844         (JSC::MacroAssemblerARM64::add64):
2845         * assembler/MacroAssemblerARMv7.h:
2846         (JSC::MacroAssemblerARMv7::add32):
2847         * assembler/MacroAssemblerX86.h:
2848         (JSC::MacroAssemblerX86::add32):
2849         * assembler/MacroAssemblerX86Common.h:
2850         (JSC::MacroAssemblerX86Common::add32):
2851         (JSC::MacroAssemblerX86Common::add8):
2852         (JSC::MacroAssemblerX86Common::branchAdd32):
2853         (JSC::MacroAssemblerX86Common::generateTest32):
2854         (JSC::MacroAssemblerX86Common::clz32AfterBsr):
2855         (JSC::MacroAssemblerX86Common::add32AndSetFlags): Deleted.
2856         * assembler/MacroAssemblerX86_64.h:
2857         (JSC::MacroAssemblerX86_64::add32):
2858         (JSC::MacroAssemblerX86_64::add64):
2859         (JSC::MacroAssemblerX86_64::branchAdd64):
2860         (JSC::MacroAssemblerX86_64::repatchCall):
2861         (JSC::MacroAssemblerX86_64::clz64AfterBsr):
2862         (JSC::MacroAssemblerX86_64::add64AndSetFlags): Deleted.
2863
2864 2016-02-04  Andreas Kling  <akling@apple.com>
2865
2866         Remove dead ENABLE(BYTECODE_COMMENTS) cruft.
2867         <https://webkit.org/b/153888>
2868
2869         Reviewed by Antti Koivisto.
2870
2871         * bytecode/UnlinkedCodeBlock.cpp:
2872         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
2873         * bytecode/UnlinkedCodeBlock.h:
2874         (JSC::UnlinkedCodeBlock::shrinkToFit): Deleted.
2875
2876 2016-02-04  Saam barati  <sbarati@apple.com>
2877
2878         JSC Sampling Profiler: (host) is confusing in cases where I would expect to see JS name
2879         https://bugs.webkit.org/show_bug.cgi?id=153663
2880         <rdar://problem/24415092>
2881
2882         Reviewed by Geoffrey Garen.
2883
2884         We now collect the Callee in the processed StackFrame
2885         when the Callee is a valid GC object. We later ask
2886         the Callee for its .displayName or .name property.
2887         When we don't have a valid callee, we will still
2888         use the Executable for this information.
2889
2890         This helps us come up with good names for frames where 
2891         the Callee object is a bound function or an InternalFunction.
2892
2893         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2894         (Inspector::InspectorScriptProfilerAgent::addEvent):
2895         (Inspector::buildSamples):
2896         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2897         * runtime/SamplingProfiler.cpp:
2898         (JSC::reportStats):
2899         (JSC::FrameWalker::walk):
2900         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2901         (JSC::SamplingProfiler::visit):
2902         (JSC::SamplingProfiler::shutdown):
2903         (JSC::SamplingProfiler::clearData):
2904         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
2905         (JSC::SamplingProfiler::StackFrame::displayName):
2906         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
2907         (JSC::SamplingProfiler::stackTracesAsJSON):
2908         * runtime/SamplingProfiler.h:
2909         (JSC::SamplingProfiler::UnprocessedStackFrame::UnprocessedStackFrame):
2910         (JSC::SamplingProfiler::StackFrame::StackFrame):
2911         * tests/stress/sampling-profiler-basic.js:
2912         (platformSupportsSamplingProfiler.nothing):
2913         (platformSupportsSamplingProfiler.top):
2914         * tests/stress/sampling-profiler-bound-function-name.js: Added.
2915         (platformSupportsSamplingProfiler.foo):
2916         (platformSupportsSamplingProfiler.bar):
2917         (platformSupportsSamplingProfiler.let.baz):
2918         (platformSupportsSamplingProfiler):
2919         * tests/stress/sampling-profiler-display-name.js: Added.
2920         (platformSupportsSamplingProfiler.foo):
2921         (platformSupportsSamplingProfiler.baz):
2922         (platformSupportsSamplingProfiler.):
2923         (platformSupportsSamplingProfiler.bar):
2924         (platformSupportsSamplingProfiler.jaz):
2925         (platformSupportsSamplingProfiler.makeFunction.let.result):
2926         (platformSupportsSamplingProfiler.makeFunction):
2927         * tests/stress/sampling-profiler-internal-function-name.js: Added.
2928         (platformSupportsSamplingProfiler.foo):
2929         (platformSupportsSamplingProfiler.bar):
2930         (platformSupportsSamplingProfiler):
2931
2932 2016-02-04  Chris Dumez  <cdumez@apple.com>
2933
2934         Object.getOwnPropertyDescriptor() returns incomplete descriptor for instance properties
2935         https://bugs.webkit.org/show_bug.cgi?id=153817
2936
2937         Reviewed by Geoffrey Garen.
2938
2939         Extend support for Object.getOwnPropertyDescriptor() on native bindings
2940         to instance properties (e.g. Unforgeable properties or Global object
2941         properties) so that the returned descriptor has getter / setter
2942         functions, as expected.
2943
2944         * runtime/JSObject.cpp:
2945         (JSC::JSObject::reifyAllStaticProperties):
2946         Add method that reifies all static properties, including the custom
2947         accessors. This is similar to what is done eagerly on the prototype
2948         objects in the bindings code.
2949
2950         (JSC::JSObject::getOwnPropertyDescriptor):
2951         getOwnPropertyDescriptor() would previously fail for custom accessors
2952         that are on the instance because getDirect() does not check the static
2953         property table and those custom accessors were not reified (We only
2954         reified all properties eagerly - including custom accessors - on
2955         prototype objects). To address this issue, we now call
2956         reifyAllStaticProperties() if the call to getDirect() fails and then
2957         call getDirect() again. This fix is however insufficient for Window
2958         properties because |this| is a JSDOMWindowShell / JSProxy in this case
2959         and getDirect() / reifyAllStaticProperties() would fail as the proxy
2960         does not actually have the properties. This issue was addressed by
2961         checking if |this| is a JSProxy and then using JSProxy::target() instead
2962         of |this| for the calls to getDirect() and for the reification.
2963
2964         * runtime/JSObject.h:
2965         * runtime/Lookup.h:
2966         (JSC::reifyStaticProperty):
2967         (JSC::reifyStaticProperties):
2968         Move most code in reifyStaticProperties() to a separate function so the
2969         code can be shared with JSObject::reifyAllStaticProperties().
2970         reifyStaticProperties() is currently called by the bindings on the
2971         prototype objects.
2972
2973 2016-02-04  Alex Christensen  <achristensen@webkit.org>
2974
2975         Fix internal Windows build
2976         https://bugs.webkit.org/show_bug.cgi?id=153886
2977         <rdar://problem/24499887>
2978
2979         Reviewed by Mark Lam.
2980
2981         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2982         In r190253 I changed the directory of the headers from AppleInternal/include/JavaScriptCore 
2983         to AppleInternal/include/private/JavaScriptCore.  This is ok for WebCore and WebKit, but not
2984         other projects, such as CFNetwork, which expect the public API headers to be in the old location.
2985         This used to be done by a combination of copy-files.cmd and the old JavaScriptCore.proj.
2986         This change copies all the API headers, which copies everything in copy-files.cmd except APIShims.h
2987         which does not exist any more.  It copies additional headers that were not copied before, but
2988         I think this is beneficial so we do not forget to add new public headers to a list of public headers
2989         to be copied in the internal build.  Having extra public headers in the internal Windows build is
2990         not a problem because only internal clients use the internal Windows build.
2991
2992 2016-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2993
2994         [JSC] Make some classes non JSDestructibleObject
2995         https://bugs.webkit.org/show_bug.cgi?id=153838
2996
2997         Reviewed by Geoffrey Garen.
2998
2999         SymbolPrototype, JSMapIterator and JSSetIterator are trivially destructible.
3000         So there is no need to inherit JSDestructibleObject.
3001
3002         * runtime/JSMapIterator.cpp:
3003         (JSC::JSMapIterator::destroy): Deleted.
3004         * runtime/JSMapIterator.h:
3005         * runtime/JSSetIterator.cpp:
3006         (JSC::JSSetIterator::destroy): Deleted.
3007         * runtime/JSSetIterator.h:
3008         * runtime/MapData.h:
3009         * runtime/SymbolPrototype.h:
3010
3011 2016-02-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3012
3013         [JSC] Symbol structure has unnecessary flags
3014         https://bugs.webkit.org/show_bug.cgi?id=153840
3015
3016         Reviewed by Saam Barati.
3017
3018         * runtime/Symbol.h:
3019         * tests/stress/symbol-get-own-property.js: Added.
3020         (shouldBe):
3021
3022 2016-02-03  Andreas Kling  <akling@apple.com>
3023
3024         [iOS] Throw away linked code when navigating to a new page.
3025         <https://webkit.org/b/153851>
3026
3027         Reviewed by Gavin Barraclough.
3028
3029         Add a VM API for throwing away linked code only.
3030
3031         * runtime/VM.cpp:
3032         (JSC::VM::deleteAllLinkedCode):
3033         * runtime/VM.h:
3034
3035 2016-02-03  Michael Catanzaro  <mcatanzaro@igalia.com>
3036
3037         [GTK][EFL] Switch FTL to B3
3038         https://bugs.webkit.org/show_bug.cgi?id=153478
3039
3040         Reviewed by Csaba Osztrogonác.
3041
3042         Conditionalize code to make it possible to build FTL completely without LLVM.
3043
3044         * CMakeLists.txt:
3045         * dfg/DFGCommon.h:
3046         * dfg/DFGPlan.cpp:
3047         (JSC::DFG::Plan::compileInThreadImpl):
3048         * ftl/FTLAbbreviatedTypes.h:
3049         * ftl/FTLFail.cpp:
3050         (JSC::FTL::fail):
3051         * ftl/FTLState.cpp:
3052         (JSC::FTL::State::State):
3053         (JSC::FTL::State::~State):
3054
3055 2016-02-03  Carlos Garcia Campos  <cgarcia@igalia.com>
3056
3057         Unreviewed. Fix JavaScriptCore build with B3 enabled.
3058
3059         Include <limits.h> for UINT_MAX.
3060
3061         * b3/B3StackSlot.h:
3062         * b3/air/AirStackSlot.h:
3063
3064 2016-02-02  Caitlin Potter  <caitp@igalia.com>
3065
3066         JSSymbolTableObject::deleteProperty() crashes deleting Symbols
3067         https://bugs.webkit.org/show_bug.cgi?id=153816
3068
3069         Reviewed by Darin Adler.
3070
3071         Changes JSSymbolTableObject::deleteProperty() to check if its
3072         symbolTable() contains the property's uid() rather than publicName().
3073         This ensures that it will not crash in the case of Symbols.
3074
3075         * runtime/JSSymbolTableObject.cpp:
3076         (JSC::JSSymbolTableObject::deleteProperty):
3077         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js:
3078         (testGlobalProxy):
3079         * tests/stress/regress-153816.js: Added.
3080         (deleteSymbolFromJSSymbolTableObject):
3081
3082 2016-02-02  Benjamin Poulain  <benjamin@webkit.org>
3083
3084         [JSC] Do not copy FP when lowering FramePointer
3085         https://bugs.webkit.org/show_bug.cgi?id=153769
3086
3087         Reviewed by Michael Saboff.
3088
3089         That extra move is just wasted time. The fewer Moves we have,
3090         the happier IRC is.
3091
3092         * b3/B3LowerToAir.cpp:
3093         (JSC::B3::Air::LowerToAir::tmp):
3094         (JSC::B3::Air::LowerToAir::lower):
3095
3096 2016-02-02  Keith Miller  <keith_miller@apple.com>
3097
3098         DFG, FTL, B3, and Air should all have a unique option for printing their graphs
3099         https://bugs.webkit.org/show_bug.cgi?id=153815
3100
3101         Reviewed by Benjamin Poulain.
3102
3103         This patch adds a new printing option for each of the DFG/FTL compilation phases.
3104
3105         * b3/B3Common.cpp:
3106         (JSC::B3::shouldDumpIR):
3107         (JSC::B3::shouldDumpIRAtEachPhase):
3108         * b3/B3Common.h:
3109         * b3/B3Generate.cpp:
3110         (JSC::B3::generateToAir):
3111         * b3/B3PhaseScope.cpp:
3112         (JSC::B3::PhaseScope::PhaseScope):
3113         * b3/air/AirGenerate.cpp:
3114         (JSC::B3::Air::prepareForGeneration):
3115         * b3/air/AirPhaseScope.cpp:
3116         (JSC::B3::Air::PhaseScope::PhaseScope):
3117         * dfg/DFGCFAPhase.cpp:
3118         (JSC::DFG::CFAPhase::run):
3119         * dfg/DFGCommon.h:
3120         (JSC::DFG::shouldDumpGraphAtEachPhase):
3121         * dfg/DFGPhase.cpp:
3122         (JSC::DFG::Phase::beginPhase):
3123         * runtime/Options.cpp:
3124         (JSC::recomputeDependentOptions):
3125         * runtime/Options.h:
3126
3127 2016-02-02  Caitlin Potter  <caitp@igalia.com>
3128
3129         [JSC] make Object.getOwnPropertyDescriptors() work with non-JSObject types
3130         https://bugs.webkit.org/show_bug.cgi?id=153814
3131
3132         Reviewed by Yusuke Suzuki.
3133
3134         * runtime/ObjectConstructor.cpp:
3135         (JSC::objectConstructorGetOwnPropertyDescriptors):
3136         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js:
3137         (testGlobalProxy):
3138
3139 2016-02-02  Aakash Jain  <aakash_jain@apple.com>
3140
3141         Remove references to CallFrameInlines.h
3142         https://bugs.webkit.org/show_bug.cgi?id=153810
3143
3144         Reviewed by Mark Lam.
3145
3146         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3147         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3148
3149 2016-02-02  Caitlin Potter  <caitp@igalia.com>
3150
3151         [JSC] Implement Object.getOwnPropertyDescriptors() proposal
3152         https://bugs.webkit.org/show_bug.cgi?id=153799
3153
3154         Reviewed by Darin Adler.
3155
3156         Implements the Object.getOwnPropertyDescriptors() proposal, which
3157         reached Stage 3 in the TC39 process in January 2016.
3158         https://github.com/tc39/proposal-object-getownpropertydescriptors
3159
3160         The method extracts a set of property descriptor objects, which can
3161         be safely used via `Object.create()`.
3162
3163         * runtime/ObjectConstructor.cpp:
3164         (JSC::objectConstructorGetOwnPropertyDescriptors):
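
        The following is an added example, not JSC's implementation: Object.getOwnPropertyDescriptors() written out step by step from the proposal this entry implements, which also covers the non-JSObject (primitive) inputs that the follow-up entry above for bug 153814 fixes. The ToObject step boxes primitives and rejects null and undefined; every own key, string and symbol, is visited in [[OwnPropertyKeys]] order; and each descriptor is attached with defineProperty rather than assignment so that an own key named "__proto__" cannot change the result's prototype. The cloneWithDescriptors helper shows the "safely used via Object.create()" point: accessors are carried over as accessors, whereas Object.assign would run each getter and copy the returned value. The sample object is constructed for the example.

```javascript
// Added example, not JSC's implementation: Object.getOwnPropertyDescriptors
// written out from the proposal (ToObject, then every own key, string and
// symbol, in [[OwnPropertyKeys]] order, defined on a fresh ordinary object
// with CreateDataProperty semantics).

function getOwnPropertyDescriptors(value) {
  // ToObject: primitives are boxed, null and undefined throw.
  if (value === null || value === undefined)
    throw new TypeError('Cannot convert undefined or null to object');
  const obj = Object(value);
  const result = {};
  for (const key of Reflect.ownKeys(obj)) {
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (desc === undefined) continue; // a proxy may list a key it then denies
    // defineProperty, not assignment: a key named "__proto__" would
    // otherwise change result's prototype instead of adding a property.
    Object.defineProperty(result, key,
      { value: desc, writable: true, enumerable: true, configurable: true });
  }
  return result;
}

// Shallow clone that keeps accessors and attributes as they are. Object.assign
// would run every getter and store the returned values as plain data.
function cloneWithDescriptors(src) {
  return Object.create(Object.getPrototypeOf(src), getOwnPropertyDescriptors(src));
}

// Constructed sample object: a getter that counts how often it ran,
// a symbol-keyed property, and a non-enumerable one.
function makeSample() {
  let reads = 0;
  const tag = Symbol('tag');
  const src = {
    get secret() { reads += 1; return 'token'; },
    plain: 1,
    [tag]: 'symbol-keyed',
  };
  Object.defineProperty(src, 'hidden', { value: 42, enumerable: false });
  return { src, tag, reads: () => reads };
}
```

        On a string such as "ab" the result has the index keys "0" and "1" plus a non-enumerable "length", which is exactly what the boxed String exposes; on null the TypeError comes from the ToObject step before any keys are read.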
3165
3166 2016-02-02  Filip Pizlo  <fpizlo@apple.com>
3167
3168         B3 should be able to compile trivial self-loops
3169         https://bugs.webkit.org/show_bug.cgi?id=153802
3170         rdar://problem/24465632
3171
3172         Reviewed by Michael Saboff.
3173
3174         Tail-duplicating a self-loop would mean doing a kind of loop unrolling. It wouldn't be
3175         profitable even if it did work. It turns out that it doesn't work, because we edit the target
3176         block before reading the source block, which breaks if the target and source block are the
3177         same.
3178
3179         This disables tail duplication of self-loops, adds a test, and adds better validation for this
3180         issue.
3181
3182         * b3/B3DuplicateTails.cpp:
3183         * b3/B3Procedure.cpp:
3184         (JSC::B3::Procedure::resetReachability):
3185         * b3/testb3.cpp:
3186         (JSC::B3::testComputeDivisionMagic):
3187         (JSC::B3::testTrivialInfiniteLoop):
3188         (JSC::B3::zero):
3189         (JSC::B3::run):
3190
3191 2016-02-02  Saam barati  <sbarati@apple.com>
3192
3193         [ES6] bound functions .name property should be "bound " + the target function's name
3194         https://bugs.webkit.org/show_bug.cgi?id=153796
3195
3196         Reviewed by Mark Lam.
3197
3198         See http://tc39.github.io/ecma262/#sec-function.prototype.bind for details.
3199         What the spec says:
3200         ```
3201         function foo() { }
3202         foo.bind(null).name === "bound foo"
3203
3204         (function bar() { }).bind(null).name === "bound bar"
3205         ```
3206
3207         * runtime/FunctionPrototype.cpp:
3208         (JSC::functionProtoFuncToString):
3209         * runtime/JSBoundFunction.cpp:
3210         (JSC::hasInstanceBoundFunction):
3211         (JSC::JSBoundFunction::create):
3212         (JSC::JSBoundFunction::visitChildren):
3213         (JSC::JSBoundFunction::toStringName):
3214         * runtime/JSBoundFunction.h:
3215         (JSC::JSBoundFunction::boundThis):
3216         (JSC::JSBoundFunction::boundArgs):
3217         (JSC::JSBoundFunction::createStructure):
3218         * tests/es6.yaml:
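
        The following is an added example and not JSC code. It puts the bound-function naming rule from this entry next to the frame-naming fallback described in the 2016-02-04 sampling-profiler entry above (displayName, then name, then a name taken from the Executable). expectedBoundName mirrors Function.prototype.bind: Get(Target, "name"), falling back to the empty String when the value is not a String, so a nested bind yields "bound bound foo" and an anonymous function yields "bound ". frameName reads only own data properties and treats accessors as absent, because a getter on "name" or "displayName" is script under the page's control and must not run inside a profiler; that refusal, and the executableName argument standing in for what JSC reads from the Executable, are this example's own choices. The callees are constructed for the example.

```javascript
// Added example, not JSC code: the bound-function naming rule from the spec
// (SetFunctionName with the "bound" prefix) next to the frame-naming fallback
// the sampling-profiler entry describes (displayName, then name, then the
// executable's own name). The executableName argument stands in for what JSC
// would read from the Executable; that, and the refusal to run accessors, are
// this example's own choices.

// Expected value of F.bind(...).name per Function.prototype.bind:
// Get(Target, "name"); if it is not a String, use the empty String.
function expectedBoundName(target) {
  let targetName = target.name;
  if (typeof targetName !== 'string') targetName = '';
  return 'bound ' + targetName;
}

// Read a string-valued own data property without running any script.
// A getter on "name" or "displayName" is attacker-controllable and must not
// execute inside a profiler, so accessors are treated as absent.
function ownStringProperty(fn, key) {
  const d = Object.getOwnPropertyDescriptor(fn, key);
  if (!d || !('value' in d) || typeof d.value !== 'string' || d.value === '')
    return null;
  return d.value;
}

function frameName(callee, executableName) {
  if (typeof callee === 'function') {
    const displayName = ownStringProperty(callee, 'displayName');
    if (displayName !== null) return displayName;
    const name = ownStringProperty(callee, 'name');
    if (name !== null) return name;
  }
  return executableName !== undefined && executableName !== ''
    ? executableName
    : '(anonymous function)';
}

// Constructed callees covering the cases the two ChangeLog entries mention:
// a plain function, its bound forms, a host constructor (InternalFunction in
// JSC), a function with displayName, an anonymous function, and one whose
// "name" is a throwing getter.
function sampleCallees() {
  function foo() {}
  const pretty = function () {};
  pretty.displayName = 'Pretty';
  const anonymous = (() => function () {})();
  const hostile = function () {};
  Object.defineProperty(hostile, 'name', { get() { throw new Error('getter ran'); } });
  return {
    foo,
    bound: foo.bind(null),
    twiceBound: foo.bind(null).bind(null),
    internal: Array,
    pretty,
    anonymous,
    hostile,
  };
}
```

        Note the asymmetry: expectedBoundName follows the spec and therefore does invoke a getter on "name", while frameName deliberately does not, so for the hostile callee the profiler falls through to the executable's name instead of running page script.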
3219
3220 2016-02-02  Filip Pizlo  <fpizlo@apple.com>
3221
3222         Get rid of anonymous stack slots
3223         https://bugs.webkit.org/show_bug.cgi?id=151128
3224
3225         Reviewed by Mark Lam.
3226
3227         When I first designed stack slots, the idea was that an "anonymous" stack slot was one that
3228         behaved exactly like a C variable: if it never escaped, it would not need to get stack space
3229         for the entire lifetime of the function - it could get any slab of stack so long as it
3230         didn't interfere with other stack slots that would be live at the same time. The reason I
3231         called them "anonymous" is that external code could not get its address. This felt like it
3232         gave the stack slot anonymity. But it was never a good name for this concept.
3233
3234         Then I had the register allocator lower temporaries to anonymous stack slots when it spilled
3235         them. Spilling became the sole client of anonymous stack slots.
3236
3237         Then I realized that there was an aspect of how spill slots work that make them want
3238         slightly different semantics than a normal C variable. A C variable is a proper memory
3239         location - you could do a store to only some bytes in the variable, and it's reasonable to
3240         expect that this will not destroy the other bytes in the variable. But that means that to
3241         compute their liveness, you have to do something like a per-byte liveness. That's overkill
3242         for spill slots. You want any store to the spill slot to kill the whole slot even if it
3243         writes to just part of the slot. This matches how temporaries work. So rather than implement
3244         per-byte liveness, I decided to change the semantics of anonymous stack slots to make them
3245         work like how I wanted spill slots to work. This was quite dirty, and put B3 in the awkward
3246         situation that B3's anonymous stack slots behaved like spill slots. But it was OK since
3247         nobody used anonymous stack slots in B3.
3248
3249         Then I added tail duplication, which required having a mechanism for introducing non-SSA
3250         variables in B3. I decided to use anonymous stack slots for this purpose. All of a sudden
3251         this all felt like it made sense: anonymous stack slots were just like variables! Hooray for
3252         the amazing foresight of anonymous stack slots!
3253
3254         But then I realized that this was all very bad. We want B3 to be able to optimize Store and
3255         Load operations by reasoning about how they affect bytes in memory. For example, if you do
3256         a Load of a 64-bit value, and then you modify just the low 32 bits of that value, and then
3257         you do a 64-bit store back to the same location, then it would be better to transform this
3258         into 32-bit operations. We don't do this optimization yet, but it's the kind of thing that
3259         we want B3 to be able to do. To do it, we need Store to mean that it only affects N bytes
3260         starting at the pointer, where N is the size of the thing being stored. But that's not what
3261         Store means for anonymous stack slots. For anonymous slots, storing to any byte in the slot
3262         clobbers all bytes in the slot. We were never clear if you need to store directly to an
3263         anonymous slot to get this behavior, or if any pointer that points to an anonymous slot must
3264         exhibit this behavior when stored to. Neither kinds of semantics make sense to me.
3265
3266         This change fixes the problem by eradicating anonymous stack slots. In B3, they are replaced
3267         with Variables. In Air, they are replaced with a different stack slot kind, called Spill.
3268         There is no such thing as stack slot kinds in B3 anymore, all B3 stack slots are locked. In
3269         Air, there is still the concept of stack slot kind - Locked or Spill.
3270
3271         B3 Variables are awesome. They are exactly what they seem to be. They have a type. They are
3272         declared at the top level in the Procedure. You can access them with new opcodes, Get and
3273         Set. This greatly simplifies demoting SSA values to variables and promoting them back to
3274         SSA. I even made the instruction selector do the right things for variables, which means
3275         that introducing variables won't hurt instruction selection (there will be extra moves, but
3276         IRC will kill them). It's great to have non-SSA variables as an explicit concept in IR
3277         because it means that you don't have to do any magic to use them - they Just Work.
3278
3279         Air spill slots behave almost like anonymous stack slots, with one exception: you cannot
3280         escape them. We validate this by making it illegal to UseAddr on a spill slot. This removes
3281         the need to answer awkward questions like: does a 32-bit Def on a pointer that may point to
3282         a 64-bit spill slot do anything to the 32 bits above the pointer?  Does it write zero to it?
3283         Does it write zero to it just when the pointer actually points to a spill slot or always?
3284         These are silly questions, and we don't have to answer them because the only way to refer to
3285         a spill slot is directly. No escaping means no aliasing.
3286
3287         This doesn't affect performance. It just makes the compiler more fun to work with by
3288         removing some cognitive dissonance.
3289
3290         * CMakeLists.txt:
3291         * JavaScriptCore.xcodeproj/project.pbxproj:
3292         * b3/B3ArgumentRegValue.h:
3293         * b3/B3CCallValue.h:
3294         * b3/B3CheckValue.cpp:
3295         (JSC::B3::CheckValue::cloneImpl):
3296         (JSC::B3::CheckValue::CheckValue):
3297         * b3/B3CheckValue.h:
3298         * b3/B3Const32Value.h:
3299         * b3/B3Const64Value.h:
3300         * b3/B3ConstDoubleValue.h:
3301         * b3/B3ConstFloatValue.h:
3302         * b3/B3ConstPtrValue.h:
3303         (JSC::B3::ConstPtrValue::ConstPtrValue):
3304         * b3/B3ControlValue.cpp:
3305         (JSC::B3::ControlValue::convertToJump):
3306         (JSC::B3::ControlValue::convertToOops):
3307         (JSC::B3::ControlValue::dumpMeta):
3308         * b3/B3ControlValue.h:
3309         * b3/B3Effects.cpp:
3310         (JSC::B3::Effects::interferes):
3311         (JSC::B3::Effects::dump):
3312         * b3/B3Effects.h:
3313         (JSC::B3::Effects::mustExecute):
3314         * b3/B3EliminateCommonSubexpressions.cpp:
3315         * b3/B3FixSSA.cpp:
3316         (JSC::B3::demoteValues):
3317         (JSC::B3::fixSSA):
3318         * b3/B3FixSSA.h:
3319         * b3/B3IndexMap.h:
3320         (JSC::B3::IndexMap::resize):
3321         (JSC::B3::IndexMap::clear):
3322         (JSC::B3::IndexMap::size):
3323         (JSC::B3::IndexMap::operator[]):
3324         * b3/B3IndexSet.h:
3325         (JSC::B3::IndexSet::contains):
3326         (JSC::B3::IndexSet::size):
3327         (JSC::B3::IndexSet::isEmpty):
3328         * b3/B3LowerToAir.cpp:
3329         (JSC::B3::Air::LowerToAir::run):
3330         (JSC::B3::Air::LowerToAir::lower):
3331         * b3/B3MemoryValue.h:
3332         * b3/B3Opcode.cpp:
3333         (WTF::printInternal):
3334         * b3/B3Opcode.h:
3335         * b3/B3PatchpointValue.cpp:
3336         (JSC::B3::PatchpointValue::cloneImpl):
3337         (JSC::B3::PatchpointValue::PatchpointValue):
3338         * b3/B3PatchpointValue.h:
3339         * b3/B3Procedure.cpp:
3340         (JSC::B3::Procedure::Procedure):
3341         (JSC::B3::Procedure::addBlock):
3342         (JSC::B3::Procedure::addStackSlot):
3343         (JSC::B3::Procedure::addVariable):
3344         (JSC::B3::Procedure::clone):
3345         (JSC::B3::Procedure::addIntConstant):
3346         (JSC::B3::Procedure::dump):
3347         (JSC::B3::Procedure::deleteStackSlot):
3348         (JSC::B3::Procedure::deleteVariable):
3349         (JSC::B3::Procedure::deleteValue):
3350         (JSC::B3::Procedure::deleteOrphans):
3351         (JSC::B3::Procedure::calleeSaveRegisters):
3352         (JSC::B3::Procedure::addValueImpl):
3353         (JSC::B3::Procedure::setBlockOrderImpl):
3354         (JSC::B3::Procedure::addAnonymousStackSlot): Deleted.
3355         (JSC::B3::Procedure::addStackSlotIndex): Deleted.
3356         (JSC::B3::Procedure::addValueIndex): Deleted.
3357         * b3/B3Procedure.h:
3358         (JSC::B3::Procedure::setBlockOrder):
3359         (JSC::B3::Procedure::stackSlots):
3360         (JSC::B3::Procedure::variables):
3361         (JSC::B3::Procedure::values):
3362         (JSC::B3::Procedure::StackSlotsCollection::StackSlotsCollection): Deleted.
3363         (JSC::B3::Procedure::StackSlotsCollection::size): Deleted.
3364         (JSC::B3::Procedure::StackSlotsCollection::at): Deleted.
3365         (JSC::B3::Procedure::StackSlotsCollection::operator[]): Deleted.
3366         (JSC::B3::Procedure::StackSlotsCollection::iterator::iterator): Deleted.
3367         (JSC::B3::Procedure::StackSlotsCollection::iterator::operator*): Deleted.
3368         (JSC::B3::Procedure::StackSlotsCollection::iterator::operator++): Deleted.
3369         (JSC::B3::Procedure::StackSlotsCollection::iterator::operator==): Deleted.
3370         (JSC::B3::Procedure::StackSlotsCollection::iterator::operator!=): Deleted.
3371         (JSC::B3::Procedure::StackSlotsCollection::iterator::findNext): Deleted.
3372         (JSC::B3::Procedure::StackSlotsCollection::begin): Deleted.
3373         (JSC::B3::Procedure::StackSlotsCollection::end): Deleted.
3374         (JSC::B3::Procedure::ValuesCollection::ValuesCollection): Deleted.
3375         (JSC::B3::Procedure::ValuesCollection::iterator::iterator): Deleted.
3376         (JSC::B3::Procedure::ValuesCollection::iterator::operator*): Deleted.
3377         (JSC::B3::Procedure::ValuesCollection::iterator::operator++): Deleted.
3378         (JSC::B3::Procedure::ValuesCollection::iterator::operator==): Deleted.
3379         (JSC::B3::Procedure::ValuesCollection::iterator::operator!=): Deleted.
3380         (JSC::B3::Procedure::ValuesCollection::iterator::findNext): Deleted.
3381         (JSC::B3::Procedure::ValuesCollection::begin): Deleted.
3382         (JSC::B3::Procedure::ValuesCollection::end): Deleted.
3383         (JSC::B3::Procedure::ValuesCollection::size): Deleted.
3384         (JSC::B3::Procedure::ValuesCollection::at): Deleted.
3385         (JSC::B3::Procedure::ValuesCollection::operator[]): Deleted.
3386         * b3/B3ProcedureInlines.h:
3387         (JSC::B3::Procedure::add):
3388         * b3/B3ReduceStrength.cpp:
3389         * b3/B3SlotBaseValue.h:
3390         * b3/B3SparseCollection.h: Added.
3391         (JSC::B3::SparseCollection::SparseCollection):
3392         (JSC::B3::SparseCollection::add):
3393         (JSC::B3::SparseCollection::addNew):
3394         (JSC::B3::SparseCollection::remove):
3395         (JSC::B3::SparseCollection::size):
3396         (JSC::B3::SparseCollection::isEmpty):
3397         (JSC::B3::SparseCollection::at):
3398         (JSC::B3::SparseCollection::operator[]):
3399         (JSC::B3::SparseCollection::iterator::iterator):
3400         (JSC::B3::SparseCollection::iterator::operator*):
3401         (JSC::B3::SparseCollection::iterator::operator++):
3402         (JSC::B3::SparseCollection::iterator::operator==):
3403         (JSC::B3::SparseCollection::iterator::operator!=):
3404         (JSC::B3::SparseCollection::iterator::findNext):
3405         (JSC::B3::SparseCollection::begin):
3406         (JSC::B3::SparseCollection::end):
3407         * b3/B3StackSlot.cpp:
3408         (JSC::B3::StackSlot::deepDump):
3409         (JSC::B3::StackSlot::StackSlot):
3410         * b3/B3StackSlot.h:
3411         (JSC::B3::StackSlot::byteSize):
3412         (JSC::B3::StackSlot::index):
3413         (JSC::B3::StackSlot::setOffsetFromFP):
3414         (JSC::B3::StackSlot::kind): Deleted.
3415         (JSC::B3::StackSlot::isLocked): Deleted.
3416         * b3/B3StackSlotKind.cpp: Removed.
3417         * b3/B3StackSlotKind.h: Removed.
3418         * b3/B3StackmapValue.cpp:
3419         (JSC::B3::StackmapValue::dumpMeta):
3420         (JSC::B3::StackmapValue::StackmapValue):
3421         * b3/B3StackmapValue.h:
3422         * b3/B3SwitchValue.cpp:
3423         (JSC::B3::SwitchValue::cloneImpl):
3424         (JSC::B3::SwitchValue::SwitchValue):
3425         * b3/B3SwitchValue.h:
3426         * b3/B3UpsilonValue.h:
3427         * b3/B3Validate.cpp:
3428         * b3/B3Value.cpp:
3429         (JSC::B3::Value::replaceWithIdentity):
3430         (JSC::B3::Value::replaceWithNop):
3431         (JSC::B3::Value::replaceWithPhi):
3432         (JSC::B3::Value::dump):
3433         (JSC::B3::Value::effects):
3434         (JSC::B3::Value::checkOpcode):
3435         * b3/B3Value.h:
3436         * b3/B3Variable.cpp: Added.
3437         (JSC::B3::Variable::~Variable):
3438         (JSC::B3::Variable::dump):
3439         (JSC::B3::Variable::deepDump):
3440         (JSC::B3::Variable::Variable):
3441         * b3/B3Variable.h: Added.
3442         (JSC::B3::Variable::type):
3443         (JSC::B3::Variable::index):
3444         (JSC::B3::DeepVariableDump::DeepVariableDump):
3445         (JSC::B3::DeepVariableDump::dump):
3446         (JSC::B3::deepDump):
3447         * b3/B3VariableValue.cpp: Added.
3448         (JSC::B3::VariableValue::~VariableValue):
3449         (JSC::B3::VariableValue::dumpMeta):
3450         (JSC::B3::VariableValue::cloneImpl):
3451         (JSC::B3::VariableValue::VariableValue):
3452         * b3/B3VariableValue.h: Added.
3453         * b3/air/AirAllocateStack.cpp:
3454         (JSC::B3::Air::allocateStack):
3455         * b3/air/AirCode.cpp:
3456         (JSC::B3::Air::Code::addStackSlot):
3457         (JSC::B3::Air::Code::addSpecial):
3458         (JSC::B3::Air::Code::cCallSpecial):
3459         * b3/air/AirCode.h:
3460         (JSC::B3::Air::Code::begin):
3461         (JSC::B3::Air::Code::end):
3462         (JSC::B3::Air::Code::stackSlots):
3463         (JSC::B3::Air::Code::specials):
3464         (JSC::B3::Air::Code::forAllTmps):
3465         (JSC::B3::Air::Code::StackSlotsCollection::StackSlotsCollection): Deleted.
3466         (JSC::B3::Air::Code::StackSlotsCollection::size): Deleted.
3467         (JSC::B3::Air::Code::StackSlotsCollection::at): Deleted.
3468         (JSC::B3::Air::Code::StackSlotsCollection::operator[]): Deleted.
3469         (JSC::B3::Air::Code::StackSlotsCollection::iterator::iterator): Deleted.
3470         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator*): Deleted.
3471         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator++): Deleted.
3472         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator==): Deleted.
3473         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator!=): Deleted.
3474         (JSC::B3::Air::Code::StackSlotsCollection::begin): Deleted.
3475         (JSC::B3::Air::Code::StackSlotsCollection::end): Deleted.
3476         (JSC::B3::Air::Code::SpecialsCollection::SpecialsCollection): Deleted.
3477         (JSC::B3::Air::Code::SpecialsCollection::size): Deleted.
3478         (JSC::B3::Air::Code::SpecialsCollection::at): Deleted.
3479         (JSC::B3::Air::Code::SpecialsCollection::operator[]): Deleted.
3480         (JSC::B3::Air::Code::SpecialsCollection::iterator::iterator): Deleted.
3481         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator*): Deleted.
3482         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator++): Deleted.
3483         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator==): Deleted.
3484         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator!=): Deleted.
3485         (JSC::B3::Air::Code::SpecialsCollection::begin): Deleted.
3486         (JSC::B3::Air::Code::SpecialsCollection::end): Deleted.
3487         * b3/air/AirFixObviousSpills.cpp:
3488         * b3/air/AirInstInlines.h:
3489         * b3/air/AirIteratedRegisterCoalescing.cpp:
3490         * b3/air/AirLiveness.h:
3491         * b3/air/AirLowerAfterRegAlloc.cpp:
3492         (JSC::B3::Air::lowerAfterRegAlloc):
3493         * b3/air/AirSpecial.cpp:
3494         (JSC::B3::Air::Special::Special):
3495         * b3/air/AirSpecial.h:
3496         * b3/air/AirSpillEverything.cpp:
3497         (JSC::B3::Air::spillEverything):
3498         * b3/air/AirStackSlot.cpp:
3499         (JSC::B3::Air::StackSlot::dump):
3500         (JSC::B3::Air::StackSlot::deepDump):
3501         (JSC::B3::Air::StackSlot::StackSlot):
3502         * b3/air/AirStackSlot.h:
3503         (JSC::B3::Air::StackSlot::byteSize):
3504         (JSC::B3::Air::StackSlot::kind):
3505         (JSC::B3::Air::StackSlot::isLocked):
3506         (JSC::B3::Air::StackSlot::isSpill):
3507         (JSC::B3::Air::StackSlot::index):
3508         (JSC::B3::Air::StackSlot::ensureSize):
3509         * b3/air/AirStackSlotKind.cpp: Copied from Source/JavaScriptCore/b3/B3StackSlotKind.cpp.
3510         (WTF::printInternal):
3511         * b3/air/AirStackSlotKind.h: Copied from Source/JavaScriptCore/b3/B3StackSlotKind.h.
3512         * b3/air/opcode_generator.rb:
3513         * b3/air/testair.cpp:
3514         (JSC::B3::Air::testShuffleBroadcastAllRegs):
3515         (JSC::B3::Air::testShuffleShiftAllRegs):
3516         (JSC::B3::Air::testShuffleRotateAllRegs):
3517         * b3/testb3.cpp:
3518         (JSC::B3::testStackSlot):
3519         (JSC::B3::testStoreLoadStackSlot):
3520         * ftl/FTLB3Output.cpp:
3521         (JSC::FTL::Output::lockedStackSlot):
3522         (JSC::FTL::Output::neg):
3523         * ftl/FTLLowerDFGToLLVM.cpp:
3524         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
3525
3526 2016-02-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3527
3528         [JSC] Introduce BytecodeIntrinsic constant rep like @undefined
3529         https://bugs.webkit.org/show_bug.cgi?id=153737
3530
3531         Reviewed by Darin Adler.
3532
3533         This patch enhances existing BytecodeIntrinsic mechanism to accept `@xxx` form,
3534         that will be used to represent bytecode intrinsic constants.
3535         After this change, we can use 2 forms for bytecode intrinsics: (1) Function form (like @toString(value))
3536         and (2) Constant form (like @undefined).
3537
3538         Bytecode intrinsic constants allow us to easily expose constant values from C++ world.
3539         For example, we can expose ArrayIterationKind flags to JS world without using private global variables.
3540         Exposed constant values are loaded from bytecodes directly through constant registers.
3541         While previously we exposed them through private global variables, bytecode intrinsic constants
3542         can be loaded directly from CodeBlock. And later, they will become JSConstant in DFG.
3543
3544         And by using this mechanism, we implement several constants: @undefined, @arrayIterationKindKeyValue, etc.
3545
3546         * builtins/ArrayConstructor.js:
3547         (from):
3548         * builtins/ArrayIteratorPrototype.js:
3549         (next):
3550         * builtins/ArrayPrototype.js:
3551         (reduce):
3552         (reduceRight):
3553         (every):
3554         (forEach):
3555         (filter):
3556         (map):
3557         (some):
3558         (fill):
3559         (find):
3560         (findIndex):
3561         (includes):
3562         (sort.compactSparse):
3563         (sort.compactSlow):
3564         (sort.compact):
3565         (sort):
3566         (copyWithin):
3567         * builtins/DatePrototype.js:
3568         (toLocaleString.toDateTimeOptionsAnyAll):
3569         (toLocaleString):
3570         (toLocaleDateString.toDateTimeOptionsDateDate):
3571         (toLocaleDateString):
3572         (toLocaleTimeString.toDateTimeOptionsTimeTime):
3573         (toLocaleTimeString):
3574         * builtins/GeneratorPrototype.js:
3575         (generatorResume):
3576         * builtins/GlobalObject.js:
3577         (isDictionary):
3578         * builtins/InternalPromiseConstructor.js:
3579         (internalAll.newResolveElement):
3580         (internalAll):
3581         * builtins/IteratorPrototype.js:
3582         (symbolIteratorGetter):
3583         (symbolIterator): Deleted.
3584         * builtins/MapPrototype.js:
3585         (forEach):
3586         * builtins/ModuleLoaderObject.js:
3587         (newRegistryEntry):
3588         (forceFulfillPromise):
3589         (commitInstantiated):
3590         (requestFetch):
3591         (requestTranslate):
3592         (requestInstantiate):
3593         (requestLink):
3594         (provide):
3595         * builtins/PromiseConstructor.js:
3596         (all.newResolveElement):
3597         (all):
3598         (race):
3599         (reject):
3600         (resolve):
3601         * builtins/PromiseOperations.js:
3602         (newPromiseCapability.executor):
3603         (newPromiseCapability):
3604         (rejectPromise):
3605         (fulfillPromise):
3606         (createResolvingFunctions.resolve):
3607         (createResolvingFunctions.reject):
3608         (createResolvingFunctions):
3609         (promiseReactionJob):
3610         (promiseResolveThenableJob):
3611         (initializePromise):
3612         * builtins/PromisePrototype.js:
3613         (catch):
3614         (then):
3615         * builtins/SetPrototype.js:
3616         (forEach):
3617         * builtins/StringConstructor.js:
3618         (raw):
3619         * builtins/StringIteratorPrototype.js:
3620         (next):
3621         * builtins/StringPrototype.js:
3622         (localeCompare):
3623         * builtins/TypedArrayConstructor.js:
3624         (of):
3625         (from):
3626         * builtins/TypedArrayPrototype.js:
3627         (every):
3628         (find):
3629         (findIndex):
3630         (forEach):
3631         (some):
3632         (reduce):
3633         (reduceRight):
3634         (map):
3635         (filter):
3636         * bytecode/BytecodeIntrinsicRegistry.cpp:
3637         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3638         (JSC::BytecodeIntrinsicRegistry::lookup):
3639         * bytecode/BytecodeIntrinsicRegistry.h:
3640         * bytecompiler/NodesCodegen.cpp:
3641         * parser/ASTBuilder.h:
3642         (JSC::ASTBuilder::createResolve):
3643         (JSC::ASTBuilder::makeFunctionCallNode):
3644         * parser/NodeConstructors.h:
3645         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
3646         * parser/Nodes.h:
3647         (JSC::ExpressionNode::isBytecodeIntrinsicNode):
3648         (JSC::BytecodeIntrinsicNode::type):
3649         (JSC::BytecodeIntrinsicNode::emitter):
3650         * parser/Parser.cpp:
3651         (JSC::Parser<LexerType>::parseProperty):
3652         (JSC::Parser<LexerType>::parsePrimaryExpression):
3653         * parser/SyntaxChecker.h:
3654         (JSC::SyntaxChecker::createResolve):
3655         * runtime/CommonIdentifiers.cpp:
3656         (JSC::CommonIdentifiers::CommonIdentifiers): Deleted.
3657         * runtime/CommonIdentifiers.h:
3658         (JSC::CommonIdentifiers::bytecodeIntrinsicRegistry): Deleted.
3659         * runtime/IteratorPrototype.cpp:
3660         (JSC::IteratorPrototype::finishCreation):
3661         * runtime/JSGlobalObject.cpp:
3662         (JSC::JSGlobalObject::init): Deleted.
3663         * runtime/VM.cpp:
3664         (JSC::VM::VM):
3665         * runtime/VM.h:
3666         (JSC::VM::bytecodeIntrinsicRegistry):
3667
3668 2016-02-02  Per Arne Vollan  <peavo@outlook.com>
3669
3670         [B3][Win64] Compile fixes.
3671         https://bugs.webkit.org/show_bug.cgi?id=153605
3672
3673         Reviewed by Filip Pizlo.
3674
3675         Fix remaining compile errors on Win64.
3676
3677         * CMakeLists.txt:
3678         * b3/B3CFG.h:
3679         (JSC::B3::CFG::newMap):
3680         * ftl/FTLJITCode.h:
3681
3682 2016-02-01  Chris Dumez  <cdumez@apple.com>
3683
3684         object.__lookupGetter__() / object.__lookupSetter__() does not work for native bindings
3685         https://bugs.webkit.org/show_bug.cgi?id=153765
3686         <rdar://problem/24439699>
3687
3688         Reviewed by Oliver Hunt.
3689
3690         Add support for CustomAccessor slots to objectProtoFuncLookupGetter() and
3691         objectProtoFuncLookupSetter() by returning getOwnPropertyDescriptor().get / set.
3692         getOwnPropertyDescriptor() now correctly deals with CustomAccessors since
3693         r196001.
3694
3695         * runtime/ObjectPrototype.cpp:
3696         (JSC::objectProtoFuncLookupGetter):
3697         (JSC::objectProtoFuncLookupSetter):
3698
3699 2016-02-01  Chris Dumez  <cdumez@apple.com>
3700
3701         Native Bindings Descriptors are Incomplete
3702         https://bugs.webkit.org/show_bug.cgi?id=140575
3703         <rdar://problem/19506502>
3704
3705         Reviewed by Oliver Hunt.
3706
3707         This patch is based on initial work by Joe Pecoraro and Matthew Mirman.
3708
3709         This patch was initially rolled out for breaking chromeexperiments.com,
3710         presumably because our IDL attributes were not marked as [configurable]
3711         at the time. However, since r190104, our IDL attributes are now
3712         configurable. Based on local testing, chromeexperiments.com seems to be
3713         working fine now.
3714
3715         * JavaScriptCore.xcodeproj/project.pbxproj:
3716         * inspector/InjectedScriptSource.js:
3717         (endsWith):
3718         (InjectedScript.prototype.processProperties):
3719         * runtime/JSBoundSlotBaseFunction.cpp: Added.
3720         (JSC::boundSlotBaseFunctionCall):
3721         (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction):
3722         (JSC::JSBoundSlotBaseFunction::create):
3723         (JSC::JSBoundSlotBaseFunction::visitChildren):
3724         (JSC::JSBoundSlotBaseFunction::finishCreation):
3725         * runtime/JSBoundSlotBaseFunction.h: Added.
3726         (JSC::JSBoundSlotBaseFunction::createStructure):
3727         (JSC::JSBoundSlotBaseFunction::boundSlotBase):
3728         (JSC::JSBoundSlotBaseFunction::customGetterSetter):
3729         (JSC::JSBoundSlotBaseFunction::isSetter):
3730         * runtime/JSGlobalObject.cpp:
3731         (JSC::JSGlobalObject::init):
3732         (JSC::JSGlobalObject::visitChildren):
3733         * runtime/JSGlobalObject.h:
3734         (JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
3735         * runtime/JSObject.cpp:
3736         (JSC::getBoundSlotBaseFunctionForGetterSetter):
3737         (JSC::JSObject::getOwnPropertyDescriptor):
3738         * runtime/VM.cpp:
3739         (JSC::VM::VM):
3740         * runtime/VM.h:
3741
3742 2016-02-01  Joseph Pecoraro  <pecoraro@apple.com>
3743
3744         Web Inspector: High Level Memory Overview Instrument
3745         https://bugs.webkit.org/show_bug.cgi?id=153516
3746         <rdar://problem/24356378>
3747
3748         Reviewed by Brian Burg.
3749
3750         * CMakeLists.txt:
3751         * Configurations/FeatureDefines.xcconfig:
3752         * DerivedSources.make:
3753         * inspector/protocol/Memory.json: Added.
3754         * inspector/scripts/codegen/generator.py:
3755         New Memory domain guarded by ENABLE(RESOURCE_USAGE).
3756         This feature flag was already used in WebCore.
3757
3758 2016-02-01  Benjamin Poulain  <benjamin@webkit.org>
3759
3760         [JSC] IRC can coalesce the frame pointer with a Tmp that is modified
3761         https://bugs.webkit.org/show_bug.cgi?id=153694
3762
3763         Reviewed by Filip Pizlo.
3764
3765         Let's say we have:
3766             Move(FP, Tmp1)
3767             Add64(#1, Tmp1)
3768
3769         If we were to coalesce the Move, we would modify the frame pointer.
3770         Well, that's exactly what was happening with IRC.
3771
3772         Since the epilogue is not known to Air before IRC, the liveness analysis
3773         never discovers that FP is live when Tmp1 is UseDef by Add64. Adding
3774         FP would be a problem anyway for a bunch of reasons.
3775
3776         I tried two ways to prevent IRC from overriding IRC:
3777         1) Add an interference edge with FP for all non-duplication Defs.
3778         2) Let coalesce() know about FP and constrain any coalescing with a re-Def.
3779
3780         The two are within margin of error for performance. The second one was considerably
3781         more complicated. This patch implements the first one.
3782
3783         Some extra notes:
3784         - It is very important to not increment the degree of a Tmp when making it interfere
3785           with FP. FP is not a valid color, it is not counted in the "K" colors considered
3786           for coloring. Increasing the degree with the edge to FP would make every stage
3787           pessimistic since there is an extra degree that can never be removed.
3788         - I put "interferenceEdges" and "adjacencyList" in an inconsistent state.
3789           This is intentional, "interferenceEdges" is used to test the existence of an edge,
3790           "adjacencyList" is used to go over all the edges. In this case, we don't want
3791           the edge with FP to be considered when pruning the graph.
3792
3793         * b3/air/AirIteratedRegisterCoalescing.cpp:
3794         One branch could be transformed into an assertion: TmpLiveness is type specific now.
3795         * b3/testb3.cpp:
3796         (JSC::B3::testOverrideFramePointer):
3797         (JSC::B3::run):
3798
3799 2016-02-01  Csaba Osztrogonác  <ossy@webkit.org>
3800
3801         Unreviewed speculative buildfix.
3802
3803         * dfg/DFGCommon.h: FTL_USES_B3 should be false if FTL JIT is disabled.
3804
3805 2016-01-31  Dan Bernstein  <mitz@apple.com>
3806
3807         [Cocoa] Remove unused definition of HAVE_HEADER_DETECTION_H
3808         https://bugs.webkit.org/show_bug.cgi?id=153729
3809
3810         Reviewed by Sam Weinig.
3811
3812         After r141700, HAVE_HEADER_DETECTION_H is no longer used.
3813
3814         * Configurations/Base.xcconfig:
3815
3816 2016-01-30  Filip Pizlo  <fpizlo@apple.com>
3817
3818         B3->Air lowering should use MoveFloat more
3819         https://bugs.webkit.org/show_bug.cgi?id=153714
3820
3821         Reviewed by Sam Weinig.
3822
3823         This is a very minor and benign bug. It just means that we will use the more canonical
3824         MoveFloat instruction when moving floats, rather than using MoveDouble.
3825
3826         * b3/B3LowerToAir.cpp:
3827         (JSC::B3::Air::LowerToAir::relaxedMoveForType):
3828
3829 2016-01-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3830
3831         Should not predict OtherObj for ToThis with primitive types under strict mode
3832         https://bugs.webkit.org/show_bug.cgi?id=153544
3833
3834         Reviewed by Filip Pizlo.
3835
3836         Currently, ToThis predicts OtherObj for primitive values.
3837         But it's not true in strict mode.
3838         In strict mode, ToThis does nothing on primitive values.
3839
3840         In this patch, we
3841
3842         1. fix prediction. Handles primitive types in strict mode. And we also handle StringObject.
3843         2. convert it to Identity if the argument should be predicted as primitive types.
3844
3845         This optimization is important to implement Primitive.prototype.methods[1].
3846         Otherwise, we always get BadType OSR exits.
3847
3848         [1]: https://bugs.webkit.org/show_bug.cgi?id=143889
3849
3850         * dfg/DFGAbstractInterpreterInlines.h:
3851         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3852         * dfg/DFGConstantFoldingPhase.cpp:
3853         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3854         * dfg/DFGFixupPhase.cpp:
3855         (JSC::DFG::FixupPhase::fixupNode):
3856         (JSC::DFG::FixupPhase::fixupToThis):
3857         * dfg/DFGPredictionPropagationPhase.cpp:
3858         (JSC::DFG::PredictionPropagationPhase::propagate):
3859         * tests/stress/to-this-boolean.js: Added.
3860         (Boolean.prototype.negate):
3861         (Boolean.prototype.negate2):
3862         * tests/stress/to-this-double.js: Added.
3863         (Number.prototype.negate):
3864         * tests/stress/to-this-int32.js: Added.
3865         (Number.prototype.negate):
3866         * tests/stress/to-this-int52.js: Added.
3867         (Number.prototype.negate):
3868         * tests/stress/to-this-number.js: Added.
3869         (Number.prototype.negate):
3870         * tests/stress/to-this-string.js: Added.
3871         (String.prototype.prefix):
3872         (String.prototype.first):
3873         (String.prototype.second):
3874         * tests/stress/to-this-symbol.js: Added.
3875         (Symbol.prototype.identity):
3876         (Symbol.prototype.identity2):
3877
3878 2016-01-31  Guillaume Emont  <guijemont@igalia.com>
3879
3880         [mips] don't save to a callee saved register too early
3881         https://bugs.webkit.org/show_bug.cgi?id=153463
3882
3883         If we save $gp to $s4 in pichdr, then in some cases, we were
3884         overwriting $s4 before LLInt's pushCalleeSaves() is called (as pichdr
3885         is at the very beginning of a function). Now we save $gp to $s4 at the
3886         end of pushCalleeSaves().
3887
3888         Reviewed by Michael Saboff.
3889
3890         * offlineasm/mips.rb:
3891         * llint/LowLevelInterpreter.asm:
3892         Move the saving of $gp to $s4 from pichdr to pushCalleeSaves(). Take
3893         the opportunity to only save $s4 as we never use the other callee
3894         saved registers.
3895
3896 2016-01-30  Commit Queue  <commit-queue@webkit.org>
3897
3898         Unreviewed, rolling out r195799 and r195828.
3899         https://bugs.webkit.org/show_bug.cgi?id=153722
3900
3901         Caused assertion failures, severely affecting EWS (Requested
3902         by ap on #webkit).
3903
3904         Reverted changesets:
3905
3906         "Web Inspector: InspectorTimelineAgent doesn't need to
3907         recompile functions because it now uses the sampling profiler"
3908         https://bugs.webkit.org/show_bug.cgi?id=153500
3909         http://trac.webkit.org/changeset/195799
3910
3911         "Attempt to fix the Windows build after r195799"
3912         http://trac.webkit.org/changeset/195828
3913
3914 2016-01-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3915
3916         [B3] JetStream/quicksort.c fails/hangs on Linux with GCC
3917         https://bugs.webkit.org/show_bug.cgi?id=153647
3918
3919         Reviewed by Filip Pizlo.
3920
3921         In B3ComputeDivisionMagic, we accidentally perform sub and add operations on a signed integer. (In this case, int32_t)
3922         But integer overflow is undefined behavior in C![1][2]
3923         As a result, in GCC 4.9 release build, computeDivisionMagic(2) returns unexpected value.
3924         `divisor = 2`
3925         `d = 2`
3926         `signedMin = INT32_MIN = -2147483647 (-0x7fffffff)`
3927         `t = signedMin`
3928         `anc = t - 1 - (t % ad)` Oops, we performed an overflowing operation!
3929
3930         So, `anc` value becomes undefined.
3931         In this patch, we first cast all the operated values to unsigned one.
3932         Reading the code, there are no operations that depend on signedness. (For example, we used aboveEqual-like unsigned operations for comparison.)
3933
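The overflow this entry describes and the all-unsigned fix it applies, as an added example that is not code from WebKit's B3ComputeDivisionMagic: a check that evaluates the faulty `anc = t - 1 - (t % ad)` step in 64-bit arithmetic to report whether the int32_t version would overflow (so the check itself never hits the undefined behaviour), plus the magic-number computation done entirely in uint32_t and cross-checked against real division. The algorithm is the Hacker's Delight "magic" routine rather than B3's own code; the struct, function names and sample dividends are this example's assumptions, and the check is run for divisors beyond the entry's divisor 2.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Magic multiplier and post-shift for signed 32-bit division by a constant
   (Hacker's Delight style). Struct and field names are this example's own,
   not B3's DivisionMagic API. */
typedef struct {
    int32_t multiplier;
    int shift;
} DivisionMagic;

/* Evaluates the entry's faulty step `anc = t - 1 - (t % ad)` in 64-bit
   arithmetic and reports whether the int32_t version would overflow
   (undefined behaviour in C), without triggering that overflow itself. */
bool signedMagicWouldOverflow(int32_t divisor)
{
    int32_t ad = divisor < 0 ? -divisor : divisor;       /* |d|; d != INT32_MIN */
    int32_t t = divisor < 0 ? INT32_MIN + 1 : INT32_MIN;  /* signedMin + sign bit of d */
    int64_t anc = (int64_t)t - 1 - ((int64_t)t % ad);
    return anc < INT32_MIN || anc > INT32_MAX;
}

/* The fixed form: every intermediate is uint32_t, so wrap-around is
   well-defined. Precondition: divisor not in {0, 1, -1, INT32_MIN}. */
DivisionMagic computeDivisionMagic(int32_t divisor)
{
    const uint32_t two31 = 0x80000000u;
    uint32_t ad = divisor < 0 ? 0u - (uint32_t)divisor : (uint32_t)divisor;
    uint32_t t = two31 + ((uint32_t)divisor >> 31);
    uint32_t anc = t - 1 - t % ad;                       /* |nc|: wraps, never UB */
    int p = 31;
    uint32_t q1 = two31 / anc, r1 = two31 - q1 * anc;   /* 2^p / |nc|, remainder */
    uint32_t q2 = two31 / ad, r2 = two31 - q2 * ad;     /* 2^p / |d|, remainder */
    uint32_t delta;
    do {
        p++;
        q1 = 2 * q1; r1 = 2 * r1;
        if (r1 >= anc) { q1++; r1 -= anc; }
        q2 = 2 * q2; r2 = 2 * r2;
        if (r2 >= ad) { q2++; r2 -= ad; }
        delta = ad - r2;
    } while (q1 < delta || (q1 == delta && r1 == 0));
    uint32_t magic = q2 + 1;
    if (divisor < 0)
        magic = 0u - magic;
    DivisionMagic m;
    m.multiplier = (int32_t)magic;  /* reinterpret the bit pattern as signed */
    m.shift = p - 32;
    return m;
}

/* n / divisor using only a high multiply, an add and a shift: the sequence
   the magic number lets a compiler emit instead of a hardware division. */
int32_t divideByMagic(int32_t n, int32_t divisor, DivisionMagic m)
{
    int32_t q = (int32_t)(((int64_t)m.multiplier * n) >> 32);  /* high 32 bits */
    if (divisor > 0 && m.multiplier < 0) q += n;
    if (divisor < 0 && m.multiplier > 0) q -= n;
    q >>= m.shift;                            /* arithmetic shift on mainstream ABIs */
    return q + (int32_t)((uint32_t)q >> 31);  /* +1 if negative: truncate toward zero */
}

/* Cross-checks the magic-number quotient against hardware division for a
   constructed set of edge-case dividends. */
bool magicMatchesDivision(int32_t divisor)
{
    static const int32_t samples[] = { 0, 1, -1, 2, -2, 7, -7, 100, -100, 12345,
                                       -12345, INT32_MAX, INT32_MIN, INT32_MAX - 1, INT32_MIN + 1 };
    DivisionMagic m = computeDivisionMagic(divisor);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (divideByMagic(samples[i], divisor, m) != samples[i] / divisor)
            return false;
    return true;
}
```

For the entry's divisor 2 the int32_t form overflows (t is INT32_MIN and t % 2 is 0, so t - 1 leaves the range), while the unsigned form yields multiplier 0x80000001 with shift 0 and divides correctly for every sample.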