da5470c0811a16f4fa159db1f6aa38a0f77e6d43
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
2
3         ToThis should have a fast path based on type info flags
4         https://bugs.webkit.org/show_bug.cgi?id=156712
5
6         Reviewed by Geoffrey Garen.
7
8         Prior to this change, if we couldn't nail down the type of ToThis to something easy, we'd emit code
9         that would take slow path if the argument was not a final object. We'd end up taking that slow path
10         a lot.
11
12         This adds a type info flag for ToThis having non-obvious behavior and changes the DFG and FTL paths
13         to test this flag. This is a sub-1% speed-up on SunSpider and Octane.
14
15         * dfg/DFGSpeculativeJIT32_64.cpp:
16         (JSC::DFG::SpeculativeJIT::compile):
17         * dfg/DFGSpeculativeJIT64.cpp:
18         (JSC::DFG::SpeculativeJIT::compile):
19         * ftl/FTLLowerDFGToB3.cpp:
20         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
21         * runtime/JSGlobalObject.h:
22         (JSC::JSGlobalObject::create):
23         * runtime/JSLexicalEnvironment.h:
24         (JSC::JSLexicalEnvironment::create):
25         * runtime/JSString.h:
26         * runtime/JSTypeInfo.h:
27         (JSC::TypeInfo::overridesGetOwnPropertySlot):
28         (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
29         (JSC::TypeInfo::structureIsImmortal):
30         (JSC::TypeInfo::overridesToThis):
31         (JSC::TypeInfo::overridesGetPropertyNames):
32         (JSC::TypeInfo::prohibitsPropertyCaching):
33         (JSC::TypeInfo::getOwnPropertySlotIsImpure):
34         * runtime/StrictEvalActivation.h:
35         (JSC::StrictEvalActivation::create):
36         * runtime/Symbol.h:
37
38 2016-04-18  Filip Pizlo  <fpizlo@apple.com>
39
40         Check to see how the perf bots react to megamorphic load being disabled.
41
42         Rubber stamped by Chris Dumez.
43
44         * runtime/Options.h:
45
46 2016-04-18  Keith Miller  <keith_miller@apple.com>
47
48         We should support delete in the DFG
49         https://bugs.webkit.org/show_bug.cgi?id=156607
50
51         Reviewed by Benjamin Poulain.
52
53         This patch adds support for the delete in the DFG as it appears that
54         some major frameworks use the operation in particularly hot functions.
55         As a result, even if the function rarely ever calls delete we would never
56         tier up to the DFG. This patch also changes operationDeleteById to take a
57         UniquedStringImpl and return a size_t.
58
59         * dfg/DFGAbstractInterpreterInlines.h:
60         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
61         * dfg/DFGByteCodeParser.cpp:
62         (JSC::DFG::ByteCodeParser::parseBlock):
63         * dfg/DFGCapabilities.cpp:
64         (JSC::DFG::capabilityLevel):
65         * dfg/DFGClobberize.h:
66         (JSC::DFG::clobberize):
67         * dfg/DFGDoesGC.cpp:
68         (JSC::DFG::doesGC):
69         * dfg/DFGFixupPhase.cpp:
70         (JSC::DFG::FixupPhase::fixupNode):
71         * dfg/DFGNode.h:
72         (JSC::DFG::Node::hasIdentifier):
73         * dfg/DFGNodeType.h:
74         * dfg/DFGPredictionPropagationPhase.cpp:
75         (JSC::DFG::PredictionPropagationPhase::propagate):
76         * dfg/DFGSafeToExecute.h:
77         (JSC::DFG::safeToExecute):
78         * dfg/DFGSpeculativeJIT.cpp:
79         (JSC::DFG::SpeculativeJIT::compileDeleteById):
80         * dfg/DFGSpeculativeJIT.h:
81         (JSC::DFG::SpeculativeJIT::callOperation):
82         * dfg/DFGSpeculativeJIT32_64.cpp:
83         (JSC::DFG::SpeculativeJIT::compile):
84         * dfg/DFGSpeculativeJIT64.cpp:
85         (JSC::DFG::SpeculativeJIT::compile):
86         * jit/JIT.h:
87         * jit/JITInlines.h:
88         (JSC::JIT::callOperation):
89         * jit/JITOperations.cpp:
90         * jit/JITOperations.h:
91         * jit/JITPropertyAccess.cpp:
92         (JSC::JIT::emit_op_del_by_id):
93         * jit/JITPropertyAccess32_64.cpp:
94         (JSC::JIT::emit_op_del_by_id):
95
96 2016-04-17  Filip Pizlo  <fpizlo@apple.com>
97
98         FTL should pin the tag registers at inline caches
99         https://bugs.webkit.org/show_bug.cgi?id=156678
100
101         Reviewed by Saam Barati.
102
103         This is a long-overdue fix to our inline caches. Back when we had LLVM, we couldn't rely on the tags
104         being pinned to any registers. So, if the inline caches needed tags, they'd have to materialize them.
105         
106         This removes those materializations. This should reduce the amount of code generated in inline caches
107         and it should make inline caches faster. The effect appears to be small.
108
109         It may be that after this change, we'll even be able to kill the
110         HaveTagRegisters/DoNotHaveTagRegisters logic.
111
112         * bytecode/PolymorphicAccess.cpp:
113         (JSC::AccessCase::generateWithGuard):
114         (JSC::AccessCase::generateImpl):
115         * ftl/FTLLowerDFGToB3.cpp:
116         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
117         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
118         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
119         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
120         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
121         (JSC::FTL::DFG::LowerDFGToB3::getById):
122         * jit/Repatch.cpp:
123         (JSC::readCallTarget):
124         (JSC::linkPolymorphicCall):
125         * jit/ThunkGenerators.cpp:
126         (JSC::virtualThunkFor):
127
128 2016-04-18  Yusuke Suzuki  <utatane.tea@gmail.com>
129
130         [ES7] yield star should not return if the inner iterator.throw returns { done: true }
131         https://bugs.webkit.org/show_bug.cgi?id=156576
132
133         Reviewed by Saam Barati.
134
135         This is a slight generator fix in ES7. When calling generator.throw(),
136         the yield-star should call the throw() of the inner generator. At that
137         time, when the result of throw() is { done: true }, the generator should
138         not stop itself.
139
140             function * gen()
141             {
142                 yield * (function * () {
143                     try {
144                         yield 42;
145                     } catch (error) { }
146                 }());
147                 // Continue executing.
148                 yield 42;
149             }
150
151             let g = gen();
152             g.next();
153             shouldBe(g.throw().value, 42);
154
155
156         * builtins/GeneratorPrototype.js:
157         (generatorResume):
158         (next):
159         (return):
160         (throw):
161         * bytecode/BytecodeIntrinsicRegistry.cpp:
162         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
163         * bytecode/BytecodeIntrinsicRegistry.h:
164         * bytecompiler/BytecodeGenerator.cpp:
165         (JSC::BytecodeGenerator::emitDelegateYield):
166         * runtime/JSGeneratorFunction.h:
167         * tests/stress/generator-yield-star.js:
168         (gen):
169         * tests/stress/yield-star-throw-continue.js: Added.
170         (shouldBe):
171         (generator):
172         (shouldThrow):
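
        The delegation behaviour described in this entry, as an added example that is not part of the WebKit change or its test files. It goes beyond the generator case above: it also drives yield* with a hand-written iterator whose throw() reports { done: true } with a value, and with an iterator that has no throw() at all, where the spec requires yield* to close the inner iterator and raise a TypeError. The generators, iterators and helper names (runSequence, demo, and so on) are constructed here for illustration.

```javascript
// Added example (not from the WebKit change or its tests): what yield* does when
// generator.throw() is forwarded to the inner iterator. The generators, the
// hand-written iterators and the helper names are constructed for illustration.

// Drive a generator through a list of steps; each step is either a next() call
// or a throw(value). Results are flattened to "value:done" strings so they are
// easy to compare; an exception that escapes the generator becomes "threw:<name>".
function runSequence(makeGen, steps) {
  const g = makeGen();
  return steps.map((step) => {
    try {
      const r = 'throw' in step ? g.throw(step.throw) : g.next();
      return `${r.value}:${r.done}`;
    } catch (e) {
      return `threw:${e.constructor.name}`;
    }
  });
}

// Case 1 (the shape used in the change description): the inner generator catches
// the thrown value and then runs off its end, so its throw() result is
// { value: undefined, done: true }. The outer generator must not stop: the
// yield* expression evaluates to that value and execution continues.
function* delegatingToGenerator() {
  const result = yield* (function* () {
    try {
      yield 'inner';
    } catch (error) {
      // swallowed; the inner generator completes normally
    }
  })();
  yield result;      // undefined: the value of the completed inner result
  yield 'after';
}

// Case 2: a hand-written iterator whose throw() reports completion with a value.
// yield* must evaluate to that value ("recovered:...") instead of returning.
function recoveringIterator() {
  return {
    [Symbol.iterator]() { return this; },
    next() { return { value: 'inner', done: false }; },
    throw(e) { return { value: `recovered:${e.message}`, done: true }; },
  };
}
function* delegatingToRecovering() {
  const result = yield* recoveringIterator();
  yield result;
}

// Case 3: the inner iterator has no throw() method. The spec requires yield* to
// close the inner iterator (call its return()) and then throw a TypeError at
// the yield* site, where the outer generator can catch it.
function iteratorWithoutThrow(log) {
  return {
    [Symbol.iterator]() { return this; },
    next() { return { value: 'inner', done: false }; },
    return() { log.push('return called'); return { value: undefined, done: true }; },
  };
}
function* delegatingWithoutThrow(log) {
  try {
    yield* iteratorWithoutThrow(log);
  } catch (e) {
    log.push(e.constructor.name);
    yield `caught ${e.constructor.name}`;
  }
}

// Run all three cases and return their observable sequences.
function demo() {
  const boom = new Error('boom');
  const log = [];
  return {
    generator: runSequence(delegatingToGenerator, [{}, { throw: boom }, {}, {}]),
    recovering: runSequence(delegatingToRecovering, [{}, { throw: boom }, {}]),
    noThrow: runSequence(() => delegatingWithoutThrow(log), [{}, { throw: boom }]),
    noThrowLog: log,
  };
}

console.log(demo());
```

        In case 1 the second step is the one the entry is about: after throw() the outer generator yields the value of the completed inner result (undefined) instead of finishing, then carries on to 'after'. Case 3 is the failure mode a generator-based API should expect from a third-party iterator: the TypeError is raised inside the delegating generator, after return() has been called on the inner iterator.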
173
174 2016-04-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>
175
176         Fix incorrect assumption that APPLE implies Mac.
177         https://bugs.webkit.org/show_bug.cgi?id=156683
178     
179         Addresses build failure introduced in r199094
180
181         Reviewed by Alex Christensen.
182
183         * CMakeLists.txt:
184
185 2016-04-17  Benjamin Poulain  <bpoulain@apple.com>
186
187         [JSC] ReduceDoubleToFloat should work across Phis
188         https://bugs.webkit.org/show_bug.cgi?id=156603
189         <rdar://problem/25736205>
190
191         Reviewed by Saam Barati and Filip Pizlo.
192
193         This patch extends B3's ReduceDoubleToFloat phase to work across
194         Upsilon-Phis. This is important to optimize loops and some crazy cases.
195
196         In its simplest form, we can have conversion propagated from something
197         like this:
198             Double @1 = Phi()
199             Float @2 = DoubleToFloat(@1)
200
201         When that happens, we just need to propagate that the result only
202         needs float precision across all values coming to this Phi.
203
204
205         There are more complicated cases when the value produced is effectively Float
206         but the user of the value does not do DoubleToFloat.
207
208         Typically, we have something like:
209             #1
210                 @1 = ConstDouble(1)
211                 @2 = Upsilon(@1, ^5)
212             #2
213                 @3 = FloatToDouble(@x)
214                 @4 = Upsilon(@3, ^5)
215             #3
216                 @5 = Phi()
217                 @6 = Add(@5, @somethingFloat)
218                 @7 = DoubleToFloat(@6)
219
220         Here with a Phi-Upsilon that is a Double but can be represented
221         as Float without loss of precision.
222
223         It is valuable to convert such Phis to float if and only if the value
224         is used as float. Otherwise, you may be just adding useless conversions
225         (for example, two double constants that flow into a double Add should not
226         turn into two float constant flowing into a FloatToDouble then Add).
227
228
229         ReduceDoubleToFloat does two analysis passes to gather the necessary
230         meta information. Then we have a simplify() phase to actually reduce
231         operations. Finally, the cleanup() pass puts the graph into a valid
232         state again.
233
234         The two analysis passes work by disproving that something is float.
235         -findCandidates() accumulates anything used as Double.
236         -findPhisContainingFloat() accumulates phis that would lose precision
237          by converting the input to float.
238
239         With this change, Unity3D improves by ~1.5%, box2d-f32 improves
240         by ~2.8% (on Haswell).
241
242         * b3/B3ReduceDoubleToFloat.cpp:
243         (JSC::B3::reduceDoubleToFloat):
244         * b3/testb3.cpp:
245         (JSC::B3::testCompareTwoFloatToDouble):
246         (JSC::B3::testCompareOneFloatToDouble):
247         (JSC::B3::testCompareFloatToDoubleThroughPhi):
248         (JSC::B3::testDoubleToFloatThroughPhi):
249         (JSC::B3::testDoubleProducerPhiToFloatConversion):
250         (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
251         (JSC::B3::testDoubleProducerPhiWithNonFloatConst):
252         (JSC::B3::testStoreDoubleConstantAsFloat):
253         (JSC::B3::run):
254         * tests/stress/double-compare-to-float.js: Added.
255         (canSimplifyToFloat):
256         (canSimplifyToFloatWithConstant):
257         (cannotSimplifyA):
258         (cannotSimplifyB):
259         * tests/stress/double-to-float.js: Added.
260         (upsilonReferencingItsPhi):
261         (upsilonReferencingItsPhiAllFloat):
262         (upsilonReferencingItsPhiWithoutConversion):
263         (conversionPropagages):
264         (chainedUpsilonBothConvert):
265         (chainedUpsilonFirstConvert):
266
267 2016-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>
268
269         [ES6] Use @isObject to check Object Type instead of using instanceof
270         https://bugs.webkit.org/show_bug.cgi?id=156676
271
272         Reviewed by Darin Adler.
273
274         Use @isObject instead of `instanceof @Object`.
275         The `instanceof` check is not enough to check Object Type.
276         For example, given 2 realms, the object created in one realm does not inherit the Object of another realm.
277         Another example is that the object which does not inherit Object.
278         This object can be easily created by calling `Object.create(null)`.
279
280         * builtins/RegExpPrototype.js:
281         (match):
282         * jsc.cpp:
283         (GlobalObject::finishCreation):
284         (functionCreateGlobalObject):
285         * tests/stress/regexp-match-in-other-realm-should-work.js: Added.
286         (shouldBe):
287         * tests/stress/regexp-match-should-work-with-objects-not-inheriting-object-prototype.js: Added.
288         (shouldBe):
289         (regexp.exec):
290
291 2016-04-17  Darin Adler  <darin@apple.com>
292
293         Remove more uses of Deprecated::ScriptXXX
294         https://bugs.webkit.org/show_bug.cgi?id=156660
295
296         Reviewed by Antti Koivisto.
297
298         * bindings/ScriptFunctionCall.cpp:
299         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted
300         unneeded overloads that take a ScriptObject and ScriptValue.
301         * bindings/ScriptFunctionCall.h: Ditto.
302
303         * bindings/ScriptObject.h: Added operator so this can change
304         itself into a JSObject*. Helps while phasing this class out.
305
306         * bindings/ScriptValue.h: Export toInspectorValue so it can be
307         used in WebCore.
308
309         * inspector/InjectedScriptManager.cpp:
310         (Inspector::InjectedScriptManager::createInjectedScript): Changed
311         return value from Deprecated::ScriptObject to JSObject*.
312         (Inspector::InjectedScriptManager::injectedScriptFor): Updated for
313         the return value change above.
314         * inspector/InjectedScriptManager.h: Ditto.
315
316 2016-04-16  Benjamin Poulain  <bpoulain@webkit.org>
317
318         [JSC] DFG should support relational comparisons of Number and Other
319         https://bugs.webkit.org/show_bug.cgi?id=156669
320
321         Reviewed by Darin Adler.
322
323         In Sunspider/3d-raytrace, DFG falls back to JSValue in some important
324         relational compare because profiling sees "undefined" from time to time.
325
326         This case is fairly common outside Sunspider too because of out-of-bounds array access.
327         Unfortunately for us, our fallback for compare is really inefficient.
328
329         Fortunately, relational comparisons with null/undefined/true/false are trivial.
330         We can just convert both sides to Double. That's what this patch adds.
331
332         I also extended constant folding for those cases because I noticed
333         a bunch of "undefined" constants going through DoubleRep at runtime.
334
335         * dfg/DFGAbstractInterpreterInlines.h:
336         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
337         * dfg/DFGFixupPhase.cpp:
338         (JSC::DFG::FixupPhase::fixupNode):
339         * tests/stress/compare-number-and-other.js: Added.
340         (opaqueSideEffect):
341         (let.operator.of.operators.eval.testPolymorphic):
342         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.eval.testMonomorphic):
343         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicLeftConstant):
344         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.testMonomorphicRightConstant):
345         (let.operator.of.operators.let.left.of.typeCases.let.right.of.typeCases.i.testPolymorphic):
346
347 2016-04-16  Benjamin Poulain  <bpoulain@apple.com>
348
349         [JSC] FRound/Negate can produce an impure NaN out of a pure NaN
350         https://bugs.webkit.org/show_bug.cgi?id=156528
351
352         Reviewed by Filip Pizlo.
353
354         If you fround a double with the bits 0xfff7000000000000
355         you get 0xfffe000000000000. The first is a pure NaN, the second isn't.
356
357         This is without test because I could not find a way to create a 0xfff7000000000000
358         while convincing DFG that it's pure.
359         When we purify NaNs from typed array, we use a specific value of NaN if the input
360         is any NaN, making testing tricky.
361
362         * bytecode/SpeculatedType.cpp:
363         (JSC::typeOfDoubleNegation):
364
365 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
366
367         JS::DFG::nodeValuePairListDump does not compile with libstdc++ 4.8
368         https://bugs.webkit.org/show_bug.cgi?id=156670
369
370         Reviewed by Darin Adler.
371
372         * dfg/DFGNode.h:
373         (JSC::DFG::nodeValuePairListDump): Modified to use lambda as comparator.
374
375 2016-04-16  Konstantin Tokarev  <annulen@yandex.ru>
376
377         [mips] Implemented moveZeroToDouble.
378         https://bugs.webkit.org/show_bug.cgi?id=155429
379
380         Reviewed by Darin Adler.
381
382         This function is required to fix compilation after r197687.
383
384         * assembler/MacroAssemblerMIPS.h:
385         (JSC::MacroAssemblerMIPS::moveZeroToDouble):
386
387 2016-04-15  Darin Adler  <darin@apple.com>
388
389         Reduce use of Deprecated::ScriptXXX classes
390         https://bugs.webkit.org/show_bug.cgi?id=156632
391
392         Reviewed by Alex Christensen.
393
394         * bindings/ScriptFunctionCall.cpp:
395         (Deprecated::ScriptCallArgumentHandler::appendArgument): Deleted version that takes a Deprecated::ScriptValue.
396         (Deprecated::ScriptFunctionCall::call): Changed to return a JSValue.
397         * bindings/ScriptFunctionCall.h: Updated for the above.
398
399         * bindings/ScriptValue.cpp:
400         (Inspector::jsToInspectorValue): Moved from Deprecated namespace to Inspector namespace. Later, we should
401         move this to another source file in the inspector directory.
402         (Inspector::toInspectorValue): Added.
403         (Deprecated::ScriptValue::toInspectorValue): Updated for change to underlying function.
404         * bindings/ScriptValue.h: Update for the above.
405
406         * inspector/InjectedScript.cpp:
407         (Inspector::InjectedScript::evaluateOnCallFrame): Changed arguments and return values from
408         Deprecated::ScriptValue to JSC::JSValue.
409         (Inspector::InjectedScript::functionDetails): Ditto.
410         (Inspector::InjectedScript::wrapCallFrames): Ditto.
411         (Inspector::InjectedScript::wrapObject): Ditto.
412         (Inspector::InjectedScript::wrapTable): Ditto.
413         (Inspector::InjectedScript::previewValue): Ditto.
414         (Inspector::InjectedScript::setExceptionValue): Ditto.
415         (Inspector::InjectedScript::findObjectById): Ditto.
416         (Inspector::InjectedScript::inspectObject): Ditto.
417         * inspector/InjectedScript.h: Ditto.
418         * inspector/InjectedScriptBase.cpp:
419         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled): Ditto.
420         (Inspector::InjectedScriptBase::makeCall): Ditto.
421         * inspector/InjectedScriptBase.h: Ditto.
422         * inspector/InjectedScriptModule.cpp:
423         (Inspector::InjectedScriptModule::ensureInjected): Ditto.
424         * inspector/ScriptDebugListener.h: Ditto.
425         * inspector/ScriptDebugServer.cpp:
426         (Inspector::ScriptDebugServer::evaluateBreakpointAction): Ditto.
427         (Inspector::ScriptDebugServer::dispatchDidPause): Ditto.
428         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
429         (Inspector::ScriptDebugServer::exceptionOrCaughtValue): Ditto.
430         * inspector/ScriptDebugServer.h: Ditto.
431         * inspector/agents/InspectorDebuggerAgent.cpp:
432         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason): Ditto.
433         (Inspector::InspectorDebuggerAgent::didPause): Ditto.
434         (Inspector::InspectorDebuggerAgent::breakpointActionProbe): Ditto.
435         (Inspector::InspectorDebuggerAgent::didContinue): Ditto.
436         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): Ditto.
437         * inspector/agents/InspectorDebuggerAgent.h: Ditto.
438         * inspector/agents/InspectorHeapAgent.cpp:
439         (Inspector::InspectorHeapAgent::getPreview): Ditto.
440         (Inspector::InspectorHeapAgent::getRemoteObject): Ditto.
441
442 2016-04-15  Keith Miller  <keith_miller@apple.com>
443
444         Some JIT/DFG operations need NativeCallFrameTracers
445         https://bugs.webkit.org/show_bug.cgi?id=156650
446
447         Reviewed by Michael Saboff.
448
449         Some of our operation functions did not have native call frame
450         tracers. This meant that we would crash occasionally on some
451         of our tests when they triggered a GC in one of the functions
452         without a tracer. In particular, this was exemplified by another
453         upcoming patch when calling operationSetFunctionName.
454
455         This patch does not add tests since this happens consistently in
456         the patch adding delete_by_id to the DFG.
457
458         * dfg/DFGOperations.cpp:
459         * jit/JITOperations.cpp:
460
461 2016-04-15  Joseph Pecoraro  <pecoraro@apple.com>
462
463         Web Inspector: sourceMappingURL not used when sourceURL is set
464         https://bugs.webkit.org/show_bug.cgi?id=156021
465         <rdar://problem/25438417>
466
467         Reviewed by Timothy Hatcher.
468
469         Clean up Debugger.sourceParsed to separately include:
470
471             - url ("resource URL", "source url" in JSC APIs)
472             - sourceURL - //# sourceURL directive
473
474         By always having the resource URL the Web Inspector frontend
475         can better match this Script to a Resource of the same URL,
476         and decide to use the sourceURL if it is available when
477         appropriate.
478
479         * inspector/protocol/Debugger.json:
480         * inspector/agents/InspectorDebuggerAgent.cpp:
481         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
482         (Inspector::InspectorDebuggerAgent::didParseSource):
483         Send the new sourceParsed parameters.
484
485 2016-04-14  Joseph Pecoraro  <pecoraro@apple.com>
486
487         Web Inspector: Cleanup inspector/debugger tests
488         https://bugs.webkit.org/show_bug.cgi?id=156619
489
490         Reviewed by Brian Burg.
491
492         While cleaning up the tests it exposed the fact that breakpoints
493         were not getting disabled when the inspector closes. This means
494         that opening the inspector, with breakpoints, and closing the
495         inspector, would leave the JSC::Debugger thinking breakpoints
496         are active. The JSC::Debugger should be reset.
497
498         * inspector/agents/InspectorDebuggerAgent.cpp:
499         (Inspector::InspectorDebuggerAgent::disable):
500
501 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
502
503         CopiedBlock should be 64kB
504
505         Reviewed by Benjamin Poulain.
506
507         Let's try another value.
508
509         This is 25% faster on kraken-audio-beat-detection on Mac Pro.
510
511         * heap/CopiedBlock.h:
512
513 2016-04-15  Zan Dobersek  <zdobersek@igalia.com>
514
515         Tail call optimizations lead to crashes on ARM Thumb + Linux
516         https://bugs.webkit.org/show_bug.cgi?id=150083
517
518         Reviewed by Csaba Osztrogonác.
519
520         * assembler/AbstractMacroAssembler.h:
521         (JSC::AbstractMacroAssembler::repatchNearCall): In case of a tail call relink to the
522         data location of the destination, and not the executable address. This is needed for
523         the ARM Thumb2 platform where both the source and destination addresses of a jump relink
524         must not have the bottom bit decorated, as asserted in ARMv7Assembler::relinkJump().
525         * jit/Repatch.cpp:
526         (JSC::linkPolymorphicCall): Similarly, when linking a tail call we must link to the
527         address that has a non-decorated bottom bit, as asserted in ARMv7Assembler::linkJumpAbsolute().
528
529 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
530
531         Unreviewed, rolling out r199567.
532
533         performance regression on kraken on macbook*
534
535         Reverted changeset:
536
537         "CopiedBlock should be 8kB"
538         https://bugs.webkit.org/show_bug.cgi?id=156610
539         http://trac.webkit.org/changeset/199567
540
541 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
542
543         CopiedBlock should be 8kB
544         https://bugs.webkit.org/show_bug.cgi?id=156610
545
546         Reviewed by Michael Saboff.
547
548         On Mac Pro, this is:
549
550             15% faster on kraken-audio-beat-detection
551
552             5% faster on v8-splay
553
554         Hopefully, this will be OK on MacBook* bots as well.
555
556         32kB is the full size of L1 cache on x86. So, allocating and zero-filling
557         a 32kB CopiedBlock would basically flush the L1 cache. We can ameliorate
558         this problem by using smaller blocks -- or, if that doesn't work, we can
559         use larger blocks to amortize the cost.
560
561         * heap/CopiedBlock.h:
562
563 2016-04-14  Filip Pizlo  <fpizlo@apple.com>
564
565         PolymorphicAccess should try to generate a stub only once
566         https://bugs.webkit.org/show_bug.cgi?id=156555
567
568         Reviewed by Geoffrey Garen.
569         
570         This changes the PolymorphicAccess heuristics to reduce the amount of code generation even
571         more than before. We used to always generate a monomorphic stub for the first case we saw.
572         This change disables that. This change also increases the buffering countdown to match the
573         cool-down repatch count. This means that we will allow for ten slow paths for adding cases,
574         then we will generate a stub, and then we will go into cool-down and the repatching slow
575         paths will not even attempt repatching for a while. After we emerge from cool-down - which
576         requires a bunch of slow path calls - we will again wait for ten slow paths to get new
577         cases. Note that it only takes 13 cases to cause the stub to give up on future repatching
578         entirely. Also, most stubs don't ever get to 10 cases. Therefore, for most stubs this change
579         means that each IC will repatch once. If they make it to two repatching, then the likelihood
580         of a third becomes infinitesimal because of all of the rules that come into play at that
581         point (the size limit being 13, the fact that we go into exponential cool-down every time we
582         generate code, and the fact that if we have lots of self cases then we will create a
583         catch-all megamorphic load case).
584
585         This also undoes a change to the megamorphic optimization that I think was unintentional.
586         As in the change that originally introduced megamorphic loads, we want to do this only if we
587         would otherwise exhaust the max size of the IC. This is because megamorphic loads are pretty
588         expensive and it's best to use them only if we know that the alternative is giving up on
589         caching.
590
591         This is neutral on JS benchmarks, but looks like it's another speed-up for page loading.
592
593         * bytecode/PolymorphicAccess.cpp:
594         (JSC::AccessCase::canBeReplacedByMegamorphicLoad):
595         (JSC::AccessCase::canReplace):
596         (JSC::AccessCase::dump):
597         (JSC::PolymorphicAccess::regenerate):
598         * bytecode/StructureStubInfo.cpp:
599         (JSC::StructureStubInfo::StructureStubInfo):
600         * runtime/Options.h:
601
602 2016-04-14  Mark Lam  <mark.lam@apple.com>
603
604         Update treatment of invoking RegExp.prototype methods on RegExp.prototype.
605         https://bugs.webkit.org/show_bug.cgi?id=155922
606
607         Reviewed by Keith Miller.
608
609         According to the TC39 committee, when invoking the following RegExp.prototype
610         methods on the RegExp.prototype:
611         1. RegExp.prototype.flags yields ""
612         2. RegExp.prototype.global yields undefined
613         3. RegExp.prototype.ignoreCase yields undefined
614         4. RegExp.prototype.multiline yields undefined
615         5. RegExp.prototype.unicode yields undefined
616         6. RegExp.prototype.source yields "(?:)"
617         7. RegExp.prototype.sticky yields undefined
618         8. RegExp.prototype.toString() yields "/(?:)/"
619
620         and RegExp.prototype is still NOT an instance of RegExp.  The above behavior
621         changes are a special dispensation applicable only to RegExp.prototype.  The ES6
622         spec of throwing errors still applies if those methods are applied to anything
623         else that is not a RegExp object.
624
625         * runtime/RegExpPrototype.cpp:
626         (JSC::regExpProtoGetterGlobal):
627         (JSC::regExpProtoGetterIgnoreCase):
628         (JSC::regExpProtoGetterMultiline):
629         (JSC::regExpProtoGetterSticky):
630         (JSC::regExpProtoGetterUnicode):
631         (JSC::regExpProtoGetterFlags):
632         (JSC::regExpProtoGetterSource):
633         - Implemented new behavior.
634
635         * tests/es6/miscellaneous_built-in_prototypes_are_not_instances.js:
636         (test):
637         - Updated to match current kangax test.
638
639 2016-04-14  Geoffrey Garen  <ggaren@apple.com>
640
641         Some imported ES6 tests are missing __createIterableObject
642         https://bugs.webkit.org/show_bug.cgi?id=156584
643
644         Reviewed by Keith Miller.
645
646         These tests were failing because I neglected to include __createIterableObject
647         when I first imported them. Now they pass.
648
649         * tests/es6.yaml:
650         * tests/es6/Array_static_methods_Array.from_generic_iterables.js:
651         (iterator.next):
652         (iterable.Symbol.iterator):
653         (__createIterableObject):
654         (test):
655         * tests/es6/Array_static_methods_Array.from_instances_of_generic_iterables.js:
656         (iterator.next):
657         (iterable.Symbol.iterator):
658         (__createIterableObject):
659         (test):
660         * tests/es6/Array_static_methods_Array.from_iterator_closing.js:
661         (iterator.next):
662         (iterable.Symbol.iterator):
663         (__createIterableObject):
664         * tests/es6/Array_static_methods_Array.from_map_function_generic_iterables.js:
665         (iterator.next):
666         (iterable.Symbol.iterator):
667         (__createIterableObject):
668         (test):
669         * tests/es6/Array_static_methods_Array.from_map_function_instances_of_iterables.js:
670         (iterator.next):
671         (iterable.Symbol.iterator):
672         (__createIterableObject):
673         (test):
674         * tests/es6/Map_iterator_closing.js:
675         (iterator.next):
676         (iterable.Symbol.iterator):
677         (__createIterableObject):
678         * tests/es6/Promise_Promise.all_generic_iterables.js:
679         (iterator.next):
680         (iterable.Symbol.iterator):
681         (__createIterableObject):
682         (test.asyncTestPassed):
683         * tests/es6/Promise_Promise.race_generic_iterables.js:
684         (iterator.next):
685         (iterable.Symbol.iterator):
686         (__createIterableObject):
687         (test.asyncTestPassed):
688         * tests/es6/Set_iterator_closing.js:
689         (iterator.next):
690         (iterable.Symbol.iterator):
691         (__createIterableObject):
692         * tests/es6/WeakMap_iterator_closing.js:
693         (iterator.next):
694         (iterable.Symbol.iterator):
695         (__createIterableObject):
696         * tests/es6/WeakSet_iterator_closing.js:
697         (iterator.next):
698         (iterable.Symbol.iterator):
699         (__createIterableObject):
700         * tests/es6/destructuring_iterator_closing.js:
701         (iterator.next):
702         (iterable.Symbol.iterator):
703         (__createIterableObject):
704         * tests/es6/destructuring_with_generic_iterables.js:
705         (iterator.next):
706         (iterable.Symbol.iterator):
707         (__createIterableObject):
708         (test):
709         * tests/es6/destructuring_with_instances_of_generic_iterables.js:
710         (iterator.next):
711         (iterable.Symbol.iterator):
712         (__createIterableObject):
713         (test):
714         * tests/es6/for..of_loops_iterator_closing_break.js:
715         (iterator.next):
716         (iterable.Symbol.iterator):
717         (__createIterableObject):
718         * tests/es6/for..of_loops_iterator_closing_throw.js:
719         (iterator.next):
720         (iterable.Symbol.iterator):
721         (__createIterableObject):
722         * tests/es6/for..of_loops_with_generic_iterables.js:
723         (iterator.next):
724         (iterable.Symbol.iterator):
725         (__createIterableObject):
726         (test):
727         * tests/es6/for..of_loops_with_instances_of_generic_iterables.js:
728         (iterator.next):
729         (iterable.Symbol.iterator):
730         (__createIterableObject):
731         (test):
732         * tests/es6/generators_yield_star_generic_iterables.js:
733         (iterator.next):
734         (iterable.Symbol.iterator):
735         (__createIterableObject):
736         * tests/es6/generators_yield_star_iterator_closing_via_throw.js:
737         (iterator.next):
738         (iterable.Symbol.iterator):
739         (__createIterableObject):
740         * tests/es6/spread_..._operator_with_generic_iterables_in_arrays.js:
741         (iterator.next):
742         (iterable.Symbol.iterator):
743         (__createIterableObject):
744         (test):
745         * tests/es6/spread_..._operator_with_generic_iterables_in_calls.js:
746         (iterator.next):
747         (iterable.Symbol.iterator):
748         (__createIterableObject):
749         (test):
750         * tests/es6/spread_..._operator_with_instances_of_iterables_in_arrays.js:
751         (iterator.next):
752         (iterable.Symbol.iterator):
753         (__createIterableObject):
754         (test):
755         * tests/es6/spread_..._operator_with_instances_of_iterables_in_calls.js:
756         (iterator.next):
757         (iterable.Symbol.iterator):
758         (__createIterableObject):
759         (test):
760
761 2016-04-13  Alex Christensen  <achristensen@webkit.org>
762
763         CMake MiniBrowser should be an app bundle
764         https://bugs.webkit.org/show_bug.cgi?id=156521
765
766         Reviewed by Brent Fulgham.
767
768         * PlatformMac.cmake:
769         Unreviewed build fix.  Define __STDC_WANT_LIB_EXT1__ so we can find memset_s.
770
771 2016-04-13  Joseph Pecoraro  <pecoraro@apple.com>
772
773         JSContext Inspector: Improve Class instances and JSC API Exported Values view in Console / ObjectTree
774         https://bugs.webkit.org/show_bug.cgi?id=156566
775         <rdar://problem/16392365>
776
777         Reviewed by Timothy Hatcher.
778
779         * inspector/InjectedScriptSource.js:
780         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
781         Treat non-basic object types as not lossless so they can be expanded.
782         Show non-enumerable native getters in Object previews.
783
784 2016-04-13  Michael Saboff  <msaboff@apple.com>
785
786         Some tests fail with ES6 `u` (Unicode) flag for regular expressions
787         https://bugs.webkit.org/show_bug.cgi?id=151597
788
789         Reviewed by Geoffrey Garen.
790
791         Added two new tables to handle the anomalies of \w and \W CharacterClassEscapes
792         when specified in RegExps with both the unicode and ignoreCase flags.  Given the
793         case folding rules described in the standard via the meta function Canonicalize(),
794         which allow cross ASCII case folding when unicode is specified, the unicode characters
795         \u017f (small sharp s) and \u212a (kelvin symbol) are part of the \w (word) characterClassEscape.
796         This is true because they case fold to 's' and 'k' respectively.  Because they case fold
797         to lower case letters, the corresponding letters, 'k', 'K', 's' and 'S', are also matched with
798         \W with the unicode and ignoreCase flags.
799
800         * create_regex_tables:
801         * yarr/YarrPattern.cpp:
802         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
803         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
804         (JSC::Yarr::YarrPattern::YarrPattern):
805         * yarr/YarrPattern.h:
806         (JSC::Yarr::YarrPattern::wordcharCharacterClass):
807         (JSC::Yarr::YarrPattern::wordUnicodeIgnoreCaseCharCharacterClass):
808         (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
809         (JSC::Yarr::YarrPattern::nonwordUnicodeIgnoreCaseCharCharacterClass):
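To make the flag interplay in this entry concrete, the following is an added JavaScript example; it is not JavaScriptCore code and the function names (isWordChar, canonicalizeNonUnicode, wordCharTable) are mine. It probes \w for the two affected characters under each flag combination and re-states the ES2015 non-unicode Canonicalize rule whose ASCII guard is what keeps /\w/i (without u) from matching U+017F. Only the \w side is asserted, since the \W behaviour the entry describes follows the spec wording of that time.

```javascript
// Added example, not JavaScriptCore code: how the `u` and `i` flags change what \w matches.
// U+017F (LATIN SMALL LETTER LONG S) and U+212A (KELVIN SIGN) simple-case-fold to ASCII
// 's' and 'k', so only with both flags do they count as word characters.
const LONG_S = "\u017f";
const KELVIN = "\u212a";

// True when `ch` matches \w as a whole string under `flags` (helper name is mine).
function isWordChar(ch, flags) {
  return new RegExp("^\\w$", flags).test(ch);
}

// ES2015 Canonicalize(ch) for the ignoreCase-without-unicode case: upper-case via
// toUpperCase, but keep `ch` if the mapping is not a single code unit or would turn a
// non-ASCII character into an ASCII one. That guard is why /\w/i rejects U+017F even
// though "\u017f".toUpperCase() is "S".
function canonicalizeNonUnicode(ch) {
  const u = ch.toUpperCase();
  if (u.length !== 1) return ch;
  if (ch.charCodeAt(0) >= 128 && u.charCodeAt(0) < 128) return ch;
  return u;
}

// Matrix of \w results for the interesting characters under "", "i", "u" and "ui".
function wordCharTable() {
  const chars = { s: "s", S: "S", k: "k", K: "K", LONG_S, KELVIN };
  const table = {};
  for (const [name, ch] of Object.entries(chars)) {
    table[name] = {};
    for (const flags of ["", "i", "u", "ui"]) {
      table[name][flags] = isWordChar(ch, flags);
    }
  }
  return table;
}

console.table(wordCharTable());
```

Running it shows LONG_S and KELVIN as word characters only in the "ui" column, while the ASCII letters are word characters everywhere; the canonicalizeNonUnicode helper returns U+017F unchanged, which is the spec-level reason the "i" column stays false for it.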
810
811 2016-04-13  Commit Queue  <commit-queue@webkit.org>
812
813         Unreviewed, rolling out r199502 and r199511.
814         https://bugs.webkit.org/show_bug.cgi?id=156557
815
816         Appears to have in-browser perf regression (Requested by mlam
817         on #webkit).
818
819         Reverted changesets:
820
821         "ES6: Implement String.prototype.split and
822         RegExp.prototype[@@split]."
823         https://bugs.webkit.org/show_bug.cgi?id=156013
824         http://trac.webkit.org/changeset/199502
825
826         "ES6: Implement RegExp.prototype[@@search]."
827         https://bugs.webkit.org/show_bug.cgi?id=156331
828         http://trac.webkit.org/changeset/199511
829
830 2016-04-13  Keith Miller  <keith_miller@apple.com>
831
832         isJSArray should use ArrayType rather than the ClassInfo
833         https://bugs.webkit.org/show_bug.cgi?id=156551
834
835         Reviewed by Filip Pizlo.
836
837         Using the JSType rather than the ClassInfo should be slightly faster
838         since the type is inline on the cell whereas the ClassInfo is only
839         on the structure.
840
841         * runtime/JSArray.h:
842         (JSC::isJSArray):
843
844 2016-04-13  Mark Lam  <mark.lam@apple.com>
845
846         ES6: Implement RegExp.prototype[@@search].
847         https://bugs.webkit.org/show_bug.cgi?id=156331
848
849         Reviewed by Keith Miller.
850
851         What changed?
852         1. Implemented search builtin in RegExpPrototype.js.
853            The native path is now used as a fast path.
854         2. Added DFG support for an IsRegExpObjectIntrinsic (modelled after the
855            IsJSArrayIntrinsic).
856         3. Renamed @isRegExp to @isRegExpObject to match the new IsRegExpObjectIntrinsic.
857         4. Change the esSpecIsRegExpObject() implementation to check if the object's
858            JSType is RegExpObjectType instead of walking the classinfo chain.
859
860         * builtins/RegExpPrototype.js:
861         (search):
862         * builtins/StringPrototype.js:
863         (search):
864         - fixed some indentation.
865
866         * dfg/DFGAbstractInterpreterInlines.h:
867         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
868         * dfg/DFGByteCodeParser.cpp:
869         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
870         * dfg/DFGClobberize.h:
871         (JSC::DFG::clobberize):
872         * dfg/DFGDoesGC.cpp:
873         (JSC::DFG::doesGC):
874         * dfg/DFGFixupPhase.cpp:
875         (JSC::DFG::FixupPhase::fixupNode):
876         * dfg/DFGNodeType.h:
877         * dfg/DFGPredictionPropagationPhase.cpp:
878         (JSC::DFG::PredictionPropagationPhase::propagate):
879         * dfg/DFGSafeToExecute.h:
880         (JSC::DFG::safeToExecute):
881         * dfg/DFGSpeculativeJIT.cpp:
882         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
883         (JSC::DFG::SpeculativeJIT::compileIsRegExpObject):
884         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
885         * dfg/DFGSpeculativeJIT.h:
886         * dfg/DFGSpeculativeJIT32_64.cpp:
887         (JSC::DFG::SpeculativeJIT::compile):
888         * dfg/DFGSpeculativeJIT64.cpp:
889         (JSC::DFG::SpeculativeJIT::compile):
890         * ftl/FTLCapabilities.cpp:
891         (JSC::FTL::canCompile):
892         * ftl/FTLLowerDFGToB3.cpp:
893         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
894         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
895         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
896         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
897         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
898         (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject):
899         (JSC::FTL::DFG::LowerDFGToB3::isType):
900         * runtime/Intrinsic.h:
901         - Added IsRegExpObjectIntrinsic.
902
903         * runtime/CommonIdentifiers.h:
904
905         * runtime/ECMAScriptSpecInternalFunctions.cpp:
906         (JSC::esSpecIsConstructor):
907         - Changed to use uncheckedArgument since this is only called from internal code.
908         (JSC::esSpecIsRegExpObject):
909         (JSC::esSpecIsRegExp): Deleted.
910         * runtime/ECMAScriptSpecInternalFunctions.h:
911         - Changed to check the object for a JSType of RegExpObjectType.
912
913         * runtime/JSGlobalObject.cpp:
914         (JSC::JSGlobalObject::init):
915         - Added split fast path.
916
917         * runtime/RegExpPrototype.cpp:
918         (JSC::RegExpPrototype::finishCreation):
919         (JSC::regExpProtoFuncSearchFast):
920         (JSC::regExpProtoFuncSearch): Deleted.
921         * runtime/RegExpPrototype.h:
922
923         * tests/es6.yaml:
924         * tests/stress/regexp-search.js:
925         - Rebased test.
926
927 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
928
929         PolymorphicAccess::regenerate() shouldn't have to clone non-generated AccessCases
930         https://bugs.webkit.org/show_bug.cgi?id=156493
931
932         Reviewed by Geoffrey Garen.
933
934         Cloning AccessCases is only necessary if they hold some artifacts that are used by code that
935         they already generated. So, if the state is not Generated, we don't have to bother with
936         cloning them.
937
938         This should speed up PolymorphicAccess regeneration a bit more.
939
940         * bytecode/PolymorphicAccess.cpp:
941         (JSC::AccessCase::commit):
942         (JSC::PolymorphicAccess::regenerate):
943
944 2016-04-13  Mark Lam  <mark.lam@apple.com>
945
946         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
947         https://bugs.webkit.org/show_bug.cgi?id=156013
948
949         Reviewed by Keith Miller.
950
951         Re-landing r199393 now that the shadow chicken crash has been fixed.
952
953         * CMakeLists.txt:
954         * JavaScriptCore.xcodeproj/project.pbxproj:
955         * builtins/GlobalObject.js:
956         (speciesConstructor):
957         * builtins/PromisePrototype.js:
958         - refactored to use the @speciesConstructor internal function.
959
960         * builtins/RegExpPrototype.js:
961         (advanceStringIndex):
962         - refactored from @advanceStringIndexUnicode() to match the spec.
963           Benchmarks show that there's no advantage in doing the unicode check outside
964           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
965           spec (especially since @@split needs to call advanceStringIndex from more than
966           1 location).
967         (match):
968         - Removed an unnecessary call to @Object because it was already proven above.
969         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
970           Again, there's no perf regression for this.
971         (regExpExec):
972         (hasObservableSideEffectsForRegExpSplit):
973         (split):
974         (advanceStringIndexUnicode): Deleted.
975
976         * builtins/StringPrototype.js:
977         (split):
978         - Modified to use RegExp.prototype[@@split].
979
980         * bytecode/BytecodeIntrinsicRegistry.cpp:
981         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
982         (JSC::BytecodeIntrinsicRegistry::lookup):
983         * bytecode/BytecodeIntrinsicRegistry.h:
984         - Added the @@split symbol.
985
986         * runtime/CommonIdentifiers.h:
987         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
988         (JSC::esSpecIsConstructor):
989         (JSC::esSpecIsRegExp):
990         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
991
992         * runtime/JSGlobalObject.cpp:
993         (JSC::getGetterById):
994         (JSC::JSGlobalObject::init):
995
996         * runtime/PropertyDescriptor.cpp:
997         (JSC::PropertyDescriptor::setDescriptor):
998         - Removed an assert that is no longer valid.
999
1000         * runtime/RegExpObject.h:
1001         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
1002           fast path.
1003
1004         * runtime/RegExpPrototype.cpp:
1005         (JSC::RegExpPrototype::finishCreation):
1006         (JSC::regExpProtoFuncExec):
1007         (JSC::regExpProtoFuncSearch):
1008         (JSC::advanceStringIndex):
1009         (JSC::regExpProtoFuncSplitFast):
1010         * runtime/RegExpPrototype.h:
1011
1012         * runtime/StringObject.h:
1013         (JSC::jsStringWithReuse):
1014         (JSC::jsSubstring):
1015         - Hoisted some utility functions from StringPrototype.cpp so that they can be
1016           reused by the regexp split fast path.
1017
1018         * runtime/StringPrototype.cpp:
1019         (JSC::StringPrototype::finishCreation):
1020         (JSC::stringProtoFuncSplitFast):
1021         (JSC::stringProtoFuncSubstr):
1022         (JSC::builtinStringSubstrInternal):
1023         (JSC::stringProtoFuncSubstring):
1024         (JSC::stringIncludesImpl):
1025         (JSC::stringProtoFuncIncludes):
1026         (JSC::builtinStringIncludesInternal):
1027         (JSC::jsStringWithReuse): Deleted.
1028         (JSC::jsSubstring): Deleted.
1029         (JSC::stringProtoFuncSplit): Deleted.
1030         * runtime/StringPrototype.h:
1031
1032         * tests/es6.yaml:
1033
1034 2016-04-13  Mark Lam  <mark.lam@apple.com>
1035
1036         ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
1037         https://bugs.webkit.org/show_bug.cgi?id=156532
1038
1039         Reviewed by Saam Barati and Filip Pizlo.
1040
1041         ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in
1042         the callee field of a log packet.  However, ShadowChicken::visitChildren()
1043         unconditionally visits the callee field of each packet as if they are real
1044         objects.  If visitChildren() encounters one of these markers in the log, we get a
1045         crash.
1046
1047         This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow
1048         chicken when r199393 landed.  r199393 introduced tail calls to a RegExp split
1049         fast path, and the v8-regexp.js test exercised this fast path a lot.  Throw in
1050         some timely GCs, and we get a crash party.
1051
1052         The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and
1053         throwMarker.
1054
1055         Alternatively, if perf is an issue, we can allocate 2 dedicated objects for
1056         these markers so that ShadowChicken can continue to visit them.  For now, I'm
1057         going with the filter.
1058
1059         * interpreter/ShadowChicken.cpp:
1060         (JSC::ShadowChicken::visitChildren):
1061
1062 2016-04-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1063
1064         [ES6] Add @@toStringTag to GeneratorFunction
1065         https://bugs.webkit.org/show_bug.cgi?id=156499
1066
1067         Reviewed by Mark Lam.
1068
1069         GeneratorFunction.prototype has @@toStringTag property, "GeneratorFunction".
1070         https://tc39.github.io/ecma262/#sec-generatorfunction.prototype-@@tostringtag
1071
1072         * runtime/GeneratorFunctionPrototype.cpp:
1073         (JSC::GeneratorFunctionPrototype::finishCreation):
1074         * tests/es6.yaml:
1075         * tests/es6/well-known_symbols_Symbol.toStringTag_new_built-ins.js: Added.
1076         (test):
1077
1078 2016-04-13  Alberto Garcia  <berto@igalia.com>
1079
1080         Fix build in glibc-based BSD systems
1081         https://bugs.webkit.org/show_bug.cgi?id=156533
1082
1083         Reviewed by Carlos Garcia Campos.
1084
1085         Change the order of the #elif conditionals so glibc-based BSD
1086         systems (e.g. Debian GNU/kFreeBSD) use the code inside the
1087         OS(FREEBSD) blocks.
1088
1089         * heap/MachineStackMarker.cpp:
1090         (JSC::MachineThreads::Thread::Registers::stackPointer):
1091         (JSC::MachineThreads::Thread::Registers::framePointer):
1092         (JSC::MachineThreads::Thread::Registers::instructionPointer):
1093         (JSC::MachineThreads::Thread::Registers::llintPC):
1094
1095 2016-04-12  Keith Miller  <keith_miller@apple.com>
1096
1097         Unreviewed undo change from ArrayClass to ArrayWithUndecided, which
1098         was not intended to land with r199397.
1099
1100         * runtime/ArrayPrototype.h:
1101         (JSC::ArrayPrototype::createStructure):
1102
1103 2016-04-12  Mark Lam  <mark.lam@apple.com>
1104
1105         Rollout: ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1106         https://bugs.webkit.org/show_bug.cgi?id=156013
1107
1108         Speculative rollout to fix 32-bit shadow-chicken.yaml/tests/v8-v6/v8-regexp.js.shadow-chicken test failure.
1109
1110         Not reviewed.
1111
1112         * CMakeLists.txt:
1113         * JavaScriptCore.xcodeproj/project.pbxproj:
1114         * builtins/GlobalObject.js:
1115         (speciesGetter):
1116         (speciesConstructor): Deleted.
1117         * builtins/PromisePrototype.js:
1118         * builtins/RegExpPrototype.js:
1119         (advanceStringIndexUnicode):
1120         (match):
1121         (advanceStringIndex): Deleted.
1122         (regExpExec): Deleted.
1123         (hasObservableSideEffectsForRegExpSplit): Deleted.
1124         (split): Deleted.
1125         * builtins/StringPrototype.js:
1126         (repeat):
1127         (split): Deleted.
1128         * bytecode/BytecodeIntrinsicRegistry.cpp:
1129         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1130         (JSC::BytecodeIntrinsicRegistry::lookup):
1131         * bytecode/BytecodeIntrinsicRegistry.h:
1132         * runtime/CommonIdentifiers.h:
1133         * runtime/ECMAScriptSpecInternalFunctions.cpp: Removed.
1134         * runtime/ECMAScriptSpecInternalFunctions.h: Removed.
1135         * runtime/JSGlobalObject.cpp:
1136         (JSC::JSGlobalObject::setGlobalThis):
1137         (JSC::JSGlobalObject::init):
1138         (JSC::getGetterById): Deleted.
1139         * runtime/PropertyDescriptor.cpp:
1140         (JSC::PropertyDescriptor::setDescriptor):
1141         * runtime/RegExpObject.h:
1142         (JSC::RegExpObject::offsetOfLastIndexIsWritable):
1143         * runtime/RegExpPrototype.cpp:
1144         (JSC::RegExpPrototype::finishCreation):
1145         (JSC::regExpProtoFuncExec):
1146         (JSC::regExpProtoFuncSearch):
1147         (JSC::advanceStringIndex): Deleted.
1148         (JSC::regExpProtoFuncSplitFast): Deleted.
1149         * runtime/RegExpPrototype.h:
1150         * runtime/StringObject.h:
1151         (JSC::jsStringWithReuse): Deleted.
1152         (JSC::jsSubstring): Deleted.
1153         * runtime/StringPrototype.cpp:
1154         (JSC::StringPrototype::finishCreation):
1155         (JSC::jsStringWithReuse):
1156         (JSC::jsSubstring):
1157         (JSC::substituteBackreferencesSlow):
1158         (JSC::splitStringByOneCharacterImpl):
1159         (JSC::stringProtoFuncSplit):
1160         (JSC::stringProtoFuncSubstr):
1161         (JSC::stringProtoFuncSubstring):
1162         (JSC::stringProtoFuncEndsWith):
1163         (JSC::stringProtoFuncIncludes):
1164         (JSC::stringProtoFuncIterator):
1165         (JSC::stringProtoFuncSplitFast): Deleted.
1166         (JSC::builtinStringSubstrInternal): Deleted.
1167         (JSC::stringIncludesImpl): Deleted.
1168         (JSC::builtinStringIncludesInternal): Deleted.
1169         * runtime/StringPrototype.h:
1170         * tests/es6.yaml:
1171
1172 2016-04-12  Mark Lam  <mark.lam@apple.com>
1173
1174         Remove 2 unused JSC options.
1175         https://bugs.webkit.org/show_bug.cgi?id=156526
1176
1177         Reviewed by Benjamin Poulain.
1178
1179         The options JSC_assertICSizing and JSC_dumpFailedICSizing are no longer in use
1180         now that we have B3.
1181
1182         * runtime/Options.h:
1183
1184 2016-04-12  Keith Miller  <keith_miller@apple.com>
1185
1186         [ES6] Add support for Symbol.isConcatSpreadable.
1187         https://bugs.webkit.org/show_bug.cgi?id=155351
1188
1189         Reviewed by Saam Barati.
1190
1191         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
1192         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
1193         a builtin performant. First, four new DFG intrinsics were added.
1194
1195         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
1196            the Array.isArray function.
1197         2) IsJSArray: checks the first child is a JSArray object.
1198         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
1199         4) CallObjectConstructor: an intrinsic of the Object constructor.
1200
1201         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
1202         we are able to prove that the first child is an Array or for ToObject an Object.
1203
1204         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
1205         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
1206         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
1207         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
1208         into a contiguous array).
1209
1210         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
1211         values onto the result array. This works roughly the same as the two array fast path using the same methodology
1212         to decide if we can memcpy the other butterfly into the result butterfly.
1213
1214         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
1215         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
1216         dataLog function on it.
1217
1218         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
1219         JSValueOperand if the operand's use count is one.
1220
1221         * JavaScriptCore.xcodeproj/project.pbxproj:
1222         * builtins/ArrayPrototype.js:
1223         (concatSlowPath):
1224         (concat):
1225         * bytecode/BytecodeIntrinsicRegistry.cpp:
1226         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1227         * bytecode/BytecodeIntrinsicRegistry.h:
1228         * dfg/DFGAbstractInterpreterInlines.h:
1229         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1230         * dfg/DFGByteCodeParser.cpp:
1231         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1232         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1233         * dfg/DFGClobberize.h:
1234         (JSC::DFG::clobberize):
1235         * dfg/DFGDoesGC.cpp:
1236         (JSC::DFG::doesGC):
1237         * dfg/DFGFixupPhase.cpp:
1238         (JSC::DFG::FixupPhase::fixupNode):
1239         * dfg/DFGNodeType.h:
1240         * dfg/DFGOperations.cpp:
1241         * dfg/DFGOperations.h:
1242         * dfg/DFGPredictionPropagationPhase.cpp:
1243         (JSC::DFG::PredictionPropagationPhase::propagate):
1244         * dfg/DFGSafeToExecute.h:
1245         (JSC::DFG::safeToExecute):
1246         * dfg/DFGSpeculativeJIT.cpp:
1247         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1248         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
1249         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
1250         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
1251         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
1252         * dfg/DFGSpeculativeJIT.h:
1253         (JSC::DFG::SpeculativeJIT::callOperation):
1254         * dfg/DFGSpeculativeJIT32_64.cpp:
1255         (JSC::DFG::SpeculativeJIT::compile):
1256         * dfg/DFGSpeculativeJIT64.cpp:
1257         (JSC::DFG::SpeculativeJIT::compile):
1258         * ftl/FTLCapabilities.cpp:
1259         (JSC::FTL::canCompile):
1260         * ftl/FTLLowerDFGToB3.cpp:
1261         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1262         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
1263         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
1264         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
1265         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
1266         (JSC::FTL::DFG::LowerDFGToB3::isArray):
1267         * jit/JITOperations.h:
1268         * jsc.cpp:
1269         (GlobalObject::finishCreation):
1270         (functionDataLogValue):
1271         * runtime/ArrayConstructor.cpp:
1272         (JSC::ArrayConstructor::finishCreation):
1273         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
1274         * runtime/ArrayConstructor.h:
1275         (JSC::isArrayConstructor):
1276         * runtime/ArrayPrototype.cpp:
1277         (JSC::ArrayPrototype::finishCreation):
1278         (JSC::arrayProtoPrivateFuncIsJSArray):
1279         (JSC::moveElements):
1280         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1281         (JSC::arrayProtoPrivateFuncAppendMemcpy):
1282         (JSC::arrayProtoFuncConcat): Deleted.
1283         * runtime/ArrayPrototype.h:
1284         (JSC::ArrayPrototype::createStructure):
1285         * runtime/CommonIdentifiers.h:
1286         * runtime/Intrinsic.h:
1287         * runtime/JSArray.cpp:
1288         (JSC::JSArray::appendMemcpy):
1289         (JSC::JSArray::fastConcatWith): Deleted.
1290         * runtime/JSArray.h:
1291         (JSC::JSArray::createStructure):
1292         (JSC::JSArray::fastConcatType): Deleted.
1293         * runtime/JSArrayInlines.h: Added.
1294         (JSC::JSArray::memCopyWithIndexingType):
1295         (JSC::JSArray::canFastCopy):
1296         * runtime/JSGlobalObject.cpp:
1297         (JSC::JSGlobalObject::init):
1298         * runtime/JSType.h:
1299         * runtime/ObjectConstructor.h:
1300         (JSC::constructObject):
1301         * tests/es6.yaml:
1302         * tests/stress/array-concat-spread-object.js: Added.
1303         (arrayEq):
1304         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
1305         (arrayEq):
1306         * tests/stress/array-concat-spread-proxy.js: Added.
1307         (arrayEq):
1308         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
1309         (arrayEq):
1310         * tests/stress/array-species-config-array-constructor.js:
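The Symbol.isConcatSpreadable decision that this entry moves into a JS builtin, written out as an added example (not JavaScriptCore's builtins/ArrayPrototype.js; the names isConcatSpreadable, toLength, specConcat, sampleInputs and compareWithNative are mine). It follows the spec steps for IsConcatSpreadable and the concat loop and compares the result with the engine's native Array.prototype.concat on constructed inputs that hit each branch.

```javascript
// Added example, not JavaScriptCore code: a small spec-shaped Array.prototype.concat
// compared against the native one, to show what Symbol.isConcatSpreadable changes.

// IsConcatSpreadable(O): non-objects are never spread; an explicit @@isConcatSpreadable
// value wins (after ToBoolean); otherwise fall back to IsArray(O).
function isConcatSpreadable(o) {
  if (o === null || (typeof o !== "object" && typeof o !== "function")) return false;
  const spreadable = o[Symbol.isConcatSpreadable];
  if (spreadable !== undefined) return Boolean(spreadable);
  return Array.isArray(o);
}

// ToLength: clamp to [0, 2^53 - 1], treating NaN and negatives as 0.
function toLength(v) {
  const n = Math.trunc(Number(v));
  if (!(n > 0)) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// Spreadable arguments contribute their indexed elements (holes stay holes because only
// present indices are copied); everything else is appended as a single element.
function specConcat(target, ...items) {
  const result = [];
  let n = 0;
  for (const e of [target, ...items]) {
    if (isConcatSpreadable(e)) {
      const len = toLength(e.length);
      for (let k = 0; k < len; k++, n++) {
        if (k in e) result[n] = e[k];
      }
    } else {
      result[n++] = e;
    }
  }
  result.length = n;
  return result;
}

// Constructed sample inputs covering the three branches of IsConcatSpreadable.
function sampleInputs() {
  const arrayLike = { length: 2, 0: "a", 1: "b", [Symbol.isConcatSpreadable]: true };
  const unspreadArray = [1, 2];
  unspreadArray[Symbol.isConcatSpreadable] = false; // a real array that must NOT be spread
  const plain = { length: 1, 0: "ignored" };       // no symbol, not an array: appended whole
  return [arrayLike, unspreadArray, plain, "x"];
}

// Returns both results so they can be compared; they should agree element for element.
function compareWithNative() {
  const inputs = sampleInputs();
  return {
    spec: specConcat([0], ...inputs),
    native: [0].concat(...inputs),
  };
}

console.log(compareWithNative());
```

Both versions produce six elements: 0, then "a" and "b" spread out of the array-like object, then the array and the plain object appended as single values, then "x". The symbol lookup on every argument is exactly the observable behaviour that forces the engine's memcpy fast paths described above to first prove the operands are plain arrays.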
1311
1312 2016-04-12  Saam barati  <sbarati@apple.com>
1313
1314         Let's not iterate over the constant pool twice every time we link a code block
1315         https://bugs.webkit.org/show_bug.cgi?id=156517
1316
1317         Reviewed by Mark Lam.
1318
1319         I introduced a second iteration over the constant pool when I implemented
1320         block scoping. I did this because we must clone all the symbol tables when
1321         we link a CodeBlock. We can just do this cloning when setting the constant
1322         registers for the first time. There is no need to iterate over the constant
1323         pool a second time.
1324
1325         * bytecode/CodeBlock.cpp:
1326         (JSC::CodeBlock::finishCreation):
1327         (JSC::CodeBlock::~CodeBlock):
1328         (JSC::CodeBlock::setConstantRegisters):
1329         (JSC::CodeBlock::setAlternative):
1330         * bytecode/CodeBlock.h:
1331         (JSC::CodeBlock::replaceConstant):
1332         (JSC::CodeBlock::setConstantRegisters): Deleted.
1333
1334 2016-04-12  Mark Lam  <mark.lam@apple.com>
1335
1336         ES6: Implement String.prototype.split and RegExp.prototype[@@split].
1337         https://bugs.webkit.org/show_bug.cgi?id=156013
1338
1339         Reviewed by Keith Miller.
1340
1341         * CMakeLists.txt:
1342         * JavaScriptCore.xcodeproj/project.pbxproj:
1343         * builtins/GlobalObject.js:
1344         (speciesConstructor):
1345         * builtins/PromisePrototype.js:
1346         - refactored to use the @speciesConstructor internal function.
1347
1348         * builtins/RegExpPrototype.js:
1349         (advanceStringIndex):
1350         - refactored from @advanceStringIndexUnicode() to match the spec.
1351           Benchmarks show that there's no advantage in doing the unicode check outside
1352           of the advanceStringIndexUnicode part.  So, I simplified the code to match the
1353           spec (especially since @@split needs to call advanceStringIndex from more than
1354           1 location).
1355         (match):
1356         - Removed an unnecessary call to @Object because it was already proven above.
1357         - Changed to use advanceStringIndex instead of advanceStringIndexUnicode.
1358           Again, there's no perf regression for this.
1359         (regExpExec):
1360         (hasObservableSideEffectsForRegExpSplit):
1361         (split):
1362         (advanceStringIndexUnicode): Deleted.
1363
1364         * builtins/StringPrototype.js:
1365         (split):
1366         - Modified to use RegExp.prototype[@@split].
1367
1368         * bytecode/BytecodeIntrinsicRegistry.cpp:
1369         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1370         (JSC::BytecodeIntrinsicRegistry::lookup):
1371         * bytecode/BytecodeIntrinsicRegistry.h:
1372         - Added the @@split symbol.
1373
1374         * runtime/CommonIdentifiers.h:
1375         * runtime/ECMAScriptSpecInternalFunctions.cpp: Added.
1376         (JSC::esSpecIsConstructor):
1377         (JSC::esSpecIsRegExp):
1378         * runtime/ECMAScriptSpecInternalFunctions.h: Added.
1379
1380         * runtime/JSGlobalObject.cpp:
1381         (JSC::getGetterById):
1382         (JSC::JSGlobalObject::init):
1383
1384         * runtime/PropertyDescriptor.cpp:
1385         (JSC::PropertyDescriptor::setDescriptor):
1386         - Removed an assert that is no longer valid.
1387
1388         * runtime/RegExpObject.h:
1389         - Made advanceStringUnicode() public so that it can be re-used by the regexp split
1390           fast path.
1391
1392         * runtime/RegExpPrototype.cpp:
1393         (JSC::RegExpPrototype::finishCreation):
1394         (JSC::regExpProtoFuncExec):
1395         (JSC::regExpProtoFuncSearch):
1396         (JSC::advanceStringIndex):
1397         (JSC::regExpProtoFuncSplitFast):
1398         * runtime/RegExpPrototype.h:
1399
1400         * runtime/StringObject.h:
1401         (JSC::jsStringWithReuse):
1402         (JSC::jsSubstring):
1403         - Hoisted some utility functions from StringPrototype.cpp so that they can be
1404           reused by the regexp split fast path.
1405
1406         * runtime/StringPrototype.cpp:
1407         (JSC::StringPrototype::finishCreation):
1408         (JSC::stringProtoFuncSplitFast):
1409         (JSC::stringProtoFuncSubstr):
1410         (JSC::builtinStringSubstrInternal):
1411         (JSC::stringProtoFuncSubstring):
1412         (JSC::stringIncludesImpl):
1413         (JSC::stringProtoFuncIncludes):
1414         (JSC::builtinStringIncludesInternal):
1415         (JSC::jsStringWithReuse): Deleted.
1416         (JSC::jsSubstring): Deleted.
1417         (JSC::stringProtoFuncSplit): Deleted.
1418         * runtime/StringPrototype.h:
1419
1420         * tests/es6.yaml:
1421
1422 2016-04-12  Keith Miller  <keith_miller@apple.com>
1423
1424         AbstractValue should use the result type to filter structures
1425         https://bugs.webkit.org/show_bug.cgi?id=156516
1426
1427         Reviewed by Geoffrey Garen.
1428
1429         When filtering an AbstractValue with a SpeculatedType we would not use the merged type when
1430         filtering out the valid structures (despite what the comment directly above said). This
1431         would cause us to crash if our structure-set was Top and the two speculated types were
1432         different kinds of cells.
1433
1434         * dfg/DFGAbstractValue.cpp:
1435         (JSC::DFG::AbstractValue::filter):
1436         * tests/stress/ai-consistency-filter-cells.js: Added.
1437         (get value):
1438         (attribute.value.get record):
1439         (attribute.attrs.get this):
1440         (get foo):
1441         (let.thisValue.return.serialize):
1442         (let.thisValue.transformFor):
1443
1444 2016-04-12  Filip Pizlo  <fpizlo@apple.com>
1445
1446         Unreviewed, remove FIXME for https://bugs.webkit.org/show_bug.cgi?id=156457 and replace it
1447         with a comment that describes what we do now.
1448
1449         * bytecode/PolymorphicAccess.h:
1450
1451 2016-04-12  Saam barati  <sbarati@apple.com>
1452
1453         isLocked() assertion broke builds because ConcurrentJITLock isn't always a real lock.
1454
1455         Rubber-stamped by Filip Pizlo.
1456
1457         * bytecode/CodeBlock.cpp:
1458         (JSC::CodeBlock::resultProfileForBytecodeOffset):
1459         (JSC::CodeBlock::ensureResultProfile):
1460
1461 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
1462
1463         PolymorphicAccess should buffer AccessCases before regenerating
1464         https://bugs.webkit.org/show_bug.cgi?id=156457
1465
1466         Reviewed by Benjamin Poulain.
1467
1468         Prior to this change, whenever we added an AccessCase to a PolymorphicAccess, we would
1469         regenerate the whole stub. That meant that we'd do O(N^2) work for N access cases.
1470
1471         One way to fix this is to have each AccessCase generate a stub just for itself, which
1472         cascades down to the already-generated cases. But that removes the binary switch
1473         optimization, which makes the IC perform great even when there are many cases.
1474
1475         This change fixes the issue by buffering access cases. When we take slow path and try to add
1476         a new case, the StructureStubInfo will usually just buffer the new case without generating
1477         new code. We simply guarantee that after we buffer a case, we will take at most
1478         Options::repatchBufferingCountdown() slow path calls before generating code for it. That
1479         option is currently 7. Taking 7 more slow paths means that we have 7 more opportunities to
1480         gather more access cases, or to realize that this IC is too crazy to bother with.
1481
1482         This change ensures that the DFG still gets the same kind of profiling. This is because the
1483         buffered AccessCases are still part of PolymorphicAccess and so are still scanned by
1484         GetByIdStatus and PutByIdStatus. The fact that the AccessCases hadn't been generated and so
1485         hadn't executed doesn't change much. Mainly, it increases the likelihood that the DFG will
1486         see an access case that !couldStillSucceed(). The DFG's existing profile parsing logic can
1487         handle this just fine.
1488         
1489         There are a bunch of algorithmic changes here. StructureStubInfo now caches the set of
1490         structures that it has seen as a guard to prevent adding lots of redundant cases, in case
1491         we see the same 7 cases after buffering the first one. This cache means we won't wastefully
1492         allocate 7 identical AccessCase instances. PolymorphicAccess is now restructured around
1493         having separate addCase() and regenerate() calls. That means a bit more moving data around.
1494         So far that seems OK for performance, probably since it's O(N) work rather than O(N^2) work.
1495         There is room for improvement for future patches, to be sure.
1496         
1497         This is benchmarking as slightly positive or neutral on JS benchmarks. It's meant to reduce
1498         pathologies I saw in page loads.
1499
1500         * bytecode/GetByIdStatus.cpp:
1501         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1502         * bytecode/PolymorphicAccess.cpp:
1503         (JSC::PolymorphicAccess::PolymorphicAccess):
1504         (JSC::PolymorphicAccess::~PolymorphicAccess):
1505         (JSC::PolymorphicAccess::addCases):
1506         (JSC::PolymorphicAccess::addCase):
1507         (JSC::PolymorphicAccess::visitWeak):
1508         (JSC::PolymorphicAccess::dump):
1509         (JSC::PolymorphicAccess::commit):
1510         (JSC::PolymorphicAccess::regenerate):
1511         (JSC::PolymorphicAccess::aboutToDie):
1512         (WTF::printInternal):
1513         (JSC::PolymorphicAccess::regenerateWithCases): Deleted.
1514         (JSC::PolymorphicAccess::regenerateWithCase): Deleted.
1515         * bytecode/PolymorphicAccess.h:
1516         (JSC::AccessCase::isGetter):
1517         (JSC::AccessCase::callLinkInfo):
1518         (JSC::AccessGenerationResult::AccessGenerationResult):
1519         (JSC::AccessGenerationResult::madeNoChanges):
1520         (JSC::AccessGenerationResult::gaveUp):
1521         (JSC::AccessGenerationResult::buffered):
1522         (JSC::AccessGenerationResult::generatedNewCode):
1523         (JSC::AccessGenerationResult::generatedFinalCode):
1524         (JSC::AccessGenerationResult::shouldGiveUpNow):
1525         (JSC::AccessGenerationResult::generatedSomeCode):
1526         (JSC::PolymorphicAccess::isEmpty):
1527         (JSC::PolymorphicAccess::size):
1528         (JSC::PolymorphicAccess::at):
1529         * bytecode/PutByIdStatus.cpp:
1530         (JSC::PutByIdStatus::computeForStubInfo):
1531         * bytecode/StructureStubInfo.cpp:
1532         (JSC::StructureStubInfo::StructureStubInfo):
1533         (JSC::StructureStubInfo::addAccessCase):
1534         (JSC::StructureStubInfo::reset):
1535         (JSC::StructureStubInfo::visitWeakReferences):
1536         * bytecode/StructureStubInfo.h:
1537         (JSC::StructureStubInfo::considerCaching):
1538         (JSC::StructureStubInfo::willRepatch): Deleted.
1539         (JSC::StructureStubInfo::willCoolDown): Deleted.
1540         * jit/JITOperations.cpp:
1541         * jit/Repatch.cpp:
1542         (JSC::tryCacheGetByID):
1543         (JSC::repatchGetByID):
1544         (JSC::tryCachePutByID):
1545         (JSC::repatchPutByID):
1546         (JSC::tryRepatchIn):
1547         (JSC::repatchIn):
1548         * runtime/JSCJSValue.h:
1549         * runtime/JSCJSValueInlines.h:
1550         (JSC::JSValue::putByIndex):
1551         (JSC::JSValue::structureOrNull):
1552         (JSC::JSValue::structureOrUndefined):
1553         * runtime/Options.h:
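
A reduced model of the buffering policy this entry describes, added here as an example and not JSC's own code: the stub records at most one case per structure, starts a countdown of Options::repatchBufferingCountdown() (7) when the first case is buffered, and regenerates the whole stub only when that countdown expires, so N distinct cases cost O(N) generation work where regenerating on every new case costs O(N^2). The names BufferedStubModel, AccessResult, slowPath, eagerGenerationWork, runDistinct and callsBeforeGeneration are assumptions, and the model omits the give-up path the entry mentions.

```cpp
#include <cstddef>
#include <set>
#include <vector>

// Hypothetical names: a reduced model of the policy, not JSC's StructureStubInfo
// or PolymorphicAccess.
enum class AccessResult { MadeNoChanges, Buffered, GeneratedNewCode };

struct BufferedStubModel {
    static constexpr unsigned kRepatchBufferingCountdown = 7; // the option value the entry quotes

    std::set<unsigned> seenStructures;    // guard: at most one AccessCase per structure
    std::vector<unsigned> bufferedCases;  // cases recorded but not compiled into the stub yet
    std::vector<unsigned> generatedCases; // cases the current stub code handles
    unsigned countdown = 0;               // slow-path calls left before the next regeneration
    unsigned regenerations = 0;           // how many times stub code was emitted
    std::size_t generationWork = 0;       // AccessCases compiled, summed over all regenerations

    // One slow-path call for a receiver with the given structure id. Callers reach the
    // slow path only for structures the generated stub does not handle.
    AccessResult slowPath(unsigned structureId)
    {
        bool added = seenStructures.insert(structureId).second;
        if (added)
            bufferedCases.push_back(structureId);
        if (bufferedCases.empty())
            return AccessResult::MadeNoChanges;      // nothing pending
        if (countdown == 0) {
            // First buffered case since the last regeneration: start the countdown
            // instead of regenerating right away.
            countdown = kRepatchBufferingCountdown;
            return AccessResult::Buffered;
        }
        if (--countdown > 0)
            return added ? AccessResult::Buffered : AccessResult::MadeNoChanges;
        regenerate();
        return AccessResult::GeneratedNewCode;
    }

    // Regenerating emits the binary switch over every case, so the cost is the number
    // of cases in the stub, paid once per regeneration rather than once per new case.
    void regenerate()
    {
        generatedCases.insert(generatedCases.end(), bufferedCases.begin(), bufferedCases.end());
        bufferedCases.clear();
        generationWork += generatedCases.size();
        ++regenerations;
        countdown = 0;
    }
};

// Work done by the previous policy: regenerate the whole stub on every new case,
// which is 1 + 2 + ... + N for N distinct structures.
std::size_t eagerGenerationWork(unsigned distinctStructures)
{
    std::size_t work = 0;
    for (unsigned n = 1; n <= distinctStructures; ++n)
        work += n;
    return work;
}

// Feeds n distinct structures, one per slow-path call, and returns the resulting model.
BufferedStubModel runDistinct(unsigned n)
{
    BufferedStubModel model;
    for (unsigned structureId = 1; structureId <= n; ++structureId)
        model.slowPath(structureId);
    return model;
}

// The same structure on every call: returns how many calls reported MadeNoChanges
// before the buffered case was compiled (the duplicate guard keeps the case count at one).
unsigned callsBeforeGeneration(unsigned structureId)
{
    BufferedStubModel model;
    model.slowPath(structureId); // buffered, countdown starts
    unsigned noChange = 0;
    while (model.slowPath(structureId) != AccessResult::GeneratedNewCode)
        ++noChange;
    return noChange;
}
```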
1554
1555 2016-04-12  Saam barati  <sbarati@apple.com>
1556
1557         There is a race with the compiler thread and the main thread with result profiles
1558         https://bugs.webkit.org/show_bug.cgi?id=156503
1559
1560         Reviewed by Filip Pizlo.
1561
1562         The compiler thread should not be asking for a result
1563         profile while the execution thread is creating one.
1564         We must guard against such races with a lock.
1565
1566         * bytecode/CodeBlock.cpp:
1567         (JSC::CodeBlock::resultProfileForBytecodeOffset):
1568         (JSC::CodeBlock::ensureResultProfile):
1569         (JSC::CodeBlock::capabilityLevel):
1570         * bytecode/CodeBlock.h:
1571         (JSC::CodeBlock::couldTakeSlowCase):
1572         (JSC::CodeBlock::numberOfResultProfiles):
1573         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
1574         (JSC::CodeBlock::ensureResultProfile): Deleted.
1575
1576 2016-04-12  Commit Queue  <commit-queue@webkit.org>
1577
1578         Unreviewed, rolling out r199339.
1579         https://bugs.webkit.org/show_bug.cgi?id=156505
1580
1581         memset_s is indeed necessary (Requested by alexchristensen_ on
1582         #webkit).
1583
1584         Reverted changeset:
1585
1586         "Build fix after r199299."
1587         https://bugs.webkit.org/show_bug.cgi?id=155508
1588         http://trac.webkit.org/changeset/199339
1589
1590 2016-04-12  Guillaume Emont  <guijemont@igalia.com>
1591
1592         MIPS: add MacroAssemblerMIPS::store8(TrustedImm32,ImplicitAddress)
1593         https://bugs.webkit.org/show_bug.cgi?id=156481
1594
1595         This method with this signature is used by r199075, and therefore
1596         WebKit hasn't built on MIPS since then.
1597
1598         Reviewed by Mark Lam.
1599
1600         * assembler/MacroAssemblerMIPS.h:
1601         (JSC::MacroAssemblerMIPS::store8):
1602
1603 2016-04-12  Saam barati  <sbarati@apple.com>
1604
1605         We incorrectly parse arrow function expressions
1606         https://bugs.webkit.org/show_bug.cgi?id=156373
1607
1608         Reviewed by Mark Lam.
1609
1610         This patch removes the notion of "isEndOfArrowFunction".
1611         This was a very weird function and it was incorrect.
1612         It checked that the arrow functions with concise body
1613         grammar production "had a valid ending". "had a valid
1614         ending" is in quotes because concise body arrow functions
1615         have a valid ending as long as their body has a valid
1616         assignment expression. I've removed all notion of this
1617         function because it was wrong and was causing us
1618         to throw syntax errors on valid programs.
1619
1620         * parser/Lexer.cpp:
1621         (JSC::Lexer<T>::nextTokenIsColon):
1622         (JSC::Lexer<T>::lex):
1623         (JSC::Lexer<T>::setTokenPosition): Deleted.
1624         * parser/Lexer.h:
1625         (JSC::Lexer::setIsReparsingFunction):
1626         (JSC::Lexer::isReparsingFunction):
1627         (JSC::Lexer::lineNumber):
1628         * parser/Parser.cpp:
1629         (JSC::Parser<LexerType>::parseInner):
1630         (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBodySourceElements):
1631         (JSC::Parser<LexerType>::parseFunctionInfo):
1632         * parser/Parser.h:
1633         (JSC::Parser::matchIdentifierOrKeyword):
1634         (JSC::Parser::tokenStart):
1635         (JSC::Parser::autoSemiColon):
1636         (JSC::Parser::canRecurse):
1637         (JSC::Parser::isEndOfArrowFunction): Deleted.
1638         (JSC::Parser::setEndOfStatement): Deleted.
1639         * tests/stress/arrowfunction-others.js:
1640         (testCase):
1641         (simpleArrowFunction):
1642         (truthy):
1643         (falsey):
1644
1645 2016-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1646
1647         [JSC] addStaticGlobals should emit SymbolTableEntry watchpoints to encourage constant folding in DFG
1648         https://bugs.webkit.org/show_bug.cgi?id=155110
1649
1650         Reviewed by Saam Barati.
1651
1652         `addStaticGlobals` does not emit SymbolTableEntry watchpoints for the added entries.
1653         So, all the global variable lookups pointing to these static globals are not converted
1654         into constants in DFGBytecodeGenerator: this fact leaves these lookups as GetGlobalVar.
1655         This prevents constant folding and emits CheckCell for @privateFunction inlining.
1656         This operation is pure overhead.
1657
1658         Static globals are not configurable, and they are typically non-writable.
1659         So they are constants in almost all the cases.
1660
1661         This patch initializes watchpoints for these static globals.
1662         These watchpoints allow DFG to convert these nodes into constants in DFG BytecodeParser.
1663         These watchpoints include many builtin operations and `undefined`.
1664
1665         The microbenchmark many-foreach-calls shows a 5-7% improvement since it removes unnecessary CheckCell.
1666
1667         * bytecode/VariableWriteFireDetail.h:
1668         * runtime/JSGlobalObject.cpp:
1669         (JSC::JSGlobalObject::addGlobalVar):
1670         (JSC::JSGlobalObject::addStaticGlobals):
1671         * runtime/JSSymbolTableObject.h:
1672         (JSC::symbolTablePutTouchWatchpointSet):
1673         (JSC::symbolTablePutInvalidateWatchpointSet):
1674         (JSC::symbolTablePut):
1675         (JSC::symbolTablePutWithAttributesTouchWatchpointSet): Deleted.
1676         * runtime/SymbolTable.h:
1677         (JSC::SymbolTableEntry::SymbolTableEntry):
1678         (JSC::SymbolTableEntry::operator=):
1679         (JSC::SymbolTableEntry::swap):
1680
1681 2016-04-12  Alex Christensen  <achristensen@webkit.org>
1682
1683         Build fix after r199299.
1684         https://bugs.webkit.org/show_bug.cgi?id=155508
1685
1686         * jit/ExecutableAllocatorFixedVMPool.cpp:
1687         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1688         memset_s is not defined.  __STDC_WANT_LIB_EXT1__ is not defined anywhere.
1689         Since the return value is unused and set_constraint_handler_s is never called
1690         I'm changing it to memset.
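
memset_s is specified (C11 K.3.7.4.1) to be evaluated strictly as written, so unlike memset it cannot be dropped as a dead store when the cleared memory is never read again; that guarantee, not the return value or the constraint handler, is what replacing it with memset gives up and what the rollout of r199339 above restores. As an added example, not WebKit's code, the helper below keeps that guarantee portably (stores through a volatile pointer, or memset_s where __STDC_LIB_EXT1__ is defined) and two constructed scenarios check that the wipe takes effect; secureMemzero, countNonzero, wipeAfterUse and wipePrefix are assumed names.

```cpp
#define __STDC_WANT_LIB_EXT1__ 1 // request memset_s on Annex K platforms; must precede the includes
#include <cstddef>
#include <cstring>

// Hypothetical helper, not WebKit code. Zeroes n bytes such that the clearing
// cannot be removed as a dead store. Returns 0 on success, -1 for a null pointer.
int secureMemzero(void* p, std::size_t n)
{
    if (!p)
        return -1;
#ifdef __STDC_LIB_EXT1__
    // Annex K platform: memset_s must be evaluated exactly as written.
    return memset_s(p, n, 0, n) == 0 ? 0 : -1;
#else
    // Portable fallback: a store through a volatile pointer is an observable
    // side effect, so the optimizer has to keep every one of them.
    volatile unsigned char* vp = static_cast<volatile unsigned char*>(p);
    for (std::size_t i = 0; i < n; ++i)
        vp[i] = 0;
    return 0;
#endif
}

// Counts the bytes that are still non-zero, so a caller can verify a wipe.
std::size_t countNonzero(const unsigned char* p, std::size_t n)
{
    std::size_t count = 0;
    for (std::size_t i = 0; i < n; ++i)
        count += p[i] != 0;
    return count;
}

// Constructed scenario: a 32-byte value that must not outlive its use.
// Returns the number of non-zero bytes left behind (0 means the wipe took effect).
std::size_t wipeAfterUse()
{
    unsigned char secret[32];
    for (std::size_t i = 0; i < sizeof secret; ++i)
        secret[i] = static_cast<unsigned char>(0x41 + i); // constructed contents, never zero
    if (secureMemzero(secret, sizeof secret) != 0)
        return sizeof secret;                             // report failure as "nothing wiped"
    return countNonzero(secret, sizeof secret);
}

// Wipes only the first n bytes of the same constructed buffer and returns how many
// non-zero bytes remain, confirming that the length argument is honoured.
std::size_t wipePrefix(std::size_t n)
{
    unsigned char secret[32];
    for (std::size_t i = 0; i < sizeof secret; ++i)
        secret[i] = static_cast<unsigned char>(0x41 + i);
    if (n > sizeof secret || secureMemzero(secret, n) != 0)
        return sizeof secret;
    return countNonzero(secret, sizeof secret);
}
```

On toolchains without Annex K (glibc, for example) only the volatile fallback is compiled; memset_s is reached only where __STDC_LIB_EXT1__ is defined.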
1691
1692 2016-04-11  Benjamin Poulain  <bpoulain@apple.com>
1693
1694         [JSC] B3 can use undefined bits or not defined required bits when spilling
1695         https://bugs.webkit.org/show_bug.cgi?id=156486
1696
1697         Reviewed by Filip Pizlo.
1698
1699         Spilling had issues when replacing arguments in place.
1700
1701         The problems are:
1702         1) If we have a 32bit stackslot, an x86 instruction could still try to load 64bits from it.
1703         2) If we have a 64bit stackslot, Move32 would only set half the bits.
1704         3) We were reducing Move to Move32 even if the top bits are read from the stack slot.
1705
1706         Case 1 appears with something like this:
1707             Move32 %tmp0, %tmp1
1708             Op64 %tmp1, %tmp2, %tmp3
1709         When we spill %tmp1, the stack slot is 32bit, Move32 sets 32bits
1710         but Op64 supports addressing for %tmp1. When we substitute %tmp1 in Op64,
1711         we are creating a 64bit read for a 32bit stack slot.
1712
1713         Case 2 is another common one. If we have:
1714             BB#1
1715                 Move32 %tmp0, %tmp1
1716                 Jump #3
1717             BB#2
1718                 Op64 %tmp0, %tmp1
1719                 Jump #3
1720             BB#3
1721                 Use64 %tmp1
1722
1723         We have a stack slot of 64bits. When spilling %tmp1 in #1, we are
1724         effectively doing a 32bit store on the stack slot, leaving the top bits undefined.
1725
1726         Case 3 is pretty much the same as 2 but we create the Move32 ourselves
1727         because the source is a 32bit with ZDef.
1728
1729         Case (1) is solved by requiring that the stack slot is at least as large as the largest
1730         use/def of that tmp.
1731
1732         Cases (2) and (3) are solved by not replacing a Tmp by an Address if the Def
1733         is smaller than the stack slot.
1734
1735         * b3/air/AirIteratedRegisterCoalescing.cpp:
1736         * b3/testb3.cpp:
1737         (JSC::B3::testSpillDefSmallerThanUse):
1738         (JSC::B3::testSpillUseLargerThanDef):
1739         (JSC::B3::run):
1740
1741 2016-04-11  Brian Burg  <bburg@apple.com>
1742
1743         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
1744         https://bugs.webkit.org/show_bug.cgi?id=156407
1745         <rdar://problem/25627659>
1746
1747         Reviewed by Joseph Pecoraro.
1748
1749         There's no point having these subclasses as they don't save any space.
1750         Add a StringImpl to the union and merge some implementations of writeJSON.
1751
1752         Rename m_data to m_map and explicitly name the union as InspectorValue::m_value.
1753         If the value is a string and the string is not empty or null (i.e., it has a
1754         StringImpl), then we need to ref() and deref() the string as the InspectorValue
1755         is created or destroyed.
1756
1757         Move uses of the subclass to InspectorValue and delete redundant methods.
1758         Now, most InspectorValue methods are non-virtual so they can be templated.
1759
1760         * bindings/ScriptValue.cpp:
1761         (Deprecated::jsToInspectorValue):
1762         * inspector/InjectedScriptBase.cpp:
1763         (Inspector::InjectedScriptBase::makeCall):
1764         Don't use deleted subclasses.
1765
1766         * inspector/InspectorValues.cpp:
1767         (Inspector::InspectorValue::null):
1768         (Inspector::InspectorValue::create):
1769         (Inspector::InspectorValue::asValue):
1770         (Inspector::InspectorValue::asBoolean):
1771         (Inspector::InspectorValue::asDouble):
1772         (Inspector::InspectorValue::asInteger):
1773         (Inspector::InspectorValue::asString):
1774         These only need one implementation now.
1775
1776         (Inspector::InspectorValue::writeJSON):
1777         Still a virtual method since Object and Array need their members.
1778
1779         (Inspector::InspectorObjectBase::InspectorObjectBase):
1780         (Inspector::InspectorBasicValue::asBoolean): Deleted.
1781         (Inspector::InspectorBasicValue::asDouble): Deleted.
1782         (Inspector::InspectorBasicValue::asInteger): Deleted.
1783         (Inspector::InspectorBasicValue::writeJSON): Deleted.
1784         (Inspector::InspectorString::asString): Deleted.
1785         (Inspector::InspectorString::writeJSON): Deleted.
1786         (Inspector::InspectorString::create): Deleted.
1787         (Inspector::InspectorBasicValue::create): Deleted.
1788
1789         * inspector/InspectorValues.h:
1790         (Inspector::InspectorObjectBase::find):
1791         (Inspector::InspectorObjectBase::setBoolean):
1792         (Inspector::InspectorObjectBase::setInteger):
1793         (Inspector::InspectorObjectBase::setDouble):
1794         (Inspector::InspectorObjectBase::setString):
1795         (Inspector::InspectorObjectBase::setValue):
1796         (Inspector::InspectorObjectBase::setObject):
1797         (Inspector::InspectorObjectBase::setArray):
1798         (Inspector::InspectorArrayBase::pushBoolean):
1799         (Inspector::InspectorArrayBase::pushInteger):
1800         (Inspector::InspectorArrayBase::pushDouble):
1801         (Inspector::InspectorArrayBase::pushString):
1802         (Inspector::InspectorArrayBase::pushValue):
1803         (Inspector::InspectorArrayBase::pushObject):
1804         (Inspector::InspectorArrayBase::pushArray):
1805         Use new factory methods.
1806
1807         * replay/EncodedValue.cpp:
1808         (JSC::ScalarEncodingTraits<bool>::encodeValue):
1809         (JSC::ScalarEncodingTraits<double>::encodeValue):
1810         (JSC::ScalarEncodingTraits<float>::encodeValue):
1811         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
1812         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
1813         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
1814         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
1815         * replay/EncodedValue.h:
1816         Use new factory methods.
1817
1818 2016-04-11  Filip Pizlo  <fpizlo@apple.com>
1819
1820         It should be possible to edit StructureStubInfo without recompiling the world
1821         https://bugs.webkit.org/show_bug.cgi?id=156470
1822
1823         Reviewed by Keith Miller.
1824
1825         This change makes it less painful to make changes to the IC code. It used to be that any
1826         change to StructureStubInfo caused every JIT-related file to get recompiled. Now only a
1827         smaller set of files - ones that actually peek into StructureStubInfo - will recompile. This
1828         is mainly because CodeBlock.h no longer includes StructureStubInfo.h.
1829
1830         * bytecode/ByValInfo.h:
1831         * bytecode/CodeBlock.cpp:
1832         * bytecode/CodeBlock.h:
1833         * bytecode/GetByIdStatus.cpp:
1834         * bytecode/GetByIdStatus.h:
1835         * bytecode/PutByIdStatus.cpp:
1836         * bytecode/PutByIdStatus.h:
1837         * bytecode/StructureStubInfo.h:
1838         (JSC::getStructureStubInfoCodeOrigin):
1839         * dfg/DFGByteCodeParser.cpp:
1840         * dfg/DFGJITCompiler.cpp:
1841         * dfg/DFGOSRExitCompilerCommon.cpp:
1842         * dfg/DFGSpeculativeJIT.h:
1843         * ftl/FTLLowerDFGToB3.cpp:
1844         * ftl/FTLSlowPathCall.h:
1845         * jit/IntrinsicEmitter.cpp:
1846         * jit/JITInlineCacheGenerator.cpp:
1847         * jit/JITInlineCacheGenerator.h:
1848         * jit/JITOperations.cpp:
1849         * jit/JITPropertyAccess.cpp:
1850         * jit/JITPropertyAccess32_64.cpp:
1851
1852 2016-04-11  Skachkov Oleksandr  <gskachkov@gmail.com>
1853
1854         Remove NewArrowFunction from DFG IR
1855         https://bugs.webkit.org/show_bug.cgi?id=156439
1856
1857         Reviewed by Saam Barati.
1858
1859         It seems that NewArrowFunction was left in DFG IR during refactoring by mistake.
1860
1861         * dfg/DFGAbstractInterpreterInlines.h:
1862         * dfg/DFGClobberize.h:
1863         (JSC::DFG::clobberize):
1864         * dfg/DFGClobbersExitState.cpp:
1865         * dfg/DFGDoesGC.cpp:
1866         * dfg/DFGFixupPhase.cpp:
1867         * dfg/DFGMayExit.cpp:
1868         * dfg/DFGNode.h:
1869         (JSC::DFG::Node::convertToPhantomNewFunction):
1870         * dfg/DFGNodeType.h:
1871         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1872         * dfg/DFGPredictionPropagationPhase.cpp:
1873         * dfg/DFGSafeToExecute.h:
1874         * dfg/DFGSpeculativeJIT.cpp:
1875         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1876         * dfg/DFGSpeculativeJIT32_64.cpp:
1877         * dfg/DFGSpeculativeJIT64.cpp:
1878         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1879         * dfg/DFGStructureRegistrationPhase.cpp:
1880         * ftl/FTLCapabilities.cpp:
1881         * ftl/FTLLowerDFGToB3.cpp:
1882         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1883
1884 2016-04-05  Oliver Hunt  <oliver@apple.com>
1885
1886         Remove compile time define for SEPARATED_HEAP
1887         https://bugs.webkit.org/show_bug.cgi?id=155508
1888
1889         Reviewed by Mark Lam.
1890
1891         Remove the SEPARATED_HEAP compile time flag. The separated
1892         heap is available, but off by default, on x86_64, ARMv7, and
1893         ARM64.
1894
1895         Working through the issues that happened last time essentially
1896         required implementing the ARMv7 path for the separated heap
1897         just so I could find all the ways it was going wrong.
1898
1899         We fixed all the logic by making the branch and jump logic in
1900         the linker and assemblers take two parameters, the location to
1901         write to, and the location we'll actually be writing to. We
1902         need to do this because it's no longer sufficient to compute
1903         jumps relative to the region the linker is writing to.
1904
1905         The repatching jump, branch, and call functions only need the
1906         executable address as the patching is performed directly using
1907         the performJITMemcpy function, which works in terms of the executable
1908         address.
1909
1910         There is no performance impact on jsc-benchmarks with the separate
1911         heap either enabled or disabled.
1912
1913         * Configurations/FeatureDefines.xcconfig:
1914         * assembler/ARM64Assembler.h:
1915         (JSC::ARM64Assembler::linkJump):
1916         (JSC::ARM64Assembler::linkCall):
1917         (JSC::ARM64Assembler::relinkJump):
1918         (JSC::ARM64Assembler::relinkCall):
1919         (JSC::ARM64Assembler::link):
1920         (JSC::ARM64Assembler::linkJumpOrCall):
1921         (JSC::ARM64Assembler::linkCompareAndBranch):
1922         (JSC::ARM64Assembler::linkConditionalBranch):
1923         (JSC::ARM64Assembler::linkTestAndBranch):
1924         (JSC::ARM64Assembler::relinkJumpOrCall):
1925         * assembler/ARMv7Assembler.h:
1926         (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
1927         (JSC::ARMv7Assembler::revertJumpTo_movT3):
1928         (JSC::ARMv7Assembler::link):
1929         (JSC::ARMv7Assembler::linkJump):
1930         (JSC::ARMv7Assembler::relinkJump):
1931         (JSC::ARMv7Assembler::repatchCompact):
1932         (JSC::ARMv7Assembler::replaceWithJump):
1933         (JSC::ARMv7Assembler::replaceWithLoad):
1934         (JSC::ARMv7Assembler::replaceWithAddressComputation):
1935         (JSC::ARMv7Assembler::setInt32):
1936         (JSC::ARMv7Assembler::setUInt7ForLoad):
1937         (JSC::ARMv7Assembler::isB):
1938         (JSC::ARMv7Assembler::isBX):
1939         (JSC::ARMv7Assembler::isMOV_imm_T3):
1940         (JSC::ARMv7Assembler::isMOVT):
1941         (JSC::ARMv7Assembler::isNOP_T1):
1942         (JSC::ARMv7Assembler::isNOP_T2):
1943         (JSC::ARMv7Assembler::linkJumpT1):
1944         (JSC::ARMv7Assembler::linkJumpT2):
1945         (JSC::ARMv7Assembler::linkJumpT3):
1946         (JSC::ARMv7Assembler::linkJumpT4):
1947         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1948         (JSC::ARMv7Assembler::linkBX):
1949         (JSC::ARMv7Assembler::linkConditionalBX):
1950         (JSC::ARMv7Assembler::linkJumpAbsolute):
1951         * assembler/LinkBuffer.cpp:
1952         (JSC::LinkBuffer::copyCompactAndLinkCode):
1953         * assembler/MacroAssemblerARM64.h:
1954         (JSC::MacroAssemblerARM64::link):
1955         * assembler/MacroAssemblerARMv7.h:
1956         (JSC::MacroAssemblerARMv7::link):
1957         * jit/ExecutableAllocator.h:
1958         (JSC::performJITMemcpy):
1959         * jit/ExecutableAllocatorFixedVMPool.cpp:
1960         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1961         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
1962         (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
1963         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted.
1964         * runtime/Options.cpp:
1965         (JSC::recomputeDependentOptions):
1966         * runtime/Options.h:
1967
1968 2016-04-10  Filip Pizlo  <fpizlo@apple.com>
1969
1970         Clean up how we reason about the states of AccessCases
1971         https://bugs.webkit.org/show_bug.cgi?id=156454
1972
1973         Reviewed by Mark Lam.
1974         
1975         Currently when we add an AccessCase to a PolymorphicAccess stub, we regenerate the stub.
1976         That means that as we grow a stub to have N cases, we will do O(N^2) generation work. I want
1977         to explore buffering AccessCases so that we can do O(N) generation work instead. But
1978         before I go there, I want to make sure that the statefulness of AccessCase makes sense. So,
1979         I broke it down into three different states and added assertions about the transitions. I
1980         also broke out a separate operation called AccessCase::commit(), which is the work that
1981         cannot be buffered since there cannot be any JS effects between when the AccessCase was
1982         created and when we do the work in commit().
1983         
1984         This opens up a fairly obvious path to buffering AccessCases: add them to the list without
1985         regenerating. Then when we do eventually trigger regeneration, those cases will get cloned
1986         and generated automagically. This patch doesn't implement this technique yet, but gives us
1987         an opportunity to independently test the scaffolding necessary to do it.
1988
1989         This is perf-neutral on lots of tests.
1990
1991         * bytecode/PolymorphicAccess.cpp:
1992         (JSC::AccessGenerationResult::dump):
1993         (JSC::AccessCase::clone):
1994         (JSC::AccessCase::commit):
1995         (JSC::AccessCase::guardedByStructureCheck):
1996         (JSC::AccessCase::dump):
1997         (JSC::AccessCase::generateWithGuard):
1998         (JSC::AccessCase::generate):
1999         (JSC::AccessCase::generateImpl):
2000         (JSC::PolymorphicAccess::regenerateWithCases):
2001         (JSC::PolymorphicAccess::regenerate):
2002         (WTF::printInternal):
2003         * bytecode/PolymorphicAccess.h:
2004         (JSC::AccessCase::type):
2005         (JSC::AccessCase::state):
2006         (JSC::AccessCase::offset):
2007         (JSC::AccessCase::viaProxy):
2008         (JSC::AccessCase::callLinkInfo):
2009         * bytecode/StructureStubInfo.cpp:
2010         (JSC::StructureStubInfo::addAccessCase):
2011         * bytecode/Watchpoint.h:
2012         * dfg/DFGOperations.cpp:
2013         * jit/Repatch.cpp:
2014         (JSC::repatchGetByID):
2015         (JSC::repatchPutByID):
2016         (JSC::repatchIn):
2017         * runtime/VM.cpp:
2018         (JSC::VM::dumpRegExpTrace):
2019         (JSC::VM::ensureWatchpointSetForImpureProperty):
2020         (JSC::VM::registerWatchpointForImpureProperty):
2021         (JSC::VM::addImpureProperty):
2022         * runtime/VM.h:
2023
2024 2016-04-11  Fujii Hironori  <Hironori.Fujii@jp.sony.com>
2025
2026         [CMake] Make FOLDER property INHERITED
2027         https://bugs.webkit.org/show_bug.cgi?id=156460
2028
2029         Reviewed by Brent Fulgham.
2030
2031         * CMakeLists.txt:
2032         * shell/CMakeLists.txt:
2033         * shell/PlatformWin.cmake:
2034         Set the FOLDER property as a directory property, not a target property.
2035
2036 2016-04-09  Keith Miller  <keith_miller@apple.com>
2037
2038         tryGetById should be supported by the DFG/FTL
2039         https://bugs.webkit.org/show_bug.cgi?id=156378
2040
2041         Reviewed by Filip Pizlo.
2042
2043         This patch adds support for tryGetById in the DFG/FTL. It adds a new DFG node
2044         TryGetById, which acts similarly to the normal GetById DFG node. One key
2045         difference between GetById and TryGetById is that in the LLInt and Baseline
2046         we do not profile the result type. This profiling is unnecessary for the current
2047         use case of tryGetById, which is expected to be a strict equality comparison
2048         against a specific object or undefined. In either case other DFG optimizations
2049         will make this equally fast with or without the profiling information.
2050
2051         Additionally, this patch adds new reuse modes for JSValueRegsTemporary that take
2052         an operand and attempt to reuse the registers for that operand if they are free
2053         after the current DFG node.
2054
2055         * bytecode/GetByIdStatus.cpp:
2056         (JSC::GetByIdStatus::computeFromLLInt):
2057         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2058         * dfg/DFGAbstractInterpreterInlines.h:
2059         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2060         * dfg/DFGByteCodeParser.cpp:
2061         (JSC::DFG::ByteCodeParser::handleGetById):
2062         (JSC::DFG::ByteCodeParser::parseBlock):
2063         * dfg/DFGCapabilities.cpp:
2064         (JSC::DFG::capabilityLevel):
2065         * dfg/DFGClobberize.h:
2066         (JSC::DFG::clobberize):
2067         * dfg/DFGDoesGC.cpp:
2068         (JSC::DFG::doesGC):
2069         * dfg/DFGFixupPhase.cpp:
2070         (JSC::DFG::FixupPhase::fixupNode):
2071         * dfg/DFGNode.h:
2072         (JSC::DFG::Node::hasIdentifier):
2073         * dfg/DFGNodeType.h:
2074         * dfg/DFGPredictionPropagationPhase.cpp:
2075         (JSC::DFG::PredictionPropagationPhase::propagate):
2076         * dfg/DFGSafeToExecute.h:
2077         (JSC::DFG::safeToExecute):
2078         * dfg/DFGSpeculativeJIT.cpp:
2079         (JSC::DFG::SpeculativeJIT::compileTryGetById):
2080         (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
2081         * dfg/DFGSpeculativeJIT.h:
2082         (JSC::DFG::GPRTemporary::operator=):
2083         * dfg/DFGSpeculativeJIT32_64.cpp:
2084         (JSC::DFG::SpeculativeJIT::cachedGetById):
2085         (JSC::DFG::SpeculativeJIT::compile):
2086         * dfg/DFGSpeculativeJIT64.cpp:
2087         (JSC::DFG::SpeculativeJIT::cachedGetById):
2088         (JSC::DFG::SpeculativeJIT::compile):
2089         * ftl/FTLCapabilities.cpp:
2090         (JSC::FTL::canCompile):
2091         * ftl/FTLLowerDFGToB3.cpp:
2092         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2093         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2094         (JSC::FTL::DFG::LowerDFGToB3::getById):
2095         * jit/JITOperations.cpp:
2096         * jit/JITOperations.h:
2097         * tests/stress/try-get-by-id.js:
2098         (tryGetByIdTextStrict):
2099         (get let):
2100         (let.get createBuiltin):
2101         (get throw):
2102         (getCaller.obj.1.throw.new.Error): Deleted.
2103
2104 2016-04-09  Saam barati  <sbarati@apple.com>
2105
2106         Allocation sinking SSA Defs are allowed to have replacements
2107         https://bugs.webkit.org/show_bug.cgi?id=156444
2108
2109         Reviewed by Filip Pizlo.
2110
2111         Consider the following program and the annotations that explain why
2112         the SSA defs we create in allocation sinking can have replacements.
2113
2114         function foo(a1) {
2115             let o1 = {x: 20, y: 50};
2116             let o2 = {y: 40, o1: o1};
2117             let o3 = {};
2118         
2119             // We're Defing a new variable here, call it o3_field.
2120             // o3_field is defing the value that is the result of 
2121             // a GetByOffset that gets eliminated through allocation sinking.
2122             o3.field = o1.y;
2123         
2124             dontCSE();
2125         
2126             // This control flow is here to not allow the phase to consult
2127             // its local SSA mapping (which properly handles replacements)
2128             // for the value of o3_field.
2129             if (a1) {
2130                 a1 = true; 
2131             } else {
2132                 a1 = false;
2133             }
2134         
2135             // Here, we ask for the reaching def of o3_field, and assert
2136             // it doesn't have a replacement. It does have a replacement
2137             // though. The original Def was the GetByOffset. We replaced
2138             // that GetByOffset with the value of the o1_y variable.
2139             let value = o3.field;
2140             assert(value === 50);
2141         }
2142
2143         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2144         * tests/stress/allocation-sinking-defs-may-have-replacements.js: Added.
2145         (dontCSE):
2146         (assert):
2147         (foo):
2148
2149 2016-04-09  Commit Queue  <commit-queue@webkit.org>
2150
2151         Unreviewed, rolling out r199242.
2152         https://bugs.webkit.org/show_bug.cgi?id=156442
2153
2154         Caused many many leaks (Requested by ap on #webkit).
2155
2156         Reverted changeset:
2157
2158         "Web Inspector: get rid of InspectorBasicValue and
2159         InspectorString subclasses"
2160         https://bugs.webkit.org/show_bug.cgi?id=156407
2161         http://trac.webkit.org/changeset/199242
2162
2163 2016-04-09  Filip Pizlo  <fpizlo@apple.com>
2164
2165         Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool
2166         https://bugs.webkit.org/show_bug.cgi?id=156406
2167
2168         Reviewed by Saam Barati.
2169
2170         The failure was because the GC ran from within the butterfly allocation call in a put_by_id
2171         transition AccessCase that had to deal with indexing storage. When the GC runs in a call from a stub,
2172         then we need to be extra careful:
2173
2174         1) The GC may reset the IC and delete the stub. So, the stub needs to tell the GC that it might be on
2175            the stack during GC, so that the GC keeps it alive if it's currently running.
2176         
2177         2) If the stub uses (dereferences or stores) some object after the call, then we need to ensure that
2178            the stub routine knows about that object independently of the IC.
2179         
2180         In the case of put_by_id transitions that use a helper to allocate the butterfly, we have both
2181         issues. A long time ago, we had to deal with (2), and we still had code to handle that case, although
2182         it appears to be dead. This change revives that code and glues it together with PolymorphicAccess.
2183
2184         * bytecode/PolymorphicAccess.cpp:
2185         (JSC::AccessCase::alternateBase):
2186         (JSC::AccessCase::doesCalls):
2187         (JSC::AccessCase::couldStillSucceed):
2188         (JSC::AccessCase::generate):
2189         (JSC::PolymorphicAccess::regenerate):
2190         * bytecode/PolymorphicAccess.h:
2191         (JSC::AccessCase::customSlotBase):
2192         (JSC::AccessCase::isGetter):
2193         (JSC::AccessCase::doesCalls): Deleted.
2194         * jit/GCAwareJITStubRoutine.cpp:
2195         (JSC::GCAwareJITStubRoutine::markRequiredObjectsInternal):
2196         (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
2197         (JSC::MarkingGCAwareJITStubRoutine::~MarkingGCAwareJITStubRoutine):
2198         (JSC::MarkingGCAwareJITStubRoutine::markRequiredObjectsInternal):
2199         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
2200         (JSC::createJITStubRoutine):
2201         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
2202         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::~MarkingGCAwareJITStubRoutineWithOneObject): Deleted.
2203         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal): Deleted.
2204         * jit/GCAwareJITStubRoutine.h:
2205         (JSC::createJITStubRoutine):
2206
2207 2016-04-08  Joseph Pecoraro  <pecoraro@apple.com>
2208
2209         Web Inspector: XHRs and Web Worker scripts are not searchable
2210         https://bugs.webkit.org/show_bug.cgi?id=154214
2211         <rdar://problem/24643587>
2212
2213         Reviewed by Timothy Hatcher.
2214
2215         * inspector/protocol/Page.json:
2216         Add optional requestId to search results properties and search
2217         parameters for when the frameId and url are not enough. XHR
2218         resources, and "Other" resources will use this.
2219
2220 2016-04-08  Guillaume Emont  <guijemont@igalia.com>
2221
2222         MIPS: support Signed cond in branchTest32()
2223         https://bugs.webkit.org/show_bug.cgi?id=156260
2224
2225         This is needed since r197688 makes use of it.
2226
2227         Reviewed by Mark Lam.
2228
2229         * assembler/MacroAssemblerMIPS.h:
2230         (JSC::MacroAssemblerMIPS::branchTest32):
2231
2232 2016-04-08  Alex Christensen  <achristensen@webkit.org>
2233
2234         Progress towards running CMake WebKit2 on Mac
2235         https://bugs.webkit.org/show_bug.cgi?id=156426
2236
2237         Reviewed by Tim Horton.
2238
2239         * PlatformMac.cmake:
2240
2241 2016-04-08  Saam barati  <sbarati@apple.com>
2242
2243         Debugger may dereference m_currentCallFrame even after the VM has gone idle
2244         https://bugs.webkit.org/show_bug.cgi?id=156413
2245
2246         Reviewed by Mark Lam.
2247
2248         There is a bug where the debugger may dereference its m_currentCallFrame
2249         pointer after that pointer becomes invalid to read from. This happens like so:
2250
2251         We may step over an instruction which causes the end of execution for the
2252         current program. This causes the VM to exit. Then, we perform a GC which
2253         causes us to collect the global object. The global object being collected
2254         causes us to detach the debugger. In detaching, we think we still have a 
2255         valid m_currentCallFrame, we dereference it, and crash. The solution is to
2256         make sure we're paused when dereferencing this pointer inside ::detach().
2257
2258         * debugger/Debugger.cpp:
2259         (JSC::Debugger::detach):
2260
2261 2016-04-08  Brian Burg  <bburg@apple.com>
2262
2263         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
2264         https://bugs.webkit.org/show_bug.cgi?id=156407
2265         <rdar://problem/25627659>
2266
2267         Reviewed by Timothy Hatcher.
2268
2269         There's no point having these subclasses as they don't save any space.
2270         Add m_stringValue to the union and merge some implementations of writeJSON.
2271         Move uses of the subclass to InspectorValue and delete redundant methods.
2272         Now, most InspectorValue methods are non-virtual so they can be templated.
2273
2274         * bindings/ScriptValue.cpp:
2275         (Deprecated::jsToInspectorValue):
2276         * inspector/InjectedScriptBase.cpp:
2277         (Inspector::InjectedScriptBase::makeCall):
2278         Don't use deleted subclasses.
2279
2280         * inspector/InspectorValues.cpp:
2281         (Inspector::InspectorValue::null):
2282         (Inspector::InspectorValue::create):
2283         (Inspector::InspectorValue::asValue):
2284         (Inspector::InspectorValue::asBoolean):
2285         (Inspector::InspectorValue::asDouble):
2286         (Inspector::InspectorValue::asInteger):
2287         (Inspector::InspectorValue::asString):
2288         These only need one implementation now.
2289
2290         (Inspector::InspectorValue::writeJSON):
2291         Still a virtual method since Object and Array need their members.
2292
2293         (Inspector::InspectorObjectBase::InspectorObjectBase):
2294         (Inspector::InspectorBasicValue::asBoolean): Deleted.
2295         (Inspector::InspectorBasicValue::asDouble): Deleted.
2296         (Inspector::InspectorBasicValue::asInteger): Deleted.
2297         (Inspector::InspectorBasicValue::writeJSON): Deleted.
2298         (Inspector::InspectorString::asString): Deleted.
2299         (Inspector::InspectorString::writeJSON): Deleted.
2300         (Inspector::InspectorString::create): Deleted.
2301         (Inspector::InspectorBasicValue::create): Deleted.
2302
2303         * inspector/InspectorValues.h:
2304         (Inspector::InspectorObjectBase::setBoolean):
2305         (Inspector::InspectorObjectBase::setInteger):
2306         (Inspector::InspectorObjectBase::setDouble):
2307         (Inspector::InspectorObjectBase::setString):
2308         (Inspector::InspectorArrayBase::pushBoolean):
2309         (Inspector::InspectorArrayBase::pushInteger):
2310         (Inspector::InspectorArrayBase::pushDouble):
2311         (Inspector::InspectorArrayBase::pushString):
2312         Use new factory methods.
2313
2314         * replay/EncodedValue.cpp:
2315         (JSC::ScalarEncodingTraits<bool>::encodeValue):
2316         (JSC::ScalarEncodingTraits<double>::encodeValue):
2317         (JSC::ScalarEncodingTraits<float>::encodeValue):
2318         (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
2319         (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
2320         (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
2321         (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
2322         * replay/EncodedValue.h:
2323         Use new factory methods.
2324
2325 2016-04-08  Filip Pizlo  <fpizlo@apple.com>
2326
2327         Add IC support for arguments.length
2328         https://bugs.webkit.org/show_bug.cgi?id=156389
2329
2330         Reviewed by Geoffrey Garen.
2331         
2332         This adds support for caching accesses to arguments.length for both DirectArguments and
2333         ScopedArguments. In strict mode, we already cached these accesses since they were just
2334         normal properties.
2335
2336         Amazingly, we also already supported caching of overridden arguments.length in both
2337         DirectArguments and ScopedArguments. This is because when you override, the property gets
2338         materialized as a normal JS property and the structure is changed.
2339         
2340         This patch painstakingly preserves our previous caching of overridden length while
2341         introducing caching of non-overridden length (i.e. the common case). In fact, we even cache
2342         the case where it could either be overridden or not, since we just end up with an AccessCase
2343         for each and they cascade to each other.
2344
2345         This is a >3x speed-up on microbenchmarks that do arguments.length in a polymorphic context.
2346         Entirely monomorphic accesses were already handled by the DFG.
2347
2348         * bytecode/PolymorphicAccess.cpp:
2349         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
2350         (JSC::AccessCase::guardedByStructureCheck):
2351         (JSC::AccessCase::generateWithGuard):
2352         (JSC::AccessCase::generate):
2353         (WTF::printInternal):
2354         * bytecode/PolymorphicAccess.h:
2355         * jit/ICStats.h:
2356         * jit/JITOperations.cpp:
2357         * jit/Repatch.cpp:
2358         (JSC::tryCacheGetByID):
2359         (JSC::tryCachePutByID):
2360         (JSC::tryRepatchIn):
2361         * tests/stress/direct-arguments-override-length-then-access-normal-length.js: Added.
2362         (args):
2363         (foo):
2364         (result.foo):
2365
2366 2016-04-08  Benjamin Poulain  <bpoulain@apple.com>
2367
2368         UInt32ToNumber should have an Int52 path
2369         https://bugs.webkit.org/show_bug.cgi?id=125704
2370
2371         Reviewed by Filip Pizlo.
2372
2373         When dealing with big numbers, fall back to Int52 instead
2374         of double when possible.
2375
2376         * dfg/DFGAbstractInterpreterInlines.h:
2377         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2378         * dfg/DFGFixupPhase.cpp:
2379         (JSC::DFG::FixupPhase::fixupNode):
2380         * dfg/DFGPredictionPropagationPhase.cpp:
2381         (JSC::DFG::PredictionPropagationPhase::propagate):
2382         * dfg/DFGSpeculativeJIT.cpp:
2383         (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
2384         * ftl/FTLLowerDFGToB3.cpp:
2385         (JSC::FTL::DFG::LowerDFGToB3::compileUInt32ToNumber):
2386
2387 2016-04-08  Brian Burg  <bburg@apple.com>
2388
2389         Web Inspector: protocol generator should emit an error when 'type' is used instead of '$ref'
2390         https://bugs.webkit.org/show_bug.cgi?id=156275
2391         <rdar://problem/25569331>
2392
2393         Reviewed by Darin Adler.
2394
2395         * inspector/protocol/Heap.json: Fix a mistake that's now caught by the protocol generator.
2396
2397         * inspector/scripts/codegen/models.py:
2398         (TypeReference.__init__): Check here if type_kind is on a whitelist of primitive types.
2399         (TypeReference.referenced_name): Update comment.
2400
2401         Add a new test specifically for the case when the type would otherwise be resolved. Rebaseline.
2402
2403         * inspector/scripts/tests/expected/fail-on-type-reference-as-primitive-type.json-error: Added.
2404         * inspector/scripts/tests/expected/fail-on-unknown-type-reference-in-type-declaration.json-error:
2405         * inspector/scripts/tests/fail-on-type-reference-as-primitive-type.json: Added.
2406
2407 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
2408
2409         Remove ENABLE(ENABLE_ES6_CLASS_SYNTAX) guards
2410         https://bugs.webkit.org/show_bug.cgi?id=156384
2411
2412         Reviewed by Ryosuke Niwa.
2413
2414         * Configurations/FeatureDefines.xcconfig:
2415         * features.json: Mark as Done.
2416         * parser/Parser.cpp:
2417         (JSC::Parser<LexerType>::parseExportDeclaration):
2418         (JSC::Parser<LexerType>::parseStatementListItem):
2419         (JSC::Parser<LexerType>::parsePrimaryExpression):
2420         (JSC::Parser<LexerType>::parseMemberExpression):
2421
2422 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
2423
2424         Implementing caching transition puts that need to reallocate with indexing storage
2425         https://bugs.webkit.org/show_bug.cgi?id=130914
2426
2427         Reviewed by Saam Barati.
2428
2429         This enables the IC's put_by_id path to handle reallocating the out-of-line storage even if
2430         the butterfly has indexing storage. Like the DFG, we do this by calling operations that
2431         reallocate the butterfly. Those use JSObject API and do all of the nasty work for us, like
2432         triggering a barrier.
2433
2434         This does a bunch of refactoring to how PolymorphicAccess makes calls. It's a lot easier to
2435         do it now because the hard work is hidden under AccessGenerationState methods. This means
2436         that custom accessors now share logic with put_by_id transitions.
2437
2438         * bytecode/PolymorphicAccess.cpp:
2439         (JSC::AccessGenerationState::succeed):
2440         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
2441         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
2442         (JSC::AccessGenerationState::originalCallSiteIndex):
2443         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2444         (JSC::AccessCase::AccessCase):
2445         (JSC::AccessCase::transition):
2446         (JSC::AccessCase::generate):
2447         (JSC::PolymorphicAccess::regenerate):
2448         * bytecode/PolymorphicAccess.h:
2449         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
2450         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
2451         * dfg/DFGOperations.cpp:
2452         * dfg/DFGOperations.h:
2453         * jit/JITOperations.cpp:
2454         * jit/JITOperations.h:
2455
2456 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
2457
2458         Remote Inspector: When disallowing remote inspection on a debuggable, a listing is still sent to debuggers
2459         https://bugs.webkit.org/show_bug.cgi?id=156380
2460         <rdar://problem/25323727>
2461
2462         Reviewed by Timothy Hatcher.
2463
2464         * inspector/remote/RemoteInspector.mm:
2465         (Inspector::RemoteInspector::updateTarget):
2466         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
2467         When a target has been updated and it no longer generates a listing,
2468         we should remove the old listing as that is now stale and should
2469         not be sent. Not generating a listing means this target is no
2470         longer allowed to be debugged.
2471
2472 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
2473
2474         Web Inspector: Not necessary to validate webinspectord connection on iOS
2475         https://bugs.webkit.org/show_bug.cgi?id=156377
2476         <rdar://problem/25612460>
2477
2478         Reviewed by Simon Fraser.
2479
2480         * inspector/remote/RemoteInspectorXPCConnection.h:
2481         * inspector/remote/RemoteInspectorXPCConnection.mm:
2482         (Inspector::RemoteInspectorXPCConnection::handleEvent):
2483
2484 2016-04-07  Keith Miller  <keith_miller@apple.com>
2485
2486         Rename ArrayMode::supportsLength to supportsSelfLength
2487         https://bugs.webkit.org/show_bug.cgi?id=156374
2488
2489         Reviewed by Filip Pizlo.
2490
2491         The name supportsLength is confusing because TypedArrays have a
2492         length function; however, it is on the prototype and not on the
2493         instance. supportsSelfLength makes more sense since we use the
2494         function during fixup to tell if we can intrinsic the length
2495         property lookup on self accesses.
2496
2497         * dfg/DFGArrayMode.h:
2498         (JSC::DFG::ArrayMode::supportsSelfLength):
2499         (JSC::DFG::ArrayMode::supportsLength): Deleted.
2500         * dfg/DFGFixupPhase.cpp:
2501         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
2502
2503 2016-04-07  Joseph Pecoraro  <pecoraro@apple.com>
2504
2505         Web Inspector: ProfileView source links are off by 1 line, worse in pretty printed code
2506         https://bugs.webkit.org/show_bug.cgi?id=156371
2507
2508         Reviewed by Timothy Hatcher.
2509
2510         * inspector/protocol/ScriptProfiler.json:
2511         Clarify that these locations are 1-based.
2512
2513 2016-04-07  Jon Davis  <jond@apple.com>
2514
2515         Add Web Animations API to Feature Status Page
2516         https://bugs.webkit.org/show_bug.cgi?id=156360
2517
2518         Reviewed by Timothy Hatcher.
2519
2520         * features.json:
2521
2522 2016-04-07  Saam barati  <sbarati@apple.com>
2523
2524         Invalid assertion inside DebuggerScope::getOwnPropertySlot
2525         https://bugs.webkit.org/show_bug.cgi?id=156357
2526
2527         Reviewed by Keith Miller.
2528
2529         The Type Profiler might profile JS code that uses DebuggerScope and accesses properties
2530         on it. Therefore, it may have a DebuggerScope object in its log. Objects in the log
2531         are subject to having their getOwnPropertySlot method called. Therefore, the DebuggerScope
2532         might not always be in a valid state when its getOwnPropertySlot method is called.
2533         Therefore, the assertion is invalid.
2534
2535         * debugger/DebuggerScope.cpp:
2536         (JSC::DebuggerScope::getOwnPropertySlot):
2537
2538 2016-04-07  Saam barati  <sbarati@apple.com>
2539
2540         Initial implementation of annex b.3.3 behavior was incorrect
2541         https://bugs.webkit.org/show_bug.cgi?id=156276
2542
2543         Reviewed by Keith Miller.
2544
2545         I almost got annex B.3.3 correct in my first implementation.
2546         There is a subtlety here I got wrong. We always create a local binding for
2547         a function at the very beginning of execution of a block scope. So we
2548         hoist function declarations to their local binding within a given
2549         block scope. When we actually evaluate the function declaration statement
2550         itself, we must lookup the binding in the current scope, and bind the
2551         value to the binding in the "var" scope. We perform the following
2552         abstract operations when executing a function declaration statement.
2553
2554         f = lookupBindingInCurrentScope("func")
2555         store(varScope, "func", f)
2556
2557         I got this wrong by performing the store to the var binding at the beginning
2558         of the block scope instead of when we evaluate the function declaration statement.
2559         This behavior is observable. For example, a program could change the value
2560         of "func" before the actual function declaration statement executes.
2561         Consider the following two functions:
2562         ```
2563         function foo1() {
2564             // func === undefined
2565             {
2566                 // typeof func === "function"
2567                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
2568                 func = 20 // This sets the local "func" binding to 20.
2569             }
2570             // typeof func === "function"
2571         }
2572
2573         function foo2() {
2574             // func === undefined
2575             {
2576                 // typeof func === "function"
2577                 func = 20 // This sets the local "func" binding to 20.
2578                 function func() { } // Executing this statement binds the local "func" binding to the implicit "func" var binding.
2579             }
2580             // func === 20
2581         }
2582         ```
2583
2584         * bytecompiler/BytecodeGenerator.cpp:
2585         (JSC::BytecodeGenerator::initializeBlockScopedFunctions):
2586         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
2587         * bytecompiler/BytecodeGenerator.h:
2588         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
2589         * bytecompiler/NodesCodegen.cpp:
2590         (JSC::FuncDeclNode::emitBytecode):
2591         * tests/stress/sloppy-mode-function-hoisting.js:
2592         (test.foo):
2593         (test):
2594         (test.):
2595         (test.bar):
2596         (test.switch.case.0):
2597         (test.capFoo1):
2598         (test.switch.capFoo2):
2599         (test.outer):
2600         (foo):
2601
2602 2016-04-07  Alex Christensen  <achristensen@webkit.org>
2603
2604         Build fix after r199170
2605
2606         * CMakeLists.txt:
2607
2608 2016-04-07  Keith Miller  <keith_miller@apple.com>
2609
2610         We should support the ability to do a non-effectful getById
2611         https://bugs.webkit.org/show_bug.cgi?id=156116
2612
2613         Reviewed by Benjamin Poulain.
2614
2615         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
2616         useful because it enables us to take different code paths based on values that we would
2617         otherwise not be able to have knowledge of. This patch adds this new feature called
2618         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
2619         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
2620         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
2621         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
2622         is null. In theory, if we ever wanted to check for null we could add a sentinel object to
2623         the global object that indicates we could not get the result.
2624
2625         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
2626         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
2627         get_by_id the same way we would for load and return the value at the appropriate offset.
2628         Additionally, in order to make sure that we can properly compare the GetterSetter object
2629         with ===, GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
2630         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
2631         likely to have little to no impact on memory usage as normal accessors are generally rare.
2632
2633         * JavaScriptCore.xcodeproj/project.pbxproj:
2634         * builtins/BuiltinExecutableCreator.cpp: Added.
2635         (JSC::createBuiltinExecutable):
2636         * builtins/BuiltinExecutableCreator.h: Copied from Source/JavaScriptCore/builtins/BuiltinExecutables.h.
2637         * builtins/BuiltinExecutables.cpp:
2638         (JSC::BuiltinExecutables::createDefaultConstructor):
2639         (JSC::BuiltinExecutables::createBuiltinExecutable):
2640         (JSC::createBuiltinExecutable):
2641         (JSC::BuiltinExecutables::createExecutable):
2642         (JSC::createExecutableInternal): Deleted.
2643         * builtins/BuiltinExecutables.h:
2644         * bytecode/BytecodeIntrinsicRegistry.h:
2645         * bytecode/BytecodeList.json:
2646         * bytecode/BytecodeUseDef.h:
2647         (JSC::computeUsesForBytecodeOffset):
2648         (JSC::computeDefsForBytecodeOffset):
2649         * bytecode/CodeBlock.cpp:
2650         (JSC::CodeBlock::dumpBytecode):
2651         * bytecode/PolymorphicAccess.cpp:
2652         (JSC::AccessCase::tryGet):
2653         (JSC::AccessCase::generate):
2654         (WTF::printInternal):
2655         * bytecode/PolymorphicAccess.h:
2656         (JSC::AccessCase::isGet): Deleted.
2657         (JSC::AccessCase::isPut): Deleted.
2658         (JSC::AccessCase::isIn): Deleted.
2659         * bytecode/StructureStubInfo.cpp:
2660         (JSC::StructureStubInfo::reset):
2661         * bytecode/StructureStubInfo.h:
2662         * bytecompiler/BytecodeGenerator.cpp:
2663         (JSC::BytecodeGenerator::emitTryGetById):
2664         * bytecompiler/BytecodeGenerator.h:
2665         * bytecompiler/NodesCodegen.cpp:
2666         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
2667         * dfg/DFGSpeculativeJIT32_64.cpp:
2668         (JSC::DFG::SpeculativeJIT::cachedGetById):
2669         * dfg/DFGSpeculativeJIT64.cpp:
2670         (JSC::DFG::SpeculativeJIT::cachedGetById):
2671         * ftl/FTLLowerDFGToB3.cpp:
2672         (JSC::FTL::DFG::LowerDFGToB3::getById):
2673         * jit/JIT.cpp:
2674         (JSC::JIT::privateCompileMainPass):
2675         (JSC::JIT::privateCompileSlowCases):
2676         * jit/JIT.h:
2677         * jit/JITInlineCacheGenerator.cpp:
2678         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
2679         * jit/JITInlineCacheGenerator.h:
2680         * jit/JITInlines.h:
2681         (JSC::JIT::callOperation):
2682         * jit/JITOperations.cpp:
2683         * jit/JITOperations.h:
2684         * jit/JITPropertyAccess.cpp:
2685         (JSC::JIT::emitGetByValWithCachedId):
2686         (JSC::JIT::emit_op_try_get_by_id):
2687         (JSC::JIT::emitSlow_op_try_get_by_id):
2688         (JSC::JIT::emit_op_get_by_id):
2689         * jit/JITPropertyAccess32_64.cpp:
2690         (JSC::JIT::emitGetByValWithCachedId):
2691         (JSC::JIT::emit_op_try_get_by_id):
2692         (JSC::JIT::emitSlow_op_try_get_by_id):
2693         (JSC::JIT::emit_op_get_by_id):
2694         * jit/Repatch.cpp:
2695         (JSC::repatchByIdSelfAccess):
2696         (JSC::appropriateOptimizingGetByIdFunction):
2697         (JSC::appropriateGenericGetByIdFunction):
2698         (JSC::tryCacheGetByID):
2699         (JSC::repatchGetByID):
2700         (JSC::resetGetByID):
2701         * jit/Repatch.h:
2702         * jsc.cpp:
2703         (GlobalObject::finishCreation):
2704         (functionGetGetterSetter):
2705         (functionCreateBuiltin):
2706         * llint/LLIntData.cpp:
2707         (JSC::LLInt::Data::performAssertions):
2708         * llint/LLIntSlowPaths.cpp:
2709         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2710         * llint/LLIntSlowPaths.h:
2711         * llint/LowLevelInterpreter.asm:
2712         * runtime/GetterSetter.cpp:
2713         * runtime/GetterSetter.h:
2714         * runtime/JSType.h:
2715         * runtime/PropertySlot.cpp:
2716         (JSC::PropertySlot::getPureResult):
2717         * runtime/PropertySlot.h:
2718         * runtime/ProxyObject.cpp:
2719         (JSC::ProxyObject::getOwnPropertySlotCommon):
2720         * tests/stress/try-get-by-id.js: Added.
2721         (tryGetByIdText):
2722         (getCaller.obj.1.throw.new.Error.let.func):
2723         (getCaller.obj.1.throw.new.Error):
2724         (throw.new.Error.get let):
2725         (throw.new.Error.):
2726         (throw.new.Error.let.get createBuiltin):
2727         (get let):
2728         (let.get createBuiltin):
2729         (let.func):
2730         (get let.func):
2731         (get throw):
2732
2733 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
2734
2735         Rationalize the makeSpaceForCCall stuff
2736         https://bugs.webkit.org/show_bug.cgi?id=156352
2737
2738         Reviewed by Mark Lam.
2739
2740         I want to add more code to PolymorphicAccess that makes C calls, so that I can finally fix
2741         https://bugs.webkit.org/show_bug.cgi?id=130914 (allow transition caches to handle indexing
2742         headers).
2743
2744         When trying to understand what it takes to make a C call, I came across code that was making
2745         room on the stack for spilled arguments. This logic was guarded with some complicated
2746         condition. At first, I tried to just refactor the code so that the same ugly condition
2747         wouldn't have to be copy-pasted everywhere that we made C calls. But then I started thinking
2748         about the condition, and realized that it was probably wrong: if the outer PolymorphicAccess
2749         harness decides to reuse a register for the scratchGPR then the top of the stack will store
2750         the old value of scratchGPR, but the condition wouldn't necessarily trigger. So if the call
2751         then overwrote something on the stack, we'd have a bad time.
2752
2753         Making room on the stack for a call is a cheap operation. It's orders of magnitude cheaper
2754         than the rest of the call. Therefore, I think that it's best to just unconditionally make
2755         room on the stack.
2756
2757         This patch makes us do just that. I also made the relevant helpers not inline, because I
2758         think that we have too many inline methods in our assemblers. Now it's much easier to make
2759         C calls from PolymorphicAccess because you just call the AssemblyHelper methods for making
2760         space. There are no special conditions or anything like that.
2761
2762         * bytecode/PolymorphicAccess.cpp:
2763         (JSC::AccessCase::generate):
2764         * jit/AssemblyHelpers.cpp:
2765         (JSC::AssemblyHelpers::emitLoadStructure):
2766         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
2767         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
2768         (JSC::emitRandomThunkImpl):
2769         * jit/AssemblyHelpers.h:
2770         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall): Deleted.
2771         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall): Deleted.
2772
2773 2016-04-07  Commit Queue  <commit-queue@webkit.org>
2774
2775         Unreviewed, rolling out r199128 and r199141.
2776         https://bugs.webkit.org/show_bug.cgi?id=156348
2777
2778         Causes crashes on multiple webpages (Requested by keith_mi_ on
2779         #webkit).
2780
2781         Reverted changesets:
2782
2783         "[ES6] Add support for Symbol.isConcatSpreadable."
2784         https://bugs.webkit.org/show_bug.cgi?id=155351
2785         http://trac.webkit.org/changeset/199128
2786
2787         "Unreviewed, uncomment accidentally commented line in test."
2788         http://trac.webkit.org/changeset/199141
2789
2790 2016-04-07  Filip Pizlo  <fpizlo@apple.com>
2791
2792         Rationalize the handling of PutById transitions a bit
2793         https://bugs.webkit.org/show_bug.cgi?id=156330
2794
2795         Reviewed by Mark Lam.
2796
2797         * bytecode/PolymorphicAccess.cpp:
2798         (JSC::AccessCase::generate): Get rid of the specialized slow calls. We can just use the failAndIgnore jump target. We just need to make sure that we don't make observable effects until we're done with all of the fast path checks.
2799         * bytecode/StructureStubInfo.cpp:
2800         (JSC::StructureStubInfo::addAccessCase): MadeNoChanges indicates that we should keep trying to repatch. Currently PutById transitions might trigger the case that addAccessCase() sees null, if the transition involves an indexing header. Doing repatching in that case is probably not good. But, we should just fix this the right way eventually.
2801
2802 2016-04-07  Per Arne Vollan  <peavo@outlook.com>
2803
2804         [Win] Fix for JSC stress test failures.
2805         https://bugs.webkit.org/show_bug.cgi?id=156343
2806
2807         Reviewed by Filip Pizlo.
2808
2809         We need to make it clear to MSVC that the method loadPtr(ImplicitAddress address, RegisterID dest)
2810         should be used, and not loadPtr(const void* address, RegisterID dest).
2811
2812         * jit/CCallHelpers.cpp:
2813         (JSC::CCallHelpers::setupShadowChickenPacket):
2814
2815 2016-04-06  Benjamin Poulain  <bpoulain@apple.com>
2816
2817         [JSC] UInt32ToNumber should be NodeMustGenerate
2818         https://bugs.webkit.org/show_bug.cgi?id=156329
2819
2820         Reviewed by Filip Pizlo.
2821
2822         It exits on negative numbers on the integer path.
2823
2824         * dfg/DFGFixupPhase.cpp:
2825         (JSC::DFG::FixupPhase::fixupNode):
2826         * dfg/DFGNodeType.h:
2827
2828 2016-04-04  Geoffrey Garen  <ggaren@apple.com>
2829
2830         Unreviewed, rolling out r199016.
2831         https://bugs.webkit.org/show_bug.cgi?id=156140
2832
2833         "Perf bots are down, so I can't re-land this right now."
2834
2835         Reverted changeset:
2836
2837         CopiedBlock should be 16kB
2838         https://bugs.webkit.org/show_bug.cgi?id=156168
2839         http://trac.webkit.org/changeset/199016
2840
2841 2016-04-06  Mark Lam  <mark.lam@apple.com>
2842
2843         String.prototype.match() should be calling internal function RegExpCreate.
2844         https://bugs.webkit.org/show_bug.cgi?id=156318
2845
2846         Reviewed by Filip Pizlo.
2847
2848         RegExpCreate is not the same as the RegExp constructor.  The current implementation
2849         invokes new @RegExp which calls the constructor.  This results in failures in
2850         es6/Proxy_internal_get_calls_String.prototype.match.js, and
2851         es6/Proxy_internal_get_calls_String.prototype.search.js due to observable side
2852         effects.
2853
2854         This patch fixes this by factoring out the part of the RegExp constructor that
2855         makes the RegExpCreate function, and changing String's match and search to call
2856         RegExpCreate instead in accordance with the ES6 spec. 
2857
2858         * builtins/StringPrototype.js:
2859         (match):
2860         (search):
2861         * runtime/CommonIdentifiers.h:
2862         * runtime/JSGlobalObject.cpp:
2863         (JSC::JSGlobalObject::init):
2864         * runtime/RegExpConstructor.cpp:
2865         (JSC::toFlags):
2866         (JSC::regExpCreate):
2867         (JSC::constructRegExp):
2868         (JSC::esSpecRegExpCreate):
2869         (JSC::constructWithRegExpConstructor):
2870         * runtime/RegExpConstructor.h:
2871         (JSC::isRegExp):
2872
2873 2016-04-06  Keith Miller  <keith_miller@apple.com>
2874
2875         Unreviewed, uncomment accidentally commented line in test.
2876
2877         * tests/stress/array-concat-spread-object.js:
2878
2879 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
2880
2881         JSC should have a simple way of gathering IC statistics
2882         https://bugs.webkit.org/show_bug.cgi?id=156317
2883
2884         Reviewed by Benjamin Poulain.
2885
2886         This adds a cheap, runtime-enabled way of gathering statistics about why we take the slow
2887         paths for inline caches. This is complementary to our existing bytecode profiler. Eventually
2888         we may want to combine the two things.
2889         
2890         This is not a slow-down on anything because we only do extra work on IC slow paths and if
2891         it's disabled it's just a load-and-branch to skip the stats gathering code.
2892
2893         * CMakeLists.txt:
2894         * JavaScriptCore.xcodeproj/project.pbxproj:
2895         * jit/ICStats.cpp: Added.
2896         * jit/ICStats.h: Added.
2897         * jit/JITOperations.cpp:
2898         * runtime/JSCJSValue.h:
2899         * runtime/JSCJSValueInlines.h:
2900         (JSC::JSValue::inherits):
2901         (JSC::JSValue::classInfoOrNull):
2902         (JSC::JSValue::toThis):
2903         * runtime/Options.h:
2904
2905 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
2906
2907         32-bit JSC stress/multi-put-by-offset-multiple-transitions.js failing
2908         https://bugs.webkit.org/show_bug.cgi?id=156292
2909
2910         Reviewed by Benjamin Poulain.
2911
2912         Make sure that we stash the callsite index before calling operationReallocateStorageAndFinishPut.
2913
2914         * bytecode/PolymorphicAccess.cpp:
2915         (JSC::AccessCase::generate):
2916
2917 2016-04-06  Filip Pizlo  <fpizlo@apple.com>
2918
2919         JSC test stress/arrowfunction-lexical-bind-superproperty.js failing
2920         https://bugs.webkit.org/show_bug.cgi?id=156309
2921
2922         Reviewed by Saam Barati.
2923
2924         Just be honest about the fact that the ArgumentCount and Callee parts of inline callframe runtime
2925         meta-data can be read at any time.
2926         
2927         We only have to say this for the inline callframe forms of ArgumentCount and Callee because we don't
2928         sink any part of the machine prologue. This change just prevents us from sinking the pseudoprologue
2929         of inlined varargs or closure calls.
2930
2931         Shockingly, this is not a regression on anything.
2932
2933         * dfg/DFGClobberize.h:
2934         (JSC::DFG::clobberize):
2935
2936 2016-03-29  Keith Miller  <keith_miller@apple.com>
2937
2938         [ES6] Add support for Symbol.isConcatSpreadable.
2939         https://bugs.webkit.org/show_bug.cgi?id=155351
2940
2941         Reviewed by Saam Barati.
2942
2943         This patch adds support for Symbol.isConcatSpreadable. In order to do so it was necessary to move the
2944         Array.prototype.concat function to JS. A number of different optimizations were needed to make the move to
2945         a builtin performant. First, four new DFG intrinsics were added.
2946
2947         1) IsArrayObject (I would have called it IsArray but we use the same name for an IndexingType): an intrinsic of
2948            the Array.isArray function.
2949         2) IsJSArray: checks the first child is a JSArray object.
2950         3) IsArrayConstructor: checks the first child is an instance of ArrayConstructor.
2951         4) CallObjectConstructor: an intrinsic of the Object constructor.
2952
2953         IsActualObject, IsJSArray, and CallObjectConstructor can all be converted into constants in the abstract interpreter if
2954         we are able to prove that the first child is an Array or for ToObject an Object.
2955
2956         In order to further improve the performance we also now cover more indexing types in our fast path memcpy
2957         code. Before we would only memcpy Arrays if they had the same indexing type and did not have Array storage and
2958         were not undecided. Now the memcpy code covers the following additional two cases: One array is undecided and
2959         the other is a non-array storage and the case where one array is Int32 and the other is contiguous (we map this
2960         into a contiguous array).
2961
2962         This patch also adds a new fast path for concat with more than one array argument by using memcpy to append
2963         values onto the result array. This works roughly the same as the two array fast path using the same methodology
2964         to decide if we can memcpy the other butterfly into the result butterfly.
2965
2966         Two new debugging tools are also added to the jsc cli. One is a version of the print function with a private
2967         name so it can be used for debugging builtins. The other is dumpDataLog, which takes a JSValue and runs our
2968         dataLog function on it.
2969
2970         Finally, this patch adds a new constructor to JSValueRegsTemporary that allows it to reuse the registers of a
2971         JSValueOperand if the operand's use count is one.
2972
2973         * JavaScriptCore.xcodeproj/project.pbxproj:
2974         * builtins/ArrayPrototype.js:
2975         (concatSlowPath):
2976         (concat):
2977         * bytecode/BytecodeIntrinsicRegistry.cpp:
2978         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2979         * bytecode/BytecodeIntrinsicRegistry.h:
2980         * dfg/DFGAbstractInterpreterInlines.h:
2981         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2982         * dfg/DFGByteCodeParser.cpp:
2983         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2984         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2985         * dfg/DFGClobberize.h:
2986         (JSC::DFG::clobberize):
2987         * dfg/DFGDoesGC.cpp:
2988         (JSC::DFG::doesGC):
2989         * dfg/DFGFixupPhase.cpp:
2990         (JSC::DFG::FixupPhase::fixupNode):
2991         * dfg/DFGNodeType.h:
2992         * dfg/DFGOperations.cpp:
2993         * dfg/DFGOperations.h:
2994         * dfg/DFGPredictionPropagationPhase.cpp:
2995         (JSC::DFG::PredictionPropagationPhase::propagate):
2996         * dfg/DFGSafeToExecute.h:
2997         (JSC::DFG::safeToExecute):
2998         * dfg/DFGSpeculativeJIT.cpp:
2999         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3000         (JSC::DFG::SpeculativeJIT::compileIsJSArray):
3001         (JSC::DFG::SpeculativeJIT::compileIsArrayObject):
3002         (JSC::DFG::SpeculativeJIT::compileIsArrayConstructor):
3003         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor):
3004         * dfg/DFGSpeculativeJIT.h:
3005         (JSC::DFG::SpeculativeJIT::callOperation):
3006         * dfg/DFGSpeculativeJIT32_64.cpp:
3007         (JSC::DFG::SpeculativeJIT::compile):
3008         * dfg/DFGSpeculativeJIT64.cpp:
3009         (JSC::DFG::SpeculativeJIT::compile):
3010         * ftl/FTLCapabilities.cpp:
3011         (JSC::FTL::canCompile):
3012         * ftl/FTLLowerDFGToB3.cpp:
3013         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3014         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
3015         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayObject):
3016         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
3017         (JSC::FTL::DFG::LowerDFGToB3::compileIsArrayConstructor):
3018         (JSC::FTL::DFG::LowerDFGToB3::isArray):
3019         * jit/JITOperations.h:
3020         * jsc.cpp:
3021         (WTF::RuntimeArray::createStructure):
3022         (GlobalObject::finishCreation):
3023         (functionDebug):
3024         (functionDataLogValue):
3025         * runtime/ArrayConstructor.cpp:
3026         (JSC::ArrayConstructor::finishCreation):
3027         (JSC::arrayConstructorPrivateFuncIsArrayConstructor):
3028         * runtime/ArrayConstructor.h:
3029         (JSC::isArrayConstructor):
3030         * runtime/ArrayPrototype.cpp:
3031         (JSC::ArrayPrototype::finishCreation):
3032         (JSC::arrayProtoPrivateFuncIsJSArray):
3033         (JSC::moveElements):
3034         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3035         (JSC::arrayProtoPrivateFuncAppendMemcpy):
3036         (JSC::arrayProtoFuncConcat): Deleted.
3037         * runtime/ArrayPrototype.h:
3038         (JSC::ArrayPrototype::createStructure):
3039         * runtime/CommonIdentifiers.h:
3040         * runtime/Intrinsic.h:
3041         * runtime/JSArray.cpp:
3042         (JSC::JSArray::appendMemcpy):
3043         (JSC::JSArray::fastConcatWith): Deleted.
3044         * runtime/JSArray.h:
3045         (JSC::JSArray::createStructure):
3046         (JSC::JSArray::fastConcatType): Deleted.
3047         * runtime/JSArrayInlines.h: Added.
3048         (JSC::JSArray::memCopyWithIndexingType):
3049         (JSC::JSArray::canFastCopy):
3050         * runtime/JSGlobalObject.cpp:
3051         (JSC::JSGlobalObject::init):
3052         * runtime/JSType.h:
3053         * runtime/ObjectConstructor.h:
3054         (JSC::constructObject):
3055         * tests/es6.yaml:
3056         * tests/stress/array-concat-spread-object.js: Added.
3057         (arrayEq):
3058         * tests/stress/array-concat-spread-proxy-exception-check.js: Added.
3059         (arrayEq):
3060         * tests/stress/array-concat-spread-proxy.js: Added.
3061         (arrayEq):
3062         * tests/stress/array-concat-with-slow-indexingtypes.js: Added.
3063         (arrayEq):
3064         * tests/stress/array-species-config-array-constructor.js:
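
        Added example (not WebKit or JSC code): a reference implementation of the ES2015 IsConcatSpreadable
        rule and the concat loop the builtin above implements, checked against the host engine's native
        Array.prototype.concat on constructed inputs, including the hole-preserving and throwing-getter
        cases that the new stress tests exercise.

```javascript
// Added example, not JSC or WebKit code: a reference implementation of the ES2015
// Array.prototype.concat spreading rules (IsConcatSpreadable), checked against the
// host engine's native concat on constructed inputs.

// ToLength, simplified: NaN and negatives become 0, large values are clamped.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// IsConcatSpreadable(O): the Symbol.isConcatSpreadable property, when present,
// overrides the default; otherwise IsArray decides (and sees through Proxies).
// The Get is observable, which is why a Proxy trap or throwing getter matters.
function isConcatSpreadable(value) {
  if (value === null || (typeof value !== "object" && typeof value !== "function")) {
    return false;
  }
  const spreadable = value[Symbol.isConcatSpreadable];
  if (spreadable !== undefined) return Boolean(spreadable);
  return Array.isArray(value);
}

// Reference concat: spreadable items are copied element by element behind a
// HasProperty check, so holes stay holes; anything else is appended whole.
function concatReference(receiver, ...items) {
  const result = [];
  let n = 0;
  for (const item of [receiver, ...items]) {
    if (isConcatSpreadable(item)) {
      const len = toLength(item.length);
      for (let k = 0; k < len; k++, n++) {
        if (k in item) result[n] = item[k];
      }
    } else {
      result[n++] = item;
    }
  }
  result.length = n;
  return result;
}

// Constructed inputs: each pair is [receiver, argument list].
function sampleCases() {
  // Array-like object that opts in; index 1 is deliberately missing (a hole).
  const arrayLike = { length: 3, 0: "a", 2: "c", [Symbol.isConcatSpreadable]: true };
  // Real array that opts out and must be appended as a single element.
  const unspreadable = Object.assign([2, 3], { [Symbol.isConcatSpreadable]: false });
  return [
    [[1, 2], [arrayLike]],
    [[1], [unspreadable]],
    [[1.5], [[2, 3], 4]],
    [[], [new Proxy([7, 8], {})]],
  ];
}

// True when the reference and the native concat agree on length, holes and
// values for every sample case.
function matchesNative() {
  return sampleCases().every(([receiver, args]) => {
    const expected = concatReference(receiver, ...args);
    const actual = receiver.concat(...args);
    if (expected.length !== actual.length) return false;
    for (let i = 0; i < expected.length; i++) {
      if ((i in expected) !== (i in actual) || expected[i] !== actual[i]) return false;
    }
    return true;
  });
}

// The IsConcatSpreadable Get runs user code; an exception there must abort
// concat instead of being swallowed by a fast path. Returns true if it propagates.
function throwingGetterPropagates() {
  const trap = new Proxy([1], {
    get(target, key, receiver) {
      if (key === Symbol.isConcatSpreadable) throw new RangeError("constructed failure");
      return Reflect.get(target, key, receiver);
    },
  });
  try {
    [0].concat(trap);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}
```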
3065
3066 2016-04-06  Commit Queue  <commit-queue@webkit.org>
3067
3068         Unreviewed, rolling out r199070.
3069         https://bugs.webkit.org/show_bug.cgi?id=156324
3070
3071         "It didn't fix the timeout" (Requested by saamyjoon on
3072         #webkit).
3073
3074         Reverted changeset:
3075
3076         "jsc-layout-tests.yaml/js/script-tests/regress-141098.js
3077         failing on Yosemite Debug after r198989"
3078         https://bugs.webkit.org/show_bug.cgi?id=156187
3079         http://trac.webkit.org/changeset/199070
3080
3081 2016-04-06  Geoffrey Garen  <ggaren@apple.com>
3082
3083         Unreviewed, rolling in r199016.
3084         https://bugs.webkit.org/show_bug.cgi?id=156140
3085
3086         It might work this time without regression because 16kB aligned requests
3087         now take the allocation fast path.
3088
3089         Restored changeset:
3090
3091         CopiedBlock should be 16kB
3092         https://bugs.webkit.org/show_bug.cgi?id=156168
3093         http://trac.webkit.org/changeset/199016
3094
3095 2016-04-06  Mark Lam  <mark.lam@apple.com>
3096
3097         Update es6.yaml to expect es6/Proxy_internal_get_calls_RegExp_constructor.js to pass.
3098         https://bugs.webkit.org/show_bug.cgi?id=156314
3099
3100         Reviewed by Saam Barati.
3101
3102         * tests/es6.yaml:
3103
3104 2016-04-06  Commit Queue  <commit-queue@webkit.org>
3105
3106         Unreviewed, rolling out r199104.
3107         https://bugs.webkit.org/show_bug.cgi?id=156301
3108
3109         Still breaks internal builds (Requested by keith_miller on
3110         #webkit).
3111
3112         Reverted changeset:
3113
3114         "We should support the ability to do a non-effectful getById"
3115         https://bugs.webkit.org/show_bug.cgi?id=156116
3116         http://trac.webkit.org/changeset/199104
3117
3118 2016-04-06  Keith Miller  <keith_miller@apple.com>
3119
3120         RegExp constructor should use Symbol.match and other properties
3121         https://bugs.webkit.org/show_bug.cgi?id=155873
3122
3123         Reviewed by Michael Saboff.
3124
3125         This patch updates the behavior of the RegExp constructor. Now the constructor
3126         should get the Symbol.match property and check if it exists to decide if something
3127         should be constructed like a regexp object.
3128
3129         * runtime/RegExpConstructor.cpp:
3130         (JSC::toFlags):
3131         (JSC::constructRegExp):
3132         (JSC::constructWithRegExpConstructor):
3133         (JSC::callRegExpConstructor):
3134         * runtime/RegExpConstructor.h:
3135         * tests/stress/regexp-constructor.js: Added.
3136         (assert):
3137         (throw.new.Error.get let):
3138         (throw.new.Error.):
3139         (throw.new.Error.get re):
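
        Added example (not WebKit or JSC code) covering this RegExp constructor change and the
        String.prototype.match/RegExpCreate entry above: the ES2015 IsRegExp test, the observable
        reads the constructor performs on a duck-typed pattern object, and a Proxy probe counting how
        often Symbol.match is read during String.prototype.match. The [[RegExpMatcher]] slot check is
        approximated with instanceof, since script cannot inspect internal slots.

```javascript
// Added example, not JSC or WebKit code: the ES2015 IsRegExp test and the
// observable property reads it causes, plus a probe showing that
// String.prototype.match must go through RegExpCreate rather than the
// RegExp constructor (which would re-run IsRegExp).

// IsRegExp(argument), ES2015 7.2.8: Symbol.match, if present, decides; only
// then does the internal [[RegExpMatcher]] slot matter. instanceof stands in
// for the slot check here (assumption: no cross-realm or patched prototypes).
function isRegExp(value) {
  if (value === null || (typeof value !== "object" && typeof value !== "function")) {
    return false;
  }
  const matcher = value[Symbol.match]; // observable Get
  if (matcher !== undefined) return Boolean(matcher);
  return value instanceof RegExp;
}

// Because of IsRegExp, a plain object that claims Symbol.match is treated as
// a pattern object: the constructor reads its source and flags.
function regExpFromDuckTypedObject() {
  const fake = { [Symbol.match]: true, source: "a+", flags: "gi" }; // constructed
  const re = new RegExp(fake);
  return re.source + "/" + re.flags; // "a+/gi"
}

// Wrap a target in a Proxy and record every property key read from it.
function recordingProxy(target, log) {
  return new Proxy(target, {
    get(t, key, receiver) {
      log.push(key);
      return Reflect.get(t, key, receiver);
    },
  });
}

// Count how many times Symbol.match is read while String.prototype.match
// handles a non-RegExp argument. The spec's GetMethod step reads it once;
// RegExpCreate then only stringifies the argument. Building the regexp with
// `new RegExp(arg)` instead, as the pre-fix builtin did, would read it a
// second time through IsRegExp, which a Proxy can observe.
function symbolMatchReadsDuringStringMatch() {
  const log = [];
  const arg = recordingProxy({ toString() { return "b"; } }, log); // constructed
  "abc".match(arg);
  return log.filter((key) => key === Symbol.match).length; // 1
}
```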
3140
3141 2016-04-06  Keith Miller  <keith_miller@apple.com>
3142
3143         We should support the ability to do a non-effectful getById
3144         https://bugs.webkit.org/show_bug.cgi?id=156116
3145
3146         Reviewed by Benjamin Poulain.
3147
3148         Currently, there is no way in JS to do a non-effectful getById. A non-effectful getById is
3149         useful because it enables us to take different code paths based on values that we would
3150         otherwise not be able to have knowledge of. This patch adds this new feature called
3151         try_get_by_id that will attempt to do as much of a get_by_id as possible without performing
3152         an effectful behavior. Thus, try_get_by_id will return the value if the slot is a value, the
3153         GetterSetter object if the slot is a normal accessor (not a CustomGetterSetter) and
3154         undefined if the slot is unset.  If the slot is proxied or any other cases then the result
3155         is null. In theory, if we ever wanted to check for null we could add a sentinel object to
3156         the global object that indicates we could not get the result.
3157
3158         In order to implement this feature we add a new enum GetByIdKind that indicates what to do
3159         for accessor properties in PolymorphicAccess. If the GetByIdKind is pure then we treat the
3160         get_by_id the same way we would for load and return the value at the appropriate offset.
3161         Additionally, in order to make sure that we can properly compare the GetterSetter object
3162         with === GetterSetters are now JSObjects. This comes at the cost of eight extra bytes on the
3163         GetterSetter object but it vastly simplifies the patch. Additionally, the extra bytes are
3164         likely to have little to no impact on memory usage as normal accessors are generally rare.
3165
3166         * builtins/BuiltinExecutables.cpp:
3167         (JSC::BuiltinExecutables::createDefaultConstructor):
3168         (JSC::BuiltinExecutables::createBuiltinExecutable):
3169         (JSC::createBuiltinExecutable):
3170         (JSC::BuiltinExecutables::createExecutable):
3171         (JSC::createExecutableInternal): Deleted.
3172         * builtins/BuiltinExecutables.h:
3173         * bytecode/BytecodeIntrinsicRegistry.h:
3174         * bytecode/BytecodeList.json:
3175         * bytecode/BytecodeUseDef.h:
3176         (JSC::computeUsesForBytecodeOffset):
3177         (JSC::computeDefsForBytecodeOffset):
3178         * bytecode/CodeBlock.cpp:
3179         (JSC::CodeBlock::dumpBytecode):
3180         * bytecode/PolymorphicAccess.cpp:
3181         (JSC::AccessCase::tryGet):
3182         (JSC::AccessCase::generate):
3183         (WTF::printInternal):
3184         * bytecode/PolymorphicAccess.h:
3185         (JSC::AccessCase::isGet): Deleted.
3186         (JSC::AccessCase::isPut): Deleted.
3187         (JSC::AccessCase::isIn): Deleted.
3188         * bytecode/StructureStubInfo.cpp:
3189         (JSC::StructureStubInfo::reset):
3190         * bytecode/StructureStubInfo.h:
3191         * bytecompiler/BytecodeGenerator.cpp:
3192         (JSC::BytecodeGenerator::emitTryGetById):
3193         * bytecompiler/BytecodeGenerator.h:
3194         * bytecompiler/NodesCodegen.cpp:
3195         (JSC::BytecodeIntrinsicNode::emit_intrinsic_tryGetById):
3196         * dfg/DFGSpeculativeJIT32_64.cpp:
3197         (JSC::DFG::SpeculativeJIT::cachedGetById):
3198         * dfg/DFGSpeculativeJIT64.cpp:
3199         (JSC::DFG::SpeculativeJIT::cachedGetById):
3200         * ftl/FTLLowerDFGToB3.cpp:
3201         (JSC::FTL::DFG::LowerDFGToB3::getById):
3202         * jit/JIT.cpp:
3203         (JSC::JIT::privateCompileMainPass):
3204         (JSC::JIT::privateCompileSlowCases):
3205         * jit/JIT.h:
3206         * jit/JITInlineCacheGenerator.cpp:
3207         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3208         * jit/JITInlineCacheGenerator.h:
3209         * jit/JITInlines.h:
3210         (JSC::JIT::callOperation):
3211         * jit/JITOperations.cpp:
3212         * jit/JITOperations.h:
3213         * jit/JITPropertyAccess.cpp:
3214         (JSC::JIT::emitGetByValWithCachedId):
3215         (JSC::JIT::emit_op_try_get_by_id):
3216         (JSC::JIT::emitSlow_op_try_get_by_id):
3217         (JSC::JIT::emit_op_get_by_id):
3218         * jit/JITPropertyAccess32_64.cpp:
3219         (JSC::JIT::emitGetByValWithCachedId):
3220         (JSC::JIT::emit_op_try_get_by_id):
3221         (JSC::JIT::emitSlow_op_try_get_by_id):
3222         (JSC::JIT::emit_op_get_by_id):
3223         * jit/Repatch.cpp:
3224         (JSC::repatchByIdSelfAccess):
3225         (JSC::appropriateOptimizingGetByIdFunction):
3226         (JSC::appropriateGenericGetByIdFunction):
3227         (JSC::tryCacheGetByID):
3228         (JSC::repatchGetByID):
3229         (JSC::resetGetByID):
3230         * jit/Repatch.h:
3231         * jsc.cpp:
3232         (GlobalObject::finishCreation):
3233         (functionGetGetterSetter):
3234         (functionCreateBuiltin):
3235         * llint/LLIntData.cpp:
3236         (JSC::LLInt::Data::performAssertions):
3237         * llint/LLIntSlowPaths.cpp:
3238         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3239         * llint/LLIntSlowPaths.h:
3240         * llint/LowLevelInterpreter.asm:
3241         * runtime/GetterSetter.cpp:
3242         * runtime/GetterSetter.h:
3243         * runtime/JSType.h:
3244         * runtime/PropertySlot.cpp:
3245         (JSC::PropertySlot::getPureResult):
3246         * runtime/PropertySlot.h:
3247         * runtime/ProxyObject.cpp:
3248         (JSC::ProxyObject::getOwnPropertySlotCommon):
3249         * tests/stress/try-get-by-id.js: Added.
3250         (tryGetByIdText):
3251         (getCaller.obj.1.throw.new.Error.let.func):
3252         (getCaller.obj.1.throw.new.Error):
3253         (throw.new.Error.get let):
3254         (throw.new.Error.):
3255         (throw.new.Error.let.get createBuiltin):
3256         (get let):
3257         (let.get createBuiltin):
3258         (let.func):
3259         (get let.func):
3260         (get throw):
3261
3262 2016-04-05  Chris Dumez  <cdumez@apple.com>
3263
3264         Add support for [EnabledAtRuntime] operations on DOMWindow
3265         https://bugs.webkit.org/show_bug.cgi?id=156272
3266
3267         Reviewed by Alex Christensen.
3268
3269         Add identifier for 'fetch' so it can be used from the generated
3270         bindings.
3271
3272         * runtime/CommonIdentifiers.h:
3273
3274 2016-04-05  Alex Christensen  <achristensen@webkit.org>
3275
3276         Make CMake-generated binaries on Mac able to run
3277         https://bugs.webkit.org/show_bug.cgi?id=156268
3278
3279         Reviewed by Daniel Bates.
3280
3281         * CMakeLists.txt:
3282
3283 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
3284
3285         Improve some other cases of context-sensitive inlining
3286         https://bugs.webkit.org/show_bug.cgi?id=156277
3287
3288         Reviewed by Benjamin Poulain.
3289         
3290         This implements some improvements for inlining:
3291
3292         - We no longer do guarded inlining when the profiling doesn't come from a stub. Doing so would have
3293           been risky, and according to benchmarks, it wasn't common enough to matter. I think it's better to
3294           err on the side of not inlining.
3295         
3296         - The jneq_ptr pattern for variadic calls no longer breaks the basic block. Not breaking the block
3297           increases the chances of the parser seeing the callee constant. While inlining doesn't require a
3298           callee constant, sometimes it makes a difference. Note that we were previously breaking the block
3299           for no reason at all: if the boundary after jneq_ptr is a jump target from some other jump, then
3300           the parser will automatically break the block for us. There is no reason to add any block breaking
3301           ourselves since we implement jneq_ptr by ignoring the affirmative jump destination and inserting a
3302           check and falling through.
3303         
3304         - get_by_id handling now tries to apply some common sense to its status object. In particular, if
3305           the source is a NewObject and there was no interfering operation that could clobber the structure,
3306           then we know which case of a polymorphic GetByIdStatus we would take. This arises in some
3307           constructor patterns.
3308         
3309         Long term, we should address all of these cases comprehensively by having a late inliner. The inliner
3310         being part of the bytecode parser means that there is a lot of complexity in the parser and it
3311         prevents us from inlining upon learning new information from static analysis. But for now, I think
3312         it's fine to experiment with one-off hacks, if only to learn what the possibilities are.
3313         
3314         This is a 14% speed-up on Octane/raytrace.
3315
3316         * bytecode/CallLinkStatus.cpp:
3317         (JSC::CallLinkStatus::dump):
3318         * bytecode/CallLinkStatus.h:
3319         (JSC::CallLinkStatus::couldTakeSlowPath):
3320         (JSC::CallLinkStatus::setCouldTakeSlowPath):
3321         (JSC::CallLinkStatus::variants):
3322         (JSC::CallLinkStatus::size):
3323         (JSC::CallLinkStatus::at):
3324         * bytecode/GetByIdStatus.cpp:
3325         (JSC::GetByIdStatus::makesCalls):
3326         (JSC::GetByIdStatus::filter):
3327         (JSC::GetByIdStatus::dump):
3328         * bytecode/GetByIdStatus.h:
3329         (JSC::GetByIdStatus::wasSeenInJIT):
3330         * dfg/DFGByteCodeParser.cpp:
3331         (JSC::DFG::ByteCodeParser::handleCall):
3332         (JSC::DFG::ByteCodeParser::refineStatically):
3333         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3334         (JSC::DFG::ByteCodeParser::handleInlining):
3335         (JSC::DFG::ByteCodeParser::handleGetById):
3336         (JSC::DFG::ByteCodeParser::parseBlock):
3337         * runtime/Options.h:
3338
3339 2016-04-05  Saam barati  <sbarati@apple.com>
3340
3341         JSC SamplingProfiler: Use a thread + sleep loop instead of WTF::WorkQueue for taking samples
3342         https://bugs.webkit.org/show_bug.cgi?id=154017
3343
3344         Reviewed by Geoffrey Garen.
3345
3346         By moving to an explicitly created separate thread + sample-then-sleep
3347         loop, we can remove a lot of the crufty code around WorkQueue.
3348         We're also getting sample rates that are much closer to what we're
3349         asking the OS for. When the sampling handler was built off of WorkQueue,
3350         we'd often get sample rates much higher than the 1ms we asked for. On Kraken,
3351         we would average about 1.7ms sample rates, even though we'd ask for a 1ms rate.
3352         Now, on Kraken, we're getting about 1.2ms rates. Because we're getting
3353         higher rates, this patch is a performance regression. It's slower because
3354         we're sampling more frequently.
3355
3356         Before this patch, the sampling profiler had the following overhead:
3357         - 10% on Kraken
3358         - 12% on octane
3359         - 15% on AsmBench
3360
3361         With this patch, the sampling profiler has the following overhead:
3362         - 16% on Kraken
3363         - 17% on Octane
3364         - 30% on AsmBench
3365
3366         Comparatively, this new patch has the following overhead over the old sampling profiler:
3367         - 5% on Kraken
3368         - 3.5% on Octane
3369         - 13% slower on AsmBench
3370
3371         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3372         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
3373         * runtime/SamplingProfiler.cpp:
3374         (JSC::SamplingProfiler::SamplingProfiler):
3375         (JSC::SamplingProfiler::~SamplingProfiler):
3376         (JSC::SamplingProfiler::createThreadIfNecessary):
3377         (JSC::SamplingProfiler::timerLoop):
3378         (JSC::SamplingProfiler::takeSample):
3379         (JSC::tryGetBytecodeIndex):
3380         (JSC::SamplingProfiler::shutdown):
3381         (JSC::SamplingProfiler::start):
3382         (JSC::SamplingProfiler::pause):
3383         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
3384         (JSC::SamplingProfiler::noticeJSLockAcquisition):
3385         (JSC::SamplingProfiler::noticeVMEntry):
3386         (JSC::SamplingProfiler::clearData):
3387         (JSC::SamplingProfiler::stop): Deleted.
3388         (JSC::SamplingProfiler::dispatchIfNecessary): Deleted.
3389         (JSC::SamplingProfiler::dispatchFunction): Deleted.
3390         * runtime/SamplingProfiler.h:
3391         (JSC::SamplingProfiler::setTimingInterval):
3392         (JSC::SamplingProfiler::setStopWatch):
3393         * runtime/VM.cpp:
3394         (JSC::VM::VM):
3395
3396 2016-04-05  Commit Queue  <commit-queue@webkit.org>
3397
3398         Unreviewed, rolling out r199073.
3399         https://bugs.webkit.org/show_bug.cgi?id=156261
3400
3401         This change broke internal Mac builds (Requested by ryanhaddad
3402         on #webkit).
3403
3404         Reverted changeset:
3405
3406         "We should support the ability to do a non-effectful getById"
3407         https://bugs.webkit.org/show_bug.cgi?id=156116
3408         http://trac.webkit.org/changeset/199073
3409
3410 2016-04-05  Youenn Fablet  <youenn.fablet@crf.canon.fr>
3411
3412         [Fetch API] Add a runtime flag to fetch API and related constructs
3413         https://bugs.webkit.org/show_bug.cgi?id=156113
3414  
3415         Reviewed by Alex Christensen.
3416
3417         Add a fetch API runtime flag based on preferences.
3418         Disable fetch API by default.
3419  
3420         * runtime/CommonIdentifiers.h:
3421
3422 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
3423
3424         Unreviewed, fix cloop some more.
3425
3426         * runtime/RegExpInlines.h:
3427         (JSC::RegExp::hasCodeFor):
3428         (JSC::RegExp::hasMatchOnlyCodeFor):
3429
3430 2016-04-05  Filip Pizlo  <fpizlo@apple.com>
3431
3432         Unreviewed, fix cloop.
3433
3434         * jit/CCallHelpers.cpp:
3435
3436 2016-03-18  Filip Pizlo  <fpizlo@apple.com>
3437
3438         JSC should use a shadow stack version of CHICKEN so that debuggers have the option of retrieving tail-deleted frames
3439         https://bugs.webkit.org/show_bug.cgi?id=155598
3440
3441         Reviewed by Saam Barati.
3442         
3443         JSC is the first JSVM to have proper tail calls. This means that error.stack and the
3444         debugger will appear to "delete" strict mode stack frames, if the call that this frame made
3445         was in tail position. This is exactly what functional programmers expect - they don't want
3446         the VM to waste resources on tail-deleted frames to ensure that it's legal to loop forever
3447         using tail calls. It's also something that non-functional programmers fear. It's not clear
3448         that tail-deleted frames would actually degrade the debugging experience, but the fear is
3449         real, so it's worthwhile to do something about it.
3450
3451         It turns out that there is at least one tail call implementation that doesn't suffer from
3452         this problem. It implements proper tail calls in the sense that you won't run out of memory
3453         by tail-looping. It also has the power to show you tail-deleted frames in a backtrace, so
3454         long as you haven't yet run out of memory. It's called CHICKEN Scheme, and it's one of my
3455         favorite hacks:
3456         
3457         http://www.more-magic.net/posts/internals-gc.html
3458
3459         CHICKEN does many awesome things. The intuition from CHICKEN that we use here is a simple
3460         one: what if a tail call still kept the tail-deleted frame, and the GC actually deleted that
3461         frame only once we proved that there was insufficient memory to keep it around.
3462         
3463         CHICKEN does this by reshaping the C stack with longjmp/setjmp. We can't do that because we
3464         can have arbitrary native code, and that native code does not have relocatable stack frames.
3465         
3466         But we can do something almost like CHICKEN on a shadow stack. It's a common trick to have a
3467         VM maintain two stacks - the actual execution stack plus a shadow stack that has some extra
3468         information. The shadow stack can be reshaped, moved, etc, since the VM tightly controls its
3469         layout. The main stack can then continue to obey ABI rules.
3470
3471         This patch implements a mechanism for being able to display stack traces that include
3472         tail-deleted frames. It uses a shadow stack that behaves like a CHICKEN stack: it has all
3473         frames all the time, though we will collect the tail-deleted ones if the stack gets too big.
3474         This new mechanism is called ShadowChicken, obviously: it's CHICKEN on a shadow stack.
3475         
3476         ShadowChicken is always on, but individual CodeBlocks may make their own choices about
3477         whether to opt into it. They will do that at bytecompile time based on the debugger mode on
3478         their global object.
3479
3480         When no CodeBlock opts in, there is no overhead, since ShadowChicken ends up doing nothing
3481         in that case. Well, except when exceptions are thrown. Then it might do some work, but it's
3482         minor.
3483
3484         When all CodeBlocks opt in, there is about 6% overhead. That's too much overhead to enable
3485         this all the time, but it's low enough to justify enabling in the Inspector. It's currently
3486         enabled on all CodeBlocks only when you use an Option. Otherwise it will auto-enable if the
3487         debugger is on.
3488
3489         Note that ShadowChicken attempts to gracefully handle the presence of stack frames that have
3490         no logging. This is essential since we *can* have debugging enabled in one GlobalObject and
3491         disabled in another. Also, some frames don't do ShadowChicken because they just haven't been
3492         hacked to do it yet. Native frames fall into this category, as do the VM entry frames.
3493
3494         This doesn't yet wire ShadowChicken into DebuggerCallFrame. That will take more work. It
3495         just makes a ShadowChicken stack walk function available to jsc. It's used from the
3496         shadow-chicken tests.
3497
3498         * API/JSContextRef.cpp:
3499         (BacktraceFunctor::BacktraceFunctor):
3500         (BacktraceFunctor::operator()):
3501         (JSContextCreateBacktrace):
3502         * CMakeLists.txt:
3503         * JavaScriptCore.xcodeproj/project.pbxproj:
3504         * bytecode/BytecodeList.json:
3505         * bytecode/BytecodeUseDef.h:
3506         (JSC::computeUsesForBytecodeOffset):
3507         (JSC::computeDefsForBytecodeOffset):
3508         * bytecode/CodeBlock.cpp:
3509         (JSC::CodeBlock::dumpBytecode):
3510         (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
3511         (JSC::RecursionCheckFunctor::operator()):
3512         (JSC::CodeBlock::noticeIncomingCall):
3513         * bytecompiler/BytecodeGenerator.cpp:
3514         (JSC::BytecodeGenerator::emitEnter):
3515         (JSC::BytecodeGenerator::emitCallInTailPosition):
3516         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
3517         (JSC::BytecodeGenerator::emitCallVarargs):
3518         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
3519         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
3520         (JSC::BytecodeGenerator::emitCallDefineProperty):
3521         * bytecompiler/BytecodeGenerator.h:
3522         * debugger/DebuggerCallFrame.cpp:
3523         (JSC::LineAndColumnFunctor::operator()):
3524         (JSC::LineAndColumnFunctor::column):
3525         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
3526         (JSC::FindCallerMidStackFunctor::operator()):
3527         (JSC::DebuggerCallFrame::DebuggerCallFrame):
3528         * dfg/DFGAbstractInterpreterInlines.h:
3529         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3530         * dfg/DFGByteCodeParser.cpp:
3531         (JSC::DFG::ByteCodeParser::parseBlock):
3532         * dfg/DFGClobberize.h:
3533         (JSC::DFG::clobberize):
3534         * dfg/DFGDoesGC.cpp:
3535         (JSC::DFG::doesGC):
3536         * dfg/DFGFixupPhase.cpp:
3537         (JSC::DFG::FixupPhase::fixupNode):
3538         * dfg/DFGNodeType.h:
3539         * dfg/DFGPredictionPropagationPhase.cpp:
3540         (JSC::DFG::PredictionPropagationPhase::propagate):
3541         * dfg/DFGSafeToExecute.h:
3542         (JSC::DFG::safeToExecute):
3543         * dfg/DFGSpeculativeJIT32_64.cpp:
3544         (JSC::DFG::SpeculativeJIT::compile):
3545         * dfg/DFGSpeculativeJIT64.cpp:
3546         (JSC::DFG::SpeculativeJIT::compile):
3547         * ftl/FTLAbstractHeapRepository.cpp:
3548         * ftl/FTLAbstractHeapRepository.h:
3549         * ftl/FTLCapabilities.cpp:
3550         (JSC::FTL::canCompile):
3551         * ftl/FTLLowerDFGToB3.cpp:
3552         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3553         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
3554         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
3555         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
3556         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
3557         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3558         (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket):
3559         (JSC::FTL::DFG::LowerDFGToB3::boolify):
3560         * heap/Heap.cpp:
3561         (JSC::Heap::markRoots):
3562         (JSC::Heap::visitSamplingProfiler):
3563         (JSC::Heap::visitShadowChicken):
3564         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
3565         (JSC::Heap::collectImpl):
3566         * heap/Heap.h:
3567         * inspector/ScriptCallStackFactory.cpp:
3568         (Inspector::CreateScriptCallStackFunctor::CreateScriptCallStackFunctor):
3569         (Inspector::CreateScriptCallStackFunctor::operator()):
3570         (Inspector::createScriptCallStack):
3571         * interpreter/CallFrame.h:
3572         (JSC::ExecState::iterate):
3573         * interpreter/Interpreter.cpp:
3574         (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
3575         (JSC::DumpRegisterFunctor::operator()):
3576         (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
3577         (JSC::GetStackTraceFunctor::operator()):
3578         (JSC::Interpreter::getStackTrace):
3579         (JSC::GetCatchHandlerFunctor::handler):
3580         (JSC::GetCatchHandlerFunctor::operator()):
3581         (JSC::notifyDebuggerOfUnwinding):
3582         (JSC::UnwindFunctor::UnwindFunctor):
3583         (JSC::UnwindFunctor::operator()):
3584         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer):
3585         * interpreter/ShadowChicken.cpp: Added.
3586         (JSC::ShadowChicken::Packet::dump):
3587         (JSC::ShadowChicken::Frame::dump):
3588         (JSC::ShadowChicken::ShadowChicken):
3589         (JSC::ShadowChicken::~ShadowChicken):
3590         (JSC::ShadowChicken::log):
3591         (JSC::ShadowChicken::update):
3592         (JSC::ShadowChicken::visitChildren):
3593         (JSC::ShadowChicken::reset):
3594         (JSC::ShadowChicken::dump):
3595         (JSC::ShadowChicken::functionsOnStack):
3596         * interpreter/ShadowChicken.h: Added.
3597         (JSC::ShadowChicken::Packet::Packet):
3598         (JSC::ShadowChicken::Packet::tailMarker):
3599         (JSC::ShadowChicken::Packet::throwMarker):
3600         (JSC::ShadowChicken::Packet::prologue):
3601         (JSC::ShadowChicken::Packet::tail):
3602         (JSC::ShadowChicken::Packet::throwPacket):
3603         (JSC::ShadowChicken::Packet::operator bool):
3604         (JSC::ShadowChicken::Packet::isPrologue):
3605         (JSC::ShadowChicken::Packet::isTail):
3606         (JSC::ShadowChicken::Packet::isThrow):
3607         (JSC::ShadowChicken::Frame::Frame):
3608         (JSC::ShadowChicken::Frame::operator==):
3609         (JSC::ShadowChicken::Frame::operator!=):
3610         (JSC::ShadowChicken::log):
3611         (JSC::ShadowChicken::logSize):
3612         (JSC::ShadowChicken::addressOfLogCursor):
3613         (JSC::ShadowChicken::logEnd):
3614         * interpreter/ShadowChickenInlines.h: Added.
3615         (JSC::ShadowChicken::iterate):
3616         * interpreter/StackVisitor.h:
3617         (JSC::StackVisitor::Frame::callee):
3618         (JSC::StackVisitor::Frame::codeBlock):
3619         (JSC::StackVisitor::Frame::bytecodeOffset):
3620         (JSC::StackVisitor::Frame::inlineCallFrame):
3621         (JSC::StackVisitor::Frame::isJSFrame):
3622         (JSC::StackVisitor::Frame::isInlinedFrame):
3623         (JSC::StackVisitor::visit):
3624         * jit/CCallHelpers.cpp: Added.
3625         (JSC::CCallHelpers::logShadowChickenProloguePacket):
3626         (JSC::CCallHelpers::logShadowChickenTailPacket):
3627         (JSC::CCallHelpers::setupShadowChickenPacket):
3628         * jit/CCallHelpers.h:
3629         (JSC::CCallHelpers::prepareForTailCallSlow):
3630         * jit/JIT.cpp:
3631         (JSC::JIT::privateCompileMainPass):
3632         * jit/JIT.h:
3633         * jit/JITExceptions.cpp:
3634         (JSC::genericUnwind):
3635         * jit/JITOpcodes.cpp:
3636         (JSC::JIT::emit_op_resume):
3637         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3638         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3639         * jit/JITOperations.cpp:
3640         * jit/JITOperations.h:
3641         * jsc.cpp:
3642         (GlobalObject::finishCreation):
3643         (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
3644         (FunctionJSCStackFunctor::operator()):
3645         (functionClearSamplingFlags):
3646         (functionShadowChickenFunctionsOnStack):
3647         (functionReadline):
3648         * llint/LLIntOffsetsExtractor.cpp:
3649         * llint/LLIntSlowPaths.cpp:
3650         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3651         (JSC::LLInt::llint_throw_stack_overflow_error):
3652         * llint/LLIntSlowPaths.h:
3653         * llint/LowLevelInterpreter.asm:
3654         * profiler/ProfileGenerator.cpp:
3655         (JSC::AddParentForConsoleStartFunctor::foundParent):
3656         (JSC::AddParentForConsoleStartFunctor::operator()):
3657         * runtime/Error.cpp:
3658         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
3659         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
3660         (JSC::addErrorInfoAndGetBytecodeOffset):
3661         * runtime/JSFunction.cpp:
3662         (JSC::RetrieveArgumentsFunctor::result):
3663         (JSC::RetrieveArgumentsFunctor::operator()):
3664         (JSC::retrieveArguments):
3665         (JSC::RetrieveCallerFunctionFunctor::result):
3666         (JSC::RetrieveCallerFunctionFunctor::operator()):
3667         (JSC::retrieveCallerFunction):
3668         * runtime/JSGlobalObjectFunctions.cpp:
3669         (JSC::GlobalFuncProtoGetterFunctor::result):
3670         (JSC::GlobalFuncProtoGetterFunctor::operator()):
3671         (JSC::globalFuncProtoGetter):
3672         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
3673         (JSC::GlobalFuncProtoSetterFunctor::operator()):
3674         * runtime/NullSetterFunction.cpp:
3675         (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
3676         (JSC::GetCallerStrictnessFunctor::operator()):
3677         (JSC::GetCallerStrictnessFunctor::callerIsStrict):
3678         (JSC::callerIsStrict):
3679         * runtime/ObjectConstructor.cpp:
3680         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
3681         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
3682         (JSC::objectConstructorGetPrototypeOf):
3683         * runtime/Options.h:
3684         * runtime/VM.cpp:
3685         (JSC::VM::VM):
3686         (JSC::SetEnabledProfilerFunctor::operator()):
3687         * runtime/VM.h:
3688         (JSC::VM::shouldBuilderPCToCodeOriginMapping):
3689         (JSC::VM::bytecodeIntrinsicRegistry):
3690         (JSC::VM::shadowChicken):
3691         * tests/stress/resources/shadow-chicken-support.js: Added.
3692         (describeFunction):
3693         (describeArray):
3694         (expectStack):
3695         (initialize):
3696         * tests/stress/shadow-chicken-disabled.js: Added.
3697         (test1.foo):
3698         (test1.bar):
3699         (test1.baz):
3700         (test1):
3701         (test2.foo):
3702         (test2.bar):
3703         (test2.baz):
3704         (test2):
3705         (test3.foo):
3706         (test3.bar):
3707         (test3.baz):
3708         (test3):
3709         * tests/stress/shadow-chicken-enabled.js: Added.
3710         (test1.foo):
3711         (test1.bar):
3712         (test1.baz):
3713         (test1):
3714         (test2.foo):
3715         (test2.bar):
3716         (test2.baz):
3717         (test2):
3718         (test3.bob):
3719         (test3.thingy):
3720         (test3.foo):
3721         (test3.bar):
3722         (test3.baz):
3723         (test3):
3724         (test4.bob):
3725         (test4.thingy):
3726         (test4.foo):
3727         (test4.bar):
3728         (test4.baz):
3729         (test4):
3730         (test5.foo):
3731         (test5):
3732         * tools/JSDollarVMPrototype.cpp:
3733         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
3734         (JSC::CallerFrameJITTypeFunctor::operator()):
3735         (JSC::CallerFrameJITTypeFunctor::jitType):
3736         (JSC::functionLLintTrue):
3737         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
3738         (JSC::CellAddressCheckFunctor::operator()):
3739         (JSC::JSDollarVMPrototype::isValidCell):
3740         (JSC::JSDollarVMPrototype::isValidCodeBlock):
3741         (JSC::JSDollarVMPrototype::codeBlockForFrame):
3742         (JSC::PrintFrameFunctor::PrintFrameFunctor):
3743         (JSC::PrintFrameFunctor::operator()):
3744         (JSC::printCallFrame):
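
To make the shadow-stack idea above concrete, here is a constructed C++ model of a logical stack that keeps tail-deleted frames until it runs out of room (an added illustration, not JSC's ShadowChicken code; the capacity knob, the ShadowFrame/ShadowStack names and the annotation format are assumptions):

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed model of a ShadowChicken-style shadow stack (added illustration,
// not JSC's code): each logical frame remembers whether a later tail call
// reused its machine frame, i.e. whether it is "tail-deleted".
struct ShadowFrame {
    std::string callee;
    bool tailDeleted;
};

class ShadowStack {
public:
    // capacity (assumed knob): logical frames kept before tail-deleted ones go.
    explicit ShadowStack(size_t capacity) : m_capacity(capacity) {}

    // Ordinary call: a new machine frame and a matching logical frame.
    void call(const std::string& callee) {
        m_frames.push_back({callee, false});
        collectIfNeeded();
    }

    // Tail call: the callee takes over the caller's machine frame, but the
    // caller's logical frame is kept and marked so backtraces can show it.
    void tailCall(const std::string& callee) {
        if (!m_frames.empty())
            m_frames.back().tailDeleted = true;
        m_frames.push_back({callee, false});
        collectIfNeeded();
    }

    // Return: control goes back to the last non-tail caller, so the live frame
    // and every tail-deleted frame that shared its machine frame are popped.
    void ret() {
        if (m_frames.empty()) return;
        m_frames.pop_back();
        while (!m_frames.empty() && m_frames.back().tailDeleted)
            m_frames.pop_back();
    }

    // What a debugger would show: every frame, tail-deleted ones annotated.
    std::vector<std::string> backtrace() const {
        std::vector<std::string> out;
        for (const ShadowFrame& f : m_frames)
            out.push_back(f.tailDeleted ? f.callee + " [tail-deleted]" : f.callee);
        return out;
    }

    // What the real machine stack holds: only frames no tail call replaced.
    std::vector<std::string> machineStack() const {
        std::vector<std::string> out;
        for (const ShadowFrame& f : m_frames)
            if (!f.tailDeleted) out.push_back(f.callee);
        return out;
    }

    size_t logicalDepth() const { return m_frames.size(); }
private:
    // The CHICKEN idea: tail-deleted frames survive only while there is room.
    // Past capacity, drop the oldest tail-deleted frames; live frames stay.
    void collectIfNeeded() {
        if (m_frames.size() <= m_capacity) return;
        size_t toDrop = m_frames.size() - m_capacity;
        std::vector<ShadowFrame> kept;
        for (const ShadowFrame& f : m_frames) {
            if (f.tailDeleted && toDrop > 0) { --toDrop; continue; }
            kept.push_back(f);
        }
        m_frames.swap(kept);
    }

    size_t m_capacity;
    std::vector<ShadowFrame> m_frames;
};

// foo calls bar, bar tail-calls baz: the machine stack is {foo, baz}, but the
// backtrace still names bar as a tail-deleted frame.
std::vector<std::string> traceFooBarBaz() {
    ShadowStack s(16);
    s.call("foo"); s.call("bar"); s.tailCall("baz");
    return s.backtrace();
}
```

A tail-recursive loop driven through tailCall keeps the machine stack one frame deep while the logical stack stays capped at the configured capacity, which is the "collect tail-deleted frames if the stack gets too big" behaviour the entry describes.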
3745
3746 2016-03-19  Filip Pizlo  <fpizlo@apple.com>
3747
3748         DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace
3749         https://bugs.webkit.org/show_bug.cgi?id=155270
3750
3751         Reviewed by Saam Barati.
3752
3753         This enables constant-folding of RegExpExec, RegExpTest, and StringReplace.
3754
3755         It's now possible to run Yarr on the JIT threads. Since previous work on constant-folding
3756         strings gave the DFG an API for reasoning about JSString constants in terms of
3757         JIT-thread-local WTF::Strings, it's now super easy to just pass strings to Yarr and build IR
3758         based on the results.
3759
3760         But RegExpExec is hard: the folded version still must allocate a RegExpMatchesArray. We must
3761         use the same Structure that the code would have used or else we'll pollute the program's
3762         inline caches. Also, RegExpMatchesArray.h|cpp will allocate the array and its named
3763         properties in one go - we don't want to lose that optimization. So, this patch enables
3764         MaterializeNewObject to allocate objects or arrays with any number of indexed or named
3765         properties. Previously it could only handle objects (but not arrays) and named properties
3766         (but not indexed ones).
3767
3768         This also adds a few minor things for setting the RegExpConstructor cached result.
3769
3770         This is about a 2x speed-up on microbenchmarks when we fold a match success and about a
3771         8x speed-up when we fold a match failure. It's a 10% speed-up on Octane/regexp.
3772
3773         * JavaScriptCore.xcodeproj/project.pbxproj:
3774         * dfg/DFGAbstractInterpreterInlines.h:
3775         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3776         * dfg/DFGClobberize.h:
3777         (JSC::DFG::clobberize):
3778         * dfg/DFGDoesGC.cpp:
3779         (JSC::DFG::doesGC):
3780         * dfg/DFGFixupPhase.cpp:
3781         (JSC::DFG::FixupPhase::fixupNode):
3782         * dfg/DFGGraph.cpp:
3783         (JSC::DFG::Graph::dump):
3784         * dfg/DFGInsertionSet.cpp:
3785         (JSC::DFG::InsertionSet::insertSlow):
3786         (JSC::DFG::InsertionSet::execute):
3787         * dfg/DFGInsertionSet.h:
3788         (JSC::DFG::InsertionSet::insertCheck):
3789         * dfg/DFGLazyJSValue.cpp:
3790         (JSC::DFG::LazyJSValue::tryGetString):
3791         * dfg/DFGMayExit.cpp:
3792         (JSC::DFG::mayExit):
3793         * dfg/DFGNode.h:
3794         (JSC::DFG::StackAccessData::flushedAt):
3795         (JSC::DFG::OpInfo::OpInfo): Deleted.
3796         * dfg/DFGNodeType.h:
3797         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3798         * dfg/DFGObjectMaterializationData.cpp:
3799         (JSC::DFG::ObjectMaterializationData::dump):
3800         (JSC::DFG::PhantomPropertyValue::dump): Deleted.
3801         (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore): Deleted.
3802         (JSC::DFG::ObjectMaterializationData::similarityScore): Deleted.
3803         * dfg/DFGObjectMaterializationData.h:
3804         (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue): Deleted.
3805         (JSC::DFG::PhantomPropertyValue::operator==): Deleted.
3806         * dfg/DFGOpInfo.h: Added.
3807         (JSC::DFG::OpInfo::OpInfo):
3808         * dfg/DFGOperations.cpp:
3809         * dfg/DFGOperations.h:
3810         * dfg/DFGPredictionPropagationPhase.cpp:
3811         (JSC::DFG::PredictionPropagationPhase::propagate):
3812         * dfg/DFGPromotedHeapLocation.cpp:
3813         (WTF::printInternal):
3814         * dfg/DFGPromotedHeapLocation.h:
3815         * dfg/DFGSafeToExecute.h:
3816         (JSC::DFG::safeToExecute):
3817         * dfg/DFGSpeculativeJIT.cpp:
3818         (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
3819         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3820         (JSC::DFG::SpeculativeJIT::emitGetLength):
3821         (JSC::DFG::SpeculativeJIT::compileLazyJSConstant):
3822         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
3823         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3824         (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): Deleted.
3825         * dfg/DFGSpeculativeJIT.h:
3826         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
3827         * dfg/DFGSpeculativeJIT32_64.cpp:
3828         (JSC::DFG::SpeculativeJIT::compile):
3829         * dfg/DFGSpeculativeJIT64.cpp:
3830         (JSC::DFG::SpeculativeJIT::compile):
3831         * dfg/DFGStoreBarrierInsertionPhase.cpp:
3832         * dfg/DFGStrengthReductionPhase.cpp:
3833         (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
3834         (JSC::DFG::StrengthReductionPhase::handleNode):
3835         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
3836         (JSC::DFG::StrengthReductionPhase::executeInsertionSet):
3837         * dfg/DFGValidate.cpp:
3838         (JSC::DFG::Validate::validate):
3839         (JSC::DFG::Validate::validateCPS):
3840         * ftl/FTLAbstractHeapRepository.cpp:
3841         * ftl/FTLAbstractHeapRepository.h:
3842         * ftl/FTLCapabilities.cpp:
3843         (JSC::FTL::canCompile):
3844         * ftl/FTLLowerDFGToB3.cpp:
3845         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3846         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
3847         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3848         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
3849         (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex):
3850         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3851         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
3852         (JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
3853         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
3854         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
3855         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
3856         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
3857         * ftl/FTLOperations.cpp:
3858         (JSC::FTL::operationPopulateObjectInOSR):
3859         (JSC::FTL::operationNewObjectWithButterfly): Deleted.
3860         * ftl/FTLOperations.h:
3861         * inspector/ContentSearchUtilities.cpp:
3862         * runtime/JSObject.h:
3863         (JSC::JSObject::createRawObject):
3864         (JSC::JSFinalObject::create):
3865         * runtime/RegExp.cpp:
3866         (JSC::RegExp::compile):
3867         (JSC::RegExp::match):
3868         (JSC::RegExp::matchConcurrently):
3869         (JSC::RegExp::compileMatchOnly):
3870         (JSC::RegExp::deleteCode):
3871         * runtime/RegExp.h:
3872         * runtime/RegExpCachedResult.h:
3873         (JSC::RegExpCachedResult::offsetOfLastRegExp):
3874         (JSC::RegExpCachedResult::offsetOfLastInput):
3875         (JSC::RegExpCachedResult::offsetOfResult):
3876         (JSC::RegExpCachedResult::offsetOfReified):
3877         * runtime/RegExpConstructor.h:
3878         (JSC::RegExpConstructor::offsetOfCachedResult):
3879         * runtime/RegExpInlines.h:
3880         (JSC::RegExp::hasCodeFor):
3881         (JSC::RegExp::compileIfNecessary):
3882         (JSC::RegExp::matchInline):
3883         (JSC::RegExp::hasMatchOnlyCodeFor):
3884         (JSC::RegExp::compileIfNecessaryMatchOnly):
3885         * runtime/RegExpObjectInlines.h:
3886         (JSC::RegExpObject::execInline):
3887         * runtime/StringPrototype.cpp:
3888         (JSC::substituteBackreferencesSlow):
3889         (JSC::substituteBackreferencesInline):
3890         (JSC::substituteBackreferences):
3891         (JSC::StringRange::StringRange):
3892         * runtime/StringPrototype.h:
3893         * runtime/VM.h:
3894         * tests/stress/simple-regexp-exec-folding-fail.js: Added.
3895         (foo):
3896         * tests/stress/simple-regexp-exec-folding.js: Added.
3897         (foo):
3898         * tests/stress/simple-regexp-test-folding-fail.js: Added.
3899         (foo):
3900         * tests/stress/simple-regexp-test-folding.js: Added.
3901         (foo):
3902         * yarr/RegularExpression.cpp:
3903         * yarr/Yarr.h:
3904         * yarr/YarrInterpreter.cpp:
3905         (JSC::Yarr::Interpreter::interpret):
3906         (JSC::Yarr::ByteCompiler::ByteCompiler):
3907         (JSC::Yarr::ByteCompiler::compile):
3908         (JSC::Yarr::ByteCompiler::checkInput):
3909         (JSC::Y