[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-12-23  Andreas Kling  <akling@apple.com>

        jsc CLI tool crashes on EOF.
        <https://webkit.org/b/152522>

        Reviewed by Benjamin Poulain.

        SourceProvider should treat String() like the empty string for hashing purposes.
        This was a subtle behavior change in r194017 due to how zero-length strings are
        treated by StringImpl::createSubstringSharingImpl().

        I made these SourceProviders store a Ref<StringImpl> internally instead of a
        String, to codify the fact that these strings can't be null strings.

        I couldn't find a way to cause this crash through the API.

        * API/JSScriptRef.cpp:
        (OpaqueJSScript::OpaqueJSScript):
        * parser/SourceProvider.h:
        (JSC::StringSourceProvider::StringSourceProvider):

2015-12-23  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should be able to run crypto-sha1 in eager mode
        https://bugs.webkit.org/show_bug.cgi?id=152539

        Reviewed by Saam Barati.

        This patch contains one real bug fix and some other fixes that are primarily there for sanity
        because I don't believe they are symptomatic.

        The real fix is the instruction selector's handling of Phi. It was assuming that the correct
        lowering of Phi is to do nothing and the correct lowering of Upsilon is to store into the tmp
        that the Phi uses. But this fails for code patterns like:

            @a = Phi()
            Upsilon(@x, ^a)
            use(@a) // this should see the value that @a had at the point that "@a = Phi()" executed.

        This arises when we have a lot of Upsilons in a row and they are trying to perform a
        shuffling. Prior to this change, "use(@a)" would see the new value of @a, i.e. @x. That's
        wrong. So, this changes the lowering to make each Phi have a special shadow Tmp, and Upsilon
        stores to it while Phi loads from it. Most of these assignments get copy-propagated by IRC,
        so it doesn't really hurt us. I couldn't find any benchmarks that slowed down because of
        this. In fact, I believe that the only time that this would lead to extra interference or
        extra assignments is when it's actually needed to be correct.

        This also contains other fixes, which are probably not for real bugs, but they make me feel
        all warm and fuzzy:

        - spillEverything() works again.  Previously, it didn't have all of IRC's smarts for handling
          a spill of a ZDef.  I fixed this by creating a helper phase that finds all subwidth ZDefs
          to spill slots and amends them with zero-fills of the top bits.

        - IRC no longer requires precise TmpWidth analysis.  Previously, if TmpWidth gave pessimistic
          results, the subwidth ZDef bug would return.  That probably means that it was never fixed
          to begin with, since it's totally cool for just a single def or use of a tmp to cause it
          to become pessimistic. But there may still have been some subwidth ZDefs.  The way that I
          fixed this bug is to have IRC also run the ZDef fixup code that spillEverything() uses.
          This is abstracted behind the beautifully named Air::fixSpillSlotZDef().

        - B3::validate() does dominance checks!  So, if you shoot yourself in the foot by using
          something before defining it, validate() will tell you.

        - Air::TmpWidth is now easy to "turn off" - i.e. to make it go fully conservative. It's not
          an Option; you have to hack code. But that's better than nothing, and it's consistent with
          what we do for other super-internal compiler options that we use rarely.

        - You can now run spillEverything() without hacking code.  Just use
          Options::airSpillsEverything().

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::LowerToAir):
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Validate.cpp:
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::specials):
        (JSC::B3::Air::Code::forAllTmps):
        (JSC::B3::Air::Code::isFastTmp):
        * b3/air/AirFixSpillSlotZDef.h: Added.
        (JSC::B3::Air::fixSpillSlotZDef):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirTmpWidth.cpp:
        (JSC::B3::Air::TmpWidth::recompute):
        * jit/JITOperations.cpp:
        * runtime/Options.h:

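
The Phi/Upsilon lowering bug described in this entry, as an added C++ example that is not JavaScriptCore's code: a toy lowering of Phi and Upsilon to Air-style moves, run both the pre-fix way (Upsilon writes the Phi's tmp directly) and with a shadow tmp per Phi. It models the entry's literal `@a = Phi(); Upsilon(@x, ^a); use(@a)` pattern and the two-Phi swap on a back edge; every name in it (`phidemo`, `lowerNaive`, `lowerWithShadow`, `runSwap`) is this example's own assumption.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>

// Added example, not JavaScriptCore code: a toy model of lowering B3's
// Phi/Upsilon to Air-style moves over named tmps. Names are this example's own.
namespace phidemo {

enum class Op { Phi, Upsilon };

// One B3 instruction. Phi: `value` is the Phi's name (@a).
// Upsilon: `value` is the target Phi (^a), `source` the value sent (@x).
struct B3Inst {
    Op op;
    std::string value;
    std::string source;
};

// An Air-style move: dst = src.
struct Move {
    std::string dst;
    std::string src;
};

using Env = std::map<std::string, int>;
using Lowering = std::vector<Move> (*)(const std::vector<B3Inst>&);

// Pre-fix lowering: Phi lowers to nothing and Upsilon stores straight into
// the tmp that the Phi's users read.
std::vector<Move> lowerNaive(const std::vector<B3Inst>& insts) {
    std::vector<Move> out;
    for (const B3Inst& i : insts) {
        if (i.op == Op::Upsilon)
            out.push_back({i.value, i.source});
    }
    return out;
}

// Fixed lowering: every Phi owns a shadow tmp. Upsilon stores into the shadow
// and the Phi itself loads the shadow into the tmp its users read, so a use
// of @a after a later Upsilon still sees the value @a had when the Phi ran.
std::vector<Move> lowerWithShadow(const std::vector<B3Inst>& insts) {
    std::vector<Move> out;
    for (const B3Inst& i : insts) {
        if (i.op == Op::Phi)
            out.push_back({i.value, i.value + ".shadow"});
        else
            out.push_back({i.value + ".shadow", i.source});
    }
    return out;
}

// Execute moves in order; an unset source reads as 0 (never hit below).
void execute(const std::vector<Move>& moves, Env& env) {
    for (const Move& m : moves)
        env[m.dst] = env[m.src];
}

// The entry's literal pattern: @a = Phi(); Upsilon(@x, ^a); use(@a).
// Returns the value use(@a) observes. @a previously received 10; @x is 20.
int runUseAfterUpsilon(bool useShadow) {
    Lowering lower = useShadow ? lowerWithShadow : lowerNaive;
    std::vector<B3Inst> block = {
        {Op::Phi, "a", ""},
        {Op::Upsilon, "a", "x"},
    };
    Env env = {{"a", 10}, {"a.shadow", 10}, {"x", 20}};
    execute(lower(block), env);
    return env["a"];  // naive: 20 (sees @x); shadow: 10 (the Phi's value)
}

// The shuffle case: two Phis whose Upsilons swap them on a loop back edge.
// Upsilons run at the end of the body, the Phis at the head of the next
// iteration. Returns (a, b) after one trip around the loop from (1, 2).
std::pair<int, int> runSwap(bool useShadow) {
    Lowering lower = useShadow ? lowerWithShadow : lowerNaive;
    std::vector<B3Inst> body = {
        {Op::Upsilon, "a", "b"},  // Upsilon(@b, ^a)
        {Op::Upsilon, "b", "a"},  // Upsilon(@a, ^b)
    };
    std::vector<B3Inst> head = {
        {Op::Phi, "a", ""},
        {Op::Phi, "b", ""},
    };
    Env env = {{"a", 1}, {"b", 2}};
    execute(lower(body), env);
    execute(lower(head), env);
    return {env["a"], env["b"]};  // naive: (2, 2); shadow: (2, 1)
}

}  // namespace phidemo
```

The naive swap collapses both values to 2 because the second Upsilon reads a tmp the first one already overwrote; the shadow tmps make the Upsilons a parallel assignment.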
2015-12-23  Filip Pizlo  <fpizlo@apple.com>

        Need a story for platform-specific Args
        https://bugs.webkit.org/show_bug.cgi?id=152529

        Reviewed by Michael Saboff.

        This teaches Arg that some Arg forms are not valid on some targets. The instruction selector now
        uses this to avoid immediates and addresses that the target wouldn't like.

        This shouldn't change code generation on X86, but is meant as a step towards ARM64 support.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::crossesInterference):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::addr):
        (JSC::B3::Air::LowerToAir::loadPromise):
        (JSC::B3::Air::LowerToAir::imm):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::Arg):
        (JSC::B3::Air::Arg::imm):
        (JSC::B3::Air::Arg::imm64):
        (JSC::B3::Air::Arg::callArg):
        (JSC::B3::Air::Arg::isValidScale):
        (JSC::B3::Air::Arg::tmpIndex):
        (JSC::B3::Air::Arg::withOffset):
        (JSC::B3::Air::Arg::isValidImmForm):
        (JSC::B3::Air::Arg::isValidAddrForm):
        (JSC::B3::Air::Arg::isValidIndexForm):
        (JSC::B3::Air::Arg::isValidForm):
        (JSC::B3::Air::Arg::forEachTmpFast):
        * b3/air/opcode_generator.rb:

2015-12-23  Keith Miller  <keith_miller@apple.com>

        [JSC] Bugfix for intrinsic getters with dictionary structures.
        https://bugs.webkit.org/show_bug.cgi?id=152538

        Reviewed by Mark Lam.

        Intrinsic getters did not check if an object was a dictionary. This meant, if a property on
        the prototype chain of a dictionary was an intrinsic getter we would IC it. Later, if a
        property is added to the dictionary the IC would still return the result of the intrinsic.
        The fix is to no longer IC intrinsic getters if the base object is a dictionary.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * tests/stress/typedarray-length-dictionary.js: Added.
        (len):

2015-12-23  Andy VanWagoner  <andy@instructure.com>

        [INTL] Implement DateTime Format Functions
        https://bugs.webkit.org/show_bug.cgi?id=147606

        Reviewed by Benjamin Poulain.

        Initialize a UDateFormat from the generated pattern. Use udat_format()
        to format the value. Make sure that the UDateFormat is cleaned up when
        the DateTimeFormat is deconstructed.

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::~IntlDateTimeFormat):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::format):
        * runtime/IntlDateTimeFormat.h:

2015-12-23  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement String.prototype.localeCompare in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147607

        Reviewed by Benjamin Poulain.

        Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
        Keep existing native implementation for use if INTL flag is disabled.
        For the common case where no locale or options are specified, avoid creating
        a new collator and just use the prototype which is initialized with the defaults.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/StringPrototype.js: Added.
        (localeCompare):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2015-12-23  Benjamin Poulain  <benjamin@webkit.org>

        Fix x86_64 after r194388

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::appendShift):
        (JSC::B3::Air::LowerToAir::lower):
        (JSC::B3::Air::LowerToAir::lowerX86Div):

2015-12-23  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Get the JavaScriptCore framework to build on ARM64 with B3 enabled
        https://bugs.webkit.org/show_bug.cgi?id=152503

        Reviewed by Filip Pizlo.

        It is not working but it builds.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::vand):
        (JSC::ARM64Assembler::vectorDataProcessing2Source):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::add32):
        (JSC::MacroAssemblerARM64::add64):
        (JSC::MacroAssemblerARM64::countLeadingZeros64):
        (JSC::MacroAssemblerARM64::not32):
        (JSC::MacroAssemblerARM64::not64):
        (JSC::MacroAssemblerARM64::zeroExtend16To32):
        (JSC::MacroAssemblerARM64::signExtend16To32):
        (JSC::MacroAssemblerARM64::zeroExtend8To32):
        (JSC::MacroAssemblerARM64::signExtend8To32):
        (JSC::MacroAssemblerARM64::addFloat):
        (JSC::MacroAssemblerARM64::ceilFloat):
        (JSC::MacroAssemblerARM64::branchDouble):
        (JSC::MacroAssemblerARM64::branchFloat):
        (JSC::MacroAssemblerARM64::divFloat):
        (JSC::MacroAssemblerARM64::moveZeroToDouble):
        (JSC::MacroAssemblerARM64::moveFloatTo32):
        (JSC::MacroAssemblerARM64::move32ToFloat):
        (JSC::MacroAssemblerARM64::moveConditionallyDouble):
        (JSC::MacroAssemblerARM64::moveConditionallyFloat):
        (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::mulFloat):
        (JSC::MacroAssemblerARM64::andDouble):
        (JSC::MacroAssemblerARM64::andFloat):
        (JSC::MacroAssemblerARM64::sqrtFloat):
        (JSC::MacroAssemblerARM64::subFloat):
        (JSC::MacroAssemblerARM64::signExtend32ToPtr):
        (JSC::MacroAssemblerARM64::moveConditionally32):
        (JSC::MacroAssemblerARM64::moveConditionally64):
        (JSC::MacroAssemblerARM64::moveConditionallyTest32):
        (JSC::MacroAssemblerARM64::moveConditionallyTest64):
        (JSC::MacroAssemblerARM64::test32):
        (JSC::MacroAssemblerARM64::setCarry):
        (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::moveDoubleToInts):
        (JSC::MacroAssemblerX86::moveIntsToDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::move32ToFloat):
        (JSC::MacroAssemblerX86Common::moveFloatTo32):
        (JSC::MacroAssemblerX86Common::moveInt32ToPacked): Deleted.
        (JSC::MacroAssemblerX86Common::movePackedToInt32): Deleted.
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::appendShift):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::isX86DivHelperValid):
        * b3/air/AirOpcode.opcodes:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
        (JSC::AssemblyHelpers::emitFunctionEpilogue):
        * jit/FPRInfo.h:
        (JSC::FPRInfo::toArgumentRegister):

2015-12-23  Andy VanWagoner  <andy@instructure.com>

        [INTL] Implement Intl.DateTimeFormat.prototype.resolvedOptions ()
        https://bugs.webkit.org/show_bug.cgi?id=147603

        Reviewed by Benjamin Poulain.

        Implements InitializeDateTimeFormat and related abstract operations
        using ICU. Lazy initialization is used for DateTimeFormat.prototype.
        Refactor to align with Collator work.

        * icu/unicode/udatpg.h: Added.
        * icu/unicode/unumsys.h: Added.
        * runtime/CommonIdentifiers.h:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::defaultTimeZone):
        (JSC::canonicalizeTimeZoneName):
        (JSC::localeData):
        (JSC::toDateTimeOptions):
        (JSC::IntlDateTimeFormat::setFormatsFromPattern):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::weekdayString):
        (JSC::IntlDateTimeFormat::eraString):
        (JSC::IntlDateTimeFormat::yearString):
        (JSC::IntlDateTimeFormat::monthString):
        (JSC::IntlDateTimeFormat::dayString):
        (JSC::IntlDateTimeFormat::hourString):
        (JSC::IntlDateTimeFormat::minuteString):
        (JSC::IntlDateTimeFormat::secondString):
        (JSC::IntlDateTimeFormat::timeZoneNameString):
        (JSC::IntlDateTimeFormat::resolvedOptions):
        (JSC::IntlDateTimeFormat::format):
        (JSC::IntlDateTimeFormatFuncFormatDateTime): Deleted.
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        (JSC::callIntlDateTimeFormat):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatFuncFormatDateTime):
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::resolveLocale):
        (JSC::getNumberingSystemsForLocale):
        * runtime/IntlObject.h:

2015-12-22  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(194382): FTL B3 no longer runs V8/encrypt
        https://bugs.webkit.org/show_bug.cgi?id=152519

        Reviewed by Saam Barati.

        A "Move Imm, Tmp" instruction should turn into "Move32 Imm, Tmp" if the Tmp is spilled to a
        32-bit slot. Changing where we check isTmp() achieves this. Since all of the logic is only
        relevant to when we spill without introducing a Tmp, and since a Move does not have a "Move Addr,
        Addr" form, this code ensures that the logic only happens for "Tmp, Tmp" and "Imm, Tmp".

        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * dfg/DFGOperations.cpp:

2015-12-22  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should use the right type for comparison slow paths
        https://bugs.webkit.org/show_bug.cgi?id=152521

        Reviewed by Saam Barati.

        Fixes a small goof that was leading to B3 validation failures.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):

2015-12-22  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should be able to run richards
        https://bugs.webkit.org/show_bug.cgi?id=152514

        Reviewed by Michael Saboff.

        This came down to a liveness bug and a register allocation bug.

        The liveness bug was that the code that determined whether we should go around the fixpoint
        assumed that BitVector::quickSet() would return true if the bit changed state from false to
        true. That's not how it works. It returns the old value of the bit, so it will return false
        if the bit changed from false to true. Since there is already a lot of code that relies on
        this behavior, I fixed Liveness instead of changing BitVector.

        The register allocation bug was that we weren't guarding some checks of tmp()'s with checks
        that the Arg isTmp().

        The liveness took a long time to track down, and I needed to add a lot of dumping to do it.
        It's now possible to dump more of the liveness states, including liveAtHead. I found this
        extremely helpful, so I removed the code that cleared liveAtHead.

        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::AbstractLiveness::Iterable::Iterable):
        (JSC::B3::Air::AbstractLiveness::Iterable::iterator::iterator):
        (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator*):
        (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator++):
        (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator==):
        (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator!=):
        (JSC::B3::Air::AbstractLiveness::Iterable::begin):
        (JSC::B3::Air::AbstractLiveness::Iterable::end):
        (JSC::B3::Air::AbstractLiveness::liveAtHead):
        (JSC::B3::Air::AbstractLiveness::liveAtTail):
        * b3/air/AirStackSlot.h:
        (WTF::printInternal):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):

2015-12-22  Saam barati  <sbarati@apple.com>

        Cloop build fix after https://bugs.webkit.org/show_bug.cgi?id=152511.

        Unreviewed build fix.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2015-12-22  Saam barati  <sbarati@apple.com>

        Work around issue in bug #152510
        https://bugs.webkit.org/show_bug.cgi?id=152511

        Reviewed by Filip Pizlo.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2015-12-22  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 does not logicalNot correctly
        https://bugs.webkit.org/show_bug.cgi?id=152512

        Reviewed by Saam Barati.

        I'm working on a bug where V8/richards does not run correctly. I noticed that the codegen was
        doing a lot of Not32's followed by branches, which smelled like badness. To debug this, I
        needed B3's origins to dump as something other than a hexed pointer to a node. The node index
        would be better. So, I added the notion of an origin printer to Procedure.

        The bug was easy enough to fix. This introduces Output::logicalNot(). In LLVM, it's the same
        as bitNot(). In B3, it's compiled to Equal(value, 0). We could have also compiled it to
        BitXor(value, 1), except that B3 will strength-reduce to that anyway whenever it's safe. It's
        sort of nice that right now, you could use logicalNot() on non-bool values and get C-like
        behavior.

        Richards still doesn't run, though. There are more bugs!

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::dump):
        (JSC::B3::BasicBlock::deepDump):
        * b3/B3BasicBlock.h:
        (JSC::B3::BasicBlock::frequency):
        (JSC::B3::DeepBasicBlockDump::DeepBasicBlockDump):
        (JSC::B3::DeepBasicBlockDump::dump):
        (JSC::B3::deepDump):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Origin.h:
        (JSC::B3::Origin::data):
        * b3/B3OriginDump.h: Added.
        (JSC::B3::OriginDump::OriginDump):
        (JSC::B3::OriginDump::dump):
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::~Procedure):
        (JSC::B3::Procedure::printOrigin):
        (JSC::B3::Procedure::addBlock):
        (JSC::B3::Procedure::dump):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::setOriginPrinter):
        * b3/B3Value.cpp:
        (JSC::B3::Value::dumpChildren):
        (JSC::B3::Value::deepDump):
        * b3/B3Value.h:
        (JSC::B3::DeepValueDump::DeepValueDump):
        (JSC::B3::DeepValueDump::dump):
        (JSC::B3::deepDump):
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::lockedStackSlot):
        (JSC::FTL::Output::bitNot):
        (JSC::FTL::Output::logicalNot):
        (JSC::FTL::Output::load):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::ctlz32):
        (JSC::FTL::Output::addWithOverflow32):
        (JSC::FTL::Output::lessThanOrEqual):
        (JSC::FTL::Output::doubleEqual):
        (JSC::FTL::Output::doubleEqualOrUnordered):
        (JSC::FTL::Output::doubleNotEqualOrUnordered):
        (JSC::FTL::Output::doubleLessThan):
        (JSC::FTL::Output::doubleLessThanOrEqual):
        (JSC::FTL::Output::doubleGreaterThan):
        (JSC::FTL::Output::doubleGreaterThanOrEqual):
        (JSC::FTL::Output::doubleNotEqualAndOrdered):
        (JSC::FTL::Output::doubleLessThanOrUnordered):
        (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
        (JSC::FTL::Output::doubleGreaterThanOrUnordered):
        (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
        (JSC::FTL::Output::isZero32):
        (JSC::FTL::Output::notZero32):
        (JSC::FTL::Output::addIncomingToPhi):
        (JSC::FTL::Output::bitCast):
        (JSC::FTL::Output::bitNot): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileLogicalNot):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCountExecution):
        (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
        (JSC::FTL::DFG::LowerDFGToLLVM::isMisc):
        (JSC::FTL::DFG::LowerDFGToLLVM::isNotBoolean):
        (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean):
        (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean):
        (JSC::FTL::DFG::LowerDFGToLLVM::isNotType):
        (JSC::FTL::DFG::LowerDFGToLLVM::speculateObject):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::bitNot):
        (JSC::FTL::Output::logicalNot):
        (JSC::FTL::Output::insertElement):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):

2015-12-22  Keith Miller  <keith_miller@apple.com>

        Remove OverridesHasInstance from TypeInfoFlags
        https://bugs.webkit.org/show_bug.cgi?id=152005

        Reviewed by Saam Barati.

        Currently, we have three TypeInfo flags associated with instanceof behavior,
        ImplementsHasInstance, ImplementDefaultHasInstance, and OverridesHasInstance. This patch
        removes the third and moves the first to the out of line flags. In theory, we should only
        need one flag but removing ImplementsHasInstance is more involved and should be done in a
        separate patch.

        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/InternalFunction.h:
        * runtime/JSBoundFunction.h:
        * runtime/JSCallee.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::implementsHasInstance):
        (JSC::TypeInfo::TypeInfo): Deleted.
        (JSC::TypeInfo::overridesHasInstance): Deleted.
        * runtime/NumberConstructor.h:

2015-12-22  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do tail calls
        https://bugs.webkit.org/show_bug.cgi?id=152494

        Reviewed by Michael Saboff.

        OMG this was so easy.

        The only shady part is that I broke a layering rule that we had so far been following: B3 was
        sitting below the JSC runtime, and did not use JS-specific types. No more, since B3::ValueRep
        can now turn itself into a ValueRecovery for a JSValue. This small feature makes a huge
        difference for the readability of tail call code: it makes it plain that the call frame
        shuffler is basically just directly consuming the stackmap generation params, and insofar as
        there is any data transformation, it's just because it uses different classes to say the same
        thing.

        I think we should avoid adding too many JS-specific things to B3. But, so long as it's still
        possible to use B3 to compile things that aren't JS, I think we'll be fine.

        * b3/B3ValueRep.cpp:
        (JSC::B3::ValueRep::dump):
        (JSC::B3::ValueRep::emitRestore):
        (JSC::B3::ValueRep::recoveryForJSValue):
        * b3/B3ValueRep.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        * test/stress/ftl-tail-call.js: Added.

2015-12-21  Mark Lam  <mark.lam@apple.com>

        Snippefy op_negate for the baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=152447

        Reviewed by Benjamin Poulain.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_op_negate):
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitBitBinaryOpFastPath):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_op_negate): Deleted.
        (JSC::JIT::emitSlow_op_negate): Deleted.
        * jit/JITNegGenerator.cpp: Added.
        (JSC::JITNegGenerator::generateFastPath):
        * jit/JITNegGenerator.h: Added.
        (JSC::JITNegGenerator::JITNegGenerator):
        (JSC::JITNegGenerator::didEmitFastPath):
        (JSC::JITNegGenerator::endJumpList):
        (JSC::JITNegGenerator::slowPathJumpList):

2015-12-21  Filip Pizlo  <fpizlo@apple.com>

        Address review feedback from Saam.  I should have landed it in r194354.

        * b3/testb3.cpp:
        (JSC::B3::testStore16Arg):

2015-12-21  Filip Pizlo  <fpizlo@apple.com>

        B3 should be able to compile Store16
        https://bugs.webkit.org/show_bug.cgi?id=152493

        Reviewed by Saam Barati.

        This adds comprehensive Store16 support to our assembler, Air, and B3->Air lowering.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store16):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_rm):
        (JSC::X86Assembler::movw_rm):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testStorePartial8BitRegisterOnX86):
        (JSC::B3::testStore16Arg):
        (JSC::B3::testStore16Imm):
        (JSC::B3::testTrunc):
        (JSC::B3::run):

2015-12-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove highBitsAreZero(), it's unused.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
        (JSC::B3::Air::LowerToAir::highBitsAreZero): Deleted.

2015-12-21  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed, fix the !FTL_USES_B3 build after r194334.

        * ftl/FTLLowerDFGToLLVM.cpp: Mark forwarding unused variable.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):

2015-12-21  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do doubleToInt32
        https://bugs.webkit.org/show_bug.cgi?id=152484

        Reviewed by Saam Barati.

        We used to have a DToI32 opcode in B3 that we never implemented. This removes that opcode,
        since double-to-int conversion has dramatically different semantics on different
        architectures. We let FTL get the conversion instruction it wants by using a patchpoint.

        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::materialize):
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::Output):
        (JSC::FTL::Output::appendTo):
        (JSC::FTL::Output::lockedStackSlot):
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::doublePowi):
        (JSC::FTL::Output::hasSensibleDoubleToInt):
        (JSC::FTL::Output::doubleToInt):
        (JSC::FTL::Output::doubleToUInt):
        (JSC::FTL::Output::load8SignExt32):
        (JSC::FTL::Output::load8ZeroExt32):
        (JSC::FTL::Output::load16SignExt32):
        (JSC::FTL::Output::load16ZeroExt32):
        (JSC::FTL::Output::store):
        (JSC::FTL::Output::store32As8):
        (JSC::FTL::Output::store32As16):
        (JSC::FTL::Output::branch):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::doubleLog):
        (JSC::FTL::Output::signExt32To64):
        (JSC::FTL::Output::zeroExt):
        (JSC::FTL::Output::zeroExtPtr):
        (JSC::FTL::Output::intToDouble):
        (JSC::FTL::Output::unsignedToDouble):
        (JSC::FTL::Output::castToInt32):
        (JSC::FTL::Output::hasSensibleDoubleToInt): Deleted.
        (JSC::FTL::Output::sensibleDoubleToInt): Deleted.
        (JSC::FTL::Output::fpToInt32): Deleted.
        (JSC::FTL::Output::fpToUInt32): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithPow):
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::DFG::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
        (JSC::FTL::DFG::LowerDFGToLLVM::convertDoubleToInt32):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::hasSensibleDoubleToInt):
        (JSC::FTL::Output::doubleToInt):
        (JSC::FTL::Output::doubleToUInt):
        (JSC::FTL::Output::signExt32To64):
        (JSC::FTL::Output::zeroExt):

693 2015-12-21  Skachkov Oleksandr  <gskachkov@gmail.com>
694
695         Unexpected exception assigning to this._property inside arrow function
696         https://bugs.webkit.org/show_bug.cgi?id=152028
697
698         Reviewed by Saam Barati.
699
700         The issue appeared when an arrow function created a base-level lexical environment; in that case the
701         |this| value was loaded from the wrong scope. The problem was that loading of |this| happened too early when
702         compiling bytecode, because the bytecode generator's scope stack wasn't in sync with the runtime scope stack.
703         To fix the issue, loading of |this| was moved after initializeDefaultParameterValuesAndSetupFunctionScopeStack
704         in BytecodeGenerator.cpp.
705
706         * bytecompiler/BytecodeGenerator.cpp:
707         (JSC::BytecodeGenerator::BytecodeGenerator):
708         * tests/stress/arrowfunction-lexical-bind-this-2.js:
709
710 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
711
712         FTL B3 should do vararg calls
713         https://bugs.webkit.org/show_bug.cgi?id=152468
714
715         Reviewed by Benjamin Poulain.
716
717         This adds FTL->B3 lowering of all kinds of varargs calls - forwarding or not, tail or not,
718         and construct or not. Like all other such lowerings, all of the code is in one place in
719         FTLLower.
720
721         I removed code for varargs and exception spill slots from the B3 path, since it won't need
722         it. The plan is to rely on B3 doing the spilling for us by using some combination of early
723         clobber and late use.
724
725         This adds ValueRep::emitRestore(), a helpful method for emitting code to restore any ValueRep
726         into any 64-bit Reg (FPR or GPR).
727
728         I wrote new tests for vararg calls, because I wasn't sure which of the existing ones we can
729         run. These are short-running tests, so I'm not worried about bloating our test suite.
730
731         * b3/B3ValueRep.cpp:
732         (JSC::B3::ValueRep::dump):
733         (JSC::B3::ValueRep::emitRestore):
734         * b3/B3ValueRep.h:
735         * ftl/FTLLowerDFGToLLVM.cpp:
736         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
737         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
738         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
739         * ftl/FTLState.h:
740         * tests/stress/varargs-no-forward.js: Added.
741         * tests/stress/varargs-simple.js: Added.
742         * tests/stress/varargs-two-level.js: Added.
743
744 2015-12-18  Mark Lam  <mark.lam@apple.com>
745
746         Add unary operator tests to compare JIT and LLINT results.
747         https://bugs.webkit.org/show_bug.cgi?id=152453
748
749         Reviewed by Benjamin Poulain.
750
751         Also fixed a few things in the binary-op-test.js.
752
753         * tests/stress/op_negate.js: Added.
754         (o1.valueOf):
755         * tests/stress/op_postdec.js: Added.
756         (o1.valueOf):
757         * tests/stress/op_postinc.js: Added.
758         (o1.valueOf):
759         * tests/stress/op_predec.js: Added.
760         (o1.valueOf):
761         * tests/stress/op_preinc.js: Added.
762         (o1.valueOf):
763         * tests/stress/resources/binary-op-test.js:
764         (stringifyIfNeeded):
765         (isIdentical):
766         (run):
767         * tests/stress/resources/unary-op-test.js: Added.
768         (stringifyIfNeeded):
769         (generateBinaryTests):
770         (isIdentical):
771         (runTest):
772         (run):
773
774 2015-12-21  Ryan Haddad  <ryanhaddad@apple.com>
775
776         Unreviewed, rolling out r194328.
777
778         This change appears to have caused failures in JSC tests
779
780         Reverted changeset:
781
782         "[INTL] Implement String.prototype.localeCompare in ECMA-402"
783         https://bugs.webkit.org/show_bug.cgi?id=147607
784         http://trac.webkit.org/changeset/194328
785
786 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
787
788         B3->Air lowering incorrectly copy-propagates over ZExt32's
789         https://bugs.webkit.org/show_bug.cgi?id=152365
790
791         Reviewed by Benjamin Poulain.
792
793         The instruction selector thinks that Value's that return Int32's are going to always be lowered
794         to instructions that zero-extend the destination. But this isn't actually true. If you have an
795         Add32 with a destination on the stack (i.e. spilled) then it only writes 4 bytes. Then, the
796         filler will load 8 bytes from the stack at the point of use. So, the use of the Add32 will see
797         garbage in the high bits.
798
799         The fact that the spiller chose to use 8 bytes for a Tmp that gets defined by an Add32 is a
800         pretty sad bug, but:
801
802         - It's entirely up to the spiller to decide how many bytes to use for a Tmp, since we do not
803           ascribe a type to Tmps. We could ascribe types to Tmps, but then coalescing would become
804           harder. Our goal is to fix the bug while still enabling coalescing in cases like "a[i]" where
805           "i" is a 32-bit integer that is computed using operations that already do zero-extension.
806
807         - More broadly, it's strange that the instruction selector decides whether a Value will be
808           lowered to something that zero-extends. That's too constraining, since the most optimal
809           instruction selection might involve something that doesn't zero-extend in cases of spilling, so
810           the zero-extension should only happen if it's actually needed. This means that we need to
811           understand which Air instructions cause zero-extensions.
812
813         - If we know which Air instructions cause zero-extensions, then we don't need the instruction
814           selector to copy-propagate ZExt32's. We have copy-propagation in Air thanks to the register
815           allocator.
816
817         In fact, the register allocator is exactly where all of the pieces come together. It's there that
818         we want to know which operations zero-extend and which don't. It also wants to know how many bits
819         of a Tmp each instruction reads. Armed with that information, the register allocator can emit
820         more optimal spill code, use less stack space for spill slots, and coalesce Move32's. As a bonus,
821         on X86, it replaces Move's with Move32's whenever it can. On X86, Move32 is cheaper.
822
823         This fixes a crash bug in V8/encrypt. After fixing this, I only needed two minor fixes to get
824         V8/encrypt to run. We're about 10% behind LLVM on steady state throughput on this test. It
825         appears to be mostly due to excessive spilling caused by CCall slow paths. That's fixable: we
826         could make CCalls on slow paths use a variant of CCallSpecial that promises not to clobber any
827         registers, and then have it emit spill code around the call itself. LLVM probably gets this
828         optimization from its live range splitting.
829
830         I tried writing a regression test. The problem is that you need garbage on the stack for this to
831         work, and I didn't feel like writing a flaky test. It appears that running V8/encrypt will cover
832         this, so we do have coverage.
833
834         * CMakeLists.txt:
835         * JavaScriptCore.xcodeproj/project.pbxproj:
836         * assembler/AbstractMacroAssembler.h:
837         (JSC::isX86):
838         (JSC::isX86_64):
839         (JSC::optimizeForARMv7IDIVSupported):
840         (JSC::optimizeForX86):
841         (JSC::optimizeForX86_64):
842         * b3/B3LowerToAir.cpp:
843         (JSC::B3::Air::LowerToAir::highBitsAreZero):
844         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
845         (JSC::B3::Air::LowerToAir::lower):
846         * b3/B3PatchpointSpecial.cpp:
847         (JSC::B3::PatchpointSpecial::forEachArg):
848         * b3/B3StackmapSpecial.cpp:
849         (JSC::B3::StackmapSpecial::forEachArgImpl):
850         * b3/B3Value.h:
851         * b3/air/AirAllocateStack.cpp:
852         (JSC::B3::Air::allocateStack):
853         * b3/air/AirArg.cpp:
854         (WTF::printInternal):
855         * b3/air/AirArg.h:
856         (JSC::B3::Air::Arg::pointerWidth):
857         (JSC::B3::Air::Arg::isAnyUse):
858         (JSC::B3::Air::Arg::isColdUse):
859         (JSC::B3::Air::Arg::isEarlyUse):
860         (JSC::B3::Air::Arg::isDef):
861         (JSC::B3::Air::Arg::isZDef):
862         (JSC::B3::Air::Arg::widthForB3Type):
863         (JSC::B3::Air::Arg::conservativeWidth):
864         (JSC::B3::Air::Arg::minimumWidth):
865         (JSC::B3::Air::Arg::bytes):
866         (JSC::B3::Air::Arg::widthForBytes):
867         (JSC::B3::Air::Arg::Arg):
868         (JSC::B3::Air::Arg::forEachTmp):
869         * b3/air/AirCCallSpecial.cpp:
870         (JSC::B3::Air::CCallSpecial::forEachArg):
871         * b3/air/AirEliminateDeadCode.cpp:
872         (JSC::B3::Air::eliminateDeadCode):
873         * b3/air/AirFixPartialRegisterStalls.cpp:
874         (JSC::B3::Air::fixPartialRegisterStalls):
875         * b3/air/AirInst.cpp:
876         (JSC::B3::Air::Inst::hasArgEffects):
877         * b3/air/AirInst.h:
878         (JSC::B3::Air::Inst::forEachTmpFast):
879         (JSC::B3::Air::Inst::forEachTmp):
880         * b3/air/AirInstInlines.h:
881         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs):
882         * b3/air/AirIteratedRegisterCoalescing.cpp:
883         * b3/air/AirLiveness.h:
884         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
885         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
886         * b3/air/AirOpcode.opcodes:
887         * b3/air/AirSpillEverything.cpp:
888         (JSC::B3::Air::spillEverything):
889         * b3/air/AirTmpWidth.cpp: Added.
890         (JSC::B3::Air::TmpWidth::TmpWidth):
891         (JSC::B3::Air::TmpWidth::~TmpWidth):
892         * b3/air/AirTmpWidth.h: Added.
893         (JSC::B3::Air::TmpWidth::width):
894         (JSC::B3::Air::TmpWidth::defWidth):
895         (JSC::B3::Air::TmpWidth::useWidth):
896         (JSC::B3::Air::TmpWidth::Widths::Widths):
897         * b3/air/AirUseCounts.h:
898         (JSC::B3::Air::UseCounts::UseCounts):
899         * b3/air/opcode_generator.rb:
900         * b3/testb3.cpp:
901         (JSC::B3::testCheckMegaCombo):
902         (JSC::B3::testCheckTrickyMegaCombo):
903         (JSC::B3::testCheckTwoMegaCombos):
904         (JSC::B3::run):
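
The following is an added illustration of the spill-width hazard the entry above describes, not code from WebKit: a Tmp defined by a 32-bit operation is spilled into an 8-byte slot that still holds stale bytes, and a full-width reload then observes garbage in the high 32 bits. The SpillSlot type, the add32ToSlot/reload helpers and the stale value 0xDEADBEEF00000000 are constructed for this example, and it assumes a little-endian machine (as on x86_64) so that a 4-byte store lands in the low half of the slot.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>

// Constructed model of the problem (hypothetical helpers, not B3/Air code).
// One 8-byte stack slot used as a spill location. Its contents are whatever
// the stack held before, which is the "garbage" the entry refers to.
struct SpillSlot {
    uint64_t bytes;
};

// Like Add32 with a memory destination: writes only the low 4 bytes of the
// slot. On a little-endian machine those are the first 4 bytes in memory.
static void add32ToSlot(SpillSlot& slot, uint32_t a, uint32_t b) {
    uint32_t result = a + b;
    std::memcpy(&slot, &result, sizeof(result)); // 4 of the 8 bytes are touched
}

// A filler that reloads the Tmp at the full 8-byte width sees the stale upper
// half together with the fresh lower half.
static uint64_t reloadWide(const SpillSlot& slot) {
    return slot.bytes;
}

// A width-aware reload: read the 4 bytes the defining instruction actually
// wrote and zero-extend them, which is what the fix makes the register
// allocator do once it knows Add32 defines only 32 bits.
static uint64_t reloadZeroExtended(const SpillSlot& slot) {
    uint32_t low;
    std::memcpy(&low, &slot, sizeof(low));
    return static_cast<uint64_t>(low);
}

struct Observation {
    uint64_t wide;         // what the buggy 8-byte reload returns
    uint64_t zeroExtended; // what a 4-byte zero-extending reload returns
};

// Runs the scenario on a slot pre-filled with a constructed stale value.
static Observation simulateSpill() {
    SpillSlot slot{0xDEADBEEF00000000ULL}; // constructed stale stack contents
    add32ToSlot(slot, 1, 2);                // 32-bit def of the Tmp: 1 + 2
    return Observation{reloadWide(slot), reloadZeroExtended(slot)};
}

// True when the wide reload disagrees with the zero-extended one, i.e. when
// the high bits of the reloaded Tmp are garbage rather than zero.
static bool highBitsAreGarbage() {
    Observation o = simulateSpill();
    return o.wide != o.zeroExtended;
}

int main() {
    Observation o = simulateSpill();
    std::cout << std::hex << "8-byte reload:       0x" << o.wide << "\n"
              << "zero-extended reload: 0x" << o.zeroExtended << "\n"
              << "high bits garbage:    " << (highBitsAreGarbage() ? "yes" : "no") << "\n";
    return 0;
}
```

The same mismatch is what a B3 ZExt32 was meant to paper over; once the allocator tracks the def width per Tmp it can pick a 4-byte slot and a zero-extending Move32 instead of relying on the instruction selector's assumption.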
905
906 2015-12-21  Andy VanWagoner  <thetalecrafter@gmail.com>
907
908         [INTL] Implement String.prototype.localeCompare in ECMA-402
909         https://bugs.webkit.org/show_bug.cgi?id=147607
910
911         Reviewed by Darin Adler.
912
913         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
914         Keep existing native implementation for use if INTL flag is disabled.
915
916         * CMakeLists.txt:
917         * DerivedSources.make:
918         * JavaScriptCore.xcodeproj/project.pbxproj:
919         * builtins/StringPrototype.js: Added.
920         (localeCompare):
921         * runtime/StringPrototype.cpp:
922         (JSC::StringPrototype::finishCreation):
923
924 2015-12-18  Filip Pizlo  <fpizlo@apple.com>
925
926         Implement compareDouble in B3/Air
927         https://bugs.webkit.org/show_bug.cgi?id=150903
928
929         Reviewed by Benjamin Poulain.
930
931         A hole in our coverage is that if we don't fuse a double comparison into a branch, then we will
932         crash in the instruction selector. Obviously, we *really* want to fuse double comparisons,
933         but we can't guarantee that this will always happen.
934
935         This also removes all uses of WTF::Dominators verification, since it's extremely slow even in
936         a release build. This speeds up testb3 with validateGraphAtEachPhase=true by an order of
937         magnitude.
938
939         * assembler/MacroAssembler.h:
940         (JSC::MacroAssembler::moveDoubleConditionallyFloat):
941         (JSC::MacroAssembler::compareDouble):
942         (JSC::MacroAssembler::compareFloat):
943         (JSC::MacroAssembler::lea):
944         * b3/B3Dominators.h:
945         (JSC::B3::Dominators::Dominators):
946         * b3/B3LowerToAir.cpp:
947         (JSC::B3::Air::LowerToAir::createCompare):
948         (JSC::B3::Air::LowerToAir::lower):
949         * b3/air/AirOpcode.opcodes:
950         * b3/testb3.cpp:
951         (JSC::B3::testCompare):
952         (JSC::B3::testEqualDouble):
953         (JSC::B3::simpleFunction):
954         (JSC::B3::run):
955         * dfg/DFGDominators.h:
956         (JSC::DFG::Dominators::Dominators):
957
958 2015-12-19  Dan Bernstein  <mitz@apple.com>
959
960         [Mac] WebKit contains dead source code for OS X Mavericks and earlier
961         https://bugs.webkit.org/show_bug.cgi?id=152462
962
963         Reviewed by Alexey Proskuryakov.
964
965         - Removed build setting definitions for OS X 10.9 and earlier, and simplified definitions
966           that became uniform across all OS X versions as a result:
967
968         * Configurations/DebugRelease.xcconfig:
969         * Configurations/FeatureDefines.xcconfig:
970         * Configurations/Version.xcconfig:
971
972         * API/JSBase.h: Removed check against __MAC_OS_X_VERSION_MIN_REQUIRED that was always true.
973
974 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
975
976         [JSC] Streamline Tmp indexing inside the register allocator
977         https://bugs.webkit.org/show_bug.cgi?id=152420
978
979         Reviewed by Filip Pizlo.
980
981         AirIteratedRegisterCoalescing has been accumulating a bit of mess over time.
982
983         When it started, every map addressed by Tmp was using Tmp hashing.
984         That caused massive performance problems. Everything perf sensitive was moved
985         to direct array addressing by the absolute Tmp index. This left the code
986         with half of the function using Tmp, the other half using indices.
987
988         With this patch, almost everything is moved to absolute indexing.
989         There are a few advantages to this:
990         -No more conversion churn for Floating Point registers.
991         -Most of the functions can now be shared between GP and FP.
992         -A bit of clean up since the core algorithm only deals with integers now.
993
994         This patch also changes the index type to be a template argument.
995         That will allow future specialization of "m_interferenceEdges" based
996         on the expected problem size.
997
998         Finally, the code related to the program modification (register assignment
999         and spilling) was moved to the wrapper "IteratedRegisterCoalescing".
1000
1001         The current split is:
1002         -AbstractColoringAllocator: common core. Share as much as possible between
1003          GP and FP.
1004         -ColoringAllocator: the remaining parts of the algorithm, everything that
1005          is specific to GP, FP.
1006         -IteratedRegisterCoalescing: the "iterated" part of the algorithm.
1007          Try to allocate and modify the code as needed.
1008
1009         The long term plan is:
1010         -Move selectSpill() and the coloring loop to AbstractColoringAllocator.
1011         -Specialize m_interferenceEdges to make it faster.
1012
1013         * b3/air/AirIteratedRegisterCoalescing.cpp:
1014         * b3/air/AirTmpInlines.h:
1015         (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::lastMachineRegisterIndex):
1016         (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::lastMachineRegisterIndex):
1017
1018 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1019
1020         [JSC] FTLB3Output generates some invalid ZExt32
1021         https://bugs.webkit.org/show_bug.cgi?id=151905
1022
1023         Reviewed by Filip Pizlo.
1024
1025         FTLLowerDFGToLLVM calls zeroExt() to int32 in some cases.
1026         We were generating ZExt32 with Int32 as return type :(
1027
1028         * ftl/FTLB3Output.h:
1029         (JSC::FTL::Output::zeroExt):
1030
1031 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1032
1033         [JSC] Add EqualOrUnordered to B3
1034         https://bugs.webkit.org/show_bug.cgi?id=152425
1035
1036         Reviewed by Mark Lam.
1037
1038         Add EqualOrUnordered to B3 and use it to implement
1039         FTL::Output's NotEqualAndOrdered.
1040
1041         * b3/B3ConstDoubleValue.cpp:
1042         (JSC::B3::ConstDoubleValue::equalOrUnordered):
1043         * b3/B3ConstDoubleValue.h:
1044         * b3/B3LowerToAir.cpp:
1045         (JSC::B3::Air::LowerToAir::createGenericCompare):
1046         (JSC::B3::Air::LowerToAir::lower):
1047         * b3/B3Opcode.cpp:
1048         (WTF::printInternal):
1049         * b3/B3Opcode.h:
1050         * b3/B3ReduceDoubleToFloat.cpp:
1051         (JSC::B3::reduceDoubleToFloat):
1052         * b3/B3ReduceStrength.cpp:
1053         * b3/B3Validate.cpp:
1054         * b3/B3Value.cpp:
1055         (JSC::B3::Value::equalOrUnordered):
1056         (JSC::B3::Value::returnsBool):
1057         (JSC::B3::Value::effects):
1058         (JSC::B3::Value::key):
1059         (JSC::B3::Value::typeFor):
1060         * b3/B3Value.h:
1061         * b3/testb3.cpp:
1062         (JSC::B3::testBranchEqualOrUnorderedArgs):
1063         (JSC::B3::testBranchNotEqualAndOrderedArgs):
1064         (JSC::B3::testBranchEqualOrUnorderedDoubleArgImm):
1065         (JSC::B3::testBranchEqualOrUnorderedFloatArgImm):
1066         (JSC::B3::testBranchEqualOrUnorderedDoubleImms):
1067         (JSC::B3::testBranchEqualOrUnorderedFloatImms):
1068         (JSC::B3::testBranchEqualOrUnorderedFloatWithUselessDoubleConversion):
1069         (JSC::B3::run):
1070         * ftl/FTLB3Output.h:
1071         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1072         (JSC::FTL::Output::doubleNotEqual): Deleted.
1073         * ftl/FTLLowerDFGToLLVM.cpp:
1074         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1075         * ftl/FTLOutput.h:
1076         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1077         (JSC::FTL::Output::doubleNotEqual): Deleted.
1078
1079 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1080
1081         [JSC] B3: Add indexed addressing when lowering BitwiseCast
1082         https://bugs.webkit.org/show_bug.cgi?id=152432
1083
1084         Reviewed by Geoffrey Garen.
1085
1086         The MacroAssembler supports it, we should use it.
1087
1088         * b3/air/AirOpcode.opcodes:
1089         * b3/testb3.cpp:
1090         (JSC::B3::testBitwiseCastOnDoubleInMemoryIndexed):
1091         (JSC::B3::testBitwiseCastOnInt64InMemoryIndexed):
1092
1093 2015-12-18  Andreas Kling  <akling@apple.com>
1094
1095         Make JSString::SafeView less of a footgun.
1096         <https://webkit.org/b/152376>
1097
1098         Reviewed by Darin Adler.
1099
1100         Remove the "operator StringView()" convenience helper on JSString::SafeString since that
1101         made it possible to casually turn the return value from JSString::view() into an unsafe
1102         StringView local on the stack with this pattern:
1103
1104             StringView view = someJSValue.toString(exec)->view(exec);
1105
1106         The JSString* returned by toString() above will go out of scope by the end of the statement
1107         and does not stick around to protect itself from garbage collection.
1108
1109         It will now look like this instead:
1110
1111             JSString::SafeView view = someJSValue.toString(exec)->view(exec);
1112
1113         To be extra clear, the following is not safe:
1114
1115             StringView view = someJSValue.toString(exec)->view(exec).get();
1116
1117         By the end of that statement, the JSString::SafeView goes out of scope, and the JSString*
1118         is no longer protected from GC.
1119
1120         I added a couple of forwarding helpers to the SafeView class, and if you need a StringView
1121         object from it, you can call .get() just like before.
1122
1123         Finally I also removed the JSString::SafeView() constructor, since nobody was instantiating
1124         empty SafeView objects anyway. This way we don't have to worry about null members.
1125
1126         * runtime/ArrayPrototype.cpp:
1127         (JSC::arrayProtoFuncJoin):
1128         * runtime/FunctionConstructor.cpp:
1129         (JSC::constructFunctionSkippingEvalEnabledCheck):
1130         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1131         (JSC::genericTypedArrayViewProtoFuncJoin):
1132         * runtime/JSGlobalObjectFunctions.cpp:
1133         (JSC::decode):
1134         (JSC::globalFuncParseInt):
1135         (JSC::globalFuncParseFloat):
1136         (JSC::globalFuncEscape):
1137         (JSC::globalFuncUnescape):
1138         * runtime/JSONObject.cpp:
1139         (JSC::JSONProtoFuncParse):
1140         * runtime/JSString.cpp:
1141         (JSC::JSString::getPrimitiveNumber):
1142         (JSC::JSString::toNumber):
1143         * runtime/JSString.h:
1144         (JSC::JSString::SafeView::is8Bit):
1145         (JSC::JSString::SafeView::length):
1146         (JSC::JSString::SafeView::characters8):
1147         (JSC::JSString::SafeView::characters16):
1148         (JSC::JSString::SafeView::operator[]):
1149         (JSC::JSString::SafeView::SafeView):
1150         (JSC::JSString::SafeView::get):
1151         (JSC::JSString::SafeView::operator StringView): Deleted.
1152         * runtime/StringPrototype.cpp:
1153         (JSC::stringProtoFuncCharAt):
1154         (JSC::stringProtoFuncCharCodeAt):
1155         (JSC::stringProtoFuncIndexOf):
1156         (JSC::stringProtoFuncNormalize):
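
As an added illustration of the lifetime rule in the entry above, not code from JavaScriptCore: a protecting view type that keeps its backing object alive for as long as the view itself lives, with the non-owning view available only through get(). The GCString, SafeView, Tracker and toString names are constructed for this example; reference counting via std::shared_ptr stands in for the real garbage collector, and a std::weak_ptr is used to observe whether the object is still reachable after each statement.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <string_view>

class GCString;

// Constructed model of JSString::SafeView (hypothetical, not JSC's class).
// Holding a SafeView keeps the backing string alive; there is deliberately no
// implicit conversion to std::string_view, so a caller has to write get().
class SafeView {
public:
    explicit SafeView(std::shared_ptr<const GCString> owner);
    std::string_view get() const;   // non-owning view, valid only while *this lives
    std::size_t length() const;     // forwarding helper, like the ones the entry adds
private:
    std::shared_ptr<const GCString> m_owner;
};

// Stands in for a GC-managed JSString cell.
class GCString : public std::enable_shared_from_this<GCString> {
public:
    explicit GCString(std::string s) : m_contents(std::move(s)) {}
    // Like JSString::view(): the returned SafeView protects this cell.
    SafeView view() const { return SafeView(shared_from_this()); }
    const std::string& contents() const { return m_contents; }
private:
    std::string m_contents;
};

SafeView::SafeView(std::shared_ptr<const GCString> owner) : m_owner(std::move(owner)) {}
std::string_view SafeView::get() const { return m_owner->contents(); }
std::size_t SafeView::length() const { return m_owner->contents().size(); }

// Observes reachability of the most recently created string without owning it.
struct Tracker {
    std::weak_ptr<GCString> ref;
    bool alive() const { return !ref.expired(); }
};

// Stands in for someJSValue.toString(exec): the caller receives a temporary
// handle that is the only thing keeping the cell alive during the statement.
static std::shared_ptr<GCString> toString(Tracker& tracker, const char* text) {
    auto cell = std::make_shared<GCString>(text);
    tracker.ref = cell;
    return cell;
}

// The safe pattern from the entry: keep the SafeView, not a bare view.
// The temporary handle dies at the end of the declaration, but the SafeView
// holds its own reference, so the string stays reachable and readable.
static bool safeViewKeepsStringAlive() {
    Tracker tracker;
    SafeView view = toString(tracker, "hello")->view();
    return tracker.alive() && view.get() == "hello" && view.length() == 5;
}

// The unsafe pattern from the entry: calling get() on a temporary SafeView.
// Once the statement ends the SafeView is gone, nothing protects the string,
// and the std::string_view points at freed memory (it is not read here).
static bool viewFromTemporaryDangles() {
    Tracker tracker;
    std::string_view dangling = toString(tracker, "hello")->view().get();
    (void)dangling;
    return !tracker.alive();
}

int main() {
    return (safeViewKeepsStringAlive() && viewFromTemporaryDangles()) ? 0 : 1;
}
```

Removing the conversion operator is what turns the second pattern from a silent dangling reference into a compile error when someone writes the one-liner with a plain view type on the left-hand side; the only remaining way to get a bare view is an explicit get() on a SafeView that the caller has chosen to keep alive.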
1157
1158 2015-12-18  Saam barati  <sbarati@apple.com>
1159
1160         BytecodeGenerator::pushLexicalScopeInternal and pushLexicalScope should use enums instead of bools
1161         https://bugs.webkit.org/show_bug.cgi?id=152450
1162
1163         Reviewed by Geoffrey Garen and Joseph Pecoraro.
1164
1165         This makes comprehending the call sites of these functions
1166         easier without looking up the header of the function.
1167
1168         * bytecompiler/BytecodeGenerator.cpp:
1169         (JSC::BytecodeGenerator::BytecodeGenerator):
1170         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1171         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1172         (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
1173         (JSC::BytecodeGenerator::pushLexicalScope):
1174         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1175         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1176         (JSC::BytecodeGenerator::emitPushCatchScope):
1177         * bytecompiler/BytecodeGenerator.h:
1178         (JSC::BytecodeGenerator::lastOpcodeID):
1179         * bytecompiler/NodesCodegen.cpp:
1180         (JSC::BlockNode::emitBytecode):
1181         (JSC::ForNode::emitBytecode):
1182         (JSC::ForInNode::emitMultiLoopBytecode):
1183         (JSC::ForOfNode::emitBytecode):
1184         (JSC::SwitchNode::emitBytecode):
1185         (JSC::ClassExprNode::emitBytecode):
1186
1187 2015-12-18  Michael Catanzaro  <mcatanzaro@igalia.com>
1188
1189         Avoid triggering clang's -Wundefined-bool-conversion
1190         https://bugs.webkit.org/show_bug.cgi?id=152408
1191
1192         Reviewed by Mark Lam.
1193
1194         Add ASSERT_THIS_GC_OBJECT_LOOKS_VALID and ASSERT_THIS_GC_OBJECT_INHERITS to avoid use of
1195         ASSERT(this) by ASSERT_GC_OBJECT_LOOKS_VALID and ASSERT_GC_OBJECT_INHERITS.
1196
1197         * heap/GCAssertions.h:
1198
1199 2015-12-18  Mark Lam  <mark.lam@apple.com>
1200
1201         Replace SpecialFastCase profiles with ResultProfiles.
1202         https://bugs.webkit.org/show_bug.cgi?id=152433
1203
1204         Reviewed by Saam Barati.
1205
1206         This is in preparation for upcoming work to enhance the DFG predictions to deal
1207         with untyped operands.
1208
1209         This patch also enhances some of the arithmetic slow paths (for the LLINT and
1210         baseline JIT) to collect result profiling info.  This profiling info is not put
1211         to use yet. 
1212
1213         * CMakeLists.txt:
1214         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1215         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1216         * JavaScriptCore.xcodeproj/project.pbxproj:
1217         * bytecode/CodeBlock.cpp:
1218         (JSC::CodeBlock::dumpRareCaseProfile):
1219         (JSC::CodeBlock::dumpResultProfile):
1220         (JSC::CodeBlock::printLocationAndOp):
1221         (JSC::CodeBlock::dumpBytecode):
1222         (JSC::CodeBlock::shrinkToFit):
1223         (JSC::CodeBlock::dumpValueProfiles):
1224         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
1225         (JSC::CodeBlock::resultProfileForBytecodeOffset):
1226         (JSC::CodeBlock::updateResultProfileForBytecodeOffset):
1227         (JSC::CodeBlock::capabilityLevel):
1228         * bytecode/CodeBlock.h:
1229         (JSC::CodeBlock::couldTakeSlowCase):
1230         (JSC::CodeBlock::addResultProfile):
1231         (JSC::CodeBlock::numberOfResultProfiles):
1232         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
1233         (JSC::CodeBlock::couldTakeSpecialFastCase):
1234         (JSC::CodeBlock::addSpecialFastCaseProfile): Deleted.
1235         (JSC::CodeBlock::numberOfSpecialFastCaseProfiles): Deleted.
1236         (JSC::CodeBlock::specialFastCaseProfile): Deleted.
1237         (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset): Deleted.
1238         * bytecode/ValueProfile.cpp: Added.
1239         (WTF::printInternal):
1240         * bytecode/ValueProfile.h:
1241         (JSC::getRareCaseProfileBytecodeOffset):
1242         (JSC::ResultProfile::ResultProfile):
1243         (JSC::ResultProfile::bytecodeOffset):
1244         (JSC::ResultProfile::specialFastPathCount):
1245         (JSC::ResultProfile::didObserveNonInt32):
1246         (JSC::ResultProfile::didObserveDouble):
1247         (JSC::ResultProfile::didObserveNonNegZeroDouble):
1248         (JSC::ResultProfile::didObserveNegZeroDouble):
1249         (JSC::ResultProfile::didObserveNonNumber):
1250         (JSC::ResultProfile::didObserveInt32Overflow):
1251         (JSC::ResultProfile::setObservedNonNegZeroDouble):
1252         (JSC::ResultProfile::setObservedNegZeroDouble):
1253         (JSC::ResultProfile::setObservedNonNumber):
1254         (JSC::ResultProfile::setObservedInt32Overflow):
1255         (JSC::ResultProfile::addressOfFlags):
1256         (JSC::ResultProfile::addressOfSpecialFastPathCount):
1257         (JSC::ResultProfile::hasBits):
1258         (JSC::ResultProfile::setBit):
1259         (JSC::getResultProfileBytecodeOffset):
1260         * jit/JITArithmetic.cpp:
1261         (JSC::JIT::emit_op_div):
1262         (JSC::JIT::emit_op_mul):
1263         * jit/JITDivGenerator.cpp:
1264         (JSC::JITDivGenerator::generateFastPath):
1265         * jit/JITDivGenerator.h:
1266         (JSC::JITDivGenerator::JITDivGenerator):
1267         * jit/JITMulGenerator.cpp:
1268         (JSC::JITMulGenerator::generateFastPath):
1269         * jit/JITMulGenerator.h:
1270         (JSC::JITMulGenerator::JITMulGenerator):
1271         * runtime/CommonSlowPaths.cpp:
1272         (JSC::SLOW_PATH_DECL):
1273
1274 2015-12-18  Keith Miller  <keith_miller@apple.com>
1275
1276         verboseDFGByteCodeParsing option should show the bytecode it is parsing.
1277         https://bugs.webkit.org/show_bug.cgi?id=152434
1278
1279         Reviewed by Michael Saboff.
1280
1281         * dfg/DFGByteCodeParser.cpp:
1282         (JSC::DFG::ByteCodeParser::parseBlock):
1283
1284 2015-12-18  Csaba Osztrogonác  <ossy@webkit.org>
1285
1286         [ARM] Add the missing setupArgumentsWithExecState functions after r193974
1287         https://bugs.webkit.org/show_bug.cgi?id=152214
1288
1289         Reviewed by Mark Lam.
1290
1291         Relanding r194007 after r194248.
1292
1293         * jit/CCallHelpers.h:
1294         (JSC::CCallHelpers::setupArgumentsWithExecState):
1295
1296 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
1297
1298         Web Inspector: Remove "local" scope type from the protocol
1299         https://bugs.webkit.org/show_bug.cgi?id=152409
1300
1301         Reviewed by Timothy Hatcher.
1302
1303         After r194251 the backend no longer sends this scope type.
1304         So remove it from the protocol.
1305
1306         The concept of a Local Scope should be calculable by the
1307         frontend. In fact the way the backend used to do this could
1308         easily be done by the frontend. To be done in a follow-up.
1309
1310         * inspector/InjectedScriptSource.js:
1311         * inspector/JSJavaScriptCallFrame.h:
1312         * inspector/protocol/Debugger.json:
1313
1314 2015-12-17  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1315
1316         [INTL] Implement Collator Compare Functions
1317         https://bugs.webkit.org/show_bug.cgi?id=147604
1318
1319         Reviewed by Darin Adler.
1320
1321         This patch implements Intl.Collator.prototype.compare() according
1322         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
1323
1324         * runtime/IntlCollator.cpp:
1325         (JSC::IntlCollator::~IntlCollator):
1326         (JSC::sortLocaleData):
1327         (JSC::searchLocaleData):
1328         (JSC::IntlCollator::initializeCollator):
1329         (JSC::IntlCollator::createCollator):
1330         (JSC::IntlCollator::compareStrings):
1331         (JSC::IntlCollator::usageString):
1332         (JSC::IntlCollator::sensitivityString):
1333         (JSC::IntlCollator::resolvedOptions):
1334         (JSC::IntlCollator::setBoundCompare):
1335         (JSC::IntlCollatorFuncCompare): Deleted.
1336         * runtime/IntlCollator.h:
1337         (JSC::IntlCollator::usage): Deleted.
1338         (JSC::IntlCollator::setUsage): Deleted.
1339         (JSC::IntlCollator::locale): Deleted.
1340         (JSC::IntlCollator::setLocale): Deleted.
1341         (JSC::IntlCollator::collation): Deleted.
1342         (JSC::IntlCollator::setCollation): Deleted.
1343         (JSC::IntlCollator::numeric): Deleted.
1344         (JSC::IntlCollator::setNumeric): Deleted.
1345         (JSC::IntlCollator::sensitivity): Deleted.
1346         (JSC::IntlCollator::setSensitivity): Deleted.
1347         (JSC::IntlCollator::ignorePunctuation): Deleted.
1348         (JSC::IntlCollator::setIgnorePunctuation): Deleted.
1349         * runtime/IntlCollatorConstructor.cpp:
1350         (JSC::constructIntlCollator):
1351         (JSC::callIntlCollator):
1352         (JSC::sortLocaleData): Deleted.
1353         (JSC::searchLocaleData): Deleted.
1354         (JSC::initializeCollator): Deleted.
1355         * runtime/IntlCollatorPrototype.cpp:
1356         (JSC::IntlCollatorFuncCompare):
1357         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1358         * runtime/IntlObject.cpp:
1359         (JSC::defaultLocale):
1360         (JSC::convertICULocaleToBCP47LanguageTag):
1361         (JSC::intlStringOption):
1362         (JSC::resolveLocale):
1363         (JSC::supportedLocales):
1364         * runtime/IntlObject.h:
1365         * runtime/JSGlobalObject.cpp:
1366         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
1367         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
1368         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
1369
1370 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
1371
1372         Provide a way to distinguish a nested lexical block from a function's lexical block
1373         https://bugs.webkit.org/show_bug.cgi?id=152361
1374
1375         Reviewed by Saam Barati.
1376
1377         * bytecompiler/BytecodeGenerator.h:
1378         * bytecompiler/BytecodeGenerator.cpp:
1379         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1380         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1381         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
1382         (JSC::BytecodeGenerator::emitPushCatchScope):
1383         Each of these is a specialized scope. They are not nested lexical scopes.
1384         
1385         (JSC::BytecodeGenerator::pushLexicalScope):
1386         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1387         Include an extra parameter to mark the SymbolTable as a nested lexical or not.
1388
1389         * bytecompiler/NodesCodegen.cpp:
1390         (JSC::BlockNode::emitBytecode):
1391         (JSC::ForNode::emitBytecode):
1392         (JSC::ForInNode::emitMultiLoopBytecode):
1393         (JSC::ForOfNode::emitBytecode):
1394         (JSC::SwitchNode::emitBytecode):
1395         (JSC::ClassExprNode::emitBytecode):
1396         Each of these is a case of a non-function nested lexical scope.
1397         So mark the SymbolTable as nested.
1398
1399         * inspector/protocol/Debugger.json:
1400         * inspector/InjectedScriptSource.js:
1401         Include a new scope type.
1402
1403         * inspector/JSJavaScriptCallFrame.h:
1404         * inspector/JSJavaScriptCallFrame.cpp:
1405         (Inspector::JSJavaScriptCallFrame::scopeType):
1406         Use the new "NestedLexical" scope type for nested, non-function,
1407         lexical scopes. The Inspector can use this to better describe
1408         this scope in the frontend.
1409
1410         * debugger/DebuggerScope.cpp:
1411         (JSC::DebuggerScope::isNestedLexicalScope):
1412         * debugger/DebuggerScope.h:
1413         * runtime/JSScope.cpp:
1414         (JSC::JSScope::isNestedLexicalScope):
1415         * runtime/JSScope.h:
1416         * runtime/SymbolTable.cpp:
1417         (JSC::SymbolTable::SymbolTable):
1418         (JSC::SymbolTable::cloneScopePart):
1419         * runtime/SymbolTable.h:
1420         Access the isNestedLexicalScope bit.
1421
1422 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
1423
1424         Unreviewed EFL Build Fix after r194247.
1425
1426         * interpreter/CallFrame.cpp:
1427         (JSC::CallFrame::friendlyFunctionName):
1428         Handle compilers that don't realize the switch handles all cases.
1429
1430 2015-12-17  Keith Miller  <keith_miller@apple.com>
1431
1432         [ES6] Add support for Symbol.hasInstance
1433         https://bugs.webkit.org/show_bug.cgi?id=151839
1434
1435         Reviewed by Saam Barati.
1436
1437         Fixed version of r193986, r193983, and r193974.
1438
1439         This patch adds support for Symbol.hasInstance, unfortunately in order to prevent
1440         regressions several new bytecodes and DFG IR nodes were necessary. Before Symbol.hasInstance,
1441         when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
1442         then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
1443         new ones. First the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
1444         a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
1445         needs non-default behavior for resolving the expression, i.e. the constructor has a Symbol.hasInstance that differs from the one on
1446         Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
1447         we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. instanceof_custom just
1448         emits a call to slow path code that computes the result.
1449
1450         In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
1451         OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
1452         it into a CheckTypeInfoFlags followed by a JSConstant.
1453
1454         * API/JSCallbackObject.h:
1455         * builtins/FunctionPrototype.js:
1456         (symbolHasInstance):
1457         * bytecode/BytecodeBasicBlock.cpp:
1458         (JSC::isBranch): Deleted.
1459         * bytecode/BytecodeList.json:
1460         * bytecode/BytecodeUseDef.h:
1461         (JSC::computeUsesForBytecodeOffset):
1462         (JSC::computeDefsForBytecodeOffset):
1463         * bytecode/CodeBlock.cpp:
1464         (JSC::CodeBlock::dumpBytecode):
1465         * bytecode/ExitKind.cpp:
1466         (JSC::exitKindToString):
1467         * bytecode/ExitKind.h:
1468         * bytecode/PreciseJumpTargets.cpp:
1469         (JSC::getJumpTargetsForBytecodeOffset): Deleted.
1470         * bytecompiler/BytecodeGenerator.cpp:
1471         (JSC::BytecodeGenerator::emitOverridesHasInstance):
1472         (JSC::BytecodeGenerator::emitInstanceOfCustom):
1473         (JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
1474         * bytecompiler/BytecodeGenerator.h:
1475         * bytecompiler/NodesCodegen.cpp:
1476         (JSC::InstanceOfNode::emitBytecode):
1477         * dfg/DFGAbstractInterpreterInlines.h:
1478         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1479         * dfg/DFGByteCodeParser.cpp:
1480         (JSC::DFG::ByteCodeParser::parseBlock):
1481         * dfg/DFGCapabilities.cpp:
1482         (JSC::DFG::capabilityLevel):
1483         * dfg/DFGClobberize.h:
1484         (JSC::DFG::clobberize):
1485         * dfg/DFGDoesGC.cpp:
1486         (JSC::DFG::doesGC):
1487         * dfg/DFGFixupPhase.cpp:
1488         (JSC::DFG::FixupPhase::fixupNode):
1489         * dfg/DFGHeapLocation.cpp:
1490         (WTF::printInternal):
1491         * dfg/DFGHeapLocation.h:
1492         * dfg/DFGNode.h:
1493         (JSC::DFG::Node::hasCellOperand):
1494         (JSC::DFG::Node::hasTypeInfoOperand):
1495         (JSC::DFG::Node::typeInfoOperand):
1496         * dfg/DFGNodeType.h:
1497         * dfg/DFGPredictionPropagationPhase.cpp:
1498         (JSC::DFG::PredictionPropagationPhase::propagate):
1499         * dfg/DFGSafeToExecute.h:
1500         (JSC::DFG::safeToExecute):
1501         * dfg/DFGSpeculativeJIT.cpp:
1502         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
1503         (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
1504         * dfg/DFGSpeculativeJIT.h:
1505         (JSC::DFG::SpeculativeJIT::callOperation):
1506         * dfg/DFGSpeculativeJIT32_64.cpp:
1507         (JSC::DFG::SpeculativeJIT::compile):
1508         * dfg/DFGSpeculativeJIT64.cpp:
1509         (JSC::DFG::SpeculativeJIT::compile):
1510         * ftl/FTLCapabilities.cpp:
1511         (JSC::FTL::canCompile):
1512         * ftl/FTLIntrinsicRepository.h:
1513         * ftl/FTLLowerDFGToLLVM.cpp:
1514         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1515         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
1516         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
1517         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
1518         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
1519         * jit/JIT.cpp:
1520         (JSC::JIT::privateCompileMainPass):
1521         (JSC::JIT::privateCompileSlowCases):
1522         * jit/JIT.h:
1523         * jit/JITInlines.h:
1524         (JSC::JIT::callOperation):
1525         * jit/JITOpcodes.cpp:
1526         (JSC::JIT::emit_op_overrides_has_instance):
1527         (JSC::JIT::emit_op_instanceof):
1528         (JSC::JIT::emit_op_instanceof_custom):
1529         (JSC::JIT::emitSlow_op_instanceof):
1530         (JSC::JIT::emitSlow_op_instanceof_custom):
1531         (JSC::JIT::emit_op_check_has_instance): Deleted.
1532         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
1533         * jit/JITOpcodes32_64.cpp:
1534         (JSC::JIT::emit_op_overrides_has_instance):
1535         (JSC::JIT::emit_op_instanceof):
1536         (JSC::JIT::emit_op_instanceof_custom):
1537         (JSC::JIT::emitSlow_op_instanceof_custom):
1538         (JSC::JIT::emit_op_check_has_instance): Deleted.
1539         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
1540         * jit/JITOperations.cpp:
1541         * jit/JITOperations.h:
1542         * llint/LLIntData.cpp:
1543         (JSC::LLInt::Data::performAssertions):
1544         * llint/LLIntSlowPaths.cpp:
1545         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1546         * llint/LLIntSlowPaths.h:
1547         * llint/LowLevelInterpreter32_64.asm:
1548         * llint/LowLevelInterpreter64.asm:
1549         * runtime/CommonIdentifiers.h:
1550         * runtime/ExceptionHelpers.cpp:
1551         (JSC::invalidParameterInstanceofSourceAppender):
1552         (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
1553         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
1554         (JSC::createInvalidInstanceofParameterErrorNotFunction):
1555         (JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
1556         (JSC::createInvalidInstanceofParameterError): Deleted.
1557         * runtime/ExceptionHelpers.h:
1558         * runtime/FunctionPrototype.cpp:
1559         (JSC::FunctionPrototype::addFunctionProperties):
1560         * runtime/FunctionPrototype.h:
1561         * runtime/JSBoundFunction.cpp:
1562         (JSC::isBoundFunction):
1563         (JSC::hasInstanceBoundFunction):
1564         * runtime/JSBoundFunction.h:
1565         * runtime/JSGlobalObject.cpp:
1566         (JSC::JSGlobalObject::init):
1567         (JSC::JSGlobalObject::visitChildren):
1568         * runtime/JSGlobalObject.h:
1569         (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
1570         * runtime/JSObject.cpp:
1571         (JSC::JSObject::hasInstance):
1572         (JSC::objectPrivateFuncInstanceOf):
1573         * runtime/JSObject.h:
1574         * runtime/JSTypeInfo.h:
1575         (JSC::TypeInfo::TypeInfo):
1576         (JSC::TypeInfo::overridesHasInstance):
1577         * runtime/WriteBarrier.h:
1578         (JSC::WriteBarrierBase<Unknown>::slot):
1579         * tests/es6.yaml:
1580         * tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
1581         (Constructor):
1582         (value):
1583         (instanceOf):
1584         (body):
1585         * tests/stress/symbol-hasInstance.js: Added.
1586         (Constructor):
1587         (value):
1588         (ObjectClass.Symbol.hasInstance):
1589         (NumberClass.Symbol.hasInstance):
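
Added here as a worked example (not JSC source and not part of this ChangeLog entry): a script-level model of the ES6 InstanceofOperator that the instanceof_custom slow path has to compute, next to the check that overrides_has_instance is described as performing. The class names and the comparison helper are constructed for illustration; the only outside fact relied on is that the language spec defines Function.prototype[Symbol.hasInstance] as non-writable and non-configurable.

```javascript
// Added example (not JSC code): a JavaScript-level model of the ES6 InstanceofOperator,
// i.e. the algorithm the instanceof_custom slow path computes when a constructor
// carries a Symbol.hasInstance that differs from the default, compared against the
// engine's native `instanceof`.

// OrdinaryHasInstance(C, O): the default behaviour that Function.prototype[Symbol.hasInstance]
// performs: walk O's prototype chain looking for C.prototype. (A native bound function would
// forward to its bound target instead; that internal slot is not reachable from script, so
// bound functions are deliberately not modelled here.)
function ordinaryHasInstance(C, O) {
  if (typeof C !== "function") return false;
  if (O === null || (typeof O !== "object" && typeof O !== "function")) return false;
  const P = C.prototype;
  if (P === null || (typeof P !== "object" && typeof P !== "function")) {
    throw new TypeError("C.prototype is not an object");
  }
  let proto = Object.getPrototypeOf(O);
  while (proto !== null) {
    if (proto === P) return true;
    proto = Object.getPrototypeOf(proto);
  }
  return false;
}

// InstanceofOperator(V, target): consult target[Symbol.hasInstance] first; only when it is
// undefined/null fall back to the ordinary prototype-chain check.
function instanceofOperator(V, target) {
  if (target === null || (typeof target !== "object" && typeof target !== "function")) {
    throw new TypeError("Right-hand side of 'instanceof' is not an object");
  }
  const instOfHandler = target[Symbol.hasInstance];
  if (instOfHandler !== undefined && instOfHandler !== null) {
    if (typeof instOfHandler !== "function") {
      throw new TypeError("Symbol.hasInstance value is not a function");
    }
    return Boolean(instOfHandler.call(target, V));
  }
  if (typeof target !== "function") {
    throw new TypeError("Right-hand side of 'instanceof' is not callable");
  }
  return ordinaryHasInstance(target, V);
}

// Does `ctor` need the non-default path? This mirrors the question overrides_has_instance
// answers: is the constructor's Symbol.hasInstance something other than the shared default?
function overridesHasInstance(ctor) {
  return ctor[Symbol.hasInstance] !== Function.prototype[Symbol.hasInstance];
}

// Constructed sample classes. EvenNumber accepts primitive numbers, which the default
// prototype-chain walk can never do.
class Plain {}
class EvenNumber {
  static [Symbol.hasInstance](v) { return typeof v === "number" && v % 2 === 0; }
}

// Run the model and native `instanceof` over the same (value, constructor) pairs.
// Returns rows of {label, model, native, overrides} so a caller can check they agree.
function compareWithNative() {
  const cases = [
    ["new Plain() vs Plain", new Plain(), Plain],
    ["{} vs Plain", {}, Plain],
    ["primitive 7 vs Plain", 7, Plain],
    ["4 vs EvenNumber", 4, EvenNumber],
    ["5 vs EvenNumber", 5, EvenNumber],
    ["Plain vs Function", Plain, Function],
  ];
  return cases.map(([label, v, C]) => ({
    label,
    model: instanceofOperator(v, C),
    native: v instanceof C,
    overrides: overridesHasInstance(C),
  }));
}

// The default handler is non-writable and non-configurable, so it cannot be swapped out
// for every function at once; an override has to live on the individual constructor, which
// is exactly what overrides_has_instance looks for.
function defaultHandlerIsLocked() {
  const d = Object.getOwnPropertyDescriptor(Function.prototype, Symbol.hasInstance);
  return d !== undefined && d.writable === false && d.configurable === false;
}
```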
1590
1591 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
1592
1593         Web Inspector: Improve names in Debugger Call Stack section when paused
1594         https://bugs.webkit.org/show_bug.cgi?id=152398
1595
1596         Reviewed by Brian Burg.
1597
1598         * debugger/DebuggerCallFrame.cpp:
1599         (JSC::DebuggerCallFrame::functionName):
1600         Provide a better name from the underlying CallFrame.
1601
1602         * inspector/InjectedScriptSource.js:
1603         (InjectedScript.CallFrameProxy):
1604         Just call functionName; it will provide a better-than-nothing
1605         function name.
1606
1607         * runtime/JSFunction.cpp:
1608         (JSC::getCalculatedDisplayName):
1609         Use emptyString().
1610
1611         * interpreter/CallFrame.h:
1612         * interpreter/CallFrame.cpp:
1613         (JSC::CallFrame::friendlyFunctionName):
1614         This is the third similar implementation of this,
1615         but all other cases use other "StackFrame" objects.
1616         Use the expected names for program code.
1617
1618 2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>
1619
1620         Web Inspector: Add JSContext Script Profiling
1621         https://bugs.webkit.org/show_bug.cgi?id=151899
1622
1623         Reviewed by Brian Burg.
1624
1625         Extend JSC::Debugger to include a profiling client interface
1626         that the Inspector can implement to be told about script execution
1627         entry and exit points. Add new profiledCall/Evaluate/Construct
1628         methods that are entry points that will notify the profiling
1629         client if it exists.
1630
1631         By putting the profiling client on Debugger it avoids having
1632         special code paths for a JSGlobalObject being JSContext inspected
1633         or a JSGlobalObject in a Page being Web inspected. In either case
1634         the JSGlobalObject can go through its debugger() which always
1635         reaches the correct inspector instance.
1636
1637         * CMakeLists.txt:
1638         * DerivedSources.make:
1639         * JavaScriptCore.xcodeproj/project.pbxproj:
1640         Handle new files.
1641
1642         * runtime/CallData.cpp:
1643         (JSC::profiledCall):
1644         * runtime/CallData.h:
1645         * runtime/Completion.cpp:
1646         (JSC::profiledEvaluate):
1647         * runtime/Completion.h:
1648         (JSC::profiledEvaluate):
1649         * runtime/ConstructData.cpp:
1650         (JSC::profiledConstruct):
1651         * runtime/ConstructData.h:
1652         (JSC::profiledConstruct):
1653         Create profiled versions of interpreter entry points. If a profiler client is
1654         available, this will automatically inform it of entry/exit. Include a reason
1655         why this is being profiled. Currently all reasons in JavaScriptCore are enumerated
1656         (API, Microtask) and Other is to be used by WebCore or future clients.
1657
1658         * debugger/ScriptProfilingScope.h: Added.
1659         (JSC::ScriptProfilingScope::ScriptProfilingScope):
1660         (JSC::ScriptProfilingScope::~ScriptProfilingScope):
1661         (JSC::ScriptProfilingScope::shouldStartProfile):
1662         (JSC::ScriptProfilingScope::shouldEndProfile):
1663         At profiled entry points inform the profiling client if needed.
1664
1665         * API/JSBase.cpp:
1666         (JSEvaluateScript):
1667         * API/JSObjectRef.cpp:
1668         (JSObjectCallAsFunction):
1669         (JSObjectCallAsConstructor):
1670         * runtime/JSJob.cpp:
1671         (JSC::JSJobMicrotask::run):
1672         Use the profiled functions for API and Microtask execution entry points.
1673
1674         * runtime/JSGlobalObject.cpp:
1675         (JSC::JSGlobalObject::hasProfiler):
1676         * runtime/JSGlobalObject.h:
1677         (JSC::JSGlobalObject::hasProfiler):
1678         Extend hasProfiler to also check the new Debugger script profiler.
1679
1680         * debugger/Debugger.cpp:
1681         (JSC::Debugger::setProfilingClient):
1682         (JSC::Debugger::willEvaluateScript):
1683         (JSC::Debugger::didEvaluateScript):
1684         * debugger/Debugger.h:
1685         Pass through to the profiling client.
1686
1687         * inspector/protocol/ScriptProfiler.json: Added.
1688         * inspector/agents/InspectorScriptProfilerAgent.cpp: Added.
1689         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
1690         (Inspector::InspectorScriptProfilerAgent::~InspectorScriptProfilerAgent):
1691         (Inspector::InspectorScriptProfilerAgent::didCreateFrontendAndBackend):
1692         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
1693         (Inspector::InspectorScriptProfilerAgent::startTracking):
1694         (Inspector::InspectorScriptProfilerAgent::stopTracking):
1695         (Inspector::InspectorScriptProfilerAgent::isAlreadyProfiling):
1696         (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
1697         (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
1698         (Inspector::toProtocol):
1699         (Inspector::InspectorScriptProfilerAgent::addEvent):
1700         (Inspector::buildAggregateCallInfoInspectorObject):
1701         (Inspector::buildInspectorObject):
1702         (Inspector::buildProfileInspectorObject):
1703         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
1704         * inspector/agents/InspectorScriptProfilerAgent.h: Added.
1705         New ScriptProfiler domain to just turn on / off script profiling.
1706         It introduces a start/update/complete event model which we want
1707         to include in new domains.
1708
1709         * inspector/InspectorEnvironment.h:
1710         * inspector/InjectedScriptBase.cpp:
1711         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
1712         Simplify this now that we want it to be the same for all clients.
1713
1714         * inspector/JSGlobalObjectInspectorController.h:
1715         * inspector/JSGlobalObjectInspectorController.cpp:
1716         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1717         Create the new agent.
1718
1719         * inspector/InspectorProtocolTypes.h:
1720         (Inspector::Protocol::Array::addItem):
1721         Allow pushing a double onto a Protocol::Array.
1722
1723 2015-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1724
1725         [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
1726         https://bugs.webkit.org/show_bug.cgi?id=152227
1727
1728         Reviewed by Saam Barati.
1729
1730         This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
1731         We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
1732         The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.
1733
1734         Instead of extending NewFunction / PhantomNewFunction, we just added new DFG nodes, NewGeneratorFunction and PhantomNewGeneratorFunction.
1735         This is because NewGeneratorFunction will generate an object that has different class info from JSFunction (and if JSGeneratorFunction is extended, its size will become different from JSFunction's).
1736         So, rather than extending NewFunction with generator flag, just adding new DFG nodes seems cleaner.
1737
1738         Object allocation sinking phase will change NewGeneratorFunction to PhantomNewGeneratorFunction and defer or eliminate its actual materialization.
1739         It is completely the same as NewFunction and PhantomNewFunction.
1740         And when an OSR exit occurs, we need to execute the deferred NewGeneratorFunction since the Baseline JIT does not consider it.
1741         So in the FTL operation, we should create a JSGeneratorFunction if we see a PhantomNewGeneratorFunction materialization.
1742
1743         * dfg/DFGAbstractInterpreterInlines.h:
1744         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1745         * dfg/DFGByteCodeParser.cpp:
1746         (JSC::DFG::ByteCodeParser::parseBlock):
1747         * dfg/DFGCapabilities.cpp:
1748         (JSC::DFG::capabilityLevel):
1749         * dfg/DFGClobberize.h:
1750         (JSC::DFG::clobberize):
1751         * dfg/DFGClobbersExitState.cpp:
1752         (JSC::DFG::clobbersExitState):
1753         * dfg/DFGDoesGC.cpp:
1754         (JSC::DFG::doesGC):
1755         * dfg/DFGFixupPhase.cpp:
1756         (JSC::DFG::FixupPhase::fixupNode):
1757         * dfg/DFGMayExit.cpp:
1758         (JSC::DFG::mayExit):
1759         * dfg/DFGNode.h:
1760         (JSC::DFG::Node::convertToPhantomNewFunction):
1761         (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
1762         (JSC::DFG::Node::hasCellOperand):
1763         (JSC::DFG::Node::isFunctionAllocation):
1764         (JSC::DFG::Node::isPhantomFunctionAllocation):
1765         (JSC::DFG::Node::isPhantomAllocation):
1766         * dfg/DFGNodeType.h:
1767         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1768         * dfg/DFGPredictionPropagationPhase.cpp:
1769         (JSC::DFG::PredictionPropagationPhase::propagate):
1770         * dfg/DFGSafeToExecute.h:
1771         (JSC::DFG::safeToExecute):
1772         * dfg/DFGSpeculativeJIT.cpp:
1773         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1774         * dfg/DFGSpeculativeJIT32_64.cpp:
1775         (JSC::DFG::SpeculativeJIT::compile):
1776         * dfg/DFGSpeculativeJIT64.cpp:
1777         (JSC::DFG::SpeculativeJIT::compile):
1778         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1779         * dfg/DFGStructureRegistrationPhase.cpp:
1780         (JSC::DFG::StructureRegistrationPhase::run):
1781         * dfg/DFGValidate.cpp:
1782         (JSC::DFG::Validate::validateCPS):
1783         (JSC::DFG::Validate::validateSSA):
1784         * ftl/FTLCapabilities.cpp:
1785         (JSC::FTL::canCompile):
1786         * ftl/FTLLowerDFGToLLVM.cpp:
1787         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1788         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
1789         * ftl/FTLOperations.cpp:
1790         (JSC::FTL::operationPopulateObjectInOSR):
1791         (JSC::FTL::operationMaterializeObjectInOSR):
1792         * tests/stress/generator-function-create-optimized.js: Added.
1793         (shouldBe):
1794         (g):
1795         (test.return.gen):
1796         (test):
1797         (test2.gen):
1798         (test2):
1799         * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
1800         (shouldBe):
1801         (GeneratorFunctionPrototype):
1802         (call):
1803         (f):
1804         (sink):
1805         * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
1806         (shouldBe):
1807         (GeneratorFunctionPrototype):
1808         (g):
1809         (f):
1810         (sink):
1811         * tests/stress/generator-function-declaration-sinking-put.js: Added.
1812         (shouldBe):
1813         (GeneratorFunctionPrototype):
1814         (g):
1815         (f):
1816         (sink):
1817         * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
1818         (shouldBe):
1819         (GeneratorFunctionPrototype):
1820         (call):
1821         (f):
1822         (sink):
1823         * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
1824         (shouldBe):
1825         (GeneratorFunctionPrototype):
1826         (g):
1827         (sink):
1828         * tests/stress/generator-function-expression-sinking-put.js: Added.
1829         (shouldBe):
1830         (GeneratorFunctionPrototype):
1831         (g):
1832         (sink):
1833
1834 2015-12-16  Michael Saboff  <msaboff@apple.com>
1835
1836         ARM64 MacroAssembler improperly reuses data temp register in test32() and test8() calls
1837         https://bugs.webkit.org/show_bug.cgi?id=152370
1838
1839         Reviewed by Benjamin Poulain.
1840
1841         Changed the test8/32(Address, Register) flavors to use the memoryTempRegister for loading the value
1842         at Address so that it doesn't collide with the subsequent use of dataTempRegister by the
1843         test32(Register, Register) function.
1844
1845         * assembler/MacroAssemblerARM64.h:
1846         (JSC::MacroAssemblerARM64::test32):
1847         (JSC::MacroAssemblerARM64::test8):
1848
1849 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
1850
1851         FTL B3 should support switches
1852         https://bugs.webkit.org/show_bug.cgi?id=152360
1853
1854         Reviewed by Geoffrey Garen.
1855
1856         I implemented this because I was hoping it would let us run V8/crypto, but instead it just led
1857         me to file a fun bug: https://bugs.webkit.org/show_bug.cgi?id=152365.
1858
1859         * ftl/FTLB3Output.h:
1860         (JSC::FTL::Output::check):
1861         (JSC::FTL::Output::switchInstruction):
1862         (JSC::FTL::Output::ret):
1863         * ftl/FTLLowerDFGToLLVM.cpp:
1864         (JSC::FTL::DFG::ftlUnreachable):
1865         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
1866
1867 2015-12-16  Alex Christensen  <achristensen@webkit.org>
1868
1869         Fix internal Windows build
1870         https://bugs.webkit.org/show_bug.cgi?id=152364
1871
1872         Reviewed by Tim Horton.
1873
1874         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1875
1876 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
1877
1878         Improve JSObject::put performance
1879         https://bugs.webkit.org/show_bug.cgi?id=152347
1880
1881         Reviewed by Geoffrey Garen.
1882
1883         This adds a new benchmark called dynbench, which just uses the C++ API to create, modify, and
1884         query objects. This also adds some optimizations to make the JSObject::put code faster by making
1885         it inlinable in places that really need the performance, like JITOperations and LLIntSlowPaths.
1886         Inlining it is optional because the put() method is large. If you want it inlined, call
1887         putInline(). There's a putInline() variant of both JSObject::put() and JSValue::put().
1888
1889         This is up to a 20% improvement for JSObject::put calls that get inlined all the way (like from
1890         JITOperations and the new benchmark) and it's also a speed-up, albeit a smaller one, for
1891         JSObject::put calls that don't get inlined (i.e. those from the DOM and the JSC C++ library code).
1892         Specific speed-ups are as follows. Note that "dynamic context" means that we told PutPropertySlot
1893         that we're not a static put_by_id, which turns off some type inference.
1894
1895         Get By Id: 2% faster
1896         Put By Id Replace: 23% faster
1897         Put By Id Transition + object allocation: 11% faster
1898         Get By Id w/ dynamic context: 5% faster
1899         Put By Id Replace w/ dynamic context: 25% faster
1900         Put By Id Transition + object allocation w/ dynamic context: 10% faster
1901
1902         * JavaScriptCore.xcodeproj/project.pbxproj:
1903         * dynbench.cpp: Added.
1904         (JSC::benchmarkImpl):
1905         (main):
1906         * jit/CallFrameShuffler32_64.cpp:
1907         * jit/CallFrameShuffler64.cpp:
1908         * jit/JITOperations.cpp:
1909         * llint/LLIntSlowPaths.cpp:
1910         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1911         * runtime/ClassInfo.h:
1912         (JSC::ClassInfo::hasStaticProperties):
1913         * runtime/ConsoleClient.cpp:
1914         * runtime/CustomGetterSetter.h:
1915         * runtime/ErrorInstance.cpp:
1916         (JSC::ErrorInstance::finishCreation):
1917         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
1918         * runtime/GetterSetter.h:
1919         (JSC::asGetterSetter):
1920         * runtime/JSCInlines.h:
1921         * runtime/JSCJSValue.h:
1922         * runtime/JSCJSValueInlines.h:
1923         (JSC::JSValue::put):
1924         (JSC::JSValue::putInternal):
1925         (JSC::JSValue::putByIndex):
1926         * runtime/JSObject.cpp:
1927         (JSC::JSObject::put):
1928         (JSC::JSObject::putByIndex):
1929         * runtime/JSObject.h:
1930         (JSC::JSObject::getVectorLength):
1931         (JSC::JSObject::inlineGetOwnPropertySlot):
1932         (JSC::JSObject::get):
1933         (JSC::JSObject::putDirectInternal):
1934
1935 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
1936
1937         Work around a bug in LLVM by flipping the unification order
1938         https://bugs.webkit.org/show_bug.cgi?id=152341
1939         rdar://problem/23920749
1940
1941         Reviewed by Mark Lam.
1942
1943         * dfg/DFGUnificationPhase.cpp:
1944         (JSC::DFG::UnificationPhase::run):
1945
1946 2015-12-16  Saam barati  <sbarati@apple.com>
1947
1948         Add "explicit operator bool" to ScratchRegisterAllocator::PreservedState
1949         https://bugs.webkit.org/show_bug.cgi?id=152337
1950
1951         Reviewed by Mark Lam.
1952
1953         If we have a default constructor, we should also have a way
1954         to tell if a PreservedState is invalid.
1955
1956         * jit/ScratchRegisterAllocator.cpp:
1957         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
1958         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
1959         * jit/ScratchRegisterAllocator.h:
1960         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
1961         (JSC::ScratchRegisterAllocator::PreservedState::operator bool):
1962
1963 2015-12-16  Caitlin Potter  <caitp@igalia.com>
1964
1965         [JSC] fix error message for eval/arguments CoverInitializedName in strict code
1966         https://bugs.webkit.org/show_bug.cgi?id=152304
1967
1968         Reviewed by Darin Adler.
1969
1970         Because the error was originally classified as indicating a Pattern, the
1971         error in AssignmentPattern parsing causes the reported message to revert to
1972         the original Expression error message, which in this case is incorrect.
1973
1974         This change modifies the implementation of the strict code
1975         error slightly, and reclassifies the error to prevent the message revert,
1976         which improves the clarity of the message overall.
1977
1978         * parser/Parser.cpp:
1979         (JSC::Parser<LexerType>::parseAssignmentElement):
1980         (JSC::Parser<LexerType>::parseDestructuringPattern):
1981         * parser/Parser.h:
1982         (JSC::Parser::ExpressionErrorClassifier::reclassifyExpressionError):
1983         (JSC::Parser::reclassifyExpressionError):
1984         * tests/stress/destructuring-assignment-syntax.js:
1985
1986 2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>
1987
1988         Builtin source should be minified more
1989         https://bugs.webkit.org/show_bug.cgi?id=152290
1990
1991         Reviewed by Darin Adler.
1992
1993         * Scripts/builtins/builtins_model.py:
1994         (BuiltinFunction.fromString):
1995         Remove primarily empty lines that would just introduce clutter.
1996         We only do the minification in non-Debug configurations, which
1997         is determined by the CONFIGURATION environment variable. You can
1998         see how tests would generate differently, like so:
1999         shell> CONFIGURATION=Release ./Tools/Scripts/run-builtins-generator-tests
2000
2001 2015-12-16  Commit Queue  <commit-queue@webkit.org>
2002
2003         Unreviewed, rolling out r194135.
2004         https://bugs.webkit.org/show_bug.cgi?id=152333
2005
2006         due to missing OSR exit materialization support in FTL
2007         (Requested by yusukesuzuki on #webkit).
2008
2009         Reverted changeset:
2010
2011         "[ES6] Handle new_generator_func / new_generator_func_exp in
2012         DFG / FTL"
2013         https://bugs.webkit.org/show_bug.cgi?id=152227
2014         http://trac.webkit.org/changeset/194135
2015
2016 2015-12-16  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2017
2018         [Fetch API] Add fetch API compile time flag
2019         https://bugs.webkit.org/show_bug.cgi?id=152254
2020
2021         Reviewed by Darin Adler.
2022
2023         * Configurations/FeatureDefines.xcconfig:
2024
2025 2015-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2026
2027         [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
2028         https://bugs.webkit.org/show_bug.cgi?id=152227
2029
2030         Reviewed by Saam Barati.
2031
2032         This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
2033         We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
2034         The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.
2035
2036         * dfg/DFGAbstractInterpreterInlines.h:
2037         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2038         * dfg/DFGByteCodeParser.cpp:
2039         (JSC::DFG::ByteCodeParser::parseBlock):
2040         * dfg/DFGCapabilities.cpp:
2041         (JSC::DFG::capabilityLevel):
2042         * dfg/DFGClobberize.h:
2043         (JSC::DFG::clobberize):
2044         * dfg/DFGClobbersExitState.cpp:
2045         (JSC::DFG::clobbersExitState):
2046         * dfg/DFGDoesGC.cpp:
2047         (JSC::DFG::doesGC):
2048         * dfg/DFGFixupPhase.cpp:
2049         (JSC::DFG::FixupPhase::fixupNode):
2050         * dfg/DFGMayExit.cpp:
2051         (JSC::DFG::mayExit):
2052         * dfg/DFGNode.h:
2053         (JSC::DFG::Node::convertToPhantomNewFunction):
2054         (JSC::DFG::Node::hasCellOperand):
2055         (JSC::DFG::Node::isFunctionAllocation):
2056         * dfg/DFGNodeType.h:
2057         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2058         * dfg/DFGPredictionPropagationPhase.cpp:
2059         (JSC::DFG::PredictionPropagationPhase::propagate):
2060         * dfg/DFGSafeToExecute.h:
2061         (JSC::DFG::safeToExecute):
2062         * dfg/DFGSpeculativeJIT.cpp:
2063         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2064         * dfg/DFGSpeculativeJIT32_64.cpp:
2065         (JSC::DFG::SpeculativeJIT::compile):
2066         * dfg/DFGSpeculativeJIT64.cpp:
2067         (JSC::DFG::SpeculativeJIT::compile):
2068         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2069         * dfg/DFGStructureRegistrationPhase.cpp:
2070         (JSC::DFG::StructureRegistrationPhase::run):
2071         * ftl/FTLCapabilities.cpp:
2072         (JSC::FTL::canCompile):
2073         * ftl/FTLLowerDFGToLLVM.cpp:
2074         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2075         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2076         * tests/stress/generator-function-create-optimized.js: Added.
2077         (shouldBe):
2078         (g):
2079         (test.return.gen):
2080         (test):
2081         (test2.gen):
2082         (test2):
2083         * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
2084         (shouldBe):
2085         (GeneratorFunctionPrototype):
2086         (call):
2087         (f):
2088         (sink):
2089         * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
2090         (shouldBe):
2091         (GeneratorFunctionPrototype):
2092         (g):
2093         (f):
2094         (sink):
2095         * tests/stress/generator-function-declaration-sinking-put.js: Added.
2096         (shouldBe):
2097         (GeneratorFunctionPrototype):
2098         (g):
2099         (f):
2100         (sink):
2101         * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
2102         (shouldBe):
2103         (GeneratorFunctionPrototype):
2104         (call):
2105         (f):
2106         (sink):
2107         * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
2108         (shouldBe):
2109         (GeneratorFunctionPrototype):
2110         (g):
2111         (sink):
2112         * tests/stress/generator-function-expression-sinking-put.js: Added.
2113         (shouldBe):
2114         (GeneratorFunctionPrototype):
2115         (g):
2116         (sink):
2117
2118 2015-12-15  Mark Lam  <mark.lam@apple.com>
2119
2120         Gardening: fix broken 32-bit JSC tests.  Just need to assign a scratch register.
2121         https://bugs.webkit.org/show_bug.cgi?id=152191 
2122
2123         Not reviewed.
2124
2125         * jit/JITArithmetic.cpp:
2126         (JSC::JIT::emitBitBinaryOpFastPath):
2127
2128 2015-12-15  Mark Lam  <mark.lam@apple.com>
2129
2130         Introducing ScratchRegisterAllocator::PreservedState.
2131         https://bugs.webkit.org/show_bug.cgi?id=152315
2132
2133         Reviewed by Geoffrey Garen.
2134
2135         restoreReusedRegistersByPopping() should always be called with 2 values that
2136         match the expectation of preserveReusedRegistersByPushing().  Those 2 values
2137         are the number of bytes preserved and the ExtraStackSpace requirement.  By
2138         encapsulating them in a ScratchRegisterAllocator::PreservedState, we can make
2139         it less error-prone when calling restoreReusedRegistersByPopping().  Now, we only
2140         need to pass it the appropriate PreservedState that its matching
2141         preserveReusedRegistersByPushing() returned.
2142
2143         * bytecode/PolymorphicAccess.cpp:
2144         (JSC::AccessGenerationState::restoreScratch):
2145         (JSC::AccessCase::generate):
2146         (JSC::PolymorphicAccess::regenerate):
2147         * bytecode/PolymorphicAccess.h:
2148         (JSC::AccessGenerationState::AccessGenerationState):
2149         * ftl/FTLCompileBinaryOp.cpp:
2150         (JSC::FTL::generateBinaryBitOpFastPath):
2151         (JSC::FTL::generateRightShiftFastPath):
2152         (JSC::FTL::generateBinaryArithOpFastPath):
2153         * ftl/FTLLazySlowPath.cpp:
2154         (JSC::FTL::LazySlowPath::generate):
2155         * ftl/FTLLowerDFGToLLVM.cpp:
2156         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
2157         * jit/ScratchRegisterAllocator.cpp:
2158         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
2159         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
2160         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2161         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2162         * jit/ScratchRegisterAllocator.h:
2163         (JSC::ScratchRegisterAllocator::usedRegisters):
2164         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
2165
2166 2015-12-15  Mark Lam  <mark.lam@apple.com>
2167
2168         Polymorphic operand types for DFG and FTL bit operators.
2169         https://bugs.webkit.org/show_bug.cgi?id=152191
2170
2171         Reviewed by Saam Barati.
2172
2173         * bytecode/SpeculatedType.h:
2174         (JSC::isUntypedSpeculationForBitOps):
2175         * dfg/DFGAbstractInterpreterInlines.h:
2176         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2177         * dfg/DFGNode.h:
2178         (JSC::DFG::Node::shouldSpeculateUntypedForBitOps):
2179         - Added a check for types that are not supported by ValueToInt32 and therefore
2180           should be treated as untyped for bitops.
2181
2182         * dfg/DFGClobberize.h:
2183         (JSC::DFG::clobberize):
2184         * dfg/DFGFixupPhase.cpp:
2185         (JSC::DFG::FixupPhase::fixupNode):
2186         - Handled untyped operands.
2187
2188         * dfg/DFGOperations.cpp:
2189         * dfg/DFGOperations.h:
2190         - Added DFG slow path functions for bitops.
2191
2192         * dfg/DFGSpeculativeJIT.cpp:
2193         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
2194         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
2195         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
2196         (JSC::DFG::SpeculativeJIT::compileShiftOp):
2197         * dfg/DFGSpeculativeJIT.h:
2198         - Added DFG backend support for untyped operands for bitops.
2199
2200         * dfg/DFGStrengthReductionPhase.cpp:
2201         (JSC::DFG::StrengthReductionPhase::handleNode):
2202         - Limit bitop strength reduction to cases where we don't have untyped operands.
2203           This is because values that are not int32s need to be converted to int32.
2204           Without untyped operands, the ValueToInt32 node takes care of this.
2205           With untyped operands, we cannot use ValueToInt32, and need to do the conversion
2206           in the code emitted for the bitop node itself.  For example:
2207
2208               5.5 | 0; // yields 5 because ValueToInt32 converts the 5.5 to a 5.
2209               "abc" | 0; // would yield "abc" instead of the expected 0 if we let
2210                          // strength reduction do its thing.
2211
2212         * ftl/FTLCompileBinaryOp.cpp:
2213         (JSC::FTL::generateBinaryBitOpFastPath):
2214         (JSC::FTL::generateRightShiftFastPath):
2215         (JSC::FTL::generateBinaryOpFastPath):
2216
2217         * ftl/FTLInlineCacheDescriptor.h:
2218         (JSC::FTL::BitAndDescriptor::BitAndDescriptor):
2219         (JSC::FTL::BitAndDescriptor::icSize):
2220         (JSC::FTL::BitAndDescriptor::nodeType):
2221         (JSC::FTL::BitAndDescriptor::opName):
2222         (JSC::FTL::BitAndDescriptor::slowPathFunction):
2223         (JSC::FTL::BitAndDescriptor::nonNumberSlowPathFunction):
2224         (JSC::FTL::BitOrDescriptor::BitOrDescriptor):
2225         (JSC::FTL::BitOrDescriptor::icSize):
2226         (JSC::FTL::BitOrDescriptor::nodeType):
2227         (JSC::FTL::BitOrDescriptor::opName):
2228         (JSC::FTL::BitOrDescriptor::slowPathFunction):
2229         (JSC::FTL::BitOrDescriptor::nonNumberSlowPathFunction):
2230         (JSC::FTL::BitXorDescriptor::BitXorDescriptor):
2231         (JSC::FTL::BitXorDescriptor::icSize):
2232         (JSC::FTL::BitXorDescriptor::nodeType):
2233         (JSC::FTL::BitXorDescriptor::opName):
2234         (JSC::FTL::BitXorDescriptor::slowPathFunction):
2235         (JSC::FTL::BitXorDescriptor::nonNumberSlowPathFunction):
2236         (JSC::FTL::BitLShiftDescriptor::BitLShiftDescriptor):
2237         (JSC::FTL::BitLShiftDescriptor::icSize):
2238         (JSC::FTL::BitLShiftDescriptor::nodeType):
2239         (JSC::FTL::BitLShiftDescriptor::opName):
2240         (JSC::FTL::BitLShiftDescriptor::slowPathFunction):
2241         (JSC::FTL::BitLShiftDescriptor::nonNumberSlowPathFunction):
2242         (JSC::FTL::BitRShiftDescriptor::BitRShiftDescriptor):
2243         (JSC::FTL::BitRShiftDescriptor::icSize):
2244         (JSC::FTL::BitRShiftDescriptor::nodeType):
2245         (JSC::FTL::BitRShiftDescriptor::opName):
2246         (JSC::FTL::BitRShiftDescriptor::slowPathFunction):
2247         (JSC::FTL::BitRShiftDescriptor::nonNumberSlowPathFunction):
2248         (JSC::FTL::BitURShiftDescriptor::BitURShiftDescriptor):
2249         (JSC::FTL::BitURShiftDescriptor::icSize):
2250         (JSC::FTL::BitURShiftDescriptor::nodeType):
2251         (JSC::FTL::BitURShiftDescriptor::opName):
2252         (JSC::FTL::BitURShiftDescriptor::slowPathFunction):
2253         (JSC::FTL::BitURShiftDescriptor::nonNumberSlowPathFunction):
2254         - Added support for bitop ICs.
2255
2256         * ftl/FTLInlineCacheSize.cpp:
2257         (JSC::FTL::sizeOfBitAnd):
2258         (JSC::FTL::sizeOfBitOr):
2259         (JSC::FTL::sizeOfBitXor):
2260         (JSC::FTL::sizeOfBitLShift):
2261         (JSC::FTL::sizeOfBitRShift):
2262         (JSC::FTL::sizeOfBitURShift):
2263         * ftl/FTLInlineCacheSize.h:
2264         - Added new bitop IC sizes.  These are just estimates for now that work adequately,
2265           and are shown to not impact performance on benchmarks.  We will re-tune these
2266           size values later in another patch once all snippet ICs have been added.
2267
2268         * ftl/FTLLowerDFGToLLVM.cpp:
2269         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2270         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2271         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2272         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2273         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2274         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2275         - Added support for bitop ICs.
2276
2277         * jit/JITLeftShiftGenerator.cpp:
2278         (JSC::JITLeftShiftGenerator::generateFastPath):
2279         * jit/JITLeftShiftGenerator.h:
2280         (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
2281         * jit/JITRightShiftGenerator.cpp:
2282         (JSC::JITRightShiftGenerator::generateFastPath):
2283         - The shift MASM operations need to ensure that the shiftAmount is not in the same
2284           register as the destination register.  With the baseline JIT and DFG, this is
2285           ensured in how we allocate these registers, and hence, the bug does not manifest.
2286           With the FTL, these registers are not guaranteed to be unique.  Hence, we need
2287           to fix the shift op snippet code to compensate for this.
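
The conversion that makes the `"abc" | 0` case above matter, as an added example (not JavaScriptCore code): a reference implementation of ECMAScript ToInt32 in JavaScript, a BitOr on untyped operands built on it, and the int32-only condition under which `x | 0` may be strength-reduced to `x`. The helper names are mine.

```javascript
// Added example, not JavaScriptCore code. Reference ToInt32 (ECMA-262 7.1.6):
// ToNumber, map NaN/±Infinity/±0 to 0, truncate toward zero, reduce modulo 2^32,
// then reinterpret the residue as a signed 32-bit integer.
function toInt32(value) {
  const number = Number(value);            // ToNumber handles strings, booleans, null, ...
  if (!Number.isFinite(number) || number === 0) return 0;
  const truncated = Math.trunc(number);
  const modulo = ((truncated % 2 ** 32) + 2 ** 32) % 2 ** 32; // non-negative residue
  return modulo >= 2 ** 31 ? modulo - 2 ** 32 : modulo;
}

// Reference semantics of a BitOr node whose operands are "untyped": both sides
// are converted first, then the 32-bit OR is applied. This is the conversion
// that the ValueToInt32 node would otherwise have performed.
function bitOrUntyped(left, right) {
  return toInt32(left) | toInt32(right);
}

// A value is an int32 exactly when ToInt32 leaves it unchanged. -0 is excluded
// because an int32 cannot represent it, even though 0 === -0 in JavaScript.
function isInt32(value) {
  return typeof value === 'number' && toInt32(value) === value && !Object.is(value, -0);
}

// The identity "x | 0 -> x" is sound only for int32 operands; for anything else
// the conversion must stay in the code emitted for the bitop itself.
function strengthReduceBitOrZero(value) {
  return isInt32(value) ? value : bitOrUntyped(value, 0);
}

// Constructed sample operands paired with the result ToInt32 must produce.
const samples = [
  [5.5, 5], ['abc', 0], [2 ** 32 + 7, 7], [-1.9, -1], [2 ** 31, -(2 ** 31)],
  [NaN, 0], [Infinity, 0], ['0x10', 16], [true, 1], [null, 0], [undefined, 0],
];

// Cross-checks the reference conversion against the engine's own "| 0".
function checkAgainstEngine() {
  return samples.every(([input, expected]) =>
    toInt32(input) === expected && (input | 0) === expected);
}
```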
2288
2289 2015-12-15  Caitlin Potter  <caitp@igalia.com>
2290
2291         [JSC] SyntaxError if AssignmentElement is `eval` or `arguments` in strict code
2292         https://bugs.webkit.org/show_bug.cgi?id=152302
2293
2294         Reviewed by Mark Lam.
2295
2296         `eval` and `arguments` must not be assigned to in strict code. This
2297         change fixes `language/expressions/assignment/destructuring/obj-id-simple-strict.js`
2298         in Test262, as well as a variety of other similar tests.
2299
2300         * parser/Parser.cpp:
2301         (JSC::Parser<LexerType>::parseAssignmentElement):
2302         (JSC::Parser<LexerType>::parseDestructuringPattern):
2303         * tests/stress/destructuring-assignment-syntax.js:
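
A conformance probe for the early error this entry describes, as an added example (not JavaScriptCore's test code): it compiles each assignment form with the Function constructor, so the parser runs without executing anything, and reports whether `eval` or `arguments` as an assignment target is rejected in strict code but accepted in sloppy code. The form templates and helper names are mine.

```javascript
// Added example, not JavaScriptCore code. Returns true when the engine rejects
// `source` with a SyntaxError at parse time (the Function constructor parses
// the body but does not run it).
function rejectsAtParseTime(source) {
  try {
    new Function(source);
    return false;
  } catch (error) {
    if (error instanceof SyntaxError) return true;
    throw error; // any other error means the probe itself is broken
  }
}

// Constructed test matrix: a plain left-hand side plus the destructuring
// AssignmentElement positions the ChangeLog's fix covers.
const forms = {
  simple: '{name} = 1;',
  arrayElement: '[{name}] = [1];',
  objectElement: '({ a: {name} } = { a: 1 });',
  nestedElement: '[{ b: [{name}] }] = [{ b: [1] }];',
};

// Probes every form with `name` as the target, under a strict or sloppy prologue.
function probe(name, strict) {
  const prologue = strict ? '"use strict"; ' : '';
  const results = {};
  for (const [form, template] of Object.entries(forms))
    results[form] = rejectsAtParseTime(prologue + template.replace('{name}', name));
  return results;
}

// Expected: every form is rejected for `eval` and `arguments` in strict code;
// none is rejected in sloppy code, nor for an ordinary identifier in strict code.
function allRejected(results) { return Object.values(results).every(Boolean); }
function noneRejected(results) { return Object.values(results).every((r) => !r); }
```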
2304
2305 2015-12-15  Csaba Osztrogonác  <ossy@webkit.org>
2306
2307         URTBF after 194062.
2308
2309         * assembler/MacroAssemblerARM.h:
2310         (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Added.
2311         (JSC::MacroAssemblerARM::ceilDouble): Added.
2312
2313 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2314
2315         FTL B3 should account for localsOffset
2316         https://bugs.webkit.org/show_bug.cgi?id=152288
2317
2318         Reviewed by Saam Barati.
2319
2320         The DFG will build up some data structures that expect to know about offsets from FP. Those data
2321         structures may slide by some offset when the low-level compiler (either LLVM or B3) does stack
2322         allocation. So, the LLVM FTL modifies those data structures based on the real offset that it gets
2323         from LLVM's stackmaps. The B3 code needs to do the same.
2324
2325         I had previously vowed to never put more stuff into FTLB3Compile.cpp, because I didn't want it to
2326         look like FTLCompile.cpp. Up until now, I was successful because I used lambdas installed by
2327         FTLLower. But in this case, I actually think that having code that just does this explicitly in
2328         FTLB3Compile.cpp is least confusing. There is no particular place in FTLLower that would want to
2329         care about this, and we need to ensure that we do this fixup before we run any of the stackmap
2330         generators. In other words, it needs to happen before we call B3::generate(). The ordering
2331         constraints seem like a good reason to have this done explicitly rather than through lambdas.
2332
2333         I wrote a test. The test was failing in trunk because the B3 meaning of anchor().value() is
2334         different from the LLVM meaning. This caused breakage when we used this idiom:
2335
2336             ValueFromBlock foo = m_out.anchor(things);
2337             ...(foo.value()) // we were expecting that foo.value() == things
2338
2339         I never liked this idiom to begin with, so instead of trying to change B3's anchor(), I changed
2340         the idiom to:
2341
2342             LValue fooValue = things;
2343             ValueFromBlock foo = m_out.anchor(fooValue);
2344             ...(fooValue)
2345
2346         This is probably a good idea, since eventually we want B3's anchor() to just return the
2347         UpsilonValue*. To get there, we want to eliminate any situations where code assumes that
2348         ValueFromBlock is an actual object and not just a typedef for a pointer.
2349
2350         * ftl/FTLB3Compile.cpp:
2351         (JSC::FTL::compile):
2352         * ftl/FTLB3Output.cpp:
2353         (JSC::FTL::Output::appendTo):
2354         (JSC::FTL::Output::lockedStackSlot):
2355         * ftl/FTLB3Output.h:
2356         (JSC::FTL::Output::framePointer):
2357         (JSC::FTL::Output::constBool):
2358         (JSC::FTL::Output::constInt32):
2359         * ftl/FTLLowerDFGToLLVM.cpp:
2360         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2361         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2362         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
2363         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
2364         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringCharAt):
2365         (JSC::FTL::DFG::LowerDFGToLLVM::compileForwardVarargs):
2366         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty):
2367         (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
2368         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
2369         * ftl/FTLState.h:
2370         (JSC::FTL::verboseCompilationEnabled):
2371         * tests/stress/ftl-function-dot-arguments-with-callee-saves.js: Added.
2372
2373 2015-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2374
2375         Math.random should have an intrinsic thunk and it should be later handled as a DFG Node
2376         https://bugs.webkit.org/show_bug.cgi?id=152133
2377
2378         Reviewed by Geoffrey Garen.
2379
2380         In this patch, we implement a new RandomIntrinsic. It emits machine code to generate random numbers efficiently.
2381         And later it will be recognized by DFG and converted to ArithRandom node.
2382         It provides type information SpecDoubleReal since Math.random only generates a number within [0, 1.0).
2383
2384         Currently, only the 64-bit version is supported. On 32-bit environments, ArithRandom will be converted to callOperation.
2385         While it emits a function call, the ArithRandom node on 32-bit still represents SpecDoubleReal as a result type.
2386
2387         * dfg/DFGAbstractHeap.h:
2388         * dfg/DFGAbstractInterpreterInlines.h:
2389         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2390         * dfg/DFGByteCodeParser.cpp:
2391         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2392         * dfg/DFGClobberize.h:
2393         (JSC::DFG::clobberize):
2394         * dfg/DFGDoesGC.cpp:
2395         (JSC::DFG::doesGC):
2396         * dfg/DFGFixupPhase.cpp:
2397         (JSC::DFG::FixupPhase::fixupNode):
2398         * dfg/DFGNodeType.h:
2399         * dfg/DFGOperations.cpp:
2400         * dfg/DFGOperations.h:
2401         * dfg/DFGPredictionPropagationPhase.cpp:
2402         (JSC::DFG::PredictionPropagationPhase::propagate):
2403         * dfg/DFGSafeToExecute.h:
2404         (JSC::DFG::safeToExecute):
2405         * dfg/DFGSpeculativeJIT.h:
2406         (JSC::DFG::SpeculativeJIT::callOperation):
2407         * dfg/DFGSpeculativeJIT32_64.cpp:
2408         (JSC::DFG::SpeculativeJIT::compile):
2409         (JSC::DFG::SpeculativeJIT::compileArithRandom):
2410         * dfg/DFGSpeculativeJIT64.cpp:
2411         (JSC::DFG::SpeculativeJIT::compile):
2412         (JSC::DFG::SpeculativeJIT::compileArithRandom):
2413         * ftl/FTLCapabilities.cpp:
2414         (JSC::FTL::canCompile):
2415         * ftl/FTLLowerDFGToLLVM.cpp:
2416         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2417         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRandom):
2418         * jit/AssemblyHelpers.cpp:
2419         (JSC::emitRandomThunkImpl):
2420         (JSC::AssemblyHelpers::emitRandomThunk):
2421         * jit/AssemblyHelpers.h:
2422         * jit/JITOperations.h:
2423         * jit/ThunkGenerators.cpp:
2424         (JSC::randomThunkGenerator):
2425         * jit/ThunkGenerators.h:
2426         * runtime/Intrinsic.h:
2427         * runtime/JSGlobalObject.h:
2428         (JSC::JSGlobalObject::weakRandomOffset):
2429         * runtime/MathObject.cpp:
2430         (JSC::MathObject::finishCreation):
2431         * runtime/VM.cpp:
2432         (JSC::thunkGeneratorForIntrinsic):
2433         * tests/stress/random-53bit.js: Added.
2434         (test):
2435         * tests/stress/random-in-range.js: Added.
2436         (test):
2437
2438 2015-12-14  Benjamin Poulain  <benjamin@webkit.org>
2439
2440         Rename FTL::Output's ceil64() to doubleCeil()
2441
2442         Rubber-stamped by Filip Pizlo.
2443
2444         ceil64() was a bad name; that's the naming convention we use for integers.
2445
2446         * ftl/FTLB3Output.h:
2447         (JSC::FTL::Output::doubleCeil):
2448         (JSC::FTL::Output::ceil64): Deleted.
2449         * ftl/FTLLowerDFGToLLVM.cpp:
2450         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRound):
2451
2452 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2453
2454         FTL B3 should be able to run n-body.js
2455         https://bugs.webkit.org/show_bug.cgi?id=152281
2456
2457         Reviewed by Benjamin Poulain.
2458
2459         Fix a bug where m_captured was pointing to the start of the captured vars slot rather than the
2460         end, like the rest of the FTL expected.
2461
2462         * ftl/FTLLowerDFGToLLVM.cpp:
2463         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2464
2465 2015-12-14  Benjamin Poulain  <bpoulain@apple.com>
2466
2467         Fix bad copy-paste in r194062
2468
2469         * ftl/FTLB3Output.h:
2470         (JSC::FTL::Output::ceil64):
2471
2472 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2473
2474         Unreviewed, fix cloop build.
2475
2476         * jit/GPRInfo.cpp:
2477
2478 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2479
2480         FTL B3 should do PutById
2481         https://bugs.webkit.org/show_bug.cgi?id=152268
2482
2483         Reviewed by Saam Barati.
2484
2485         * CMakeLists.txt:
2486         * JavaScriptCore.xcodeproj/project.pbxproj:
2487         * b3/B3LowerToAir.cpp:
2488         (JSC::B3::Air::LowerToAir::createGenericCompare): I realized that we were missing some useful matching rules.
2489         * b3/testb3.cpp: Added a bunch of tests.
2490         * ftl/FTLLowerDFGToLLVM.cpp:
2491         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById): Do the things.
2492         * jit/GPRInfo.cpp: Added. I had to do this yucky thing because clang was having issues compiling references to this from deeply nested lambdas.
2493         * jit/GPRInfo.h: Added a comment about how patchpointScratchRegister is bizarre and should probably die.
2494
2495 2015-12-14  Benjamin Poulain  <bpoulain@apple.com>
2496
2497         [JSC] Add ceil() support for x86 and expose it to B3
2498         https://bugs.webkit.org/show_bug.cgi?id=152231
2499
2500         Reviewed by Geoffrey Garen.
2501
2502         Most x86 CPUs we care about support ceil() natively
2503         with the round instruction.
2504
2505         This patch exposes that behind a runtime flag, uses it
2506         in the Math.ceil() thunk and exposes it to B3.
2507
2508         * assembler/MacroAssemblerARM64.h:
2509         (JSC::MacroAssemblerARM64::supportsFloatingPointCeil):
2510         * assembler/MacroAssemblerARMv7.h:
2511         (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil):
2512         * assembler/MacroAssemblerMIPS.h:
2513         (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil):
2514         * assembler/MacroAssemblerSH4.h:
2515         (JSC::MacroAssemblerSH4::supportsFloatingPointCeil):
2516         * assembler/MacroAssemblerX86Common.cpp:
2517         * assembler/MacroAssemblerX86Common.h:
2518         (JSC::MacroAssemblerX86Common::ceilDouble):
2519         (JSC::MacroAssemblerX86Common::ceilFloat):
2520         (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil):
2521         (JSC::MacroAssemblerX86Common::supportsLZCNT):
2522         * assembler/X86Assembler.h:
2523         (JSC::X86Assembler::roundss_rr):
2524         (JSC::X86Assembler::roundss_mr):
2525         (JSC::X86Assembler::roundsd_rr):
2526         (JSC::X86Assembler::roundsd_mr):
2527         (JSC::X86Assembler::mfence):
2528         (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
2529         * b3/B3ConstDoubleValue.cpp:
2530         (JSC::B3::ConstDoubleValue::ceilConstant):
2531         * b3/B3ConstDoubleValue.h:
2532         * b3/B3ConstFloatValue.cpp:
2533         (JSC::B3::ConstFloatValue::ceilConstant):
2534         * b3/B3ConstFloatValue.h:
2535         * b3/B3LowerMacrosAfterOptimizations.cpp:
2536         * b3/B3LowerToAir.cpp:
2537         (JSC::B3::Air::LowerToAir::lower):
2538         * b3/B3Opcode.cpp:
2539         (WTF::printInternal):
2540         * b3/B3Opcode.h:
2541         * b3/B3ReduceDoubleToFloat.cpp:
2542         * b3/B3ReduceStrength.cpp:
2543         * b3/B3Validate.cpp:
2544         * b3/B3Value.cpp:
2545         (JSC::B3::Value::ceilConstant):
2546         (JSC::B3::Value::effects):
2547         (JSC::B3::Value::key):
2548         (JSC::B3::Value::typeFor):
2549         * b3/B3Value.h:
2550         * b3/air/AirOpcode.opcodes:
2551         * b3/testb3.cpp:
2552         (JSC::B3::testCeilArg):
2553         (JSC::B3::testCeilImm):
2554         (JSC::B3::testCeilMem):
2555         (JSC::B3::testCeilCeilArg):
2556         (JSC::B3::testCeilIToD64):
2557         (JSC::B3::testCeilIToD32):
2558         (JSC::B3::testCeilArgWithUselessDoubleConversion):
2559         (JSC::B3::testCeilArgWithEffectfulDoubleConversion):
2560         (JSC::B3::populateWithInterestingValues):
2561         (JSC::B3::run):
2562         * ftl/FTLB3Output.h:
2563         (JSC::FTL::Output::ceil64):
2564         * jit/ThunkGenerators.cpp:
2565         (JSC::ceilThunkGenerator):
2566
2567 2015-12-14  Andreas Kling  <akling@apple.com>
2568
2569         ResourceUsageOverlay should show GC timers.
2570         <https://webkit.org/b/152151>
2571
2572         Reviewed by Darin Adler.
2573
2574         Expose the next fire time (in WTF timestamp style) of a GCActivityCallback.
2575
2576         * heap/GCActivityCallback.cpp:
2577         (JSC::GCActivityCallback::scheduleTimer):
2578         (JSC::GCActivityCallback::cancelTimer):
2579         * heap/GCActivityCallback.h:
2580
2581 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2582
2583         Unreviewed, fix merge issue in a test.
2584
2585         * b3/testb3.cpp:
2586         (JSC::B3::testCheckTwoMegaCombos):
2587         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
2588
2589 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2590
2591         B3 should not give ValueReps for the non-stackmap children of a CheckValue to the generator callback
2592         https://bugs.webkit.org/show_bug.cgi?id=152224
2593
2594         Reviewed by Geoffrey Garen.
2595
2596         Previously, a stackmap generator for a Check had to know how many children the B3 value for the
2597         Check had at the time of code generation. That meant that B3 could not change the kind of Check
2598         that it was - for example it cannot turn a Check into a Patchpoint and it cannot turn a CheckAdd
2599         into a Check. But just changing the contract so that the stackmap generation params only get the
2600         stackmap children of the check means that B3 can transform Checks as it likes.
2601
2602         This is meant to aid sinking values into checks.
2603
2604         Also, I found that the effects of a Check did not include HeapRange::top(). I think it's best if
2605         exitsSideways does not imply reading top, the way that it does in DFG. In the DFG, that makes
2606         sense because the exit analysis is orthogonal, so the clobber analysis tells you about the reads
2607         not counting OSR exit - if you need to you can conditionally merge that with World based on a
2608         separate exit analysis. But in B3, the Effects object tells you about both exiting and reading,
2609         and it's computed by one analysis. Prior to this change, Check was not setting reads to top() so
2610         we were effectively saying that Effects::reads is meaningless when exitsSideways is true. It
2611         seems more sensible to instead force the analysis to set reads to top() when setting
2612         exitsSideways to true, not least because we only have one such analysis and many users. But it
2613         also makes sense for another reason: it allows us to bound the set of things that the program
2614         will read after it exits. That might not be useful to us now, but it's a nice feature to get for
2615         free. I've seen language features that behave like exitsSideways that don't also read top,
2616         like an array bounds check that causes sudden termination without making any promises about how
2617         pretty the crash dump will look.
2618
2619         * b3/B3CheckSpecial.cpp:
2620         (JSC::B3::CheckSpecial::generate):
2621         * b3/B3Opcode.h:
2622         * b3/B3Value.cpp:
2623         (JSC::B3::Value::effects):
2624         * b3/testb3.cpp:
2625         (JSC::B3::testSimpleCheck):
2626         (JSC::B3::testCheckLessThan):
2627         (JSC::B3::testCheckMegaCombo):
2628         (JSC::B3::testCheckAddImm):
2629         (JSC::B3::testCheckAddImmCommute):
2630         (JSC::B3::testCheckAddImmSomeRegister):
2631         (JSC::B3::testCheckAdd):
2632         (JSC::B3::testCheckAdd64):
2633         (JSC::B3::testCheckSubImm):
2634         (JSC::B3::testCheckSubBadImm):
2635         (JSC::B3::testCheckSub):
2636         (JSC::B3::testCheckSub64):
2637         (JSC::B3::testCheckNeg):
2638         (JSC::B3::testCheckNeg64):
2639         (JSC::B3::testCheckMul):
2640         (JSC::B3::testCheckMulMemory):
2641         (JSC::B3::testCheckMul2):
2642         (JSC::B3::testCheckMul64):
2643         * ftl/FTLLowerDFGToLLVM.cpp:
2644         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
2645
2646 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2647
2648         Air: Support Architecture-specific forms and Opcodes
2649         https://bugs.webkit.org/show_bug.cgi?id=151736
2650
2651         Reviewed by Benjamin Poulain.
2652
2653         This adds really awesome architecture selection to the AirOpcode.opcodes file. If an opcode or
2654         opcode form is unavailable on some architecture, you can still mention its name in C++ code (it'll
2655         still be a member of the enum) but isValidForm() and all other reflective queries will tell you
2656         that it doesn't exist. This will make the instruction selector steer clear of it, and it will
2657         also ensure that the spiller doesn't try to use any unavailable architecture-specific address
2658         forms.
2659
2660         The new capability is documented extensively in a comment in AirOpcode.opcodes.
2661
2662         * b3/air/AirOpcode.opcodes:
2663         * b3/air/opcode_generator.rb:
2664
2665 2015-12-14  Mark Lam  <mark.lam@apple.com>
2666
2667         Misc. small fixes in snippet related code.
2668         https://bugs.webkit.org/show_bug.cgi?id=152259
2669
2670         Reviewed by Saam Barati.
2671
2672         * dfg/DFGSpeculativeJIT.cpp:
2673         (JSC::DFG::SpeculativeJIT::compileArithMul):
2674         - When loading a constant JSValue for a node, use the one that the node already
2675           provides instead of reconstructing it.  This is not a bug, but the fix makes
2676           the code cleaner.
2677
2678         * jit/JITBitAndGenerator.cpp:
2679         (JSC::JITBitAndGenerator::generateFastPath):
2680         - No need to do a bitand with a constant int 0xffffffff operand.
2681
2682         * jit/JITBitOrGenerator.cpp:
2683         (JSC::JITBitOrGenerator::generateFastPath):
2684         - Fix comments: bitor is '|', not '&'.
2685         - No need to do a bitor with a constant int 0 operand.
2686
2687         * jit/JITBitXorGenerator.cpp:
2688         (JSC::JITBitXorGenerator::generateFastPath):
2689         - Fix comments: bitxor is '^', not '&'.
2690
2691         * jit/JITRightShiftGenerator.cpp:
2692         (JSC::JITRightShiftGenerator::generateFastPath):
2693         - Renamed a jump target name to be clearer about its purpose.
2694
2695 2015-12-14  Mark Lam  <mark.lam@apple.com>
2696
2697         We should not employ the snippet code in the DFG if no OSR exit was previously encountered.
2698         https://bugs.webkit.org/show_bug.cgi?id=152255
2699
2700         Reviewed by Saam Barati.
2701
2702         * dfg/DFGFixupPhase.cpp:
2703         (JSC::DFG::FixupPhase::fixupNode):
2704
2705 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
2706
2707         B3->Air compare-branch fusion should fuse even if the result of the comparison is used more than once
2708         https://bugs.webkit.org/show_bug.cgi?id=152198
2709
2710         Reviewed by Benjamin Poulain.
2711
2712         If we have a comparison operation that is branched on from multiple places, then we were
2713         previously executing the comparison to get a boolean result in a register and then we were
2714         testing/branching on that register in multiple places. This is actually less efficient than
2715         just fusing the compare/branch multiple times, even though this means that the comparison
2716         executes multiple times. This would only be bad if the comparison fused loads multiple times,
2717         since duplicating loads is both wrong and inefficient. So, this adds the notion of sharing to
2718         compare/branch fusion. If a compare is shared by multiple branches, then we refuse to fuse
2719         the load.
2720
2721         To write the test, I needed to zero-extend 8 to 32. In the process of thinking about how to
2722         do this, I realized that we needed lowerings for SExt8/SExt16. And I realized that the
2723         lowerings for the other extension operations were not fully fleshed out; for example they
2724         were incapable of load fusion. This patch fixes this and also adds some smart strength
2725         reductions for BitAnd(@x, 0xff/0xffff/0xffffffff) - all of which should be lowered to a zero
2726         extension.
2727
2728         This is a big win on asm.js code. It's not enough to bridge the gap to LLVM, but it's a huge
2729         step in that direction.
2730
2731         * assembler/MacroAssemblerX86Common.h:
2732         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
2733         (JSC::MacroAssemblerX86Common::zeroExtend8To32):
2734         (JSC::MacroAssemblerX86Common::signExtend8To32):
2735         (JSC::MacroAssemblerX86Common::load16):
2736         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
2737         (JSC::MacroAssemblerX86Common::zeroExtend16To32):
2738         (JSC::MacroAssemblerX86Common::signExtend16To32):
2739         (JSC::MacroAssemblerX86Common::store32WithAddressOffsetPatch):
2740         * assembler/X86Assembler.h:
2741         (JSC::X86Assembler::movzbl_rr):
2742         (JSC::X86Assembler::movsbl_rr):
2743         (JSC::X86Assembler::movzwl_rr):
2744         (JSC::X86Assembler::movswl_rr):
2745         (JSC::X86Assembler::cmovl_rr):
2746         * b3/B3LowerToAir.cpp:
2747         (JSC::B3::Air::LowerToAir::createGenericCompare):
2748         (JSC::B3::Air::LowerToAir::lower):
2749         * b3/B3ReduceStrength.cpp:
2750         * b3/air/AirOpcode.opcodes:
2751         * b3/testb3.cpp:
2752         (JSC::B3::testCheckMegaCombo):
2753         (JSC::B3::testCheckTwoMegaCombos):
2754         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
2755         (JSC::B3::testCheckAddImm):
2756         (JSC::B3::testTruncSExt32):
2757         (JSC::B3::testSExt8):
2758         (JSC::B3::testSExt8Fold):
2759         (JSC::B3::testSExt8SExt8):
2760         (JSC::B3::testSExt8SExt16):
2761         (JSC::B3::testSExt8BitAnd):
2762         (JSC::B3::testBitAndSExt8):
2763         (JSC::B3::testSExt16):
2764         (JSC::B3::testSExt16Fold):
2765         (JSC::B3::testSExt16SExt16):
2766         (JSC::B3::testSExt16SExt8):
2767         (JSC::B3::testSExt16BitAnd):
2768         (JSC::B3::testBitAndSExt16):
2769         (JSC::B3::testSExt32BitAnd):
2770         (JSC::B3::testBitAndSExt32):
2771         (JSC::B3::testBasicSelect):
2772         (JSC::B3::run):
2773
2774 2015-12-14  Chris Dumez  <cdumez@apple.com>
2775
2776         Roll out r193974 and follow-up fixes as it caused JSC crashes
2777         https://bugs.webkit.org/show_bug.cgi?id=152256
2778
2779         Unreviewed, roll out r193974 and follow-up fixes as it caused JSC crashes.
2780
2781         * API/JSCallbackObject.h:
2782         * builtins/FunctionPrototype.js:
2783         * bytecode/BytecodeBasicBlock.cpp:
2784         (JSC::isBranch):
2785         * bytecode/BytecodeList.json:
2786         * bytecode/BytecodeUseDef.h:
2787         (JSC::computeUsesForBytecodeOffset):
2788         (JSC::computeDefsForBytecodeOffset):
2789         * bytecode/CodeBlock.cpp:
2790         (JSC::CodeBlock::dumpBytecode):
2791         * bytecode/ExitKind.cpp:
2792         (JSC::exitKindToString): Deleted.
2793         * bytecode/ExitKind.h:
2794         * bytecode/PreciseJumpTargets.cpp:
2795         (JSC::getJumpTargetsForBytecodeOffset):
2796         * bytecompiler/BytecodeGenerator.cpp:
2797         (JSC::BytecodeGenerator::emitCheckHasInstance):
2798         (JSC::BytecodeGenerator::emitGetById): Deleted.
2799         * bytecompiler/BytecodeGenerator.h:
2800         (JSC::BytecodeGenerator::emitTypeOf): Deleted.
2801         * bytecompiler/NodesCodegen.cpp:
2802         (JSC::InstanceOfNode::emitBytecode):
2803         (JSC::LogicalOpNode::emitBytecode): Deleted.
2804         (JSC::LogicalOpNode::emitBytecodeInConditionContext): Deleted.
2805         * dfg/DFGAbstractInterpreterInlines.h:
2806         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2807         * dfg/DFGByteCodeParser.cpp:
2808         (JSC::DFG::ByteCodeParser::parseBlock):
2809         * dfg/DFGCapabilities.cpp:
2810         (JSC::DFG::capabilityLevel):
2811         * dfg/DFGClobberize.h:
2812         (JSC::DFG::clobberize):
2813         * dfg/DFGDoesGC.cpp:
2814         (JSC::DFG::doesGC):
2815         * dfg/DFGFixupPhase.cpp:
2816         (JSC::DFG::FixupPhase::fixupNode):
2817         * dfg/DFGHeapLocation.cpp:
2818         (WTF::printInternal):
2819         * dfg/DFGHeapLocation.h:
2820         * dfg/DFGNode.h:
2821         (JSC::DFG::Node::hasCellOperand): Deleted.
2822         (JSC::DFG::Node::hasTransition): Deleted.
2823         * dfg/DFGNodeType.h:
2824         * dfg/DFGPredictionPropagationPhase.cpp:
2825         (JSC::DFG::PredictionPropagationPhase::propagate):
2826         * dfg/DFGSafeToExecute.h:
2827         (JSC::DFG::safeToExecute):
2828         * dfg/DFGSpeculativeJIT.cpp:
2829         (JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
2830         (JSC::DFG::SpeculativeJIT::compileArithAdd): Deleted.
2831         * dfg/DFGSpeculativeJIT.h:
2832         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
2833         * dfg/DFGSpeculativeJIT32_64.cpp:
2834         (JSC::DFG::SpeculativeJIT::compile):
2835         * dfg/DFGSpeculativeJIT64.cpp:
2836         (JSC::DFG::SpeculativeJIT::compile):
2837         * ftl/FTLCapabilities.cpp:
2838         (JSC::FTL::canCompile):
2839         * ftl/FTLIntrinsicRepository.h:
2840         * ftl/FTLLowerDFGToLLVM.cpp:
2841         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2842         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance):
2843         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOf): Deleted.
2844         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty): Deleted.
2845         * jit/CCallHelpers.h:
2846         (JSC::CCallHelpers::setupArguments): Deleted.
2847         (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
2848         * jit/JIT.cpp:
2849         (JSC::JIT::privateCompileMainPass):
2850         (JSC::JIT::privateCompileSlowCases):
2851         * jit/JIT.h:
2852         * jit/JITInlines.h:
2853         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
2854         (JSC::JIT::callOperation): Deleted.
2855         * jit/JITOpcodes.cpp:
2856         (JSC::JIT::emit_op_check_has_instance):
2857         (JSC::JIT::emit_op_instanceof):
2858         (JSC::JIT::emitSlow_op_check_has_instance):
2859         (JSC::JIT::emitSlow_op_instanceof):
2860         (JSC::JIT::emit_op_is_undefined): Deleted.
2861         (JSC::JIT::emitSlow_op_to_number): Deleted.
2862         (JSC::JIT::emitSlow_op_to_string): Deleted.
2863         * jit/JITOpcodes32_64.cpp:
2864         (JSC::JIT::emit_op_check_has_instance):
2865         (JSC::JIT::emit_op_instanceof):
2866         (JSC::JIT::emitSlow_op_check_has_instance):
2867         (JSC::JIT::emitSlow_op_instanceof):
2868         (JSC::JIT::emit_op_is_undefined): Deleted.
2869         * jit/JITOperations.cpp:
2870         * jit/JITOperations.h:
2871         * llint/LLIntData.cpp:
2872         (JSC::LLInt::Data::performAssertions): Deleted.
2873         * llint/LLIntSlowPaths.cpp:
2874         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2875         * llint/LLIntSlowPaths.h:
2876         * llint/LowLevelInterpreter32_64.asm:
2877         * llint/LowLevelInterpreter64.asm:
2878         * runtime/CommonIdentifiers.h:
2879         * runtime/ExceptionHelpers.cpp:
2880         (JSC::invalidParameterInstanceofSourceAppender):
2881         (JSC::createInvalidInstanceofParameterError):
2882         (JSC::createError): Deleted.
2883         (JSC::createNotAFunctionError): Deleted.
2884         (JSC::createNotAnObjectError): Deleted.
2885         * runtime/ExceptionHelpers.h:
2886         * runtime/FunctionPrototype.cpp:
2887         (JSC::FunctionPrototype::addFunctionProperties):
2888         * runtime/FunctionPrototype.h:
2889         * runtime/JSBoundFunction.cpp:
2890         (JSC::JSBoundFunction::create): Deleted.
2891         (JSC::JSBoundFunction::customHasInstance): Deleted.
2892         * runtime/JSBoundFunction.h:
2893         * runtime/JSGlobalObject.cpp:
2894         (JSC::JSGlobalObject::init):
2895         (JSC::JSGlobalObject::visitChildren): Deleted.
2896         * runtime/JSGlobalObject.h:
2897         (JSC::JSGlobalObject::throwTypeErrorGetterSetter): Deleted.
2898         * runtime/JSObject.cpp:
2899         (JSC::JSObject::hasInstance):
2900         (JSC::JSObject::defaultHasInstance): Deleted.
2901         (JSC::JSObject::getPropertyNames): Deleted.
2902         (JSC::JSObject::getOwnPropertyNames): Deleted.
2903         * runtime/JSObject.h:
2904         (JSC::JSFinalObject::create): Deleted.
2905         * runtime/JSTypeInfo.h:
2906         (JSC::TypeInfo::TypeInfo):
2907         (JSC::TypeInfo::overridesHasInstance):
2908         * runtime/WriteBarrier.h:
2909         (JSC::WriteBarrierBase<Unknown>::slot):
2910         * tests/es6.yaml:
2911         * tests/stress/instanceof-custom-hasinstancesymbol.js: Removed.
2912         * tests/stress/symbol-hasInstance.js: Removed.
2913
2914 2015-12-13  Benjamin Poulain  <bpoulain@apple.com>
2915
2916         [JSC] Remove FTL::Output's doubleEqualOrUnordered()
2917         https://bugs.webkit.org/show_bug.cgi?id=152234
2918
2919         Reviewed by Sam Weinig.
2920
2921         It is unused, one less thing to worry about.
2922
2923         * ftl/FTLB3Output.h:
2924         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
2925         * ftl/FTLOutput.h:
2926         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
2927
2928 2015-12-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2929
2930         [JSC] Should not emit get_by_id for indexed property access
2931         https://bugs.webkit.org/show_bug.cgi?id=151354
2932
2933         Reviewed by Darin Adler.
2934
2935         Before this patch, `a["1"]` is converted to an `a.1` get_by_id operation in the bytecode compiler.
2936         get_by_id emits an IC. ICs rely on the fact that Structure transitions occur when adding / removing an object's properties.
2937         However, this is not true for indexed element properties. They are stored in the element storage and no Structure transition occurs.
2938
2939         For example, in the following case,
2940
2941              function getOne(a) { return a['1']; }
2942
2943              for (var i = 0; i < 36; ++i)
2944                  getOne({2: true});
2945
2946              if (!getOne({1: true}))
2947                  throw new Error("OUT");
2948
2949         In this case, `a['1']` creates a get_by_id. The `getOne({2: true})` calls make getOne's get_by_id create an IC that says,
2950         "when coming through this structure chain, there is no property "1", so we should return `undefined`".
2951
2952         After that, we call `getOne({1: true})`. But in this case, `{2: true}` and `{1: true}` have the same structure chain,
2953         because an indexed property addition does not cause a structure transition.
2954         So the previous IC fast path is used and returns `undefined`. But the correct answer is to return `true`.
2955
2956         This patch fixes the above issue. When there is a string bracket access, we only emit get_by_id if the given string is not an index.
2957         There are bugs in get_by_id, put_by_id, and put_by_id (direct). But only get_by_id poses a user-observable issue,
2958         because in the put_by_id case, the generic path just says "this put is uncacheable".
2959
2960         * bytecompiler/BytecodeGenerator.cpp:
2961         (JSC::BytecodeGenerator::emitGetById):
2962         (JSC::BytecodeGenerator::emitPutById):
2963         (JSC::BytecodeGenerator::emitDirectPutById):
2964         * bytecompiler/NodesCodegen.cpp:
2965         (JSC::isNonIndexStringElement):
2966         (JSC::BracketAccessorNode::emitBytecode):
2967         (JSC::FunctionCallBracketNode::emitBytecode):
2968         (JSC::AssignBracketNode::emitBytecode):
2969         (JSC::ObjectPatternNode::bindValue):
2970         * tests/stress/element-property-get-should-not-handled-with-get-by-id.js: Added.
2971         (getOne):
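
The scenario above, as an added example that is not WebKit's code: a toy model of a Structure-keyed inline cache that reproduces the stale `undefined`, next to the check a bytecode generator needs before treating a constant-string bracket access as a named-property (get_by_id) access. All function names (`isArrayIndexString`, `lowerStringBracketAccess`, `structureKey`, `makeGetter`, `runScenario`, `fixedScenario`) are hypothetical; the index range used is the ECMAScript array-index range.

```javascript
// Added example (not WebKit's code). Models why caching an indexed-key lookup by
// Structure is wrong and what deciding get_by_id vs. get_by_val per key fixes.

// A string is an array-index string if it is the canonical decimal form of an
// integer in [0, 2^32 - 2] (the ECMAScript "array index" range). Only such keys
// live in indexed storage, where adding them causes no Structure transition.
function isArrayIndexString(s) {
  if (typeof s !== "string" || s.length === 0 || s.length > 10) return false;
  if (!/^(0|[1-9][0-9]*)$/.test(s)) return false;   // rejects "01", "+1", "1.0", " 1"
  return Number(s) <= 0xFFFFFFFE;                   // 2^32 - 1 is not an array index
}

// Decide how a constant-string bracket access `base[str]` may be compiled:
// identifier-style get_by_id (IC-cacheable by Structure) only when the string is
// not an index; otherwise it must stay a generic get_by_val.
function lowerStringBracketAccess(str) {
  return isArrayIndexString(str) ? "get_by_val" : "get_by_id";
}

// Simulated "structure": the set of named (non-index) properties. Indexed
// properties deliberately do not contribute, mirroring the engine behavior the
// entry describes.
function structureKey(obj) {
  return Object.keys(obj).filter(k => !isArrayIndexString(k)).sort().join(",");
}

// A getter for a fixed key. With useIC, the result of the first lookup for a
// given structure is cached and reused for every object with that structure.
function makeGetter(key, useIC) {
  const cache = new Map();  // structureKey -> cached result
  return function get(obj) {
    if (!useIC) return obj[key];
    const sk = structureKey(obj);
    if (cache.has(sk)) return cache.get(sk);
    const v = obj[key];
    cache.set(sk, v);
    return v;
  };
}

// The scenario from the entry: warm up with {2: true}, then query {1: true}.
function runScenario(useIC) {
  const getOne = makeGetter("1", useIC);
  for (let i = 0; i < 36; ++i) getOne({ 2: true });
  return getOne({ 1: true });
}

// With the fix, "1" is an index, so the access is never compiled as get_by_id
// and the structure-keyed cache is not used for it.
function fixedScenario() {
  return runScenario(lowerStringBracketAccess("1") === "get_by_id");
}
```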
2972
2973 2015-12-13  Andreas Kling  <akling@apple.com>
2974
2975         CachedScript could have a copy-free path for all-ASCII scripts.
2976         <https://webkit.org/b/152203>
2977
2978         Reviewed by Antti Koivisto.
2979
2980         Make SourceProvider vend a StringView instead of a String.
2981         This relaxes the promises that providers have to make about string lifetimes.
2982
2983         This means that on the WebCore side, CachedScript is free to cache a String
2984         internally, while only ever exposing it as a temporary StringView.
2985
2986         A few extra copies (CPU, not memory) are introduced, none of them on hot paths.
2987
2988         * API/JSScriptRef.cpp:
2989         * bytecode/CodeBlock.cpp:
2990         (JSC::CodeBlock::sourceCodeForTools):
2991         (JSC::CodeBlock::dumpSource):
2992         * inspector/ScriptDebugServer.cpp:
2993         (Inspector::ScriptDebugServer::dispatchDidParseSource):
2994         (Inspector::ScriptDebugServer::dispatchFailedToParseSource):
2995         * interpreter/Interpreter.cpp:
2996         (JSC::Interpreter::execute):
2997         * jsc.cpp:
2998         (functionFindTypeForExpression):
2999         (functionHasBasicBlockExecuted):
3000         (functionBasicBlockExecutionCount):
3001         * parser/Lexer.cpp:
3002         (JSC::Lexer<T>::setCode):
3003         * parser/Lexer.h:
3004         (JSC::Lexer<LChar>::setCodeStart):
3005         (JSC::Lexer<UChar>::setCodeStart):
3006         * parser/Parser.h:
3007         (JSC::Parser::getToken):
3008         * parser/SourceCode.cpp:
3009         (JSC::SourceCode::toUTF8):
3010         * parser/SourceCode.h:
3011         (JSC::SourceCode::hash):
3012         (JSC::SourceCode::view):
3013         (JSC::SourceCode::toString): Deleted.
3014         * parser/SourceCodeKey.h:
3015         (JSC::SourceCodeKey::SourceCodeKey):
3016         (JSC::SourceCodeKey::string):
3017         * parser/SourceProvider.h:
3018         (JSC::SourceProvider::getRange):
3019         * runtime/Completion.cpp:
3020         (JSC::loadAndEvaluateModule):
3021         (JSC::loadModule):
3022         * runtime/ErrorInstance.cpp:
3023         (JSC::appendSourceToError):
3024         * runtime/FunctionPrototype.cpp:
3025         (JSC::functionProtoFuncToString):
3026         * tools/FunctionOverrides.cpp:
3027         (JSC::initializeOverrideInfo):
3028         (JSC::FunctionOverrides::initializeOverrideFor):
3029
3030 2015-12-12  Benjamin Poulain  <benjamin@webkit.org>
3031
3032         [JSC] Add lowering for B3's Store8 opcode
3033         https://bugs.webkit.org/show_bug.cgi?id=152208
3034
3035         Reviewed by Geoffrey Garen.
3036
3037         B3 has an opcode to store 8-bit values but it had
3038         no lowering.
3039
3040         * b3/B3LowerToAir.cpp:
3041         (JSC::B3::Air::LowerToAir::createStore):
3042         (JSC::B3::Air::LowerToAir::lower):
3043         * b3/air/AirOpcode.opcodes:
3044         * b3/testb3.cpp:
3045         (JSC::B3::testStore8Arg):
3046         (JSC::B3::testStore8Imm):
3047         (JSC::B3::testStorePartial8BitRegisterOnX86):
3048         (JSC::B3::run):
3049
3050 2015-12-12  Csaba Osztrogonác  <ossy@webkit.org>
3051
3052         [ARM] Add the missing setupArgumentsWithExecState functions after r193974
3053         https://bugs.webkit.org/show_bug.cgi?id=152214
3054
3055         Reviewed by Mark Lam.
3056
3057         * jit/CCallHelpers.h:
3058         (JSC::CCallHelpers::setupArgumentsWithExecState):
3059
3060 2015-12-11  Joseph Pecoraro  <pecoraro@apple.com>
3061
3062         Web Inspector: Too many derefs when RemoteInspectorXPCConnection fails to validate connection
3063         https://bugs.webkit.org/show_bug.cgi?id=152213
3064
3065         Rubber-stamped by Ryosuke Niwa.
3066
3067         * inspector/remote/RemoteInspectorXPCConnection.mm:
3068         (Inspector::RemoteInspectorXPCConnection::handleEvent):
3069         We should just close the XPC connection, triggering XPC_ERROR_CONNECTION_INVALID,
3070         which will then gracefully tear down the connection as expected.
3071
3072 2015-12-11  Benjamin Poulain  <bpoulain@apple.com>
3073
3074         [JSC] Add Floating Point Abs() to B3
3075         https://bugs.webkit.org/show_bug.cgi?id=152176
3076
3077         Reviewed by Geoffrey Garen.
3078
3079         This patch adds an Abs() operation for floating point.
3080
3081         On x86, Abs() is implemented by masking the top bit
3082         of the floating point value. On ARM64, there is a builtin
3083         abs opcode.
3084
3085         To account for those differences, B3 uses "Abs" as
3086         the canonical operation. When we are about to lower
3087         to Air, Abs is extended on x86 to get a clean handling
3088         of the mask constants.
3089
3090         This patch has one cool thing related to FTL.
3091         If you do:
3092            @1 = unboxDouble(@0)
3093            @2 = abs(@1)
3094            @3 = boxDouble(@2)
3095
3096         B3ReduceStrength completely eliminates the Double-Integer
3097         conversion.
3098
3099         The strength reduction of Abs is aware that it can do a bit
3100         mask over the bitcast used by unboxing.
3101         It even works if you use floats by forcing fround: reduceDoubleToFloat()
3102         eliminates the useless conversions, followed by ReduceStrength
3103         that removes the switch from GP to FP.
3104
3105         * CMakeLists.txt:
3106         * JavaScriptCore.xcodeproj/project.pbxproj:
3107         * assembler/MacroAssemblerX86Common.h:
3108         (JSC::MacroAssemblerX86Common::andDouble):
3109         (JSC::MacroAssemblerX86Common::andFloat):
3110         * assembler/X86Assembler.h:
3111         (JSC::X86Assembler::andps_rr):
3112         * b3/B3ConstDoubleValue.cpp:
3113         (JSC::B3::ConstDoubleValue::bitAndConstant):
3114         (JSC::B3::ConstDoubleValue::absConstant):
3115         * b3/B3ConstDoubleValue.h:
3116         * b3/B3ConstFloatValue.cpp:
3117         (JSC::B3::ConstFloatValue::bitAndConstant):
3118         (JSC::B3::ConstFloatValue::absConstant):
3119         * b3/B3ConstFloatValue.h:
3120         * b3/B3Generate.cpp:
3121         (JSC::B3::generateToAir):
3122         * b3/B3LowerMacrosAfterOptimizations.cpp: Added.
3123         (JSC::B3::lowerMacrosAfterOptimizations):
3124         * b3/B3LowerMacrosAfterOptimizations.h: Added.
3125         * b3/B3LowerToAir.cpp:
3126         (JSC::B3::Air::LowerToAir::lower):
3127         * b3/B3Opcode.cpp:
3128         (WTF::printInternal):
3129         * b3/B3Opcode.h:
3130         * b3/B3ReduceDoubleToFloat.cpp:
3131         * b3/B3ReduceStrength.cpp:
3132         * b3/B3Validate.cpp:
3133         * b3/B3Value.cpp:
3134         (JSC::B3::Value::absConstant):
3135         (JSC::B3::Value::effects):
3136         (JSC::B3::Value::key):
3137         (JSC::B3::Value::typeFor):
3138         * b3/B3Value.h:
3139         * b3/air/AirOpcode.opcodes:
3140         * b3/testb3.cpp:
3141         (JSC::B3::bitAndDouble):
3142         (JSC::B3::testBitAndArgDouble):
3143         (JSC::B3::testBitAndArgsDouble):
3144         (JSC::B3::testBitAndArgImmDouble):
3145         (JSC::B3::testBitAndImmsDouble):
3146         (JSC::B3::bitAndFloat):
3147         (JSC::B3::testBitAndArgFloat):
3148         (JSC::B3::testBitAndArgsFloat):
3149         (JSC::B3::testBitAndArgImmFloat):
3150         (JSC::B3::testBitAndImmsFloat):
3151         (JSC::B3::testBitAndArgsFloatWithUselessDoubleConversion):
3152         (JSC::B3::testAbsArg):
3153         (JSC::B3::testAbsImm):
3154         (JSC::B3::testAbsMem):
3155         (JSC::B3::testAbsAbsArg):
3156         (JSC::B3::testAbsBitwiseCastArg):
3157         (JSC::B3::testBitwiseCastAbsBitwiseCastArg):
3158         (JSC::B3::testAbsArgWithUselessDoubleConversion):
3159         (JSC::B3::testAbsArgWithEffectfulDoubleConversion):
3160         (JSC::B3::run):
3161         * ftl/FTLB3Output.h:
3162         (JSC::FTL::Output::doubleAbs):
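
Why the x86 lowering and the strength reduction described above are sound, as an added example that is not WebKit's code: clearing bit 63 of the IEEE-754 encoding is exactly floating-point Abs for every input, so `bitcast(abs(bitcast(v)))` collapses to a single integer AND on `v`. Function names (`doubleToBits`, `bitsToDouble`, `absViaMask`, `maskMatchesAbs`, `reducedAbsOnBits`, `unreducedAbsOnBits`, `allSamplesAgree`) are hypothetical; the sample inputs are constructed.

```javascript
// Added example (not WebKit's code). Demonstrates Abs-as-mask on double bit patterns.

const SIGN_BIT = 1n << 63n;
const ABS_MASK = SIGN_BIT - 1n;   // 0x7FFF_FFFF_FFFF_FFFF: everything but the sign bit

// bitcast double -> 64-bit integer (the integer-side view produced by unboxDouble)
function doubleToBits(x) {
  const dv = new DataView(new ArrayBuffer(8));
  dv.setFloat64(0, x);
  return dv.getBigUint64(0);
}

// bitcast 64-bit integer -> double (the boxDouble side)
function bitsToDouble(b) {
  const dv = new DataView(new ArrayBuffer(8));
  dv.setBigUint64(0, BigInt.asUintN(64, b));
  return dv.getFloat64(0);
}

// The x86 lowering from the entry: Abs as an AND with a constant mask.
function absViaMask(x) {
  return bitsToDouble(doubleToBits(x) & ABS_MASK);
}

// True when the mask lowering and Math.abs agree bit-for-bit on x. Comparing
// encodings rather than values distinguishes -0 from +0.
function maskMatchesAbs(x) {
  return doubleToBits(absViaMask(x)) === doubleToBits(Math.abs(x));
}

// Reduced form: abs over the unboxed integer is just the AND, no GP<->FP moves.
function reducedAbsOnBits(bits) {
  return bits & ABS_MASK;
}

// Unreduced form: bitcast to double, take abs, bitcast back.
function unreducedAbsOnBits(bits) {
  return doubleToBits(absViaMask(bitsToDouble(bits)));
}

// Constructed inputs covering signed zero, infinities, denormals and extremes.
// NaN is left out because engines may canonicalize NaN encodings on store.
const SAMPLES = [0, -0, 1.5, -1.5, Infinity, -Infinity,
                 -Number.MIN_VALUE, Number.MIN_VALUE, -Number.MAX_VALUE, Number.MAX_VALUE];

// Checks both claims over every sample: mask == Math.abs, and reduced == unreduced.
function allSamplesAgree() {
  return SAMPLES.every(maskMatchesAbs) &&
         SAMPLES.map(doubleToBits).every(b => reducedAbsOnBits(b) === unreducedAbsOnBits(b));
}
```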
3163
3164 2015-12-11  Mark Lam  <mark.lam@apple.com>
3165
3166         Removed some dead code, and simplified some code in the baseline JIT.
3167         https://bugs.webkit.org/show_bug.cgi?id=152199
3168
3169         Reviewed by Benjamin Poulain.
3170
3171         * jit/JIT.h:
3172         * jit/JITArithmetic.cpp:
3173         (JSC::JIT::emitBitBinaryOpFastPath):
3174         (JSC::JIT::emit_op_bitand):
3175         (JSC::JIT::emitSlow_op_lshift):
3176         (JSC::JIT::emitRightShiftFastPath):
3177         (JSC::JIT::emit_op_rshift):
3178         (JSC::JIT::emitSlow_op_rshift):
3179         (JSC::JIT::emit_op_urshift):
3180         (JSC::JIT::emitSlow_op_urshift):
3181
3182 2015-12-11  Filip Pizlo  <fpizlo@apple.com>
3183
3184         B3::reduceStrength should remove redundant Phi's
3185         https://bugs.webkit.org/show_bug.cgi?id=152184
3186
3187         Reviewed by Benjamin Poulain.
3188
3189         This adds redundant Phi removal using Aycock and Horspool's SSA simplification algorithm. This
3190         is needed because even in simple asm.js code, we see a lot of CFG simplification that leaves
3191         behind totally useless Phi's.
3192
3193         * b3/B3PhiChildren.cpp:
3194         (JSC::B3::PhiChildren::PhiChildren):
3195         * b3/B3PhiChildren.h:
3196         (JSC::B3::PhiChildren::at):
3197         (JSC::B3::PhiChildren::operator[]):
3198         (JSC::B3::PhiChildren::phis):
3199         * b3/B3ReduceStrength.cpp:
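
The simple iterative form of redundant-Phi removal, as an added example that is not WebKit's code (B3's implementation lives in B3ReduceStrength.cpp and is not reproduced here): a Phi whose inputs, ignoring references to itself, are all one value v is redundant, every use of it is rewritten to v, and the pass repeats until nothing changes so that Phis which become redundant only after another Phi was replaced are caught too. The toy IR and all names (`makeValue`, `redundantPhiTarget`, `removeRedundantPhis`, `buildExample`) are hypothetical.

```javascript
// Added example (not WebKit's code). Redundant Phi removal on a toy SSA value graph.

// Toy IR: each value is {id, op, args}; for a Phi, args are the incoming values.
function makeValue(id, op, ...args) { return { id, op, args }; }

// Returns the single non-self input of a Phi, or null when the Phi is a real
// merge of distinct values (or has no inputs at all).
function redundantPhiTarget(phi) {
  let target = null;
  for (const input of phi.args) {
    if (input === phi) continue;            // self-reference, e.g. a loop back-edge
    if (target === null) target = input;
    else if (target !== input) return null; // two distinct inputs: keep the Phi
  }
  return target;
}

// Rewrites uses in place until a fixpoint; returns how many Phis were removed.
// Removed Phis are marked with `replaced` rather than deleted so callers can inspect them.
function removeRedundantPhis(values) {
  let removed = 0;
  let changed = true;
  while (changed) {
    changed = false;
    for (const v of values) {
      if (v.op !== "Phi" || v.replaced) continue;
      const target = redundantPhiTarget(v);
      if (!target) continue;
      v.replaced = target;
      for (const u of values) u.args = u.args.map(a => (a === v ? target : a));
      removed++;
      changed = true;
    }
  }
  return removed;
}

// Constructed leftover of a simplified CFG:
//   x  = Const(1)
//   p1 = Phi(x, p1)     redundant: its only non-self input is x
//   p2 = Phi(p1, x)     becomes Phi(x, x) once p1 is replaced, then redundant too
//   r  = Add(p2, p2)    should end up as Add(x, x)
function buildExample() {
  const x = makeValue("x", "Const", 1);
  const p1 = makeValue("p1", "Phi");
  p1.args.push(x, p1);
  const p2 = makeValue("p2", "Phi", p1, x);
  const r = makeValue("r", "Add", p2, p2);
  return { values: [x, p1, p2, r], x, p1, p2, r };
}
```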
3200
3201 2015-12-11  Benjamin Poulain  <benjamin@webkit.org>
3202
3203         [JSC] Add an implementation of pow() taking an integer exponent to B3
3204         https://bugs.webkit.org/show_bug.cgi?id=152165
3205
3206         Reviewed by Mark Lam.
3207
3208         LLVM has this really neat optimized opcode for
3209         raising the power of something by an integer exponent.
3210
3211         There is no such native instruction so we need to extend
3212         the existing FTLOutput API to something efficient.
3213
3214         DFG has a pretty competitive implementation. In this patch,
3215         I added a version of it to B3.
3216         I created powDoubleInt32() instead of putting the code directly
3217         in FTL for easier testing and optimization.
3218
3219         * CMakeLists.txt:
3220         * JavaScriptCore.xcodeproj/project.pbxproj:
3221         * b3/B3MathExtras.cpp: Added.
3222         (JSC::B3::powDoubleInt32):
3223         * b3/B3MathExtras.h: Added.
3224         * b3/B3MemoryValue.h:
3225         * b3/testb3.cpp:
3226         (JSC::B3::testPowDoubleByIntegerLoop):
3227         (JSC::B3::run):
3228         * dfg/DFGSpeculativeJIT.cpp:
3229         (JSC::DFG::compileArithPowIntegerFastPath):
3230         * ftl/FTLB3Output.cpp:
3231         (JSC::FTL::Output::doublePowi):
3232         * ftl/FTLB3Output.h:
3233         (JSC::FTL::Output::doublePowi): Deleted.
3234
3235 2015-12-11  Filip Pizlo  <fpizlo@apple.com>
3236
3237         B3 should have CSE
3238         https://bugs.webkit.org/show_bug.cgi?id=150961
3239
3240         Reviewed by Benjamin Poulain.
3241
3242         This implements a very simple CSE for pure values. I need this as a prerequisite for other
3243         optimizations that I'm implementing. For now, this is neutral on imaging-gaussian-blur but a
3244         slow-down on asm.js code. I suspect that the asm.js slow-down is because of other things that are
3245         still going wrong, and anyway, I need CSE to be able to do even the most basic asm.js strength
3246         reductions.
3247
3248         * b3/B3ReduceStrength.cpp:
3249         * b3/B3ReduceStrength.h:
3250         * b3/B3Value.cpp:
3251         (JSC::B3::Value::replaceWithIdentity):
3252         (JSC::B3::Value::key):
3253
3254 2015-12-11  Mark Lam  <mark.lam@apple.com>
3255
3256         Refactoring to reduce potential cut-paste errors with the FTL ICs.
3257         https://bugs.webkit.org/show_bug.cgi?id=152185
3258
3259         Reviewed by Saam Barati.
3260
3261         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3262         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3263         * JavaScriptCore.xcodeproj/project.pbxproj:
3264
3265         * ftl/FTLCompile.cpp:
3266         - ICs now have their own names.  GetById and PutByID fast path ICs no longer just
3267           say "inline cache fast path".
3268
3269         * ftl/FTLCompileBinaryOp.cpp:
3270         (JSC::FTL::generateBinaryArithOpFastPath):
3271         - Fixed an indentation.
3272
3273         * ftl/FTLInlineCacheDescriptor.h:
3274         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
3275         (JSC::FTL::InlineCacheDescriptor::name):
3276         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
3277         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
3278         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
3279         (JSC::FTL::BinaryOpDescriptor::nodeType):
3280         (JSC::FTL::BinaryOpDescriptor::size):
3281         (JSC::FTL::BinaryOpDescriptor::slowPathFunction):
3282         (JSC::FTL::BinaryOpDescriptor::leftOperand):
3283         (JSC::FTL::BinaryOpDescriptor::BinaryOpDescriptor):
3284         (JSC::FTL::ArithDivDescriptor::ArithDivDescriptor):
3285         (JSC::FTL::ArithDivDescriptor::icSize):
3286         (JSC::FTL::ArithDivDescriptor::nodeType):
3287         (JSC::FTL::ArithDivDescriptor::opName):
3288         (JSC::FTL::ArithDivDescriptor::slowPathFunction):
3289         (JSC::FTL::ArithDivDescriptor::nonNumberSlowPathFunction):
3290         (JSC::FTL::ArithMulDescriptor::ArithMulDescriptor):
3291         (JSC::FTL::ArithMulDescriptor::icSize):
3292         (JSC::FTL::ArithMulDescriptor::nodeType):
3293         (JSC::FTL::ArithMulDescriptor::opName):
3294         (JSC::FTL::ArithMulDescriptor::slowPathFunction):
3295         (JSC::FTL::ArithMulDescriptor::nonNumberSlowPathFunction):
3296         (JSC::FTL::ArithSubDescriptor::ArithSubDescriptor):
3297         (JSC::FTL::ArithSubDescriptor::icSize):
3298         (JSC::FTL::ArithSubDescriptor::nodeType):
3299         (JSC::FTL::ArithSubDescriptor::opName):
3300         (JSC::FTL::ArithSubDescriptor::slowPathFunction):
3301         (JSC::FTL::ArithSubDescriptor::nonNumberSlowPathFunction):
3302         (JSC::FTL::ValueAddDescriptor::ValueAddDescriptor):
3303         (JSC::FTL::ValueAddDescriptor::icSize):
3304         (JSC::FTL::ValueAddDescriptor::nodeType):
3305         (JSC::FTL::ValueAddDescriptor::opName):
3306         (JSC::FTL::ValueAddDescriptor::slowPathFunction):
3307         (JSC::FTL::ValueAddDescriptor::nonNumberSlowPathFunction):
3308         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
3309         (JSC::FTL::ProbeDescriptor::ProbeDescriptor):
3310         (JSC::FTL::BinaryOpDescriptor::name): Deleted.
3311         (JSC::FTL::BinaryOpDescriptor::fastPathICName): Deleted.
3312         * ftl/FTLInlineCacheDescriptorInlines.h: Removed.
3313         - Consolidate the number of places where we have to fill in data about new
3314           snippet ICs.  It is all done in FTLInlineCacheDescriptor.h now.
3315
3316         * ftl/FTLJITFinalizer.cpp:
3317         (JSC::FTL::JITFinalizer::finalizeFunction):
3318
3319         * ftl/FTLLowerDFGToLLVM.cpp:
3320         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
3321         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
3322         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
3323         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
3324         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
3325         - Introduced a compileUntypedBinaryOp() template and use that at all the FTL
3326           places that need to use a snippet.  This reduces the amount of cut and paste
3327           code.
3328
3329         * ftl/FTLState.h:
3330         - Removed a bad #include.
3331
3332 2015-12-11  Keith Miller  <keith_miller@apple.com>
3333
3334         Overrides has instance should not move ValueFalse to a register then immediately to the stack in the LLInt.
3335         https://bugs.webkit.org/show_bug.cgi?id=152188
3336
3337         Reviewed by Mark Lam.
3338
3339         This fixes a minor issue with the code for the overrides_has_instance in the LLInt. Old code had an extra move,
3340         which is both slow and breaks the build on cloop.
3341
3342         * llint/LowLevelInterpreter64.asm:
3343
3344 2015-12-11  Keith Miller  <keith_miller@apple.com>
3345
3346         [ES6] Add support for Symbol.hasInstance
3347         https://bugs.webkit.org/show_bug.cgi?id=151839
3348
3349         Reviewed by Saam Barati.
3350
3351         This patch adds support for Symbol.hasInstance. Unfortunately, in order to prevent
3352         regressions, several new bytecodes and DFG IR nodes were necessary. Before Symbol.hasInstance,
3353         when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
3354         then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
3355         new ones. First, the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
3356         a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
3357         needs non-default behavior for resolving the expression, i.e. the constructor has a Symbol.hasInstance that differs from the one on
3358         Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
3359         we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. instanceof_custom just
3360         emits a call to slow path code that computes the result.
3361
3362         In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
3363         OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
3364         it into a CheckTypeInfoFlags followed by a JSConstant.
3365
3366         * API/JSCallbackObject.h:
3367         * builtins/FunctionPrototype.js:
3368         (symbolHasInstance):