Turn on gesture events when building for Yosemite
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-01-04  Tim Horton  <timothy_horton@apple.com>
2
3         Turn on gesture events when building for Yosemite
4         https://bugs.webkit.org/show_bug.cgi?id=152704
5         rdar://problem/24042472
6
7         Reviewed by Anders Carlsson.
8
9         * Configurations/FeatureDefines.xcconfig:
10
11 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
12
13         FTL B3 should do BitAnd binary snippets
14         https://bugs.webkit.org/show_bug.cgi?id=152713
15
16         Reviewed by Mark Lam.
17
18         Getting ready to finish up the binary bitop snippets.
19
20         * ftl/FTLLowerDFGToLLVM.cpp:
21         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
22         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
23         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
24         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
25         * tests/stress/object-bit-and.js: Added.
26         (foo):
27         (things.valueOf):
28         * tests/stress/untyped-bit-and.js: Added.
29         (foo):
30         (valueOf):
31
32 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
33
34         FTL B3 should do all of the non-bitop binary snippets
35         https://bugs.webkit.org/show_bug.cgi?id=152709
36
37         Reviewed by Mark Lam.
38
39         * ftl/FTLLowerDFGToLLVM.cpp:
40         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
41         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
42         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
43         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
44         * tests/stress/object-add.js: Added.
45         (foo):
46         (things.valueOf):
47         * tests/stress/object-div.js: Added.
48         (foo):
49         (things.valueOf):
50         * tests/stress/object-mul.js: Added.
51         (foo):
52         (things.valueOf):
53         * tests/stress/untyped-add.js: Added.
54         (foo):
55         (valueOf):
56         * tests/stress/untyped-div.js: Added.
57         (foo):
58         (valueOf):
59         * tests/stress/untyped-mul.js: Added.
60         (foo):
61         (valueOf):
62
63 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
64
65         FTL B3 should do the ArithSub binary snippet
66         https://bugs.webkit.org/show_bug.cgi?id=152705
67
68         Reviewed by Saam Barati.
69
70         This implements the ArithSub binary snippet generator in FTL B3.
71
72         While doing this, I discovered that the DFG type inference logic for ArithSub contains a
73         classic mistake: it causes the snippets to kick in when the type set does not contain numbers
74         rather than kicking in when the type set contains non-numbers. So, the original test that I
75         wrote for this doesn't work right (it runs to completion but OSR exits ad infinitum). I wrote
76         a second test that is simpler, and that one shows that the binary snippets "work". That's
77         sort of a joke though, since the only way to trigger binary snippets is to never pass numbers
78         and the only way to actually cause a binary snippet to do meaningful work is to pass numbers.
79         I filed a bug about this mess: https://bugs.webkit.org/show_bug.cgi?id=152708.
80
81         * ftl/FTLLowerDFGToLLVM.cpp:
82         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
83         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
84         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
85         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
86         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
87         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
88         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
89         * tests/stress/object-sub.js: Added.
90         (foo):
91         (things.valueOf):
92         * tests/stress/untyped-sub.js: Added.
93         (foo):
94         (valueOf):
95
96 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
97
98         Unreviewed, disable FTL B3 for now. I didn't intend to enable it yet.
99
100         * dfg/DFGCommon.h:
101
102 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
103
104         B3 patchpoints should allow requesting scratch registers
105         https://bugs.webkit.org/show_bug.cgi?id=152669
106
107         Reviewed by Benjamin Poulain.
108
109         Scratch registers are something that we often need in many patchpoint use cases. In LLVM's
110         patchpoints, we didn't have a good way to request scratch registers. So, our current FTL code
111         often does crazy scratch register allocation madness even when it would be better to just ask
112         the backend for some registers. This patch adds a mechanism for requesting scratch registers
113         in B3, and wires it all the way to all of our register allocation and liveness
114         infrastructure.
115
116         From the standpoint of a patchpoint, a "scratch register" is an instruction argument that
117         only admits Tmp and is defined early (like an early clobber register) and is used late (like
118         what we previously called LateUse, except that this time it's also a warm use). We already
119         had the beginning of support for early def's because of early clobbers, and we already
120         supported late uses albeit cold ones. I really only needed to add one new role: "Scratch",
121         which means both early def and late use in much the same way as "UseDef" means both early
122         use and late def. But, it feels better to complete the set of roles, so I added LateColdUse
123         to differentiate from LateUse (which is now a warm use) and EarlyDef to differentiate from
124         Def (which is, and always has been, a late def). Forcing the code to deal with the full
125         matrix of possibilities resulted in what is probably a progression in how we handle defs in
126         the register and stack allocators. The new Inst::forEachDef(Inst*, Inst*, callback) fully
127         recognizes that a "def" is something that can come from either the preceding instruction or
128         the succeeding one.
129
130         This doesn't add any new functionality to FTL B3 yet, but the new scratch register mechanism
131         is covered by new testb3 tests.
132
133         * b3/B3CheckSpecial.cpp:
134         (JSC::B3::CheckSpecial::isValid):
135         (JSC::B3::CheckSpecial::admitsStack):
136         (JSC::B3::CheckSpecial::generate):
137         * b3/B3LowerToAir.cpp:
138         (JSC::B3::Air::LowerToAir::lower):
139         * b3/B3PatchpointSpecial.cpp:
140         (JSC::B3::PatchpointSpecial::forEachArg):
141         (JSC::B3::PatchpointSpecial::isValid):
142         (JSC::B3::PatchpointSpecial::admitsStack):
143         (JSC::B3::PatchpointSpecial::generate):
144         * b3/B3PatchpointValue.cpp:
145         (JSC::B3::PatchpointValue::dumpMeta):
146         (JSC::B3::PatchpointValue::PatchpointValue):
147         * b3/B3PatchpointValue.h:
148         * b3/B3StackmapGenerationParams.cpp:
149         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
150         * b3/B3StackmapGenerationParams.h:
151         (JSC::B3::StackmapGenerationParams::gpScratch):
152         (JSC::B3::StackmapGenerationParams::fpScratch):
153         * b3/B3StackmapSpecial.cpp:
154         (JSC::B3::StackmapSpecial::forEachArgImpl):
155         (JSC::B3::StackmapSpecial::isValidImpl):
156         (JSC::B3::StackmapSpecial::admitsStackImpl):
157         (JSC::B3::StackmapSpecial::repsImpl):
158         (JSC::B3::StackmapSpecial::isArgValidForValue):
159         (JSC::B3::StackmapSpecial::appendRepsImpl): Deleted.
160         * b3/B3StackmapSpecial.h:
161         * b3/air/AirAllocateStack.cpp:
162         (JSC::B3::Air::allocateStack):
163         * b3/air/AirArg.cpp:
164         (WTF::printInternal):
165         * b3/air/AirArg.h:
166         (JSC::B3::Air::Arg::isAnyUse):
167         (JSC::B3::Air::Arg::isColdUse):
168         (JSC::B3::Air::Arg::isEarlyUse):
169         (JSC::B3::Air::Arg::isLateUse):
170         (JSC::B3::Air::Arg::isAnyDef):
171         (JSC::B3::Air::Arg::isEarlyDef):
172         (JSC::B3::Air::Arg::isLateDef):
173         (JSC::B3::Air::Arg::isZDef):
174         (JSC::B3::Air::Arg::Arg):
175         (JSC::B3::Air::Arg::imm):
176         (JSC::B3::Air::Arg::isDef): Deleted.
177         * b3/air/AirBasicBlock.h:
178         (JSC::B3::Air::BasicBlock::at):
179         (JSC::B3::Air::BasicBlock::get):
180         (JSC::B3::Air::BasicBlock::last):
181         * b3/air/AirEliminateDeadCode.cpp:
182         (JSC::B3::Air::eliminateDeadCode):
183         * b3/air/AirFixPartialRegisterStalls.cpp:
184         (JSC::B3::Air::fixPartialRegisterStalls):
185         * b3/air/AirInst.cpp:
186         (JSC::B3::Air::Inst::hasArgEffects):
187         * b3/air/AirInst.h:
188         * b3/air/AirInstInlines.h:
189         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
190         (JSC::B3::Air::Inst::forEachDef):
191         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
192         (JSC::B3::Air::Inst::reportUsedRegisters):
193         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs): Deleted.
194         * b3/air/AirIteratedRegisterCoalescing.cpp:
195         * b3/air/AirLiveness.h:
196         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
197         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
198         * b3/air/AirSpillEverything.cpp:
199         (JSC::B3::Air::spillEverything):
200         * b3/air/AirTmpWidth.cpp:
201         (JSC::B3::Air::TmpWidth::recompute):
202         * b3/air/AirUseCounts.h:
203         (JSC::B3::Air::UseCounts::UseCounts):
204         * b3/testb3.cpp:
205         (JSC::B3::testPatchpointAny):
206         (JSC::B3::testPatchpointGPScratch):
207         (JSC::B3::testPatchpointFPScratch):
208         (JSC::B3::testPatchpointLotsOfLateAnys):
209         (JSC::B3::run):
210
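The entry above defines the argument roles in terms of two points inside an instruction (an early point where inputs are read and a late point where results are written) and says a scratch register is both an early def and a warm late use. The following is an added example, not WebKit code: a small C++ model of those roles that derives at which points a tmp must hold a register, which pairs of arguments of one instruction therefore cannot share a register, and which tmps are defined at the boundary between two instructions (the idea behind the new `Inst::forEachDef(prev, next)`). The role-to-point mapping is my reading of the text, and the instructions built in `main` are constructed for illustration.

```cpp
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Toy model of Air argument roles (assumed from the ChangeLog text, not the
// real Air enum). An instruction has an "early" point (inputs read) and a
// "late" point (results written); each role says where its tmp is read/written.
enum class Role { Use, ColdUse, LateUse, LateColdUse, Def, EarlyDef, UseDef, Scratch };

struct RoleTraits {
    bool earlyUse, lateUse, earlyDef, lateDef;
};

// Use/ColdUse read early; LateUse/LateColdUse read late; Def writes late;
// EarlyDef writes early; UseDef = early use + late def; Scratch = early def +
// late use. Warm vs. cold only affects spill heuristics, not liveness.
RoleTraits traits(Role r)
{
    switch (r) {
    case Role::Use:         return { true,  false, false, false };
    case Role::ColdUse:     return { true,  false, false, false };
    case Role::LateUse:     return { false, true,  false, false };
    case Role::LateColdUse: return { false, true,  false, false };
    case Role::Def:         return { false, false, false, true  };
    case Role::EarlyDef:    return { false, false, true,  false };
    case Role::UseDef:      return { true,  false, false, true  };
    case Role::Scratch:     return { false, true,  true,  false };
    }
    return { false, false, false, false };
}

// A tmp occupies a register at the early point if it is read or written there,
// or read at the late point (it must survive the instruction). It occupies one
// at the late point if it is read or written there, or was written early (the
// value has to still be there when the instruction finishes).
bool liveEarly(Role r) { RoleTraits t = traits(r); return t.earlyUse || t.earlyDef || t.lateUse; }
bool liveLate(Role r)  { RoleTraits t = traits(r); return t.lateUse  || t.lateDef  || t.earlyDef; }

// Two arguments of the same instruction need distinct registers if both are
// live at the same point. Use vs. Def do not interfere (the output may reuse
// an input's register); LateUse vs. Def and Scratch vs. anything do.
bool interferes(Role a, Role b)
{
    return (liveEarly(a) && liveEarly(b)) || (liveLate(a) && liveLate(b));
}

struct Arg { std::string tmp; Role role; };
using Inst = std::vector<Arg>;

// Model of forEachDef(prev, next): the tmps defined at the boundary between two
// instructions are prev's late defs plus next's early defs.
std::vector<std::string> defsAtBoundary(const Inst* prev, const Inst* next)
{
    std::vector<std::string> result;
    if (prev)
        for (const Arg& a : *prev)
            if (traits(a.role).lateDef) result.push_back(a.tmp);
    if (next)
        for (const Arg& a : *next)
            if (traits(a.role).earlyDef) result.push_back(a.tmp);
    return result;
}

// All pairs of arguments within one instruction that cannot share a register.
std::vector<std::pair<std::string, std::string>> intraInstInterferences(const Inst& inst)
{
    std::vector<std::pair<std::string, std::string>> out;
    for (size_t i = 0; i < inst.size(); ++i)
        for (size_t j = i + 1; j < inst.size(); ++j)
            if (interferes(inst[i].role, inst[j].role))
                out.emplace_back(inst[i].tmp, inst[j].tmp);
    return out;
}

int main()
{
    // Constructed instructions: a two-operand add whose destination is also a
    // source, followed by a patchpoint that requested one scratch register.
    Inst add = { { "a", Role::Use }, { "b", Role::UseDef } };
    Inst patchpoint = { { "b", Role::Use }, { "s", Role::Scratch }, { "r", Role::Def } };

    for (const auto& p : intraInstInterferences(patchpoint))
        std::printf("%s and %s need different registers\n", p.first.c_str(), p.second.c_str());
    for (const auto& tmp : defsAtBoundary(&add, &patchpoint))
        std::printf("%s is defined at the add/patchpoint boundary\n", tmp.c_str());
    return 0;
}
```

Running the model on the constructed instructions shows why the entry calls Scratch the counterpart of UseDef: the scratch tmp `s` conflicts with both the input `b` and the result `r`, while `b` and `r` could still share a register, and `s` shows up as a def at the boundary even though the patchpoint has not executed yet.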
211 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
212
213         Fix the !ENABLE(INTL) build after r193493
214         https://bugs.webkit.org/show_bug.cgi?id=152689
215
216         Reviewed by Alex Christensen.
217
218         * runtime/NumberPrototype.cpp:
219         (JSC::NumberPrototype::finishCreation):
220
221 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
222
223         JSC generator scripts shouldn't have verbose output
224         https://bugs.webkit.org/show_bug.cgi?id=152382
225
226         Reviewed by Michael Catanzaro.
227
228         * b3/air/opcode_generator.rb:
229         * generate-bytecode-files:
230         * offlineasm/asm.rb:
231         * offlineasm/generate_offset_extractor.rb:
232         * offlineasm/parser.rb:
233
234 2016-01-04  Benjamin Poulain  <bpoulain@apple.com>
235
236         [JSC] Build B3 by default on iOS ARM64
237         https://bugs.webkit.org/show_bug.cgi?id=152525
238
239         Reviewed by Filip Pizlo.
240
241         Minor changes required to get testb3 to compile.
242
243         * Configurations/ToolExecutable.xcconfig:
244         We need an entitlement to allocate executable memory.
245
246         * assembler/MacroAssemblerARM64.h:
247         (JSC::MacroAssemblerARM64::scratchRegister):
248         (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
249         (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
250         Expose one of the scratch registers for ValueRep::emitRestore().
251         Guard the use of scratch registers when not allowed.
252
253         * b3/air/AirOpcode.opcodes:
254         ARM addressing is a bit different. Skip Addr to make things build.
255
256         * b3/testb3.cpp:
257         (JSC::B3::testPatchpointWithStackArgumentResult):
258         Add on memory only exists on x86.
259
260         * jit/RegisterSet.cpp:
261         (JSC::RegisterSet::macroScratchRegisters):
262         Add the two scratch registers, useful for patchpoints.
263
264 2016-01-03  Khem Raj  <raj.khem@gmail.com>
265
266         WebKit fails to build with musl libc library
267         https://bugs.webkit.org/show_bug.cgi?id=152625
268
269         Reviewed by Daniel Bates.
270
271         Qualify isnan() calls with std namespace.
272
273         * runtime/Options.cpp:
274         (Option::operator==): Add std namespace qualifier.
275
276 2016-01-03  Andreas Kling  <akling@apple.com>
277
278         Remove redundant StringImpl substring creation function.
279         <https://webkit.org/b/152652>
280
281         Reviewed by Daniel Bates.
282
283         Remove jsSubstring8() and make the only call site use jsSubstring().
284
285         * runtime/JSString.h:
286         (JSC::jsSubstring8): Deleted.
287         * runtime/StringPrototype.cpp:
288         (JSC::replaceUsingRegExpSearch):
289
290 2016-01-02  Khem Raj  <raj.khem@gmail.com>
291
292         Clang's builtin for clear_cache accepts char* and errors out
293         when using void*; using char* works on both gcc and clang
294         since char* is auto-converted to void* in the gcc case.
295         https://bugs.webkit.org/show_bug.cgi?id=152654
296
297         Reviewed by Michael Saboff.
298
299         * assembler/ARM64Assembler.h:
300         (linuxPageFlush): Convert arguments to __builtin___clear_cache()
301         to char*.
302
303 2015-12-31  Andy Estes  <aestes@apple.com>
304
305         Replace WTF::move with WTFMove
306         https://bugs.webkit.org/show_bug.cgi?id=152601
307
308         Reviewed by Brady Eidson.
309
310         * API/ObjCCallbackFunction.mm:
311         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
312         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
313         (JSC::ObjCCallbackFunction::create):
314         (objCCallbackFunctionForInvocation):
315         * assembler/AssemblerBuffer.h:
316         (JSC::AssemblerBuffer::releaseAssemblerData):
317         * assembler/LinkBuffer.cpp:
318         (JSC::LinkBuffer::linkCode):
319         * b3/B3BlockInsertionSet.cpp:
320         (JSC::B3::BlockInsertionSet::insert):
321         (JSC::B3::BlockInsertionSet::splitForward):
322         * b3/B3LowerToAir.cpp:
323         (JSC::B3::Air::LowerToAir::run):
324         (JSC::B3::Air::LowerToAir::lower):
325         * b3/B3OpaqueByproducts.cpp:
326         (JSC::B3::OpaqueByproducts::add):
327         * b3/B3Procedure.cpp:
328         (JSC::B3::Procedure::addBlock):
329         (JSC::B3::Procedure::addDataSection):
330         * b3/B3Procedure.h:
331         (JSC::B3::Procedure::releaseByproducts):
332         * b3/B3ProcedureInlines.h:
333         (JSC::B3::Procedure::add):
334         * b3/B3Value.h:
335         * b3/air/AirCode.cpp:
336         (JSC::B3::Air::Code::addBlock):
337         (JSC::B3::Air::Code::addStackSlot):
338         (JSC::B3::Air::Code::addSpecial):
339         * b3/air/AirInst.h:
340         (JSC::B3::Air::Inst::Inst):
341         * b3/air/AirIteratedRegisterCoalescing.cpp:
342         * b3/air/AirSimplifyCFG.cpp:
343         (JSC::B3::Air::simplifyCFG):
344         * bindings/ScriptValue.cpp:
345         (Deprecated::jsToInspectorValue):
346         * builtins/BuiltinExecutables.cpp:
347         (JSC::createExecutableInternal):
348         * bytecode/BytecodeBasicBlock.cpp:
349         (JSC::computeBytecodeBasicBlocks):
350         * bytecode/CodeBlock.cpp:
351         (JSC::CodeBlock::finishCreation):
352         (JSC::CodeBlock::setCalleeSaveRegisters):
353         * bytecode/CodeBlock.h:
354         (JSC::CodeBlock::setJITCodeMap):
355         (JSC::CodeBlock::livenessAnalysis):
356         * bytecode/GetByIdStatus.cpp:
357         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
358         * bytecode/GetByIdVariant.cpp:
359         (JSC::GetByIdVariant::GetByIdVariant):
360         * bytecode/PolymorphicAccess.cpp:
361         (JSC::PolymorphicAccess::regenerateWithCases):
362         (JSC::PolymorphicAccess::regenerateWithCase):
363         (JSC::PolymorphicAccess::regenerate):
364         * bytecode/PutByIdStatus.cpp:
365         (JSC::PutByIdStatus::computeForStubInfo):
366         * bytecode/PutByIdVariant.cpp:
367         (JSC::PutByIdVariant::setter):
368         * bytecode/StructureStubClearingWatchpoint.cpp:
369         (JSC::StructureStubClearingWatchpoint::push):
370         * bytecode/StructureStubClearingWatchpoint.h:
371         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
372         * bytecode/StructureStubInfo.cpp:
373         (JSC::StructureStubInfo::addAccessCase):
374         * bytecode/UnlinkedCodeBlock.cpp:
375         (JSC::UnlinkedCodeBlock::setInstructions):
376         * bytecode/UnlinkedFunctionExecutable.cpp:
377         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
378         * bytecode/UnlinkedFunctionExecutable.h:
379         * bytecompiler/SetForScope.h:
380         (JSC::SetForScope::SetForScope):
381         * dfg/DFGGraph.cpp:
382         (JSC::DFG::Graph::livenessFor):
383         (JSC::DFG::Graph::killsFor):
384         * dfg/DFGJITCompiler.cpp:
385         (JSC::DFG::JITCompiler::link):
386         (JSC::DFG::JITCompiler::compile):
387         (JSC::DFG::JITCompiler::compileFunction):
388         * dfg/DFGJITFinalizer.cpp:
389         (JSC::DFG::JITFinalizer::JITFinalizer):
390         * dfg/DFGLivenessAnalysisPhase.cpp:
391         (JSC::DFG::LivenessAnalysisPhase::process):
392         * dfg/DFGObjectAllocationSinkingPhase.cpp:
393         * dfg/DFGSpeculativeJIT.cpp:
394         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
395         (JSC::DFG::SpeculativeJIT::compileIn):
396         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
397         * dfg/DFGSpeculativeJIT32_64.cpp:
398         (JSC::DFG::SpeculativeJIT::cachedGetById):
399         (JSC::DFG::SpeculativeJIT::cachedPutById):
400         * dfg/DFGSpeculativeJIT64.cpp:
401         (JSC::DFG::SpeculativeJIT::cachedGetById):
402         (JSC::DFG::SpeculativeJIT::cachedPutById):
403         * dfg/DFGWorklist.cpp:
404         (JSC::DFG::Worklist::finishCreation):
405         * disassembler/Disassembler.cpp:
406         (JSC::disassembleAsynchronously):
407         * ftl/FTLB3Compile.cpp:
408         (JSC::FTL::compile):
409         * ftl/FTLCompile.cpp:
410         (JSC::FTL::mmAllocateDataSection):
411         * ftl/FTLJITCode.cpp:
412         (JSC::FTL::JITCode::initializeB3Byproducts):
413         * ftl/FTLJITFinalizer.h:
414         (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
415         * ftl/FTLLink.cpp:
416         (JSC::FTL::link):
417         * ftl/FTLLowerDFGToLLVM.cpp:
418         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
419         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
420         * heap/Heap.cpp:
421         (JSC::Heap::releaseDelayedReleasedObjects):
422         (JSC::Heap::markRoots):
423         (JSC::Heap::setIncrementalSweeper):
424         * heap/HeapInlines.h:
425         (JSC::Heap::releaseSoon):
426         (JSC::Heap::registerWeakGCMap):
427         * heap/WeakInlines.h:
428         * inspector/ConsoleMessage.cpp:
429         (Inspector::ConsoleMessage::addToFrontend):
430         * inspector/ContentSearchUtilities.cpp:
431         (Inspector::ContentSearchUtilities::searchInTextByLines):
432         * inspector/InjectedScript.cpp:
433         (Inspector::InjectedScript::getFunctionDetails):
434         (Inspector::InjectedScript::getProperties):
435         (Inspector::InjectedScript::getDisplayableProperties):
436         (Inspector::InjectedScript::getInternalProperties):
437         (Inspector::InjectedScript::getCollectionEntries):
438         (Inspector::InjectedScript::wrapCallFrames):
439         * inspector/InspectorAgentRegistry.cpp:
440         (Inspector::AgentRegistry::append):
441         (Inspector::AgentRegistry::appendExtraAgent):
442         * inspector/InspectorBackendDispatcher.cpp:
443         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
444         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
445         (Inspector::BackendDispatcher::BackendDispatcher):
446         (Inspector::BackendDispatcher::create):
447         (Inspector::BackendDispatcher::sendPendingErrors):
448         * inspector/InspectorProtocolTypes.h:
449         (Inspector::Protocol::Array::addItem):
450         * inspector/InspectorValues.cpp:
451         * inspector/InspectorValues.h:
452         (Inspector::InspectorObjectBase::setValue):
453         (Inspector::InspectorObjectBase::setObject):
454         (Inspector::InspectorObjectBase::setArray):
455         (Inspector::InspectorArrayBase::pushValue):
456         (Inspector::InspectorArrayBase::pushObject):
457         (Inspector::InspectorArrayBase::pushArray):
458         * inspector/JSGlobalObjectConsoleClient.cpp:
459         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
460         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
461         * inspector/JSGlobalObjectInspectorController.cpp:
462         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
463         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
464         * inspector/JSInjectedScriptHost.cpp:
465         (Inspector::JSInjectedScriptHost::JSInjectedScriptHost):
466         * inspector/JSInjectedScriptHost.h:
467         (Inspector::JSInjectedScriptHost::create):
468         * inspector/agents/InspectorAgent.cpp:
469         (Inspector::InspectorAgent::activateExtraDomain):
470         * inspector/agents/InspectorConsoleAgent.cpp:
471         (Inspector::InspectorConsoleAgent::addMessageToConsole):
472         (Inspector::InspectorConsoleAgent::addConsoleMessage):
473         * inspector/agents/InspectorDebuggerAgent.cpp:
474         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
475         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
476         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
477         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
478         (Inspector::InspectorDebuggerAgent::breakProgram):
479         * inspector/agents/InspectorHeapAgent.cpp:
480         (Inspector::InspectorHeapAgent::didGarbageCollect):
481         * inspector/agents/InspectorRuntimeAgent.cpp:
482         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
483         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
484         * inspector/agents/InspectorScriptProfilerAgent.cpp:
485         (Inspector::InspectorScriptProfilerAgent::addEvent):
486         (Inspector::buildInspectorObject):
487         (Inspector::buildProfileInspectorObject):
488         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
489         * inspector/augmentable/AlternateDispatchableAgent.h:
490         * inspector/scripts/codegen/cpp_generator_templates.py:
491         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
492         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
493         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
494         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
495         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
496         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
497         (_generate_unchecked_setter_for_member):
498         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
499         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
500         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
501         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
502         * inspector/scripts/codegen/objc_generator_templates.py:
503         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
504         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
505         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
506         * inspector/scripts/tests/expected/enum-values.json-result:
507         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
508         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
509         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
510         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
511         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
512         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
513         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
514         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
515         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
516         * jit/CallFrameShuffler.cpp:
517         (JSC::CallFrameShuffler::performSafeWrites):
518         * jit/PolymorphicCallStubRoutine.cpp:
519         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
520         * jit/Repatch.cpp:
521         (JSC::tryCacheGetByID):
522         (JSC::tryCachePutByID):
523         (JSC::tryRepatchIn):
524         (JSC::linkPolymorphicCall):
525         * parser/Nodes.cpp:
526         (JSC::ProgramNode::setClosedVariables):
527         * parser/Parser.cpp:
528         (JSC::Parser<LexerType>::parseInner):
529         (JSC::Parser<LexerType>::parseFunctionInfo):
530         * parser/Parser.h:
531         (JSC::Parser::closedVariables):
532         * parser/SourceProviderCache.cpp:
533         (JSC::SourceProviderCache::add):
534         * profiler/ProfileNode.h:
535         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
536         * replay/EncodedValue.cpp:
537         (JSC::EncodedValue::get<EncodedValue>):
538         * replay/scripts/CodeGeneratorReplayInputs.py:
539         (Generator.generate_member_move_expression):
540         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
541         (Test::HandleWheelEvent::HandleWheelEvent):
542         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
543         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
544         (Test::MapInput::MapInput):
545         (JSC::InputTraits<Test::MapInput>::decode):
546         * runtime/ConsoleClient.cpp:
547         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
548         (JSC::ConsoleClient::logWithLevel):
549         (JSC::ConsoleClient::clear):
550         (JSC::ConsoleClient::dir):
551         (JSC::ConsoleClient::dirXML):
552         (JSC::ConsoleClient::table):
553         (JSC::ConsoleClient::trace):
554         (JSC::ConsoleClient::assertCondition):
555         (JSC::ConsoleClient::group):
556         (JSC::ConsoleClient::groupCollapsed):
557         (JSC::ConsoleClient::groupEnd):
558         * runtime/JSNativeStdFunction.cpp:
559         (JSC::JSNativeStdFunction::create):
560         * runtime/JSString.h:
561         (JSC::jsNontrivialString):
562         * runtime/JSStringJoiner.cpp:
563         (JSC::JSStringJoiner::join):
564         * runtime/JSStringJoiner.h:
565         (JSC::JSStringJoiner::append):
566         * runtime/NativeStdFunctionCell.cpp:
567         (JSC::NativeStdFunctionCell::create):
568         (JSC::NativeStdFunctionCell::NativeStdFunctionCell):
569         * runtime/ScopedArgumentsTable.cpp:
570         (JSC::ScopedArgumentsTable::setLength):
571         * runtime/StructureIDTable.cpp:
572         (JSC::StructureIDTable::resize):
573         * runtime/TypeSet.cpp:
574         (JSC::StructureShape::inspectorRepresentation):
575         * runtime/WeakGCMap.h:
576         (JSC::WeakGCMap::set):
577         * tools/CodeProfile.h:
578         (JSC::CodeProfile::addChild):
579         * yarr/YarrInterpreter.cpp:
580         (JSC::Yarr::ByteCompiler::compile):
581         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
582         * yarr/YarrInterpreter.h:
583         (JSC::Yarr::BytecodePattern::BytecodePattern):
584         * yarr/YarrPattern.cpp:
585         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
586         (JSC::Yarr::YarrPatternConstructor::reset):
587         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
588         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
589         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
590         (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
591         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
592
593 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
594
595         Unreviewed, fix copyright dates. It's super annoying when we forget to update these, and I
596         just forgot to do so in the last commit. Also update the date of the last commit in the
597         ChangeLog.
598
599         * b3/air/AirIteratedRegisterCoalescing.cpp:
600         * b3/air/AirOpcode.opcodes:
601         * b3/air/AirTmpWidth.cpp:
602         * b3/air/AirTmpWidth.h:
603         * ftl/FTLB3Output.cpp:
604         * ftl/FTLB3Output.h:
605
606 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
607
608         FTL B3 should be able to run all of the old V8v7 tests
609         https://bugs.webkit.org/show_bug.cgi?id=152579
610
611         Reviewed by Saam Barati.
612
613         Fixes some silly bugs that were preventing us from running all of the old V8v7 tests.
614
615         IRC's analysis of when to turn a Move into a Move32 when spilling is based on the premise
616         that if the dst has a 32-bit def width, then the src must also have a 32-bit def width. But
617         that doesn't happen if the src is an immediate.
618
619         This changes that condition in IRC to use the combined use/def width of both src and dst
620         rather than being clever. This is great because it's the combined width that determines the
621         size of the spill slot.
622
623         Also added some more debug support to TmpWidth.
624
625         This also fixes Air's description of DivDouble; previously it claimed to be a 32-bit
626         operation. Also implements Output::unsignedToDouble(), since we already had everything we
627         needed to implement this optimally.
628
629         * b3/air/AirIteratedRegisterCoalescing.cpp:
630         * b3/air/AirOpcode.opcodes:
631         * b3/air/AirTmpWidth.cpp:
632         (JSC::B3::Air::TmpWidth::recompute):
633         (JSC::B3::Air::TmpWidth::Widths::dump):
634         * b3/air/AirTmpWidth.h:
635         (JSC::B3::Air::TmpWidth::Widths::Widths):
636         * ftl/FTLB3Output.cpp:
637         (JSC::FTL::Output::doubleToUInt):
638         (JSC::FTL::Output::unsignedToDouble):
639         * ftl/FTLB3Output.h:
640         (JSC::FTL::Output::zeroExt):
641         (JSC::FTL::Output::zeroExtPtr):
642         (JSC::FTL::Output::intToDouble):
643         (JSC::FTL::Output::castToInt32):
644         (JSC::FTL::Output::unsignedToDouble): Deleted.
645
646 2016-01-01  Jeff Miller  <jeffm@apple.com>
647
648         Update user-visible copyright strings to include 2016
649         https://bugs.webkit.org/show_bug.cgi?id=152531
650
651         Reviewed by Alexey Proskuryakov.
652
653         * Info.plist:
654
655 2015-12-31  Andy Estes  <aestes@apple.com>
656
657         Fix warnings uncovered by migrating to WTF_MOVE
658         https://bugs.webkit.org/show_bug.cgi?id=152601
659
660         Reviewed by Daniel Bates.
661
662         * create_regex_tables: Moving a return value prevented copy elision.
663         * ftl/FTLUnwindInfo.cpp:
664         (JSC::FTL::parseUnwindInfo): Ditto.
665         * replay/EncodedValue.h: Ditto.
666
667 2015-12-30  Aleksandr Skachkov  <gskachkov@gmail.com>
668
669         [ES6] Arrow function syntax. Arrow function specific features. Lexical bind "super"
670         https://bugs.webkit.org/show_bug.cgi?id=149615
671
672         Reviewed by Saam Barati.
673
        Implemented lexical binding of the "super" property for arrow functions. The 'super' property
        can be accessed inside an arrow function if the arrow function is nested in a constructor,
        method, getter or setter of a class. In the current patch, using 'super' in an arrow function
        that is declared outside of a class leads to the wrong type of error; it should be a
        SyntaxError (https://bugs.webkit.org/show_bug.cgi?id=150893) and this will be fixed in a
        separate patch.
679
680         * builtins/BuiltinExecutables.cpp:
681         (JSC::createExecutableInternal):
682         * bytecode/EvalCodeCache.h:
683         (JSC::EvalCodeCache::getSlow):
684         * bytecode/ExecutableInfo.h:
685         (JSC::ExecutableInfo::ExecutableInfo):
686         (JSC::ExecutableInfo::derivedContextType):
687         (JSC::ExecutableInfo::isClassContext):
688         * bytecode/UnlinkedCodeBlock.cpp:
689         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
690         * bytecode/UnlinkedCodeBlock.h:
691         (JSC::UnlinkedCodeBlock::derivedContextType):
692         (JSC::UnlinkedCodeBlock::isClassContext):
693         * bytecode/UnlinkedFunctionExecutable.cpp:
694         (JSC::generateUnlinkedFunctionCodeBlock):
695         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
696         * bytecode/UnlinkedFunctionExecutable.h:
697         * bytecompiler/BytecodeGenerator.cpp:
698         (JSC::BytecodeGenerator::BytecodeGenerator):
699         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
700         * bytecompiler/BytecodeGenerator.h:
701         (JSC::BytecodeGenerator::derivedContextType):
702         (JSC::BytecodeGenerator::isDerivedConstructorContext):
703         (JSC::BytecodeGenerator::isDerivedClassContext):
704         (JSC::BytecodeGenerator::isArrowFunction):
705         (JSC::BytecodeGenerator::makeFunction):
706         * bytecompiler/NodesCodegen.cpp:
707         (JSC::emitHomeObjectForCallee):
708         (JSC::FunctionCallValueNode::emitBytecode):
709         * debugger/DebuggerCallFrame.cpp:
710         (JSC::DebuggerCallFrame::evaluate):
711         * interpreter/Interpreter.cpp:
712         (JSC::eval):
713         * runtime/CodeCache.cpp:
714         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
715         * runtime/Executable.cpp:
716         (JSC::ScriptExecutable::ScriptExecutable):
717         (JSC::EvalExecutable::create):
718         (JSC::EvalExecutable::EvalExecutable):
719         (JSC::ProgramExecutable::ProgramExecutable):
720         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
721         (JSC::FunctionExecutable::FunctionExecutable):
722         * runtime/Executable.h:
723         (JSC::ScriptExecutable::derivedContextType):
724         * runtime/JSGlobalObjectFunctions.cpp:
725         (JSC::globalFuncEval):
726         * tests/es6.yaml:
727         * tests/stress/arrowfunction-lexical-bind-superproperty.js: Added.
728
729 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
730
731         Unreviewed, relax limitation in operationCreateThis
732         https://bugs.webkit.org/show_bug.cgi?id=152383
733
        Unreviewed. operationCreateThis can now be called with a non-constructible function.
735
736         * dfg/DFGOperations.cpp:
737
738 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
739
740         [ES6][ES7] Drop Constructability of generator function
741         https://bugs.webkit.org/show_bug.cgi?id=152383
742
743         Reviewed by Saam Barati.
744
        We drop the constructability of generator functions.
        This functionality has already landed in the ES 2016 draft[1],
        and it simplifies JSC's existing generator implementation by
        dropping the GeneratorThisMode flag.
749
750         [1]: https://github.com/tc39/ecma262/releases/tag/es2016-draft-20151201
751
752         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
753         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
754         * JavaScriptCore.xcodeproj/project.pbxproj:
755         * builtins/BuiltinExecutables.cpp:
756         (JSC::createExecutableInternal):
757         * bytecode/ExecutableInfo.h:
758         (JSC::ExecutableInfo::ExecutableInfo):
759         (JSC::ExecutableInfo::generatorThisMode): Deleted.
760         * bytecode/UnlinkedCodeBlock.cpp:
761         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
762         * bytecode/UnlinkedCodeBlock.h:
763         (JSC::UnlinkedCodeBlock::generatorThisMode): Deleted.
764         * bytecode/UnlinkedFunctionExecutable.cpp:
765         (JSC::generateUnlinkedFunctionCodeBlock):
766         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
767         * bytecode/UnlinkedFunctionExecutable.h:
768         * bytecompiler/BytecodeGenerator.cpp:
769         (JSC::BytecodeGenerator::BytecodeGenerator): Deleted.
770         * bytecompiler/BytecodeGenerator.h:
771         (JSC::BytecodeGenerator::makeFunction):
772         (JSC::BytecodeGenerator::generatorThisMode): Deleted.
773         * bytecompiler/NodesCodegen.cpp:
774         (JSC::ThisNode::emitBytecode):
775         * interpreter/Interpreter.cpp:
776         (JSC::eval): Deleted.
777         * runtime/CodeCache.cpp:
778         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
779         * runtime/Executable.h:
780         * runtime/GeneratorThisMode.h: Removed.
781         * tests/stress/generator-eval-this.js:
782         (shouldThrow):
783         * tests/stress/generator-is-not-constructible.js: Added.
784         (shouldThrow):
785         (A.staticGen):
786         (A.prototype.gen):
787         (A):
788         (TypeError):
789         * tests/stress/generator-this.js:
790         (shouldBe.g.next):
791         * tests/stress/generator-with-new-target.js:
792         (shouldThrow):
793
794 2015-12-27  Filip Pizlo  <fpizlo@apple.com>
795
796         FTL B3 should know that used registers are not the same thing as used registers. Rename the
797         latter to unavailable registers to avoid future confusion.
798         https://bugs.webkit.org/show_bug.cgi?id=152572
799
800         Reviewed by Saam Barati.
801
802         Prior to this change, we used the term "used registers" in two different senses:
803
804         - The set of registers that are live at some point in the current compilation unit. A
805           register is live at some point if it is read after that point on some path through that
806           point.
807
808         - The set of registers that are not available for scratch register use at some point. A
809           register may not be available if it is live or if it is a callee-save register but it is
810           not being saved by the current compilation.
811
812         In the old FTL LLVM code, we had some translations from the first sense into the second
813         sense. We forgot to do those in FTL B3, and so we get crashes, for example in V8/splay. That
814         benchmark highlighted this issue because it fired some lazy slow paths, and then used an
815         unsaved callee-save for scratch.
816  
817         Curiously, we could merge these two definitions by observing that, in some sense, an unsaved
818         callee save is live at every point in a compilation in the sense that it may contain a value
819         that will be read when the compilation returns. That's pretty cool, but it feels strange to
820         me. This isn't how we would normally define liveness of registers. It's not how the
821         Air::TmpLiveness analysis would do it for any of its other clients.
822
823         So, this changes B3 to have two different concepts:
824
825         - Used registers. These are the registers that are live.
826
827         - Unavailable registers. These are the registers that are not available for scratch. It's
828           always a superset of used registers.
829
830         This also changes FTLLower to use unavailableRegisters() pretty much everywhere that it
831         previously used usedRegisters().
832
833         This makes it possible to run V8/splay.
834
835         * b3/B3StackmapGenerationParams.cpp:
836         (JSC::B3::StackmapGenerationParams::usedRegisters):
837         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
838         (JSC::B3::StackmapGenerationParams::proc):
839         * b3/B3StackmapGenerationParams.h:
840         * ftl/FTLLowerDFGToLLVM.cpp:
841         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
842         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
843         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
844
845 2015-12-25  Andy Estes  <aestes@apple.com>
846
847         Stop moving local objects in return statements
848         https://bugs.webkit.org/show_bug.cgi?id=152557
849
850         Reviewed by Brady Eidson.
851
852         Calling std::move() on a local object in a return statement prevents the compiler from applying the return value optimization.
853
854         Clang can warn about these mistakes with -Wpessimizing-move, although only when std::move() is called directly.
855         I found these issues by temporarily replacing WTF::move with std::move and recompiling.
856
857         * inspector/ScriptCallStack.cpp:
858         (Inspector::ScriptCallStack::buildInspectorArray):
859         * inspector/agents/InspectorScriptProfilerAgent.cpp:
860         (Inspector::buildInspectorObject):
861         * jit/CallFrameShuffler.h:
862         (JSC::CallFrameShuffler::snapshot):
863         * runtime/TypeSet.cpp:
864         (JSC::TypeSet::allStructureRepresentations):
865         (JSC::StructureShape::inspectorRepresentation):
866
867 2015-12-26  Mark Lam  <mark.lam@apple.com>
868
869         Rename NodeMayOverflowInXXX to NodeMayOverflowInt32InXXX.
870         https://bugs.webkit.org/show_bug.cgi?id=152555
871
872         Reviewed by Alex Christensen.
873
        That's because the NodeMayOverflowInBaseline and NodeMayOverflowInDFG flags only
        indicate potential overflowing of Int32 values.  We'll be adding overflow
        profiling for Int52 values later, and we should disambiguate between the 2 types.
877
878         This is purely a renaming patch.  There are no semantic changes.
879
880         * dfg/DFGByteCodeParser.cpp:
881         (JSC::DFG::ByteCodeParser::makeSafe):
882         (JSC::DFG::ByteCodeParser::makeDivSafe):
883         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
884         * dfg/DFGNodeFlags.cpp:
885         (JSC::DFG::dumpNodeFlags):
886         * dfg/DFGNodeFlags.h:
887         (JSC::DFG::nodeMayOverflowInt32):
888         (JSC::DFG::nodeCanSpeculateInt32):
889         (JSC::DFG::nodeMayOverflow): Deleted.
890
891 2015-12-23  Andreas Kling  <akling@apple.com>
892
893         jsc CLI tool crashes on EOF.
894         <https://webkit.org/b/152522>
895
896         Reviewed by Benjamin Poulain.
897
898         SourceProvider should treat String() like the empty string for hashing purposes.
899         This was a subtle behavior change in r194017 due to how zero-length strings are
900         treated by StringImpl::createSubstringSharingImpl().
901
902         I made these SourceProviders store a Ref<StringImpl> internally instead of a
903         String, to codify the fact that these strings can't be null strings.
904
905         I couldn't find a way to cause this crash through the API.
906
907         * API/JSScriptRef.cpp:
908         (OpaqueJSScript::OpaqueJSScript):
909         * parser/SourceProvider.h:
910         (JSC::StringSourceProvider::StringSourceProvider):
911
912 2015-12-23  Filip Pizlo  <fpizlo@apple.com>
913
914         FTL B3 should be able to run crypto-sha1 in eager mode
915         https://bugs.webkit.org/show_bug.cgi?id=152539
916
917         Reviewed by Saam Barati.
918
919         This patch contains one real bug fix and some other fixes that are primarily there for sanity
920         because I don't believe they are symptomatic.
921
922         The real fix is the instruction selector's handling of Phi. It was assuming that the correct
923         lowering of Phi is to do nothing and the correct lowering of Upsilon is to store into the tmp
924         that the Phi uses. But this fails for code patterns like:
925
926             @a = Phi()
927             Upsilon(@x, ^a)
928             use(@a) // this should see the value that @a had at the point that "@a = Phi()" executed.
929
930         This arises when we have a lot of Upsilons in a row and they are trying to perform a
931         shuffling. Prior to this change, "use(@a)" would see the new value of @a, i.e. @x. That's
932         wrong. So, this changes the lowering to make each Phi have a special shadow Tmp, and Upsilon
933         stores to it while Phi loads from it. Most of these assignments get copy-propagated by IRC,
934         so it doesn't really hurt us. I couldn't find any benchmarks that slowed down because of
935         this. In fact, I believe that the only time that this would lead to extra interference or
936         extra assignments is when it's actually needed to be correct.
937
938         This also contains other fixes, which are probably not for real bugs, but they make me feel
939         all warm and fuzzy:
940
941         - spillEverything() works again.  Previously, it didn't have all of IRC's smarts for handling
942           a spill of a ZDef.  I fixed this by creating a helper phase that finds all subwidth ZDefs
943           to spill slots and amends them with zero-fills of the top bits.
944
945         - IRC no longer requires precise TmpWidth analysis.  Previously, if TmpWidth gave pessimistic
946           results, the subwidth ZDef bug would return.  That probably means that it was never fixed
947           to begin with, since it's totally cool for just a single def or use of a tmp to cause it
948           to become pessimistic. But there may still have been some subwidth ZDefs.  The way that I
949           fixed this bug is to have IRC also run the ZDef fixup code that spillEverything() uses.
950           This is abstracted behind the beautifully named Air::fixSpillSlotZDef().
951
952         - B3::validate() does dominance checks!  So, if you shoot yourself in the foot by using
953           something before defining it, validate() will tell you.
954
955         - Air::TmpWidth is now easy to "turn off" - i.e. to make it go fully conservative. It's not
956           an Option; you have to hack code. But that's better than nothing, and it's consistent with
957           what we do for other super-internal compiler options that we use rarely.
958
959         - You can now run spillEverything() without hacking code.  Just use
960           Options::airSpillSeverything().
961
962         * JavaScriptCore.xcodeproj/project.pbxproj:
963         * b3/B3LowerToAir.cpp:
964         (JSC::B3::Air::LowerToAir::LowerToAir):
965         (JSC::B3::Air::LowerToAir::run):
966         (JSC::B3::Air::LowerToAir::lower):
967         * b3/B3Validate.cpp:
968         * b3/air/AirCode.h:
969         (JSC::B3::Air::Code::specials):
970         (JSC::B3::Air::Code::forAllTmps):
971         (JSC::B3::Air::Code::isFastTmp):
972         * b3/air/AirFixSpillSlotZDef.h: Added.
973         (JSC::B3::Air::fixSpillSlotZDef):
974         * b3/air/AirGenerate.cpp:
975         (JSC::B3::Air::prepareForGeneration):
976         * b3/air/AirIteratedRegisterCoalescing.cpp:
977         * b3/air/AirSpillEverything.cpp:
978         (JSC::B3::Air::spillEverything):
979         * b3/air/AirTmpWidth.cpp:
980         (JSC::B3::Air::TmpWidth::recompute):
981         * jit/JITOperations.cpp:
982         * runtime/Options.h:
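
        The Phi/Upsilon shuffling problem described in the entry above, modelled as a toy
        lowering and interpreter. This is an added illustration and not B3 or Air code: the
        IR shape, the "Move"/"Read" instructions, the loop body and the interpreter are all
        constructed here. It extends the ChangeLog's single-Phi case to a two-Phi swap so the
        difference between the two lowerings is visible in the values a use observes.

```javascript
// Toy model of the Phi/Upsilon lowering bug: an Upsilon that writes straight into the
// Phi's Tmp is visible to later uses of that Phi in the same iteration, so a chain of
// Upsilons performing a shuffle corrupts those uses. Constructed example, not B3 code.

// One loop body. @a and @b are Phis; each iteration swaps them through two Upsilons and
// then reads @a, which must still be the value the Phi produced at the top of the body.
const loopBody = [
    { op: "Phi", phi: "a" },
    { op: "Phi", phi: "b" },
    { op: "Upsilon", value: "b", phi: "a" }, // next @a := current @b
    { op: "Upsilon", value: "a", phi: "b" }, // next @b := current @a
    { op: "Use", value: "a" },               // must observe the value @a had at its Phi
];

// Buggy lowering: Phi emits nothing, Upsilon moves directly into the Phi's Tmp.
function lowerNaive(body) {
    const out = [];
    for (const inst of body) {
        if (inst.op === "Upsilon") out.push({ op: "Move", src: inst.value, dst: inst.phi });
        else if (inst.op === "Use") out.push({ op: "Read", src: inst.value });
    }
    return out;
}

// Fixed lowering: every Phi gets a shadow Tmp. Upsilon stores into the shadow and the
// Phi loads the shadow into its own Tmp, so uses after the Upsilons see the old value.
function lowerShadow(body) {
    const out = [];
    for (const inst of body) {
        if (inst.op === "Phi") out.push({ op: "Move", src: inst.phi + ".shadow", dst: inst.phi });
        else if (inst.op === "Upsilon") out.push({ op: "Move", src: inst.value, dst: inst.phi + ".shadow" });
        else if (inst.op === "Use") out.push({ op: "Read", src: inst.value });
    }
    return out;
}

// Runs the lowered body `iterations` times. `initial` holds the values arriving at the
// Phis on loop entry; they are seeded into both the Tmp and the shadow so either lowering
// starts from the same state. Returns the value seen by each Read, in order.
function run(lowered, initial, iterations) {
    const regs = {};
    for (const [phi, v] of Object.entries(initial)) {
        regs[phi] = v;
        regs[phi + ".shadow"] = v;
    }
    const observed = [];
    for (let i = 0; i < iterations; i++) {
        for (const inst of lowered) {
            if (inst.op === "Move") regs[inst.dst] = regs[inst.src];
            else observed.push(regs[inst.src]);
        }
    }
    return observed;
}

// Two iterations of the swap starting from a=1, b=2. Correct semantics: the use sees 1
// in the first iteration and 2 in the second (the swap has happened in between).
function naiveTrace() { return run(lowerNaive(loopBody), { a: 1, b: 2 }, 2); }
function shadowTrace() { return run(lowerShadow(loopBody), { a: 1, b: 2 }, 2); }
```

        With the naive lowering the first Upsilon overwrites @a before the use, and the
        second Upsilon then copies that already-clobbered value, so the swap degenerates to
        both Phis holding 2 and the use observes 2, 2. The shadow lowering observes 1, 2.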
983
984 2015-12-23  Filip Pizlo  <fpizlo@apple.com>
985
986         Need a story for platform-specific Args
987         https://bugs.webkit.org/show_bug.cgi?id=152529
988
989         Reviewed by Michael Saboff.
990
991         This teaches Arg that some Arg forms are not valid on some targets. The instruction selector now
992         uses this to avoid immediates and addresses that the target wouldn't like.
993
994         This shouldn't change code generation on X86, but is meant as a step towards ARM64 support.
995
996         * b3/B3LowerToAir.cpp:
997         (JSC::B3::Air::LowerToAir::crossesInterference):
998         (JSC::B3::Air::LowerToAir::effectiveAddr):
999         (JSC::B3::Air::LowerToAir::addr):
1000         (JSC::B3::Air::LowerToAir::loadPromise):
1001         (JSC::B3::Air::LowerToAir::imm):
1002         (JSC::B3::Air::LowerToAir::lower):
1003         * b3/air/AirAllocateStack.cpp:
1004         (JSC::B3::Air::allocateStack):
1005         * b3/air/AirArg.h:
1006         (JSC::B3::Air::Arg::Arg):
1007         (JSC::B3::Air::Arg::imm):
1008         (JSC::B3::Air::Arg::imm64):
1009         (JSC::B3::Air::Arg::callArg):
1010         (JSC::B3::Air::Arg::isValidScale):
1011         (JSC::B3::Air::Arg::tmpIndex):
1012         (JSC::B3::Air::Arg::withOffset):
1013         (JSC::B3::Air::Arg::isValidImmForm):
1014         (JSC::B3::Air::Arg::isValidAddrForm):
1015         (JSC::B3::Air::Arg::isValidIndexForm):
1016         (JSC::B3::Air::Arg::isValidForm):
1017         (JSC::B3::Air::Arg::forEachTmpFast):
1018         * b3/air/opcode_generator.rb:
1019
1020 2015-12-23  Keith Miller  <keith_miller@apple.com>
1021
1022         [JSC] Bugfix for intrinsic getters with dictionary structures.
1023         https://bugs.webkit.org/show_bug.cgi?id=152538
1024
1025         Reviewed by Mark Lam.
1026
        Intrinsic getters did not check if an object was a dictionary. This meant that if a property on
        the prototype chain of a dictionary was an intrinsic getter, we would IC it. Later, if a
        property was added to the dictionary, the IC would still return the result of the intrinsic.
        The fix is to no longer IC intrinsic getters if the base object is a dictionary.
1031
1032         * jit/Repatch.cpp:
1033         (JSC::tryCacheGetByID):
1034         * tests/stress/typedarray-length-dictionary.js: Added.
1035         (len):
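
        A regression-style check for the case described above, written here as an added
        example; it is not the WebKit test file named in the entry. Whether an object becomes
        a dictionary structure and whether an inline cache is installed are engine-internal
        details and are assumptions in the comments below; the check itself asserts only on
        observable semantics, which must hold in any engine.

```javascript
// Constructed check: warm a single .length read site against a typed array (so that the
// inherited %TypedArray%.prototype.length intrinsic getter is what the site resolves to),
// push the object towards a dictionary structure, then shadow the getter with an own
// property on that base and confirm the read site observes the new value.

// Reads .length through one call site so a JIT has exactly one inline cache to populate.
function len(o) {
    return o.length;
}

// Many named properties plus a delete: the pattern assumed to push a JSC object to a
// dictionary structure. The assumption only affects what a JIT does, not the semantics.
function makeDictionaryLike(obj, count) {
    for (let i = 0; i < count; i++)
        obj["prop" + i] = i;
    delete obj.prop0;
    return obj;
}

function runCheck() {
    const view = makeDictionaryLike(new Uint8Array(16), 100);

    // Warm-up: every read resolves to the intrinsic getter and yields the element count.
    const warm = [];
    for (let i = 0; i < 10000; i++)
        warm.push(len(view));

    // "length" is not a canonical numeric string, so a typed array accepts it as an
    // ordinary own data property, shadowing the inherited getter.
    Object.defineProperty(view, "length", { value: 1234, configurable: true });

    return {
        before: warm[0],
        allBeforeEqual: warm.every(v => v === 16),
        after: len(view),
    };
}
```

        A stale inline cache of the kind the entry describes would keep returning 16 for the
        final read; correct behaviour returns 1234.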
1036
1037 2015-12-23  Andy VanWagoner  <andy@instructure.com>
1038
1039         [INTL] Implement DateTime Format Functions
1040         https://bugs.webkit.org/show_bug.cgi?id=147606
1041
1042         Reviewed by Benjamin Poulain.
1043
1044         Initialize a UDateFormat from the generated pattern. Use udat_format()
1045         to format the value. Make sure that the UDateFormat is cleaned up when
1046         the DateTimeFormat is deconstructed.
1047
1048         * runtime/IntlDateTimeFormat.cpp:
1049         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat):
1050         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1051         (JSC::IntlDateTimeFormat::format):
1052         * runtime/IntlDateTimeFormat.h:
1053
1054 2015-12-23  Andy VanWagoner  <thetalecrafter@gmail.com>
1055
1056         [INTL] Implement String.prototype.localeCompare in ECMA-402
1057         https://bugs.webkit.org/show_bug.cgi?id=147607
1058
1059         Reviewed by Benjamin Poulain.
1060
1061         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
1062         Keep existing native implementation for use if INTL flag is disabled.
1063         For the common case where no locale or options are specified, avoid creating
1064         a new collator and just use the prototype which is initialized with the defaults.
1065
1066         * CMakeLists.txt:
1067         * DerivedSources.make:
1068         * JavaScriptCore.xcodeproj/project.pbxproj:
1069         * builtins/StringPrototype.js: Added.
1070         (localeCompare):
1071         * runtime/StringPrototype.cpp:
1072         (JSC::StringPrototype::finishCreation):
1073
1074 2015-12-23  Benjamin Poulain  <benjamin@webkit.org>
1075
1076         Fix x86_64 after r194388
1077
1078         * b3/B3LowerToAir.cpp:
1079         (JSC::B3::Air::LowerToAir::appendShift):
1080         (JSC::B3::Air::LowerToAir::lower):
1081         (JSC::B3::Air::LowerToAir::lowerX86Div):
1082
1083 2015-12-23  Benjamin Poulain  <bpoulain@apple.com>
1084
1085         [JSC] Get the JavaScriptCore framework to build on ARM64 with B3 enabled
1086         https://bugs.webkit.org/show_bug.cgi?id=152503
1087
1088         Reviewed by Filip Pizlo.
1089
1090         It is not working but it builds.
1091
1092         * assembler/ARM64Assembler.h:
1093         (JSC::ARM64Assembler::vand):
1094         (JSC::ARM64Assembler::vectorDataProcessing2Source):
1095         * assembler/MacroAssemblerARM64.h:
1096         (JSC::MacroAssemblerARM64::add32):
1097         (JSC::MacroAssemblerARM64::add64):
1098         (JSC::MacroAssemblerARM64::countLeadingZeros64):
1099         (JSC::MacroAssemblerARM64::not32):
1100         (JSC::MacroAssemblerARM64::not64):
1101         (JSC::MacroAssemblerARM64::zeroExtend16To32):
1102         (JSC::MacroAssemblerARM64::signExtend16To32):
1103         (JSC::MacroAssemblerARM64::zeroExtend8To32):
1104         (JSC::MacroAssemblerARM64::signExtend8To32):
1105         (JSC::MacroAssemblerARM64::addFloat):
1106         (JSC::MacroAssemblerARM64::ceilFloat):
1107         (JSC::MacroAssemblerARM64::branchDouble):
1108         (JSC::MacroAssemblerARM64::branchFloat):
1109         (JSC::MacroAssemblerARM64::divFloat):
1110         (JSC::MacroAssemblerARM64::moveZeroToDouble):
1111         (JSC::MacroAssemblerARM64::moveFloatTo32):
1112         (JSC::MacroAssemblerARM64::move32ToFloat):
1113         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
1114         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
1115         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
1116         (JSC::MacroAssemblerARM64::mulFloat):
1117         (JSC::MacroAssemblerARM64::andDouble):
1118         (JSC::MacroAssemblerARM64::andFloat):
1119         (JSC::MacroAssemblerARM64::sqrtFloat):
1120         (JSC::MacroAssemblerARM64::subFloat):
1121         (JSC::MacroAssemblerARM64::signExtend32ToPtr):
1122         (JSC::MacroAssemblerARM64::moveConditionally32):
1123         (JSC::MacroAssemblerARM64::moveConditionally64):
1124         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
1125         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
1126         (JSC::MacroAssemblerARM64::test32):
1127         (JSC::MacroAssemblerARM64::setCarry):
1128         (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
1129         * assembler/MacroAssemblerX86.h:
1130         (JSC::MacroAssemblerX86::moveDoubleToInts):
1131         (JSC::MacroAssemblerX86::moveIntsToDouble):
1132         * assembler/MacroAssemblerX86Common.h:
1133         (JSC::MacroAssemblerX86Common::move32ToFloat):
1134         (JSC::MacroAssemblerX86Common::moveFloatTo32):
1135         (JSC::MacroAssemblerX86Common::moveInt32ToPacked): Deleted.
1136         (JSC::MacroAssemblerX86Common::movePackedToInt32): Deleted.
1137         * b3/B3LowerToAir.cpp:
1138         (JSC::B3::Air::LowerToAir::appendShift):
1139         (JSC::B3::Air::LowerToAir::lower):
1140         * b3/air/AirInstInlines.h:
1141         (JSC::B3::Air::isX86DivHelperValid):
1142         * b3/air/AirOpcode.opcodes:
1143         * jit/AssemblyHelpers.h:
1144         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
1145         (JSC::AssemblyHelpers::emitFunctionEpilogue):
1146         * jit/FPRInfo.h:
1147         (JSC::FPRInfo::toArgumentRegister):
1148
1149 2015-12-23  Andy VanWagoner  <andy@instructure.com>
1150
1151         [INTL] Implement Intl.DateTimeFormat.prototype.resolvedOptions ()
1152         https://bugs.webkit.org/show_bug.cgi?id=147603
1153
1154         Reviewed by Benjamin Poulain.
1155
1156         Implements InitializeDateTimeFormat and related abstract operations
1157         using ICU. Lazy initialization is used for DateTimeFormat.prototype.
1158         Refactor to align with Collator work.
1159
1160         * icu/unicode/udatpg.h: Added.
1161         * icu/unicode/unumsys.h: Added.
1162         * runtime/CommonIdentifiers.h:
1163         * runtime/IntlDateTimeFormat.cpp:
1164         (JSC::defaultTimeZone):
1165         (JSC::canonicalizeTimeZoneName):
1166         (JSC::localeData):
1167         (JSC::toDateTimeOptions):
1168         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
1169         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1170         (JSC::IntlDateTimeFormat::weekdayString):
1171         (JSC::IntlDateTimeFormat::eraString):
1172         (JSC::IntlDateTimeFormat::yearString):
1173         (JSC::IntlDateTimeFormat::monthString):
1174         (JSC::IntlDateTimeFormat::dayString):
1175         (JSC::IntlDateTimeFormat::hourString):
1176         (JSC::IntlDateTimeFormat::minuteString):
1177         (JSC::IntlDateTimeFormat::secondString):
1178         (JSC::IntlDateTimeFormat::timeZoneNameString):
1179         (JSC::IntlDateTimeFormat::resolvedOptions):
1180         (JSC::IntlDateTimeFormat::format):
1181         (JSC::IntlDateTimeFormatFuncFormatDateTime): Deleted.
1182         * runtime/IntlDateTimeFormat.h:
1183         * runtime/IntlDateTimeFormatConstructor.cpp:
1184         (JSC::constructIntlDateTimeFormat):
1185         (JSC::callIntlDateTimeFormat):
1186         * runtime/IntlDateTimeFormatPrototype.cpp:
1187         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1188         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1189         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1190         * runtime/IntlObject.cpp:
1191         (JSC::resolveLocale):
1192         (JSC::getNumberingSystemsForLocale):
1193         * runtime/IntlObject.h:
1194
1195 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
1196
1197         REGRESSION(194382): FTL B3 no longer runs V8/encrypt
1198         https://bugs.webkit.org/show_bug.cgi?id=152519
1199
1200         Reviewed by Saam Barati.
1201
1202         A "Move Imm, Tmp" instruction should turn into "Move32 Imm, Tmp" if the Tmp is spilled to a
1203         32-bit slot. Changing where we check isTmp() achieves this. Since all of the logic is only
1204         relevant to when we spill without introducing a Tmp, and since a Move does not have a "Move Addr,
1205         Addr" form, this code ensures that the logic only happens for "Tmp, Tmp" and "Imm, Tmp".
1206
1207         * b3/air/AirIteratedRegisterCoalescing.cpp:
1208         * dfg/DFGOperations.cpp:
1209
1210 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
1211
1212         FTL B3 should use the right type for comparison slow paths
1213         https://bugs.webkit.org/show_bug.cgi?id=152521
1214
1215         Reviewed by Saam Barati.
1216
1217         Fixes a small goof that was leading to B3 validation failures.
1218
1219         * ftl/FTLLowerDFGToLLVM.cpp:
1220         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
1221
1222 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
1223
1224         FTL B3 should be able to run richards
1225         https://bugs.webkit.org/show_bug.cgi?id=152514
1226
1227         Reviewed by Michael Saboff.
1228
1229         This came down to a liveness bug and a register allocation bug.
1230
1231         The liveness bug was that the code that determined whether we should go around the fixpoint
1232         assumed that BitVector::quickSet() would return true if the bit changed state from false to
1233         true. That's not how it works. It returns the old value of the bit, so it will return false
1234         if the bit changed from false to true. Since there is already a lot of code that relies on
1235         this behavior, I fixed Liveness instead of changing BitVector.
1236
1237         The register allocation bug was that we weren't guarding some checks of tmp()'s with checks
1238         that the Arg isTmp().
1239
1240         The liveness took a long time to track down, and I needed to add a lot of dumping to do it.
1241         It's now possible to dump more of the liveness states, including liveAtHead. I found this
1242         extremely helpful, so I removed the code that cleared liveAtHead.
1243
1244         * b3/air/AirIteratedRegisterCoalescing.cpp:
1245         * b3/air/AirLiveness.h:
1246         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
1247         (JSC::B3::Air::AbstractLiveness::Iterable::Iterable):
1248         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::iterator):
1249         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator*):
1250         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator++):
1251         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator==):
1252         (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator!=):
1253         (JSC::B3::Air::AbstractLiveness::Iterable::begin):
1254         (JSC::B3::Air::AbstractLiveness::Iterable::end):
1255         (JSC::B3::Air::AbstractLiveness::liveAtHead):
1256         (JSC::B3::Air::AbstractLiveness::liveAtTail):
1257         * b3/air/AirStackSlot.h:
1258         (WTF::printInternal):
1259         * ftl/FTLOSRExitCompiler.cpp:
1260         (JSC::FTL::compileFTLOSRExit):
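
        The BitVector::quickSet() misreading described above, shown on a toy backward
        liveness fixpoint. This is an added example and not the Air code: the BitVector
        class (modelling only the documented behaviour that quickSet returns the bit's old
        value), the four-block CFG and both termination tests are constructed here.

```javascript
// Toy liveness fixpoint over a bit vector whose quickSet() returns the OLD bit value.
// Constructed example, not WTF::BitVector or Air::Liveness.

class BitVector {
    constructor() { this.bits = new Set(); }
    // Sets bit i and returns its previous value: true if it was already set.
    quickSet(i) { const old = this.bits.has(i); this.bits.add(i); return old; }
    values() { return [...this.bits].sort((x, y) => x - y); }
}

// Variables as bit indices: v = 0, w = 1.
// B0 defines v and falls into a loop B1 -> B2 -> (B1 | B3); B3 uses v after the loop,
// so v must be live throughout the loop, which needs more than one pass to discover.
const cfg = [
    { uses: [], defs: [0], succs: [1] },   // B0: v = ...
    { uses: [1], defs: [], succs: [2] },   // B1: use(w)
    { uses: [], defs: [], succs: [1, 3] }, // B2: back edge or exit
    { uses: [0], defs: [], succs: [] },    // B3: use(v)
];

// Backward liveness in forward block order (the slow direction, so the fixpoint matters).
// `bitChanged(oldValue)` decides whether a quickSet() result counts as a state change;
// the loop is capped because the wrong predicate can also fail to terminate.
function liveness(cfg, bitChanged, maxPasses = 16) {
    const liveAtHead = cfg.map(() => new BitVector());
    let passes = 0;
    let changed = true;
    while (changed && passes < maxPasses) {
        changed = false;
        passes++;
        for (let b = 0; b < cfg.length; b++) {
            const block = cfg[b];
            // liveAtTail = union of successors' liveAtHead; then kill defs, add uses.
            const live = new Set();
            for (const s of block.succs)
                for (const bit of liveAtHead[s].bits) live.add(bit);
            for (const d of block.defs) live.delete(d);
            for (const u of block.uses) live.add(u);
            for (const bit of live)
                if (bitChanged(liveAtHead[b].quickSet(bit))) changed = true;
        }
    }
    return { passes, liveAtHead: liveAtHead.map(bv => bv.values()) };
}

// The bug: treating quickSet()'s return as "did the bit change". Since it returns the
// old value, a fresh bit reports false and the fixpoint stops after one pass.
function buggyLiveness() { return liveness(cfg, old => old); }
// The fix: a bit changed exactly when its old value was false.
function fixedLiveness() { return liveness(cfg, old => !old); }
```

        On this CFG the buggy predicate stops after a single pass with v missing from the
        loop header's live set; the fixed predicate takes four passes and reports v and w
        live at B1 and B2.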
1261
1262 2015-12-22  Saam barati  <sbarati@apple.com>
1263
1264         Cloop build fix after https://bugs.webkit.org/show_bug.cgi?id=152511.
1265
1266         Unreviewed build fix.
1267
1268         * runtime/Options.cpp:
1269         (JSC::recomputeDependentOptions):
1270
1271 2015-12-22  Saam barati  <sbarati@apple.com>
1272
1273         Work around issue in bug #152510
1274         https://bugs.webkit.org/show_bug.cgi?id=152511
1275
1276         Reviewed by Filip Pizlo.
1277
1278         * runtime/Options.cpp:
1279         (JSC::recomputeDependentOptions):
1280
1281 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
1282
1283         FTL B3 does not logicalNot correctly
1284         https://bugs.webkit.org/show_bug.cgi?id=152512
1285
1286         Reviewed by Saam Barati.
1287
        I'm working on a bug where V8/richards does not run correctly. I noticed that the codegen was
        doing a lot of Not32's followed by branches, which smelled like badness. To debug this, I
        needed B3's origins to dump as something other than a hexed pointer to a node. The node index
        would be better. So, I added the notion of an origin printer to Procedure.
1292
1293         The bug was easy enough to fix. This introduces Output::logicalNot(). In LLVM, it's the same
1294         as bitNot(). In B3, it's compiled to Equal(value, 0). We could have also compiled it to
1295         BitXor(value, 1), except that B3 will strength-reduce to that anyway whenever it's safe. It's
1296         sort of nice that right now, you could use logicalNot() on non-bool values and get C-like
1297         behavior.
1298
1299         Richards still doesn't run, though. There are more bugs!
1300
1301         * JavaScriptCore.xcodeproj/project.pbxproj:
1302         * b3/B3BasicBlock.cpp:
1303         (JSC::B3::BasicBlock::dump):
1304         (JSC::B3::BasicBlock::deepDump):
1305         * b3/B3BasicBlock.h:
1306         (JSC::B3::BasicBlock::frequency):
1307         (JSC::B3::DeepBasicBlockDump::DeepBasicBlockDump):
1308         (JSC::B3::DeepBasicBlockDump::dump):
1309         (JSC::B3::deepDump):
1310         * b3/B3LowerToAir.cpp:
1311         (JSC::B3::Air::LowerToAir::run):
1312         (JSC::B3::Air::LowerToAir::lower):
1313         * b3/B3Origin.h:
1314         (JSC::B3::Origin::data):
1315         * b3/B3OriginDump.h: Added.
1316         (JSC::B3::OriginDump::OriginDump):
1317         (JSC::B3::OriginDump::dump):
1318         * b3/B3Procedure.cpp:
1319         (JSC::B3::Procedure::~Procedure):
1320         (JSC::B3::Procedure::printOrigin):
1321         (JSC::B3::Procedure::addBlock):
1322         (JSC::B3::Procedure::dump):
1323         * b3/B3Procedure.h:
1324         (JSC::B3::Procedure::setOriginPrinter):
1325         * b3/B3Value.cpp:
1326         (JSC::B3::Value::dumpChildren):
1327         (JSC::B3::Value::deepDump):
1328         * b3/B3Value.h:
1329         (JSC::B3::DeepValueDump::DeepValueDump):
1330         (JSC::B3::DeepValueDump::dump):
1331         (JSC::B3::deepDump):
1332         * ftl/FTLB3Output.cpp:
1333         (JSC::FTL::Output::lockedStackSlot):
1334         (JSC::FTL::Output::bitNot):
1335         (JSC::FTL::Output::logicalNot):
1336         (JSC::FTL::Output::load):
1337         * ftl/FTLB3Output.h:
1338         (JSC::FTL::Output::aShr):
1339         (JSC::FTL::Output::lShr):
1340         (JSC::FTL::Output::ctlz32):
1341         (JSC::FTL::Output::addWithOverflow32):
1342         (JSC::FTL::Output::lessThanOrEqual):
1343         (JSC::FTL::Output::doubleEqual):
1344         (JSC::FTL::Output::doubleEqualOrUnordered):
1345         (JSC::FTL::Output::doubleNotEqualOrUnordered):
1346         (JSC::FTL::Output::doubleLessThan):
1347         (JSC::FTL::Output::doubleLessThanOrEqual):
1348         (JSC::FTL::Output::doubleGreaterThan):
1349         (JSC::FTL::Output::doubleGreaterThanOrEqual):
1350         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1351         (JSC::FTL::Output::doubleLessThanOrUnordered):
1352         (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
1353         (JSC::FTL::Output::doubleGreaterThanOrUnordered):
1354         (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
1355         (JSC::FTL::Output::isZero32):
1356         (JSC::FTL::Output::notZero32):
1357         (JSC::FTL::Output::addIncomingToPhi):
1358         (JSC::FTL::Output::bitCast):
1359         (JSC::FTL::Output::bitNot): Deleted.
1360         * ftl/FTLLowerDFGToLLVM.cpp:
1361         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
1362         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
1363         (JSC::FTL::DFG::LowerDFGToLLVM::compileLogicalNot):
1364         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
1365         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
1366         (JSC::FTL::DFG::LowerDFGToLLVM::compileCountExecution):
1367         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1368         (JSC::FTL::DFG::LowerDFGToLLVM::isMisc):
1369         (JSC::FTL::DFG::LowerDFGToLLVM::isNotBoolean):
1370         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean):
1371         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean):
1372         (JSC::FTL::DFG::LowerDFGToLLVM::isNotType):
1373         (JSC::FTL::DFG::LowerDFGToLLVM::speculateObject):
1374         * ftl/FTLOutput.h:
1375         (JSC::FTL::Output::aShr):
1376         (JSC::FTL::Output::lShr):
1377         (JSC::FTL::Output::bitNot):
1378         (JSC::FTL::Output::logicalNot):
1379         (JSC::FTL::Output::insertElement):
1380         * ftl/FTLState.cpp:
1381         (JSC::FTL::State::State):
1382
1383 2015-12-22  Keith Miller  <keith_miller@apple.com>
1384
1385         Remove OverridesHasInstance from TypeInfoFlags
1386         https://bugs.webkit.org/show_bug.cgi?id=152005
1387
1388         Reviewed by Saam Barati.
1389
1390         Currently, we have three TypeInfo flags associated with instanceof behavior,
1391         ImplementsHasInstance, ImplementDefaultHasInstance, and OverridesHasInstance. This patch
1392         removes the third and moves the first to the out of line flags. In theory, we should only
1393         need one flag but removing ImplementsHasInstance is more involved and should be done in a
1394         separate patch.
1395
1396         * API/JSCallbackConstructor.h:
1397         * API/JSCallbackObject.h:
1398         * jit/JITOpcodes.cpp:
1399         (JSC::JIT::emit_op_overrides_has_instance):
1400         * jit/JITOpcodes32_64.cpp:
1401         (JSC::JIT::emit_op_overrides_has_instance):
1402         * llint/LLIntData.cpp:
1403         (JSC::LLInt::Data::performAssertions):
1404         * llint/LowLevelInterpreter.asm:
1405         * runtime/InternalFunction.h:
1406         * runtime/JSBoundFunction.h:
1407         * runtime/JSCallee.h:
1408         * runtime/JSTypeInfo.h:
1409         (JSC::TypeInfo::implementsHasInstance):
1410         (JSC::TypeInfo::TypeInfo): Deleted.
1411         (JSC::TypeInfo::overridesHasInstance): Deleted.
1412         * runtime/NumberConstructor.h:
1413
1414 2015-12-22  Filip Pizlo  <fpizlo@apple.com>
1415
1416         FTL B3 should do tail calls
1417         https://bugs.webkit.org/show_bug.cgi?id=152494
1418
1419         Reviewed by Michael Saboff.
1420
1421         OMG this was so easy.
1422
1423         The only shady part is that I broke a layering rule that we had so far been following: B3 was
1424         sitting below the JSC runtime, and did not use JS-specific types. No more, since B3::ValueRep
1425         can now turn itself into a ValueRecovery for a JSValue. This small feature makes a huge
1426         difference for the readability of tail call code: it makes it plain that the call frame
1427         shuffler is basically just directly consuming the stackmap generation params, and insofar as
1428         there is any data transformation, it's just because it uses different classes to say the same
1429         thing.
1430
1431         I think we should avoid adding too many JS-specific things to B3. But, so long as it's still
1432         possible to use B3 to compile things that aren't JS, I think we'll be fine.
1433
1434         * b3/B3ValueRep.cpp:
1435         (JSC::B3::ValueRep::dump):
1436         (JSC::B3::ValueRep::emitRestore):
1437         (JSC::B3::ValueRep::recoveryForJSValue):
1438         * b3/B3ValueRep.h:
1439         * ftl/FTLLowerDFGToLLVM.cpp:
1440         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
1441         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1442         * test/stress/ftl-tail-call.js: Added.
1443
1444 2015-12-21  Mark Lam  <mark.lam@apple.com>
1445
1446         Snippefy op_negate for the baseline JIT.
1447         https://bugs.webkit.org/show_bug.cgi?id=152447
1448
1449         Reviewed by Benjamin Poulain.
1450
1451         * CMakeLists.txt:
1452         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1453         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1454         * JavaScriptCore.xcodeproj/project.pbxproj:
1455         * jit/JITArithmetic.cpp:
1456         (JSC::JIT::emit_op_unsigned):
1457         (JSC::JIT::emit_op_negate):
1458         (JSC::JIT::emitSlow_op_negate):
1459         (JSC::JIT::emitBitBinaryOpFastPath):
1460         * jit/JITArithmetic32_64.cpp:
1461         (JSC::JIT::emit_compareAndJump):
1462         (JSC::JIT::emit_op_negate): Deleted.
1463         (JSC::JIT::emitSlow_op_negate): Deleted.
1464         * jit/JITNegGenerator.cpp: Added.
1465         (JSC::JITNegGenerator::generateFastPath):
1466         * jit/JITNegGenerator.h: Added.
1467         (JSC::JITNegGenerator::JITNegGenerator):
1468         (JSC::JITNegGenerator::didEmitFastPath):
1469         (JSC::JITNegGenerator::endJumpList):
1470         (JSC::JITNegGenerator::slowPathJumpList):
1471
1472 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1473
1474         Address review feedback from Saam.  I should have landed it in r194354.
1475
1476         * b3/testb3.cpp:
1477         (JSC::B3::testStore16Arg):
1478
1479 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1480
1481         B3 should be able to compile Store16
1482         https://bugs.webkit.org/show_bug.cgi?id=152493
1483
1484         Reviewed by Saam Barati.
1485
1486         This adds comprehensive Store16 support to our assembler, Air, and B3->Air lowering.
1487
1488         * assembler/MacroAssemblerX86Common.h:
1489         (JSC::MacroAssemblerX86Common::store16):
1490         * assembler/X86Assembler.h:
1491         (JSC::X86Assembler::movb_rm):
1492         (JSC::X86Assembler::movw_rm):
1493         * b3/B3LowerToAir.cpp:
1494         (JSC::B3::Air::LowerToAir::lower):
1495         * b3/air/AirOpcode.opcodes:
1496         * b3/testb3.cpp:
1497         (JSC::B3::testStorePartial8BitRegisterOnX86):
1498         (JSC::B3::testStore16Arg):
1499         (JSC::B3::testStore16Imm):
1500         (JSC::B3::testTrunc):
1501         (JSC::B3::run):
1502
1503 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1504
1505         Unreviewed, remove highBitsAreZero(), it's unused.
1506
1507         * b3/B3LowerToAir.cpp:
1508         (JSC::B3::Air::LowerToAir::run):
1509         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1510         (JSC::B3::Air::LowerToAir::highBitsAreZero): Deleted.
1511
1512 2015-12-21  Csaba Osztrogonác  <ossy@webkit.org>
1513
1514         Unreviewed, fix the !FTL_USES_B3 build after r194334.
1515
1516         * ftl/FTLLowerDFGToLLVM.cpp: Mark forwarding unused variable.
1517         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1518
1519 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1520
1521         FTL B3 should do doubleToInt32
1522         https://bugs.webkit.org/show_bug.cgi?id=152484
1523
1524         Reviewed by Saam Barati.
1525
1526         We used to have a DToI32 opcode in B3 that we never implemented. This removes that opcode,
1527         since double-to-int conversion has dramatically different semantics on different
1528         architectures. We let FTL get the conversion instruction it wants by using a patchpoint.
1529
1530         * b3/B3Opcode.cpp:
1531         (WTF::printInternal):
1532         * b3/B3Opcode.h:
1533         * b3/B3Validate.cpp:
1534         * b3/B3Value.cpp:
1535         (JSC::B3::Value::effects):
1536         (JSC::B3::Value::key):
1537         (JSC::B3::Value::typeFor):
1538         * b3/B3ValueKey.cpp:
1539         (JSC::B3::ValueKey::materialize):
1540         * ftl/FTLB3Output.cpp:
1541         (JSC::FTL::Output::Output):
1542         (JSC::FTL::Output::appendTo):
1543         (JSC::FTL::Output::lockedStackSlot):
1544         (JSC::FTL::Output::load):
1545         (JSC::FTL::Output::doublePowi):
1546         (JSC::FTL::Output::hasSensibleDoubleToInt):
1547         (JSC::FTL::Output::doubleToInt):
1548         (JSC::FTL::Output::doubleToUInt):
1549         (JSC::FTL::Output::load8SignExt32):
1550         (JSC::FTL::Output::load8ZeroExt32):
1551         (JSC::FTL::Output::load16SignExt32):
1552         (JSC::FTL::Output::load16ZeroExt32):
1553         (JSC::FTL::Output::store):
1554         (JSC::FTL::Output::store32As8):
1555         (JSC::FTL::Output::store32As16):
1556         (JSC::FTL::Output::branch):
1557         * ftl/FTLB3Output.h:
1558         (JSC::FTL::Output::doubleLog):
1559         (JSC::FTL::Output::signExt32To64):
1560         (JSC::FTL::Output::zeroExt):
1561         (JSC::FTL::Output::zeroExtPtr):
1562         (JSC::FTL::Output::intToDouble):
1563         (JSC::FTL::Output::unsignedToDouble):
1564         (JSC::FTL::Output::castToInt32):
1565         (JSC::FTL::Output::hasSensibleDoubleToInt): Deleted.
1566         (JSC::FTL::Output::sensibleDoubleToInt): Deleted.
1567         (JSC::FTL::Output::fpToInt32): Deleted.
1568         (JSC::FTL::Output::fpToUInt32): Deleted.
1569         * ftl/FTLLowerDFGToLLVM.cpp:
1570         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithPow):
1571         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
1572         (JSC::FTL::DFG::LowerDFGToLLVM::compileSwitch):
1573         (JSC::FTL::DFG::LowerDFGToLLVM::doubleToInt32):
1574         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
1575         (JSC::FTL::DFG::LowerDFGToLLVM::convertDoubleToInt32):
1576         * ftl/FTLOutput.h:
1577         (JSC::FTL::Output::hasSensibleDoubleToInt):
1578         (JSC::FTL::Output::doubleToInt):
1579         (JSC::FTL::Output::doubleToUInt):
1580         (JSC::FTL::Output::signExt32To64):
1581         (JSC::FTL::Output::zeroExt):
1582
1583 2015-12-21  Skachkov Oleksandr  <gskachkov@gmail.com>
1584
1585         Unexpected exception assigning to this._property inside arrow function
1586         https://bugs.webkit.org/show_bug.cgi?id=152028
1587
1588         Reviewed by Saam Barati.
1589
1590         The issue appeared when an arrow function created a base-level lexical environment; in that case
1591         the |this| value was loaded from the wrong scope. The problem was that loading of |this| happened
1592         too early when compiling bytecode, because the bytecode generator's scope stack wasn't in sync
1593         with the runtime scope stack. To fix the issue, loading of |this| was moved after
1594         initializeDefaultParameterValuesAndSetupFunctionScopeStack in BytecodeGenerator.cpp.
1595
1596         * bytecompiler/BytecodeGenerator.cpp:
1597         (JSC::BytecodeGenerator::BytecodeGenerator):
1598         * tests/stress/arrowfunction-lexical-bind-this-2.js:
1599
1600 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1601
1602         FTL B3 should do vararg calls
1603         https://bugs.webkit.org/show_bug.cgi?id=152468
1604
1605         Reviewed by Benjamin Poulain.
1606
1607         This adds FTL->B3 lowering of all kinds of varargs calls - forwarding or not, tail or not,
1608         and construct or not. Like all other such lowerings, all of the code is in one place in
1609         FTLLower.
1610
1611         I removed code for varargs and exception spill slots from the B3 path, since it won't need
1612         it. The plan is to rely on B3 doing the spilling for us by using some combination of early
1613         clobber and late use.
1614
1615         This adds ValueRep::emitRestore(), a helpful method for emitting code to restore any ValueRep
1616         into any 64-bit Reg (FPR or GPR).
1617
1618         I wrote new tests for vararg calls, because I wasn't sure which of the existing ones we can
1619         run. These are short-running tests, so I'm not worried about bloating our test suite.
1620
1621         * b3/B3ValueRep.cpp:
1622         (JSC::B3::ValueRep::dump):
1623         (JSC::B3::ValueRep::emitRestore):
1624         * b3/B3ValueRep.h:
1625         * ftl/FTLLowerDFGToLLVM.cpp:
1626         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1627         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1628         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
1629         * ftl/FTLState.h:
1630         * tests/stress/varargs-no-forward.js: Added.
1631         * tests/stress/varargs-simple.js: Added.
1632         * tests/stress/varargs-two-level.js: Added.
1633
1634 2015-12-18  Mark Lam  <mark.lam@apple.com>
1635
1636         Add unary operator tests to compare JIT and LLINT results.
1637         https://bugs.webkit.org/show_bug.cgi?id=152453
1638
1639         Reviewed by Benjamin Poulain.
1640
1641         Also fixed a few things in the binary-op-test.js.
1642
1643         * tests/stress/op_negate.js: Added.
1644         (o1.valueOf):
1645         * tests/stress/op_postdec.js: Added.
1646         (o1.valueOf):
1647         * tests/stress/op_postinc.js: Added.
1648         (o1.valueOf):
1649         * tests/stress/op_predec.js: Added.
1650         (o1.valueOf):
1651         * tests/stress/op_preinc.js: Added.
1652         (o1.valueOf):
1653         * tests/stress/resources/binary-op-test.js:
1654         (stringifyIfNeeded):
1655         (isIdentical):
1656         (run):
1657         * tests/stress/resources/unary-op-test.js: Added.
1658         (stringifyIfNeeded):
1659         (generateBinaryTests):
1660         (isIdentical):
1661         (runTest):
1662         (run):
1663
1664 2015-12-21  Ryan Haddad  <ryanhaddad@apple.com>
1665
1666         Unreviewed, rolling out r194328.
1667
1668         This change appears to have caused failures in JSC tests
1669
1670         Reverted changeset:
1671
1672         "[INTL] Implement String.prototype.localeCompare in ECMA-402"
1673         https://bugs.webkit.org/show_bug.cgi?id=147607
1674         http://trac.webkit.org/changeset/194328
1675
1676 2015-12-21  Filip Pizlo  <fpizlo@apple.com>
1677
1678         B3->Air lowering incorrectly copy-propagates over ZExt32's
1679         https://bugs.webkit.org/show_bug.cgi?id=152365
1680
1681         Reviewed by Benjamin Poulain.
1682
1683         The instruction selector thinks that Value's that return Int32's are going to always be lowered
1684         to instructions that zero-extend the destination. But this isn't actually true. If you have an
1685         Add32 with a destination on the stack (i.e. spilled) then it only writes 4 bytes. Then, the
1686         filler will load 8 bytes from the stack at the point of use. So, the use of the Add32 will see
1687         garbage in the high bits.
1688
1689         The fact that the spiller chose to use 8 bytes for a Tmp that gets defined by an Add32 is a
1690         pretty sad bug, but:
1691
1692         - It's entirely up to the spiller to decide how many bytes to use for a Tmp, since we do not
1693           ascribe a type to Tmps. We could ascribe types to Tmps, but then coalescing would become
1694           harder. Our goal is to fix the bug while still enabling coalescing in cases like "a[i]" where
1695           "i" is a 32-bit integer that is computed using operations that already do zero-extension.
1696
1697         - More broadly, it's strange that the instruction selector decides whether a Value will be
1698           lowered to something that zero-extends. That's too constraining, since the most optimal
1699           instruction selection might involve something that doesn't zero-extend in cases of spilling, so
1700           the zero-extension should only happen if it's actually needed. This means that we need to
1701           understand which Air instructions cause zero-extensions.
1702
1703         - If we know which Air instructions cause zero-extensions, then we don't need the instruction
1704           selector to copy-propagate ZExt32's. We have copy-propagation in Air thanks to the register
1705           allocator.
1706
1707         In fact, the register allocator is exactly where all of the pieces come together. It's there that
1708         we want to know which operations zero-extend and which don't. It also wants to know how many bits
1709         of a Tmp each instruction reads. Armed with that information, the register allocator can emit
1710         more optimal spill code, use less stack space for spill slots, and coalesce Move32's. As a bonus,
1711         on X86, it replaces Move's with Move32's whenever it can. On X86, Move32 is cheaper.
1712
1713         This fixes a crash bug in V8/encrypt. After fixing this, I only needed two minor fixes to get
1714         V8/encrypt to run. We're about 10% behind LLVM on steady state throughput on this test. It
1715         appears to be mostly due to excessive spilling caused by CCall slow paths. That's fixable: we
1716         could make CCalls on slow paths use a variant of CCallSpecial that promises not to clobber any
1717         registers, and then have it emit spill code around the call itself. LLVM probably gets this
1718         optimization from its live range splitting.
1719
1720         I tried writing a regression test. The problem is that you need garbage on the stack for this to
1721         work, and I didn't feel like writing a flaky test. It appears that running V8/encrypt will cover
1722         this, so we do have coverage.
1723
1724         * CMakeLists.txt:
1725         * JavaScriptCore.xcodeproj/project.pbxproj:
1726         * assembler/AbstractMacroAssembler.h:
1727         (JSC::isX86):
1728         (JSC::isX86_64):
1729         (JSC::optimizeForARMv7IDIVSupported):
1730         (JSC::optimizeForX86):
1731         (JSC::optimizeForX86_64):
1732         * b3/B3LowerToAir.cpp:
1733         (JSC::B3::Air::LowerToAir::highBitsAreZero):
1734         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1735         (JSC::B3::Air::LowerToAir::lower):
1736         * b3/B3PatchpointSpecial.cpp:
1737         (JSC::B3::PatchpointSpecial::forEachArg):
1738         * b3/B3StackmapSpecial.cpp:
1739         (JSC::B3::StackmapSpecial::forEachArgImpl):
1740         * b3/B3Value.h:
1741         * b3/air/AirAllocateStack.cpp:
1742         (JSC::B3::Air::allocateStack):
1743         * b3/air/AirArg.cpp:
1744         (WTF::printInternal):
1745         * b3/air/AirArg.h:
1746         (JSC::B3::Air::Arg::pointerWidth):
1747         (JSC::B3::Air::Arg::isAnyUse):
1748         (JSC::B3::Air::Arg::isColdUse):
1749         (JSC::B3::Air::Arg::isEarlyUse):
1750         (JSC::B3::Air::Arg::isDef):
1751         (JSC::B3::Air::Arg::isZDef):
1752         (JSC::B3::Air::Arg::widthForB3Type):
1753         (JSC::B3::Air::Arg::conservativeWidth):
1754         (JSC::B3::Air::Arg::minimumWidth):
1755         (JSC::B3::Air::Arg::bytes):
1756         (JSC::B3::Air::Arg::widthForBytes):
1757         (JSC::B3::Air::Arg::Arg):
1758         (JSC::B3::Air::Arg::forEachTmp):
1759         * b3/air/AirCCallSpecial.cpp:
1760         (JSC::B3::Air::CCallSpecial::forEachArg):
1761         * b3/air/AirEliminateDeadCode.cpp:
1762         (JSC::B3::Air::eliminateDeadCode):
1763         * b3/air/AirFixPartialRegisterStalls.cpp:
1764         (JSC::B3::Air::fixPartialRegisterStalls):
1765         * b3/air/AirInst.cpp:
1766         (JSC::B3::Air::Inst::hasArgEffects):
1767         * b3/air/AirInst.h:
1768         (JSC::B3::Air::Inst::forEachTmpFast):
1769         (JSC::B3::Air::Inst::forEachTmp):
1770         * b3/air/AirInstInlines.h:
1771         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs):
1772         * b3/air/AirIteratedRegisterCoalescing.cpp:
1773         * b3/air/AirLiveness.h:
1774         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
1775         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
1776         * b3/air/AirOpcode.opcodes:
1777         * b3/air/AirSpillEverything.cpp:
1778         (JSC::B3::Air::spillEverything):
1779         * b3/air/AirTmpWidth.cpp: Added.
1780         (JSC::B3::Air::TmpWidth::TmpWidth):
1781         (JSC::B3::Air::TmpWidth::~TmpWidth):
1782         * b3/air/AirTmpWidth.h: Added.
1783         (JSC::B3::Air::TmpWidth::width):
1784         (JSC::B3::Air::TmpWidth::defWidth):
1785         (JSC::B3::Air::TmpWidth::useWidth):
1786         (JSC::B3::Air::TmpWidth::Widths::Widths):
1787         * b3/air/AirUseCounts.h:
1788         (JSC::B3::Air::UseCounts::UseCounts):
1789         * b3/air/opcode_generator.rb:
1790         * b3/testb3.cpp:
1791         (JSC::B3::testCheckMegaCombo):
1792         (JSC::B3::testCheckTrickyMegaCombo):
1793         (JSC::B3::testCheckTwoMegaCombos):
1794         (JSC::B3::run):
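
The spill/fill width mismatch described in the entry above, as an added model (not Air's or the register allocator's code): an 8-byte spill slot holds stale bytes, an Add32 with a memory destination defines only the low 4 bytes, and the use then either reads all 8 bytes (a 64-bit Move, garbage in the high bits) or 4 bytes with zero-extension (Move32). The slot, the stale 0xAB bytes and the operand values are constructed for the illustration; the function names are hypothetical.

```cpp
#include <cstdint>
#include <cstring>

// Hypothetical model of the spill/fill mismatch; not Air's code. A spill slot
// is 8 bytes wide because the spiller does not know the Tmp's width. This is
// the information TmpWidth tracks: how many bits each instruction defines and
// how many each use reads.
struct SpillSlot {
    alignas(8) unsigned char bytes[8];
};

// Add32 with a memory destination: only 4 bytes of the slot are (re)defined;
// bytes 4..7 keep whatever they held before.
void add32ToSlot(SpillSlot& slot, uint32_t a, uint32_t b) {
    uint32_t result = a + b;
    std::memcpy(slot.bytes, &result, sizeof result);
}

// Move (64-bit fill): the stale bytes 4..7 come back as the high bits.
uint64_t fillWithMove(const SpillSlot& slot) {
    uint64_t v;
    std::memcpy(&v, slot.bytes, sizeof v);
    return v;
}

// Move32 (zero-extending 32-bit fill): reads 4 bytes, high bits are zero.
uint64_t fillWithMove32(const SpillSlot& slot) {
    uint32_t v;
    std::memcpy(&v, slot.bytes, sizeof v);
    return v;  // implicit zero-extension to 64 bits
}

// Simulates "i = a + b; ... a[i]" with i spilled between the definition and
// the 64-bit use. Constructed sample: the slot still holds the bytes of an
// earlier 64-bit value (0xAB...) when Add32 defines i = 40 + 2.
uint64_t indexSeenByUse(bool useMove32Fill) {
    SpillSlot slot;
    std::memset(slot.bytes, 0xAB, sizeof slot.bytes);  // stale garbage
    add32ToSlot(slot, 40, 2);                           // writes 4 bytes: 42
    return useMove32Fill ? fillWithMove32(slot) : fillWithMove(slot);
}
```

With the 64-bit fill the index is 42 plus whatever the stale high bytes were, which is exactly the out-of-bounds access the entry describes for "a[i]"; with the zero-extending fill it is 42. The comparison holds on both little- and big-endian hosts because the stale bytes end up somewhere in the 64-bit value either way.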
1795
1796 2015-12-21  Andy VanWagoner  <thetalecrafter@gmail.com>
1797
1798         [INTL] Implement String.prototype.localeCompare in ECMA-402
1799         https://bugs.webkit.org/show_bug.cgi?id=147607
1800
1801         Reviewed by Darin Adler.
1802
1803         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
1804         Keep existing native implementation for use if INTL flag is disabled.
1805
1806         * CMakeLists.txt:
1807         * DerivedSources.make:
1808         * JavaScriptCore.xcodeproj/project.pbxproj:
1809         * builtins/StringPrototype.js: Added.
1810         (localeCompare):
1811         * runtime/StringPrototype.cpp:
1812         (JSC::StringPrototype::finishCreation):
1813
1814 2015-12-18  Filip Pizlo  <fpizlo@apple.com>
1815
1816         Implement compareDouble in B3/Air
1817         https://bugs.webkit.org/show_bug.cgi?id=150903
1818
1819         Reviewed by Benjamin Poulain.
1820
1821         A hole in our coverage is that if we don't fuse a double comparison into a branch, then we will
1822         crash in the instruction selector. Obviously, we *really* want to fuse double comparisons,
1823         but we can't guarantee that this will always happen.
1824
1825         This also removes all uses of WTF::Dominators verification, since it's extremely slow even in
1826         a release build. This speeds up testb3 with validateGraphAtEachPhase=true by an order of
1827         magnitude.
1828
1829         * assembler/MacroAssembler.h:
1830         (JSC::MacroAssembler::moveDoubleConditionallyFloat):
1831         (JSC::MacroAssembler::compareDouble):
1832         (JSC::MacroAssembler::compareFloat):
1833         (JSC::MacroAssembler::lea):
1834         * b3/B3Dominators.h:
1835         (JSC::B3::Dominators::Dominators):
1836         * b3/B3LowerToAir.cpp:
1837         (JSC::B3::Air::LowerToAir::createCompare):
1838         (JSC::B3::Air::LowerToAir::lower):
1839         * b3/air/AirOpcode.opcodes:
1840         * b3/testb3.cpp:
1841         (JSC::B3::testCompare):
1842         (JSC::B3::testEqualDouble):
1843         (JSC::B3::simpleFunction):
1844         (JSC::B3::run):
1845         * dfg/DFGDominators.h:
1846         (JSC::DFG::Dominators::Dominators):
1847
1848 2015-12-19  Dan Bernstein  <mitz@apple.com>
1849
1850         [Mac] WebKit contains dead source code for OS X Mavericks and earlier
1851         https://bugs.webkit.org/show_bug.cgi?id=152462
1852
1853         Reviewed by Alexey Proskuryakov.
1854
1855         - Removed build setting definitions for OS X 10.9 and earlier, and simplified definitions
1856           that became uniform across all OS X versions as a result:
1857
1858         * Configurations/DebugRelease.xcconfig:
1859         * Configurations/FeatureDefines.xcconfig:
1860         * Configurations/Version.xcconfig:
1861
1862         * API/JSBase.h: Removed check against __MAC_OS_X_VERSION_MIN_REQUIRED that was always true.
1863
1864 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1865
1866         [JSC] Streamline Tmp indexing inside the register allocator
1867         https://bugs.webkit.org/show_bug.cgi?id=152420
1868
1869         Reviewed by Filip Pizlo.
1870
1871         AirIteratedRegisterCoalescing has been accumulating a bit of mess over time.
1872
1873         When it started, every map addressed by Tmp was using Tmp hashing.
1874         That caused massive performance problems. Everything perf sensitive was moved
1875         to direct array addressing by the absolute Tmp index. This left the code
1876         with half of the function using Tmp, the other half using indices.
1877
1878         With this patch, almost everything is moved to absolute indexing.
1879         There are a few advantages to this:
1880         -No more conversion churn for Floating Point registers.
1881         -Most of the functions can now be shared between GP and FP.
1882         -A bit of clean up since the core algorithm only deals with integers now.
1883
1884         This patch also changes the index type to be a template argument.
1885         That will allow future specialization of "m_interferenceEdges" based
1886         on the expected problem size.
1887
1888         Finally, the code related to the program modification (register assignment
1889         and spilling) was moved to the wrapper "IteratedRegisterCoalescing".
1890
1891         The current split is:
1892         -AbstractColoringAllocator: common core. Share as much as possible between
1893          GP and FP.
1894         -ColoringAllocator: the remaining parts of the algorithm, everything that
1895          is specific to GP, FP.
1896         -IteratedRegisterCoalescing: the "iterated" part of the algorithm.
1897          Try to allocate and modify the code as needed.
1898
1899         The long term plan is:
1900         -Move selectSpill() and the coloring loop to AbstractColoringAllocator.
1901         -Specialize m_interferenceEdges to make it faster.
1902
1903         * b3/air/AirIteratedRegisterCoalescing.cpp:
1904         * b3/air/AirTmpInlines.h:
1905         (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::lastMachineRegisterIndex):
1906         (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::lastMachineRegisterIndex):
1907
1908 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1909
1910         [JSC] FTLB3Output generates some invalid ZExt32
1911         https://bugs.webkit.org/show_bug.cgi?id=151905
1912
1913         Reviewed by Filip Pizlo.
1914
1915         FTLLowerDFGToLLVM calls zeroExt() to int32 in some cases.
1916         We were generating ZExt32 with Int32 as return type :(
1917
1918         * ftl/FTLB3Output.h:
1919         (JSC::FTL::Output::zeroExt):
1920
1921 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1922
1923         [JSC] Add EqualOrUnordered to B3
1924         https://bugs.webkit.org/show_bug.cgi?id=152425
1925
1926         Reviewed by Mark Lam.
1927
1928         Add EqualOrUnordered to B3 and use it to implement
1929         FTL::Output's NotEqualAndOrdered.
1930
1931         * b3/B3ConstDoubleValue.cpp:
1932         (JSC::B3::ConstDoubleValue::equalOrUnordered):
1933         * b3/B3ConstDoubleValue.h:
1934         * b3/B3LowerToAir.cpp:
1935         (JSC::B3::Air::LowerToAir::createGenericCompare):
1936         (JSC::B3::Air::LowerToAir::lower):
1937         * b3/B3Opcode.cpp:
1938         (WTF::printInternal):
1939         * b3/B3Opcode.h:
1940         * b3/B3ReduceDoubleToFloat.cpp:
1941         (JSC::B3::reduceDoubleToFloat):
1942         * b3/B3ReduceStrength.cpp:
1943         * b3/B3Validate.cpp:
1944         * b3/B3Value.cpp:
1945         (JSC::B3::Value::equalOrUnordered):
1946         (JSC::B3::Value::returnsBool):
1947         (JSC::B3::Value::effects):
1948         (JSC::B3::Value::key):
1949         (JSC::B3::Value::typeFor):
1950         * b3/B3Value.h:
1951         * b3/testb3.cpp:
1952         (JSC::B3::testBranchEqualOrUnorderedArgs):
1953         (JSC::B3::testBranchNotEqualAndOrderedArgs):
1954         (JSC::B3::testBranchEqualOrUnorderedDoubleArgImm):
1955         (JSC::B3::testBranchEqualOrUnorderedFloatArgImm):
1956         (JSC::B3::testBranchEqualOrUnorderedDoubleImms):
1957         (JSC::B3::testBranchEqualOrUnorderedFloatImms):
1958         (JSC::B3::testBranchEqualOrUnorderedFloatWithUselessDoubleConversion):
1959         (JSC::B3::run):
1960         * ftl/FTLB3Output.h:
1961         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1962         (JSC::FTL::Output::doubleNotEqual): Deleted.
1963         * ftl/FTLLowerDFGToLLVM.cpp:
1964         (JSC::FTL::DFG::LowerDFGToLLVM::boolify):
1965         * ftl/FTLOutput.h:
1966         (JSC::FTL::Output::doubleNotEqualAndOrdered):
1967         (JSC::FTL::Output::doubleNotEqual): Deleted.
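
The IEEE-754 semantics behind the opcode added above and the FTL::Output predicate it implements, as an added illustration (not B3's or FTL's code): a comparison is "unordered" when either operand is NaN, every ordered relation is then false, and NotEqualAndOrdered is the exact complement of EqualOrUnordered, which is why one B3 opcode serves both. The function names are hypothetical.

```cpp
#include <cmath>

// Added illustration, not JSC code. "X or unordered" is X || isnan; "X and
// ordered" is X && !isnan. The plain C++ operators are the "ordered" forms
// for ==, <, <=, >, >= and the "or unordered" form for !=.
bool isUnordered(double a, double b) {
    return std::isnan(a) || std::isnan(b);
}

// B3 EqualOrUnordered: true when a == b or when either side is NaN.
bool equalOrUnordered(double a, double b) {
    return a == b || isUnordered(a, b);
}

// FTL::Output::doubleNotEqualAndOrdered: the complement of EqualOrUnordered.
// Note that C++'s a != b is NotEqualOrUnordered (true for NaN), so it cannot
// be used directly here.
bool notEqualAndOrdered(double a, double b) {
    return !equalOrUnordered(a, b);
}

// The same pattern for the other unordered variants listed in this ChangeLog.
bool lessThanOrUnordered(double a, double b) {
    return a < b || isUnordered(a, b);
}

bool greaterThanOrEqualOrUnordered(double a, double b) {
    return a >= b || isUnordered(a, b);
}

// Sanity check of the complement relation over a few constructed inputs,
// including NaN. Returns true if every pair satisfies the identity.
bool complementIdentityHolds() {
    const double nan = std::nan("");
    const double samples[][2] = { {1.0, 1.0}, {1.0, 2.0}, {nan, 1.0}, {1.0, nan}, {nan, nan} };
    for (const auto& s : samples) {
        if (notEqualAndOrdered(s[0], s[1]) == equalOrUnordered(s[0], s[1]))
            return false;
    }
    return true;
}
```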
1968
1969 2015-12-19  Benjamin Poulain  <bpoulain@apple.com>
1970
1971         [JSC] B3: Add indexed addressing when lowering BitwiseCast
1972         https://bugs.webkit.org/show_bug.cgi?id=152432
1973
1974         Reviewed by Geoffrey Garen.
1975
1976         The MacroAssembler supports it, we should use it.
1977
1978         * b3/air/AirOpcode.opcodes:
1979         * b3/testb3.cpp:
1980         (JSC::B3::testBitwiseCastOnDoubleInMemoryIndexed):
1981         (JSC::B3::testBitwiseCastOnInt64InMemoryIndexed):
1982
1983 2015-12-18  Andreas Kling  <akling@apple.com>
1984
1985         Make JSString::SafeView less of a footgun.
1986         <https://webkit.org/b/152376>
1987
1988         Reviewed by Darin Adler.
1989
1990         Remove the "operator StringView()" convenience helper on JSString::SafeString since that
1991         made it possible to casually turn the return value from JSString::view() into an unsafe
1992         StringView local on the stack with this pattern:
1993
1994             StringView view = someJSValue.toString(exec)->view(exec);
1995
1996         The JSString* returned by toString() above will go out of scope by the end of the statement
1997         and does not stick around to protect itself from garbage collection.
1998
1999         It will now look like this instead:
2000
2001             JSString::SafeView view = someJSValue.toString(exec)->view(exec);
2002
2003         To be extra clear, the following is not safe:
2004
2005             StringView view = someJSValue.toString(exec)->view(exec).get();
2006
2007         By the end of that statement, the JSString::SafeView goes out of scope, and the JSString*
2008         is no longer protected from GC.
2009
2010         I added a couple of forwarding helpers to the SafeView class, and if you need a StringView
2011         object from it, you can call .get() just like before.
2012
2013         Finally, I also removed the JSString::SafeView() constructor, since nobody was instantiating
2014         empty SafeView objects anyway. This way we don't have to worry about null members.
2015
2016         * runtime/ArrayPrototype.cpp:
2017         (JSC::arrayProtoFuncJoin):
2018         * runtime/FunctionConstructor.cpp:
2019         (JSC::constructFunctionSkippingEvalEnabledCheck):
2020         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2021         (JSC::genericTypedArrayViewProtoFuncJoin):
2022         * runtime/JSGlobalObjectFunctions.cpp:
2023         (JSC::decode):
2024         (JSC::globalFuncParseInt):
2025         (JSC::globalFuncParseFloat):
2026         (JSC::globalFuncEscape):
2027         (JSC::globalFuncUnescape):
2028         * runtime/JSONObject.cpp:
2029         (JSC::JSONProtoFuncParse):
2030         * runtime/JSString.cpp:
2031         (JSC::JSString::getPrimitiveNumber):
2032         (JSC::JSString::toNumber):
2033         * runtime/JSString.h:
2034         (JSC::JSString::SafeView::is8Bit):
2035         (JSC::JSString::SafeView::length):
2036         (JSC::JSString::SafeView::characters8):
2037         (JSC::JSString::SafeView::characters16):
2038         (JSC::JSString::SafeView::operator[]):
2039         (JSC::JSString::SafeView::SafeView):
2040         (JSC::JSString::SafeView::get):
2041         (JSC::JSString::SafeView::operator StringView): Deleted.
2042         * runtime/StringPrototype.cpp:
2043         (JSC::stringProtoFuncCharAt):
2044         (JSC::stringProtoFuncCharCodeAt):
2045         (JSC::stringProtoFuncIndexOf):
2046         (JSC::stringProtoFuncNormalize):
2047
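As an added example, not code from WebKit, a small C++ model of the lifetime hazard this entry describes. JSString, SafeView, StringView and Heap below are stand-ins written for this example (the model collector marks unrooted cells dead instead of freeing them, so a dangling view can be inspected without undefined behaviour); the helper functions contrast the unsafe `.get()`-into-a-local pattern with keeping a SafeView local.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

class SafeView;

// Stand-in for a GC-managed JSString cell (model only, not JSC's class).
struct JSString {
    explicit JSString(std::string s) : characters(std::move(s)) {}
    std::string characters;
    int rootCount = 0;   // live SafeViews pinning this cell
    bool alive = true;   // cleared when the model collector reclaims the cell
    SafeView view();     // modelled after JSString::view(exec)
};

// Bare, non-owning view: nothing keeps the cell alive on its behalf.
struct StringView {
    explicit StringView(const JSString* c) : cell(c) {}
    const JSString* cell;
    bool isAlive() const { return cell && cell->alive; }
    std::size_t length() const { return isAlive() ? cell->characters.size() : 0; }
};

// Modelled after JSString::SafeView after this change: no default constructor
// (so no null member), forwarding helpers, and .get() for a bare StringView.
// There is deliberately no implicit "operator StringView()"; with it, the line
//     StringView view = jsString->view();
// would compile and silently dangle. Without it, that mistake fails to build.
class SafeView {
public:
    explicit SafeView(JSString* cell) : m_cell(cell) { ++m_cell->rootCount; }
    SafeView(const SafeView& other) : m_cell(other.m_cell) { ++m_cell->rootCount; }
    SafeView& operator=(const SafeView&) = delete;
    ~SafeView() { --m_cell->rootCount; }

    std::size_t length() const { return m_cell->characters.size(); }
    char operator[](std::size_t i) const { return m_cell->characters[i]; }
    StringView get() const { return StringView(m_cell); } // valid only while *this lives

private:
    JSString* m_cell;
};

inline SafeView JSString::view() { return SafeView(this); }

// Model heap: allocates cells and "collects" every cell that has no root.
// Cells are flagged dead rather than freed so dangling views stay inspectable.
struct Heap {
    std::vector<std::unique_ptr<JSString>> cells;
    JSString* allocate(std::string s) {
        cells.push_back(std::make_unique<JSString>(std::move(s)));
        return cells.back().get();
    }
    void collectGarbage() {
        for (auto& c : cells)
            if (c->rootCount == 0)
                c->alive = false;
    }
};

// The pattern the ChangeLog calls unsafe: the SafeView temporary dies at the ';',
// leaving 'view' pointing at an unrooted cell that the next GC reclaims.
bool unsafePatternDangles(Heap& heap) {
    StringView view = heap.allocate("hello")->view().get();
    heap.collectGarbage();       // nothing roots the cell any more
    return !view.isAlive();      // true: the view is dangling
}

// The recommended pattern: the SafeView local keeps the cell rooted across a GC.
bool safePatternSurvives(Heap& heap) {
    SafeView view = heap.allocate("hello")->view();
    heap.collectGarbage();       // rootCount == 1, so the cell survives
    return view.get().isAlive() && view.length() == 5 && view[0] == 'h';
}

// Borrowing a bare StringView via .get() is fine while the owning SafeView is in scope.
bool borrowedViewIsValidWithinScope(Heap& heap) {
    SafeView owner = heap.allocate("hello")->view();
    StringView borrowed = owner.get();
    heap.collectGarbage();
    return borrowed.isAlive();
}

int main() {
    Heap heap;
    std::printf("unsafe pattern dangles: %d\n", unsafePatternDangles(heap));
    std::printf("safe pattern survives:  %d\n", safePatternSurvives(heap));
    std::printf("borrowed view valid:    %d\n", borrowedViewIsValidWithinScope(heap));
    return 0;
}
```
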
2048 2015-12-18  Saam barati  <sbarati@apple.com>
2049
2050         BytecodeGenerator::pushLexicalScopeInternal and pushLexicalScope should use enums instead of bools
2051         https://bugs.webkit.org/show_bug.cgi?id=152450
2052
2053         Reviewed by Geoffrey Garen and Joseph Pecoraro.
2054
2055         This makes comprehending the call sites of these functions
2056         easier without looking up the header of the function.
2057
2058         * bytecompiler/BytecodeGenerator.cpp:
2059         (JSC::BytecodeGenerator::BytecodeGenerator):
2060         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2061         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2062         (JSC::BytecodeGenerator::emitPrefillStackTDZVariables):
2063         (JSC::BytecodeGenerator::pushLexicalScope):
2064         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
2065         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
2066         (JSC::BytecodeGenerator::emitPushCatchScope):
2067         * bytecompiler/BytecodeGenerator.h:
2068         (JSC::BytecodeGenerator::lastOpcodeID):
2069         * bytecompiler/NodesCodegen.cpp:
2070         (JSC::BlockNode::emitBytecode):
2071         (JSC::ForNode::emitBytecode):
2072         (JSC::ForInNode::emitMultiLoopBytecode):
2073         (JSC::ForOfNode::emitBytecode):
2074         (JSC::SwitchNode::emitBytecode):
2075         (JSC::ClassExprNode::emitBytecode):
2076
2077 2015-12-18  Michael Catanzaro  <mcatanzaro@igalia.com>
2078
2079         Avoid triggering clang's -Wundefined-bool-conversion
2080         https://bugs.webkit.org/show_bug.cgi?id=152408
2081
2082         Reviewed by Mark Lam.
2083
2084         Add ASSERT_THIS_GC_OBJECT_LOOKS_VALID and ASSERT_THIS_GC_OBJECT_INHERITS to avoid use of
2085         ASSERT(this) by ASSERT_GC_OBJECT_LOOKS_VALID and ASSERT_GC_OBJECT_INHERITS.
2086
2087         * heap/GCAssertions.h:
2088
2089 2015-12-18  Mark Lam  <mark.lam@apple.com>
2090
2091         Replace SpecialFastCase profiles with ResultProfiles.
2092         https://bugs.webkit.org/show_bug.cgi?id=152433
2093
2094         Reviewed by Saam Barati.
2095
2096         This is in preparation for upcoming work to enhance the DFG predictions to deal
2097         with untyped operands.
2098
2099         This patch also enhances some of the arithmetic slow paths (for the LLINT and
2100         baseline JIT) to collect result profiling info.  This profiling info is not put
2101         to use yet. 
2102
2103         * CMakeLists.txt:
2104         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2105         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2106         * JavaScriptCore.xcodeproj/project.pbxproj:
2107         * bytecode/CodeBlock.cpp:
2108         (JSC::CodeBlock::dumpRareCaseProfile):
2109         (JSC::CodeBlock::dumpResultProfile):
2110         (JSC::CodeBlock::printLocationAndOp):
2111         (JSC::CodeBlock::dumpBytecode):
2112         (JSC::CodeBlock::shrinkToFit):
2113         (JSC::CodeBlock::dumpValueProfiles):
2114         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2115         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2116         (JSC::CodeBlock::updateResultProfileForBytecodeOffset):
2117         (JSC::CodeBlock::capabilityLevel):
2118         * bytecode/CodeBlock.h:
2119         (JSC::CodeBlock::couldTakeSlowCase):
2120         (JSC::CodeBlock::addResultProfile):
2121         (JSC::CodeBlock::numberOfResultProfiles):
2122         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset):
2123         (JSC::CodeBlock::couldTakeSpecialFastCase):
2124         (JSC::CodeBlock::addSpecialFastCaseProfile): Deleted.
2125         (JSC::CodeBlock::numberOfSpecialFastCaseProfiles): Deleted.
2126         (JSC::CodeBlock::specialFastCaseProfile): Deleted.
2127         (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset): Deleted.
2128         * bytecode/ValueProfile.cpp: Added.
2129         (WTF::printInternal):
2130         * bytecode/ValueProfile.h:
2131         (JSC::getRareCaseProfileBytecodeOffset):
2132         (JSC::ResultProfile::ResultProfile):
2133         (JSC::ResultProfile::bytecodeOffset):
2134         (JSC::ResultProfile::specialFastPathCount):
2135         (JSC::ResultProfile::didObserveNonInt32):
2136         (JSC::ResultProfile::didObserveDouble):
2137         (JSC::ResultProfile::didObserveNonNegZeroDouble):
2138         (JSC::ResultProfile::didObserveNegZeroDouble):
2139         (JSC::ResultProfile::didObserveNonNumber):
2140         (JSC::ResultProfile::didObserveInt32Overflow):
2141         (JSC::ResultProfile::setObservedNonNegZeroDouble):
2142         (JSC::ResultProfile::setObservedNegZeroDouble):
2143         (JSC::ResultProfile::setObservedNonNumber):
2144         (JSC::ResultProfile::setObservedInt32Overflow):
2145         (JSC::ResultProfile::addressOfFlags):
2146         (JSC::ResultProfile::addressOfSpecialFastPathCount):
2147         (JSC::ResultProfile::hasBits):
2148         (JSC::ResultProfile::setBit):
2149         (JSC::getResultProfileBytecodeOffset):
2150         * jit/JITArithmetic.cpp:
2151         (JSC::JIT::emit_op_div):
2152         (JSC::JIT::emit_op_mul):
2153         * jit/JITDivGenerator.cpp:
2154         (JSC::JITDivGenerator::generateFastPath):
2155         * jit/JITDivGenerator.h:
2156         (JSC::JITDivGenerator::JITDivGenerator):
2157         * jit/JITMulGenerator.cpp:
2158         (JSC::JITMulGenerator::generateFastPath):
2159         * jit/JITMulGenerator.h:
2160         (JSC::JITMulGenerator::JITMulGenerator):
2161         * runtime/CommonSlowPaths.cpp:
2162         (JSC::SLOW_PATH_DECL):
2163
2164 2015-12-18  Keith Miller  <keith_miller@apple.com>
2165
2166         verboseDFGByteCodeParsing option should show the bytecode it is parsing.
2167         https://bugs.webkit.org/show_bug.cgi?id=152434
2168
2169         Reviewed by Michael Saboff.
2170
2171         * dfg/DFGByteCodeParser.cpp:
2172         (JSC::DFG::ByteCodeParser::parseBlock):
2173
2174 2015-12-18  Csaba Osztrogonác  <ossy@webkit.org>
2175
2176         [ARM] Add the missing setupArgumentsWithExecState functions after r193974
2177         https://bugs.webkit.org/show_bug.cgi?id=152214
2178
2179         Reviewed by Mark Lam.
2180
2181         Relanding r194007 after r194248.
2182
2183         * jit/CCallHelpers.h:
2184         (JSC::CCallHelpers::setupArgumentsWithExecState):
2185
2186 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
2187
2188         Web Inspector: Remove "local" scope type from the protocol
2189         https://bugs.webkit.org/show_bug.cgi?id=152409
2190
2191         Reviewed by Timothy Hatcher.
2192
2193         After r194251 the backend no longer sends this scope type.
2194         So remove it from the protocol.
2195
2196         The concept of a Local Scope should be calculable by the
2197         frontend. In fact, the way the backend used to do this could
2198         easily be done by the frontend. To be done in a follow-up.
2199
2200         * inspector/InjectedScriptSource.js:
2201         * inspector/JSJavaScriptCallFrame.h:
2202         * inspector/protocol/Debugger.json:
2203
2204 2015-12-17  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2205
2206         [INTL] Implement Collator Compare Functions
2207         https://bugs.webkit.org/show_bug.cgi?id=147604
2208
2209         Reviewed by Darin Adler.
2210
2211         This patch implements Intl.Collator.prototype.compare() according
2212         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
2213
2214         * runtime/IntlCollator.cpp:
2215         (JSC::IntlCollator::~IntlCollator):
2216         (JSC::sortLocaleData):
2217         (JSC::searchLocaleData):
2218         (JSC::IntlCollator::initializeCollator):
2219         (JSC::IntlCollator::createCollator):
2220         (JSC::IntlCollator::compareStrings):
2221         (JSC::IntlCollator::usageString):
2222         (JSC::IntlCollator::sensitivityString):
2223         (JSC::IntlCollator::resolvedOptions):
2224         (JSC::IntlCollator::setBoundCompare):
2225         (JSC::IntlCollatorFuncCompare): Deleted.
2226         * runtime/IntlCollator.h:
2227         (JSC::IntlCollator::usage): Deleted.
2228         (JSC::IntlCollator::setUsage): Deleted.
2229         (JSC::IntlCollator::locale): Deleted.
2230         (JSC::IntlCollator::setLocale): Deleted.
2231         (JSC::IntlCollator::collation): Deleted.
2232         (JSC::IntlCollator::setCollation): Deleted.
2233         (JSC::IntlCollator::numeric): Deleted.
2234         (JSC::IntlCollator::setNumeric): Deleted.
2235         (JSC::IntlCollator::sensitivity): Deleted.
2236         (JSC::IntlCollator::setSensitivity): Deleted.
2237         (JSC::IntlCollator::ignorePunctuation): Deleted.
2238         (JSC::IntlCollator::setIgnorePunctuation): Deleted.
2239         * runtime/IntlCollatorConstructor.cpp:
2240         (JSC::constructIntlCollator):
2241         (JSC::callIntlCollator):
2242         (JSC::sortLocaleData): Deleted.
2243         (JSC::searchLocaleData): Deleted.
2244         (JSC::initializeCollator): Deleted.
2245         * runtime/IntlCollatorPrototype.cpp:
2246         (JSC::IntlCollatorFuncCompare):
2247         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2248         * runtime/IntlObject.cpp:
2249         (JSC::defaultLocale):
2250         (JSC::convertICULocaleToBCP47LanguageTag):
2251         (JSC::intlStringOption):
2252         (JSC::resolveLocale):
2253         (JSC::supportedLocales):
2254         * runtime/IntlObject.h:
2255         * runtime/JSGlobalObject.cpp:
2256         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
2257         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
2258         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
2259
2260 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
2261
2262         Provide a way to distinguish a nested lexical block from a function's lexical block
2263         https://bugs.webkit.org/show_bug.cgi?id=152361
2264
2265         Reviewed by Saam Barati.
2266
2267         * bytecompiler/BytecodeGenerator.h:
2268         * bytecompiler/BytecodeGenerator.cpp:
2269         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2270         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2271         (JSC::BytecodeGenerator::emitPushFunctionNameScope):
2272         (JSC::BytecodeGenerator::emitPushCatchScope):
2273         Each of these is a specialized scope. They are not nested lexical scopes.
2274         
2275         (JSC::BytecodeGenerator::pushLexicalScope):
2276         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
2277         Include an extra parameter to mark the SymbolTable as a nested lexical or not.
2278
2279         * bytecompiler/NodesCodegen.cpp:
2280         (JSC::BlockNode::emitBytecode):
2281         (JSC::ForNode::emitBytecode):
2282         (JSC::ForInNode::emitMultiLoopBytecode):
2283         (JSC::ForOfNode::emitBytecode):
2284         (JSC::SwitchNode::emitBytecode):
2285         (JSC::ClassExprNode::emitBytecode):
2286         Each of these is a case of a non-function nested lexical scope.
2287         So mark the SymbolTable as nested.
2288
2289         * inspector/protocol/Debugger.json:
2290         * inspector/InjectedScriptSource.js:
2291         Include a new scope type.
2292
2293         * inspector/JSJavaScriptCallFrame.h:
2294         * inspector/JSJavaScriptCallFrame.cpp:
2295         (Inspector::JSJavaScriptCallFrame::scopeType):
2296         Use the new "NestedLexical" scope type for nested, non-function,
2297         lexical scopes. The Inspector can use this to better describe
2298         this scope in the frontend.
2299
2300         * debugger/DebuggerScope.cpp:
2301         (JSC::DebuggerScope::isNestedLexicalScope):
2302         * debugger/DebuggerScope.h:
2303         * runtime/JSScope.cpp:
2304         (JSC::JSScope::isNestedLexicalScope):
2305         * runtime/JSScope.h:
2306         * runtime/SymbolTable.cpp:
2307         (JSC::SymbolTable::SymbolTable):
2308         (JSC::SymbolTable::cloneScopePart):
2309         * runtime/SymbolTable.h:
2310         Access the isNestedLexicalScope bit.
2311
2312 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
2313
2314         Unreviewed EFL Build Fix after r194247.
2315
2316         * interpreter/CallFrame.cpp:
2317         (JSC::CallFrame::friendlyFunctionName):
2318         Handle compilers that don't realize the switch handles all cases.
2319
2320 2015-12-17  Keith Miller  <keith_miller@apple.com>
2321
2322         [ES6] Add support for Symbol.hasInstance
2323         https://bugs.webkit.org/show_bug.cgi?id=151839
2324
2325         Reviewed by Saam Barati.
2326
2327         Fixed version of r193986, r193983, and r193974.
2328
2329         This patch adds support for Symbol.hasInstance; unfortunately, in order to prevent
2330         regressions, several new bytecodes and DFG IR nodes were necessary. Before Symbol.hasInstance,
2331         when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
2332         then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
2333         new ones. First, the role of overrides_has_instance and its corresponding DFG node has changed. Now it returns
2334         a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
2335         needs non-default behavior for resolving the expression, i.e. the constructor has a Symbol.hasInstance that differs from the one on
2336         Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated, as
2337         we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. instanceof_custom just
2338         emits a call to slow path code that computes the result.
2339
2340         In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
2341         OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
2342         it into a CheckTypeInfoFlags followed by a JSConstant.
2343
2344         * API/JSCallbackObject.h:
2345         * builtins/FunctionPrototype.js:
2346         (symbolHasInstance):
2347         * bytecode/BytecodeBasicBlock.cpp:
2348         (JSC::isBranch): Deleted.
2349         * bytecode/BytecodeList.json:
2350         * bytecode/BytecodeUseDef.h:
2351         (JSC::computeUsesForBytecodeOffset):
2352         (JSC::computeDefsForBytecodeOffset):
2353         * bytecode/CodeBlock.cpp:
2354         (JSC::CodeBlock::dumpBytecode):
2355         * bytecode/ExitKind.cpp:
2356         (JSC::exitKindToString):
2357         * bytecode/ExitKind.h:
2358         * bytecode/PreciseJumpTargets.cpp:
2359         (JSC::getJumpTargetsForBytecodeOffset): Deleted.
2360         * bytecompiler/BytecodeGenerator.cpp:
2361         (JSC::BytecodeGenerator::emitOverridesHasInstance):
2362         (JSC::BytecodeGenerator::emitInstanceOfCustom):
2363         (JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
2364         * bytecompiler/BytecodeGenerator.h:
2365         * bytecompiler/NodesCodegen.cpp:
2366         (JSC::InstanceOfNode::emitBytecode):
2367         * dfg/DFGAbstractInterpreterInlines.h:
2368         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2369         * dfg/DFGByteCodeParser.cpp:
2370         (JSC::DFG::ByteCodeParser::parseBlock):
2371         * dfg/DFGCapabilities.cpp:
2372         (JSC::DFG::capabilityLevel):
2373         * dfg/DFGClobberize.h:
2374         (JSC::DFG::clobberize):
2375         * dfg/DFGDoesGC.cpp:
2376         (JSC::DFG::doesGC):
2377         * dfg/DFGFixupPhase.cpp:
2378         (JSC::DFG::FixupPhase::fixupNode):
2379         * dfg/DFGHeapLocation.cpp:
2380         (WTF::printInternal):
2381         * dfg/DFGHeapLocation.h:
2382         * dfg/DFGNode.h:
2383         (JSC::DFG::Node::hasCellOperand):
2384         (JSC::DFG::Node::hasTypeInfoOperand):
2385         (JSC::DFG::Node::typeInfoOperand):
2386         * dfg/DFGNodeType.h:
2387         * dfg/DFGPredictionPropagationPhase.cpp:
2388         (JSC::DFG::PredictionPropagationPhase::propagate):
2389         * dfg/DFGSafeToExecute.h:
2390         (JSC::DFG::safeToExecute):
2391         * dfg/DFGSpeculativeJIT.cpp:
2392         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
2393         (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
2394         * dfg/DFGSpeculativeJIT.h:
2395         (JSC::DFG::SpeculativeJIT::callOperation):
2396         * dfg/DFGSpeculativeJIT32_64.cpp:
2397         (JSC::DFG::SpeculativeJIT::compile):
2398         * dfg/DFGSpeculativeJIT64.cpp:
2399         (JSC::DFG::SpeculativeJIT::compile):
2400         * ftl/FTLCapabilities.cpp:
2401         (JSC::FTL::canCompile):
2402         * ftl/FTLIntrinsicRepository.h:
2403         * ftl/FTLLowerDFGToLLVM.cpp:
2404         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2405         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
2406         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
2407         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
2408         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
2409         * jit/JIT.cpp:
2410         (JSC::JIT::privateCompileMainPass):
2411         (JSC::JIT::privateCompileSlowCases):
2412         * jit/JIT.h:
2413         * jit/JITInlines.h:
2414         (JSC::JIT::callOperation):
2415         * jit/JITOpcodes.cpp:
2416         (JSC::JIT::emit_op_overrides_has_instance):
2417         (JSC::JIT::emit_op_instanceof):
2418         (JSC::JIT::emit_op_instanceof_custom):
2419         (JSC::JIT::emitSlow_op_instanceof):
2420         (JSC::JIT::emitSlow_op_instanceof_custom):
2421         (JSC::JIT::emit_op_check_has_instance): Deleted.
2422         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
2423         * jit/JITOpcodes32_64.cpp:
2424         (JSC::JIT::emit_op_overrides_has_instance):
2425         (JSC::JIT::emit_op_instanceof):
2426         (JSC::JIT::emit_op_instanceof_custom):
2427         (JSC::JIT::emitSlow_op_instanceof_custom):
2428         (JSC::JIT::emit_op_check_has_instance): Deleted.
2429         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
2430         * jit/JITOperations.cpp:
2431         * jit/JITOperations.h:
2432         * llint/LLIntData.cpp:
2433         (JSC::LLInt::Data::performAssertions):
2434         * llint/LLIntSlowPaths.cpp:
2435         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2436         * llint/LLIntSlowPaths.h:
2437         * llint/LowLevelInterpreter32_64.asm:
2438         * llint/LowLevelInterpreter64.asm:
2439         * runtime/CommonIdentifiers.h:
2440         * runtime/ExceptionHelpers.cpp:
2441         (JSC::invalidParameterInstanceofSourceAppender):
2442         (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
2443         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
2444         (JSC::createInvalidInstanceofParameterErrorNotFunction):
2445         (JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
2446         (JSC::createInvalidInstanceofParameterError): Deleted.
2447         * runtime/ExceptionHelpers.h:
2448         * runtime/FunctionPrototype.cpp:
2449         (JSC::FunctionPrototype::addFunctionProperties):
2450         * runtime/FunctionPrototype.h:
2451         * runtime/JSBoundFunction.cpp:
2452         (JSC::isBoundFunction):
2453         (JSC::hasInstanceBoundFunction):
2454         * runtime/JSBoundFunction.h:
2455         * runtime/JSGlobalObject.cpp:
2456         (JSC::JSGlobalObject::init):
2457         (JSC::JSGlobalObject::visitChildren):
2458         * runtime/JSGlobalObject.h:
2459         (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
2460         * runtime/JSObject.cpp:
2461         (JSC::JSObject::hasInstance):
2462         (JSC::objectPrivateFuncInstanceOf):
2463         * runtime/JSObject.h:
2464         * runtime/JSTypeInfo.h:
2465         (JSC::TypeInfo::TypeInfo):
2466         (JSC::TypeInfo::overridesHasInstance):
2467         * runtime/WriteBarrier.h:
2468         (JSC::WriteBarrierBase<Unknown>::slot):
2469         * tests/es6.yaml:
2470         * tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
2471         (Constructor):
2472         (value):
2473         (instanceOf):
2474         (body):
2475         * tests/stress/symbol-hasInstance.js: Added.
2476         (Constructor):
2477         (value):
2478         (ObjectClass.Symbol.hasInstance):
2479         (NumberClass.Symbol.hasInstance):
2480
2481 2015-12-17  Joseph Pecoraro  <pecoraro@apple.com>
2482
2483         Web Inspector: Improve names in Debugger Call Stack section when paused
2484         https://bugs.webkit.org/show_bug.cgi?id=152398
2485
2486         Reviewed by Brian Burg.
2487
2488         * debugger/DebuggerCallFrame.cpp:
2489         (JSC::DebuggerCallFrame::functionName):
2490         Provide a better name from the underlying CallFrame.
2491
2492         * inspector/InjectedScriptSource.js:
2493         (InjectedScript.CallFrameProxy):
2494         Just call functionName; it will provide a better-than-nothing
2495         function name.
2496
2497         * runtime/JSFunction.cpp:
2498         (JSC::getCalculatedDisplayName):
2499         Use emptyString().
2500
2501         * interpreter/CallFrame.h:
2502         * interpreter/CallFrame.cpp:
2503         (JSC::CallFrame::friendlyFunctionName):
2504         This is the third similar implementation of this,
2505         but all other cases use other "StackFrame" objects.
2506         Use the expected names for program code.
2507
2508 2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>
2509
2510         Web Inspector: Add JSContext Script Profiling
2511         https://bugs.webkit.org/show_bug.cgi?id=151899
2512
2513         Reviewed by Brian Burg.
2514
2515         Extend JSC::Debugger to include a profiling client interface
2516         that the Inspector can implement to be told about script execution
2517         entry and exit points. Add new profiledCall/Evaluate/Construct
2518         methods that are entry points that will notify the profiling
2519         client if it exists.
2520
2521         By putting the profiling client on Debugger it avoids having
2522         special code paths for a JSGlobalObject being JSContext inspected
2523         or a JSGlobalObject in a Page being Web inspected. In either case
2524         the JSGlobalObject can go through its debugger() which always
2525         reaches the correct inspector instance.
2526
2527         * CMakeLists.txt:
2528         * DerivedSources.make:
2529         * JavaScriptCore.xcodeproj/project.pbxproj:
2530         Handle new files.
2531
2532         * runtime/CallData.cpp:
2533         (JSC::profiledCall):
2534         * runtime/CallData.h:
2535         * runtime/Completion.cpp:
2536         (JSC::profiledEvaluate):
2537         * runtime/Completion.h:
2538         (JSC::profiledEvaluate):
2539         * runtime/ConstructData.cpp:
2540         (JSC::profiledConstruct):
2541         * runtime/ConstructData.h:
2542         (JSC::profiledConstruct):
2543         Create profiled versions of interpreter entry points. If a profiler client is
2544         available, this will automatically inform it of entry/exit. Include a reason
2545         why this is being profiled. Currently all reasons in JavaScriptCore are enumerated
2546         (API, Microtask) and Other is to be used by WebCore or future clients.
2547
2548         * debugger/ScriptProfilingScope.h: Added.
2549         (JSC::ScriptProfilingScope::ScriptProfilingScope):
2550         (JSC::ScriptProfilingScope::~ScriptProfilingScope):
2551         (JSC::ScriptProfilingScope::shouldStartProfile):
2552         (JSC::ScriptProfilingScope::shouldEndProfile):
2553         At profiled entry points inform the profiling client if needed.
2554
2555         * API/JSBase.cpp:
2556         (JSEvaluateScript):
2557         * API/JSObjectRef.cpp:
2558         (JSObjectCallAsFunction):
2559         (JSObjectCallAsConstructor):
2560         * runtime/JSJob.cpp:
2561         (JSC::JSJobMicrotask::run):
2562         Use the profiled functions for API and Microtask execution entry points.
2563
2564         * runtime/JSGlobalObject.cpp:
2565         (JSC::JSGlobalObject::hasProfiler):
2566         * runtime/JSGlobalObject.h:
2567         (JSC::JSGlobalObject::hasProfiler):
2568         Extend hasProfiler to also check the new Debugger script profiler.
2569
2570         * debugger/Debugger.cpp:
2571         (JSC::Debugger::setProfilingClient):
2572         (JSC::Debugger::willEvaluateScript):
2573         (JSC::Debugger::didEvaluateScript):
2574         * debugger/Debugger.h:
2575         Pass through to the profiling client.
2576
2577         * inspector/protocol/ScriptProfiler.json: Added.
2578         * inspector/agents/InspectorScriptProfilerAgent.cpp: Added.
2579         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
2580         (Inspector::InspectorScriptProfilerAgent::~InspectorScriptProfilerAgent):
2581         (Inspector::InspectorScriptProfilerAgent::didCreateFrontendAndBackend):
2582         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
2583         (Inspector::InspectorScriptProfilerAgent::startTracking):
2584         (Inspector::InspectorScriptProfilerAgent::stopTracking):
2585         (Inspector::InspectorScriptProfilerAgent::isAlreadyProfiling):
2586         (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
2587         (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
2588         (Inspector::toProtocol):
2589         (Inspector::InspectorScriptProfilerAgent::addEvent):
2590         (Inspector::buildAggregateCallInfoInspectorObject):
2591         (Inspector::buildInspectorObject):
2592         (Inspector::buildProfileInspectorObject):
2593         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2594         * inspector/agents/InspectorScriptProfilerAgent.h: Added.
2595         New ScriptProfiler domain to just turn on / off script profiling.
2596         It introduces a start/update/complete event model which we want
2597         to include in new domains.
2598
2599         * inspector/InspectorEnvironment.h:
2600         * inspector/InjectedScriptBase.cpp:
2601         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
2602         Simplify this now that we want it to be the same for all clients.
2603
2604         * inspector/JSGlobalObjectInspectorController.h:
2605         * inspector/JSGlobalObjectInspectorController.cpp:
2606         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2607         Create the new agent.
2608
2609         * inspector/InspectorProtocolTypes.h:
2610         (Inspector::Protocol::Array::addItem):
2611         Allow pushing a double onto a Protocol::Array.
2612
2613 2015-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2614
2615         [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
2616         https://bugs.webkit.org/show_bug.cgi?id=152227
2617
2618         Reviewed by Saam Barati.
2619
2620         This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
2621         We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
2622         The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.
2623
2624         Instead of extending NewFunction / PhantomNewFunction, we just added new DFG nodes, NewGeneratorFunction and PhantomNewGeneratorFunction.
2625         This is because NewGeneratorFunction will generate an object that has different class info from JSFunction (and if JSGeneratorFunction is extended, its size will become different from JSFunction's).
2626         So, rather than extending NewFunction with a generator flag, just adding new DFG nodes seems cleaner.
2627
2628         The object allocation sinking phase will change NewGeneratorFunction to PhantomNewGeneratorFunction and defer or eliminate its actual materialization.
2629         This is exactly the same as for NewFunction and PhantomNewFunction.
2630         And when an OSR exit occurs, we need to execute the deferred NewGeneratorFunction since the Baseline JIT does not consider it.
2631         So in the FTL operation, we should create a JSGeneratorFunction if we see a PhantomNewGeneratorFunction materialization.
2632
2633         * dfg/DFGAbstractInterpreterInlines.h:
2634         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2635         * dfg/DFGByteCodeParser.cpp:
2636         (JSC::DFG::ByteCodeParser::parseBlock):
2637         * dfg/DFGCapabilities.cpp:
2638         (JSC::DFG::capabilityLevel):
2639         * dfg/DFGClobberize.h:
2640         (JSC::DFG::clobberize):
2641         * dfg/DFGClobbersExitState.cpp:
2642         (JSC::DFG::clobbersExitState):
2643         * dfg/DFGDoesGC.cpp:
2644         (JSC::DFG::doesGC):
2645         * dfg/DFGFixupPhase.cpp:
2646         (JSC::DFG::FixupPhase::fixupNode):
2647         * dfg/DFGMayExit.cpp:
2648         (JSC::DFG::mayExit):
2649         * dfg/DFGNode.h:
2650         (JSC::DFG::Node::convertToPhantomNewFunction):
2651         (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
2652         (JSC::DFG::Node::hasCellOperand):
2653         (JSC::DFG::Node::isFunctionAllocation):
2654         (JSC::DFG::Node::isPhantomFunctionAllocation):
2655         (JSC::DFG::Node::isPhantomAllocation):
2656         * dfg/DFGNodeType.h:
2657         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2658         * dfg/DFGPredictionPropagationPhase.cpp:
2659         (JSC::DFG::PredictionPropagationPhase::propagate):
2660         * dfg/DFGSafeToExecute.h:
2661         (JSC::DFG::safeToExecute):
2662         * dfg/DFGSpeculativeJIT.cpp:
2663         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2664         * dfg/DFGSpeculativeJIT32_64.cpp:
2665         (JSC::DFG::SpeculativeJIT::compile):
2666         * dfg/DFGSpeculativeJIT64.cpp:
2667         (JSC::DFG::SpeculativeJIT::compile):
2668         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2669         * dfg/DFGStructureRegistrationPhase.cpp:
2670         (JSC::DFG::StructureRegistrationPhase::run):
2671         * dfg/DFGValidate.cpp:
2672         (JSC::DFG::Validate::validateCPS):
2673         (JSC::DFG::Validate::validateSSA):
2674         * ftl/FTLCapabilities.cpp:
2675         (JSC::FTL::canCompile):
2676         * ftl/FTLLowerDFGToLLVM.cpp:
2677         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2678         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2679         * ftl/FTLOperations.cpp:
2680         (JSC::FTL::operationPopulateObjectInOSR):
2681         (JSC::FTL::operationMaterializeObjectInOSR):
2682         * tests/stress/generator-function-create-optimized.js: Added.
2683         (shouldBe):
2684         (g):
2685         (test.return.gen):
2686         (test):
2687         (test2.gen):
2688         (test2):
2689         * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
2690         (shouldBe):
2691         (GeneratorFunctionPrototype):
2692         (call):
2693         (f):
2694         (sink):
2695         * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
2696         (shouldBe):
2697         (GeneratorFunctionPrototype):
2698         (g):
2699         (f):
2700         (sink):
2701         * tests/stress/generator-function-declaration-sinking-put.js: Added.
2702         (shouldBe):
2703         (GeneratorFunctionPrototype):
2704         (g):
2705         (f):
2706         (sink):
2707         * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
2708         (shouldBe):
2709         (GeneratorFunctionPrototype):
2710         (call):
2711         (f):
2712         (sink):
2713         * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
2714         (shouldBe):
2715         (GeneratorFunctionPrototype):
2716         (g):
2717         (sink):
2718         * tests/stress/generator-function-expression-sinking-put.js: Added.
2719         (shouldBe):
2720         (GeneratorFunctionPrototype):
2721         (g):
2722         (sink):
2723
2724 2015-12-16  Michael Saboff  <msaboff@apple.com>
2725
2726         ARM64 MacroAssembler improperly reuses data temp register in test32() and test8() calls
2727         https://bugs.webkit.org/show_bug.cgi?id=152370
2728
2729         Reviewed by Benjamin Poulain.
2730
2731         Changed the test8/32(Address, Register) flavors to use the memoryTempRegister for loading the value
2732         at Address so that it doesn't collide with the subsequent use of dataTempRegister by the
2733         test32(Register, Register) function.
2734
2735         * assembler/MacroAssemblerARM64.h:
2736         (JSC::MacroAssemblerARM64::test32):
2737         (JSC::MacroAssemblerARM64::test8):
2738
2739 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
2740
2741         FTL B3 should support switches
2742         https://bugs.webkit.org/show_bug.cgi?id=152360
2743
2744         Reviewed by Geoffrey Garen.
2745
2746         I implemented this because I was hoping it would let us run V8/crypto, but instead it just led
2747         me to file a fun bug: https://bugs.webkit.org/show_bug.cgi?id=152365.
2748
2749         * ftl/FTLB3Output.h:
2750         (JSC::FTL::Output::check):
2751         (JSC::FTL::Output::switchInstruction):
2752         (JSC::FTL::Output::ret):
2753         * ftl/FTLLowerDFGToLLVM.cpp:
2754         (JSC::FTL::DFG::ftlUnreachable):
2755         (JSC::FTL::DFG::LowerDFGToLLVM::crash):
2756
2757 2015-12-16  Alex Christensen  <achristensen@webkit.org>
2758
2759         Fix internal Windows build
2760         https://bugs.webkit.org/show_bug.cgi?id=152364
2761
2762         Reviewed by Tim Horton.
2763
2764         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2765
2766 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
2767
2768         Improve JSObject::put performance
2769         https://bugs.webkit.org/show_bug.cgi?id=152347
2770
2771         Reviewed by Geoffrey Garen.
2772
2773         This adds a new benchmark called dynbench, which just uses the C++ API to create, modify, and
2774         query objects. This also adds some optimizations to make the JSObject::put code faster by making
2775         it inlinable in places that really need the performance, like JITOperations and LLIntSlowPaths.
2776         Inlining it is optional because the put() method is large. If you want it inlined, call
2777         putInline(). There's a putInline() variant of both JSObject::put() and JSValue::put().
2778
2779         This is up to a 20% improvement for JSObject::put calls that get inlined all the way (like from
2780         JITOperations and the new benchmark) and it's also a speed-up, albeit a smaller one, for
2781         JSObject::put calls that don't get inlined (i.e. those from the DOM and the JSC C++ library code).
2782         Specific speed-ups are as follows. Note that "dynamic context" means that we told PutPropertySlot
2783         that we're not a static put_by_id, which turns off some type inference.
2784
2785         Get By Id: 2% faster
2786         Put By Id Replace: 23% faster
2787         Put By Id Transition + object allocation: 11% faster
2788         Get By Id w/ dynamic context: 5% faster
2789         Put By Id Replace w/ dynamic context: 25% faster
2790         Put By Id Transition + object allocation w/ dynamic context: 10% faster
2791
2792         * JavaScriptCore.xcodeproj/project.pbxproj:
2793         * dynbench.cpp: Added.
2794         (JSC::benchmarkImpl):
2795         (main):
2796         * jit/CallFrameShuffler32_64.cpp:
2797         * jit/CallFrameShuffler64.cpp:
2798         * jit/JITOperations.cpp:
2799         * llint/LLIntSlowPaths.cpp:
2800         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2801         * runtime/ClassInfo.h:
2802         (JSC::ClassInfo::hasStaticProperties):
2803         * runtime/ConsoleClient.cpp:
2804         * runtime/CustomGetterSetter.h:
2805         * runtime/ErrorInstance.cpp:
2806         (JSC::ErrorInstance::finishCreation):
2807         (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
2808         * runtime/GetterSetter.h:
2809         (JSC::asGetterSetter):
2810         * runtime/JSCInlines.h:
2811         * runtime/JSCJSValue.h:
2812         * runtime/JSCJSValueInlines.h:
2813         (JSC::JSValue::put):
2814         (JSC::JSValue::putInternal):
2815         (JSC::JSValue::putByIndex):
2816         * runtime/JSObject.cpp:
2817         (JSC::JSObject::put):
2818         (JSC::JSObject::putByIndex):
2819         * runtime/JSObject.h:
2820         (JSC::JSObject::getVectorLength):
2821         (JSC::JSObject::inlineGetOwnPropertySlot):
2822         (JSC::JSObject::get):
2823         (JSC::JSObject::putDirectInternal):
2824
2825 2015-12-16  Filip Pizlo  <fpizlo@apple.com>
2826
2827         Work around a bug in LLVM by flipping the unification order
2828         https://bugs.webkit.org/show_bug.cgi?id=152341
2829         rdar://problem/23920749
2830
2831         Reviewed by Mark Lam.
2832
2833         * dfg/DFGUnificationPhase.cpp:
2834         (JSC::DFG::UnificationPhase::run):
2835
2836 2015-12-16  Saam Barati  <sbarati@apple.com>
2837
2838         Add "explicit operator bool" to ScratchRegisterAllocator::PreservedState
2839         https://bugs.webkit.org/show_bug.cgi?id=152337
2840
2841         Reviewed by Mark Lam.
2842
2843         If we have a default constructor, we should also have a way
2844         to tell if a PreservedState is invalid.
2845
2846         * jit/ScratchRegisterAllocator.cpp:
2847         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2848         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2849         * jit/ScratchRegisterAllocator.h:
2850         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
2851         (JSC::ScratchRegisterAllocator::PreservedState::operator bool):
2852
2853 2015-12-16  Caitlin Potter  <caitp@igalia.com>
2854
2855         [JSC] fix error message for eval/arguments CoverInitializedName in strict code
2856         https://bugs.webkit.org/show_bug.cgi?id=152304
2857
2858         Reviewed by Darin Adler.
2859
2860         Because the error was originally classified as indicating a Pattern, the
2861         error in AssignmentPattern parsing causes the reported message to revert to
2862         the original Expression error message, which in this case is incorrect.
2863
2864         This change modifies the implementation of the strict code
2865         error slightly, and reclassifies the error to prevent the message revert,
2866         which improves the clarity of the message overall.
2867
2868         * parser/Parser.cpp:
2869         (JSC::Parser<LexerType>::parseAssignmentElement):
2870         (JSC::Parser<LexerType>::parseDestructuringPattern):
2871         * parser/Parser.h:
2872         (JSC::Parser::ExpressionErrorClassifier::reclassifyExpressionError):
2873         (JSC::Parser::reclassifyExpressionError):
2874         * tests/stress/destructuring-assignment-syntax.js:
2875
2876 2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>
2877
2878         Builtin source should be minified more
2879         https://bugs.webkit.org/show_bug.cgi?id=152290
2880
2881         Reviewed by Darin Adler.
2882
2883         * Scripts/builtins/builtins_model.py:
2884         (BuiltinFunction.fromString):
2885         Remove primarily empty lines that would just introduce clutter.
2886         We only do the minification in non-Debug configurations, which
2887         is determined by the CONFIGURATION environment variable. You can
2888         see how tests would generate differently, like so:
2889         shell> CONFIGURATION=Release ./Tools/Scripts/run-builtins-generator-tests
2890
2891 2015-12-16  Commit Queue  <commit-queue@webkit.org>
2892
2893         Unreviewed, rolling out r194135.
2894         https://bugs.webkit.org/show_bug.cgi?id=152333
2895
2896         due to missing OSR exit materialization support in FTL
2897         (Requested by yusukesuzuki on #webkit).
2898
2899         Reverted changeset:
2900
2901         "[ES6] Handle new_generator_func / new_generator_func_exp in
2902         DFG / FTL"
2903         https://bugs.webkit.org/show_bug.cgi?id=152227
2904         http://trac.webkit.org/changeset/194135
2905
2906 2015-12-16  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2907
2908         [Fetch API] Add fetch API compile time flag
2909         https://bugs.webkit.org/show_bug.cgi?id=152254
2910
2911         Reviewed by Darin Adler.
2912
2913         * Configurations/FeatureDefines.xcconfig:
2914
2915 2015-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2916
2917         [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
2918         https://bugs.webkit.org/show_bug.cgi?id=152227
2919
2920         Reviewed by Saam Barati.
2921
2922         This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
2923         We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
2924         The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.
2925
2926         * dfg/DFGAbstractInterpreterInlines.h:
2927         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2928         * dfg/DFGByteCodeParser.cpp:
2929         (JSC::DFG::ByteCodeParser::parseBlock):
2930         * dfg/DFGCapabilities.cpp:
2931         (JSC::DFG::capabilityLevel):
2932         * dfg/DFGClobberize.h:
2933         (JSC::DFG::clobberize):
2934         * dfg/DFGClobbersExitState.cpp:
2935         (JSC::DFG::clobbersExitState):
2936         * dfg/DFGDoesGC.cpp:
2937         (JSC::DFG::doesGC):
2938         * dfg/DFGFixupPhase.cpp:
2939         (JSC::DFG::FixupPhase::fixupNode):
2940         * dfg/DFGMayExit.cpp:
2941         (JSC::DFG::mayExit):
2942         * dfg/DFGNode.h:
2943         (JSC::DFG::Node::convertToPhantomNewFunction):
2944         (JSC::DFG::Node::hasCellOperand):
2945         (JSC::DFG::Node::isFunctionAllocation):
2946         * dfg/DFGNodeType.h:
2947         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2948         * dfg/DFGPredictionPropagationPhase.cpp:
2949         (JSC::DFG::PredictionPropagationPhase::propagate):
2950         * dfg/DFGSafeToExecute.h:
2951         (JSC::DFG::safeToExecute):
2952         * dfg/DFGSpeculativeJIT.cpp:
2953         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2954         * dfg/DFGSpeculativeJIT32_64.cpp:
2955         (JSC::DFG::SpeculativeJIT::compile):
2956         * dfg/DFGSpeculativeJIT64.cpp:
2957         (JSC::DFG::SpeculativeJIT::compile):
2958         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2959         * dfg/DFGStructureRegistrationPhase.cpp:
2960         (JSC::DFG::StructureRegistrationPhase::run):
2961         * ftl/FTLCapabilities.cpp:
2962         (JSC::FTL::canCompile):
2963         * ftl/FTLLowerDFGToLLVM.cpp:
2964         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2965         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2966         * tests/stress/generator-function-create-optimized.js: Added.
2967         (shouldBe):
2968         (g):
2969         (test.return.gen):
2970         (test):
2971         (test2.gen):
2972         (test2):
2973         * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
2974         (shouldBe):
2975         (GeneratorFunctionPrototype):
2976         (call):
2977         (f):
2978         (sink):
2979         * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
2980         (shouldBe):
2981         (GeneratorFunctionPrototype):
2982         (g):
2983         (f):
2984         (sink):
2985         * tests/stress/generator-function-declaration-sinking-put.js: Added.
2986         (shouldBe):
2987         (GeneratorFunctionPrototype):
2988         (g):
2989         (f):
2990         (sink):
2991         * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
2992         (shouldBe):
2993         (GeneratorFunctionPrototype):
2994         (call):
2995         (f):
2996         (sink):
2997         * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
2998         (shouldBe):
2999         (GeneratorFunctionPrototype):
3000         (g):
3001         (sink):
3002         * tests/stress/generator-function-expression-sinking-put.js: Added.
3003         (shouldBe):
3004         (GeneratorFunctionPrototype):
3005         (g):
3006         (sink):
3007
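The observable fact behind the separate NewGeneratorFunction node, in both the entry above and its reland earlier in this log, is that a generator function's [[Prototype]] is %GeneratorFunction.prototype% rather than %Function.prototype%. The following is an added example (not JavaScriptCore code or one of its stress tests); the helper names `prototypeChainNames` and `generatorsShareDistinctPrototype` are this example's own.

```javascript
// Added example, not JavaScriptCore code: why a generator function cannot
// share an ordinary function's structure. Its [[Prototype]] is
// %GeneratorFunction.prototype%, which itself inherits from Function.prototype.
function* generatorDecl() { yield 1; }
const generatorExpr = function* () { yield 2; };
function ordinaryDecl() { return 1; }

// The intrinsic has no global binding; obtain it from any generator function.
const GeneratorFunctionPrototype = Object.getPrototypeOf(function* () {});

// Walk the prototype chain of a callable and name each link it passes through.
// Names are this example's own labels for the well-known intrinsics.
function prototypeChainNames(fn) {
  const names = [];
  for (let p = Object.getPrototypeOf(fn); p !== null; p = Object.getPrototypeOf(p)) {
    if (p === GeneratorFunctionPrototype) names.push("GeneratorFunction.prototype");
    else if (p === Function.prototype) names.push("Function.prototype");
    else if (p === Object.prototype) names.push("Object.prototype");
    else names.push("(other)");
  }
  return names;
}

// True when every generator function (declaration or expression) has the same
// [[Prototype]], that prototype is not Function.prototype, and it inherits
// from Function.prototype: exactly the layout the changelog entry describes.
function generatorsShareDistinctPrototype(fns = [generatorDecl, generatorExpr]) {
  return fns.every((fn) => Object.getPrototypeOf(fn) === GeneratorFunctionPrototype)
    && GeneratorFunctionPrototype !== Function.prototype
    && Object.getPrototypeOf(GeneratorFunctionPrototype) === Function.prototype;
}
```

Because the chain differs at the very first link, an engine that keyed the allocated cell's structure off the ordinary function prototype would produce an object whose `__proto__` is wrong; that is the correctness reason for a distinct node rather than a flag on NewFunction.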
3008 2015-12-15  Mark Lam  <mark.lam@apple.com>
3009
3010         Gardening: fix broken 32-bit JSC tests.  Just need to assign a scratch register.
3011         https://bugs.webkit.org/show_bug.cgi?id=152191
3012
3013         Not reviewed.
3014
3015         * jit/JITArithmetic.cpp:
3016         (JSC::JIT::emitBitBinaryOpFastPath):
3017
3018 2015-12-15  Mark Lam  <mark.lam@apple.com>
3019
3020         Introducing ScratchRegisterAllocator::PreservedState.
3021         https://bugs.webkit.org/show_bug.cgi?id=152315
3022
3023         Reviewed by Geoffrey Garen.
3024
3025         restoreReusedRegistersByPopping() should always be called with 2 values that
3026         match the expectation of preserveReusedRegistersByPushing().  Those 2 values
3027         are the number of bytes preserved and the ExtraStackSpace requirement.  By
3028         encapsulating them in a ScratchRegisterAllocator::PreservedState, we can make
3029         it less error prone when calling restoreReusedRegistersByPopping().  Now, we only
3030         need to pass it the appropriate PreservedState that its matching
3031         preserveReusedRegistersByPushing() returned.
3032
3033         * bytecode/PolymorphicAccess.cpp:
3034         (JSC::AccessGenerationState::restoreScratch):
3035         (JSC::AccessCase::generate):
3036         (JSC::PolymorphicAccess::regenerate):
3037         * bytecode/PolymorphicAccess.h:
3038         (JSC::AccessGenerationState::AccessGenerationState):
3039         * ftl/FTLCompileBinaryOp.cpp:
3040         (JSC::FTL::generateBinaryBitOpFastPath):
3041         (JSC::FTL::generateRightShiftFastPath):
3042         (JSC::FTL::generateBinaryArithOpFastPath):
3043         * ftl/FTLLazySlowPath.cpp:
3044         (JSC::FTL::LazySlowPath::generate):
3045         * ftl/FTLLowerDFGToLLVM.cpp:
3046         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
3047         * jit/ScratchRegisterAllocator.cpp:
3048         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
3049         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
3050         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3051         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3052         * jit/ScratchRegisterAllocator.h:
3053         (JSC::ScratchRegisterAllocator::usedRegisters):
3054         (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
3055
3056 2015-12-15  Mark Lam  <mark.lam@apple.com>
3057
3058         Polymorphic operand types for DFG and FTL bit operators.
3059         https://bugs.webkit.org/show_bug.cgi?id=152191
3060
3061         Reviewed by Saam Barati.
3062
3063         * bytecode/SpeculatedType.h:
3064         (JSC::isUntypedSpeculationForBitOps):
3065         * dfg/DFGAbstractInterpreterInlines.h:
3066         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3067         * dfg/DFGNode.h:
3068         (JSC::DFG::Node::shouldSpeculateUntypedForBitOps):
3069         - Added check for types not supported by ValueToInt32, and which therefore should be
3070           treated as untyped for bitops.
3071
3072         * dfg/DFGClobberize.h:
3073         (JSC::DFG::clobberize):
3074         * dfg/DFGFixupPhase.cpp:
3075         (JSC::DFG::FixupPhase::fixupNode):
3076         - Handled untyped operands.
3077
3078         * dfg/DFGOperations.cpp:
3079         * dfg/DFGOperations.h:
3080         - Added DFG slow path functions for bitops.
3081
3082         * dfg/DFGSpeculativeJIT.cpp:
3083         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
3084         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
3085         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
3086         (JSC::DFG::SpeculativeJIT::compileShiftOp):
3087         * dfg/DFGSpeculativeJIT.h:
3088         - Added DFG backend support for untyped operands for bitops.
3089
3090         * dfg/DFGStrengthReductionPhase.cpp:
3091         (JSC::DFG::StrengthReductionPhase::handleNode):
3092         - Limit bitops strength reduction only to when we don't have untyped operands.
3093           This is because values that are not int32s need to be converted to int32.
3094           Without untyped operands, the ValueToInt32 node takes care of this.
3095           With untyped operands, we cannot use ValueToInt32, and need to do the conversion
3096           in the code emitted for the bitop node itself.  For example:
3097
3098               5.5 | 0; // yields 5 because ValueToInt32 converts the 5.5 to a 5.
3099               "abc" | 0; // would yield "abc" instead of the expected 0 if we let
3100                          // strength reduction do its thing.
3101
3102         * ftl/FTLCompileBinaryOp.cpp:
3103         (JSC::FTL::generateBinaryBitOpFastPath):
3104         (JSC::FTL::generateRightShiftFastPath):
3105         (JSC::FTL::generateBinaryOpFastPath):
3106
3107         * ftl/FTLInlineCacheDescriptor.h:
3108         (JSC::FTL::BitAndDescriptor::BitAndDescriptor):
3109         (JSC::FTL::BitAndDescriptor::icSize):
3110         (JSC::FTL::BitAndDescriptor::nodeType):
3111         (JSC::FTL::BitAndDescriptor::opName):
3112         (JSC::FTL::BitAndDescriptor::slowPathFunction):
3113         (JSC::FTL::BitAndDescriptor::nonNumberSlowPathFunction):
3114         (JSC::FTL::BitOrDescriptor::BitOrDescriptor):
3115         (JSC::FTL::BitOrDescriptor::icSize):
3116         (JSC::FTL::BitOrDescriptor::nodeType):
3117         (JSC::FTL::BitOrDescriptor::opName):
3118         (JSC::FTL::BitOrDescriptor::slowPathFunction):
3119         (JSC::FTL::BitOrDescriptor::nonNumberSlowPathFunction):
3120         (JSC::FTL::BitXorDescriptor::BitXorDescriptor):
3121         (JSC::FTL::BitXorDescriptor::icSize):
3122         (JSC::FTL::BitXorDescriptor::nodeType):
3123         (JSC::FTL::BitXorDescriptor::opName):
3124         (JSC::FTL::BitXorDescriptor::slowPathFunction):
3125         (JSC::FTL::BitXorDescriptor::nonNumberSlowPathFunction):
3126         (JSC::FTL::BitLShiftDescriptor::BitLShiftDescriptor):
3127         (JSC::FTL::BitLShiftDescriptor::icSize):
3128         (JSC::FTL::BitLShiftDescriptor::nodeType):
3129         (JSC::FTL::BitLShiftDescriptor::opName):
3130         (JSC::FTL::BitLShiftDescriptor::slowPathFunction):
3131         (JSC::FTL::BitLShiftDescriptor::nonNumberSlowPathFunction):
3132         (JSC::FTL::BitRShiftDescriptor::BitRShiftDescriptor):
3133         (JSC::FTL::BitRShiftDescriptor::icSize):
3134         (JSC::FTL::BitRShiftDescriptor::nodeType):
3135         (JSC::FTL::BitRShiftDescriptor::opName):
3136         (JSC::FTL::BitRShiftDescriptor::slowPathFunction):
3137         (JSC::FTL::BitRShiftDescriptor::nonNumberSlowPathFunction):
3138         (JSC::FTL::BitURShiftDescriptor::BitURShiftDescriptor):
3139         (JSC::FTL::BitURShiftDescriptor::icSize):
3140         (JSC::FTL::BitURShiftDescriptor::nodeType):
3141         (JSC::FTL::BitURShiftDescriptor::opName):
3142         (JSC::FTL::BitURShiftDescriptor::slowPathFunction):
3143         (JSC::FTL::BitURShiftDescriptor::nonNumberSlowPathFunction):
3144         - Added support for bitop ICs.
3145
3146         * ftl/FTLInlineCacheSize.cpp:
3147         (JSC::FTL::sizeOfBitAnd):
3148         (JSC::FTL::sizeOfBitOr):
3149         (JSC::FTL::sizeOfBitXor):
3150         (JSC::FTL::sizeOfBitLShift):
3151         (JSC::FTL::sizeOfBitRShift):
3152         (JSC::FTL::sizeOfBitURShift):
3153         * ftl/FTLInlineCacheSize.h:
3154         - Added new bitop IC sizes.  These are just estimates for now that work adequately,
3155           and are shown to not impact performance on benchmarks.  We will re-tune these
3156           size values later in another patch once all snippet ICs have been added.
3157
3158         * ftl/FTLLowerDFGToLLVM.cpp:
3159         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
3160         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
3161         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
3162         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
3163         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
3164         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
3165         - Added support for bitop ICs.
3166
3167         * jit/JITLeftShiftGenerator.cpp:
3168         (JSC::JITLeftShiftGenerator::generateFastPath):
3169         * jit/JITLeftShiftGenerator.h:
3170         (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
3171         * jit/JITRightShiftGenerator.cpp:
3172         (JSC::JITRightShiftGenerator::generateFastPath):
3173         - The shift MASM operations need to ensure that the shiftAmount is not in the same
3174           register as the destination register.  With the baselineJIT and DFG, this is
3175           ensured in how we allocate these registers, and hence, the bug does not manifest.
3176           With the FTL, these registers are not guaranteed to be unique.  Hence, we need
3177           to fix the shift op snippet code to compensate for this.
3178
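The strength-reduction caveat in the entry above (`5.5 | 0` yields 5, `"abc" | 0` must yield 0) comes down to the ToInt32 conversion that a bitop performs on each operand. The following added example (not JavaScriptCore code) spells that conversion out step by step and checks it against the engine's own `| 0` over a constructed set of operands of the kinds the DFG must handle once they are "untyped"; `toInt32`, `samples`, `toInt32MatchesEngine` and `operandsWhereReductionIsWrong` are this example's own names.

```javascript
// Added example, not JavaScriptCore code: why `x | 0` cannot be reduced to `x`
// unless x is already known to be an int32. The operator is defined as
// ToInt32(x) | ToInt32(0), so for every other operand type the conversion
// is the whole observable effect of the operation.

// Spec-style ToInt32 (ECMA-262 7.1.6) written out explicitly, so that each
// step an engine's ValueToInt32 node performs is visible.
function toInt32(value) {
  const number = Number(value);            // ToNumber: "abc" -> NaN, "0x10" -> 16, [] -> 0
  if (!Number.isFinite(number)) return 0;  // NaN and +/-Infinity map to 0
  const truncated = Math.trunc(number) || 0; // toward zero; `|| 0` folds -0 to +0
  const modulo = truncated % 2 ** 32;      // reduce modulo 2^32 (sign follows the dividend)
  const int32bit = modulo < 0 ? modulo + 2 ** 32 : modulo; // normalise to [0, 2^32)
  return int32bit >= 2 ** 31 ? int32bit - 2 ** 32 : int32bit; // reinterpret as signed
}

// Constructed sample operands: int32, doubles (including out-of-range and
// fractional), strings, odd primitives, and an object whose valueOf runs.
const samples = [
  5, 5.5, -5.5, -0.5, 2 ** 31, 2 ** 32 + 7, 4294967295, NaN, Infinity,
  "abc", "42", "0x10", " 7 ", true, null, undefined, [],
  { valueOf() { return 12.9; } },
];

// True only if the explicit ToInt32 agrees with the engine's `| 0` for every
// sample. Object.is is used so that a stray -0 would be caught as well.
function toInt32MatchesEngine(values = samples) {
  return values.every((v) => Object.is(toInt32(v), v | 0));
}

// The operands for which `x | 0` is not identical to `x`: exactly the inputs
// on which rewriting `x | 0` to `x` would change program behaviour.
function operandsWhereReductionIsWrong(values = samples) {
  return values.filter((v) => !Object.is(v | 0, v));
}
```

Of the constructed samples only the plain int32 `5` survives the rewrite unchanged; every other operand, including the string cases the entry calls out, changes value or type. That is the property the DFG's untyped-operand check preserves by leaving the conversion inside the bitop node's own emitted code.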
3179 2015-12-15  Caitlin Potter  <caitp@igalia.com>
3180
3181         [JSC] SyntaxError if AssignmentElement is `eval` or `arguments` in strict code
3182         https://bugs.webkit.org/show_bug.cgi?id=152302
3183
3184         Reviewed by Mark Lam.
3185
3186         `eval` and `arguments` must not be assigned to in strict code. This
3187         change fixes `language/expressions/assignment/destructuring/obj-id-simple-strict.js`
3188         in Test262, as well as a variety of other similar tests.
3189
3190         * parser/Parser.cpp:
3191         (JSC::Parser<LexerType>::parseAssignmentElement):
3192         (JSC::Parser<LexerType>::parseDestructuringPattern):
3193         * tests/stress/destructuring-assignment-syntax.js:
3194
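The two parser entries above (the SyntaxError for `eval`/`arguments` as an AssignmentElement in strict code, and the earlier fix to its error message) describe a parse-time rejection. The following added example (not JavaScriptCore's test code) compiles constructed snippets with `new Function`, which parses a body without executing it, so a SyntaxError here is the parser's verdict rather than a runtime failure; `parseError`, `cases`, `classify` and `strictRejectsEvalAndArguments` are this example's own names, and the expected results are those of any conforming engine, not JSC-specific messages.

```javascript
// Added example, not JavaScriptCore code: observe which destructuring
// assignments a conforming engine rejects at parse time.

// Compile `source` as a function body without running it. Returns "SyntaxError"
// when parsing fails, null when it parses, and flags anything else as unexpected.
function parseError(source) {
  try {
    new Function(source); // parse only; the body is never executed
    return null;
  } catch (e) {
    return e instanceof SyntaxError ? e.name : `unexpected: ${e.name}`;
  }
}

// Constructed cases: the same AssignmentElement in sloppy and strict code.
// A function body is sloppy unless it carries its own "use strict" directive.
const cases = [
  { label: "sloppy array element eval",        src: "[eval] = [1];" },
  { label: "strict array element eval",        src: '"use strict"; [eval] = [1];' },
  { label: "sloppy object element arguments",  src: "({ a: arguments } = { a: 1 });" },
  { label: "strict object element arguments",  src: '"use strict"; ({ a: arguments } = { a: 1 });' },
  { label: "strict nested element eval",       src: '"use strict"; [[eval]] = [[1]];' },
  { label: "strict ordinary identifier",       src: '"use strict"; let x; [x] = [1];' },
];

// Map each label to the parser's verdict for its snippet.
function classify(list = cases) {
  const verdicts = {};
  for (const c of list) verdicts[c.label] = parseError(c.src);
  return verdicts;
}

// True when exactly the strict-code snippets that target eval/arguments are
// rejected, and every other snippet parses cleanly.
function strictRejectsEvalAndArguments(list = cases) {
  const verdicts = classify(list);
  return list.every((c) => {
    const mustReject = c.src.includes('"use strict"') && /\b(eval|arguments)\b/.test(c.src);
    return mustReject ? verdicts[c.label] === "SyntaxError" : verdicts[c.label] === null;
  });
}
```

The sloppy-mode snippets parse because an IdentifierReference named `eval` or `arguments` has a simple AssignmentTargetType outside strict code; only in strict code does the same target become invalid, which is the check `parseAssignmentElement` enforces.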
3195 2015-12-15  Csaba Osztrogonác  <ossy@webkit.org>
3196
3197         URTBF after 194062.
3198
3199         * assembler/MacroAssemblerARM.h:
3200         (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Added.
3201         (JSC::MacroAssemblerARM::ceilDouble): Added.
3202
3203 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3204
3205         FTL B3 should account for localsOffset
3206         https://bugs.webkit.org/show_bug.cgi?id=152288
3207
3208         Reviewed by Saam Barati.
3209
3210         The DFG will build up some data structures that expect to know about offsets from FP. Those data
3211         structures may slide by some offset when the low-level compiler (either LLVM or B3) does stack
3212         allocation. So, the LLVM FTL modifies those data structures based on the real offset that it gets
3213         from LLVM's stackmaps. The B3 code needs to do the same.
3214
3215         I had previously vowed to never put more stuff into FTLB3Compile.cpp, because I didn't want it to
3216         look like FTLCompile.cpp. Up until now, I was successful because I used lambdas installed by
3217         FTLLower. But in this case, I actually think that having code that just does this explicitly in
3218         FTLB3Compile.cpp is least confusing. There is no particular place in FTLLower that would want to
3219         care about this, and we need to ensure that we do this fixup before we run any of the stackmap
3220         generators. In other words, it needs to happen before we call B3::generate(). The ordering
3221         constraints seem like a good reason to have this done explicitly rather than through lambdas.
3222
3223         I wrote a test. The test was failing in trunk because the B3 meaning of anchor().value() is
3224         different from the LLVM meaning. This caused breakage when we used this idiom:
3225
3226             ValueFromBlock foo = m_out.anchor(things);
3227             ...(foo.value()) // we were expecting that foo.value() == things
3228
3229         I never liked this idiom to begin with, so instead of trying to change B3's anchor(), I changed
3230         the idiom to:
3231
3232             LValue fooValue = things;
3233             ValueFromBlock foo = m_out.anchor(fooValue);
3234             ...(fooValue)
3235
3236         This is probably a good idea, since eventually we want B3's anchor() to just return the
3237         UpsilonValue*. To get there, we want to eliminate any situations where code assumes that
3238         ValueFromBlock is an actual object and not just a typedef for a pointer.
3239
3240         * ftl/FTLB3Compile.cpp:
3241         (JSC::FTL::compile):
3242         * ftl/FTLB3Output.cpp:
3243         (JSC::FTL::Output::appendTo):
3244         (JSC::FTL::Output::lockedStackSlot):
3245         * ftl/FTLB3Output.h:
3246         (JSC::FTL::Output::framePointer):
3247         (JSC::FTL::Output::constBool):
3248         (JSC::FTL::Output::constInt32):
3249         * ftl/FTLLowerDFGToLLVM.cpp:
3250         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3251         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
3252         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
3253         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
3254         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringCharAt):
3255         (JSC::FTL::DFG::LowerDFGToLLVM::compileForwardVarargs):
3256         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty):
3257         (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
3258         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
3259         * ftl/FTLState.h:
3260         (JSC::FTL::verboseCompilationEnabled):
3261         * tests/stress/ftl-function-dot-arguments-with-callee-saves.js: Added.
3262
3263 2015-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3264
3265         Math.random should have an intrinsic thunk and it should be later handled as a DFG Node
3266         https://bugs.webkit.org/show_bug.cgi?id=152133
3267
3268         Reviewed by Geoffrey Garen.
3269
3270         In this patch, we implement a new RandomIntrinsic. It emits machine code to generate random numbers efficiently.
3271         And later it will be recognized by DFG and converted to ArithRandom node.
3272         It provides type information SpecDoubleReal since Math.random only generates a number within [0, 1.0).
3273
3274         Currently, only 64bit version is supported. On 32bit environment, ArithRandom will be converted to callOperation.
3275         While it emits a function call, ArithRandom node on 32bit still represents SpecDoubleReal as a result type.
3276
3277         * dfg/DFGAbstractHeap.h:
3278         * dfg/DFGAbstractInterpreterInlines.h:
3279         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3280         * dfg/DFGByteCodeParser.cpp:
3281         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3282         * dfg/DFGClobberize.h:
3283         (JSC::DFG::clobberize):
3284         * dfg/DFGDoesGC.cpp:
3285         (JSC::DFG::doesGC):
3286         * dfg/DFGFixupPhase.cpp:
3287         (JSC::DFG::FixupPhase::fixupNode):
3288         * dfg/DFGNodeType.h:
3289         * dfg/DFGOperations.cpp:
3290         * dfg/DFGOperations.h:
3291         * dfg/DFGPredictionPropagationPhase.cpp:
3292         (JSC::DFG::PredictionPropagationPhase::propagate):
3293         * dfg/DFGSafeToExecute.h:
3294         (JSC::DFG::safeToExecute):
3295         * dfg/DFGSpeculativeJIT.h:
3296         (JSC::DFG::SpeculativeJIT::callOperation):
3297         * dfg/DFGSpeculativeJIT32_64.cpp:
3298         (JSC::DFG::SpeculativeJIT::compile):
3299         (JSC::DFG::SpeculativeJIT::compileArithRandom):
3300         * dfg/DFGSpeculativeJIT64.cpp:
3301         (JSC::DFG::SpeculativeJIT::compile):
3302         (JSC::DFG::SpeculativeJIT::compileArithRandom):
3303         * ftl/FTLCapabilities.cpp:
3304         (JSC::FTL::canCompile):
3305         * ftl/FTLLowerDFGToLLVM.cpp:
3306         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
3307         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRandom):
3308         * jit/AssemblyHelpers.cpp:
3309         (JSC::emitRandomThunkImpl):
3310         (JSC::AssemblyHelpers::emitRandomThunk):
3311         * jit/AssemblyHelpers.h:
3312         * jit/JITOperations.h:
3313         * jit/ThunkGenerators.cpp:
3314         (JSC::randomThunkGenerator):
3315         * jit/ThunkGenerators.h:
3316         * runtime/Intrinsic.h:
3317         * runtime/JSGlobalObject.h:
3318         (JSC::JSGlobalObject::weakRandomOffset):
3319         * runtime/MathObject.cpp:
3320         (JSC::MathObject::finishCreation):
3321         * runtime/VM.cpp:
3322         (JSC::thunkGeneratorForIntrinsic):
3323         * tests/stress/random-53bit.js: Added.
3324         (test):
3325         * tests/stress/random-in-range.js: Added.
3326         (test):
3327
3328 2015-12-14  Benjamin Poulain  <benjamin@webkit.org>
3329
3330         Rename FTL::Output's ceil64() to doubleCeil()
3331
3332         Rubber-stamped by Filip Pizlo.
3333
3334         ceil64() was a bad name; that's the naming convention we use for integers.
3335
3336         * ftl/FTLB3Output.h:
3337         (JSC::FTL::Output::doubleCeil):
3338         (JSC::FTL::Output::ceil64): Deleted.
3339         * ftl/FTLLowerDFGToLLVM.cpp:
3340         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRound):
3341
3342 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3343
3344         FTL B3 should be able to run n-body.js
3345         https://bugs.webkit.org/show_bug.cgi?id=152281
3346
3347         Reviewed by Benjamin Poulain.
3348
3349         Fix a bug where m_captured was pointing to the start of the captured vars slot rather than the
3350         end, like the rest of the FTL expected.
3351
3352         * ftl/FTLLowerDFGToLLVM.cpp:
3353         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3354
3355 2015-12-14  Benjamin Poulain  <bpoulain@apple.com>
3356
3357         Fix bad copy-paste in r194062
3358
3359         * ftl/FTLB3Output.h:
3360         (JSC::FTL::Output::ceil64):
3361
3362 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3363
3364         Unreviewed, fix cloop build.
3365
3366         * jit/GPRInfo.cpp:
3367
3368 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
3369
3370         FTL B3 should do PutById
3371         https://bugs.webkit.org/show_bug.cgi?id=152268