Stackmaps have problems with double register constraints
2016-02-24  Filip Pizlo  <fpizlo@apple.com>

        Stackmaps have problems with double register constraints
        https://bugs.webkit.org/show_bug.cgi?id=154643

        Reviewed by Geoffrey Garen.

        This is currently a benign bug. I found it while playing.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::fillStackmap):
        * b3/testb3.cpp:
        (JSC::B3::testURShiftSelf64):
        (JSC::B3::testPatchpointDoubleRegs):
        (JSC::B3::zero):
        (JSC::B3::run):

2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
        https://bugs.webkit.org/show_bug.cgi?id=153981

        Reviewed by Saam Barati.

        In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
        'super', and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
        The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
        During syntax analysis, the parser stores information about the variables used in the arrow function inside
        the ordinary function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.

        * bytecode/ExecutableInfo.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
        (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
        (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
        (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
        (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
        (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
        (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
        (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
        (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        * parser/Nodes.cpp:
        (JSC::FunctionMetadataNode::FunctionMetadataNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::isArrowFunctionBoundary):
        (JSC::Scope::innerArrowFunctionFeatures):
        (JSC::Scope::setInnerArrowFunctionUseSuperCall):
        (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
        (JSC::Scope::setInnerArrowFunctionUseEval):
        (JSC::Scope::setInnerArrowFunctionUseThis):
        (JSC::Scope::setInnerArrowFunctionUseNewTarget):
        (JSC::Scope::setInnerArrowFunctionUseArguments):
        (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::mergeInnerArrowFunctionFeatures):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::setIsArrowFunction):
        (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
        (JSC::Parser::pushScope):
        (JSC::Parser::popScopeInternal):
        * parser/ParserModes.h:
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionMetadata):
        * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
        * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
        * tests/stress/arrowfunction-lexical-bind-newtarget.js:
        * tests/stress/arrowfunction-lexical-bind-superproperty.js:
        * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.

2016-02-23  Brian Burg  <bburg@apple.com>

        Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
        https://bugs.webkit.org/show_bug.cgi?id=154615
        <rdar://problem/24804330>

        Reviewed by Timothy Hatcher.

        Some of the generated Objective-C bindings are only relevant to code acting as the
        protocol backend. Add a per-generator setting mechanism and propagate --frontend and
        --backend to all generators. Use the setting in a few generators to omit code that's
        not needed.

        Also fix a few places where the code emits the wrong Objective-C class prefix.
        There is some common non-generated code that must always have the RWIProtocol prefix.

        Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
        macros defined in the internal header now need to be used outside of the framework.

        * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
        Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
        depending on the target framework.

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator.generate_output):
        For now, omit generating command protocol and event dispatchers when generating for --frontend.

        (ObjCHeaderGenerator._generate_type_interface):
        Use OBJC_STATIC_PREFIX along with the unprefixed file name.

        * inspector/scripts/codegen/generate_objc_internal_header.py:
        Use RWIProtocolJSONObjectPrivate.h instead.

        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        Include the Internal header if it's being generated (only for --backend).

        * inspector/scripts/codegen/generator.py:
        (Generator.__init__):
        (Generator.set_generator_setting):
        (Generator):
        (Generator.get_generator_setting):
        Crib a simple setting system from the Framework class. Make the names more obnoxious.

        (Generator.string_for_file_include):
        Inspired by the replay input generator, this is a function that uses the proper syntax
        for a file include depending on the file's framework and target framework.

        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.and):
        (ObjCGenerator.and.objc_prefix):
        (ObjCGenerator):
        (ObjCGenerator.objc_type_for_raw_name):
        (ObjCGenerator.objc_class_for_raw_name):
        Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.

        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification):
        Change the generators to use for the frontend. Propagate --frontend and --backend.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.

2016-02-23  Saam barati  <sbarati@apple.com>

        arrayProtoFuncConcat doesn't check for an exception after allocating an array
        https://bugs.webkit.org/show_bug.cgi?id=154621

        Reviewed by Michael Saboff.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):

2016-02-23  Dan Bernstein  <mitz@apple.com>

        [Xcode] Linker errors display mangled names, but no longer should
        https://bugs.webkit.org/show_bug.cgi?id=154632

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.

2016-02-23  Gavin Barraclough  <barraclough@apple.com>

        Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
        https://bugs.webkit.org/show_bug.cgi?id=112323

        Reviewed by Chris Dumez.

        This feature is controlled by a runtime switch, and defaults off.

        * Configurations/FeatureDefines.xcconfig:

2016-02-23  Keith Miller  <keith_miller@apple.com>

        JSC stress tests' standalone-pre.js should exit on the first failure by default
        https://bugs.webkit.org/show_bug.cgi?id=154565

        Reviewed by Mark Lam.

        Currently, if a test writer does not call finishJSTest() at the end of
        any test using stress/resources/standalone-pre.js then the test can fail
        without actually reporting an error to the harness. By default, we
        should throw on the first error so, in the event someone does not call
        finishJSTest() the harness will still notice the error.

        * tests/stress/regress-151324.js:
        * tests/stress/resources/standalone-pre.js:
        (testFailed):

2016-02-23  Saam barati  <sbarati@apple.com>

        Make JSObject::getMethod have fewer branches
        https://bugs.webkit.org/show_bug.cgi?id=154603

        Reviewed by Mark Lam.

        Writing code with fewer branches is almost always better.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getMethod):

2016-02-23  Filip Pizlo  <fpizlo@apple.com>

        B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
        https://bugs.webkit.org/show_bug.cgi?id=154592

        Reviewed by Saam Barati.

        If Foo has a virtual destructor, then:

        foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
        subclass of Foo that overrides the destructor, this syntax will not call that override.

        foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
        get the subclass's override.

        In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
        This caused leaks because this didn't actually call the subclass's override. This fixes the
        problem by using this->~Value() instead.

        * b3/B3ControlValue.cpp:
        (JSC::B3::ControlValue::convertToJump):
        (JSC::B3::ControlValue::convertToOops):
        * b3/B3Value.cpp:
        (JSC::B3::Value::replaceWithIdentity):
        (JSC::B3::Value::replaceWithNop):
        (JSC::B3::Value::replaceWithPhi):

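The qualified-versus-unqualified destructor call distinction that the entry above relies on, shown as an added stand-alone example (this is not WebKit code; the Base, Derived and DtorLog types are constructed for the demo, with Derived standing in for a B3::Value subclass that owns extra state). The explicit destructor calls are made on an object placed into local storage so that nothing destroys it a second time at scope exit:

```cpp
#include <cstdio>
#include <new>

// Constructed for this example: counts which destructors actually ran.
struct DtorLog {
    int base = 0;
    int derived = 0;
};

struct Base {
    explicit Base(DtorLog& log) : m_log(log) { }
    virtual ~Base() { ++m_log.base; }
    DtorLog& m_log;
};

// Stands in for a subclass that owns extra state. The increment in its
// destructor models releasing that state; if the destructor never runs,
// the state is leaked, which is the bug the entry describes.
struct Derived : Base {
    explicit Derived(DtorLog& log) : Base(log) { }
    ~Derived() override { ++m_log.derived; }
};

// Constructs a Derived in local storage, then destroys it through a Base*
// with the qualified form. The call is non-virtual, so only Base::~Base runs
// even though the dynamic type is Derived.
DtorLog destroyWithQualifiedCall()
{
    DtorLog log;
    alignas(Derived) unsigned char storage[sizeof(Derived)];
    Base* value = new (storage) Derived(log);
    value->Base::~Base(); // the pattern B3 used: Derived::~Derived is skipped
    return log;
}

// Same setup with the unqualified form. The call dispatches virtually, so
// Derived::~Derived runs first and then chains to Base::~Base.
DtorLog destroyWithVirtualCall()
{
    DtorLog log;
    alignas(Derived) unsigned char storage[sizeof(Derived)];
    Base* value = new (storage) Derived(log);
    value->~Base(); // the fix: both destructors run
    return log;
}

int main()
{
    DtorLog qualified = destroyWithQualifiedCall();
    DtorLog virt = destroyWithVirtualCall();
    std::printf("value->Base::~Base(): base=%d derived=%d\n", qualified.base, qualified.derived);
    std::printf("value->~Base():       base=%d derived=%d\n", virt.base, virt.derived);
    return 0;
}
```

The qualified form is the right tool only when the caller genuinely wants the base-class destructor alone, for example when re-seating an object in place and immediately reconstructing the same base subobject. Whenever the pointer may refer to a subclass with its own cleanup, the unqualified call is the one that honours the virtual destructor.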
2016-02-23  Brian Burg  <bburg@apple.com>

        Web Inspector: the protocol generator's Objective-C name prefix should be configurable
        https://bugs.webkit.org/show_bug.cgi?id=154596
        <rdar://problem/24794962>

        Reviewed by Timothy Hatcher.

        In order to support different generated protocol sets that don't have conflicting
        file and type names, allow the Objective-C prefix to be configurable based on the
        target framework. Each name also has the implicit prefix 'Protocol' appended to the
        per-target framework prefix.

        For example, the existing protocol for remote inspection has the prefix 'RWI'
        and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
        and is generated as 'AutomationProtocol'.

        To make this change, convert ObjCGenerator to be a subclass of Generator and use
        the instance method model() to find the target framework and its setting for
        'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
        these instance methods that used to be static methods. This is a large but
        mechanical change to use self instead of ObjCGenerator.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
        (ObjCBackendDispatcherHeaderGenerator):
        (ObjCBackendDispatcherHeaderGenerator.__init__):
        (ObjCBackendDispatcherHeaderGenerator.output_filename):
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
        (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCConfigurationImplementationGenerator):
        (ObjCConfigurationImplementationGenerator.__init__):
        (ObjCConfigurationImplementationGenerator.output_filename):
        (ObjCConfigurationImplementationGenerator.generate_output):
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
        (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
        (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        (ObjCConfigurationHeaderGenerator):
        (ObjCConfigurationHeaderGenerator.__init__):
        (ObjCConfigurationHeaderGenerator.output_filename):
        (ObjCConfigurationHeaderGenerator.generate_output):
        (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
        (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
        * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator):
        (ObjCBackendDispatcherImplementationGenerator.__init__):
        (ObjCBackendDispatcherImplementationGenerator.output_filename):
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
        (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
        (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
        (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
        * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
        (ObjCConversionHelpersGenerator):
        (ObjCConversionHelpersGenerator.__init__):
        (ObjCConversionHelpersGenerator.output_filename):
        (ObjCConversionHelpersGenerator.generate_output):
        (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
        (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
        (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator):
        (ObjCFrontendDispatcherImplementationGenerator.__init__):
        (ObjCFrontendDispatcherImplementationGenerator.output_filename):
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator):
        (ObjCHeaderGenerator.__init__):
        (ObjCHeaderGenerator.output_filename):
        (ObjCHeaderGenerator.generate_output):
        (ObjCHeaderGenerator._generate_forward_declarations):
        (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
        (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
        (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
        (ObjCHeaderGenerator._generate_type_interface):
        (ObjCHeaderGenerator._generate_init_method_for_required_members):
        (ObjCHeaderGenerator._generate_member_property):
        (ObjCHeaderGenerator._generate_command_protocols):
        (ObjCHeaderGenerator._generate_single_command_protocol):
        (ObjCHeaderGenerator._callback_block_for_command):
        (ObjCHeaderGenerator._generate_event_interfaces):
        (ObjCHeaderGenerator._generate_single_event_interface):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator):
        (ObjCInternalHeaderGenerator.__init__):
        (ObjCInternalHeaderGenerator.output_filename):
        (ObjCInternalHeaderGenerator.generate_output):
        (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator):
        (ObjCProtocolTypesImplementationGenerator.__init__):
        (ObjCProtocolTypesImplementationGenerator.output_filename):
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
        (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
        (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
        (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
        * inspector/scripts/codegen/models.py:
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCTypeCategory.category_for_type):
        (ObjCGenerator):
        (ObjCGenerator.__init__):
        (ObjCGenerator.objc_prefix):
        (ObjCGenerator.objc_name_for_type):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
        (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
        (ObjCGenerator.objc_class_for_type):
        (ObjCGenerator.objc_class_for_array_type):
        (ObjCGenerator.objc_accessor_type_for_member):
        (ObjCGenerator.objc_accessor_type_for_member_internal):
        (ObjCGenerator.objc_type_for_member):
        (ObjCGenerator.objc_type_for_member_internal):
        (ObjCGenerator.objc_type_for_param):
        (ObjCGenerator.objc_type_for_param_internal):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        (ObjCGenerator.objc_protocol_import_expression_for_member):
        (ObjCGenerator.objc_protocol_import_expression_for_parameter):
        (ObjCGenerator.objc_protocol_import_expression_for_variable):
        (ObjCGenerator.objc_to_protocol_expression_for_member):
        (ObjCGenerator.protocol_to_objc_expression_for_member):

        Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-02-23  Mark Lam  <mark.lam@apple.com>

        Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
        https://bugs.webkit.org/show_bug.cgi?id=154542

        Reviewed by Saam Barati.

        According to the spec, the constructors of the following types "are not intended
        to be called as a function and will throw an exception".  These types are:
            TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
            Map - https://tc39.github.io/ecma262/#sec-map-constructor
            Set - https://tc39.github.io/ecma262/#sec-set-constructor
            WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
            WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
            ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
            DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
            Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
            Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor

        This patch does the following:
        1. Ensures that these constructors can be called but will throw a TypeError
           when called.
        2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
           in their implementation to be consistent.
        3. Changes the error message to "calling XXX constructor without new is invalid".
           This is clearer because the error is likely due to the user forgetting to use
           the new operator on these constructors.

        * runtime/Error.h:
        * runtime/Error.cpp:
        (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
        - Added a convenience function to throw the TypeError.

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        (JSC::callArrayBuffer):
        (JSC::JSArrayBufferConstructor::getCallData):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::callGenericTypedArrayView):
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::callPromise):
        * runtime/MapConstructor.cpp:
        (JSC::callMap):
        * runtime/ProxyConstructor.cpp:
        (JSC::callProxy):
        (JSC::ProxyConstructor::getCallData):
        * runtime/SetConstructor.cpp:
        (JSC::callSet):
        * runtime/WeakMapConstructor.cpp:
        (JSC::callWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::callWeakSet):

        * tests/es6.yaml:
        - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.

        * tests/stress/call-non-calleable-constructors-as-function.js: Added.
        (test):

        * tests/stress/map-constructor.js:
        (testCallTypeError):
        * tests/stress/promise-cannot-be-called.js:
        (shouldThrow):
        * tests/stress/proxy-basic.js:
        * tests/stress/set-constructor.js:
        * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
        (i.catch):
        * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
        (i.catch):
        * tests/stress/throw-from-ftl-call-ic-slow-path.js:
        (i.catch):
        * tests/stress/weak-map-constructor.js:
        (testCallTypeError):
        * tests/stress/weak-set-constructor.js:
        - Updated error message string.

496 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
497
498         ASan build fix.
499
500         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
501
502         * inspector/InspectorBackendDispatcher.h:
503
504 2016-02-23  Brian Burg  <bburg@apple.com>
505
506         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
507         https://bugs.webkit.org/show_bug.cgi?id=154518
508         <rdar://problem/24761096>
509
510         Reviewed by Timothy Hatcher.
511
512         * inspector/InspectorBackendDispatcher.h:
513         Export all the classes since they are used by WebKit::WebAutomationSession.
514
515 2016-02-22  Brian Burg  <bburg@apple.com>
516
517         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
518         https://bugs.webkit.org/show_bug.cgi?id=154509
519         <rdar://problem/24759098>
520
521         Reviewed by Timothy Hatcher.
522
523         Add a new 'WebKit' framework, which is used to generate protocol code
524         in WebKit2.
525
526         Add --backend and --frontend flags to the main generator script.
527         These allow a framework to trigger two different sets of generators
528         so they can be separately generated and compiled.
529
530         * inspector/scripts/codegen/models.py:
531         (Framework.fromString):
532         (Frameworks): Add new framework.
533
534         * inspector/scripts/generate-inspector-protocol-bindings.py:
535         If neither --backend or --frontend is specified, assume both are wanted.
536         This matches the behavior for JavaScriptCore and WebInspector frameworks.
537
538         (generate_from_specification):
539         Generate C++ files for the backend and Objective-C files for the frontend.
540
541 2016-02-22  Saam barati  <sbarati@apple.com>
542
543         JSGlobalObject doesn't visit ProxyObjectStructure during GC
544         https://bugs.webkit.org/show_bug.cgi?id=154564
545
546         Rubber stamped by Mark Lam.
547
548         * runtime/JSGlobalObject.cpp:
549         (JSC::JSGlobalObject::visitChildren):
550
2016-02-22  Saam barati  <sbarati@apple.com>

        InternalFunction::createSubclassStructure doesn't take into account that get() might throw
        https://bugs.webkit.org/show_bug.cgi?id=154548

        Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.

        InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw
        an exception. Neither the function nor the call sites of the function took this into
        account. This patch audits the call sites of the function to make it work in
        the event that an exception is thrown.

        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGlobalObject.h:
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        (JSC::constructArrayNegativeIndexed):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/RegExpConstructor.cpp:
        (JSC::getRegExpStructure):
        (JSC::constructRegExp):
        (JSC::constructWithRegExpConstructor):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        (JSC::StringConstructor::getConstructData):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * tests/stress/create-subclass-structure-might-throw.js: Added.
        (assert):

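An added example, not WebKit's create-subclass-structure-might-throw.js, that exercises the entry above from JavaScript: each audited builtin is constructed through Reflect.construct with a new.target whose "prototype" lookup throws, and a conforming engine must let that exception propagate instead of producing an object. The builtin list, sample arguments and the PrototypeGetterError class are this example's own choices.

```javascript
// Added example, not part of the WebKit tree: a new.target whose "prototype"
// lookup throws. createSubclassStructure reads newTarget.prototype to build the
// subclass structure, so that read must be allowed to abort the construction.

class PrototypeGetterError extends Error {}

// A Proxy around a real constructor keeps it constructible (Reflect.construct
// requires that) while letting us throw from the "prototype" lookup.
function makeThrowingNewTarget() {
  return new Proxy(function () {}, {
    get(target, key, receiver) {
      if (key === "prototype") {
        throw new PrototypeGetterError("prototype getter ran");
      }
      return Reflect.get(target, key, receiver);
    },
  });
}

// Builtins touched by the audit, with constructed sample arguments (our choice).
const BUILTIN_CASES = {
  Boolean: [Boolean, [true]],
  Date: [Date, [0]],
  Error: [Error, ["msg"]],
  TypeError: [TypeError, ["msg"]],
  Function: [Function, ["return 1"]],
  ArrayBuffer: [ArrayBuffer, [8]],
  Uint8Array: [Uint8Array, [4]],
  Array: [Array, [1, 2, 3]],
  Promise: [Promise, [() => {}]],
  Map: [Map, []],
  Number: [Number, [1]],
  RegExp: [RegExp, ["a"]],
  Set: [Set, []],
  String: [String, ["s"]],
  WeakMap: [WeakMap, []],
  WeakSet: [WeakSet, []],
};

// Constructs every builtin with the throwing new.target and records, per case,
// "threw" (the getter's exception propagated), "constructed" (the exception was
// swallowed and an object came back) or "wrong error" (something else threw).
function auditSubclassConstruction(cases = BUILTIN_CASES) {
  const results = {};
  for (const [name, [ctor, args]] of Object.entries(cases)) {
    try {
      Reflect.construct(ctor, args, makeThrowingNewTarget());
      results[name] = "constructed";
    } catch (e) {
      results[name] = e instanceof PrototypeGetterError ? "threw" : "wrong error";
    }
  }
  return results;
}

// True when every case propagated the exception, which is what the fix ensures.
function allPropagated(results = auditSubclassConstruction()) {
  return Object.values(results).every((outcome) => outcome === "threw");
}

console.log(auditSubclassConstruction(), allPropagated());
```
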
2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>

        Fix build and implement functions to retrieve registers on FreeBSD
        https://bugs.webkit.org/show_bug.cgi?id=152258

        Reviewed by Michael Catanzaro.

        * heap/MachineStackMarker.cpp:
        (pthreadSignalHandlerSuspendResume):
        struct ucontext is not specified in POSIX and it is not available on
        FreeBSD. Replacing it with ucontext_t fixes the build problem.
        (JSC::MachineThreads::Thread::Registers::stackPointer):
        (JSC::MachineThreads::Thread::Registers::framePointer):
        (JSC::MachineThreads::Thread::Registers::instructionPointer):
        (JSC::MachineThreads::Thread::Registers::llintPC):
        * heap/MachineStackMarker.h:

2016-02-22  Saam barati  <sbarati@apple.com>

        JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
        https://bugs.webkit.org/show_bug.cgi?id=154552

        Reviewed by Mark Lam.

        ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
        They return false on a Proxy with internal [[Call]] and [[Construct]]
        properties. It seems safest, most forward looking, and most adherent
        to the specification to check getCallData() and getConstructData() to
        implement these functions.

        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction):
        (JSC::JSValue::isConstructor):

2016-02-22  Keith Miller  <keith_miller@apple.com>

        Bound functions should use the prototype of the function being bound
        https://bugs.webkit.org/show_bug.cgi?id=154195

        Reviewed by Geoffrey Garen.

        Per ES6, the result of Function.prototype.bind should have the same
        prototype as the function being bound. In order to avoid creating
        a new structure each time a function is bound we store the new
        structure in our structure map. However, we cannot currently store
        structures that have a different GlobalObject than their prototype.
        In the rare case that the GlobalObject differs or the prototype of
        the bindee is null we create a new structure each time. To further
        minimize new structures, as well as making structure lookup faster,
        we also store the structure in the RareData of the function we
        are binding.

        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::visitChildren):
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::getBoundFunctionStructure):
        (JSC::FunctionRareData::setBoundFunctionStructure):
        * runtime/JSBoundFunction.cpp:
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::create):
        * tests/es6.yaml:
        * tests/stress/bound-function-uses-prototype.js: Added.
        (testChangeProto.foo):
        (testChangeProto):
        (testBuiltins):
        * tests/stress/class-subclassing-function.js:

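An added example, not WebKit's bound-function-uses-prototype.js, showing the observable rule the entry above implements: the bound function inherits from whatever the bindee's prototype is, including the Function subclass and null-prototype cases. The MyFunction class and the function names are this example's own.

```javascript
// Added example, not WebKit's test: per ES6, Function.prototype.bind gives the
// bound function the same [[Prototype]] as the function being bound, rather
// than always using Function.prototype.

class MyFunction extends Function {}

function sameProto(a, b) {
  return Object.getPrototypeOf(a) === Object.getPrototypeOf(b);
}

// Built-in functions inherit from Function.prototype, and so do their bound forms.
function testBuiltins() {
  const bound = Math.max.bind(null, 1);
  return sameProto(bound, Math.max) && bound(5) === 5;
}

// A Function subclass: the bound function must inherit from MyFunction.prototype.
function testSubclass() {
  const f = new MyFunction("return 42");
  const bound = f.bind(null);
  return Object.getPrototypeOf(bound) === MyFunction.prototype && bound() === 42;
}

// A prototype swapped in after the fact, the case the entry's testChangeProto covers.
function testChangeProto() {
  function foo() { return this; }
  const customProto = Object.create(Function.prototype);
  Object.setPrototypeOf(foo, customProto);
  const bound = foo.bind("ctx");
  return Object.getPrototypeOf(bound) === customProto;
}

// The rare case the entry mentions: the bindee's prototype is null. Without
// Function.prototype on the chain there is no .bind to call, so we borrow it.
function testNullProto() {
  function bar() { return 1; }
  Object.setPrototypeOf(bar, null);
  const bound = Function.prototype.bind.call(bar, null);
  return Object.getPrototypeOf(bound) === null && bound() === 1;
}

console.log(testBuiltins(), testSubclass(), testChangeProto(), testNullProto());
```
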
2016-02-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix stress test to not print on success.

        * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
        (catch): Deleted.

2016-02-22  Keith Miller  <keith_miller@apple.com>

        Use Symbol.species in the builtin TypedArray.prototype functions
        https://bugs.webkit.org/show_bug.cgi?id=153384

        Reviewed by Geoffrey Garen.

        This patch adds the use of species constructors to the TypedArray.prototype map and filter
        functions. It also adds a new private function typedArrayGetOriginalConstructor that
        returns the TypedArray constructor used to originally create a TypedArray instance.

        There are no ES6 tests to update for this patch as species creation for these functions is
        not tested in the compatibility table.

        * builtins/TypedArrayPrototype.js:
        (map):
        (filter):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::typedArrayConstructor):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
        * runtime/JSTypedArrayViewPrototype.h:
        * tests/stress/typedarray-filter.js:
        (subclasses.typedArrays.map):
        (prototype.accept):
        (testSpecies):
        (accept):
        (forEach):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):
        * tests/stress/typedarray-map.js:
        (subclasses.typedArrays.map):
        (prototype.id):
        (testSpecies):
        (id):
        (forEach):
        (subclasses.forEach):
        (testSpeciesRemoveConstructor):

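An added example, not WebKit's typedarray-map.js or typedarray-filter.js, of the species behaviour the entry above adds: which constructor map and filter use for their result, what happens when the instance's constructor has been removed (the fallback the entry's typedArrayGetOriginalConstructor provides) and the rejection of a species that is not a TypedArray constructor. The subclass names are this example's own.

```javascript
// Added example, not WebKit's tests: how TypedArray.prototype.map and filter
// choose the constructor of the array they return.

// Default species: results of map/filter are instances of the subclass.
class Sub extends Uint8Array {}

// Opting out via Symbol.species: results fall back to plain Uint8Array.
class PlainResults extends Uint8Array {
  static get [Symbol.species]() { return Uint8Array; }
}

// A species that is not a TypedArray constructor must be rejected.
class BadSpecies extends Uint8Array {
  static get [Symbol.species]() { return Array; }
}

function speciesResults() {
  const sub = new Sub([1, 2, 3, 4]);
  const plain = new PlainResults([1, 2, 3, 4]);
  return {
    subMap: sub.map((x) => x * 2).constructor.name,
    subFilter: sub.filter((x) => x % 2 === 0).constructor.name,
    plainMap: plain.map((x) => x).constructor.name,
    plainFilter: plain.filter((x) => x > 1).constructor.name,
  };
}

// With the instance's "constructor" removed there is no species to consult, so
// the engine falls back to the constructor that originally created the view
// (the value the private typedArrayGetOriginalConstructor helper supplies).
function removedConstructorUsesOriginal() {
  const sub = new Sub([5, 6, 7]);
  Object.defineProperty(sub, "constructor", { value: undefined });
  const mapped = sub.map((x) => x + 1);
  return mapped.constructor === Uint8Array && Array.from(mapped).join() === "6,7,8";
}

// Array is not a TypedArray constructor, so species creation throws a TypeError.
function badSpeciesThrows() {
  try {
    new BadSpecies(2).map((x) => x);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log(speciesResults(), removedConstructorUsesOriginal(), badSpeciesThrows());
```
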
2016-02-22  Keith Miller  <keith_miller@apple.com>

        Builtins that should not rely on iteration do.
        https://bugs.webkit.org/show_bug.cgi?id=154475

        Reviewed by Geoffrey Garen.

        When changing the behavior of varargs calls to use ES6 iterators the
        call builtin function's use of a varargs call was overlooked. The use
        of iterators is observable outside the scope of the call function,
        thus it must be reimplemented.

        * builtins/FunctionPrototype.js:
        (call):
        * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
        (test):
        (addAll):
        (catch):

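An added example, not WebKit's call-apply-builtin-functions-dont-use-iterators.js, of the observability the entry above is about: it instruments Array.prototype[Symbol.iterator] and counts how often each argument-passing path consults it. Function.prototype.call and apply must not touch it; spread must. The sum function and the result field names are this example's own.

```javascript
// Added example, not WebKit's test: detect which argument-passing paths go
// through the array iterator. A builtin that used the iterator internally would
// show up here as an unexpected lookup, which is what the entry fixes for call.

function sum(...nums) {
  return nums.reduce((acc, n) => acc + n, 0);
}

// Runs sum three ways while counting lookups of the array iterator. The patched
// iterator is restored afterwards so the rest of the program is unaffected.
function observeIteratorUse() {
  const original = Array.prototype[Symbol.iterator];
  let lookups = 0;
  Array.prototype[Symbol.iterator] = function () {
    lookups += 1;
    return original.call(this);
  };
  try {
    const args = [1, 2, 3];
    const result = {};
    result.callSum = sum.call(null, 1, 2, 3);     // Function.prototype.call: no iteration
    result.callIteratorLookups = lookups;
    lookups = 0;
    result.applySum = sum.apply(null, args);      // CreateListFromArrayLike: no iteration
    result.applyIteratorLookups = lookups;
    lookups = 0;
    result.spreadSum = sum(...args);              // spread: GetIterator once
    result.spreadIteratorLookups = lookups;
    return result;
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}

console.log(observeIteratorUse());
```
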
2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>

        [JSC shell] Don't put empty arguments array to VM.
        https://bugs.webkit.org/show_bug.cgi?id=154516

        Reviewed by Geoffrey Garen.

        This allows arrowfunction-lexical-bind-arguments-top-level test to pass
        in jsc as well as in browser.

        * jsc.cpp:
        (GlobalObject::finishCreation):

2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>

        [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
        https://bugs.webkit.org/show_bug.cgi?id=154450

        Reviewed by Alex Christensen.

        * CMakeLists.txt:

2016-02-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r196891.
        https://bugs.webkit.org/show_bug.cgi?id=154539

        it broke Production builds (Requested by brrian on #webkit).

        Reverted changeset:

        "Web Inspector: add 'Automation' protocol domain and generate
        its backend classes separately in WebKit2"
        https://bugs.webkit.org/show_bug.cgi?id=154509
        http://trac.webkit.org/changeset/196891

2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        CodeBlock always visits its unlinked code twice
        https://bugs.webkit.org/show_bug.cgi?id=154494

        Reviewed by Saam Barati.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitChildren):
        The unlinked code is always visited in stronglyVisitStrongReferences.

2016-02-21  Brian Burg  <bburg@apple.com>

        Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
        https://bugs.webkit.org/show_bug.cgi?id=154509
        <rdar://problem/24759098>

        Reviewed by Timothy Hatcher.

        Add a new 'WebKit' framework, which is used to generate protocol code
        in WebKit2.

        Add --backend and --frontend flags to the main generator script.
        These allow a framework to trigger two different sets of generators
        so they can be separately generated and compiled.

        * inspector/scripts/codegen/models.py:
        (Framework.fromString):
        (Frameworks): Add new framework.

        * inspector/scripts/generate-inspector-protocol-bindings.py:
        If neither --backend or --frontend is specified, assume both are wanted.
        This matches the behavior for JavaScriptCore and WebInspector frameworks.

        (generate_from_specification):
        Generate C++ files for the backend and Objective-C files for the frontend.

2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Improvements to Intl code
        https://bugs.webkit.org/show_bug.cgi?id=154486

        Reviewed by Darin Adler.

        This patch does several things:
        - Use std::unique_ptr to store ICU objects.
        - Pass Vector::size() to ICU functions that take a buffer size instead
          of Vector::capacity().
        - If U_SUCCESS(status) is true, it means there is no error, but there
          could be warnings. ICU functions ignore warnings. So, there is no need
          to reset status to U_ZERO_ERROR.
        - Remove the initialization of the String instance variables of
          IntlDateTimeFormat. These values are never read and cause unnecessary
          memory allocation.
        - Fix coding style.
        - Some small optimization.

        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::UCollatorDeleter::operator()):
        (JSC::IntlCollator::createCollator):
        (JSC::IntlCollator::compareStrings):
        (JSC::IntlCollator::~IntlCollator): Deleted.
        * runtime/IntlCollator.h:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
        (JSC::defaultTimeZone):
        (JSC::canonicalizeTimeZoneName):
        (JSC::toDateTimeOptionsAnyDate):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::weekdayString):
        (JSC::IntlDateTimeFormat::format):
        (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
        (JSC::localeData): Deleted.
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        * runtime/IntlNumberFormatConstructor.cpp:
        * runtime/IntlObject.cpp:
        (JSC::numberingSystemsForLocale):

2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>

        Remove arrowfunction test cases that rely on arguments variable in jsc
        https://bugs.webkit.org/show_bug.cgi?id=154517

        Reviewed by Yusuke Suzuki.

        Allow jsc to have the same behavior in JavaScript as the browser has.

        * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
        * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:

2016-02-21  Brian Burg  <bburg@apple.com>

        Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
        https://bugs.webkit.org/show_bug.cgi?id=154508
        <rdar://problem/24759077>

        Reviewed by Timothy Hatcher.

        In preparation for being able to generate protocol files for WebKit2,
        make it possible to not emit generated code that's guarded by
        ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
        backend dispatchers generated outside of JavaScriptCore. We can't just
        define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
        in the configurations where the code is actually used.

        Add a new opt-in Framework configuration option that turns on generating
        this code. Adjust how the code is generated so that it can be easily excluded.

        * inspector/scripts/codegen/cpp_generator_templates.py:
        Make a separate template for the declarations that are guarded.
        Add an initializer expression so the order of initializers doesn't matter.

        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
        If the declarations are needed, they will be appended to the end of the
        declarations list.

        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.

        * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
        to True for Framework.JavaScriptCore only. It's not needed elsewhere.

        Rebaseline affected tests.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:

2016-02-21  Brian Burg  <bburg@apple.com>

        Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
        https://bugs.webkit.org/show_bug.cgi?id=154505
        <rdar://problem/24758042>

        Reviewed by Timothy Hatcher.

        It should be possible to generate code for a framework using some generators
        that other frameworks also use. Right now the generator selection code assumes
        that use of a generator is mutually exclusive among non-test frameworks.

        Make this code explicitly switch on the framework. Reorder generators
        alphabetically within each case.

        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification):

        Rebaseline tests that are affected by generator reorderings.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2016-02-19  Saam Barati  <sbarati@apple.com>

        [ES6] Implement Proxy.[[Construct]]
        https://bugs.webkit.org/show_bug.cgi?id=154440

        Reviewed by Oliver Hunt.

        This patch is mostly an implementation of
        Proxy.[[Construct]] with respect to section 9.5.13
        of the ECMAScript spec.
        https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget

        This patch also changes op_create_this to accept new.target's
        that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
        because we might construct a JSFunction with a new.target being
        a Proxy. This will also be needed when we implement Reflect.construct.

        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        (JSC::ProxyObject::visitChildren):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::getConstructData):
        * runtime/ProxyObject.h:
        * tests/es6.yaml:
        * tests/stress/proxy-construct.js: Added.
        (assert):
        (throw.new.Error.let.target):
        (throw.new.Error):
        (assert.let.target):
        (assert.let.handler.get construct):
        (let.target):
        (let.handler.construct):
        (i.catch):
        (assert.let.handler.construct):
        (assert.let.construct):
        (assert.else.assert.let.target):
        (assert.else.assert.let.construct):
        (assert.else.assert):
        (new.proxy.let.target):
        (new.proxy.let.construct):
        (new.proxy):

2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        [INTL] Implement Number Format Functions
        https://bugs.webkit.org/show_bug.cgi?id=147605

        Reviewed by Darin Adler.

        This patch implements Intl.NumberFormat.prototype.format() according
        to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).

        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::createNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatFuncFormatNumber):

2016-02-18  Gavin Barraclough  <barraclough@apple.com>

        JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
        https://bugs.webkit.org/show_bug.cgi?id=154416

        Reviewed by Geoff Garen.

        Here's the bug. Suppose you call JSObject::getOwnProperty and -
          - PropertyName contains an index,
          - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
          - The base of the access (or another object on the prototype chain) shadows that property.

        JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
        index, and as such walks up the prototype chain looking for non-index properties before it
        tries calling parseIndex.

        At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
        would potentially return the property) we may have already skipped over non-overriding
        objects that contain the property in index storage.

        * runtime/JSObject.h:
        (JSC::JSObject::getOwnNonIndexPropertySlot):
            - renamed from inlineGetOwnPropertySlot to better describe behaviour;
              added ASSERT guarding that this method never returns index properties -
              if it ever does, this is unsafe for getPropertySlot.
        (JSC::JSObject::getOwnPropertySlot):
            - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
        (JSC::JSObject::getPropertySlot):
            - In case of object overriding getOwnPropertySlot check if propertyName is an index.
        (JSC::JSObject::getNonIndexPropertySlot):
            - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
              in order to avoid repeated calls to parseIndex.
        (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
            - this was renamed to getOwnNonIndexPropertySlot.
        (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
            - this was folded back in to getPropertySlot.

2016-02-19  Saam Barati  <sbarati@apple.com>

        [ES6] Implement Proxy.[[Call]]
        https://bugs.webkit.org/show_bug.cgi?id=154425

        Reviewed by Mark Lam.

        This patch is a straightforward implementation of
        Proxy.[[Call]] with respect to section 9.5.12
        of the ECMAScript spec.
        https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist

        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotByIndex):
        (JSC::performProxyCall):
        (JSC::ProxyObject::getCallData):
        (JSC::ProxyObject::visitChildren):
        * runtime/ProxyObject.h:
        (JSC::ProxyObject::create):
        * tests/es6.yaml:
        * tests/stress/proxy-call.js: Added.
        (assert):
        (throw.new.Error.let.target):
        (throw.new.Error.let.handler.apply):
        (throw.new.Error):
        (assert.let.target):
        (assert.let.handler.get apply):
        (let.target):
        (let.handler.apply):
        (i.catch):
        (assert.let.handler.apply):

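An added example, not WebKit's proxy-call.js or proxy-construct.js, covering the Proxy.[[Call]] entry above, the Proxy.[[Construct]] entry of 2016-02-19 and the isFunction/isConstructor entry of 2016-02-22: the apply and construct traps of sections 9.5.12 and 9.5.13, the new.target a construct trap sees, the object-result requirement, and the rule that a proxy is callable or constructible only when its target is. The handler and function names are this example's own.

```javascript
// Added example, not from the WebKit tree: Proxy [[Call]] and [[Construct]]
// as observed from JavaScript.

// A proxy over an ordinary function, logging every [[Call]] and [[Construct]].
function makeLoggedProxy() {
  const log = [];
  function target(a, b) { return a + b; }
  const proxy = new Proxy(target, {
    apply(t, thisArg, args) {
      log.push({ trap: "apply", thisArg, argCount: args.length });
      return Reflect.apply(t, thisArg, args);
    },
    construct(t, args, newTarget) {
      // newTarget is the proxy itself for a plain `new proxy(...)`.
      log.push({ trap: "construct", argCount: args.length, newTargetIsProxy: newTarget === proxy });
      return { built: args };
    },
  });
  return { proxy, log };
}

function exerciseCallAndConstruct() {
  const { proxy, log } = makeLoggedProxy();
  const sum = proxy.call("ctx", 2, 3);                     // Function.prototype.call -> [[Call]] -> apply trap
  const obj = new proxy(1, 2);                             // [[Construct]] -> construct trap
  class Other {}
  const viaReflect = Reflect.construct(proxy, [], Other);  // explicit new.target, passed through unchanged
  return { sum, builtArgs: obj.built, viaReflect, log };
}

// 9.5.13: a construct trap must return an object, otherwise a TypeError is thrown.
function nonObjectConstructResultThrows() {
  const p = new Proxy(function () {}, { construct() { return 42; } });
  try {
    new p();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// A proxy has [[Call]]/[[Construct]] only when its target does, whatever traps
// the handler defines. That is why the isFunction/isConstructor entry checks
// getCallData/getConstructData rather than the object's class.
function proxyCallability() {
  const objectTarget = new Proxy({}, { apply() { return 1; }, construct() { return {}; } });
  const arrowTarget = new Proxy(() => 1, { construct() { return {}; } });
  const functionTarget = new Proxy(function () {}, {});
  let arrowConstructs = true;
  try { new arrowTarget(); } catch (e) { arrowConstructs = false; }
  return {
    objectTargetIsCallable: typeof objectTarget === "function",          // false: plain object target
    arrowTargetIsCallable: typeof arrowTarget === "function",            // true
    arrowTargetConstructs: arrowConstructs,                               // false: arrows have no [[Construct]]
    functionTargetConstructs: typeof new functionTarget() === "object",  // true: missing trap forwards to target
  };
}

console.log(exerciseCallAndConstruct(), nonObjectConstructResultThrows(), proxyCallability());
```
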
2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>

        Remove more LLVM related dead code after r196729
        https://bugs.webkit.org/show_bug.cgi?id=154387

        Reviewed by Filip Pizlo.

        * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
        * Configurations/LLVMForJSC.xcconfig: Removed.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * disassembler/X86Disassembler.cpp:

2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
        https://bugs.webkit.org/show_bug.cgi?id=154442

        Reviewed by Saam Barati.

        * runtime/JSString.h:
        (JSC::isJSString):

2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused SymbolTable::createNameScopeTable
        https://bugs.webkit.org/show_bug.cgi?id=154443

        Reviewed by Saam Barati.

        * runtime/SymbolTable.h:

2016-02-18  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve the instruction selection of Select
        https://bugs.webkit.org/show_bug.cgi?id=154432

        Reviewed by Filip Pizlo.

        Plenty of code but this patch is pretty dumb:
        -On ARM64: use the 3 operand form of CSEL instead of forcing a source
         to be aliased to the destination. This gives more freedom to the register
         allocator and it is one less Move to process per Select.
        -On x86, introduce a fake 3 operands form and use aggressive aliasing
         to try to alias both sources to the destination.

         If aliasing succeeds on the "elseCase", the condition of the Select
         is reverted in the MacroAssembler.

         If no aliasing is possible and we end up with 3 registers, the missing
         move instruction is generated by the MacroAssembler.

         The missing move is generated after testing the values because the destination
         can use the same register as one of the test operands.
         Experimental testing seems to indicate there is no macro-fusion on CMOV,
         so there is no measurable cost to having the move there.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isInvertible):
        (JSC::MacroAssembler::invert):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveConditionallyDouble):
        (JSC::MacroAssemblerARM64::moveConditionallyFloat):
        (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
        (JSC::MacroAssemblerARM64::moveConditionally32):
        (JSC::MacroAssemblerARM64::moveConditionally64):
        (JSC::MacroAssemblerARM64::moveConditionallyTest32):
        (JSC::MacroAssemblerARM64::moveConditionallyTest64):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
        (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
        (JSC::MacroAssemblerX86Common::moveConditionally32):
        (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
        (JSC::MacroAssemblerX86Common::invert):
        (JSC::MacroAssemblerX86Common::isInvertible):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::moveConditionally64):
        (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createSelect):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::shouldTryAliasingDef):
        * b3/air/AirOpcode.opcodes:

2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>

        [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
        https://bugs.webkit.org/show_bug.cgi?id=154430

        Reviewed by Saam Barati.

        llvm isn't used anymore.

        * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.

2016-02-18  Saam Barati  <sbarati@apple.com>

        Implement Proxy.[[HasProperty]]
        https://bugs.webkit.org/show_bug.cgi?id=154313

        Reviewed by Filip Pizlo.

        This patch is a straightforward implementation of
        Proxy.[[HasProperty]] with respect to section 9.5.7
        of the ECMAScript spec.
        https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p

        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        * runtime/ProxyObject.h:
        * tests/es6.yaml:
        * tests/stress/proxy-basic.js:
        (assert):
        (let.handler.has):
        * tests/stress/proxy-has-property.js: Added.
        (assert):
        (throw.new.Error.let.handler.get has):
        (throw.new.Error):
        (assert.let.handler.has):
        (let.handler.has):
        (getOwnPropertyDescriptor):
        (i.catch):

2016-02-18  Saam Barati  <sbarati@apple.com>

        Proxies don't properly handle Symbols as PropertyKeys.
        https://bugs.webkit.org/show_bug.cgi?id=154385

        Reviewed by Mark Lam and Yusuke Suzuki.

        We were converting all PropertyKeys to strings, even when
        the PropertyName was a Symbol. In the spec, PropertyKeys are
        either a Symbol or a String. We now respect that in Proxy.[[Get]] and
        Proxy.[[GetOwnProperty]].

        * runtime/Completion.cpp:
        (JSC::profiledEvaluate):
        (JSC::createSymbolForEntryPointModule):
        (JSC::identifierToJSValue): Deleted.
        * runtime/Identifier.h:
        (JSC::parseIndex):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::fromString):
        (JSC::identifierToJSValue):
        (JSC::identifierToSafePublicJSValue):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        * tests/es6.yaml:
        * tests/stress/proxy-basic.js:
        (let.handler.getOwnPropertyDescriptor):

2016-02-18  Saam Barati  <sbarati@apple.com>

        Follow up fix to Implement Proxy.[[GetOwnProperty]]
        https://bugs.webkit.org/show_bug.cgi?id=154314

        Reviewed by Filip Pizlo.

        Part of the implementation was broken because
        of how JSObject::getOwnPropertyDescriptor worked.
        I've fixed JSObject::getOwnPropertyDescriptor to
        be able to handle ProxyObject.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        * tests/stress/proxy-get-own-property.js:
        (assert):
        (assert.let.handler.get getOwnPropertyDescriptor):

2016-02-18  Saam Barati  <sbarati@apple.com>

        Implement Proxy.[[GetOwnProperty]]
        https://bugs.webkit.org/show_bug.cgi?id=154314

        Reviewed by Filip Pizlo.

        This patch implements Proxy.[[GetOwnProperty]].
        It's a straightforward implementation as described
        in section 9.5.5 of the specification:
        http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/JSObject.cpp:
        (JSC::validateAndApplyPropertyDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::defineOwnProperty):
        (JSC::JSObject::getGenericPropertyNames):
        (JSC::JSObject::getMethod):
        * runtime/JSObject.h:
        (JSC::JSObject::butterflyAddress):
        (JSC::makeIdentifier):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::getOwnPropertySlot):
        (JSC::ProxyObject::getOwnPropertySlotByIndex):
        (JSC::ProxyObject::visitChildren):
        * runtime/ProxyObject.h:
        * tests/es6.yaml:
        * tests/stress/proxy-basic.js:
        (let.handler.get null):
        * tests/stress/proxy-get-own-property.js: Added.
        (assert):
        (throw.new.Error.let.handler.getOwnPropertyDescriptor):
        (throw.new.Error):
        (let.handler.getOwnPropertyDescriptor):
        (i.catch):
        (assert.let.handler.getOwnPropertyDescriptor):

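The two Proxy entries above (the Symbol-vs-String PropertyKey fix and the section 9.5.5 implementation) describe invariant checks that protect callers from a handler that lies about the target. The following is an added example, not JavaScriptCore code: the [[GetOwnProperty]] algorithm of ES2015 section 9.5.5 written out in plain JavaScript, with each scenario cross-checked against the engine's own Proxy. Helper names are my own, and the scenarios at the end are constructed for illustration.

```javascript
// Added example, not JavaScriptCore code: Proxy [[GetOwnProperty]] (ES2015 9.5.5) in
// plain JavaScript, so the invariant checks the engine enforces against a misbehaving
// handler can be read step by step. Helper names are my own.

function isObject(v) { return v !== null && (typeof v === "object" || typeof v === "function"); }

// ToPropertyDescriptor followed by CompletePropertyDescriptor (6.2.4.5 / 6.2.4.6).
function completePropertyDescriptor(obj) {
  const desc = {};
  for (const f of ["enumerable", "configurable", "writable"]) if (f in obj) desc[f] = Boolean(obj[f]);
  for (const f of ["value", "get", "set"]) if (f in obj) desc[f] = obj[f];
  const isAccessor = "get" in desc || "set" in desc;
  if (isAccessor && ("value" in desc || "writable" in desc))
    throw new TypeError("descriptor cannot be both data and accessor");
  if (isAccessor) {
    for (const f of ["get", "set"]) {
      if (!(f in desc)) desc[f] = undefined;
      else if (desc[f] !== undefined && typeof desc[f] !== "function") throw new TypeError(f + " is not callable");
    }
  } else {
    if (!("value" in desc)) desc.value = undefined;
    if (!("writable" in desc)) desc.writable = false;
  }
  if (!("enumerable" in desc)) desc.enumerable = false;
  if (!("configurable" in desc)) desc.configurable = false;
  return desc;
}

// IsCompatiblePropertyDescriptor (9.1.6.3): may the complete `desc` stand in for `current`?
function isCompatiblePropertyDescriptor(extensible, desc, current) {
  if (current === undefined) return extensible;   // a new property needs an extensible target
  if (current.configurable) return true;          // configurable: anything may replace it
  if (desc.configurable) return false;
  if (desc.enumerable !== current.enumerable) return false;
  const descIsAccessor = "get" in desc;
  const currentIsAccessor = "get" in current;
  if (descIsAccessor !== currentIsAccessor) return false;   // no data <-> accessor flip
  if (currentIsAccessor) return Object.is(desc.get, current.get) && Object.is(desc.set, current.set);
  if (current.writable) return true;
  return !desc.writable && Object.is(desc.value, current.value);
}

// Proxy.[[GetOwnProperty]] (9.5.5) for a proxy with the given target and handler.
function proxyGetOwnProperty(target, handler, key) {
  if (handler === null) throw new TypeError("proxy has been revoked");
  const trap = handler.getOwnPropertyDescriptor;                 // GetMethod(handler, ...)
  if (trap === undefined || trap === null) return Object.getOwnPropertyDescriptor(target, key);
  if (typeof trap !== "function") throw new TypeError("trap is not callable");
  const trapResult = trap.call(handler, target, key);           // key stays a Symbol if it was one
  if (trapResult !== undefined && !isObject(trapResult))
    throw new TypeError("trap result is neither an Object nor undefined");
  const targetDesc = Object.getOwnPropertyDescriptor(target, key);
  const extensible = Object.isExtensible(target);
  if (trapResult === undefined) {
    if (targetDesc === undefined) return undefined;
    if (!targetDesc.configurable) throw new TypeError("trap hid a non-configurable property");
    if (!extensible) throw new TypeError("trap hid a property of a non-extensible target");
    return undefined;
  }
  const resultDesc = completePropertyDescriptor(trapResult);
  if (!isCompatiblePropertyDescriptor(extensible, resultDesc, targetDesc))
    throw new TypeError("trap result is incompatible with the target property");
  if (!resultDesc.configurable && (targetDesc === undefined || targetDesc.configurable))
    throw new TypeError("trap reported non-configurable for a configurable or missing property");
  return resultDesc;
}

// Classify one call as "descriptor", "undefined" or "TypeError".
function outcome(fn) {
  try { return fn() === undefined ? "undefined" : "descriptor"; }
  catch (e) { if (e instanceof TypeError) return "TypeError"; throw e; }
}

// Run one scenario through the re-implementation and through the engine's own Proxy.
function compareWithBuiltin(target, handler, key) {
  return {
    reimplementation: outcome(() => proxyGetOwnProperty(target, handler, key)),
    builtin: outcome(() => Object.getOwnPropertyDescriptor(new Proxy(target, handler), key)),
  };
}

// Constructed scenarios: an honest pass-through keyed by a Symbol (which must reach the
// trap as a Symbol, not a string), and three handlers that each violate one invariant.
function demoScenarios() {
  const sym = Symbol("constructed");
  const seenKeyTypes = [];
  const passThrough = {
    getOwnPropertyDescriptor(t, k) { seenKeyTypes.push(typeof k); return Object.getOwnPropertyDescriptor(t, k); },
  };
  const hidden = Object.defineProperty({}, "secret", { value: 42, configurable: false });
  const sealed = Object.preventExtensions({});
  return {
    honestSymbolKey: compareWithBuiltin({ [sym]: 1 }, passThrough, sym),
    hidesNonConfigurable: compareWithBuiltin(hidden, { getOwnPropertyDescriptor: () => undefined }, "secret"),
    fakesNonConfigurable: compareWithBuiltin({ x: 1 }, { getOwnPropertyDescriptor: () => ({ value: 1, configurable: false }) }, "x"),
    inventsOnNonExtensible: compareWithBuiltin(sealed, { getOwnPropertyDescriptor: () => ({ value: 1, configurable: true }) }, "ghost"),
    keyTypesSeenByTrap: seenKeyTypes,
  };
}
```

The three violating handlers all end in a TypeError in both implementations: a handler may not hide a non-configurable property, may not claim that a configurable (or absent) property is non-configurable, and may not invent properties on a non-extensible target. Those are the guarantees that make `Object.getOwnPropertyDescriptor` trustworthy as an integrity check even when the object is a proxy.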
2016-02-18  Andreas Kling  <akling@apple.com>

        JSString resolution of substrings should use StringImpl sharing optimization.
        <https://webkit.org/b/154068>
        <rdar://problem/24629358>

        Reviewed by Antti Koivisto.

        When resolving a JSString that's actually a substring of another JSString,
        use the StringImpl sharing optimization to create a new string pointing into
        the parent one, instead of copying out the bytes of the string.

        This dramatically reduces peak memory usage on Gerrit diff viewer pages.

        Another approach to this would be to induce GC far more frequently due to
        the added cost of copying out these substrings. It would reduce the risk
        of prolonging the life of strings only kept alive by substrings.

        This patch chooses to trade that risk for less GC and lower peak memory.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRope):

2016-02-18  Chris Dumez  <cdumez@apple.com>

        Crash on SES selftest page when loading the page while WebInspector is open
        https://bugs.webkit.org/show_bug.cgi?id=154378
        <rdar://problem/24713422>

        Reviewed by Mark Lam.

        Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
        returns early again if it detects that getOwnPropertySlot() returns a
        non-own property. This check was removed in r196676 because we assumed that
        only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
        However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
        well.

        Not having the check would lead to crashes when using the debugger because
        we would get a slot with the CustomAccessor attribute but getDirect() would
        then fail to return the property (because it is not an own property). We
        would then cast the value returned by getDirect() to a CustomGetterSetter*
        and dereference it.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):

2016-02-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
        for that.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2016-02-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CMake build. This got messed up when rebasing.

        * CMakeLists.txt:

2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the !ENABLE(DFG_JIT) build after r195865
        https://bugs.webkit.org/show_bug.cgi?id=154391

        Reviewed by Filip Pizlo.

        * runtime/SamplingProfiler.cpp:
        (JSC::tryGetBytecodeIndex):

2016-02-17  Filip Pizlo  <fpizlo@apple.com>

        Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
        https://bugs.webkit.org/show_bug.cgi?id=154383

        Reviewed by Saam Barati.

        I did a grep -i llvm of all of our code and did one of the following for each occurrence:

        - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
          backend".

        - Removed the reference because I found it to be dead. In some cases it was a dead
          comment: it was telling us things about what LLVM did and that's just not relevant
          anymore. In other cases it was dead code that I forgot to delete in a previous patch.

        - Edited the comment in some smart way. There were comments talking about what LLVM did
          that were still of interest. In some cases, I added a FIXME to consider changing the
          code below the comment on the grounds that it was written in a weird way to placate
          LLVM and so we can do it better now.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::compileTimeStats):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.h:
        * dfg/DFGStaticExecutionCountEstimationPhase.h:
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble): Deleted.
        * disassembler/X86Disassembler.cpp:
        (JSC::tryToDisassemble):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::initialize):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLFormattedValue.h:
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
        (JSC::FTL::DFG::ftlUnreachable):
        (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
        (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
        (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
        (JSC::FTL::lowerDFGToB3):
        (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
        (JSC::FTL::lowerDFGToLLVM): Deleted.
        * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
        * ftl/FTLLowerDFGToLLVM.cpp: Removed.
        * ftl/FTLLowerDFGToLLVM.h: Removed.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLWeight.h:
        (JSC::FTL::Weight::frequencyClass):
        (JSC::FTL::Weight::inverse):
        (JSC::FTL::Weight::scaleToTotal): Deleted.
        * ftl/FTLWeightedTarget.h:
        (JSC::FTL::rarely):
        (JSC::FTL::unsure):
        * jit/CallFrameShuffler64.cpp:
        (JSC::CallFrameShuffler::emitDisplace):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::ftlCalleeSaveRegisters):
        * llvm: Removed.
        * llvm/InitializeLLVMLinux.cpp: Removed.
        * llvm/InitializeLLVMWin.cpp: Removed.
        * llvm/library: Removed.
        * llvm/library/LLVMTrapCallback.h: Removed.
        * llvm/library/libllvmForJSC.version: Removed.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        (JSC::Options::initialize):
        * runtime/Options.h:
        * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
        * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
        * wasm/WASMFunctionParser.cpp:

2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>

        [cmake] Build system cleanup
        https://bugs.webkit.org/show_bug.cgi?id=154337

        Reviewed by Žan Doberšek.

        * CMakeLists.txt:

2016-02-17  Mark Lam  <mark.lam@apple.com>

        Callers of JSString::value() should check for exceptions thereafter.
        https://bugs.webkit.org/show_bug.cgi?id=154346

        Reviewed by Geoffrey Garen.

        JSString::value() can throw an exception if the JS string is a rope and value()
        needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
        able to resolve the rope, it will return a null string (in addition to throwing
        the exception).  If a caller does not check for exceptions after calling
        JSString::value(), they may eventually use the returned null string and crash the
        VM.

        The fix is to add all the necessary exception checks, and do the appropriate
        handling if needed.

        * jsc.cpp:
        (functionRun):
        (functionLoad):
        (functionReadFile):
        (functionCheckSyntax):
        (functionLoadWebAssembly):
        (functionLoadModule):
        (functionCheckModuleSyntax):
        * runtime/DateConstructor.cpp:
        (JSC::dateParse):
        (JSC::dateNow):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::functionPrint):

2016-02-17  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] ARM64: Support the immediate format used for bit operations in Air
        https://bugs.webkit.org/show_bug.cgi?id=154327

        Reviewed by Filip Pizlo.

        ARM64 supports a pretty rich form of immediates for bit operations.
        There are two formats used to encode repeating patterns and common
        input in a dense form.

        In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
        Those represent the valid immediate forms for bit operations.
        On x86, any 32-bit value is valid. On ARM64, all the encoding
        forms are tried and the immediate is used when possible.

        The arg type Imm64 is renamed to BigImm to better represent what
        it is: an immediate that does not fit into Imm.

        * assembler/ARM64Assembler.h:
        (JSC::LogicalImmediate::create32): Deleted.
        (JSC::LogicalImmediate::create64): Deleted.
        (JSC::LogicalImmediate::value): Deleted.
        (JSC::LogicalImmediate::isValid): Deleted.
        (JSC::LogicalImmediate::is64bit): Deleted.
        (JSC::LogicalImmediate::LogicalImmediate): Deleted.
        (JSC::LogicalImmediate::mask): Deleted.
        (JSC::LogicalImmediate::partialHSB): Deleted.
        (JSC::LogicalImmediate::highestSetBit): Deleted.
        (JSC::LogicalImmediate::findBitRange): Deleted.
        (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
        * assembler/AssemblerCommon.h:
        (JSC::ARM64LogicalImmediate::create32):
        (JSC::ARM64LogicalImmediate::create64):
        (JSC::ARM64LogicalImmediate::value):
        (JSC::ARM64LogicalImmediate::isValid):
        (JSC::ARM64LogicalImmediate::is64bit):
        (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
        (JSC::ARM64LogicalImmediate::mask):
        (JSC::ARM64LogicalImmediate::partialHSB):
        (JSC::ARM64LogicalImmediate::highestSetBit):
        (JSC::ARM64LogicalImmediate::findBitRange):
        (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::and64):
        (JSC::MacroAssemblerARM64::or64):
        (JSC::MacroAssemblerARM64::xor64):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::bitImm):
        (JSC::B3::Air::LowerToAir::bitImm64):
        (JSC::B3::Air::LowerToAir::appendBinOp):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::dump):
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::bitImm):
        (JSC::B3::Air::Arg::bitImm64):
        (JSC::B3::Air::Arg::isBitImm):
        (JSC::B3::Air::Arg::isBitImm64):
        (JSC::B3::Air::Arg::isSomeImm):
        (JSC::B3::Air::Arg::value):
        (JSC::B3::Air::Arg::isGP):
        (JSC::B3::Air::Arg::isFP):
        (JSC::B3::Air::Arg::hasType):
        (JSC::B3::Air::Arg::isValidBitImmForm):
        (JSC::B3::Air::Arg::isValidBitImm64Form):
        (JSC::B3::Air::Arg::isValidForm):
        (JSC::B3::Air::Arg::asTrustedImm32):
        (JSC::B3::Air::Arg::asTrustedImm64):
        * b3/air/AirOpcode.opcodes:
        * b3/air/opcode_generator.rb:

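The entry above says that on ARM64 "all the encoding forms are tried" before a value is accepted as a BitImm. What an ARM64 logical immediate actually is (the operand form of AND, ORR and EOR) is compact enough to check directly. The block below is an added example, not JavaScriptCore's ARM64LogicalImmediate: it answers only the yes/no question for 32-bit values, whereas JSC's class also produces the N:immr:imms bit fields. The rule it implements: the value must be a repetition of an element of 2, 4, 8, 16 or 32 bits, that element must be a contiguous run of ones rotated by some amount, and all-zeros and all-ones are not encodable. Function names are my own.

```javascript
// Added example, not JavaScriptCore code: validity check for the ARM64 logical-immediate
// form, 32-bit variant. Values are handled as unsigned 32-bit integers via ">>> 0".

function mask(width) {
  return width === 32 ? 0xFFFFFFFF : ((1 << width) - 1) >>> 0;
}

function popcount32(x) {
  let count = 0;
  for (let v = x >>> 0; v !== 0; v = (v & (v - 1)) >>> 0) count++;
  return count;
}

// Rotate an unsigned `width`-bit value left by one bit.
function rotateLeftOne(x, width) {
  const top = (x >>> (width - 1)) & 1;
  return (((x << 1) | top) & mask(width)) >>> 0;
}

// Does `value` consist of its low `width` bits repeated across all 32 bits?
function repeatsWithPeriod(value, width) {
  const element = (value & mask(width)) >>> 0;
  for (let shift = width; shift < 32; shift += width) {
    if ((((value >>> shift) & mask(width)) >>> 0) !== element) return false;
  }
  return true;
}

// A non-zero, non-all-ones element is a rotated run of ones exactly when its circular
// bit string has two 0/1 transitions: one rising edge and one falling edge.
function isRotatedRunOfOnes(element, width) {
  if (element === 0 || element === mask(width)) return false;
  return popcount32((element ^ rotateLeftOne(element, width)) >>> 0) === 2;
}

function isValidLogicalImmediate32(value) {
  value = value >>> 0;
  if (value === 0 || value === 0xFFFFFFFF) return false;
  for (const width of [2, 4, 8, 16, 32]) {
    // The smallest period is the right one to test: a larger element would contain
    // this one repeated, and hence more than one run of ones.
    if (repeatsWithPeriod(value, width)) return isRotatedRunOfOnes((value & mask(width)) >>> 0, width);
  }
  return false; // unreachable: width 32 always "repeats"
}

// Per-architecture rule from the entry: x86 takes any 32-bit immediate, ARM64 only the
// logical-immediate form. The architecture names are my own labels.
function isValidBitImm32(value, arch) {
  if (arch === "x86_64") return true;
  if (arch === "arm64") return isValidLogicalImmediate32(value);
  throw new Error("unknown architecture: " + arch);
}
```

`0xFF00FF00` (a 16-bit element `0xFF00` repeated) and `0x80000001` (a run of two ones rotated across the word boundary) are encodable; `0x24242424` repeats an 8-bit element but that element has two separate runs, so it is not; neither are `0` and `0xFFFFFFFF`. When the check fails, a compiler has to materialise the constant in a register first, which is the case Air falls back to.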
2016-02-17  Keith Miller  <keith_miller@apple.com>

        Spread operator should be allowed when not the first argument of parameter list
        https://bugs.webkit.org/show_bug.cgi?id=152721

        Reviewed by Saam Barati.

        Spread arguments to functions should now be ES6 compliant. Before we
        would only take a spread operator if it was the sole argument to a
        function. Additionally, we would not use the Symbol.iterator on the
        object to generate the arguments. Instead we would do a loop up to the
        length mapping indexed properties to the corresponding argument. We fix
        both these issues by doing an AST transformation from foo(...a, b, ...c, d)
        to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
        old spread semantics). This solution has the downside of requiring the
        allocation of another object and copying each element twice but avoids a
        large change to the VM calling convention.

        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createElementList):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseArguments):
        (JSC::Parser<LexerType>::parseArgument):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createElementList):
        * tests/es6.yaml:
        * tests/stress/spread-calling.js: Added.
        (testFunction):
        (testEmpty):
        (makeObject):
        (otherIterator.return.next):
        (otherIterator):
        (totalIter):
        (throwingIter.return.next):
        (throwingIter):
        (i.catch):

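The entry above contrasts two semantics for a spread argument: the old one walked indices `0..length-1`, the ES6 one drives `Symbol.iterator`. The difference matters beyond compliance, because with the old semantics a user-defined iterator was never consulted and an iterator that throws was silently ignored. The following is an added example, not JavaScriptCore code: both expansions written in plain JavaScript over an argument list in which spread positions are marked with a `spread()` wrapper (my own stand-in for the parser's spread AST node), plus a constructed object whose indexed view and iterator view deliberately disagree, and a cross-check against the engine's own spread.

```javascript
// Added example, not JavaScriptCore code: old (length-based) versus ES6 (iterator-based)
// expansion of spread arguments. spread() marks a spread position in an argument list.

const SPREAD = Symbol("spread");
function spread(source) { return { [SPREAD]: source }; }
function isSpread(arg) { return arg !== null && typeof arg === "object" && SPREAD in arg; }

// Pre-patch semantics: indexed properties up to `length`, ignoring any iterator.
function spreadByLength(args) {
  const out = [];
  for (const arg of args) {
    if (!isSpread(arg)) { out.push(arg); continue; }
    const src = arg[SPREAD];
    const len = src.length >>> 0;      // ToUint32 stands in for ToLength here
    for (let i = 0; i < len; i++) out.push(src[i]);
  }
  return out;
}

// ES6 semantics: every spread source is iterated through Symbol.iterator, and whatever
// the iterator throws propagates to the caller instead of being dropped.
function spreadByIterator(args) {
  const out = [];
  for (const arg of args) {
    if (!isSpread(arg)) { out.push(arg); continue; }
    const src = arg[SPREAD];
    const method = src == null ? undefined : src[Symbol.iterator];
    if (typeof method !== "function") throw new TypeError("spread source is not iterable");
    const iterator = method.call(src);
    for (let step = iterator.next(); !step.done; step = iterator.next()) out.push(step.value);
  }
  return out;
}

// Constructed source: two indexed elements, but an iterator that yields three others.
function makeObject() {
  return {
    length: 2, 0: "idx0", 1: "idx1",
    [Symbol.iterator]() {
      let i = 0;
      return { next: () => (i < 3 ? { value: "iter" + i++, done: false } : { value: undefined, done: true }) };
    },
  };
}

// Constructed source whose iterator fails on its first step.
function throwingIterable() {
  return { [Symbol.iterator]: () => ({ next() { throw new RangeError("constructed iterator failure"); } }) };
}

// The engine's own spread, for cross-checking spreadByIterator.
function engineSpread(...args) { return args; }
```

Calling `spreadByLength([spread(makeObject()), "b"])` yields the indexed elements, while `spreadByIterator` and the engine's own `engineSpread(...makeObject(), "b")` both yield the iterator's three values; a source with no `Symbol.iterator` is a TypeError under the new semantics rather than a silent index walk, and a throwing iterator propagates its error.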
2016-02-17  Brian Burg  <bburg@apple.com>

        Remove a wrong cast in RemoteInspector::receivedSetupMessage
        https://bugs.webkit.org/show_bug.cgi?id=154361
        <rdar://problem/24709281>

        Reviewed by Joseph Pecoraro.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedSetupMessage):
        Not only is this cast unnecessary (the constructor accepts the base class),
        but it is wrong since the target could be an automation target. Remove it.

2016-02-17  Filip Pizlo  <fpizlo@apple.com>

        Rename FTLB3Blah to FTLBlah
        https://bugs.webkit.org/show_bug.cgi?id=154365

        Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLB3Compile.cpp: Removed.
        * ftl/FTLB3Output.cpp: Removed.
        * ftl/FTLB3Output.h: Removed.
        * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
        * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
        * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.

2016-02-17  Filip Pizlo  <fpizlo@apple.com>

        Remove LLVM dependencies from WebKit
        https://bugs.webkit.org/show_bug.cgi?id=154323

        Reviewed by Antti Koivisto and Benjamin Poulain.

        We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
        LLVM-related code dead, including the disassembler, which was only reachable when you were on
        a platform that already had an in-tree disassembler.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCommon.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::compileTimeStats):
        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/ARMv7Disassembler.cpp:
        (JSC::tryToDisassemble):
        * disassembler/Disassembler.cpp:
        (JSC::disassemble):
        (JSC::disassembleAsynchronously):
        * disassembler/Disassembler.h:
        (JSC::tryToDisassemble):
        * disassembler/LLVMDisassembler.cpp: Removed.
        * disassembler/LLVMDisassembler.h: Removed.
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/UDis86Disassembler.h:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/X86Disassembler.cpp:
        (JSC::tryToDisassemble):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLAbbreviations.h: Removed.
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::decorateInstruction):
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractField::dump):
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        (JSC::FTL::IndexedAbstractHeap::dump):
        (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
        (JSC::FTL::NumberedAbstractHeap::dump):
        (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
        (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
        * ftl/FTLAbstractHeap.h:
        (JSC::FTL::AbstractHeap::AbstractHeap):
        (JSC::FTL::AbstractHeap::heapName):
        (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
        (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
        (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
        (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLB3Compile.cpp:
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::Output):
        (JSC::FTL::Output::check):
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::store):
        * ftl/FTLB3Output.h:
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        (JSC::FTL::CommonValues::initializeConstants):
        * ftl/FTLCommonValues.h:
        (JSC::FTL::CommonValues::initialize): Deleted.
        * ftl/FTLCompile.cpp: Removed.
        * ftl/FTLCompileBinaryOp.cpp: Removed.
        * ftl/FTLCompileBinaryOp.h: Removed.
        * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
        * ftl/FTLDWARFDebugLineInfo.h: Removed.
        * ftl/FTLDWARFRegister.cpp: Removed.
        * ftl/FTLDWARFRegister.h: Removed.
        * ftl/FTLDataSection.cpp: Removed.
        * ftl/FTLDataSection.h: Removed.
        * ftl/FTLExceptionHandlerManager.cpp: Removed.
        * ftl/FTLExceptionHandlerManager.h: Removed.
        * ftl/FTLExceptionTarget.cpp:
        * ftl/FTLExceptionTarget.h:
        * ftl/FTLExitThunkGenerator.cpp: Removed.
        * ftl/FTLExitThunkGenerator.h: Removed.
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLInlineCacheDescriptor.h: Removed.
        * ftl/FTLInlineCacheSize.cpp: Removed.
        * ftl/FTLInlineCacheSize.h: Removed.
        * ftl/FTLIntrinsicRepository.cpp: Removed.
        * ftl/FTLIntrinsicRepository.h: Removed.
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::~JITCode):
        (JSC::FTL::JITCode::initializeB3Code):
        (JSC::FTL::JITCode::initializeB3Byproducts):
        (JSC::FTL::JITCode::initializeAddressForCall):
        (JSC::FTL::JITCode::contains):
        (JSC::FTL::JITCode::ftl):
        (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        (JSC::FTL::JITCode::initializeExitThunks): Deleted.
        (JSC::FTL::JITCode::addHandle): Deleted.
        (JSC::FTL::JITCode::addDataSection): Deleted.
        (JSC::FTL::JITCode::exitThunks): Deleted.
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::b3Code):
        (JSC::FTL::JITCode::handles): Deleted.
        (JSC::FTL::JITCode::dataSections): Deleted.
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::codeSize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLJSCall.cpp: Removed.
        * ftl/FTLJSCall.h: Removed.
        * ftl/FTLJSCallBase.cpp: Removed.
        * ftl/FTLJSCallBase.h: Removed.
        * ftl/FTLJSCallVarargs.cpp: Removed.
        * ftl/FTLJSCallVarargs.h: Removed.
        * ftl/FTLJSTailCall.cpp: Removed.
        * ftl/FTLJSTailCall.h: Removed.
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::LazySlowPath):
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLazySlowPath.h:
        (JSC::FTL::LazySlowPath::createGenerator):
        (JSC::FTL::LazySlowPath::patchableJump):
        (JSC::FTL::LazySlowPath::done):
        (JSC::FTL::LazySlowPath::usedRegisters):
        (JSC::FTL::LazySlowPath::callSiteIndex):
        (JSC::FTL::LazySlowPath::stub):
        (JSC::FTL::LazySlowPath::patchpoint): Deleted.
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forValueRep):
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::forStackmaps): Deleted.
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::forIndirect):
        (JSC::FTL::Location::forConstant):
        (JSC::FTL::Location::kind):
        (JSC::FTL::Location::hasReg):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        (JSC::FTL::DFG::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileDoubleConstant):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileLoadVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
        (JSC::FTL::DFG::LowerDFGToLLVM::getById):
        (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
        (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
        (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
        (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
        (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
        (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
        (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::probe):
        (JSC::FTL::DFG::LowerDFGToLLVM::crash):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall): Deleted.
        (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap): Deleted.
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
        (JSC::FTL::OSRExitDescriptor::validateReferences):
        (JSC::FTL::OSRExitDescriptor::emitOSRExit):
        (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
        (JSC::FTL::OSRExit::OSRExit):
        (JSC::FTL::OSRExit::codeLocationForRepatch):
        (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException): Deleted.
        (JSC::FTL::OSRExit::spillRegistersToSpillSlot): Deleted.
        (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot): Deleted.
        (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck): Deleted.
        (JSC::FTL::OSRExit::willArriveAtOSRExitFromCallOperation): Deleted.
        (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath): Deleted.
        * ftl/FTLOSRExit.h:
        (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
        (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl): Deleted.
        * ftl/FTLOSRExitCompilationInfo.h: Removed.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileRecovery):
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitHandle.cpp:
        * ftl/FTLOSRExitHandle.h:
        * ftl/FTLOutput.cpp: Removed.
        * ftl/FTLOutput.h: Removed.
        * ftl/FTLPatchpointExceptionHandle.cpp:
        * ftl/FTLPatchpointExceptionHandle.h:
        * ftl/FTLStackMaps.cpp: Removed.
        * ftl/FTLStackMaps.h: Removed.
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        (JSC::FTL::State::~State):
        (JSC::FTL::State::dumpState): Deleted.
        * ftl/FTLState.h:
        * ftl/FTLUnwindInfo.cpp: Removed.
        * ftl/FTLUnwindInfo.h: Removed.
        * ftl/FTLValueRange.cpp:
        (JSC::FTL::ValueRange::decorateInstruction):
        * ftl/FTLValueRange.h:
        (JSC::FTL::ValueRange::ValueRange):
        (JSC::FTL::ValueRange::begin):
        (JSC::FTL::ValueRange::end):
        * ftl/FTLWeight.h:
        (JSC::FTL::Weight::value):
        (JSC::FTL::Weight::frequencyClass):
        (JSC::FTL::Weight::scaleToTotal):
        * llvm/InitializeLLVM.cpp: Removed.
        * llvm/InitializeLLVM.h: Removed.
        * llvm/InitializeLLVMMac.cpp: Removed.
        * llvm/InitializeLLVMPOSIX.cpp: Removed.
        * llvm/InitializeLLVMPOSIX.h: Removed.
        * llvm/LLVMAPI.cpp: Removed.
        * llvm/LLVMAPI.h: Removed.
        * llvm/LLVMAPIFunctions.h: Removed.
        * llvm/LLVMHeaders.h: Removed.
        * llvm/library/LLVMAnchor.cpp: Removed.
        * llvm/library/LLVMExports.cpp: Removed.
        * llvm/library/LLVMOverrides.cpp: Removed.
        * llvm/library/config_llvm.h: Removed.

2016-02-17  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Remove the overflow check on ArithAbs when possible
        https://bugs.webkit.org/show_bug.cgi?id=154325

        Reviewed by Filip Pizlo.

        This patch adds support for ArithMode for ArithAbs.

        It is useful for Kraken tests where Math.abs() is used
        on values for which the range is known.

        For example, imaging-gaussian-blur has two Math.abs() with
        integers that are always in a small range around zero.
        The IntegerRangeOptimizationPhase detects the range correctly
        so we can just update the ArithMode depending on the input.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToArithNegate):
        (JSC::DFG::Node::hasArithMode):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAbs):
        * tests/stress/arith-abs-integer-range-optimization.js: Added.
        (negativeRange):
        (negativeRangeIncludingZero):
        (negativeRangeWithOverflow):
        (positiveRange):
        (positiveRangeIncludingZero):
        (rangeWithoutOverflow):
        * tests/stress/arith-abs-with-bitwise-or-zero.js: Added.
        (opaqueAbs):

1968 2016-02-17  Chris Dumez  <cdumez@apple.com>
1969
1970         SES selftest page crashes on nightly r196694
1971         https://bugs.webkit.org/show_bug.cgi?id=154350
1972         <rdar://problem/24704334>
1973
1974         Reviewed by Mark Lam.
1975
1976         SES selftest page crashes after r196001 / r196145 when calling
1977         Object.getOwnPropertyDescriptor(window, "length") after the window
1978         has been reified and "length" has been shadowed by a value property.
1979
1980         It was crashing in JSObject::getOwnPropertyDescriptor() because
1981         we are getting a slot that has attribute "CustomAccessor" but
1982         the property is not a CustomGetterSetter. In this case, since
1983         window.length is [Replaceable] and has been set to a numeric value,
1984         it follows that the property is not a CustomGetterSetter. However,
1985         the "CustomAccessor" attribute should have been dropped from the
1986         slot when window.length was shadowed. Therefore, this code path
1987         should not be exercised at all when calling
1988         getOwnPropertyDescriptor().
1989
1990         The issue was that putDirectInternal() was updating the slot
1991         attributes only if the "Accessor" flag had changed, but not
1992         the "customAccessor" flag. This patch fixes the issue.
1993
1994         * runtime/JSObject.h:
1995         (JSC::JSObject::putDirectInternal):
1996
1997 2016-02-17  Saam barati  <sbarati@apple.com>
1998
1999         Implement Proxy [[Get]]
2000         https://bugs.webkit.org/show_bug.cgi?id=154081
2001
2002         Reviewed by Michael Saboff.
2003
2004         This patch implements ProxyObject and ProxyConstructor. Their
2005         implementations are straightforward and follow the spec.
2006         The largest change in this patch is adding a second parameter
2007         to PropertySlot's constructor that specifies the internal method type of
2008         the getOwnPropertySlot inquiry. We use getOwnPropertySlot to 
2009         implement more than one Internal Method in the spec. Because 
2010         of this, we need InternalMethodType to give us context about 
2011         which Internal Method we're executing. Specifically, Proxy will 
2012         call into different handlers based on this information.
2013
2014         InternalMethodType is an enum with the following values:
2015         - Get
2016           This corresponds to [[Get]] internal method in the spec.
2017         - GetOwnProperty
2018           This corresponds to [[GetOwnProperty]] internal method in the spec.
2019         - HasProperty
2020           This corresponds to [[HasProperty]] internal method in the spec.
2021         - VMInquiry
2022           This is basically everything else that isn't one of the above
2023           types. This value also mandates that getOwnPropertySlot does
2024           not perform any user observable effects, i.e., it can't call
2025           a JS function.
2026
2027         The other non-VMInquiry InternalMethodTypes are allowed to perform user
2028         observable effects, i.e., in future patches, ProxyObject will implement
2029         InternalMethodType::HasProperty and InternalMethodType::GetOwnProperty, which will both be defined
2030         to call user defined JS functions, which clearly have the right to perform
2031         user observable effects.
2032
2033         This patch implements getOwnPropertySlot of ProxyObject under
2034         InternalMethodType::Get. 
2035
2036         * API/JSCallbackObjectFunctions.h:
2037         (JSC::JSCallbackObject<Parent>::put):
2038         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2039         * CMakeLists.txt:
2040         * JavaScriptCore.xcodeproj/project.pbxproj:
2041         * debugger/DebuggerScope.cpp:
2042         (JSC::DebuggerScope::caughtValue):
2043         * interpreter/Interpreter.cpp:
2044         (JSC::Interpreter::execute):
2045         * jit/JITOperations.cpp:
2046         * llint/LLIntSlowPaths.cpp:
2047         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2048         * runtime/ArrayPrototype.cpp:
2049         (JSC::getProperty):
2050         * runtime/CommonIdentifiers.h:
2051         * runtime/JSCJSValueInlines.h:
2052         (JSC::JSValue::get):
2053         * runtime/JSFunction.cpp:
2054         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2055         (JSC::JSFunction::put):
2056         (JSC::JSFunction::defineOwnProperty):
2057         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2058         (JSC::constructGenericTypedArrayViewWithArguments):
2059         * runtime/JSGlobalObject.cpp:
2060         (JSC::JSGlobalObject::init):
2061         (JSC::JSGlobalObject::defineOwnProperty):
2062         * runtime/JSGlobalObject.h:
2063         (JSC::JSGlobalObject::regExpMatchesArrayStructure):
2064         (JSC::JSGlobalObject::moduleRecordStructure):
2065         (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
2066         (JSC::JSGlobalObject::proxyObjectStructure):
2067         (JSC::JSGlobalObject::wasmModuleStructure):
2068         * runtime/JSModuleEnvironment.cpp:
2069         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2070         * runtime/JSModuleNamespaceObject.cpp:
2071         (JSC::callbackGetter):
2072         * runtime/JSONObject.cpp:
2073         (JSC::Stringifier::Holder::appendNextProperty):
2074         (JSC::Walker::walk):
2075         * runtime/JSObject.cpp:
2076         (JSC::JSObject::calculatedClassName):
2077         (JSC::JSObject::putDirectNonIndexAccessor):
2078         (JSC::JSObject::hasProperty):
2079         (JSC::JSObject::deleteProperty):
2080         (JSC::JSObject::hasOwnProperty):
2081         (JSC::JSObject::getOwnPropertyDescriptor):
2082         * runtime/JSObject.h:
2083         (JSC::JSObject::getDirectIndex):
2084         (JSC::JSObject::get):
2085         * runtime/JSScope.cpp:
2086         (JSC::abstractAccess):
2087         * runtime/ObjectConstructor.cpp:
2088         (JSC::toPropertyDescriptor):
2089         * runtime/ObjectPrototype.cpp:
2090         (JSC::objectProtoFuncLookupGetter):
2091         (JSC::objectProtoFuncLookupSetter):
2092         (JSC::objectProtoFuncToString):
2093         * runtime/PropertySlot.h:
2094         (JSC::attributesForStructure):
2095         (JSC::PropertySlot::PropertySlot):
2096         (JSC::PropertySlot::isCacheableGetter):
2097         (JSC::PropertySlot::isCacheableCustom):
2098         (JSC::PropertySlot::internalMethodType):
2099         (JSC::PropertySlot::disableCaching):
2100         (JSC::PropertySlot::getValue):
2101         * runtime/ProxyConstructor.cpp: Added.
2102         (JSC::ProxyConstructor::create):
2103         (JSC::ProxyConstructor::ProxyConstructor):
2104         (JSC::ProxyConstructor::finishCreation):
2105         (JSC::constructProxyObject):
2106         (JSC::ProxyConstructor::getConstructData):
2107         (JSC::ProxyConstructor::getCallData):
2108         * runtime/ProxyConstructor.h: Added.
2109         (JSC::ProxyConstructor::createStructure):
2110         * runtime/ProxyObject.cpp: Added.
2111         (JSC::ProxyObject::ProxyObject):
2112         (JSC::ProxyObject::finishCreation):
2113         (JSC::performProxyGet):
2114         (JSC::ProxyObject::getOwnPropertySlotCommon):
2115         (JSC::ProxyObject::getOwnPropertySlot):
2116         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2117         (JSC::ProxyObject::visitChildren):
2118         * runtime/ProxyObject.h: Added.
2119         (JSC::ProxyObject::create):
2120         (JSC::ProxyObject::createStructure):
2121         (JSC::ProxyObject::target):
2122         (JSC::ProxyObject::handler):
2123         * runtime/ReflectObject.cpp:
2124         (JSC::reflectObjectGet):
2125         * runtime/SamplingProfiler.cpp:
2126         (JSC::SamplingProfiler::StackFrame::nameFromCallee):
2127         * tests/es6.yaml:
2128         * tests/stress/proxy-basic.js: Added.
2129         (assert):
2130         (let.handler.get null):
2131         (get let):
2132         (let.handler.get switch):
2133         (let.handler):
2134         (let.theTarget.get x):
2135         * tests/stress/proxy-in-proto-chain.js: Added.
2136         (assert):
2137         * tests/stress/proxy-of-a-proxy.js: Added.
2138         (assert):
2139         (throw.new.Error.):
2140         * tests/stress/proxy-property-descriptor.js: Added.
2141         (assert):
2142         (set Object):
2143         * wasm/WASMModuleParser.cpp:
2144         (JSC::WASMModuleParser::getImportedValue):
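
        The following is an added example, not code from WebKit or JSC, that exercises the
        Proxy [[Get]] behaviour this entry implements (the "get" trap, a proxy in the
        prototype chain, a proxy of a proxy, and Reflect.get) using only the standard ES6
        Proxy/Reflect API; it also shows the spec invariant that a [[Get]] trap must honour
        for non-configurable, non-writable target properties. Every name in it
        (makeLoggingProxy, theTarget, violateGetInvariant, ...) is illustrative and is not
        taken from the JSC test files listed above.

```javascript
'use strict';
// Added example, not code from WebKit or JSC: it exercises the ES6 Proxy
// [[Get]] behaviour the entry above implements, using only the standard
// Proxy/Reflect API. All names here (makeLoggingProxy, theTarget, ...) are
// illustrative and are not the names used in the JSC tests.

// 1. [[Get]] on a proxy calls handler.get(target, property, receiver).
function makeLoggingProxy() {
  const log = [];
  const theTarget = { x: 1, get y() { return this.x + 10; } };
  const handler = {
    get(target, property, receiver) {
      log.push(String(property));
      return Reflect.get(target, property, receiver); // forward with the original receiver
    },
  };
  return { proxy: new Proxy(theTarget, handler), log };
}

// 2. Proxy in the prototype chain: a lookup that misses on the child walks up
//    to the proxy, so the trap runs, and the getter sees receiver === child.
function getThroughProtoChain() {
  const { proxy, log } = makeLoggingProxy();
  const child = Object.create(proxy);
  child.x = 5; // creates an own data property on child; no get trap involved
  const value = child.y; // trap fires for "y"; getter computes child.x + 10
  return { value, log };
}

// 3. Proxy of a proxy: each layer's trap runs, outermost first.
function getThroughNestedProxies() {
  const order = [];
  const inner = new Proxy({ v: 42 }, {
    get(t, p, r) { order.push('inner'); return Reflect.get(t, p, r); },
  });
  const outer = new Proxy(inner, {
    get(t, p, r) { order.push('outer'); return Reflect.get(t, p, r); },
  });
  return { value: outer.v, order };
}

// 4. Spec invariant for [[Get]]: if the target has a non-configurable,
//    non-writable data property, the trap must report that same value.
//    A lying trap makes the engine throw a TypeError instead of returning.
function violateGetInvariant() {
  const target = {};
  Object.defineProperty(target, 'frozen', {
    value: 'real', writable: false, configurable: false,
  });
  const lying = new Proxy(target, { get() { return 'fake'; } });
  try {
    return lying.frozen;
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other error';
  }
}

// 5. Reflect.get with an explicit receiver goes through the same trap,
//    and that receiver is what a getter on the target observes as `this`.
function reflectGetUsesTrap() {
  const { proxy, log } = makeLoggingProxy();
  const value = Reflect.get(proxy, 'y', { x: 99 });
  return { value, log };
}
```

        Case 4 is the one worth remembering from a hardening point of view: the trap can
        run arbitrary user code, but it cannot misreport a frozen property of its target,
        so code that freezes what it hands out keeps that guarantee even behind a proxy.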
2145
2146 2016-02-17  Mark Lam  <mark.lam@apple.com>
2147
2148         StringPrototype functions should check for exceptions after calling JSString::value().
2149         https://bugs.webkit.org/show_bug.cgi?id=154340
2150
2151         Reviewed by Filip Pizlo.
2152
2153         JSString::value() can throw an exception if the JS string is a rope and value()
2154         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
2155         able to resolve the rope, it will return a null string (in addition to throwing
2156         the exception).  If StringPrototype functions do not check for exceptions after
2157         calling JSString::value(), they may eventually use the returned null string and
2158         crash the VM.
2159
2160         The fix is to add all the necessary exception checks, and do the appropriate
2161         handling if needed.
2162
2163         Also, in a few places where an exception is detected, we return JSValue(), I
2164         changed it to return jsUndefined() instead to be consistent with the rest of the
2165         file.
2166
2167         * runtime/StringPrototype.cpp:
2168         (JSC::replaceUsingRegExpSearch):
2169         (JSC::stringProtoFuncMatch):
2170         (JSC::stringProtoFuncSlice):
2171         (JSC::stringProtoFuncSplit):
2172         (JSC::stringProtoFuncLocaleCompare):
2173         (JSC::stringProtoFuncBig):
2174         (JSC::stringProtoFuncSmall):
2175         (JSC::stringProtoFuncBlink):
2176         (JSC::stringProtoFuncBold):
2177         (JSC::stringProtoFuncFixed):
2178         (JSC::stringProtoFuncItalics):
2179         (JSC::stringProtoFuncStrike):
2180         (JSC::stringProtoFuncSub):
2181         (JSC::stringProtoFuncSup):
2182         (JSC::stringProtoFuncFontcolor):
2183         (JSC::stringProtoFuncFontsize):
2184         (JSC::stringProtoFuncAnchor):
2185         (JSC::stringProtoFuncLink):
2186         (JSC::trimString):
2187
2188 2016-02-17  Commit Queue  <commit-queue@webkit.org>
2189
2190         Unreviewed, rolling out r196675.
2191         https://bugs.webkit.org/show_bug.cgi?id=154344
2192
2193         "Causes major slowdowns on deltablue-varargs" (Requested by
2194         keith_miller on #webkit).
2195
2196         Reverted changeset:
2197
2198         "Spread operator should be allowed when not the first argument
2199         of parameter list"
2200         https://bugs.webkit.org/show_bug.cgi?id=152721
2201         http://trac.webkit.org/changeset/196675
2202
2203 2016-02-17  Gavin Barraclough  <barraclough@apple.com>
2204
2205         JSDOMWindow::put should not do the same thing twice
2206         https://bugs.webkit.org/show_bug.cgi?id=154334
2207
2208         Reviewed by Chris Dumez.
2209
2210         It either calls JSGlobalObject::put or Base::put. Hint: these are basically the same thing.
2211         In the latter case it might call lookupPut. That's redundant; JSObject::put handles static
2212         table entries.
2213
2214         * runtime/JSGlobalObject.h:
2215         (JSC::JSGlobalObject::hasOwnPropertyForWrite): Deleted.
2216             - no longer needed.
2217
2218 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2219
2220         FTL_USES_B3 should be unconditionally true
2221         https://bugs.webkit.org/show_bug.cgi?id=154324
2222
2223         Reviewed by Benjamin Poulain.
2224
2225         * dfg/DFGCommon.h:
2226
2227 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2228
2229         FTL should support CompareEq(String:, String:)
2230         https://bugs.webkit.org/show_bug.cgi?id=154269
2231         rdar://problem/24499921
2232
2233         Reviewed by Benjamin Poulain.
2234
2235         Looks like a slight pdfjs slow-down, probably because we're having some recompilations. I
2236         think we should land the increased coverage first and fix the issues after, especially since
2237         the regression is so small and doesn't have a statistically significant effect on the overall
2238         score.
2239
2240         * ftl/FTLCapabilities.cpp:
2241         (JSC::FTL::canCompile):
2242         * ftl/FTLLowerDFGToLLVM.cpp:
2243         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareEq):
2244         (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
2245         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
2246         (JSC::FTL::DFG::LowerDFGToLLVM::stringsEqual):
2247         * tests/stress/ftl-string-equality.js: Added.
2248         * tests/stress/ftl-string-ident-equality.js: Added.
2249         * tests/stress/ftl-string-strict-equality.js: Added.
2250
2251 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2252
2253         FTL should support NewTypedArray
2254         https://bugs.webkit.org/show_bug.cgi?id=154268
2255
2256         Reviewed by Saam Barati.
2257
2258         3% speed-up on pdfjs. This was already covered by many different tests.
2259
2260         Rolling this back in after fixing the butterfly argument.
2261
2262         * ftl/FTLCapabilities.cpp:
2263         (JSC::FTL::canCompile):
2264         * ftl/FTLLowerDFGToLLVM.cpp:
2265         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2266         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
2267         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
2268         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
2269         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
2270         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
2271         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
2272
2273 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
2274
2275         JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot
2276         https://bugs.webkit.org/show_bug.cgi?id=154257
2277
2278         Reviewed by Chris Dumez.
2279
2280         * runtime/Lookup.h:
2281         (JSC::getStaticPropertySlot):
2282         (JSC::getStaticFunctionSlot):
2283         (JSC::getStaticValueSlot):
2284             - this could all do with a little more love.
2285               But enforce the basic precedence:
2286                 (1) regular storage properties always win over static table properties.
2287                 (2) if properties have been reified, don't consult the static tables.
2288                 (3) only if the property is not present on the object & not reified
2289                     should the static hashtable be consulted.
2290
2291 2016-02-16  Gavin Barraclough  <barraclough@apple.com>
2292
2293         JSDOMWindow::getOwnPropertySlot should not search proto chain
2294         https://bugs.webkit.org/show_bug.cgi?id=154102
2295
2296         Reviewed by Chris Dumez.
2297
2298         Should only return *own* properties.
2299
2300         * runtime/JSObject.cpp:
2301         (JSC::JSObject::getOwnPropertyDescriptor):
2302             - remove hack/special-case for DOMWindow; we no longer need this.
2303
2304 2016-02-16  Keith Miller  <keith_miller@apple.com>
2305
2306         Spread operator should be allowed when not the first argument of parameter list
2307         https://bugs.webkit.org/show_bug.cgi?id=152721
2308
2309         Reviewed by Saam Barati.
2310
2311         Spread arguments to functions should now be ES6 compliant. Before we
2312         would only take a spread operator if it was the sole argument to a
2313         function. Additionally, we would not use the Symbol.iterator on the
2314         object to generate the arguments. Instead we would do a loop up to the
2315         length mapping indexed properties to the corresponding argument. We fix
2316         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
2317         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
2318         old spread semantics). This solution has the downside of requiring the
2319         allocation of another object and copying each element twice but avoids a
2320         large change to the vm calling convention.
2321
2322         * interpreter/Interpreter.cpp:
2323         (JSC::loadVarargs):
2324         * parser/ASTBuilder.h:
2325         (JSC::ASTBuilder::createElementList):
2326         * parser/Parser.cpp:
2327         (JSC::Parser<LexerType>::parseArguments):
2328         (JSC::Parser<LexerType>::parseArgument):
2329         (JSC::Parser<LexerType>::parseMemberExpression):
2330         * parser/Parser.h:
2331         * parser/SyntaxChecker.h:
2332         (JSC::SyntaxChecker::createElementList):
2333         * tests/es6.yaml:
2334         * tests/stress/spread-calling.js: Added.
2335         (testFunction):
2336         (testEmpty):
2337         (makeObject):
2338         (otherIterator.return.next):
2339         (otherIterator):
2340         (totalIter):
2341         (throwingIter.return.next):
2342         (throwingIter):
2343         (i.catch):
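
        The following is an added example, not code from WebKit, that contrasts the two
        spread semantics this entry describes (walking 0..length over indexed properties
        versus driving Symbol.iterator) and models the AST rewrite
        foo(...a, b, ...c, d) -> foo(...[...a, b, ...c, d]) as an ordinary function,
        including the case of an iterator that throws. The array-like object is
        constructed so the two strategies give different answers; every name in it
        (spread, makeObject, callWithMixedSpread, ...) is illustrative and not taken
        from the JSC test file listed above.

```javascript
'use strict';
// Added example, not code from WebKit: it contrasts the two spread semantics
// the entry above describes and models the AST rewrite as a plain function.
// Every name here (makeObject, spread, callWithMixedSpread, ...) is
// illustrative; the JSC test file uses its own.

const SPREAD = Symbol('spread');
function spread(value) { return { [SPREAD]: value }; } // marks "...value"

// A constructed array-like whose Symbol.iterator disagrees with its indexed
// properties, so the two strategies can be told apart.
function makeObject() {
  const obj = { length: 2, 0: 'idx0', 1: 'idx1' };
  obj[Symbol.iterator] = function* () { yield 'iter0'; yield 'iter1'; yield 'iter2'; };
  return obj;
}

// Old JSC behaviour: walk 0..length-1 over indexed properties.
function spreadByLength(obj) {
  const args = [];
  for (let i = 0; i < obj.length; i++) args.push(obj[i]);
  return args;
}

// ES6 behaviour: drive Symbol.iterator; exceptions from next() propagate.
function spreadByIterator(obj) {
  const args = [];
  for (const v of obj) args.push(v);
  return args;
}

// The rewrite foo(...a, b, ...c, d) -> foo(...[...a, b, ...c, d]):
// build one array with iterator-based spreads (the array-literal step), then
// spread that array into the call. On a real Array the old length-based
// spread is already correct, which is why the rewrite can reuse it.
function callWithMixedSpread(fn, parts) {
  const flat = [];
  for (const part of parts) {
    if (part !== null && typeof part === 'object' && SPREAD in part) {
      flat.push(...spreadByIterator(part[SPREAD]));
    } else {
      flat.push(part);
    }
  }
  return fn.apply(null, spreadByLength(flat));
}

function testFunction(...args) { return args; }

// An iterable whose iterator throws on the first next(): the spread must
// propagate the error rather than silently producing an empty list.
function throwingIter() {
  return { [Symbol.iterator]() { return { next() { throw new Error('boom'); } }; } };
}

function callWithThrowingIter() {
  try {
    callWithMixedSpread(testFunction, [spread(throwingIter()), 'd']);
    return 'no throw';
  } catch (e) {
    return e.message;
  }
}
```

        The extra array allocation and double copy the entry mentions are visible in
        callWithMixedSpread: the elements are pushed into flat and then copied again by
        spreadByLength before the call.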
2344
2345 2016-02-16  Benjamin Poulain  <bpoulain@apple.com>
2346
2347         [JSC] Enable B3 on ARM64
2348         https://bugs.webkit.org/show_bug.cgi?id=154275
2349
2350         Reviewed by Mark Lam.
2351
2352         The port passes more tests than LLVM now, let's use it by default.
2353
2354         * dfg/DFGCommon.h:
2355
2356 2016-02-16  Commit Queue  <commit-queue@webkit.org>
2357
2358         Unreviewed, rolling out r196652.
2359         https://bugs.webkit.org/show_bug.cgi?id=154315
2360
2361         This change caused LayoutTest crashes (Requested by ryanhaddad
2362         on #webkit).
2363
2364         Reverted changeset:
2365
2366         "FTL should support NewTypedArray"
2367         https://bugs.webkit.org/show_bug.cgi?id=154268
2368         http://trac.webkit.org/changeset/196652
2369
2370 2016-02-16  Brian Burg  <bburg@apple.com>
2371
2372         RemoteInspector should forward new automation session requests to its client
2373         https://bugs.webkit.org/show_bug.cgi?id=154260
2374         <rdar://problem/24663313>
2375
2376         Reviewed by Timothy Hatcher.
2377
2378         * inspector/remote/RemoteInspector.h:
2379         * inspector/remote/RemoteInspector.mm:
2380         (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2381         (Inspector::RemoteInspector::listingForAutomationTarget):
2382         Use the correct key for the session identifier in the listing. The name()
2383         override for RemoteAutomationTarget is actually the session identifier.
2384
2385         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
2386         * inspector/remote/RemoteInspectorConstants.h: Add new constants.
2387
2388 2016-02-16  Saam barati  <sbarati@apple.com>
2389
2390         SamplingProfiler still fails with ASan enabled
2391         https://bugs.webkit.org/show_bug.cgi?id=154301
2392         <rdar://problem/24679502>
2393
2394         Reviewed by Filip Pizlo.
2395
2396         To fix this issue, I've come up with unsafe versions
2397         of all operations that load memory from the thread's call
2398         frame. All these new unsafe methods are marked with SUPPRESS_ASAN.
2399
2400         * interpreter/CallFrame.cpp:
2401         (JSC::CallFrame::callSiteAsRawBits):
2402         (JSC::CallFrame::unsafeCallSiteAsRawBits):
2403         (JSC::CallFrame::callSiteIndex):
2404         (JSC::CallFrame::unsafeCallSiteIndex):
2405         (JSC::CallFrame::stack):
2406         (JSC::CallFrame::callerFrame):
2407         (JSC::CallFrame::unsafeCallerFrame):
2408         (JSC::CallFrame::friendlyFunctionName):
2409         * interpreter/CallFrame.h:
2410         (JSC::ExecState::calleeAsValue):
2411         (JSC::ExecState::callee):
2412         (JSC::ExecState::unsafeCallee):
2413         (JSC::ExecState::codeBlock):
2414         (JSC::ExecState::unsafeCodeBlock):
2415         (JSC::ExecState::scope):
2416         (JSC::ExecState::callerFrame):
2417         (JSC::ExecState::callerFrameOrVMEntryFrame):
2418         (JSC::ExecState::unsafeCallerFrameOrVMEntryFrame):
2419         (JSC::ExecState::callerFrameOffset):
2420         (JSC::ExecState::callerFrameAndPC):
2421         (JSC::ExecState::unsafeCallerFrameAndPC):
2422         * interpreter/Register.h:
2423         (JSC::Register::codeBlock):
2424         (JSC::Register::asanUnsafeCodeBlock):
2425         (JSC::Register::unboxedInt32):
2426         (JSC::Register::tag):
2427         (JSC::Register::unsafeTag):
2428         (JSC::Register::payload):
2429         * interpreter/VMEntryRecord.h:
2430         (JSC::VMEntryRecord::prevTopCallFrame):
2431         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
2432         (JSC::VMEntryRecord::prevTopVMEntryFrame):
2433         (JSC::VMEntryRecord::unsafePrevTopVMEntryFrame):
2434         * runtime/SamplingProfiler.cpp:
2435         (JSC::FrameWalker::walk):
2436         (JSC::FrameWalker::advanceToParentFrame):
2437         (JSC::FrameWalker::isAtTop):
2438         (JSC::FrameWalker::resetAtMachineFrame):
2439
2440 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2441
2442         FTL should support NewTypedArray
2443         https://bugs.webkit.org/show_bug.cgi?id=154268
2444
2445         Reviewed by Saam Barati.
2446
2447         3% speed-up on pdfjs. This was already covered by many different tests.
2448
2449         * ftl/FTLCapabilities.cpp:
2450         (JSC::FTL::canCompile):
2451         * ftl/FTLLowerDFGToLLVM.cpp:
2452         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2453         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
2454         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewTypedArray):
2455         (JSC::FTL::DFG::LowerDFGToLLVM::compileAllocatePropertyStorage):
2456         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
2457         (JSC::FTL::DFG::LowerDFGToLLVM::allocateBasicStorage):
2458         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
2459
2460 2016-02-16  Saam barati  <sbarati@apple.com>
2461
2462         stress/sampling-profiler-deep-stack.js fails on ARM 32bit
2463         https://bugs.webkit.org/show_bug.cgi?id=154255
2464         <rdar://problem/24662996>
2465
2466         Reviewed by Mark Lam.
2467
2468         The bug here wasn't in the implementation of the sampling profiler 
2469         itself. Rather, it was a bug in the test. JSC wasn't spending a lot
2470         of time in a function that the test assumed a lot of time was spent in.
2471         That's because the DFG was doing a good job at optimizing the function
2472         at the leaf of the recursion. Because of that, we often wouldn't sample it.
2473         I fixed this by making the leaf function do more work.
2474
2475         * tests/stress/sampling-profiler-deep-stack.js:
2476         (platformSupportsSamplingProfiler.foo):
2477
2478 2016-02-16  Chris Dumez  <cdumez@apple.com>
2479
2480         [Web IDL] Operations should be on the instance for global objects or if [Unforgeable]
2481         https://bugs.webkit.org/show_bug.cgi?id=154120
2482         <rdar://problem/24613231>
2483
2484         Reviewed by Gavin Barraclough.
2485
2486         Have putEntry() take a thisValue parameter in addition to the base,
2487         instead of relying on PropertySlot::thisValue() because this did not
2488         always do the right thing. In particular, when JSDOMWindow::put() was
2489         called to set a function, it would end up setting the new value on the
2490         JSDOMWindowShell instead of the actual JSDOMWindow.
2491         JSDOMWindow::getOwnPropertySlot() would then not be able to find it.
2492         Therefore the following would fail:
2493         $ window.open = "test"
2494         $ console.log(window.open) // prints the native function instead of "test"
2495
2496         * runtime/JSObject.cpp:
2497         (JSC::JSObject::putInlineSlow):
2498         * runtime/Lookup.h:
2499         (JSC::putEntry):
2500         (JSC::lookupPut):
2501
2502 2016-02-16  Keith Miller  <keith_miller@apple.com>
2503
2504         ClonedArguments should not materialize its special properties unless they are being changed or deleted
2505         https://bugs.webkit.org/show_bug.cgi?id=154128
2506
2507         Reviewed by Filip Pizlo.
2508
2509         Before we would materialize ClonedArguments whenever they were being accessed.
2510         However this would cause the IC to miss every time as the structure for
2511         the arguments object would change as we went to IC it. Thus on the next
2512         function call we would miss the cache since the new arguments object
2513         would not have materialized the value.
2514
2515         * runtime/ClonedArguments.cpp:
2516         (JSC::ClonedArguments::getOwnPropertySlot):
2517         * tests/stress/cloned-arguments-modification.js: Added.
2518         (foo):
2519
2520 2016-02-16  Filip Pizlo  <fpizlo@apple.com>
2521
2522         FTL should support StringFromCharCode
2523         https://bugs.webkit.org/show_bug.cgi?id=154267
2524         rdar://problem/24192536
2525
2526         Reviewed by Mark Lam.
2527
2528         * dfg/DFGFixupPhase.cpp:
2529         (JSC::DFG::FixupPhase::fixupNode): Fix a bug preventing the UntypedUse from being effective.
2530         * ftl/FTLCapabilities.cpp:
2531         (JSC::FTL::canCompile):
2532         * ftl/FTLLowerDFGToLLVM.cpp:
2533         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2534         (JSC::FTL::DFG::LowerDFGToLLVM::compileStringFromCharCode): Implement the opcode.
2535         * tests/stress/string-from-char-code-slow.js: Added.
2536
2537 2016-02-15  Benjamin Poulain  <bpoulain@apple.com>
2538
2539         [JSC] BranchAdd can override arguments of its stackmap
2540         https://bugs.webkit.org/show_bug.cgi?id=154274
2541
2542         Reviewed by Filip Pizlo.
2543
2544         With the 3 operands BranchAdd added in r196513, we can run into
2545         a register allocation such that the destination register is also
2546         used by a value in the stack map.
2547
2548         It used to be that BranchAdd was a 2-operand instruction.
2549         In that form, the destination is also one of the source and
2550         can be recovered through Sub. There is no conflict between
2551         destination and the stackmap.
2552
2553         After r196513, the destination has its own value. It is uncommon
2554         on x86 because of the aggressive aliasing but that can happen.
2555         On ARM, that's a standard form since there is no need for aliasing.
2556
2557         Since the arguments of the stackmap are of type EarlyUse,
2558         they appeared as not interfering with the destination. When the register
2559         allocator gives the same register to the destination and something in
2560         the stack map, the result of BranchAdd destroys the value kept alive
2561         for the stackmap.
2562
2563         In this patch, I introduce a concept very similar to ForceLateUse
2564         to keep the argument of the stackmap live in CheckAdd. The new
2565         role is "ForceLateUseUnlessRecoverable".
2566
2567         In this mode, anything that is not also an input argument becomes
2568         LateUse. As such, it interferes with the destination of CheckAdd.
2569         The arguments are recovered by the slow path of CheckAdd. They
2570         remain Early use.
2571
2572         This new mode ensures that the destination can be aliased to the source
2573         when that's useful, while making sure it is not aliased with another
2574         value that needs to be live on exit.
2575
2576         * b3/B3CheckSpecial.cpp:
2577         (JSC::B3::CheckSpecial::forEachArg):
2578         * b3/B3LowerToAir.cpp:
2579         (JSC::B3::Air::LowerToAir::lower):
2580         * b3/B3PatchpointSpecial.cpp:
2581         (JSC::B3::PatchpointSpecial::forEachArg):
2582         * b3/B3StackmapSpecial.cpp:
2583         (JSC::B3::StackmapSpecial::forEachArgImpl):
2584         (WTF::printInternal):
2585         * b3/B3StackmapSpecial.h:
2586         * b3/B3StackmapValue.h:
2587
2588 2016-02-15  Joseph Pecoraro  <pecoraro@apple.com>
2589
2590         Web Inspector: Web Workers have no access to console for debugging
2591         https://bugs.webkit.org/show_bug.cgi?id=26237
2592
2593         Reviewed by Timothy Hatcher.
2594
2595         * inspector/ConsoleMessage.h:
2596         Add accessor for MessageLevel.
2597
2598 2016-02-15  Mark Lam  <mark.lam@apple.com>
2599
2600         [ARMv7] stress/op_rshift.js and stress/op_urshift.js are failing.
2601         https://bugs.webkit.org/show_bug.cgi?id=151514
2602
2603         Reviewed by Filip Pizlo.
2604
2605         The issue turns out to be trivial: on ARMv7 (and traditional ARM too), arithmetic
2606         shift right (ASR) and logical shift right (LSR) take an immediate shift amount
2607         from 1-32.  See http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cjacbgca.html.
2608         An immediate shift amount of 0 is interpreted as a shift of 32 bits.
2609
2610         Meanwhile, our macro assembler is expecting the immediate shift value to be
2611         between 0-31.  As a result, a shift amount of 0 is being wrongly encoded with 0
2612         bits which means shift right by 32 bits.
2613
2614         The fix is to check if the shift amount is 0, and if so, emit a move.  Else,
2615         emit the right shift as usual.
2616
2617         This issue does not affect left shifts, as the immediate shift amount for left
2618         shifts is between 0-31 as our macro assembler expects.
2619
2620         * assembler/MacroAssemblerARM.h:
2621         (JSC::MacroAssemblerARM::rshift32):
2622         (JSC::MacroAssemblerARM::urshift32):
2623         (JSC::MacroAssemblerARM::sub32):
2624         * assembler/MacroAssemblerARMv7.h:
2625         (JSC::MacroAssemblerARMv7::rshift32):
2626         (JSC::MacroAssemblerARMv7::urshift32):
2627
2628         * tests/stress/op_rshift.js:
2629         * tests/stress/op_urshift.js:
2630         - Un-skip these tests.  They should always pass now.
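
        The following is an added example, not JSC code, that models the encoding quirk this
        entry describes: a tiny stand-in for the ARM immediate right-shift semantics (an
        encoded shift field of 0 means a shift by 32), the buggy lowering that copies a
        0..31 request straight into that field, the fixed lowering that emits a move for a
        shift by 0, and a sweep over all 32 amounts showing that 0 is the only one that
        miscompiles. All names (armLsrImmediate, urshift32Buggy, mismatchedAmounts, ...)
        are illustrative; the real macro assembler methods are the ones listed above.

```javascript
'use strict';
// Added example, not JSC code: a model of the ARM immediate-shift quirk the
// entry above describes. Hardware: LSR/ASR #imm accepts 1..32, and an encoded
// field of 0 means 32. Callers of the macro assembler pass 0..31.

// Hardware semantics of LSR/ASR given the raw encoded immediate field (0..31).
// JS masks shift counts to 5 bits, so a shift by 32 must be special-cased here.
function armLsrImmediate(value, encodedImm) {
  const shift = encodedImm === 0 ? 32 : encodedImm;
  return shift >= 32 ? 0 : value >>> shift;
}
function armAsrImmediate(value, encodedImm) {
  const shift = encodedImm === 0 ? 32 : encodedImm;
  if (shift >= 32) return (value | 0) < 0 ? -1 : 0; // ASR #32 fills with the sign bit
  return value >> shift;
}

// Buggy lowering: the requested amount (0..31) goes straight into the field.
function urshift32Buggy(value, amount) { return armLsrImmediate(value, amount & 31) >>> 0; }
function rshift32Buggy(value, amount) { return armAsrImmediate(value, amount & 31) | 0; }

// Fixed lowering: a shift by 0 is a move; anything else encodes as before.
function urshift32Fixed(value, amount) {
  const imm = amount & 31;
  return (imm === 0 ? value : armLsrImmediate(value, imm)) >>> 0;
}
function rshift32Fixed(value, amount) {
  const imm = amount & 31;
  return (imm === 0 ? value : armAsrImmediate(value, imm)) | 0;
}

// Reference semantics: what JavaScript's >>> and >> operators must produce.
function urshiftJs(value, amount) { return value >>> amount; }
function rshiftJs(value, amount) { return value >> amount; }

// Sweep every immediate amount over some sample values and report the amounts
// for which the lowering disagrees with the reference.
function mismatchedAmounts(impl, reference, samples) {
  const bad = new Set();
  for (let amount = 0; amount < 32; amount++) {
    for (const v of samples) {
      if (impl(v, amount) !== reference(v, amount)) bad.add(amount);
    }
  }
  return [...bad];
}
```

        Left shifts are not modelled because, as the entry says, LSL takes 0..31 and the
        request can be encoded unchanged; the sweep above returns [0] for the buggy
        lowerings and [] for the fixed ones.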
2631
2632 2016-02-15  Filip Pizlo  <fpizlo@apple.com>
2633
2634         Parser::parseVariableDeclarationList should null check the node before attempting to create a new CommaExpr
2635         https://bugs.webkit.org/show_bug.cgi?id=154244
2636         rdar://problem/24290670
2637
2638         Reviewed by Michael Saboff.
2639
2640         * parser/ASTBuilder.h:
2641         (JSC::ASTBuilder::appendToCommaExpr): Catch the bug sooner in debug.
2642         * parser/Parser.cpp:
2643         (JSC::Parser<LexerType>::parseVariableDeclarationList): Fix the bug.
2644         * tests/stress/for-let-comma.js: Added. This used to crash in debug and release.
2645
2646 2016-02-15  Benjamin Poulain  <bpoulain@apple.com>
2647
2648         [JSC] Improve the interface of Inst::shouldTryAliasingDef()
2649         https://bugs.webkit.org/show_bug.cgi?id=154227
2650
2651         Reviewed by Andreas Kling.
2652
2653         Using Optional<> instead of a bool+reference looks cleaner
2654         at the call sites.
2655
2656         * b3/B3CheckSpecial.cpp:
2657         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
2658         * b3/B3CheckSpecial.h:
2659         * b3/air/AirCustom.h:
2660         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
2661         * b3/air/AirInst.h:
2662         * b3/air/AirInstInlines.h:
2663         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2664         * b3/air/AirIteratedRegisterCoalescing.cpp:
2665         * b3/air/AirSpecial.cpp:
2666         (JSC::B3::Air::Special::shouldTryAliasingDef):
2667         * b3/air/AirSpecial.h:
2668
2669 2016-02-14  Brian Burg  <bburg@apple.com>
2670
2671         WKAutomationDelegate's requestAutomationSession should take a suggested session identifier
2672         https://bugs.webkit.org/show_bug.cgi?id=154012
2673         <rdar://problem/24557697>
2674
2675         Reviewed by Darin Adler.
2676
2677         Add a string parameter to the client method for requesting a new session.
2678
2679         * inspector/remote/RemoteInspector.h:
2680
2681 2016-02-13  Timothy Hatcher  <timothy@apple.com>
2682
2683         Fix WebAssembly bug URL in the feature list.
2684
2685         * features.json:
2686
2687 2016-02-12  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2688
2689         Change the last RefPtr::get() to release() in String.prototype.normalize
2690         https://bugs.webkit.org/show_bug.cgi?id=154211
2691
2692         Reviewed by Ryosuke Niwa.
2693
2694         Change the last RefPtr::get() to release() in String.prototype.normalize.
2695
2696         * runtime/StringPrototype.cpp:
2697         (JSC::normalize):
2698
2699 2016-02-12  Saam barati  <sbarati@apple.com>
2700
2701         [ES6] we have an incorrect syntax error when a callee of a function expression has the same name as a top-level lexical declaration
2702         https://bugs.webkit.org/show_bug.cgi?id=154143
2703
2704         Reviewed by Benjamin Poulain.
2705
2706         We were raising syntax errors on the following type of programs when
2707         we shouldn't have been.
2708         ```
2709         (function foo() { const foo = 20; });
2710         ```
2711
2712         * parser/Parser.cpp:
2713         (JSC::Parser<LexerType>::parseFunctionInfo):
2714         * parser/Parser.h:
2715         (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
2716         (JSC::Scope::declareCallee):
2717         (JSC::Scope::declareVariable):
2718         (JSC::Scope::hasDeclaredVariable):
2719         (JSC::Scope::hasLexicallyDeclaredVariable):
2720         (JSC::Scope::hasDeclaredParameter):
2721         (JSC::Scope::declareWrite):
2722         (JSC::Scope::getCapturedVars):
2723
2724 2016-02-12  Benjamin Poulain  <bpoulain@apple.com>
2725
2726         [JSC] ZeroExtend and SignExtend use incorrect addressing on ARM64
2727         https://bugs.webkit.org/show_bug.cgi?id=154208
2728
2729         Reviewed by Filip Pizlo.
2730
2731         When lowering:
2732             @1 = Load32(@x)
2733             @2 = SExt8(@1)
2734
2735         LowerToAir would see there is a form of SignExtend8To32 (an alias for Load8S)
2736         and use that.
2737
2738         There are two problems with that:
2739         1) If we have an Addr, it went through legalizeMemoryOffsets() for a 32-bit
2740            load. If used on another kind of load, there is no guarantee the addressing
2741            is still valid.
2742         2) If we have an Index, it is computed for the 32-bit MemoryValue.
2743            The computed index is not valid for the 8-bit load.
2744
2745         (2) could be fixed by changing LowerToAir to use the current instruction width
2746         instead of the B3ValueWidth but that's a bit tricky. We should just embrace
2747         that one of our targets is a Load-Store architecture.
2748
2749         In this patch, I just disabled the faulty forms on ARM64. We still need those operations
2750         to be fast, this will be addressed in: https://bugs.webkit.org/show_bug.cgi?id=154207
2751
2752         I also strengthened the m_allowScratchRegister assertion. The instructions that do not
2753         invalidate the temporary did not run the assertion, making this harder to debug.
2754
2755         * assembler/MacroAssemblerARM64.h:
2756         (JSC::MacroAssemblerARM64::load8):
2757         (JSC::MacroAssemblerARM64::store64):
2758         (JSC::MacroAssemblerARM64::store32):
2759         (JSC::MacroAssemblerARM64::loadDouble):
2760         (JSC::MacroAssemblerARM64::storeDouble):
2761         (JSC::MacroAssemblerARM64::branch32):
2762         (JSC::MacroAssemblerARM64::branch64):
2763         (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
2764         (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
2765         (JSC::MacroAssemblerARM64::dataMemoryTempRegister):
2766         (JSC::MacroAssemblerARM64::cachedMemoryTempRegister):
2767         (JSC::MacroAssemblerARM64::load):
2768         (JSC::MacroAssemblerARM64::store):
2769         * b3/air/AirOpcode.opcodes:
2770
2771 2016-02-12  Michael Saboff  <msaboff@apple.com>
2772
2773         offlineasm: Emit Dwarf2 file and location directives to allow for debugging .asm files
2774         https://bugs.webkit.org/show_bug.cgi?id=152703
2775
2776         Reviewed by Mark Lam.
2777
2778         Added support to output Dwarf2 .file and .loc assembler directives to provide the debugging
2779         information needed to correlate the offline assembler generated code with the source lines 
2780         in the .asm files.
2781
2782         Changed the tracking of file data to include a file index that was provided to the .file
2783         directive.  That index is used when emitting the .loc directives.
2784
2785         * offlineasm/arm.rb:
2786         * offlineasm/arm64.rb:
2787         * offlineasm/asm.rb:
2788         * offlineasm/backends.rb:
2789         * offlineasm/config.rb:
2790         * offlineasm/parser.rb:
2791         * offlineasm/x86.rb:
2792
2793 2016-02-12  Saam barati  <sbarati@apple.com>
2794
2795         The parser doesn't properly protect against global variable references in builtins
2796         https://bugs.webkit.org/show_bug.cgi?id=154144
2797
2798         Reviewed by Geoffrey Garen.
2799
2800         This patch fixes our global variable reference detection
2801         algorithm that was broken. After fixing the algorithm, I
2802         detected many places where we were incorrectly using global
2803         variables. I've fixed all those.
2804
2805         * builtins/BuiltinExecutables.cpp:
2806         (JSC::createExecutableInternal):
2807         * builtins/NumberPrototype.js:
2808         (toLocaleString):
2809         * builtins/PromiseConstructor.js:
2810         (race):
2811         (reject):
2812         (resolve):
2813         * parser/Nodes.cpp:
2814         (JSC::ProgramNode::ProgramNode):
2815         (JSC::ModuleProgramNode::ModuleProgramNode):
2816         (JSC::ProgramNode::setClosedVariables): Deleted.
2817         * parser/Nodes.h:
2818         (JSC::ScopeNode::setClosedVariables): Deleted.
2819         (JSC::ProgramNode::closedVariables): Deleted.
2820         * parser/Parser.cpp:
2821         (JSC::Parser<LexerType>::parseInner):
2822         (JSC::Parser<LexerType>::didFinishParsing):
2823         * parser/Parser.h:
2824         (JSC::Scope::setIsLexicalScope):
2825         (JSC::Scope::isLexicalScope):
2826         (JSC::Scope::closedVariableCandidates):
2827         (JSC::Scope::declaredVariables):
2828         (JSC::Scope::lexicalVariables):
2829         (JSC::Scope::finalizeLexicalEnvironment):
2830         (JSC::Parser::positionBeforeLastNewline):
2831         (JSC::Parser::locationBeforeLastToken):
2832         (JSC::Parser::isFunctionMetadataNode):
2833         (JSC::parse):
2834         (JSC::Parser::closedVariables): Deleted.
2835
2836 2016-02-12  Filip Pizlo  <fpizlo@apple.com>
2837
2838         JSObject::putByIndexBeyondVectorLengthWithoutAttributes needs to go to the sparse map based on MAX_STORAGE_VECTOR_INDEX
2839         https://bugs.webkit.org/show_bug.cgi?id=154201
2840         rdar://problem/24291387
2841
2842         Reviewed by Saam Barati.
2843
2844         I decided against adding a test for this, because it runs for a very long time.
2845
2846         * runtime/JSObject.cpp:
2847         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): Fix the bug.
2848         * runtime/StringPrototype.cpp:
2849         (JSC::stringProtoFuncSplit): Fix a related bug: if this code creates an array that would have
2850             hit the above bug, then it would probably manifest as a spin or as swapping.
2851
2852 2016-02-12  Jonathan Davis  <jond@apple.com>
2853
2854         Add WebAssembly to the status page
2855         https://bugs.webkit.org/show_bug.cgi?id=154199
2856
2857         Reviewed by Timothy Hatcher.
2858
2859         * features.json:
2860
2861 2016-02-12  Brian Burg  <bburg@apple.com>
2862
2863         Web Inspector: disambiguate the various identifier and connection types in RemoteInspector
2864         https://bugs.webkit.org/show_bug.cgi?id=154130
2865
2866         Reviewed by Joseph Pecoraro.
2867
2868         There are multiple identifier types:
2869             - connection identifier, a string UUID for a remote debugger process.
2870             - session identifier, a string UUID for a remote driver/debugger instance.
2871             - page/target identifier, a number unique within a single process.
2872
2873         There are multiple connection types:
2874             - RemoteInspectorXPCConnection, a connection from RemoteInspectorXPCConnectionor to a relay.
2875             - RemoteConnectionToTarget, a class that bridges to targets' dispatch queues.
2876
2877         Use consistent variable and getter names so that these don't get confused and
2878         so that the code is easier to read. This is especially an improvement when working
2879         with multiple target types or connection types within the same function.
2880
2881         * inspector/remote/RemoteConnectionToTarget.h:
2882         * inspector/remote/RemoteConnectionToTarget.mm:
2883         Remove the member for m_identifier since we can ask the target for its target identifier
2884         or use a default value via WTF::Optional. There's no reason to cache the value.
2885
2886         (Inspector::RemoteTargetHandleRunSourceWithInfo):
2887         (Inspector::RemoteConnectionToTarget::targetIdentifier):
2888         (Inspector::RemoteConnectionToTarget::destination):
2889         (Inspector::RemoteConnectionToTarget::setup):
2890         (Inspector::RemoteConnectionToTarget::sendMessageToFrontend):
2891         Bail out if the target pointer was somehow cleared and we can't get a useful target identifier.
2892
2893         (Inspector::RemoteConnectionToTarget::RemoteConnectionToTarget): Deleted.
2894         * inspector/remote/RemoteControllableTarget.h:
2895         * inspector/remote/RemoteInspectionTarget.cpp:
2896         (Inspector::RemoteInspectionTarget::pauseWaitingForAutomaticInspection):
2897         (Inspector::RemoteInspectionTarget::unpauseForInitializedInspector):
2898         * inspector/remote/RemoteInspector.h:
2899         * inspector/remote/RemoteInspector.mm:
2900         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
2901         (Inspector::RemoteInspector::registerTarget):
2902         (Inspector::RemoteInspector::unregisterTarget):
2903         (Inspector::RemoteInspector::updateTarget):
2904         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
2905         (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
2906         (Inspector::RemoteInspector::sendMessageToRemote):
2907         (Inspector::RemoteInspector::setupFailed):
2908         (Inspector::RemoteInspector::setupCompleted):
2909         (Inspector::RemoteInspector::stopInternal):
2910         (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2911         (Inspector::RemoteInspector::xpcConnectionFailed):
2912         (Inspector::RemoteInspector::listingForInspectionTarget):
2913         (Inspector::RemoteInspector::listingForAutomationTarget):
2914         (Inspector::RemoteInspector::pushListingsNow):
2915         (Inspector::RemoteInspector::pushListingsSoon):
2916         (Inspector::RemoteInspector::updateHasActiveDebugSession):
2917         (Inspector::RemoteInspector::receivedSetupMessage):
2918         (Inspector::RemoteInspector::receivedDataMessage):
2919         (Inspector::RemoteInspector::receivedDidCloseMessage):
2920         (Inspector::RemoteInspector::receivedIndicateMessage):
2921         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2922         (Inspector::RemoteInspector::receivedConnectionDiedMessage):
2923         (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
2924         (Inspector::RemoteInspector::nextAvailableIdentifier): Deleted.
2925         * inspector/remote/RemoteInspectorConstants.h:
2926
2927 2016-02-12  Benjamin Poulain  <benjamin@webkit.org>
2928
2929         [JSC] On x86, improve the selection of which value are selected for the UseDef part of commutative operations
2930         https://bugs.webkit.org/show_bug.cgi?id=154151
2931
2932         Reviewed by Filip Pizlo.
2933
2934         Previously, when an instruction destroys an argument with
2935         a UseDef use, we would try to pick a good target for the UseDef
2936         while doing instruction selection.
2937
2938         For example:
2939             @x = Add(@1, @2)
2940
2941         can be lowered to:
2942             Move @1 Tmp3
2943             Add @2 Tmp3
2944         or
2945             Move @2 Tmp3
2946             Add @1 Tmp3
2947
2948         The choice of which value ends up copied is done by preferRightForResult()
2949         at lowering time.
2950
2951         There are two common problems with the code we generate:
2952         1) It is based on UseCount. If a value is at its last use,
2953            it is a good target for coalescing even with a use-count > 1.
2954         2) When both values are at their last use, the best choice
2955            depends on the register pressure of each. We don't have that information
2956            until we do register allocation.
2957
2958         This patch implements a simple idea to minimize how many of those Moves are needed.
2959         Each commutative operation gets a 3 op variant. The register allocator then attempts
2960         to alias *both* of them to the destination.
2961         Since our aliasing is conservative, it removes as many copies as possible without causing
2962         spilling.
2963
2964         There was an unexpected cool improvement too. If you have:
2965             Move Tmp1, Tmp2
2966             BranchAdd32 Tmp3, Tmp2
2967         we would previously restore Tmp2 by subtracting Tmp3 from the result.
2968         We can now just use Tmp1. That removes quite a few Sub from the slow paths.
2969
2970         The problem is that simple idea uncovered a bunch of issues that had to be fixed too.
2971         I detail them inline below.
2972
2973         * assembler/MacroAssemblerARM64.h:
2974         (JSC::MacroAssemblerARM64::and64):
2975         * assembler/MacroAssemblerX86Common.h:
2976         Most additions are adding an Address version of the 3 operands opcodes.
2977         The reason for this is to allow the complex addressing forms of instructions
2978         when spilling.
2979
2980         (JSC::MacroAssemblerX86Common::and32):
2981         (JSC::MacroAssemblerX86Common::mul32):
2982         (JSC::MacroAssemblerX86Common::or32):
2983         (JSC::MacroAssemblerX86Common::xor32):
2984         (JSC::MacroAssemblerX86Common::moveDouble):
2985         This was an unexpected discovery: removing tons of Move32 made floating-point heavy
2986         code much slower.
2987
2988         It turns out the MoveDouble we were using has partial register dependencies.
2989
2990         The x86 optimization manual, Chapter 3, section 3.4.1.13 lists the move instructions executed
2991         directly on the frontend. That's what we use now.
2992
2993         (JSC::MacroAssemblerX86Common::addDouble):
2994         (JSC::MacroAssemblerX86Common::addFloat):
2995         (JSC::MacroAssemblerX86Common::mulDouble):
2996         (JSC::MacroAssemblerX86Common::mulFloat):
2997         (JSC::MacroAssemblerX86Common::andDouble):
2998         (JSC::MacroAssemblerX86Common::andFloat):
2999         (JSC::MacroAssemblerX86Common::xorDouble):
3000         (JSC::MacroAssemblerX86Common::xorFloat):
3001         If the destination is not aliased, the version taking an address
3002         uses LoadFloat/LoadDouble instead of direct addressing.
3003
3004         That is because this:
3005             Move Tmp1, Tmp2
3006             Op [Tmp3], Tmp2
3007         is slower than
3008             Move [Tmp3] Tmp2
3009             Op Tmp1, Tmp2
3010         (sometimes significantly).
3011
3012         I am not exactly sure why.
3013
3014         (JSC::MacroAssemblerX86Common::branchAdd32):
3015         * assembler/MacroAssemblerX86_64.h:
3016         (JSC::MacroAssemblerX86_64::and64):
3017         * assembler/MacroAssemblerARM64.h:
3018         (JSC::MacroAssemblerARM64::and64):
3019         * assembler/MacroAssemblerX86Common.h:
3020         (JSC::MacroAssemblerX86Common::and32):
3021         (JSC::MacroAssemblerX86Common::mul32):
3022         (JSC::MacroAssemblerX86Common::or32):
3023         (JSC::MacroAssemblerX86Common::xor32):
3024         (JSC::MacroAssemblerX86Common::moveDouble):
3025         (JSC::MacroAssemblerX86Common::addDouble):
3026         (JSC::MacroAssemblerX86Common::addFloat):
3027         (JSC::MacroAssemblerX86Common::mulDouble):
3028         (JSC::MacroAssemblerX86Common::mulFloat):
3029         (JSC::MacroAssemblerX86Common::andDouble):
3030         (JSC::MacroAssemblerX86Common::andFloat):
3031         (JSC::MacroAssemblerX86Common::xorDouble):
3032         (JSC::MacroAssemblerX86Common::xorFloat):
3033         (JSC::MacroAssemblerX86Common::branchAdd32):
3034         * assembler/MacroAssemblerX86_64.h:
3035         (JSC::MacroAssemblerX86_64::and64):
3036         (JSC::MacroAssemblerX86_64::mul64):
3037         (JSC::MacroAssemblerX86_64::xor64):
3038         (JSC::MacroAssemblerX86_64::branchAdd64):
3039         * assembler/X86Assembler.h:
3040         (JSC::X86Assembler::movapd_rr):
3041         (JSC::X86Assembler::movaps_rr):
3042         * b3/B3CheckSpecial.cpp:
3043         (JSC::B3::CheckSpecial::shouldTryAliasingDef):
3044         (JSC::B3::CheckSpecial::generate):
3045         * b3/B3CheckSpecial.h:
3046         * b3/B3LowerToAir.cpp:
3047         (JSC::B3::Air::LowerToAir::lower):
3048         * b3/air/AirCustom.h:
3049         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
3050         * b3/air/AirInst.h:
3051         * b3/air/AirInstInlines.h:
3052         (JSC::B3::Air::Inst::shouldTryAliasingDef):
3053         * b3/air/AirIteratedRegisterCoalescing.cpp:
3054         Aliasing the operands is done the same way as any coalescing.
3055
3056         There were problems with considering all those coalescing
3057         as equivalent for the result.
3058
3059         Moves are mostly generated for Upsilon-Phis. Getting rid of
3060         those tends to give better loops.
3061
3062         Sometimes, blocks have only Phis and a Jump. Coalescing
3063         those moves gets rid of the block entirely.
3064
3065         Where it got interesting was that something like:
3066             Move Tmp1, Tmp2
3067             Op Tmp3, Tmp2
3068         was significantly better than:
3069             Op Tmp1, Tmp3
3070             Move Tmp1, Tmp4
3071         even in the same basic block.
3072
3073         To get back to the same performance, I had to prioritize
3074         regular Moves operations over argument coalescing.
3075
3076         Another argument for doing this is that the alias has a shorter
3077         life in the hardware because the operation itself gets a new
3078         virtual register from the bank.
3079
3080         * b3/air/AirOpcode.opcodes:
3081         * b3/air/AirSpecial.cpp:
3082         (JSC::B3::Air::Special::shouldTryAliasingDef):
3083         * b3/air/AirSpecial.h:
3084         * b3/testb3.cpp:
3085         (JSC::B3::testCheckAddArgumentAliasing64):
3086         (JSC::B3::testCheckAddArgumentAliasing32):
3087         (JSC::B3::testCheckAddSelfOverflow64):
3088         (JSC::B3::testCheckAddSelfOverflow32):
3089         (JSC::B3::testCheckMulArgumentAliasing64):
3090         (JSC::B3::testCheckMulArgumentAliasing32):
3091         (JSC::B3::run):
3092
3093         * dfg/DFGOSRExitCompilerCommon.cpp:
3094         (JSC::DFG::reifyInlinedCallFrames):
3095         * jit/AssemblyHelpers.h:
3096         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
3097         This ruined my week.
3098
3099         When regenerating the frame of an inlined function that
3100         was called through a tail call, we were ignoring r13 for some reason.
3101
3102         Since this patch makes it more likely to increase the degree
3103         of each Tmp, the number of registers used increased and r13 was more
3104         commonly used.
3105
3106         When getting out of OSRExit, we would have that value trashed :(
3107
3108         The fix is simply to restore it like the other two Baseline callee saved
3109         registers.
3110
3111 2016-02-12  Yusuke Suzuki  <utatane.tea@gmail.com>
3112
3113         [ES6] Implement @@search
3114         https://bugs.webkit.org/show_bug.cgi?id=143889
3115
3116         Reviewed by Darin Adler.
3117
3118         Implement RegExp.prototype[@@search].
3119         In ES6, String.prototype.search delegates the actual matching to it
3120         instead of executing RegExp matching inside String.prototype.search method itself.
3121         By customizing @@search method, we can change the behavior of String.prototype.search for
3122         derived / customized RegExp object.
3123
3124         * CMakeLists.txt:
3125         * DerivedSources.make:
3126         * builtins/BuiltinNames.h:
3127         (JSC::BuiltinNames::BuiltinNames): Deleted.
3128         * builtins/BuiltinUtils.h:
3129         * builtins/StringPrototype.js:
3130         (search):
3131         * bytecode/BytecodeIntrinsicRegistry.cpp:
3132         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
3133         * bytecode/BytecodeIntrinsicRegistry.h:
3134         * runtime/CommonIdentifiers.h:
3135         * runtime/JSGlobalObject.cpp:
3136         (JSC::JSGlobalObject::init):
3137         * runtime/RegExpPrototype.cpp:
3138         (JSC::RegExpPrototype::finishCreation):
3139         (JSC::regExpProtoFuncSearch):
3140         * runtime/RegExpPrototype.h:
3141         (JSC::RegExpPrototype::create):
3142         * runtime/StringPrototype.cpp:
3143         (JSC::StringPrototype::getOwnPropertySlot):
3144         (JSC::StringPrototype::finishCreation): Deleted.
3145         (JSC::stringProtoFuncSearch): Deleted.
3146         * runtime/StringPrototype.h:
3147         * tests/es6.yaml:
3148         * tests/stress/regexp-search.js: Added.
3149         (shouldBe):
3150         (shouldThrow):
3151         (errorKey.toString):
3152         (primitive.of.primitives.shouldThrow):
3153         (testRegExpSearch):
3154         (testSearch):
3155         (testBoth):
3156         (alwaysUnmatch):
3157
3158 2016-02-12  Keith Miller  <keith_miller@apple.com>
3159
3160         AdaptiveInferredPropertyValueWatchpoint can trigger a GC that frees its CodeBlock and thus itself
3161         https://bugs.webkit.org/show_bug.cgi?id=154146
3162
3163         Reviewed by Filip Pizlo.
3164
3165         Consider the following: there is some CodeBlock, C, that is watching some object, O, with a
3166         structure, S, for replacements. Also, suppose that C has no references anymore and is due to
3167         be GCed. Now, when some new property is added to O, S will create a new structure S' and
3168         fire its transition watchpoints. Since C is watching S for replacements it will attempt to
3169         have its AdaptiveInferredPropertyValueWatchpoint relocate itself to S'. To do so, it needs
3170         to allocate RareData on S'. This allocation may cause a GC, which frees C while still
3171         executing its watchpoint handler. The solution to this is to defer GC while running
3172         AdaptiveInferredPropertyValueWatchpointBase handlers.
3173
3174         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
3175         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
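
A constructed model of the lifecycle hazard this entry describes, added here and not JavaScriptCore code: a toy heap whose collection can run inside an allocation, a `CodeBlock` whose transition handler allocates RareData on the new structure, and a `DeferGC` guard standing in for the deferral the fix adds; all types, names and the allocation-count trigger are hypothetical.

```cpp
#include <memory>
#include <vector>

// Constructed model (not JavaScriptCore code). Nothing is really deleted: a collection only
// flips `freed`, so a handler still running on its collected owner is reported, not crashed on.
struct GcObject {
    bool marked = false;
    bool freed = false;
    virtual void markChildren() { }
    virtual ~GcObject() = default;
};

struct Heap {
    std::vector<std::unique_ptr<GcObject>> objects; // everything ever allocated
    std::vector<GcObject*> roots;                    // what the mutator still references
    unsigned allocationsUntilCollection = 0;         // constructed trigger; 0 = not armed
    unsigned deferDepth = 0;
    bool collectionPending = false;
    // "This allocation may cause a GC": the collection runs before the new object exists.
    template<typename T> T* allocate()
    {
        if (allocationsUntilCollection && --allocationsUntilCollection == 0) {
            if (deferDepth)
                collectionPending = true; // deferred: the DeferGC guard runs it on exit
            else
                collect();
        }
        T* object = new T;
        objects.emplace_back(object);
        return object;
    }
    void collect()
    {
        collectionPending = false;
        for (auto& object : objects)
            object->marked = false;
        for (GcObject* root : roots) {
            root->marked = true;
            root->markChildren();
        }
        for (auto& object : objects)
            if (!object->marked)
                object->freed = true;
    }
};

// RAII guard standing in for the deferral the fix adds around handler execution.
struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++heap.deferDepth; }
    ~DeferGC()
    {
        if (--heap.deferDepth == 0 && heap.collectionPending)
            heap.collect();
    }
};

struct RareData : GcObject { };
struct CodeBlock;
struct Structure : GcObject {
    RareData* rareData = nullptr;     // owned: kept alive through the structure
    std::vector<CodeBlock*> watchers; // non-owning, like JSC watchpoints: C stays collectable
    void markChildren() override { if (rareData) rareData->marked = true; }
};

struct CodeBlock : GcObject {
    bool ranAfterBeingFreed = false;
    // The transition watchpoint handler: relocate the watch to S', which needs RareData on S'.
    void fireTransition(Heap& heap, Structure* newStructure)
    {
        if (!newStructure->rareData)
            newStructure->rareData = heap.allocate<RareData>();
        if (freed) // `this` was collected by the allocation above while still executing
            ranAfterBeingFreed = true;
        newStructure->watchers.push_back(this);
    }
};
struct Outcome { bool handlerRanOnFreedCodeBlock; bool codeBlockEventuallyCollected; };

// O has structure S; CodeBlock C watches S but nothing references C any more. Adding a
// property to O creates S' and fires S's transition watchpoints.
static Outcome addPropertyAndFireWatchpoints(bool deferWhileFiring)
{
    Heap heap;
    Structure* s = heap.allocate<Structure>();
    heap.roots.push_back(s);                   // O keeps S alive
    CodeBlock* c = heap.allocate<CodeBlock>(); // deliberately unrooted: C is already garbage
    s->watchers.push_back(c);
    heap.allocationsUntilCollection = 2;       // constructed: S' is allocation 1, its RareData is 2
    Structure* sPrime = heap.allocate<Structure>();
    heap.roots.push_back(sPrime);
    {
        std::unique_ptr<DeferGC> guard;
        if (deferWhileFiring)
            guard.reset(new DeferGC(heap));
        for (CodeBlock* watcher : s->watchers)
            watcher->fireTransition(heap, sPrime);
    }
    return { c->ranAfterBeingFreed, c->freed };
}
```

Without the guard the collection triggered by the RareData allocation frees C while its handler is still on the stack; with the guard the same collection is recorded and runs once the handler has returned.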
3176
3177 2016-02-12  Gavin Barraclough  <barraclough@apple.com>
3178
3179         Separate out !allowsAccess path in JSDOMWindowCustom getOwnPropertySlot
3180         https://bugs.webkit.org/show_bug.cgi?id=154156
3181
3182         Reviewed by Chris Dumez.
3183
3184         * runtime/CommonIdentifiers.h:
3185             - added new property names, needed by jsDOMWindowGetOwnPropertySlotDisallowAccess.
3186
3187 2016-02-12  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3188
3189         Update ICU header files to version 52
3190         https://bugs.webkit.org/show_bug.cgi?id=154160
3191
3192         Reviewed by Alex Christensen.
3193
3194         Update ICU header files to version 52 to allow the use of newer APIs.
3195
3196         * icu/unicode/localpointer.h:
3197         * icu/unicode/platform.h:
3198         * icu/unicode/ptypes.h:
3199         * icu/unicode/putil.h:
3200         * icu/unicode/ucal.h:
3201         * icu/unicode/uchar.h:
3202         * icu/unicode/ucnv.h:
3203         * icu/unicode/ucol.h:
3204         * icu/unicode/uconfig.h:
3205         * icu/unicode/udat.h:
3206         * icu/unicode/udatpg.h:
3207         * icu/unicode/udisplaycontext.h: Added.
3208         * icu/unicode/uenum.h:
3209         * icu/unicode/uformattable.h: Added.
3210         * icu/unicode/uiter.h:
3211         * icu/unicode/uloc.h:
3212         * icu/unicode/umachine.h:
3213         * icu/unicode/unorm2.h:
3214         * icu/unicode/unum.h:
3215         * icu/unicode/urename.h:
3216         * icu/unicode/uscript.h:
3217         * icu/unicode/uset.h:
3218         * icu/unicode/ustring.h:
3219         * icu/unicode/utf.h:
3220         * icu/unicode/utf16.h:
3221         * icu/unicode/utf8.h:
3222         * icu/unicode/utf_old.h:
3223         * icu/unicode/utypes.h:
3224         * icu/unicode/uvernum.h:
3225         * icu/unicode/uversion.h:
3226
3227 2016-02-12  Filip Pizlo  <fpizlo@apple.com>
3228
3229         Fast path in JSObject::defineOwnIndexedProperty() forgets to check for the possibility of a descriptor that doesn't have a value
3230         https://bugs.webkit.org/show_bug.cgi?id=154175
3231         rdar://problem/24291497
3232
3233         Reviewed by Geoffrey Garen.
3234
3235         * runtime/JSObject.cpp:
3236         (JSC::JSObject::defineOwnIndexedProperty): Fix the bug.
3237         * runtime/SparseArrayValueMap.cpp:
3238         (JSC::SparseArrayValueMap::putEntry): Catch the bug sooner in debug.
3239         (JSC::SparseArrayValueMap::putDirect):
3240         * tests/stress/sparse-define-empty-descriptor.js: Added. This used to crash in release.
3241
3242 2016-02-11  Brian Burg  <bburg@apple.com>
3243
3244         Web Inspector: RemoteInspector's listings should include whether an AutomationTarget is paired
3245         https://bugs.webkit.org/show_bug.cgi?id=154077
3246         <rdar://problem/24589133>
3247
3248         Reviewed by Joseph Pecoraro.
3249
3250         Instead of not generating a listing for the target when it is occupied,
3251         generate the listing with a 'paired' flag. The old flag was redundant
3252         because a _WKAutomationDelegate will not create a session if it doesn't
3253         support automation or it already has an active session.
3254
3255         * inspector/remote/RemoteAutomationTarget.cpp:
3256         (Inspector::RemoteAutomationTarget::setIsPaired):
3257         (Inspector::RemoteAutomationTarget::setAutomationAllowed): Deleted.
3258         * inspector/remote/RemoteAutomationTarget.h:
3259         Return false for remoteControlAllowed() if the target is already paired.
3260         This function is used by RemoteInspector to deny incoming connections.
3261
3262         * inspector/remote/RemoteInspector.mm:
3263         (Inspector::RemoteInspector::listingForAutomationTarget):
3264         * inspector/remote/RemoteInspectorConstants.h:
3265
3266 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
3267
3268         DFG::ByteCodeParser needs to null check the result of presenceLike()
3269         https://bugs.webkit.org/show_bug.cgi?id=154135
3270         rdar://problem/24291586
3271
3272         Reviewed by Geoffrey Garen.
3273
3274         ByteCodeParser::presenceLike() could return a null object property condition if it detects a
3275         contradiction. That could happen due to bogus profiling. It's totally OK - we just need to
3276         bail from using a property condition when that happens.
3277
3278         * bytecode/ObjectPropertyCondition.h:
3279         (JSC::ObjectPropertyCondition::equivalence):
3280         (JSC::ObjectPropertyCondition::operator bool):
3281         (JSC::ObjectPropertyCondition::object):
3282         (JSC::ObjectPropertyCondition::condition):
3283         (JSC::ObjectPropertyCondition::operator!): Deleted.
3284         * bytecode/PropertyCondition.h:
3285         (JSC::PropertyCondition::equivalence):
3286         (JSC::PropertyCondition::operator bool):
3287         (JSC::PropertyCondition::kind):
3288         (JSC::PropertyCondition::uid):
3289         (JSC::PropertyCondition::operator!): Deleted.
3290         * dfg/DFGByteCodeParser.cpp:
3291         (JSC::DFG::ByteCodeParser::check):
3292         (JSC::DFG::ByteCodeParser::load):
3293
3294 2016-02-11  Benjamin Poulain  <benjamin@webkit.org>
3295
3296         [JSC] SqrtFloat and CeilFloat also suffer from partial register stalls
3297         https://bugs.webkit.org/show_bug.cgi?id=154131
3298
3299         Reviewed by Filip Pizlo.
3300
3301         Looks like I forgot to update this when adding Float support.
3302         Credit to Filip for finding this issue.
3303
3304         * b3/air/AirFixPartialRegisterStalls.cpp:
3305
3306 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
3307
3308         Cannot call initializeIndex() if we didn't create the array using tryCreateUninitialized()
3309         https://bugs.webkit.org/show_bug.cgi?id=154126
3310
3311         Reviewed by Saam Barati.
3312
3313         * runtime/ArrayPrototype.cpp:
3314         (JSC::arrayProtoFuncSplice):
3315
3316 2016-02-11  Sukolsak Sakshuwong  <sukolsak@gmail.com>
3317
3318         [INTL] Implement Intl.NumberFormat.prototype.resolvedOptions()
3319         https://bugs.webkit.org/show_bug.cgi?id=147602
3320
3321         Reviewed by Darin Adler.
3322
3323         This patch implements Intl.NumberFormat.prototype.resolvedOptions() according
3324         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
3325
3326         * runtime/IntlDateTimeFormat.cpp:
3327         (JSC::localeData):
3328         * runtime/IntlNumberFormat.cpp:
3329         (JSC::localeData):
3330         (JSC::computeCurrencySortKey):
3331         (JSC::extractCurrencySortKey):
3332         (JSC::computeCurrencyDigits):
3333         (JSC::IntlNumberFormat::initializeNumberFormat):
3334         (JSC::IntlNumberFormat::styleString):
3335         (JSC::IntlNumberFormat::currencyDisplayString):
3336         (JSC::IntlNumberFormat::resolvedOptions):
3337         (JSC::IntlNumberFormat::setBoundFormat):
3338         * runtime/IntlNumberFormat.h:
3339         * runtime/IntlNumberFormatConstructor.cpp:
3340         (JSC::constructIntlNumberFormat):
3341         (JSC::callIntlNumberFormat):
3342         * runtime/IntlNumberFormatPrototype.cpp:
3343         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
3344         * runtime/IntlObject.cpp:
3345         (JSC::intlNumberOption):
3346         (JSC::numberingSystemsForLocale):
3347         (JSC::getNumberingSystemsForLocale): Deleted.
3348         * runtime/IntlObject.h:
3349
3350 2016-02-11  Filip Pizlo  <fpizlo@apple.com>
3351
3352         MacroAssemblerX86 should be happy with shift(cx, cx)
3353         https://bugs.webkit.org/show_bug.cgi?id=154124
3354
3355         Reviewed by Saam Barati.
3356
3357         Prior to this change the assembler asserted that shift_amount and dest cannot be the same.
3358         That's a good assertion for when shift_amount is not in cx. But if it's in cx already then
3359         it's OK for them to be the same. Air will sometimes do shift(cx, cx) if you do "x << x" and
3360         the coalescing got particularly clever.
3361
3362         * assembler/MacroAssemblerX86Common.h:
3363         (JSC::MacroAssemblerX86Common::lshift32):
3364         (JSC::MacroAssemblerX86Common::rshift32):
3365         (JSC::MacroAssemblerX86Common::urshift32):
3366         * assembler/MacroAssemblerX86_64.h:
3367         (JSC::MacroAssemblerX86_64::lshift64):
3368         (JSC::MacroAssemblerX86_64::rshift64):
3369         (JSC::MacroAssemblerX86_64::urshift64):
3370         * b3/testb3.cpp:
3371         (JSC::B3::testLShiftSelf32):