B3 should be able to compile a program with ChillDiv
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-11-10  Filip Pizlo  <fpizlo@apple.com>

        B3 should be able to compile a program with ChillDiv
        https://bugs.webkit.org/show_bug.cgi?id=151114

        Reviewed by Benjamin Poulain.

        This change is about a lot more than ChillDiv. I picked that as the next thing to lower
        because I knew that it would force me to come up with a sensible idiom for doing
        stepwise lowerings that require breaking basic blocks. The idea is that you want to
        write a loop that iterates forward over the program, which turns some operations that
        currently are just single Values into entire little sub-CFGs. That requires splitting
        the block that contained the original Value. That's tricky if you then want to keep
        iterating: the index of the Value you were last looking at has now changed and your
        InsertionSets are now invalid.

        This introduces an idiom that handles this. It's BlockInsertionSet::splitBefore(). The
        idea is that it uses the current block before the split as the continuation after the
        split. When you call splitBefore(), you pass it your loop index and your InsertionSet
        (if applicable). It makes sure that it changes those auxiliary things in such a way that
        you can keep looping.

        This uncovered some bugs, since this is the first time that we're compiling cross edges.

        Because ChillDiv is really a division, I also had to write a bunch of code to support
        the ordinary B3 Div. While doing that, I realized that there was asymmetry in the
        constness of the Value constant folding methods, so I fixed that as well.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::mul32):
        (JSC::MacroAssemblerX86Common::x86ConvertToDoubleWord32):
        (JSC::MacroAssemblerX86Common::x86Div32):
        (JSC::MacroAssemblerX86Common::neg32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::mul64):
        (JSC::MacroAssemblerX86_64::x86ConvertToQuadWord64):
        (JSC::MacroAssemblerX86_64::x86Div64):
        (JSC::MacroAssemblerX86_64::neg64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::idivl_r):
        (JSC::X86Assembler::idivq_r):
        (JSC::X86Assembler::cmpl_rr):
        (JSC::X86Assembler::cdq):
        (JSC::X86Assembler::cdqq):
        (JSC::X86Assembler::fstps):
        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::append):
        (JSC::B3::BasicBlock::replaceLast):
        (JSC::B3::BasicBlock::appendIntConstant):
        (JSC::B3::BasicBlock::replaceSuccessor):
        (JSC::B3::BasicBlock::addPredecessor):
        (JSC::B3::BasicBlock::replacePredecessor):
        (JSC::B3::BasicBlock::updatePredecessors):
        (JSC::B3::BasicBlock::dump):
        * b3/B3BasicBlock.h:
        (JSC::B3::BasicBlock::values):
        (JSC::B3::BasicBlock::numPredecessors):
        (JSC::B3::BasicBlock::predecessor):
        (JSC::B3::BasicBlock::frequency):
        * b3/B3BasicBlockInlines.h:
        (JSC::B3::BasicBlock::appendNew):
        (JSC::B3::BasicBlock::replaceLastWithNew):
        (JSC::B3::BasicBlock::numSuccessors):
        * b3/B3BasicBlockUtils.h:
        (JSC::B3::replacePredecessor):
        (JSC::B3::updatePredecessors):
        (JSC::B3::resetReachability):
        * b3/B3BlockInsertionSet.cpp: Added.
        (JSC::B3::BlockInsertionSet::BlockInsertionSet):
        (JSC::B3::BlockInsertionSet::~BlockInsertionSet):
        (JSC::B3::BlockInsertionSet::insert):
        (JSC::B3::BlockInsertionSet::insertBefore):
        (JSC::B3::BlockInsertionSet::splitForward):
        (JSC::B3::BlockInsertionSet::execute):
        * b3/B3BlockInsertionSet.h: Added.
        * b3/B3Common.h:
        (JSC::B3::isRepresentableAs):
        (JSC::B3::chillDiv):
        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::addConstant):
        (JSC::B3::Const32Value::subConstant):
        (JSC::B3::Const32Value::divConstant):
        (JSC::B3::Const32Value::bitAndConstant):
        (JSC::B3::Const32Value::bitOrConstant):
        (JSC::B3::Const32Value::bitXorConstant):
        (JSC::B3::Const32Value::shlConstant):
        (JSC::B3::Const32Value::sShrConstant):
        (JSC::B3::Const32Value::zShrConstant):
        (JSC::B3::Const32Value::equalConstant):
        (JSC::B3::Const32Value::notEqualConstant):
        (JSC::B3::Const32Value::lessThanConstant):
        (JSC::B3::Const32Value::greaterThanConstant):
        (JSC::B3::Const32Value::lessEqualConstant):
        (JSC::B3::Const32Value::greaterEqualConstant):
        (JSC::B3::Const32Value::aboveConstant):
        (JSC::B3::Const32Value::belowConstant):
        (JSC::B3::Const32Value::aboveEqualConstant):
        (JSC::B3::Const32Value::belowEqualConstant):
        * b3/B3Const32Value.h:
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::addConstant):
        (JSC::B3::Const64Value::subConstant):
        (JSC::B3::Const64Value::divConstant):
        (JSC::B3::Const64Value::bitAndConstant):
        (JSC::B3::Const64Value::bitOrConstant):
        (JSC::B3::Const64Value::bitXorConstant):
        (JSC::B3::Const64Value::shlConstant):
        (JSC::B3::Const64Value::sShrConstant):
        (JSC::B3::Const64Value::zShrConstant):
        (JSC::B3::Const64Value::equalConstant):
        (JSC::B3::Const64Value::notEqualConstant):
        (JSC::B3::Const64Value::lessThanConstant):
        (JSC::B3::Const64Value::greaterThanConstant):
        (JSC::B3::Const64Value::lessEqualConstant):
        (JSC::B3::Const64Value::greaterEqualConstant):
        (JSC::B3::Const64Value::aboveConstant):
        (JSC::B3::Const64Value::belowConstant):
        (JSC::B3::Const64Value::aboveEqualConstant):
        (JSC::B3::Const64Value::belowEqualConstant):
        * b3/B3Const64Value.h:
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::addConstant):
        (JSC::B3::ConstDoubleValue::subConstant):
        (JSC::B3::ConstDoubleValue::divConstant):
        (JSC::B3::ConstDoubleValue::equalConstant):
        (JSC::B3::ConstDoubleValue::notEqualConstant):
        (JSC::B3::ConstDoubleValue::lessThanConstant):
        (JSC::B3::ConstDoubleValue::greaterThanConstant):
        (JSC::B3::ConstDoubleValue::lessEqualConstant):
        (JSC::B3::ConstDoubleValue::greaterEqualConstant):
        * b3/B3ConstDoubleValue.h:
        * b3/B3ControlValue.cpp:
        (JSC::B3::ControlValue::~ControlValue):
        (JSC::B3::ControlValue::replaceSuccessor):
        (JSC::B3::ControlValue::convertToJump):
        * b3/B3ControlValue.h:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3GenericFrequentedBlock.h:
        (JSC::B3::GenericFrequentedBlock::block):
        (JSC::B3::GenericFrequentedBlock::frequency):
        (JSC::B3::GenericFrequentedBlock::dump):
        * b3/B3InsertionSet.cpp:
        (JSC::B3::InsertionSet::insertIntConstant):
        (JSC::B3::InsertionSet::execute):
        * b3/B3InsertionSet.h:
        * b3/B3LowerMacros.cpp: Added.
        (JSC::B3::lowerMacros):
        * b3/B3LowerMacros.h: Added.
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addBlock):
        (JSC::B3::Procedure::addIntConstant):
        (JSC::B3::Procedure::addBoolConstant):
        (JSC::B3::Procedure::resetValueOwners):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::takeByproducts):
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::addConstant):
        (JSC::B3::Value::subConstant):
        (JSC::B3::Value::divConstant):
        (JSC::B3::Value::bitAndConstant):
        (JSC::B3::Value::bitOrConstant):
        (JSC::B3::Value::bitXorConstant):
        (JSC::B3::Value::shlConstant):
        (JSC::B3::Value::sShrConstant):
        (JSC::B3::Value::zShrConstant):
        (JSC::B3::Value::equalConstant):
        (JSC::B3::Value::notEqualConstant):
        (JSC::B3::Value::lessThanConstant):
        (JSC::B3::Value::greaterThanConstant):
        (JSC::B3::Value::lessEqualConstant):
        (JSC::B3::Value::greaterEqualConstant):
        (JSC::B3::Value::aboveConstant):
        (JSC::B3::Value::belowConstant):
        (JSC::B3::Value::aboveEqualConstant):
        (JSC::B3::Value::belowEqualConstant):
        * b3/B3Value.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::generate):
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::isUrshift64Valid):
        (JSC::B3::Air::isX86DivHelperValid):
        (JSC::B3::Air::isX86ConvertToDoubleWord32Valid):
        (JSC::B3::Air::isX86ConvertToDoubleWord64Valid):
        (JSC::B3::Air::isX86Div32Valid):
        (JSC::B3::Air::isX86Div64Valid):
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirSimplifyCFG.cpp:
        (JSC::B3::Air::simplifyCFG):
        * b3/testb3.cpp:
        (JSC::B3::testCallFunctionWithHellaDoubleArguments):
        (JSC::B3::testChillDiv):
        (JSC::B3::testChillDivTwice):
        (JSC::B3::testChillDiv64):
        (JSC::B3::run):
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_mod):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mod):
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::buildBinaryI32):

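The entry above lowers ChillDiv into a sub-CFG because a plain hardware signed divide (x86 IDIV, the idivl_r/idivq_r encodings it adds) faults on exactly two operand pairs: divisor 0, and INT_MIN / -1. The following is an added worked example, not WebKit's code: it spells out the two fault cases a "chill" division has to guard, and gives them the results that JavaScript's (a / b) | 0 and (a % b) | 0 produce. That these are the semantics B3's chillDiv helper and the DFG's ArithMod need is my assumption; chillMod and hardwareDivWouldTrap are names invented for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <type_traits>

// Added example, not WebKit's code. Signed hardware division faults (x86 #DE,
// seen as SIGFPE) when the divisor is 0 and when the quotient does not fit,
// which for two's complement is only INT_MIN / -1. JIT-emitted code must
// branch around both cases; the results below are what JS (a / b) | 0 and
// (a % b) | 0 yield, which is my assumption about what ChillDiv requires.

// True for exactly the operand pairs on which IDIV would fault.
template<typename T>
bool hardwareDivWouldTrap(T numerator, T denominator)
{
    static_assert(std::is_signed<T>::value, "signed integer division only");
    return denominator == 0
        || (denominator == -1 && numerator == std::numeric_limits<T>::min());
}

// a / 0 -> 0 (Infinity|0 and NaN|0 are 0); INT_MIN / -1 -> INT_MIN (2^31|0 wraps).
template<typename T>
T chillDiv(T numerator, T denominator)
{
    if (denominator == 0)
        return 0;
    if (denominator == -1 && numerator == std::numeric_limits<T>::min())
        return numerator;
    return numerator / denominator; // C++ truncates toward zero, as JS does
}

// a % 0 -> 0 (NaN|0); INT_MIN % -1 -> 0 (-0|0). x % -1 is 0 for every x, so
// the -1 divisor is short-circuited before the hardware could fault on it.
template<typename T>
T chillMod(T numerator, T denominator)
{
    if (denominator == 0 || denominator == -1)
        return 0;
    return numerator % denominator;
}

int main()
{
    // Constructed operand pairs: the two fault cases plus ordinary ones.
    const int32_t pairs[][2] = {
        { 7, 2 }, { -7, 2 }, { 7, 0 },
        { std::numeric_limits<int32_t>::min(), -1 },
        { std::numeric_limits<int32_t>::min(), 1 },
    };
    for (const auto& p : pairs) {
        std::printf("%11d / %2d -> %11d   %% -> %11d   %s\n",
            p[0], p[1], chillDiv(p[0], p[1]), chillMod(p[0], p[1]),
            hardwareDivWouldTrap(p[0], p[1]) ? "(hardware would fault)" : "");
    }
    return 0;
}
```

The same two checks are what a lowering emits as the little sub-CFG the entry describes: a branch on divisor == 0, a branch on divisor == -1 (combined with numerator == INT_MIN for the quotient case), and the real divide only on the fall-through path. Applying the 64-bit instantiation is the INT64_MIN / -1 case that testChillDiv64 exercises.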
2015-11-10  Benjamin Poulain  <bpoulain@apple.com>

        Air should allocate registers
        https://bugs.webkit.org/show_bug.cgi?id=150457

        Reviewed by Filip Pizlo.

        This is a direct implementation of the Iterated Register Coalescing allocator.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::generate):
        * b3/air/AirInstInlines.h:
        * b3/air/AirIteratedRegisterCoalescing.cpp: Added.
        (JSC::B3::Air::MoveInstHelper<Arg::GP>::mayBeCoalescable):
        (JSC::B3::Air::MoveInstHelper<Arg::FP>::mayBeCoalescable):
        (JSC::B3::Air::AbsoluteTmpHelper<Arg::GP>::absoluteIndex):
        (JSC::B3::Air::AbsoluteTmpHelper<Arg::GP>::tmpFromAbsoluteIndex):
        (JSC::B3::Air::AbsoluteTmpHelper<Arg::FP>::absoluteIndex):
        (JSC::B3::Air::AbsoluteTmpHelper<Arg::FP>::tmpFromAbsoluteIndex):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::IteratedRegisterCoalescingAllocator):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::build):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::allocate):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::getAlias):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::spilledTmp):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::allocatedReg):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::tmpArraySize):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::initializeDegrees):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::addEdges):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::addEdge):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::makeWorkList):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::simplify):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::forEachAdjacent):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::hasBeenSimplified):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::decrementDegree):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::forEachNodeMoves):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::isMoveRelated):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::enableMovesOnValue):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::enableMovesOnValueAndAdjacents):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::coalesce):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::canBeSafelyCoalesced):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::precoloredCoalescingHeuristic):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::conservativeHeuristic):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::addWorkList):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::combine):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::freeze):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::freezeMoves):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::selectSpill):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::assignColors):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::dumpInterferenceGraphInDot):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::dumpWorkLists):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::InterferenceEdge::InterferenceEdge):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::InterferenceEdge::first):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::InterferenceEdge::second):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::InterferenceEdge::operator==):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::InterferenceEdge::isHashTableDeletedValue):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::InterferenceEdge::hash):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::InterferenceEdgeHash::hash):
        (JSC::B3::Air::IteratedRegisterCoalescingAllocator::InterferenceEdgeHash::equal):
        (JSC::B3::Air::isUselessMoveInst):
        (JSC::B3::Air::assignRegisterToTmpInProgram):
        (JSC::B3::Air::addSpillAndFillToProgram):
        (JSC::B3::Air::iteratedRegisterCoalescingOnType):
        (JSC::B3::Air::iteratedRegisterCoalescing):
        * b3/air/AirIteratedRegisterCoalescing.h: Added.
        * b3/air/AirTmp.h:
        (JSC::B3::Air::Tmp::internalValue):
        (JSC::B3::Air::Tmp::tmpForInternalValue):
        * b3/testb3.cpp:
        (JSC::B3::testSpillGP):
        (JSC::B3::run):

2015-11-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=151128.

        * b3/air/AirInstInlines.h:

2015-11-10  Saam barati  <sbarati@apple.com>

        Create an FTLExceptionHandlerManager abstraction
        https://bugs.webkit.org/show_bug.cgi?id=151079

        Reviewed by Mark Lam.

        Before, we used to manage the {stackmapRecordIndex => OSRExit} relationship
        for exception handlers with a locally allocated HashMap and a few different
        lambdas and random checks. It's cleaner and more manageable to just create
        a class that handles this abstraction for us. This class provides nice helper
        functions for everything we need. This abstraction makes reading the code easier.
        And it will also make hacking on the code in the future easier.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExceptionHandlerManager.cpp: Added.
        (JSC::FTL::ExceptionHandlerManager::ExceptionHandlerManager):
        (JSC::FTL::ExceptionHandlerManager::addNewExit):
        (JSC::FTL::ExceptionHandlerManager::getOrPutByIdCallOperationExceptionTarget):
        (JSC::FTL::ExceptionHandlerManager::lazySlowPathExceptionTarget):
        (JSC::FTL::ExceptionHandlerManager::getByIdOSRExit):
        (JSC::FTL::ExceptionHandlerManager::getCallOSRExitCommon):
        (JSC::FTL::ExceptionHandlerManager::getCallOSRExit):
        (JSC::FTL::ExceptionHandlerManager::procureCallSiteIndex):
        * ftl/FTLExceptionHandlerManager.h: Added.

2015-11-10  Michael Saboff  <msaboff@apple.com>

        X86_64 support for compareDouble(DoubleCondition, FPRegisterID left, FPRegisterID right, RegisterID dest)
        https://bugs.webkit.org/show_bug.cgi?id=151009

        Reviewed by Filip Pizlo.

        Added compareDouble() macro assembler function and the supporting setnp_r() and setp_r() X86 assembler functions.
        Hand tested.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::compare64):
        (JSC::MacroAssemblerX86_64::compareDouble):
        (JSC::MacroAssemblerX86_64::branch64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::setnz_r):
        (JSC::X86Assembler::setnp_r):
        (JSC::X86Assembler::setp_r):
        (JSC::X86Assembler::cdq):

2015-11-10  Saam barati  <sbarati@apple.com>

        Rename FTL's ExitArgumentList to something more indicative of what it is
        https://bugs.webkit.org/show_bug.cgi?id=151078

        Reviewed by Geoffrey Garen.

        New name is: StackmapArgumentList
        We use this to build patchpoint and stackmap intrinsics in FTLLowerDFGToLLVM.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLExitArgumentList.h: Removed.
        * ftl/FTLJSTailCall.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::DFG::LowerDFGToLLVM::getById):
        (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
        (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap):
        (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::exitArgument):
        (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForTailCall):
        * ftl/FTLOSRExit.cpp:
        * ftl/FTLOSRExit.h:
        * ftl/FTLStackmapArgumentList.h: Copied from Source/JavaScriptCore/ftl/FTLExitArgumentList.h.

2015-11-09  Filip Pizlo  <fpizlo@apple.com>

        [B3] Add more tests for Check and fix bugs this found
        https://bugs.webkit.org/show_bug.cgi?id=151073

        Reviewed by Saam Barati.

        Adds tests for compare/Check fusion. The "MegaCombo" test found a bug in our implementation
        of forEachArg: Air::spillEverything() was expecting that the Arg& to point to the actual Arg
        so that it can mutate it. But this wasn't the case in B3::CheckSpecial. This fixes that bug.

        * b3/B3CheckSpecial.cpp:
        (JSC::B3::Air::numB3Args):
        (JSC::B3::CheckSpecial::hiddenBranch):
        (JSC::B3::CheckSpecial::commitHiddenBranch):
        (JSC::B3::CheckSpecial::forEachArg):
        * b3/B3CheckSpecial.h:
        * b3/testb3.cpp:
        (JSC::B3::testSimpleCheck):
        (JSC::B3::testCheckLessThan):
        (JSC::B3::testCheckMegaCombo):
        (JSC::B3::genericTestCompare):
        (JSC::B3::run):

2015-11-09  Filip Pizlo  <fpizlo@apple.com>

        [B3] Add a test for CCall with double arguments and results
        https://bugs.webkit.org/show_bug.cgi?id=151064

        Reviewed by Saam Barati.

        The test already passed on trunk. But when looking at the disassembly, I realized that I had
        made a rookie mistake in the call argument marshalling: the stores to the stack went after the
        moves to argument registers! This means that arguments that go to stack would be made to
        interfere with all argument registers. That's some severe register pressure right there. So,
        this change fixes that as well, and adds a FIXME to do it in a more principled manner in Air.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
        (JSC::B3::Air::LowerToAir::createStore):
        (JSC::B3::Air::LowerToAir::appendStore):
        (JSC::B3::Air::LowerToAir::moveForType):
        (JSC::B3::Air::LowerToAir::marshallCCallArgument):
        * b3/testb3.cpp:
        (JSC::B3::testReturnDouble):
        (JSC::B3::simpleFunctionDouble):
        (JSC::B3::testCallSimpleDouble):
        (JSC::B3::functionWithHellaDoubleArguments):
        (JSC::B3::testCallFunctionWithHellaDoubleArguments):
        (JSC::B3::run):

2015-11-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        Remove create_hash_table options and simplify build system
        https://bugs.webkit.org/show_bug.cgi?id=151081

        Reviewed by Darin Adler.

        * CMakeLists.txt: Merged native and builtin object sources and removed create_hash_table options.
        * DerivedSources.make: Ditto.
        * create_hash_table: Removed -b and -i options.

2015-11-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        create_hash_table should know whether a function is JSBuiltin or not.
        https://bugs.webkit.org/show_bug.cgi?id=151016

        Reviewed by Darin Adler.

        lut description information can explicitly state that a function is to be implemented as a JS built-in.
        To do so, the field used to give the C++ function must be set to "JSBuiltin".
        Updated create_hash_table script to handle that.
        create_hash_table only includes JSCBuiltins.h if at least one function is set to "JSBuiltin".

        Updated builtin generator to remove XX_BUILTIN_EXIST macro.
        A further patch should simplify the build system by removing create_hash_table -b option.

        Changes to the builtin generator are covered by rebased expectations.

        Moved all lut information to using JSBuiltin whenever needed.

        * Scripts/builtins/builtins_generate_combined_header.py:
        (generate_section_for_object): Deleted.
        (generate_section_for_code_table_macro): Deleted.
        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * create_hash_table:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/InspectorInstrumentationObject.cpp:
        * runtime/JSInternalPromiseConstructor.cpp:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/ModuleLoaderObject.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ReflectObject.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringIteratorPrototype.cpp:

2015-11-09  Saam barati  <sbarati@apple.com>

        Implement try/catch in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=149409

        Reviewed by Filip Pizlo.

        This patch implements try/catch in the FTL in a similar
        way to how it's implemented in the DFG. The main idea is
        this: anytime an exception is thrown in a try block,
        we OSR exit into the baseline JIT's corresponding catch
        block. We compile OSR exits in a few forms:
        1) Explicit exception checks that check VM's exception
        pointer. This is modeled explicitly in LLVM IR.
        2) OSR exits that are arrived at from genericUnwind
        caused by an exception being thrown in a JS call (including
        getters and setters).
        3) Exception from lazy slow paths.
        4) Exception from when an IC misses and makes a slow path C Call.

        All stackmaps associated with the above types of exits
        take arguments that correspond to variables that are
        bytecode-live in the catch block.

        1) Item 1 is the simplest implementation. When inside
        a try block, exception checks will emit a branch to
        an OSR exit stackmap intrinsic. This stackmap intrinsic
        takes as arguments the live catch variables.

        2) All forms of calls and GetByIds and PutByIds are implemented
        as patchpoints in LLVM. As a patchpoint, they have a stackmap ID.
        We use the same stackmap ID for the OSR exit. The OSR exit arguments
        are appended to the end of the normal arguments for the patchpoint. These
        types of OSR exits are only reached indirectly via genericUnwind.
        Therefore, the LLVM IR we generate never has a direct branch to them.
        These are the OSR exits we store in the CodeBlock's exception handling
        table. The exception handlers' code locations point to the beginning
        of the corresponding OSR exit. There is an interesting story here
        about how we preserve registers. LLVM patchpoints assume late clobber,
        i.e., they assume we use the patchpoint arguments before we clobber them.
        Therefore, it's sound for LLVM to pass us arguments in volatile registers.
        We must take care to store the arguments in volatile registers to the
        stack before making a call. We ensure we have stack space for these
        by using LLVM's alloca instruction. Then, when making a call inside
        a try block, we spill the needed registers, and if that call throws,
        we make sure the OSR exit fills the corresponding registers.

        3) Exceptions from lazy slow paths are similar to (2) except they
        don't go through generic unwind. These OSR Exits are arrived at from explicit
        exception checks in the generated lazy slow path. Therefore, the callframe
        is intact when arriving at the OSR exit. We make sure such lazy slow
        paths' exception checks are linked to the OSR exit's code location.

        4) This has a really interesting register preservation story.
        We may have a GetById that has an IC miss and therefore goes
        through the FTL's callOperation machinery. LLVM may also
        ask for the result to be placed in the same register as the
        base. Therefore, after the call, when storing to the result,
        we overwrite the base. This can't fly with exceptions because
        operationGetByIdOptimize may throw an exception and return "undefined". What
        we really want is the original base value for OSR exit value
        recovery. In this case, we take special care to flush the base
        value to the stack before the callOperation GetById slow path.
        Like call OSR exits, these types of exits will recover the base
        value from the stack when necessary.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::canOptimizeStringObjectAccess):
        (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit):
        (JSC::DFG::JITCompiler::exceptionCheck):
        (JSC::DFG::JITCompiler::recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded):
        (JSC::DFG::JITCompiler::willCatchExceptionInMachineFrame): Deleted.
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNodeOrigin.h:
        (JSC::DFG::NodeOrigin::withSemantic):
        (JSC::DFG::NodeOrigin::withForExitAndExitOK):
        (JSC::DFG::NodeOrigin::withExitOK):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitArgument.h:
        (JSC::FTL::ExitArgument::withFormat):
        (JSC::FTL::ExitArgument::representation):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::~ExitThunkGenerator):
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        (JSC::FTL::ExitThunkGenerator::emitThunks):
        * ftl/FTLExitThunkGenerator.h:
        (JSC::FTL::ExitThunkGenerator::didThings):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isArgument):
        (JSC::FTL::ExitValue::isRecovery):
        (JSC::FTL::ExitValue::isObjectMaterialization):
        (JSC::FTL::ExitValue::hasIndexInStackmapLocations):
        (JSC::FTL::ExitValue::exitArgument):
        (JSC::FTL::ExitValue::rightRecoveryArgument):
        (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset):
        (JSC::FTL::ExitValue::recoveryFormat):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::validateReferences):
        (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit):
        * ftl/FTLJSCall.h:
        (JSC::FTL::JSCall::stackmapID):
        * ftl/FTLJSCallBase.cpp:
        (JSC::FTL::JSCallBase::JSCallBase):
        (JSC::FTL::JSCallBase::emit):
        * ftl/FTLJSCallBase.h:
        (JSC::FTL::JSCallBase::setCallSiteIndex):
        (JSC::FTL::JSCallBase::callSiteDescriptionOrigin):
        (JSC::FTL::JSCallBase::setCorrespondingGenericUnwindOSRExit):
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLJSCallVarargs.h:
        (JSC::FTL::JSCallVarargs::stackmapID):
        (JSC::FTL::JSCallVarargs::operator<):
        (JSC::FTL::JSCallVarargs::setCallSiteIndex):
        (JSC::FTL::JSCallVarargs::callSiteDescriptionOrigin):
        (JSC::FTL::JSCallVarargs::setCorrespondingGenericUnwindOSRExit):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::getById):
        (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
        (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
        (JSC::FTL::DFG::LowerDFGToLLVM::terminate):
636         (JSC::FTL::DFG::LowerDFGToLLVM::appendTypeCheck):
637         (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
638         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
639         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
640         (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException):
641         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
642         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
643         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
644         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
645         * ftl/FTLOSRExit.cpp:
646         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
647         (JSC::FTL::OSRExit::OSRExit):
648         (JSC::FTL::OSRExit::codeLocationForRepatch):
649         (JSC::FTL::OSRExit::gatherRegistersToSpillForCallIfException):
650         (JSC::FTL::OSRExit::spillRegistersToSpillSlot):
651         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot):
652         * ftl/FTLOSRExit.h:
653         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
654         * ftl/FTLOSRExitCompilationInfo.h:
655         (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
656         * ftl/FTLOSRExitCompiler.cpp:
657         (JSC::FTL::compileStub):
658         (JSC::FTL::compileFTLOSRExit):
659         * ftl/FTLState.cpp:
660         (JSC::FTL::State::State):
661         * ftl/FTLState.h:
662         * interpreter/Interpreter.cpp:
663         (JSC::findExceptionHandler):
664         * jit/RegisterSet.cpp:
665         (JSC::RegisterSet::specialRegisters):
666         (JSC::RegisterSet::volatileRegistersForJSCall):
667         (JSC::RegisterSet::stubUnavailableRegisters):
668         * jit/RegisterSet.h:
669         * tests/stress/ftl-try-catch-getter-ic-fail-to-call-operation-throw-error.js: Added.
670         (assert):
671         (let.oThrow.get f):
672         (let.o2.get f):
673         (foo):
674         (f):
675         * tests/stress/ftl-try-catch-getter-throw.js: Added.
676         (assert):
677         (random):
678         (foo):
679         (f):
680         (let.o2.get f):
681         * tests/stress/ftl-try-catch-oom-error-lazy-slow-path.js: Added.
682         (assert):
683         (a):
684         (b):
685         (c):
686         (d):
687         (e):
688         (f):
689         (g):
690         (foo):
691         (blah):
692         * tests/stress/ftl-try-catch-patchpoint-with-volatile-registers.js: Added.
693         (assert):
694         (o1.get f):
695         (a):
696         (b):
697         (c):
698         (d):
699         (e):
700         (f):
701         (g):
702         (o2.get f):
703         (foo):
704         * tests/stress/ftl-try-catch-setter-throw.js: Added.
705         (foo):
706         (assert):
707         (f):
708         (let.o2.set f):
709         * tests/stress/ftl-try-catch-tail-call-inilned-caller.js: Added.
710         (value):
711         (assert):
712         (validate):
713         (bar):
714         (baz):
715         (jaz):
716         * tests/stress/ftl-try-catch-varargs-call-throws.js: Added.
717         (foo):
718         (f):
719         * tests/stress/try-catch-stub-routine-replaced.js:
720         (hello):
721         (foo):
722
723 2015-11-09  Youenn Fablet  <youenn.fablet@crf.canon.fr>
724
725         Built-in generator should check that there are no duplicates in JS built-in internal functions
726         https://bugs.webkit.org/show_bug.cgi?id=151018
727
728         Reviewed by Brian Burg.
729
730         Added @internal to corresponding JS built-in files.
731         Added check in built-in generator so that clashing names result in an error.
732
733         * Scripts/builtins/builtins_generate_combined_header.py:
734         (generate_section_for_code_name_macro):
735         * Scripts/builtins/builtins_model.py:
736         (BuiltinsCollection.all_internal_functions):
737         * builtins/GlobalObject.js:
738         * builtins/Operations.Promise.js:
739         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-error: Added.
740         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result: Added.
741
742 2015-11-09  Saam barati  <sbarati@apple.com>
743
744         DFG::PutStackSinkingPhase should not treat the stack variables written by LoadVarargs/ForwardVarargs as being live
745         https://bugs.webkit.org/show_bug.cgi?id=145295
746
747         Reviewed by Filip Pizlo.
748
749         This patch fixes PutStackSinkingPhase to no longer escape the stack
750         locations that LoadVarargs and ForwardVarargs write to. We used
751         to consider sinking PutStacks right before a LoadVarargs/ForwardVarargs
752         because we considered them uses of such stack locations. They aren't
753         uses of those stack locations, they unconditionally write to those
754         stack locations. Sinking PutStacks to these nodes was not needed before,
755         but seemed mostly innocent. But I ran into a problem with this while implementing
756         FTL try/catch where we would end up having to generate a value for a sunken PutStack
757         right before a LoadVarargs. This would cause us to issue a GetStack that loaded garbage that
758         was then forwarded into a Phi that was used as the source of the PutStack. This caused the
759         abstract interpreter to confuse itself on type information for the garbage GetStack
760         that was fed into the Phi, which would cause the abstract interpreter to then claim
761         that the basic block with the PutStack in it would never be reached. This isn't true: the
762         block would indeed be reached. The solution here is to be more precise about the
763         liveness of locals w.r.t LoadVarargs and ForwardVarargs.
764
765         * dfg/DFGPreciseLocalClobberize.h:
766         (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
767         (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
768         * dfg/DFGPutStackSinkingPhase.cpp:
769         * dfg/DFGSSACalculator.h:
770
771 2015-11-09  Filip Pizlo  <fpizlo@apple.com>
772
773         B3->Air lowering should support CCall
774         https://bugs.webkit.org/show_bug.cgi?id=151043
775
776         Reviewed by Geoffrey Garen.
777
778         Adds support for lowering CCall to Air, and adds a test that makes calls. I cannot test doubles
779         until https://bugs.webkit.org/show_bug.cgi?id=151002 lands, but this does test integer
780         arguments pretty thoroughly including a test for lots of arguments. That test ensures that the
781         arguments go to registers and the stack in the right order and such.
782
783         * b3/B3LowerToAir.cpp:
784         (JSC::B3::Air::LowerToAir::createCompare):
785         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
786         (JSC::B3::Air::LowerToAir::lower):
787         * b3/B3Opcode.h:
788         * b3/air/AirCCallSpecial.cpp:
789         (JSC::B3::Air::CCallSpecial::forEachArg):
790         (JSC::B3::Air::CCallSpecial::isValid):
791         (JSC::B3::Air::CCallSpecial::admitsStack):
792         (JSC::B3::Air::CCallSpecial::generate):
793         * b3/air/AirCCallSpecial.h:
794         * b3/testb3.cpp:
795         (JSC::B3::testCompare):
796         (JSC::B3::simpleFunction):
797         (JSC::B3::testCallSimple):
798         (JSC::B3::functionWithHellaArguments):
799         (JSC::B3::testCallFunctionWithHellaArguments):
800         (JSC::B3::run):
801         * jit/FPRInfo.h:
802
803 2015-11-09  Joseph Pecoraro  <pecoraro@apple.com>
804
805         Web Inspector: $0 stops working after navigating to a different domain
806         https://bugs.webkit.org/show_bug.cgi?id=147962
807
808         Reviewed by Brian Burg.
809
810         Extract the per-GlobalObject cache of JSValue wrappers for
811         InjectedScriptHost objects to be reused by WebCore for its
812         CommandLineAPIHost objects injected into multiple contexts.
813
814         * CMakeLists.txt:
815         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
816         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
817         * JavaScriptCore.xcodeproj/project.pbxproj:
818         Add new files.
819
820         * inspector/PerGlobalObjectWrapperWorld.h:
821         * inspector/PerGlobalObjectWrapperWorld.cpp:
822         (Inspector::PerGlobalObjectWrapperWorld::getWrapper):
823         (Inspector::PerGlobalObjectWrapperWorld::addWrapper):
824         (Inspector::PerGlobalObjectWrapperWorld::clearAllWrappers):
825         Hold a bunch of per-global-object wrappers for an object
826         that will outlive the global object. This inspector does this
827         for host objects that it exposes into scripts it injects into
828         each execution context created by the page.
829
830         * inspector/InjectedScriptHost.cpp:
831         (Inspector::InjectedScriptHost::wrapper):
832         (Inspector::InjectedScriptHost::clearAllWrappers):
833         (Inspector::InjectedScriptHost::jsWrapper): Deleted.
834         (Inspector::clearWrapperFromValue): Deleted.
835         (Inspector::InjectedScriptHost::clearWrapper): Deleted.
836         Extract and simplify the Per-GlobalObject wrapping into a class.
837         Simplify object construction as well.
838
839         * inspector/InjectedScriptHost.h:
840         * inspector/InjectedScriptManager.cpp:
841         (Inspector::InjectedScriptManager::createInjectedScript):
842         (Inspector::InjectedScriptManager::discardInjectedScripts):
843         Make discarding virtual so subclasses may also discard injected scripts.
844
845         * inspector/JSInjectedScriptHost.cpp:
846         (Inspector::JSInjectedScriptHost::JSInjectedScriptHost):
847         (Inspector::JSInjectedScriptHost::releaseImpl): Deleted.
848         (Inspector::JSInjectedScriptHost::~JSInjectedScriptHost): Deleted.
849         (Inspector::toJS): Deleted.
850         (Inspector::toJSInjectedScriptHost): Deleted.
851         * inspector/JSInjectedScriptHost.h:
852         (Inspector::JSInjectedScriptHost::create):
853         (Inspector::JSInjectedScriptHost::impl):
854         Update this code originally copied from older generated bindings to
855         be more like new generated bindings and remove some now unused code.
856
857 2015-11-08  Filip Pizlo  <fpizlo@apple.com>
858
859         B3 should be able to compile a program with a double constant
860         https://bugs.webkit.org/show_bug.cgi?id=151002
861
862         Reviewed by Benjamin Poulain.
863
864         This implements a bunch of annoying stuff that is necessary to support constants that need a
865         data section, such as double constants on X86_64:
866
867         - B3::Procedure can now tell you what to keep alive in addition to the MacroAssemblerCodeRef.
868           We call this the B3::OpaqueByproducts. It's the client's responsibility to keep this alive
869           after calling B3::generate().
870
871         - Added a new helper for compiling B3 code, called B3::Compilation. Constructing a
872           Compilation runs the compiler. Then you can pass around a Compilation the way you would
873           have passed around a MacroAssemblerCodeRef.
874
875         - Added a constant motion phase, called moveConstants(). This does very simple constant
876           hoisting/sinking: it makes sure that each constant is only materialized in one place in
877           each basic block. It uses a DataSection, which is a kind of OpaqueByproduct, to store
878           double constants.
879
880         - The way I wanted to do constant motion is to basically track what constants are of interest
881           and then recreate them as needed, so the original Values become irrelevant in the process.
882           To do that, I needed an abstraction that is almost identical to the DFG PureValue
883           abstraction that we use for CSE. So, I created such a thing, and called it ValueKey. It
884           can be used to compare and hash pure Values, and to recreate them as needed.
885
886         - Fixed the lowering's handling of constants so that we don't perturb the placement of the
887           constant materializations.
888
889         * JavaScriptCore.xcodeproj/project.pbxproj:
890         * assembler/MacroAssemblerX86Common.h:
891         (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
892         (JSC::MacroAssemblerX86Common::moveZeroToDouble):
893         (JSC::MacroAssemblerX86Common::branchDoubleNonZero):
894         * b3/B3Common.h:
895         (JSC::B3::isIdentical):
896         (JSC::B3::isRepresentableAsImpl):
897         * b3/B3Compilation.cpp: Added.
898         (JSC::B3::Compilation::Compilation):
899         (JSC::B3::Compilation::~Compilation):
900         * b3/B3Compilation.h: Added.
901         (JSC::B3::Compilation::code):
902         * b3/B3ConstDoubleValue.h:
903         (JSC::B3::ConstDoubleValue::accepts): Deleted.
904         * b3/B3DataSection.cpp: Added.
905         (JSC::B3::DataSection::DataSection):
906         (JSC::B3::DataSection::~DataSection):
907         (JSC::B3::DataSection::dump):
908         * b3/B3DataSection.h: Added.
909         (JSC::B3::DataSection::data):
910         (JSC::B3::DataSection::size):
911         * b3/B3Generate.cpp:
912         (JSC::B3::generate):
913         (JSC::B3::generateToAir):
914         * b3/B3LowerToAir.cpp:
915         (JSC::B3::Air::LowerToAir::imm):
916         (JSC::B3::Air::LowerToAir::immOrTmp):
917         (JSC::B3::Air::LowerToAir::fillStackmap):
918         (JSC::B3::Air::LowerToAir::lower):
919         (JSC::B3::Air::LowerToAir::immForMove): Deleted.
920         (JSC::B3::Air::LowerToAir::immOrTmpForMove): Deleted.
921         * b3/B3MoveConstants.cpp: Added.
922         (JSC::B3::moveConstants):
923         * b3/B3MoveConstants.h: Added.
924         * b3/B3OpaqueByproduct.h: Added.
925         (JSC::B3::OpaqueByproduct::OpaqueByproduct):
926         (JSC::B3::OpaqueByproduct::~OpaqueByproduct):
927         * b3/B3OpaqueByproducts.cpp: Added.
928         (JSC::B3::OpaqueByproducts::OpaqueByproducts):
929         (JSC::B3::OpaqueByproducts::~OpaqueByproducts):
930         (JSC::B3::OpaqueByproducts::add):
931         (JSC::B3::OpaqueByproducts::dump):
932         * b3/B3OpaqueByproducts.h: Added.
933         (JSC::B3::OpaqueByproducts::count):
934         * b3/B3Opcode.h:
935         (JSC::B3::constPtrOpcode):
936         * b3/B3Procedure.cpp:
937         (JSC::B3::Procedure::Procedure):
938         (JSC::B3::Procedure::dump):
939         (JSC::B3::Procedure::blocksInPreOrder):
940         (JSC::B3::Procedure::deleteValue):
941         (JSC::B3::Procedure::addDataSection):
942         (JSC::B3::Procedure::addValueIndex):
943         * b3/B3Procedure.h:
944         (JSC::B3::Procedure::lastPhaseName):
945         (JSC::B3::Procedure::byproducts):
946         (JSC::B3::Procedure::takeByproducts):
947         * b3/B3Type.h:
948         * b3/B3Value.cpp:
949         (JSC::B3::Value::effects):
950         (JSC::B3::Value::key):
951         (JSC::B3::Value::performSubstitution):
952         * b3/B3Value.h:
953         * b3/B3ValueKey.cpp: Added.
954         (JSC::B3::ValueKey::dump):
955         (JSC::B3::ValueKey::materialize):
956         * b3/B3ValueKey.h: Added.
957         (JSC::B3::ValueKey::ValueKey):
958         (JSC::B3::ValueKey::opcode):
959         (JSC::B3::ValueKey::type):
960         (JSC::B3::ValueKey::childIndex):
961         (JSC::B3::ValueKey::value):
962         (JSC::B3::ValueKey::doubleValue):
963         (JSC::B3::ValueKey::operator==):
964         (JSC::B3::ValueKey::operator!=):
965         (JSC::B3::ValueKey::hash):
966         (JSC::B3::ValueKey::operator bool):
967         (JSC::B3::ValueKey::canMaterialize):
968         (JSC::B3::ValueKey::isHashTableDeletedValue):
969         (JSC::B3::ValueKeyHash::hash):
970         (JSC::B3::ValueKeyHash::equal):
971         * b3/B3ValueKeyInlines.h: Added.
972         (JSC::B3::ValueKey::ValueKey):
973         (JSC::B3::ValueKey::child):
974         * b3/air/AirCode.cpp:
975         (JSC::B3::Air::Code::Code):
976         * b3/air/AirCode.h:
977         (JSC::B3::Air::Code::proc):
978         (JSC::B3::Air::Code::lastPhaseName):
979         * b3/air/AirOpcode.opcodes:
980         * b3/testb3.cpp:
981         (JSC::B3::compile):
982         (JSC::B3::invoke):
983         (JSC::B3::compileAndRun):
984         (JSC::B3::test42):
985         (JSC::B3::testBranch):
986         (JSC::B3::testBranchPtr):
987         (JSC::B3::testDiamond):
988         (JSC::B3::testBranchNotEqual):
989         (JSC::B3::testBranchNotEqualCommute):
990         (JSC::B3::testBranchNotEqualNotEqual):
991         (JSC::B3::testBranchEqual):
992         (JSC::B3::testBranchEqualEqual):
993         (JSC::B3::testBranchEqualCommute):
994         (JSC::B3::testBranchEqualEqual1):
995         (JSC::B3::testBranchFold):
996         (JSC::B3::testSimpleCheck):
997         (JSC::B3::testCompare):
998         (JSC::B3::testReturnDouble):
999         (JSC::B3::run):
1000
1001 2015-11-09  Michael Saboff  <msaboff@apple.com>
1002
1003         Need a function that will provide Nth argument register
1004         https://bugs.webkit.org/show_bug.cgi?id=151041
1005
1006         Reviewed by Filip Pizlo.
1007
1008         For 64-bit platforms, return the Nth architected argument register, otherwise InvalidGPRReg.
1009
1010         * jit/GPRInfo.h:
1011         (JSC::argumentRegisterFor): Added to return the Nth architected argument register if defined
1012         for a platform or InvalidGPRReg if not.
1013
1014 2015-11-09  Csaba Osztrogonác  <ossy@webkit.org>
1015
1016         [FTL] Fix the build with LLVM 3.7
1017         https://bugs.webkit.org/show_bug.cgi?id=150595
1018
1019         Reviewed by Darin Adler.
1020
1021         * llvm/LLVMAPIFunctions.h: Removed the unused BuildLandingPad function.
1022
1023 2015-11-09  Xabier Rodriguez Calvar  <calvaris@igalia.com>
1024
1025         [Streams API] Shield implementation from mangling then and catch promise methods
1026         https://bugs.webkit.org/show_bug.cgi?id=150934
1027
1028         Reviewed by Youenn Fablet.
1029
1030         Since the prototype is not deletable and readonly, we only have to care about ensuring that it has the right
1031         @then and @catch internal methods.
1032
1033         * runtime/JSPromisePrototype.h:
1034         * runtime/JSPromisePrototype.cpp:
1035         (JSC::JSPromisePrototype::addOwnInternalSlots): Added to create the proper @then and @catch internal slots.
1036         (JSC::JSPromisePrototype::create): Call addOwnInternalSlots.
1037
1038 2015-11-09  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1039
1040         JS Built-ins functions should be able to assert
1041         https://bugs.webkit.org/show_bug.cgi?id=150333
1042
1043         Reviewed by Yusuke Suzuki.
1044
1045         Introduced @assert to enable asserting in JS built-ins.
1046         Adding a new bytecode 'assert' to implement it.
1047         In debug builds, @assert generates 'assert' bytecodes.
1048         In release builds, no bytecode is produced for @assert.
1049
1050         In case assert is false, the JS built-in and the line number are dumped.
1051
1052         * bytecode/BytecodeList.json:
1053         * bytecode/BytecodeUseDef.h:
1054         (JSC::computeUsesForBytecodeOffset):
1055         (JSC::computeDefsForBytecodeOffset):
1056         * bytecode/CodeBlock.cpp:
1057         (JSC::CodeBlock::dumpBytecode):
1058         * bytecompiler/BytecodeGenerator.cpp:
1059         (JSC::BytecodeGenerator::emitAssert):
1060         * bytecompiler/BytecodeGenerator.h:
1061         * bytecompiler/NodesCodegen.cpp: Generating op_assert bytecode for @assert for Debug builds.
1062         (JSC::BytecodeIntrinsicNode::emit_intrinsic_assert):
1063         * jit/JIT.cpp:
1064         (JSC::JIT::privateCompileMainPass):
1065         * jit/JIT.h:
1066         * jit/JITOpcodes.cpp:
1067         (JSC::JIT::emit_op_assert):
1068         * jit/JITOpcodes32_64.cpp:
1069         (JSC::JIT::emit_op_create_assert):
1070         * llint/LowLevelInterpreter.asm:
1071         * runtime/CommonIdentifiers.h: Adding @assert identifier as intrinsic.
1072         * runtime/CommonSlowPaths.cpp:
1073         (JSC::SLOW_PATH_DECL):
1074         * runtime/CommonSlowPaths.h:
1075
1076 2015-11-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1077
1078         [ES6] Minimize ES6_CLASS_SYNTAX ifdefs
1079         https://bugs.webkit.org/show_bug.cgi?id=151006
1080
1081         Reviewed by Darin Adler.
1082
1083         This patch minimizes ENABLE_ES6_CLASS_SYNTAX ifdefs.
1084         It keeps several ENABLE_ES6_CLASS_SYNTAX ifdefs in Parser.cpp.
1085
1086         - super meta property
1087         - class declaration parsing
1088         - class expression parsing
1089         - class with import declaration
1090
1091         This change makes the difference between the enabled and disabled configurations minimal,
1092         reducing accidental build breaks of the disabled configuration.
1093
1094         * bytecompiler/BytecodeGenerator.h:
1095         (JSC::BytecodeGenerator::constructorKind): Deleted.
1096         * bytecompiler/NodesCodegen.cpp:
1097         * parser/ASTBuilder.h:
1098         * parser/NodeConstructors.h:
1099         * parser/Nodes.h:
1100         * parser/Parser.cpp:
1101         * parser/Parser.h:
1102         (JSC::Scope::hasDirectSuper): Deleted.
1103         (JSC::Scope::needsSuperBinding): Deleted.
1104         * parser/ParserFunctionInfo.h:
1105         * parser/ParserTokens.h:
1106         * parser/SyntaxChecker.h:
1107
1108 2015-11-08  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1109
1110         Use StringView::upconvertedCharacters() to make a 16-bit copy in String.prototype.normalize
1111         https://bugs.webkit.org/show_bug.cgi?id=151005
1112
1113         Reviewed by Michael Saboff.
1114
1115         ICU's unorm_normalize function used by String.prototype.normalize
1116         requires a 16-bit string. This patch uses StringView::upconvertedCharacters()
1117         to make a 16-bit copy of a string.
1118
1119         * runtime/StringPrototype.cpp:
1120         (JSC::stringProtoFuncNormalize):
1121
1122 2015-11-08  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1123
1124         generate-js-builtins.js should support @internal annotation
1125         https://bugs.webkit.org/show_bug.cgi?id=150929
1126
1127         Reviewed by Darin Adler.
1128
1129         * Scripts/builtins/builtins_generate_separate_header.py:
1130         (BuiltinsSeparateHeaderGenerator.generate_output): Generate internal boilerplate code only if @internal annotation is available.
1131         * Scripts/builtins/builtins_templates.py: Split boilerplate in two templates (one that is used for all built-ins and one dedicated to internals).
1132         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Removed internal boilerplate.
1133         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
1134         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
1135
1136 2015-11-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1137
1138         [ES6] Minimize ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX ifdefs
1139         https://bugs.webkit.org/show_bug.cgi?id=150998
1140
1141         Reviewed by Geoffrey Garen.
1142
1143         This patch minimizes ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX ifdefs.
1144         It only keeps 2 ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX in Parser.cpp, one for
1145         template literals and one for tagged templates.
1146         This change makes the difference between the enabled and disabled configurations minimal,
1147         reducing accidental build breaks of the disabled configuration.
1148
1149         * bytecompiler/BytecodeGenerator.cpp:
1150         * bytecompiler/BytecodeGenerator.h:
1151         * bytecompiler/NodesCodegen.cpp:
1152         * parser/ASTBuilder.h:
1153         * parser/Lexer.cpp:
1154         (JSC::Lexer<T>::Lexer): Deleted.
1155         (JSC::Lexer<T>::lex): Deleted.
1156         * parser/Lexer.h:
1157         * parser/NodeConstructors.h:
1158         * parser/Nodes.h:
1159         * parser/Parser.cpp:
1160         * parser/Parser.h:
1161         * parser/SyntaxChecker.h:
1162
1163 2015-11-06  Filip Pizlo  <fpizlo@apple.com>
1164
1165         B3->Air lowering should do pattern matching the old fashioned way
1166         https://bugs.webkit.org/show_bug.cgi?id=150994
1167
1168         Reviewed by Geoffrey Garen.
1169
1170         When I first wrote the B3->Air lowering prototype, I was convinced that the patterns would get
1171         so gnarly that we'd want a pattern language to write them in. So I made one, and that's what
1172         the lowering has used. But as we've worked with the IR, we've found that it's very easy to
1173         pattern match in C++ using the B3 API, and we've also found that most of the patterns we wrote
1174         using the pattern language were mostly trivial. So this change removes the pattern match code
1175         generator and the patterns files, and redoes the lowering using good old fashioned switch
1176         statements. This actually reduces the total code of the lowering.
1177
1178         I also took the opportunity to refactor UnOp and BinOp lowering. We had a lot of repetitive
1179         code for 32-vs-64-bit opcode selection, so I factored that out into a helper. This also saves a
1180         lot of code.
1181
1182         * CMakeLists.txt:
1183         * DerivedSources.make:
1184         * b3/B3AddressMatcher.patterns: Removed.
1185         * b3/B3LowerToAir.cpp:
1186         (JSC::B3::Air::LowerToAir::LowerToAir):
1187         (JSC::B3::Air::LowerToAir::run):
1188         (JSC::B3::Air::LowerToAir::highBitsAreZero):
1189         (JSC::B3::Air::LowerToAir::tmp):
1190         (JSC::B3::Air::LowerToAir::canBeInternal):
1191         (JSC::B3::Air::LowerToAir::commitInternal):
1192         (JSC::B3::Air::LowerToAir::crossesInterference):
1193         (JSC::B3::Air::LowerToAir::effectiveAddr):
1194         (JSC::B3::Air::LowerToAir::addr):
1195         (JSC::B3::Air::LowerToAir::loadPromise):
1196         (JSC::B3::Air::LowerToAir::imm):
1197         (JSC::B3::Air::LowerToAir::immForMove):
1198         (JSC::B3::Air::LowerToAir::immOrTmpForMove):
1199         (JSC::B3::Air::LowerToAir::tryOpcodeForType):
1200         (JSC::B3::Air::LowerToAir::opcodeForType):
1201         (JSC::B3::Air::LowerToAir::appendUnOp):
1202         (JSC::B3::Air::LowerToAir::appendBinOp):
1203         (JSC::B3::Air::LowerToAir::appendShift):
1204         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
1205         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
1206         (JSC::B3::Air::LowerToAir::append):
1207         (JSC::B3::Air::LowerToAir::ensureSpecial):
1208         (JSC::B3::Air::LowerToAir::fillStackmap):
1209         (JSC::B3::Air::LowerToAir::createGenericCompare):
1210         (JSC::B3::Air::LowerToAir::createBranch):
1211         (JSC::B3::Air::LowerToAir::createCompare):
1212         (JSC::B3::Air::LowerToAir::lower):
1213         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
1214         (JSC::B3::Air::LowerToAir::AddressSelector::AddressSelector): Deleted.
1215         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRoot): Deleted.
1216         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRootLate): Deleted.
1217         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternals): Deleted.
1218         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternalsLate): Deleted.
1219         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperands): Deleted.
1220         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperandsLate): Deleted.
1221         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift1): Deleted.
1222         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift2): Deleted.
1223         (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd): Deleted.
1224         (JSC::B3::Air::LowerToAir::AddressSelector::tryFramePointer): Deleted.
1225         (JSC::B3::Air::LowerToAir::AddressSelector::tryStackSlot): Deleted.
1226         (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect): Deleted.
1227         (JSC::B3::Air::LowerToAir::acceptRoot): Deleted.
1228         (JSC::B3::Air::LowerToAir::acceptRootLate): Deleted.
1229         (JSC::B3::Air::LowerToAir::acceptInternals): Deleted.
1230         (JSC::B3::Air::LowerToAir::acceptInternalsLate): Deleted.
1231         (JSC::B3::Air::LowerToAir::acceptOperands): Deleted.
1232         (JSC::B3::Air::LowerToAir::acceptOperandsLate): Deleted.
1233         (JSC::B3::Air::LowerToAir::tryLoad): Deleted.
1234         (JSC::B3::Air::LowerToAir::tryLoad8S): Deleted.
1235         (JSC::B3::Air::LowerToAir::tryLoad8Z): Deleted.
1236         (JSC::B3::Air::LowerToAir::tryLoad16S): Deleted.
1237         (JSC::B3::Air::LowerToAir::tryLoad16Z): Deleted.
1238         (JSC::B3::Air::LowerToAir::tryAdd): Deleted.
1239         (JSC::B3::Air::LowerToAir::trySub): Deleted.
1240         (JSC::B3::Air::LowerToAir::tryAnd): Deleted.
1241         (JSC::B3::Air::LowerToAir::tryOr): Deleted.
1242         (JSC::B3::Air::LowerToAir::tryXor): Deleted.
1243         (JSC::B3::Air::LowerToAir::tryShl): Deleted.
1244         (JSC::B3::Air::LowerToAir::trySShr): Deleted.
1245         (JSC::B3::Air::LowerToAir::tryZShr): Deleted.
1246         (JSC::B3::Air::LowerToAir::tryStoreAddLoad): Deleted.
1247         (JSC::B3::Air::LowerToAir::tryStoreSubLoad): Deleted.
1248         (JSC::B3::Air::LowerToAir::tryStoreAndLoad): Deleted.
1249         (JSC::B3::Air::LowerToAir::tryStore): Deleted.
1250         (JSC::B3::Air::LowerToAir::tryTrunc): Deleted.
1251         (JSC::B3::Air::LowerToAir::tryZExt32): Deleted.
1252         (JSC::B3::Air::LowerToAir::tryArgumentReg): Deleted.
1253         (JSC::B3::Air::LowerToAir::tryConst32): Deleted.
1254         (JSC::B3::Air::LowerToAir::tryConst64): Deleted.
1255         (JSC::B3::Air::LowerToAir::tryFramePointer): Deleted.
1256         (JSC::B3::Air::LowerToAir::tryStackSlot): Deleted.
1257         (JSC::B3::Air::LowerToAir::tryEqual): Deleted.
1258         (JSC::B3::Air::LowerToAir::tryNotEqual): Deleted.
1259         (JSC::B3::Air::LowerToAir::tryLessThan): Deleted.
1260         (JSC::B3::Air::LowerToAir::tryGreaterThan): Deleted.
1261         (JSC::B3::Air::LowerToAir::tryLessEqual): Deleted.
1262         (JSC::B3::Air::LowerToAir::tryGreaterEqual): Deleted.
1263         (JSC::B3::Air::LowerToAir::tryAbove): Deleted.
1264         (JSC::B3::Air::LowerToAir::tryBelow): Deleted.
1265         (JSC::B3::Air::LowerToAir::tryAboveEqual): Deleted.
1266         (JSC::B3::Air::LowerToAir::tryBelowEqual): Deleted.
1267         (JSC::B3::Air::LowerToAir::tryPatchpoint): Deleted.
1268         (JSC::B3::Air::LowerToAir::tryCheck): Deleted.
1269         (JSC::B3::Air::LowerToAir::tryUpsilon): Deleted.
1270         (JSC::B3::Air::LowerToAir::tryPhi): Deleted.
1271         (JSC::B3::Air::LowerToAir::tryBranch): Deleted.
1272         (JSC::B3::Air::LowerToAir::tryJump): Deleted.
1273         (JSC::B3::Air::LowerToAir::tryIdentity): Deleted.
1274         (JSC::B3::Air::LowerToAir::tryReturn): Deleted.
1275         * b3/B3LoweringMatcher.patterns: Removed.
1276         * b3/generate_pattern_matcher.rb: Removed.
1277
1278 2015-11-07  Michael Saboff  <msaboff@apple.com>
1279
1280         Add conditional moves to the MacroAssembler
1281         https://bugs.webkit.org/show_bug.cgi?id=150761
1282
1283         Reviewed by Filip Pizlo.
1284
1285         Added moveConditionally, moveConditionallyTest & moveConditionallyDouble to X86 macro assemblers.
1286         Bench tested correct opcodes and operations on X86-64 and X86 for a select number of comparisons.
1287
1288         * assembler/MacroAssemblerX86Common.h:
1289         (JSC::MacroAssemblerX86Common::moveConditionally):
1290         (JSC::MacroAssemblerX86Common::moveConditionallyTest):
1291         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
1292         * assembler/X86Assembler.h:
1293         (JSC::X86Assembler::cmovcc):
1294         (JSC::X86Assembler::cmovl_rr):
1295         (JSC::X86Assembler::cmovl_mr):
1296         (JSC::X86Assembler::cmovel_rr):
1297         (JSC::X86Assembler::cmovnel_rr):
1298         (JSC::X86Assembler::cmovpl_rr):
1299         (JSC::X86Assembler::cmovnpl_rr):
1300         (JSC::X86Assembler::cmovq_rr):
1301         (JSC::X86Assembler::cmovq_mr):
1302         (JSC::X86Assembler::cmoveq_rr):
1303         (JSC::X86Assembler::cmovneq_rr):
1304         (JSC::X86Assembler::cmovpq_rr):
1305         (JSC::X86Assembler::cmovnpq_rr):
1306         (JSC::X86Assembler::X86InstructionFormatter::twoByteOp64):
1307
1308 2015-11-06  Saam barati  <sbarati@apple.com>
1309
1310         Control Flow Profiler should keep execution counts of basic blocks
1311         https://bugs.webkit.org/show_bug.cgi?id=146099
1312
1313         Reviewed by Mark Lam.
1314
1315         This patch changes the control flow profiler to now
1316         keep track of execution counts for each basic block
1317         instead of a boolean indicating if the basic block has 
1318         executed at all.  This has the consequence of us having to 
1319         always compile all op_profile_control_flows in the baseline and DFG.
1320
1321         This patch adds a new "executionCount" field to the inspector protocol
1322         corresponding to the execution of a basic block. This patch, for now,
1323         still maintains the previous field of "hasExecuted" even though this is
1324         redundant with "executionCount".
1325
1326         * dfg/DFGSpeculativeJIT32_64.cpp:
1327         (JSC::DFG::SpeculativeJIT::compile):
1328         * dfg/DFGSpeculativeJIT64.cpp:
1329         (JSC::DFG::SpeculativeJIT::compile):
1330         * inspector/agents/InspectorRuntimeAgent.cpp:
1331         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1332         * inspector/protocol/Runtime.json:
1333         * jit/JITOpcodes.cpp:
1334         (JSC::JIT::emit_op_profile_control_flow):
1335         (JSC::JIT::emit_op_create_direct_arguments):
1336         * jsc.cpp:
1337         (GlobalObject::finishCreation):
1338         (functionHasBasicBlockExecuted):
1339         (functionBasicBlockExecutionCount):
1340         (functionEnableExceptionFuzz):
1341         (functionDrainMicrotasks):
1342         (functionIs32BitPlatform):
1343         (functionLoadWebAssembly):
1344         * llint/LowLevelInterpreter.asm:
1345         * llint/LowLevelInterpreter32_64.asm:
1346         * llint/LowLevelInterpreter64.asm:
1347         * runtime/BasicBlockLocation.cpp:
1348         (JSC::BasicBlockLocation::BasicBlockLocation):
1349         (JSC::BasicBlockLocation::dumpData):
1350         (JSC::BasicBlockLocation::emitExecuteCode):
1351         * runtime/BasicBlockLocation.h:
1352         (JSC::BasicBlockLocation::endOffset):
1353         (JSC::BasicBlockLocation::setStartOffset):
1354         (JSC::BasicBlockLocation::setEndOffset):
1355         (JSC::BasicBlockLocation::hasExecuted):
1356         (JSC::BasicBlockLocation::executionCount):
1357         * runtime/ControlFlowProfiler.cpp:
1358         (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
1359         (JSC::findBasicBlockAtTextOffset):
1360         (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
1361         (JSC::ControlFlowProfiler::basicBlockExecutionCountAtTextOffset):
1362         * runtime/ControlFlowProfiler.h:
1363         (JSC::ControlFlowProfiler::dummyBasicBlock):
1364         * tests/controlFlowProfiler/execution-count.js: Added.
1365         (noop):
1366         (foo):
1367         (a):
1368         (b):
1369         (baz):
1370         (jaz):
1371         (testWhile):
1372         (is32BitPlatform.testMax):
1373         (is32BitPlatform):
1374
1375 2015-11-06  Filip Pizlo  <fpizlo@apple.com>
1376
1377         B3 and Air should simplify CFGs
1378         https://bugs.webkit.org/show_bug.cgi?id=150960
1379
1380         Reviewed by Geoffrey Garen.
1381
1382         This adds CFG simplification to both B3 and Air.
1383
1384         In B3, the simplification is done inside the B3::reduceStrength() fixpoint because we expect
1385         that it will help to reveal more optimization opportunities. This is going to be particularly
1386         true when we add Phi elimination.
1387
1388         In Air, the simplification is its own phase. We expect it to produce most of its benefits once
1389         we have coalescing. Then, CFG simplification in Air will unbreak critical edges.
1390
1391         * JavaScriptCore.xcodeproj/project.pbxproj:
1392         * assembler/AbortReason.h:
1393         * assembler/MacroAssembler.h:
1394         (JSC::MacroAssembler::oops): Reveal this as a method so that we can have an Oops instruction.
1395         * b3/B3BasicBlock.h:
1396         (JSC::B3::BasicBlock::predecessor):
1397         (JSC::B3::BasicBlock::predecessors):
1398         (JSC::B3::BasicBlock::containsPredecessor):
1399         * b3/B3BasicBlockUtils.h: Bunch of fixes for blocks being killed.
1400         (JSC::B3::replacePredecessor):
1401         (JSC::B3::resetReachability):
1402         * b3/B3ReduceStrength.cpp: Implement B3 CFG simplification.
1403         * b3/B3ReduceStrength.h:
1404         * b3/air/AirBasicBlock.h:
1405         (JSC::B3::Air::BasicBlock::resize):
1406         (JSC::B3::Air::BasicBlock::insts):
1407         (JSC::B3::Air::BasicBlock::appendInst):
1408         (JSC::B3::Air::BasicBlock::containsPredecessor):
1409         * b3/air/AirGenerate.cpp:
1410         (JSC::B3::Air::generate):
1411         * b3/air/AirInst.cpp:
1412         (JSC::B3::Air::Inst::hasArgEffects):
1413         (JSC::B3::Air::Inst::dump):
1414         * b3/air/AirInst.h:
1415         * b3/air/AirLiveness.h:
1416         (JSC::B3::Air::Liveness::Liveness): Fix for when blocks were killed.
1417         * b3/air/AirOpcode.opcodes:
1418         * b3/air/AirSimplifyCFG.cpp: Added.
1419         (JSC::B3::Air::simplifyCFG):
1420         * b3/air/AirSimplifyCFG.h: Added.
1421
1422 2015-11-05  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
1423
1424         Add runtime and compile time flags for enabling Web Animations API and model.
1425         https://bugs.webkit.org/show_bug.cgi?id=150914
1426
1427         Reviewed by Benjamin Poulain.
1428
1429         Add ENABLE_WEB_ANIMATIONS compile time flag, runtime flag webAnimationsEnabled and expose a WK2 preference for the runtime flag.
1430
1431         * Configurations/FeatureDefines.xcconfig:
1432
1433 2015-11-05  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1434
1435         Layout Test js/intl-collator.html is crashing on win 7 debug
1436         https://bugs.webkit.org/show_bug.cgi?id=150943
1437
1438         Reviewed by Geoffrey Garen.
1439
1440         The string length returned by ICU's uenum_next seems to be unreliable
1441         on an old version of ICU. Since uenum_next returns a null-terminated
1442         string anyway, this patch removes the use of the length.
1443
1444         * runtime/IntlCollatorConstructor.cpp:
1445         (JSC::sortLocaleData):
1446
1447 2015-11-05  Filip Pizlo  <fpizlo@apple.com>
1448
1449         Unreviewed, add FIXMEs referencing https://bugs.webkit.org/show_bug.cgi?id=150958 and
1450         https://bugs.webkit.org/show_bug.cgi?id=150954.
1451
1452         * b3/B3LowerToAir.cpp:
1453         (JSC::B3::Air::LowerToAir::createGenericCompare):
1454         * b3/B3ReduceStrength.cpp:
1455
1456 2015-11-05  Aleksandr Skachkov  <gskachkov@gmail.com>
1457
1458         Using emitResolveScope & emitGetFromScope with 'this' that is TDZ lead to segfault in DFG
1459         https://bugs.webkit.org/show_bug.cgi?id=150902
1460
1461         Reviewed by Geoffrey Garen.
1462
1463         Tiny fix provided by Saam Barati. This fix prevents a segfault in an arrow function
1464         when it is used in the constructor of a derived class, before 'super' is called.
1465
1466         * dfg/DFGAbstractInterpreterInlines.h:
1467         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1468
1469 2015-11-05  Filip Pizlo  <fpizlo@apple.com>
1470
1471         B3->Air lowering should have a story for compare-branch fusion
1472         https://bugs.webkit.org/show_bug.cgi?id=150721
1473
1474         Reviewed by Geoffrey Garen.
1475
1476         This adds comprehensive support for compares and compare/branch fusion to B3. The fusion is
1477         super aggressive. It can even handle things like Branch(LessThan(Load8S(...), constant)). It
1478         can even handle flipping the operands to the branch, and flipping the comparison condition,
1479         if it enables a more efficient instruction. This happens when there is asymmetry in the
1480         admitted argument kinds. For example, Branch32 will only accept an Imm as a second operand.
1481         If we do a LessThan(constant, load) then we will generate it as:
1482
1483             Branch32 GreaterThan, (addr), $imm
1484
1485         This also supports compiling and fusing tests, and to some extent, compiling and fusing
1486         double compares. Though we cannot test doubles yet because we don't have enough support for
1487         that.
1488
1489         This also supports fusing compare/branches in Checks. We basically get that for free.
1490
1491         Because I wanted to fuse comparisons with sub-32-bit loads, I added support for those loads
1492         directly, too.
1493
1494         The tests are now getting super big, so I made testb3 run tests in parallel.
1495
1496         Finally, this slightly changes the semantics of Branch and Check. Previously they would have
1497         accepted a double to branch on. I found that this is awkward. It's especially awkward since
1498         we want to be explicit about when a double zero constant is materialized. So, from now on, we
1499         require that to branch on a double being non-zero, you have to do Branch(NotEqual(value, 0)).
1500
1501         * assembler/MacroAssembler.h:
1502         (JSC::MacroAssembler::invert):
1503         (JSC::MacroAssembler::isInvertible):
1504         (JSC::MacroAssembler::flip):
1505         (JSC::MacroAssembler::isSigned):
1506         (JSC::MacroAssembler::isUnsigned):
1507         * assembler/MacroAssemblerX86Common.h:
1508         (JSC::MacroAssemblerX86Common::test32):
1509         (JSC::MacroAssemblerX86Common::invert):
1510         * b3/B3CheckSpecial.cpp:
1511         (JSC::B3::CheckSpecial::Key::Key):
1512         (JSC::B3::CheckSpecial::Key::dump):
1513         (JSC::B3::CheckSpecial::CheckSpecial):
1514         (JSC::B3::CheckSpecial::~CheckSpecial):
1515         * b3/B3CheckSpecial.h:
1516         (JSC::B3::CheckSpecial::Key::Key):
1517         (JSC::B3::CheckSpecial::Key::operator==):
1518         (JSC::B3::CheckSpecial::Key::operator!=):
1519         (JSC::B3::CheckSpecial::Key::operator bool):
1520         (JSC::B3::CheckSpecial::Key::opcode):
1521         (JSC::B3::CheckSpecial::Key::numArgs):
1522         (JSC::B3::CheckSpecial::Key::isHashTableDeletedValue):
1523         (JSC::B3::CheckSpecial::Key::hash):
1524         (JSC::B3::CheckSpecialKeyHash::hash):
1525         (JSC::B3::CheckSpecialKeyHash::equal):
1526         * b3/B3Const32Value.cpp:
1527         (JSC::B3::Const32Value::zShrConstant):
1528         (JSC::B3::Const32Value::equalConstant):
1529         (JSC::B3::Const32Value::notEqualConstant):
1530         (JSC::B3::Const32Value::lessThanConstant):
1531         (JSC::B3::Const32Value::greaterThanConstant):
1532         (JSC::B3::Const32Value::lessEqualConstant):
1533         (JSC::B3::Const32Value::greaterEqualConstant):
1534         (JSC::B3::Const32Value::aboveConstant):
1535         (JSC::B3::Const32Value::belowConstant):
1536         (JSC::B3::Const32Value::aboveEqualConstant):
1537         (JSC::B3::Const32Value::belowEqualConstant):
1538         (JSC::B3::Const32Value::dumpMeta):
1539         * b3/B3Const32Value.h:
1540         * b3/B3Const64Value.cpp:
1541         (JSC::B3::Const64Value::zShrConstant):
1542         (JSC::B3::Const64Value::equalConstant):
1543         (JSC::B3::Const64Value::notEqualConstant):
1544         (JSC::B3::Const64Value::lessThanConstant):
1545         (JSC::B3::Const64Value::greaterThanConstant):
1546         (JSC::B3::Const64Value::lessEqualConstant):
1547         (JSC::B3::Const64Value::greaterEqualConstant):
1548         (JSC::B3::Const64Value::aboveConstant):
1549         (JSC::B3::Const64Value::belowConstant):
1550         (JSC::B3::Const64Value::aboveEqualConstant):
1551         (JSC::B3::Const64Value::belowEqualConstant):
1552         (JSC::B3::Const64Value::dumpMeta):
1553         * b3/B3Const64Value.h:
1554         * b3/B3ConstDoubleValue.cpp:
1555         (JSC::B3::ConstDoubleValue::subConstant):
1556         (JSC::B3::ConstDoubleValue::equalConstant):
1557         (JSC::B3::ConstDoubleValue::notEqualConstant):
1558         (JSC::B3::ConstDoubleValue::lessThanConstant):
1559         (JSC::B3::ConstDoubleValue::greaterThanConstant):
1560         (JSC::B3::ConstDoubleValue::lessEqualConstant):
1561         (JSC::B3::ConstDoubleValue::greaterEqualConstant):
1562         (JSC::B3::ConstDoubleValue::dumpMeta):
1563         * b3/B3ConstDoubleValue.h:
1564         * b3/B3LowerToAir.cpp:
1565         (JSC::B3::Air::LowerToAir::LowerToAir):
1566         (JSC::B3::Air::LowerToAir::run):
1567         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1568         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise):
1569         (JSC::B3::Air::LowerToAir::ArgPromise::tmp):
1570         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool):
1571         (JSC::B3::Air::LowerToAir::ArgPromise::kind):
1572         (JSC::B3::Air::LowerToAir::ArgPromise::peek):
1573         (JSC::B3::Air::LowerToAir::ArgPromise::consume):
1574         (JSC::B3::Air::LowerToAir::tmp):
1575         (JSC::B3::Air::LowerToAir::tmpPromise):
1576         (JSC::B3::Air::LowerToAir::canBeInternal):
1577         (JSC::B3::Air::LowerToAir::addr):
1578         (JSC::B3::Air::LowerToAir::loadPromise):
1579         (JSC::B3::Air::LowerToAir::imm):
1580         (JSC::B3::Air::LowerToAir::appendBinOp):
1581         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
1582         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
1583         (JSC::B3::Air::LowerToAir::createGenericCompare):
1584         (JSC::B3::Air::LowerToAir::createBranch):
1585         (JSC::B3::Air::LowerToAir::createCompare):
1586         (JSC::B3::Air::LowerToAir::tryLoad):
1587         (JSC::B3::Air::LowerToAir::tryLoad8S):
1588         (JSC::B3::Air::LowerToAir::tryLoad8Z):
1589         (JSC::B3::Air::LowerToAir::tryLoad16S):
1590         (JSC::B3::Air::LowerToAir::tryLoad16Z):
1591         (JSC::B3::Air::LowerToAir::tryAdd):
1592         (JSC::B3::Air::LowerToAir::tryStackSlot):
1593         (JSC::B3::Air::LowerToAir::tryEqual):
1594         (JSC::B3::Air::LowerToAir::tryNotEqual):
1595         (JSC::B3::Air::LowerToAir::tryLessThan):
1596         (JSC::B3::Air::LowerToAir::tryGreaterThan):
1597         (JSC::B3::Air::LowerToAir::tryLessEqual):
1598         (JSC::B3::Air::LowerToAir::tryGreaterEqual):
1599         (JSC::B3::Air::LowerToAir::tryAbove):
1600         (JSC::B3::Air::LowerToAir::tryBelow):
1601         (JSC::B3::Air::LowerToAir::tryAboveEqual):
1602         (JSC::B3::Air::LowerToAir::tryBelowEqual):
1603         (JSC::B3::Air::LowerToAir::tryPatchpoint):
1604         (JSC::B3::Air::LowerToAir::tryCheck):
1605         (JSC::B3::Air::LowerToAir::tryBranch):
1606         (JSC::B3::Air::LowerToAir::loadAddr): Deleted.
1607         * b3/B3LoweringMatcher.patterns:
1608         * b3/B3Opcode.cpp:
1609         (JSC::B3::invertedCompare):
1610         * b3/B3Opcode.h:
1611         (JSC::B3::isCheckMath):
1612         * b3/B3Procedure.cpp:
1613         (JSC::B3::Procedure::addBlock):
1614         (JSC::B3::Procedure::addIntConstant):
1615         (JSC::B3::Procedure::addBoolConstant):
1616         (JSC::B3::Procedure::resetValueOwners):
1617         * b3/B3Procedure.h:
1618         * b3/B3ReduceStrength.cpp:
1619         * b3/B3Validate.cpp:
1620         * b3/B3Value.cpp:
1621         (JSC::B3::Value::zShrConstant):
1622         (JSC::B3::Value::equalConstant):
1623         (JSC::B3::Value::notEqualConstant):
1624         (JSC::B3::Value::lessThanConstant):
1625         (JSC::B3::Value::greaterThanConstant):
1626         (JSC::B3::Value::lessEqualConstant):
1627         (JSC::B3::Value::greaterEqualConstant):
1628         (JSC::B3::Value::aboveConstant):
1629         (JSC::B3::Value::belowConstant):
1630         (JSC::B3::Value::aboveEqualConstant):
1631         (JSC::B3::Value::belowEqualConstant):
1632         (JSC::B3::Value::invertedCompare):
1633         * b3/B3Value.h:
1634         * b3/air/AirArg.cpp:
1635         (JSC::B3::Air::Arg::isRepresentableAs):
1636         (JSC::B3::Air::Arg::dump):
1637         (WTF::printInternal):
1638         * b3/air/AirArg.h:
1639         (JSC::B3::Air::Arg::isUse):
1640         (JSC::B3::Air::Arg::typeForB3Type):
1641         (JSC::B3::Air::Arg::widthForB3Type):
1642         (JSC::B3::Air::Arg::Arg):
1643         (JSC::B3::Air::Arg::value):
1644         (JSC::B3::Air::Arg::isRepresentableAs):
1645         (JSC::B3::Air::Arg::asNumber):
1646         (JSC::B3::Air::Arg::pointerValue):
1647         (JSC::B3::Air::Arg::asDoubleCondition):
1648         (JSC::B3::Air::Arg::inverted):
1649         (JSC::B3::Air::Arg::flipped):
1650         (JSC::B3::Air::Arg::isSignedCond):
1651         (JSC::B3::Air::Arg::isUnsignedCond):
1652         * b3/air/AirInst.h:
1653         (JSC::B3::Air::Inst::Inst):
1654         (JSC::B3::Air::Inst::operator bool):
1655         * b3/air/AirOpcode.opcodes:
1656         * b3/air/opcode_generator.rb:
1657         * b3/testb3.cpp:
1658         (hiddenTruthBecauseNoReturnIsStupid):
1659         (JSC::B3::testStoreLoadStackSlot):
1660         (JSC::B3::modelLoad):
1661         (JSC::B3::testLoad):
1662         (JSC::B3::testBranch):
1663         (JSC::B3::testComplex):
1664         (JSC::B3::testSimplePatchpoint):
1665         (JSC::B3::testSimpleCheck):
1666         (JSC::B3::genericTestCompare):
1667         (JSC::B3::modelCompare):
1668         (JSC::B3::testCompareLoad):
1669         (JSC::B3::testCompareImpl):
1670         (JSC::B3::testCompare):
1671         (JSC::B3::run):
1672         (main):
1673         * dfg/DFGSpeculativeJIT.cpp:
1674         (JSC::DFG::SpeculativeJIT::compileArithMod):
1675         * jit/JITPropertyAccess.cpp:
1676         (JSC::JIT::emitIntTypedArrayGetByVal):
1677         (JSC::JIT::emitIntTypedArrayPutByVal):
1678
1679 2015-11-05  Joseph Pecoraro  <pecoraro@apple.com>
1680
1681         Web Inspector: Clean up InjectedScript uses
1682         https://bugs.webkit.org/show_bug.cgi?id=150921
1683
1684         Reviewed by Timothy Hatcher.
1685
1686         * inspector/InjectedScript.cpp:
1687         (Inspector::InjectedScript::wrapCallFrames):
1688         * inspector/InjectedScript.h:
1689         * inspector/InjectedScriptBase.cpp:
1690         (Inspector::InjectedScriptBase::initialize): Deleted.
1691         * inspector/InjectedScriptBase.h:
1692         * inspector/InjectedScriptManager.cpp:
1693         (Inspector::InjectedScriptManager::didCreateInjectedScript):
1694         * inspector/InjectedScriptManager.h:
1695         * inspector/InjectedScriptModule.cpp:
1696         (Inspector::InjectedScriptModule::ensureInjected):
1697         * inspector/InjectedScriptModule.h:
1698         * inspector/agents/InspectorDebuggerAgent.cpp:
1699         (Inspector::InspectorDebuggerAgent::currentCallFrames):
1700         * inspector/agents/InspectorDebuggerAgent.h:
1701
1702 2015-11-05  Joseph Pecoraro  <pecoraro@apple.com>
1703
1704         Web Inspector: Put ScriptDebugServer into InspectorEnvironment and cleanup duplicate references
1705         https://bugs.webkit.org/show_bug.cgi?id=150869
1706
1707         Reviewed by Brian Burg.
1708
1709         ScriptDebugServer (JSC::Debugger) is being used by more and more agents
1710         for instrumentation into JavaScriptCore. Currently the ScriptDebugServer
1711         is owned by DebuggerAgent subclasses that make their own ScriptDebugServer
1712         subclass. As more agents wanted to use it, boilerplate was added.
1713         Instead, put the ScriptDebugServer in the InspectorEnvironment (Controllers).
1714         Then each agent can access it during construction through the environment.
1715
1716         Do the same clean up for RuntimeAgent::globalVM, which is now just a
1717         duplication of InspectorEnvironment::vm.
1718
1719         * inspector/InspectorEnvironment.h:
1720         Add scriptDebugServer().
1721
1722         * inspector/JSGlobalObjectInspectorController.h:
1723         * inspector/JSGlobalObjectInspectorController.cpp:
1724         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1725         (Inspector::JSGlobalObjectInspectorController::scriptDebugServer):
1726         Own the JSGlobalObjectScriptDebugServer.
1727
1728         * inspector/agents/InspectorDebuggerAgent.h:
1729         * inspector/agents/InspectorDebuggerAgent.cpp:
1730         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
1731         (Inspector::InspectorDebuggerAgent::enable):
1732         (Inspector::InspectorDebuggerAgent::disable):
1733         (Inspector::InspectorDebuggerAgent::setBreakpointsActive):
1734         (Inspector::InspectorDebuggerAgent::isPaused):
1735         (Inspector::InspectorDebuggerAgent::setSuppressAllPauses):
1736         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
1737         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
1738         (Inspector::InspectorDebuggerAgent::continueToLocation):
1739         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
1740         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1741         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
1742         (Inspector::InspectorDebuggerAgent::resume):
1743         (Inspector::InspectorDebuggerAgent::stepOver):
1744         (Inspector::InspectorDebuggerAgent::stepInto):
1745         (Inspector::InspectorDebuggerAgent::stepOut):
1746         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
1747         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1748         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
1749         (Inspector::InspectorDebuggerAgent::didPause):
1750         (Inspector::InspectorDebuggerAgent::breakProgram):
1751         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
1752         * inspector/agents/InspectorRuntimeAgent.h:
1753         * inspector/agents/InspectorRuntimeAgent.cpp:
1754         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
1755         (Inspector::setPauseOnExceptionsState):
1756         (Inspector::InspectorRuntimeAgent::parse):
1757         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1758         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
1759         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1760         Use VM and ScriptDebugServer passed during construction.
1761
1762         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
1763         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1764         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
1765         (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent): Deleted.
1766         One special case needed by this subclass as a convenience to access the global object.
1767
1768         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1769         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1770         (Inspector::JSGlobalObjectRuntimeAgent::globalVM): Deleted.
1771         This virtual method is no longer needed; the base class has everything now.
1772
1773 2015-11-05  Xabier Rodriguez Calvar  <calvaris@igalia.com>
1774
1775         [Streams API] Shield implementation from user mangling Promise.reject and resolve methods
1776         https://bugs.webkit.org/show_bug.cgi?id=150895
1777
1778         Reviewed by Youenn Fablet.
1779
1780         Keep Promise.resolve and reject also as internal slots for the Promise constructor given that there is no way to
1781         retrieve the former implementation if the user decides to replace it. This allows safely creating vended
1782         promises even if the user changes the constructor methods.
1783
1784         * runtime/JSPromiseConstructor.h:
1785         * runtime/JSPromiseConstructor.cpp:
1786         (JSC::JSPromiseConstructor::addOwnInternalSlots): Added to include @reject and @resolve.
1787         (JSC::JSPromiseConstructor::create): Call addOwnInternalSlots.
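
The hazard this entry guards against, shown from the page-script side as an added example (not JSPromiseConstructor code): a vendor that captures Promise.resolve and Promise.reject once at setup keeps producing real promises after a script replaces the constructor methods, while a vendor that looks them up at call time returns whatever the replacement returns. All names and the tampering function are constructed for the example.

```javascript
"use strict";

// Constructed example: why an implementation that vends promises must not
// look Promise.resolve/Promise.reject up at call time. The "shielded"
// vendor captures them once at setup (the same idea as keeping them in
// internal slots); the "unshielded" vendor re-reads them from the
// constructor, so a script that replaces them controls what it returns.
const NativePromise = Promise;
const originalResolve = Promise.resolve;
const originalReject = Promise.reject;

function makeShieldedVendor() {
  const resolve = Promise.resolve; // captured before any page script runs
  const reject = Promise.reject;
  return {
    vendResolved: (value) => resolve.call(NativePromise, value),
    vendRejected: (reason) => reject.call(NativePromise, reason),
  };
}

function makeUnshieldedVendor() {
  return {
    vendResolved: (value) => Promise.resolve(value), // looked up at call time
    vendRejected: (reason) => Promise.reject(reason),
  };
}

// A page script replacing the constructor methods with something that is
// not a promise at all (constructed for the example).
function tamperWithPromise() {
  const fake = () => ({ then() { return "not a promise"; } });
  Promise.resolve = fake;
  Promise.reject = fake;
}

function restorePromise() {
  Promise.resolve = originalResolve;
  Promise.reject = originalReject;
}

function isRealPromise(value) {
  return value instanceof NativePromise;
}

// Runs the scenario and reports which vendor still produced real promises
// after tampering. Always restores the originals afterwards.
function demonstrate() {
  const shielded = makeShieldedVendor(); // set up before tampering
  const unshielded = makeUnshieldedVendor();
  tamperWithPromise();
  try {
    const s1 = shielded.vendResolved(1);
    const s2 = shielded.vendRejected(new Error("constructed"));
    const u1 = unshielded.vendResolved(1);
    const u2 = unshielded.vendRejected(new Error("constructed"));
    // Keep the real rejected promise from surfacing as an unhandled rejection.
    if (isRealPromise(s2)) s2.catch(() => {});
    return {
      shieldedOk: isRealPromise(s1) && isRealPromise(s2),
      unshieldedOk: isRealPromise(u1) && isRealPromise(u2),
    };
  } finally {
    restorePromise();
  }
}

console.log(demonstrate()); // { shieldedOk: true, unshieldedOk: false }
```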
1788
1789 2015-11-04  Benjamin Poulain  <bpoulain@apple.com>
1790
1791         [JSC] Add B3-to-Air lowering for the shift opcodes
1792         https://bugs.webkit.org/show_bug.cgi?id=150919
1793
1794         Reviewed by Filip Pizlo.
1795
1796         * assembler/MacroAssemblerX86_64.h:
1797         (JSC::MacroAssemblerX86_64::rshift64):
1798         (JSC::MacroAssemblerX86_64::urshift64):
1799         * assembler/X86Assembler.h:
1800         (JSC::X86Assembler::shrq_CLr):
1801         * b3/B3Const32Value.cpp:
1802         (JSC::B3::Const32Value::shlConstant):
1803         (JSC::B3::Const32Value::sShrConstant):
1804         (JSC::B3::Const32Value::zShrConstant):
1805         * b3/B3Const32Value.h:
1806         * b3/B3Const64Value.cpp:
1807         (JSC::B3::Const64Value::shlConstant):
1808         (JSC::B3::Const64Value::sShrConstant):
1809         (JSC::B3::Const64Value::zShrConstant):
1810         * b3/B3Const64Value.h:
1811         * b3/B3LowerToAir.cpp:
1812         (JSC::B3::Air::LowerToAir::appendShift):
1813         (JSC::B3::Air::LowerToAir::tryShl):
1814         (JSC::B3::Air::LowerToAir::trySShr):
1815         (JSC::B3::Air::LowerToAir::tryZShr):
1816         * b3/B3LoweringMatcher.patterns:
1817         * b3/B3Opcode.h:
1818         * b3/B3ReduceStrength.cpp:
1819         * b3/B3Value.cpp:
1820         (JSC::B3::Value::shlConstant):
1821         (JSC::B3::Value::sShrConstant):
1822         (JSC::B3::Value::zShrConstant):
1823         * b3/B3Value.h:
1824         * b3/air/AirInstInlines.h:
1825         (JSC::B3::Air::isShiftValid):
1826         (JSC::B3::Air::isRshift32Valid):
1827         (JSC::B3::Air::isRshift64Valid):
1828         (JSC::B3::Air::isUrshift32Valid):
1829         (JSC::B3::Air::isUrshift64Valid):
1830         * b3/air/AirOpcode.opcodes:
1831         * b3/testb3.cpp:
1832         (JSC::B3::testShlArgs):
1833         (JSC::B3::testShlImms):
1834         (JSC::B3::testShlArgImm):
1835         (JSC::B3::testShlArgs32):
1836         (JSC::B3::testShlImms32):
1837         (JSC::B3::testShlArgImm32):
1838         (JSC::B3::testSShrArgs):
1839         (JSC::B3::testSShrImms):
1840         (JSC::B3::testSShrArgImm):
1841         (JSC::B3::testSShrArgs32):
1842         (JSC::B3::testSShrImms32):
1843         (JSC::B3::testSShrArgImm32):
1844         (JSC::B3::testZShrArgs):
1845         (JSC::B3::testZShrImms):
1846         (JSC::B3::testZShrArgImm):
1847         (JSC::B3::testZShrArgs32):
1848         (JSC::B3::testZShrImms32):
1849         (JSC::B3::testZShrArgImm32):
1850         (JSC::B3::run):
1851
1852 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
1853
1854         B3 should be able to compile a Check
1855         https://bugs.webkit.org/show_bug.cgi?id=150878
1856
1857         Reviewed by Saam Barati.
1858
1859         The Check opcode in B3 is going to be our main OSR exit mechanism. It is a stackmap
1860         value, so you can pass it any number of additional arguments, and you will get to find
1861         out how those arguments are represented at the point that the value lands in the machine
1862         code. Unlike a Patchpoint, a Check branches on a value, with the goal of supporting full
1863         compare/branch fusion. The stackmap's generator runs in an out-of-line path to which
1864         that branch is linked.
1865
1866         This change fills in the glue necessary to compile a Check and it includes a simple
1867         test of this functionality. That test also happens to check that such simple code will
1868         never use callee-saves, which I think is sensible.
1869
1870         * b3/B3LowerToAir.cpp:
1871         (JSC::B3::Air::LowerToAir::append):
1872         (JSC::B3::Air::LowerToAir::ensureSpecial):
1873         (JSC::B3::Air::LowerToAir::fillStackmap):
1874         (JSC::B3::Air::LowerToAir::tryStackSlot):
1875         (JSC::B3::Air::LowerToAir::tryPatchpoint):
1876         (JSC::B3::Air::LowerToAir::tryCheck):
1877         (JSC::B3::Air::LowerToAir::tryUpsilon):
1878         * b3/B3LoweringMatcher.patterns:
1879         * b3/testb3.cpp:
1880         (JSC::B3::testSimplePatchpoint):
1881         (JSC::B3::testSimpleCheck):
1882         (JSC::B3::run):
1883
1884 2015-10-30  Keith Miller  <keith_miller@apple.com>
1885
1886         Fix endless OSR exits when creating a rope that contains an object that ToPrimitive's to a number.
1887         https://bugs.webkit.org/show_bug.cgi?id=150583
1888
1889         Reviewed by Benjamin Poulain.
1890
1891         Before, we assumed that the result of ToPrimitive on any object was a string.
1892         This had a couple of negative effects. First, the result of ToPrimitive on an
1893         object can be overridden to be any primitive type. In fact, as of ES6, ToPrimitive,
1894         when part of an addition expression, will type hint a number value. Second, even after
1895         repeatedly exiting with a bad type we would continue to think that the result
1896         of ToPrimitive would be a string so we continue to convert StrCats into MakeRope.
1897
1898         The fix is to make Prediction Propagation match the behavior of Fixup and move
1899         canOptimizeStringObjectAccess to DFGGraph.
1900
1901         * bytecode/SpeculatedType.h:
1902         * dfg/DFGFixupPhase.cpp:
1903         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
1904         (JSC::DFG::FixupPhase::fixupToPrimitive):
1905         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
1906         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1907         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): Deleted.
1908         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): Deleted.
1909         * dfg/DFGGraph.cpp:
1910         (JSC::DFG::Graph::isStringPrototypeMethodSane):
1911         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
1912         * dfg/DFGGraph.h:
1913         * dfg/DFGPredictionPropagationPhase.cpp:
1914         (JSC::DFG::PredictionPropagationPhase::resultOfToPrimitive):
1915         (JSC::DFG::resultOfToPrimitive): Deleted.
1932         * tests/stress/string-rope-with-custom-valueof.js: Added.
1933         (catNumber):
1934         (number.valueOf):
1935         (catBool):
1936         (bool.valueOf):
1937         (catUndefined):
1938         (undef.valueOf):
1939         (catRandom):
1940         (random.valueOf):
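
The ToPrimitive behaviour this entry relies on, as an added example (not code from the ChangeLog or from the listed stress test): in an addition, an object is converted with hint "default", so an ordinary object's valueOf() runs before toString() and the primitive that comes back can be a number, boolean or undefined rather than a string. The object names number, bool and undef echo the test file listed above; the remaining objects, functions and inputs are constructed for this illustration.

```javascript
// Added example; not from the WebKit ChangeLog or from JSC's stress test.
// Shows why a JIT must not assume ToPrimitive(object) yields a string when
// the object is an operand of `+`: the hint is "default", which for ordinary
// objects means valueOf() is tried first, and its result decides the type.

// Objects whose valueOf returns a non-string primitive (constructed inputs).
const number = { valueOf() { return 1; } };
const bool = { valueOf() { return true; } };
const undef = { valueOf() { return undefined; } };
// valueOf returning an object is not a primitive, so ToPrimitive falls back to toString().
const objThenString = { valueOf() { return {}; }, toString() { return "s"; } };

function add(lhs, rhs) { return lhs + rhs; }

// Each object in an addition with a string and with a number on the other
// side. Only a string operand forces concatenation; otherwise the valueOf
// result is used numerically.
function additionResults() {
  return {
    strNumber: add("x", number),                 // "x1"
    numNumber: add(1, number),                   // 2
    strBool: add("x", bool),                     // "xtrue"
    numBool: add(1, bool),                       // 2 (true -> 1)
    strUndef: add("x", undef),                   // "xundefined"
    numUndefIsNaN: Number.isNaN(add(1, undef)),  // true
    strFallback: add("x", objThenString),        // "xs"
    objObj: add(number, number),                 // 2: neither side is a string
  };
}

// Which hint each operator passes to ToPrimitive, observed via Symbol.toPrimitive.
function hintsSeen() {
  const seen = [];
  const probe = { [Symbol.toPrimitive](hint) { seen.push(hint); return 7; } };
  void ("x" + probe);  // "default"
  void (1 + probe);    // "default"
  void `${probe}`;     // "string"
  void (probe * 2);    // "number"
  return seen;
}

// A call site that first sees only strings and later sees objects whose
// ToPrimitive result is not a string. Speculating "the result is always a
// string" is wrong from the fourth input on.
function resultTypes() {
  const inputs = ["a", "b", "c", number, bool, undef];
  return inputs.map((v, i) => typeof ((i < 3 ? "pre" : 1) + v));
}
```

Running additionResults() shows that the same object produces a string in one addition and a number in another, which is exactly why the prediction for a StrCat/MakeRope candidate cannot be fixed to String; resultTypes() reproduces the "string for a while, then something else" pattern that caused the repeated exits described above.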
1941
1942 2015-11-04  Xabier Rodriguez Calvar  <calvaris@igalia.com>
1943
1944         Remove bogus global internal functions for properties and prototype retrieval
1945         https://bugs.webkit.org/show_bug.cgi?id=150892
1946
1947         Reviewed by Darin Adler.
1948
1949         Global @getOwnPropertyNames and @getPrototypeOf point to the floor function, so it is bogus dead code.
1950
1951         * runtime/JSGlobalObject.cpp:
1952         (JSC::JSGlobalObject::init): Removed global @getOwnPropertyNames and @getPrototypeOf.
1953
1954 2015-11-03  Benjamin Poulain  <bpoulain@apple.com>
1955
1956         [JSC] Add B3-to-Air lowering for BitXor
1957         https://bugs.webkit.org/show_bug.cgi?id=150872
1958
1959         Reviewed by Filip Pizlo.
1960
1961         * assembler/MacroAssemblerX86Common.h:
1962         (JSC::MacroAssemblerX86Common::xor32):
1963         Fix the indentation.
1964
1965         * b3/B3Const32Value.cpp:
1966         (JSC::B3::Const32Value::bitXorConstant):
1967         * b3/B3Const32Value.h:
1968         * b3/B3Const64Value.cpp:
1969         (JSC::B3::Const64Value::bitXorConstant):
1970         * b3/B3Const64Value.h:
1971         * b3/B3LowerToAir.cpp:
1972         (JSC::B3::Air::LowerToAir::tryXor):
1973         * b3/B3LoweringMatcher.patterns:
1974         * b3/B3ReduceStrength.cpp:
1975         * b3/B3Value.cpp:
1976         (JSC::B3::Value::bitXorConstant):
1977         * b3/B3Value.h:
1978         * b3/air/AirOpcode.opcodes:
1979         * b3/testb3.cpp:
1980         (JSC::B3::testBitXorArgs):
1981         (JSC::B3::testBitXorSameArg):
1982         (JSC::B3::testBitXorImms):
1983         (JSC::B3::testBitXorArgImm):
1984         (JSC::B3::testBitXorImmArg):
1985         (JSC::B3::testBitXorBitXorArgImmImm):
1986         (JSC::B3::testBitXorImmBitXorArgImm):
1987         (JSC::B3::testBitXorArgs32):
1988         (JSC::B3::testBitXorSameArg32):
1989         (JSC::B3::testBitXorImms32):
1990         (JSC::B3::testBitXorArgImm32):
1991         (JSC::B3::testBitXorImmArg32):
1992         (JSC::B3::testBitXorBitXorArgImmImm32):
1993         (JSC::B3::testBitXorImmBitXorArgImm32):
1994         (JSC::B3::run):
1995
1996 2015-11-03  Mark Lam  <mark.lam@apple.com>
1997
1998         Add op_add tests to compare behavior of JIT generated code to the LLINT's.
1999         https://bugs.webkit.org/show_bug.cgi?id=150864
2000
2001         Reviewed by Saam Barati.
2002
2003         * tests/stress/op_add.js: Added.
2004         (o1.valueOf):
2005         (generateScenarios):
2006         (printScenarios):
2007         (testCases.func):
2008         (func):
2009         (initializeTestCases):
2010         (runTest):
2011
2012 2015-11-03  Mark Lam  <mark.lam@apple.com>
2013
2014         Rename DFG's compileAdd to compileArithAdd.
2015         https://bugs.webkit.org/show_bug.cgi?id=150866
2016
2017         Reviewed by Benjamin Poulain.
2018
2019         The function is only supposed to generate code to do arithmetic addition on
2020         numeric types.  Naming it compileArithAdd() is more accurate, and is consistent
2021         with the name of the node it emits code for (i.e. ArithAdd) as well as other
2022         compiler functions for analogous operations e.g. compileArithSub.
2023
2024         * dfg/DFGSpeculativeJIT.cpp:
2025         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
2026         (JSC::DFG::SpeculativeJIT::compileArithAdd):
2027         (JSC::DFG::SpeculativeJIT::compileAdd): Deleted.
2028         * dfg/DFGSpeculativeJIT.h:
2029         * dfg/DFGSpeculativeJIT32_64.cpp:
2030         (JSC::DFG::SpeculativeJIT::compile):
2031         * dfg/DFGSpeculativeJIT64.cpp:
2032         (JSC::DFG::SpeculativeJIT::compile):
2033
2034 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
2035
2036         Web Inspector: Remove duplication among ScriptDebugServer subclasses
2037         https://bugs.webkit.org/show_bug.cgi?id=150860
2038
2039         Reviewed by Timothy Hatcher.
2040
2041         ScriptDebugServer expects a list of listeners to dispatch events to.
2042         However each of its subclasses had their own implementation of the
2043         list because of different handling when the first was added or when
2044         the last was removed. Extract common code into ScriptDebugServer
2045         which simplifies things.
2046
2047         Subclasses now only implement the virtual methods "attachDebugger"
2048         and "detachDebugger", which do the unique work done when the first
2049         listener is added or the last is removed.
2050
2051         * inspector/JSGlobalObjectScriptDebugServer.cpp:
2052         (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
2053         (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
2054         (Inspector::JSGlobalObjectScriptDebugServer::addListener): Deleted.
2055         (Inspector::JSGlobalObjectScriptDebugServer::removeListener): Deleted.
2056         * inspector/JSGlobalObjectScriptDebugServer.h:
2057         * inspector/ScriptDebugServer.cpp:
2058         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
2059         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
2060         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
2061         (Inspector::ScriptDebugServer::sourceParsed):
2062         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
2063         (Inspector::ScriptDebugServer::addListener):
2064         (Inspector::ScriptDebugServer::removeListener):
2065         * inspector/ScriptDebugServer.h:
2066         * inspector/agents/InspectorDebuggerAgent.cpp:
2067         (Inspector::InspectorDebuggerAgent::enable):
2068         (Inspector::InspectorDebuggerAgent::disable):
2069         * inspector/agents/InspectorDebuggerAgent.h:
2070         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2071         (Inspector::JSGlobalObjectDebuggerAgent::startListeningScriptDebugServer): Deleted.
2072         (Inspector::JSGlobalObjectDebuggerAgent::stopListeningScriptDebugServer): Deleted.
2073         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2074
2075         * inspector/ScriptDebugListener.h:
2076         (Inspector::ScriptDebugListener::Script::Script):
2077         Drive-by convert Script to a struct, it has public fields and is used as such.
2078
2079 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
2080
2081         B3::LowerToAir should recognize Neg (i.e. Sub($0, value))
2082         https://bugs.webkit.org/show_bug.cgi?id=150759
2083
2084         Reviewed by Benjamin Poulain.
2085
2086         Adds various forms of Sub(0, value) and compiles them as Neg. Also fixes a bug in
2087         StoreSubLoad. This bug was correctness-benign, so I couldn't add a test for it.
2088
2089         * b3/B3LowerToAir.cpp:
2090         (JSC::B3::Air::LowerToAir::immOrTmp):
2091         (JSC::B3::Air::LowerToAir::appendUnOp):
2092         (JSC::B3::Air::LowerToAir::appendBinOp):
2093         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
2094         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
2095         (JSC::B3::Air::LowerToAir::trySub):
2096         (JSC::B3::Air::LowerToAir::tryStoreSubLoad):
2097         * b3/B3LoweringMatcher.patterns:
2098         * b3/air/AirOpcode.opcodes:
2099         * b3/testb3.cpp:
2100         (JSC::B3::testAdd1Ptr):
2101         (JSC::B3::testNeg32):
2102         (JSC::B3::testNegPtr):
2103         (JSC::B3::testStoreAddLoad):
2104         (JSC::B3::testStoreAddAndLoad):
2105         (JSC::B3::testStoreNegLoad32):
2106         (JSC::B3::testStoreNegLoadPtr):
2107         (JSC::B3::testAdd1Uncommuted):
2108         (JSC::B3::run):
2109
2110 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
2111
2112         B3::Values that have effects should allow specification of custom HeapRanges
2113         https://bugs.webkit.org/show_bug.cgi?id=150535
2114
2115         Reviewed by Benjamin Poulain.
2116
2117         Add an Effects field to calls and patchpoints. Add a HeapRange to MemoryValues.
2118
2119         In the process, I created a class for the CCall opcode, so that it has somewhere to put
2120         the Effects field.
2121
2122         While doing this, I realized that we didn't have a good way of ensuring that an opcode
2123         that requires a specific subclass was actually created with that subclass. So, I added
2124         assertions for this.
2125
2126         * CMakeLists.txt:
2127         * JavaScriptCore.xcodeproj/project.pbxproj:
2128         * b3/B3ArgumentRegValue.h:
2129         * b3/B3CCallValue.cpp: Added.
2130         * b3/B3CCallValue.h: Added.
2131         * b3/B3CheckValue.h:
2132         * b3/B3Const32Value.h:
2133         * b3/B3Const64Value.h:
2134         * b3/B3ConstDoubleValue.h:
2135         (JSC::B3::ConstDoubleValue::ConstDoubleValue):
2136         * b3/B3ControlValue.h:
2137         * b3/B3Effects.h:
2138         (JSC::B3::Effects::forCall):
2139         (JSC::B3::Effects::mustExecute):
2140         * b3/B3MemoryValue.h:
2141         * b3/B3PatchpointValue.h:
2142         * b3/B3StackSlotValue.h:
2143         * b3/B3UpsilonValue.h:
2144         * b3/B3Value.cpp:
2145         (JSC::B3::Value::effects):
2146         (JSC::B3::Value::dumpMeta):
2147         (JSC::B3::Value::checkOpcode):
2148         (JSC::B3::Value::typeFor):
2149         * b3/B3Value.h:
2150
2151 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
2152
2153         B3::Stackmap should be a superclass of B3::PatchpointValue and B3::CheckValue rather than being one of their members
2154         https://bugs.webkit.org/show_bug.cgi?id=150831
2155
2156         Rubber stamped by Benjamin Poulain.
2157
2158         Previously, Stackmap was a value that PatchpointValue and CheckValue would hold as a field.
2159         We'd have convenient ways of getting this field, like via Value::stackmap(). But this was a
2160         bit ridiculous, since Stackmap is logically just a common supertype for PatchpointValue and
2161         CheckValue. This patch makes this reality by replacing Stackmap with StackmapValue. This makes
2162         the code a lot more reasonable.
2163
2164         I also needed to make dumping a bit more customizable, so I changed dumpMeta() to take a
2165         CommaPrinter&. This gives subclasses better control over whether or not to emit a comma. Also
2166         it's now possible for subclasses of Value to customize how children are printed. StackmapValue
2167         uses this to print the children and their reps together like:
2168
2169             Int32 @2 = Patchpoint(@0:SomeRegister, @1:SomeRegister, generator = 0x1107ec010, clobbered = [], usedRegisters = [], ExitsSideways|ControlDependent|Writes:Top|Reads:Top)
2170
2171         This has no behavior change, it's just a big refactoring. You can see how much simpler this
2172         makes things by looking at the testSimplePatchpoint() test.
2173
2174         * CMakeLists.txt:
2175         * JavaScriptCore.xcodeproj/project.pbxproj:
2176         * b3/B3ArgumentRegValue.cpp:
2177         (JSC::B3::ArgumentRegValue::~ArgumentRegValue):
2178         (JSC::B3::ArgumentRegValue::dumpMeta):
2179         * b3/B3ArgumentRegValue.h:
2180         * b3/B3CheckSpecial.cpp:
2181         (JSC::B3::CheckSpecial::generate):
2182         * b3/B3CheckValue.cpp:
2183         (JSC::B3::CheckValue::~CheckValue):
2184         (JSC::B3::CheckValue::CheckValue):
2185         (JSC::B3::CheckValue::dumpMeta): Deleted.
2186         * b3/B3CheckValue.h:
2187         (JSC::B3::CheckValue::accepts):
2188         * b3/B3Const32Value.cpp:
2189         (JSC::B3::Const32Value::notEqualConstant):
2190         (JSC::B3::Const32Value::dumpMeta):
2191         * b3/B3Const32Value.h:
2192         * b3/B3Const64Value.cpp:
2193         (JSC::B3::Const64Value::notEqualConstant):
2194         (JSC::B3::Const64Value::dumpMeta):
2195         * b3/B3Const64Value.h:
2196         * b3/B3ConstDoubleValue.cpp:
2197         (JSC::B3::ConstDoubleValue::notEqualConstant):
2198         (JSC::B3::ConstDoubleValue::dumpMeta):
2199         * b3/B3ConstDoubleValue.h:
2200         * b3/B3ConstrainedValue.cpp: Added.
2201         (JSC::B3::ConstrainedValue::dump):
2202         * b3/B3ConstrainedValue.h: Added.
2203         (JSC::B3::ConstrainedValue::ConstrainedValue):
2204         (JSC::B3::ConstrainedValue::operator bool):
2205         (JSC::B3::ConstrainedValue::value):
2206         (JSC::B3::ConstrainedValue::rep):
2207         * b3/B3ControlValue.cpp:
2208         (JSC::B3::ControlValue::convertToJump):
2209         (JSC::B3::ControlValue::dumpMeta):
2210         * b3/B3ControlValue.h:
2211         * b3/B3LowerToAir.cpp:
2212         (JSC::B3::Air::LowerToAir::tryPatchpoint):
2213         * b3/B3MemoryValue.cpp:
2214         (JSC::B3::MemoryValue::accessByteSize):
2215         (JSC::B3::MemoryValue::dumpMeta):
2216         * b3/B3MemoryValue.h:
2217         * b3/B3PatchpointSpecial.cpp:
2218         (JSC::B3::PatchpointSpecial::generate):
2219         * b3/B3PatchpointValue.cpp:
2220         (JSC::B3::PatchpointValue::~PatchpointValue):
2221         (JSC::B3::PatchpointValue::PatchpointValue):
2222         (JSC::B3::PatchpointValue::dumpMeta): Deleted.
2223         * b3/B3PatchpointValue.h:
2224         (JSC::B3::PatchpointValue::accepts):
2225         * b3/B3StackSlotValue.cpp:
2226         (JSC::B3::StackSlotValue::~StackSlotValue):
2227         (JSC::B3::StackSlotValue::dumpMeta):
2228         * b3/B3StackSlotValue.h:
2229         * b3/B3Stackmap.cpp: Removed.
2230         * b3/B3Stackmap.h: Removed.
2231         * b3/B3StackmapSpecial.cpp:
2232         (JSC::B3::StackmapSpecial::reportUsedRegisters):
2233         (JSC::B3::StackmapSpecial::extraClobberedRegs):
2234         (JSC::B3::StackmapSpecial::forEachArgImpl):
2235         (JSC::B3::StackmapSpecial::isValidImpl):
2236         (JSC::B3::StackmapSpecial::admitsStackImpl):
2237         * b3/B3StackmapSpecial.h:
2238         * b3/B3StackmapValue.cpp: Added.
2239         (JSC::B3::StackmapValue::~StackmapValue):
2240         (JSC::B3::StackmapValue::append):
2241         (JSC::B3::StackmapValue::setConstrainedChild):
2242         (JSC::B3::StackmapValue::setConstraint):
2243         (JSC::B3::StackmapValue::dumpChildren):
2244         (JSC::B3::StackmapValue::dumpMeta):
2245         (JSC::B3::StackmapValue::StackmapValue):
2246         * b3/B3StackmapValue.h: Added.
2247         * b3/B3SwitchValue.cpp:
2248         (JSC::B3::SwitchValue::appendCase):
2249         (JSC::B3::SwitchValue::dumpMeta):
2250         (JSC::B3::SwitchValue::SwitchValue):
2251         * b3/B3SwitchValue.h:
2252         * b3/B3UpsilonValue.cpp:
2253         (JSC::B3::UpsilonValue::~UpsilonValue):
2254         (JSC::B3::UpsilonValue::dumpMeta):
2255         * b3/B3UpsilonValue.h:
2256         * b3/B3Validate.cpp:
2257         * b3/B3Value.cpp:
2258         (JSC::B3::Value::dump):
2259         (JSC::B3::Value::dumpChildren):
2260         (JSC::B3::Value::deepDump):
2261         (JSC::B3::Value::performSubstitution):
2262         (JSC::B3::Value::dumpMeta):
2263         * b3/B3Value.h:
2264         * b3/B3ValueInlines.h:
2265         (JSC::B3::Value::asNumber):
2266         (JSC::B3::Value::stackmap): Deleted.
2267         * b3/B3ValueRep.h:
2268         (JSC::B3::ValueRep::kind):
2269         (JSC::B3::ValueRep::operator==):
2270         (JSC::B3::ValueRep::operator!=):
2271         (JSC::B3::ValueRep::operator bool):
2272         (JSC::B3::ValueRep::isAny):
2273         * b3/air/AirInstInlines.h:
2274         * b3/testb3.cpp:
2275         (JSC::B3::testSimplePatchpoint):
2276
2277 2015-11-03  Benjamin Poulain  <bpoulain@apple.com>
2278
2279         [JSC] Add Air lowering for BitOr and improve BitAnd
2280         https://bugs.webkit.org/show_bug.cgi?id=150827
2281
2282         Reviewed by Filip Pizlo.
2283
2284         In this patch:
2285         -B3 to Air lowering for BitOr.
2286         -Codegen for BitOr.
2287         -Strength reduction for BitOr and BitAnd.
2288         -Tests for BitAnd and BitOr.
2289         -Bug fix: Move64 with a negative value was destroying the top bits.
2290
2291         * b3/B3Const32Value.cpp:
2292         (JSC::B3::Const32Value::bitAndConstant):
2293         (JSC::B3::Const32Value::bitOrConstant):
2294         * b3/B3Const32Value.h:
2295         * b3/B3Const64Value.cpp:
2296         (JSC::B3::Const64Value::bitAndConstant):
2297         (JSC::B3::Const64Value::bitOrConstant):
2298         * b3/B3Const64Value.h:
2299         * b3/B3LowerToAir.cpp:
2300         (JSC::B3::Air::LowerToAir::immForMove):
2301         (JSC::B3::Air::LowerToAir::immOrTmpForMove):
2302         (JSC::B3::Air::LowerToAir::tryOr):
2303         (JSC::B3::Air::LowerToAir::tryConst64):
2304         (JSC::B3::Air::LowerToAir::tryUpsilon):
2305         (JSC::B3::Air::LowerToAir::tryIdentity):
2306         (JSC::B3::Air::LowerToAir::tryReturn):
2307         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
2308         * b3/B3LoweringMatcher.patterns:
2309         * b3/B3ReduceStrength.cpp:
2310         * b3/B3Value.cpp:
2311         (JSC::B3::Value::bitAndConstant):
2312         (JSC::B3::Value::bitOrConstant):
2313         * b3/B3Value.h:
2314         * b3/air/AirOpcode.opcodes:
2315         * b3/testb3.cpp:
2316         (JSC::B3::testReturnConst64):
2317         (JSC::B3::testBitAndArgs):
2318         (JSC::B3::testBitAndSameArg):
2319         (JSC::B3::testBitAndImms):
2320         (JSC::B3::testBitAndArgImm):
2321         (JSC::B3::testBitAndImmArg):
2322         (JSC::B3::testBitAndBitAndArgImmImm):
2323         (JSC::B3::testBitAndImmBitAndArgImm):
2324         (JSC::B3::testBitAndArgs32):
2325         (JSC::B3::testBitAndSameArg32):
2326         (JSC::B3::testBitAndImms32):
2327         (JSC::B3::testBitAndArgImm32):
2328         (JSC::B3::testBitAndImmArg32):
2329         (JSC::B3::testBitAndBitAndArgImmImm32):
2330         (JSC::B3::testBitAndImmBitAndArgImm32):
2331         (JSC::B3::testBitOrArgs):
2332         (JSC::B3::testBitOrSameArg):
2333         (JSC::B3::testBitOrImms):
2334         (JSC::B3::testBitOrArgImm):
2335         (JSC::B3::testBitOrImmArg):
2336         (JSC::B3::testBitOrBitOrArgImmImm):
2337         (JSC::B3::testBitOrImmBitOrArgImm):
2338         (JSC::B3::testBitOrArgs32):
2339         (JSC::B3::testBitOrSameArg32):
2340         (JSC::B3::testBitOrImms32):
2341         (JSC::B3::testBitOrArgImm32):
2342         (JSC::B3::testBitOrImmArg32):
2343         (JSC::B3::testBitOrBitOrArgImmImm32):
2344         (JSC::B3::testBitOrImmBitOrArgImm32):
2345         (JSC::B3::run):
2346
2347 2015-11-03  Saam barati  <sbarati@apple.com>
2348
2349         Rewrite "const" as "var" for iTunes/iBooks on the Mac
2350         https://bugs.webkit.org/show_bug.cgi?id=150852
2351
2352         Reviewed by Geoffrey Garen.
2353
2354         VM now has a setting indicating if we should treat
2355         "const" variables as "var" to more closely match
2356         JSC's previous implementation of "const" before ES6.
2357
2358         * parser/Parser.h:
2359         (JSC::Parser::next):
2360         (JSC::Parser::nextExpectIdentifier):
2361         * runtime/VM.h:
2362         (JSC::VM::setShouldRewriteConstAsVar):
2363         (JSC::VM::shouldRewriteConstAsVar):
2364
2365 2015-11-03  Mark Lam  <mark.lam@apple.com>
2366
2367         Fix some inefficiencies in the baseline usage of JITAddGenerator.
2368         https://bugs.webkit.org/show_bug.cgi?id=150850
2369
2370         Reviewed by Michael Saboff.
2371
2372         1. emit_op_add() was loading the operands twice.  Removed the redundant load.
2373         2. The snippet may decide that it wants to go the slow path route all the time.
2374            In that case, emit_op_add will end up emitting a branch to an out of line
2375            slow path followed by some dead code to store the result of the fast path
2376            on to the stack.
2377            We now check if the snippet determined that there's no fast path, and just
2378            emit the slow path inline, and skip the dead store of the fast path result.
2379
2380         * jit/JITArithmetic.cpp:
2381         (JSC::JIT::emit_op_add):
2382
2383 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
2384
2385         B3::LowerToAir should do copy propagation
2386         https://bugs.webkit.org/show_bug.cgi?id=150775
2387
2388         Reviewed by Geoffrey Garen.
2389
2390         What we are trying to do is remove the unnecessary Move's and Move32's from Trunc and ZExt32.
2391         You could think of this as an Air optimization, and indeed, Air is powerful enough that we
2392         could write a phase that does copy propagation through Move's and Move32's. For Move32's it
2393         would only copy-propagate if it proved that the value was already zero-extended. We could
2394         know this by just adding a Def32 role to Air.
2395
2396         But this patch takes a different approach: we ensure that we don't generate such redundant
2397         Move's and Move32's to begin with. The reason is that it's much cheaper to do analysis over
2398         B3 than over Air. So, whenever possible, an optimization should be implemented in B3. In
2399         this case the optimization can't quite be implemented in B3 because you cannot remove a Trunc
2400         or ZExt32 without violating the B3 type system. So, the best place to do this optimization is
2401         during lowering: we can use B3 for our analysis and we can use Air to express the
2402         transformation.
2403
2404         Copy propagating during B3->Air lowering is natural because we are creating "SSA-like" Tmps
2405         from the B3 Values. They are SSA-like in the sense that, except for the tmp of a Phi, we know
2406         that the Tmp will be assigned once and that the assignment will dominate all uses. So, if we
2407         see an operation like Trunc that is semantically just a Move, we can skip the Move and just
2408         claim that the Trunc has the same Tmp as its child. We do something similar for ZExt32,
2409         except with that one we have to analyze IR to ensure that the value will actually be zero
2410         extended. Note that this kind of reasoning about how Tmps work in Air is only possible in the
2411         B3->Air lowering, since at that point we know for sure which Tmps behave this way. If we
2412         wanted to do anything like this as a later Air phase, we'd have to do more analysis to first
2413         prove that Tmps behave in this way.
2414
2415         * b3/B3LowerToAir.cpp:
2416         (JSC::B3::Air::LowerToAir::run):
2417         (JSC::B3::Air::LowerToAir::highBitsAreZero):
2418         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
2419         (JSC::B3::Air::LowerToAir::tmp):
2420         (JSC::B3::Air::LowerToAir::tryStore):
2421         (JSC::B3::Air::LowerToAir::tryTrunc):
2422         (JSC::B3::Air::LowerToAir::tryZExt32):
2423         (JSC::B3::Air::LowerToAir::tryIdentity):
2424         (JSC::B3::Air::LowerToAir::tryTruncArgumentReg): Deleted.
2425         * b3/B3LoweringMatcher.patterns:
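
The copy-propagation idea described in this entry, as an added toy model (not code from the WebKit ChangeLog or from JavaScriptCore): Trunc is lowered to no instruction at all, so its Tmp aliases the child's 64-bit Tmp and may carry garbage in the high 32 bits; ZExt32 may alias its child only when an analysis proves those bits are already zero. The opcode names follow the entry; the IR shape, the highBitsAreZero rules, the Arg64 opcode and the register simulator are assumptions made for the illustration. An unsound variant that always aliases ZExt32 is included beside the sound one to show what the analysis prevents.

```javascript
// Added example; not code from the WebKit ChangeLog or from JavaScriptCore.
// Toy model of lowering Trunc/ZExt32 without emitting Move/Move32 when the
// B3-level analysis allows it. IR shape, rules and simulator are assumptions.

let nextId = 0;
function value(opcode, type, children = [], imm = 0) {
  return { id: nextId++, opcode, type, children, imm: BigInt(imm) };
}

// Conservative answer to "does the Tmp holding v have zero in bits 32..63?"
function highBitsAreZero(v) {
  // Trunc aliases a 64-bit Tmp (high bits unknown); Const32/Add32 are modelled
  // as 32-bit writes that zero-extend, as on x86-64. Everything else: unknown.
  return v.opcode === "Const32" || v.opcode === "Add32";
}

// Lower values (in program order) to a flat Air-like instruction list.
// trustZExt32Children = true is the unsound variant that always aliases
// ZExt32 to its child; it exists only to show what the analysis prevents.
function lower(values, { trustZExt32Children = false } = {}) {
  const tmps = new Map();
  let nextTmp = 0;
  function tmp(v) {
    if (v.opcode === "Trunc")
      return tmp(v.children[0]);   // semantically a Move: copy-propagate
    if (v.opcode === "ZExt32" && (trustZExt32Children || highBitsAreZero(v.children[0])))
      return tmp(v.children[0]);   // provably zero-extended: copy-propagate
    if (!tmps.has(v.id)) tmps.set(v.id, `%t${nextTmp++}`);
    return tmps.get(v.id);
  }
  const insts = [];
  for (const v of values) {
    switch (v.opcode) {
    case "Arg64":   insts.push({ op: "Arg", arg: Number(v.imm), dst: tmp(v) }); break;
    case "Const32": insts.push({ op: "Move32", imm: v.imm, dst: tmp(v) }); break;
    case "Trunc":   break;  // no instruction at all
    case "ZExt32":
      if (tmp(v) !== tmp(v.children[0]))
        insts.push({ op: "Move32", src: tmp(v.children[0]), dst: tmp(v) });
      break;
    case "Add32":
      insts.push({ op: "Add32", a: tmp(v.children[0]), b: tmp(v.children[1]), dst: tmp(v) });
      break;
    case "Return":  insts.push({ op: "Return", src: tmp(v.children[0]) }); break;
    default: throw new Error("unhandled opcode " + v.opcode);
    }
  }
  return insts;
}

// Execute on 64-bit registers: 32-bit writes zero-extend, 64-bit writes keep every bit.
function run(insts, args) {
  const regs = new Map();
  const read = (r) => regs.get(r) ?? 0n;
  for (const i of insts) {
    switch (i.op) {
    case "Arg":    regs.set(i.dst, BigInt.asUintN(64, args[i.arg])); break;
    case "Move32": regs.set(i.dst, BigInt.asUintN(32, i.src !== undefined ? read(i.src) : i.imm)); break;
    case "Add32":  regs.set(i.dst, BigInt.asUintN(32, read(i.a) + read(i.b))); break;
    case "Return": return read(i.src);
    }
  }
  throw new Error("no Return");
}

// Register-to-register Move32s are exactly the copies the optimization tries to avoid.
function countRegMoves(insts) {
  return insts.filter((i) => i.op === "Move32" && i.src !== undefined).length;
}

// Return(ZExt32(Trunc(arg0))) must yield arg0 & 0xffffffff; the Trunc child forces a real Move32.
function truncThenZExt() {
  const x = value("Arg64", "Int64", [], 0);
  const t = value("Trunc", "Int32", [x]);
  const z = value("ZExt32", "Int64", [t]);
  return [x, t, z, value("Return", "Void", [z])];
}

// Return(ZExt32(Add32(Const32(7), Trunc(arg0)))): Add32 zero-extends, so ZExt32 aliases it.
function addThenZExt() {
  const x = value("Arg64", "Int64", [], 0);
  const c = value("Const32", "Int32", [], 7);
  const t = value("Trunc", "Int32", [x]);
  const s = value("Add32", "Int32", [c, t]);
  const z = value("ZExt32", "Int64", [s]);
  return [x, c, t, s, z, value("Return", "Void", [z])];
}

function demo() {
  const input = 0xffffffff00000005n;  // constructed: garbage in the high 32 bits
  const sound = lower(truncThenZExt());
  const unsound = lower(truncThenZExt(), { trustZExt32Children: true });
  const fused = lower(addThenZExt());
  return {
    soundResult: run(sound, [input]),        // 5n
    soundRegMoves: countRegMoves(sound),     // 1: the Move32 is really needed
    unsoundResult: run(unsound, [input]),    // 0xffffffff00000005n: high bits leak
    unsoundRegMoves: countRegMoves(unsound), // 0
    fusedResult: run(fused, [input]),        // 12n
    fusedRegMoves: countRegMoves(fused),     // 0: no copy, and still correct
  };
}
```

The point of the two program shapes is the one the entry makes: the analysis runs over the B3-level values (what produced the child), while the transformation is expressed in the emitted instructions (which Tmp a value maps to). Skipping the Move32 is safe only where the producer is known to zero-extend; treating a Trunc's Tmp as zero-extended is the kind of assumption that silently returns the wrong 64-bit value.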
2426
2427 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
2428
2429         Web Inspector: Move ScriptDebugServer::Task to WorkerScriptDebugServer where it is actually used
2430         https://bugs.webkit.org/show_bug.cgi?id=150847
2431
2432         Reviewed by Timothy Hatcher.
2433
2434         * inspector/ScriptDebugServer.h:
2435         Remove Task from here, it isn't needed in the general case.
2436
2437         * parser/SourceProvider.h:
2438         Remove unimplemented method.
2439
2440 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
2441
2442         Web Inspector: Handle or Remove ParseHTML Timeline Event Records
2443         https://bugs.webkit.org/show_bug.cgi?id=150689
2444
2445         Reviewed by Timothy Hatcher.
2446
2447         * inspector/protocol/Timeline.json:
2448
2449 2015-11-03  Michael Saboff  <msaboff@apple.com>
2450
2451         Rename InlineCallFrame::getCallerSkippingDeadFrames to something more descriptive
2452         https://bugs.webkit.org/show_bug.cgi?id=150832
2453
2454         Reviewed by Geoffrey Garen.
2455
2456         Renamed InlineCallFrame::getCallerSkippingDeadFrames() to getCallerSkippingTailCalls().
2457         Did similar renaming to helper InlineCallFrame::computeCallerSkippingTailCalls() and
2458         InlineCallFrame::getCallerInlineFrameSkippingTailCalls().
2459
2460         * bytecode/InlineCallFrame.h:
2461         (JSC::InlineCallFrame::computeCallerSkippingTailCalls):
2462         (JSC::InlineCallFrame::getCallerSkippingTailCalls):
2463         (JSC::InlineCallFrame::getCallerInlineFrameSkippingTailCalls):
2464         (JSC::InlineCallFrame::computeCallerSkippingDeadFrames): Deleted.
2465         (JSC::InlineCallFrame::getCallerSkippingDeadFrames): Deleted.
2466         (JSC::InlineCallFrame::getCallerInlineFrameSkippingDeadFrames): Deleted.
2467         * dfg/DFGByteCodeParser.cpp:
2468         (JSC::DFG::ByteCodeParser::allInlineFramesAreTailCalls):
2469         (JSC::DFG::ByteCodeParser::currentCodeOrigin):
2470         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
2471         * dfg/DFGGraph.cpp:
2472         (JSC::DFG::Graph::isLiveInBytecode):
2473         * dfg/DFGGraph.h:
2474         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2475         * dfg/DFGOSRExitCompilerCommon.cpp:
2476         (JSC::DFG::reifyInlinedCallFrames):
2477         * dfg/DFGPreciseLocalClobberize.h:
2478         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2479         * dfg/DFGSpeculativeJIT32_64.cpp:
2480         (JSC::DFG::SpeculativeJIT::emitCall):
2481         * dfg/DFGSpeculativeJIT64.cpp:
2482         (JSC::DFG::SpeculativeJIT::emitCall):
2483         * ftl/FTLLowerDFGToLLVM.cpp:
2484         (JSC::FTL::DFG::LowerDFGToLLVM::codeOriginDescriptionOfCallSite):
2485         * interpreter/StackVisitor.cpp:
2486         (JSC::StackVisitor::gotoNextFrame):
2487
2488 2015-11-02  Filip Pizlo  <fpizlo@apple.com>
2489
2490         B3/Air should use bubble sort for their insertion sets, because it's faster than std::stable_sort
2491         https://bugs.webkit.org/show_bug.cgi?id=150828
2492
2493         Reviewed by Geoffrey Garen.
2494
2495         Undo the 2% compile time regression caused by http://trac.webkit.org/changeset/191913.
2496
2497         * b3/B3InsertionSet.cpp:
2498         (JSC::B3::InsertionSet::execute): Switch to bubble sort.
2499         * b3/air/AirInsertionSet.cpp:
2500         (JSC::B3::Air::InsertionSet::execute): Switch to bubble sort.
2501         * dfg/DFGBlockInsertionSet.cpp:
2502         (JSC::DFG::BlockInsertionSet::execute): Switch back to quicksort.
2503
2504 2015-11-03  Csaba Osztrogonác  <ossy@webkit.org>
2505
2506         Unreviewed, partially revert r191952.
2507
2508         Removed GCC compiler workarounds (unreachable returns).
2509
2510         * b3/B3Type.h:
2511         (JSC::B3::sizeofType):
2512         * b3/air/AirArg.h:
2513         (JSC::B3::Air::Arg::isUse):
2514         (JSC::B3::Air::Arg::isDef):
2515         (JSC::B3::Air::Arg::isGP):
2516         (JSC::B3::Air::Arg::isFP):
2517         (JSC::B3::Air::Arg::isType):
2518         * b3/air/AirCode.h:
2519         (JSC::B3::Air::Code::newTmp):
2520         (JSC::B3::Air::Code::numTmps):
2521
2522 2015-11-03  Csaba Osztrogonác  <ossy@webkit.org>
2523
2524         Fix the ENABLE(B3_JIT) build on Linux
2525         https://bugs.webkit.org/show_bug.cgi?id=150794
2526
2527         Reviewed by Darin Adler.
2528
2529         * CMakeLists.txt:
2530         * b3/B3HeapRange.h:
2531         * b3/B3IndexSet.h:
2532         (JSC::B3::IndexSet::Iterable::iterator::operator++):
2533         * b3/B3Type.h:
2534         (JSC::B3::sizeofType):
2535         * b3/air/AirArg.cpp:
2536         (JSC::B3::Air::Arg::dump):
2537         * b3/air/AirArg.h:
2538         (JSC::B3::Air::Arg::isUse):
2539         (JSC::B3::Air::Arg::isDef):
2540         (JSC::B3::Air::Arg::isGP):
2541         (JSC::B3::Air::Arg::isFP):
2542         (JSC::B3::Air::Arg::isType):
2543         * b3/air/AirCode.h:
2544         (JSC::B3::Air::Code::newTmp):
2545         (JSC::B3::Air::Code::numTmps):
2546         * b3/air/AirSpecial.cpp:
2547
2548 2015-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2549
2550         Clean up ENABLE(ES6_ARROWFUNCTION_SYNTAX) ifdefs and keep minimal set of them
2551         https://bugs.webkit.org/show_bug.cgi?id=150793
2552
2553         Reviewed by Darin Adler.
2554
2555         Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r191875.
2556         This patch drops many ENABLE(ES6_ARROWFUNCTION_SYNTAX) ifdefs and keeps only one of them;
2557         the ifdef in parseAssignmentExpression.
2558         This prevents functionality of parsing arrow function syntax.
2559
2560         * parser/Lexer.cpp:
2561         (JSC::Lexer<T>::lex):
2562         * parser/Parser.cpp:
2563         (JSC::Parser<LexerType>::parseInner): Deleted.
2564         * parser/Parser.h:
2565         (JSC::Parser::isArrowFunctionParamters): Deleted.
2566         * parser/ParserTokens.h:
2567
2568 2015-11-02  Michael Saboff  <msaboff@apple.com>
2569
2570         WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading
2571         https://bugs.webkit.org/show_bug.cgi?id=150745
2572
2573         Reviewed by Geoffrey Garen.
2574
2575         During OSR exit, reifyInlinedCallFrames() was using the call kind from a tail call to
2576         find the CallLinkInfo / StubInfo to find the return PC.  Instead we need to get the call
2577         type of the true caller, that is the function we'll be returning to.
2578
2579         This can be found by remembering the last call type we find while walking up the inlined
2580         frames in InlineCallFrame::getCallerSkippingDeadFrames().
2581
2582         We can also return directly back to a getter or setter callsite without using a thunk.
2583
2584         * bytecode/InlineCallFrame.h:
2585         (JSC::InlineCallFrame::computeCallerSkippingDeadFrames):
2586         (JSC::InlineCallFrame::getCallerSkippingDeadFrames):
2587         * dfg/DFGOSRExitCompilerCommon.cpp:
2588         (JSC::DFG::reifyInlinedCallFrames):
2589         * jit/JITPropertyAccess.cpp:
2590         (JSC::JIT::emit_op_get_by_id): Need to eliminate the stack pointer check, as it is wrong
2591         for reified inlined frames created during OSR exit. 
2592         * jit/ThunkGenerators.cpp:
2593         (JSC::baselineGetterReturnThunkGenerator): Deleted.
2594         (JSC::baselineSetterReturnThunkGenerator): Deleted.
2595         * jit/ThunkGenerators.h:
2596
2597 2015-11-02  Saam barati  <sbarati@apple.com>
2598
2599         Wrong value recovery for DFG try/catch with a getter that throws during an IC miss
2600         https://bugs.webkit.org/show_bug.cgi?id=150760
2601
2602         Reviewed by Geoffrey Garen.
2603
2604         This is related to using PhantomLocal instead of Flush as 
2605         the liveness preservation mechanism for live catch variables. 
2606         I'm temporarily switching things back to Flush. This will be a
2607         performance hit for try/catch in the DFG. Landing this patch,
2608         though, will allow me to land try/catch in the FTL. It also
2609         makes try/catch in the DFG sound. I have opened another
2610         bug to further investigate using PhantomLocal as the
2611         liveness preservation mechanism: https://bugs.webkit.org/show_bug.cgi?id=150824
2612
2613         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2614         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
2615         * tests/stress/dfg-try-catch-wrong-value-recovery-on-ic-miss.js: Added.
2616         (assert):
2617         (let.oThrow.get f):
2618         (let.o2.get f):
2619         (foo):
2620         (f):
2621
2622 2015-11-02  Andy Estes  <aestes@apple.com>
2623
2624         [Cocoa] Add tvOS and watchOS to SUPPORTED_PLATFORMS
2625         https://bugs.webkit.org/show_bug.cgi?id=150819
2626
2627         Reviewed by Dan Bernstein.
2628
2629         This tells Xcode to include these platforms in its Devices dropdown, making it possible to build in the IDE.
2630
2631         * Configurations/Base.xcconfig:
2632
2633 2015-11-02  Brent Fulgham  <bfulgham@apple.com>
2634
2635         [Win] MiniBrowser unable to use WebInspector
2636         https://bugs.webkit.org/show_bug.cgi?id=150810
2637         <rdar://problem/23358514>
2638
2639         Reviewed by Timothy Hatcher.
2640
2641         The CMakeList rule for creating the InjectedScriptSource.min.js was improperly including
2642         the quote characters in the text prepended to InjectedScriptSource.min.js. This caused a
2643         parsing error in the JS file.
2644         
2645         The solution was to switch from using "COMMAND echo" to use the more cross-platform
2646         compatible command "COMMAND ${CMAKE_COMMAND} -E echo ...", which handles the string
2647         escaping properly on all platforms.
2648
2649         * CMakeLists.txt: Switch the 'echo' command syntax to be more cross-platform.
2650
2651 2015-11-02  Filip Pizlo  <fpizlo@apple.com>
2652
2653         B3 should be able to compile a Patchpoint
2654         https://bugs.webkit.org/show_bug.cgi?id=150750
2655
2656         Reviewed by Geoffrey Garen.
2657
2658         This adds the glue in B3::LowerToAir that turns a B3::PatchpointValue into an Air::Patch
2659         with a B3::PatchpointSpecial.
2660
2661         Along the way, I found some bugs. For starters, it became clear that I wanted to be able
2662         to append constraints to a Stackmap, and I wanted to have more flexibility in how I
2663         created a PatchpointValue. I also wanted more helper methods in ValueRep, since
2664         otherwise I would have had to write a lot of boilerplate.
2665
2666         I discovered, and fixed, a minor goof in Air::Code dumping when there are specials.
2667
2668         There were a ton of indexing bugs in B3StackmapSpecial.
2669
2670         The spiller was broken in case the Def was not the last Arg, since it was adding things
2671         to the insertion set both at instIndex and instIndex + 1, and the two types of additions
2672         could occur in the wrong (i.e. the +1 case first) order with an early Def. We often have
2673         bugs like this. In the DFG, we were paranoid about performance so we only admit out-of-
2674         order insertions as a rare case. I think that we don't really need to be so paranoid.
2675         So, I made the new insertion sets use a stable_sort to ensure that everything happens in
2676         the right order. I changed DFG::BlockInsertionSet to also use stable_sort; it previously
2677         used sort, which is slightly wrong.
2678
2679         This adds a new test that uses Patchpoint to implement a 32-bit add. It works!
2680
2681         * b3/B3InsertionSet.cpp:
2682         (JSC::B3::InsertionSet::execute):
2683         * b3/B3LowerToAir.cpp:
2684         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
2685         (JSC::B3::Air::LowerToAir::appendStore):
2686         (JSC::B3::Air::LowerToAir::moveForType):
2687         (JSC::B3::Air::LowerToAir::append):
2688         (JSC::B3::Air::LowerToAir::ensureSpecial):
2689         (JSC::B3::Air::LowerToAir::tryStore):
2690         (JSC::B3::Air::LowerToAir::tryStackSlot):
2691         (JSC::B3::Air::LowerToAir::tryPatchpoint):
2692         (JSC::B3::Air::LowerToAir::tryUpsilon):
2693         * b3/B3LoweringMatcher.patterns:
2694         * b3/B3PatchpointValue.h:
2695         (JSC::B3::PatchpointValue::accepts): Deleted.
2696         (JSC::B3::PatchpointValue::PatchpointValue): Deleted.
2697         * b3/B3Stackmap.h:
2698         (JSC::B3::Stackmap::constrain):
2699         (JSC::B3::Stackmap::appendConstraint):
2700         (JSC::B3::Stackmap::reps):
2701         (JSC::B3::Stackmap::clobber):
2702         * b3/B3StackmapSpecial.cpp:
2703         (JSC::B3::StackmapSpecial::forEachArgImpl):
2704         (JSC::B3::StackmapSpecial::isValidImpl):
2705         * b3/B3Value.h:
2706         * b3/B3ValueRep.h:
2707         (JSC::B3::ValueRep::ValueRep):
2708         (JSC::B3::ValueRep::reg):
2709         (JSC::B3::ValueRep::operator bool):
2710         (JSC::B3::ValueRep::isAny):
2711         (JSC::B3::ValueRep::isSomeRegister):
2712         (JSC::B3::ValueRep::isReg):
2713         (JSC::B3::ValueRep::isGPR):
2714         (JSC::B3::ValueRep::isFPR):
2715         (JSC::B3::ValueRep::gpr):
2716         (JSC::B3::ValueRep::fpr):
2717         (JSC::B3::ValueRep::isStack):
2718         (JSC::B3::ValueRep::offsetFromFP):
2719         (JSC::B3::ValueRep::isStackArgument):
2720         (JSC::B3::ValueRep::offsetFromSP):
2721         (JSC::B3::ValueRep::isConstant):
2722         (JSC::B3::ValueRep::value):
2723         * b3/air/AirCode.cpp:
2724         (JSC::B3::Air::Code::dump):
2725         * b3/air/AirInsertionSet.cpp:
2726         (JSC::B3::Air::InsertionSet::execute):
2727         * b3/testb3.cpp:
2728         (JSC::B3::testComplex):
2729         (JSC::B3::testSimplePatchpoint):
2730         (JSC::B3::run):
2731         * dfg/DFGBlockInsertionSet.cpp:
2732         (JSC::DFG::BlockInsertionSet::execute):
2733
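        The spiller bug above comes down to how an insertion set is executed. The following is an added example, not WebKit's Air::InsertionSet: a hypothetical insertion set that sorts its insertions with stable_sort before splicing them in, so that "after inst" (index + 1) may be recorded before "before inst" (index) and insertions at the same index keep their recorded order. The instruction strings and the spillAround() helper are constructed for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model of an instruction-stream insertion set (added example,
// not WebKit's Air::InsertionSet). An insertion names the index *before*
// which the new instruction should appear, so "after inst i" is index i + 1.
struct Insertion {
    size_t index;
    std::string inst;
};

class InsertionSet {
public:
    void insertBefore(size_t index, std::string inst) {
        m_insertions.push_back({index, std::move(inst)});
    }

    // Applies every recorded insertion to `code` in one back-to-front pass.
    // The stable sort is the point: callers may record insertions in any index
    // order, and several insertions at the same index keep the order in which
    // they were recorded (a plain sort would not guarantee that).
    void execute(std::vector<std::string>& code) {
        std::stable_sort(m_insertions.begin(), m_insertions.end(),
            [](const Insertion& a, const Insertion& b) { return a.index < b.index; });

        size_t oldSize = code.size();
        code.resize(oldSize + m_insertions.size());
        size_t dst = code.size();          // next free slot, filled from the back
        size_t src = oldSize;              // next original instruction to move
        size_t remaining = m_insertions.size();
        // Invariant: dst - src == remaining, so dst > src inside the loop and
        // no element is ever moved onto itself.
        while (remaining) {
            const Insertion& insertion = m_insertions[remaining - 1];
            // Shift down every original that sits at or after the insertion point.
            while (src > insertion.index)
                code[--dst] = std::move(code[--src]);
            code[--dst] = std::move(m_insertions[--remaining].inst);
        }
        m_insertions.clear();
    }

private:
    std::vector<Insertion> m_insertions;
};

// Models what a spiller does around one instruction: reload spilled values
// before it and store the new definition after it. The "after" insertion is
// deliberately recorded first, which is the case that went wrong without
// sorting. The instruction text is constructed, not real Air syntax.
std::vector<std::string> spillAround(std::vector<std::string> code, size_t instIndex) {
    InsertionSet set;
    set.insertBefore(instIndex + 1, "Store %tmp -> [spill]");
    set.insertBefore(instIndex, "Load [spill] -> %tmp");
    set.insertBefore(instIndex, "Load [spill2] -> %tmp2"); // same index: order preserved
    set.execute(code);
    return code;
}

int main() {
    for (const std::string& inst : spillAround({"Mov %x -> %tmp", "Add %tmp, %y -> %tmp", "Ret"}, 1))
        std::cout << inst << "\n";
    return 0;
}
```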
2734 2015-11-02  Mark Lam  <mark.lam@apple.com>
2735
2736         Snippefy op_add for the baseline JIT.
2737         https://bugs.webkit.org/show_bug.cgi?id=150129
2738
2739         Reviewed by Geoffrey Garen and Saam Barati.
2740
2741         Performance is neutral for both 32-bit and 64-bit on X86_64.
2742
2743         * CMakeLists.txt:
2744         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2745         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2746         * JavaScriptCore.xcodeproj/project.pbxproj:
2747         * jit/JIT.h:
2748         (JSC::JIT::getOperandConstantInt):
2749         - Move getOperandConstantInt() from the JSVALUE64 section to the common section
2750           because the snippet needs it.
2751
2752         * jit/JITAddGenerator.cpp: Added.
2753         (JSC::JITAddGenerator::generateFastPath):
2754         * jit/JITAddGenerator.h: Added.
2755         (JSC::JITAddGenerator::JITAddGenerator):
2756         (JSC::JITAddGenerator::endJumpList):
2757         (JSC::JITAddGenerator::slowPathJumpList):
2758         - JITAddGenerator implements an optimization for the case where 1 of the 2 operands
2759           is a constant int32_t.  It does not implement an optimization for the case where
2760           both operands are constant int32_t.  This is because:
2761           1. For the baseline JIT, the ASTBuilder will fold the 2 constants together.
2762           2. For the DFG, the AbstractInterpreter will also fold the 2 constants.
2763
2764           Hence, such an optimization path (for 2 constant int32_t operands) would never
2765           be taken, and is why we won't implement it.
2766
2767         * jit/JITArithmetic.cpp:
2768         (JSC::JIT::compileBinaryArithOp):
2769         (JSC::JIT::compileBinaryArithOpSlowCase):
2770         - Removed op_add cases.  These are no longer used by the op_add emitters.
2771
2772         (JSC::JIT::emit_op_add):
2773         (JSC::JIT::emitSlow_op_add):
2774         - Moved out from the JSVALUE64 section to the common section, and reimplemented
2775           using the snippet.
2776
2777         * jit/JITArithmetic32_64.cpp:
2778         (JSC::JIT::emitBinaryDoubleOp):
2779         (JSC::JIT::emit_op_add): Deleted.
2780         (JSC::JIT::emitAdd32Constant): Deleted.
2781         (JSC::JIT::emitSlow_op_add): Deleted.
2782         - Remove 32-bit specific version of op_add.  The snippet serves both 32-bit
2783           and 64-bit implementations.
2784
2785         * jit/JITInlines.h:
2786         (JSC::JIT::getOperandConstantInt):
2787         - Move getOperandConstantInt() from the JSVALUE64 section to the common section
2788           because the snippet needs it.
2789
2790 2015-11-02  Brian Burg  <bburg@apple.com>
2791
2792         Run sort-Xcode-project-file for the JavaScriptCore project.
2793
2794         Unreviewed. Many things were out of order following recent B3 commits.
2795
2796         * JavaScriptCore.xcodeproj/project.pbxproj:
2797
2798 2015-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2799
2800         Rename op_put_getter_setter to op_put_getter_setter_by_id
2801         https://bugs.webkit.org/show_bug.cgi?id=150773
2802
2803         Reviewed by Mark Lam.
2804
2805         Renaming op_put_getter_setter to op_put_getter_setter_by_id makes this op name consistent with
2806         the other ops' names like op_put_getter_by_id etc.
2807
2808         And to fix build dependencies in Xcode, we added LLIntAssembly.h to the Xcode project file.
2809
2810         * JavaScriptCore.xcodeproj/project.pbxproj:
2811         * bytecode/BytecodeList.json:
2812         * bytecode/BytecodeUseDef.h:
2813         (JSC::computeUsesForBytecodeOffset):
2814         (JSC::computeDefsForBytecodeOffset):
2815         * bytecode/CodeBlock.cpp:
2816         (JSC::CodeBlock::dumpBytecode):
2817         * bytecompiler/BytecodeGenerator.cpp:
2818         (JSC::BytecodeGenerator::emitPutGetterSetter):
2819         * dfg/DFGByteCodeParser.cpp:
2820         (JSC::DFG::ByteCodeParser::parseBlock):
2821         * dfg/DFGCapabilities.cpp:
2822         (JSC::DFG::capabilityLevel):
2823         * jit/JIT.cpp:
2824         (JSC::JIT::privateCompileMainPass):
2825         * jit/JIT.h:
2826         * jit/JITPropertyAccess.cpp:
2827         (JSC::JIT::emit_op_put_getter_setter_by_id):
2828         (JSC::JIT::emit_op_put_getter_setter): Deleted.
2829         * jit/JITPropertyAccess32_64.cpp:
2830         (JSC::JIT::emit_op_put_getter_setter_by_id):
2831         (JSC::JIT::emit_op_put_getter_setter): Deleted.
2832         * llint/LLIntSlowPaths.cpp:
2833         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2834         * llint/LLIntSlowPaths.h:
2835         * llint/LowLevelInterpreter.asm:
2836
2837 2015-11-02  Csaba Osztrogonác  <ossy@webkit.org>
2838
2839         Fix the FTL JIT build with system LLVM on Linux
2840         https://bugs.webkit.org/show_bug.cgi?id=150795
2841
2842         Reviewed by Filip Pizlo.
2843
2844         * CMakeLists.txt:
2845
2846 2015-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2847
2848         [ES6] Support Generator Syntax
2849         https://bugs.webkit.org/show_bug.cgi?id=150769
2850
2851         Reviewed by Geoffrey Garen.
2852
2853         This patch implements syntax part of ES6 Generators.
2854
2855         1. Add ENABLE_ES6_GENERATORS compile time flag. It is disabled by default, and will be enabled once ES6 generator functionality is implemented.
2856         2. Add lexer support for YIELD. It changes "yield" from reserved-if-strict word to keyword. And it is correct under the ES6 spec.
2857         3. Implement parsing functionality and a YieldExprNode stub. YieldExprNode does not emit meaningful bytecodes yet. This should be implemented in a future patch.
2858         4. Accept the "yield" Identifier as a label etc. under sloppy mode && non-generator code. http://ecma-international.org/ecma-262/6.0/#sec-generator-function-definitions-static-semantics-early-errors
2859
2860         * Configurations/FeatureDefines.xcconfig:
2861         * bytecompiler/NodesCodegen.cpp:
2862         (JSC::YieldExprNode::emitBytecode):
2863         * parser/ASTBuilder.h:
2864         (JSC::ASTBuilder::createYield):
2865         * parser/Keywords.table:
2866         * parser/NodeConstructors.h:
2867         (JSC::YieldExprNode::YieldExprNode):
2868         * parser/Nodes.h:
2869         * parser/Parser.cpp:
2870         (JSC::Parser<LexerType>::Parser):
2871         (JSC::Parser<LexerType>::parseInner):
2872         (JSC::Parser<LexerType>::parseStatementListItem):
2873         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2874         (JSC::Parser<LexerType>::parseDestructuringPattern):
2875         (JSC::Parser<LexerType>::parseBreakStatement):
2876         (JSC::Parser<LexerType>::parseContinueStatement):
2877         (JSC::Parser<LexerType>::parseTryStatement):
2878         (JSC::Parser<LexerType>::parseStatement):
2879         (JSC::stringForFunctionMode):
2880         (JSC::Parser<LexerType>::parseFunctionParameters):
2881         (JSC::Parser<LexerType>::parseFunctionInfo):
2882         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2883         (JSC::Parser<LexerType>::parseClass):
2884         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
2885         (JSC::Parser<LexerType>::parseExportDeclaration):
2886         (JSC::Parser<LexerType>::parseAssignmentExpression):
2887         (JSC::Parser<LexerType>::parseYieldExpression):
2888         (JSC::Parser<LexerType>::parseProperty):
2889         (JSC::Parser<LexerType>::parsePropertyMethod):
2890         (JSC::Parser<LexerType>::parseGetterSetter):
2891         (JSC::Parser<LexerType>::parseFunctionExpression):
2892         (JSC::Parser<LexerType>::parsePrimaryExpression):
2893         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
2894         * parser/Parser.h:
2895         (JSC::Scope::Scope):
2896         (JSC::Scope::setSourceParseMode):
2897         (JSC::Scope::isGenerator):
2898         (JSC::Scope::setIsFunction):
2899         (JSC::Scope::setIsGenerator):
2900         (JSC::Scope::setIsModule):
2901         (JSC::Parser::pushScope):
2902         (JSC::Parser::isYIELDMaskedAsIDENT):
2903         (JSC::Parser::matchSpecIdentifier):
2904         (JSC::Parser::saveState):
2905         (JSC::Parser::restoreState):
2906         * parser/ParserModes.h:
2907         (JSC::isFunctionParseMode):
2908         (JSC::isModuleParseMode):
2909         (JSC::isProgramParseMode):
2910         * parser/ParserTokens.h:
2911         * parser/SyntaxChecker.h:
2912         (JSC::SyntaxChecker::createYield):
2913         * tests/stress/generator-methods.js: Added.
2914         (Hello.prototype.gen):
2915         (Hello.gen):
2916         (Hello):
2917         (Hello.prototype.set get string_appeared_here):
2918         (Hello.string_appeared_here):
2919         (Hello.prototype.20):
2920         (Hello.20):
2921         (Hello.prototype.42):
2922         (Hello.42):
2923         (let.object.gen):
2924         (let.object.set get string_appeared_here):
2925         (let.object.20):
2926         (let.object.42):
2927         * tests/stress/generator-syntax.js: Added.
2928         (testSyntax):
2929         (testSyntaxError):
2930         (testSyntaxError.Hello.prototype.get gen):
2931         (testSyntaxError.Hello):
2932         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.Hello.prototype.set gen):
2933         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.Hello):
2934         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.gen):
2935         (testSyntaxError.value):
2936         (testSyntaxError.gen.ng):
2937         (testSyntaxError.gen):
2938         (testSyntax.gen):
2939         * tests/stress/yield-and-line-terminator.js: Added.
2940         (testSyntax):
2941         (testSyntaxError):
2942         (testSyntax.gen):
2943         (testSyntaxError.gen):
2944         * tests/stress/yield-label-generator.js: Added.
2945         (testSyntax):
2946         (testSyntaxError):
2947         (testSyntaxError.test):
2948         (SyntaxError.Unexpected.keyword.string_appeared_here.Expected.an.identifier.as.the.target.a.continue.statement.testSyntax.test):
2949         * tests/stress/yield-label.js: Added.
2950         (yield):
2951         (testSyntaxError):
2952         (testSyntaxError.test):
2953         * tests/stress/yield-named-accessors-generator.js: Added.
2954         (t1.let.object.get yield):
2955         (t1.let.object.set yield):
2956         (t1):
2957         (t2.let.object.get yield):
2958         (t2.let.object.set yield):
2959         (t2):
2960         * tests/stress/yield-named-accessors.js: Added.
2961         (t1.let.object.get yield):
2962         (t1.let.object.set yield):
2963         (t1):
2964         (t2.let.object.get yield):
2965         (t2.let.object.set yield):
2966         (t2):
2967         * tests/stress/yield-named-variable-generator.js: Added.
2968         (testSyntax):
2969         (testSyntaxError):
2970         (testSyntaxError.t1):
2971         (testSyntaxError.t1.yield):
2972         (testSyntax.t1.yield):
2973         (testSyntax.t1):
2974         * tests/stress/yield-named-variable.js: Added.
2975         (testSyntax):
2976         (testSyntaxError):
2977         (testSyntax.t1):
2978         (testSyntaxError.t1):
2979         (testSyntax.t1.yield):
2980         (testSyntaxError.t1.yield):
2981         * tests/stress/yield-out-of-generator.js: Added.
2982         (testSyntax):
2983         (testSyntaxError):
2984         (testSyntaxError.hello):
2985         (testSyntaxError.gen.hello):
2986         (testSyntaxError.gen):
2987         (testSyntax.gen):
2988         (testSyntax.gen.ok):
2989         (testSyntaxError.gen.ok):
2990
2991 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
2992
2993         Dominators should be factored out of the DFG
2994         https://bugs.webkit.org/show_bug.cgi?id=150764
2995
2996         Reviewed by Geoffrey Garen.
2997
2998         Factored DFGDominators.h/DFGDominators.cpp into WTF. To do this, I made two changes to the
2999         DFG:
3000
3001         1) DFG now has a CFG abstraction called DFG::CFG. The cool thing about this is that in the
3002            future if we wanted to support inverted dominators, we could do it by just creating a
3003            DFG::BackwardCFG.
3004
3005         2) Got rid of DFG::Analysis. From now on, an Analysis being invalidated is expressed by the
3006            DFG::Graph having a null pointer for that analysis. When we "run" the analysis, we
3007            just instantiate it. This makes it much more natural to integrate WTF::Dominators into
3008            the DFG.
3009
3010         * CMakeLists.txt:
3011         * JavaScriptCore.xcodeproj/project.pbxproj:
3012         * dfg/DFGAnalysis.h: Removed.
3013         * dfg/DFGCFG.h: Added.
3014         (JSC::DFG::CFG::CFG):
3015         (JSC::DFG::CFG::root):
3016         (JSC::DFG::CFG::newMap<T>):
3017         (JSC::DFG::CFG::successors):
3018         (JSC::DFG::CFG::predecessors):
3019         (JSC::DFG::CFG::index):
3020         (JSC::DFG::CFG::node):
3021         (JSC::DFG::CFG::numNodes):
3022         (JSC::DFG::CFG::dump):
3023         * dfg/DFGCSEPhase.cpp:
3024         * dfg/DFGDisassembler.cpp:
3025         (JSC::DFG::Disassembler::createDumpList):
3026         * dfg/DFGDominators.cpp: Removed.
3027         * dfg/DFGDominators.h:
3028         (JSC::DFG::Dominators::Dominators):
3029         (JSC::DFG::Dominators::strictlyDominates): Deleted.
3030         (JSC::DFG::Dominators::dominates): Deleted.
3031         (JSC::DFG::Dominators::immediateDominatorOf): Deleted.
3032         (JSC::DFG::Dominators::forAllStrictDominatorsOf): Deleted.
3033         (JSC::DFG::Dominators::forAllDominatorsOf): Deleted.
3034         (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy): Deleted.
3035         (JSC::DFG::Dominators::forAllBlocksDominatedBy): Deleted.
3036         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf): Deleted.
3037         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf): Deleted.
3038         (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf): Deleted.
3039         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl): Deleted.
3040         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl): Deleted.
3041         (JSC::DFG::Dominators::BlockData::BlockData): Deleted.
3042         * dfg/DFGEdgeDominates.h:
3043         (JSC::DFG::EdgeDominates::operator()):
3044         * dfg/DFGGraph.cpp:
3045         (JSC::DFG::Graph::Graph):
3046         (JSC::DFG::Graph::dumpBlockHeader):
3047         (JSC::DFG::Graph::invalidateCFG):
3048         (JSC::DFG::Graph::substituteGetLocal):
3049         (JSC::DFG::Graph::handleAssertionFailure):
3050         (JSC::DFG::Graph::ensureDominators):
3051         (JSC::DFG::Graph::ensurePrePostNumbering):
3052         (JSC::DFG::Graph::ensureNaturalLoops):
3053         (JSC::DFG::Graph::valueProfileFor):
3054         * dfg/DFGGraph.h:
3055         (JSC::DFG::Graph::hasDebuggerEnabled):
3056         * dfg/DFGLICMPhase.cpp:
3057         (JSC::DFG::LICMPhase::run):
3058         (JSC::DFG::LICMPhase::attemptHoist):
3059         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3060         (JSC::DFG::createPreHeader):
3061         (JSC::DFG::LoopPreHeaderCreationPhase::run):
3062         * dfg/DFGNaturalLoops.cpp:
3063         (JSC::DFG::NaturalLoop::dump):
3064         (JSC::DFG::NaturalLoops::NaturalLoops):
3065         (JSC::DFG::NaturalLoops::~NaturalLoops):
3066         (JSC::DFG::NaturalLoops::loopsOf):
3067         (JSC::DFG::NaturalLoops::computeDependencies): Deleted.
3068         (JSC::DFG::NaturalLoops::compute): Deleted.
3069         * dfg/DFGNaturalLoops.h:
3070         (JSC::DFG::NaturalLoops::numLoops):
3071         * dfg/DFGNode.h:
3072         (JSC::DFG::Node::SuccessorsIterable::end):
3073         (JSC::DFG::Node::SuccessorsIterable::size):
3074         (JSC::DFG::Node::SuccessorsIterable::at):
3075         (JSC::DFG::Node::SuccessorsIterable::operator[]):
3076         * dfg/DFGOSREntrypointCreationPhase.cpp:
3077         (JSC::DFG::OSREntrypointCreationPhase::run):
3078         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3079         * dfg/DFGPlan.cpp:
3080         (JSC::DFG::Plan::compileInThreadImpl):
3081         * dfg/DFGPrePostNumbering.cpp:
3082         (JSC::DFG::PrePostNumbering::PrePostNumbering):
3083         (JSC::DFG::PrePostNumbering::~PrePostNumbering):
3084         (JSC::DFG::PrePostNumbering::compute): Deleted.
3085         * dfg/DFGPrePostNumbering.h:
3086         (JSC::DFG::PrePostNumbering::preNumber):
3087         (JSC::DFG::PrePostNumbering::postNumber):
3088         * dfg/DFGPutStackSinkingPhase.cpp:
3089         * dfg/DFGSSACalculator.cpp:
3090         (JSC::DFG::SSACalculator::nonLocalReachingDef):
3091         (JSC::DFG::SSACalculator::reachingDefAtTail):
3092         * dfg/DFGSSACalculator.h:
3093         (JSC::DFG::SSACalculator::computePhis):
3094         * dfg/DFGSSAConversionPhase.cpp:
3095         (JSC::DFG::SSAConversionPhase::run):
3096         * ftl/FTLLink.cpp:
3097         (JSC::FTL::link):
3098         * ftl/FTLLowerDFGToLLVM.cpp:
3099         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3100         (JSC::FTL::DFG::LowerDFGToLLVM::safelyInvalidateAfterTermination):
3101         (JSC::FTL::DFG::LowerDFGToLLVM::isValid):
3102
3103 2015-10-31  Filip Pizlo  <fpizlo@apple.com>
3104
3105         B3::reduceStrength's DCE should be more agro and less wrong
3106         https://bugs.webkit.org/show_bug.cgi?id=150748
3107
3108         Reviewed by Geoffrey Garen.
3109
3110         First of all, our DCE had a bug where it would keep Upsilons after it deleted the Phis that
3111         they referenced. But our B3 DCE was also not aggressive enough. It would not eliminate
3112         cycles. It was also probably slower than it needed to be, since it would eliminate all
3113         never-referenced things on each fixpoint.
3114
3115         This adds a presume-everyone-is-dead-and-find-live-things style DCE. This is very natural to
3116         write, except for Upsilons. For everything but Upsilons, it's just a worklist algorithm. For
3117         Upsilons, it's a fixpoint. It works fine in the end.
3118
3119         I kept finding bugs in this algorithm when I tested it against my "Complex" test that I was
3120         writing as a compile time benchmark. So, I include that test in this change. I also include
3121         the small lowering extensions that it needed - shifting and zero extending.
3122
3123         This change also adds an LLVM version of the Complex test. Though the LLVM version feels
3124         more natural to write because LLVM has traditional Phi's rather than our quirky Phi's, in
3125         the end LLVM ends up performing very badly - 10x to 20x worse than B3. Some of that gap will
3126         close once we give B3 a register allocator, but still, that's pretty good news for our B3
3127         strategy.
3128
3129         * JavaScriptCore.xcodeproj/project.pbxproj:
3130         * assembler/MacroAssemblerX86_64.h:
3131         (JSC::MacroAssemblerX86_64::lshift64):
3132         (JSC::MacroAssemblerX86_64::rshift64):
3133         * assembler/X86Assembler.h:
3134         (JSC::X86Assembler::shlq_i8r):
3135         (JSC::X86Assembler::shlq_CLr):
3136         (JSC::X86Assembler::imull_rr):
3137         * b3/B3BasicBlock.cpp:
3138         (JSC::B3::BasicBlock::replacePredecessor):
3139         (JSC::B3::BasicBlock::dump):
3140         (JSC::B3::BasicBlock::removeNops): Deleted.
3141         * b3/B3BasicBlock.h:
3142         (JSC::B3::BasicBlock::frequency):
3143         * b3/B3Common.cpp:
3144         (JSC::B3::shouldSaveIRBeforePhase):
3145         (JSC::B3::shouldMeasurePhaseTiming):
3146         * b3/B3Common.h:
3147         (JSC::B3::isRepresentableAsImpl):
3148         * b3/B3Generate.cpp:
3149         (JSC::B3::generate):
3150         (JSC::B3::generateToAir):
3151         * b3/B3LowerToAir.cpp:
3152         (JSC::B3::Air::LowerToAir::tryAnd):
3153         (JSC::B3::Air::LowerToAir::tryShl):
3154         (JSC::B3::Air::LowerToAir::tryStoreAddLoad):
3155         (JSC::B3::Air::LowerToAir::tryTrunc):
3156         (JSC::B3::Air::LowerToAir::tryZExt32):
3157         (JSC::B3::Air::LowerToAir::tryArgumentReg):
3158         * b3/B3LoweringMatcher.patterns:
3159         * b3/B3PhaseScope.cpp:
3160         (JSC::B3::PhaseScope::PhaseScope):
3161         * b3/B3PhaseScope.h:
3162         * b3/B3ReduceStrength.cpp:
3163         * b3/B3TimingScope.cpp: Added.
3164         (JSC::B3::TimingScope::TimingScope):
3165         (JSC::B3::TimingScope::~TimingScope):
3166         * b3/B3TimingScope.h: Added.
3167         * b3/B3Validate.cpp:
3168         * b3/air/AirAllocateStack.cpp:
3169         (JSC::B3::Air::allocateStack):
3170         * b3/air/AirGenerate.cpp:
3171         (JSC::B3::Air::generate):
3172         * b3/air/AirInstInlines.h:
3173         (JSC::B3::Air::ForEach<Arg>::forEach):
3174         (JSC::B3::Air::Inst::forEach):
3175         (JSC::B3::Air::isLshift32Valid):
3176         (JSC::B3::Air::isLshift64Valid):
3177         * b3/air/AirLiveness.h:
3178         (JSC::B3::Air::Liveness::isAlive):
3179         (JSC::B3::Air::Liveness::Liveness):
3180         (JSC::B3::Air::Liveness::LocalCalc::execute):
3181         * b3/air/AirOpcode.opcodes:
3182         * b3/air/AirPhaseScope.cpp:
3183         (JSC::B3::Air::PhaseScope::PhaseScope):
3184         * b3/air/AirPhaseScope.h:
3185         * b3/testb3.cpp:
3186         (JSC::B3::testBranchEqualFoldPtr):
3187         (JSC::B3::testComplex):
3188         (JSC::B3::run):
3189         * runtime/Options.h:
3190
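        The mark-live DCE described above, as an added example on a toy Phi/Upsilon IR; this is hypothetical code, not B3's reduceStrength or its Value classes. The worklist propagates liveness to operands; Upsilons, which nothing references, are handled by a fixpoint that marks them live once their Phi is live, so a dead Phi takes its Upsilons with it and a dead cycle is removed. The sample program is constructed.

```cpp
#include <iostream>
#include <set>
#include <vector>

// Toy SSA IR in the style of B3's Phi/Upsilon (added example, hypothetical
// types rather than B3's own). A Phi carries no operands; each Upsilon names
// the value it passes and the Phi that receives it. program[i].id == i.
enum class Op { Const, Add, Phi, Upsilon, Return };

struct Value {
    int id;
    Op op;
    std::vector<int> children; // operand ids (an Upsilon's single child is the value it carries)
    int phi = -1;              // Upsilon only: the Phi it feeds
};

static bool hasEffects(const Value& v) { return v.op == Op::Return; }

// Presume everything dead, seed with effectful values, and propagate liveness
// to operands with a worklist. Upsilons need a fixpoint: nothing references an
// Upsilon, so it becomes live only when its Phi does, and its operand then
// becomes live too, which can in turn wake further Phis.
std::set<int> computeLive(const std::vector<Value>& program) {
    std::set<int> live;
    std::vector<int> worklist;
    auto markLive = [&](int id) {
        if (live.insert(id).second)
            worklist.push_back(id);
    };
    for (const Value& v : program)
        if (hasEffects(v))
            markLive(v.id);

    for (;;) {
        while (!worklist.empty()) {
            int id = worklist.back();
            worklist.pop_back();
            for (int child : program[id].children)
                markLive(child);
        }
        bool changed = false;
        for (const Value& v : program) {
            if (v.op == Op::Upsilon && live.count(v.phi) && !live.count(v.id)) {
                markLive(v.id);
                changed = true;
            }
        }
        if (!changed)
            return live;
    }
}

// Returns the ids that survive DCE, in program order. Dead Upsilons go away
// together with their dead Phi instead of outliving it.
std::vector<int> eliminateDead(const std::vector<Value>& program) {
    std::set<int> live = computeLive(program);
    std::vector<int> survivors;
    for (const Value& v : program)
        if (live.count(v.id))
            survivors.push_back(v.id);
    return survivors;
}

// Constructed sample: a live loop counter (Phi 2) fed by Upsilons 4 and 5, plus
// a dead cycle (Phi 6 -> Add 7 -> Upsilon 8 -> Phi 6) that nothing effectful
// reads. A scheme that only drops never-referenced values cannot remove the
// cycle, because each member of it is referenced by another member.
std::vector<Value> sampleProgram() {
    return {
        {0, Op::Const, {}},
        {1, Op::Const, {}},
        {2, Op::Phi, {}},
        {3, Op::Add, {2, 1}},
        {4, Op::Upsilon, {0}, 2},
        {5, Op::Upsilon, {3}, 2},
        {6, Op::Phi, {}},
        {7, Op::Add, {6, 1}},
        {8, Op::Upsilon, {7}, 6},
        {9, Op::Upsilon, {0}, 6},
        {10, Op::Return, {2}},
    };
}

int main() {
    for (int id : eliminateDead(sampleProgram()))
        std::cout << "live: " << id << "\n";
    return 0;
}
```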
3191 2015-11-01  Alexey Proskuryakov  <ap@apple.com>
3192
3193         [ES6] Add support for toStringTag
3194         https://bugs.webkit.org/show_bug.cgi?id=150696
3195
3196         Re-landing, as this wasn't the culprit.
3197
3198         * runtime/ArrayIteratorPrototype.cpp:
3199         (JSC::ArrayIteratorPrototype::finishCreation):
3200         * runtime/CommonIdentifiers.h:
3201         * runtime/JSArrayBufferPrototype.cpp:
3202         (JSC::JSArrayBufferPrototype::finishCreation):
3203         (JSC::JSArrayBufferPrototype::create):
3204         * runtime/JSDataViewPrototype.cpp:
3205         (JSC::JSDataViewPrototype::create):
3206         (JSC::JSDataViewPrototype::finishCreation):
3207         (JSC::JSDataViewPrototype::createStructure):
3208         * runtime/JSDataViewPrototype.h:
3209         * runtime/JSModuleNamespaceObject.cpp:
3210         (JSC::JSModuleNamespaceObject::finishCreation):
3211         * runtime/JSONObject.cpp:
3212         (JSC::JSONObject::finishCreation):
3213         * runtime/JSPromisePrototype.cpp:
3214         (JSC::JSPromisePrototype::finishCreation):
3215         (JSC::JSPromisePrototype::getOwnPropertySlot):
3216         * runtime/JSTypedArrayViewPrototype.cpp:
3217         (JSC::typedArrayViewProtoFuncValues):
3218         (JSC::typedArrayViewProtoGetterFuncToStringTag):
3219         (JSC::JSTypedArrayViewPrototype::JSTypedArrayViewPrototype):
3220         (JSC::JSTypedArrayViewPrototype::finishCreation):
3221         * runtime/MapIteratorPrototype.cpp:
3222         (JSC::MapIteratorPrototype::finishCreation):
3223         (JSC::MapIteratorPrototypeFuncNext):
3224         * runtime/MapPrototype.cpp:
3225         (JSC::MapPrototype::finishCreation):
3226         * runtime/MathObject.cpp:
3227         (JSC::MathObject::finishCreation):
3228         * runtime/ObjectPrototype.cpp:
3229         (JSC::objectProtoFuncToString):
3230         * runtime/SetIteratorPrototype.cpp:
3231         (JSC::SetIteratorPrototype::finishCreation):
3232         (JSC::SetIteratorPrototypeFuncNext):
3233         * runtime/SetPrototype.cpp:
3234         (JSC::SetPrototype::finishCreation):
3235         * runtime/SmallStrings.cpp:
3236         (JSC::SmallStrings::SmallStrings):
3237         (JSC::SmallStrings::initializeCommonStrings):
3238         (JSC::SmallStrings::visitStrongReferences):
3239         * runtime/SmallStrings.h:
3240         (JSC::SmallStrings::typeString):
3241         (JSC::SmallStrings::objectStringStart):
3242         (JSC::SmallStrings::nullObjectString):
3243         (JSC::SmallStrings::undefinedObjectString):
3244         * runtime/StringIteratorPrototype.cpp:
3245         (JSC::StringIteratorPrototype::finishCreation):
3246         * runtime/SymbolPrototype.cpp:
3247         (JSC::SymbolPrototype::finishCreation):
3248         * runtime/WeakMapPrototype.cpp:
3249         (JSC::WeakMapPrototype::finishCreation):
3250         (JSC::getWeakMapData):
3251         * runtime/WeakSetPrototype.cpp:
3252         (JSC::WeakSetPrototype::finishCreation):
3253         (JSC::getWeakMapData):
3254         * tests/es6.yaml:
3255         * tests/modules/namespace.js:
3256         * tests/stress/symbol-tostringtag.js: Copied from Source/JavaScriptCore/tests/stress/symbol-tostringtag.js.
3257
3258 2015-11-01  Commit Queue  <commit-queue@webkit.org>
3259
3260         Unreviewed, rolling out r191815 and r191821.
3261         https://bugs.webkit.org/show_bug.cgi?id=150781
3262
3263         Seems to have broken JSC API tests on some platforms
3264         (Requested by ap on #webkit).
3265
3266         Reverted changesets:
3267
3268         "[ES6] Add support for toStringTag"
3269         https://bugs.webkit.org/show_bug.cgi?id=150696
3270         http://trac.webkit.org/changeset/191815
3271
3272         "Unreviewed, forgot to mark tests as passing for new feature."
3273         http://trac.webkit.org/changeset/191821
3274
3275 2015-11-01  Commit Queue  <commit-queue@webkit.org>
3276
3277         Unreviewed, rolling out r191858.
3278         https://bugs.webkit.org/show_bug.cgi?id=150780
3279
3280         Broke the build (Requested by ap on #webkit).
3281
3282         Reverted changeset:
3283
3284         "Rename op_put_getter_setter to op_put_getter_setter_by_id"
3285         https://bugs.webkit.org/show_bug.cgi?id=150773
3286         http://trac.webkit.org/changeset/191858
3287
3288 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
3289
3290         Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150777.
3291
3292         * b3/B3LowerToAir.cpp:
3293         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRoot):
3294
3295 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
3296
3297         Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150775.
3298
3299         * b3/B3LowerToAir.cpp:
3300         (JSC::B3::Air::LowerToAir::tryTrunc):
3301
3302 2015-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3303
3304         Rename op_put_getter_setter to op_put_getter_setter_by_id
3305         https://bugs.webkit.org/show_bug.cgi?id=150773
3306
3307         Reviewed by Mark Lam.
3308
3309         Renaming op_put_getter_setter to op_put_getter_setter_by_id makes this op name consistent with
3310         the other ops' names like op_put_getter_by_id etc.
3311
3312         * bytecode/BytecodeList.json:
3313         * bytecode/BytecodeUseDef.h:
3314         (JSC::computeUsesForBytecodeOffset):
3315         (JSC::computeDefsForBytecodeOffset):
3316         * bytecode/CodeBlock.cpp:
3317         (JSC::CodeBlock::dumpBytecode):
3318         * bytecompiler/BytecodeGenerator.cpp:
3319         (JSC::BytecodeGenerator::emitPutGetterSetter):
3320         * dfg/DFGByteCodeParser.cpp:
3321         (JSC::DFG::ByteCodeParser::parseBlock):
3322         * dfg/DFGCapabilities.cpp:
3323         (JSC::DFG::capabilityLevel):
3324         * jit/JIT.cpp:
3325         (JSC::JIT::privateCompileMainPass):
3326         * jit/JIT.h:
3327         * jit/JITPropertyAccess.cpp:
3328         (JSC::JIT::emit_op_put_getter_setter_by_id):
3329         (JSC::JIT::emit_op_put_getter_setter): Deleted.
3330         * jit/JITPropertyAccess32_64.cpp:
3331         (JSC::JIT::emit_op_put_getter_setter_by_id):
3332         (JSC::JIT::emit_op_put_getter_setter): Deleted.
3333         * llint/LLIntSlowPaths.cpp:
3334         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3335         * llint/LLIntSlowPaths.h:
3336         * llint/LowLevelInterpreter.asm:
3337
3338 2015-10-31  Andreas Kling  <akling@apple.com>
3339
3340         Add a debug overlay with information about web process resource usage.
3341         <https://webkit.org/b/150599>
3342
3343         Reviewed by Darin Adler.
3344
3345         Have Heap track the exact number of bytes allocated in CopiedBlock, MarkedBlock and
3346         WeakBlock objects, keeping them in a single location that can be sampled by the
3347         resource usage overlay thread.
3348
3349         The bulk of these changes is threading a Heap& through from sites where blocks are
3350         allocated or freed.
3351