Fix internal Windows build
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-12-16  Alex Christensen  <achristensen@webkit.org>

        Fix internal Windows build
        https://bugs.webkit.org/show_bug.cgi?id=152364

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2015-12-16  Filip Pizlo  <fpizlo@apple.com>

        Improve JSObject::put performance
        https://bugs.webkit.org/show_bug.cgi?id=152347

        Reviewed by Geoffrey Garen.

        This adds a new benchmark called dynbench, which just uses the C++ API to create, modify, and
        query objects. This also adds some optimizations to make the JSObject::put code faster by making
        it inlinable in places that really need the performance, like JITOperations and LLIntSlowPaths.
        Inlining it is optional because the put() method is large. If you want it inlined, call
        putInline(). There's a putInline() variant of both JSObject::put() and JSValue::put().

        This is up to a 20% improvement for JSObject::put calls that get inlined all the way (like from
        JITOperations and the new benchmark) and it's also a speed-up, albeit a smaller one, for
        JSObject::put calls that don't get inlined (i.e. those from the DOM and the JSC C++ library code).
        Specific speed-ups are as follows. Note that "dynamic context" means that we told PutPropertySlot
        that we're not a static put_by_id, which turns off some type inference.

        Get By Id: 2% faster
        Put By Id Replace: 23% faster
        Put By Id Transition + object allocation: 11% faster
        Get By Id w/ dynamic context: 5% faster
        Put By Id Replace w/ dynamic context: 25% faster
        Put By Id Transition + object allocation w/ dynamic context: 10% faster

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dynbench.cpp: Added.
        (JSC::benchmarkImpl):
        (main):
        * jit/CallFrameShuffler32_64.cpp:
        * jit/CallFrameShuffler64.cpp:
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::hasStaticProperties):
        * runtime/ConsoleClient.cpp:
        * runtime/CustomGetterSetter.h:
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        (JSC::addErrorInfoAndGetBytecodeOffset): Deleted.
        * runtime/GetterSetter.h:
        (JSC::asGetterSetter):
        * runtime/JSCInlines.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::put):
        (JSC::JSValue::putInternal):
        (JSC::JSValue::putByIndex):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putByIndex):
        * runtime/JSObject.h:
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::get):
        (JSC::JSObject::putDirectInternal):

2015-12-16  Filip Pizlo  <fpizlo@apple.com>

        Work around a bug in LLVM by flipping the unification order
        https://bugs.webkit.org/show_bug.cgi?id=152341
        rdar://problem/23920749

        Reviewed by Mark Lam.

        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):

2015-12-16  Saam barati  <sbarati@apple.com>

        Add "explicit operator bool" to ScratchRegisterAllocator::PreservedState
        https://bugs.webkit.org/show_bug.cgi?id=152337

        Reviewed by Mark Lam.

        If we have a default constructor, we should also have a way
        to tell if a PreservedState is invalid.

        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):
        (JSC::ScratchRegisterAllocator::PreservedState::operator bool):

2015-12-16  Caitlin Potter  <caitp@igalia.com>

        [JSC] fix error message for eval/arguments CoverInitializedName in strict code
        https://bugs.webkit.org/show_bug.cgi?id=152304

        Reviewed by Darin Adler.

        Because the error was originally classified as indicating a Pattern, the
        error in AssignmentPattern parsing causes the reported message to revert to
        the original Expression error message, which in this case is incorrect.

        This change modifies the implementation of the strict code
        error slightly, and reclassifies the error to prevent the message revert,
        which improves the clarity of the message overall.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseAssignmentElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        * parser/Parser.h:
        (JSC::Parser::ExpressionErrorClassifier::reclassifyExpressionError):
        (JSC::Parser::reclassifyExpressionError):
        * tests/stress/destructuring-assignment-syntax.js:

2015-12-16  Joseph Pecoraro  <pecoraro@apple.com>

        Builtin source should be minified more
        https://bugs.webkit.org/show_bug.cgi?id=152290

        Reviewed by Darin Adler.

        * Scripts/builtins/builtins_model.py:
        (BuiltinFunction.fromString):
        Remove primarily empty lines that would just introduce clutter.
        We only do the minification in non-Debug configurations, which
        is determined by the CONFIGURATION environment variable. You can
        see how tests would generate differently, like so:
        shell> CONFIGURATION=Release ./Tools/Scripts/run-builtins-generator-tests

2015-12-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r194135.
        https://bugs.webkit.org/show_bug.cgi?id=152333

        due to missing OSR exit materialization support in FTL
        (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[ES6] Handle new_generator_func / new_generator_func_exp in
        DFG / FTL"
        https://bugs.webkit.org/show_bug.cgi?id=152227
        http://trac.webkit.org/changeset/194135

2015-12-16  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        [Fetch API] Add fetch API compile time flag
        https://bugs.webkit.org/show_bug.cgi?id=152254

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2015-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL
        https://bugs.webkit.org/show_bug.cgi?id=152227

        Reviewed by Saam Barati.

        This patch introduces new_generator_func / new_generator_func_exp into DFG and FTL.
        We add a new DFG Node, NewGeneratorFunction. It will construct a function with GeneratorFunction's structure.
        The structure of GeneratorFunction is different from that of Function because GeneratorFunction has a different __proto__.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantomNewFunction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::isFunctionAllocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
        * tests/stress/generator-function-create-optimized.js: Added.
        (shouldBe):
        (g):
        (test.return.gen):
        (test):
        (test2.gen):
        (test2):
        * tests/stress/generator-function-declaration-sinking-no-double-allocate.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (call):
        (f):
        (sink):
        * tests/stress/generator-function-declaration-sinking-osrexit.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (g):
        (f):
        (sink):
        * tests/stress/generator-function-declaration-sinking-put.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (g):
        (f):
        (sink):
        * tests/stress/generator-function-expression-sinking-no-double-allocate.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (call):
        (f):
        (sink):
        * tests/stress/generator-function-expression-sinking-osrexit.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (g):
        (sink):
        * tests/stress/generator-function-expression-sinking-put.js: Added.
        (shouldBe):
        (GeneratorFunctionPrototype):
        (g):
        (sink):

2015-12-15  Mark Lam  <mark.lam@apple.com>

        Gardening: fix broken 32-bit JSC tests.  Just need to assign a scratch register.
        https://bugs.webkit.org/show_bug.cgi?id=152191

        Not reviewed.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitBitBinaryOpFastPath):

2015-12-15  Mark Lam  <mark.lam@apple.com>

        Introducing ScratchRegisterAllocator::PreservedState.
        https://bugs.webkit.org/show_bug.cgi?id=152315

        Reviewed by Geoffrey Garen.

        restoreReusedRegistersByPopping() should always be called with 2 values that
        match the expectation of preserveReusedRegistersByPushing().  Those 2 values
        are the number of bytes preserved and the ExtraStackSpace requirement.  By
        encapsulating them in a ScratchRegisterAllocator::PreservedState, we can make
        it less error prone when calling restoreReusedRegistersByPopping().  Now, we only
        need to pass it the appropriate PreservedState that its matching
        preserveReusedRegistersByPushing() returned.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::restoreScratch):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationState::AccessGenerationState):
        * ftl/FTLCompileBinaryOp.cpp:
        (JSC::FTL::generateBinaryBitOpFastPath):
        (JSC::FTL::generateRightShiftFastPath):
        (JSC::FTL::generateBinaryArithOpFastPath):
        * ftl/FTLLazySlowPath.cpp:
        (JSC::FTL::LazySlowPath::generate):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::usedRegisters):
        (JSC::ScratchRegisterAllocator::PreservedState::PreservedState):

2015-12-15  Mark Lam  <mark.lam@apple.com>

        Polymorphic operand types for DFG and FTL bit operators.
        https://bugs.webkit.org/show_bug.cgi?id=152191

        Reviewed by Saam Barati.

        * bytecode/SpeculatedType.h:
        (JSC::isUntypedSpeculationForBitOps):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateUntypedForBitOps):
        - Added check for types not supported by ValueToInt32, which should therefore be
          treated as untyped for bitops.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        - Handled untyped operands.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        - Added DFG slow path functions for bitops.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
        (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
        (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
        (JSC::DFG::SpeculativeJIT::compileShiftOp):
        * dfg/DFGSpeculativeJIT.h:
        - Added DFG backend support for untyped operands for bitops.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        - Limit bitops strength reduction only to when we don't have untyped operands.
          This is because values that are not int32s need to be converted to int32.
          Without untyped operands, the ValueToInt32 node takes care of this.
          With untyped operands, we cannot use ValueToInt32, and need to do the conversion
          in the code emitted for the bitop node itself.  For example:

              5.5 | 0; // yields 5 because ValueToInt32 converts the 5.5 to a 5.
              "abc" | 0; // would yield "abc" instead of the expected 0 if we let
                         // strength reduction do its thing.

        * ftl/FTLCompileBinaryOp.cpp:
        (JSC::FTL::generateBinaryBitOpFastPath):
        (JSC::FTL::generateRightShiftFastPath):
        (JSC::FTL::generateBinaryOpFastPath):

        * ftl/FTLInlineCacheDescriptor.h:
        (JSC::FTL::BitAndDescriptor::BitAndDescriptor):
        (JSC::FTL::BitAndDescriptor::icSize):
        (JSC::FTL::BitAndDescriptor::nodeType):
        (JSC::FTL::BitAndDescriptor::opName):
        (JSC::FTL::BitAndDescriptor::slowPathFunction):
        (JSC::FTL::BitAndDescriptor::nonNumberSlowPathFunction):
        (JSC::FTL::BitOrDescriptor::BitOrDescriptor):
        (JSC::FTL::BitOrDescriptor::icSize):
        (JSC::FTL::BitOrDescriptor::nodeType):
        (JSC::FTL::BitOrDescriptor::opName):
        (JSC::FTL::BitOrDescriptor::slowPathFunction):
        (JSC::FTL::BitOrDescriptor::nonNumberSlowPathFunction):
        (JSC::FTL::BitXorDescriptor::BitXorDescriptor):
        (JSC::FTL::BitXorDescriptor::icSize):
        (JSC::FTL::BitXorDescriptor::nodeType):
        (JSC::FTL::BitXorDescriptor::opName):
        (JSC::FTL::BitXorDescriptor::slowPathFunction):
        (JSC::FTL::BitXorDescriptor::nonNumberSlowPathFunction):
        (JSC::FTL::BitLShiftDescriptor::BitLShiftDescriptor):
        (JSC::FTL::BitLShiftDescriptor::icSize):
        (JSC::FTL::BitLShiftDescriptor::nodeType):
        (JSC::FTL::BitLShiftDescriptor::opName):
        (JSC::FTL::BitLShiftDescriptor::slowPathFunction):
        (JSC::FTL::BitLShiftDescriptor::nonNumberSlowPathFunction):
        (JSC::FTL::BitRShiftDescriptor::BitRShiftDescriptor):
        (JSC::FTL::BitRShiftDescriptor::icSize):
        (JSC::FTL::BitRShiftDescriptor::nodeType):
        (JSC::FTL::BitRShiftDescriptor::opName):
        (JSC::FTL::BitRShiftDescriptor::slowPathFunction):
        (JSC::FTL::BitRShiftDescriptor::nonNumberSlowPathFunction):
        (JSC::FTL::BitURShiftDescriptor::BitURShiftDescriptor):
        (JSC::FTL::BitURShiftDescriptor::icSize):
        (JSC::FTL::BitURShiftDescriptor::nodeType):
        (JSC::FTL::BitURShiftDescriptor::opName):
        (JSC::FTL::BitURShiftDescriptor::slowPathFunction):
        (JSC::FTL::BitURShiftDescriptor::nonNumberSlowPathFunction):
        - Added support for bitop ICs.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfBitAnd):
        (JSC::FTL::sizeOfBitOr):
        (JSC::FTL::sizeOfBitXor):
        (JSC::FTL::sizeOfBitLShift):
        (JSC::FTL::sizeOfBitRShift):
        (JSC::FTL::sizeOfBitURShift):
        * ftl/FTLInlineCacheSize.h:
        - Added new bitop IC sizes.  These are just estimates for now that work adequately,
          and are shown to not impact performance on benchmarks.  We will re-tune these
          size values later in another patch once all snippet ICs have been added.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
        - Added support for bitop ICs.

        * jit/JITLeftShiftGenerator.cpp:
        (JSC::JITLeftShiftGenerator::generateFastPath):
        * jit/JITLeftShiftGenerator.h:
        (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        - The shift MASM operations need to ensure that the shiftAmount is not in the same
          register as the destination register.  With the baselineJIT and DFG, this is
          ensured in how we allocate these registers, and hence, the bug does not manifest.
          With the FTL, these registers are not guaranteed to be unique.  Hence, we need
          to fix the shift op snippet code to compensate for this.

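The conversion the strength-reduction note in the entry above depends on is ECMAScript ToInt32, which every bitwise operator applies to its operands. The block below is an added example written for this page, not code from the WebKit ChangeLog or from JSC: a reference ToInt32 checked against the engine's own `| 0`, and the unguarded and guarded forms of the `x | 0` -> `x` rewrite, showing why the rewrite is only sound for operands already known to be int32. The function names and the sample input list are the example's own.

```javascript
// Added example, not JSC code. Reference ToInt32 per ECMA-262: ToNumber,
// then NaN/±Infinity -> 0, truncate toward zero, reduce modulo 2^32 and
// reinterpret as a signed 32-bit integer.
function toInt32(value) {
  const number = Number(value);            // ToNumber: "abc" -> NaN, "0x10" -> 16
  if (!Number.isFinite(number)) return 0;  // NaN, +Infinity, -Infinity -> 0
  const truncated = Math.trunc(number);    // 5.5 -> 5, -1.9 -> -1
  const modulo = ((truncated % 2 ** 32) + 2 ** 32) % 2 ** 32; // now in [0, 2^32)
  return modulo >= 2 ** 31 ? modulo - 2 ** 32 : modulo;     // now in [-2^31, 2^31)
}

// The rewrite `x | 0` -> `x` is only valid when x is already an int32,
// i.e. when ToInt32(x) is x itself (Object.is also rejects -0, since
// `-0 | 0` is +0).
function isSafeToDropOrZero(value) {
  return typeof value === 'number' && Object.is(toInt32(value), value);
}

// What an unguarded rewrite would compute: the operand passes through
// untouched, so "abc" | 0 would become "abc" (the bug the entry describes).
function unguardedOrZero(value) {
  return value;
}

// Guarded version: drop the operation only for genuine int32 operands and
// otherwise perform the ToInt32 conversion the bitop node must emit itself.
function guardedOrZero(value) {
  return isSafeToDropOrZero(value) ? value : toInt32(value);
}

// Compare the reference conversion with the engine's `| 0` over a list of
// constructed inputs covering the cases the entry calls out and a few edges.
function checkAgainstEngine(values) {
  return values.map((v) => ({
    input: v,
    engine: v | 0,
    reference: toInt32(v),
    agree: (v | 0) === toInt32(v),
    safeToDrop: isSafeToDropOrZero(v),
  }));
}

// Constructed sample inputs (not from the page).
const SAMPLE_INPUTS = [
  5.5, "abc", 0, -0, -1, 2 ** 31, -(2 ** 31) - 1, 2 ** 32 + 5, -0.5,
  NaN, Infinity, 1e21, "0x10", true, null,
];

for (const row of checkAgainstEngine(SAMPLE_INPUTS)) {
  console.log(String(row.input).padEnd(14), "engine:", row.engine,
              "reference:", row.reference, "agree:", row.agree,
              "safeToDrop:", row.safeToDrop);
}
```

Running it shows every row agreeing with the engine; the `safeToDrop` column is true only for plain int32 numbers such as `0`, `-1` and `2 ** 32 + 5`'s result would not qualify since the input itself is not an int32.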
2015-12-15  Caitlin Potter  <caitp@igalia.com>

        [JSC] SyntaxError if AssignmentElement is `eval` or `arguments` in strict code
        https://bugs.webkit.org/show_bug.cgi?id=152302

        Reviewed by Mark Lam.

        `eval` and `arguments` must not be assigned to in strict code. This
        change fixes `language/expressions/assignment/destructuring/obj-id-simple-strict.js`
        in Test262, as well as a variety of other similar tests.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseAssignmentElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        * tests/stress/destructuring-assignment-syntax.js:

2015-12-15  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after 194062.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Added.
        (JSC::MacroAssemblerARM::ceilDouble): Added.

2015-12-14  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should account for localsOffset
        https://bugs.webkit.org/show_bug.cgi?id=152288

        Reviewed by Saam Barati.

        The DFG will build up some data structures that expect to know about offsets from FP. Those data
        structures may slide by some offset when the low-level compiler (either LLVM or B3) does stack
        allocation. So, the LLVM FTL modifies those data structures based on the real offset that it gets
        from LLVM's stackmaps. The B3 code needs to do the same.

        I had previously vowed to never put more stuff into FTLB3Compile.cpp, because I didn't want it to
        look like FTLCompile.cpp. Up until now, I was successful because I used lambdas installed by
        FTLLower. But in this case, I actually think that having code that just does this explicitly in
        FTLB3Compile.cpp is least confusing. There is no particular place in FTLLower that would want to
        care about this, and we need to ensure that we do this fixup before we run any of the stackmap
        generators. In other words, it needs to happen before we call B3::generate(). The ordering
        constraints seem like a good reason to have this done explicitly rather than through lambdas.

        I wrote a test. The test was failing in trunk because the B3 meaning of anchor().value() is
        different from the LLVM meaning. This caused breakage when we used this idiom:

            ValueFromBlock foo = m_out.anchor(things);
            ...(foo.value()) // we were expecting that foo.value() == things

        I never liked this idiom to begin with, so instead of trying to change B3's anchor(), I changed
        the idiom to:

            LValue fooValue = things;
            ValueFromBlock foo = m_out.anchor(fooValue);
            ...(fooValue)

        This is probably a good idea, since eventually we want B3's anchor() to just return the
        UpsilonValue*. To get there, we want to eliminate any situations where code assumes that
        ValueFromBlock is an actual object and not just a typedef for a pointer.

        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::appendTo):
        (JSC::FTL::Output::lockedStackSlot):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::framePointer):
        (JSC::FTL::Output::constBool):
        (JSC::FTL::Output::constInt32):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileForwardVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty):
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
        * ftl/FTLState.h:
        (JSC::FTL::verboseCompilationEnabled):
        * tests/stress/ftl-function-dot-arguments-with-callee-saves.js: Added.

2015-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        Math.random should have an intrinsic thunk and it should be later handled as a DFG Node
        https://bugs.webkit.org/show_bug.cgi?id=152133

        Reviewed by Geoffrey Garen.

        In this patch, we implement new RandomIntrinsic. It emits machine code to generate random numbers efficiently.
        And later it will be recognized by DFG and converted to ArithRandom node.
        It provides type information SpecDoubleReal since Math.random only generates a number within [0, 1.0).

        Currently, only the 64-bit version is supported. On a 32-bit environment, ArithRandom will be converted to callOperation.
        While it emits a function call, ArithRandom node on 32-bit still represents SpecDoubleReal as a result type.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRandom):
        * jit/AssemblyHelpers.cpp:
        (JSC::emitRandomThunkImpl):
        (JSC::AssemblyHelpers::emitRandomThunk):
        * jit/AssemblyHelpers.h:
        * jit/JITOperations.h:
        * jit/ThunkGenerators.cpp:
        (JSC::randomThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::weakRandomOffset):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):
        * tests/stress/random-53bit.js: Added.
        (test):
        * tests/stress/random-in-range.js: Added.
        (test):

2015-12-14  Benjamin Poulain  <benjamin@webkit.org>

        Rename FTL::Output's ceil64() to doubleCeil()

        Rubber-stamped by Filip Pizlo.

        ceil64() was a bad name; that's the naming convention we use for integers.

        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::doubleCeil):
        (JSC::FTL::Output::ceil64): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithRound):

2015-12-14  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should be able to run n-body.js
        https://bugs.webkit.org/show_bug.cgi?id=152281

        Reviewed by Benjamin Poulain.

        Fix a bug where m_captured was pointing to the start of the captured vars slot rather than the
        end, like the rest of the FTL expected.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):

2015-12-14  Benjamin Poulain  <bpoulain@apple.com>

        Fix bad copy-paste in r194062

        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::ceil64):

2015-12-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix cloop build.

        * jit/GPRInfo.cpp:

2015-12-14  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do PutById
        https://bugs.webkit.org/show_bug.cgi?id=152268

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createGenericCompare): I realized that we were missing some useful matching rules.
        * b3/testb3.cpp: Added a bunch of tests.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById): Do the things.
        * jit/GPRInfo.cpp: Added. I had to do this yucky thing because clang was having issues compiling references to this from deeply nested lambdas.
        * jit/GPRInfo.h: Added a comment about how patchpointScratchRegister is bizarre and should probably die.

2015-12-14  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add ceil() support for x86 and expose it to B3
        https://bugs.webkit.org/show_bug.cgi?id=152231

        Reviewed by Geoffrey Garen.

        Most x86 CPUs we care about support ceil() natively
        with the round instruction.

        This patch exposes that behind a runtime flag, uses it
        in the Math.ceil() thunk and exposes it to B3.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::supportsFloatingPointCeil):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsFloatingPointCeil):
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::ceilDouble):
        (JSC::MacroAssemblerX86Common::ceilFloat):
        (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil):
        (JSC::MacroAssemblerX86Common::supportsLZCNT):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::roundss_rr):
        (JSC::X86Assembler::roundss_mr):
        (JSC::X86Assembler::roundsd_rr):
        (JSC::X86Assembler::roundsd_mr):
        (JSC::X86Assembler::mfence):
        (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::ceilConstant):
        * b3/B3ConstDoubleValue.h:
        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::ceilConstant):
        * b3/B3ConstFloatValue.h:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::ceilConstant):
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testCeilArg):
        (JSC::B3::testCeilImm):
        (JSC::B3::testCeilMem):
        (JSC::B3::testCeilCeilArg):
        (JSC::B3::testCeilIToD64):
        (JSC::B3::testCeilIToD32):
        (JSC::B3::testCeilArgWithUselessDoubleConversion):
        (JSC::B3::testCeilArgWithEffectfulDoubleConversion):
        (JSC::B3::populateWithInterestingValues):
        (JSC::B3::run):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::ceil64):
        * jit/ThunkGenerators.cpp:
        (JSC::ceilThunkGenerator):

701 2015-12-14  Andreas Kling  <akling@apple.com>
702
703         ResourceUsageOverlay should show GC timers.
704         <https://webkit.org/b/152151>
705
706         Reviewed by Darin Adler.
707
708         Expose the next fire time (in WTF timestamp style) of a GCActivityCallback.
709
710         * heap/GCActivityCallback.cpp:
711         (JSC::GCActivityCallback::scheduleTimer):
712         (JSC::GCActivityCallback::cancelTimer):
713         * heap/GCActivityCallback.h:
714
715 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
716
717         Unreviewed, fix merge issue in a test.
718
719         * b3/testb3.cpp:
720         (JSC::B3::testCheckTwoMegaCombos):
721         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
722
723 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
724
725         B3 should not give ValueReps for the non-stackmap children of a CheckValue to the generator callback
726         https://bugs.webkit.org/show_bug.cgi?id=152224
727
728         Reviewed by Geoffrey Garen.
729
730         Previously, a stackmap generator for a Check had to know how many children the B3 value for the
731         Check had at the time of code generation. That meant that B3 could not change the kind of Check
732         that it was - for example it cannot turn a Check into a Patchpoint and it cannot turn a CheckAdd
733         into a Check. But just changing the contract so that the stackmap generation params only get the
734         stackmap children of the check means that B3 can transform Checks as it likes.
735
736         This is meant to aid sinking values into checks.
737
738         Also, I found that the effects of a Check did not include HeapRange::top(). I think it's best if
739         exitsSideways does not imply reading top, the way that it does in DFG. In the DFG, that makes
740         sense because the exit analysis is orthogonal, so the clobber analysis tells you about the reads
741         not counting OSR exit - if you need to you can conditionally merge that with World based on a
742         separate exit analysis. But in B3, the Effects object tells you about both exiting and reading,
743         and it's computed by one analysis. Prior to this change, Check was not setting reads to top() so
744         we were effectively saying that Effects::reads is meaningless when exitsSideways is true. It
745         seems more sensible to instead force the analysis to set reads to top() when setting
746         exitsSideways to true, not least because we only have one such analysis and many users. But it
747         also makes sense for another reason: it allows us to bound the set of things that the program
748         will read after it exits. That might not be useful to us now, but it's a nice feature to get for
749         free. I've seen language features that behave like exitsSideways that don't also read top,
750         like an array bounds check that causes sudden termination without making any promises about how
751         pretty the crash dump will look.
752
753         * b3/B3CheckSpecial.cpp:
754         (JSC::B3::CheckSpecial::generate):
755         * b3/B3Opcode.h:
756         * b3/B3Value.cpp:
757         (JSC::B3::Value::effects):
758         * b3/testb3.cpp:
759         (JSC::B3::testSimpleCheck):
760         (JSC::B3::testCheckLessThan):
761         (JSC::B3::testCheckMegaCombo):
762         (JSC::B3::testCheckAddImm):
763         (JSC::B3::testCheckAddImmCommute):
764         (JSC::B3::testCheckAddImmSomeRegister):
765         (JSC::B3::testCheckAdd):
766         (JSC::B3::testCheckAdd64):
767         (JSC::B3::testCheckSubImm):
768         (JSC::B3::testCheckSubBadImm):
769         (JSC::B3::testCheckSub):
770         (JSC::B3::testCheckSub64):
771         (JSC::B3::testCheckNeg):
772         (JSC::B3::testCheckNeg64):
773         (JSC::B3::testCheckMul):
774         (JSC::B3::testCheckMulMemory):
775         (JSC::B3::testCheckMul2):
776         (JSC::B3::testCheckMul64):
777         * ftl/FTLLowerDFGToLLVM.cpp:
778         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
779
780 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
781
782         Air: Support Architecture-specific forms and Opcodes
783         https://bugs.webkit.org/show_bug.cgi?id=151736
784
785         Reviewed by Benjamin Poulain.
786
787         This adds really awesome architecture selection to the AirOpcode.opcodes file. If an opcode or
788         opcode form is unavailable on some architecture, you can still mention its name in C++ code (it'll
789         still be a member of the enum) but isValidForm() and all other reflective queries will tell you
790         that it doesn't exist. This will make the instruction selector steer clear of it, and it will
791         also ensure that the spiller doesn't try to use any unavailable architecture-specific address
792         forms.
793
794         The new capability is documented extensively in a comment in AirOpcode.opcodes.
795
796         * b3/air/AirOpcode.opcodes:
797         * b3/air/opcode_generator.rb:
798
799 2015-12-14  Mark Lam  <mark.lam@apple.com>
800
801         Misc. small fixes in snippet related code.
802         https://bugs.webkit.org/show_bug.cgi?id=152259
803
804         Reviewed by Saam Barati.
805
806         * dfg/DFGSpeculativeJIT.cpp:
807         (JSC::DFG::SpeculativeJIT::compileArithMul):
808         - When loading a constant JSValue for a node, use the one that the node already
809           provides instead of reconstructing it.  This is not a bug, but the fix makes
810           the code cleaner.
811
812         * jit/JITBitAndGenerator.cpp:
813         (JSC::JITBitAndGenerator::generateFastPath):
814         - No need to do a bitand with a constant int 0xffffffff operand.
815
816         * jit/JITBitOrGenerator.cpp:
817         (JSC::JITBitOrGenerator::generateFastPath):
818         - Fix comments: bitor is '|', not '&'.
819         - No need to do a bitor with a constant int 0 operand.
820
821         * jit/JITBitXorGenerator.cpp:
822         (JSC::JITBitXorGenerator::generateFastPath):
823         - Fix comments: bitxor is '^', not '&'.
824
825         * jit/JITRightShiftGenerator.cpp:
826         (JSC::JITRightShiftGenerator::generateFastPath):
827         - Renamed a jump target name to be clearer about its purpose.
828
829 2015-12-14  Mark Lam  <mark.lam@apple.com>
830
831         We should not employ the snippet code in the DFG if no OSR exit was previously encountered.
832         https://bugs.webkit.org/show_bug.cgi?id=152255
833
834         Reviewed by Saam Barati.
835
836         * dfg/DFGFixupPhase.cpp:
837         (JSC::DFG::FixupPhase::fixupNode):
838
839 2015-12-14  Filip Pizlo  <fpizlo@apple.com>
840
841         B3->Air compare-branch fusion should fuse even if the result of the comparison is used more than once
842         https://bugs.webkit.org/show_bug.cgi?id=152198
843
844         Reviewed by Benjamin Poulain.
845
846         If we have a comparison operation that is branched on from multiple places, then we were
847         previously executing the comparison to get a boolean result in a register and then we were
848         testing/branching on that register in multiple places. This is actually less efficient than
849         just fusing the compare/branch multiple times, even though this means that the comparison
850         executes multiple times. This would only be bad if the comparison fused loads multiple times,
851         since duplicating loads is both wrong and inefficient. So, this adds the notion of sharing to
852         compare/branch fusion. If a compare is shared by multiple branches, then we refuse to fuse
853         the load.
854
855         To write the test, I needed to zero-extend 8 to 32. In the process of thinking about how to
856         do this, I realized that we needed lowerings for SExt8/SExt16. And I realized that the
857         lowerings for the other extension operations were not fully fleshed out; for example they
858         were incapable of load fusion. This patch fixes this and also adds some smart strength
859         reductions for BitAnd(@x, 0xff/0xffff/0xffffffff) - all of which should be lowered to a zero
860         extension.
861
862         This is a big win on asm.js code. It's not enough to bridge the gap to LLVM, but it's a huge
863         step in that direction.
864
865         * assembler/MacroAssemblerX86Common.h:
866         (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
867         (JSC::MacroAssemblerX86Common::zeroExtend8To32):
868         (JSC::MacroAssemblerX86Common::signExtend8To32):
869         (JSC::MacroAssemblerX86Common::load16):
870         (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
871         (JSC::MacroAssemblerX86Common::zeroExtend16To32):
872         (JSC::MacroAssemblerX86Common::signExtend16To32):
873         (JSC::MacroAssemblerX86Common::store32WithAddressOffsetPatch):
874         * assembler/X86Assembler.h:
875         (JSC::X86Assembler::movzbl_rr):
876         (JSC::X86Assembler::movsbl_rr):
877         (JSC::X86Assembler::movzwl_rr):
878         (JSC::X86Assembler::movswl_rr):
879         (JSC::X86Assembler::cmovl_rr):
880         * b3/B3LowerToAir.cpp:
881         (JSC::B3::Air::LowerToAir::createGenericCompare):
882         (JSC::B3::Air::LowerToAir::lower):
883         * b3/B3ReduceStrength.cpp:
884         * b3/air/AirOpcode.opcodes:
885         * b3/testb3.cpp:
886         (JSC::B3::testCheckMegaCombo):
887         (JSC::B3::testCheckTwoMegaCombos):
888         (JSC::B3::testCheckTwoNonRedundantMegaCombos):
889         (JSC::B3::testCheckAddImm):
890         (JSC::B3::testTruncSExt32):
891         (JSC::B3::testSExt8):
892         (JSC::B3::testSExt8Fold):
893         (JSC::B3::testSExt8SExt8):
894         (JSC::B3::testSExt8SExt16):
895         (JSC::B3::testSExt8BitAnd):
896         (JSC::B3::testBitAndSExt8):
897         (JSC::B3::testSExt16):
898         (JSC::B3::testSExt16Fold):
899         (JSC::B3::testSExt16SExt16):
900         (JSC::B3::testSExt16SExt8):
901         (JSC::B3::testSExt16BitAnd):
902         (JSC::B3::testBitAndSExt16):
903         (JSC::B3::testSExt32BitAnd):
904         (JSC::B3::testBitAndSExt32):
905         (JSC::B3::testBasicSelect):
906         (JSC::B3::run):
907
908 2015-12-14  Chris Dumez  <cdumez@apple.com>
909
910         Roll out r193974 and follow-up fixes as it caused JSC crashes
911         https://bugs.webkit.org/show_bug.cgi?id=152256
912
913         Unreviewed, roll out r193974 and follow-up fixes as it caused JSC crashes.
914
915         * API/JSCallbackObject.h:
916         * builtins/FunctionPrototype.js:
917         * bytecode/BytecodeBasicBlock.cpp:
918         (JSC::isBranch):
919         * bytecode/BytecodeList.json:
920         * bytecode/BytecodeUseDef.h:
921         (JSC::computeUsesForBytecodeOffset):
922         (JSC::computeDefsForBytecodeOffset):
923         * bytecode/CodeBlock.cpp:
924         (JSC::CodeBlock::dumpBytecode):
925         * bytecode/ExitKind.cpp:
926         (JSC::exitKindToString): Deleted.
927         * bytecode/ExitKind.h:
928         * bytecode/PreciseJumpTargets.cpp:
929         (JSC::getJumpTargetsForBytecodeOffset):
930         * bytecompiler/BytecodeGenerator.cpp:
931         (JSC::BytecodeGenerator::emitCheckHasInstance):
932         (JSC::BytecodeGenerator::emitGetById): Deleted.
933         * bytecompiler/BytecodeGenerator.h:
934         (JSC::BytecodeGenerator::emitTypeOf): Deleted.
935         * bytecompiler/NodesCodegen.cpp:
936         (JSC::InstanceOfNode::emitBytecode):
937         (JSC::LogicalOpNode::emitBytecode): Deleted.
938         (JSC::LogicalOpNode::emitBytecodeInConditionContext): Deleted.
939         * dfg/DFGAbstractInterpreterInlines.h:
940         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
941         * dfg/DFGByteCodeParser.cpp:
942         (JSC::DFG::ByteCodeParser::parseBlock):
943         * dfg/DFGCapabilities.cpp:
944         (JSC::DFG::capabilityLevel):
945         * dfg/DFGClobberize.h:
946         (JSC::DFG::clobberize):
947         * dfg/DFGDoesGC.cpp:
948         (JSC::DFG::doesGC):
949         * dfg/DFGFixupPhase.cpp:
950         (JSC::DFG::FixupPhase::fixupNode):
951         * dfg/DFGHeapLocation.cpp:
952         (WTF::printInternal):
953         * dfg/DFGHeapLocation.h:
954         * dfg/DFGNode.h:
955         (JSC::DFG::Node::hasCellOperand): Deleted.
956         (JSC::DFG::Node::hasTransition): Deleted.
957         * dfg/DFGNodeType.h:
958         * dfg/DFGPredictionPropagationPhase.cpp:
959         (JSC::DFG::PredictionPropagationPhase::propagate):
960         * dfg/DFGSafeToExecute.h:
961         (JSC::DFG::safeToExecute):
962         * dfg/DFGSpeculativeJIT.cpp:
963         (JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
964         (JSC::DFG::SpeculativeJIT::compileArithAdd): Deleted.
965         * dfg/DFGSpeculativeJIT.h:
966         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
967         * dfg/DFGSpeculativeJIT32_64.cpp:
968         (JSC::DFG::SpeculativeJIT::compile):
969         * dfg/DFGSpeculativeJIT64.cpp:
970         (JSC::DFG::SpeculativeJIT::compile):
971         * ftl/FTLCapabilities.cpp:
972         (JSC::FTL::canCompile):
973         * ftl/FTLIntrinsicRepository.h:
974         * ftl/FTLLowerDFGToLLVM.cpp:
975         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
976         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance):
977         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOf): Deleted.
978         (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty): Deleted.
979         * jit/CCallHelpers.h:
980         (JSC::CCallHelpers::setupArguments): Deleted.
981         (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
982         * jit/JIT.cpp:
983         (JSC::JIT::privateCompileMainPass):
984         (JSC::JIT::privateCompileSlowCases):
985         * jit/JIT.h:
986         * jit/JITInlines.h:
987         (JSC::JIT::callOperationNoExceptionCheck): Deleted.
988         (JSC::JIT::callOperation): Deleted.
989         * jit/JITOpcodes.cpp:
990         (JSC::JIT::emit_op_check_has_instance):
991         (JSC::JIT::emit_op_instanceof):
992         (JSC::JIT::emitSlow_op_check_has_instance):
993         (JSC::JIT::emitSlow_op_instanceof):
994         (JSC::JIT::emit_op_is_undefined): Deleted.
995         (JSC::JIT::emitSlow_op_to_number): Deleted.
996         (JSC::JIT::emitSlow_op_to_string): Deleted.
997         * jit/JITOpcodes32_64.cpp:
998         (JSC::JIT::emit_op_check_has_instance):
999         (JSC::JIT::emit_op_instanceof):
1000         (JSC::JIT::emitSlow_op_check_has_instance):
1001         (JSC::JIT::emitSlow_op_instanceof):
1002         (JSC::JIT::emit_op_is_undefined): Deleted.
1003         * jit/JITOperations.cpp:
1004         * jit/JITOperations.h:
1005         * llint/LLIntData.cpp:
1006         (JSC::LLInt::Data::performAssertions): Deleted.
1007         * llint/LLIntSlowPaths.cpp:
1008         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1009         * llint/LLIntSlowPaths.h:
1010         * llint/LowLevelInterpreter32_64.asm:
1011         * llint/LowLevelInterpreter64.asm:
1012         * runtime/CommonIdentifiers.h:
1013         * runtime/ExceptionHelpers.cpp:
1014         (JSC::invalidParameterInstanceofSourceAppender):
1015         (JSC::createInvalidInstanceofParameterError):
1016         (JSC::createError): Deleted.
1017         (JSC::createNotAFunctionError): Deleted.
1018         (JSC::createNotAnObjectError): Deleted.
1019         * runtime/ExceptionHelpers.h:
1020         * runtime/FunctionPrototype.cpp:
1021         (JSC::FunctionPrototype::addFunctionProperties):
1022         * runtime/FunctionPrototype.h:
1023         * runtime/JSBoundFunction.cpp:
1024         (JSC::JSBoundFunction::create): Deleted.
1025         (JSC::JSBoundFunction::customHasInstance): Deleted.
1026         * runtime/JSBoundFunction.h:
1027         * runtime/JSGlobalObject.cpp:
1028         (JSC::JSGlobalObject::init):
1029         (JSC::JSGlobalObject::visitChildren): Deleted.
1030         * runtime/JSGlobalObject.h:
1031         (JSC::JSGlobalObject::throwTypeErrorGetterSetter): Deleted.
1032         * runtime/JSObject.cpp:
1033         (JSC::JSObject::hasInstance):
1034         (JSC::JSObject::defaultHasInstance): Deleted.
1035         (JSC::JSObject::getPropertyNames): Deleted.
1036         (JSC::JSObject::getOwnPropertyNames): Deleted.
1037         * runtime/JSObject.h:
1038         (JSC::JSFinalObject::create): Deleted.
1039         * runtime/JSTypeInfo.h:
1040         (JSC::TypeInfo::TypeInfo):
1041         (JSC::TypeInfo::overridesHasInstance):
1042         * runtime/WriteBarrier.h:
1043         (JSC::WriteBarrierBase<Unknown>::slot):
1044         * tests/es6.yaml:
1045         * tests/stress/instanceof-custom-hasinstancesymbol.js: Removed.
1046         * tests/stress/symbol-hasInstance.js: Removed.
1047
1048 2015-12-13  Benjamin Poulain  <bpoulain@apple.com>
1049
1050         [JSC] Remove FTL::Output's doubleEqualOrUnordered()
1051         https://bugs.webkit.org/show_bug.cgi?id=152234
1052
1053         Reviewed by Sam Weinig.
1054
1055         It is unused, one less thing to worry about.
1056
1057         * ftl/FTLB3Output.h:
1058         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
1059         * ftl/FTLOutput.h:
1060         (JSC::FTL::Output::doubleEqualOrUnordered): Deleted.
1061
1062 2015-12-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1063
1064         [JSC] Should not emit get_by_id for indexed property access
1065         https://bugs.webkit.org/show_bug.cgi?id=151354
1066
1067         Reviewed by Darin Adler.
1068
1069         Before this patch, `a["1"]` is converted to an `a.1` get_by_id operation in the bytecode compiler.
1070         get_by_id emits an IC. ICs rely on the fact that Structure transitions occur when adding / removing an object's properties.
1071         However, this is not true for indexed element properties. They are stored in the element storage and no Structure transition occurs.
1072
1073         For example, in the following case,
1074
1075              function getOne(a) { return a['1']; }
1076
1077              for (var i = 0; i < 36; ++i)
1078                  getOne({2: true});
1079
1080              if (!getOne({1: true}))
1081                  throw new Error("OUT");
1082
1083         In this case, `a['1']` creates a get_by_id. The `getOne({2: true})` calls make getOne's get_by_id create an IC that says,
1084         "when coming across this structure chain, there is no property "1", so we should return `undefined`".
1085
1086         After that, we call `getOne({1: true})`. But in this case, `{2: true}` and `{1: true}` have the same structure chain,
1087         because indexed property addition does not cause a structure transition.
1088         So the previous IC fast path is used and returns `undefined`. But the correct answer is to return `true`.
1089
1090         This patch fixes the above issue. When there is a string bracket access, we only emit get_by_id if the given string is not an index.
1091         There are bugs in get_by_id, put_by_id and put_by_id (direct), but only get_by_id poses a user-observable issue,
1092         because in the put_by_id case, the generic path just says "this put is uncacheable".
1093
1094         * bytecompiler/BytecodeGenerator.cpp:
1095         (JSC::BytecodeGenerator::emitGetById):
1096         (JSC::BytecodeGenerator::emitPutById):
1097         (JSC::BytecodeGenerator::emitDirectPutById):
1098         * bytecompiler/NodesCodegen.cpp:
1099         (JSC::isNonIndexStringElement):
1100         (JSC::BracketAccessorNode::emitBytecode):
1101         (JSC::FunctionCallBracketNode::emitBytecode):
1102         (JSC::AssignBracketNode::emitBytecode):
1103         (JSC::ObjectPatternNode::bindValue):
1104         * tests/stress/element-property-get-should-not-handled-with-get-by-id.js: Added.
1105         (getOne):
1106
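The index check that the fix above hinges on, written out as an added C++ example for this page. It is not JavaScriptCore's own `isNonIndexStringElement` (whose code is not on this page); `parseArrayIndex` and `canEmitGetById` are names chosen here, and the rule implemented is the ECMAScript definition of an array index: the canonical decimal string of an integer in [0, 2^32 - 2].

```cpp
#include <cstdint>
#include <string>

// Returns the array index that a property-key string denotes, or -1 when the
// string is not a canonical array index. "01", "1.0", "1e3" and "4294967295"
// are therefore ordinary named properties, while "1" and "0" are indices.
int64_t parseArrayIndex(const std::string& key)
{
    if (key.empty() || key.size() > 10)      // 10 digits already cover every uint32
        return -1;
    if (key.size() > 1 && key[0] == '0')     // a leading zero is not canonical ("0" alone is fine)
        return -1;
    uint64_t value = 0;
    for (char c : key) {
        if (c < '0' || c > '9')              // signs, dots and exponents disqualify the key
            return -1;
        value = value * 10 + static_cast<uint64_t>(c - '0');
    }
    if (value >= 0xFFFFFFFFull)              // 2^32 - 1 is reserved: it is not an index
        return -1;
    return static_cast<int64_t>(value);
}

// The decision the patch adds to the bytecode generator (hypothetical name):
// a string bracket access may only be lowered to get_by_id when the key is
// not an index, because indexed storage is not covered by Structure
// transitions and an IC keyed on the Structure chain would give stale answers.
bool canEmitGetById(const std::string& key)
{
    return parseArrayIndex(key) < 0;
}
```

The cases worth remembering are the non-canonical spellings: "01" names a regular property even though Number("01") is 1, and "4294967295" is the one value ToUint32 can produce that is still not an array index.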
1107 2015-12-13  Andreas Kling  <akling@apple.com>
1108
1109         CachedScript could have a copy-free path for all-ASCII scripts.
1110         <https://webkit.org/b/152203>
1111
1112         Reviewed by Antti Koivisto.
1113
1114         Make SourceProvider vend a StringView instead of a String.
1115         This relaxes the promises that providers have to make about string lifetimes.
1116
1117         This means that on the WebCore side, CachedScript is free to cache a String
1118         internally, while only ever exposing it as a temporary StringView.
1119
1120         A few extra copies (CPU, not memory) are introduced, none of them on hot paths.
1121
1122         * API/JSScriptRef.cpp:
1123         * bytecode/CodeBlock.cpp:
1124         (JSC::CodeBlock::sourceCodeForTools):
1125         (JSC::CodeBlock::dumpSource):
1126         * inspector/ScriptDebugServer.cpp:
1127         (Inspector::ScriptDebugServer::dispatchDidParseSource):
1128         (Inspector::ScriptDebugServer::dispatchFailedToParseSource):
1129         * interpreter/Interpreter.cpp:
1130         (JSC::Interpreter::execute):
1131         * jsc.cpp:
1132         (functionFindTypeForExpression):
1133         (functionHasBasicBlockExecuted):
1134         (functionBasicBlockExecutionCount):
1135         * parser/Lexer.cpp:
1136         (JSC::Lexer<T>::setCode):
1137         * parser/Lexer.h:
1138         (JSC::Lexer<LChar>::setCodeStart):
1139         (JSC::Lexer<UChar>::setCodeStart):
1140         * parser/Parser.h:
1141         (JSC::Parser::getToken):
1142         * parser/SourceCode.cpp:
1143         (JSC::SourceCode::toUTF8):
1144         * parser/SourceCode.h:
1145         (JSC::SourceCode::hash):
1146         (JSC::SourceCode::view):
1147         (JSC::SourceCode::toString): Deleted.
1148         * parser/SourceCodeKey.h:
1149         (JSC::SourceCodeKey::SourceCodeKey):
1150         (JSC::SourceCodeKey::string):
1151         * parser/SourceProvider.h:
1152         (JSC::SourceProvider::getRange):
1153         * runtime/Completion.cpp:
1154         (JSC::loadAndEvaluateModule):
1155         (JSC::loadModule):
1156         * runtime/ErrorInstance.cpp:
1157         (JSC::appendSourceToError):
1158         * runtime/FunctionPrototype.cpp:
1159         (JSC::functionProtoFuncToString):
1160         * tools/FunctionOverrides.cpp:
1161         (JSC::initializeOverrideInfo):
1162         (JSC::FunctionOverrides::initializeOverrideFor):
1163
1164 2015-12-12  Benjamin Poulain  <benjamin@webkit.org>
1165
1166         [JSC] Add lowering for B3's Store8 opcode
1167         https://bugs.webkit.org/show_bug.cgi?id=152208
1168
1169         Reviewed by Geoffrey Garen.
1170
1171         B3 has an opcode to store 8-bit values but it had
1172         no lowering.
1173
1174         * b3/B3LowerToAir.cpp:
1175         (JSC::B3::Air::LowerToAir::createStore):
1176         (JSC::B3::Air::LowerToAir::lower):
1177         * b3/air/AirOpcode.opcodes:
1178         * b3/testb3.cpp:
1179         (JSC::B3::testStore8Arg):
1180         (JSC::B3::testStore8Imm):
1181         (JSC::B3::testStorePartial8BitRegisterOnX86):
1182         (JSC::B3::run):
1183
1184 2015-12-12  Csaba Osztrogonác  <ossy@webkit.org>
1185
1186         [ARM] Add the missing setupArgumentsWithExecState functions after r193974
1187         https://bugs.webkit.org/show_bug.cgi?id=152214
1188
1189         Reviewed by Mark Lam.
1190
1191         * jit/CCallHelpers.h:
1192         (JSC::CCallHelpers::setupArgumentsWithExecState):
1193
1194 2015-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1195
1196         Web Inspector: Too many derefs when RemoteInspectorXPCConnection fails to validate connection
1197         https://bugs.webkit.org/show_bug.cgi?id=152213
1198
1199         Rubber-stamped by Ryosuke Niwa.
1200
1201         * inspector/remote/RemoteInspectorXPCConnection.mm:
1202         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1203         We should just close the XPC connection triggering XPC_ERROR_CONNECTION_INVALID
1204         which will then gracefully tear down the connection as expected.
1205
1206 2015-12-11  Benjamin Poulain  <bpoulain@apple.com>
1207
1208         [JSC] Add Floating Point Abs() to B3
1209         https://bugs.webkit.org/show_bug.cgi?id=152176
1210
1211         Reviewed by Geoffrey Garen.
1212
1213         This patch adds an Abs() operation for floating point.
1214
1215         On x86, Abs() is implemented by masking the top bit
1216         of the floating point value. On ARM64, there is a builtin
1217         abs opcode.
1218
1219         To account for those differences, B3 uses "Abs" as
1220         the canonical operation. When we are about to lower
1221         to Air, Abs is extended on x86 to get a clean handling
1222         of the mask constants.
1223
1224         This patch has one cool thing related to FTL.
1225         If you do:
1226            @1 = unboxDouble(@0)
1227            @2 = abs(@1)
1228            @3 = boxDouble(@2)
1229
1230         B3ReduceStrength completely eliminates the Double-Integer
1231         conversion.
1232
1233         The strength reduction of Abs is aware that it can do a bit
1234         mask over the bitcast used by unboxing.
1235         It even works if you use floats by forcing fround: reduceDoubleToFloat()
1236         eliminates the useless conversions, followed by ReduceStrength
1237         that removes the switch from GP to FP.
1238
1239         * CMakeLists.txt:
1240         * JavaScriptCore.xcodeproj/project.pbxproj:
1241         * assembler/MacroAssemblerX86Common.h:
1242         (JSC::MacroAssemblerX86Common::andDouble):
1243         (JSC::MacroAssemblerX86Common::andFloat):
1244         * assembler/X86Assembler.h:
1245         (JSC::X86Assembler::andps_rr):
1246         * b3/B3ConstDoubleValue.cpp:
1247         (JSC::B3::ConstDoubleValue::bitAndConstant):
1248         (JSC::B3::ConstDoubleValue::absConstant):
1249         * b3/B3ConstDoubleValue.h:
1250         * b3/B3ConstFloatValue.cpp:
1251         (JSC::B3::ConstFloatValue::bitAndConstant):
1252         (JSC::B3::ConstFloatValue::absConstant):
1253         * b3/B3ConstFloatValue.h:
1254         * b3/B3Generate.cpp:
1255         (JSC::B3::generateToAir):
1256         * b3/B3LowerMacrosAfterOptimizations.cpp: Added.
1257         (JSC::B3::lowerMacrosAfterOptimizations):
1258         * b3/B3LowerMacrosAfterOptimizations.h: Added.
1259         * b3/B3LowerToAir.cpp:
1260         (JSC::B3::Air::LowerToAir::lower):
1261         * b3/B3Opcode.cpp:
1262         (WTF::printInternal):
1263         * b3/B3Opcode.h:
1264         * b3/B3ReduceDoubleToFloat.cpp:
1265         * b3/B3ReduceStrength.cpp:
1266         * b3/B3Validate.cpp:
1267         * b3/B3Value.cpp:
1268         (JSC::B3::Value::absConstant):
1269         (JSC::B3::Value::effects):
1270         (JSC::B3::Value::key):
1271         (JSC::B3::Value::typeFor):
1272         * b3/B3Value.h:
1273         * b3/air/AirOpcode.opcodes:
1274         * b3/testb3.cpp:
1275         (JSC::B3::bitAndDouble):
1276         (JSC::B3::testBitAndArgDouble):
1277         (JSC::B3::testBitAndArgsDouble):
1278         (JSC::B3::testBitAndArgImmDouble):
1279         (JSC::B3::testBitAndImmsDouble):
1280         (JSC::B3::bitAndFloat):
1281         (JSC::B3::testBitAndArgFloat):
1282         (JSC::B3::testBitAndArgsFloat):
1283         (JSC::B3::testBitAndArgImmFloat):
1284         (JSC::B3::testBitAndImmsFloat):
1285         (JSC::B3::testBitAndArgsFloatWithUselessDoubleConversion):
1286         (JSC::B3::testAbsArg):
1287         (JSC::B3::testAbsImm):
1288         (JSC::B3::testAbsMem):
1289         (JSC::B3::testAbsAbsArg):
1290         (JSC::B3::testAbsBitwiseCastArg):
1291         (JSC::B3::testBitwiseCastAbsBitwiseCastArg):
1292         (JSC::B3::testAbsArgWithUselessDoubleConversion):
1293         (JSC::B3::testAbsArgWithEffectfulDoubleConversion):
1294         (JSC::B3::run):
1295         * ftl/FTLB3Output.h:
1296         (JSC::FTL::Output::doubleAbs):
1297
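The x86 flavour of Abs described above (clear the sign bit of the bit pattern) and the Abs-over-bitcast strength reduction, as an added C++ example written for this page. It is not B3's `absConstant`, `andDouble` or `ReduceStrength` code; the helper names and the constant masks are this example's own.

```cpp
#include <cstdint>
#include <cstring>
#include <cmath>

// Bit patterns of IEEE values, as the unboxDouble/boxDouble bitcasts see them.
uint64_t doubleToBits(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
double bitsToDouble(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }
uint32_t floatToBits(float f) { uint32_t b; std::memcpy(&b, &f, sizeof b); return b; }
float bitsToFloat(uint32_t b) { float f; std::memcpy(&f, &b, sizeof f); return f; }

// Sign-bit masks: clearing bit 63 (double) or bit 31 (float) yields |x| for
// every input, including -0.0, the infinities and NaN (payload untouched).
constexpr uint64_t kDoubleAbsMask = 0x7FFFFFFFFFFFFFFFull;
constexpr uint32_t kFloatAbsMask = 0x7FFFFFFFu;

// Abs lowered the way the entry describes for x86: an AND against a constant.
double absDoubleByMask(double d) { return bitsToDouble(doubleToBits(d) & kDoubleAbsMask); }
float absFloatByMask(float f) { return bitsToFloat(floatToBits(f) & kFloatAbsMask); }

// The strength reduction: Abs(BitwiseCast(x)) for an integer x can become
// BitwiseCast(BitAnd(x, mask)), so the value never has to leave GP registers
// when the result is immediately boxed again.
uint64_t absOverBitcast(uint64_t unboxedBits) { return unboxedBits & kDoubleAbsMask; }
```

The mask approach is what makes -0.0 come out as +0.0 and leaves NaN payloads alone, which is why a constant-folding path (`absConstant`) and the emitted code have to agree on those edge cases.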
1298 2015-12-11  Mark Lam  <mark.lam@apple.com>
1299
1300         Removed some dead code, and simplified some code in the baseline JIT.
1301         https://bugs.webkit.org/show_bug.cgi?id=152199
1302
1303         Reviewed by Benjamin Poulain.
1304
1305         * jit/JIT.h:
1306         * jit/JITArithmetic.cpp:
1307         (JSC::JIT::emitBitBinaryOpFastPath):
1308         (JSC::JIT::emit_op_bitand):
1309         (JSC::JIT::emitSlow_op_lshift):
1310         (JSC::JIT::emitRightShiftFastPath):
1311         (JSC::JIT::emit_op_rshift):
1312         (JSC::JIT::emitSlow_op_rshift):
1313         (JSC::JIT::emit_op_urshift):
1314         (JSC::JIT::emitSlow_op_urshift):
1315
1316 2015-12-11  Filip Pizlo  <fpizlo@apple.com>
1317
1318         B3::reduceStrength should remove redundant Phi's
1319         https://bugs.webkit.org/show_bug.cgi?id=152184
1320
1321         Reviewed by Benjamin Poulain.
1322
1323         This adds redundant Phi removal using Aycock and Horspool's SSA simplification algorithm. This
1324         is needed because even in simple asm.js code, we see a lot of CFG simplification that leaves
1325         behind totally useless Phi's.
1326
1327         * b3/B3PhiChildren.cpp:
1328         (JSC::B3::PhiChildren::PhiChildren):
1329         * b3/B3PhiChildren.h:
1330         (JSC::B3::PhiChildren::at):
1331         (JSC::B3::PhiChildren::operator[]):
1332         (JSC::B3::PhiChildren::phis):
1333         * b3/B3ReduceStrength.cpp:
1334
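An added C++ sketch of the redundant-Phi elimination named above, run over a small constructed SSA value list. This is illustration code for this page, not B3's `PhiChildren` or `ReduceStrength` implementation; `Value`, `resolve`, `removeRedundantPhis` and the toy graph are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

enum class Opcode { Const, Phi, Add };

struct Value {
    Opcode opcode;
    std::vector<size_t> children;  // operand indices (for a Phi: one per incoming edge)
    size_t replacement;            // equals the value's own index until it is replaced
};

// Follow identity replacements to the surviving representative.
size_t resolve(const std::vector<Value>& values, size_t index)
{
    while (values[index].replacement != index)
        index = values[index].replacement;
    return index;
}

// Aycock & Horspool style simplification: repeatedly replace any Phi whose
// operands, ignoring references to itself, all resolve to one value. Iterates
// to a fixpoint because folding one Phi can make another redundant.
// Returns the number of Phis removed.
size_t removeRedundantPhis(std::vector<Value>& values)
{
    size_t removed = 0;
    bool changed = true;
    while (changed) {
        changed = false;
        for (size_t i = 0; i < values.size(); ++i) {
            Value& v = values[i];
            if (v.opcode != Opcode::Phi || v.replacement != i)
                continue;
            size_t unique = SIZE_MAX;
            bool redundant = true;
            for (size_t child : v.children) {
                size_t c = resolve(values, child);
                if (c == i)
                    continue;                  // self-reference through a loop back edge
                if (unique == SIZE_MAX)
                    unique = c;
                else if (unique != c) {
                    redundant = false;         // a genuine merge of two different values
                    break;
                }
            }
            if (!redundant || unique == SIZE_MAX)  // keep real merges and all-self Phis
                continue;
            v.replacement = unique;
            ++removed;
            changed = true;
        }
    }
    return removed;
}

// Constructed toy graph: a loop header Phi @1 fed by @0 and by @2, where @2 is
// a Phi that only ever carries @1 around the loop.
//   @0 = Const 42        @3 = Const 7
//   @1 = Phi(@0, @2)     @4 = Phi(@0, @3)   <- genuine merge, must survive
//   @2 = Phi(@1, @1)     @5 = Add(@1, @4)
std::vector<Value> buildDemoGraph()
{
    std::vector<Value> g;
    for (size_t i = 0; i < 6; ++i)
        g.push_back(Value{Opcode::Const, {}, i});
    g[1] = Value{Opcode::Phi, {0, 2}, 1};
    g[2] = Value{Opcode::Phi, {1, 1}, 2};
    g[4] = Value{Opcode::Phi, {0, 3}, 4};
    g[5] = Value{Opcode::Add, {1, 4}, 5};
    return g;
}
```

On the first pass @2 folds to @1; only then does @1's operand list collapse to {@0}, so @1 folds on the second pass and both end up resolving to @0, while @4 is left alone. This is the kind of leftover the entry describes after CFG simplification.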
1335 2015-12-11  Benjamin Poulain  <benjamin@webkit.org>
1336
1337         [JSC] Add an implementation of pow() taking an integer exponent to B3
1338         https://bugs.webkit.org/show_bug.cgi?id=152165
1339
1340         Reviewed by Mark Lam.
1341
1342         LLVM has this really neat optimized opcode for
1343         raising the power of something by an integer exponent.
1344
1345         There is no such native instruction so we need to extend
1346         the existing FTLOutput API to something efficient.
1347
1348         DFG has a pretty competitive implementation. In this patch,
1349         I added a version of it to B3.
1350         I created powDoubleInt32() instead of putting the code directly
1351         in FTL for easier testing and optimization.
1352
1353         * CMakeLists.txt:
1354         * JavaScriptCore.xcodeproj/project.pbxproj:
1355         * b3/B3MathExtras.cpp: Added.
1356         (JSC::B3::powDoubleInt32):
1357         * b3/B3MathExtras.h: Added.
1358         * b3/B3MemoryValue.h:
1359         * b3/testb3.cpp:
1360         (JSC::B3::testPowDoubleByIntegerLoop):
1361         (JSC::B3::run):
1362         * dfg/DFGSpeculativeJIT.cpp:
1363         (JSC::DFG::compileArithPowIntegerFastPath):
1364         * ftl/FTLB3Output.cpp:
1365         (JSC::FTL::Output::doublePowi):
1366         * ftl/FTLB3Output.h:
1367         (JSC::FTL::Output::doublePowi): Deleted.
1368
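The square-and-multiply loop that a routine like the `powDoubleInt32` above compiles, as an added C++ example written for this page. It is not the code in B3's `B3MathExtras.cpp` or the DFG's `compileArithPowIntegerFastPath`; the handling of negative and `INT32_MIN` exponents is this example's own choice.

```cpp
#include <cstdint>

// Raise a double to an integer power with O(log |exponent|) multiplications.
// A negative exponent is handled by computing the positive power and inverting.
double powDoubleInt32(double base, int32_t exponent)
{
    // Take the magnitude in 64 bits first so INT32_MIN does not overflow on negation.
    int64_t wide = exponent;
    uint32_t e = static_cast<uint32_t>(wide < 0 ? -wide : wide);
    double result = 1.0;
    double x = base;
    while (e) {
        if (e & 1)
            result *= x;    // this bit of the exponent contributes x^(2^k)
        x *= x;             // may overflow to +inf on the last iteration; harmless, unused
        e >>= 1;
    }
    return exponent < 0 ? 1.0 / result : result;
}
```

The loop does at most 31 squarings, which is why an integer-exponent fast path beats a generic pow() call for the common small exponents found in JavaScript code.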
1369 2015-12-11  Filip Pizlo  <fpizlo@apple.com>
1370
1371         B3 should have CSE
1372         https://bugs.webkit.org/show_bug.cgi?id=150961
1373
1374         Reviewed by Benjamin Poulain.
1375
1376         This implements a very simple CSE for pure values. I need this as a prerequisite for other
1377         optimizations that I'm implementing. For now, this is neutral on imaging-gaussian-blur but a
1378         slow-down on asm.js code. I suspect that the asm.js slow-down is because of other things that are
1379         still going wrong, and anyway, I need CSE to be able to do even the most basic asm.js strength
1380         reductions.
1381
1382         * b3/B3ReduceStrength.cpp:
1383         * b3/B3ReduceStrength.h:
1384         * b3/B3Value.cpp:
1385         (JSC::B3::Value::replaceWithIdentity):
1386         (JSC::B3::Value::key):
1387
1388 2015-12-11  Mark Lam  <mark.lam@apple.com>
1389
1390         Refactoring to reduce potential cut-paste errors with the FTL ICs.
1391         https://bugs.webkit.org/show_bug.cgi?id=152185
1392
1393         Reviewed by Saam Barati.
1394
1395         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1396         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1397         * JavaScriptCore.xcodeproj/project.pbxproj:
1398
1399         * ftl/FTLCompile.cpp:
1400         - ICs now have their own names.  GetById and PutByID fast path ICs no longer just
1401           say "inline cache fast path".
1402
1403         * ftl/FTLCompileBinaryOp.cpp:
1404         (JSC::FTL::generateBinaryArithOpFastPath):
1405         - Fixed indentation.
1406
1407         * ftl/FTLInlineCacheDescriptor.h:
1408         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
1409         (JSC::FTL::InlineCacheDescriptor::name):
1410         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
1411         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
1412         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
1413         (JSC::FTL::BinaryOpDescriptor::nodeType):
1414         (JSC::FTL::BinaryOpDescriptor::size):
1415         (JSC::FTL::BinaryOpDescriptor::slowPathFunction):
1416         (JSC::FTL::BinaryOpDescriptor::leftOperand):
1417         (JSC::FTL::BinaryOpDescriptor::BinaryOpDescriptor):
1418         (JSC::FTL::ArithDivDescriptor::ArithDivDescriptor):
1419         (JSC::FTL::ArithDivDescriptor::icSize):
1420         (JSC::FTL::ArithDivDescriptor::nodeType):
1421         (JSC::FTL::ArithDivDescriptor::opName):
1422         (JSC::FTL::ArithDivDescriptor::slowPathFunction):
1423         (JSC::FTL::ArithDivDescriptor::nonNumberSlowPathFunction):
1424         (JSC::FTL::ArithMulDescriptor::ArithMulDescriptor):
1425         (JSC::FTL::ArithMulDescriptor::icSize):
1426         (JSC::FTL::ArithMulDescriptor::nodeType):
1427         (JSC::FTL::ArithMulDescriptor::opName):
1428         (JSC::FTL::ArithMulDescriptor::slowPathFunction):
1429         (JSC::FTL::ArithMulDescriptor::nonNumberSlowPathFunction):
1430         (JSC::FTL::ArithSubDescriptor::ArithSubDescriptor):
1431         (JSC::FTL::ArithSubDescriptor::icSize):
1432         (JSC::FTL::ArithSubDescriptor::nodeType):
1433         (JSC::FTL::ArithSubDescriptor::opName):
1434         (JSC::FTL::ArithSubDescriptor::slowPathFunction):
1435         (JSC::FTL::ArithSubDescriptor::nonNumberSlowPathFunction):
1436         (JSC::FTL::ValueAddDescriptor::ValueAddDescriptor):
1437         (JSC::FTL::ValueAddDescriptor::icSize):
1438         (JSC::FTL::ValueAddDescriptor::nodeType):
1439         (JSC::FTL::ValueAddDescriptor::opName):
1440         (JSC::FTL::ValueAddDescriptor::slowPathFunction):
1441         (JSC::FTL::ValueAddDescriptor::nonNumberSlowPathFunction):
1442         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
1443         (JSC::FTL::ProbeDescriptor::ProbeDescriptor):
1444         (JSC::FTL::BinaryOpDescriptor::name): Deleted.
1445         (JSC::FTL::BinaryOpDescriptor::fastPathICName): Deleted.
1446         * ftl/FTLInlineCacheDescriptorInlines.h: Removed.
1447         - Consolidate the number of places where we have to fill in data about new
1448           snippet ICs.  It is all done in FTLInlineCacheDescriptor.h now.
1449
1450         * ftl/FTLJITFinalizer.cpp:
1451         (JSC::FTL::JITFinalizer::finalizeFunction):
1452
1453         * ftl/FTLLowerDFGToLLVM.cpp:
1454         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
1455         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
1456         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1457         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
1458         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
1459         - Introduced a compileUntypedBinaryOp() template and use that at all the FTL
1460           places that need to use a snippet.  This reduces the amount of cut and paste
1461           code.
1462
1463         * ftl/FTLState.h:
1464         - Removed a bad #include.
1465
1466 2015-12-11  Keith Miller  <keith_miller@apple.com>
1467
1468         Overrides has instance should not move ValueFalse to a register then immediately to the stack in the LLInt.
1469         https://bugs.webkit.org/show_bug.cgi?id=152188
1470
1471         Reviewed by Mark Lam.
1472
1473         This fixes a minor issue with the code for the overrides_has_instance in the LLInt. Old code had an extra move,
1474         which is both slow and breaks the build on cloop.
1475
1476         * llint/LowLevelInterpreter64.asm:
1477
1478 2015-12-11  Keith Miller  <keith_miller@apple.com>
1479
1480         [ES6] Add support for Symbol.hasInstance
1481         https://bugs.webkit.org/show_bug.cgi?id=151839
1482
1483         Reviewed by Saam Barati.
1484
1485         This patch adds support for Symbol.hasInstance; unfortunately, in order to prevent
1486         regressions, several new bytecodes and DFG IR nodes were necessary. Before Symbol.hasInstance,
1487         when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
1488         then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
1489         new ones. First, the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
1490         a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
1491         needs non-default behavior for resolving the expression, i.e. the constructor has a Symbol.hasInstance that differs from the one on
1492         Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
1493         we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. instanceof_custom just
1494         emits a call to slow path code that computes the result.
1495
1496         In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
1497         OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
1498         it into a CheckTypeInfoFlags followed by a JSConstant.
1499
1500         * API/JSCallbackObject.h:
1501         * builtins/FunctionPrototype.js:
1502         (symbolHasInstance):
1503         * bytecode/BytecodeBasicBlock.cpp:
1504         (JSC::isBranch): Deleted.
1505         * bytecode/BytecodeList.json:
1506         * bytecode/BytecodeUseDef.h:
1507         (JSC::computeUsesForBytecodeOffset):
1508         (JSC::computeDefsForBytecodeOffset):
1509         * bytecode/CodeBlock.cpp:
1510         (JSC::CodeBlock::dumpBytecode):
1511         * bytecode/ExitKind.cpp:
1512         (JSC::exitKindToString):
1513         * bytecode/ExitKind.h:
1514         * bytecode/PreciseJumpTargets.cpp:
1515         (JSC::getJumpTargetsForBytecodeOffset): Deleted.
1516         * bytecompiler/BytecodeGenerator.cpp:
1517         (JSC::BytecodeGenerator::emitOverridesHasInstance):
1518         (JSC::BytecodeGenerator::emitInstanceOfCustom):
1519         (JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
1520         * bytecompiler/BytecodeGenerator.h:
1521         * bytecompiler/NodesCodegen.cpp:
1522         (JSC::InstanceOfNode::emitBytecode):
1523         * dfg/DFGAbstractInterpreterInlines.h:
1524         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1525         * dfg/DFGByteCodeParser.cpp:
1526         (JSC::DFG::ByteCodeParser::parseBlock):
1527         * dfg/DFGCapabilities.cpp:
1528         (JSC::DFG::capabilityLevel):
1529         * dfg/DFGClobberize.h:
1530         (JSC::DFG::clobberize):
1531         * dfg/DFGDoesGC.cpp:
1532         (JSC::DFG::doesGC):
1533         * dfg/DFGFixupPhase.cpp:
1534         (JSC::DFG::FixupPhase::fixupNode):
1535         * dfg/DFGHeapLocation.cpp:
1536         (WTF::printInternal):
1537         * dfg/DFGHeapLocation.h:
1538         * dfg/DFGNode.h:
1539         (JSC::DFG::Node::hasCellOperand):
1540         (JSC::DFG::Node::hasTypeInfoOperand):
1541         (JSC::DFG::Node::typeInfoOperand):
1542         * dfg/DFGNodeType.h:
1543         * dfg/DFGPredictionPropagationPhase.cpp:
1544         (JSC::DFG::PredictionPropagationPhase::propagate):
1545         * dfg/DFGSafeToExecute.h:
1546         (JSC::DFG::safeToExecute):
1547         * dfg/DFGSpeculativeJIT.cpp:
1548         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
1549         (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
1550         * dfg/DFGSpeculativeJIT.h:
1551         (JSC::DFG::SpeculativeJIT::callOperation):
1552         * dfg/DFGSpeculativeJIT32_64.cpp:
1553         (JSC::DFG::SpeculativeJIT::compile):
1554         * dfg/DFGSpeculativeJIT64.cpp:
1555         (JSC::DFG::SpeculativeJIT::compile):
1556         * ftl/FTLCapabilities.cpp:
1557         (JSC::FTL::canCompile):
1558         * ftl/FTLIntrinsicRepository.h:
1559         * ftl/FTLLowerDFGToLLVM.cpp:
1560         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1561         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
1562         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
1563         (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
1564         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
1565         * jit/JIT.cpp:
1566         (JSC::JIT::privateCompileMainPass):
1567         (JSC::JIT::privateCompileSlowCases):
1568         * jit/JIT.h:
1569         * jit/JITInlines.h:
1570         (JSC::JIT::callOperation):
1571         * jit/JITOpcodes.cpp:
1572         (JSC::JIT::emit_op_overrides_has_instance):
1573         (JSC::JIT::emit_op_instanceof):
1574         (JSC::JIT::emit_op_instanceof_custom):
1575         (JSC::JIT::emitSlow_op_instanceof):
1576         (JSC::JIT::emitSlow_op_instanceof_custom):
1577         (JSC::JIT::emit_op_check_has_instance): Deleted.
1578         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
1579         * jit/JITOpcodes32_64.cpp:
1580         (JSC::JIT::emit_op_overrides_has_instance):
1581         (JSC::JIT::emit_op_instanceof):
1582         (JSC::JIT::emit_op_instanceof_custom):
1583         (JSC::JIT::emitSlow_op_instanceof_custom):
1584         (JSC::JIT::emit_op_check_has_instance): Deleted.
1585         (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
1586         * jit/JITOperations.cpp:
1587         * jit/JITOperations.h:
1588         * llint/LLIntData.cpp:
1589         (JSC::LLInt::Data::performAssertions):
1590         * llint/LLIntSlowPaths.cpp:
1591         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1592         * llint/LLIntSlowPaths.h:
1593         * llint/LowLevelInterpreter32_64.asm:
1594         * llint/LowLevelInterpreter64.asm:
1595         * runtime/CommonIdentifiers.h:
1596         * runtime/ExceptionHelpers.cpp:
1597         (JSC::invalidParameterInstanceofSourceAppender):
1598         (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
1599         (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
1600         (JSC::createInvalidInstanceofParameterErrorNotFunction):
1601         (JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
1602         (JSC::createInvalidInstanceofParameterError): Deleted.
1603         * runtime/ExceptionHelpers.h:
1604         * runtime/FunctionPrototype.cpp:
1605         (JSC::FunctionPrototype::addFunctionProperties):
1606         * runtime/FunctionPrototype.h:
1607         * runtime/JSBoundFunction.cpp:
1608         (JSC::isBoundFunction):
1609         (JSC::hasInstanceBoundFunction):
1610         * runtime/JSBoundFunction.h:
1611         * runtime/JSGlobalObject.cpp:
1612         (JSC::JSGlobalObject::init):
1613         (JSC::JSGlobalObject::visitChildren):
1614         * runtime/JSGlobalObject.h:
1615         (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
1616         * runtime/JSObject.cpp:
1617         (JSC::JSObject::hasInstance):
1618         (JSC::objectPrivateFuncInstanceOf):
1619         * runtime/JSObject.h:
1620         * runtime/JSTypeInfo.h:
1621         (JSC::TypeInfo::TypeInfo):
1622         (JSC::TypeInfo::overridesHasInstance):
1623         * runtime/WriteBarrier.h:
1624         (JSC::WriteBarrierBase<Unknown>::slot):
1625         * tests/es6.yaml:
1626         * tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
1627         (Constructor):
1628         (value):
1629         (instanceOf):
1630         (body):
1631         * tests/stress/symbol-hasInstance.js: Added.
1632         (Constructor):
1633         (value):
1634         (ObjectClass.Symbol.hasInstance):
1635         (NumberClass.Symbol.hasInstance):
1636
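As an added example (not code from the WebKit patch), the three constructor cases that the overrides_has_instance description above distinguishes, written in plain JavaScript so the semantics the new bytecodes must preserve can be checked in any ES6 engine. The overridesHasInstance helper is an assumed name; it only detects a custom Symbol.hasInstance and cannot see the bound-function case, which is why the patch checks that separately.

```javascript
// Added example, not part of the WebKit ChangeLog. Runs under Node.js or any
// ES6-compliant engine; no engine internals are touched.

// Case 1: a plain constructor. instanceof uses the shared
// Function.prototype[Symbol.hasInstance], which walks the prototype chain
// (OrdinaryHasInstance); this is the default path.
function Plain() {}

// Case 2: a constructor whose own Symbol.hasInstance differs from the
// default. The engine must call it instead of walking the prototype chain,
// so instanceof can return true for non-objects such as numbers.
class Even {
  static [Symbol.hasInstance](value) {
    return Number.isInteger(value) && value % 2 === 0;
  }
}

// Case 3: a bound function. It inherits the default Symbol.hasInstance, but
// OrdinaryHasInstance must unwrap to the bound target's prototype, so it
// also needs non-default handling.
function Target() {}
const Bound = Target.bind(null);

// Evaluate every case once and return the results as a plain object.
function instanceOfResults() {
  return {
    plain: new Plain() instanceof Plain,          // default path: true
    plainNotEven: new Plain() instanceof Even,    // custom hook: false
    evenNumber: 4 instanceof Even,                // custom hook: true
    oddNumber: 3 instanceof Even,                 // custom hook: false
    bound: new Target() instanceof Bound,         // bound unwrap: true
    boundFromBound: new Bound() instanceof Bound, // bound unwrap: true
  };
}

// Hypothetical helper: does this constructor carry a Symbol.hasInstance
// other than the shared default? True for Even, false for Plain, and also
// false for Bound, which is exactly why bound functions need a separate
// check rather than a property comparison.
function overridesHasInstance(ctor) {
  return ctor[Symbol.hasInstance] !== Function.prototype[Symbol.hasInstance];
}
```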
1637 2015-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1638
1639         check-for-inappropriate-objc-class-names should check all class names, not just externally visible ones
1640         https://bugs.webkit.org/show_bug.cgi?id=152156
1641
1642         Reviewed by Dan Bernstein.
1643
1644         * llvm/InitializeLLVMMac.cpp:
1645         Remove stale comment. The ObjC class this comment referenced
1646         has already been removed.
1647
1648 2015-12-11  Benjamin Poulain  <benjamin@webkit.org>
1649
1650         [JSC] Little cleanup of FTLOutput type casts and conversions
1651         https://bugs.webkit.org/show_bug.cgi?id=152166
1652
1653         Reviewed by Geoffrey Garen.
1654
1655         Clean up:
1656         - Change fpCast() to explicit conversion doubleToFloat() and floatToDouble()
1657           to match B3's opcodes.
1658         - Remove unused conversion functions.
1659         - Use the most specific cast function when possible.
1660         - Functions that are only used inside FTLOutput are made private.
1661           In FTLB3Output, those functions were removed.
1662
1663         * ftl/FTLB3Output.h:
1664         (JSC::FTL::Output::doubleToFloat):
1665         (JSC::FTL::Output::floatToDouble):
1666         (JSC::FTL::Output::fround):
1667         (JSC::FTL::Output::fpToInt): Deleted.
1668         (JSC::FTL::Output::fpToUInt): Deleted.
1669         (JSC::FTL::Output::intToFP): Deleted.
1670         (JSC::FTL::Output::unsignedToFP): Deleted.
1671         (JSC::FTL::Output::intCast): Deleted.
1672         (JSC::FTL::Output::fpCast): Deleted.
1673         (JSC::FTL::Output::intToPtr): Deleted.
1674         (JSC::FTL::Output::ptrToInt): Deleted.
1675         * ftl/FTLLowerDFGToLLVM.cpp:
1676         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
1677         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
1678         * ftl/FTLOutput.h:
1679         (JSC::FTL::Output::doubleToFloat):
1680         (JSC::FTL::Output::floatToDouble):
1681         (JSC::FTL::Output::intCast):
1682         (JSC::FTL::Output::fpToInt):
1683         (JSC::FTL::Output::fpToUInt):
1684         (JSC::FTL::Output::fpCast):
1685         (JSC::FTL::Output::intToFP):
1686         (JSC::FTL::Output::unsignedToFP):
1687
1688 2015-12-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>
1689
1690         Binding and builtin generators should lowercase RTCXX as rtcXX and not rTCXX
1691         https://bugs.webkit.org/show_bug.cgi?id=152121
1692
1693         Reviewed by Darin Adler.
1694
1695         * Scripts/builtins/builtins_generator.py:
1696         (WK_lcfirst): Added RTC special rule.
1697
1698 2015-12-09  Filip Pizlo  <fpizlo@apple.com>
1699
1700         FTL B3 should be able to run quicksort asm.js test
1701         https://bugs.webkit.org/show_bug.cgi?id=152105
1702
1703         Reviewed by Geoffrey Garen.
1704
1705         This covers making all of the changes needed to run quicksort.js from AsmBench.
1706
1707         - Reintroduced float types to FTLLower since we now have B3::Float.
1708
1709         - Gave FTL::Output the ability to speak of load types and store types separately from LValue
1710           types. This dodges the problem that B3 doesn't have types for Int8 and Int16 but supports loads
1711           and stores of that type.
1712
1713         - Implemented Mod in B3 and wrote tests.
1714
1715         I also fixed a pre-existing bug in a test that appeared to only manifest in release builds.
1716
1717         Currently, B3's performance on asm.js tests is not good. It should be easy to fix:
1718
1719         - B3 should strength-reduce the shifting madness that happens in asm.js memory accesses
1720           https://bugs.webkit.org/show_bug.cgi?id=152106
1721
1722         - B3 constant hoisting should have a story for the asm.js heap constant
1723           https://bugs.webkit.org/show_bug.cgi?id=152107
1724
1725         * b3/B3CCallValue.h:
1726         * b3/B3Const32Value.cpp:
1727         (JSC::B3::Const32Value::divConstant):
1728         (JSC::B3::Const32Value::modConstant):
1729         (JSC::B3::Const32Value::bitAndConstant):
1730         * b3/B3Const32Value.h:
1731         * b3/B3Const64Value.cpp:
1732         (JSC::B3::Const64Value::divConstant):
1733         (JSC::B3::Const64Value::modConstant):
1734         (JSC::B3::Const64Value::bitAndConstant):
1735         * b3/B3Const64Value.h:
1736         * b3/B3ReduceStrength.cpp:
1737         * b3/B3Validate.cpp:
1738         * b3/B3Value.cpp:
1739         (JSC::B3::Value::divConstant):
1740         (JSC::B3::Value::modConstant):
1741         (JSC::B3::Value::bitAndConstant):
1742         * b3/B3Value.h:
1743         * b3/testb3.cpp:
1744         (JSC::B3::testChillDiv64):
1745         (JSC::B3::testMod):
1746         (JSC::B3::testSwitch):
1747         (JSC::B3::run):
1748         * ftl/FTLB3Output.cpp:
1749         (JSC::FTL::Output::load16ZeroExt32):
1750         (JSC::FTL::Output::store):
1751         (JSC::FTL::Output::store32As8):
1752         (JSC::FTL::Output::store32As16):
1753         (JSC::FTL::Output::loadFloatToDouble): Deleted.
1754         * ftl/FTLB3Output.h:
1755         (JSC::FTL::Output::mul):
1756         (JSC::FTL::Output::div):
1757         (JSC::FTL::Output::chillDiv):
1758         (JSC::FTL::Output::rem):
1759         (JSC::FTL::Output::neg):
1760         (JSC::FTL::Output::load32):
1761         (JSC::FTL::Output::load64):
1762         (JSC::FTL::Output::loadPtr):
1763         (JSC::FTL::Output::loadFloat):
1764         (JSC::FTL::Output::loadDouble):
1765         (JSC::FTL::Output::store32):
1766         (JSC::FTL::Output::store64):
1767         (JSC::FTL::Output::storePtr):
1768         (JSC::FTL::Output::storeFloat):
1769         (JSC::FTL::Output::storeDouble):
1770         (JSC::FTL::Output::addPtr):
1771         (JSC::FTL::Output::extractValue):
1772         (JSC::FTL::Output::call):
1773         (JSC::FTL::Output::operation):
1774         * ftl/FTLLowerDFGToLLVM.cpp:
1775         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetByVal):
1776         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutByVal):
1777         (JSC::FTL::DFG::LowerDFGToLLVM::compileArrayPush):
1778         (JSC::FTL::DFG::LowerDFGToLLVM::compileArrayPop):
1779         * ftl/FTLOutput.cpp:
1780         (JSC::FTL::Output::Output):
1781         (JSC::FTL::Output::store):
1782         (JSC::FTL::Output::check):
1783         (JSC::FTL::Output::load):
1784         * ftl/FTLOutput.h:
1785         (JSC::FTL::Output::load32):
1786         (JSC::FTL::Output::load64):
1787         (JSC::FTL::Output::loadPtr):
1788         (JSC::FTL::Output::loadFloat):
1789         (JSC::FTL::Output::loadDouble):
1790         (JSC::FTL::Output::store32As8):
1791         (JSC::FTL::Output::store32As16):
1792         (JSC::FTL::Output::store32):
1793         (JSC::FTL::Output::store64):
1794         (JSC::FTL::Output::storePtr):
1795         (JSC::FTL::Output::storeFloat):
1796         (JSC::FTL::Output::storeDouble):
1797         (JSC::FTL::Output::addPtr):
1798         (JSC::FTL::Output::loadFloatToDouble): Deleted.
1799         (JSC::FTL::Output::store16): Deleted.
1800
1801 2015-12-10  Filip Pizlo  <fpizlo@apple.com>
1802
1803         Consider still matching an address expression even if B3 has already assigned a Tmp to it
1804         https://bugs.webkit.org/show_bug.cgi?id=150777
1805
1806         Reviewed by Geoffrey Garen.
1807
1808         We need some heuristic for when an address should be computed as a separate instruction. It's
1809         usually profitable to sink the address into the memory access. The previous heuristic meant that
1810         the address would get separate instructions if it was in a separate block from the memory access.
1811         This was messing up codegen of things like PutByVal out-of-bounds, where the address is computed
1812         in one block and then used in another. I don't think that which block owns the address
1813         computation should factor into any heuristic here, since it's so fragile: the compiler may lower
1814         something by splitting blocks and we don't want this to ruin performance.
1815
1816         So, this replaces that heuristic with a more sensible one: the address computation gets its own
1817         instruction if it has a lot of uses. In practice this means that we always sink the address
1818         computation into the memory access.
1819
1820         * b3/B3LowerToAir.cpp:
1821         (JSC::B3::Air::LowerToAir::effectiveAddr):
1822
1823 2015-12-10  Daniel Bates  <dabates@apple.com>
1824
1825         [CSP] eval() is not blocked for stringified literals
1826         https://bugs.webkit.org/show_bug.cgi?id=152158
1827         <rdar://problem/15775625>
1828
1829         Reviewed by Saam Barati.
1830
1831         Fixes an issue where stringified literals can be eval()ed despite being disallowed by
1832         Content Security Policy of the page.
1833
1834         * interpreter/Interpreter.cpp:
1835         (JSC::eval): Throw a JavaScript EvalError exception if eval() is disallowed for the page
1836         and return undefined.
1837         * runtime/JSGlobalObjectFunctions.cpp:
1838         (JSC::globalFuncEval): Ditto.
1839
1840 2015-12-10  Joseph Pecoraro  <pecoraro@apple.com>
1841
1842         Fix jsc symlink creation on iOS
1843         https://bugs.webkit.org/show_bug.cgi?id=152155
1844
1845         Reviewed by Dan Bernstein.
1846
1847         * JavaScriptCore.xcodeproj/project.pbxproj:
1848         Switch from INSTALL_PATH_ACTUAL to just INSTALL_PATH.
1849         Remove now unnecessary INSTALL_PATH_PREFIX use as well.
1850
1851 2015-12-10  Joseph Pecoraro  <pecoraro@apple.com>
1852
1853         Remote Inspector: Verify the identity of the other side of XPC connections
1854         https://bugs.webkit.org/show_bug.cgi?id=152153
1855
1856         Reviewed by Brian Burg.
1857
1858         * JavaScriptCore.xcodeproj/project.pbxproj:
1859         Link with the Security framework.
1860
1861         * inspector/remote/RemoteInspectorXPCConnection.h:
1862         * inspector/remote/RemoteInspectorXPCConnection.mm:
1863         (auditTokenHasEntitlement):
1864         (Inspector::RemoteInspectorXPCConnection::handleEvent):
1865         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection): Deleted.
1866         When receiving the first message, verify the XPC connection
1867         is connected to who we thought we were connected to and
1868         bail if it isn't.
1869
1870 2015-12-10  Benjamin Poulain  <bpoulain@apple.com>
1871
1872         [JSC] Add a Modulo operator to B3, and a chill variant
1873         https://bugs.webkit.org/show_bug.cgi?id=152110
1874
1875         Reviewed by Geoffrey Garen.
1876
1877         It is basically refactoring the Div and ChillDiv
1878         code to be used by both opcodes.
1879
1880         * b3/B3Common.h:
1881         (JSC::B3::chillDiv):
1882         (JSC::B3::chillMod):
1883         * b3/B3Const32Value.cpp:
1884         (JSC::B3::Const32Value::modConstant):
1885         * b3/B3Const32Value.h:
1886         * b3/B3Const64Value.cpp:
1887         (JSC::B3::Const64Value::modConstant):
1888         * b3/B3Const64Value.h:
1889         * b3/B3ConstDoubleValue.cpp:
1890         (JSC::B3::ConstDoubleValue::modConstant):
1891         * b3/B3ConstDoubleValue.h:
1892         * b3/B3LowerMacros.cpp:
1893         * b3/B3LowerToAir.cpp:
1894         (JSC::B3::Air::LowerToAir::lower):
1895         (JSC::B3::Air::LowerToAir::lowerX86Div):
1896         * b3/B3Opcode.cpp:
1897         (WTF::printInternal):
1898         * b3/B3Opcode.h:
1899         * b3/B3ReduceStrength.cpp:
1900         * b3/B3Validate.cpp:
1901         * b3/B3Value.cpp:
1902         (JSC::B3::Value::modConstant):
1903         (JSC::B3::Value::effects):
1904         (JSC::B3::Value::key):
1905         (JSC::B3::Value::typeFor):
1906         * b3/B3Value.h:
1907         * b3/testb3.cpp:
1908         (JSC::B3::testModArgDouble):
1909         (JSC::B3::testModArgsDouble):
1910         (JSC::B3::testModArgImmDouble):
1911         (JSC::B3::testModImmArgDouble):
1912         (JSC::B3::testModImmsDouble):
1913         (JSC::B3::testModArgFloat):
1914         (JSC::B3::testModArgsFloat):
1915         (JSC::B3::testModArgImmFloat):
1916         (JSC::B3::testModImmArgFloat):
1917         (JSC::B3::testModImmsFloat):
1918         (JSC::B3::testModArg):
1919         (JSC::B3::testModArgs):
1920         (JSC::B3::testModImms):
1921         (JSC::B3::testModArg32):
1922         (JSC::B3::testModArgs32):
1923         (JSC::B3::testModImms32):
1924         (JSC::B3::testChillModArg):
1925         (JSC::B3::testChillModArgs):
1926         (JSC::B3::testChillModImms):
1927         (JSC::B3::testChillModArg32):
1928         (JSC::B3::testChillModArgs32):
1929         (JSC::B3::testChillModImms32):
1930         (JSC::B3::run):
1931         * ftl/FTLB3Output.h:
1932         (JSC::FTL::Output::mod):
1933         (JSC::FTL::Output::chillMod):
1934         (JSC::FTL::Output::doubleMod):
1935         (JSC::FTL::Output::rem): Deleted.
1936         (JSC::FTL::Output::doubleRem): Deleted.
1937         * ftl/FTLLowerDFGToLLVM.cpp:
1938         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMod):
1939         * ftl/FTLOutput.cpp:
1940         (JSC::FTL::Output::chillMod):
1941         * ftl/FTLOutput.h:
1942         (JSC::FTL::Output::mod):
1943         (JSC::FTL::Output::doubleMod):
1944         (JSC::FTL::Output::rem): Deleted.
1945         (JSC::FTL::Output::doubleRem): Deleted.
1946
1947 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1948
1949         [B3] Add new files to the cmake build system
1950         https://bugs.webkit.org/show_bug.cgi?id=152120
1951
1952         Reviewed by Filip Pizlo.
1953
1954         * CMakeLists.txt:
1955
1956 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1957
1958         [B3] Use mark pragmas only if it is supported
1959         https://bugs.webkit.org/show_bug.cgi?id=152123
1960
1961         Reviewed by Mark Lam.
1962
1963         * ftl/FTLB3Output.h:
1964
1965 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1966
1967         [B3] Typo fix in testb3.cpp
1968         https://bugs.webkit.org/show_bug.cgi?id=152126
1969
1970         Reviewed by Mark Lam.
1971
1972         * b3/testb3.cpp:
1973         (JSC::B3::populateWithInterestingValues):
1974
1975 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1976
1977         [B3] Fix unused-but-set-variable warning
1978         https://bugs.webkit.org/show_bug.cgi?id=152122
1979
1980         Reviewed by Mark Lam.
1981
1982         * ftl/FTLLowerDFGToLLVM.cpp:
1983         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1984
1985 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1986
1987         [B3] Make GCC ignore warnings in FTLB3Output.h
1988         https://bugs.webkit.org/show_bug.cgi?id=152124
1989
1990         Reviewed by Mark Lam.
1991
1992         * ftl/FTLB3Output.h:
1993
1994 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
1995
1996         [EFL] Remove the unused IncrementalSweeper::m_isTimerFrozen member after r193749
1997         https://bugs.webkit.org/show_bug.cgi?id=152127
1998
1999         Reviewed by Mark Lam.
2000
2001         * heap/IncrementalSweeper.h:
2002
2003 2015-12-10  Csaba Osztrogonác  <ossy@webkit.org>
2004
2005         Source/JavaScriptCore/create_hash_table shouldn't be too verbose
2006         https://bugs.webkit.org/show_bug.cgi?id=151861
2007
2008         Reviewed by Darin Adler.
2009
2010         * create_hash_table:
2011
2012 2015-12-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>
2013
2014         JSC Builtins should use safe array methods
2015         https://bugs.webkit.org/show_bug.cgi?id=151501
2016
2017         Reviewed by Darin Adler.
2018
2019         Adding @push and @shift to Array prototype.
2020         Using @push in TypedArray built-in.
2021
2022         Covered by added test in LayoutTests/js/builtins
2023
2024         * builtins/TypedArray.prototype.js:
2025         (filter):
2026         * runtime/ArrayPrototype.cpp:
2027         (JSC::ArrayPrototype::finishCreation):
2028         * runtime/CommonIdentifiers.h:
2029
2030 2015-12-08  Filip Pizlo  <fpizlo@apple.com>
2031
2032         FTL B3 should have basic GetById support
2033         https://bugs.webkit.org/show_bug.cgi?id=152035
2034
2035         Reviewed by Saam Barati.
2036
2037         Adds basic GetById support. This was so easy to do. Unlike the LLVM code for this, the B3 code is
2038         entirely self-contained within the getById() method in LowerDFG.
2039
2040         I discovered that we weren't folding Check(NotEqual(x, 0)) to Check(x). This was preventing us
2041         from generating good code for Check(NotEqual(BitAnd(x, tagMask), 0)), since the BitAnd was
2042         concealed. This was an easy strength reduction rule to add.
2043
2044         Finally, I found it easier to say append(value, rep) than append(ConstrainedValue(value, rep)), so
2045         I added that API. The old ConstrainedValue form is still super useful in other places, like
2046         compileCallOrConstruct(), where the two-argument form would be awkward. It's great to have both
2047         APIs to pick from.
2048
2049         * b3/B3ReduceStrength.cpp:
2050         * b3/B3StackmapValue.cpp:
2051         (JSC::B3::StackmapValue::~StackmapValue):
2052         (JSC::B3::StackmapValue::append):
2053         * b3/B3StackmapValue.h:
2054         * dfg/DFGCommon.h:
2055         * ftl/FTLLowerDFGToLLVM.cpp:
2056         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2057
2058 2015-12-09  Saam barati  <sbarati@apple.com>
2059
2060         Update generators' features.json to indicate that we have a spec compliant implementation
2061         https://bugs.webkit.org/show_bug.cgi?id=152085
2062
2063         Reviewed by Joseph Pecoraro.
2064
2065         * features.json:
2066
2067 2015-12-09  Saam barati  <sbarati@apple.com>
2068
2069         Update features.json w.r.t tail calls
2070         https://bugs.webkit.org/show_bug.cgi?id=152072
2071
2072         Reviewed by Michael Saboff.
2073
2074         * features.json:
2075
2076 2015-12-09  Saam barati  <sbarati@apple.com>
2077
2078         we should emit op_watchdog after op_enter
2079         https://bugs.webkit.org/show_bug.cgi?id=151972
2080
2081         Reviewed by Mark Lam.
2082
2083         This also solves the issue of watchdog not being
2084         observed when we loop purely through tail calls.
2085
2086         * API/tests/ExecutionTimeLimitTest.cpp:
2087         (testExecutionTimeLimit):
2088         * bytecompiler/BytecodeGenerator.cpp:
2089         (JSC::BytecodeGenerator::BytecodeGenerator):
2090         (JSC::BytecodeGenerator::emitProfiledOpcode):
2091         (JSC::BytecodeGenerator::emitEnter):
2092         (JSC::BytecodeGenerator::emitLoopHint):
2093         * bytecompiler/BytecodeGenerator.h:
2094
2095 2015-12-08  Benjamin Poulain  <bpoulain@apple.com>
2096
2097         [JSC] Improve how B3 lowers Add() and Sub() on x86
2098         https://bugs.webkit.org/show_bug.cgi?id=152026
2099
2100         Reviewed by Geoffrey Garen.
2101
2102         The assembler was missing some important x86 forms of
2103         ADD and SUB that were making our lowering
2104         unfriendly to register allocation.
2105
2106         First, we were missing a 3-operand version of Add
2107         implemented with LEA. As a result, an Add would
2108         be lowered as:
2109             Move op1->srcDest
2110             Add op2, srcDest
2111         The problem with such code is that op2 and srcDest
2112         interfere. It is impossible to assign them the same
2113         machine register.
2114
2115         With the new Add form, we have:
2116             Add op1, op2, dest
2117         without interference between any of those values.
2118         The add is implemented by a LEA without scaling or displacement.
2119
2120         This patch also adds missing forms of Add and Sub with
2121         direct addressing for arguments. This avoids dealing with Tmps
2122         that only exist for those operations.
2123
2124         Finally, the lowering of adding something to itself was updated accordingly.
2125         Such an operation is transformed into Shl by 2. The lowering of Shl
2126         was adding an explicit Move, preventing the use of LEA when it
2127         is useful.
2128         Instead of having an explicit move, I changed the direct addressing
2129         forms to only be selected if the two operands are different.
2130         A Move is then added by appendBinOp() if needed.
2131
2132         * assembler/MacroAssemblerX86Common.h:
2133         (JSC::MacroAssemblerX86Common::add32):
2134         (JSC::MacroAssemblerX86Common::x86Lea32):
2135         * assembler/MacroAssemblerX86_64.h:
2136         (JSC::MacroAssemblerX86_64::add64):
2137         (JSC::MacroAssemblerX86_64::x86Lea64):
2138         (JSC::MacroAssemblerX86_64::sub64):
2139         * assembler/X86Assembler.h:
2140         (JSC::X86Assembler::addq_rm):
2141         (JSC::X86Assembler::subq_mr):
2142         (JSC::X86Assembler::subq_rm):
2143         (JSC::X86Assembler::subq_im):
2144         (JSC::X86Assembler::leal_mr):
2145         (JSC::X86Assembler::leaq_mr):
2146         * b3/B3LowerToAir.cpp:
2147         (JSC::B3::Air::LowerToAir::appendBinOp):
2148         (JSC::B3::Air::LowerToAir::lower):
2149         * b3/air/AirOpcode.opcodes:
2150         * b3/testb3.cpp:
2151         (JSC::B3::testAddArgMem):
2152         (JSC::B3::testAddMemArg):
2153         (JSC::B3::testAddImmMem):
2154         (JSC::B3::testAddArg32):
2155         (JSC::B3::testAddArgMem32):
2156         (JSC::B3::testAddMemArg32):
2157         (JSC::B3::testAddImmMem32):
2158         (JSC::B3::testSubArgMem):
2159         (JSC::B3::testSubMemArg):
2160         (JSC::B3::testSubImmMem):
2161         (JSC::B3::testSubMemImm):
2162         (JSC::B3::testSubMemArg32):
2163         (JSC::B3::testSubArgMem32):
2164         (JSC::B3::testSubImmMem32):
2165         (JSC::B3::testSubMemImm32):
2166         (JSC::B3::run):
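
Added example, not part of this ChangeLog entry and not JavaScriptCore code: the three-operand Add form described in the entry above is x86's LEA with no scale and no displacement, so dest, op1 and op2 can all live in different registers. The JavaScript below encodes lea dest, [base + index] as raw x86-64 bytes, and for contrast the older Move-then-Add pair in which srcDest and op2 interfere. It also handles the two SIB corner cases an assembler must get right: rbp/r13 as base needs mod=01 with a zero disp8, and rsp cannot be an index, so the operands are swapped. The REG table and all function names are this example's own, not the assembler's.

```javascript
// x86-64 general-purpose registers: the low 3 bits go in ModRM/SIB fields,
// bit 3 goes in the REX prefix.
const REG = {
  rax: 0, rcx: 1, rdx: 2, rbx: 3, rsp: 4, rbp: 5, rsi: 6, rdi: 7,
  r8: 8, r9: 9, r10: 10, r11: 11, r12: 12, r13: 13, r14: 14, r15: 15,
};

function reg(name) {
  const n = REG[name];
  if (n === undefined) throw new Error(`unknown register ${name}`);
  return n;
}

// Emit an optional REX prefix: W selects 64-bit operand size; R, X and B
// extend the ModRM.reg, SIB.index and SIB.base/ModRM.rm fields respectively.
function rex(bytes, w, r, x, b) {
  const v = (w ? 8 : 0) | ((r >> 3) << 2) | ((x >> 3) << 1) | (b >> 3);
  if (v) bytes.push(0x40 | v);
}

// Three-operand add: lea dest, [base + index] with scale 1 and no
// displacement. None of the three operands has to share a register.
function encodeLeaAdd(dest, base, index, is64 = true) {
  const d = reg(dest);
  let b = reg(base);
  let x = reg(index);
  // SIB.index == 100 without REX.X means "no index", so rsp cannot be an
  // index. The add is commutative and unscaled, so swap the operands.
  if (x === REG.rsp) [b, x] = [x, b];
  if (x === REG.rsp) throw new Error("rsp + rsp has no base+index encoding");
  // SIB.base == 101 with mod == 00 means "disp32, no base", so rbp and r13
  // as base need mod == 01 plus an explicit zero disp8.
  const needsDisp8 = (b & 7) === 5;
  const mod = needsDisp8 ? 0b01 : 0b00;
  const bytes = [];
  rex(bytes, is64, d, x, b);
  bytes.push(0x8d);                                  // LEA r, m
  bytes.push((mod << 6) | ((d & 7) << 3) | 0b100);   // ModRM: rm=100 -> SIB follows
  bytes.push(((x & 7) << 3) | (b & 7));              // SIB: scale=1, index, base
  if (needsDisp8) bytes.push(0x00);
  return bytes;
}

// The pre-patch lowering: mov srcDest, op1 ; add srcDest, op2.
// srcDest and op2 are both live across the add, so they cannot share a register.
function encodeMoveThenAdd(srcDest, op1, op2, is64 = true) {
  const d = reg(srcDest), s1 = reg(op1), s2 = reg(op2);
  const bytes = [];
  rex(bytes, is64, s1, 0, d);
  bytes.push(0x89, 0xc0 | ((s1 & 7) << 3) | (d & 7)); // MOV r/m, r
  rex(bytes, is64, s2, 0, d);
  bytes.push(0x01, 0xc0 | ((s2 & 7) << 3) | (d & 7)); // ADD r/m, r
  return bytes;
}

function hex(bytes) {
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join(" ");
}

console.log("lea rax, [rbx+rcx]   ->", hex(encodeLeaAdd("rax", "rbx", "rcx")));
console.log("lea r8d, [rbp+rcx]   ->", hex(encodeLeaAdd("r8", "rbp", "rcx", false)));
console.log("mov+add rax, rbx, rcx ->", hex(encodeMoveThenAdd("rax", "rbx", "rcx")));
```

The LEA form is four bytes for the common case against six for the move-then-add pair, and more importantly it imposes no interference between op2 and the destination, which is the register-allocation point the entry makes.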
2167
2168 2015-12-08  Mark Lam  <mark.lam@apple.com>
2169
2170         Factoring out common DFG code for bitwise and shift operators.
2171         https://bugs.webkit.org/show_bug.cgi?id=152019
2172
2173         Reviewed by Michael Saboff.
2174
2175         * dfg/DFGSpeculativeJIT.cpp:
2176         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
2177         (JSC::DFG::SpeculativeJIT::compileShiftOp):
2178         * dfg/DFGSpeculativeJIT.h:
2179         * dfg/DFGSpeculativeJIT32_64.cpp:
2180         (JSC::DFG::SpeculativeJIT::compile):
2181         * dfg/DFGSpeculativeJIT64.cpp:
2182         (JSC::DFG::SpeculativeJIT::compile):
2183
2184 2015-12-08  Mark Lam  <mark.lam@apple.com>
2185
2186         DFG and FTL should be resilient against cases where both snippet operands are constant.
2187         https://bugs.webkit.org/show_bug.cgi?id=152017
2188
2189         Reviewed by Michael Saboff.
2190
2191         The DFG front end may not always constant fold cases where both operands are
2192         constant.  As a result, the DFG and FTL back ends need to be resilient against
2193         this when using snippet generators since the generators do not support the case
2194         where both operands are constant.  The strategy for handling this 2-constant-operand
2195         case is to treat at least one of them as a variable if both are constant.
2196
2197         * dfg/DFGSpeculativeJIT.cpp:
2198         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2199         - Also remove the case for folding 2 constant operands.  It is the front end's
2200           job to do so, not the back end here.
2201
2202         (JSC::DFG::SpeculativeJIT::compileArithSub):
2203         (JSC::DFG::SpeculativeJIT::compileArithMul):
2204         * ftl/FTLLowerDFGToLLVM.cpp:
2205         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2206         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2207
2208 2015-12-08  Mark Lam  <mark.lam@apple.com>
2209
2210         Snippefy shift operators for the baseline JIT.
2211         https://bugs.webkit.org/show_bug.cgi?id=151875
2212
2213         Reviewed by Geoffrey Garen.
2214
2215         * CMakeLists.txt:
2216         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2217         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2218         * JavaScriptCore.xcodeproj/project.pbxproj:
2219         * jit/JIT.h:
2220
2221         * jit/JITArithmetic.cpp:
2222         (JSC::JIT::emitBitBinaryOpFastPath):
2223         - Don't need GPRInfo:: qualifiers.  Removed them to reduce verbosity.
2224         - Also removed the emitStoreInt32() case for storing the result on 32-bit ports.
2225           This is because:
2226           1. The client should not make assumptions about whether the snippet fast path
2227              only includes cases where the result tag already contains the IntTag.
2228           2. The "(op1 == result || op2 == result)" condition for skipping the IntTag
2229              storage is only valid for the bitand, bitor, and bitxor implementations.
2230              It is invalid for the lshift implementation that uses this code now.
2231           Instead, we'll always unconditionally store whatever result tag the
2232           snippet computed for us.
2233
2234         (JSC::JIT::emit_op_lshift):
2235         (JSC::JIT::emitSlow_op_lshift):
2236         (JSC::JIT::emitRightShiftFastPath):
2237         (JSC::JIT::emit_op_rshift):
2238         (JSC::JIT::emitSlow_op_rshift):
2239         (JSC::JIT::emit_op_urshift):
2240         (JSC::JIT::emitSlow_op_urshift):
2241
2242         * jit/JITArithmetic32_64.cpp:
2243         (JSC::JIT::emit_op_lshift): Deleted.
2244         (JSC::JIT::emitSlow_op_lshift): Deleted.
2245         (JSC::JIT::emitRightShift): Deleted.
2246         (JSC::JIT::emitRightShiftSlowCase): Deleted.
2247         (JSC::JIT::emit_op_rshift): Deleted.
2248         (JSC::JIT::emitSlow_op_rshift): Deleted.
2249         (JSC::JIT::emit_op_urshift): Deleted.
2250         (JSC::JIT::emitSlow_op_urshift): Deleted.
2251
2252         * jit/JITLeftShiftGenerator.cpp: Added.
2253         (JSC::JITLeftShiftGenerator::generateFastPath):
2254         * jit/JITLeftShiftGenerator.h: Added.
2255         (JSC::JITLeftShiftGenerator::JITLeftShiftGenerator):
2256         * jit/JITRightShiftGenerator.cpp: Added.
2257         (JSC::JITRightShiftGenerator::generateFastPath):
2258         * jit/JITRightShiftGenerator.h: Added.
2259         (JSC::JITRightShiftGenerator::JITRightShiftGenerator):
2260
2261         * tests/stress/op_lshift.js:
2262         * tests/stress/op_rshift.js:
2263         * tests/stress/op_urshift.js:
2264         - Fixed some values and added others that are meaningful for testing shifts.
2265
2266         * tests/stress/resources/binary-op-test.js:
2267         (stringifyIfNeeded):
2268         (generateBinaryTests):
2269         - Fixed the test generator to give unique names to all the generated test
2270           functions.  Without this, multiple tests may end up using the same global
2271           test function.  As a result, with enough test values to test, the function may
2272           get prematurely JITted, and the computed expected result which is supposed to
2273           be computed by the LLINT, may end up being computed by a JIT instead.
2274
2275 2015-12-08  Joseph Pecoraro  <pecoraro@apple.com>
2276
2277         Create a Sandbox SPI header
2278         https://bugs.webkit.org/show_bug.cgi?id=151981
2279
2280         Reviewed by Andy Estes.
2281
2282         * inspector/remote/RemoteInspector.mm:
2283
2284 2015-12-08  Filip Pizlo  <fpizlo@apple.com>
2285
2286         DFG::UnificationPhase should merge isProfitableToUnbox, since this may have been set in ByteCodeParser
2287         https://bugs.webkit.org/show_bug.cgi?id=152011
2288         rdar://problem/23777875
2289
2290         Reviewed by Michael Saboff.
2291
2292         Previously UnificationPhase did not merge this because we used to only set this in FixupPhase, which runs after unification. But now
2293         ByteCodeParser may set isProfitableToUnbox as part of how it handles the ArgumentCount of an inlined varargs call, so UnificationPhase
2294         needs to merge it after unifying.
2295
2296         Also changed the order of unification since this makes the bug more obvious and easier to test.
2297
2298         * dfg/DFGUnificationPhase.cpp:
2299         (JSC::DFG::UnificationPhase::run):
2300         * tests/stress/varargs-with-unused-count.js: Added.
2301
2302 2015-12-08  Mark Lam  <mark.lam@apple.com>
2303
2304         Polymorphic operand types for DFG and FTL div.
2305         https://bugs.webkit.org/show_bug.cgi?id=151747
2306
2307         Reviewed by Geoffrey Garen.
2308
2309         Perf on benchmarks is neutral.  The new JSRegress ftl-object-div test shows
2310         a speed up not from the div operator itself, but from the fact that the
2311         polymorphic operand types support now allows the test function to run without OSR
2312         exiting, thereby realizing the DFG and FTL's speed up on other work that the test
2313         function does.
2314
2315         This patch has passed the layout tests on x86_64 with a debug build.
2316         It passed the JSC tests with x86 and x86_64 debug builds.
2317
2318         * dfg/DFGAbstractInterpreterInlines.h:
2319         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2320         * dfg/DFGClobberize.h:
2321         (JSC::DFG::clobberize):
2322         * dfg/DFGFixupPhase.cpp:
2323         (JSC::DFG::FixupPhase::fixupNode):
2324         * dfg/DFGOperations.cpp:
2325         * dfg/DFGOperations.h:
2326         * dfg/DFGPredictionPropagationPhase.cpp:
2327         (JSC::DFG::PredictionPropagationPhase::propagate):
2328
2329         * dfg/DFGSpeculativeJIT.cpp:
2330         (JSC::DFG::SpeculativeJIT::compileArithDiv):
2331
2332         * ftl/FTLCompileBinaryOp.cpp:
2333         (JSC::FTL::generateBinaryArithOpFastPath):
2334         (JSC::FTL::generateBinaryOpFastPath):
2335
2336         * ftl/FTLInlineCacheDescriptor.h:
2337         * ftl/FTLInlineCacheDescriptorInlines.h:
2338         (JSC::FTL::ArithDivDescriptor::ArithDivDescriptor):
2339         (JSC::FTL::ArithDivDescriptor::icSize):
2340
2341         * ftl/FTLInlineCacheSize.cpp:
2342         (JSC::FTL::sizeOfArithDiv):
2343         * ftl/FTLInlineCacheSize.h:
2344
2345         * ftl/FTLLowerDFGToLLVM.cpp:
2346         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2347         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2348         - Fixed a cut-paste bug where the op_mul IC was using the op_sub IC size.
2349           This bug is benign because the op_sub IC size turns out to be larger
2350           than op_mul needs.
2351         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2352
2353         * jit/JITArithmetic.cpp:
2354         (JSC::JIT::emit_op_div):
2355         - Fixed a bug where the scratchFPR was not allocated for the 64bit port.
2356           This bug is benign because the scratchFPR is only needed if the
2357           scratchGPR register (used for branchConvertDoubleToInt32()) is
2358           >= X86Registers::r8.  Since we're always using regT2 for the scratchT2,
2359           the scratchFPR is never needed.  However, we should fix this anyway to
2360           be correct.
2361
2362         * tests/stress/op_div.js:
2363         - Fixed some test values.
2364
2365 2015-12-05  Aleksandr Skachkov  <gskachkov@gmail.com>
2366
2367         [ES6] "super" and "this" should be lexically bound inside an arrow function and should live in a JSLexicalEnvironment
2368         https://bugs.webkit.org/show_bug.cgi?id=149338
2369
2370         Reviewed by Saam Barati.
2371
2372         Implemented a new version of the lexically bound 'this' in arrow functions. In the current
2373         version 'this' is stored inside the lexical environment of the function. To store and load it
2374         we use the op_get_from_scope and op_put_to_scope operations. The new implementation also prevents
2375         raising a TDZ error for arrow functions that are declared before super() but invoked after.
2376
2377         * builtins/BuiltinExecutables.cpp:
2378         (JSC::createExecutableInternal):
2379         * bytecode/BytecodeList.json:
2380         * bytecode/BytecodeUseDef.h:
2381         * bytecode/CodeBlock.cpp:
2382         (JSC::CodeBlock::dumpBytecode):
2383         * bytecode/EvalCodeCache.h:
2384         (JSC::EvalCodeCache::getSlow):
2385         * bytecode/ExecutableInfo.h:
2386         (JSC::ExecutableInfo::ExecutableInfo):
2387         (JSC::ExecutableInfo::isDerivedConstructorContext):
2388         (JSC::ExecutableInfo::isArrowFunctionContext):
2389         * bytecode/UnlinkedCodeBlock.cpp:
2390         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2391         * bytecode/UnlinkedCodeBlock.h:
2392         (JSC::UnlinkedCodeBlock::isArrowFunction):
2393         (JSC::UnlinkedCodeBlock::isDerivedConstructorContext):
2394         (JSC::UnlinkedCodeBlock::isArrowFunctionContext):
2395         * bytecode/UnlinkedFunctionExecutable.cpp:
2396         (JSC::generateUnlinkedFunctionCodeBlock):
2397         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2398         * bytecode/UnlinkedFunctionExecutable.h:
2399         * bytecompiler/BytecodeGenerator.cpp:
2400         (JSC::BytecodeGenerator::BytecodeGenerator):
2401         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2402         (JSC::BytecodeGenerator::variable):
2403         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
2404         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2405         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
2406         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
2407         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
2408         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
2409         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2410         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
2411         * bytecompiler/BytecodeGenerator.h:
2412         (JSC::BytecodeGenerator::isDerivedConstructorContext):
2413         (JSC::BytecodeGenerator::usesArrowFunction):
2414         (JSC::BytecodeGenerator::needsToUpdateArrowFunctionContext):
2415         (JSC::BytecodeGenerator::usesEval):
2416         (JSC::BytecodeGenerator::usesThis):
2417         (JSC::BytecodeGenerator::newTarget):
2418         (JSC::BytecodeGenerator::makeFunction):
2419         * bytecompiler/NodesCodegen.cpp:
2420         (JSC::ThisNode::emitBytecode):
2421         (JSC::SuperNode::emitBytecode):
2422         (JSC::EvalFunctionCallNode::emitBytecode):
2423         (JSC::FunctionCallValueNode::emitBytecode):
2424         (JSC::FunctionNode::emitBytecode):
2425         * debugger/DebuggerCallFrame.cpp:
2426         (JSC::DebuggerCallFrame::evaluate):
2427         * dfg/DFGAbstractInterpreterInlines.h:
2428         * dfg/DFGByteCodeParser.cpp:
2429         (JSC::DFG::ByteCodeParser::parseBlock):
2430         * dfg/DFGCapabilities.cpp:
2431         * dfg/DFGClobberize.h:
2432         * dfg/DFGDoesGC.cpp:
2433         * dfg/DFGFixupPhase.cpp:
2434         * dfg/DFGNodeType.h:
2435         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2436         * dfg/DFGPredictionPropagationPhase.cpp:
2437         * dfg/DFGPromotedHeapLocation.cpp:
2438         * dfg/DFGPromotedHeapLocation.h:
2439         * dfg/DFGSafeToExecute.h:
2440         * dfg/DFGSpeculativeJIT.cpp:
2441         * dfg/DFGSpeculativeJIT.h:
2442         * dfg/DFGSpeculativeJIT32_64.cpp:
2443         * dfg/DFGSpeculativeJIT64.cpp:
2444         * ftl/FTLCapabilities.cpp:
2445         * ftl/FTLLowerDFGToLLVM.cpp:
2446         * ftl/FTLOperations.cpp:
2447         (JSC::FTL::operationMaterializeObjectInOSR):
2448         * interpreter/Interpreter.cpp:
2449         (JSC::eval):
2450         * jit/JIT.cpp:
2451         * jit/JIT.h:
2452         * jit/JITOpcodes.cpp:
2453         (JSC::JIT::emitNewFuncExprCommon):
2454         * jit/JITOpcodes32_64.cpp:
2455         * llint/LLIntSlowPaths.cpp:
2456         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2457         * llint/LowLevelInterpreter.asm:
2458         * llint/LowLevelInterpreter32_64.asm:
2459         * llint/LowLevelInterpreter64.asm:
2460         * parser/ASTBuilder.h:
2461         (JSC::ASTBuilder::createArrowFunctionExpr):
2462         (JSC::ASTBuilder::usesArrowFunction):
2463         * parser/Nodes.h:
2464         (JSC::ScopeNode::usesArrowFunction):
2465         * parser/Parser.cpp:
2466         (JSC::Parser<LexerType>::parseFunctionInfo):
2467         * parser/ParserModes.h:
2468         * runtime/CodeCache.cpp:
2469         (JSC::CodeCache::getGlobalCodeBlock):
2470         (JSC::CodeCache::getProgramCodeBlock):
2471         (JSC::CodeCache::getEvalCodeBlock):
2472         (JSC::CodeCache::getModuleProgramCodeBlock):
2473         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2474         * runtime/CodeCache.h:
2475         * runtime/CommonIdentifiers.h:
2476         * runtime/CommonSlowPaths.cpp:
2477         (JSC::SLOW_PATH_DECL):
2478         * runtime/Executable.cpp:
2479         (JSC::ScriptExecutable::ScriptExecutable):
2480         (JSC::EvalExecutable::create):
2481         (JSC::EvalExecutable::EvalExecutable):
2482         (JSC::ProgramExecutable::ProgramExecutable):
2483         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2484         (JSC::FunctionExecutable::FunctionExecutable):
2485         * runtime/Executable.h:
2486         (JSC::ScriptExecutable::isArrowFunctionContext):
2487         (JSC::ScriptExecutable::isDerivedConstructorContext):
2488         * runtime/JSGlobalObject.cpp:
2489         (JSC::JSGlobalObject::createEvalCodeBlock):
2490         * runtime/JSGlobalObject.h:
2491         * runtime/JSGlobalObjectFunctions.cpp:
2492         (JSC::globalFuncEval):
2493         * tests/es6.yaml:
2494         * tests/stress/arrowfunction-activation-sink-osrexit.js:
2495         * tests/stress/arrowfunction-activation-sink.js:
2496         * tests/stress/arrowfunction-lexical-bind-newtarget.js: Added.
2497         * tests/stress/arrowfunction-lexical-bind-supercall-1.js: Added.
2498         * tests/stress/arrowfunction-lexical-bind-supercall-2.js: Added.
2499         * tests/stress/arrowfunction-lexical-bind-supercall-3.js: Added.
2500         * tests/stress/arrowfunction-lexical-bind-supercall-4.js: Added.
2501         * tests/stress/arrowfunction-lexical-bind-this-1.js:
2502         * tests/stress/arrowfunction-lexical-bind-this-7.js: Added.
2503         * tests/stress/arrowfunction-tdz-1.js: Added.
2504         * tests/stress/arrowfunction-tdz-2.js: Added.
2505         * tests/stress/arrowfunction-tdz-3.js: Added.
2506         * tests/stress/arrowfunction-tdz-4.js: Added.
2507         * tests/stress/arrowfunction-tdz.js: Removed.
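
Added example, not part of this ChangeLog entry and not one of the tests it lists: the observable semantics the entry above implements, written as plain JavaScript that any spec-compliant engine must satisfy. An arrow created in a derived constructor before super() captures the constructor's lexical `this` and `new.target`; calling it after super() works, calling it before super() throws a ReferenceError because `this` is still in its temporal dead zone, and `super.method()` inside an arrow resolves against the enclosing method's home object. The class and function names are this example's own.

```javascript
class Base {
  describe() {
    return "Base#describe for " + this.name;
  }
}

class Derived extends Base {
  constructor(name, callArrowBeforeSuper) {
    // Both arrows are created before super() runs. They capture the
    // constructor's lexical `this` and `new.target` rather than their own.
    const readThis = () => this;
    const readNewTarget = () => new.target;
    if (callArrowBeforeSuper) {
      // `this` is still in its temporal dead zone here, so this throws a
      // ReferenceError, exactly as a direct `this` access would.
      readThis();
    }
    super();
    this.name = name;
    // After super() the same arrows observe the now-initialised `this`
    // and the constructor's own new.target.
    this.sawThis = readThis() === this;
    this.sawNewTarget = readNewTarget() === Derived;
  }

  describe() {
    // `super` inside an arrow is lexically bound to the enclosing method,
    // so this call reaches Base.prototype.describe with the same `this`.
    const viaArrow = () => super.describe();
    return viaArrow();
  }
}

// Collects what an engine must observe for the behaviour described above.
function demo() {
  const ok = new Derived("ok", false);
  let beforeSuper = "no error";
  try {
    new Derived("early", true);
  } catch (e) {
    beforeSuper = e.constructor.name; // expected: "ReferenceError"
  }
  return {
    sawThis: ok.sawThis,
    sawNewTarget: ok.sawNewTarget,
    describe: ok.describe(),
    beforeSuper,
  };
}

console.log(demo());
```

The "declared before super() but invoked after" case in the entry corresponds to the readThis/readNewTarget arrows being created first and only read after super() returns; the entry's TDZ tests cover the other ordering, where the arrow runs before super() and must throw.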
2508
2509 2015-12-08  Csaba Osztrogonác  <ossy@webkit.org>
2510
2511         Fix the !ENABLE(DFG_JIT) build after r193649
2512         https://bugs.webkit.org/show_bug.cgi?id=151985
2513
2514         Reviewed by Saam Barati.
2515
2516         * jit/JITOpcodes.cpp:
2517         (JSC::JIT::emitSlow_op_loop_hint):
2518
2519 2015-12-08  Alberto Garcia  <berto@igalia.com>
2520
2521         Unreviewed. Remove unnecessary check for 0 in commitSize().
2522
2523         Change suggested by Darin Adler in bug #130237.
2524
2525         * interpreter/JSStack.cpp:
2526         (JSC::commitSize):
2527
2528 2015-12-08  Ryuan Choi  <ryuan.choi@navercorp.com>
2529
2530         [EFL] Remove the flag to check timer state in IncrementalSweeper
2531         https://bugs.webkit.org/show_bug.cgi?id=151988
2532
2533         Reviewed by Gyuyoung Kim.
2534
2535         * heap/IncrementalSweeper.cpp:
2536         (JSC::IncrementalSweeper::scheduleTimer):
2537         (JSC::IncrementalSweeper::IncrementalSweeper):
2538         (JSC::IncrementalSweeper::cancelTimer):
2539
2540 2015-12-08  Philippe Normand  <pnormand@igalia.com>
2541
2542         [Mac][GTK] Fix JSC FTL build
2543         https://bugs.webkit.org/show_bug.cgi?id=151915
2544
2545         Reviewed by Csaba Osztrogonác.
2546
2547         * CMakeLists.txt: Don't pass version-script option to ld on Darwin because this platform's linker
2548         doesn't support this option.
2549
2550 2015-12-08  Alberto Garcia  <berto@igalia.com>
2551
2552         Unreviewed. Use pageSize() instead of getpagesize() after r193648
2553
2554         * interpreter/JSStack.cpp:
2555         (JSC::commitSize):
2556
2557 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
2558
2559         Small style fixes in B3MoveConstants.cpp
2560         https://bugs.webkit.org/show_bug.cgi?id=151980
2561
2562         Reviewed by Benjamin Poulain.
2563
2564         * b3/B3MoveConstants.cpp:
2565
2566 2015-12-07  Benjamin Poulain  <bpoulain@apple.com>
2567
2568         [JSC] On x86, we should XOR registers instead of moving a zero immediate
2569         https://bugs.webkit.org/show_bug.cgi?id=151977
2570
2571         Reviewed by Filip Pizlo.
2572
2573         It is smaller and the frontend has special support
2574         for xor.
2575
2576         * assembler/MacroAssemblerX86Common.h:
2577         (JSC::MacroAssemblerX86Common::move):
2578         (JSC::MacroAssemblerX86Common::signExtend32ToPtr):
2579
2580 2015-12-07  Benjamin Poulain  <bpoulain@apple.com>
2581
2582         Fix a typo from r193683
2583
2584         * ftl/FTLCommonValues.cpp:
2585         (JSC::FTL::CommonValues::CommonValues):
2586
2587 2015-12-07  Benjamin Poulain  <bpoulain@apple.com>
2588
2589         [JSC] Add Float support to B3
2590         https://bugs.webkit.org/show_bug.cgi?id=151974
2591
2592         Reviewed by Filip Pizlo.
2593
2594         This patch adds comprehensive float support to B3.
2595
2596         The new phase reduceDoubleToFloat() gives us a primitive
2597         version of what LLVM was giving us on floats.
2598         It needs to support conversions across Phis but that can
2599         be added later.
2600
2601         * CMakeLists.txt:
2602         * JavaScriptCore.xcodeproj/project.pbxproj:
2603         * assembler/MacroAssembler.h:
2604         (JSC::MacroAssembler::moveDoubleConditionallyFloat):
2605         * assembler/MacroAssemblerX86Common.h:
2606         (JSC::MacroAssemblerX86Common::sqrtFloat):
2607         (JSC::MacroAssemblerX86Common::loadFloat):
2608         (JSC::MacroAssemblerX86Common::storeFloat):
2609         (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
2610         (JSC::MacroAssemblerX86Common::convertFloatToDouble):
2611         (JSC::MacroAssemblerX86Common::addFloat):
2612         (JSC::MacroAssemblerX86Common::divFloat):
2613         (JSC::MacroAssemblerX86Common::subFloat):
2614         (JSC::MacroAssemblerX86Common::mulFloat):
2615         (JSC::MacroAssemblerX86Common::branchDouble):
2616         (JSC::MacroAssemblerX86Common::branchFloat):
2617         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2618         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2619         (JSC::MacroAssemblerX86Common::jumpAfterFloatingPointCompare):
2620         (JSC::MacroAssemblerX86Common::moveConditionallyAfterFloatingPointCompare):
2621         * assembler/X86Assembler.h:
2622         (JSC::X86Assembler::addss_rr):
2623         (JSC::X86Assembler::addss_mr):
2624         (JSC::X86Assembler::cvtsd2ss_mr):
2625         (JSC::X86Assembler::cvtss2sd_mr):
2626         (JSC::X86Assembler::movss_rm):
2627         (JSC::X86Assembler::movss_mr):
2628         (JSC::X86Assembler::mulss_rr):
2629         (JSC::X86Assembler::mulss_mr):
2630         (JSC::X86Assembler::subss_rr):
2631         (JSC::X86Assembler::subss_mr):
2632         (JSC::X86Assembler::ucomiss_rr):
2633         (JSC::X86Assembler::ucomiss_mr):
2634         (JSC::X86Assembler::divss_rr):
2635         (JSC::X86Assembler::divss_mr):
2636         (JSC::X86Assembler::sqrtss_rr):
2637         (JSC::X86Assembler::sqrtss_mr):
2638         * b3/B3Const32Value.cpp:
2639         (JSC::B3::Const32Value::bitwiseCastConstant):
2640         * b3/B3Const32Value.h:
2641         * b3/B3ConstDoubleValue.cpp:
2642         (JSC::B3::ConstDoubleValue::doubleToFloatConstant):
2643         (JSC::B3::ConstDoubleValue::sqrtConstant):
2644         * b3/B3ConstDoubleValue.h:
2645         * b3/B3ConstFloatValue.cpp: Added.
2646         (JSC::B3::ConstFloatValue::~ConstFloatValue):
2647         (JSC::B3::ConstFloatValue::negConstant):
2648         (JSC::B3::ConstFloatValue::addConstant):
2649         (JSC::B3::ConstFloatValue::subConstant):
2650         (JSC::B3::ConstFloatValue::mulConstant):
2651         (JSC::B3::ConstFloatValue::bitwiseCastConstant):
2652         (JSC::B3::ConstFloatValue::floatToDoubleConstant):
2653         (JSC::B3::ConstFloatValue::sqrtConstant):
2654         (JSC::B3::ConstFloatValue::divConstant):
2655         (JSC::B3::ConstFloatValue::equalConstant):
2656         (JSC::B3::ConstFloatValue::notEqualConstant):
2657         (JSC::B3::ConstFloatValue::lessThanConstant):
2658         (JSC::B3::ConstFloatValue::greaterThanConstant):
2659         (JSC::B3::ConstFloatValue::lessEqualConstant):
2660         (JSC::B3::ConstFloatValue::greaterEqualConstant):
2661         (JSC::B3::ConstFloatValue::dumpMeta):
2662         * b3/B3ConstFloatValue.h: Copied from Source/JavaScriptCore/b3/B3ConstDoubleValue.h.
2663         * b3/B3Generate.cpp:
2664         (JSC::B3::generateToAir):
2665         * b3/B3LowerToAir.cpp:
2666         (JSC::B3::Air::LowerToAir::tryOpcodeForType):
2667         (JSC::B3::Air::LowerToAir::opcodeForType):
2668         (JSC::B3::Air::LowerToAir::appendUnOp):
2669         (JSC::B3::Air::LowerToAir::appendBinOp):
2670         (JSC::B3::Air::LowerToAir::appendShift):
2671         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
2672         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
2673         (JSC::B3::Air::LowerToAir::moveForType):
2674         (JSC::B3::Air::LowerToAir::relaxedMoveForType):
2675         (JSC::B3::Air::LowerToAir::createGenericCompare):
2676         (JSC::B3::Air::LowerToAir::createBranch):
2677         (JSC::B3::Air::LowerToAir::createCompare):
2678         (JSC::B3::Air::LowerToAir::createSelect):
2679         (JSC::B3::Air::LowerToAir::lower):
2680         * b3/B3MemoryValue.cpp:
2681         (JSC::B3::MemoryValue::accessByteSize): Deleted.
2682         * b3/B3MemoryValue.h:
2683         * b3/B3MoveConstants.cpp:
2684         * b3/B3Opcode.cpp:
2685         (WTF::printInternal):
2686         * b3/B3Opcode.h:
2687         * b3/B3Procedure.cpp:
2688         (JSC::B3::Procedure::addIntConstant):
2689         * b3/B3ReduceDoubleToFloat.cpp: Added.
2690         (JSC::B3::reduceDoubleToFloat):
2691         * b3/B3ReduceDoubleToFloat.h: Copied from Source/JavaScriptCore/b3/B3Type.cpp.
2692         * b3/B3ReduceStrength.cpp:
2693         * b3/B3Type.cpp:
2694         (WTF::printInternal):
2695         * b3/B3Type.h:
2696         (JSC::B3::isFloat):
2697         (JSC::B3::sizeofType):
2698         * b3/B3Validate.cpp:
2699         * b3/B3Value.cpp:
2700         (JSC::B3::Value::doubleToFloatConstant):
2701         (JSC::B3::Value::floatToDoubleConstant):
2702         (JSC::B3::Value::sqrtConstant):
2703         (JSC::B3::Value::asTriState):
2704         (JSC::B3::Value::effects):
2705         (JSC::B3::Value::key):
2706         (JSC::B3::Value::checkOpcode):
2707         (JSC::B3::Value::typeFor):
2708         * b3/B3Value.h:
2709         * b3/B3ValueInlines.h:
2710         (JSC::B3::Value::isConstant):
2711         (JSC::B3::Value::hasFloat):
2712         (JSC::B3::Value::asFloat):
2713         (JSC::B3::Value::hasNumber):
2714         (JSC::B3::Value::isNegativeZero):
2715         (JSC::B3::Value::representableAs):
2716         (JSC::B3::Value::asNumber):
2717         * b3/B3ValueKey.cpp:
2718         (JSC::B3::ValueKey::materialize):
2719         * b3/B3ValueKey.h:
2720         (JSC::B3::ValueKey::ValueKey):
2721         (JSC::B3::ValueKey::floatValue):
2722         * b3/air/AirArg.h:
2723         (JSC::B3::Air::Arg::typeForB3Type):
2724         (JSC::B3::Air::Arg::widthForB3Type):
2725         * b3/air/AirFixPartialRegisterStalls.cpp:
2726         * b3/air/AirOpcode.opcodes:
2727         * b3/testb3.cpp:
2728         (JSC::B3::testAddArgFloat):
2729         (JSC::B3::testAddArgsFloat):
2730         (JSC::B3::testAddArgImmFloat):
2731         (JSC::B3::testAddImmArgFloat):
2732         (JSC::B3::testAddImmsFloat):
2733         (JSC::B3::testAddArgFloatWithUselessDoubleConversion):
2734         (JSC::B3::testAddArgsFloatWithUselessDoubleConversion):
2735         (JSC::B3::testAddArgsFloatWithEffectfulDoubleConversion):
2736         (JSC::B3::testMulArgFloat):
2737         (JSC::B3::testMulArgsFloat):
2738         (JSC::B3::testMulArgImmFloat):
2739         (JSC::B3::testMulImmArgFloat):
2740         (JSC::B3::testMulImmsFloat):
2741         (JSC::B3::testMulArgFloatWithUselessDoubleConversion):
2742         (JSC::B3::testMulArgsFloatWithUselessDoubleConversion):
2743         (JSC::B3::testMulArgsFloatWithEffectfulDoubleConversion):
2744         (JSC::B3::testDivArgFloat):
2745         (JSC::B3::testDivArgsFloat):
2746         (JSC::B3::testDivArgImmFloat):
2747         (JSC::B3::testDivImmArgFloat):
2748         (JSC::B3::testDivImmsFloat):
2749         (JSC::B3::testDivArgFloatWithUselessDoubleConversion):
2750         (JSC::B3::testDivArgsFloatWithUselessDoubleConversion):
2751         (JSC::B3::testDivArgsFloatWithEffectfulDoubleConversion):
2752         (JSC::B3::testSubArgFloat):
2753         (JSC::B3::testSubArgsFloat):
2754         (JSC::B3::testSubArgImmFloat):
2755         (JSC::B3::testSubImmArgFloat):
2756         (JSC::B3::testSubImmsFloat):
2757         (JSC::B3::testSubArgFloatWithUselessDoubleConversion):
2758         (JSC::B3::testSubArgsFloatWithUselessDoubleConversion):
2759         (JSC::B3::testSubArgsFloatWithEffectfulDoubleConversion):
2760         (JSC::B3::testClzMem32):
2761         (JSC::B3::testSqrtArg):
2762         (JSC::B3::testSqrtImm):
2763         (JSC::B3::testSqrtMem):
2764         (JSC::B3::testSqrtArgWithUselessDoubleConversion):
2765         (JSC::B3::testSqrtArgWithEffectfulDoubleConversion):
2766         (JSC::B3::testDoubleArgToInt64BitwiseCast):
2767         (JSC::B3::testDoubleImmToInt64BitwiseCast):
2768         (JSC::B3::testTwoBitwiseCastOnDouble):
2769         (JSC::B3::testBitwiseCastOnDoubleInMemory):
2770         (JSC::B3::testInt64BArgToDoubleBitwiseCast):
2771         (JSC::B3::testInt64BImmToDoubleBitwiseCast):
2772         (JSC::B3::testTwoBitwiseCastOnInt64):
2773         (JSC::B3::testBitwiseCastOnInt64InMemory):
2774         (JSC::B3::testFloatImmToInt32BitwiseCast):
2775         (JSC::B3::testBitwiseCastOnFloatInMemory):
2776         (JSC::B3::testInt32BArgToFloatBitwiseCast):
2777         (JSC::B3::testInt32BImmToFloatBitwiseCast):
2778         (JSC::B3::testTwoBitwiseCastOnInt32):
2779         (JSC::B3::testBitwiseCastOnInt32InMemory):
2780         (JSC::B3::testConvertDoubleToFloatArg):
2781         (JSC::B3::testConvertDoubleToFloatImm):
2782         (JSC::B3::testConvertDoubleToFloatMem):
2783         (JSC::B3::testConvertFloatToDoubleArg):
2784         (JSC::B3::testConvertFloatToDoubleImm):
2785         (JSC::B3::testConvertFloatToDoubleMem):
2786         (JSC::B3::testConvertDoubleToFloatToDoubleToFloat):
2787         (JSC::B3::testLoadFloatConvertDoubleConvertFloatStoreFloat):
2788         (JSC::B3::testFroundArg):
2789         (JSC::B3::testFroundMem):
2790         (JSC::B3::testStore32):
2791         (JSC::B3::modelLoad):
2792         (JSC::B3::float>):
2793         (JSC::B3::double>):
2794         (JSC::B3::testLoad):
2795         (JSC::B3::testStoreFloat):
2796         (JSC::B3::testReturnFloat):
2797         (JSC::B3::simpleFunctionFloat):
2798         (JSC::B3::testCallSimpleFloat):
2799         (JSC::B3::functionWithHellaFloatArguments):
2800         (JSC::B3::testCallFunctionWithHellaFloatArguments):
2801         (JSC::B3::testSelectCompareFloat):
2802         (JSC::B3::testSelectCompareFloatToDouble):
2803         (JSC::B3::testSelectDoubleCompareFloat):
2804         (JSC::B3::testSelectFloatCompareFloat):
2805         (JSC::B3::populateWithInterestingValues):
2806         (JSC::B3::floatingPointOperands):
2807         (JSC::B3::int64Operands):
2808         (JSC::B3::run):
2809         (JSC::B3::testStore): Deleted.
2810         (JSC::B3::posInfinity): Deleted.
2811         (JSC::B3::negInfinity): Deleted.
2812         (JSC::B3::doubleOperands): Deleted.
2813         * ftl/FTLB3Output.cpp:
2814         (JSC::FTL::Output::loadFloatToDouble):
2815         * ftl/FTLB3Output.h:
2816         (JSC::FTL::Output::fround):
2817         * ftl/FTLCommonValues.cpp:
2818         (JSC::FTL::CommonValues::CommonValues):
2819         * ftl/FTLCommonValues.h:
2820
2821 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
2822
2823         FTL B3 should be able to flag the tag constants as being super important so that B3 can hoist them and Air can force them into registers
2824         https://bugs.webkit.org/show_bug.cgi?id=151955
2825
2826         Reviewed by Geoffrey Garen.
2827
2828         Taught B3 about the concept of "fast constants". A client of B3 can now tell B3 which
2829         constants are super important. B3 will not spill the constant in that case and will ensure
2830         that the constant is materialized only once: statically once, and dynamically once per
2831         procedure execution. The hoistFastConstants() algorithm in B3MoveConstants.cpp achieves this
2832         by first picking the lowest common dominator of all uses of each fast constant, and then
2833         picking the materialization point by finding the lowest dominator of that dominator that is
2834         tied for lowest block frequency. In practice, the second step ensures that this is the lowest
2835         point in the program that is not in a loop (i.e. executes no more than once dynamically per
2836         procedure invocation).
2837
2838         Taught Air about the concept of "fast tmps". B3 tells Air that a tmp is fast if it is used to
2839         hold the materialization of a fast constant. IRC will use the lowest possible spill score for
2840         fast tmps. In practice, this ensures that fast constants are never spilled.
2841
2842         Added a small snippet of code to FTL::LowerDFGToLLVM that makes both of the tag constants
2843         into fast constants.
2844
2845         My hope is that this very brute-force heuristic is good enough that we don't have to think
2846         about constants for a while. Based on my experience with how LLVM's constant hoisting works
2847         out, the heuristic in this patch is going to be tough to beat. LLVM's constant hoisting does
2848         good things when it hoists the tags, and usually causes nothing but problems when it hoists
2849         anything else. This is because there is no way for a low-level compiler to really understand how
2850         a constant materialization impacts some operation's contribution to the overall execution
2851         time of a procedure. But, in the FTL we know that constant materializations for type checks
2852         are a bummer because we are super comfortable placing type checks on the hottest of paths. So
2853         those are the last paths where extra instructions should be added by the compiler. On the
2854         other hand, all other large constant uses are on relatively cold paths, or paths that are
2855         already expensive for other reasons. For example, global variable accesses have to
2856         materialize a pointer to the global. But that's not really a big deal, since a load from a
2857         global involves first the load itself and then type checks on the result - so probably the
2858         constant materialization is just not interesting. A store to a global often involves a store
2859         barrier, so the constant materialization is really not interesting. This patch codifies this
2860         heuristic in a pact between Air, B3, and the FTL: FTL demands that B3 pin the two tags in
2861         registers, and B3 relays the demand to Air.
2862
2863         * JavaScriptCore.xcodeproj/project.pbxproj:
2864         * b3/B3CFG.h: Added.
2865         (JSC::B3::CFG::CFG):
2866         (JSC::B3::CFG::root):
2867         (JSC::B3::CFG::newMap):
2868         (JSC::B3::CFG::successors):
2869         (JSC::B3::CFG::predecessors):
2870         (JSC::B3::CFG::index):
2871         (JSC::B3::CFG::node):
2872         (JSC::B3::CFG::numNodes):
2873         (JSC::B3::CFG::dump):
2874         * b3/B3Dominators.h: Added.
2875         (JSC::B3::Dominators::Dominators):
2876         * b3/B3IndexMap.h:
2877         (JSC::B3::IndexMap::resize):
2878         (JSC::B3::IndexMap::size):
2879         (JSC::B3::IndexMap::operator[]):
2880         * b3/B3LowerMacros.cpp:
2881         * b3/B3LowerToAir.cpp:
2882         (JSC::B3::Air::LowerToAir::tmp):
2883         * b3/B3MoveConstants.cpp:
2884         * b3/B3Opcode.h:
2885         (JSC::B3::constPtrOpcode):
2886         (JSC::B3::isConstant):
2887         * b3/B3Procedure.cpp:
2888         (JSC::B3::Procedure::Procedure):
2889         (JSC::B3::Procedure::resetReachability):
2890         (JSC::B3::Procedure::invalidateCFG):
2891         (JSC::B3::Procedure::dump):
2892         (JSC::B3::Procedure::deleteValue):
2893         (JSC::B3::Procedure::dominators):
2894         (JSC::B3::Procedure::addFastConstant):
2895         (JSC::B3::Procedure::isFastConstant):
2896         (JSC::B3::Procedure::addDataSection):
2897         * b3/B3Procedure.h:
2898         (JSC::B3::Procedure::size):
2899         (JSC::B3::Procedure::cfg):
2900         (JSC::B3::Procedure::setLastPhaseName):
2901         * b3/B3ReduceStrength.cpp:
2902         * b3/B3ValueInlines.h:
2903         (JSC::B3::Value::isConstant):
2904         (JSC::B3::Value::isInteger):
2905         * b3/B3ValueKey.h:
2906         (JSC::B3::ValueKey::canMaterialize):
2907         (JSC::B3::ValueKey::isConstant):
2908         * b3/air/AirCode.cpp:
2909         (JSC::B3::Air::Code::findNextBlock):
2910         (JSC::B3::Air::Code::addFastTmp):
2911         * b3/air/AirCode.h:
2912         (JSC::B3::Air::Code::specials):
2913         (JSC::B3::Air::Code::isFastTmp):
2914         (JSC::B3::Air::Code::setLastPhaseName):
2915         * b3/air/AirIteratedRegisterCoalescing.cpp:
2916         * dfg/DFGDominators.h:
2917         * dfg/DFGSSACalculator.cpp:
2918         * ftl/FTLLowerDFGToLLVM.cpp:
2919         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2920
2921 2015-12-07  Andy VanWagoner  <thetalecrafter@gmail.com>
2922
2923         [INTL] Implement String.prototype.toLocaleUpperCase in ECMA-402
2924         https://bugs.webkit.org/show_bug.cgi?id=147609
2925
2926         Reviewed by Benjamin Poulain.
2927
2928         Refactor most of toLocaleLowerCase into a static function used by both
2929         toLocaleUpperCase and toLocaleLowerCase.
2930         Add toLocaleUpperCase using icu u_strToUpper.
2931
2932         * runtime/StringPrototype.cpp:
2933         (JSC::StringPrototype::finishCreation):
2934         (JSC::toLocaleCase):
2935         (JSC::stringProtoFuncToLocaleLowerCase):
2936         (JSC::stringProtoFuncToLocaleUpperCase):
2937
2938 2015-12-07  Michael Saboff  <msaboff@apple.com>
2939
2940         CRASH: CodeBlock::setOptimizationThresholdBasedOnCompilationResult + 567
2941         https://bugs.webkit.org/show_bug.cgi?id=151892
2942
2943         Reviewed by Geoffrey Garen.
2944
2945         Reverted the change made in change set r193491.
2946
2947         The updated change is to finish all concurrent compilations and install the resulting
2948         code blocks before we make any state changes due to debugger activity.  After all code
2949         blocks have been installed, we make the debugger state changes, including jettisoning
2950         all optimized code blocks.
2951
2952         This means that we will discard the optimized code blocks we just installed,
2953         but we won't do that while on the install code block path.
2954
2955         * bytecode/CodeBlock.cpp:
2956         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): Reverted r193491.
2957         * debugger/Debugger.cpp:
2958         (JSC::Debugger::setSteppingMode):
2959         (JSC::Debugger::registerCodeBlock):
2960         (JSC::Debugger::toggleBreakpoint):
2961         (JSC::Debugger::clearBreakpoints):
2962         (JSC::Debugger::clearDebuggerRequests):
2963         Call Heap::completeAllDFGPlans() before updating code blocks for debugging changes.
2964
2965         * heap/Heap.h: Made completeAllDFGPlans() public.
2966
2967 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
2968
2969         FTL lowering should tell B3 the right block frequencies
2970         https://bugs.webkit.org/show_bug.cgi?id=151531
2971
2972         Reviewed by Geoffrey Garen.
2973
2974         This glues together the DFG's view of basic block execution counts and B3's block frequencies.
2975         This further improves our performance on imaging-gaussian-blur. It appears to improve the steady
2976         state throughput by almost 4%.
2977
2978         * ftl/FTLB3Output.h:
2979         (JSC::FTL::Output::setFrequency):
2980         (JSC::FTL::Output::newBlock):
2981         (JSC::FTL::Output::insertNewBlocksBefore):
2982         (JSC::FTL::Output::callWithoutSideEffects):
2983         * ftl/FTLLowerDFGToLLVM.cpp:
2984         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2985         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock):
2986         * ftl/FTLOutput.h:
2987         (JSC::FTL::Output::setFrequency):
2988         (JSC::FTL::Output::insertNewBlocksBefore):
2989
2990 2015-12-07  Saam barati  <sbarati@apple.com>
2991
2992         Update JSC feature list for rest parameters and generators
2993         https://bugs.webkit.org/show_bug.cgi?id=151740
2994
2995         Reviewed by Joseph Pecoraro.
2996
2997         * features.json:
2998
2999 2015-12-07  Filip Pizlo  <fpizlo@apple.com>
3000
3001         DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure).
3002         https://bugs.webkit.org/show_bug.cgi?id=151952
3003
3004         Reviewed by Mark Lam.
3005
3006         Fix a bug revealed by the new ftl-has-a-bad-time.js test. It turns out that our handling of
3007         structures reachable from the compiler wasn't accounting for having a bad time.
3008
3009         * dfg/DFGStructureRegistrationPhase.cpp:
3010         (JSC::DFG::StructureRegistrationPhase::run):
3011
3012 2015-12-07  Saam barati  <sbarati@apple.com>
3013
3014         Add op_watchdog opcode that is generated when VM has a watchdog
3015         https://bugs.webkit.org/show_bug.cgi?id=151954
3016
3017         Reviewed by Mark Lam.
3018
3019         This patch also makes watchdog a private member
3020         of VM and adds a getter function.
3021
3022         * API/JSContextRef.cpp:
3023         (JSContextGroupClearExecutionTimeLimit):
3024         * bytecode/BytecodeList.json:
3025         * bytecode/BytecodeUseDef.h:
3026         (JSC::computeUsesForBytecodeOffset):
3027         (JSC::computeDefsForBytecodeOffset):
3028         * bytecode/CodeBlock.cpp:
3029         (JSC::CodeBlock::dumpBytecode):
3030         * bytecompiler/BytecodeGenerator.cpp:
3031         (JSC::BytecodeGenerator::emitLoopHint):
3032         (JSC::BytecodeGenerator::emitWatchdog):
3033         (JSC::BytecodeGenerator::retrieveLastBinaryOp):
3034         * bytecompiler/BytecodeGenerator.h:
3035         * dfg/DFGByteCodeParser.cpp:
3036         (JSC::DFG::ByteCodeParser::parseBlock):
3037         * dfg/DFGCapabilities.cpp:
3038         (JSC::DFG::capabilityLevel):
3039         * dfg/DFGSpeculativeJIT32_64.cpp:
3040         (JSC::DFG::SpeculativeJIT::compile):
3041         * dfg/DFGSpeculativeJIT64.cpp:
3042         (JSC::DFG::SpeculativeJIT::compile):
3043         * ftl/FTLLowerDFGToLLVM.cpp:
3044         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
3045         * jit/JIT.cpp:
3046         (JSC::JIT::privateCompileMainPass):
3047         (JSC::JIT::privateCompileSlowCases):
3048         * jit/JIT.h:
3049         * jit/JITOpcodes.cpp:
3050         (JSC::JIT::emit_op_loop_hint):
3051         (JSC::JIT::emitSlow_op_loop_hint):
3052         (JSC::JIT::emit_op_watchdog):
3053         (JSC::JIT::emitSlow_op_watchdog):
3054         (JSC::JIT::emit_op_new_regexp):
3055         * llint/LLIntSlowPaths.cpp:
3056         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3057         * llint/LowLevelInterpreter.asm:
3058         * runtime/VM.cpp:
3059         (JSC::VM::ensureWatchdog):
3060         * runtime/VM.h:
3061         (JSC::VM::watchdog):
3062         * runtime/VMEntryScope.cpp:
3063         (JSC::VMEntryScope::VMEntryScope):
3064         (JSC::VMEntryScope::~VMEntryScope):
3065         * runtime/VMInlines.h:
3066         (JSC::VM::shouldTriggerTermination):
3067
3068 2015-12-07  Alberto Garcia  <berto@igalia.com>
3069
3070         Crashes on PPC64 due to mprotect() on address not aligned to the page size
3071         https://bugs.webkit.org/show_bug.cgi?id=130237
3072
3073         Reviewed by Mark Lam.
3074
3075         Make sure that commitSize is at least as big as the page size.
3076
3077         * interpreter/JSStack.cpp:
3078         (JSC::commitSize):
3079         (JSC::JSStack::JSStack):
3080         (JSC::JSStack::growSlowCase):
3081         * interpreter/JSStack.h:
3082
3083 2015-12-06  Filip Pizlo  <fpizlo@apple.com>
3084
3085         FTL B3 should be able to make JS->JS calls
3086         https://bugs.webkit.org/show_bug.cgi?id=151901
3087
3088         Reviewed by Saam Barati.
3089
3090         This adds support for the Call and InvalidationPoint opcodes in DFG IR. This required doing some
3091         clean-up in the OSR exit code. We don't want the B3 FTL to use a bunch of vectors to hold
3092         side-state, so the use of OSRExitDescriptorImpl is not right. It makes sense in the LLVM FTL
3093         because that code needs some way of saving some state from LowerDFGToLLVM to compile(), but
3094         that's not how B3 FTL works. It turns out that for B3 FTL, there isn't anything in
3095         OSRExitDescriptorImpl that the code in LowerDFGToLLVM can't just capture in a lambda.
3096
3097         This also simplifies some stackmap-related APIs, since I got tired of writing boilerplate.
3098
3099         * CMakeLists.txt:
3100         * JavaScriptCore.xcodeproj/project.pbxproj:
3101         * assembler/AbstractMacroAssembler.h:
3102         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
3103         (JSC::AbstractMacroAssembler::addLinkTask):
3104         * b3/B3CheckSpecial.cpp:
3105         (JSC::B3::CheckSpecial::generate):
3106         * b3/B3Effects.h:
3107         * b3/B3PatchpointSpecial.cpp:
3108         (JSC::B3::PatchpointSpecial::generate):
3109         * b3/B3Procedure.cpp:
3110         (JSC::B3::Procedure::addDataSection):
3111         (JSC::B3::Procedure::callArgAreaSize):
3112         (JSC::B3::Procedure::requestCallArgAreaSize):
3113         (JSC::B3::Procedure::frameSize):
3114         * b3/B3Procedure.h:
3115         (JSC::B3::Procedure::releaseByproducts):
3116         (JSC::B3::Procedure::code):
3117         * b3/B3StackmapGenerationParams.cpp: Added.
3118         (JSC::B3::StackmapGenerationParams::usedRegisters):
3119         (JSC::B3::StackmapGenerationParams::proc):
3120         (JSC::B3::StackmapGenerationParams::StackmapGenerationParams):
3121         * b3/B3StackmapGenerationParams.h: Added.
3122         (JSC::B3::StackmapGenerationParams::value):
3123         (JSC::B3::StackmapGenerationParams::reps):
3124         (JSC::B3::StackmapGenerationParams::size):
3125         (JSC::B3::StackmapGenerationParams::at):
3126         (JSC::B3::StackmapGenerationParams::operator[]):
3127         (JSC::B3::StackmapGenerationParams::begin):
3128         (JSC::B3::StackmapGenerationParams::end):
3129         (JSC::B3::StackmapGenerationParams::context):
3130         (JSC::B3::StackmapGenerationParams::addLatePath):
3131         * b3/B3StackmapValue.h:
3132         * b3/B3ValueRep.h:
3133         (JSC::B3::ValueRep::doubleValue):
3134         (JSC::B3::ValueRep::withOffset):
3135         * b3/air/AirGenerationContext.h:
3136         * b3/testb3.cpp:
3137         (JSC::B3::testSimplePatchpoint):
3138         (JSC::B3::testSimplePatchpointWithoutOuputClobbersGPArgs):
3139         (JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs):
3140         (JSC::B3::testSimplePatchpointWithoutOuputClobbersFPArgs):
3141         (JSC::B3::testSimplePatchpointWithOuputClobbersFPArgs):
3142         (JSC::B3::testPatchpointWithEarlyClobber):
3143         (JSC::B3::testPatchpointCallArg):
3144         (JSC::B3::testPatchpointFixedRegister):
3145         (JSC::B3::testPatchpointAny):
3146         (JSC::B3::testPatchpointLotsOfLateAnys):
3147         (JSC::B3::testPatchpointAnyImm):
3148         (JSC::B3::testPatchpointManyImms):
3149         (JSC::B3::testPatchpointWithRegisterResult):
3150         (JSC::B3::testPatchpointWithStackArgumentResult):
3151         (JSC::B3::testPatchpointWithAnyResult):
3152         (JSC::B3::testSimpleCheck):
3153         (JSC::B3::testCheckLessThan):
3154         (JSC::B3::testCheckMegaCombo):
3155         (JSC::B3::testCheckAddImm):
3156         (JSC::B3::testCheckAddImmCommute):
3157         (JSC::B3::testCheckAddImmSomeRegister):
3158         (JSC::B3::testCheckAdd):
3159         (JSC::B3::testCheckAdd64):
3160         (JSC::B3::testCheckSubImm):
3161         (JSC::B3::testCheckSubBadImm):
3162         (JSC::B3::testCheckSub):
3163         (JSC::B3::testCheckSub64):
3164         (JSC::B3::testCheckNeg):
3165         (JSC::B3::testCheckNeg64):
3166         (JSC::B3::testCheckMul):
3167         (JSC::B3::testCheckMulMemory):
3168         (JSC::B3::testCheckMul2):
3169         (JSC::B3::testCheckMul64):
3170         (JSC::B3::genericTestCompare):
3171         * ftl/FTLExceptionHandlerManager.cpp:
3172         * ftl/FTLExceptionHandlerManager.h:
3173         * ftl/FTLJSCall.cpp:
3174         * ftl/FTLJSCall.h:
3175         * ftl/FTLJSCallBase.cpp:
3176         (JSC::FTL::JSCallBase::emit):
3177         * ftl/FTLJSCallBase.h:
3178         * ftl/FTLJSCallVarargs.cpp:
3179         * ftl/FTLJSCallVarargs.h:
3180         * ftl/FTLJSTailCall.cpp:
3181         (JSC::FTL::DFG::getRegisterWithAddend):
3182         (JSC::FTL::JSTailCall::emit):
3183         (JSC::FTL::JSTailCall::JSTailCall): Deleted.
3184         * ftl/FTLJSTailCall.h:
3185         (JSC::FTL::JSTailCall::stackmapID):
3186         (JSC::FTL::JSTailCall::estimatedSize):
3187         (JSC::FTL::JSTailCall::operator<):
3188         (JSC::FTL::JSTailCall::patchpoint): Deleted.
3189         * ftl/FTLLowerDFGToLLVM.cpp:
3190         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
3191         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
3192         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3193         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
3194         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
3195         (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException):
3196         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
3197         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
3198         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
3199         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
3200         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
3201         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
3202         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):
3203         * ftl/FTLOSRExit.cpp:
3204         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
3205         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
3206         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
3207         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
3208         (JSC::FTL::OSRExit::OSRExit):
3209         (JSC::FTL::OSRExit::codeLocationForRepatch):
3210         (JSC::FTL::OSRExit::recoverRegistersFromSpillSlot):
3211         (JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck):
3212         (JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath):
3213         * ftl/FTLOSRExit.h:
3214         (JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl):
3215         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
3216         * ftl/FTLOSRExitCompiler.cpp:
3217         (JSC::FTL::compileStub):
3218         (JSC::FTL::compileFTLOSRExit):
3219         * ftl/FTLState.h:
3220
3221 2015-12-07  Saam barati  <sbarati@apple.com>
3222
3223         Rename Watchdog::didFire to Watchdog::shouldTerminate because that's what didFire really meant
3224         https://bugs.webkit.org/show_bug.cgi?id=151944
3225
3226         Reviewed by Mark Lam.
3227
3228         * interpreter/Interpreter.cpp:
3229         (JSC::Interpreter::execute):
3230         * runtime/VMInlines.h:
3231         (JSC::VM::shouldTriggerTermination):
3232         * runtime/Watchdog.cpp:
3233         (JSC::Watchdog::terminateSoon):
3234         (JSC::Watchdog::shouldTerminateSlow):
3235         (JSC::Watchdog::didFireSlow): Deleted.
3236         * runtime/Watchdog.h:
3237         (JSC::Watchdog::shouldTerminate):
3238         (JSC::Watchdog::didFire): Deleted.
3239
3240 2015-12-07  Mark Lam  <mark.lam@apple.com>
3241
3242         Rename JITBitwiseBinaryOpGenerator to JITBitBinaryOpGenerator.
3243         https://bugs.webkit.org/show_bug.cgi?id=151945
3244
3245         Reviewed by Saam Barati.
3246
3247         The lshift operator also needs to inherit from JITBitBinaryOpGenerator.  Calling
3248         it "BitBinaryOp" makes more sense than "BitwiseBinaryOp" in that case, and still
3249         makes sense for the bitand, bitor, and bitxor operators.
3250
3251         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3252         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3253         * JavaScriptCore.xcodeproj/project.pbxproj:
3254         * jit/JIT.h:
3255         * jit/JITArithmetic.cpp:
3256         (JSC::JIT::emitBitBinaryOpFastPath):
3257         (JSC::JIT::emit_op_bitand):
3258         (JSC::JIT::emitSlow_op_bitand):
3259         (JSC::JIT::emit_op_bitor):
3260         (JSC::JIT::emitSlow_op_bitor):
3261         (JSC::JIT::emit_op_bitxor):
3262         (JSC::JIT::emitSlow_op_bitxor):
3263         (JSC::JIT::emitBitwiseBinaryOpFastPath): Deleted.
3264         * jit/JITBitAndGenerator.h:
3265         (JSC::JITBitAndGenerator::JITBitAndGenerator):
3266         * jit/JITBitBinaryOpGenerator.h: Copied from Source/JavaScriptCore/jit/JITBitwiseBinaryOpGenerator.h.
3267         (JSC::JITBitBinaryOpGenerator::JITBitBinaryOpGenerator):
3268         (JSC::JITBitwiseBinaryOpGenerator::JITBitwiseBinaryOpGenerator): Deleted.
3269         * jit/JITBitOrGenerator.h:
3270         (JSC::JITBitOrGenerator::JITBitOrGenerator):
3271         * jit/JITBitXorGenerator.h:
3272         (JSC::JITBitXorGenerator::JITBitXorGenerator):
3273         * jit/JITBitwiseBinaryOpGenerator.h: Removed.
3274
3275 2015-12-07  Csaba Osztrogonác  <ossy@webkit.org>
3276
3277         [B3] Typo fix after r193386 to fix the build
3278         https://bugs.webkit.org/show_bug.cgi?id=151860
3279
3280         Reviewed by Filip Pizlo.
3281
3282         * b3/B3StackmapSpecial.cpp:
3283         (JSC::B3::StackmapSpecial::isArgValidForValue):
3284
3285 2015-12-07  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
3286
3287         [EFL] Implement scheduleTimer and cancelTimer in IncrementalSweeper class
3288         https://bugs.webkit.org/show_bug.cgi?id=151656
3289
3290         Reviewed by Csaba Osztrogonác.
3291
3292         Support IncrementalSweeper using Ecore_Timer.
3293
3294         * heap/IncrementalSweeper.cpp:
3295         (JSC::IncrementalSweeper::IncrementalSweeper):
3296         (JSC::IncrementalSweeper::scheduleTimer):
3297         (JSC::IncrementalSweeper::cancelTimer):
3298         * heap/IncrementalSweeper.h:
3299
3300 2015-12-06  Andy VanWagoner  <thetalecrafter@gmail.com>
3301
3302         [INTL] Implement String.prototype.toLocaleLowerCase in ECMA-402
3303         https://bugs.webkit.org/show_bug.cgi?id=147608
3304
3305         Reviewed by Benjamin Poulain.
3306
3307         Add toLocaleLowerCase using icu u_strToLower.
3308
3309         * runtime/IntlObject.cpp:
3310         (JSC::defaultLocale): Expose.
3311         (JSC::bestAvailableLocale): Expose.
3312         (JSC::removeUnicodeLocaleExtension): Expose.
3313         * runtime/IntlObject.h:
3314         * runtime/StringPrototype.cpp:
3315         (JSC::StringPrototype::finishCreation):
3316         (JSC::stringProtoFuncToLocaleLowerCase): Add.
3317
3318 2015-12-06  David Kilzer  <ddkilzer@apple.com>
3319
3320         REGRESSION(r193584): Causes heap use-after-free crashes in Web Inspector tests with AddressSanitizer (Requested by ddkilzer on #webkit).
3321         https://bugs.webkit.org/show_bug.cgi?id=151929
3322
3323         Reverted changeset:
3324
3325         "[ES6] "super" and "this" should be lexically bound inside an
3326         arrow function and should live in a JSLexicalEnvironment"
3327         https://bugs.webkit.org/show_bug.cgi?id=149338
3328         http://trac.webkit.org/changeset/193584
3329
3330 2015-12-06  Skachkov Oleksandr  <gskachkov@gmail.com>
3331
3332         [es6] Arrow function syntax. Fix tests after 149338 landing
3333         https://bugs.webkit.org/show_bug.cgi?id=151927
3334
3335         Reviewed by Saam Barati.
3336
3337         After landing the patch for 149338, errors appeared for the ES6 Generator. The current fix removes an assert
3338         that was removed by the patch implementing the ES6 Generator.
3339  
3340         * runtime/CommonSlowPaths.cpp:
3341
3342 2015-12-05  Aleksandr Skachkov  <gskachkov@gmail.com>
3343
3344         [ES6] "super" and "this" should be lexically bound inside an arrow function and should live in a JSLexicalEnvironment
3345         https://bugs.webkit.org/show_bug.cgi?id=149338
3346
3347         Reviewed by Saam Barati.
3348
3349         Implemented a new version of the lexically bound 'this' in arrow functions. In the current version,
3350         'this' is stored inside the lexical environment of the function. To store and load it we use the
3351         op_get_from_scope and op_put_to_scope operations. The new implementation also prevents raising a TDZ
3352         error for arrow functions that are declared before super() but invoked after it.
3353
3354         * builtins/BuiltinExecutables.cpp:
3355         (JSC::createExecutableInternal):
3356         * bytecode/BytecodeList.json:
3357         * bytecode/BytecodeUseDef.h:
3358         * bytecode/CodeBlock.cpp:
3359         (JSC::CodeBlock::dumpBytecode):
3360         * bytecode/EvalCodeCache.h:
3361         (JSC::EvalCodeCache::getSlow):
3362         * bytecode/ExecutableInfo.h:
3363         (JSC::ExecutableInfo::ExecutableInfo):
3364         (JSC::ExecutableInfo::isDerivedConstructorContext):
3365         (JSC::ExecutableInfo::isArrowFunctionContext):
3366         * bytecode/UnlinkedCodeBlock.cpp:
3367         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3368         * bytecode/UnlinkedCodeBlock.h:
3369         (JSC::UnlinkedCodeBlock::isArrowFunction):
3370         (JSC::UnlinkedCodeBlock::isDerivedConstructorContext):
3371         (JSC::UnlinkedCodeBlock::isArrowFunctionContext):
3372         * bytecode/UnlinkedFunctionExecutable.cpp:
3373         (JSC::generateUnlinkedFunctionCodeBlock):
3374         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3375         * bytecode/UnlinkedFunctionExecutable.h:
3376         * bytecompiler/BytecodeGenerator.cpp:
3377         (JSC::BytecodeGenerator::BytecodeGenerator):
3378         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
3379         (JSC::BytecodeGenerator::variable):
3380         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
3381         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
3382         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
3383         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
3384         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
3385         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
3386         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
3387         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
3388         * bytecompiler/BytecodeGenerator.h:
3389         (JSC::BytecodeGenerator::isDerivedConstructorContext):