Layout Test js/intl-collator.html is crashing on win 7 debug
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-11-05  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2
3         Layout Test js/intl-collator.html is crashing on win 7 debug
4         https://bugs.webkit.org/show_bug.cgi?id=150943
5
6         Reviewed by Geoffrey Garen.
7
8         The string length returned by ICU's uenum_next seems to be unreliable
9         on an old version of ICU. Since uenum_next returns a null-terminated
10         string anyway, this patch removes the use of the length.
11
12         * runtime/IntlCollatorConstructor.cpp:
13         (JSC::sortLocaleData):
14
15 2015-11-05  Filip Pizlo  <fpizlo@apple.com>
16
17         Unreviewed, add FIXMEs referencing https://bugs.webkit.org/show_bug.cgi?id=150958 and
18         https://bugs.webkit.org/show_bug.cgi?id=150954.
19
20         * b3/B3LowerToAir.cpp:
21         (JSC::B3::Air::LowerToAir::createGenericCompare):
22         * b3/B3ReduceStrength.cpp:
23
24 2015-11-05  Aleksandr Skachkov  <gskachkov@gmail.com>
25
26         Using emitResolveScope & emitGetFromScope with 'this' that is TDZ lead to segfault in DFG
27         https://bugs.webkit.org/show_bug.cgi?id=150902
28
29         Reviewed by Geoffrey Garen.
30
31         Tiny fix provided by Saam Barati. This fix prevents a segfault error in an arrow function
32         when it is used in the constructor of a derived class, before 'super' is called.
33
34         * dfg/DFGAbstractInterpreterInlines.h:
35         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
36
37 2015-11-05  Filip Pizlo  <fpizlo@apple.com>
38
39         B3->Air lowering should have a story for compare-branch fusion
40         https://bugs.webkit.org/show_bug.cgi?id=150721
41
42         Reviewed by Geoffrey Garen.
43
44         This adds comprehensive support for compares and compare/branch fusion to B3. The fusion is
45         super aggressive. It can even handle things like Branch(LessThan(Load8S(...), constant)). It
46         can even handle flipping the operands to the branch, and flipping the comparison condition,
47         if it enables a more efficient instruction. This happens when there is asymmetry in the
48         admitted argument kinds. For example, Branch32 will only accept an Imm as a second operand.
49         If we do a LessThan(constant, load) then we will generate it as:
50
51             Branch32 GreaterThan, (addr), $imm
52
53         This also supports compiling and fusing tests, and to some extent, compiling and fusing
54         double compares. Though we cannot test doubles yet because we don't have enough support for
55         that.
56
57         This also supports fusing compare/branches in Checks. We basically get that for free.
58
59         Because I wanted to fuse comparisons with sub-32-bit loads, I added support for those loads
60         directly, too.
61
62         The tests are now getting super big, so I made testb3 run tests in parallel.
63
64         Finally, this slightly changes the semantics of Branch and Check. Previously they would have
65         accepted a double to branch on. I found that this is awkward. It's especially awkward since
66         we want to be explicit about when a double zero constant is materialized. So, from now on, we
67         require that to branch on a double being non-zero, you have to do Branch(NotEqual(value, 0)).
68
69         * assembler/MacroAssembler.h:
70         (JSC::MacroAssembler::invert):
71         (JSC::MacroAssembler::isInvertible):
72         (JSC::MacroAssembler::flip):
73         (JSC::MacroAssembler::isSigned):
74         (JSC::MacroAssembler::isUnsigned):
75         * assembler/MacroAssemblerX86Common.h:
76         (JSC::MacroAssemblerX86Common::test32):
77         (JSC::MacroAssemblerX86Common::invert):
78         * b3/B3CheckSpecial.cpp:
79         (JSC::B3::CheckSpecial::Key::Key):
80         (JSC::B3::CheckSpecial::Key::dump):
81         (JSC::B3::CheckSpecial::CheckSpecial):
82         (JSC::B3::CheckSpecial::~CheckSpecial):
83         * b3/B3CheckSpecial.h:
84         (JSC::B3::CheckSpecial::Key::Key):
85         (JSC::B3::CheckSpecial::Key::operator==):
86         (JSC::B3::CheckSpecial::Key::operator!=):
87         (JSC::B3::CheckSpecial::Key::operator bool):
88         (JSC::B3::CheckSpecial::Key::opcode):
89         (JSC::B3::CheckSpecial::Key::numArgs):
90         (JSC::B3::CheckSpecial::Key::isHashTableDeletedValue):
91         (JSC::B3::CheckSpecial::Key::hash):
92         (JSC::B3::CheckSpecialKeyHash::hash):
93         (JSC::B3::CheckSpecialKeyHash::equal):
94         * b3/B3Const32Value.cpp:
95         (JSC::B3::Const32Value::zShrConstant):
96         (JSC::B3::Const32Value::equalConstant):
97         (JSC::B3::Const32Value::notEqualConstant):
98         (JSC::B3::Const32Value::lessThanConstant):
99         (JSC::B3::Const32Value::greaterThanConstant):
100         (JSC::B3::Const32Value::lessEqualConstant):
101         (JSC::B3::Const32Value::greaterEqualConstant):
102         (JSC::B3::Const32Value::aboveConstant):
103         (JSC::B3::Const32Value::belowConstant):
104         (JSC::B3::Const32Value::aboveEqualConstant):
105         (JSC::B3::Const32Value::belowEqualConstant):
106         (JSC::B3::Const32Value::dumpMeta):
107         * b3/B3Const32Value.h:
108         * b3/B3Const64Value.cpp:
109         (JSC::B3::Const64Value::zShrConstant):
110         (JSC::B3::Const64Value::equalConstant):
111         (JSC::B3::Const64Value::notEqualConstant):
112         (JSC::B3::Const64Value::lessThanConstant):
113         (JSC::B3::Const64Value::greaterThanConstant):
114         (JSC::B3::Const64Value::lessEqualConstant):
115         (JSC::B3::Const64Value::greaterEqualConstant):
116         (JSC::B3::Const64Value::aboveConstant):
117         (JSC::B3::Const64Value::belowConstant):
118         (JSC::B3::Const64Value::aboveEqualConstant):
119         (JSC::B3::Const64Value::belowEqualConstant):
120         (JSC::B3::Const64Value::dumpMeta):
121         * b3/B3Const64Value.h:
122         * b3/B3ConstDoubleValue.cpp:
123         (JSC::B3::ConstDoubleValue::subConstant):
124         (JSC::B3::ConstDoubleValue::equalConstant):
125         (JSC::B3::ConstDoubleValue::notEqualConstant):
126         (JSC::B3::ConstDoubleValue::lessThanConstant):
127         (JSC::B3::ConstDoubleValue::greaterThanConstant):
128         (JSC::B3::ConstDoubleValue::lessEqualConstant):
129         (JSC::B3::ConstDoubleValue::greaterEqualConstant):
130         (JSC::B3::ConstDoubleValue::dumpMeta):
131         * b3/B3ConstDoubleValue.h:
132         * b3/B3LowerToAir.cpp:
133         (JSC::B3::Air::LowerToAir::LowerToAir):
134         (JSC::B3::Air::LowerToAir::run):
135         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
136         (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise):
137         (JSC::B3::Air::LowerToAir::ArgPromise::tmp):
138         (JSC::B3::Air::LowerToAir::ArgPromise::operator bool):
139         (JSC::B3::Air::LowerToAir::ArgPromise::kind):
140         (JSC::B3::Air::LowerToAir::ArgPromise::peek):
141         (JSC::B3::Air::LowerToAir::ArgPromise::consume):
142         (JSC::B3::Air::LowerToAir::tmp):
143         (JSC::B3::Air::LowerToAir::tmpPromise):
144         (JSC::B3::Air::LowerToAir::canBeInternal):
145         (JSC::B3::Air::LowerToAir::addr):
146         (JSC::B3::Air::LowerToAir::loadPromise):
147         (JSC::B3::Air::LowerToAir::imm):
148         (JSC::B3::Air::LowerToAir::appendBinOp):
149         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
150         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
151         (JSC::B3::Air::LowerToAir::createGenericCompare):
152         (JSC::B3::Air::LowerToAir::createBranch):
153         (JSC::B3::Air::LowerToAir::createCompare):
154         (JSC::B3::Air::LowerToAir::tryLoad):
155         (JSC::B3::Air::LowerToAir::tryLoad8S):
156         (JSC::B3::Air::LowerToAir::tryLoad8Z):
157         (JSC::B3::Air::LowerToAir::tryLoad16S):
158         (JSC::B3::Air::LowerToAir::tryLoad16Z):
159         (JSC::B3::Air::LowerToAir::tryAdd):
160         (JSC::B3::Air::LowerToAir::tryStackSlot):
161         (JSC::B3::Air::LowerToAir::tryEqual):
162         (JSC::B3::Air::LowerToAir::tryNotEqual):
163         (JSC::B3::Air::LowerToAir::tryLessThan):
164         (JSC::B3::Air::LowerToAir::tryGreaterThan):
165         (JSC::B3::Air::LowerToAir::tryLessEqual):
166         (JSC::B3::Air::LowerToAir::tryGreaterEqual):
167         (JSC::B3::Air::LowerToAir::tryAbove):
168         (JSC::B3::Air::LowerToAir::tryBelow):
169         (JSC::B3::Air::LowerToAir::tryAboveEqual):
170         (JSC::B3::Air::LowerToAir::tryBelowEqual):
171         (JSC::B3::Air::LowerToAir::tryPatchpoint):
172         (JSC::B3::Air::LowerToAir::tryCheck):
173         (JSC::B3::Air::LowerToAir::tryBranch):
174         (JSC::B3::Air::LowerToAir::loadAddr): Deleted.
175         * b3/B3LoweringMatcher.patterns:
176         * b3/B3Opcode.cpp:
177         (JSC::B3::invertedCompare):
178         * b3/B3Opcode.h:
179         (JSC::B3::isCheckMath):
180         * b3/B3Procedure.cpp:
181         (JSC::B3::Procedure::addBlock):
182         (JSC::B3::Procedure::addIntConstant):
183         (JSC::B3::Procedure::addBoolConstant):
184         (JSC::B3::Procedure::resetValueOwners):
185         * b3/B3Procedure.h:
186         * b3/B3ReduceStrength.cpp:
187         * b3/B3Validate.cpp:
188         * b3/B3Value.cpp:
189         (JSC::B3::Value::zShrConstant):
190         (JSC::B3::Value::equalConstant):
191         (JSC::B3::Value::notEqualConstant):
192         (JSC::B3::Value::lessThanConstant):
193         (JSC::B3::Value::greaterThanConstant):
194         (JSC::B3::Value::lessEqualConstant):
195         (JSC::B3::Value::greaterEqualConstant):
196         (JSC::B3::Value::aboveConstant):
197         (JSC::B3::Value::belowConstant):
198         (JSC::B3::Value::aboveEqualConstant):
199         (JSC::B3::Value::belowEqualConstant):
200         (JSC::B3::Value::invertedCompare):
201         * b3/B3Value.h:
202         * b3/air/AirArg.cpp:
203         (JSC::B3::Air::Arg::isRepresentableAs):
204         (JSC::B3::Air::Arg::dump):
205         (WTF::printInternal):
206         * b3/air/AirArg.h:
207         (JSC::B3::Air::Arg::isUse):
208         (JSC::B3::Air::Arg::typeForB3Type):
209         (JSC::B3::Air::Arg::widthForB3Type):
210         (JSC::B3::Air::Arg::Arg):
211         (JSC::B3::Air::Arg::value):
212         (JSC::B3::Air::Arg::isRepresentableAs):
213         (JSC::B3::Air::Arg::asNumber):
214         (JSC::B3::Air::Arg::pointerValue):
215         (JSC::B3::Air::Arg::asDoubleCondition):
216         (JSC::B3::Air::Arg::inverted):
217         (JSC::B3::Air::Arg::flipped):
218         (JSC::B3::Air::Arg::isSignedCond):
219         (JSC::B3::Air::Arg::isUnsignedCond):
220         * b3/air/AirInst.h:
221         (JSC::B3::Air::Inst::Inst):
222         (JSC::B3::Air::Inst::operator bool):
223         * b3/air/AirOpcode.opcodes:
224         * b3/air/opcode_generator.rb:
225         * b3/testb3.cpp:
226         (hiddenTruthBecauseNoReturnIsStupid):
227         (JSC::B3::testStoreLoadStackSlot):
228         (JSC::B3::modelLoad):
229         (JSC::B3::testLoad):
230         (JSC::B3::testBranch):
231         (JSC::B3::testComplex):
232         (JSC::B3::testSimplePatchpoint):
233         (JSC::B3::testSimpleCheck):
234         (JSC::B3::genericTestCompare):
235         (JSC::B3::modelCompare):
236         (JSC::B3::testCompareLoad):
237         (JSC::B3::testCompareImpl):
238         (JSC::B3::testCompare):
239         (JSC::B3::run):
240         (main):
241         * dfg/DFGSpeculativeJIT.cpp:
242         (JSC::DFG::SpeculativeJIT::compileArithMod):
243         * jit/JITPropertyAccess.cpp:
244         (JSC::JIT::emitIntTypedArrayGetByVal):
245         (JSC::JIT::emitIntTypedArrayPutByVal):
246
247 2015-11-05  Joseph Pecoraro  <pecoraro@apple.com>
248
249         Web Inspector: Clean up InjectedScript uses
250         https://bugs.webkit.org/show_bug.cgi?id=150921
251
252         Reviewed by Timothy Hatcher.
253
254         * inspector/InjectedScript.cpp:
255         (Inspector::InjectedScript::wrapCallFrames):
256         * inspector/InjectedScript.h:
257         * inspector/InjectedScriptBase.cpp:
258         (Inspector::InjectedScriptBase::initialize): Deleted.
259         * inspector/InjectedScriptBase.h:
260         * inspector/InjectedScriptManager.cpp:
261         (Inspector::InjectedScriptManager::didCreateInjectedScript):
262         * inspector/InjectedScriptManager.h:
263         * inspector/InjectedScriptModule.cpp:
264         (Inspector::InjectedScriptModule::ensureInjected):
265         * inspector/InjectedScriptModule.h:
266         * inspector/agents/InspectorDebuggerAgent.cpp:
267         (Inspector::InspectorDebuggerAgent::currentCallFrames):
268         * inspector/agents/InspectorDebuggerAgent.h:
269
270 2015-11-05  Joseph Pecoraro  <pecoraro@apple.com>
271
272         Web Inspector: Put ScriptDebugServer into InspectorEnvironment and cleanup duplicate references
273         https://bugs.webkit.org/show_bug.cgi?id=150869
274
275         Reviewed by Brian Burg.
276
277         ScriptDebugServer (JSC::Debugger) is being used by more and more agents
278         for instrumentation into JavaScriptCore. Currently the ScriptDebugServer
279         is owned by DebuggerAgent subclasses that make their own ScriptDebugServer
280         subclass. As more agents want to use it there was added boilerplate.
281         Instead, put the ScriptDebugServer in the InspectorEnvironment (Controllers).
282         Then each agent can access it during construction through the environment.
283
284         Do the same clean up for RuntimeAgent::globalVM, which is now just a
285         duplication of InspectorEnvironment::vm.
286
287         * inspector/InspectorEnvironment.h:
288         Add scriptDebugServer().
289
290         * inspector/JSGlobalObjectInspectorController.h:
291         * inspector/JSGlobalObjectInspectorController.cpp:
292         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
293         (Inspector::JSGlobalObjectInspectorController::scriptDebugServer):
294         Own the JSGlobalObjectScriptDebugServer.
295
296         * inspector/agents/InspectorDebuggerAgent.h:
297         * inspector/agents/InspectorDebuggerAgent.cpp:
298         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
299         (Inspector::InspectorDebuggerAgent::enable):
300         (Inspector::InspectorDebuggerAgent::disable):
301         (Inspector::InspectorDebuggerAgent::setBreakpointsActive):
302         (Inspector::InspectorDebuggerAgent::isPaused):
303         (Inspector::InspectorDebuggerAgent::setSuppressAllPauses):
304         (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
305         (Inspector::InspectorDebuggerAgent::removeBreakpoint):
306         (Inspector::InspectorDebuggerAgent::continueToLocation):
307         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
308         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
309         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
310         (Inspector::InspectorDebuggerAgent::resume):
311         (Inspector::InspectorDebuggerAgent::stepOver):
312         (Inspector::InspectorDebuggerAgent::stepInto):
313         (Inspector::InspectorDebuggerAgent::stepOut):
314         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
315         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
316         (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
317         (Inspector::InspectorDebuggerAgent::didPause):
318         (Inspector::InspectorDebuggerAgent::breakProgram):
319         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
320         * inspector/agents/InspectorRuntimeAgent.h:
321         * inspector/agents/InspectorRuntimeAgent.cpp:
322         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
323         (Inspector::setPauseOnExceptionsState):
324         (Inspector::InspectorRuntimeAgent::parse):
325         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
326         (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
327         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
328         Use VM and ScriptDebugServer passed during construction.
329
330         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
331         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
332         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
333         (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent): Deleted.
334         One special case needed by this subclass as a convenience to access the global object.
335
336         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
337         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
338         (Inspector::JSGlobalObjectRuntimeAgent::globalVM): Deleted.
339         This virtual method is no longer needed, the base class has everything now.
340
341 2015-11-05  Xabier Rodriguez Calvar  <calvaris@igalia.com>
342
343         [Streams API] Shield implementation from user mangling Promise.reject and resolve methods
344         https://bugs.webkit.org/show_bug.cgi?id=150895
345
346         Reviewed by Youenn Fablet.
347
348         Keep Promise.resolve and reject also as internal slots for the Promise constructor given that there is no way to
349         retrieve the former implementation if the user decides to replace it. This allows vended promises to be
350         created safely even if the user changes the constructor methods.
351
352         * runtime/JSPromiseConstructor.h:
353         * runtime/JSPromiseConstructor.cpp:
354         (JSC::JSPromiseConstructor::addOwnInternalSlots): Added to include @reject and @resolve.
355         (JSC::JSPromiseConstructor::create): Call addOwnInternalSlots.
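
The entry above describes shielding built-in code from a page that replaces Promise.resolve and Promise.reject. The following is an added plain-JavaScript illustration, not code from the WebKit change: the names vendNaive, vendShielded and probe are hypothetical, and saved function references stand in for the @resolve and @reject internal slots.

```javascript
'use strict';

// Captured once, before any untrusted script runs. These saved references play
// the role of the @resolve / @reject internal slots named in the entry: once
// the page overwrites Promise.resolve, this is the only way back to the original.
const PromiseCtor = Promise;
const apply = Reflect.apply;
const intrinsics = { resolve: Promise.resolve, reject: Promise.reject };

// Naive built-in: looks the method up at call time, so it runs whatever the
// page has installed on the constructor and hands back whatever that returns.
function vendNaive(kind, value) {
  return Promise[kind](value);
}

// Shielded built-in: calls the saved original. The receiver must be the saved
// constructor, because Promise.resolve/reject throw a TypeError when invoked
// with an undefined `this`.
function vendShielded(kind, value) {
  return apply(intrinsics[kind], PromiseCtor, [value]);
}

// Constructed scenario: page script replaces both constructor methods with
// spies that record the call and return a forged thenable.
function probe(vend) {
  const intercepted = [];
  const saved = { resolve: Promise.resolve, reject: Promise.reject };
  for (const kind of ['resolve', 'reject']) {
    Promise[kind] = function () {
      intercepted.push(kind);
      return { forged: true, then() {} };
    };
  }
  try {
    const results = ['resolve', 'reject'].map((kind) => vend(kind, 'chunk'));
    for (const r of results) {
      // Swallow the deliberate rejection so the demo exits cleanly.
      if (r instanceof PromiseCtor) r.catch(() => {});
    }
    return {
      intercepted,
      allGenuine: results.every((r) => r instanceof PromiseCtor),
    };
  } finally {
    // Undo the tampering so later code sees the real methods again.
    Promise.resolve = saved.resolve;
    Promise.reject = saved.reject;
  }
}

console.log('naive   :', probe(vendNaive));
console.log('shielded:', probe(vendShielded));
```
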
356
357 2015-11-04  Benjamin Poulain  <bpoulain@apple.com>
358
359         [JSC] Add B3-to-Air lowering for the shift opcodes
360         https://bugs.webkit.org/show_bug.cgi?id=150919
361
362         Reviewed by Filip Pizlo.
363
364         * assembler/MacroAssemblerX86_64.h:
365         (JSC::MacroAssemblerX86_64::rshift64):
366         (JSC::MacroAssemblerX86_64::urshift64):
367         * assembler/X86Assembler.h:
368         (JSC::X86Assembler::shrq_CLr):
369         * b3/B3Const32Value.cpp:
370         (JSC::B3::Const32Value::shlConstant):
371         (JSC::B3::Const32Value::sShrConstant):
372         (JSC::B3::Const32Value::zShrConstant):
373         * b3/B3Const32Value.h:
374         * b3/B3Const64Value.cpp:
375         (JSC::B3::Const64Value::shlConstant):
376         (JSC::B3::Const64Value::sShrConstant):
377         (JSC::B3::Const64Value::zShrConstant):
378         * b3/B3Const64Value.h:
379         * b3/B3LowerToAir.cpp:
380         (JSC::B3::Air::LowerToAir::appendShift):
381         (JSC::B3::Air::LowerToAir::tryShl):
382         (JSC::B3::Air::LowerToAir::trySShr):
383         (JSC::B3::Air::LowerToAir::tryZShr):
384         * b3/B3LoweringMatcher.patterns:
385         * b3/B3Opcode.h:
386         * b3/B3ReduceStrength.cpp:
387         * b3/B3Value.cpp:
388         (JSC::B3::Value::shlConstant):
389         (JSC::B3::Value::sShrConstant):
390         (JSC::B3::Value::zShrConstant):
391         * b3/B3Value.h:
392         * b3/air/AirInstInlines.h:
393         (JSC::B3::Air::isShiftValid):
394         (JSC::B3::Air::isRshift32Valid):
395         (JSC::B3::Air::isRshift64Valid):
396         (JSC::B3::Air::isUrshift32Valid):
397         (JSC::B3::Air::isUrshift64Valid):
398         * b3/air/AirOpcode.opcodes:
399         * b3/testb3.cpp:
400         (JSC::B3::testShlArgs):
401         (JSC::B3::testShlImms):
402         (JSC::B3::testShlArgImm):
403         (JSC::B3::testShlArgs32):
404         (JSC::B3::testShlImms32):
405         (JSC::B3::testShlArgImm32):
406         (JSC::B3::testSShrArgs):
407         (JSC::B3::testSShrImms):
408         (JSC::B3::testSShrArgImm):
409         (JSC::B3::testSShrArgs32):
410         (JSC::B3::testSShrImms32):
411         (JSC::B3::testSShrArgImm32):
412         (JSC::B3::testZShrArgs):
413         (JSC::B3::testZShrImms):
414         (JSC::B3::testZShrArgImm):
415         (JSC::B3::testZShrArgs32):
416         (JSC::B3::testZShrImms32):
417         (JSC::B3::testZShrArgImm32):
418         (JSC::B3::run):
419
420 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
421
422         B3 should be able to compile a Check
423         https://bugs.webkit.org/show_bug.cgi?id=150878
424
425         Reviewed by Saam Barati.
426
427         The Check opcode in B3 is going to be our main OSR exit mechanism. It is a stackmap
428         value, so you can pass it any number of additional arguments, and you will get to find
429         out how those arguments are represented at the point that the value lands in the machine
430         code. Unlike a Patchpoint, a Check branches on a value, with the goal of supporting full
431         compare/branch fusion. The stackmap's generator runs in an out-of-line path to which
432         that branch is linked.
433
434         This change fills in the glue necessary to compile a Check and it includes a simple
435         test of this functionality. That test also happens to check that such simple code will
436         never use callee-saves, which I think is sensible.
437
438         * b3/B3LowerToAir.cpp:
439         (JSC::B3::Air::LowerToAir::append):
440         (JSC::B3::Air::LowerToAir::ensureSpecial):
441         (JSC::B3::Air::LowerToAir::fillStackmap):
442         (JSC::B3::Air::LowerToAir::tryStackSlot):
443         (JSC::B3::Air::LowerToAir::tryPatchpoint):
444         (JSC::B3::Air::LowerToAir::tryCheck):
445         (JSC::B3::Air::LowerToAir::tryUpsilon):
446         * b3/B3LoweringMatcher.patterns:
447         * b3/testb3.cpp:
448         (JSC::B3::testSimplePatchpoint):
449         (JSC::B3::testSimpleCheck):
450         (JSC::B3::run):
451
452 2015-10-30  Keith Miller  <keith_miller@apple.com>
453
454         Fix endless OSR exits when creating a rope that contains an object that ToPrimitive's to a number.
455         https://bugs.webkit.org/show_bug.cgi?id=150583
456
457         Reviewed by Benjamin Poulain.
458
459         Before we assumed that the result of ToPrimitive on any object was a string.
460         This had a couple of negative effects. First, the result of ToPrimitive on an
461         object can be overridden to be any primitive type. In fact, as of ES6, ToPrimitive,
462         when part of an addition expression, will type hint a number value. Second, even after
463         repeatedly exiting with a bad type we would continue to think that the result
464         of ToPrimitive would be a string so we continue to convert StrCats into MakeRope.
465
466         The fix is to make Prediction Propagation match the behavior of Fixup and move
467         canOptimizeStringObjectAccess to DFGGraph.
468
469         * bytecode/SpeculatedType.h:
470         * dfg/DFGFixupPhase.cpp:
471         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
472         (JSC::DFG::FixupPhase::fixupToPrimitive):
473         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
474         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
475         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): Deleted.
476         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): Deleted.
477         * dfg/DFGGraph.cpp:
478         (JSC::DFG::Graph::isStringPrototypeMethodSane):
479         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
480         * dfg/DFGGraph.h:
481         * dfg/DFGPredictionPropagationPhase.cpp:
482         (JSC::DFG::PredictionPropagationPhase::resultOfToPrimitive):
483         (JSC::DFG::resultOfToPrimitive): Deleted.
500         * tests/stress/string-rope-with-custom-valueof.js: Added.
501         (catNumber):
502         (number.valueOf):
503         (catBool):
504         (bool.valueOf):
505         (catUndefined):
506         (undef.valueOf):
507         (catRandom):
508         (random.valueOf):
509
510 2015-11-04  Xabier Rodriguez Calvar  <calvaris@igalia.com>
511
512         Remove bogus global internal functions for properties and prototype retrieval
513         https://bugs.webkit.org/show_bug.cgi?id=150892
514
515         Reviewed by Darin Adler.
516
517         Global @getOwnPropertyNames and @getPrototypeOf point to the floor function, so it is bogus dead code.
518
519         * runtime/JSGlobalObject.cpp:
520         (JSC::JSGlobalObject::init): Removed global @getOwnPropertyNames and @getPrototypeOf.
521
522 2015-11-03  Benjamin Poulain  <bpoulain@apple.com>
523
524         [JSC] Add B3-to-Air lowering for BitXor
525         https://bugs.webkit.org/show_bug.cgi?id=150872
526
527         Reviewed by Filip Pizlo.
528
529         * assembler/MacroAssemblerX86Common.h:
530         (JSC::MacroAssemblerX86Common::xor32):
531         Fix the indentation.
532
533         * b3/B3Const32Value.cpp:
534         (JSC::B3::Const32Value::bitXorConstant):
535         * b3/B3Const32Value.h:
536         * b3/B3Const64Value.cpp:
537         (JSC::B3::Const64Value::bitXorConstant):
538         * b3/B3Const64Value.h:
539         * b3/B3LowerToAir.cpp:
540         (JSC::B3::Air::LowerToAir::tryXor):
541         * b3/B3LoweringMatcher.patterns:
542         * b3/B3ReduceStrength.cpp:
543         * b3/B3Value.cpp:
544         (JSC::B3::Value::bitXorConstant):
545         * b3/B3Value.h:
546         * b3/air/AirOpcode.opcodes:
547         * b3/testb3.cpp:
548         (JSC::B3::testBitXorArgs):
549         (JSC::B3::testBitXorSameArg):
550         (JSC::B3::testBitXorImms):
551         (JSC::B3::testBitXorArgImm):
552         (JSC::B3::testBitXorImmArg):
553         (JSC::B3::testBitXorBitXorArgImmImm):
554         (JSC::B3::testBitXorImmBitXorArgImm):
555         (JSC::B3::testBitXorArgs32):
556         (JSC::B3::testBitXorSameArg32):
557         (JSC::B3::testBitXorImms32):
558         (JSC::B3::testBitXorArgImm32):
559         (JSC::B3::testBitXorImmArg32):
560         (JSC::B3::testBitXorBitXorArgImmImm32):
561         (JSC::B3::testBitXorImmBitXorArgImm32):
562         (JSC::B3::run):
563
564 2015-11-03  Mark Lam  <mark.lam@apple.com>
565
566         Add op_add tests to compare behavior of JIT generated code to the LLINT's.
567         https://bugs.webkit.org/show_bug.cgi?id=150864
568
569         Reviewed by Saam Barati.
570
571         * tests/stress/op_add.js: Added.
572         (o1.valueOf):
573         (generateScenarios):
574         (printScenarios):
575         (testCases.func):
576         (func):
577         (initializeTestCases):
578         (runTest):
579
580 2015-11-03  Mark Lam  <mark.lam@apple.com>
581
582         Rename DFG's compileAdd to compileArithAdd.
583         https://bugs.webkit.org/show_bug.cgi?id=150866
584
585         Reviewed by Benjamin Poulain.
586
587         The function is only supposed to generate code to do arithmetic addition on
588         numeric types.  Naming it compileArithAdd() is more accurate, and is consistent
589         with the name of the node it emits code for (i.e. ArithAdd) as well as other
590         compiler functions for analogous operations e.g. compileArithSub.
591
592         * dfg/DFGSpeculativeJIT.cpp:
593         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
594         (JSC::DFG::SpeculativeJIT::compileArithAdd):
595         (JSC::DFG::SpeculativeJIT::compileAdd): Deleted.
596         * dfg/DFGSpeculativeJIT.h:
597         * dfg/DFGSpeculativeJIT32_64.cpp:
598         (JSC::DFG::SpeculativeJIT::compile):
599         * dfg/DFGSpeculativeJIT64.cpp:
600         (JSC::DFG::SpeculativeJIT::compile):
601
602 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
603
604         Web Inspector: Remove duplication among ScriptDebugServer subclasses
605         https://bugs.webkit.org/show_bug.cgi?id=150860
606
607         Reviewed by Timothy Hatcher.
608
609         ScriptDebugServer expects a list of listeners to dispatch events to.
610         However each of its subclasses had their own implementation of the
611         list because of different handling when the first was added or when
612         the last was removed. Extract common code into ScriptDebugServer
613         which simplifies things.
614
615         Subclasses now only implement the virtual methods "attachDebugger"
616         and "detachDebugger" which is the unique work done when the first
617         listener is added or last is removed.
618
619         * inspector/JSGlobalObjectScriptDebugServer.cpp:
620         (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
621         (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
622         (Inspector::JSGlobalObjectScriptDebugServer::addListener): Deleted.
623         (Inspector::JSGlobalObjectScriptDebugServer::removeListener): Deleted.
624         * inspector/JSGlobalObjectScriptDebugServer.h:
625         * inspector/ScriptDebugServer.cpp:
626         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
627         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
628         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
629         (Inspector::ScriptDebugServer::sourceParsed):
630         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
631         (Inspector::ScriptDebugServer::addListener):
632         (Inspector::ScriptDebugServer::removeListener):
633         * inspector/ScriptDebugServer.h:
634         * inspector/agents/InspectorDebuggerAgent.cpp:
635         (Inspector::InspectorDebuggerAgent::enable):
636         (Inspector::InspectorDebuggerAgent::disable):
637         * inspector/agents/InspectorDebuggerAgent.h:
638         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
639         (Inspector::JSGlobalObjectDebuggerAgent::startListeningScriptDebugServer): Deleted.
640         (Inspector::JSGlobalObjectDebuggerAgent::stopListeningScriptDebugServer): Deleted.
641         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
642
643         * inspector/ScriptDebugListener.h:
644         (Inspector::ScriptDebugListener::Script::Script):
645         Drive-by convert Script to a struct, it has public fields and is used as such.
646
647 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
648
649         B3::LowerToAir should recognize Neg (i.e. Sub($0, value))
650         https://bugs.webkit.org/show_bug.cgi?id=150759
651
652         Reviewed by Benjamin Poulain.
653
654         Adds various forms of Sub(0, value) and compiles them as Neg. Also fixes a bug in
655         StoreSubLoad. This bug was correctness-benign, so I couldn't add a test for it.
656
657         * b3/B3LowerToAir.cpp:
658         (JSC::B3::Air::LowerToAir::immOrTmp):
659         (JSC::B3::Air::LowerToAir::appendUnOp):
660         (JSC::B3::Air::LowerToAir::appendBinOp):
661         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
662         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
663         (JSC::B3::Air::LowerToAir::trySub):
664         (JSC::B3::Air::LowerToAir::tryStoreSubLoad):
665         * b3/B3LoweringMatcher.patterns:
666         * b3/air/AirOpcode.opcodes:
667         * b3/testb3.cpp:
668         (JSC::B3::testAdd1Ptr):
669         (JSC::B3::testNeg32):
670         (JSC::B3::testNegPtr):
671         (JSC::B3::testStoreAddLoad):
672         (JSC::B3::testStoreAddAndLoad):
673         (JSC::B3::testStoreNegLoad32):
674         (JSC::B3::testStoreNegLoadPtr):
675         (JSC::B3::testAdd1Uncommuted):
676         (JSC::B3::run):
677
678 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
679
680         B3::Values that have effects should allow specification of custom HeapRanges
681         https://bugs.webkit.org/show_bug.cgi?id=150535
682
683         Reviewed by Benjamin Poulain.
684
685         Add an Effects field to calls and patchpoints. Add a HeapRange to MemoryValues.
686
687         In the process, I created a class for the CCall opcode, so that it has somewhere to put
688         the Effects field.
689
690         While doing this, I realized that we didn't have a good way of ensuring that an opcode
691         that requires a specific subclass was actually created with that subclass. So, I added
692         assertions for this.
693
694         * CMakeLists.txt:
695         * JavaScriptCore.xcodeproj/project.pbxproj:
696         * b3/B3ArgumentRegValue.h:
697         * b3/B3CCallValue.cpp: Added.
698         * b3/B3CCallValue.h: Added.
699         * b3/B3CheckValue.h:
700         * b3/B3Const32Value.h:
701         * b3/B3Const64Value.h:
702         * b3/B3ConstDoubleValue.h:
703         (JSC::B3::ConstDoubleValue::ConstDoubleValue):
704         * b3/B3ControlValue.h:
705         * b3/B3Effects.h:
706         (JSC::B3::Effects::forCall):
707         (JSC::B3::Effects::mustExecute):
708         * b3/B3MemoryValue.h:
709         * b3/B3PatchpointValue.h:
710         * b3/B3StackSlotValue.h:
711         * b3/B3UpsilonValue.h:
712         * b3/B3Value.cpp:
713         (JSC::B3::Value::effects):
714         (JSC::B3::Value::dumpMeta):
715         (JSC::B3::Value::checkOpcode):
716         (JSC::B3::Value::typeFor):
717         * b3/B3Value.h:
718
719 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
720
721         B3::Stackmap should be a superclass of B3::PatchpointValue and B3::CheckValue rather than being one of their members
722         https://bugs.webkit.org/show_bug.cgi?id=150831
723
724         Rubber stamped by Benjamin Poulain.
725
726         Previously, Stackmap was a value that PatchpointValue and CheckValue would hold as a field.
727         We'd have convenient ways of getting this field, like via Value::stackmap(). But this was a
728         bit ridiculous, since Stackmap is logically just a common supertype for PatchpointValue and
729         CheckValue. This patch makes this reality by replacing Stackmap with StackmapValue. This makes
730         the code a lot more reasonable.
731
732         I also needed to make dumping a bit more customizable, so I changed dumpMeta() to take a
733         CommaPrinter&. This gives subclasses better control over whether or not to emit a comma. Also
734         it's now possible for subclasses of Value to customize how children are printed. StackmapValue
735         uses this to print the children and their reps together like:
736
737             Int32 @2 = Patchpoint(@0:SomeRegister, @1:SomeRegister, generator = 0x1107ec010, clobbered = [], usedRegisters = [], ExitsSideways|ControlDependent|Writes:Top|Reads:Top)
738
739         This has no behavior change, it's just a big refactoring. You can see how much simpler this
740         makes things by looking at the testSimplePatchpoint() test.
741
742         * CMakeLists.txt:
743         * JavaScriptCore.xcodeproj/project.pbxproj:
744         * b3/B3ArgumentRegValue.cpp:
745         (JSC::B3::ArgumentRegValue::~ArgumentRegValue):
746         (JSC::B3::ArgumentRegValue::dumpMeta):
747         * b3/B3ArgumentRegValue.h:
748         * b3/B3CheckSpecial.cpp:
749         (JSC::B3::CheckSpecial::generate):
750         * b3/B3CheckValue.cpp:
751         (JSC::B3::CheckValue::~CheckValue):
752         (JSC::B3::CheckValue::CheckValue):
753         (JSC::B3::CheckValue::dumpMeta): Deleted.
754         * b3/B3CheckValue.h:
755         (JSC::B3::CheckValue::accepts):
756         * b3/B3Const32Value.cpp:
757         (JSC::B3::Const32Value::notEqualConstant):
758         (JSC::B3::Const32Value::dumpMeta):
759         * b3/B3Const32Value.h:
760         * b3/B3Const64Value.cpp:
761         (JSC::B3::Const64Value::notEqualConstant):
762         (JSC::B3::Const64Value::dumpMeta):
763         * b3/B3Const64Value.h:
764         * b3/B3ConstDoubleValue.cpp:
765         (JSC::B3::ConstDoubleValue::notEqualConstant):
766         (JSC::B3::ConstDoubleValue::dumpMeta):
767         * b3/B3ConstDoubleValue.h:
768         * b3/B3ConstrainedValue.cpp: Added.
769         (JSC::B3::ConstrainedValue::dump):
770         * b3/B3ConstrainedValue.h: Added.
771         (JSC::B3::ConstrainedValue::ConstrainedValue):
772         (JSC::B3::ConstrainedValue::operator bool):
773         (JSC::B3::ConstrainedValue::value):
774         (JSC::B3::ConstrainedValue::rep):
775         * b3/B3ControlValue.cpp:
776         (JSC::B3::ControlValue::convertToJump):
777         (JSC::B3::ControlValue::dumpMeta):
778         * b3/B3ControlValue.h:
779         * b3/B3LowerToAir.cpp:
780         (JSC::B3::Air::LowerToAir::tryPatchpoint):
781         * b3/B3MemoryValue.cpp:
782         (JSC::B3::MemoryValue::accessByteSize):
783         (JSC::B3::MemoryValue::dumpMeta):
784         * b3/B3MemoryValue.h:
785         * b3/B3PatchpointSpecial.cpp:
786         (JSC::B3::PatchpointSpecial::generate):
787         * b3/B3PatchpointValue.cpp:
788         (JSC::B3::PatchpointValue::~PatchpointValue):
789         (JSC::B3::PatchpointValue::PatchpointValue):
790         (JSC::B3::PatchpointValue::dumpMeta): Deleted.
791         * b3/B3PatchpointValue.h:
792         (JSC::B3::PatchpointValue::accepts):
793         * b3/B3StackSlotValue.cpp:
794         (JSC::B3::StackSlotValue::~StackSlotValue):
795         (JSC::B3::StackSlotValue::dumpMeta):
796         * b3/B3StackSlotValue.h:
797         * b3/B3Stackmap.cpp: Removed.
798         * b3/B3Stackmap.h: Removed.
799         * b3/B3StackmapSpecial.cpp:
800         (JSC::B3::StackmapSpecial::reportUsedRegisters):
801         (JSC::B3::StackmapSpecial::extraClobberedRegs):
802         (JSC::B3::StackmapSpecial::forEachArgImpl):
803         (JSC::B3::StackmapSpecial::isValidImpl):
804         (JSC::B3::StackmapSpecial::admitsStackImpl):
805         * b3/B3StackmapSpecial.h:
806         * b3/B3StackmapValue.cpp: Added.
807         (JSC::B3::StackmapValue::~StackmapValue):
808         (JSC::B3::StackmapValue::append):
809         (JSC::B3::StackmapValue::setConstrainedChild):
810         (JSC::B3::StackmapValue::setConstraint):
811         (JSC::B3::StackmapValue::dumpChildren):
812         (JSC::B3::StackmapValue::dumpMeta):
813         (JSC::B3::StackmapValue::StackmapValue):
814         * b3/B3StackmapValue.h: Added.
815         * b3/B3SwitchValue.cpp:
816         (JSC::B3::SwitchValue::appendCase):
817         (JSC::B3::SwitchValue::dumpMeta):
818         (JSC::B3::SwitchValue::SwitchValue):
819         * b3/B3SwitchValue.h:
820         * b3/B3UpsilonValue.cpp:
821         (JSC::B3::UpsilonValue::~UpsilonValue):
822         (JSC::B3::UpsilonValue::dumpMeta):
823         * b3/B3UpsilonValue.h:
824         * b3/B3Validate.cpp:
825         * b3/B3Value.cpp:
826         (JSC::B3::Value::dump):
827         (JSC::B3::Value::dumpChildren):
828         (JSC::B3::Value::deepDump):
829         (JSC::B3::Value::performSubstitution):
830         (JSC::B3::Value::dumpMeta):
831         * b3/B3Value.h:
832         * b3/B3ValueInlines.h:
833         (JSC::B3::Value::asNumber):
834         (JSC::B3::Value::stackmap): Deleted.
835         * b3/B3ValueRep.h:
836         (JSC::B3::ValueRep::kind):
837         (JSC::B3::ValueRep::operator==):
838         (JSC::B3::ValueRep::operator!=):
839         (JSC::B3::ValueRep::operator bool):
840         (JSC::B3::ValueRep::isAny):
841         * b3/air/AirInstInlines.h:
842         * b3/testb3.cpp:
843         (JSC::B3::testSimplePatchpoint):
844
845 2015-11-03  Benjamin Poulain  <bpoulain@apple.com>
846
847         [JSC] Add Air lowering for BitOr and improve BitAnd
848         https://bugs.webkit.org/show_bug.cgi?id=150827
849
850         Reviewed by Filip Pizlo.
851
852         In this patch:
853         -B3 to Air lowering for BitOr.
854         -Codegen for BitOr.
855         -Strength reduction for BitOr and BitAnd.
856         -Tests for BitAnd and BitOr.
857         -Bug fix: Move64 with a negative value was destroying the top bits.
858
859         * b3/B3Const32Value.cpp:
860         (JSC::B3::Const32Value::bitAndConstant):
861         (JSC::B3::Const32Value::bitOrConstant):
862         * b3/B3Const32Value.h:
863         * b3/B3Const64Value.cpp:
864         (JSC::B3::Const64Value::bitAndConstant):
865         (JSC::B3::Const64Value::bitOrConstant):
866         * b3/B3Const64Value.h:
867         * b3/B3LowerToAir.cpp:
868         (JSC::B3::Air::LowerToAir::immForMove):
869         (JSC::B3::Air::LowerToAir::immOrTmpForMove):
870         (JSC::B3::Air::LowerToAir::tryOr):
871         (JSC::B3::Air::LowerToAir::tryConst64):
872         (JSC::B3::Air::LowerToAir::tryUpsilon):
873         (JSC::B3::Air::LowerToAir::tryIdentity):
874         (JSC::B3::Air::LowerToAir::tryReturn):
875         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
876         * b3/B3LoweringMatcher.patterns:
877         * b3/B3ReduceStrength.cpp:
878         * b3/B3Value.cpp:
879         (JSC::B3::Value::bitAndConstant):
880         (JSC::B3::Value::bitOrConstant):
881         * b3/B3Value.h:
882         * b3/air/AirOpcode.opcodes:
883         * b3/testb3.cpp:
884         (JSC::B3::testReturnConst64):
885         (JSC::B3::testBitAndArgs):
886         (JSC::B3::testBitAndSameArg):
887         (JSC::B3::testBitAndImms):
888         (JSC::B3::testBitAndArgImm):
889         (JSC::B3::testBitAndImmArg):
890         (JSC::B3::testBitAndBitAndArgImmImm):
891         (JSC::B3::testBitAndImmBitAndArgImm):
892         (JSC::B3::testBitAndArgs32):
893         (JSC::B3::testBitAndSameArg32):
894         (JSC::B3::testBitAndImms32):
895         (JSC::B3::testBitAndArgImm32):
896         (JSC::B3::testBitAndImmArg32):
897         (JSC::B3::testBitAndBitAndArgImmImm32):
898         (JSC::B3::testBitAndImmBitAndArgImm32):
899         (JSC::B3::testBitOrArgs):
900         (JSC::B3::testBitOrSameArg):
901         (JSC::B3::testBitOrImms):
902         (JSC::B3::testBitOrArgImm):
903         (JSC::B3::testBitOrImmArg):
904         (JSC::B3::testBitOrBitOrArgImmImm):
905         (JSC::B3::testBitOrImmBitOrArgImm):
906         (JSC::B3::testBitOrArgs32):
907         (JSC::B3::testBitOrSameArg32):
908         (JSC::B3::testBitOrImms32):
909         (JSC::B3::testBitOrArgImm32):
910         (JSC::B3::testBitOrImmArg32):
911         (JSC::B3::testBitOrBitOrArgImmImm32):
912         (JSC::B3::testBitOrImmBitOrArgImm32):
913         (JSC::B3::run):
914
915 2015-11-03  Saam barati  <sbarati@apple.com>
916
917         Rewrite "const" as "var" for iTunes/iBooks on the Mac
918         https://bugs.webkit.org/show_bug.cgi?id=150852
919
920         Reviewed by Geoffrey Garen.
921
922         VM now has a setting indicating if we should treat
923         "const" variables as "var" to more closely match
924         JSC's previous implementation of "const" before ES6.
925
926         * parser/Parser.h:
927         (JSC::Parser::next):
928         (JSC::Parser::nextExpectIdentifier):
929         * runtime/VM.h:
930         (JSC::VM::setShouldRewriteConstAsVar):
931         (JSC::VM::shouldRewriteConstAsVar):
932
933 2015-11-03  Mark Lam  <mark.lam@apple.com>
934
935         Fix some inefficiencies in the baseline usage of JITAddGenerator.
936         https://bugs.webkit.org/show_bug.cgi?id=150850
937
938         Reviewed by Michael Saboff.
939
940         1. emit_op_add() was loading the operands twice.  Removed the redundant load.
941         2. The snippet may decide that it wants to go the slow path route all the time.
942            In that case, emit_op_add will end up emitting a branch to an out of line
943            slow path followed by some dead code to store the result of the fast path
944            on to the stack.
945            We now check if the snippet determined that there's no fast path, and just
946            emit the slow path inline, and skip the dead store of the fast path result.
947
948         * jit/JITArithmetic.cpp:
949         (JSC::JIT::emit_op_add):
950
951 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
952
953         B3::LowerToAir should do copy propagation
954         https://bugs.webkit.org/show_bug.cgi?id=150775
955
956         Reviewed by Geoffrey Garen.
957
958         What we are trying to do is remove the unnecessary Move's and Move32's from Trunc and ZExt32.
959         You could think of this as an Air optimization, and indeed, Air is powerful enough that we
960         could write a phase that does copy propagation through Move's and Move32's. For Move32's it
961         would only copy-propagate if it proved that the value was already zero-extended. We could
962         know this by just adding a Def32 role to Air.
963
964         But this patch takes a different approach: we ensure that we don't generate such redundant
965         Move's and Move32's to begin with. The reason is that it's much cheaper to do analysis over
966         B3 than over Air. So, whenever possible, an optimization should be implemented in B3. In
967         this case the optimization can't quite be implemented in B3 because you cannot remove a Trunc
968         or ZExt32 without violating the B3 type system. So, the best place to do this optimization is
969         during lowering: we can use B3 for our analysis and we can use Air to express the
970         transformation.
971
972         Copy propagating during B3->Air lowering is natural because we are creating "SSA-like" Tmps
973         from the B3 Values. They are SSA-like in the sense that except the tmp for a Phi, we know
974         that the Tmp will be assigned once and that the assignment will dominate all uses. So, if we
975         see an operation like Trunc that is semantically just a Move, we can skip the Move and just
976         claim that the Trunc has the same Tmp as its child. We do something similar for ZExt32,
977         except with that one we have to analyze IR to ensure that the value will actually be zero
978         extended. Note that this kind of reasoning about how Tmps work in Air is only possible in the
979         B3->Air lowering, since at that point we know for sure which Tmps behave this way. If we
980         wanted to do anything like this as a later Air phase, we'd have to do more analysis to first
981         prove that Tmps behave in this way.
982
983         * b3/B3LowerToAir.cpp:
984         (JSC::B3::Air::LowerToAir::run):
985         (JSC::B3::Air::LowerToAir::highBitsAreZero):
986         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
987         (JSC::B3::Air::LowerToAir::tmp):
988         (JSC::B3::Air::LowerToAir::tryStore):
989         (JSC::B3::Air::LowerToAir::tryTrunc):
990         (JSC::B3::Air::LowerToAir::tryZExt32):
991         (JSC::B3::Air::LowerToAir::tryIdentity):
992         (JSC::B3::Air::LowerToAir::tryTruncArgumentReg): Deleted.
993         * b3/B3LoweringMatcher.patterns:
994
995 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
996
997         Web Inspector: Move ScriptDebugServer::Task to WorkerScriptDebugServer where it is actually used
998         https://bugs.webkit.org/show_bug.cgi?id=150847
999
1000         Reviewed by Timothy Hatcher.
1001
1002         * inspector/ScriptDebugServer.h:
1003         Remove Task from here, it isn't needed in the general case.
1004
1005         * parser/SourceProvider.h:
1006         Remove unimplemented method.
1007
1008 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
1009
1010         Web Inspector: Handle or Remove ParseHTML Timeline Event Records
1011         https://bugs.webkit.org/show_bug.cgi?id=150689
1012
1013         Reviewed by Timothy Hatcher.
1014
1015         * inspector/protocol/Timeline.json:
1016
1017 2015-11-03  Michael Saboff  <msaboff@apple.com>
1018
1019         Rename InlineCallFrame::getCallerSkippingDeadFrames to something more descriptive
1020         https://bugs.webkit.org/show_bug.cgi?id=150832
1021
1022         Reviewed by Geoffrey Garen.
1023
1024         Renamed InlineCallFrame::getCallerSkippingDeadFrames() to getCallerSkippingTailCalls().
1025         Did similar renaming to helper InlineCallFrame::computeCallerSkippingTailCalls() and
1026         InlineCallFrame::getCallerInlineFrameSkippingTailCalls().
1027
1028         * bytecode/InlineCallFrame.h:
1029         (JSC::InlineCallFrame::computeCallerSkippingTailCalls):
1030         (JSC::InlineCallFrame::getCallerSkippingTailCalls):
1031         (JSC::InlineCallFrame::getCallerInlineFrameSkippingTailCalls):
1032         (JSC::InlineCallFrame::computeCallerSkippingDeadFrames): Deleted.
1033         (JSC::InlineCallFrame::getCallerSkippingDeadFrames): Deleted.
1034         (JSC::InlineCallFrame::getCallerInlineFrameSkippingDeadFrames): Deleted.
1035         * dfg/DFGByteCodeParser.cpp:
1036         (JSC::DFG::ByteCodeParser::allInlineFramesAreTailCalls):
1037         (JSC::DFG::ByteCodeParser::currentCodeOrigin):
1038         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1039         * dfg/DFGGraph.cpp:
1040         (JSC::DFG::Graph::isLiveInBytecode):
1041         * dfg/DFGGraph.h:
1042         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
1043         * dfg/DFGOSRExitCompilerCommon.cpp:
1044         (JSC::DFG::reifyInlinedCallFrames):
1045         * dfg/DFGPreciseLocalClobberize.h:
1046         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1047         * dfg/DFGSpeculativeJIT32_64.cpp:
1048         (JSC::DFG::SpeculativeJIT::emitCall):
1049         * dfg/DFGSpeculativeJIT64.cpp:
1050         (JSC::DFG::SpeculativeJIT::emitCall):
1051         * ftl/FTLLowerDFGToLLVM.cpp:
1052         (JSC::FTL::DFG::LowerDFGToLLVM::codeOriginDescriptionOfCallSite):
1053         * interpreter/StackVisitor.cpp:
1054         (JSC::StackVisitor::gotoNextFrame):
1055
1056 2015-11-02  Filip Pizlo  <fpizlo@apple.com>
1057
1058         B3/Air should use bubble sort for their insertion sets, because it's faster than std::stable_sort
1059         https://bugs.webkit.org/show_bug.cgi?id=150828
1060
1061         Reviewed by Geoffrey Garen.
1062
1063         Undo the 2% compile time regression caused by http://trac.webkit.org/changeset/191913.
1064
1065         * b3/B3InsertionSet.cpp:
1066         (JSC::B3::InsertionSet::execute): Switch to bubble sort.
1067         * b3/air/AirInsertionSet.cpp:
1068         (JSC::B3::Air::InsertionSet::execute): Switch to bubble sort.
1069         * dfg/DFGBlockInsertionSet.cpp:
1070         (JSC::DFG::BlockInsertionSet::execute): Switch back to quicksort.
1071
1072 2015-11-03  Csaba Osztrogonác  <ossy@webkit.org>
1073
1074         Unreviewed, partially revert r191952.
1075
1076         Removed GCC compiler workarounds (unreachable returns).
1077
1078         * b3/B3Type.h:
1079         (JSC::B3::sizeofType):
1080         * b3/air/AirArg.h:
1081         (JSC::B3::Air::Arg::isUse):
1082         (JSC::B3::Air::Arg::isDef):
1083         (JSC::B3::Air::Arg::isGP):
1084         (JSC::B3::Air::Arg::isFP):
1085         (JSC::B3::Air::Arg::isType):
1086         * b3/air/AirCode.h:
1087         (JSC::B3::Air::Code::newTmp):
1088         (JSC::B3::Air::Code::numTmps):
1089
1090 2015-11-03  Csaba Osztrogonác  <ossy@webkit.org>
1091
1092         Fix the ENABLE(B3_JIT) build on Linux
1093         https://bugs.webkit.org/show_bug.cgi?id=150794
1094
1095         Reviewed by Darin Adler.
1096
1097         * CMakeLists.txt:
1098         * b3/B3HeapRange.h:
1099         * b3/B3IndexSet.h:
1100         (JSC::B3::IndexSet::Iterable::iterator::operator++):
1101         * b3/B3Type.h:
1102         (JSC::B3::sizeofType):
1103         * b3/air/AirArg.cpp:
1104         (JSC::B3::Air::Arg::dump):
1105         * b3/air/AirArg.h:
1106         (JSC::B3::Air::Arg::isUse):
1107         (JSC::B3::Air::Arg::isDef):
1108         (JSC::B3::Air::Arg::isGP):
1109         (JSC::B3::Air::Arg::isFP):
1110         (JSC::B3::Air::Arg::isType):
1111         * b3/air/AirCode.h:
1112         (JSC::B3::Air::Code::newTmp):
1113         (JSC::B3::Air::Code::numTmps):
1114         * b3/air/AirSpecial.cpp:
1115
1116 2015-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1117
1118         Clean up ENABLE(ES6_ARROWFUNCTION_SYNTAX) ifdefs and keep minimal set of them
1119         https://bugs.webkit.org/show_bug.cgi?id=150793
1120
1121         Reviewed by Darin Adler.
1122
1123         Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r191875.
1124         This patch drops many ENABLE(ES6_ARROWFUNCTION_SYNTAX) ifdefs and keeps only one of them;
1125         the ifdef in parseAssignmentExpression.
1126         This prevents functionality of parsing arrow function syntax.
1127
1128         * parser/Lexer.cpp:
1129         (JSC::Lexer<T>::lex):
1130         * parser/Parser.cpp:
1131         (JSC::Parser<LexerType>::parseInner): Deleted.
1132         * parser/Parser.h:
1133         (JSC::Parser::isArrowFunctionParamters): Deleted.
1134         * parser/ParserTokens.h:
1135
1136 2015-11-02  Michael Saboff  <msaboff@apple.com>
1137
1138         WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading
1139         https://bugs.webkit.org/show_bug.cgi?id=150745
1140
1141         Reviewed by Geoffrey Garen.
1142
1143         During OSR exit, reifyInlinedCallFrames() was using the call kind from a tail call to
1144         find the CallLinkInfo / StubInfo to find the return PC.  Instead we need to get the call
1145         type of the true caller, that is the function we'll be returning to.
1146
1147         This can be found by remembering the last call type we find while walking up the inlined
1148         frames in InlineCallFrame::getCallerSkippingDeadFrames().
1149
1150         We can also return directly back to a getter or setter callsite without using a thunk.
1151
1152         * bytecode/InlineCallFrame.h:
1153         (JSC::InlineCallFrame::computeCallerSkippingDeadFrames):
1154         (JSC::InlineCallFrame::getCallerSkippingDeadFrames):
1155         * dfg/DFGOSRExitCompilerCommon.cpp:
1156         (JSC::DFG::reifyInlinedCallFrames):
1157         * jit/JITPropertyAccess.cpp:
1158         (JSC::JIT::emit_op_get_by_id): Need to eliminate the stack pointer check, as it is wrong
1159         for reified inlined frames created during OSR exit. 
1160         * jit/ThunkGenerators.cpp:
1161         (JSC::baselineGetterReturnThunkGenerator): Deleted.
1162         (JSC::baselineSetterReturnThunkGenerator): Deleted.
1163         * jit/ThunkGenerators.h:
1164
1165 2015-11-02  Saam barati  <sbarati@apple.com>
1166
1167         Wrong value recovery for DFG try/catch with a getter that throws during an IC miss
1168         https://bugs.webkit.org/show_bug.cgi?id=150760
1169
1170         Reviewed by Geoffrey Garen.
1171
1172         This is related to using PhantomLocal instead of Flush as 
1173         the liveness preservation mechanism for live catch variables. 
1174         I'm temporarily switching things back to Flush. This will be a
1175         performance hit for try/catch in the DFG. Landing this patch,
1176         though, will allow me to land try/catch in the FTL. It also
1177         makes try/catch in the DFG sound. I have opened another
1178         bug to further investigate using PhantomLocal as the
1179         liveness preservation mechanism: https://bugs.webkit.org/show_bug.cgi?id=150824
1180
1181         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1182         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
1183         * tests/stress/dfg-try-catch-wrong-value-recovery-on-ic-miss.js: Added.
1184         (assert):
1185         (let.oThrow.get f):
1186         (let.o2.get f):
1187         (foo):
1188         (f):
1189
1190 2015-11-02  Andy Estes  <aestes@apple.com>
1191
1192         [Cocoa] Add tvOS and watchOS to SUPPORTED_PLATFORMS
1193         https://bugs.webkit.org/show_bug.cgi?id=150819
1194
1195         Reviewed by Dan Bernstein.
1196
1197         This tells Xcode to include these platforms in its Devices dropdown, making it possible to build in the IDE.
1198
1199         * Configurations/Base.xcconfig:
1200
1201 2015-11-02  Brent Fulgham  <bfulgham@apple.com>
1202
1203         [Win] MiniBrowser unable to use WebInspector
1204         https://bugs.webkit.org/show_bug.cgi?id=150810
1205         <rdar://problem/23358514>
1206
1207         Reviewed by Timothy Hatcher.
1208
1209         The CMakeList rule for creating the InjectedScriptSource.min.js was improperly including
1210         the quote characters in the text prepended to InjectedScriptSource.min.js. This caused a
1211         parsing error in the JS file.
1212         
1213         The solution was to switch from using "COMMAND echo" to use the more cross-platform
1214         compatible command "COMMAND ${CMAKE_COMMAND} -E echo ...", which handles the string
1215         escaping properly on all platforms.
1216
1217         * CMakeLists.txt: Switch the 'echo' command syntax to be more cross-platform.
1218
1219 2015-11-02  Filip Pizlo  <fpizlo@apple.com>
1220
1221         B3 should be able to compile a Patchpoint
1222         https://bugs.webkit.org/show_bug.cgi?id=150750
1223
1224         Reviewed by Geoffrey Garen.
1225
1226         This adds the glue in B3::LowerToAir that turns a B3::PatchpointValue into an Air::Patch
1227         with a B3::PatchpointSpecial.
1228
1229         Along the way, I found some bugs. For starters, it became clear that I wanted to be able
1230         to append constraints to a Stackmap, and I wanted to have more flexibility in how I
1231         created a PatchpointValue. I also wanted more helper methods in ValueRep, since
1232         otherwise I would have had to write a lot of boilerplate.
1233
1234         I discovered, and fixed, a minor goof in Air::Code dumping when there are specials.
1235
1236         There were a ton of indexing bugs in B3StackmapSpecial.
1237
1238         The spiller was broken in case the Def was not the last Arg, since it was adding things
1239         to the insertion set both at instIndex and instIndex + 1, and the two types of additions
1240         could occur in the wrong (i.e. the +1 case first) order with an early Def. We often have
1241         bugs like this. In the DFG, we were paranoid about performance so we only admit out-of-
1242         order insertions as a rare case. I think that we don't really need to be so paranoid.
1243         So, I made the new insertion sets use a stable_sort to ensure that everything happens in
1244         the right order. I changed DFG::BlockInsertionSet to also use stable_sort; it previously
1245         used sort, which is slightly wrong.
1246
1247         This adds a new test that uses Patchpoint to implement a 32-bit add. It works!
1248
1249         * b3/B3InsertionSet.cpp:
1250         (JSC::B3::InsertionSet::execute):
1251         * b3/B3LowerToAir.cpp:
1252         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
1253         (JSC::B3::Air::LowerToAir::appendStore):
1254         (JSC::B3::Air::LowerToAir::moveForType):
1255         (JSC::B3::Air::LowerToAir::append):
1256         (JSC::B3::Air::LowerToAir::ensureSpecial):
1257         (JSC::B3::Air::LowerToAir::tryStore):
1258         (JSC::B3::Air::LowerToAir::tryStackSlot):
1259         (JSC::B3::Air::LowerToAir::tryPatchpoint):
1260         (JSC::B3::Air::LowerToAir::tryUpsilon):
1261         * b3/B3LoweringMatcher.patterns:
1262         * b3/B3PatchpointValue.h:
1263         (JSC::B3::PatchpointValue::accepts): Deleted.
1264         (JSC::B3::PatchpointValue::PatchpointValue): Deleted.
1265         * b3/B3Stackmap.h:
1266         (JSC::B3::Stackmap::constrain):
1267         (JSC::B3::Stackmap::appendConstraint):
1268         (JSC::B3::Stackmap::reps):
1269         (JSC::B3::Stackmap::clobber):
1270         * b3/B3StackmapSpecial.cpp:
1271         (JSC::B3::StackmapSpecial::forEachArgImpl):
1272         (JSC::B3::StackmapSpecial::isValidImpl):
1273         * b3/B3Value.h:
1274         * b3/B3ValueRep.h:
1275         (JSC::B3::ValueRep::ValueRep):
1276         (JSC::B3::ValueRep::reg):
1277         (JSC::B3::ValueRep::operator bool):
1278         (JSC::B3::ValueRep::isAny):
1279         (JSC::B3::ValueRep::isSomeRegister):
1280         (JSC::B3::ValueRep::isReg):
1281         (JSC::B3::ValueRep::isGPR):
1282         (JSC::B3::ValueRep::isFPR):
1283         (JSC::B3::ValueRep::gpr):
1284         (JSC::B3::ValueRep::fpr):
1285         (JSC::B3::ValueRep::isStack):
1286         (JSC::B3::ValueRep::offsetFromFP):
1287         (JSC::B3::ValueRep::isStackArgument):
1288         (JSC::B3::ValueRep::offsetFromSP):
1289         (JSC::B3::ValueRep::isConstant):
1290         (JSC::B3::ValueRep::value):
1291         * b3/air/AirCode.cpp:
1292         (JSC::B3::Air::Code::dump):
1293         * b3/air/AirInsertionSet.cpp:
1294         (JSC::B3::Air::InsertionSet::execute):
1295         * b3/testb3.cpp:
1296         (JSC::B3::testComplex):
1297         (JSC::B3::testSimplePatchpoint):
1298         (JSC::B3::run):
1299         * dfg/DFGBlockInsertionSet.cpp:
1300         (JSC::DFG::BlockInsertionSet::execute):
1301
1302 2015-11-02  Mark Lam  <mark.lam@apple.com>
1303
1304         Snippefy op_add for the baseline JIT.
1305         https://bugs.webkit.org/show_bug.cgi?id=150129
1306
1307         Reviewed by Geoffrey Garen and Saam Barati.
1308
1309         Performance is neutral for both 32-bit and 64-bit on X86_64.
1310
1311         * CMakeLists.txt:
1312         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1313         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1314         * JavaScriptCore.xcodeproj/project.pbxproj:
1315         * jit/JIT.h:
1316         (JSC::JIT::getOperandConstantInt):
1317         - Move getOperandConstantInt() from the JSVALUE64 section to the common section
1318           because the snippet needs it.
1319
1320         * jit/JITAddGenerator.cpp: Added.
1321         (JSC::JITAddGenerator::generateFastPath):
1322         * jit/JITAddGenerator.h: Added.
1323         (JSC::JITAddGenerator::JITAddGenerator):
1324         (JSC::JITAddGenerator::endJumpList):
1325         (JSC::JITAddGenerator::slowPathJumpList):
1326         - JITAddGenerator implements an optimization for the case where 1 of the 2 operands
1327           is a constant int32_t.  It does not implement an optimization for the case where
1328           both operands are constant int32_t.  This is because:
1329           1. For the baseline JIT, the ASTBuilder will fold the 2 constants together.
1330           2. For the DFG, the AbstractInterpreter will also fold the 2 constants.
1331
1332           Hence, such an optimization path (for 2 constant int32_t operands) would never
1333           be taken, and is why we won't implement it.
1334
1335         * jit/JITArithmetic.cpp:
1336         (JSC::JIT::compileBinaryArithOp):
1337         (JSC::JIT::compileBinaryArithOpSlowCase):
1338         - Removed op_add cases.  These are no longer used by the op_add emitters.
1339
1340         (JSC::JIT::emit_op_add):
1341         (JSC::JIT::emitSlow_op_add):
1342         - Moved out from the JSVALUE64 section to the common section, and reimplemented
1343           using the snippet.
1344
1345         * jit/JITArithmetic32_64.cpp:
1346         (JSC::JIT::emitBinaryDoubleOp):
1347         (JSC::JIT::emit_op_add): Deleted.
1348         (JSC::JIT::emitAdd32Constant): Deleted.
1349         (JSC::JIT::emitSlow_op_add): Deleted.
1350         - Remove 32-bit specific version of op_add.  The snippet serves both 32-bit
1351           and 64-bit implementations.
1352
1353         * jit/JITInlines.h:
1354         (JSC::JIT::getOperandConstantInt):
1355         - Move getOperandConstantInt() from the JSVALUE64 section to the common section
1356           because the snippet needs it.
1357
1358 2015-11-02  Brian Burg  <bburg@apple.com>
1359
1360         Run sort-Xcode-project-file for the JavaScriptCore project.
1361
1362         Unreviewed. Many things were out of order following recent B3 commits.
1363
1364         * JavaScriptCore.xcodeproj/project.pbxproj:
1365
1366 2015-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1367
1368         Rename op_put_getter_setter to op_put_getter_setter_by_id
1369         https://bugs.webkit.org/show_bug.cgi?id=150773
1370
1371         Reviewed by Mark Lam.
1372
1373         Renaming op_put_getter_setter to op_put_getter_setter_by_id makes this op name consistent with
1374         the other ops' names like op_put_getter_by_id etc.
1375
1376         And to fix build dependencies in Xcode, we added LLIntAssembly.h to the Xcode project file.
1377
1378         * JavaScriptCore.xcodeproj/project.pbxproj:
1379         * bytecode/BytecodeList.json:
1380         * bytecode/BytecodeUseDef.h:
1381         (JSC::computeUsesForBytecodeOffset):
1382         (JSC::computeDefsForBytecodeOffset):
1383         * bytecode/CodeBlock.cpp:
1384         (JSC::CodeBlock::dumpBytecode):
1385         * bytecompiler/BytecodeGenerator.cpp:
1386         (JSC::BytecodeGenerator::emitPutGetterSetter):
1387         * dfg/DFGByteCodeParser.cpp:
1388         (JSC::DFG::ByteCodeParser::parseBlock):
1389         * dfg/DFGCapabilities.cpp:
1390         (JSC::DFG::capabilityLevel):
1391         * jit/JIT.cpp:
1392         (JSC::JIT::privateCompileMainPass):
1393         * jit/JIT.h:
1394         * jit/JITPropertyAccess.cpp:
1395         (JSC::JIT::emit_op_put_getter_setter_by_id):
1396         (JSC::JIT::emit_op_put_getter_setter): Deleted.
1397         * jit/JITPropertyAccess32_64.cpp:
1398         (JSC::JIT::emit_op_put_getter_setter_by_id):
1399         (JSC::JIT::emit_op_put_getter_setter): Deleted.
1400         * llint/LLIntSlowPaths.cpp:
1401         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1402         * llint/LLIntSlowPaths.h:
1403         * llint/LowLevelInterpreter.asm:
1404
1405 2015-11-02  Csaba Osztrogonác  <ossy@webkit.org>
1406
1407         Fix the FTL JIT build with system LLVM on Linux
1408         https://bugs.webkit.org/show_bug.cgi?id=150795
1409
1410         Reviewed by Filip Pizlo.
1411
1412         * CMakeLists.txt:
1413
1414 2015-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1415
1416         [ES6] Support Generator Syntax
1417         https://bugs.webkit.org/show_bug.cgi?id=150769
1418
1419         Reviewed by Geoffrey Garen.
1420
1421         This patch implements the syntax part of ES6 Generators.
1422
1423         1. Add ENABLE_ES6_GENERATORS compile time flag. It is disabled by default, and will be enabled once ES6 generator functionality is implemented.
1424         2. Add lexer support for YIELD. It changes "yield" from reserved-if-strict word to keyword. And it is correct under the ES6 spec.
1425         3. Implement parsing functionality and YieldExprNode stub. YieldExprNode does not emit meaningful bytecodes yet. This should be implemented in a future patch.
1426         4. Accept "yield" Identifier as a label etc. under sloppy mode && non-generator code. http://ecma-international.org/ecma-262/6.0/#sec-generator-function-definitions-static-semantics-early-errors
1427
1428         * Configurations/FeatureDefines.xcconfig:
1429         * bytecompiler/NodesCodegen.cpp:
1430         (JSC::YieldExprNode::emitBytecode):
1431         * parser/ASTBuilder.h:
1432         (JSC::ASTBuilder::createYield):
1433         * parser/Keywords.table:
1434         * parser/NodeConstructors.h:
1435         (JSC::YieldExprNode::YieldExprNode):
1436         * parser/Nodes.h:
1437         * parser/Parser.cpp:
1438         (JSC::Parser<LexerType>::Parser):
1439         (JSC::Parser<LexerType>::parseInner):
1440         (JSC::Parser<LexerType>::parseStatementListItem):
1441         (JSC::Parser<LexerType>::parseVariableDeclarationList):
1442         (JSC::Parser<LexerType>::parseDestructuringPattern):
1443         (JSC::Parser<LexerType>::parseBreakStatement):
1444         (JSC::Parser<LexerType>::parseContinueStatement):
1445         (JSC::Parser<LexerType>::parseTryStatement):
1446         (JSC::Parser<LexerType>::parseStatement):
1447         (JSC::stringForFunctionMode):
1448         (JSC::Parser<LexerType>::parseFunctionParameters):
1449         (JSC::Parser<LexerType>::parseFunctionInfo):
1450         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1451         (JSC::Parser<LexerType>::parseClass):
1452         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1453         (JSC::Parser<LexerType>::parseExportDeclaration):
1454         (JSC::Parser<LexerType>::parseAssignmentExpression):
1455         (JSC::Parser<LexerType>::parseYieldExpression):
1456         (JSC::Parser<LexerType>::parseProperty):
1457         (JSC::Parser<LexerType>::parsePropertyMethod):
1458         (JSC::Parser<LexerType>::parseGetterSetter):
1459         (JSC::Parser<LexerType>::parseFunctionExpression):
1460         (JSC::Parser<LexerType>::parsePrimaryExpression):
1461         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1462         * parser/Parser.h:
1463         (JSC::Scope::Scope):
1464         (JSC::Scope::setSourceParseMode):
1465         (JSC::Scope::isGenerator):
1466         (JSC::Scope::setIsFunction):
1467         (JSC::Scope::setIsGenerator):
1468         (JSC::Scope::setIsModule):
1469         (JSC::Parser::pushScope):
1470         (JSC::Parser::isYIELDMaskedAsIDENT):
1471         (JSC::Parser::matchSpecIdentifier):
1472         (JSC::Parser::saveState):
1473         (JSC::Parser::restoreState):
1474         * parser/ParserModes.h:
1475         (JSC::isFunctionParseMode):
1476         (JSC::isModuleParseMode):
1477         (JSC::isProgramParseMode):
1478         * parser/ParserTokens.h:
1479         * parser/SyntaxChecker.h:
1480         (JSC::SyntaxChecker::createYield):
1481         * tests/stress/generator-methods.js: Added.
1482         (Hello.prototype.gen):
1483         (Hello.gen):
1484         (Hello):
1485         (Hello.prototype.set get string_appeared_here):
1486         (Hello.string_appeared_here):
1487         (Hello.prototype.20):
1488         (Hello.20):
1489         (Hello.prototype.42):
1490         (Hello.42):
1491         (let.object.gen):
1492         (let.object.set get string_appeared_here):
1493         (let.object.20):
1494         (let.object.42):
1495         * tests/stress/generator-syntax.js: Added.
1496         (testSyntax):
1497         (testSyntaxError):
1498         (testSyntaxError.Hello.prototype.get gen):
1499         (testSyntaxError.Hello):
1500         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.Hello.prototype.set gen):
1501         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.Hello):
1502         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.gen):
1503         (testSyntaxError.value):
1504         (testSyntaxError.gen.ng):
1505         (testSyntaxError.gen):
1506         (testSyntax.gen):
1507         * tests/stress/yield-and-line-terminator.js: Added.
1508         (testSyntax):
1509         (testSyntaxError):
1510         (testSyntax.gen):
1511         (testSyntaxError.gen):
1512         * tests/stress/yield-label-generator.js: Added.
1513         (testSyntax):
1514         (testSyntaxError):
1515         (testSyntaxError.test):
1516         (SyntaxError.Unexpected.keyword.string_appeared_here.Expected.an.identifier.as.the.target.a.continue.statement.testSyntax.test):
1517         * tests/stress/yield-label.js: Added.
1518         (yield):
1519         (testSyntaxError):
1520         (testSyntaxError.test):
1521         * tests/stress/yield-named-accessors-generator.js: Added.
1522         (t1.let.object.get yield):
1523         (t1.let.object.set yield):
1524         (t1):
1525         (t2.let.object.get yield):
1526         (t2.let.object.set yield):
1527         (t2):
1528         * tests/stress/yield-named-accessors.js: Added.
1529         (t1.let.object.get yield):
1530         (t1.let.object.set yield):
1531         (t1):
1532         (t2.let.object.get yield):
1533         (t2.let.object.set yield):
1534         (t2):
1535         * tests/stress/yield-named-variable-generator.js: Added.
1536         (testSyntax):
1537         (testSyntaxError):
1538         (testSyntaxError.t1):
1539         (testSyntaxError.t1.yield):
1540         (testSyntax.t1.yield):
1541         (testSyntax.t1):
1542         * tests/stress/yield-named-variable.js: Added.
1543         (testSyntax):
1544         (testSyntaxError):
1545         (testSyntax.t1):
1546         (testSyntaxError.t1):
1547         (testSyntax.t1.yield):
1548         (testSyntaxError.t1.yield):
1549         * tests/stress/yield-out-of-generator.js: Added.
1550         (testSyntax):
1551         (testSyntaxError):
1552         (testSyntaxError.hello):
1553         (testSyntaxError.gen.hello):
1554         (testSyntaxError.gen):
1555         (testSyntax.gen):
1556         (testSyntax.gen.ok):
1557         (testSyntaxError.gen.ok):
1558
1559 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
1560
1561         Dominators should be factored out of the DFG
1562         https://bugs.webkit.org/show_bug.cgi?id=150764
1563
1564         Reviewed by Geoffrey Garen.
1565
1566         Factored DFGDominators.h/DFGDominators.cpp into WTF. To do this, I made two changes to the
1567         DFG:
1568
1569         1) DFG now has a CFG abstraction called DFG::CFG. The cool thing about this is that in the
1570            future if we wanted to support inverted dominators, we could do it by just creating a
1571            DFG::BackwardCFG.
1572
1573         2) Got rid of DFG::Analysis. From now on, an Analysis being invalidated is expressed by the
1574            DFG::Graph having a null pointer for that analysis. When we "run" the analysis, we
1575            just instantiate it. This makes it much more natural to integrate WTF::Dominators into
1576            the DFG.
1577
1578         * CMakeLists.txt:
1579         * JavaScriptCore.xcodeproj/project.pbxproj:
1580         * dfg/DFGAnalysis.h: Removed.
1581         * dfg/DFGCFG.h: Added.
1582         (JSC::DFG::CFG::CFG):
1583         (JSC::DFG::CFG::root):
1584         (JSC::DFG::CFG::newMap<T>):
1585         (JSC::DFG::CFG::successors):
1586         (JSC::DFG::CFG::predecessors):
1587         (JSC::DFG::CFG::index):
1588         (JSC::DFG::CFG::node):
1589         (JSC::DFG::CFG::numNodes):
1590         (JSC::DFG::CFG::dump):
1591         * dfg/DFGCSEPhase.cpp:
1592         * dfg/DFGDisassembler.cpp:
1593         (JSC::DFG::Disassembler::createDumpList):
1594         * dfg/DFGDominators.cpp: Removed.
1595         * dfg/DFGDominators.h:
1596         (JSC::DFG::Dominators::Dominators):
1597         (JSC::DFG::Dominators::strictlyDominates): Deleted.
1598         (JSC::DFG::Dominators::dominates): Deleted.
1599         (JSC::DFG::Dominators::immediateDominatorOf): Deleted.
1600         (JSC::DFG::Dominators::forAllStrictDominatorsOf): Deleted.
1601         (JSC::DFG::Dominators::forAllDominatorsOf): Deleted.
1602         (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy): Deleted.
1603         (JSC::DFG::Dominators::forAllBlocksDominatedBy): Deleted.
1604         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf): Deleted.
1605         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf): Deleted.
1606         (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf): Deleted.
1607         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl): Deleted.
1608         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl): Deleted.
1609         (JSC::DFG::Dominators::BlockData::BlockData): Deleted.
1610         * dfg/DFGEdgeDominates.h:
1611         (JSC::DFG::EdgeDominates::operator()):
1612         * dfg/DFGGraph.cpp:
1613         (JSC::DFG::Graph::Graph):
1614         (JSC::DFG::Graph::dumpBlockHeader):
1615         (JSC::DFG::Graph::invalidateCFG):
1616         (JSC::DFG::Graph::substituteGetLocal):
1617         (JSC::DFG::Graph::handleAssertionFailure):
1618         (JSC::DFG::Graph::ensureDominators):
1619         (JSC::DFG::Graph::ensurePrePostNumbering):
1620         (JSC::DFG::Graph::ensureNaturalLoops):
1621         (JSC::DFG::Graph::valueProfileFor):
1622         * dfg/DFGGraph.h:
1623         (JSC::DFG::Graph::hasDebuggerEnabled):
1624         * dfg/DFGLICMPhase.cpp:
1625         (JSC::DFG::LICMPhase::run):
1626         (JSC::DFG::LICMPhase::attemptHoist):
1627         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1628         (JSC::DFG::createPreHeader):
1629         (JSC::DFG::LoopPreHeaderCreationPhase::run):
1630         * dfg/DFGNaturalLoops.cpp:
1631         (JSC::DFG::NaturalLoop::dump):
1632         (JSC::DFG::NaturalLoops::NaturalLoops):
1633         (JSC::DFG::NaturalLoops::~NaturalLoops):
1634         (JSC::DFG::NaturalLoops::loopsOf):
1635         (JSC::DFG::NaturalLoops::computeDependencies): Deleted.
1636         (JSC::DFG::NaturalLoops::compute): Deleted.
1637         * dfg/DFGNaturalLoops.h:
1638         (JSC::DFG::NaturalLoops::numLoops):
1639         * dfg/DFGNode.h:
1640         (JSC::DFG::Node::SuccessorsIterable::end):
1641         (JSC::DFG::Node::SuccessorsIterable::size):
1642         (JSC::DFG::Node::SuccessorsIterable::at):
1643         (JSC::DFG::Node::SuccessorsIterable::operator[]):
1644         * dfg/DFGOSREntrypointCreationPhase.cpp:
1645         (JSC::DFG::OSREntrypointCreationPhase::run):
1646         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1647         * dfg/DFGPlan.cpp:
1648         (JSC::DFG::Plan::compileInThreadImpl):
1649         * dfg/DFGPrePostNumbering.cpp:
1650         (JSC::DFG::PrePostNumbering::PrePostNumbering):
1651         (JSC::DFG::PrePostNumbering::~PrePostNumbering):
1652         (JSC::DFG::PrePostNumbering::compute): Deleted.
1653         * dfg/DFGPrePostNumbering.h:
1654         (JSC::DFG::PrePostNumbering::preNumber):
1655         (JSC::DFG::PrePostNumbering::postNumber):
1656         * dfg/DFGPutStackSinkingPhase.cpp:
1657         * dfg/DFGSSACalculator.cpp:
1658         (JSC::DFG::SSACalculator::nonLocalReachingDef):
1659         (JSC::DFG::SSACalculator::reachingDefAtTail):
1660         * dfg/DFGSSACalculator.h:
1661         (JSC::DFG::SSACalculator::computePhis):
1662         * dfg/DFGSSAConversionPhase.cpp:
1663         (JSC::DFG::SSAConversionPhase::run):
1664         * ftl/FTLLink.cpp:
1665         (JSC::FTL::link):
1666         * ftl/FTLLowerDFGToLLVM.cpp:
1667         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1668         (JSC::FTL::DFG::LowerDFGToLLVM::safelyInvalidateAfterTermination):
1669         (JSC::FTL::DFG::LowerDFGToLLVM::isValid):
1670
1671 2015-10-31  Filip Pizlo  <fpizlo@apple.com>
1672
1673         B3::reduceStrength's DCE should be more agro and less wrong
1674         https://bugs.webkit.org/show_bug.cgi?id=150748
1675
1676         Reviewed by Geoffrey Garen.
1677
1678         First of all, our DCE had a bug where it would keep Upsilons after it deleted the Phis that
1679         they referenced. But our B3 DCE was also not aggressive enough. It would not eliminate
1680         cycles. It was also probably slower than it needed to be, since it would eliminate all
1681         never-referenced things on each fixpoint.
1682
1683         This adds a presume-everyone-is-dead-and-find-live-things style DCE. This is very natural to
1684         write, except for Upsilons. For everything but Upsilons, it's just a worklist algorithm. For
1685         Upsilons, it's a fixpoint. It works fine in the end.
1686
1687         I kept finding bugs in this algorithm when I tested it against my "Complex" test that I was
1688         writing as a compile time benchmark. So, I include that test in this change. I also include
1689         the small lowering extensions that it needed - shifting and zero extending.
1690
1691         This change also adds an LLVM version of the Complex test. Though the LLVM version feels
1692         more natural to write because LLVM has traditional Phi's rather than our quirky Phi's, in
1693         the end LLVM ends up performing very badly - 10x to 20x worse than B3. Some of that gap will
1694         close once we give B3 a register allocator, but still, that's pretty good news for our B3
1695         strategy.
1696
1697         * JavaScriptCore.xcodeproj/project.pbxproj:
1698         * assembler/MacroAssemblerX86_64.h:
1699         (JSC::MacroAssemblerX86_64::lshift64):
1700         (JSC::MacroAssemblerX86_64::rshift64):
1701         * assembler/X86Assembler.h:
1702         (JSC::X86Assembler::shlq_i8r):
1703         (JSC::X86Assembler::shlq_CLr):
1704         (JSC::X86Assembler::imull_rr):
1705         * b3/B3BasicBlock.cpp:
1706         (JSC::B3::BasicBlock::replacePredecessor):
1707         (JSC::B3::BasicBlock::dump):
1708         (JSC::B3::BasicBlock::removeNops): Deleted.
1709         * b3/B3BasicBlock.h:
1710         (JSC::B3::BasicBlock::frequency):
1711         * b3/B3Common.cpp:
1712         (JSC::B3::shouldSaveIRBeforePhase):
1713         (JSC::B3::shouldMeasurePhaseTiming):
1714         * b3/B3Common.h:
1715         (JSC::B3::isRepresentableAsImpl):
1716         * b3/B3Generate.cpp:
1717         (JSC::B3::generate):
1718         (JSC::B3::generateToAir):
1719         * b3/B3LowerToAir.cpp:
1720         (JSC::B3::Air::LowerToAir::tryAnd):
1721         (JSC::B3::Air::LowerToAir::tryShl):
1722         (JSC::B3::Air::LowerToAir::tryStoreAddLoad):
1723         (JSC::B3::Air::LowerToAir::tryTrunc):
1724         (JSC::B3::Air::LowerToAir::tryZExt32):
1725         (JSC::B3::Air::LowerToAir::tryArgumentReg):
1726         * b3/B3LoweringMatcher.patterns:
1727         * b3/B3PhaseScope.cpp:
1728         (JSC::B3::PhaseScope::PhaseScope):
1729         * b3/B3PhaseScope.h:
1730         * b3/B3ReduceStrength.cpp:
1731         * b3/B3TimingScope.cpp: Added.
1732         (JSC::B3::TimingScope::TimingScope):
1733         (JSC::B3::TimingScope::~TimingScope):
1734         * b3/B3TimingScope.h: Added.
1735         * b3/B3Validate.cpp:
1736         * b3/air/AirAllocateStack.cpp:
1737         (JSC::B3::Air::allocateStack):
1738         * b3/air/AirGenerate.cpp:
1739         (JSC::B3::Air::generate):
1740         * b3/air/AirInstInlines.h:
1741         (JSC::B3::Air::ForEach<Arg>::forEach):
1742         (JSC::B3::Air::Inst::forEach):
1743         (JSC::B3::Air::isLshift32Valid):
1744         (JSC::B3::Air::isLshift64Valid):
1745         * b3/air/AirLiveness.h:
1746         (JSC::B3::Air::Liveness::isAlive):
1747         (JSC::B3::Air::Liveness::Liveness):
1748         (JSC::B3::Air::Liveness::LocalCalc::execute):
1749         * b3/air/AirOpcode.opcodes:
1750         * b3/air/AirPhaseScope.cpp:
1751         (JSC::B3::Air::PhaseScope::PhaseScope):
1752         * b3/air/AirPhaseScope.h:
1753         * b3/testb3.cpp:
1754         (JSC::B3::testBranchEqualFoldPtr):
1755         (JSC::B3::testComplex):
1756         (JSC::B3::run):
1757         * runtime/Options.h:
1758
1759 2015-11-01  Alexey Proskuryakov  <ap@apple.com>
1760
1761         [ES6] Add support for toStringTag
1762         https://bugs.webkit.org/show_bug.cgi?id=150696
1763
1764         Re-landing, as this wasn't the culprit.
1765
1766         * runtime/ArrayIteratorPrototype.cpp:
1767         (JSC::ArrayIteratorPrototype::finishCreation):
1768         * runtime/CommonIdentifiers.h:
1769         * runtime/JSArrayBufferPrototype.cpp:
1770         (JSC::JSArrayBufferPrototype::finishCreation):
1771         (JSC::JSArrayBufferPrototype::create):
1772         * runtime/JSDataViewPrototype.cpp:
1773         (JSC::JSDataViewPrototype::create):
1774         (JSC::JSDataViewPrototype::finishCreation):
1775         (JSC::JSDataViewPrototype::createStructure):
1776         * runtime/JSDataViewPrototype.h:
1777         * runtime/JSModuleNamespaceObject.cpp:
1778         (JSC::JSModuleNamespaceObject::finishCreation):
1779         * runtime/JSONObject.cpp:
1780         (JSC::JSONObject::finishCreation):
1781         * runtime/JSPromisePrototype.cpp:
1782         (JSC::JSPromisePrototype::finishCreation):
1783         (JSC::JSPromisePrototype::getOwnPropertySlot):
1784         * runtime/JSTypedArrayViewPrototype.cpp:
1785         (JSC::typedArrayViewProtoFuncValues):
1786         (JSC::typedArrayViewProtoGetterFuncToStringTag):
1787         (JSC::JSTypedArrayViewPrototype::JSTypedArrayViewPrototype):
1788         (JSC::JSTypedArrayViewPrototype::finishCreation):
1789         * runtime/MapIteratorPrototype.cpp:
1790         (JSC::MapIteratorPrototype::finishCreation):
1791         (JSC::MapIteratorPrototypeFuncNext):
1792         * runtime/MapPrototype.cpp:
1793         (JSC::MapPrototype::finishCreation):
1794         * runtime/MathObject.cpp:
1795         (JSC::MathObject::finishCreation):
1796         * runtime/ObjectPrototype.cpp:
1797         (JSC::objectProtoFuncToString):
1798         * runtime/SetIteratorPrototype.cpp:
1799         (JSC::SetIteratorPrototype::finishCreation):
1800         (JSC::SetIteratorPrototypeFuncNext):
1801         * runtime/SetPrototype.cpp:
1802         (JSC::SetPrototype::finishCreation):
1803         * runtime/SmallStrings.cpp:
1804         (JSC::SmallStrings::SmallStrings):
1805         (JSC::SmallStrings::initializeCommonStrings):
1806         (JSC::SmallStrings::visitStrongReferences):
1807         * runtime/SmallStrings.h:
1808         (JSC::SmallStrings::typeString):
1809         (JSC::SmallStrings::objectStringStart):
1810         (JSC::SmallStrings::nullObjectString):
1811         (JSC::SmallStrings::undefinedObjectString):
1812         * runtime/StringIteratorPrototype.cpp:
1813         (JSC::StringIteratorPrototype::finishCreation):
1814         * runtime/SymbolPrototype.cpp:
1815         (JSC::SymbolPrototype::finishCreation):
1816         * runtime/WeakMapPrototype.cpp:
1817         (JSC::WeakMapPrototype::finishCreation):
1818         (JSC::getWeakMapData):
1819         * runtime/WeakSetPrototype.cpp:
1820         (JSC::WeakSetPrototype::finishCreation):
1821         (JSC::getWeakMapData):
1822         * tests/es6.yaml:
1823         * tests/modules/namespace.js:
1824         * tests/stress/symbol-tostringtag.js: Copied from Source/JavaScriptCore/tests/stress/symbol-tostringtag.js.
1825
1826 2015-11-01  Commit Queue  <commit-queue@webkit.org>
1827
1828         Unreviewed, rolling out r191815 and r191821.
1829         https://bugs.webkit.org/show_bug.cgi?id=150781
1830
1831         Seems to have broken JSC API tests on some platforms
1832         (Requested by ap on #webkit).
1833
1834         Reverted changesets:
1835
1836         "[ES6] Add support for toStringTag"
1837         https://bugs.webkit.org/show_bug.cgi?id=150696
1838         http://trac.webkit.org/changeset/191815
1839
1840         "Unreviewed, forgot to mark tests as passing for new feature."
1841         http://trac.webkit.org/changeset/191821
1842
1843 2015-11-01  Commit Queue  <commit-queue@webkit.org>
1844
1845         Unreviewed, rolling out r191858.
1846         https://bugs.webkit.org/show_bug.cgi?id=150780
1847
1848         Broke the build (Requested by ap on #webkit).
1849
1850         Reverted changeset:
1851
1852         "Rename op_put_getter_setter to op_put_getter_setter_by_id"
1853         https://bugs.webkit.org/show_bug.cgi?id=150773
1854         http://trac.webkit.org/changeset/191858
1855
1856 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
1857
1858         Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150777.
1859
1860         * b3/B3LowerToAir.cpp:
1861         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRoot):
1862
1863 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
1864
1865         Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150775.
1866
1867         * b3/B3LowerToAir.cpp:
1868         (JSC::B3::Air::LowerToAir::tryTrunc):
1869
1870 2015-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1871
1872         Rename op_put_getter_setter to op_put_getter_setter_by_id
1873         https://bugs.webkit.org/show_bug.cgi?id=150773
1874
1875         Reviewed by Mark Lam.
1876
1877         Renaming op_put_getter_setter to op_put_getter_setter_by_id makes this op name consistent with
1878         the other ops' names like op_put_getter_by_id etc.
1879
1880         * bytecode/BytecodeList.json:
1881         * bytecode/BytecodeUseDef.h:
1882         (JSC::computeUsesForBytecodeOffset):
1883         (JSC::computeDefsForBytecodeOffset):
1884         * bytecode/CodeBlock.cpp:
1885         (JSC::CodeBlock::dumpBytecode):
1886         * bytecompiler/BytecodeGenerator.cpp:
1887         (JSC::BytecodeGenerator::emitPutGetterSetter):
1888         * dfg/DFGByteCodeParser.cpp:
1889         (JSC::DFG::ByteCodeParser::parseBlock):
1890         * dfg/DFGCapabilities.cpp:
1891         (JSC::DFG::capabilityLevel):
1892         * jit/JIT.cpp:
1893         (JSC::JIT::privateCompileMainPass):
1894         * jit/JIT.h:
1895         * jit/JITPropertyAccess.cpp:
1896         (JSC::JIT::emit_op_put_getter_setter_by_id):
1897         (JSC::JIT::emit_op_put_getter_setter): Deleted.
1898         * jit/JITPropertyAccess32_64.cpp:
1899         (JSC::JIT::emit_op_put_getter_setter_by_id):
1900         (JSC::JIT::emit_op_put_getter_setter): Deleted.
1901         * llint/LLIntSlowPaths.cpp:
1902         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1903         * llint/LLIntSlowPaths.h:
1904         * llint/LowLevelInterpreter.asm:
1905
1906 2015-10-31  Andreas Kling  <akling@apple.com>
1907
1908         Add a debug overlay with information about web process resource usage.
1909         <https://webkit.org/b/150599>
1910
1911         Reviewed by Darin Adler.
1912
1913         Have Heap track the exact number of bytes allocated in CopiedBlock, MarkedBlock and
1914         WeakBlock objects, keeping them in a single location that can be sampled by the
1915         resource usage overlay thread.
1916
1917         The bulk of these changes is threading a Heap& through from sites where blocks are
1918         allocated or freed.
1919
1920         * heap/CopiedBlock.cpp:
1921         (JSC::CopiedBlock::createNoZeroFill):
1922         (JSC::CopiedBlock::destroy):
1923         (JSC::CopiedBlock::create):
1924         * heap/CopiedBlock.h:
1925         * heap/CopiedSpace.cpp:
1926         (JSC::CopiedSpace::~CopiedSpace):
1927         (JSC::CopiedSpace::tryAllocateOversize):
1928         (JSC::CopiedSpace::tryReallocateOversize):
1929         * heap/CopiedSpaceInlines.h:
1930         (JSC::CopiedSpace::recycleEvacuatedBlock):
1931         (JSC::CopiedSpace::recycleBorrowedBlock):
1932         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
1933         (JSC::CopiedSpace::allocateBlock):
1934         (JSC::CopiedSpace::startedCopying):
1935         * heap/Heap.cpp:
1936         (JSC::Heap::~Heap):
1937         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock):
1938         * heap/Heap.h:
1939         (JSC::Heap::blockBytesAllocated):
1940         * heap/HeapInlines.h:
1941         (JSC::Heap::didAllocateBlock):
1942         (JSC::Heap::didFreeBlock):
1943         * heap/MarkedAllocator.cpp:
1944         (JSC::MarkedAllocator::allocateBlock):
1945         * heap/MarkedBlock.cpp:
1946         (JSC::MarkedBlock::create):
1947         (JSC::MarkedBlock::destroy):
1948         * heap/MarkedBlock.h:
1949         * heap/MarkedSpace.cpp:
1950         (JSC::MarkedSpace::freeBlock):
1951         * heap/WeakBlock.cpp:
1952         (JSC::WeakBlock::create):
1953         (JSC::WeakBlock::destroy):
1954         * heap/WeakBlock.h:
1955         * heap/WeakSet.cpp:
1956         (JSC::WeakSet::~WeakSet):
1957         (JSC::WeakSet::addAllocator):
1958         (JSC::WeakSet::removeAllocator):
1959
1960 2015-10-30  Filip Pizlo  <fpizlo@apple.com>
1961
1962         Air should eliminate dead code
1963         https://bugs.webkit.org/show_bug.cgi?id=150746
1964
1965         Reviewed by Geoffrey Garen.
1966
1967         This adds a very simple dead code elimination to Air. It simply looks at whether a Tmp or
1968         StackSlot has ever been used by a live instruction. An instruction is live if it has non-arg
1969         effects (branching, returning, calling, etc) or if it stores to a live Arg. An Arg is live if
1970         it references a live Tmp or StackSlot, or if it is neither a Tmp nor a StackSlot. The phase
1971         runs these rules to fixpoint, and then removes the dead instructions.
1972
1973         This also changes the AirOpcodes parser to handle multiple attributes per opcode, so that we
1974         could conceivably say things like "FooBar /branch /effects". It also adds the /effects
1975         attribute, which we currently use for Breakpoint and nothing else. C calls, patchpoints, and
1976         checks are all Specials, and the Special base class by default always claims that the
1977         instruction has effects. In the future, we could have B3 use a Patch in Air to implement
1978         exotic math constructs; then the Special associated with that thing would claim that there
1979         are no effects.
1980
1981         * JavaScriptCore.xcodeproj/project.pbxproj:
1982         * b3/air/AirBasicBlock.h:
1983         (JSC::B3::Air::BasicBlock::begin):
1984         (JSC::B3::Air::BasicBlock::end):
1985         (JSC::B3::Air::BasicBlock::at):
1986         (JSC::B3::Air::BasicBlock::last):
1987         (JSC::B3::Air::BasicBlock::resize):
1988         (JSC::B3::Air::BasicBlock::appendInst):
1989         * b3/air/AirEliminateDeadCode.cpp: Added.
1990         (JSC::B3::Air::eliminateDeadCode):
1991         * b3/air/AirEliminateDeadCode.h: Added.
1992         * b3/air/AirGenerate.cpp:
1993         (JSC::B3::Air::generate):
1994         * b3/air/AirInst.h:
1995         * b3/air/AirOpcode.opcodes:
1996         * b3/air/AirSpecial.cpp:
1997         (JSC::B3::Air::Special::name):
1998         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
1999         (JSC::B3::Air::Special::dump):
2000         * b3/air/AirSpecial.h:
2001         * b3/air/opcode_generator.rb:
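
The liveness rules stated in the "Air should eliminate dead code" entry above, as an added example that is not WebKit's AirEliminateDeadCode.cpp. `Arg`, `Inst`, `Kind`, `Role` and the sample program are simplified, constructed stand-ins, and treating the base Tmp of an address Arg as always read is an assumption of this model.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Simplified stand-ins for Air's Arg and Inst (hypothetical, not WebKit's classes).
enum class Kind { Tmp, StackSlot, Addr, Imm };
enum class Role { Use, Def };

struct Arg {
    Kind kind;
    int id;    // Tmp index, StackSlot index, base Tmp of an Addr, or immediate value
    Role role;
};

struct Inst {
    std::string opcode;
    std::vector<Arg> args;
    bool hasEffects; // branching, returning, calling, ...
};

struct Liveness {
    std::set<int> tmps;
    std::set<int> slots;
};

// An Arg is live if it references a live Tmp or StackSlot, or if it is neither.
static bool isLiveArg(const Arg& arg, const Liveness& live)
{
    switch (arg.kind) {
    case Kind::Tmp: return live.tmps.count(arg.id) > 0;
    case Kind::StackSlot: return live.slots.count(arg.id) > 0;
    default: return true; // e.g. a store through an address
    }
}

// An instruction is live if it has non-arg effects or stores to a live Arg.
static bool isLiveInst(const Inst& inst, const Liveness& live)
{
    if (inst.hasEffects)
        return true;
    for (const Arg& arg : inst.args) {
        if (arg.role == Role::Def && isLiveArg(arg, live))
            return true;
    }
    return false;
}

// Records everything a live instruction reads; returns true if a set grew.
static bool markUses(const Inst& inst, Liveness& live)
{
    bool changed = false;
    for (const Arg& arg : inst.args) {
        if (arg.kind == Kind::Addr)
            changed |= live.tmps.insert(arg.id).second; // base is read even when storing
        else if (arg.role == Role::Use && arg.kind == Kind::Tmp)
            changed |= live.tmps.insert(arg.id).second;
        else if (arg.role == Role::Use && arg.kind == Kind::StackSlot)
            changed |= live.slots.insert(arg.id).second;
    }
    return changed;
}

// Starts with nothing live, runs the rules to fixpoint, returns surviving indices.
std::vector<std::size_t> liveIndices(const std::vector<Inst>& code)
{
    Liveness live;
    for (bool changed = true; changed;) {
        changed = false;
        for (const Inst& inst : code) {
            if (isLiveInst(inst, live))
                changed |= markUses(inst, live);
        }
    }
    std::vector<std::size_t> kept;
    for (std::size_t i = 0; i < code.size(); ++i) {
        if (isLiveInst(code[i], live))
            kept.push_back(i);
    }
    return kept;
}

// Constructed sample: 2 and 3 form a dead chain, 4 is a dead self-cycle.
std::vector<Inst> sampleProgram()
{
    return {
        { "Move",  { { Kind::Imm, 1, Role::Use }, { Kind::Tmp, 0, Role::Def } }, false },
        { "Add32", { { Kind::Tmp, 0, Role::Use }, { Kind::Tmp, 1, Role::Def } }, false },
        { "Move",  { { Kind::Imm, 7, Role::Use }, { Kind::Tmp, 2, Role::Def } }, false },
        { "Add32", { { Kind::Tmp, 2, Role::Use }, { Kind::Tmp, 3, Role::Def } }, false },
        { "Add32", { { Kind::Tmp, 4, Role::Use }, { Kind::Tmp, 4, Role::Def } }, false },
        { "Move",  { { Kind::Tmp, 1, Role::Use }, { Kind::StackSlot, 0, Role::Def } }, false },
        { "Move",  { { Kind::StackSlot, 0, Role::Use }, { Kind::Tmp, 5, Role::Def } }, false },
        { "Move",  { { Kind::Imm, 4096, Role::Use }, { Kind::Tmp, 6, Role::Def } }, false },
        { "Move",  { { Kind::Tmp, 5, Role::Use }, { Kind::Addr, 6, Role::Def } }, false },
        { "Ret",   {}, true },
    };
}

int main()
{
    std::vector<Inst> code = sampleProgram();
    for (std::size_t i : liveIndices(code))
        std::printf("kept %zu: %s\n", i, code[i].opcode.c_str());
    return 0;
}
```

Because the instructions are visited in program order while liveness flows from the store back to its inputs, the sample needs several passes to converge. The self-referencing `Add32` on Tmp 4 is removed because nothing live ever reads it.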
2002
2003 2015-10-31  Filip Pizlo  <fpizlo@apple.com>
2004
2005         Air needs a late register liveness phase that calls Special::reportUsedRegisters()
2006         https://bugs.webkit.org/show_bug.cgi?id=150511
2007
2008         Reviewed by Saam Barati.
2009
2010         This change adds such a phase. In the process of writing it, I was reminded about the
2011         glaring efficiency bugs in Air::Liveness and so I filed a bug and added FIXMEs.
2012
2013         * JavaScriptCore.xcodeproj/project.pbxproj:
2014         * b3/air/AirAllocateStack.cpp:
2015         (JSC::B3::Air::allocateStack):
2016         * b3/air/AirGenerate.cpp:
2017         (JSC::B3::Air::generate):
2018         * b3/air/AirReportUsedRegisters.cpp: Added.
2019         (JSC::B3::Air::reportUsedRegisters):
2020         * b3/air/AirReportUsedRegisters.h: Added.
2021
2022 2015-10-31  Brian Burg  <bburg@apple.com>
2023
2024         Builtins generator should put WebCore-only wrappers in the per-builtin header
2025         https://bugs.webkit.org/show_bug.cgi?id=150539
2026
2027         Reviewed by Youenn Fablet.
2028
2029         If generating for WebCore, put the XXXWrapper and related boilerplate
2030         in the per-builtin header instead of making a separate XXXWrapper.h.
2031
2032         Rebaseline the tests.
2033
2034         * CMakeLists.txt:
2035         * DerivedSources.make:
2036         * Scripts/builtins/builtins.py:
2037         * Scripts/builtins/builtins_generate_separate_header.py:
2038         (BuiltinsSeparateHeaderGenerator.generate_output):
2039         (generate_header_includes):
2040         * Scripts/builtins/builtins_generate_separate_wrapper.py: Deleted.
2041         * Scripts/builtins/builtins_templates.py: Be consistent with variables.
2042         * Scripts/generate-js-builtins.py:
2043         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2044         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2045         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2046         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2047
2048 2015-10-31  Saam barati  <sbarati@apple.com>
2049
2050         JSC should have a forceGCSlowPaths option
2051         https://bugs.webkit.org/show_bug.cgi?id=150744
2052
2053         Reviewed by Filip Pizlo.
2054
2055         This patch implements the forceGCSlowPaths option.
2056         It defaults to false, but when it is set to true,
2057         the JITs will always allocate objects along the slow
2058         path. This will be helpful for writing a certain class
2059         of tests. This may also come in handy for debugging
2060         later.
2061
2062         This patch also adds the "forceGCSlowPaths" function
2063         in jsc.cpp which sets the option to true. If you
2064         use this function in a jsc stress test, it's best
2065         to call it as the first thing in the program before
2066         we JIT anything.
2067
2068         * dfg/DFGSpeculativeJIT.h:
2069         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2070         * ftl/FTLLowerDFGToLLVM.cpp:
2071         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2072         * jit/JITInlines.h:
2073         (JSC::JIT::emitAllocateJSObject):
2074         * jsc.cpp:
2075         (GlobalObject::finishCreation):
2076         (functionEdenGC):
2077         (functionForceGCSlowPaths):
2078         (functionHeapSize):
2079         * runtime/Options.h:
2080
2081 2015-10-30  Joseph Pecoraro  <pecoraro@apple.com>
2082
2083         Web Inspector: Test Debugger.scriptParsed events received after opening inspector frontend
2084         https://bugs.webkit.org/show_bug.cgi?id=150753
2085
2086         Reviewed by Timothy Hatcher.
2087
2088         * parser/Parser.h:
2089         (JSC::Parser<LexerType>::parse):
2090         Only set the directives on the SourceProvider if we were parsing the
2091         entire file (Program or Module), not if we are in function parsing mode.
2092         This was inadvertently clearing the directives stored on the
2093         SourceProvider when the function parse didn't see directives and reset
2094         the values on the source provider.
2095
2096 2015-10-30  Benjamin Poulain  <bpoulain@apple.com>
2097
2098         [JSC] Add lowering for B3's Sub operation with integers
2099         https://bugs.webkit.org/show_bug.cgi?id=150749
2100
2101         Reviewed by Filip Pizlo.
2102
2103         * b3/B3LowerToAir.cpp:
2104         (JSC::B3::Air::LowerToAir::trySub):
2105         (JSC::B3::Air::LowerToAir::tryStoreSubLoad):
2106         * b3/B3LoweringMatcher.patterns:
2107         Identical to Add but obviously NotCommutative.
2108
2109         * b3/B3ReduceStrength.cpp:
2110         Turn Add/Sub with zero into an identity. I only added for
2111         Add since Sub with a constant is always turned into an Add.
2112
2113         Also switched the Sub optimizations to put the strongest first.
2114
2115         * b3/air/AirOpcode.opcodes:
2116         * b3/testb3.cpp:
2117         (JSC::B3::testAddArgImm):
2118         (JSC::B3::testAddImmArg):
2119         (JSC::B3::testSubArgs):
2120         (JSC::B3::testSubArgImm):
2121         (JSC::B3::testSubImmArg):
2122         (JSC::B3::testSubArgs32):
2123         (JSC::B3::testSubArgImm32):
2124         (JSC::B3::testSubImmArg32):
2125         (JSC::B3::testStoreSubLoad):
2126         (JSC::B3::run):
2127
2128 2015-10-30  Benjamin Poulain  <bpoulain@apple.com>
2129
2130         [JSC] Add the Air Opcode definitions to the Xcode project file
2131         https://bugs.webkit.org/show_bug.cgi?id=150701
2132
2133         Reviewed by Geoffrey Garen.
2134
2135         * JavaScriptCore.xcodeproj/project.pbxproj:
2136         Easier for those who use Xcode :)
2137
2138 2015-10-30  Filip Pizlo  <fpizlo@apple.com>
2139
2140         Unreviewed, removing FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150540.
2141
2142         * b3/B3ValueRep.h:
2143
2144 2015-10-30  Michael Saboff  <msaboff@apple.com>
2145
2146         Windows X86-64 change for Crash making a tail call from a getter to a host function
2147         https://bugs.webkit.org/show_bug.cgi?id=150737
2148
2149         Reviewed by Geoffrey Garen.
2150
2151         Need to make the same change for Windows X86-64 as was made in change set
2152         http://trac.webkit.org/changeset/191765.
2153
2154         * jit/JITStubsMSVC64.asm:
2155
2156 2015-10-30  Keith Miller  <keith_miller@apple.com>
2157
2158         Unreviewed, forgot to mark tests as passing for new feature.
2159
2160         * tests/es6.yaml:
2161
2162 2015-10-30  Filip Pizlo  <fpizlo@apple.com>
2163
2164         B3 should be able to compile a control flow diamond
2165         https://bugs.webkit.org/show_bug.cgi?id=150720
2166
2167         Reviewed by Benjamin Poulain.
2168
2169         Adds support for Branch, Jump, Upsilon, and Phi. Adds some basic strength reduction for
2170         comparisons and boolean-like operations.
2171
2172         * assembler/MacroAssembler.cpp:
2173         (WTF::printInternal):
2174         * assembler/MacroAssembler.h:
2175         * b3/B3BasicBlockUtils.h:
2176         (JSC::B3::replacePredecessor):
2177         (JSC::B3::resetReachability):
2178         * b3/B3CheckValue.h:
2179         * b3/B3Common.h:
2180         (JSC::B3::isRepresentableAsImpl):
2181         (JSC::B3::isRepresentableAs):
2182         * b3/B3Const32Value.cpp:
2183         (JSC::B3::Const32Value::subConstant):
2184         (JSC::B3::Const32Value::equalConstant):
2185         (JSC::B3::Const32Value::notEqualConstant):
2186         (JSC::B3::Const32Value::dumpMeta):
2187         * b3/B3Const32Value.h:
2188         * b3/B3Const64Value.cpp:
2189         (JSC::B3::Const64Value::subConstant):
2190         (JSC::B3::Const64Value::equalConstant):
2191         (JSC::B3::Const64Value::notEqualConstant):
2192         (JSC::B3::Const64Value::dumpMeta):
2193         * b3/B3Const64Value.h:
2194         * b3/B3ConstDoubleValue.cpp:
2195         (JSC::B3::ConstDoubleValue::subConstant):
2196         (JSC::B3::ConstDoubleValue::equalConstant):
2197         (JSC::B3::ConstDoubleValue::notEqualConstant):
2198         (JSC::B3::ConstDoubleValue::dumpMeta):
2199         * b3/B3ConstDoubleValue.h:
2200         * b3/B3ControlValue.cpp:
2201         (JSC::B3::ControlValue::~ControlValue):
2202         (JSC::B3::ControlValue::convertToJump):
2203         (JSC::B3::ControlValue::dumpMeta):
2204         * b3/B3ControlValue.h:
2205         * b3/B3LowerToAir.cpp:
2206         (JSC::B3::Air::LowerToAir::imm):
2207         (JSC::B3::Air::LowerToAir::tryStackSlot):
2208         (JSC::B3::Air::LowerToAir::tryUpsilon):
2209         (JSC::B3::Air::LowerToAir::tryPhi):
2210         (JSC::B3::Air::LowerToAir::tryBranch):
2211         (JSC::B3::Air::LowerToAir::tryJump):
2212         (JSC::B3::Air::LowerToAir::tryIdentity):
2213         * b3/B3LoweringMatcher.patterns:
2214         * b3/B3Opcode.h:
2215         * b3/B3Procedure.cpp:
2216         (JSC::B3::Procedure::resetReachability):
2217         (JSC::B3::Procedure::dump):
2218         * b3/B3ReduceStrength.cpp:
2219         * b3/B3UpsilonValue.cpp:
2220         (JSC::B3::UpsilonValue::dumpMeta):
2221         * b3/B3UpsilonValue.h:
2222         (JSC::B3::UpsilonValue::accepts): Deleted.
2223         (JSC::B3::UpsilonValue::phi): Deleted.
2224         (JSC::B3::UpsilonValue::UpsilonValue): Deleted.
2225         * b3/B3Validate.cpp:
2226         * b3/B3Value.cpp:
2227         (JSC::B3::Value::subConstant):
2228         (JSC::B3::Value::equalConstant):
2229         (JSC::B3::Value::notEqualConstant):
2230         (JSC::B3::Value::returnsBool):
2231         (JSC::B3::Value::asTriState):
2232         (JSC::B3::Value::effects):
2233         * b3/B3Value.h:
2234         * b3/B3ValueInlines.h:
2235         (JSC::B3::Value::asInt32):
2236         (JSC::B3::Value::isInt32):
2237         (JSC::B3::Value::hasInt64):
2238         (JSC::B3::Value::asInt64):
2239         (JSC::B3::Value::isInt64):
2240         (JSC::B3::Value::hasInt):
2241         (JSC::B3::Value::asIntPtr):
2242         (JSC::B3::Value::isIntPtr):
2243         (JSC::B3::Value::hasDouble):
2244         (JSC::B3::Value::asDouble):
2245         (JSC::B3::Value::isEqualToDouble):
2246         (JSC::B3::Value::hasNumber):
2247         (JSC::B3::Value::representableAs):
2248         (JSC::B3::Value::asNumber):
2249         (JSC::B3::Value::stackmap):
2250         * b3/air/AirArg.cpp:
2251         (JSC::B3::Air::Arg::dump):
2252         * b3/air/AirArg.h:
2253         (JSC::B3::Air::Arg::resCond):
2254         (JSC::B3::Air::Arg::doubleCond):
2255         (JSC::B3::Air::Arg::special):
2256         (JSC::B3::Air::Arg::isResCond):
2257         (JSC::B3::Air::Arg::isDoubleCond):
2258         (JSC::B3::Air::Arg::isSpecial):
2259         (JSC::B3::Air::Arg::isGP):
2260         (JSC::B3::Air::Arg::isFP):
2261         (JSC::B3::Air::Arg::asResultCondition):
2262         (JSC::B3::Air::Arg::asDoubleCondition):
2263         (JSC::B3::Air::Arg::Arg):
2264         * b3/air/AirCode.cpp:
2265         (JSC::B3::Air::Code::resetReachability):
2266         (JSC::B3::Air::Code::dump):
2267         * b3/air/AirOpcode.opcodes:
2268         * b3/air/opcode_generator.rb:
2269         * b3/testb3.cpp:
2270         (hiddenTruthBecauseNoReturnIsStupid):
2271         (usage):
2272         (JSC::B3::compile):
2273         (JSC::B3::invoke):
2274         (JSC::B3::compileAndRun):
2275         (JSC::B3::test42):
2276         (JSC::B3::testStoreLoadStackSlot):
2277         (JSC::B3::testBranch):
2278         (JSC::B3::testDiamond):
2279         (JSC::B3::testBranchNotEqual):
2280         (JSC::B3::testBranchFold):
2281         (JSC::B3::testDiamondFold):
2282         (JSC::B3::run):
2283         (run):
2284         (main):
2285
2286 2015-10-30  Keith Miller  <keith_miller@apple.com>
2287
2288         [ES6] Add support for toStringTag
2289         https://bugs.webkit.org/show_bug.cgi?id=150696
2290
2291         Reviewed by Geoffrey Garen.
2292
2293         This patch adds support for Symbol.toStringTag. This is a simple
2294         feature: if an object passed to Object.prototype.toString() has a
2295         toStringTag, we use the tag in the string rather than the class info.
2296         Added a test that checks this works for all the default supported classes
2297         along with the corresponding prototype and custom cases.
2298
2299         * runtime/ArrayIteratorPrototype.cpp:
2300         (JSC::ArrayIteratorPrototype::finishCreation):
2301         * runtime/CommonIdentifiers.h:
2302         * runtime/JSArrayBufferPrototype.cpp:
2303         (JSC::JSArrayBufferPrototype::finishCreation):
2304         * runtime/JSDataViewPrototype.cpp:
2305         (JSC::JSDataViewPrototype::finishCreation):
2306         * runtime/JSDataViewPrototype.h:
2307         * runtime/JSModuleNamespaceObject.cpp:
2308         (JSC::JSModuleNamespaceObject::finishCreation):
2309         * runtime/JSONObject.cpp:
2310         (JSC::JSONObject::finishCreation):
2311         * runtime/JSPromisePrototype.cpp:
2312         (JSC::JSPromisePrototype::finishCreation):
2313         * runtime/JSTypedArrayViewPrototype.cpp:
2314         (JSC::typedArrayViewProtoGetterFuncToStringTag):
2315         (JSC::JSTypedArrayViewPrototype::finishCreation):
2316         * runtime/MapIteratorPrototype.cpp:
2317         (JSC::MapIteratorPrototype::finishCreation):
2318         * runtime/MapPrototype.cpp:
2319         (JSC::MapPrototype::finishCreation):
2320         * runtime/MathObject.cpp:
2321         (JSC::MathObject::finishCreation):
2322         * runtime/ObjectPrototype.cpp:
2323         (JSC::objectProtoFuncToString):
2324         * runtime/SetIteratorPrototype.cpp:
2325         (JSC::SetIteratorPrototype::finishCreation):
2326         * runtime/SetPrototype.cpp:
2327         (JSC::SetPrototype::finishCreation):
2328         * runtime/SmallStrings.cpp:
2329         (JSC::SmallStrings::SmallStrings):
2330         (JSC::SmallStrings::initializeCommonStrings):
2331         (JSC::SmallStrings::visitStrongReferences):
2332         * runtime/SmallStrings.h:
2333         (JSC::SmallStrings::objectStringStart):
2334         * runtime/StringIteratorPrototype.cpp:
2335         (JSC::StringIteratorPrototype::finishCreation):
2336         * runtime/SymbolPrototype.cpp:
2337         (JSC::SymbolPrototype::finishCreation):
2338         * runtime/WeakMapPrototype.cpp:
2339         (JSC::WeakMapPrototype::finishCreation):
2340         * runtime/WeakSetPrototype.cpp:
2341         (JSC::WeakSetPrototype::finishCreation):
2342         * tests/modules/namespace.js:
2343         * tests/stress/symbol-tostringtag.js: Added.
2344         (toStr):
2345         (strName):
2346         (classes.string_appeared_here):
2347
2348 2015-10-29  Joseph Pecoraro  <pecoraro@apple.com>
2349
2350         Web Inspector: Do not show JavaScriptCore builtins in inspector
2351         https://bugs.webkit.org/show_bug.cgi?id=146049
2352
2353         Reviewed by Geoffrey Garen.
2354
2355         * debugger/Debugger.cpp:
2356         When gathering scripts to notify the inspector / debuggers about,
2357         skip over sources containing host / built-in functions, as those
2358         won't contain source code developers expect to see.
2359
2360 2015-10-29  Joseph Pecoraro  <pecoraro@apple.com>
2361
2362         Fix typo in "use strict" in TypedArray builtins
2363         https://bugs.webkit.org/show_bug.cgi?id=150709
2364
2365         Reviewed by Geoffrey Garen.
2366
2367         * builtins/TypedArray.prototype.js:
2368         (toLocaleString):
2369
2370 2015-10-29  Philippe Normand  <pnormand@igalia.com>
2371
2372         [GTK][Mac] disable OBJC JSC API
2373         https://bugs.webkit.org/show_bug.cgi?id=150500
2374
2375         Reviewed by Alex Christensen.
2376
2377         * API/JSBase.h: Disable the Objective-C API on Mac for the GTK port.
2378
2379 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2380
2381         Air::handleCalleeSaves shouldn't save/restore the frame pointer
2382         https://bugs.webkit.org/show_bug.cgi?id=150688
2383
2384         Reviewed by Michael Saboff.
2385
2386         We save/restore the FP inside Air::generate().
2387
2388         * b3/air/AirHandleCalleeSaves.cpp:
2389         (JSC::B3::Air::handleCalleeSaves):
2390
2391 2015-10-29  Michael Saboff  <msaboff@apple.com>
2392
2393         Crash making a tail call from a getter to a host function
2394         https://bugs.webkit.org/show_bug.cgi?id=150663
2395
2396         Reviewed by Geoffrey Garen.
2397
2398         Change the inline assembly versions of getHostCallReturnValue() to pass the location of the callee
2399         call frame to getHostCallReturnValueWithExecState().  We were passing the caller's frame address.
2400
2401         * jit/JITOperations.cpp:
2402
2403 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2404
2405         B3::LowerToAir::imm() should work for both 32-bit and 64-bit immediates
2406         https://bugs.webkit.org/show_bug.cgi?id=150685
2407
2408         Reviewed by Geoffrey Garen.
2409
2410         In B3, a constant must match the type of its use. In Air, immediates don't have type, they
2411         only have representation. A 32-bit immediate (i.e. Arg::imm) can be used either for 32-bit
2412         operations or for 64-bit operations. The only difference from an Arg::imm64 is that it
2413         requires fewer bits.
2414
2415         In the B3->Air lowering, we have a lot of code that is effectively polymorphic over integer
2416         type. That code should still be able to use Arg::imm, and it should work even for 64-bit
2417         immediates - so long as they are representable as 32-bit immediates. Therefore, the imm()
2418         helper should happily accept either Const32Value or Const64Value.
2419
2420         We already sort of had this with immAnyType(), but it just turns out that anyone using
2421         immAnyType() should really be using imm().
2422
2423         * b3/B3LowerToAir.cpp:
2424         (JSC::B3::Air::LowerToAir::imm):
2425         (JSC::B3::Air::LowerToAir::tryStore):
2426         (JSC::B3::Air::LowerToAir::tryConst64):
2427         (JSC::B3::Air::LowerToAir::immAnyInt): Deleted.
2428         * b3/testb3.cpp:
2429         (JSC::B3::testAdd1):
2430         (JSC::B3::testAdd1Ptr):
2431         (JSC::B3::testStoreAddLoad):
2432         (JSC::B3::run):
2433
2434 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2435
2436         StoreOpLoad pattern matching should check effects between the Store and Load
2437         https://bugs.webkit.org/show_bug.cgi?id=150534
2438
2439         Reviewed by Geoffrey Garen.
2440
2441         If we turn:
2442
2443             a = Load(addr)
2444             b = Add(a, 42)
2445             Store(b, addr)
2446
2447         Into:
2448
2449             Add $42, (addr)
2450
2451         Then we must make sure that we didn't really have this to begin with:
2452
2453             a = Load(addr)
2454             Store(666, addr)
2455             b = Add(a, 42)
2456             Store(b, addr)
2457
2458         That's because pattern matching doesn't care about control flow, and it finds the Load
2459         just using data flow. This patch fleshes out B3's aliasing analysis, and makes it powerful
2460         enough to broadly ask questions about whether such a code motion of the Load is legal.
2461
2462         * b3/B3Effects.cpp:
2463         (JSC::B3::Effects::interferes):
2464         (JSC::B3::Effects::dump):
2465         * b3/B3Effects.h:
2466         (JSC::B3::Effects::mustExecute):
2467         * b3/B3LowerToAir.cpp:
2468         (JSC::B3::Air::LowerToAir::run):
2469         (JSC::B3::Air::LowerToAir::commitInternal):
2470         (JSC::B3::Air::LowerToAir::crossesInterference):
2471         (JSC::B3::Air::LowerToAir::effectiveAddr):
2472         (JSC::B3::Air::LowerToAir::loadAddr):
2473         * b3/B3Procedure.cpp:
2474         (JSC::B3::Procedure::addBlock):
2475         (JSC::B3::Procedure::resetValueOwners):
2476         (JSC::B3::Procedure::resetReachability):
2477         * b3/B3Procedure.h:
2478         * b3/B3Value.cpp:
2479         (JSC::B3::Value::effects):
2480         * b3/B3Value.h:
2481         * b3/testb3.cpp:
2482         (JSC::B3::testStoreAddLoad):
2483         (JSC::B3::testStoreAddLoadInterference):
2484         (JSC::B3::testStoreAddAndLoad):
2485         (JSC::B3::testLoadOffsetUsingAdd):
2486         (JSC::B3::testLoadOffsetUsingAddInterference):
2487         (JSC::B3::testLoadOffsetUsingAddNotConstant):
2488         (JSC::B3::run):
2489
2490 2015-10-29  Brady Eidson  <beidson@apple.com>
2491
2492         Modern IDB: deleteObjectStore support.
2493         https://bugs.webkit.org/show_bug.cgi?id=150673
2494
2495         Reviewed by Alex Christensen.
2496
2497         * runtime/VM.h:
2498
2499 2015-10-29  Mark Lam  <mark.lam@apple.com>
2500
2501         cdjs-tests.yaml/main.js.ftl fails due to FTL ArithSub code for supporting UntypedUse operands.
2502         https://bugs.webkit.org/show_bug.cgi?id=150687
2503
2504         Unreviewed.
2505
2506         Disabling the feature while it is being debugged.  I'm doing this by effectively
2507         rolling out only the changes in FTLCapabilities.cpp.
2508
2509         * ftl/FTLCapabilities.cpp:
2510         (JSC::FTL::canCompile):
2511
2512 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2513
2514         Unreviewed, fix iOS build.
2515
2516         * assembler/MacroAssemblerARM64.h:
2517         (JSC::MacroAssemblerARM64::store64):
2518
2519 2015-10-29  Alex Christensen  <achristensen@webkit.org>
2520
2521         Fix Mac CMake build
2522         https://bugs.webkit.org/show_bug.cgi?id=150686
2523
2524         Reviewed by Filip Pizlo.
2525
2526         * API/ObjCCallbackFunction.mm:
2527         * CMakeLists.txt:
2528         * PlatformMac.cmake:
2529
2530 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2531
2532         Air needs syntax for escaping StackSlots
2533         https://bugs.webkit.org/show_bug.cgi?id=150430
2534
2535         Reviewed by Geoffrey Garen.
2536
2537         This adds lowering for FramePointer and StackSlot, and to enable this, it adds the Lea
2538         instruction for getting the value of an address. This is necessary to support arbitrary
2539         lowerings of StackSlot, since the only way to get the "value" of a StackSlot in Air is with
2540         this new instruction.
2541
2542         Lea uses a new Role, called UseAddr. This describes exactly what the Intel-style LEA opcode
2543         would do: it evaluates an address, but does not load from it or store to it.
2544
2545         Lea is also the only way to escape a StackSlot. Well, more accurately, UseAddr is the only
2546         way to escape and UseAddr is only used by Lea. The stack allocation phase now understands
2547         that StackSlots may escape, and factors this into its analysis.
2548
2549         * assembler/MacroAssembler.h:
2550         (JSC::MacroAssembler::lea):
2551         * b3/B3AddressMatcher.patterns:
2552         * b3/B3LowerToAir.cpp:
2553         (JSC::B3::Air::LowerToAir::run):
2554         (JSC::B3::Air::LowerToAir::addr):
2555         (JSC::B3::Air::LowerToAir::loadAddr):
2556         (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd):
2557         (JSC::B3::Air::LowerToAir::AddressSelector::tryFramePointer):
2558         (JSC::B3::Air::LowerToAir::AddressSelector::tryStackSlot):
2559         (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect):
2560         (JSC::B3::Air::LowerToAir::tryConst64):
2561         (JSC::B3::Air::LowerToAir::tryFramePointer):
2562         (JSC::B3::Air::LowerToAir::tryStackSlot):
2563         (JSC::B3::Air::LowerToAir::tryIdentity):
2564         * b3/B3LoweringMatcher.patterns:
2565         * b3/B3MemoryValue.cpp:
2566         (JSC::B3::MemoryValue::~MemoryValue):
2567         (JSC::B3::MemoryValue::accessByteSize):
2568         (JSC::B3::MemoryValue::dumpMeta):
2569         * b3/B3MemoryValue.h:
2570         * b3/B3ReduceStrength.cpp:
2571         * b3/B3StackSlotValue.h:
2572         (JSC::B3::StackSlotValue::accepts): Deleted.
2573         * b3/B3Type.h:
2574         (JSC::B3::pointerType):
2575         (JSC::B3::sizeofType):
2576         * b3/B3Validate.cpp:
2577         * b3/B3Value.h:
2578         * b3/air/AirAllocateStack.cpp:
2579         (JSC::B3::Air::allocateStack):
2580         * b3/air/AirArg.h:
2581         (JSC::B3::Air::Arg::isUse):
2582         (JSC::B3::Air::Arg::isDef):
2583         (JSC::B3::Air::Arg::forEachTmp):
2584         * b3/air/AirCode.cpp:
2585         (JSC::B3::Air::Code::addStackSlot):
2586         (JSC::B3::Air::Code::addSpecial):
2587         * b3/air/AirCode.h:
2588         * b3/air/AirOpcode.opcodes:
2589         * b3/air/AirSpillEverything.cpp:
2590         (JSC::B3::Air::spillEverything):
2591         * b3/air/AirStackSlot.h:
2592         (JSC::B3::Air::StackSlot::byteSize):
2593         (JSC::B3::Air::StackSlot::kind):
2594         (JSC::B3::Air::StackSlot::isLocked):
2595         (JSC::B3::Air::StackSlot::index):
2596         (JSC::B3::Air::StackSlot::alignment):
2597         * b3/air/opcode_generator.rb:
2598         * b3/testb3.cpp:
2599         (JSC::B3::testLoadOffsetUsingAddNotConstant):
2600         (JSC::B3::testFramePointer):
2601         (JSC::B3::testStackSlot):
2602         (JSC::B3::testLoadFromFramePointer):
2603         (JSC::B3::testStoreLoadStackSlot):
2604         (JSC::B3::run):
2605
2606 2015-10-29  Saam barati  <sbarati@apple.com>
2607
2608         we're incorrectly adjusting a stack location with respect to the localsOffset in FTLCompile
2609         https://bugs.webkit.org/show_bug.cgi?id=150655
2610
2611         Reviewed by Filip Pizlo.
2612
2613         We're recomputing this value for an *OSRExitDescriptor* for every one
2614         of its corresponding *OSRExits*. This is having a multiplicative
2615         effect on offsets because each computation is relative to the previous
2616         value. We must do this computation just once per OSRExitDescriptor.
2617
2618         * ftl/FTLCompile.cpp:
2619         (JSC::FTL::mmAllocateDataSection):
2620
2621 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2622
2623         Air::spillEverything() should try to replace tmps with spill slots without using registers whenever possible
2624         https://bugs.webkit.org/show_bug.cgi?id=150657
2625
2626         Reviewed by Geoffrey Garen.
2627
2628         Also added the ability to store an immediate to memory.
2629
2630         * assembler/MacroAssembler.h:
2631         (JSC::MacroAssembler::storePtr):
2632         * assembler/MacroAssemblerARM64.h:
2633         (JSC::MacroAssemblerARM64::store64):
2634         * assembler/MacroAssemblerX86_64.h:
2635         (JSC::MacroAssemblerX86_64::store64):
2636         * b3/B3LowerToAir.cpp:
2637         (JSC::B3::Air::LowerToAir::imm):
2638         (JSC::B3::Air::LowerToAir::immAnyInt):
2639         (JSC::B3::Air::LowerToAir::immOrTmp):
2640         (JSC::B3::Air::LowerToAir::tryStore):
2641         * b3/air/AirOpcode.opcodes:
2642         * b3/air/AirSpillEverything.cpp:
2643         (JSC::B3::Air::spillEverything):
2644         * b3/testb3.cpp:
2645         (JSC::B3::testStore):
2646         (JSC::B3::testStoreConstant):
2647         (JSC::B3::testStoreConstantPtr):
2648         (JSC::B3::testTrunc):
2649         (JSC::B3::run):
2650
2651 2015-10-28  Joseph Pecoraro  <pecoraro@apple.com>
2652
2653         Web Inspector: Rename InspectorResourceAgent to InspectorNetworkAgent
2654         https://bugs.webkit.org/show_bug.cgi?id=150654
2655
2656         Reviewed by Geoffrey Garen.
2657
2658         * inspector/scripts/codegen/generator.py:
2659
2660 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2661
2662         B3::reduceStrength() should do DCE
2663         https://bugs.webkit.org/show_bug.cgi?id=150656
2664
2665         Reviewed by Saam Barati.
2666
2667         * b3/B3BasicBlock.cpp:
2668         (JSC::B3::BasicBlock::removeNops): This now deletes the values from the procedure, to preserve the invariant that valuesInProc == valuesInBlocks.
2669         * b3/B3BasicBlock.h:
2670         * b3/B3Procedure.cpp:
2671         (JSC::B3::Procedure::deleteValue): Add a utility used by removeNops().
2672         (JSC::B3::Procedure::addValueIndex): Make sure that we reuse Value indices so that m_values doesn't get too sparse.
2673         * b3/B3Procedure.h:
2674         (JSC::B3::Procedure::ValuesCollection::iterator::iterator): Teach this that m_values can be slightly sparse.
2675         (JSC::B3::Procedure::ValuesCollection::iterator::operator++):
2676         (JSC::B3::Procedure::ValuesCollection::iterator::operator!=):
2677         (JSC::B3::Procedure::ValuesCollection::iterator::findNext):
2678         (JSC::B3::Procedure::values):
2679         * b3/B3ProcedureInlines.h:
2680         (JSC::B3::Procedure::add): Use addValueIndex() instead of always creating a new index.
2681         * b3/B3ReduceStrength.cpp: Implement the optimization using UseCounts and Effects.
2682
2683 2015-10-28  Joseph Pecoraro  <pecoraro@apple.com>
2684
2685         Web Inspector: Remove unused / duplicate WebSocket timeline records
2686         https://bugs.webkit.org/show_bug.cgi?id=150647
2687
2688         Reviewed by Timothy Hatcher.
2689
2690         * inspector/protocol/Timeline.json:
2691
2692 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2693
2694         B3::LowerToAir should not duplicate Loads
2695         https://bugs.webkit.org/show_bug.cgi?id=150651
2696
2697         Reviewed by Benjamin Poulain.
2698
2699         The instruction selector may decide to fuse two Values into one. This ordinarily only happens
2700         if we haven't already emitted code that uses the Value and the Value has only one direct
2701         user. Once we have emitted such code, we ensure that everyone knows that we have "locked" the
2702         Value: we won't emit any more code for it in the future.
2703
2704         The optimization to fuse Loads was forgetting to do all of these things, and so generated
2705         code would have a lot of duplicated Loads. That's bad and this change fixes that.
2706
2707         Ordinarily, this is far less tricky because the pattern matcher does this for us via
2708         acceptInternals() and acceptInternalsLate(). I added a comment to this effect. I hope that we
2709         won't need to do this manually very often.
2710
2711         Also found an uninitialized value bug in UseCounts. That was making all of this super hard to
2712         debug.
2713
2714         * b3/B3IndexMap.h:
2715         (JSC::B3::IndexMap::IndexMap):
2716         (JSC::B3::IndexMap::resize):
2717         (JSC::B3::IndexMap::operator[]):
2718         * b3/B3LowerToAir.cpp:
2719         (JSC::B3::Air::LowerToAir::tmp):
2720         (JSC::B3::Air::LowerToAir::canBeInternal):
2721         (JSC::B3::Air::LowerToAir::commitInternal):
2722         (JSC::B3::Air::LowerToAir::effectiveAddr):
2723         (JSC::B3::Air::LowerToAir::loadAddr):
2724         (JSC::B3::Air::LowerToAir::appendBinOp):
2725         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
2726         (JSC::B3::Air::LowerToAir::acceptInternals):
2727         * b3/B3UseCounts.cpp:
2728         (JSC::B3::UseCounts::UseCounts):
2729
2730 2015-10-28  Mark Lam  <mark.lam@apple.com>
2731
2732         JITSubGenerator::generateFastPath() does not need to be inlined.
2733         https://bugs.webkit.org/show_bug.cgi?id=150645
2734
2735         Reviewed by Geoffrey Garen.
2736
2737         Moving it to a .cpp file to reduce code size.  Benchmarks show this to be
2738         perf neutral.
2739
2740         * CMakeLists.txt:
2741         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2742         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2743         * JavaScriptCore.xcodeproj/project.pbxproj:
2744         * ftl/FTLCompile.cpp:
2745         * jit/JITSubGenerator.cpp: Added.
2746         (JSC::JITSubGenerator::generateFastPath):
2747         * jit/JITSubGenerator.h:
2748         (JSC::JITSubGenerator::JITSubGenerator):
2749         (JSC::JITSubGenerator::endJumpList):
2750         (JSC::JITSubGenerator::slowPathJumpList):
2751         (JSC::JITSubGenerator::generateFastPath): Deleted.
2752
2753 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2754
2755         [B3] handleCommutativity should canonicalize commutative operations over non-constants
2756         https://bugs.webkit.org/show_bug.cgi?id=150649
2757
2758         Reviewed by Saam Barati.
2759
2760         Turn this: Add(value1, value2)
2761         Into this: Add(value2, value1)
2762
2763         But only if value2 should come before value1 according to our total ordering. This will allow
2764         CSE to observe the equality between commuted versions of the same operation, since we will
2765         first canonicalize them into the same order.
2766
2767         * b3/B3ReduceStrength.cpp:
2768
2769 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2770
2771         Unreviewed, fix the build for case sensitive file systems.
2772
2773         * b3/air/AirBasicBlock.h:
2774         * b3/air/AirStackSlot.h:
2775
2776 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2777
2778         Create a super rough prototype of B3
2779         https://bugs.webkit.org/show_bug.cgi?id=150280
2780
2781         Reviewed by Benjamin Poulain.
2782
2783         This changeset adds the basic scaffolding of the B3 compiler. B3 stands for Bare Bones
2784         Backend. It's a low-level SSA-based language-agnostic compiler. The basic structure allows
2785         for aggressive C-level optimizations and an awesome portable backend. The backend, called
2786         Air (Assembly IR), is a reflective abstraction over our MacroAssembler. The abstraction is
2787         defined using a spec file (AirOpcode.opcodes) which describes the various kinds of
2788         instructions that we wish to support. Then, the B3::LowerToAir phase, which does our
2789         instruction selection, reflectively selects Air opcodes by querying which instruction forms
2790         are possible. Air allows for optimal register allocation and stack layout. Currently the
2791         register allocator isn't written, but the stack layout is.
2792
2793         Of course this isn't done yet. It can only compile simple programs, seen in the "test suite"
2794         called "testb3.cpp". There's a lot of optimizations that have to be written and a lot of
2795         stuff added to the instruction selector. But it's a neat start.
2796
2797         * CMakeLists.txt:
2798         * DerivedSources.make:
2799         * JavaScriptCore.xcodeproj/project.pbxproj:
2800         * assembler/MacroAssembler.cpp:
2801         (WTF::printInternal):
2802         * assembler/MacroAssembler.h:
2803         * b3: Added.
2804         * b3/B3AddressMatcher.patterns: Added.
2805         * b3/B3ArgumentRegValue.cpp: Added.
2806         (JSC::B3::ArgumentRegValue::~ArgumentRegValue):
2807         (JSC::B3::ArgumentRegValue::dumpMeta):
2808         * b3/B3ArgumentRegValue.h: Added.
2809         * b3/B3BasicBlock.cpp: Added.
2810         (JSC::B3::BasicBlock::BasicBlock):
2811         (JSC::B3::BasicBlock::~BasicBlock):
2812         (JSC::B3::BasicBlock::append):
2813         (JSC::B3::BasicBlock::addPredecessor):
2814         (JSC::B3::BasicBlock::removePredecessor):
2815         (JSC::B3::BasicBlock::replacePredecessor):
2816         (JSC::B3::BasicBlock::removeNops):
2817         (JSC::B3::BasicBlock::dump):
2818         (JSC::B3::BasicBlock::deepDump):
2819         * b3/B3BasicBlock.h: Added.
2820         (JSC::B3::BasicBlock::index):
2821         (JSC::B3::BasicBlock::begin):
2822         (JSC::B3::BasicBlock::end):
2823         (JSC::B3::BasicBlock::size):
2824         (JSC::B3::BasicBlock::at):
2825         (JSC::B3::BasicBlock::last):
2826         (JSC::B3::BasicBlock::values):
2827         (JSC::B3::BasicBlock::numPredecessors):
2828         (JSC::B3::BasicBlock::predecessor):
2829         (JSC::B3::BasicBlock::predecessors):
2830         (JSC::B3::BasicBlock::frequency):
2831         (JSC::B3::DeepBasicBlockDump::DeepBasicBlockDump):
2832         (JSC::B3::DeepBasicBlockDump::dump):
2833         (JSC::B3::deepDump):
2834         * b3/B3BasicBlockInlines.h: Added.
2835         (JSC::B3::BasicBlock::appendNew):
2836         (JSC::B3::BasicBlock::numSuccessors):
2837         (JSC::B3::BasicBlock::successor):
2838         (JSC::B3::BasicBlock::successors):
2839         (JSC::B3::BasicBlock::successorBlock):
2840         (JSC::B3::BasicBlock::successorBlocks):
2841         * b3/B3BasicBlockUtils.h: Added.
2842         (JSC::B3::addPredecessor):
2843         (JSC::B3::removePredecessor):
2844         (JSC::B3::replacePredecessor):
2845         (JSC::B3::resetReachability):
2846         (JSC::B3::blocksInPreOrder):
2847         (JSC::B3::blocksInPostOrder):
2848         * b3/B3BlockWorklist.h: Added.
2849         * b3/B3CheckSpecial.cpp: Added.
2850         (JSC::B3::Air::numB3Args):
2851         (JSC::B3::CheckSpecial::CheckSpecial):
2852         (JSC::B3::CheckSpecial::~CheckSpecial):
2853         (JSC::B3::CheckSpecial::hiddenBranch):
2854         (JSC::B3::CheckSpecial::forEachArg):
2855         (JSC::B3::CheckSpecial::isValid):
2856         (JSC::B3::CheckSpecial::admitsStack):
2857         (JSC::B3::CheckSpecial::generate):
2858         (JSC::B3::CheckSpecial::dumpImpl):
2859         (JSC::B3::CheckSpecial::deepDumpImpl):
2860         * b3/B3CheckSpecial.h: Added.
2861         * b3/B3CheckValue.cpp: Added.
2862         (JSC::B3::CheckValue::~CheckValue):
2863         (JSC::B3::CheckValue::dumpMeta):
2864         * b3/B3CheckValue.h: Added.
2865         * b3/B3Common.cpp: Added.
2866         (JSC::B3::shouldDumpIR):
2867         (JSC::B3::shouldDumpIRAtEachPhase):
2868         (JSC::B3::shouldValidateIR):
2869         (JSC::B3::shouldValidateIRAtEachPhase):
2870         (JSC::B3::shouldSaveIRBeforePhase):
2871         * b3/B3Common.h: Added.
2872         (JSC::B3::is64Bit):
2873         (JSC::B3::is32Bit):
2874         * b3/B3Commutativity.cpp: Added.
2875         (WTF::printInternal):
2876         * b3/B3Commutativity.h: Added.
2877         * b3/B3Const32Value.cpp: Added.
2878         (JSC::B3::Const32Value::~Const32Value):
2879         (JSC::B3::Const32Value::negConstant):
2880         (JSC::B3::Const32Value::addConstant):
2881         (JSC::B3::Const32Value::subConstant):
2882         (JSC::B3::Const32Value::dumpMeta):
2883         * b3/B3Const32Value.h: Added.
2884         * b3/B3Const64Value.cpp: Added.
2885         (JSC::B3::Const64Value::~Const64Value):
2886         (JSC::B3::Const64Value::negConstant):
2887         (JSC::B3::Const64Value::addConstant):
2888         (JSC::B3::Const64Value::subConstant):
2889         (JSC::B3::Const64Value::dumpMeta):
2890         * b3/B3Const64Value.h: Added.
2891         * b3/B3ConstDoubleValue.cpp: Added.
2892         (JSC::B3::ConstDoubleValue::~ConstDoubleValue):
2893         (JSC::B3::ConstDoubleValue::negConstant):
2894         (JSC::B3::ConstDoubleValue::addConstant):
2895         (JSC::B3::ConstDoubleValue::subConstant):
2896         (JSC::B3::ConstDoubleValue::dumpMeta):
2897         * b3/B3ConstDoubleValue.h: Added.
2898         (JSC::B3::ConstDoubleValue::accepts):
2899         (JSC::B3::ConstDoubleValue::value):
2900         (JSC::B3::ConstDoubleValue::ConstDoubleValue):
2901         * b3/B3ConstPtrValue.h: Added.
2902         (JSC::B3::ConstPtrValue::value):
2903         (JSC::B3::ConstPtrValue::ConstPtrValue):
2904         * b3/B3ControlValue.cpp: Added.
2905         (JSC::B3::ControlValue::~ControlValue):
2906         (JSC::B3::ControlValue::dumpMeta):
2907         * b3/B3ControlValue.h: Added.
2908         * b3/B3Effects.cpp: Added.
2909         (JSC::B3::Effects::dump):
2910         * b3/B3Effects.h: Added.
2911         (JSC::B3::Effects::mustExecute):
2912         * b3/B3FrequencyClass.cpp: Added.
2913         (WTF::printInternal):
2914         * b3/B3FrequencyClass.h: Added.
2915         * b3/B3FrequentedBlock.h: Added.
2916         * b3/B3Generate.cpp: Added.
2917         (JSC::B3::generate):
2918         (JSC::B3::generateToAir):
2919         * b3/B3Generate.h: Added.
2920         * b3/B3GenericFrequentedBlock.h: Added.
2921         (JSC::B3::GenericFrequentedBlock::GenericFrequentedBlock):
2922         (JSC::B3::GenericFrequentedBlock::operator==):
2923         (JSC::B3::GenericFrequentedBlock::operator!=):
2924         (JSC::B3::GenericFrequentedBlock::operator bool):
2925         (JSC::B3::GenericFrequentedBlock::block):
2926         (JSC::B3::GenericFrequentedBlock::frequency):
2927         (JSC::B3::GenericFrequentedBlock::dump):
2928         * b3/B3HeapRange.cpp: Added.
2929         (JSC::B3::HeapRange::dump):
2930         * b3/B3HeapRange.h: Added.
2931         (JSC::B3::HeapRange::HeapRange):
2932         (JSC::B3::HeapRange::top):
2933         (JSC::B3::HeapRange::operator==):
2934         (JSC::B3::HeapRange::operator!=):
2935         (JSC::B3::HeapRange::operator bool):
2936         (JSC::B3::HeapRange::begin):
2937         (JSC::B3::HeapRange::end):
2938         (JSC::B3::HeapRange::overlaps):
2939         * b3/B3IndexMap.h: Added.
2940         (JSC::B3::IndexMap::IndexMap):
2941         (JSC::B3::IndexMap::resize):
2942         (JSC::B3::IndexMap::operator[]):
2943         * b3/B3IndexSet.h: Added.
2944         (JSC::B3::IndexSet::IndexSet):
2945         (JSC::B3::IndexSet::add):
2946         (JSC::B3::IndexSet::contains):
2947         (JSC::B3::IndexSet::Iterable::Iterable):
2948         (JSC::B3::IndexSet::Iterable::iterator::iterator):
2949         (JSC::B3::IndexSet::Iterable::iterator::operator*):
2950         (JSC::B3::IndexSet::Iterable::iterator::operator++):
2951         (JSC::B3::IndexSet::Iterable::iterator::operator==):
2952         (JSC::B3::IndexSet::Iterable::iterator::operator!=):
2953         (JSC::B3::IndexSet::Iterable::begin):
2954         (JSC::B3::IndexSet::Iterable::end):
2955         (JSC::B3::IndexSet::values):
2956         (JSC::B3::IndexSet::indices):
2957         (JSC::B3::IndexSet::dump):
2958         * b3/B3InsertionSet.cpp: Added.
2959         (JSC::B3::InsertionSet::execute):
2960         * b3/B3InsertionSet.h: Added.
2961         (JSC::B3::InsertionSet::InsertionSet):
2962         (JSC::B3::InsertionSet::code):
2963         (JSC::B3::InsertionSet::appendInsertion):
2964         (JSC::B3::InsertionSet::insertValue):
2965         * b3/B3InsertionSetInlines.h: Added.
2966         (JSC::B3::InsertionSet::insert):
2967         * b3/B3LowerToAir.cpp: Added.
2968         (JSC::B3::Air::LowerToAir::LowerToAir):
2969         (JSC::B3::Air::LowerToAir::run):
2970         (JSC::B3::Air::LowerToAir::tmp):
2971         (JSC::B3::Air::LowerToAir::effectiveAddr):
2972         (JSC::B3::Air::LowerToAir::addr):
2973         (JSC::B3::Air::LowerToAir::loadAddr):
2974         (JSC::B3::Air::LowerToAir::imm):
2975         (JSC::B3::Air::LowerToAir::immOrTmp):
2976         (JSC::B3::Air::LowerToAir::appendBinOp):
2977         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
2978         (JSC::B3::Air::LowerToAir::moveForType):
2979         (JSC::B3::Air::LowerToAir::relaxedMoveForType):
2980         (JSC::B3::Air::LowerToAir::append):
2981         (JSC::B3::Air::LowerToAir::AddressSelector::AddressSelector):
2982         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRoot):
2983         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRootLate):
2984         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternals):
2985         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternalsLate):
2986         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperands):
2987         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperandsLate):
2988         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift1):
2989         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift2):
2990         (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd):
2991         (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect):
2992         (JSC::B3::Air::LowerToAir::acceptRoot):
2993         (JSC::B3::Air::LowerToAir::acceptRootLate):
2994         (JSC::B3::Air::LowerToAir::acceptInternals):
2995         (JSC::B3::Air::LowerToAir::acceptInternalsLate):
2996         (JSC::B3::Air::LowerToAir::acceptOperands):
2997         (JSC::B3::Air::LowerToAir::acceptOperandsLate):
2998         (JSC::B3::Air::LowerToAir::tryLoad):
2999         (JSC::B3::Air::LowerToAir::tryAdd):
3000         (JSC::B3::Air::LowerToAir::tryAnd):
3001         (JSC::B3::Air::LowerToAir::tryStoreAddLoad):
3002         (JSC::B3::Air::LowerToAir::tryStoreAndLoad):
3003         (JSC::B3::Air::LowerToAir::tryStore):
3004         (JSC::B3::Air::LowerToAir::tryTruncArgumentReg):
3005         (JSC::B3::Air::LowerToAir::tryTrunc):
3006         (JSC::B3::Air::LowerToAir::tryArgumentReg):
3007         (JSC::B3::Air::LowerToAir::tryConst32):
3008         (JSC::B3::Air::LowerToAir::tryConst64):
3009         (JSC::B3::Air::LowerToAir::tryIdentity):
3010         (JSC::B3::Air::LowerToAir::tryReturn):
3011         (JSC::B3::lowerToAir):
3012         * b3/B3LowerToAir.h: Added.
3013         * b3/B3LoweringMatcher.patterns: Added.
3014         * b3/B3MemoryValue.cpp: Added.
3015         (JSC::B3::MemoryValue::~MemoryValue):
3016         (JSC::B3::MemoryValue::dumpMeta):
3017         * b3/B3MemoryValue.h: Added.
3018         * b3/B3Opcode.cpp: Added.
3019         (WTF::printInternal):
3020         * b3/B3Opcode.h: Added.
3021         (JSC::B3::isCheckMath):
3022         * b3/B3Origin.cpp: Added.
3023         (JSC::B3::Origin::dump):
3024         * b3/B3Origin.h: Added.
3025         (JSC::B3::Origin::Origin):
3026         (JSC::B3::Origin::operator bool):
3027         (JSC::B3::Origin::data):
3028         * b3/B3PatchpointSpecial.cpp: Added.
3029         (JSC::B3::PatchpointSpecial::PatchpointSpecial):
3030         (JSC::B3::PatchpointSpecial::~PatchpointSpecial):
3031         (JSC::B3::PatchpointSpecial::forEachArg):
3032         (JSC::B3::PatchpointSpecial::isValid):
3033         (JSC::B3::PatchpointSpecial::admitsStack):
3034         (JSC::B3::PatchpointSpecial::generate):
3035         (JSC::B3::PatchpointSpecial::dumpImpl):
3036         (JSC::B3::PatchpointSpecial::deepDumpImpl):
3037         * b3/B3PatchpointSpecial.h: Added.
3038         * b3/B3PatchpointValue.cpp: Added.
3039         (JSC::B3::PatchpointValue::~PatchpointValue):
3040         (JSC::B3::PatchpointValue::dumpMeta):
3041         * b3/B3PatchpointValue.h: Added.
3042         (JSC::B3::PatchpointValue::accepts):
3043         (JSC::B3::PatchpointValue::PatchpointValue):
3044         * b3/B3PhaseScope.cpp: Added.
3045         (JSC::B3::PhaseScope::PhaseScope):
3046         (JSC::B3::PhaseScope::~PhaseScope):
3047         * b3/B3PhaseScope.h: Added.
3048         * b3/B3Procedure.cpp: Added.
3049         (JSC::B3::Procedure::Procedure):
3050         (JSC::B3::Procedure::~Procedure):
3051         (JSC::B3::Procedure::addBlock):
3052         (JSC::B3::Procedure::resetReachability):
3053         (JSC::B3::Procedure::dump):
3054         (JSC::B3::Procedure::blocksInPreOrder):
3055         (JSC::B3::Procedure::blocksInPostOrder):
3056         * b3/B3Procedure.h: Added.
3057         (JSC::B3::Procedure::size):
3058         (JSC::B3::Procedure::at):
3059         (JSC::B3::Procedure::operator[]):
3060         (JSC::B3::Procedure::iterator::iterator):
3061         (JSC::B3::Procedure::iterator::operator*):
3062         (JSC::B3::Procedure::iterator::operator++):
3063         (JSC::B3::Procedure::iterator::operator==):
3064         (JSC::B3::Procedure::iterator::operator!=):
3065         (JSC::B3::Procedure::iterator::findNext):
3066         (JSC::B3::Procedure::begin):
3067         (JSC::B3::Procedure::end):
3068         (JSC::B3::Procedure::ValuesCollection::ValuesCollection):
3069         (JSC::B3::Procedure::ValuesCollection::iterator::iterator):
3070         (JSC::B3::Procedure::ValuesCollection::iterator::operator*):
3071         (JSC::B3::Procedure::ValuesCollection::iterator::operator++):
3072         (JSC::B3::Procedure::ValuesCollection::iterator::operator==):
3073         (JSC::B3::Procedure::ValuesCollection::iterator::operator!=):
3074         (JSC::B3::Procedure::ValuesCollection::begin):
3075         (JSC::B3::Procedure::ValuesCollection::end):
3076         (JSC::B3::Procedure::ValuesCollection::size):
3077         (JSC::B3::Procedure::ValuesCollection::at):
3078         (JSC::B3::Procedure::ValuesCollection::operator[]):
3079         (JSC::B3::Procedure::values):
3080         (JSC::B3::Procedure::setLastPhaseName):
3081         (JSC::B3::Procedure::lastPhaseName):
3082         * b3/B3ProcedureInlines.h: Added.
3083         (JSC::B3::Procedure::add):
3084         * b3/B3ReduceStrength.cpp: Added.
3085         (JSC::B3::reduceStrength):
3086         * b3/B3ReduceStrength.h: Added.
3087         * b3/B3StackSlotKind.cpp: Added.
3088         (WTF::printInternal):
3089         * b3/B3StackSlotKind.h: Added.
3090         * b3/B3StackSlotValue.cpp: Added.
3091         (JSC::B3::StackSlotValue::~StackSlotValue):
3092         (JSC::B3::StackSlotValue::dumpMeta):
3093         * b3/B3StackSlotValue.h: Added.
3094         (JSC::B3::StackSlotValue::accepts):
3095         (JSC::B3::StackSlotValue::byteSize):
3096         (JSC::B3::StackSlotValue::kind):
3097         (JSC::B3::StackSlotValue::offsetFromFP):
3098         (JSC::B3::StackSlotValue::setOffsetFromFP):
3099         (JSC::B3::StackSlotValue::StackSlotValue):
3100         * b3/B3Stackmap.cpp: Added.
3101         (JSC::B3::Stackmap::Stackmap):
3102         (JSC::B3::Stackmap::~Stackmap):
3103         (JSC::B3::Stackmap::dump):
3104         * b3/B3Stackmap.h: Added.
3105         (JSC::B3::Stackmap::constrain):
3106         (JSC::B3::Stackmap::reps):
3107         (JSC::B3::Stackmap::clobber):
3108         (JSC::B3::Stackmap::clobbered):
3109         (JSC::B3::Stackmap::setGenerator):
3110         * b3/B3StackmapSpecial.cpp: Added.
3111         (JSC::B3::StackmapSpecial::StackmapSpecial):
3112         (JSC::B3::StackmapSpecial::~StackmapSpecial):
3113         (JSC::B3::StackmapSpecial::reportUsedRegisters):
3114         (JSC::B3::StackmapSpecial::extraClobberedRegs):
3115         (JSC::B3::StackmapSpecial::forEachArgImpl):
3116         (JSC::B3::StackmapSpecial::isValidImpl):
3117         (JSC::B3::StackmapSpecial::admitsStackImpl):
3118         (JSC::B3::StackmapSpecial::appendRepsImpl):
3119         (JSC::B3::StackmapSpecial::repForArg):
3120         * b3/B3StackmapSpecial.h: Added.
3121         * b3/B3SuccessorCollection.h: Added.
3122         (JSC::B3::SuccessorCollection::SuccessorCollection):
3123         (JSC::B3::SuccessorCollection::size):
3124         (JSC::B3::SuccessorCollection::at):
3125         (JSC::B3::SuccessorCollection::operator[]):
3126         (JSC::B3::SuccessorCollection::iterator::iterator):
3127         (JSC::B3::SuccessorCollection::iterator::operator*):
3128         (JSC::B3::SuccessorCollection::iterator::operator++):
3129         (JSC::B3::SuccessorCollection::iterator::operator==):
3130         (JSC::B3::SuccessorCollection::iterator::operator!=):
3131         (JSC::B3::SuccessorCollection::begin):
3132         (JSC::B3::SuccessorCollection::end):
3133         * b3/B3SwitchCase.cpp: Added.
3134         (JSC::B3::SwitchCase::dump):
3135         * b3/B3SwitchCase.h: Added.
3136         (JSC::B3::SwitchCase::SwitchCase):
3137         (JSC::B3::SwitchCase::operator bool):
3138         (JSC::B3::SwitchCase::caseValue):
3139         (JSC::B3::SwitchCase::target):
3140         (JSC::B3::SwitchCase::targetBlock):
3141         * b3/B3SwitchValue.cpp: Added.
3142         (JSC::B3::SwitchValue::~SwitchValue):
3143         (JSC::B3::SwitchValue::removeCase):
3144         (JSC::B3::SwitchValue::appendCase):
3145         (JSC::B3::SwitchValue::dumpMeta):
3146         (JSC::B3::SwitchValue::SwitchValue):
3147         * b3/B3SwitchValue.h: Added.
3148         (JSC::B3::SwitchValue::accepts):
3149         (JSC::B3::SwitchValue::numCaseValues):
3150         (JSC::B3::SwitchValue::caseValue):
3151         (JSC::B3::SwitchValue::caseValues):
3152         (JSC::B3::SwitchValue::fallThrough):
3153         (JSC::B3::SwitchValue::size):
3154         (JSC::B3::SwitchValue::at):
3155         (JSC::B3::SwitchValue::operator[]):
3156         (JSC::B3::SwitchValue::iterator::iterator):
3157         (JSC::B3::SwitchValue::iterator::operator*):
3158         (JSC::B3::SwitchValue::iterator::operator++):
3159         (JSC::B3::SwitchValue::iterator::operator==):
3160         (JSC::B3::SwitchValue::iterator::operator!=):
3161         (JSC::B3::SwitchValue::begin):
3162         (JSC::B3::SwitchValue::end):
3163         * b3/B3Type.cpp: Added.
3164         (WTF::printInternal):
3165         * b3/B3Type.h: Added.
3166         (JSC::B3::isInt):
3167         (JSC::B3::isFloat):
3168         (JSC::B3::pointerType):
3169         * b3/B3UpsilonValue.cpp: Added.
3170         (JSC::B3::UpsilonValue::~UpsilonValue):
3171         (JSC::B3::UpsilonValue::dumpMeta):
3172         * b3/B3UpsilonValue.h: Added.
3173         (JSC::B3::UpsilonValue::accepts):
3174         (JSC::B3::UpsilonValue::phi):
3175         (JSC::B3::UpsilonValue::UpsilonValue):
3176         * b3/B3UseCounts.cpp: Added.
3177         (JSC::B3::UseCounts::UseCounts):
3178         (JSC::B3::UseCounts::~UseCounts):
3179         * b3/B3UseCounts.h: Added.
3180         (JSC::B3::UseCounts::operator[]):
3181         * b3/B3Validate.cpp: Added.
3182         (JSC::B3::validate):
3183         * b3/B3Validate.h: Added.
3184         * b3/B3Value.cpp: Added.
3185         (JSC::B3::Value::~Value):
3186         (JSC::B3::Value::replaceWithIdentity):
3187         (JSC::B3::Value::replaceWithNop):
3188         (JSC::B3::Value::dump):
3189         (JSC::B3::Value::deepDump):
3190         (JSC::B3::Value::negConstant):
3191         (JSC::B3::Value::addConstant):
3192         (JSC::B3::Value::subConstant):
3193         (JSC::B3::Value::effects):
3194         (JSC::B3::Value::performSubstitution):
3195         (JSC::B3::Value::dumpMeta):
3196         (JSC::B3::Value::typeFor):
3197         * b3/B3Value.h: Added.
3198         (JSC::B3::DeepValueDump::DeepValueDump):
3199         (JSC::B3::DeepValueDump::dump):
3200         (JSC::B3::deepDump):
3201         * b3/B3ValueInlines.h: Added.
3202         (JSC::B3::Value::as):
3203         (JSC::B3::Value::isConstant):
3204         (JSC::B3::Value::hasInt32):
3205         (JSC::B3::Value::asInt32):
3206         (JSC::B3::Value::hasInt64):
3207         (JSC::B3::Value::asInt64):
3208         (JSC::B3::Value::hasInt):
3209         (JSC::B3::Value::asInt):
3210         (JSC::B3::Value::isInt):
3211         (JSC::B3::Value::hasIntPtr):
3212         (JSC::B3::Value::asIntPtr):
3213         (JSC::B3::Value::hasDouble):
3214         (JSC::B3::Value::asDouble):
3215         (JSC::B3::Value::stackmap):
3216         * b3/B3ValueRep.cpp: Added.
3217         (JSC::B3::ValueRep::dump):
3218         (WTF::printInternal):
3219         * b3/B3ValueRep.h: Added.
3220         (JSC::B3::ValueRep::ValueRep):
3221         (JSC::B3::ValueRep::reg):
3222         (JSC::B3::ValueRep::stack):
3223         (JSC::B3::ValueRep::stackArgument):
3224         (JSC::B3::ValueRep::constant):
3225         (JSC::B3::ValueRep::constantDouble):
3226         (JSC::B3::ValueRep::kind):
3227         (JSC::B3::ValueRep::operator bool):
3228         (JSC::B3::ValueRep::offsetFromFP):
3229         (JSC::B3::ValueRep::offsetFromSP):
3230         (JSC::B3::ValueRep::value):
3231         (JSC::B3::ValueRep::doubleValue):
3232         * b3/air: Added.
3233         * b3/air/AirAllocateStack.cpp: Added.
3234         (JSC::B3::Air::allocateStack):
3235         * b3/air/AirAllocateStack.h: Added.
3236         * b3/air/AirArg.cpp: Added.
3237         (JSC::B3::Air::Arg::dump):
3238         * b3/air/AirArg.h: Added.
3239         (JSC::B3::Air::Arg::isUse):
3240         (JSC::B3::Air::Arg::isDef):
3241         (JSC::B3::Air::Arg::typeForB3Type):
3242         (JSC::B3::Air::Arg::Arg):
3243         (JSC::B3::Air::Arg::imm):
3244         (JSC::B3::Air::Arg::imm64):
3245         (JSC::B3::Air::Arg::addr):
3246         (JSC::B3::Air::Arg::stack):
3247         (JSC::B3::Air::Arg::callArg):
3248         (JSC::B3::Air::Arg::isValidScale):
3249         (JSC::B3::Air::Arg::logScale):
3250         (JSC::B3::Air::Arg::index):
3251         (JSC::B3::Air::Arg::relCond):
3252         (JSC::B3::Air::Arg::resCond):
3253         (JSC::B3::Air::Arg::special):
3254         (JSC::B3::Air::Arg::operator==):
3255         (JSC::B3::Air::Arg::operator!=):
3256         (JSC::B3::Air::Arg::operator bool):
3257         (JSC::B3::Air::Arg::kind):
3258         (JSC::B3::Air::Arg::isTmp):
3259         (JSC::B3::Air::Arg::isImm):
3260         (JSC::B3::Air::Arg::isImm64):
3261         (JSC::B3::Air::Arg::isAddr):
3262         (JSC::B3::Air::Arg::isStack):
3263         (JSC::B3::Air::Arg::isCallArg):
3264         (JSC::B3::Air::Arg::isIndex):
3265         (JSC::B3::Air::Arg::isRelCond):
3266         (JSC::B3::Air::Arg::isResCond):
3267         (JSC::B3::Air::Arg::isSpecial):
3268         (JSC::B3::Air::Arg::isAlive):
3269         (JSC::B3::Air::Arg::tmp):
3270         (JSC::B3::Air::Arg::value):
3271         (JSC::B3::Air::Arg::pointerValue):
3272         (JSC::B3::Air::Arg::base):
3273         (JSC::B3::Air::Arg::hasOffset):
3274         (JSC::B3::Air::Arg::offset):
3275         (JSC::B3::Air::Arg::stackSlot):
3276         (JSC::B3::Air::Arg::scale):
3277         (JSC::B3::Air::Arg::isGPTmp):
3278         (JSC::B3::Air::Arg::isFPTmp):
3279         (JSC::B3::Air::Arg::isGP):
3280         (JSC::B3::Air::Arg::isFP):
3281         (JSC::B3::Air::Arg::hasType):
3282         (JSC::B3::Air::Arg::type):
3283         (JSC::B3::Air::Arg::isType):
3284         (JSC::B3::Air::Arg::isGPR):
3285         (JSC::B3::Air::Arg::gpr):
3286         (JSC::B3::Air::Arg::isFPR):
3287         (JSC::B3::Air::Arg::fpr):
3288         (JSC::B3::Air::Arg::isReg):
3289         (JSC::B3::Air::Arg::reg):
3290         (JSC::B3::Air::Arg::gpTmpIndex):
3291         (JSC::B3::Air::Arg::fpTmpIndex):
3292         (JSC::B3::Air::Arg::tmpIndex):
3293         (JSC::B3::Air::Arg::withOffset):
3294         (JSC::B3::Air::Arg::forEachTmpFast):
3295         (JSC::B3::Air::Arg::forEachTmp):
3296         (JSC::B3::Air::Arg::asTrustedImm32):
3297         (JSC::B3::Air::Arg::asTrustedImm64):
3298         (JSC::B3::Air::Arg::asTrustedImmPtr):
3299         (JSC::B3::Air::Arg::asAddress):
3300         (JSC::B3::Air::Arg::asBaseIndex):
3301         (JSC::B3::Air::Arg::asRelationalCondition):
3302         (JSC::B3::Air::Arg::asResultCondition):
3303         (JSC::B3::Air::Arg::isHashTableDeletedValue):
3304         (JSC::B3::Air::Arg::hash):
3305         (JSC::B3::Air::ArgHash::hash):
3306         (JSC::B3::Air::ArgHash::equal):
3307         * b3/air/AirBasicBlock.cpp: Added.
3308         (JSC::B3::Air::BasicBlock::addPredecessor):
3309         (JSC::B3::Air::BasicBlock::removePredecessor):
3310         (JSC::B3::Air::BasicBlock::replacePredecessor):
3311         (JSC::B3::Air::BasicBlock::dump):
3312         (JSC::B3::Air::BasicBlock::deepDump):
3313         (JSC::B3::Air::BasicBlock::BasicBlock):
3314         * b3/air/AirBasicBlock.h: Added.
3315         (JSC::B3::Air::BasicBlock::index):
3316         (JSC::B3::Air::BasicBlock::size):
3317         (JSC::B3::Air::BasicBlock::begin):
3318         (JSC::B3::Air::BasicBlock::end):
3319         (JSC::B3::Air::BasicBlock::at):
3320         (JSC::B3::Air::BasicBlock::last):
3321         (JSC::B3::Air::BasicBlock::appendInst):
3322         (JSC::B3::Air::BasicBlock::append):
3323         (JSC::B3::Air::BasicBlock::numSuccessors):
3324         (JSC::B3::Air::BasicBlock::successor):
3325         (JSC::B3::Air::BasicBlock::successors):
3326         (JSC::B3::Air::BasicBlock::successorBlock):
3327         (JSC::B3::Air::BasicBlock::successorBlocks):
3328         (JSC::B3::Air::BasicBlock::numPredecessors):
3329         (JSC::B3::Air::BasicBlock::predecessor):
3330         (JSC::B3::Air::BasicBlock::predecessors):
3331         (JSC::B3::Air::DeepBasicBlockDump::DeepBasicBlockDump):
3332         (JSC::B3::Air::DeepBasicBlockDump::dump):
3333         (JSC::B3::Air::deepDump):
3334         * b3/air/AirCCallSpecial.cpp: Added.
3335         (JSC::B3::Air::CCallSpecial::CCallSpecial):
3336         (JSC::B3::Air::CCallSpecial::~CCallSpecial):
3337         (JSC::B3::Air::CCallSpecial::forEachArg):
3338         (JSC::B3::Air::CCallSpecial::isValid):
3339         (JSC::B3::Air::CCallSpecial::admitsStack):
3340         (JSC::B3::Air::CCallSpecial::reportUsedRegisters):
3341         (JSC::B3::Air::CCallSpecial::generate):
3342         (JSC::B3::Air::CCallSpecial::extraClobberedRegs):
3343         (JSC::B3::Air::CCallSpecial::dumpImpl):
3344         (JSC::B3::Air::CCallSpecial::deepDumpImpl):
3345         * b3/air/AirCCallSpecial.h: Added.
3346         * b3/air/AirCode.cpp: Added.
3347         (JSC::B3::Air::Code::Code):
3348         (JSC::B3::Air::Code::~Code):
3349         (JSC::B3::Air::Code::addBlock):
3350         (JSC::B3::Air::Code::addStackSlot):
3351         (JSC::B3::Air::Code::addSpecial):
3352         (JSC::B3::Air::Code::cCallSpecial):
3353         (JSC::B3::Air::Code::resetReachability):
3354         (JSC::B3::Air::Code::dump):
3355         (JSC::B3::Air::Code::findFirstBlockIndex):
3356         (JSC::B3::Air::Code::findNextBlockIndex):
3357         (JSC::B3::Air::Code::findNextBlock):
3358         * b3/air/AirCode.h: Added.
3359         (JSC::B3::Air::Code::newTmp):
3360         (JSC::B3::Air::Code::numTmps):
3361         (JSC::B3::Air::Code::callArgAreaSize):
3362         (JSC::B3::Air::Code::requestCallArgAreaSize):
3363         (JSC::B3::Air::Code::frameSize):
3364         (JSC::B3::Air::Code::setFrameSize):
3365         (JSC::B3::Air::Code::calleeSaveRegisters):
3366         (JSC::B3::Air::Code::size):
3367         (JSC::B3::Air::Code::at):
3368         (JSC::B3::Air::Code::operator[]):
3369         (JSC::B3::Air::Code::iterator::iterator):
3370         (JSC::B3::Air::Code::iterator::operator*):
3371         (JSC::B3::Air::Code::iterator::operator++):
3372         (JSC::B3::Air::Code::iterator::operator==):
3373         (JSC::B3::Air::Code::iterator::operator!=):
3374         (JSC::B3::Air::Code::begin):
3375         (JSC::B3::Air::Code::end):
3376         (JSC::B3::Air::Code::StackSlotsCollection::StackSlotsCollection):
3377         (JSC::B3::Air::Code::StackSlotsCollection::size):
3378         (JSC::B3::Air::Code::StackSlotsCollection::at):
3379         (JSC::B3::Air::Code::StackSlotsCollection::operator[]):
3380         (JSC::B3::Air::Code::StackSlotsCollection::iterator::iterator):
3381         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator*):
3382         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator++):
3383         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator==):
3384         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator!=):
3385         (JSC::B3::Air::Code::StackSlotsCollection::begin):
3386         (JSC::B3::Air::Code::StackSlotsCollection::end):
3387         (JSC::B3::Air::Code::stackSlots):
3388         (JSC::B3::Air::Code::SpecialsCollection::SpecialsCollection):
3389         (JSC::B3::Air::Code::SpecialsCollection::size):
3390         (JSC::B3::Air::Code::SpecialsCollection::at):
3391         (JSC::B3::Air::Code::SpecialsCollection::operator[]):
3392         (JSC::B3::Air::Code::SpecialsCollection::iterator::iterator):
3393         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator*):