[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-08-04  Saam Barati  <sbarati@apple.com>
2
3         Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time
4         https://bugs.webkit.org/show_bug.cgi?id=151241
5
6         Reviewed by Benjamin Poulain.
7
8         This patch rolls back in the jettisoning policy from https://bugs.webkit.org/show_bug.cgi?id=149727.
9         We can now jettison a CodeBlock when it has been alive for a long time
10         and is only pointed to by its owner executable. I haven't been able to get this
11         patch to crash on anything it used to crash on, so I suspect we've fixed the bugs that
12         were causing this before. I've also added some stress options for this feature that
13         will cause us to either eagerly old-age jettison or to old-age jettison whenever it's legal.
14         These options helped me find a bug where we would ask an Executable to create a CodeBlock,
15         and then the Executable would do some other allocations, causing a GC, immediately causing
16         the CodeBlock to jettison. There is a small chance that this was the bug we were seeing before,
17         however, it's unlikely given that the previous timing metrics require at least 5 seconds between
18         compiling to jettisoning.
19
20         This patch also enables the stress options for various modes
21         of JSC stress tests.
22
23         * bytecode/CodeBlock.cpp:
24         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
25         (JSC::timeToLive):
26         (JSC::CodeBlock::shouldJettisonDueToOldAge):
27         * interpreter/CallFrame.h:
28         (JSC::ExecState::callee):
29         (JSC::ExecState::unsafeCallee):
30         (JSC::ExecState::codeBlock):
31         (JSC::ExecState::addressOfCodeBlock):
32         (JSC::ExecState::unsafeCodeBlock):
33         (JSC::ExecState::scope):
34         * interpreter/Interpreter.cpp:
35         (JSC::Interpreter::execute):
36         (JSC::Interpreter::executeCall):
37         (JSC::Interpreter::executeConstruct):
38         (JSC::Interpreter::prepareForRepeatCall):
39         * jit/JITOperations.cpp:
40         * llint/LLIntSlowPaths.cpp:
41         (JSC::LLInt::setUpCall):
42         * runtime/Executable.cpp:
43         (JSC::ScriptExecutable::installCode):
44         (JSC::setupJIT):
45         (JSC::ScriptExecutable::prepareForExecutionImpl):
46         * runtime/Executable.h:
47         (JSC::ScriptExecutable::prepareForExecution):
48         * runtime/Options.h:
49
50 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
51
52         [ES6] JSModuleNamespaceObject's Symbol.iterator function should have name
53         https://bugs.webkit.org/show_bug.cgi?id=160549
54
55         Reviewed by Saam Barati.
56
57         ES6 Module's namespace[Symbol.iterator] function should have the name, "[Symbol.iterator]".
58
59         * runtime/JSModuleNamespaceObject.cpp:
60         (JSC::JSModuleNamespaceObject::finishCreation):
61
62 2016-08-04  Keith Miller  <keith_miller@apple.com>
63
64         ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
65         https://bugs.webkit.org/show_bug.cgi?id=160562
66         <rdar://problem/27704825>
67
68         Reviewed by Mark Lam.
69
70         This patch fixes an issue where we would emit incorrect code in the DFG when constant folding would
71         convert a GetByOffset into a constant late in compilation. Additionally, it removes invalid assertions
72         associated with the assumption that this could not happen.
73
74         * dfg/DFGSpeculativeJIT64.cpp:
75         (JSC::DFG::SpeculativeJIT::compile):
76         * ftl/FTLLowerDFGToB3.cpp:
77         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance): Deleted.
78
79 2016-08-04  Keith Miller  <keith_miller@apple.com>
80
81         Remove unused intrinsic member of NativeExecutable
82         https://bugs.webkit.org/show_bug.cgi?id=160560
83
84         Reviewed by Saam Barati.
85
86         NativeExecutable has an Intrinsic member. It appears that this member is never
87         used. Instead we use the Intrinsic member NativeExecutable's super class,
88         ExecutableBase.
89
90         * runtime/Executable.h:
91
92 2016-08-04  Benjamin Poulain  <bpoulain@apple.com>
93
94         [JSC] Speed up InPlaceAbstractState::endBasicBlock()
95         https://bugs.webkit.org/show_bug.cgi?id=160539
96
97         Reviewed by Mark Lam.
98
99         This patch does small improvements to our handling
100         of value propagation to the successors.
101
102         One key insight is that using HashMap to map Nodes
103         to Value in valuesAtTail is too inefficient at the scale
104         we use it. Instead, I reuse our existing mapping
105         from every Node to its value, abstracted by forNode().
106
107         Since we are not going to use the mapping after endBasicBlock()
108         I can replace whatever we had there. The next beginBasicBlock()
109         will set up the new value as needed.
110
111         In endBasicBlock(), valuesAtTail is now a vector of all values live
112         at tail. For each node, I merge the previous live at tail with
113         the new value, then replace the value in the mapping.
114         Liveness Analysis guarantees we won't have duplicates there which
115         makes the replacement sound.
116
117         Next, when propagating, I take the vector of values live at head
118         and use the global node->value mapping to find its new abstract value.
119         Again, Liveness Analysis guarantees I won't find a value live at head
120         that was not replaced by the merging at tail of the predecessor.
121
122         All our live lists have become vectors instead of HashTable.
123         The mapping from Node to Value is always done by array indexing.
124         Same big-O, much smaller constant.
125
126         * dfg/DFGAtTailAbstractState.cpp:
127         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
128         (JSC::DFG::AtTailAbstractState::createValueForNode):
129         (JSC::DFG::AtTailAbstractState::forNode):
130         * dfg/DFGAtTailAbstractState.h:
131         I did not look much into this state, I just made it equivalent
132         to the previous mapping.
133
134         * dfg/DFGBasicBlock.h:
135         * dfg/DFGCFAPhase.cpp:
136         (JSC::DFG::CFAPhase::performBlockCFA):
137         * dfg/DFGGraph.cpp:
138         (JSC::DFG::Graph::dump):
139         * dfg/DFGInPlaceAbstractState.cpp:
140         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
141
142         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
143         AbstractValue is big enough that we really don't want to copy it twice.
144
145         (JSC::DFG::InPlaceAbstractState::merge):
146         (JSC::DFG::setLiveValues): Deleted.
147         * dfg/DFGInPlaceAbstractState.h:
148
149         * dfg/DFGPhiChildren.h:
150         This is heap allocated by AbstractInterpreter. It should use fastMalloc().
151
152 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
153
154         [ES7] Update features.json for exponentiation expression
155         https://bugs.webkit.org/show_bug.cgi?id=160541
156
157         Reviewed by Mark Lam.
158
159         * features.json:
160
161 2016-08-03  Chris Dumez  <cdumez@apple.com>
162
163         Drop DocumentType.internalSubset attribute
164         https://bugs.webkit.org/show_bug.cgi?id=160530
165
166         Reviewed by Alex Christensen.
167
168         Drop DocumentType.internalSubset attribute.
169
170         * inspector/protocol/DOM.json:
171
172 2016-08-03  Benjamin Poulain  <bpoulain@apple.com>
173
174         [JSC] Improve the memory locality of DFG Node's AbstractValues
175         https://bugs.webkit.org/show_bug.cgi?id=160443
176
177         Reviewed by Mark Lam.
178
179         The AbstractInterpreter spends a lot of time on memory operations
180         for AbstractValues. This patch attempts to improve the situation
181         by putting the values closer together in memory.
182
183         First, AbstractValue is moved out of DFG::Node and is kept in
184         a vector addressed by node indices.
185
186         I initially moved them to InPlaceAbstractState but I quickly discovered
187         initializing the values in the vector was costly.
188         I moved the vector to Graph as a cache shared by every instantiation of
189         InPlaceAbstractState. It is mainly there to avoid constructors and destructors
190         of AbstractValue. The patch of https://bugs.webkit.org/show_bug.cgi?id=160370
191         should also help eventually.
192
193         I instrumented CFA to find how packed SparseCollection is.
194         The answer is it can be very sparse, which is bad for CFA.
195         I added packIndices() to repack the collection before running
196         liveness since that's where we start using the memory intensively.
197         This is a measurable improvement but it implies we can no longer
198         keep indices on a side channel between phases since they may change.
199
200         * b3/B3SparseCollection.h:
201         (JSC::B3::SparseCollection::packIndices):
202         * dfg/DFGGraph.cpp:
203         (JSC::DFG::Graph::packNodeIndices):
204         * dfg/DFGGraph.h:
205         (JSC::DFG::Graph::abstractValuesCache):
206         * dfg/DFGInPlaceAbstractState.cpp:
207         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
208         * dfg/DFGInPlaceAbstractState.h:
209         (JSC::DFG::InPlaceAbstractState::forNode):
210         * dfg/DFGLivenessAnalysisPhase.cpp:
211         (JSC::DFG::performLivenessAnalysis):
212         * dfg/DFGNode.h:
213
214 2016-08-03  Caitlin Potter  <caitp@igalia.com>
215
216         Clarify SyntaxErrors around yield and unskip tests
217         https://bugs.webkit.org/show_bug.cgi?id=158460
218
219         Reviewed by Saam Barati.
220
221         Fix and unskip tests which erroneously asserted that `yield` is not a
222         valid BindingIdentifier, and improve error message for YieldExpressions
223         occurring in Arrow formal parameters.
224
225         * parser/Parser.cpp:
226         (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
227         (JSC::Parser<LexerType>::parseFunctionInfo):
228         (JSC::Parser<LexerType>::parseYieldExpression):
229         * parser/Parser.h:
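The distinction the entry above draws, `yield` as a valid BindingIdentifier in sloppy non-generator code versus a SyntaxError in strict code, in generator bodies and in generator arrow parameters, can be probed directly. This is an added example and not code from the WebKit patch; it compiles each constructed source string in isolation with the Function constructor, and the `parses` and `probeYield` names are mine.

```javascript
// Added example (not part of the WebKit ChangeLog or patch): probe which
// uses of `yield` the parser accepts. Each source is compiled on its own via
// the Function constructor, so a SyntaxError in one case cannot leak into
// another. Function bodies are sloppy mode unless the source opts in.
function parses(source) {
  try {
    new Function(source); // compile only; nothing is executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in the probe itself
  }
}

function probeYield() {
  return {
    // sloppy, non-generator: `yield` is an ordinary identifier
    sloppyBinding: parses("var yield = 1; return yield;"),
    // sloppy arrow formal parameter named yield is also fine
    sloppyArrowParam: parses("return (yield) => yield;"),
    // strict mode reserves `yield`
    strictBinding: parses("'use strict'; var yield = 1;"),
    // inside a generator body `yield` is a keyword, not a binding
    generatorBinding: parses("function* g() { var yield = 1; }"),
    // a YieldExpression cannot appear in generator formal parameters
    generatorFormalDefault: parses("function* g(a = yield) {}"),
    // arrow formal parameters inside a generator cannot bind `yield`
    generatorArrowParam: parses("function* g() { (yield) => 1; }"),
    // the ordinary use of yield in a generator still parses
    generatorYieldExpression: parses("function* g() { yield 1; }"),
  };
}
```

Run `probeYield()` in any ES2015-capable engine: the three `sloppy*`/`generatorYieldExpression` cases report `true`, the others `false`.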
230
231 2016-08-03  Filip Pizlo  <fpizlo@apple.com>
232
233         REGRESSION(r203368): broke some test262 tests
234         https://bugs.webkit.org/show_bug.cgi?id=160479
235
236         Reviewed by Mark Lam.
237         
238         The optimization in r203368 overlooked a subtle detail: freezing should not set ReadOnly on
239         Accessor properties.
240
241         * runtime/Structure.cpp:
242         (JSC::Structure::nonPropertyTransition):
243         * runtime/StructureTransitionTable.h:
244         (JSC::setsDontDeleteOnAllProperties):
245         (JSC::setsReadOnlyOnNonAccessorProperties):
246         (JSC::setsReadOnlyOnAllProperties): Deleted.
247
248 2016-08-03  Csaba Osztrogonác  <ossy@webkit.org>
249
250         Lacking support on an arm-traditional disassembler.
251         https://bugs.webkit.org/show_bug.cgi?id=123717
252
253         Reviewed by Mark Lam.
254
255         * CMakeLists.txt:
256         * disassembler/ARMLLVMDisassembler.cpp: Added, based on pre r196729 LLVMDisassembler, but it is ARM traditional only now.
257         (JSC::tryToDisassemble):
258
259 2016-08-03  Saam Barati  <sbarati@apple.com>
260
261         Implement nested rest destructuring w.r.t the ES7 spec
262         https://bugs.webkit.org/show_bug.cgi?id=160423
263
264         Reviewed by Filip Pizlo.
265
266         The spec has updated the BindingRestElement grammar production to be:
267         BindingRestElement:
268            BindingIdentifier
269            BindingPattern.
270
271         It used to only allow BindingIdentifier in the grammar production.
272         I've updated our engine to account for this. The semantics are exactly
273         what you'd expect.  For example:
274         `let [a, ...[b, ...c]] = expr();`
275         means that we create an array for the first rest element `...[b, ...c]`
276         and then perform the binding of `[b, ...c]` to that array. And so on, 
277         applied recursively through the pattern.
278
279         * bytecompiler/NodesCodegen.cpp:
280         (JSC::RestParameterNode::collectBoundIdentifiers):
281         (JSC::RestParameterNode::toString):
282         (JSC::RestParameterNode::bindValue):
283         (JSC::RestParameterNode::emit):
284         * parser/ASTBuilder.h:
285         (JSC::ASTBuilder::createBindingLocation):
286         (JSC::ASTBuilder::createRestParameter):
287         (JSC::ASTBuilder::createAssignmentElement):
288         * parser/NodeConstructors.h:
289         (JSC::AssignmentElementNode::AssignmentElementNode):
290         (JSC::RestParameterNode::RestParameterNode):
291         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
292         * parser/Nodes.h:
293         (JSC::RestParameterNode::name): Deleted.
294         * parser/Parser.cpp:
295         (JSC::Parser<LexerType>::parseDestructuringPattern):
296         (JSC::Parser<LexerType>::parseFormalParameters):
297         * parser/SyntaxChecker.h:
298         (JSC::SyntaxChecker::operatorStackPop):
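The semantics the entry describes for `let [a, ...[b, ...c]] = expr();` generalise to rest elements in formal parameters, to object patterns nested in a rest element, and to assignment (as opposed to declaration) form. The following is an added example, not code from the WebKit patch; the function names and the sample inputs are mine.

```javascript
// Added example (not part of the WebKit ChangeLog or patch): nested rest
// destructuring under the updated BindingRestElement grammar, which allows
// a BindingPattern, not just a BindingIdentifier, after `...`.

// The first rest `...[b, ...c]` collects everything after `a` into a fresh
// array; `[b, ...c]` is then bound against that array, and so on recursively.
function destructureNested(expr) {
  const [a, ...[b, ...c]] = expr;
  return { a, b, c };
}

// The same production inside formal parameters.
function restParam(first, ...[second, ...others]) {
  return { first, second, others };
}

// An object pattern nested inside the rest element: `length` and index 0
// are read from the array the rest element created.
function restObjectPattern(list) {
  const [head, ...{ length, 0: next }] = list;
  return { head, length, next };
}

// Assignment form (AssignmentElement rather than a declaration binding).
function assignNested(arr) {
  let a, b, c;
  [a, ...[b, ...c]] = arr;
  return [a, b, c];
}

// Rest always produces an array, so a short input leaves `b` undefined
// and `c` empty rather than throwing; a non-iterable input throws TypeError.
function describeFailure(expr) {
  try {
    destructureNested(expr);
    return "ok";
  } catch (e) {
    return e.constructor.name;
  }
}
```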
299
300 2016-08-03  Benjamin Poulain  <benjamin@webkit.org>
301
302         [JSC] Fix Windows build after r204065
303
304         * dfg/DFGAbstractValue.cpp:
305         (JSC::DFG::AbstractValue::observeTransitions):
306         AbstractValue is bigger on Windows for an unknown reason.
307
308 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
309
310         [JSC] Fix 32bits jsc after r204065
311
312         Default constructed JSValue() are not equal to zero in 32bits.
313
314         * dfg/DFGAbstractValue.h:
315         (JSC::DFG::AbstractValue::AbstractValue):
316
317 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
318
319         [JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter
320         https://bugs.webkit.org/show_bug.cgi?id=160370
321
322         Reviewed by Saam Barati.
323
324         We use a ton of AbstractValue to run the Abstract Interpreter.
325
326         When we set up the initial values, the compiler sets
327         a zero on a first word, a one on a second word, and a zero
328         again on a third word.
329         Since no vector or double-store can deal with 3 words, unrolling
330         is done by repeating those instructions.
331
332         The reason for the one was TinyPtrSet. It needed a flag for
333         empty value to identify the set as thin. I flipped the flag to "fat"
334         to make sure TinyPtrSet is initialized to zero.
335
336         With that done, I just had to clean some places to make
337         the initialization shorter.
338         It makes the binary easier to follow but this does not help with
339         the bigger problem: the time spent per block on Abstract Interpreter.
340
341         * bytecode/Operands.h:
342         The traits were useless, no client code defines them.
343
344         (JSC::Operands::Operands):
345         (JSC::Operands::ensureLocals):
346         Because of the size of the function, llvm is not inlining it.
347         We were literally loading 3 registers from memory and storing
348         them in the vector.
349         Now that AbstractValue has a VectorTraits, we should just rely
350         on the memset of Vector when possible.
351
352         (JSC::Operands::getLocal):
353         (JSC::Operands::setArgumentFirstTime):
354         (JSC::Operands::setLocalFirstTime):
355         (JSC::Operands::clear):
356         (JSC::OperandValueTraits::defaultValue): Deleted.
357         (JSC::OperandValueTraits::isEmptyForDump): Deleted.
358         * bytecode/OperandsInlines.h:
359         (JSC::Operands<T>::dumpInContext):
360         (JSC::Operands<T>::dump):
361         (JSC::Traits>::dumpInContext): Deleted.
362         (JSC::Traits>::dump): Deleted.
363         * dfg/DFGAbstractValue.cpp:
364         * dfg/DFGAbstractValue.h:
365         (JSC::DFG::AbstractValue::AbstractValue):
366
367 2016-08-02  Saam Barati  <sbarati@apple.com>
368
369         update a class extending null w.r.t the ES7 spec
370         https://bugs.webkit.org/show_bug.cgi?id=160417
371
372         Reviewed by Keith Miller.
373
374         When a class extends null, it should not be marked as a derived class.
375         This was changed in the ES2016 spec, and this patch makes the needed
376         changes in JSC to follow the spec. This allows classes to extend
377         null and have their default constructor invoked without throwing an exception.
378         This also prevents |this| from being under TDZ at the start of the constructor.
379         Because ES6 allows arbitrary expressions in the `class <ident> extends <expr>`
380         syntax, we don't know statically if a constructor is extending null or not.
381         Therefore, we don't always know statically if it's a base or derived constructor.
382         I solved this by putting a boolean on the constructor function under a private
383         symbol named isDerivedConstructor when doing class construction. We only need
384         to put this boolean on constructors that may extend null. Constructors that are
385         declared in a class with no extends syntax can tell statically that they are a base constructor.
386
387         I've also renamed the ConstructorKind::Derived enum value to be
388         ConstructorKind::Extends to better indicate that we can't answer
389         the "am I a derived constructor?" question statically.
390
391         * builtins/BuiltinExecutables.cpp:
392         (JSC::BuiltinExecutables::createDefaultConstructor):
393         * builtins/BuiltinNames.h:
394         * bytecompiler/BytecodeGenerator.cpp:
395         (JSC::BytecodeGenerator::BytecodeGenerator):
396         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
397         (JSC::BytecodeGenerator::emitReturn):
398         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
399         (JSC::BytecodeGenerator::ensureThis):
400         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
401         * bytecompiler/BytecodeGenerator.h:
402         (JSC::BytecodeGenerator::makeFunction):
403         * bytecompiler/NodesCodegen.cpp:
404         (JSC::EvalFunctionCallNode::emitBytecode):
405         (JSC::FunctionCallValueNode::emitBytecode):
406         (JSC::FunctionNode::emitBytecode):
407         (JSC::ClassExprNode::emitBytecode):
408         * parser/Parser.cpp:
409         (JSC::Parser<LexerType>::Parser):
410         (JSC::Parser<LexerType>::parseFunctionInfo):
411         (JSC::Parser<LexerType>::parseClass):
412         (JSC::Parser<LexerType>::parseMemberExpression):
413         * parser/ParserModes.h:
414
415 2016-08-02  Enrica Casucci  <enrica@apple.com>
416
417         Allow building with content filtering disabled.
418         https://bugs.webkit.org/show_bug.cgi?id=160454
419
420         Reviewed by Simon Fraser.
421
422         * Configurations/FeatureDefines.xcconfig:
423
424 2016-08-02  Csaba Osztrogonác  <ossy@webkit.org>
425
426         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
427         https://bugs.webkit.org/show_bug.cgi?id=159759
428
429         Reviewed by Saam Barati.
430
431         * jit/JITMathIC.h:
432         (JSC::JITMathIC::generateInline):
433
434 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
435
436         REGRESSION (r203990): JSC Debug test stress/arity-check-ftl-throw.js failing
437         https://bugs.webkit.org/show_bug.cgi?id=160438
438
439         Reviewed by Mark Lam.
440         
441         In r203990 I fixed a bug where CommonSlowPaths.h/arityCheckFor() was basically failing at
442         catching stack overflow due to large parameter count. It would only catch regular old stack
443         overflow, like if the frame pointer was already past the limit.
444         
445         This had a secondary problem: unfortunately all of our tests for what happens when you overflow
446         the stack due to large parameter count were not going down that path at all, so we haven't had
447         test coverage for this in ages.  There were bugs in all tiers of the engine when handling this
448         case.
449
450         We need to be able to roll back the topCallFrame on paths that are meant to throw an exception
451         from the caller. Otherwise, we'd crash in StackVisitor because it would see a busted stack
452         frame. Rolling back like this "just works" except when the caller is the VM entry frame. I had
453         some choices here. I could have forced anyone who is rolling back to always skip VM entry
454         frames. They can't do it in a way that changes the value of VM::topVMEntryFrame, which is what
455         a stack frame roll back normally does, since exception unwinding needs to see the current value
456         of topVMEntryFrame. So, we have a choice to either try to magically avoid all of the paths that
457         look at topCallFrame, or give topCallFrame a state that unambiguously signals that we are
458         sitting right on top of a VM entry frame without having succeeded at making a JS call. The only
459         place that really needs to know is StackVisitor, which wants to start scanning at topCallFrame.
460         To signal this, I could have either made topCallFrame point to the real top JS call frame
461         without also rolling back topVMEntryFrame, or I could make topCallFrame == topVMEntryFrame. The
462         latter felt somehow cleaner. I filed a bug (https://bugs.webkit.org/show_bug.cgi?id=160441) for
463         converting topCallFrame to a void*, which would give us a chance to harden the rest of the
464         engine against this case.
465         
466         * interpreter/StackVisitor.cpp:
467         (JSC::StackVisitor::StackVisitor):
468         We may do ShadowChicken processing, which invokes StackVisitor, when we have topCallFrame
469         pointing at topVMEntryFrame. This teaches StackVisitor how to handle this case. I believe that
470         StackVisitor is the only place that needs to be taught about this at this time, because it's
471         one of the few things that access topCallFrame along this special path.
472         
473         * jit/JITOperations.cpp: Roll back the top call frame.
474         * runtime/CommonSlowPaths.cpp:
475         (JSC::SLOW_PATH_DECL): Roll back the top call frame.
476
477 2016-08-01  Benjamin Poulain  <bpoulain@apple.com>
478
479         [JSC][ARM64] Fix branchTest32/64 taking an immediate as mask
480         https://bugs.webkit.org/show_bug.cgi?id=160439
481
482         Reviewed by Filip Pizlo.
483
484         * assembler/MacroAssemblerARM64.h:
485         (JSC::MacroAssemblerARM64::branchTest64):
486         * b3/air/AirOpcode.opcodes:
487         Fix the ARM64 codegen to lower BitImm64 without using a scratch register.
488
489 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
490
491         [B3] Fusing immediates into test instructions should work again
492         https://bugs.webkit.org/show_bug.cgi?id=160073
493
494         Reviewed by Sam Weinig.
495
496         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
497         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
498         was still using Imm!  This meant that isValidForm() always returned false.
499         
500         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
501         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
502         with the scratch register).
503         
504         This is not an obvious progression on anything, so I added comprehensive tests to
505         testb3, which check that we selected the optimal instruction in a variety of situations.
506         We should add more tests like this!
507
508         Rolling this back in after fixing ARM64. The bug was that branchTest32|64 on ARM64 doesn't
509         actually support BitImm or BitImm64, at least not yet. Disabling that in AirOpcodes makes
510         this patch not a regression on ARM64. That change was reviewed by Benjamin Poulain.
511
512         * b3/B3BasicBlock.h:
513         (JSC::B3::BasicBlock::successorBlock):
514         * b3/B3LowerToAir.cpp:
515         (JSC::B3::Air::LowerToAir::createGenericCompare):
516         * b3/B3LowerToAir.h:
517         * b3/air/AirArg.cpp:
518         (JSC::B3::Air::Arg::isRepresentableAs):
519         (JSC::B3::Air::Arg::usesTmp):
520         * b3/air/AirArg.h:
521         (JSC::B3::Air::Arg::isRepresentableAs):
522         (JSC::B3::Air::Arg::castToType):
523         (JSC::B3::Air::Arg::asNumber):
524         * b3/air/AirCode.h:
525         (JSC::B3::Air::Code::size):
526         (JSC::B3::Air::Code::at):
527         * b3/air/AirOpcode.opcodes:
528         * b3/air/AirValidate.h:
529         * b3/air/opcode_generator.rb:
530         * b3/testb3.cpp:
531         (JSC::B3::compile):
532         (JSC::B3::compileAndRun):
533         (JSC::B3::lowerToAirForTesting):
534         (JSC::B3::testSomeEarlyRegister):
535         (JSC::B3::testBranchBitAndImmFusion):
536         (JSC::B3::zero):
537         (JSC::B3::run):
538
539 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
540
541         Rationalize varargs stack overflow checks
542         https://bugs.webkit.org/show_bug.cgi?id=160425
543
544         Reviewed by Michael Saboff.
545
546         * ftl/FTLLink.cpp:
547         (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
548         * runtime/CommonSlowPaths.h:
549         (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.
550
551 2016-08-01  Saam Barati  <sbarati@apple.com>
552
553         Sub should be a Math IC
554         https://bugs.webkit.org/show_bug.cgi?id=160270
555
556         Reviewed by Mark Lam.
557
558         This makes Sub an IC like Mul and Add. I'm seeing the following
559         improvements of average Sub size on Unity and JetStream:
560
561                    |  JetStream  |  Unity 3D  |
562              ------|-------------|------------|
563               Old  |  202 bytes  |  205 bytes |
564              ------|-------------|------------|
565               New  |  134 bytes  |  134 bytes |
566              ------|-------------|------------|
567
568         * bytecode/CodeBlock.cpp:
569         (JSC::CodeBlock::addJITMulIC):
570         (JSC::CodeBlock::addJITSubIC):
571         (JSC::CodeBlock::findStubInfo):
572         (JSC::CodeBlock::dumpMathICStats):
573         * bytecode/CodeBlock.h:
574         (JSC::CodeBlock::stubInfoBegin):
575         (JSC::CodeBlock::stubInfoEnd):
576         * dfg/DFGSpeculativeJIT.cpp:
577         (JSC::DFG::SpeculativeJIT::compileArithSub):
578         * ftl/FTLLowerDFGToB3.cpp:
579         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
580         * jit/JITArithmetic.cpp:
581         (JSC::JIT::emit_op_sub):
582         (JSC::JIT::emitSlow_op_sub):
583         (JSC::JIT::emit_op_pow):
584         * jit/JITMathIC.h:
585         * jit/JITMathICForwards.h:
586         * jit/JITOperations.cpp:
587         * jit/JITOperations.h:
588         * jit/JITSubGenerator.cpp:
589         (JSC::JITSubGenerator::generateInline):
590         (JSC::JITSubGenerator::generateFastPath):
591         * jit/JITSubGenerator.h:
592         (JSC::JITSubGenerator::JITSubGenerator):
593         (JSC::JITSubGenerator::isLeftOperandValidConstant):
594         (JSC::JITSubGenerator::isRightOperandValidConstant):
595         (JSC::JITSubGenerator::arithProfile):
596         (JSC::JITSubGenerator::didEmitFastPath): Deleted.
597         (JSC::JITSubGenerator::endJumpList): Deleted.
598         (JSC::JITSubGenerator::slowPathJumpList): Deleted.
599
600 2016-08-01  Keith Miller  <keith_miller@apple.com>
601
602         We should not keep the JavaScript tests inside the Source/JavaScriptCore/ directory.
603         https://bugs.webkit.org/show_bug.cgi?id=160372
604
605         Rubber stamped by Geoffrey Garen.
606
607         This patch moves all the JavaScript tests from Source/JavaScriptCore/tests to
608         a new top level directory, JSTests. Having the tests in the Source directory
609         was both confusing and inconvenient for people that just want to check out the
610         source code of WebKit. Since there is no other obvious place to put all the
611         JavaScript tests a new top level directory seemed the most sensible.
612
613         * tests/: Deleted.
614
615 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
616
617         [JSC] Should check Test262Error correctly
618         https://bugs.webkit.org/show_bug.cgi?id=159862
619
620         Reviewed by Saam Barati.
621
622         Test262Error in the harness does not have "name" property.
623         Rather than checking "name" property, performing `instanceof` is better to check the class of the exception.
624
625         * jsc.cpp:
626         (checkUncaughtException):
627         * runtime/JSObject.h:
628         * tests/test262.yaml:
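The point of the entry above, that a `name` check both misses the real harness error (which has no `name` property) and is trivially satisfied by any object that sets one, is easy to demonstrate. This is an added example and not the JSC `jsc.cpp` code; `Test262Error` is modelled on the test262 harness definition, and the checker function names are mine.

```javascript
// Added example (not part of the WebKit ChangeLog or jsc.cpp): classifying
// an uncaught exception by prototype chain instead of by its "name" string.

// Modelled on the test262 harness: the error carries no "name" property,
// only a message and a toString.
function Test262Error(message) {
  this.message = message || "";
}
Test262Error.prototype.toString = function () {
  return "Test262Error: " + this.message;
};

// Weak check: depends on a property that is absent on the real error and
// trivially present on any object that chooses to set it.
function isTest262ErrorByName(err) {
  return err != null && err.name === "Test262Error";
}

// Robust check: walks the prototype chain, which a plain object cannot
// satisfy without being constructed from Test262Error.
function isTest262ErrorByInstanceof(err) {
  return err instanceof Test262Error;
}

// Shape of a shell's uncaught-exception handler: decide whether the thrown
// value is the harness's own error class or something else.
function classifyUncaught(thrown, useInstanceof) {
  const check = useInstanceof ? isTest262ErrorByInstanceof : isTest262ErrorByName;
  return check(thrown) ? "test262-error" : "other";
}
```

The constructed impostor `{ name: "Test262Error" }` passes the name check and fails the `instanceof` check; the genuine harness error does the opposite, which is exactly the misclassification the patch removes.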
629
630 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
631
632         [ES6] Module binding can be exported by multiple names
633         https://bugs.webkit.org/show_bug.cgi?id=160343
634
635         Reviewed by Saam Barati.
636
637         ES6 Module can export the same local binding by using multiple names.
638         For example,
639
640             ```
641             var value = 42;
642
643             export { value };
644             export { value as value2 };
645             ```
646
647         Currently, we only allowed one local binding to be exported with one name. So, in the above case,
648         the local binding "value" is exported as "value2" and "value" name is not exported. This is wrong.
649
650         To fix this issue, we collect the correspondence (local name => exported name) to the local bindings
651         in the parser. Previously, we only maintained the exported local bindings in the parser. And utilize
652         this information when creating the export entries in ModuleAnalyzer.
653
654         And this patch also moves ModuleScopeData from the Scope object to the Parser class since exported
655         names should be managed per-module, not per-scope.
656
657         This change fixes several test262 failures.
658
659         * JavaScriptCore.xcodeproj/project.pbxproj:
660         * parser/ModuleAnalyzer.cpp:
661         (JSC::ModuleAnalyzer::exportVariable):
662         (JSC::ModuleAnalyzer::analyze):
663         (JSC::ModuleAnalyzer::exportedBinding): Deleted.
664         (JSC::ModuleAnalyzer::declareExportAlias): Deleted.
665         * parser/ModuleAnalyzer.h:
666         * parser/ModuleScopeData.h: Copied from Source/JavaScriptCore/parser/ModuleAnalyzer.h.
667         (JSC::ModuleScopeData::create):
668         (JSC::ModuleScopeData::exportedBindings):
669         (JSC::ModuleScopeData::exportName):
670         (JSC::ModuleScopeData::exportBinding):
671         * parser/Nodes.cpp:
672         (JSC::ProgramNode::ProgramNode):
673         (JSC::ModuleProgramNode::ModuleProgramNode):
674         (JSC::EvalNode::EvalNode):
675         (JSC::FunctionNode::FunctionNode):
676         * parser/Nodes.h:
677         (JSC::ModuleProgramNode::moduleScopeData):
678         * parser/NodesAnalyzeModule.cpp:
679         (JSC::ExportDefaultDeclarationNode::analyzeModule):
680         (JSC::ExportNamedDeclarationNode::analyzeModule): Deleted.
681         * parser/Parser.cpp:
682         (JSC::Parser<LexerType>::Parser):
683         (JSC::Parser<LexerType>::parseModuleSourceElements):
684         (JSC::Parser<LexerType>::parseVariableDeclarationList):
685         (JSC::Parser<LexerType>::createBindingPattern):
686         (JSC::Parser<LexerType>::parseFunctionDeclaration):
687         (JSC::Parser<LexerType>::parseClassDeclaration):
688         (JSC::Parser<LexerType>::parseExportSpecifier):
689         (JSC::Parser<LexerType>::parseExportDeclaration):
690         * parser/Parser.h:
691         (JSC::Parser::exportName):
692         (JSC::Parser<LexerType>::parse):
693         (JSC::ModuleScopeData::create): Deleted.
694         (JSC::ModuleScopeData::exportedBindings): Deleted.
695         (JSC::ModuleScopeData::exportName): Deleted.
696         (JSC::ModuleScopeData::exportBinding): Deleted.
697         (JSC::Scope::Scope): Deleted.
698         (JSC::Scope::setSourceParseMode): Deleted.
699         (JSC::Scope::moduleScopeData): Deleted.
700         (JSC::Scope::setIsModule): Deleted.
701         * tests/modules/aliased-names.js: Added.
702         * tests/modules/aliased-names/main.js: Added.
703         (change):
704         * tests/stress/modules-syntax-error-with-names.js:
705         (export.Cocoa):
706         (SyntaxError.Cannot.export.a.duplicate.name):
707         * tests/test262.yaml:
708
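        An added example, not code from this ChangeLog or from WebKit: a small model of the per-module
        export bookkeeping the entry above describes. One local binding may be exported under several
        names, so the table maps local name => set of exported names, and duplicate exported names are
        rejected per module. The mini parser only understands `export { a, b as c };` lists; the statement
        strings are constructed for the example.

```javascript
// Added example, not JSC code: a model of the parser-side bookkeeping the
// entry describes. One local binding may be exported under several names, so
// the table maps local name => set of exported names, and exported names are
// checked for uniqueness per module. Statement strings below are constructed.

// Minimal parser for `export { a, b as c };` (named export lists only).
function parseExportSpecifiers(statement) {
  const m = /^export\s*\{([^}]*)\}\s*;?$/.exec(statement.trim());
  if (!m) throw new SyntaxError(`Unsupported export form: ${statement}`);
  return m[1].split(',').map(s => s.trim()).filter(Boolean).map(spec => {
    const [localName, exportedName] = spec.split(/\s+as\s+/);
    return { localName, exportedName: exportedName || localName };
  });
}

// Per-module export table (the role ModuleScopeData plays after the fix).
class ModuleScopeData {
  constructor() {
    this.exportedNames = new Set();      // every exported name seen so far
    this.exportedBindings = new Map();   // local name => Set of exported names
  }
  // Returns false when the name is already exported (duplicate => SyntaxError).
  exportName(exportedName) {
    if (this.exportedNames.has(exportedName)) return false;
    this.exportedNames.add(exportedName);
    return true;
  }
  exportBinding(localName, exportedName) {
    if (!this.exportedBindings.has(localName)) this.exportedBindings.set(localName, new Set());
    this.exportedBindings.get(localName).add(exportedName);
  }
}

// Fixed behaviour: one export entry per (local name, exported name) pair.
function collectExportEntries(statements) {
  const data = new ModuleScopeData();
  for (const statement of statements) {
    for (const { localName, exportedName } of parseExportSpecifiers(statement)) {
      if (!data.exportName(exportedName))
        throw new SyntaxError(`Cannot export a duplicate name '${exportedName}'.`);
      data.exportBinding(localName, exportedName);
    }
  }
  const entries = [];
  for (const [localName, names] of data.exportedBindings)
    for (const exportedName of names) entries.push({ localName, exportedName });
  return entries;
}

// Pre-fix behaviour for contrast: only one exported name is remembered per
// local binding, so a later alias silently replaces an earlier export.
function collectExportEntriesBeforeFix(statements) {
  const exportedNameOf = new Map();    // local name => single exported name
  for (const statement of statements)
    for (const { localName, exportedName } of parseExportSpecifiers(statement))
      exportedNameOf.set(localName, exportedName);
  return [...exportedNameOf].map(([localName, exportedName]) => ({ localName, exportedName }));
}

// The module from the entry above, as two statements.
const SAMPLE_MODULE = ['export { value };', 'export { value as value2 };'];
```

        Running collectExportEntries(SAMPLE_MODULE) yields both entries (value->value and
        value->value2), while collectExportEntriesBeforeFix keeps only value->value2, which is the
        wrong result the entry describes.
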
709 2016-07-30  Mark Lam  <mark.lam@apple.com>
710
711         Assertion failure while setting the length of an ArrayClass array.
712         https://bugs.webkit.org/show_bug.cgi?id=160381
713         <rdar://problem/27328703>
714
715         Reviewed by Filip Pizlo.
716
717         When setting large length values, we're currently treating ArrayClass as a
718         ContiguousIndexingType array.  This results in an assertion failure.  This is
719         now fixed.
720
721         There are currently only 2 places where we create arrays with indexing type
722         ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray::setLength()
723         takes care of ArrayPrototype.
724
725         RuntimeArray already checks for the setting of its length property, and will
726         throw a RangeError.  Hence, no change is needed for the RuntimeArray.
727         Instead, I added some test cases to ensure that the check and throw behavior does
728         not change without notice.
729
730         * runtime/JSArray.cpp:
731         (JSC::JSArray::setLength):
732         * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
733         (toString):
734         (assertEqual):
735         * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
736         (toString):
737         (assertEqual):
738
739 2016-07-29  Keith Miller  <keith_miller@apple.com>
740
741         TypedArray super constructor has some incompatibilities
742         https://bugs.webkit.org/show_bug.cgi?id=160369
743
744         Reviewed by Filip Pizlo.
745
746         This patch fixes the length property of the TypedArray super constructor.
747         Additionally, the TypedArray super constructor should no longer be callable.
748
749         Also, this patch fixes the expected result of some test262 tests.
750
751         * runtime/JSTypedArrayViewConstructor.cpp:
752         (JSC::JSTypedArrayViewConstructor::finishCreation):
753         (JSC::constructTypedArrayView):
754         (JSC::JSTypedArrayViewConstructor::getCallData):
755         * tests/test262.yaml:
756
757 2016-07-29  Jonathan Bedard  <jbedard@apple.com>
758
759         Undefined Behavior in JSValue cast from NaN
760         https://bugs.webkit.org/show_bug.cgi?id=160322
761
762         Reviewed by Mark Lam.
763
764         JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.
765
766         In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
767         to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
768         double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
769         should immediately call the explicit double constructor both for efficiency and to prevent inadvertent
770         suppressing of any other bugs which may be instantiating a JSValue with a NaN double.
771
772         * runtime/JSCJSValueInlines.h:
773         (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.
774
775 2016-07-29  Michael Saboff  <msaboff@apple.com>
776
777         Refactor DFG::Node::hasLocal() to accessesStack()
778         https://bugs.webkit.org/show_bug.cgi?id=160357
779
780         Reviewed by Filip Pizlo.
781
782         Refactoring in preparation for using register arguments for JavaScript calls.
783
784         Renamed Node::hasLocal() to Node::accessesStack() and changed all uses accordingly.
785         Also changed uses of Node::hasVariableAccessData() to accessesStack() where that
786         use guards stack operation logic associated with the Node's VariableAccessData.
787
788         The hasVariableAccessData() check now implies no more than the node has a
789         VariableAccessData and nothing about its use of that data to coordinate stack
790         accesses.
791
792         * dfg/DFGGraph.cpp:
793         (JSC::DFG::Graph::dump):
794         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
795         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
796         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
797         * dfg/DFGMaximalFlushInsertionPhase.cpp:
798         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
799         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
800         * dfg/DFGNode.h:
801         (JSC::DFG::Node::containsMovHint):
802         (JSC::DFG::Node::accessesStack):
803         (JSC::DFG::Node::hasLocal): Deleted.
804         * dfg/DFGPredictionInjectionPhase.cpp:
805         (JSC::DFG::PredictionInjectionPhase::run):
806         * dfg/DFGValidate.cpp:
807
808 2016-07-29  Benjamin Poulain  <benjamin@webkit.org>
809
810         [JSC] Use the same data structures for DFG and Air Liveness Analysis
811         https://bugs.webkit.org/show_bug.cgi?id=160346
812
813         Reviewed by Geoffrey Garen.
814
815         In Air, we minimized memory accesses during liveness analysis
816         with a couple of tricks:
817         -Use a single Sparse Set ADT for the live value of each block.
818         -Manipulate compact positive indices instead of hashing values.
819
820         This patch brings the same ideas to DFG.
821
822         This patch still uses the same fixpoint algorithms.
823         The reason is Edge's KillStatus used by other phases. We cannot
824         use a block-boundary liveness algorithm and update KillStatus
825         simultaneously. It's something I'll probably revisit at some point.
826
827         * dfg/DFGAbstractInterpreterInlines.h:
828         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
829         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
830         * dfg/DFGBasicBlock.h:
831         * dfg/DFGGraph.h:
832         (JSC::DFG::Graph::maxNodeCount):
833         (JSC::DFG::Graph::nodeAt):
834         * dfg/DFGInPlaceAbstractState.cpp:
835         (JSC::DFG::setLiveValues):
836         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
837         * dfg/DFGLivenessAnalysisPhase.cpp:
838         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
839         (JSC::DFG::LivenessAnalysisPhase::run):
840         (JSC::DFG::LivenessAnalysisPhase::processBlock):
841         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
842         (JSC::DFG::LivenessAnalysisPhase::process): Deleted.
843
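        An added example, not code from this ChangeLog or from WebKit: a Sparse Set over compact node
        indices and a backward liveness fixpoint that reuses one working set and keeps one live-at-head
        set per block, in the spirit of the two tricks the entry above names. The CFG, node indices and
        use lists are constructed for the example; the algorithm is the standard fixpoint, not JSC's
        phase.

```javascript
// Added example, not JSC code: a Sparse Set over compact node indices and a
// backward liveness fixpoint that keeps one working set and one live-at-head
// set per block. The CFG, node indices and use lists are constructed.

class SparseSet {
  constructor(capacity) {
    this.sparse = new Uint32Array(capacity); // index -> slot in `dense`
    this.dense = new Uint32Array(capacity);  // members, packed in slots [0, size)
    this.size = 0;
  }
  has(i) { const slot = this.sparse[i]; return slot < this.size && this.dense[slot] === i; }
  add(i) {                                    // O(1), no hashing, no allocation
    if (this.has(i)) return false;
    this.sparse[i] = this.size;
    this.dense[this.size++] = i;
    return true;
  }
  remove(i) {                                 // O(1): swap the last member into the hole
    if (!this.has(i)) return false;
    const slot = this.sparse[i];
    const last = this.dense[--this.size];
    this.dense[slot] = last;
    this.sparse[last] = slot;
    return true;
  }
  clear() { this.size = 0; }                  // O(1): members are simply forgotten
  *[Symbol.iterator]() { for (let k = 0; k < this.size; k++) yield this.dense[k]; }
  toSortedArray() { return Array.from(this).sort((a, b) => a - b); }
}

// Blocks are { id, nodes: [{ index, uses: [node indices] }], successors: [ids] }.
// Every node defines its own index exactly once (SSA form).
function computeLiveness(blocks, maxNodeCount) {
  const liveAtHead = new Map(blocks.map(b => [b.id, new SparseSet(maxNodeCount)]));
  const live = new SparseSet(maxNodeCount);   // the single working set
  let changed = true;
  while (changed) {                            // fixpoint: sets only ever grow
    changed = false;
    for (let k = blocks.length - 1; k >= 0; k--) {   // reverse order converges faster
      const block = blocks[k];
      live.clear();
      for (const succ of block.successors)           // live at tail = union of successor heads
        for (const index of liveAtHead.get(succ)) live.add(index);
      for (let n = block.nodes.length - 1; n >= 0; n--) {
        const node = block.nodes[n];
        live.remove(node.index);                     // a definition kills its own value
        for (const use of node.uses) live.add(use);  // a use makes the value live above it
      }
      const head = liveAtHead.get(block.id);
      for (const index of live) if (head.add(index)) changed = true;
    }
  }
  return liveAtHead;
}

// Constructed CFG: A -> B; B -> C, D; C -> B (loop back edge).
const EXAMPLE_BLOCKS = [
  { id: 'A', nodes: [{ index: 0, uses: [] }, { index: 1, uses: [] }], successors: ['B'] },
  { id: 'B', nodes: [{ index: 2, uses: [0] }], successors: ['C', 'D'] },
  { id: 'C', nodes: [{ index: 3, uses: [2, 1] }], successors: ['B'] },
  { id: 'D', nodes: [{ index: 4, uses: [2] }], successors: [] },
];

function exampleLiveAtHead() {
  const result = computeLiveness(EXAMPLE_BLOCKS, 5);
  return Object.fromEntries([...result].map(([id, set]) => [id, set.toSortedArray()]));
}
```

        Because the loop C -> B feeds node 1 back into B, the second pass grows C's head set to
        {0, 1, 2}; a single reverse pass would have missed that, which is why the fixpoint is kept.
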
844 2016-07-29  Yusuke Suzuki  <utatane.tea@gmail.com>
845
846         Unreviewed, ByValInfo is only used in JIT enabled environments
847         https://bugs.webkit.org/show_bug.cgi?id=158908
848
849         * bytecode/CodeBlock.cpp:
850         (JSC::CodeBlock::stronglyVisitStrongReferences):
851
852 2016-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
853
854         JSC::Symbol should be hash-consed
855         https://bugs.webkit.org/show_bug.cgi?id=158908
856
857         Reviewed by Filip Pizlo.
858
859         Previously, SymbolImpls held by symbols represent identity of symbols.
860         When we check the equality between symbols, we need to load SymbolImpls of symbols and compare them.
861
862         This patch performs hash-consing onto the symbols. We cache symbols in a per-VM SymbolImpl-keyed WeakGCMap.
863         When creating a new symbol from SymbolImpl, we first query this map and reuse the previously created symbol
864         if it is found. This ensures a one-to-one correspondence between SymbolImpl and symbol. So now, we can use
865         pointer-comparison to query the equality of symbols.
866
867         This change drops SymbolImpl loads when checking the equality. Furthermore, we can use DFG CheckCell to symbol
868         when we would like to ensure that the given value is the expected symbol. This cleans up GetByVal's symbol-keyed
869         caching. Then, we changed CheckIdent to CheckStringIdent since it only checks the string case now. The symbol
870         case is handled by CheckCell.
871
872         Additionally, this patch also cleans up Map / Set implementation since we can apply the logic for JSCell to symbols.
873
874         The performance effects in the related benchmarks are the following.
875
876                                                                baseline                   patch
877
878             bigswitch-indirect-symbol-or-undefined         85.6214+-1.0063     ^     63.0522+-0.8615        ^ definitely 1.3579x faster
879             bigswitch-indirect-symbol                      84.9653+-0.6258     ^     80.4900+-0.8008        ^ definitely 1.0556x faster
880             fold-put-by-val-with-symbol-to-multi-put-by-offset
881                                                             9.4396+-0.3726            9.2941+-0.3311          might be 1.0157x faster
882             inlined-put-by-val-with-symbol-transition
883                                                            49.5477+-0.2401     ?     49.7533+-0.3369        ?
884             get-by-val-with-symbol-self-or-proto           11.9740+-0.0798     ?     12.1706+-0.2723        ? might be 1.0164x slower
885             get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
886                                                             4.1364+-0.0841            4.0872+-0.0925          might be 1.0120x faster
887             put-by-val-with-symbol                         11.3709+-0.0223           11.3613+-0.0264
888             get-by-val-with-symbol-proto-or-self           11.8984+-0.0706     ?     11.9030+-0.0787        ?
889             polymorphic-put-by-val-with-symbol             31.4176+-0.0558           31.3825+-0.0447
890             implicit-bigswitch-indirect-symbol             61.3115+-0.6577     ^     58.0098+-0.1212        ^ definitely 1.0569x faster
891             get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
892                                                             3.3139+-0.0565     ^      2.9947+-0.0732        ^ definitely 1.1066x faster
893             get-by-val-with-symbol-chain-from-try-block
894                                                             2.2316+-0.0179            2.2137+-0.0210
895             get-by-val-with-symbol-bimorphic-check-structure-elimination
896                                                            10.6031+-0.2216     ^     10.0939+-0.1977        ^ definitely 1.0504x faster
897             get-by-val-with-symbol-check-structure-elimination
898                                                             8.5576+-0.1521     ^      7.7107+-0.1308        ^ definitely 1.1098x faster
899             put-by-val-with-symbol-slightly-polymorphic
900                                                             3.1957+-0.0538     ^      2.9181+-0.0708        ^ definitely 1.0951x faster
901             put-by-val-with-symbol-replace-and-transition
902                                                            11.8253+-0.0757     ^     11.6590+-0.0351        ^ definitely 1.0143x faster
903
904             <geometric>                                    13.3911+-0.0527     ^     12.7376+-0.0457        ^ definitely 1.0513x faster
905
906         * bytecode/ByValInfo.h:
907         * bytecode/CodeBlock.cpp:
908         (JSC::CodeBlock::stronglyVisitStrongReferences):
909         * dfg/DFGAbstractInterpreterInlines.h:
910         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
911         * dfg/DFGByteCodeParser.cpp:
912         (JSC::DFG::ByteCodeParser::parseBlock):
913         * dfg/DFGClobberize.h:
914         (JSC::DFG::clobberize):
915         * dfg/DFGConstantFoldingPhase.cpp:
916         (JSC::DFG::ConstantFoldingPhase::foldConstants):
917         * dfg/DFGDoesGC.cpp:
918         (JSC::DFG::doesGC):
919         * dfg/DFGFixupPhase.cpp:
920         (JSC::DFG::FixupPhase::fixupNode):
921         * dfg/DFGNode.h:
922         (JSC::DFG::Node::hasUidOperand):
923         * dfg/DFGNodeType.h:
924         * dfg/DFGPredictionPropagationPhase.cpp:
925         * dfg/DFGSafeToExecute.h:
926         (JSC::DFG::safeToExecute):
927         * dfg/DFGSpeculativeJIT.cpp:
928         (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
929         (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
930         (JSC::DFG::SpeculativeJIT::compileCheckStringIdent):
931         (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols): Deleted.
932         (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
933         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
934         * dfg/DFGSpeculativeJIT.h:
935         * dfg/DFGSpeculativeJIT32_64.cpp:
936         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
937         (JSC::DFG::SpeculativeJIT::compile):
938         * dfg/DFGSpeculativeJIT64.cpp:
939         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
940         (JSC::DFG::SpeculativeJIT::compile):
941         * ftl/FTLAbstractHeapRepository.h:
942         * ftl/FTLCapabilities.cpp:
943         (JSC::FTL::canCompile):
944         * ftl/FTLLowerDFGToB3.cpp:
945         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
946         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
947         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
948         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): Deleted.
949         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID): Deleted.
950         * jit/JIT.h:
951         * jit/JITOperations.cpp:
952         (JSC::tryGetByValOptimize):
953         * jit/JITPropertyAccess.cpp:
954         (JSC::JIT::emitGetByValWithCachedId):
955         (JSC::JIT::emitPutByValWithCachedId):
956         (JSC::JIT::emitByValIdentifierCheck):
957         (JSC::JIT::privateCompileGetByValWithCachedId):
958         (JSC::JIT::privateCompilePutByValWithCachedId):
959         (JSC::JIT::emitIdentifierCheck): Deleted.
960         * jit/JITPropertyAccess32_64.cpp:
961         (JSC::JIT::emitGetByValWithCachedId):
962         (JSC::JIT::emitPutByValWithCachedId):
963         * runtime/JSCJSValue.cpp:
964         (JSC::JSValue::dumpInContextAssumingStructure):
965         * runtime/JSCJSValueInlines.h:
966         (JSC::JSValue::equalSlowCaseInline):
967         (JSC::JSValue::strictEqualSlowCaseInline): Deleted.
968         * runtime/JSFunction.cpp:
969         (JSC::JSFunction::setFunctionName):
970         * runtime/MapData.h:
971         * runtime/MapDataInlines.h:
972         (JSC::JSIterator>::clear): Deleted.
973         (JSC::JSIterator>::find): Deleted.
974         (JSC::JSIterator>::add): Deleted.
975         (JSC::JSIterator>::remove): Deleted.
976         (JSC::JSIterator>::replaceAndPackBackingStore): Deleted.
977         * runtime/Symbol.cpp:
978         (JSC::Symbol::finishCreation):
979         (JSC::Symbol::create):
980         * runtime/Symbol.h:
981         * runtime/VM.cpp:
982         (JSC::VM::VM):
983         * runtime/VM.h:
984         * tests/stress/symbol-equality-over-gc.js: Added.
985         (shouldBe):
986         (test):
987
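        An added example, not code from this ChangeLog or from WebKit: hash-consing symbol-like values so
        that equality becomes identity (===) instead of a comparison of the underlying impls. The registry
        holds its entries through WeakRef, mirroring the SymbolImpl-keyed WeakGCMap the entry above
        describes: the cache must not keep a symbol alive. SymbolImpl, InternedSymbol and SymbolRegistry
        are constructed stand-ins, not JSC types.

```javascript
// Added example, not JSC code: hash-consing symbol-like values so that
// equality is identity (===) instead of a comparison of the underlying
// impls. Entries are held through WeakRef so the cache does not keep a
// symbol alive. SymbolImpl and InternedSymbol are constructed stand-ins.

class SymbolImpl {                        // what a symbol points at: a unique uid
  constructor(uid) { this.uid = uid; }
}

class InternedSymbol {                    // the cell whose identity now decides equality
  constructor(impl) { this.impl = impl; Object.freeze(this); }
}

class SymbolRegistry {
  constructor() { this.table = new Map(); }   // uid => WeakRef<InternedSymbol>
  // Return the one symbol for this impl, creating it only on first sight.
  intern(impl) {
    const ref = this.table.get(impl.uid);
    const existing = ref && ref.deref();     // undefined once the symbol was collected
    if (existing) return existing;
    const sym = new InternedSymbol(impl);
    this.table.set(impl.uid, new WeakRef(sym));
    return sym;
  }
  size() { return this.table.size; }
}

// Before hash-consing: equality needs both impls loaded and compared.
function slowEquals(a, b) { return a.impl.uid === b.impl.uid; }

// After hash-consing: same impl => same cell, so a pointer compare is enough,
// and interned symbols can key a Map/Set directly by identity.
function demonstrateInterning() {
  const registry = new SymbolRegistry();
  const a = registry.intern(new SymbolImpl('sym#1'));
  const b = registry.intern(new SymbolImpl('sym#1'));  // fresh impl object, same uid
  const c = registry.intern(new SymbolImpl('sym#2'));
  const byIdentity = new Set([a, b, c]);
  return {
    sameCell: a === b,
    slowAgrees: slowEquals(a, b),
    distinct: a !== c,
    uniqueCount: byIdentity.size,
    tableSize: registry.size(),
  };
}
```

        The invariant to check after any change to such a registry is the one the test asserts: two
        interns of equal impls return the same cell, and identity-keyed containers see exactly one entry
        per impl.
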
988 2016-07-28  Mark Lam  <mark.lam@apple.com>
989
990         ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string.
991         https://bugs.webkit.org/show_bug.cgi?id=160324
992         <rdar://problem/27389572>
993
994         Reviewed by Keith Miller.
995
996         The issue is that errorProtoFuncToString() was using jsNontrivialString() to
997         generate the error string even when the name string can be a single character
998         string.  This is incorrect.  We should be using jsString() instead.
999
1000         * runtime/ErrorPrototype.cpp:
1001         (JSC::errorProtoFuncToString):
1002         * tests/stress/errors-with-simple-names-or-messages-should-not-crash-toString.js: Added.
1003
1004 2016-07-28  Michael Saboff  <msaboff@apple.com>
1005
1006         ARM64: Fused left shift with a right shift can create NaNs from integers
1007         https://bugs.webkit.org/show_bug.cgi?id=160329
1008
1009         Reviewed by Geoffrey Garen.
1010
1011         When we fuse a left shift and a right shift of integers where the shift amounts
1012         are the same and the size of the quantity being shifted is 8 bits, we rightly
1013         generate a sign extend byte instruction.  On ARM64, we were sign extending
1014         to a 64 bit quantity, when we really wanted to sign extend to a 32 bit quantity.
1015
1016         Checking the ARM64 macro assembler, we found that we were extending to 64 bits for all
1017         four combinations of zero / sign and 8 / 16 bits.
1018
1019         * assembler/MacroAssemblerARM64.h:
1020         (JSC::MacroAssemblerARM64::zeroExtend16To32):
1021         (JSC::MacroAssemblerARM64::signExtend16To32):
1022         (JSC::MacroAssemblerARM64::zeroExtend8To32):
1023         (JSC::MacroAssemblerARM64::signExtend8To32):
1024         * tests/stress/regress-160329.js: New test added.
1025         (narrow):
1026
1027 2016-07-28  Mark Lam  <mark.lam@apple.com>
1028
1029         StringView should have an explicit m_is8Bit field.
1030         https://bugs.webkit.org/show_bug.cgi?id=160282
1031         <rdar://problem/27327943>
1032
1033         Reviewed by Benjamin Poulain.
1034
1035         * tests/stress/string-joining-long-strings-should-not-crash.js: Added.
1036         (catch):
1037
1038 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
1039
1040         [ARM] Typo fix after r121885
1041         https://bugs.webkit.org/show_bug.cgi?id=160288
1042
1043         Reviewed by Zoltan Herczeg.
1044
1045         * assembler/MacroAssemblerARM.h:
1046         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
1047
1048 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
1049
1050         64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214
1051         https://bugs.webkit.org/show_bug.cgi?id=159711
1052
1053         Reviewed by Mark Lam.
1054
1055         * assembler/ARMAssembler.cpp:
1056         (JSC::ARMAssembler::prepareExecutableCopy):
1057
1058 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
1059
1060         [JSC] Remove some unused code from FTL
1061         https://bugs.webkit.org/show_bug.cgi?id=160285
1062
1063         Reviewed by Mark Lam.
1064
1065         All the liveness and swapping is done inside B3,
1066         this code is no longer needed.
1067
1068         * dfg/DFGEdge.h:
1069         (JSC::DFG::Edge::doesNotKill): Deleted.
1070         * ftl/FTLLowerDFGToB3.cpp:
1071         (JSC::FTL::DFG::LowerDFGToB3::doesKill): Deleted.
1072
1073 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
1074
1075         [JSC] DFG::Node should not have its own allocator
1076         https://bugs.webkit.org/show_bug.cgi?id=160098
1077
1078         Reviewed by Geoffrey Garen.
1079
1080         We need some design changes for DFG::Node:
1081         -Accessing the index must be fast. B3 uses indices for sets
1082          and maps; it is a lot faster than hashing pointers.
1083         -We should be able to subclass DFG::Node to specialize it.
1084
1085         * CMakeLists.txt:
1086         * JavaScriptCore.xcodeproj/project.pbxproj:
1087         * dfg/DFGAllocator.h: Removed.
1088         (JSC::DFG::Allocator::Region::size): Deleted.
1089         (JSC::DFG::Allocator::Region::headerSize): Deleted.
1090         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
1091         (JSC::DFG::Allocator::Region::data): Deleted.
1092         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
1093         (JSC::DFG::Allocator::Region::regionFor): Deleted.
1094         (JSC::DFG::Allocator<T>::Allocator): Deleted.
1095         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
1096         (JSC::DFG::Allocator<T>::allocate): Deleted.
1097         (JSC::DFG::Allocator<T>::free): Deleted.
1098         (JSC::DFG::Allocator<T>::freeAll): Deleted.
1099         (JSC::DFG::Allocator<T>::reset): Deleted.
1100         (JSC::DFG::Allocator<T>::indexOf): Deleted.
1101         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
1102         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
1103         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
1104         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
1105         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
1106         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
1107         * dfg/DFGByteCodeParser.cpp:
1108         (JSC::DFG::ByteCodeParser::addToGraph):
1109         * dfg/DFGCPSRethreadingPhase.cpp:
1110         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1111         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
1112         * dfg/DFGCleanUpPhase.cpp:
1113         (JSC::DFG::CleanUpPhase::run):
1114         * dfg/DFGConstantFoldingPhase.cpp:
1115         (JSC::DFG::ConstantFoldingPhase::run):
1116         * dfg/DFGConstantHoistingPhase.cpp:
1117         * dfg/DFGDCEPhase.cpp:
1118         (JSC::DFG::DCEPhase::fixupBlock):
1119         * dfg/DFGDriver.cpp:
1120         (JSC::DFG::compileImpl):
1121         * dfg/DFGGraph.cpp:
1122         (JSC::DFG::Graph::Graph):
1123         (JSC::DFG::Graph::deleteNode):
1124         (JSC::DFG::Graph::killBlockAndItsContents):
1125         (JSC::DFG::Graph::~Graph): Deleted.
1126         * dfg/DFGGraph.h:
1127         (JSC::DFG::Graph::addNode):
1128         * dfg/DFGLICMPhase.cpp:
1129         (JSC::DFG::LICMPhase::attemptHoist):
1130         * dfg/DFGLongLivedState.cpp: Removed.
1131         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
1132         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
1133         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
1134         * dfg/DFGLongLivedState.h: Removed.
1135         * dfg/DFGNode.cpp:
1136         (JSC::DFG::Node::index): Deleted.
1137         * dfg/DFGNode.h:
1138         (JSC::DFG::Node::index):
1139         * dfg/DFGNodeAllocator.h: Removed.
1140         (operator new ): Deleted.
1141         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1142         * dfg/DFGPlan.cpp:
1143         (JSC::DFG::Plan::compileInThread):
1144         (JSC::DFG::Plan::compileInThreadImpl):
1145         * dfg/DFGPlan.h:
1146         * dfg/DFGSSAConversionPhase.cpp:
1147         (JSC::DFG::SSAConversionPhase::run):
1148         * dfg/DFGWorklist.cpp:
1149         (JSC::DFG::Worklist::runThread):
1150         * runtime/VM.cpp:
1151         (JSC::VM::VM): Deleted.
1152         * runtime/VM.h:
1153
1154 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
1155
1156         [JSC] Fix a bunch of use-after-free of DFG::Node
1157         https://bugs.webkit.org/show_bug.cgi?id=160228
1158
1159         Reviewed by Mark Lam.
1160
1161         FTL had a few places where we use a node after it has been
1162         deleted. The dangling pointers come from the SSA liveness information
1163         kept on the basic blocks.
1164
1165         This patch fixes the issues I could find and adds liveness invalidation
1166         to help finding dependencies like these.
1167
1168         * dfg/DFGBasicBlock.h:
1169         (JSC::DFG::BasicBlock::SSAData::invalidate):
1170
1171         * dfg/DFGConstantFoldingPhase.cpp:
1172         (JSC::DFG::ConstantFoldingPhase::run):
1173         Constant folding phase was deleting nodes in the loop over basic blocks.
1174         The problem is the deleted nodes can be referenced by other blocks.
1175         When the abstract interpreter was manipulating the abstract values of those
1176         it was doing so on the dead nodes.
1177
1178         * dfg/DFGConstantHoistingPhase.cpp:
1179         Just invalidation. Nothing wrong here since the useless nodes were
1180         kept live while iterating the blocks.
1181
1182         * dfg/DFGGraph.cpp:
1183         (JSC::DFG::Graph::killBlockAndItsContents):
1184         (JSC::DFG::Graph::killUnreachableBlocks):
1185         (JSC::DFG::Graph::invalidateNodeLiveness):
1186
1187         * dfg/DFGGraph.h:
1188         * dfg/DFGPlan.cpp:
1189         (JSC::DFG::Plan::compileInThreadImpl):
1190         We had a lot of use-after-free in LICM because we were using the stale
1191         live nodes deleted by previous phases.
1192
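        An added example, not code from this ChangeLog or from WebKit: the invalidation pattern the entry
        above adds, in a toy graph. Each block caches which node indices are live at its head; deleting a
        node invalidates every cache, so a later phase that reads stale liveness fails loudly instead of
        dereferencing a node slot that no longer exists. The graph shape, the toy (non-fixpoint) liveness
        and the phase that reads it are constructed for the example.

```javascript
// Added example, not JSC code: cached liveness guarded by invalidation.
// Deleting a node invalidates every block's cache; reading a stale cache
// throws instead of dereferencing a dangling node slot. Graph is constructed.

class SSAData {
  constructor() { this.liveAtHeadSet = null; this.valid = false; }
  setLiveAtHead(set) { this.liveAtHeadSet = set; this.valid = true; }
  invalidate() { this.liveAtHeadSet = null; this.valid = false; }
  liveAtHead() {
    if (!this.valid) throw new Error('liveness is stale; recompute before use');
    return this.liveAtHeadSet;
  }
}

class Graph {
  constructor() { this.nodes = []; this.blocks = []; }
  addBlock() { const block = { nodes: [], ssa: new SSAData() }; this.blocks.push(block); return block; }
  addNode(block, uses = []) {
    const node = { index: this.nodes.length, uses };
    this.nodes.push(node);
    block.nodes.push(node);
    return node;
  }
  // Toy liveness: a value is live at a block's head if the block uses it but
  // does not define it (no fixpoint; enough to show the caching hazard).
  computeLiveness() {
    for (const block of this.blocks) {
      const defined = new Set(block.nodes.map(n => n.index));
      const live = new Set();
      for (const node of block.nodes) for (const u of node.uses) if (!defined.has(u)) live.add(u);
      block.ssa.setLiveAtHead(live);
    }
  }
  deleteNode(node) {
    const block = this.blocks.find(b => b.nodes.includes(node));
    block.nodes.splice(block.nodes.indexOf(node), 1);
    this.nodes[node.index] = null;          // the slot is now dangling
    this.invalidateNodeLiveness();          // cached sets may still name that index
  }
  invalidateNodeLiveness() { for (const block of this.blocks) block.ssa.invalidate(); }
}

// A phase that consumes cached liveness: it maps live indices back to node
// objects, which is exactly the step that would touch a dead node if the
// cache were stale.
function nodesLiveAtHead(graph, block) {
  return [...block.ssa.liveAtHead()].map(index => graph.nodes[index]);
}

function runScenario() {
  const graph = new Graph();
  const entry = graph.addBlock();
  const exit = graph.addBlock();
  const a = graph.addNode(entry);
  const b = graph.addNode(entry);
  const user = graph.addNode(exit, [a.index, b.index]);   // exit uses both values
  graph.computeLiveness();
  const before = nodesLiveAtHead(graph, exit).map(n => n.index);

  graph.deleteNode(b);        // e.g. a folding phase removed b; exit's cache still names it
  let staleReadThrew = false;
  try { nodesLiveAtHead(graph, exit); } catch (e) { staleReadThrew = true; }

  // The phase that deleted b also rewrites its remaining use; after a recompute
  // the dead index is gone and reads are safe again.
  user.uses = user.uses.filter(i => i !== b.index);
  graph.computeLiveness();
  const after = nodesLiveAtHead(graph, exit).map(n => n.index);
  return { before, staleReadThrew, after };
}
```

        Without the invalidate() step, the stale read would return graph.nodes[1], which is null here
        and freed memory in a native engine; with it, the stale read is a loud error at the point of use.
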
1193 2016-07-27  Keith Miller  <keith_miller@apple.com>
1194
1195         concatAppendOne should allocate using the indexing type of the array if it cannot merge
1196         https://bugs.webkit.org/show_bug.cgi?id=160261
1197         <rdar://problem/27530122>
1198
1199         Reviewed by Mark Lam.
1200
1201         Before, if we could not merge the indexing types for copying, we would allocate
1202         the array as ArrayWithUndecided. Instead, we should allocate an array with the original
1203         array's indexing type.
1204
1205         * runtime/ArrayPrototype.cpp:
1206         (JSC::concatAppendOne):
1207         * tests/stress/concat-append-one-with-sparse-array.js: Added.
1208
1209 2016-07-27  Saam Barati  <sbarati@apple.com>
1210
1211         We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
1212         https://bugs.webkit.org/show_bug.cgi?id=160211
1213         <rdar://problem/27572612>
1214
1215         Reviewed by Geoffrey Garen.
1216
1217         The fast for-in iteration mode assumes all inline/out-of-line properties
1218         can be iterated in linear order. This is not true if we have Symbols
1219         because Symbols should not be iterated by for-in.
1220
1221         * runtime/Structure.cpp:
1222         (JSC::Structure::add):
1223         * tests/stress/symbol-should-not-break-for-in.js: Added.
1224         (assert):
1225         (foo):
1226
1227 2016-07-27  Mark Lam  <mark.lam@apple.com>
1228
1229         The second argument for Function.prototype.apply should be array-like or null/undefined.
1230         https://bugs.webkit.org/show_bug.cgi?id=160212
1231         <rdar://problem/27328525>
1232
1233         Reviewed by Filip Pizlo.
1234
1235         The spec for Function.prototype.apply says its second argument can only be null,
1236         undefined, or must be array-like.  See
1237         https://tc39.github.io/ecma262/#sec-function.prototype.apply and
1238         https://tc39.github.io/ecma262/#sec-createlistfromarraylike.
1239
1240         Our previous implementation was not handling this correctly for SymbolType.
1241         This is now fixed.
1242
1243         * interpreter/Interpreter.cpp:
1244         (JSC::sizeOfVarargs):
1245         * tests/stress/apply-second-argument-must-be-array-like.js: Added.
1246
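        An added example, not code from this ChangeLog or from WebKit: CreateListFromArrayLike with the
        checks the linked spec sections prescribe, beside a probe of the native Function.prototype.apply
        so the two can be compared. Only null, undefined and objects (functions and array-likes included)
        are accepted; any other primitive, a Symbol among them, is a TypeError. The sample argument
        objects are constructed.

```javascript
// Added example, not JSC code: CreateListFromArrayLike as the spec defines it,
// next to a probe of the native Function.prototype.apply. null/undefined mean
// "no arguments"; any non-object (Symbol, number, string) is a TypeError.
// Sample argument objects are constructed.

// ToLength: clamp to [0, 2^53 - 1]; NaN and negatives become 0.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

function createListFromArrayLike(argArray) {
  if (argArray === null || argArray === undefined) return [];   // apply: "no arguments"
  if (typeof argArray !== 'object' && typeof argArray !== 'function')
    throw new TypeError('CreateListFromArrayLike called on non-object');
  const len = toLength(argArray.length);
  const list = [];
  for (let index = 0; index < len; index++) list.push(argArray[index]); // holes read as undefined
  return list;
}

// What the engine's own apply does with the same second argument.
function nativeApplyOutcome(argArray) {
  const collect = function (...args) { return args; };
  try {
    return { ok: true, args: collect.apply(null, argArray) };
  } catch (error) {
    return { ok: false, error: error.constructor.name };
  }
}
```

        A quick conformance check is to feed the same values to both functions: they must agree on which
        inputs are accepted and on the resulting argument list.
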
1247 2016-07-27  Saam Barati  <sbarati@apple.com>
1248
1249         MathICs should be able to emit only a jump along the inline path when they don't have any type data
1250         https://bugs.webkit.org/show_bug.cgi?id=160110
1251
1252         Reviewed by Mark Lam.
1253
1254         This patch allows for MathIC fast-path generation to be delayed.
1255         We delay when we don't see any observed type information for
1256         the lhs/rhs operand, which implies that the MathIC has never
1257         executed. This is profitable for two main reasons:
1258         1. If the math operation never executes, we emit much less code.
1259         2. Once we get type information for the lhs/rhs, we can emit better code.
1260
1261         To implement this, we just emit a jump to the slow path call
1262         that will repatch on first execution.
1263
1264         New data for add:
1265                    |   JetStream  |  Unity 3D  |
1266              ------| -------------|--------------
1267               Old  |   148 bytes  |  143 bytes |
1268              ------| -------------|--------------
1269               New  |   116  bytes |  113 bytes |
1270              ------------------------------------
1271
1272         New data for mul:
1273                    |   JetStream  |  Unity 3D  |
1274              ------| -------------|--------------
1275               Old  |   210 bytes  |  185 bytes |
1276              ------| -------------|--------------
1277               New  |   170  bytes |  137 bytes |
1278              ------------------------------------
1279
1280         * jit/JITAddGenerator.cpp:
1281         (JSC::JITAddGenerator::generateInline):
1282         * jit/JITAddGenerator.h:
1283         (JSC::JITAddGenerator::isLeftOperandValidConstant):
1284         (JSC::JITAddGenerator::isRightOperandValidConstant):
1285         (JSC::JITAddGenerator::arithProfile):
1286         * jit/JITMathIC.h:
1287         (JSC::JITMathIC::generateInline):
1288         (JSC::JITMathIC::generateOutOfLine):
1289         (JSC::JITMathIC::finalizeInlineCode):
1290         * jit/JITMathICInlineResult.h:
1291         * jit/JITMulGenerator.cpp:
1292         (JSC::JITMulGenerator::generateInline):
1293         * jit/JITMulGenerator.h:
1294         (JSC::JITMulGenerator::isLeftOperandValidConstant):
1295         (JSC::JITMulGenerator::isRightOperandValidConstant):
1296         (JSC::JITMulGenerator::arithProfile):
1297         * jit/JITOperations.cpp:
1298
1299 2016-07-26  Saam Barati  <sbarati@apple.com>
1300
1301         rollout r203666
1302         https://bugs.webkit.org/show_bug.cgi?id=160226
1303
1304         Unreviewed rollout.
1305
1306         * b3/B3BasicBlock.h:
1307         (JSC::B3::BasicBlock::successorBlock):
1308         * b3/B3LowerToAir.cpp:
1309         (JSC::B3::Air::LowerToAir::createGenericCompare):
1310         * b3/B3LowerToAir.h:
1311         * b3/air/AirArg.cpp:
1312         (JSC::B3::Air::Arg::isRepresentableAs):
1313         (JSC::B3::Air::Arg::usesTmp):
1314         * b3/air/AirArg.h:
1315         (JSC::B3::Air::Arg::isRepresentableAs):
1316         (JSC::B3::Air::Arg::asNumber):
1317         (JSC::B3::Air::Arg::castToType): Deleted.
1318         * b3/air/AirCode.h:
1319         (JSC::B3::Air::Code::size):
1320         (JSC::B3::Air::Code::at):
1321         * b3/air/AirOpcode.opcodes:
1322         * b3/air/AirValidate.h:
1323         * b3/air/opcode_generator.rb:
1324         * b3/testb3.cpp:
1325         (JSC::B3::compileAndRun):
1326         (JSC::B3::testSomeEarlyRegister):
1327         (JSC::B3::zero):
1328         (JSC::B3::run):
1329         (JSC::B3::lowerToAirForTesting): Deleted.
1330         (JSC::B3::testBranchBitAndImmFusion): Deleted.
1331
1332 2016-07-26  Caitlin Potter  <caitp@igalia.com>
1333
1334         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
1335         https://bugs.webkit.org/show_bug.cgi?id=159409
1336
1337         Reviewed by Geoffrey Garen.
1338
1339         * runtime/ObjectConstructor.cpp:
1340         (JSC::objectConstructorGetOwnPropertyDescriptors):
1341         * tests/es6.yaml:
1342         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
1343         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
1344         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
1345         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
1346         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
1347
1348 2016-07-26  Mark Lam  <mark.lam@apple.com>
1349
1350         Remove unused DEBUG_WITH_BREAKPOINT configuration.
1351         https://bugs.webkit.org/show_bug.cgi?id=160203
1352
1353         Reviewed by Keith Miller.
1354
1355         * bytecompiler/BytecodeGenerator.cpp:
1356         (JSC::BytecodeGenerator::emitDebugHook):
1357
1358 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
1359
1360         Unreviewed, rolling out r203703.
1361
1362         It breaks some internal tests
1363
1364         Reverted changeset:
1365
1366         "[JSC] DFG::Node should not have its own allocator"
1367         https://bugs.webkit.org/show_bug.cgi?id=160098
1368         http://trac.webkit.org/changeset/203703
1369
1370 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
1371
1372         [JSC] DFG::Node should not have its own allocator
1373         https://bugs.webkit.org/show_bug.cgi?id=160098
1374
1375         Reviewed by Geoffrey Garen.
1376
1377         We need some design changes for DFG::Node:
1378         - Accessing the index must be fast. B3 uses indices for sets
1379           and maps; it is a lot faster than hashing pointers.
1380         - We should be able to subclass DFG::Node to specialize it.
1381
1382         * CMakeLists.txt:
1383         * JavaScriptCore.xcodeproj/project.pbxproj:
1384         * dfg/DFGAllocator.h: Removed.
1385         (JSC::DFG::Allocator::Region::size): Deleted.
1386         (JSC::DFG::Allocator::Region::headerSize): Deleted.
1387         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
1388         (JSC::DFG::Allocator::Region::data): Deleted.
1389         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
1390         (JSC::DFG::Allocator::Region::regionFor): Deleted.
1391         (JSC::DFG::Allocator<T>::Allocator): Deleted.
1392         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
1393         (JSC::DFG::Allocator<T>::allocate): Deleted.
1394         (JSC::DFG::Allocator<T>::free): Deleted.
1395         (JSC::DFG::Allocator<T>::freeAll): Deleted.
1396         (JSC::DFG::Allocator<T>::reset): Deleted.
1397         (JSC::DFG::Allocator<T>::indexOf): Deleted.
1398         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
1399         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
1400         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
1401         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
1402         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
1403         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
1404         * dfg/DFGByteCodeParser.cpp:
1405         (JSC::DFG::ByteCodeParser::addToGraph):
1406         * dfg/DFGCPSRethreadingPhase.cpp:
1407         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1408         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
1409         * dfg/DFGCleanUpPhase.cpp:
1410         (JSC::DFG::CleanUpPhase::run):
1411         * dfg/DFGConstantFoldingPhase.cpp:
1412         (JSC::DFG::ConstantFoldingPhase::run):
1413         * dfg/DFGConstantHoistingPhase.cpp:
1414         * dfg/DFGDCEPhase.cpp:
1415         (JSC::DFG::DCEPhase::fixupBlock):
1416         * dfg/DFGDriver.cpp:
1417         (JSC::DFG::compileImpl):
1418         * dfg/DFGGraph.cpp:
1419         (JSC::DFG::Graph::Graph):
1420         (JSC::DFG::Graph::deleteNode):
1421         (JSC::DFG::Graph::killBlockAndItsContents):
1422         (JSC::DFG::Graph::~Graph): Deleted.
1423         * dfg/DFGGraph.h:
1424         (JSC::DFG::Graph::addNode):
1425         * dfg/DFGLICMPhase.cpp:
1426         (JSC::DFG::LICMPhase::attemptHoist):
1427         * dfg/DFGLongLivedState.cpp: Removed.
1428         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
1429         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
1430         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
1431         * dfg/DFGLongLivedState.h: Removed.
1432         * dfg/DFGNode.cpp:
1433         (JSC::DFG::Node::index): Deleted.
1434         * dfg/DFGNode.h:
1435         (JSC::DFG::Node::index):
1436         * dfg/DFGNodeAllocator.h: Removed.
1437         (operator new ): Deleted.
1438         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1439         * dfg/DFGPlan.cpp:
1440         (JSC::DFG::Plan::compileInThread):
1441         (JSC::DFG::Plan::compileInThreadImpl):
1442         * dfg/DFGPlan.h:
1443         * dfg/DFGSSAConversionPhase.cpp:
1444         (JSC::DFG::SSAConversionPhase::run):
1445         * dfg/DFGWorklist.cpp:
1446         (JSC::DFG::Worklist::runThread):
1447         * runtime/VM.cpp:
1448         (JSC::VM::VM): Deleted.
1449         * runtime/VM.h:
1450
1451 2016-07-25  Filip Pizlo  <fpizlo@apple.com>
1452
1453         AssemblyHelpers should own all of the cell allocation methods
1454         https://bugs.webkit.org/show_bug.cgi?id=160171
1455
1456         Reviewed by Saam Barati.
1457         
1458         Prior to this change we had some code in DFGSpeculativeJIT.h and some code in JIT.h that
1459         did cell allocation.
1460         
1461         This change moves all of that code into AssemblyHelpers.h.
1462
1463         * dfg/DFGSpeculativeJIT.h:
1464         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1465         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1466         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1467         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
1468         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
1469         * jit/AssemblyHelpers.h:
1470         (JSC::AssemblyHelpers::emitAllocate):
1471         (JSC::AssemblyHelpers::emitAllocateJSCell):
1472         (JSC::AssemblyHelpers::emitAllocateJSObject):
1473         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1474         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1475         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
1476         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1477         * jit/JIT.h:
1478         * jit/JITInlines.h:
1479         (JSC::JIT::isOperandConstantChar):
1480         (JSC::JIT::emitValueProfilingSite):
1481         (JSC::JIT::emitAllocateJSObject): Deleted.
1482         * jit/JITOpcodes.cpp:
1483         (JSC::JIT::emit_op_new_object):
1484         (JSC::JIT::emit_op_create_this):
1485         * jit/JITOpcodes32_64.cpp:
1486         (JSC::JIT::emit_op_new_object):
1487         (JSC::JIT::emit_op_create_this):
1488
1489 2016-07-25  Saam Barati  <sbarati@apple.com>
1490
1491         MathICs should be able to take and dump stats about code size
1492         https://bugs.webkit.org/show_bug.cgi?id=160148
1493
1494         Reviewed by Filip Pizlo.
1495
1496         This will make testing changes on MathIC going forward much easier.
1497         We will be able to easily see if modifications to MathIC will lead
1498         to us generating smaller code. We now only dump average size when we
1499         regenerate any MathIC. This works out for large tests/pages, but is not
1500         great for testing small programs. We can add more dump points later if
1501         we find that we want to dump stats while running small programs.
1502
1503         * bytecode/CodeBlock.cpp:
1504         (JSC::CodeBlock::jitSoon):
1505         (JSC::CodeBlock::dumpMathICStats):
1506         * bytecode/CodeBlock.h:
1507         (JSC::CodeBlock::isStrictMode):
1508         (JSC::CodeBlock::ecmaMode):
1509         * dfg/DFGSpeculativeJIT.cpp:
1510         (JSC::DFG::SpeculativeJIT::compileMathIC):
1511         * ftl/FTLLowerDFGToB3.cpp:
1512         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
1513         * jit/JITArithmetic.cpp:
1514         (JSC::JIT::emitMathICFast):
1515         (JSC::JIT::emitMathICSlow):
1516         * jit/JITMathIC.h:
1517         (JSC::JITMathIC::finalizeInlineCode):
1518         (JSC::JITMathIC::codeSize):
1519         * jit/JITOperations.cpp:
1520
1521 2016-07-25  Saam Barati  <sbarati@apple.com>
1522
1523         op_mul/ArithMul(Untyped,Untyped) should be an IC
1524         https://bugs.webkit.org/show_bug.cgi?id=160108
1525
1526         Reviewed by Mark Lam.
1527
1528         This patch makes Mul a type based IC in much the same way that we made
1529         Add a type-based IC. I implemented Mul in the same way. I abstracted the
1530         implementation of the Add IC in the various JITs to allow for it to
1531         work over arbitrary IC snippets. This will make adding Div/Sub/Pow in the
1532         future easy. This patch also adds a new boolean argument to the various
1533         snippet generateFastPath() methods to indicate if we should emit result profiling.
1534         I added this because we want this profiling to be emitted for Mul in
1535         the baseline, but not in the DFG. We used to indicate this through passing
1536         in a nullptr for the ArithProfile, but we no longer do that in the upper
1537         JIT tiers. So we are passing an explicit request from the JIT tier about
1538         whether or not it's worth it for the IC to emit profiling.
1539
1540         We now emit much less code for Mul. Here is some data on the average
1541         Mul snippet/IC size:
1542
1543                    |   JetStream  |  Unity 3D  |
1544              ------| -------------|--------------
1545               Old  |  ~280 bytes  | ~280 bytes |
1546              ------| -------------|--------------
1547               New  |   210  bytes |  185 bytes |
1548              ------------------------------------
1549
1550         * bytecode/CodeBlock.cpp:
1551         (JSC::CodeBlock::addJITAddIC):
1552         (JSC::CodeBlock::addJITMulIC):
1553         (JSC::CodeBlock::findStubInfo):
1554         * bytecode/CodeBlock.h:
1555         (JSC::CodeBlock::stubInfoBegin):
1556         (JSC::CodeBlock::stubInfoEnd):
1557         * dfg/DFGSpeculativeJIT.cpp:
1558         (JSC::DFG::GPRTemporary::adopt):
1559         (JSC::DFG::FPRTemporary::FPRTemporary):
1560         (JSC::DFG::SpeculativeJIT::compileValueAdd):
1561         (JSC::DFG::SpeculativeJIT::compileMathIC):
1562         (JSC::DFG::SpeculativeJIT::compileArithMul):
1563         * dfg/DFGSpeculativeJIT.h:
1564         (JSC::DFG::SpeculativeJIT::callOperation):
1565         (JSC::DFG::GPRTemporary::GPRTemporary):
1566         (JSC::DFG::GPRTemporary::operator=):
1567         (JSC::DFG::FPRTemporary::~FPRTemporary):
1568         (JSC::DFG::FPRTemporary::fpr):
1569         * ftl/FTLLowerDFGToB3.cpp:
1570         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
1571         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1572         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
1573         (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
1574         * jit/JIT.h:
1575         (JSC::JIT::getSlowCase):
1576         * jit/JITAddGenerator.cpp:
1577         (JSC::JITAddGenerator::generateInline):
1578         (JSC::JITAddGenerator::generateFastPath):
1579         * jit/JITAddGenerator.h:
1580         (JSC::JITAddGenerator::JITAddGenerator):
1581         (JSC::JITAddGenerator::isLeftOperandValidConstant):
1582         (JSC::JITAddGenerator::isRightOperandValidConstant):
1583         * jit/JITArithmetic.cpp:
1584         (JSC::JIT::emit_op_add):
1585         (JSC::JIT::emitSlow_op_add):
1586         (JSC::JIT::emitMathICFast):
1587         (JSC::JIT::emitMathICSlow):
1588         (JSC::JIT::emit_op_mul):
1589         (JSC::JIT::emitSlow_op_mul):
1590         (JSC::JIT::emit_op_sub):
1591         * jit/JITInlines.h:
1592         (JSC::JIT::callOperation):
1593         * jit/JITMathIC.h:
1594         (JSC::JITMathIC::slowPathStartLocation):
1595         (JSC::JITMathIC::slowPathCallLocation):
1596         (JSC::JITMathIC::isLeftOperandValidConstant):
1597         (JSC::JITMathIC::isRightOperandValidConstant):
1598         (JSC::JITMathIC::generateInline):
1599         (JSC::JITMathIC::generateOutOfLine):
1600         * jit/JITMathICForwards.h:
1601         * jit/JITMulGenerator.cpp:
1602         (JSC::JITMulGenerator::generateInline):
1603         (JSC::JITMulGenerator::generateFastPath):
1604         * jit/JITMulGenerator.h:
1605         (JSC::JITMulGenerator::JITMulGenerator):
1606         (JSC::JITMulGenerator::isLeftOperandValidConstant):
1607         (JSC::JITMulGenerator::isRightOperandValidConstant):
1608         (JSC::JITMulGenerator::didEmitFastPath): Deleted.
1609         (JSC::JITMulGenerator::endJumpList): Deleted.
1610         (JSC::JITMulGenerator::slowPathJumpList): Deleted.
1611         * jit/JITOperations.cpp:
1612         * jit/JITOperations.h:
1613
1614 2016-07-25  Darin Adler  <darin@apple.com>
1615
1616         Speed up make process slightly by improving "list of files" idiom
1617         https://bugs.webkit.org/show_bug.cgi?id=160164
1618
1619         Reviewed by Mark Lam.
1620
1621         * DerivedSources.make: Change rules that build lists of files to only run when
1622         DerivedSources.make has been modified since the last time they were run. Since the
1623         list of files are inside this file, this is safe, and this is faster than always
1624         comparing and regenerating the file containing the list of files each time.
1625
1626 2016-07-24  Youenn Fablet  <youenn@apple.com>
1627
1628         [Fetch API] Request should be created with any HeadersInit data
1629         https://bugs.webkit.org/show_bug.cgi?id=159672
1630
1631         Reviewed by Sam Weinig.
1632
1633         * Scripts/builtins/builtins_generator.py:
1634         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
1635
1636 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
1637
1638         B3 should support multiple entrypoints
1639         https://bugs.webkit.org/show_bug.cgi?id=159391
1640
1641         Reviewed by Saam Barati.
1642         
1643         This teaches B3 how to compile procedures with multiple entrypoints in the best way ever.
1644         
1645         Multiple entrypoints are useful. We could use them to reduce the cost of compiling OSR
1646         entrypoints. We could use them to implement better try/catch.
1647         
1648         Multiple entrypoints are hard to support. All of the code that assumed that the root block
1649         is the entrypoint would have to be changed. Transformations like moveConstants() would have
1650         to do crazy things if the existence of multiple entrypoints prevented it from finding a
1651         single common dominator.
1652         
1653         Therefore, we want to add multiple entrypoints without actually teaching the compiler that
1654         there is such a thing. That's sort of what this change does.
1655         
1656         This adds a new opcode to both B3 and Air called EntrySwitch. It's a terminal that takes
1657         one or more successors and no value children. The number of successors must match
1658         Procedure::numEntrypoints(), which could be arbitrarily large. The semantics of EntrySwitch
1659         are:
1660         
1661         - Each of the entrypoints sets a hidden Entry variable to that entrypoint's index and jumps
1662           to the procedure's root block.
1663         
1664         - An EntrySwitch is a switch statement over this hidden Entry variable.
1665         
1666         The way that we actually implement this is that Air has a very late phase - after all
1667         register and stack layout - that clones all code where the Entry variable is live; i.e. all
1668         code in the closure over predecessors of all blocks that do EntrySwitch.
1669         
1670         Usually, you would use this by creating an EntrySwitch in the root block, but you don't
1671         have to do that. Just remember that the code before EntrySwitch gets cloned for each
1672         entrypoint. We allow cloning of an arbitrarily large amount of code because restricting it,
1673         and so restricting the placement of EntrySwitches, would be inelegant. It would be hard to
1674         preserve this invariant. For example, we wouldn't be able to lower any value before an
1675         EntrySwitch to a control flow diamond.
1676         
1677         This patch gives us an easy-to-use way to use B3 to compile code with multiple entrypoints.
1678         Inside the compiler, only code that runs very late in Air has to know about this feature.
1679         We get the best of both worlds!
1680         
1681         Also, I finally got rid of the requirement that you explicitly cast BasicBlock* to
1682         FrequentedBlock. I can no longer remember why I thought that was a good idea. Removing it
1683         doesn't cause any problems and it makes code easier to write.
1684
1685         * CMakeLists.txt:
1686         * JavaScriptCore.xcodeproj/project.pbxproj:
1687         * b3/B3BasicBlockUtils.h:
1688         (JSC::B3::updatePredecessorsAfter):
1689         (JSC::B3::clearPredecessors):
1690         (JSC::B3::recomputePredecessors):
1691         * b3/B3FrequencyClass.h:
1692         (JSC::B3::maxFrequency):
1693         * b3/B3Generate.h:
1694         * b3/B3LowerToAir.cpp:
1695         (JSC::B3::Air::LowerToAir::lower):
1696         * b3/B3MoveConstants.cpp:
1697         * b3/B3Opcode.cpp:
1698         (WTF::printInternal):
1699         * b3/B3Opcode.h:
1700         * b3/B3Procedure.cpp:
1701         (JSC::B3::Procedure::isFastConstant):
1702         (JSC::B3::Procedure::entrypointLabel):
1703         (JSC::B3::Procedure::addDataSection):
1704         * b3/B3Procedure.h:
1705         (JSC::B3::Procedure::numEntrypoints):
1706         (JSC::B3::Procedure::setNumEntrypoints):
1707         (JSC::B3::Procedure::setLastPhaseName):
1708         * b3/B3Validate.cpp:
1709         * b3/B3Value.cpp:
1710         (JSC::B3::Value::effects):
1711         (JSC::B3::Value::typeFor):
1712         * b3/B3Value.h:
1713         * b3/air/AirCode.cpp:
1714         (JSC::B3::Air::Code::cCallSpecial):
1715         (JSC::B3::Air::Code::isEntrypoint):
1716         (JSC::B3::Air::Code::resetReachability):
1717         (JSC::B3::Air::Code::dump):
1718         * b3/air/AirCode.h:
1719         (JSC::B3::Air::Code::setFrameSize):
1720         (JSC::B3::Air::Code::numEntrypoints):
1721         (JSC::B3::Air::Code::entrypoints):
1722         (JSC::B3::Air::Code::entrypoint):
1723         (JSC::B3::Air::Code::setEntrypoints):
1724         (JSC::B3::Air::Code::entrypointLabel):
1725         (JSC::B3::Air::Code::setEntrypointLabels):
1726         (JSC::B3::Air::Code::calleeSaveRegisters):
1727         * b3/air/AirCustom.h:
1728         (JSC::B3::Air::PatchCustom::isTerminal):
1729         (JSC::B3::Air::PatchCustom::hasNonArgEffects):
1730         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
1731         (JSC::B3::Air::PatchCustom::generate):
1732         (JSC::B3::Air::CommonCustomBase::hasNonArgEffects):
1733         (JSC::B3::Air::CCallCustom::forEachArg):
1734         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1735         (JSC::B3::Air::ShuffleCustom::forEachArg):
1736         (JSC::B3::Air::EntrySwitchCustom::forEachArg):
1737         (JSC::B3::Air::EntrySwitchCustom::isValidFormStatic):
1738         (JSC::B3::Air::EntrySwitchCustom::isValidForm):
1739         (JSC::B3::Air::EntrySwitchCustom::admitsStack):
1740         (JSC::B3::Air::EntrySwitchCustom::isTerminal):
1741         (JSC::B3::Air::EntrySwitchCustom::hasNonArgNonControlEffects):
1742         (JSC::B3::Air::EntrySwitchCustom::generate):
1743         * b3/air/AirGenerate.cpp:
1744         (JSC::B3::Air::prepareForGeneration):
1745         (JSC::B3::Air::generate):
1746         * b3/air/AirLowerEntrySwitch.cpp: Added.
1747         (JSC::B3::Air::lowerEntrySwitch):
1748         * b3/air/AirLowerEntrySwitch.h: Added.
1749         * b3/air/AirOpcode.opcodes:
1750         * b3/air/AirOptimizeBlockOrder.cpp:
1751         (JSC::B3::Air::blocksInOptimizedOrder):
1752         * b3/air/AirSpecial.cpp:
1753         (JSC::B3::Air::Special::isTerminal):
1754         (JSC::B3::Air::Special::hasNonArgEffects):
1755         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
1756         * b3/air/AirSpecial.h:
1757         * b3/air/AirValidate.cpp:
1758         * b3/air/opcode_generator.rb:
1759         * b3/testb3.cpp:
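
        The cloning step described above, as an added toy model written for this page (it is not JSC's own AirLowerEntrySwitch code): the Block/Code structs, the three-way terminal and the index-based CFG are assumptions. It computes the predecessor closure of every EntrySwitch block, clones that region once per entrypoint, and in clone i resolves the EntrySwitch to a jump to its i-th successor while leaving edges that exit the region shared.

```cpp
#include <cstdio>
#include <set>
#include <vector>

namespace EntrySwitchToy {
enum class Terminal { Jump, EntrySwitch, Return };
// successors: 1 for Jump, numEntrypoints for EntrySwitch, 0 for Return.
struct Block { Terminal terminal; std::vector<size_t> successors; };

struct Code {
    std::vector<Block> blocks;
    size_t root = 0;
    size_t numEntrypoints = 1;
    std::vector<size_t> entrypoints; // set by lowerEntrySwitch(): start block per entrypoint
};

// The hidden Entry variable is live in every EntrySwitch block and in everything that
// can reach one, i.e. the transitive closure over predecessors. Those blocks get cloned.
std::set<size_t> blocksNeedingClone(const Code& code)
{
    std::vector<std::vector<size_t>> predecessors(code.blocks.size());
    for (size_t i = 0; i < code.blocks.size(); ++i)
        for (size_t s : code.blocks[i].successors)
            predecessors[s].push_back(i);
    std::set<size_t> result;
    std::vector<size_t> worklist;
    for (size_t i = 0; i < code.blocks.size(); ++i)
        if (code.blocks[i].terminal == Terminal::EntrySwitch)
            worklist.push_back(i);
    while (!worklist.empty()) {
        size_t block = worklist.back();
        worklist.pop_back();
        if (!result.insert(block).second)
            continue; // already visited
        for (size_t p : predecessors[block])
            worklist.push_back(p);
    }
    return result;
}

// Clones the region once per entrypoint and turns each EntrySwitch in clone i into a
// Jump to its i-th successor. Returns the number of blocks added. The originals of
// cloned blocks stay in the vector but are unreachable from every entrypoint afterwards.
size_t lowerEntrySwitch(Code& code)
{
    std::set<size_t> toClone = blocksNeedingClone(code);
    size_t originalCount = code.blocks.size();
    // cloneIndex[entry][original] is the index of that block's copy for `entry`.
    std::vector<std::vector<size_t>> cloneIndex(code.numEntrypoints, std::vector<size_t>(originalCount, 0));
    for (size_t entry = 0; entry < code.numEntrypoints; ++entry) {
        for (size_t original : toClone) {
            cloneIndex[entry][original] = code.blocks.size();
            code.blocks.push_back(Block(code.blocks[original]));
        }
    }
    for (size_t entry = 0; entry < code.numEntrypoints; ++entry) {
        for (size_t original : toClone) {
            Block& clone = code.blocks[cloneIndex[entry][original]];
            if (clone.terminal == Terminal::EntrySwitch) {
                // In this copy the Entry variable is known to equal `entry`.
                size_t arm = clone.successors[entry];
                clone.terminal = Terminal::Jump;
                clone.successors.assign(1, arm);
            }
            // Edges inside the region go to this entry's copies; edges leaving it stay shared.
            for (size_t& s : clone.successors)
                if (toClone.count(s))
                    s = cloneIndex[entry][s];
        }
    }
    code.entrypoints.clear();
    for (size_t entry = 0; entry < code.numEntrypoints; ++entry)
        code.entrypoints.push_back(toClone.count(code.root) ? cloneIndex[entry][code.root] : code.root);
    return code.blocks.size() - originalCount;
}

// Constructed sample: root 0 -> 1; 1 is EntrySwitch{2, 3}; 2 -> 4; 3 -> 4; 4 returns.
Code sampleCode()
{
    Code code;
    code.blocks = {
        { Terminal::Jump, { 1 } },
        { Terminal::EntrySwitch, { 2, 3 } },
        { Terminal::Jump, { 4 } },
        { Terminal::Jump, { 4 } },
        { Terminal::Return, {} },
    };
    code.numEntrypoints = 2;
    return code;
}
} // namespace EntrySwitchToy

int main()
{
    EntrySwitchToy::Code code = EntrySwitchToy::sampleCode();
    size_t added = EntrySwitchToy::lowerEntrySwitch(code);
    std::printf("added %zu blocks; entrypoint 0 -> block %zu, entrypoint 1 -> block %zu\n", added, code.entrypoints[0], code.entrypoints[1]);
}
```

On the sample, only blocks 0 and 1 are cloned; blocks 2, 3 and 4 stay shared by both entrypoints, which is the "only code before the EntrySwitch gets cloned" property described in the entry.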
1760
1761 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
1762
1763         Unreviewed, fix broken test. I don't know why I goofed this up without seeing it before landing.
1764
1765         * b3/air/AirOpcode.opcodes:
1766         * b3/testb3.cpp:
1767         (JSC::B3::run):
1768
1769 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
1770
1771         [B3] Fusing immediates into test instructions should work again
1772         https://bugs.webkit.org/show_bug.cgi?id=160073
1773
1774         Reviewed by Sam Weinig.
1775
1776         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
1777         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
1778         was still using Imm!  This meant that isValidForm() always returned false.
1779         
1780         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
1781         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
1782         with the scratch register).
1783         
1784         This is not an obvious progression on anything, so I added comprehensive tests to
1785         testb3, which check that we selected the optimal instruction in a variety of situations.
1786         We should add more tests like this!
1787
1788         * b3/B3BasicBlock.h:
1789         (JSC::B3::BasicBlock::successorBlock):
1790         * b3/B3LowerToAir.cpp:
1791         (JSC::B3::Air::LowerToAir::createGenericCompare):
1792         * b3/B3LowerToAir.h:
1793         * b3/air/AirArg.cpp:
1794         (JSC::B3::Air::Arg::isRepresentableAs):
1795         (JSC::B3::Air::Arg::usesTmp):
1796         * b3/air/AirArg.h:
1797         (JSC::B3::Air::Arg::isRepresentableAs):
1798         (JSC::B3::Air::Arg::castToType):
1799         (JSC::B3::Air::Arg::asNumber):
1800         * b3/air/AirCode.h:
1801         (JSC::B3::Air::Code::size):
1802         (JSC::B3::Air::Code::at):
1803         * b3/air/AirOpcode.opcodes:
1804         * b3/air/AirValidate.h:
1805         * b3/air/opcode_generator.rb:
1806         * b3/testb3.cpp:
1807         (JSC::B3::compile):
1808         (JSC::B3::compileAndRun):
1809         (JSC::B3::lowerToAirForTesting):
1810         (JSC::B3::testSomeEarlyRegister):
1811         (JSC::B3::testBranchBitAndImmFusion):
1812         (JSC::B3::zero):
1813         (JSC::B3::run):
1814
1815 2016-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1816
1817         Unreviewed, update the exponentiation expression error message
1818         https://bugs.webkit.org/show_bug.cgi?id=159969
1819
1820         Follow up patch for r203499.
1821
1822         * parser/Parser.cpp:
1823         (JSC::Parser<LexerType>::parseBinaryExpression):
1824         * tests/stress/pow-expects-update-expression-on-lhs.js:
1825         (throw.new.Error):
1826
1827 2016-07-24  Darin Adler  <darin@apple.com>
1828
1829         Adding a new WebCore JavaScript built-in source file does not trigger rebuild of WebCoreJSBuiltins*
1830         https://bugs.webkit.org/show_bug.cgi?id=160115
1831
1832         Reviewed by Youenn Fablet.
1833
1834         * make-generated-sources.sh: Removed. Was unused.
1835
1836 2016-07-23  Commit Queue  <commit-queue@webkit.org>
1837
1838         Unreviewed, rolling out r203641.
1839         https://bugs.webkit.org/show_bug.cgi?id=160116
1840
1841         It broke make-based builds (Requested by youenn on #webkit).
1842
1843         Reverted changeset:
1844
1845         "[Fetch API] Request should be created with any HeadersInit
1846         data"
1847         https://bugs.webkit.org/show_bug.cgi?id=159672
1848         http://trac.webkit.org/changeset/203641
1849
1850 2016-07-23  Youenn Fablet  <youenn@apple.com>
1851
1852         [Fetch API] Request should be created with any HeadersInit data
1853         https://bugs.webkit.org/show_bug.cgi?id=159672
1854
1855         Reviewed by Sam Weinig.
1856
1857         * Scripts/builtins/builtins_generator.py:
1858         (WK_lcfirst): Synchronized with CodeGenerator.pm version.
1859
1860 2016-07-21  Filip Pizlo  <fpizlo@apple.com>
1861
1862         Teach MarkedSpace how to allocate auxiliary storage
1863         https://bugs.webkit.org/show_bug.cgi?id=160053
1864
1865         Reviewed by Sam Weinig.
1866         
1867         Previously, we had two kinds of subspaces in MarkedSpace: destructor and non-destructor. This
1868         was described using "bool needsDestruction" that would get passed around. We'd iterate over
1869         these spaces using duplicated code - one loop for destructors and one for non-destructors, or
1870         a single loop that does one thing for destructors and one for non-destructors.
1871         
1872         But now we want a third subspace: non-destructor non-JSCell, aka Auxiliary.
1873         
1874         So, this changes all of the reflection and iteration over subspaces to use functors, so that
1875         the looping is written once and reused. Most places don't even have to know that there is a
1876         third subspace; they just know that they must do things for each subspace, for each
1877         allocator, or for each block - and the functor magic handles it for you.
1878         
1879         To make this somewhat nice, this change also fixes how we describe subspaces. Instead of a
1880         bool, we now have AllocatorAttributes, which is a struct. If we ever add more subspaces, we
1881         can add fields to AllocatorAttributes to describe how those subspaces differ. For now it just
1882         contains two properties: a DestructionMode and a HeapCell::Kind. The DestructionMode
1883         replaces bool needsDestruction. I deliberately used a non-class enum to avoid tautologies.
1884         DestructionMode has two members: NeedsDestruction and DoesNotNeedDestruction. I almost went
1885         with DestructionMode::Needed and DestructionMode::NotNeeded, but I felt like that involves
1886         more typing and doesn't actually avoid any kind of namespace issues.
1887         
1888         This is intended to have no behavior change other than the addition of a totally unused
1889         space, which should always be empty. So hopefully it doesn't cost anything.
1890
1891         * CMakeLists.txt:
1892         * JavaScriptCore.xcodeproj/project.pbxproj:
1893         * heap/AllocatorAttributes.cpp: Added.
1894         (JSC::AllocatorAttributes::dump):
1895         * heap/AllocatorAttributes.h: Added.
1896         (JSC::AllocatorAttributes::AllocatorAttributes):
1897         * heap/DestructionMode.cpp: Added.
1898         (WTF::printInternal):
1899         * heap/DestructionMode.h: Added.
1900         * heap/Heap.h:
1901         * heap/MarkedAllocator.cpp:
1902         (JSC::MarkedAllocator::allocateBlock):
1903         (JSC::MarkedAllocator::addBlock):
1904         * heap/MarkedAllocator.h:
1905         (JSC::MarkedAllocator::cellSize):
1906         (JSC::MarkedAllocator::attributes):
1907         (JSC::MarkedAllocator::needsDestruction):
1908         (JSC::MarkedAllocator::destruction):
1909         (JSC::MarkedAllocator::cellKind):
1910         (JSC::MarkedAllocator::heap):
1911         (JSC::MarkedAllocator::takeLastActiveBlock):
1912         (JSC::MarkedAllocator::MarkedAllocator):
1913         (JSC::MarkedAllocator::init):
1914         (JSC::MarkedAllocator::allocate):
1915         * heap/MarkedBlock.cpp:
1916         (JSC::MarkedBlock::create):
1917         (JSC::MarkedBlock::destroy):
1918         (JSC::MarkedBlock::MarkedBlock):
1919         (JSC::MarkedBlock::callDestructor):
1920         (JSC::MarkedBlock::sweep):
1921         (JSC::MarkedBlock::stopAllocating):
1922         (JSC::MarkedBlock::didRetireBlock):
1923         * heap/MarkedBlock.h:
1924         (JSC::MarkedBlock::cellSize):
1925         (JSC::MarkedBlock::attributes):
1926         (JSC::MarkedBlock::needsDestruction):
1927         (JSC::MarkedBlock::destruction):
1928         (JSC::MarkedBlock::cellKind):
1929         (JSC::MarkedBlock::size):
1930         (JSC::MarkedBlock::forEachCell):
1931         (JSC::MarkedBlock::forEachLiveCell):
1932         (JSC::MarkedBlock::forEachDeadCell):
1933         * heap/MarkedSpace.cpp:
1934         (JSC::MarkedSpace::MarkedSpace):
1935         (JSC::MarkedSpace::~MarkedSpace):
1936         (JSC::MarkedSpace::lastChanceToFinalize):
1937         (JSC::MarkedSpace::resetAllocators):
1938         (JSC::MarkedSpace::forEachAllocator):
1939         (JSC::MarkedSpace::stopAllocating):
1940         (JSC::MarkedSpace::resumeAllocating):
1941         (JSC::MarkedSpace::isPagedOut):
1942         (JSC::MarkedSpace::freeBlock):
1943         (JSC::MarkedSpace::shrink):
1944         (JSC::MarkedSpace::clearNewlyAllocated):
1945         (JSC::clearNewlyAllocatedInBlock): Deleted.
1946         * heap/MarkedSpace.h:
1947         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
1948         (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor):
1949         (JSC::MarkedSpace::subspaceForAuxiliaryData):
1950         (JSC::MarkedSpace::allocatorFor):
1951         (JSC::MarkedSpace::destructorAllocatorFor):
1952         (JSC::MarkedSpace::auxiliaryAllocatorFor):
1953         (JSC::MarkedSpace::allocateWithoutDestructor):
1954         (JSC::MarkedSpace::allocateWithDestructor):
1955         (JSC::MarkedSpace::allocateAuxiliary):
1956         (JSC::MarkedSpace::forEachBlock):
1957         (JSC::MarkedSpace::didAddBlock):
1958         (JSC::MarkedSpace::capacity):
1959         (JSC::MarkedSpace::forEachSubspace):
1960
1961 2016-07-22  Saam Barati  <sbarati@apple.com>
1962
1963         REGRESSION(r203537): It made many tests crash on ARMv7 Linux platforms
1964         https://bugs.webkit.org/show_bug.cgi?id=160082
1965
1966         Reviewed by Keith Miller.
1967
1968         We were improperly linking the Jump in the link buffer.
1969         It caused us to be linking against the executable address
1970         which always has bit 0 set. We shouldn't be doing that.
1971         This patch fixes this, by using the same idiom that
1972         PolymorphicAccess uses to link a jump to out of line code.
1973
1974         * jit/JITMathIC.h:
1975         (JSC::JITMathIC::generateOutOfLine):
1976
1977 2016-07-22  Commit Queue  <commit-queue@webkit.org>
1978
1979         Unreviewed, rolling out r203603.
1980         https://bugs.webkit.org/show_bug.cgi?id=160096
1981
1982         Caused CLoop tests to fail with assertions (Requested by
1983         perarne on #webkit).
1984
1985         Reverted changeset:
1986
1987         "[Win] jsc.exe sometimes never exits."
1988         https://bugs.webkit.org/show_bug.cgi?id=158073
1989         http://trac.webkit.org/changeset/203603
1990
1991 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
1992
1993         [Win] jsc.exe sometimes never exits.
1994         https://bugs.webkit.org/show_bug.cgi?id=158073
1995
1996         Reviewed by Mark Lam.
1997
1998         Make sure the VM is deleted after the test has finished. This will gracefully stop the sampling profiler thread,
1999         and give the thread the opportunity to release the machine thread lock acquired in SamplingProfiler::takeSample.
2000         If the sampling profiler thread was terminated while holding the machine thread lock, the machine thread will
2001         not be able to grab the lock afterwards.
2002
2003         * jsc.cpp:
2004         (jscmain):
2005
2006 2016-07-22  Per Arne Vollan  <pvollan@apple.com>
2007
2008         Fix the Windows 64-bit build after r203537
2009         https://bugs.webkit.org/show_bug.cgi?id=160080
2010
2011         Reviewed by Csaba Osztrogonác.
2012
2013         Added new version of setupArgumentsWithExecState method.
2014
2015         * jit/CCallHelpers.h:
2016         (JSC::CCallHelpers::setupArgumentsWithExecState):
2017
2018 2016-07-22  Csaba Osztrogonác  <ossy@webkit.org>
2019
2020         [ARM] Unreviewed EABI buildfix after r203537.
2021
2022         * jit/CCallHelpers.h:
2023         (JSC::CCallHelpers::setupArgumentsWithExecState): Added.
2024
2025 2016-07-22  Youenn Fablet  <youenn@apple.com>
2026
2027         run-builtins-generator-tests should be able to test WebCore builtins wrapper with more than one file
2028         https://bugs.webkit.org/show_bug.cgi?id=159921
2029
2030         Reviewed by Brian Burg.
2031
2032         Updated built-in generator to generate only wrapper files when passed the --wrappers-only option.
2033         When this option is used, wrapper files are generated but no individual file is generated.
2034         When this option is not used, individual files are generated but no wrapper file is generated.
2035         This allows the builtin generator test runner to generate a single WebCore-Wrappers.h-result for all
2036         WebCore test files, as used for real in WebCore.
2037         Previously wrapper code was generated individually for each WebCore test file.
2038
2039         Added new built-in test file to cover the case of concatenating several guards in generated WebCore wrapper files.
2040
2041         * Scripts/generate-js-builtins.py:
2042         (concatenated_output_filename): Compute a decent name for wrapper files in case of test mode.
2043         (generate_bindings_for_builtins_files): When --wrappers-only is activated, this generates only the wrapper files, not the individual files.
2044         * Scripts/tests/builtins/WebCore-AnotherGuardedInternalBuiltin-Separate.js: Added.
2045         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: Added.
2046         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Removed wrapper code.
2047         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
2048         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Ditto.
2049         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
2050         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Removed wrapper code.
2051         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: Added, contains wrapper code for all WebCore valid test cases.
2052
2053 2016-07-21  Saam Barati  <sbarati@apple.com>
2054
2055         callOperation(.) variants in the DFG that explicitly take a tag/payload register should take a JSValueRegs instead
2056         https://bugs.webkit.org/show_bug.cgi?id=160007
2057
2058         Reviewed by Filip Pizlo.
2059
2060         This patch is the first step in my plan to remove all callOperation(.) variants
2061         in the various JITs and to unify them using a couple template variations.
2062         The steps are as follows:
2063         1. Replace all explicit tag/payload pairs with JSValueRegs in the DFG
2064         2. Replace all explicit tag/payload pairs with JSValueRegs in the baseline
2065         3. Remove callOperation(.) variants and teach setupArgumentsWithExecState
2066            about JSValueRegs.
2067
2068         * dfg/DFGSpeculativeJIT.cpp:
2069         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2070         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2071         (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
2072         (JSC::DFG::SpeculativeJIT::compilePutDynamicVar):
2073         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
2074         * dfg/DFGSpeculativeJIT.h:
2075         (JSC::DFG::SpeculativeJIT::callOperation):
2076         * dfg/DFGSpeculativeJIT32_64.cpp:
2077         (JSC::DFG::SpeculativeJIT::cachedGetById):
2078         (JSC::DFG::SpeculativeJIT::cachedPutById):
2079         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2080         (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal):
2081         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2082         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2083         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2084         (JSC::DFG::SpeculativeJIT::emitCall):
2085         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2086         (JSC::DFG::SpeculativeJIT::emitBranch):
2087         (JSC::DFG::SpeculativeJIT::compile):
2088
2089 2016-07-21  Saam Barati  <sbarati@apple.com>
2090
2091         op_add/ValueAdd should be an IC in all JIT tiers
2092         https://bugs.webkit.org/show_bug.cgi?id=159649
2093
2094         Reviewed by Benjamin Poulain.
2095
2096         This patch makes Add an IC inside all JIT tiers. It does so in a
2097         simple, but effective, way. We will try to generate an int+int add
2098         that will repatch itself if its type checks fail. Sometimes though,
2099         we have runtime type data saying that the add won't be int+int.
2100         In those cases, we will just generate a full snippet that doesn't patch itself.
2101         Other times, we may generate no inline code and defer to making a C call. A lot
2102         of this patch is just refactoring ResultProfile into what we're now calling ArithProfile.
2103         ArithProfile does everything ResultProfile used to do, and more. It records simple type
2104         data about the LHS/RHS operands it sees. This allows us to determine if an op_add
2105         has only seen int+int operands, etc. ArithProfile will also contain the ResultType
2106         for the LHS/RHS that the parser feeds into op_add. ArithProfile now fits into 32-bits.
2107         This means instead of having a side table like we did for ResultProfile, we just
2108         inject the ArithProfile into the bytecode instruction stream. This makes asking
2109         for ArithProfile faster; we no longer need to lock around this operation.
2110
2111         The size of an Add has gone down on average, but we can still do better.
2112         We still generate a lot of code because we generate calls to the slow path.
2113         I think we can make this better by moving the slow path to a shared thunk
2114         system. This patch mostly lays the foundation for future improvements to Add,
2115         and a framework to move all other arithmetic operations to be typed-based ICs.
2116
2117         Here is some data I took on the average op_add/ValueAdd size on various benchmarks:
2118                    |   JetStream  |  Speedometer |  Unity 3D  |
2119              ------|--------------|--------------|------------|
2120               Old  |  189 bytes   |  169 bytes   |  192 bytes |
2121              ------|--------------|--------------|------------|
2122               New  |  148 bytes   |  124 bytes   |  143 bytes |
2123              ------|--------------|--------------|------------|
2124
2125         Making an arithmetic IC is now easy. The JITMathIC class will hold a snippet
2126         generator as a member variable. To make a snippet an IC, you need to implement
2127         a generateInline(.) method, which generates the inline IC. Then, you need to
2128         generate the IC where you used to generate the snippet. When generating the
2129         IC, we need to inform JITMathIC of various data like we do with StructureStubInfo.
2130         We need to tell it about where the slow path starts, where the slow path call is, etc.
2131         When generating a JITMathIC, it may tell you that it didn't generate any code inline.
2132         This is a request to the user of JITMathIC to just generate a C call along the
2133         fast path. JITMathIC may also have the snippet tell it to just generate the full
2134         snippet instead of the int+int path along the fast path.
2135
2136         In subsequent patches, we can improve upon how we decide to generate int+int or
2137         the full snippet. I tried to get clever by having double+double, double+int, int+double,
2138         fast paths, but they didn't work out nearly as well as the int+int fast path. I ended up
2139         generating a lot of code when I did this and ended up using more memory than just generating
2140         the full snippet. There is probably some way we can be clever and generate specialized fast
2141         paths that are more successful than what I tried implementing, but I think it's worth deferring
2142         this to follow-up patches once the JITMathIC foundation has landed.
2143
2144         This patch also fixes a bug inside the slow path lambdas in the DFG.
2145         Before, it was not legal to emit an exception check inside them. Now,
2146         it is. So it's now easy to define arbitrary late paths using the DFG
2147         slow path lambda API.
2148
2149         * CMakeLists.txt:
2150         * JavaScriptCore.xcodeproj/project.pbxproj:
2151         * bytecode/ArithProfile.cpp: Added.
2152         (JSC::ArithProfile::emitObserveResult):
2153         (JSC::ArithProfile::shouldEmitSetDouble):
2154         (JSC::ArithProfile::emitSetDouble):
2155         (JSC::ArithProfile::shouldEmitSetNonNumber):
2156         (JSC::ArithProfile::emitSetNonNumber):
2157         (WTF::printInternal):
2158         * bytecode/ArithProfile.h: Added.
2159         (JSC::ObservedType::ObservedType):
2160         (JSC::ObservedType::sawInt32):
2161         (JSC::ObservedType::isOnlyInt32):
2162         (JSC::ObservedType::sawNumber):
2163         (JSC::ObservedType::isOnlyNumber):
2164         (JSC::ObservedType::sawNonNumber):
2165         (JSC::ObservedType::isOnlyNonNumber):
2166         (JSC::ObservedType::isEmpty):
2167         (JSC::ObservedType::bits):
2168         (JSC::ObservedType::withInt32):
2169         (JSC::ObservedType::withNumber):
2170         (JSC::ObservedType::withNonNumber):
2171         (JSC::ObservedType::withoutNonNumber):
2172         (JSC::ObservedType::operator==):
2173         (JSC::ArithProfile::ArithProfile):
2174         (JSC::ArithProfile::fromInt):
2175         (JSC::ArithProfile::lhsResultType):
2176         (JSC::ArithProfile::rhsResultType):
2177         (JSC::ArithProfile::lhsObservedType):
2178         (JSC::ArithProfile::rhsObservedType):
2179         (JSC::ArithProfile::setLhsObservedType):
2180         (JSC::ArithProfile::setRhsObservedType):
2181         (JSC::ArithProfile::tookSpecialFastPath):
2182         (JSC::ArithProfile::didObserveNonInt32):
2183         (JSC::ArithProfile::didObserveDouble):
2184         (JSC::ArithProfile::didObserveNonNegZeroDouble):
2185         (JSC::ArithProfile::didObserveNegZeroDouble):
2186         (JSC::ArithProfile::didObserveNonNumber):
2187         (JSC::ArithProfile::didObserveInt32Overflow):
2188         (JSC::ArithProfile::didObserveInt52Overflow):
2189         (JSC::ArithProfile::setObservedNonNegZeroDouble):
2190         (JSC::ArithProfile::setObservedNegZeroDouble):
2191         (JSC::ArithProfile::setObservedNonNumber):
2192         (JSC::ArithProfile::setObservedInt32Overflow):
2193         (JSC::ArithProfile::setObservedInt52Overflow):
2194         (JSC::ArithProfile::addressOfBits):
2195         (JSC::ArithProfile::observeResult):
2196         (JSC::ArithProfile::lhsSawInt32):
2197         (JSC::ArithProfile::lhsSawNumber):
2198         (JSC::ArithProfile::lhsSawNonNumber):
2199         (JSC::ArithProfile::rhsSawInt32):
2200         (JSC::ArithProfile::rhsSawNumber):
2201         (JSC::ArithProfile::rhsSawNonNumber):
2202         (JSC::ArithProfile::observeLHSAndRHS):
2203         (JSC::ArithProfile::bits):
2204         (JSC::ArithProfile::hasBits):
2205         (JSC::ArithProfile::setBit):
2206         * bytecode/CodeBlock.cpp:
2207         (JSC::CodeBlock::dumpRareCaseProfile):
2208         (JSC::CodeBlock::dumpArithProfile):
2209         (JSC::CodeBlock::dumpBytecode):
2210         (JSC::CodeBlock::addStubInfo):
2211         (JSC::CodeBlock::addJITAddIC):
2212         (JSC::CodeBlock::findStubInfo):
2213         (JSC::CodeBlock::resetJITData):
2214         (JSC::CodeBlock::shrinkToFit):
2215         (JSC::CodeBlock::dumpValueProfiles):
2216         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2217         (JSC::CodeBlock::arithProfileForBytecodeOffset):
2218         (JSC::CodeBlock::arithProfileForPC):
2219         (JSC::CodeBlock::couldTakeSpecialFastCase):
2220         (JSC::CodeBlock::dumpResultProfile): Deleted.
2221         (JSC::CodeBlock::resultProfileForBytecodeOffset): Deleted.
2222         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset): Deleted.
2223         (JSC::CodeBlock::ensureResultProfile): Deleted.
2224         * bytecode/CodeBlock.h:
2225         (JSC::CodeBlock::stubInfoBegin):
2226         (JSC::CodeBlock::stubInfoEnd):
2227         (JSC::CodeBlock::couldTakeSlowCase):
2228         (JSC::CodeBlock::numberOfResultProfiles): Deleted.
2229         * bytecode/MethodOfGettingAValueProfile.cpp:
2230         (JSC::MethodOfGettingAValueProfile::emitReportValue):
2231         * bytecode/MethodOfGettingAValueProfile.h:
2232         (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
2233         * bytecode/ValueProfile.cpp:
2234         (JSC::ResultProfile::emitDetectNumericness): Deleted.
2235         (JSC::ResultProfile::emitSetDouble): Deleted.
2236         (JSC::ResultProfile::emitSetNonNumber): Deleted.
2237         (WTF::printInternal): Deleted.
2238         * bytecode/ValueProfile.h:
2239         (JSC::getRareCaseProfileBytecodeOffset):
2240         (JSC::ResultProfile::ResultProfile): Deleted.
2241         (JSC::ResultProfile::bytecodeOffset): Deleted.
2242         (JSC::ResultProfile::specialFastPathCount): Deleted.
2243         (JSC::ResultProfile::didObserveNonInt32): Deleted.
2244         (JSC::ResultProfile::didObserveDouble): Deleted.
2245         (JSC::ResultProfile::didObserveNonNegZeroDouble): Deleted.
2246         (JSC::ResultProfile::didObserveNegZeroDouble): Deleted.
2247         (JSC::ResultProfile::didObserveNonNumber): Deleted.
2248         (JSC::ResultProfile::didObserveInt32Overflow): Deleted.
2249         (JSC::ResultProfile::didObserveInt52Overflow): Deleted.
2250         (JSC::ResultProfile::setObservedNonNegZeroDouble): Deleted.
2251         (JSC::ResultProfile::setObservedNegZeroDouble): Deleted.
2252         (JSC::ResultProfile::setObservedNonNumber): Deleted.
2253         (JSC::ResultProfile::setObservedInt32Overflow): Deleted.
2254         (JSC::ResultProfile::setObservedInt52Overflow): Deleted.
2255         (JSC::ResultProfile::addressOfFlags): Deleted.
2256         (JSC::ResultProfile::addressOfSpecialFastPathCount): Deleted.
2257         (JSC::ResultProfile::detectNumericness): Deleted.
2258         (JSC::ResultProfile::hasBits): Deleted.
2259         (JSC::ResultProfile::setBit): Deleted.
2260         (JSC::getResultProfileBytecodeOffset): Deleted.
2261         * bytecompiler/BytecodeGenerator.cpp:
2262         (JSC::BytecodeGenerator::emitBinaryOp):
2263         * dfg/DFGByteCodeParser.cpp:
2264         (JSC::DFG::ByteCodeParser::makeSafe):
2265         * dfg/DFGGraph.cpp:
2266         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2267         * dfg/DFGJITCompiler.cpp:
2268         (JSC::DFG::JITCompiler::exceptionCheck):
2269         * dfg/DFGSlowPathGenerator.h:
2270         (JSC::DFG::SlowPathGenerator::generate):
2271         * dfg/DFGSpeculativeJIT.cpp:
2272         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
2273         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
2274         (JSC::DFG::SpeculativeJIT::compileValueAdd):
2275         * dfg/DFGSpeculativeJIT.h:
2276         (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
2277         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
2278         (JSC::DFG::SpeculativeJIT::callOperation):
2279         * ftl/FTLLowerDFGToB3.cpp:
2280         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
2281         (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
2282         * jit/CCallHelpers.h:
2283         (JSC::CCallHelpers::setupArgumentsWithExecState):
2284         (JSC::CCallHelpers::setupArguments):
2285         * jit/JIT.h:
2286         * jit/JITAddGenerator.cpp:
2287         (JSC::JITAddGenerator::generateInline):
2288         (JSC::JITAddGenerator::generateFastPath):
2289         * jit/JITAddGenerator.h:
2290         (JSC::JITAddGenerator::JITAddGenerator):
2291         (JSC::JITAddGenerator::didEmitFastPath): Deleted.
2292         (JSC::JITAddGenerator::endJumpList): Deleted.
2293         (JSC::JITAddGenerator::slowPathJumpList): Deleted.
2294         * jit/JITArithmetic.cpp:
2295         (JSC::JIT::emit_op_jless):
2296         (JSC::JIT::emitSlow_op_urshift):
2297         (JSC::getOperandTypes):
2298         (JSC::JIT::emit_op_add):
2299         (JSC::JIT::emitSlow_op_add):
2300         (JSC::JIT::emit_op_div):
2301         (JSC::JIT::emit_op_mul):
2302         (JSC::JIT::emitSlow_op_mul):
2303         (JSC::JIT::emit_op_sub):
2304         (JSC::JIT::emitSlow_op_sub):
2305         * jit/JITDivGenerator.cpp:
2306         (JSC::JITDivGenerator::generateFastPath):
2307         * jit/JITDivGenerator.h:
2308         (JSC::JITDivGenerator::JITDivGenerator):
2309         * jit/JITInlines.h:
2310         (JSC::JIT::callOperation):
2311         * jit/JITMathIC.h: Added.
2312         (JSC::JITMathIC::doneLocation):
2313         (JSC::JITMathIC::slowPathStartLocation):
2314         (JSC::JITMathIC::slowPathCallLocation):
2315         (JSC::JITMathIC::generateInline):
2316         (JSC::JITMathIC::generateOutOfLine):
2317         (JSC::JITMathIC::finalizeInlineCode):
2318         * jit/JITMathICForwards.h: Added.
2319         * jit/JITMathICInlineResult.h: Added.
2320         * jit/JITMulGenerator.cpp:
2321         (JSC::JITMulGenerator::generateFastPath):
2322         * jit/JITMulGenerator.h:
2323         (JSC::JITMulGenerator::JITMulGenerator):
2324         * jit/JITOperations.cpp:
2325         * jit/JITOperations.h:
2326         * jit/JITSubGenerator.cpp:
2327         (JSC::JITSubGenerator::generateFastPath):
2328         * jit/JITSubGenerator.h:
2329         (JSC::JITSubGenerator::JITSubGenerator):
2330         * jit/Repatch.cpp:
2331         (JSC::readCallTarget):
2332         (JSC::ftlThunkAwareRepatchCall):
2333         (JSC::tryCacheGetByID):
2334         (JSC::repatchGetByID):
2335         (JSC::appropriateGenericPutByIdFunction):
2336         (JSC::tryCachePutByID):
2337         (JSC::repatchPutByID):
2338         (JSC::tryRepatchIn):
2339         (JSC::repatchIn):
2340         (JSC::linkSlowFor):
2341         (JSC::resetGetByID):
2342         (JSC::resetPutByID):
2343         (JSC::repatchCall): Deleted.
2344         * jit/Repatch.h:
2345         * llint/LLIntData.cpp:
2346         (JSC::LLInt::Data::performAssertions):
2347         * llint/LowLevelInterpreter.asm:
2348         * llint/LowLevelInterpreter32_64.asm:
2349         * llint/LowLevelInterpreter64.asm:
2350         * parser/ResultType.h:
2351         (JSC::ResultType::ResultType):
2352         (JSC::ResultType::isInt32):
2353         (JSC::ResultType::definitelyIsNumber):
2354         (JSC::ResultType::definitelyIsString):
2355         (JSC::ResultType::definitelyIsBoolean):
2356         (JSC::ResultType::mightBeNumber):
2357         (JSC::ResultType::isNotNumber):
2358         (JSC::ResultType::forBitOp):
2359         (JSC::ResultType::bits):
2360         (JSC::OperandTypes::OperandTypes):
2361         * runtime/CommonSlowPaths.cpp:
2362         (JSC::SLOW_PATH_DECL):
2363         (JSC::updateArithProfileForBinaryArithOp):
2364         (JSC::updateResultProfileForBinaryArithOp): Deleted.
2365         * tests/stress/op-add-exceptions.js: Added.
2366         (assert):
2367         (f1):
2368         (f2):
2369         (f3):
2370         (let.oException.valueOf):
2371         (foo):
2372         (ident):
2373         (bar):
2374
2375 2016-07-21  Csaba Osztrogonác  <ossy@webkit.org>
2376
2377         Clarify testing mode names in run-jsc-stress-tests
2378         https://bugs.webkit.org/show_bug.cgi?id=160021
2379
2380         Reviewed by Mark Lam.
2381
2382         Default should mean really default, not default with disabled FTL, renamed
2383         - runMozillaTestDefault to runMozillaTestNoFTL
2384         - runMozillaTestDefaultFTL to runMozillaTestDefault
2385         - runDefault to runNoFTL
2386         - runDefaultFTL to runDefault
2387         - runLayoutTestDefault to runLayoutTestNoFTL
2388         - runLayoutTestDefaultFTL to runLayoutTestDefault
2389         - runNoisyTestDefault to runNoisyTestNoFTL
2390         - runNoisyTestDefaultFTL to runNoisyTestDefault
2391
2392         * tests/mozilla/mozilla-tests.yaml:
2393         * tests/stress/lift-tdz-bypass-catch.js:
2394         * tests/stress/obscure-error-message-dont-crash.js:
2395         * tests/stress/shadow-chicken-disabled.js:
2396
2397 2016-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2398
2399         [ES7] Introduce exponentiation expression
2400         https://bugs.webkit.org/show_bug.cgi?id=159969
2401
2402         Reviewed by Saam Barati.
2403
2404         This patch implements the exponentiation expression, e.g. `x ** y`.
2405         The exponentiation expression is introduced in ECMA262 2016 and ECMA262 2016
2406         is already released. So this is not the draft spec.
2407
2408         The exponentiation expression has 2 interesting points.
2409
2410         1. Right associative
2411
2412             To follow the Math expression, the ** operator is right associative.
2413             When we execute `x ** y ** z`, this is handled as `x ** (y ** z)`, not `(x ** y) ** z`.
2414             This patch introduces the right associativity to the binary operator and handles it
2415             in the operator precedence parser in Parser.cpp.
2416
2417         2. LHS of the exponentiation expression is UpdateExpression
2418
2419             ExponentiationExpression[Yield]:
2420                 UnaryExpression[?Yield]
2421                 UpdateExpression[?Yield] ** ExponentiationExpression[?Yield]
2422
2423             As we can see, the left hand side of the ExponentiationExpression is UpdateExpression, not UnaryExpression.
2424             It means that `+x ** y` becomes a syntax error. This is intentional. Without superscript in JS,
2425             `-x**y` is confusing between `-(x ** y)` and `(-x) ** y`. So ECMA262 intentionally avoids UnaryExpression here.
2426             If we need to use a negated value, we need to write parentheses explicitly e.g. `(-x) ** y`.
2427             In this patch, we ensure that the left hand side is not a unary expression by checking an operator in
2428             parseBinaryExpression. This works since `**` has the highest operator precedence in the binary operators.
2429
2430         We introduce a new bytecode, op_pow. That simply works similarly to the other binary operators.
2431         And it is converted to ArithPow in DFG and handled in DFG and FTL.
2432         In this patch, we take the approach just introducing a new bytecode instead of calling Math.pow.
2433         This is because we would like to execute ToNumber in the caller side, not in the callee (Math.pow) side.
2434         And we don't want to compile ** into the following.
2435
2436             lhsNumber = to_number (lhs)
2437             rhsNumber = to_number (rhs)
2438             call Math.pow(lhsNumber, rhsNumber)
2439
2440         We ensure that this patch passes all the test262 tests related to the exponentiation expression.
2441
2442         The only sensitive part to the performance is the parser changes.
2443         So we measured the code-load performance and it is neutral in my x64 Linux box (hanayamata).
2444
2445             Collected 30 samples per benchmark/VM, with 30 VM invocations per benchmark. Emitted a call to
2446             gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used
2447             the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark
2448             execution times with 95% confidence intervals in milliseconds.
2449
2450                                      baseline                  patched
2451
2452             closure              0.60499+-0.00250          0.60180+-0.00244
2453             jquery               7.89175+-0.02433    ?     7.91287+-0.04759       ?
2454
2455             <geometric>          2.18499+-0.00523          2.18207+-0.00689         might be 1.0013x faster
2456
2457         * bytecode/BytecodeList.json:
2458         * bytecode/BytecodeUseDef.h:
2459         (JSC::computeUsesForBytecodeOffset):
2460         (JSC::computeDefsForBytecodeOffset):
2461         * bytecode/CodeBlock.cpp:
2462         (JSC::CodeBlock::dumpBytecode):
2463         * bytecompiler/NodesCodegen.cpp:
2464         (JSC::emitReadModifyAssignment):
2465         * dfg/DFGByteCodeParser.cpp:
2466         (JSC::DFG::ByteCodeParser::parseBlock):
2467         * dfg/DFGCapabilities.cpp:
2468         (JSC::DFG::capabilityLevel):
2469         * jit/JIT.cpp:
2470         (JSC::JIT::privateCompileMainPass):
2471         * jit/JIT.h:
2472         * jit/JITArithmetic.cpp:
2473         (JSC::JIT::emit_op_pow):
2474         * llint/LowLevelInterpreter.asm:
2475         * parser/ASTBuilder.h:
2476         (JSC::ASTBuilder::operatorStackShouldReduce):
2477         (JSC::ASTBuilder::makePowNode):
2478         (JSC::ASTBuilder::makeMultNode):
2479         (JSC::ASTBuilder::makeDivNode):
2480         (JSC::ASTBuilder::makeModNode):
2481         (JSC::ASTBuilder::makeSubNode):
2482         (JSC::ASTBuilder::makeBinaryNode):
2483         (JSC::ASTBuilder::operatorStackHasHigherPrecedence): Deleted.
2484         * parser/Lexer.cpp:
2485         (JSC::Lexer<T>::lex):
2486         * parser/NodeConstructors.h:
2487         (JSC::PowNode::PowNode):
2488         * parser/Nodes.h:
2489         * parser/Parser.cpp:
2490         (JSC::Parser<LexerType>::parseAssignmentExpression):
2491         (JSC::isUnaryOpExcludingUpdateOp):
2492         (JSC::Parser<LexerType>::parseBinaryExpression):
2493         (JSC::isUnaryOp): Deleted.
2494         * parser/ParserTokens.h:
2495         (JSC::isUpdateOp):
2496         (JSC::isUnaryOp):
2497         * parser/SyntaxChecker.h:
2498         (JSC::SyntaxChecker::operatorStackPop):
2499         * runtime/CommonSlowPaths.cpp:
2500         (JSC::SLOW_PATH_DECL):
2501         * runtime/CommonSlowPaths.h:
2502         * tests/stress/pow-basics.js: Added.
2503         (valuesAreClose):
2504         (mathPowDoubleDouble1):
2505         (mathPowDoubleInt1):
2506         (test1):
2507         (mathPowDoubleDouble2):
2508         (mathPowDoubleInt2):
2509         (test2):
2510         (mathPowDoubleDouble3):
2511         (mathPowDoubleInt3):
2512         (test3):
2513         (mathPowDoubleDouble4):
2514         (mathPowDoubleInt4):
2515         (test4):
2516         (mathPowDoubleDouble5):
2517         (mathPowDoubleInt5):
2518         (test5):
2519         (mathPowDoubleDouble6):
2520         (mathPowDoubleInt6):
2521         (test6):
2522         (mathPowDoubleDouble7):
2523         (mathPowDoubleInt7):
2524         (test7):
2525         (mathPowDoubleDouble8):
2526         (mathPowDoubleInt8):
2527         (test8):
2528         (mathPowDoubleDouble9):
2529         (mathPowDoubleInt9):
2530         (test9):
2531         (mathPowDoubleDouble10):
2532         (mathPowDoubleInt10):
2533         (test10):
2534         (mathPowDoubleDouble11):
2535         (mathPowDoubleInt11):
2536         (test11):
2537         * tests/stress/pow-coherency.js: Added.
2538         (pow42):
2539         (build42AsDouble.opaqueAdd):
2540         (build42AsDouble):
2541         (powDouble42):
2542         (clobber):
2543         (pow42NoConstantFolding):
2544         (powDouble42NoConstantFolding):
2545         * tests/stress/pow-evaluation-order.js: Added.
2546         (shouldBe):
2547         (throw.new.Error):
2548         * tests/stress/pow-expects-update-expression-on-lhs.js: Added.
2549         (testSyntax):
2550         (testSyntaxError):
2551         (throw.new.Error):
2552         (let.token.of.tokens.testSyntax.pow):
2553         (testSyntax.pow):
2554         * tests/stress/pow-integer-exponent-fastpath.js: Added.
2555         (valuesAreClose):
2556         (mathPowDoubleDoubleTestExponentFifty):
2557         (mathPowDoubleIntTestExponentFifty):
2558         (testExponentFifty):
2559         (mathPowDoubleDoubleTestExponentTenThousands):
2560         (mathPowDoubleIntTestExponentTenThousands):
2561         (testExponentTenThousands):
2562         * tests/stress/pow-nan-behaviors.js: Added.
2563         (testIntegerBaseWithNaNExponentStatic):
2564         (mathPowIntegerBaseWithNaNExponentDynamic):
2565         (testIntegerBaseWithNaNExponentDynamic):
2566         (testFloatingPointBaseWithNaNExponentStatic):
2567         (mathPowFloatingPointBaseWithNaNExponentDynamic):
2568         (testFloatingPointBaseWithNaNExponentDynamic):
2569         (testNaNBaseStatic):
2570         (mathPowNaNBaseDynamic1):
2571         (mathPowNaNBaseDynamic2):
2572         (mathPowNaNBaseDynamic3):
2573         (mathPowNaNBaseDynamic4):
2574         (testNaNBaseDynamic):
2575         (infiniteExponentsStatic):
2576         (mathPowInfiniteExponentsDynamic1):
2577         (mathPowInfiniteExponentsDynamic2):
2578         (mathPowInfiniteExponentsDynamic3):
2579         (mathPowInfiniteExponentsDynamic4):
2580         (infiniteExponentsDynamic):
2581         * tests/stress/pow-simple.js: Added.
2582         (shouldBe):
2583         (throw.new.Error):
2584         * tests/stress/pow-stable-results.js: Added.
2585         (opaquePow):
2586         (isIdentical):
2587         * tests/stress/pow-to-number-should-be-executed-in-code-side.js: Added.
2588         (shouldBe):
2589         (throw.new.Error):
2590         * tests/stress/pow-with-constants.js: Added.
2591         (exponentIsZero):
2592         (testExponentIsZero):
2593         (exponentIsOne):
2594         (testExponentIsOne):
2595         (powUsedAsSqrt):
2596         (testPowUsedAsSqrt):
2597         (powUsedAsOneOverSqrt):
2598         (testPowUsedAsOneOverSqrt):
2599         (powUsedAsSquare):
2600         (testPowUsedAsSquare):
2601         (intIntConstantsSmallNumbers):
2602         (intIntConstantsLargeNumbers):
2603         (intIntSmallConstants):
2604         (intDoubleConstants):
2605         (doubleDoubleConstants):
2606         (doubleIntConstants):
2607         (testBaseAndExponentConstantLiterals):
2608         (exponentIsIntegerConstant):
2609         (testExponentIsIntegerConstant):
2610         (exponentIsDoubleConstant):
2611         (testExponentIsDoubleConstant):
2612         (exponentIsInfinityConstant):
2613         (testExponentIsInfinityConstant):
2614         (exponentIsNegativeInfinityConstant):
2615         (testExponentIsNegativeInfinityConstant):
2616         * tests/stress/pow-with-never-NaN-exponent.js: Added.
2617         (exponentIsNonNanDouble1):
2618         (exponentIsNonNanDouble2):
2619         (testExponentIsDoubleConstant):
2620         * tests/test262.yaml:
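
Added example (not WebKit or JSC code): a small precedence-climbing parser in JavaScript that mirrors the two rules the entry above describes, right associativity of `**` and the UpdateExpression-only left operand. JSC implements this inside Parser.cpp's parseBinaryExpression; every name below (PRECEDENCE, UNARY_OPS, Parser, parseBinary, parseToSExpr, isSyntaxError, evaluate) is this example's own, and the grammar subset is an assumption of the example.

```javascript
// Added example (not WebKit/JSC code): precedence climbing with
//   1. `**` right associative:  x ** y ** z  ==  x ** (y ** z)
//   2. the left operand of `**` must be an UpdateExpression, so a bare
//      unary operator there (-x ** y) is a SyntaxError while (-x) ** y
//      and ++x ** y parse.
// Grammar subset assumed here: numbers, identifiers, parentheses,
// unary - + ! ++ --, binary + - * / **.
const PRECEDENCE = { "+": 1, "-": 1, "*": 2, "/": 2, "**": 3 };
const RIGHT_ASSOC = new Set(["**"]);
const UPDATE_OPS = new Set(["++", "--"]);            // the only prefix ops allowed on the LHS of **
const UNARY_OPS = new Set(["-", "+", "!", "++", "--"]);

function tokenize(src) {
  // Two-character operators come first so "**" and "++" are not split.
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|(\*\*|\+\+|--|[-+*\/!()]))/y;
  const tokens = [];
  src = src.trim();
  for (let pos = 0; pos < src.length; pos = re.lastIndex) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`Unexpected character at offset ${pos}`);
    if (m[1] !== undefined) tokens.push({ type: "num", value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: "ident", value: m[2] });
    else tokens.push({ type: "op", value: m[3] });
  }
  tokens.push({ type: "eof", value: null });
  return tokens;
}

class Parser {
  constructor(src) { this.tokens = tokenize(src); this.i = 0; }
  peek() { return this.tokens[this.i]; }
  next() { return this.tokens[this.i++]; }

  parseExpression() {
    const node = this.parseBinary(0);
    if (this.peek().type !== "eof") throw new SyntaxError(`Trailing token ${this.peek().value}`);
    return node;
  }

  // minPrec is the lowest operator precedence this call is allowed to consume.
  parseBinary(minPrec) {
    let lhs = this.parseUnary();
    for (;;) {
      const t = this.peek();
      const prec = t.type === "op" ? PRECEDENCE[t.value] : undefined;
      if (prec === undefined || prec < minPrec) return lhs;
      this.next();
      // Rule 2: a non-update unary operator directly on the left of ** is rejected.
      // A parenthesized operand has kind "paren", so (-x) ** y passes.
      if (t.value === "**" && lhs.kind === "unary")
        throw new SyntaxError(`Unary operator '${lhs.op}' cannot be the left operand of '**'`);
      // Rule 1: right-associative operators let the RHS consume the same precedence again;
      // left-associative ones require strictly higher precedence on the right.
      const rhs = this.parseBinary(RIGHT_ASSOC.has(t.value) ? prec : prec + 1);
      lhs = { kind: "binary", op: t.value, lhs, rhs };
    }
  }

  parseUnary() {
    const t = this.peek();
    if (t.type === "op" && UNARY_OPS.has(t.value)) {
      this.next();
      const expr = this.parseUnary();
      return { kind: UPDATE_OPS.has(t.value) ? "update" : "unary", op: t.value, expr };
    }
    return this.parsePrimary();
  }

  parsePrimary() {
    const t = this.next();
    if (t.type === "num") return { kind: "num", value: t.value };
    if (t.type === "ident") return { kind: "ident", name: t.value };
    if (t.type === "op" && t.value === "(") {
      const expr = this.parseBinary(0);
      const close = this.next();
      if (close.type !== "op" || close.value !== ")") throw new SyntaxError("Expected ')'");
      return { kind: "paren", expr };
    }
    throw new SyntaxError(`Unexpected token ${t.value === null ? "<eof>" : t.value}`);
  }
}

// S-expression rendering makes the associativity visible.
function sexpr(n) {
  switch (n.kind) {
    case "num": return String(n.value);
    case "ident": return n.name;
    case "paren": return sexpr(n.expr);
    case "unary": case "update": return `(${n.op} ${sexpr(n.expr)})`;
    case "binary": return `(${n.op} ${sexpr(n.lhs)} ${sexpr(n.rhs)})`;
  }
}
function parseToSExpr(src) { return sexpr(new Parser(src).parseExpression()); }

// True when the source is rejected, as the spec (and this patch) reject -x ** y.
function isSyntaxError(src) {
  try { new Parser(src).parseExpression(); return false; }
  catch (e) { if (e instanceof SyntaxError) return true; throw e; }
}

// Evaluator for the subset; `**` maps to Math.pow as op_pow/ArithPow do.
function evaluate(src, env = {}) {
  const go = (n) => {
    switch (n.kind) {
      case "num": return n.value;
      case "ident": return env[n.name];
      case "paren": return go(n.expr);
      case "unary": return n.op === "-" ? -go(n.expr) : n.op === "+" ? +go(n.expr) : !go(n.expr);
      case "update": return (env[n.expr.name] += n.op === "++" ? 1 : -1);
      case "binary": {
        const a = go(n.lhs), b = go(n.rhs);
        return n.op === "+" ? a + b : n.op === "-" ? a - b : n.op === "*" ? a * b
             : n.op === "/" ? a / b : Math.pow(a, b);
      }
    }
  };
  return go(new Parser(src).parseExpression());
}

console.log(parseToSExpr("x ** y ** z"));  // (** x (** y z))
console.log(evaluate("2 ** 3 ** 2"));      // 512, not 64
console.log(isSyntaxError("-x ** y"));     // true
```

The `lhs.kind === "unary"` check is the whole of rule 2: because `**` has the highest binary precedence, the left operand handed to it is always the raw result of `parseUnary`, so no other operator can have wrapped a unary node before `**` sees it, which is the same reason the JSC patch can do this check in parseBinaryExpression.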
2621
2622 2016-07-18  Filip Pizlo  <fpizlo@apple.com>
2623
2624         Switching on symbols should be fast
2625         https://bugs.webkit.org/show_bug.cgi?id=158892
2626
2627         Reviewed by Keith Miller.
2628         
2629         This does two things: fixes some goofs in our lowering of symbol equality and adds a new phase
2630         to B3 to infer switch statements from linear chains of branches.
2631         
2632         This changes how we compile equality to Symbols to constant-fold the load of the Symbol's UID.
2633         This is necessary for making switches on Symbols inferrable. This also gives us the ability to
2634         efficiently compile strict equality comparisons of SymbolUse and UntypedUse.
2635
2636         This adds a new phase to B3, which finds chains of branches that test for (in)equality on the
2637         same value and constants, and turns them into a Switch. This can turn O(n) code into
2638         O(log n) code, or even O(1) code if the switch cases are dense.
2639         
2640         This can make a big difference in JS. Say you write a switch in which the case statements are
2641         variable resolutions. The bytecode generator cannot use a bytecode switch in this case, since
2642         we're required to evaluate the resolutions in order. But in DFG IR, we will often turn those
2643         variable resolutions into constants, since we do that for any immutable singleton. This means
2644         that B3 will see a chain of Branches: the else case of one Branch will point to a basic block
2645         that does nothing but Branch on equality on the same value as the first Branch.
2646
2647         The inference algorithm is quite simple. The basic building block is the ability to summarize
2648         a block's switch behavior. For a block that ends in a switch, this is just the collection of
2649         switch cases. For a block that ends in a branch, we recognize Branch(Equal(value, const)),
2650         Branch(NotEqual(value, const)), and Branch(value). Each of these is summarized as if they
2651         were one-case switches. We infer a new switch if both some block and its sole predecessor
2652         can be described as switches on the same value, nothing shady is going on (like loops), and
2653         the block in question does no work other than this switch. In that case, the block is killed
2654         and its cases (which we get from the summary) are added to the predecessor's switch. This
2655         algorithm runs to fixpoint.
2656         
2657         * CMakeLists.txt:
2658         * JavaScriptCore.xcodeproj/project.pbxproj:
2659         * b3/B3Generate.cpp:
2660         (JSC::B3::generateToAir):
2661         * b3/B3InferSwitches.cpp: Added.
2662         (JSC::B3::inferSwitches):
2663         * b3/B3InferSwitches.h: Added.
2664         * b3/B3Procedure.h:
2665         (JSC::B3::Procedure::cfg):
2666         * b3/B3ReduceStrength.cpp:
2667         * b3/B3Value.cpp:
2668         (JSC::B3::Value::performSubstitution):
2669         (JSC::B3::Value::isFree):
2670         (JSC::B3::Value::dumpMeta):
2671         * b3/B3Value.h:
2672         * ftl/FTLLowerDFGToB3.cpp:
2673         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent):
2674         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2675         (JSC::FTL::DFG::LowerDFGToB3::lowSymbol):
2676         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID):
2677         (JSC::FTL::DFG::LowerDFGToB3::lowNonNullObject):
2678
2679 2016-07-20  Filip Pizlo  <fpizlo@apple.com>
2680
2681         FTL snippet generators should be able to request a different register for output and input
2682         https://bugs.webkit.org/show_bug.cgi?id=160010
2683         rdar://problem/27439330
2684
2685         Reviewed by Saam Barati.
2686         
2687         The BitOr and BitXor snippet generators have problems if the register for the right input is
2688         the same as the register for the result. We could fix those generators, but I'm not convinced
2689         that the other snippet generators don't have this bug. So, the approach that this patch takes
2690         is to teach the FTL to request that B3 use a different register for the result than for
2691         any input to the snippet patchpoint.
2692         
2693         Air already has the ability to let any instruction do an EarlyDef, which means exactly this.
2694         But B3 did not expose this via ValueRep. This patch exposes this in ValueRep as
2695         SomeEarlyRegister. That's most of the change.
2696         
2697         This adds a testb3 test for SomeEarlyRegister and a regression test for this particular
2698         problem. The regression test failed on trunk JSC before this.
2699
2700         * b3/B3LowerToAir.cpp:
2701         (JSC::B3::Air::LowerToAir::lower):
2702         * b3/B3PatchpointSpecial.cpp:
2703         (JSC::B3::PatchpointSpecial::forEachArg):
2704         (JSC::B3::PatchpointSpecial::admitsStack):
2705         * b3/B3StackmapSpecial.cpp:
2706         (JSC::B3::StackmapSpecial::forEachArgImpl):
2707         (JSC::B3::StackmapSpecial::isArgValidForRep):
2708         * b3/B3Validate.cpp:
2709         * b3/B3ValueRep.cpp:
2710         (JSC::B3::ValueRep::addUsedRegistersTo):
2711         (JSC::B3::ValueRep::dump):
2712         (WTF::printInternal):
2713         * b3/B3ValueRep.h:
2714         (JSC::B3::ValueRep::ValueRep):
2715         (JSC::B3::ValueRep::reg):
2716         (JSC::B3::ValueRep::isAny):
2717         (JSC::B3::ValueRep::isReg):
2718         (JSC::B3::ValueRep::isSomeRegister): Deleted.
2719         * b3/testb3.cpp:
2720         * ftl/FTLLowerDFGToB3.cpp:
2721         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
2722         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
2723         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
2724         * tests/stress/ftl-bit-xor-right-result-interference.js: Added.
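
An added illustration of the interference the entry above fixes, written against a toy register file rather than B3/Air (not JavaScriptCore code): a two-address OR/XOR snippet that is correct only when the result register does not alias the right input, beside an allocation policy in the spirit of the SomeEarlyRegister constraint, which picks a result register that aliases no input. The four-register machine, the register indices and the `Op` enum are assumptions made for the example.

```cpp
#include <array>
#include <cstdint>
#include <stdexcept>

// Toy target: four general-purpose registers and two-address instructions (the
// destination doubles as the first source), as on x86. Registers are indices.
using Regs = std::array<uint32_t, 4>;
enum class Op { Or, Xor };

// A binary snippet written the naive way: copy `left` into `result`, then combine
// `right` into it. Correct only when `result` does not alias `right`; otherwise the
// first move overwrites `right` before it has been read.
void emitBinaryTwoAddress(Regs& r, Op op, int result, int left, int right) {
    r[result] = r[left];                       // mov result, left
    if (op == Op::Or)  r[result] |= r[right];  // or  result, right
    else               r[result] ^= r[right];  // xor result, right
}

// Allocation policy in the spirit of an early def: the result must be a free
// register distinct from every input, so the snippet can never clobber an
// operand it has not consumed yet. Returns the chosen register index.
int allocateEarlyDef(const std::array<bool, 4>& inUse, int left, int right) {
    for (int i = 0; i < 4; ++i)
        if (!inUse[i] && i != left && i != right) return i;
    throw std::runtime_error("no register available for an early def");
}

// Reproduces the interference: result == right, the bad case from the bug.
// Yields left|left (Or) or 0 (Xor) instead of left op right.
uint32_t naiveWithResultAliasingRight(Op op, uint32_t a, uint32_t b) {
    Regs r{a, b, 0, 0};
    emitBinaryTwoAddress(r, op, /*result*/ 1, /*left*/ 0, /*right*/ 1);
    return r[1];
}

// Same operands, but the result register comes from the early-def policy.
uint32_t withEarlyDefResult(Op op, uint32_t a, uint32_t b) {
    Regs r{a, b, 0, 0};
    std::array<bool, 4> inUse{true, true, false, false};  // r0 and r1 hold the inputs
    int result = allocateEarlyDef(inUse, /*left*/ 0, /*right*/ 1);
    emitBinaryTwoAddress(r, op, result, 0, 1);
    return r[result];
}
```

Note that result aliasing the left input is harmless in two-address form (the move is then a no-op); only the right input is at risk, which is why a blanket "result differs from every input" constraint is the simple, safe choice when one does not want to audit each generator separately.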
2725
2726 2016-07-20  Michael Saboff  <msaboff@apple.com>
2727
2728         CrashOnOverflow in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets
2729         https://bugs.webkit.org/show_bug.cgi?id=159954
2730
2731         Reviewed by Benjamin Poulain.
2732
2733         YarrPatternConstructor::setupAlternativeOffsets() is using the checked arithmetic class
2734         Checked<> for offset calculations.  However, the default use will just crash on
2735         overflow.  Instead we should stop processing and propagate the error up the call stack.
2736
2737         Consolidated explicit error string with the common RegExp parsing error logic.
2738         Moved that logic to YarrPattern as that seems like a better common place to put it.
2739
2740         * jit/JITOperations.cpp:
2741         * llint/LLIntSlowPaths.cpp:
2742         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2743         * tests/stress/regress-159954.js: New test.
2744         * yarr/YarrParser.h:
2745         (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
2746         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
2747         (JSC::Yarr::Parser::Parser):
2748         (JSC::Yarr::Parser::isIdentityEscapeAnError):
2749         (JSC::Yarr::Parser::parseEscape):
2750         (JSC::Yarr::Parser::parseCharacterClass):
2751         (JSC::Yarr::Parser::parseParenthesesBegin):
2752         (JSC::Yarr::Parser::parseParenthesesEnd):
2753         (JSC::Yarr::Parser::parseQuantifier):
2754         (JSC::Yarr::Parser::parseTokens):
2755         (JSC::Yarr::Parser::parse):
2756         * yarr/YarrPattern.cpp:
2757         (JSC::Yarr::YarrPatternConstructor::disjunction):
2758         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
2759         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
2760         (JSC::Yarr::YarrPattern::errorMessage):
2761         (JSC::Yarr::YarrPattern::compile):
2762         * yarr/YarrPattern.h:
2763         (JSC::Yarr::YarrPattern::reset):
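
The error-propagating arithmetic the entry above calls for, as an added example (not WebKit's Checked<> or Yarr code): a small checked accumulator that records overflow instead of crashing, used to lay out frame offsets for a constructed alternative of quantified terms; on overflow the layout is reported as failed so a caller can turn it into a regexp compile error. `CheckedOffset`, `Term` and `Layout` are names chosen for the example.

```cpp
#include <cstdint>
#include <limits>
#include <vector>

// A checked unsigned accumulator with a record-overflow policy, in the spirit of
// WTF::Checked<T, RecordOverflow> (added example, not WebKit code). Once an
// overflow is recorded the object stays overflowed, so one check at the end of
// a computation is enough.
class CheckedOffset {
public:
    explicit CheckedOffset(uint32_t value = 0) : m_value(value) { }

    CheckedOffset& operator+=(uint32_t rhs) {
        if (m_overflowed) return *this;
        if (rhs > std::numeric_limits<uint32_t>::max() - m_value) markOverflowed();
        else m_value += rhs;
        return *this;
    }
    CheckedOffset& operator*=(uint32_t rhs) {
        if (m_overflowed) return *this;
        if (rhs && m_value > std::numeric_limits<uint32_t>::max() / rhs) markOverflowed();
        else m_value *= rhs;
        return *this;
    }
    bool hasOverflowed() const { return m_overflowed; }
    uint32_t unsafeGet() const { return m_value; }  // only meaningful while !hasOverflowed()

private:
    void markOverflowed() { m_overflowed = true; m_value = 0; }
    uint32_t m_value;
    bool m_overflowed = false;
};

// One term of a constructed toy alternative: `width` frame slots per repetition,
// repeated `count` times (a stand-in for a quantified Yarr term).
struct Term { uint32_t width; uint32_t count; };

// Frame layout of one alternative. `ok` is false if any offset overflowed; the
// caller propagates that as a compile error instead of crashing the process.
struct Layout {
    bool ok = false;
    std::vector<uint32_t> termOffsets;
    uint32_t end = 0;
};

Layout setupAlternativeOffsets(const std::vector<Term>& terms, uint32_t base) {
    Layout layout;
    CheckedOffset cursor(base);
    for (const Term& term : terms) {
        layout.termOffsets.push_back(cursor.unsafeGet());
        CheckedOffset termSize(term.width);
        termSize *= term.count;                       // width * count may overflow...
        if (termSize.hasOverflowed()) return layout;  // ...so stop and report; ok stays false
        cursor += termSize.unsafeGet();               // ...and so may the running offset
        if (cursor.hasOverflowed()) return layout;
    }
    layout.end = cursor.unsafeGet();
    layout.ok = true;
    return layout;
}
```

The two failing inputs in the checks below overflow in different places (the per-term product and the running sum); both come back as a failed layout rather than a process abort, which is the behaviour change the entry describes.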
2764
2765 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2766
2767         The default testing mode should not involve disabling the FTL JIT
2768         https://bugs.webkit.org/show_bug.cgi?id=159929
2769
2770         Rubber stamped by Mark Lam and Saam Barati.
2771         
2772         Use the new powers to make some tests run only in the default configuration (i.e. FTL,
2773         concurrent JIT).
2774
2775         * tests/mozilla/mozilla-tests.yaml:
2776
2777 2016-07-19  Keith Miller  <keith_miller@apple.com>
2778
2779         Test262 should have a file with the revision and url
2780         https://bugs.webkit.org/show_bug.cgi?id=159937
2781
2782         Reviewed by Mark Lam.
2783
2784         The file.
2785
2786         * tests/test262/test262-Revision.txt: Added.
2787
2788 2016-07-19  Anders Carlsson  <andersca@apple.com>
2789
2790         WebCore-7602.1.42 fails to build: error: private field 'm_vm' is not used
2791         https://bugs.webkit.org/show_bug.cgi?id=159944
2792         rdar://problem/27420308
2793
2794         Reviewed by Dan Bernstein.
2795
2796         Wrap the m_vm declaration and initialization in conditional guards.
2797
2798         * Scripts/builtins/builtins_generate_internals_wrapper_header.py:
2799         (generate_members):
2800         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2801         (BuiltinsInternalsWrapperImplementationGenerator.generate_constructor):
2802         Add guards.
2803
2804         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2805         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2806         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2807         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2808         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2809         Update expected results.
2810
2811 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2812
2813         REGRESSION (r203348-r203368): ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
2814         https://bugs.webkit.org/show_bug.cgi?id=159930
2815
2816         Reviewed by Geoffrey Garen.
2817         
2818         The problem is that the 32-bit DFG can flush the scope register as an unboxed cell, but the
2819         Register::scope() method was causing us to assert that it's a JSValue with proper cell
2820         boxing. We could have forced the DFG to flush it as a boxed JSValue, but I don't think that
2821         would have made anything better. This fixes the issue by teaching Register::scope() that it
2822         might see unboxed cells.
2823
2824         * runtime/JSScope.h:
2825         (JSC::Register::scope):
2826         (JSC::ExecState::lexicalGlobalObject):
2827
2828 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
2829
2830         B3 methods that mutate the successors array should take FrequentedBlock by value
2831         https://bugs.webkit.org/show_bug.cgi?id=159935
2832
2833         Reviewed by Michael Saboff.
2834         
2835         This bug was found by ASan testing. setSuccessors() takes a const FrequentedBlock&, and the
2836         caller that caused the ASan crash was doing:
2837
2838         block->setSuccessors(block->notTaken())
2839
2840         So, inside setSuccessors(), after we resize() the successors array, the const
2841         FrequentedBlock& points to nonsense.
2842
2843         The fix is to pass FrequentedBlock by value in all of these kinds of methods.
2844         
2845         No new tests, but ASan testing catches this instantly for anything that triggers CFG
2846         simplification in B3. So like half of our tests.
2847
2848         * b3/B3BasicBlock.cpp:
2849         (JSC::B3::BasicBlock::clearSuccessors):
2850         (JSC::B3::BasicBlock::appendSuccessor):
2851         (JSC::B3::BasicBlock::setSuccessors):
2852         * b3/B3BasicBlock.h:
2853         (JSC::B3::BasicBlock::successors):
2854         (JSC::B3::BasicBlock::successorBlock):
2855         * b3/B3Value.cpp:
2856         (JSC::B3::Value::replaceWithPhi):
2857         (JSC::B3::Value::replaceWithJump):
2858         (JSC::B3::Value::replaceWithOops):
2859         * b3/B3Value.h:
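
The dangling-reference hazard in the entry above, as an added example (not B3's code): a toy `FrequentedBlock`/`Block` pair with the corrected by-value `setSuccessors`, plus a function showing why a `const FrequentedBlock&` parameter that aliases an element of the very vector being resized is unsafe. The reference variant is deliberately not written out or called, since the aliasing call through it is undefined behaviour; instead the demonstration records addresses as integers and checks that the buffer moved.

```cpp
#include <cstdint>
#include <vector>

struct Block;

// A successor edge: target block plus edge frequency (toy stand-in for B3's
// FrequentedBlock; added example, not JavaScriptCore code).
struct FrequentedBlock {
    Block* block = nullptr;
    double frequency = 1.0;
};

struct Block {
    std::vector<FrequentedBlock> m_successors;

    FrequentedBlock& taken() { return m_successors[0]; }
    FrequentedBlock& notTaken() { return m_successors[1]; }

    // The corrected signature. `target` is a copy made before the successors
    // array is modified, so `block->setSuccessors(block->notTaken())` reads the
    // old element while it is still alive. A `const FrequentedBlock&` parameter
    // would instead refer into the storage that the calls below release.
    void setSuccessors(FrequentedBlock target) {
        m_successors.clear();
        m_successors.shrink_to_fit();  // drop the old buffer, as a reallocating resize would
        m_successors.push_back(target);
    }
};

// Why the reference variant is unsafe: a reference into a std::vector does not
// survive growth past the current capacity. Returns true if the buffer moved and
// the alias points into the old, now freed, buffer. Addresses are compared as
// integers so no freed memory is ever touched.
bool referenceIntoVectorIsInvalidatedByGrowth() {
    std::vector<FrequentedBlock> v(2);
    v.shrink_to_fit();
    const FrequentedBlock& alias = v[1];  // what a const& parameter would bind to
    uintptr_t oldBuffer = reinterpret_cast<uintptr_t>(v.data());
    uintptr_t aliasAddress = reinterpret_cast<uintptr_t>(&alias);
    v.resize(v.capacity() + 1);           // exceeds capacity: new allocation, old one freed
    uintptr_t newBuffer = reinterpret_cast<uintptr_t>(v.data());
    return newBuffer != oldBuffer && aliasAddress == oldBuffer + sizeof(FrequentedBlock);
}

// The aliasing call from the bug report, against the by-value version.
bool byValueSetSuccessorsKeepsNotTaken() {
    Block a, b, c;
    a.m_successors = { FrequentedBlock{&b, 0.75}, FrequentedBlock{&c, 0.25} };
    a.setSuccessors(a.notTaken());
    return a.m_successors.size() == 1
        && a.m_successors[0].block == &c
        && a.m_successors[0].frequency == 0.25;
}
```

AddressSanitizer catches the reference variant because the read of the parameter after `resize()` lands in a freed allocation; the by-value signature removes the aliasing entirely rather than relying on every caller to avoid it.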
2860
2861 2016-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2862
2863         Make builtin TypeErrors consistent
2864         https://bugs.webkit.org/show_bug.cgi?id=159899
2865
2866         Reviewed by Keith Miller.
2867
2868         Converge on the single TypeError for non-coercible this objects in builtins.
2869         Also update some other style to be more consistent within builtins.
2870
2871         * builtins/ArrayIteratorPrototype.js:
2872         (next):
2873         * builtins/ArrayPrototype.js:
2874         (values):
2875         (keys):
2876         (entries):
2877         (reduce):
2878         (reduceRight):
2879         (every):
2880         (forEach):
2881         (filter):
2882         (map):
2883         (some):
2884         (fill):
2885         (find):
2886         (findIndex):
2887         (includes):
2888         (sort):
2889         (concatSlowPath):
2890         (copyWithin):
2891         * builtins/StringPrototype.js:
2892         (match):
2893         (repeat):
2894         (padStart):
2895         (padEnd):
2896         (intrinsic.StringPrototypeReplaceIntrinsic.replace):
2897         (localeCompare):
2898         (search):
2899         (split):
2900         * tests/es6/String.prototype_methods_String.prototype.padEnd.js:
2901         * tests/es6/String.prototype_methods_String.prototype.padStart.js:
2902         * tests/stress/array-iterators-next-error-messages.js:
2903         (catch):
2904         * tests/stress/array-iterators-next-with-call.js:
2905         * tests/stress/regexp-match.js:
2906         (shouldThrow):
2907         * tests/stress/regexp-search.js:
2908         (shouldThrow):
2909
2910 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
2911
2912         Implement table-based switches in B3/Air
2913         https://bugs.webkit.org/show_bug.cgi?id=151141
2914
2915         Reviewed by Benjamin Poulain.
2916
2917         If a switch statement gets large, it's better to express it as an indirect jump rather than
2918         using a binary switch (divide-and-conquer tree of comparisons leading to O(log n) branches to
2919         get to the switch case). When dealing with integer switches, FTL will already use the B3
2920         Switch and expect this to get lowered as efficiently as possible; it's a bug that B3 will
2921         always use a binary switch rather than indirect jumps. When dealing with switches over some
2922         more sophisticated types, we'd want FTL to build an indirect jump table itself and use
2923         something like a hashtable to feed it. In that case, there will be no B3 Switch; we'll want
2924         some way for the FTL to directly express an indirect jump when emitting B3.
2925         
2926         This implies that we want B3 to have the ability to lower Switch to indirect jumps and to
2927         expose those indirect jumps in IR so that the FTL could do its own indirect jumps for
2928         switches over more complicated things like strings. But indirect jumps are tough to express
2929         in IR. For example, the LLVM approach ("indirectbr" and "blockaddress", see
2930         http://blog.llvm.org/2010/01/address-of-label-and-indirect-branches.html) means that some
2931         control flow edges cannot be split. Indirectbr takes an address as input and jumps to it, and
2932         blockaddress lets you build jump tables out of basic block addresses. This means that the
2933         compiler can never change any successor of an indirectbr, since the client will have already
2934         arranged for that indirectbr to jump to exactly those successors. We don't want such
2935         restrictions in B3, since B3 relies on being able to break critical edges for SSA conversion.
2936         Also, indirectbr is not cloneable, which would break any hope of doing specialization-based
2937         transformations like we want to do for multiple entrypoints (bug 159391). The goal of this
2938         change is to let clients do indirect jumps without placing any restrictions on IR.
2939         
2940         The trick is to allow Patchpoints to be used as block terminals. Patchpoints already allow
2941         clients of B3 to emit whatever code they like. Patchpoints are friendly to B3's other
2942         transformations because the client of the patchpoint has to play along with whatever
2943         decisions B3 had made around the patchpoint: what registers got used, what the control flow
2944         looks like, etc. Patchpoints can even be cloned by B3, and the client has to accommodate this
2945         in their patchpoint generator. It turns out that using Patchpoints as terminals is quite
2946         natural. We accomplish this by moving the successor edges out of ControlValue and into
2947         BasicBlock, and removing ControlValue entirely. This way, any Value subclass can be a
2948         terminal. It was already true that a Value is a terminal if value->effects().terminal, which
2949         works great with Patchpoints since they control their effects via PatchpointValue::effects.
2950         You can make your Patchpoint into a terminal by placing it at the end of a block and doing:
2951         
2952         patchpoint->effects.terminal = true;
2953         
2954         A Patchpoint in terminal position gets access to additional API in StackmapGenerationParams.
2955         The generator can get a Box<Label> for each successor to its owning block. For example, to
2956         implement a jump-table-based switch, you would make your patchpoint take the table index as
2957         its sole input. Inside the generator, you allocate the jump table and emit a BaseIndex jump
2958         that uses the jump table pointer (which will be a constant known to the generator since it
2959         just allocated it) as the base and the patchpoint input as an index. The jump table can be
2960         populated by MacroAssemblerCodePtr's computed by installing a link task to resolve the labels
2961         to concrete locations. This change makes LowerMacros do such a lowering for Switches that can
2962         benefit from jump tables. This happens recursively: if the original Switch is too sparse, we
2963         will divide-and-conquer as before. If at any recursion step we find that the remaining cases
2964         are dense and large enough to profit from a jump table, then those cases will be lowered to a
2965         Patchpoint that does the table jump. This is a fun way to do stepwise lowering: LowerMacros
2966         is essentially pre-lowering the Switch directly to machine code, and wrapping that machine
2967         code in a Patchpoint so that the rest of the compiler doesn't have to know anything about
2968         what happened. I suspect that in the future we will want to do other pre-lowerings this way,
2969         whenever the B3 IR phases have some special knowledge about what machine code should be
2970         emitted and it would be annoying to drag that knowledge through the rest of the compiler.
2971         
2972         One downside of this change is that we used ControlValue in so many places. Most of this
2973         patch involves removing references to ControlValue. It would be less than 100kb if it wasn't
2974         for that. To make this a bit easier, I added "appendNewControlValue" methods to BasicBlock,
2975         which allocate a Value and set the successors as if you had done "appendNew<ControlValue>".
2976         This made for an easy search-and-replace in testb3 and FTLOutput. I filed bug 159440 to
2977         remove this ugly stopgap method.
2978         
2979         I think that we will also end up using this facility to extend our use of snippets. We
2980         already use shared snippet generators for the generic forms of arithmetic. We will probably
2981         also want to do this for generic forms of branches. This wouldn't have been possible prior to
2982         this change, since there would have been no way to emit a control snippet in FTL. Now we can
2983         emit control snippets using terminal patchpoints.
2984
2985         This is a ~30% speed-up on microbenchmarks that have big switch statements (~60 cases). It's
2986         not a speed-up on mainstream benchmarks.
2987         
2988         This also adds a new test to testb3 for terminal Patchpoints, Get, and Set. The FTL does not
2989         currently use terminal Patchpoints directly, but we want this to be possible. It also doesn't
2990         use Get/Set directly even though we want this to be possible. It's important to test these
2991         since opcodes that result from lowering don't affect early phases, so we could have
2992         regressions in early phases related to these opcodes that wouldn't be caught by any JS test.
2993         So, this adds a very basic threaded interpreter to testb3 for a Brainfuck-style language, and
2994         tests it by having it run a program that prints the numbers 1..100 in a loop. Unlike a real
2995         threaded interpreter, it uses a common dispatch block rather than having dispatch at the
2996         terminus of each opcode. That's necessary because PolyJump is not cloneable. The state of the
2997         interpreter is represented using Variables that we Get and Set, so it tests Get/Set as well.
2998
2999         * CMakeLists.txt:
3000         * JavaScriptCore.xcodeproj/project.pbxproj:
3001         * assembler/MacroAssemblerARM64.h:
3002         (JSC::MacroAssemblerARM64::jump):
3003         * assembler/MacroAssemblerX86Common.h:
3004         (JSC::MacroAssemblerX86Common::jump):
3005         * assembler/X86Assembler.h:
3006         (JSC::X86Assembler::jmp_m):
3007         * b3/B3BasicBlock.cpp:
3008         (JSC::B3::BasicBlock::append):
3009         (JSC::B3::BasicBlock::appendNonTerminal):
3010         (JSC::B3::BasicBlock::removeLast):
3011         (JSC::B3::BasicBlock::appendIntConstant):
3012         (JSC::B3::BasicBlock::clearSuccessors):
3013         (JSC::B3::BasicBlock::appendSuccessor):
3014         (JSC::B3::BasicBlock::setSuccessors):
3015         (JSC::B3::BasicBlock::replaceSuccessor):
3016         (JSC::B3::BasicBlock::addPredecessor):
3017         (JSC::B3::BasicBlock::deepDump):
3018         (JSC::B3::BasicBlock::appendNewControlValue):
3019         * b3/B3BasicBlock.h:
3020         (JSC::B3::BasicBlock::numSuccessors):
3021         (JSC::B3::BasicBlock::successor):
3022         (JSC::B3::BasicBlock::successors):
3023         (JSC::B3::BasicBlock::successorBlock):
3024         (JSC::B3::BasicBlock::successorBlocks):
3025         (JSC::B3::BasicBlock::numPredecessors):
3026         (JSC::B3::BasicBlock::predecessor):
3027         (JSC::B3::BasicBlock::frequency):
3028         * b3/B3BasicBlockInlines.h:
3029         (JSC::B3::BasicBlock::replaceLastWithNew):
3030         (JSC::B3::BasicBlock::taken):
3031         (JSC::B3::BasicBlock::notTaken):
3032         (JSC::B3::BasicBlock::fallThrough):
3033         (JSC::B3::BasicBlock::numSuccessors): Deleted.
3034         (JSC::B3::BasicBlock::successor): Deleted.
3035         (JSC::B3::BasicBlock::successors): Deleted.
3036         (JSC::B3::BasicBlock::successorBlock): Deleted.
3037         (JSC::B3::BasicBlock::successorBlocks): Deleted.
3038         * b3/B3BlockInsertionSet.cpp:
3039         (JSC::B3::BlockInsertionSet::splitForward):
3040         * b3/B3BreakCriticalEdges.cpp:
3041         (JSC::B3::breakCriticalEdges):
3042         * b3/B3CaseCollection.cpp: Added.
3043         (JSC::B3::CaseCollection::dump):
3044         * b3/B3CaseCollection.h: Added.
3045         (JSC::B3::CaseCollection::CaseCollection):
3046         (JSC::B3::CaseCollection::operator[]):
3047         (JSC::B3::CaseCollection::iterator::iterator):
3048         (JSC::B3::CaseCollection::iterator::operator*):
3049         (JSC::B3::CaseCollection::iterator::operator++):
3050         (JSC::B3::CaseCollection::iterator::operator==):
3051         (JSC::B3::CaseCollection::iterator::operator!=):
3052         (JSC::B3::CaseCollection::begin):
3053         (JSC::B3::CaseCollection::end):
3054         * b3/B3CaseCollectionInlines.h: Added.
3055         (JSC::B3::CaseCollection::fallThrough):
3056         (JSC::B3::CaseCollection::size):
3057         (JSC::B3::CaseCollection::at):
3058         * b3/B3CheckSpecial.cpp:
3059         (JSC::B3::CheckSpecial::CheckSpecial):
3060         (JSC::B3::CheckSpecial::hiddenBranch):
3061         * b3/B3Common.h:
3062         (JSC::B3::is64Bit):
3063         * b3/B3ControlValue.cpp: Removed.
3064         * b3/B3ControlValue.h: Removed.
3065         * b3/B3DataSection.cpp:
3066         (JSC::B3::DataSection::DataSection):
3067         * b3/B3DuplicateTails.cpp:
3068         * b3/B3FixSSA.cpp:
3069         * b3/B3FoldPathConstants.cpp:
3070         * b3/B3LowerMacros.cpp:
3071         * b3/B3LowerToAir.cpp:
3072         (JSC::B3::Air::LowerToAir::run):
3073         (JSC::B3::Air::LowerToAir::lower):
3074         * b3/B3MathExtras.cpp:
3075         (JSC::B3::powDoubleInt32):
3076         * b3/B3Opcode.h:
3077         (JSC::B3::isConstant):
3078         (JSC::B3::isDefinitelyTerminal):
3079         * b3/B3PatchpointSpecial.cpp:
3080         (JSC::B3::PatchpointSpecial::generate):
3081         (JSC::B3::PatchpointSpecial::isTerminal):
3082         (JSC::B3::PatchpointSpecial::dumpImpl):
3083         * b3/B3PatchpointSpecial.h:
3084         * b3/B3Procedure.cpp:
3085         (JSC::B3::Procedure::resetReachability):
3086         * b3/B3Procedure.h:
3087         (JSC::B3::Procedure::lastPhaseName):
3088         (JSC::B3::Procedure::byproducts):
3089         * b3/B3ReduceStrength.cpp:
3090         * b3/B3StackmapGenerationParams.cpp:
3091         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
3092         (JSC::B3::StackmapGenerationParams::successorLabels):
3093         (JSC::B3::StackmapGenerationParams::fallsThroughToSuccessor):
3094         (JSC::B3::StackmapGenerationParams::proc):
3095         * b3/B3StackmapGenerationParams.h:
3096         (JSC::B3::StackmapGenerationParams::gpScratch):
3097         (JSC::B3::StackmapGenerationParams::fpScratch):
3098         * b3/B3SwitchValue.cpp:
3099         (JSC::B3::SwitchValue::~SwitchValue):
3100         (JSC::B3::SwitchValue::removeCase):
3101         (JSC::B3::SwitchValue::hasFallThrough):
3102         (JSC::B3::SwitchValue::setFallThrough):
3103         (JSC::B3::SwitchValue::appendCase):
3104         (JSC::B3::SwitchValue::dumpSuccessors):
3105         (JSC::B3::SwitchValue::dumpMeta):
3106         (JSC::B3::SwitchValue::cloneImpl):
3107         (JSC::B3::SwitchValue::SwitchValue):
3108         * b3/B3SwitchValue.h:
3109         (JSC::B3::SwitchValue::accepts):
3110         (JSC::B3::SwitchValue::caseValues):
3111         (JSC::B3::SwitchValue::cases):
3112         (JSC::B3::SwitchValue::fallThrough): Deleted.
3113         (JSC::B3::SwitchValue::size): Deleted.
3114         (JSC::B3::SwitchValue::at): Deleted.
3115         (JSC::B3::SwitchValue::operator[]): Deleted.
3116         (JSC::B3::SwitchValue::iterator::iterator): Deleted.
3117         (JSC::B3::SwitchValue::iterator::operator*): Deleted.
3118         (JSC::B3::SwitchValue::iterator::operator++): Deleted.
3119         (JSC::B3::SwitchValue::iterator::operator==): Deleted.
3120         (JSC::B3::SwitchValue::iterator::operator!=): Deleted.
3121         (JSC::B3::SwitchValue::begin): Deleted.
3122         (JSC::B3::SwitchValue::end): Deleted.
3123         * b3/B3Validate.cpp:
3124         * b3/B3Value.cpp:
3125         (JSC::B3::Value::replaceWithPhi):
3126         (JSC::B3::Value::replaceWithJump):
3127         (JSC::B3::Value::replaceWithOops):
3128         (JSC::B3::Value::dump):
3129         (JSC::B3::Value::deepDump):
3130         (JSC::B3::Value::dumpSuccessors):
3131         (JSC::B3::Value::negConstant):
3132         (JSC::B3::Value::typeFor):
3133         * b3/B3Value.h:
3134         * b3/air/AirCode.cpp:
3135         (JSC::B3::Air::Code::addFastTmp):
3136         (JSC::B3::Air::Code::addDataSection):
3137         (JSC::B3::Air::Code::jsHash):
3138         * b3/air/AirCode.h:
3139         (JSC::B3::Air::Code::isFastTmp):
3140         (JSC::B3::Air::Code::setLastPhaseName):
3141         * b3/air/AirCustom.h:
3142         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
3143         (JSC::B3::Air::PatchCustom::isTerminal):
3144         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
3145         (JSC::B3::Air::PatchCustom::generate):
3146         (JSC::B3::Air::CCallCustom::admitsStack):
3147         (JSC::B3::Air::CCallCustom::isTerminal):
3148         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
3149         (JSC::B3::Air::ShuffleCustom::admitsStack):
3150         (JSC::B3::Air::ShuffleCustom::isTerminal):
3151         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
3152         * b3/air/AirGenerate.cpp:
3153         (JSC::B3::Air::generate):
3154         * b3/air/AirGenerationContext.h:
3155         * b3/air/AirInst.h:
3156         (JSC::B3::Air::Inst::hasNonControlEffects):
3157         * b3/air/AirSimplifyCFG.cpp:
3158         (JSC::B3::Air::simplifyCFG):
3159         * b3/air/AirSpecial.cpp:
3160         (JSC::B3::Air::Special::shouldTryAliasingDef):
3161         (JSC::B3::Air::Special::isTerminal):
3162         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
3163         * b3/air/AirSpecial.h:
3164         * b3/air/AirValidate.cpp:
3165         * b3/air/opcode_generator.rb:
3166         * b3/testb3.cpp:
3167         * ftl/FTLLowerDFGToB3.cpp:
3168         * ftl/FTLOutput.cpp:
3169         (JSC::FTL::Output::jump):
3170         (JSC::FTL::Output::branch):
3171         (JSC::FTL::Output::ret):
3172         (JSC::FTL::Output::unreachable):
3173         (JSC::FTL::Output::speculate):
3174         (JSC::FTL::Output::trap):
3175         (JSC::FTL::Output::anchor):
3176         (JSC::FTL::Output::decrementSuperSamplerCount):
3177         (JSC::FTL::Output::addIncomingToPhi):
3178         * ftl/FTLOutput.h:
3179         (JSC::FTL::Output::constIntPtr):
3180         (JSC::FTL::Output::callWithoutSideEffects):
3181         (JSC::FTL::Output::switchInstruction):
3182         (JSC::FTL::Output::phi):
3183         (JSC::FTL::Output::addIncomingToPhi):
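
The recursive lowering described in the entry above, as an added example (not JavaScriptCore's B3LowerMacros code): a switch over integer cases is lowered divide-and-conquer, and any run of cases that is dense and large enough becomes a jump table, with a bounds check in front of the table jump standing in for what the terminal Patchpoint would emit. The density and size thresholds, the `Node` tree and the integer block ids are assumptions of the example, not B3's actual heuristics.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Toy lowering of a Switch over integer cases, in the spirit of the B3 lowering
// described above (added example, not JavaScriptCore code). Blocks are integer ids.
// Dense, large enough runs of cases become a jump table; the rest is split
// divide-and-conquer into compare-and-branch nodes. Thresholds are assumptions.
struct Case { int64_t value; int block; };

struct Node {
    enum Kind { Leaf, Equal, Less, Table } kind = Leaf;
    int block = -1;                  // Leaf: target. Table: fallthrough for values outside the table
    int64_t pivot = 0;               // Equal/Less: the constant compared against
    std::unique_ptr<Node> lhs, rhs;  // Equal: taken / not taken. Less: value < pivot / value >= pivot
    int64_t tableBase = 0;           // Table: the value that maps to table[0]
    std::vector<int> table;          // Table: target per value; holes hold the fallthrough
};

static const size_t kMinTableCases = 4;  // assumption: smaller runs are not worth a table
static const double kMinDensity = 0.5;   // assumption: at least half of the slots must be used

static bool isDense(const std::vector<Case>& cases, size_t lo, size_t hi) {
    size_t count = hi - lo;
    if (count < kMinTableCases) return false;
    double span = double(cases[hi - 1].value - cases[lo].value) + 1;
    return double(count) / span >= kMinDensity;
}

static std::unique_ptr<Node> leaf(int block) { auto n = std::make_unique<Node>(); n->block = block; return n; }

// Lowers cases[lo, hi), which are sorted by value and distinct.
static std::unique_ptr<Node> lower(const std::vector<Case>& cases, size_t lo, size_t hi, int fallThrough) {
    if (lo == hi) return leaf(fallThrough);
    auto node = std::make_unique<Node>();
    if (isDense(cases, lo, hi)) {
        node->kind = Node::Table;
        node->block = fallThrough;
        node->tableBase = cases[lo].value;
        node->table.assign(size_t(cases[hi - 1].value - node->tableBase) + 1, fallThrough);
        for (size_t i = lo; i < hi; ++i)
            node->table[size_t(cases[i].value - node->tableBase)] = cases[i].block;
        return node;
    }
    if (hi - lo == 1) {
        node->kind = Node::Equal;
        node->pivot = cases[lo].value;
        node->lhs = leaf(cases[lo].block);
        node->rhs = leaf(fallThrough);
        return node;
    }
    size_t mid = lo + (hi - lo) / 2;  // binary switch: halve the remaining cases
    node->kind = Node::Less;
    node->pivot = cases[mid].value;
    node->lhs = lower(cases, lo, mid, fallThrough);
    node->rhs = lower(cases, mid, hi, fallThrough);
    return node;
}

struct LoweredSwitch { std::unique_ptr<Node> root; };
LoweredSwitch lowerSwitch(std::vector<Case> cases, int fallThrough) {
    std::sort(cases.begin(), cases.end(), [](const Case& a, const Case& b) { return a.value < b.value; });
    return LoweredSwitch { lower(cases, 0, cases.size(), fallThrough) };
}

// Executes the lowered tree for one input and returns the target block.
int run(const Node& n, int64_t v) {
    switch (n.kind) {
    case Node::Leaf:  return n.block;
    case Node::Equal: return run(v == n.pivot ? *n.lhs : *n.rhs, v);
    case Node::Less:  return run(v < n.pivot ? *n.lhs : *n.rhs, v);
    case Node::Table:
        // The bounds check is what makes the indirect jump safe: without it an
        // out-of-range value would index past the table and jump through garbage.
        if (v < n.tableBase || uint64_t(v - n.tableBase) >= n.table.size()) return n.block;
        return n.table[size_t(v - n.tableBase)];
    }
    return -1;
}
int run(const LoweredSwitch& s, int64_t v) { return run(*s.root, v); }

size_t tableCount(const Node& n) { return (n.kind == Node::Table) + (n.lhs ? tableCount(*n.lhs) : 0) + (n.rhs ? tableCount(*n.rhs) : 0); }
size_t tableCount(const LoweredSwitch& s) { return tableCount(*s.root); }

// Cross-checks the lowering against a linear scan for every value in [from, to].
bool matchesLinearScan(const std::vector<Case>& cases, int fallThrough, int64_t from, int64_t to) {
    LoweredSwitch lowered = lowerSwitch(cases, fallThrough);
    for (int64_t v = from; v <= to; ++v) {
        int expected = fallThrough;
        for (const Case& c : cases) if (c.value == v) expected = c.block;
        if (run(lowered, v) != expected) return false;
    }
    return true;
}
```

A fully dense set of eight cases lowers to a single table; four widely spaced cases get no table at all; a mix of six adjacent cases and two far-away ones yields one table inside a binary split, which is the stepwise lowering the entry describes. The cross-check walks every input in a range through both the tree and a linear scan, including values below the table base and in the holes, which is where an unchecked table jump would go wrong.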
3184
3185 2016-07-18  Anders Carlsson  <andersca@apple.com>
3186
3187         WebKit nightly fails to build on macOS Sierra
3188         https://bugs.webkit.org/show_bug.cgi?id=159902
3189         rdar://problem/27365672
3190
3191         Reviewed by Tim Horton.
3192
3193         * icu/unicode/ucurr.h: Added.
3194         Add ucurr.h from ICU.
3195
3196 2016-07-18  Michael Saboff  <msaboff@apple.com>
3197
3198         ASSERTION FAILED: : (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) -- WTF/wtf/DateMath.cpp
3199         https://bugs.webkit.org/show_bug.cgi?id=159883
3200
3201         Reviewed by Filip Pizlo.
3202
3203         New test.
3204
3205         * tests/stress/regress-159883.js: Added.
3206
3207 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
3208
3209         MarkedBlocks should know that they can be used for more than JSCells
3210         https://bugs.webkit.org/show_bug.cgi?id=159643
3211
3212         Reviewed by Geoffrey Garen.
3213         
3214         This teaches the Heap that a MarkedBlock may hold either JSCells, or Auxiliary, which is
3215         not a JSCell. It teaches the heap and all of the things that walk the heap to ignore
3216         non-JSCells whenever they are looking for global objects, JSObjects, and things to trace
3217         for debugging or profiling. The idea is that we will be able to allocate butterflies and
3218         typed array backing stores as Auxiliary in MarkedSpace rather than allocating those things
3219         in CopiedSpace. That's what bug 159658 is all about.
3220         
3221         This gives us a new type, called HeapCell, which is just meant to be a class distinct from
3222         JSCell or any type we would use for Auxiliary. For convenience, JSCell is a subclass of
3223         HeapCell. HeapCell has an enum called HeapCell::Kind, which is either HeapCell::JSCell or
3224         HeapCell::Auxiliary. MarkedSpace no longer speaks of JSCells directly except when dealing
3225         with destruction.
3226         
3227         This change required doing a lot of stuff to all of those functor callbacks, since they
3228         now take HeapCell* instead of JSCell* and they take an extra HeapCell::Kind argument to
3229         tell them if they are dealing with JSCells or Auxiliary. I figured that this would be as
3230         good a time as any to convert those functors to being lambda-compatible. This means that
3231         operator() must be const. In some cases, converting the operator() to be const would have
3232         taken more work than just turning the whole thing into a lambda. Whenever this was the
3233         case, I converted the code to use lambdas. I left a lot of functors alone. In cases where
3234         the functor would benefit from being a lambda, for example because it would get rid of
3235         const_casts or mutables, I put in a FIXME referencing bug 159644.
3236
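        As an added illustration of the callback shape described above (example code written for this
        page, not JSC's own; the names HeapCell, JSCell, Auxiliary, zap/isZapped and the 0xDEADBEEF
        sentinel are toy stand-ins, and the scoped enum is an assumption), the walk below hands every
        functor a HeapCell* plus a HeapCell::Kind, and each functor checks the kind before casting.
        The check is what keeps a walker that is hunting for JSCells from reinterpreting an Auxiliary
        (a butterfly or a typed-array backing store) as an object header.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <vector>

// Toy stand-ins for JSC's HeapCell / JSCell / Auxiliary (assumed names, not JSC's code).
struct HeapCell {
    enum class Kind : uint8_t { JSCell, Auxiliary };
    static constexpr uint32_t zappedHeader = 0xDEADBEEF; // assumed sentinel
    uint32_t header = 0;
    void zap() { header = zappedHeader; }
    bool isZapped() const { return header == zappedHeader; }
};

struct JSCell : HeapCell {
    bool isGlobalObject = false;
};

// Raw storage (butterfly, typed-array backing store): same block as JSCells, but NOT a JSCell.
struct AuxiliaryCell : HeapCell {
    std::vector<uint8_t> bytes;
};

// Toy MarkedBlock: every slot records the cell's kind beside the cell pointer.
struct Block {
    struct Slot { HeapCell* cell; HeapCell::Kind kind; };
    std::deque<JSCell> jsCells;            // deque keeps element addresses stable
    std::deque<AuxiliaryCell> auxiliaries;
    std::vector<Slot> slots;

    void allocateJSCell(bool isGlobalObject)
    {
        jsCells.emplace_back();
        jsCells.back().isGlobalObject = isGlobalObject;
        slots.push_back({ &jsCells.back(), HeapCell::Kind::JSCell });
    }
    void allocateAuxiliary(size_t byteCount)
    {
        auxiliaries.emplace_back();
        auxiliaries.back().bytes.assign(byteCount, 0);
        slots.push_back({ &auxiliaries.back(), HeapCell::Kind::Auxiliary });
    }
};

// The walker passes (HeapCell*, Kind); the callback decides what the cell may be cast to.
template<typename Functor>
void forEachCell(Block& block, const Functor& functor)
{
    for (const Block::Slot& slot : block.slots)
        functor(slot.cell, slot.kind);
}

// Lambda-compatible functor: operator() is const, the count lives behind a reference member.
class CountGlobalObjects {
public:
    explicit CountGlobalObjects(size_t& count) : m_count(count) { }
    void operator()(HeapCell* cell, HeapCell::Kind kind) const
    {
        if (kind != HeapCell::Kind::JSCell)
            return; // Auxiliary: casting it to JSCell would be a type confusion
        if (static_cast<JSCell*>(cell)->isGlobalObject)
            m_count++;
    }
private:
    size_t& m_count;
};

void populateSampleBlock(Block& block) // constructed sample, not real heap data
{
    block.allocateJSCell(true);    // a global object
    block.allocateJSCell(false);   // an ordinary object
    block.allocateAuxiliary(64);   // e.g. a butterfly
    block.allocateJSCell(true);    // another global object
    block.allocateAuxiliary(128);  // e.g. a typed array backing store
}

size_t countGlobalObjects(Block& block)
{
    size_t count = 0;
    forEachCell(block, CountGlobalObjects(count));
    return count;
}

// Same walk as a lambda, this time looking only at Auxiliary cells.
size_t countAuxiliaryBytes(Block& block)
{
    size_t total = 0;
    forEachCell(block, [&](HeapCell* cell, HeapCell::Kind kind) {
        if (kind == HeapCell::Kind::Auxiliary)
            total += static_cast<AuxiliaryCell*>(cell)->bytes.size();
    });
    return total;
}

// Zap every cell regardless of kind (what a zombify pass does to dead cells).
size_t zapAll(Block& block)
{
    size_t zapped = 0;
    forEachCell(block, [&](HeapCell* cell, HeapCell::Kind) {
        cell->zap();
        if (cell->isZapped())
            zapped++;
    });
    return zapped;
}

size_t sampleGlobalObjectCount() { Block b; populateSampleBlock(b); return countGlobalObjects(b); }
size_t sampleAuxiliaryByteCount() { Block b; populateSampleBlock(b); return countAuxiliaryBytes(b); }
size_t sampleZappedCount() { Block b; populateSampleBlock(b); return zapAll(b); }

int main()
{
    std::printf("global objects: %zu\n", sampleGlobalObjectCount());   // 2
    std::printf("auxiliary bytes: %zu\n", sampleAuxiliaryByteCount()); // 192
    std::printf("zapped cells: %zu\n", sampleZappedCount());           // 5
    return 0;
}
```

        The functor form and the lambda form are interchangeable here because operator() is const;
        the kind check is the only thing standing between a JSCell-only walker and a bogus cast.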
3237         * CMakeLists.txt:
3238         * JavaScriptCore.xcodeproj/project.pbxproj:
3239         * debugger/Debugger.cpp:
3240         (JSC::Debugger::SetSteppingModeFunctor::SetSteppingModeFunctor):
3241         (JSC::Debugger::SetSteppingModeFunctor::operator()):
3242         (JSC::Debugger::ToggleBreakpointFunctor::ToggleBreakpointFunctor):
3243         (JSC::Debugger::ToggleBreakpointFunctor::operator()):
3244         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::ClearCodeBlockDebuggerRequestsFunctor):
3245         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator()):
3246         (JSC::Debugger::ClearDebuggerRequestsFunctor::ClearDebuggerRequestsFunctor):
3247         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator()):
3248         * heap/CodeBlockSet.h:
3249         (JSC::CodeBlockSet::iterate):
3250         * heap/HandleSet.h:
3251         (JSC::HandleNode::next):
3252         (JSC::HandleSet::forEachStrongHandle):
3253         * heap/Heap.cpp:
3254         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
3255         (JSC::GatherHeapSnapshotData::operator()):
3256         (JSC::RemoveDeadHeapSnapshotNodes::RemoveDeadHeapSnapshotNodes):
3257         (JSC::RemoveDeadHeapSnapshotNodes::operator()):
3258         (JSC::Heap::protectedGlobalObjectCount):
3259         (JSC::Heap::globalObjectCount):
3260         (JSC::Heap::protectedObjectCount):
3261         (JSC::Heap::protectedObjectTypeCounts):
3262         (JSC::Heap::objectTypeCounts):
3263         (JSC::Heap::deleteAllCodeBlocks):
3264         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
3265         (JSC::MarkedBlockSnapshotFunctor::operator()):
3266         (JSC::Zombify::visit):
3267         (JSC::Zombify::operator()):
3268         (JSC::Heap::zombifyDeadObjects):
3269         (JSC::Heap::flushWriteBarrierBuffer):
3270         * heap/Heap.h:
3271         (JSC::Heap::handleSet):
3272         (JSC::Heap::handleStack):
3273         * heap/HeapCell.cpp: Added.
3274         (WTF::printInternal):
3275         * heap/HeapCell.h: Added.
3276         (JSC::HeapCell::HeapCell):
3277         (JSC::HeapCell::zap):
3278         (JSC::HeapCell::isZapped):
3279         * heap/HeapInlines.h:
3280         (JSC::Heap::deprecatedReportExtraMemory):
3281         (JSC::Heap::forEachCodeBlock):
3282         (JSC::Heap::forEachProtectedCell):
3283         (JSC::Heap::allocateWithDestructor):
3284         * heap/HeapStatistics.cpp:
3285         (JSC::StorageStatistics::visit):