[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-06-01  Filip Pizlo  <fpizlo@apple.com>

        Structure::previousID() races with Structure::allocateRareData()
        https://bugs.webkit.org/show_bug.cgi?id=158280

        Reviewed by Mark Lam.
        
        The problem is that previousID() would test hasRareData() and then either load the
        previous Structure from the rare data, or load it directly. allocateRareData() would set
        the hasRareData() bit separately from moving the Structure pointer into the rare data. So
        we'd have a race that would cause previousID() to sometimes return the rarae data instead
        of the previous Structure.

        The fix is to get rid of the hasRareData bit. We can use the structureID of the
        previousOrRareData cell to determine if it's the previousID or the RareData. This fixes the
        race and it's probably not any slower.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::allocateRareData):
        * runtime/Structure.h:

2016-06-01  Michael Saboff  <msaboff@apple.com>

        Runaway WebContent process CPU & memory @ foxnews.com
        https://bugs.webkit.org/show_bug.cgi?id=158290

        Reviewed by Mark Lam.

        Clear the thrown value at the end of the catch block so that the stack scanner won't
        find the value during GC.

        Added a new stress test.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * tests/stress/recursive-try-catch.js: Added.
        (logError):
        (tryCallingBadFunction):
        (recurse):
        (test):

2016-06-01  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Some setters for components of Date do not timeClip() their result
        https://bugs.webkit.org/show_bug.cgi?id=158278
        rdar://problem/25131426

        Reviewed by Geoffrey Garen.

        Many of the setters where not doing timeClip() on the computed UTC
        time since Epoch.

        See http://www.ecma-international.org/ecma-262/6.0/#sec-date.prototype.setdate
        and the following sections for the definition.

        * runtime/DatePrototype.cpp:
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):

2016-06-01  Keith Miller  <keith_miller@apple.com>

        canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than structure watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=158291

        Reviewed by Benjamin Poulain.

        The old StringObject primitive access code used structure watchpoints. This meant that
        if you set a watchpoint on String.prototype prior to tiering up to the DFG then added
        a new property to String.prototype then we would never use StringObject optimizations.
        This made property caching in the LLInt bad because it meant we would watchpoint
        String.prototype very early in the program, which hurt date-format-xpab.js since that
        benchmark relies on the StringObject optimizations.

        This patch also extends ObjectPropertyConditionSet to be able to handle a slotBase
        equivalence condition. Since that makes the code for generating the DFG watchpoints
        significantly cleaner.

        * bytecode/ObjectPropertyCondition.cpp:
        (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition):
        (JSC::ObjectPropertyConditionSet::slotBaseCondition):
        (JSC::generateConditionsForPrototypeEquivalenceConcurrently):
        * bytecode/ObjectPropertyConditionSet.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isStringPrototypeMethodSane):
        (JSC::DFG::Graph::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.h:

2016-06-01  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling in r201436.
        https://bugs.webkit.org/show_bug.cgi?id=158143

        r201562 should haved fixed the Dromaeo DOM core regression.

        Restored changeset:

        "REGRESSION: JSBench spends a lot of time transitioning
        to/from dictionary"
        https://bugs.webkit.org/show_bug.cgi?id=158045
        http://trac.webkit.org/changeset/201436


2016-06-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r201488.
        https://bugs.webkit.org/show_bug.cgi?id=158268

        Caused 23% regression on JetStream's crypto-md5 (Requested by
        rniwa on #webkit).

        Reverted changeset:

        "[ESNext] Support trailing commas in function param lists"
        https://bugs.webkit.org/show_bug.cgi?id=158020
        http://trac.webkit.org/changeset/201488

2016-05-31  Geoffrey Garen  <ggaren@apple.com>

        Dictionary property access should be fast
        https://bugs.webkit.org/show_bug.cgi?id=158250

        Reviewed by Keith Miller.

        We have some remnant code that unnecessarily takes a slow path for
        dictionaries. This caused the Dromaeo regression in r201436. Let's fix
        that.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID): Attempt to flatten a dictionary if necessary, but
        not too much. This is our idiom in other places.

        (JSC::tryCachePutByID): See tryCacheGetByID.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache): See tryCacheGetByID.

        * runtime/JSObject.cpp:
        (JSC::JSObject::fillGetterPropertySlot):
        * runtime/JSObject.h:
        (JSC::JSObject::fillCustomGetterPropertySlot): The rules for caching a
        getter are the same as the rules for caching anything else: We're
        allowed to cache even in dictionaries, as long as they're cacheable
        dictionaries. Any transition that would change to/from getter/setter
        or change other attributes requires a structure transition.

2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop "replace" from JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL_NOT_IMPLEMENTED_YET
        https://bugs.webkit.org/show_bug.cgi?id=158223

        Reviewed by Darin Adler.

        This list maintains "not implemented yet" well-known symbols.
        `Symbol.replace` is already implemented.

        * runtime/CommonIdentifiers.h:

2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, roll out r201481, r201523: 0.3% regression in Octane code-load
        https://bugs.webkit.org/show_bug.cgi?id=158249

        * API/JSScriptRef.cpp:
        (parseScript):
        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/AsyncFunctionPrototype.js: Removed.
        (asyncFunctionResume): Deleted.
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset): Deleted.
        (JSC::computeDefsForBytecodeOffset): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::dumpBytecode): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::isArrowFunction):
        (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction): Deleted.
        (JSC::UnlinkedCodeBlock::isAsyncArrowFunction): Deleted.
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
        (JSC::BytecodeGenerator::emitNewMethodDefinition):
        (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon): Deleted.
        (JSC::BytecodeGenerator::emitNewFunction): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode): Deleted.
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::parse):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass): Deleted.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitNewFuncCommon): Deleted.
        (JSC::JIT::emit_op_new_async_func): Deleted.
        (JSC::JIT::emitNewFuncExprCommon): Deleted.
        (JSC::JIT::emit_op_new_async_func_exp): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        (runInteractive):
        (printUsageStatement): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createAsyncFunctionBody): Deleted.
        * parser/Keywords.table:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseImportClauseItem):
        (JSC::Parser<LexerType>::parseImportDeclaration):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Parser<LexerType>::parseArrowFunctionExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements): Deleted.
        (JSC::Parser<LexerType>::parseVariableDeclarationList): Deleted.
        (JSC::Parser<LexerType>::parseDestructuringPattern): Deleted.
        (JSC::Parser<LexerType>::parseFunctionDeclarationStatement): Deleted.
        (JSC::Parser<LexerType>::parseFormalParameters): Deleted.
        (JSC::stringForFunctionMode): Deleted.
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration): Deleted.
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement): Deleted.
        (JSC::Parser<LexerType>::parseAwaitExpression): Deleted.
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression): Deleted.
        (JSC::Parser<LexerType>::parseUnaryExpression): Deleted.
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
        (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
        (JSC::Parser::pushScope):
        (JSC::Parser::popScopeInternal):
        (JSC::Parser::matchSpecIdentifier):
        (JSC::parse):
        (JSC::Scope::setSourceParseMode): Deleted.
        (JSC::Scope::isAsyncFunction): Deleted.
        (JSC::Scope::isAsyncFunctionBoundary): Deleted.
        (JSC::Scope::isModule): Deleted.
        (JSC::Scope::setIsFunction): Deleted.
        (JSC::Scope::setIsAsyncArrowFunction): Deleted.
        (JSC::Scope::setIsAsyncFunction): Deleted.
        (JSC::Scope::setIsAsyncFunctionBody): Deleted.
        (JSC::Scope::setIsAsyncArrowFunctionBody): Deleted.
        (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError): Deleted.
        (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction): Deleted.
        (JSC::Parser::forceClassifyExpressionError): Deleted.
        (JSC::Parser::declarationTypeToVariableKind): Deleted.
        (JSC::Parser::upperScope): Deleted.
        (JSC::Parser::isDisallowedIdentifierAwait): Deleted.
        (JSC::Parser::disallowedIdentifierAwaitReason): Deleted.
        * parser/ParserModes.h:
        (JSC::isFunctionParseMode):
        (JSC::isModuleParseMode):
        (JSC::isProgramParseMode):
        (JSC::SourceParseModeSet::SourceParseModeSet): Deleted.
        (JSC::SourceParseModeSet::contains): Deleted.
        (JSC::SourceParseModeSet::mergeSourceParseModes): Deleted.
        (JSC::isAsyncFunctionParseMode): Deleted.
        (JSC::isAsyncArrowFunctionParseMode): Deleted.
        (JSC::isAsyncFunctionWrapperParseMode): Deleted.
        (JSC::isAsyncFunctionBodyParseMode): Deleted.
        (JSC::constructAbilityForParseMode): Deleted.
        * parser/ParserTokens.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::operator==):
        (JSC::SourceCodeKey::runtimeFlags): Deleted.
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createAsyncFunctionBody): Deleted.
        * runtime/AsyncFunctionConstructor.cpp: Removed.
        (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor): Deleted.
        (JSC::AsyncFunctionConstructor::finishCreation): Deleted.
        (JSC::callAsyncFunctionConstructor): Deleted.
        (JSC::constructAsyncFunctionConstructor): Deleted.
        (JSC::AsyncFunctionConstructor::getCallData): Deleted.
        (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
        * runtime/AsyncFunctionConstructor.h: Removed.
        (JSC::AsyncFunctionConstructor::create): Deleted.
        (JSC::AsyncFunctionConstructor::createStructure): Deleted.
        * runtime/AsyncFunctionPrototype.cpp: Removed.
        (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype): Deleted.
        (JSC::AsyncFunctionPrototype::finishCreation): Deleted.
        * runtime/AsyncFunctionPrototype.h: Removed.
        (JSC::AsyncFunctionPrototype::create): Deleted.
        (JSC::AsyncFunctionPrototype::createStructure): Deleted.
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::checkModuleSyntax):
        * runtime/Completion.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/Executable.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        * runtime/JSAsyncFunction.cpp: Removed.
        (JSC::JSAsyncFunction::JSAsyncFunction): Deleted.
        (JSC::JSAsyncFunction::createImpl): Deleted.
        (JSC::JSAsyncFunction::create): Deleted.
        (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint): Deleted.
        * runtime/JSAsyncFunction.h: Removed.
        (JSC::JSAsyncFunction::allocationSize): Deleted.
        (JSC::JSAsyncFunction::createStructure): Deleted.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        (JSC::JSGlobalObject::init): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::asyncFunctionPrototype): Deleted.
        (JSC::JSGlobalObject::asyncFunctionStructure): Deleted.
        * runtime/ModuleLoaderObject.cpp:
        (JSC::moduleLoaderObjectParseModule):
        * runtime/RuntimeFlags.h:
        (JSC::RuntimeFlags::operator==): Deleted.
        (JSC::RuntimeFlags::operator!=): Deleted.
        * tests/stress/async-await-basic.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (shouldThrow): Deleted.
        (shouldThrowAsync): Deleted.
        (shouldThrowSyntaxError): Deleted.
        (let.AsyncFunction.async): Deleted.
        (async.asyncFunctionForProto): Deleted.
        (Object.getPrototypeOf.async): Deleted.
        (Object.getPrototypeOf.async.method): Deleted.
        (async): Deleted.
        (async.method): Deleted.
        (async.asyncNonConstructorDecl): Deleted.
        (shouldThrow.new.async): Deleted.
        (shouldThrow.new.async.nonConstructor): Deleted.
        (async.asyncDecl): Deleted.
        (async.f): Deleted.
        (MyError): Deleted.
        (async.asyncDeclThrower): Deleted.
        (shouldThrowAsync.async): Deleted.
        (resolveLater): Deleted.
        (rejectLater): Deleted.
        (async.resumeAfterNormal): Deleted.
        (O.async.resumeAfterNormal): Deleted.
        (resumeAfterNormalArrow.async): Deleted.
        (async.resumeAfterThrow): Deleted.
        (O.async.resumeAfterThrow): Deleted.
        (resumeAfterThrowArrow.async): Deleted.
        (catch): Deleted.
        * tests/stress/async-await-module-reserved-word.js: Removed.
        (shouldThrow): Deleted.
        (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await): Deleted.
        (checkModuleSyntaxError.String.raw.await): Deleted.
        (checkModuleSyntaxError.String.raw.async.await): Deleted.
        (SyntaxError.Cannot.declare.named): Deleted.
        * tests/stress/async-await-mozilla.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (shouldThrow): Deleted.
        (shouldThrowAsync): Deleted.
        (assert): Deleted.
        (shouldThrowSyntaxError): Deleted.
        (mozSemantics.async.empty): Deleted.
        (mozSemantics.async.simpleReturn): Deleted.
        (mozSemantics.async.simpleAwait): Deleted.
        (mozSemantics.async.simpleAwaitAsync): Deleted.
        (mozSemantics.async.returnOtherAsync): Deleted.
        (mozSemantics.async.simpleThrower): Deleted.
        (mozSemantics.async.delegatedThrower): Deleted.
        (mozSemantics.async.tryCatch): Deleted.
        (mozSemantics.async.tryCatchThrow): Deleted.
        (mozSemantics.async.wellFinally): Deleted.
        (mozSemantics.async.finallyMayFail): Deleted.
        (mozSemantics.async.embedded.async.inner): Deleted.
        (mozSemantics.async.embedded): Deleted.
        (mozSemantics.async.fib): Deleted.
        (mozSemantics.async.isOdd.async.isEven): Deleted.
        (mozSemantics.async.isOdd): Deleted.
        (mozSemantics.hardcoreFib.async.fib2): Deleted.
        (mozSemantics.namedAsyncExpr.async.simple): Deleted.
        (mozSemantics.async.executionOrder.async.first): Deleted.
        (mozSemantics.async.executionOrder.async.second): Deleted.
        (mozSemantics.async.executionOrder.async.third): Deleted.
        (mozSemantics.async.executionOrder): Deleted.
        (mozSemantics.async.miscellaneous): Deleted.
        (mozSemantics.thrower): Deleted.
        (mozSemantics.async.defaultArgs): Deleted.
        (mozSemantics.shouldThrow): Deleted.
        (mozSemantics): Deleted.
        (mozMethods.X): Deleted.
        (mozMethods.X.prototype.async.getValue): Deleted.
        (mozMethods.X.prototype.setValue): Deleted.
        (mozMethods.X.prototype.async.increment): Deleted.
        (mozMethods.X.prototype.async.getBaseClassName): Deleted.
        (mozMethods.X.async.getStaticValue): Deleted.
        (mozMethods.Y.prototype.async.getBaseClassName): Deleted.
        (mozMethods.Y): Deleted.
        (mozFunctionNameInferrence.async.test): Deleted.
        (mozSyntaxErrors): Deleted.
        * tests/stress/async-await-reserved-word.js: Removed.
        (assert): Deleted.
        (shouldThrowSyntaxError): Deleted.
        (AsyncFunction.async): Deleted.
        * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (shouldThrowAsync): Deleted.
        (noArgumentsArrow2.async): Deleted.
        * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (shouldThrowAsync): Deleted.
        (C1): Deleted.
        (C2): Deleted.
        (shouldThrowAsync.async): Deleted.
        * tests/stress/async_arrow_functions_lexical_super_binding.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (BaseClass.prototype.baseClassValue): Deleted.
        (BaseClass.prototype.get property): Deleted.
        (BaseClass): Deleted.
        (ChildClass.prototype.asyncSuperProp): Deleted.
        (ChildClass.prototype.asyncSuperProp2): Deleted.
        (ChildClass): Deleted.
        (ChildClass2): Deleted.
        * tests/stress/async_arrow_functions_lexical_this_binding.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (d.y): Deleted.

2016-05-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r201363 and r201456.
        https://bugs.webkit.org/show_bug.cgi?id=158240

        "40% regression on date-format-xparb" (Requested by
        keith_miller on #webkit).

        Reverted changesets:

        "LLInt should be able to cache prototype loads for values in
        GetById"
        https://bugs.webkit.org/show_bug.cgi?id=158032
        http://trac.webkit.org/changeset/201363

        "get_by_id should support caching unset properties in the
        LLInt"
        https://bugs.webkit.org/show_bug.cgi?id=158136
        http://trac.webkit.org/changeset/201456

2016-05-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r201359.
        https://bugs.webkit.org/show_bug.cgi?id=158238

        "It was not a speedup on anything" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "We can cache lookups to JSScope::abstractResolve inside
        CodeBlock::finishCreation"
        https://bugs.webkit.org/show_bug.cgi?id=158036
        http://trac.webkit.org/changeset/201359

2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Recover parser performance regression by async support
        https://bugs.webkit.org/show_bug.cgi?id=158228

        Reviewed by Saam Barati.

        This patch recovers parser performance regression caused in r201481.

        Compared to the version that reverts r201481, still ~1% regression remains.
        But compared to ToT, this patch significantly improves the code-load performance.

        In Linux x64 JSCOnly port, with GCC 5.3.1.

        reverted v.s. patched.
                                 reverted                  patched

        closure              0.61805+-0.00376    ?     0.62280+-0.00525       ?
        jquery               8.03778+-0.02114          8.03453+-0.04646

        <geometric>          2.22883+-0.00836    ?     2.23688+-0.00995       ? might be 1.0036x slower

        ToT v.s. patched.
                                 baseline                  patched

        closure              0.65490+-0.00351    ^     0.62473+-0.00363       ^ definitely 1.0483x faster
        jquery               8.25373+-0.06256    ^     8.04701+-0.03455       ^ definitely 1.0257x faster

        <geometric>          2.32488+-0.00921    ^     2.24210+-0.00592       ^ definitely 1.0369x faster

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        Extend SourceParseMode.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        Do not call `matchSpecIdentifier()` as much as we can. This greatly improves the performance.

        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        Do not touch `currentScope()->isGenerator()` even if it is unnecessary in parseFunctionInfo.
        And accidental `syntaxChecker => context` changes are fixed.

        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseImportClauseItem):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        Do not use matchSpecIdentifier() in the hot paths.

        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText): Deleted.
        * parser/Parser.h:
        (JSC::isIdentifierOrKeyword):
        AWAIT shoud be one of the keywords. This AWAIT check is unnecessary.

        (JSC::Parser::upperScope):
        (JSC::Parser::matchSpecIdentifier):
        Touching currentScope() and its member causes significant performance degradation.
        We carefully remove the above access in the hot paths.

        (JSC::Parser::isDisallowedIdentifierAwait):
        * parser/ParserModes.h:
        (JSC::SourceParseModeSet::SourceParseModeSet):
        (JSC::SourceParseModeSet::contains):
        (JSC::SourceParseModeSet::mergeSourceParseModes):
        (JSC::isFunctionParseMode):
        (JSC::isAsyncFunctionParseMode):
        (JSC::isAsyncArrowFunctionParseMode):
        (JSC::isAsyncFunctionWrapperParseMode):
        (JSC::isAsyncFunctionBodyParseMode):
        (JSC::isModuleParseMode):
        (JSC::isProgramParseMode):
        (JSC::constructAbilityForParseMode):
        The parser frequently checks SourceParseMode. And variety of SourceParseMode becomes many.
        So using switch onto SourceParseMode degrades the performance. Instead, we use bit tests to guard against
        many SourceParseModes. We expect that this will be efficiently compiled into test & jmp.

        * parser/ParserTokens.h:
        Change AWAIT to one of the keywords, as the same to YIELD / LET.

2016-05-31  Saam Barati  <sbarati@apple.com>

        Web Inspector: capturing with Allocations timeline causes GC to take 100x longer and cause frame drops
        https://bugs.webkit.org/show_bug.cgi?id=158054
        <rdar://problem/25280762>

        Reviewed by Joseph Pecoraro.

        HeapSnapshot::sweepCell was taking a long time on 
        http://bl.ocks.org/syntagmatic/6c149c08fc9cde682635
        because it has to do a binary search to find if
        an item is or is not in the list. 90% of the binary searches
        would not find anything. This resulted in a lot of wasted time.

        This patch adds a TinyBloomFilter member variable to HeapSnapshot.
        We use this filter to try to bypass doing a binary search when the
        filter tells us that a particular JSCell is definitely not in our
        list. This is a 2x speedup on the steady state GC of the above
        website.

        * heap/HeapSnapshot.cpp:
        (JSC::HeapSnapshot::appendNode):
        (JSC::HeapSnapshot::sweepCell):
        (JSC::HeapSnapshot::shrinkToFit):
        (JSC::HeapSnapshot::nodeForCell):
        * heap/HeapSnapshot.h:

2016-05-29  Saam barati  <sbarati@apple.com>

        Stack overflow crashes with deep or cyclic proxy prototype chains
        https://bugs.webkit.org/show_bug.cgi?id=157087

        Reviewed by Filip Pizlo and Mark Lam.

        Because a Proxy can call back into the JS runtime in arbitrary
        ways, we may have effectively cyclic prototype chains and property lookups
        by using a Proxy. We may also have arbitrarily long Proxy chains
        where we call into a C frame for each link in the Proxy chain.
        This means that every Proxy hook must be aware that it can stack overflow.
        Before, only certain hooks were aware of this fact. That was a bug,
        all hooks must assume they can stack overflow.

        Also, because we may have effectively cyclic prototype chains, we
        compile ProxyObject.cpp with -fno-optimize-sibling-calls. This prevents
        tail call optimization from happening on any of the calls from
        ProxyObject.cpp. We do this because we rely on the machine stack
        growing for throwing a stack overflow error. It's better for developers
        to be able to see a stack overflow error than to have their program
        infinite loop because the compiler performed TCO.

        This patch also fixes a couple call sites of various methods
        where we didn't check for an exception.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSArray.h:
        (JSC::getLength):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::getOwnPropertyNames):
        (JSC::ProxyObject::getPropertyNames):
        (JSC::ProxyObject::getOwnNonIndexPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/ProxyObject.h:
        (JSC::ProxyObject::create):
        * tests/stress/proxy-stack-overflow-exceptions.js: Added.
        (shouldThrowStackOverflow):
        (const.emptyFunction):
        (makeLongProxyChain):
        (shouldThrowStackOverflow.longProxyChain):
        (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain1):
        (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain2):
        (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain3):
        (shouldThrowStackOverflow.longProxyChainBind):
        (shouldThrowStackOverflow.longProxyChainPropertyAccess):
        (shouldThrowStackOverflow.longProxyChainReflectConstruct):
        (shouldThrowStackOverflow.longProxyChainReflectSet):
        (shouldThrowStackOverflow.longProxyChainReflectOwnKeys):
        (shouldThrowStackOverflow.longProxyChainGetPrototypeOf):
        (shouldThrowStackOverflow.longProxyChainSetPrototypeOf):
        (shouldThrowStackOverflow.longProxyChainGetOwnPropertyDescriptor):
        (shouldThrowStackOverflow.longProxyChainDefineProperty):
        (shouldThrowStackOverflow.longProxyChainIsExtensible):
        (shouldThrowStackOverflow.longProxyChainPreventExtensions):
        (shouldThrowStackOverflow.longProxyChainDeleteProperty):
        (shouldThrowStackOverflow.longProxyChainWithScope):
        (shouldThrowStackOverflow.longProxyChainWithScope2):
        (shouldThrowStackOverflow.longProxyChainWithScope3):
        (shouldThrowStackOverflow.longProxyChainArrayPrototypePush):
        (shouldThrowStackOverflow.longProxyChainWithScope4):
        (shouldThrowStackOverflow.longProxyChainCall):
        (shouldThrowStackOverflow.longProxyChainConstruct):
        (shouldThrowStackOverflow.longProxyChainHas):

2016-05-28  Andreas Kling  <akling@apple.com>

        JSGlobalLexicalEnvironment leaks SegmentedVector due to lack of destructor.
        <https://webkit.org/b/158186>

        Reviewed by Saam Barati.

        Give JSGlobalLexicalEnvironment a destroy() and set up a finalizer for it
        like we do with JSGlobalObject. (This is needed because they don't inherit
        from JSDestructibleObjects and thus can't use JSCell::needsDestruction to
        ask for allocation in destructor space.)

        This stops us from leaking all the SegmentedVector backing stores.

        * runtime/JSGlobalLexicalEnvironment.cpp:
        (JSC::JSGlobalLexicalEnvironment::destroy):
        * runtime/JSGlobalLexicalEnvironment.h:
        (JSC::JSGlobalLexicalEnvironment::create):

2016-05-28  Skachkov Oleksandr  <gskachkov@gmail.com>
        [ESNext] Trailing commas in function parameters.
        https://bugs.webkit.org/show_bug.cgi?id=158020

        Reviewed by Keith Miller.

        ESNext allow to add trailing commas in function parameters and function arguments.
        Link to spec - https://jeffmo.github.io/es-trailing-function-commas 
        Example of using - (function (a, b,) { return a + b; })(1,2,);

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::Parser<LexerType>::parseArguments):
        * tests/stress/trailing-comma-in-function-paramters.js: Added.

2016-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] op_new_arrow_func_exp is no longer necessary
        https://bugs.webkit.org/show_bug.cgi?id=158180

        Reviewed by Saam Barati.

        This patch removes op_new_arrow_func_exp bytecode since
        what op_new_arrow_func_exp is doing is completely the same to op_new_func_exp.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset): Deleted.
        (JSC::computeDefsForBytecodeOffset): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass): Deleted.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitNewFuncExprCommon):
        (JSC::JIT::emit_op_new_arrow_func_exp): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:

2016-05-27  Caitlin Potter  <caitp@igalia.com>

        [JSC] implement async functions proposal
        https://bugs.webkit.org/show_bug.cgi?id=156147

        Reviewed by Yusuke Suzuki.

        Adds support for `async` functions, proposed in https://tc39.github.io/ecmascript-asyncawait/.

        On the front-end side, "await" becomes a contextual keyword when used within an async function,
        which triggers parsing an AwaitExpression. "await" becomes an illegal identifier name within
        these contexts. The bytecode generated from an "await" expression is identical to that generated
        in a "yield" expression in a Generator, as AsyncFunction reuses generator's state machine mechanism.

        There are numerous syntactic forms for language features, including a variation on ArrowFunctions,
        requiring the keyword `async` to precede ArrowFormalParameters, and similarly, MethodDefinitions,
        which are ordinary MethodDefinitions preceded by the keyword `async`.

        An async function desugars to the following:

        ```
        async function asyncFn() {
        }

        becomes:

        function asyncFn() {
            let generator = {
                @generatorNext: function(@generator, @generatorState, @generatorValue, @generatorResumeMode) {
                  // generator state machine stuff here
                },
                @generatorState: 0,
                @generatorThis: this,
                @generatorFrame: null
            };
            return @asyncFunctionResume(generator, undefined, GeneratorResumeMode::NormalMode);
        }
        ```

        `@asyncFunctionResume()` is similar to `@generatorResume`, with the exception that it will wrap the
        result of invoking `@generatorNext()` in a Promise, and will avoid allocating an iterator result
        object.

        If the generator has yielded (an AwaitExpression has occurred), resumption will occur automatically
        once the await-expression operand is finished, via Promise chaining.

        * API/JSScriptRef.cpp:
        (parseScript):
        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/AsyncFunctionPrototype.js: Added.
        (asyncFunctionResume):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finishCreation):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::isArrowFunction):
        (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction):
        (JSC::UnlinkedCodeBlock::isAsyncArrowFunction):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
        (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
        (JSC::BytecodeGenerator::emitNewMethodDefinition):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::parse):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitNewFuncCommon):
        (JSC::JIT::emit_op_new_async_func):
        (JSC::JIT::emitNewFuncExprCommon):
        (JSC::JIT::emit_op_new_async_func_exp):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        (runInteractive):
        (printUsageStatement):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createAsyncFunctionBody):
        * parser/Keywords.table:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseVariableDeclarationList):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
        (JSC::Parser<LexerType>::parseFormalParameters):
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseImportClauseItem):
        (JSC::Parser<LexerType>::parseImportDeclaration):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseAwaitExpression):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Parser<LexerType>::parseArrowFunctionExpression):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::isIdentifierOrKeyword):
        (JSC::Scope::Scope):
        (JSC::Scope::setSourceParseMode):
        (JSC::Scope::isAsyncFunction):
        (JSC::Scope::isAsyncFunctionBoundary):
        (JSC::Scope::isModule):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::setIsAsyncArrowFunction):
        (JSC::Scope::setIsAsyncFunction):
        (JSC::Scope::setIsAsyncFunctionBody):
        (JSC::Scope::setIsAsyncArrowFunctionBody):
        (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError):
        (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
        (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction):
        (JSC::Parser::forceClassifyExpressionError):
        (JSC::Parser::declarationTypeToVariableKind):
        (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
        (JSC::Parser::pushScope):
        (JSC::Parser::popScopeInternal):
        (JSC::Parser::matchSpecIdentifier):
        (JSC::Parser::isDisallowedIdentifierAwait):
        (JSC::Parser::disallowedIdentifierAwaitReason):
        (JSC::parse):
        * parser/ParserModes.h:
        (JSC::isFunctionParseMode):
        (JSC::isAsyncFunctionParseMode):
        (JSC::isAsyncArrowFunctionParseMode):
        (JSC::isAsyncFunctionWrapperParseMode):
        (JSC::isAsyncFunctionBodyParseMode):
        (JSC::isModuleParseMode):
        (JSC::isProgramParseMode):
        (JSC::constructAbilityForParseMode):
        * parser/ParserTokens.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::runtimeFlags):
        (JSC::SourceCodeKey::operator==):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createAsyncFunctionBody):
        * runtime/AsyncFunctionConstructor.cpp: Added.
        (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
        (JSC::AsyncFunctionConstructor::finishCreation):
        (JSC::callAsyncFunctionConstructor):
        (JSC::constructAsyncFunctionConstructor):
        (JSC::AsyncFunctionConstructor::getCallData):
        (JSC::AsyncFunctionConstructor::getConstructData):
        * runtime/AsyncFunctionConstructor.h: Added.
        (JSC::AsyncFunctionConstructor::create):
        (JSC::AsyncFunctionConstructor::createStructure):
        * runtime/AsyncFunctionPrototype.cpp: Added.
        (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype):
        (JSC::AsyncFunctionPrototype::finishCreation):
        * runtime/AsyncFunctionPrototype.h: Added.
        (JSC::AsyncFunctionPrototype::create):
        (JSC::AsyncFunctionPrototype::createStructure):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::checkModuleSyntax):
        * runtime/Completion.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/Executable.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        * runtime/JSAsyncFunction.cpp: Added.
        (JSC::JSAsyncFunction::JSAsyncFunction):
        (JSC::JSAsyncFunction::createImpl):
        (JSC::JSAsyncFunction::create):
        (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSAsyncFunction.h: Added.
        (JSC::JSAsyncFunction::allocationSize):
        (JSC::JSAsyncFunction::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::asyncFunctionPrototype):
        (JSC::JSGlobalObject::asyncFunctionStructure):
        * runtime/ModuleLoaderObject.cpp:
        (JSC::moduleLoaderObjectParseModule):
        * runtime/RuntimeFlags.h:
        (JSC::RuntimeFlags::operator==):
        (JSC::RuntimeFlags::operator!=):
        * tests/stress/async-await-basic.js: Added.
        (shouldBe):
        (shouldBeAsync):
        (shouldThrow):
        (shouldThrowAsync):
        (let.AsyncFunction.async):
        (async.asyncFunctionForProto):
        (Object.getPrototypeOf.async):
        (Object.getPrototypeOf.async.method):
        (async):
        (async.method):
        (async.asyncNonConstructorDecl):
        (shouldThrow.new.async):
        (shouldThrow.new.async.nonConstructor):
        (async.asyncDecl):
        (async.f):
        (MyError):
        (async.asyncDeclThrower):
        (shouldThrowAsync.async):
        (resolveLater):
        (rejectLater):
        (async.resumeAfterNormal):
        (O.async.resumeAfterNormal):
        (resumeAfterNormalArrow.async):
        (async.resumeAfterThrow):
        (O.async.resumeAfterThrow):
        (resumeAfterThrowArrow.async):
        (catch):
        * tests/stress/async-await-module-reserved-word.js: Added.
        (shouldThrow):
        (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await):
        (checkModuleSyntaxError.String.raw.await):
        (checkModuleSyntaxError.String.raw.async.await):
        (SyntaxError.Cannot.declare.named):
        * tests/stress/async-await-mozilla.js: Added.
        (shouldBe):
        (shouldBeAsync):
        (shouldThrow):
        (shouldThrowAsync):
        (assert):
        (shouldThrowSyntaxError):
        (mozSemantics.async.empty):
        (mozSemantics.async.simpleReturn):
        (mozSemantics.async.simpleAwait):
        (mozSemantics.async.simpleAwaitAsync):
        (mozSemantics.async.returnOtherAsync):
        (mozSemantics.async.simpleThrower):
        (mozSemantics.async.delegatedThrower):
        (mozSemantics.async.tryCatch):
        (mozSemantics.async.tryCatchThrow):
        (mozSemantics.async.wellFinally):
        (mozSemantics.async.finallyMayFail):
        (mozSemantics.async.embedded.async.inner):
        (mozSemantics.async.embedded):
        (mozSemantics.async.fib):
        (mozSemantics.async.isOdd.async.isEven):
        (mozSemantics.async.isOdd):
        (mozSemantics.hardcoreFib.async.fib2):
        (mozSemantics.namedAsyncExpr.async.simple):
        (mozSemantics.async.executionOrder.async.first):
        (mozSemantics.async.executionOrder.async.second):
        (mozSemantics.async.executionOrder.async.third):
        (mozSemantics.async.executionOrder):
        (mozSemantics.async.miscellaneous):
        (mozSemantics.thrower):
        (mozSemantics.async.defaultArgs):
        (mozSemantics.shouldThrow):
        (mozSemantics):
        (mozMethods.X):
        (mozMethods.X.prototype.async.getValue):
        (mozMethods.X.prototype.setValue):
        (mozMethods.X.prototype.async.increment):
        (mozMethods.X.prototype.async.getBaseClassName):
        (mozMethods.X.async.getStaticValue):
        (mozMethods.Y.prototype.async.getBaseClassName):
        (mozMethods.Y):
        (mozFunctionNameInferrence.async.test):
        (mozSyntaxErrors):
        * tests/stress/async-await-reserved-word.js: Added.
        (assert):
        (shouldThrowSyntaxError):
        (AsyncFunction.async):
        * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Added.
        (shouldBe):
        (shouldBeAsync):
        (shouldThrowAsync):
        (noArgumentsArrow2.async):
        * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Added.
        (shouldBe):
        (shouldBeAsync):
        (shouldThrowAsync):
        (C1):
        (C2):
        (shouldThrowAsync.async):
        * tests/stress/async_arrow_functions_lexical_super_binding.js: Added.
        (shouldBe):
        (shouldBeAsync):
        (BaseClass.prototype.baseClassValue):
        (BaseClass):
        (ChildClass.prototype.asyncSuperProp):
        (ChildClass.prototype.asyncSuperProp2):
        (ChildClass):
        * tests/stress/async_arrow_functions_lexical_this_binding.js: Added.
        (shouldBe):
        (shouldBeAsync):
        (d.y):

2016-05-27  Saam barati  <sbarati@apple.com>

        DebuggerCallFrame crashes when updated with the globalExec because neither ShadowChicken's algorithm nor StackVisitor's algorithm reasons about the globalExec
        https://bugs.webkit.org/show_bug.cgi?id=158104

        Reviewed by Filip Pizlo.

        I think globalExec is a special enough case that it should be handled
        at the layers above ShadowChicken and StackVisitor. Those APIs should
        deal with real stack frames on the machine stack, not a heap constructed frame.

        This patch makes DebuggerCallFrame::create aware that it may be
        created with the globalObject->globalExec() by having it construct
        a single DebuggerCallFrame that wraps the globalExec.

        This fixes a crasher because we will construct a DebuggerCallFrame
        with the globalExec when the Inspector is set to pause on all uncaught
        exceptions and the JS program has a syntax error. Because the program
        hasn't begun execution, there is no machine JS stack frame yet. So
        DebuggerCallFrame is created with globalExec, which will cause it
        to hit an assertion that dictates that the stack have size greater
        than zero.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::create):

2016-05-27  Filip Pizlo  <fpizlo@apple.com>

        DFG::LazyJSValue::tryGetStringImpl() crashes for empty values
        https://bugs.webkit.org/show_bug.cgi?id=158170

        Reviewed by Michael Saboff.

        The problem here is that jsDynamicCast<>() is evil! It avoids checking for the empty
        value, presumably because this makes it soooper fast. In DFG IR, empty values can appear
        anywhere because of TDZ.
        
        This patch doesn't change jsDynamicCast<>(), but it hardens our wrappers for it in the DFG
        and it has the affected code use one of those wrappers.
        
        * dfg/DFGFrozenValue.h:
        (JSC::DFG::FrozenValue::dynamicCast): Harden this.
        (JSC::DFG::FrozenValue::cast):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::tryGetStringImpl): Use the hardened wrapper.
        * tests/stress/strcat-emtpy.js: Added. This used to crash every time.
        (foo):
        (i.catch):

2016-05-27  Filip Pizlo  <fpizlo@apple.com>

        regExpProtoFuncSplitFast should OOM before it swaps
        https://bugs.webkit.org/show_bug.cgi?id=158157

        Reviewed by Mark Lam.
        
        This is a huge speed-up on some jsfunfuzz test cases because it makes us realize much
        sooner that running a regexp split will result in swapping. It uses the same basic
        approach as http://trac.webkit.org/changeset/201451: if the result array crosses a certain
        size threshold, we proceed with a dry run to see how big the array will get before
        allocating anything else. This way, bogus uses of split that would have OOMed only after
        killing the user's machine will now OOM before killing the user's machine.
        
        This is an enormous speed-up on some jsfunfuzz tests: they go from running for a long
        time to running instantly.

        * runtime/RegExpPrototype.cpp:
        (JSC::advanceStringIndex):
        (JSC::genericSplit):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        * tests/stress/big-split-captures.js: Added.
        * tests/stress/big-split.js: Added.

2016-05-27  Saam barati  <sbarati@apple.com>

        ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
        https://bugs.webkit.org/show_bug.cgi?id=158131

        Reviewed by Yusuke Suzuki.

        There were bugs both in DebuggerCallFrame and ShadowChicken when the entry stack
        frame(s) are tail deleted.

        DebuggerCallFrame had an assertion saying that the entry frame shouldn't be
        tail deleted. This is clearly wrong. The following program proves that this assertion
        was misguided:
        ```
        "use strict";
        setTimeout(function foo() { return bar(); }, 0);
        ```

        ShadowChicken had a very subtle bug when creating the shadow stack when 
        the entry frames of the stack were tail deleted. Because it places frames into its shadow
        stack by walking the machine frame and looking up entries in the log,
        the machine frame doesn't have any notion of those tail deleted frames
        at the entry of execution. ShadowChicken would never find those frames
        because it would look for tail deleted frames *before* consulting the
        current machine frame. This is wrong because if the entry frames
        are tail deleted, then there is no machine frame for them because there
        is no machine frame before them! Therefore, we must search for tail deleted
        frames *after* consulting a machine frame. This is sound because we will always
        have at least one machine frame on the stack (when we are using StackVisitor on a valid ExecState).
        So when we consult the machine frame that is the entry frame on the machine stack,
        we will search for tail deleted frames that come before it in the shadow stack.
        This will allow us to find those tail deleted frames that are the entry frames
        for the shadow stack.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::create):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::Packet::dump):
        (JSC::ShadowChicken::update):
        (JSC::ShadowChicken::dump):

2016-05-27  Chris Dumez  <cdumez@apple.com>

        WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables
        https://bugs.webkit.org/show_bug.cgi?id=158111

        Reviewed by Darin Adler.

        WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables.
        These are often used cross-thread and copying the captured lambda variables can be
        dangerous (e.g. we do not want to copy a String after calling isolatedCopy() upon
        capture).

        * runtime/Watchdog.cpp:
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::Watchdog): Deleted.
        (JSC::Watchdog::setTimeLimit): Deleted.
        * runtime/Watchdog.h:

2016-05-27  Konstantin Tokarev  <annulen@yandex.ru>

        Removed unused headers from ExecutableAllocatorFixedVMPool.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=158159

        Reviewed by Darin Adler.

        * jit/ExecutableAllocatorFixedVMPool.cpp:

2016-05-27  Keith Miller  <keith_miller@apple.com>

        get_by_id should support caching unset properties in the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=158136

        Reviewed by Benjamin Poulain.

        Recently, we started supporting prototype load caching for get_by_id
        in the LLInt. This patch extends that to caching unset properties.
        While it is uncommon in general for a program to see a single structure
        without a given property, the Array.prototype.concat function needs to
        lookup the Symbol.isConcatSpreadable property. For any existing code
        That property will never be set as it did not exist prior to ES6.

        Similarly to the get_by_id_proto_load bytecode, this patch adds a new
        bytecode, get_by_id_unset that checks the structureID of the base and
        assigns undefined to the result.

        There are no new tests here since we already have many tests that
        incidentally cover this change.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2016-05-26  Filip Pizlo  <fpizlo@apple.com>

        Bogus uses of regexp matching should realize that they will OOM before they start swapping
        https://bugs.webkit.org/show_bug.cgi?id=158142

        Reviewed by Michael Saboff.
        
        Refactored the RegExpObject::matchGlobal() code so that there is less duplication. Took
        advantage of this to make the code more resilient in case of absurd situations: if the
        result array gets large, it proceeds with a dry run to detect how many matches there will
        be. This allows it to OOM before it starts swapping.
        
        This also improves the overall performance of the code by using lightweight substrings and
        skipping the whole intermediate argument array.
        
        This makes some jsfunfuzz tests run a lot faster and use a lot less memory.
        
        * builtins/RegExpPrototype.js:
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/MatchResult.cpp: Added.
        (JSC::MatchResult::dump):
        * runtime/MatchResult.h:
        (JSC::MatchResult::empty):
        (MatchResult::empty): Deleted.
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::match):
        (JSC::collectMatches):
        (JSC::RegExpObject::matchGlobal):
        * runtime/StringObject.h:
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        * tests/stress/big-match.js: Added. Make sure that this optimization doesn't break big matches.

2016-05-26  Gavin & Ellie Barraclough  <barraclough@apple.com>

        Static table property lookup should not require getOwnPropertySlot override.
        https://bugs.webkit.org/show_bug.cgi?id=158059

        Reviewed by Darin Adler.

        Currently JSObject does not handle property lookup of entries in the static
        table. Each subclass with static properties mut override getOwnPropertySlot,
        and explicitly call the lookup functions. This has the following drawbacks:

        - Performance: for any class with static properties, property acces becomes
          virtual (via method table).
        - Poor encapsulation: implementation detail of static property access is
          spread throughout & cross projects, rather than being contained in JSObject.
        - Code size: this results in a great many additional functions.
        - Inconsistency: static table presence has to be be taken into account in many
          other operations, e.g. presence of read-only properties for put.
        - Memory: in order to avoid the virtual lookup, DOM prototypes eagerly reify
          all properties. This is likely suboptimal.

        Instead, JSObject::getPropertySlot / JSObject::getOwnPropertySlot should be
        able to handle static properties.

        This is actually a fairly small & simple change.

        The common pattern is for subclasses of JObject to override getOwnPropertySlot
        to first defer to JSObject for property storage lookup, and only if this fails
        consult the static table. They just want the static tables to be consulted after
        regular property storgae lookup. So just add a fast flag in TypeInfo for JSObject
        to check, and where it is set, do so. Then it's just a question of switching
        classes over to start setting this flag, and drop the override.

        The new mechanism does change static table lookup order from oldest-ancestor
        first to most-derived first. The new ordering makes more sense (means derived
        class static tables can now override entries from parents), and shoudn't affect
        any existing code (since overriding didn't previously work, there likely aren't
        shadowing properties in more derived types).

        This patch changes all classes in JavaScriptCore over to using the new mechanism,
        except JSGlobalObject. I'll move classes in WebCore over as a separate patch
        (this is also why I've not moved JSGlobalObject in this patch - doing so would
        move JSDOMWindow, and I'd rather handle that separately).

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
            - Add HasStaticPropertyTable flag.
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
            - Change setUpStaticFunctionSlot to take a VM&.
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlotFromTable):
            - Added helper function to perform static lookup alone.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
            - setUpStaticFunctionSlot changed to take a VM&.
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnStaticPropertySlot):
            - Added, walks ClassInfo chain looking for static properties.
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnNonIndexPropertySlot):
            - getOwnNonIndexPropertySlot is used internally by getPropertySlot
              & getOwnPropertySlot. If property is not present in storage array
              then check the static table.
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        (JSC::constructArrayWithSizeQuirk):
        (JSC::ArrayConstructor::getOwnPropertySlot): Deleted.
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        (JSC::ArrayIteratorPrototype::getOwnPropertySlot): Deleted.
        * runtime/ArrayIteratorPrototype.h:
        (JSC::ArrayIteratorPrototype::create):
        (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        (JSC::BooleanPrototype::getOwnPropertySlot): Deleted.
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        (JSC::millisecondsFromComponents):
        (JSC::DateConstructor::getOwnPropertySlot): Deleted.
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToString):
        (JSC::DatePrototype::getOwnPropertySlot): Deleted.
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        (JSC::ErrorPrototype::getOwnPropertySlot): Deleted.
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        (JSC::GeneratorPrototype::getOwnPropertySlot): Deleted.
        * runtime/GeneratorPrototype.h:
        (JSC::GeneratorPrototype::create):
        (JSC::GeneratorPrototype::createStructure):
        (JSC::GeneratorPrototype::GeneratorPrototype):
        * runtime/InspectorInstrumentationObject.cpp:
        (JSC::InspectorInstrumentationObject::finishCreation):
        (JSC::InspectorInstrumentationObject::isEnabled):
        (JSC::InspectorInstrumentationObject::getOwnPropertySlot): Deleted.
        * runtime/InspectorInstrumentationObject.h:
        (JSC::InspectorInstrumentationObject::create):
        (JSC::InspectorInstrumentationObject::createStructure):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::getCallData):
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        (JSC::IntlCollatorConstructor::getOwnPropertySlot): Deleted.
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        (JSC::IntlCollatorFuncCompare):
        (JSC::IntlCollatorPrototype::getOwnPropertySlot): Deleted.
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::getCallData):
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot): Deleted.
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        (JSC::IntlDateTimeFormatFuncFormatDateTime):
        (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot): Deleted.
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::getCallData):
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        (JSC::IntlNumberFormatConstructor::getOwnPropertySlot): Deleted.
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        (JSC::IntlNumberFormatFuncFormatNumber):
        (JSC::IntlNumberFormatPrototype::getOwnPropertySlot): Deleted.
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::createStructure):
        (JSC::getData):
        (JSC::JSDataViewPrototype::getOwnPropertySlot): Deleted.
        * runtime/JSDataViewPrototype.h:
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::JSInternalPromiseConstructor::getCallData):
        (JSC::JSInternalPromiseConstructor::getOwnPropertySlot): Deleted.
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSONObject.cpp:
        (JSC::Walker::Walker):
        (JSC::JSONObject::getOwnPropertySlot): Deleted.
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getCallData):
        (JSC::JSPromiseConstructor::getOwnPropertySlot): Deleted.
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::addOwnInternalSlots):
        (JSC::JSPromisePrototype::getOwnPropertySlot): Deleted.
        * runtime/JSPromisePrototype.h:
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        (JSC::getMap):
        (JSC::MapPrototype::getOwnPropertySlot): Deleted.
        * runtime/MapPrototype.h:
        (JSC::MapPrototype::create):
        (JSC::MapPrototype::MapPrototype):
        * runtime/ModuleLoaderObject.cpp:
        (JSC::ModuleLoaderObject::finishCreation):
        (JSC::printableModuleKey):
        (JSC::ModuleLoaderObject::getOwnPropertySlot): Deleted.
        * runtime/ModuleLoaderObject.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        (JSC::toThisNumber):
        (JSC::NumberPrototype::getOwnPropertySlot): Deleted.
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::addDefineProperty):
        (JSC::constructObject):
        (JSC::ObjectConstructor::getOwnPropertySlot): Deleted.
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        (JSC::ObjectConstructor::createStructure):
        * runtime/ReflectObject.cpp:
        (JSC::ReflectObject::finishCreation):
        (JSC::ReflectObject::getOwnPropertySlot): Deleted.
        * runtime/ReflectObject.h:
        (JSC::ReflectObject::create):
        (JSC::ReflectObject::createStructure):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getRightContext):
        (JSC::regExpConstructorDollar):
        (JSC::RegExpConstructor::getOwnPropertySlot): Deleted.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        (JSC::RegExpConstructor::createStructure):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        (JSC::getSet):
        (JSC::SetPrototype::getOwnPropertySlot): Deleted.
        * runtime/SetPrototype.h:
        (JSC::SetPrototype::create):
        (JSC::SetPrototype::SetPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        (JSC::stringFromCharCodeSlowCase):
        (JSC::StringConstructor::getOwnPropertySlot): Deleted.
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        (JSC::StringIteratorPrototype::getOwnPropertySlot): Deleted.
        * runtime/StringIteratorPrototype.h:
        (JSC::StringIteratorPrototype::create):
        (JSC::StringIteratorPrototype::StringIteratorPrototype):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::create):
        (JSC::substituteBackreferencesSlow):
        (JSC::StringPrototype::getOwnPropertySlot): Deleted.
        * runtime/StringPrototype.h:
        * runtime/SymbolConstructor.cpp:
        (JSC::SymbolConstructor::finishCreation):
        (JSC::callSymbol):
        (JSC::SymbolConstructor::getOwnPropertySlot): Deleted.
        * runtime/SymbolConstructor.h:
        (JSC::SymbolConstructor::create):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        (JSC::SymbolPrototype::getOwnPropertySlot): Deleted.
        * runtime/SymbolPrototype.h:
        (JSC::SymbolPrototype::create):
            - remove getOwnPropertySlot, replace OverridesGetOwnPropertySlot flag with HasStaticPropertyTable.

2016-05-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r201436.
        https://bugs.webkit.org/show_bug.cgi?id=158143

        Caused 30% regression on Dromaeo DOM core tests (Requested by
        rniwa on #webkit).

        Reverted changeset:

        "REGRESSION: JSBench spends a lot of time transitioning
        to/from dictionary"
        https://bugs.webkit.org/show_bug.cgi?id=158045
        http://trac.webkit.org/changeset/201436

2016-05-26  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: JSBench spends a lot of time transitioning to/from dictionary
        https://bugs.webkit.org/show_bug.cgi?id=158045

        Reviewed by Saam Barati.

        15% speedup on jsbench-amazon-firefox, possibly 5% speedup overall on jsbench.

        This regression seems to have two parts:

        (1) Transitioning the window object to/from dictionary is more expensive
        than it used to be to because the window object has lots more properties.
        The window object has more properties because, for WebIDL compatibility,
        we reify DOM APIs as properties when you delete.

        (2) DOM prototypes transition to/from dictionary upon creation
        because, once again for WebIDL compatibility, we reify their static
        APIs eagerly.

        The solution is to chill out a bit on dictionary transitions.

        * bytecode/ObjectPropertyConditionSet.cpp: Don't flatten a dictionary
        if we've already done so before. This avoids pathological churn, and it
        is our idiom in other places.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute): Do flatten the global object unconditionally
        if it is an uncacheable dictionary because the global object is super
        important.

        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): Deleted.
        Don't transition away from dictionary after a batched set of property
        puts because normal dictionaries are cacheable and that's a perfectly
        fine state to be in -- and the transition is expensive.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Do start the global object out as a cacheable
        dictionary because it will inevitably have enough properties to become
        a dictionary.

        * runtime/Operations.h:
        (JSC::normalizePrototypeChain): Same as ObjectPropertyConditionSet.cpp.

2016-05-25  Geoffrey Garen  <ggaren@apple.com>

        replaceable own properties seem to ignore replacement after property caching
        https://bugs.webkit.org/show_bug.cgi?id=158091

        Reviewed by Darin Adler.

        * runtime/Lookup.h:
        (JSC::replaceStaticPropertySlot): New helper function for replacing a
        static property with a direct property. We need to do an attribute changed
        transition because client code might have cached our static property.

2016-05-25  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] RegExp with deeply nested subexpressions overflow the stack in Yarr
        https://bugs.webkit.org/show_bug.cgi?id=158011
        rdar://problem/25946592

        Reviewed by Saam Barati.

        When generating the meta-data required for compilation,
        Yarr uses a recursive function over the various expression in the pattern.

        If you have many nested expressions, you can run out of stack
        and crash the WebProcess.
        This patch changes that into a soft failure. The expression is just
        considered invalid.

        * runtime/RegExp.cpp:
        (JSC::RegExp::finishCreation):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::setupOffsets):
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::YarrPattern::YarrPattern):
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets): Deleted.
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): Deleted.
        * yarr/YarrPattern.h:

2016-05-25  Alex Christensen  <achristensen@webkit.org>

        Fix Win64 build after r201335
        https://bugs.webkit.org/show_bug.cgi?id=158078

        Reviewed by Mark Lam.

        * offlineasm/x86.rb:
        Add intel implementations for loadbs and loadhs

2016-05-25  Carlos Garcia Campos  <cgarcia@igalia.com>

        REGRESSION(r201066): [GTK] Several intl tests started to fail in GTK+ bot after r201066
        https://bugs.webkit.org/show_bug.cgi?id=158066

        Reviewed by Darin Adler.

        run-javascriptcore-tests does $ENV{LANG}="en_US.UTF-8"; but we are not actually honoring the environment
        variables at all when using jsc binary. We are using setlocale() with a nullptr locale to get the current one, but
        the current one is always "C", because to set the locale according to the environment variables we need to call
        setlocale with an empty string as locale. That's done by gtk_init(), which is called by all our binaries (web
        process, network process, etc.), but not by jsc (because jsc doesn't depend on GTK+). The reason why it has
        always worked for EFL is because they call ecore_init() in jsc that calls setlocale.

        * jsc.cpp:
        (main): Call setlocale(LC_ALL, "") on GTK+.

2016-05-25  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Fix the Wcast-align warning in LinkBuffer.cpp
        https://bugs.webkit.org/show_bug.cgi?id=157889

        Reviewed by Darin Adler.

        * assembler/LinkBuffer.cpp:
        (JSC::recordLinkOffsets):

2016-05-24  Keith Miller  <keith_miller@apple.com>

        TypedArray.prototype.slice should not throw if no arguments are provided
        https://bugs.webkit.org/show_bug.cgi?id=158044
        <rdar://problem/26433280>

        Reviewed by Geoffrey Garen.

        We were throwing an exception if the TypedArray.prototype.slice function
        was not provided arguments. This was wrong. Instead we should just assume
        the first argument was 0.

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice): Deleted.
        * tests/stress/typedarray-slice.js:

2016-05-24  Keith Miller  <keith_miller@apple.com>

        LLInt should be able to cache prototype loads for values in GetById
        https://bugs.webkit.org/show_bug.cgi?id=158032

        Reviewed by Filip Pizlo.

        This patch adds prototype value caching to the LLInt for op_get_by_id.
        Two previously unused words in the op_get_by_id bytecode have been
        repurposed to hold extra information for the cache. The first is a
        counter that records the number of get_by_ids that hit a cacheable value
        on a prototype. When the counter is decremented from one to zero we
        attempt to cache the prototype load, which will be discussed further
        below. The second word is used to hold the prototype object when we have
        started caching.

        When the counter is decremented to zero we first attempt to generate and
        watch the property conditions needed to ensure the validity of prototype
        load. If the watchpoints are successfully created and installed we
        replace the op_get_by_id opcode with the new op_get_by_id_proto_load
        opcode, which tells the LLInt to use the cache prototype object for the
        load rather than the base value.

        Prior to this patch there was not LLInt specific data onCodeBlocks.
        Since the CodeBlock needs to own the Watchpoints for the cache, a weak
        map from each base structure to a bag of Watchpoints created for that
        structure by some op_get_by_id has been added to the CodeBlock. During
        GC, if we find that the a structure in the map has not been marked we
        free the associated bag on the CodeBlock.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::llintGetByIdWatchpointMap):
        (JSC::clearLLIntGetByIdCache):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Added.
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Added.
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::isValidAndWatchable):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetById):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Options.h:
        * tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js: Added.
        (test):

2016-05-24  Keith Miller  <keith_miller@apple.com>

        We should be able to use the sampling profiler with DRT/WTR.
        https://bugs.webkit.org/show_bug.cgi?id=158041

        Reviewed by Saam Barati.

        This patch makes the sampling profiler use a new option, samplingProfilerPath, which
        specifies the path to a directory to output sampling profiler data when the program
        terminates or the VM is destroyed. Additionally, it fixes some other issues with the
        bytecode profiler that would cause crashes on debug builds.

        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::ensureBytecodesFor):
        (JSC::Profiler::Database::performAtExitSave):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::registerForReportAtExit):
        (JSC::SamplingProfiler::reportDataToOptionFile):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/SamplingProfiler.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):

2016-05-24  Saam barati  <sbarati@apple.com>

        We can cache lookups to JSScope::abstractResolve inside CodeBlock::finishCreation
        https://bugs.webkit.org/show_bug.cgi?id=158036

        Reviewed by Geoffrey Garen.

        This patch implements a 1 item cache for JSScope::abstractResolve. I also tried
        implementing the cache as a HashMap, but it seemed either less profitable on some
        benchmarks or just as profitable on others. Therefore, it's cleaner to just
        use a 1 item cache.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::AbstractResolveKey::AbstractResolveKey):
        (JSC::AbstractResolveKey::operator==):
        (JSC::AbstractResolveKey::isEmptyValue):
        (JSC::CodeBlock::finishCreation):
        * runtime/GetPutInfo.h:
        (JSC::needsVarInjectionChecks):
        (JSC::ResolveOp::ResolveOp):

2016-05-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviwed, add a comment to describe the test's failure mode. Suggested by mlam.

        * tests/stress/override-map-constructor.js:
        (Map):

2016-05-24  Filip Pizlo  <fpizlo@apple.com>

        Map should not be in JSGlobalObject's static hashtable because it's initialized eagerly via FOR_EACH_SIMPLE_BUILTIN_TYPE_WITH_CONSTRUCTOR
        https://bugs.webkit.org/show_bug.cgi?id=158031
        rdar://problem/26353661

        Reviewed by Geoffrey Garen.
        
        We were listing Map as being a lazy class structure. It's not. m_mapStructure is a WriteBarrier<>
        not a LazyClassStructure<> and there is nothing lazy about it.

        * runtime/JSGlobalObject.cpp: The fix is to remove Map here.
        * runtime/Lookup.cpp: Add some dumping on the assert path.
        (JSC::setUpStaticFunctionSlot):
        * tests/stress/override-map-constructor.js: Added. This test used to crash.
        (Map):

2016-05-24  Filip Pizlo  <fpizlo@apple.com>

        LLInt64 should have typed array fast paths for get_by_val
        https://bugs.webkit.org/show_bug.cgi?id=157931

        Reviewed by Keith Miller.

        I think that the LLInt should be able to access typed arrays more quickly than it does now.
        Ideally we would have fast paths for every major typed array operation and we would use
        inline cache optimizations. I don't want to do this all in one go, so my plan is to
        incrementally add support for this as time allows.
        
        This change just adds the easy typed array fast paths for get_by_val in the 64-bit version
        of LLInt.
        
        Another bug, https://bugs.webkit.org/show_bug.cgi?id=157922, tracks the overall task of
        adding all typed array fast paths to both versions of the LLInt.
        
        This is a 30% speed-up on typed array benchmarks in LLInt. This is not a speed-up when the
        JITs are enabled.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/backends.rb:
        * runtime/JSArrayBufferView.h:
        * runtime/JSType.h:

2016-05-24  Saam barati  <sbarati@apple.com> and Yusuke Suzuki <utatane.tea@gmail.com>

        ThisTDZMode is no longer needed
        https://bugs.webkit.org/show_bug.cgi?id=157209

        Reviewed by Saam Barati.

        ThisTDZMode is no longer needed because we have ConstructorKind
        and DerivedContextType. The value of ThisTDZMode is strictly less
        expressive than the combination of those two values. We were
        using those values anyways, and this patch just makes it official
        by removing ThisTDZMode.

        This patch also cleans up caching keys. We extract SourceCodeFlags
        from SourceCodeKey and use it in EvalCodeCache. It correctly
        contains needed cache attributes: EvalContextType, DerivedContextType,
        etc. Here, we still use specialized keys for EvalCodeCache instead
        of SourceCodeKey for performance; it does not include name String and
        does not allocate SourceCode.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::CacheKey::CacheKey):
        (JSC::EvalCodeCache::CacheKey::operator==):
        (JSC::EvalCodeCache::CacheKey::Hash::equal):
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::getSlow):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode): Deleted.
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createThisExpr):
        * parser/NodeConstructors.h:
        (JSC::ThisNode::ThisNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeFlags::SourceCodeFlags):
        (JSC::SourceCodeFlags::operator==):
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::Hash::hash):
        (JSC::SourceCodeKey::Hash::equal):
        (JSC::SourceCodeKey::HashTraits::isEmptyValue):
        (JSC::SourceCodeKeyHash::hash): Deleted.
        (JSC::SourceCodeKeyHash::equal): Deleted.
        (JSC::SourceCodeKeyHashTraits::isEmptyValue): Deleted.
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createThisExpr):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tests/stress/code-cache-incorrect-caching.js: Added.
        (shouldBe):
        (hello):
        (catch):
        (shouldBe.test.hello):
        (globalEval.ok):
        (global.hello.hello):

2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>

        Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
        https://bugs.webkit.org/show_bug.cgi?id=157080

        Reviewed by Saam Barati.

        In custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
        In this patch, we add a new parameter, "slotBase". This represents the base value offering
        this custom getter. And use it in ProxyObject's performGet custom accessor getter.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        In PolymorphicAccess case, the thisValue and the slotBase are always cells.
        This is because IC is enabled in the case that the base value is a cell.
        And slotBase is always on the prototype chain from this base value.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jsc.cpp:
        (WTF::CustomGetter::customGetter):
        (WTF::RuntimeArray::lengthGetter):
        * runtime/CustomGetterSetter.cpp:
        (JSC::callCustomSetter):
        * runtime/JSBoundSlotBaseFunction.cpp:
        (JSC::boundSlotBaseFunctionCall):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        * runtime/JSFunction.h:
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::callbackGetter):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::customGetter):
        * runtime/PropertySlot.h:
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollar):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        (JSC::regExpConstructorDollar1): Deleted.
        (JSC::regExpConstructorDollar2): Deleted.
        (JSC::regExpConstructorDollar3): Deleted.
        (JSC::regExpConstructorDollar4): Deleted.
        (JSC::regExpConstructorDollar5): Deleted.
        (JSC::regExpConstructorDollar6): Deleted.
        (JSC::regExpConstructorDollar7): Deleted.
        (JSC::regExpConstructorDollar8): Deleted.
        (JSC::regExpConstructorDollar9): Deleted.
        * tests/stress/proxy-get-with-primitive-receiver.js: Added.
        (shouldBe):

2016-05-23  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (196374): deleting a global property is expensive
        https://bugs.webkit.org/show_bug.cgi?id=158005

        Reviewed by Chris Dumez.

        * runtime/JSObject.cpp:
        (JSC::JSObject::deleteProperty): We only need to reify static properties
        if the name being deleted matches a static property. Otherwise, we can
        be sure that delete won't observe any static properties.

2016-05-23  Saam barati  <sbarati@apple.com>

        The baseline JIT crashes when compiling "(1,1)/1"
        https://bugs.webkit.org/show_bug.cgi?id=157933

        Reviewed by Benjamin Poulain.

        op_div in the baseline JIT needed to better handle when both the lhs
        and rhs are constants. It needs to make sure to load either the lhs or
        the rhs into a register since the div generator can't handle both
        the lhs and rhs being constants.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):
        * tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js: Added.
        (assert):
        (test):

2016-05-23  Saam barati  <sbarati@apple.com>

        String template don't handle let initialization properly inside eval
        https://bugs.webkit.org/show_bug.cgi?id=157991

        Reviewed by Oliver Hunt.

        The fix is to make sure we emit TDZ checks. 

        * bytecompiler/NodesCodegen.cpp:
        (JSC::TaggedTemplateNode::emitBytecode):
        * tests/stress/tagged-template-tdz.js: Added.
        (shouldThrowTDZ):
        (test):

2016-05-22  Saam barati  <sbarati@apple.com>

        Unreviewed. Fixed debug assertion failures from r201235.

        * runtime/JSScope.cpp:
        (JSC::abstractAccess):

2016-05-22  Brady Eidson  <beidson@apple.com>

        Attempted Yosemite build fix after http://trac.webkit.org/changeset/201255

        Suggested by and reviewed by Anders Carlsson.

        * b3/B3CCallValue.h: Initialize the effects member more conventionally.

2016-05-22  Brady Eidson  <beidson@apple.com>

        Move to C++14.
        https://bugs.webkit.org/show_bug.cgi?id=157948

        Reviewed by Michael Catanzaro.

        * Configurations/Base.xcconfig:

2016-05-22  Saam barati  <sbarati@apple.com>

        REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
        https://bugs.webkit.org/show_bug.cgi?id=157968
        <rdar://problem/26404735>

        Reviewed by Ryosuke Niwa and Filip Pizlo.

        There was a bug in the DFG where we were checking a condition
        on the wrong variable.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2016-05-22  Chris Dumez  <cdumez@apple.com>

        Remove uses of PassRefPtr in JS bindings code
        https://bugs.webkit.org/show_bug.cgi?id=157949

        Reviewed by Andreas Kling.

        Remove uses of PassRefPtr in JS bindings code.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::queueMicrotask):
        * runtime/JSGlobalObject.h:

2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>

        Remove LegacyProfiler
        https://bugs.webkit.org/show_bug.cgi?id=153565

        Reviewed by Mark Lam.

        JavaScriptCore now provides a sampling profiler and it is enabled
        by all ports. Web Inspector switched months ago to using the
        sampling profiler and displaying its data. Remove the legacy
        profiler, as it is no longer being used by anything other then
        console.profile and tests. We will update console.profile's
        behavior soon to have new behavior and use the sampling data.

        * API/JSProfilerPrivate.cpp: Removed.
        * API/JSProfilerPrivate.h: Removed.
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset): Deleted.
        (JSC::computeDefsForBytecodeOffset): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Deleted.
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::profileHookRegister): Deleted.
        (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::CallArguments::CallArguments): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator()): Deleted.
        (JSC::Interpreter::execute): Deleted.
        (JSC::Interpreter::executeCall): Deleted.
        (JSC::Interpreter::executeConstruct): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass): Deleted.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_will_call): Deleted.
        (JSC::JIT::emit_op_profile_did_call): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_will_call): Deleted.
        (JSC::JIT::emit_op_profile_did_call): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/ParserModes.h:
        * profiler/CallIdentifier.h: Removed.
        * profiler/LegacyProfiler.cpp: Removed.
        * profiler/LegacyProfiler.h: Removed.
        * profiler/Profile.cpp: Removed.
        * profiler/Profile.h: Removed.
        * profiler/ProfileGenerator.cpp: Removed.
        * profiler/ProfileGenerator.h: Removed.
        * profiler/ProfileNode.cpp: Removed.
        * profiler/ProfileNode.h: Removed.
        * profiler/ProfilerJettisonReason.cpp:
        (WTF::printInternal): Deleted.
        * profiler/ProfilerJettisonReason.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
        (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
        * runtime/JSGlobalObject.h:
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
        (JSC::VM::setEnabledProfiler): Deleted.
        * runtime/VM.h:
        (JSC::VM::enabledProfiler): Deleted.
        (JSC::VM::enabledProfilerAddress): Deleted.

2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>

        Remove LegacyProfiler
        https://bugs.webkit.org/show_bug.cgi?id=153565

        Reviewed by Saam Barati.

        * inspector/protocol/Timeline.json:
        * jsc.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::hasLegacyProfiler):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.

2016-05-20  Saam barati  <sbarati@apple.com>

        JSScope::abstractAccess doesn't need to copy the SymbolTableEntry, it can use it by reference
        https://bugs.webkit.org/show_bug.cgi?id=157956

        Reviewed by Geoffrey Garen.

        A SymbolTableEntry may be a FatEntry. Copying a FatEntry is slow because we have to
        malloc memory for it, then free the malloced memory once the entry goes out of
        scope. abstractAccess uses a SymbolTableEntry temporarily when performing scope
        accesses during bytecode linking. It copies out the SymbolTableEntry every time
        it does a SymbolTable lookup. This is not cheap when the entry happens to be a
        FatEntry. We should really just be using a reference to the entry because
        there is no need to copy it in such a scenario.

        * runtime/JSScope.cpp:
        (JSC::abstractAccess):

2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: retained size for typed arrays does not count native backing store
        https://bugs.webkit.org/show_bug.cgi?id=157945
        <rdar://problem/26392238>

        Reviewed by Geoffrey Garen.

        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::estimatedSize):
        Include an estimatedSize implementation for JSArrayBuffer.
        ArrayBuffer has a unique path, different from other data
        stored in the Heap.

        * tests/heapProfiler/typed-array-sizes.js: Added.
        Test sizes of TypedArray with and without an ArrayBuffer.
        When the TypedArray is a view wrapping an ArrayBuffer, the
        ArrayBuffer has the size.

2016-05-20  Geoffrey Garen  <ggaren@apple.com>

        reifyAllStaticProperties makes two copies of every string
        https://bugs.webkit.org/show_bug.cgi?id=157953

        Reviewed by Mark Lam.

        Let's not do that.

        * runtime/JSObject.cpp:
        (JSC::JSObject::reifyAllStaticProperties): Pass our Identifier to
        reifyStaticProperty so it doesn't have to make its own.

        * runtime/Lookup.h:
        (JSC::reifyStaticProperty): No need to null check because callers never
        pass null anymore. No need to make an identifier because callers pass
        us one.

        (JSC::reifyStaticProperties): Honor new interface.

2016-05-20  Geoffrey Garen  <ggaren@apple.com>

        JSBench regression: CodeBlock linking always copies the symbol table
        https://bugs.webkit.org/show_bug.cgi?id=157951

        Reviewed by Saam Barati.

        We always put a SymbolTable into the constant pool, even in simple
        functions in which it won't be used -- i.e., there's on eval and there
        are no captured variables and so on.

        This is costly because linking must copy any provided symbol tables.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitProfileType): Only add the symbol table
        as a constant if we will use it at runtime.

2016-05-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve int->float conversion in FTL
        https://bugs.webkit.org/show_bug.cgi?id=157936

        Reviewed by Filip Pizlo.

        The integer -> floating point lowering was very barebone.

        For example, converting a constant integer to double
        was doing:
            mov #const, %eax
            xor %xmm0, %xmm0
            cvtsi2sd %eax, %xmm0

        Conversion from integer to float was also missing.
        We were always converting to double then rounding the double
        to float.

        This patch adds the basics:
        -Constant folding.
        -Integer to Float opcode.
        -Reducing int->double to int->float when used by DoubleToFloat.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
        (JSC::MacroAssemblerX86_64::convertInt64ToFloat):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cvtsi2ss_rr):
        (JSC::X86Assembler::cvtsi2ssq_rr):
        (JSC::X86Assembler::cvtsi2sdq_mr):
        (JSC::X86Assembler::cvtsi2ssq_mr):
        (JSC::X86Assembler::cvtsi2ss_mr):
        * assembler/MacroAssemblerARM64.h:
        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::iToDConstant):
        (JSC::B3::Const32Value::iToFConstant):
        * b3/B3Const32Value.h:
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::iToDConstant):
        (JSC::B3::Const64Value::iToFConstant):
        * b3/B3Const64Value.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::iToDConstant):
        (JSC::B3::Value::iToFConstant):
        (JSC::B3::Value::isRounded):
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::materialize):
        * b3/air/AirFixPartialRegisterStalls.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::int64Operands):
        (JSC::B3::testIToD64Arg):
        (JSC::B3::testIToF64Arg):
        (JSC::B3::testIToD32Arg):
        (JSC::B3::testIToF32Arg):
        (JSC::B3::testIToD64Mem):
        (JSC::B3::testIToF64Mem):
        (JSC::B3::testIToD32Mem):
        (JSC::B3::testIToF32Mem):
        (JSC::B3::testIToD64Imm):
        (JSC::B3::testIToF64Imm):
        (JSC::B3::testIToD32Imm):
        (JSC::B3::testIToF32Imm):
        (JSC::B3::testIToDReducedToIToF64Arg):
        (JSC::B3::testIToDReducedToIToF32Arg):
        (JSC::B3::run):

2016-05-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] FTL can crash on stack overflow
        https://bugs.webkit.org/show_bug.cgi?id=157881
        rdar://problem/24665964

        Reviewed by Michael Saboff.

        The VM's m_largestFTLStackSize was never set anywhere (updateFTLLargestStackSize()
        was never called). We forgot to change that when implementing B3.

        Even when it is set, we still have a problem on OSR Exit.
        If the last frame is a FTL frame and it OSR Exits, the space required for
        that frame becomes significantly larger. What happens is we crash in the OSR Exit
        instead of the FTL frame (this is what happens in rdar://problem/24665964).

        This patch changes the stack boundary checks in FTL to be the same as DFG:
        we verify that we have enough space for the current optimized function but
        also for the baseline version (including inlining) in case of exit.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        (JSC::VM::updateStackLimit): Deleted.
        (JSC::VM::updateFTLLargestStackSize): Deleted.
        * runtime/VM.h:
        (JSC::VM::addressOfFTLStackLimit): Deleted.

2016-05-18  Filip Pizlo  <fpizlo@apple.com>

        DFG::LICMPhase shouldn't hoist type checks unless it knows that the check will succeed at the loop pre-header
        https://bugs.webkit.org/show_bug.cgi?id=144527

        Reviewed by Saam Barati.
        
        This adds a control flow equivalence analysis (called ControlEquivalenceAnalysis) based on
        dominator analysis over the backwards CFG. Two basic blocks are control flow equivalent if
        the execution of one implies that the other one must also execute. It means that the two
        blocks' forward and backward dominance are reciprocated: (A dom B and B backdom A) or (B dom
        A and A backdom B). LICM now uses it to become more conservative about hoisting checks, if
        this has caused problems in the past. If we hoist something that may exit from a block that
        was not control equivalent to the pre-header then it's possible that the node's speculation
        will fail even though it wouldn't have if it wasn't hoisted. So, we flag these nodes'
        origins as being "wasHoisted" and we track all of their exits as "HoistingFailed". LICM will
        turn off such speculative hoisting if the CodeBlock from which we are hoisting had the
        HoistingFailed exit kind.
        
        Note that this deliberately still allows us to hoist things that may exit even if they are
        not control equivalent to the pre-header. This is necessary because the profitability of
        hoisting is so huge in all of the cases that we're aware of that it's worth giving it a
        shot.
        
        This is neutral on macrobenchmarks since none of the benchmarks we track have a hoistable
        operation that would exit only if hoisted. I added microbenchmarks to illustrate the problem
        and two of them speed up by ~40% while one of them is neutral (Int52 saves us from having
        problems on that program even though LICM previously did the wrong thing).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * dfg/DFGAtTailAbstractState.h:
        (JSC::DFG::AtTailAbstractState::operator bool):
        (JSC::DFG::AtTailAbstractState::initializeTo):
        * dfg/DFGBackwardsCFG.h: Added.
        (JSC::DFG::BackwardsCFG::BackwardsCFG):
        * dfg/DFGBackwardsDominators.h: Added.
        (JSC::DFG::BackwardsDominators::BackwardsDominators):
        * dfg/DFGCommon.h:
        (JSC::DFG::checkAndSet): Deleted.
        * dfg/DFGControlEquivalenceAnalysis.h: Added.
        (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
        (JSC::DFG::ControlEquivalenceAnalysis::dominatesEquivalently):
        (JSC::DFG::ControlEquivalenceAnalysis::areEquivalent):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::invalidateCFG):
        (JSC::DFG::Graph::substituteGetLocal):
        (JSC::DFG::Graph::handleAssertionFailure):
        (JSC::DFG::Graph::ensureDominators):
        (JSC::DFG::Graph::ensurePrePostNumbering):
        (JSC::DFG::Graph::ensureNaturalLoops):
        (JSC::DFG::Graph::ensureBackwardsCFG):
        (JSC::DFG::Graph::ensureBackwardsDominators):
        (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasDebuggerEnabled):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::operator bool):
        (JSC::DFG::InPlaceAbstractState::createValueForNode):
        (JSC::DFG::InPlaceAbstractState::forNode):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGMayExit.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeOrigin.cpp:
        (JSC::DFG::NodeOrigin::dump):
        * dfg/DFGNodeOrigin.h:
        (JSC::DFG::NodeOrigin::takeValidExit):
        (JSC::DFG::NodeOrigin::withWasHoisted):
        (JSC::DFG::NodeOrigin::forInsertingAfter):
        * dfg/DFGNullAbstractState.h: Added.
        (JSC::DFG::NullAbstractState::NullAbstractState):
        (JSC::DFG::NullAbstractState::operator bool):
        (JSC::DFG::NullAbstractState::forNode):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
        (JSC::FTL::OSRExit::OSRExit):
        * ftl/FTLOSRExit.h:

2016-05-19  Mark Lam  <mark.lam@apple.com>

        Code that null checks the VM pointer before any use should ref the VM.
        https://bugs.webkit.org/show_bug.cgi?id=157864

        Reviewed by Filip Pizlo and Keith Miller.

        JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
        through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
        after their null checks.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::vm):
        (JSC::CodeBlock::setVM): Deleted.
        - Not used, and suggests that it can be changed during the lifetime of the
          CodeBlock (which should not be).

        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * runtime/JSLock.cpp:
        (JSC::JSLock::willReleaseLock):
        - Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
          the raw VM pointer.  This makes the null check a strong guarantee that the
          VM pointer is valid while these functions are using it.

2016-05-19  Saam barati  <sbarati@apple.com>

        arrow function lexical environment should reuse the same environment as the function's lexical environment where possible
        https://bugs.webkit.org/show_bug.cgi?id=157908

        Reviewed by Filip Pizlo.

        We can safely combine these two environment when we have
        a simple parameter list (no default parameters, no destructring parameters).

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        * bytecompiler/BytecodeGenerator.h:

2016-05-19  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix.

        Skipping this new test as it times out on the bots.

        Issue tracked in https://bugs.webkit.org/show_bug.cgi?id=157903

        * tests/stress/regress-157595.js:
        (MyRegExp):

2016-05-19  Guillaume Emont  <guijemont@igalia.com>

        JSC: DFG::SpeculativeJIT::compile special case for MIPS for PutByValWithThis
        https://bugs.webkit.org/show_bug.cgi?id=157741

        Reviewed by Saam Barati.

        The PutByValWithThis case needs a special case for MIPS because we
        don't have enough registers. The special case needs to be different
        from the x86 one because we have a different ABI.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-05-19  Brian Burg  <bburg@apple.com>

        Web Inspector: use a consistent prefix for injected scripts
        https://bugs.webkit.org/show_bug.cgi?id=157715
        <rdar://problem/26287188>

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/InjectedScriptSource.js:

2016-05-19  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Remove redefined macro after r200606
        https://bugs.webkit.org/show_bug.cgi?id=157890

        Reviewed by Michael Saboff.

        * bytecode/PolymorphicAccess.cpp:
        * jit/CCallHelpers.h:

2016-05-18  Saam barati  <sbarati@apple.com>

        Function with default parameter values that are arrow functions that capture this isn't working
        https://bugs.webkit.org/show_bug.cgi?id=157786
        <rdar://problem/26327329>

        Reviewed by Geoffrey Garen.

        To make the scopes ordered properly, I needed to initialize the arrow 
        function lexical environment before initializing default parameter values.
        I also made the code easier to reason about by never reusing the function's
        var lexical environment for the arrow function lexical environment. The
        reason for this is that that code was wrong, and we just didn't have code to
        that properly tested it. It was easy for that code to be wrong because
        sometimes the function's lexical environment isn't the top-most scope
        (namely, when a function's parameter list is non-simple) and sometimes
        it is (when the function's parameter list is simple).

        Also, because a function's default parameter values may capture the
        'arguments' variable inside an arrow function, I needed to take care
        to initialize the 'arguments' variable as part of whichever scope
        is the top-most scope. It's either the function's var environment
        if the parameter list is simple, or it's the function's parameter
        environment if the parameter list is non-simple.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
        (JSC::BytecodeGenerator::initializeParameters):
        (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
        (JSC::BytecodeGenerator::visibleNameForParameter):
        * bytecompiler/BytecodeGenerator.h:
        * tests/stress/arrow-functions-as-default-parameter-values.js: Added.
        (assert):
        (test):
        (test.foo):
        * tests/stress/op-push-name-scope-crashes-profiler.js:
        (test):

2016-05-18  Michael Saboff  <msaboff@apple.com>

        r199812 broke test262
        https://bugs.webkit.org/show_bug.cgi?id=157595

        Reviewed by Filip Pizlo.

        Added a reasonable limit to the size of the match result array to catch possible
        infinite loops when matching.
        Added a new tests that creates an infinite loop in RegExp.prototype.[Symbol.match]
        by creating a subclass of RegExp where the base RegExp's global flag is false and
        the subclass overrides .global with a getter that always returns true.

        * builtins/RegExpPrototype.js:
        (match):
        * tests/stress/regress-157595.js: Added.
        (MyRegExp):
        (MyRegExp.prototype.get global):
        (test):
        (catch):

2016-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Namespace object re-export should be handled as local export
        https://bugs.webkit.org/show_bug.cgi?id=157806

        Reviewed by Mark Lam.

        We align the implementation of ExportEntry to the spec; remove Type::Namespace.
        This Type::Namespace is used for re-exported namespace object binding. For example,

            import * as namespace from "namespace.js"
            export { namespace }

        In the above case, we used ExportEntry(Type::Namespace). In this patch, we drop this
        and use normal local export (Type::Local) instead because namespace object actually has
        the local binding in the above module environment. And this handling strictly meets the
        spec (Sec 15.2.1.16.1 step 11-a-ii-2-b).

        And we also clean up the ExportEntry implementation; dropping unnecessary information.
        This change fixes the test262/test/language/module-code/instn-star-equality.js crash.

        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::exportVariable):
        * runtime/JSModuleRecord.cpp:
        (JSC::getExportedNames):
        (JSC::JSModuleRecord::dump): Deleted.
        * runtime/JSModuleRecord.h:
        * tests/modules/namespace-re-export.js: Added.
        * tests/modules/namespace-re-export/namespace-re-export-fixture.js: Added.
        * tests/modules/namespace-re-export/namespace-re-export.js: Added.
        * tests/modules/resources/assert.js:
        (export.shouldNotBe):

2016-05-17  Filip Pizlo  <fpizlo@apple.com>

        JSC should detect the right default locale even when it's not embedded in WebCore
        https://bugs.webkit.org/show_bug.cgi?id=157755
        rdar://problem/24665424

        Reviewed by Keith Miller.
        
        This makes JSC try to use WTF's platform user preferred language detection if the DOM did
        not register a defaultLanguage callback. The result is that when JSC runs standalone it
        will detect the platform user preferred language almost the same way as when it's embedded
        in WebCore. The only difference is that WebCore may have its own additional overrides via
        the WK API. But in the absence of overrides, WebCore uses the same WTF logic that JSC falls
        back to.
        
        We first found this bug because on iOS, the intl tests would fail because ICU would report
        a somewhat bogus locale on that platform. Prior to this change, standalone JSC would fall
        back to ICU's locale detection. It turns out that the ICU default locale is also bogus on
        OS X, just less so. For example, setting things to Poland did not result in the jsc shell
        printing dates Polish-style. Now it will print them Polish-style if your system preferences
        say so. Also, the tests don't fail on iOS anymore.
        
        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):

2016-05-17  Dean Jackson  <dino@apple.com>

        Remove ES6_GENERATORS flag
        https://bugs.webkit.org/show_bug.cgi?id=157815
        <rdar://problem/26332894>

        Reviewed by Geoffrey Garen.

        This flag isn't needed. Generators are enabled everywhere and
        part of a stable specification.

        * Configurations/FeatureDefines.xcconfig:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionDeclaration): Deleted.
        (JSC::Parser<LexerType>::parseClass): Deleted.
        (JSC::Parser<LexerType>::parseExportDeclaration): Deleted.
        (JSC::Parser<LexerType>::parseAssignmentExpression): Deleted.
        (JSC::Parser<LexerType>::parseProperty): Deleted.
        (JSC::Parser<LexerType>::parseFunctionExpression): Deleted.

2016-05-17  Keith Miller  <keith_miller@apple.com>

        Rollout r200426 since it causes PLT regressions.
        https://bugs.webkit.org/show_bug.cgi?id=157812

        Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.

2016-05-17  Keith Miller  <keith_miller@apple.com>

        Add test262 harness support code
        https://bugs.webkit.org/show_bug.cgi?id=157797

        Reviewed by Filip Pizlo.

        This patch adds some new tooling needed to run Test262 with the jsc
        CLI. There were three options that needed to be added for Test262:

        1) "--test262-async" This option overrides the print function in the test runner to look for
        'Test262:AsyncTestComplete' instead of printing the passed text. If test262-async mode is on
        and that string is not passed then the test is marked as failing.

        2) "--strict-file=<file>" This option appends `"use strict";\n` to the beginning of the
        passed file before passing the source code to the VM. This option can, in theory, be passed
        multiple times.

        3) "--exception=<name>" This option asserts that at the end of the last script file passed
        the VM has an uncaught exception with its name property equal to the passed name.

        * jsc.cpp:
        (Script::Script):
        (fillBufferWithContentsOfFile):
        (functionPrint):
        (checkUncaughtException):
        (runWithScripts):
        (printUsageStatement):
        (CommandLine::parseArguments):
        (runJSC):

2016-05-17  Filip Pizlo  <fpizlo@apple.com>

        WTF should know about Language
        https://bugs.webkit.org/show_bug.cgi?id=157756

        Reviewed by Geoffrey Garen.

        Teach our scripts that a ObjC class beginning with WTF is totally cool.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2016-05-17  Joseph Pecoraro  <pecoraro@apple.com>

        console namespace breaks putting properties on console.__proto__
        https://bugs.webkit.org/show_bug.cgi?id=157782
        <rdar://problem/26250526>

        Reviewed by Geoffrey Garen.

        Some websites currently depend on console.__proto__ existing and being
        a separate object from Object.prototype. This patch adds back a basic
        console.__proto__ object, but all the console functions are left on
        the ConsoleObject itself.

        * runtime/JSGlobalObject.cpp:
        (JSC::createConsoleProperty):

2016-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, dump more information when math-pow-stable-results.js failed
        https://bugs.webkit.org/show_bug.cgi?id=157168

        * tests/stress/math-pow-stable-results.js:

2016-05-16  Saam barati  <sbarati@apple.com>

        ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
        https://bugs.webkit.org/show_bug.cgi?id=157770

        Reviewed by Filip Pizlo.

        ShadowChicken was reading the scope from a half formed
        frame as it threw a stack overflow exception. The frame had
        a valid CodeBlock pointer, but it did not have a valid scope.
        The code in ShadowChicken's throw packet logging mechanism didn't
        account for this. The fix is to respect whether genericUnwind wants
        to unwind from the current frame or the caller's frame. For stack
        overflow errors, we always unwind the caller's frame.

        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):

2016-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r200208): It made 2 JSC stress tests fail on x86
        https://bugs.webkit.org/show_bug.cgi?id=157168

        Reviewed by Benjamin Poulain.

        The fast path in operationMathPow produces different results between x87 and the other environments.
        This is because x87 calculates the double value in 80bit precision.
        The situation is the following: in x86 32bit environment, floating point operations are compiled to
        x87 operations by default even if we can use SSE2. But in DFG environment, we aggressively use SSE2
        if the cpuid reports SSE2 is available. As a result, the implementations differ between C runtime
        and DFG JIT code. The C runtime uses x87 while DFG JIT code uses SSE2. This causes a precision
        problem since x87 has 80bit precision while SSE2 has 64bit precision.

        In this patch, in x86 32bit environment, we use `volatile double` if the `-mfpmath=sse and -msse2 (or later)`
        is not specified. This will round the x87 value into 64bit per multiplying. Note that this problem does not
        occur in OS X clang 32bit environment. This is because `-mfpmath=sse` is enabled by default in OS X clang 32bit.

        * b3/B3MathExtras.cpp:
        (JSC::B3::powDoubleInt32):
        * runtime/MathCommon.cpp:
        (JSC::operationMathPow):

2016-05-16  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] "return this" in a constructor does not need a branch on isObject(this)
        https://bugs.webkit.org/show_bug.cgi?id=157775

        Reviewed by Saam Barati and Ryosuke Niwa.

        When returning "this" in a constructor, the bytecode generator was generating:
            is_object         locX, this
            jtrue             locX, 5(->second ret)
            ret               this
            ret               this

        That code is eliminated in DFG but it is pretty costly lower tiers.

        This patch changes bytecode generation to avoid the is_object test
        when possible and not generate two ret if they encode the same thing.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn):

2016-05-16  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Remove the index check from op_get_by_val/op_put_by_val when the index is constant
        https://bugs.webkit.org/show_bug.cgi?id=157766

        Reviewed by Geoffrey Garen.

        If the index is an integer constant, do not generate the index check.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):

2016-05-16  Benjamin Poulain  <bpoulain@apple.com>

        [JSC][DFG] Fill spilled Int32 as Int32 instead of JSInt32
        https://bugs.webkit.org/show_bug.cgi?id=157700

        Reviewed by Michael Saboff.

        In general, fillSpeculateInt32() originate from SpeculateInt32
        and the user does not care about the tag.

        This is particularily obvious on Sunspider's math-spectral-norm.js.
        In that test, registers are frequently spilled because of x86's DIV.

        When they are re-filled, they were always tagged.
        Since the loops are small, all the tagging adds up.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):

2016-05-16  Saam barati  <sbarati@apple.com>

        Unreviewed Cloop build fix.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):

2016-05-16  Saam barati  <sbarati@apple.com>

        Hook up ShadowChicken to the debugger to show tail deleted frames
        https://bugs.webkit.org/show_bug.cgi?id=156685
        <rdar://problem/25770521>

        Reviewed by Filip Pizlo and Mark Lam and Joseph Pecoraro.

        The heart of this patch hooks up ShadowChicken to DebuggerCallFrame to
        allow the Web Inspector to display the ShadowChicken's shadow stack.
        This means the Web Inspector can now display tail deleted frames.
        To make this work, I made the necessary changes to ShadowChicken and
        DebuggerCallFrame to allow DebuggerCallFrame to keep the same API
        when representing both machine frames and tail deleted frames.

        - ShadowChicken prologue packets now log the current scope. Tail packets
          log the current scope, the 'this' value, the CodeBlock, and the
          CallSiteIndex. This allows the inspector to not only show the
          tail deleted frame, but also show exactly where the tail call happened (line and column numbers),
          with which scope it executed, and with which 'this' value. This
          patch also allows DebuggerCallFrame to execute console statements
          in a tail deleted frame.

        - I changed ShadowChicken's stack resizing algorithm. ShadowChicken
          now only keeps a maximum number of tail deleted frames in its shadow stack.
          It will happily represent all machine frames without limit. Right now, the
          maximum number of tail deleted frames I chose to keep alive is 128.
          We will keep frames alive starting from the top of the stack. This
          allows us to have a strong defense against runaway memory usage. We will only
          keep around at most 128 "shadow" frames that wouldn't have naturally been kept
          alive by the executing program. We can play around with this number
          if we find that 128 is either too many or too few frames.

        - DebuggerCallFrame is no longer a cheap class to create. When it is created,
          we will eagerly create the entire virtual debugger stack. So I modified the
          existing code to lazily create DebuggerCallFrames only when necessary. We
          used to eagerly create them at each op_debug statement even though we would
          just throw them away if we didn't hit a breakpoint.

        - A valid DebuggerCallFrame will always have a valid CallFrame* pointer
          into the stack. This pointer won't always refer to the logical frame
          that the DebuggerCallFrame represents because a DebuggerCallFrame can
          now represent a tail deleted frame. To do this, DebuggerCallFrame now
          has a ShadowChicken::Frame member variable. This allows DebuggerCallFrame
          to know when it represents a tail deleted frame and gives DebuggerCallFrame
          a mechanism to ask the tail deleted frame for interesting information
          (like its 'this' value, scope, CodeBlock, etc). A tail deleted frame's
          machine frame pointer will be the machine caller of the tail deleted frame
          (or the machine caller of the first of a series of consecutive tail calls).

        - I added a new flag to UnlinkedCodeBlock to indicate when it is compiled
          with debugging opcodes. I did this because ShadowChicken may read a JSScope
          from the machine stack. This is only safe if the machine CodeBlock was
          compiled with debugging opcodes. This is safer than asking if the
          CodeBlock's global object has an interactive debugger enabled because
          it's theoretically possible for the debugger to be enabled while code
          compiled without a debugger is still live on the stack. This field is
          also now used to indicate to the DFGGraph that the interactive debugger
          is enabled.

        - Finally, this patch adds a new field to the Inspector's CallFrame protocol
          object called 'isTailDeleted' to allow the Inspector to know when a
          CallFrame represents a tail deleted frame.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::findPC):
        (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearDebuggerRequests):
        (JSC::CodeBlock::wasCompiledWithDebuggingOpcodes):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes):
        (JSC::UnlinkedCodeBlock::finishCreation):
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitEnter):
        (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
        (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
        (JSC::BytecodeGenerator::emitCallDefineProperty):
        * debugger/Debugger.cpp:
        (JSC::DebuggerPausedScope::DebuggerPausedScope):
        (JSC::DebuggerPausedScope::~DebuggerPausedScope):
        (JSC::Debugger::didReachBreakpoint):
        (JSC::Debugger::currentDebuggerCallFrame):
        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::LineAndColumnFunctor::operator()):
        (JSC::DebuggerCallFrame::create):
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        (JSC::DebuggerCallFrame::callerFrame):
        (JSC::DebuggerCallFrame::globalExec):
        (JSC::DebuggerCallFrame::vmEntryGlobalObject):
        (JSC::DebuggerCallFrame::sourceID):
        (JSC::DebuggerCallFrame::functionName):
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::type):
        (JSC::DebuggerCallFrame::thisValue):
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        (JSC::DebuggerCallFrame::invalidate):
        (JSC::DebuggerCallFrame::currentPosition):
        (JSC::DebuggerCallFrame::positionForCallFrame):
        (JSC::DebuggerCallFrame::sourceIDForCallFrame):
        (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor): Deleted.
        (JSC::FindCallerMidStackFunctor::operator()): Deleted.
        (JSC::FindCallerMidStackFunctor::getCallerFrame): Deleted.
        (JSC::DebuggerCallFrame::thisValueForCallFrame): Deleted.
        * debugger/DebuggerCallFrame.h:
        (JSC::DebuggerCallFrame::isValid):
        (JSC::DebuggerCallFrame::isTailDeleted):
        (JSC::DebuggerCallFrame::create): Deleted.
        (JSC::DebuggerCallFrame::exec): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::~Graph):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addCallSite):
        (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
        (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
        (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
        (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket): Deleted.
        * inspector/InjectedScriptSource.js:
        (InjectedScript.CallFrameProxy):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::thisObject):
        (Inspector::JSJavaScriptCallFrame::isTailDeleted):
        (Inspector::JSJavaScriptCallFrame::type):
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        (Inspector::jsJavaScriptCallFrameIsTailDeleted):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::type):
        (Inspector::JavaScriptCallFrame::scopeChain):
        (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
        (Inspector::JavaScriptCallFrame::isTailDeleted):
        (Inspector::JavaScriptCallFrame::thisValue):
        (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        * inspector/protocol/Debugger.json:
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        (JSC::ShadowChicken::visitChildren):
        (JSC::ShadowChicken::reset):
        * interpreter/ShadowChicken.h:
        (JSC::ShadowChicken::Packet::throwMarker):
        (JSC::ShadowChicken::Packet::prologue):
        (JSC::ShadowChicken::Packet::tail):
        (JSC::ShadowChicken::Frame::Frame):
        (JSC::ShadowChicken::Frame::operator==):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::logShadowChickenProloguePacket):
        (JSC::CCallHelpers::logShadowChickenTailPacket):
        (JSC::CCallHelpers::ensureShadowChickenPacket):
        (JSC::CCallHelpers::setupShadowChickenPacket): Deleted.
        * jit/CCallHelpers.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        (JSC::JIT::emit_op_get_enumerable_length):
        (JSC::JIT::emit_op_resume):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
        (JSC::RegisterSet::argumentGPRS):
        (JSC::RegisterSet::registersToNotSaveForJSCall):
        * jit/RegisterSet.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/Options.h:
        * tests/stress/shadow-chicken-enabled.js:
        (test5a.foo):
        (test5a):
        (test5b.foo):
        (test5b):
        (test6.foo):
        (test6):

2016-05-16  Saam barati  <sbarati@apple.com>

        TypeSet/StructureShape have a flawed sense of JS prototype chains
        https://bugs.webkit.org/show_bug.cgi?id=157760

        Reviewed by Joseph Pecoraro.

        There was an assumption that we would bottom out in "Object". This is
        not true for many reasons. JS objects may not end in Object.prototype.
        Also, our mechanism of grabbing an Object's class name may also not
        bottom out in "Object". We were seeing this in the JS objects we use
        in the InjectedScriptSource.js inspector script.

        * runtime/TypeSet.cpp:
        (JSC::StructureShape::leastCommonAncestor):
        * tests/typeProfiler/weird-prototype-chain.js: Added.
        (wrapper.foo):
        (wrapper.let.o2):
        (wrapper):

2016-05-16  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed rollout r200924. Caused js/regress/string-replace-generic.html to fail.

        * API/JSProfilerPrivate.cpp: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
        (JSStartProfiling):
        (JSEndProfiling):
        * API/JSProfilerPrivate.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::profileHookRegister):
        (JSC::BytecodeGenerator::shouldEmitProfileHooks):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
        * inspector/protocol/Timeline.json:
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/ParserModes.h:
        * profiler/CallIdentifier.h: Added.
        (JSC::CallIdentifier::CallIdentifier):
        (JSC::CallIdentifier::functionName):
        (JSC::CallIdentifier::url):
        (JSC::CallIdentifier::lineNumber):
        (JSC::CallIdentifier::columnNumber):
        (JSC::CallIdentifier::operator==):
        (JSC::CallIdentifier::operator!=):
        (JSC::CallIdentifier::Hash::hash):
        (JSC::CallIdentifier::Hash::equal):
        (JSC::CallIdentifier::hash):
        (JSC::CallIdentifier::operator const char*):
        (JSC::CallIdentifier::c_str):
        (WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
        (WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
        * profiler/LegacyProfiler.cpp: Added.
        (JSC::LegacyProfiler::profiler):
        (JSC::LegacyProfiler::startProfiling):
        (JSC::LegacyProfiler::stopProfiling):
        (JSC::callFunctionForProfilesWithGroup):
        (JSC::LegacyProfiler::suspendProfiling):
        (JSC::LegacyProfiler::unsuspendProfiling):
        (JSC::LegacyProfiler::willExecute):
        (JSC::LegacyProfiler::didExecute):
        (JSC::LegacyProfiler::exceptionUnwind):
        (JSC::LegacyProfiler::createCallIdentifier):
        (JSC::createCallIdentifierFromFunctionImp):
        * profiler/LegacyProfiler.h: Added.
        (JSC::LegacyProfiler::currentProfiles):
        * profiler/Profile.cpp: Added.
        (JSC::Profile::create):
        (JSC::Profile::Profile):
        (JSC::Profile::~Profile):
        (JSC::Profile::debugPrint):
        (JSC::functionNameCountPairComparator):
        (JSC::Profile::debugPrintSampleStyle):
        * profiler/Profile.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
        * profiler/ProfileGenerator.cpp: Added.
        (JSC::ProfileGenerator::create):
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
        (JSC::AddParentForConsoleStartFunctor::foundParent):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        (JSC::ProfileGenerator::title):
        (JSC::ProfileGenerator::beginCallEntry):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        (JSC::ProfileGenerator::exceptionUnwind):
        (JSC::ProfileGenerator::stopProfiling):
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileGenerator.h: Added.
        (JSC::ProfileGenerator::profile):
        (JSC::ProfileGenerator::origin):
        (JSC::ProfileGenerator::profileGroup):
        (JSC::ProfileGenerator::setIsSuspended):
        * profiler/ProfileNode.cpp: Added.
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::addChild):
        (JSC::ProfileNode::removeChild):
        (JSC::ProfileNode::spliceNode):
        (JSC::ProfileNode::traverseNextNodePostOrder):
        (JSC::ProfileNode::debugPrint):
        (JSC::ProfileNode::debugPrintSampleStyle):
        (JSC::ProfileNode::debugPrintRecursively):
        (JSC::ProfileNode::debugPrintSampleStyleRecursively):
        * profiler/ProfileNode.h: Added.
        (JSC::ProfileNode::create):
        (JSC::ProfileNode::Call::Call):
        (JSC::ProfileNode::Call::startTime):
        (JSC::ProfileNode::Call::setStartTime):
        (JSC::ProfileNode::Call::elapsedTime):
        (JSC::ProfileNode::Call::setElapsedTime):
        (JSC::ProfileNode::operator==):
        (JSC::ProfileNode::callerCallFrame):
        (JSC::ProfileNode::callIdentifier):
        (JSC::ProfileNode::id):
        (JSC::ProfileNode::functionName):
        (JSC::ProfileNode::url):
        (JSC::ProfileNode::lineNumber):
        (JSC::ProfileNode::columnNumber):
        (JSC::ProfileNode::parent):
        (JSC::ProfileNode::setParent):
        (JSC::ProfileNode::calls):
        (JSC::ProfileNode::lastCall):
        (JSC::ProfileNode::appendCall):
        (JSC::ProfileNode::children):
        (JSC::ProfileNode::firstChild):
        (JSC::ProfileNode::lastChild):
        (JSC::ProfileNode::nextSibling):
        (JSC::ProfileNode::setNextSibling):
        (JSC::ProfileNode::forEachNodePostorder):
        (JSC::CalculateProfileSubtreeDataFunctor::operator()):
        (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
        * profiler/ProfilerJettisonReason.cpp:
        (WTF::printInternal):
        * profiler/ProfilerJettisonReason.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::hasLegacyProfiler):
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::supportsLegacyProfiling):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::SetEnabledProfilerFunctor::operator()):
        (JSC::VM::setEnabledProfiler):
        * runtime/VM.h:
        (JSC::VM::enabledProfiler):
        (JSC::VM::enabledProfilerAddress):

2016-05-16  Konstantin Tokarev  <annulen@yandex.ru>

        Unreviewed, fixed typo in a comment.

        * assembler/MacroAssembler.h: Replaced "onvenience" with
        "convenience".

2016-05-16  Filip Pizlo  <fpizlo@apple.com>

        FixupPhase should be more eager to demote bit math to untyped
        https://bugs.webkit.org/show_bug.cgi?id=157746

        Reviewed by Mark Lam.
        
        This just makes the logic for how we fixup bit math match the way we do it in other places.
        This doesn't affect performance on any major benchmark but it's a big win on new
        microbenchmarks added in this change.
        
        Details:

        object-and                                     11.1610+-0.7602     ^      4.8105+-0.1690        ^ definitely 2.3201x faster
        object-or                                      11.0845+-0.2487     ^      4.7146+-0.0374        ^ definitely 2.3511x faster
        object-xor                                     10.2946+-0.9946     ^      4.7278+-0.0814        ^ definitely 2.1775x faster
        object-lshift                                  10.4896+-1.0867     ^      4.7699+-0.0721        ^ definitely 2.1991x faster
        object-rshift                                  11.1239+-0.5010     ^      4.7194+-0.0445        ^ definitely 2.3570x faster
        object-urshift                                 10.9745+-0.1315     ^      4.7848+-0.0479        ^ definitely 2.2936x faster

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2016-05-15  Michael Saboff  <msaboff@apple.com>

        RegExp /y flag incorrect handling of mixed-length alternation
        https://bugs.webkit.org/show_bug.cgi?id=157723

        Reviewed by Filip Pizlo.

        Previously for sticky patterns, we were bailing out and exiting when backtracking
        alternatives with dissimilar match lengths.  Deleted that code.  Instead, for
        sticky patterns we need to process the backtracking except for advancing to the
        next input index.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::backtrack):

2016-05-15  Filip Pizlo  <fpizlo@apple.com>

        DFG::Plan shouldn't read from its VM once it's been cancelled
        https://bugs.webkit.org/show_bug.cgi?id=157726

        Reviewed by Saam Barati.
        
        Plan::vm was a reference, not a pointer, and so wasn't nulled by Plan::cancel(). So, a
        cancelled plan may have a dangling pointer to a VM: we could delete the VM after cancelling
        the plan.
        
        Prior to http://trac.webkit.org/changeset/200705, this was probably fine because nobody
        would read Plan::vm if the plan was cancelled. But r200705 changed that. It was a hard
        regression to spot because usually a cancelled plan will still refer to a valid VM.
        
        This change fixes the regression and makes it a lot easier to spot the regression in the
        future. Plan::vm is now a pointer and we null it in Plan::cancel(). Now if you make this
        mistake, you will get a crash anytime the Plan is cancelled, not just anytime the plan is
        cancelled and the VM gets deleted. Also, it's now very clear what to do when you want to
        use Plan::vm on the cancel path: you can null-check vm; if it's null, assume the worst.
        
        Because we null the VM of a cancelled plan, we cannot have Safepoint::vm() return the
        plan's VM anymore. That's because when we cancel a plan that is at a safepoint, we use the
        safepoint's VM to determine whether this is one of our safepoints *after* the plan is
        already cancelled. So, Safepoint now has its own copy of m_vm, and that copy gets nulled
        when the Safepoint is cancelled. The Safepoint's m_vm will be nulled moments after Plan's
        vm gets nulled (see Worklist::removeDeadPlans(), which has a cancel path for Plans in one
        loop and a cancel path for Safepoints in the loop after it).

        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::computeCompileTimes):
        (JSC::DFG::Plan::reportCompileTimes):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::cancel):
        * dfg/DFGPlan.h:
        (JSC::DFG::Plan::canTierUpAndOSREnter):
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::cancel):
        (JSC::DFG::Safepoint::vm):
        * dfg/DFGSafepoint.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::rememberCodeBlocks):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):

2016-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        Modernize Intl constructors; using InternalFunction::createSubclassStructure
        https://bugs.webkit.org/show_bug.cgi?id=157082

        Reviewed by Darin Adler.

        Previously, Intl constructors retrieve "prototype" to inherit the "new.target".
        At that time, this mis-assumed that getDirect() always returns meaningful JS value.
        Actually, it returns an empty value if a property does not exist.

        Instead of fixing this assertion, we now use InternalFunction::createSubclassStructure
        in Intl constructors. It is modern and preferable way since it can cache the derived
        structures in InternalFunction.

        This patch also cleans up the workaround in Intl.NumberFormat and Intl.DateTimeFormat.
        Those code are largely duplicate. This is now extracted into
        constructIntlInstanceWithWorkaroundForLegacyIntlConstructor. This clean up does not
        have any behavior changes. They are already tested in LayoutTests/js/intl-datetimeformat
        and LayoutTests/js/intl-numberformat.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::create):
        * runtime/IntlCollator.h:
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::create):
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        (JSC::callIntlDateTimeFormat):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::create):
        * runtime/IntlNumberFormat.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        (JSC::callIntlNumberFormat):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObjectInlines.h: Added.
        (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
        * tests/stress/intl-constructors-with-proxy.js: Added.
        (shouldBe):
        (throw.new.Error.Empty):
        (throw.new.Error):
        (shouldBe.Empty):

2016-05-14  Joseph Pecoraro  <pecoraro@apple.com>

        Remove LegacyProfiler
        https://bugs.webkit.org/show_bug.cgi?id=153565

        Reviewed by Mark Lam.

        JavaScriptCore now provides a sampling profiler and it is enabled
        by all ports. Web Inspector switched months ago to using the
        sampling profiler and displaying its data. Remove the legacy
        profiler, as it is no longer being used by anything other then
        console.profile and tests. We will update console.profile's
        behavior soon to have new behavior and use the sampling data.

        * API/JSProfilerPrivate.cpp: Removed.
        * API/JSProfilerPrivate.h: Removed.
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset): Deleted.
        (JSC::computeDefsForBytecodeOffset): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Deleted.
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::profileHookRegister): Deleted.
        (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::CallArguments::CallArguments): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): Deleted.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Deleted.
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
        * inspector/protocol/Timeline.json:
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator()): Deleted.
        (JSC::Interpreter::execute): Deleted.
        (JSC::Interpreter::executeCall): Deleted.
        (JSC::Interpreter::executeConstruct): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass): Deleted.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_will_call): Deleted.
        (JSC::JIT::emit_op_profile_did_call): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_will_call): Deleted.
        (JSC::JIT::emit_op_profile_did_call): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/ParserModes.h:
        * profiler/CallIdentifier.h: Removed.
        * profiler/LegacyProfiler.cpp: Removed.
        * profiler/LegacyProfiler.h: Removed.
        * profiler/Profile.cpp: Removed.
        * profiler/Profile.h: Removed.
        * profiler/ProfileGenerator.cpp: Removed.
        * profiler/ProfileGenerator.h: Removed.
        * profiler/ProfileNode.cpp: Removed.
        * profiler/ProfileNode.h: Removed.
        * profiler/ProfilerJettisonReason.cpp:
        (WTF::printInternal): Deleted.
        * profiler/ProfilerJettisonReason.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
        (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
        (JSC::VM::setEnabledProfiler): Deleted.
        * runtime/VM.h:
        (JSC::VM::enabledProfiler): Deleted.
        (JSC::VM::enabledProfilerAddress): Deleted.

2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>

        jsc: samplingProfilerStackTraces() without starting sampling should not cause jsc to crash
        https://bugs.webkit.org/show_bug.cgi?id=157704

        Reviewed by Saam Barati.

        * jsc.cpp:
        (functionStartSamplingProfiler):
        (functionSamplingProfilerStackTraces):
        Throw an exception instead of crashing if we haven't started sampling.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::startTracking):
        * runtime/VM.h:
        * runtime/VM.cpp:
        (JSC::VM::ensureSamplingProfiler):
        Switch ensure to returning a reference, like most other ensures.

2016-05-13  Saam barati  <sbarati@apple.com>

        DFG/FTL have a few bugs in their reasoning about the scope
        https://bugs.webkit.org/show_bug.cgi?id=157696

        Reviewed by Benjamin Poulain.

        1. When the debugger is enabled, it is easier for the DFG to reason
        about the scope register by simply claiming all nodes read the scope
        register. This prevents us from ever entering the runtime where we
        may take a stack trace but there isn't a scope on the stack.

        2. This patch fixes a bug where the FTL compilation wasn't properly
        setting the CodeBlock register. It was only doing this when there
        was inline data, but when the debugger is enabled, we never inline.
        So this code just needed to be removed from that loop. It was never
        right for it to be inside the loop.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2016-05-13  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] SetLocal without exit do not need phantoms
        https://bugs.webkit.org/show_bug.cgi?id=157653

        Reviewed by Filip Pizlo.

        I made a mistake in r200498.

        If a SetLocal cannot possibly exit, we were not clearing
        the source of the operand. As a result, we sometime kept
        a value alive up to the end of the block.

        That's uncommon because SetLocal typically appear
        toward the end of blocks. That's probably why there was
        no perf impact with that fix.

        * dfg/DFGPhantomInsertionPhase.cpp:

2016-05-13  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Move the CheckTierUp function calls out of the main path
        https://bugs.webkit.org/show_bug.cgi?id=157668

        Reviewed by Mark Lam.

        If you have a tiny tiny loop (for example, Sunspider's bits-in-byte),
        the size of CheckTierUp is a problem.

        On multi-issue CPUs, the node is so big that we do not
        get to run anything from the loop in the instruction fetch.

        On x86, having a bigger loop also pushes us out of the LSD.

        This is a 6% improvement on bits-in-byte. Other Sunspider tests
        only improves marginally.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-05-13  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Emit the loads of emitLoadWithStructureCheck() in the order they are used
        https://bugs.webkit.org/show_bug.cgi?id=157671

        Reviewed by Mark Lam.

        This improves the chances of having a value
        when issuing the TEST.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitLoadWithStructureCheck):

2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Inform augmenting client when inspector controller is destroyed
        https://bugs.webkit.org/show_bug.cgi?id=157688
        <rdar://problem/25832724>

        Reviewed by Timothy Hatcher.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController):
        * inspector/augmentable/AugmentableInspectorControllerClient.h:
        There is a weak relationship between the InspectorController and the
        AugmentingClient. Let the augmenting client know when the controller
        is destroyed so it doesn't try to use us anymore.

2016-05-13  Geoffrey Garen  <ggaren@apple.com>

        Runaway malloc memory usage in this simple JSC program
        https://bugs.webkit.org/show_bug.cgi?id=157682

        Reviewed by Mark Lam.

        * heap/WeakSet.cpp:
        (JSC::WeakSet::sweep): Whenever we might add a block to
        m_logicallyEmptyWeakBlocks, be sure also to sweep a block in
        m_logicallyEmptyWeakBlocks. Otherwise, additions might outpace removals
        even when all memory is freed.

        We do this whenever we *might* add a block and not just whenever we *do*
        add a block because we'd like to sweep the entries in
        m_logicallyEmptyWeakBlocks promptly even when it's not growing, and this
        is a reasonably rate-limited opportunity to do so.

2016-05-13  Mark Lam  <mark.lam@apple.com>

        We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
        https://bugs.webkit.org/show_bug.cgi?id=157537
        <rdar://problem/24794845>

        Reviewed by Michael Saboff.

        The pre-existing code behaves this way:

        1. When JS code throws an exception, it saves callee save registers in
           the VM calleeSaveRegistersBuffer.  These values are meant to be restored
           to the callee save registers later either at the catch handler or at the
           uncaught exception handler.

        2. If the Inspector is enable, the VM will invoke inspector C++ code to inspect
           the exception.  That C++ code can change the values of the callee save
           registers.

           The inspector code in turn re-enters the VM to execute JS inspector code.

           The JS inspector code can run hot enough that we do an enterOptimizationCheck
           on it.  The enterOptimizationCheck first saves all callee save registers
           into the VM calleeSaveRegistersBuffer.

           This effectively overwrites the values in the VM calleeSaveRegistersBuffer
           from (1).

        3. Eventually, execution returns to the catch handler or the uncaught exception
           handler which restores the overwritten values in the VM
           calleeSaveRegistersBuffer to the callee save registers.

           When execution returns to the C++ code that entered the VM before (1), the
           values in the callee registers are not what that code expects, and badness
           and/or crashes ensues.

        This patch applies the following fix:
        
        1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer.
           This ensures that each VM entry session has its own buffer to use, and will
           not corrupt the one from the previous VM entry session.

           Delete the VM calleeSaveRegistersBuffer.

        2. Change all locations that uses the VM calleeSaveRegistersBuffer to use the
           calleeSaveRegistersBuffer in the current VMEntryFrame.

        3. Renamed all uses of the term "VMCalleeSavesBuffer" to
           "VMEntryFrameCalleeSavesBuffer".

        This fix has been tested on the following configurations:
        1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
        2. JSC tests on a release ASan build for 32-bit x86.
        3. JSC tests on a release normal (non-ASan) build for ARM64.
        4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
        5. JSC tests on a release ASan CLOOP build for x86_64.

        These test runs did not produce any new crashes.  The ASan CLOOP has some
        pre-existing crashes which are not due to this patch.

        This bug can be tested by running the inspector/debugger/regress-133182.html test
        on an ASan build.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):