More stack limit and reserved zone renaming.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-07-12  Mark Lam  <mark.lam@apple.com>

        More stack limit and reserved zone renaming.
        https://bugs.webkit.org/show_bug.cgi?id=159690

        Rubber-stamped by Geoffrey Garen.

        We should rename the following:
            osStackLimitWithReserve => softStackLimit
            reservedZoneSize => softReservedZoneSize
            errorModeReservedZoneSize => reservedZoneSize

        * API/tests/PingPongStackOverflowTest.cpp:
        (testPingPongStackOverflow):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * interpreter/CLoopStack.cpp:
        (JSC::CLoopStack::CLoopStack):
        (JSC::CLoopStack::grow):
        (JSC::CLoopStack::releaseExcessCapacity):
        (JSC::CLoopStack::addToCommittedByteCount):
        (JSC::CLoopStack::setSoftReservedZoneSize):
        (JSC::CLoopStack::setReservedZoneSize): Deleted.
        * interpreter/CLoopStack.h:
        (JSC::CLoopStack::size):
        * interpreter/CLoopStackInlines.h:
        (JSC::CLoopStack::shrink):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/ErrorHandlingScope.h:
        * runtime/Options.h:
        * runtime/RegExp.cpp:
        (JSC::RegExp::finishCreation):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::setStackPointerAtVMEntry):
        (JSC::VM::updateSoftReservedZoneSize):
        (JSC::VM::updateStackLimit):
        (JSC::VM::updateReservedZoneSize): Deleted.
        * runtime/VM.h:
        (JSC::VM::stackPointerAtVMEntry):
        (JSC::VM::softReservedZoneSize):
        (JSC::VM::softStackLimit):
        (JSC::VM::addressOfSoftStackLimit):
        (JSC::VM::cloopStackLimit):
        (JSC::VM::setCLoopStackLimit):
        (JSC::VM::isSafeToRecurse):
        (JSC::VM::reservedZoneSize): Deleted.
        (JSC::VM::osStackLimitWithReserve): Deleted.
        (JSC::VM::addressOfOSStackLimitWithReserve): Deleted.
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * wasm/WASMFunctionCompiler.h:
        (JSC::WASMFunctionCompiler::startFunction):

2016-07-12  Gyuyoung Kim  <gyuyoung.kim@webkit.org>

        Remove ENABLE_CSS3_TEXT_LINE_BREAK flag
        https://bugs.webkit.org/show_bug.cgi?id=159671

        Reviewed by Csaba Osztrogonác.

        The ENABLE_CSS3_TEXT_LINE_BREAK feature was implemented without guards.
        https://bugs.webkit.org/show_bug.cgi?id=89235

        So this guard can be removed in build scripts.

        * Configurations/FeatureDefines.xcconfig:

2016-07-12  Per Arne Vollan  <pvollan@apple.com>

        [Win] DLLs are missing version information.
        https://bugs.webkit.org/show_bug.cgi?id=159349

        Reviewed by Brent Fulgham.

        Generate autoversion.h and run the perl version stamp utility.

        * CMakeLists.txt:

2016-07-11  Caio Lima  <ticaiolima@gmail.com>

        ECMAScript 2016: %TypedArray%.prototype.includes implementation
        https://bugs.webkit.org/show_bug.cgi?id=159385

        Reviewed by Benjamin Poulain.

        This patch implements the ECMAScript 2016:
        %TypedArray%.prototype.includes
        following spec 22.2.3.14
        https://tc39.github.io/ecma262/2016/#sec-%typedarray%.prototype.includes

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncIncludes):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewProtoFuncIncludes):
        (JSC::JSTypedArrayViewPrototype::finishCreation):

2016-07-11  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Array.from() and Array.of() try to build objects even if "this" is not a constructor
        https://bugs.webkit.org/show_bug.cgi?id=159604

        Reviewed by Yusuke Suzuki.

        The spec says IsConstructor(), we were just checking if "this"
        is any function.

        * builtins/ArrayConstructor.js:
        (of):
        (from):

2016-07-11  Keith Miller  <keith_miller@apple.com>

        defineProperty on an index of a TypedArray should throw if configurable
        https://bugs.webkit.org/show_bug.cgi?id=159653

        Reviewed by Saam Barati.

        When I fixed this before I misread the spec and thought it said we
        should throw if the descriptor said the property is not
        configurable. This is the opposite. We should throw if the
        descriptor says the property is configurable.

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        * tests/stress/typedarray-access-monomorphic-neutered.js:
        * tests/stress/typedarray-access-neutered.js:
        * tests/stress/typedarray-configure-index.js: Added.
        (assert):
        (assertThrows):
        (makeDescriptor):
        (test):

2016-07-11  Saam Barati  <sbarati@apple.com>

        some paths in Array.prototype.splice don't account for the array not having certain indexed properties
        https://bugs.webkit.org/show_bug.cgi?id=159641
        <rdar://problem/27171999>

        Reviewed by Filip Pizlo and Keith Miller.

        Array.prototype.splice was incorrectly putting properties on
        the result array even if the |this| array didn't have those
        properties. This is not the behavior of the spec. However, this
        could also cause a crash because we can construct a program where
        we would putByIndex on a typed array where the value we are
        putting is JSValue(). This is bad because the typed array will
        try to convert JSValue() into an integer.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):
        * tests/stress/array-prototype-splice-making-typed-array.js: Added.
        (assert):
        (test):

2016-07-11  Mark Lam  <mark.lam@apple.com>

        Refactor JSStack to only be the stack data structure for the C Loop.
        https://bugs.webkit.org/show_bug.cgi?id=159545

        Reviewed by Geoffrey Garen.

        Changes made:
        1. Renamed JSStack to CLoopStack.
        2. Made all of the CLoopStack code conditional on #if !ENABLE(JIT), i.e. it will
           only be in effect for the C Loop build.
        3. Changed clients of JSStack to use new equivalent VM APIs:
            a. JSStack::ensureCapacityFor() => VM::ensureStackCapacityFor()
            b. JSStack::committedByteCount() => VM::committedStackByteCount()
        4. Made VM::updateReservedZoneSize() call CLoopStack::setReservedZoneSize()
           instead of calling it from all the clients of VM::updateReservedZoneSize().
        5. Removed all unnecessary references to JSStack.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/BytecodeConventions.h:
        * dfg/DFGGraph.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::willStartIterating):
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::stack): Deleted.
        * heap/Heap.h:
        * interpreter/CLoopStack.cpp: Copied from Source/JavaScriptCore/interpreter/JSStack.cpp.
        (JSC::commitSize):
        (JSC::CLoopStack::CLoopStack):
        (JSC::CLoopStack::~CLoopStack):
        (JSC::CLoopStack::grow):
        (JSC::CLoopStack::gatherConservativeRoots):
        (JSC::CLoopStack::sanitizeStack):
        (JSC::CLoopStack::releaseExcessCapacity):
        (JSC::CLoopStack::addToCommittedByteCount):
        (JSC::CLoopStack::setReservedZoneSize):
        (JSC::CLoopStack::committedByteCount):
        (JSC::JSStack::JSStack): Deleted.
        (JSC::JSStack::~JSStack): Deleted.
        (JSC::JSStack::growSlowCase): Deleted.
        (JSC::JSStack::gatherConservativeRoots): Deleted.
        (JSC::JSStack::sanitizeStack): Deleted.
        (JSC::JSStack::releaseExcessCapacity): Deleted.
        (JSC::JSStack::addToCommittedByteCount): Deleted.
        (JSC::JSStack::setReservedZoneSize): Deleted.
        (JSC::JSStack::lowAddress): Deleted.
        (JSC::JSStack::highAddress): Deleted.
        (JSC::JSStack::committedByteCount): Deleted.
        * interpreter/CLoopStack.h: Copied from Source/JavaScriptCore/interpreter/JSStack.h.
        (JSC::CLoopStack::containsAddress):
        (JSC::CLoopStack::lowAddress):
        (JSC::CLoopStack::highAddress):
        (JSC::CLoopStack::reservationTop):
        (JSC::JSStack::containsAddress): Deleted.
        (JSC::JSStack::lowAddress): Deleted.
        (JSC::JSStack::highAddress): Deleted.
        (JSC::JSStack::reservationTop): Deleted.
        * interpreter/CLoopStackInlines.h: Copied from Source/JavaScriptCore/interpreter/JSStackInlines.h.
        (JSC::CLoopStack::ensureCapacityFor):
        (JSC::CLoopStack::topOfFrameFor):
        (JSC::CLoopStack::topOfStack):
        (JSC::CLoopStack::shrink):
        (JSC::CLoopStack::setCLoopStackLimit):
        (JSC::JSStack::ensureCapacityFor): Deleted.
        (JSC::JSStack::topOfFrameFor): Deleted.
        (JSC::JSStack::topOfStack): Deleted.
        (JSC::JSStack::shrink): Deleted.
        (JSC::JSStack::grow): Deleted.
        (JSC::JSStack::setCLoopStackLimit): Deleted.
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::unsafeCallSiteIndex):
        (JSC::CallFrame::currentVPC):
        (JSC::CallFrame::stack): Deleted.
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrameAndPC):
        (JSC::ExecState::unsafeCallerFrameAndPC):
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForForwardArguments):
        (JSC::sizeFrameForVarargs):
        (JSC::Interpreter::Interpreter):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::cloopStack):
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::isCallBytecode):
        (JSC::Interpreter::stack): Deleted.
        * interpreter/JSStack.cpp: Removed.
        * interpreter/JSStack.h: Removed.
        * interpreter/JSStackInlines.h: Removed.
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::dump):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JSInterfaceJIT.h:
        * jit/SpecializedThunkJIT.h:
        * jit/ThunkGenerators.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::llint_stack_check_at_vm_entry):
        * llint/LLIntThunks.cpp:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/JSGlobalObject.h:
        * runtime/MemoryStatistics.cpp:
        (JSC::globalMemoryStatistics):
        * runtime/StackAlignment.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateReservedZoneSize):
        (JSC::sanitizeStackForVM):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::reservedZoneSize):
        (JSC::VM::osStackLimitWithReserve):
        (JSC::VM::addressOfOSStackLimitWithReserve):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        (JSC::VM::shouldTriggerTermination):

2016-07-11  Keith Miller  <keith_miller@apple.com>

        STP TypedArray.subarray 5x slowdown compared to 9.1
        https://bugs.webkit.org/show_bug.cgi?id=156404
        <rdar://problem/26493032>

        Reviewed by Geoffrey Garen.

        This patch moves the species constructor work for
        %TypedArray%.prototype.subarray to a js wrapper. By moving the
        species constructor work to JS we are able to completely optimize
        it out in DFG. The actual work of creating a TypedArray is still
        done in C++ since we are able to avoid calling into the
        constructor, which is expensive. This patch also changes the error
        message when a %TypedArray%.prototype function is passed a non-typed
        array this value. Finally, we used to check that the this value
        had not been detached, however, this behavior was incorrect.

        * builtins/BuiltinNames.h:
        * builtins/TypedArrayPrototype.js:
        (globalPrivate.typedArraySpeciesConstructor):
        (subarray):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/ConstructData.h:
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        (JSC::genericTypedArrayViewProtoFuncSubarray): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewPrivateFuncSubarrayCreate):
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        (JSC::typedArrayViewProtoFuncSubarray): Deleted.
        * runtime/JSTypedArrayViewPrototype.h:

2016-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r202992): JSC varargs tests are broken
        https://bugs.webkit.org/show_bug.cgi?id=159616

        Reviewed by Csaba Osztrogonác.

        The substitution miss in r202992 causes varargs test failures in the GTK port.

        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):

2016-07-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Promise.{all,race} no longer use @@species
        https://bugs.webkit.org/show_bug.cgi?id=159615

        Reviewed by Keith Miller.

        As per the latest ES draft, Promise.{all,race} no longer use @@species.
        So, this patch drops FIXMEs.

        * builtins/PromiseConstructor.js:
        (all):
        (race):
        * tests/stress/ignore-promise-species.js: Added.
        (shouldBe):
        (DerivedPromise.prototype.get Symbol):
        (DerivedPromise):

2016-07-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r203037.
        https://bugs.webkit.org/show_bug.cgi?id=159614

        The JSC tests are breaking in elcapitan-debug-tests-jsc and
        elcapitan-release-tests-jsc (Requested by caiolima on
        #webkit).

        Reverted changeset:

        "ECMAScript 2016: %TypedArray%.prototype.includes
        implementation"
        https://bugs.webkit.org/show_bug.cgi?id=159385
        http://trac.webkit.org/changeset/203037

2016-07-10  Caio Lima  <ticaiolima@gmail.com>

        ECMAScript 2016: %TypedArray%.prototype.includes implementation
        https://bugs.webkit.org/show_bug.cgi?id=159385

        Reviewed by Benjamin Poulain.

        This patch implements the ECMAScript 2016:
        %TypedArray%.prototype.includes
        following spec 22.2.3.14
        https://tc39.github.io/ecma262/2016/#sec-%typedarray%.prototype.includes

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncIncludes):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewProtoFuncIncludes):
        (JSC::JSTypedArrayViewPrototype::finishCreation):

2016-07-09  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(201900): validation failure for GetByOffset/PutByOffset in VALIDATE((node), node->child1().node() == node->child2().node() || node->child1()->result() == NodeResultStorage)
        https://bugs.webkit.org/show_bug.cgi?id=159603

        Reviewed by Keith Miller.

        This removes an incorrect validation rule and replaces it with a FIXME about how to make this
        aspect of IR easier to validate soundly.

        It's not valid to assert that two children of a node are the same. It should always be valid
        to take:

        Foo(@x, @x)

        and turn it into:

        a: ValueRep(@x)
        b: ValueRep(@x)
        Foo(@a, @b)

        or even something like:

        y: Identity(@y)
        Foo(@x, @y)

        That's because it should be possible to rewire any data flow edge to something that produces an
        equivalent value.

        The validation rule that this patch removes meant that such rewirings were invalid on
        GetByOffset/PutByOffset. FixupPhase did such a rewiring sometimes.

        * dfg/DFGValidate.cpp:
        * tests/stress/get-by-offset-double.js: Added.

2016-07-09  Keith Miller  <keith_miller@apple.com>

        appendMemcpy might fail in concatAppendOne
        https://bugs.webkit.org/show_bug.cgi?id=159601
        <rdar://problem/27211300>

        Reviewed by Mark Lam.

        There are multiple reasons why we might fail appendMemcpy. One
        reason, which I suspect was the source of the crashes, is that one
        of the Array prototypes has an indexed property. This patch
        consolidates the two old cases by just creating an array then
        attempting to memcpy append. If that fails, we fall back to
        moveElements.

        * runtime/ArrayPrototype.cpp:
        (JSC::concatAppendOne):
        * tests/stress/concat-with-holesMustForwardToPrototype.js: Added.
        (arrayEq):

2016-07-09  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Fix the Template Raw Value of \ (escape) + LineTerminatorSequence
        https://bugs.webkit.org/show_bug.cgi?id=159595

        Reviewed by Yusuke Suzuki.

        The spec (https://tc39.github.io/ecma262/#sec-static-semantics-tv-and-trv)
        says:
        "The TRV of LineContinuation::\LineTerminatorSequence is the sequence
         consisting of the code unit value 0x005C followed by the code units
         of TRV of LineTerminatorSequence."

        We were not normalizing the LineTerminatorSequence in that case, but it should
        be, as it is the TRV of LineTerminatorSequence.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseTemplateLiteral):
        * tests/stress/tagged-templates-raw-strings.js:
481
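The TRV normalization the entry above describes, as an added example that is not part of this ChangeLog or of WebKit's code. It assumes a host whose Function() compiles source text (for example Node), and the names rawOf, normalizedTerminator and checkAll are the example's own.

```javascript
// Added example (not WebKit code). Build the *source text* of a tagged template
// that contains a real line terminator, compile it with Function(), and return
// the raw string (the TRV) the engine produced. `continuation` selects whether
// the terminator is preceded by a backslash, i.e. a LineContinuation.
function rawOf(terminator, continuation) {
  const src = "String.raw`a" + (continuation ? "\\" : "") + terminator + "b`";
  // Function() parses the string as source code, so the terminator is a true
  // LineTerminatorSequence in the template, not an escape sequence.
  return Function("return " + src)();
}

// ECMA-262 TRV rules: <CR><LF> and <CR> in a template are normalized to <LF>;
// <LF>, <LS> and <PS> are kept as-is. A LineContinuation keeps the backslash
// (0x005C) in front of the normalized terminator, which is the case fixed above.
function normalizedTerminator(terminator) {
  return (terminator === "\r\n" || terminator === "\r") ? "\n" : terminator;
}

// Check every LineTerminatorSequence, with and without a leading backslash.
// Returns a map from terminator name to a boolean saying whether the engine's
// raw value matches the spec's TRV.
function checkAll() {
  const terminators = { CR: "\r", LF: "\n", CRLF: "\r\n", LS: "\u2028", PS: "\u2029" };
  const results = {};
  for (const [name, t] of Object.entries(terminators)) {
    const expectPlain = "a" + normalizedTerminator(t) + "b";
    const expectContinuation = "a\\" + normalizedTerminator(t) + "b";
    results[name] = rawOf(t, false) === expectPlain &&
                    rawOf(t, true) === expectContinuation;
  }
  return results;
}
```

A conforming engine returns true for every entry; the pre-fix JavaScriptCore described in the entry would have failed the CR and CRLF cases with a leading backslash.
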
2016-07-08  Saam Barati  <sbarati@apple.com>

        We may add a ReadOnly property without setting the corresponding bit on Structure
        https://bugs.webkit.org/show_bug.cgi?id=159542
        <rdar://problem/27084591>

        Reviewed by Benjamin Poulain.

        The reason this usually is OK is due to happenstance. Often, instances that call putDirectWithoutTransition
        also happen to have a static property table. Having a static property table causes the
        HasReadOnlyOrGetterSetterPropertiesExcludingProto on the structure to be set. However,
        there are times where an object calls putDirectWithoutTransition, and it doesn't have a
        static property hash table. The fix is simple, putDirectWithTransition needs to set the
        HasReadOnlyOrGetterSetterPropertiesExcludingProto if it puts a ReadOnly property.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectWithoutTransition):
        * tests/stress/proper-property-store-with-prototype-property-that-is-not-writable.js: Added.
        (assert):

2016-07-08  Michael Saboff  <msaboff@apple.com>

        ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *)
        https://bugs.webkit.org/show_bug.cgi?id=159588

        Reviewed by Geoffrey Garen.

        We were jettisoning a CodeBlock during GC that won't survive and its owning script
        won't survive either.  We can't install any code on the owning script as that involves
        a write barrier that will "pull" the script back into the remembered set.  Badness would
        ensue.  Added an early return in CodeBlock::jettison() when we are garbage collecting
        and the owning script isn't marked.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2016-07-08  Mark Lam  <mark.lam@apple.com>

        Move CallFrame header info from JSStack.h to CallFrame.h
        https://bugs.webkit.org/show_bug.cgi?id=159549

        Reviewed by Geoffrey Garen.

        CallFrame.h is a much better location for CallFrame header info.

        Replaced CallFrame::init() with ExecState::initGlobalExec() because normal
        CallFrames are set up by a different mechanism now.  Only the globalExec is still
        using it.  So, might as well change it to be specifically for the globalExec.

        Removed the use of JSStack::containsAddress() in ExecState::initGlobalExec()
        because it is not relevant to the globalExec.

        Also removed some unused code: JSStack::gatherConservativeRoots() and
        JSStack::sanitizeStack() are never called for JIT builds.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::isValid):
        (JSC::VirtualRegister::isLocal):
        (JSC::VirtualRegister::isArgument):
        (JSC::VirtualRegister::isHeader):
        (JSC::VirtualRegister::isConstant):
        (JSC::VirtualRegister::toLocal):
        (JSC::VirtualRegister::toArgument):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::thisRegister):
        (JSC::CallArguments::argumentRegister):
        (JSC::CallArguments::stackOffset):
        (JSC::CallArguments::argumentCountIncludingThis):
        (JSC::CallArguments::argumentsNode):
        (JSC::BytecodeGenerator::registerFor):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::emitHomeObjectForCallee):
        (JSC::emitGetSuperFunctionForConstruct):
        (JSC::CallArguments::CallArguments):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::argumentsInvolveStackSlot):
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::getArgumentCount):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isLiveInBytecode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileSetupRegistersForEntry):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitGetLength):
        (JSC::DFG::SpeculativeJIT::emitGetCallee):
        (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetCallee):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
        (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
        (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
        (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
        (JSC::FTL::DFG::LowerDFGToB3::callPreflight):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLSlowPathCall.h:
        (JSC::FTL::callOperation):
        * interpreter/CallFrame.cpp:
        (JSC::ExecState::initGlobalExec):
        (JSC::CallFrame::callSiteBitsAreBytecodeOffset):
        (JSC::CallFrame::callSiteAsRawBits):
        (JSC::CallFrame::unsafeCallSiteAsRawBits):
        (JSC::CallFrame::callSiteIndex):
        (JSC::CallFrame::setCurrentVPC):
        (JSC::CallFrame::callSiteBitsAsBytecodeOffset):
        * interpreter/CallFrame.h:
        (JSC::CallSiteIndex::CallSiteIndex):
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::callee):
        (JSC::ExecState::unsafeCallee):
        (JSC::ExecState::codeBlock):
        (JSC::ExecState::unsafeCodeBlock):
        (JSC::ExecState::scope):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setScope):
        (JSC::ExecState::argumentCount):
        (JSC::ExecState::argumentCountIncludingThis):
        (JSC::ExecState::argumentOffset):
        (JSC::ExecState::argumentOffsetIncludingThis):
        (JSC::ExecState::offsetFor):
        (JSC::ExecState::noCaller):
        (JSC::ExecState::setArgumentCountIncludingThis):
        (JSC::ExecState::setCallee):
        (JSC::ExecState::setCodeBlock):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::argIndexForRegister):
        (JSC::ExecState::callerFrameAndPC):
        (JSC::ExecState::unsafeCallerFrameAndPC):
        (JSC::ExecState::init): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * interpreter/Interpreter.h:
        (JSC::calleeFrameForVarargs):
        * interpreter/JSStack.h:
        (JSC::JSStack::containsAddress):
        (JSC::JSStack::gatherConservativeRoots): Deleted.
        (JSC::JSStack::sanitizeStack): Deleted.
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
        (JSC::AssemblyHelpers::emitRandomThunk):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
        (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        (JSC::AssemblyHelpers::emitPutToCallFrameHeaderBeforePrologue):
        (JSC::AssemblyHelpers::emitPutPayloadToCallFrameHeaderBeforePrologue):
        (JSC::AssemblyHelpers::emitPutTagToCallFrameHeaderBeforePrologue):
        (JSC::AssemblyHelpers::calleeFrameSlot):
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::logShadowChickenProloguePacket):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::CallFrameShuffler):
        (JSC::CallFrameShuffler::dump):
        (JSC::CallFrameShuffler::extendFrameIfNeeded):
        (JSC::CallFrameShuffler::prepareForSlowPath):
        (JSC::CallFrameShuffler::prepareForTailCall):
        (JSC::CallFrameShuffler::prepareAny):
        * jit/CallFrameShuffler.h:
        (JSC::CallFrameShuffler::snapshot):
        (JSC::CallFrameShuffler::setCalleeJSValueRegs):
        (JSC::CallFrameShuffler::assumeCalleeIsCell):
        (JSC::CallFrameShuffler::numLocals):
        (JSC::CallFrameShuffler::getOld):
        (JSC::CallFrameShuffler::setOld):
        (JSC::CallFrameShuffler::firstOld):
        (JSC::CallFrameShuffler::lastOld):
        (JSC::CallFrameShuffler::isValidOld):
        (JSC::CallFrameShuffler::argCount):
        (JSC::CallFrameShuffler::getNew):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::getConstantOperand):
        (JSC::JIT::emitPutIntToCallFrameHeader):
        (JSC::JIT::updateTopCallFrame):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_scope):
        (JSC::JIT::emit_op_argument_count):
        (JSC::JIT::emit_op_get_rest_length):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_get_scope):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfNotType):
        (JSC::JSInterfaceJIT::emitGetFromCallFrameHeaderPtr):
        (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
        (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetVarargsFrame):
        (JSC::emitSetupVarargsFrameFastCase):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        (JSC::arityFixupGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * llint/LLIntData.cpp:
750         (JSC::LLInt::Data::performAssertions):
751         * llint/LLIntSlowPaths.cpp:
752         (JSC::LLInt::genericCall):
753         (JSC::LLInt::varargsSetup):
754         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
755         * runtime/CommonSlowPaths.h:
756         (JSC::CommonSlowPaths::arityCheckFor):
757         * runtime/JSGlobalObject.cpp:
758         (JSC::JSGlobalObject::init):
759         * runtime/JSGlobalObject.h:
760         * runtime/StackAlignment.h:
761         (JSC::roundArgumentCountToAlignFrame):
762         (JSC::roundLocalRegisterCountForFramePointerOffset):
763         (JSC::logStackAlignmentRegisters):
764         * wasm/WASMFunctionCompiler.h:
765         (JSC::WASMFunctionCompiler::startFunction):
766         (JSC::WASMFunctionCompiler::endFunction):
767         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer):
768         (JSC::WASMFunctionCompiler::callAndUnboxResult):
769         * wasm/WASMFunctionSyntaxChecker.h:
770         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall):
771
772 2016-07-08  Chris Dumez  <cdumez@apple.com>
773
774         Object.defineProperty() should maintain existing getter / setter if not overridden in the new descriptor
775         https://bugs.webkit.org/show_bug.cgi?id=159576
776         <rdar://problem/27242197>
777
778         Reviewed by Mark Lam.
779
780         Object.defineProperty() should maintain existing getter / setter if not
781         overridden in the new descriptor. Previously, if the property had
782         a custom getter / setter, and if the new descriptor only had a setter
783         (or only a getter), JSC would clear the existing getter (or setter).
784         This behavior did not match the EcmaScript specification or Firefox /
785         Chrome. This patch fixes the issue.
786
787         This fixes searching and search suggestions on www.iciba.com.
788
789         * runtime/JSObject.cpp:
790         (JSC::validateAndApplyPropertyDescriptor):
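
The spec rule behind this entry, as an added example written for this page rather than code from WebKit: ES2015 ValidateAndApplyPropertyDescriptor only overwrites the attributes that are present in the new descriptor, so a descriptor carrying just a setter keeps the existing getter, and dropping a getter requires listing it explicitly as undefined. All object and function names below are constructed for the illustration.

```javascript
'use strict';
// Added example (not WebKit's code): accessor attributes that are absent from a
// defineProperty() descriptor are left untouched; only present fields are applied.

function makeAccessorObject() {
  const o = { _x: 0 };
  Object.defineProperty(o, 'x', {
    get() { return this._x; },
    set(v) { this._x = v; },
    configurable: true,   // redefinition below requires a configurable property
    enumerable: true,
  });
  return o;
}

// Redefine 'x' with a descriptor that carries only a setter. Per spec the
// existing getter survives; the bug described in the entry cleared it.
function redefineSetterOnly(o) {
  Object.defineProperty(o, 'x', { set(v) { this._x = v * 2; } });
  return Object.getOwnPropertyDescriptor(o, 'x');
}

// To actually remove the getter, the field must be present with value undefined.
function redefineWithoutGetter(o) {
  Object.defineProperty(o, 'x', { get: undefined });
  return Object.getOwnPropertyDescriptor(o, 'x');
}

function demo() {
  const o = makeAccessorObject();
  o.x = 1;
  const afterSetterOnly = redefineSetterOnly(o);
  o.x = 5;                      // new setter runs and stores 10
  const readBack = o.x;         // original getter still installed: 10
  const afterGetterCleared = redefineWithoutGetter(o);
  return {
    getterKept: typeof afterSetterOnly.get === 'function',
    readBack,
    getterCleared: afterGetterCleared.get === undefined,
    readAfterClear: o.x,        // no getter any more: undefined
  };
}
```

The practical consequence is that code which wants to replace an accessor wholesale must spell out both `get` and `set`; relying on an engine to clear the half you did not mention was never spec behaviour.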
791
792 2016-07-08  Michael Saboff  <msaboff@apple.com>
793
794         Dumping the object graph doesn't work with verbose GC logging
795         https://bugs.webkit.org/show_bug.cgi?id=159569
796
797         Reviewed by Mark Lam.
798
799         The current object graph logging code tries to revisit the graph.  This doesn't work
800         correctly and, asking around, it isn't used.  The only way to dump the true object graph
801         is to log while we GC and that has obvious performance implications.
802         Therefore I eliminated GCLogging::dumpObjectGraph() and related code.
803
804         * heap/GCLogging.cpp:
805         (JSC::GCLogging::levelAsString):
806         (JSC::LoggingFunctor::LoggingFunctor): Deleted.
807         (JSC::LoggingFunctor::~LoggingFunctor): Deleted.
808         (JSC::LoggingFunctor::operator()): Deleted.
809         (JSC::LoggingFunctor::log): Deleted.
810         (JSC::LoggingFunctor::reviveCells): Deleted.
811         (JSC::LoggingFunctor::returnValue): Deleted.
812         (JSC::GCLogging::dumpObjectGraph): Deleted.
813         * heap/Heap.cpp:
814         (JSC::Heap::didFinishCollection):
815
816 2016-07-08  Keith Miller  <keith_miller@apple.com>
817
818         speculateTypedArrayIsNotNeutered has an inverted speculation
819         https://bugs.webkit.org/show_bug.cgi?id=159571
820
821         Reviewed by Mark Lam.
822
823         For some confusing reason FTLLowerDFGToB3 takes the condition the
824         speculation wants to be false. This issue caused
825         typedarray-access-monomorphic-neutered.js to fail on the bots.
826
827         * ftl/FTLLowerDFGToB3.cpp:
828         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
829
830 2016-07-08  Mark Lam  <mark.lam@apple.com>
831
832         Rename jsCPUStackLimit to osStackLimitWithReserve and jsEmulatedStackLimit to cloopStackLimit.
833         https://bugs.webkit.org/show_bug.cgi?id=159544
834
835         Reviewed by Geoffrey Garen.
836
837         This patch does the following refactoring:
838         1. Rename jsCPUStackLimit to osStackLimitWithReserve.
839         2. Rename jsEmulatedStackLimit to cloopStackLimit.
840         3. Remove llintStackLimit (which previously was either an alias for
841            jsCPUStackLimit or jsEmulatedStackLimit depending on whether we have a JIT or
842            C Loop build).  Instead, we'll change the LLINT to conditionally use the
843            osStackLimitWithReserve or cloopStackLimit.
844
845         There are no semantic changes.
846
847         * dfg/DFGJITCompiler.cpp:
848         (JSC::DFG::JITCompiler::compile):
849         (JSC::DFG::JITCompiler::compileFunction):
850         * ftl/FTLLowerDFGToB3.cpp:
851         (JSC::FTL::DFG::LowerDFGToB3::lower):
852         * interpreter/JSStack.cpp:
853         (JSC::JSStack::JSStack):
854         (JSC::JSStack::growSlowCase):
855         (JSC::JSStack::lowAddress):
856         (JSC::JSStack::highAddress):
857         * interpreter/JSStack.h:
858         * interpreter/JSStackInlines.h:
859         (JSC::JSStack::ensureCapacityFor):
860         (JSC::JSStack::shrink):
861         (JSC::JSStack::grow):
862         (JSC::JSStack::setCLoopStackLimit):
863         (JSC::JSStack::setJSEmulatedStackLimit): Deleted.
864         * jit/JIT.cpp:
865         (JSC::JIT::compileWithoutLinking):
866         * jit/SetupVarargsFrame.cpp:
867         (JSC::emitSetupVarargsFrameFastCase):
868         * llint/LLIntSlowPaths.cpp:
869         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
870         * llint/LowLevelInterpreter.asm:
871         * llint/LowLevelInterpreter32_64.asm:
872         * llint/LowLevelInterpreter64.asm:
873         * runtime/RegExp.cpp:
874         (JSC::RegExp::finishCreation):
875         (JSC::RegExp::compile):
876         (JSC::RegExp::compileMatchOnly):
877         * runtime/VM.cpp:
878         (JSC::VM::updateStackLimit):
879         * runtime/VM.h:
880         (JSC::VM::reservedZoneSize):
881         (JSC::VM::osStackLimitWithReserve):
882         (JSC::VM::addressOfOSStackLimitWithReserve):
883         (JSC::VM::cloopStackLimit):
884         (JSC::VM::setCLoopStackLimit):
885         (JSC::VM::isSafeToRecurse):
886         (JSC::VM::jsCPUStackLimit): Deleted.
887         (JSC::VM::addressOfJSCPUStackLimit): Deleted.
888         (JSC::VM::jsEmulatedStackLimit): Deleted.
889         (JSC::VM::setJSEmulatedStackLimit): Deleted.
890         * wasm/WASMFunctionCompiler.h:
891         (JSC::WASMFunctionCompiler::startFunction):
892
893 2016-07-08  Commit Queue  <commit-queue@webkit.org>
894
895         Unreviewed, rolling out r202799.
896         https://bugs.webkit.org/show_bug.cgi?id=159568
897
898         Caused build failure (Requested by perarne on #webkit).
899
900         Reverted changeset:
901
902         "[Win] DLLs are missing version information."
903         https://bugs.webkit.org/show_bug.cgi?id=159349
904         http://trac.webkit.org/changeset/202799
905
906 2016-07-08  Youenn Fablet  <youenn@apple.com>
907
908         Built-in generator should generate files with a default copyright
909         https://bugs.webkit.org/show_bug.cgi?id=159561
910
911         Reviewed by Alex Christensen.
912
913         * Scripts/builtins/builtins_model.py:
914         (BuiltinsCollection._parse_copyright_lines): Adding default copyright to the parsed copyrights.
915         * Scripts/builtins/builtins_templates.py:
916         (BuiltinsGeneratorTemplates): Adding a default copyright.
917         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result: Rebasing with added default copyright.
918         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result: Ditto.
919         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result: Ditto.
920         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result: Ditto.
921         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result: Ditto.
922         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result: Ditto.
923         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result: Ditto.
924         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Ditto.
925         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
926         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Ditto.
927         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
928         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Ditto.
929
930
931 2016-07-08  Keith Miller  <keith_miller@apple.com>
932
933         TypedArrays need more isNeutered checks.
934         https://bugs.webkit.org/show_bug.cgi?id=159231
935
936         Reviewed by Filip Pizlo.
937
938         According to the ES6 spec if a user tries to get, set, or define a
939         property on a neutered TypedArray we should throw an
940         exception. Currently, if a user tries to get an out of bounds
941         access on a TypedArray we will always OSR.  This makes handling
942         the exception easy as all we need to do is make out of bounds gets
943         in PolymorphicAccess go to the slow path, which will then throw
944         the appropriate exception. For the case of set, we need to ensure we
945         don't OSR on each out of bounds put since, for some confusing
946         reason, people do this.  Thus, for GetByVal in the DFG/FTL if the
947         user accesses out of bounds we then need to check if the view has
948         been neutered. If it is neutered then we will OSR.
949
950         Additionally, this patch adds a bunch of isNeutered checks to
951         various prototype functions for TypedArray, which are needed for
952         correctness.
953
954         * dfg/DFGSpeculativeJIT.cpp:
955         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
956         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
957         (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
958         * dfg/DFGSpeculativeJIT.h:
959         * ftl/FTLLowerDFGToB3.cpp:
960         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
961         (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
962         * jit/JITPropertyAccess.cpp:
963         (JSC::JIT::emitIntTypedArrayPutByVal):
964         (JSC::JIT::emitFloatTypedArrayPutByVal):
965         * runtime/JSArrayBufferView.h:
966         * runtime/JSCJSValue.h:
967         (JSC::encodedJSUndefined):
968         (JSC::encodedJSValue):
969         * runtime/JSGenericTypedArrayView.h:
970         * runtime/JSGenericTypedArrayViewInlines.h:
971         (JSC::JSGenericTypedArrayView<Adaptor>::throwNeuteredTypedArrayTypeError):
972         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
973         (JSC::JSGenericTypedArrayView<Adaptor>::put):
974         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
975         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
976         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
977         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
978         (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
979         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
980         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
981         (JSC::genericTypedArrayViewProtoFuncFill):
982         (JSC::genericTypedArrayViewProtoFuncIndexOf):
983         (JSC::genericTypedArrayViewProtoFuncJoin):
984         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
985         (JSC::genericTypedArrayViewProtoFuncSlice):
986         (JSC::genericTypedArrayViewProtoFuncSubarray):
987         * tests/stress/fold-typed-array-properties.js:
988         * tests/stress/typedarray-access-monomorphic-neutered.js: Added.
989         (check):
990         (test):
991         (testFTL):
992         * tests/stress/typedarray-access-neutered.js: Added.
993         (check):
994         (test):
995         * tests/stress/typedarray-functions-with-neutered.js:
996         (defaultForArg):
997         (callWithArgs):
998         (checkArgumentsForType):
999         (checkArguments):
1000         * tests/stress/typedarray-view-string-properties-neutered.js: Added.
1001         (call):
1002         (test):
1003
1004 2016-07-08  Youenn Fablet  <youenn@apple.com>
1005
1006         Generate WebCore builtin wrapper files
1007         https://bugs.webkit.org/show_bug.cgi?id=159461
1008
1009         Reviewed by Brian Burg.
1010
1011         Updating builtin generator to generate wrapper files used in WebCore (See WebCore change log).
1012         Rebasing builtins generator test results according to generator changes by activating wrapper file generation for
1013         WebCore builtins tests.
1014
1015         * CMakeLists.txt:
1016         * DerivedSources.make:
1017         * JavaScriptCore.xcodeproj/project.pbxproj:
1018         * Scripts/builtins/builtins.py: Adding new generators.
1019         * Scripts/builtins/builtins_generate_internals_wrapper_header.py: Added to generate WebCoreJSBuiltinInternals.h.
1020         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py: Added to generate WebCoreJSBuiltinInternals.cpp.
1021         * Scripts/builtins/builtins_generate_wrapper_header.py: Added to generate WebCoreJSBuiltins.h.
1022         * Scripts/builtins/builtins_generate_wrapper_implementation.py: Added to generate WebCoreJSBuiltins.cpp.
1023         * Scripts/generate-js-builtins.py: Adding new option to activate generation of the wrapper files.
1024         (generate_bindings_for_builtins_files):
1025         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1026         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1027         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1028         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1029         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1030
1031 2016-07-07  Joseph Pecoraro  <pecoraro@apple.com>
1032
1033         padStart/padEnd with Infinity produces unexpected result
1034         https://bugs.webkit.org/show_bug.cgi?id=159543
1035
1036         Reviewed by Benjamin Poulain.
1037
1038         * builtins/GlobalOperations.js:
1039         (globalPrivate.toLength):
1040         Fix style.
1041
1042         * builtins/StringPrototype.js:
1043         (padStart):
1044         (padEnd):
1045         After all observable operations, and after empty string has been handled,
1046         throw an out of memory error if the resulting string would be greater
1047         than the maximum string size.
1048
1049         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
1050         (shouldThrow): Deleted.
1051         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js:
1052         (shouldThrow):
1053         (testMeta):
1054         * tests/es6/String.prototype_methods_String.prototype.padEnd.js:
1055         (shouldThrow):
1056         (TestToLength):
1057         (TestMemoryLimits):
1058         (TestMeta): Deleted.
1059         * tests/es6/String.prototype_methods_String.prototype.padStart.js:
1060         (shouldThrow):
1061         (TestToLength):
1062         (TestMemoryLimits):
1063         Replace incorrect shouldThrow(..., errorType) with explicit shouldThrow(..., errorMessage).
1064         The old shouldThrow would incorrectly succeed if the expected error type was just "Error".
1065         Now we explicitly check the error message.
1066
1067 2016-07-07  Benjamin Poulain  <benjamin@webkit.org>
1068
1069         [JSC] String.prototype[Symbol.iterator] needs a name
1070         https://bugs.webkit.org/show_bug.cgi?id=159541
1071
1072         Reviewed by Yusuke Suzuki.
1073
1074         A man needs a name.
1075         Spec: https://tc39.github.io/ecma262/#sec-string.prototype-@@iterator
1076
1077         * runtime/StringPrototype.cpp:
1078         (JSC::StringPrototype::finishCreation):
1079
1080 2016-07-07  Michael Saboff  <msaboff@apple.com>
1081
1082         REGRESSION(184445): Need to insert a StoreBarrier when we don't know child's epoch
1083         https://bugs.webkit.org/show_bug.cgi?id=159537
1084
1085         Reviewed by Benjamin Poulain.
1086
1087         We weren't checking the case of a child node with a null epoch.  The problem surfaces
1088         when the base node of a PutByVal variant has a non-null epoch, because it represents an
1089         allocation in the current function, while the child of the same node has an unknown epoch.
1090         Added a check that the child node is not null before comparing the epochs of the base and
1091         child nodes.
1092
1093         The added test creates the problem circumstance by doing a full GC to place an array in
1094         remembered space, allocating a new object followed by an eden GC.  The new object is
1095         only referenced by the array and therefore won't be visited without the store barrier.
1096         The test may crash or more likely get the wrong answer with the bug.
1097
1098         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1099         * tests/stress/regress-159537.js: Added test.
1100         (MyNumber):
1101         (MyNumber.prototype.plusOne):
1102         (bar):
1103         (foo):
1104         (test):
1105
1106 2016-07-07  Joseph Pecoraro  <pecoraro@apple.com>
1107
1108         Unexpected "Out of memory" error for "x".repeat(-1)
1109         https://bugs.webkit.org/show_bug.cgi?id=159529
1110
1111         Reviewed by Benjamin Poulain.
1112
1113         * builtins/StringPrototype.js:
1114         (globalPrivate.repeatSlowPath):
1115         (repeat):
1116         Move the @toInteger and range checking to the always path,
1117         since the spec does say it should always happen. Also remove
1118         the duplication of the fast path here.
1119
1120         * runtime/StringPrototype.cpp:
1121         (JSC::repeatCharacter):
1122         Remove unused function.
1123
1124         (JSC::stringProtoFuncRepeatCharacter):
1125         ASSERT if given a negative number. This is a private function
1126         only used internally.
1127
1128         * tests/stress/string-repeat-edge-cases.js:
1129         (shouldThrow):
1130         Update expected error message.
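
The two string-builtin entries above (padStart/padEnd with Infinity, and "x".repeat(-1)) both come down to validating a length argument in the spec's order before anything is allocated. The following is an added example written for this page, not WebKit's builtins code: it writes out ES2017 StringPad and String.prototype.repeat with a constructed, deliberately small MAX_STRING_LENGTH so the "out of memory" path can be exercised, and then checks the host engine's own padStart/repeat against the same cases. toInteger, toLength, stringPad, repeatPerSpec and thrownBy are names chosen here.

```javascript
'use strict';
// Added example (not WebKit's code). MAX_STRING_LENGTH is a constructed limit;
// real engines use a far larger one, but the ordering of the checks is the same.
const MAX_STRING_LENGTH = 64;

// ES2015 ToInteger: NaN -> 0, +-Infinity preserved, otherwise truncate toward zero.
function toInteger(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (n === 0 || !Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// ToLength: clamp to [0, 2^53 - 1].
function toLength(v) {
  const n = toInteger(v);
  if (n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// StringPad(O, maxLength, fillString, placement). The size check sits after every
// observable operation and after the empty-filler case, as the padStart/padEnd
// entry describes, so an infinite maxLength with "" still returns the receiver.
function stringPad(s, maxLength, fillString, atStart) {
  s = String(s);
  const intMaxLength = toLength(maxLength);
  if (intMaxLength <= s.length) return s;
  const filler = fillString === undefined ? ' ' : String(fillString); // observable ToString
  if (filler === '') return s;                                        // before the size check
  if (intMaxLength > MAX_STRING_LENGTH) {
    throw new RangeError('Out of memory');  // result would exceed the maximum string size
  }
  const fillLen = intMaxLength - s.length;
  const pad = filler.repeat(Math.ceil(fillLen / filler.length)).slice(0, fillLen);
  return atStart ? pad + s : s + pad;
}

// String.prototype.repeat: ToInteger and the range check always run, so a
// negative or infinite count is a RangeError, never an allocation failure.
function repeatPerSpec(s, count) {
  s = String(s);
  const n = toInteger(count);
  if (n < 0 || n === Infinity) {
    throw new RangeError('repeat count must be non-negative and finite');
  }
  if (n * s.length > MAX_STRING_LENGTH) throw new RangeError('Out of memory');
  let out = '';
  for (let i = 0; i < n; i++) out += s;
  return out;
}

// Report "<ErrorName>: <message>" for whatever fn throws, or null if it returns.
function thrownBy(fn) {
  try { fn(); return null; } catch (e) { return `${e.name}: ${e.message}`; }
}
```

Keeping the range check on the always-taken path is what makes the error deterministic: a caller sees the same RangeError regardless of which fast path the engine picks, and an attacker-influenced count cannot reach the allocator before it is validated.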
1131
1132 2016-07-07  Benjamin Poulain  <benjamin@webkit.org>
1133
1134         [JSC] Array.prototype[Symbol.unscopables] should have the "includes" property
1135         https://bugs.webkit.org/show_bug.cgi?id=159504
1136
1137         Reviewed by Keith Miller.
1138
1139         The property "includes" was missing.
1140         Spec: https://tc39.github.io/ecma262/#sec-array.prototype-@@unscopables
1141
1142         * runtime/ArrayPrototype.cpp:
1143         (JSC::ArrayPrototype::finishCreation):
1144         * tests/stress/unscopables.js:
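
What the @@unscopables list actually does, as an added example written for this page (not WebKit's test or runtime code): inside a `with (array)` block, an identifier whose name appears in Array.prototype[Symbol.unscopables] is not resolved against the array, so adding a new prototype method such as includes() cannot silently shadow a same-named variable in legacy sloppy-mode code. Because `with` is a syntax error in strict code, the probe is built with the Function constructor; probe, lookupInWith and unscopableNames are names chosen here.

```javascript
'use strict';
// Added example (not WebKit's code): observe @@unscopables through a sloppy-mode
// `with` block. Function-constructor bodies are sloppy unless they opt in, so
// `with` is legal there even though this module is strict.

const IDENT = /^[A-Za-z_$][\w$]*$/;

// Build: function (arr, outer) { var <name> = outer; with (arr) { return <name>; } }
// The name is validated first so only an identifier is ever spliced into source.
function probe(name) {
  if (!IDENT.test(name)) throw new TypeError(`not an identifier: ${name}`);
  return new Function('arr', 'outer',
    `var ${name} = outer; with (arr) { return ${name}; }`);
}

// Resolve `name` inside `with (arr)`. If the array's property wins, its value is
// returned; if @@unscopables hides it, the outer binding 'outer-binding' wins.
function lookupInWith(name, arr) {
  return probe(name)(arr, 'outer-binding');
}

// The names Array.prototype currently hides from `with` scopes.
function unscopableNames() {
  return Object.keys(Array.prototype[Symbol.unscopables]).sort();
}
```

The defender-side reading is that @@unscopables is a compatibility fence, not a capability check: it only affects identifier resolution inside `with`, and every method on it remains callable through ordinary property access.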
1145
1146 2016-07-07  Saam Barati  <sbarati@apple.com>
1147
1148         ToThis constant folding in DFG is incorrect when the structure indicates that toThis is overridden
1149         https://bugs.webkit.org/show_bug.cgi?id=159501
1150         <rdar://problem/27109354>
1151
1152         Reviewed by Mark Lam.
1153
1154         We *cannot* constant fold ToThis when the structure of an object
1155         indicates that toThis() is overridden. isToThisAnIdentity() inside
1156         AbstractInterpreterInlines accidentally wrote the opposite rule.
1157         The rule was written as we can constant fold ToThis only when
1158         toThis() is overridden. To fix the bug, we must write the rule
1159         as isToThisAnIdentity() can only be true as long as the structure
1160         set indicates that no structures override toThis().
1161
1162         We could probably get more clever in the future and notice
1163         when we're dealing with a constant |this| value. For example,
1164         a ToThis might occur on a constant JSLexicalEnvironment. We could
1165         implement the rules of JSLexicalEnvironment's toThis() implementation
1166         inside AI/constant folding.
1167
1168         * dfg/DFGAbstractInterpreterInlines.h:
1169         (JSC::DFG::isToThisAnIdentity):
1170         * tests/stress/to-this-on-constant-lexical-environment.js: Added.
1171         (foo.bar):
1172         (foo.inner):
1173         (foo):
1174
1175 2016-07-07  Benjamin Poulain  <benjamin@webkit.org>
1176
1177         [JSC] Array.prototype.includes uses ToInt32 instead of ToInteger on the index argument
1178         https://bugs.webkit.org/show_bug.cgi?id=159505
1179
1180         Reviewed by Mark Lam.
1181
1182         The code was using (value)|0 which is effectively a ToInt32.
1183         This fails on large integers and +-Infinity.
1184
1185         Spec: https://tc39.github.io/ecma262/#sec-array.prototype.includes
1186
1187         * builtins/ArrayPrototype.js:
1188         (includes):
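
Why ToInt32 is the wrong conversion for the index argument, as an added example written for this page rather than WebKit's builtins source: `value | 0` wraps modulo 2^32 and maps +-Infinity to 0, so a huge or infinite fromIndex silently restarts the search at element 0. Both variants below share one spec-shaped includes() body and differ only in how fromIndex is normalized; toInteger, toLength, sameValueZero, includesWith, includesToInt32 and includesPerSpec are names chosen here.

```javascript
'use strict';
// Added example (not WebKit's code): Array.prototype.includes with the
// pre-fix ToInt32 conversion beside the spec's ToInteger conversion.

// ES2015 ToInteger: NaN -> 0, +-Infinity preserved, otherwise truncate toward zero.
function toInteger(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (n === 0 || !Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// ToLength: clamp to [0, 2^53 - 1].
function toLength(v) {
  const n = toInteger(v);
  if (n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// SameValueZero: strict equality except that NaN matches NaN.
function sameValueZero(a, b) {
  return a === b || (Number.isNaN(a) && Number.isNaN(b));
}

// Steps of Array.prototype.includes; `normalize` is the fromIndex conversion.
function includesWith(normalize, arr, search, fromIndex) {
  const len = toLength(arr.length);
  if (len === 0) return false;
  const n = normalize(fromIndex);
  let k = n >= 0 ? n : len + n;   // negative fromIndex counts from the end
  if (k < 0) k = 0;
  for (; k < len; k++) {          // never runs when k is >= len or Infinity
    if (sameValueZero(search, arr[k])) return true;
  }
  return false;
}

// Pre-fix behaviour: ToInt32 via `| 0` (wraps, and turns Infinity into 0).
function includesToInt32(arr, search, fromIndex) {
  return includesWith((v) => v | 0, arr, search, fromIndex);
}

// Spec behaviour: ToInteger keeps large values and Infinity as they are.
function includesPerSpec(arr, search, fromIndex) {
  return includesWith(toInteger, arr, search, fromIndex);
}
```

The wrap is the part worth remembering: any conversion that truncates to 32 bits turns an index like 2^32 into 0, so a "start past the end" request becomes "start at the beginning".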
1189
1190 2016-07-07  Benjamin Poulain  <benjamin@webkit.org>
1191
1192         [JSC] String.prototype.normalize should have a length of zero
1193         https://bugs.webkit.org/show_bug.cgi?id=159506
1194
1195         Reviewed by Yusuke Suzuki.
1196
1197         Spec: https://tc39.github.io/ecma262/#sec-string.prototype.normalize
1198         The argument is optional, so the length should be zero.
1199
1200         * runtime/StringPrototype.cpp:
1201         (JSC::StringPrototype::finishCreation):
1202
1203 2016-07-07  Csaba Osztrogonác  <ossy@webkit.org>
1204
1205         [ARMv7] REGRESSION(r197655): ASSERTION FAILED: (cond == Zero) || (cond == NonZero)
1206         https://bugs.webkit.org/show_bug.cgi?id=159419
1207
1208         Reviewed by Benjamin Poulain.
1209
1210         Allow Signed and PositiveOrZero conditions too because the tst instruction updates N and Z flags.
1211
1212         * assembler/MacroAssemblerARM.h:
1213         (JSC::MacroAssemblerARM::branchTest32):
1214         * assembler/MacroAssemblerARMv7.h:
1215         (JSC::MacroAssemblerARMv7::branchTest32): Add assertions to avoid possible bugs in the future.
1216
1217 2016-07-06  Youenn Fablet  <youenn@apple.com>
1218
1219         Builtin generator should use pragma once for header files
1220         https://bugs.webkit.org/show_bug.cgi?id=159462
1221
1222         Reviewed by Alex Christensen.
1223
1224         * Scripts/builtins/builtins_generate_combined_header.py:
1225         (BuiltinsCombinedHeaderGenerator.generate_output): 
1226         * Scripts/builtins/builtins_generate_separate_header.py:
1227         (BuiltinsSeparateHeaderGenerator.generate_output):
1228         * Scripts/builtins/builtins_templates.py:
1229         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1230         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1231         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1232         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1233         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1234         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1235         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1236         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1237         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1238         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1239         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1240         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1241
1242 2016-07-06  Benjamin Poulain  <bpoulain@apple.com>
1243
1244         [JSC] Unify how we throw TypeError from C++
1245         https://bugs.webkit.org/show_bug.cgi?id=159500
1246
1247         Reviewed by Saam Barati.
1248
1249         Throwing a TypeError is an uncommon case. We should minimize the impact
1250         on the call sites.
1251
1252         This patch does that by:
1253         -Replace the 2 calls createTypeError()->throwException() by throwTypeError().
1254         -Use ASCIILiteral when possible.
1255         -Add an overload of throwTypeError() taking ASCIILiteral directly
1256          (that way, the String creation and destruction is done by the callee).
1257
1258         On x86_64, this reduces the __TEXT__ segment by 29kb.
1259
1260         * inspector/JSInjectedScriptHost.cpp:
1261         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1262         * inspector/JSJavaScriptCallFrame.cpp:
1263         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1264         * interpreter/Interpreter.cpp:
1265         (JSC::Interpreter::execute):
1266         * jit/JITOperations.cpp:
1267         * runtime/DatePrototype.cpp:
1268         (JSC::dateProtoFuncToJSON):
1269         * runtime/Error.cpp:
1270         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
1271         (JSC::throwTypeError):
1272         * runtime/Error.h:
1273         (JSC::throwVMTypeError):
1274         * runtime/JSArrayBufferPrototype.cpp:
1275         (JSC::arrayBufferProtoFuncSlice):
1276         * runtime/JSCJSValue.cpp:
1277         (JSC::JSValue::putToPrimitive):
1278         (JSC::JSValue::toStringSlowCase):
1279         * runtime/JSCJSValueInlines.h:
1280         (JSC::toPreferredPrimitiveType):
1281         * runtime/JSDataViewPrototype.cpp:
1282         (JSC::getData):
1283         (JSC::setData):
1284         * runtime/JSFunction.cpp:
1285         (JSC::JSFunction::defineOwnProperty):
1286         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1287         (JSC::constructGenericTypedArrayViewFromIterator):
1288         (JSC::constructGenericTypedArrayViewWithArguments):
1289         (JSC::constructGenericTypedArrayView):
1290         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1291         (JSC::speciesConstruct):
1292         (JSC::genericTypedArrayViewProtoFuncSet):
1293         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1294         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1295         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1296         (JSC::genericTypedArrayViewProtoFuncSubarray):
1297         * runtime/JSGlobalObjectFunctions.cpp:
1298         (JSC::globalFuncProtoGetter):
1299         (JSC::globalFuncProtoSetter):
1300         * runtime/JSONObject.cpp:
1301         (JSC::Stringifier::appendStringifiedValue):
1302         * runtime/JSObject.cpp:
1303         (JSC::JSObject::setPrototypeWithCycleCheck):
1304         (JSC::callToPrimitiveFunction):
1305         (JSC::JSObject::ordinaryToPrimitive):
1306         (JSC::JSObject::defaultHasInstance):
1307         (JSC::validateAndApplyPropertyDescriptor):
1308         * runtime/JSTypedArrayViewConstructor.cpp:
1309         (JSC::constructTypedArrayView):
1310         * runtime/JSTypedArrayViewPrototype.cpp:
1311         (JSC::typedArrayViewPrivateFuncLength):
1312         (JSC::typedArrayViewProtoFuncSet):
1313         (JSC::typedArrayViewProtoFuncCopyWithin):
1314         (JSC::typedArrayViewProtoFuncFill):
1315         (JSC::typedArrayViewProtoFuncLastIndexOf):
1316         (JSC::typedArrayViewProtoFuncIndexOf):
1317         (JSC::typedArrayViewProtoFuncJoin):
1318         (JSC::typedArrayViewProtoGetterFuncBuffer):
1319         (JSC::typedArrayViewProtoGetterFuncLength):
1320         (JSC::typedArrayViewProtoGetterFuncByteLength):
1321         (JSC::typedArrayViewProtoGetterFuncByteOffset):
1322         (JSC::typedArrayViewProtoFuncReverse):
1323         (JSC::typedArrayViewProtoFuncSubarray):
1324         (JSC::typedArrayViewProtoFuncSlice):
1325         * runtime/ObjectConstructor.cpp:
1326         (JSC::toPropertyDescriptor):
1327         (JSC::objectConstructorDefineProperty):
1328         (JSC::objectConstructorDefineProperties):
1329         (JSC::objectConstructorCreate):
1330         * runtime/ObjectPrototype.cpp:
1331         (JSC::objectProtoFuncDefineGetter):
1332         (JSC::objectProtoFuncDefineSetter):
1333         * runtime/RegExpPrototype.cpp:
1334         (JSC::regExpProtoFuncCompile):
1335         * runtime/Symbol.cpp:
1336         (JSC::Symbol::toNumber):
1337
1338 2016-07-06  Saam Barati  <sbarati@apple.com>
1339
1340         InlineAccess::sizeForLengthAccess() is wrong on some platforms because it should also consider "length" not being array length
1341         https://bugs.webkit.org/show_bug.cgi?id=159429
1342
1343         Reviewed by Filip Pizlo.
1344
1345         The calculation inside sizeForLengthAccess() was not taking into
1346         account that an access to a "length" property might not be an
1347         array length access. sizeForLengthAccess() should always have enough
1348         room for a regular self property access. This only changes how
1349         much of a nop sled we emit if array length access size is smaller
1350         than self access size. This matters on ARM64.
1351
1352         * bytecode/InlineAccess.h:
1353         (JSC::InlineAccess::sizeForPropertyAccess):
1354         (JSC::InlineAccess::sizeForPropertyReplace):
1355         (JSC::InlineAccess::sizeForLengthAccess):
1356
1357 2016-07-06  Commit Queue  <commit-queue@webkit.org>
1358
1359         Unreviewed, rolling out r198928 and r198985.
1360         https://bugs.webkit.org/show_bug.cgi?id=159478
1361
1362         "It's breaking some websites" (Requested by saamyjoon on
1363         #webkit).
1364
1365         Reverted changesets:
1366
1367         "[ES6] Disallow var assignments in for-in loops"
1368         https://bugs.webkit.org/show_bug.cgi?id=155451
1369         http://trac.webkit.org/changeset/198928
1370
1371         "Unreviewed, turn ES6 for-in loop test success"
1372         https://bugs.webkit.org/show_bug.cgi?id=155451
1373         http://trac.webkit.org/changeset/198985
1374
1375 2016-07-05  Mark Lam  <mark.lam@apple.com>
1376
1377         Rename VM stack limit fields to better describe their purpose.
1378         https://bugs.webkit.org/show_bug.cgi?id=159451
1379
1380         Reviewed by Keith Miller.
1381
1382         This is in preparation for an upcoming patch that changes what stack limit values
1383         are used under various circumstances.  This patch aims to do some minimal work to
1384         rename the fields so that it will be easier to reason about the upcoming patch.
1385     
1386         In this patch, we make the following changes:
1387
1388         1. Rename VM::m_stackLimit to VM::m_jsCPUStackLimit.
1389
1390         2. VM::m_jsStackLimit used to have an overloaded meaning:
1391            a. For JIT builds, m_jsStackLimit is synonymous with m_stackLimit.
1392            b. For C Loop builds, m_jsStackLimit is a separate pointer that points to the
1393               emulated JS stack that the C Loop uses.
1394
1395            In place of m_jsStackLimit, this patch introduces 2 new fields:
1396            VM::m_jsEmulatedStackLimit and VM::m_llintStackLimit.
1397
1398            m_llintStackLimit is the limit that the LLInt assembly uses for its stack
1399            check.  m_llintStackLimit behaves like the old m_jsStackLimit in that:
1400            a. For JIT builds, m_llintStackLimit is synonymous with m_jsCPUStackLimit.
1401            b. For C Loop builds, m_llintStackLimit is synonymous with m_jsEmulatedStackLimit.
1402
1403            m_jsEmulatedStackLimit is used for the emulated stack that the C Loop uses.
1404
1405         3. Rename the following methods to match the above:
1406              VM::stackLimit() ==> VM::jsCPUStackLimit()
1407              VM::addressOfStackLimit() ==> VM::addressOfJSCPUStackLimit()
1408              VM::jsStackLimit() ==> VM::jsEmulatedStackLimit()
1409              VM::setJSStackLimit() ==> VM::setJSEmulatedStackLimit()
1410              JSStack::setStackLimit() ==> JSStack::setEmulatedStackLimit()
1411
1412         4. With change (2) and (3), the limits will be used as follows:
1413            a. VM code doing stack recursion checks will only use m_jsCPUStackLimit.
1414            b. JIT code will only use m_jsCPUStackLimit.
1415            c. C Loop emulated stack code in JSStack will only use m_jsEmulatedStackLimit.
1416               Note: the part of JSStack that operates on a JIT build will use
1417                     m_jsCPUStackLimit as expected.
1418            d. LLINT assembly code will only use m_llintStackLimit.
1419
1420         This patch only contains the above refactoring changes.  There is no behavior
1421         change.
1422
1423         * dfg/DFGJITCompiler.cpp:
1424         (JSC::DFG::JITCompiler::compile):
1425         (JSC::DFG::JITCompiler::compileFunction):
1426         * ftl/FTLLowerDFGToB3.cpp:
1427         (JSC::FTL::DFG::LowerDFGToB3::lower):
1428         * interpreter/JSStack.cpp:
1429         (JSC::JSStack::JSStack):
1430         (JSC::JSStack::growSlowCase):
1431         (JSC::JSStack::lowAddress):
1432         (JSC::JSStack::highAddress):
1433         * interpreter/JSStack.h:
1434         * interpreter/JSStackInlines.h:
1435         (JSC::JSStack::ensureCapacityFor):
1436         (JSC::JSStack::shrink):
1437         (JSC::JSStack::grow):
1438         (JSC::JSStack::setJSEmulatedStackLimit):
1439         (JSC::JSStack::setStackLimit): Deleted.
1440         * jit/JIT.cpp:
1441         (JSC::JIT::compileWithoutLinking):
1442         * jit/SetupVarargsFrame.cpp:
1443         (JSC::emitSetupVarargsFrameFastCase):
1444         * llint/LLIntSlowPaths.cpp:
1445         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1446         * llint/LowLevelInterpreter.asm:
1447         * llint/LowLevelInterpreter32_64.asm:
1448         * llint/LowLevelInterpreter64.asm:
1449         * runtime/RegExp.cpp:
1450         (JSC::RegExp::finishCreation):
1451         (JSC::RegExp::compile):
1452         (JSC::RegExp::compileMatchOnly):
1453         * runtime/VM.cpp:
1454         (JSC::VM::VM):
1455         (JSC::VM::updateStackLimit):
1456         * runtime/VM.h:
1457         (JSC::VM::reservedZoneSize):
1458         (JSC::VM::jsCPUStackLimit):
1459         (JSC::VM::addressOfJSCPUStackLimit):
1460         (JSC::VM::jsEmulatedStackLimit):
1461         (JSC::VM::setJSEmulatedStackLimit):
1462         (JSC::VM::isSafeToRecurse):
1463         (JSC::VM::jsStackLimit): Deleted.
1464         (JSC::VM::setJSStackLimit): Deleted.
1465         (JSC::VM::stackLimit): Deleted.
1466         (JSC::VM::addressOfStackLimit): Deleted.
1467         * wasm/WASMFunctionCompiler.h:
1468         (JSC::WASMFunctionCompiler::startFunction):
1469
1470 2016-07-05  Saam Barati  <sbarati@apple.com>
1471
1472         StackVisitor::unwindToMachineCodeBlockFrame() may unwind past a VM entry frame when catching an exception and the frame has inlined tail calls
1473         https://bugs.webkit.org/show_bug.cgi?id=159448
1474         <rdar://problem/27084459>
1475
1476         Reviewed by Mark Lam.
1477
1478         Consider the following stack trace:
1479         (machine) foo -> VM entry frame -> (machine) bar -> (inlined tailcall) baz
1480
1481         If an exception is thrown at 'baz', we will do exception unwinding,
1482         which will eventually call unwindToMachineCodeBlockFrame() which will call
1483         gotoNextFrame() on the 'baz' frame. The next logical frame for 'baz' is 'foo' because
1484         'bar' tail called 'baz' even though there is a machine frame for 'bar' on the stack.
1485         This is a bug. unwindToMachineCodeBlockFrame() should not care about the next
1486         logical frame, it just wants to move StackVisitor's state to the current machine
1487         frame. The bug here is that we would end up unwinding past the VM entry frame
1488         which can have all kinds of terrible consequences.
1489
1490         This patch fixes unwindToMachineCodeBlockFrame() by having it not rely
1491         on gotoNextFrame() and instead using its own mechanism for setting
1492         the StackVisitor's state to the current machine frame.
1493
1494         * interpreter/StackVisitor.cpp:
1495         (JSC::StackVisitor::unwindToMachineCodeBlockFrame):
1496         * tests/stress/dont-unwind-past-vm-entry-frame.js: Added.
1497         (let.p.new.Proxy):
1498         (let.p.new.Proxy.apply):
1499         (bar):
1500         (let.good):
1501         (getItem):
1502         (start):
1503
1504 2016-07-05  Joseph Pecoraro  <pecoraro@apple.com>
1505
1506         RELEASE_ASSERT(!thisObject) in ObjCCallbackFunctionImpl::call when calling JSExport ObjC Constructor without operator new
1507         https://bugs.webkit.org/show_bug.cgi?id=159446
1508
1509         Reviewed by Mark Lam.
1510
1511         Treat ObjC JSExport init constructors like ES6 Class Constructors
1512         and throw a TypeError when called without 'new'.
1513
1514         * API/ObjCCallbackFunction.mm:
1515         (JSC::ObjCCallbackFunctionImpl::type):
1516         (JSC::objCCallbackFunctionCallAsFunction):
1517         When calling an init method as a function instead of construction
1518         throw a TypeError.
1519
1520         * bytecompiler/BytecodeGenerator.cpp:
1521         (JSC::BytecodeGenerator::BytecodeGenerator):
1522         Improve error message.
1523
1524         * API/tests/testapi.mm:
1525         (testObjectiveCAPIMain):
1526         Test we get an exception when calling an ObjC constructor without 'new'.
1527
1528 2016-07-05  Mark Lam  <mark.lam@apple.com>
1529
1530         Remove some unneeded #include "CachedCall.h".
1531         https://bugs.webkit.org/show_bug.cgi?id=159449
1532
1533         Reviewed by Saam Barati.
1534
1535         * runtime/ArrayPrototype.cpp:
1536         * runtime/JSArray.cpp:
1537         * runtime/MapPrototype.cpp:
1538         * runtime/SetPrototype.cpp:
1539
1540 2016-07-05  Geoffrey Garen  <ggaren@apple.com>
1541
1542         Crash @ bankofamerica.com, University of Vienna
1543         https://bugs.webkit.org/show_bug.cgi?id=159439
1544
1545         Reviewed by Saam Barati.
1546
1547         * ftl/FTLLink.cpp:
1548         (JSC::FTL::link): Do check for stack overflow in the arity mismatch thunk
1549         because it can happen. Don't store a CallSiteIndex because we haven't
1550         stored a CodeBlock yet, and our stack frame is not fully constructed,
1551         so it would be an error for any client to try to load this value (and
1552         operationCallArityCheck does not load this value).
1553
1554         * tests/stress/arity-check-ftl-throw.js: Added. New test case for stressing
1555         a stack overflow with arity mismatch. Sadly, after hours of fiddling, I
1556         can't seem to get this to fail in trunk. Still, it's good to have some
1557         more testing in this area.
1558
1559 2016-07-05  Benjamin Poulain  <bpoulain@apple.com>
1560
1561         [JSC] The prototype cycle check throws the wrong error type
1562         https://bugs.webkit.org/show_bug.cgi?id=159393
1563
1564         Reviewed by Geoffrey Garen.
1565
1566         We were supposed to throw the TypeError:
1567         -https://tc39.github.io/ecma262/#sec-set-object.prototype.__proto__
1568
1569         * runtime/JSObject.cpp:
1570         (JSC::JSObject::setPrototypeWithCycleCheck):
1571
1572 2016-07-05  Saam Barati  <sbarati@apple.com>
1573
1574         our parsing for "use strict" is wrong when we first parse other directives that are not "use strict" but are located in a place where "use strict" would be valid
1575         https://bugs.webkit.org/show_bug.cgi?id=159376
1576         <rdar://problem/27108773>
1577
1578         Reviewed by Benjamin Poulain.
1579
1580         Our strict mode detection algorithm used to break if we ever saw a directive
1581         that is not "use strict" but is syntactically located in a location where our
1582         parser looks for "use strict". It broke as follows:
1583
1584         If a function started with a non "use strict" string literal, we will allow
1585         "use strict" to be in any arbitrary statement inside the top level block in
1586         the function body. For example, this meant that if we parsed a sequence of string
1587         literals, followed by arbitrary statements, followed by "use strict", we would parse
1588         the function as if it's in strict mode. This is the wrong behavior with respect to
1589         the spec. This has consequences in other ways that break invariants of the language.
1590         For example, we used to allow functions that are lexically nested inside what we deemed
1591         a strict function to be non-strict. This used to fire an assertion if we ever skipped over
1592         that function using the source provider cache, but it worked just fine in release builds.
1593
1594         This patch fixes this bug.
1595
1596         * parser/Parser.cpp:
1597         (JSC::Parser<LexerType>::parseSourceElements):
1598         (JSC::Parser<LexerType>::parseStatement):
1599         * tests/stress/ensure-proper-strict-mode-parsing.js: Added.
1600         (foo.bar):
1601         (foo):
1602         (bar.foo):
1603         (bar):
1604         (bar.call.undefined.this.throw.new.Error.string_appeared_here.baz):
1605         (baz.call.undefined.undefined.throw.new.Error.string_appeared_here.jaz):
1606         (jaz.call.undefined.this.throw.new.Error.string_appeared_here.vaz):
1607
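The directive prologue rule the entry above refers to, as an added example (not JSC's parser and not part of this ChangeLog): a small scanner that models which leading string-literal statements count as directives, checked against the running engine on constructed function bodies. The function names and the case list are assumptions made for this illustration.

```javascript
// Added example, not JSC code. Models the ECMAScript directive prologue:
// only the longest leading run of statements that consist solely of a string
// literal is scanned, and only an exact, escape-free "use strict" (or
// 'use strict') in that run makes the body strict. Anything after the first
// non-string statement is ordinary code, which is the case the fix addresses.
function directivePrologueIsStrict(source) {
  const n = source.length;
  let i = 0;
  for (;;) {
    while (i < n && /\s/.test(source[i])) i++;
    if (i >= n) return false;
    const quote = source[i];
    if (quote !== '"' && quote !== "'") return false; // prologue has ended
    let j = i + 1;
    let sawEscape = false;
    while (j < n && source[j] !== quote) {
      if (source[j] === '\\') { sawEscape = true; j++; } // skip escaped char
      j++;
    }
    if (j >= n) return false; // unterminated literal; a real parser rejects it
    const text = source.slice(i + 1, j);
    i = j + 1;
    // The literal is only a directive if it is the whole statement: it must
    // be followed by ';', a line break (ASI) or the end of the body.
    while (i < n && (source[i] === ' ' || source[i] === '\t')) i++;
    if (i < n && source[i] === ';') i++;
    else if (i < n && source[i] !== '\n' && source[i] !== '\r') return false;
    if (!sawEscape && text === 'use strict') return true;
  }
}

// Ask the engine itself: a nested function inherits strictness, and in strict
// code a plain call sees `this === undefined` instead of the global object.
function engineTreatsAsStrict(body) {
  return new Function(body + '\nreturn (function () { return this; })() === undefined;')();
}

// Constructed function bodies with the behaviour the spec requires.
const cases = [
  { body: '"some other directive";\n"use strict";', expected: true },
  { body: '"some other directive";\nvar x = 1;\n"use strict";', expected: false }, // the bug
  { body: '"use\\x20strict";', expected: false },   // escapes disqualify a directive
  { body: '"use strict".length;', expected: false }, // part of a larger expression
  { body: "'use strict'", expected: true },          // no semicolon: ASI still applies
];

function checkAll() {
  return cases.map(c => ({
    body: c.body,
    expected: c.expected,
    model: directivePrologueIsStrict(c.body),
    engine: engineTreatsAsStrict(c.body),
  }));
}

// True when the model and the running engine both match the spec for every case.
function allAgree() {
  return checkAll().every(r => r.model === r.expected && r.engine === r.expected);
}
```

The second case is exactly the shape described in the entry: a non-"use strict" string literal, an ordinary statement, then "use strict"; both the model and a spec-compliant engine treat that body as sloppy.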
1608 2016-07-05  Saam Barati  <sbarati@apple.com>
1609
1610         reportAbandonedObjectGraph should report abandoned bytes based on capacity() so it works even if a GC has never happened
1611         https://bugs.webkit.org/show_bug.cgi?id=159222
1612         <rdar://problem/27001991>
1613
1614         Reviewed by Geoffrey Garen.
1615
1616         When reportAbandonedObjectGraph() was called before the first GC, it used to
1617         not indicate to the GC timers that we have memory that needs to be collected
1618         because the calculation was based on m_sizeAfterLastCollect (which was zero).
1619         This patch makes the calculation based on capacity() which is a valid number
1620         even before the first GC.
1621
1622         * heap/Heap.cpp:
1623         (JSC::Heap::reportAbandonedObjectGraph):
1624         (JSC::Heap::protect):
1625         (JSC::Heap::didAbandon): Deleted.
1626         * heap/Heap.h:
1627         (JSC::Heap::jitStubRoutines):
1628
1629 2016-07-05  Csaba Osztrogonác  <ossy@webkit.org>
1630
1631         Typo fix after r202214
1632         https://bugs.webkit.org/show_bug.cgi?id=159416
1633
1634         Reviewed by Saam Barati.
1635
1636         * bytecode/InlineAccess.h:
1637
1638 2016-07-03  Per Arne Vollan  <pvollan@apple.com>
1639
1640         [Win] DLLs are missing version information.
1641         https://bugs.webkit.org/show_bug.cgi?id=159349
1642
1643         Reviewed by Brent Fulgham.
1644
1645         Run perl version stamp utility.
1646         
1647         * CMakeLists.txt:
1648
1649 2016-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1650
1651         [JSC] MacroAssemblerX86::branch8 should accept unsigned 8bit value
1652         https://bugs.webkit.org/show_bug.cgi?id=159334
1653
1654         Reviewed by Benjamin Poulain.
1655
1656         As described in branchTest8 functions, byte in TrustedImm32 is not well defined.
1657         So the assertion here should be a little permissive; accepting -128 to 255.
1658
1659         This assertion was originally fired when executing the misc-bugs-847389-jpeg2000 benchmark in a Debug build.
1660         So this patch includes misc-bugs-847389-jpeg2000 benchmark.
1661
1662         * assembler/MacroAssemblerX86Common.h:
1663         (JSC::MacroAssemblerX86Common::branchTest8):
1664         (JSC::MacroAssemblerX86Common::branch8):
1665         * b3/testb3.cpp:
1666         (JSC::B3::testBranch8WithLoad8ZIndex):
1667         (JSC::B3::run):
1668
1669 2016-07-03  Benjamin Poulain  <bpoulain@apple.com>
1670
1671         [JSC] __lookupGetter__ and __lookupSetter__ should not ignore exceptions
1672         https://bugs.webkit.org/show_bug.cgi?id=159390
1673
1674         Reviewed by Mark Lam.
1675
1676         See:
1677         -https://tc39.github.io/ecma262/#sec-object.prototype.__lookupGetter__
1678         -https://tc39.github.io/ecma262/#sec-object.prototype.__lookupSetter__
1679
1680         They are both supposed to be regular [[GetOwnProperty]].
1681
1682         * runtime/ObjectPrototype.cpp:
1683         (JSC::objectProtoFuncLookupGetter):
1684         (JSC::objectProtoFuncLookupSetter):
1685
1686 2016-07-03  Saam Barati  <sbarati@apple.com>
1687
1688         BytecodeGenerator::getVariablesUnderTDZ is too conservative
1689         https://bugs.webkit.org/show_bug.cgi?id=159387
1690
1691         Reviewed by Filip Pizlo.
1692
1693         We were too conservative in the following type of programs:
1694         ```
1695         {
1696             {
1697                 let x;
1698                 ...
1699             }
1700             let x;
1701         }
1702         ```
1703         We used to report "x" as under TDZ when calling getVariablesUnderTDZ at the
1704         "...", even though "x" is not under TDZ. This patch removes this conservatism
1705         and makes the algorithm precise.
1706
1707         * bytecompiler/BytecodeGenerator.cpp:
1708         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1709         * bytecompiler/BytecodeGenerator.h:
1710
1711 2016-07-03  Filip Pizlo  <fpizlo@apple.com>
1712
1713         FTL should refer to B3 types directly
1714         https://bugs.webkit.org/show_bug.cgi?id=159389
1715
1716         Reviewed by Saam Barati.
1717         
1718         When we used LLVM, types were objects that were allocated by the LLVMContext. We had to
1719         remember pointers to them or else call through the C API every time we wanted the type. We
1720         stored the type pointers inside FTL::CommonValues.
1721         
1722         But in B3, types are just members of an enum. We don't have to remember pointers to them.
1723         
1724         This change replaces all prior uses of things like "m_out.int32" with just "Int32", and
1725         likewise for m_out.boolean, m_out.int64, m_out.intPtr, m_out.floatType, m_out.doubleType,
1726         and m_out.voidType.
1727         
1728         We still use FTL::CommonValues for common constants that we have pre-hoisted. Hopefully we
1729         will come up with a better story for those eventually, since that's still kinda ugly.
1730
1731         * ftl/FTLCommonValues.cpp:
1732         (JSC::FTL::CommonValues::CommonValues):
1733         * ftl/FTLCommonValues.h:
1734         * ftl/FTLLowerDFGToB3.cpp:
1735         (JSC::FTL::DFG::LowerDFGToB3::createPhiVariables):
1736         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
1737         (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
1738         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
1739         (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
1740         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
1741         (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
1742         (JSC::FTL::DFG::LowerDFGToB3::compileArithMinOrMax):
1743         (JSC::FTL::DFG::LowerDFGToB3::compileArithPow):
1744         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1745         (JSC::FTL::DFG::LowerDFGToB3::compileArrayifyToStructure):
1746         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
1747         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
1748         (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
1749         (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
1750         (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
1751         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1752         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1753         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
1754         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1755         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
1756         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1757         (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById):
1758         (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById):
1759         (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal):
1760         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
1761         (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
1762         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1763         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1764         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1765         (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments):
1766         (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
1767         (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest):
1768         (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
1769         (JSC::FTL::DFG::LowerDFGToB3::compileNewObject):
1770         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1771         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1772         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1773         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1774         (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
1775         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
1776         (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
1777         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1778         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1779         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1780         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1781         (JSC::FTL::DFG::LowerDFGToB3::compileGetByOffset):
1782         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
1783         (JSC::FTL::DFG::LowerDFGToB3::compilePutByOffset):
1784         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1785         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
1786         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
1787         (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
1788         (JSC::FTL::DFG::LowerDFGToB3::compileIsString):
1789         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray):
1790         (JSC::FTL::DFG::LowerDFGToB3::compileIsObject):
1791         (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
1792         (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
1793         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject):
1794         (JSC::FTL::DFG::LowerDFGToB3::compileIsTypedArrayView):
1795         (JSC::FTL::DFG::LowerDFGToB3::compileTypeOf):
1796         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1797         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
1798         (JSC::FTL::DFG::LowerDFGToB3::compileCheckTypeInfoFlags):
1799         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
1800         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
1801         (JSC::FTL::DFG::LowerDFGToB3::compileCountExecution):
1802         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1803         (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty):
1804         (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty):
1805         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1806         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumerableLength):
1807         (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
1808         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
1809         (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
1810         (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString):
1811         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureImmediate):
1812         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1813         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1814         (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
1815         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
1816         (JSC::FTL::DFG::LowerDFGToB3::checkInferredType):
1817         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1818         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
1819         (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
1820         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1821         (JSC::FTL::DFG::LowerDFGToB3::getById):
1822         (JSC::FTL::DFG::LowerDFGToB3::compare):
1823         (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
1824         (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
1825         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
1826         (JSC::FTL::DFG::LowerDFGToB3::speculateTruthyObject):
1827         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
1828         (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
1829         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1830         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1831         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1832         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
1833         (JSC::FTL::DFG::LowerDFGToB3::boolify):
1834         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
1835         (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
1836         (JSC::FTL::DFG::LowerDFGToB3::buildSwitch):
1837         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
1838         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
1839         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
1840         (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToJSValue):
1841         (JSC::FTL::DFG::LowerDFGToB3::strictInt52ToInt52):
1842         (JSC::FTL::DFG::LowerDFGToB3::unboxInt32):
1843         (JSC::FTL::DFG::LowerDFGToB3::boxInt32):
1844         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
1845         (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
1846         (JSC::FTL::DFG::LowerDFGToB3::boxDouble):
1847         (JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
1848         (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52):
1849         (JSC::FTL::DFG::LowerDFGToB3::convertDoubleToInt32):
1850         (JSC::FTL::DFG::LowerDFGToB3::callCheck):
1851         (JSC::FTL::DFG::LowerDFGToB3::crash):
1852         * ftl/FTLOutput.cpp:
1853         (JSC::FTL::Output::bitCast):
1854
1855 2016-07-02  Filip Pizlo  <fpizlo@apple.com>
1856
1857         DFG LICM needs to go all-in on the idea that some loops can't be LICMed
1858         https://bugs.webkit.org/show_bug.cgi?id=159388
1859
1860         Reviewed by Mark Lam.
1861         
1862         Some time ago I acknowledged that LICM required loops to meet certain requirements that
1863         may get broken by the time we do LICM, like that the terminal of the pre-header is ExitOK.
1864         It used to be that we just ignored that requirement and would hoist anyway, but since
1865         r189126 we've stopped hoisting out of loops that don't have ExitOK.  We also added tests
1866         for the case that the pre-header doesn't exist or is invalid.
1867
1868         It turns out that this patch didn't go far enough: even though it made LICM avoid loops
1869         that had an invalid pre-header, the part that updated the AI state in nested loops still
1870         assumed that these loops had valid pre-headers.  We would crash in null dereference in
1871         that loop if a nested loop had an invalid pre-header.
1872
1873         The fix is simple: don't update the AI state of nested loops that don't have pre-headers,
1874         since we won't try to hoist out of those loops anyway.
1875
1876         * dfg/DFGLICMPhase.cpp:
1877         (JSC::DFG::LICMPhase::attemptHoist):
1878         * tests/stress/licm-no-pre-header-nested.js: Added. This would always crash before this fix.
1879         (foo):
1880         * tests/stress/licm-pre-header-cannot-exit-nested.js: Added. This was a failed attempt at a test, but I figure it's good to have weird code anyway.
1881         (foo):
1882         (valueOf):
1883
1884 2016-06-30  Filip Pizlo  <fpizlo@apple.com>
1885
1886         Scopes that are not under TDZ should still push their variables onto the TDZ stack so that lifting TDZ doesn't bypass that scope
1887         https://bugs.webkit.org/show_bug.cgi?id=159332
1888         rdar://problem/27018958
1889
1890         Reviewed by Saam Barati.
1891         
1892         This fixes an instacrash in this code:
1893         
1894             try{}catch(e){}print(e);let e;
1895         
1896         We lift TDZ for "e" in "catch (e){}", but since that scope doesn't push anything onto the
1897         TDZ stack, we lift TDZ from "let e".
1898         
1899         The problem is that we weren't tracking the set of variables that do not have TDZ. We need
1900         to track them to "block" the traversal that lifts TDZ. This change fixes this issue by
1901         using a map that tracks all known variables, and tells you if they are under TDZ or not.
1902
1903         * bytecode/CodeBlock.h:
1904         (JSC::CodeBlock::numParameters):
1905         * bytecode/CodeOrigin.h:
1906         * bytecompiler/BytecodeGenerator.cpp:
1907         (JSC::Label::setLocation):
1908         (JSC::Variable::dump):
1909         (JSC::BytecodeGenerator::generate):
1910         (JSC::BytecodeGenerator::BytecodeGenerator):
1911         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
1912         (JSC::BytecodeGenerator::popLexicalScope):
1913         (JSC::BytecodeGenerator::popLexicalScopeInternal):
1914         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
1915         (JSC::BytecodeGenerator::variable):
1916         (JSC::BytecodeGenerator::needsTDZCheck):
1917         (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
1918         (JSC::BytecodeGenerator::pushTDZVariables):
1919         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
1920         (JSC::BytecodeGenerator::endGenerator):
1921         (WTF::printInternal):
1922         * bytecompiler/BytecodeGenerator.h:
1923         (JSC::Variable::isConst):
1924         (JSC::Variable::setIsReadOnly):
1925         * interpreter/CallFrame.h:
1926         (JSC::ExecState::topOfFrame):
1927         * tests/stress/lift-tdz-bypass-catch.js: Added.
1928         (foo):
1929         (catch):
1930
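The TDZ bookkeeping described in this entry and in the earlier getVariablesUnderTDZ entry, as an added example (not JSC's BytecodeGenerator and not part of this ChangeLog): a small scope-stack model in which every scope records its bindings together with whether they are under TDZ, so that lifting TDZ stops at the first scope that knows the name and a shadowing inner binding is reported precisely. The class and function names are hypothetical; the last function checks the entry's snippet against the running engine.

```javascript
// Added example, not JSC code: a model of TDZ tracking across nested scopes.
class TDZScopeStack {
  constructor() {
    this.scopes = []; // innermost scope last; each is Map<name, underTDZ>
  }

  // Every scope pushes all of its bindings, including ones that are never
  // under TDZ (catch parameters, function parameters, var). A scope that
  // pushed nothing would be invisible to liftTDZ() below, which is the bug.
  push(names, underTDZ) {
    const bindings = new Map();
    for (const name of names) bindings.set(name, underTDZ);
    this.scopes.push(bindings);
  }

  pop() {
    this.scopes.pop();
  }

  // Resolve `name` from the innermost scope outward. The first scope that
  // declares it is the one the read refers to, so the walk stops there and
  // an outer binding of the same name keeps its own TDZ state.
  liftTDZ(name) {
    for (let i = this.scopes.length - 1; i >= 0; i--) {
      const bindings = this.scopes[i];
      if (bindings.has(name)) {
        const wasUnderTDZ = bindings.get(name);
        bindings.set(name, false);
        return wasUnderTDZ;
      }
    }
    return false; // unknown name (e.g. a global): nothing to lift
  }

  // Names that still need a TDZ check at the current point. An inner binding
  // shadows outer ones, so an initialized inner `let x` hides an outer `x`
  // that is still under TDZ instead of conservatively reporting it.
  variablesUnderTDZ() {
    const seen = new Set();
    const result = new Set();
    for (let i = this.scopes.length - 1; i >= 0; i--) {
      for (const [name, underTDZ] of this.scopes[i]) {
        if (seen.has(name)) continue;
        seen.add(name);
        if (underTDZ) result.add(name);
      }
    }
    return result;
  }
}

// { { let x; ... } let x; }  -- is x under TDZ at the "..."?
function shadowedOuterLetAtDots() {
  const stack = new TDZScopeStack();
  stack.push(['x'], true);  // outer block: let x declared, not yet initialized
  stack.push(['x'], true);  // inner block: its own let x
  stack.liftTDZ('x');       // inner `let x;` executes: inner x initialized
  const atDots = stack.variablesUnderTDZ().has('x');
  stack.pop();              // leave the inner block
  const afterInnerBlock = stack.variablesUnderTDZ().has('x');
  return { atDots, afterInnerBlock };
}

// try {} catch (e) {} e; let e;  -- with and without the catch scope recording `e`
function catchParameterLiftsOuterLet(catchScopePushesBinding) {
  const stack = new TDZScopeStack();
  stack.push(['e'], true);                                // function body: let e
  if (catchScopePushesBinding) stack.push(['e'], false);  // catch (e): initialized on entry
  stack.liftTDZ('e');                                     // a use of e inside the catch block
  if (catchScopePushesBinding) stack.pop();
  return !stack.variablesUnderTDZ().has('e'); // true means the outer let lost its check
}

// The same snippet on the running engine: a spec-compliant engine throws
// because the function-level `e` is read before its `let` runs.
function engineResultForCatchBypass() {
  try {
    new Function('try {} catch (e) {} return e; let e;')();
    return 'no error';
  } catch (err) {
    return err.constructor.name;
  }
}
```

With the catch scope recorded, `catchParameterLiftsOuterLet(true)` is false (the outer `let e` keeps its TDZ check); without it, the lift walks past the catch and wrongly clears the outer binding, which is the crash the entry describes.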
1931 2016-07-01  Benjamin Poulain  <bpoulain@apple.com>
1932
1933         [JSC] RegExp.compile is not returning the regexp when it succeeds
1934         https://bugs.webkit.org/show_bug.cgi?id=159381
1935
1936         Reviewed by Mark Lam.
1937
1938         Spec:
1939         -https://tc39.github.io/ecma262/#sec-regexp.prototype.compile
1940         -https://tc39.github.io/ecma262/#sec-regexpinitialize
1941
1942         * runtime/RegExpPrototype.cpp:
1943         (JSC::regExpProtoFuncCompile):
1944
1945 2016-07-01  Saam Barati  <sbarati@apple.com>
1946
1947         fix "ASSERTION FAILED: currentOffset() >= currentLineStartOffset()"
1948         https://bugs.webkit.org/show_bug.cgi?id=158572
1949         <rdar://problem/26884092>
1950
1951         Reviewed by Mark Lam.
1952
1953         There is a bug in our lexer when we notice the pattern:
1954         ```<return|continue|break|...etc> // some comment here```
1955         Our code will say that the token for the comment is a semicolon.
1956         This is the correct semantics, however, it would give the semicolon
1957         a start offset of the comment, but it will give its line start offset
1958         the newline after the comment.  This breaks the invariant in the lexer/parser
1959         that the offset for the current line starting point must be less than or equal to
1960         the start offset of any token on that line. This invariant was broken because
1961         the line start offset was greater than the token start offset. To maintain this
1962         invariant, we claim that the semicolon token is located where the comment starts,
1963         and that its line start offset is the line start offset for the line with the
1964         comment on it.  There are other solutions that maintain this invariant, but this
1965         solution provides the best error messages.
1966
1967         * parser/Lexer.cpp:
1968         (JSC::Lexer<T>::lex):
1969         * parser/Parser.h:
1970         (JSC::Parser::internalSaveLexerState):
1971         * tests/stress/obscure-error-message-dont-crash.js: Added.
1972         (try.eval.or.catch):
1973
1974 2016-07-01  Benjamin Poulain  <bpoulain@apple.com>
1975
1976         __defineGetter__/__defineSetter__ should throw exceptions
1977         https://bugs.webkit.org/show_bug.cgi?id=142934
1978
1979         Reviewed by Mark Lam.
1980
1981         * runtime/ObjectPrototype.cpp:
1982         (JSC::objectProtoFuncDefineGetter):
1983         (JSC::objectProtoFuncDefineSetter):
1984
1985 2016-07-01  Jon Davis  <jond@apple.com>
1986
1987         Moved Web Animations and Resource Timing feature entries to WebCore.
1988         https://bugs.webkit.org/show_bug.cgi?id=159356
1989
1990         Reviewed by Timothy Hatcher.
1991
1992         * features.json:
1993
1994 2016-07-01  Benjamin Poulain  <bpoulain@apple.com>
1995
1996         [JSC] Date.toGMTString should be the Date.toUTCString function
1997         https://bugs.webkit.org/show_bug.cgi?id=159318
1998
1999         Reviewed by Mark Lam.
2000
2001         See https://tc39.github.io/ecma262/#sec-date.prototype.togmtstring
2002
2003         * runtime/DatePrototype.cpp:
2004         (JSC::DatePrototype::finishCreation):
2005         (JSC::dateProtoFuncToGMTString): Deleted.
2006
2007 2016-07-01  Mark Lam  <mark.lam@apple.com>
2008
2009         Update JSC_functionOverrides to handle the new SourceCode strings that have params.
2010         https://bugs.webkit.org/show_bug.cgi?id=159321
2011
2012         Reviewed by Geoffrey Garen.
2013
2014         And add tests so that this won't fail silently and bit rot anymore.
2015
2016         * API/tests/FunctionOverridesTest.cpp: Added.
2017         (testFunctionOverrides):
2018         * API/tests/FunctionOverridesTest.h: Added.
2019         * API/tests/testapi-function-overrides.js: Added.
2020         * API/tests/testapi.c:
2021         (main):
2022         * JavaScriptCore.xcodeproj/project.pbxproj:
2023         * bytecode/UnlinkedFunctionExecutable.cpp:
2024         (JSC::UnlinkedFunctionExecutable::link):
2025         * shell/PlatformWin.cmake:
2026         * tools/FunctionOverrides.cpp:
2027         (JSC::FunctionOverrides::FunctionOverrides):
2028         (JSC::FunctionOverrides::reinstallOverrides):
2029         (JSC::initializeOverrideInfo):
2030         (JSC::FunctionOverrides::initializeOverrideFor):
2031         * tools/FunctionOverrides.h:
2032         (JSC::FunctionOverrides::clear):
2033
2034 2016-07-01  Caio Lima  <ticaiolima@gmail.com>
2035
2036         ES6: Implement HasRestrictedGlobalProperty when checking for global lexical tier conflicts
2037         https://bugs.webkit.org/show_bug.cgi?id=148763
2038
2039         Reviewed by Saam Barati.
2040
2041         I've implemented the ES6 spec 8.1.1.4.14
2042         (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-hasrestrictedglobalproperty)
2043         that defines when a global property can be shadowed.
2044
2045         Added some test cases into global-lexical-redeclare-variable.js
2046
2047         * runtime/Executable.cpp:
2048         (JSC::ProgramExecutable::initializeGlobalProperties):
2049         * tests/stress/global-lexical-redeclare-variable.js:
2050         (catch):
2051         * tests/stress/multiple-files-tests/global-lexical-redeclare-variable/eighth.js: Added.
2052         * tests/stress/multiple-files-tests/global-lexical-redeclare-variable/nineth.js: Added.
2053         * tests/stress/multiple-files-tests/global-lexical-redeclare-variable/seventh.js: Added.
2054         * tests/stress/multiple-files-tests/global-lexical-redeclare-variable/sixth.js:
2055         * tests/stress/multiple-files-tests/global-lexical-redeclare-variable/tenth.js: Added.
2056
2057 2016-07-01  Youenn Fablet  <youennf@gmail.com>
2058
2059         Add a runtime flag for DOM iterators
2060         https://bugs.webkit.org/show_bug.cgi?id=159300
2061
2062         Reviewed by Alex Christensen.
2063
2064         * runtime/CommonIdentifiers.h:
2065
2066 2016-06-30  Joseph Pecoraro  <pecoraro@apple.com>
2067
2068         Web Inspector: Wrong function name next to scope
2069         https://bugs.webkit.org/show_bug.cgi?id=158210
2070         <rdar://problem/26543093>
2071
2072         Reviewed by Timothy Hatcher.
2073
2074         * CMakeLists.txt:
2075         * JavaScriptCore.xcodeproj/project.pbxproj:
2076         Add DebuggerLocation. A helper for describing a unique location.
2077
2078         * bytecode/CodeBlock.cpp:
2079         (JSC::CodeBlock::setConstantRegisters):
2080         When compiled with debug info, add a SymbolTable rare data pointer
2081         back to the CodeBlock. This will be used later to get JSScope debug
2082         info if Web Inspector pauses.
2083
2084         * runtime/SymbolTable.h:
2085         * runtime/SymbolTable.cpp:
2086         (JSC::SymbolTable::cloneScopePart):
2087         (JSC::SymbolTable::prepareForTypeProfiling):
2088         (JSC::SymbolTable::uniqueIDForVariable):
2089         (JSC::SymbolTable::uniqueIDForOffset):
2090         (JSC::SymbolTable::globalTypeSetForOffset):
2091         (JSC::SymbolTable::globalTypeSetForVariable):
2092         Rename rareData and include a CodeBlock pointer.
2093
2094         (JSC::SymbolTable::rareDataCodeBlock):
2095         (JSC::SymbolTable::setRareDataCodeBlock):
2096         Setter and getter for the rare data. It should only be set once.
2097
2098         (JSC::SymbolTable::visitChildren):
2099         Visit the rare data code block if we have one.
2100
2101         * runtime/JSSymbolTableObject.h:
2102         * runtime/JSSymbolTableObject.cpp:
2103         (JSC::JSSymbolTableObject::deleteProperty):
2104         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2105         Give JSSymbolTable its own class info. JSWithScope was unexpectedly
2106         inheriting from JSSymbolTable since it did not have its own and
2107         was using JSScope's class info. Also do a bit of cleanup.
2108
2109         * debugger/DebuggerLocation.cpp: Added.
2110         (JSC::DebuggerLocation::DebuggerLocation):
2111         * debugger/DebuggerLocation.h: Added.
2112         (JSC::DebuggerLocation::DebuggerLocation):
2113         Construction from a ScriptExecutable.
2114
2115         * runtime/JSScope.cpp:
2116         (JSC::JSScope::symbolTable):
2117         * runtime/JSScope.h:
2118         * debugger/DebuggerScope.h:
2119         * debugger/DebuggerScope.cpp:
2120         (JSC::DebuggerScope::name):
2121         (JSC::DebuggerScope::location):
2122         Name and location for a scope. This uses:
2123         JSScope -> SymbolTable -> CodeBlock -> Executable
2124
2125         * inspector/protocol/Debugger.json:
2126         * inspector/InjectedScriptSource.js:
2127         (InjectedScript.CallFrameProxy.prototype._wrapScopeChain):
2128         (InjectedScript.CallFrameProxy._createScopeJson):
2129         * inspector/JSJavaScriptCallFrame.cpp:
2130         (Inspector::valueForScopeType):
2131         (Inspector::valueForScopeLocation):
2132         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2133         (Inspector::JSJavaScriptCallFrame::scopeType): Deleted.
2134         * inspector/JSJavaScriptCallFrame.h:
2135         * inspector/JSJavaScriptCallFramePrototype.cpp:
2136         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
2137         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
2138         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType): Deleted.
2139         Simplify this code to build the objects we will send across the protocol
2140         to describe a Scope.
2141
2142 2016-06-30  Saam Barati  <sbarati@apple.com>
2143
2144         missing exception checks in arrayProtoFuncReverse
2145         https://bugs.webkit.org/show_bug.cgi?id=159319
2146         <rdar://problem/27083696>
2147
2148         Reviewed by Filip Pizlo.
2149
2150         * runtime/ArrayPrototype.cpp:
2151         (JSC::arrayProtoFuncToString):
2152         (JSC::arrayProtoFuncReverse):
2153
2154 2016-06-30  Saam Barati  <sbarati@apple.com>
2155
2156         get_by_id_with_this does not trigger a to_this in caller.
2157         https://bugs.webkit.org/show_bug.cgi?id=159226
2158
2159         Reviewed by Keith Miller.
2160
2161         This is a bug if the caller is in sloppy mode and the callee is in strict
2162         mode. This can't happen with ES6 classes because they're all in strict mode,
2163         but it can happen with method syntax on an object literal. The caller must
2164         to_this on |this| when it knows that it performs super property accesses.
2165
2166         * bytecompiler/BytecodeGenerator.cpp:
2167         (JSC::BytecodeGenerator::BytecodeGenerator):
2168         * tests/stress/super-property-access-object-literal-to-this-2.js: Added.
2169         (assert):
2170         (test):
2171         (let.o1.get foo):
2172         (let.o2.a):
2173         (let.o2.aa):
2174         * tests/stress/super-property-access-object-literal-to-this.js: Added.
2175         (assert):
2176         (test):
2177         (let.o1.get foo):
2178         (let.o2.a):
2179         (let.o2.aa):
2180         (let.o2.b):
2181         (let.o2.bb):
2182         * tests/stress/super-property-access-to-this.js: Added.
2183         (assert):
2184         (test):
2185         (Base.prototype.get foo):
2186         (Base):
2187         (Child.prototype.a):
2188         (Child.prototype.b):
2189         (Child):
2190
2191 2016-06-30  Saam Barati  <sbarati@apple.com>
2192
2193         We need to to_this when an inner arrow function uses 'this'
2194         https://bugs.webkit.org/show_bug.cgi?id=159290
2195         <rdar://problem/27058322>
2196
2197         Reviewed by Geoffrey Garen.
2198
2199         We put the |this| value into the closure object when there
2200         is an arrow function that uses |this|. However, an arrow function
2201         using |this| wasn't causing the creator of the closure that
2202         holds |this| to to_this its value before putting it in the
2203         closure. That's a huge bug because it means some arrow functions
2204         can capture the raw |this| value, which might be a JSLexicalEnvironment.
2205         This patch fixes this by adding an easy check to see if any
2206         inner arrow functions use |this|, and if any do, it will to_this
2207         the |this| value.
2208
2209         * bytecompiler/BytecodeGenerator.cpp:
2210         (JSC::BytecodeGenerator::BytecodeGenerator):
2211         * tests/stress/to-this-before-arrow-function-closes-over-this-that-starts-as-lexical-environment.js: Added.
2212         (assert):
2213         (obj):
2214         (foo.capture):
2215         (foo.wrapper.let.x.):
2216         (foo2.capture):
2217         (foo2.wrapper.let.x.):
2218         (foo2.wrapper.bar):
2219
2220 2016-06-29  Filip Pizlo  <fpizlo@apple.com>
2221
2222         Generators violate bytecode liveness validation
2223         https://bugs.webkit.org/show_bug.cgi?id=159279
2224
2225         Reviewed by Yusuke Suzuki.
2226         
2227         Fix a liveness bug found by Basic. The problem is that resume's intended liveness rule is:
2228         "live-in is just the token argument", but the liveness analysis thought that the rule was
2229         "live-in is live-out minus defs plus live-at-catch". Clearly these two rules are quite
2230         different. The way this sort of worked before is that we would define the defs of resume
2231         as being equal to our prediction of what the live-outs would be. We did this in the hope
2232         that we would subtract all live-outs. But, this misses the live-at-catch part. So, this
2233         change adds another hack to neutralize live-at-catch.
2234         
2235         This would make a lot more sense if we wrote a new liveness analysis that was just for
2236         generator conversion. It could reuse BytecodeUseDef but otherwise it would be a new thing.
2237         It would be easy to write crazy rules for save/resume in such an analysis, especially if
2238         that analysis rewrote the bytecode. We could then just have an op_yield that is a no-op.
2239         We would just record the live-outs of op_yield and use that for rewriting the code in terms
2240         of a switch statement.
2241
2242         * bytecode/BytecodeLivenessAnalysis.cpp:
2243         (JSC::stepOverInstruction):
2244         (JSC::BytecodeLivenessAnalysis::dumpResults):
2245         * bytecode/CodeBlock.cpp:
2246         (JSC::CodeBlock::dumpBytecode):
2247
2248 2016-06-30  Commit Queue  <commit-queue@webkit.org>
2249
2250         Unreviewed, rolling out r202659.
2251         https://bugs.webkit.org/show_bug.cgi?id=159305
2252
2253         The test for this change times out on mac-wk2 debug and caused
2254         an existing test to crash. (Requested by ryanhaddad on
2255         #webkit).
2256
2257         Reverted changeset:
2258
2259         "Web Inspector: Wrong function name next to scope"
2260         https://bugs.webkit.org/show_bug.cgi?id=158210
2261         http://trac.webkit.org/changeset/202659
2262
2263 2016-06-30  Benjamin Poulain  <bpoulain@apple.com>
2264
2265         [JSC] Date.setYear() misses timeClip()
2266         https://bugs.webkit.org/show_bug.cgi?id=159289
2267
2268         Reviewed by Geoffrey Garen.
2269
2270         * runtime/DatePrototype.cpp:
2271         (JSC::dateProtoFuncSetYear):
2272
2273 2016-06-30  Joseph Pecoraro  <pecoraro@apple.com> and Yusuke Suzuki  <utatane.tea@gmail.com>
2274
2275         [JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values
2276         https://bugs.webkit.org/show_bug.cgi?id=154022
2277
2278         Reviewed by Filip Pizlo.
2279
2280         We aim at optimizing @toInteger operation.
2281         While it still has an unoptimized part[1], this patch should be a first step.
2282
2283         We introduce the @toNumber builtin intrinsic operation.
2284         This converts the given value to the JS number by emitting op_to_number bytecode.
2285         Previously @toInteger called C++ @Number constructor for that purpose.
2286
2287         And in DFG, op_to_number is converted to DFG ToNumber node.
2288         During DFG, we attempt to convert this to edge filtering and Identity, but if we fail,
2289         we just fall back to calling the C++ function.
2290
2291         To utilize ToNumber in user-land side, we add a path attempting to convert Number constructor calls
2292         to ToNumber DFG nodes. This conversion is useful because `Number(value)` is used to convert a value to a number in JS.
2293
2294         Before this patch, we emit simple edge filtering (NumberUse) instead of emitting DFG node like ToNumber for op_to_number.
2295         But emitting ToNumber is useful, because in the case of `Number(value)`, considering `value` may not be a number is reasonable.
2296
2297         By leveraging @toNumber operation, we rewrite Number.{isFinite, isNaN}, global.{isFinite, isNaN} and @toInteger.
2298
2299         ToNumber DFG node has a value profiling. This profiling is leveraged to determine the result number type of the ToNumber operation.
2300         This value profiling is provided from either NumberConstructor's call operation or op_to_number.
2301
2302         The results (with the added performance tests) show that, while existing cases are performance neutral, the newly added cases gain the performance benefit.
2303         And ASMBench/n-body.c also shows stable ~2% progression.
2304
2305         [1]: https://bugs.webkit.org/show_bug.cgi?id=153738
2306
2307         * CMakeLists.txt:
2308         * DerivedSources.make:
2309         * JavaScriptCore.xcodeproj/project.pbxproj:
2310         * builtins/BuiltinNames.h:
2311         * builtins/GlobalObject.js:
2312         (globalPrivate.isFinite):
2313         (globalPrivate.isNaN):
2314         (globalPrivate.toInteger): Deleted.
2315         (globalPrivate.toLength): Deleted.
2316         (globalPrivate.isDictionary): Deleted.
2317         (globalPrivate.speciesGetter): Deleted.
2318         (globalPrivate.speciesConstructor): Deleted.
2319         * builtins/GlobalOperations.js: Copied from Source/JavaScriptCore/builtins/GlobalObject.js.
2320         (globalPrivate.toInteger):
2321         (globalPrivate.toLength):
2322         (globalPrivate.isDictionary):
2323         (globalPrivate.speciesGetter):
2324         (globalPrivate.speciesConstructor):
2325         * builtins/NumberConstructor.js: Added.
2326         (isFinite):
2327         (isNaN):
2328         * bytecode/BytecodeIntrinsicRegistry.cpp:
2329         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2330         * bytecode/BytecodeIntrinsicRegistry.h:
2331         * bytecode/BytecodeList.json:
2332         * bytecode/CodeBlock.cpp:
2333         (JSC::CodeBlock::dumpBytecode):
2334         (JSC::CodeBlock::finishCreation):
2335         * bytecompiler/BytecodeGenerator.cpp:
2336         (JSC::BytecodeGenerator::emitUnaryOp):
2337         (JSC::BytecodeGenerator::emitUnaryOpProfiled):
2338         * bytecompiler/BytecodeGenerator.h:
2339         (JSC::BytecodeGenerator::emitToNumber):
2340         * bytecompiler/NodesCodegen.cpp:
2341         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
2342         (JSC::UnaryPlusNode::emitBytecode):
2343         * dfg/DFGAbstractInterpreterInlines.h:
2344         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2345         * dfg/DFGBackwardsPropagationPhase.cpp:
2346         (JSC::DFG::BackwardsPropagationPhase::propagate):
2347         * dfg/DFGByteCodeParser.cpp:
2348         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2349         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2350         (JSC::DFG::ByteCodeParser::parseBlock):
2351         We use `getPrediction()` to retrieve the heap prediction from the to_number bytecode.
2352         According to the benchmark results, choosing `getPredictionWithoutOSRExit()` causes performance regression (1.5%) in kraken stanford-crypto-aes.
2353
2354         * dfg/DFGClobberize.h:
2355         (JSC::DFG::clobberize):
2356         * dfg/DFGConstantFoldingPhase.cpp:
2357         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2358         * dfg/DFGDoesGC.cpp:
2359         (JSC::DFG::doesGC):
2360         * dfg/DFGFixupPhase.cpp:
2361         (JSC::DFG::FixupPhase::fixupNode):
2362         (JSC::DFG::FixupPhase::fixupToNumber):
2363         * dfg/DFGNode.h:
2364         (JSC::DFG::Node::hasHeapPrediction):
2365         * dfg/DFGNodeType.h:
2366         * dfg/DFGOperations.cpp:
2367         * dfg/DFGOperations.h:
2368         * dfg/DFGPredictionPropagationPhase.cpp:
2369         Always on the heap prediction.
2370
2371         * dfg/DFGSafeToExecute.h:
2372         (JSC::DFG::safeToExecute):
2373         * dfg/DFGSpeculativeJIT32_64.cpp:
2374         (JSC::DFG::SpeculativeJIT::compile):
2375         As with the 64-bit version, we carefully manage the register reuse. The largest difference between 32-bit and 64-bit is
2376         `branchIfNotNumber()` requires the temporary register. We should not use the result registers for that since
2377         it may reuse the argument registers and it can break the argument registers before using them to call the operation.
2378         Currently, we allocate the additional temporary register for that scratch register.
2379
2380         * dfg/DFGSpeculativeJIT64.cpp:
2381         (JSC::DFG::SpeculativeJIT::compile):
2382         Reuse the argument register for the result if possible. And manually decrement the use count in the middle of the node.
2383         This is a similar technique to the one used in ToPrimitive. Typically, the child of ToNumber is only used by this ToNumber node since
2384         we would like to perform the type conversion onto this child node here. So this careful register reuse effectively removes
2385         the spills to call the operation. The example of the actually emitted code is the following.
2386
2387         76:<!2:loc11>     ToNumber(Untyped:@68, JS|MustGen|UseAsOther, DoubleimpurenanTopEmpty, R:World, W:Heap, Exits, ClobbersExit, bc#48)  predicting DoubleimpurenanTopEmpty
2388             0x7f986d5fe693: test %rax, %r14
2389             0x7f986d5fe696: jz 0x7f986d5fe6a1
2390             0x7f986d5fe69c: jmp 0x7f986d5fe6d1
2391             0x7f986d5fe6a1: mov %rax, %rsi
2392             0x7f986d5fe6a4: mov %rbp, %rdi
2393             0x7f986d5fe6a7: mov $0x2, 0x24(%rbp)
2394             0x7f986d5fe6ae: mov $0x7f98711ea5f0, %r11
2395             0x7f986d5fe6b8: call *%r11
2396             0x7f986d5fe6bb: mov $0x7f982d3f72d0, %r11
2397             0x7f986d5fe6c5: mov (%r11), %r11
2398             0x7f986d5fe6c8: test %r11, %r11
2399             0x7f986d5fe6cb: jnz 0x7f986d5fe88c
2400
2401         It effectively removes the unnecessary spill to call the operation!
2402
2403         * ftl/FTLCapabilities.cpp:
2404         (JSC::FTL::canCompile):
2405         * ftl/FTLLowerDFGToB3.cpp:
2406         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2407         (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
2408         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2409         * jit/AssemblyHelpers.h:
2410         (JSC::AssemblyHelpers::branchIfNumber):
2411         (JSC::AssemblyHelpers::branchIfNotNumber):
2412         * jit/JITOpcodes.cpp:
2413         (JSC::JIT::emit_op_to_number):
2414         * jit/JITOpcodes32_64.cpp:
2415         (JSC::JIT::emit_op_to_number):
2416         * llint/LowLevelInterpreter32_64.asm:
2417         * llint/LowLevelInterpreter64.asm:
2418         * parser/Nodes.h:
2419         (JSC::UnaryOpNode::opcodeID):
2420         * runtime/CommonSlowPaths.cpp:
2421         (JSC::SLOW_PATH_DECL):
2422         * runtime/JSGlobalObject.cpp:
2423         (JSC::JSGlobalObject::init):
2424         * runtime/JSGlobalObjectFunctions.cpp:
2425         (JSC::globalFuncIsNaN): Deleted.
2426         (JSC::globalFuncIsFinite): Deleted.
2427         * runtime/JSGlobalObjectFunctions.h:
2428         * runtime/MathCommon.h:
2429         (JSC::maxSafeInteger):
2430         (JSC::minSafeInteger):
2431         * runtime/NumberConstructor.cpp:
2432         (JSC::NumberConstructor::finishCreation):
2433         (JSC::numberConstructorFuncIsFinite): Deleted.
2434         (JSC::numberConstructorFuncIsNaN): Deleted.
2435         * runtime/NumberConstructor.h:
2436         * tests/stress/Number-isNaN-basics.js: Added.
2437         (numberIsNaNOnInteger):
2438         (testNumberIsNaNOnIntegers):
2439         (verifyNumberIsNaNOnIntegerWithOtherTypes):
2440         (numberIsNaNOnDouble):
2441         (testNumberIsNaNOnDoubles):
2442         (verifyNumberIsNaNOnDoublesWithOtherTypes):
2443         (numberIsNaNNoArguments):
2444         (numberIsNaNTooManyArguments):
2445         (testNumberIsNaNOnConstants):
2446         (numberIsNaNStructTransition):
2447         (Number.isNaN):
2448         * tests/stress/global-is-finite.js: Added.
2449         (shouldBe):
2450         * tests/stress/global-is-nan.js: Added.
2451         (shouldBe):
2452         * tests/stress/global-isNaN-basics.js: Added.
2453         (isNaNOnInteger):
2454         (testIsNaNOnIntegers):
2455         (verifyIsNaNOnIntegerWithOtherTypes):
2456         (isNaNOnDouble):
2457         (testIsNaNOnDoubles):
2458         (verifyIsNaNOnDoublesWithOtherTypes):
2459         (verifyIsNaNOnCoercedTypes):
2460         (isNaNNoArguments):
2461         (isNaNTooManyArguments):
2462         (testIsNaNOnConstants):
2463         (isNaNTypeCoercionSideEffects):
2464         (i.value.isNaNTypeCoercionSideEffects.valueOf):
2465         (isNaNStructTransition):
2466         (isNaN):
2467         * tests/stress/number-is-finite.js: Added.
2468         (shouldBe):
2469         (test2):
2470         (test3):
2471         * tests/stress/number-is-nan.js: Added.
2472         (shouldBe):
2473         (test2):
2474         (test3):
2475         * tests/stress/to-number-basics.js: Added.
2476         (shouldBe):
2477         * tests/stress/to-number-convert-identity-without-execution.js: Added.
2478         (shouldBe):
2479         (object.valueOf):
2480         (valueOf):
2481         * tests/stress/to-number-int52.js: Added.
2482         (shouldBe):
2483         (object.valueOf):
2484         * tests/stress/to-number-intrinsic-convert-to-identity-without-execution.js: Added.
2485         (shouldBe):
2486         (object.valueOf):
2487         (valueOf):
2488         * tests/stress/to-number-intrinsic-int52.js: Added.
2489         (shouldBe):
2490         (object.valueOf):
2491         * tests/stress/to-number-intrinsic-object-without-execution.js: Added.
2492         (shouldBe):
2493         (object.valueOf):
2494         * tests/stress/to-number-intrinsic-value-profiling.js: Added.
2495         (shouldBe):
2496         (object.valueOf):
2497         * tests/stress/to-number-object-without-execution.js: Added.
2498         (shouldBe):
2499         (object.valueOf):
2500         * tests/stress/to-number-object.js: Added.
2501         (shouldBe):
2502         (test12):
2503         (object1.valueOf):
2504         (test2):
2505         (test22):
2506         (object2.valueOf):
2507         (test3):
2508         (test32):
2509         (object3.valueOf):
2510         * tests/stress/to-number-value-profiling.js: Added.
2511         (shouldBe):
2512         (object.valueOf):
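
        Added example for the @toNumber entry above (bug 154022); it is not the WebKit builtins or their tests.
        It is a JavaScript model of the @toNumber-based isFinite/isNaN/@toInteger builtins the entry describes,
        checked against the engine's own functions, including the valueOf side effects that the listed
        coercion tests exercise. The probe object and sample inputs are constructed here.

```javascript
// Added example, not the WebKit builtins themselves: a JavaScript model of the
// @toNumber-based builtins the entry above rewrites, checked against the
// engine's own isNaN/isFinite/Number.isNaN/Number.isFinite.

// Models @toNumber: the same ToNumber conversion that Number(value) performs.
// On objects it calls valueOf/toString, so it is observable and may run code.
function toNumber(value) {
  return Number(value);
}

// Models @toInteger on top of @toNumber: NaN -> +0, +-0 and +-Infinity stay,
// everything else is truncated toward zero.
function toInteger(value) {
  const n = toNumber(value);
  if (n !== n) return 0;                                        // NaN
  if (n === 0 || n === Infinity || n === -Infinity) return n;
  return Math.trunc(n);
}

// Global isNaN / isFinite: coerce first, so objects are converted.
function globalIsNaN(value) {
  const n = toNumber(value);
  return n !== n;
}
function globalIsFinite(value) {
  const n = toNumber(value);
  return n === n && n !== Infinity && n !== -Infinity;
}

// Number.isNaN / Number.isFinite: no coercion; any non-number answers false.
function numberIsNaN(value) {
  return typeof value === 'number' && value !== value;
}
function numberIsFinite(value) {
  return typeof value === 'number' && globalIsFinite(value);
}

// Constructed probe: counts how many times a conversion reaches its valueOf.
function makeProbe(result) {
  const probe = { calls: 0, valueOf() { probe.calls += 1; return result; } };
  return probe;
}

// Constructed inputs covering numbers, numeric strings, empties and objects.
const SAMPLE_VALUES = [
  0, -0, 1.5, NaN, Infinity, -Infinity, '12.5', '0x10', '', ' ', 'abc',
  null, undefined, true, false, [], [7], [1, 2], {}, makeProbe(NaN), makeProbe(3),
];

// Returns a description of every input on which the model disagrees with the
// engine; an empty array means the model matches on all of them.
function checkAgainstEngine(values) {
  const mismatches = [];
  values.forEach((v, i) => {
    const pairs = [
      ['isNaN', globalIsNaN(v), isNaN(v)],
      ['isFinite', globalIsFinite(v), isFinite(v)],
      ['Number.isNaN', numberIsNaN(v), Number.isNaN(v)],
      ['Number.isFinite', numberIsFinite(v), Number.isFinite(v)],
    ];
    for (const [name, model, engine] of pairs) {
      if (model !== engine) mismatches.push(`${name} on input #${i}`);
    }
  });
  return mismatches;
}

// valueOf call counts on fresh probes: the coercing global functions call it
// exactly once, the Number.* predicates never do, in model and engine alike.
function valueOfCallCounts() {
  const counts = {};
  for (const [name, fn] of [
    ['modelIsNaN', globalIsNaN], ['engineIsNaN', isNaN],
    ['modelNumberIsNaN', numberIsNaN], ['engineNumberIsNaN', Number.isNaN],
  ]) {
    const probe = makeProbe(NaN);
    fn(probe);
    counts[name] = probe.calls;
  }
  return counts;
}
```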
2513
2514 2016-06-29  Benjamin Poulain  <benjamin@webkit.org>
2515
2516         Fix the debug build after r202667
2517
2518         * runtime/JSTypedArrayViewPrototype.cpp:
2519         (JSC::JSTypedArrayViewPrototype::finishCreation):
2520         The putDirect was missing the Accessor flag for the GetterSetter.
2521
2522 2016-06-29  Michael Saboff  <msaboff@apple.com>
2523
2524         REGRESSION(200114): Netflix app does not see ChromeCast
2525         https://bugs.webkit.org/show_bug.cgi?id=159287
2526
2527         Reviewed by Benjamin Poulain.
2528
2529         Change set 200114 changed the behavior of how we check for whether or not we
2530         wrap Objective C init methods in JavaScript constructors.  The prior method
2531         checked the version of JavaScriptCore that was linked with the application.
2532         If the application was not directly linked with JavaScriptCore the prior
2533         method indicated that we shouldn't create constructors.  The new method uses
2534         the SDK the application was compiled with.  Using the new method, an
2535         application compiled with iOS SDK 8.0 or greater would create constructors
2536         and not export init methods to JavaScript.  The problem is that an existing
2537         application that hasn't been recompiled will get a different answer using
2538         the new method.  We need to come up with a method that works in a compatible
2539         way with existing programs, but provides a newly compiled program with the
2540         "is built with SDK N or greater" check.
2541         
2542         Added back the prior check of the version of JavaScriptCore the program was
2543         directly linked against.  However we only use this check if we directly linked
2544         with JavaScriptCore.  Otherwise we fall through to check against the SDK the
2545         program was built with.  Changed the iOS SDK version we check
2546         against to be the new version of iOS, iOS 10.
2547
2548         This provides compatible behavior for existing programs.  It may be the case
2549         that some of those programs may require changes when they are rebuilt with the
2550         iOS 10 SDK or later.
2551
2552         * API/JSWrapperMap.mm:
2553         (supportsInitMethodConstructors):
2554
2555 2016-06-29  Benjamin Poulain  <bpoulain@apple.com>
2556
2557         [JSC] Minor TypedArray fixes
2558         https://bugs.webkit.org/show_bug.cgi?id=159286
2559
2560         Reviewed by Keith Miller.
2561
2562         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2563         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
2564         See https://tc39.github.io/ecma262/#sec-%typedarray%
2565
2566         * runtime/JSTypedArrayViewPrototype.cpp:
2567         (JSC::typedArrayViewPrivateFuncLength):
2568         See https://tc39.github.io/ecma262/#sec-get-%typedarray%.prototype.length
2569
2570         (JSC::typedArrayViewProtoGetterFuncToStringTag):
2571         Yep, that's odd.
2572         See https://tc39.github.io/ecma262/#sec-get-%typedarray%.prototype-@@tostringtag
2573
2574         (JSC::JSTypedArrayViewPrototype::finishCreation):
2575         See the last paragraph of https://tc39.github.io/ecma262/#sec-ecmascript-standard-built-in-objects
2576
2577 2016-06-29  Joseph Pecoraro  <pecoraro@apple.com>
2578
2579         Web Inspector: API View of Native DOM APIs looks poor (TypeErrors for native getters)
2580         https://bugs.webkit.org/show_bug.cgi?id=158334
2581         <rdar://problem/26615366>
2582
2583         Reviewed by Timothy Hatcher.
2584
2585         * inspector/InjectedScriptSource.js:
2586         (InjectedScript.prototype._getProperties):
2587         (InjectedScript.prototype._propertyDescriptors):
2588         Do not create fake value property descriptors for native accessors
2589         unless requested. This means, getProperties for a native prototype
2590         should return accessors for native accessors just like it does
2591         for normal non-native accessors (getters/setters).
2592
2593         (InjectedScript.prototype.getProperties):
2594         Do not produce fake value accessors for native accessors.
2595
2596         (InjectedScript.prototype.getDisplayableProperties):
2597         (InjectedScript.RemoteObject.prototype._generatePreview):
2598         Do produce fake value accessors for native accessors.
2599
2600 2016-06-29  Saam barati  <sbarati@apple.com>
2601
2602         JSGlobalLexicalEnvironment needs a toThis implementation
2603         https://bugs.webkit.org/show_bug.cgi?id=159285
2604
2605         Reviewed by Mark Lam.
2606
2607         This was a huge oversight of my original implementation. It gave users
2608         of the language direct access to the JSGlobalLexicalEnvironment object.
2609
2610         * runtime/JSGlobalLexicalEnvironment.cpp:
2611         (JSC::JSGlobalLexicalEnvironment::isConstVariable):
2612         (JSC::JSGlobalLexicalEnvironment::toThis):
2613         * runtime/JSGlobalLexicalEnvironment.h:
2614         (JSC::JSGlobalLexicalEnvironment::isEmpty):
2615         * tests/stress/global-lexical-environment-to-this.js: Added.
2616         (assert):
2617         (let.f):
2618         (let.fStrict):
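
        Added example, not from the WebKit ChangeLog or its stress tests, covering the three to_this entries above:
        get_by_id_with_this in a sloppy caller (bug 159226), an inner arrow function capturing |this| (bug 159290),
        and JSGlobalLexicalEnvironment::toThis (bug 159285). It checks the observable boxing rules from JavaScript;
        functions are built with the Function constructor so they stay sloppy even if the file is loaded as a strict module.

```javascript
// Added example (not WebKit code): the observable to_this rules the three
// entries above rely on. Functions are created with the Function constructor
// so they are sloppy mode regardless of how this file is loaded; only bodies
// that say 'use strict' are strict.

// Case 1 (get_by_id_with_this): a sloppy object-literal method that does a
// super property access, reaching a strict getter. The caller must to_this
// (box) a primitive |this| before the super access, so the strict getter
// sees an object rather than the raw primitive.
const makeDerived = new Function(`
  const base = { get kind() { 'use strict'; return typeof this; } };
  const derived = { probe() { return super.kind; } };   // sloppy caller
  Object.setPrototypeOf(derived, base);
  return derived;
`);

function superAccessThisKind(receiver) {
  return makeDerived().probe.call(receiver);
}

// Case 2 (inner arrow function): the arrow captures |this| from its sloppy
// enclosing function, which must to_this the value before storing it in the
// closure. Primitives arrive boxed; undefined becomes the global object.
const makeArrow = new Function('return () => this;');

function arrowCapturedThis(receiver) {
  return makeArrow.call(receiver)();
}

// Case 3 (JSGlobalLexicalEnvironment::toThis): a sloppy function invoked with
// no receiver must observe the real global object, never an internal scope
// object; a strict one keeps undefined.
const sloppyThis = new Function('return this;');
const strictThis = new Function("'use strict'; return this;");

function globalReceiverIsGlobalThis() {
  return sloppyThis() === globalThis && strictThis() === undefined;
}

// All cases on primitive, object and undefined receivers.
function toThisSummary() {
  return {
    superWithString: superAccessThisKind('str'),                      // "object"
    superWithObject: superAccessThisKind({ x: 1 }),                   // "object"
    arrowWithNumber: typeof arrowCapturedThis(42),                    // "object"
    arrowWithUndefined: arrowCapturedThis(undefined) === globalThis,  // true
    globalReceiverOk: globalReceiverIsGlobalThis(),                   // true
  };
}
```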
2619
2620 2016-06-29  Joseph Pecoraro  <pecoraro@apple.com>
2621
2622         Web Inspector: Wrong function name next to scope
2623         https://bugs.webkit.org/show_bug.cgi?id=158210
2624         <rdar://problem/26543093>
2625
2626         Reviewed by Brian Burg.
2627
2628         * CMakeLists.txt:
2629         * JavaScriptCore.xcodeproj/project.pbxproj:
2630         Add DebuggerLocation. A helper for describing a unique location.
2631
2632         * bytecode/CodeBlock.cpp:
2633         (JSC::CodeBlock::setConstantRegisters):
2634         When compiled with debug info, add a SymbolTable rare data pointer
2635         back to the CodeBlock. This will be used later to get JSScope debug
2636         info if Web Inspector pauses.
2637
2638         * runtime/SymbolTable.h:
2639         * runtime/SymbolTable.cpp:
2640         (JSC::SymbolTable::cloneScopePart):
2641         (JSC::SymbolTable::prepareForTypeProfiling):
2642         (JSC::SymbolTable::uniqueIDForVariable):
2643         (JSC::SymbolTable::uniqueIDForOffset):
2644         (JSC::SymbolTable::globalTypeSetForOffset):
2645         (JSC::SymbolTable::globalTypeSetForVariable):
2646         Rename rareData and include a CodeBlock pointer.
2647
2648         (JSC::SymbolTable::rareDataCodeBlock):
2649         (JSC::SymbolTable::setRareDataCodeBlock):
2650         Setter and getter for the rare data. It should only be set once.
2651
2652         (JSC::SymbolTable::visitChildren):
2653         Visit the rare data code block if we have one.
2654
2655         * debugger/DebuggerLocation.cpp: Added.
2656         (JSC::DebuggerLocation::DebuggerLocation):
2657         * debugger/DebuggerLocation.h: Added.
2658         (JSC::DebuggerLocation::DebuggerLocation):
2659         Construction from a ScriptExecutable.
2660
2661         * runtime/JSScope.cpp:
2662         (JSC::JSScope::symbolTable):
2663         * runtime/JSScope.h:
2664         * debugger/DebuggerScope.h:
2665         * debugger/DebuggerScope.cpp:
2666         (JSC::DebuggerScope::name):
2667         (JSC::DebuggerScope::location):
2668         Name and location for a scope. This uses:
2669         JSScope -> SymbolTable -> CodeBlock -> Executable
2670
2671         * inspector/protocol/Debugger.json:
2672         * inspector/InjectedScriptSource.js:
2673         (InjectedScript.CallFrameProxy.prototype._wrapScopeChain):
2674         (InjectedScript.CallFrameProxy._createScopeJson):
2675         * inspector/JSJavaScriptCallFrame.cpp:
2676         (Inspector::valueForScopeType):
2677         (Inspector::valueForScopeLocation):
2678         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
2679         (Inspector::JSJavaScriptCallFrame::scopeType): Deleted.
2680         * inspector/JSJavaScriptCallFrame.h:
2681         * inspector/JSJavaScriptCallFramePrototype.cpp:
2682         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
2683         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
2684         (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType): Deleted.
2685         Simplify this code to build the objects we will send across the protocol
2686         to describe a Scope.
2687
2688 2016-06-29  Saam barati  <sbarati@apple.com>
2689
2690         We don't emit TDZ checks for call_eval
2691         https://bugs.webkit.org/show_bug.cgi?id=159277
2692         <rdar://problem/27018801>
2693
2694         Reviewed by Benjamin Poulain.
2695
2696         This is a problem if you're trying to call a TDZ variable
2697         that is named 'eval'.
2698
2699         * bytecompiler/NodesCodegen.cpp:
2700         (JSC::EvalFunctionCallNode::emitBytecode):
2701         * tests/stress/variable-named-eval-under-tdz.js: Added.
2702         (shouldThrowTDZ):
2703         (test):
2704         (test.foo):
2705         (throw.new.Error):
2706
2707 2016-06-29  Mark Lam  <mark.lam@apple.com>
2708
2709         Add support for collecting cumulative LLINT stats via a JSC_llintStatsFile option.
2710         https://bugs.webkit.org/show_bug.cgi?id=159274
2711
2712         Reviewed by Keith Miller.
2713
2714         * jsc.cpp:
2715         (main):
2716         * llint/LLIntData.cpp:
2717         (JSC::LLInt::initialize):
2718         (JSC::LLInt::Data::finalizeStats):
2719         (JSC::LLInt::compareStats):
2720         (JSC::LLInt::Data::dumpStats):
2721         (JSC::LLInt::Data::ensureStats):
2722         (JSC::LLInt::Data::loadStats):
2723         (JSC::LLInt::Data::resetStats):
2724         (JSC::LLInt::Data::saveStats):
2725         * llint/LLIntData.h:
2726         (JSC::LLInt::Data::opcodeStats):
2727         * runtime/Options.cpp:
2728         (JSC::Options::isAvailable):
2729         (JSC::recomputeDependentOptions):
2730         (JSC::Options::initialize):
2731         * runtime/Options.h:
2732
2733 2016-06-29  Saam barati  <sbarati@apple.com>
2734
2735         Destructuring variable declaration is missing a validation of the syntax of a sub production when there is a rhs
2736         https://bugs.webkit.org/show_bug.cgi?id=159267
2737
2738         Reviewed by Mark Lam.
2739
2740         We were parsing something without checking if it had a syntax error.
2741         This is wrong for many reasons, but it could actually cause a crash
2742         in a debug build if you parsed particular programs.
2743
2744         * parser/Parser.cpp:
2745         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2746
2747 2016-06-29  Joseph Pecoraro  <pecoraro@apple.com>
2748
2749         Web Inspector: Show Shadow Root type in DOM Tree
2750         https://bugs.webkit.org/show_bug.cgi?id=159236
2751         <rdar://problem/27068521>
2752
2753         Reviewed by Timothy Hatcher.
2754
2755         * inspector/protocol/DOM.json:
2756         Include optional shadowRootType property for DOMNodes.
2757
2758 2016-06-29  Commit Queue  <commit-queue@webkit.org>
2759
2760         Unreviewed, rolling out r202627.
2761         https://bugs.webkit.org/show_bug.cgi?id=159266
2762
2763         patch is broken on arm (Requested by keith_miller on #webkit).
2764
2765         Reverted changeset:
2766
2767         "LLInt should support other types of prototype GetById
2768         caching."
2769         https://bugs.webkit.org/show_bug.cgi?id=158083
2770         http://trac.webkit.org/changeset/202627
2771
2772 2016-06-29  Benjamin Poulain  <bpoulain@apple.com>
2773
2774         [JSC] Fix small issues of TypedArray prototype
2775         https://bugs.webkit.org/show_bug.cgi?id=159248
2776
2777         Reviewed by Saam Barati.
2778
2779         First, TypedArray's toString and Array's toString
2780         should be the same function.
2781         I moved the function to GlobalObject and each array type
2782         gets it as needed.
2783
2784         Then TypedArray length was supposed to be configurable.
2785         I removed the "DontDelete" flag accordingly.
2786
2787         * runtime/ArrayPrototype.cpp:
2788         (JSC::ArrayPrototype::finishCreation):
2789         * runtime/JSGlobalObject.cpp:
2790         (JSC::JSGlobalObject::init):
2791         (JSC::JSGlobalObject::visitChildren):
2792         * runtime/JSGlobalObject.h:
2793         (JSC::JSGlobalObject::arrayProtoToStringFunction):
2794         * runtime/JSTypedArrayViewPrototype.cpp:
2795         (JSC::JSTypedArrayViewPrototype::finishCreation):
2796
2797 2016-06-29  Caio Lima  <ticaiolima@gmail.com>
2798
2799         LLInt should support other types of prototype GetById caching.
2800         https://bugs.webkit.org/show_bug.cgi?id=158083
2801
2802         Recently, we started supporting prototype load caching for get_by_id
2803         in the LLInt. This patch is expanding the caching strategy to enable
2804         caching of the prototype accessor and custom accessors.
2805
2806         Similarly to the get_by_id_proto_load bytecode, we are adding new
2807         bytecodes called get_by_id_proto_accessor that uses the calculated
2808         offset of an object to call a getter function and get_by_id_proto_custom
2809         that stores the pointer to the custom function and calls them directly
2810         from LowLevelInterpreter.
2811
2812         Reviewed by Keith Miller.
2813
2814         * bytecode/BytecodeList.json:
2815         * bytecode/BytecodeUseDef.h:
2816         (JSC::computeUsesForBytecodeOffset):
2817         (JSC::computeDefsForBytecodeOffset):
2818         * bytecode/CodeBlock.cpp:
2819         (JSC::CodeBlock::printGetByIdOp):
2820         (JSC::CodeBlock::dumpBytecode):
2821         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2822         * bytecode/GetByIdStatus.cpp:
2823         (JSC::GetByIdStatus::computeFromLLInt):
2824         * dfg/DFGByteCodeParser.cpp:
2825         (JSC::DFG::ByteCodeParser::parseBlock):
2826         * dfg/DFGCapabilities.cpp:
2827         (JSC::DFG::capabilityLevel):
2828         * jit/JIT.cpp:
2829         (JSC::JIT::privateCompileMainPass):
2830         (JSC::JIT::privateCompileSlowCases):
2831         * llint/LLIntSlowPaths.cpp:
2832         (JSC::LLInt::setupGetByIdPrototypeCache):
2833         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2834         * llint/LLIntSlowPaths.h:
2835         * llint/LowLevelInterpreter32_64.asm:
2836         * llint/LowLevelInterpreter64.asm:
2837
2838 2016-06-28  Commit Queue  <commit-queue@webkit.org>
2839
2840         Unreviewed, rolling out r202580.
2841         https://bugs.webkit.org/show_bug.cgi?id=159245
2842
2843         Caused all WKTR tests to fail on GuardMalloc and Production
2844         only for unknown reasons, investigating offline. (Requested by
2845         brrian on #webkit).
2846
2847         Reverted changeset:
2848
2849         "RunLoop::Timer should use constructor templates instead of
2850         class templates"
2851         https://bugs.webkit.org/show_bug.cgi?id=159153
2852         http://trac.webkit.org/changeset/202580
2853
2854 2016-06-28  Keith Miller  <keith_miller@apple.com>
2855
2856         We should not crash if there is a finally inside a for-in loop
2857         https://bugs.webkit.org/show_bug.cgi?id=159243
2858         <rdar://problem/27018910>
2859
2860         Reviewed by Benjamin Poulain.
2861
2862         Previously we would swap the m_forInContext with an empty vector
2863         then attempt to shrink the size of m_forInContext by the amount
2864         we expected. This meant that if there was more than one ForInContext
2865         on the stack and we wanted to pop exactly one off we would crash.
2866         This patch makes ForInContexts RefCounted so they can be duplicated
2867         into other vectors. It also has ForInContexts copy the entire stack
2868         rather than do the swap that we did before. This makes ForInContexts
2869         work the same as the other contexts.
2870
2871         * bytecompiler/BytecodeGenerator.cpp:
2872         (JSC::BytecodeGenerator::emitComplexPopScopes):
2873         (JSC::BytecodeGenerator::pushIndexedForInScope):
2874         (JSC::BytecodeGenerator::pushStructureForInScope):
2875         * bytecompiler/BytecodeGenerator.h:
2876         * tests/stress/finally-for-in.js: Added.
2877         (repeat):
2878         (createSimple):
2879
2880 2016-06-28  Saam Barati  <sbarati@apple.com>
2881
2882         Assertion failure or crash when accessing let-variable in TDZ with eval with a function in it that returns let variable
2883         https://bugs.webkit.org/show_bug.cgi?id=158796
2884         <rdar://problem/26984659>
2885
2886         Reviewed by Michael Saboff.
2887
2888         There was a bug where some functions inside of an eval were
2889         omitting a necessary TDZ check. This obviously leads to bad
2890         things because a variable under TDZ is the null pointer.
2891         The eval's bytecode was generated with the correct TDZ set, but 
2892         it created all its functions before pushing that TDZ set onto
2893         the stack. That's a mistake. Those functions need to be created with
2894         that TDZ set. The solution is simple: the TDZ set that the eval
2895         is created with needs to be pushed onto the TDZ stack before
2896         the eval creates any functions.
2897
2898         * bytecompiler/BytecodeGenerator.cpp:
2899         (JSC::BytecodeGenerator::BytecodeGenerator):
2900         * tests/stress/variable-under-tdz-eval-tricky.js: Added.
2901         (assert):
2902         (throw.new.Error):
2903         (assert.try.underTDZ):
2904
2905 2016-06-28  Michael Saboff  <msaboff@apple.com>
2906
2907         REGRESSION (r200946): Improper backtracking from last alternative in sticky patterns
2908         https://bugs.webkit.org/show_bug.cgi?id=159233
2909
2910         Reviewed by Mark Lam.
2911
2912         Jump to fail exit code when the last alternative of a sticky pattern fails.
2913
2914         * yarr/YarrJIT.cpp:
2915         (JSC::Yarr::YarrGenerator::backtrack):
2916
2917 2016-06-28  Saam Barati  <sbarati@apple.com>
2918
2919         some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct
2920         https://bugs.webkit.org/show_bug.cgi?id=159198
2921         <rdar://problem/26302360>
2922
2923         Reviewed by Filip Pizlo.
2924
2925         Firing a watchpoint may cause a GC to happen. This GC could destroy various
2926         Watchpoints themselves while they're in the process of firing. It's not safe
2927         for most Watchpoints to be destructed while they're in the middle of firing.
2928         This GC could also destroy the WatchpointSet itself, and it's not in a safe
2929         state to be destroyed. WatchpointSet::fireAllWatchpoints now defers gc for a
2930         while. This prevents a GC from destructing any Watchpoints while they're
2931         in the process of firing. This bug was being hit by the stress GC bots
2932         because we would destruct a particular Watchpoint while it was firing,
2933         and then we would access its field after it had already been destroyed.
2934         This was causing all kinds of weird symptoms. Also, this was easier to
2935         catch when running with guard malloc because the first access after
2936         destruction would lead to a crash.
2937
2938         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2939         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2940         * bytecode/CodeBlock.cpp:
2941         (JSC::CodeBlock::finishCreation):
2942         * bytecode/VariableWriteFireDetail.cpp:
2943         (JSC::VariableWriteFireDetail::dump):
2944         (JSC::VariableWriteFireDetail::touch):
2945         * bytecode/VariableWriteFireDetail.h:
2946         * bytecode/Watchpoint.cpp:
2947         (JSC::WatchpointSet::add):
2948         (JSC::WatchpointSet::fireAllSlow):
2949         (JSC::WatchpointSet::fireAllWatchpoints):
2950         (JSC::InlineWatchpointSet::add):
2951         (JSC::InlineWatchpointSet::fireAll):
2952         (JSC::InlineWatchpointSet::inflateSlow):
2953         * bytecode/Watchpoint.h:
2954         (JSC::WatchpointSet::startWatching):
2955         (JSC::WatchpointSet::fireAll):
2956         (JSC::WatchpointSet::touch):
2957         (JSC::WatchpointSet::invalidate):
2958         (JSC::WatchpointSet::isBeingWatched):
2959         (JSC::WatchpointSet::offsetOfState):
2960         (JSC::WatchpointSet::addressOfSetIsNotEmpty):
2961         (JSC::InlineWatchpointSet::startWatching):
2962         (JSC::InlineWatchpointSet::fireAll):
2963         (JSC::InlineWatchpointSet::invalidate):
2964         (JSC::InlineWatchpointSet::touch):
2965         * bytecompiler/BytecodeGenerator.cpp:
2966         (JSC::BytecodeGenerator::BytecodeGenerator):
2967         * dfg/DFGOperations.cpp:
2968         * interpreter/Interpreter.cpp:
2969         (JSC::Interpreter::execute):
2970         * jit/JITOperations.cpp:
2971         * jsc.cpp:
2972         (WTF::Masquerader::create):
2973         * llint/LLIntSlowPaths.cpp:
2974         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2975         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2976         (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
2977         * runtime/FunctionRareData.cpp:
2978         (JSC::FunctionRareData::clear):
2979         * runtime/InferredType.cpp:
2980         (JSC::InferredType::willStoreValueSlow):
2981         (JSC::InferredType::makeTopSlow):
2982         (JSC::InferredType::set):
2983         (JSC::InferredType::removeStructure):
2984         (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
2985         * runtime/InferredValue.cpp:
2986         (JSC::InferredValue::notifyWriteSlow):
2987         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
2988         * runtime/InferredValue.h:
2989         (JSC::InferredValue::notifyWrite):
2990         (JSC::InferredValue::invalidate):
2991         * runtime/JSGlobalObject.cpp:
2992         (JSC::JSGlobalObject::haveABadTime):
2993         * runtime/JSSymbolTableObject.h:
2994         (JSC::symbolTablePutTouchWatchpointSet):
2995         (JSC::symbolTablePutInvalidateWatchpointSet):
2996         * runtime/Structure.cpp:
2997         (JSC::Structure::didCachePropertyReplacement):
2998         (JSC::Structure::startWatchingInternalProperties):
2999         (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
3000         (JSC::DeferredStructureTransitionWatchpointFire::add):
3001         (JSC::Structure::didTransitionFromThisStructure):
3002         (JSC::Structure::prototypeForLookup):
3003         * runtime/StructureInlines.h:
3004         (JSC::Structure::didReplaceProperty):
3005         (JSC::Structure::propertyReplacementWatchpointSet):
3006         * runtime/SymbolTable.h:
3007         (JSC::SymbolTableEntry::isDontEnum):
3008         (JSC::SymbolTableEntry::disableWatching):
3009         * runtime/VM.cpp:
3010         (JSC::VM::addImpureProperty):
3011         (JSC::enableProfilerWithRespectToCount):
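
The following is an added illustration of the ordering problem this entry describes and of the shape of the fix (a GC deferral spanning the whole fire loop). It is not JavaScriptCore's code: Heap, DeferGC, WatchpointSet, FireReport and runScenario are hypothetical stand-ins written for this page, and the "collector" is reduced to a list of finalizers that empties the set. With deferral off, the first callback's collection empties the set while firing is still in progress, so the remaining watchpoints never fire (and, in the real engine, the one still executing would be accessed after destruction); with deferral on, every watchpoint fires and the collection runs once the loop has finished with them.

```cpp
// Added example: deferring GC while a WatchpointSet fires. Not JavaScriptCore's code;
// Heap, DeferGC, WatchpointSet and FireReport are hypothetical stand-ins reduced to the
// ordering problem the ChangeLog entry describes.
#include <cstddef>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

class Heap;

// RAII scope: while at least one DeferGC is alive, Heap::collect() only records the
// request; the collection runs when the outermost scope ends.
class DeferGC {
public:
    explicit DeferGC(Heap& heap);
    ~DeferGC();
private:
    Heap& m_heap;
};

class Heap {
public:
    // Finalizers stand in for the destructors the collector would run on dead objects.
    void addFinalizer(std::function<void()> finalizer) { m_finalizers.push_back(std::move(finalizer)); }

    // A collection requested inside a DeferGC scope is postponed, not dropped.
    void collect() {
        if (m_deferCount) { m_collectionPending = true; return; }
        runCollection();
    }
    unsigned collections() const { return m_collections; }

private:
    friend class DeferGC;
    void runCollection() {
        m_collectionPending = false;
        ++m_collections;
        auto finalizers = std::move(m_finalizers);
        m_finalizers.clear();
        for (auto& finalizer : finalizers) finalizer();
    }
    unsigned m_deferCount = 0;
    bool m_collectionPending = false;
    unsigned m_collections = 0;
    std::vector<std::function<void()>> m_finalizers;
};

DeferGC::DeferGC(Heap& heap) : m_heap(heap) { ++m_heap.m_deferCount; }
DeferGC::~DeferGC() {
    if (--m_heap.m_deferCount == 0 && m_heap.m_collectionPending) m_heap.runCollection();
}

struct FireReport {
    unsigned fired = 0;                // callbacks that actually ran
    bool collectedWhileFiring = false; // a collection ran before the loop was done
    unsigned collectionsAfter = 0;     // collections completed once fireAll returned
};

class WatchpointSet {
public:
    void add(std::function<void(Heap&)> fireInternal) { m_watchpoints.push_back(std::move(fireInternal)); }
    void clear() { m_watchpoints.clear(); }

    // deferGC=false is the pre-fix behaviour; deferGC=true mirrors the fix, where a
    // DeferGC spans the whole loop so a callback-triggered collection runs afterwards.
    FireReport fireAllWatchpoints(Heap& heap, bool deferGC) {
        FireReport report;
        std::unique_ptr<DeferGC> guard;
        if (deferGC) guard = std::make_unique<DeferGC>(heap);
        unsigned before = heap.collections();
        // Index loop plus a copy of the callback: if the collector empties the set mid-loop
        // we stop early instead of touching freed storage, so the pre-fix configuration
        // stays observable without undefined behaviour.
        for (std::size_t i = 0; i < m_watchpoints.size(); ++i) {
            auto fireInternal = m_watchpoints[i];
            fireInternal(heap);
            ++report.fired;
            if (heap.collections() != before) report.collectedWhileFiring = true;
        }
        guard.reset(); // scope ends: a pending collection runs now, after the loop
        report.collectionsAfter = heap.collections();
        return report;
    }

private:
    std::vector<std::function<void(Heap&)>> m_watchpoints;
};

// Three watchpoints whose fireInternal may GC (here: always requests a collection),
// with the collector reclaiming the set's storage; returns what happened in what order.
FireReport runScenario(bool deferGC) {
    Heap heap;
    WatchpointSet set;
    heap.addFinalizer([&set] { set.clear(); }); // the collector "destroys" the watchpoints
    for (int i = 0; i < 3; ++i)
        set.add([](Heap& h) { h.collect(); });
    return set.fireAllWatchpoints(heap, deferGC);
}
```

runScenario(false) reports one callback fired and a collection inside the loop; runScenario(true) reports all three fired, no collection during the loop, and exactly one collection completed afterwards. The deferral is a counter rather than a flag so that nested scopes compose, and a collection requested under deferral is remembered rather than dropped, which is the property that keeps memory pressure bounded while making the firing window safe.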
3012
3013 2016-06-28  Filip Pizlo  <fpizlo@apple.com>
3014
3015         JSRopeString should use release asserts, not debug asserts, about substring bounds
3016         https://bugs.webkit.org/show_bug.cgi?id=159227
3017
3018         Reviewed by Saam Barati.
3019         
3020         According to my experiments this change costs nothing.  That's not surprising since the
3021         most common way to construct a rope these days is inlined into the JIT, which does its own
3022         safety checks.  This makes us crash sooner rather than corrupting memory.
3023
3024         * runtime/JSString.h:
3025
3026 2016-06-28  Brian Burg  <bburg@apple.com>
3027
3028         RunLoop::Timer should use constructor templates instead of class templates
3029         https://bugs.webkit.org/show_bug.cgi?id=159153
3030
3031         Reviewed by Alex Christensen.
3032
3033         Remove the RunLoop::Timer class template argument, and pass its constructor
3034         a reference to `this` instead of a pointer to `this`.
3035
3036         * inspector/agents/InspectorHeapAgent.cpp:
3037         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
3038
3039 2016-06-28  Joseph Pecoraro  <pecoraro@apple.com>
3040
3041         Web Inspector: selectElement.options shows unexpected entries in console (named indexes beyond collection length)
3042         https://bugs.webkit.org/show_bug.cgi?id=159192
3043
3044         Reviewed by Timothy Hatcher.
3045
3046         * inspector/InjectedScriptSource.js:
3047         (InjectedScript.prototype.arrayIndexPropertyNames):
3048         Start with an empty array because we just push valid indexes.
3049
3050         (InjectedScript.prototype._propertyDescriptors):
3051         Avoid the >100 length requirement, and always treat the
3052         array-like objects the same. The frontend currently
3053         doesn't show named indexes for arrays anyways, so they
3054         would have been unused.
3055
3056 2016-06-28  Per Arne Vollan  <pvollan@apple.com>
3057
3058         [Win] Skip failing INTL test.
3059         https://bugs.webkit.org/show_bug.cgi?id=159141
3060
3061         Reviewed by Brent Fulgham.
3062
3063         INTL is not enabled on Windows.
3064
3065         * tests/stress/intl-constructors-with-proxy.js:
3066         (shouldBe):
3067
3068 2016-06-28  Joonghun Park  <jh718.park@samsung.com>
3069
3070         [JSC] Fix build break since r202502 - 2
3071         https://bugs.webkit.org/show_bug.cgi?id=159194
3072
3073         Reviewed by Gyuyoung Kim.
3074
3075         Fix for the error message below.
3076         error: control reaches end of non-void function [-Werror=return-type]
3077
3078         * b3/B3TypeMap.h: add #pragma GCC diagnostic ignored "-Wreturn-type".
3079
3080 2016-06-28  Joonghun Park  <jh718.park@samsung.com>
3081
3082         [JSC] Fix build break since r202502
3083         https://bugs.webkit.org/show_bug.cgi?id=159194
3084
3085         Reviewed by Alex Christensen.
3086
3087         Fix for the error message below.
3088         error: control reaches end of non-void function [-Werror=return-type]
3089
3090         * b3/B3TypeMap.h:
3091         (JSC::B3::TypeMap::at): add missing ASSERT_NOT_REACHED().
3092
3093 2016-06-27  Keith Miller  <keith_miller@apple.com>
3094
3095         Fix bad assert in StructureRareData::setObjectToStringValue
3096         https://bugs.webkit.org/show_bug.cgi?id=159171
3097         <rdar://problem/26987355>
3098
3099         Reviewed by Mark Lam.
3100
3101         We should not have expected that generateConditionsForPrototypePropertyHit would succeed.
3102         There are many reasons it might fail including that there is a proxy somewhere on the
3103         prototype chain of the object.
3104
3105         * runtime/StructureRareData.cpp:
3106         (JSC::StructureRareData::setObjectToStringValue):
3107         * tests/stress/object-toString-with-proxy.js: Added.
3108         (get target):
3109
3110 2016-06-27  Filip Pizlo  <fpizlo@apple.com>
3111
3112         Crashing at an unreachable code trap in FTL should give more information
3113         https://bugs.webkit.org/show_bug.cgi?id=159177
3114
3115         Reviewed by Saam Barati.
3116         
3117         This stuffs information into registers so that we have some chance of seeing what happened
3118         by looking at the register dumps.
3119
3120         * assembler/AbortReason.h:
3121         * ftl/FTLLowerDFGToB3.cpp:
3122         (JSC::FTL::DFG::ftlUnreachable):
3123         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
3124         (JSC::FTL::DFG::LowerDFGToB3::crash):
3125
3126 2016-06-27  Filip Pizlo  <fpizlo@apple.com>
3127
3128         Clean up resetting reachability in B3/Air
3129         https://bugs.webkit.org/show_bug.cgi?id=159170
3130
3131         Reviewed by Geoffrey Garen.
3132         
3133         When I fixed bug 159165, I took the brute force approach. I still used the
3134         B3::resetReachability() method, and changed the callback to record the set of deleted values
3135         instead of deleting them eagerly. But this means tracking the set of deleted values, even
3136         though resetReachability() already internally tracks the set of deleted blocks. You can find
3137         out if a value is deleted by asking if its owning block was deleted.
3138         
3139         So, this change refactors B3::resetReachability() into a new helper called
3140         B3::recomputePredecessors(). This new helper skips the block deletion step, and lets the
3141         client delete blocks. This lets Air delete blocks the same way that it did before, and it
3142         lets B3 use the isBlockDead() method (which is a glorified proxy for
3143         block->predecessors().isEmpty()) to track which values are deleted. This allows B3 to turn
3144         Upsilons that point to dead Phis into Nops before deleting the blocks.
3145         
3146         This shouldn't affect performance or anything real. It just makes the code cleaner.
3147
3148         * b3/B3BasicBlockUtils.h:
3149         (JSC::B3::updatePredecessorsAfter):
3150         (JSC::B3::recomputePredecessors):
3151         (JSC::B3::isBlockDead):
3152         (JSC::B3::resetReachability): Deleted.
3153         * b3/B3Procedure.cpp:
3154         (JSC::B3::Procedure::resetReachability):
3155         (JSC::B3::Procedure::invalidateCFG):
3156         * b3/air/AirCode.cpp:
3157         (JSC::B3::Air::Code::resetReachability):
3158         (JSC::B3::Air::Code::dump):
3159
3160 2016-06-27  Brian Burg  <bburg@apple.com>
3161
3162         Web Inspector: CRASH in backend at Inspector::HeapFrontendDispatcher::garbageCollected + 552 when closing frontend/inspected page
3163         https://bugs.webkit.org/show_bug.cgi?id=159075
3164         <rdar://problem/26094341>
3165
3166         Reviewed by Filip Pizlo.
3167
3168         This change caused JSC stress tests to all hit an assertion in RunLoop.
3169         We should use RunLoop::current() to create the RunLoop::Timer since JSC-only
3170         clients like testapi and jsc don't ever call initializeMainRunLoop().
3171
3172         * inspector/agents/InspectorHeapAgent.cpp:
3173         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
3174
3175 2016-06-27  Filip Pizlo  <fpizlo@apple.com>
3176
3177         B3::Procedure::resetReachability() can create dangling references from Upsilons to Phis
3178         https://bugs.webkit.org/show_bug.cgi?id=159165
3179
3180         Reviewed by Mark Lam.
3181         
3182         You can delete an unreachable block that has a Phi but some prior block may still have an
3183         Upsilon pointing to that Phi. This can happen if the Upsilon precedes a Check that always
3184         exits or it can happen if we remove some successor of a block and this block had an Upsilon
3185         for one of the removed successors. These things are valid IR even if they are not canonical.
3186         Our policy for not-canonical-but-valid IR is that the compiler should still emit valid code
3187         in the end.
3188         
3189         The solution is to have Procedure::resetReachability() turn those Upsilons into Nops.
3190
3191         * b3/B3Procedure.cpp:
3192         (JSC::B3::Procedure::resetReachability): Fix the bug.
3193         * b3/B3Validate.h:
3194         * b3/testb3.cpp:
3195         (JSC::B3::testResetReachabilityDanglingReference): Add a test. This always crashes prior to this change.
3196         * dfg/DFGGraph.cpp:
3197         (JSC::DFG::Graph::killUnreachableBlocks): Add a FIXME about a possible similar bug.
3198
3199 2016-06-27  Keith Miller  <keith_miller@apple.com>
3200
3201         Add comment to Module feature in features.json
3202         https://bugs.webkit.org/show_bug.cgi?id=159159
3203
3204         Reviewed by Saam Barati.
3205
3206         * features.json:
3207
3208 2016-06-27  Keith Miller  <keith_miller@apple.com>
3209
3210         Update features.json for ES6 completed features.
3211         https://bugs.webkit.org/show_bug.cgi?id=159152
3212
3213         Reviewed by Mark Lam.
3214
3215         * features.json:
3216
3217 2016-06-25  Filip Pizlo  <fpizlo@apple.com>
3218
3219         B3 should not use Nops when deleting unreachable code
3220         https://bugs.webkit.org/show_bug.cgi?id=159120
3221         <rdar://problem/26500743>
3222
3223         Reviewed by Michael Saboff.
3224         
3225         Prior to this change, transformations that obviated the need for some value could choose
3226         from these ways to kill it:
3227         
3228         - replaceWithIdentity() if we're replacing with another value.
3229         - replaceWithNop() if the type is Void or if we know that we'll fix any users of this
3230           value.
3231         - deleteValue() if the code is unreachable.
3232         
3233         The bug here is that reduceStrength() was being clever about how to get rid of a value.
3234         reduceStrength() may find a Check that must always exit. The goal is to remove any code
3235         dominated by the Check. But it would be awkward to eagerly delete all of the blocks
3236         dominated by this one. So this code took a much simpler approach: it would
3237         replaceWithNop() for all of the values in this block after the Check and it would replace
3238         the terminal with Oops.
3239         
3240         But this corrupts the IR in a subtle way: some of those values may have been non-Void but
3241         now they are Nops so they are Void. reduceStrength() will not yet realize that the blocks
3242         dominated by the one with the Check are unreachable, so it will run all sorts of
3243         optimizations on those blocks. This could have probably manifested as many different kinds
3244         of badness, but the way I found out about this issue was through a crash in
3245         IntRange::top(Type) when inlined into ReduceStrength::rangeFor(). We'd die in a switch
3246         statement over a child's type.
3247         
3248         We could fix this by making rangeFor() tolerate Void. But I think that this would be
3249         dangerous. There could easily be other places in reduceStrength() that assume that a value's
3250         children are non-Void. So, this change fixes the Check optimization and adds mechanisms to
3251         prevent other optimizations from breaking the children-are-not-Void rule.
3252         
3253         This introduces two high-level changes:
3254         
3255         - It's no longer legal to replaceWithNop() if the value is not Void. This change alone
3256           would cause reduceStrength() to instacrash in its Check optimization. Almost all other
3257           uses of replaceWithNop() were already following this rule, so they were fine. One other
3258           place was using replaceWithNop() on non-Void values after arranging for them to no
3259           longer have any parents. That was changed to call replaceWithNopIgnoringType(), which
3260           doesn't have any type assertions.
3261         
3262         - For reduceStrength() there is a new Value::replaceWithBottom() method that works with
3263           Void or non-Void and behaves like you would want replaceWithNop() to behave: if you know
3264           that the code is unreachable then it produces something that is guaranteed to be deleted
3265           by later optimizations, and if it's not unreachable, then it's guaranteed to be compiled
3266           to something harmless and cheap. This means replacing the value with an identity that
3267           points to a bottom constant (the 0 for whatever type we have), or just replacing it with
3268           Nop if it's Void.
3269         
3270         This also adds a test case for the reason why we do this: we may have two blocks, where
3271         the first block unconditionally exits while dominating the second block. The second block
3272         references values in the part of the first block that is unreachable. In trunk, this test
3273         would assert in ReduceStrength::rangeFor() because the CheckAdd in the second block would
3274         reference a Nop in the first block.
3275         
3276         This fixes a high volume crash in ReduceStrength::rangeFor(). This crash was very
3277         confusing. Even though we were crashing at a RELEASE_ASSERT_NOT_REACHED() in a switch
3278         statement in IntRange::top(Type), clang was merging that trap with the trap it used for
3279         Vector OOB. The top of the stack in crash dumps looked like:
3280         
3281             JSC::B3::(anonymous namespace)::ReduceStrength::rangeFor(JSC::B3::Value*, unsigned int) + 4477 (Vector.h:655)
3282         
3283         Where Vector.h:655 is:
3284         
3285             OverflowHandler::overflowed();
3286
3287         But this crash was not at Vector.h:655. It was at B3ReduceStrength.cpp:121. The two lines
3288         are both traps, so they got merged despite differences in debug info. This bug would have
3289         been so much easier to fix if I had the right line number.
3290
3291         * b3/B3BottomProvider.h: Added. This is a utility for creating bottom values.
3292         (JSC::B3::BottomProvider::BottomProvider):
3293         (JSC::B3::BottomProvider::operator()):
3294         * b3/B3InsertionSet.cpp: Optimized adding bottom values a bit. We will no longer create pointless duplicates.
3295         (JSC::B3::InsertionSet::insertBottom):
3296         (JSC::B3::InsertionSet::execute):
3297         (JSC::B3::InsertionSet::bottomForType):
3298         * b3/B3InsertionSet.h:
3299         * b3/B3MoveConstants.cpp: Use replaceWithNopIgnoringType() because we *know* that we can replaceWithNop even for non-Void.
3300         * b3/B3Procedure.h:
3301         * b3/B3ReduceStrength.cpp: Use replaceWithBottom().
3302         * b3/B3ReduceStrength.h:
3303         * b3/B3TypeMap.h: I figured if I wrote type-casing code like this once then I'd never want to write it again.
3304         * b3/B3Value.cpp:
3305         (JSC::B3::Value::replaceWithIdentity):
3306         (JSC::B3::Value::replaceWithNop):
3307         (JSC::B3::Value::replaceWithNopIgnoringType):
3308         * b3/B3Value.h:
3309         * b3/B3ValueInlines.h:
3310         (JSC::B3::Value::replaceWithBottom): This is the new method of killing unreachable code.
3311         (JSC::B3::Value::as):
3312         * b3/testb3.cpp: Add new tests!
3313         (JSC::B3::testLateRegister):
3314         (JSC::B3::testReduceStrengthCheckBottomUseInAnotherBlock):
3315         (JSC::B3::zero):
3316         (JSC::B3::run):
3317
3318 2016-06-27  Joseph Pecoraro  <pecoraro@apple.com>
3319
3320         REGRESSION: Web Inspector: Text search broken in resources with <CR>
3321         https://bugs.webkit.org/show_bug.cgi?id=159110
3322         <rdar://problem/27008485>
3323
3324         Reviewed by Brian Burg.
3325
3326         * inspector/ContentSearchUtilities.cpp:
3327         (Inspector::ContentSearchUtilities::lineEndings):
3328         The frontend moved to only treating newlines as line endings in
3329         the TextEditor. The backend however was looking for many
3330         different types of line endings (\r\n, \r, \n). This caused
3331         the line endings to ultimately differ between the frontend
3332         and the backend, so the frontend couldn't find the lines that
3333         the backend was claiming search results were on. Change the
3334         backend to only look for \n line endings.
3335
3336 2016-06-27  Brian Burg  <bburg@apple.com>
3337
3338         Web Inspector: CRASH in backend at Inspector::HeapFrontendDispatcher::garbageCollected + 552 when closing frontend/inspected page
3339         https://bugs.webkit.org/show_bug.cgi?id=159075
3340         <rdar://problem/26094341>
3341
3342         Reviewed by Timothy Hatcher.
3343
3344         Move the asynchronous work to a task class that can be cancelled when the
3345         heap agent is reset, disabled or destroyed.
3346
3347         * inspector/agents/InspectorHeapAgent.cpp:
3348         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
3349         (Inspector::SendGarbageCollectionEventsTask::addGarbageCollection):
3350         (Inspector::SendGarbageCollectionEventsTask::reset):
3351         (Inspector::SendGarbageCollectionEventsTask::timerFired):
3352         Added. This holds onto GarbageCollectionData that needs to be sent asynchronously.
3353         It uses the RunLoop variant of Timer and can queue multiple collections to be sent.
3354         The data vector is guarded with a lock so that garbageCollected() can safely add
3355         collection data from a non-main thread while the main thread sends out events.
3356