Unreviewed, rolling out r204697
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, rolling out r204697
        https://bugs.webkit.org/show_bug.cgi?id=161029

        32bit is OK. DFGSpeculativeJIT64.cpp shortcut also needs some care.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Should not fixup AnyIntUse in 32_64
        https://bugs.webkit.org/show_bug.cgi?id=161029

        Reviewed by Saam Barati.

        DFG fixup phase uses AnyIntUse even in 32bit DFG. This patch removes this incorrect filtering.
        If the 32bit DFG sees the TypeAnyInt, it should fall back to the NumberUse case.

        And this patch also fixes the case that the type set only contains TypeNumber. Previously,
        we used NumberUse edge filtering. But it misses AnyInt logging: While the NumberUse filter
        passes both TypeAnyInt and TypeNumber, the type set only logged TypeNumber.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2016-08-20  Brian Burg  <bburg@apple.com>

        Remote Inspector: some methods don't need to be marked virtual anymore
        https://bugs.webkit.org/show_bug.cgi?id=161033

        Reviewed by Darin Adler.

        This probably happened when this code was last refactored and moved around.

        * inspector/remote/RemoteConnectionToTarget.h:

2016-08-19  Sam Weinig  <sam@webkit.org>

        Location.ancestorOrigins should return a FrozenArray<USVString>
        https://bugs.webkit.org/show_bug.cgi?id=161018

        Reviewed by Ryosuke Niwa and Chris Dumez.

        * runtime/ObjectConstructor.h:
        (JSC::objectConstructorFreeze):
        Export objectConstructorFreeze so it can be used to freeze DOM FrozenArrays.

2016-08-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] ArithSqrt should work with any argument type
        https://bugs.webkit.org/show_bug.cgi?id=160954

        Reviewed by Saam Barati.

        Previously, ArithSqrt would always OSR Exit if the argument
        was not typed Integer, Double, or Boolean.
        Since we can't recover by generalizing to those, we continuously
        OSR Exit and recompile the same code over and over again.

        This patch introduces a fallback to handle the remaining types.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        * dfg/DFGMayExit.cpp:
        This is somewhat unrelated. While discussing the design of this
        with Filip, we decided not to use ToNumber+ArithSqrt despite
        the guarantee that ToNumber does not OSR Exit.
        Since it does not OSR Exit, we should say so in mayExitImpl().

        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSqrt):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt):

2016-08-19  Joseph Pecoraro  <pecoraro@apple.com>

        Make custom Error properties (line, column, sourceURL) configurable and writable
        https://bugs.webkit.org/show_bug.cgi?id=160984
        <rdar://problem/27905979>

        Reviewed by Saam Barati.

        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):
        (JSC::addErrorInfo):

2016-08-19  Joseph Pecoraro  <pecoraro@apple.com>

        Remove empty files and empty namespace blocks
        https://bugs.webkit.org/show_bug.cgi?id=160990

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ValueProfile.cpp: Removed.
        * runtime/WatchdogMac.cpp: Removed.
        * runtime/WatchdogNone.cpp: Removed.

        * runtime/StringIteratorPrototype.cpp:
        Remove empty namespace block.

        * runtime/JSDestructibleObject.h:
        Drive-by add missing copyright.

2016-08-19  Per Arne Vollan  <pvollan@apple.com>

        [Win] Warning fix.
        https://bugs.webkit.org/show_bug.cgi?id=160995

        Avoid setting unknown compile option on source file.

        Reviewed by Anders Carlsson.

        * CMakeLists.txt:

2016-08-18  Mark Lam  <mark.lam@apple.com>

        ScopedArguments is using the wrong owner object for a write barrier.
        https://bugs.webkit.org/show_bug.cgi?id=160976
        <rdar://problem/27328506>

        Reviewed by Keith Miller.

        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::setIndexQuickly):

2016-08-18  Mark Lam  <mark.lam@apple.com>

        Add LLINT probe() macro for X86_64.
        https://bugs.webkit.org/show_bug.cgi?id=160968

        Reviewed by Geoffrey Garen.

        * llint/LowLevelInterpreter.asm:

2016-08-18  Mark Lam  <mark.lam@apple.com>

        Remove unused SlotVisitor::append() variant.
        https://bugs.webkit.org/show_bug.cgi?id=160961

        Reviewed by Saam Barati.

        * heap/SlotVisitor.h:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrier::get):
        (JSC::SlotVisitor::append): Deleted.

2016-08-18  Saam Barati  <sbarati@apple.com>

        Make @Array(size) a bytecode intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=160867

        Reviewed by Mark Lam.

        There were a few places in the code where we were emitting `@Array(size)`
        or `new @Array(size)`. Since we have a bytecode operation that already
        represents this, called new_array_with_size, it's faster to just make a
        bytecode intrinsic for this operation. This patch does that and
        the intrinsic is called `@newArrayWithSize`. This might be around a
        1% speedup on ES6 sample bench, but it's within the noise. This is just
        a good bytecode operation to have because it's common enough to
        create arrays and it's good to make that fast in all tiers.

        * builtins/ArrayConstructor.js:
        (of):
        (from):
        * builtins/ArrayPrototype.js:
        (filter):
        (map):
        (sort.stringSort):
        (sort):
        (concatSlowPath):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_newArrayWithSize):

2016-08-18  Rawinder Singh  <rawinder.singh-webkit@cisra.canon.com.au>

        [web-animations] Add Animatable, AnimationEffect, KeyframeEffect and Animation interface
        https://bugs.webkit.org/show_bug.cgi?id=156096

        Reviewed by Dean Jackson.

        Adds:
        - Animatable interface and implementation of getAnimations in Element.
        - Interface and implementation for Document getAnimations method.
        - AnimationEffect interface and class stub.
        - KeyframeEffect interface and constructor implementation.
        - 'Animation' interface, constructor and query methods for effect and timeline.
        - Remove runtime condition on Web animation interfaces (compile time flag is specified).

        * runtime/CommonIdentifiers.h:

2016-08-17  Keith Miller  <keith_miller@apple.com>

        Add WASM support for i64 simple opcodes.
        https://bugs.webkit.org/show_bug.cgi?id=160928

        Reviewed by Michael Saboff.

        This patch also removes the unsigned int32 mod operator, which is not supported by B3 yet.

        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::toB3Op):
        (JSC::WASM::B3IRGenerator::unaryOp):
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMOps.h:

2016-08-17  JF Bastien  <jfbastien@apple.com>

        We allow assignments to const variables when in a for-in/for-of loop
        https://bugs.webkit.org/show_bug.cgi?id=156673

        Reviewed by Filip Pizlo.

        for-in and for-of weren't checking whether iteration variables from
        parent scopes were const. Assigning to such variables should
        throw, but used not to.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):

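The behaviour the entry above fixes, shown as an added example in plain JavaScript (this is not JavaScriptCore's own code or test suite): a `const` binding declared in an enclosing scope is used as the iteration variable of for-in and for-of loops. Per the ECMAScript spec each iteration performs PutValue on that binding, so the write must throw a TypeError, whereas a `let` binding in the same position is simply updated. The helper names are this example's own.

```javascript
// Added example, not JavaScriptCore code: iteration variables that are const
// bindings from a parent scope must throw when the loop assigns to them.

// Run `body` and report whether it threw a TypeError, which is what the spec
// requires for a write to an immutable (const) binding.
function throwsTypeError(body) {
  try {
    body();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// for-of: `x` is const in the parent scope, and the loop lives in an inner
// function, so the check cannot be done by looking at the loop's own scope.
function forOfFromParentScope() {
  const x = 0;
  function loop() {
    for (x of [1, 2, 3]) {}
  }
  return throwsTypeError(loop) && x === 0;
}

// for-in: the same situation with a property-key loop.
function forInFromParentScope() {
  const key = "";
  function loop() {
    for (key in { a: 1, b: 2 }) {}
  }
  return throwsTypeError(loop) && key === "";
}

// Control: a `let` binding from the parent scope is a legal target and ends
// up holding the last iterated value.
function forOfWithLetBinding() {
  let x = 0;
  function loop() {
    for (x of [1, 2, 3]) {}
  }
  loop();
  return x;
}
```

The inner `loop` function is the point of the example: the loop head names a binding it does not own, which is exactly the "iteration variable from a parent scope" case that the bytecode generator had to start checking.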
2016-08-17  Geoffrey Garen  <ggaren@apple.com>

        Fixed a potential bug in MarkedArgumentBuffer.
        https://bugs.webkit.org/show_bug.cgi?id=160948
        <rdar://problem/27889416>

        Reviewed by Oliver Hunt.

        I haven't been able to produce an observable test case after some trying.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::addMarkSet): New helper function -- I broke
        this out from existing code for clarity, but the behavior is the same.

        (JSC::MarkedArgumentBuffer::expandCapacity): Ditto.

        (JSC::MarkedArgumentBuffer::slowAppend): Always addMarkSet() on the slow
        path. This is faster than the old linear scan, and I think it might
        avoid cases the old scan could miss.

        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::append): Account for the case where someone
        has called clear() or removeLast().

        (JSC::MarkedArgumentBuffer::mallocBase): No behavior change -- but it's
        clearer to test the buffers directly instead of inferring what they
        might be based on capacity.

2016-08-17  Mark Lam  <mark.lam@apple.com>

        Remove an invalid assertion in the DFG backend's GetById emitter.
        https://bugs.webkit.org/show_bug.cgi?id=160925
        <rdar://problem/27248961>

        Reviewed by Filip Pizlo.

        The DFG backend's GetById assertion that the node's prediction not be SpecNone
        is just plain wrong.  It assumes that we can never have a GetById node without a
        type prediction, but this is not true.  The following test case proves otherwise:

            function foo() {
                "use strict";
                return --arguments["callee"];
            }

        Will remove the assertion.  Nothing else needs to change as the DFG is working
        correctly without the assertion.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-08-16  Mark Lam  <mark.lam@apple.com>

        Heap::collectAllGarbage() should work with JSC_useImmortalObjects=true.
        https://bugs.webkit.org/show_bug.cgi?id=160917

        Reviewed by Filip Pizlo.

        If we do a synchronous GC when JSC_useImmortalObjects=true, we'll get a
        RELEASE_ASSERT failure:

            $ JSC_useImmortalObjects=true jsc
            >>> gc()
            Trace/BPT trap: 5

        This is because Heap::collectAllGarbage() is doing an explicit sweep of the
        MarkedSpace, and the sweeper is expecting to see no RetiredBlocks.  However, we
        make objects immortal by retiring their blocks.  As a result, there is a mismatch
        in expectancy.

        The fix is simply to not run the sweeper when JSC_useImmortalObjects=true.

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):

2016-08-16  Keith Miller  <keith_miller@apple.com>

        Add WASM I32 simple operators.
        https://bugs.webkit.org/show_bug.cgi?id=160914

        Reviewed by Benjamin Poulain.

        This patch adds support for the i32 simple binary operators.

        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::toB3Op):
        (JSC::WASM::B3IRGenerator::binaryOp):
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMOps.h:

2016-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Conversion to sequence<T> is broken for iterable objects
        https://bugs.webkit.org/show_bug.cgi?id=160801

        Reviewed by Darin Adler.

        Export functions used to iterate over iterable objects.

        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable):

2016-08-15  Benjamin Poulain  <bpoulain@apple.com>

        [Regression 204203-204210] 32-bit ASSERTION FAILED: !m_data[index].name.isValid()
        https://bugs.webkit.org/show_bug.cgi?id=160881

        Reviewed by Mark Lam.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        We were trying to set the result of the Identity node to the same
        value as the source of the Identity.
        That is pretty messed up.

2016-08-15  Saam Barati  <sbarati@apple.com>

        Web Inspector: Introduce a method to enable code coverage profiler without enabling type profiler
        https://bugs.webkit.org/show_bug.cgi?id=160750
        <rdar://problem/27793469>

        Reviewed by Joseph Pecoraro.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::enableControlFlowProfiler):
        (Inspector::InspectorRuntimeAgent::disableControlFlowProfiler):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
        (Inspector::InspectorRuntimeAgent::setControlFlowProfilerEnabledState):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2016-08-15  Saam Barati  <sbarati@apple.com>

        Array.prototype.map builtin should go on the fast path when constructor===@Array
        https://bugs.webkit.org/show_bug.cgi?id=160836

        Reviewed by Keith Miller.

        In the FTL, we were not compiling the result array in Array.prototype.map
        efficiently when the result array should use the Array constructor
        (which is the common case). We used to compile it as:
        x: JSConstant(Array)
        y: Construct(@x, ...)
        instead of
        y: NewArrayWithSize(...)

        This patch changes the builtin to go down the fast path when certain
        conditions are met. Often, the check to go down the fast path will
        be constant folded because we always create a normal array from the
        Array constructor.

        This is around a 5% speedup on ES6 Sample Bench.

        I also made similar changes for Array.prototype.filter
        and Array.prototype.concat on its slow path.

        * builtins/ArrayPrototype.js:

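As an added example (not the builtins/ArrayPrototype.js code itself), here is the species logic that the builtin's fast-path check corresponds to, written in plain JavaScript: ArraySpeciesCreate from the spec, which hands back a plain Array immediately when the receiver's `constructor` is the intrinsic Array (the case JSC can compile to NewArrayWithSize, since no user code can run there) and consults Symbol.species only otherwise. The `fastPath` flag, the function names and the `TaggedArray` subclass are this example's own.

```javascript
// Added example, not JavaScriptCore's builtin: ArraySpeciesCreate with the
// "constructor === Array" fast path that Array.prototype.map relies on.
function arraySpeciesCreate(original, length) {
  // Non-arrays always get a plain Array (spec: ArrayCreate(length)).
  if (!Array.isArray(original))
    return { array: new Array(length), fastPath: true };
  let C = original.constructor;
  // Fast path: the common case where `constructor` is the intrinsic Array.
  // No user code runs on this path, which is what lets the engine allocate
  // the result directly instead of emitting a generic Construct.
  if (C === undefined || C === Array)
    return { array: new Array(length), fastPath: true };
  // Slow path: honour Symbol.species (functions are objects, so they qualify).
  if (C !== null && (typeof C === "object" || typeof C === "function")) {
    C = C[Symbol.species];
    if (C === null) C = undefined;
  }
  if (C === undefined)
    return { array: new Array(length), fastPath: false };
  // typeof === "function" approximates the spec's IsConstructor check.
  if (typeof C !== "function")
    throw new TypeError("constructor[Symbol.species] is not a constructor");
  return { array: new C(length), fastPath: false };
}

// A map that also reports which allocation path the result array took.
function mapWithSpecies(array, fn) {
  const length = array.length;
  const { array: result, fastPath } = arraySpeciesCreate(array, length);
  for (let i = 0; i < length; i++) {
    if (i in array)             // holes are skipped, as in the spec algorithm
      result[i] = fn(array[i], i, array);
  }
  return { result, fastPath };
}

// Subclass used to exercise the species (slow) path.
class TaggedArray extends Array {}
```

A plain array literal takes the fast path; an Array subclass, or an object whose `constructor` has been replaced, forces the species lookup, which is why the engine cannot skip the check entirely and only folds it away when the receiver's constructor is provably Array.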
2016-08-15  Mark Lam  <mark.lam@apple.com>

        Make JSValue::strictEqual() handle failures to resolve JSRopeStrings.
        https://bugs.webkit.org/show_bug.cgi?id=160832
        <rdar://problem/27577556>

        Reviewed by Geoffrey Garen.

        Currently, JSValue::strictEqualSlowCaseInline() (and peers) will blindly try to
        access the StringImpl of a JSRopeString that fails to resolve its rope.  As a
        result, we'll crash with null pointer dereferences.

        We can fix this by introducing a JSString::equal() method that will do the
        equality comparison, but is aware of the potential failures to resolve ropes.
        JSValue::strictEqualSlowCaseInline() (and peers) will now call JSString::equal()
        instead of accessing the underlying StringImpl directly.

        Also added some exception checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITOperations.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSString.cpp:
        (JSC::JSString::equalSlowCase):
        * runtime/JSString.h:
        * runtime/JSStringInlines.h: Added.
        (JSC::JSString::equal):

2016-08-15  Keith Miller  <keith_miller@apple.com>

        Implement WASM Parser and B3 IR generator
        https://bugs.webkit.org/show_bug.cgi?id=160681

        Reviewed by Benjamin Poulain.

        This patch adds the skeleton for a WebAssembly pipeline. The
        pipeline is designed in order to make it easy to have as much of
        the compilation process threaded as possible. The flow of the
        pipeline roughly goes as follows:

        1) Create a WASMPlan with the VM and a Vector of the
        assembly. Currently the plan will process all the work
        synchronously, however, in the future this can be offloaded to
        other threads.

        2) The plan will run the WASMModuleParser, which collates all the
        information needed to compile each module function
        independently. Since we are still in the early phases, the only
        information is the starting and ending byte of the function's
        body. The module parser, however, still scans both and
        semi-validates the type and the function sections.

        3) Each function is decoded and compiled. In the future this
        should also include an opcode validation phase. The
        WASMFunctionParser is templatized so that a validator should be
        able to use most of the same code the B3 IR generator does.

        4) When the plan has finished it will fill a Vector of
        B3::Compilation objects that correspond to the respective function
        in the WASM module.

        The current testing plan for the modules is to inline the
        binary generated by the spec's OCaml prototype. The inlined binary
        is passed to a WASMPlan then invoked to check the result of the
        function. In the future we should add a more robust testing
        infrastructure.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * testWASM.cpp:
        (printUsageStatement):
        (CommandLine::parseArguments):
        (invoke):
        (runWASMTests):
        (main):
        * wasm/JSWASMModule.h:
        (JSC::JSWASMModule::globalVariableTypes):
        * wasm/WASMB3IRGenerator.cpp: Added.
        (JSC::WASM::B3IRGenerator::B3IRGenerator):
        (JSC::WASM::B3IRGenerator::addLocal):
        (JSC::WASM::B3IRGenerator::binaryOp):
        (JSC::WASM::B3IRGenerator::addConstant):
        (JSC::WASM::B3IRGenerator::addBlock):
        (JSC::WASM::B3IRGenerator::endBlock):
        (JSC::WASM::B3IRGenerator::addReturn):
        (JSC::WASM::B3IRGenerator::unify):
        (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
        (JSC::WASM::B3IRGenerator::unifyValuesWithLevel):
        (JSC::WASM::B3IRGenerator::stackForControlLevel):
        (JSC::WASM::B3IRGenerator::blockForControlLevel):
        (JSC::WASM::parseAndCompile):
        * wasm/WASMB3IRGenerator.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMFormat.h:
        * wasm/WASMFunctionParser.h: Added.
        (JSC::WASM::WASMFunctionParser<Context>::WASMFunctionParser):
        (JSC::WASM::WASMFunctionParser<Context>::parse):
        (JSC::WASM::WASMFunctionParser<Context>::parseBlock):
        (JSC::WASM::WASMFunctionParser<Context>::parseExpression):
        * wasm/WASMModuleParser.cpp: Added.
        (JSC::WASM::WASMModuleParser::parse):
        (JSC::WASM::WASMModuleParser::parseFunctionTypes):
        (JSC::WASM::WASMModuleParser::parseFunctionSignatures):
        (JSC::WASM::WASMModuleParser::parseFunctionDefinitions):
        * wasm/WASMModuleParser.h: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMModuleParser::WASMModuleParser):
        (JSC::WASM::WASMModuleParser::functionInformation):
        * wasm/WASMOps.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMParser.h: Added.
        (JSC::WASM::WASMParser::parseVarUInt32):
        (JSC::WASM::WASMParser::WASMParser):
        (JSC::WASM::WASMParser::consumeCharacter):
        (JSC::WASM::WASMParser::consumeString):
        (JSC::WASM::WASMParser::parseUInt32):
        (JSC::WASM::WASMParser::parseUInt7):
        (JSC::WASM::WASMParser::parseVarUInt1):
        (JSC::WASM::WASMParser::parseValueType):
        * wasm/WASMPlan.cpp: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::Plan::Plan):
        * wasm/WASMPlan.h: Copied from Source/WTF/wtf/DataLog.h.
        * wasm/WASMSections.cpp: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMSections::lookup):
        * wasm/WASMSections.h: Copied from Source/WTF/wtf/DataLog.h.
        (JSC::WASM::WASMSections::validateOrder):

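The WASMParser helpers listed above (parseVarUInt32 and friends) read the variable-length integers that prefix every section, count and function body, so they are the first place a malformed module can push a parser past the end of its input. As an added example, not JavaScriptCore's parser, here is a bounds-checked reader in plain JavaScript for the same kind of fields. It assumes the WebAssembly binary encoding's varuint32, which is unsigned LEB128 limited to 5 bytes, and a constructed function-bodies layout (a count followed by size-prefixed bodies) that mirrors the "starting and ending byte of the function's body" the module parser records. The class and function names are this example's own.

```javascript
// Added example, not JavaScriptCore code: bounds-checked LEB128 reading for a
// WASM-style binary, returning offsets rather than copying bodies.
class ParseError extends Error {}

class ByteReader {
  constructor(bytes) {       // bytes: Uint8Array
    this.bytes = bytes;
    this.offset = 0;
  }

  // One raw byte; fails cleanly instead of reading past the buffer.
  readByte() {
    if (this.offset >= this.bytes.length)
      throw new ParseError(`unexpected end of input at offset ${this.offset}`);
    return this.bytes[this.offset++];
  }

  // varuint32 (unsigned LEB128): up to 5 groups of 7 bits, least significant
  // first, high bit set on every byte except the last.
  readVarUInt32() {
    let result = 0;
    for (let shift = 0; shift < 35; shift += 7) {
      const byte = this.readByte();
      // The 5th byte can contribute only 4 bits; anything above overflows 32 bits.
      if (shift === 28 && (byte & 0x70) !== 0)
        throw new ParseError("varuint32 overflows 32 bits");
      result = (result | ((byte & 0x7f) << shift)) >>> 0;
      if ((byte & 0x80) === 0) return result;
    }
    throw new ParseError("varuint32 longer than 5 bytes");
  }

  // A length-prefixed blob: the declared length is checked against the
  // remaining input before anything is consumed or allocated.
  readBytes(n) {
    const remaining = this.bytes.length - this.offset;
    if (n > remaining)
      throw new ParseError(`declared length ${n} exceeds remaining ${remaining} bytes`);
    const slice = this.bytes.slice(this.offset, this.offset + n);
    this.offset += n;
    return slice;
  }
}

// Constructed layout: varuint32 count, then `count` bodies each prefixed by a
// varuint32 size. Records only [start, end) offsets, as the module parser does.
function parseFunctionBodies(bytes) {
  const reader = new ByteReader(bytes);
  const count = reader.readVarUInt32();
  const bodies = [];
  for (let i = 0; i < count; i++) {
    const size = reader.readVarUInt32();
    const start = reader.offset;
    reader.readBytes(size);          // rejects a body that overruns the input
    bodies.push({ start, end: reader.offset });
  }
  return bodies;
}

// Helper for exercising the failure paths: true when `fn` raises a ParseError.
function raisesParseError(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof ParseError;
  }
}
```

Two checks carry the weight here: the 5th-byte mask, which rejects encodings that would silently wrap a 32-bit length, and the remaining-input comparison in readBytes, which turns an oversized declared size into a ParseError instead of an out-of-bounds read. A hostile count is harmless on its own because each body read fails at the first size that does not fit.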
2016-08-15  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] B3 Neg opcode should support float
        https://bugs.webkit.org/show_bug.cgi?id=160795

        Reviewed by Geoffrey Garen.

        This is required to implement WASM f32.neg opcode.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::negateFloat):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testNegDouble):
        (JSC::B3::testNegFloat):
        (JSC::B3::testNegFloatWithUselessDoubleConversion):
        (JSC::B3::run):

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Use #pragma once in inspector headers
        https://bugs.webkit.org/show_bug.cgi?id=160861

        Reviewed by Mark Lam.

        * inspector/*.h:

2016-08-15  Daniel Bates  <dabates@apple.com>

        Cannot build WebKit for iOS device using Xcode 7.3/iOS 9.3 public SDK due to missing
        private frameworks and libraries
        https://bugs.webkit.org/show_bug.cgi?id=155931
        <rdar://problem/25807989>

        Reviewed by Dan Bernstein.

        Add directory WebKitLibraries/WebKitPrivateFrameworkStubs/iOS/X to the framework search path
        where X is the major version of the active iOS SDK.

        * Configurations/Base.xcconfig:

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Reduce includes of Debugger.h
        https://bugs.webkit.org/show_bug.cgi?id=160827

        Reviewed by Mark Lam.

        * API/JSTypedArray.cpp:
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * ftl/FTLJITCode.h:
        * inspector/ScriptCallStackFactory.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITOperations.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * parser/Nodes.cpp:
        * parser/Parser.cpp:
        * parser/Parser.h:
        * runtime/Completion.cpp:
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/SamplingProfiler.cpp:
        * runtime/SamplingProfiler.h:
        * runtime/VMEntryScope.cpp:

2016-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused includes of wtf headers
        https://bugs.webkit.org/show_bug.cgi?id=160839

        Reviewed by Alex Christensen.

        * Lots of files.

2016-08-13  Per Arne Vollan  <pvollan@apple.com>

        [Win] Warning fixes.
        https://bugs.webkit.org/show_bug.cgi?id=160803

        Reviewed by Brent Fulgham.

        Initialize local variables.

        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * runtime/Error.cpp:
        (JSC::addErrorInfoAndGetBytecodeOffset):

2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>

        Remove always true JSC::Debugger::needPauseHandling virtual method
        https://bugs.webkit.org/show_bug.cgi?id=160822

        Reviewed by Mark Lam.

        All subclasses return true for this method. Just remove the method.

        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        * inspector/ScriptDebugServer.h:

2016-08-12  Saam Barati  <sbarati@apple.com>

        Inline store loop for CopyRest in DFG and FTL for certain array modes
        https://bugs.webkit.org/show_bug.cgi?id=159612

        Reviewed by Filip Pizlo.

        This patch changes the old copy_rest bytecode to actually allocate the rest array itself.
        The bytecode is now called create_rest with an analogous CreateRest node in the DFG/FTL.
        This allows the bytecode to be in control of what type of indexingType the array is allocated
        with. We always allocate using ArrayWithContiguous storage unless we're havingABadTime().
        This also makes allocating and writing into the array fast. On the fast path, the DFG/FTL
        JIT will fast allocate the array and its storage, and we will do a memmove from the rest
        region of arguments into the array's storage.

        I'm seeing a 1-2% speedup on ES6SampleBench, and about a 2x speedup
        on micro benchmarks that just test rest creation speed.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitRestParameter):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::uses):
        (JSC::DFG::Graph::isWatchingHavingABadTimeWatchpoint):
        (JSC::DFG::Graph::compilation):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::numberOfArgumentsToSkip):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileGetRestLength):
        (JSC::DFG::SpeculativeJIT::compileCopyRest): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetRestLength):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileCopyRest): Deleted.
        * interpreter/CallFrame.h:
        (JSC::ExecState::addressOfArgumentsStart):
        (JSC::ExecState::argument):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_argument_count):
        (JSC::JIT::emit_op_create_rest):
        (JSC::JIT::emit_op_copy_rest): Deleted.
        * jit/JITOperations.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2016-08-12  Ryosuke Niwa  <rniwa@webkit.org>

        Add a helper class for enumerating elements in an iterable object
        https://bugs.webkit.org/show_bug.cgi?id=160800

        Reviewed by Benjamin Poulain.

        Added iteratorForIterable which provides an abstraction for iterating over an iterable object,
        and deployed it in the constructors of Set, WeakSet, Map, and WeakMap.

        Also added a helper function iteratorForIterable, which retrieves the iterator out of an iterable object.

        * runtime/IteratorOperations.cpp:
        (JSC::iteratorForIterable): Added.
        * runtime/IteratorOperations.h:
        (JSC::forEachInIterable): Added.
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):

763 2016-08-12  Joseph Pecoraro  <pecoraro@apple.com>
764
765         Remove unused includes of RefCountedLeakCounter.h
766         https://bugs.webkit.org/show_bug.cgi?id=160817
767
768         Reviewed by Mark Lam.
769
770         * parser/Nodes.cpp:
771         * runtime/Structure.cpp:
772
773 2016-08-12  Pranjal Jumde  <pjumde@apple.com>
774
775         ASSERTION FAILED: : line >= firstLine in BytecodeGenerator::emitExpressionInfo.
776         https://bugs.webkit.org/show_bug.cgi?id=160535
777         <rdar://problem/27328151>
778         
779         Reviewed by Saam Barati.
780
781         lineNumber from the savePoint was not being restored before calling next(), causing a discrepancy in the offset and line for the token.
782
783         * parser/Parser.h:
784         (JSC::Parser::restoreLexerState):
785
786 2016-08-12  Skachkov Oleksandr  <gskachkov@gmail.com>
787
788         [ES2016] Implement Object.entries
789         https://bugs.webkit.org/show_bug.cgi?id=160412
790
791         Reviewed by Saam Barati.
792
793         This patch adds an entries function to Object that returns a list of
794         key+value pairs. The patch follows the
795         spec https://tc39.github.io/ecma262/#sec-object.entries
796
797         * builtins/ObjectConstructor.js:
798         (globalPrivate.enumerableOwnProperties):
799         (entries):
800         * runtime/ObjectConstructor.cpp:
801
802 2016-08-11  Mark Lam  <mark.lam@apple.com>
803
804         OverridesHasInstance should not branch across register allocations.
805         https://bugs.webkit.org/show_bug.cgi?id=160792
806         <rdar://problem/27361778>
807
808         Reviewed by Benjamin Poulain.
809
810         The OverridesHasInstance node has a branch test that is emitted conditionally.
811         It also has a bug where it allocated a register after this branch, which is not
812         allowed and would fail an assertion introduced in https://trac.webkit.org/r145931.
813         From the ChangeLog for r145931:
814
815         "This [assertion that register allocations are not branched around] protects
816         against the case where an allocation could have spilled register contents to free
817         up a register and that spill only occurs on one path of many through the code.
818         A subsequent fill of the spilled register may load garbage."
819
820         Because the branch isn't always emitted, this bug has gone unnoticed until now.
821         This patch fixes this issue by pre-allocating the registers before emitting the
822         branch in OverridesHasInstance.
823
824         Note: this issue is only present in DFGSpeculativeJIT64.cpp.  The 32-bit version
825         is doing it right.
826
827         * dfg/DFGSpeculativeJIT64.cpp:
828         (JSC::DFG::SpeculativeJIT::compile):
829
830 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
831
832         [JSC] Make B3 Return opcode work without arguments
833         https://bugs.webkit.org/show_bug.cgi?id=160787
834
835         Reviewed by Keith Miller.
836
837         We need a way to create functions that do not return values.
838
839         * assembler/MacroAssembler.h:
840         (JSC::MacroAssembler::retVoid):
841         * b3/B3BasicBlock.cpp:
842         (JSC::B3::BasicBlock::appendNewControlValue):
843         * b3/B3LowerToAir.cpp:
844         (JSC::B3::Air::LowerToAir::lower):
845         * b3/B3Validate.cpp:
846         * b3/B3Value.h:
847         * b3/air/AirOpcode.opcodes:
848         * b3/testb3.cpp:
849         (JSC::B3::testReturnVoid):
850         (JSC::B3::run):
851
852 2016-08-11  Mark Lam  <mark.lam@apple.com>
853
854         Gardening: fix gcc builds after r204387. 
855
856         Not reviewed.
857
858         Apparently, gcc is not sophisticated enough to realize that the end of the
859         function is unreachable, and is wrongly complaining about "control reaches end of
860         non-void function".  I'm restoring the RELEASE_ASSERT_NOT_REACHED() and return
861         statement at the end of MarkedBlock::sweepHelper() to appease gcc.
862
863         * heap/MarkedBlock.cpp:
864         (JSC::MarkedBlock::sweepHelper):
865
866 2016-08-11  Alex Christensen  <achristensen@webkit.org>
867
868         Use StringBuilder::appendLiteral when possible don't append result of makeString
869         https://bugs.webkit.org/show_bug.cgi?id=160772
870
871         Reviewed by Sam Weinig.
872
873         * API/tests/ExecutionTimeLimitTest.cpp:
874         (testExecutionTimeLimit):
875         * API/tests/PingPongStackOverflowTest.cpp:
876         (PingPongStackOverflowObject_hasInstance):
877         * bytecompiler/NodesCodegen.cpp:
878         (JSC::ArrayPatternNode::toString):
879         (JSC::RestParameterNode::toString):
880         * runtime/ErrorInstance.cpp:
881         (JSC::ErrorInstance::sanitizedToString):
882         * runtime/Options.cpp:
883         (JSC::Options::dumpOption):
884
885 2016-08-11  Benjamin Poulain  <bpoulain@apple.com>
886
887         [JSC] Revert most of r203808
888         https://bugs.webkit.org/show_bug.cgi?id=160784
889
890         Reviewed by Geoffrey Garen.
891
892         Switching to fastMalloc() caused regressions on Jetstream and Octane
893         on MacBook Air. I was able to get back some of it in the following
894         patches but the tests that never go to FTL are still regressed.
895
896         This patch reverts r203808 except for the node index.
897         Nodes are allocated with the custom allocator like before but they are
898         now also kept in a table, addressed by the node index.
899
900         * CMakeLists.txt:
901         * JavaScriptCore.xcodeproj/project.pbxproj:
902         * b3/B3SparseCollection.h:
903         (JSC::B3::SparseCollection::packIndices): Deleted.
904         * dfg/DFGAllocator.h: Added.
905         (JSC::DFG::Allocator::Region::size):
906         (JSC::DFG::Allocator::Region::headerSize):
907         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
908         (JSC::DFG::Allocator::Region::data):
909         (JSC::DFG::Allocator::Region::isInThisRegion):
910         (JSC::DFG::Allocator::Region::regionFor):
911         (JSC::DFG::Allocator<T>::Allocator):
912         (JSC::DFG::Allocator<T>::~Allocator):
913         (JSC::DFG::Allocator<T>::allocate):
914         (JSC::DFG::Allocator<T>::free):
915         (JSC::DFG::Allocator<T>::freeAll):
916         (JSC::DFG::Allocator<T>::reset):
917         (JSC::DFG::Allocator<T>::indexOf):
918         (JSC::DFG::Allocator<T>::allocatorOf):
919         (JSC::DFG::Allocator<T>::bumpAllocate):
920         (JSC::DFG::Allocator<T>::freeListAllocate):
921         (JSC::DFG::Allocator<T>::allocateSlow):
922         (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
923         (JSC::DFG::Allocator<T>::startBumpingIn):
924         * dfg/DFGDriver.cpp:
925         (JSC::DFG::compileImpl):
926         * dfg/DFGGraph.cpp:
927         (JSC::DFG::Graph::Graph):
928         (JSC::DFG::Graph::~Graph):
929         (JSC::DFG::Graph::addNodeToMapByIndex):
930         (JSC::DFG::Graph::deleteNode):
931         (JSC::DFG::Graph::packNodeIndices):
932         * dfg/DFGGraph.h:
933         (JSC::DFG::Graph::addNode):
934         (JSC::DFG::Graph::maxNodeCount):
935         (JSC::DFG::Graph::nodeAt):
936         * dfg/DFGLongLivedState.cpp: Added.
937         (JSC::DFG::LongLivedState::LongLivedState):
938         (JSC::DFG::LongLivedState::~LongLivedState):
939         (JSC::DFG::LongLivedState::shrinkToFit):
940         * dfg/DFGLongLivedState.h: Added.
941         * dfg/DFGNode.h:
942         * dfg/DFGNodeAllocator.h: Added.
943         (operator new ):
944         * dfg/DFGPlan.cpp:
945         (JSC::DFG::Plan::compileInThread):
946         (JSC::DFG::Plan::compileInThreadImpl):
947         * dfg/DFGPlan.h:
948         * dfg/DFGWorklist.cpp:
949         (JSC::DFG::Worklist::runThread):
950         * runtime/VM.cpp:
951         (JSC::VM::VM):
952         * runtime/VM.h:
953
954 2016-08-11  Mark Lam  <mark.lam@apple.com>
955
956         The jsc shell's Element host constructor should throw if it fails to construct an object.
957         https://bugs.webkit.org/show_bug.cgi?id=160773
958         <rdar://problem/27328608>
959
960         Reviewed by Saam Barati.
961
962         The Element object is a test object provided in the jsc shell for testing use only.
963         JavaScriptCore expects host constructors to either throw an error or return a
964         constructed object.  Element has a host constructor that did not obey this contract.
965         As a result, the following statement will fail a RELEASE_ASSERT:
966
967             new (Element.bind())
968
969         This is now fixed.
970
971         * jsc.cpp:
972         (functionCreateElement):
973
974 2016-08-11  Mark Lam  <mark.lam@apple.com>
975
976         Disallow synchronous sweeping for eden GCs.
977         https://bugs.webkit.org/show_bug.cgi?id=160716
978
979         Reviewed by Geoffrey Garen.
980
981         * heap/Heap.cpp:
982         (JSC::Heap::collectAllGarbage):
983         (JSC::Heap::collectAndSweep): Deleted.
984         * heap/Heap.h:
985         (JSC::Heap::collectAllGarbage): Deleted.
986         - No need for a separate collectAndSweep() anymore since we only call it for
987           FullCollections.
988         - Since we've already swept all the blocks, I cleared m_blockSnapshot so that the
989           IncrementalSweeper can bail earlier when it runs later.
990
991         * heap/MarkedBlock.cpp:
992         (JSC::MarkedBlock::sweepHelper):
993         - Removed the unreachable return statement.
994
995         * heap/MarkedBlock.h:
996         - Document what "Retired" means.
997
998         * tools/JSDollarVMPrototype.cpp:
999         (JSC::JSDollarVMPrototype::edenGC):
1000
1001 2016-08-11  Per Arne Vollan  <pvollan@apple.com>
1002
1003         [Win] Warning fix.
1004         https://bugs.webkit.org/show_bug.cgi?id=160734
1005
1006         Reviewed by Sam Weinig.
1007
1008         Add static cast from int to uint32_t.
1009
1010         * bytecode/ArithProfile.h:
1011
1012 2016-08-10  Michael Saboff  <msaboff@apple.com>
1013
1014         Baseline GetByVal and PutByVal for cache ID stubs need to handle exceptions
1015         https://bugs.webkit.org/show_bug.cgi?id=160749
1016
1017         Reviewed by Filip Pizlo.
1018
1019         We were emitting "callOperation()" calls in emitGetByValWithCachedId() and
1020         emitPutByValWithCachedId() without linking the exception checks created by the
1021         code emitted.  This manifested itself in various ways depending on the processor.
1022         This is due to what the destination is for an unlinked branch.  On X86, an unlinked
1023         branch goes to the next instruction.  On ARM64, we end up with an infinite loop
1024         as we branch to the same instruction.  On ARM we branch to 0 as the branch is to
1025         an absolute address of 0.
1026
1027         Now we save the exception handler address for the original generated function and
1028         link the exception cases for these by-val stubs to this handler.
1029
1030         * bytecode/ByValInfo.h:
1031         (JSC::ByValInfo::ByValInfo): Added the address of the exception handler we should
1032         link to.
1033
1034         * jit/JIT.cpp:
1035         (JSC::JIT::link): Compute the linked exception handler address and pass it to
1036         the ByValInfo constructor.
1037         (JSC::JIT::privateCompileExceptionHandlers): Make sure that we generate the
1038         exception handler if we have any by-val handlers.
1039
1040         * jit/JIT.h:
1041         Added a label for the exception handler.  We'll link this later for the
1042         by value handlers.
1043
1044         * jit/JITPropertyAccess.cpp:
1045         (JSC::JIT::privateCompileGetByValWithCachedId):
1046         (JSC::JIT::privateCompilePutByValWithCachedId):
1047         Link exception branches to the exception handler for the main function.
1048
1049 2016-08-10  Mark Lam  <mark.lam@apple.com>
1050
1051         DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals.
1052         https://bugs.webkit.org/show_bug.cgi?id=160755
1053         <rdar://problem/27488507>
1054
1055         Reviewed by Filip Pizlo.
1056
1057         If the DFG sees that an inlined function will result in an OSR exit every time,
1058         it will treat all downstream blocks as dead.  However, it still needs to keep
1059         locals that are alive in the bytecode alive for the compiled function so that
1060         those locals are properly written to the stack by the OSR exit ramp.
1061
1062         The existing code neglected to do this.  This patch remedies this issue.
1063
1064         * dfg/DFGByteCodeParser.cpp:
1065         (JSC::DFG::ByteCodeParser::flushDirect):
1066         (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal):
1067         (JSC::DFG::ByteCodeParser::phantomLocalDirect):
1068         (JSC::DFG::ByteCodeParser::flushForTerminal):
1069
1070 2016-08-09  Skachkov Oleksandr  <gskachkov@gmail.com>
1071
1072         [ES2016] Implement Object.values
1073         https://bugs.webkit.org/show_bug.cgi?id=160410
1074
1075         Reviewed by Saam Barati, Yusuke Suzuki.
1076
1077         This patch adds a values function to Object that returns a list of
1078         the object's own values. The patch follows the
1079         spec http://tc39.github.io/ecma262/#sec-object.values
1080
1081         Also, the patch adds generic builtin intrinsic constants
1082         @IterationKindKey/@IterationKindValue/@IterationKindKeyValue
1083         that are used in EnumerableOwnProperties to set the kind of operation,
1084         and replaces the own IterationKind enums in the following iterators:
1085         ArrayIterator, MapIterator, and SetIterator.
1086
1087         * JavaScriptCore.xcodeproj/project.pbxproj:
1088         * builtins/ObjectConstructor.js:
1089         (globalPrivate.enumerableOwnProperties):
1090         (values):
1091         * bytecode/BytecodeIntrinsicRegistry.cpp:
1092         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1093         * bytecode/BytecodeIntrinsicRegistry.h:
1094         * inspector/JSInjectedScriptHost.cpp:
1095         (Inspector::JSInjectedScriptHost::getInternalProperties):
1096         * runtime/ArrayIteratorPrototype.h:
1097         * runtime/IterationKind.h: Copied from Source/JavaScriptCore/builtins/ObjectConstructor.js.
1098         * runtime/JSMapIterator.h:
1099         (JSC::JSMapIterator::create):
1100         (JSC::JSMapIterator::next):
1101         (JSC::JSMapIterator::kind):
1102         (JSC::JSMapIterator::JSMapIterator):
1103         * runtime/JSSetIterator.h:
1104         (JSC::JSSetIterator::create):
1105         (JSC::JSSetIterator::next):
1106         (JSC::JSSetIterator::kind):
1107         (JSC::JSSetIterator::JSSetIterator):
1108         * runtime/MapPrototype.cpp:
1109         (JSC::mapProtoFuncValues):
1110         (JSC::mapProtoFuncEntries):
1111         (JSC::mapProtoFuncKeys):
1112         (JSC::privateFuncMapIterator):
1113         * runtime/ObjectConstructor.cpp:
1114         * runtime/SetPrototype.cpp:
1115         (JSC::setProtoFuncValues):
1116         (JSC::setProtoFuncEntries):
1117         (JSC::privateFuncSetIterator):
1118
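The spec algorithm that the two Object.entries/Object.values entries above refer to (EnumerableOwnProperties with a kind argument), as an added stand-alone example written for this page in plain JavaScript; it is not JavaScriptCore's builtins/ObjectConstructor.js, and the constant names and their numeric values are assumptions chosen here to mirror the @IterationKind* intrinsics.

```javascript
// Added example, not JavaScriptCore code: a spec-shaped EnumerableOwnProperties(O, kind)
// that backs Object.values and Object.entries. Iteration kinds are modelled on the
// @IterationKindKey/@IterationKindValue/@IterationKindKeyValue intrinsics; the values
// 0/1/2 are assumptions for this example.
const IterationKindKey = 0;
const IterationKindValue = 1;
const IterationKindKeyValue = 2;

function enumerableOwnProperties(object, kind) {
  // ToObject(O): null and undefined throw, primitives are boxed.
  if (object === null || object === undefined)
    throw new TypeError("Object.values/entries called on null or undefined");
  if (kind !== IterationKindKey && kind !== IterationKindValue && kind !== IterationKindKeyValue)
    throw new TypeError("unknown iteration kind");
  const obj = Object(object);
  const results = [];

  // [[OwnPropertyKeys]]: Reflect.ownKeys returns integer keys first, then string keys in
  // insertion order, then symbols. The spec only considers String keys, so symbols are skipped.
  for (const key of Reflect.ownKeys(obj)) {
    if (typeof key !== "string")
      continue;
    // [[GetOwnProperty]] is re-evaluated per key: an accessor run for an earlier key may
    // have deleted this one, in which case the descriptor is undefined and the key is
    // skipped rather than producing an undefined value.
    const desc = Object.getOwnPropertyDescriptor(obj, key);
    if (desc === undefined || !desc.enumerable)
      continue;
    if (kind === IterationKindKey) {
      results.push(key);
    } else {
      const value = obj[key]; // Get(O, key): runs getters, observable to the object
      results.push(kind === IterationKindValue ? value : [key, value]);
    }
  }
  return results;
}

function objectValues(o) {
  return enumerableOwnProperties(o, IterationKindValue);
}

function objectEntries(o) {
  return enumerableOwnProperties(o, IterationKindKeyValue);
}

// Constructed sample input: mixed key kinds plus a non-enumerable property.
const sample = { b: 1, 2: "two", a: 3, [Symbol("s")]: 4 };
Object.defineProperty(sample, "hidden", { value: 5, enumerable: false });
console.log(objectEntries(sample)); // [["2","two"],["b",1],["a",3]]
console.log(objectValues(sample));  // ["two",1,3]
```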
1119 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1120
1121         [JSC] Speed up SparseCollection & related maps
1122         https://bugs.webkit.org/show_bug.cgi?id=160733
1123
1124         Reviewed by Saam Barati.
1125
1126         On MBA, Graph::addNode() shows up in profiles due to SparseCollection::add().
1127         This is unfortunate.
1128
1129         The first improvement is to build the new unique_ptr in the empty slot
1130         instead of moving a new value into it.
1131
1132         Previously, the code would load the previous value, test if it is null
1133         then invoke the destructor and finally fastFree(). The initial test
1134         obviously fails so that's a whole bunch of code that is never executed.
1135
1136         With the new code, we just have a store.
1137
1138         I also removed the bounds checking on our maps based on node index.
1139         Those bounds checks are never eliminated by clang because the index
1140         is always loaded from memory instead of being computed.
1141         There are unfortunately too many nodes processed and the bounds checks
1142         get costly.
1143
1144         * b3/B3SparseCollection.h:
1145         (JSC::B3::SparseCollection::add):
1146         * dfg/DFGGraph.h:
1147         (JSC::DFG::Graph::abstractValuesCache):
1148         * dfg/DFGInPlaceAbstractState.h:
1149
1150 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1151
1152         [JSC] Remove some useless code I left when rewriting CSE's large maps
1153         https://bugs.webkit.org/show_bug.cgi?id=160720
1154
1155         Reviewed by Michael Saboff.
1156
1157         * dfg/DFGCSEPhase.cpp:
1158         The maps m_worldMap and m_sideStateMap are useless. They come from the previous
1159         iteration that had weaker constraints.
1160
1161         Also move m_heapMap after m_fallbackStackMap since that is the order
1162         in which they are used in the algorithm.
1163
1164 2016-08-10  Benjamin Poulain  <bpoulain@apple.com>
1165
1166         Remove AbstractInterpreter::executeEdges(unsigned), it is no longer used anywhere
1167         https://bugs.webkit.org/show_bug.cgi?id=160708
1168
1169         Reviewed by Mark Lam.
1170
1171         * dfg/DFGAbstractInterpreter.h:
1172         * dfg/DFGAbstractInterpreterInlines.h:
1173         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges): Deleted.
1174
1175 2016-08-10  Simon Fraser  <simon.fraser@apple.com>
1176
1177         Sort the feature flags in the FEATURE_DEFINES lines
1178         https://bugs.webkit.org/show_bug.cgi?id=160742
1179
1180         Reviewed by Anders Carlsson.
1181
1182         * Configurations/FeatureDefines.xcconfig:
1183
1184 2016-08-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1185
1186         [ES6] Add ModuleLoaderPrototype and move methods to it
1187         https://bugs.webkit.org/show_bug.cgi?id=160633
1188
1189         Reviewed by Saam Barati.
1190
1191         In the future, we need to add the ability to create the new Loader object (by users).
1192         So rather than holding all the methods in the ModuleLoaderObject instance, moving them
1193         to ModuleLoaderPrototype and creating the default JSModuleLoader instance is better.
1194
1195         No behavior change.
1196
1197         * CMakeLists.txt:
1198         * DerivedSources.make:
1199         * JavaScriptCore.xcodeproj/project.pbxproj:
1200         * builtins/ModuleLoaderObject.js:
1201         (setStateToMax): Deleted.
1202         (newRegistryEntry): Deleted.
1203         (ensureRegistered): Deleted.
1204         (forceFulfillPromise): Deleted.
1205         (fulfillFetch): Deleted.
1206         (fulfillTranslate): Deleted.
1207         (fulfillInstantiate): Deleted.
1208         (commitInstantiated): Deleted.
1209         (instantiation): Deleted.
1210         (requestFetch): Deleted.
1211         (requestTranslate): Deleted.
1212         (requestInstantiate): Deleted.
1213         (requestResolveDependencies.): Deleted.
1214         (requestResolveDependencies): Deleted.
1215         (requestInstantiateAll): Deleted.
1216         (requestLink): Deleted.
1217         (requestReady): Deleted.
1218         (link): Deleted.
1219         (moduleEvaluation): Deleted.
1220         (provide): Deleted.
1221         (loadAndEvaluateModule): Deleted.
1222         (loadModule): Deleted.
1223         (linkAndEvaluateModule): Deleted.
1224         * builtins/ModuleLoaderPrototype.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderObject.js.
1225         (setStateToMax):
1226         (newRegistryEntry):
1227         (ensureRegistered):
1228         (forceFulfillPromise):
1229         (fulfillFetch):
1230         (fulfillTranslate):
1231         (fulfillInstantiate):
1232         (commitInstantiated):
1233         (instantiation):
1234         (requestFetch):
1235         (requestTranslate):
1236         (requestInstantiate):
1237         (requestResolveDependencies.):
1238         (requestResolveDependencies):
1239         (requestInstantiateAll):
1240         (requestLink):
1241         (requestReady):
1242         (link):
1243         (moduleEvaluation):
1244         (provide):
1245         (loadAndEvaluateModule):
1246         (loadModule):
1247         (linkAndEvaluateModule):
1248         * bytecode/BytecodeIntrinsicRegistry.cpp:
1249         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1250         * jsc.cpp:
1251         (GlobalObject::moduleLoaderResolve):
1252         (GlobalObject::moduleLoaderFetch):
1253         * runtime/Completion.cpp:
1254         (JSC::loadAndEvaluateModule):
1255         (JSC::loadModule):
1256         * runtime/JSGlobalObject.cpp:
1257         (JSC::JSGlobalObject::init):
1258         (JSC::JSGlobalObject::visitChildren):
1259         * runtime/JSGlobalObject.h:
1260         (JSC::JSGlobalObject::moduleLoader):
1261         (JSC::JSGlobalObject::moduleLoaderStructure):
1262         * runtime/JSModuleLoader.cpp: Added.
1263         (JSC::JSModuleLoader::JSModuleLoader):
1264         (JSC::JSModuleLoader::finishCreation):
1265         (JSC::printableModuleKey):
1266         (JSC::JSModuleLoader::provide):
1267         (JSC::JSModuleLoader::loadAndEvaluateModule):
1268         (JSC::JSModuleLoader::loadModule):
1269         (JSC::JSModuleLoader::linkAndEvaluateModule):
1270         (JSC::JSModuleLoader::resolve):
1271         (JSC::JSModuleLoader::fetch):
1272         (JSC::JSModuleLoader::translate):
1273         (JSC::JSModuleLoader::instantiate):
1274         (JSC::JSModuleLoader::evaluate):
1275         * runtime/JSModuleLoader.h: Copied from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1276         (JSC::JSModuleLoader::create):
1277         (JSC::JSModuleLoader::createStructure):
1278         * runtime/JSModuleRecord.h:
1279         * runtime/ModuleLoaderObject.cpp: Removed.
1280         (JSC::ModuleLoaderObject::ModuleLoaderObject): Deleted.
1281         (JSC::ModuleLoaderObject::finishCreation): Deleted.
1282         (JSC::printableModuleKey): Deleted.
1283         (JSC::ModuleLoaderObject::provide): Deleted.
1284         (JSC::ModuleLoaderObject::loadAndEvaluateModule): Deleted.
1285         (JSC::ModuleLoaderObject::loadModule): Deleted.
1286         (JSC::ModuleLoaderObject::linkAndEvaluateModule): Deleted.
1287         (JSC::ModuleLoaderObject::resolve): Deleted.
1288         (JSC::ModuleLoaderObject::fetch): Deleted.
1289         (JSC::ModuleLoaderObject::translate): Deleted.
1290         (JSC::ModuleLoaderObject::instantiate): Deleted.
1291         (JSC::ModuleLoaderObject::evaluate): Deleted.
1292         (JSC::moduleLoaderObjectParseModule): Deleted.
1293         (JSC::moduleLoaderObjectRequestedModules): Deleted.
1294         (JSC::moduleLoaderObjectModuleDeclarationInstantiation): Deleted.
1295         (JSC::moduleLoaderObjectResolve): Deleted.
1296         (JSC::moduleLoaderObjectFetch): Deleted.
1297         (JSC::moduleLoaderObjectTranslate): Deleted.
1298         (JSC::moduleLoaderObjectInstantiate): Deleted.
1299         (JSC::moduleLoaderObjectEvaluate): Deleted.
1300         * runtime/ModuleLoaderObject.h:
1301         (JSC::ModuleLoaderObject::create): Deleted.
1302         (JSC::ModuleLoaderObject::createStructure): Deleted.
1303         * runtime/ModuleLoaderPrototype.cpp: Added.
1304         (JSC::ModuleLoaderPrototype::ModuleLoaderPrototype):
1305         (JSC::moduleLoaderPrototypeParseModule):
1306         (JSC::moduleLoaderPrototypeRequestedModules):
1307         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1308         (JSC::moduleLoaderPrototypeResolve):
1309         (JSC::moduleLoaderPrototypeFetch):
1310         (JSC::moduleLoaderPrototypeTranslate):
1311         (JSC::moduleLoaderPrototypeInstantiate):
1312         (JSC::moduleLoaderPrototypeEvaluate):
1313         * runtime/ModuleLoaderPrototype.h: Renamed from Source/JavaScriptCore/runtime/ModuleLoaderObject.h.
1314         (JSC::ModuleLoaderPrototype::create):
1315         (JSC::ModuleLoaderPrototype::createStructure):
1316
1317 2016-08-09  Saam Barati  <sbarati@apple.com>
1318
1319         JSBoundFunction should lazily generate its name string
1320         https://bugs.webkit.org/show_bug.cgi?id=160678
1321         <rdar://problem/27043194>
1322
1323         Reviewed by Mark Lam.
1324
1325         We were eagerly allocating the BoundFunction's 'name' string
1326         by prepending the "bound " prefix. This patch makes the 'name'
1327         string creation lazy like we do with ordinary JSFunctions.
1328
1329         This is a 25% speedup on the microbenchmark I added that measures
1330         bound function creation speed. Hopefully this also helps us recover
1331         from a 1% Speedometer regression that was introduced in the original
1332         bound function "bound " prefixing patch.
1333
1334         * runtime/JSBoundFunction.cpp:
1335         (JSC::JSBoundFunction::create):
1336         (JSC::JSBoundFunction::JSBoundFunction):
1337         (JSC::JSBoundFunction::finishCreation):
1338         * runtime/JSBoundFunction.h:
1339         * runtime/JSFunction.cpp:
1340         (JSC::JSFunction::finishCreation):
1341         (JSC::JSFunction::getOwnPropertySlot):
1342         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1343         (JSC::JSFunction::put):
1344         (JSC::JSFunction::deleteProperty):
1345         (JSC::JSFunction::defineOwnProperty):
1346         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1347         (JSC::JSFunction::reifyBoundNameIfNeeded):
1348         * runtime/JSFunction.h:
1349
1350 2016-08-09  George Ruan  <gruan@apple.com>
1351
1352         Implement functionality of media capture on iOS
1353         https://bugs.webkit.org/show_bug.cgi?id=158945
1354         <rdar://problem/26893343>
1355
1356         Reviewed by Tim Horton.
1357
1358         * Configurations/FeatureDefines.xcconfig: Enable media capture feature
1359         for iOS.
1360
1361 2016-08-09  Saam Barati  <sbarati@apple.com>
1362
1363         Parser<LexerType>::parseFunctionInfo() has the wrong info about captured vars when a function is not cached.
1364         https://bugs.webkit.org/show_bug.cgi?id=160671
1365         <rdar://problem/27756112>
1366
1367         Reviewed by Mark Lam.
1368
1369         There was a bug in our captured variable analysis when a function has a default
1370         parameter expression that is a function that captures something from the parent scope.
1371         The bug was that we were relying on the SourceProviderCache to succeed for the
1372         analysis to work. This is obviously wrong. I've fixed this to work regardless
1373         of getting a cache hit. To prevent future bugs that rely on the success of the
1374         SourceProviderCache, I've made the validate testing mode disable the SourceProviderCache.
1375
1376         * parser/Parser.cpp:
1377         (JSC::Parser<LexerType>::parseFunctionInfo):
1378         * parser/Parser.h:
1379         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1380         (JSC::Scope::addClosedVariableCandidateUnconditionally):
1381         (JSC::Scope::collectFreeVariables):
1382         * runtime/Options.h:
1383
1384 2016-08-08  Mark Lam  <mark.lam@apple.com>
1385
1386         ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
1387         https://bugs.webkit.org/show_bug.cgi?id=160666
1388
1389         Reviewed by Keith Miller.
1390
1391         This assertion is benign.  JSFinalObject::visitChildren() calls
1392         JSObject::inlineStorage() to get a pointer to the object's inline storage, and
1393         later passes it to visitor.appendValuesHidden() with a previously computed
1394         storageSize.  When storageSize is 0, appendValuesHidden() ends up doing nothing.
1395         However, before we get there, JSObject::inlineStorage() will be asserting
1396         hasInlineStorage() and this assertion will fail when storageSize is 0.
1397
1398         We can fix this assertion failure by simply adding a storageSize check before
1399         calling hasInlineStorage() and visitor.appendValuesHidden().
1400
1401         * runtime/JSObject.cpp:
1402         (JSC::JSFinalObject::visitChildren):
1403
1404 2016-08-08  Brian Burg  <bburg@apple.com>
1405
1406         Web Inspector: clean up prefixing of Automation protocol generated files
1407         https://bugs.webkit.org/show_bug.cgi?id=160635
1408         <rdar://problem/27735327>
1409
1410         Reviewed by Timothy Hatcher.
1411
1412         Introduce different settings for the 'protocol group' name for C++ vs. Objective-C.
1413
1414         Use 'WD' as the prefix for generated Objective-C frontend dispatchers and helpers.
1415         Continue using 'Automation' as the prefix for generated C++ backend dispatchers.
1416
1417         * inspector/scripts/codegen/cpp_generator.py:
1418         (CppGenerator.protocol_name):
1419         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1420         (ObjCProtocolTypeConversionsImplementationGenerator.generate_output):
1421         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_interface):
1422         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_category_implementation):
1423         Adjust the class name. Generate one category per protocol domain to keep it easy to read.
1424
1425         * inspector/scripts/codegen/models.py:
1426         * inspector/scripts/codegen/objc_generator.py:
1427         (ObjCGenerator.protocol_name):
1428
1429         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1430         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1431         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1432         * inspector/scripts/tests/expected/enum-values.json-result:
1433         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1434         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1435         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1436         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1437         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1438         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1439         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1440         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1441         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1442         Rebaseline test results.
1443
1444 2016-08-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1445
1446         [ES6] Module namespace object should not allow unset IC
1447         https://bugs.webkit.org/show_bug.cgi?id=160553
1448
1449         Reviewed by Saam Barati.
1450
1451         Previously, the module namespace object accidentally allowed "unset IC". But this "unsetness" does not rely on
1452         the structure. We should disable inline caching onto the namespace object. Once it is needed, we should
1453         create the special caching for namespace object like the following: it should be similar to monomorphic IC,
1454         but it caches the object itself instead of the structure. It checks the object itself (And in DFG, it should be
1455         CheckCell) and loads the value from the target module environment directly[1].
1456
        This patch also sets setIsTaintedByProxy for the module namespace object to notify the caller that
        this object has an impure ::getOwnPropertySlot. This function is now renamed to setIsTaintedByOpaqueObject.
1459
        We drop the hack in JSModuleNamespaceObject::getOwnPropertySlot since we already introduced InternalMethodType
        for ProxyObject. Previously we could not distinguish ::HasProperty and ::GetOwnProperty. So, in order not to throw any
        errors for the ::HasProperty case, we used slot.setCustom to delay the observable operation.
        But this hack lacks support for hasOwnProperty: hasOwnProperty uses [[GetOwnProperty]], so it should throw an error.
        However, the previous implementation does not throw an error since the delayed observable part (the custom function part) is
        skipped in the hasOwnProperty implementation. We now remove this custom property hack and fix the corresponding failure
        in test262.
1467
1468         [1]: https://bugs.webkit.org/show_bug.cgi?id=160590
1469
1470         * jit/JITOperations.cpp:
1471         * runtime/ArrayPrototype.cpp:
1472         (JSC::getProperty):
1473         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1474         (JSC::constructGenericTypedArrayViewWithArguments):
1475         * runtime/JSModuleNamespaceObject.cpp:
1476         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1477         (JSC::callbackGetter): Deleted.
1478         * runtime/JSModuleNamespaceObject.h:
1479         * runtime/PropertySlot.cpp:
1480         (JSC::PropertySlot::getPureResult):
1481         * runtime/PropertySlot.h:
1482         (JSC::PropertySlot::PropertySlot):
1483         (JSC::PropertySlot::setIsTaintedByOpaqueObject):
1484         (JSC::PropertySlot::isTaintedByOpaqueObject):
1485         (JSC::PropertySlot::setIsTaintedByProxy): Deleted.
1486         (JSC::PropertySlot::isTaintedByProxy): Deleted.
1487         * runtime/ProxyObject.cpp:
1488         (JSC::ProxyObject::getOwnPropertySlotCommon):
1489
1490 2016-08-05  Keith Miller  <keith_miller@apple.com>
1491
1492         Add LEBDecoder and tests
1493         https://bugs.webkit.org/show_bug.cgi?id=160625
1494
1495         Reviewed by Benjamin Poulain.
1496
1497         Adds a new target testWASM that is currently used to test the LEB decoder.
1498         In the future, if we add more support for WASM we will put more tests
1499         here.
1500
1501         * JavaScriptCore.xcodeproj/project.pbxproj:
1502         * testWASM.cpp: Added.
1503         (CommandLine::CommandLine):
1504         (printUsageStatement):
1505         (CommandLine::parseArguments):
1506         (runLEBTests):
1507         (main):
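
        The following is an added example and not JavaScriptCore's LEBDecoder or any code from this entry. It shows
        the checks a WebAssembly binary parser needs when decoding LEB128 integers: truncation, a value wider than
        32 bits, an encoding longer than five bytes, and a vector count larger than the bytes that remain. The input
        shape (a Uint8Array plus offset), the LEBDecodeError class and the sample bytes are this example's own
        constructions.

```javascript
"use strict";

// Added example, not JavaScriptCore's LEBDecoder: bounds-checked LEB128
// decoders of the kind a WebAssembly binary parser needs. Input is a
// Uint8Array plus an offset; decoders return { value, length } and throw
// LEBDecodeError on malformed input.
const MAX_VAR32_BYTES = 5; // ceil(32 / 7): a 32-bit value never needs more

class LEBDecodeError extends Error {}

// Unsigned LEB128, at most 32 bits. Redundant zero padding (e.g. 0x80 0x00)
// is accepted, as the WebAssembly format allows it, but the value may not
// exceed 32 bits and the encoding may not exceed 5 bytes.
function decodeVarUint32(bytes, offset = 0) {
  let result = 0;
  for (let i = 0, shift = 0; i < MAX_VAR32_BYTES; i++, shift += 7) {
    if (offset + i >= bytes.length) throw new LEBDecodeError("truncated varuint32");
    const byte = bytes[offset + i];
    const payload = byte & 0x7f;
    // Only payload bits 0..3 of the 5th byte fit (4 * 7 + 4 = 32).
    if (i === MAX_VAR32_BYTES - 1 && (payload & 0x70) !== 0)
      throw new LEBDecodeError("varuint32 exceeds 32 bits");
    result = (result | (payload << shift)) >>> 0; // keep it unsigned
    if ((byte & 0x80) === 0) return { value: result, length: i + 1 };
  }
  throw new LEBDecodeError("varuint32 longer than 5 bytes");
}

// Signed LEB128, at most 32 bits. In the 5th byte only bits 0..3 carry data;
// bits 4..6 must replicate bit 3 (the sign), otherwise the value does not
// fit in an int32.
function decodeVarInt32(bytes, offset = 0) {
  let result = 0;
  for (let i = 0, shift = 0; i < MAX_VAR32_BYTES; i++, shift += 7) {
    if (offset + i >= bytes.length) throw new LEBDecodeError("truncated varint32");
    const byte = bytes[offset + i];
    const payload = byte & 0x7f;
    if (i === MAX_VAR32_BYTES - 1) {
      const signExt = (payload & 0x08) !== 0 ? 0x70 : 0x00;
      if ((payload & 0x70) !== signExt) throw new LEBDecodeError("varint32 exceeds 32 bits");
    }
    result |= payload << shift;
    if ((byte & 0x80) === 0) {
      // Sign-extend from bit 6 of the final byte when fewer than 32 bits were filled.
      if (shift + 7 < 32 && (byte & 0x40) !== 0) result |= -1 << (shift + 7);
      return { value: result | 0, length: i + 1 };
    }
  }
  throw new LEBDecodeError("varint32 longer than 5 bytes");
}

// Reads a WebAssembly-style vector of varuint32 items: a varuint32 count
// followed by `count` encoded items. The count is checked against the bytes
// actually present before anything is allocated (each item needs at least
// one byte), so a hostile count cannot force a huge allocation.
function readU32Vector(bytes, offset = 0) {
  const count = decodeVarUint32(bytes, offset);
  let pos = offset + count.length;
  if (count.value > bytes.length - pos)
    throw new LEBDecodeError(`vector count ${count.value} exceeds ${bytes.length - pos} remaining bytes`);
  const items = new Array(count.value);
  for (let i = 0; i < count.value; i++) {
    const item = decodeVarUint32(bytes, pos);
    items[i] = item.value;
    pos += item.length;
  }
  return { items, length: pos - offset };
}

// Constructed sample: a 3-item vector [1, 624485, 127] as a WebAssembly
// parser would see it: count 0x03, then 0x01, then 0xE5 0x8E 0x26, then 0x7F.
const SAMPLE_VECTOR = Uint8Array.of(0x03, 0x01, 0xe5, 0x8e, 0x26, 0x7f);

console.log(readU32Vector(SAMPLE_VECTOR));                   // { items: [1, 624485, 127], length: 6 }
console.log(decodeVarInt32(Uint8Array.of(0xc0, 0xbb, 0x78))); // { value: -123456, length: 3 }
```

        The length limit matters as much as the bounds check: without the five-byte cap a decoder loops over
        attacker-controlled padding, and without the final-byte mask a value that silently wraps past 32 bits can
        later be used as an index or size.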
1508
1509 2016-08-05  Keith Miller  <keith_miller@apple.com>
1510
1511         32-bit JSC test failure: stress/instanceof-late-constant-folding.js
1512         https://bugs.webkit.org/show_bug.cgi?id=160620
1513
1514         Reviewed by Filip Pizlo.
1515
1516         * dfg/DFGSpeculativeJIT32_64.cpp:
1517         (JSC::DFG::SpeculativeJIT::compile):
1518
1519 2016-08-05  Benjamin Poulain  <bpoulain@apple.com>
1520
1521         [JSC] Remove the first LocalCSE
1522         https://bugs.webkit.org/show_bug.cgi?id=160615
1523
1524         Reviewed by Saam Barati.
1525
1526         LocalCSE is the most expensive phase in DFG (excluding FTL).
1527
        The combination of two LocalCSEs does not seem to pay for its cost.
        Doing a single LocalCSE after ConstantFolding and StrengthReduction
        is always a win on my machine.
1531
1532         * dfg/DFGCleanUpPhase.cpp:
1533         (JSC::DFG::CleanUpPhase::run):
1534         * dfg/DFGPlan.cpp:
1535         (JSC::DFG::Plan::compileInThreadImpl):
1536
1537 2016-08-05  Saam Barati  <sbarati@apple.com>
1538
1539         various math operations don't properly check for an exception after calling toNumber() on the lhs
1540         https://bugs.webkit.org/show_bug.cgi?id=160154
1541
1542         Reviewed by Mark Lam.
1543
1544         We must check for an exception after calling toNumber() on the lhs
1545         because this can throw an exception. If we called toNumber() on
1546         the rhs without first checking for an exception after the toNumber()
1547         on the lhs, this can lead us to execute effectful code or deviate
1548         from the standard in subtle ways. I fixed this bug in various places
1549         by always checking for an exception after calling toNumber() on the
1550         lhs for the various bit and arithmetic operations.
1551
1552         This patch also found a commutativity bug inside DFGStrengthReduction.
1553         We could end up commuting the lhs and rhs of say an "|" expression
1554         even when the lhs/rhs may not be numbers. This is wrong because
1555         executing toNumber() on the lhs/rhs has strict ordering guarantees
1556         by the specification and is observable by user programs.
1557
1558         * dfg/DFGOperations.cpp:
1559         * dfg/DFGStrengthReductionPhase.cpp:
1560         (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1561         * jit/JITOperations.cpp:
1562         * runtime/CommonSlowPaths.cpp:
1563         (JSC::SLOW_PATH_DECL):
1564         * runtime/Operations.cpp:
1565         (JSC::jsAddSlowCase):
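
        The following is an added example in user-level JavaScript, not code from this entry or from JavaScriptCore.
        It makes the ordering the entry relies on observable: for a binary operator the engine converts the lhs
        first, and if that conversion throws, the rhs must never be converted. It also shows why swapping the
        operands of a commutative operator is observable when they are objects. The traceBinaryOp helper, the OPS
        table and the valueOf hooks are this example's own constructions.

```javascript
"use strict";

// Added example, not JavaScriptCore code. Records the order in which the
// operands' valueOf hooks fire for a binary operator, and whether the rhs
// hook runs when the lhs conversion throws. The `op` callback and the `log`
// array are this example's own constructions.
function traceBinaryOp(op, { lhsThrows = false } = {}) {
  const log = [];
  // Both operands are objects so that ToNumber/ToPrimitive is observable.
  const lhs = {
    valueOf() {
      log.push("lhs.valueOf");
      if (lhsThrows) throw new RangeError("lhs conversion failed");
      return 6;
    },
  };
  const rhs = {
    valueOf() {
      log.push("rhs.valueOf");
      return 3;
    },
  };
  let result;
  let error = null;
  try {
    result = op(lhs, rhs);
  } catch (e) {
    error = e instanceof RangeError ? e.message : String(e);
  }
  return { log, result, error };
}

// The bit and arithmetic operators the entry above is concerned with.
const OPS = {
  "|": (a, b) => a | b,
  "&": (a, b) => a & b,
  "^": (a, b) => a ^ b,
  "+": (a, b) => a + b,
  "-": (a, b) => a - b,
  "*": (a, b) => a * b,
  "<<": (a, b) => a << b,
  ">>>": (a, b) => a >>> b,
};

// For every operator: the happy path converts lhs then rhs; the failing path
// converts lhs, propagates the exception, and leaves rhs untouched. Returns
// the operators that violate either rule, so a conforming engine yields [].
function findOrderingViolations() {
  const violations = [];
  for (const [name, op] of Object.entries(OPS)) {
    const ok = traceBinaryOp(op);
    if (ok.log.join(",") !== "lhs.valueOf,rhs.valueOf" || ok.error !== null)
      violations.push(`${name}: unexpected happy-path order ${ok.log}`);
    const bad = traceBinaryOp(op, { lhsThrows: true });
    if (bad.log.join(",") !== "lhs.valueOf" || bad.error !== "lhs conversion failed" || bad.result !== undefined)
      violations.push(`${name}: rhs converted after lhs threw (${bad.log})`);
  }
  return violations;
}

// `a | b` and `b | a` produce the same number but a different, observable,
// conversion order, which is why a compiler may only commute operands it has
// proven to be numbers.
function swappingIsObservable() {
  const forward = traceBinaryOp((a, b) => a | b);
  const swapped = traceBinaryOp((a, b) => b | a);
  return forward.result === swapped.result && forward.log.join() !== swapped.log.join();
}

console.log("ordering violations:", findOrderingViolations()); // []
console.log("swapping observable:", swappingIsObservable());   // true
```

        Running this against an engine that converted the rhs before checking for an exception from the lhs would list
        that operator in the violations; that is exactly the deviation the slow paths in this entry were fixed to avoid.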
1566
1567 2016-08-05  Michael Saboff  <msaboff@apple.com>
1568
1569         compilePutByValForIntTypedArray() has a slow path in the middle of its processing
1570         https://bugs.webkit.org/show_bug.cgi?id=160614
1571
1572         Reviewed by Keith Miller.
1573
        In compilePutByValForIntTypedArray() we were calling out to the slow path
        operationToInt32() and then returning to the middle of the code to finish
        the processing of writing the value to the array.  When we make the slow
        path call, we trash any temporary registers that have been allocated.
        In general slow path calls should finish the operation in progress and
        continue processing at the beginning of the next node.

        This was discovered while working on the register argument changes, when
        we SpeculateStrictInt32Operand on the value child node.  That child node's
        value was live in a register with a spill format of DataFormatJSInt32.  In that
        case we allocate a new temporary register and copy just the lower 32 bits from
        the child register to the new temp register.  That temp register gets trashed
        when we make the operationToInt32() slow path call.
1587
1588         I spent some time trying to devise a test with the current code base and wasn't
1589         successful.  This case is tested with the register argument changes in progress.
1590
1591         * dfg/DFGSpeculativeJIT.cpp:
1592         (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
1593
1594 2016-08-05  Saam Barati  <sbarati@apple.com>
1595
1596         Assertion failure when accessing TDZ variable in catch through eval
1597         https://bugs.webkit.org/show_bug.cgi?id=160554
1598
1599         Reviewed by Mark Lam and Keith Miller.
1600
1601         When we were calculating the variables under TDZ from a JSScope,
1602         the algorithm was not taking into account that a catch scope
1603         has variables under TDZ.
1604
1605         * runtime/JSScope.cpp:
1606         (JSC::JSScope::collectVariablesUnderTDZ):
1607
1608 2016-08-05  Keith Miller  <keith_miller@apple.com>
1609
1610         Delete out of date WASM code.
1611         https://bugs.webkit.org/show_bug.cgi?id=160603
1612
1613         Reviewed by Saam Barati.
1614
        This patch removes a bunch of the wasm files that we are unlikely to use
        with the newer wasm spec. If we end up needing any of the deleted code
        later we can restore it at that time.
1618
1619         * CMakeLists.txt:
1620         * JavaScriptCore.xcodeproj/project.pbxproj:
1621         * jit/JITOperations.cpp:
1622         * jsc.cpp:
1623         (GlobalObject::finishCreation): Deleted.
1624         (functionLoadWebAssembly): Deleted.
1625         * llint/LLIntSlowPaths.cpp:
1626         (JSC::LLInt::setUpCall): Deleted.
1627         * runtime/Executable.cpp:
1628         (JSC::WebAssemblyExecutable::prepareForExecution): Deleted.
1629         * runtime/JSGlobalObject.cpp:
1630         (JSC::JSGlobalObject::init): Deleted.
1631         (JSC::JSGlobalObject::visitChildren): Deleted.
1632         * runtime/JSGlobalObject.h:
1633         (JSC::JSGlobalObject::wasmModuleStructure): Deleted.
1634         * wasm/WASMConstants.h: Removed.
1635         * wasm/WASMFunctionB3IRGenerator.h: Removed.
1636         (JSC::WASMFunctionB3IRGenerator::MemoryAddress::MemoryAddress): Deleted.
1637         (JSC::WASMFunctionB3IRGenerator::startFunction): Deleted.
1638         (JSC::WASMFunctionB3IRGenerator::endFunction): Deleted.
1639         (JSC::WASMFunctionB3IRGenerator::buildSetLocal): Deleted.
1640         (JSC::WASMFunctionB3IRGenerator::buildSetGlobal): Deleted.
1641         (JSC::WASMFunctionB3IRGenerator::buildReturn): Deleted.
1642         (JSC::WASMFunctionB3IRGenerator::buildImmediateI32): Deleted.
1643         (JSC::WASMFunctionB3IRGenerator::buildImmediateF32): Deleted.
1644         (JSC::WASMFunctionB3IRGenerator::buildImmediateF64): Deleted.
1645         (JSC::WASMFunctionB3IRGenerator::buildGetLocal): Deleted.
1646         (JSC::WASMFunctionB3IRGenerator::buildGetGlobal): Deleted.
1647         (JSC::WASMFunctionB3IRGenerator::buildConvertType): Deleted.
1648         (JSC::WASMFunctionB3IRGenerator::buildLoad): Deleted.
1649         (JSC::WASMFunctionB3IRGenerator::buildStore): Deleted.
1650         (JSC::WASMFunctionB3IRGenerator::buildUnaryI32): Deleted.
1651         (JSC::WASMFunctionB3IRGenerator::buildUnaryF32): Deleted.
1652         (JSC::WASMFunctionB3IRGenerator::buildUnaryF64): Deleted.
1653         (JSC::WASMFunctionB3IRGenerator::buildBinaryI32): Deleted.
1654         (JSC::WASMFunctionB3IRGenerator::buildBinaryF32): Deleted.
1655         (JSC::WASMFunctionB3IRGenerator::buildBinaryF64): Deleted.
1656         (JSC::WASMFunctionB3IRGenerator::buildRelationalI32): Deleted.
1657         (JSC::WASMFunctionB3IRGenerator::buildRelationalF32): Deleted.
1658         (JSC::WASMFunctionB3IRGenerator::buildRelationalF64): Deleted.
1659         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxI32): Deleted.
1660         (JSC::WASMFunctionB3IRGenerator::buildMinOrMaxF64): Deleted.
1661         (JSC::WASMFunctionB3IRGenerator::buildCallInternal): Deleted.
1662         (JSC::WASMFunctionB3IRGenerator::buildCallIndirect): Deleted.
1663         (JSC::WASMFunctionB3IRGenerator::buildCallImport): Deleted.
1664         (JSC::WASMFunctionB3IRGenerator::appendExpressionList): Deleted.
1665         (JSC::WASMFunctionB3IRGenerator::discard): Deleted.
1666         (JSC::WASMFunctionB3IRGenerator::linkTarget): Deleted.
1667         (JSC::WASMFunctionB3IRGenerator::jumpToTarget): Deleted.
1668         (JSC::WASMFunctionB3IRGenerator::jumpToTargetIf): Deleted.
1669         (JSC::WASMFunctionB3IRGenerator::startLoop): Deleted.
1670         (JSC::WASMFunctionB3IRGenerator::endLoop): Deleted.
1671         (JSC::WASMFunctionB3IRGenerator::startSwitch): Deleted.
1672         (JSC::WASMFunctionB3IRGenerator::endSwitch): Deleted.
1673         (JSC::WASMFunctionB3IRGenerator::startLabel): Deleted.
1674         (JSC::WASMFunctionB3IRGenerator::endLabel): Deleted.
1675         (JSC::WASMFunctionB3IRGenerator::breakTarget): Deleted.
1676         (JSC::WASMFunctionB3IRGenerator::continueTarget): Deleted.
1677         (JSC::WASMFunctionB3IRGenerator::breakLabelTarget): Deleted.
1678         (JSC::WASMFunctionB3IRGenerator::continueLabelTarget): Deleted.
1679         (JSC::WASMFunctionB3IRGenerator::buildSwitch): Deleted.
1680         * wasm/WASMFunctionCompiler.h: Removed.
1681         (JSC::operationConvertJSValueToInt32): Deleted.
1682         (JSC::operationConvertJSValueToDouble): Deleted.
1683         (JSC::operationDiv): Deleted.
1684         (JSC::operationMod): Deleted.
1685         (JSC::operationUnsignedDiv): Deleted.
1686         (JSC::operationUnsignedMod): Deleted.
1687         (JSC::operationConvertUnsignedInt32ToDouble): Deleted.
1688         (JSC::sizeOfMemoryType): Deleted.
1689         (JSC::WASMFunctionCompiler::MemoryAddress::MemoryAddress): Deleted.
1690         (JSC::WASMFunctionCompiler::WASMFunctionCompiler): Deleted.
1691         (JSC::WASMFunctionCompiler::startFunction): Deleted.
1692         (JSC::WASMFunctionCompiler::endFunction): Deleted.
1693         (JSC::WASMFunctionCompiler::buildSetLocal): Deleted.
1694         (JSC::WASMFunctionCompiler::buildSetGlobal): Deleted.
1695         (JSC::WASMFunctionCompiler::buildReturn): Deleted.
1696         (JSC::WASMFunctionCompiler::buildImmediateI32): Deleted.
1697         (JSC::WASMFunctionCompiler::buildImmediateF32): Deleted.
1698         (JSC::WASMFunctionCompiler::buildImmediateF64): Deleted.
1699         (JSC::WASMFunctionCompiler::buildGetLocal): Deleted.
1700         (JSC::WASMFunctionCompiler::buildGetGlobal): Deleted.
1701         (JSC::WASMFunctionCompiler::buildConvertType): Deleted.
1702         (JSC::WASMFunctionCompiler::buildLoad): Deleted.
1703         (JSC::WASMFunctionCompiler::buildStore): Deleted.
1704         (JSC::WASMFunctionCompiler::buildUnaryI32): Deleted.
1705         (JSC::WASMFunctionCompiler::buildUnaryF32): Deleted.
1706         (JSC::WASMFunctionCompiler::buildUnaryF64): Deleted.
1707         (JSC::WASMFunctionCompiler::buildBinaryI32): Deleted.
1708         (JSC::WASMFunctionCompiler::buildBinaryF32): Deleted.
1709         (JSC::WASMFunctionCompiler::buildBinaryF64): Deleted.
1710         (JSC::WASMFunctionCompiler::buildRelationalI32): Deleted.
1711         (JSC::WASMFunctionCompiler::buildRelationalF32): Deleted.
1712         (JSC::WASMFunctionCompiler::buildRelationalF64): Deleted.
1713         (JSC::WASMFunctionCompiler::buildMinOrMaxI32): Deleted.
1714         (JSC::WASMFunctionCompiler::buildMinOrMaxF64): Deleted.
1715         (JSC::WASMFunctionCompiler::buildCallInternal): Deleted.
1716         (JSC::WASMFunctionCompiler::buildCallIndirect): Deleted.
1717         (JSC::WASMFunctionCompiler::buildCallImport): Deleted.
1718         (JSC::WASMFunctionCompiler::appendExpressionList): Deleted.
1719         (JSC::WASMFunctionCompiler::discard): Deleted.
1720         (JSC::WASMFunctionCompiler::linkTarget): Deleted.
1721         (JSC::WASMFunctionCompiler::jumpToTarget): Deleted.
1722         (JSC::WASMFunctionCompiler::jumpToTargetIf): Deleted.
1723         (JSC::WASMFunctionCompiler::startLoop): Deleted.
1724         (JSC::WASMFunctionCompiler::endLoop): Deleted.
1725         (JSC::WASMFunctionCompiler::startSwitch): Deleted.
1726         (JSC::WASMFunctionCompiler::endSwitch): Deleted.
1727         (JSC::WASMFunctionCompiler::startLabel): Deleted.
1728         (JSC::WASMFunctionCompiler::endLabel): Deleted.
1729         (JSC::WASMFunctionCompiler::breakTarget): Deleted.
1730         (JSC::WASMFunctionCompiler::continueTarget): Deleted.
1731         (JSC::WASMFunctionCompiler::breakLabelTarget): Deleted.
1732         (JSC::WASMFunctionCompiler::continueLabelTarget): Deleted.
1733         (JSC::WASMFunctionCompiler::buildSwitch): Deleted.
1734         (JSC::WASMFunctionCompiler::localAddress): Deleted.
1735         (JSC::WASMFunctionCompiler::temporaryAddress): Deleted.
1736         (JSC::WASMFunctionCompiler::appendCall): Deleted.
1737         (JSC::WASMFunctionCompiler::appendCallWithExceptionCheck): Deleted.
1738         (JSC::WASMFunctionCompiler::emitNakedCall): Deleted.
1739         (JSC::WASMFunctionCompiler::appendCallSetResult): Deleted.
1740         (JSC::WASMFunctionCompiler::callOperation): Deleted.
1741         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer): Deleted.
1742         (JSC::WASMFunctionCompiler::callAndUnboxResult): Deleted.
1743         (JSC::WASMFunctionCompiler::convertValueToInt32): Deleted.
1744         (JSC::WASMFunctionCompiler::convertValueToDouble): Deleted.
1745         (JSC::WASMFunctionCompiler::convertDoubleToValue): Deleted.
1746         * wasm/WASMFunctionParser.cpp: Removed.
1747         (JSC::nameOfType): Deleted.
1748         (JSC::WASMFunctionParser::checkSyntax): Deleted.
1749         (JSC::WASMFunctionParser::compile): Deleted.
1750         (JSC::WASMFunctionParser::parseFunction): Deleted.
1751         (JSC::WASMFunctionParser::parseLocalVariables): Deleted.
1752         (JSC::WASMFunctionParser::parseStatement): Deleted.
1753         (JSC::WASMFunctionParser::parseReturnStatement): Deleted.
1754         (JSC::WASMFunctionParser::parseBlockStatement): Deleted.
1755         (JSC::WASMFunctionParser::parseIfStatement): Deleted.
1756         (JSC::WASMFunctionParser::parseIfElseStatement): Deleted.
1757         (JSC::WASMFunctionParser::parseWhileStatement): Deleted.
1758         (JSC::WASMFunctionParser::parseDoStatement): Deleted.
1759         (JSC::WASMFunctionParser::parseLabelStatement): Deleted.
1760         (JSC::WASMFunctionParser::parseBreakStatement): Deleted.
1761         (JSC::WASMFunctionParser::parseBreakLabelStatement): Deleted.
1762         (JSC::WASMFunctionParser::parseContinueStatement): Deleted.
1763         (JSC::WASMFunctionParser::parseContinueLabelStatement): Deleted.
1764         (JSC::WASMFunctionParser::parseSwitchStatement): Deleted.
1765         (JSC::WASMFunctionParser::parseExpression): Deleted.
1766         (JSC::WASMFunctionParser::parseExpressionI32): Deleted.
1767         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionI32): Deleted.
1768         (JSC::WASMFunctionParser::parseImmediateExpressionI32): Deleted.
1769         (JSC::WASMFunctionParser::parseUnaryExpressionI32): Deleted.
1770         (JSC::WASMFunctionParser::parseBinaryExpressionI32): Deleted.
1771         (JSC::WASMFunctionParser::parseRelationalI32ExpressionI32): Deleted.
1772         (JSC::WASMFunctionParser::parseRelationalF32ExpressionI32): Deleted.
1773         (JSC::WASMFunctionParser::parseRelationalF64ExpressionI32): Deleted.
1774         (JSC::WASMFunctionParser::parseMinOrMaxExpressionI32): Deleted.
1775         (JSC::WASMFunctionParser::parseExpressionF32): Deleted.
1776         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF32): Deleted.
1777         (JSC::WASMFunctionParser::parseImmediateExpressionF32): Deleted.
1778         (JSC::WASMFunctionParser::parseUnaryExpressionF32): Deleted.
1779         (JSC::WASMFunctionParser::parseBinaryExpressionF32): Deleted.
1780         (JSC::WASMFunctionParser::parseExpressionF64): Deleted.
1781         (JSC::WASMFunctionParser::parseConstantPoolIndexExpressionF64): Deleted.
1782         (JSC::WASMFunctionParser::parseImmediateExpressionF64): Deleted.
1783         (JSC::WASMFunctionParser::parseUnaryExpressionF64): Deleted.
1784         (JSC::WASMFunctionParser::parseBinaryExpressionF64): Deleted.
1785         (JSC::WASMFunctionParser::parseMinOrMaxExpressionF64): Deleted.
1786         (JSC::WASMFunctionParser::parseExpressionVoid): Deleted.
1787         (JSC::WASMFunctionParser::parseGetLocalExpression): Deleted.
1788         (JSC::WASMFunctionParser::parseGetGlobalExpression): Deleted.
1789         (JSC::WASMFunctionParser::parseSetLocal): Deleted.
1790         (JSC::WASMFunctionParser::parseSetGlobal): Deleted.
1791         (JSC::WASMFunctionParser::parseMemoryAddress): Deleted.
1792         (JSC::WASMFunctionParser::parseLoad): Deleted.
1793         (JSC::WASMFunctionParser::parseStore): Deleted.
1794         (JSC::WASMFunctionParser::parseCallArguments): Deleted.
1795         (JSC::WASMFunctionParser::parseCallInternal): Deleted.
1796         (JSC::WASMFunctionParser::parseCallIndirect): Deleted.
1797         (JSC::WASMFunctionParser::parseCallImport): Deleted.
1798         (JSC::WASMFunctionParser::parseConditional): Deleted.
1799         (JSC::WASMFunctionParser::parseComma): Deleted.
1800         (JSC::WASMFunctionParser::parseConvertType): Deleted.
1801         * wasm/WASMFunctionParser.h: Removed.
1802         (JSC::WASMFunctionParser::WASMFunctionParser): Deleted.
1803         * wasm/WASMFunctionSyntaxChecker.h: Removed.
1804         (JSC::WASMFunctionSyntaxChecker::MemoryAddress::MemoryAddress): Deleted.
1805         (JSC::WASMFunctionSyntaxChecker::startFunction): Deleted.
1806         (JSC::WASMFunctionSyntaxChecker::endFunction): Deleted.
1807         (JSC::WASMFunctionSyntaxChecker::buildSetLocal): Deleted.
1808         (JSC::WASMFunctionSyntaxChecker::buildSetGlobal): Deleted.
1809         (JSC::WASMFunctionSyntaxChecker::buildReturn): Deleted.
1810         (JSC::WASMFunctionSyntaxChecker::buildImmediateI32): Deleted.
1811         (JSC::WASMFunctionSyntaxChecker::buildImmediateF32): Deleted.
1812         (JSC::WASMFunctionSyntaxChecker::buildImmediateF64): Deleted.
1813         (JSC::WASMFunctionSyntaxChecker::buildGetLocal): Deleted.
1814         (JSC::WASMFunctionSyntaxChecker::buildGetGlobal): Deleted.
1815         (JSC::WASMFunctionSyntaxChecker::buildConvertType): Deleted.
1816         (JSC::WASMFunctionSyntaxChecker::buildLoad): Deleted.
1817         (JSC::WASMFunctionSyntaxChecker::buildStore): Deleted.
1818         (JSC::WASMFunctionSyntaxChecker::buildUnaryI32): Deleted.
1819         (JSC::WASMFunctionSyntaxChecker::buildUnaryF32): Deleted.
1820         (JSC::WASMFunctionSyntaxChecker::buildUnaryF64): Deleted.
1821         (JSC::WASMFunctionSyntaxChecker::buildBinaryI32): Deleted.
1822         (JSC::WASMFunctionSyntaxChecker::buildBinaryF32): Deleted.
1823         (JSC::WASMFunctionSyntaxChecker::buildBinaryF64): Deleted.
1824         (JSC::WASMFunctionSyntaxChecker::buildRelationalI32): Deleted.
1825         (JSC::WASMFunctionSyntaxChecker::buildRelationalF32): Deleted.
1826         (JSC::WASMFunctionSyntaxChecker::buildRelationalF64): Deleted.
1827         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxI32): Deleted.
1828         (JSC::WASMFunctionSyntaxChecker::buildMinOrMaxF64): Deleted.
1829         (JSC::WASMFunctionSyntaxChecker::buildCallInternal): Deleted.
1830         (JSC::WASMFunctionSyntaxChecker::buildCallImport): Deleted.
1831         (JSC::WASMFunctionSyntaxChecker::buildCallIndirect): Deleted.
1832         (JSC::WASMFunctionSyntaxChecker::appendExpressionList): Deleted.
1833         (JSC::WASMFunctionSyntaxChecker::discard): Deleted.
1834         (JSC::WASMFunctionSyntaxChecker::linkTarget): Deleted.
1835         (JSC::WASMFunctionSyntaxChecker::jumpToTarget): Deleted.
1836         (JSC::WASMFunctionSyntaxChecker::jumpToTargetIf): Deleted.
1837         (JSC::WASMFunctionSyntaxChecker::startLoop): Deleted.
1838         (JSC::WASMFunctionSyntaxChecker::endLoop): Deleted.
1839         (JSC::WASMFunctionSyntaxChecker::startSwitch): Deleted.
1840         (JSC::WASMFunctionSyntaxChecker::endSwitch): Deleted.
1841         (JSC::WASMFunctionSyntaxChecker::startLabel): Deleted.
1842         (JSC::WASMFunctionSyntaxChecker::endLabel): Deleted.
1843         (JSC::WASMFunctionSyntaxChecker::breakTarget): Deleted.
1844         (JSC::WASMFunctionSyntaxChecker::continueTarget): Deleted.
1845         (JSC::WASMFunctionSyntaxChecker::breakLabelTarget): Deleted.
1846         (JSC::WASMFunctionSyntaxChecker::continueLabelTarget): Deleted.
1847         (JSC::WASMFunctionSyntaxChecker::buildSwitch): Deleted.
1848         (JSC::WASMFunctionSyntaxChecker::stackHeight): Deleted.
1849         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeight): Deleted.
1850         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall): Deleted.
1851         * wasm/WASMModuleParser.cpp: Removed.
1852         (JSC::WASMModuleParser::WASMModuleParser): Deleted.
1853         (JSC::WASMModuleParser::parse): Deleted.
1854         (JSC::WASMModuleParser::parseModule): Deleted.
1855         (JSC::WASMModuleParser::parseConstantPoolSection): Deleted.
1856         (JSC::WASMModuleParser::parseSignatureSection): Deleted.
1857         (JSC::WASMModuleParser::parseFunctionImportSection): Deleted.
1858         (JSC::WASMModuleParser::parseGlobalSection): Deleted.
1859         (JSC::WASMModuleParser::parseFunctionDeclarationSection): Deleted.
1860         (JSC::WASMModuleParser::parseFunctionPointerTableSection): Deleted.
1861         (JSC::WASMModuleParser::parseFunctionDefinitionSection): Deleted.
1862         (JSC::WASMModuleParser::parseFunctionDefinition): Deleted.
1863         (JSC::WASMModuleParser::parseExportSection): Deleted.
1864         (JSC::WASMModuleParser::getImportedValue): Deleted.
1865         (JSC::parseWebAssembly): Deleted.
1866         * wasm/WASMModuleParser.h: Removed.
1867         * wasm/WASMReader.cpp: Removed.
1868         (JSC::WASMReader::readUInt32): Deleted.
1869         (JSC::WASMReader::readFloat): Deleted.
1870         (JSC::WASMReader::readDouble): Deleted.
1871         (JSC::WASMReader::readCompactInt32): Deleted.
1872         (JSC::WASMReader::readCompactUInt32): Deleted.
1873         (JSC::WASMReader::readString): Deleted.
1874         (JSC::WASMReader::readType): Deleted.
1875         (JSC::WASMReader::readExpressionType): Deleted.
1876         (JSC::WASMReader::readExportFormat): Deleted.
1877         (JSC::WASMReader::readByte): Deleted.
1878         (JSC::WASMReader::readOpStatement): Deleted.
1879         (JSC::WASMReader::readOpExpressionI32): Deleted.
1880         (JSC::WASMReader::readOpExpressionF32): Deleted.
1881         (JSC::WASMReader::readOpExpressionF64): Deleted.
1882         (JSC::WASMReader::readOpExpressionVoid): Deleted.
1883         (JSC::WASMReader::readVariableTypes): Deleted.
1884         (JSC::WASMReader::readOp): Deleted.
1885         (JSC::WASMReader::readSwitchCase): Deleted.
1886         * wasm/WASMReader.h: Removed.
1887         (JSC::WASMReader::WASMReader): Deleted.
1888         (JSC::WASMReader::offset): Deleted.
1889         (JSC::WASMReader::setOffset): Deleted.
1890
1891 2016-08-05  Keith Miller  <keith_miller@apple.com>
1892
1893         Fix 32-bit OverridesHasInstance in the DFG.
1894         https://bugs.webkit.org/show_bug.cgi?id=160600
1895
1896         Reviewed by Mark Lam.
1897
        In https://trac.webkit.org/changeset/204140, we fixed an issue where the DFG might
        do the wrong thing if it proved that the Symbol.hasInstance value for a constructor
        was a constant late in compilation. That fix was omitted from the 32-bit version,
        causing the new test to fail.
1902
1903         * dfg/DFGSpeculativeJIT32_64.cpp:
1904         (JSC::DFG::SpeculativeJIT::compile):
1905
1906 2016-08-04  Saam Barati  <sbarati@apple.com>
1907
1908         Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time
1909         https://bugs.webkit.org/show_bug.cgi?id=151241
1910
1911         Reviewed by Benjamin Poulain.
1912
        This patch rolls back in the jettisoning policy from https://bugs.webkit.org/show_bug.cgi?id=149727.
        We can now jettison a CodeBlock when it has been alive for a long time
        and is only pointed to by its owner executable. I haven't been able to get this
        patch to crash on anything it used to crash on, so I suspect we've fixed the bugs that
        were causing this before. I've also added some stress options for this feature that
        will cause us to either eagerly old-age jettison or to old-age jettison whenever it's legal.
        These options helped me find a bug where we would ask an Executable to create a CodeBlock,
        and then the Executable would do some other allocations, causing a GC, immediately causing
        the CodeBlock to jettison. There is a small chance that this was the bug we were seeing before;
        however, it's unlikely given that the previous timing metrics require at least 5 seconds between
        compiling and jettisoning.
1924
1925         This patch also enables the stress options for various modes
1926         of JSC stress tests.
1927
1928         * bytecode/CodeBlock.cpp:
1929         (JSC::CodeBlock::shouldJettisonDueToWeakReference):
1930         (JSC::timeToLive):
1931         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1932         * interpreter/CallFrame.h:
1933         (JSC::ExecState::callee):
1934         (JSC::ExecState::unsafeCallee):
1935         (JSC::ExecState::codeBlock):
1936         (JSC::ExecState::addressOfCodeBlock):
1937         (JSC::ExecState::unsafeCodeBlock):
1938         (JSC::ExecState::scope):
1939         * interpreter/Interpreter.cpp:
1940         (JSC::Interpreter::execute):
1941         (JSC::Interpreter::executeCall):
1942         (JSC::Interpreter::executeConstruct):
1943         (JSC::Interpreter::prepareForRepeatCall):
1944         * jit/JITOperations.cpp:
1945         * llint/LLIntSlowPaths.cpp:
1946         (JSC::LLInt::setUpCall):
1947         * runtime/Executable.cpp:
1948         (JSC::ScriptExecutable::installCode):
1949         (JSC::setupJIT):
1950         (JSC::ScriptExecutable::prepareForExecutionImpl):
1951         * runtime/Executable.h:
1952         (JSC::ScriptExecutable::prepareForExecution):
1953         * runtime/Options.h:
1954
1955 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1956
1957         [ES6] JSModuleNamespaceObject's Symbol.iterator function should have name
1958         https://bugs.webkit.org/show_bug.cgi?id=160549
1959
1960         Reviewed by Saam Barati.
1961
1962         ES6 Module's namespace[Symbol.iterator] function should have the name, "[Symbol.iterator]".
1963
1964         * runtime/JSModuleNamespaceObject.cpp:
1965         (JSC::JSModuleNamespaceObject::finishCreation):
1966
1967 2016-08-04  Keith Miller  <keith_miller@apple.com>
1968
1969         ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
1970         https://bugs.webkit.org/show_bug.cgi?id=160562
1971         <rdar://problem/27704825>
1972
1973         Reviewed by Mark Lam.
1974
1975         This patch fixes an issue where we would emit incorrect code in the DFG when constant folding would
1976         convert a GetByOffset into a constant late in compilation. Additionally, it removes invalid assertions
1977         associated with the assumption that this could not happen.
1978
1979         * dfg/DFGSpeculativeJIT64.cpp:
1980         (JSC::DFG::SpeculativeJIT::compile):
1981         * ftl/FTLLowerDFGToB3.cpp:
1982         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance): Deleted.
1983
1984 2016-08-04  Keith Miller  <keith_miller@apple.com>
1985
1986         Remove unused intrinsic member of NativeExecutable
1987         https://bugs.webkit.org/show_bug.cgi?id=160560
1988
1989         Reviewed by Saam Barati.
1990
        NativeExecutable has an Intrinsic member. It appears that this member is never
        used. Instead we use the Intrinsic member of NativeExecutable's super class,
        ExecutableBase.
1994
1995         * runtime/Executable.h:
1996
1997 2016-08-04  Benjamin Poulain  <bpoulain@apple.com>
1998
1999         [JSC] Speed up InPlaceAbstractState::endBasicBlock()
2000         https://bugs.webkit.org/show_bug.cgi?id=160539
2001
2002         Reviewed by Mark Lam.
2003
2004         This patch does small improvements to our handling
2005         of value propagation to the successors.
2006
        One key insight is that using a HashMap to map Nodes
        to Values in valuesAtTail is too inefficient at the scale
        we use it. Instead, I reuse our existing mapping
        from every Node to its value, abstracted by forNode().
2011
2012         Since we are not going to use the mapping after endBasicBlock(),
2013         I can replace whatever we had there. The next beginBasicBlock()
2014         will set up the new value as needed.
2015
2016         In endBasicBlock(), valuesAtTail is now a vector of all values live
2017         at tail. For each node, I merge the previous live at tail with
2018         the new value, then replace the value in the mapping.
2019         Liveness Analysis guarantees we won't have duplicates there, which
2020         makes the replacement sound.
2021
2022         Next, when propagating, I take the vector of values live at head
2023         and use the global node->value mapping to find its new abstract value.
2024         Again, Liveness Analysis guarantees I won't find a value live at head
2025         that was not replaced by the merging at tail of the predecessor.
2026
2027         All our live lists have become vectors instead of HashTable.
2028         The mapping from Node to Value is always done by array indexing.
2029         Same big-O, much smaller constant.
2030
2031         * dfg/DFGAtTailAbstractState.cpp:
2032         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2033         (JSC::DFG::AtTailAbstractState::createValueForNode):
2034         (JSC::DFG::AtTailAbstractState::forNode):
2035         * dfg/DFGAtTailAbstractState.h:
2036         I did not look much into this state, I just made it equivalent
2037         to the previous mapping.
2038
2039         * dfg/DFGBasicBlock.h:
2040         * dfg/DFGCFAPhase.cpp:
2041         (JSC::DFG::CFAPhase::performBlockCFA):
2042         * dfg/DFGGraph.cpp:
2043         (JSC::DFG::Graph::dump):
2044         * dfg/DFGInPlaceAbstractState.cpp:
2045         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2046
2047         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
2048         AbstractValue is big enough that we really don't want to copy it twice.
2049
2050         (JSC::DFG::InPlaceAbstractState::merge):
2051         (JSC::DFG::setLiveValues): Deleted.
2052         * dfg/DFGInPlaceAbstractState.h:
2053
2054         * dfg/DFGPhiChildren.h:
2055         This is heap allocated by AbstractInterpreter. It should use fastMalloc().
2056
2057 2016-08-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2058
2059         [ES7] Update features.json for exponentiation expression
2060         https://bugs.webkit.org/show_bug.cgi?id=160541
2061
2062         Reviewed by Mark Lam.
2063
2064         * features.json:
2065
2066 2016-08-03  Chris Dumez  <cdumez@apple.com>
2067
2068         Drop DocumentType.internalSubset attribute
2069         https://bugs.webkit.org/show_bug.cgi?id=160530
2070
2071         Reviewed by Alex Christensen.
2072
2073         Drop DocumentType.internalSubset attribute.
2074
2075         * inspector/protocol/DOM.json:
2076
2077 2016-08-03  Benjamin Poulain  <bpoulain@apple.com>
2078
2079         [JSC] Improve the memory locality of DFG Node's AbstractValues
2080         https://bugs.webkit.org/show_bug.cgi?id=160443
2081
2082         Reviewed by Mark Lam.
2083
2084         The AbstractInterpreter spends a lot of time on memory operations
2085         for AbstractValues. This patch attempts to improve the situation
2086         by putting the values closer together in memory.
2087
2088         First, AbstractValue is moved out of DFG::Node and kept in
2089         a vector addressed by node indices.
2090
2091         I initially moved them to InPlaceAbstractState but I quickly discovered
2092         initializing the values in the vector was costly.
2093         I moved the vector to Graph as a cache shared by every instantiation of
2094         InPlaceAbstractState. It is mainly there to avoid constructors and destructors
2095         of AbstractValue. The patch of https://bugs.webkit.org/show_bug.cgi?id=160370
2096         should also help eventually.
2097
2098         I instrumented CFA to find how packed SparseCollection is.
2099         The answer is it can be very sparse, which is bad for CFA.
2100         I added packIndices() to repack the collection before running
2101         liveness since that's where we start using the memory intensively.
2102         This is a measurable improvement but it implies we can no longer
2103         keep indices on a side channel between phases since they may change.
2104
2105         * b3/B3SparseCollection.h:
2106         (JSC::B3::SparseCollection::packIndices):
2107         * dfg/DFGGraph.cpp:
2108         (JSC::DFG::Graph::packNodeIndices):
2109         * dfg/DFGGraph.h:
2110         (JSC::DFG::Graph::abstractValuesCache):
2111         * dfg/DFGInPlaceAbstractState.cpp:
2112         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
2113         * dfg/DFGInPlaceAbstractState.h:
2114         (JSC::DFG::InPlaceAbstractState::forNode):
2115         * dfg/DFGLivenessAnalysisPhase.cpp:
2116         (JSC::DFG::performLivenessAnalysis):
2117         * dfg/DFGNode.h:
2118
2119 2016-08-03  Caitlin Potter  <caitp@igalia.com>
2120
2121         Clarify SyntaxErrors around yield and unskip tests
2122         https://bugs.webkit.org/show_bug.cgi?id=158460
2123
2124         Reviewed by Saam Barati.
2125
2126         Fix and unskip tests which erroneously asserted that `yield` is not a
2127         valid BindingIdentifier, and improve the error message for YieldExpressions
2128         occurring in Arrow formal parameters.
2129
2130         * parser/Parser.cpp:
2131         (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
2132         (JSC::Parser<LexerType>::parseFunctionInfo):
2133         (JSC::Parser<LexerType>::parseYieldExpression):
2134         * parser/Parser.h:
2135
2136 2016-08-03  Filip Pizlo  <fpizlo@apple.com>
2137
2138         REGRESSION(r203368): broke some test262 tests
2139         https://bugs.webkit.org/show_bug.cgi?id=160479
2140
2141         Reviewed by Mark Lam.
2142         
2143         The optimization in r203368 overlooked a subtle detail: freezing should not set ReadOnly on
2144         Accessor properties.
2145
2146         * runtime/Structure.cpp:
2147         (JSC::Structure::nonPropertyTransition):
2148         * runtime/StructureTransitionTable.h:
2149         (JSC::setsDontDeleteOnAllProperties):
2150         (JSC::setsReadOnlyOnNonAccessorProperties):
2151         (JSC::setsReadOnlyOnAllProperties): Deleted.
2152
2153 2016-08-03  Csaba Osztrogonác  <ossy@webkit.org>
2154
2155         Lacking support on an arm-traditional disassembler.
2156         https://bugs.webkit.org/show_bug.cgi?id=123717
2157
2158         Reviewed by Mark Lam.
2159
2160         * CMakeLists.txt:
2161         * disassembler/ARMLLVMDisassembler.cpp: Added, based on pre r196729 LLVMDisassembler, but it is ARM traditional only now.
2162         (JSC::tryToDisassemble):
2163
2164 2016-08-03  Saam Barati  <sbarati@apple.com>
2165
2166         Implement nested rest destructuring w.r.t the ES7 spec
2167         https://bugs.webkit.org/show_bug.cgi?id=160423
2168
2169         Reviewed by Filip Pizlo.
2170
2171         The spec has updated the BindingRestElement grammar production to be:
2172         BindingRestElement:
2173            BindingIdentifier
2174            BindingPattern.
2175
2176         It used to only allow BindingIdentifier in the grammar production.
2177         I've updated our engine to account for this. The semantics are exactly
2178         what you'd expect.  For example:
2179         `let [a, ...[b, ...c]] = expr();`
2180         means that we create an array for the first rest element `...[b, ...c]`
2181         and then perform the binding of `[b, ...c]` to that array. And so on, 
2182         applied recursively through the pattern.
2183
2184         * bytecompiler/NodesCodegen.cpp:
2185         (JSC::RestParameterNode::collectBoundIdentifiers):
2186         (JSC::RestParameterNode::toString):
2187         (JSC::RestParameterNode::bindValue):
2188         (JSC::RestParameterNode::emit):
2189         * parser/ASTBuilder.h:
2190         (JSC::ASTBuilder::createBindingLocation):
2191         (JSC::ASTBuilder::createRestParameter):
2192         (JSC::ASTBuilder::createAssignmentElement):
2193         * parser/NodeConstructors.h:
2194         (JSC::AssignmentElementNode::AssignmentElementNode):
2195         (JSC::RestParameterNode::RestParameterNode):
2196         (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
2197         * parser/Nodes.h:
2198         (JSC::RestParameterNode::name): Deleted.
2199         * parser/Parser.cpp:
2200         (JSC::Parser<LexerType>::parseDestructuringPattern):
2201         (JSC::Parser<LexerType>::parseFormalParameters):
2202         * parser/SyntaxChecker.h:
2203         (JSC::SyntaxChecker::operatorStackPop):
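
The semantics described in the entry above, shown as an added example (not JSC code and not part of this ChangeLog): the rest element collects the remaining iterator values into a fresh array and the nested pattern is then applied to that array, recursively. `destructureNested` uses the language feature directly, `desugaredNested` spells the same steps out by hand so the two can be compared on any iterable, including ones shorter than the pattern; `restWithObjectPattern` shows that the nested pattern may also be an object pattern. All function names are this example's own.

```javascript
// Added example (not JSC code): nested rest elements in array destructuring,
// as allowed by BindingRestElement : BindingIdentifier | BindingPattern.

// The pattern `[a, ...[b, ...c]]` applied to an iterable.
function destructureNested(input) {
  const [a, ...[b, ...c]] = input;
  return { a, b, c };
}

// The same semantics spelled out by hand: the rest element drains the iterator
// into a new array, and the nested pattern `[b, ...c]` is then applied to that
// array. Missing elements read as undefined, an empty rest as [].
function desugaredNested(input) {
  const iterator = input[Symbol.iterator]();
  const first = iterator.next();
  const a = first.done ? undefined : first.value;

  // Outer rest element: collect everything that is left.
  const restArray = [];
  for (let step = iterator.next(); !step.done; step = iterator.next()) {
    restArray.push(step.value);
  }

  // Apply the nested pattern to the collected array.
  const inner = restArray[Symbol.iterator]();
  const innerFirst = inner.next();
  const b = innerFirst.done ? undefined : innerFirst.value;
  const c = [];
  for (let step = inner.next(); !step.done; step = inner.next()) {
    c.push(step.value);
  }
  return { a, b, c };
}

// The nested pattern may also be an object pattern: here the rest array's own
// `length` property is bound, i.e. the number of elements after the head.
function restWithObjectPattern(input) {
  const [head, ...{ length: restLength }] = input;
  return { head, restLength };
}

// True when the built-in destructuring and the hand-written desugaring agree.
function sameResult(input) {
  return JSON.stringify(destructureNested(input)) === JSON.stringify(desugaredNested(input));
}
```

Strings and generators are iterables too, so `destructureNested('abcd')` binds `a = 'a'`, `b = 'b'`, `c = ['c', 'd']`; the desugared form makes it visible that every level of rest nesting materialises one intermediate array.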
2204
2205 2016-08-03  Benjamin Poulain  <benjamin@webkit.org>
2206
2207         [JSC] Fix Windows build after r204065
2208
2209         * dfg/DFGAbstractValue.cpp:
2210         (JSC::DFG::AbstractValue::observeTransitions):
2211         AbstractValue is bigger on Windows for an unknown reason.
2212
2213 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2214
2215         [JSC] Fix 32bits jsc after r204065
2216
2217         Default constructed JSValue() are not equal to zero in 32bits.
2218
2219         * dfg/DFGAbstractValue.h:
2220         (JSC::DFG::AbstractValue::AbstractValue):
2221
2222 2016-08-02  Benjamin Poulain  <benjamin@webkit.org>
2223
2224         [JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter
2225         https://bugs.webkit.org/show_bug.cgi?id=160370
2226
2227         Reviewed by Saam Barati.
2228
2229         We use a ton of AbstractValue to run the Abstract Interpreter.
2230
2231         When we set up the initial values, the compiler sets
2232         a zero on a first word, a one on a second word, and a zero
2233         again on a third word.
2234         Since no vector or double-store can deal with 3 words, unrolling
2235         is done by repeating those instructions.
2236
2237         The reason for the one was TinyPtrSet. It needed a flag for
2238         empty value to identify the set as thin. I flipped the flag to "fat"
2239         to make sure TinyPtrSet is initialized to zero.
2240
2241         With that done, I just had to clean some places to make
2242         the initialization shorter.
2243         It makes the binary easier to follow but this does not help with
2244         the bigger problem: the time spent per block on Abstract Interpreter.
2245
2246         * bytecode/Operands.h:
2247         The traits were useless, no client code defines it.
2248
2249         (JSC::Operands::Operands):
2250         (JSC::Operands::ensureLocals):
2251         Because of the size of the function, llvm is not inlining it.
2252         We were literally loading 3 registers from memory and storing
2253         them in the vector.
2254         Now that AbstractValue has a VectorTraits, we should just rely
2255         on the memset of Vector when possible.
2256
2257         (JSC::Operands::getLocal):
2258         (JSC::Operands::setArgumentFirstTime):
2259         (JSC::Operands::setLocalFirstTime):
2260         (JSC::Operands::clear):
2261         (JSC::OperandValueTraits::defaultValue): Deleted.
2262         (JSC::OperandValueTraits::isEmptyForDump): Deleted.
2263         * bytecode/OperandsInlines.h:
2264         (JSC::Operands<T>::dumpInContext):
2265         (JSC::Operands<T>::dump):
2266         (JSC::Traits>::dumpInContext): Deleted.
2267         (JSC::Traits>::dump): Deleted.
2268         * dfg/DFGAbstractValue.cpp:
2269         * dfg/DFGAbstractValue.h:
2270         (JSC::DFG::AbstractValue::AbstractValue):
2271
2272 2016-08-02  Saam Barati  <sbarati@apple.com>
2273
2274         update a class extending null w.r.t the ES7 spec
2275         https://bugs.webkit.org/show_bug.cgi?id=160417
2276
2277         Reviewed by Keith Miller.
2278
2279         When a class extends null, it should not be marked as a derived class.
2280         This was changed in the ES2016 spec, and this patch makes the needed
2281         changes in JSC to follow the spec. This allows classes to extend
2282         null and have their default constructor invoked without throwing an exception.
2283         This also prevents |this| from being under TDZ at the start of the constructor.
2284         Because ES6 allows arbitrary expressions in the `class <ident> extends <expr>`
2285         syntax, we don't know statically if a constructor is extending null or not.
2286         Therefore, we don't always know statically if it's a base or derived constructor.
2287         I solved this by putting a boolean on the constructor function under a private
2288         symbol named isDerivedConstructor when doing class construction. We only need
2289         to put this boolean on constructors that may extend null. Constructors that are
2290         declared in a class with no extends syntax can tell statically that they are a base constructor.
2291
2292         I've also renamed the ConstructorKind::Derived enum value to be
2293         ConstructorKind::Extends to better indicate that we can't answer
2294         the "am I a derived constructor?" question statically.
2295
2296         * builtins/BuiltinExecutables.cpp:
2297         (JSC::BuiltinExecutables::createDefaultConstructor):
2298         * builtins/BuiltinNames.h:
2299         * bytecompiler/BytecodeGenerator.cpp:
2300         (JSC::BytecodeGenerator::BytecodeGenerator):
2301         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2302         (JSC::BytecodeGenerator::emitReturn):
2303         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
2304         (JSC::BytecodeGenerator::ensureThis):
2305         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
2306         * bytecompiler/BytecodeGenerator.h:
2307         (JSC::BytecodeGenerator::makeFunction):
2308         * bytecompiler/NodesCodegen.cpp:
2309         (JSC::EvalFunctionCallNode::emitBytecode):
2310         (JSC::FunctionCallValueNode::emitBytecode):
2311         (JSC::FunctionNode::emitBytecode):
2312         (JSC::ClassExprNode::emitBytecode):
2313         * parser/Parser.cpp:
2314         (JSC::Parser<LexerType>::Parser):
2315         (JSC::Parser<LexerType>::parseFunctionInfo):
2316         (JSC::Parser<LexerType>::parseClass):
2317         (JSC::Parser<LexerType>::parseMemberExpression):
2318         * parser/ParserModes.h:
2319
2320 2016-08-02  Enrica Casucci  <enrica@apple.com>
2321
2322         Allow building with content filtering disabled.
2323         https://bugs.webkit.org/show_bug.cgi?id=160454
2324
2325         Reviewed by Simon Fraser.
2326
2327         * Configurations/FeatureDefines.xcconfig:
2328
2329 2016-08-02  Csaba Osztrogonác  <ossy@webkit.org>
2330
2331         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
2332         https://bugs.webkit.org/show_bug.cgi?id=159759
2333
2334         Reviewed by Saam Barati.
2335
2336         * jit/JITMathIC.h:
2337         (JSC::JITMathIC::generateInline):
2338
2339 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2340
2341         REGRESSION (r203990): JSC Debug test stress/arity-check-ftl-throw.js failing
2342         https://bugs.webkit.org/show_bug.cgi?id=160438
2343
2344         Reviewed by Mark Lam.
2345         
2346         In r203990 I fixed a bug where CommonSlowPaths.h/arityCheckFor() was basically failing at
2347         catching stack overflow due to large parameter count. It would only catch regular old stack
2348         overflow, like if the frame pointer was already past the limit.
2349         
2350         This had a secondary problem: unfortunately all of our tests for what happens when you overflow
2351         the stack due to large parameter count were not going down that path at all, so we haven't had
2352         test coverage for this in ages.  There were bugs in all tiers of the engine when handling this
2353         case.
2354
2355         We need to be able to roll back the topCallFrame on paths that are meant to throw an exception
2356         from the caller. Otherwise, we'd crash in StackVisitor because it would see a busted stack
2357         frame. Rolling back like this "just works" except when the caller is the VM entry frame. I had
2358         some choices here. I could have forced anyone who is rolling back to always skip VM entry
2359         frames. They can't do it in a way that changes the value of VM::topVMEntryFrame, which is what
2360         a stack frame roll back normally does, since exception unwinding needs to see the current value
2361         of topVMEntryFrame. So, we have a choice to either try to magically avoid all of the paths that
2362         look at topCallFrame, or give topCallFrame a state that unambiguously signals that we are
2363         sitting right on top of a VM entry frame without having succeeded at making a JS call. The only
2364         place that really needs to know is StackVisitor, which wants to start scanning at topCallFrame.
2365         To signal this, I could have either made topCallFrame point to the real top JS call frame
2366         without also rolling back topVMEntryFrame, or I could make topCallFrame == topVMEntryFrame. The
2367         latter felt somehow cleaner. I filed a bug (https://bugs.webkit.org/show_bug.cgi?id=160441) for
2368         converting topCallFrame to a void*, which would give us a chance to harden the rest of the
2369         engine against this case.
2370         
2371         * interpreter/StackVisitor.cpp:
2372         (JSC::StackVisitor::StackVisitor):
2373         We may do ShadowChicken processing, which invokes StackVisitor, when we have topCallFrame
2374         pointing at topVMEntryFrame. This teaches StackVisitor how to handle this case. I believe that
2375         StackVisitor is the only place that needs to be taught about this at this time, because it's
2376         one of the few things that access topCallFrame along this special path.
2377         
2378         * jit/JITOperations.cpp: Roll back the top call frame.
2379         * runtime/CommonSlowPaths.cpp:
2380         (JSC::SLOW_PATH_DECL): Roll back the top call frame.
2381
2382 2016-08-01  Benjamin Poulain  <bpoulain@apple.com>
2383
2384         [JSC][ARM64] Fix branchTest32/64 taking an immediate as mask
2385         https://bugs.webkit.org/show_bug.cgi?id=160439
2386
2387         Reviewed by Filip Pizlo.
2388
2389         * assembler/MacroAssemblerARM64.h:
2390         (JSC::MacroAssemblerARM64::branchTest64):
2391         * b3/air/AirOpcode.opcodes:
2392         Fix the ARM64 codegen to lower BitImm64 without using a scratch register.
2393
2394 2016-07-22  Filip Pizlo  <fpizlo@apple.com>
2395
2396         [B3] Fusing immediates into test instructions should work again
2397         https://bugs.webkit.org/show_bug.cgi?id=160073
2398
2399         Reviewed by Sam Weinig.
2400
2401         When we introduced BitImm, we forgot to change the Branch(BitAnd(value, constant))
2402         fusion.  This emits test instructions, so it should use BitImm for the constant.  But it
2403         was still using Imm!  This meant that isValidForm() always returned false.
2404         
2405         This fixes the code path to use BitImm, and turns off our use of BitImm64 on x86 since
2406         it provides no benefit on x86 and has some risk (the code appears to play fast and loose
2407         with the scratch register).
2408         
2409         This is not an obvious progression on anything, so I added comprehensive tests to
2410         testb3, which check that we selected the optimal instruction in a variety of situations.
2411         We should add more tests like this!
2412
2413         Rolling this back in after fixing ARM64. The bug was that branchTest32|64 on ARM64 doesn't
2414         actually support BitImm or BitImm64, at least not yet. Disabling that in AirOpcodes makes
2415         this patch not a regression on ARM64. That change was reviewed by Benjamin Poulain.
2416
2417         * b3/B3BasicBlock.h:
2418         (JSC::B3::BasicBlock::successorBlock):
2419         * b3/B3LowerToAir.cpp:
2420         (JSC::B3::Air::LowerToAir::createGenericCompare):
2421         * b3/B3LowerToAir.h:
2422         * b3/air/AirArg.cpp:
2423         (JSC::B3::Air::Arg::isRepresentableAs):
2424         (JSC::B3::Air::Arg::usesTmp):
2425         * b3/air/AirArg.h:
2426         (JSC::B3::Air::Arg::isRepresentableAs):
2427         (JSC::B3::Air::Arg::castToType):
2428         (JSC::B3::Air::Arg::asNumber):
2429         * b3/air/AirCode.h:
2430         (JSC::B3::Air::Code::size):
2431         (JSC::B3::Air::Code::at):
2432         * b3/air/AirOpcode.opcodes:
2433         * b3/air/AirValidate.h:
2434         * b3/air/opcode_generator.rb:
2435         * b3/testb3.cpp:
2436         (JSC::B3::compile):
2437         (JSC::B3::compileAndRun):
2438         (JSC::B3::lowerToAirForTesting):
2439         (JSC::B3::testSomeEarlyRegister):
2440         (JSC::B3::testBranchBitAndImmFusion):
2441         (JSC::B3::zero):
2442         (JSC::B3::run):
2443
2444 2016-08-01  Filip Pizlo  <fpizlo@apple.com>
2445
2446         Rationalize varargs stack overflow checks
2447         https://bugs.webkit.org/show_bug.cgi?id=160425
2448
2449         Reviewed by Michael Saboff.
2450
2451         * ftl/FTLLink.cpp:
2452         (JSC::FTL::link): AboveOrEqual 0 is a tautology. The code meant GreaterThanOrEqual, since the error code is -1.
2453         * runtime/CommonSlowPaths.h:
2454         (JSC::CommonSlowPaths::arityCheckFor): Use roundUpToMultipleOf(), which is almost certainly what we meant when we said %.
2455
2456 2016-08-01  Saam Barati  <sbarati@apple.com>
2457
2458         Sub should be a Math IC
2459         https://bugs.webkit.org/show_bug.cgi?id=160270
2460
2461         Reviewed by Mark Lam.
2462
2463         This makes Sub an IC like Mul and Add. I'm seeing the following
2464         improvements of average Sub size on Unity and JetStream:
2465
2466                    |  JetStream  |  Unity 3D  |
2467              ------|-------------|------------|
2468               Old  |  202 bytes  |  205 bytes |
2469              ------|-------------|------------|
2470               New  |  134 bytes  |  134 bytes |
2471              -------------------------------------
2472
2473         * bytecode/CodeBlock.cpp:
2474         (JSC::CodeBlock::addJITMulIC):
2475         (JSC::CodeBlock::addJITSubIC):
2476         (JSC::CodeBlock::findStubInfo):
2477         (JSC::CodeBlock::dumpMathICStats):
2478         * bytecode/CodeBlock.h:
2479         (JSC::CodeBlock::stubInfoBegin):
2480         (JSC::CodeBlock::stubInfoEnd):
2481         * dfg/DFGSpeculativeJIT.cpp:
2482         (JSC::DFG::SpeculativeJIT::compileArithSub):
2483         * ftl/FTLLowerDFGToB3.cpp:
2484         (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
2485         * jit/JITArithmetic.cpp:
2486         (JSC::JIT::emit_op_sub):
2487         (JSC::JIT::emitSlow_op_sub):
2488         (JSC::JIT::emit_op_pow):
2489         * jit/JITMathIC.h:
2490         * jit/JITMathICForwards.h:
2491         * jit/JITOperations.cpp:
2492         * jit/JITOperations.h:
2493         * jit/JITSubGenerator.cpp:
2494         (JSC::JITSubGenerator::generateInline):
2495         (JSC::JITSubGenerator::generateFastPath):
2496         * jit/JITSubGenerator.h:
2497         (JSC::JITSubGenerator::JITSubGenerator):
2498         (JSC::JITSubGenerator::isLeftOperandValidConstant):
2499         (JSC::JITSubGenerator::isRightOperandValidConstant):
2500         (JSC::JITSubGenerator::arithProfile):
2501         (JSC::JITSubGenerator::didEmitFastPath): Deleted.
2502         (JSC::JITSubGenerator::endJumpList): Deleted.
2503         (JSC::JITSubGenerator::slowPathJumpList): Deleted.
2504
2505 2016-08-01  Keith Miller  <keith_miller@apple.com>
2506
2507         We should not keep the JavaScript tests inside the Source/JavaScriptCore/ directory.
2508         https://bugs.webkit.org/show_bug.cgi?id=160372
2509
2510         Rubber stamped by Geoffrey Garen.
2511
2512         This patch moves all the JavaScript tests from Source/JavaScriptCore/tests to
2513         a new top level directory, JSTests. Having the tests in the Source directory
2514         was both confusing and inconvenient for people that just want to checkout the
2515         source code of WebKit. Since there is no other obvious place to put all the
2516         JavaScript tests, a new top level directory seemed the most sensible.
2517
2518         * tests/: Deleted.
2519
2520 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2521
2522         [JSC] Should check Test262Error correctly
2523         https://bugs.webkit.org/show_bug.cgi?id=159862
2524
2525         Reviewed by Saam Barati.
2526
2527         Test262Error in the harness does not have a "name" property.
2528         Rather than checking the "name" property, performing `instanceof` is better to check the class of the exception.
2529
2530         * jsc.cpp:
2531         (checkUncaughtException):
2532         * runtime/JSObject.h:
2533         * tests/test262.yaml:
2534
2535 2016-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2536
2537         [ES6] Module binding can be exported by multiple names
2538         https://bugs.webkit.org/show_bug.cgi?id=160343
2539
2540         Reviewed by Saam Barati.
2541
2542         ES6 Module can export the same local binding by using multiple names.
2543         For example,
2544
2545             ```
2546             var value = 42;
2547
2548             export { value };
2549             export { value as value2 };
2550             ```
2551
2552         Currently, we only allowed one local binding to be exported with one name. So, in the above case,
2553         the local binding "value" is exported as "value2" and "value" name is not exported. This is wrong.
2554
2555         To fix this issue, we collect the correspondence (local name => exported name) to the local bindings
2556         in the parser. Previously, we only maintained the exported local bindings in the parser. We then utilize
2557         this information when creating the export entries in ModuleAnalyzer.
2558
2559         And this patch also moves ModuleScopeData from the Scope object to the Parser class since exported
2560         names should be managed per-module, not per-scope.
2561
2562         This change fixes several test262 failures.
2563
2564         * JavaScriptCore.xcodeproj/project.pbxproj:
2565         * parser/ModuleAnalyzer.cpp:
2566         (JSC::ModuleAnalyzer::exportVariable):
2567         (JSC::ModuleAnalyzer::analyze):
2568         (JSC::ModuleAnalyzer::exportedBinding): Deleted.
2569         (JSC::ModuleAnalyzer::declareExportAlias): Deleted.
2570         * parser/ModuleAnalyzer.h:
2571         * parser/ModuleScopeData.h: Copied from Source/JavaScriptCore/parser/ModuleAnalyzer.h.
2572         (JSC::ModuleScopeData::create):
2573         (JSC::ModuleScopeData::exportedBindings):
2574         (JSC::ModuleScopeData::exportName):
2575         (JSC::ModuleScopeData::exportBinding):
2576         * parser/Nodes.cpp:
2577         (JSC::ProgramNode::ProgramNode):
2578         (JSC::ModuleProgramNode::ModuleProgramNode):
2579         (JSC::EvalNode::EvalNode):
2580         (JSC::FunctionNode::FunctionNode):
2581         * parser/Nodes.h:
2582         (JSC::ModuleProgramNode::moduleScopeData):
2583         * parser/NodesAnalyzeModule.cpp:
2584         (JSC::ExportDefaultDeclarationNode::analyzeModule):
2585         (JSC::ExportNamedDeclarationNode::analyzeModule): Deleted.
2586         * parser/Parser.cpp:
2587         (JSC::Parser<LexerType>::Parser):
2588         (JSC::Parser<LexerType>::parseModuleSourceElements):
2589         (JSC::Parser<LexerType>::parseVariableDeclarationList):
2590         (JSC::Parser<LexerType>::createBindingPattern):
2591         (JSC::Parser<LexerType>::parseFunctionDeclaration):
2592         (JSC::Parser<LexerType>::parseClassDeclaration):
2593         (JSC::Parser<LexerType>::parseExportSpecifier):
2594         (JSC::Parser<LexerType>::parseExportDeclaration):
2595         * parser/Parser.h:
2596         (JSC::Parser::exportName):
2597         (JSC::Parser<LexerType>::parse):
2598         (JSC::ModuleScopeData::create): Deleted.
2599         (JSC::ModuleScopeData::exportedBindings): Deleted.
2600         (JSC::ModuleScopeData::exportName): Deleted.
2601         (JSC::ModuleScopeData::exportBinding): Deleted.
2602         (JSC::Scope::Scope): Deleted.
2603         (JSC::Scope::setSourceParseMode): Deleted.
2604         (JSC::Scope::moduleScopeData): Deleted.
2605         (JSC::Scope::setIsModule): Deleted.
2606         * tests/modules/aliased-names.js: Added.
2607         * tests/modules/aliased-names/main.js: Added.
2608         (change):
2609         * tests/stress/modules-syntax-error-with-names.js:
2610         (export.Cocoa):
2611         (SyntaxError.Cannot.export.a.duplicate.name):
2612         * tests/test262.yaml:
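
The bookkeeping the entry above describes, as an added example written for this page (it is not JSC's parser code; the class and function names are this example's own, chosen to mirror the ChangeLog's vocabulary, and the specifier list is constructed): the per-module data keeps, for every local binding, the list of names it is exported under, while still rejecting a second export of the same exported name, so `export { value }; export { value as value2 }` yields two export entries for one binding.

```javascript
// Added example (not JSC code): per-module export bookkeeping that allows one
// local binding to be exported under several names, while a duplicate
// *exported* name is still a SyntaxError.

// Constructed input, the specifiers the parser would see for:
//   var value = 42;
//   export { value };
//   export { value as value2 };
const SAMPLE_SPECIFIERS = [
  { local: 'value', exported: 'value' },
  { local: 'value', exported: 'value2' },
];

// Managed per module, not per scope: exported names are a module-wide namespace.
class ModuleExportData {
  constructor() {
    this.exportedNames = new Set();      // every exported name, for duplicate detection
    this.exportedBindings = new Map();   // local name -> [exported name, ...]
  }

  // Reserve an exported name; the same name may not be exported twice.
  exportName(name) {
    if (this.exportedNames.has(name)) {
      throw new SyntaxError(`Cannot export a duplicate name '${name}'.`);
    }
    this.exportedNames.add(name);
  }

  // Record that `local` is exported as `exported`; a local may appear many times.
  exportBinding(local, exported) {
    this.exportName(exported);
    if (!this.exportedBindings.has(local)) {
      this.exportedBindings.set(local, []);
    }
    this.exportedBindings.get(local).push(exported);
  }
}

// Parser side: walk the export specifiers and fill the module data.
function collectExportSpecifiers(specifiers) {
  const data = new ModuleExportData();
  for (const { local, exported } of specifiers) {
    data.exportBinding(local, exported);
  }
  return data;
}

// Analyzer side: one export entry per (exported name, local name) pair.
function buildExportEntries(data) {
  const entries = [];
  for (const [local, names] of data.exportedBindings) {
    for (const exported of names) {
      entries.push({ exportName: exported, localName: local });
    }
  }
  return entries;
}

// Convenience: entries for a specifier list, sorted by exported name.
function exportEntriesFor(specifiers) {
  return buildExportEntries(collectExportSpecifiers(specifiers))
    .sort((x, y) => (x.exportName < y.exportName ? -1 : 1));
}
```

Keeping a single `local -> exported` mapping, as the older behaviour did, would silently drop the first alias; keeping the duplicate check on the exported name rather than on the local name is what distinguishes the legal case above from `export { a }; export { b as a }`, which must still fail.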
2613
2614 2016-07-30  Mark Lam  <mark.lam@apple.com>
2615
2616         Assertion failure while setting the length of an ArrayClass array.
2617         https://bugs.webkit.org/show_bug.cgi?id=160381
2618         <rdar://problem/27328703>
2619
2620         Reviewed by Filip Pizlo.
2621
2622         When setting large length values, we're currently treating ArrayClass as a
2623         ContiguousIndexingType array.  This results in an assertion failure.  This is
2624         now fixed.
2625
2626         There are currently only 2 places where we create arrays with indexing type
2627         ArrayClass: ArrayPrototype and RuntimeArray.  The fix in JSArray::setLength()
2628         takes care of ArrayPrototype.
2629
2630         RuntimeArray already checks for the setting of its length property, and will
2631         throw a RangeError.  Hence, no change is needed for the RuntimeArray.
2632         Instead, I added some test cases to ensure that the check and throw behavior does
2633         not change without notice.
2634
2635         * runtime/JSArray.cpp:
2636         (JSC::JSArray::setLength):
2637         * tests/stress/array-setLength-on-ArrayClass-with-large-length.js: Added.
2638         (toString):
2639         (assertEqual):
2640         * tests/stress/array-setLength-on-ArrayClass-with-small-length.js: Added.
2641         (toString):
2642         (assertEqual):
2643
2644 2016-07-29  Keith Miller  <keith_miller@apple.com>
2645
2646         TypedArray super constructor has some incompatibilities
2647         https://bugs.webkit.org/show_bug.cgi?id=160369
2648
2649         Reviewed by Filip Pizlo.
2650
2651         This patch fixes the length property of the TypedArray super constructor.
2652         Additionally, the TypedArray super constructor should no longer be callable.
2653
2654         Also, this patch fixes the expected result of some test262 tests.
2655
2656         * runtime/JSTypedArrayViewConstructor.cpp:
2657         (JSC::JSTypedArrayViewConstructor::finishCreation):
2658         (JSC::constructTypedArrayView):
2659         (JSC::JSTypedArrayViewConstructor::getCallData):
2660         * tests/test262.yaml:
2661
2662 2016-07-29  Jonathan Bedard  <jbedard@apple.com>
2663
2664         Undefined Behavior in JSValue cast from NaN
2665         https://bugs.webkit.org/show_bug.cgi?id=160322
2666
2667         Reviewed by Mark Lam.
2668
2669         JSValues can be constructed from doubles, and in some cases, are deliberately constructed with NaN values.
2670
2671         In circumstances where NaN is bound through the default JSValue constructor, however, an undefined conversion
2672         to int32_t occurs.  While the subsequent if statement should fail and construct the JSValue through the explicit
2673         double constructor, given that the deliberate use of NaN is fairly common, it seems that the jsNaN() function
2674         should immediately call the explicit double constructor both for efficiency and to prevent inadvertent
2675         suppressing of any other bugs which may be instantiating a JSValue with a NaN double.
2676
2677         * runtime/JSCJSValueInlines.h:
2678         (JSC::jsNaN): Explicit double construction for NaN JSValues to avoid undefined behavior.
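
The undefined conversion this entry describes, as an added example (not WebKit's code): a stand-in tagged number type whose conversion checks for NaN, infinity and range before ever casting to int32_t, plus a dedicated NaN constructor that bypasses the generic path entirely. `NumberValue`, `tryConvertToInt32`, `makeNumber` and `makeNaN` are hypothetical names.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Hypothetical stand-in for a tagged number value (example code, not JSC's JSValue):
// it holds either an int32 payload or a double payload, never both.
struct NumberValue {
    bool isInt32;
    int32_t int32Payload;
    double doublePayload;
};

// Writes `out` and returns true only if `d` is exactly representable as an int32.
// Order matters: converting NaN, an infinity or an out-of-range double to int32_t is
// undefined behaviour in C++ (UBSan's -fsanitize=float-cast-overflow flags it), so the
// cast happens only after the value is known to be finite and in range.
bool tryConvertToInt32(double d, int32_t& out)
{
    if (std::isnan(d) || std::isinf(d))
        return false;
    // Both int32 bounds are exactly representable as doubles, so these compares are exact.
    if (d < static_cast<double>(std::numeric_limits<int32_t>::min())
        || d > static_cast<double>(std::numeric_limits<int32_t>::max()))
        return false;
    int32_t i = static_cast<int32_t>(d); // well-defined at this point
    if (static_cast<double>(i) != d)     // rejects fractional values
        return false;
    if (i == 0 && std::signbit(d))       // -0.0 is not an int32; keep it a double
        return false;
    out = i;
    return true;
}

bool isInt32Representable(double d)
{
    int32_t unused = 0;
    return tryConvertToInt32(d, unused);
}

// Generic constructor: int32 representation when possible, double otherwise.
NumberValue makeNumber(double d)
{
    int32_t i = 0;
    if (tryConvertToInt32(d, i))
        return NumberValue{true, i, 0.0};
    return NumberValue{false, 0, d};
}

// The entry's fix, in this toy: a value known to be NaN goes straight to the double
// representation instead of through the generic constructor's int32 probe.
NumberValue makeNaN()
{
    return NumberValue{false, 0, std::numeric_limits<double>::quiet_NaN()};
}
```

The naive idiom `static_cast<double>(static_cast<int32_t>(d)) == d` performs the cast first and so is undefined on NaN input even though the comparison would then fail; the ordered checks above never reach the cast for such values, which is also why a dedicated NaN path costs nothing and keeps sanitizer runs free of noise that could mask a genuine bug elsewhere.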
2679
2680 2016-07-29  Michael Saboff  <msaboff@apple.com>
2681
2682         Refactor DFG::Node::hasLocal() to accessesStack()
2683         https://bugs.webkit.org/show_bug.cgi?id=160357
2684
2685         Reviewed by Filip Pizlo.
2686
2687         Refactoring in preparation for using register arguments for JavaScript calls.
2688
2689         Renamed Node::hasLocal() to Node::accessesStack() and changed all uses accordingly.
2690         Also changed uses of Node::hasVariableAccessData() to accessesStack() where that
2691         use guards stack operation logic associated with the Node's VariableAccessData.
2692
2693         The hasVariableAccessData() check now implies no more than the node has a
2694         VariableAccessData and nothing about its use of that data to coordinate stack
2695         accesses.
2696
2697         * dfg/DFGGraph.cpp:
2698         (JSC::DFG::Graph::dump):
2699         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2700         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
2701         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
2702         * dfg/DFGMaximalFlushInsertionPhase.cpp:
2703         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
2704         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
2705         * dfg/DFGNode.h:
2706         (JSC::DFG::Node::containsMovHint):
2707         (JSC::DFG::Node::accessesStack):
2708         (JSC::DFG::Node::hasLocal): Deleted.
2709         * dfg/DFGPredictionInjectionPhase.cpp:
2710         (JSC::DFG::PredictionInjectionPhase::run):
2711         * dfg/DFGValidate.cpp:
2712
2713 2016-07-29  Benjamin Poulain  <benjamin@webkit.org>
2714
2715         [JSC] Use the same data structures for DFG and Air Liveness Analysis
2716         https://bugs.webkit.org/show_bug.cgi?id=160346
2717
2718         Reviewed by Geoffrey Garen.
2719
2720         In Air, we minimized memory accesses during liveness analysis
2721         with a couple of tricks:
2722         -Use a single Sparse Set ADT for the live value of each block.
2723         -Manipulate compact positive indices instead of hashing values.
2724
2725         This patch brings the same ideas to DFG.
2726
2727         This patch still uses the same fixpoint algorithms.
2728         The reason is Edge's KillStatus used by other phases. We cannot
2729         use a block-boundary liveness algorithm and update KillStatus
2730         simultaneously. It's something I'll probably revisit at some point.
2731
2732         * dfg/DFGAbstractInterpreterInlines.h:
2733         (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
2734         (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
2735         * dfg/DFGBasicBlock.h:
2736         * dfg/DFGGraph.h:
2737         (JSC::DFG::Graph::maxNodeCount):
2738         (JSC::DFG::Graph::nodeAt):
2739         * dfg/DFGInPlaceAbstractState.cpp:
2740         (JSC::DFG::setLiveValues):
2741         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
2742         * dfg/DFGLivenessAnalysisPhase.cpp:
2743         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
2744         (JSC::DFG::LivenessAnalysisPhase::run):
2745         (JSC::DFG::LivenessAnalysisPhase::processBlock):
2746         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
2747         (JSC::DFG::LivenessAnalysisPhase::process): Deleted.
2748
2749 2016-07-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2750
2751         Unreviewed, ByValInfo is only used in JIT enabled environments
2752         https://bugs.webkit.org/show_bug.cgi?id=158908
2753
2754         * bytecode/CodeBlock.cpp:
2755         (JSC::CodeBlock::stronglyVisitStrongReferences):
2756
2757 2016-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2758
2759         JSC::Symbol should be hash-consed
2760         https://bugs.webkit.org/show_bug.cgi?id=158908
2761
2762         Reviewed by Filip Pizlo.
2763
2764         Previously, SymbolImpls held by symbols represented the identity of symbols.
2765         When we check the equality between symbols, we need to load SymbolImpls of symbols and compare them.
2766
2767         This patch performs hash-consing onto the symbols. We cache symbols in per-VM's SymbolImpl-keyed WeakGCMap.
2768         When creating a new symbol from SymbolImpl, we first query this map and reuse the previously created symbol
2769         if it is found. This ensures a one-to-one correspondence between SymbolImpl and symbol. So now, we can use
2770         pointer-comparison to query the equality of symbols.
2771
2772         This change drops SymbolImpl loads when checking the equality. Furthermore, we can use DFG CheckCell to symbol
2773         when we would like to ensure that the given value is the expected symbol. This cleans up GetByVal's symbol-keyed
2774         caching. Then, we changed CheckIdent to CheckStringIdent since it only checks the string case now. The symbol
2775         case is handled by CheckCell.
2776
2777         Additionally, this patch also cleans up Map / Set implementation since we can use the logic for JSCell to symbols.
2778
2779         The performance effects in the related benchmarks are the following.
2780
2781                                                                baseline                   patch
2782
2783             bigswitch-indirect-symbol-or-undefined         85.6214+-1.0063     ^     63.0522+-0.8615        ^ definitely 1.3579x faster
2784             bigswitch-indirect-symbol                      84.9653+-0.6258     ^     80.4900+-0.8008        ^ definitely 1.0556x faster
2785             fold-put-by-val-with-symbol-to-multi-put-by-offset
2786                                                             9.4396+-0.3726            9.2941+-0.3311          might be 1.0157x faster
2787             inlined-put-by-val-with-symbol-transition
2788                                                            49.5477+-0.2401     ?     49.7533+-0.3369        ?
2789             get-by-val-with-symbol-self-or-proto           11.9740+-0.0798     ?     12.1706+-0.2723        ? might be 1.0164x slower
2790             get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
2791                                                             4.1364+-0.0841            4.0872+-0.0925          might be 1.0120x faster
2792             put-by-val-with-symbol                         11.3709+-0.0223           11.3613+-0.0264
2793             get-by-val-with-symbol-proto-or-self           11.8984+-0.0706     ?     11.9030+-0.0787        ?
2794             polymorphic-put-by-val-with-symbol             31.4176+-0.0558           31.3825+-0.0447
2795             implicit-bigswitch-indirect-symbol             61.3115+-0.6577     ^     58.0098+-0.1212        ^ definitely 1.0569x faster
2796             get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
2797                                                             3.3139+-0.0565     ^      2.9947+-0.0732        ^ definitely 1.1066x faster
2798             get-by-val-with-symbol-chain-from-try-block
2799                                                             2.2316+-0.0179            2.2137+-0.0210
2800             get-by-val-with-symbol-bimorphic-check-structure-elimination
2801                                                            10.6031+-0.2216     ^     10.0939+-0.1977        ^ definitely 1.0504x faster
2802             get-by-val-with-symbol-check-structure-elimination
2803                                                             8.5576+-0.1521     ^      7.7107+-0.1308        ^ definitely 1.1098x faster
2804             put-by-val-with-symbol-slightly-polymorphic
2805                                                             3.1957+-0.0538     ^      2.9181+-0.0708        ^ definitely 1.0951x faster
2806             put-by-val-with-symbol-replace-and-transition
2807                                                            11.8253+-0.0757     ^     11.6590+-0.0351        ^ definitely 1.0143x faster
2808
2809             <geometric>                                    13.3911+-0.0527     ^     12.7376+-0.0457        ^ definitely 1.0513x faster
2810
2811         * bytecode/ByValInfo.h:
2812         * bytecode/CodeBlock.cpp:
2813         (JSC::CodeBlock::stronglyVisitStrongReferences):
2814         * dfg/DFGAbstractInterpreterInlines.h:
2815         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2816         * dfg/DFGByteCodeParser.cpp:
2817         (JSC::DFG::ByteCodeParser::parseBlock):
2818         * dfg/DFGClobberize.h:
2819         (JSC::DFG::clobberize):
2820         * dfg/DFGConstantFoldingPhase.cpp:
2821         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2822         * dfg/DFGDoesGC.cpp:
2823         (JSC::DFG::doesGC):
2824         * dfg/DFGFixupPhase.cpp:
2825         (JSC::DFG::FixupPhase::fixupNode):
2826         * dfg/DFGNode.h:
2827         (JSC::DFG::Node::hasUidOperand):
2828         * dfg/DFGNodeType.h:
2829         * dfg/DFGPredictionPropagationPhase.cpp:
2830         * dfg/DFGSafeToExecute.h:
2831         (JSC::DFG::safeToExecute):
2832         * dfg/DFGSpeculativeJIT.cpp:
2833         (JSC::DFG::SpeculativeJIT::compileSymbolEquality):
2834         (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality):
2835         (JSC::DFG::SpeculativeJIT::compileCheckStringIdent):
2836         (JSC::DFG::SpeculativeJIT::extractStringImplFromBinarySymbols): Deleted.
2837         (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
2838         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality): Deleted.
2839         * dfg/DFGSpeculativeJIT.h:
2840         * dfg/DFGSpeculativeJIT32_64.cpp:
2841         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2842         (JSC::DFG::SpeculativeJIT::compile):
2843         * dfg/DFGSpeculativeJIT64.cpp:
2844         (JSC::DFG::SpeculativeJIT::compileSymbolUntypedEquality):
2845         (JSC::DFG::SpeculativeJIT::compile):
2846         * ftl/FTLAbstractHeapRepository.h:
2847         * ftl/FTLCapabilities.cpp:
2848         (JSC::FTL::canCompile):
2849         * ftl/FTLLowerDFGToB3.cpp:
2850         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2851         (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):
2852         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
2853         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent): Deleted.
2854         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID): Deleted.
2855         * jit/JIT.h:
2856         * jit/JITOperations.cpp:
2857         (JSC::tryGetByValOptimize):
2858         * jit/JITPropertyAccess.cpp:
2859         (JSC::JIT::emitGetByValWithCachedId):
2860         (JSC::JIT::emitPutByValWithCachedId):
2861         (JSC::JIT::emitByValIdentifierCheck):
2862         (JSC::JIT::privateCompileGetByValWithCachedId):
2863         (JSC::JIT::privateCompilePutByValWithCachedId):
2864         (JSC::JIT::emitIdentifierCheck): Deleted.
2865         * jit/JITPropertyAccess32_64.cpp:
2866         (JSC::JIT::emitGetByValWithCachedId):
2867         (JSC::JIT::emitPutByValWithCachedId):
2868         * runtime/JSCJSValue.cpp:
2869         (JSC::JSValue::dumpInContextAssumingStructure):
2870         * runtime/JSCJSValueInlines.h:
2871         (JSC::JSValue::equalSlowCaseInline):
2872         (JSC::JSValue::strictEqualSlowCaseInline): Deleted.
2873         * runtime/JSFunction.cpp:
2874         (JSC::JSFunction::setFunctionName):
2875         * runtime/MapData.h:
2876         * runtime/MapDataInlines.h:
2877         (JSC::JSIterator>::clear): Deleted.
2878         (JSC::JSIterator>::find): Deleted.
2879         (JSC::JSIterator>::add): Deleted.
2880         (JSC::JSIterator>::remove): Deleted.
2881         (JSC::JSIterator>::replaceAndPackBackingStore): Deleted.
2882         * runtime/Symbol.cpp:
2883         (JSC::Symbol::finishCreation):
2884         (JSC::Symbol::create):
2885         * runtime/Symbol.h:
2886         * runtime/VM.cpp:
2887         (JSC::VM::VM):
2888         * runtime/VM.h:
2889         * tests/stress/symbol-equality-over-gc.js: Added.
2890         (shouldBe):
2891         (test):
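
An added example, not JSC's implementation, of the hash-consing scheme this entry describes: `SymbolTable::intern` maps a `SymbolImpl` (identified here by a uid standing in for its address) to a single `Symbol` cell through weak references, so symbol equality becomes pointer comparison and cells nobody else holds can be collected and later replaced, in the spirit of the per-VM WeakGCMap. All names are hypothetical.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <unordered_map>

// Hypothetical stand-ins (example code, not JSC's classes): a SymbolImpl carries the
// description plus a unique id, and a Symbol cell wraps exactly one SymbolImpl.
struct SymbolImpl {
    std::string description;
    uint64_t uid;
};

struct Symbol {
    std::shared_ptr<SymbolImpl> impl;
};

// Hash-consing table keyed by SymbolImpl identity. Entries are weak, so a cell that
// nothing else owns expires and its slot is reused on the next intern.
class SymbolTable {
public:
    std::shared_ptr<Symbol> intern(const std::shared_ptr<SymbolImpl>& impl)
    {
        auto it = m_map.find(impl->uid);
        if (it != m_map.end()) {
            if (auto existing = it->second.lock())
                return existing; // same SymbolImpl -> same Symbol cell
            m_map.erase(it);     // stale entry: the old cell has been collected
        }
        auto fresh = std::make_shared<Symbol>(Symbol{impl});
        m_map[impl->uid] = fresh;
        return fresh;
    }

    size_t liveEntries() const
    {
        size_t n = 0;
        for (const auto& entry : m_map)
            if (!entry.second.expired())
                ++n;
        return n;
    }

private:
    std::unordered_map<uint64_t, std::weak_ptr<Symbol>> m_map;
};

// With one cell per SymbolImpl, equality is pointer equality; no impl load is needed.
bool symbolsEqual(const Symbol* a, const Symbol* b) { return a == b; }

static std::shared_ptr<SymbolImpl> makeImpl(const std::string& description, uint64_t uid)
{
    return std::make_shared<SymbolImpl>(SymbolImpl{description, uid});
}

// Interning the same SymbolImpl twice yields the same cell.
bool internIsIdempotent()
{
    SymbolTable table;
    auto impl = makeImpl("foo", 1);
    auto a = table.intern(impl);
    auto b = table.intern(impl);
    return symbolsEqual(a.get(), b.get()) && table.liveEntries() == 1;
}

// Two distinct SymbolImpls with the same description are distinct symbols, just as
// Symbol("foo") !== Symbol("foo") in JavaScript.
bool distinctImplsGiveDistinctSymbols()
{
    SymbolTable table;
    auto a = table.intern(makeImpl("foo", 1));
    auto b = table.intern(makeImpl("foo", 2));
    return !symbolsEqual(a.get(), b.get()) && table.liveEntries() == 2;
}

// Once every owner of a cell is gone the weak entry expires, and a later intern of the
// same impl allocates a fresh cell instead of handing out a dangling one.
bool expiredEntriesAreReplaced()
{
    SymbolTable table;
    auto impl = makeImpl("bar", 3);
    {
        auto first = table.intern(impl);
    }
    bool expiredBefore = table.liveEntries() == 0;
    auto again = table.intern(impl);
    return expiredBefore && again->impl == impl && table.liveEntries() == 1;
}
```

The weak entries are what make the pointer-equality shortcut safe: the table never keeps a cell alive on its own, and a lookup that finds an expired entry allocates rather than returning freed memory.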
2892
2893 2016-07-28  Mark Lam  <mark.lam@apple.com>
2894
2895         ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string.
2896         https://bugs.webkit.org/show_bug.cgi?id=160324
2897         <rdar://problem/27389572>
2898
2899         Reviewed by Keith Miller.
2900
2901         The issue is that errorProtoFuncToString() was using jsNontrivialString() to
2902         generate the error string even when the name string can be a single character
2903         string.  This is incorrect.  We should be using jsString() instead.
2904
2905         * runtime/ErrorPrototype.cpp:
2906         (JSC::errorProtoFuncToString):
2907         * tests/stress/errors-with-simple-names-or-messages-should-not-crash-toString.js: Added.
2908
2909 2016-07-28  Michael Saboff  <msaboff@apple.com>
2910
2911         ARM64: Fused left shift with a right shift can create NaNs from integers
2912         https://bugs.webkit.org/show_bug.cgi?id=160329
2913
2914         Reviewed by Geoffrey Garen.
2915
2916         When we fuse a left shift and a right shift of integers where the shift amounts
2917         are the same and the size of the quantity being shifted is 8 bits, we rightly
2918         generate a sign extend byte instruction.  On ARM64, we were sign extending
2919         to a 64 bit quantity, when we really wanted to sign extend to a 32 bit quantity.
2920
2921         Checking the ARM64 macro assembler, we found we were extending to 64 bits for all
2922         four combinations of zero / sign and 8 / 16 bits.
2923
2924         * assembler/MacroAssemblerARM64.h:
2925         (JSC::MacroAssemblerARM64::zeroExtend16To32):
2926         (JSC::MacroAssemblerARM64::signExtend16To32):
2927         (JSC::MacroAssemblerARM64::zeroExtend8To32):
2928         (JSC::MacroAssemblerARM64::signExtend8To32):
2929         * tests/stress/regress-160329.js: New test added.
2930         (narrow):
2931
2932 2016-07-28  Mark Lam  <mark.lam@apple.com>
2933
2934         StringView should have an explicit m_is8Bit field.
2935         https://bugs.webkit.org/show_bug.cgi?id=160282
2936         <rdar://problem/27327943>
2937
2938         Reviewed by Benjamin Poulain.
2939
2940         * tests/stress/string-joining-long-strings-should-not-crash.js: Added.
2941         (catch):
2942
2943 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2944
2945         [ARM] Typo fix after r121885
2946         https://bugs.webkit.org/show_bug.cgi?id=160288
2947
2948         Reviewed by Zoltan Herczeg.
2949
2950         * assembler/MacroAssemblerARM.h:
2951         (JSC::MacroAssemblerARM::maxJumpReplacementSize):
2952
2953 2016-07-28  Csaba Osztrogonác  <ossy@webkit.org>
2954
2955         64-bit alignment check isn't necessary in ARMAssembler::prepareExecutableCopy after r202214
2956         https://bugs.webkit.org/show_bug.cgi?id=159711
2957
2958         Reviewed by Mark Lam.
2959
2960         * assembler/ARMAssembler.cpp:
2961         (JSC::ARMAssembler::prepareExecutableCopy):
2962
2963 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2964
2965         [JSC] Remove some unused code from FTL
2966         https://bugs.webkit.org/show_bug.cgi?id=160285
2967
2968         Reviewed by Mark Lam.
2969
2970         All the liveness and swapping is done inside B3,
2971         this code is no longer needed.
2972
2973         * dfg/DFGEdge.h:
2974         (JSC::DFG::Edge::doesNotKill): Deleted.
2975         * ftl/FTLLowerDFGToB3.cpp:
2976         (JSC::FTL::DFG::LowerDFGToB3::doesKill): Deleted.
2977
2978 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
2979
2980         [JSC] DFG::Node should not have its own allocator
2981         https://bugs.webkit.org/show_bug.cgi?id=160098
2982
2983         Reviewed by Geoffrey Garen.
2984
2985         We need some design changes for DFG::Node:
2986         -Accessing the index must be fast. B3 uses indices for sets
2987          and maps; it is a lot faster than hashing pointers.
2988         -We should be able to subclass DFG::Node to specialize it.
2989
2990         * CMakeLists.txt:
2991         * JavaScriptCore.xcodeproj/project.pbxproj:
2992         * dfg/DFGAllocator.h: Removed.
2993         (JSC::DFG::Allocator::Region::size): Deleted.
2994         (JSC::DFG::Allocator::Region::headerSize): Deleted.
2995         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
2996         (JSC::DFG::Allocator::Region::data): Deleted.
2997         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
2998         (JSC::DFG::Allocator::Region::regionFor): Deleted.
2999         (JSC::DFG::Allocator<T>::Allocator): Deleted.
3000         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
3001         (JSC::DFG::Allocator<T>::allocate): Deleted.
3002         (JSC::DFG::Allocator<T>::free): Deleted.
3003         (JSC::DFG::Allocator<T>::freeAll): Deleted.
3004         (JSC::DFG::Allocator<T>::reset): Deleted.
3005         (JSC::DFG::Allocator<T>::indexOf): Deleted.
3006         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
3007         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
3008         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
3009         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
3010         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
3011         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
3012         * dfg/DFGByteCodeParser.cpp:
3013         (JSC::DFG::ByteCodeParser::addToGraph):
3014         * dfg/DFGCPSRethreadingPhase.cpp:
3015         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3016         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
3017         * dfg/DFGCleanUpPhase.cpp:
3018         (JSC::DFG::CleanUpPhase::run):
3019         * dfg/DFGConstantFoldingPhase.cpp:
3020         (JSC::DFG::ConstantFoldingPhase::run):
3021         * dfg/DFGConstantHoistingPhase.cpp:
3022         * dfg/DFGDCEPhase.cpp:
3023         (JSC::DFG::DCEPhase::fixupBlock):
3024         * dfg/DFGDriver.cpp:
3025         (JSC::DFG::compileImpl):
3026         * dfg/DFGGraph.cpp:
3027         (JSC::DFG::Graph::Graph):
3028         (JSC::DFG::Graph::deleteNode):
3029         (JSC::DFG::Graph::killBlockAndItsContents):
3030         (JSC::DFG::Graph::~Graph): Deleted.
3031         * dfg/DFGGraph.h:
3032         (JSC::DFG::Graph::addNode):
3033         * dfg/DFGLICMPhase.cpp:
3034         (JSC::DFG::LICMPhase::attemptHoist):
3035         * dfg/DFGLongLivedState.cpp: Removed.
3036         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
3037         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
3038         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
3039         * dfg/DFGLongLivedState.h: Removed.
3040         * dfg/DFGNode.cpp:
3041         (JSC::DFG::Node::index): Deleted.
3042         * dfg/DFGNode.h:
3043         (JSC::DFG::Node::index):
3044         * dfg/DFGNodeAllocator.h: Removed.
3045         (operator new ): Deleted.
3046         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3047         * dfg/DFGPlan.cpp:
3048         (JSC::DFG::Plan::compileInThread):
3049         (JSC::DFG::Plan::compileInThreadImpl):
3050         * dfg/DFGPlan.h:
3051         * dfg/DFGSSAConversionPhase.cpp:
3052         (JSC::DFG::SSAConversionPhase::run):
3053         * dfg/DFGWorklist.cpp:
3054         (JSC::DFG::Worklist::runThread):
3055         * runtime/VM.cpp:
3056         (JSC::VM::VM): Deleted.
3057         * runtime/VM.h:
3058
3059 2016-07-27  Benjamin Poulain  <bpoulain@apple.com>
3060
3061         [JSC] Fix a bunch of use-after-free of DFG::Node
3062         https://bugs.webkit.org/show_bug.cgi?id=160228
3063
3064         Reviewed by Mark Lam.
3065
3066         FTL had a few places where we use a node after it has been
3067         deleted. The dangling pointers come from the SSA liveness information
3068         kept on the basic blocks.
3069
3070         This patch fixes the issues I could find and adds liveness invalidation
3071         to help finding dependencies like these.
3072
3073         * dfg/DFGBasicBlock.h:
3074         (JSC::DFG::BasicBlock::SSAData::invalidate):
3075
3076         * dfg/DFGConstantFoldingPhase.cpp:
3077         (JSC::DFG::ConstantFoldingPhase::run):
3078         Constant folding phase was deleting nodes in the loop over basic blocks.
3079         The problem is the deleted nodes can be referenced by other blocks.
3080         When the abstract interpreter was manipulating the abstract values of those
3081         it was doing so on the dead nodes.
3082
3083         * dfg/DFGConstantHoistingPhase.cpp:
3084         Just invalidation. Nothing wrong here since the useless nodes were
3085         kept live while iterating the blocks.
3086
3087         * dfg/DFGGraph.cpp:
3088         (JSC::DFG::Graph::killBlockAndItsContents):
3089         (JSC::DFG::Graph::killUnreachableBlocks):
3090         (JSC::DFG::Graph::invalidateNodeLiveness):
3091
3092         * dfg/DFGGraph.h:
3093         * dfg/DFGPlan.cpp:
3094         (JSC::DFG::Plan::compileInThreadImpl):
3095         We had a lot of use-after-free in LICM because we were using the stale
3096         live nodes deleted by previous phases.
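
An added example (hypothetical stand-ins, not the DFG's classes) of the invalidation discipline this entry introduces: deleting a node clears every block's cached liveness and drops a `valid` bit, so a consumer phase that reads the cache recomputes it instead of dereferencing pointers to freed nodes. `Graph`, `SSAData::invalidate` and the two scenario functions are this example's own names.

```cpp
#include <algorithm>
#include <cstdint>
#include <memory>
#include <vector>

// Hypothetical stand-ins (example code, not JSC's DFG classes).
struct Node {
    uint32_t index;
    bool deleted;
};

// Liveness cached on a block. `valid` is the invalidation bit: consumers must not read
// `liveAtHead` while it is false.
struct SSAData {
    std::vector<Node*> liveAtHead;
    bool valid;
    SSAData() : valid(false) { }
    void invalidate() { liveAtHead.clear(); valid = false; }
};

struct BasicBlock {
    std::vector<Node*> uses; // nodes (possibly owned by other blocks) this block reads
    SSAData ssa;
};

class Graph {
public:
    Node* addNode()
    {
        m_nodes.push_back(std::unique_ptr<Node>(new Node{static_cast<uint32_t>(m_nodes.size()), false}));
        return m_nodes.back().get();
    }

    BasicBlock* addBlock()
    {
        m_blocks.push_back(std::unique_ptr<BasicBlock>(new BasicBlock));
        return m_blocks.back().get();
    }

    // Toy liveness: whatever a block reads is live at its head.
    void computeLiveness()
    {
        for (auto& block : m_blocks) {
            block->ssa.liveAtHead = block->uses;
            block->ssa.valid = true;
        }
    }

    // Old behaviour: the node leaves the graph (its users already rewired by the calling
    // phase) but each block's cached liveness is left alone. The real compiler frees the
    // node here; this toy keeps the memory, flagged as deleted, only so the stale
    // reference can be observed without an actual use-after-free.
    void deleteNodeWithoutInvalidation(Node* node)
    {
        node->deleted = true;
        for (auto& block : m_blocks)
            block->uses.erase(std::remove(block->uses.begin(), block->uses.end(), node), block->uses.end());
    }

    // Fixed behaviour: deletion also invalidates the caches, so a later phase that trusts
    // them recomputes (or asserts) instead of touching dead nodes.
    void deleteNode(Node* node)
    {
        deleteNodeWithoutInvalidation(node);
        invalidateNodeLiveness();
    }

    void invalidateNodeLiveness()
    {
        for (auto& block : m_blocks)
            block->ssa.invalidate();
    }

    // A consumer phase that honours the bit.
    const std::vector<Node*>& liveNodesAtHead(BasicBlock* block)
    {
        if (!block->ssa.valid)
            computeLiveness();
        return block->ssa.liveAtHead;
    }

private:
    std::vector<std::unique_ptr<Node>> m_nodes;
    std::vector<std::unique_ptr<BasicBlock>> m_blocks;
};

static bool referencesDeletedNode(const std::vector<Node*>& live)
{
    for (Node* node : live)
        if (node->deleted)
            return true;
    return false;
}

// Block B's cache still names a node that was deleted while another block was processed.
bool staleLivenessSurvivesDeletion()
{
    Graph graph;
    Node* shared = graph.addNode();
    BasicBlock* b = graph.addBlock();
    b->uses.push_back(shared);
    graph.computeLiveness();
    graph.deleteNodeWithoutInvalidation(shared);
    return b->ssa.valid && referencesDeletedNode(b->ssa.liveAtHead);
}

// With invalidation, the consumer sees the cleared bit and recomputes from live data.
bool invalidationForcesRecompute()
{
    Graph graph;
    Node* shared = graph.addNode();
    BasicBlock* b = graph.addBlock();
    b->uses.push_back(shared);
    graph.computeLiveness();
    graph.deleteNode(shared);
    bool wasInvalidated = !b->ssa.valid;
    const std::vector<Node*>& live = graph.liveNodesAtHead(b);
    return wasInvalidated && b->ssa.valid && live.empty() && !referencesDeletedNode(live);
}
```

The bit costs one branch per consumer but turns a silent dangling-pointer read into an explicit recompute; in a debug build the same check is the natural place for an assertion that pinpoints which phase consumed stale liveness.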
3097
3098 2016-07-27  Keith Miller  <keith_miller@apple.com>
3099
3100         concatAppendOne should allocate using the indexing type of the array if it cannot merge
3101         https://bugs.webkit.org/show_bug.cgi?id=160261
3102         <rdar://problem/27530122>
3103
3104         Reviewed by Mark Lam.
3105
3106         Before, if we could not merge the indexing types for copying, we would allocate the
3107         array as ArrayWithUndecided. Instead, we should allocate an array with the original
3108         array's indexing type.
3109
3110         * runtime/ArrayPrototype.cpp:
3111         (JSC::concatAppendOne):
3112         * tests/stress/concat-append-one-with-sparse-array.js: Added.
3113
3114 2016-07-27  Saam Barati  <sbarati@apple.com>
3115
3116         We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
3117         https://bugs.webkit.org/show_bug.cgi?id=160211
3118         <rdar://problem/27572612>
3119
3120         Reviewed by Geoffrey Garen.
3121
3122         The fast for-in iteration mode assumes all inline/out-of-line properties
3123         can be iterated in linear order. This is not true if we have Symbols
3124         because Symbols should not be iterated by for-in.
3125
3126         * runtime/Structure.cpp:
3127         (JSC::Structure::add):
3128         * tests/stress/symbol-should-not-break-for-in.js: Added.
3129         (assert):
3130         (foo):
3131
3132 2016-07-27  Mark Lam  <mark.lam@apple.com>
3133
3134         The second argument for Function.prototype.apply should be array-like or null/undefined.
3135         https://bugs.webkit.org/show_bug.cgi?id=160212
3136         <rdar://problem/27328525>
3137
3138         Reviewed by Filip Pizlo.
3139
3140         The spec for Function.prototype.apply says its second argument can only be null,
3141         undefined, or must be array-like.  See
3142         https://tc39.github.io/ecma262/#sec-function.prototype.apply and
3143         https://tc39.github.io/ecma262/#sec-createlistfromarraylike.
3144
3145         Our previous implementation was not handling this correctly for SymbolType.
3146         This is now fixed.
3147
3148         * interpreter/Interpreter.cpp:
3149         (JSC::sizeOfVarargs):
3150         * tests/stress/apply-second-argument-must-be-array-like.js: Added.
3151
3152 2016-07-27  Saam Barati  <sbarati@apple.com>
3153
3154         MathICs should be able to emit only a jump along the inline path when they don't have any type data
3155         https://bugs.webkit.org/show_bug.cgi?id=160110
3156
3157         Reviewed by Mark Lam.
3158
3159         This patch allows for MathIC fast-path generation to be delayed.
3160         We delay when we don't see any observed type information for
3161         the lhs/rhs operand, which implies that the MathIC has never
3162         executed. This is profitable for two main reasons:
3163         1. If the math operation never executes, we emit much less code.
3164         2. Once we get type information for the lhs/rhs, we can emit better code.
3165
3166         To implement this, we just emit a jump to the slow path call
3167         that will repatch on first execution.
3168
3169         New data for add:
3170                    |   JetStream  |  Unity 3D  |
3171              ------| -------------|--------------
3172               Old  |   148 bytes  |  143 bytes |
3173              ------| -------------|--------------
3174               New  |   116  bytes |  113 bytes |
3175              ------------------------------------
3176
3177         New data for mul:
3178                    |   JetStream  |  Unity 3D  |
3179              ------| -------------|--------------
3180               Old  |   210 bytes  |  185 bytes |
3181              ------| -------------|--------------
3182               New  |   170  bytes |  137 bytes |
3183              ------------------------------------
3184
3185         * jit/JITAddGenerator.cpp:
3186         (JSC::JITAddGenerator::generateInline):
3187         * jit/JITAddGenerator.h:
3188         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3189         (JSC::JITAddGenerator::isRightOperandValidConstant):
3190         (JSC::JITAddGenerator::arithProfile):
3191         * jit/JITMathIC.h:
3192         (JSC::JITMathIC::generateInline):
3193         (JSC::JITMathIC::generateOutOfLine):
3194         (JSC::JITMathIC::finalizeInlineCode):
3195         * jit/JITMathICInlineResult.h:
3196         * jit/JITMulGenerator.cpp:
3197         (JSC::JITMulGenerator::generateInline):
3198         * jit/JITMulGenerator.h:
3199         (JSC::JITMulGenerator::isLeftOperandValidConstant):
3200         (JSC::JITMulGenerator::isRightOperandValidConstant):
3201         (JSC::JITMulGenerator::arithProfile):
3202         * jit/JITOperations.cpp:
3203
3204 2016-07-26  Saam Barati  <sbarati@apple.com>
3205
3206         rollout r203666
3207         https://bugs.webkit.org/show_bug.cgi?id=160226
3208
3209         Unreviewed rollout.
3210
3211         * b3/B3BasicBlock.h:
3212         (JSC::B3::BasicBlock::successorBlock):
3213         * b3/B3LowerToAir.cpp:
3214         (JSC::B3::Air::LowerToAir::createGenericCompare):
3215         * b3/B3LowerToAir.h:
3216         * b3/air/AirArg.cpp:
3217         (JSC::B3::Air::Arg::isRepresentableAs):
3218         (JSC::B3::Air::Arg::usesTmp):
3219         * b3/air/AirArg.h:
3220         (JSC::B3::Air::Arg::isRepresentableAs):
3221         (JSC::B3::Air::Arg::asNumber):
3222         (JSC::B3::Air::Arg::castToType): Deleted.
3223         * b3/air/AirCode.h:
3224         (JSC::B3::Air::Code::size):
3225         (JSC::B3::Air::Code::at):
3226         * b3/air/AirOpcode.opcodes:
3227         * b3/air/AirValidate.h:
3228         * b3/air/opcode_generator.rb:
3229         * b3/testb3.cpp:
3230         (JSC::B3::compileAndRun):
3231         (JSC::B3::testSomeEarlyRegister):
3232         (JSC::B3::zero):
3233         (JSC::B3::run):
3234         (JSC::B3::lowerToAirForTesting): Deleted.
3235         (JSC::B3::testBranchBitAndImmFusion): Deleted.
3236
3237 2016-07-26  Caitlin Potter  <caitp@igalia.com>
3238
3239         [JSC] Object.getOwnPropertyDescriptors should not add undefined props to result
3240         https://bugs.webkit.org/show_bug.cgi?id=159409
3241
3242         Reviewed by Geoffrey Garen.
3243
3244         * runtime/ObjectConstructor.cpp:
3245         (JSC::objectConstructorGetOwnPropertyDescriptors):
3246         * tests/es6.yaml:
3247         * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js:
3248         (testPropertiesIndexedSetterOnPrototypeThrows.set get var): Deleted.
3249         (testPropertiesIndexedSetterOnPrototypeThrows): Deleted.
3250         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors-proxy.js.
3251         * tests/stress/Object_static_methods_Object.getOwnPropertyDescriptors.js: Renamed from Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js.
3252
3253 2016-07-26  Mark Lam  <mark.lam@apple.com>
3254
3255         Remove unused DEBUG_WITH_BREAKPOINT configuration.
3256         https://bugs.webkit.org/show_bug.cgi?id=160203
3257
3258         Reviewed by Keith Miller.
3259
3260         * bytecompiler/BytecodeGenerator.cpp:
3261         (JSC::BytecodeGenerator::emitDebugHook):
3262
3263 2016-07-25  Benjamin Poulain  <benjamin@webkit.org>
3264
3265         Unreviewed, rolling out r203703.
3266
3267         It breaks some internal tests
3268
3269         Reverted changeset:
3270
3271         "[JSC] DFG::Node should not have its own allocator"
3272         https://bugs.webkit.org/show_bug.cgi?id=160098
3273         http://trac.webkit.org/changeset/203703
3274
3275 2016-07-25  Benjamin Poulain  <bpoulain@apple.com>
3276
3277         [JSC] DFG::Node should not have its own allocator
3278         https://bugs.webkit.org/show_bug.cgi?id=160098
3279
3280         Reviewed by Geoffrey Garen.
3281
3282         We need some design changes for DFG::Node:
3283         -Accessing the index must be fast. B3 uses indices for sets
3284          and maps; it is a lot faster than hashing pointers.
3285         -We should be able to subclass DFG::Node to specialize it.
3286
3287         * CMakeLists.txt:
3288         * JavaScriptCore.xcodeproj/project.pbxproj:
3289         * dfg/DFGAllocator.h: Removed.
3290         (JSC::DFG::Allocator::Region::size): Deleted.
3291         (JSC::DFG::Allocator::Region::headerSize): Deleted.
3292         (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): Deleted.
3293         (JSC::DFG::Allocator::Region::data): Deleted.
3294         (JSC::DFG::Allocator::Region::isInThisRegion): Deleted.
3295         (JSC::DFG::Allocator::Region::regionFor): Deleted.
3296         (JSC::DFG::Allocator<T>::Allocator): Deleted.
3297         (JSC::DFG::Allocator<T>::~Allocator): Deleted.
3298         (JSC::DFG::Allocator<T>::allocate): Deleted.
3299         (JSC::DFG::Allocator<T>::free): Deleted.
3300         (JSC::DFG::Allocator<T>::freeAll): Deleted.
3301         (JSC::DFG::Allocator<T>::reset): Deleted.
3302         (JSC::DFG::Allocator<T>::indexOf): Deleted.
3303         (JSC::DFG::Allocator<T>::allocatorOf): Deleted.
3304         (JSC::DFG::Allocator<T>::bumpAllocate): Deleted.
3305         (JSC::DFG::Allocator<T>::freeListAllocate): Deleted.
3306         (JSC::DFG::Allocator<T>::allocateSlow): Deleted.
3307         (JSC::DFG::Allocator<T>::freeRegionsStartingAt): Deleted.
3308         (JSC::DFG::Allocator<T>::startBumpingIn): Deleted.
3309         * dfg/DFGByteCodeParser.cpp:
3310         (JSC::DFG::ByteCodeParser::addToGraph):
3311         * dfg/DFGCPSRethreadingPhase.cpp:
3312         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
3313         (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
3314         * dfg/DFGCleanUpPhase.cpp:
3315         (JSC::DFG::CleanUpPhase::run):
3316         * dfg/DFGConstantFoldingPhase.cpp:
3317         (JSC::DFG::ConstantFoldingPhase::run):
3318         * dfg/DFGConstantHoistingPhase.cpp:
3319         * dfg/DFGDCEPhase.cpp:
3320         (JSC::DFG::DCEPhase::fixupBlock):
3321         * dfg/DFGDriver.cpp:
3322         (JSC::DFG::compileImpl):
3323         * dfg/DFGGraph.cpp:
3324         (JSC::DFG::Graph::Graph):
3325         (JSC::DFG::Graph::deleteNode):
3326         (JSC::DFG::Graph::killBlockAndItsContents):
3327         (JSC::DFG::Graph::~Graph): Deleted.
3328         * dfg/DFGGraph.h:
3329         (JSC::DFG::Graph::addNode):
3330         * dfg/DFGLICMPhase.cpp:
3331         (JSC::DFG::LICMPhase::attemptHoist):
3332         * dfg/DFGLongLivedState.cpp: Removed.
3333         (JSC::DFG::LongLivedState::LongLivedState): Deleted.
3334         (JSC::DFG::LongLivedState::~LongLivedState): Deleted.
3335         (JSC::DFG::LongLivedState::shrinkToFit): Deleted.
3336         * dfg/DFGLongLivedState.h: Removed.
3337         * dfg/DFGNode.cpp:
3338         (JSC::DFG::Node::index): Deleted.
3339         * dfg/DFGNode.h:
3340         (JSC::DFG::Node::index):
3341         * dfg/DFGNodeAllocator.h: Removed.
3342         (operator new ): Deleted.
3343         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3344         * dfg/DFGPlan.cpp:
3345         (JSC::DFG::Plan::compileInThread):
3346         (JSC::DFG::Plan::compileInThreadImpl):
3347         * dfg/DFGPlan.h:
3348         * dfg/DFGSSAConversionPhase.cpp: