[INTL] Implement Date.prototype.toLocaleTimeString in ECMA-402
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-01-20  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Date.prototype.toLocaleTimeString in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147613

        Reviewed by Darin Adler.

        Implement toLocaleTimeString in builtin JavaScript.

        * builtins/DatePrototype.js:
        (toLocaleTimeString.toDateTimeOptionsTimeTime):
        (toLocaleTimeString):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):

2016-01-20  Saam barati  <sbarati@apple.com>

        Web Inspector: Hook the sampling profiler into the Timelines UI
        https://bugs.webkit.org/show_bug.cgi?id=152766
        <rdar://problem/24066360>

        Reviewed by Joseph Pecoraro.

        This patch adds some necessary functions to SamplingProfiler::StackFrame
        to allow it to give data to the Inspector for the timelines UI, i.e., the
        sourceID of the executable of a stack frame.

        This patch also swaps in the SamplingProfiler in place of the
        LegacyProfiler inside InspectorScriptProfilerAgent. It adds
        the necessary protocol data to allow the SamplingProfiler's
        data to hook into the timelines UI.

        * debugger/Debugger.cpp:
        (JSC::Debugger::setProfilingClient):
        (JSC::Debugger::willEvaluateScript):
        (JSC::Debugger::didEvaluateScript):
        (JSC::Debugger::toggleBreakpoint):
        * debugger/Debugger.h:
        * debugger/ScriptProfilingScope.h:
        (JSC::ScriptProfilingScope::ScriptProfilingScope):
        (JSC::ScriptProfilingScope::~ScriptProfilingScope):
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorScriptProfilerAgent::startTracking):
        (Inspector::InspectorScriptProfilerAgent::stopTracking):
        (Inspector::InspectorScriptProfilerAgent::isAlreadyProfiling):
        (Inspector::InspectorScriptProfilerAgent::willEvaluateScript):
        (Inspector::InspectorScriptProfilerAgent::didEvaluateScript):
        (Inspector::InspectorScriptProfilerAgent::addEvent):
        (Inspector::buildSamples):
        (Inspector::InspectorScriptProfilerAgent::trackingComplete):
        (Inspector::buildAggregateCallInfoInspectorObject): Deleted.
        (Inspector::buildInspectorObject): Deleted.
        (Inspector::buildProfileInspectorObject): Deleted.
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/protocol/ScriptProfiler.json:
        * jsc.cpp:
        (functionSamplingProfilerStackTraces):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::start):
        (JSC::SamplingProfiler::stop):
        (JSC::SamplingProfiler::clearData):
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        (JSC::SamplingProfiler::StackFrame::startLine):
        (JSC::SamplingProfiler::StackFrame::startColumn):
        (JSC::SamplingProfiler::StackFrame::sourceID):
        (JSC::SamplingProfiler::StackFrame::url):
        (JSC::SamplingProfiler::stackTraces):
        (JSC::SamplingProfiler::stackTracesAsJSON):
        (JSC::displayName): Deleted.
        (JSC::SamplingProfiler::stacktracesAsJSON): Deleted.
        * runtime/SamplingProfiler.h:
        (JSC::SamplingProfiler::StackFrame::StackFrame):
        (JSC::SamplingProfiler::getLock):
        (JSC::SamplingProfiler::setTimingInterval):
        (JSC::SamplingProfiler::totalTime):
        (JSC::SamplingProfiler::setStopWatch):
        (JSC::SamplingProfiler::stackTraces): Deleted.
        * tests/stress/sampling-profiler-anonymous-function.js:
        (platformSupportsSamplingProfiler.baz):
        (platformSupportsSamplingProfiler):
        * tests/stress/sampling-profiler-basic.js:
        (platformSupportsSamplingProfiler.nothing):
        (platformSupportsSamplingProfiler.top):
        * tests/stress/sampling-profiler/samplingProfiler.js:
        (doesTreeHaveStackTrace):

2016-01-20  Keith Miller  <keith_miller@apple.com>

        TypedArray's .buffer does not return the JSArrayBuffer that was passed to it on creation.
        https://bugs.webkit.org/show_bug.cgi?id=153281

        Reviewed by Geoffrey Garen.

        When creating a JSArrayBuffer we should make sure that the backing ArrayBuffer uses the
        new JSArrayBuffer as its wrapper. This causes issues when we get the buffer of a Typed Array
        created by passing a JSArrayBuffer, as the backing ArrayBuffer does not have a reference to
        the original JSArrayBuffer and a new object is created.

        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::finishCreation):
        * tests/stress/typedarray-buffer-neutered.js: Added.
        (arrays.typedArrays.map):

2016-01-20  Andreas Kling  <akling@apple.com>

        Pack RegisterAtOffset harder.
        <https://webkit.org/b/152501>

        Reviewed by Michael Saboff.

        Pack the register index and the offset into a single pointer-sized word instead of two.
        This reduces memory consumption by 620 kB on mobile theverge.com.

        The packing doesn't succeed on MSVC for some reason, so I've left out the static
        assertion about class size in those builds.

        * jit/RegisterAtOffset.cpp:
        * jit/RegisterAtOffset.h:

2016-01-20  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile fix.
        https://bugs.webkit.org/show_bug.cgi?id=153278

        Reviewed by Filip Pizlo.

        MSVC does not accept that a class declared as exported also has members declared as exported.

        * b3/B3Const32Value.h:
        * b3/B3ControlValue.h:

2016-01-19  Keith Miller  <keith_miller@apple.com>

        [ES6] Fix various issues with TypedArrays.
        https://bugs.webkit.org/show_bug.cgi?id=153245

        Reviewed by Geoffrey Garen.

        This patch fixes a couple of issues with TypedArrays:

        1) We were not checking if a view had been neutered and throwing an error
        if it had in our TypedArray.prototype functions.

        2) The TypedArray.prototype.set function had a couple of minor issues with
        checking for the offset being negative.

        3) The JSArrayBufferView class did not check if the backing store had
        been neutered when computing the offset even though the view's vector
        pointer had been set to NULL. This meant that under some conditions we
        could, occasionally, return a garbage number as the offset. Now, we only
        neuter views if the backing ArrayBuffer's view is actually transferred.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionNeuterTypedArray):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::isNeutered):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncEntries):
        (JSC::genericTypedArrayViewProtoFuncCopyWithin):
        (JSC::genericTypedArrayViewProtoFuncFill):
        (JSC::genericTypedArrayViewProtoFuncIndexOf):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewProtoFuncKeys):
        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
        (JSC::genericTypedArrayViewProtoFuncReverse):
        (JSC::genericTypedArrayViewPrivateFuncSort):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        (JSC::typedArrayViewProtoFuncValues):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewPrivateFuncSort): Deleted.
        * tests/stress/typedarray-functions-with-neutered.js: Added.
        (getGetter):
        (unit):
        (args.new.Int32Array):
        (arrays.typedArrays.map):
        (checkProtoFunc.throwsCorrectError):
        (checkProtoFunc):
        (test):

2016-01-19  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Date.prototype.toLocaleDateString in ECMA-402
        https://bugs.webkit.org/show_bug.cgi?id=147612

        Reviewed by Benjamin Poulain.

        Implement toLocaleDateString in builtin JavaScript. Remove comments with
        spec steps, and instead link to the new HTML version of the spec.

        Avoids creating an extra empty object in the prototype chain of the options
        object in ToDateTimeOptions. The version used in toLocaleString was updated
        to match as well.

        * builtins/DatePrototype.js:
        (toLocaleString.toDateTimeOptionsAnyAll):
        (toLocaleString):
        (toLocaleDateString.toDateTimeOptionsDateDate):
        (toLocaleDateString):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):

2016-01-19  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] fixSpillSlotZDef() crashes on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=153246

        Reviewed by Geoffrey Garen.

        Moving an immediate to memory is not a valid instruction on ARM64.
        This patch adds a small workaround for this specific case: an instruction
        to zero a chunk of memory.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::storeZero32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::storeZero32):
        * b3/air/AirFixSpillSlotZDef.h:
        (JSC::B3::Air::fixSpillSlotZDef):
        * b3/air/AirOpcode.opcodes:

2016-01-19  Enrica Casucci  <enrica@apple.com>

        Add support for DataDetectors in WK (iOS).
        https://bugs.webkit.org/show_bug.cgi?id=152989
        rdar://problem/22855960

        Reviewed by Tim Horton.

        Adding feature definition for data detection.

        * Configurations/FeatureDefines.xcconfig:

2016-01-19  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile and warning fixes.
        https://bugs.webkit.org/show_bug.cgi?id=153234

        Reviewed by Alex Christensen.

        The size of 'long' is 4 bytes on Win64. We can use 'long long' instead,
        when we want the size to be 8 bytes.

        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3ReduceStrength.cpp:

2016-01-19  Csaba Osztrogonác  <ossy@webkit.org>

        [cmake] Fix the B3 build after r195159
        https://bugs.webkit.org/show_bug.cgi?id=153232

        Reviewed by Yusuke Suzuki.

        * CMakeLists.txt:

2016-01-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r195300.
        https://bugs.webkit.org/show_bug.cgi?id=153244

        enrica wants more time to fix Windows (Requested by thorton on
        #webkit).

        Reverted changeset:

        "Add support for DataDetectors in WK (iOS)."
        https://bugs.webkit.org/show_bug.cgi?id=152989
        http://trac.webkit.org/changeset/195300

2016-01-19  Filip Pizlo  <fpizlo@apple.com>

        Reconsider B3's constant motion policy
        https://bugs.webkit.org/show_bug.cgi?id=152202

        Reviewed by Geoffrey Garen.

        This changes moveConstants() to hoist constants. This is a speed-up on things like mandreel.
        It has a generally positive impact on the Octane score, but it's within margin of error.

        This also changes IRC to make it a bit more likely to spill constants. We don't want it to
        spill them too much, because we can't rely on fixObviousSpills() to always replace a load of
        a constant from the stack with the constant itself, especially in case of instructions that
        need an extra register to materialize the immediate.

        Also fixed DFG graph dumping to print a bit fewer things. It was trying to print the results of
        constant property inference, and this sometimes caused crashes when you dumped the graph at an
        inopportune time.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3MoveConstants.cpp:
        * b3/air/AirArg.h:
        * b3/air/AirArgInlines.h: Added.
        (JSC::B3::Air::ArgThingHelper<Tmp>::is):
        (JSC::B3::Air::ArgThingHelper<Tmp>::as):
        (JSC::B3::Air::ArgThingHelper<Tmp>::forEachFast):
        (JSC::B3::Air::ArgThingHelper<Tmp>::forEach):
        (JSC::B3::Air::ArgThingHelper<Arg>::is):
        (JSC::B3::Air::ArgThingHelper<Arg>::as):
        (JSC::B3::Air::ArgThingHelper<Arg>::forEachFast):
        (JSC::B3::Air::ArgThingHelper<Arg>::forEach):
        (JSC::B3::Air::Arg::is):
        (JSC::B3::Air::Arg::as):
        (JSC::B3::Air::Arg::forEachFast):
        (JSC::B3::Air::Arg::forEach):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirUseCounts.h:
        (JSC::B3::Air::UseCounts::UseCounts):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2016-01-19  Enrica Casucci  <enrica@apple.com>

        Add support for DataDetectors in WK (iOS).
        https://bugs.webkit.org/show_bug.cgi?id=152989
        rdar://problem/22855960

        Reviewed by Tim Horton.

        Adding feature definition.

        * Configurations/FeatureDefines.xcconfig:

2016-01-17  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should be just as fast as FTL LLVM on Octane/crypto
        https://bugs.webkit.org/show_bug.cgi?id=153113

        Reviewed by Saam Barati.

        This is the result of a hacking rampage to close the gap between FTL B3 and FTL LLVM on
        Octane/crypto. It was a very successful rampage.

        The biggest change in this patch is the introduction of a phase called fixObviousSpills()
        that fixes patterns like:

        Store register to stack slot and then use stack slot:
            Move %rcx, (stack42)
            Foo use:(stack42) // replace (stack42) with %rcx here.

        Load stack slot into register and then use stack slot:
            Move (stack42), %rcx
            Foo use:(stack42) // replace (stack42) with %rcx here.

        Store constant into stack slot and then use stack slot:
            Move $42, %rcx
            Move %rcx, (stack42)
            Bar def:%rcx // %rcx isn't available anymore, but we still know that (stack42) is $42
            Foo use:(stack42) // replace (stack42) with $42 here.

        This phase does these fixups by doing a global forward flow that propagates sets of
        must-aliases.

        Also added a phase to report register pressure. It pretty-prints code alongside the set of
        in-use registers above each instruction. Using this phase, I found that our register
        allocator is actually doing a pretty awesome job. I had previously feared that we'd have to
        make substantial changes to register allocation. I don't have such a fear anymore, at least
        for Octane/crypto. In the future, we can check how the regalloc is performing just by
        enabling logAirRegisterPressure.

        Also fixed some FTL codegen pathologies. We were using bitOr where we meant to use a
        conditional or. LLVM likes to canonicalize boolean expressions this way. B3, on the other
        hand, doesn't do this canonicalization and doesn't have logic to decompose it into sequences
        of branches.

        Also added strength reductions for checked arithmetic. It turns out that LLVM learned how to
        reduce checked multiply to unchecked multiply in some obvious cases that our existing DFG
        optimizations lacked. Ideally, our DFG integer range optimization phase would cover this. But
        the cases of interest were dead simple - the incoming values to the CheckMul were obviously
        too small to cause overflow. I added such reasoning to B3's strength reduction.

        Finally, this fixes some bugs with how we were handling subwidth spill slots. The register
        allocator was making two mistakes. First, it might cause a Width64 def or use of a 4-byte
        spill slot. In that case, it would extend the size of the spill slot to ensure that the use
        or def is safe. Second, it emulates ZDef on Tmp behavior by emitting a Move32 to initialize
        the high bits of a spill slot. But this is unsound because of the liveness semantics of spill
        slots. They cannot have more than one def to initialize their value. I fixed that by making
        allocateStack() be the thing that fixes ZDefs. That's a change to ZDef semantics: now, ZDef
        on an anonymous stack slot means that the high bits are zero-filled. I wasn't able to
        construct a test for this. It might be a hypothetical bug, but still, I like how this
        simplifies the register allocator.

        This is a ~0.7% speed-up on Octane.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::hiddenBranch):
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::commitHiddenBranch): Deleted.
        * b3/B3CheckSpecial.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::fillStackmap):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3StackmapValue.h:
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirAllocateStack.h:
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::callArg):
        (JSC::B3::Air::Arg::stackAddr):
        (JSC::B3::Air::Arg::isValidScale):
        * b3/air/AirBasicBlock.cpp:
        (JSC::B3::Air::BasicBlock::deepDump):
        (JSC::B3::Air::BasicBlock::dumpHeader):
        (JSC::B3::Air::BasicBlock::dumpFooter):
        * b3/air/AirBasicBlock.h:
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::CCallSpecial):
        (JSC::B3::Air::CCallSpecial::~CCallSpecial):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::lastPhaseName):
        (JSC::B3::Air::Code::setEnableRCRS):
        (JSC::B3::Air::Code::enableRCRS):
        * b3/air/AirCustom.cpp:
        (JSC::B3::Air::PatchCustom::isValidForm):
        (JSC::B3::Air::CCallCustom::isValidForm):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::isValidFormStatic):
        (JSC::B3::Air::PatchCustom::admitsStack):
        (JSC::B3::Air::PatchCustom::isValidForm): Deleted.
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::ShufflePair::dump):
        (JSC::B3::Air::createShuffle):
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h:
        * b3/air/AirFixObviousSpills.cpp: Added.
        (JSC::B3::Air::fixObviousSpills):
        * b3/air/AirFixObviousSpills.h: Added.
        * b3/air/AirFixSpillSlotZDef.h: Removed.
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::reportUsedRegisters):
        (JSC::B3::Air::Inst::admitsStack):
        (JSC::B3::Air::isShiftValid):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::begin):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::end):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::contains):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::live):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::isLive):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
        (JSC::B3::Air::AbstractLiveness::rawLiveAtHead):
        (JSC::B3::Air::AbstractLiveness::Iterable::begin):
        (JSC::B3::Air::AbstractLiveness::Iterable::end):
        (JSC::B3::Air::AbstractLiveness::Iterable::contains):
        (JSC::B3::Air::AbstractLiveness::liveAtTail):
        (JSC::B3::Air::AbstractLiveness::workset):
        * b3/air/AirLogRegisterPressure.cpp: Added.
        (JSC::B3::Air::logRegisterPressure):
        * b3/air/AirLogRegisterPressure.h: Added.
        * b3/air/AirOptimizeBlockOrder.cpp:
        (JSC::B3::Air::blocksInOptimizedOrder):
        (JSC::B3::Air::optimizeBlockOrder):
        * b3/air/AirOptimizeBlockOrder.h:
        * b3/air/AirReportUsedRegisters.cpp:
        (JSC::B3::Air::reportUsedRegisters):
        * b3/air/AirReportUsedRegisters.h:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirStackSlot.h:
        (JSC::B3::Air::StackSlot::isLocked):
        (JSC::B3::Air::StackSlot::index):
        (JSC::B3::Air::StackSlot::ensureSize):
        (JSC::B3::Air::StackSlot::alignment):
        * b3/air/AirValidate.cpp:
        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMod):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::get):
        (JSC::RegisterSet::setAll):
        (JSC::RegisterSet::merge):
        (JSC::RegisterSet::filter):
        * runtime/Options.h:

2016-01-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, undo unintended commit.

        * dfg/DFGCommon.h:

2016-01-18  Filip Pizlo  <fpizlo@apple.com>

        Fix Air shuffling assertions
        https://bugs.webkit.org/show_bug.cgi?id=153213

        Reviewed by Saam Barati.

        Fixes some assertions that I was seeing running JSC tests. Adds a new Air test.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        (JSC::MacroAssemblerX86Common::getUnusedRegister):
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/testair.cpp:
        (JSC::B3::Air::testShuffleRotateWithFringe):
        (JSC::B3::Air::testShuffleRotateWithFringeInWeirdOrder):
        (JSC::B3::Air::testShuffleRotateWithLongFringe):
        (JSC::B3::Air::run):

2016-01-19  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Logical instructions allow immediates in range 0..0xffff, not 0x7fff
        https://bugs.webkit.org/show_bug.cgi?id=152693

        Reviewed by Michael Saboff.

        * offlineasm/mips.rb:

2016-01-18  Saam barati  <sbarati@apple.com>

        assertions in BytecodeUseDef.h about opcode length are off by one
        https://bugs.webkit.org/show_bug.cgi?id=153215

        Reviewed by Dan Bernstein.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):

2016-01-18  Saam barati  <sbarati@apple.com>

        FTL doesn't do proper spilling for exception handling when GetById/Snippets go to slow path
        https://bugs.webkit.org/show_bug.cgi?id=153186

        Reviewed by Michael Saboff.

        Michael was investigating a bug he found while doing the new JSC calling
        convention work and it turns out to be a latent bug in FTL try/catch machinery.
        After I looked at the code again, I realized that what I had previously
        written is wrong in a subtle way. The FTL callOperation machinery will remove
        its result register from the set of registers it needs to spill. This is not
        correct when we have try/catch. We may want to do value recovery on
        the value that the result register is prior to the call after the call
        throws an exception. The case that we were solving before was when the
        resultRegister == baseRegister in a GetById, or left/rightRegister == resultRegister in a Snippet.
        This code is correct in wanting to spill in that case, even though it might spill
        when we don't need it to (i.e. the result is not needed for value recovery). Once I
        investigated this bug further, I realized that the previous rule is just a
        partial subset of the rule that says we should spill anytime the result is
        a register we might do value recovery on. This patch implements the rule that
        says we always want to spill the result when we will do value recovery on it
        if an exception is thrown.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * tests/stress/ftl-try-catch-getter-throw-interesting-value-recovery.js: Added.
        (assert):
        (random):
        (identity):
        (let.o2.get f):
        (let.o3.get f):
        (foo):
        (i.else):

2016-01-18  Konstantin Tokarev  <annulen@yandex.ru>

        [MIPS] LLInt: fix calculation of Global Offset Table
        https://bugs.webkit.org/show_bug.cgi?id=150381

        Offlineasm adds a .cpload $t9 when we create a label in MIPS, which
        computes the address of the GOT. However, this instruction requires $t9 to
        contain the address of the current function. So we need to set $t9 to pcBase,
        otherwise GOT-related calculations will be invalid.

        Since offlineasm does not allow a direct move to $t9 on MIPS, added a new
        instruction setcallreg which does exactly that.

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:

2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r194601): Fix the jsc timeout option of jsc.cpp
        https://bugs.webkit.org/show_bug.cgi?id=153204

        Reviewed by Michael Catanzaro.

        * jsc.cpp:
        (main):

2016-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        [cmake] Add testair to the build system
        https://bugs.webkit.org/show_bug.cgi?id=153126

        Reviewed by Michael Catanzaro.

        * shell/CMakeLists.txt:

2016-01-17  Jeremy Huddleston Sequoia  <jeremyhu@apple.com>

        Ensure that CF_AVAILABLE is undefined when building webkit-gtk

        https://bugs.webkit.org/show_bug.cgi?id=152720

        This change ensures that CF_AVAILABLE is correctly a no-op to
        address a build failure that was observed when building on older
        versions of OSX.  Previously, CF_AVAILABLE may have been unexpectedly
        re-defined to the system header value based on include order.

        Reviewed by Michael Catanzaro.

        * API/WebKitAvailability.h:

2016-01-17  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix regT2 and regT3 trampling in MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=153131

        Mips $t2 and $t3 registers were used as temporary registers
        in MacroAssemblerMIPS.h, whereas they are mapped to regT2
        and regT3 in LLInt and GPRInfo.

        This patch rearranges register mapping for the mips architecture:
        - use $t0 and $t1 as temp registers in LLInt (as in MacroAssembler)
        - use $t7 and $t8 as temp registers in MacroAssembler (as in LLInt)
        - remove $t6 from temp registers list in LLInt
        - update GPRInfo.h accordingly
        - add mips macroScratchRegisters() list in RegisterSet.cpp

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::macroScratchRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * offlineasm/mips.rb:

655 2016-01-16  Skachkov Oleksandr  <gskachkov@gmail.com>
656
657         [ES6] Arrow function syntax. Arrow function should support the destructuring parameters.
658         https://bugs.webkit.org/show_bug.cgi?id=146934
659
660         Reviewed by Saam Barati.
661         
662         Added support of destructuring parameters, before arrow function expect only simple parameters,
663         e.g. (), (x), (x, y) or x in assigment expressio. To support destructuring parameters added
664         additional check that check for destructuring paramters if check does not pass for simple parameters.
665
666         * parser/Parser.cpp:
667         (JSC::Parser<LexerType>::isArrowFunctionParameters):
668         (JSC::Parser<LexerType>::parseAssignmentExpression):
669         * parser/Parser.h:
670
671 2016-01-15  Benjamin Poulain  <bpoulain@apple.com>
672
673         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
674         https://bugs.webkit.org/show_bug.cgi?id=153065
675
676         Reviewed by Mark Lam.
677         Reviewed by Filip Pizlo.
678
679         On ARM64, we cannot use signed 32bits offset for memory addressing.
680         There are two available addressing: signed 9bits and unsigned scaled 12bits.
681         Air already knows about it.
682
683         In this patch, the offsets are changed to something valid for ARM64
684         prior to lowering. When an offset is invalid, it is just computed
685         before the instruction and used as the base for addressing.
686
687         * JavaScriptCore.xcodeproj/project.pbxproj:
688         * b3/B3Generate.cpp:
689         (JSC::B3::generateToAir):
690         * b3/B3LegalizeMemoryOffsets.cpp: Added.
691         (JSC::B3::legalizeMemoryOffsets):
692         * b3/B3LegalizeMemoryOffsets.h: Added.
693         * b3/B3LowerToAir.cpp:
694         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
695         * b3/testb3.cpp:
696         (JSC::B3::testLoadWithOffsetImpl):
697         (JSC::B3::testLoadOffsetImm9Max):
698         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
699         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
700         (JSC::B3::testLoadOffsetImm9Min):
701         (JSC::B3::testLoadOffsetImm9MinMinusOne):
702         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
703         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
704         (JSC::B3::run):
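
Added example, not the B3LegalizeMemoryOffsets pass itself: a model of the legalization described in this entry over a tiny constructed IR. The two encodable forms (signed 9-bit unscaled, unsigned 12-bit scaled by access size) are ARM64 facts; the Inst/Kind types, the temp numbering and the access widths are assumptions of this example.

```cpp
// Added example (not WebKit code). Models "legalize memory offsets for ARM64":
// an offset is kept when it fits one of the two ARM64 addressing forms, otherwise
// base + offset is computed into a fresh temp just before the access and the
// access then uses that temp with offset 0.
#include <cstdint>
#include <vector>

// Unscaled signed 9-bit immediate (LDUR/STUR): -256..255.
bool fitsSignedImm9(int64_t offset) {
    return offset >= -256 && offset <= 255;
}

// Scaled unsigned 12-bit immediate (LDR/STR): 0..4095 multiples of the access
// size, so the offset must be non-negative and a multiple of accessBytes.
bool fitsScaledUnsignedImm12(int64_t offset, int accessBytes) {
    if (offset < 0 || offset % accessBytes != 0)
        return false;
    return offset / accessBytes <= 4095;
}

bool isLegalArm64Offset(int64_t offset, int accessBytes) {
    return fitsSignedImm9(offset) || fitsScaledUnsignedImm12(offset, accessBytes);
}

// Tiny IR assumed for this example.
enum class Kind { Load, Store, AddImm };
struct Inst {
    Kind kind;
    int dst;         // Load/AddImm: destination temp; Store: unused (-1)
    int base;        // Load/Store: base temp; AddImm: source temp
    int64_t offset;  // Load/Store: addressing offset; AddImm: immediate to add
    int accessBytes; // Load/Store: 1, 2, 4 or 8; AddImm: unused (0)
    int value;       // Store: temp holding the value to store; otherwise -1
};

// Rewrites every memory access whose offset ARM64 cannot encode. nextTemp hands
// out fresh temp numbers; the returned list is the legalized code.
std::vector<Inst> legalizeMemoryOffsets(const std::vector<Inst>& code, int& nextTemp) {
    std::vector<Inst> out;
    for (Inst inst : code) {
        bool isMemory = inst.kind == Kind::Load || inst.kind == Kind::Store;
        if (isMemory && !isLegalArm64Offset(inst.offset, inst.accessBytes)) {
            int addr = nextTemp++;
            // Materialize base + offset once, immediately before the access.
            out.push_back({Kind::AddImm, addr, inst.base, inst.offset, 0, -1});
            inst.base = addr;
            inst.offset = 0;
        }
        out.push_back(inst);
    }
    return out;
}
```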
705
706 2016-01-15  Alex Christensen  <achristensen@webkit.org>
707
708         Fix internal Windows build
709         https://bugs.webkit.org/show_bug.cgi?id=153142
710
711         Reviewed by Brent Fulgham.
712
713         The internal Windows build builds JavaScriptCore from a directory that is not called JavaScriptCore.
714         Searching for JavaScriptCore/API/APICast.h fails because it is in SomethingElse/API/APICast.h.
715         Since we are including the JavaScriptCore directory, it is not necessary to have JavaScriptCore in
716         the forwarding headers, but removing it allows builds from directories that are not named JavaScriptCore.
717
718         * ForwardingHeaders/JavaScriptCore/APICast.h:
719         * ForwardingHeaders/JavaScriptCore/JSBase.h:
720         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h:
721         * ForwardingHeaders/JavaScriptCore/JSContextRef.h:
722         * ForwardingHeaders/JavaScriptCore/JSObjectRef.h:
723         * ForwardingHeaders/JavaScriptCore/JSRetainPtr.h:
724         * ForwardingHeaders/JavaScriptCore/JSStringRef.h:
725         * ForwardingHeaders/JavaScriptCore/JSStringRefCF.h:
726         * ForwardingHeaders/JavaScriptCore/JSValueRef.h:
727         * ForwardingHeaders/JavaScriptCore/JavaScript.h:
728         * ForwardingHeaders/JavaScriptCore/JavaScriptCore.h:
729         * ForwardingHeaders/JavaScriptCore/OpaqueJSString.h:
730         * ForwardingHeaders/JavaScriptCore/WebKitAvailability.h:
731
732 2016-01-15  Per Arne Vollan  <peavo@outlook.com>
733
734         [B3][Win64] Compile fixes.
735         https://bugs.webkit.org/show_bug.cgi?id=153127
736
737         Reviewed by Alex Christensen.
738
739         MSVC has several overloads of fmod, pow, and ceil. We need to suggest to MSVC
740         which one we want to use.
741
742         * b3/B3LowerMacros.cpp:
743         * b3/B3LowerMacrosAfterOptimizations.cpp:
744         * b3/B3MathExtras.cpp:
745         (JSC::B3::powDoubleInt32):
746         * b3/B3ReduceStrength.cpp:
747
748 2016-01-15  Filip Pizlo  <fpizlo@apple.com>
749
750         Air needs a Shuffle instruction
751         https://bugs.webkit.org/show_bug.cgi?id=152952
752
753         Reviewed by Saam Barati.
754
755         This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
756         multiple moves to perform arbitrary permutations over registers and memory. We call these
757         rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
758         c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
759         use immediates as their source.
760
761         Shuffle is added as a custom instruction, since it has a variable number of arguments. It
762         takes any number of triplets of arguments, where each triplet describes one mapping of the
763         shuffle. For example, to represent (a => b, b => c), we might say:
764
765             Shuffle %a, %b, 64, %b, %c, 64
766
767         Note the "64"s, those are width arguments that describe how many bits of the register are
768         being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
769         most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
770         of the pairs in the example). For GP arguments, the width follows ZDef semantics.
771
772         In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
773         how to use it:
774
775         - C calling convention argument marshalling. Previously we used move instructions. But that's
776           problematic since it introduces artificial interference between the argument registers and
777           the inputs. Using Shuffle removes that interference. This helps a bit.
778
779         - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
780           a cold path, then we want it to appear to the register allocator like it doesn't clobber
781           any registers. Only after register allocation should we handle the clobbering by simply
782           saving all of the live volatile registers to the stack. If you imagine the saving and the
783           argument marshalling, you can see how before the call, we want to have a Shuffle that does
784           both of those things. This is important. If argument marshalling was separate from the
785           saving, then we'd still appear to clobber argument registers. Doing them together as one
786           Shuffle means that the cold call doesn't appear to even clobber the argument registers.
787
788         Unfortunately, I was wrong about cold C calls being the dominant problem with our register
789         allocator right now. Fixing this revealed other problems in my current tuning benchmark,
790         Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
791         functionality we will need to implement other optimizations.
792
793         Relanding after fixing production build.
794
795         * CMakeLists.txt:
796         * JavaScriptCore.xcodeproj/project.pbxproj:
797         * assembler/AbstractMacroAssembler.h:
798         (JSC::isX86_64):
799         (JSC::isIOS):
800         (JSC::optimizeForARMv7IDIVSupported):
801         * assembler/MacroAssemblerX86Common.h:
802         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
803         (JSC::MacroAssemblerX86Common::swap32):
804         (JSC::MacroAssemblerX86Common::moveConditionally32):
805         * assembler/MacroAssemblerX86_64.h:
806         (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
807         (JSC::MacroAssemblerX86_64::swap64):
808         (JSC::MacroAssemblerX86_64::move64ToDouble):
809         * assembler/X86Assembler.h:
810         (JSC::X86Assembler::xchgl_rr):
811         (JSC::X86Assembler::xchgl_rm):
812         (JSC::X86Assembler::xchgq_rr):
813         (JSC::X86Assembler::xchgq_rm):
814         (JSC::X86Assembler::movl_rr):
815         * b3/B3CCallValue.h:
816         * b3/B3Compilation.cpp:
817         (JSC::B3::Compilation::Compilation):
818         (JSC::B3::Compilation::~Compilation):
819         * b3/B3Compilation.h:
820         (JSC::B3::Compilation::code):
821         * b3/B3LowerToAir.cpp:
822         (JSC::B3::Air::LowerToAir::run):
823         (JSC::B3::Air::LowerToAir::createSelect):
824         (JSC::B3::Air::LowerToAir::lower):
825         (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
826         * b3/B3OpaqueByproducts.h:
827         (JSC::B3::OpaqueByproducts::count):
828         * b3/B3StackmapSpecial.cpp:
829         (JSC::B3::StackmapSpecial::isArgValidForValue):
830         (JSC::B3::StackmapSpecial::isArgValidForRep):
831         * b3/air/AirArg.cpp:
832         (JSC::B3::Air::Arg::isStackMemory):
833         (JSC::B3::Air::Arg::isRepresentableAs):
834         (JSC::B3::Air::Arg::usesTmp):
835         (JSC::B3::Air::Arg::canRepresent):
836         (JSC::B3::Air::Arg::isCompatibleType):
837         (JSC::B3::Air::Arg::dump):
838         (WTF::printInternal):
839         * b3/air/AirArg.h:
840         (JSC::B3::Air::Arg::forEachType):
841         (JSC::B3::Air::Arg::isWarmUse):
842         (JSC::B3::Air::Arg::cooled):
843         (JSC::B3::Air::Arg::isEarlyUse):
844         (JSC::B3::Air::Arg::imm64):
845         (JSC::B3::Air::Arg::immPtr):
846         (JSC::B3::Air::Arg::addr):
847         (JSC::B3::Air::Arg::special):
848         (JSC::B3::Air::Arg::widthArg):
849         (JSC::B3::Air::Arg::operator==):
850         (JSC::B3::Air::Arg::isImm64):
851         (JSC::B3::Air::Arg::isSomeImm):
852         (JSC::B3::Air::Arg::isAddr):
853         (JSC::B3::Air::Arg::isIndex):
854         (JSC::B3::Air::Arg::isMemory):
855         (JSC::B3::Air::Arg::isRelCond):
856         (JSC::B3::Air::Arg::isSpecial):
857         (JSC::B3::Air::Arg::isWidthArg):
858         (JSC::B3::Air::Arg::isAlive):
859         (JSC::B3::Air::Arg::base):
860         (JSC::B3::Air::Arg::hasOffset):
861         (JSC::B3::Air::Arg::offset):
862         (JSC::B3::Air::Arg::width):
863         (JSC::B3::Air::Arg::isGPTmp):
864         (JSC::B3::Air::Arg::isGP):
865         (JSC::B3::Air::Arg::isFP):
866         (JSC::B3::Air::Arg::isType):
867         (JSC::B3::Air::Arg::isGPR):
868         (JSC::B3::Air::Arg::isValidForm):
869         (JSC::B3::Air::Arg::forEachTmpFast):
870         * b3/air/AirBasicBlock.h:
871         (JSC::B3::Air::BasicBlock::insts):
872         (JSC::B3::Air::BasicBlock::appendInst):
873         (JSC::B3::Air::BasicBlock::append):
874         * b3/air/AirCCallingConvention.cpp: Added.
875         (JSC::B3::Air::computeCCallingConvention):
876         (JSC::B3::Air::cCallResult):
877         (JSC::B3::Air::buildCCall):
878         * b3/air/AirCCallingConvention.h: Added.
879         * b3/air/AirCode.h:
880         (JSC::B3::Air::Code::proc):
881         * b3/air/AirCustom.cpp: Added.
882         (JSC::B3::Air::CCallCustom::isValidForm):
883         (JSC::B3::Air::CCallCustom::generate):
884         (JSC::B3::Air::ShuffleCustom::isValidForm):
885         (JSC::B3::Air::ShuffleCustom::generate):
886         * b3/air/AirCustom.h:
887         (JSC::B3::Air::PatchCustom::forEachArg):
888         (JSC::B3::Air::PatchCustom::generate):
889         (JSC::B3::Air::CCallCustom::forEachArg):
890         (JSC::B3::Air::CCallCustom::isValidFormStatic):
891         (JSC::B3::Air::CCallCustom::admitsStack):
892         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
893         (JSC::B3::Air::ColdCCallCustom::forEachArg):
894         (JSC::B3::Air::ShuffleCustom::forEachArg):
895         (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
896         (JSC::B3::Air::ShuffleCustom::admitsStack):
897         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
898         * b3/air/AirEmitShuffle.cpp: Added.
899         (JSC::B3::Air::ShufflePair::dump):
900         (JSC::B3::Air::emitShuffle):
901         * b3/air/AirEmitShuffle.h: Added.
902         (JSC::B3::Air::ShufflePair::ShufflePair):
903         (JSC::B3::Air::ShufflePair::src):
904         (JSC::B3::Air::ShufflePair::dst):
905         (JSC::B3::Air::ShufflePair::width):
906         * b3/air/AirGenerate.cpp:
907         (JSC::B3::Air::prepareForGeneration):
908         * b3/air/AirGenerate.h:
909         * b3/air/AirInsertionSet.cpp:
910         (JSC::B3::Air::InsertionSet::insertInsts):
911         (JSC::B3::Air::InsertionSet::execute):
912         * b3/air/AirInsertionSet.h:
913         (JSC::B3::Air::InsertionSet::insertInst):
914         (JSC::B3::Air::InsertionSet::insert):
915         * b3/air/AirInst.h:
916         (JSC::B3::Air::Inst::operator bool):
917         (JSC::B3::Air::Inst::append):
918         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
919         (JSC::B3::Air::lowerAfterRegAlloc):
920         * b3/air/AirLowerAfterRegAlloc.h: Added.
921         * b3/air/AirLowerMacros.cpp: Added.
922         (JSC::B3::Air::lowerMacros):
923         * b3/air/AirLowerMacros.h: Added.
924         * b3/air/AirOpcode.opcodes:
925         * b3/air/AirRegisterPriority.h:
926         (JSC::B3::Air::regsInPriorityOrder):
927         * b3/air/testair.cpp: Added.
928         (hiddenTruthBecauseNoReturnIsStupid):
929         (usage):
930         (JSC::B3::Air::compile):
931         (JSC::B3::Air::invoke):
932         (JSC::B3::Air::compileAndRun):
933         (JSC::B3::Air::testSimple):
934         (JSC::B3::Air::loadConstantImpl):
935         (JSC::B3::Air::loadConstant):
936         (JSC::B3::Air::loadDoubleConstant):
937         (JSC::B3::Air::testShuffleSimpleSwap):
938         (JSC::B3::Air::testShuffleSimpleShift):
939         (JSC::B3::Air::testShuffleLongShift):
940         (JSC::B3::Air::testShuffleLongShiftBackwards):
941         (JSC::B3::Air::testShuffleSimpleRotate):
942         (JSC::B3::Air::testShuffleSimpleBroadcast):
943         (JSC::B3::Air::testShuffleBroadcastAllRegs):
944         (JSC::B3::Air::testShuffleTreeShift):
945         (JSC::B3::Air::testShuffleTreeShiftBackward):
946         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
947         (JSC::B3::Air::testShuffleMultipleShifts):
948         (JSC::B3::Air::testShuffleRotateWithFringe):
949         (JSC::B3::Air::testShuffleRotateWithLongFringe):
950         (JSC::B3::Air::testShuffleMultipleRotates):
951         (JSC::B3::Air::testShuffleShiftAndRotate):
952         (JSC::B3::Air::testShuffleShiftAllRegs):
953         (JSC::B3::Air::testShuffleRotateAllRegs):
954         (JSC::B3::Air::testShuffleSimpleSwap64):
955         (JSC::B3::Air::testShuffleSimpleShift64):
956         (JSC::B3::Air::testShuffleSwapMixedWidth):
957         (JSC::B3::Air::testShuffleShiftMixedWidth):
958         (JSC::B3::Air::testShuffleShiftMemory):
959         (JSC::B3::Air::testShuffleShiftMemoryLong):
960         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
961         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
962         (JSC::B3::Air::combineHiLo):
963         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
964         (JSC::B3::Air::testShuffleRotateMemory):
965         (JSC::B3::Air::testShuffleRotateMemory64):
966         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
967         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
968         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
969         (JSC::B3::Air::testShuffleSwapDouble):
970         (JSC::B3::Air::testShuffleShiftDouble):
971         (JSC::B3::Air::run):
972         (run):
973         (main):
974         * b3/testb3.cpp:
975         (JSC::B3::testCallSimple):
976         (JSC::B3::testCallRare):
977         (JSC::B3::testCallRareLive):
978         (JSC::B3::testCallSimplePure):
979         (JSC::B3::run):
980
981 2016-01-15  Andy VanWagoner  <thetalecrafter@gmail.com>
982
983         [INTL] Implement Date.prototype.toLocaleString in ECMA-402
984         https://bugs.webkit.org/show_bug.cgi?id=147611
985
986         Reviewed by Benjamin Poulain.
987
988         Expose dateProtoFuncGetTime as thisTimeValue for builtins.
989         Remove unused code in DateTimeFormat toDateTimeOptions, and make the
990         function specific to the call in initializeDateTimeFormat. Properly
991         throw when the options parameter is null.
992         Add toLocaleString in builtin JavaScript, with its own specific branch
993         of toDateTimeOptions.
994
995         * CMakeLists.txt:
996         * DerivedSources.make:
997         * JavaScriptCore.xcodeproj/project.pbxproj:
998         * builtins/DatePrototype.js: Added.
999         (toLocaleString.toDateTimeOptionsAnyAll):
1000         (toLocaleString):
1001         * runtime/CommonIdentifiers.h:
1002         * runtime/DatePrototype.cpp:
1003         (JSC::DatePrototype::finishCreation):
1004         * runtime/DatePrototype.h:
1005         * runtime/IntlDateTimeFormat.cpp:
1006         (JSC::toDateTimeOptionsAnyDate):
1007         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1008         (JSC::toDateTimeOptions): Deleted.
1009         * runtime/JSGlobalObject.cpp:
1010         (JSC::JSGlobalObject::init):
1011
1012 2016-01-15  Konstantin Tokarev  <annulen@yandex.ru>
1013
1014         [mips] Implemented emitFunctionPrologue/Epilogue
1015         https://bugs.webkit.org/show_bug.cgi?id=152947
1016
1017         Reviewed by Michael Saboff.
1018
1019         * assembler/MacroAssemblerMIPS.h:
1020         (JSC::MacroAssemblerMIPS::popPair):
1021         (JSC::MacroAssemblerMIPS::pushPair):
1022         * jit/AssemblyHelpers.h:
1023         (JSC::AssemblyHelpers::emitFunctionPrologue):
1024         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
1025         (JSC::AssemblyHelpers::emitFunctionEpilogue):
1026
1027 2016-01-15  Commit Queue  <commit-queue@webkit.org>
1028
1029         Unreviewed, rolling out r195084.
1030         https://bugs.webkit.org/show_bug.cgi?id=153132
1031
1032         Broke Production build (Requested by ap on #webkit).
1033
1034         Reverted changeset:
1035
1036         "Air needs a Shuffle instruction"
1037         https://bugs.webkit.org/show_bug.cgi?id=152952
1038         http://trac.webkit.org/changeset/195084
1039
1040 2016-01-15  Julien Brianceau  <jbriance@cisco.com>
1041
1042         [mips] Add countLeadingZeros32 implementation in macro assembler
1043         https://bugs.webkit.org/show_bug.cgi?id=152886
1044
1045         Reviewed by Michael Saboff.
1046
1047         * assembler/MIPSAssembler.h:
1048         (JSC::MIPSAssembler::lui):
1049         (JSC::MIPSAssembler::clz):
1050         (JSC::MIPSAssembler::addiu):
1051         * assembler/MacroAssemblerMIPS.h:
1052         (JSC::MacroAssemblerMIPS::and32):
1053         (JSC::MacroAssemblerMIPS::countLeadingZeros32):
1054         (JSC::MacroAssemblerMIPS::lshift32):
1055
1056 2016-01-14  Filip Pizlo  <fpizlo@apple.com>
1057
1058         Air needs a Shuffle instruction
1059         https://bugs.webkit.org/show_bug.cgi?id=152952
1060
1061         Reviewed by Saam Barati.
1062
1063         This adds an instruction called Shuffle. Shuffle allows you to simultaneously perform
1064         multiple moves to perform arbitrary permutations over registers and memory. We call these
1065         rotations. It also allows you to perform "shifts", like (a => b, b => c): after the shift,
1066         c will have b's old value, b will have a's old value, and a will be unchanged. Shifts can
1067         use immediates as their source.
1068
1069         Shuffle is added as a custom instruction, since it has a variable number of arguments. It
1070         takes any number of triplets of arguments, where each triplet describes one mapping of the
1071         shuffle. For example, to represent (a => b, b => c), we might say:
1072
1073             Shuffle %a, %b, 64, %b, %c, 64
1074
1075         Note the "64"s, those are width arguments that describe how many bits of the register are
1076         being moved. Each triplet is referred to as a "shuffle pair". We call it a pair because the
1077         most relevant part of it is the pair of registers or memory locations (i.e. %a, %b form one
1078         of the pairs in the example). For GP arguments, the width follows ZDef semantics.
1079
1080         In the future, we will be able to use Shuffle for a lot of things. This patch is modest about
1081         how to use it:
1082
1083         - C calling convention argument marshalling. Previously we used move instructions. But that's
1084           problematic since it introduces artificial interference between the argument registers and
1085           the inputs. Using Shuffle removes that interference. This helps a bit.
1086
1087         - Cold C calls. This is what really motivated me to write this patch. If we have a C call on
1088           a cold path, then we want it to appear to the register allocator like it doesn't clobber
1089           any registers. Only after register allocation should we handle the clobbering by simply
1090           saving all of the live volatile registers to the stack. If you imagine the saving and the
1091           argument marshalling, you can see how before the call, we want to have a Shuffle that does
1092           both of those things. This is important. If argument marshalling was separate from the
1093           saving, then we'd still appear to clobber argument registers. Doing them together as one
1094           Shuffle means that the cold call doesn't appear to even clobber the argument registers.
1095
1096         Unfortunately, I was wrong about cold C calls being the dominant problem with our register
1097         allocator right now. Fixing this revealed other problems in my current tuning benchmark,
1098         Octane/encrypt. Nonetheless, this is a small speed-up across the board, and gives us some
1099         functionality we will need to implement other optimizations.
1100
1101         * CMakeLists.txt:
1102         * JavaScriptCore.xcodeproj/project.pbxproj:
1103         * assembler/AbstractMacroAssembler.h:
1104         (JSC::isX86_64):
1105         (JSC::isIOS):
1106         (JSC::optimizeForARMv7IDIVSupported):
1107         * assembler/MacroAssemblerX86Common.h:
1108         (JSC::MacroAssemblerX86Common::zeroExtend32ToPtr):
1109         (JSC::MacroAssemblerX86Common::swap32):
1110         (JSC::MacroAssemblerX86Common::moveConditionally32):
1111         * assembler/MacroAssemblerX86_64.h:
1112         (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
1113         (JSC::MacroAssemblerX86_64::swap64):
1114         (JSC::MacroAssemblerX86_64::move64ToDouble):
1115         * assembler/X86Assembler.h:
1116         (JSC::X86Assembler::xchgl_rr):
1117         (JSC::X86Assembler::xchgl_rm):
1118         (JSC::X86Assembler::xchgq_rr):
1119         (JSC::X86Assembler::xchgq_rm):
1120         (JSC::X86Assembler::movl_rr):
1121         * b3/B3CCallValue.h:
1122         * b3/B3Compilation.cpp:
1123         (JSC::B3::Compilation::Compilation):
1124         (JSC::B3::Compilation::~Compilation):
1125         * b3/B3Compilation.h:
1126         (JSC::B3::Compilation::code):
1127         * b3/B3LowerToAir.cpp:
1128         (JSC::B3::Air::LowerToAir::run):
1129         (JSC::B3::Air::LowerToAir::createSelect):
1130         (JSC::B3::Air::LowerToAir::lower):
1131         (JSC::B3::Air::LowerToAir::marshallCCallArgument): Deleted.
1132         * b3/B3OpaqueByproducts.h:
1133         (JSC::B3::OpaqueByproducts::count):
1134         * b3/B3StackmapSpecial.cpp:
1135         (JSC::B3::StackmapSpecial::isArgValidForValue):
1136         (JSC::B3::StackmapSpecial::isArgValidForRep):
1137         * b3/air/AirArg.cpp:
1138         (JSC::B3::Air::Arg::isStackMemory):
1139         (JSC::B3::Air::Arg::isRepresentableAs):
1140         (JSC::B3::Air::Arg::usesTmp):
1141         (JSC::B3::Air::Arg::canRepresent):
1142         (JSC::B3::Air::Arg::isCompatibleType):
1143         (JSC::B3::Air::Arg::dump):
1144         (WTF::printInternal):
1145         * b3/air/AirArg.h:
1146         (JSC::B3::Air::Arg::forEachType):
1147         (JSC::B3::Air::Arg::isWarmUse):
1148         (JSC::B3::Air::Arg::cooled):
1149         (JSC::B3::Air::Arg::isEarlyUse):
1150         (JSC::B3::Air::Arg::imm64):
1151         (JSC::B3::Air::Arg::immPtr):
1152         (JSC::B3::Air::Arg::addr):
1153         (JSC::B3::Air::Arg::special):
1154         (JSC::B3::Air::Arg::widthArg):
1155         (JSC::B3::Air::Arg::operator==):
1156         (JSC::B3::Air::Arg::isImm64):
1157         (JSC::B3::Air::Arg::isSomeImm):
1158         (JSC::B3::Air::Arg::isAddr):
1159         (JSC::B3::Air::Arg::isIndex):
1160         (JSC::B3::Air::Arg::isMemory):
1161         (JSC::B3::Air::Arg::isRelCond):
1162         (JSC::B3::Air::Arg::isSpecial):
1163         (JSC::B3::Air::Arg::isWidthArg):
1164         (JSC::B3::Air::Arg::isAlive):
1165         (JSC::B3::Air::Arg::base):
1166         (JSC::B3::Air::Arg::hasOffset):
1167         (JSC::B3::Air::Arg::offset):
1168         (JSC::B3::Air::Arg::width):
1169         (JSC::B3::Air::Arg::isGPTmp):
1170         (JSC::B3::Air::Arg::isGP):
1171         (JSC::B3::Air::Arg::isFP):
1172         (JSC::B3::Air::Arg::isType):
1173         (JSC::B3::Air::Arg::isGPR):
1174         (JSC::B3::Air::Arg::isValidForm):
1175         (JSC::B3::Air::Arg::forEachTmpFast):
1176         * b3/air/AirBasicBlock.h:
1177         (JSC::B3::Air::BasicBlock::insts):
1178         (JSC::B3::Air::BasicBlock::appendInst):
1179         (JSC::B3::Air::BasicBlock::append):
1180         * b3/air/AirCCallingConvention.cpp: Added.
1181         (JSC::B3::Air::computeCCallingConvention):
1182         (JSC::B3::Air::cCallResult):
1183         (JSC::B3::Air::buildCCall):
1184         * b3/air/AirCCallingConvention.h: Added.
1185         * b3/air/AirCode.h:
1186         (JSC::B3::Air::Code::proc):
1187         * b3/air/AirCustom.cpp: Added.
1188         (JSC::B3::Air::CCallCustom::isValidForm):
1189         (JSC::B3::Air::CCallCustom::generate):
1190         (JSC::B3::Air::ShuffleCustom::isValidForm):
1191         (JSC::B3::Air::ShuffleCustom::generate):
1192         * b3/air/AirCustom.h:
1193         (JSC::B3::Air::PatchCustom::forEachArg):
1194         (JSC::B3::Air::PatchCustom::generate):
1195         (JSC::B3::Air::CCallCustom::forEachArg):
1196         (JSC::B3::Air::CCallCustom::isValidFormStatic):
1197         (JSC::B3::Air::CCallCustom::admitsStack):
1198         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
1199         (JSC::B3::Air::ColdCCallCustom::forEachArg):
1200         (JSC::B3::Air::ShuffleCustom::forEachArg):
1201         (JSC::B3::Air::ShuffleCustom::isValidFormStatic):
1202         (JSC::B3::Air::ShuffleCustom::admitsStack):
1203         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
1204         * b3/air/AirEmitShuffle.cpp: Added.
1205         (JSC::B3::Air::ShufflePair::dump):
1206         (JSC::B3::Air::emitShuffle):
1207         * b3/air/AirEmitShuffle.h: Added.
1208         (JSC::B3::Air::ShufflePair::ShufflePair):
1209         (JSC::B3::Air::ShufflePair::src):
1210         (JSC::B3::Air::ShufflePair::dst):
1211         (JSC::B3::Air::ShufflePair::width):
1212         * b3/air/AirGenerate.cpp:
1213         (JSC::B3::Air::prepareForGeneration):
1214         * b3/air/AirGenerate.h:
1215         * b3/air/AirInsertionSet.cpp:
1216         (JSC::B3::Air::InsertionSet::insertInsts):
1217         (JSC::B3::Air::InsertionSet::execute):
1218         * b3/air/AirInsertionSet.h:
1219         (JSC::B3::Air::InsertionSet::insertInst):
1220         (JSC::B3::Air::InsertionSet::insert):
1221         * b3/air/AirInst.h:
1222         (JSC::B3::Air::Inst::operator bool):
1223         (JSC::B3::Air::Inst::append):
1224         * b3/air/AirLowerAfterRegAlloc.cpp: Added.
1225         (JSC::B3::Air::lowerAfterRegAlloc):
1226         * b3/air/AirLowerAfterRegAlloc.h: Added.
1227         * b3/air/AirLowerMacros.cpp: Added.
1228         (JSC::B3::Air::lowerMacros):
1229         * b3/air/AirLowerMacros.h: Added.
1230         * b3/air/AirOpcode.opcodes:
1231         * b3/air/AirRegisterPriority.h:
1232         (JSC::B3::Air::regsInPriorityOrder):
1233         * b3/air/testair.cpp: Added.
1234         (hiddenTruthBecauseNoReturnIsStupid):
1235         (usage):
1236         (JSC::B3::Air::compile):
1237         (JSC::B3::Air::invoke):
1238         (JSC::B3::Air::compileAndRun):
1239         (JSC::B3::Air::testSimple):
1240         (JSC::B3::Air::loadConstantImpl):
1241         (JSC::B3::Air::loadConstant):
1242         (JSC::B3::Air::loadDoubleConstant):
1243         (JSC::B3::Air::testShuffleSimpleSwap):
1244         (JSC::B3::Air::testShuffleSimpleShift):
1245         (JSC::B3::Air::testShuffleLongShift):
1246         (JSC::B3::Air::testShuffleLongShiftBackwards):
1247         (JSC::B3::Air::testShuffleSimpleRotate):
1248         (JSC::B3::Air::testShuffleSimpleBroadcast):
1249         (JSC::B3::Air::testShuffleBroadcastAllRegs):
1250         (JSC::B3::Air::testShuffleTreeShift):
1251         (JSC::B3::Air::testShuffleTreeShiftBackward):
1252         (JSC::B3::Air::testShuffleTreeShiftOtherBackward):
1253         (JSC::B3::Air::testShuffleMultipleShifts):
1254         (JSC::B3::Air::testShuffleRotateWithFringe):
1255         (JSC::B3::Air::testShuffleRotateWithLongFringe):
1256         (JSC::B3::Air::testShuffleMultipleRotates):
1257         (JSC::B3::Air::testShuffleShiftAndRotate):
1258         (JSC::B3::Air::testShuffleShiftAllRegs):
1259         (JSC::B3::Air::testShuffleRotateAllRegs):
1260         (JSC::B3::Air::testShuffleSimpleSwap64):
1261         (JSC::B3::Air::testShuffleSimpleShift64):
1262         (JSC::B3::Air::testShuffleSwapMixedWidth):
1263         (JSC::B3::Air::testShuffleShiftMixedWidth):
1264         (JSC::B3::Air::testShuffleShiftMemory):
1265         (JSC::B3::Air::testShuffleShiftMemoryLong):
1266         (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
1267         (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
1268         (JSC::B3::Air::combineHiLo):
1269         (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
1270         (JSC::B3::Air::testShuffleRotateMemory):
1271         (JSC::B3::Air::testShuffleRotateMemory64):
1272         (JSC::B3::Air::testShuffleRotateMemoryMixedWidth):
1273         (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
1274         (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
1275         (JSC::B3::Air::testShuffleSwapDouble):
1276         (JSC::B3::Air::testShuffleShiftDouble):
1277         (JSC::B3::Air::run):
1278         (run):
1279         (main):
1280         * b3/testb3.cpp:
1281         (JSC::B3::testCallSimple):
1282         (JSC::B3::testCallRare):
1283         (JSC::B3::testCallRareLive):
1284         (JSC::B3::testCallSimplePure):
1285         (JSC::B3::run):
1286
1287 2016-01-14  Keith Miller  <keith_miller@apple.com>
1288
1289         Unreviewed, mark passing es6 tests as no longer failing.
1290
1291         * tests/es6.yaml:
1292
1293 2016-01-14  Keith Miller  <keith_miller@apple.com>
1294
1295         [ES6] Support subclassing Function.
1296         https://bugs.webkit.org/show_bug.cgi?id=153081
1297
1298         Reviewed by Geoffrey Garen.
1299
1300         This patch enables subclassing the Function object. It also fixes an existing
1301         bug that prevented users from subclassing functions that have a function in
1302         the superclass's prototype property.
1303
1304         * bytecompiler/NodesCodegen.cpp:
1305         (JSC::ClassExprNode::emitBytecode):
1306         * runtime/FunctionConstructor.cpp:
1307         (JSC::constructWithFunctionConstructor):
1308         (JSC::constructFunction):
1309         (JSC::constructFunctionSkippingEvalEnabledCheck):
1310         * runtime/FunctionConstructor.h:
1311         * runtime/JSFunction.cpp:
1312         (JSC::JSFunction::create):
1313         * runtime/JSFunction.h:
1314         (JSC::JSFunction::createImpl):
1315         * runtime/JSFunctionInlines.h:
1316         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1317         (JSC::JSFunction::JSFunction): Deleted.
1318         * tests/stress/class-subclassing-function.js: Added.
1319
1320 2016-01-13  Carlos Garcia Campos  <cgarcia@igalia.com>
1321
1322         [CMake] Do not use LLVM static libraries for FTL JIT
1323         https://bugs.webkit.org/show_bug.cgi?id=151559
1324
1325         Reviewed by Michael Catanzaro.
1326
1327         Allow ports to decide whether to prefer linking to llvm static or
1328         dynamic libraries. This patch only changes the behavior of the GTK
1329         port, other ports can change the default behavior by setting
1330         llvmForJSC_LIBRARIES in their platform specific cmake files.
1331
1332         * CMakeLists.txt: Move llvmForJSC library definition after the
1333         WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS, to allow platform specific
1334         files to set their own llvmForJSC_LIBRARIES. When not set, it
1335         defaults to LLVM_STATIC_LIBRARIES. The command to create
1336         WebKitLLVMLibraryToken.h no longer depends on the static
1337         libraries, since we are going to make the build fail anyway when
1338         not found in case of linking to the static libraries. If the platform
1339         specific file defines llvmForJSC_INSTALL_DIR, llvmForJSC is also
1340         installed to the given destination.
1341         * PlatformGTK.cmake: Set llvmForJSC_LIBRARIES and
1342         llvmForJSC_INSTALL_DIR.
1343
1344 2016-01-13  Saam barati  <sbarati@apple.com>
1345
1346         NativeExecutable should have a name field
1347         https://bugs.webkit.org/show_bug.cgi?id=153083
1348
1349         Reviewed by Geoffrey Garen.
1350
1351         This is going to help the SamplingProfiler come up
1352         with names for NativeExecutable objects it encounters.
1353
1354         * jit/JITThunks.cpp:
1355         (JSC::JITThunks::finalize):
1356         (JSC::JITThunks::hostFunctionStub):
1357         * jit/JITThunks.h:
1358         * runtime/Executable.h:
1359         * runtime/JSBoundFunction.cpp:
1360         (JSC::JSBoundFunction::create):
1361         * runtime/JSFunction.cpp:
1362         (JSC::JSFunction::create):
1363         (JSC::JSFunction::lookUpOrCreateNativeExecutable):
1364         * runtime/JSFunction.h:
1365         (JSC::JSFunction::createImpl):
1366         * runtime/JSNativeStdFunction.cpp:
1367         (JSC::JSNativeStdFunction::create):
1368         * runtime/VM.cpp:
1369         (JSC::thunkGeneratorForIntrinsic):
1370         (JSC::VM::getHostFunction):
1371         * runtime/VM.h:
1372         (JSC::VM::getCTIStub):
1373         (JSC::VM::exceptionOffset):
1374
1375 2016-01-13  Keith Miller  <keith_miller@apple.com>
1376
1377         [ES6] Support subclassing the String builtin object
1378         https://bugs.webkit.org/show_bug.cgi?id=153068
1379
1380         Reviewed by Michael Saboff.
1381
1382         This patch adds subclassing of strings. Also, this patch fixes a bug where we could have
1383         the wrong indexing type for builtins constructed without storage.
1384
1385         * runtime/PrototypeMap.cpp:
1386         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1387         * runtime/StringConstructor.cpp:
1388         (JSC::constructWithStringConstructor):
1389         * tests/stress/class-subclassing-string.js: Added.
1390         (test):
1391
1392 2016-01-13  Mark Lam  <mark.lam@apple.com>
1393
1394         The StringFromCharCode DFG intrinsic should support untyped operands.
1395         https://bugs.webkit.org/show_bug.cgi?id=153046
1396
1397         Reviewed by Geoffrey Garen.
1398
1399         The current StringFromCharCode DFG intrinsic assumes that its operand charCode
1400         must be an Int32.  This results in 26000+ BadType OSR exits in the LongSpider
1401         crypto-aes benchmark.  With support for Untyped operands, the number of OSR
1402         exits drops to 202.
1403
1404         * dfg/DFGClobberize.h:
1405         (JSC::DFG::clobberize):
1406         * dfg/DFGFixupPhase.cpp:
1407         (JSC::DFG::FixupPhase::fixupNode):
1408         * dfg/DFGOperations.cpp:
1409         * dfg/DFGOperations.h:
1410         * dfg/DFGSpeculativeJIT.cpp:
1411         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1412         * dfg/DFGSpeculativeJIT.h:
1413         (JSC::DFG::SpeculativeJIT::callOperation):
1414         * dfg/DFGValidate.cpp:
1415         (JSC::DFG::Validate::validate):
1416         * runtime/JSCJSValueInlines.h:
1417         (JSC::JSValue::toUInt32):
1418
1419 2016-01-13  Mark Lam  <mark.lam@apple.com>
1420
1421         Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently.
1422         https://bugs.webkit.org/show_bug.cgi?id=153080
1423
1424         Reviewed by Geoffrey Garen.
1425
1426         We currently have Graph::mulShouldSpeculateInt32/machineInt() and
1427         Graph::negateShouldSpeculateInt32/MachineInt() functions which are only used by
1428         the ArithMul and ArithNegate nodes.  However, the same tests need to be done for
1429         many other arith nodes in the DFG.  This patch renames these functions as
1430         Graph::binaryArithShouldSpeculateInt32/machineInt() and
1431         Graph::unaryArithShouldSpeculateInt32/MachineInt(), and uses them consistently
1432         in the DFG.
1433
1434         * dfg/DFGFixupPhase.cpp:
1435         (JSC::DFG::FixupPhase::fixupNode):
1436         * dfg/DFGGraph.h:
1437         (JSC::DFG::Graph::addShouldSpeculateMachineInt):
1438         (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
1439         (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt):
1440         (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
1441         (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt):
1442         (JSC::DFG::Graph::mulShouldSpeculateInt32): Deleted.
1443         (JSC::DFG::Graph::mulShouldSpeculateMachineInt): Deleted.
1444         (JSC::DFG::Graph::negateShouldSpeculateInt32): Deleted.
1445         (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
1446         * dfg/DFGPredictionPropagationPhase.cpp:
1447         (JSC::DFG::PredictionPropagationPhase::propagate):
1448         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1449
1450 2016-01-13  Joseph Pecoraro  <pecoraro@apple.com>
1451
1452         Web Inspector: Inspector should use the last sourceURL / sourceMappingURL directive
1453         https://bugs.webkit.org/show_bug.cgi?id=153072
1454         <rdar://problem/24168312>
1455
1456         Reviewed by Timothy Hatcher.
1457
1458         * parser/Lexer.cpp:
1459         (JSC::Lexer<T>::parseCommentDirective):
1460         Just keep overwriting the member variable so we end up with
1461         the last directive value.
1462
1463 2016-01-13  Commit Queue  <commit-queue@webkit.org>
1464
1465         Unreviewed, rolling out r194969.
1466         https://bugs.webkit.org/show_bug.cgi?id=153075
1467
1468         This change broke the iOS build (Requested by ryanhaddad on
1469         #webkit).
1470
1471         Reverted changeset:
1472
1473         "[JSC] Legalize Memory Offsets for ARM64 before lowering to
1474         Air"
1475         https://bugs.webkit.org/show_bug.cgi?id=153065
1476         http://trac.webkit.org/changeset/194969
1477
1478 2016-01-13  Benjamin Poulain  <bpoulain@apple.com>
1479
1480         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
1481         https://bugs.webkit.org/show_bug.cgi?id=153065
1482
1483         Reviewed by Mark Lam.
1484         Reviewed by Filip Pizlo.
1485
1486         On ARM64, we cannot use signed 32-bit offsets for memory addressing.
1487         There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
1488         Air already knows about it.
1489
1490         In this patch, the offsets are changed to something valid for ARM64
1491         prior to lowering. When an offset is invalid, it is just computed
1492         before the instruction and used as the base for addressing.
1493
1494         * JavaScriptCore.xcodeproj/project.pbxproj:
1495         * b3/B3Generate.cpp:
1496         (JSC::B3::generateToAir):
1497         * b3/B3LegalizeMemoryOffsets.cpp: Added.
1498         (JSC::B3::legalizeMemoryOffsets):
1499         * b3/B3LegalizeMemoryOffsets.h: Added.
1500         * b3/B3LowerToAir.cpp:
1501         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
1502         * b3/testb3.cpp:
1503         (JSC::B3::testLoadWithOffsetImpl):
1504         (JSC::B3::testLoadOffsetImm9Max):
1505         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
1506         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
1507         (JSC::B3::testLoadOffsetImm9Min):
1508         (JSC::B3::testLoadOffsetImm9MinMinusOne):
1509         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
1510         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
1511         (JSC::B3::run):
1512
1513 2016-01-12  Per Arne Vollan  <peavo@outlook.com>
1514
1515         [FTL][Win64] Compile error.
1516         https://bugs.webkit.org/show_bug.cgi?id=153031
1517
1518         Reviewed by Brent Fulgham.
1519
1520         The header file dlfcn.h does not exist on Windows.
1521
1522         * ftl/FTLLowerDFGToLLVM.cpp:
1523
1524 2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>
1525
1526         Add a build flag for custom element
1527         https://bugs.webkit.org/show_bug.cgi?id=153005
1528
1529         Reviewed by Alex Christensen.
1530
1531         * Configurations/FeatureDefines.xcconfig:
1532
1533 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
1534
1535         [JSC] Remove some invalid immediate instruction forms from ARM64 Air
1536         https://bugs.webkit.org/show_bug.cgi?id=153024
1537
1538         Reviewed by Michael Saboff.
1539
1540         * b3/B3BasicBlock.h:
1541         Export the symbols for testb3.
1542
1543         * b3/air/AirOpcode.opcodes:
1544         We had 2 invalid opcodes:
1545         -Compare with immediate just does not exist.
1546         -Test64 with immediate exists but Air does not recognize
1547          the valid form of bit-immediates.
1548
1549         * b3/testb3.cpp:
1550         (JSC::B3::genericTestCompare):
1551         (JSC::B3::testCompareImpl):
1552         Extend the tests to cover what was invalid.
1553
1554 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
1555
1556         [JSC] JSC does not build with FTL_USES_B3 on ARM64
1557         https://bugs.webkit.org/show_bug.cgi?id=153011
1558
1559         Reviewed by Saam Barati.
1560
1561         Apparently the static const member can only be used for constexpr.
1562         C++ is weird.
1563
1564         * jit/GPRInfo.cpp:
1565         * jit/GPRInfo.h:
1566
1567 2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>
1568
1569         Web Inspector: console.count() shouldn't show a colon in front of a number
1570         https://bugs.webkit.org/show_bug.cgi?id=152038
1571
1572         Reviewed by Brian Burg.
1573
1574         * inspector/agents/InspectorConsoleAgent.cpp:
1575         (Inspector::InspectorConsoleAgent::count):
1576         Do not include title and colon if the title is empty.
1577
1578 2016-01-11  Dan Bernstein  <mitz@apple.com>
1579
1580         Reverted r194317.
1581
1582         Reviewed by Joseph Pecoraro.
1583
1584         r194317 did not contain a change log entry, did not explain the motivation, did not name a
1585         reviewer, and does not seem necessary.
1586
1587         * JavaScriptCore.xcodeproj/project.pbxproj:
1588
1589 2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>
1590
1591         keywords ("super", "delete", etc) should be valid method names
1592         https://bugs.webkit.org/show_bug.cgi?id=144281
1593
1594         Reviewed by Ryosuke Niwa.
1595
1596         * parser/Parser.cpp:
1597         (JSC::Parser<LexerType>::parseClass):
1598         - When parsing "static(" treat it as a method named "static" and not a static method.
1599         - When parsing a keyword treat it like a string method name (get and set are not keywords)
1600         - When parsing a getter / setter method name identifier, allow lookahead to be a keyword
1601
1602         (JSC::Parser<LexerType>::parseGetterSetter):
1603         - When parsing the getter / setter's name, allow it to be a keyword.
1604
1605 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
1606
1607         [JSC] Add Div/Mod and fix Mul for B3 ARM64
1608         https://bugs.webkit.org/show_bug.cgi?id=152978
1609
1610         Reviewed by Filip Pizlo.
1611
1612         Add the 3-operand forms of Mul.
1613         Remove the form taking an immediate on ARM64; there is no such instruction.
1614
1615         Add Div with sdiv.
1616
1617         Unfortunately, I discovered ChillMod's division by zero
1618         makes it non-trivial on ARM64. I just made it into a macro like on x86.
1619
1620         * assembler/MacroAssemblerARM64.h:
1621         (JSC::MacroAssemblerARM64::mul32):
1622         (JSC::MacroAssemblerARM64::mul64):
1623         (JSC::MacroAssemblerARM64::div32):
1624         (JSC::MacroAssemblerARM64::div64):
1625         * b3/B3LowerMacros.cpp:
1626         * b3/B3LowerToAir.cpp:
1627         (JSC::B3::Air::LowerToAir::lower):
1628         * b3/air/AirOpcode.opcodes:
1629
1630 2016-01-11  Keith Miller  <keith_miller@apple.com>
1631
1632         Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
1633         https://bugs.webkit.org/show_bug.cgi?id=152949
1634
1635         Reviewed by Michael Saboff.
1636
1637         This patch updates Array constructors to use the new InternalFunctionAllocationProfile.
1638
1639         * runtime/ArrayConstructor.cpp:
1640         (JSC::constructArrayWithSizeQuirk):
1641         (JSC::constructWithArrayConstructor):
1642         * runtime/InternalFunction.h:
1643         (JSC::InternalFunction::createStructure):
1644         * runtime/JSGlobalObject.h:
1645         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
1646         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
1647         (JSC::constructEmptyArray):
1648         (JSC::constructArray):
1649         (JSC::constructArrayNegativeIndexed):
1650         * runtime/PrototypeMap.cpp:
1651         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1652         * runtime/Structure.h:
1653         * runtime/StructureInlines.h:
1654
1655 2016-01-08  Keith Miller  <keith_miller@apple.com>
1656
1657         Use a profile to store allocation structures for subclasses of InternalFunctions
1658         https://bugs.webkit.org/show_bug.cgi?id=152942
1659
1660         Reviewed by Michael Saboff.
1661
1662         This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
1663         a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
1664         InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
1665         constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
1666         constructor as a new.target to any other constructor. This means that a user can pass some
1667         non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
1668         new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
1669         need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
1670         current constructor. By using different profiles, we only need to check the profile in InternalFunctions
1671         as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
1672         low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.
1673
1674         Additionally, this patch adds subclassing to some omitted classes.
1675
1676         * API/JSObjectRef.cpp:
1677         (JSObjectMakeDate):
1678         (JSObjectMakeRegExp):
1679         * JavaScriptCore.xcodeproj/project.pbxproj:
1680         * bytecode/InternalFunctionAllocationProfile.h: Added.
1681         (JSC::InternalFunctionAllocationProfile::structure):
1682         (JSC::InternalFunctionAllocationProfile::clear):
1683         (JSC::InternalFunctionAllocationProfile::visitAggregate):
1684         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
1685         * dfg/DFGByteCodeParser.cpp:
1686         (JSC::DFG::ByteCodeParser::parseBlock):
1687         * dfg/DFGOperations.cpp:
1688         * dfg/DFGSpeculativeJIT32_64.cpp:
1689         (JSC::DFG::SpeculativeJIT::compile):
1690         * dfg/DFGSpeculativeJIT64.cpp:
1691         (JSC::DFG::SpeculativeJIT::compile):
1692         * jit/JITOpcodes.cpp:
1693         (JSC::JIT::emit_op_create_this):
1694         * jit/JITOpcodes32_64.cpp:
1695         (JSC::JIT::emit_op_create_this):
1696         * llint/LowLevelInterpreter32_64.asm:
1697         * llint/LowLevelInterpreter64.asm:
1698         * runtime/BooleanConstructor.cpp:
1699         (JSC::constructWithBooleanConstructor):
1700         * runtime/CommonSlowPaths.cpp:
1701         (JSC::SLOW_PATH_DECL):
1702         * runtime/DateConstructor.cpp:
1703         (JSC::constructDate):
1704         (JSC::constructWithDateConstructor):
1705         * runtime/DateConstructor.h:
1706         * runtime/ErrorConstructor.cpp:
1707         (JSC::Interpreter::constructWithErrorConstructor):
1708         * runtime/FunctionRareData.cpp:
1709         (JSC::FunctionRareData::create):
1710         (JSC::FunctionRareData::visitChildren):
1711         (JSC::FunctionRareData::FunctionRareData):
1712         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1713         (JSC::FunctionRareData::clear):
1714         (JSC::FunctionRareData::finishCreation): Deleted.
1715         (JSC::FunctionRareData::initialize): Deleted.
1716         * runtime/FunctionRareData.h:
1717         (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
1718         (JSC::FunctionRareData::objectAllocationProfile):
1719         (JSC::FunctionRareData::objectAllocationStructure):
1720         (JSC::FunctionRareData::allocationProfileWatchpointSet):
1721         (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
1722         (JSC::FunctionRareData::internalFunctionAllocationStructure):
1723         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
1724         (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
1725         (JSC::FunctionRareData::allocationProfile): Deleted.
1726         (JSC::FunctionRareData::allocationStructure): Deleted.
1727         (JSC::FunctionRareData::isInitialized): Deleted.
1728         * runtime/InternalFunction.cpp:
1729         (JSC::InternalFunction::createSubclassStructure):
1730         * runtime/InternalFunction.h:
1731         * runtime/JSArrayBufferConstructor.cpp:
1732         (JSC::constructArrayBuffer):
1733         * runtime/JSFunction.cpp:
1734         (JSC::JSFunction::allocateRareData):
1735         (JSC::JSFunction::allocateAndInitializeRareData):
1736         (JSC::JSFunction::initializeRareData):
1737         * runtime/JSFunction.h:
1738         (JSC::JSFunction::rareData):
1739         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1740         (JSC::constructGenericTypedArrayView):
1741         * runtime/JSObject.h:
1742         (JSC::JSFinalObject::typeInfo):
1743         (JSC::JSFinalObject::createStructure):
1744         * runtime/JSPromiseConstructor.cpp:
1745         (JSC::constructPromise):
1746         * runtime/JSPromiseConstructor.h:
1747         * runtime/JSWeakMap.cpp:
1748         * runtime/JSWeakSet.cpp:
1749         * runtime/MapConstructor.cpp:
1750         (JSC::constructMap):
1751         * runtime/NativeErrorConstructor.cpp:
1752         (JSC::Interpreter::constructWithNativeErrorConstructor):
1753         * runtime/NumberConstructor.cpp:
1754         (JSC::constructWithNumberConstructor):
1755         * runtime/PrototypeMap.cpp:
1756         (JSC::PrototypeMap::createEmptyStructure):
1757         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
1758         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
1759         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
1760         * runtime/PrototypeMap.h:
1761         * runtime/RegExpConstructor.cpp:
1762         (JSC::getRegExpStructure):
1763         (JSC::constructRegExp):
1764         (JSC::constructWithRegExpConstructor):
1765         * runtime/RegExpConstructor.h:
1766         * runtime/SetConstructor.cpp:
1767         (JSC::constructSet):
1768         * runtime/WeakMapConstructor.cpp:
1769         (JSC::constructWeakMap):
1770         * runtime/WeakSetConstructor.cpp:
1771         (JSC::constructWeakSet):
1772         * tests/stress/class-subclassing-misc.js:
1773         (A):
1774         (D):
1775         (E):
1776         (WM):
1777         (WS):
1778         (test):
1779         * tests/stress/class-subclassing-typedarray.js: Added.
1780         (test):
1781
1782 2016-01-11  Per Arne Vollan  <peavo@outlook.com>
1783
1784         [B3][Win64] Compile error.
1785         https://bugs.webkit.org/show_bug.cgi?id=152984
1786
1787         Reviewed by Alex Christensen.
1788
1789         Windows does not have bzero; use memset instead.
1790
1791         * b3/air/AirIteratedRegisterCoalescing.cpp:
1792
1793 2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>
1794
1795         Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
1796         https://bugs.webkit.org/show_bug.cgi?id=152923
1797
1798         Reviewed by Alex Christensen.
1799
1800         * jit/CallFrameShuffler.h:
1801         (JSC::CallFrameShuffler::assumeCalleeIsCell):
1802
1803 2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>
1804
1805         [B3] Fix control reaches end of non-void function GCC warnings on Linux
1806         https://bugs.webkit.org/show_bug.cgi?id=152887
1807
1808         Reviewed by Mark Lam.
1809
1810         * b3/B3LowerToAir.cpp:
1811         (JSC::B3::Air::LowerToAir::createBranch):
1812         (JSC::B3::Air::LowerToAir::createCompare):
1813         (JSC::B3::Air::LowerToAir::createSelect):
1814         * b3/B3Type.h:
1815         (JSC::B3::sizeofType):
1816         * b3/air/AirArg.cpp:
1817         (JSC::B3::Air::Arg::isRepresentableAs):
1818         * b3/air/AirArg.h:
1819         (JSC::B3::Air::Arg::isAnyUse):
1820         (JSC::B3::Air::Arg::isColdUse):
1821         (JSC::B3::Air::Arg::isEarlyUse):
1822         (JSC::B3::Air::Arg::isLateUse):
1823         (JSC::B3::Air::Arg::isAnyDef):
1824         (JSC::B3::Air::Arg::isEarlyDef):
1825         (JSC::B3::Air::Arg::isLateDef):
1826         (JSC::B3::Air::Arg::isZDef):
1827         (JSC::B3::Air::Arg::widthForB3Type):
1828         (JSC::B3::Air::Arg::isGP):
1829         (JSC::B3::Air::Arg::isFP):
1830         (JSC::B3::Air::Arg::isType):
1831         (JSC::B3::Air::Arg::isValidForm):
1832         * b3/air/AirCode.h:
1833         (JSC::B3::Air::Code::newTmp):
1834         (JSC::B3::Air::Code::numTmps):
1835
1836 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
1837
1838         Make it easier to introduce exotic instructions to Air
1839         https://bugs.webkit.org/show_bug.cgi?id=152953
1840
1841         Reviewed by Benjamin Poulain.
1842
1843         Currently, you can define new "opcodes" in Air using either:
1844
1845         1) New opcode declared in AirOpcode.opcodes.
1846         2) Patch opcode with a new implementation of Air::Special.
1847
1848         With (1), you are limited to fixed-argument-length instructions. There are other
1849         restrictions as well, like that you can only use the roles that the AirOpcode syntax
1850         supports.
1851
1852         With (2), you can do anything you like, but the instruction will be harder to match
1853         since it will share the same opcode as any other Patch. Also, the instruction will have
1854         the Special argument, which means more busy-work when creating the instruction and
1855         validating it.
1856
1857         This introduces an in-between facility called "custom". This replaces what AirOpcode
1858         previously called "special". A custom instruction is one whose behavior is defined by a
1859         FooCustom struct with some static methods. Calls to those methods are emitted by
1860         opcode_generator.rb.
1861
1862         The "custom" facility is powerful enough to be used to implement Patch, with the caveat
1863         that we now treat the Patch instruction specially in a few places. Those places were
1864         already effectively treating it specially by assuming that only Patch instructions have
1865         a Special as their first argument.
1866
1867         This will let me implement the Shuffle instruction (bug 152952), which I think is needed
1868         for performance work.
1869
1870         * JavaScriptCore.xcodeproj/project.pbxproj:
1871         * b3/air/AirCustom.h: Added.
1872         (JSC::B3::Air::PatchCustom::forEachArg):
1873         (JSC::B3::Air::PatchCustom::isValidFormStatic):
1874         (JSC::B3::Air::PatchCustom::isValidForm):
1875         (JSC::B3::Air::PatchCustom::admitsStack):
1876         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
1877         (JSC::B3::Air::PatchCustom::generate):
1878         * b3/air/AirHandleCalleeSaves.cpp:
1879         (JSC::B3::Air::handleCalleeSaves):
1880         * b3/air/AirInst.h:
1881         * b3/air/AirInstInlines.h:
1882         (JSC::B3::Air::Inst::forEach):
1883         (JSC::B3::Air::Inst::extraClobberedRegs):
1884         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
1885         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
1886         (JSC::B3::Air::Inst::reportUsedRegisters):
1887         (JSC::B3::Air::Inst::hasSpecial): Deleted.
1888         * b3/air/AirOpcode.opcodes:
1889         * b3/air/AirReportUsedRegisters.cpp:
1890         (JSC::B3::Air::reportUsedRegisters):
1891         * b3/air/opcode_generator.rb:
1892
1893 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
1894
1895         Turn Check(true) into Patchpoint() followed by Oops
1896         https://bugs.webkit.org/show_bug.cgi?id=152968
1897
1898         Reviewed by Benjamin Poulain.
1899
1900         This is an obvious strength reduction to have, especially since if we discover that the
1901         input to the Check is true after some amount of B3 optimization, then stubbing out the rest
1902         of the basic block unlocks CFG simplification opportunities.
1903
1904         It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
1905         implement sinking (bug 152162).
1906
1907         * b3/B3ControlValue.cpp:
1908         (JSC::B3::ControlValue::convertToJump):
1909         (JSC::B3::ControlValue::convertToOops):
1910         (JSC::B3::ControlValue::dumpMeta):
1911         * b3/B3ControlValue.h:
1912         * b3/B3InsertionSet.h:
1913         (JSC::B3::InsertionSet::insertValue):
1914         * b3/B3InsertionSetInlines.h:
1915         (JSC::B3::InsertionSet::insert):
1916         * b3/B3ReduceStrength.cpp:
1917         * b3/B3StackmapValue.h:
1918         * b3/B3Value.h:
1919         * tests/stress/ftl-force-osr-exit.js: Added.
1920
1921 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
1922
1923         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
1924         https://bugs.webkit.org/show_bug.cgi?id=152840
1925
1926         Reviewed by Mark Lam.
1927
1928         ARM64 has two kinds of addressing with immediates:
1929         -Signed 9-bit direct (really only -256 to 255).
1930         -Unsigned 12-bit scaled by the load/store size.
1931
1932         When resolving the stack addresses, we easily run
1933         past -256 bytes from FP. Addressing from SP gives us more
1934         room to address the stack efficiently because we can
1935         use unsigned immediates.
1936
1937         * b3/B3StackmapSpecial.cpp:
1938         (JSC::B3::StackmapSpecial::repForArg):
1939         * b3/air/AirAllocateStack.cpp:
1940         (JSC::B3::Air::allocateStack):
1941
1942 2016-01-10  Saam barati  <sbarati@apple.com>
1943
1944         Implement a sampling profiler
1945         https://bugs.webkit.org/show_bug.cgi?id=151713
1946
1947         Reviewed by Filip Pizlo.
1948
1949         This patch implements a sampling profiler for JavaScriptCore
1950         that will be used in the Inspector UI. The implementation works as follows:
1951         We queue the sampling profiler to run a task on a background
1952         thread every 1ms. When the queued task executes, the sampling profiler
1953         will pause the JSC execution thread and attempt to take a stack trace.
1954         The sampling profiler does everything it can to be very careful
1955         while taking this stack trace. Because it's reading arbitrary memory,
1956         the sampling profiler must validate every pointer it reads from.
1957
1958         The sampling profiler tries to get an ExecutableBase for every call frame
1959         it reads. It first tries to read the CodeBlock slot. It does this because
1960         it can be 100% certain that a pointer is a CodeBlock while it's taking a
1961         stack trace. But, not every call frame will have a CodeBlock. So we must read
1962         the call frame's callee. For these stack traces where we read the callee, we
1963         must verify the callee pointer, and the pointer traversal to an ExecutableBase,
1964         on the main JSC execution thread, and not on the thread taking the stack
1965         trace. We do this verification either before we run the marking phase in
1966         GC, or when somebody asks the SamplingProfiler to materialize its data.
1967
1968         The SamplingProfiler must also be careful to not grab any locks while the JSC execution
1969         thread is paused (this means it can't do anything that mallocs) because
1970         that could cause a deadlock. Therefore, the sampling profiler grabs
1971         locks for all data structures it consults before it pauses the JSC
1972         execution thread.
1973
1974         * CMakeLists.txt:
1975         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1976         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1977         * JavaScriptCore.xcodeproj/project.pbxproj:
1978         * bytecode/CodeBlock.h:
1979         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
1980         (JSC::CodeBlockSet::mark):
1981         * dfg/DFGNodeType.h:
1982         * heap/CodeBlockSet.cpp:
1983         (JSC::CodeBlockSet::add):
1984         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
1985         (JSC::CodeBlockSet::clearMarksForFullCollection):
1986         (JSC::CodeBlockSet::lastChanceToFinalize):
1987         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1988         (JSC::CodeBlockSet::contains):
1989         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
1990         (JSC::CodeBlockSet::remove): Deleted.
1991         * heap/CodeBlockSet.h:
1992         (JSC::CodeBlockSet::getLock):
1993         (JSC::CodeBlockSet::iterate):
1994         The sampling profiler uses the heap's CodeBlockSet to validate
1995         CodeBlock pointers. This data structure must now be under a lock
1996         because we must be certain we're not pausing the JSC execution thread
1997         while it's manipulating this data structure.
1998
1999         * heap/ConservativeRoots.cpp:
2000         (JSC::ConservativeRoots::ConservativeRoots):
2001         (JSC::ConservativeRoots::grow):
2002         (JSC::ConservativeRoots::genericAddPointer):
2003         (JSC::ConservativeRoots::genericAddSpan):
2004         (JSC::ConservativeRoots::add):
2005         (JSC::CompositeMarkHook::CompositeMarkHook):
2006         (JSC::CompositeMarkHook::mark):
2007         * heap/ConservativeRoots.h:
2008         * heap/Heap.cpp:
2009         (JSC::Heap::markRoots):
2010         (JSC::Heap::visitHandleStack):
2011         (JSC::Heap::visitSamplingProfiler):
2012         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2013         (JSC::Heap::snapshotMarkedSpace):
2014         * heap/Heap.h:
2015         (JSC::Heap::structureIDTable):
2016         (JSC::Heap::codeBlockSet):
2017         * heap/MachineStackMarker.cpp:
2018         (pthreadSignalHandlerSuspendResume):
2019         (JSC::getCurrentPlatformThread):
2020         (JSC::MachineThreads::MachineThreads):
2021         (JSC::MachineThreads::~MachineThreads):
2022         (JSC::MachineThreads::Thread::createForCurrentThread):
2023         (JSC::MachineThreads::Thread::operator==):
2024         (JSC::isThreadInList):
2025         (JSC::MachineThreads::addCurrentThread):
2026         (JSC::MachineThreads::machineThreadForCurrentThread):
2027         (JSC::MachineThreads::removeThread):
2028         (JSC::MachineThreads::gatherFromCurrentThread):
2029         (JSC::MachineThreads::Thread::Thread):
2030         (JSC::MachineThreads::Thread::~Thread):
2031         (JSC::MachineThreads::Thread::suspend):
2032         (JSC::MachineThreads::Thread::resume):
2033         (JSC::MachineThreads::Thread::getRegisters):
2034         (JSC::MachineThreads::Thread::Registers::stackPointer):
2035         (JSC::MachineThreads::Thread::Registers::framePointer):
2036         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2037         (JSC::MachineThreads::Thread::freeRegisters):
2038         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2039         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2040         (JSC::MachineThreads::Thread::operator!=): Deleted.
2041         * heap/MachineStackMarker.h:
2042         (JSC::MachineThreads::Thread::operator!=):
2043         (JSC::MachineThreads::getLock):
2044         (JSC::MachineThreads::threadsListHead):
2045         We can now ask a MachineThreads::Thread for its frame pointer
2046         and program counter on Darwin and Windows platforms. EFL
2047         and GTK implementations will happen in another patch.
2048
2049         * heap/MarkedBlockSet.h:
2050         (JSC::MarkedBlockSet::getLock):
2051         (JSC::MarkedBlockSet::add):
2052         (JSC::MarkedBlockSet::remove):
2053         (JSC::MarkedBlockSet::recomputeFilter):
2054         (JSC::MarkedBlockSet::filter):
2055         (JSC::MarkedBlockSet::set):
2056         * heap/MarkedSpace.cpp:
2057         (JSC::Free::Free):
2058         (JSC::Free::operator()):
2059         (JSC::FreeOrShrink::FreeOrShrink):
2060         (JSC::FreeOrShrink::operator()):
2061         (JSC::MarkedSpace::~MarkedSpace):
2062         (JSC::MarkedSpace::isPagedOut):
2063         (JSC::MarkedSpace::freeBlock):
2064         (JSC::MarkedSpace::freeOrShrinkBlock):
2065         (JSC::MarkedSpace::shrink):
2066         * heap/MarkedSpace.h:
2067         (JSC::MarkedSpace::forEachLiveCell):
2068         (JSC::MarkedSpace::forEachDeadCell):
2069         * interpreter/CallFrame.h:
2070         (JSC::ExecState::calleeAsValue):
2071         (JSC::ExecState::callee):
2072         (JSC::ExecState::unsafeCallee):
2073         (JSC::ExecState::codeBlock):
2074         (JSC::ExecState::scope):
2075         * jit/ExecutableAllocator.cpp:
2076         (JSC::ExecutableAllocator::dumpProfile):
2077         (JSC::ExecutableAllocator::getLock):
2078         (JSC::ExecutableAllocator::isValidExecutableMemory):
2079         * jit/ExecutableAllocator.h:
2080         * jit/ExecutableAllocatorFixedVMPool.cpp:
2081         (JSC::ExecutableAllocator::allocate):
2082         (JSC::ExecutableAllocator::isValidExecutableMemory):
2083         (JSC::ExecutableAllocator::getLock):
2084         (JSC::ExecutableAllocator::committedByteCount):
2085         The sampling profiler consults the ExecutableAllocator to check
2086         if the frame pointer it reads is in executable allocated memory.
2087
2088         * jsc.cpp:
2089         (GlobalObject::finishCreation):
2090         (functionCheckModuleSyntax):
2091         (functionStartSamplingProfiler):
2092         (functionSamplingProfilerStackTraces):
2093         * llint/LLIntPCRanges.h: Added.
2094         (JSC::LLInt::isLLIntPC):
2095         * offlineasm/asm.rb:
2096         I added the ability to test whether the PC is executing
2097         LLInt code because this code is not part of the memory
2098         our executable allocator allocates.
2099
2100         * runtime/Executable.h:
2101         (JSC::ExecutableBase::isModuleProgramExecutable):
2102         (JSC::ExecutableBase::isExecutableType):
2103         (JSC::ExecutableBase::isHostFunction):
2104         * runtime/JSLock.cpp:
2105         (JSC::JSLock::didAcquireLock):
2106         (JSC::JSLock::unlock):
2107         * runtime/Options.h:
2108         * runtime/SamplingProfiler.cpp: Added.
2109         (JSC::reportStats):
2110         (JSC::FrameWalker::FrameWalker):
2111         (JSC::FrameWalker::walk):
2112         (JSC::FrameWalker::wasValidWalk):
2113         (JSC::FrameWalker::advanceToParentFrame):
2114         (JSC::FrameWalker::isAtTop):
2115         (JSC::FrameWalker::resetAtMachineFrame):
2116         (JSC::FrameWalker::isValidFramePointer):
2117         (JSC::FrameWalker::isValidCodeBlock):
2118         (JSC::FrameWalker::tryToGetExecutableFromCallee):
2119         The FrameWalker class is used to walk the stack in a safe
2120         manner. It doesn't do anything that would deadlock, and it
2121         validates all pointers that it sees.
2122
2123         (JSC::SamplingProfiler::SamplingProfiler):
2124         (JSC::SamplingProfiler::~SamplingProfiler):
2125         (JSC::SamplingProfiler::visit):
2126         (JSC::SamplingProfiler::shutdown):
2127         (JSC::SamplingProfiler::start):
2128         (JSC::SamplingProfiler::stop):
2129         (JSC::SamplingProfiler::pause):
2130         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2131         (JSC::SamplingProfiler::dispatchIfNecessary):
2132         (JSC::SamplingProfiler::dispatchFunction):
2133         (JSC::SamplingProfiler::noticeJSLockAcquisition):
2134         (JSC::SamplingProfiler::noticeVMEntry):
2135         (JSC::SamplingProfiler::observeStackTrace):
2136         (JSC::SamplingProfiler::clearData):
2137         (JSC::displayName):
2138         (JSC::startLine):
2139         (JSC::startColumn):
2140         (JSC::sourceID):
2141         (JSC::url):
2142         (JSC::SamplingProfiler::stacktracesAsJSON):
2143         * runtime/SamplingProfiler.h: Added.
2144         (JSC::SamplingProfiler::getLock):
2145         (JSC::SamplingProfiler::setTimingInterval):
2146         (JSC::SamplingProfiler::stackTraces):
2147         * runtime/VM.cpp:
2148         (JSC::VM::VM):
2149         (JSC::VM::~VM):
2150         (JSC::VM::setLastStackTop):
2151         (JSC::VM::createContextGroup):
2152         (JSC::VM::ensureWatchdog):
2153         (JSC::VM::ensureSamplingProfiler):
2154         (JSC::thunkGeneratorForIntrinsic):
2155         * runtime/VM.h:
2156         (JSC::VM::watchdog):
2157         (JSC::VM::isSafeToRecurse):
2158         (JSC::VM::lastStackTop):
2159         (JSC::VM::scratchBufferForSize):
2160         (JSC::VM::samplingProfiler):
2161         (JSC::VM::setShouldRewriteConstAsVar):
2162         (JSC::VM::setLastStackTop): Deleted.
2163         * runtime/VMEntryScope.cpp:
2164         (JSC::VMEntryScope::VMEntryScope):
2165         * tests/stress/sampling-profiler: Added.
2166         * tests/stress/sampling-profiler-anonymous-function.js: Added.
2167         (foo):
2168         (baz):
2169         * tests/stress/sampling-profiler-basic.js: Added.
2170         (bar):
2171         (foo):
2172         (nothing):
2173         (top):
2174         (jaz):
2175         (kaz):
2176         (checkInlining):
2177         * tests/stress/sampling-profiler-deep-stack.js: Added.
2178         (foo):
2179         (hellaDeep):
2180         (start):
2181         * tests/stress/sampling-profiler-microtasks.js: Added.
2182         (testResults):
2183         (loop.jaz):
2184         (loop):
2185         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
2186         (assert):
2187         (let.nodePrototype.makeChildIfNeeded):
2188         (makeNode):
2189         (updateCallingContextTree):
2190         (doesTreeHaveStackTrace):
2191         (makeTree):
2192         (runTest):
2193         (dumpTree):
2194         * tools/JSDollarVMPrototype.cpp:
2195         (JSC::JSDollarVMPrototype::isInObjectSpace):
2196         (JSC::JSDollarVMPrototype::isInStorageSpace):
2197         * yarr/YarrJIT.cpp:
2198         (JSC::Yarr::YarrGenerator::generateEnter):
2199         (JSC::Yarr::YarrGenerator::generateReturn):
2200         (JSC::Yarr::YarrGenerator::YarrGenerator):
2201         (JSC::Yarr::YarrGenerator::compile):
2202         (JSC::Yarr::jitCompile):
2203         We now have a boolean that's set to true when
2204         we're executing a RegExp, and to false otherwise.
2205         The boolean lives off of VM.
2206
2207         * CMakeLists.txt:
2208         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2209         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2210         * JavaScriptCore.xcodeproj/project.pbxproj:
2211         * bytecode/CodeBlock.h:
2212         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
2213         (JSC::CodeBlockSet::mark):
2214         * dfg/DFGNodeType.h:
2215         * heap/CodeBlockSet.cpp:
2216         (JSC::CodeBlockSet::add):
2217         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2218         (JSC::CodeBlockSet::clearMarksForFullCollection):
2219         (JSC::CodeBlockSet::lastChanceToFinalize):
2220         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2221         (JSC::CodeBlockSet::contains):
2222         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
2223         (JSC::CodeBlockSet::remove): Deleted.
2224         * heap/CodeBlockSet.h:
2225         (JSC::CodeBlockSet::getLock):
2226         (JSC::CodeBlockSet::iterate):
2227         * heap/ConservativeRoots.cpp:
2228         (JSC::ConservativeRoots::ConservativeRoots):
2229         (JSC::ConservativeRoots::genericAddPointer):
2230         (JSC::ConservativeRoots::add):
2231         (JSC::CompositeMarkHook::CompositeMarkHook):
2232         (JSC::CompositeMarkHook::mark):
2233         * heap/ConservativeRoots.h:
2234         * heap/Heap.cpp:
2235         (JSC::Heap::markRoots):
2236         (JSC::Heap::visitHandleStack):
2237         (JSC::Heap::visitSamplingProfiler):
2238         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2239         * heap/Heap.h:
2240         (JSC::Heap::structureIDTable):
2241         (JSC::Heap::codeBlockSet):
2242         * heap/HeapInlines.h:
2243         (JSC::Heap::didFreeBlock):
2244         (JSC::Heap::isPointerGCObject):
2245         (JSC::Heap::isValueGCObject):
2246         * heap/MachineStackMarker.cpp:
2247         (pthreadSignalHandlerSuspendResume):
2248         (JSC::getCurrentPlatformThread):
2249         (JSC::MachineThreads::MachineThreads):
2250         (JSC::MachineThreads::~MachineThreads):
2251         (JSC::MachineThreads::Thread::createForCurrentThread):
2252         (JSC::MachineThreads::Thread::operator==):
2253         (JSC::isThreadInList):
2254         (JSC::MachineThreads::addCurrentThread):
2255         (JSC::MachineThreads::machineThreadForCurrentThread):
2256         (JSC::MachineThreads::removeThread):
2257         (JSC::MachineThreads::gatherFromCurrentThread):
2258         (JSC::MachineThreads::Thread::Thread):
2259         (JSC::MachineThreads::Thread::~Thread):
2260         (JSC::MachineThreads::Thread::suspend):
2261         (JSC::MachineThreads::Thread::resume):
2262         (JSC::MachineThreads::Thread::getRegisters):
2263         (JSC::MachineThreads::Thread::Registers::stackPointer):
2264         (JSC::MachineThreads::Thread::Registers::framePointer):
2265         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2266         (JSC::MachineThreads::Thread::freeRegisters):
2267         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
2268         (JSC::MachineThreads::Thread::operator!=): Deleted.
2269         * heap/MachineStackMarker.h:
2270         (JSC::MachineThreads::Thread::operator!=):
2271         (JSC::MachineThreads::getLock):
2272         (JSC::MachineThreads::threadsListHead):
2273         * heap/MarkedBlockSet.h:
2274         * heap/MarkedSpace.cpp:
2275         (JSC::Free::Free):
2276         (JSC::Free::operator()):
2277         (JSC::FreeOrShrink::FreeOrShrink):
2278         (JSC::FreeOrShrink::operator()):
2279         * interpreter/CallFrame.h:
2280         (JSC::ExecState::calleeAsValue):
2281         (JSC::ExecState::callee):
2282         (JSC::ExecState::unsafeCallee):
2283         (JSC::ExecState::codeBlock):
2284         (JSC::ExecState::scope):
2285         * jit/ExecutableAllocator.cpp:
2286         (JSC::ExecutableAllocator::dumpProfile):
2287         (JSC::ExecutableAllocator::getLock):
2288         (JSC::ExecutableAllocator::isValidExecutableMemory):
2289         * jit/ExecutableAllocator.h:
2290         * jit/ExecutableAllocatorFixedVMPool.cpp:
2291         (JSC::ExecutableAllocator::allocate):
2292         (JSC::ExecutableAllocator::isValidExecutableMemory):
2293         (JSC::ExecutableAllocator::getLock):
2294         (JSC::ExecutableAllocator::committedByteCount):
2295         * jsc.cpp:
2296         (GlobalObject::finishCreation):
2297         (functionCheckModuleSyntax):
2298         (functionPlatformSupportsSamplingProfiler):
2299         (functionStartSamplingProfiler):
2300         (functionSamplingProfilerStackTraces):
2301         * llint/LLIntPCRanges.h: Added.
2302         (JSC::LLInt::isLLIntPC):
2303         * offlineasm/asm.rb:
2304         * runtime/Executable.h:
2305         (JSC::ExecutableBase::isModuleProgramExecutable):
2306         (JSC::ExecutableBase::isExecutableType):
2307         (JSC::ExecutableBase::isHostFunction):
2308         * runtime/JSLock.cpp:
2309         (JSC::JSLock::didAcquireLock):
2310         (JSC::JSLock::unlock):
2311         * runtime/Options.h:
2312         * runtime/SamplingProfiler.cpp: Added.
2313         (JSC::reportStats):
2314         (JSC::FrameWalker::FrameWalker):
2315         (JSC::FrameWalker::walk):
2316         (JSC::FrameWalker::wasValidWalk):
2317         (JSC::FrameWalker::advanceToParentFrame):
2318         (JSC::FrameWalker::isAtTop):
2319         (JSC::FrameWalker::resetAtMachineFrame):
2320         (JSC::FrameWalker::isValidFramePointer):
2321         (JSC::FrameWalker::isValidCodeBlock):
2322         (JSC::SamplingProfiler::SamplingProfiler):
2323         (JSC::SamplingProfiler::~SamplingProfiler):
2324         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2325         (JSC::SamplingProfiler::visit):
2326         (JSC::SamplingProfiler::shutdown):
2327         (JSC::SamplingProfiler::start):
2328         (JSC::SamplingProfiler::stop):
2329         (JSC::SamplingProfiler::pause):
2330         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2331         (JSC::SamplingProfiler::dispatchIfNecessary):
2332         (JSC::SamplingProfiler::dispatchFunction):
2333         (JSC::SamplingProfiler::noticeJSLockAcquisition):
2334         (JSC::SamplingProfiler::noticeVMEntry):
2335         (JSC::SamplingProfiler::clearData):
2336         (JSC::displayName):
2337         (JSC::SamplingProfiler::stacktracesAsJSON):
2338         (WTF::printInternal):
2339         * runtime/SamplingProfiler.h: Added.
2340         (JSC::SamplingProfiler::StackFrame::StackFrame):
2341         (JSC::SamplingProfiler::getLock):
2342         (JSC::SamplingProfiler::setTimingInterval):
2343         (JSC::SamplingProfiler::stackTraces):
2344         * runtime/VM.cpp:
2345         (JSC::VM::VM):
2346         (JSC::VM::~VM):
2347         (JSC::VM::setLastStackTop):
2348         (JSC::VM::createContextGroup):
2349         (JSC::VM::ensureWatchdog):
2350         (JSC::VM::ensureSamplingProfiler):
2351         (JSC::thunkGeneratorForIntrinsic):
2352         * runtime/VM.h:
2353         (JSC::VM::watchdog):
2354         (JSC::VM::samplingProfiler):
2355         (JSC::VM::isSafeToRecurse):
2356         (JSC::VM::lastStackTop):
2357         (JSC::VM::scratchBufferForSize):
2358         (JSC::VM::setLastStackTop): Deleted.
2359         * runtime/VMEntryScope.cpp:
2360         (JSC::VMEntryScope::VMEntryScope):
2361         * tests/stress/sampling-profiler: Added.
2362         * tests/stress/sampling-profiler-anonymous-function.js: Added.
2363         (platformSupportsSamplingProfiler.foo):
2364         (platformSupportsSamplingProfiler.baz):
2365         (platformSupportsSamplingProfiler):
2366         * tests/stress/sampling-profiler-basic.js: Added.
2367         (platformSupportsSamplingProfiler.bar):
2368         (platformSupportsSamplingProfiler.foo):
2369         (platformSupportsSamplingProfiler.nothing):
2370         (platformSupportsSamplingProfiler.top):
2371         (platformSupportsSamplingProfiler.jaz):
2372         (platformSupportsSamplingProfiler.kaz):
2373         (platformSupportsSamplingProfiler.checkInlining):
2374         (platformSupportsSamplingProfiler):
2375         * tests/stress/sampling-profiler-deep-stack.js: Added.
2376         (platformSupportsSamplingProfiler.foo):
2377         (platformSupportsSamplingProfiler.let.hellaDeep):
2378         (platformSupportsSamplingProfiler.let.start):
2379         (platformSupportsSamplingProfiler):
2380         * tests/stress/sampling-profiler-microtasks.js: Added.
2381         (platformSupportsSamplingProfiler.testResults):
2382         (platformSupportsSamplingProfiler):
2383         (platformSupportsSamplingProfiler.loop.jaz):
2384         (platformSupportsSamplingProfiler.loop):
2385         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
2386         (assert):
2387         (let.nodePrototype.makeChildIfNeeded):
2388         (makeNode):
2389         (updateCallingContextTree):
2390         (doesTreeHaveStackTrace):
2391         (makeTree):
2392         (runTest):
2393         (dumpTree):
2394         * yarr/YarrJIT.cpp:
2395         (JSC::Yarr::YarrGenerator::generateEnter):
2396         (JSC::Yarr::YarrGenerator::generateReturn):
2397         (JSC::Yarr::YarrGenerator::YarrGenerator):
2398         (JSC::Yarr::YarrGenerator::compile):
2399         (JSC::Yarr::jitCompile):
2400
2401 2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2402
2403         [JSC] Iterating over a Set/Map is too slow
2404         https://bugs.webkit.org/show_bug.cgi?id=152691
2405
2406         Reviewed by Saam Barati.
2407
2408         Set#forEach and Set & for-of are very slow. There are 2 reasons.
2409
2410         1. forEach is implemented in C++, and it typically takes a JS callback and calls it from C++.
2411
2412         The C++ to JS transition seems costly. The perf result on a Linux machine shows this.
2413
2414             Samples: 23K of event 'cycles', Event count (approx.): 21446074385
2415             34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
2416             20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
2417              9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
2418              7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
2419              5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f
2420
2421         Writing forEach in JS eliminates this.
2422
2423             Samples: 23K of event 'cycles', Event count (approx.): 21255691651
2424             62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
2425             24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
2426              0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
2427              0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
2428              0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
2429              0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
2430              0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)
2431
2432         2. Iterator result object allocation is costly.
2433
2434         Iterator result object allocation is costly. Even if (1) is solved, when executing Set & for-of, the perf result shows very slow performance due to (2).
2435
2436             Samples: 108K of event 'cycles', Event count (approx.): 95529273748
2437             18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
2438             15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
2439             14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
2440             13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
2441              6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const
2442
2443         In the long term, we should implement SetIterator#next in JS and write the iterator result object allocation in JS to encourage object allocation elimination in FTL.
2444         But looking at the perf result, we can find an easy-to-fix bottleneck in the current implementation.
2445         Every time, createIteratorResultObject creates an empty object and uses putDirect to store the properties.
2446         A pre-baked Structure* with `done` and `value` properties makes this implementation fast.
2447
2448         After these improvements, the micro benchmark[1] shows the following.
2449
2450         old:
2451             Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
2452             Array x 376,156 ops/sec ±0.20% (162 runs sampled)
2453             Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
2454             Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
2455             Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
2456             Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)
2457
2458         new:
2459             Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
2460             Array x 371,347 ops/sec ±0.36% (162 runs sampled)
2461             Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
2462             Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
2463             Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
2464             Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)
2465
2466         Set#forEach becomes comparable to Array#forEach. Set#forEach and Set & for-of are improved (1.79x and 2.57x).
2467         After these optimizations, they are still much slower than linked list and array.
2468         This should be optimized in the long term.
2469
2470         [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0
2471
2472         * CMakeLists.txt:
2473         * DerivedSources.make:
2474         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2475         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2476         * JavaScriptCore.xcodeproj/project.pbxproj:
2477         * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
2478         (forEach):
2479         * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
2480         (forEach):
2481         * runtime/CommonIdentifiers.h:
2482         * runtime/IteratorOperations.cpp:
2483         (JSC::createIteratorResultObjectStructure):
2484         (JSC::createIteratorResultObject):
2485         * runtime/IteratorOperations.h:
2486         * runtime/JSGlobalObject.cpp:
2487         (JSC::JSGlobalObject::init):
2488         (JSC::JSGlobalObject::visitChildren):
2489         * runtime/JSGlobalObject.h:
2490         (JSC::JSGlobalObject::iteratorResultObjectStructure):
2491         (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
2492         (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
2493         * runtime/MapPrototype.cpp:
2494         (JSC::MapPrototype::getOwnPropertySlot):
2495         (JSC::privateFuncIsMap):
2496         (JSC::privateFuncMapIterator):
2497         (JSC::privateFuncMapIteratorNext):
2498         (JSC::MapPrototype::finishCreation): Deleted.
2499         (JSC::mapProtoFuncForEach): Deleted.
2500         * runtime/MapPrototype.h:
2501         * runtime/SetPrototype.cpp:
2502         (JSC::SetPrototype::getOwnPropertySlot):
2503         (JSC::privateFuncIsSet):
2504         (JSC::privateFuncSetIterator):
2505         (JSC::privateFuncSetIteratorNext):
2506         (JSC::SetPrototype::finishCreation): Deleted.
2507         (JSC::setProtoFuncForEach): Deleted.
2508         * runtime/SetPrototype.h:
2509
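As an added example (not the builtins/SetPrototype.js and MapPrototype.js code this entry adds), here is the forEach-in-JavaScript approach written against the public values()/entries() iterators, with the iterator result object of the second bottleneck visible at each step; the names setForEach, mapForEach, visitedWithGrowth, visitedWithDeletion and mapEntriesAsStrings are assumptions.

```javascript
// Added example, not JSC's builtin forEach: Set#forEach and Map#forEach
// written in JavaScript on top of the iterator protocol. JSC's builtins use
// private @setIterator/@setIteratorNext helpers; the public values() and
// entries() iterators stand in for them here (assumption).
function setForEach(set, callback, thisArg) {
  if (!(set instanceof Set))
    throw new TypeError("Set.prototype.forEach requires that |this| be Set");
  if (typeof callback !== "function")
    throw new TypeError("Set.prototype.forEach callback must be a function");
  const iterator = set.values();
  for (;;) {
    // Each next() call hands back a fresh { value, done } iterator result
    // object: this is the allocation the entry's second bottleneck refers to.
    const result = iterator.next();
    if (result.done)
      break;
    // Set's callback receives the element twice (value and key) plus the set.
    callback.call(thisArg, result.value, result.value, set);
  }
}

function mapForEach(map, callback, thisArg) {
  if (!(map instanceof Map))
    throw new TypeError("Map.prototype.forEach requires that |this| be Map");
  if (typeof callback !== "function")
    throw new TypeError("Map.prototype.forEach callback must be a function");
  const iterator = map.entries();
  for (;;) {
    const result = iterator.next();
    if (result.done)
      break;
    const [key, value] = result.value;
    callback.call(thisArg, value, key, map);
  }
}

// Set iterators are live: entries added by the callback before the iterator
// is exhausted are still visited. Builds a set from `start`, lets the
// callback grow it up to `limit`, and returns the visiting order.
function visitedWithGrowth(start, limit) {
  const set = new Set([start]);
  const seen = [];
  setForEach(set, (value, key, s) => {
    seen.push(value);
    if (value < limit)
      s.add(value + 1);
  });
  return seen;
}

// Deleting a not-yet-visited entry from inside the callback skips it.
function visitedWithDeletion() {
  const set = new Set([1, 2, 3]);
  const seen = [];
  setForEach(set, (value, key, s) => {
    seen.push(value);
    if (value === 1)
      s.delete(2);
  });
  return seen;
}

// Map#forEach passes (value, key, map); thisArg is honoured via callback.call.
function mapEntriesAsStrings(map) {
  const out = [];
  mapForEach(map, function (value, key) {
    out.push(`${this.prefix}${key}=${value}`);
  }, { prefix: "m:" });
  return out;
}
```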
2510 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2511
2512         Unreviewed, fix ARM64 build.
2513
2514         * b3/air/AirOpcode.opcodes:
2515
2516 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2517
2518         B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
2519         https://bugs.webkit.org/show_bug.cgi?id=152955
2520
2521         Reviewed by Saam Barati.
2522
2523         This happens when we box an int32 and then immediately unbox it.
2524
2525         This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
2526         benchmark. It's neutral elsewhere.
2527
2528         * b3/B3ReduceStrength.cpp:
2529         * b3/testb3.cpp:
2530         (JSC::B3::testPowDoubleByIntegerLoop):
2531         (JSC::B3::testTruncOrHigh):
2532         (JSC::B3::testTruncOrLow):
2533         (JSC::B3::testBitAndOrHigh):
2534         (JSC::B3::testBitAndOrLow):
2535         (JSC::B3::zero):
2536         (JSC::B3::run):
2537
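As an added illustration (not the B3ReduceStrength.cpp change itself), a miniature expression tree with that rule and a reference evaluator that checks the rewrite is value-preserving on the int32 boxing pattern the entry mentions; the node constructors, the evaluator and the 0xffff000000000000 number tag are assumptions.

```javascript
// Added example, not B3's B3ReduceStrength.cpp: a miniature expression tree
// with the reduction this entry describes,
//   Trunc(BitOr(value, constant)) -> Trunc(value)   when !(constant & 0xffffffff)
// Trunc keeps only the low 32 bits of a 64-bit value, so OR-ed bits that live
// entirely in the high half cannot affect the result. 64-bit values are
// modelled with BigInt; node shapes and names are assumptions.
const MASK32 = 0xffffffffn;

const Const64 = (value) => ({ op: "Const64", value: BigInt.asUintN(64, value) });
const Var = (name) => ({ op: "Var", name });
const BitOr = (left, right) => ({ op: "BitOr", left, right });
const Trunc = (child) => ({ op: "Trunc", child });

// Returns the reduced node, or the original node when the rule does not apply.
function reduceTruncOfBitOr(node) {
  if (node.op !== "Trunc" || node.child.op !== "BitOr")
    return node;
  const { left, right } = node.child;
  // B3 canonicalizes constants to the right-hand operand; accept either side here.
  for (const [value, constant] of [[left, right], [right, left]]) {
    if (constant.op === "Const64" && (constant.value & MASK32) === 0n)
      return Trunc(value);
  }
  return node;
}

// Reference evaluator: Trunc is a signed int32 view of the low 32 bits.
function evaluate(node, env) {
  switch (node.op) {
    case "Const64": return node.value;
    case "Var": return BigInt.asUintN(64, env[node.name]);
    case "BitOr": return evaluate(node.left, env) | evaluate(node.right, env);
    case "Trunc": return BigInt.asIntN(32, evaluate(node.child, env));
    default: throw new Error(`unknown op ${node.op}`);
  }
}

// Checks the reduction against the evaluator on sample inputs for the
// variable `x`; returns true when original and reduced agree everywhere.
function reductionPreservesValue(node, samples) {
  const reduced = reduceTruncOfBitOr(node);
  return samples.every((x) => evaluate(node, { x }) === evaluate(reduced, { x }));
}

// The boxing case the entry mentions: JSC's 64-bit JSValue boxes an int32 by
// OR-ing in a number tag that lives entirely in the high 32 bits (the value
// 0xffff000000000000 is assumed here), and unboxing truncates it back.
const NUMBER_TAG = 0xffff000000000000n;
const boxThenUnbox = Trunc(BitOr(Var("x"), Const64(NUMBER_TAG)));
// A constant with any low bit set must not be reduced.
const notReducible = Trunc(BitOr(Var("x"), Const64(0x100000001n)));

const SAMPLES = [0n, 1n, -1n, 0x7fffffffn, 0x80000000n, 0x123456789n, -0x80000000n];
```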
2538 2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
2539
2540         [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
2541         https://bugs.webkit.org/show_bug.cgi?id=149855
2542
2543         Reviewed by Saam Barati.
2544
2545         JSArrowFunction.h/cpp were removed from JavaScriptCore, because a new approach is now used for storing
2546         'this', 'arguments' and 'super'.
2547
2548         * CMakeLists.txt:
2549         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2550         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2551         * JavaScriptCore.xcodeproj/project.pbxproj:
2552         * dfg/DFGAbstractInterpreterInlines.h:
2553         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2554         * dfg/DFGSpeculativeJIT.cpp:
2555         (JSC::DFG::SpeculativeJIT::compileNewFunction):
2556         * dfg/DFGStructureRegistrationPhase.cpp:
2557         (JSC::DFG::StructureRegistrationPhase::run):
2558         * ftl/FTLAbstractHeapRepository.cpp:
2559         * ftl/FTLAbstractHeapRepository.h:
2560         * ftl/FTLLowerDFGToLLVM.cpp:
2561         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2562         * interpreter/Interpreter.cpp:
2563         * interpreter/Interpreter.h:
2564         * jit/JITOpcodes.cpp:
2565         * jit/JITOpcodes32_64.cpp:
2566         * jit/JITOperations.cpp:
2567         * jit/JITOperations.h:
2568         * llint/LLIntOffsetsExtractor.cpp:
2569         * llint/LLIntSlowPaths.cpp:
2570         * runtime/JSArrowFunction.cpp: Removed.
2571         * runtime/JSArrowFunction.h: Removed.
2572         * runtime/JSGlobalObject.cpp:
2573         * runtime/JSGlobalObject.h:
2574
2575 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
2576
2577         It should be possible to run liveness over registers without also tracking Tmps
2578         https://bugs.webkit.org/show_bug.cgi?id=152963
2579
2580         Reviewed by Saam Barati.
2581
2582         This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
2583         easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
2584         code like that for handling cold function calls. It also makes code like that somewhat more
2585         scalable, since we're no longer using HashSets.
2586
2587         Currently, the way we track sets of registers is with a BitVector. Normally, we use the
2588         RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
2589         the liveness analysis, everything gets turned into an index. So, we want to use BitVector
2590         directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
2591         think that this is good, because the lack of set methods (add/remove/contains) has caused
2592         bugs in the past. This makes BitVector have methods both for set operations on bits and array
2593         operations on bits. I think that's good, since BitVector gets used in both contexts.
2594
2595         * b3/B3IndexSet.h:
2596         (JSC::B3::IndexSet::Iterable::iterator::iterator):
2597         (JSC::B3::IndexSet::Iterable::begin):
2598         (JSC::B3::IndexSet::dump):
2599         * b3/air/AirInstInlines.h:
2600         (JSC::B3::Air::ForEach<Tmp>::forEach):
2601         (JSC::B3::Air::ForEach<Arg>::forEach):
2602         (JSC::B3::Air::ForEach<Reg>::forEach):
2603         (JSC::B3::Air::Inst::forEach):
2604         * b3/air/AirLiveness.h:
2605         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
2606         (JSC::B3::Air::RegLivenessAdapter::maxIndex):
2607         (JSC::B3::Air::RegLivenessAdapter::acceptsType):
2608         (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
2609         (JSC::B3::Air::RegLivenessAdapter::indexToValue):
2610         * b3/air/AirReportUsedRegisters.cpp:
2611         (JSC::B3::Air::reportUsedRegisters):
2612         * jit/Reg.h:
2613         (JSC::Reg::next):
2614         (JSC::Reg::index):
2615         (JSC::Reg::maxIndex):
2616         (JSC::Reg::isSet):
2617         (JSC::Reg::operator bool):
2618         * jit/RegisterSet.h:
2619         (JSC::RegisterSet::forEach):
2620
2621 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
2622
2623         [JSC] Make branchMul functional in ARM B3 and minor fixes
2624         https://bugs.webkit.org/show_bug.cgi?id=152889
2625
2626         Reviewed by Mark Lam.
2627
2628         ARM64 does not have an "S" version of MUL that sets the flags.
2629         What we do is abstract that in the MacroAssembler. The problem
2630         is that this form requires scratch registers.
2631
2632         For simplicity, I just exposed the two scratch registers
2633         for Air. Filip already added the concept of a Scratch role;
2634         all I needed was to expose it for opcodes.
2635
2636         * assembler/MacroAssemblerARM64.h:
2637         (JSC::MacroAssemblerARM64::branchMul32):
2638         (JSC::MacroAssemblerARM64::branchMul64):
2639         Expose a version with the scratch registers as arguments.
2640
2641         * b3/B3LowerToAir.cpp:
2642         (JSC::B3::Air::LowerToAir::lower):
2643         Add the new form of CheckMul lowering.
2644
2645         * b3/air/AirOpcode.opcodes:
2646         Expose the new BranchMuls.
2647         Remove all the Test variants that use immediates
2648         since Air can't handle those immediates correctly yet.
2649
2650         * b3/air/opcode_generator.rb:
2651         Expose the Scratch role.
2652
2653         * b3/testb3.cpp:
2654         (JSC::B3::testPatchpointLotsOfLateAnys):
2655         Oops, the scratch registers were not clobbered. We were just lucky
2656         on x86.
2657
2658 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
2659
2660         [JSC] B3 is unable to do function calls on ARM64
2661         https://bugs.webkit.org/show_bug.cgi?id=152895
2662
2663         Reviewed by Mark Lam.
2664
2665         Apparently iOS does not follow the ARM64 ABI for function calls.
2666         Instead of giving each value an 8-byte slot, it must be packed
2667         while preserving alignment.
2668
2669         This patch adds a #ifdef to make function calls functional.
2670
2671         * b3/B3LowerToAir.cpp:
2672         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
2673         (JSC::B3::Air::LowerToAir::lower):
2674
2675 2016-01-09  Filip Pizlo  <fpizlo@apple.com>
2676
2677         Air should support Branch64 with immediates
2678         https://bugs.webkit.org/show_bug.cgi?id=152951
2679
2680         Reviewed by Oliver Hunt.
2681
2682         This doesn't significantly improve performance on any benchmarks, but it's great to get this
2683         obvious omission out of the way.
2684
2685         * assembler/MacroAssemblerX86_64.h:
2686         (JSC::MacroAssemblerX86_64::branch64):
2687         * b3/air/AirOpcode.opcodes:
2688         * b3/testb3.cpp:
2689         (JSC::B3::testPowDoubleByIntegerLoop):
2690         (JSC::B3::testBranch64Equal):
2691         (JSC::B3::testBranch64EqualImm):
2692         (JSC::B3::testBranch64EqualMem):
2693         (JSC::B3::testBranch64EqualMemImm):
2694         (JSC::B3::zero):
2695         (JSC::B3::run):
2696
2697 2016-01-09  Dan Bernstein  <mitz@apple.com>
2698
2699         [Cocoa] Allow overriding the frameworks directory independently of using a staging install path
2700         https://bugs.webkit.org/show_bug.cgi?id=152926
2701
2702         Reviewed by Tim Horton.
2703
2704         Introduce a new build setting, WK_OVERRIDE_FRAMEWORKS_DIR. When not empty, it determines
2705         where the frameworks are installed. Setting USE_STAGING_INSTALL_PATH to YES sets
2706         WK_OVERRIDE_FRAMEWORKS_DIR to $(SYSTEM_LIBRARY_DIR)/StagedFrameworks/Safari.
2707
2708         Account for the possibility of WK_OVERRIDE_FRAMEWORKS_DIR containing spaces.
2709
2710         * Configurations/Base.xcconfig:
2711         - Replace STAGED_FRAMEWORKS_SEARCH_PATH in FRAMEWORK_SEARCH_PATHS with
2712           WK_OVERRIDE_FRAMEWORKS_DIR and add quotes to account for spaces.
2713         - Define JAVASCRIPTCORE_FRAMEWORKS_DIR based on WK_OVERRIDE_FRAMEWORKS_DIR.
2714         * Configurations/JSC.xcconfig:
2715           Add quotes to account for spaces.
2716         * Configurations/ToolExecutable.xcconfig:
2717           Ditto.
2718         * postprocess-headers.sh:
2719           Ditto.
2720
2721 2016-01-09  Mark Lam  <mark.lam@apple.com>
2722
2723         The FTL allocated spill slots for BinaryOps is sometimes inaccurate.
2724         https://bugs.webkit.org/show_bug.cgi?id=152918
2725
2726         Reviewed by Filip Pizlo and Saam Barati.
2727
2728         * ftl/FTLCompile.cpp:
2729         - Updated a comment.
2730         * ftl/FTLLowerDFGToLLVM.cpp:
2731         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2732         - The code to compute maxNumberOfCatchSpills was unnecessarily allocating an
2733           extra slot for BinaryOps that don't have Untyped operands, and failing to
2734           allocate that extra slot for some binary ops.  This is now fixed.
2735
2736         * tests/stress/ftl-shr-exception.js:
2737         * tests/stress/ftl-xor-exception.js:
2738         - Un-skipped these tests.  They now pass with this patch.
2739
2740 2016-01-09  Andreas Kling  <akling@apple.com>
2741
2742         Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
2743         <https://webkit.org/b/152902>
2744
2745         Reviewed by Anders Carlsson.
2746
2747         Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.
2748
2749         * API/JSAPIWrapperObject.mm:
2750         (jsAPIWrapperObjectHandleOwner):
2751         * API/JSManagedValue.mm:
2752         (managedValueHandleOwner):
2753         * inspector/agents/InspectorDebuggerAgent.cpp:
2754         (Inspector::objectGroupForBreakpointAction):
2755         * jit/ExecutableAllocator.cpp:
2756         (JSC::DemandExecutableAllocator::allocators):
2757
2758 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2759
2760         FTL B3 should do varargs tail calls and stack overflows
2761         https://bugs.webkit.org/show_bug.cgi?id=152934
2762
2763         Reviewed by Saam Barati.
2764
2765         I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
2766         at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
2767         why I have two fixes in one change. Now the test passes.
2768
2769         This reduces the number of failures from 13 to 0.
2770
2771         * ftl/FTLLowerDFGToLLVM.cpp:
2772         (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
2773         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
2774         append an Oops (i.e. "unreachable").
2775
2776 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2777
2778         B3 needs Neg()
2779         https://bugs.webkit.org/show_bug.cgi?id=152925
2780
2781         Reviewed by Mark Lam.
2782
2783         Previously we said that negation should be represented as Sub(0, x). That's wrong, since
2784         for floats, Sub(0, 0) == 0 while Neg(0) == -0.
2785
2786         One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
2787         should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
2788         to use bitops to represent floating point operations. Whatever cuteness this would have
2789         bought us would be outweighed by the annoyance of having to write code that matches
2790         Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
2791         would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
2792         Also, I suspect that the omission of Neg would cause others to make the mistake of using
2793         Sub to represent floating point negation.
2794
2795         So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
2796         negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
2797         floats, we lower it to BitXor(x, -0) on x86.
2798
2799         This reduces the number of failures from 13 to 12.
2800
2801         * assembler/MacroAssemblerX86Common.h:
2802         (JSC::MacroAssemblerX86Common::andFloat):
2803         (JSC::MacroAssemblerX86Common::xorDouble):
2804         (JSC::MacroAssemblerX86Common::xorFloat):
2805         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
2806         * b3/B3LowerMacrosAfterOptimizations.cpp:
2807         * b3/B3LowerToAir.cpp:
2808         (JSC::B3::Air::LowerToAir::lower):
2809         * b3/B3Opcode.cpp:
2810         (WTF::printInternal):
2811         * b3/B3Opcode.h:
2812         * b3/B3ReduceStrength.cpp:
2813         * b3/B3Validate.cpp:
2814         * b3/B3Value.cpp:
2815         (JSC::B3::Value::effects):
2816         (JSC::B3::Value::key):
2817         (JSC::B3::Value::typeFor):
2818         * b3/air/AirOpcode.opcodes:
2819         * ftl/FTLB3Output.cpp:
2820         (JSC::FTL::Output::lockedStackSlot):
2821         (JSC::FTL::Output::neg):
2822         (JSC::FTL::Output::bitNot):
2823         * ftl/FTLB3Output.h:
2824         (JSC::FTL::Output::chillDiv):
2825         (JSC::FTL::Output::mod):
2826         (JSC::FTL::Output::chillMod):
2827         (JSC::FTL::Output::doubleAdd):
2828         (JSC::FTL::Output::doubleSub):
2829         (JSC::FTL::Output::doubleMul):
2830         (JSC::FTL::Output::doubleDiv):
2831         (JSC::FTL::Output::doubleMod):
2832         (JSC::FTL::Output::doubleNeg):
2833         (JSC::FTL::Output::bitAnd):
2834         (JSC::FTL::Output::bitOr):
2835         (JSC::FTL::Output::neg): Deleted.
2836         * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
2837         it's such a glaring bug, I thought having a test for it specifically would be good.
2838
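The sign-of-zero point above, as an added example that is not WebKit code: integer Sub(0, x) really is Neg(x), but for doubles 0.0 - (+0.0) yields +0.0, while the BitXor(x, -0) lowering flips only the sign bit and produces -0.0. The helper names are mine; `0x8000000000000000` is the IEEE 754 bit pattern of -0.0.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Integer negation written as Sub(0, x). In two's complement this is exactly
 * Neg(x), which is why B3 can canonicalize Sub(0, x) to Neg(x) for ints.
 * Unsigned arithmetic avoids signed-overflow UB for INT32_MIN. */
static int32_t int_neg_via_sub(int32_t x)
{
    return (int32_t)(0u - (uint32_t)x);
}

/* Floating-point "negation" written as Sub(0, x). IEEE 754 defines
 * 0.0 - 0.0 as +0.0 (round-to-nearest), so the sign of zero is lost:
 * this is not a negation. */
static double double_neg_via_sub(double x)
{
    return 0.0 - x;
}

/* Floating-point negation as B3 lowers it on x86: BitXor(x, -0.0).
 * -0.0 has only the sign bit set, so the xor flips exactly that bit. */
static double double_neg_via_xor(double x)
{
    const uint64_t signBitMask = UINT64_C(0x8000000000000000); /* bit pattern of -0.0 */
    uint64_t bits;
    memcpy(&bits, &x, sizeof bits);
    bits ^= signBitMask;
    memcpy(&x, &bits, sizeof x);
    return x;
}

/* Bitwise comparison: unlike ==, this distinguishes +0.0 from -0.0. */
static int sameBits(double a, double b)
{
    return memcmp(&a, &b, sizeof a) == 0;
}

int main(void)
{
    double subZero = double_neg_via_sub(0.0);   /* +0.0: the bug */
    double xorZero = double_neg_via_xor(0.0);   /* -0.0: correct */
    printf("Sub(0, +0.0)      -> %s0.0\n", sameBits(subZero, -0.0) ? "-" : "+");
    printf("BitXor(+0.0, -0)  -> %s0.0\n", sameBits(xorZero, -0.0) ? "-" : "+");
    /* The difference is observable: 1/+0.0 is +inf, 1/-0.0 is -inf. */
    printf("1/Sub(0,+0.0) = %f, 1/Neg(+0.0) = %f\n", 1.0 / subZero, 1.0 / xorZero);
    return 0;
}
```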
2839 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2840
2841         FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
2842         https://bugs.webkit.org/show_bug.cgi?id=152922
2843
2844         Reviewed by Saam Barati.
2845
2846         FTL B3 was generating a handler table that first contained the old baseline handlers keyed
2847         by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
2848         wrong, since the FTL code block should not contain any baseline handlers. The fix is to
2849         clear the handlers before generation, sort of like FTL LLVM does.
2850
2851         Also added some stuff to make it easier to inspect the handler table.
2852
2853         This reduces the number of failures from 25 to 13.
2854
2855         * bytecode/CodeBlock.cpp:
2856         (JSC::CodeBlock::dumpBytecode):
2857         (JSC::CodeBlock::dumpExceptionHandlers):
2858         (JSC::CodeBlock::beginDumpProfiling):
2859         * bytecode/CodeBlock.h:
2860         * ftl/FTLB3Compile.cpp:
2861         (JSC::FTL::compile):
2862
2863 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2864
2865         B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
2866         https://bugs.webkit.org/show_bug.cgi?id=152916
2867
2868         Reviewed by Mark Lam.
2869
2870         This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!
2871
2872         This reduces the number of failures from 27 to 25.
2873
2874         * b3/B3ReduceStrength.cpp:
2875
2876 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2877
2878         FTL B3 allocateCell() should not crash
2879         https://bugs.webkit.org/show_bug.cgi?id=152909
2880
2881         Reviewed by Mark Lam.
2882
2883         This code was crashing in some tests that forced GC slow paths because it was stubbed out
2884         due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
2885         undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
2886         any LLVM optimizations by using undef.
2887
2888         This reduces the number of failures from 35 to 27.
2889
2890         * ftl/FTLLowerDFGToLLVM.cpp:
2891         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2892
2893 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
2894
2895         FTL B3 fails to realize that binary snippets might choose to omit their fast path
2896         https://bugs.webkit.org/show_bug.cgi?id=152901
2897
2898         Reviewed by Mark Lam.
2899
2900         This reduces the number of failures from 99 to 35.
2901
2902         * ftl/FTLLowerDFGToLLVM.cpp:
2903         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2904
2905 2016-01-08  Saam barati  <sbarati@apple.com>
2906
2907         restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register
2908         https://bugs.webkit.org/show_bug.cgi?id=152879
2909
2910         Reviewed by Filip Pizlo.
2911
2912         We were clobbering a register we needed when picking
2913         a scratch register inside an FTL OSR Exit.
2914
2915         * dfg/DFGThunks.cpp:
2916         (JSC::DFG::osrEntryThunkGenerator):
2917         * jit/AssemblyHelpers.cpp:
2918         (JSC::AssemblyHelpers::emitRandomThunk):
2919         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
2920         * jit/AssemblyHelpers.h:
2921         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
2922         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
2923         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
2924         (foo):
2925
2926 2016-01-08  Mark Lam  <mark.lam@apple.com>
2927
2928         Rolling out: Rename StringFromCharCode to StringFromSingleCharCode.
2929         https://bugs.webkit.org/show_bug.cgi?id=152897
2930
2931         Not reviewed.
2932
2933         * dfg/DFGAbstractInterpreterInlines.h:
2934         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2935         * dfg/DFGByteCodeParser.cpp:
2936         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2937         * dfg/DFGClobberize.h:
2938         (JSC::DFG::clobberize):
2939         * dfg/DFGDoesGC.cpp:
2940         (JSC::DFG::doesGC):
2941         * dfg/DFGFixupPhase.cpp:
2942         (JSC::DFG::FixupPhase::fixupNode):
2943         * dfg/DFGNodeType.h:
2944         * dfg/DFGOperations.cpp:
2945         * dfg/DFGOperations.h:
2946         * dfg/DFGPredictionPropagationPhase.cpp:
2947         (JSC::DFG::PredictionPropagationPhase::propagate):
2948         * dfg/DFGSafeToExecute.h:
2949         (JSC::DFG::safeToExecute):
2950         * dfg/DFGSpeculativeJIT.cpp:
2951         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
2952         * dfg/DFGSpeculativeJIT32_64.cpp:
2953         (JSC::DFG::SpeculativeJIT::compile):
2954         * dfg/DFGSpeculativeJIT64.cpp:
2955         (JSC::DFG::SpeculativeJIT::compile):
2956         * runtime/StringConstructor.cpp:
2957         (JSC::stringFromCharCode):
2958         (JSC::stringFromSingleCharCode): Deleted.
2959         * runtime/StringConstructor.h:
2960
2961 2016-01-08  Per Arne Vollan  <peavo@outlook.com>
2962
2963         [JSC] Use std::call_once instead of pthread_once when initializing LLVM.
2964         https://bugs.webkit.org/show_bug.cgi?id=152893
2965
2966         Reviewed by Mark Lam.
2967
2968         Use std::call_once since pthreads is not present on all platforms.
2969
2970         * llvm/InitializeLLVM.cpp:
2971         (JSC::initializeLLVMImpl):
2972         (JSC::initializeLLVM):
2973
2974 2016-01-08  Mark Lam  <mark.lam@apple.com>
2975
2976         Rename StringFromCharCode to StringFromSingleCharCode.
2977         https://bugs.webkit.org/show_bug.cgi?id=152897
2978
2979         Reviewed by Daniel Bates.
2980
2981         StringFromSingleCharCode is a better name because the intrinsic it represents
2982         only applies when we are converting from a single char code.  This is purely
2983         a refactoring patch.  There is no semantic change.
2984
2985         * dfg/DFGAbstractInterpreterInlines.h:
2986         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2987         * dfg/DFGByteCodeParser.cpp:
2988         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2989         * dfg/DFGClobberize.h:
2990         (JSC::DFG::clobberize):
2991         * dfg/DFGDoesGC.cpp:
2992         (JSC::DFG::doesGC):
2993         * dfg/DFGFixupPhase.cpp:
2994         (JSC::DFG::FixupPhase::fixupNode):
2995         * dfg/DFGNodeType.h:
2996         * dfg/DFGOperations.cpp:
2997         * dfg/DFGOperations.h:
2998         * dfg/DFGPredictionPropagationPhase.cpp:
2999         (JSC::DFG::PredictionPropagationPhase::propagate):
3000         * dfg/DFGSafeToExecute.h:
3001         (JSC::DFG::safeToExecute):
3002         * dfg/DFGSpeculativeJIT.cpp:
3003         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
3004         * dfg/DFGSpeculativeJIT32_64.cpp:
3005         (JSC::DFG::SpeculativeJIT::compile):
3006         * dfg/DFGSpeculativeJIT64.cpp:
3007         (JSC::DFG::SpeculativeJIT::compile):
3008         * runtime/StringConstructor.cpp:
3009         (JSC::stringFromCharCode):
3010         (JSC::stringFromSingleCharCode):
3011         * runtime/StringConstructor.h:
3012
3013 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
3014
3015         [mips] Fixed unused parameter warnings
3016         https://bugs.webkit.org/show_bug.cgi?id=152885
3017
3018         Reviewed by Mark Lam.
3019
3020         * jit/CCallHelpers.h:
3021         (JSC::CCallHelpers::setupArgumentsWithExecState):
3022
3023 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
3024
3025         [mips] Max value of immediate arg of logical ops is 0xffff
3026         https://bugs.webkit.org/show_bug.cgi?id=152884
3027
3028         Reviewed by Michael Saboff.
3029
3030         Replaced imm.m_value < 65535 checks with imm.m_value <= 65535
3031
3032         * assembler/MacroAssemblerMIPS.h:
3033         (JSC::MacroAssemblerMIPS::and32):
3034         (JSC::MacroAssemblerMIPS::or32):
3035
3036 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
3037
3038         [mips] Add new or32 implementation after r194613
3039         https://bugs.webkit.org/show_bug.cgi?id=152865
3040
3041         Reviewed by Michael Saboff.
3042
3043         * assembler/MacroAssemblerMIPS.h:
3044         (JSC::MacroAssemblerMIPS::or32):
3045
3046 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3047
3048         FTL B3 lazy slow paths should do exceptions
3049         https://bugs.webkit.org/show_bug.cgi?id=152853
3050
3051         Reviewed by Saam Barati.
3052
3053         This reduces the number of JSC test failures to 97.
3054
3055         * ftl/FTLLowerDFGToLLVM.cpp:
3056         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3057         * tests/stress/ftl-new-negative-array-size.js: Added.
3058         (foo):
3059
3060 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3061
3062         Unreviewed, skip more tests that fail.
3063
3064         * tests/stress/ftl-shr-exception.js:
3065         (foo):
3066         * tests/stress/ftl-xor-exception.js:
3067         (foo):
3068
3069 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3070
3071         FTL B3 binary snippets should do exceptions
3072         https://bugs.webkit.org/show_bug.cgi?id=152852
3073
3074         Reviewed by Saam Barati.
3075
3076         This reduces the number of JSC test failures to 110.
3077
3078         * ftl/FTLLowerDFGToLLVM.cpp:
3079         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
3080         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
3081         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
3082         * tests/stress/ftl-shr-exception.js: Added.
3083         (foo):
3084         (result.foo.valueOf):
3085         * tests/stress/ftl-sub-exception.js: Added.
3086         (foo):
3087         (result.foo.valueOf):
3088         * tests/stress/ftl-xor-exception.js: Added.
3089         (foo):
3090         (result.foo.valueOf):
3091
3092 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3093
3094         Unreviewed, skipping this test. Looks like LLVM can't handle this one, either.
3095
3096         * tests/stress/ftl-call-varargs-bad-args-exception-interesting-live-state.js:
3097         (foo):
3098
3099 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3100
3101         Unreviewed, skipping this test. Looks like LLVM can't handle it.
3102
3103         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
3104         (foo):
3105
3106 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3107
3108         FTL B3 JS calls should do exceptions
3109         https://bugs.webkit.org/show_bug.cgi?id=152851
3110
3111         Reviewed by Geoffrey Garen.
3112
3113         This reduces the number of JSC test failures with FTL B3 to 111.
3114
3115         * dfg/DFGSpeculativeJIT64.cpp:
3116         (JSC::DFG::SpeculativeJIT::emitCall):
3117         * ftl/FTLLowerDFGToLLVM.cpp:
3118         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
3119         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
3120         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
3121         * tests/stress/ftl-call-bad-args-exception-interesting-live-state.js: Added.
3122         * tests/stress/ftl-call-bad-callee-exception-interesting-live-state.js: Added.
3123         * tests/stress/ftl-call-exception-interesting-live-state.js: Added.
3124         * tests/stress/ftl-call-exception-no-catch.js: Added.
3125         * tests/stress/ftl-call-exception.js: Added.
3126         * tests/stress/ftl-call-varargs-bad-callee-exception-interesting-live-state.js: Added.
3127         * tests/stress/ftl-call-varargs-exception-interesting-live-state.js: Added.
3128         * tests/stress/ftl-call-varargs-exception-no-catch.js: Added.
3129         * tests/stress/ftl-call-varargs-exception.js: Added.
3130
3131 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3132
3133         FTL B3 PutById should do exceptions
3134         https://bugs.webkit.org/show_bug.cgi?id=152850
3135
3136         Reviewed by Saam Barati.
3137
3138         Implemented PutById exception handling by following the idiom used in GetById. Reduces the
3139         number of JSC test failures to 128.
3140
3141         * ftl/FTLLowerDFGToLLVM.cpp:
3142         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
3143         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js: Added.
3144         * tests/stress/ftl-put-by-id-setter-exception-no-catch.js: Added.
3145         * tests/stress/ftl-put-by-id-setter-exception.js: Added.
3146         * tests/stress/ftl-put-by-id-slow-exception-interesting-live-state.js: Added.
3147         * tests/stress/ftl-put-by-id-slow-exception-no-catch.js: Added.
3148         * tests/stress/ftl-put-by-id-slow-exception.js: Added.
3149
3150 2016-01-07  Commit Queue  <commit-queue@webkit.org>
3151
3152         Unreviewed, rolling out r194714.
3153         https://bugs.webkit.org/show_bug.cgi?id=152864
3154
3155         it broke many JSC tests when FTL B3 is enabled (Requested by
3156         pizlo on #webkit).
3157
3158         Reverted changeset:
3159
3160         "[JSC] When resolving Stack arguments, use addressing from SP
3161         when addressing from FP is invalid"
3162         https://bugs.webkit.org/show_bug.cgi?id=152840
3163         http://trac.webkit.org/changeset/194714
3164
3165 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3166
3167         [mips] Lower immediates of logical operations.
3168         https://bugs.webkit.org/show_bug.cgi?id=152693
3169
3170         On MIPS immediate operands of andi, ori, and xori are required to be 16-bit
3171         non-negative numbers.
3172
3173         Reviewed by Michael Saboff.
3174
3175         * offlineasm/mips.rb:
3176
3177 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
3178
3179         [JSC] Update testCheckSubBadImm() for ARM64
3180         https://bugs.webkit.org/show_bug.cgi?id=152846
3181
3182         Reviewed by Mark Lam.
3183
3184         * b3/testb3.cpp:
3185         (JSC::B3::testCheckSubBadImm):
3186         The test was assuming the constant can always be used
3187         as immediate. That's obviously not the case on ARM64.
3188
3189 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
3190
3191         FTL B3 getById() should do exceptions
3192         https://bugs.webkit.org/show_bug.cgi?id=152810
3193
3194         Reviewed by Saam Barati.
3195
3196         This adds abstractions for doing exceptions from patchpoints, and uses them to implement
3197         exceptions from GetById. This covers all of the following ways that a GetById might throw an
3198         exception:
3199
3200         - Throw without try/catch from the vmCall() in a GetById(Untyped:)
3201         - Throw with try/catch from the vmCall() in a GetById(Untyped:)
3202         - Throw without try/catch from the callOperation() in the patchpoint of a GetById
3203         - Throw with try/catch from the callOperation() in the patchpoint of a GetById
3204         - Throw without try/catch from the Call IC generated in the patchpoint of a GetById
3205         - Throw with try/catch from the Call IC generated in the patchpoint of a GetById
3206
3207         This requires having a default exception target in FTL-generated code, and ensuring that this
3208         target is generated regardless of whether we have branches to the B3 basic block of the
3209         default exception target. This also requires adding some extra arguments to a
3210         PatchpointValue, and then knowing that the arguments are used for OSR exit and not anything
3211         else. This also requires associating the CallSiteIndex of the patchpoint with the register
3212         set used for exit and with the OSR exit label for the unwind exit.
3213
3214         All of the stuff that you have to worry about when wiring a patchpoint to exception handling
3215         is covered by the new PatchpointExceptionHandle object. You create one by calling
3216         preparePatchpointForExceptions(). This sets up the B3 IR representation of the patchpoint
3217         with stackmap arguments for the exceptional exit, and creates a PatchpointExceptionHandle
3218         object that can be used to create zero or more actual OSR exits. It can create both OSR exits
3219         for operation calls and OSR exits for unwind. You call the
3220         PatchpointExceptionHandle::scheduleExitCreationXXX() methods from the generator callback to
3221         actually get OSR exits.
3222
3223         This API makes heavy use of Box<>, late paths, and link tasks. For example, you can use the
3224         PatchpointExceptionHandle to get a Box<JumpList> that you can append exception jumps to. When
3225         you use this API, it automatically registers a link task that will link the JumpList to the
3226         actual OSR exit label.
3227
3228         This API is very flexible about how you get to the label of the OSR exit. You are encouraged
3229         to use the Box<JumpList> approach, but if you really just need the label, you can also get
3230         a RefPtr<ExceptionTarget> and rely on the fact that the ExceptionTarget object will be able
3231         to vend you the OSR exit label at link-time.
3232
3233         This reduces the number of JSC test failures with FTL B3 from 186 to 133. It also adds a
3234         bunch of new tests specifically for all of the ways you might throw from GetById, and B3
3235         passes all of these new tests. Note that I'm not counting the new tests as part of the
3236         previous 186 test failures (FTL B3 failed all of the new tests prior to this change).
3237
3238         After this change, it should be easy to make all of the other patchpoints also handle
3239         exceptions by just following the preparePatchpointForExceptions() idiom.
3240
3241         * CMakeLists.txt:
3242         * JavaScriptCore.xcodeproj/project.pbxproj:
3243         * b3/B3StackmapValue.h:
3244         * b3/B3ValueRep.cpp:
3245         (JSC::B3::ValueRep::addUsedRegistersTo):
3246         (JSC::B3::ValueRep::usedRegisters):
3247         (JSC::B3::ValueRep::dump):
3248         * b3/B3ValueRep.h:
3249         (JSC::B3::ValueRep::doubleValue):
3250         (JSC::B3::ValueRep::withOffset):
3251         (JSC::B3::ValueRep::usedRegisters):
3252         * ftl/FTLB3Compile.cpp:
3253         (JSC::FTL::compile):
3254         * ftl/FTLB3Output.h:
3255         (JSC::FTL::Output::unreachable):
3256         (JSC::FTL::Output::speculate):
3257         * ftl/FTLExceptionTarget.cpp: Added.
3258         (JSC::FTL::ExceptionTarget::~ExceptionTarget):
3259         (JSC::FTL::ExceptionTarget::label):
3260         (JSC::FTL::ExceptionTarget::jumps):
3261         (JSC::FTL::ExceptionTarget::ExceptionTarget):
3262         * ftl/FTLExceptionTarget.h: Added.
3263         * ftl/FTLJITCode.cpp:
3264         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3265         * ftl/FTLLowerDFGToLLVM.cpp:
3266         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
3267         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
3268         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
3269         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
3270         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
3271         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
3272         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
3273         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
3274         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
3275         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
3276         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
3277         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
3278         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
3279         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
3280         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
3281         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
3282         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
3283         * ftl/FTLPatchpointExceptionHandle.cpp: Added.
3284         (JSC::FTL::PatchpointExceptionHandle::create):
3285         (JSC::FTL::PatchpointExceptionHandle::defaultHandle):
3286         (JSC::FTL::PatchpointExceptionHandle::~PatchpointExceptionHandle):
3287         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreation):
3288         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
3289         (JSC::FTL::PatchpointExceptionHandle::PatchpointExceptionHandle):
3290         (JSC::FTL::PatchpointExceptionHandle::createHandle):
3291         * ftl/FTLPatchpointExceptionHandle.h: Added.
3292         * ftl/FTLState.cpp:
3293         * ftl/FTLState.h:
3294         (JSC::FTL::verboseCompilationEnabled):
3295         * tests/stress/ftl-get-by-id-getter-exception-interesting-live-state.js: Added.
3296         * tests/stress/ftl-get-by-id-getter-exception-no-catch.js: Added.
3297         * tests/stress/ftl-get-by-id-getter-exception.js: Added.
3298         * tests/stress/ftl-get-by-id-slow-exception-interesting-live-state.js: Added.
3299         * tests/stress/ftl-get-by-id-slow-exception-no-catch.js: Added.
3300         * tests/stress/ftl-get-by-id-slow-exception.js: Added.
3301         * tests/stress/ftl-operation-exception-interesting-live-state.js: Added.
3302         * tests/stress/ftl-operation-exception-no-catch.js: Added.
3303
3304 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3305
3306         [mips] Implemented missing branch patching methods.
3307         https://bugs.webkit.org/show_bug.cgi?id=152845
3308
3309         Reviewed by Michael Saboff.
3310
3311         * assembler/MacroAssemblerMIPS.h:
3312         (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranch32WithPatch):
3313         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
3314         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
3315
3316 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
3317
3318         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
3319         https://bugs.webkit.org/show_bug.cgi?id=152840
3320
3321         Reviewed by Mark Lam.
3322
3323         ARM64 has two kinds of addressing with immediates:
3324         - Signed 9-bit direct (really only -256 to 255).
3325         - Unsigned 12-bit scaled by the load/store size.
3326
3327         When resolving the stack addresses, we easily run
3328         past -256 bytes from FP. Addressing from SP gives us more
3329         room to address the stack efficiently because we can
3330         use unsigned immediates.
3331
3332         * b3/B3StackmapSpecial.cpp:
3333         (JSC::B3::StackmapSpecial::repForArg):
3334         * b3/air/AirAllocateStack.cpp:
3335         (JSC::B3::Air::allocateStack):
3336
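The two ARM64 immediate forms described above, as an added example that is not WebKit code: the classifier below decides which form (if any) encodes a byte offset, and shows how a slot that is out of the signed 9-bit range from FP can still be reached with an unsigned scaled immediate from SP. The helper names are mine, and the model of SP == FP - frameSize is an assumption that ignores how Air actually lays out the frame.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Which immediate addressing form an ARM64 load/store can use for a byte offset. */
enum Arm64ImmediateForm {
    Arm64Imm_None = 0,             /* address must be materialized in a scratch register */
    Arm64Imm_Signed9Unscaled = 1,  /* LDUR/STUR: -256 .. 255, any access size */
    Arm64Imm_Unsigned12Scaled = 2  /* LDR/STR: 0 .. 4095 * accessSize, multiple of accessSize */
};

static enum Arm64ImmediateForm arm64ImmediateForm(int64_t offset, unsigned accessSize)
{
    /* Unsigned 12-bit field scaled by the access size: only non-negative,
     * suitably aligned offsets qualify, but the reach is large. */
    if (offset >= 0 && offset % accessSize == 0 && offset / accessSize <= 4095)
        return Arm64Imm_Unsigned12Scaled;
    /* Signed 9-bit unscaled field: the only form that can go below the base. */
    if (offset >= -256 && offset <= 255)
        return Arm64Imm_Signed9Unscaled;
    return Arm64Imm_None;
}

/* Assumed frame model: stack slots live at negative offsets from FP, and
 * SP == FP - frameSize, so the same slot is at a non-negative offset from SP. */
static int64_t spOffsetForFpOffset(int64_t fpOffset, int64_t frameSize)
{
    return frameSize + fpOffset;
}

/* True when a slot is not encodable from FP but is encodable from SP,
 * i.e. the situation the SP-relative addressing fallback is for. */
static bool spRescuesSlot(int64_t fpOffset, int64_t frameSize, unsigned accessSize)
{
    enum Arm64ImmediateForm fromFp = arm64ImmediateForm(fpOffset, accessSize);
    enum Arm64ImmediateForm fromSp =
        arm64ImmediateForm(spOffsetForFpOffset(fpOffset, frameSize), accessSize);
    return fromFp == Arm64Imm_None && fromSp != Arm64Imm_None;
}

int main(void)
{
    /* Constructed 8-byte slots in a constructed 1024-byte frame. */
    const int64_t frameSize = 1024;
    const int64_t slots[] = { -8, -256, -264, -1000 };
    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; ++i) {
        int64_t fp = slots[i];
        printf("FP%+lld: fromFP=%d fromSP(+%lld)=%d rescued=%d\n",
            (long long)fp, (int)arm64ImmediateForm(fp, 8),
            (long long)spOffsetForFpOffset(fp, frameSize),
            (int)arm64ImmediateForm(spOffsetForFpOffset(fp, frameSize), 8),
            (int)spRescuesSlot(fp, frameSize, 8));
    }
    return 0;
}
```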
3337 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3338
3339         [mips] Make repatchCall public to fix compilation.
3340         https://bugs.webkit.org/show_bug.cgi?id=152843
3341
3342         Reviewed by Michael Saboff.
3343
3344         * assembler/MacroAssemblerMIPS.h:
3345         (JSC::MacroAssemblerMIPS::repatchCall):
3346         (JSC::MacroAssemblerMIPS::linkCall): Deleted.
3347
3348 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
3349
3350         [mips] Replaced subi with addi in getHostCallReturnValue
3351         https://bugs.webkit.org/show_bug.cgi?id=152841
3352
3353         Reviewed by Michael Saboff.
3354
3355         The MIPS architecture does not have a subi instruction; addi with a negative
3356         number should be used instead.
3357
3358         * jit/JITOperations.cpp:
3359
3360 2016-01-07  Mark Lam  <mark.lam@apple.com>
3361
3362         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
3363         https://bugs.webkit.org/show_bug.cgi?id=152833
3364
3365         Reviewed by Michael Saboff.
3366
3367         Follow-up patch to fix illegal use of memoryTempRegister as the src for ARM64's
3368         store32.
3369
3370         * assembler/MacroAssemblerARM64.h:
3371         (JSC::MacroAssemblerARM64::or32):
3372         (JSC::MacroAssemblerARM64::store):