[ES6] Arrow function. Some unused bytecode is emitted
1 2016-03-01  Skachkov Oleksandr  <gskachkov@gmail.com>
2
3         [ES6] Arrow function. Some unused bytecode is emitted
4         https://bugs.webkit.org/show_bug.cgi?id=154639
5
6         Reviewed by Saam Barati.
7
8         Currently the bytecode that is generated for an arrow function is not optimal.
9         The current fix removes the following unnecessary bytecode:
10         1. create_lexical_environment is not always emitted for an arrow function, only if some of the
11         features (this/super/arguments/eval) are used inside the arrow function.
12         2. Loading 'this' from the arrow function scope in a constructor is done only if super
13         is contained in the arrow function.
14
15         * bytecompiler/BytecodeGenerator.cpp:
16         (JSC::BytecodeGenerator::BytecodeGenerator):
17         (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
18         * bytecompiler/BytecodeGenerator.h:
19         * bytecompiler/NodesCodegen.cpp:
20         (JSC::ThisNode::emitBytecode):
21         (JSC::FunctionNode::emitBytecode):
22         * parser/Nodes.h:
23         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseAnyFeature):
24         * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
25
26 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
27
28         Turn String.prototype.replace into an intrinsic
29         https://bugs.webkit.org/show_bug.cgi?id=154835
30
31         Reviewed by Michael Saboff.
32
33         Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
34         of checks to see if the parameters are what they are likely to often be (a string, a
35         regexp, and a string). The intuition of this patch is that it's good to remove those checks
36         and it's good to call the native function as directly as possible.
37
38         This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
39         It also improves Octane/jquery.
40
41         This is only the beginning of what I want to do with replace optimizations. The other
42         optimizations will rely on StringReplace being revealed as a construct in DFG IR.
43
44         * JavaScriptCore.xcodeproj/project.pbxproj:
45         * bytecode/SpeculatedType.cpp:
46         (JSC::dumpSpeculation):
47         (JSC::speculationToAbbreviatedString):
48         (JSC::speculationFromClassInfo):
49         * bytecode/SpeculatedType.h:
50         (JSC::isStringOrStringObjectSpeculation):
51         (JSC::isRegExpObjectSpeculation):
52         (JSC::isBoolInt32Speculation):
53         * dfg/DFGAbstractInterpreterInlines.h:
54         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
55         * dfg/DFGByteCodeParser.cpp:
56         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
57         * dfg/DFGClobberize.h:
58         (JSC::DFG::clobberize):
59         * dfg/DFGDoesGC.cpp:
60         (JSC::DFG::doesGC):
61         * dfg/DFGFixupPhase.cpp:
62         (JSC::DFG::FixupPhase::fixupNode):
63         * dfg/DFGNode.h:
64         (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
65         (JSC::DFG::Node::shouldSpeculateRegExpObject):
66         (JSC::DFG::Node::shouldSpeculateSymbol):
67         * dfg/DFGNodeType.h:
68         * dfg/DFGPredictionPropagationPhase.cpp:
69         (JSC::DFG::PredictionPropagationPhase::propagate):
70         * dfg/DFGSafeToExecute.h:
71         (JSC::DFG::SafeToExecuteEdge::operator()):
72         (JSC::DFG::safeToExecute):
73         * dfg/DFGSpeculativeJIT.cpp:
74         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
75         (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
76         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
77         (JSC::DFG::SpeculativeJIT::speculate):
78         * dfg/DFGSpeculativeJIT.h:
79         * dfg/DFGSpeculativeJIT32_64.cpp:
80         (JSC::DFG::SpeculativeJIT::compile):
81         * dfg/DFGSpeculativeJIT64.cpp:
82         (JSC::DFG::SpeculativeJIT::compile):
83         * dfg/DFGUseKind.cpp:
84         (WTF::printInternal):
85         * dfg/DFGUseKind.h:
86         (JSC::DFG::typeFilterFor):
87         (JSC::DFG::isCell):
88         * ftl/FTLCapabilities.cpp:
89         (JSC::FTL::canCompile):
90         * ftl/FTLLowerDFGToB3.cpp:
91         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
92         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
93         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
94         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
95         (JSC::FTL::DFG::LowerDFGToB3::speculate):
96         (JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
97         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
98         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
99         * jit/JITOperations.h:
100         * runtime/Intrinsic.h:
101         * runtime/JSType.h:
102         * runtime/RegExpObject.h:
103         (JSC::RegExpObject::createStructure):
104         * runtime/StringPrototype.cpp:
105         (JSC::StringPrototype::finishCreation):
106         (JSC::removeUsingRegExpSearch):
107         (JSC::replaceUsingRegExpSearch):
108         (JSC::operationStringProtoFuncReplaceRegExpString):
109         (JSC::replaceUsingStringSearch):
110         (JSC::stringProtoFuncRepeat):
111         (JSC::replace):
112         (JSC::stringProtoFuncReplace):
113         (JSC::operationStringProtoFuncReplaceGeneric):
114         (JSC::stringProtoFuncToString):
115         * runtime/StringPrototype.h:
116
117 2016-03-01  Commit Queue  <commit-queue@webkit.org>
118
119         Unreviewed, rolling out r197056.
120         https://bugs.webkit.org/show_bug.cgi?id=154870
121
122         broke win ews (Requested by alexchristensen on #webkit).
123
124         Reverted changeset:
125
126         "[cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK."
127         https://bugs.webkit.org/show_bug.cgi?id=154651
128         http://trac.webkit.org/changeset/197056
129
130 2016-02-29  Saam barati  <sbarati@apple.com>
131
132         [[PreventExtensions]] should be a virtual method in the method table.
133         https://bugs.webkit.org/show_bug.cgi?id=154800
134
135         Reviewed by Yusuke Suzuki.
136
137         This patch makes us more consistent with how the ES6 specification models the
138         [[PreventExtensions]] trap. Moving this method into ClassInfo::methodTable 
139         is a prerequisite for implementing Proxy.[[PreventExtensions]].
140
141         * runtime/ClassInfo.h:
142         * runtime/JSCell.cpp:
143         (JSC::JSCell::getGenericPropertyNames):
144         (JSC::JSCell::preventExtensions):
145         * runtime/JSCell.h:
146         * runtime/JSModuleNamespaceObject.cpp:
147         (JSC::JSModuleNamespaceObject::JSModuleNamespaceObject):
148         (JSC::JSModuleNamespaceObject::finishCreation):
149         (JSC::JSModuleNamespaceObject::destroy):
150         * runtime/JSModuleNamespaceObject.h:
151         (JSC::JSModuleNamespaceObject::create):
152         (JSC::JSModuleNamespaceObject::moduleRecord):
153         * runtime/JSObject.cpp:
154         (JSC::JSObject::freeze):
155         (JSC::JSObject::preventExtensions):
156         (JSC::JSObject::reifyAllStaticProperties):
157         * runtime/JSObject.h:
158         (JSC::JSObject::isSealed):
159         (JSC::JSObject::isFrozen):
160         (JSC::JSObject::isExtensible):
161         * runtime/ObjectConstructor.cpp:
162         (JSC::objectConstructorSeal):
163         (JSC::objectConstructorFreeze):
164         (JSC::objectConstructorPreventExtensions):
165         (JSC::objectConstructorIsSealed):
166         * runtime/ReflectObject.cpp:
167         (JSC::reflectObjectPreventExtensions):
168         * runtime/Structure.cpp:
169         (JSC::Structure::Structure):
170         (JSC::Structure::preventExtensionsTransition):
171         * runtime/Structure.h:
172
173 2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>
174
175         [JSC] Private symbols should not be trapped by proxy handler
176         https://bugs.webkit.org/show_bug.cgi?id=154817
177
178         Reviewed by Mark Lam.
179
180         Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
181         For example, in ArrayIteratorPrototype.js
182
183             var itemKind = this.@arrayIterationKind;
184             if (itemKind === @undefined)
185                 throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");
186
187         Here, we assume that only the array iterator has the @arrayIterationKind property whose value is non-undefined.
188         But if we implement a Proxy with a get handler that returns a non-undefined value for every operation, we accidentally assume that the given value is an array iterator.
189
190         To avoid this situation, we perform the default operations for property operations with private symbols.
191
192         * runtime/ProxyObject.cpp:
193         (JSC::performProxyGet):
194         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
195         (JSC::ProxyObject::performHasProperty):
196         (JSC::ProxyObject::performPut):
197         (JSC::ProxyObject::performDelete):
198         (JSC::ProxyObject::deleteProperty):
199         (JSC::ProxyObject::deletePropertyByIndex):
200         * tests/stress/proxy-basic.js:
201         * tests/stress/proxy-with-private-symbols.js: Added.
202         (assert):
203         (let.handler.getOwnPropertyDescriptor):
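
        The spoofing problem this entry guards against, shown from user-level JavaScript as an added example that is not part of the ChangeLog or of JSC's sources. Private symbols are not reachable from script, so the example uses an ordinary property for the "is the property non-undefined" brand check the entry describes, and a WeakSet registry (an assumption of this example, not JSC's mechanism) as the analogue of a check that property traps cannot intercept. The iterator shape and the impostor proxy are constructed for the example.

```javascript
// Added example (not JSC code): a brand check that only tests whether a
// property is non-undefined is fooled by a Proxy whose get trap answers every
// lookup. A WeakSet brand is not reachable through property traps.

const iterators = new WeakSet(); // hypothetical private brand registry

function makeArrayIterator(array) {
  const it = { array, index: 0, iterationKind: "value" };
  iterators.add(it);
  return it;
}

// Weak check: mirrors the pattern quoted in the ChangeLog entry.
function nextWeak(self) {
  if (self.iterationKind === undefined)
    throw new TypeError("not an Array Iterator");
  return self.array[self.index++];
}

// Strong check: WeakSet membership cannot be spoofed by a get trap.
function nextStrong(self) {
  if (!iterators.has(self))
    throw new TypeError("not an Array Iterator");
  return self.array[self.index++];
}

// Constructed impostor: a proxy that claims a value for every property,
// including the one the weak check relies on.
const impostor = new Proxy({}, { get: () => 42 });

// Reports whether a check lets a value through or rejects it with TypeError.
function classify(check, value) {
  try {
    check(value);
    return "accepted";
  } catch (e) {
    return e instanceof TypeError ? "rejected" : "error:" + e.message;
  }
}
```

Running `classify(nextWeak, impostor)` yields "accepted" because every property read on the proxy returns 42, while `classify(nextStrong, impostor)` yields "rejected"; a real iterator passes both checks. The engine-side fix in this entry achieves the same effect for private symbols by bypassing the proxy handler entirely.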
204
205 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
206
207         regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
208         https://bugs.webkit.org/show_bug.cgi?id=154841
209
210         Reviewed by Benjamin Poulain.
211
212         Here's the deadlock:
213
214         Main thread:
215             1) Change an InferredType.  This acquires InferredType::m_lock.
216             2) Fire watchpoint set.  This triggers CodeBlock invalidation, which acquires
217                CodeBlock::m_lock.
218
219         DFG thread:
220             1) Iterate over the information in a CodeBlock.  This acquires CodeBlock::m_lock.
221             2) Ask an InferredType for its descriptor().  This acquires InferredType::m_lock.
222
223         I think that the DFG thread's ordering should be legal, because the best logic for lock
224         hierarchies is that locks that protect the largest set of stuff should be acquired first.
225
226         This means that the main thread shouldn't be holding the InferredType::m_lock when firing
227         watchpoint sets.  That's what this patch ensures.
228
229         At the time of writing, this test was deadlocking for me on trunk 100% of the time.  With
230         this change I cannot get it to deadlock.
231
232         * runtime/InferredType.cpp:
233         (JSC::InferredType::willStoreValueSlow):
234         (JSC::InferredType::makeTopSlow):
235         (JSC::InferredType::set):
236         (JSC::InferredType::removeStructure):
237         (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
238         * runtime/InferredType.h:
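
        An added example, not JSC code, that checks the lock-hierarchy argument above mechanically: each thread's trace is reduced to "held A while acquiring B" edges, and a cycle in that graph is a potential deadlock. The traces are constructed for the example to mirror the two orderings in the entry, before and after the main thread stops holding InferredType::m_lock while firing watchpoints; the lock names are used as plain labels.

```javascript
// Added example (not JSC code): a tiny lock-order checker in the spirit of a
// lockdep. Traces are lists of acquire/release events per thread.

function lockOrderEdges(traces) {
  const edges = new Map(); // held lock -> Set of locks acquired while it is held
  for (const trace of Object.values(traces)) {
    const held = [];
    for (const ev of trace) {
      if (ev.op === "acquire") {
        for (const h of held) {
          if (!edges.has(h)) edges.set(h, new Set());
          edges.get(h).add(ev.lock);
        }
        held.push(ev.lock);
      } else {
        const idx = held.lastIndexOf(ev.lock);
        if (idx >= 0) held.splice(idx, 1);
      }
    }
  }
  return edges;
}

// DFS over the order graph; returns the first cycle as a list of locks, or null.
function findCycle(edges) {
  const WHITE = 0, GRAY = 1, BLACK = 2;
  const color = new Map();
  const stack = [];
  function visit(node) {
    color.set(node, GRAY);
    stack.push(node);
    for (const next of edges.get(node) || []) {
      const c = color.get(next) || WHITE;
      if (c === GRAY) return stack.slice(stack.indexOf(next)).concat(next);
      if (c === WHITE) {
        const r = visit(next);
        if (r) return r;
      }
    }
    stack.pop();
    color.set(node, BLACK);
    return null;
  }
  for (const node of edges.keys()) {
    if ((color.get(node) || WHITE) === WHITE) {
      const r = visit(node);
      if (r) return r;
    }
  }
  return null;
}

// Constructed traces modelling the deadlock before the fix.
const before = {
  main: [
    { op: "acquire", lock: "InferredType::m_lock" },
    { op: "acquire", lock: "CodeBlock::m_lock" },    // watchpoint fires with InferredType lock held
    { op: "release", lock: "CodeBlock::m_lock" },
    { op: "release", lock: "InferredType::m_lock" },
  ],
  dfg: [
    { op: "acquire", lock: "CodeBlock::m_lock" },
    { op: "acquire", lock: "InferredType::m_lock" }, // descriptor() takes the InferredType lock
    { op: "release", lock: "InferredType::m_lock" },
    { op: "release", lock: "CodeBlock::m_lock" },
  ],
};

// After the fix: the main thread drops InferredType::m_lock before firing.
const after = {
  main: [
    { op: "acquire", lock: "InferredType::m_lock" },
    { op: "release", lock: "InferredType::m_lock" },
    { op: "acquire", lock: "CodeBlock::m_lock" },
    { op: "release", lock: "CodeBlock::m_lock" },
  ],
  dfg: before.dfg,
};
```

`findCycle(lockOrderEdges(before))` returns the two-lock cycle; `findCycle(lockOrderEdges(after))` returns null, because the only remaining edge is CodeBlock::m_lock before InferredType::m_lock, which is the "larger scope first" order the entry argues for.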
239
240 2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>
241
242         [DFG][FTL][B3] Support floor and ceil
243         https://bugs.webkit.org/show_bug.cgi?id=154683
244
245         Reviewed by Filip Pizlo.
246
247         This patch implements and fixes the following things.
248
249         1. Implement Ceil and Floor in DFG, FTL and B3
250
251         x86 SSE 4.2 and ARM64 have round instructions that can directly perform Ceil or Floor.
252         This patch leverages this functionality. We introduce ArithFloor and ArithCeil.
253         During the DFG phases, these nodes attempt to convert themselves to Identity (in the Fixup phase).
254         As with ArithRound, they track the arith rounding mode.
255         And if these nodes are required to emit machine code, we emit rounding machine code
256         if it is supported on the current machine. For example, on x86, we emit `round`.
257
258         This `Floor` functionality is nice for @toInteger in builtin.
259         That is used for Array.prototype.{forEach, map, every, some, reduce...}
260         And according to the benchmark results, Kraken audio-oscillator is slightly improved
261         due to its frequent Math.round and Math.floor calls.
262
263         2. Implement Floor in B3 and Air
264
265         As with Ceil in B3, we add a new B3 IR and Air opcode, Floor.
266         This Floor is leveraged to implement ArithFloor in DFG.
267
268         3. Fix ArithRound operation
269
270         Currently, we use cvtsd2si (on x86) to convert a double value to int32.
271         And we also use this to implement Math.round, like cvtsd2si(value + 0.5).
272         However, this implementation is not correct, because cvtsd2si is not a floor operation.
273         It is a truncate operation. This is OK for positive numbers, but not for negative numbers.
274         For example, the current implementation accidentally rounds `-0.6` to `-0.0`. This should be `-1.0`.
275         Using Ceil and Floor instructions, we implement correct ArithRound.
276
277         * assembler/MacroAssemblerARM.h:
278         (JSC::MacroAssemblerARM::supportsFloatingPointRounding):
279         (JSC::MacroAssemblerARM::ceilDouble):
280         (JSC::MacroAssemblerARM::floorDouble):
281         (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Deleted.
282         * assembler/MacroAssemblerARM64.h:
283         (JSC::MacroAssemblerARM64::supportsFloatingPointRounding):
284         (JSC::MacroAssemblerARM64::floorFloat):
285         (JSC::MacroAssemblerARM64::supportsFloatingPointCeil): Deleted.
286         * assembler/MacroAssemblerARMv7.h:
287         (JSC::MacroAssemblerARMv7::supportsFloatingPointRounding):
288         (JSC::MacroAssemblerARMv7::ceilDouble):
289         (JSC::MacroAssemblerARMv7::floorDouble):
290         (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil): Deleted.
291         * assembler/MacroAssemblerMIPS.h:
292         (JSC::MacroAssemblerMIPS::ceilDouble):
293         (JSC::MacroAssemblerMIPS::floorDouble):
294         (JSC::MacroAssemblerMIPS::supportsFloatingPointRounding):
295         (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil): Deleted.
296         * assembler/MacroAssemblerSH4.h:
297         (JSC::MacroAssemblerSH4::supportsFloatingPointRounding):
298         (JSC::MacroAssemblerSH4::ceilDouble):
299         (JSC::MacroAssemblerSH4::floorDouble):
300         (JSC::MacroAssemblerSH4::supportsFloatingPointCeil): Deleted.
301         * assembler/MacroAssemblerX86Common.h:
302         (JSC::MacroAssemblerX86Common::floorDouble):
303         (JSC::MacroAssemblerX86Common::floorFloat):
304         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
305         (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil): Deleted.
306         * b3/B3ConstDoubleValue.cpp:
307         (JSC::B3::ConstDoubleValue::floorConstant):
308         * b3/B3ConstDoubleValue.h:
309         * b3/B3ConstFloatValue.cpp:
310         (JSC::B3::ConstFloatValue::floorConstant):
311         * b3/B3ConstFloatValue.h:
312         * b3/B3LowerMacrosAfterOptimizations.cpp:
313         * b3/B3LowerToAir.cpp:
314         (JSC::B3::Air::LowerToAir::lower):
315         * b3/B3Opcode.cpp:
316         (WTF::printInternal):
317         * b3/B3Opcode.h:
318         * b3/B3ReduceDoubleToFloat.cpp:
319         * b3/B3ReduceStrength.cpp:
320         * b3/B3Validate.cpp:
321         * b3/B3Value.cpp:
322         (JSC::B3::Value::floorConstant):
323         (JSC::B3::Value::isRounded):
324         (JSC::B3::Value::effects):
325         (JSC::B3::Value::key):
326         (JSC::B3::Value::typeFor):
327         * b3/B3Value.h:
328         * b3/air/AirFixPartialRegisterStalls.cpp:
329         * b3/air/AirOpcode.opcodes:
330         * b3/testb3.cpp:
331         (JSC::B3::testFloorCeilArg):
332         (JSC::B3::testFloorArg):
333         (JSC::B3::testFloorImm):
334         (JSC::B3::testFloorMem):
335         (JSC::B3::testFloorFloorArg):
336         (JSC::B3::testCeilFloorArg):
337         (JSC::B3::testFloorIToD64):
338         (JSC::B3::testFloorIToD32):
339         (JSC::B3::testFloorArgWithUselessDoubleConversion):
340         (JSC::B3::testFloorArgWithEffectfulDoubleConversion):
341         (JSC::B3::run):
342         * dfg/DFGAbstractInterpreterInlines.h:
343         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
344         * dfg/DFGArithMode.cpp:
345         (WTF::printInternal):
346         * dfg/DFGArithMode.h:
347         * dfg/DFGByteCodeParser.cpp:
348         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
349         * dfg/DFGClobberize.h:
350         (JSC::DFG::clobberize):
351         * dfg/DFGDoesGC.cpp:
352         (JSC::DFG::doesGC):
353         * dfg/DFGFixupPhase.cpp:
354         (JSC::DFG::FixupPhase::fixupNode):
355         * dfg/DFGGraph.cpp:
356         (JSC::DFG::Graph::dump):
357         * dfg/DFGGraph.h:
358         (JSC::DFG::Graph::roundShouldSpeculateInt32):
359         * dfg/DFGNode.h:
360         (JSC::DFG::Node::arithNodeFlags):
361         (JSC::DFG::Node::hasHeapPrediction):
362         (JSC::DFG::Node::hasArithRoundingMode):
363         * dfg/DFGNodeType.h:
364         * dfg/DFGPredictionPropagationPhase.cpp:
365         (JSC::DFG::PredictionPropagationPhase::propagate):
366         * dfg/DFGSafeToExecute.h:
367         (JSC::DFG::safeToExecute):
368         * dfg/DFGSpeculativeJIT.cpp:
369         (JSC::DFG::SpeculativeJIT::compileArithRounding):
370         (JSC::DFG::SpeculativeJIT::compileArithRound): Deleted.
371         * dfg/DFGSpeculativeJIT.h:
372         * dfg/DFGSpeculativeJIT32_64.cpp:
373         (JSC::DFG::SpeculativeJIT::compile):
374         * dfg/DFGSpeculativeJIT64.cpp:
375         (JSC::DFG::SpeculativeJIT::compile):
376         * ftl/FTLCapabilities.cpp:
377         (JSC::FTL::canCompile):
378         * ftl/FTLLowerDFGToB3.cpp:
379         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
380         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
381         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
382         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
383         * ftl/FTLOutput.h:
384         (JSC::FTL::Output::doubleFloor):
385         * jit/ThunkGenerators.cpp:
386         (JSC::ceilThunkGenerator):
387         * tests/stress/math-ceil-arith-rounding-mode.js: Added.
388         (firstCareAboutZeroSecondDoesNot):
389         (firstDoNotCareAboutZeroSecondDoes):
390         (warmup):
391         (verifyNegativeZeroIsPreserved):
392         * tests/stress/math-ceil-basics.js: Added.
393         (mathCeilOnIntegers):
394         (mathCeilOnDoubles):
395         (mathCeilOnBooleans):
396         (uselessMathCeil):
397         (mathCeilWithOverflow):
398         (mathCeilConsumedAsDouble):
399         (mathCeilDoesNotCareAboutMinusZero):
400         (mathCeilNoArguments):
401         (mathCeilTooManyArguments):
402         (testMathCeilOnConstants):
403         (mathCeilStructTransition):
404         (Math.ceil):
405         * tests/stress/math-floor-arith-rounding-mode.js: Added.
406         (firstCareAboutZeroSecondDoesNot):
407         (firstDoNotCareAboutZeroSecondDoes):
408         (warmup):
409         (verifyNegativeZeroIsPreserved):
410         * tests/stress/math-floor-basics.js: Added.
411         (mathFloorOnIntegers):
412         (mathFloorOnDoubles):
413         (mathFloorOnBooleans):
414         (uselessMathFloor):
415         (mathFloorWithOverflow):
416         (mathFloorConsumedAsDouble):
417         (mathFloorDoesNotCareAboutMinusZero):
418         (mathFloorNoArguments):
419         (mathFloorTooManyArguments):
420         (testMathFloorOnConstants):
421         (mathFloorStructTransition):
422         (Math.floor):
423         * tests/stress/math-round-should-not-use-truncate.js: Added.
424         (mathRoundDoesNotCareAboutMinusZero):
425         * tests/stress/math-rounding-infinity.js: Added.
426         (shouldBe):
427         (testRound):
428         (testFloor):
429         (testCeil):
430         * tests/stress/math-rounding-nan.js: Added.
431         (shouldBe):
432         (testRound):
433         (testFloor):
434         (testCeil):
435         * tests/stress/math-rounding-negative-zero.js: Added.
436         (shouldBe):
437         (testRound):
438         (testFloor):
439         (testCeil):
440         (testRoundNonNegativeZero):
441         (testRoundNonNegativeZero2):
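
        The truncation bug from point 3, as an added example in JavaScript rather than JSC's own lowering: truncRound models the old ArithRound with Math.trunc standing in for cvtsd2si, and specRound builds Math.round from floor the way ES2015 specifies it, including the -0 result for -0.5 <= x < 0 and the halfway-toward-+Infinity rule. The sample inputs are constructed for the example.

```javascript
// Added example (not JSC code): why truncation-based rounding is wrong.

function truncRound(x) {
  // Math.trunc stands in for cvtsd2si: it rounds toward zero, so the
  // "+ 0.5 then truncate" trick only works for non-negative inputs.
  return Math.trunc(x + 0.5);
}

function specRound(x) {
  if (!Number.isFinite(x)) return x;          // NaN and +/-Infinity pass through
  let r = Math.floor(x);
  if (x - r >= 0.5) r += 1;                   // halfway cases go toward +Infinity
  // -0.5 <= x < 0 (and -0 itself) round to -0, not +0.
  if (r === 0 && (x < 0 || Object.is(x, -0))) return -0;
  return r;
}

// Inputs where the truncating version disagrees with the engine's Math.round;
// Object.is distinguishes -0 from +0.
function disagreements(samples) {
  return samples.filter((x) => !Object.is(truncRound(x), Math.round(x)));
}

// True when the floor-based version matches the engine on every sample.
function specMatchesEngine(samples) {
  return samples.every((x) => Object.is(specRound(x), Math.round(x)));
}
```

For the entry's own case, truncRound(-0.6) is -0 while specRound(-0.6) is -1; the subtracting form `x - floor(x) >= 0.5` is used instead of `floor(x + 0.5)` so that 0.49999999999999994 still rounds to 0 rather than being pushed to 1 by the addition.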
442
443 2016-02-29  Joseph Pecoraro  <pecoraro@apple.com>
444
445         Add new MethodTable method to get an estimated size for a cell
446         https://bugs.webkit.org/show_bug.cgi?id=154838
447
448         Reviewed by Filip Pizlo.
449
450         The new class method estimatedSize(JSCell*) estimates the size for a single cell.
451         As the name implies, this is meant to be an approximation. It is more important
452         that big objects report a large size than to get perfect size information for
453         all objects in the heap.
454
455             Base implementation (JSCell):
456               - returns the MarkedBlock bucket size for this cell.
457               - This gets us the object size including inline storage. Basically a better sizeof.
458
459             Subclasses with "Extra Memory Cost":
460               - Any class that reports extra memory (reportExtraMemoryVisited) should include that in the estimated size.
461               - E.g. CodeBlock, JSGenericTypedArrayView, WeakMapData, etc.
462
463             Subclasses with "Copied Space" storage:
464               - Any class with data in copied space (copyBackingStore) should include that in the estimated size.
465               - E.g. JSObject, JSGenericTypedArrayView, JSMap, JSSet, DirectArguments, etc.
466
467         Add reportExtraMemoryVisited for UnlinkedCodeBlock's compressed unlinked
468         instructions because this can be larger than 1kb, which is significant.
469
470         This has one special case for RegExp generated bytecode / JIT code, which
471         does not currently fall into the extra memory cost or copied space storage.
472         In practice I haven't seen this grow to a significant cost.
473
474         * runtime/ClassInfo.h:
475         Add the new estimatedSize method to the table.
476
477         * bytecode/UnlinkedCodeBlock.cpp:
478         (JSC::UnlinkedCodeBlock::visitChildren):
479         (JSC::UnlinkedCodeBlock::estimatedSize):
480         (JSC::UnlinkedCodeBlock::setInstructions):
481         * bytecode/UnlinkedCodeBlock.h:
482         Report an extra memory cost for unlinked code blocks like
483         we do for linked code blocks.
484
485         * bytecode/CodeBlock.cpp:
486         (JSC::CodeBlock::estimatedSize):
487         * bytecode/CodeBlock.h:
488         * bytecode/UnlinkedInstructionStream.cpp:
489         (JSC::UnlinkedInstructionStream::sizeInBytes):
490         * bytecode/UnlinkedInstructionStream.h:
491         * runtime/DirectArguments.cpp:
492         (JSC::DirectArguments::estimatedSize):
493         * runtime/DirectArguments.h:
494         * runtime/JSCell.cpp:
495         (JSC::JSCell::estimatedSizeInBytes):
496         (JSC::JSCell::estimatedSize):
497         * runtime/JSCell.h:
498         * runtime/JSGenericTypedArrayView.h:
499         * runtime/JSGenericTypedArrayViewInlines.h:
500         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
501         * runtime/JSMap.cpp:
502         (JSC::JSMap::estimatedSize):
503         * runtime/JSMap.h:
504         * runtime/JSObject.cpp:
505         (JSC::JSObject::visitButterfly):
506         * runtime/JSObject.h:
507         * runtime/JSSet.cpp:
508         (JSC::JSSet::estimatedSize):
509         * runtime/JSSet.h:
510         * runtime/JSString.cpp:
511         (JSC::JSString::estimatedSize):
512         * runtime/JSString.h:
513         * runtime/MapData.h:
514         (JSC::MapDataImpl::capacityInBytes):
515         * runtime/WeakMapData.cpp:
516         (JSC::WeakMapData::estimatedSize):
517         (JSC::WeakMapData::visitChildren):
518         * runtime/WeakMapData.h:
519         Implement estimated size following the pattern of reporting
520         extra visited size, or copy space memory.
521
522         * runtime/RegExp.cpp:
523         (JSC::RegExp::estimatedSize):
524         * runtime/RegExp.h:
525         * yarr/YarrInterpreter.h:
526         (JSC::Yarr::ByteDisjunction::estimatedSizeInBytes):
527         (JSC::Yarr::BytecodePattern::estimatedSizeInBytes):
528         * yarr/YarrJIT.h:
529         (JSC::Yarr::YarrCodeBlock::size):
530         Include generated bytecode / JIT code in a RegExp's size.
531
532 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
533
534         SpeculatedType should be easier to edit
535         https://bugs.webkit.org/show_bug.cgi?id=154840
536
537         Reviewed by Mark Lam.
538
539         We used to specify the bitmasks in SpeculatedType.h using hex codes. This used to work
540         great because we didn't have so many masks and you could use the mask to visually see
541         which ones overlapped. It also made it easy to visualize subset relationships.
542
543         But now we have a lot of masks with a lot of confusing overlaps, and it's no longer
544         possible to just see their relationship by looking at hex codes. Worse, the use of hex
545         codes makes it super annoying to move the bits around. For example, right now we have two
546         bits free, but if we wanted to reclaim them by editing the old hex masks, it would be a
547         nightmare.
548
549         So this patch replaces the hex masks with shift expressions (1u << 15 for example) and it
550         makes any derived masks (i.e. masks that are the bit-or of other masks) be expressed using
551         an or expression (SpecFoo | SpecBar | SpecBaz for example).
552
553         This makes it easier to see the relationships and it makes it easier to take bits for new
554         types.
555
556         * bytecode/SpeculatedType.h:
557
558 2016-02-29  Keith Miller  <keith_miller@apple.com>
559
560         OverridesHasInstance constant folding is wrong
561         https://bugs.webkit.org/show_bug.cgi?id=154833
562
563         Reviewed by Filip Pizlo.
564
565         The current implementation of OverridesHasInstance constant folding
566         is incorrect. Since it relies on OSR exit information it has been
567         moved to the StrengthReductionPhase. Normally, such an optimization would be
568         put in FixupPhase, however, there are a number of cases where we don't
569         determine an edge of OverridesHasInstance is a constant until after fixup.
570         Performing the optimization during StrengthReductionPhase means we can defer
571         our decision until later.
572
573         In the future we should consider creating a version of this optimization
574         that does not depend on OSR exit information and move the optimization back
575         to ConstantFoldingPhase.
576
577         * dfg/DFGConstantFoldingPhase.cpp:
578         (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
579         * dfg/DFGStrengthReductionPhase.cpp:
580         (JSC::DFG::StrengthReductionPhase::handleNode):
581
582 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
583
584         B3 should have global store elimination
585         https://bugs.webkit.org/show_bug.cgi?id=154658
586
587         Reviewed by Benjamin Poulain.
588
589         Implements fairly comprehensive global store elimination:
590
591         1) If you store the result of a load with no interference in between, remove the store.
592
593         2) If you store the same thing you stored previously, remove the store.
594
595         3) If you store something that you either loaded previously or stored previously along
596            arbitrarily many paths, remove the store.
597
598         4) If you store to something that is stored to again in the future with no interference in
599            between, remove the store.
600
601         Rule (4) is super relevant to FTL since the DFG does not eliminate redundant PutStructures.
602         A constructor that produces a large object will have many redundant stores to the same base
603         pointer, offset, and heap range, with no code to observe that heap range in between.
604
605         This doesn't have a decisive effect on major benchmarks, but it's an enormous win for
606         microbenchmarks:
607
608         - 30% faster to construct an object with many fields.
609
610         - 5x faster to do many stores to a global variable.
611
612         The compile time cost should be very small. Although the optimization is global, it aborts as
613         soon as it sees anything that would confound store elimination. For rules (1)-(3), we
614         piggy-back the existing load elimination, which gives up on interfering stores. For rule (4),
615         we search forward through the current block and then globally a block at a time (skipping
616         block contents thanks to summary data), which could be expensive. But rule (4) aborts as soon
617         as it sees a read, write, or end block (Return or Oops). Any Check will claim to read TOP. Any
618         Patchpoint that results from an InvalidationPoint will claim to read TOP, as will any
619         Patchpoints for ICs. Those are usually sprinkled all over the program.
620
621         In other words, this optimization rarely kicks in. When it does kick in, it makes programs run
622         faster. When it doesn't kick in, it's usually O(1) because there are reasons for aborting all
623         over a "normal" program so the search will halt almost immediately. This of course raises the
624         question: how much more in compile time do we pay when the optimization does kick in? The
625         optimization kicks in the most for the microbenchmarks I wrote for this patch. Amazingly, the
626         effect of the optimization is a wash for compile time: whatever cost we pay doing the O(n^2)
627         searches is balanced by the massive reduction in work in the backend. On one of the two
628         microbenchmarks, overall compile time actually shrank with this optimization even though CSE
629         itself cost more. That's not too surprising - the backend costs much more per instruction, so
630         things that remove instructions before we get to the backend tend to be a good idea.
631
632         We could consider adding a more aggressive version of this in the future, which could sink
633         stores into checks. That could be crazy fun: https://bugs.webkit.org/show_bug.cgi?id=152162#c3
634
635         But mainly, I'm adding this optimization because it was super fun to implement during the
636         WebAssembly CG summit.
637
638         * b3/B3EliminateCommonSubexpressions.cpp:
639         * b3/B3MemoryValue.h:
640         * b3/B3SuccessorCollection.h:
641         (JSC::B3::SuccessorCollection::begin):
642         (JSC::B3::SuccessorCollection::end):
643         (JSC::B3::SuccessorCollection::const_iterator::const_iterator):
644         (JSC::B3::SuccessorCollection::const_iterator::operator*):
645         (JSC::B3::SuccessorCollection::const_iterator::operator++):
646         (JSC::B3::SuccessorCollection::const_iterator::operator==):
647         (JSC::B3::SuccessorCollection::const_iterator::operator!=):
648
649 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
650
651         Make it cheap to #include "JITOperations.h"
652         https://bugs.webkit.org/show_bug.cgi?id=154836
653
654         Reviewed by Mark Lam.
655
656         Prior to this change, this header included the whole world even though it didn't have any
657         definitions. This patch turns almost all of the includes into forward declarations. Right
658         now this header is very cheap to include.
659
660         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
661         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
662         * JavaScriptCore.xcodeproj/project.pbxproj:
663         * dfg/DFGSpeculativeJIT.h:
664         * jit/JITOperations.cpp:
665         * jit/JITOperations.h:
666         * jit/Repatch.h:
667         * runtime/CommonSlowPaths.h:
668         (JSC::encodeResult): Deleted.
669         (JSC::decodeResult): Deleted.
670         * runtime/SlowPathReturnType.h: Added.
671         (JSC::encodeResult):
672         (JSC::decodeResult):
673
674 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
675
676         FTL should be able to run everything in Octane/regexp
677         https://bugs.webkit.org/show_bug.cgi?id=154266
678
679         Reviewed by Saam Barati.
680
681         Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
682         make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
683         DFG backend optimization anyway - if we need this optimization then it should be a
684         strength reduction rule over IR. That way, it can be shared by all backends.
685
686         I measured whether removing that optimization had any effect on performance separately
687         from measuring the performance of this patch. Removing that optimization did not change
688         our score on any benchmarks.
689
690         This patch does have an overall negative effect on the Octane/regexp score. This is
691         presumably because tiering up to the FTL has no value to the code in the regexp test. Or
692         maybe it's something else. No matter - the overall effect on the Octane score is not
693         statistically significant and we don't want this kind of coverage blocked by the fact
694         that adding coverage hurts a benchmark.
695
696         * dfg/DFGByteCodeParser.cpp:
697         (JSC::DFG::ByteCodeParser::parseBlock):
698         * dfg/DFGNode.h:
699         (JSC::DFG::Node::setIndexingType):
700         (JSC::DFG::Node::hasRegexpIndex):
701         * dfg/DFGSpeculativeJIT.cpp:
702         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
703         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
704         (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
705         * dfg/DFGSpeculativeJIT32_64.cpp:
706         (JSC::DFG::SpeculativeJIT::compile):
707         * dfg/DFGSpeculativeJIT64.cpp:
708         (JSC::DFG::SpeculativeJIT::compile):
709         * ftl/FTLCapabilities.cpp:
710         (JSC::FTL::canCompile):
711         * ftl/FTLLowerDFGToB3.cpp:
712         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
713         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
714         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
715         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
716         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
717         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
718         * tests/stress/ftl-regexp-exec.js: Added.
719         * tests/stress/ftl-regexp-test.js: Added.
720
721 2016-02-28  Andreas Kling  <akling@apple.com>
722
723         Make JSFunction.name allocation fully lazy.
724         <https://webkit.org/b/154806>
725
726         Reviewed by Saam Barati.
727
728         We were reifying the "name" field on functions lazily, but created the string
729         value itself up front. This patch gets rid of the up-front allocation,
730         saving us a JSString allocation per function in most cases.
731
732         * builtins/BuiltinExecutables.cpp:
733         (JSC::createExecutableInternal):
734         * bytecode/UnlinkedFunctionExecutable.cpp:
735         (JSC::UnlinkedFunctionExecutable::visitChildren):
736         * bytecode/UnlinkedFunctionExecutable.h:
737         * runtime/CodeCache.cpp:
738         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
739         * runtime/Executable.h:
740         * runtime/JSFunction.cpp:
741         (JSC::JSFunction::reifyName):
742
743 2016-02-28  Andreas Kling  <akling@apple.com>
744
745         REGRESSION(r197303): 4 jsc tests failing on bots.
746
747         Unreviewed follow-up fix.
748
749         * bytecode/UnlinkedCodeBlock.cpp:
750         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
751         can still get called with !m_rareData, in case the type profiler is active but this
752         particular code block doesn't have type profiler data. Handle it gracefully.
753
754 2016-02-28  Andreas Kling  <akling@apple.com>
755
756         Shrink UnlinkedCodeBlock a bit.
757         <https://webkit.org/b/154797>
758
759         Reviewed by Anders Carlsson.
760
761         Move profiler-related members of UnlinkedCodeBlock into its RareData
762         structure, saving 40 bytes, and then reorder the other members of
763         UnlinkedCodeBlock to save another 24 bytes, netting a nice total 64.
764
765         The VM member was removed entirely since UnlinkedCodeBlock is a cell
766         and can retrieve its VM through MarkedBlock header lookup.
767
768         * bytecode/UnlinkedCodeBlock.cpp:
769         (JSC::UnlinkedCodeBlock::vm):
770         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
771         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
772         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
773         * bytecode/UnlinkedCodeBlock.h:
774         (JSC::UnlinkedCodeBlock::addRegExp):
775         (JSC::UnlinkedCodeBlock::addConstant):
776         (JSC::UnlinkedCodeBlock::addFunctionDecl):
777         (JSC::UnlinkedCodeBlock::addFunctionExpr):
778         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
779         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
780         (JSC::UnlinkedCodeBlock::vm): Deleted.
781
782 2016-02-27  Filip Pizlo  <fpizlo@apple.com>
783
784         FTL should lower its abstract heaps to B3 heap ranges
785         https://bugs.webkit.org/show_bug.cgi?id=154782
786
787         Reviewed by Saam Barati.
788
789         The FTL can describe the abstract heaps (points-to sets) that a memory operation will
790         affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
791         TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
792         notion - the HeapRange. That's what this patch fixes.
793
794         B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
795         integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
796         affects by specifying a heap range: a begin...end pair that says that the operation
797         affects all abstract heaps H such that begin <= H < end.
798
799         This peculiar scheme was a deliberate attempt to distill what the abstract heap
800         hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:
801
802         - A heap's end is greater than its begin.
803         - A heap's begin is greater than or equal to its parent's begin.
804         - A heap's end is less than or equal to its parent's end.
805
806         This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
807         went for the iterative traversal, which is a splendid algorithm, but it's totally
808         unnecessary here since we tightly control the height of the heap hierarchy.
809
810         Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
811         generate new ones for field names and constant indices we encounter, we can't actually
812         decorate the B3 instructions we create in lowering until all lowering is done. Adding a
813         new abstract heap to the hierarchy after ranges were already computed would require
814         updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
815         patch solves that problem by recording the associations between abstract heaps and their
816         intended roles in the generated IR, and then decorating all of the relevant B3 values
817         after we compute the ranges of the hierarchy after lowering.
818
819         This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
820         speed-up on any benchmark. That's not too surprising. We already have very precise CSE
821         in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
822         already been getting the big ones even without alias analysis.
823
824         Even without a speed-up, this patch is valuable because it makes it easier to implement
825         other optimizations, like store elimination.
826
827         * b3/B3HeapRange.h:
828         (JSC::B3::HeapRange::HeapRange):
829         * ftl/FTLAbstractHeap.cpp:
830         (JSC::FTL::AbstractHeap::AbstractHeap):
831         (JSC::FTL::AbstractHeap::changeParent):
832         (JSC::FTL::AbstractHeap::compute):
833         (JSC::FTL::AbstractHeap::shallowDump):
834         (JSC::FTL::AbstractHeap::dump):
835         (JSC::FTL::AbstractHeap::deepDump):
836         (JSC::FTL::AbstractHeap::badRangeError):
837         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
838         (JSC::FTL::IndexedAbstractHeap::baseIndex):
839         (JSC::FTL::IndexedAbstractHeap::atSlow):
840         (JSC::FTL::IndexedAbstractHeap::initialize):
841         (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
842         (JSC::FTL::AbstractField::dump): Deleted.
843         * ftl/FTLAbstractHeap.h:
844         (JSC::FTL::AbstractHeap::AbstractHeap):
845         (JSC::FTL::AbstractHeap::isInitialized):
846         (JSC::FTL::AbstractHeap::initialize):
847         (JSC::FTL::AbstractHeap::parent):
848         (JSC::FTL::AbstractHeap::heapName):
849         (JSC::FTL::AbstractHeap::range):
850         (JSC::FTL::AbstractHeap::offset):
851         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
852         (JSC::FTL::IndexedAbstractHeap::at):
853         (JSC::FTL::IndexedAbstractHeap::operator[]):
854         (JSC::FTL::IndexedAbstractHeap::returnInitialized):
855         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
856         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
857         (JSC::FTL::AbstractHeap::changeParent): Deleted.
858         (JSC::FTL::AbstractField::AbstractField): Deleted.
859         (JSC::FTL::AbstractField::initialize): Deleted.
860         (JSC::FTL::AbstractField::offset): Deleted.
861         * ftl/FTLAbstractHeapRepository.cpp:
862         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
863         (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
864         (JSC::FTL::AbstractHeapRepository::decorateMemory):
865         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
866         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
867         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
868         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
869         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
870         * ftl/FTLAbstractHeapRepository.h:
871         (JSC::FTL::AbstractHeapRepository::forArrayType):
872         (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
873         * ftl/FTLLowerDFGToB3.cpp:
874         (JSC::FTL::DFG::LowerDFGToB3::lower):
875         * ftl/FTLOutput.cpp:
876         (JSC::FTL::Output::load):
877         (JSC::FTL::Output::load8SignExt32):
878         (JSC::FTL::Output::load8ZeroExt32):
879         (JSC::FTL::Output::load16SignExt32):
880         (JSC::FTL::Output::load16ZeroExt32):
881         (JSC::FTL::Output::store):
882         (JSC::FTL::Output::store32As8):
883         (JSC::FTL::Output::store32As16):
884         (JSC::FTL::Output::baseIndex):
885         * ftl/FTLOutput.h:
886         (JSC::FTL::Output::address):
887         (JSC::FTL::Output::absolute):
888         (JSC::FTL::Output::load8SignExt32):
889         (JSC::FTL::Output::load8ZeroExt32):
890         (JSC::FTL::Output::load16SignExt32):
891         (JSC::FTL::Output::load16ZeroExt32):
892         (JSC::FTL::Output::load32):
893         (JSC::FTL::Output::load64):
894         (JSC::FTL::Output::loadPtr):
895         (JSC::FTL::Output::loadDouble):
896         (JSC::FTL::Output::store32):
897         (JSC::FTL::Output::store64):
898         (JSC::FTL::Output::storePtr):
899         (JSC::FTL::Output::storeDouble):
900         (JSC::FTL::Output::ascribeRange):
901         (JSC::FTL::Output::nonNegative32):
902         (JSC::FTL::Output::load32NonNegative):
903         (JSC::FTL::Output::equal):
904         (JSC::FTL::Output::notEqual):
905         * ftl/FTLTypedPointer.h:
906         (JSC::FTL::TypedPointer::operator!):
907         (JSC::FTL::TypedPointer::heap):
908         (JSC::FTL::TypedPointer::value):
909
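The range numbering described in the entry above (FTL abstract heaps lowered to B3 heap ranges), as an added example in JavaScript that is not JavaScriptCore code: it builds a small, made-up heap hierarchy, assigns half-open [begin, end) ranges by a recursive traversal that satisfies the three invariants listed, and uses range overlap as the alias query. The heap names are illustrative, not JSC's.

```javascript
// Added example (not JavaScriptCore code): number an abstract-heap hierarchy
// with B3-style half-open ranges [begin, end) and use them as an alias query.
// Heap names below are made up for illustration.

class AbstractHeap {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.children = [];
    this.begin = 0;
    this.end = 0;
    if (parent) parent.children.push(this);
  }
}

// Recursive numbering: a heap's begin is the first free number, its children
// are laid out consecutively after it, and a leaf consumes one number. An
// interior heap's range therefore covers every descendant, which is what
// gives the nesting invariants listed in the entry.
function computeRanges(heap, nextFree = 0) {
  heap.begin = nextFree;
  let cursor = nextFree;
  for (const child of heap.children) cursor = computeRanges(child, cursor);
  if (cursor === heap.begin) cursor += 1; // leaf: make the range non-empty
  heap.end = cursor;
  return cursor;
}

// Two memory operations may interfere iff their ranges overlap.
function mayAlias(a, b) {
  return a.begin < b.end && b.begin < a.end;
}

// Verify the three invariants from the ChangeLog entry over the whole tree:
// end > begin; child.begin >= parent.begin; child.end <= parent.end.
function checkInvariants(heap) {
  if (!(heap.end > heap.begin)) return false;
  if (heap.parent && (heap.begin < heap.parent.begin || heap.end > heap.parent.end)) return false;
  return heap.children.every((child) => checkInvariants(child));
}

// Build a small hierarchy and number it. Ranges are assigned only once the
// whole tree is known: adding a heap afterwards would shift every range to
// its right, which is the ordering problem the entry describes.
function buildExampleHierarchy() {
  const root = new AbstractHeap("root");
  const cell = new AbstractHeap("JSCell", root);
  const structureID = new AbstractHeap("JSCell_structureID", cell);
  const indexingType = new AbstractHeap("JSCell_indexingType", cell);
  const butterfly = new AbstractHeap("JSObject_butterfly", root);
  const props = new AbstractHeap("properties", root);
  const propSlots = [0, 1, 2].map((i) => new AbstractHeap(`properties[${i}]`, props));
  computeRanges(root);
  return { root, cell, structureID, indexingType, butterfly, props, propSlots };
}

const h = buildExampleHierarchy();
console.log(mayAlias(h.structureID, h.indexingType)); // false: disjoint siblings
console.log(mayAlias(h.cell, h.structureID));         // true: parent covers child
console.log(mayAlias(h.root, h.propSlots[2]));        // true: root covers everything
```

Because a range is just a pair of integers, the alias query is two comparisons, and a store to a parent heap conservatively conflicts with every load from any of its descendants.
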
910 2016-02-28  Skachkov Oleksandr  <gskachkov@gmail.com>
911
912         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
913         https://bugs.webkit.org/show_bug.cgi?id=153981
914
915         Reviewed by Saam Barati.
916        
917         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this',
918         'arguments', 'super' and 'new.target' whenever an arrow function existed, even if those variables were not used
919         in the arrow function. The current patch adds logic that prevents emitting those variables if they are not used
920         in the arrow function. During syntax analysis, the parser stores information about the variables used in the
921         arrow function inside the ordinary function scope and then passes it to the BytecodeGenerator through the UnlinkedCodeBlock.
922
923         * bytecompiler/BytecodeGenerator.cpp:
924         (JSC::BytecodeGenerator::BytecodeGenerator):
925         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
926         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
927         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
928         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
929         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
930         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
931         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
932         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
933         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
934         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
935         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
936         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
937         * bytecompiler/BytecodeGenerator.h:
938         * bytecompiler/NodesCodegen.cpp:
939         (JSC::ThisNode::emitBytecode):
940         (JSC::EvalFunctionCallNode::emitBytecode):
941         (JSC::FunctionNode::emitBytecode):
942         * parser/ASTBuilder.h:
943         (JSC::ASTBuilder::createBracketAccess):
944         (JSC::ASTBuilder::createDotAccess):
945         (JSC::ASTBuilder::usesSuperCall):
946         (JSC::ASTBuilder::usesSuperProperty):
947         (JSC::ASTBuilder::makeFunctionCallNode):
948         * parser/Nodes.cpp:
949         (JSC::ScopeNode::ScopeNode):
950         (JSC::ProgramNode::ProgramNode):
951         (JSC::ModuleProgramNode::ModuleProgramNode):
952         (JSC::EvalNode::EvalNode):
953         (JSC::FunctionNode::FunctionNode):
954         * parser/Nodes.h:
955         (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
956         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
957         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
958         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
959         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
960         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
961         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
962         (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
963         (JSC::ScopeNode::usesSuperCall):
964         (JSC::ScopeNode::usesSuperProperty):
965         * parser/Parser.cpp:
966         (JSC::Parser<LexerType>::parseProperty):
967         (JSC::Parser<LexerType>::parsePrimaryExpression):
968         (JSC::Parser<LexerType>::parseMemberExpression):
969         * parser/Parser.h:
970         (JSC::Scope::Scope):
971         (JSC::Scope::isArrowFunctionBoundary):
972         (JSC::Scope::innerArrowFunctionFeatures):
973         (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
974         (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
975         (JSC::Scope::setInnerArrowFunctionUsesEval):
976         (JSC::Scope::setInnerArrowFunctionUsesThis):
977         (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
978         (JSC::Scope::setInnerArrowFunctionUsesArguments):
979         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
980         (JSC::Scope::collectFreeVariables):
981         (JSC::Scope::mergeInnerArrowFunctionFeatures):
982         (JSC::Scope::fillParametersForSourceProviderCache):
983         (JSC::Scope::restoreFromSourceProviderCache):
984         (JSC::Scope::setIsFunction):
985         (JSC::Scope::setIsArrowFunction):
986         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
987         (JSC::Parser::pushScope):
988         (JSC::Parser::popScopeInternal):
989         (JSC::Parser<LexerType>::parse):
990         * parser/ParserModes.h:
991         * parser/SourceProviderCacheItem.h:
992         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
993         * parser/SyntaxChecker.h:
994         (JSC::SyntaxChecker::createFunctionMetadata):
995         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
996         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
997         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
998         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
999         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1000
1001 2016-02-28  Saam barati  <sbarati@apple.com>
1002
1003         ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
1004         https://bugs.webkit.org/show_bug.cgi?id=154768
1005
1006         Reviewed by Ryosuke Niwa.
1007
1008         This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
1009         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
1010         We weren't correctly propagating the result of this operation to the
1011         out PropertySlot& parameter. This patch fixes that and adds tests.
1012
1013         * runtime/ObjectConstructor.cpp:
1014         (JSC::objectConstructorGetOwnPropertyDescriptor):
1015         I added a missing exception check after object allocation
1016         because I saw that it was missing while reading the code.
1017
1018         * runtime/PropertyDescriptor.cpp:
1019         (JSC::PropertyDescriptor::setUndefined):
1020         (JSC::PropertyDescriptor::slowGetterSetter):
1021         (JSC::PropertyDescriptor::getter):
1022         * runtime/PropertyDescriptor.h:
1023         (JSC::PropertyDescriptor::attributes):
1024         (JSC::PropertyDescriptor::value):
1025         * runtime/ProxyObject.cpp:
1026         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1027         * tests/es6.yaml:
1028         * tests/stress/proxy-get-own-property.js:
1029         (let.handler.getOwnPropertyDescriptor):
1030         (set get let.handler.return):
1031         (set get let.handler.getOwnPropertyDescriptor):
1032         (set get let):
1033         (set get let.a):
1034         (let.b):
1035         (let.setter):
1036         (let.getter):
1037
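The propagation the entry above fixes is observable from script: every operation that consumes [[GetOwnProperty]] must see what the getOwnPropertyDescriptor trap returned. The following is an added JavaScript example, not the patch's proxy-get-own-property.js test; the target object, handler and property names are constructed for illustration.

```javascript
// Added example (not the JSC patch's test file): route the operations that
// consume [[GetOwnProperty]] through a Proxy and record what the
// getOwnPropertyDescriptor trap reported for each of them.

function runGetOwnPropertyTrap() {
  const target = { x: 1 };
  const seenKeys = []; // which keys the trap was asked about, in order
  const handler = {
    getOwnPropertyDescriptor(t, key) {
      seenKeys.push(key);
      if (key === "x") {
        // Different value from the target, but still compatible with the
        // target's configurable data property, so the proxy invariants hold.
        return { value: 42, writable: true, enumerable: true, configurable: true };
      }
      if (key === "g") {
        // Report an accessor the target does not have; allowed because the
        // target is extensible and the reported descriptor is configurable.
        return { get() { return "from-trap"; }, enumerable: false, configurable: true };
      }
      return undefined; // everything else: not an own property
    },
  };
  const proxy = new Proxy(target, handler);

  const xDesc = Object.getOwnPropertyDescriptor(proxy, "x");
  const gDesc = Object.getOwnPropertyDescriptor(proxy, "g");
  const yDesc = Object.getOwnPropertyDescriptor(proxy, "y");
  const hasOwnX = Object.prototype.hasOwnProperty.call(proxy, "x");
  const hasOwnY = Object.prototype.hasOwnProperty.call(proxy, "y");
  const keys = Object.keys(proxy); // enumerability of each own key comes from the trap

  return {
    xValue: xDesc.value,                       // 42, not the target's 1
    xConfigurable: xDesc.configurable,
    gIsAccessor: typeof gDesc.get === "function" && !("value" in gDesc),
    gGetterResult: gDesc.get(),
    yDesc,                                     // undefined
    hasOwnX,
    hasOwnY,
    keys,                                      // ["x"]
    seenKeys,
  };
}

console.log(runGetOwnPropertyTrap());
```

A membrane or sandbox that relies on a Proxy to hide or rewrite property descriptors depends on exactly this path: if the engine consulted the target instead of the trap's result, `xValue` would read 1 and `gDesc` would be undefined.
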
1038 2016-02-27  Andy VanWagoner  <thetalecrafter@gmail.com>
1039
1040         Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
1041         https://bugs.webkit.org/show_bug.cgi?id=152448
1042
1043         Reviewed by Darin Adler.
1044
1045         Add defaultLanguage to the globalObjectMethodTable and use it for the
1046         default locale in Intl object initializations. Fall back to ICU default
1047         locale only if the defaultLanguage function is null, or returns an
1048         empty string.
1049
1050         * jsc.cpp:
1051         * runtime/IntlCollator.cpp:
1052         (JSC::IntlCollator::initializeCollator):
1053         * runtime/IntlDateTimeFormat.cpp:
1054         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1055         * runtime/IntlNumberFormat.cpp:
1056         (JSC::IntlNumberFormat::initializeNumberFormat):
1057         * runtime/IntlObject.cpp:
1058         (JSC::defaultLocale):
1059         (JSC::lookupMatcher):
1060         (JSC::bestFitMatcher):
1061         (JSC::resolveLocale):
1062         * runtime/IntlObject.h:
1063         * runtime/JSGlobalObject.cpp:
1064         * runtime/JSGlobalObject.h:
1065         * runtime/StringPrototype.cpp:
1066         (JSC::toLocaleCase):
1067
1068 2016-02-27  Oliver Hunt  <oliver@apple.com>
1069
1070         CLoop build fix.
1071
1072         * jit/ExecutableAllocatorFixedVMPool.cpp:
1073
1074 2016-02-26  Oliver Hunt  <oliver@apple.com>
1075
1076         Remove the on demand executable allocator
1077         https://bugs.webkit.org/show_bug.cgi?id=154749
1078
1079         Reviewed by Geoffrey Garen.
1080
1081         Remove all the DemandExecutable code and executable allocator ifdefs.
1082
1083         * CMakeLists.txt:
1084         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1085         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1086         * JavaScriptCore.xcodeproj/project.pbxproj:
1087         * jit/ExecutableAllocator.cpp: Removed.
1088         (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
1089         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
1090         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
1091         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
1092         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
1093         (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
1094         (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
1095         (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
1096         (JSC::DemandExecutableAllocator::allocators): Deleted.
1097         (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
1098         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
1099         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
1100         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
1101         (JSC::ExecutableAllocator::isValid): Deleted.
1102         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
1103         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
1104         (JSC::ExecutableAllocator::allocate): Deleted.
1105         (JSC::ExecutableAllocator::committedByteCount): Deleted.
1106         (JSC::ExecutableAllocator::dumpProfile): Deleted.
1107         (JSC::ExecutableAllocator::getLock): Deleted.
1108         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
1109         (JSC::ExecutableAllocator::reprotectRegion): Deleted.
1110         * jit/ExecutableAllocator.h:
1111         * jit/ExecutableAllocatorFixedVMPool.cpp:
1112         * jit/JITStubRoutine.h:
1113         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
1114         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
1115         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
1116
1117 2016-02-26  Joseph Pecoraro  <pecoraro@apple.com>
1118
1119         Reduce direct callers of Structure::findStructuresAndMapForMaterialization
1120         https://bugs.webkit.org/show_bug.cgi?id=154751
1121
1122         Reviewed by Mark Lam.
1123
1124         * runtime/Structure.cpp:
1125         (JSC::Structure::toStructureShape):
1126         This property name iteration is identical to Structure::forEachPropertyConcurrently.
1127         Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.
1128
1129 2016-02-26  Mark Lam  <mark.lam@apple.com>
1130
1131         Function.name and Function.length should be configurable.
1132         https://bugs.webkit.org/show_bug.cgi?id=154604
1133
1134         Reviewed by Saam Barati.
1135
1136         According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
1137         "Unless otherwise specified, the name property of a built-in Function object,
1138         if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
1139         [[Configurable]]: true }."
1140
1141         Similarly, "the length property of a built-in Function object has the attributes
1142         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."
1143
1144         This patch makes Function.name and Function.length configurable.
1145
1146         We do this by lazily reifying the JSFunction name and length properties on first
1147         access.  We track whether each of these properties has been reified using flags
1148         in the FunctionRareData.  On first access, if not already reified, we will put
1149         the property into the object with its default value and attributes and set the
1150         reified flag.  Thereafter, we rely on the base JSObject to handle access to the
1151         property.
1152
1153         Also, lots of test results have to be re-baselined because the old Function.length
1154         has attribute DontDelete, which is in conflict with the ES6 requirement that it
1155         is configurable.
1156
1157         * runtime/FunctionRareData.h:
1158         (JSC::FunctionRareData::hasReifiedLength):
1159         (JSC::FunctionRareData::setHasReifiedLength):
1160         (JSC::FunctionRareData::hasReifiedName):
1161         (JSC::FunctionRareData::setHasReifiedName):
1162         - Flags for tracking whether each property has been reified.
1163
1164         * runtime/JSFunction.cpp:
1165         (JSC::JSFunction::finishCreation):
1166         (JSC::JSFunction::createBuiltinFunction):
1167         - Host and builtin functions currently always reify their name and length
1168           properties.  Currently, for builtins, the default names that are used may
1169           differ from the executable name.  For now, we'll stay with keeping this
1170           alternate approach to getting the name and length properties for host and
1171           builtin functions.
1172           However, we need their default attribute to be configurable as well.
1173
1174         (JSC::JSFunction::getOwnPropertySlot):
1175         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1176         (JSC::JSFunction::put):
1177         (JSC::JSFunction::deleteProperty):
1178         (JSC::JSFunction::defineOwnProperty):
1179         (JSC::JSFunction::reifyLength):
1180         (JSC::JSFunction::reifyName):
1181         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1182         (JSC::JSFunction::lengthGetter): Deleted.
1183         (JSC::JSFunction::nameGetter): Deleted.
1184         * runtime/JSFunction.h:
1185         * runtime/JSFunctionInlines.h:
1186         (JSC::JSFunction::hasReifiedLength):
1187         (JSC::JSFunction::hasReifiedName):
1188
1189         * tests/es6.yaml:
1190         - 4 new passing tests.
1191
1192         * tests/mozilla/ecma/Array/15.4.4.3-1.js:
1193         * tests/mozilla/ecma/Array/15.4.4.4-1.js:
1194         * tests/mozilla/ecma/Array/15.4.4.4-2.js:
1195         * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
1196         * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
1197         * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
1198         * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
1199         * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
1200         * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
1201         * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
1202         * tests/mozilla/ecma/String/15.5.4.10-1.js:
1203         * tests/mozilla/ecma/String/15.5.4.11-1.js:
1204         * tests/mozilla/ecma/String/15.5.4.11-5.js:
1205         * tests/mozilla/ecma/String/15.5.4.12-1.js:
1206         * tests/mozilla/ecma/String/15.5.4.6-2.js:
1207         * tests/mozilla/ecma/String/15.5.4.7-2.js:
1208         * tests/mozilla/ecma/String/15.5.4.8-1.js:
1209         * tests/mozilla/ecma/String/15.5.4.9-1.js:
1210         - Rebase expected test results.
1211
1212         * tests/stress/function-configurable-properties.js: Added.
1213
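The attributes quoted from the specification in the entry above, checked from script, as an added JavaScript example (not the patch's function-configurable-properties.js test): it reads the descriptors of "name" and "length" on an ordinary function and on two built-ins, then exercises what only a configurable, non-writable property allows. The functions used are constructed for illustration.

```javascript
// Added example (not JavaScriptCore code): verify the { writable: false,
// enumerable: false, configurable: true } attributes of Function "name" and
// "length", then redefine and delete them.

function attributesOf(fn, key) {
  const d = Object.getOwnPropertyDescriptor(fn, key);
  return { writable: d.writable, enumerable: d.enumerable, configurable: d.configurable };
}

// Expected for ordinary functions and built-ins alike:
// { writable: false, enumerable: false, configurable: true }
function specAttributes() {
  function ordinary(a, b) { return a + b; }
  return {
    ordinaryName: attributesOf(ordinary, "name"),
    ordinaryLength: attributesOf(ordinary, "length"),
    builtinName: attributesOf(Math.max, "name"),
    builtinLength: attributesOf(Array.prototype.push, "length"),
  };
}

// Non-writable: plain assignment fails (a TypeError in strict code).
// Configurable: defineProperty and delete succeed.
function exerciseConfigurability() {
  "use strict";
  function f(a, b, c) {}

  let assignThrew = false;
  try { f.name = "assigned"; } catch (e) { assignThrew = e instanceof TypeError; }

  Object.defineProperty(f, "name", { value: "redefined" });
  const redefinedName = f.name;

  const lengthDeleted = delete f.length;
  const ownLengthAfterDelete = Object.prototype.hasOwnProperty.call(f, "length");
  // With the own property gone, lookup falls through to
  // Function.prototype.length, which is 0.
  const inheritedLength = f.length;

  return { assignThrew, redefinedName, lengthDeleted, ownLengthAfterDelete, inheritedLength };
}

console.log(specAttributes());
console.log(exerciseConfigurability());
```

The delete case is the one that flipped with this patch: under the old DontDelete attribute `delete f.length` returned false and the own property stayed in place.
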
1214 2016-02-26  Keith Miller  <keith_miller@apple.com>
1215
1216         Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
1217         https://bugs.webkit.org/show_bug.cgi?id=154743
1218
1219         Reviewed by Mark Lam.
1220
1221         * dfg/DFGConstantFoldingPhase.cpp:
1222         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1223         * dfg/DFGFixupPhase.cpp:
1224         (JSC::DFG::FixupPhase::fixupNode):
1225
1226 2016-02-26  Keith Miller  <keith_miller@apple.com>
1227
1228         Native Typed Array functions should use Symbol.species
1229         https://bugs.webkit.org/show_bug.cgi?id=154569
1230
1231         Reviewed by Michael Saboff.
1232
1233         This patch adds support for Symbol.species in the native Typed Array prototype
1234         functions. Additionally, now that other types of typedarrays are creatable inside
1235         the slice we use the JSGenericTypedArrayView::set function, which has been beefed
1236         up, to put everything into the correct place.
1237
1238         * runtime/JSDataView.cpp:
1239         (JSC::JSDataView::set):
1240         * runtime/JSDataView.h:
1241         * runtime/JSGenericTypedArrayView.h:
1242         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1243         (JSC::constructGenericTypedArrayViewFromIterator):
1244         (JSC::constructGenericTypedArrayViewWithArguments):
1245         (JSC::constructGenericTypedArrayView):
1246         * runtime/JSGenericTypedArrayViewInlines.h:
1247         (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
1248         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1249         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1250         (JSC::speciesConstruct):
1251         (JSC::genericTypedArrayViewProtoFuncSet):
1252         (JSC::genericTypedArrayViewProtoFuncSlice):
1253         (JSC::genericTypedArrayViewProtoFuncSubarray):
1254         * tests/stress/typedarray-slice.js:
1255         (subclasses.typedArrays.map):
1256         (testSpecies):
1257         (forEach):
1258         (subclasses.forEach):
1259         (testSpeciesRemoveConstructor):
1260         (testSpeciesWithSameBuffer):
1261         * tests/stress/typedarray-subarray.js: Added.
1262         (subclasses.typedArrays.map):
1263         (testSpecies):
1264         (forEach):
1265         (subclasses.forEach):
1266         (testSpeciesRemoveConstructor):
1267
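What Symbol.species support in the Typed Array prototype functions looks like from script, as an added JavaScript example (not the typedarray-slice.js or typedarray-subarray.js tests the entry lists): it covers the three cases those test names describe, a subclass kept through slice/subarray/map, a removed constructor, and a species constructor that returns a view over the same buffer. The class names and data are constructed for illustration.

```javascript
// Added example (not the JSC test files the entry lists): observe which
// constructor %TypedArray%.prototype.slice/subarray/map use once
// Symbol.species is honoured.

class Tagged extends Uint8Array {}

// Opts out of subclassing for derived objects: species is the base type.
class PlainSpecies extends Uint8Array {
  static get [Symbol.species]() { return Uint8Array; }
}

function speciesResults() {
  const t = new Tagged([1, 2, 3, 4]);
  const p = new PlainSpecies([1, 2, 3, 4]);
  const sub = t.subarray(1, 3);
  return {
    sliceKeepsSubclass: t.slice(1, 3) instanceof Tagged,
    mapKeepsSubclass: t.map((x) => x * 2) instanceof Tagged,
    subarrayKeepsSubclass: sub instanceof Tagged,
    subarraySharesBuffer: sub.buffer === t.buffer,
    sliceUsesSpecies: p.slice(1, 3).constructor === Uint8Array,
  };
}

// Species lookup goes through `constructor`; removing it falls back to the
// intrinsic default constructor instead of throwing.
function removedConstructorResult() {
  const t = new Tagged([9, 8, 7]);
  t.constructor = undefined;
  const copy = t.slice(0, 2);
  return { isPlain: copy.constructor === Uint8Array, values: Array.from(copy) };
}

// A species constructor that hands back a view over the *same* buffer makes
// slice copy between overlapping regions. The copy proceeds element by
// element in ascending order, so the outcome is well defined even though the
// source is overwritten while it is being read.
const sharedBuffer = new ArrayBuffer(6);
class SameBufferSpecies extends Uint8Array {
  static get [Symbol.species]() {
    return function (length) { return new Uint8Array(sharedBuffer, 0, length); };
  }
}

function sameBufferResult() {
  const src = new SameBufferSpecies(sharedBuffer);
  src.set([1, 2, 3, 4, 5, 6]);
  const copy = src.slice(2, 6); // writes 3,4,5,6 over bytes 0..3 of the same buffer
  return { copy: Array.from(copy), whole: Array.from(src) };
}

console.log(speciesResults());
console.log(removedConstructorResult());
console.log(sameBufferResult());
```

The last case is why the entry mentions beefing up JSGenericTypedArrayView::set: once user code chooses the destination, slice can no longer assume a fresh, non-overlapping, same-typed target and has to copy with that in mind.
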
1268 2016-02-26  Benjamin Poulain  <bpoulain@apple.com>
1269
1270         [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
1271         https://bugs.webkit.org/show_bug.cgi?id=154704
1272
1273         Reviewed by Geoffrey Garen.
1274
1275         If the Imm is zero, we should still zero the top bits
1276         to match the definition in AirOpcodes.
1277
1278         * assembler/MacroAssemblerX86Common.h:
1279         (JSC::MacroAssemblerX86Common::add32):
1280         * b3/testb3.cpp:
1281
1282 2016-02-26  Oliver Hunt  <oliver@apple.com>
1283
1284         Make testRegExp not crash when given an invalid regexp
1285         https://bugs.webkit.org/show_bug.cgi?id=154732
1286
1287         Reviewed by Mark Lam.
1288
1289         * testRegExp.cpp:
1290         (parseRegExpLine):
1291
1292 2016-02-26  Benjamin Poulain  <benjamin@webkit.org>
1293
1294         [JSC] Add the test for r197155
1295         https://bugs.webkit.org/show_bug.cgi?id=154715
1296
1297         Reviewed by Mark Lam.
1298
1299         Silly me. I forgot the test in the latest patch update.
1300
1301         * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
1302
1303 2016-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1304
1305         [DFG] Drop unnecessary proved type branch in ToPrimitive
1306         https://bugs.webkit.org/show_bug.cgi?id=154716
1307
1308         Reviewed by Geoffrey Garen.
1309
1310         This branching based on the proved types is unnecessary because this is already handled in constant folding phase.
1311         In fact, the DFGSpeculativeJIT64.cpp case is already removed in r164243.
1312         This patch removes the remaining JIT32_64 case.
1313
1314         * dfg/DFGSpeculativeJIT32_64.cpp:
1315         (JSC::DFG::SpeculativeJIT::compile):
1316
1317 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
1318
1319         [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
1320         https://bugs.webkit.org/show_bug.cgi?id=154575
1321
1322         Reviewed by Filip Pizlo.
1323
1324         I noticed that imaging-gaussian-blur spends most of its
1325         samples in DFG code despite executing most of the loop
1326         iterations in FTL.
1327
1328         On this particular test, the main function is only entered
        once and has a very heavy loop there. What happens is DFG
1330         starts by compiling the full function in FTL. That takes about
1331         8 to 10 milliseconds during which the DFG code makes very little
1332         progress. The calls to triggerOSREntryNow() try to OSR Enter
1333         for a while then finally start compiling something. By the time
1334         the function is ready, we have wasted a lot of time in DFG code.
1335
1336         What this patch does is set a flag when a DFG function is entered.
1337         If we try to triggerOSREntryNow() and the flag was never set,
1338         we start compiling both the full function and the one for OSR Entry.
1339
1340         * dfg/DFGJITCode.h:
1341         * dfg/DFGJITCompiler.cpp:
1342         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
1343         (JSC::DFG::JITCompiler::compile):
1344         (JSC::DFG::JITCompiler::compileFunction):
1345         * dfg/DFGJITCompiler.h:
1346         * dfg/DFGOperations.cpp:
1347         * dfg/DFGPlan.cpp:
1348         (JSC::DFG::Plan::Plan): Deleted.
1349         * dfg/DFGPlan.h:
1350         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1351         (JSC::DFG::TierUpCheckInjectionPhase::run):
1352
1353 2016-02-25  Benjamin Poulain  <benjamin@webkit.org>
1354
1355         [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
1356         https://bugs.webkit.org/show_bug.cgi?id=154664
1357
1358         Reviewed by Saam Barati.
1359
1360         When doing OSR Enter into a constructor, we lose the information
1361         that this may have been set to empty by a previously executed block.
1362
1363         All the code just assumed the type for a FlushedJS value and thus
1364         not an empty value. It was then okay to eliminate the TDZ checks.
1365
1366         In this patch, the values on root entry now assume they may be empty.
1367         As a result, the SetArgument() for "this" has "empty" as possible
        type, and the TDZ checks are no longer eliminated.
1369
1370         * dfg/DFGInPlaceAbstractState.cpp:
1371         (JSC::DFG::InPlaceAbstractState::initialize):
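
        As an added illustration (not JavaScriptCore code or its regression test), the
        JavaScript below is the shape of program this fix protects: a derived
        constructor runs a hot loop, the kind of loop that gets OSR-entered into an
        optimizing tier, and touches "this" before super(). The TDZ check has to
        survive in whatever tier ends up running the loop. The class names, iteration
        count and the touchThisAt parameter are made up for this example.

```javascript
'use strict';
// Added example, not JavaScriptCore code. Base, Derived and the parameters are
// invented for this demo.

class Base {
  constructor() { this.built = true; }
}

class Derived extends Base {
  constructor(iterations, touchThisAt) {
    let acc = 0;
    for (let i = 0; i < iterations; i++) {
      acc += i;                                    // keep the loop hot
      if (i === touchThisAt) this.touched = acc;   // `this` is in its TDZ here: must throw
    }
    super();
    this.acc = acc;
  }
}

// Reads `this` on the last iteration, long after an optimizing tier may have
// taken over the loop. Returns the error class name, or null if nothing threw.
function tdzCheckAfterHotLoop(iterations) {
  try {
    new Derived(iterations, iterations - 1);
    return null;
  } catch (e) {
    return e.constructor.name;          // expected 'ReferenceError'
  }
}

// The same loop without the premature access completes normally.
function constructAfterHotLoop(iterations) {
  const d = new Derived(iterations, -1);
  return { built: d.built, acc: d.acc };
}
```

        If an engine dropped the check on OSR entry, the first function would return
        null and the write would land on an uninitialised "this".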
1372
1373 2016-02-25  Ada Chan  <adachan@apple.com>
1374
1375         Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
1376         https://bugs.webkit.org/show_bug.cgi?id=154702
1377
1378         Reviewed by Dan Bernstein.
1379
1380         * Configurations/FeatureDefines.xcconfig:
1381
1382 2016-02-25  Saam barati  <sbarati@apple.com>
1383
1384         [ES6] for...in iteration doesn't comply with the specification
1385         https://bugs.webkit.org/show_bug.cgi?id=154665
1386
1387         Reviewed by Michael Saboff.
1388
1389         If you read ForIn/OfHeadEvaluation inside the spec:
1390         https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
1391         It calls EnumerateObjectProperties(obj) to get a set of properties
        to enumerate over (it models this "set" as an ES6 generator function).
1393         EnumerateObjectProperties is defined in section 13.7.5.15:
1394         https://tc39.github.io/ecma262/#sec-enumerate-object-properties
1395         The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
1396         properties it sees. We must do the same by modeling the operation as
1397         a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.
1398
1399         * jit/JITOperations.cpp:
1400         * jit/JITOperations.h:
1401         * runtime/CommonSlowPaths.cpp:
1402         (JSC::SLOW_PATH_DECL):
1403         * runtime/JSObject.cpp:
1404         (JSC::JSObject::hasProperty):
1405         (JSC::JSObject::hasPropertyGeneric):
1406         * runtime/JSObject.h:
1407         * tests/stress/proxy-get-own-property.js:
1408         (assert):
1409         (let.handler.getOwnPropertyDescriptor):
1410         (i.set assert):
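
        As an added illustration (not JavaScriptCore code or its test), the JavaScript
        below records which Proxy traps a for...in loop fires, so the
        [[GetOwnProperty]] vs [[HasProperty]] distinction above is observable from
        script, and shows that a getOwnPropertyDescriptor trap can hide keys from the
        loop. The target objects, handlers and key names are made up for this example.

```javascript
'use strict';
// Added example, not JavaScriptCore code. Targets, handlers and keys are invented.

function trapsFiredByForIn() {
  const log = [];
  const proxy = new Proxy({ a: 1, b: 2 }, {
    ownKeys(target) {
      log.push('ownKeys');
      return Reflect.ownKeys(target);
    },
    getOwnPropertyDescriptor(target, key) {       // the trap enumeration must consult
      log.push('getOwnPropertyDescriptor:' + String(key));
      return Reflect.getOwnPropertyDescriptor(target, key);
    },
    has(target, key) {                            // must NOT drive enumeration
      log.push('has:' + String(key));
      return Reflect.has(target, key);
    },
  });
  const seen = [];
  for (const key in proxy) seen.push(key);
  return {
    seen,
    usedGetOwnProperty: log.includes('getOwnPropertyDescriptor:a'),
    usedHas: log.some((entry) => entry.startsWith('has:')),
  };
}

// Because enumeration goes through [[GetOwnProperty]], a trap that reports a key
// as absent or non-enumerable hides it even though ownKeys listed it. Both answers
// are legal here because the target's properties are configurable.
function descriptorTrapFiltersKeys() {
  const proxy = new Proxy({ visible: 1, hidden: 2, quiet: 3 }, {
    getOwnPropertyDescriptor(target, key) {
      if (key === 'hidden') return undefined;
      const desc = Reflect.getOwnPropertyDescriptor(target, key);
      if (key === 'quiet') desc.enumerable = false;
      return desc;
    },
  });
  const seen = [];
  for (const key in proxy) seen.push(key);
  return seen;                                    // ['visible']
}
```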
1411
1412 2016-02-25  Saam barati  <sbarati@apple.com>
1413
1414         [ES6] Implement Proxy.[[Set]]
1415         https://bugs.webkit.org/show_bug.cgi?id=154511
1416
1417         Reviewed by Filip Pizlo.
1418
1419         This patch is mostly an implementation of
1420         Proxy.[[Set]] with respect to section 9.5.9
1421         of the ECMAScript spec.
1422         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver
1423
1424         This patch also changes JSObject::putInline and JSObject::putByIndex
1425         to be aware that a Proxy in the prototype chain will intercept
1426         property accesses.
1427
1428         * runtime/JSObject.cpp:
1429         (JSC::JSObject::putInlineSlow):
1430         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1431         * runtime/JSObject.h:
1432         * runtime/JSObjectInlines.h:
1433         (JSC::JSObject::canPerformFastPutInline):
1434         (JSC::JSObject::putInline):
1435         * runtime/JSType.h:
1436         * runtime/ProxyObject.cpp:
1437         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1438         (JSC::ProxyObject::performPut):
1439         (JSC::ProxyObject::put):
1440         (JSC::ProxyObject::putByIndexCommon):
1441         (JSC::ProxyObject::putByIndex):
1442         (JSC::performProxyCall):
1443         (JSC::ProxyObject::getCallData):
1444         (JSC::performProxyConstruct):
1445         (JSC::ProxyObject::deletePropertyByIndex):
1446         (JSC::ProxyObject::visitChildren):
1447         * runtime/ProxyObject.h:
1448         (JSC::ProxyObject::create):
1449         (JSC::ProxyObject::createStructure):
1450         (JSC::ProxyObject::target):
1451         (JSC::ProxyObject::handler):
1452         * tests/es6.yaml:
1453         * tests/stress/proxy-set.js: Added.
1454         (assert):
1455         (throw.new.Error.let.handler.set 45):
1456         (throw.new.Error):
1457         (let.target.set x):
1458         (let.target.get x):
1459         (set let):
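
        As an added illustration (not JavaScriptCore code or its test), the JavaScript
        below shows the behaviour this patch teaches putInline and putByIndex about: a
        Proxy in the prototype chain intercepts assignments to an object that inherits
        from it, for both named and indexed keys, and can veto them. The proxies,
        objects and keys are made up for this example.

```javascript
'use strict';
// Added example, not JavaScriptCore code. Names (proto, child, log) are invented.

function setThroughPrototypeProxy() {
  const log = [];
  let child;                                   // assigned below; the trap compares against it
  const proto = new Proxy({}, {
    set(target, key, value, receiver) {
      log.push([String(key), value, receiver === child]);
      return Reflect.set(target, key, value, receiver); // spec path: define on the receiver
    },
  });
  child = Object.create(proto);
  child.x = 1;        // named put: [[Set]] on child walks up to the proxy
  child[0] = 'v';     // indexed put takes the same trap, with key '0'
  return {
    log,
    ownKeys: Object.keys(child),                 // the data lands on the receiver...
    protoTargetIsEmpty: Object.keys(proto).length === 0, // ...not on the proxy target
  };
}

// A prototype proxy can refuse the write. In strict code a [[Set]] that returns
// false surfaces as a TypeError, so the assignment is not silently lost.
function prototypeProxyVetoesWrite() {
  'use strict';
  const readOnlyProto = new Proxy({}, { set() { return false; } });
  const child = Object.create(readOnlyProto);
  try {
    child.x = 1;
    return { threw: null, hasX: 'x' in child };
  } catch (e) {
    return { threw: e.constructor.name, hasX: 'x' in child };
  }
}
```

        The fast put path an engine takes for plain objects must be disabled as soon as
        a Proxy appears anywhere on the chain, otherwise the trap (and its veto) is
        skipped.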
1460
1461 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
1462
1463         [JSC] Remove a useless "Move" in the lowering of Select
1464         https://bugs.webkit.org/show_bug.cgi?id=154670
1465
1466         Reviewed by Geoffrey Garen.
1467
1468         I left the Move instruction when creating the aliasing form
1469         of Select.
1470
1471         On ARM64, that meant a useless move for any case that can't
1472         be coalesced.
1473
1474         On x86, that meant an extra constraint on child2, making it
1475         stupidly hard to alias child1.
1476
1477         * b3/B3LowerToAir.cpp:
1478         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
1479
1480 2016-02-24  Joseph Pecoraro  <pecoraro@apple.com>
1481
1482         Web Inspector: Expose Proxy target and handler internal properties to Inspector
1483         https://bugs.webkit.org/show_bug.cgi?id=154663
1484
1485         Reviewed by Timothy Hatcher.
1486
1487         * inspector/JSInjectedScriptHost.cpp:
1488         (Inspector::JSInjectedScriptHost::getInternalProperties):
1489         Expose the ProxyObject's target and handler.
1490
1491 2016-02-24  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
1492
1493         [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
1494         https://bugs.webkit.org/show_bug.cgi?id=151688
1495
1496         Reviewed by Dean Jackson.
1497
1498         Enables the WEB_ANIMATIONS compiler switch.
1499
1500         * Configurations/FeatureDefines.xcconfig:
1501
1502 2016-02-24  Konstantin Tokarev  <annulen@yandex.ru>
1503
1504         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
1505         https://bugs.webkit.org/show_bug.cgi?id=154651
1506
1507         Reviewed by Alex Christensen.
1508
1509         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
1510
1511 2016-02-24  Commit Queue  <commit-queue@webkit.org>
1512
1513         Unreviewed, rolling out r197033.
1514         https://bugs.webkit.org/show_bug.cgi?id=154649
1515
1516         "It broke JSC tests when 'this' was loaded from global scope"
1517         (Requested by saamyjoon on #webkit).
1518
1519         Reverted changeset:
1520
1521         "[ES6] Arrow function syntax. Emit loading&putting this/super
1522         only if they are used in arrow function"
1523         https://bugs.webkit.org/show_bug.cgi?id=153981
1524         http://trac.webkit.org/changeset/197033
1525
1526 2016-02-24  Saam Barati  <sbarati@apple.com>
1527
1528         [ES6] Implement Proxy.[[Delete]]
1529         https://bugs.webkit.org/show_bug.cgi?id=154607
1530
1531         Reviewed by Mark Lam.
1532
1533         This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
1534         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
1535
1536         * runtime/ProxyObject.cpp:
1537         (JSC::ProxyObject::getConstructData):
1538         (JSC::ProxyObject::performDelete):
1539         (JSC::ProxyObject::deleteProperty):
1540         (JSC::ProxyObject::deletePropertyByIndex):
1541         * runtime/ProxyObject.h:
1542         * tests/es6.yaml:
1543         * tests/stress/proxy-delete.js: Added.
1544         (assert):
1545         (throw.new.Error.let.handler.get deleteProperty):
1546         (throw.new.Error):
1547         (assert.let.handler.deleteProperty):
1548         (let.handler.deleteProperty):
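
        As an added illustration (not JavaScriptCore code or its test), the JavaScript
        below exercises the deleteProperty trap and the invariant from section 9.5.10
        that an engine must enforce: a trap may claim success for a configurable
        property, but claiming success for a non-configurable one is a TypeError. The
        target, handler and property names are made up for this example.

```javascript
'use strict';
// Added example, not JavaScriptCore code. Target, handler and keys are invented.

function deleteTrapBehaviour() {
  const target = { loose: 1 };
  Object.defineProperty(target, 'pinned', { value: 2, configurable: false });
  const log = [];
  const proxy = new Proxy(target, {
    deleteProperty(t, key) {
      log.push(String(key));
      return true;           // claims success without touching the target
    },
  });
  const looseResult = delete proxy.loose;   // trusted: 'loose' is configurable
  let pinnedError = null;
  try {
    delete proxy.pinned;     // lies about a non-configurable property
  } catch (e) {
    pinnedError = e.constructor.name;
  }
  return {
    log,
    looseResult,                             // true, as the trap said
    looseStillOnTarget: 'loose' in target,   // true: the trap never deleted it
    pinnedError,                             // 'TypeError': invariant check fired
  };
}

// Without a deleteProperty trap, delete falls through to the target as usual.
function deleteWithoutTrap() {
  const target = { gone: 1 };
  const proxy = new Proxy(target, {});
  const result = delete proxy.gone;
  return { result, stillThere: 'gone' in target };
}
```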
1549
1550 2016-02-24  Filip Pizlo  <fpizlo@apple.com>
1551
1552         Stackmaps have problems with double register constraints
1553         https://bugs.webkit.org/show_bug.cgi?id=154643
1554
1555         Reviewed by Geoffrey Garen.
1556
1557         This is currently a benign bug. I found it while playing.
1558
1559         * b3/B3LowerToAir.cpp:
1560         (JSC::B3::Air::LowerToAir::fillStackmap):
1561         * b3/testb3.cpp:
1562         (JSC::B3::testURShiftSelf64):
1563         (JSC::B3::testPatchpointDoubleRegs):
1564         (JSC::B3::zero):
1565         (JSC::B3::run):
1566
1567 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
1568
1569         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
1570         https://bugs.webkit.org/show_bug.cgi?id=153981
1571
1572         Reviewed by Saam Barati.
1573        
        In the first iteration of the arrow function implementation, we emitted loads and stores of the variables
        'this', 'arguments', 'super' and 'new.target' whenever an arrow function existed, even if those variables
        were not used in the arrow function. The current patch adds logic that prevents emitting those variables
        if they are not used in the arrow function. During syntax analysis the parser stores information about the
        variables used in the arrow function inside the ordinary function scope, and then passes it to the
        BytecodeGenerator through the UnlinkedCodeBlock.
1579
1580         * bytecode/ExecutableInfo.h:
1581         (JSC::ExecutableInfo::ExecutableInfo):
1582         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
1583         * bytecode/UnlinkedCodeBlock.cpp:
1584         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1585         * bytecode/UnlinkedCodeBlock.h:
1586         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
1587         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
1588         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
1589         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
1590         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
1591         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
1592         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
1593         * bytecode/UnlinkedFunctionExecutable.cpp:
1594         (JSC::generateUnlinkedFunctionCodeBlock):
1595         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1596         * bytecode/UnlinkedFunctionExecutable.h:
1597         * bytecompiler/BytecodeGenerator.cpp:
1598         (JSC::BytecodeGenerator::BytecodeGenerator):
1599         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1600         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1601         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
1602         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1603         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1604         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1605         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
1606         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1607         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1608         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1609         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1610         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1611         * bytecompiler/BytecodeGenerator.h:
1612         * bytecompiler/NodesCodegen.cpp:
1613         (JSC::ThisNode::emitBytecode):
1614         (JSC::EvalFunctionCallNode::emitBytecode):
1615         (JSC::FunctionCallValueNode::emitBytecode):
1616         (JSC::FunctionNode::emitBytecode):
1617         * parser/ASTBuilder.h:
1618         (JSC::ASTBuilder::createFunctionMetadata):
1619         * parser/Nodes.cpp:
1620         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1621         * parser/Nodes.h:
1622         * parser/Parser.cpp:
1623         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1624         (JSC::Parser<LexerType>::parseFunctionBody):
1625         (JSC::Parser<LexerType>::parseFunctionInfo):
1626         (JSC::Parser<LexerType>::parseProperty):
1627         (JSC::Parser<LexerType>::parsePrimaryExpression):
1628         (JSC::Parser<LexerType>::parseMemberExpression):
1629         * parser/Parser.h:
1630         (JSC::Scope::Scope):
1631         (JSC::Scope::isArrowFunctionBoundary):
1632         (JSC::Scope::innerArrowFunctionFeatures):
1633         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
1634         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
1635         (JSC::Scope::setInnerArrowFunctionUseEval):
1636         (JSC::Scope::setInnerArrowFunctionUseThis):
1637         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
1638         (JSC::Scope::setInnerArrowFunctionUseArguments):
1639         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
1640         (JSC::Scope::collectFreeVariables):
1641         (JSC::Scope::mergeInnerArrowFunctionFeatures):
1642         (JSC::Scope::fillParametersForSourceProviderCache):
1643         (JSC::Scope::restoreFromSourceProviderCache):
1644         (JSC::Scope::setIsFunction):
1645         (JSC::Scope::setIsArrowFunction):
1646         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
1647         (JSC::Parser::pushScope):
1648         (JSC::Parser::popScopeInternal):
1649         * parser/ParserModes.h:
1650         * parser/SourceProviderCacheItem.h:
1651         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1652         * parser/SyntaxChecker.h:
1653         (JSC::SyntaxChecker::createFunctionMetadata):
1654         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1655         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1656         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1657         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1658         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1659
1660 2016-02-23  Brian Burg  <bburg@apple.com>
1661
1662         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
1663         https://bugs.webkit.org/show_bug.cgi?id=154615
1664         <rdar://problem/24804330>
1665
1666         Reviewed by Timothy Hatcher.
1667
1668         Some of the generated Objective-C bindings are only relevant to code acting as the
1669         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
1670         --backend to all generators. Use the setting in a few generators to omit code that's
1671         not needed.
1672
1673         Also fix a few places where the code emits the wrong Objective-C class prefix.
1674         There is some common non-generated code that must always have the RWIProtocol prefix.
1675
1676         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
1677         macros defined in the internal header now need to be used outside of the framework.
1678
1679         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1680         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
1681         depending on the target framework.
1682
1683         * inspector/scripts/codegen/generate_objc_header.py:
1684         (ObjCHeaderGenerator.generate_output):
1685         For now, omit generating command protocol and event dispatchers when generating for --frontend.
1686
1687         (ObjCHeaderGenerator._generate_type_interface):
1688         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
1689
1690         * inspector/scripts/codegen/generate_objc_internal_header.py:
1691         Use RWIProtocolJSONObjectPrivate.h instead.
1692
1693         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1694         (ObjCProtocolTypesImplementationGenerator.generate_output):
1695         Include the Internal header if it's being generated (only for --backend).
1696
1697         * inspector/scripts/codegen/generator.py:
1698         (Generator.__init__):
1699         (Generator.set_generator_setting):
1700         (Generator):
1701         (Generator.get_generator_setting):
1702         Crib a simple setting system from the Framework class. Make the names more obnoxious.
1703
1704         (Generator.string_for_file_include):
1705         Inspired by the replay input generator, this is a function that uses the proper syntax
1706         for a file include depending on the file's framework and target framework.
1707
1708         * inspector/scripts/codegen/objc_generator.py:
1709         (ObjCGenerator.and):
1710         (ObjCGenerator.and.objc_prefix):
1711         (ObjCGenerator):
1712         (ObjCGenerator.objc_type_for_raw_name):
1713         (ObjCGenerator.objc_class_for_raw_name):
1714         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
1715
1716         * inspector/scripts/generate-inspector-protocol-bindings.py:
1717         (generate_from_specification):
1718         Change the generators to use for the frontend. Propagate --frontend and --backend.
1719
1720         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1721         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1722         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1723         * inspector/scripts/tests/expected/enum-values.json-result:
1724         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1725         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1726         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1727         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1728         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1729         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1730         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1731         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1732         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1733         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
1734
1735 2016-02-23  Saam barati  <sbarati@apple.com>
1736
1737         arrayProtoFuncConcat doesn't check for an exception after allocating an array
1738         https://bugs.webkit.org/show_bug.cgi?id=154621
1739
1740         Reviewed by Michael Saboff.
1741
1742         * runtime/ArrayPrototype.cpp:
1743         (JSC::arrayProtoFuncConcat):
1744
1745 2016-02-23  Dan Bernstein  <mitz@apple.com>
1746
1747         [Xcode] Linker errors display mangled names, but no longer should
1748         https://bugs.webkit.org/show_bug.cgi?id=154632
1749
1750         Reviewed by Sam Weinig.
1751
1752         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
1753
1754 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
1755
1756         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
1757         https://bugs.webkit.org/show_bug.cgi?id=112323
1758
1759         Reviewed by Chris Dumez.
1760
1761         This feature is controlled by a runtime switch, and defaults off.
1762
1763         * Configurations/FeatureDefines.xcconfig:
1764
1765 2016-02-23  Keith Miller  <keith_miller@apple.com>
1766
1767         JSC stress tests' standalone-pre.js should exit on the first failure by default
1768         https://bugs.webkit.org/show_bug.cgi?id=154565
1769
1770         Reviewed by Mark Lam.
1771
1772         Currently, if a test writer does not call finishJSTest() at the end of
1773         any test using stress/resources/standalone-pre.js then the test can fail
1774         without actually reporting an error to the harness. By default, we
1775         should throw on the first error so, in the event someone does not call
1776         finishJSTest() the harness will still notice the error.
1777
1778         * tests/stress/regress-151324.js:
1779         * tests/stress/resources/standalone-pre.js:
1780         (testFailed):
1781
1782 2016-02-23  Saam barati  <sbarati@apple.com>
1783
1784         Make JSObject::getMethod have fewer branches
1785         https://bugs.webkit.org/show_bug.cgi?id=154603
1786
1787         Reviewed by Mark Lam.
1788
1789         Writing code with fewer branches is almost always better.
1790
1791         * runtime/JSObject.cpp:
1792         (JSC::JSObject::getMethod):
1793
1794 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
1795
1796         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1797         https://bugs.webkit.org/show_bug.cgi?id=154592
1798
1799         Reviewed by Saam Barati.
1800
1801         If Foo has a virtual destructor, then:
1802
1803         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1804         subclass of Foo that overrides the destructor, this syntax will not call that override.
1805
1806         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1807         get the subclass's override.
1808
1809         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1810         This caused leaks because this didn't actually call the subclass's override. This fixes the
1811         problem by using this->~Value() instead.
1812
1813         * b3/B3ControlValue.cpp:
1814         (JSC::B3::ControlValue::convertToJump):
1815         (JSC::B3::ControlValue::convertToOops):
1816         * b3/B3Value.cpp:
1817         (JSC::B3::Value::replaceWithIdentity):
1818         (JSC::B3::Value::replaceWithNop):
1819         (JSC::B3::Value::replaceWithPhi):
1820
1821 2016-02-23  Brian Burg  <bburg@apple.com>
1822
1823         Web Inspector: the protocol generator's Objective-C name prefix should be configurable
1824         https://bugs.webkit.org/show_bug.cgi?id=154596
1825         <rdar://problem/24794962>
1826
1827         Reviewed by Timothy Hatcher.
1828
1829         In order to support different generated protocol sets that don't have conflicting
1830         file and type names, allow the Objective-C prefix to be configurable based on the
1831         target framework. Each name also has the implicit prefix 'Protocol' appended to the
1832         per-target framework prefix.
1833
1834         For example, the existing protocol for remote inspection has the prefix 'RWI'
1835         and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
1836         and is generated as 'AutomationProtocol'.
1837
1838         To make this change, convert ObjCGenerator to be a subclass of Generator and use
1839         the instance method model() to find the target framework and its setting for
1840         'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
1841         these instance methods that used to be static methods. This is a large but
1842         mechanical change to use self instead of ObjCGenerator.
1843
1844         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1845         (ObjCBackendDispatcherHeaderGenerator):
1846         (ObjCBackendDispatcherHeaderGenerator.__init__):
1847         (ObjCBackendDispatcherHeaderGenerator.output_filename):
1848         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1849         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1850         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1851         (ObjCConfigurationImplementationGenerator):
1852         (ObjCConfigurationImplementationGenerator.__init__):
1853         (ObjCConfigurationImplementationGenerator.output_filename):
1854         (ObjCConfigurationImplementationGenerator.generate_output):
1855         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1856         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
1857         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
1858         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1859         (ObjCConfigurationHeaderGenerator):
1860         (ObjCConfigurationHeaderGenerator.__init__):
1861         (ObjCConfigurationHeaderGenerator.output_filename):
1862         (ObjCConfigurationHeaderGenerator.generate_output):
1863         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1864         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1865         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1866         (ObjCBackendDispatcherImplementationGenerator):
1867         (ObjCBackendDispatcherImplementationGenerator.__init__):
1868         (ObjCBackendDispatcherImplementationGenerator.output_filename):
1869         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1870         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1871         (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
1872         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
1873         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
1874         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1875         (ObjCConversionHelpersGenerator):
1876         (ObjCConversionHelpersGenerator.__init__):
1877         (ObjCConversionHelpersGenerator.output_filename):
1878         (ObjCConversionHelpersGenerator.generate_output):
1879         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
1880         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
1881         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
1882         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1883         (ObjCFrontendDispatcherImplementationGenerator):
1884         (ObjCFrontendDispatcherImplementationGenerator.__init__):
1885         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1886         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1887         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1888         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1889         (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
1890         (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
1891         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1892         * inspector/scripts/codegen/generate_objc_header.py:
1893         (ObjCHeaderGenerator):
1894         (ObjCHeaderGenerator.__init__):
1895         (ObjCHeaderGenerator.output_filename):
1896         (ObjCHeaderGenerator.generate_output):
1897         (ObjCHeaderGenerator._generate_forward_declarations):
1898         (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
1899         (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
1900         (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
1901         (ObjCHeaderGenerator._generate_type_interface):
1902         (ObjCHeaderGenerator._generate_init_method_for_required_members):
1903         (ObjCHeaderGenerator._generate_member_property):
1904         (ObjCHeaderGenerator._generate_command_protocols):
1905         (ObjCHeaderGenerator._generate_single_command_protocol):
1906         (ObjCHeaderGenerator._callback_block_for_command):
1907         (ObjCHeaderGenerator._generate_event_interfaces):
1908         (ObjCHeaderGenerator._generate_single_event_interface):
1909         * inspector/scripts/codegen/generate_objc_internal_header.py:
1910         (ObjCInternalHeaderGenerator):
1911         (ObjCInternalHeaderGenerator.__init__):
1912         (ObjCInternalHeaderGenerator.output_filename):
1913         (ObjCInternalHeaderGenerator.generate_output):
1914         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1915         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1916         (ObjCProtocolTypesImplementationGenerator):
1917         (ObjCProtocolTypesImplementationGenerator.__init__):
1918         (ObjCProtocolTypesImplementationGenerator.output_filename):
1919         (ObjCProtocolTypesImplementationGenerator.generate_output):
1920         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1921         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
1922         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
1923         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
1924         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
1925         (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
1926         * inspector/scripts/codegen/models.py:
1927         * inspector/scripts/codegen/objc_generator.py:
1928         (ObjCTypeCategory.category_for_type):
1929         (ObjCGenerator):
1930         (ObjCGenerator.__init__):
1931         (ObjCGenerator.objc_prefix):
1932         (ObjCGenerator.objc_name_for_type):
1933         (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
1934         (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
1935         (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
1936         (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
1937         (ObjCGenerator.objc_class_for_type):
1938         (ObjCGenerator.objc_class_for_array_type):
1939         (ObjCGenerator.objc_accessor_type_for_member):
1940         (ObjCGenerator.objc_accessor_type_for_member_internal):
1941         (ObjCGenerator.objc_type_for_member):
1942         (ObjCGenerator.objc_type_for_member_internal):
1943         (ObjCGenerator.objc_type_for_param):
1944         (ObjCGenerator.objc_type_for_param_internal):
1945         (ObjCGenerator.objc_protocol_export_expression_for_variable):
1946         (ObjCGenerator.objc_protocol_import_expression_for_member):
1947         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
1948         (ObjCGenerator.objc_protocol_import_expression_for_variable):
1949         (ObjCGenerator.objc_to_protocol_expression_for_member):
1950         (ObjCGenerator.protocol_to_objc_expression_for_member):
1951
1952         Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
1953
1954         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1955         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1956         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1957         * inspector/scripts/tests/expected/enum-values.json-result:
1958         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1959         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1960         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1961         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1962         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1963         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1964         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1965         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1966         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1967
1968 2016-02-23  Mark Lam  <mark.lam@apple.com>
1969
1970         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
1971         https://bugs.webkit.org/show_bug.cgi?id=154542
1972
1973         Reviewed by Saam Barati.
1974
1975         According to the spec, the constructors of the following types "are not intended
1976         to be called as a function and will throw an exception".  These types are:
1977             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
1978             Map - https://tc39.github.io/ecma262/#sec-map-constructor
1979             Set - https://tc39.github.io/ecma262/#sec-set-constructor
1980             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
1981             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
1982             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
1983             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
1984             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
1985             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
1986
1987         This patch does the following:
1988         1. Ensures that these constructors can be called but will throw a TypeError
1989            when called.
1990         2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
1991            in their implementation to be consistent.
1992         3. Changes the error message to "calling XXX constructor without new is invalid".
1993            This is clearer because the error is likely due to the user forgetting to use
1994            the new operator on these constructors.
1995
1996         * runtime/Error.h:
1997         * runtime/Error.cpp:
1998         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
1999         - Added a convenience function to throw the TypeError.
2000
2001         * runtime/JSArrayBufferConstructor.cpp:
2002         (JSC::constructArrayBuffer):
2003         (JSC::callArrayBuffer):
2004         (JSC::JSArrayBufferConstructor::getCallData):
2005         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2006         (JSC::callGenericTypedArrayView):
2007         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
2008         * runtime/JSPromiseConstructor.cpp:
2009         (JSC::callPromise):
2010         * runtime/MapConstructor.cpp:
2011         (JSC::callMap):
2012         * runtime/ProxyConstructor.cpp:
2013         (JSC::callProxy):
2014         (JSC::ProxyConstructor::getCallData):
2015         * runtime/SetConstructor.cpp:
2016         (JSC::callSet):
2017         * runtime/WeakMapConstructor.cpp:
2018         (JSC::callWeakMap):
2019         * runtime/WeakSetConstructor.cpp:
2020         (JSC::callWeakSet):
2021
2022         * tests/es6.yaml:
2023         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
2024
2025         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
2026         (test):
2027
2028         * tests/stress/map-constructor.js:
2029         (testCallTypeError):
2030         * tests/stress/promise-cannot-be-called.js:
2031         (shouldThrow):
2032         * tests/stress/proxy-basic.js:
2033         * tests/stress/set-constructor.js:
2034         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
2035         (i.catch):
2036         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
2037         (i.catch):
2038         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
2039         (i.catch):
2040         * tests/stress/weak-map-constructor.js:
2041         (testCallTypeError):
2042         * tests/stress/weak-set-constructor.js:
2043         - Updated error message string.
2044
2045 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
2046
2047         ASan build fix.
2048
2049         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
2050
2051         * inspector/InspectorBackendDispatcher.h:
2052
2053 2016-02-23  Brian Burg  <bburg@apple.com>
2054
2055         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
2056         https://bugs.webkit.org/show_bug.cgi?id=154518
2057         <rdar://problem/24761096>
2058
2059         Reviewed by Timothy Hatcher.
2060
2061         * inspector/InspectorBackendDispatcher.h:
2062         Export all the classes since they are used by WebKit::WebAutomationSession.
2063
2064 2016-02-22  Brian Burg  <bburg@apple.com>
2065
2066         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2067         https://bugs.webkit.org/show_bug.cgi?id=154509
2068         <rdar://problem/24759098>
2069
2070         Reviewed by Timothy Hatcher.
2071
2072         Add a new 'WebKit' framework, which is used to generate protocol code
2073         in WebKit2.
2074
2075         Add --backend and --frontend flags to the main generator script.
2076         These allow a framework to trigger two different sets of generators
2077         so they can be separately generated and compiled.
2078
2079         * inspector/scripts/codegen/models.py:
2080         (Framework.fromString):
2081         (Frameworks): Add new framework.
2082
2083         * inspector/scripts/generate-inspector-protocol-bindings.py:
2084         If neither --backend nor --frontend is specified, assume both are wanted.
2085         This matches the behavior for JavaScriptCore and WebInspector frameworks.
2086
2087         (generate_from_specification):
2088         Generate C++ files for the backend and Objective-C files for the frontend.
2089
2090 2016-02-22  Saam barati  <sbarati@apple.com>
2091
2092         JSGlobalObject doesn't visit ProxyObjectStructure during GC
2093         https://bugs.webkit.org/show_bug.cgi?id=154564
2094
2095         Rubber stamped by Mark Lam.
2096
2097         * runtime/JSGlobalObject.cpp:
2098         (JSC::JSGlobalObject::visitChildren):
2099
2100 2016-02-22  Saam barati  <sbarati@apple.com>
2101
2102         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
2103         https://bugs.webkit.org/show_bug.cgi?id=154548
2104
2105         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
2106
2107         InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw 
2108         an exception. Neither the function nor the call sites of the function took this into
2109         account. This patch audits the call sites of the function to make it work in
2110         the event that an exception is thrown.
2111
2112         * runtime/BooleanConstructor.cpp:
2113         (JSC::constructWithBooleanConstructor):
2114         * runtime/DateConstructor.cpp:
2115         (JSC::constructDate):
2116         * runtime/ErrorConstructor.cpp:
2117         (JSC::Interpreter::constructWithErrorConstructor):
2118         * runtime/FunctionConstructor.cpp:
2119         (JSC::constructFunctionSkippingEvalEnabledCheck):
2120         * runtime/InternalFunction.cpp:
2121         (JSC::InternalFunction::createSubclassStructure):
2122         * runtime/JSArrayBufferConstructor.cpp:
2123         (JSC::constructArrayBuffer):
2124         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2125         (JSC::constructGenericTypedArrayView):
2126         * runtime/JSGlobalObject.h:
2127         (JSC::constructEmptyArray):
2128         (JSC::constructArray):
2129         (JSC::constructArrayNegativeIndexed):
2130         * runtime/JSPromiseConstructor.cpp:
2131         (JSC::constructPromise):
2132         * runtime/MapConstructor.cpp:
2133         (JSC::constructMap):
2134         * runtime/NativeErrorConstructor.cpp:
2135         (JSC::Interpreter::constructWithNativeErrorConstructor):
2136         * runtime/NumberConstructor.cpp:
2137         (JSC::constructWithNumberConstructor):
2138         * runtime/RegExpConstructor.cpp:
2139         (JSC::getRegExpStructure):
2140         (JSC::constructRegExp):
2141         (JSC::constructWithRegExpConstructor):
2142         * runtime/SetConstructor.cpp:
2143         (JSC::constructSet):
2144         * runtime/StringConstructor.cpp:
2145         (JSC::constructWithStringConstructor):
2146         (JSC::StringConstructor::getConstructData):
2147         * runtime/WeakMapConstructor.cpp:
2148         (JSC::constructWeakMap):
2149         * runtime/WeakSetConstructor.cpp:
2150         (JSC::constructWeakSet):
2151         * tests/stress/create-subclass-structure-might-throw.js: Added.
2152         (assert):
2153
2154 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
2155
2156         Fix build and implement functions to retrieve registers on FreeBSD
2157         https://bugs.webkit.org/show_bug.cgi?id=152258
2158
2159         Reviewed by Michael Catanzaro.
2160
2161         * heap/MachineStackMarker.cpp:
2162         (pthreadSignalHandlerSuspendResume):
2163         struct ucontext is not specified in POSIX and it is not available on
2164         FreeBSD. Replacing it with ucontext_t fixes the build problem.
2165         (JSC::MachineThreads::Thread::Registers::stackPointer):
2166         (JSC::MachineThreads::Thread::Registers::framePointer):
2167         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2168         (JSC::MachineThreads::Thread::Registers::llintPC):
2169         * heap/MachineStackMarker.h:
2170
2171 2016-02-22  Saam barati  <sbarati@apple.com>
2172
2173         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
2174         https://bugs.webkit.org/show_bug.cgi?id=154552
2175
2176         Reviewed by Mark Lam.
2177
2178         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
2179         They return false on a Proxy with internal [[Call]] and [[Construct]]
2180         properties. It seems safest, most forward looking, and most adherent
2181         to the specification to check getCallData() and getConstructData() to
2182         implement these functions.
2183
2184         * runtime/InternalFunction.cpp:
2185         (JSC::InternalFunction::createSubclassStructure):
2186         * runtime/JSCJSValueInlines.h:
2187         (JSC::JSValue::isFunction):
2188         (JSC::JSValue::isConstructor):
2189
2190 2016-02-22  Keith Miller  <keith_miller@apple.com>
2191
2192         Bound functions should use the prototype of the function being bound
2193         https://bugs.webkit.org/show_bug.cgi?id=154195
2194
2195         Reviewed by Geoffrey Garen.
2196
2197         Per ES6, the result of Function.prototype.bind should have the same
2198         prototype as the function being bound. In order to avoid creating
2199         a new structure each time a function is bound we store the new
2200         structure in our structure map. However, we cannot currently store
2201         structures that have a different GlobalObject than their prototype.
2202         In the rare case that the GlobalObject differs or the prototype of
2203         the bindee is null we create a new structure each time. To further
2204         minimize new structures, as well as making structure lookup faster,
2205         we also store the structure in the RareData of the function we
2206         are binding.
2207
2208         * runtime/FunctionRareData.cpp:
2209         (JSC::FunctionRareData::visitChildren):
2210         * runtime/FunctionRareData.h:
2211         (JSC::FunctionRareData::getBoundFunctionStructure):
2212         (JSC::FunctionRareData::setBoundFunctionStructure):
2213         * runtime/JSBoundFunction.cpp:
2214         (JSC::getBoundFunctionStructure):
2215         (JSC::JSBoundFunction::create):
2216         * tests/es6.yaml:
2217         * tests/stress/bound-function-uses-prototype.js: Added.
2218         (testChangeProto.foo):
2219         (testChangeProto):
2220         (testBuiltins):
2221         * tests/stress/class-subclassing-function.js:
2222
2223 2016-02-22  Keith Miller  <keith_miller@apple.com>
2224
2225         Unreviewed, fix stress test to not print on success.
2226
2227         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
2228         (catch): Deleted.
2229
2230 2016-02-22  Keith Miller  <keith_miller@apple.com>
2231
2232         Use Symbol.species in the builtin TypedArray.prototype functions
2233         https://bugs.webkit.org/show_bug.cgi?id=153384
2234
2235         Reviewed by Geoffrey Garen.
2236
2237         This patch adds the use of species constructors to the TypedArray.prototype map and filter
2238         functions. It also adds a new private function typedArrayGetOriginalConstructor that
2239         returns the TypedArray constructor used to originally create a TypedArray instance.
2240
2241         There are no ES6 tests to update for this patch as species creation for these functions is
2242         not tested in the compatibility table.
2243
2244         * builtins/TypedArrayPrototype.js:
2245         (map):
2246         (filter):
2247         * bytecode/BytecodeIntrinsicRegistry.cpp:
2248         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2249         * bytecode/BytecodeIntrinsicRegistry.h:
2250         * runtime/CommonIdentifiers.h:
2251         * runtime/JSGlobalObject.cpp:
2252         (JSC::JSGlobalObject::init):
2253         (JSC::JSGlobalObject::visitChildren):
2254         * runtime/JSGlobalObject.h:
2255         (JSC::JSGlobalObject::typedArrayConstructor):
2256         * runtime/JSTypedArrayViewPrototype.cpp:
2257         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
2258         * runtime/JSTypedArrayViewPrototype.h:
2259         * tests/stress/typedarray-filter.js:
2260         (subclasses.typedArrays.map):
2261         (prototype.accept):
2262         (testSpecies):
2263         (accept):
2264         (forEach):
2265         (subclasses.forEach):
2266         (testSpeciesRemoveConstructor):
2267         * tests/stress/typedarray-map.js:
2268         (subclasses.typedArrays.map):
2269         (prototype.id):
2270         (testSpecies):
2271         (id):
2272         (forEach):
2273         (subclasses.forEach):
2274         (testSpeciesRemoveConstructor):
2275
2276 2016-02-22  Keith Miller  <keith_miller@apple.com>
2277
2278         Builtins that should not rely on iteration do.
2279         https://bugs.webkit.org/show_bug.cgi?id=154475
2280
2281         Reviewed by Geoffrey Garen.
2282
2283         When changing the behavior of varargs calls to use ES6 iterators the
2284         call builtin function's use of a varargs call was overlooked. The use
2285         of iterators is observable outside the scope of the call function,
2286         thus it must be reimplemented.
2287
2288         * builtins/FunctionPrototype.js:
2289         (call):
2290         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
2291         (test):
2292         (addAll):
2293         (catch):
2294
2295 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
2296
2297         [JSC shell] Don't put empty arguments array to VM.
2298         https://bugs.webkit.org/show_bug.cgi?id=154516
2299
2300         Reviewed by Geoffrey Garen.
2301
2302         This allows the arrowfunction-lexical-bind-arguments-top-level test to pass
2303         in jsc as well as in the browser.
2304
2305         * jsc.cpp:
2306         (GlobalObject::finishCreation):
2307
2308 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
2309
2310         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
2311         https://bugs.webkit.org/show_bug.cgi?id=154450
2312
2313         Reviewed by Alex Christensen.
2314
2315         * CMakeLists.txt:
2316
2317 2016-02-22  Commit Queue  <commit-queue@webkit.org>
2318
2319         Unreviewed, rolling out r196891.
2320         https://bugs.webkit.org/show_bug.cgi?id=154539
2321
2322         it broke Production builds (Requested by brrian on #webkit).
2323
2324         Reverted changeset:
2325
2326         "Web Inspector: add 'Automation' protocol domain and generate
2327         its backend classes separately in WebKit2"
2328         https://bugs.webkit.org/show_bug.cgi?id=154509
2329         http://trac.webkit.org/changeset/196891
2330
2331 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
2332
2333         CodeBlock always visits its unlinked code twice
2334         https://bugs.webkit.org/show_bug.cgi?id=154494
2335
2336         Reviewed by Saam Barati.
2337
2338         * bytecode/CodeBlock.cpp:
2339         (JSC::CodeBlock::visitChildren):
2340         The unlinked code is always visited in stronglyVisitStrongReferences.
2341
2342 2016-02-21  Brian Burg  <bburg@apple.com>
2343
2344         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2345         https://bugs.webkit.org/show_bug.cgi?id=154509
2346         <rdar://problem/24759098>
2347
2348         Reviewed by Timothy Hatcher.
2349
2350         Add a new 'WebKit' framework, which is used to generate protocol code
2351         in WebKit2.
2352
2353         Add --backend and --frontend flags to the main generator script.
2354         These allow a framework to trigger two different sets of generators
2355         so they can be separately generated and compiled.
2356
2357         * inspector/scripts/codegen/models.py:
2358         (Framework.fromString):
2359         (Frameworks): Add new framework.
2360
2361         * inspector/scripts/generate-inspector-protocol-bindings.py:
2362         If neither --backend nor --frontend is specified, assume both are wanted.
2363         This matches the behavior for JavaScriptCore and WebInspector frameworks.
2364
2365         (generate_from_specification):
2366         Generate C++ files for the backend and Objective-C files for the frontend.
2367
2368 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2369
2370         Improvements to Intl code
2371         https://bugs.webkit.org/show_bug.cgi?id=154486
2372
2373         Reviewed by Darin Adler.
2374
2375         This patch does several things:
2376         - Use std::unique_ptr to store ICU objects.
2377         - Pass Vector::size() to ICU functions that take a buffer size instead
2378           of Vector::capacity().
2379         - If U_SUCCESS(status) is true, it means there is no error, but there
2380           could be warnings. ICU functions ignore warnings. So, there is no need
2381           to reset status to U_ZERO_ERROR.
2382         - Remove the initialization of the String instance variables of
2383           IntlDateTimeFormat. These values are never read and cause unnecessary
2384           memory allocation.
2385         - Fix coding style.
2386         - Some small optimization.
2387
2388         * runtime/IntlCollator.cpp:
2389         (JSC::IntlCollator::UCollatorDeleter::operator()):
2390         (JSC::IntlCollator::createCollator):
2391         (JSC::IntlCollator::compareStrings):
2392         (JSC::IntlCollator::~IntlCollator): Deleted.
2393         * runtime/IntlCollator.h:
2394         * runtime/IntlDateTimeFormat.cpp:
2395         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
2396         (JSC::defaultTimeZone):
2397         (JSC::canonicalizeTimeZoneName):
2398         (JSC::toDateTimeOptionsAnyDate):
2399         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2400         (JSC::IntlDateTimeFormat::weekdayString):
2401         (JSC::IntlDateTimeFormat::format):
2402         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
2403         (JSC::localeData): Deleted.
2404         * runtime/IntlDateTimeFormat.h:
2405         * runtime/IntlDateTimeFormatConstructor.cpp:
2406         * runtime/IntlNumberFormatConstructor.cpp:
2407         * runtime/IntlObject.cpp:
2408         (JSC::numberingSystemsForLocale):
2409
2410 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
2411
2412         Remove arrowfunction test cases that rely on arguments variable in jsc
2413         https://bugs.webkit.org/show_bug.cgi?id=154517
2414
2415         Reviewed by Yusuke Suzuki.
2416
2417         Allow jsc to have the same JavaScript behavior as the browser has.
2418
2419         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
2420         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
2421
2422 2016-02-21  Brian Burg  <bburg@apple.com>
2423
2424         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
2425         https://bugs.webkit.org/show_bug.cgi?id=154508
2426         <rdar://problem/24759077>
2427
2428         Reviewed by Timothy Hatcher.
2429
2430         In preparation for being able to generate protocol files for WebKit2,
2431         make it possible to not emit generated code that's guarded by
2432         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
2433         backend dispatchers generated outside of JavaScriptCore. We can't just
2434         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
2435         in the configurations where the code is actually used.
2436
2437         Add a new opt-in Framework configuration option that turns on generating
2438         this code. Adjust how the code is generated so that it can be easily excluded.
2439
2440         * inspector/scripts/codegen/cpp_generator_templates.py:
2441         Make a separate template for the declarations that are guarded.
2442         Add an initializer expression so the order of initializers doesn't matter.
2443
2444         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2445         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
2446         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2447         If the declarations are needed, they will be appended to the end of the
2448         declarations list.
2449
2450         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2451         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
2452         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
2453
2454         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
2455         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
2456
2457         Rebaseline affected tests.
2458
2459         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2460         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2461         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2462         * inspector/scripts/tests/expected/enum-values.json-result:
2463         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2464
2465 2016-02-21  Brian Burg  <bburg@apple.com>
2466
2467         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
2468         https://bugs.webkit.org/show_bug.cgi?id=154505
2469         <rdar://problem/24758042>
2470
2471         Reviewed by Timothy Hatcher.
2472
2473         It should be possible to generate code for a framework using some generators
2474         that other frameworks also use. Right now the generator selection code assumes
2475         that use of a generator is mutually exclusive among non-test frameworks.
2476
2477         Make this code explicitly switch on the framework. Reorder generators
2478         alphabetically within each case.
2479
2480         * inspector/scripts/generate-inspector-protocol-bindings.py:
2481         (generate_from_specification):
2482
2483         Rebaseline tests that are affected by generator reorderings.
2484
2485         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2486         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2487         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2488         * inspector/scripts/tests/expected/enum-values.json-result:
2489         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2490         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2491         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2492         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2493         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2494         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2495         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2496         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2497         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2498
2499 2016-02-19  Saam Barati  <sbarati@apple.com>
2500
2501         [ES6] Implement Proxy.[[Construct]]
2502         https://bugs.webkit.org/show_bug.cgi?id=154440
2503
2504         Reviewed by Oliver Hunt.
2505
2506         This patch is mostly an implementation of
2507         Proxy.[[Construct]] with respect to section 9.5.13
2508         of the ECMAScript spec.
2509         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
2510
2511         This patch also changes op_create_this to accept new.target's
2512         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
2513         because we might construct a JSFunction with a new.target being
2514         a Proxy. This will also be needed when we implement Reflect.construct.
2515
2516         * dfg/DFGOperations.cpp:
2517         * dfg/DFGSpeculativeJIT32_64.cpp:
2518         (JSC::DFG::SpeculativeJIT::compile):
2519         * dfg/DFGSpeculativeJIT64.cpp:
2520         (JSC::DFG::SpeculativeJIT::compile):
2521         * jit/JITOpcodes.cpp:
2522         (JSC::JIT::emit_op_create_this):
2523         (JSC::JIT::emitSlow_op_create_this):
2524         * jit/JITOpcodes32_64.cpp:
2525         (JSC::JIT::emit_op_create_this):
2526         (JSC::JIT::emitSlow_op_create_this):
2527         * llint/LLIntData.cpp:
2528         (JSC::LLInt::Data::performAssertions):
2529         * llint/LowLevelInterpreter.asm:
2530         * llint/LowLevelInterpreter32_64.asm:
2531         * llint/LowLevelInterpreter64.asm:
2532         * runtime/CommonSlowPaths.cpp:
2533         (JSC::SLOW_PATH_DECL):
2534         * runtime/ProxyObject.cpp:
2535         (JSC::ProxyObject::finishCreation):
2536         (JSC::ProxyObject::visitChildren):
2537         (JSC::performProxyConstruct):
2538         (JSC::ProxyObject::getConstructData):
2539         * runtime/ProxyObject.h:
2540         * tests/es6.yaml:
2541         * tests/stress/proxy-construct.js: Added.
2542         (assert):
2543         (throw.new.Error.let.target):
2544         (throw.new.Error):
2545         (assert.let.target):
2546         (assert.let.handler.get construct):
2547         (let.target):
2548         (let.handler.construct):
2549         (i.catch):
2550         (assert.let.handler.construct):
2551         (assert.let.construct):
2552         (assert.else.assert.let.target):
2553         (assert.else.assert.let.construct):
2554         (assert.else.assert):
2555         (new.proxy.let.target):
2556         (new.proxy.let.construct):
2557         (new.proxy):
2558
2559 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2560
2561         [INTL] Implement Number Format Functions
2562         https://bugs.webkit.org/show_bug.cgi?id=147605
2563
2564         Reviewed by Darin Adler.
2565
2566         This patch implements Intl.NumberFormat.prototype.format() according
2567         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
2568
2569         * runtime/IntlNumberFormat.cpp:
2570         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
2571         (JSC::IntlNumberFormat::initializeNumberFormat):
2572         (JSC::IntlNumberFormat::createNumberFormat):
2573         (JSC::IntlNumberFormat::formatNumber):
2574         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
2575         * runtime/IntlNumberFormat.h:
2576         * runtime/IntlNumberFormatPrototype.cpp:
2577         (JSC::IntlNumberFormatFuncFormatNumber):
2578
2579 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
2580
2581         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
2582         https://bugs.webkit.org/show_bug.cgi?id=154416
2583
2584         Reviewed by Geoff Garen.
2585
2586         Here's the bug. Suppose you call JSObject::getOwnProperty and -
2587           - PropertyName contains an index,
2588           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
2589           - The base of the access (or another object on the prototype chain) shadows that property.
2590
2591         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
2592         index, and as such walks up the prototype chain looking for non-index properties before it
2593         tries calling parseIndex.
2594
2595         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
2596         would potentially return the property) we may have already skipped over non-overriding
2597         objects that contain the property in index storage.
2598
2599         * runtime/JSObject.h:
2600         (JSC::JSObject::getOwnNonIndexPropertySlot):
2601             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
2602               added ASSERT guarding that this method never returns index properties -
2603               if it ever does, this is unsafe for getPropertySlot.
2604         (JSC::JSObject::getOwnPropertySlot):
2605             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
2606         (JSC::JSObject::getPropertySlot):
2607             - In case of object overriding getOwnPropertySlot check if propertyName is an index.
2608         (JSC::JSObject::getNonIndexPropertySlot):
2609             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
2610               in order to avoid repeated calls to parseIndex.
2611         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
2612             - this was renamed to getOwnNonIndexPropertySlot.
2613         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
2614             - this was folded back into getPropertySlot.
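
        Added example (not WebKit's regression test for this bug): the lookup scenario described in the entry above, written as a spec-conformance check that runs in Node or a browser. A String wrapper object answers index lookups from its own character storage; plain objects inheriting from it shadow one index with an own property placed either on the base or in the middle of the chain. Per ECMA-262, the nearest own property must win regardless of how the prototype object implements its own lookup. The function and property names are constructed for the example.

```javascript
// Added example, not part of the WebKit change. Builds the shadowing
// configuration described in the ChangeLog entry and returns what each
// lookup yields, so the spec-mandated results can be asserted.
function indexShadowingResults() {
  const proto = new String("abc");          // owns index properties "0", "1", "2"
  const base = Object.create(proto);
  // String index properties are non-writable, so a plain `base[0] = "x"`
  // would be rejected by the inherited non-writable property (or throw in
  // strict mode). defineProperty creates the shadowing own property directly.
  Object.defineProperty(base, "0", {
    value: "x", writable: true, enumerable: true, configurable: true,
  });

  // Same idea, but the shadow sits on an object in the middle of the chain.
  const mid = Object.create(proto);
  Object.defineProperty(mid, "1", {
    value: "m", writable: true, enumerable: true, configurable: true,
  });
  const deep = Object.create(mid);

  return {
    shadowed: base[0],                      // "x": own property wins over proto[0]
    inherited: base[1],                     // "b": found on the String object
    ownDescriptor: Object.getOwnPropertyDescriptor(base, "0").value, // "x"
    viaMiddle: deep[1],                     // "m": middle object shadows proto[1]
    deepInherited: deep[2],                 // "c": falls through to the String object
    hasInherited: 2 in base,                // true: [[HasProperty]] walks the chain
    missing: base[3],                       // undefined: beyond the string's length
  };
}
```

        Running this against an engine with the bug described above would surface a wrong value for `shadowed` or `viaMiddle` (the prototype's character instead of the shadowing property); a conforming engine returns the commented values.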
2615
2616 2016-02-19  Saam Barati  <sbarati@apple.com>
2617
2618         [ES6] Implement Proxy.[[Call]]
2619         https://bugs.webkit.org/show_bug.cgi?id=154425
2620
2621         Reviewed by Mark Lam.
2622
2623         This patch is a straightforward implementation of
2624         Proxy.[[Call]] with respect to section 9.5.12
2625         of the ECMAScript spec.
2626         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
2627
2628         * runtime/ProxyObject.cpp:
2629         (JSC::ProxyObject::finishCreation):
2630         (JSC::performProxyGet):
2631         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2632         (JSC::ProxyObject::performHasProperty):
2633         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2634         (JSC::performProxyCall):
2635         (JSC::ProxyObject::getCallData):
2636         (JSC::ProxyObject::visitChildren):
2637         * runtime/ProxyObject.h:
2638         (JSC::ProxyObject::create):
2639         * tests/es6.yaml:
2640         * tests/stress/proxy-call.js: Added.
2641         (assert):
2642         (throw.new.Error.let.target):
2643         (throw.new.Error.let.handler.apply):
2644         (throw.new.Error):
2645         (assert.let.target):
2646         (assert.let.handler.get apply):
2647         (let.target):
2648         (let.handler.apply):
2649         (i.catch):
2650         (assert.let.handler.apply):
2651
2652 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
2653
2654         Remove more LLVM related dead code after r196729
2655         https://bugs.webkit.org/show_bug.cgi?id=154387
2656
2657         Reviewed by Filip Pizlo.
2658
2659         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
2660         * Configurations/LLVMForJSC.xcconfig: Removed.
2661         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
2662         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
2663         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
2664         * JavaScriptCore.xcodeproj/project.pbxproj:
2665         * disassembler/X86Disassembler.cpp:
2666
2667 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2668
2669         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
2670         https://bugs.webkit.org/show_bug.cgi?id=154442
2671
2672         Reviewed by Saam Barati.
2673
2674         * runtime/JSString.h:
2675         (JSC::isJSString):
2676
2677 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2678
2679         Remove unused SymbolTable::createNameScopeTable
2680         https://bugs.webkit.org/show_bug.cgi?id=154443
2681
2682         Reviewed by Saam Barati.
2683
2684         * runtime/SymbolTable.h:
2685
2686 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
2687
2688         [JSC] Improve the instruction selection of Select
2689         https://bugs.webkit.org/show_bug.cgi?id=154432
2690
2691         Reviewed by Filip Pizlo.
2692
2693         Plenty of code but this patch is pretty dumb:
2694         -On ARM64: use the 3 operand form of CSEL instead of forcing a source
2695          to be aliased to the destination. This gives more freedom to the register
2696          allocator and it is one less Move to process per Select.
2697         -On x86, introduce a fake 3 operands form and use aggressive aliasing
2698          to try to alias both sources to the destination.
2699
2700          If aliasing succeeds on the "elseCase", the condition of the Select
2701          is reverted in the MacroAssembler.
2702
2703          If no aliasing is possible and we end up with 3 registers, the missing
2704          move instruction is generated by the MacroAssembler.
2705
2706          The missing move is generated after testing the values because the destination
2707          can use the same register as one of the test operands.
2708          Experimental testing seems to indicate there is no macro-fusion on CMOV, so
2709          there is no measurable cost to having the move there.
2710
2711         * assembler/MacroAssembler.h:
2712         (JSC::MacroAssembler::isInvertible):
2713         (JSC::MacroAssembler::invert):
2714         * assembler/MacroAssemblerARM64.h:
2715         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
2716         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
2717         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2718         (JSC::MacroAssemblerARM64::moveConditionally32):
2719         (JSC::MacroAssemblerARM64::moveConditionally64):
2720         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2721         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
2722         * assembler/MacroAssemblerX86Common.h:
2723         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2724         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2725         (JSC::MacroAssemblerX86Common::moveConditionally32):
2726         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
2727         (JSC::MacroAssemblerX86Common::invert):
2728         (JSC::MacroAssemblerX86Common::isInvertible):
2729         * assembler/MacroAssemblerX86_64.h:
2730         (JSC::MacroAssemblerX86_64::moveConditionally64):
2731         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
2732         * b3/B3LowerToAir.cpp:
2733         (JSC::B3::Air::LowerToAir::createSelect):
2734         (JSC::B3::Air::LowerToAir::lower):
2735         * b3/air/AirInstInlines.h:
2736         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2737         * b3/air/AirOpcode.opcodes:
2738
2739 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2740
2741         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
2742         https://bugs.webkit.org/show_bug.cgi?id=154430
2743
2744         Reviewed by Saam Barati.
2745
2746         llvm isn't used anymore.
2747
2748         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
2749
2750 2016-02-18  Saam Barati  <sbarati@apple.com>
2751
2752         Implement Proxy.[[HasProperty]]
2753         https://bugs.webkit.org/show_bug.cgi?id=154313
2754
2755         Reviewed by Filip Pizlo.
2756
2757         This patch is a straightforward implementation of
2758         Proxy.[[HasProperty]] with respect to section 9.5.7
2759         of the ECMAScript spec.
2760         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
2761
2762         * runtime/ProxyObject.cpp:
2763         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2764         (JSC::ProxyObject::performHasProperty):
2765         (JSC::ProxyObject::getOwnPropertySlotCommon):
2766         * runtime/ProxyObject.h:
2767         * tests/es6.yaml:
2768         * tests/stress/proxy-basic.js:
2769         (assert):
2770         (let.handler.has):
2771         * tests/stress/proxy-has-property.js: Added.
2772         (assert):
2773         (throw.new.Error.let.handler.get has):
2774         (throw.new.Error):
2775         (assert.let.handler.has):
2776         (let.handler.has):
2777         (getOwnPropertyDescriptor):
2778         (i.catch):
2779
2780 2016-02-18  Saam Barati  <sbarati@apple.com>
2781
2782         Proxies don't properly handle Symbols as PropertyKeys.
2783         https://bugs.webkit.org/show_bug.cgi?id=154385
2784
2785         Reviewed by Mark Lam and Yusuke Suzuki.
2786
2787         We were converting all PropertyKeys to strings, even when
2788         the PropertyName was a Symbol. In the spec, PropertyKeys are
2789         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
2790         Proxy.[[GetOwnProperty]].
2791
2792         * runtime/Completion.cpp:
2793         (JSC::profiledEvaluate):
2794         (JSC::createSymbolForEntryPointModule):
2795         (JSC::identifierToJSValue): Deleted.
2796         * runtime/Identifier.h:
2797         (JSC::parseIndex):
2798         * runtime/IdentifierInlines.h:
2799         (JSC::Identifier::fromString):
2800         (JSC::identifierToJSValue):
2801         (JSC::identifierToSafePublicJSValue):
2802         * runtime/ProxyObject.cpp:
2803         (JSC::performProxyGet):
2804         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2805         * tests/es6.yaml:
2806         * tests/stress/proxy-basic.js:
2807         (let.handler.getOwnPropertyDescriptor):
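
        Added example (not the WebKit test files listed in these entries): a runnable check of two points from the Proxy entries above. First, that the get, has and getOwnPropertyDescriptor traps receive a Symbol key as a symbol rather than a string, which is the behaviour the Symbol fix above restores. Second, the [[HasProperty]] invariant from ECMA-262 section 9.5.7 that a `has` trap may not hide a non-configurable own property of the target. Trap names and the `Reflect` calls are standard ECMAScript; the key names and the function names are constructed for the example.

```javascript
// Added example, not part of the WebKit change or its tests.

// Records (trapName, typeof key) for each trap invocation so the key type the
// engine passes can be inspected. A Symbol must arrive as "symbol", never as
// its string form.
function recordKeyTypes() {
  const seen = [];
  const sym = Symbol("tag");                 // constructed sample key
  const target = { plain: 1, [sym]: 2 };
  const proxy = new Proxy(target, {
    get(t, key, receiver) {
      seen.push(["get", typeof key]);
      return Reflect.get(t, key, receiver);
    },
    has(t, key) {
      seen.push(["has", typeof key]);
      return Reflect.has(t, key);
    },
    getOwnPropertyDescriptor(t, key) {
      seen.push(["getOwnPropertyDescriptor", typeof key]);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });

  // Symbol key through [[Get]], [[HasProperty]] and [[GetOwnProperty]].
  proxy[sym];
  sym in proxy;
  Object.getOwnPropertyDescriptor(proxy, sym);
  // String key for contrast.
  proxy.plain;
  "plain" in proxy;
  return seen;
}

// The `has` trap lies about a non-configurable own property of the target.
// ECMA-262 9.5.7 requires the engine to reject this with a TypeError rather
// than let the proxy misreport the target's fixed shape.
function hasTrapInvariant() {
  const target = {};
  Object.defineProperty(target, "locked", { value: 1, configurable: false });
  const proxy = new Proxy(target, { has: () => false });
  try {
    return String("locked" in proxy);        // a non-enforcing engine returns "false"
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}
```

        The invariant check is the part worth keeping in a regression suite: a proxy is only safe to hand to code that reasons about its target's fixed properties if the engine enforces these checks, and `hasTrapInvariant()` returning anything other than "TypeError" shows that it does not.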
2808
2809 2016-02-18  Saam Barati  <sbarati@apple.com>
2810
2811         Follow up fix to Implement Proxy.[[GetOwnProperty]]
2812         https://bugs.webkit.org/show_bug.cgi?id=154314
2813
2814         Reviewed by Filip Pizlo.
2815
2816         Part of the implementation was broken because
2817         of how JSObject::getOwnPropertyDescriptor worked.
2818         I've fixed JSObject::getOwnPropertyDescriptor to
2819         be able to handle ProxyObject.
2820
2821         * runtime/JSObject.cpp:
2822         (JSC::JSObject::getOwnPropertyDescriptor):
2823         * runtime/ProxyObject.cpp:
2824         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2825         * tests/stress/proxy-get-own-property.js:
2826         (assert):
2827         (assert.let.handler.get getOwnPropertyDescriptor):
2828
2829 2016-02-18  Saam Barati  <sbarati@apple.com>
2830
2831         Implement Proxy.[[GetOwnProperty]]
2832         https://bugs.webkit.org/show_bug.cgi?id=154314
2833
2834         Reviewed by Filip Pizlo.
2835
2836         This patch implements Proxy.[[GetOwnProperty]].
2837         It's a straightforward implementation as described
2838         in section 9.5.5 of the specification:
2839         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
2840
2841         * runtime/FunctionPrototype.cpp:
2842         (JSC::functionProtoFuncBind):
2843         * runtime/JSObject.cpp:
2844         (JSC::validateAndApplyPropertyDescriptor):
2845         (JSC::JSObject::defineOwnNonIndexProperty):
2846         (JSC::JSObject::defineOwnProperty):
2847         (JSC::JSObject::getGenericPropertyNames):
2848         (JSC::JSObject::getMethod):
2849         * runtime/JSObject.h:
2850         (JSC::JSObject::butterflyAddress):
2851         (JSC::makeIdentifier):
2852         * runtime/ProxyObject.cpp:
2853         (JSC::performProxyGet):
2854         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2855         (JSC::ProxyObject::getOwnPropertySlotCommon):
2856         (JSC::ProxyObject::getOwnPropertySlot):
2857         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2858         (JSC::ProxyObject::visitChildren):
2859         * runtime/ProxyObject.h:
2860         * tests/es6.yaml:
2861         * tests/stress/proxy-basic.js:
2862         (let.handler.get null):
2863         * tests/stress/proxy-get-own-property.js: Added.
2864         (assert):
2865         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
2866         (throw.new.Error):
2867         (let.handler.getOwnPropertyDescriptor):
2868         (i.catch):
2869         (assert.let.handler.getOwnPropertyDescriptor):
2870
2871 2016-02-18  Andreas Kling  <akling@apple.com>
2872
2873         JSString resolution of substrings should use StringImpl sharing optimization.
2874         <https://webkit.org/b/154068>
2875         <rdar://problem/24629358>
2876
2877         Reviewed by Antti Koivisto.
2878
2879         When resolving a JSString that's actually a substring of another JSString,
2880         use the StringImpl sharing optimization to create a new string pointing into
2881         the parent one, instead of copying out the bytes of the string.
2882
2883         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
2884
2885         Another approach to this would be to induce GC far more frequently due to
2886         the added cost of copying out these substrings. It would reduce the risk
2887         of prolonging the life of strings only kept alive by substrings.
2888
2889         This patch chooses to trade that risk for less GC and lower peak memory.
2890
2891         * runtime/JSString.cpp:
2892         (JSC::JSRopeString::resolveRope):
2893
2894 2016-02-18  Chris Dumez  <cdumez@apple.com>
2895
2896         Crash on SES selftest page when loading the page while WebInspector is open
2897         https://bugs.webkit.org/show_bug.cgi?id=154378
2898         <rdar://problem/24713422>
2899
2900         Reviewed by Mark Lam.
2901
2902         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
2903         returns early again if it detects that getOwnPropertySlot() returns a
2904         non-own property. This check was removed in r196676 because we assumed that
2905         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
2906         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
2907         well.
2908
2909         Not having the check would lead to crashes when using the debugger because
2910         we would get a slot with the CustomAccessor attribute but getDirect() would
2911         then fail to return the property (because it is not an own property). We
2912         would then cast the value returned by getDirect() to a CustomGetterSetter*
2913         and dereference it.
2914
2915         * runtime/JSObject.cpp:
2916         (JSC::JSObject::getOwnPropertyDescriptor):
2917
2918 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2919
2920         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
2921         for that.
2922
2923         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2924         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2925
2926 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2927
2928         Unreviewed, fix CMake build. This got messed up when rebasing.
2929
2930         * CMakeLists.txt:
2931
2932 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
2933
2934         Fix the !ENABLE(DFG_JIT) build after r195865
2935         https://bugs.webkit.org/show_bug.cgi?id=154391
2936
2937         Reviewed by Filip Pizlo.
2938
2939         * runtime/SamplingProfiler.cpp:
2940         (JSC::tryGetBytecodeIndex):
2941
2942 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
2943
2944         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
2945         https://bugs.webkit.org/show_bug.cgi?id=154383
2946
2947         Reviewed by Saam Barati.
2948
2949         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
2950
2951         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
2952           backend".
2953
2954         - Removed the reference because I found it to be dead. In some cases it was a dead
2955           comment: it was telling us things about what LLVM did and that's just not relevant
2956           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
2957
2958         - Edited the comment in some smart way. There were comments talking about what LLVM did
2959           that were still of interest. In some cases, I added a FIXME to consider changing the
2960           code below the comment on the grounds that it was written in a weird way to placate
2961           LLVM and so we can do it better now.
2962
2963         * CMakeLists.txt:
2964         * JavaScriptCore.xcodeproj/project.pbxproj:
2965         * dfg/DFGArgumentsEliminationPhase.cpp:
2966         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2967         * dfg/DFGPlan.cpp:
2968         (JSC::DFG::Plan::compileInThread):
2969         (JSC::DFG::Plan::compileInThreadImpl):
2970         (JSC::DFG::Plan::compileTimeStats):
2971         * dfg/DFGPutStackSinkingPhase.cpp:
2972         * dfg/DFGSSAConversionPhase.h:
2973         * dfg/DFGStaticExecutionCountEstimationPhase.h:
2974         * dfg/DFGUnificationPhase.cpp:
2975         (JSC::DFG::UnificationPhase::run):
2976         * disassembler/ARM64Disassembler.cpp:
2977         (JSC::tryToDisassemble): Deleted.
2978         * disassembler/X86Disassembler.cpp:
2979         (JSC::tryToDisassemble):
2980         * ftl/FTLAbstractHeap.cpp:
2981         (JSC::FTL::IndexedAbstractHeap::initialize):
2982         * ftl/FTLAbstractHeap.h:
2983         * ftl/FTLFormattedValue.h:
2984         * ftl/FTLJITFinalizer.cpp:
2985         (JSC::FTL::JITFinalizer::finalizeFunction):
2986         * ftl/FTLLink.cpp:
2987         (JSC::FTL::link):
2988         * ftl/FTLLocation.cpp:
2989         (JSC::FTL::Location::restoreInto):
2990         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
2991         (JSC::FTL::DFG::ftlUnreachable):
2992         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
2993         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
2994         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
2995         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
2996         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
2997         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
2998         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
2999         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
3000         (JSC::FTL::lowerDFGToB3):
3001         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
3002         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
3003         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
3004         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
3005         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
3006         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
3007         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
3008         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
3009         (JSC::FTL::lowerDFGToLLVM): Deleted.
3010         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
3011         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
3012         * ftl/FTLLowerDFGToLLVM.h: Removed.
3013         * ftl/FTLOSRExitCompiler.cpp:
3014         (JSC::FTL::compileStub):
3015         * ftl/FTLWeight.h:
3016         (JSC::FTL::Weight::frequencyClass):
3017         (JSC::FTL::Weight::inverse):
3018         (JSC::FTL::Weight::scaleToTotal): Deleted.
3019         * ftl/FTLWeightedTarget.h:
3020         (JSC::FTL::rarely):
3021         (JSC::FTL::unsure):
3022         * jit/CallFrameShuffler64.cpp:
3023         (JSC::CallFrameShuffler::emitDisplace):
3024         * jit/RegisterSet.cpp:
3025         (JSC::RegisterSet::ftlCalleeSaveRegisters):
3026         * llvm: Removed.
3027         * llvm/InitializeLLVMLinux.cpp: Removed.
3028         * llvm/InitializeLLVMWin.cpp: Removed.
3029         * llvm/library: Removed.
3030         * llvm/library/LLVMTrapCallback.h: Removed.
3031         * llvm/library/libllvmForJSC.version: Removed.
3032         * runtime/Options.cpp:
3033         (JSC::recomputeDependentOptions):
3034         (JSC::Options::initialize):
3035         * runtime/Options.h:
3036         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
3037         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
3038         * wasm/WASMFunctionParser.cpp:
3039
3040 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
3041
3042         [cmake] Build system cleanup
3043         https://bugs.webkit.org/show_bug.cgi?id=154337
3044
3045         Reviewed by Žan Doberšek.
3046
3047         * CMakeLists.txt:
3048
3049 2016-02-17  Mark Lam  <mark.lam@apple.com>
3050
3051         Callers of JSString::value() should check for exceptions thereafter.
3052         https://bugs.webkit.org/show_bug.cgi?id=154346
3053
3054         Reviewed by Geoffrey Garen.
3055
3056         JSString::value() can throw an exception if the JS string is a rope and value() 
3057         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
3058         able to resolve the rope, it will return a null string (in addition to throwing
3059         the exception).  If a caller does not check for exceptions after calling
3060         JSString::value(), they may eventually use the returned null string and crash the
3061         VM.
3062
3063         The fix is to add all the necessary exception checks, and do the appropriate
3064         handling if needed.
3065
3066         * jsc.cpp:
3067         (functionRun):
3068         (functionLoad):
3069         (functionReadFile):
3070         (functionCheckSyntax):
3071         (functionLoadWebAssembly):
3072         (functionLoadModule):
3073         (functionCheckModuleSyntax):
3074         * runtime/DateConstructor.cpp:
3075         (JSC::dateParse):
3076         (JSC::dateNow):
3077         * runtime/JSGlobalObjectFunctions.cpp:
3078         (JSC::globalFuncEval):
3079         * tools/JSDollarVMPrototype.cpp:
3080         (JSC::functionPrint):
3081
3082 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
3083
3084         [JSC] ARM64: Support the immediate format used for bit operations in Air
3085         https://bugs.webkit.org/show_bug.cgi?id=154327
3086
3087         Reviewed by Filip Pizlo.
3088
3089         ARM64 supports a pretty rich form of immediates for bit operations.
3090         There are two formats used to encode repeating patterns and common
3091         input in a dense form.
3092
3093         In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
3094         Those represent the valid immediate forms for bit operations.
3095         On x86, any 32-bit value is valid. On ARM64, all the encoding
3096         forms are tried and the immediate is used when possible.
3097
3098         The arg type Imm64 is renamed to BigImm to better represent what
3099         it is: an immediate that does not fit into Imm.
3100
3101         * assembler/ARM64Assembler.h:
3102         (JSC::LogicalImmediate::create32): Deleted.
3103         (JSC::LogicalImmediate::create64): Deleted.
3104         (JSC::LogicalImmediate::value): Deleted.
3105         (JSC::LogicalImmediate::isValid): Deleted.
3106         (JSC::LogicalImmediate::is64bit): Deleted.
3107         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
3108         (JSC::LogicalImmediate::mask): Deleted.
3109         (JSC::LogicalImmediate::partialHSB): Deleted.
3110         (JSC::LogicalImmediate::highestSetBit): Deleted.
3111         (JSC::LogicalImmediate::findBitRange): Deleted.
3112         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
3113         * assembler/AssemblerCommon.h:
3114         (JSC::ARM64LogicalImmediate::create32):
3115         (JSC::ARM64LogicalImmediate::create64):
3116         (JSC::ARM64LogicalImmediate::value):
3117         (JSC::ARM64LogicalImmediate::isValid):
3118         (JSC::ARM64LogicalImmediate::is64bit):
3119         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
3120         (JSC::ARM64LogicalImmediate::mask):
3121         (JSC::ARM64LogicalImmediate::partialHSB):
3122         (JSC::ARM64LogicalImmediate::highestSetBit):
3123         (JSC::ARM64LogicalImmediate::findBitRange):
3124         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
3125         * assembler/MacroAssemblerARM64.h:
3126         (JSC::MacroAssemblerARM64::and64):
3127         (JSC::MacroAssemblerARM64::or64):
3128         (JSC::MacroAssemblerARM64::xor64):
3129         * b3/B3LowerToAir.cpp:
3130         (JSC::B3::Air::LowerToAir::bitImm):
3131         (JSC::B3::Air::LowerToAir::bitImm64):
3132         (JSC::B3::Air::LowerToAir::appendBinOp):
3133         * b3/air/AirArg.cpp:
3134         (JSC::B3::Air::Arg::dump):
3135         (WTF::printInternal):
3136         * b3/air/AirArg.h:
3137         (JSC::B3::Air::Arg::bitImm):
3138         (JSC::B3::Air::Arg::bitImm64):
3139         (JSC::B3::Air::Arg::isBitImm):
3140         (JSC::B3::Air::Arg::isBitImm64):
3141         (JSC::B3::Air::Arg::isSomeImm):
3142         (JSC::B3::Air::Arg::value):
3143         (JSC::B3::Air::Arg::isGP):
3144         (JSC::B3::Air::Arg::isFP):
3145         (JSC::B3::Air::Arg::hasType):
3146         (JSC::B3::Air::Arg::isValidBitImmForm):
3147         (JSC::B3::Air::Arg::isValidBitImm64Form):
3148         (JSC::B3::Air::Arg::isValidForm):
3149         (JSC::B3::Air::Arg::asTrustedImm32):
3150         (JSC::B3::Air::Arg::asTrustedImm64):
3151         * b3/air/AirOpcode.opcodes:
3152         * b3/air/opcode_generator.rb:
3153
3154 2016-02-17  Keith Miller  <keith_miller@apple.com>
3155
3156         Spread operator should be allowed when not the first argument of parameter list
3157         https://bugs.webkit.org/show_bug.cgi?id=152721
3158
3159         Reviewed by Saam Barati.
3160
3161         Spread arguments to functions should now be ES6 compliant. Before we
3162         would only take a spread operator if it was the sole argument to a
3163         function. Additionally, we would not use the Symbol.iterator on the
3164         object to generate the arguments. Instead we would do a loop up to the
3165         length mapping indexed properties to the corresponding argument. We fix
3166         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
3167         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
3168         old spread semantics). This solution has the downside of requiring the
3169         allocation of another object and copying each element twice but avoids a
3170         large change to the vm calling convention.
3171
3172         * interpreter/Interpreter.cpp:
3173         (JSC::loadVarargs):
3174         * parser/ASTBuilder.h:
3175         (JSC::ASTBuilder::createElementList):
3176         * parser/Parser.cpp:
3177         (JSC::Parser<LexerType>::parseArguments):
3178         (JSC::Parser<LexerType>::parseArgument):
3179         (JSC::Parser<LexerType>::parseMemberExpression):
3180         * parser/Parser.h:
3181         * parser/SyntaxChecker.h:
3182         (JSC::SyntaxChecker::createElementList):
3183         * tests/es6.yaml:
3184         * tests/stress/spread-calling.js: Added.
3185         (testFunction):
3186         (testEmpty):
3187         (makeObject):
3188         (otherIterator.return.next):
3189         (otherIterator):
3190         (totalIter):
3191         (throwingIter.return.next):
3192         (throwingIter):
3193         (i.catch):
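
        Added example (not WebKit's spread-calling.js test): a runnable contrast between the two semantics described above. `legacySpread` models the old behaviour the entry describes, a loop over `length` reading indexed properties, and is an illustration rather than engine code. The constructed iterable deliberately disagrees between its indexed view and its Symbol.iterator so the difference is visible, and the two call forms from the entry, `foo(...a, b, ...c, d)` and `foo(...[...a, b, ...c, d])`, are checked to produce the same argument list. A throwing iterator shows that the exception escapes at the call site before the callee runs. `collect`, `makeDisagreeing` and the other names are constructed for the example.

```javascript
// Added example, not part of the WebKit change or its tests.

// Model of the pre-fix semantics described in the entry: walk 0..length-1 and
// read indexed properties, ignoring Symbol.iterator entirely.
function legacySpread(obj) {
  const out = [];
  for (let i = 0; i < obj.length; i++) out.push(obj[i]);
  return out;
}

// Constructed iterable whose indexed properties and iterator disagree on
// purpose, so the two semantics give visibly different results.
function makeDisagreeing() {
  return {
    length: 2, 0: "idx0", 1: "idx1",
    [Symbol.iterator]() {
      let n = 0;
      return {
        next: () => (n < 3 ? { value: "it" + n++, done: false }
                           : { value: undefined, done: true }),
      };
    },
  };
}

// Callee that just exposes the argument list it was given.
function collect(...args) {
  return args;
}

// Returns the legacy expansion of `a`, the direct ES6 spread call, and the
// rewritten form foo(...[...a, b, ...c, d]) used by the AST transformation.
function compareSemantics() {
  const a = makeDisagreeing();
  const c = new Set(["s1", "s2"]);          // has no length, only an iterator
  return {
    legacy: legacySpread(a),
    direct: collect(...a, "b", ...c, "d"),
    rewritten: collect(...[...a, "b", ...c, "d"]),
  };
}

// An iterator that throws midway: the exception propagates from argument
// evaluation and the callee never runs.
function throwingIteratorCall() {
  const bad = {
    [Symbol.iterator]() {
      let n = 0;
      return {
        next() {
          if (n === 1) throw new RangeError("iterator failed");
          return { value: n++, done: false };
        },
      };
    },
  };
  let calleeRan = false;
  const callee = () => { calleeRan = true; };
  try {
    callee(...bad);
    return "no throw";
  } catch (e) {
    return calleeRan ? "callee ran" : e.constructor.name;
  }
}
```

        Under the legacy semantics a Set could not be spread at all (no `length`), and an object's iterator was never consulted; the `direct` and `rewritten` results agree, which is what makes the AST rewrite described above a safe implementation strategy at the cost of the intermediate array.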
3194
3195 2016-02-17  Brian Burg  <bburg@apple.com>
3196
3197         Remove a wrong cast in RemoteInspector::receivedSetupMessage
3198         https://bugs.webkit.org/show_bug.cgi?id=154361
3199         <rdar://problem/24709281>
3200
3201         Reviewed by Joseph Pecoraro.
3202
3203         * inspector/remote/RemoteInspector.mm:
3204         (Inspector::RemoteInspector::receivedSetupMessage):
3205         Not only is this cast unnecessary (the constructor accepts the base class),
3206         but it is wrong since the target could be an automation target. Remove it.
3207
3208 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3209
3210         Rename FTLB3Blah to FTLBlah
3211         https://bugs.webkit.org/show_bug.cgi?id=154365
3212
3213         Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
3214
3215         * CMakeLists.txt:
3216         * JavaScriptCore.xcodeproj/project.pbxproj:
3217         * ftl/FTLB3Compile.cpp: Removed.
3218         * ftl/FTLB3Output.cpp: Removed.
3219         * ftl/FTLB3Output.h: Removed.
3220         * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
3221         * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
3222         * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
3223
3224 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3225
3226         Remove LLVM dependencies from WebKit
3227         https://bugs.webkit.org/show_bug.cgi?id=154323
3228
3229         Reviewed by Antti Koivisto and Benjamin Poulain.
3230
3231         We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
3232         LLVM-related code dead, including the disassembler, which was only reachable when you were on
3233         a platform that already had an in-tree disassembler.
3234
3235         * CMakeLists.txt:
3236         * JavaScriptCore.xcodeproj/project.pbxproj:
3237         * dfg/DFGCommon.h:
3238         * dfg/DFGPlan.cpp:
3239         (JSC::DFG::Plan::compileInThread):
3240         (JSC::DFG::Plan::compileInThreadImpl):
3241         (JSC::DFG::Plan::compileTimeStats):
3242         * disassembler/ARM64Disassembler.cpp:
3243         (JSC::tryToDisassemble):
3244         * disassembler/ARMv7Disassembler.cpp:
3245         (JSC::tryToDisassemble):
3246         * disassembler/Disassembler.cpp:
3247         (JSC::disassemble):
3248         (JSC::disassembleAsynchronously):
3249         * disassembler/Disassembler.h:
3250         (JSC::tryToDisassemble):
3251         * disassembler/LLVMDisassembler.cpp: Removed.
3252         * disassembler/LLVMDisassembler.h: Removed.
3253         * disassembler/UDis86Disassembler.cpp:
3254         (JSC::tryToDisassembleWithUDis86):
3255         * disassembler/UDis86Disassembler.h:
3256         (JSC::tryToDisassembleWithUDis86):
3257         * disassembler/X86Disassembler.cpp:
3258         (JSC::tryToDisassemble):
3259         * ftl/FTLAbbreviatedTypes.h:
3260         * ftl/FTLAbbreviations.h: Removed.
3261         * ftl/FTLAbstractHeap.cpp:
3262         (JSC::FTL::AbstractHeap::decorateInstruction):
3263         (JSC::FTL::AbstractHeap::dump):
3264         (JSC::FTL::AbstractField::dump):
3265         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
3266         (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
3267         (JSC::FTL::IndexedAbstractHeap::baseIndex):
3268         (JSC::FTL::IndexedAbstractHeap::dump):
3269         (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
3270         (JSC::FTL::NumberedAbstractHeap::dump):
3271         (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
3272         (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
3273         * ftl/FTLAbstractHeap.h:
3274         (JSC::FTL::AbstractHeap::AbstractHeap):
3275         (JSC::FTL::AbstractHeap::heapName):
3276         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
3277         (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
3278         (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
3279         (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
3280         * ftl/FTLAbstractHeapRepository.cpp:
3281         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
3282         * ftl/FTLAbstractHeapRepository.h:
3283         * ftl/FTLB3Compile.cpp:
3284         * ftl/FTLB3Output.cpp:
3285         (JSC::FTL::Output::Output):
3286         (JSC::FTL::Output::check):
3287         (JSC::FTL::Output::load):
3288         (JSC::FTL::Output::store):
3289         * ftl/FTLB3Output.h:
3290         * ftl/FTLCommonValues.cpp:
3291         (JSC::FTL::CommonValues::CommonValues):
3292         (JSC::FTL::CommonValues::initializeConstants):
3293         * ftl/FTLCommonValues.h:
3294         (JSC::FTL::CommonValues::initialize): Deleted.
3295         * ftl/FTLCompile.cpp: Removed.
3296         * ftl/FTLCompileBinaryOp.cpp: Removed.
3297         * ftl/FTLCompileBinaryOp.h: Removed.
3298         * ftl/FTLDWARFDebugLineInfo.cpp: Removed.
3299         * ftl/FTLDWARFDebugLineInfo.h: Removed.
3300         * ftl/FTLDWARFRegister.cpp: Removed.
3301         * ftl/FTLDWARFRegister.h: Removed.
3302         * ftl/FTLDataSection.cpp: Removed.
3303         * ftl/FTLDataSection.h: Removed.
3304         * ftl/FTLExceptionHandlerManager.cpp: Removed.
3305         * ftl/FTLExceptionHandlerManager.h: Removed.
3306         * ftl/FTLExceptionTarget.cpp:
3307         * ftl/FTLExceptionTarget.h:
3308         * ftl/FTLExitThunkGenerator.cpp: Removed.
3309         * ftl/FTLExitThunkGenerator.h: Removed.
3310         * ftl/FTLFail.cpp:
3311         (JSC::FTL::fail):
3312         * ftl/FTLInlineCacheDescriptor.h: Removed.
3313         * ftl/FTLInlineCacheSize.cpp: Removed.
3314         * ftl/FTLInlineCacheSize.h: Removed.
3315         * ftl/FTLIntrinsicRepository.cpp: Removed.
3316         * ftl/FTLIntrinsicRepository.h: Removed.
3317         * ftl/FTLJITCode.cpp:
3318         (JSC::FTL::JITCode::~JITCode):
3319         (JSC::FTL::JITCode::initializeB3Code):
3320         (JSC::FTL::JITCode::initializeB3Byproducts):
3321         (JSC::FTL::JITCode::initializeAddressForCall):
3322         (JSC::FTL::JITCode::contains):
3323         (JSC::FTL::JITCode::ftl):
3324         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3325         (JSC::FTL::JITCode::initializeExitThunks): Deleted.
3326         (JSC::FTL::JITCode::addHandle): Deleted.
3327         (JSC::FTL::JITCode::addDataSection): Deleted.
3328         (JSC::FTL::JITCode::exitThunks): Deleted.
3329         * ftl/FTLJITCode.h:
3330         (JSC::FTL::JITCode::b3Code):
3331         (JSC::FTL::JITCode::handles): Deleted.
3332         (JSC::FTL::JITCode::dataSections): Deleted.
3333         * ftl/FTLJITFinalizer.cpp:
3334         (JSC::FTL::JITFinalizer::codeSize):
3335         (JSC::FTL::JITFinalizer::finalizeFunction):
3336         * ftl/FTLJITFinalizer.h:
3337         * ftl/FTLJSCall.cpp: Removed.
3338         * ftl/FTLJSCall.h: Removed.
3339         * ftl/FTLJSCallBase.cpp: Removed.
3340         * ftl/FTLJSCallBase.h: Removed.
3341         * ftl/FTLJSCallVarargs.cpp: Removed.
3342         * ftl/FTLJSCallVarargs.h: Removed.
3343         * ftl/FTLJSTailCall.cpp: Removed.
3344         * ftl/FTLJSTailCall.h: Removed.
3345         * ftl/FTLLazySlowPath.cpp:
3346         (JSC::FTL::LazySlowPath::LazySlowPath):
3347         (JSC::FTL::LazySlowPath::generate):
3348         * ftl/FTLLazySlowPath.h:
3349         (JSC::FTL::LazySlowPath::createGenerator):
3350         (JSC::FTL::LazySlowPath::patchableJump):
3351         (JSC::FTL::LazySlowPath::done):
3352         (JSC::FTL::LazySlowPath::usedRegisters):