56ddc3df493531b500f7ba488234a3fc59be9ab2
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-01-13  Mark Lam  <mark.lam@apple.com>

        The StringFromCharCode DFG intrinsic should support untyped operands.
        https://bugs.webkit.org/show_bug.cgi?id=153046

        Reviewed by Geoffrey Garen.

        The current StringFromCharCode DFG intrinsic assumes that its operand charCode
        must be an Int32.  This results in 26000+ BadType OSR exits in the LongSpider
        crypto-aes benchmark.  With support for Untyped operands, the number of OSR
        exits drops to 202.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toUInt32):

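The Untyped operand path has to perform the ECMAScript number conversion that an Int32 operand skips. The following is an added illustration and not JSC's code: the ToUint32 reduction of an arbitrary double, the 16-bit code unit String.fromCharCode derives from it, and the Int32 fast path beside it to show that the two agree on every Int32; all function names are my own, and ToNumber of non-numeric arguments is not modelled.

```cpp
#include <cmath>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical helper (not JSC's JSValue::toUInt32): ECMAScript ToUint32 applied
// to a double. NaN, +/-0 and +/-Infinity map to 0; any other value is truncated
// toward zero and reduced modulo 2^32 into [0, 2^32).
uint32_t jsToUInt32(double number)
{
    if (std::isnan(number) || std::isinf(number))
        return 0;
    double truncated = std::trunc(number);
    double reduced = std::fmod(truncated, 4294967296.0); // now in (-2^32, 2^32)
    if (reduced < 0)
        reduced += 4294967296.0;
    return static_cast<uint32_t>(reduced);
}

// General (Untyped) path: the UTF-16 code unit for one String.fromCharCode
// argument is ToUint16 of the argument, i.e. the low 16 bits of ToUint32.
uint16_t fromCharCodeUnitUntyped(double number)
{
    return static_cast<uint16_t>(jsToUInt32(number) & 0xFFFF);
}

// Int32 fast path: the value is already an integer, so only the low 16 bits of
// its two's-complement representation are needed. It must agree with the path
// above for every Int32, which is what lets a compiler pick either one.
uint16_t fromCharCodeUnitInt32(int32_t charCode)
{
    return static_cast<uint16_t>(static_cast<uint32_t>(charCode) & 0xFFFF);
}

// Check over a constructed sample of Int32 values, including negatives and
// values above 0xFFFF, that the two paths produce identical code units.
bool int32AndUntypedPathsAgree()
{
    const std::vector<int32_t> samples = {
        0, 65, 0xFFFF, 0x10000, 65601, -1, -65536, 2147483647, -2147483647 - 1
    };
    for (int32_t value : samples) {
        if (fromCharCodeUnitInt32(value) != fromCharCodeUnitUntyped(static_cast<double>(value)))
            return false;
    }
    return true;
}

// Build the UTF-16 string for a list of already-numeric arguments.
std::u16string fromCharCode(const std::vector<double>& args)
{
    std::u16string result;
    for (double arg : args)
        result.push_back(static_cast<char16_t>(fromCharCodeUnitUntyped(arg)));
    return result;
}
```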
2016-01-13  Mark Lam  <mark.lam@apple.com>

        Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently.
        https://bugs.webkit.org/show_bug.cgi?id=153080

        Reviewed by Geoffrey Garen.

        We currently have Graph::mulShouldSpeculateInt32/machineInt() and
        Graph::negateShouldSpeculateInt32/MachineInt() functions which are only used by
        the ArithMul and ArithNegate nodes.  However, the same tests need to be done for
        many other arith nodes in the DFG.  This patch renames these functions as
        Graph::binaryArithShouldSpeculateInt32/machineInt() and
        Graph::unaryArithShouldSpeculateInt32/MachineInt(), and uses them consistently
        in the DFG.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateMachineInt):
        (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
        (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt):
        (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
        (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt):
        (JSC::DFG::Graph::mulShouldSpeculateInt32): Deleted.
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt): Deleted.
        (JSC::DFG::Graph::negateShouldSpeculateInt32): Deleted.
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):

2016-01-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Inspector should use the last sourceURL / sourceMappingURL directive
        https://bugs.webkit.org/show_bug.cgi?id=153072
        <rdar://problem/24168312>

        Reviewed by Timothy Hatcher.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseCommentDirective):
        Just keep overwriting the member variable so we end up with
        the last directive value.

2016-01-13  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r194969.
        https://bugs.webkit.org/show_bug.cgi?id=153075

        This change broke the iOS build (Requested by ryanhaddad on
        #webkit).

        Reverted changeset:

        "[JSC] Legalize Memory Offsets for ARM64 before lowering to
        Air"
        https://bugs.webkit.org/show_bug.cgi?id=153065
        http://trac.webkit.org/changeset/194969

2016-01-13  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
        https://bugs.webkit.org/show_bug.cgi?id=153065

        Reviewed by Mark Lam.
        Reviewed by Filip Pizlo.

        On ARM64, we cannot use signed 32-bit offsets for memory addressing.
        There are two available addressing modes: signed 9-bit and unsigned scaled 12-bit.
        Air already knows about it.

        In this patch, the offsets are changed to something valid for ARM64
        prior to lowering. When an offset is invalid, it is just computed
        before the instruction and used as the base for addressing.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3LegalizeMemoryOffsets.cpp: Added.
        (JSC::B3::legalizeMemoryOffsets):
        * b3/B3LegalizeMemoryOffsets.h: Added.
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testLoadWithOffsetImpl):
        (JSC::B3::testLoadOffsetImm9Max):
        (JSC::B3::testLoadOffsetImm9MaxPlusOne):
        (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
        (JSC::B3::testLoadOffsetImm9Min):
        (JSC::B3::testLoadOffsetImm9MinMinusOne):
        (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
        (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
        (JSC::B3::run):

2016-01-12  Per Arne Vollan  <peavo@outlook.com>

        [FTL][Win64] Compile error.
        https://bugs.webkit.org/show_bug.cgi?id=153031

        Reviewed by Brent Fulgham.

        The header file dlfcn.h does not exist on Windows.

        * ftl/FTLLowerDFGToLLVM.cpp:

2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>

        Add a build flag for custom element
        https://bugs.webkit.org/show_bug.cgi?id=153005

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:

2016-01-12  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Remove some invalid immediate instruction forms from ARM64 Air
        https://bugs.webkit.org/show_bug.cgi?id=153024

        Reviewed by Michael Saboff.

        * b3/B3BasicBlock.h:
        Export the symbols for testb3.

        * b3/air/AirOpcode.opcodes:
        We had 2 invalid opcodes:
        - Compare with immediate just does not exist.
        - Test64 with immediate exists but Air does not recognize
          the valid form of bit-immediates.

        * b3/testb3.cpp:
        (JSC::B3::genericTestCompare):
        (JSC::B3::testCompareImpl):
        Extend the tests to cover what was invalid.

2016-01-12  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JSC does not build with FTL_USES_B3 on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=153011

        Reviewed by Saam Barati.

        Apparently the static const member can only be used for constexpr.
        C++ is weird.

        * jit/GPRInfo.cpp:
        * jit/GPRInfo.h:

2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>

        Web Inspector: console.count() shouldn't show a colon in front of a number
        https://bugs.webkit.org/show_bug.cgi?id=152038

        Reviewed by Brian Burg.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::count):
        Do not include title and colon if the title is empty.

2016-01-11  Dan Bernstein  <mitz@apple.com>

        Reverted r194317.

        Reviewed by Joseph Pecoraro.

        r194317 did not contain a change log entry, did not explain the motivation, did not name a
        reviewer, and does not seem necessary.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>

        keywords ("super", "delete", etc) should be valid method names
        https://bugs.webkit.org/show_bug.cgi?id=144281

        Reviewed by Ryosuke Niwa.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        - When parsing "static(" treat it as a method named "static" and not a static method.
        - When parsing a keyword treat it like a string method name (get and set are not keywords).
        - When parsing a getter / setter method name identifier, allow lookahead to be a keyword.

        (JSC::Parser<LexerType>::parseGetterSetter):
        - When parsing the getter / setter's name, allow it to be a keyword.

2016-01-11  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add Div/Mod and fix Mul for B3 ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152978

        Reviewed by Filip Pizlo.

        Add the 3-operand forms of Mul.
        Remove the form taking an immediate on ARM64; there is no such instruction.

        Add Div with sdiv.

        Unfortunately, I discovered ChillMod's division by zero
        makes it non-trivial on ARM64. I just made it into a macro like on x86.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::mul32):
        (JSC::MacroAssemblerARM64::mul64):
        (JSC::MacroAssemblerARM64::div32):
        (JSC::MacroAssemblerARM64::div64):
        * b3/B3LowerMacros.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirOpcode.opcodes:

2016-01-11  Keith Miller  <keith_miller@apple.com>

        Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
        https://bugs.webkit.org/show_bug.cgi?id=152949

        Reviewed by Michael Saboff.

        This patch updates Array constructors to use the new InternalFunctionAllocationProfile.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        (JSC::constructWithArrayConstructor):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
        (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        (JSC::constructArrayNegativeIndexed):
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:

2016-01-08  Keith Miller  <keith_miller@apple.com>

        Use a profile to store allocation structures for subclasses of InternalFunctions
        https://bugs.webkit.org/show_bug.cgi?id=152942

        Reviewed by Michael Saboff.

        This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
        a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
        InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
        constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
        constructor as a new.target to any other constructor. This means that a user can pass some
        non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
        new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
        need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
        current constructor. By using different profiles, we only need to check the profile in InternalFunctions
        as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
        low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.

        Additionally, this patch adds subclassing to some omitted classes.

        * API/JSObjectRef.cpp:
        (JSObjectMakeDate):
        (JSObjectMakeRegExp):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/InternalFunctionAllocationProfile.h: Added.
        (JSC::InternalFunctionAllocationProfile::structure):
        (JSC::InternalFunctionAllocationProfile::clear):
        (JSC::InternalFunctionAllocationProfile::visitAggregate):
        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::constructWithDateConstructor):
        * runtime/DateConstructor.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::create):
        (JSC::FunctionRareData::visitChildren):
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        (JSC::FunctionRareData::clear):
        (JSC::FunctionRareData::finishCreation): Deleted.
        (JSC::FunctionRareData::initialize): Deleted.
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
        (JSC::FunctionRareData::objectAllocationProfile):
        (JSC::FunctionRareData::objectAllocationStructure):
        (JSC::FunctionRareData::allocationProfileWatchpointSet):
        (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
        (JSC::FunctionRareData::internalFunctionAllocationStructure):
        (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
        (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
        (JSC::FunctionRareData::allocationProfile): Deleted.
        (JSC::FunctionRareData::allocationStructure): Deleted.
        (JSC::FunctionRareData::isInitialized): Deleted.
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/InternalFunction.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::allocateRareData):
        (JSC::JSFunction::allocateAndInitializeRareData):
        (JSC::JSFunction::initializeRareData):
        * runtime/JSFunction.h:
        (JSC::JSFunction::rareData):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::typeInfo):
        (JSC::JSFinalObject::createStructure):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWeakSet.cpp:
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::createEmptyStructure):
        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::getRegExpStructure):
        (JSC::constructRegExp):
        (JSC::constructWithRegExpConstructor):
        * runtime/RegExpConstructor.h:
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * tests/stress/class-subclassing-misc.js:
        (A):
        (D):
        (E):
        (WM):
        (WS):
        (test):
        * tests/stress/class-subclassing-typedarray.js: Added.
        (test):

2016-01-11  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile error.
        https://bugs.webkit.org/show_bug.cgi?id=152984

        Reviewed by Alex Christensen.

        Windows does not have bzero; use memset instead.

        * b3/air/AirIteratedRegisterCoalescing.cpp:

2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>

        Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=152923

        Reviewed by Alex Christensen.

        * jit/CallFrameShuffler.h:
        (JSC::CallFrameShuffler::assumeCalleeIsCell):

2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>

        [B3] Fix control reaches end of non-void function GCC warnings on Linux
        https://bugs.webkit.org/show_bug.cgi?id=152887

        Reviewed by Mark Lam.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createBranch):
        (JSC::B3::Air::LowerToAir::createCompare):
        (JSC::B3::Air::LowerToAir::createSelect):
        * b3/B3Type.h:
        (JSC::B3::sizeofType):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::isRepresentableAs):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isAnyUse):
        (JSC::B3::Air::Arg::isColdUse):
        (JSC::B3::Air::Arg::isEarlyUse):
        (JSC::B3::Air::Arg::isLateUse):
        (JSC::B3::Air::Arg::isAnyDef):
        (JSC::B3::Air::Arg::isEarlyDef):
        (JSC::B3::Air::Arg::isLateDef):
        (JSC::B3::Air::Arg::isZDef):
        (JSC::B3::Air::Arg::widthForB3Type):
        (JSC::B3::Air::Arg::isGP):
        (JSC::B3::Air::Arg::isFP):
        (JSC::B3::Air::Arg::isType):
        (JSC::B3::Air::Arg::isValidForm):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::newTmp):
        (JSC::B3::Air::Code::numTmps):

2016-01-11  Filip Pizlo  <fpizlo@apple.com>

        Make it easier to introduce exotic instructions to Air
        https://bugs.webkit.org/show_bug.cgi?id=152953

        Reviewed by Benjamin Poulain.

        Currently, you can define new "opcodes" in Air using either:

        1) New opcode declared in AirOpcode.opcodes.
        2) Patch opcode with a new implementation of Air::Special.

        With (1), you are limited to fixed-argument-length instructions. There are other
        restrictions as well, like that you can only use the roles that the AirOpcode syntax
        supports.

        With (2), you can do anything you like, but the instruction will be harder to match
        since it will share the same opcode as any other Patch. Also, the instruction will have
        the Special argument, which means more busy-work when creating the instruction and
        validating it.

        This introduces an in-between facility called "custom". This replaces what AirOpcode
        previously called "special". A custom instruction is one whose behavior is defined by a
        FooCustom struct with some static methods. Calls to those methods are emitted by
        opcode_generator.rb.

        The "custom" facility is powerful enough to be used to implement Patch, with the caveat
        that we now treat the Patch instruction specially in a few places. Those places were
        already effectively treating it specially by assuming that only Patch instructions have
        a Special as their first argument.

        This will let me implement the Shuffle instruction (bug 152952), which I think is needed
        for performance work.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirCustom.h: Added.
        (JSC::B3::Air::PatchCustom::forEachArg):
        (JSC::B3::Air::PatchCustom::isValidFormStatic):
        (JSC::B3::Air::PatchCustom::isValidForm):
        (JSC::B3::Air::PatchCustom::admitsStack):
        (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
        (JSC::B3::Air::PatchCustom::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::forEach):
        (JSC::B3::Air::Inst::extraClobberedRegs):
        (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
        (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
        (JSC::B3::Air::Inst::reportUsedRegisters):
        (JSC::B3::Air::Inst::hasSpecial): Deleted.
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirReportUsedRegisters.cpp:
        (JSC::B3::Air::reportUsedRegisters):
        * b3/air/opcode_generator.rb:

2016-01-11  Filip Pizlo  <fpizlo@apple.com>

        Turn Check(true) into Patchpoint() followed by Oops
        https://bugs.webkit.org/show_bug.cgi?id=152968

        Reviewed by Benjamin Poulain.

        This is an obvious strength reduction to have, especially since if we discover that the
        input to the Check is true after some amount of B3 optimization, then stubbing out the rest
        of the basic block unlocks CFG simplification opportunities.

        It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
        implement sinking (bug 152162).

        * b3/B3ControlValue.cpp:
        (JSC::B3::ControlValue::convertToJump):
        (JSC::B3::ControlValue::convertToOops):
        (JSC::B3::ControlValue::dumpMeta):
        * b3/B3ControlValue.h:
        * b3/B3InsertionSet.h:
        (JSC::B3::InsertionSet::insertValue):
        * b3/B3InsertionSetInlines.h:
        (JSC::B3::InsertionSet::insert):
        * b3/B3ReduceStrength.cpp:
        * b3/B3StackmapValue.h:
        * b3/B3Value.h:
        * tests/stress/ftl-force-osr-exit.js: Added.

2016-01-11  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
        https://bugs.webkit.org/show_bug.cgi?id=152840

        Reviewed by Mark Lam.

        ARM64 has two kinds of addressing with immediates:
        - Signed 9-bit direct (really only -256 to 255).
        - Unsigned 12-bit scaled by the load/store size.

        When resolving the stack addresses, we easily run
        past -256 bytes from FP. Addressing from SP gives us more
        room to address the stack efficiently because we can
        use unsigned immediates.

        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::repForArg):
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):

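This entry and the ARM64 memory-offset legalization entry above (bug 153065) rest on the same two immediate forms. The following is an added example, not the project's own B3LegalizeMemoryOffsets or AirAllocateStack code: a check for whether an offset fits either form for a given access size, the fallback of materializing base + offset into a new base register, and the FP-versus-SP choice for a stack slot. The helper names and the assumption that a slot at FP-relative offset o sits at o + frameSize above SP are mine.

```cpp
#include <cstdint>

// Hypothetical helper (not JSC's): can `offset` be encoded as an immediate on an
// ARM64 load/store of `accessBytes` bytes?
//  - signed 9-bit unscaled immediate: -256 .. 255
//  - unsigned 12-bit immediate scaled by the access size: 0 .. 4095 * accessBytes,
//    and only when the offset is a multiple of the access size
bool isValidARM64Offset(int64_t offset, unsigned accessBytes)
{
    const int64_t size = static_cast<int64_t>(accessBytes);
    if (offset >= -256 && offset <= 255)
        return true;
    if (offset < 0 || offset % size != 0)
        return false;
    return offset / size <= 4095;
}

// Result of legalizing one memory offset before lowering: either the original
// offset is kept, or base + offset is computed into a fresh base register ahead
// of the instruction and the instruction itself uses offset 0.
struct LegalizedOffset {
    bool needsBaseAdd;      // true when the base must be recomputed first
    int64_t baseAdjustment; // amount folded into the new base register
    int64_t offset;         // immediate that remains on the load/store
};

LegalizedOffset legalizeMemoryOffset(int64_t offset, unsigned accessBytes)
{
    if (isValidARM64Offset(offset, accessBytes))
        return { false, 0, offset };
    return { true, offset, 0 };
}

// Which register a stack slot should be addressed from.
enum class StackBase { FramePointer, StackPointer };

struct StackAddress {
    StackBase base;
    int64_t offset;
    bool encodable; // false when neither FP nor SP gives a valid immediate
};

// Stack slots sit below FP at a negative offset. Assumption: the same slot is at
// offsetFromFP + frameSize above SP. FP is preferred; SP is used once the slot
// runs past the -256 limit of the signed form, because the larger unsigned
// form only accepts non-negative, size-aligned offsets.
StackAddress resolveStackSlot(int64_t offsetFromFP, int64_t frameSize, unsigned accessBytes)
{
    if (isValidARM64Offset(offsetFromFP, accessBytes))
        return { StackBase::FramePointer, offsetFromFP, true };
    const int64_t offsetFromSP = offsetFromFP + frameSize;
    if (isValidARM64Offset(offsetFromSP, accessBytes))
        return { StackBase::StackPointer, offsetFromSP, true };
    return { StackBase::FramePointer, offsetFromFP, false };
}
```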
2016-01-10  Saam barati  <sbarati@apple.com>

        Implement a sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=151713

        Reviewed by Filip Pizlo.

        This patch implements a sampling profiler for JavaScriptCore
        that will be used in the Inspector UI. The implementation works as follows:
        We queue the sampling profiler to run a task on a background
        thread every 1ms. When the queued task executes, the sampling profiler
        will pause the JSC execution thread and attempt to take a stack trace.
        The sampling profiler does everything it can to be very careful
        while taking this stack trace. Because it's reading arbitrary memory,
        the sampling profiler must validate every pointer it reads from.

        The sampling profiler tries to get an ExecutableBase for every call frame
        it reads. It first tries to read the CodeBlock slot. It does this because
        it can be 100% certain that a pointer is a CodeBlock while it's taking a
        stack trace. But, not every call frame will have a CodeBlock. So we must read
        the call frame's callee. For these stack traces where we read the callee, we
        must verify the callee pointer, and the pointer traversal to an ExecutableBase,
        on the main JSC execution thread, and not on the thread taking the stack
        trace. We do this verification either before we run the marking phase in
        GC, or when somebody asks the SamplingProfiler to materialize its data.

        The SamplingProfiler must also be careful to not grab any locks while the JSC execution
        thread is paused (this means it can't do anything that mallocs) because
        that could cause a deadlock. Therefore, the sampling profiler grabs
        locks for all data structures it consults before it pauses the JSC
        execution thread.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
        (JSC::CodeBlockSet::mark):
        * dfg/DFGNodeType.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::promoteYoungCodeBlocks):
        (JSC::CodeBlockSet::clearMarksForFullCollection):
        (JSC::CodeBlockSet::lastChanceToFinalize):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::contains):
        (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
        (JSC::CodeBlockSet::remove): Deleted.
        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::getLock):
        (JSC::CodeBlockSet::iterate):
        The sampling profiler uses the heap's CodeBlockSet to validate
        CodeBlock pointers. This data structure must now be under a lock
        because we must be certain we're not pausing the JSC execution thread
        while it's manipulating this data structure.

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::grow):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::genericAddSpan):
        (JSC::ConservativeRoots::add):
        (JSC::CompositeMarkHook::CompositeMarkHook):
        (JSC::CompositeMarkHook::mark):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::visitSamplingProfiler):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::snapshotMarkedSpace):
        * heap/Heap.h:
        (JSC::Heap::structureIDTable):
        (JSC::Heap::codeBlockSet):
        * heap/MachineStackMarker.cpp:
        (pthreadSignalHandlerSuspendResume):
        (JSC::getCurrentPlatformThread):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::Thread::operator==):
        (JSC::isThreadInList):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::Thread::Thread):
        (JSC::MachineThreads::Thread::~Thread):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::Thread::resume):
        (JSC::MachineThreads::Thread::getRegisters):
        (JSC::MachineThreads::Thread::Registers::stackPointer):
        (JSC::MachineThreads::Thread::Registers::framePointer):
        (JSC::MachineThreads::Thread::Registers::instructionPointer):
        (JSC::MachineThreads::Thread::freeRegisters):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::pthreadSignalHandlerSuspendResume): Deleted.
        (JSC::MachineThreads::Thread::operator!=): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::Thread::operator!=):
        (JSC::MachineThreads::getLock):
        (JSC::MachineThreads::threadsListHead):
        We can now ask a MachineThreads::Thread for its frame pointer
        and program counter on Darwin and Windows platforms. EFL
        and GTK implementations will happen in another patch.

        * heap/MarkedBlockSet.h:
        (JSC::MarkedBlockSet::getLock):
        (JSC::MarkedBlockSet::add):
        (JSC::MarkedBlockSet::remove):
        (JSC::MarkedBlockSet::recomputeFilter):
        (JSC::MarkedBlockSet::filter):
        (JSC::MarkedBlockSet::set):
        * heap/MarkedSpace.cpp:
        (JSC::Free::Free):
        (JSC::Free::operator()):
        (JSC::FreeOrShrink::FreeOrShrink):
        (JSC::FreeOrShrink::operator()):
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::isPagedOut):
        (JSC::MarkedSpace::freeBlock):
        (JSC::MarkedSpace::freeOrShrinkBlock):
        (JSC::MarkedSpace::shrink):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachLiveCell):
        (JSC::MarkedSpace::forEachDeadCell):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::callee):
        (JSC::ExecState::unsafeCallee):
        (JSC::ExecState::codeBlock):
        (JSC::ExecState::scope):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::dumpProfile):
        (JSC::ExecutableAllocator::getLock):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        (JSC::ExecutableAllocator::getLock):
        (JSC::ExecutableAllocator::committedByteCount):
        The sampling profiler consults the ExecutableAllocator to check
        if the frame pointer it reads is in executable allocated memory.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCheckModuleSyntax):
        (functionStartSamplingProfiler):
        (functionSamplingProfilerStackTraces):
        * llint/LLIntPCRanges.h: Added.
        (JSC::LLInt::isLLIntPC):
        * offlineasm/asm.rb:
        I added the ability to test whether the PC is executing
        LLInt code because this code is not part of the memory
        our executable allocator allocates.

        * runtime/Executable.h:
        (JSC::ExecutableBase::isModuleProgramExecutable):
        (JSC::ExecutableBase::isExecutableType):
        (JSC::ExecutableBase::isHostFunction):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::unlock):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp: Added.
        (JSC::reportStats):
        (JSC::FrameWalker::FrameWalker):
        (JSC::FrameWalker::walk):
        (JSC::FrameWalker::wasValidWalk):
        (JSC::FrameWalker::advanceToParentFrame):
        (JSC::FrameWalker::isAtTop):
        (JSC::FrameWalker::resetAtMachineFrame):
        (JSC::FrameWalker::isValidFramePointer):
        (JSC::FrameWalker::isValidCodeBlock):
        (JSC::FrameWalker::tryToGetExecutableFromCallee):
        The FrameWalker class is used to walk the stack in a safe
        manner. It doesn't do anything that would deadlock, and it
        validates all pointers that it sees.

        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::~SamplingProfiler):
        (JSC::SamplingProfiler::visit):
        (JSC::SamplingProfiler::shutdown):
        (JSC::SamplingProfiler::start):
        (JSC::SamplingProfiler::stop):
        (JSC::SamplingProfiler::pause):
        (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
        (JSC::SamplingProfiler::dispatchIfNecessary):
741         (JSC::SamplingProfiler::dispatchFunction):
742         (JSC::SamplingProfiler::noticeJSLockAcquisition):
743         (JSC::SamplingProfiler::noticeVMEntry):
744         (JSC::SamplingProfiler::observeStackTrace):
745         (JSC::SamplingProfiler::clearData):
746         (JSC::displayName):
747         (JSC::startLine):
748         (JSC::startColumn):
749         (JSC::sourceID):
750         (JSC::url):
751         (JSC::SamplingProfiler::stacktracesAsJSON):
752         * runtime/SamplingProfiler.h: Added.
753         (JSC::SamplingProfiler::getLock):
754         (JSC::SamplingProfiler::setTimingInterval):
755         (JSC::SamplingProfiler::stackTraces):
756         * runtime/VM.cpp:
757         (JSC::VM::VM):
758         (JSC::VM::~VM):
759         (JSC::VM::setLastStackTop):
760         (JSC::VM::createContextGroup):
761         (JSC::VM::ensureWatchdog):
762         (JSC::VM::ensureSamplingProfiler):
763         (JSC::thunkGeneratorForIntrinsic):
764         * runtime/VM.h:
765         (JSC::VM::watchdog):
766         (JSC::VM::isSafeToRecurse):
767         (JSC::VM::lastStackTop):
768         (JSC::VM::scratchBufferForSize):
769         (JSC::VM::samplingProfiler):
770         (JSC::VM::setShouldRewriteConstAsVar):
771         (JSC::VM::setLastStackTop): Deleted.
772         * runtime/VMEntryScope.cpp:
773         (JSC::VMEntryScope::VMEntryScope):
774         * tests/stress/sampling-profiler: Added.
775         * tests/stress/sampling-profiler-anonymous-function.js: Added.
776         (foo):
777         (baz):
778         * tests/stress/sampling-profiler-basic.js: Added.
779         (bar):
780         (foo):
781         (nothing):
782         (top):
783         (jaz):
784         (kaz):
785         (checkInlining):
786         * tests/stress/sampling-profiler-deep-stack.js: Added.
787         (foo):
788         (hellaDeep):
789         (start):
790         * tests/stress/sampling-profiler-microtasks.js: Added.
791         (testResults):
792         (loop.jaz):
793         (loop):
794         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
795         (assert):
796         (let.nodePrototype.makeChildIfNeeded):
797         (makeNode):
798         (updateCallingContextTree):
799         (doesTreeHaveStackTrace):
800         (makeTree):
801         (runTest):
802         (dumpTree):
803         * tools/JSDollarVMPrototype.cpp:
804         (JSC::JSDollarVMPrototype::isInObjectSpace):
805         (JSC::JSDollarVMPrototype::isInStorageSpace):
806         * yarr/YarrJIT.cpp:
807         (JSC::Yarr::YarrGenerator::generateEnter):
808         (JSC::Yarr::YarrGenerator::generateReturn):
809         (JSC::Yarr::YarrGenerator::YarrGenerator):
810         (JSC::Yarr::YarrGenerator::compile):
811         (JSC::Yarr::jitCompile):
812         We now have a boolean that's set to true when
813         we're executing a RegExp, and to false otherwise.
814         The boolean lives off of VM.
815
816         * CMakeLists.txt:
817         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
818         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
819         * JavaScriptCore.xcodeproj/project.pbxproj:
820         * bytecode/CodeBlock.h:
821         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
822         (JSC::CodeBlockSet::mark):
823         * dfg/DFGNodeType.h:
824         * heap/CodeBlockSet.cpp:
825         (JSC::CodeBlockSet::add):
826         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
827         (JSC::CodeBlockSet::clearMarksForFullCollection):
828         (JSC::CodeBlockSet::lastChanceToFinalize):
829         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
830         (JSC::CodeBlockSet::contains):
831         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
832         (JSC::CodeBlockSet::remove): Deleted.
833         * heap/CodeBlockSet.h:
834         (JSC::CodeBlockSet::getLock):
835         (JSC::CodeBlockSet::iterate):
836         * heap/ConservativeRoots.cpp:
837         (JSC::ConservativeRoots::ConservativeRoots):
838         (JSC::ConservativeRoots::genericAddPointer):
839         (JSC::ConservativeRoots::add):
840         (JSC::CompositeMarkHook::CompositeMarkHook):
841         (JSC::CompositeMarkHook::mark):
842         * heap/ConservativeRoots.h:
843         * heap/Heap.cpp:
844         (JSC::Heap::markRoots):
845         (JSC::Heap::visitHandleStack):
846         (JSC::Heap::visitSamplingProfiler):
847         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
848         * heap/Heap.h:
849         (JSC::Heap::structureIDTable):
850         (JSC::Heap::codeBlockSet):
851         * heap/HeapInlines.h:
852         (JSC::Heap::didFreeBlock):
853         (JSC::Heap::isPointerGCObject):
854         (JSC::Heap::isValueGCObject):
855         * heap/MachineStackMarker.cpp:
856         (pthreadSignalHandlerSuspendResume):
857         (JSC::getCurrentPlatformThread):
858         (JSC::MachineThreads::MachineThreads):
859         (JSC::MachineThreads::~MachineThreads):
860         (JSC::MachineThreads::Thread::createForCurrentThread):
861         (JSC::MachineThreads::Thread::operator==):
862         (JSC::isThreadInList):
863         (JSC::MachineThreads::addCurrentThread):
864         (JSC::MachineThreads::machineThreadForCurrentThread):
865         (JSC::MachineThreads::removeThread):
866         (JSC::MachineThreads::gatherFromCurrentThread):
867         (JSC::MachineThreads::Thread::Thread):
868         (JSC::MachineThreads::Thread::~Thread):
869         (JSC::MachineThreads::Thread::suspend):
870         (JSC::MachineThreads::Thread::resume):
871         (JSC::MachineThreads::Thread::getRegisters):
872         (JSC::MachineThreads::Thread::Registers::stackPointer):
873         (JSC::MachineThreads::Thread::Registers::framePointer):
874         (JSC::MachineThreads::Thread::Registers::instructionPointer):
875         (JSC::MachineThreads::Thread::freeRegisters):
876         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
877         (JSC::MachineThreads::Thread::operator!=): Deleted.
878         * heap/MachineStackMarker.h:
879         (JSC::MachineThreads::Thread::operator!=):
880         (JSC::MachineThreads::getLock):
881         (JSC::MachineThreads::threadsListHead):
882         * heap/MarkedBlockSet.h:
883         * heap/MarkedSpace.cpp:
884         (JSC::Free::Free):
885         (JSC::Free::operator()):
886         (JSC::FreeOrShrink::FreeOrShrink):
887         (JSC::FreeOrShrink::operator()):
888         * interpreter/CallFrame.h:
889         (JSC::ExecState::calleeAsValue):
890         (JSC::ExecState::callee):
891         (JSC::ExecState::unsafeCallee):
892         (JSC::ExecState::codeBlock):
893         (JSC::ExecState::scope):
894         * jit/ExecutableAllocator.cpp:
895         (JSC::ExecutableAllocator::dumpProfile):
896         (JSC::ExecutableAllocator::getLock):
897         (JSC::ExecutableAllocator::isValidExecutableMemory):
898         * jit/ExecutableAllocator.h:
899         * jit/ExecutableAllocatorFixedVMPool.cpp:
900         (JSC::ExecutableAllocator::allocate):
901         (JSC::ExecutableAllocator::isValidExecutableMemory):
902         (JSC::ExecutableAllocator::getLock):
903         (JSC::ExecutableAllocator::committedByteCount):
904         * jsc.cpp:
905         (GlobalObject::finishCreation):
906         (functionCheckModuleSyntax):
907         (functionPlatformSupportsSamplingProfiler):
908         (functionStartSamplingProfiler):
909         (functionSamplingProfilerStackTraces):
910         * llint/LLIntPCRanges.h: Added.
911         (JSC::LLInt::isLLIntPC):
912         * offlineasm/asm.rb:
913         * runtime/Executable.h:
914         (JSC::ExecutableBase::isModuleProgramExecutable):
915         (JSC::ExecutableBase::isExecutableType):
916         (JSC::ExecutableBase::isHostFunction):
917         * runtime/JSLock.cpp:
918         (JSC::JSLock::didAcquireLock):
919         (JSC::JSLock::unlock):
920         * runtime/Options.h:
921         * runtime/SamplingProfiler.cpp: Added.
922         (JSC::reportStats):
923         (JSC::FrameWalker::FrameWalker):
924         (JSC::FrameWalker::walk):
925         (JSC::FrameWalker::wasValidWalk):
926         (JSC::FrameWalker::advanceToParentFrame):
927         (JSC::FrameWalker::isAtTop):
928         (JSC::FrameWalker::resetAtMachineFrame):
929         (JSC::FrameWalker::isValidFramePointer):
930         (JSC::FrameWalker::isValidCodeBlock):
931         (JSC::SamplingProfiler::SamplingProfiler):
932         (JSC::SamplingProfiler::~SamplingProfiler):
933         (JSC::SamplingProfiler::processUnverifiedStackTraces):
934         (JSC::SamplingProfiler::visit):
935         (JSC::SamplingProfiler::shutdown):
936         (JSC::SamplingProfiler::start):
937         (JSC::SamplingProfiler::stop):
938         (JSC::SamplingProfiler::pause):
939         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
940         (JSC::SamplingProfiler::dispatchIfNecessary):
941         (JSC::SamplingProfiler::dispatchFunction):
942         (JSC::SamplingProfiler::noticeJSLockAcquisition):
943         (JSC::SamplingProfiler::noticeVMEntry):
944         (JSC::SamplingProfiler::clearData):
945         (JSC::displayName):
946         (JSC::SamplingProfiler::stacktracesAsJSON):
947         (WTF::printInternal):
948         * runtime/SamplingProfiler.h: Added.
949         (JSC::SamplingProfiler::StackFrame::StackFrame):
950         (JSC::SamplingProfiler::getLock):
951         (JSC::SamplingProfiler::setTimingInterval):
952         (JSC::SamplingProfiler::stackTraces):
953         * runtime/VM.cpp:
954         (JSC::VM::VM):
955         (JSC::VM::~VM):
956         (JSC::VM::setLastStackTop):
957         (JSC::VM::createContextGroup):
958         (JSC::VM::ensureWatchdog):
959         (JSC::VM::ensureSamplingProfiler):
960         (JSC::thunkGeneratorForIntrinsic):
961         * runtime/VM.h:
962         (JSC::VM::watchdog):
963         (JSC::VM::samplingProfiler):
964         (JSC::VM::isSafeToRecurse):
965         (JSC::VM::lastStackTop):
966         (JSC::VM::scratchBufferForSize):
967         (JSC::VM::setLastStackTop): Deleted.
968         * runtime/VMEntryScope.cpp:
969         (JSC::VMEntryScope::VMEntryScope):
970         * tests/stress/sampling-profiler: Added.
971         * tests/stress/sampling-profiler-anonymous-function.js: Added.
972         (platformSupportsSamplingProfiler.foo):
973         (platformSupportsSamplingProfiler.baz):
974         (platformSupportsSamplingProfiler):
975         * tests/stress/sampling-profiler-basic.js: Added.
976         (platformSupportsSamplingProfiler.bar):
977         (platformSupportsSamplingProfiler.foo):
978         (platformSupportsSamplingProfiler.nothing):
979         (platformSupportsSamplingProfiler.top):
980         (platformSupportsSamplingProfiler.jaz):
981         (platformSupportsSamplingProfiler.kaz):
982         (platformSupportsSamplingProfiler.checkInlining):
983         (platformSupportsSamplingProfiler):
984         * tests/stress/sampling-profiler-deep-stack.js: Added.
985         (platformSupportsSamplingProfiler.foo):
986         (platformSupportsSamplingProfiler.let.hellaDeep):
987         (platformSupportsSamplingProfiler.let.start):
988         (platformSupportsSamplingProfiler):
989         * tests/stress/sampling-profiler-microtasks.js: Added.
990         (platformSupportsSamplingProfiler.testResults):
991         (platformSupportsSamplingProfiler):
992         (platformSupportsSamplingProfiler.loop.jaz):
993         (platformSupportsSamplingProfiler.loop):
994         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
995         (assert):
996         (let.nodePrototype.makeChildIfNeeded):
997         (makeNode):
998         (updateCallingContextTree):
999         (doesTreeHaveStackTrace):
1000         (makeTree):
1001         (runTest):
1002         (dumpTree):
1003         * yarr/YarrJIT.cpp:
1004         (JSC::Yarr::YarrGenerator::generateEnter):
1005         (JSC::Yarr::YarrGenerator::generateReturn):
1006         (JSC::Yarr::YarrGenerator::YarrGenerator):
1007         (JSC::Yarr::YarrGenerator::compile):
1008         (JSC::Yarr::jitCompile):
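
The stress tests listed above (samplingProfiler.js) aggregate the profiler's stack traces into a calling-context tree. The following is an added example of that aggregation, written for this page and not taken from the JSC test harness; it assumes each sampled stack trace is an array of function names ordered leaf-first, which is a constructed convention for the sample data below.

```javascript
// Added example (not JSC's own code): aggregate sampled stack traces into a
// calling-context tree, the kind of structure the sampling-profiler stress
// tests build from the profiler's output. Assumed sample shape: each stack
// trace is an array of function names ordered from the leaf (top of stack)
// to the root.

function makeNode(name) {
  return { name, sampleCount: 0, children: new Map() };
}

// Insert one stack trace into the tree. The trace is leaf-first, so we walk
// it backwards to make callers the parents of their callees.
function updateCallingContextTree(root, stackTrace) {
  let node = root;
  for (let i = stackTrace.length - 1; i >= 0; i--) {
    const name = stackTrace[i];
    let child = node.children.get(name);
    if (!child) {
      child = makeNode(name);
      node.children.set(name, child);
    }
    node = child;
  }
  node.sampleCount++; // only the leaf frame owns the sample ("self" samples)
  return root;
}

function makeTree(stackTraces) {
  const root = makeNode("(root)");
  for (const trace of stackTraces) updateCallingContextTree(root, trace);
  return root;
}

// True if this exact call path (leaf-first) exists and was sampled at its leaf.
function doesTreeHaveStackTrace(root, stackTrace) {
  let node = root;
  for (let i = stackTrace.length - 1; i >= 0; i--) {
    node = node.children.get(stackTrace[i]);
    if (!node) return false;
  }
  return node.sampleCount > 0;
}

// Samples in the subtree rooted at node ("inclusive" samples for that frame).
function inclusiveSamples(node) {
  let total = node.sampleCount;
  for (const child of node.children.values()) total += inclusiveSamples(child);
  return total;
}

// Constructed sample data: what a profiler might report for a program where
// top() calls foo() which calls bar(), with most samples landing in bar().
const CONSTRUCTED_TRACES = [
  ["bar", "foo", "top"],
  ["bar", "foo", "top"],
  ["foo", "top"],
  ["baz", "top"],
  ["top"],
];

const tree = makeTree(CONSTRUCTED_TRACES);
```

Keeping sample counts only on leaf nodes and deriving inclusive counts by summing subtrees is what lets the same tree answer both "where was the program executing" and "which callers led there" questions.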
1009
1010 2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1011
1012         [JSC] Iterating over a Set/Map is too slow
1013         https://bugs.webkit.org/show_bug.cgi?id=152691
1014
1015         Reviewed by Saam Barati.
1016
1017         Set#forEach and Set & for-of are very slow. There are 2 reasons.
1018
1019         1. forEach is implemented in C++, and it typically takes a JS callback and calls it from C++.
1020
1021         The C++ to JS transition seems costly. The perf result on a Linux machine shows this.
1022
1023             Samples: 23K of event 'cycles', Event count (approx.): 21446074385
1024             34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
1025             20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
1026              9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
1027              7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
1028              5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f
1029
1030         Writing forEach in JS eliminates this.
1031
1032             Samples: 23K of event 'cycles', Event count (approx.): 21255691651
1033             62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
1034             24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
1035              0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
1036              0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
1037              0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
1038              0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
1039              0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)
1040
1041         2. Iterator result object allocation is costly.
1042
1043         Iterator result object allocation is costly. Even if (1) is solved, when executing Set & for-of, the perf result shows very slow performance due to (2).
1044
1045             Samples: 108K of event 'cycles', Event count (approx.): 95529273748
1046             18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
1047             15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
1048             14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
1049             13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
1050              6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const
1051
1052         In the long term, we should implement SetIterator#next in JS and write the iterator result object allocation in JS to encourage object allocation elimination in FTL.
1053         But seeing the perf result, we can find an easy-to-fix bottleneck in the current implementation.
1054         Every time, createIteratorResultObject creates an empty object and uses putDirect to store the properties.
1055         The pre-baked Structure* with `done` and `value` properties makes this implementation fast.
1056
1057         After these improvements, the micro benchmark[1] shows the following.
1058
1059         old:
1060             Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
1061             Array x 376,156 ops/sec ±0.20% (162 runs sampled)
1062             Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
1063             Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
1064             Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
1065             Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)
1066
1067         new:
1068             Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
1069             Array x 371,347 ops/sec ±0.36% (162 runs sampled)
1070             Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
1071             Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
1072             Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
1073             Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)
1074
1075         Set#forEach becomes comparable to Array#forEach, and Set#forEach and Set & for-of are improved (1.79x and 2.57x).
1076         After these optimizations, they are still much slower than linked list and array.
1077         This should be optimized in the long term.
1078
1079         [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0
1080
1081         * CMakeLists.txt:
1082         * DerivedSources.make:
1083         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1084         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1085         * JavaScriptCore.xcodeproj/project.pbxproj:
1086         * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
1087         (forEach):
1088         * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
1089         (forEach):
1090         * runtime/CommonIdentifiers.h:
1091         * runtime/IteratorOperations.cpp:
1092         (JSC::createIteratorResultObjectStructure):
1093         (JSC::createIteratorResultObject):
1094         * runtime/IteratorOperations.h:
1095         * runtime/JSGlobalObject.cpp:
1096         (JSC::JSGlobalObject::init):
1097         (JSC::JSGlobalObject::visitChildren):
1098         * runtime/JSGlobalObject.h:
1099         (JSC::JSGlobalObject::iteratorResultObjectStructure):
1100         (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
1101         (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
1102         * runtime/MapPrototype.cpp:
1103         (JSC::MapPrototype::getOwnPropertySlot):
1104         (JSC::privateFuncIsMap):
1105         (JSC::privateFuncMapIterator):
1106         (JSC::privateFuncMapIteratorNext):
1107         (JSC::MapPrototype::finishCreation): Deleted.
1108         (JSC::mapProtoFuncForEach): Deleted.
1109         * runtime/MapPrototype.h:
1110         * runtime/SetPrototype.cpp:
1111         (JSC::SetPrototype::getOwnPropertySlot):
1112         (JSC::privateFuncIsSet):
1113         (JSC::privateFuncSetIterator):
1114         (JSC::privateFuncSetIteratorNext):
1115         (JSC::SetPrototype::finishCreation): Deleted.
1116         (JSC::setProtoFuncForEach): Deleted.
1117         * runtime/SetPrototype.h:
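
The entry above moves Set#forEach and Map#forEach from C++ into JavaScript built on the iterator protocol. The following is an added example of that approach, written for this page; it is not the patch's builtins/SetPrototype.js or builtins/MapPrototype.js. Where the builtins use private iterator intrinsics, this version uses the public values()/entries() iterators, and the sample inputs are constructed.

```javascript
// Added example (not the patch's own builtins): Set#forEach and Map#forEach
// written in JavaScript on top of the iterator protocol, so that the
// per-element callback is a JS-to-JS call instead of a C++-to-JS transition.
// The public .values()/.entries() iterators stand in for the private
// iterator intrinsics the real builtins use.

function checkCallable(callback, name) {
  if (typeof callback !== "function")
    throw new TypeError(name + " callback must be a function");
}

// Set.prototype.forEach semantics: the callback receives (value, value, set),
// and elements added during iteration are visited because the iterator is live.
function setForEach(set, callback, thisArg) {
  checkCallable(callback, "Set.prototype.forEach");
  const iterator = set.values();
  for (let r = iterator.next(); !r.done; r = iterator.next())
    callback.call(thisArg, r.value, r.value, set);
}

// Map.prototype.forEach semantics: the callback receives (value, key, map).
function mapForEach(map, callback, thisArg) {
  checkCallable(callback, "Map.prototype.forEach");
  const iterator = map.entries();
  for (let r = iterator.next(); !r.done; r = iterator.next()) {
    const entry = r.value;
    callback.call(thisArg, entry[1], entry[0], map);
  }
}

// Constructed sample: record what the callback sees, and grow the set while
// iterating to show that the live iterator picks up the new element.
function collectSetVisits(seed) {
  const set = new Set(seed);
  const visited = [];
  setForEach(set, function (value, key, s) {
    visited.push([value, key, s === set, this.tag]);
    if (value === "grow") s.add("added-during-iteration");
  }, { tag: "ctx" });
  return visited;
}

function collectMapVisits(entries) {
  const map = new Map(entries);
  const out = [];
  mapForEach(map, (value, key) => out.push(key + "=" + value));
  return out;
}

// Returns true if a non-callable callback is rejected with a TypeError.
function rejectsNonCallable() {
  try {
    setForEach(new Set([1]), 42);
  } catch (e) {
    return e instanceof TypeError;
  }
  return false;
}
```

The callable check runs before any element is visited, which matches the spec ordering and means a caller never sees a partially iterated collection on error.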
1118
1119 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
1120
1121         Unreviewed, fix ARM64 build.
1122
1123         * b3/air/AirOpcode.opcodes:
1124
1125 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
1126
1127         B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
1128         https://bugs.webkit.org/show_bug.cgi?id=152955
1129
1130         Reviewed by Saam Barati.
1131
1132         This happens when we box an int32 and then immediately unbox it.
1133
1134         This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
1135         benchmark. It's neutral elsewhere.
1136
1137         * b3/B3ReduceStrength.cpp:
1138         * b3/testb3.cpp:
1139         (JSC::B3::testPowDoubleByIntegerLoop):
1140         (JSC::B3::testTruncOrHigh):
1141         (JSC::B3::testTruncOrLow):
1142         (JSC::B3::testBitAndOrHigh):
1143         (JSC::B3::testBitAndOrLow):
1144         (JSC::B3::zero):
1145         (JSC::B3::run):
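
The reduction above is sound because Trunc keeps only the low 32 bits, so OR-ing in a constant whose low 32 bits are zero cannot change the result. The following is an added example, written for this page and not B3's own code, that applies the same rule over a toy IR using BigInt for 64-bit values; the node shape and the tag constants are constructed for the example (the real JSValue number tag is not shown here).

```javascript
// Added example (not B3ReduceStrength itself): a miniature strength reducer
// over a toy IR, using BigInt for 64-bit arithmetic. The rule demonstrated:
//   Trunc(BitOr(value, constant)) => Trunc(value)  when !(constant & 0xffffffff)
// Node shape assumed here: { op, children, value? } with ops Arg, Const64,
// BitOr and Trunc.

const MASK32 = 0xffffffffn;

function const64(v)  { return { op: "Const64", children: [], value: BigInt.asIntN(64, v) }; }
function bitOr(a, b) { return { op: "BitOr", children: [a, b] }; }
function trunc(a)    { return { op: "Trunc", children: [a] }; }
function arg()       { return { op: "Arg", children: [] }; } // the free input

function isConst64(n) { return n.op === "Const64"; }

// Simplify bottom-up; returns an equivalent node, unchanged when no rule applies.
function reduceStrength(node) {
  const children = node.children.map(reduceStrength);
  const n = { ...node, children };
  if (n.op === "Trunc" && children[0].op === "BitOr") {
    const [value, constant] = children[0].children;
    // Only the low 32 bits survive Trunc, so a constant with zero low bits is a no-op.
    if (isConst64(constant) && (constant.value & MASK32) === 0n)
      return trunc(value);
  }
  return n;
}

// Evaluate the IR for a given Arg value. Int64 wraps; Trunc yields an int32.
function evaluate(node, argValue) {
  switch (node.op) {
    case "Const64": return node.value;
    case "Arg":     return BigInt.asIntN(64, argValue);
    case "BitOr":   return BigInt.asIntN(64, evaluate(node.children[0], argValue) | evaluate(node.children[1], argValue));
    case "Trunc":   return BigInt.asIntN(32, evaluate(node.children[0], argValue));
    default:        throw new Error("unknown op " + node.op);
  }
}

function nodeCount(node) {
  return 1 + node.children.reduce((sum, c) => sum + nodeCount(c), 0);
}

// Constructed scenario: box an int32 by OR-ing in a tag, then immediately
// unbox it with Trunc. These tag constants are made up for the example.
const TAG_HIGH_ONLY = 0xfffe000000000000n; // low 32 bits clear: rule applies
const TAG_LOW_BITS  = 0x0000000080000000n; // touches bit 31: rule must not fire

function boxThenUnbox(tag) { return trunc(bitOr(arg(), const64(tag))); }

// Sanity check that a reduction preserves semantics on constructed inputs,
// including edge values at the int32 boundaries.
function reductionIsSound(before, after) {
  const inputs = [0n, 1n, -1n, 0x7fffffffn, -0x80000000n, 0x123456789n];
  return inputs.every(x => evaluate(before, x) === evaluate(after, x));
}
```

The negative case matters as much as the positive one: a constant that touches any of the low 32 bits (here bit 31) must leave the BitOr in place, and the evaluator is what lets you confirm that the reduced and unreduced trees agree whenever the rule fires.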
1146
1147 2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
1148
1149         [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
1150         https://bugs.webkit.org/show_bug.cgi?id=149855
1151
1152         Reviewed by Saam Barati.
1153
1154         JSArrowFunction.h/cpp were removed from JavaScriptCore, because a new approach is now used for storing
1155         'this', 'arguments' and 'super'.
1156
1157         * CMakeLists.txt:
1158         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1159         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1160         * JavaScriptCore.xcodeproj/project.pbxproj:
1161         * dfg/DFGAbstractInterpreterInlines.h:
1162         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1163         * dfg/DFGSpeculativeJIT.cpp:
1164         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1165         * dfg/DFGStructureRegistrationPhase.cpp:
1166         (JSC::DFG::StructureRegistrationPhase::run):
1167         * ftl/FTLAbstractHeapRepository.cpp:
1168         * ftl/FTLAbstractHeapRepository.h:
1169         * ftl/FTLLowerDFGToLLVM.cpp:
1170         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
1171         * interpreter/Interpreter.cpp:
1172         * interpreter/Interpreter.h:
1173         * jit/JITOpcodes.cpp:
1174         * jit/JITOpcodes32_64.cpp:
1175         * jit/JITOperations.cpp:
1176         * jit/JITOperations.h:
1177         * llint/LLIntOffsetsExtractor.cpp:
1178         * llint/LLIntSlowPaths.cpp:
1179         * runtime/JSArrowFunction.cpp: Removed.
1180         * runtime/JSArrowFunction.h: Removed.
1181         * runtime/JSGlobalObject.cpp:
1182         * runtime/JSGlobalObject.h:
1183
1184 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
1185
1186         It should be possible to run liveness over registers without also tracking Tmps
1187         https://bugs.webkit.org/show_bug.cgi?id=152963
1188
1189         Reviewed by Saam Barati.
1190
1191         This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
1192         easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
1193         code like that for handling cold function calls. It also makes code like that somewhat more
1194         scalable, since we're no longer using HashSets.
1195
1196         Currently, the way we track sets of registers is with a BitVector. Normally, we use the
1197         RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
1198         the liveness analysis, everything gets turned into an index. So, we want to use BitVector
1199         directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
1200         think that this is good, because the lack of set methods (add/remove/contains) has caused
1201         bugs in the past. This makes BitVector have methods both for set operations on bits and array
1202         operations on bits. I think that's good, since BitVector gets used in both contexts.
1203
1204         * b3/B3IndexSet.h:
1205         (JSC::B3::IndexSet::Iterable::iterator::iterator):
1206         (JSC::B3::IndexSet::Iterable::begin):
1207         (JSC::B3::IndexSet::dump):
1208         * b3/air/AirInstInlines.h:
1209         (JSC::B3::Air::ForEach<Tmp>::forEach):
1210         (JSC::B3::Air::ForEach<Arg>::forEach):
1211         (JSC::B3::Air::ForEach<Reg>::forEach):
1212         (JSC::B3::Air::Inst::forEach):
1213         * b3/air/AirLiveness.h:
1214         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
1215         (JSC::B3::Air::RegLivenessAdapter::maxIndex):
1216         (JSC::B3::Air::RegLivenessAdapter::acceptsType):
1217         (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
1218         (JSC::B3::Air::RegLivenessAdapter::indexToValue):
1219         * b3/air/AirReportUsedRegisters.cpp:
1220         (JSC::B3::Air::reportUsedRegisters):
1221         * jit/Reg.h:
1222         (JSC::Reg::next):
1223         (JSC::Reg::index):
1224         (JSC::Reg::maxIndex):
1225         (JSC::Reg::isSet):
1226         (JSC::Reg::operator bool):
1227         * jit/RegisterSet.h:
1228         (JSC::RegisterSet::forEach):
1229
1230 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
1231
1232         [JSC] Make branchMul functional in ARM B3 and minor fixes
1233         https://bugs.webkit.org/show_bug.cgi?id=152889
1234
1235         Reviewed by Mark Lam.
1236
1237         ARM64 does not have an "S" version of MUL setting the flags.
1238         What we do is abstract that in the MacroAssembler. The problem
1239         is that form requires scratch registers.
1240
1241         For simplicity, I just exposed the two scratch registers
1242         for Air. Filip already added the concept of Scratch role,
1243         all I needed was to expose it for opcodes.
1244
1245         * assembler/MacroAssemblerARM64.h:
1246         (JSC::MacroAssemblerARM64::branchMul32):
1247         (JSC::MacroAssemblerARM64::branchMul64):
1248         Expose a version with the scratch registers as arguments.
1249
1250         * b3/B3LowerToAir.cpp:
1251         (JSC::B3::Air::LowerToAir::lower):
1252         Add the new form of CheckMul lowering.
1253
1254         * b3/air/AirOpcode.opcodes:
1255         Expose the new BranchMuls.
1256         Remove all the Test variants that use immediates
1257         since Air can't handle those immediates correctly yet.
1258
1259         * b3/air/opcode_generator.rb:
1260         Expose the Scratch role.
1261
1262         * b3/testb3.cpp:
1263         (JSC::B3::testPatchpointLotsOfLateAnys):
1264         Ooops, the scratch registers were not clobbered. We were just lucky
1265         on x86.
1266
1267 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
1268
1269         [JSC] B3 is unable to do function calls on ARM64
1270         https://bugs.webkit.org/show_bug.cgi?id=152895
1271
1272         Reviewed by Mark Lam.
1273
1274         Apparently iOS does not follow the ARM64 ABI for function calls.
1275         Instead of giving each value an 8-byte slot, it must be packed
1276         while preserving alignment.
1277
1278         This patch adds a #ifdef to make function calls functional.
1279
1280         * b3/B3LowerToAir.cpp:
1281         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
1282         (JSC::B3::Air::LowerToAir::lower):
1283
1284 2016-01-09  Filip Pizlo  <fpizlo@apple.com>
1285
1286         Air should support Branch64 with immediates
1287         https://bugs.webkit.org/show_bug.cgi?id=152951
1288
1289         Reviewed by Oliver Hunt.
1290
1291         This doesn't significantly improve performance on any benchmarks, but it's great to get this
1292         obvious omission out of the way.
1293
1294         * assembler/MacroAssemblerX86_64.h:
1295         (JSC::MacroAssemblerX86_64::branch64):
1296         * b3/air/AirOpcode.opcodes:
1297         * b3/testb3.cpp:
1298         (JSC::B3::testPowDoubleByIntegerLoop):
1299         (JSC::B3::testBranch64Equal):
1300         (JSC::B3::testBranch64EqualImm):
1301         (JSC::B3::testBranch64EqualMem):
1302         (JSC::B3::testBranch64EqualMemImm):
1303         (JSC::B3::zero):
1304         (JSC::B3::run):
1305
1306 2016-01-09  Dan Bernstein  <mitz@apple.com>
1307
1308         [Cocoa] Allow overriding the frameworks directory independently of using a staging install path
1309         https://bugs.webkit.org/show_bug.cgi?id=152926
1310
1311         Reviewed by Tim Horton.
1312
1313         Introduce a new build setting, WK_OVERRIDE_FRAMEWORKS_DIR. When not empty, it determines
1314         where the frameworks are installed. Setting USE_STAGING_INSTALL_PATH to YES sets
1315         WK_OVERRIDE_FRAMEWORKS_DIR to $(SYSTEM_LIBRARY_DIR)/StagedFrameworks/Safari.
1316
1317         Account for the possibility of WK_OVERRIDE_FRAMEWORKS_DIR containing spaces.
1318
1319         * Configurations/Base.xcconfig:
1320         - Replace STAGED_FRAMEWORKS_SEARCH_PATH in FRAMEWORK_SEARCH_PATHS with
1321           WK_OVERRIDE_FRAMEWORKS_DIR and add quotes to account for spaces.
1322         - Define JAVASCRIPTCORE_FRAMEWORKS_DIR based on WK_OVERRIDE_FRAMEWORKS_DIR.
1323         * Configurations/JSC.xcconfig:
1324           Add quotes to account for spaces.
1325         * Configurations/ToolExecutable.xcconfig:
1326           Ditto.
1327         * postprocess-headers.sh:
1328           Ditto.
1329
1330 2016-01-09  Mark Lam  <mark.lam@apple.com>
1331
1332         The FTL allocated spill slots for BinaryOps is sometimes inaccurate.
1333         https://bugs.webkit.org/show_bug.cgi?id=152918
1334
1335         Reviewed by Filip Pizlo and Saam Barati.
1336
1337         * ftl/FTLCompile.cpp:
1338         - Updated a comment.
1339         * ftl/FTLLowerDFGToLLVM.cpp:
1340         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1341         - The code to compute maxNumberOfCatchSpills was unnecessarily allocating an
1342           extra slot for BinaryOps that don't have Untyped operands, and failing to
1343           allocate that extra slot for some binary ops.  This is now fixed.
1344
1345         * tests/stress/ftl-shr-exception.js:
1346         * tests/stress/ftl-xor-exception.js:
1347         - Un-skipped these tests.  They now pass with this patch.
1348
1349 2016-01-09  Andreas Kling  <akling@apple.com>
1350
1351         Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
1352         <https://webkit.org/b/152902>
1353
1354         Reviewed by Anders Carlsson.
1355
1356         Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.
1357
1358         * API/JSAPIWrapperObject.mm:
1359         (jsAPIWrapperObjectHandleOwner):
1360         * API/JSManagedValue.mm:
1361         (managedValueHandleOwner):
1362         * inspector/agents/InspectorDebuggerAgent.cpp:
1363         (Inspector::objectGroupForBreakpointAction):
1364         * jit/ExecutableAllocator.cpp:
1365         (JSC::DemandExecutableAllocator::allocators):
1366
1367 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1368
1369         FTL B3 should do varargs tail calls and stack overflows
1370         https://bugs.webkit.org/show_bug.cgi?id=152934
1371
1372         Reviewed by Saam Barati.
1373
1374         I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
1375         at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
1376         why I have two fixes in one change. Now the test passes.
1377
1378         This reduces the number of failures from 13 to 0.
1379
1380         * ftl/FTLLowerDFGToLLVM.cpp:
1381         (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
1382         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
1383         append an Oops (i.e. "unreachable").
1384
1385 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1386
1387         B3 needs Neg()
1388         https://bugs.webkit.org/show_bug.cgi?id=152925
1389
1390         Reviewed by Mark Lam.
1391
1392         Previously we said that negation should be represented as Sub(0, x). That's wrong, since
1393         for floats, Sub(0, 0) == 0 while Neg(0) == -0.
1394
1395         One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
1396         should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
1397         to use bitops to represent floating point operations. Whatever cuteness this would have
1398         bought us would be outweighed by the annoyance of having to write code that matches
1399         Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
1400         would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
1401         Also, I suspect that the omission of Neg would cause others to make the mistake of using
1402         Sub to represent floating point negation.
1403
1404         So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
1405         negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
1406         floats, we lower it to BitXor(x, -0) on x86.
1407
1408         This reduces the number of failures from 13 to 12.
1409
1410         * assembler/MacroAssemblerX86Common.h:
1411         (JSC::MacroAssemblerX86Common::andFloat):
1412         (JSC::MacroAssemblerX86Common::xorDouble):
1413         (JSC::MacroAssemblerX86Common::xorFloat):
1414         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
1415         * b3/B3LowerMacrosAfterOptimizations.cpp:
1416         * b3/B3LowerToAir.cpp:
1417         (JSC::B3::Air::LowerToAir::lower):
1418         * b3/B3Opcode.cpp:
1419         (WTF::printInternal):
1420         * b3/B3Opcode.h:
1421         * b3/B3ReduceStrength.cpp:
1422         * b3/B3Validate.cpp:
1423         * b3/B3Value.cpp:
1424         (JSC::B3::Value::effects):
1425         (JSC::B3::Value::key):
1426         (JSC::B3::Value::typeFor):
1427         * b3/air/AirOpcode.opcodes:
1428         * ftl/FTLB3Output.cpp:
1429         (JSC::FTL::Output::lockedStackSlot):
1430         (JSC::FTL::Output::neg):
1431         (JSC::FTL::Output::bitNot):
1432         * ftl/FTLB3Output.h:
1433         (JSC::FTL::Output::chillDiv):
1434         (JSC::FTL::Output::mod):
1435         (JSC::FTL::Output::chillMod):
1436         (JSC::FTL::Output::doubleAdd):
1437         (JSC::FTL::Output::doubleSub):
1438         (JSC::FTL::Output::doubleMul):
1439         (JSC::FTL::Output::doubleDiv):
1440         (JSC::FTL::Output::doubleMod):
1441         (JSC::FTL::Output::doubleNeg):
1442         (JSC::FTL::Output::bitAnd):
1443         (JSC::FTL::Output::bitOr):
1444         (JSC::FTL::Output::neg): Deleted.
1445         * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
1446         it's such a glaring bug, I thought having a test for it specifically would be good.
1447
1448 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1449
1450         FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
1451         https://bugs.webkit.org/show_bug.cgi?id=152922
1452
1453         Reviewed by Saam Barati.
1454
1455         FTL B3 was generating a handler table that first contained the old baseline handlers keyed
1456         by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
1457         wrong, since the FTL code block should not contain any baseline handlers. The fix is to
1458         clear the handlers before generation, sort of like FTL LLVM does.
1459
1460         Also added some stuff to make it easier to inspect the handler table.
1461
1462         This reduces the number of failures from 25 to 13.
1463
1464         * bytecode/CodeBlock.cpp:
1465         (JSC::CodeBlock::dumpBytecode):
1466         (JSC::CodeBlock::dumpExceptionHandlers):
1467         (JSC::CodeBlock::beginDumpProfiling):
1468         * bytecode/CodeBlock.h:
1469         * ftl/FTLB3Compile.cpp:
1470         (JSC::FTL::compile):
1471
1472 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1473
1474         B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
1475         https://bugs.webkit.org/show_bug.cgi?id=152916
1476
1477         Reviewed by Mark Lam.
1478
1479         This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!
1480
1481         This reduces the number of failures from 27 to 25.
1482
1483         * b3/B3ReduceStrength.cpp:
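The two B3 strength-reduction points from the Neg() entry and the NotEqual(bool, 1) entry above, worked through in an added C++ example that is not B3's own code: a toy Value graph with Sub/Neg/BitXor/Equal/NotEqual (all types, functions and names here are this example's own, not JavaScriptCore's) that shows why Sub(0, x) -> Neg(x) is only valid for Int32, how double Neg lowers to BitXor(x, -0.0), and why NotEqual(b, 1) must reduce to Equal(b, 0) rather than Equal(b, 1).

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <memory>
#include <vector>

// A toy IR modelled loosely on B3's Value graph (not B3 itself): just enough
// opcodes to exercise the two canonicalizations the entries above describe.
enum class Type { Int32, Double };
enum class Opcode { Const, Sub, Neg, BitXor, Equal, NotEqual };

struct Value {
    Opcode op; Type type;
    double constD = 0.0;   // payload for a Double Const
    int32_t constI = 0;    // payload for an Int32 Const
    Value* lhs = nullptr;
    Value* rhs = nullptr;  // unused by Neg
};

// Owns every Value of a procedure so the raw child pointers stay valid.
struct Proc {
    std::vector<std::unique_ptr<Value>> values;
    Value* add(Value v) { values.push_back(std::make_unique<Value>(v)); return values.back().get(); }
    Value* constI(int32_t c) { return add({Opcode::Const, Type::Int32, 0.0, c}); }
    Value* constD(double c) { return add({Opcode::Const, Type::Double, c, 0}); }
    Value* unary(Opcode op, Type t, Value* a) { return add({op, t, 0.0, 0, a, nullptr}); }
    Value* binary(Opcode op, Type t, Value* a, Value* b) { return add({op, t, 0.0, 0, a, b}); }
};

static uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static double doubleFromBits(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// Int32 evaluation. Comparisons yield 0 or 1 and compare Int32 operands only.
int32_t evalInt32(const Value* v) {
    switch (v->op) {
    case Opcode::Const:    return v->constI;
    case Opcode::Sub:      return (int32_t)((uint32_t)evalInt32(v->lhs) - (uint32_t)evalInt32(v->rhs));
    case Opcode::Neg:      return (int32_t)(0u - (uint32_t)evalInt32(v->lhs));
    case Opcode::BitXor:   return evalInt32(v->lhs) ^ evalInt32(v->rhs);
    case Opcode::Equal:    return evalInt32(v->lhs) == evalInt32(v->rhs) ? 1 : 0;
    case Opcode::NotEqual: return evalInt32(v->lhs) != evalInt32(v->rhs) ? 1 : 0;
    }
    return 0;
}

// Double evaluation. Neg is lowered as the entry says x86 does it, BitXor(x, -0.0):
// only the sign bit flips, so Neg(+0.0) is -0.0 while Sub(0.0, +0.0) is +0.0.
double evalDouble(const Value* v) {
    switch (v->op) {
    case Opcode::Const:  return v->constD;
    case Opcode::Sub:    return evalDouble(v->lhs) - evalDouble(v->rhs);
    case Opcode::Neg:    return doubleFromBits(bitsOf(evalDouble(v->lhs)) ^ bitsOf(-0.0));
    case Opcode::BitXor: return doubleFromBits(bitsOf(evalDouble(v->lhs)) ^ bitsOf(evalDouble(v->rhs)));
    default:             return 0.0;  // comparisons are Int32-typed in this toy IR
    }
}

// Strength reduction limited to the two rules from the entries above:
//   Sub(0, x)      -> Neg(x)       for Int32 only (for Double it would turn -0.0 into +0.0)
//   NotEqual(b, 1) -> Equal(b, 0)  when b is a comparison result, hence known to be 0 or 1
Value* reduceStrength(Proc& proc, Value* v) {
    if (v->op == Opcode::Sub && v->type == Type::Int32
        && v->lhs->op == Opcode::Const && v->lhs->constI == 0)
        return proc.unary(Opcode::Neg, Type::Int32, v->rhs);
    bool lhsIsBool = v->lhs && (v->lhs->op == Opcode::Equal || v->lhs->op == Opcode::NotEqual);
    if (v->op == Opcode::NotEqual && lhsIsBool
        && v->rhs->op == Opcode::Const && v->rhs->constI == 1)
        return proc.binary(Opcode::Equal, Type::Int32, v->lhs, proc.constI(0));
    return v;
}

// The bug the Neg() entry describes: Sub(0, +0.0) is +0.0, a real Neg gives -0.0,
// and the Sub(0, x) -> Neg(x) rule must therefore leave the Double Sub alone.
bool subOfZeroIsNotDoubleNegation() {
    Proc p;
    Value* x = p.constD(0.0);
    Value* sub = p.binary(Opcode::Sub, Type::Double, p.constD(0.0), x);
    Value* neg = p.unary(Opcode::Neg, Type::Double, x);
    return !std::signbit(evalDouble(sub)) && std::signbit(evalDouble(neg))
        && reduceStrength(p, sub) == sub;
}

// For Int32 the canonicalization is value-preserving, including the INT32_MIN wraparound.
bool int32SubOfZeroBecomesNeg(int32_t x) {
    Proc p;
    Value* sub = p.binary(Opcode::Sub, Type::Int32, p.constI(0), p.constI(x));
    Value* reduced = reduceStrength(p, sub);
    return reduced->op == Opcode::Neg && evalInt32(reduced) == evalInt32(sub);
}

// NotEqual(b, 1) must become Equal(b, 0), not Equal(b, 1); checked for both boolean inputs.
bool notEqualBoolReductionIsCorrect() {
    for (int32_t bit = 0; bit <= 1; ++bit) {
        Proc p;
        Value* b = p.binary(Opcode::Equal, Type::Int32, p.constI(bit), p.constI(1));  // b = (bit == 1)
        Value* ne = p.binary(Opcode::NotEqual, Type::Int32, b, p.constI(1));
        Value* reduced = reduceStrength(p, ne);
        if (reduced->op != Opcode::Equal || reduced->rhs->constI != 0 || evalInt32(reduced) != evalInt32(ne))
            return false;
    }
    return true;
}
```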
1484
1485 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1486
1487         FTL B3 allocateCell() should not crash
1488         https://bugs.webkit.org/show_bug.cgi?id=152909
1489
1490         Reviewed by Mark Lam.
1491
1492         This code was crashing in some tests that forced GC slow paths because it was stubbed out
1493         due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
1494         undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
1495         any LLVM optimizations by using undef.
1496
1497         This reduces the number of failures from 35 to 27.
1498
1499         * ftl/FTLLowerDFGToLLVM.cpp:
1500         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
1501
1502 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1503
1504         FTL B3 fails to realize that binary snippets might choose to omit their fast path
1505         https://bugs.webkit.org/show_bug.cgi?id=152901
1506
1507         Reviewed by Mark Lam.
1508
1509         This reduces the number of failures from 99 to 35.
1510
1511         * ftl/FTLLowerDFGToLLVM.cpp:
1512         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
1513
1514 2016-01-08  Saam barati  <sbarati@apple.com>
1515
1516         restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register
1517         https://bugs.webkit.org/show_bug.cgi?id=152879
1518
1519         Reviewed by Filip Pizlo.
1520
1521         We were clobbering a register we needed when picking
1522         a scratch register inside an FTL OSR Exit.
1523
1524         * dfg/DFGThunks.cpp:
1525         (JSC::DFG::osrEntryThunkGenerator):
1526         * jit/AssemblyHelpers.cpp:
1527         (JSC::AssemblyHelpers::emitRandomThunk):
1528         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
1529         * jit/AssemblyHelpers.h:
1530         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
1531         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
1532         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
1533         (foo):
1534
1535 2016-01-08  Mark Lam  <mark.lam@apple.com>
1536
1537         Rolling out: Rename StringFromCharCode to StringFromSingleCharCode.
1538         https://bugs.webkit.org/show_bug.cgi?id=152897
1539
1540         Not reviewed.
1541
1542         * dfg/DFGAbstractInterpreterInlines.h:
1543         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1544         * dfg/DFGByteCodeParser.cpp:
1545         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1546         * dfg/DFGClobberize.h:
1547         (JSC::DFG::clobberize):
1548         * dfg/DFGDoesGC.cpp:
1549         (JSC::DFG::doesGC):
1550         * dfg/DFGFixupPhase.cpp:
1551         (JSC::DFG::FixupPhase::fixupNode):
1552         * dfg/DFGNodeType.h:
1553         * dfg/DFGOperations.cpp:
1554         * dfg/DFGOperations.h:
1555         * dfg/DFGPredictionPropagationPhase.cpp:
1556         (JSC::DFG::PredictionPropagationPhase::propagate):
1557         * dfg/DFGSafeToExecute.h:
1558         (JSC::DFG::safeToExecute):
1559         * dfg/DFGSpeculativeJIT.cpp:
1560         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1561         * dfg/DFGSpeculativeJIT32_64.cpp:
1562         (JSC::DFG::SpeculativeJIT::compile):
1563         * dfg/DFGSpeculativeJIT64.cpp:
1564         (JSC::DFG::SpeculativeJIT::compile):
1565         * runtime/StringConstructor.cpp:
1566         (JSC::stringFromCharCode):
1567         (JSC::stringFromSingleCharCode): Deleted.
1568         * runtime/StringConstructor.h:
1569
1570 2016-01-08  Per Arne Vollan  <peavo@outlook.com>
1571
1572         [JSC] Use std::call_once instead of pthread_once when initializing LLVM.
1573         https://bugs.webkit.org/show_bug.cgi?id=152893
1574
1575         Reviewed by Mark Lam.
1576
1577         Use std::call_once since pthreads is not present on all platforms.
1578
1579         * llvm/InitializeLLVM.cpp:
1580         (JSC::initializeLLVMImpl):
1581         (JSC::initializeLLVM):
1582
1583 2016-01-08  Mark Lam  <mark.lam@apple.com>
1584
1585         Rename StringFromCharCode to StringFromSingleCharCode.
1586         https://bugs.webkit.org/show_bug.cgi?id=152897
1587
1588         Reviewed by Daniel Bates.
1589
1590         StringFromSingleCharCode is a better name because the intrinsic it represents
1591         only applies when we are converting from a single char code.  This is purely
1592         a refactoring patch.  There is no semantic change.
1593
1594         * dfg/DFGAbstractInterpreterInlines.h:
1595         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1596         * dfg/DFGByteCodeParser.cpp:
1597         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1598         * dfg/DFGClobberize.h:
1599         (JSC::DFG::clobberize):
1600         * dfg/DFGDoesGC.cpp:
1601         (JSC::DFG::doesGC):
1602         * dfg/DFGFixupPhase.cpp:
1603         (JSC::DFG::FixupPhase::fixupNode):
1604         * dfg/DFGNodeType.h:
1605         * dfg/DFGOperations.cpp:
1606         * dfg/DFGOperations.h:
1607         * dfg/DFGPredictionPropagationPhase.cpp:
1608         (JSC::DFG::PredictionPropagationPhase::propagate):
1609         * dfg/DFGSafeToExecute.h:
1610         (JSC::DFG::safeToExecute):
1611         * dfg/DFGSpeculativeJIT.cpp:
1612         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1613         * dfg/DFGSpeculativeJIT32_64.cpp:
1614         (JSC::DFG::SpeculativeJIT::compile):
1615         * dfg/DFGSpeculativeJIT64.cpp:
1616         (JSC::DFG::SpeculativeJIT::compile):
1617         * runtime/StringConstructor.cpp:
1618         (JSC::stringFromCharCode):
1619         (JSC::stringFromSingleCharCode):
1620         * runtime/StringConstructor.h:
1621
1622 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
1623
1624         [mips] Fixed unused parameter warnings
1625         https://bugs.webkit.org/show_bug.cgi?id=152885
1626
1627         Reviewed by Mark Lam.
1628
1629         * jit/CCallHelpers.h:
1630         (JSC::CCallHelpers::setupArgumentsWithExecState):
1631
1632 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
1633
1634         [mips] Max value of immediate arg of logical ops is 0xffff
1635         https://bugs.webkit.org/show_bug.cgi?id=152884
1636
1637         Reviewed by Michael Saboff.
1638
1639         Replaced imm.m_value < 65535 checks with imm.m_value <= 65535
1640
1641         * assembler/MacroAssemblerMIPS.h:
1642         (JSC::MacroAssemblerMIPS::and32):
1643         (JSC::MacroAssemblerMIPS::or32):
1644
1645 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
1646
1647         [mips] Add new or32 implementation after r194613
1648         https://bugs.webkit.org/show_bug.cgi?id=152865
1649
1650         Reviewed by Michael Saboff.
1651
1652         * assembler/MacroAssemblerMIPS.h:
1653         (JSC::MacroAssemblerMIPS::or32):
1654
1655 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1656
1657         FTL B3 lazy slow paths should do exceptions
1658         https://bugs.webkit.org/show_bug.cgi?id=152853
1659
1660         Reviewed by Saam Barati.
1661
1662         This reduces the number of JSC test failures to 97.
1663
1664         * ftl/FTLLowerDFGToLLVM.cpp:
1665         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
1666         * tests/stress/ftl-new-negative-array-size.js: Added.
1667         (foo):
1668
1669 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1670
1671         Unreviewed, skip more tests that fail.
1672
1673         * tests/stress/ftl-shr-exception.js:
1674         (foo):
1675         * tests/stress/ftl-xor-exception.js:
1676         (foo):
1677
1678 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1679
1680         FTL B3 binary snippets should do exceptions
1681         https://bugs.webkit.org/show_bug.cgi?id=152852
1682
1683         Reviewed by Saam Barati.
1684
1685         This reduces the number of JSC test failures to 110.
1686
1687         * ftl/FTLLowerDFGToLLVM.cpp:
1688         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
1689         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
1690         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
1691         * tests/stress/ftl-shr-exception.js: Added.
1692         (foo):
1693         (result.foo.valueOf):
1694         * tests/stress/ftl-sub-exception.js: Added.
1695         (foo):
1696         (result.foo.valueOf):
1697         * tests/stress/ftl-xor-exception.js: Added.
1698         (foo):
1699         (result.foo.valueOf):
1700
1701 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1702
1703         Unreviewed, skipping this test. Looks like LLVM can't handle this one, either.
1704
1705         * tests/stress/ftl-call-varargs-bad-args-exception-interesting-live-state.js:
1706         (foo):
1707
1708 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1709
1710         Unreviewed, skipping this test. Looks like LLVM can't handle it.
1711
1712         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
1713         (foo):
1714
1715 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1716
1717         FTL B3 JS calls should do exceptions
1718         https://bugs.webkit.org/show_bug.cgi?id=152851
1719
1720         Reviewed by Geoffrey Garen.
1721
1722         This reduces the number of JSC test failures with FTL B3 to 111.
1723
1724         * dfg/DFGSpeculativeJIT64.cpp:
1725         (JSC::DFG::SpeculativeJIT::emitCall):
1726         * ftl/FTLLowerDFGToLLVM.cpp:
1727         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
1728         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
1729         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1730         * tests/stress/ftl-call-bad-args-exception-interesting-live-state.js: Added.
1731         * tests/stress/ftl-call-bad-callee-exception-interesting-live-state.js: Added.
1732         * tests/stress/ftl-call-exception-interesting-live-state.js: Added.
1733         * tests/stress/ftl-call-exception-no-catch.js: Added.
1734         * tests/stress/ftl-call-exception.js: Added.
1735         * tests/stress/ftl-call-varargs-bad-callee-exception-interesting-live-state.js: Added.
1736         * tests/stress/ftl-call-varargs-exception-interesting-live-state.js: Added.
1737         * tests/stress/ftl-call-varargs-exception-no-catch.js: Added.
1738         * tests/stress/ftl-call-varargs-exception.js: Added.
1739
1740 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1741
1742         FTL B3 PutById should do exceptions
1743         https://bugs.webkit.org/show_bug.cgi?id=152850
1744
1745         Reviewed by Saam Barati.
1746
1747         Implemented PutById exception handling by following the idiom used in GetById. Reduces the
1748         number of JSC test failures to 128.
1749
1750         * ftl/FTLLowerDFGToLLVM.cpp:
1751         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
1752         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js: Added.
1753         * tests/stress/ftl-put-by-id-setter-exception-no-catch.js: Added.
1754         * tests/stress/ftl-put-by-id-setter-exception.js: Added.
1755         * tests/stress/ftl-put-by-id-slow-exception-interesting-live-state.js: Added.
1756         * tests/stress/ftl-put-by-id-slow-exception-no-catch.js: Added.
1757         * tests/stress/ftl-put-by-id-slow-exception.js: Added.
1758
1759 2016-01-07  Commit Queue  <commit-queue@webkit.org>
1760
1761         Unreviewed, rolling out r194714.
1762         https://bugs.webkit.org/show_bug.cgi?id=152864
1763
1764         it broke many JSC tests when FTL B3 is enabled (Requested by
1765         pizlo on #webkit).
1766
1767         Reverted changeset:
1768
1769         "[JSC] When resolving Stack arguments, use addressing from SP
1770         when addressing from FP is invalid"
1771         https://bugs.webkit.org/show_bug.cgi?id=152840
1772         http://trac.webkit.org/changeset/194714
1773
1774 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1775
1776         [mips] Lower immediates of logical operations.
1777         https://bugs.webkit.org/show_bug.cgi?id=152693
1778
1779         On MIPS, immediate operands of andi, ori, and xori are required to be 16-bit
1780         non-negative numbers.
1781
1782         Reviewed by Michael Saboff.
1783
1784         * offlineasm/mips.rb:
1785
1786 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
1787
1788         [JSC] Update testCheckSubBadImm() for ARM64
1789         https://bugs.webkit.org/show_bug.cgi?id=152846
1790
1791         Reviewed by Mark Lam.
1792
1793         * b3/testb3.cpp:
1794         (JSC::B3::testCheckSubBadImm):
1795         The test was assuming the constant can always be used
1796         as immediate. That's obviously not the case on ARM64.
1797
1798 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1799
1800         FTL B3 getById() should do exceptions
1801         https://bugs.webkit.org/show_bug.cgi?id=152810
1802
1803         Reviewed by Saam Barati.
1804
1805         This adds abstractions for doing exceptions from patchpoints, and uses them to implement
1806         exceptions from GetById. This covers all of the following ways that a GetById might throw an
1807         exception:
1808
1809         - Throw without try/catch from the vmCall() in a GetById(Untyped:)
1810         - Throw with try/catch from the vmCall() in a GetById(Untyped:)
1811         - Throw without try/catch from the callOperation() in the patchpoint of a GetById
1812         - Throw with try/catch from the callOperation() in the patchpoint of a GetById
1813         - Throw without try/catch from the Call IC generated in the patchpoint of a GetById
1814         - Throw with try/catch from the Call IC generated in the patchpoint of a GetById
1815
1816         This requires having a default exception target in FTL-generated code, and ensuring that this
1817         target is generated regardless of whether we have branches to the B3 basic block of the
1818         default exception target. This also requires adding some extra arguments to a
1819         PatchpointValue, and then knowing that the arguments are used for OSR exit and not anything
1820         else. This also requires associating the CallSiteIndex of the patchpoint with the register
1821         set used for exit and with the OSR exit label for the unwind exit.
1822
1823         All of the stuff that you have to worry about when wiring a patchpoint to exception handling
1824         is covered by the new PatchpointExceptionHandle object. You create one by calling
1825         preparePatchpointForExceptions(). This sets up the B3 IR representation of the patchpoint
1826         with stackmap arguments for the exceptional exit, and creates a PatchpointExceptionHandle
1827         object that can be used to create zero or more actual OSR exits. It can create both OSR exits
1828         for operation calls and OSR exits for unwind. You call the
1829         PatchpointExceptionHandle::scheduleExitCreationXXX() methods from the generator callback to
1830         actually get OSR exits.
1831
1832         This API makes heavy use of Box<>, late paths, and link tasks. For example, you can use the
1833         PatchpointExceptionHandle to get a Box<JumpList> that you can append exception jumps to. When
1834         you use this API, it automatically registers a link task that will link the JumpList to the
1835         actual OSR exit label.
1836
1837         This API is very flexible about how you get to the label of the OSR exit. You are encouraged
1838         to use the Box<JumpList> approach, but if you really just need the label, you can also get
1839         a RefPtr<ExceptionTarget> and rely on the fact that the ExceptionTarget object will be able
1840         to vend you the OSR exit label at link-time.
1841
1842         This reduces the number of JSC test failures with FTL B3 from 186 to 133. It also adds a
1843         bunch of new tests specifically for all of the ways you might throw from GetById, and B3
1844         passes all of these new tests. Note that I'm not counting the new tests as part of the
1845         previous 186 test failures (FTL B3 failed all of the new tests prior to this change).
1846
1847         After this change, it should be easy to make all of the other patchpoints also handle
1848         exceptions by just following the preparePatchpointForExceptions() idiom.
1849
1850         * CMakeLists.txt:
1851         * JavaScriptCore.xcodeproj/project.pbxproj:
1852         * b3/B3StackmapValue.h:
1853         * b3/B3ValueRep.cpp:
1854         (JSC::B3::ValueRep::addUsedRegistersTo):
1855         (JSC::B3::ValueRep::usedRegisters):
1856         (JSC::B3::ValueRep::dump):
1857         * b3/B3ValueRep.h:
1858         (JSC::B3::ValueRep::doubleValue):
1859         (JSC::B3::ValueRep::withOffset):
1860         (JSC::B3::ValueRep::usedRegisters):
1861         * ftl/FTLB3Compile.cpp:
1862         (JSC::FTL::compile):
1863         * ftl/FTLB3Output.h:
1864         (JSC::FTL::Output::unreachable):
1865         (JSC::FTL::Output::speculate):
1866         * ftl/FTLExceptionTarget.cpp: Added.
1867         (JSC::FTL::ExceptionTarget::~ExceptionTarget):
1868         (JSC::FTL::ExceptionTarget::label):
1869         (JSC::FTL::ExceptionTarget::jumps):
1870         (JSC::FTL::ExceptionTarget::ExceptionTarget):
1871         * ftl/FTLExceptionTarget.h: Added.
1872         * ftl/FTLJITCode.cpp:
1873         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1874         * ftl/FTLLowerDFGToLLVM.cpp:
1875         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1876         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1877         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
1878         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
1879         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
1880         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1881         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
1882         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
1883         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
1884         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
1885         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
1886         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1887         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
1888         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
1889         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
1890         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
1891         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
1892         * ftl/FTLPatchpointExceptionHandle.cpp: Added.
1893         (JSC::FTL::PatchpointExceptionHandle::create):
1894         (JSC::FTL::PatchpointExceptionHandle::defaultHandle):
1895         (JSC::FTL::PatchpointExceptionHandle::~PatchpointExceptionHandle):
1896         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreation):
1897         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1898         (JSC::FTL::PatchpointExceptionHandle::PatchpointExceptionHandle):
1899         (JSC::FTL::PatchpointExceptionHandle::createHandle):
1900         * ftl/FTLPatchpointExceptionHandle.h: Added.
1901         * ftl/FTLState.cpp:
1902         * ftl/FTLState.h:
1903         (JSC::FTL::verboseCompilationEnabled):
1904         * tests/stress/ftl-get-by-id-getter-exception-interesting-live-state.js: Added.
1905         * tests/stress/ftl-get-by-id-getter-exception-no-catch.js: Added.
1906         * tests/stress/ftl-get-by-id-getter-exception.js: Added.
1907         * tests/stress/ftl-get-by-id-slow-exception-interesting-live-state.js: Added.
1908         * tests/stress/ftl-get-by-id-slow-exception-no-catch.js: Added.
1909         * tests/stress/ftl-get-by-id-slow-exception.js: Added.
1910         * tests/stress/ftl-operation-exception-interesting-live-state.js: Added.
1911         * tests/stress/ftl-operation-exception-no-catch.js: Added.
1912
1913 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1914
1915         [mips] Implemented missing branch patching methods.
1916         https://bugs.webkit.org/show_bug.cgi?id=152845
1917
1918         Reviewed by Michael Saboff.
1919
1920         * assembler/MacroAssemblerMIPS.h:
1921         (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranch32WithPatch):
1922         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
1923         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
1924
1925 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
1926
1927         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
1928         https://bugs.webkit.org/show_bug.cgi?id=152840
1929
1930         Reviewed by Mark Lam.
1931
1932         ARM64 has two kinds of addressing with immediates:
1933         - Signed 9-bit direct (really only -256 to 255).
1934         - Unsigned 12-bit scaled by the load/store size.
1935
1936         When resolving the stack addresses, we easily run
1937         past -256 bytes from FP. Addressing from SP gives us more
1938         room to address the stack efficiently because we can
1939         use unsigned immediates.
1940
1941         * b3/B3StackmapSpecial.cpp:
1942         (JSC::B3::StackmapSpecial::repForArg):
1943         * b3/air/AirAllocateStack.cpp:
1944         (JSC::B3::Air::allocateStack):
1945
1946 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1947
1948         [mips] Make repatchCall public to fix compilation.
1949         https://bugs.webkit.org/show_bug.cgi?id=152843
1950
1951         Reviewed by Michael Saboff.
1952
1953         * assembler/MacroAssemblerMIPS.h:
1954         (JSC::MacroAssemblerMIPS::repatchCall):
1955         (JSC::MacroAssemblerMIPS::linkCall): Deleted.
1956
1957 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1958
1959         [mips] Replaced subi with addi in getHostCallReturnValue
1960         https://bugs.webkit.org/show_bug.cgi?id=152841
1961
1962         Reviewed by Michael Saboff.
1963
1964         The MIPS architecture does not have a subi instruction; addi with a negative
1965         number should be used instead.
1966
1967         * jit/JITOperations.cpp:
1968
1969 2016-01-07  Mark Lam  <mark.lam@apple.com>
1970
1971         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
1972         https://bugs.webkit.org/show_bug.cgi?id=152833
1973
1974         Reviewed by Michael Saboff.
1975
1976         Follow-up patch to fix illegal use of memoryTempRegister as the src for ARM64's
1977         store32.
1978
1979         * assembler/MacroAssemblerARM64.h:
1980         (JSC::MacroAssemblerARM64::or32):
1981         (JSC::MacroAssemblerARM64::store):
1982
1983 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1984
1985         [mips] GPRInfo::toArgumentRegister missing
1986         https://bugs.webkit.org/show_bug.cgi?id=152838
1987
1988         Reviewed by Michael Saboff.
1989
1990         * jit/GPRInfo.h:
1991         (JSC::GPRInfo::toArgumentRegister):
1992
1993 2016-01-07  Mark Lam  <mark.lam@apple.com>
1994
1995         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
1996         https://bugs.webkit.org/show_bug.cgi?id=152833
1997
1998         Reviewed by Benjamin Poulain.
1999
2000         * assembler/MacroAssemblerARM.h:
2001         (JSC::MacroAssemblerARM::or32):
2002         - Added some assertions to make sure it is safe to use ARMRegisters::S0 as a temp.
2003         * assembler/MacroAssemblerARM64.h:
2004         (JSC::MacroAssemblerARM64::or32):
2005         - Implement an optimization that avoids reloading the memoryTempRegister when
2006           the immediate is encodable as an instruction immediate.
2007         * assembler/MacroAssemblerARMv7.h:
2008         (JSC::MacroAssemblerARMv7::or32):
2009         - Added an assertion to make sure it is safe to use the dataTempRegister as a temp.
2010         - Implement an optimization that avoids reloading the memoryTempRegister when
2011           the immediate is encodable as an instruction immediate.  In the event that we
2012           cannot encode the immediate, we'll use the addressTempRegister as a temp, and
2013           reload it later.
2014
2015 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
2016
2017         [CMake] JSC shell sources should include JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
2018         https://bugs.webkit.org/show_bug.cgi?id=152664
2019
2020         Reviewed by Alex Christensen.
2021
2022         * shell/CMakeLists.txt:
2023
2024 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
2025
2026         Web Inspector: CRASH Attempting to pause on CSP violation not inside of script
2027         https://bugs.webkit.org/show_bug.cgi?id=152825
2028         <rdar://problem/24021276>
2029
2030         Reviewed by Timothy Hatcher.
2031
2032         * debugger/Debugger.cpp:
2033         (JSC::Debugger::breakProgram):
2034         We cannot pause if we are not evaluating JavaScript, so bail.
2035
2036 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
2037
2038         [JSC] Re-enable lea() in Air on ARM64
2039         https://bugs.webkit.org/show_bug.cgi?id=152832
2040
2041         Reviewed by Michael Saboff.
2042
2043         Lea() on the MacroAssembler is not the full x86 Lea (the real one being
2044         x86Lea32()). Instead, it is an addPtr() with SP and a constant.
2045
2046         The instruction is required to implement B3's StackSlot. It is not
2047         safe for big offsets but none of the stack operations are at the moment.
2048
2049         * b3/air/AirOpcode.opcodes:
2050
2051 2016-01-07  Julien Brianceau  <jbriance@cisco.com>
2052
2053         [mips] Add two missing abortWithReason implementations
2054         https://bugs.webkit.org/show_bug.cgi?id=136753
2055
2056         Reviewed by Benjamin Poulain.
2057
2058         * assembler/MacroAssemblerMIPS.h:
2059         (JSC::MacroAssemblerMIPS::memoryFence):
2060         (JSC::MacroAssemblerMIPS::abortWithReason):
2061         (JSC::MacroAssemblerMIPS::readCallTarget):
2062
2063 2016-01-07  Csaba Osztrogonác  <ossy@webkit.org>
2064
2065         Add new or32 implementation to MacroAssemblerARM after r194613
2066         https://bugs.webkit.org/show_bug.cgi?id=152784
2067
2068         Reviewed by Benjamin Poulain.
2069
2070         * assembler/MacroAssemblerARM.h:
2071         (JSC::MacroAssemblerARM::or32):
2072
2073 2016-01-06  Mark Lam  <mark.lam@apple.com>
2074
2075         REGRESSION(r194613): JITMulGenerator needs a scratch GPR on 32-bit too.
2076         https://bugs.webkit.org/show_bug.cgi?id=152805
2077
2078         Reviewed by Michael Saboff.
2079
2080         There aren't enough registers on x86 32-bit to allocate the needed scratch GPR.
2081         So, we'll continue to use one of the result registers as the scratch, and
2082         re-compute the result at the end.
2083
2084         * jit/JITMulGenerator.cpp:
2085         (JSC::JITMulGenerator::generateFastPath):
2086
2087 2016-01-06  Anders Carlsson  <andersca@apple.com>
2088
2089         Add a smart block pointer
2090         https://bugs.webkit.org/show_bug.cgi?id=152799
2091
2092         Reviewed by Tim Horton.
2093
2094         Get rid of RemoteTargetBlock and replace it with WTF::BlockPtr<void ()>.
2095
2096         * inspector/remote/RemoteConnectionToTarget.h:
2097         (Inspector::RemoteTargetBlock::RemoteTargetBlock): Deleted.
2098         (Inspector::RemoteTargetBlock::~RemoteTargetBlock): Deleted.
2099         (Inspector::RemoteTargetBlock::operator=): Deleted.
2100         (Inspector::RemoteTargetBlock::operator()): Deleted.
2101         * inspector/remote/RemoteConnectionToTarget.mm:
2102         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
2103         (Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop):
2104
2105 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
2106
2107         [JSC] More B3 tests passing on ARM64
2108         https://bugs.webkit.org/show_bug.cgi?id=152787
2109
2110         Reviewed by Michael Saboff.
2111
2112         Some more minor bugs.
2113
2114         * assembler/MacroAssemblerARM64.h:
2115         (JSC::MacroAssemblerARM64::urshift64):
2116         The offset was being truncated. That code was just copied
2117         from the 32-bit version of urshift.
2118
2119         * b3/B3LowerToAir.cpp:
2120         (JSC::B3::Air::LowerToAir::createGenericCompare):
2121         Very few instructions can encode -1 as immediate.
2122         TST certainly can't. The fallback works for ARM.
2123
2124         * b3/air/AirOpcode.opcodes:
2125         Bit instructions have very specific immediate encoding.
2126         B3 cannot express that properly yet. I disabled those
2127         forms for now. Immediate encoding is something we'll really
2128         have to look into at some point for B3 ARM64.
2129
2130 2016-01-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2131
2132         Silence -Wtautological-compare
2133         https://bugs.webkit.org/show_bug.cgi?id=152768
2134
2135         Reviewed by Saam Barati.
2136
2137         * runtime/Options.cpp:
2138         (JSC::Options::setAliasedOption):
2139
2140 2016-01-06  Filip Pizlo  <fpizlo@apple.com>
2141
2142         Make sure that the basic throw-from-operation mode of throwing makes sense in FTL B3
2143         https://bugs.webkit.org/show_bug.cgi?id=152798
2144
2145         Reviewed by Oliver Hunt.
2146
2147         This really just contains one change: we inline emitBranchToOSRExitIfWillCatchException()
2148         into callCheck(), since that was its only caller. This makes it a bit more clear what is
2149         going on.
2150
2151         It turns out that FTL B3 already handled this case properly. I added a test that I believe
2152         illustrates this. Note that although the test uses GetById, which ordinarily throws
2153         exceptions from inside a patchpoint, it uses it in such a way that the exception is thrown
2154         from the operation call for the non-cell bypass path of a GetById(UntypedUse:).
2155
2156         * ftl/FTLLowerDFGToLLVM.cpp:
2157         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2158         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
2159         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2160         (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException): Deleted.
2161         * tests/stress/ftl-operation-exception.js: Added.
2162         (foo):
2163
2164 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
2165
2166         Web Inspector: Remove duplicate check
2167         https://bugs.webkit.org/show_bug.cgi?id=152792
2168
2169         Reviewed by Timothy Hatcher.
2170
2171         * inspector/InjectedScriptSource.js:
2172         (InjectedScript.RemoteObject.prototype._generatePreview): Deleted.
2173         This method is only called from one place, and it does an equivalent
2174         check before calling this function. Remove the duplicate check.
2175
2176 2016-01-06  Brian Burg  <bburg@apple.com>
2177
2178         Add a WebKit SPI for registering an automation controller with RemoteInspector
2179         https://bugs.webkit.org/show_bug.cgi?id=151576
2180
2181         Reviewed by Dan Bernstein and Joseph Pecoraro.
2182
2183         Given a RemoteInspector endpoint that is instantiated in UIProcess, there
2184         should be a way to delegate automation-related functionality and policy to
2185         clients of WebKit.
2186
2187         This class adds a RemoteInspector::Client interface that serves a delegate.
2188         This is ultimately delegated via _WKAutomationDelegate, which is an SPI
2189         that allows clients to install an Objective-C delegate for automation.
2190
2191         The setting for whether remote automation is allowed is included in the
2192         listing that RemoteInspector sends out. It is updated when RemoteInspector::Client
2193         is assigned, or when the client signals that its capabilities have changed.
2194
2195         * inspector/remote/RemoteInspector.h:
2196         * inspector/remote/RemoteInspector.mm:
2197         (Inspector::RemoteInspector::setRemoteInspectorClient): Added.
2198         (Inspector::RemoteInspector::pushListingsNow):
2199
2200             In the listing, include whether the application supports remote automation.
2201
2202         * inspector/remote/RemoteInspectorConstants.h: Add a constant.
2203
2204 2016-01-05  Keith Miller  <keith_miller@apple.com>
2205
2206         [ES6] Boolean, Number, Map, RegExp, and Set should be subclassable
2207         https://bugs.webkit.org/show_bug.cgi?id=152765
2208
2209         Reviewed by Michael Saboff.
2210
2211         This patch enables subclassing of five more builtins: Boolean, Number, Map, RegExp, and Set.
2212
2213         * runtime/BooleanConstructor.cpp:
2214         (JSC::constructWithBooleanConstructor):
2215         (JSC::constructBoolean): Deleted.
2216         * runtime/BooleanConstructor.h:
2217         * runtime/MapConstructor.cpp:
2218         (JSC::constructMap):
2219         * runtime/NumberConstructor.cpp:
2220         (JSC::constructWithNumberConstructor):
2221         * runtime/RegExpConstructor.cpp:
2222         (JSC::getRegExpStructure):
2223         (JSC::constructRegExp):
2224         * runtime/SetConstructor.cpp:
2225         (JSC::constructSet):
2226         * tests/es6.yaml:
2227         * tests/stress/class-subclassing-misc.js: Added.
2228         (B):
2229         (N):
2230         (M):
2231         (R):
2232         (S):
2233         (test):
2234
2235 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2236
2237         [mips] Fix branchTruncateDoubleToUint32 implementation in macro assembler
2238         https://bugs.webkit.org/show_bug.cgi?id=152782
2239
2240         Reviewed by Benjamin Poulain.
2241
2242         Already covered by LayoutTests/js/dfg-uint32array-overflow-values test.
2243
2244         * assembler/MacroAssemblerMIPS.h:
2245         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
2246
2247 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2248
2249         [mips] Fix or32 implementation in macro assembler
2250         https://bugs.webkit.org/show_bug.cgi?id=152781
2251
2252         Reviewed by Michael Saboff.
2253
2254         * assembler/MacroAssemblerMIPS.h:
2255         (JSC::MacroAssemblerMIPS::or32):
2256
2257 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2258
2259         [mips] Add missing branchAdd32 implementation in macro assembler
2260         https://bugs.webkit.org/show_bug.cgi?id=152785
2261
2262         Reviewed by Michael Saboff.
2263
2264         * assembler/MacroAssemblerMIPS.h:
2265         (JSC::MacroAssemblerMIPS::branchAdd32):
2266
2267 2016-01-06  Andy VanWagoner  <thetalecrafter@gmail.com>
2268
2269         [ES6] Date.prototype should be a plain object
2270         https://bugs.webkit.org/show_bug.cgi?id=152574
2271
2272         Reviewed by Benjamin Poulain.
2273
2274         * runtime/DateConstructor.cpp:
2275         (JSC::DateConstructor::finishCreation):
2276         * runtime/DatePrototype.cpp:
2277         (JSC::DatePrototype::DatePrototype):
2278         * runtime/DatePrototype.h:
2279         * tests/mozilla/mozilla-tests.yaml: Expect errors from old Date.prototype as Date instance tests.
2280
2281 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
2282
2283         [JSC] Get more of testb3 to pass on ARM64
2284         https://bugs.webkit.org/show_bug.cgi?id=152737
2285
2286         Reviewed by Geoffrey Garen.
2287
2288         A bunch of minor bugs and missing functions to make most of testb3
2289         run on ARM64.
2290
2291         * JavaScriptCore.xcodeproj/project.pbxproj:
2292         * assembler/ARM64Assembler.h:
2293         (JSC::ARM64Assembler::canEncodePImmOffset):
2294         (JSC::ARM64Assembler::canEncodeSImmOffset):
2295         (JSC::isInt9): Deleted.
2296         (JSC::isUInt12): Deleted.
2297         * assembler/ARMv7Assembler.h:
2298         * assembler/AssemblerCommon.h: Added.
2299         (JSC::isInt9):
2300         (JSC::isUInt12):
2301         (JSC::isValidScaledUImm12):
2302         (JSC::isValidSignedImm9):
2303         * assembler/MacroAssemblerARM64.h:
2304         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
2305         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
2306         (JSC::MacroAssemblerARM64::store16):
2307         (JSC::MacroAssemblerARM64::absFloat):
2308         (JSC::MacroAssemblerARM64::loadFloat):
2309         (JSC::MacroAssemblerARM64::storeFloat):
2310         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate):
2311         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate):
2312         (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
2313         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<8>):
2314         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<16>):
2315         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<8>):
2316         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<16>):
2317         * assembler/X86Assembler.h:
2318         * b3/B3LowerToAir.cpp:
2319         (JSC::B3::Air::LowerToAir::effectiveAddr):
2320         (JSC::B3::Air::LowerToAir::lower):
2321         * b3/air/AirArg.h:
2322         (JSC::B3::Air::Arg::isValidImmForm):
2323         (JSC::B3::Air::Arg::isValidAddrForm):
2324         (JSC::B3::Air::Arg::isValidForm):
2325         * b3/air/AirOpcode.opcodes:
2326
2327 2016-01-05  Zan Dobersek  <zdobersek@igalia.com>
2328
2329         [CMake] Remove USE_UDIS86 variable
2330         https://bugs.webkit.org/show_bug.cgi?id=152731
2331
2332         Reviewed by Gyuyoung Kim.
2333
2334         * CMakeLists.txt: Unconditionally build the Udis86-specific files.
2335
2336 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2337
2338         FTL B3 fails cdjs-tests.yaml/red_black_tree_test.js.ftl-eager-no-cjit
2339         https://bugs.webkit.org/show_bug.cgi?id=152770
2340
2341         Reviewed by Mark Lam.
2342
2343         It turns out that liveness didn't know that the return value GPR or FPR is live at the
2344         return. Consequently, we can end up with code that clobbers the return value register after
2345         the move of the return value into that register. This could happen if we start with
2346         something like:
2347
2348             Move 42(%tmp1), %tmp2
2349             Move 50(%tmp1), %tmp3
2350             Move %tmp3, 58(%tmp1)
2351             Move %tmp2, %rax
2352             Ret
2353
2354         Then we might coalesce %tmp2 with %rax:
2355
2356             Move 42(%tmp1), %rax
2357             Move 50(%tmp1), %tmp3
2358             Move %tmp3, 58(%tmp1)
2359             Ret
2360
2361         But now there is no use of %rax after that first instruction, so %rax appears dead at the
2362         other two Move's. So, the register allocator could then do this:
2363
2364             Move 42(%tmp1), %rax
2365             Move 50(%tmp1), %rax
2366             Move %rax, 58(%tmp1)
2367             Ret
2368
2369         And that's clearly wrong. This patch solves this issue by replacing the old Ret instruction
2370         with Ret32, Ret64, RetFloat, and RetDouble. These all take the return value register as an
2371         argument. They also tell Air which parts of the return value register the caller will
2372         observe. That's great for width analysis.
2373
2374         This resolves a test failure in the CDjs red_black_tree_test. This reduces the total number
2375         of JSC test failures from 217 to 191.
2376
2377         * assembler/MacroAssembler.h:
2378         (JSC::MacroAssembler::oops):
2379         (JSC::MacroAssembler::ret32):
2380         (JSC::MacroAssembler::ret64):
2381         (JSC::MacroAssembler::retFloat):
2382         (JSC::MacroAssembler::retDouble):
2383         (JSC::MacroAssembler::shouldConsiderBlinding):
2384         * b3/B3LowerToAir.cpp:
2385         (JSC::B3::Air::LowerToAir::lower):
2386         * b3/air/AirGenerate.cpp:
2387         (JSC::B3::Air::generate):
2388         * b3/air/AirHandleCalleeSaves.cpp:
2389         (JSC::B3::Air::handleCalleeSaves):
2390         * b3/air/AirOpcode.opcodes:
2391         * b3/air/opcode_generator.rb:
2392
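        The register-allocation scenario in the entry above, replayed as an added worked
        example. This is illustration code written for this page, not JavaScriptCore's Air
        liveness analysis or register allocator; the Instr type, the interference test and the
        helper names are this example's own assumptions. It shows why %rax looks dead at the two
        middle Moves when Ret reads nothing, and how making Ret read the return register (as
        Ret32/Ret64/RetFloat/RetDouble do) turns that into an interference:

```python
from dataclasses import dataclass, field


@dataclass
class Instr:
    """One straight-line instruction: the registers it reads and the ones it writes."""
    text: str
    uses: frozenset = field(default_factory=frozenset)
    defs: frozenset = field(default_factory=frozenset)


def live_in_sets(instrs):
    """Backward liveness for a single basic block.

    live_in[i] is the set of registers whose value is still needed when
    instruction i starts. Straight-line code needs only one backward pass.
    """
    live = frozenset()
    live_in = [frozenset()] * len(instrs)
    for i in range(len(instrs) - 1, -1, -1):
        live = (live - instrs[i].defs) | instrs[i].uses
        live_in[i] = live
    return live_in


def live_out(instrs, i):
    """Registers live right after instruction i (nothing after the last one)."""
    live_in = live_in_sets(instrs)
    return live_in[i + 1] if i + 1 < len(instrs) else frozenset()


def may_share_register(instrs, a, b):
    """True if a and b never interfere, so an allocator could give them one register.

    Two values interfere when one is defined by an instruction while the
    other is live-out of that same instruction.
    """
    for i, ins in enumerate(instrs):
        out = live_out(instrs, i)
        if (a in ins.defs and b in out) or (b in ins.defs and a in out):
            return False
    return True


def block_after_coalescing(ret_uses):
    """The post-coalescing sequence from the entry; `ret_uses` is what Ret reads."""
    return [
        Instr("Move 42(%tmp1), %rax", uses=frozenset({"tmp1"}), defs=frozenset({"rax"})),
        Instr("Move 50(%tmp1), %tmp3", uses=frozenset({"tmp1"}), defs=frozenset({"tmp3"})),
        Instr("Move %tmp3, 58(%tmp1)", uses=frozenset({"tmp3", "tmp1"})),
        Instr("Ret", uses=frozenset(ret_uses)),
    ]


def rax_reusable_for_tmp3(ret_uses):
    """Would the allocator be allowed to put %tmp3 into %rax?"""
    return may_share_register(block_after_coalescing(ret_uses), "tmp3", "rax")


if __name__ == "__main__":
    # Old Ret reads nothing, so %rax is dead after the first Move and %tmp3 may take it (wrong).
    print("Ret (no uses) -> tmp3 may take rax:", rax_reusable_for_tmp3(()))
    # Ret64 %rax keeps %rax live through both Moves, so the two values interfere.
    print("Ret64 %rax    -> tmp3 may take rax:", rax_reusable_for_tmp3(("rax",)))
```

        With the old Ret the live-in set of the second Move is just {tmp1}; with the return
        register as an explicit use it becomes {rax, tmp1}, which is the information the
        allocator needs to keep %tmp3 out of %rax.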
2393 2016-01-05  Keith Miller  <keith_miller@apple.com>
2394
2395         Unreviewed build fix. A symbol was being exported that should not have been.
2396
2397         * runtime/Structure.h:
2398
2399 2016-01-05  Commit Queue  <commit-queue@webkit.org>
2400
2401         Unreviewed, rolling out r194603.
2402         https://bugs.webkit.org/show_bug.cgi?id=152762
2403
2404         This change introduced JSC test failures (Requested by
2405         ryanhaddad on #webkit).
2406
2407         Reverted changeset:
2408
2409         "[ES6] Date.prototype should be a plain object"
2410         https://bugs.webkit.org/show_bug.cgi?id=152574
2411         http://trac.webkit.org/changeset/194603
2412
2413 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2414
2415         stress/v8-crypto-strict.js.ftl-eager-no-cjit in FTL B3 fails with an assertion in the callframe shuffler
2416         https://bugs.webkit.org/show_bug.cgi?id=152756
2417
2418         Reviewed by Saam Barati.
2419
2420         This fixes a really obvious and dumb tail call bug in FTL B3. I think that tail calls work
2421         for real now. I have no idea why I got any tail call tests to pass before this fix.
2422
2423         * ftl/FTLLowerDFGToLLVM.cpp:
2424         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2425
2426 2016-01-04  Mark Lam  <mark.lam@apple.com>
2427
2428         Profiling should detect when multiplication overflows but does not create negative zero.
2429         https://bugs.webkit.org/show_bug.cgi?id=132470
2430
2431         Reviewed by Geoffrey Garen.
2432
2433         * assembler/MacroAssemblerARM64.h:
2434         (JSC::MacroAssemblerARM64::or32):
2435         * assembler/MacroAssemblerARMv7.h:
2436         (JSC::MacroAssemblerARMv7::or32):
2437         - New or32 emitter needed by the mul snippet.
2438
2439         * bytecode/CodeBlock.cpp:
2440         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2441         (JSC::CodeBlock::updateResultProfileForBytecodeOffset): Deleted.
2442         * bytecode/CodeBlock.h:
2443         (JSC::CodeBlock::ensureResultProfile):
2444         (JSC::CodeBlock::addResultProfile): Deleted.
2445         (JSC::CodeBlock::likelyToTakeDeepestSlowCase): Deleted.
2446         - Added a m_bytecodeOffsetToResultProfileIndexMap because we can now add result
2447           profiles in any order (based on runtime execution), not necessarily in bytecode
2448           order at baseline compilation time.
2449
2450         * bytecode/ValueProfile.cpp:
2451         (WTF::printInternal):
2452         * bytecode/ValueProfile.h:
2453         (JSC::ResultProfile::didObserveInt52Overflow):
2454         (JSC::ResultProfile::setObservedInt52Overflow):
2455         - Add new Int52Overflow flags.
2456
2457         * dfg/DFGByteCodeParser.cpp:
2458         (JSC::DFG::ByteCodeParser::makeSafe):
2459         - Now with more straightforward mapping of profiling info.
2460
2461         * dfg/DFGCommon.h:
2462         - Fixed a typo in a comment.
2463
2464         * dfg/DFGNode.h:
2465         (JSC::DFG::Node::arithNodeFlags):
2466         (JSC::DFG::Node::mayHaveNonIntResult):
2467         (JSC::DFG::Node::hasConstantBuffer):
2468         * dfg/DFGNodeFlags.cpp:
2469         (JSC::DFG::dumpNodeFlags):
2470         * dfg/DFGNodeFlags.h:
2471         (JSC::DFG::nodeMayOverflowInt52):
2472         (JSC::DFG::nodeCanSpeculateInt52):
2473         * dfg/DFGPredictionPropagationPhase.cpp:
2474         (JSC::DFG::PredictionPropagationPhase::propagate):
2475         - We now have profiling info for whether the result was ever seen to be a non-Int.
2476           Use this to make a better prediction.
2477
2478         * jit/JITArithmetic.cpp:
2479         (JSC::JIT::emit_op_div):
2480         (JSC::JIT::emit_op_mul):
2481         - Switch to using CodeBlock::ensureResultProfile().  ResultProfiles can now be
2482           created at any time (including the slow path), not just in bytecode order
2483           during baseline compilation.
2484
2485         * jit/JITMulGenerator.cpp:
2486         (JSC::JITMulGenerator::generateFastPath):
2487         - Removed the fast path profiling code for NegZero because we'll go to the slow
2488           path anyway.  Let the slow path do the profiling for us.
2489         - Added profiling for NegZero and potential Int52 overflows in the fast path
2490           that does double math.
2491
2492         * runtime/CommonSlowPaths.cpp:
2493         (JSC::updateResultProfileForBinaryArithOp):
2494         - Removed the RETURN_WITH_RESULT_PROFILING macro (2 fewer macros), and just use
2495           the RETURN_WITH_PROFILING macro instead with a call to
2496           updateResultProfileForBinaryArithOp().  This makes it clear what we're doing
2497           to do profiling in each case, and also allows us to do custom profiling for
2498           each opcode if needed.  However, so far, we always call
2499           updateResultProfileForBinaryArithOp().
2500
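        A constructed model of the result profiling the entry above describes, added here as a
        worked example. It is not JavaScriptCore code: the flag names echo JSC's ResultProfile
        (NegZero, Int32Overflow, Int52Overflow, non-Int result) but the bit values, the
        profile_mul and predict_result_type helpers, and the operand model are this example's
        own assumptions. The point it demonstrates is that overflow and negative zero are
        observed independently, so a multiply that overflows but never produces -0 does not get
        charged with NegZero:

```python
import math

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
INT52_MIN, INT52_MAX = -2**51, 2**51 - 1   # JSC's Int52 is a 52-bit signed range

# Constructed flag bits; JSC's ResultProfile uses its own encoding.
NEG_ZERO = 1 << 0         # the product was -0
INT32_OVERFLOW = 1 << 1   # an integer product did not fit in Int32
INT52_OVERFLOW = 1 << 2   # an integer product did not fit in Int52 either
NON_INT = 1 << 3          # the product was not an integer at all


def profile_mul(a, b, flags=0):
    """Multiply the way a slow path would and OR the observations into `flags`.

    Returns (result, flags). `flags` is the accumulated profile so far, so
    repeated calls model what the profile looks like after many executions.
    """
    result = a * b
    # -0 arises only when the product is zero and the operand signs differ;
    # Python ints cannot carry the sign, so it is reconstructed explicitly.
    if result == 0 and math.copysign(1.0, a) * math.copysign(1.0, b) < 0:
        flags |= NEG_ZERO
        result = -0.0
    elif isinstance(result, float) and not result.is_integer():
        flags |= NON_INT
    elif not INT32_MIN <= result <= INT32_MAX:
        flags |= INT32_OVERFLOW
        if not INT52_MIN <= result <= INT52_MAX:
            flags |= INT52_OVERFLOW
    return result, flags


def predict_result_type(flags):
    """Pick the narrowest representation the accumulated observations allow."""
    if flags & (NEG_ZERO | NON_INT | INT52_OVERFLOW):
        return "Double"
    if flags & INT32_OVERFLOW:
        return "Int52"
    return "Int32"


if __name__ == "__main__":
    flags = 0
    for a, b in [(3, 0), (-3, 0), (2**20, 2**20), (2**30, 2**30), (0.5, 3)]:
        result, flags = profile_mul(a, b, flags)
        print(f"{a} * {b} = {result!r:>10}  flags={flags:04b}  predict={predict_result_type(flags)}")
```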
2501 2016-01-05  Keith Miller  <keith_miller@apple.com>
2502
2503         [ES6] Arrays should be subclassable.
2504         https://bugs.webkit.org/show_bug.cgi?id=152706
2505
2506         Reviewed by Benjamin Poulain.
2507
2508         This patch enables full subclassing of Arrays. We do this by fetching the new.target's prototype property
2509         in the Array constructor and transitioning the old structure to have the new prototype. This method has
2510         two downsides. The first is that we clobber the transition watchpoint on the base structure. The second,
2511         which is currently very significant but should be fixed in a future patch, is that we allocate a new
2512         structure for each new derived class we allocate.
2513
2514         * runtime/ArrayConstructor.cpp:
2515         (JSC::constructArrayWithSizeQuirk):
2516         (JSC::constructWithArrayConstructor):
2517         (JSC::callArrayConstructor):
2518         * runtime/ArrayConstructor.h:
2519         * runtime/JSGlobalObject.h:
2520         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
2521         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
2522         (JSC::constructEmptyArray):
2523         (JSC::constructArray):
2524         (JSC::constructArrayNegativeIndexed):
2525         * runtime/PrototypeMap.h:
2526         * runtime/Structure.h:
2527         * runtime/StructureInlines.h:
2528         (JSC::Structure::createSubclassStructure):
2529         * tests/es6.yaml:
2530         * tests/stress/class-subclassing-array.js: Added.
2531         (A):
2532         (B.prototype.get 1):
2533         (B):
2534         (C):
2535         (test):
2536
2537 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2538
2539         regress/script-tests/deltablue-varargs.js.ftl-no-cjit-no-put-stack-validate on FTL B3 gets a B3 validation failure
2540         https://bugs.webkit.org/show_bug.cgi?id=152754
2541
2542         Reviewed by Geoffrey Garen and Saam Barati.
2543
2544         It turns out that the FTL was creating orphans. Rather than making the FTL handle them by
2545         itself, I gave B3 the power to eliminate them for you. I also made the dumper print them
2546         since otherwise, you wouldn't know anything about the orphan when looking at a validation
2547         failure or other kind of procedure dump.
2548
2549         * b3/B3IndexSet.h:
2550         (JSC::B3::IndexSet::add):
2551         (JSC::B3::IndexSet::addAll):
2552         (JSC::B3::IndexSet::remove):
2553         * b3/B3Procedure.cpp:
2554         (JSC::B3::Procedure::dump):
2555         (JSC::B3::Procedure::deleteValue):
2556         (JSC::B3::Procedure::deleteOrphans):
2557         (JSC::B3::Procedure::dominators):
2558         * b3/B3Procedure.h:
2559         (JSC::B3::Procedure::cfg):
2560         * ftl/FTLLowerDFGToLLVM.cpp:
2561         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2562
2563 2015-12-24  Mark Lam  <mark.lam@apple.com>
2564
2565         Re-landing: Add validation of JSC options to catch typos.
2566         https://bugs.webkit.org/show_bug.cgi?id=152549
2567
2568         Reviewed by Benjamin Poulain.
2569
2570         1. If a JSC_xxx option is found and xxx is not a valid option, we will now log
2571            an error message.
2572         2. If a --xxx jsc option is specified, but xxx is not a valid option, we will
2573            now log an error message.
2574         3. Added JSC_validateOptions, which if set to true will cause the VM to crash if
2575            an invalid option was seen during options parsing.
2576
2577         In this version for re-landing, I removed the change where I disallowed -- options
2578         after the script name.  Apparently, we have some test harnesses that do append the
2579         -- options after the script name.
2580
2581         * jsc.cpp:
2582         (CommandLine::parseArguments):
2583         * runtime/Options.cpp:
2584         (JSC::Options::initialize):
2585         * runtime/Options.h:
2586
2587 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2588
2589         FTL B3 should do ArithNegate
2590         https://bugs.webkit.org/show_bug.cgi?id=152745
2591
2592         Reviewed by Geoffrey Garen.
2593
2594         * ftl/FTLLowerDFGToLLVM.cpp:
2595         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
2596
2597 2016-01-05  Andy VanWagoner  <thetalecrafter@gmail.com>
2598
2599         [ES6] Date.prototype should be a plain object
2600         https://bugs.webkit.org/show_bug.cgi?id=152574
2601
2602         Reviewed by Benjamin Poulain.
2603
2604         * runtime/DateConstructor.cpp:
2605         (JSC::DateConstructor::finishCreation):
2606         * runtime/DatePrototype.cpp:
2607         (JSC::DatePrototype::DatePrototype):
2608         * runtime/DatePrototype.h:
2609
2610 2016-01-05  Commit Queue  <commit-queue@webkit.org>
2611
2612         Unreviewed, rolling out r194590.
2613         https://bugs.webkit.org/show_bug.cgi?id=152751
2614
2615         "Causes bot failures" (Requested by mlam on #webkit).
2616
2617         Reverted changeset:
2618
2619         "Add validation of JSC options to catch typos."
2620         https://bugs.webkit.org/show_bug.cgi?id=152549
2621         http://trac.webkit.org/changeset/194590
2622
2623 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2624
2625         FTL B3 should do In
2626         https://bugs.webkit.org/show_bug.cgi?id=152744
2627
2628         Reviewed by Michael Saboff.
2629
2630         This was easy; I just used the same idiom that we already established for ICs in FTL B3.
2631
2632         * ftl/FTLLowerDFGToLLVM.cpp:
2633         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2634
2635 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2636
2637         Implement B3 version of FTL::Output::check()
2638         https://bugs.webkit.org/show_bug.cgi?id=152743
2639
2640         Reviewed by Geoffrey Garen.
2641
2642         Turns out this was just like the LLVM version.
2643
2644         * ftl/FTLB3Output.cpp:
2645         (JSC::FTL::Output::branch):
2646         (JSC::FTL::Output::check):
2647         * ftl/FTLB3Output.h:
2648         (JSC::FTL::Output::switchInstruction):
2649         (JSC::FTL::Output::check): Deleted.
2650
2651 2016-01-05  Mark Lam  <mark.lam@apple.com>
2652
2653         Add support for aliasing JSC Options.
2654         https://bugs.webkit.org/show_bug.cgi?id=152551
2655
2656         Reviewed by Filip Pizlo.
2657
2658         This allows us to use old option names as well.  This is for the benefit of
2659         third party tools which may have been built to rely on those old options.  The
2660         old option names will be mapped to the current option names in setOption().
2661
2662         For some options, the old option name specifies the inverse boolean value of the
2663         current option name.  setOption() will take care of inverting the value before
2664         applying it to the option.
2665
2666         * jsc.cpp:
2667         (CommandLine::parseArguments):
2668         - Switch to dumping only overridden options here.  Verbose dumping is too much
2669           for common usage.
2670         * runtime/Options.cpp:
2671         (JSC::overrideOptionWithHeuristic):
2672         (JSC::Options::overrideAliasedOptionWithHeuristic):
2673         (JSC::computeNumberOfWorkerThreads):
2674         (JSC::Options::initialize):
2675         (JSC::Options::setOptionWithoutAlias):
2676         (JSC::invertBoolOptionValue):
2677         (JSC::Options::setAliasedOption):
2678         (JSC::Options::setOption):
2679         (JSC::Options::dumpAllOptions):
2680         - String.ascii() converts newline characters to '?', and this was messing up the
2681           printing of the options.  Switched to using String.utf8() instead.
2682         (JSC::Options::dumpOption):
2683         * runtime/Options.h:
2684
2685 2016-01-05  Mark Lam  <mark.lam@apple.com>
2686
2687         Add validation of JSC options to catch typos.
2688         https://bugs.webkit.org/show_bug.cgi?id=152549
2689
2690         Reviewed by Benjamin Poulain.
2691
2692         1. If a JSC_xxx option is found and xxx is not a valid option, we will now log
2693            an error message.
2694         2. The jsc app is commonly used as follows:
2695
2696                $ jsc [jsc options] [scripts]
2697
2698            Previously, we would continue to parse for [jsc options] after [scripts] was seen.
2699            We won't do this anymore.  Any --xxx jsc options must precede the [scripts]
2700            arguments.
2701
2702         3. If a --xxx jsc option is specified, but xxx is not a valid option, we will
2703            now log an error message.
2704
2705         4. Added JSC_validateOptions, which if set to true will cause the VM to crash if
2706            an invalid option was seen during options parsing.
2707
2708         * jsc.cpp:
2709         (CommandLine::parseArguments):
2710         * runtime/Options.cpp:
2711         (JSC::Options::initialize):
2712         * runtime/Options.h:
2713
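        An added worked example covering the two option-handling entries above, "Add support
        for aliasing JSC Options" (bug 152551) and "Add validation of JSC options to catch
        typos" (bug 152549, in its re-landed form). This is illustration code written for this
        page, not JSC's Options.cpp or jsc.cpp: the option table, the alias table and the
        parse_arguments/set_option helper names are this example's own assumptions. It applies
        JSC_xxx environment overrides and --xxx=value arguments, maps old names to current ones
        (inverting the value where the old name meant the opposite), logs unknown names, and
        fails hard at the end when validateOptions is set and anything was rejected:

```python
import os
import sys

# Constructed option table for this example; JSC's real options live in runtime/Options.h.
OPTION_DEFAULTS = {
    "useJIT": True,
    "validateOptions": False,
    "numberOfGCMarkers": 4,
}

# Old name -> (current name, inverted). `inverted` models an old name that
# specified the inverse boolean value of the current option.
ALIASES = {
    "enableJIT": ("useJIT", False),
    "disableJIT": ("useJIT", True),
}


class InvalidOptionError(ValueError):
    """Raised after parsing when validateOptions is set and an invalid option was seen."""


def parse_value(current, text):
    """Coerce `text` to the type of the option's current value."""
    if isinstance(current, bool):
        if text in ("true", "1"):
            return True
        if text in ("false", "0"):
            return False
        raise ValueError(f"not a boolean: {text!r}")
    return int(text)


def set_option(options, name, text):
    """Apply one name=value pair, resolving aliases first. Returns False if rejected."""
    inverted = False
    if name in ALIASES:
        name, inverted = ALIASES[name]
    if name not in options:
        print(f"ERROR: invalid option: {name}", file=sys.stderr)  # catches typos like useJit
        return False
    try:
        value = parse_value(options[name], text)
    except ValueError as exc:
        print(f"ERROR: bad value for {name}: {exc}", file=sys.stderr)
        return False
    options[name] = (not value) if inverted else value
    return True


def parse_arguments(argv, environ):
    """Apply JSC_xxx environment overrides, then --xxx=value arguments.

    As in the re-landed change, --options are honoured wherever they appear,
    including after a script name. Returns (options, scripts, invalid_count)
    and raises InvalidOptionError when validateOptions ended up true and at
    least one option was rejected.
    """
    options = dict(OPTION_DEFAULTS)
    invalid = 0
    for key, text in environ.items():
        if key.startswith("JSC_") and not set_option(options, key[len("JSC_"):], text):
            invalid += 1
    scripts = []
    for arg in argv:
        if arg.startswith("--") and "=" in arg:
            name, text = arg[2:].split("=", 1)
            if not set_option(options, name, text):
                invalid += 1
        else:
            scripts.append(arg)
    if options["validateOptions"] and invalid:
        raise InvalidOptionError(f"{invalid} invalid option(s) seen during parsing")
    return options, scripts, invalid


if __name__ == "__main__":
    print(parse_arguments(sys.argv[1:], dict(os.environ)))
```

        Without validateOptions a misspelled option only produces the error line and is
        otherwise ignored, which is the behaviour that lets a typo silently leave the default
        in place; with it set, the run stops instead.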
2714 2016-01-04  Keith Miller  <keith_miller@apple.com>
2715
2716         Turn off Internal Function inlining in the DFG for super calls.
2717         https://bugs.webkit.org/show_bug.cgi?id=152695
2718
2719         Reviewed by Geoffrey Garen.
2720
2721         Currently, we inline several InternalFunctions into an allocation with a
2722         fixed structure in the DFG. This optimization is not valid when the
2723         InternalFunction is called via a super call.
2724
2725         * dfg/DFGByteCodeParser.cpp:
2726         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2727         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2728
2729 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2730
2731         FTL B3 should do binary snippets
2732         https://bugs.webkit.org/show_bug.cgi?id=152668
2733
2734         Reviewed by Mark Lam.
2735
2736         This finishes all of the rest of the snippets.
2737
2738         * ftl/FTLLowerDFGToLLVM.cpp:
2739         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2740         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2741         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2742         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2743         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2744         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
2745         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
2746         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2747         * tests/stress/object-bit-or.js: Added.
2748         (foo):
2749         (things.valueOf):
2750         * tests/stress/object-bit-xor.js: Added.
2751         (foo):
2752         (things.valueOf):
2753         * tests/stress/object-lshift.js: Added.
2754         (foo):
2755         (things.valueOf):
2756         * tests/stress/object-rshift.js: Added.
2757         (foo):
2758         (things.valueOf):
2759         * tests/stress/object-urshift.js: Added.
2760         (foo):
2761         (things.valueOf):
2762         * tests/stress/untyped-bit-or.js: Added.
2763         (foo):
2764         (valueOf):
2765         * tests/stress/untyped-bit-xor.js: Added.
2766         (foo):
2767         (valueOf):
2768         * tests/stress/untyped-lshift.js: Added.
2769         (foo):
2770         (valueOf):
2771         * tests/stress/untyped-rshift.js: Added.
2772         (foo):
2773         (valueOf):
2774         * tests/stress/untyped-urshift.js: Added.
2775         (foo):
2776         (valueOf):
2777
2778 2016-01-04  Mark Lam  <mark.lam@apple.com>
2779
2780         isUntypedSpeculationForArithmetic is wrong.
2781         https://bugs.webkit.org/show_bug.cgi?id=152708
2782
2783         Reviewed by Filip Pizlo.
2784
2785         The isUntypedSpeculation...() checks should return true if we ever see
2786         non-numeric types, regardless of whether numeric types are seen or not.
2787         Previously, they only returned true if we only saw non-numeric types, and false if
2788         we ever saw numeric types.
2789
2790         This patch is perf neutral on both x86_64 and x86.
2791
2792         * bytecode/SpeculatedType.h:
2793         (JSC::isUntypedSpeculationForArithmetic):
2794         (JSC::isUntypedSpeculationForBitOps):
2795
2796 2016-01-04  Tim Horton  <timothy_horton@apple.com>
2797
2798         Turn on gesture events when building for Yosemite
2799         https://bugs.webkit.org/show_bug.cgi?id=152704
2800         rdar://problem/24042472
2801
2802         Reviewed by Anders Carlsson.
2803
2804         * Configurations/FeatureDefines.xcconfig:
2805
2806 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2807
2808         FTL B3 should do BitAnd binary snippets
2809         https://bugs.webkit.org/show_bug.cgi?id=152713
2810
2811         Reviewed by Mark Lam.
2812
2813         Getting ready to finish up the binary bitop snippets.
2814
2815         * ftl/FTLLowerDFGToLLVM.cpp:
2816         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2817         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2818         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
2819         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2820         * tests/stress/object-bit-and.js: Added.
2821         (foo):
2822         (things.valueOf):
2823         * tests/stress/untyped-bit-and.js: Added.
2824         (foo):
2825         (valueOf):
2826
2827 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2828
2829         FTL B3 should do all of the non-bitop binary snippets
2830         https://bugs.webkit.org/show_bug.cgi?id=152709
2831
2832         Reviewed by Mark Lam.
2833
2834         * ftl/FTLLowerDFGToLLVM.cpp:
2835         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2836         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
2837         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2838         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2839         * tests/stress/object-add.js: Added.
2840         (foo):
2841         (things.valueOf):
2842         * tests/stress/object-div.js: Added.
2843         (foo):
2844         (things.valueOf):
2845         * tests/stress/object-mul.js: Added.
2846         (foo):
2847         (things.valueOf):
2848         * tests/stress/untyped-add.js: Added.
2849         (foo):
2850         (valueOf):
2851         * tests/stress/untyped-div.js: Added.
2852         (foo):
2853         (valueOf):
2854         * tests/stress/untyped-mul.js: Added.
2855         (foo):
2856         (valueOf):
2857
2858 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2859
2860         FTL B3 should do the ArithSub binary snippet
2861         https://bugs.webkit.org/show_bug.cgi?id=152705
2862
2863         Reviewed by Saam Barati.
2864
2865         This implements the ArithSub binary snippet generator in FTL B3.
2866
2867         While doing this, I discovered that the DFG type inference logic for ArithSub contains a
2868         classic mistake: it causes the snippets to kick in when the type set does not contain numbers
2869         rather than kicking in when the type set contains non-numbers. So, the original test that I
2870         wrote for this doesn't work right (it runs to completion but OSR exits ad infinitum). I wrote
2871         a second test that is simpler, and that one shows that the binary snippets "work". That's
2872         sort of a joke though, since the only way to trigger binary snippets is to never pass numbers
2873         and the only way to actually cause a binary snippet to do meaningful work is to pass numbers.
2874         I filed a bug about this mess: https://bugs.webkit.org/show_bug.cgi?id=152708.
2875
2876         * ftl/FTLLowerDFGToLLVM.cpp:
2877         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
2878         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
2879         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
2880         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2881         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2882         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2883         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
2884         * tests/stress/object-sub.js: Added.
2885         (foo):
2886         (things.valueOf):
2887         * tests/stress/untyped-sub.js: Added.
2888         (foo):
2889         (valueOf):
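
        Added illustration (not JSC's code) of the type-inference mistake described in this entry and in Mark Lam's 2016-01-04 entry for bug 152708. The SpeculatedType bit values, the predicate names and the re-speculation loop are constructed for this example; the real JSC constants and pipeline differ.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed bit assignments for this illustration; NOT JSC's real SpeculatedType values.
typedef uint64_t SpeculatedType;
constexpr SpeculatedType SpecInt32      = 1u << 0;
constexpr SpeculatedType SpecDouble     = 1u << 1;
constexpr SpeculatedType SpecBoolean    = 1u << 2;
constexpr SpeculatedType SpecString     = 1u << 3;
constexpr SpeculatedType SpecObject     = 1u << 4;
constexpr SpeculatedType SpecFullNumber = SpecInt32 | SpecDouble;

// Operand types the speculative (non-snippet) arithmetic path can handle.
constexpr SpeculatedType arithFastTypes = SpecFullNumber | SpecBoolean;

// The "classic mistake": answers "untyped" only when the profile contains NO numbers.
bool isUntypedSpeculationForArithmeticBuggy(SpeculatedType value)
{
    return !(value & arithFastTypes);
}

// The fix: answers "untyped" as soon as the profile contains ANY non-number.
bool isUntypedSpeculationForArithmeticFixed(SpeculatedType value)
{
    return !!(value & ~arithFastTypes);
}

typedef bool (*UntypedPredicate)(SpeculatedType);

// Simplified re-speculation loop (hypothetical, not JSC's real pipeline): the profile
// accumulates every operand type seen; while the predicate still says "speculate numeric",
// a non-number operand fails the speculation check and counts as one OSR exit.
int countOSRExits(UntypedPredicate isUntyped, const SpeculatedType* operands, size_t count)
{
    SpeculatedType profile = 0;
    int exits = 0;
    for (size_t i = 0; i < count; ++i) {
        profile |= operands[i];
        bool useGenericSnippet = isUntyped(profile);
        bool operandIsNumber = (operands[i] & arithFastTypes) != 0;
        if (!useGenericSnippet && !operandIsNumber)
            ++exits;
    }
    return exits;
}

// Constructed sample: a loop that alternates numbers and objects, the situation in which
// the buggy predicate never enables the snippet and the node keeps exiting.
int exitsForMixedOperands(UntypedPredicate isUntyped)
{
    const SpeculatedType operands[] = {
        SpecInt32, SpecObject, SpecInt32, SpecObject, SpecInt32,
        SpecObject, SpecDouble, SpecObject, SpecInt32, SpecObject,
    };
    return countOSRExits(isUntyped, operands, sizeof(operands) / sizeof(operands[0]));
}

// Constructed sample: non-numbers only, the one stream that triggered snippets before the
// fix (and the reason the snippet's numeric fast path never did meaningful work).
int exitsForObjectOnlyOperands(UntypedPredicate isUntyped)
{
    const SpeculatedType operands[] = { SpecObject, SpecObject, SpecString, SpecObject };
    return countOSRExits(isUntyped, operands, sizeof(operands) / sizeof(operands[0]));
}

int main()
{
    printf("mixed operands: buggy=%d exits, fixed=%d exits\n",
        exitsForMixedOperands(isUntypedSpeculationForArithmeticBuggy),
        exitsForMixedOperands(isUntypedSpeculationForArithmeticFixed));
    printf("objects only:   buggy=%d exits, fixed=%d exits\n",
        exitsForObjectOnlyOperands(isUntypedSpeculationForArithmeticBuggy),
        exitsForObjectOnlyOperands(isUntypedSpeculationForArithmeticFixed));
    return 0;
}
```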
2890
2891 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2892
2893         Unreviewed, disable FTL B3 for now. I didn't intend to enable it yet.
2894
2895         * dfg/DFGCommon.h:
2896
2897 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2898
2899         B3 patchpoints should allow requesting scratch registers
2900         https://bugs.webkit.org/show_bug.cgi?id=152669
2901
2902         Reviewed by Benjamin Poulain.
2903
2904         Scratch registers are something that we often need in many patchpoint use cases. In LLVM's
2905         patchpoints, we didn't have a good way to request scratch registers. So, our current FTL code
2906         often does crazy scratch register allocation madness even when it would be better to just ask
2907         the backend for some registers. This patch adds a mechanism for requesting scratch registers
2908         in B3, and wires it all the way to all of our register allocation and liveness
2909         infrastructure.
2910
2911         From the standpoint of a patchpoint, a "scratch register" is an instruction argument that
2912         only admits Tmp and is defined early (like an early clobber register) and is used late (like
2913         what we previously called LateUse, except that this time it's also a warm use). We already
2914         had the beginning of support for early defs because of early clobbers, and we already
2915         supported late uses albeit cold ones. I really only needed to add one new role: "Scratch",
2916         which means both early def and late use in much the same way as "UseDef" means both early
2917         use and late def. But, it feels better to complete the set of roles, so I added LateColdUse
2918         to differentiate from LateUse (which is now a warm use) and EarlyDef to differentiate from
2919         Def (which is, and always has been, a late def). Forcing the code to deal with the full
2920         matrix of possibilities resulted in what is probably a progression in how we handle defs in
2921         the register and stack allocators. The new Inst::forEachDef(Inst*, Inst*, callback) fully
2922         recognizes that a "def" is something that can come from either the preceding instruction or
2923         the succeeding one.
2924
2925         This doesn't add any new functionality to FTL B3 yet, but the new scratch register mechanism
2926         is covered by new testb3 tests.
2927
2928         * b3/B3CheckSpecial.cpp:
2929         (JSC::B3::CheckSpecial::isValid):
2930         (JSC::B3::CheckSpecial::admitsStack):
2931         (JSC::B3::CheckSpecial::generate):
2932         * b3/B3LowerToAir.cpp:
2933         (JSC::B3::Air::LowerToAir::lower):
2934         * b3/B3PatchpointSpecial.cpp:
2935         (JSC::B3::PatchpointSpecial::forEachArg):
2936         (JSC::B3::PatchpointSpecial::isValid):
2937         (JSC::B3::PatchpointSpecial::admitsStack):
2938         (JSC::B3::PatchpointSpecial::generate):
2939         * b3/B3PatchpointValue.cpp:
2940         (JSC::B3::PatchpointValue::dumpMeta):
2941         (JSC::B3::PatchpointValue::PatchpointValue):
2942         * b3/B3PatchpointValue.h:
2943         * b3/B3StackmapGenerationParams.cpp:
2944         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
2945         * b3/B3StackmapGenerationParams.h:
2946         (JSC::B3::StackmapGenerationParams::gpScratch):
2947         (JSC::B3::StackmapGenerationParams::fpScratch):
2948         * b3/B3StackmapSpecial.cpp:
2949         (JSC::B3::StackmapSpecial::forEachArgImpl):
2950         (JSC::B3::StackmapSpecial::isValidImpl):
2951         (JSC::B3::StackmapSpecial::admitsStackImpl):
2952         (JSC::B3::StackmapSpecial::repsImpl):
2953         (JSC::B3::StackmapSpecial::isArgValidForValue):
2954         (JSC::B3::StackmapSpecial::appendRepsImpl): Deleted.
2955         * b3/B3StackmapSpecial.h:
2956         * b3/air/AirAllocateStack.cpp:
2957         (JSC::B3::Air::allocateStack):
2958         * b3/air/AirArg.cpp:
2959         (WTF::printInternal):
2960         * b3/air/AirArg.h:
2961         (JSC::B3::Air::Arg::isAnyUse):
2962         (JSC::B3::Air::Arg::isColdUse):
2963         (JSC::B3::Air::Arg::isEarlyUse):
2964         (JSC::B3::Air::Arg::isLateUse):
2965         (JSC::B3::Air::Arg::isAnyDef):
2966         (JSC::B3::Air::Arg::isEarlyDef):
2967         (JSC::B3::Air::Arg::isLateDef):
2968         (JSC::B3::Air::Arg::isZDef):
2969         (JSC::B3::Air::Arg::Arg):
2970         (JSC::B3::Air::Arg::imm):
2971         (JSC::B3::Air::Arg::isDef): Deleted.
2972         * b3/air/AirBasicBlock.h:
2973         (JSC::B3::Air::BasicBlock::at):
2974         (JSC::B3::Air::BasicBlock::get):
2975         (JSC::B3::Air::BasicBlock::last):
2976         * b3/air/AirEliminateDeadCode.cpp:
2977         (JSC::B3::Air::eliminateDeadCode):
2978         * b3/air/AirFixPartialRegisterStalls.cpp:
2979         (JSC::B3::Air::fixPartialRegisterStalls):
2980         * b3/air/AirInst.cpp:
2981         (JSC::B3::Air::Inst::hasArgEffects):
2982         * b3/air/AirInst.h:
2983         * b3/air/AirInstInlines.h:
2984         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
2985         (JSC::B3::Air::Inst::forEachDef):
2986         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
2987         (JSC::B3::Air::Inst::reportUsedRegisters):
2988         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs): Deleted.
2989         * b3/air/AirIteratedRegisterCoalescing.cpp:
2990         * b3/air/AirLiveness.h:
2991         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
2992         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
2993         * b3/air/AirSpillEverything.cpp:
2994         (JSC::B3::Air::spillEverything):
2995         * b3/air/AirTmpWidth.cpp:
2996         (JSC::B3::Air::TmpWidth::recompute):
2997         * b3/air/AirUseCounts.h:
2998         (JSC::B3::Air::UseCounts::UseCounts):
2999         * b3/testb3.cpp:
3000         (JSC::B3::testPatchpointAny):
3001         (JSC::B3::testPatchpointGPScratch):
3002         (JSC::B3::testPatchpointFPScratch):
3003         (JSC::B3::testPatchpointLotsOfLateAnys):
3004         (JSC::B3::run):
3005
3006 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
3007
3008         Fix the !ENABLE(INTL) build after r193493
3009         https://bugs.webkit.org/show_bug.cgi?id=152689
3010
3011         Reviewed by Alex Christensen.
3012
3013         * runtime/NumberPrototype.cpp:
3014         (JSC::NumberPrototype::finishCreation):
3015
3016 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
3017
3018         JSC generator scripts shouldn't have verbose output
3019         https://bugs.webkit.org/show_bug.cgi?id=152382
3020
3021         Reviewed by Michael Catanzaro.
3022
3023         * b3/air/opcode_generator.rb:
3024         * generate-bytecode-files:
3025         * offlineasm/asm.rb:
3026         * offlineasm/generate_offset_extractor.rb:
3027         * offlineasm/parser.rb:
3028
3029 2016-01-04  Benjamin Poulain  <bpoulain@apple.com>
3030
3031         [JSC] Build B3 by default on iOS ARM64
3032         https://bugs.webkit.org/show_bug.cgi?id=152525
3033
3034         Reviewed by Filip Pizlo.
3035
3036         Minor changes required to get testb3 to compile.
3037
3038         * Configurations/ToolExecutable.xcconfig:
3039         We need an entitlement to allocate executable memory.
3040
3041         * assembler/MacroAssemblerARM64.h:
3042         (JSC::MacroAssemblerARM64::scratchRegister):
3043         (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
3044         (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
3045         Expose one of the scratch registers for ValueRep::emitRestore().
3046         Guard the use of scratch registers when not allowed.
3047
3048         * b3/air/AirOpcode.opcodes:
3049         ARM addressing is a bit different. Skip Addr to make things build.
3050
3051         * b3/testb3.cpp:
3052         (JSC::B3::testPatchpointWithStackArgumentResult):
3053         Add on memory only exists on x86.
3054
3055         * jit/RegisterSet.cpp:
3056         (JSC::RegisterSet::macroScratchRegisters):
3057         Add the two scratch registers, useful for patchpoints.
3058
3059 2016-01-03  Khem Raj  <raj.khem@gmail.com>
3060
3061         WebKit fails to build with musl libc library
3062         https://bugs.webkit.org/show_bug.cgi?id=152625
3063
3064         Reviewed by Daniel Bates.
3065
3066         Qualify isnan() calls with std namespace.
3067
3068         * runtime/Options.cpp:
3069         (Option::operator==): Add std namespace qualifier.
3070
3071 2016-01-03  Andreas Kling  <akling@apple.com>
3072
3073         Remove redundant StringImpl substring creation function.
3074         <https://webkit.org/b/152652>
3075
3076         Reviewed by Daniel Bates.
3077
3078         Remove jsSubstring8() and make the only call site use jsSubstring().
3079
3080         * runtime/JSString.h:
3081         (JSC::jsSubstring8): Deleted.
3082         * runtime/StringPrototype.cpp:
3083         (JSC::replaceUsingRegExpSearch):
3084
3085 2016-01-02  Khem Raj  <raj.khem@gmail.com>
3086
3087         Clang's builtin for clear_cache accepts char* and errors out
3088         when using void*; using char* works on both gcc and clang
3089         since char* is auto-converted to void* in the gcc case.
3090         https://bugs.webkit.org/show_bug.cgi?id=152654
3091
3092         Reviewed by Michael Saboff.
3093
3094         * assembler/ARM64Assembler.h:
3095         (linuxPageFlush): Convert arguments to __builtin___clear_cache()
3096         to char*.
3097
3098 2015-12-31  Andy Estes  <aestes@apple.com>
3099
3100         Replace WTF::move with WTFMove
3101         https://bugs.webkit.org/show_bug.cgi?id=152601
3102
3103         Reviewed by Brady Eidson.
3104
3105         * API/ObjCCallbackFunction.mm:
3106         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
3107         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
3108         (JSC::ObjCCallbackFunction::create):
3109         (objCCallbackFunctionForInvocation):
3110         * assembler/AssemblerBuffer.h:
3111         (JSC::AssemblerBuffer::releaseAssemblerData):
3112         * assembler/LinkBuffer.cpp:
3113         (JSC::LinkBuffer::linkCode):
3114         * b3/B3BlockInsertionSet.cpp:
3115         (JSC::B3::BlockInsertionSet::insert):
3116         (JSC::B3::BlockInsertionSet::splitForward):
3117         * b3/B3LowerToAir.cpp:
3118         (JSC::B3::Air::LowerToAir::run):
3119         (JSC::B3::Air::LowerToAir::lower):
3120         * b3/B3OpaqueByproducts.cpp:
3121         (JSC::B3::OpaqueByproducts::add):
3122         * b3/B3Procedure.cpp:
3123         (JSC::B3::Procedure::addBlock):
3124         (JSC::B3::Procedure::addDataSection):
3125         * b3/B3Procedure.h:
3126         (JSC::B3::Procedure::releaseByproducts):
3127         * b3/B3ProcedureInlines.h:
3128         (JSC::B3::Procedure::add):
3129         * b3/B3Value.h:
3130         * b3/air/AirCode.cpp:
3131         (JSC::B3::Air::Code::addBlock):
3132         (JSC::B3::Air::Code::addStackSlot):
3133         (JSC::B3::Air::Code::addSpecial):
3134         * b3/air/AirInst.h:
3135         (JSC::B3::Air::Inst::Inst):
3136         * b3/air/AirIteratedRegisterCoalescing.cpp:
3137         * b3/air/AirSimplifyCFG.cpp:
3138         (JSC::B3::Air::simplifyCFG):
3139         * bindings/ScriptValue.cpp:
3140         (Deprecated::jsToInspectorValue):
3141         * builtins/BuiltinExecutables.cpp:
3142         (JSC::createExecutableInternal):
3143         * bytecode/BytecodeBasicBlock.cpp:
3144         (JSC::computeBytecodeBasicBlocks):
3145         * bytecode/CodeBlock.cpp:
3146         (JSC::CodeBlock::finishCreation):
3147         (JSC::CodeBlock::setCalleeSaveRegisters):
3148         * bytecode/CodeBlock.h:
3149         (JSC::CodeBlock::setJITCodeMap):
3150         (JSC::CodeBlock::livenessAnalysis):
3151         * bytecode/GetByIdStatus.cpp:
3152         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3153         * bytecode/GetByIdVariant.cpp:
3154         (JSC::GetByIdVariant::GetByIdVariant):
3155         * bytecode/PolymorphicAccess.cpp:
3156         (JSC::PolymorphicAccess::regenerateWithCases):
3157         (JSC::PolymorphicAccess::regenerateWithCase):
3158         (JSC::PolymorphicAccess::regenerate):
3159         * bytecode/PutByIdStatus.cpp:
3160         (JSC::PutByIdStatus::computeForStubInfo):
3161         * bytecode/PutByIdVariant.cpp:
3162         (JSC::PutByIdVariant::setter):
3163         * bytecode/StructureStubClearingWatchpoint.cpp:
3164         (JSC::StructureStubClearingWatchpoint::push):
3165         * bytecode/StructureStubClearingWatchpoint.h:
3166         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
3167         * bytecode/StructureStubInfo.cpp:
3168         (JSC::StructureStubInfo::addAccessCase):
3169         * bytecode/UnlinkedCodeBlock.cpp:
3170         (JSC::UnlinkedCodeBlock::setInstructions):
3171         * bytecode/UnlinkedFunctionExecutable.cpp:
3172         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3173         * bytecode/UnlinkedFunctionExecutable.h:
3174         * bytecompiler/SetForScope.h:
3175         (JSC::SetForScope::SetForScope):
3176         * dfg/DFGGraph.cpp:
3177         (JSC::DFG::Graph::livenessFor):
3178         (JSC::DFG::Graph::killsFor):
3179         * dfg/DFGJITCompiler.cpp:
3180         (JSC::DFG::JITCompiler::link):
3181         (JSC::DFG::JITCompiler::compile):
3182         (JSC::DFG::JITCompiler::compileFunction):
3183         * dfg/DFGJITFinalizer.cpp:
3184         (JSC::DFG::JITFinalizer::JITFinalizer):
3185         * dfg/DFGLivenessAnalysisPhase.cpp:
3186         (JSC::DFG::LivenessAnalysisPhase::process):
3187         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3188         * dfg/DFGSpeculativeJIT.cpp:
3189         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
3190         (JSC::DFG::SpeculativeJIT::compileIn):
3191         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3192         * dfg/DFGSpeculativeJIT32_64.cpp:
3193         (JSC::DFG::SpeculativeJIT::cachedGetById):
3194         (JSC::DFG::SpeculativeJIT::cachedPutById):
3195         * dfg/DFGSpeculativeJIT64.cpp:
3196         (JSC::DFG::SpeculativeJIT::cachedGetById):
3197         (JSC::DFG::SpeculativeJIT::cachedPutById):
3198         * dfg/DFGWorklist.cpp:
3199         (JSC::DFG::Worklist::finishCreation):
3200         * disassembler/Disassembler.cpp:
3201         (JSC::disassembleAsynchronously):
3202         * ftl/FTLB3Compile.cpp:
3203         (JSC::FTL::compile):
3204         * ftl/FTLCompile.cpp:
3205         (JSC::FTL::mmAllocateDataSection):
3206         * ftl/FTLJITCode.cpp:
3207         (JSC::FTL::JITCode::initializeB3Byproducts):
3208         * ftl/FTLJITFinalizer.h:
3209         (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
3210         * ftl/FTLLink.cpp:
3211         (JSC::FTL::link):
3212         * ftl/FTLLowerDFGToLLVM.cpp:
3213         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
3214         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3215         * heap/Heap.cpp:
3216         (JSC::Heap::releaseDelayedReleasedObjects):
3217         (JSC::Heap::markRoots):
3218         (JSC::Heap::setIncrementalSweeper):
3219         * heap/HeapInlines.h:
3220         (JSC::Heap::releaseSoon):
3221         (JSC::Heap::registerWeakGCMap):
3222         * heap/WeakInlines.h:
3223         * inspector/ConsoleMessage.cpp:
3224         (Inspector::ConsoleMessage::addToFrontend):
3225         * inspector/ContentSearchUtilities.cpp:
3226         (Inspector::ContentSearchUtilities::searchInTextByLines):
3227         * inspector/InjectedScript.cpp:
3228         (Inspector::InjectedScript::getFunctionDetails):
3229         (Inspector::InjectedScript::getProperties):
3230         (Inspector::InjectedScript::getDisplayableProperties):
3231         (Inspector::InjectedScript::getInternalProperties):
3232         (Inspector::InjectedScript::getCollectionEntries):
3233         (Inspector::InjectedScript::wrapCallFrames):
3234         * inspector/InspectorAgentRegistry.cpp:
3235         (Inspector::AgentRegistry::append):
3236         (Inspector::AgentRegistry::appendExtraAgent):
3237         * inspector/InspectorBackendDispatcher.cpp:
3238         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
3239         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
3240         (Inspector::BackendDispatcher::BackendDispatcher):
3241         (Inspector::BackendDispatcher::create):
3242         (Inspector::BackendDispatcher::sendPendingErrors):
3243         * inspector/InspectorProtocolTypes.h:
3244         (Inspector::Protocol::Array::addItem):
3245         * inspector/InspectorValues.cpp:
3246         * inspector/InspectorValues.h:
3247         (Inspector::InspectorObjectBase::setValue):
3248         (Inspector::InspectorObjectBase::setObject):
3249         (Inspector::InspectorObjectBase::setArray):
3250         (Inspector::InspectorArrayBase::pushValue):
3251         (Inspector::InspectorArrayBase::pushObject):
3252         (Inspector::InspectorArrayBase::pushArray):
3253         * inspector/JSGlobalObjectConsoleClient.cpp:
3254         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3255         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
3256         * inspector/JSGlobalObjectInspectorController.cpp:
3257         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3258         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
3259         * inspector/JSInjectedScriptHost.cpp:
3260         (Inspector::JSInjectedScriptHost::JSInjectedScriptHost):
3261         * inspector/JSInjectedScriptHost.h:
3262         (Inspector::JSInjectedScriptHost::create):
3263         * inspector/agents/InspectorAgent.cpp:
3264         (Inspector::InspectorAgent::activateExtraDomain):
3265         * inspector/agents/InspectorConsoleAgent.cpp:
3266         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3267         (Inspector::InspectorConsoleAgent::addConsoleMessage):
3268         * inspector/agents/InspectorDebuggerAgent.cpp:
3269         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3270         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3271         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3272         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3273         (Inspector::InspectorDebuggerAgent::breakProgram):
3274         * inspector/agents/InspectorHeapAgent.cpp:
3275         (Inspector::InspectorHeapAgent::didGarbageCollect):
3276         * inspector/agents/InspectorRuntimeAgent.cpp:
3277         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3278         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3279         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3280         (Inspector::InspectorScriptProfilerAgent::addEvent):
3281         (Inspector::buildInspectorObject):
3282         (Inspector::buildProfileInspectorObject):
3283         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
3284         * inspector/augmentable/AlternateDispatchableAgent.h:
3285         * inspector/scripts/codegen/cpp_generator_templates.py:
3286         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3287         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
3288         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3289         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3290         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3291         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3292         (_generate_unchecked_setter_for_member):
3293         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3294         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3295         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3296         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3297         * inspector/scripts/codegen/objc_generator_templates.py:
3298         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3299         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3300         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3301         * inspector/scripts/tests/expected/enum-values.json-result:
3302         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3303         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3304         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3305         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3306         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3307         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3308         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3309         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3310         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3311         * jit/CallFrameShuffler.cpp:
3312         (JSC::CallFrameShuffler::performSafeWrites):
3313         * jit/PolymorphicCallStubRoutine.cpp:
3314         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
3315         * jit/Repatch.cpp:
3316         (JSC::tryCacheGetByID):
3317         (JSC::tryCachePutByID):
3318         (JSC::tryRepatchIn):
3319         (JSC::linkPolymorphicCall):
3320         * parser/Nodes.cpp:
3321         (JSC::ProgramNode::setClosedVariables):
3322         * parser/Parser.cpp:
3323         (JSC::Parser<LexerType>::parseInner):
3324         (JSC::Parser<LexerType>::parseFunctionInfo):
3325         * parser/Parser.h:
3326         (JSC::Parser::closedVariables):
3327         * parser/SourceProviderCache.cpp:
3328         (JSC::SourceProviderCache::add):
3329         * profiler/ProfileNode.h:
3330         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
3331         * replay/EncodedValue.cpp:
3332         (JSC::EncodedValue::get<EncodedValue>):
3333         * replay/scripts/CodeGeneratorReplayInputs.py:
3334         (Generator.generate_member_move_expression):
3335         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
3336         (Test::HandleWheelEvent::HandleWheelEvent):
3337         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
3338         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
3339         (Test::MapInput::MapInput):
3340         (JSC::InputTraits<Test::MapInput>::decode):
3341         * runtime/ConsoleClient.cpp:
3342         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3343         (JSC::ConsoleClient::logWithLevel):
3344         (JSC::ConsoleClient::clear):
3345         (JSC::ConsoleClient::dir):
3346         (JSC::ConsoleClient::dirXML):
3347         (JSC::ConsoleClient::table):
3348         (JSC::ConsoleClient::trace):
3349         (JSC::ConsoleClient::assertCondition):
3350         (JSC::ConsoleClient::group):
3351         (JSC::ConsoleClient::groupCollapsed):
3352         (JSC::ConsoleClient::groupEnd):
3353         * runtime/JSNativeStdFunction.cpp:
3354         (JSC::JSNativeStdFunction::create):
3355         * runtime/JSString.h:
3356         (JSC::jsNontrivialString):
3357         * runtime/JSStringJoiner.cpp:
3358         (JSC::JSStringJoiner::join):
3359         * runtime/JSStringJoiner.h:
3360         (JSC::JSStringJoiner::append):
3361         * runtime/NativeStdFunctionCell.cpp:
3362         (JSC::NativeStdFunctionCell::create):
3363         (JSC::NativeStdFunctionCell::NativeStdFunctionCell):
3364         * runtime/ScopedArgumentsTable.cpp:
3365         (JSC::ScopedArgumentsTable::setLength):
3366         * runtime/StructureIDTable.cpp:
3367         (JSC::StructureIDTable::resize):
3368         * runtime/TypeSet.cpp:
3369         (JSC::StructureShape::inspectorRepresentation):
3370         * runtime/WeakGCMap.h:
3371         (JSC::WeakGCMap::set):
3372         * tools/CodeProfile.h:
3373         (JSC::CodeProfile::addChild):
3374         * yarr/YarrInterpreter.cpp:
3375         (JSC::Yarr::ByteCompiler::compile):
3376         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
3377         * yarr/YarrInterpreter.h:
3378         (JSC::Yarr::BytecodePattern::BytecodePattern):
3379         * yarr/YarrPattern.cpp:
3380         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
3381         (JSC::Yarr::YarrPatternConstructor::reset):
3382         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
3383         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
3384         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
3385         (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
3386         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
3387
3388 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
3389
3390         Unreviewed, fix copyright dates. It's super annoying when we forget to update these, and I
3391         just forgot to do so in the last commit. Also update the date of the last commit in the
3392         ChangeLog.
3393
3394         * b3/air/AirIteratedRegisterCoalescing.cpp:
3395         * b3/air/AirOpcode.opcodes:
3396         * b3/air/AirTmpWidth.cpp:
3397         * b3/air/AirTmpWidth.h:
3398         * ftl/FTLB3Output.cpp:
3399         * ftl/FTLB3Output.h:
3400
3401 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
3402
3403         FTL B3 should be able to run all of the old V8v7 tests
3404         https://bugs.webkit.org/show_bug.cgi?id=152579
3405
3406         Reviewed by Saam Barati.
3407
3408         Fixes some silly bugs that were preventing us from running all of the old V8v7 tests.
3409
3410         IRC's analysis of when to turn a Move into a Move32 when spilling is based on the premise
3411         that if the dst has a 32-bit def width, then the src must also have a 32-bit def width. But
3412         that doesn't happen if the src is an immediate.
3413
3414         This changes that condition in IRC to use the combined use/def width of both src and dst
3415         rather than being clever. This is great because it's the combined width that determines the
3416         size of the spill slot.
3417
3418         Also added some more debug support to TmpWidth.
3419
3420         This also fixes Air's description of DivDouble; previously it claimed to be a 32-bit
3421         operation. Also implements Output::unsignedToDouble(), since we already had everything we
3422         needed to implement this optimally.
3423
3424         * b3/air/AirIteratedRegisterCoalescing.cpp:
3425         * b3/air/AirOpcode.opcodes:
3426         * b3/air/AirTmpWidth.cpp:
3427         (JSC::B3::Air::TmpWidth::recompute):
3428         (JSC::B3::Air::TmpWidth::Widths::dump):
3429         * b3/air/AirTmpWidth.h:
3430         (JSC::B3::Air::TmpWidth::Widths::Widths):
3431         * ftl/FTLB3Output.cpp:
3432         (JSC::FTL::Output::doubleToUInt):
3433         (JSC::FTL::Output::unsignedToDouble):
3434         * ftl/FTLB3Output.h:
3435         (JSC::FTL::Output::zeroExt):
3436         (JSC::FTL::Output::zeroExtPtr):
3437         (JSC::FTL::Output::intToDouble):
3438         (JSC::FTL::Output::castToInt32):
3439         (JSC::FTL::Output::unsignedToDouble): Deleted.
3440
3441 2016-01-01  Jeff Miller  <jeffm@apple.com>
3442
3443         Update user-visible copyright strings to include 2016
3444         https://bugs.webkit.org/show_bug.cgi?id=152531
3445
3446         Reviewed by Alexey Proskuryakov.
3447
3448         * Info.plist:
3449
3450 2015-12-31  Andy Estes  <aestes@apple.com>
3451
3452         Fix warnings uncovered by migrating to WTF_MOVE
3453         https://bugs.webkit.org/show_bug.cgi?id=152601
3454
3455         Reviewed by Daniel Bates.
3456
3457         * create_regex_tables: Moving a return value prevented copy elision.
3458         * ftl/FTLUnwindInfo.cpp:
3459         (JSC::FTL::parseUnwindInfo): Ditto.
3460         * replay/EncodedValue.h: Ditto.
3461
3462 2015-12-30  Aleksandr Skachkov  <gskachkov@gmail.com>
3463
3464         [ES6] Arrow function syntax. Arrow function specific features. Lexical bind "super"
3465         https://bugs.webkit.org/show_bug.cgi?id=149615
3466
3467         Reviewed by Saam Barati.
3468
3469         Implemented lexical binding of the "super" property for arrow functions. The 'super' property can be
3470         accessed inside an arrow function if the arrow function is nested in a constructor, method,
3471         getter or setter of a class. In the current patch, using 'super' in an arrow function declared outside of
3472         a class leads to the wrong type of error; it should be a SyntaxError (https://bugs.webkit.org/show_bug.cgi?id=150893)
3473         and this will be fixed in a separate patch.
3474
3475         * builtins/BuiltinExecutables.cpp:
3476         (JSC::createExecutableInternal):
3477         * bytecode/EvalCodeCache.h:
3478         (JSC::EvalCodeCache::getSlow):
3479         * bytecode/ExecutableInfo.h:
3480         (JSC::ExecutableInfo::ExecutableInfo):
3481         (JSC::ExecutableInfo::derivedContextType):
3482         (JSC::ExecutableInfo::isClassContext):
3483         * bytecode/UnlinkedCodeBlock.cpp:
3484         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3485         * bytecode/UnlinkedCodeBlock.h:
3486         (JSC::UnlinkedCodeBlock::derivedContextType):
3487         (JSC::UnlinkedCodeBlock::isClassContext):
3488         * bytecode/UnlinkedFunctionExecutable.cpp:
3489         (JSC::generateUnlinkedFunctionCodeBlock):
3490         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3491         * bytecode/UnlinkedFunctionExecutable.h:
3492         * bytecompiler/BytecodeGenerator.cpp:
3493         (JSC::BytecodeGenerator::BytecodeGenerator):
3494         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
3495         * bytecompiler/BytecodeGenerator.h:
3496         (JSC::BytecodeGenerator::derivedContextType):
3497         (JSC::BytecodeGenerator::isDerivedConstructorContext):
3498         (JSC::BytecodeGenerator::isDerivedClassContext):
3499         (JSC::BytecodeGenerator::isArrowFunction):
3500         (JSC::BytecodeGenerator::makeFunction):
3501         * bytecompiler/NodesCodegen.cpp:
3502         (JSC::emitHomeObjectForCallee):
3503         (JSC::FunctionCallValueNode::emitBytecode):
3504         * debugger/DebuggerCallFrame.cpp:
3505         (JSC::DebuggerCallFrame::evaluate):
3506         * interpreter/Interpreter.cpp:
3507         (JSC::eval):
3508         * runtime/CodeCache.cpp:
3509         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3510         * runtime/Executable.cpp:
3511         (JSC::ScriptExecutable::ScriptExecutable):
3512         (JSC::EvalExecutable::create):
3513         (JSC::EvalExecutable::EvalExecutable):
3514         (JSC::ProgramExecutable::ProgramExecutable):
3515         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
3516         (JSC::FunctionExecutable::FunctionExecutable):
3517         * runtime/Executable.h:
3518         (JSC::ScriptExecutable::derivedContextType):
3519         * runtime/JSGlobalObjectFunctions.cpp:
3520         (JSC::globalFuncEval):
3521         * tests/es6.yaml:
3522         * tests/stress/arrowfunction-lexical-bind-superproperty.js: Added.
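
        Added example (not WebKit's test file): it exercises the behaviour this entry describes, `super` inside an arrow function resolving lexically to the enclosing constructor, method, getter or static method, including an arrow created in the constructor and called later from outside the class, plus the spec-required SyntaxError for `super` in an arrow outside any class (the entry notes JSC did not yet produce that error type). Class names and return strings are constructed for the example.

```javascript
// Added example, not the WebKit test file: `super` inside an arrow function
// binds lexically to the enclosing class member, and stays bound even when
// the arrow escapes the class and is called with no receiver.

class Base {
  constructor() { this.tag = 'base'; }
  describe() { return 'Base.describe'; }
  get kind() { return 'base-kind'; }
  static create() { return 'Base.create'; }
}

class Derived extends Base {
  constructor() {
    super();
    // Arrow created in the constructor: `super` is Base.prototype and
    // `this` is the instance under construction, for the arrow's lifetime.
    this.fromCtor = () => super.describe() + ' via ctor arrow of ' + this.tag;
  }
  describe() {
    const arrow = () => super.describe();
    return 'Derived.describe -> ' + arrow();
  }
  get kind() {
    // Arrows nested two deep still see the getter's `super`.
    const nested = () => () => super.kind;
    return 'derived(' + nested()() + ')';
  }
  static create() {
    // In a static method, `super` is the parent constructor (Base).
    const arrow = () => super.create();
    return 'Derived.create -> ' + arrow();
  }
}

function runLexicalSuperChecks() {
  const d = new Derived();
  const detached = d.fromCtor;   // called below without a receiver
  return {
    method: d.describe(),
    getter: d.kind,
    staticMethod: Derived.create(),
    ctorArrow: detached(),
  };
}

function superOutsideClassIsSyntaxError() {
  try {
    // Indirect eval: the arrow is not lexically inside any class member,
    // so a compliant engine must reject it at parse time.
    (0, eval)('(() => super.describe)');
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```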
3523
3524 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3525
3526         Unreviewed, relax limitation in operationCreateThis
3527         https://bugs.webkit.org/show_bug.cgi?id=152383
3528
3529         Unreviewed. operationCreateThis can now be called with a non-constructible function.
3530
3531         * dfg/DFGOperations.cpp:
3532
3533 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3534
3535         [ES6][ES7] Drop Constructability of generator function
3536         https://bugs.webkit.org/show_bug.cgi?id=152383
3537
3538         Reviewed by Saam Barati.
3539
3540         We drop the constructability of generator functions.
3541         This functionality has already landed in the ES 2016 draft[1].
3542         This also simplifies JSC's existing generator implementation by
3543         dropping the GeneratorThisMode flag.
3544
3545         [1]: https://github.com/tc39/ecma262/releases/tag/es2016-draft-20151201
3546
3547         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3548         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3549         * JavaScriptCore.xcodeproj/project.pbxproj:
3550         * builtins/BuiltinExecutables.cpp:
3551         (JSC::createExecutableInternal):
3552         * bytecode/ExecutableInfo.h:
3553         (JSC::ExecutableInfo::ExecutableInfo):
3554         (JSC::ExecutableInfo::generatorThisMode): Deleted.
3555         * bytecode/UnlinkedCodeBlock.cpp:
3556         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
3557         * bytecode/UnlinkedCodeBlock.h:
3558         (JSC::UnlinkedCodeBlock::generatorThisMode): Deleted.
3559         * bytecode/UnlinkedFunctionExecutable.cpp:
3560         (JSC::generateUnlinkedFunctionCodeBlock):
3561         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3562         * bytecode/UnlinkedFunctionExecutable.h:
3563         * bytecompiler/BytecodeGenerator.cpp:
3564         (JSC::BytecodeGenerator::BytecodeGenerator): Deleted.
3565         * bytecompiler/BytecodeGenerator.h:
3566         (JSC::BytecodeGenerator::makeFunction):
3567         (JSC::BytecodeGenerator::generatorThisMode): Deleted.
3568         * bytecompiler/NodesCodegen.cpp:
3569         (JSC::ThisNode::emitBytecode):
3570         * interpreter/Interpreter.cpp:
3571         (JSC::eval): Deleted.
3572         * runtime/CodeCache.cpp:
3573         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3574         * runtime/Executable.h:
3575         * runtime/GeneratorThisMode.h: Removed.
3576         * tests/stress/generator-eval-this.js:
3577         (shouldThrow):
3578         * tests/stress/generator-is-not-constructible.js: Added.
3579         (shouldThrow):
3580         (A.staticGen):
3581         (A.prototype.gen):
3582         (A):
3583         (TypeError):
3584         * tests/stress/generator-this.js:
3585         (shouldBe.g.next):
3586         * tests/stress/generator-with-new-target.js:
3587         (shouldThrow):
3588
3589 2015-12-27  Filip Pizlo  <fpizlo@apple.com>
3590
3591         FTL B3 should know that used registers are not the same thing as used registers. Rename the
3592         latter to unavailable registers to avoid future confusion.
3593         https://bugs.webkit.org/show_bug.cgi?id=152572
3594
3595         Reviewed by Saam Barati.
3596
3597         Prior to this change, we used the term "used registers" in two different senses:
3598
3599         - The set of registers that are live at some point in the current compilation unit. A
3600           register is live at some point if it is read after that point on some path through that
3601           point.
3602
3603         - The set of registers that are not available for scratch register use at some point. A
3604           register may not be available if it is live or if it is a callee-save register but it is
3605           not being saved by the current compilation.
3606
3607         In the old FTL LLVM code, we had some translations from the first sense into the second
3608         sense. We forgot to do those in FTL B3, and so we get crashes, for example in V8/splay. That
3609         benchmark highlighted this issue because it fired some lazy slow paths, and then used an
3610         unsaved callee-save for scratch.
3611  
3612         Curiously, we could merge these two definitions by observing that, in some sense, an unsaved
3613         callee save is live at every point in a compilation in the sense that it may contain a value
3614         that will be read when the compilation returns. That's pretty cool, but it feels strange to
3615         me. This isn't how we would normally define liveness of registers. It's not how the
3616         Air::TmpLiveness analysis would do it for any of its other clients.
3617
3618         So, this changes B3 to have two different concepts:
3619
3620         - Used registers. These are the registers that are live.
3621
3622         - Unavailable registers. These are the registers that are not available for scratch. It's
3623           always a superset of used registers.
3624
3625         This also changes FTLLower to use unavailableRegisters() pretty much everywhere that it
3626         previously used usedRegisters().
3627
3628         This makes it possible to run V8/splay.
3629
3630         * b3/B3StackmapGenerationParams.cpp:
3631         (JSC::B3::StackmapGenerationParams::usedRegisters):
3632         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
3633         (JSC::B3::StackmapGenerationParams::proc):
3634         * b3/B3StackmapGenerationParams.h:
3635         * ftl/FTLLowerDFGToLLVM.cpp:
3636         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
3637         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
3638         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3639
3640 2015-12-25  Andy Estes  <aestes@apple.com>
3641
3642         Stop moving local objects in return statements
3643         https://bugs.webkit.org/show_bug.cgi?id=152557
3644
3645         Reviewed by Brady Eidson.
3646
3647         Calling std::move() on a local object in a return statement prevents the compiler from applying the return value optimization.
3648
3649         Clang can warn about these mistakes with -Wpessimizing-move, although only when std::move() is called directly.
3650         I found these issues by temporarily replacing WTF::move with std::move and recompiling.
3651
3652         * inspector/ScriptCallStack.cpp:
3653         (Inspector::ScriptCallStack::buildInspectorArray):
3654         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3655         (Inspector::buildInspectorObject):
3656         * jit/CallFrameShuffler.h:
3657         (JSC::CallFrameShuffler::snapshot):
3658         * runtime/TypeSet.cpp:
3659         (JSC::TypeSet::allStructureRepresentations):
3660         (JSC::StructureShape::inspectorRepresentation):
3661
3662 2015-12-26  Mark Lam  <mark.lam@apple.com>
3663
3664         Rename NodeMayOverflowInXXX to NodeMayOverflowInt32InXXX.
3665         https://bugs.webkit.org/show_bug.cgi?id=152555
3666
3667         Reviewed by Alex Christensen.
3668
3669         That's because the NodeMayOverflowInBaseline and NodeMayOverflowInDFG flags only
3670         indicate potential overflowing of Int32 values.  We'll be adding overflow
3671         profiling for Int52 values later, and we should disambiguate between the 2 types.
3672
3673         This is purely a renaming patch.  There are no semantic changes.
3674
3675         * dfg/DFGByteCodeParser.cpp:
3676         (JSC::DFG::ByteCodeParser::makeSafe):
3677         (JSC::DFG::ByteCodeParser::makeDivSafe):
3678         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3679         * dfg/DFGNodeFlags.cpp:
3680         (JSC::DFG::dumpNodeFlags):
3681         * dfg/DFGNodeFlags.h:
3682         (JSC::DFG::nodeMayOverflowInt32):
3683         (JSC::DFG::nodeCanSpeculateInt32):
3684         (JSC::DFG::nodeMayOverflow): Deleted.
3685
3686 2015-12-23  Andreas Kling  <akling@apple.com>
3687
3688         jsc CLI tool crashes on EOF.
3689         <https://webkit.org/b/152522>
3690
3691         Reviewed by Benjamin Poulain.
3692
3693         SourceProvider should treat String() like the empty string for hashing purposes.
3694         This was a subtle behavior change in r194017 due to how zero-length strings are
3695         treated by StringImpl::createSubstringSharingImpl().
3696
3697         I made these SourceProviders store a Ref<StringImpl> internally instead of a
3698         String, to codify the fact that these strings can't be null strings.
3699
3700         I couldn't find a way to cause this crash through the API.
3701
3702         * API/JSScriptRef.cpp:
3703         (OpaqueJSScript::OpaqueJSScript):
3704         * parser/SourceProvider.h:
3705         (JSC::StringSourceProvider::StringSourceProvider):
3706
3707 2015-12-23  Filip Pizlo  <fpizlo@apple.com>
3708
3709         FTL B3 should be able to run crypto-sha1 in eager mode
3710         https://bugs.webkit.org/show_bug.cgi?id=152539
3711
3712         Reviewed by Saam Barati.
3713
3714         This patch contains one real bug fix and some other fixes that are primarily there for sanity
3715         because I don't believe they are symptomatic.
3716
3717         The real fix is the instruction selector's handling of Phi. It was assuming that the correct
3718         lowering of Phi is to do nothing and the correct lowering of Upsilon is to store into the tmp
3719         that the Phi uses. But this fails for code patterns like:
3720
3721             @a = Phi()
3722             Upsilon(@x, ^a)
3723             use(@a) // this should see the value that @a had at the point that "@a = Phi()" executed.
3724
3725         This arises when we have a lot of Upsilons in a row and they are trying to perform a
3726         shuffling. Prior to this change, "use(@a)" would see the new value of @a, i.e. @x. That's
3727         wrong. So, this changes the lowering to make each Phi have a special shadow Tmp, and Upsilon
3728         stores to it while Phi loads from it. Most of these assignments get copy-propagated by IRC,
3729         so it doesn't really hurt us. I couldn't find any benchmarks that slowed down because of
3730         this. In fact, I believe that the only time that this would lead to extra interference or
3731         extra assignments is when it's actually needed to be correct.
3732
3733         This also contains other fixes, which are probably not for real bugs, but they make me feel
3734         all warm and fuzzy:
3735
3736         - spillEverything() works again.  Previously, it didn't have all of IRC's smarts for handling
3737           a spill of a ZDef.  I fixed this by creating a helper phase that finds all subwidth ZDefs
3738           to spill slots and amends them with zero-fills of the top bits.
3739
3740         - IRC no longer requires precise TmpWidth analysis.  Previously, if TmpWidth gave pessimistic
3741           results, the subwidth ZDef bug would return.  That probably means that it was never fixed
3742           to begin with, since it's totally cool for just a single def or use of a tmp to cause it
3743           to become pessimistic. But there may still have been some subwidth ZDefs.  The way that I
3744           fixed this bug is to have IRC also run the ZDef fixup code that spillEverything() uses.
3745           This is abstracted behind the beautifully named Air::fixSpillSlotZDef().
3746
3747         - B3::validate() does dominance checks!  So, if you shoot yourself in the foot by using
3748           something before defining it, validate() will tell you.
3749
3750         - Air::TmpWidth is now easy to "turn off" - i.e. to make it go fully conservative. It's not
3751           an Option; you have to hack code. But that's better than nothing, and it's consistent with
3752           what we do for other super-internal compiler options that we use rarely.
3753
3754         - You can now run spillEverything() without hacking code.  Just use
3755           Options::airSpillSeverything().
3756
3757         * JavaScriptCore.xcodeproj/project.pbxproj:
3758         * b3/B3LowerToAir.cpp:
3759         (JSC::B3::Air::LowerToAir::LowerToAir):
3760         (JSC::B3::Air::LowerToAir::run):
3761         (JSC::B3::Air::LowerToAir::lower):
3762         * b3/B3Validate.cpp:
3763         * b3/air/AirCode.h:
3764         (JSC::B3::Air::Code::specials):
3765         (JSC::B3::Air::Code::forAllTmps):
3766         (JSC::B3::Air::Code::isFastTmp):
3767         * b3/air/AirFixSpillSlotZDef.h: Added.
3768         (JSC::B3::Air::fixSpillSlotZDef):
3769         * b3/air/AirGenerate.cpp:
3770         (JSC::B3::Air::prepareForGeneration):
3771         * b3/air/AirIteratedRegisterCoalescing.cpp:
3772         * b3/air/AirSpillEverything.cpp:
3773         (JSC::B3::Air::spillEverything):
3774         * b3/air/AirTmpWidth.cpp:
3775         (JSC::B3::Air::TmpWidth::recompute):
3776         * jit/JITOperations.cpp:
3777         * runtime/Options.h:
3778
3779 2015-12-23  Filip Pizlo  <fpizlo@apple.com>
3780
3781         Need a story for platform-specific Args
3782         https://bugs.webkit.org/show_bug.cgi?id=152529
3783
3784         Reviewed by Michael Saboff.
3785
3786         This teaches Arg that some Arg forms are not valid on some targets. The instruction selector now
3787         uses this to avoid immediates and addresses that the target wouldn't like.
3788
3789         This shouldn't change code generation on X86, but is meant as a step towards ARM64 support.
3790
3791         * b3/B3LowerToAir.cpp:
3792         (JSC::B3::Air::LowerToAir::crossesInterference):
3793         (JSC::B3::Air::LowerToAir::effectiveAddr):
3794         (JSC::B3::Air::LowerToAir::addr):
3795         (JSC::B3::Air::LowerToAir::loadPromise):
3796         (JSC::B3::Air::LowerToAir::imm):
3797         (JSC::B3::Air::LowerToAir::lower):
3798         * b3/air/AirAllocateStack.cpp:
3799         (JSC::B3::Air::allocateStack):
3800         * b3/air/AirArg.h:
3801         (JSC::B3::Air::Arg::Arg):
3802         (JSC::B3::Air::Arg::imm):
3803         (JSC::B3::Air::Arg::imm64):
3804         (JSC::B3::Air::Arg::callArg):
3805         (JSC::B3::Air::Arg::isValidScale):
3806         (JSC::B3::Air::Arg::tmpIndex):
3807         (JSC::B3::Air::Arg::withOffset):
3808         (JSC::B3::Air::Arg::isValidImmForm):
3809         (JSC::B3::Air::Arg::isValidAddrForm):
3810         (JSC::B3::Air::Arg::isValidIndexForm):
3811         (JSC::B3::Air::Arg::isValidForm):
3812         (JSC::B3::Air::Arg::forEachTmpFast):
3813         * b3/air/opcode_generator.rb:
3814
3815 2015-12-23  Keith Miller  <keith_miller@apple.com>
3816
3817         [JSC] Bugfix for intrinsic getters with dictionary structures.
3818         https://bugs.webkit.org/show_bug.cgi?id=152538
3819
3820         Reviewed by Mark Lam.
3821
3822         Intrinsic getters did not check if an object was a dictionary. This meant, if a property on
3823         the prototype chain of a dictionary was an intrinsic getter we would IC it. Later, if a
3824         property is added to the dictionary the IC would still return the result of the intrinsic.
3825         The fix is to no longer IC intrinsic getters if the base object is a dictionary.
3826
3827         * jit/Repatch.cpp:
3828         (JSC::tryCacheGetByID):
3829         * tests/stress/typedarray-length-dictionary.js: Added.
3830         (len):
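
        Added example (not WebKit's typedarray-length-dictionary.js): it reproduces the scenario the entry describes. A typed array's `length` is an intrinsic getter reached through its prototype chain; the base object is pushed into a dictionary-like representation, the getter is read in a hot loop so any inline cache for it is populated, and then an own `length` is added, which must shadow the intrinsic. The property names and counts are constructed for the example.

```javascript
// Added example, not WebKit's test: an intrinsic getter read through a
// dictionary-like base object must not be cached, so a property added to
// the base afterwards is observed by the already-hot call site.

function len(o) {
  return o.length;   // the call site whose inline cache the fix guards
}

function makeDictionaryLike(obj) {
  // Many property adds followed by deletes is the usual way to make an
  // engine abandon a shared structure for a per-object dictionary.
  for (let i = 0; i < 100; i++) obj['prop' + i] = i;
  for (let i = 0; i < 100; i++) delete obj['prop' + i];
  return obj;
}

function runIntrinsicGetterScenario(iterations = 10000) {
  const ta = makeDictionaryLike(new Uint8Array(16));

  // Warm the call site: every read hits the %TypedArray%.prototype.length
  // intrinsic getter through the prototype chain.
  let sum = 0;
  for (let i = 0; i < iterations; i++) sum += len(ta);

  // Add a property to the dictionary. 'length' is not an integer index, so
  // an own data property is allowed on a typed array and shadows the getter.
  // With the bug described in the entry, the cached intrinsic still answered.
  Object.defineProperty(ta, 'length', {
    value: 3, writable: true, configurable: true,
  });
  const after = len(ta);

  return { before: sum / iterations, after, shadowed: after === 3 };
}
```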
3831
3832 2015-12-23  Andy VanWagoner  <andy@instructure.com>
3833
3834         [INTL] Implement DateTime Format Functions
3835         https://bugs.webkit.org/show_bug.cgi?id=147606
3836
3837         Reviewed by Benjamin Poulain.
3838
3839         Initialize a UDateFormat from the generated pattern. Use udat_format()
3840         to format the value. Make sure that the UDateFormat is cleaned up when
3841         the DateTimeFormat is deconstructed.
3842
3843         * runtime/IntlDateTimeFormat.cpp:
3844         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat):
3845         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3846         (JSC::IntlDateTimeFormat::format):
3847         * runtime/IntlDateTimeFormat.h:
3848
3849 2015-12-23  Andy VanWagoner  <thetalecrafter@gmail.com>
3850
3851         [INTL] Implement String.prototype.localeCompare in ECMA-402
3852         https://bugs.webkit.org/show_bug.cgi?id=147607
3853
3854         Reviewed by Benjamin Poulain.
3855
3856         Add localeCompare in builtin JavaScript that delegates comparing to Intl.Collator.
3857         Keep existing native implementation for use if INTL flag is disabled.
3858         For the common case where no locale or options are specified, avoid creating
3859         a new collator and just use the prototype which is initialized with the defaults.
3860
3861         * CMakeLists.txt:
3862         * DerivedSources.make:
3863         * JavaScriptCore.xcodeproj/project.pbxproj:
3864         * builtins/StringPrototype.js: Added.
3865         (localeCompare):
3866         * runtime/StringPrototype.cpp:
3867         (JSC::StringPrototype::finishCreation):
3868
3869 2015-12-23  Benjamin Poulain  <benjamin@webkit.org>
3870
3871         Fix x86_64 after r194388
3872
3873         * b3/B3LowerToAir.cpp:
3874         (JSC::B3::Air::LowerToAir::appendShift):
3875         (JSC::B3::Air::LowerToAir::lower):
3876         (JSC::B3::Air::LowerToAir::lowerX86Div):
3877
3878 2015-12-23  Benjamin Poulain  <bpoulain@apple.com>
3879
3880         [JSC] Get the JavaScriptCore framework to build on ARM64 with B3 enabled
3881         https://bugs.webkit.org/show_bug.cgi?id=152503
3882
3883         Reviewed by Filip Pizlo.
3884
3885         It is not working but it builds.
3886
3887         * assembler/ARM64Assembler.h:
3888         (JSC::ARM64Assembler::vand):
3889         (JSC::ARM64Assembler::vectorDataProcessing2Source):
3890         * assembler/MacroAssemblerARM64.h:
3891         (JSC::MacroAssemblerARM64::add32):
3892         (JSC::MacroAssemblerARM64::add64):
3893         (JSC::MacroAssemblerARM64::countLeadingZeros64):
3894         (JSC::MacroAssemblerARM64::not32):
3895         (JSC::MacroAssemblerARM64::not64):
3896         (JSC::MacroAssemblerARM64::zeroExtend16To32):
3897         (JSC::MacroAssemblerARM64::signExtend16To32):
3898         (JSC::MacroAssemblerARM64::zeroExtend8To32):
3899         (JSC::MacroAssemblerARM64::signExtend8To32):
3900         (JSC::MacroAssemblerARM64::addFloat):
3901         (JSC::MacroAssemblerARM64::ceilFloat):
3902         (JSC::MacroAssemblerARM64::branchDouble):
3903         (JSC::MacroAssemblerARM64::branchFloat):
3904         (JSC::MacroAssemblerARM64::divFloat):
3905         (JSC::MacroAssemblerARM64::moveZeroToDouble):
3906         (JSC::MacroAssemblerARM64::moveFloatTo32):
3907         (JSC::MacroAssemblerARM64::move32ToFloat):
3908         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
3909         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
3910         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
3911         (JSC::MacroAssemblerARM64::mulFloat):
3912         (JSC::MacroAssemblerARM64::andDouble):
3913         (JSC::MacroAssemblerARM64::andFloat):
3914         (JSC::MacroAssemblerARM64::sqrtFloat):
3915         (JSC::MacroAssemblerARM64::subFloat):
3916         (JSC::MacroAssemblerARM64::signExtend32ToPtr):
3917         (JSC::MacroAssemblerARM64::moveConditionally32):
3918         (JSC::MacroAssemblerARM64::moveConditionally64):
3919         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
3920         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
3921         (JSC::MacroAssemblerARM64::test32):
3922         (JSC::MacroAssemblerARM64::setCarry):
3923         (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare):
3924         * assembler/MacroAssemblerX86.h:
3925         (JSC::MacroAssemblerX86::moveDoubleToInts):
3926         (JSC::MacroAssemblerX86::moveIntsToDouble):
3927         * assembler/MacroAssemblerX86Common.h:
3928         (JSC::MacroAssemblerX86Common::move32ToFloat):
3929         (JSC::MacroAssemblerX86Common::moveFloatTo32):
3930         (JSC::MacroAssemblerX86Common::moveInt32ToPacked): Deleted.
3931         (JSC::MacroAssemblerX86Common::movePackedToInt32): Deleted.
3932         * b3/B3LowerToAir.cpp:
3933         (JSC::B3::Air::LowerToAir::appendShift):
3934         (JSC::B3::Air::LowerToAir::lower):
3935         * b3/air/AirInstInlines.h:
3936         (JSC::B3::Air::isX86DivHelperValid):
3937         * b3/air/AirOpcode.opcodes:
3938         * jit/AssemblyHelpers.h:
3939         (JSC::AssemblyHelpers::emitFunctionEpilogueWithEmptyFrame):
3940         (JSC::AssemblyHelpers::emitFunctionEpilogue):
3941         * jit/FPRInfo.h:
3942         (JSC::FPRInfo::toArgumentRegister):
3943
3944 2015-12-23  Andy VanWagoner  <andy@instructure.com>
3945
3946         [INTL] Implement Intl.DateTimeFormat.prototype.resolvedOptions ()
3947         https://bugs.webkit.org/show_bug.cgi?id=147603
3948
3949         Reviewed by Benjamin Poulain.
3950
3951         Implements InitializeDateTimeFormat and related abstract operations
3952         using ICU. Lazy initialization is used for DateTimeFormat.prototype.
3953         Refactor to align with Collator work.
3954