[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-10-30  Keith Miller  <keith_miller@apple.com>
2
3         Fix endless OSR exits when creating a rope that contains an object that ToPrimitive's to a number.
4         https://bugs.webkit.org/show_bug.cgi?id=150583
5
6         Reviewed by Benjamin Poulain.
7
8         Before we assumed that the result of ToPrimitive on any object was a string.
9         This had a couple of negative effects. First, the result of ToPrimitive on an
10         object can be overridden to be any primitive type. In fact, as of ES6, ToPrimitive,
11         when part of an addition expression, will type hint a number value. Second, even after
12         repeatedly exiting with a bad type we would continue to think that the result
13         of ToPrimitive would be a string so we continue to convert StrCats into MakeRope.
14
15         The fix is to make Prediction Propagation match the behavior of Fixup and move
16         canOptimizeStringObjectAccess to DFGGraph.
17
18         * bytecode/SpeculatedType.h:
19         * dfg/DFGFixupPhase.cpp:
20         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
21         (JSC::DFG::FixupPhase::fixupToPrimitive):
22         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
23         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
24         (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): Deleted.
25         (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): Deleted.
26         * dfg/DFGGraph.cpp:
27         (JSC::DFG::Graph::isStringPrototypeMethodSane):
28         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
29         * dfg/DFGGraph.h:
30         * dfg/DFGPredictionPropagationPhase.cpp:
31         (JSC::DFG::PredictionPropagationPhase::resultOfToPrimitive):
32         (JSC::DFG::resultOfToPrimitive): Deleted.
49         * tests/stress/string-rope-with-custom-valueof.js: Added.
50         (catNumber):
51         (number.valueOf):
52         (catBool):
53         (bool.valueOf):
54         (catUndefined):
55         (undef.valueOf):
56         (catRandom):
57         (random.valueOf):
58
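
The behaviour described in the 2015-10-30 entry above, as an added JavaScript example that is not part of the WebKit ChangeLog or its test suite: an object's valueOf decides what primitive a string concatenation sees, and the result must stay correct after the concatenation site has run hot, including when the primitive's type changes between iterations. The helper names (makeOperand, concat, expectedConcat, countMismatches, hookOrder) and all sample values are constructed for illustration.

```javascript
"use strict";

// Builds a constructed operand whose valueOf result is supplied by `next()`.
// `calls` records which conversion hooks the engine invoked, in order.
function makeOperand(next) {
    const calls = [];
    return {
        calls,
        valueOf() { calls.push("valueOf"); return next(); },
        toString() { calls.push("toString"); return "from-toString"; },
    };
}

// One hot concatenation site: the shape an optimizing tier may compile as a
// string rope if it predicts that the object converts to a string.
function concat(prefix, operand, suffix) {
    return prefix + operand + suffix;
}

// What the language requires for the operand above: in an addition, valueOf
// is tried first and toString is used only if valueOf returns an object.
function expectedConcat(prefix, primitive, suffix) {
    const isObject = typeof primitive === "object" && primitive !== null;
    const converted = isObject ? "from-toString" : String(primitive);
    return prefix + converted + suffix;
}

// Runs the site `iterations` times, cycling valueOf through `values`, and
// returns how many results differed from the required value.
function countMismatches(values, iterations) {
    let current;
    const operand = makeOperand(() => current);
    let mismatches = 0;
    for (let i = 0; i < iterations; i++) {
        current = values[i % values.length];
        if (concat("a", operand, "b") !== expectedConcat("a", current, "b"))
            mismatches++;
    }
    return mismatches;
}

// Returns the hooks invoked for a single concatenation with the given valueOf result.
function hookOrder(valueOfResult) {
    const operand = makeOperand(() => valueOfResult);
    concat("a", operand, "b");
    return operand.calls.slice(0, 2).join(",");
}

// Constructed scenarios: stable non-string results, then a result whose type
// changes on every iteration so no single type prediction can hold.
const SCENARIOS = {
    number: [42],
    boolean: [true],
    undefined: [undefined],
    changing: [1, "s", true, undefined, null, 2.5, {}],
};

function runAll(iterations) {
    const report = {};
    for (const name of Object.keys(SCENARIOS))
        report[name] = countMismatches(SCENARIOS[name], iterations);
    return report;
}

console.log(runAll(100000));
```
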
59 2015-11-04  Xabier Rodriguez Calvar  <calvaris@igalia.com>
60
61         Remove bogus global internal functions for properties and prototype retrieval
62         https://bugs.webkit.org/show_bug.cgi?id=150892
63
64         Reviewed by Darin Adler.
65
66         Global @getOwnPropertyNames and @getPrototypeOf point to the floor function, so it is bogus dead code.
67
68         * runtime/JSGlobalObject.cpp:
69         (JSC::JSGlobalObject::init): Removed global @getOwnPropertyNames and @getPrototypeOf.
70
71 2015-11-03  Benjamin Poulain  <bpoulain@apple.com>
72
73         [JSC] Add B3-to-Air lowering for BitXor
74         https://bugs.webkit.org/show_bug.cgi?id=150872
75
76         Reviewed by Filip Pizlo.
77
78         * assembler/MacroAssemblerX86Common.h:
79         (JSC::MacroAssemblerX86Common::xor32):
80         Fix the indentation.
81
82         * b3/B3Const32Value.cpp:
83         (JSC::B3::Const32Value::bitXorConstant):
84         * b3/B3Const32Value.h:
85         * b3/B3Const64Value.cpp:
86         (JSC::B3::Const64Value::bitXorConstant):
87         * b3/B3Const64Value.h:
88         * b3/B3LowerToAir.cpp:
89         (JSC::B3::Air::LowerToAir::tryXor):
90         * b3/B3LoweringMatcher.patterns:
91         * b3/B3ReduceStrength.cpp:
92         * b3/B3Value.cpp:
93         (JSC::B3::Value::bitXorConstant):
94         * b3/B3Value.h:
95         * b3/air/AirOpcode.opcodes:
96         * b3/testb3.cpp:
97         (JSC::B3::testBitXorArgs):
98         (JSC::B3::testBitXorSameArg):
99         (JSC::B3::testBitXorImms):
100         (JSC::B3::testBitXorArgImm):
101         (JSC::B3::testBitXorImmArg):
102         (JSC::B3::testBitXorBitXorArgImmImm):
103         (JSC::B3::testBitXorImmBitXorArgImm):
104         (JSC::B3::testBitXorArgs32):
105         (JSC::B3::testBitXorSameArg32):
106         (JSC::B3::testBitXorImms32):
107         (JSC::B3::testBitXorArgImm32):
108         (JSC::B3::testBitXorImmArg32):
109         (JSC::B3::testBitXorBitXorArgImmImm32):
110         (JSC::B3::testBitXorImmBitXorArgImm32):
111         (JSC::B3::run):
112
113 2015-11-03  Mark Lam  <mark.lam@apple.com>
114
115         Add op_add tests to compare behavior of JIT generated code to the LLINT's.
116         https://bugs.webkit.org/show_bug.cgi?id=150864
117
118         Reviewed by Saam Barati.
119
120         * tests/stress/op_add.js: Added.
121         (o1.valueOf):
122         (generateScenarios):
123         (printScenarios):
124         (testCases.func):
125         (func):
126         (initializeTestCases):
127         (runTest):
128
129 2015-11-03  Mark Lam  <mark.lam@apple.com>
130
131         Rename DFG's compileAdd to compileArithAdd.
132         https://bugs.webkit.org/show_bug.cgi?id=150866
133
134         Reviewed by Benjamin Poulain.
135
136         The function is only supposed to generate code to do arithmetic addition on
137         numeric types.  Naming it compileArithAdd() is more accurate, and is consistent
138         with the name of the node it emits code for (i.e. ArithAdd) as well as other
139         compiler functions for analogous operations e.g. compileArithSub.
140
141         * dfg/DFGSpeculativeJIT.cpp:
142         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
143         (JSC::DFG::SpeculativeJIT::compileArithAdd):
144         (JSC::DFG::SpeculativeJIT::compileAdd): Deleted.
145         * dfg/DFGSpeculativeJIT.h:
146         * dfg/DFGSpeculativeJIT32_64.cpp:
147         (JSC::DFG::SpeculativeJIT::compile):
148         * dfg/DFGSpeculativeJIT64.cpp:
149         (JSC::DFG::SpeculativeJIT::compile):
150
151 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
152
153         Web Inspector: Remove duplication among ScriptDebugServer subclasses
154         https://bugs.webkit.org/show_bug.cgi?id=150860
155
156         Reviewed by Timothy Hatcher.
157
158         ScriptDebugServer expects a list of listeners to dispatch events to.
159         However each of its subclasses had their own implementation of the
160         list because of different handling when the first was added or when
161         the last was removed. Extract common code into ScriptDebugServer
162         which simplifies things.
163
164         Subclasses now only implement virtual methods "attachDebugger"
165         and "detachDebugger" which is the unique work done when the first
166         listener is added or last is removed.
167
168         * inspector/JSGlobalObjectScriptDebugServer.cpp:
169         (Inspector::JSGlobalObjectScriptDebugServer::attachDebugger):
170         (Inspector::JSGlobalObjectScriptDebugServer::detachDebugger):
171         (Inspector::JSGlobalObjectScriptDebugServer::addListener): Deleted.
172         (Inspector::JSGlobalObjectScriptDebugServer::removeListener): Deleted.
173         * inspector/JSGlobalObjectScriptDebugServer.h:
174         * inspector/ScriptDebugServer.cpp:
175         (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
176         (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
177         (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
178         (Inspector::ScriptDebugServer::sourceParsed):
179         (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
180         (Inspector::ScriptDebugServer::addListener):
181         (Inspector::ScriptDebugServer::removeListener):
182         * inspector/ScriptDebugServer.h:
183         * inspector/agents/InspectorDebuggerAgent.cpp:
184         (Inspector::InspectorDebuggerAgent::enable):
185         (Inspector::InspectorDebuggerAgent::disable):
186         * inspector/agents/InspectorDebuggerAgent.h:
187         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
188         (Inspector::JSGlobalObjectDebuggerAgent::startListeningScriptDebugServer): Deleted.
189         (Inspector::JSGlobalObjectDebuggerAgent::stopListeningScriptDebugServer): Deleted.
190         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
191
192         * inspector/ScriptDebugListener.h:
193         (Inspector::ScriptDebugListener::Script::Script):
194         Drive-by convert Script to a struct, it has public fields and is used as such.
195
196 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
197
198         B3::LowerToAir should recognize Neg (i.e. Sub($0, value))
199         https://bugs.webkit.org/show_bug.cgi?id=150759
200
201         Reviewed by Benjamin Poulain.
202
203         Adds various forms of Sub(0, value) and compiles them as Neg. Also fixes a bug in
204         StoreSubLoad. This bug was correctness-benign, so I couldn't add a test for it.
205
206         * b3/B3LowerToAir.cpp:
207         (JSC::B3::Air::LowerToAir::immOrTmp):
208         (JSC::B3::Air::LowerToAir::appendUnOp):
209         (JSC::B3::Air::LowerToAir::appendBinOp):
210         (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
211         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
212         (JSC::B3::Air::LowerToAir::trySub):
213         (JSC::B3::Air::LowerToAir::tryStoreSubLoad):
214         * b3/B3LoweringMatcher.patterns:
215         * b3/air/AirOpcode.opcodes:
216         * b3/testb3.cpp:
217         (JSC::B3::testAdd1Ptr):
218         (JSC::B3::testNeg32):
219         (JSC::B3::testNegPtr):
220         (JSC::B3::testStoreAddLoad):
221         (JSC::B3::testStoreAddAndLoad):
222         (JSC::B3::testStoreNegLoad32):
223         (JSC::B3::testStoreNegLoadPtr):
224         (JSC::B3::testAdd1Uncommuted):
225         (JSC::B3::run):
226
227 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
228
229         B3::Values that have effects should allow specification of custom HeapRanges
230         https://bugs.webkit.org/show_bug.cgi?id=150535
231
232         Reviewed by Benjamin Poulain.
233
234         Add an Effects field to calls and patchpoints. Add a HeapRange to MemoryValues.
235
236         In the process, I created a class for the CCall opcode, so that it has somewhere to put
237         the Effects field.
238
239         While doing this, I realized that we didn't have a good way of ensuring that an opcode
240         that requires a specific subclass was actually created with that subclass. So, I added
241         assertions for this.
242
243         * CMakeLists.txt:
244         * JavaScriptCore.xcodeproj/project.pbxproj:
245         * b3/B3ArgumentRegValue.h:
246         * b3/B3CCallValue.cpp: Added.
247         * b3/B3CCallValue.h: Added.
248         * b3/B3CheckValue.h:
249         * b3/B3Const32Value.h:
250         * b3/B3Const64Value.h:
251         * b3/B3ConstDoubleValue.h:
252         (JSC::B3::ConstDoubleValue::ConstDoubleValue):
253         * b3/B3ControlValue.h:
254         * b3/B3Effects.h:
255         (JSC::B3::Effects::forCall):
256         (JSC::B3::Effects::mustExecute):
257         * b3/B3MemoryValue.h:
258         * b3/B3PatchpointValue.h:
259         * b3/B3StackSlotValue.h:
260         * b3/B3UpsilonValue.h:
261         * b3/B3Value.cpp:
262         (JSC::B3::Value::effects):
263         (JSC::B3::Value::dumpMeta):
264         (JSC::B3::Value::checkOpcode):
265         (JSC::B3::Value::typeFor):
266         * b3/B3Value.h:
267
268 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
269
270         B3::Stackmap should be a superclass of B3::PatchpointValue and B3::CheckValue rather than being one of their members
271         https://bugs.webkit.org/show_bug.cgi?id=150831
272
273         Rubber stamped by Benjamin Poulain.
274
275         Previously, Stackmap was a value that PatchpointValue and CheckValue would hold as a field.
276         We'd have convenient ways of getting this field, like via Value::stackmap(). But this was a
277         bit ridiculous, since Stackmap is logically just a common supertype for PatchpointValue and
278         CheckValue. This patch makes this reality by replacing Stackmap with StackmapValue. This makes
279         the code a lot more reasonable.
280
281         I also needed to make dumping a bit more customizable, so I changed dumpMeta() to take a
282         CommaPrinter&. This gives subclasses better control over whether or not to emit a comma. Also
283         it's now possible for subclasses of Value to customize how children are printed. StackmapValue
284         uses this to print the children and their reps together like:
285
286             Int32 @2 = Patchpoint(@0:SomeRegister, @1:SomeRegister, generator = 0x1107ec010, clobbered = [], usedRegisters = [], ExitsSideways|ControlDependent|Writes:Top|Reads:Top)
287
288         This has no behavior change, it's just a big refactoring. You can see how much simpler this
289         makes things by looking at the testSimplePatchpoint() test.
290
291         * CMakeLists.txt:
292         * JavaScriptCore.xcodeproj/project.pbxproj:
293         * b3/B3ArgumentRegValue.cpp:
294         (JSC::B3::ArgumentRegValue::~ArgumentRegValue):
295         (JSC::B3::ArgumentRegValue::dumpMeta):
296         * b3/B3ArgumentRegValue.h:
297         * b3/B3CheckSpecial.cpp:
298         (JSC::B3::CheckSpecial::generate):
299         * b3/B3CheckValue.cpp:
300         (JSC::B3::CheckValue::~CheckValue):
301         (JSC::B3::CheckValue::CheckValue):
302         (JSC::B3::CheckValue::dumpMeta): Deleted.
303         * b3/B3CheckValue.h:
304         (JSC::B3::CheckValue::accepts):
305         * b3/B3Const32Value.cpp:
306         (JSC::B3::Const32Value::notEqualConstant):
307         (JSC::B3::Const32Value::dumpMeta):
308         * b3/B3Const32Value.h:
309         * b3/B3Const64Value.cpp:
310         (JSC::B3::Const64Value::notEqualConstant):
311         (JSC::B3::Const64Value::dumpMeta):
312         * b3/B3Const64Value.h:
313         * b3/B3ConstDoubleValue.cpp:
314         (JSC::B3::ConstDoubleValue::notEqualConstant):
315         (JSC::B3::ConstDoubleValue::dumpMeta):
316         * b3/B3ConstDoubleValue.h:
317         * b3/B3ConstrainedValue.cpp: Added.
318         (JSC::B3::ConstrainedValue::dump):
319         * b3/B3ConstrainedValue.h: Added.
320         (JSC::B3::ConstrainedValue::ConstrainedValue):
321         (JSC::B3::ConstrainedValue::operator bool):
322         (JSC::B3::ConstrainedValue::value):
323         (JSC::B3::ConstrainedValue::rep):
324         * b3/B3ControlValue.cpp:
325         (JSC::B3::ControlValue::convertToJump):
326         (JSC::B3::ControlValue::dumpMeta):
327         * b3/B3ControlValue.h:
328         * b3/B3LowerToAir.cpp:
329         (JSC::B3::Air::LowerToAir::tryPatchpoint):
330         * b3/B3MemoryValue.cpp:
331         (JSC::B3::MemoryValue::accessByteSize):
332         (JSC::B3::MemoryValue::dumpMeta):
333         * b3/B3MemoryValue.h:
334         * b3/B3PatchpointSpecial.cpp:
335         (JSC::B3::PatchpointSpecial::generate):
336         * b3/B3PatchpointValue.cpp:
337         (JSC::B3::PatchpointValue::~PatchpointValue):
338         (JSC::B3::PatchpointValue::PatchpointValue):
339         (JSC::B3::PatchpointValue::dumpMeta): Deleted.
340         * b3/B3PatchpointValue.h:
341         (JSC::B3::PatchpointValue::accepts):
342         * b3/B3StackSlotValue.cpp:
343         (JSC::B3::StackSlotValue::~StackSlotValue):
344         (JSC::B3::StackSlotValue::dumpMeta):
345         * b3/B3StackSlotValue.h:
346         * b3/B3Stackmap.cpp: Removed.
347         * b3/B3Stackmap.h: Removed.
348         * b3/B3StackmapSpecial.cpp:
349         (JSC::B3::StackmapSpecial::reportUsedRegisters):
350         (JSC::B3::StackmapSpecial::extraClobberedRegs):
351         (JSC::B3::StackmapSpecial::forEachArgImpl):
352         (JSC::B3::StackmapSpecial::isValidImpl):
353         (JSC::B3::StackmapSpecial::admitsStackImpl):
354         * b3/B3StackmapSpecial.h:
355         * b3/B3StackmapValue.cpp: Added.
356         (JSC::B3::StackmapValue::~StackmapValue):
357         (JSC::B3::StackmapValue::append):
358         (JSC::B3::StackmapValue::setConstrainedChild):
359         (JSC::B3::StackmapValue::setConstraint):
360         (JSC::B3::StackmapValue::dumpChildren):
361         (JSC::B3::StackmapValue::dumpMeta):
362         (JSC::B3::StackmapValue::StackmapValue):
363         * b3/B3StackmapValue.h: Added.
364         * b3/B3SwitchValue.cpp:
365         (JSC::B3::SwitchValue::appendCase):
366         (JSC::B3::SwitchValue::dumpMeta):
367         (JSC::B3::SwitchValue::SwitchValue):
368         * b3/B3SwitchValue.h:
369         * b3/B3UpsilonValue.cpp:
370         (JSC::B3::UpsilonValue::~UpsilonValue):
371         (JSC::B3::UpsilonValue::dumpMeta):
372         * b3/B3UpsilonValue.h:
373         * b3/B3Validate.cpp:
374         * b3/B3Value.cpp:
375         (JSC::B3::Value::dump):
376         (JSC::B3::Value::dumpChildren):
377         (JSC::B3::Value::deepDump):
378         (JSC::B3::Value::performSubstitution):
379         (JSC::B3::Value::dumpMeta):
380         * b3/B3Value.h:
381         * b3/B3ValueInlines.h:
382         (JSC::B3::Value::asNumber):
383         (JSC::B3::Value::stackmap): Deleted.
384         * b3/B3ValueRep.h:
385         (JSC::B3::ValueRep::kind):
386         (JSC::B3::ValueRep::operator==):
387         (JSC::B3::ValueRep::operator!=):
388         (JSC::B3::ValueRep::operator bool):
389         (JSC::B3::ValueRep::isAny):
390         * b3/air/AirInstInlines.h:
391         * b3/testb3.cpp:
392         (JSC::B3::testSimplePatchpoint):
393
394 2015-11-03  Benjamin Poulain  <bpoulain@apple.com>
395
396         [JSC] Add Air lowering for BitOr and improve BitAnd
397         https://bugs.webkit.org/show_bug.cgi?id=150827
398
399         Reviewed by Filip Pizlo.
400
401         In this patch:
402         -B3 to Air lowering for BirOr.
403         -Codegen for BitOr.
404         -Strength reduction for BitOr and BitAnd.
405         -Tests for BitAnd and BitOr.
406         -Bug fix: Move64 with a negative value was destroying the top bits.
407
408         * b3/B3Const32Value.cpp:
409         (JSC::B3::Const32Value::bitAndConstant):
410         (JSC::B3::Const32Value::bitOrConstant):
411         * b3/B3Const32Value.h:
412         * b3/B3Const64Value.cpp:
413         (JSC::B3::Const64Value::bitAndConstant):
414         (JSC::B3::Const64Value::bitOrConstant):
415         * b3/B3Const64Value.h:
416         * b3/B3LowerToAir.cpp:
417         (JSC::B3::Air::LowerToAir::immForMove):
418         (JSC::B3::Air::LowerToAir::immOrTmpForMove):
419         (JSC::B3::Air::LowerToAir::tryOr):
420         (JSC::B3::Air::LowerToAir::tryConst64):
421         (JSC::B3::Air::LowerToAir::tryUpsilon):
422         (JSC::B3::Air::LowerToAir::tryIdentity):
423         (JSC::B3::Air::LowerToAir::tryReturn):
424         (JSC::B3::Air::LowerToAir::immOrTmp): Deleted.
425         * b3/B3LoweringMatcher.patterns:
426         * b3/B3ReduceStrength.cpp:
427         * b3/B3Value.cpp:
428         (JSC::B3::Value::bitAndConstant):
429         (JSC::B3::Value::bitOrConstant):
430         * b3/B3Value.h:
431         * b3/air/AirOpcode.opcodes:
432         * b3/testb3.cpp:
433         (JSC::B3::testReturnConst64):
434         (JSC::B3::testBitAndArgs):
435         (JSC::B3::testBitAndSameArg):
436         (JSC::B3::testBitAndImms):
437         (JSC::B3::testBitAndArgImm):
438         (JSC::B3::testBitAndImmArg):
439         (JSC::B3::testBitAndBitAndArgImmImm):
440         (JSC::B3::testBitAndImmBitAndArgImm):
441         (JSC::B3::testBitAndArgs32):
442         (JSC::B3::testBitAndSameArg32):
443         (JSC::B3::testBitAndImms32):
444         (JSC::B3::testBitAndArgImm32):
445         (JSC::B3::testBitAndImmArg32):
446         (JSC::B3::testBitAndBitAndArgImmImm32):
447         (JSC::B3::testBitAndImmBitAndArgImm32):
448         (JSC::B3::testBitOrArgs):
449         (JSC::B3::testBitOrSameArg):
450         (JSC::B3::testBitOrImms):
451         (JSC::B3::testBitOrArgImm):
452         (JSC::B3::testBitOrImmArg):
453         (JSC::B3::testBitOrBitOrArgImmImm):
454         (JSC::B3::testBitOrImmBitOrArgImm):
455         (JSC::B3::testBitOrArgs32):
456         (JSC::B3::testBitOrSameArg32):
457         (JSC::B3::testBitOrImms32):
458         (JSC::B3::testBitOrArgImm32):
459         (JSC::B3::testBitOrImmArg32):
460         (JSC::B3::testBitOrBitOrArgImmImm32):
461         (JSC::B3::testBitOrImmBitOrArgImm32):
462         (JSC::B3::run):
463
464 2015-11-03  Saam barati  <sbarati@apple.com>
465
466         Rewrite "const" as "var" for iTunes/iBooks on the Mac
467         https://bugs.webkit.org/show_bug.cgi?id=150852
468
469         Reviewed by Geoffrey Garen.
470
471         VM now has a setting indicating if we should treat
472         "const" variables as "var" to more closely match
473         JSC's previous implementation of "const" before ES6.
474
475         * parser/Parser.h:
476         (JSC::Parser::next):
477         (JSC::Parser::nextExpectIdentifier):
478         * runtime/VM.h:
479         (JSC::VM::setShouldRewriteConstAsVar):
480         (JSC::VM::shouldRewriteConstAsVar):
481
482 2015-11-03  Mark Lam  <mark.lam@apple.com>
483
484         Fix some inefficiencies in the baseline usage of JITAddGenerator.
485         https://bugs.webkit.org/show_bug.cgi?id=150850
486
487         Reviewed by Michael Saboff.
488
489         1. emit_op_add() was loading the operands twice.  Removed the redundant load.
490         2. The snippet may decide that it wants to go the slow path route all the time.
491            In that case, emit_op_add will end up emitting a branch to an out of line
492            slow path followed by some dead code to store the result of the fast path
493            on to the stack.
494            We now check if the snippet determined that there's no fast path, and just
495            emit the slow path inline, and skip the dead store of the fast path result.
496
497         * jit/JITArithmetic.cpp:
498         (JSC::JIT::emit_op_add):
499
500 2015-11-03  Filip Pizlo  <fpizlo@apple.com>
501
502         B3::LowerToAir should do copy propagation
503         https://bugs.webkit.org/show_bug.cgi?id=150775
504
505         Reviewed by Geoffrey Garen.
506
507         What we are trying to do is remove the unnecessary Move's and Move32's from Trunc and ZExt32.
508         You could think of this as an Air optimization, and indeed, Air is powerful enough that we
509         could write a phase that does copy propagation through Move's and Move32's. For Move32's it
510         would only copy-propagate if it proved that the value was already zero-extended. We could
511         know this by just adding a Def32 role to Air.
512
513         But this patch takes a different approach: we ensure that we don't generate such redundant
514         Move's and Move32's to begin with. The reason is that it's much cheaper to do analysis over
515         B3 than over Air. So, whenever possible, an optimization should be implemented in B3. In
516         this case the optimization can't quite be implemented in B3 because you cannot remove a Trunc
517         or ZExt32 without violating the B3 type system. So, the best place to do this optimization is
518         during lowering: we can use B3 for our analysis and we can use Air to express the
519         transformation.
520
521         Copy propagating during B3->Air lowering is natural because we are creating "SSA-like" Tmps
522         from the B3 Values. They are SSA-like in the sense that except the tmp for a Phi, we know
523         that the Tmp will be assigned once and that the assignment will dominate all uses. So, if we
524         see an operation like Trunc that is semantically just a Move, we can skip the Move and just
525         claim that the Trunc has the same Tmp as its child. We do something similar for ZExt32,
526         except with that one we have to analyze IR to ensure that the value will actually be zero
527         extended. Note that this kind of reasoning about how Tmps work in Air is only possible in the
528         B3->Air lowering, since at that point we know for sure which Tmps behave this way. If we
529         wanted to do anything like this as a later Air phase, we'd have to do more analysis to first
530         prove that Tmps behave in this way.
531
532         * b3/B3LowerToAir.cpp:
533         (JSC::B3::Air::LowerToAir::run):
534         (JSC::B3::Air::LowerToAir::highBitsAreZero):
535         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
536         (JSC::B3::Air::LowerToAir::tmp):
537         (JSC::B3::Air::LowerToAir::tryStore):
538         (JSC::B3::Air::LowerToAir::tryTrunc):
539         (JSC::B3::Air::LowerToAir::tryZExt32):
540         (JSC::B3::Air::LowerToAir::tryIdentity):
541         (JSC::B3::Air::LowerToAir::tryTruncArgumentReg): Deleted.
542         * b3/B3LoweringMatcher.patterns:
543
544 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
545
546         Web Inspector: Move ScriptDebugServer::Task to WorkerScriptDebugServer where it is actually used
547         https://bugs.webkit.org/show_bug.cgi?id=150847
548
549         Reviewed by Timothy Hatcher.
550
551         * inspector/ScriptDebugServer.h:
552         Remove Task from here, it isn't needed in the general case.
553
554         * parser/SourceProvider.h:
555         Remove unimplemented method.
556
557 2015-11-03  Joseph Pecoraro  <pecoraro@apple.com>
558
559         Web Inspector: Handle or Remove ParseHTML Timeline Event Records
560         https://bugs.webkit.org/show_bug.cgi?id=150689
561
562         Reviewed by Timothy Hatcher.
563
564         * inspector/protocol/Timeline.json:
565
566 2015-11-03  Michael Saboff  <msaboff@apple.com>
567
568         Rename InlineCallFrame::getCallerSkippingDeadFrames to something more descriptive
569         https://bugs.webkit.org/show_bug.cgi?id=150832
570
571         Reviewed by Geoffrey Garen.
572
573         Renamed InlineCallFrame::getCallerSkippingDeadFrames() to getCallerSkippingTailCalls().
574         Did similar renaming to helper InlineCallFrame::computeCallerSkippingTailCalls() and
575         InlineCallFrame::getCallerInlineFrameSkippingTailCalls().
576
577         * bytecode/InlineCallFrame.h:
578         (JSC::InlineCallFrame::computeCallerSkippingTailCalls):
579         (JSC::InlineCallFrame::getCallerSkippingTailCalls):
580         (JSC::InlineCallFrame::getCallerInlineFrameSkippingTailCalls):
581         (JSC::InlineCallFrame::computeCallerSkippingDeadFrames): Deleted.
582         (JSC::InlineCallFrame::getCallerSkippingDeadFrames): Deleted.
583         (JSC::InlineCallFrame::getCallerInlineFrameSkippingDeadFrames): Deleted.
584         * dfg/DFGByteCodeParser.cpp:
585         (JSC::DFG::ByteCodeParser::allInlineFramesAreTailCalls):
586         (JSC::DFG::ByteCodeParser::currentCodeOrigin):
587         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
588         * dfg/DFGGraph.cpp:
589         (JSC::DFG::Graph::isLiveInBytecode):
590         * dfg/DFGGraph.h:
591         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
592         * dfg/DFGOSRExitCompilerCommon.cpp:
593         (JSC::DFG::reifyInlinedCallFrames):
594         * dfg/DFGPreciseLocalClobberize.h:
595         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
596         * dfg/DFGSpeculativeJIT32_64.cpp:
597         (JSC::DFG::SpeculativeJIT::emitCall):
598         * dfg/DFGSpeculativeJIT64.cpp:
599         (JSC::DFG::SpeculativeJIT::emitCall):
600         * ftl/FTLLowerDFGToLLVM.cpp:
601         (JSC::FTL::DFG::LowerDFGToLLVM::codeOriginDescriptionOfCallSite):
602         * interpreter/StackVisitor.cpp:
603         (JSC::StackVisitor::gotoNextFrame):
604
605 2015-11-02  Filip Pizlo  <fpizlo@apple.com>
606
607         B3/Air should use bubble sort for their insertion sets, because it's faster than std::stable_sort
608         https://bugs.webkit.org/show_bug.cgi?id=150828
609
610         Reviewed by Geoffrey Garen.
611
612         Undo the 2% compile time regression caused by http://trac.webkit.org/changeset/191913.
613
614         * b3/B3InsertionSet.cpp:
615         (JSC::B3::InsertionSet::execute): Switch to bubble sort.
616         * b3/air/AirInsertionSet.cpp:
617         (JSC::B3::Air::InsertionSet::execute): Switch to bubble sort.
618         * dfg/DFGBlockInsertionSet.cpp:
619         (JSC::DFG::BlockInsertionSet::execute): Switch back to quicksort.
620
621 2015-11-03  Csaba Osztrogonác  <ossy@webkit.org>
622
623         Unreviewed, partially revert r191952.
624
625         Removed GCC compiler workarounds (unreachable returns).
626
627         * b3/B3Type.h:
628         (JSC::B3::sizeofType):
629         * b3/air/AirArg.h:
630         (JSC::B3::Air::Arg::isUse):
631         (JSC::B3::Air::Arg::isDef):
632         (JSC::B3::Air::Arg::isGP):
633         (JSC::B3::Air::Arg::isFP):
634         (JSC::B3::Air::Arg::isType):
635         * b3/air/AirCode.h:
636         (JSC::B3::Air::Code::newTmp):
637         (JSC::B3::Air::Code::numTmps):
638
639 2015-11-03  Csaba Osztrogonác  <ossy@webkit.org>
640
641         Fix the ENABLE(B3_JIT) build on Linux
642         https://bugs.webkit.org/show_bug.cgi?id=150794
643
644         Reviewed by Darin Adler.
645
646         * CMakeLists.txt:
647         * b3/B3HeapRange.h:
648         * b3/B3IndexSet.h:
649         (JSC::B3::IndexSet::Iterable::iterator::operator++):
650         * b3/B3Type.h:
651         (JSC::B3::sizeofType):
652         * b3/air/AirArg.cpp:
653         (JSC::B3::Air::Arg::dump):
654         * b3/air/AirArg.h:
655         (JSC::B3::Air::Arg::isUse):
656         (JSC::B3::Air::Arg::isDef):
657         (JSC::B3::Air::Arg::isGP):
658         (JSC::B3::Air::Arg::isFP):
659         (JSC::B3::Air::Arg::isType):
660         * b3/air/AirCode.h:
661         (JSC::B3::Air::Code::newTmp):
662         (JSC::B3::Air::Code::numTmps):
663         * b3/air/AirSpecial.cpp:
664
665 2015-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
666
667         Clean up ENABLE(ES6_ARROWFUNCTION_SYNTAX) ifdefs and keep minimal set of them
668         https://bugs.webkit.org/show_bug.cgi?id=150793
669
670         Reviewed by Darin Adler.
671
672         Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r191875.
673         This patch drops many ENABLE(ES6_ARROWFUNCTION_SYNTAX) ifdefs and keeps only one of them;
674         the ifdef in parseAssignmentExpression.
675         This prevents functionality of parsing arrow function syntax.
676
677         * parser/Lexer.cpp:
678         (JSC::Lexer<T>::lex):
679         * parser/Parser.cpp:
680         (JSC::Parser<LexerType>::parseInner): Deleted.
681         * parser/Parser.h:
682         (JSC::Parser::isArrowFunctionParamters): Deleted.
683         * parser/ParserTokens.h:
684
685 2015-11-02  Michael Saboff  <msaboff@apple.com>
686
687         WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading
688         https://bugs.webkit.org/show_bug.cgi?id=150745
689
690         Reviewed by Geoffrey Garen.
691
692         During OSR exit, reifyInlinedCallFrames() was using the call kind from a tail call to
693         find the CallLinkInfo / StubInfo to find the return PC.  Instead we need to get the call
694         type of the true caller, that is the function we'll be returning to.
695
696         This can be found by remembering the last call type we find while walking up the inlined
697         frames in InlineCallFrame::getCallerSkippingDeadFrames().
698
699         We can also return directly back to a getter or setter callsite without using a thunk.
700
701         * bytecode/InlineCallFrame.h:
702         (JSC::InlineCallFrame::computeCallerSkippingDeadFrames):
703         (JSC::InlineCallFrame::getCallerSkippingDeadFrames):
704         * dfg/DFGOSRExitCompilerCommon.cpp:
705         (JSC::DFG::reifyInlinedCallFrames):
706         * jit/JITPropertyAccess.cpp:
707         (JSC::JIT::emit_op_get_by_id): Need to eliminate the stack pointer check, as it is wrong
708         for reified inlined frames created during OSR exit. 
709         * jit/ThunkGenerators.cpp:
710         (JSC::baselineGetterReturnThunkGenerator): Deleted.
711         (JSC::baselineSetterReturnThunkGenerator): Deleted.
712         * jit/ThunkGenerators.h:
713
714 2015-11-02  Saam barati  <sbarati@apple.com>
715
716         Wrong value recovery for DFG try/catch with a getter that throws during an IC miss
717         https://bugs.webkit.org/show_bug.cgi?id=150760
718
719         Reviewed by Geoffrey Garen.
720
721         This is related to using PhantomLocal instead of Flush as 
722         the liveness preservation mechanism for live catch variables. 
723         I'm temporarily switching things back to Flush. This will be a
724         performance hit for try/catch in the DFG. Landing this patch,
725         though, will allow me to land try/catch in the FTL. It also
726         makes try/catch in the DFG sound. I have opened another
727         bug to further investigate using PhantomLocal as the
728         liveness preservation mechanism: https://bugs.webkit.org/show_bug.cgi?id=150824
729
730         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
731         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
732         * tests/stress/dfg-try-catch-wrong-value-recovery-on-ic-miss.js: Added.
733         (assert):
734         (let.oThrow.get f):
735         (let.o2.get f):
736         (foo):
737         (f):
738
739 2015-11-02  Andy Estes  <aestes@apple.com>
740
741         [Cocoa] Add tvOS and watchOS to SUPPORTED_PLATFORMS
742         https://bugs.webkit.org/show_bug.cgi?id=150819
743
744         Reviewed by Dan Bernstein.
745
746         This tells Xcode to include these platforms in its Devices dropdown, making it possible to build in the IDE.
747
748         * Configurations/Base.xcconfig:
749
750 2015-11-02  Brent Fulgham  <bfulgham@apple.com>
751
752         [Win] MiniBrowser unable to use WebInspector
753         https://bugs.webkit.org/show_bug.cgi?id=150810
754         <rdar://problem/23358514>
755
756         Reviewed by Timothy Hatcher.
757
758         The CMakeList rule for creating the InjectedScriptSource.min.js was improperly including
759         the quote characters in the text prepended to InjectedScriptSource.min.js. This caused a
760         parsing error in the JS file.
761         
762         The solution was to switch from using "COMMAND echo" to use the more cross-platform
763         compatible command "COMMAND ${CMAKE_COMMAND} -E echo ...", which handles the string
764         escaping properly on all platforms.
765
766         * CMakeLists.txt: Switch the 'echo' command syntax to be more cross-platform.
767
768 2015-11-02  Filip Pizlo  <fpizlo@apple.com>
769
770         B3 should be able to compile a Patchpoint
771         https://bugs.webkit.org/show_bug.cgi?id=150750
772
773         Reviewed by Geoffrey Garen.
774
775         This adds the glue in B3::LowerToAir that turns a B3::PatchpointValue into an Air::Patch
776         with a B3::PatchpointSpecial.
777
778         Along the way, I found some bugs. For starters, it became clear that I wanted to be able
779         to append constraints to a Stackmap, and I wanted to have more flexibility in how I
780         created a PatchpointValue. I also wanted more helper methods in ValueRep, since
781         otherwise I would have had to write a lot of boilerplate.
782
783         I discovered, and fixed, a minor goof in Air::Code dumping when there are specials.
784
785         There were a ton of indexing bugs in B3StackmapSpecial.
786
787         The spiller was broken in case the Def was not the last Arg, since it was adding things
788         to the insertion set both at instIndex and instIndex + 1, and the two types of additions
789         could occur in the wrong (i.e. the +1 case first) order with an early Def. We often have
790         bugs like this. In the DFG, we were paranoid about performance so we only admit out-of-
791         order insertions as a rare case. I think that we don't really need to be so paranoid.
792         So, I made the new insertion sets use a stable_sort to ensure that everything happens in
793         the right order. I changed DFG::BlockInsertionSet to also use stable_sort; it previously
794         used sort, which is slightly wrong.
795
796         This adds a new test that uses Patchpoint to implement a 32-bit add. It works!
797
798         * b3/B3InsertionSet.cpp:
799         (JSC::B3::InsertionSet::execute):
800         * b3/B3LowerToAir.cpp:
801         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
802         (JSC::B3::Air::LowerToAir::appendStore):
803         (JSC::B3::Air::LowerToAir::moveForType):
804         (JSC::B3::Air::LowerToAir::append):
805         (JSC::B3::Air::LowerToAir::ensureSpecial):
806         (JSC::B3::Air::LowerToAir::tryStore):
807         (JSC::B3::Air::LowerToAir::tryStackSlot):
808         (JSC::B3::Air::LowerToAir::tryPatchpoint):
809         (JSC::B3::Air::LowerToAir::tryUpsilon):
810         * b3/B3LoweringMatcher.patterns:
811         * b3/B3PatchpointValue.h:
812         (JSC::B3::PatchpointValue::accepts): Deleted.
813         (JSC::B3::PatchpointValue::PatchpointValue): Deleted.
814         * b3/B3Stackmap.h:
815         (JSC::B3::Stackmap::constrain):
816         (JSC::B3::Stackmap::appendConstraint):
817         (JSC::B3::Stackmap::reps):
818         (JSC::B3::Stackmap::clobber):
819         * b3/B3StackmapSpecial.cpp:
820         (JSC::B3::StackmapSpecial::forEachArgImpl):
821         (JSC::B3::StackmapSpecial::isValidImpl):
822         * b3/B3Value.h:
823         * b3/B3ValueRep.h:
824         (JSC::B3::ValueRep::ValueRep):
825         (JSC::B3::ValueRep::reg):
826         (JSC::B3::ValueRep::operator bool):
827         (JSC::B3::ValueRep::isAny):
828         (JSC::B3::ValueRep::isSomeRegister):
829         (JSC::B3::ValueRep::isReg):
830         (JSC::B3::ValueRep::isGPR):
831         (JSC::B3::ValueRep::isFPR):
832         (JSC::B3::ValueRep::gpr):
833         (JSC::B3::ValueRep::fpr):
834         (JSC::B3::ValueRep::isStack):
835         (JSC::B3::ValueRep::offsetFromFP):
836         (JSC::B3::ValueRep::isStackArgument):
837         (JSC::B3::ValueRep::offsetFromSP):
838         (JSC::B3::ValueRep::isConstant):
839         (JSC::B3::ValueRep::value):
840         * b3/air/AirCode.cpp:
841         (JSC::B3::Air::Code::dump):
842         * b3/air/AirInsertionSet.cpp:
843         (JSC::B3::Air::InsertionSet::execute):
844         * b3/testb3.cpp:
845         (JSC::B3::testComplex):
846         (JSC::B3::testSimplePatchpoint):
847         (JSC::B3::run):
848         * dfg/DFGBlockInsertionSet.cpp:
849         (JSC::DFG::BlockInsertionSet::execute):
850
851 2015-11-02  Mark Lam  <mark.lam@apple.com>
852
853         Snippefy op_add for the baseline JIT.
854         https://bugs.webkit.org/show_bug.cgi?id=150129
855
856         Reviewed by Geoffrey Garen and Saam Barati.
857
858         Performance is neutral for both 32-bit and 64-bit on X86_64.
859
860         * CMakeLists.txt:
861         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
862         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
863         * JavaScriptCore.xcodeproj/project.pbxproj:
864         * jit/JIT.h:
865         (JSC::JIT::getOperandConstantInt):
866         - Move getOperandConstantInt() from the JSVALUE64 section to the common section
867           because the snippet needs it.
868
869         * jit/JITAddGenerator.cpp: Added.
870         (JSC::JITAddGenerator::generateFastPath):
871         * jit/JITAddGenerator.h: Added.
872         (JSC::JITAddGenerator::JITAddGenerator):
873         (JSC::JITAddGenerator::endJumpList):
874         (JSC::JITAddGenerator::slowPathJumpList):
875         - JITAddGenerator implements an optimization for the case where 1 of the 2 operands
876           is a constant int32_t.  It does not implement an optimization for the case where
877           both operands are constant int32_t.  This is because:
878           1. For the baseline JIT, the ASTBuilder will fold the 2 constants together.
879           2. For the DFG, the AbstractInterpreter will also fold the 2 constants.
880
881           Hence, such an optimization path (for 2 constant int32_t operands) would never
882           be taken, and is why we won't implement it.
883
884         * jit/JITArithmetic.cpp:
885         (JSC::JIT::compileBinaryArithOp):
886         (JSC::JIT::compileBinaryArithOpSlowCase):
887         - Removed op_add cases.  These are no longer used by the op_add emitters.
888
889         (JSC::JIT::emit_op_add):
890         (JSC::JIT::emitSlow_op_add):
891         - Moved out from the JSVALUE64 section to the common section, and reimplemented
892           using the snippet.
893
894         * jit/JITArithmetic32_64.cpp:
895         (JSC::JIT::emitBinaryDoubleOp):
896         (JSC::JIT::emit_op_add): Deleted.
897         (JSC::JIT::emitAdd32Constant): Deleted.
898         (JSC::JIT::emitSlow_op_add): Deleted.
899         - Remove 32-bit specific version of op_add.  The snippet serves both 32-bit
900           and 64-bit implementations.
901
902         * jit/JITInlines.h:
903         (JSC::JIT::getOperandConstantInt):
904         - Move getOperandConstantInt() from the JSVALUE64 section to the common section
905           because the snippet needs it.
906
907 2015-11-02  Brian Burg  <bburg@apple.com>
908
909         Run sort-Xcode-project-file for the JavaScriptCore project.
910
911         Unreviewed. Many things were out of order following recent B3 commits.
912
913         * JavaScriptCore.xcodeproj/project.pbxproj:
914
915 2015-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
916
917         Rename op_put_getter_setter to op_put_getter_setter_by_id
918         https://bugs.webkit.org/show_bug.cgi?id=150773
919
920         Reviewed by Mark Lam.
921
922         Renaming op_put_getter_setter to op_put_getter_setter_by_id makes this op name consistent with
923         the other ops' names like op_put_getter_by_id etc.
924
925         And to fix build dependencies in Xcode, we added LLIntAssembly.h to the Xcode project file.
926
927         * JavaScriptCore.xcodeproj/project.pbxproj:
928         * bytecode/BytecodeList.json:
929         * bytecode/BytecodeUseDef.h:
930         (JSC::computeUsesForBytecodeOffset):
931         (JSC::computeDefsForBytecodeOffset):
932         * bytecode/CodeBlock.cpp:
933         (JSC::CodeBlock::dumpBytecode):
934         * bytecompiler/BytecodeGenerator.cpp:
935         (JSC::BytecodeGenerator::emitPutGetterSetter):
936         * dfg/DFGByteCodeParser.cpp:
937         (JSC::DFG::ByteCodeParser::parseBlock):
938         * dfg/DFGCapabilities.cpp:
939         (JSC::DFG::capabilityLevel):
940         * jit/JIT.cpp:
941         (JSC::JIT::privateCompileMainPass):
942         * jit/JIT.h:
943         * jit/JITPropertyAccess.cpp:
944         (JSC::JIT::emit_op_put_getter_setter_by_id):
945         (JSC::JIT::emit_op_put_getter_setter): Deleted.
946         * jit/JITPropertyAccess32_64.cpp:
947         (JSC::JIT::emit_op_put_getter_setter_by_id):
948         (JSC::JIT::emit_op_put_getter_setter): Deleted.
949         * llint/LLIntSlowPaths.cpp:
950         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
951         * llint/LLIntSlowPaths.h:
952         * llint/LowLevelInterpreter.asm:
953
954 2015-11-02  Csaba Osztrogonác  <ossy@webkit.org>
955
956         Fix the FTL JIT build with system LLVM on Linux
957         https://bugs.webkit.org/show_bug.cgi?id=150795
958
959         Reviewed by Filip Pizlo.
960
961         * CMakeLists.txt:
962
963 2015-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
964
965         [ES6] Support Generator Syntax
966         https://bugs.webkit.org/show_bug.cgi?id=150769
967
968         Reviewed by Geoffrey Garen.
969
970         This patch implements the syntax part of ES6 Generators.
971
972         1. Add ENABLE_ES6_GENERATORS compile time flag. It is disabled by default, and will be enabled once ES6 generator functionality is implemented.
973         2. Add lexer support for YIELD. It changes "yield" from reserved-if-strict word to keyword. And it is correct under the ES6 spec.
974         3. Implement parsing functionality and YieldExprNode stub. YieldExprNode does not emit meaningful bytecodes yet. This should be implemented in a future patch.
975         4. Accept "yield" Identifier as a label etc. under sloppy mode && non-generator code. http://ecma-international.org/ecma-262/6.0/#sec-generator-function-definitions-static-semantics-early-errors
976
977         * Configurations/FeatureDefines.xcconfig:
978         * bytecompiler/NodesCodegen.cpp:
979         (JSC::YieldExprNode::emitBytecode):
980         * parser/ASTBuilder.h:
981         (JSC::ASTBuilder::createYield):
982         * parser/Keywords.table:
983         * parser/NodeConstructors.h:
984         (JSC::YieldExprNode::YieldExprNode):
985         * parser/Nodes.h:
986         * parser/Parser.cpp:
987         (JSC::Parser<LexerType>::Parser):
988         (JSC::Parser<LexerType>::parseInner):
989         (JSC::Parser<LexerType>::parseStatementListItem):
990         (JSC::Parser<LexerType>::parseVariableDeclarationList):
991         (JSC::Parser<LexerType>::parseDestructuringPattern):
992         (JSC::Parser<LexerType>::parseBreakStatement):
993         (JSC::Parser<LexerType>::parseContinueStatement):
994         (JSC::Parser<LexerType>::parseTryStatement):
995         (JSC::Parser<LexerType>::parseStatement):
996         (JSC::stringForFunctionMode):
997         (JSC::Parser<LexerType>::parseFunctionParameters):
998         (JSC::Parser<LexerType>::parseFunctionInfo):
999         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1000         (JSC::Parser<LexerType>::parseClass):
1001         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
1002         (JSC::Parser<LexerType>::parseExportDeclaration):
1003         (JSC::Parser<LexerType>::parseAssignmentExpression):
1004         (JSC::Parser<LexerType>::parseYieldExpression):
1005         (JSC::Parser<LexerType>::parseProperty):
1006         (JSC::Parser<LexerType>::parsePropertyMethod):
1007         (JSC::Parser<LexerType>::parseGetterSetter):
1008         (JSC::Parser<LexerType>::parseFunctionExpression):
1009         (JSC::Parser<LexerType>::parsePrimaryExpression):
1010         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
1011         * parser/Parser.h:
1012         (JSC::Scope::Scope):
1013         (JSC::Scope::setSourceParseMode):
1014         (JSC::Scope::isGenerator):
1015         (JSC::Scope::setIsFunction):
1016         (JSC::Scope::setIsGenerator):
1017         (JSC::Scope::setIsModule):
1018         (JSC::Parser::pushScope):
1019         (JSC::Parser::isYIELDMaskedAsIDENT):
1020         (JSC::Parser::matchSpecIdentifier):
1021         (JSC::Parser::saveState):
1022         (JSC::Parser::restoreState):
1023         * parser/ParserModes.h:
1024         (JSC::isFunctionParseMode):
1025         (JSC::isModuleParseMode):
1026         (JSC::isProgramParseMode):
1027         * parser/ParserTokens.h:
1028         * parser/SyntaxChecker.h:
1029         (JSC::SyntaxChecker::createYield):
1030         * tests/stress/generator-methods.js: Added.
1031         (Hello.prototype.gen):
1032         (Hello.gen):
1033         (Hello):
1034         (Hello.prototype.set get string_appeared_here):
1035         (Hello.string_appeared_here):
1036         (Hello.prototype.20):
1037         (Hello.20):
1038         (Hello.prototype.42):
1039         (Hello.42):
1040         (let.object.gen):
1041         (let.object.set get string_appeared_here):
1042         (let.object.20):
1043         (let.object.42):
1044         * tests/stress/generator-syntax.js: Added.
1045         (testSyntax):
1046         (testSyntaxError):
1047         (testSyntaxError.Hello.prototype.get gen):
1048         (testSyntaxError.Hello):
1049         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.Hello.prototype.set gen):
1050         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.Hello):
1051         (SyntaxError.Unexpected.token.string_appeared_here.Expected.an.opening.string_appeared_here.before.a.method.testSyntaxError.gen):
1052         (testSyntaxError.value):
1053         (testSyntaxError.gen.ng):
1054         (testSyntaxError.gen):
1055         (testSyntax.gen):
1056         * tests/stress/yield-and-line-terminator.js: Added.
1057         (testSyntax):
1058         (testSyntaxError):
1059         (testSyntax.gen):
1060         (testSyntaxError.gen):
1061         * tests/stress/yield-label-generator.js: Added.
1062         (testSyntax):
1063         (testSyntaxError):
1064         (testSyntaxError.test):
1065         (SyntaxError.Unexpected.keyword.string_appeared_here.Expected.an.identifier.as.the.target.a.continue.statement.testSyntax.test):
1066         * tests/stress/yield-label.js: Added.
1067         (yield):
1068         (testSyntaxError):
1069         (testSyntaxError.test):
1070         * tests/stress/yield-named-accessors-generator.js: Added.
1071         (t1.let.object.get yield):
1072         (t1.let.object.set yield):
1073         (t1):
1074         (t2.let.object.get yield):
1075         (t2.let.object.set yield):
1076         (t2):
1077         * tests/stress/yield-named-accessors.js: Added.
1078         (t1.let.object.get yield):
1079         (t1.let.object.set yield):
1080         (t1):
1081         (t2.let.object.get yield):
1082         (t2.let.object.set yield):
1083         (t2):
1084         * tests/stress/yield-named-variable-generator.js: Added.
1085         (testSyntax):
1086         (testSyntaxError):
1087         (testSyntaxError.t1):
1088         (testSyntaxError.t1.yield):
1089         (testSyntax.t1.yield):
1090         (testSyntax.t1):
1091         * tests/stress/yield-named-variable.js: Added.
1092         (testSyntax):
1093         (testSyntaxError):
1094         (testSyntax.t1):
1095         (testSyntaxError.t1):
1096         (testSyntax.t1.yield):
1097         (testSyntaxError.t1.yield):
1098         * tests/stress/yield-out-of-generator.js: Added.
1099         (testSyntax):
1100         (testSyntaxError):
1101         (testSyntaxError.hello):
1102         (testSyntaxError.gen.hello):
1103         (testSyntaxError.gen):
1104         (testSyntax.gen):
1105         (testSyntax.gen.ok):
1106         (testSyntaxError.gen.ok):
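
The context rule from item 4 of the "[ES6] Support Generator Syntax" entry above, as an added example that is not part of the ChangeLog or of the WebKit test files it lists: whether "yield" parses as an identifier, a label or a keyword depends on strictness and on whether the enclosing function is a generator. The helper `parses` and the `yieldCases` table are names made up here, and the source strings are constructed samples.

```javascript
// Added illustration; parses(), yieldCases and classifyYieldCases() are
// hypothetical names, not taken from the WebKit tests.
// new Function(body) compiles `body` as sloppy-mode function code unless the
// body itself opens with a "use strict" directive, so each string selects
// its own mode regardless of the mode of the calling file.
function parses(body) {
  try {
    new Function(body); // compile only; the function is never called
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err; // anything else is a real failure, not a parse verdict
  }
}

const yieldCases = [
  // Sloppy mode, outside a generator: "yield" is an ordinary identifier.
  { context: 'sloppy', body: 'var yield = 1; return yield + 1;' },
  { context: 'sloppy', body: 'yield: for (;;) { break yield; }' },
  { context: 'sloppy', body: 'function yield() {}' },
  // ...which also means "yield 1" is an identifier followed by a literal.
  { context: 'sloppy', body: 'yield 1;' },

  // Strict mode: "yield" is reserved, so neither binding nor label is allowed.
  { context: 'strict', body: '"use strict"; var yield = 1;' },
  { context: 'strict', body: '"use strict"; yield: for (;;) { break yield; }' },

  // Generator body: "yield" is the keyword, even in sloppy mode.
  { context: 'generator', body: 'function* g() { yield 1; yield; }' },
  { context: 'generator', body: 'function* g() { var yield = 1; }' },
  { context: 'generator', body: 'function* g() { yield: for (;;) { break yield; } }' },

  // Property names are IdentifierNames, so "yield" is always fine there.
  { context: 'generator', body: 'function* g() { return { yield: 1 }.yield; }' },
  // An ordinary function nested in a generator gets the identifier back.
  { context: 'generator', body: 'function* g() { function inner() { var yield = 1; } }' },
];

// Returns each case with the parser's verdict attached.
function classifyYieldCases() {
  return yieldCases.map((c) => ({ ...c, accepted: parses(c.body) }));
}

for (const c of classifyYieldCases()) {
  console.log(`${c.accepted ? 'accept' : 'reject'}  [${c.context}]  ${c.body}`);
}
```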
1107
1108 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
1109
1110         Dominators should be factored out of the DFG
1111         https://bugs.webkit.org/show_bug.cgi?id=150764
1112
1113         Reviewed by Geoffrey Garen.
1114
1115         Factored DFGDominators.h/DFGDominators.cpp into WTF. To do this, I made two changes to the
1116         DFG:
1117
1118         1) DFG now has a CFG abstraction called DFG::CFG. The cool thing about this is that in the
1119            future if we wanted to support inverted dominators, we could do it by just creating a
1120            DFG::BackwardCFG.
1121
1122         2) Got rid of DFG::Analysis. From now on, an Analysis being invalidated is expressed by the
1123            DFG::Graph having a null pointer for that analysis. When we "run" the analysis, we
1124            just instantiate it. This makes it much more natural to integrate WTF::Dominators into
1125            the DFG.
1126
1127         * CMakeLists.txt:
1128         * JavaScriptCore.xcodeproj/project.pbxproj:
1129         * dfg/DFGAnalysis.h: Removed.
1130         * dfg/DFGCFG.h: Added.
1131         (JSC::DFG::CFG::CFG):
1132         (JSC::DFG::CFG::root):
1133         (JSC::DFG::CFG::newMap<T>):
1134         (JSC::DFG::CFG::successors):
1135         (JSC::DFG::CFG::predecessors):
1136         (JSC::DFG::CFG::index):
1137         (JSC::DFG::CFG::node):
1138         (JSC::DFG::CFG::numNodes):
1139         (JSC::DFG::CFG::dump):
1140         * dfg/DFGCSEPhase.cpp:
1141         * dfg/DFGDisassembler.cpp:
1142         (JSC::DFG::Disassembler::createDumpList):
1143         * dfg/DFGDominators.cpp: Removed.
1144         * dfg/DFGDominators.h:
1145         (JSC::DFG::Dominators::Dominators):
1146         (JSC::DFG::Dominators::strictlyDominates): Deleted.
1147         (JSC::DFG::Dominators::dominates): Deleted.
1148         (JSC::DFG::Dominators::immediateDominatorOf): Deleted.
1149         (JSC::DFG::Dominators::forAllStrictDominatorsOf): Deleted.
1150         (JSC::DFG::Dominators::forAllDominatorsOf): Deleted.
1151         (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy): Deleted.
1152         (JSC::DFG::Dominators::forAllBlocksDominatedBy): Deleted.
1153         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf): Deleted.
1154         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf): Deleted.
1155         (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf): Deleted.
1156         (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl): Deleted.
1157         (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl): Deleted.
1158         (JSC::DFG::Dominators::BlockData::BlockData): Deleted.
1159         * dfg/DFGEdgeDominates.h:
1160         (JSC::DFG::EdgeDominates::operator()):
1161         * dfg/DFGGraph.cpp:
1162         (JSC::DFG::Graph::Graph):
1163         (JSC::DFG::Graph::dumpBlockHeader):
1164         (JSC::DFG::Graph::invalidateCFG):
1165         (JSC::DFG::Graph::substituteGetLocal):
1166         (JSC::DFG::Graph::handleAssertionFailure):
1167         (JSC::DFG::Graph::ensureDominators):
1168         (JSC::DFG::Graph::ensurePrePostNumbering):
1169         (JSC::DFG::Graph::ensureNaturalLoops):
1170         (JSC::DFG::Graph::valueProfileFor):
1171         * dfg/DFGGraph.h:
1172         (JSC::DFG::Graph::hasDebuggerEnabled):
1173         * dfg/DFGLICMPhase.cpp:
1174         (JSC::DFG::LICMPhase::run):
1175         (JSC::DFG::LICMPhase::attemptHoist):
1176         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1177         (JSC::DFG::createPreHeader):
1178         (JSC::DFG::LoopPreHeaderCreationPhase::run):
1179         * dfg/DFGNaturalLoops.cpp:
1180         (JSC::DFG::NaturalLoop::dump):
1181         (JSC::DFG::NaturalLoops::NaturalLoops):
1182         (JSC::DFG::NaturalLoops::~NaturalLoops):
1183         (JSC::DFG::NaturalLoops::loopsOf):
1184         (JSC::DFG::NaturalLoops::computeDependencies): Deleted.
1185         (JSC::DFG::NaturalLoops::compute): Deleted.
1186         * dfg/DFGNaturalLoops.h:
1187         (JSC::DFG::NaturalLoops::numLoops):
1188         * dfg/DFGNode.h:
1189         (JSC::DFG::Node::SuccessorsIterable::end):
1190         (JSC::DFG::Node::SuccessorsIterable::size):
1191         (JSC::DFG::Node::SuccessorsIterable::at):
1192         (JSC::DFG::Node::SuccessorsIterable::operator[]):
1193         * dfg/DFGOSREntrypointCreationPhase.cpp:
1194         (JSC::DFG::OSREntrypointCreationPhase::run):
1195         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1196         * dfg/DFGPlan.cpp:
1197         (JSC::DFG::Plan::compileInThreadImpl):
1198         * dfg/DFGPrePostNumbering.cpp:
1199         (JSC::DFG::PrePostNumbering::PrePostNumbering):
1200         (JSC::DFG::PrePostNumbering::~PrePostNumbering):
1201         (JSC::DFG::PrePostNumbering::compute): Deleted.
1202         * dfg/DFGPrePostNumbering.h:
1203         (JSC::DFG::PrePostNumbering::preNumber):
1204         (JSC::DFG::PrePostNumbering::postNumber):
1205         * dfg/DFGPutStackSinkingPhase.cpp:
1206         * dfg/DFGSSACalculator.cpp:
1207         (JSC::DFG::SSACalculator::nonLocalReachingDef):
1208         (JSC::DFG::SSACalculator::reachingDefAtTail):
1209         * dfg/DFGSSACalculator.h:
1210         (JSC::DFG::SSACalculator::computePhis):
1211         * dfg/DFGSSAConversionPhase.cpp:
1212         (JSC::DFG::SSAConversionPhase::run):
1213         * ftl/FTLLink.cpp:
1214         (JSC::FTL::link):
1215         * ftl/FTLLowerDFGToLLVM.cpp:
1216         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1217         (JSC::FTL::DFG::LowerDFGToLLVM::safelyInvalidateAfterTermination):
1218         (JSC::FTL::DFG::LowerDFGToLLVM::isValid):
1219
1220 2015-10-31  Filip Pizlo  <fpizlo@apple.com>
1221
1222         B3::reduceStrength's DCE should be more agro and less wrong
1223         https://bugs.webkit.org/show_bug.cgi?id=150748
1224
1225         Reviewed by Geoffrey Garen.
1226
1227         First of all, our DCE had a bug where it would keep Upsilons after it deleted the Phis that
1228         they referenced. But our B3 DCE was also not aggressive enough. It would not eliminate
1229         cycles. It was also probably slower than it needed to be, since it would eliminate all
1230         never-referenced things on each fixpoint.
1231
1232         This adds a presume-everyone-is-dead-and-find-live-things style DCE. This is very natural to
1233         write, except for Upsilons. For everything but Upsilons, it's just a worklist algorithm. For
1234         Upsilons, it's a fixpoint. It works fine in the end.
1235
1236         I kept finding bugs in this algorithm when I tested it against my "Complex" test that I was
1237         writing as a compile time benchmark. So, I include that test in this change. I also include
1238         the small lowering extensions that it needed - shifting and zero extending.
1239
1240         This change also adds an LLVM version of the Complex test. Though the LLVM version feels
1241         more natural to write because LLVM has traditional Phis rather than our quirky Phis, in
1242         the end LLVM ends up performing very badly - 10x to 20x worse than B3. Some of that gap will
1243         close once we give B3 a register allocator, but still, that's pretty good news for our B3
1244         strategy.
1245
1246         * JavaScriptCore.xcodeproj/project.pbxproj:
1247         * assembler/MacroAssemblerX86_64.h:
1248         (JSC::MacroAssemblerX86_64::lshift64):
1249         (JSC::MacroAssemblerX86_64::rshift64):
1250         * assembler/X86Assembler.h:
1251         (JSC::X86Assembler::shlq_i8r):
1252         (JSC::X86Assembler::shlq_CLr):
1253         (JSC::X86Assembler::imull_rr):
1254         * b3/B3BasicBlock.cpp:
1255         (JSC::B3::BasicBlock::replacePredecessor):
1256         (JSC::B3::BasicBlock::dump):
1257         (JSC::B3::BasicBlock::removeNops): Deleted.
1258         * b3/B3BasicBlock.h:
1259         (JSC::B3::BasicBlock::frequency):
1260         * b3/B3Common.cpp:
1261         (JSC::B3::shouldSaveIRBeforePhase):
1262         (JSC::B3::shouldMeasurePhaseTiming):
1263         * b3/B3Common.h:
1264         (JSC::B3::isRepresentableAsImpl):
1265         * b3/B3Generate.cpp:
1266         (JSC::B3::generate):
1267         (JSC::B3::generateToAir):
1268         * b3/B3LowerToAir.cpp:
1269         (JSC::B3::Air::LowerToAir::tryAnd):
1270         (JSC::B3::Air::LowerToAir::tryShl):
1271         (JSC::B3::Air::LowerToAir::tryStoreAddLoad):
1272         (JSC::B3::Air::LowerToAir::tryTrunc):
1273         (JSC::B3::Air::LowerToAir::tryZExt32):
1274         (JSC::B3::Air::LowerToAir::tryArgumentReg):
1275         * b3/B3LoweringMatcher.patterns:
1276         * b3/B3PhaseScope.cpp:
1277         (JSC::B3::PhaseScope::PhaseScope):
1278         * b3/B3PhaseScope.h:
1279         * b3/B3ReduceStrength.cpp:
1280         * b3/B3TimingScope.cpp: Added.
1281         (JSC::B3::TimingScope::TimingScope):
1282         (JSC::B3::TimingScope::~TimingScope):
1283         * b3/B3TimingScope.h: Added.
1284         * b3/B3Validate.cpp:
1285         * b3/air/AirAllocateStack.cpp:
1286         (JSC::B3::Air::allocateStack):
1287         * b3/air/AirGenerate.cpp:
1288         (JSC::B3::Air::generate):
1289         * b3/air/AirInstInlines.h:
1290         (JSC::B3::Air::ForEach<Arg>::forEach):
1291         (JSC::B3::Air::Inst::forEach):
1292         (JSC::B3::Air::isLshift32Valid):
1293         (JSC::B3::Air::isLshift64Valid):
1294         * b3/air/AirLiveness.h:
1295         (JSC::B3::Air::Liveness::isAlive):
1296         (JSC::B3::Air::Liveness::Liveness):
1297         (JSC::B3::Air::Liveness::LocalCalc::execute):
1298         * b3/air/AirOpcode.opcodes:
1299         * b3/air/AirPhaseScope.cpp:
1300         (JSC::B3::Air::PhaseScope::PhaseScope):
1301         * b3/air/AirPhaseScope.h:
1302         * b3/testb3.cpp:
1303         (JSC::B3::testBranchEqualFoldPtr):
1304         (JSC::B3::testComplex):
1305         (JSC::B3::run):
1306         * runtime/Options.h:
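
The "presume everyone is dead and find live things" scheme from the B3::reduceStrength entry above, sketched on a toy IR as an added example; this is not B3's code. The value records, `findLive`, `findLiveNaive` and the sample program are constructed here, and the naive variant exists only for contrast (it is not the previous B3 implementation).

```javascript
// Toy IR constructed for this example. An Upsilon stores its single child
// into the Phi named by `phi`; `mustExecute` marks a value that is a root.
const program = [
  { id: 'zero',     op: 'Const',   children: [] },
  { id: 'one',      op: 'Const',   children: [] },
  { id: 'iInit',    op: 'Upsilon', children: ['zero'], phi: 'i' },
  { id: 'i',        op: 'Phi',     children: [] },
  { id: 'stepInit', op: 'Upsilon', children: ['one'], phi: 'step' },
  { id: 'step',     op: 'Phi',     children: [] },
  { id: 'iNext',    op: 'Add',     children: ['i', 'step'] },
  { id: 'iLoop',    op: 'Upsilon', children: ['iNext'], phi: 'i' },
  { id: 'ret',      op: 'Return',  children: ['i'], mustExecute: true },
  // A loop-carried cycle that nothing live ever reads.
  { id: 'jInit',    op: 'Upsilon', children: ['zero'], phi: 'j' },
  { id: 'j',        op: 'Phi',     children: [] },
  { id: 'jNext',    op: 'Add',     children: ['j', 'one'] },
  { id: 'jLoop',    op: 'Upsilon', children: ['jNext'], phi: 'j' },
  // A Phi with no users at all, plus the Upsilon feeding it.
  { id: 'kInit',    op: 'Upsilon', children: ['zero'], phi: 'k' },
  { id: 'k',        op: 'Phi',     children: [] },
  { id: 'unused',   op: 'Mul',     children: ['one', 'one'] },
];

// Worklist part: everything reachable through child edges becomes live.
function markFrom(byId, live, worklist) {
  while (worklist.length > 0) {
    const value = byId.get(worklist.pop());
    for (const child of value.children) {
      if (!live.has(child)) { live.add(child); worklist.push(child); }
    }
  }
}

// Everything starts dead. Roots seed the worklist; an Upsilon becomes live
// only once its Phi is live, which can expose more live Phis, hence the
// outer fixpoint loop around the worklist.
function findLive(values) {
  const byId = new Map(values.map((v) => [v.id, v]));
  const live = new Set();
  const worklist = [];
  let pending = [];
  for (const v of values) {
    if (v.op === 'Upsilon') pending.push(v);
    else if (v.mustExecute) { live.add(v.id); worklist.push(v.id); }
  }
  for (;;) {
    markFrom(byId, live, worklist);
    const stillPending = [];
    for (const u of pending) {
      if (live.has(u.phi)) { live.add(u.id); worklist.push(u.id); }
      else stillPending.push(u);
    }
    if (stillPending.length === pending.length) return live; // no progress
    pending = stillPending;
  }
}

// Contrast only: treating every Upsilon as a root keeps dead cycles alive
// and can leave an Upsilon pointing at a Phi that gets deleted.
function findLiveNaive(values) {
  const byId = new Map(values.map((v) => [v.id, v]));
  const live = new Set();
  const worklist = [];
  for (const v of values) {
    if (v.mustExecute || v.op === 'Upsilon') { live.add(v.id); worklist.push(v.id); }
  }
  markFrom(byId, live, worklist);
  return live;
}

// Values a DCE pass would delete, in program order.
function deadIds(values, live) {
  return values.filter((v) => !live.has(v.id)).map((v) => v.id);
}

// Invariant check: a surviving Upsilon must never reference a deleted Phi.
function danglingUpsilons(values, live) {
  return values
    .filter((v) => v.op === 'Upsilon' && live.has(v.id) && !live.has(v.phi))
    .map((v) => v.id);
}

console.log('dead (worklist + fixpoint):', deadIds(program, findLive(program)));
console.log('dead (naive):', deadIds(program, findLiveNaive(program)));
console.log('dangling (naive):', danglingUpsilons(program, findLiveNaive(program)));
```

The sample needs three rounds of the outer loop: `step` only becomes live after `iLoop` has pulled in `iNext`, and only then can `stepInit` be marked.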
1307
1308 2015-11-01  Alexey Proskuryakov  <ap@apple.com>
1309
1310         [ES6] Add support for toStringTag
1311         https://bugs.webkit.org/show_bug.cgi?id=150696
1312
1313         Re-landing, as this wasn't the culprit.
1314
1315         * runtime/ArrayIteratorPrototype.cpp:
1316         (JSC::ArrayIteratorPrototype::finishCreation):
1317         * runtime/CommonIdentifiers.h:
1318         * runtime/JSArrayBufferPrototype.cpp:
1319         (JSC::JSArrayBufferPrototype::finishCreation):
1320         (JSC::JSArrayBufferPrototype::create):
1321         * runtime/JSDataViewPrototype.cpp:
1322         (JSC::JSDataViewPrototype::create):
1323         (JSC::JSDataViewPrototype::finishCreation):
1324         (JSC::JSDataViewPrototype::createStructure):
1325         * runtime/JSDataViewPrototype.h:
1326         * runtime/JSModuleNamespaceObject.cpp:
1327         (JSC::JSModuleNamespaceObject::finishCreation):
1328         * runtime/JSONObject.cpp:
1329         (JSC::JSONObject::finishCreation):
1330         * runtime/JSPromisePrototype.cpp:
1331         (JSC::JSPromisePrototype::finishCreation):
1332         (JSC::JSPromisePrototype::getOwnPropertySlot):
1333         * runtime/JSTypedArrayViewPrototype.cpp:
1334         (JSC::typedArrayViewProtoFuncValues):
1335         (JSC::typedArrayViewProtoGetterFuncToStringTag):
1336         (JSC::JSTypedArrayViewPrototype::JSTypedArrayViewPrototype):
1337         (JSC::JSTypedArrayViewPrototype::finishCreation):
1338         * runtime/MapIteratorPrototype.cpp:
1339         (JSC::MapIteratorPrototype::finishCreation):
1340         (JSC::MapIteratorPrototypeFuncNext):
1341         * runtime/MapPrototype.cpp:
1342         (JSC::MapPrototype::finishCreation):
1343         * runtime/MathObject.cpp:
1344         (JSC::MathObject::finishCreation):
1345         * runtime/ObjectPrototype.cpp:
1346         (JSC::objectProtoFuncToString):
1347         * runtime/SetIteratorPrototype.cpp:
1348         (JSC::SetIteratorPrototype::finishCreation):
1349         (JSC::SetIteratorPrototypeFuncNext):
1350         * runtime/SetPrototype.cpp:
1351         (JSC::SetPrototype::finishCreation):
1352         * runtime/SmallStrings.cpp:
1353         (JSC::SmallStrings::SmallStrings):
1354         (JSC::SmallStrings::initializeCommonStrings):
1355         (JSC::SmallStrings::visitStrongReferences):
1356         * runtime/SmallStrings.h:
1357         (JSC::SmallStrings::typeString):
1358         (JSC::SmallStrings::objectStringStart):
1359         (JSC::SmallStrings::nullObjectString):
1360         (JSC::SmallStrings::undefinedObjectString):
1361         * runtime/StringIteratorPrototype.cpp:
1362         (JSC::StringIteratorPrototype::finishCreation):
1363         * runtime/SymbolPrototype.cpp:
1364         (JSC::SymbolPrototype::finishCreation):
1365         * runtime/WeakMapPrototype.cpp:
1366         (JSC::WeakMapPrototype::finishCreation):
1367         (JSC::getWeakMapData):
1368         * runtime/WeakSetPrototype.cpp:
1369         (JSC::WeakSetPrototype::finishCreation):
1370         (JSC::getWeakMapData):
1371         * tests/es6.yaml:
1372         * tests/modules/namespace.js:
1373         * tests/stress/symbol-tostringtag.js: Copied from Source/JavaScriptCore/tests/stress/symbol-tostringtag.js.
1374
1375 2015-11-01  Commit Queue  <commit-queue@webkit.org>
1376
1377         Unreviewed, rolling out r191815 and r191821.
1378         https://bugs.webkit.org/show_bug.cgi?id=150781
1379
1380         Seems to have broken JSC API tests on some platforms
1381         (Requested by ap on #webkit).
1382
1383         Reverted changesets:
1384
1385         "[ES6] Add support for toStringTag"
1386         https://bugs.webkit.org/show_bug.cgi?id=150696
1387         http://trac.webkit.org/changeset/191815
1388
1389         "Unreviewed, forgot to mark tests as passing for new feature."
1390         http://trac.webkit.org/changeset/191821
1391
1392 2015-11-01  Commit Queue  <commit-queue@webkit.org>
1393
1394         Unreviewed, rolling out r191858.
1395         https://bugs.webkit.org/show_bug.cgi?id=150780
1396
1397         Broke the build (Requested by ap on #webkit).
1398
1399         Reverted changeset:
1400
1401         "Rename op_put_getter_setter to op_put_getter_setter_by_id"
1402         https://bugs.webkit.org/show_bug.cgi?id=150773
1403         http://trac.webkit.org/changeset/191858
1404
1405 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
1406
1407         Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150777.
1408
1409         * b3/B3LowerToAir.cpp:
1410         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRoot):
1411
1412 2015-11-01  Filip Pizlo  <fpizlo@apple.com>
1413
1414         Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150775.
1415
1416         * b3/B3LowerToAir.cpp:
1417         (JSC::B3::Air::LowerToAir::tryTrunc):
1418
1419 2015-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1420
1421         Rename op_put_getter_setter to op_put_getter_setter_by_id
1422         https://bugs.webkit.org/show_bug.cgi?id=150773
1423
1424         Reviewed by Mark Lam.
1425
1426         Renaming op_put_getter_setter to op_put_getter_setter_by_id makes this op name consistent with
1427         the other ops' names like op_put_getter_by_id etc.
1428
1429         * bytecode/BytecodeList.json:
1430         * bytecode/BytecodeUseDef.h:
1431         (JSC::computeUsesForBytecodeOffset):
1432         (JSC::computeDefsForBytecodeOffset):
1433         * bytecode/CodeBlock.cpp:
1434         (JSC::CodeBlock::dumpBytecode):
1435         * bytecompiler/BytecodeGenerator.cpp:
1436         (JSC::BytecodeGenerator::emitPutGetterSetter):
1437         * dfg/DFGByteCodeParser.cpp:
1438         (JSC::DFG::ByteCodeParser::parseBlock):
1439         * dfg/DFGCapabilities.cpp:
1440         (JSC::DFG::capabilityLevel):
1441         * jit/JIT.cpp:
1442         (JSC::JIT::privateCompileMainPass):
1443         * jit/JIT.h:
1444         * jit/JITPropertyAccess.cpp:
1445         (JSC::JIT::emit_op_put_getter_setter_by_id):
1446         (JSC::JIT::emit_op_put_getter_setter): Deleted.
1447         * jit/JITPropertyAccess32_64.cpp:
1448         (JSC::JIT::emit_op_put_getter_setter_by_id):
1449         (JSC::JIT::emit_op_put_getter_setter): Deleted.
1450         * llint/LLIntSlowPaths.cpp:
1451         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1452         * llint/LLIntSlowPaths.h:
1453         * llint/LowLevelInterpreter.asm:
1454
1455 2015-10-31  Andreas Kling  <akling@apple.com>
1456
1457         Add a debug overlay with information about web process resource usage.
1458         <https://webkit.org/b/150599>
1459
1460         Reviewed by Darin Adler.
1461
1462         Have Heap track the exact number of bytes allocated in CopiedBlock, MarkedBlock and
1463         WeakBlock objects, keeping them in a single location that can be sampled by the
1464         resource usage overlay thread.
1465
1466         The bulk of these changes is threading a Heap& through from sites where blocks are
1467         allocated or freed.
1468
1469         * heap/CopiedBlock.cpp:
1470         (JSC::CopiedBlock::createNoZeroFill):
1471         (JSC::CopiedBlock::destroy):
1472         (JSC::CopiedBlock::create):
1473         * heap/CopiedBlock.h:
1474         * heap/CopiedSpace.cpp:
1475         (JSC::CopiedSpace::~CopiedSpace):
1476         (JSC::CopiedSpace::tryAllocateOversize):
1477         (JSC::CopiedSpace::tryReallocateOversize):
1478         * heap/CopiedSpaceInlines.h:
1479         (JSC::CopiedSpace::recycleEvacuatedBlock):
1480         (JSC::CopiedSpace::recycleBorrowedBlock):
1481         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
1482         (JSC::CopiedSpace::allocateBlock):
1483         (JSC::CopiedSpace::startedCopying):
1484         * heap/Heap.cpp:
1485         (JSC::Heap::~Heap):
1486         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock):
1487         * heap/Heap.h:
1488         (JSC::Heap::blockBytesAllocated):
1489         * heap/HeapInlines.h:
1490         (JSC::Heap::didAllocateBlock):
1491         (JSC::Heap::didFreeBlock):
1492         * heap/MarkedAllocator.cpp:
1493         (JSC::MarkedAllocator::allocateBlock):
1494         * heap/MarkedBlock.cpp:
1495         (JSC::MarkedBlock::create):
1496         (JSC::MarkedBlock::destroy):
1497         * heap/MarkedBlock.h:
1498         * heap/MarkedSpace.cpp:
1499         (JSC::MarkedSpace::freeBlock):
1500         * heap/WeakBlock.cpp:
1501         (JSC::WeakBlock::create):
1502         (JSC::WeakBlock::destroy):
1503         * heap/WeakBlock.h:
1504         * heap/WeakSet.cpp:
1505         (JSC::WeakSet::~WeakSet):
1506         (JSC::WeakSet::addAllocator):
1507         (JSC::WeakSet::removeAllocator):
1508
1509 2015-10-30  Filip Pizlo  <fpizlo@apple.com>
1510
1511         Air should eliminate dead code
1512         https://bugs.webkit.org/show_bug.cgi?id=150746
1513
1514         Reviewed by Geoffrey Garen.
1515
1516         This adds a very simple dead code elimination to Air. It simply looks at whether a Tmp or
1517         StackSlot has ever been used by a live instruction. An instruction is live if it has non-arg
1518         effects (branching, returning, calling, etc) or if it stores to a live Arg. An Arg is live if
1519         it references a live Tmp or StackSlot, or if it is neither a Tmp nor a StackSlot. The phase
1520         runs these rules to fixpoint, and then removes the dead instructions.
1521
1522         This also changes the AirOpcodes parser to handle multiple attributes per opcode, so that we
1523         could conceivably say things like "FooBar /branch /effects". It also adds the /effects
1524         attribute, which we currently use for Breakpoint and nothing else. C calls, patchpoints, and
1525         checks are all Specials, and the Special base class by default always claims that the
1526         instruction has effects. In the future, we could have B3 use a Patch in Air to implement
1527         exotic math constructs; then the Special associated with that thing would claim that there
1528         are no effects.
1529
1530         * JavaScriptCore.xcodeproj/project.pbxproj:
1531         * b3/air/AirBasicBlock.h:
1532         (JSC::B3::Air::BasicBlock::begin):
1533         (JSC::B3::Air::BasicBlock::end):
1534         (JSC::B3::Air::BasicBlock::at):
1535         (JSC::B3::Air::BasicBlock::last):
1536         (JSC::B3::Air::BasicBlock::resize):
1537         (JSC::B3::Air::BasicBlock::appendInst):
1538         * b3/air/AirEliminateDeadCode.cpp: Added.
1539         (JSC::B3::Air::eliminateDeadCode):
1540         * b3/air/AirEliminateDeadCode.h: Added.
1541         * b3/air/AirGenerate.cpp:
1542         (JSC::B3::Air::generate):
1543         * b3/air/AirInst.h:
1544         * b3/air/AirOpcode.opcodes:
1545         * b3/air/AirSpecial.cpp:
1546         (JSC::B3::Air::Special::name):
1547         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
1548         (JSC::B3::Air::Special::dump):
1549         * b3/air/AirSpecial.h:
1550         * b3/air/opcode_generator.rb:
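
The liveness rules in the entry above, run to fixpoint on a toy instruction list, as an added C++ example (not WebKit code). The `Arg`, `Inst` and `Kind` types, the sample instructions, and the treatment of a memory Arg's base Tmp as a use are all assumptions made for illustration.

```cpp
#include <cstddef>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Toy model of Air constructed for this example; these are not the real Air classes.
enum class Kind { Tmp, StackSlot, Memory };

struct Arg {
    Kind kind;
    int id; // Tmp/StackSlot: its number. Memory: number of the Tmp holding the base address.
};

struct Inst {
    std::string name;
    bool hasEffects;       // branching, returning, calling, ...
    std::vector<Arg> defs; // Args the instruction stores to
    std::vector<Arg> uses; // Args the instruction reads
};

typedef std::pair<Kind, int> Var; // a Tmp or a StackSlot

// Starts with everything dead and applies the rules until nothing changes,
// then returns only the instructions that were proven live.
std::vector<Inst> eliminateDeadCode(const std::vector<Inst>& code)
{
    std::set<Var> liveVars;
    std::vector<bool> liveInst(code.size(), false);
    bool changed = true;
    while (changed) {
        changed = false;
        for (size_t i = 0; i < code.size(); ++i) {
            if (liveInst[i])
                continue;
            const Inst& inst = code[i];
            bool live = inst.hasEffects;
            for (size_t d = 0; d < inst.defs.size() && !live; ++d) {
                const Arg& def = inst.defs[d];
                // An Arg that is neither a Tmp nor a StackSlot is always live.
                live = def.kind == Kind::Memory || liveVars.count(Var(def.kind, def.id)) > 0;
            }
            if (!live)
                continue;
            liveInst[i] = true;
            changed = true;
            // Whatever a live instruction reads becomes live, including the
            // base Tmp of a memory Arg it reads or writes through.
            for (size_t u = 0; u < inst.uses.size(); ++u) {
                const Arg& use = inst.uses[u];
                liveVars.insert(Var(use.kind == Kind::Memory ? Kind::Tmp : use.kind, use.id));
            }
            for (size_t d = 0; d < inst.defs.size(); ++d) {
                if (inst.defs[d].kind == Kind::Memory)
                    liveVars.insert(Var(Kind::Tmp, inst.defs[d].id));
            }
        }
    }
    std::vector<Inst> kept;
    for (size_t i = 0; i < code.size(); ++i) {
        if (liveInst[i])
            kept.push_back(code[i]);
    }
    return kept;
}

// Comma-separated names, so a result is easy to compare.
std::string names(const std::vector<Inst>& code)
{
    std::string out;
    for (size_t i = 0; i < code.size(); ++i)
        out += (i ? "," : "") + code[i].name;
    return out;
}

// Constructed sample: the live chain is only discovered backwards from the store.
std::vector<Inst> sampleCode()
{
    Arg t0 = { Kind::Tmp, 0 }, t1 = { Kind::Tmp, 1 }, t2 = { Kind::Tmp, 2 }, t3 = { Kind::Tmp, 3 };
    Arg slot0 = { Kind::StackSlot, 0 }, memAtT3 = { Kind::Memory, 3 };
    return std::vector<Inst>{
        Inst{ "const5", false, { t0 }, {} },         // tmp0 = 5
        Inst{ "add", false, { t1 }, { t0 } },        // tmp1 = f(tmp0)
        Inst{ "const7", false, { t2 }, {} },         // tmp2 = 7, feeds only the dead spill
        Inst{ "spill", false, { slot0 }, { t2 } },   // slot0 = tmp2, slot0 is never read
        Inst{ "addr", false, { t3 }, {} },           // tmp3 = an address
        Inst{ "store", false, { memAtT3 }, { t1 } }, // (tmp3) = tmp1
        Inst{ "ret", true, {}, {} },
    };
}

// Constructed sample: two instructions that only feed each other stay dead.
std::vector<Inst> deadCycle()
{
    Arg t0 = { Kind::Tmp, 0 }, t1 = { Kind::Tmp, 1 };
    return std::vector<Inst>{
        Inst{ "a", false, { t0 }, { t1 } },
        Inst{ "b", false, { t1 }, { t0 } },
        Inst{ "ret", true, {}, {} },
    };
}
```

Because every Tmp starts out dead, the mutually dependent pair in `deadCycle()` is removed, which a single pass keyed on "has any user" would not do.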
1551
1552 2015-10-31  Filip Pizlo  <fpizlo@apple.com>
1553
1554         Air needs a late register liveness phase that calls Special::reportUsedRegisters()
1555         https://bugs.webkit.org/show_bug.cgi?id=150511
1556
1557         Reviewed by Saam Barati.
1558
1559         This change adds such a phase. In the process of writing it, I was reminded about the
1560         glaring efficiency bugs in Air::Liveness and so I filed a bug and added FIXMEs.
1561
1562         * JavaScriptCore.xcodeproj/project.pbxproj:
1563         * b3/air/AirAllocateStack.cpp:
1564         (JSC::B3::Air::allocateStack):
1565         * b3/air/AirGenerate.cpp:
1566         (JSC::B3::Air::generate):
1567         * b3/air/AirReportUsedRegisters.cpp: Added.
1568         (JSC::B3::Air::reportUsedRegisters):
1569         * b3/air/AirReportUsedRegisters.h: Added.
1570
1571 2015-10-31  Brian Burg  <bburg@apple.com>
1572
1573         Builtins generator should put WebCore-only wrappers in the per-builtin header
1574         https://bugs.webkit.org/show_bug.cgi?id=150539
1575
1576         Reviewed by Youenn Fablet.
1577
1578         If generating for WebCore, put the XXXWrapper and related boilerplate
1579         in the per-builtin header instead of making a separate XXXWrapper.h.
1580
1581         Rebaseline the tests.
1582
1583         * CMakeLists.txt:
1584         * DerivedSources.make:
1585         * Scripts/builtins/builtins.py:
1586         * Scripts/builtins/builtins_generate_separate_header.py:
1587         (BuiltinsSeparateHeaderGenerator.generate_output):
1588         (generate_header_includes):
1589         * Scripts/builtins/builtins_generate_separate_wrapper.py: Deleted.
1590         * Scripts/builtins/builtins_templates.py: Be consistent with variables.
1591         * Scripts/generate-js-builtins.py:
1592         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1593         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1594         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1595         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1596
1597 2015-10-31  Saam barati  <sbarati@apple.com>
1598
1599         JSC should have a forceGCSlowPaths option
1600         https://bugs.webkit.org/show_bug.cgi?id=150744
1601
1602         Reviewed by Filip Pizlo.
1603
1604         This patch implements the forceGCSlowPaths option.
1605         It defaults to false, but when it is set to true,
1606         the JITs will always allocate objects along the slow
1607         path. This will be helpful for writing a certain class
1608         of tests. This may also come in handy for debugging
1609         later.
1610
1611         This patch also adds the "forceGCSlowPaths" function
1612         in jsc.cpp which sets the option to true. If you
1613         use this function in a jsc stress test, it's best
1614         to call it as the first thing in the program before
1615         we JIT anything.
1616
1617         * dfg/DFGSpeculativeJIT.h:
1618         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1619         * ftl/FTLLowerDFGToLLVM.cpp:
1620         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
1621         * jit/JITInlines.h:
1622         (JSC::JIT::emitAllocateJSObject):
1623         * jsc.cpp:
1624         (GlobalObject::finishCreation):
1625         (functionEdenGC):
1626         (functionForceGCSlowPaths):
1627         (functionHeapSize):
1628         * runtime/Options.h:
1629
1630 2015-10-30  Joseph Pecoraro  <pecoraro@apple.com>
1631
1632         Web Inspector: Test Debugger.scriptParsed events received after opening inspector frontend
1633         https://bugs.webkit.org/show_bug.cgi?id=150753
1634
1635         Reviewed by Timothy Hatcher.
1636
1637         * parser/Parser.h:
1638         (JSC::Parser<LexerType>::parse):
1639         Only set the directives on the SourceProvider if we were parsing the
1640         entire file (Program or Module), not if we are in function parsing mode.
1641         This was inadvertently clearing the directives stored on the
1642         SourceProvider when the function parse didn't see directives and reset
1643         the values on the source provider.
1644
1645 2015-10-30  Benjamin Poulain  <bpoulain@apple.com>
1646
1647         [JSC] Add lowering for B3's Sub operation with integers
1648         https://bugs.webkit.org/show_bug.cgi?id=150749
1649
1650         Reviewed by Filip Pizlo.
1651
1652         * b3/B3LowerToAir.cpp:
1653         (JSC::B3::Air::LowerToAir::trySub):
1654         (JSC::B3::Air::LowerToAir::tryStoreSubLoad):
1655         * b3/B3LoweringMatcher.patterns:
1656         Identical to Add but obviously NotCommutative.
1657
1658         * b3/B3ReduceStrength.cpp:
1659         Turn Add/Sub with zero into an identity. I only added for
1660         Add since Sub with a constant is always turned into an Add.
1661
1662         Also switched the Sub optimizations to put the strongest first.
1663
1664         * b3/air/AirOpcode.opcodes:
1665         * b3/testb3.cpp:
1666         (JSC::B3::testAddArgImm):
1667         (JSC::B3::testAddImmArg):
1668         (JSC::B3::testSubArgs):
1669         (JSC::B3::testSubArgImm):
1670         (JSC::B3::testSubImmArg):
1671         (JSC::B3::testSubArgs32):
1672         (JSC::B3::testSubArgImm32):
1673         (JSC::B3::testSubImmArg32):
1674         (JSC::B3::testStoreSubLoad):
1675         (JSC::B3::run):
1676
1677 2015-10-30  Benjamin Poulain  <bpoulain@apple.com>
1678
1679         [JSC] Add the Air Opcode definitions to the Xcode project file
1680         https://bugs.webkit.org/show_bug.cgi?id=150701
1681
1682         Reviewed by Geoffrey Garen.
1683
1684         * JavaScriptCore.xcodeproj/project.pbxproj:
1685         Easier for those who use Xcode :)
1686
1687 2015-10-30  Filip Pizlo  <fpizlo@apple.com>
1688
1689         Unreviewed, removing FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150540.
1690
1691         * b3/B3ValueRep.h:
1692
1693 2015-10-30  Michael Saboff  <msaboff@apple.com>
1694
1695         Windows X86-64 change for Crash making a tail call from a getter to a host function
1696         https://bugs.webkit.org/show_bug.cgi?id=150737
1697
1698         Reviewed by Geoffrey Garen.
1699
1700         Need to make the same change for Windows X86-64 as was made in change set
1701         http://trac.webkit.org/changeset/191765.
1702
1703         * jit/JITStubsMSVC64.asm:
1704
1705 2015-10-30  Keith Miller  <keith_miller@apple.com>
1706
1707         Unreviewed, forgot to mark tests as passing for new feature.
1708
1709         * tests/es6.yaml:
1710
1711 2015-10-30  Filip Pizlo  <fpizlo@apple.com>
1712
1713         B3 should be able to compile a control flow diamond
1714         https://bugs.webkit.org/show_bug.cgi?id=150720
1715
1716         Reviewed by Benjamin Poulain.
1717
1718         Adds support for Branch, Jump, Upsilon, and Phi. Adds some basic strength reduction for
1719         comparisons and boolean-like operations.
1720
1721         * assembler/MacroAssembler.cpp:
1722         (WTF::printInternal):
1723         * assembler/MacroAssembler.h:
1724         * b3/B3BasicBlockUtils.h:
1725         (JSC::B3::replacePredecessor):
1726         (JSC::B3::resetReachability):
1727         * b3/B3CheckValue.h:
1728         * b3/B3Common.h:
1729         (JSC::B3::isRepresentableAsImpl):
1730         (JSC::B3::isRepresentableAs):
1731         * b3/B3Const32Value.cpp:
1732         (JSC::B3::Const32Value::subConstant):
1733         (JSC::B3::Const32Value::equalConstant):
1734         (JSC::B3::Const32Value::notEqualConstant):
1735         (JSC::B3::Const32Value::dumpMeta):
1736         * b3/B3Const32Value.h:
1737         * b3/B3Const64Value.cpp:
1738         (JSC::B3::Const64Value::subConstant):
1739         (JSC::B3::Const64Value::equalConstant):
1740         (JSC::B3::Const64Value::notEqualConstant):
1741         (JSC::B3::Const64Value::dumpMeta):
1742         * b3/B3Const64Value.h:
1743         * b3/B3ConstDoubleValue.cpp:
1744         (JSC::B3::ConstDoubleValue::subConstant):
1745         (JSC::B3::ConstDoubleValue::equalConstant):
1746         (JSC::B3::ConstDoubleValue::notEqualConstant):
1747         (JSC::B3::ConstDoubleValue::dumpMeta):
1748         * b3/B3ConstDoubleValue.h:
1749         * b3/B3ControlValue.cpp:
1750         (JSC::B3::ControlValue::~ControlValue):
1751         (JSC::B3::ControlValue::convertToJump):
1752         (JSC::B3::ControlValue::dumpMeta):
1753         * b3/B3ControlValue.h:
1754         * b3/B3LowerToAir.cpp:
1755         (JSC::B3::Air::LowerToAir::imm):
1756         (JSC::B3::Air::LowerToAir::tryStackSlot):
1757         (JSC::B3::Air::LowerToAir::tryUpsilon):
1758         (JSC::B3::Air::LowerToAir::tryPhi):
1759         (JSC::B3::Air::LowerToAir::tryBranch):
1760         (JSC::B3::Air::LowerToAir::tryJump):
1761         (JSC::B3::Air::LowerToAir::tryIdentity):
1762         * b3/B3LoweringMatcher.patterns:
1763         * b3/B3Opcode.h:
1764         * b3/B3Procedure.cpp:
1765         (JSC::B3::Procedure::resetReachability):
1766         (JSC::B3::Procedure::dump):
1767         * b3/B3ReduceStrength.cpp:
1768         * b3/B3UpsilonValue.cpp:
1769         (JSC::B3::UpsilonValue::dumpMeta):
1770         * b3/B3UpsilonValue.h:
1771         (JSC::B3::UpsilonValue::accepts): Deleted.
1772         (JSC::B3::UpsilonValue::phi): Deleted.
1773         (JSC::B3::UpsilonValue::UpsilonValue): Deleted.
1774         * b3/B3Validate.cpp:
1775         * b3/B3Value.cpp:
1776         (JSC::B3::Value::subConstant):
1777         (JSC::B3::Value::equalConstant):
1778         (JSC::B3::Value::notEqualConstant):
1779         (JSC::B3::Value::returnsBool):
1780         (JSC::B3::Value::asTriState):
1781         (JSC::B3::Value::effects):
1782         * b3/B3Value.h:
1783         * b3/B3ValueInlines.h:
1784         (JSC::B3::Value::asInt32):
1785         (JSC::B3::Value::isInt32):
1786         (JSC::B3::Value::hasInt64):
1787         (JSC::B3::Value::asInt64):
1788         (JSC::B3::Value::isInt64):
1789         (JSC::B3::Value::hasInt):
1790         (JSC::B3::Value::asIntPtr):
1791         (JSC::B3::Value::isIntPtr):
1792         (JSC::B3::Value::hasDouble):
1793         (JSC::B3::Value::asDouble):
1794         (JSC::B3::Value::isEqualToDouble):
1795         (JSC::B3::Value::hasNumber):
1796         (JSC::B3::Value::representableAs):
1797         (JSC::B3::Value::asNumber):
1798         (JSC::B3::Value::stackmap):
1799         * b3/air/AirArg.cpp:
1800         (JSC::B3::Air::Arg::dump):
1801         * b3/air/AirArg.h:
1802         (JSC::B3::Air::Arg::resCond):
1803         (JSC::B3::Air::Arg::doubleCond):
1804         (JSC::B3::Air::Arg::special):
1805         (JSC::B3::Air::Arg::isResCond):
1806         (JSC::B3::Air::Arg::isDoubleCond):
1807         (JSC::B3::Air::Arg::isSpecial):
1808         (JSC::B3::Air::Arg::isGP):
1809         (JSC::B3::Air::Arg::isFP):
1810         (JSC::B3::Air::Arg::asResultCondition):
1811         (JSC::B3::Air::Arg::asDoubleCondition):
1812         (JSC::B3::Air::Arg::Arg):
1813         * b3/air/AirCode.cpp:
1814         (JSC::B3::Air::Code::resetReachability):
1815         (JSC::B3::Air::Code::dump):
1816         * b3/air/AirOpcode.opcodes:
1817         * b3/air/opcode_generator.rb:
1818         * b3/testb3.cpp:
1819         (hiddenTruthBecauseNoReturnIsStupid):
1820         (usage):
1821         (JSC::B3::compile):
1822         (JSC::B3::invoke):
1823         (JSC::B3::compileAndRun):
1824         (JSC::B3::test42):
1825         (JSC::B3::testStoreLoadStackSlot):
1826         (JSC::B3::testBranch):
1827         (JSC::B3::testDiamond):
1828         (JSC::B3::testBranchNotEqual):
1829         (JSC::B3::testBranchFold):
1830         (JSC::B3::testDiamondFold):
1831         (JSC::B3::run):
1832         (run):
1833         (main):
1834
1835 2015-10-30  Keith Miller  <keith_miller@apple.com>
1836
1837         [ES6] Add support for toStringTag
1838         https://bugs.webkit.org/show_bug.cgi?id=150696
1839
1840         Reviewed by Geoffrey Garen.
1841
1842         This patch adds support for Symbol.toStringTag. This is a simple
1843         feature: if an object passed to Object.prototype.toString() has a
1844         toStringTag we use the tag in the string rather than the class info.
1845         Added a test that checks this works for all the default supported classes
1846         along with the corresponding prototype and custom cases.
1847
1848         * runtime/ArrayIteratorPrototype.cpp:
1849         (JSC::ArrayIteratorPrototype::finishCreation):
1850         * runtime/CommonIdentifiers.h:
1851         * runtime/JSArrayBufferPrototype.cpp:
1852         (JSC::JSArrayBufferPrototype::finishCreation):
1853         * runtime/JSDataViewPrototype.cpp:
1854         (JSC::JSDataViewPrototype::finishCreation):
1855         * runtime/JSDataViewPrototype.h:
1856         * runtime/JSModuleNamespaceObject.cpp:
1857         (JSC::JSModuleNamespaceObject::finishCreation):
1858         * runtime/JSONObject.cpp:
1859         (JSC::JSONObject::finishCreation):
1860         * runtime/JSPromisePrototype.cpp:
1861         (JSC::JSPromisePrototype::finishCreation):
1862         * runtime/JSTypedArrayViewPrototype.cpp:
1863         (JSC::typedArrayViewProtoGetterFuncToStringTag):
1864         (JSC::JSTypedArrayViewPrototype::finishCreation):
1865         * runtime/MapIteratorPrototype.cpp:
1866         (JSC::MapIteratorPrototype::finishCreation):
1867         * runtime/MapPrototype.cpp:
1868         (JSC::MapPrototype::finishCreation):
1869         * runtime/MathObject.cpp:
1870         (JSC::MathObject::finishCreation):
1871         * runtime/ObjectPrototype.cpp:
1872         (JSC::objectProtoFuncToString):
1873         * runtime/SetIteratorPrototype.cpp:
1874         (JSC::SetIteratorPrototype::finishCreation):
1875         * runtime/SetPrototype.cpp:
1876         (JSC::SetPrototype::finishCreation):
1877         * runtime/SmallStrings.cpp:
1878         (JSC::SmallStrings::SmallStrings):
1879         (JSC::SmallStrings::initializeCommonStrings):
1880         (JSC::SmallStrings::visitStrongReferences):
1881         * runtime/SmallStrings.h:
1882         (JSC::SmallStrings::objectStringStart):
1883         * runtime/StringIteratorPrototype.cpp:
1884         (JSC::StringIteratorPrototype::finishCreation):
1885         * runtime/SymbolPrototype.cpp:
1886         (JSC::SymbolPrototype::finishCreation):
1887         * runtime/WeakMapPrototype.cpp:
1888         (JSC::WeakMapPrototype::finishCreation):
1889         * runtime/WeakSetPrototype.cpp:
1890         (JSC::WeakSetPrototype::finishCreation):
1891         * tests/modules/namespace.js:
1892         * tests/stress/symbol-tostringtag.js: Added.
1893         (toStr):
1894         (strName):
1895         (classes.string_appeared_here):
1896
1897 2015-10-29  Joseph Pecoraro  <pecoraro@apple.com>
1898
1899         Web Inspector: Do not show JavaScriptCore builtins in inspector
1900         https://bugs.webkit.org/show_bug.cgi?id=146049
1901
1902         Reviewed by Geoffrey Garen.
1903
1904         * debugger/Debugger.cpp:
1905         When gathering scripts to notify the inspector / debuggers about,
1906         skip over sources containing host / built-in functions, as those
1907         won't contain source code developers expect to see.
1908
1909 2015-10-29  Joseph Pecoraro  <pecoraro@apple.com>
1910
1911         Fix typo in "use strict" in TypedArray builtins
1912         https://bugs.webkit.org/show_bug.cgi?id=150709
1913
1914         Reviewed by Geoffrey Garen.
1915
1916         * builtins/TypedArray.prototype.js:
1917         (toLocaleString):
1918
1919 2015-10-29  Philippe Normand  <pnormand@igalia.com>
1920
1921         [GTK][Mac] disable OBJC JSC API
1922         https://bugs.webkit.org/show_bug.cgi?id=150500
1923
1924         Reviewed by Alex Christensen.
1925
1926         * API/JSBase.h: Disable the Objective-C API on Mac for the GTK port.
1927
1928 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
1929
1930         Air::handleCalleeSaves shouldn't save/restore the frame pointer
1931         https://bugs.webkit.org/show_bug.cgi?id=150688
1932
1933         Reviewed by Michael Saboff.
1934
1935         We save/restore the FP inside Air::generate().
1936
1937         * b3/air/AirHandleCalleeSaves.cpp:
1938         (JSC::B3::Air::handleCalleeSaves):
1939
1940 2015-10-29  Michael Saboff  <msaboff@apple.com>
1941
1942         Crash making a tail call from a getter to a host function
1943         https://bugs.webkit.org/show_bug.cgi?id=150663
1944
1945         Reviewed by Geoffrey Garen.
1946
1947         Change the inline assembly versions of getHostCallReturnValue() to pass the location of the callee
1948         call frame to getHostCallReturnValueWithExecState().  We were passing the caller's frame address.
1949
1950         * jit/JITOperations.cpp:
1951
1952 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
1953
1954         B3::LowerToAir::imm() should work for both 32-bit and 64-bit immediates
1955         https://bugs.webkit.org/show_bug.cgi?id=150685
1956
1957         Reviewed by Geoffrey Garen.
1958
1959         In B3, a constant must match the type of its use. In Air, immediates don't have type, they
1960         only have representation. A 32-bit immediate (i.e. Arg::imm) can be used either for 32-bit
1961         operations or for 64-bit operations. The only difference from an Arg::imm64 is that it
1962         requires fewer bits.
1963
1964         In the B3->Air lowering, we have a lot of code that is effectively polymorphic over integer
1965         type. That code should still be able to use Arg::imm, and it should work even for 64-bit
1966         immediates - so long as they are representable as 32-bit immediates. Therefore, the imm()
1967         helper should happily accept either Const32Value or Const64Value.
1968
1969         We already sort of had this with immAnyType(), but it just turns out that anyone using
1970         immAnyType() should really be using imm().
1971
1972         * b3/B3LowerToAir.cpp:
1973         (JSC::B3::Air::LowerToAir::imm):
1974         (JSC::B3::Air::LowerToAir::tryStore):
1975         (JSC::B3::Air::LowerToAir::tryConst64):
1976         (JSC::B3::Air::LowerToAir::immAnyInt): Deleted.
1977         * b3/testb3.cpp:
1978         (JSC::B3::testAdd1):
1979         (JSC::B3::testAdd1Ptr):
1980         (JSC::B3::testStoreAddLoad):
1981         (JSC::B3::run):
1982
1983 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
1984
1985         StoreOpLoad pattern matching should check effects between the Store and Load
1986         https://bugs.webkit.org/show_bug.cgi?id=150534
1987
1988         Reviewed by Geoffrey Garen.
1989
1990         If we turn:
1991
1992             a = Load(addr)
1993             b = Add(a, 42)
1994             Store(b, addr)
1995
1996         Into:
1997
1998             Add $42, (addr)
1999
2000         Then we must make sure that we didn't really have this to begin with:
2001
2002             a = Load(addr)
2003             Store(666, addr)
2004             b = Add(a, 42)
2005             Store(b, addr)
2006
2007         That's because pattern matching doesn't care about control flow, and it finds the Load
2008         just using data flow. This patch fleshes out B3's aliasing analysis, and makes it powerful
2009         enough to broadly ask questions about whether such a code motion of the Load is legal.
2010
2011         * b3/B3Effects.cpp:
2012         (JSC::B3::Effects::interferes):
2013         (JSC::B3::Effects::dump):
2014         * b3/B3Effects.h:
2015         (JSC::B3::Effects::mustExecute):
2016         * b3/B3LowerToAir.cpp:
2017         (JSC::B3::Air::LowerToAir::run):
2018         (JSC::B3::Air::LowerToAir::commitInternal):
2019         (JSC::B3::Air::LowerToAir::crossesInterference):
2020         (JSC::B3::Air::LowerToAir::effectiveAddr):
2021         (JSC::B3::Air::LowerToAir::loadAddr):
2022         * b3/B3Procedure.cpp:
2023         (JSC::B3::Procedure::addBlock):
2024         (JSC::B3::Procedure::resetValueOwners):
2025         (JSC::B3::Procedure::resetReachability):
2026         * b3/B3Procedure.h:
2027         * b3/B3Value.cpp:
2028         (JSC::B3::Value::effects):
2029         * b3/B3Value.h:
2030         * b3/testb3.cpp:
2031         (JSC::B3::testStoreAddLoad):
2032         (JSC::B3::testStoreAddLoadInterference):
2033         (JSC::B3::testStoreAddAndLoad):
2034         (JSC::B3::testLoadOffsetUsingAdd):
2035         (JSC::B3::testLoadOffsetUsingAddInterference):
2036         (JSC::B3::testLoadOffsetUsingAddNotConstant):
2037         (JSC::B3::run):
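
The hazard this entry describes, as an added C++ example on a toy IR (not B3 code): the same data-flow match is lowered with and without an interference check, and the results are compared against straight execution. The `Value` layout, the abstract address ids (only equal ids are assumed to alias) and all function names are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

// Toy single-block IR constructed for this example; these are not B3's classes.
enum class Op { Const, Load, Add, Store };

struct Value {
    Op op;
    int a;       // Add: left operand index; Store: index of the value being stored
    int b;       // Add: right operand index
    int addr;    // Load/Store: abstract address id (assumption: only equal ids alias)
    int64_t imm; // Const: the constant
};

typedef std::vector<Value> Block;
typedef std::map<int, int64_t> Memory;

Value makeConst(int64_t imm) { return Value{ Op::Const, -1, -1, -1, imm }; }
Value makeLoad(int addr) { return Value{ Op::Load, -1, -1, addr, 0 }; }
Value makeAdd(int a, int b) { return Value{ Op::Add, a, b, -1, 0 }; }
Value makeStore(int value, int addr) { return Value{ Op::Store, value, -1, addr, 0 }; }

// Data-flow-only match of Store(Add(Load(addr), Const), addr): it follows operand
// edges and never looks at what executes between the Load and the Store.
bool matchStoreAddLoad(const Block& block, int storeIndex, int& loadIndex, int64_t& imm)
{
    const Value& st = block[storeIndex];
    if (st.op != Op::Store)
        return false;
    const Value& sum = block[st.a];
    if (sum.op != Op::Add)
        return false;
    const Value& lhs = block[sum.a];
    const Value& rhs = block[sum.b];
    if (lhs.op != Op::Load || rhs.op != Op::Const || lhs.addr != st.addr)
        return false;
    loadIndex = sum.a;
    imm = rhs.imm;
    return true;
}

// True if a value between the Load and the Store may write the loaded location.
// Fusing moves the Load down to the Store, so any such write makes it illegal.
bool crossesInterference(const Block& block, int loadIndex, int storeIndex)
{
    for (int i = loadIndex + 1; i < storeIndex; ++i) {
        if (block[i].op == Op::Store && block[i].addr == block[loadIndex].addr)
            return true;
    }
    return false;
}

// Executes the block. When fusedStore >= 0, that Store runs as the single
// read-modify-write "Add $imm, (addr)" instead of storing the Add's result.
Memory execute(const Block& block, Memory mem, int fusedStore, int64_t imm)
{
    std::vector<int64_t> result(block.size(), 0);
    for (size_t i = 0; i < block.size(); ++i) {
        const Value& v = block[i];
        switch (v.op) {
        case Op::Const: result[i] = v.imm; break;
        case Op::Load:  result[i] = mem[v.addr]; break;
        case Op::Add:   result[i] = result[v.a] + result[v.b]; break;
        case Op::Store:
            mem[v.addr] = (static_cast<int>(i) == fusedStore) ? mem[v.addr] + imm : result[v.a];
            break;
        }
    }
    return mem;
}

// Final contents of address 0, starting from 1, with no fusion at all.
int64_t runReference(const Block& block)
{
    Memory initial = { { 0, 1 } };
    return execute(block, initial, -1, 0)[0];
}

// Same, but the block's last Store is fused when the pattern matches and,
// if checkInterference is set, nothing interferes between Load and Store.
int64_t runLowered(const Block& block, bool checkInterference)
{
    int storeIndex = static_cast<int>(block.size()) - 1;
    int loadIndex = -1;
    int64_t imm = 0;
    Memory initial = { { 0, 1 } };
    bool fuse = matchStoreAddLoad(block, storeIndex, loadIndex, imm)
        && !(checkInterference && crossesInterference(block, loadIndex, storeIndex));
    return execute(block, initial, fuse ? storeIndex : -1, imm)[0];
}

// a = Load(addr); b = Add(a, 42); Store(b, addr)
Block plainBlock()
{
    return Block{ makeLoad(0), makeConst(42), makeAdd(0, 1), makeStore(2, 0) };
}

// a = Load(addr); Store(666, addr); b = Add(a, 42); Store(b, addr)
Block interferingBlock()
{
    return Block{ makeLoad(0), makeConst(666), makeStore(1, 0),
                  makeConst(42), makeAdd(0, 3), makeStore(4, 0) };
}
```

With address 0 initially holding 1, the interfering block must end at 43; fusing it without the check yields 708 because the read moves past `Store(666, addr)`.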
2038
2039 2015-10-29  Brady Eidson  <beidson@apple.com>
2040
2041         Modern IDB: deleteObjectStore support.
2042         https://bugs.webkit.org/show_bug.cgi?id=150673
2043
2044         Reviewed by Alex Christensen.
2045
2046         * runtime/VM.h:
2047
2048 2015-10-29  Mark Lam  <mark.lam@apple.com>
2049
2050         cdjs-tests.yaml/main.js.ftl fails due to FTL ArithSub code for supporting UntypedUse operands.
2051         https://bugs.webkit.org/show_bug.cgi?id=150687
2052
2053         Unreviewed.
2054
2055         Disabling the feature while it is being debugged.  I'm doing this by effectively
2056         rolling out only the changes in FTLCapabilities.cpp.
2057
2058         * ftl/FTLCapabilities.cpp:
2059         (JSC::FTL::canCompile):
2060
2061 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2062
2063         Unreviewed, fix iOS build.
2064
2065         * assembler/MacroAssemblerARM64.h:
2066         (JSC::MacroAssemblerARM64::store64):
2067
2068 2015-10-29  Alex Christensen  <achristensen@webkit.org>
2069
2070         Fix Mac CMake build
2071         https://bugs.webkit.org/show_bug.cgi?id=150686
2072
2073         Reviewed by Filip Pizlo.
2074
2075         * API/ObjCCallbackFunction.mm:
2076         * CMakeLists.txt:
2077         * PlatformMac.cmake:
2078
2079 2015-10-29  Filip Pizlo  <fpizlo@apple.com>
2080
2081         Air needs syntax for escaping StackSlots
2082         https://bugs.webkit.org/show_bug.cgi?id=150430
2083
2084         Reviewed by Geoffrey Garen.
2085
2086         This adds lowering for FramePointer and StackSlot, and to enable this, it adds the Lea
2087         instruction for getting the value of an address. This is necessary to support arbitrary
2088         lowerings of StackSlot, since the only way to get the "value" of a StackSlot in Air is with
2089         this new instruction.
2090
2091         Lea uses a new Role, called UseAddr. This describes exactly what the Intel-style LEA opcode
2092         would do: it evaluates an address, but does not load from it or store to it.
2093
2094         Lea is also the only way to escape a StackSlot. Well, more accurately, UseAddr is the only
2095         way to escape and UseAddr is only used by Lea. The stack allocation phase now understands
2096         that StackSlots may escape, and factors this into its analysis.
2097
2098         * assembler/MacroAssembler.h:
2099         (JSC::MacroAssembler::lea):
2100         * b3/B3AddressMatcher.patterns:
2101         * b3/B3LowerToAir.cpp:
2102         (JSC::B3::Air::LowerToAir::run):
2103         (JSC::B3::Air::LowerToAir::addr):
2104         (JSC::B3::Air::LowerToAir::loadAddr):
2105         (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd):
2106         (JSC::B3::Air::LowerToAir::AddressSelector::tryFramePointer):
2107         (JSC::B3::Air::LowerToAir::AddressSelector::tryStackSlot):
2108         (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect):
2109         (JSC::B3::Air::LowerToAir::tryConst64):
2110         (JSC::B3::Air::LowerToAir::tryFramePointer):
2111         (JSC::B3::Air::LowerToAir::tryStackSlot):
2112         (JSC::B3::Air::LowerToAir::tryIdentity):
2113         * b3/B3LoweringMatcher.patterns:
2114         * b3/B3MemoryValue.cpp:
2115         (JSC::B3::MemoryValue::~MemoryValue):
2116         (JSC::B3::MemoryValue::accessByteSize):
2117         (JSC::B3::MemoryValue::dumpMeta):
2118         * b3/B3MemoryValue.h:
2119         * b3/B3ReduceStrength.cpp:
2120         * b3/B3StackSlotValue.h:
2121         (JSC::B3::StackSlotValue::accepts): Deleted.
2122         * b3/B3Type.h:
2123         (JSC::B3::pointerType):
2124         (JSC::B3::sizeofType):
2125         * b3/B3Validate.cpp:
2126         * b3/B3Value.h:
2127         * b3/air/AirAllocateStack.cpp:
2128         (JSC::B3::Air::allocateStack):
2129         * b3/air/AirArg.h:
2130         (JSC::B3::Air::Arg::isUse):
2131         (JSC::B3::Air::Arg::isDef):
2132         (JSC::B3::Air::Arg::forEachTmp):
2133         * b3/air/AirCode.cpp:
2134         (JSC::B3::Air::Code::addStackSlot):
2135         (JSC::B3::Air::Code::addSpecial):
2136         * b3/air/AirCode.h:
2137         * b3/air/AirOpcode.opcodes:
2138         * b3/air/AirSpillEverything.cpp:
2139         (JSC::B3::Air::spillEverything):
2140         * b3/air/AirStackSlot.h:
2141         (JSC::B3::Air::StackSlot::byteSize):
2142         (JSC::B3::Air::StackSlot::kind):
2143         (JSC::B3::Air::StackSlot::isLocked):
2144         (JSC::B3::Air::StackSlot::index):
2145         (JSC::B3::Air::StackSlot::alignment):
2146         * b3/air/opcode_generator.rb:
2147         * b3/testb3.cpp:
2148         (JSC::B3::testLoadOffsetUsingAddNotConstant):
2149         (JSC::B3::testFramePointer):
2150         (JSC::B3::testStackSlot):
2151         (JSC::B3::testLoadFromFramePointer):
2152         (JSC::B3::testStoreLoadStackSlot):
2153         (JSC::B3::run):
2154
2155 2015-10-29  Saam barati  <sbarati@apple.com>
2156
2157         we're incorrectly adjusting a stack location with respect to the localsOffset in FTLCompile
2158         https://bugs.webkit.org/show_bug.cgi?id=150655
2159
2160         Reviewed by Filip Pizlo.
2161
2162         We're recomputing this value for an *OSRExitDescriptor* for every one
2163         of its corresponding *OSRExits*. This is having a multiplicative
2164         effect on offsets because each computation is relative to the previous
2165         value. We must do this computation just once per OSRExitDescriptor.
2166
2167         * ftl/FTLCompile.cpp:
2168         (JSC::FTL::mmAllocateDataSection):
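
Added example (not code from WebKit or from the change above): a minimal C++ model of the defect this entry describes, where an in-place offset adjustment runs once per exit on a descriptor that several exits share, next to the once-per-descriptor form. The types, function names and sample offsets are hypothetical and constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical, simplified model (not JavaScriptCore's types): a descriptor
// records where each value lives at exit time; several exits share one descriptor.
enum class Kind { Constant, InStack };

struct RecoveredValue {
    Kind kind;
    int32_t payload; // constant value, or stack offset before rebasing
};

struct ExitDescriptor {
    std::vector<RecoveredValue> values;
};

struct Exit {
    size_t descriptorIndex; // many exits may point at the same descriptor
};

// Rebase every stack-located value of one descriptor by localsOffset, in place.
static void rebase(ExitDescriptor& descriptor, int32_t localsOffset)
{
    for (RecoveredValue& value : descriptor.values) {
        if (value.kind == Kind::InStack)
            value.payload += localsOffset;
    }
}

// Flawed pattern: the walk is over exits, so a descriptor shared by N exits is
// rebased N times, and each pass starts from the result of the previous one.
void rebasePerExit(std::vector<ExitDescriptor>& descriptors, const std::vector<Exit>& exits, int32_t localsOffset)
{
    for (const Exit& exit : exits)
        rebase(descriptors[exit.descriptorIndex], localsOffset);
}

// Corrected pattern: the walk is over descriptors, so each one is rebased
// exactly once no matter how many exits reference it.
void rebasePerDescriptor(std::vector<ExitDescriptor>& descriptors, int32_t localsOffset)
{
    for (ExitDescriptor& descriptor : descriptors)
        rebase(descriptor, localsOffset);
}

// Constructed sample: descriptor 0 is shared by three exits, descriptor 1 by one.
static std::vector<ExitDescriptor> sampleDescriptors()
{
    std::vector<ExitDescriptor> descriptors(2);
    descriptors[0].values.push_back(RecoveredValue{ Kind::InStack, 16 });
    descriptors[0].values.push_back(RecoveredValue{ Kind::Constant, 7 });
    descriptors[1].values.push_back(RecoveredValue{ Kind::InStack, 24 });
    return descriptors;
}

static std::vector<Exit> sampleExits()
{
    std::vector<Exit> exits;
    exits.push_back(Exit{ 0 });
    exits.push_back(Exit{ 0 });
    exits.push_back(Exit{ 0 });
    exits.push_back(Exit{ 1 });
    return exits;
}

// Payload of one recovered value after the flawed walk.
int32_t offsetAfterPerExit(size_t descriptor, size_t value, int32_t localsOffset)
{
    std::vector<ExitDescriptor> descriptors = sampleDescriptors();
    rebasePerExit(descriptors, sampleExits(), localsOffset);
    return descriptors[descriptor].values[value].payload;
}

// Payload of the same recovered value after the corrected walk.
int32_t offsetAfterPerDescriptor(size_t descriptor, size_t value, int32_t localsOffset)
{
    std::vector<ExitDescriptor> descriptors = sampleDescriptors();
    rebasePerDescriptor(descriptors, localsOffset);
    return descriptors[descriptor].values[value].payload;
}

int main()
{
    std::printf("shared descriptor, per exit:       %d\n", static_cast<int>(offsetAfterPerExit(0, 0, -40)));
    std::printf("shared descriptor, per descriptor: %d\n", static_cast<int>(offsetAfterPerDescriptor(0, 0, -40)));
    return 0;
}
```

A descriptor referenced by a single exit gets the same offset from both walks, so a test that covers only unshared descriptors would not catch the flawed form.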
2169
2170 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2171
2172         Air::spillEverything() should try to replace tmps with spill slots without using registers whenever possible
2173         https://bugs.webkit.org/show_bug.cgi?id=150657
2174
2175         Reviewed by Geoffrey Garen.
2176
2177         Also added the ability to store an immediate to memory.
2178
2179         * assembler/MacroAssembler.h:
2180         (JSC::MacroAssembler::storePtr):
2181         * assembler/MacroAssemblerARM64.h:
2182         (JSC::MacroAssemblerARM64::store64):
2183         * assembler/MacroAssemblerX86_64.h:
2184         (JSC::MacroAssemblerX86_64::store64):
2185         * b3/B3LowerToAir.cpp:
2186         (JSC::B3::Air::LowerToAir::imm):
2187         (JSC::B3::Air::LowerToAir::immAnyInt):
2188         (JSC::B3::Air::LowerToAir::immOrTmp):
2189         (JSC::B3::Air::LowerToAir::tryStore):
2190         * b3/air/AirOpcode.opcodes:
2191         * b3/air/AirSpillEverything.cpp:
2192         (JSC::B3::Air::spillEverything):
2193         * b3/testb3.cpp:
2194         (JSC::B3::testStore):
2195         (JSC::B3::testStoreConstant):
2196         (JSC::B3::testStoreConstantPtr):
2197         (JSC::B3::testTrunc):
2198         (JSC::B3::run):
2199
2200 2015-10-28  Joseph Pecoraro  <pecoraro@apple.com>
2201
2202         Web Inspector: Rename InspectorResourceAgent to InspectorNetworkAgent
2203         https://bugs.webkit.org/show_bug.cgi?id=150654
2204
2205         Reviewed by Geoffrey Garen.
2206
2207         * inspector/scripts/codegen/generator.py:
2208
2209 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2210
2211         B3::reduceStrength() should do DCE
2212         https://bugs.webkit.org/show_bug.cgi?id=150656
2213
2214         Reviewed by Saam Barati.
2215
2216         * b3/B3BasicBlock.cpp:
2217         (JSC::B3::BasicBlock::removeNops): This now deletes the values from the procedure, to preserve the invariant that valuesInProc == valuesInBlocks.
2218         * b3/B3BasicBlock.h:
2219         * b3/B3Procedure.cpp:
2220         (JSC::B3::Procedure::deleteValue): Add a utility used by removeNops().
2221         (JSC::B3::Procedure::addValueIndex): Make sure that we reuse Value indices so that m_values doesn't get too sparse.
2222         * b3/B3Procedure.h:
2223         (JSC::B3::Procedure::ValuesCollection::iterator::iterator): Teach this that m_values can be slightly sparse.
2224         (JSC::B3::Procedure::ValuesCollection::iterator::operator++):
2225         (JSC::B3::Procedure::ValuesCollection::iterator::operator!=):
2226         (JSC::B3::Procedure::ValuesCollection::iterator::findNext):
2227         (JSC::B3::Procedure::values):
2228         * b3/B3ProcedureInlines.h:
2229         (JSC::B3::Procedure::add): Use addValueIndex() instead of always creating a new index.
2230         * b3/B3ReduceStrength.cpp: Implement the optimization using UseCounts and Effects.
2231
2232 2015-10-28  Joseph Pecoraro  <pecoraro@apple.com>
2233
2234         Web Inspector: Remove unused / duplicate WebSocket timeline records
2235         https://bugs.webkit.org/show_bug.cgi?id=150647
2236
2237         Reviewed by Timothy Hatcher.
2238
2239         * inspector/protocol/Timeline.json:
2240
2241 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2242
2243         B3::LowerToAir should not duplicate Loads
2244         https://bugs.webkit.org/show_bug.cgi?id=150651
2245
2246         Reviewed by Benjamin Poulain.
2247
2248         The instruction selector may decide to fuse two Values into one. This ordinarily only happens
2249         if we haven't already emitted code that uses the Value and the Value has only one direct
2250         user. Once we have emitted such code, we ensure that everyone knows that we have "locked" the
2251         Value: we won't emit any more code for it in the future.
2252
2253         The optimization to fuse Loads was forgetting to do all of these things, and so generated
2254         code would have a lot of duplicated Loads. That's bad and this change fixes that.
2255
2256         Ordinarily, this is far less tricky because the pattern matcher does this for us via
2257         acceptInternals() and acceptInternalsLate(). I added a comment to this effect. I hope that we
2258         won't need to do this manually very often.
2259
2260         Also found an uninitialized value bug in UseCounts. That was making all of this super hard to
2261         debug.
2262
2263         * b3/B3IndexMap.h:
2264         (JSC::B3::IndexMap::IndexMap):
2265         (JSC::B3::IndexMap::resize):
2266         (JSC::B3::IndexMap::operator[]):
2267         * b3/B3LowerToAir.cpp:
2268         (JSC::B3::Air::LowerToAir::tmp):
2269         (JSC::B3::Air::LowerToAir::canBeInternal):
2270         (JSC::B3::Air::LowerToAir::commitInternal):
2271         (JSC::B3::Air::LowerToAir::effectiveAddr):
2272         (JSC::B3::Air::LowerToAir::loadAddr):
2273         (JSC::B3::Air::LowerToAir::appendBinOp):
2274         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
2275         (JSC::B3::Air::LowerToAir::acceptInternals):
2276         * b3/B3UseCounts.cpp:
2277         (JSC::B3::UseCounts::UseCounts):
2278
2279 2015-10-28  Mark Lam  <mark.lam@apple.com>
2280
2281         JITSubGenerator::generateFastPath() does not need to be inlined.
2282         https://bugs.webkit.org/show_bug.cgi?id=150645
2283
2284         Reviewed by Geoffrey Garen.
2285
2286         Moving it to a .cpp file to reduce code size.  Benchmarks show this to be
2287         perf neutral.
2288
2289         * CMakeLists.txt:
2290         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2291         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2292         * JavaScriptCore.xcodeproj/project.pbxproj:
2293         * ftl/FTLCompile.cpp:
2294         * jit/JITSubGenerator.cpp: Added.
2295         (JSC::JITSubGenerator::generateFastPath):
2296         * jit/JITSubGenerator.h:
2297         (JSC::JITSubGenerator::JITSubGenerator):
2298         (JSC::JITSubGenerator::endJumpList):
2299         (JSC::JITSubGenerator::slowPathJumpList):
2300         (JSC::JITSubGenerator::generateFastPath): Deleted.
2301
2302 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2303
2304         [B3] handleCommutativity should canonicalize commutative operations over non-constants
2305         https://bugs.webkit.org/show_bug.cgi?id=150649
2306
2307         Reviewed by Saam Barati.
2308
2309         Turn this: Add(value1, value2)
2310         Into this: Add(value2, value1)
2311
2312         But only if value2 should come before value1 according to our total ordering. This will allow
2313         CSE to observe the equality between commuted versions of the same operation, since we will
2314         first canonicalize them into the same order.
2315
2316         * b3/B3ReduceStrength.cpp:
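
Added example (not B3's code): a miniature IR in C++ showing why ordering the operands of a commutative operation lets a key-based CSE match commuted duplicates, while a non-commutative operation is left alone. The IR layout, the use of the value index as the total ordering, and all names are assumptions made for illustration.

```cpp
#include <cstdio>
#include <map>
#include <tuple>
#include <utility>
#include <vector>

// Hypothetical miniature IR: a value is identified by its index in the vector,
// and that index doubles as the total ordering used for canonicalization.
enum class Opcode { Arg, Add, Sub };

struct Value {
    Opcode opcode;
    int child0;
    int child1;
    int replacement; // index of an earlier identical value, or -1
};

static bool isCommutative(Opcode opcode) { return opcode == Opcode::Add; }

// Put the operand that comes first in the total ordering into child0.
// Non-commutative operations keep their operand order.
void canonicalizeCommutative(std::vector<Value>& values)
{
    for (Value& value : values) {
        if (isCommutative(value.opcode) && value.child1 < value.child0)
            std::swap(value.child0, value.child1);
    }
}

// CSE keyed on (opcode, child0, child1). Returns how many values were found
// to duplicate an earlier one.
int eliminateCommonSubexpressions(std::vector<Value>& values)
{
    std::map<std::tuple<Opcode, int, int>, int> seen;
    int replaced = 0;
    for (int index = 0; index < static_cast<int>(values.size()); ++index) {
        Value& value = values[index];
        if (value.opcode == Opcode::Arg)
            continue;
        auto result = seen.emplace(std::make_tuple(value.opcode, value.child0, value.child1), index);
        if (!result.second) {
            value.replacement = result.first->second;
            ++replaced;
        }
    }
    return replaced;
}

// Constructed sample: v2 = Add(v0, v1), v3 = Add(v1, v0),
//                     v4 = Sub(v0, v1), v5 = Sub(v1, v0).
static std::vector<Value> sampleProcedure()
{
    std::vector<Value> values;
    values.push_back(Value{ Opcode::Arg, -1, -1, -1 });
    values.push_back(Value{ Opcode::Arg, -1, -1, -1 });
    values.push_back(Value{ Opcode::Add, 0, 1, -1 });
    values.push_back(Value{ Opcode::Add, 1, 0, -1 });
    values.push_back(Value{ Opcode::Sub, 0, 1, -1 });
    values.push_back(Value{ Opcode::Sub, 1, 0, -1 });
    return values;
}

int replacedWithoutCanonicalization()
{
    std::vector<Value> values = sampleProcedure();
    return eliminateCommonSubexpressions(values);
}

int replacedWithCanonicalization()
{
    std::vector<Value> values = sampleProcedure();
    canonicalizeCommutative(values);
    return eliminateCommonSubexpressions(values);
}

// Replacement chosen for one value after canonicalization and CSE.
int replacementAfterCanonicalization(int index)
{
    std::vector<Value> values = sampleProcedure();
    canonicalizeCommutative(values);
    eliminateCommonSubexpressions(values);
    return values[index].replacement;
}

int main()
{
    std::printf("replaced without canonicalization: %d\n", replacedWithoutCanonicalization());
    std::printf("replaced with canonicalization:    %d\n", replacedWithCanonicalization());
    return 0;
}
```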
2317
2318 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2319
2320         Unreviewed, fix the build for case sensitive file systems.
2321
2322         * b3/air/AirBasicBlock.h:
2323         * b3/air/AirStackSlot.h:
2324
2325 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
2326
2327         Create a super rough prototype of B3
2328         https://bugs.webkit.org/show_bug.cgi?id=150280
2329
2330         Reviewed by Benjamin Poulain.
2331
2332         This changeset adds the basic scaffolding of the B3 compiler. B3 stands for Bare Bones
2333         Backend. It's a low-level SSA-based language-agnostic compiler. The basic structure allows
2334         for aggressive C-level optimizations and an awesome portable backend. The backend, called
2335         Air (Assembly IR), is a reflective abstraction over our MacroAssembler. The abstraction is
2336         defined using a spec file (AirOpcode.opcodes) which describes the various kinds of
2337         instructions that we wish to support. Then, the B3::LowerToAir phase, which does our
2338         instruction selection, reflectively selects Air opcodes by querying which instruction forms
2339         are possible. Air allows for optimal register allocation and stack layout. Currently the
2340         register allocator isn't written, but the stack layout is.
2341
2342         Of course this isn't done yet. It can only compile simple programs, seen in the "test suite"
2343         called "testb3.cpp". There's a lot of optimizations that have to be written and a lot of
2344         stuff added to the instruction selector. But it's a neat start.
2345
2346         * CMakeLists.txt:
2347         * DerivedSources.make:
2348         * JavaScriptCore.xcodeproj/project.pbxproj:
2349         * assembler/MacroAssembler.cpp:
2350         (WTF::printInternal):
2351         * assembler/MacroAssembler.h:
2352         * b3: Added.
2353         * b3/B3AddressMatcher.patterns: Added.
2354         * b3/B3ArgumentRegValue.cpp: Added.
2355         (JSC::B3::ArgumentRegValue::~ArgumentRegValue):
2356         (JSC::B3::ArgumentRegValue::dumpMeta):
2357         * b3/B3ArgumentRegValue.h: Added.
2358         * b3/B3BasicBlock.cpp: Added.
2359         (JSC::B3::BasicBlock::BasicBlock):
2360         (JSC::B3::BasicBlock::~BasicBlock):
2361         (JSC::B3::BasicBlock::append):
2362         (JSC::B3::BasicBlock::addPredecessor):
2363         (JSC::B3::BasicBlock::removePredecessor):
2364         (JSC::B3::BasicBlock::replacePredecessor):
2365         (JSC::B3::BasicBlock::removeNops):
2366         (JSC::B3::BasicBlock::dump):
2367         (JSC::B3::BasicBlock::deepDump):
2368         * b3/B3BasicBlock.h: Added.
2369         (JSC::B3::BasicBlock::index):
2370         (JSC::B3::BasicBlock::begin):
2371         (JSC::B3::BasicBlock::end):
2372         (JSC::B3::BasicBlock::size):
2373         (JSC::B3::BasicBlock::at):
2374         (JSC::B3::BasicBlock::last):
2375         (JSC::B3::BasicBlock::values):
2376         (JSC::B3::BasicBlock::numPredecessors):
2377         (JSC::B3::BasicBlock::predecessor):
2378         (JSC::B3::BasicBlock::predecessors):
2379         (JSC::B3::BasicBlock::frequency):
2380         (JSC::B3::DeepBasicBlockDump::DeepBasicBlockDump):
2381         (JSC::B3::DeepBasicBlockDump::dump):
2382         (JSC::B3::deepDump):
2383         * b3/B3BasicBlockInlines.h: Added.
2384         (JSC::B3::BasicBlock::appendNew):
2385         (JSC::B3::BasicBlock::numSuccessors):
2386         (JSC::B3::BasicBlock::successor):
2387         (JSC::B3::BasicBlock::successors):
2388         (JSC::B3::BasicBlock::successorBlock):
2389         (JSC::B3::BasicBlock::successorBlocks):
2390         * b3/B3BasicBlockUtils.h: Added.
2391         (JSC::B3::addPredecessor):
2392         (JSC::B3::removePredecessor):
2393         (JSC::B3::replacePredecessor):
2394         (JSC::B3::resetReachability):
2395         (JSC::B3::blocksInPreOrder):
2396         (JSC::B3::blocksInPostOrder):
2397         * b3/B3BlockWorklist.h: Added.
2398         * b3/B3CheckSpecial.cpp: Added.
2399         (JSC::B3::Air::numB3Args):
2400         (JSC::B3::CheckSpecial::CheckSpecial):
2401         (JSC::B3::CheckSpecial::~CheckSpecial):
2402         (JSC::B3::CheckSpecial::hiddenBranch):
2403         (JSC::B3::CheckSpecial::forEachArg):
2404         (JSC::B3::CheckSpecial::isValid):
2405         (JSC::B3::CheckSpecial::admitsStack):
2406         (JSC::B3::CheckSpecial::generate):
2407         (JSC::B3::CheckSpecial::dumpImpl):
2408         (JSC::B3::CheckSpecial::deepDumpImpl):
2409         * b3/B3CheckSpecial.h: Added.
2410         * b3/B3CheckValue.cpp: Added.
2411         (JSC::B3::CheckValue::~CheckValue):
2412         (JSC::B3::CheckValue::dumpMeta):
2413         * b3/B3CheckValue.h: Added.
2414         * b3/B3Common.cpp: Added.
2415         (JSC::B3::shouldDumpIR):
2416         (JSC::B3::shouldDumpIRAtEachPhase):
2417         (JSC::B3::shouldValidateIR):
2418         (JSC::B3::shouldValidateIRAtEachPhase):
2419         (JSC::B3::shouldSaveIRBeforePhase):
2420         * b3/B3Common.h: Added.
2421         (JSC::B3::is64Bit):
2422         (JSC::B3::is32Bit):
2423         * b3/B3Commutativity.cpp: Added.
2424         (WTF::printInternal):
2425         * b3/B3Commutativity.h: Added.
2426         * b3/B3Const32Value.cpp: Added.
2427         (JSC::B3::Const32Value::~Const32Value):
2428         (JSC::B3::Const32Value::negConstant):
2429         (JSC::B3::Const32Value::addConstant):
2430         (JSC::B3::Const32Value::subConstant):
2431         (JSC::B3::Const32Value::dumpMeta):
2432         * b3/B3Const32Value.h: Added.
2433         * b3/B3Const64Value.cpp: Added.
2434         (JSC::B3::Const64Value::~Const64Value):
2435         (JSC::B3::Const64Value::negConstant):
2436         (JSC::B3::Const64Value::addConstant):
2437         (JSC::B3::Const64Value::subConstant):
2438         (JSC::B3::Const64Value::dumpMeta):
2439         * b3/B3Const64Value.h: Added.
2440         * b3/B3ConstDoubleValue.cpp: Added.
2441         (JSC::B3::ConstDoubleValue::~ConstDoubleValue):
2442         (JSC::B3::ConstDoubleValue::negConstant):
2443         (JSC::B3::ConstDoubleValue::addConstant):
2444         (JSC::B3::ConstDoubleValue::subConstant):
2445         (JSC::B3::ConstDoubleValue::dumpMeta):
2446         * b3/B3ConstDoubleValue.h: Added.
2447         (JSC::B3::ConstDoubleValue::accepts):
2448         (JSC::B3::ConstDoubleValue::value):
2449         (JSC::B3::ConstDoubleValue::ConstDoubleValue):
2450         * b3/B3ConstPtrValue.h: Added.
2451         (JSC::B3::ConstPtrValue::value):
2452         (JSC::B3::ConstPtrValue::ConstPtrValue):
2453         * b3/B3ControlValue.cpp: Added.
2454         (JSC::B3::ControlValue::~ControlValue):
2455         (JSC::B3::ControlValue::dumpMeta):
2456         * b3/B3ControlValue.h: Added.
2457         * b3/B3Effects.cpp: Added.
2458         (JSC::B3::Effects::dump):
2459         * b3/B3Effects.h: Added.
2460         (JSC::B3::Effects::mustExecute):
2461         * b3/B3FrequencyClass.cpp: Added.
2462         (WTF::printInternal):
2463         * b3/B3FrequencyClass.h: Added.
2464         * b3/B3FrequentedBlock.h: Added.
2465         * b3/B3Generate.cpp: Added.
2466         (JSC::B3::generate):
2467         (JSC::B3::generateToAir):
2468         * b3/B3Generate.h: Added.
2469         * b3/B3GenericFrequentedBlock.h: Added.
2470         (JSC::B3::GenericFrequentedBlock::GenericFrequentedBlock):
2471         (JSC::B3::GenericFrequentedBlock::operator==):
2472         (JSC::B3::GenericFrequentedBlock::operator!=):
2473         (JSC::B3::GenericFrequentedBlock::operator bool):
2474         (JSC::B3::GenericFrequentedBlock::block):
2475         (JSC::B3::GenericFrequentedBlock::frequency):
2476         (JSC::B3::GenericFrequentedBlock::dump):
2477         * b3/B3HeapRange.cpp: Added.
2478         (JSC::B3::HeapRange::dump):
2479         * b3/B3HeapRange.h: Added.
2480         (JSC::B3::HeapRange::HeapRange):
2481         (JSC::B3::HeapRange::top):
2482         (JSC::B3::HeapRange::operator==):
2483         (JSC::B3::HeapRange::operator!=):
2484         (JSC::B3::HeapRange::operator bool):
2485         (JSC::B3::HeapRange::begin):
2486         (JSC::B3::HeapRange::end):
2487         (JSC::B3::HeapRange::overlaps):
2488         * b3/B3IndexMap.h: Added.
2489         (JSC::B3::IndexMap::IndexMap):
2490         (JSC::B3::IndexMap::resize):
2491         (JSC::B3::IndexMap::operator[]):
2492         * b3/B3IndexSet.h: Added.
2493         (JSC::B3::IndexSet::IndexSet):
2494         (JSC::B3::IndexSet::add):
2495         (JSC::B3::IndexSet::contains):
2496         (JSC::B3::IndexSet::Iterable::Iterable):
2497         (JSC::B3::IndexSet::Iterable::iterator::iterator):
2498         (JSC::B3::IndexSet::Iterable::iterator::operator*):
2499         (JSC::B3::IndexSet::Iterable::iterator::operator++):
2500         (JSC::B3::IndexSet::Iterable::iterator::operator==):
2501         (JSC::B3::IndexSet::Iterable::iterator::operator!=):
2502         (JSC::B3::IndexSet::Iterable::begin):
2503         (JSC::B3::IndexSet::Iterable::end):
2504         (JSC::B3::IndexSet::values):
2505         (JSC::B3::IndexSet::indices):
2506         (JSC::B3::IndexSet::dump):
2507         * b3/B3InsertionSet.cpp: Added.
2508         (JSC::B3::InsertionSet::execute):
2509         * b3/B3InsertionSet.h: Added.
2510         (JSC::B3::InsertionSet::InsertionSet):
2511         (JSC::B3::InsertionSet::code):
2512         (JSC::B3::InsertionSet::appendInsertion):
2513         (JSC::B3::InsertionSet::insertValue):
2514         * b3/B3InsertionSetInlines.h: Added.
2515         (JSC::B3::InsertionSet::insert):
2516         * b3/B3LowerToAir.cpp: Added.
2517         (JSC::B3::Air::LowerToAir::LowerToAir):
2518         (JSC::B3::Air::LowerToAir::run):
2519         (JSC::B3::Air::LowerToAir::tmp):
2520         (JSC::B3::Air::LowerToAir::effectiveAddr):
2521         (JSC::B3::Air::LowerToAir::addr):
2522         (JSC::B3::Air::LowerToAir::loadAddr):
2523         (JSC::B3::Air::LowerToAir::imm):
2524         (JSC::B3::Air::LowerToAir::immOrTmp):
2525         (JSC::B3::Air::LowerToAir::appendBinOp):
2526         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
2527         (JSC::B3::Air::LowerToAir::moveForType):
2528         (JSC::B3::Air::LowerToAir::relaxedMoveForType):
2529         (JSC::B3::Air::LowerToAir::append):
2530         (JSC::B3::Air::LowerToAir::AddressSelector::AddressSelector):
2531         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRoot):
2532         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRootLate):
2533         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternals):
2534         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternalsLate):
2535         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperands):
2536         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperandsLate):
2537         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift1):
2538         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift2):
2539         (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd):
2540         (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect):
2541         (JSC::B3::Air::LowerToAir::acceptRoot):
2542         (JSC::B3::Air::LowerToAir::acceptRootLate):
2543         (JSC::B3::Air::LowerToAir::acceptInternals):
2544         (JSC::B3::Air::LowerToAir::acceptInternalsLate):
2545         (JSC::B3::Air::LowerToAir::acceptOperands):
2546         (JSC::B3::Air::LowerToAir::acceptOperandsLate):
2547         (JSC::B3::Air::LowerToAir::tryLoad):
2548         (JSC::B3::Air::LowerToAir::tryAdd):
2549         (JSC::B3::Air::LowerToAir::tryAnd):
2550         (JSC::B3::Air::LowerToAir::tryStoreAddLoad):
2551         (JSC::B3::Air::LowerToAir::tryStoreAndLoad):
2552         (JSC::B3::Air::LowerToAir::tryStore):
2553         (JSC::B3::Air::LowerToAir::tryTruncArgumentReg):
2554         (JSC::B3::Air::LowerToAir::tryTrunc):
2555         (JSC::B3::Air::LowerToAir::tryArgumentReg):
2556         (JSC::B3::Air::LowerToAir::tryConst32):
2557         (JSC::B3::Air::LowerToAir::tryConst64):
2558         (JSC::B3::Air::LowerToAir::tryIdentity):
2559         (JSC::B3::Air::LowerToAir::tryReturn):
2560         (JSC::B3::lowerToAir):
2561         * b3/B3LowerToAir.h: Added.
2562         * b3/B3LoweringMatcher.patterns: Added.
2563         * b3/B3MemoryValue.cpp: Added.
2564         (JSC::B3::MemoryValue::~MemoryValue):
2565         (JSC::B3::MemoryValue::dumpMeta):
2566         * b3/B3MemoryValue.h: Added.
2567         * b3/B3Opcode.cpp: Added.
2568         (WTF::printInternal):
2569         * b3/B3Opcode.h: Added.
2570         (JSC::B3::isCheckMath):
2571         * b3/B3Origin.cpp: Added.
2572         (JSC::B3::Origin::dump):
2573         * b3/B3Origin.h: Added.
2574         (JSC::B3::Origin::Origin):
2575         (JSC::B3::Origin::operator bool):
2576         (JSC::B3::Origin::data):
2577         * b3/B3PatchpointSpecial.cpp: Added.
2578         (JSC::B3::PatchpointSpecial::PatchpointSpecial):
2579         (JSC::B3::PatchpointSpecial::~PatchpointSpecial):
2580         (JSC::B3::PatchpointSpecial::forEachArg):
2581         (JSC::B3::PatchpointSpecial::isValid):
2582         (JSC::B3::PatchpointSpecial::admitsStack):
2583         (JSC::B3::PatchpointSpecial::generate):
2584         (JSC::B3::PatchpointSpecial::dumpImpl):
2585         (JSC::B3::PatchpointSpecial::deepDumpImpl):
2586         * b3/B3PatchpointSpecial.h: Added.
2587         * b3/B3PatchpointValue.cpp: Added.
2588         (JSC::B3::PatchpointValue::~PatchpointValue):
2589         (JSC::B3::PatchpointValue::dumpMeta):
2590         * b3/B3PatchpointValue.h: Added.
2591         (JSC::B3::PatchpointValue::accepts):
2592         (JSC::B3::PatchpointValue::PatchpointValue):
2593         * b3/B3PhaseScope.cpp: Added.
2594         (JSC::B3::PhaseScope::PhaseScope):
2595         (JSC::B3::PhaseScope::~PhaseScope):
2596         * b3/B3PhaseScope.h: Added.
2597         * b3/B3Procedure.cpp: Added.
2598         (JSC::B3::Procedure::Procedure):
2599         (JSC::B3::Procedure::~Procedure):
2600         (JSC::B3::Procedure::addBlock):
2601         (JSC::B3::Procedure::resetReachability):
2602         (JSC::B3::Procedure::dump):
2603         (JSC::B3::Procedure::blocksInPreOrder):
2604         (JSC::B3::Procedure::blocksInPostOrder):
2605         * b3/B3Procedure.h: Added.
2606         (JSC::B3::Procedure::size):
2607         (JSC::B3::Procedure::at):
2608         (JSC::B3::Procedure::operator[]):
2609         (JSC::B3::Procedure::iterator::iterator):
2610         (JSC::B3::Procedure::iterator::operator*):
2611         (JSC::B3::Procedure::iterator::operator++):
2612         (JSC::B3::Procedure::iterator::operator==):
2613         (JSC::B3::Procedure::iterator::operator!=):
2614         (JSC::B3::Procedure::iterator::findNext):
2615         (JSC::B3::Procedure::begin):
2616         (JSC::B3::Procedure::end):
2617         (JSC::B3::Procedure::ValuesCollection::ValuesCollection):
2618         (JSC::B3::Procedure::ValuesCollection::iterator::iterator):
2619         (JSC::B3::Procedure::ValuesCollection::iterator::operator*):
2620         (JSC::B3::Procedure::ValuesCollection::iterator::operator++):
2621         (JSC::B3::Procedure::ValuesCollection::iterator::operator==):
2622         (JSC::B3::Procedure::ValuesCollection::iterator::operator!=):
2623         (JSC::B3::Procedure::ValuesCollection::begin):
2624         (JSC::B3::Procedure::ValuesCollection::end):
2625         (JSC::B3::Procedure::ValuesCollection::size):
2626         (JSC::B3::Procedure::ValuesCollection::at):
2627         (JSC::B3::Procedure::ValuesCollection::operator[]):
2628         (JSC::B3::Procedure::values):
2629         (JSC::B3::Procedure::setLastPhaseName):
2630         (JSC::B3::Procedure::lastPhaseName):
2631         * b3/B3ProcedureInlines.h: Added.
2632         (JSC::B3::Procedure::add):
2633         * b3/B3ReduceStrength.cpp: Added.
2634         (JSC::B3::reduceStrength):
2635         * b3/B3ReduceStrength.h: Added.
2636         * b3/B3StackSlotKind.cpp: Added.
2637         (WTF::printInternal):
2638         * b3/B3StackSlotKind.h: Added.
2639         * b3/B3StackSlotValue.cpp: Added.
2640         (JSC::B3::StackSlotValue::~StackSlotValue):
2641         (JSC::B3::StackSlotValue::dumpMeta):
2642         * b3/B3StackSlotValue.h: Added.
2643         (JSC::B3::StackSlotValue::accepts):
2644         (JSC::B3::StackSlotValue::byteSize):
2645         (JSC::B3::StackSlotValue::kind):
2646         (JSC::B3::StackSlotValue::offsetFromFP):
2647         (JSC::B3::StackSlotValue::setOffsetFromFP):
2648         (JSC::B3::StackSlotValue::StackSlotValue):
2649         * b3/B3Stackmap.cpp: Added.
2650         (JSC::B3::Stackmap::Stackmap):
2651         (JSC::B3::Stackmap::~Stackmap):
2652         (JSC::B3::Stackmap::dump):
2653         * b3/B3Stackmap.h: Added.
2654         (JSC::B3::Stackmap::constrain):
2655         (JSC::B3::Stackmap::reps):
2656         (JSC::B3::Stackmap::clobber):
2657         (JSC::B3::Stackmap::clobbered):
2658         (JSC::B3::Stackmap::setGenerator):
2659         * b3/B3StackmapSpecial.cpp: Added.
2660         (JSC::B3::StackmapSpecial::StackmapSpecial):
2661         (JSC::B3::StackmapSpecial::~StackmapSpecial):
2662         (JSC::B3::StackmapSpecial::reportUsedRegisters):
2663         (JSC::B3::StackmapSpecial::extraClobberedRegs):
2664         (JSC::B3::StackmapSpecial::forEachArgImpl):
2665         (JSC::B3::StackmapSpecial::isValidImpl):
2666         (JSC::B3::StackmapSpecial::admitsStackImpl):
2667         (JSC::B3::StackmapSpecial::appendRepsImpl):
2668         (JSC::B3::StackmapSpecial::repForArg):
2669         * b3/B3StackmapSpecial.h: Added.
2670         * b3/B3SuccessorCollection.h: Added.
2671         (JSC::B3::SuccessorCollection::SuccessorCollection):
2672         (JSC::B3::SuccessorCollection::size):
2673         (JSC::B3::SuccessorCollection::at):
2674         (JSC::B3::SuccessorCollection::operator[]):
2675         (JSC::B3::SuccessorCollection::iterator::iterator):
2676         (JSC::B3::SuccessorCollection::iterator::operator*):
2677         (JSC::B3::SuccessorCollection::iterator::operator++):
2678         (JSC::B3::SuccessorCollection::iterator::operator==):
2679         (JSC::B3::SuccessorCollection::iterator::operator!=):
2680         (JSC::B3::SuccessorCollection::begin):
2681         (JSC::B3::SuccessorCollection::end):
2682         * b3/B3SwitchCase.cpp: Added.
2683         (JSC::B3::SwitchCase::dump):
2684         * b3/B3SwitchCase.h: Added.
2685         (JSC::B3::SwitchCase::SwitchCase):
2686         (JSC::B3::SwitchCase::operator bool):
2687         (JSC::B3::SwitchCase::caseValue):
2688         (JSC::B3::SwitchCase::target):
2689         (JSC::B3::SwitchCase::targetBlock):
2690         * b3/B3SwitchValue.cpp: Added.
2691         (JSC::B3::SwitchValue::~SwitchValue):
2692         (JSC::B3::SwitchValue::removeCase):
2693         (JSC::B3::SwitchValue::appendCase):
2694         (JSC::B3::SwitchValue::dumpMeta):
2695         (JSC::B3::SwitchValue::SwitchValue):
2696         * b3/B3SwitchValue.h: Added.
2697         (JSC::B3::SwitchValue::accepts):
2698         (JSC::B3::SwitchValue::numCaseValues):
2699         (JSC::B3::SwitchValue::caseValue):
2700         (JSC::B3::SwitchValue::caseValues):
2701         (JSC::B3::SwitchValue::fallThrough):
2702         (JSC::B3::SwitchValue::size):
2703         (JSC::B3::SwitchValue::at):
2704         (JSC::B3::SwitchValue::operator[]):
2705         (JSC::B3::SwitchValue::iterator::iterator):
2706         (JSC::B3::SwitchValue::iterator::operator*):
2707         (JSC::B3::SwitchValue::iterator::operator++):
2708         (JSC::B3::SwitchValue::iterator::operator==):
2709         (JSC::B3::SwitchValue::iterator::operator!=):
2710         (JSC::B3::SwitchValue::begin):
2711         (JSC::B3::SwitchValue::end):
2712         * b3/B3Type.cpp: Added.
2713         (WTF::printInternal):
2714         * b3/B3Type.h: Added.
2715         (JSC::B3::isInt):
2716         (JSC::B3::isFloat):
2717         (JSC::B3::pointerType):
2718         * b3/B3UpsilonValue.cpp: Added.
2719         (JSC::B3::UpsilonValue::~UpsilonValue):
2720         (JSC::B3::UpsilonValue::dumpMeta):
2721         * b3/B3UpsilonValue.h: Added.
2722         (JSC::B3::UpsilonValue::accepts):
2723         (JSC::B3::UpsilonValue::phi):
2724         (JSC::B3::UpsilonValue::UpsilonValue):
2725         * b3/B3UseCounts.cpp: Added.
2726         (JSC::B3::UseCounts::UseCounts):
2727         (JSC::B3::UseCounts::~UseCounts):
2728         * b3/B3UseCounts.h: Added.
2729         (JSC::B3::UseCounts::operator[]):
2730         * b3/B3Validate.cpp: Added.
2731         (JSC::B3::validate):
2732         * b3/B3Validate.h: Added.
2733         * b3/B3Value.cpp: Added.
2734         (JSC::B3::Value::~Value):
2735         (JSC::B3::Value::replaceWithIdentity):
2736         (JSC::B3::Value::replaceWithNop):
2737         (JSC::B3::Value::dump):
2738         (JSC::B3::Value::deepDump):
2739         (JSC::B3::Value::negConstant):
2740         (JSC::B3::Value::addConstant):
2741         (JSC::B3::Value::subConstant):
2742         (JSC::B3::Value::effects):
2743         (JSC::B3::Value::performSubstitution):
2744         (JSC::B3::Value::dumpMeta):
2745         (JSC::B3::Value::typeFor):
2746         * b3/B3Value.h: Added.
2747         (JSC::B3::DeepValueDump::DeepValueDump):
2748         (JSC::B3::DeepValueDump::dump):
2749         (JSC::B3::deepDump):
2750         * b3/B3ValueInlines.h: Added.
2751         (JSC::B3::Value::as):
2752         (JSC::B3::Value::isConstant):
2753         (JSC::B3::Value::hasInt32):
2754         (JSC::B3::Value::asInt32):
2755         (JSC::B3::Value::hasInt64):
2756         (JSC::B3::Value::asInt64):
2757         (JSC::B3::Value::hasInt):
2758         (JSC::B3::Value::asInt):
2759         (JSC::B3::Value::isInt):
2760         (JSC::B3::Value::hasIntPtr):
2761         (JSC::B3::Value::asIntPtr):
2762         (JSC::B3::Value::hasDouble):
2763         (JSC::B3::Value::asDouble):
2764         (JSC::B3::Value::stackmap):
2765         * b3/B3ValueRep.cpp: Added.
2766         (JSC::B3::ValueRep::dump):
2767         (WTF::printInternal):
2768         * b3/B3ValueRep.h: Added.
2769         (JSC::B3::ValueRep::ValueRep):
2770         (JSC::B3::ValueRep::reg):
2771         (JSC::B3::ValueRep::stack):
2772         (JSC::B3::ValueRep::stackArgument):
2773         (JSC::B3::ValueRep::constant):
2774         (JSC::B3::ValueRep::constantDouble):
2775         (JSC::B3::ValueRep::kind):
2776         (JSC::B3::ValueRep::operator bool):
2777         (JSC::B3::ValueRep::offsetFromFP):
2778         (JSC::B3::ValueRep::offsetFromSP):
2779         (JSC::B3::ValueRep::value):
2780         (JSC::B3::ValueRep::doubleValue):
2781         * b3/air: Added.
2782         * b3/air/AirAllocateStack.cpp: Added.
2783         (JSC::B3::Air::allocateStack):
2784         * b3/air/AirAllocateStack.h: Added.
2785         * b3/air/AirArg.cpp: Added.
2786         (JSC::B3::Air::Arg::dump):
2787         * b3/air/AirArg.h: Added.
2788         (JSC::B3::Air::Arg::isUse):
2789         (JSC::B3::Air::Arg::isDef):
2790         (JSC::B3::Air::Arg::typeForB3Type):
2791         (JSC::B3::Air::Arg::Arg):
2792         (JSC::B3::Air::Arg::imm):
2793         (JSC::B3::Air::Arg::imm64):
2794         (JSC::B3::Air::Arg::addr):
2795         (JSC::B3::Air::Arg::stack):
2796         (JSC::B3::Air::Arg::callArg):
2797         (JSC::B3::Air::Arg::isValidScale):
2798         (JSC::B3::Air::Arg::logScale):
2799         (JSC::B3::Air::Arg::index):
2800         (JSC::B3::Air::Arg::relCond):
2801         (JSC::B3::Air::Arg::resCond):
2802         (JSC::B3::Air::Arg::special):
2803         (JSC::B3::Air::Arg::operator==):
2804         (JSC::B3::Air::Arg::operator!=):
2805         (JSC::B3::Air::Arg::operator bool):
2806         (JSC::B3::Air::Arg::kind):
2807         (JSC::B3::Air::Arg::isTmp):
2808         (JSC::B3::Air::Arg::isImm):
2809         (JSC::B3::Air::Arg::isImm64):
2810         (JSC::B3::Air::Arg::isAddr):
2811         (JSC::B3::Air::Arg::isStack):
2812         (JSC::B3::Air::Arg::isCallArg):
2813         (JSC::B3::Air::Arg::isIndex):
2814         (JSC::B3::Air::Arg::isRelCond):
2815         (JSC::B3::Air::Arg::isResCond):
2816         (JSC::B3::Air::Arg::isSpecial):
2817         (JSC::B3::Air::Arg::isAlive):
2818         (JSC::B3::Air::Arg::tmp):
2819         (JSC::B3::Air::Arg::value):
2820         (JSC::B3::Air::Arg::pointerValue):
2821         (JSC::B3::Air::Arg::base):
2822         (JSC::B3::Air::Arg::hasOffset):
2823         (JSC::B3::Air::Arg::offset):
2824         (JSC::B3::Air::Arg::stackSlot):
2825         (JSC::B3::Air::Arg::scale):
2826         (JSC::B3::Air::Arg::isGPTmp):
2827         (JSC::B3::Air::Arg::isFPTmp):
2828         (JSC::B3::Air::Arg::isGP):
2829         (JSC::B3::Air::Arg::isFP):
2830         (JSC::B3::Air::Arg::hasType):
2831         (JSC::B3::Air::Arg::type):
2832         (JSC::B3::Air::Arg::isType):
2833         (JSC::B3::Air::Arg::isGPR):
2834         (JSC::B3::Air::Arg::gpr):
2835         (JSC::B3::Air::Arg::isFPR):
2836         (JSC::B3::Air::Arg::fpr):
2837         (JSC::B3::Air::Arg::isReg):
2838         (JSC::B3::Air::Arg::reg):
2839         (JSC::B3::Air::Arg::gpTmpIndex):
2840         (JSC::B3::Air::Arg::fpTmpIndex):
2841         (JSC::B3::Air::Arg::tmpIndex):
2842         (JSC::B3::Air::Arg::withOffset):
2843         (JSC::B3::Air::Arg::forEachTmpFast):
2844         (JSC::B3::Air::Arg::forEachTmp):
2845         (JSC::B3::Air::Arg::asTrustedImm32):
2846         (JSC::B3::Air::Arg::asTrustedImm64):
2847         (JSC::B3::Air::Arg::asTrustedImmPtr):
2848         (JSC::B3::Air::Arg::asAddress):
2849         (JSC::B3::Air::Arg::asBaseIndex):
2850         (JSC::B3::Air::Arg::asRelationalCondition):
2851         (JSC::B3::Air::Arg::asResultCondition):
2852         (JSC::B3::Air::Arg::isHashTableDeletedValue):
2853         (JSC::B3::Air::Arg::hash):
2854         (JSC::B3::Air::ArgHash::hash):
2855         (JSC::B3::Air::ArgHash::equal):
2856         * b3/air/AirBasicBlock.cpp: Added.
2857         (JSC::B3::Air::BasicBlock::addPredecessor):
2858         (JSC::B3::Air::BasicBlock::removePredecessor):
2859         (JSC::B3::Air::BasicBlock::replacePredecessor):
2860         (JSC::B3::Air::BasicBlock::dump):
2861         (JSC::B3::Air::BasicBlock::deepDump):
2862         (JSC::B3::Air::BasicBlock::BasicBlock):
2863         * b3/air/AirBasicBlock.h: Added.
2864         (JSC::B3::Air::BasicBlock::index):
2865         (JSC::B3::Air::BasicBlock::size):
2866         (JSC::B3::Air::BasicBlock::begin):
2867         (JSC::B3::Air::BasicBlock::end):
2868         (JSC::B3::Air::BasicBlock::at):
2869         (JSC::B3::Air::BasicBlock::last):
2870         (JSC::B3::Air::BasicBlock::appendInst):
2871         (JSC::B3::Air::BasicBlock::append):
2872         (JSC::B3::Air::BasicBlock::numSuccessors):
2873         (JSC::B3::Air::BasicBlock::successor):
2874         (JSC::B3::Air::BasicBlock::successors):
2875         (JSC::B3::Air::BasicBlock::successorBlock):
2876         (JSC::B3::Air::BasicBlock::successorBlocks):
2877         (JSC::B3::Air::BasicBlock::numPredecessors):
2878         (JSC::B3::Air::BasicBlock::predecessor):
2879         (JSC::B3::Air::BasicBlock::predecessors):
2880         (JSC::B3::Air::DeepBasicBlockDump::DeepBasicBlockDump):
2881         (JSC::B3::Air::DeepBasicBlockDump::dump):
2882         (JSC::B3::Air::deepDump):
2883         * b3/air/AirCCallSpecial.cpp: Added.
2884         (JSC::B3::Air::CCallSpecial::CCallSpecial):
2885         (JSC::B3::Air::CCallSpecial::~CCallSpecial):
2886         (JSC::B3::Air::CCallSpecial::forEachArg):
2887         (JSC::B3::Air::CCallSpecial::isValid):
2888         (JSC::B3::Air::CCallSpecial::admitsStack):
2889         (JSC::B3::Air::CCallSpecial::reportUsedRegisters):
2890         (JSC::B3::Air::CCallSpecial::generate):
2891         (JSC::B3::Air::CCallSpecial::extraClobberedRegs):
2892         (JSC::B3::Air::CCallSpecial::dumpImpl):
2893         (JSC::B3::Air::CCallSpecial::deepDumpImpl):
2894         * b3/air/AirCCallSpecial.h: Added.
2895         * b3/air/AirCode.cpp: Added.
2896         (JSC::B3::Air::Code::Code):
2897         (JSC::B3::Air::Code::~Code):
2898         (JSC::B3::Air::Code::addBlock):
2899         (JSC::B3::Air::Code::addStackSlot):
2900         (JSC::B3::Air::Code::addSpecial):
2901         (JSC::B3::Air::Code::cCallSpecial):
2902         (JSC::B3::Air::Code::resetReachability):
2903         (JSC::B3::Air::Code::dump):
2904         (JSC::B3::Air::Code::findFirstBlockIndex):
2905         (JSC::B3::Air::Code::findNextBlockIndex):
2906         (JSC::B3::Air::Code::findNextBlock):
2907         * b3/air/AirCode.h: Added.
2908         (JSC::B3::Air::Code::newTmp):
2909         (JSC::B3::Air::Code::numTmps):
2910         (JSC::B3::Air::Code::callArgAreaSize):
2911         (JSC::B3::Air::Code::requestCallArgAreaSize):
2912         (JSC::B3::Air::Code::frameSize):
2913         (JSC::B3::Air::Code::setFrameSize):
2914         (JSC::B3::Air::Code::calleeSaveRegisters):
2915         (JSC::B3::Air::Code::size):
2916         (JSC::B3::Air::Code::at):
2917         (JSC::B3::Air::Code::operator[]):
2918         (JSC::B3::Air::Code::iterator::iterator):
2919         (JSC::B3::Air::Code::iterator::operator*):
2920         (JSC::B3::Air::Code::iterator::operator++):
2921         (JSC::B3::Air::Code::iterator::operator==):
2922         (JSC::B3::Air::Code::iterator::operator!=):
2923         (JSC::B3::Air::Code::begin):
2924         (JSC::B3::Air::Code::end):
2925         (JSC::B3::Air::Code::StackSlotsCollection::StackSlotsCollection):
2926         (JSC::B3::Air::Code::StackSlotsCollection::size):
2927         (JSC::B3::Air::Code::StackSlotsCollection::at):
2928         (JSC::B3::Air::Code::StackSlotsCollection::operator[]):
2929         (JSC::B3::Air::Code::StackSlotsCollection::iterator::iterator):
2930         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator*):
2931         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator++):
2932         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator==):
2933         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator!=):
2934         (JSC::B3::Air::Code::StackSlotsCollection::begin):
2935         (JSC::B3::Air::Code::StackSlotsCollection::end):
2936         (JSC::B3::Air::Code::stackSlots):
2937         (JSC::B3::Air::Code::SpecialsCollection::SpecialsCollection):
2938         (JSC::B3::Air::Code::SpecialsCollection::size):
2939         (JSC::B3::Air::Code::SpecialsCollection::at):
2940         (JSC::B3::Air::Code::SpecialsCollection::operator[]):
2941         (JSC::B3::Air::Code::SpecialsCollection::iterator::iterator):
2942         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator*):
2943         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator++):
2944         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator==):
2945         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator!=):
2946         (JSC::B3::Air::Code::SpecialsCollection::begin):
2947         (JSC::B3::Air::Code::SpecialsCollection::end):
2948         (JSC::B3::Air::Code::specials):
2949         (JSC::B3::Air::Code::setLastPhaseName):
2950         (JSC::B3::Air::Code::lastPhaseName):
2951         * b3/air/AirFrequentedBlock.h: Added.
2952         * b3/air/AirGenerate.cpp: Added.
2953         (JSC::B3::Air::generate):
2954         * b3/air/AirGenerate.h: Added.
2955         * b3/air/AirGenerated.cpp: Added.
2956         * b3/air/AirGenerationContext.h: Added.
2957         * b3/air/AirHandleCalleeSaves.cpp: Added.
2958         (JSC::B3::Air::handleCalleeSaves):
2959         * b3/air/AirHandleCalleeSaves.h: Added.
2960         * b3/air/AirInsertionSet.cpp: Added.
2961         (JSC::B3::Air::InsertionSet::execute):
2962         * b3/air/AirInsertionSet.h: Added.
2963         (JSC::B3::Air::InsertionSet::InsertionSet):
2964         (JSC::B3::Air::InsertionSet::code):
2965         (JSC::B3::Air::InsertionSet::appendInsertion):
2966         (JSC::B3::Air::InsertionSet::insertInst):
2967         (JSC::B3::Air::InsertionSet::insert):
2968         * b3/air/AirInst.cpp: Added.
2969         (JSC::B3::Air::Inst::dump):
2970         * b3/air/AirInst.h: Added.
2971         (JSC::B3::Air::Inst::Inst):
2972         (JSC::B3::Air::Inst::opcode):
2973         (JSC::B3::Air::Inst::forEachTmpFast):
2974         (JSC::B3::Air::Inst::forEachTmp):
2975         * b3/air/AirInstInlines.h: Added.
2976         (JSC::B3::Air::ForEach<Tmp>::forEach):
2977         (JSC::B3::Air::ForEach<Arg>::forEach):
2978         (JSC::B3::Air::Inst::forEach):
2979         (JSC::B3::Air::Inst::hasSpecial):
2980         (JSC::B3::Air::Inst::extraClobberedRegs):
2981         (JSC::B3::Air::Inst::reportUsedRegisters):
2982         (JSC::B3::Air::isShiftValid):
2983         (JSC::B3::Air::isLshift32Valid):
2984         * b3/air/AirLiveness.h: Added.
2985         (JSC::B3::Air::Liveness::Liveness):
2986         (JSC::B3::Air::Liveness::liveAtHead):
2987         (JSC::B3::Air::Liveness::liveAtTail):
2988         (JSC::B3::Air::Liveness::LocalCalc::LocalCalc):
2989         (JSC::B3::Air::Liveness::LocalCalc::live):
2990         (JSC::B3::Air::Liveness::LocalCalc::takeLive):
2991         (JSC::B3::Air::Liveness::LocalCalc::execute):
2992         * b3/air/AirOpcode.opcodes: Added.
2993         * b3/air/AirPhaseScope.cpp: Added.
2994         (JSC::B3::Air::PhaseScope::PhaseScope):
2995         (JSC::B3::Air::PhaseScope::~PhaseScope):
2996         * b3/air/AirPhaseScope.h: Added.
2997         * b3/air/AirRegisterPriority.cpp: Added.
2998         (JSC::B3::Air::gprsInPriorityOrder):
2999         (JSC::B3::Air::fprsInPriorityOrder):
3000         (JSC::B3::Air::regsInPriorityOrder):
3001         * b3/air/AirRegisterPriority.h: Added.
3002         (JSC::B3::Air::RegistersInPriorityOrder<GPRInfo>::inPriorityOrder):
3003         (JSC::B3::Air::RegistersInPriorityOrder<FPRInfo>::inPriorityOrder):
3004         (JSC::B3::Air::regsInPriorityOrder):
3005         * b3/air/AirSpecial.cpp: Added.
3006         (JSC::B3::Air::Special::Special):
3007         (JSC::B3::Air::Special::~Special):
3008         (JSC::B3::Air::Special::name):
3009         (JSC::B3::Air::Special::dump):
3010         (JSC::B3::Air::Special::deepDump):
3011         * b3/air/AirSpecial.h: Added.
3012         (JSC::B3::Air::DeepSpecialDump::DeepSpecialDump):
3013         (JSC::B3::Air::DeepSpecialDump::dump):
3014         (JSC::B3::Air::deepDump):
3015         * b3/air/AirSpillEverything.cpp: Added.
3016         (JSC::B3::Air::spillEverything):
3017         * b3/air/AirSpillEverything.h: Added.
3018         * b3/air/AirStackSlot.cpp: Added.
3019         (JSC::B3::Air::StackSlot::setOffsetFromFP):
3020         (JSC::B3::Air::StackSlot::dump):
3021         (JSC::B3::Air::StackSlot::deepDump):
3022         (JSC::B3::Air::StackSlot::StackSlot):
3023         * b3/air/AirStackSlot.h: Added.
3024         (JSC::B3::Air::StackSlot::byteSize):
3025         (JSC::B3::Air::StackSlot::kind):
3026         (JSC::B3::Air::StackSlot::index):
3027         (JSC::B3::Air::StackSlot::alignment):
3028         (JSC::B3::Air::StackSlot::value):
3029         (JSC::B3::Air::StackSlot::offsetFromFP):
3030         (JSC::B3::Air::DeepStackSlotDump::DeepStackSlotDump):
3031         (JSC::B3::Air::DeepStackSlotDump::dump):
3032         (JSC::B3::Air::deepDump):
3033         * b3/air/AirTmp.cpp: Added.
3034         (JSC::B3::Air::Tmp::dump):
3035         * b3/air/AirTmp.h: Added.
3036         (JSC::B3::Air::Tmp::Tmp):
3037         (JSC::B3::Air::Tmp::gpTmpForIndex):
3038         (JSC::B3::Air::Tmp::fpTmpForIndex):
3039         (JSC::B3::Air::Tmp::operator bool):
3040         (JSC::B3::Air::Tmp::isGP):
3041         (JSC::B3::Air::Tmp::isFP):
3042         (JSC::B3::Air::Tmp::isGPR):
3043         (JSC::B3::Air::Tmp::isFPR):
3044         (JSC::B3::Air::Tmp::isReg):
3045         (JSC::B3::Air::Tmp::gpr):
3046         (JSC::B3::Air::Tmp::fpr):
3047         (JSC::B3::Air::Tmp::reg):
3048         (JSC::B3::Air::Tmp::hasTmpIndex):
3049         (JSC::B3::Air::Tmp::gpTmpIndex):
3050         (JSC::B3::Air::Tmp::fpTmpIndex):
3051         (JSC::B3::Air::Tmp::tmpIndex):
3052         (JSC::B3::Air::Tmp::isAlive):
3053         (JSC::B3::Air::Tmp::operator==):
3054         (JSC::B3::Air::Tmp::operator!=):
3055         (JSC::B3::Air::Tmp::isHashTableDeletedValue):
3056         (JSC::B3::Air::Tmp::hash):
3057         (JSC::B3::Air::Tmp::encodeGP):
3058         (JSC::B3::Air::Tmp::encodeFP):
3059         (JSC::B3::Air::Tmp::encodeGPR):
3060         (JSC::B3::Air::Tmp::encodeFPR):
3061         (JSC::B3::Air::Tmp::encodeGPTmp):
3062         (JSC::B3::Air::Tmp::encodeFPTmp):
3063         (JSC::B3::Air::Tmp::isEncodedGP):
3064         (JSC::B3::Air::Tmp::isEncodedFP):
3065         (JSC::B3::Air::Tmp::isEncodedGPR):
3066         (JSC::B3::Air::Tmp::isEncodedFPR):
3067         (JSC::B3::Air::Tmp::isEncodedGPTmp):
3068         (JSC::B3::Air::Tmp::isEncodedFPTmp):
3069         (JSC::B3::Air::Tmp::decodeGPR):
3070         (JSC::B3::Air::Tmp::decodeFPR):
3071         (JSC::B3::Air::Tmp::decodeGPTmp):
3072         (JSC::B3::Air::Tmp::decodeFPTmp):
3073         (JSC::B3::Air::TmpHash::hash):
3074         (JSC::B3::Air::TmpHash::equal):
3075         * b3/air/AirTmpInlines.h: Added.
3076         (JSC::B3::Air::Tmp::Tmp):
3077         * b3/air/AirValidate.cpp: Added.
3078         (JSC::B3::Air::validate):
3079         * b3/air/AirValidate.h: Added.
3080         * b3/air/opcode_generator.rb: Added.
3081         * b3/generate_pattern_matcher.rb: Added.
3082         * b3/testb3.cpp: Added.
3083         (JSC::B3::compileAndRun):
3084         (JSC::B3::test42):
3085         (JSC::B3::testLoad42):
3086         (JSC::B3::testArg):
3087         (JSC::B3::testAddArgs):
3088         (JSC::B3::testAddArgs32):
3089         (JSC::B3::testStore):
3090         (JSC::B3::testTrunc):
3091         (JSC::B3::testAdd1):
3092         (JSC::B3::testStoreAddLoad):
3093         (JSC::B3::testStoreAddAndLoad):
3094         (JSC::B3::testAdd1Uncommuted):
3095         (JSC::B3::testLoadOffset):
3096         (JSC::B3::testLoadOffsetNotConstant):
3097         (JSC::B3::testLoadOffsetUsingAdd):
3098         (JSC::B3::testLoadOffsetUsingAddNotConstant):
3099         (JSC::B3::run):
3100         (run):
3101         (main):
3102         * bytecode/CodeBlock.h:
3103         (JSC::CodeBlock::specializationKind):
3104         * jit/Reg.h:
3105         (JSC::Reg::index):
3106         (JSC::Reg::isSet):
3107         (JSC::Reg::operator bool):
3108         (JSC::Reg::isHashTableDeletedValue):
3109         (JSC::Reg::AllRegsIterable::iterator::iterator):
3110         (JSC::Reg::AllRegsIterable::iterator::operator*):
3111         (JSC::Reg::AllRegsIterable::iterator::operator++):
3112         (JSC::Reg::AllRegsIterable::iterator::operator==):
3113         (JSC::Reg::AllRegsIterable::iterator::operator!=):
3114         (JSC::Reg::AllRegsIterable::begin):
3115         (JSC::Reg::AllRegsIterable::end):
3116         (JSC::Reg::all):
3117         (JSC::Reg::invalid):
3118         (JSC::Reg::operator!): Deleted.
3119         * jit/RegisterAtOffsetList.cpp:
3120         (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
3121         * jit/RegisterAtOffsetList.h:
3122         (JSC::RegisterAtOffsetList::clear):
3123         (JSC::RegisterAtOffsetList::size):
3124         (JSC::RegisterAtOffsetList::begin):
3125         (JSC::RegisterAtOffsetList::end):
3126         * jit/RegisterSet.h:
3127         (JSC::RegisterSet::operator==):
3128         (JSC::RegisterSet::hash):
3129         (JSC::RegisterSet::forEach):
3130         (JSC::RegisterSet::setAny):
3131
3132 2015-10-28  Mark Lam  <mark.lam@apple.com>
3133
3134         Rename MacroAssembler::callProbe() to probe().
3135         https://bugs.webkit.org/show_bug.cgi?id=150641
3136
3137         Reviewed by Saam Barati.
3138
3139         To do this, I needed to disambiguate the low-level probe() from the
3140         high-level version that takes a std::function.  I did this by changing the
3141         low-level version to not take default args anymore.
3142
3143         * assembler/AbstractMacroAssembler.h:
3144         * assembler/MacroAssembler.cpp:
3145         (JSC::stdFunctionCallback):
3146         (JSC::MacroAssembler::probe):
3147         (JSC::MacroAssembler::callProbe): Deleted.
3148         * assembler/MacroAssembler.h:
3149         (JSC::MacroAssembler::urshift32):
3150         * assembler/MacroAssemblerARM.h:
3151         (JSC::MacroAssemblerARM::repatchCall):
3152         * assembler/MacroAssemblerARM64.h:
3153         (JSC::MacroAssemblerARM64::repatchCall):
3154         * assembler/MacroAssemblerARMv7.h:
3155         (JSC::MacroAssemblerARMv7::repatchCall):
3156         * assembler/MacroAssemblerPrinter.h:
3157         (JSC::MacroAssemblerPrinter::print):
3158         * assembler/MacroAssemblerX86Common.h:
3159         (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
3160
3161 2015-10-28  Timothy Hatcher  <timothy@apple.com>
3162
3163         Web Inspector: jsmin.py mistakenly removes whitespace from template literal strings
3164         https://bugs.webkit.org/show_bug.cgi?id=148728
3165
3166         Reviewed by Joseph Pecoraro.
3167
3168         * Scripts/jsmin.py:
3169         (JavascriptMinify.minify): Make backtick a quoting character.
3170
3171 2015-10-28  Brian Burg  <bburg@apple.com>
3172
3173         Builtins generator should emit ENABLE(FEATURE) guards based on @conditional annotation
3174         https://bugs.webkit.org/show_bug.cgi?id=150536
3175
3176         Reviewed by Yusuke Suzuki.
3177
3178         Scan JS builtin files for @key=value and @flag annotations in single-line comments.
3179         For @conditional=CONDITIONAL, emit CONDITIONAL guards around the relevant object's code.
3180
3181         Generate primary header includes separately from secondary header includes so we can
3182         put the guard between the two header groups, as is customary in WebKit C++ code.
3183
3184         New tests:
3185
3186         Scripts/tests/builtins/WebCore-ArbitraryConditionalGuard-Separate.js
3187         Scripts/tests/builtins/WebCore-DuplicateFlagAnnotation-Separate.js
3188         Scripts/tests/builtins/WebCore-DuplicateKeyValueAnnotation-Separate.js
3189
3190         * Scripts/builtins/builtins_generate_combined_implementation.py:
3191         (BuiltinsCombinedImplementationGenerator.generate_output):
3192         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3193         (BuiltinsCombinedImplementationGenerator.generate_header_includes): Deleted.
3194         * Scripts/builtins/builtins_generate_separate_header.py:
3195         (BuiltinsSeparateHeaderGenerator.generate_output):
3196         (generate_secondary_header_includes):
3197         (generate_header_includes): Deleted.
3198         * Scripts/builtins/builtins_generate_separate_implementation.py:
3199         (BuiltinsSeparateImplementationGenerator.generate_output):
3200         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3201         (BuiltinsSeparateImplementationGenerator.generate_header_includes): Deleted.
3202         * Scripts/builtins/builtins_generate_separate_wrapper.py:
3203         (BuiltinsSeparateWrapperGenerator.generate_output):
3204         (BuiltinsSeparateWrapperGenerator.generate_secondary_header_includes):
3205         (BuiltinsSeparateWrapperGenerator.generate_header_includes): Deleted.
3206         * Scripts/builtins/builtins_generator.py:
3207         (BuiltinsGenerator.generate_includes_from_entries):
3208         (BuiltinsGenerator):
3209         (BuiltinsGenerator.generate_primary_header_includes):
3210         * Scripts/builtins/builtins_model.py:
3211         (BuiltinObject.__init__):
3212         (BuiltinsCollection.parse_builtins_file):
3213         (BuiltinsCollection._parse_annotations):
3214         * Scripts/tests/builtins/WebCore-ArbitraryConditionalGuard-Separate.js: Added.
3215         * Scripts/tests/builtins/WebCore-DuplicateFlagAnnotation-Separate.js: Added.
3216         * Scripts/tests/builtins/WebCore-DuplicateKeyValueAnnotation-Separate.js: Added.
3217         * Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js: Simplify.
3218         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js: Simplify.
3219         * Scripts/tests/builtins/WebCore-UnguardedBuiltin-Separate.js: Simplify.
3220         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Added.
3221         * Scripts/tests/builtins/expected/WebCore-DuplicateFlagAnnotation-Separate.js-error: Added.
3222         * Scripts/tests/builtins/expected/WebCore-DuplicateKeyValueAnnotation-Separate.js-error: Added.
3223         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3224         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3225         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3226         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3227
3228 2015-10-28  Mark Lam  <mark.lam@apple.com>
3229
3230         Update FTL to support UntypedUse operands for op_sub.
3231         https://bugs.webkit.org/show_bug.cgi?id=150562
3232
3233         Reviewed by Geoffrey Garen.
3234
3235         * assembler/MacroAssemblerARM64.h:
3236         - make the dataTempRegister and memoryTempRegister public so that we can
3237           move input registers out of them if needed.
3238
3239         * ftl/FTLCapabilities.cpp:
3240         (JSC::FTL::canCompile):
3241         - We can now compile ArithSub.
3242
3243         * ftl/FTLCompile.cpp:
3244         - Added BinaryArithGenerationContext to shuffle registers into a state that is
3245           expected by the baseline snippet generator.  This includes:
3246           1. Making sure that the input and output registers are not in the tag or
3247              scratch registers.
3248           2. Loading the tag registers with expected values.
3249           3. Restoring the registers to their original value on return.
3250         - Added code to implement the ArithSub inline cache.
3251
3252         * ftl/FTLInlineCacheDescriptor.h:
3253         (JSC::FTL::ArithSubDescriptor::ArithSubDescriptor):
3254         (JSC::FTL::ArithSubDescriptor::leftType):
3255         (JSC::FTL::ArithSubDescriptor::rightType):
3256
3257         * ftl/FTLInlineCacheSize.cpp:
3258         (JSC::FTL::sizeOfArithSub):
3259         * ftl/FTLInlineCacheSize.h:
3260
3261         * ftl/FTLLowerDFGToLLVM.cpp:
3262         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
3263         - Added handling for UnusedType for the ArithSub case.
3264
3265         * ftl/FTLState.h:
3266         * jit/GPRInfo.h:
3267         (JSC::GPRInfo::reservedRegisters):
3268
3269         * jit/JITSubGenerator.h:
3270         (JSC::JITSubGenerator::generateFastPath):
3271         - When the result is the same as one of the input registers, we'll end up
3272           corrupting the input in fast path even if we determine that we need to go to
3273           the slow path.  We now move the input into the scratch register and operate
3274           on that instead, and move the result into the result register only after
3275           the fast path has succeeded.
3276
3277         * tests/stress/op_sub.js:
3278         (o1.valueOf):
3279         (runTest):
3280         - Added some debugging tools: flags for verbose logging, and eager abort on fail.
3281
3282 2015-10-28  Mark Lam  <mark.lam@apple.com>
3283
3284         Fix a typo in ProbeContext::fpr().
3285         https://bugs.webkit.org/show_bug.cgi?id=150629
3286
3287         Reviewed by Yusuke Suzuki.
3288
3289         ProbeContext::fpr() should be calling CPUState::fpr(), not CPUState::gpr().
3290
3291         * assembler/AbstractMacroAssembler.h:
3292         (JSC::AbstractMacroAssembler::ProbeContext::fpr):
3293
3294 2015-10-28  Mark Lam  <mark.lam@apple.com>
3295
3296         Add ability to print the PC register from JIT'ed code.
3297         https://bugs.webkit.org/show_bug.cgi?id=150561
3298
3299         Reviewed by Geoffrey Garen.
3300
3301         * assembler/MacroAssemblerPrinter.cpp:
3302         (JSC::printPC):
3303         (JSC::MacroAssemblerPrinter::printCallback):
3304         * assembler/MacroAssemblerPrinter.h:
3305         (JSC::MacroAssemblerPrinter::PrintArg::PrintArg):
3306
3307 2015-10-27  Joseph Pecoraro  <pecoraro@apple.com>
3308
3309         Web Inspector: Remove Timeline MarkDOMContent and MarkLoad, data is already available
3310         https://bugs.webkit.org/show_bug.cgi?id=150615
3311
3312         Reviewed by Timothy Hatcher.
3313
3314         * inspector/protocol/Timeline.json:
3315
3316 2015-10-27  Joseph Pecoraro  <pecoraro@apple.com>
3317
3318         Web Inspector: Remove unused / duplicated XHR timeline instrumentation
3319         https://bugs.webkit.org/show_bug.cgi?id=150605
3320
3321         Reviewed by Timothy Hatcher.
3322
3323         * inspector/protocol/Timeline.json:
3324
3325 2015-10-27  Michael Saboff  <msaboff@apple.com>
3326
3327         REGRESSION (r191360): Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL:: + 386
3328         https://bugs.webkit.org/show_bug.cgi?id=150580
3329
3330         Reviewed by Mark Lam.
3331
3332         Changed code to box 32 bit integers and boolean arguments when generating the call instead of boxing
3333         them in the shuffler.
3334
3335         The ASSERT in CallFrameShuffler::extendFrameIfNeeded is wrong when called from CallFrameShuffler::spill(),
3336         as we could be making space to spill a register so that we have a spare that we can use for the new
3337         frame's base pointer.
3338
3339         * ftl/FTLJSTailCall.cpp:
3340         (JSC::FTL::DFG::recoveryFor): Added RELEASE_ASSERT to check that we never see unboxed 32 bit
3341         arguments stored in the stack.
3342         * ftl/FTLLowerDFGToLLVM.cpp:
3343         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForTailCall):
3344         * jit/CallFrameShuffler.cpp:
3345         (JSC::CallFrameShuffler::extendFrameIfNeeded): Removed unneeded ASSERT.
3346
3347 2015-10-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3348
3349         [ES6] Add DFG/FTL support for accessor put operations
3350         https://bugs.webkit.org/show_bug.cgi?id=148860
3351
3352         Reviewed by Geoffrey Garen.
3353
3354         This patch introduces accessor defining ops into DFG and FTL.
3355         The following DFG nodes are introduced.
3356
3357             op_put_getter_by_id  => PutGetterById
3358             op_put_setter_by_id  => PutSetterById
3359             op_put_getter_setter => PutGetterSetterById
3360             op_put_getter_by_val => PutGetterByVal
3361             op_put_setter_by_val => PutSetterByVal
3362
3363         These DFG nodes just call operations. But it does not prevent compiling in DFG/FTL.
3364
3365         To use operations defined for baseline JIT, we clean up existing operations.
3366         And reuse these operations in DFG and FTL.
3367
3368         * dfg/DFGAbstractInterpreterInlines.h:
3369         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3370         * dfg/DFGByteCodeParser.cpp:
3371         (JSC::DFG::ByteCodeParser::parseBlock):
3372         * dfg/DFGCapabilities.cpp:
3373         (JSC::DFG::capabilityLevel):
3374         * dfg/DFGClobberize.h:
3375         (JSC::DFG::clobberize):
3376         * dfg/DFGDoesGC.cpp:
3377         (JSC::DFG::doesGC):
3378         * dfg/DFGFixupPhase.cpp:
3379         (JSC::DFG::FixupPhase::fixupNode):
3380         * dfg/DFGNode.h:
3381         (JSC::DFG::Node::hasIdentifier):
3382         (JSC::DFG::Node::hasAccessorAttributes):
3383         (JSC::DFG::Node::accessorAttributes):
3384         * dfg/DFGNodeType.h:
3385         * dfg/DFGPredictionPropagationPhase.cpp:
3386         (JSC::DFG::PredictionPropagationPhase::propagate):
3387         * dfg/DFGSafeToExecute.h:
3388         (JSC::DFG::safeToExecute):
3389         * dfg/DFGSpeculativeJIT.cpp:
3390         (JSC::DFG::SpeculativeJIT::compilePutAccessorById):
3391         (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
3392         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
3393         We should fill all GPRs before calling flushRegisters().
3394         * dfg/DFGSpeculativeJIT.h:
3395         (JSC::DFG::SpeculativeJIT::callOperation):
3396         * dfg/DFGSpeculativeJIT32_64.cpp:
3397         (JSC::DFG::SpeculativeJIT::c