906da00d519a79979d322742190524d2a03a0235
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-03-01  Alex Christensen  <achristensen@webkit.org>
2
3         Reduce size of internal windows build output
4         https://bugs.webkit.org/show_bug.cgi?id=154763
5
6         Reviewed by Brent Fulgham.
7
8         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
9
10 2016-03-01  Saam barati  <sbarati@apple.com>
11
12         [[IsExtensible]] should be a virtual method in the method table
13         https://bugs.webkit.org/show_bug.cgi?id=154799
14
15         Reviewed by Mark Lam.
16
17         This patch makes us more consistent with how the ES6 specification models the
18         [[IsExtensible]] trap. Moving this method into ClassInfo::methodTable 
19         is a prerequisite for implementing Proxy.[[IsExtensible]].
20
21         * runtime/ClassInfo.h:
22         * runtime/JSCell.cpp:
23         (JSC::JSCell::preventExtensions):
24         (JSC::JSCell::isExtensible):
25         * runtime/JSCell.h:
26         * runtime/JSGlobalObjectFunctions.cpp:
27         (JSC::globalFuncProtoSetter):
28         * runtime/JSObject.cpp:
29         (JSC::JSObject::preventExtensions):
30         (JSC::JSObject::isExtensible):
31         (JSC::JSObject::reifyAllStaticProperties):
32         (JSC::JSObject::defineOwnIndexedProperty):
33         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
34         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
35         (JSC::JSObject::defineOwnNonIndexProperty):
36         (JSC::JSObject::defineOwnProperty):
37         * runtime/JSObject.h:
38         (JSC::JSObject::isSealed):
39         (JSC::JSObject::isFrozen):
40         (JSC::JSObject::isExtensibleImpl):
41         (JSC::JSObject::isStructureExtensible):
42         (JSC::JSObject::isExtensibleInline):
43         (JSC::JSObject::indexingShouldBeSparse):
44         (JSC::JSObject::putDirectInternal):
45         (JSC::JSObject::isExtensible): Deleted.
46         * runtime/ObjectConstructor.cpp:
47         (JSC::objectConstructorSetPrototypeOf):
48         (JSC::objectConstructorIsSealed):
49         (JSC::objectConstructorIsFrozen):
50         (JSC::objectConstructorIsExtensible):
51         (JSC::objectConstructorIs):
52         * runtime/ProxyObject.cpp:
53         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
54         (JSC::ProxyObject::performHasProperty):
55         * runtime/ReflectObject.cpp:
56         (JSC::reflectObjectIsExtensible):
57         (JSC::reflectObjectSetPrototypeOf):
58         * runtime/SparseArrayValueMap.cpp:
59         (JSC::SparseArrayValueMap::putEntry):
60         (JSC::SparseArrayValueMap::putDirect):
61         * runtime/StringObject.cpp:
62         (JSC::StringObject::defineOwnProperty):
63         * runtime/Structure.cpp:
64         (JSC::Structure::isSealed):
65         (JSC::Structure::isFrozen):
66         * runtime/Structure.h:
67
68 2016-03-01  Filip Pizlo  <fpizlo@apple.com>
69
70         Unreviewed, fix CLOOP build.
71
72         * jit/JITOperations.h:
73
74 2016-03-01  Skachkov Oleksandr  <gskachkov@gmail.com>
75
76         [ES6] Arrow function. Some unused bytecode is emitted
77         https://bugs.webkit.org/show_bug.cgi?id=154639
78
79         Reviewed by Saam Barati.
80
81         Currently the bytecode that is generated for an arrow function is not optimal.
82         The current fix removes the following unnecessary bytecode:
83         1. create_lexical_environment is not always emitted for an arrow function, only if some of the
84            features (this/super/arguments/eval) are used inside the arrow function.
85         2. Loading 'this' from the arrow function scope in a constructor is done only if super
86            is contained in the arrow function.
87
88         * bytecompiler/BytecodeGenerator.cpp:
89         (JSC::BytecodeGenerator::BytecodeGenerator):
90         (JSC::BytecodeGenerator::isSuperCallUsedInInnerArrowFunction):
91         * bytecompiler/BytecodeGenerator.h:
92         * bytecompiler/NodesCodegen.cpp:
93         (JSC::ThisNode::emitBytecode):
94         (JSC::FunctionNode::emitBytecode):
95         * parser/Nodes.h:
96         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseAnyFeature):
97         * tests/stress/arrowfunction-lexical-bind-supercall-4.js:
98
99 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
100
101         Turn String.prototype.replace into an intrinsic
102         https://bugs.webkit.org/show_bug.cgi?id=154835
103
104         Reviewed by Michael Saboff.
105
106         Octane/regexp spends a lot of time in String.prototype.replace(). That function does a lot
107         of checks to see if the parameters are what they are likely to often be (a string, a
108         regexp, and a string). The intuition of this patch is that it's good to remove those checks
109         and it's good to call the native function as directly as possible.
110
111         This yields a 10% speed-up on a replace microbenchmark and a 3% speed-up on Octane/regexp.
112         It also improves Octane/jquery.
113
114         This is only the beginning of what I want to do with replace optimizations. The other
115         optimizations will rely on StringReplace being revealed as a construct in DFG IR.
116
117         * JavaScriptCore.xcodeproj/project.pbxproj:
118         * bytecode/SpeculatedType.cpp:
119         (JSC::dumpSpeculation):
120         (JSC::speculationToAbbreviatedString):
121         (JSC::speculationFromClassInfo):
122         * bytecode/SpeculatedType.h:
123         (JSC::isStringOrStringObjectSpeculation):
124         (JSC::isRegExpObjectSpeculation):
125         (JSC::isBoolInt32Speculation):
126         * dfg/DFGAbstractInterpreterInlines.h:
127         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
128         * dfg/DFGByteCodeParser.cpp:
129         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
130         * dfg/DFGClobberize.h:
131         (JSC::DFG::clobberize):
132         * dfg/DFGDoesGC.cpp:
133         (JSC::DFG::doesGC):
134         * dfg/DFGFixupPhase.cpp:
135         (JSC::DFG::FixupPhase::fixupNode):
136         * dfg/DFGNode.h:
137         (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
138         (JSC::DFG::Node::shouldSpeculateRegExpObject):
139         (JSC::DFG::Node::shouldSpeculateSymbol):
140         * dfg/DFGNodeType.h:
141         * dfg/DFGPredictionPropagationPhase.cpp:
142         (JSC::DFG::PredictionPropagationPhase::propagate):
143         * dfg/DFGSafeToExecute.h:
144         (JSC::DFG::SafeToExecuteEdge::operator()):
145         (JSC::DFG::safeToExecute):
146         * dfg/DFGSpeculativeJIT.cpp:
147         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
148         (JSC::DFG::SpeculativeJIT::speculateRegExpObject):
149         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
150         (JSC::DFG::SpeculativeJIT::speculate):
151         * dfg/DFGSpeculativeJIT.h:
152         * dfg/DFGSpeculativeJIT32_64.cpp:
153         (JSC::DFG::SpeculativeJIT::compile):
154         * dfg/DFGSpeculativeJIT64.cpp:
155         (JSC::DFG::SpeculativeJIT::compile):
156         * dfg/DFGUseKind.cpp:
157         (WTF::printInternal):
158         * dfg/DFGUseKind.h:
159         (JSC::DFG::typeFilterFor):
160         (JSC::DFG::isCell):
161         * ftl/FTLCapabilities.cpp:
162         (JSC::FTL::canCompile):
163         * ftl/FTLLowerDFGToB3.cpp:
164         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
165         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
166         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
167         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
168         (JSC::FTL::DFG::LowerDFGToB3::speculate):
169         (JSC::FTL::DFG::LowerDFGToB3::speculateFinalObject):
170         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject):
171         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
172         * jit/JITOperations.h:
173         * runtime/Intrinsic.h:
174         * runtime/JSType.h:
175         * runtime/RegExpObject.h:
176         (JSC::RegExpObject::createStructure):
177         * runtime/StringPrototype.cpp:
178         (JSC::StringPrototype::finishCreation):
179         (JSC::removeUsingRegExpSearch):
180         (JSC::replaceUsingRegExpSearch):
181         (JSC::operationStringProtoFuncReplaceRegExpString):
182         (JSC::replaceUsingStringSearch):
183         (JSC::stringProtoFuncRepeat):
184         (JSC::replace):
185         (JSC::stringProtoFuncReplace):
186         (JSC::operationStringProtoFuncReplaceGeneric):
187         (JSC::stringProtoFuncToString):
188         * runtime/StringPrototype.h:
189
190 2016-03-01  Commit Queue  <commit-queue@webkit.org>
191
192         Unreviewed, rolling out r197056.
193         https://bugs.webkit.org/show_bug.cgi?id=154870
194
195         broke win ews (Requested by alexchristensen on #webkit).
196
197         Reverted changeset:
198
199         "[cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK."
200         https://bugs.webkit.org/show_bug.cgi?id=154651
201         http://trac.webkit.org/changeset/197056
202
203 2016-02-29  Saam barati  <sbarati@apple.com>
204
205         [[PreventExtensions]] should be a virtual method in the method table.
206         https://bugs.webkit.org/show_bug.cgi?id=154800
207
208         Reviewed by Yusuke Suzuki.
209
210         This patch makes us more consistent with how the ES6 specification models the
211         [[PreventExtensions]] trap. Moving this method into ClassInfo::methodTable 
212         is a prerequisite for implementing Proxy.[[PreventExtensions]].
213
214         * runtime/ClassInfo.h:
215         * runtime/JSCell.cpp:
216         (JSC::JSCell::getGenericPropertyNames):
217         (JSC::JSCell::preventExtensions):
218         * runtime/JSCell.h:
219         * runtime/JSModuleNamespaceObject.cpp:
220         (JSC::JSModuleNamespaceObject::JSModuleNamespaceObject):
221         (JSC::JSModuleNamespaceObject::finishCreation):
222         (JSC::JSModuleNamespaceObject::destroy):
223         * runtime/JSModuleNamespaceObject.h:
224         (JSC::JSModuleNamespaceObject::create):
225         (JSC::JSModuleNamespaceObject::moduleRecord):
226         * runtime/JSObject.cpp:
227         (JSC::JSObject::freeze):
228         (JSC::JSObject::preventExtensions):
229         (JSC::JSObject::reifyAllStaticProperties):
230         * runtime/JSObject.h:
231         (JSC::JSObject::isSealed):
232         (JSC::JSObject::isFrozen):
233         (JSC::JSObject::isExtensible):
234         * runtime/ObjectConstructor.cpp:
235         (JSC::objectConstructorSeal):
236         (JSC::objectConstructorFreeze):
237         (JSC::objectConstructorPreventExtensions):
238         (JSC::objectConstructorIsSealed):
239         * runtime/ReflectObject.cpp:
240         (JSC::reflectObjectPreventExtensions):
241         * runtime/Structure.cpp:
242         (JSC::Structure::Structure):
243         (JSC::Structure::preventExtensionsTransition):
244         * runtime/Structure.h:
245
246 2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>
247
248         [JSC] Private symbols should not be trapped by proxy handler
249         https://bugs.webkit.org/show_bug.cgi?id=154817
250
251         Reviewed by Mark Lam.
252
253         Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
254         For example, in ArrayIteratorPrototype.js
255
256             var itemKind = this.@arrayIterationKind;
257             if (itemKind === @undefined)
258                 throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");
259
260         Here, we assume that only the array iterator has the @arrayIterationKind property whose value is non-undefined.
261         But if we implement a Proxy with a get handler that returns a non-undefined value for every operation, we accidentally assume that the given value is an array iterator.
262
263         To avoid these situations, we perform the default operations for property operations with private symbols.
264
265         * runtime/ProxyObject.cpp:
266         (JSC::performProxyGet):
267         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
268         (JSC::ProxyObject::performHasProperty):
269         (JSC::ProxyObject::performPut):
270         (JSC::ProxyObject::performDelete):
271         (JSC::ProxyObject::deleteProperty):
272         (JSC::ProxyObject::deletePropertyByIndex):
273         * tests/stress/proxy-basic.js:
274         * tests/stress/proxy-with-private-symbols.js: Added.
275         (assert):
276         (let.handler.getOwnPropertyDescriptor):
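The hazard this entry describes, reproduced in plain JavaScript as an added example (not JavaScriptCore's own code). A script cannot name JSC's private symbols, so an ordinary Symbol stands in for @arrayIterationKind; the `FakeArrayIterator`, `BrandedIterator` and handler names are constructed for the illustration. The WeakSet check at the end is the userland analogue of the fix: a brand that a Proxy trap cannot answer for.

```javascript
// Added example, not JavaScriptCore code: a presence-based brand check
// (as in the builtin quoted in the entry) is fooled by a Proxy whose `get`
// trap answers every lookup; an identity-based brand is not.

const arrayIterationKind = Symbol("arrayIterationKind"); // stand-in for @arrayIterationKind

class FakeArrayIterator {
  constructor() { this[arrayIterationKind] = "values"; }
}

// Presence-based brand check, modelled on the builtin quoted in the entry:
// a non-undefined value at the "private" property is taken as proof.
function propertyBrandCheck(candidate) {
  return candidate[arrayIterationKind] !== undefined;
}

// Identity-based brand check: only the constructor can add to the WeakSet,
// and a Proxy wrapping an instance is a different object from the instance.
const brandedInstances = new WeakSet();
class BrandedIterator {
  constructor() { brandedInstances.add(this); }
}
function weakSetBrandCheck(candidate) {
  return brandedInstances.has(candidate);
}

// Handler that returns a non-undefined value for every `get`, as in the entry.
const answerEverything = {
  get(_target, _property, _receiver) { return "values"; },
};

function demonstrate() {
  const real = new FakeArrayIterator();
  const impostor = new Proxy({}, answerEverything);
  const branded = new BrandedIterator();
  const proxiedBranded = new Proxy(branded, answerEverything);
  return {
    realPassesPropertyCheck: propertyBrandCheck(real),            // true
    impostorPassesPropertyCheck: propertyBrandCheck(impostor),    // true: the trap spoofed the brand
    brandedPassesWeakSetCheck: weakSetBrandCheck(branded),        // true
    proxiedPassesWeakSetCheck: weakSetBrandCheck(proxiedBranded), // false: a Proxy is a distinct object
  };
}

console.log(demonstrate());
```

In JSC the private symbol is unreachable from scripts, so the fix is simply to skip the handler for such keys; the WeakSet version shows the same principle for code that has to brand its own objects.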
277
278 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
279
280         regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
281         https://bugs.webkit.org/show_bug.cgi?id=154841
282
283         Reviewed by Benjamin Poulain.
284
285         Here's the deadlock:
286
287         Main thread:
288             1) Change an InferredType.  This acquires InferredType::m_lock.
289             2) Fire watchpoint set.  This triggers CodeBlock invalidation, which acquires
290                CodeBlock::m_lock.
291
292         DFG thread:
293             1) Iterate over the information in a CodeBlock.  This acquires CodeBlock::m_lock.
294             2) Ask an InferredType for its descriptor().  This acquires InferredType::m_lock.
295
296         I think that the DFG thread's ordering should be legal, because the best logic for lock
297         hierarchies is that locks that protect the largest set of stuff should be acquired first.
298
299         This means that the main thread shouldn't be holding the InferredType::m_lock when firing
300         watchpoint sets.  That's what this patch ensures.
301
302         At the time of writing, this test was deadlocking for me on trunk 100% of the time.  With
303         this change I cannot get it to deadlock.
304
305         * runtime/InferredType.cpp:
306         (JSC::InferredType::willStoreValueSlow):
307         (JSC::InferredType::makeTopSlow):
308         (JSC::InferredType::set):
309         (JSC::InferredType::removeStructure):
310         (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
311         * runtime/InferredType.h:
312
313 2016-02-29  Yusuke Suzuki  <utatane.tea@gmail.com>
314
315         [DFG][FTL][B3] Support floor and ceil
316         https://bugs.webkit.org/show_bug.cgi?id=154683
317
318         Reviewed by Filip Pizlo.
319
320         This patch implements and fixes the following things.
321
322         1. Implement Ceil and Floor in DFG, FTL and B3
323
324         x86 SSE 4.2 and ARM64 have round instructions that can directly perform Ceil or Floor.
325         This patch leverages this functionality. We introduce ArithFloor and ArithCeil.
326         During the DFG phase, these nodes attempt to convert themselves to Identity (in the Fixup phase).
327         As with ArithRound, they track the arith rounding mode.
328         And if these nodes are required to emit machine code, we emit a rounding machine instruction
329         if it is supported on the current machine. For example, on x86, we emit `round`.
330
331         This `Floor` functionality is nice for @toInteger in builtins.
332         That is used for Array.prototype.{forEach, map, every, some, reduce, ...}.
333         And according to the benchmark results, Kraken audio-oscillator is slightly improved
334         due to its frequent Math.round and Math.floor calls.
335
336         2. Implement Floor in B3 and Air
337
338         As with Ceil in B3, we add a new B3 IR and Air opcode, Floor.
339         This Floor is leveraged to implement ArithFloor in DFG.
340
341         3. Fix ArithRound operation
342
343         Currently, we use cvtsd2si (on x86) to convert a double value to int32.
344         And we also use this to implement Math.round, like cvtsd2si(value + 0.5).
345         However, this implementation is not correct, because cvtsd2si is not a floor operation.
346         It is a truncate operation. This is OK for positive numbers, but not OK for negative numbers.
347         For example, the current implementation accidentally rounds `-0.6` to `-0.0`. This should be `-1.0`.
348         Using Ceil and Floor instructions, we implement a correct ArithRound.
349
350         * assembler/MacroAssemblerARM.h:
351         (JSC::MacroAssemblerARM::supportsFloatingPointRounding):
352         (JSC::MacroAssemblerARM::ceilDouble):
353         (JSC::MacroAssemblerARM::floorDouble):
354         (JSC::MacroAssemblerARM::supportsFloatingPointCeil): Deleted.
355         * assembler/MacroAssemblerARM64.h:
356         (JSC::MacroAssemblerARM64::supportsFloatingPointRounding):
357         (JSC::MacroAssemblerARM64::floorFloat):
358         (JSC::MacroAssemblerARM64::supportsFloatingPointCeil): Deleted.
359         * assembler/MacroAssemblerARMv7.h:
360         (JSC::MacroAssemblerARMv7::supportsFloatingPointRounding):
361         (JSC::MacroAssemblerARMv7::ceilDouble):
362         (JSC::MacroAssemblerARMv7::floorDouble):
363         (JSC::MacroAssemblerARMv7::supportsFloatingPointCeil): Deleted.
364         * assembler/MacroAssemblerMIPS.h:
365         (JSC::MacroAssemblerMIPS::ceilDouble):
366         (JSC::MacroAssemblerMIPS::floorDouble):
367         (JSC::MacroAssemblerMIPS::supportsFloatingPointRounding):
368         (JSC::MacroAssemblerMIPS::supportsFloatingPointCeil): Deleted.
369         * assembler/MacroAssemblerSH4.h:
370         (JSC::MacroAssemblerSH4::supportsFloatingPointRounding):
371         (JSC::MacroAssemblerSH4::ceilDouble):
372         (JSC::MacroAssemblerSH4::floorDouble):
373         (JSC::MacroAssemblerSH4::supportsFloatingPointCeil): Deleted.
374         * assembler/MacroAssemblerX86Common.h:
375         (JSC::MacroAssemblerX86Common::floorDouble):
376         (JSC::MacroAssemblerX86Common::floorFloat):
377         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
378         (JSC::MacroAssemblerX86Common::supportsFloatingPointCeil): Deleted.
379         * b3/B3ConstDoubleValue.cpp:
380         (JSC::B3::ConstDoubleValue::floorConstant):
381         * b3/B3ConstDoubleValue.h:
382         * b3/B3ConstFloatValue.cpp:
383         (JSC::B3::ConstFloatValue::floorConstant):
384         * b3/B3ConstFloatValue.h:
385         * b3/B3LowerMacrosAfterOptimizations.cpp:
386         * b3/B3LowerToAir.cpp:
387         (JSC::B3::Air::LowerToAir::lower):
388         * b3/B3Opcode.cpp:
389         (WTF::printInternal):
390         * b3/B3Opcode.h:
391         * b3/B3ReduceDoubleToFloat.cpp:
392         * b3/B3ReduceStrength.cpp:
393         * b3/B3Validate.cpp:
394         * b3/B3Value.cpp:
395         (JSC::B3::Value::floorConstant):
396         (JSC::B3::Value::isRounded):
397         (JSC::B3::Value::effects):
398         (JSC::B3::Value::key):
399         (JSC::B3::Value::typeFor):
400         * b3/B3Value.h:
401         * b3/air/AirFixPartialRegisterStalls.cpp:
402         * b3/air/AirOpcode.opcodes:
403         * b3/testb3.cpp:
404         (JSC::B3::testFloorCeilArg):
405         (JSC::B3::testFloorArg):
406         (JSC::B3::testFloorImm):
407         (JSC::B3::testFloorMem):
408         (JSC::B3::testFloorFloorArg):
409         (JSC::B3::testCeilFloorArg):
410         (JSC::B3::testFloorIToD64):
411         (JSC::B3::testFloorIToD32):
412         (JSC::B3::testFloorArgWithUselessDoubleConversion):
413         (JSC::B3::testFloorArgWithEffectfulDoubleConversion):
414         (JSC::B3::run):
415         * dfg/DFGAbstractInterpreterInlines.h:
416         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
417         * dfg/DFGArithMode.cpp:
418         (WTF::printInternal):
419         * dfg/DFGArithMode.h:
420         * dfg/DFGByteCodeParser.cpp:
421         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
422         * dfg/DFGClobberize.h:
423         (JSC::DFG::clobberize):
424         * dfg/DFGDoesGC.cpp:
425         (JSC::DFG::doesGC):
426         * dfg/DFGFixupPhase.cpp:
427         (JSC::DFG::FixupPhase::fixupNode):
428         * dfg/DFGGraph.cpp:
429         (JSC::DFG::Graph::dump):
430         * dfg/DFGGraph.h:
431         (JSC::DFG::Graph::roundShouldSpeculateInt32):
432         * dfg/DFGNode.h:
433         (JSC::DFG::Node::arithNodeFlags):
434         (JSC::DFG::Node::hasHeapPrediction):
435         (JSC::DFG::Node::hasArithRoundingMode):
436         * dfg/DFGNodeType.h:
437         * dfg/DFGPredictionPropagationPhase.cpp:
438         (JSC::DFG::PredictionPropagationPhase::propagate):
439         * dfg/DFGSafeToExecute.h:
440         (JSC::DFG::safeToExecute):
441         * dfg/DFGSpeculativeJIT.cpp:
442         (JSC::DFG::SpeculativeJIT::compileArithRounding):
443         (JSC::DFG::SpeculativeJIT::compileArithRound): Deleted.
444         * dfg/DFGSpeculativeJIT.h:
445         * dfg/DFGSpeculativeJIT32_64.cpp:
446         (JSC::DFG::SpeculativeJIT::compile):
447         * dfg/DFGSpeculativeJIT64.cpp:
448         (JSC::DFG::SpeculativeJIT::compile):
449         * ftl/FTLCapabilities.cpp:
450         (JSC::FTL::canCompile):
451         * ftl/FTLLowerDFGToB3.cpp:
452         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
453         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
454         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
455         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
456         * ftl/FTLOutput.h:
457         (JSC::FTL::Output::doubleFloor):
458         * jit/ThunkGenerators.cpp:
459         (JSC::ceilThunkGenerator):
460         * tests/stress/math-ceil-arith-rounding-mode.js: Added.
461         (firstCareAboutZeroSecondDoesNot):
462         (firstDoNotCareAboutZeroSecondDoes):
463         (warmup):
464         (verifyNegativeZeroIsPreserved):
465         * tests/stress/math-ceil-basics.js: Added.
466         (mathCeilOnIntegers):
467         (mathCeilOnDoubles):
468         (mathCeilOnBooleans):
469         (uselessMathCeil):
470         (mathCeilWithOverflow):
471         (mathCeilConsumedAsDouble):
472         (mathCeilDoesNotCareAboutMinusZero):
473         (mathCeilNoArguments):
474         (mathCeilTooManyArguments):
475         (testMathCeilOnConstants):
476         (mathCeilStructTransition):
477         (Math.ceil):
478         * tests/stress/math-floor-arith-rounding-mode.js: Added.
479         (firstCareAboutZeroSecondDoesNot):
480         (firstDoNotCareAboutZeroSecondDoes):
481         (warmup):
482         (verifyNegativeZeroIsPreserved):
483         * tests/stress/math-floor-basics.js: Added.
484         (mathFloorOnIntegers):
485         (mathFloorOnDoubles):
486         (mathFloorOnBooleans):
487         (uselessMathFloor):
488         (mathFloorWithOverflow):
489         (mathFloorConsumedAsDouble):
490         (mathFloorDoesNotCareAboutMinusZero):
491         (mathFloorNoArguments):
492         (mathFloorTooManyArguments):
493         (testMathFloorOnConstants):
494         (mathFloorStructTransition):
495         (Math.floor):
496         * tests/stress/math-round-should-not-use-truncate.js: Added.
497         (mathRoundDoesNotCareAboutMinusZero):
498         * tests/stress/math-rounding-infinity.js: Added.
499         (shouldBe):
500         (testRound):
501         (testFloor):
502         (testCeil):
503         * tests/stress/math-rounding-nan.js: Added.
504         (shouldBe):
505         (testRound):
506         (testFloor):
507         (testCeil):
508         * tests/stress/math-rounding-negative-zero.js: Added.
509         (shouldBe):
510         (testRound):
511         (testFloor):
512         (testCeil):
513         (testRoundNonNegativeZero):
514         (testRoundNonNegativeZero2):
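Item 3 of this entry (the ArithRound defect), reproduced in plain JavaScript as an added example rather than JavaScriptCore's own code. `truncateRound` models the old cvtsd2si(value + 0.5) lowering, which truncates toward zero; `floorRound` models the corrected floor-based lowering. The function names and the sample inputs are constructed for the illustration; both models are checked against the engine's own Math.round with Object.is so that -0 and +0 are told apart, which is what the negative-zero tests added in the entry care about.

```javascript
// Added example, not JavaScriptCore code: why "truncate(value + 0.5)" is not
// Math.round, and what a floor-based rounding has to do about negative zero.

// Old lowering: cvtsd2si truncates toward zero, so -0.6 + 0.5 = -0.1 -> -0.
function truncateRound(x) {
  return Math.trunc(x + 0.5);
}

// Corrected lowering: floor(x + 0.5), plus the ES rule that Math.round
// returns -0 for -0.5 <= x <= -0 (floor alone would yield +0 there).
function floorRound(x) {
  const r = Math.floor(x + 0.5);
  return (r === 0 && (x < 0 || Object.is(x, -0))) ? -0 : r;
}

// Inputs on which a rounding implementation disagrees with Math.round.
// Object.is is used because -0 === 0 is true and would hide the bug.
function mismatches(roundFn, inputs) {
  return inputs.filter((x) => !Object.is(roundFn(x), Math.round(x)));
}

// Constructed sample inputs; the negative fractions and -0 are the interesting ones.
const samples = [2.4, 2.5, -0.6, -0.5, -0.4, -2.5, -2.6, 0, -0, 1e20, -1e20, Infinity, -Infinity, NaN];

console.log("truncate-based mismatches:", mismatches(truncateRound, samples)); // [-0.6, -0.5, -0.4, -2.6, -0]
console.log("floor-based mismatches:", mismatches(floorRound, samples));       // []
```

Every mismatch of the truncate model is a negative input, exactly the class the entry says was "NG"; the floor model agrees with Math.round on all of them, including infinities and NaN.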
515
516 2016-02-29  Joseph Pecoraro  <pecoraro@apple.com>
517
518         Add new MethodTable method to get an estimated size for a cell
519         https://bugs.webkit.org/show_bug.cgi?id=154838
520
521         Reviewed by Filip Pizlo.
522
523         The new class method estimatedSize(JSCell*) estimates the size for a single cell.
524         As the name implies, this is meant to be an approximation. It is more important
525         that big objects report a large size than to get perfect size information for
526         all objects in the heap.
527
528             Base implementation (JSCell):
529               - returns the MarkedBlock bucket size for this cell.
530               - This gets us the object size including inline storage. Basically a better sizeof.
531
532             Subclasses with "Extra Memory Cost":
533               - Any class that reports extra memory (reportExtraMemoryVisited) should include that in the estimated size.
534               - E.g. CodeBlock, JSGenericTypedArrayView, WeakMapData, etc.
535
536             Subclasses with "Copied Space" storage:
537               - Any class with data in copied space (copyBackingStore) should include that in the estimated size.
538               - E.g. JSObject, JSGenericTypedArrayView, JSMap, JSSet, DirectArguments, etc.
539
540         Add reportExtraMemoryVisited for UnlinkedCodeBlock's compressed unlinked
541         instructions because this can be larger than 1kb, which is significant.
542
543         This has one special case for RegExp generated bytecode / JIT code, which
544         does not currently fall into the extra memory cost or copied space storage.
545         In practice I haven't seen this grow to a significant cost.
546
547         * runtime/ClassInfo.h:
548         Add the new estimatedSize method to the table.
549
550         * bytecode/UnlinkedCodeBlock.cpp:
551         (JSC::UnlinkedCodeBlock::visitChildren):
552         (JSC::UnlinkedCodeBlock::estimatedSize):
553         (JSC::UnlinkedCodeBlock::setInstructions):
554         * bytecode/UnlinkedCodeBlock.h:
555         Report an extra memory cost for unlinked code blocks like
556         we do for linked code blocks.
557
558         * bytecode/CodeBlock.cpp:
559         (JSC::CodeBlock::estimatedSize):
560         * bytecode/CodeBlock.h:
561         * bytecode/UnlinkedInstructionStream.cpp:
562         (JSC::UnlinkedInstructionStream::sizeInBytes):
563         * bytecode/UnlinkedInstructionStream.h:
564         * runtime/DirectArguments.cpp:
565         (JSC::DirectArguments::estimatedSize):
566         * runtime/DirectArguments.h:
567         * runtime/JSCell.cpp:
568         (JSC::JSCell::estimatedSizeInBytes):
569         (JSC::JSCell::estimatedSize):
570         * runtime/JSCell.h:
571         * runtime/JSGenericTypedArrayView.h:
572         * runtime/JSGenericTypedArrayViewInlines.h:
573         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
574         * runtime/JSMap.cpp:
575         (JSC::JSMap::estimatedSize):
576         * runtime/JSMap.h:
577         * runtime/JSObject.cpp:
578         (JSC::JSObject::visitButterfly):
579         * runtime/JSObject.h:
580         * runtime/JSSet.cpp:
581         (JSC::JSSet::estimatedSize):
582         * runtime/JSSet.h:
583         * runtime/JSString.cpp:
584         (JSC::JSString::estimatedSize):
585         * runtime/JSString.h:
586         * runtime/MapData.h:
587         (JSC::MapDataImpl::capacityInBytes):
588         * runtime/WeakMapData.cpp:
589         (JSC::WeakMapData::estimatedSize):
590         (JSC::WeakMapData::visitChildren):
591         * runtime/WeakMapData.h:
592         Implement estimated size following the pattern of reporting
593         extra visited size, or copy space memory.
594
595         * runtime/RegExp.cpp:
596         (JSC::RegExp::estimatedSize):
597         * runtime/RegExp.h:
598         * yarr/YarrInterpreter.h:
599         (JSC::Yarr::ByteDisjunction::estimatedSizeInBytes):
600         (JSC::Yarr::BytecodePattern::estimatedSizeInBytes):
601         * yarr/YarrJIT.h:
602         (JSC::Yarr::YarrCodeBlock::size):
603         Include generated bytecode / JITCode in a RegExp's size.
604
605 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
606
607         SpeculatedType should be easier to edit
608         https://bugs.webkit.org/show_bug.cgi?id=154840
609
610         Reviewed by Mark Lam.
611
612         We used to specify the bitmasks in SpeculatedType.h using hex codes. This used to work
613         great because we didn't have so many masks and you could use the mask to visually see
614         which ones overlapped. It also made it easy to visualize subset relationships.
615
616         But now we have a lot of masks with a lot of confusing overlaps, and it's no longer
617         possible to just see their relationship by looking at hex codes. Worse, the use of hex
618         codes makes it super annoying to move the bits around. For example, right now we have two
619         bits free, but if we wanted to reclaim them by editing the old hex masks, it would be a
620         nightmare.
621
622         So this patch replaces the hex masks with shift expressions (1u << 15 for example) and it
623         makes any derived masks (i.e. masks that are the bit-or of other masks) be expressed using
624         an or expression (SpecFoo | SpecBar | SpecBaz for example).
625
626         This makes it easier to see the relationships and it makes it easier to take bits for new
627         types.
628
629         * bytecode/SpeculatedType.h:
630
631 2016-02-29  Keith Miller  <keith_miller@apple.com>
632
633         OverridesHasInstance constant folding is wrong
634         https://bugs.webkit.org/show_bug.cgi?id=154833
635
636         Reviewed by Filip Pizlo.
637
638         The current implementation of OverridesHasInstance constant folding
639         is incorrect. Since it relies on OSR exit information it has been
640         moved to the StrengthReductionPhase. Normally, such an optimization would be
641         put in FixupPhase; however, there are a number of cases where we don't
642         determine that an edge of OverridesHasInstance is a constant until after fixup.
643         Performing the optimization during StrengthReductionPhase means we can defer
644         our decision until later.
645
646         In the future we should consider creating a version of this optimization
647         that does not depend on OSR exit information and move the optimization back
648         to ConstantFoldingPhase.
649
650         * dfg/DFGConstantFoldingPhase.cpp:
651         (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
652         * dfg/DFGStrengthReductionPhase.cpp:
653         (JSC::DFG::StrengthReductionPhase::handleNode):
654
655 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
656
657         B3 should have global store elimination
658         https://bugs.webkit.org/show_bug.cgi?id=154658
659
660         Reviewed by Benjamin Poulain.
661
662         Implements fairly comprehensive global store elimination:
663
664         1) If you store the result of a load with no interference in between, remove the store.
665
666         2) If you store the same thing you stored previously, remove the store.
667
668         3) If you store something that you either loaded previously or stored previously along
669            arbitrarily many paths, remove the store.
670
671         4) If you store to something that is stored to again in the future with no interference in
672            between, remove the store.
673
674         Rule (4) is super relevant to FTL since the DFG does not eliminate redundant PutStructures.
675         A constructor that produces a large object will have many redundant stores to the same base
676         pointer, offset, and heap range, with no code to observe that heap range in between.
677
678         This doesn't have a decisive effect on major benchmarks, but it's an enormous win for
679         microbenchmarks:
680
681         - 30% faster to construct an object with many fields.
682
683         - 5x faster to do many stores to a global variable.
684
685         The compile time cost should be very small. Although the optimization is global, it aborts as
686         soon as it sees anything that would confound store elimination. For rules (1)-(3), we
687         piggy-back the existing load elimination, which gives up on interfering stores. For rule (4),
688         we search forward through the current block and then globally a block at a time (skipping
689         block contents thanks to summary data), which could be expensive. But rule (4) aborts as soon
690         as it sees a read, write, or end block (Return or Oops). Any Check will claim to read TOP. Any
691         Patchpoint that results from an InvalidationPoint will claim to read TOP, as will any
692         Patchpoints for ICs. Those are usually sprinkled all over the program.
693
694         In other words, this optimization rarely kicks in. When it does kick in, it makes programs run
695         faster. When it doesn't kick in, it's usually O(1) because there are reasons for aborting all
696         over a "normal" program so the search will halt almost immediately. This of course raises the
697         question: how much more in compile time do we pay when the optimization does kick in? The
698         optimization kicks in the most for the microbenchmarks I wrote for this patch. Amazingly, the
699         effect of the optimization is a wash for compile time: whatever cost we pay doing the O(n^2)
700         searches is balanced by the massive reduction in work in the backend. On one of the two
701         microbenchmarks, overall compile time actually shrank with this optimization even though CSE
702         itself cost more. That's not too surprising - the backend costs much more per instruction, so
703         things that remove instructions before we get to the backend tend to be a good idea.
704
705         We could consider adding a more aggressive version of this in the future, which could sink
706         stores into checks. That could be crazy fun: https://bugs.webkit.org/show_bug.cgi?id=152162#c3
707
708         But mainly, I'm adding this optimization because it was super fun to implement during the
709         WebAssembly CG summit.
710
711         * b3/B3EliminateCommonSubexpressions.cpp:
712         * b3/B3MemoryValue.h:
713         * b3/B3SuccessorCollection.h:
714         (JSC::B3::SuccessorCollection::begin):
715         (JSC::B3::SuccessorCollection::end):
716         (JSC::B3::SuccessorCollection::const_iterator::const_iterator):
717         (JSC::B3::SuccessorCollection::const_iterator::operator*):
718         (JSC::B3::SuccessorCollection::const_iterator::operator++):
719         (JSC::B3::SuccessorCollection::const_iterator::operator==):
720         (JSC::B3::SuccessorCollection::const_iterator::operator!=):
721
722 2016-02-29  Filip Pizlo  <fpizlo@apple.com>
723
724         Make it cheap to #include "JITOperations.h"
725         https://bugs.webkit.org/show_bug.cgi?id=154836
726
727         Reviewed by Mark Lam.
728
729         Prior to this change, this header included the whole world even though it didn't have any
730         definitions. This patch turns almost all of the includes into forward declarations. Right
731         now this header is very cheap to include.
732
733         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
734         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
735         * JavaScriptCore.xcodeproj/project.pbxproj:
736         * dfg/DFGSpeculativeJIT.h:
737         * jit/JITOperations.cpp:
738         * jit/JITOperations.h:
739         * jit/Repatch.h:
740         * runtime/CommonSlowPaths.h:
741         (JSC::encodeResult): Deleted.
742         (JSC::decodeResult): Deleted.
743         * runtime/SlowPathReturnType.h: Added.
744         (JSC::encodeResult):
745         (JSC::decodeResult):
746
747 2016-02-28  Filip Pizlo  <fpizlo@apple.com>
748
749         FTL should be able to run everything in Octane/regexp
750         https://bugs.webkit.org/show_bug.cgi?id=154266
751
752         Reviewed by Saam Barati.
753
754         Adds FTL support for NewRegexp, RegExpTest, and RegExpExec. I couldn't figure out how to
755         make the RegExpExec peephole optimization work in FTL. This optimization shouldn't be a
756         DFG backend optimization anyway - if we need this optimization then it should be a
757         strength reduction rule over IR. That way, it can be shared by all backends.
758
759         I measured whether removing that optimization had any effect on performance separately
760         from measuring the performance of this patch. Removing that optimization did not change
761         our score on any benchmarks.
762
763         This patch does have an overall negative effect on the Octane/regexp score. This is
764         presumably because tiering up to the FTL has no value to the code in the regexp test. Or
765         maybe it's something else. No matter - the overall effect on the Octane score is not
766         statistically significant and we don't want this kind of coverage blocked by the fact
767         that adding coverage hurts a benchmark.
768
769         * dfg/DFGByteCodeParser.cpp:
770         (JSC::DFG::ByteCodeParser::parseBlock):
771         * dfg/DFGNode.h:
772         (JSC::DFG::Node::setIndexingType):
773         (JSC::DFG::Node::hasRegexpIndex):
774         * dfg/DFGSpeculativeJIT.cpp:
775         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
776         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
777         (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
778         * dfg/DFGSpeculativeJIT32_64.cpp:
779         (JSC::DFG::SpeculativeJIT::compile):
780         * dfg/DFGSpeculativeJIT64.cpp:
781         (JSC::DFG::SpeculativeJIT::compile):
782         * ftl/FTLCapabilities.cpp:
783         (JSC::FTL::canCompile):
784         * ftl/FTLLowerDFGToB3.cpp:
785         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
786         (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer):
787         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
788         (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
789         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
790         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack):
791         * tests/stress/ftl-regexp-exec.js: Added.
792         * tests/stress/ftl-regexp-test.js: Added.
793
794 2016-02-28  Andreas Kling  <akling@apple.com>
795
796         Make JSFunction.name allocation fully lazy.
797         <https://webkit.org/b/154806>
798
799         Reviewed by Saam Barati.
800
801         We were reifying the "name" field on functions lazily, but created the string
802         value itself up front. This patch gets rid of the up-front allocation,
803         saving us a JSString allocation per function in most cases.
804
805         * builtins/BuiltinExecutables.cpp:
806         (JSC::createExecutableInternal):
807         * bytecode/UnlinkedFunctionExecutable.cpp:
808         (JSC::UnlinkedFunctionExecutable::visitChildren):
809         * bytecode/UnlinkedFunctionExecutable.h:
810         * runtime/CodeCache.cpp:
811         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
812         * runtime/Executable.h:
813         * runtime/JSFunction.cpp:
814         (JSC::JSFunction::reifyName):
815
816 2016-02-28  Andreas Kling  <akling@apple.com>
817
818         REGRESSION(r197303): 4 jsc tests failing on bots.
819
820         Unreviewed follow-up fix.
821
822         * bytecode/UnlinkedCodeBlock.cpp:
823         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset): This function
824         can still get called with !m_rareData, in case the type profiler is active but this
825         particular code block doesn't have type profiler data. Handle it gracefully.
826
827 2016-02-28  Andreas Kling  <akling@apple.com>
828
829         Shrink UnlinkedCodeBlock a bit.
830         <https://webkit.org/b/154797>
831
832         Reviewed by Anders Carlsson.
833
834         Move profiler-related members of UnlinkedCodeBlock into its RareData
835         structure, saving 40 bytes, and then reorder the other members of
836         UnlinkedCodeBlock to save another 24 bytes, netting a nice total of 64.
837
838         The VM member was removed entirely since UnlinkedCodeBlock is a cell
839         and can retrieve its VM through MarkedBlock header lookup.
840
841         * bytecode/UnlinkedCodeBlock.cpp:
842         (JSC::UnlinkedCodeBlock::vm):
843         (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
844         (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
845         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): Deleted.
846         * bytecode/UnlinkedCodeBlock.h:
847         (JSC::UnlinkedCodeBlock::addRegExp):
848         (JSC::UnlinkedCodeBlock::addConstant):
849         (JSC::UnlinkedCodeBlock::addFunctionDecl):
850         (JSC::UnlinkedCodeBlock::addFunctionExpr):
851         (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
852         (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
853         (JSC::UnlinkedCodeBlock::vm): Deleted.
854
855 2016-02-27  Filip Pizlo  <fpizlo@apple.com>
856
857         FTL should lower its abstract heaps to B3 heap ranges
858         https://bugs.webkit.org/show_bug.cgi?id=154782
859
860         Reviewed by Saam Barati.
861
862         The FTL can describe the abstract heaps (points-to sets) that a memory operation will
863         affect. The abstract heaps are arranged as a hierarchy. We used to transform this into
864         TBAA hierarchies in LLVM, but we never got around to wiring this up to B3's equivalent
865         notion - the HeapRange. That's what this patch fixes.
866
867         B3 has a minimalistic alias analysis. It represents abstract heaps using unsigned 32-bit
868         integers. There are 1<<32 abstract heaps. The B3 client can describe what an operation
869         affects by specifying a heap range: a begin...end pair that says that the operation
870         affects all abstract heaps H such that begin <= H < end.
871
872         This peculiar scheme was a deliberate attempt to distill what the abstract heap
873         hierarchy is all about. We can assign begin...end numbers to abstract heaps so that:
874
875         - A heap's end is greater than its begin.
876         - A heap's begin is greater than or equal to its parent's begin.
877         - A heap's end is less than or equal to its parent's end.
878
879         This is easy to do using a recursive traversal of the abstract heap hierarchy. I almost
880         went for the iterative traversal, which is a splendid algorithm, but it's totally
881         unnecessary here since we tightly control the height of the heap hierarchy.
882
883         Because abstract heaps are produced on-the-fly by FTL lowering, due to the fact that we
884         generate new ones for field names and constant indices we encounter, we can't actually
885         decorate the B3 instructions we create in lowering until all lowering is done. Adding a
886         new abstract heap to the hierarchy after ranges were already computed would require
887         updating the ranges of any heaps "to the right" of that heap in the hierarchy. This
888         patch solves that problem by recording the associations between abstract heaps and their
889         intended roles in the generated IR, and then decorating all of the relevant B3 values
890         after we compute the ranges of the hierarchy after lowering.
891
892         This is perf-neutral. I was hoping for a small speed-up, but I could not detect a
893         speed-up on any benchmark. That's not too surprising. We already have very precise CSE
894         in the DFG, so there aren't many opportunities left for the B3 CSE and it may have
895         already been getting the big ones even without alias analysis.
896
897         Even without a speed-up, this patch is valuable because it makes it easier to implement
898         other optimizations, like store elimination.
899
900         * b3/B3HeapRange.h:
901         (JSC::B3::HeapRange::HeapRange):
902         * ftl/FTLAbstractHeap.cpp:
903         (JSC::FTL::AbstractHeap::AbstractHeap):
904         (JSC::FTL::AbstractHeap::changeParent):
905         (JSC::FTL::AbstractHeap::compute):
906         (JSC::FTL::AbstractHeap::shallowDump):
907         (JSC::FTL::AbstractHeap::dump):
908         (JSC::FTL::AbstractHeap::deepDump):
909         (JSC::FTL::AbstractHeap::badRangeError):
910         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
911         (JSC::FTL::IndexedAbstractHeap::baseIndex):
912         (JSC::FTL::IndexedAbstractHeap::atSlow):
913         (JSC::FTL::IndexedAbstractHeap::initialize):
914         (JSC::FTL::AbstractHeap::decorateInstruction): Deleted.
915         (JSC::FTL::AbstractField::dump): Deleted.
916         * ftl/FTLAbstractHeap.h:
917         (JSC::FTL::AbstractHeap::AbstractHeap):
918         (JSC::FTL::AbstractHeap::isInitialized):
919         (JSC::FTL::AbstractHeap::initialize):
920         (JSC::FTL::AbstractHeap::parent):
921         (JSC::FTL::AbstractHeap::heapName):
922         (JSC::FTL::AbstractHeap::range):
923         (JSC::FTL::AbstractHeap::offset):
924         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
925         (JSC::FTL::IndexedAbstractHeap::at):
926         (JSC::FTL::IndexedAbstractHeap::operator[]):
927         (JSC::FTL::IndexedAbstractHeap::returnInitialized):
928         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::constructDeletedValue):
929         (JSC::FTL::IndexedAbstractHeap::WithoutZeroOrOneHashTraits::isDeletedValue):
930         (JSC::FTL::AbstractHeap::changeParent): Deleted.
931         (JSC::FTL::AbstractField::AbstractField): Deleted.
932         (JSC::FTL::AbstractField::initialize): Deleted.
933         (JSC::FTL::AbstractField::offset): Deleted.
934         * ftl/FTLAbstractHeapRepository.cpp:
935         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
936         (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
937         (JSC::FTL::AbstractHeapRepository::decorateMemory):
938         (JSC::FTL::AbstractHeapRepository::decorateCCallRead):
939         (JSC::FTL::AbstractHeapRepository::decorateCCallWrite):
940         (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead):
941         (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite):
942         (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
943         * ftl/FTLAbstractHeapRepository.h:
944         (JSC::FTL::AbstractHeapRepository::forArrayType):
945         (JSC::FTL::AbstractHeapRepository::HeapForValue::HeapForValue):
946         * ftl/FTLLowerDFGToB3.cpp:
947         (JSC::FTL::DFG::LowerDFGToB3::lower):
948         * ftl/FTLOutput.cpp:
949         (JSC::FTL::Output::load):
950         (JSC::FTL::Output::load8SignExt32):
951         (JSC::FTL::Output::load8ZeroExt32):
952         (JSC::FTL::Output::load16SignExt32):
953         (JSC::FTL::Output::load16ZeroExt32):
954         (JSC::FTL::Output::store):
955         (JSC::FTL::Output::store32As8):
956         (JSC::FTL::Output::store32As16):
957         (JSC::FTL::Output::baseIndex):
958         * ftl/FTLOutput.h:
959         (JSC::FTL::Output::address):
960         (JSC::FTL::Output::absolute):
961         (JSC::FTL::Output::load8SignExt32):
962         (JSC::FTL::Output::load8ZeroExt32):
963         (JSC::FTL::Output::load16SignExt32):
964         (JSC::FTL::Output::load16ZeroExt32):
965         (JSC::FTL::Output::load32):
966         (JSC::FTL::Output::load64):
967         (JSC::FTL::Output::loadPtr):
968         (JSC::FTL::Output::loadDouble):
969         (JSC::FTL::Output::store32):
970         (JSC::FTL::Output::store64):
971         (JSC::FTL::Output::storePtr):
972         (JSC::FTL::Output::storeDouble):
973         (JSC::FTL::Output::ascribeRange):
974         (JSC::FTL::Output::nonNegative32):
975         (JSC::FTL::Output::load32NonNegative):
976         (JSC::FTL::Output::equal):
977         (JSC::FTL::Output::notEqual):
978         * ftl/FTLTypedPointer.h:
979         (JSC::FTL::TypedPointer::operator!):
980         (JSC::FTL::TypedPointer::heap):
981         (JSC::FTL::TypedPointer::value):
982
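Assigning begin...end numbers to an abstract heap hierarchy, as an added example that is not the FTL's code: the recursive traversal gives each leaf one abstract heap number and each interior heap the union of its subtree (an assumption about the layout, chosen so that the three properties listed above hold), a checker verifies those properties, and the test shows why a heap added after the ranges were computed forces a recompute that shifts every heap "to the right". The hierarchy names and the Hierarchy owner type are made up for this example.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// A B3-style heap range: all abstract heaps H with begin <= H < end.
struct HeapRange {
    uint32_t begin, end;
    constexpr HeapRange(uint32_t b = 0, uint32_t e = 0) : begin(b), end(e) {}
    bool overlaps(const HeapRange& o) const { return begin < o.end && o.begin < end; }
    bool contains(const HeapRange& o) const { return begin <= o.begin && o.end <= end; }
};

// One node of the abstract heap hierarchy (constructed stand-in for FTL::AbstractHeap).
struct AbstractHeap {
    std::string name;
    AbstractHeap* parent;
    std::vector<AbstractHeap*> children;
    HeapRange range; // (0, 0) until compute() runs: "not yet initialized"

    AbstractHeap(const std::string& n, AbstractHeap* p) : name(n), parent(p) {
        if (p) p->children.push_back(this);
    }

    // Recursive traversal: a leaf gets one abstract heap number, an interior heap
    // spans exactly the numbers of its subtree. Returns the first unused number.
    uint32_t compute(uint32_t begin) {
        if (children.empty()) {
            range = HeapRange(begin, begin + 1);
            return begin + 1;
        }
        uint32_t next = begin;
        for (AbstractHeap* child : children)
            next = child->compute(next);
        range = HeapRange(begin, next);
        return next;
    }
};

// Verifies the three properties from the entry (end > begin, begin >= parent's begin,
// end <= parent's end) plus the one that makes the scheme useful: siblings are disjoint.
bool checkInvariants(const AbstractHeap& h) {
    if (h.range.end <= h.range.begin) return false;
    if (h.parent && !h.parent->range.contains(h.range)) return false;
    for (size_t i = 0; i < h.children.size(); ++i) {
        for (size_t j = i + 1; j < h.children.size(); ++j)
            if (h.children[i]->range.overlaps(h.children[j]->range)) return false;
        if (!checkInvariants(*h.children[i])) return false;
    }
    return true;
}

// Owns the heaps so that the parent/child raw pointers stay valid.
struct Hierarchy {
    std::vector<std::unique_ptr<AbstractHeap>> heaps;
    AbstractHeap* add(const std::string& name, AbstractHeap* parent) {
        heaps.emplace_back(new AbstractHeap(name, parent));
        return heaps.back().get();
    }
    AbstractHeap* find(const std::string& name) const {
        for (const auto& heap : heaps)
            if (heap->name == name) return heap.get();
        return nullptr;
    }
};

// Constructed hierarchy with names loosely modelled on the FTL's; the layout is made up.
// Leaves are numbered left to right: JSCell = [0,2), JSObject = [2,3), properties = [3,6), World = [0,6).
Hierarchy sampleHierarchy() {
    Hierarchy h;
    AbstractHeap* world = h.add("World", nullptr);
    AbstractHeap* cell = h.add("JSCell", world);
    h.add("JSCell_structureID", cell);
    h.add("JSCell_indexingType", cell);
    AbstractHeap* object = h.add("JSObject", world);
    h.add("JSObject_butterfly", object);
    AbstractHeap* props = h.add("properties", world); // like an IndexedAbstractHeap with 3 constant indices
    for (int i = 0; i < 3; ++i)
        h.add("properties[" + std::to_string(i) + "]", props);
    world->compute(0);
    return h;
}
```
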
983 2016-02-28  Skachkov Oleksandr  <gskachkov@gmail.com>
984
985         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
986         https://bugs.webkit.org/show_bug.cgi?id=153981
987
988         Reviewed by Saam Barati.
989        
990         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this',
991         'arguments', 'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in it.
992         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
993         During syntax analysis, the parser stores information about which variables are used in the arrow function inside
994         the ordinary function scope and then passes it to BytecodeGenerator through UnlinkedCodeBlock.
995
996         * bytecompiler/BytecodeGenerator.cpp:
997         (JSC::BytecodeGenerator::BytecodeGenerator):
998         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
999         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1000         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
1001         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1002         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1003         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1004         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
1005         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1006         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1007         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1008         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1009         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1010         * bytecompiler/BytecodeGenerator.h:
1011         * bytecompiler/NodesCodegen.cpp:
1012         (JSC::ThisNode::emitBytecode):
1013         (JSC::EvalFunctionCallNode::emitBytecode):
1014         (JSC::FunctionNode::emitBytecode):
1015         * parser/ASTBuilder.h:
1016         (JSC::ASTBuilder::createBracketAccess):
1017         (JSC::ASTBuilder::createDotAccess):
1018         (JSC::ASTBuilder::usesSuperCall):
1019         (JSC::ASTBuilder::usesSuperProperty):
1020         (JSC::ASTBuilder::makeFunctionCallNode):
1021         * parser/Nodes.cpp:
1022         (JSC::ScopeNode::ScopeNode):
1023         (JSC::ProgramNode::ProgramNode):
1024         (JSC::ModuleProgramNode::ModuleProgramNode):
1025         (JSC::EvalNode::EvalNode):
1026         (JSC::FunctionNode::FunctionNode):
1027         * parser/Nodes.h:
1028         (JSC::ScopeNode::innerArrowFunctionCodeFeatures):
1029         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseArguments):
1030         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperCall):
1031         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseSuperProperty):
1032         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseEval):
1033         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseThis):
1034         (JSC::ScopeNode::doAnyInnerArrowFunctionsUseNewTarget):
1035         (JSC::ScopeNode::doAnyInnerArrowFunctionUseAnyFeature):
1036         (JSC::ScopeNode::usesSuperCall):
1037         (JSC::ScopeNode::usesSuperProperty):
1038         * parser/Parser.cpp:
1039         (JSC::Parser<LexerType>::parseProperty):
1040         (JSC::Parser<LexerType>::parsePrimaryExpression):
1041         (JSC::Parser<LexerType>::parseMemberExpression):
1042         * parser/Parser.h:
1043         (JSC::Scope::Scope):
1044         (JSC::Scope::isArrowFunctionBoundary):
1045         (JSC::Scope::innerArrowFunctionFeatures):
1046         (JSC::Scope::setInnerArrowFunctionUsesSuperCall):
1047         (JSC::Scope::setInnerArrowFunctionUsesSuperProperty):
1048         (JSC::Scope::setInnerArrowFunctionUsesEval):
1049         (JSC::Scope::setInnerArrowFunctionUsesThis):
1050         (JSC::Scope::setInnerArrowFunctionUsesNewTarget):
1051         (JSC::Scope::setInnerArrowFunctionUsesArguments):
1052         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
1053         (JSC::Scope::collectFreeVariables):
1054         (JSC::Scope::mergeInnerArrowFunctionFeatures):
1055         (JSC::Scope::fillParametersForSourceProviderCache):
1056         (JSC::Scope::restoreFromSourceProviderCache):
1057         (JSC::Scope::setIsFunction):
1058         (JSC::Scope::setIsArrowFunction):
1059         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
1060         (JSC::Parser::pushScope):
1061         (JSC::Parser::popScopeInternal):
1062         (JSC::Parser<LexerType>::parse):
1063         * parser/ParserModes.h:
1064         * parser/SourceProviderCacheItem.h:
1065         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1066         * parser/SyntaxChecker.h:
1067         (JSC::SyntaxChecker::createFunctionMetadata):
1068         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1069         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1070         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1071         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1072         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1073
1074 2016-02-28  Saam barati  <sbarati@apple.com>
1075
1076         ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot
1077         https://bugs.webkit.org/show_bug.cgi?id=154768
1078
1079         Reviewed by Ryosuke Niwa.
1080
1081         This fixes a big bug with ProxyObject.[[GetOwnProperty]]:
1082         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
1083         We weren't correctly propagating the result of this operation to the
1084         out PropertySlot& parameter. This patch fixes that and adds tests.
1085
1086         * runtime/ObjectConstructor.cpp:
1087         (JSC::objectConstructorGetOwnPropertyDescriptor):
1088         I added a missing exception check after object allocation
1089         because I saw that it was missing while reading the code.
1090
1091         * runtime/PropertyDescriptor.cpp:
1092         (JSC::PropertyDescriptor::setUndefined):
1093         (JSC::PropertyDescriptor::slowGetterSetter):
1094         (JSC::PropertyDescriptor::getter):
1095         * runtime/PropertyDescriptor.h:
1096         (JSC::PropertyDescriptor::attributes):
1097         (JSC::PropertyDescriptor::value):
1098         * runtime/ProxyObject.cpp:
1099         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1100         * tests/es6.yaml:
1101         * tests/stress/proxy-get-own-property.js:
1102         (let.handler.getOwnPropertyDescriptor):
1103         (set get let.handler.return):
1104         (set get let.handler.getOwnPropertyDescriptor):
1105         (set get let):
1106         (set get let.a):
1107         (let.b):
1108         (let.setter):
1109         (let.getter):
1110
1111 2016-02-27  Andy VanWagoner  <thetalecrafter@gmail.com>
1112
1113         Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator)
1114         https://bugs.webkit.org/show_bug.cgi?id=152448
1115
1116         Reviewed by Darin Adler.
1117
1118         Add defaultLanguage to the globalObjectMethodTable and use it for the
1119         default locale in Intl object initializations. Fall back to ICU default
1120         locale only if the defaultLanguage function is null, or returns an
1121         empty string.
1122
1123         * jsc.cpp:
1124         * runtime/IntlCollator.cpp:
1125         (JSC::IntlCollator::initializeCollator):
1126         * runtime/IntlDateTimeFormat.cpp:
1127         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1128         * runtime/IntlNumberFormat.cpp:
1129         (JSC::IntlNumberFormat::initializeNumberFormat):
1130         * runtime/IntlObject.cpp:
1131         (JSC::defaultLocale):
1132         (JSC::lookupMatcher):
1133         (JSC::bestFitMatcher):
1134         (JSC::resolveLocale):
1135         * runtime/IntlObject.h:
1136         * runtime/JSGlobalObject.cpp:
1137         * runtime/JSGlobalObject.h:
1138         * runtime/StringPrototype.cpp:
1139         (JSC::toLocaleCase):
1140
1141 2016-02-27  Oliver Hunt  <oliver@apple.com>
1142
1143         CLoop build fix.
1144
1145         * jit/ExecutableAllocatorFixedVMPool.cpp:
1146
1147 2016-02-26  Oliver Hunt  <oliver@apple.com>
1148
1149         Remove the on demand executable allocator
1150         https://bugs.webkit.org/show_bug.cgi?id=154749
1151
1152         Reviewed by Geoffrey Garen.
1153
1154         Remove all the DemandExecutable code and executable allocator ifdefs.
1155
1156         * CMakeLists.txt:
1157         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1158         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1159         * JavaScriptCore.xcodeproj/project.pbxproj:
1160         * jit/ExecutableAllocator.cpp: Removed.
1161         (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
1162         (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
1163         (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
1164         (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
1165         (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
1166         (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
1167         (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
1168         (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
1169         (JSC::DemandExecutableAllocator::allocators): Deleted.
1170         (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
1171         (JSC::ExecutableAllocator::initializeAllocator): Deleted.
1172         (JSC::ExecutableAllocator::ExecutableAllocator): Deleted.
1173         (JSC::ExecutableAllocator::~ExecutableAllocator): Deleted.
1174         (JSC::ExecutableAllocator::isValid): Deleted.
1175         (JSC::ExecutableAllocator::underMemoryPressure): Deleted.
1176         (JSC::ExecutableAllocator::memoryPressureMultiplier): Deleted.
1177         (JSC::ExecutableAllocator::allocate): Deleted.
1178         (JSC::ExecutableAllocator::committedByteCount): Deleted.
1179         (JSC::ExecutableAllocator::dumpProfile): Deleted.
1180         (JSC::ExecutableAllocator::getLock): Deleted.
1181         (JSC::ExecutableAllocator::isValidExecutableMemory): Deleted.
1182         (JSC::ExecutableAllocator::reprotectRegion): Deleted.
1183         * jit/ExecutableAllocator.h:
1184         * jit/ExecutableAllocatorFixedVMPool.cpp:
1185         * jit/JITStubRoutine.h:
1186         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
1187         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
1188         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
1189
1190 2016-02-26  Joseph Pecoraro  <pecoraro@apple.com>
1191
1192         Reduce direct callers of Structure::findStructuresAndMapForMaterialization
1193         https://bugs.webkit.org/show_bug.cgi?id=154751
1194
1195         Reviewed by Mark Lam.
1196
1197         * runtime/Structure.cpp:
1198         (JSC::Structure::toStructureShape):
1199         This property name iteration is identical to Structure::forEachPropertyConcurrently.
1200         Share the code and reduce callers to the subtle findStructuresAndMapForMaterialization.
1201
1202 2016-02-26  Mark Lam  <mark.lam@apple.com>
1203
1204         Function.name and Function.length should be configurable.
1205         https://bugs.webkit.org/show_bug.cgi?id=154604
1206
1207         Reviewed by Saam Barati.
1208
1209         According to https://tc39.github.io/ecma262/#sec-ecmascript-language-functions-and-classes,
1210         "Unless otherwise specified, the name property of a built-in Function object,
1211         if it exists, has the attributes { [[Writable]]: false, [[Enumerable]]: false,
1212         [[Configurable]]: true }."
1213
1214         Similarly, "the length property of a built-in Function object has the attributes
1215         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }."
1216
1217         This patch makes Function.name and Function.length configurable.
1218
1219         We do this by lazily reifying the JSFunction name and length properties on first
1220         access.  We track whether each of these properties has been reified using flags
1221         in the FunctionRareData.  On first access, if not already reified, we will put
1222         the property into the object with its default value and attributes and set the
1223         reified flag.  Thereafter, we rely on the base JSObject to handle access to the
1224         property.
1225
1226         Also, lots of test results have to be re-baselined because the old Function.length
1227         has attribute DontDelete, which is in conflict with the ES6 requirement that it
1228         is configurable.
1229
1230         * runtime/FunctionRareData.h:
1231         (JSC::FunctionRareData::hasReifiedLength):
1232         (JSC::FunctionRareData::setHasReifiedLength):
1233         (JSC::FunctionRareData::hasReifiedName):
1234         (JSC::FunctionRareData::setHasReifiedName):
1235         - Flags for tracking whether each property has been reified.
1236
1237         * runtime/JSFunction.cpp:
1238         (JSC::JSFunction::finishCreation):
1239         (JSC::JSFunction::createBuiltinFunction):
1240         - Host and builtin functions currently always reify their name and length
1241           properties.  Currently, for builtins, the default names that are used may
1242           differ from the executable name.  For now, we'll stay with keeping this
1243           alternate approach to getting the name and length properties for host and
1244           builtin functions.
1245           However, we need their default attribute to be configurable as well.
1246
1247         (JSC::JSFunction::getOwnPropertySlot):
1248         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1249         (JSC::JSFunction::put):
1250         (JSC::JSFunction::deleteProperty):
1251         (JSC::JSFunction::defineOwnProperty):
1252         (JSC::JSFunction::reifyLength):
1253         (JSC::JSFunction::reifyName):
1254         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1255         (JSC::JSFunction::lengthGetter): Deleted.
1256         (JSC::JSFunction::nameGetter): Deleted.
1257         * runtime/JSFunction.h:
1258         * runtime/JSFunctionInlines.h:
1259         (JSC::JSFunction::hasReifiedLength):
1260         (JSC::JSFunction::hasReifiedName):
1261
1262         * tests/es6.yaml:
1263         - 4 new passing tests.
1264
1265         * tests/mozilla/ecma/Array/15.4.4.3-1.js:
1266         * tests/mozilla/ecma/Array/15.4.4.4-1.js:
1267         * tests/mozilla/ecma/Array/15.4.4.4-2.js:
1268         * tests/mozilla/ecma/GlobalObject/15.1.2.1-1.js:
1269         * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
1270         * tests/mozilla/ecma/GlobalObject/15.1.2.3-1.js:
1271         * tests/mozilla/ecma/GlobalObject/15.1.2.4.js:
1272         * tests/mozilla/ecma/GlobalObject/15.1.2.5-1.js:
1273         * tests/mozilla/ecma/GlobalObject/15.1.2.6.js:
1274         * tests/mozilla/ecma/GlobalObject/15.1.2.7.js:
1275         * tests/mozilla/ecma/String/15.5.4.10-1.js:
1276         * tests/mozilla/ecma/String/15.5.4.11-1.js:
1277         * tests/mozilla/ecma/String/15.5.4.11-5.js:
1278         * tests/mozilla/ecma/String/15.5.4.12-1.js:
1279         * tests/mozilla/ecma/String/15.5.4.6-2.js:
1280         * tests/mozilla/ecma/String/15.5.4.7-2.js:
1281         * tests/mozilla/ecma/String/15.5.4.8-1.js:
1282         * tests/mozilla/ecma/String/15.5.4.9-1.js:
1283         - Rebase expected test results.
1284
1285         * tests/stress/function-configurable-properties.js: Added.
1286
1287 2016-02-26  Keith Miller  <keith_miller@apple.com>
1288
1289         Folding of OverridesHasInstance DFG nodes should happen in constant folding not fixup
1290         https://bugs.webkit.org/show_bug.cgi?id=154743
1291
1292         Reviewed by Mark Lam.
1293
1294         * dfg/DFGConstantFoldingPhase.cpp:
1295         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1296         * dfg/DFGFixupPhase.cpp:
1297         (JSC::DFG::FixupPhase::fixupNode):
1298
1299 2016-02-26  Keith Miller  <keith_miller@apple.com>
1300
1301         Native Typed Array functions should use Symbol.species
1302         https://bugs.webkit.org/show_bug.cgi?id=154569
1303
1304         Reviewed by Michael Saboff.
1305
1306         This patch adds support for Symbol.species in the native Typed Array prototype
1307         functions. Additionally, now that other types of typedarrays are creatable inside
1308         the slice, we use the JSGenericTypedArrayView::set function, which has been beefed
1309         up, to put everything into the correct place.
1310
1311         * runtime/JSDataView.cpp:
1312         (JSC::JSDataView::set):
1313         * runtime/JSDataView.h:
1314         * runtime/JSGenericTypedArrayView.h:
1315         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1316         (JSC::constructGenericTypedArrayViewFromIterator):
1317         (JSC::constructGenericTypedArrayViewWithArguments):
1318         (JSC::constructGenericTypedArrayView):
1319         * runtime/JSGenericTypedArrayViewInlines.h:
1320         (JSC::JSGenericTypedArrayView<Adaptor>::setWithSpecificType):
1321         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1322         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1323         (JSC::speciesConstruct):
1324         (JSC::genericTypedArrayViewProtoFuncSet):
1325         (JSC::genericTypedArrayViewProtoFuncSlice):
1326         (JSC::genericTypedArrayViewProtoFuncSubarray):
1327         * tests/stress/typedarray-slice.js:
1328         (subclasses.typedArrays.map):
1329         (testSpecies):
1330         (forEach):
1331         (subclasses.forEach):
1332         (testSpeciesRemoveConstructor):
1333         (testSpeciesWithSameBuffer):
1334         * tests/stress/typedarray-subarray.js: Added.
1335         (subclasses.typedArrays.map):
1336         (testSpecies):
1337         (forEach):
1338         (subclasses.forEach):
1339         (testSpeciesRemoveConstructor):
1340
1341 2016-02-26  Benjamin Poulain  <bpoulain@apple.com>
1342
1343         [JSC] Add32(Imm, Tmp, Tmp) does not ZDef the destination if Imm is zero
1344         https://bugs.webkit.org/show_bug.cgi?id=154704
1345
1346         Reviewed by Geoffrey Garen.
1347
1348         If the Imm is zero, we should still zero the top bits
1349         to match the definition in AirOpcodes.
1350
1351         * assembler/MacroAssemblerX86Common.h:
1352         (JSC::MacroAssemblerX86Common::add32):
1353         * b3/testb3.cpp:
1354
1355 2016-02-26  Oliver Hunt  <oliver@apple.com>
1356
1357         Make testRegExp not crash when given an invalid regexp
1358         https://bugs.webkit.org/show_bug.cgi?id=154732
1359
1360         Reviewed by Mark Lam.
1361
1362         * testRegExp.cpp:
1363         (parseRegExpLine):
1364
1365 2016-02-26  Benjamin Poulain  <benjamin@webkit.org>
1366
1367         [JSC] Add the test for r197155
1368         https://bugs.webkit.org/show_bug.cgi?id=154715
1369
1370         Reviewed by Mark Lam.
1371
1372         Silly me. I forgot the test in the latest patch update.
1373
1374         * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
1375
1376 2016-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1377
1378         [DFG] Drop unnecessary proved type branch in ToPrimitive
1379         https://bugs.webkit.org/show_bug.cgi?id=154716
1380
1381         Reviewed by Geoffrey Garen.
1382
1383         This branching based on the proved types is unnecessary because this is already handled in the constant folding phase.
1384         In fact, the DFGSpeculativeJIT64.cpp case is already removed in r164243.
1385         This patch removes the remaining JIT32_64 case.
1386
1387         * dfg/DFGSpeculativeJIT32_64.cpp:
1388         (JSC::DFG::SpeculativeJIT::compile):
1389
1390 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
1391
1392         [JSC] Be aggressive with OSR Entry to FTL if the DFG function was only used for OSR Entry itself
1393         https://bugs.webkit.org/show_bug.cgi?id=154575
1394
1395         Reviewed by Filip Pizlo.
1396
1397         I noticed that imaging-gaussian-blur spends most of its
1398         samples in DFG code despite executing most of the loop
1399         iterations in FTL.
1400
1401         On this particular test, the main function is only entered
1402         once and has a very heavy loop there. What happens is DFG
1403         starts by compiling the full function in FTL. That takes about
1404         8 to 10 milliseconds during which the DFG code makes very little
1405         progress. The calls to triggerOSREntryNow() try to OSR Enter
1406         for a while then finally start compiling something. By the time
1407         the function is ready, we have wasted a lot of time in DFG code.
1408
1409         What this patch does is set a flag when a DFG function is entered.
1410         If we try to triggerOSREntryNow() and the flag was never set,
1411         we start compiling both the full function and the one for OSR Entry.
1412
1413         * dfg/DFGJITCode.h:
1414         * dfg/DFGJITCompiler.cpp:
1415         (JSC::DFG::JITCompiler::compileEntryExecutionFlag):
1416         (JSC::DFG::JITCompiler::compile):
1417         (JSC::DFG::JITCompiler::compileFunction):
1418         * dfg/DFGJITCompiler.h:
1419         * dfg/DFGOperations.cpp:
1420         * dfg/DFGPlan.cpp:
1421         (JSC::DFG::Plan::Plan): Deleted.
1422         * dfg/DFGPlan.h:
1423         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1424         (JSC::DFG::TierUpCheckInjectionPhase::run):
1425
1426 2016-02-25  Benjamin Poulain  <benjamin@webkit.org>
1427
1428         [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
1429         https://bugs.webkit.org/show_bug.cgi?id=154664
1430
1431         Reviewed by Saam Barati.
1432
1433         When doing OSR Enter into a constructor, we lose the information
1434         that "this" may have been set to empty by a previously executed block.
1435
1436         All the code just assumed the type for a FlushedJS value and thus
1437         not an empty value. It was then okay to eliminate the TDZ checks.
1438
1439         In this patch, the values on root entry now assume they may be empty.
1440         As a result, the SetArgument() for "this" has "empty" as possible
1441         type and the TDZ checks are no longer eliminated.
1442
1443         * dfg/DFGInPlaceAbstractState.cpp:
1444         (JSC::DFG::InPlaceAbstractState::initialize):
1445
1446 2016-02-25  Ada Chan  <adachan@apple.com>
1447
1448         Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
1449         https://bugs.webkit.org/show_bug.cgi?id=154702
1450
1451         Reviewed by Dan Bernstein.
1452
1453         * Configurations/FeatureDefines.xcconfig:
1454
1455 2016-02-25  Saam barati  <sbarati@apple.com>
1456
1457         [ES6] for...in iteration doesn't comply with the specification
1458         https://bugs.webkit.org/show_bug.cgi?id=154665
1459
1460         Reviewed by Michael Saboff.
1461
1462         If you read ForIn/OfHeadEvaluation inside the spec:
1463         https://tc39.github.io/ecma262/#sec-runtime-semantics-forin-div-ofheadevaluation-tdznames-expr-iterationkind
1464         It calls EnumerateObjectProperties(obj) to get a set of properties
1465         to enumerate over (it models this "set" as an ES6 generator function).
1466         EnumerateObjectProperties is defined in section 13.7.5.15:
1467         https://tc39.github.io/ecma262/#sec-enumerate-object-properties
1468         The implementation calls Reflect.getOwnPropertyDescriptor(.) on the
1469         properties it sees. We must do the same by modeling the operation as
1470         a [[GetOwnProperty]] instead of a [[HasProperty]] internal method call.
1471
1472         * jit/JITOperations.cpp:
1473         * jit/JITOperations.h:
1474         * runtime/CommonSlowPaths.cpp:
1475         (JSC::SLOW_PATH_DECL):
1476         * runtime/JSObject.cpp:
1477         (JSC::JSObject::hasProperty):
1478         (JSC::JSObject::hasPropertyGeneric):
1479         * runtime/JSObject.h:
1480         * tests/stress/proxy-get-own-property.js:
1481         (assert):
1482         (let.handler.getOwnPropertyDescriptor):
1483         (i.set assert):
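
        The trap behaviour described in the entry above, as an added example that is not part of the ChangeLog or of JavaScriptCore's own code. It assumes a spec-conformant engine (Node.js, for instance); the object and handler are constructed sample data. A for...in loop asks the Proxy's ownKeys and getOwnPropertyDescriptor traps, never its has trap, which is the [[GetOwnProperty]] versus [[HasProperty]] distinction the entry makes:

```javascript
// Added example (not JSC code): observe which Proxy traps a for...in loop
// consults. Assumption: a modern engine following EnumerateObjectProperties.

function traceForIn() {
  const log = [];                 // every trap invocation, in order
  const target = { a: 1, b: 2 };  // constructed sample object
  const proxy = new Proxy(target, {
    // The [[HasProperty]] trap: for...in must NOT be modelled on this one.
    has(t, key) {
      log.push('has:' + String(key));
      return Reflect.has(t, key);
    },
    // The [[GetOwnProperty]] trap: the enumerability check comes through here.
    getOwnPropertyDescriptor(t, key) {
      log.push('gopd:' + String(key));
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    ownKeys(t) {
      log.push('ownKeys');
      return Reflect.ownKeys(t);
    },
  });

  const keys = [];
  for (const k in proxy) keys.push(k);
  return { keys, log };
}

// Because the engine asks for the descriptor, a handler can hide a property
// from for...in simply by reporting it as non-enumerable. The target's own
// property is configurable, so the altered descriptor stays within the
// Proxy invariants. A [[HasProperty]]-based model could not observe this.
function hideViaDescriptor() {
  const target = { visible: 1, hidden: 2 };  // constructed sample object
  const proxy = new Proxy(target, {
    getOwnPropertyDescriptor(t, key) {
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      if (desc && key === 'hidden') desc.enumerable = false;
      return desc;
    },
  });
  const keys = [];
  for (const k in proxy) keys.push(k);
  return keys;
}
```

        traceForIn() returns the enumerated keys ['a', 'b'] together with a log containing 'ownKeys' and 'gopd:a'/'gopd:b' and no 'has:' entries; hideViaDescriptor() returns ['visible'].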
1484
1485 2016-02-25  Saam barati  <sbarati@apple.com>
1486
1487         [ES6] Implement Proxy.[[Set]]
1488         https://bugs.webkit.org/show_bug.cgi?id=154511
1489
1490         Reviewed by Filip Pizlo.
1491
1492         This patch is mostly an implementation of
1493         Proxy.[[Set]] with respect to section 9.5.9
1494         of the ECMAScript spec.
1495         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver
1496
1497         This patch also changes JSObject::putInline and JSObject::putByIndex
1498         to be aware that a Proxy in the prototype chain will intercept
1499         property accesses.
1500
1501         * runtime/JSObject.cpp:
1502         (JSC::JSObject::putInlineSlow):
1503         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1504         * runtime/JSObject.h:
1505         * runtime/JSObjectInlines.h:
1506         (JSC::JSObject::canPerformFastPutInline):
1507         (JSC::JSObject::putInline):
1508         * runtime/JSType.h:
1509         * runtime/ProxyObject.cpp:
1510         (JSC::ProxyObject::getOwnPropertySlotByIndex):
1511         (JSC::ProxyObject::performPut):
1512         (JSC::ProxyObject::put):
1513         (JSC::ProxyObject::putByIndexCommon):
1514         (JSC::ProxyObject::putByIndex):
1515         (JSC::performProxyCall):
1516         (JSC::ProxyObject::getCallData):
1517         (JSC::performProxyConstruct):
1518         (JSC::ProxyObject::deletePropertyByIndex):
1519         (JSC::ProxyObject::visitChildren):
1520         * runtime/ProxyObject.h:
1521         (JSC::ProxyObject::create):
1522         (JSC::ProxyObject::createStructure):
1523         (JSC::ProxyObject::target):
1524         (JSC::ProxyObject::handler):
1525         * tests/es6.yaml:
1526         * tests/stress/proxy-set.js: Added.
1527         (assert):
1528         (throw.new.Error.let.handler.set 45):
1529         (throw.new.Error):
1530         (let.target.set x):
1531         (let.target.get x):
1532         (set let):
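
        What "a Proxy in the prototype chain will intercept property accesses" means for writes, as an added example that is not part of the ChangeLog or of JavaScriptCore's own code. It assumes a spec-conformant engine such as Node.js; the objects and handlers are constructed sample data. Assigning to an object whose prototype is a Proxy reaches the Proxy's set trap with the original object as the receiver, for named and indexed keys alike, and only while the receiver has no own property of that name:

```javascript
// Added example (not JSC code): a Proxy in the prototype chain intercepts
// assignments made to objects that inherit from it. Assumption: Node.js.

function setThroughPrototypeProxy() {
  const trapCalls = [];     // record of every [[Set]] trap invocation
  const protoTarget = {};   // constructed: the Proxy's real target
  let child;                // assigned below; referenced by the trap at call time
  const protoProxy = new Proxy(protoTarget, {
    set(t, key, value, receiver) {
      trapCalls.push({ key: String(key), value, receiverIsChild: receiver === child });
      // OrdinarySet semantics: the property is created on the receiver,
      // not on the Proxy's target.
      return Reflect.set(t, key, value, receiver);
    },
  });
  child = Object.create(protoProxy);  // no own properties yet

  child.x = 1;     // named key: child has no own 'x', lookup reaches the Proxy
  child[0] = 'z';  // index key: same path, the trap sees the string '0'
  const callsAfterFirstWrites = trapCalls.length;  // 2

  child.x = 2;     // 'x' is now an own writable property; the Proxy is not asked
  const callsAfterShadowedWrite = trapCalls.length;  // still 2

  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return {
    trapCalls,
    callsAfterFirstWrites,
    callsAfterShadowedWrite,
    childOwnX: own(child, 'x'),          // true: created on the receiver
    childOwn0: own(child, '0'),          // true
    targetOwnX: own(protoTarget, 'x'),   // false: the target was never written
    childX: child.x,                     // 2
  };
}

// A trap that returns false vetoes the write. Reflect.set exposes that
// boolean directly, independent of strict-mode throwing rules.
function rejectedWriteIsReported() {
  const guard = new Proxy({}, {
    set(t, key, value, receiver) {
      if (key === 'forbidden') return false;   // refuse this key
      return Reflect.set(t, key, value, receiver);
    },
  });
  const child = Object.create(guard);
  return {
    allowed: Reflect.set(child, 'ok', 1),            // true
    forbidden: Reflect.set(child, 'forbidden', 1),   // false
    childHasForbidden: Object.prototype.hasOwnProperty.call(child, 'forbidden'),  // false
    childOk: child.ok,                                // 1
  };
}
```

        The second function is the reason the fast put path has to notice a Proxy on the chain: whether the assignment lands at all is decided by the handler, not by the receiver's own structure.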
1533
1534 2016-02-25  Benjamin Poulain  <bpoulain@apple.com>
1535
1536         [JSC] Remove a useless "Move" in the lowering of Select
1537         https://bugs.webkit.org/show_bug.cgi?id=154670
1538
1539         Reviewed by Geoffrey Garen.
1540
1541         I left the Move instruction when creating the aliasing form
1542         of Select.
1543
1544         On ARM64, that meant a useless move for any case that can't
1545         be coalesced.
1546
1547         On x86, that meant an extra constraint on child2, making it
1548         stupidly hard to alias child1.
1549
1550         * b3/B3LowerToAir.cpp:
1551         (JSC::B3::Air::LowerToAir::createSelect): Deleted.
1552
1553 2016-02-24  Joseph Pecoraro  <pecoraro@apple.com>
1554
1555         Web Inspector: Expose Proxy target and handler internal properties to Inspector
1556         https://bugs.webkit.org/show_bug.cgi?id=154663
1557
1558         Reviewed by Timothy Hatcher.
1559
1560         * inspector/JSInjectedScriptHost.cpp:
1561         (Inspector::JSInjectedScriptHost::getInternalProperties):
1562         Expose the ProxyObject's target and handler.
1563
1564 2016-02-24  Nikos Andronikos  <nikos.andronikos-webkit@cisra.canon.com.au>
1565
1566         [web-animations] Add AnimationTimeline, DocumentTimeline and add extensions to Document interface
1567         https://bugs.webkit.org/show_bug.cgi?id=151688
1568
1569         Reviewed by Dean Jackson.
1570
1571         Enables the WEB_ANIMATIONS compiler switch.
1572
1573         * Configurations/FeatureDefines.xcconfig:
1574
1575 2016-02-24  Konstantin Tokarev  <annulen@yandex.ru>
1576
1577         [cmake] Moved PRE/POST_BUILD_COMMAND to WEBKIT_FRAMEWORK.
1578         https://bugs.webkit.org/show_bug.cgi?id=154651
1579
1580         Reviewed by Alex Christensen.
1581
1582         * CMakeLists.txt: Moved shared code to WEBKIT_FRAMEWORK macro.
1583
1584 2016-02-24  Commit Queue  <commit-queue@webkit.org>
1585
1586         Unreviewed, rolling out r197033.
1587         https://bugs.webkit.org/show_bug.cgi?id=154649
1588
1589         "It broke JSC tests when 'this' was loaded from global scope"
1590         (Requested by saamyjoon on #webkit).
1591
1592         Reverted changeset:
1593
1594         "[ES6] Arrow function syntax. Emit loading&putting this/super
1595         only if they are used in arrow function"
1596         https://bugs.webkit.org/show_bug.cgi?id=153981
1597         http://trac.webkit.org/changeset/197033
1598
1599 2016-02-24  Saam Barati  <sbarati@apple.com>
1600
1601         [ES6] Implement Proxy.[[Delete]]
1602         https://bugs.webkit.org/show_bug.cgi?id=154607
1603
1604         Reviewed by Mark Lam.
1605
1606         This patch implements Proxy.[[Delete]] with respect to section 9.5.10 of the ECMAScript spec.
1607         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-delete-p
1608
1609         * runtime/ProxyObject.cpp:
1610         (JSC::ProxyObject::getConstructData):
1611         (JSC::ProxyObject::performDelete):
1612         (JSC::ProxyObject::deleteProperty):
1613         (JSC::ProxyObject::deletePropertyByIndex):
1614         * runtime/ProxyObject.h:
1615         * tests/es6.yaml:
1616         * tests/stress/proxy-delete.js: Added.
1617         (assert):
1618         (throw.new.Error.let.handler.get deleteProperty):
1619         (throw.new.Error):
1620         (assert.let.handler.deleteProperty):
1621         (let.handler.deleteProperty):
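
        The [[Delete]] semantics of section 9.5.10 as seen from script, as an added example that is not part of the ChangeLog or of JavaScriptCore's own code. It assumes a spec-conformant engine such as Node.js; the targets and handlers are constructed sample data. A deleteProperty trap sees string and index keys alike, and the engine enforces the invariant that a trap may not claim success for a non-configurable own property of the target:

```javascript
// Added example (not JSC code): Proxy.[[Delete]] per ECMAScript section
// 9.5.10, with the invariant check. Assumption: run under Node.js.

function deleteThroughProxy() {
  const seen = [];                     // keys the honest trap was asked about
  const target = { removable: 1 };     // constructed sample target
  target[5] = 'indexed';               // an index key, the deletePropertyByIndex case
  Object.defineProperty(target, 'pinned', {
    value: 2, writable: true, enumerable: true, configurable: false,
  });

  // An honest trap forwards to the target and reports what really happened.
  const honest = new Proxy(target, {
    deleteProperty(t, key) {
      seen.push(String(key));
      return Reflect.deleteProperty(t, key);
    },
  });

  const removed = Reflect.deleteProperty(honest, 'removable');    // true
  const removedIndex = Reflect.deleteProperty(honest, 5);         // true, trap saw '5'
  const pinnedRefused = Reflect.deleteProperty(honest, 'pinned'); // false: target refused

  // A lying trap claims success for a non-configurable property. The
  // [[Delete]] invariant check raises a TypeError rather than trusting it,
  // so a handler cannot make a pinned property appear to vanish.
  const lyingTarget = {};
  Object.defineProperty(lyingTarget, 'pinned', { value: 2, configurable: false });
  const lying = new Proxy(lyingTarget, { deleteProperty() { return true; } });
  let invariantError = null;
  try {
    Reflect.deleteProperty(lying, 'pinned');
  } catch (e) {
    invariantError = e;
  }

  return {
    seen,                               // ['removable', '5', 'pinned']
    removed,
    removedIndex,
    pinnedRefused,
    targetKeys: Object.keys(target),    // ['pinned'] is all that is left
    invariantViolationThrows: invariantError instanceof TypeError,
    lyingTargetKeepsPinned: Object.prototype.hasOwnProperty.call(lyingTarget, 'pinned'),
  };
}
```

        Reflect.deleteProperty is used instead of the delete operator so the boolean result is observable without depending on strict-mode throwing rules; the TypeError from the invariant check is raised by [[Delete]] itself and surfaces either way.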
1622
1623 2016-02-24  Filip Pizlo  <fpizlo@apple.com>
1624
1625         Stackmaps have problems with double register constraints
1626         https://bugs.webkit.org/show_bug.cgi?id=154643
1627
1628         Reviewed by Geoffrey Garen.
1629
1630         This is currently a benign bug. I found it while playing.
1631
1632         * b3/B3LowerToAir.cpp:
1633         (JSC::B3::Air::LowerToAir::fillStackmap):
1634         * b3/testb3.cpp:
1635         (JSC::B3::testURShiftSelf64):
1636         (JSC::B3::testPatchpointDoubleRegs):
1637         (JSC::B3::zero):
1638         (JSC::B3::run):
1639
1640 2016-02-24  Skachkov Oleksandr  <gskachkov@gmail.com>
1641
1642         [ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function
1643         https://bugs.webkit.org/show_bug.cgi?id=153981
1644
1645         Reviewed by Saam Barati.
1646
1647         In the first iteration of the arrow function implementation, we emitted loads and stores of the variables 'this', 'arguments',
1648         'super' and 'new.target' whenever an arrow function existed, even if those variables were not used in the arrow function.
1649         The current patch adds logic that prevents emitting those variables if they are not used in the arrow function.
1650         During syntax analysis the parser stores information about the variables used in the arrow function inside
1651         the ordinary function scope and then passes it to BytecodeGenerator through UnlinkedCodeBlock.
1652
1653         * bytecode/ExecutableInfo.h:
1654         (JSC::ExecutableInfo::ExecutableInfo):
1655         (JSC::ExecutableInfo::arrowFunctionCodeFeatures):
1656         * bytecode/UnlinkedCodeBlock.cpp:
1657         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1658         * bytecode/UnlinkedCodeBlock.h:
1659         (JSC::UnlinkedCodeBlock::arrowFunctionCodeFeatures):
1660         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseArguments):
1661         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperCall):
1662         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseSuperProperty):
1663         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseEval):
1664         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseThis):
1665         (JSC::UnlinkedCodeBlock::doAnyInnerArrowFunctionsUseNewTarget):
1666         * bytecode/UnlinkedFunctionExecutable.cpp:
1667         (JSC::generateUnlinkedFunctionCodeBlock):
1668         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1669         * bytecode/UnlinkedFunctionExecutable.h:
1670         * bytecompiler/BytecodeGenerator.cpp:
1671         (JSC::BytecodeGenerator::BytecodeGenerator):
1672         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
1673         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
1674         (JSC::BytecodeGenerator::emitLoadThisFromArrowFunctionLexicalEnvironment):
1675         (JSC::BytecodeGenerator::emitLoadNewTargetFromArrowFunctionLexicalEnvironment):
1676         (JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
1677         (JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
1678         (JSC::BytecodeGenerator::isArgumentsUsedInInnerArrowFunction):
1679         (JSC::BytecodeGenerator::isNewTargetUsedInInnerArrowFunction):
1680         (JSC::BytecodeGenerator::isSuperUsedInInnerArrowFunction):
1681         (JSC::BytecodeGenerator::emitPutNewTargetToArrowFunctionContextScope):
1682         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
1683         (JSC::BytecodeGenerator::emitPutThisToArrowFunctionContextScope):
1684         * bytecompiler/BytecodeGenerator.h:
1685         * bytecompiler/NodesCodegen.cpp:
1686         (JSC::ThisNode::emitBytecode):
1687         (JSC::EvalFunctionCallNode::emitBytecode):
1688         (JSC::FunctionCallValueNode::emitBytecode):
1689         (JSC::FunctionNode::emitBytecode):
1690         * parser/ASTBuilder.h:
1691         (JSC::ASTBuilder::createFunctionMetadata):
1692         * parser/Nodes.cpp:
1693         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1694         * parser/Nodes.h:
1695         * parser/Parser.cpp:
1696         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1697         (JSC::Parser<LexerType>::parseFunctionBody):
1698         (JSC::Parser<LexerType>::parseFunctionInfo):
1699         (JSC::Parser<LexerType>::parseProperty):
1700         (JSC::Parser<LexerType>::parsePrimaryExpression):
1701         (JSC::Parser<LexerType>::parseMemberExpression):
1702         * parser/Parser.h:
1703         (JSC::Scope::Scope):
1704         (JSC::Scope::isArrowFunctionBoundary):
1705         (JSC::Scope::innerArrowFunctionFeatures):
1706         (JSC::Scope::setInnerArrowFunctionUseSuperCall):
1707         (JSC::Scope::setInnerArrowFunctionUseSuperProperty):
1708         (JSC::Scope::setInnerArrowFunctionUseEval):
1709         (JSC::Scope::setInnerArrowFunctionUseThis):
1710         (JSC::Scope::setInnerArrowFunctionUseNewTarget):
1711         (JSC::Scope::setInnerArrowFunctionUseArguments):
1712         (JSC::Scope::setInnerArrowFunctionUseEvalAndUseArgumentsIfNeeded):
1713         (JSC::Scope::collectFreeVariables):
1714         (JSC::Scope::mergeInnerArrowFunctionFeatures):
1715         (JSC::Scope::fillParametersForSourceProviderCache):
1716         (JSC::Scope::restoreFromSourceProviderCache):
1717         (JSC::Scope::setIsFunction):
1718         (JSC::Scope::setIsArrowFunction):
1719         (JSC::Parser::closestParentNonArrowFunctionNonLexicalScope):
1720         (JSC::Parser::pushScope):
1721         (JSC::Parser::popScopeInternal):
1722         * parser/ParserModes.h:
1723         * parser/SourceProviderCacheItem.h:
1724         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1725         * parser/SyntaxChecker.h:
1726         (JSC::SyntaxChecker::createFunctionMetadata):
1727         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
1728         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
1729         * tests/stress/arrowfunction-lexical-bind-newtarget.js:
1730         * tests/stress/arrowfunction-lexical-bind-superproperty.js:
1731         * tests/stress/arrowfunction-lexical-bind-this-8.js: Added.
1732
1733 2016-02-23  Brian Burg  <bburg@apple.com>
1734
1735         Web Inspector: teach the Objective-C protocol generators about --frontend and --backend directives
1736         https://bugs.webkit.org/show_bug.cgi?id=154615
1737         <rdar://problem/24804330>
1738
1739         Reviewed by Timothy Hatcher.
1740
1741         Some of the generated Objective-C bindings are only relevant to code acting as the
1742         protocol backend. Add a per-generator setting mechanism and propagate --frontend and
1743         --backend to all generators. Use the setting in a few generators to omit code that's
1744         not needed.
1745
1746         Also fix a few places where the code emits the wrong Objective-C class prefix.
1747         There is some common non-generated code that must always have the RWIProtocol prefix.
1748
1749         Lastly, change includes to use RWIProtocolJSONObjectPrivate.h instead of *Internal.h. The
1750         macros defined in the internal header now need to be used outside of the framework.
1751
1752         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1753         Use OBJC_STATIC_PREFIX along with the file name and use different include syntax
1754         depending on the target framework.
1755
1756         * inspector/scripts/codegen/generate_objc_header.py:
1757         (ObjCHeaderGenerator.generate_output):
1758         For now, omit generating command protocol and event dispatchers when generating for --frontend.
1759
1760         (ObjCHeaderGenerator._generate_type_interface):
1761         Use OBJC_STATIC_PREFIX along with the unprefixed file name.
1762
1763         * inspector/scripts/codegen/generate_objc_internal_header.py:
1764         Use RWIProtocolJSONObjectPrivate.h instead.
1765
1766         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1767         (ObjCProtocolTypesImplementationGenerator.generate_output):
1768         Include the Internal header if it's being generated (only for --backend).
1769
1770         * inspector/scripts/codegen/generator.py:
1771         (Generator.__init__):
1772         (Generator.set_generator_setting):
1773         (Generator):
1774         (Generator.get_generator_setting):
1775         Crib a simple setting system from the Framework class. Make the names more obnoxious.
1776
1777         (Generator.string_for_file_include):
1778         Inspired by the replay input generator, this is a function that uses the proper syntax
1779         for a file include depending on the file's framework and target framework.
1780
1781         * inspector/scripts/codegen/objc_generator.py:
1782         (ObjCGenerator.and):
1783         (ObjCGenerator.and.objc_prefix):
1784         (ObjCGenerator):
1785         (ObjCGenerator.objc_type_for_raw_name):
1786         (ObjCGenerator.objc_class_for_raw_name):
1787         Whitelist the 'Automation' domain for the ObjC generators. Revise use of OBJC_STATIC_PREFIX.
1788
1789         * inspector/scripts/generate-inspector-protocol-bindings.py:
1790         (generate_from_specification):
1791         Change the generators to use for the frontend. Propagate --frontend and --backend.
1792
1793         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1794         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1795         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1796         * inspector/scripts/tests/expected/enum-values.json-result:
1797         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
1798         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1799         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
1800         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
1801         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
1802         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
1803         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
1804         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
1805         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1806         Rebaseline tests. They now correctly include RWIProtocolJSONObject.h and the like.
1807
1808 2016-02-23  Saam barati  <sbarati@apple.com>
1809
1810         arrayProtoFuncConcat doesn't check for an exception after allocating an array
1811         https://bugs.webkit.org/show_bug.cgi?id=154621
1812
1813         Reviewed by Michael Saboff.
1814
1815         * runtime/ArrayPrototype.cpp:
1816         (JSC::arrayProtoFuncConcat):
1817
1818 2016-02-23  Dan Bernstein  <mitz@apple.com>
1819
1820         [Xcode] Linker errors display mangled names, but no longer should
1821         https://bugs.webkit.org/show_bug.cgi?id=154632
1822
1823         Reviewed by Sam Weinig.
1824
1825         * Configurations/Base.xcconfig: Stop setting LINKER_DISPLAYS_MANGLED_NAMES to YES.
1826
1827 2016-02-23  Gavin Barraclough  <barraclough@apple.com>
1828
1829         Remove HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define
1830         https://bugs.webkit.org/show_bug.cgi?id=112323
1831
1832         Reviewed by Chris Dumez.
1833
1834         This feature is controlled by a runtime switch, and defaults off.
1835
1836         * Configurations/FeatureDefines.xcconfig:
1837
1838 2016-02-23  Keith Miller  <keith_miller@apple.com>
1839
1840         JSC stress tests' standalone-pre.js should exit on the first failure by default
1841         https://bugs.webkit.org/show_bug.cgi?id=154565
1842
1843         Reviewed by Mark Lam.
1844
1845         Currently, if a test writer does not call finishJSTest() at the end of
1846         any test using stress/resources/standalone-pre.js then the test can fail
1847         without actually reporting an error to the harness. By default, we
1848         should throw on the first error so, in the event someone does not call
1849         finishJSTest() the harness will still notice the error.
1850
1851         * tests/stress/regress-151324.js:
1852         * tests/stress/resources/standalone-pre.js:
1853         (testFailed):
1854
1855 2016-02-23  Saam barati  <sbarati@apple.com>
1856
1857         Make JSObject::getMethod have fewer branches
1858         https://bugs.webkit.org/show_bug.cgi?id=154603
1859
1860         Reviewed by Mark Lam.
1861
1862         Writing code with fewer branches is almost always better.
1863
1864         * runtime/JSObject.cpp:
1865         (JSC::JSObject::getMethod):
1866
1867 2016-02-23  Filip Pizlo  <fpizlo@apple.com>
1868
1869         B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
1870         https://bugs.webkit.org/show_bug.cgi?id=154592
1871
1872         Reviewed by Saam Barati.
1873
1874         If Foo has a virtual destructor, then:
1875
1876         foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
1877         subclass of Foo that overrides the destructor, this syntax will not call that override.
1878
1879         foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
1880         get the subclass's override.
1881
1882         In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
1883         This caused leaks because this didn't actually call the subclass's override. This fixes the
1884         problem by using this->~Value() instead.
1885
1886         * b3/B3ControlValue.cpp:
1887         (JSC::B3::ControlValue::convertToJump):
1888         (JSC::B3::ControlValue::convertToOops):
1889         * b3/B3Value.cpp:
1890         (JSC::B3::Value::replaceWithIdentity):
1891         (JSC::B3::Value::replaceWithNop):
1892         (JSC::B3::Value::replaceWithPhi):
1893
1894 2016-02-23  Brian Burg  <bburg@apple.com>
1895
1896         Web Inspector: the protocol generator's Objective-C name prefix should be configurable
1897         https://bugs.webkit.org/show_bug.cgi?id=154596
1898         <rdar://problem/24794962>
1899
1900         Reviewed by Timothy Hatcher.
1901
1902         In order to support different generated protocol sets that don't have conflicting
1903         file and type names, allow the Objective-C prefix to be configurable based on the
1904         target framework. Each name also has the implicit prefix 'Protocol' appended to the
1905         per-target framework prefix.
1906
1907         For example, the existing protocol for remote inspection has the prefix 'RWI'
1908         and is generated as 'RWIProtocol'. The WebKit framework has the 'Automation' prefix
1909         and is generated as 'AutomationProtocol'.
1910
1911         To make this change, convert ObjCGenerator to be a subclass of Generator and use
1912         the instance method model() to find the target framework and its setting for
1913         'objc_prefix'. Make all ObjC generators subclass ObjCGenerator so they can use
1914         these instance methods that used to be static methods. This is a large but
1915         mechanical change to use self instead of ObjCGenerator.
1916
1917         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
1918         (ObjCBackendDispatcherHeaderGenerator):
1919         (ObjCBackendDispatcherHeaderGenerator.__init__):
1920         (ObjCBackendDispatcherHeaderGenerator.output_filename):
1921         (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
1922         (ObjCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
1923         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1924         (ObjCConfigurationImplementationGenerator):
1925         (ObjCConfigurationImplementationGenerator.__init__):
1926         (ObjCConfigurationImplementationGenerator.output_filename):
1927         (ObjCConfigurationImplementationGenerator.generate_output):
1928         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
1929         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command.and):
1930         (ObjCConfigurationImplementationGenerator._generate_conversions_for_command):
1931         * inspector/scripts/codegen/generate_objc_configuration_header.py:
1932         (ObjCConfigurationHeaderGenerator):
1933         (ObjCConfigurationHeaderGenerator.__init__):
1934         (ObjCConfigurationHeaderGenerator.output_filename):
1935         (ObjCConfigurationHeaderGenerator.generate_output):
1936         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
1937         (ObjCConfigurationHeaderGenerator._generate_properties_for_domain):
1938         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
1939         (ObjCBackendDispatcherImplementationGenerator):
1940         (ObjCBackendDispatcherImplementationGenerator.__init__):
1941         (ObjCBackendDispatcherImplementationGenerator.output_filename):
1942         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1943         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
1944         (ObjCBackendDispatcherImplementationGenerator._generate_ivars):
1945         (ObjCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
1946         (ObjCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
1947         * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
1948         (ObjCConversionHelpersGenerator):
1949         (ObjCConversionHelpersGenerator.__init__):
1950         (ObjCConversionHelpersGenerator.output_filename):
1951         (ObjCConversionHelpersGenerator.generate_output):
1952         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
1953         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
1954         (ObjCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
1955         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1956         (ObjCFrontendDispatcherImplementationGenerator):
1957         (ObjCFrontendDispatcherImplementationGenerator.__init__):
1958         (ObjCFrontendDispatcherImplementationGenerator.output_filename):
1959         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1960         (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
1961         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1962         (ObjCFrontendDispatcherImplementationGenerator._generate_event.and):
1963         (ObjCFrontendDispatcherImplementationGenerator._generate_event_signature):
1964         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1965         * inspector/scripts/codegen/generate_objc_header.py:
1966         (ObjCHeaderGenerator):
1967         (ObjCHeaderGenerator.__init__):
1968         (ObjCHeaderGenerator.output_filename):
1969         (ObjCHeaderGenerator.generate_output):
1970         (ObjCHeaderGenerator._generate_forward_declarations):
1971         (ObjCHeaderGenerator._generate_anonymous_enum_for_declaration):
1972         (ObjCHeaderGenerator._generate_anonymous_enum_for_member):
1973         (ObjCHeaderGenerator._generate_anonymous_enum_for_parameter):
1974         (ObjCHeaderGenerator._generate_type_interface):
1975         (ObjCHeaderGenerator._generate_init_method_for_required_members):
1976         (ObjCHeaderGenerator._generate_member_property):
1977         (ObjCHeaderGenerator._generate_command_protocols):
1978         (ObjCHeaderGenerator._generate_single_command_protocol):
1979         (ObjCHeaderGenerator._callback_block_for_command):
1980         (ObjCHeaderGenerator._generate_event_interfaces):
1981         (ObjCHeaderGenerator._generate_single_event_interface):
1982         * inspector/scripts/codegen/generate_objc_internal_header.py:
1983         (ObjCInternalHeaderGenerator):
1984         (ObjCInternalHeaderGenerator.__init__):
1985         (ObjCInternalHeaderGenerator.output_filename):
1986         (ObjCInternalHeaderGenerator.generate_output):
1987         (ObjCInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
1988         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1989         (ObjCProtocolTypesImplementationGenerator):
1990         (ObjCProtocolTypesImplementationGenerator.__init__):
1991         (ObjCProtocolTypesImplementationGenerator.output_filename):
1992         (ObjCProtocolTypesImplementationGenerator.generate_output):
1993         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1994         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
1995         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members.and):
1996         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
1997         (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member.and):
1998         (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
1999         * inspector/scripts/codegen/models.py:
2000         * inspector/scripts/codegen/objc_generator.py:
2001         (ObjCTypeCategory.category_for_type):
2002         (ObjCGenerator):
2003         (ObjCGenerator.__init__):
2004         (ObjCGenerator.objc_prefix):
2005         (ObjCGenerator.objc_name_for_type):
2006         (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
2007         (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
2008         (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
2009         (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
2010         (ObjCGenerator.objc_class_for_type):
2011         (ObjCGenerator.objc_class_for_array_type):
2012         (ObjCGenerator.objc_accessor_type_for_member):
2013         (ObjCGenerator.objc_accessor_type_for_member_internal):
2014         (ObjCGenerator.objc_type_for_member):
2015         (ObjCGenerator.objc_type_for_member_internal):
2016         (ObjCGenerator.objc_type_for_param):
2017         (ObjCGenerator.objc_type_for_param_internal):
2018         (ObjCGenerator.objc_protocol_export_expression_for_variable):
2019         (ObjCGenerator.objc_protocol_import_expression_for_member):
2020         (ObjCGenerator.objc_protocol_import_expression_for_parameter):
2021         (ObjCGenerator.objc_protocol_import_expression_for_variable):
2022         (ObjCGenerator.objc_to_protocol_expression_for_member):
2023         (ObjCGenerator.protocol_to_objc_expression_for_member):
2024
2025         Change the prefix for the 'Test' target framework to be 'Test.' Rebaseline results.
2026
2027         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2028         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2029         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2030         * inspector/scripts/tests/expected/enum-values.json-result:
2031         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2032         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2033         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2034         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2035         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2036         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2037         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2038         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2039         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2040
2041 2016-02-23  Mark Lam  <mark.lam@apple.com>
2042
2043         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.
2044         https://bugs.webkit.org/show_bug.cgi?id=154542
2045
2046         Reviewed by Saam Barati.
2047
2048         According to the spec, the constructors of the following types "are not intended
2049         to be called as a function and will throw an exception".  These types are:
2050             TypedArrays - https://tc39.github.io/ecma262/#sec-typedarray-constructors
2051             Map - https://tc39.github.io/ecma262/#sec-map-constructor
2052             Set - https://tc39.github.io/ecma262/#sec-set-constructor
2053             WeakMap - https://tc39.github.io/ecma262/#sec-weakmap-constructor
2054             WeakSet - https://tc39.github.io/ecma262/#sec-weakset-constructor
2055             ArrayBuffer - https://tc39.github.io/ecma262/#sec-arraybuffer-constructor
2056             DataView - https://tc39.github.io/ecma262/#sec-dataview-constructor
2057             Promise - https://tc39.github.io/ecma262/#sec-promise-constructor
2058             Proxy - https://tc39.github.io/ecma262/#sec-proxy-constructor
2059
        This patch does the following:
        1. Ensures that these constructors can be called but will throw a TypeError
           when called.
        2. Makes all these objects use throwConstructorCannotBeCalledAsFunctionTypeError()
           in their implementation to be consistent.
        3. Changes the error message to "calling XXX constructor without new is invalid".
           This is clearer because the error is likely due to the user forgetting to use
           the new operator on these constructors.
2068
2069         * runtime/Error.h:
2070         * runtime/Error.cpp:
2071         (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
2072         - Added a convenience function to throw the TypeError.
2073
2074         * runtime/JSArrayBufferConstructor.cpp:
2075         (JSC::constructArrayBuffer):
2076         (JSC::callArrayBuffer):
2077         (JSC::JSArrayBufferConstructor::getCallData):
2078         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2079         (JSC::callGenericTypedArrayView):
2080         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):
2081         * runtime/JSPromiseConstructor.cpp:
2082         (JSC::callPromise):
2083         * runtime/MapConstructor.cpp:
2084         (JSC::callMap):
2085         * runtime/ProxyConstructor.cpp:
2086         (JSC::callProxy):
2087         (JSC::ProxyConstructor::getCallData):
2088         * runtime/SetConstructor.cpp:
2089         (JSC::callSet):
2090         * runtime/WeakMapConstructor.cpp:
2091         (JSC::callWeakMap):
2092         * runtime/WeakSetConstructor.cpp:
2093         (JSC::callWeakSet):
2094
2095         * tests/es6.yaml:
2096         - The typed_arrays_%TypedArray%[Symbol.species].js test now passes.
2097
2098         * tests/stress/call-non-calleable-constructors-as-function.js: Added.
2099         (test):
2100
2101         * tests/stress/map-constructor.js:
2102         (testCallTypeError):
2103         * tests/stress/promise-cannot-be-called.js:
2104         (shouldThrow):
2105         * tests/stress/proxy-basic.js:
2106         * tests/stress/set-constructor.js:
2107         * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js:
2108         (i.catch):
2109         * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js:
2110         (i.catch):
2111         * tests/stress/throw-from-ftl-call-ic-slow-path.js:
2112         (i.catch):
2113         * tests/stress/weak-map-constructor.js:
2114         (testCallTypeError):
2115         * tests/stress/weak-set-constructor.js:
2116         - Updated error message string.
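
        Added example in JavaScript (not code from this ChangeLog or from JavaScriptCore) probing the rule this
        entry implements: a plain call of each listed constructor must throw a TypeError while Reflect.construct
        on the same object succeeds, and a user-defined constructor enforcing the same invariant via new.target.
        The argument lists and the StrictPoint function are constructed for the probe; only the error type is
        checked, since the message text is engine-specific.

```javascript
// Added example, not from the ChangeLog or from JavaScriptCore. It probes the
// spec rule this entry implements: the listed built-ins have [[Construct]]
// but are "not intended to be called as a function", so a plain call must
// throw a TypeError while Reflect.construct on the same object succeeds.
// Only the error type is asserted; the message text differs per engine.

// Constructors named in the entry, each with minimal valid arguments so the
// only way the construct path can fail is an engine bug, not bad input.
const CONSTRUCT_ONLY = [
  [Uint8Array, [4]],
  [Map, []],
  [Set, []],
  [WeakMap, []],
  [WeakSet, []],
  [ArrayBuffer, [8]],
  [DataView, [new ArrayBuffer(8)]],
  [Promise, [function executor() {}]],
  [Proxy, [{}, {}]],
];

// Built-ins the spec does allow to call as functions, for contrast: these
// return a value (Date returns a string, Number coerces, Error allocates).
const CALLABLE_TOO = [
  [Date, []],
  [Number, ["42"]],
  [String, [42]],
  [Boolean, [1]],
  [Error, ["msg"]],
  [RegExp, ["a+"]],
  [Array, [3]],
  [Object, []],
];

// "TypeError" if the plain call throws one, "ok" if it returns normally,
// otherwise the name of whatever else was thrown.
function probeCall(Ctor, args) {
  try {
    Reflect.apply(Ctor, undefined, args);
    return "ok";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : String(e && e.name);
  }
}

// true if the `new` path works for the same arguments.
function probeConstruct(Ctor, args) {
  try {
    Reflect.construct(Ctor, args);
    return true;
  } catch (e) {
    return false;
  }
}

// Maps each constructor name to what both paths did.
function probeAll(table) {
  const out = {};
  for (const [Ctor, args] of table) {
    out[Ctor.name] = { call: probeCall(Ctor, args), construct: probeConstruct(Ctor, args) };
  }
  return out;
}

// The same invariant for a user-defined (constructed, hypothetical)
// constructor: new.target is undefined on a plain call and an object on
// `new` / Reflect.construct. The message mirrors the wording the entry adopts.
function StrictPoint(x, y) {
  if (new.target === undefined) {
    throw new TypeError("calling StrictPoint constructor without new is invalid");
  }
  this.x = x;
  this.y = y;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(probeAll(CONSTRUCT_ONLY));
  console.log(probeAll(CALLABLE_TOO));
  console.log(probeCall(StrictPoint, [1, 2]), probeConstruct(StrictPoint, [1, 2]));
}
```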
2117
2118 2016-02-23  Alexey Proskuryakov  <ap@apple.com>
2119
2120         ASan build fix.
2121
2122         Let's not export a template function that is only used in InspectorBackendDispatcher.cpp.
2123
2124         * inspector/InspectorBackendDispatcher.h:
2125
2126 2016-02-23  Brian Burg  <bburg@apple.com>
2127
2128         Connect WebAutomationSession to its backend dispatcher as if it were an agent and add stub implementations
2129         https://bugs.webkit.org/show_bug.cgi?id=154518
2130         <rdar://problem/24761096>
2131
2132         Reviewed by Timothy Hatcher.
2133
2134         * inspector/InspectorBackendDispatcher.h:
2135         Export all the classes since they are used by WebKit::WebAutomationSession.
2136
2137 2016-02-22  Brian Burg  <bburg@apple.com>
2138
2139         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2140         https://bugs.webkit.org/show_bug.cgi?id=154509
2141         <rdar://problem/24759098>
2142
2143         Reviewed by Timothy Hatcher.
2144
2145         Add a new 'WebKit' framework, which is used to generate protocol code
2146         in WebKit2.
2147
2148         Add --backend and --frontend flags to the main generator script.
2149         These allow a framework to trigger two different sets of generators
2150         so they can be separately generated and compiled.
2151
2152         * inspector/scripts/codegen/models.py:
2153         (Framework.fromString):
2154         (Frameworks): Add new framework.
2155
2156         * inspector/scripts/generate-inspector-protocol-bindings.py:
        If neither --backend nor --frontend is specified, assume both are wanted.
2158         This matches the behavior for JavaScriptCore and WebInspector frameworks.
2159
2160         (generate_from_specification):
2161         Generate C++ files for the backend and Objective-C files for the frontend.
2162
2163 2016-02-22  Saam barati  <sbarati@apple.com>
2164
2165         JSGlobalObject doesn't visit ProxyObjectStructure during GC
2166         https://bugs.webkit.org/show_bug.cgi?id=154564
2167
2168         Rubber stamped by Mark Lam.
2169
2170         * runtime/JSGlobalObject.cpp:
2171         (JSC::JSGlobalObject::visitChildren):
2172
2173 2016-02-22  Saam barati  <sbarati@apple.com>
2174
2175         InternalFunction::createSubclassStructure doesn't take into account that get() might throw
2176         https://bugs.webkit.org/show_bug.cgi?id=154548
2177
2178         Reviewed by Mark Lam and Geoffrey Garen and Andreas Kling.
2179
2180         InternalFunction::createSubclassStructure calls newTarget.get(...) which can throw 
2181         an exception. Neither the function nor the call sites of the function took this into
2182         account. This patch audits the call sites of the function to make it work in
2183         the event that an exception is thrown.
2184
2185         * runtime/BooleanConstructor.cpp:
2186         (JSC::constructWithBooleanConstructor):
2187         * runtime/DateConstructor.cpp:
2188         (JSC::constructDate):
2189         * runtime/ErrorConstructor.cpp:
2190         (JSC::Interpreter::constructWithErrorConstructor):
2191         * runtime/FunctionConstructor.cpp:
2192         (JSC::constructFunctionSkippingEvalEnabledCheck):
2193         * runtime/InternalFunction.cpp:
2194         (JSC::InternalFunction::createSubclassStructure):
2195         * runtime/JSArrayBufferConstructor.cpp:
2196         (JSC::constructArrayBuffer):
2197         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2198         (JSC::constructGenericTypedArrayView):
2199         * runtime/JSGlobalObject.h:
2200         (JSC::constructEmptyArray):
2201         (JSC::constructArray):
2202         (JSC::constructArrayNegativeIndexed):
2203         * runtime/JSPromiseConstructor.cpp:
2204         (JSC::constructPromise):
2205         * runtime/MapConstructor.cpp:
2206         (JSC::constructMap):
2207         * runtime/NativeErrorConstructor.cpp:
2208         (JSC::Interpreter::constructWithNativeErrorConstructor):
2209         * runtime/NumberConstructor.cpp:
2210         (JSC::constructWithNumberConstructor):
2211         * runtime/RegExpConstructor.cpp:
2212         (JSC::getRegExpStructure):
2213         (JSC::constructRegExp):
2214         (JSC::constructWithRegExpConstructor):
2215         * runtime/SetConstructor.cpp:
2216         (JSC::constructSet):
2217         * runtime/StringConstructor.cpp:
2218         (JSC::constructWithStringConstructor):
2219         (JSC::StringConstructor::getConstructData):
2220         * runtime/WeakMapConstructor.cpp:
2221         (JSC::constructWeakMap):
2222         * runtime/WeakSetConstructor.cpp:
2223         (JSC::constructWeakSet):
2224         * tests/stress/create-subclass-structure-might-throw.js: Added.
2225         (assert):
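
        Added example (JavaScript, not from this ChangeLog or from JavaScriptCore's tests) of the observable
        effect described above: the Get of new.target's "prototype" can throw, and the exception must propagate
        out of the built-in constructor instead of being lost. The new.target here is a constructable Proxy with
        a throwing get trap (the kind of non-JSFunction new.target the later Proxy.[[Construct]] entry also
        handles); the constructor list and the marker error are the example's own constructed inputs.

```javascript
// Added example, not part of the ChangeLog or of JavaScriptCore's test suite.
// GetPrototypeFromConstructor(newTarget) performs an observable
// Get(newTarget, "prototype"). A user-supplied new.target can therefore throw
// from inside a built-in constructor, and the engine must propagate that
// exception instead of continuing with a half-built object.

// A constructable Proxy whose "prototype" lookup throws `marker`. An ordinary
// function cannot be used for this: its "prototype" property is
// non-configurable, so it cannot be redefined as a throwing accessor. A Proxy
// around a constructor has [[Construct]], so it is a valid new.target.
function makeThrowingNewTarget(marker) {
  return new Proxy(function () {}, {
    get(target, key, receiver) {
      if (key === "prototype") throw marker;
      return Reflect.get(target, key, receiver);
    },
  });
}

// Constructs `Ctor` with the throwing new.target and reports what happened:
// "propagated" if exactly our marker surfaced, "swallowed" if construction
// completed anyway, "other" if an unrelated error came out instead.
function constructWithThrowingNewTarget(Ctor, args = []) {
  const marker = new Error("prototype getter ran");
  const newTarget = makeThrowingNewTarget(marker);
  try {
    Reflect.construct(Ctor, args, newTarget);
    return "swallowed";
  } catch (e) {
    return e === marker ? "propagated" : "other";
  }
}

// Constructors whose call sites the entry audits, with minimal valid
// arguments so the only failure can come from the new.target lookup.
const AUDITED = [
  [Boolean, []],
  [Date, []],
  [Error, ["x"]],
  [Map, []],
  [Number, []],
  [Promise, [function executor() {}]],
  [RegExp, ["a"]],
  [Set, []],
  [String, []],
  [WeakMap, []],
  [WeakSet, []],
  [ArrayBuffer, [8]],
  [Uint8Array, [4]],
];

// Maps each constructor name to the outcome of constructWithThrowingNewTarget.
function auditAll() {
  const results = {};
  for (const [Ctor, args] of AUDITED) {
    results[Ctor.name] = constructWithThrowingNewTarget(Ctor, args);
  }
  return results;
}

// Control: a well-behaved subclass as new.target. The built-in must give its
// instance newTarget.prototype as prototype (the "subclass structure").
function constructAsSubclass(Ctor, args = []) {
  class Sub {}
  const obj = Reflect.construct(Ctor, args, Sub);
  return Object.getPrototypeOf(obj) === Sub.prototype;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditAll());
  console.log("Map as subclass:", constructAsSubclass(Map));
}
```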
2226
2227 2016-02-22  Ting-Wei Lan  <lantw44@gmail.com>
2228
2229         Fix build and implement functions to retrieve registers on FreeBSD
2230         https://bugs.webkit.org/show_bug.cgi?id=152258
2231
2232         Reviewed by Michael Catanzaro.
2233
2234         * heap/MachineStackMarker.cpp:
2235         (pthreadSignalHandlerSuspendResume):
2236         struct ucontext is not specified in POSIX and it is not available on
2237         FreeBSD. Replacing it with ucontext_t fixes the build problem.
2238         (JSC::MachineThreads::Thread::Registers::stackPointer):
2239         (JSC::MachineThreads::Thread::Registers::framePointer):
2240         (JSC::MachineThreads::Thread::Registers::instructionPointer):
2241         (JSC::MachineThreads::Thread::Registers::llintPC):
2242         * heap/MachineStackMarker.h:
2243
2244 2016-02-22  Saam barati  <sbarati@apple.com>
2245
2246         JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData
2247         https://bugs.webkit.org/show_bug.cgi?id=154552
2248
2249         Reviewed by Mark Lam.
2250
2251         ES6 Proxy breaks our isFunction() and isConstructor() JSValue methods.
2252         They return false on a Proxy with internal [[Call]] and [[Construct]]
2253         properties. It seems safest, most forward looking, and most adherent
2254         to the specification to check getCallData() and getConstructData() to
2255         implement these functions.
2256
2257         * runtime/InternalFunction.cpp:
2258         (JSC::InternalFunction::createSubclassStructure):
2259         * runtime/JSCJSValueInlines.h:
2260         (JSC::JSValue::isFunction):
2261         (JSC::JSValue::isConstructor):
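
        Added example (JavaScript, not code from this ChangeLog or from JavaScriptCore): the user-land analogue
        of this change, deciding callability and constructability by the presence of [[Call]] and [[Construct]]
        rather than by structural checks, run over constructed samples that include Proxy objects, bound
        functions and generator functions. The sample names and the two "structural" heuristics are the
        example's own.

```javascript
// Added example, not from the ChangeLog or from JavaScriptCore. User-land
// analogue of the engine-side change: decide callability and
// constructability by whether the internal method exists, not by what the
// value structurally looks like. A Proxy forwards [[Call]] and [[Construct]]
// from its target, so both correct checks follow the target automatically.

// typeof reports "function" exactly when the value has [[Call]]; for a Proxy
// that is iff its target is callable.
function isCallable(value) {
  return typeof value === "function";
}

// There is no direct [[Construct]] probe. Reflect.construct checks
// IsConstructor(newTarget) first and throws a TypeError when it is absent;
// with String as the constructed target, nothing of `value` runs except its
// "prototype" lookup and no user code is invoked.
function isConstructor(value) {
  if (!isCallable(value)) return false;
  try {
    Reflect.construct(String, [], value);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e; // came from value's own "prototype" accessor, not from IsConstructor
  }
}

// Structural heuristics that look plausible but misclassify some values.
function looksLikeFunction(value) {
  return value instanceof Function; // wrong for functions with a null prototype chain
}
function looksLikeConstructor(value) {
  // wrong for bound functions (constructors without "prototype") and
  // generator functions ("prototype" without [[Construct]])
  return isCallable(value) && Object.prototype.hasOwnProperty.call(value, "prototype");
}

// Constructed samples covering the cases the entry cares about.
class Klass {}
const samples = {
  plainFunction: function f() {},
  arrow: () => {},
  klass: Klass,
  method: ({ m() {} }).m,
  generator: function* g() {},
  boundKlass: Klass.bind(null),
  proxyOfFunction: new Proxy(function () {}, {}),
  proxyOfArrow: new Proxy(() => {}, {}),
  proxyOfClass: new Proxy(Klass, {}),
  proxyOfObject: new Proxy({}, {}),
  nullProtoFunction: Object.setPrototypeOf(function h() {}, null),
};

// Per sample: the internal-method answers and where the heuristics disagree.
function classify(value) {
  return {
    callable: isCallable(value),
    constructible: isConstructor(value),
    structuralFunctionWrong: looksLikeFunction(value) !== isCallable(value),
    structuralConstructorWrong: looksLikeConstructor(value) !== isConstructor(value),
  };
}

function classifyAll() {
  const out = {};
  for (const [name, value] of Object.entries(samples)) out[name] = classify(value);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(classifyAll());
}
```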
2262
2263 2016-02-22  Keith Miller  <keith_miller@apple.com>
2264
2265         Bound functions should use the prototype of the function being bound
2266         https://bugs.webkit.org/show_bug.cgi?id=154195
2267
2268         Reviewed by Geoffrey Garen.
2269
2270         Per ES6, the result of Function.prototype.bind should have the same
        prototype as the function being bound. In order to avoid creating
2272         a new structure each time a function is bound we store the new
2273         structure in our structure map. However, we cannot currently store
2274         structures that have a different GlobalObject than their prototype.
2275         In the rare case that the GlobalObject differs or the prototype of
2276         the bindee is null we create a new structure each time. To further
2277         minimize new structures, as well as making structure lookup faster,
2278         we also store the structure in the RareData of the function we
2279         are binding.
2280
2281         * runtime/FunctionRareData.cpp:
2282         (JSC::FunctionRareData::visitChildren):
2283         * runtime/FunctionRareData.h:
2284         (JSC::FunctionRareData::getBoundFunctionStructure):
2285         (JSC::FunctionRareData::setBoundFunctionStructure):
2286         * runtime/JSBoundFunction.cpp:
2287         (JSC::getBoundFunctionStructure):
2288         (JSC::JSBoundFunction::create):
2289         * tests/es6.yaml:
2290         * tests/stress/bound-function-uses-prototype.js: Added.
2291         (testChangeProto.foo):
2292         (testChangeProto):
2293         (testBuiltins):
2294         * tests/stress/class-subclassing-function.js:
2295
2296 2016-02-22  Keith Miller  <keith_miller@apple.com>
2297
2298         Unreviewed, fix stress test to not print on success.
2299
2300         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js:
2301         (catch): Deleted.
2302
2303 2016-02-22  Keith Miller  <keith_miller@apple.com>
2304
2305         Use Symbol.species in the builtin TypedArray.prototype functions
2306         https://bugs.webkit.org/show_bug.cgi?id=153384
2307
2308         Reviewed by Geoffrey Garen.
2309
2310         This patch adds the use of species constructors to the TypedArray.prototype map and filter
2311         functions. It also adds a new private function typedArrayGetOriginalConstructor that
2312         returns the TypedArray constructor used to originally create a TypedArray instance.
2313
2314         There are no ES6 tests to update for this patch as species creation for these functions is
2315         not tested in the compatibility table.
2316
2317         * builtins/TypedArrayPrototype.js:
2318         (map):
2319         (filter):
2320         * bytecode/BytecodeIntrinsicRegistry.cpp:
2321         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2322         * bytecode/BytecodeIntrinsicRegistry.h:
2323         * runtime/CommonIdentifiers.h:
2324         * runtime/JSGlobalObject.cpp:
2325         (JSC::JSGlobalObject::init):
2326         (JSC::JSGlobalObject::visitChildren):
2327         * runtime/JSGlobalObject.h:
2328         (JSC::JSGlobalObject::typedArrayConstructor):
2329         * runtime/JSTypedArrayViewPrototype.cpp:
2330         (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
2331         * runtime/JSTypedArrayViewPrototype.h:
2332         * tests/stress/typedarray-filter.js:
2333         (subclasses.typedArrays.map):
2334         (prototype.accept):
2335         (testSpecies):
2336         (accept):
2337         (forEach):
2338         (subclasses.forEach):
2339         (testSpeciesRemoveConstructor):
2340         * tests/stress/typedarray-map.js:
2341         (subclasses.typedArrays.map):
2342         (prototype.id):
2343         (testSpecies):
2344         (id):
2345         (forEach):
2346         (subclasses.forEach):
2347         (testSpeciesRemoveConstructor):
2348
2349 2016-02-22  Keith Miller  <keith_miller@apple.com>
2350
2351         Builtins that should not rely on iteration do.
2352         https://bugs.webkit.org/show_bug.cgi?id=154475
2353
2354         Reviewed by Geoffrey Garen.
2355
        When changing the behavior of varargs calls to use ES6 iterators, the
        call builtin function's use of a varargs call was overlooked. The use
        of iterators is observable outside the scope of the call function,
        thus it must be reimplemented.
2360
2361         * builtins/FunctionPrototype.js:
2362         (call):
2363         * tests/stress/call-apply-builtin-functions-dont-use-iterators.js: Added.
2364         (test):
2365         (addAll):
2366         (catch):
2367
2368 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
2369
2370         [JSC shell] Don't put empty arguments array to VM.
2371         https://bugs.webkit.org/show_bug.cgi?id=154516
2372
2373         Reviewed by Geoffrey Garen.
2374
        This allows the arrowfunction-lexical-bind-arguments-top-level test to pass
        in jsc as well as in the browser.
2377
2378         * jsc.cpp:
2379         (GlobalObject::finishCreation):
2380
2381 2016-02-22  Konstantin Tokarev  <annulen@yandex.ru>
2382
2383         [cmake] Moved library setup code to WEBKIT_FRAMEWORK macro.
2384         https://bugs.webkit.org/show_bug.cgi?id=154450
2385
2386         Reviewed by Alex Christensen.
2387
2388         * CMakeLists.txt:
2389
2390 2016-02-22  Commit Queue  <commit-queue@webkit.org>
2391
2392         Unreviewed, rolling out r196891.
2393         https://bugs.webkit.org/show_bug.cgi?id=154539
2394
        It broke Production builds (Requested by brrian on #webkit).
2396
2397         Reverted changeset:
2398
2399         "Web Inspector: add 'Automation' protocol domain and generate
2400         its backend classes separately in WebKit2"
2401         https://bugs.webkit.org/show_bug.cgi?id=154509
2402         http://trac.webkit.org/changeset/196891
2403
2404 2016-02-21  Joseph Pecoraro  <pecoraro@apple.com>
2405
2406         CodeBlock always visits its unlinked code twice
2407         https://bugs.webkit.org/show_bug.cgi?id=154494
2408
2409         Reviewed by Saam Barati.
2410
2411         * bytecode/CodeBlock.cpp:
2412         (JSC::CodeBlock::visitChildren):
2413         The unlinked code is always visited in stronglyVisitStrongReferences.
2414
2415 2016-02-21  Brian Burg  <bburg@apple.com>
2416
2417         Web Inspector: add 'Automation' protocol domain and generate its backend classes separately in WebKit2
2418         https://bugs.webkit.org/show_bug.cgi?id=154509
2419         <rdar://problem/24759098>
2420
2421         Reviewed by Timothy Hatcher.
2422
2423         Add a new 'WebKit' framework, which is used to generate protocol code
2424         in WebKit2.
2425
2426         Add --backend and --frontend flags to the main generator script.
2427         These allow a framework to trigger two different sets of generators
2428         so they can be separately generated and compiled.
2429
2430         * inspector/scripts/codegen/models.py:
2431         (Framework.fromString):
2432         (Frameworks): Add new framework.
2433
2434         * inspector/scripts/generate-inspector-protocol-bindings.py:
        If neither --backend nor --frontend is specified, assume both are wanted.
2436         This matches the behavior for JavaScriptCore and WebInspector frameworks.
2437
2438         (generate_from_specification):
2439         Generate C++ files for the backend and Objective-C files for the frontend.
2440
2441 2016-02-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2442
2443         Improvements to Intl code
2444         https://bugs.webkit.org/show_bug.cgi?id=154486
2445
2446         Reviewed by Darin Adler.
2447
2448         This patch does several things:
2449         - Use std::unique_ptr to store ICU objects.
2450         - Pass Vector::size() to ICU functions that take a buffer size instead
2451           of Vector::capacity().
2452         - If U_SUCCESS(status) is true, it means there is no error, but there
2453           could be warnings. ICU functions ignore warnings. So, there is no need
2454           to reset status to U_ZERO_ERROR.
2455         - Remove the initialization of the String instance variables of
2456           IntlDateTimeFormat. These values are never read and cause unnecessary
2457           memory allocation.
2458         - Fix coding style.
        - Some small optimizations.
2460
2461         * runtime/IntlCollator.cpp:
2462         (JSC::IntlCollator::UCollatorDeleter::operator()):
2463         (JSC::IntlCollator::createCollator):
2464         (JSC::IntlCollator::compareStrings):
2465         (JSC::IntlCollator::~IntlCollator): Deleted.
2466         * runtime/IntlCollator.h:
2467         * runtime/IntlDateTimeFormat.cpp:
2468         (JSC::IntlDateTimeFormat::UDateFormatDeleter::operator()):
2469         (JSC::defaultTimeZone):
2470         (JSC::canonicalizeTimeZoneName):
2471         (JSC::toDateTimeOptionsAnyDate):
2472         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2473         (JSC::IntlDateTimeFormat::weekdayString):
2474         (JSC::IntlDateTimeFormat::format):
2475         (JSC::IntlDateTimeFormat::~IntlDateTimeFormat): Deleted.
2476         (JSC::localeData): Deleted.
2477         * runtime/IntlDateTimeFormat.h:
2478         * runtime/IntlDateTimeFormatConstructor.cpp:
2479         * runtime/IntlNumberFormatConstructor.cpp:
2480         * runtime/IntlObject.cpp:
2481         (JSC::numberingSystemsForLocale):
2482
2483 2016-02-21  Skachkov Oleksandr  <gskachkov@gmail.com>
2484
2485         Remove arrowfunction test cases that rely on arguments variable in jsc
2486         https://bugs.webkit.org/show_bug.cgi?id=154517
2487
2488         Reviewed by Yusuke Suzuki.
2489
        Allow jsc to have the same JavaScript behavior as the browser.
2491
2492         * tests/stress/arrowfunction-lexical-bind-arguments-non-strict-1.js:
2493         * tests/stress/arrowfunction-lexical-bind-arguments-strict.js:
2494
2495 2016-02-21  Brian Burg  <bburg@apple.com>
2496
2497         Web Inspector: it should be possible to omit generated code guarded by INSPECTOR_ALTERNATE_DISPATCHERS
2498         https://bugs.webkit.org/show_bug.cgi?id=154508
2499         <rdar://problem/24759077>
2500
2501         Reviewed by Timothy Hatcher.
2502
2503         In preparation for being able to generate protocol files for WebKit2,
2504         make it possible to not emit generated code that's guarded by
2505         ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS). This code is not needed by
2506         backend dispatchers generated outside of JavaScriptCore. We can't just
2507         define it to 0 for WebKit2, since it's defined to 1 in <wtf/Platform.h>
2508         in the configurations where the code is actually used.
2509
2510         Add a new opt-in Framework configuration option that turns on generating
2511         this code. Adjust how the code is generated so that it can be easily excluded.
2512
2513         * inspector/scripts/codegen/cpp_generator_templates.py:
2514         Make a separate template for the declarations that are guarded.
        Add an initializer expression so the order of initializers doesn't matter.
2516
2517         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2518         (CppBackendDispatcherHeaderGenerator.generate_output): Add a setting check.
2519         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2520         If the declarations are needed, they will be appended to the end of the
2521         declarations list.
2522
2523         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2524         (CppBackendDispatcherImplementationGenerator.generate_output): Add a setting check.
2525         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Add a setting check.
2526
2527         * inspector/scripts/codegen/models.py: Set the 'alternate_dispatchers' setting
2528         to True for Framework.JavaScriptCore only. It's not needed elsewhere.
2529
2530         Rebaseline affected tests.
2531
2532         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2533         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2534         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2535         * inspector/scripts/tests/expected/enum-values.json-result:
2536         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2537
2538 2016-02-21  Brian Burg  <bburg@apple.com>
2539
2540         Web Inspector: clean up generator selection in generate-inspector-protocol-bindings.py
2541         https://bugs.webkit.org/show_bug.cgi?id=154505
2542         <rdar://problem/24758042>
2543
2544         Reviewed by Timothy Hatcher.
2545
2546         It should be possible to generate code for a framework using some generators
2547         that other frameworks also use. Right now the generator selection code assumes
2548         that use of a generator is mutually exclusive among non-test frameworks.
2549
        Make this code explicitly switch on the framework. Reorder generators
        alphabetically within each case.
2552
2553         * inspector/scripts/generate-inspector-protocol-bindings.py:
2554         (generate_from_specification):
2555
2556         Rebaseline tests that are affected by generator reorderings.
2557
2558         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2559         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2560         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2561         * inspector/scripts/tests/expected/enum-values.json-result:
2562         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2563         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2564         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2565         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2566         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2567         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2568         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2569         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2570         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2571
2572 2016-02-19  Saam Barati  <sbarati@apple.com>
2573
2574         [ES6] Implement Proxy.[[Construct]]
2575         https://bugs.webkit.org/show_bug.cgi?id=154440
2576
2577         Reviewed by Oliver Hunt.
2578
2579         This patch is mostly an implementation of
2580         Proxy.[[Construct]] with respect to section 9.5.13
2581         of the ECMAScript spec.
2582         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-construct-argumentslist-newtarget
2583
2584         This patch also changes op_create_this to accept new.target's
2585         that aren't JSFunctions. This is necessary for implementing Proxy.[[Construct]]
2586         because we might construct a JSFunction with a new.target being
2587         a Proxy. This will also be needed when we implement Reflect.construct.
2588
2589         * dfg/DFGOperations.cpp:
2590         * dfg/DFGSpeculativeJIT32_64.cpp:
2591         (JSC::DFG::SpeculativeJIT::compile):
2592         * dfg/DFGSpeculativeJIT64.cpp:
2593         (JSC::DFG::SpeculativeJIT::compile):
2594         * jit/JITOpcodes.cpp:
2595         (JSC::JIT::emit_op_create_this):
2596         (JSC::JIT::emitSlow_op_create_this):
2597         * jit/JITOpcodes32_64.cpp:
2598         (JSC::JIT::emit_op_create_this):
2599         (JSC::JIT::emitSlow_op_create_this):
2600         * llint/LLIntData.cpp:
2601         (JSC::LLInt::Data::performAssertions):
2602         * llint/LowLevelInterpreter.asm:
2603         * llint/LowLevelInterpreter32_64.asm:
2604         * llint/LowLevelInterpreter64.asm:
2605         * runtime/CommonSlowPaths.cpp:
2606         (JSC::SLOW_PATH_DECL):
2607         * runtime/ProxyObject.cpp:
2608         (JSC::ProxyObject::finishCreation):
2609         (JSC::ProxyObject::visitChildren):
2610         (JSC::performProxyConstruct):
2611         (JSC::ProxyObject::getConstructData):
2612         * runtime/ProxyObject.h:
2613         * tests/es6.yaml:
2614         * tests/stress/proxy-construct.js: Added.
2615         (assert):
2616         (throw.new.Error.let.target):
2617         (throw.new.Error):
2618         (assert.let.target):
2619         (assert.let.handler.get construct):
2620         (let.target):
2621         (let.handler.construct):
2622         (i.catch):
2623         (assert.let.handler.construct):
2624         (assert.let.construct):
2625         (assert.else.assert.let.target):
2626         (assert.else.assert.let.construct):
2627         (assert.else.assert):
2628         (new.proxy.let.target):
2629         (new.proxy.let.construct):
2630         (new.proxy):
2631
2632 2016-02-19  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2633
2634         [INTL] Implement Number Format Functions
2635         https://bugs.webkit.org/show_bug.cgi?id=147605
2636
2637         Reviewed by Darin Adler.
2638
2639         This patch implements Intl.NumberFormat.prototype.format() according
2640         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
2641
2642         * runtime/IntlNumberFormat.cpp:
2643         (JSC::IntlNumberFormat::UNumberFormatDeleter::operator()):
2644         (JSC::IntlNumberFormat::initializeNumberFormat):
2645         (JSC::IntlNumberFormat::createNumberFormat):
2646         (JSC::IntlNumberFormat::formatNumber):
2647         (JSC::IntlNumberFormatFuncFormatNumber): Deleted.
2648         * runtime/IntlNumberFormat.h:
2649         * runtime/IntlNumberFormatPrototype.cpp:
2650         (JSC::IntlNumberFormatFuncFormatNumber):
2651
2652 2016-02-18  Gavin Barraclough  <barraclough@apple.com>
2653
2654         JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
2655         https://bugs.webkit.org/show_bug.cgi?id=154416
2656
2657         Reviewed by Geoff Garen.
2658
2659         Here's the bug. Suppose you call JSObject::getOwnProperty and -
2660           - PropertyName contains an index,
2661           - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
2662           - The base of the access (or another object on the prototype chain) shadows that property.
2663
2664         JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
2665         index, and as such walks up the prototype chain looking for non-index properties before it
2666         tries calling parseIndex.
2667
2668         At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
2669         would potentially return the property) we may have already skipped over non-overriding
2670         objects that contain the property in index storage.
2671
2672         * runtime/JSObject.h:
2673         (JSC::JSObject::getOwnNonIndexPropertySlot):
2674             - renamed from inlineGetOwnPropertySlot to better describe behaviour;
2675               added ASSERT guarding that this method never returns index properties -
2676               if it ever does, this is unsafe for getPropertySlot.
2677         (JSC::JSObject::getOwnPropertySlot):
2678             - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
2679         (JSC::JSObject::getPropertySlot):
2680             - In case of object overriding getOwnPropertySlot check if propertyName is an index.
2681         (JSC::JSObject::getNonIndexPropertySlot):
2682             - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
2683               in order to avoid repeated calls to parseIndex.
2684         (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
2685             - this was renamed to getOwnNonIndexPropertySlot.
2686         (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
2687             - this was folded back in to getPropertySlot.
2688
2689 2016-02-19  Saam Barati  <sbarati@apple.com>
2690
2691         [ES6] Implement Proxy.[[Call]]
2692         https://bugs.webkit.org/show_bug.cgi?id=154425
2693
2694         Reviewed by Mark Lam.
2695
2696         This patch is a straightforward implementation of
2697         Proxy.[[Call]] with respect to section 9.5.12
2698         of the ECMAScript spec.
2699         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-call-thisargument-argumentslist
2700
2701         * runtime/ProxyObject.cpp:
2702         (JSC::ProxyObject::finishCreation):
2703         (JSC::performProxyGet):
2704         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2705         (JSC::ProxyObject::performHasProperty):
2706         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2707         (JSC::performProxyCall):
2708         (JSC::ProxyObject::getCallData):
2709         (JSC::ProxyObject::visitChildren):
2710         * runtime/ProxyObject.h:
2711         (JSC::ProxyObject::create):
2712         * tests/es6.yaml:
2713         * tests/stress/proxy-call.js: Added.
2714         (assert):
2715         (throw.new.Error.let.target):
2716         (throw.new.Error.let.handler.apply):
2717         (throw.new.Error):
2718         (assert.let.target):
2719         (assert.let.handler.get apply):
2720         (let.target):
2721         (let.handler.apply):
2722         (i.catch):
2723         (assert.let.handler.apply):
2724
2725 2016-02-19  Csaba Osztrogonác  <ossy@webkit.org>
2726
2727         Remove more LLVM related dead code after r196729
2728         https://bugs.webkit.org/show_bug.cgi?id=154387
2729
2730         Reviewed by Filip Pizlo.
2731
2732         * Configurations/CompileRuntimeToLLVMIR.xcconfig: Removed.
2733         * Configurations/LLVMForJSC.xcconfig: Removed.
2734         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Removed.
2735         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Removed.
2736         * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Removed.
2737         * JavaScriptCore.xcodeproj/project.pbxproj:
2738         * disassembler/X86Disassembler.cpp:
2739
2740 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2741
2742         Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
2743         https://bugs.webkit.org/show_bug.cgi?id=154442
2744
2745         Reviewed by Saam Barati.
2746
2747         * runtime/JSString.h:
2748         (JSC::isJSString):
2749
2750 2016-02-19  Joseph Pecoraro  <pecoraro@apple.com>
2751
2752         Remove unused SymbolTable::createNameScopeTable
2753         https://bugs.webkit.org/show_bug.cgi?id=154443
2754
2755         Reviewed by Saam Barati.
2756
2757         * runtime/SymbolTable.h:
2758
2759 2016-02-18  Benjamin Poulain  <bpoulain@apple.com>
2760
2761         [JSC] Improve the instruction selection of Select
2762         https://bugs.webkit.org/show_bug.cgi?id=154432
2763
2764         Reviewed by Filip Pizlo.
2765
2766         Plenty of code but this patch is pretty dumb:
2767         -On ARM64: use the 3 operand form of CSEL instead of forcing a source
2768          to be aliased to the destination. This gives more freedom to the register
2769          allocator and it is one less Move to process per Select.
2770         -On x86, introduce a fake 3 operands form and use aggressive aliasing
2771          to try to alias both sources to the destination.
2772
2773          If aliasing succeeds on the "elseCase", the condition of the Select
2774          is reverted in the MacroAssembler.
2775
2776          If no aliasing is possible and we end up with 3 registers, the missing
2777          move instruction is generated by the MacroAssembler.
2778
2779          The missing move is generated after testing the values because the destination
2780          can use the same register as one of the test operands.
2781          Experimental testing seems to indicate there is no macro-fusion on CMOV;
2782          there is no measurable cost to having the move there.
2783
2784         * assembler/MacroAssembler.h:
2785         (JSC::MacroAssembler::isInvertible):
2786         (JSC::MacroAssembler::invert):
2787         * assembler/MacroAssemblerARM64.h:
2788         (JSC::MacroAssemblerARM64::moveConditionallyDouble):
2789         (JSC::MacroAssemblerARM64::moveConditionallyFloat):
2790         (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare):
2791         (JSC::MacroAssemblerARM64::moveConditionally32):
2792         (JSC::MacroAssemblerARM64::moveConditionally64):
2793         (JSC::MacroAssemblerARM64::moveConditionallyTest32):
2794         (JSC::MacroAssemblerARM64::moveConditionallyTest64):
2795         * assembler/MacroAssemblerX86Common.h:
2796         (JSC::MacroAssemblerX86Common::moveConditionallyDouble):
2797         (JSC::MacroAssemblerX86Common::moveConditionallyFloat):
2798         (JSC::MacroAssemblerX86Common::moveConditionally32):
2799         (JSC::MacroAssemblerX86Common::moveConditionallyTest32):
2800         (JSC::MacroAssemblerX86Common::invert):
2801         (JSC::MacroAssemblerX86Common::isInvertible):
2802         * assembler/MacroAssemblerX86_64.h:
2803         (JSC::MacroAssemblerX86_64::moveConditionally64):
2804         (JSC::MacroAssemblerX86_64::moveConditionallyTest64):
2805         * b3/B3LowerToAir.cpp:
2806         (JSC::B3::Air::LowerToAir::createSelect):
2807         (JSC::B3::Air::LowerToAir::lower):
2808         * b3/air/AirInstInlines.h:
2809         (JSC::B3::Air::Inst::shouldTryAliasingDef):
2810         * b3/air/AirOpcode.opcodes:
2811
2812 2016-02-18  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2813
2814         [CMake][GTK] Clean up llvm guard in PlatformGTK.cmake
2815         https://bugs.webkit.org/show_bug.cgi?id=154430
2816
2817         Reviewed by Saam Barati.
2818
2819         llvm isn't used anymore.
2820
2821         * PlatformGTK.cmake: Remove USE_LLVM_DISASSEMBLER guard.
2822
2823 2016-02-18  Saam Barati  <sbarati@apple.com>
2824
2825         Implement Proxy.[[HasProperty]]
2826         https://bugs.webkit.org/show_bug.cgi?id=154313
2827
2828         Reviewed by Filip Pizlo.
2829
2830         This patch is a straightforward implementation of
2831         Proxy.[[HasProperty]] with respect to section 9.5.7
2832         of the ECMAScript spec.
2833         https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-hasproperty-p
2834
2835         * runtime/ProxyObject.cpp:
2836         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2837         (JSC::ProxyObject::performHasProperty):
2838         (JSC::ProxyObject::getOwnPropertySlotCommon):
2839         * runtime/ProxyObject.h:
2840         * tests/es6.yaml:
2841         * tests/stress/proxy-basic.js:
2842         (assert):
2843         (let.handler.has):
2844         * tests/stress/proxy-has-property.js: Added.
2845         (assert):
2846         (throw.new.Error.let.handler.get has):
2847         (throw.new.Error):
2848         (assert.let.handler.has):
2849         (let.handler.has):
2850         (getOwnPropertyDescriptor):
2851         (i.catch):
2852
2853 2016-02-18  Saam Barati  <sbarati@apple.com>
2854
2855         Proxies don't properly handle Symbols as PropertyKeys.
2856         https://bugs.webkit.org/show_bug.cgi?id=154385
2857
2858         Reviewed by Mark Lam and Yusuke Suzuki.
2859
2860         We were converting all PropertyKeys to strings, even when
2861         the PropertyName was a Symbol. In the spec, PropertyKeys are
2862         either a Symbol or a String. We now respect that in Proxy.[[Get]] and
2863         Proxy.[[GetOwnProperty]].
2864
2865         * runtime/Completion.cpp:
2866         (JSC::profiledEvaluate):
2867         (JSC::createSymbolForEntryPointModule):
2868         (JSC::identifierToJSValue): Deleted.
2869         * runtime/Identifier.h:
2870         (JSC::parseIndex):
2871         * runtime/IdentifierInlines.h:
2872         (JSC::Identifier::fromString):
2873         (JSC::identifierToJSValue):
2874         (JSC::identifierToSafePublicJSValue):
2875         * runtime/ProxyObject.cpp:
2876         (JSC::performProxyGet):
2877         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2878         * tests/es6.yaml:
2879         * tests/stress/proxy-basic.js:
2880         (let.handler.getOwnPropertyDescriptor):
2881
2882 2016-02-18  Saam Barati  <sbarati@apple.com>
2883
2884         Follow up fix to Implement Proxy.[[GetOwnProperty]]
2885         https://bugs.webkit.org/show_bug.cgi?id=154314
2886
2887         Reviewed by Filip Pizlo.
2888
2889         Part of the implementation was broken because
2890         of how JSObject::getOwnPropertyDescriptor worked.
2891         I've fixed JSObject::getOwnPropertyDescriptor to
2892         be able to handle ProxyObject.
2893
2894         * runtime/JSObject.cpp:
2895         (JSC::JSObject::getOwnPropertyDescriptor):
2896         * runtime/ProxyObject.cpp:
2897         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2898         * tests/stress/proxy-get-own-property.js:
2899         (assert):
2900         (assert.let.handler.get getOwnPropertyDescriptor):
2901
2902 2016-02-18  Saam Barati  <sbarati@apple.com>
2903
2904         Implement Proxy.[[GetOwnProperty]]
2905         https://bugs.webkit.org/show_bug.cgi?id=154314
2906
2907         Reviewed by Filip Pizlo.
2908
2909         This patch implements Proxy.[[GetOwnProperty]].
2910         It's a straightforward implementation as described
2911         in section 9.5.5 of the specification:
2912         http://www.ecma-international.org/ecma-262/6.0/index.html#sec-proxy-object-internal-methods-and-internal-slots-getownproperty-p
2913
2914         * runtime/FunctionPrototype.cpp:
2915         (JSC::functionProtoFuncBind):
2916         * runtime/JSObject.cpp:
2917         (JSC::validateAndApplyPropertyDescriptor):
2918         (JSC::JSObject::defineOwnNonIndexProperty):
2919         (JSC::JSObject::defineOwnProperty):
2920         (JSC::JSObject::getGenericPropertyNames):
2921         (JSC::JSObject::getMethod):
2922         * runtime/JSObject.h:
2923         (JSC::JSObject::butterflyAddress):
2924         (JSC::makeIdentifier):
2925         * runtime/ProxyObject.cpp:
2926         (JSC::performProxyGet):
2927         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2928         (JSC::ProxyObject::getOwnPropertySlotCommon):
2929         (JSC::ProxyObject::getOwnPropertySlot):
2930         (JSC::ProxyObject::getOwnPropertySlotByIndex):
2931         (JSC::ProxyObject::visitChildren):
2932         * runtime/ProxyObject.h:
2933         * tests/es6.yaml:
2934         * tests/stress/proxy-basic.js:
2935         (let.handler.get null):
2936         * tests/stress/proxy-get-own-property.js: Added.
2937         (assert):
2938         (throw.new.Error.let.handler.getOwnPropertyDescriptor):
2939         (throw.new.Error):
2940         (let.handler.getOwnPropertyDescriptor):
2941         (i.catch):
2942         (assert.let.handler.getOwnPropertyDescriptor):
2943
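The Proxy entries above (Proxy.[[Construct]], Proxy.[[Call]], Proxy.[[HasProperty]], Proxy.[[GetOwnProperty]] and Symbol-keyed property keys) implement behaviour that is observable from script. The following is an added example, not JavaScriptCore code, that exercises each of those internal methods with standard ES6 Proxy traps; `Base`, the helper names and the sample keys are constructed for the example.

```javascript
// Added example, not JavaScriptCore code: exercises the Proxy internal methods the
// ChangeLog entries above implement ([[Call]], [[Construct]], [[HasProperty]],
// [[GetOwnProperty]] and Symbol-keyed [[Get]]) using only standard ES6 behaviour.

// [[Call]] (spec 9.5.12): calling the proxy runs the `apply` trap with
// (target, thisArgument, argumentsList).
function makeLoggedFunction(target) {
  const calls = [];
  const proxy = new Proxy(target, {
    apply(t, thisArg, args) {
      calls.push({ thisArg, args: args.slice() });
      return Reflect.apply(t, thisArg, args);
    },
  });
  return { proxy, calls };
}

// Constructed sample constructor used by the [[Construct]] cases below.
class Base {
  constructor(x) { this.x = x; }
}

// [[Construct]] (spec 9.5.13): `new proxy(...)` runs the `construct` trap with
// (target, argumentsList, newTarget). A trap result that is not an Object is a TypeError.
function constructThrough(target, args, returnNonObject = false) {
  const proxy = new Proxy(target, {
    construct(t, a, newTarget) {
      if (returnNonObject) return 1; // violates the spec invariant on purpose
      return Reflect.construct(t, a, newTarget);
    },
  });
  return new proxy(...args);
}

// new.target that is itself a Proxy: the constructed object's prototype is read
// from newTarget.prototype, so the proxy's `get` trap observes the key "prototype".
function constructWithProxyNewTarget(x) {
  const keysRead = [];
  const proxiedBase = new Proxy(Base, {
    get(t, key, receiver) {
      keysRead.push(key);
      return Reflect.get(t, key, receiver);
    },
  });
  // No construct trap: Base's [[Construct]] runs with new.target = proxiedBase.
  const obj = new proxiedBase(x);
  return { obj, keysRead };
}

// [[HasProperty]] (spec 9.5.7): `has` intercepts `in`, but may not report a
// non-configurable own property of the target as absent; that case is a TypeError.
function hideKeys(target, hidden) {
  return new Proxy(target, {
    has(t, key) { return !hidden.includes(key) && Reflect.has(t, key); },
  });
}

// Symbol keys: the `get` and `getOwnPropertyDescriptor` traps receive the Symbol
// itself (typeof "symbol"), not a stringified key.
function keyTypesSeen() {
  const seen = [];
  const sym = Symbol('s');
  const target = { [sym]: 1, str: 2 };
  const p = new Proxy(target, {
    get(t, key, r) { seen.push(typeof key); return Reflect.get(t, key, r); },
    getOwnPropertyDescriptor(t, key) {
      seen.push(typeof key);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
  p[sym];
  p.str;
  Object.getOwnPropertyDescriptor(p, sym);
  return seen; // ["symbol", "string", "symbol"]
}
```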
2944 2016-02-18  Andreas Kling  <akling@apple.com>
2945
2946         JSString resolution of substrings should use StringImpl sharing optimization.
2947         <https://webkit.org/b/154068>
2948         <rdar://problem/24629358>
2949
2950         Reviewed by Antti Koivisto.
2951
2952         When resolving a JSString that's actually a substring of another JSString,
2953         use the StringImpl sharing optimization to create a new string pointing into
2954         the parent one, instead of copying out the bytes of the string.
2955
2956         This dramatically reduces peak memory usage on Gerrit diff viewer pages.
2957
2958         Another approach to this would be to induce GC far more frequently due to
2959         the added cost of copying out these substrings. It would reduce the risk
2960         of prolonging the life of strings only kept alive by substrings.
2961
2962         This patch chooses to trade that risk for less GC and lower peak memory.
2963
2964         * runtime/JSString.cpp:
2965         (JSC::JSRopeString::resolveRope):
2966
2967 2016-02-18  Chris Dumez  <cdumez@apple.com>
2968
2969         Crash on SES selftest page when loading the page while WebInspector is open
2970         https://bugs.webkit.org/show_bug.cgi?id=154378
2971         <rdar://problem/24713422>
2972
2973         Reviewed by Mark Lam.
2974
2975         Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
2976         returns early again if it detects that getOwnPropertySlot() returns a
2977         non-own property. This check was removed in r196676 because we assumed that
2978         only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
2979         However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
2980         well.
2981
2982         Not having the check would lead to crashes when using the debugger because
2983         we would get a slot with the CustomAccessor attribute but getDirect() would
2984         then fail to return the property (because it is not an own property). We
2985         would then cast the value returned by getDirect() to a CustomGetterSetter*
2986         and dereference it.
2987
2988         * runtime/JSObject.cpp:
2989         (JSC::JSObject::getOwnPropertyDescriptor):
2990
2991 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
2992
2993         Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
2994         for that.
2995
2996         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2997         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2998
2999 2016-02-18  Filip Pizlo  <fpizlo@apple.com>
3000
3001         Unreviewed, fix CMake build. This got messed up when rebasing.
3002
3003         * CMakeLists.txt:
3004
3005 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
3006
3007         Fix the !ENABLE(DFG_JIT) build after r195865
3008         https://bugs.webkit.org/show_bug.cgi?id=154391
3009
3010         Reviewed by Filip Pizlo.
3011
3012         * runtime/SamplingProfiler.cpp:
3013         (JSC::tryGetBytecodeIndex):
3014
3015 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3016
3017         Remove remaining references to LLVM, and make sure comments refer to the backend as "B3" not "LLVM"
3018         https://bugs.webkit.org/show_bug.cgi?id=154383
3019
3020         Reviewed by Saam Barati.
3021
3022         I did a grep -i llvm of all of our code and did one of the following for each occurrence:
3023
3024         - Renamed it to B3. This is appropriate when we were using "LLVM" to mean "the FTL
3025           backend".
3026
3027         - Removed the reference because I found it to be dead. In some cases it was a dead
3028           comment: it was telling us things about what LLVM did and that's just not relevant
3029           anymore. In other cases it was dead code that I forgot to delete in a previous patch.
3030
3031         - Edited the comment in some smart way. There were comments talking about what LLVM did
3032           that were still of interest. In some cases, I added a FIXME to consider changing the
3033           code below the comment on the grounds that it was written in a weird way to placate
3034           LLVM and so we can do it better now.
3035
3036         * CMakeLists.txt:
3037         * JavaScriptCore.xcodeproj/project.pbxproj:
3038         * dfg/DFGArgumentsEliminationPhase.cpp:
3039         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
3040         * dfg/DFGPlan.cpp:
3041         (JSC::DFG::Plan::compileInThread):
3042         (JSC::DFG::Plan::compileInThreadImpl):
3043         (JSC::DFG::Plan::compileTimeStats):
3044         * dfg/DFGPutStackSinkingPhase.cpp:
3045         * dfg/DFGSSAConversionPhase.h:
3046         * dfg/DFGStaticExecutionCountEstimationPhase.h:
3047         * dfg/DFGUnificationPhase.cpp:
3048         (JSC::DFG::UnificationPhase::run):
3049         * disassembler/ARM64Disassembler.cpp:
3050         (JSC::tryToDisassemble): Deleted.
3051         * disassembler/X86Disassembler.cpp:
3052         (JSC::tryToDisassemble):
3053         * ftl/FTLAbstractHeap.cpp:
3054         (JSC::FTL::IndexedAbstractHeap::initialize):
3055         * ftl/FTLAbstractHeap.h:
3056         * ftl/FTLFormattedValue.h:
3057         * ftl/FTLJITFinalizer.cpp:
3058         (JSC::FTL::JITFinalizer::finalizeFunction):
3059         * ftl/FTLLink.cpp:
3060         (JSC::FTL::link):
3061         * ftl/FTLLocation.cpp:
3062         (JSC::FTL::Location::restoreInto):
3063         * ftl/FTLLowerDFGToB3.cpp: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp.
3064         (JSC::FTL::DFG::ftlUnreachable):
3065         (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
3066         (JSC::FTL::DFG::LowerDFGToB3::compileBlock):
3067         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
3068         (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset):
3069         (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance):
3070         (JSC::FTL::DFG::LowerDFGToB3::isBoolean):
3071         (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean):
3072         (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
3073         (JSC::FTL::lowerDFGToB3):
3074         (JSC::FTL::DFG::LowerDFGToLLVM::LowerDFGToLLVM): Deleted.
3075         (JSC::FTL::DFG::LowerDFGToLLVM::compileBlock): Deleted.
3076         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate): Deleted.
3077         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset): Deleted.
3078         (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance): Deleted.
3079         (JSC::FTL::DFG::LowerDFGToLLVM::isBoolean): Deleted.
3080         (JSC::FTL::DFG::LowerDFGToLLVM::unboxBoolean): Deleted.
3081         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier): Deleted.
3082         (JSC::FTL::lowerDFGToLLVM): Deleted.
3083         * ftl/FTLLowerDFGToB3.h: Copied from Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.h.
3084         * ftl/FTLLowerDFGToLLVM.cpp: Removed.
3085         * ftl/FTLLowerDFGToLLVM.h: Removed.
3086         * ftl/FTLOSRExitCompiler.cpp:
3087         (JSC::FTL::compileStub):
3088         * ftl/FTLWeight.h:
3089         (JSC::FTL::Weight::frequencyClass):
3090         (JSC::FTL::Weight::inverse):
3091         (JSC::FTL::Weight::scaleToTotal): Deleted.
3092         * ftl/FTLWeightedTarget.h:
3093         (JSC::FTL::rarely):
3094         (JSC::FTL::unsure):
3095         * jit/CallFrameShuffler64.cpp:
3096         (JSC::CallFrameShuffler::emitDisplace):
3097         * jit/RegisterSet.cpp:
3098         (JSC::RegisterSet::ftlCalleeSaveRegisters):
3099         * llvm: Removed.
3100         * llvm/InitializeLLVMLinux.cpp: Removed.
3101         * llvm/InitializeLLVMWin.cpp: Removed.
3102         * llvm/library: Removed.
3103         * llvm/library/LLVMTrapCallback.h: Removed.
3104         * llvm/library/libllvmForJSC.version: Removed.
3105         * runtime/Options.cpp:
3106         (JSC::recomputeDependentOptions):
3107         (JSC::Options::initialize):
3108         * runtime/Options.h:
3109         * wasm/WASMFunctionB3IRGenerator.h: Copied from Source/JavaScriptCore/wasm/WASMFunctionLLVMIRGenerator.h.
3110         * wasm/WASMFunctionLLVMIRGenerator.h: Removed.
3111         * wasm/WASMFunctionParser.cpp:
3112
3113 2016-02-18  Csaba Osztrogonác  <ossy@webkit.org>
3114
3115         [cmake] Build system cleanup
3116         https://bugs.webkit.org/show_bug.cgi?id=154337
3117
3118         Reviewed by Žan Doberšek.
3119
3120         * CMakeLists.txt:
3121
3122 2016-02-17  Mark Lam  <mark.lam@apple.com>
3123
3124         Callers of JSString::value() should check for exceptions thereafter.
3125         https://bugs.webkit.org/show_bug.cgi?id=154346
3126
3127         Reviewed by Geoffrey Garen.
3128
3129         JSString::value() can throw an exception if the JS string is a rope and value() 
3130         needs to resolve the rope but encounters an OutOfMemory error.  If value() is not
3131         able to resolve the rope, it will return a null string (in addition to throwing
3132         the exception).  If a caller does not check for exceptions after calling
3133         JSString::value(), they may eventually use the returned null string and crash the
3134         VM.
3135
3136         The fix is to add all the necessary exception checks, and do the appropriate
3137         handling if needed.
3138
3139         * jsc.cpp:
3140         (functionRun):
3141         (functionLoad):
3142         (functionReadFile):
3143         (functionCheckSyntax):
3144         (functionLoadWebAssembly):
3145         (functionLoadModule):
3146         (functionCheckModuleSyntax):
3147         * runtime/DateConstructor.cpp:
3148         (JSC::dateParse):
3149         (JSC::dateNow):
3150         * runtime/JSGlobalObjectFunctions.cpp:
3151         (JSC::globalFuncEval):
3152         * tools/JSDollarVMPrototype.cpp:
3153         (JSC::functionPrint):
3154
3155 2016-02-17  Benjamin Poulain  <bpoulain@apple.com>
3156
3157         [JSC] ARM64: Support the immediate format used for bit operations in Air
3158         https://bugs.webkit.org/show_bug.cgi?id=154327
3159
3160         Reviewed by Filip Pizlo.
3161
3162         ARM64 supports a pretty rich form of immediates for bit operations.
3163         There are two formats used to encode repeating patterns and common
3164         input in a dense form.
3165
3166         In this patch, I add 2 new types of Arg: BitImm32 and BitImm64.
3167         Those represent the valid immediate forms for bit operations.
3168         On x86, any 32-bit value is valid. On ARM64, all the encoding
3169         forms are tried and the immediate is used when possible.
3170
3171         The arg type Imm64 is renamed to BigImm to better represent what
3172         it is: an immediate that does not fit into Imm.
3173
3174         * assembler/ARM64Assembler.h:
3175         (JSC::LogicalImmediate::create32): Deleted.
3176         (JSC::LogicalImmediate::create64): Deleted.
3177         (JSC::LogicalImmediate::value): Deleted.
3178         (JSC::LogicalImmediate::isValid): Deleted.
3179         (JSC::LogicalImmediate::is64bit): Deleted.
3180         (JSC::LogicalImmediate::LogicalImmediate): Deleted.
3181         (JSC::LogicalImmediate::mask): Deleted.
3182         (JSC::LogicalImmediate::partialHSB): Deleted.
3183         (JSC::LogicalImmediate::highestSetBit): Deleted.
3184         (JSC::LogicalImmediate::findBitRange): Deleted.
3185         (JSC::LogicalImmediate::encodeLogicalImmediate): Deleted.
3186         * assembler/AssemblerCommon.h:
3187         (JSC::ARM64LogicalImmediate::create32):
3188         (JSC::ARM64LogicalImmediate::create64):
3189         (JSC::ARM64LogicalImmediate::value):
3190         (JSC::ARM64LogicalImmediate::isValid):
3191         (JSC::ARM64LogicalImmediate::is64bit):
3192         (JSC::ARM64LogicalImmediate::ARM64LogicalImmediate):
3193         (JSC::ARM64LogicalImmediate::mask):
3194         (JSC::ARM64LogicalImmediate::partialHSB):
3195         (JSC::ARM64LogicalImmediate::highestSetBit):
3196         (JSC::ARM64LogicalImmediate::findBitRange):
3197         (JSC::ARM64LogicalImmediate::encodeLogicalImmediate):
3198         * assembler/MacroAssemblerARM64.h:
3199         (JSC::MacroAssemblerARM64::and64):
3200         (JSC::MacroAssemblerARM64::or64):
3201         (JSC::MacroAssemblerARM64::xor64):
3202         * b3/B3LowerToAir.cpp:
3203         (JSC::B3::Air::LowerToAir::bitImm):
3204         (JSC::B3::Air::LowerToAir::bitImm64):
3205         (JSC::B3::Air::LowerToAir::appendBinOp):
3206         * b3/air/AirArg.cpp:
3207         (JSC::B3::Air::Arg::dump):
3208         (WTF::printInternal):
3209         * b3/air/AirArg.h:
3210         (JSC::B3::Air::Arg::bitImm):
3211         (JSC::B3::Air::Arg::bitImm64):
3212         (JSC::B3::Air::Arg::isBitImm):
3213         (JSC::B3::Air::Arg::isBitImm64):
3214         (JSC::B3::Air::Arg::isSomeImm):
3215         (JSC::B3::Air::Arg::value):
3216         (JSC::B3::Air::Arg::isGP):
3217         (JSC::B3::Air::Arg::isFP):
3218         (JSC::B3::Air::Arg::hasType):
3219         (JSC::B3::Air::Arg::isValidBitImmForm):
3220         (JSC::B3::Air::Arg::isValidBitImm64Form):
3221         (JSC::B3::Air::Arg::isValidForm):
3222         (JSC::B3::Air::Arg::asTrustedImm32):
3223         (JSC::B3::Air::Arg::asTrustedImm64):
3224         * b3/air/AirOpcode.opcodes:
3225         * b3/air/opcode_generator.rb:
3226
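The entry above relies on the ARM64 rule for which values can be a bit-operation immediate: the value must be a repetition of a 2, 4, 8, 16, 32 or 64-bit element, and each element must be a rotated run of contiguous ones (all-zero and all-one values are not encodable). The following is an added example, not JavaScriptCore code, that checks that rule for a given value and operation width; function names are constructed for the example.

```javascript
// Added example, not JavaScriptCore code: decides whether a value is encodable as an
// ARM64 logical immediate (the operand form for AND/ORR/EOR described above).
// Rule: the value is a repetition of an element of 2..64 bits, and the element is a
// single cyclic run of ones. All-zero and all-one values are excluded.

// Number of set bits in a non-negative BigInt.
function popcount(x) {
  let n = 0;
  while (x) { x &= x - 1n; n++; }
  return n;
}

// Rotate the low `size` bits of `x` right by one position.
function rotr1(x, size) {
  const mask = (1n << BigInt(size)) - 1n;
  x &= mask;
  return ((x >> 1n) | (x << BigInt(size - 1))) & mask;
}

// Do the low `size` bits of `elem` form exactly one cyclic run of ones?
function isRotatedOnesRun(elem, size) {
  const mask = (1n << BigInt(size)) - 1n;
  elem &= mask;
  if (elem === 0n || elem === mask) return false;
  // A cyclic bit string with exactly one run of ones has exactly two 0/1 transitions.
  return popcount(elem ^ rotr1(elem, size)) === 2;
}

// Returns the element size (2..64) that encodes `value` for an operation of
// `width` bits (32 or 64), or 0 when the value is not a valid logical immediate.
function logicalImmediateElementSize(value, width) {
  const v = BigInt.asUintN(width, BigInt(value));
  // The smallest period that reproduces the value is the only candidate element:
  // a larger element built from a repeated smaller one would contain several runs.
  for (const size of [2, 4, 8, 16, 32, 64]) {
    if (size > width) break;
    const mask = (1n << BigInt(size)) - 1n;
    const elem = v & mask;
    let replicated = 0n;
    for (let i = 0; i < width; i += size) replicated |= elem << BigInt(i);
    if (replicated !== v) continue; // not a pure repetition at this element size
    return isRotatedOnesRun(elem, size) ? size : 0;
  }
  return 0;
}
```

Values such as `0x5555555555555555n` (2-bit element `01`) and `0x8000000000000001n` (a 64-bit run that wraps around) are encodable, while `0x1234n` or a 32-bit `0x0F0Fn` are not.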
3227 2016-02-17  Keith Miller  <keith_miller@apple.com>
3228
3229         Spread operator should be allowed when not the first argument of parameter list
3230         https://bugs.webkit.org/show_bug.cgi?id=152721
3231
3232         Reviewed by Saam Barati.
3233
3234         Spread arguments to functions should now be ES6 compliant. Before we
3235         would only take a spread operator if it was the sole argument to a
3236         function. Additionally, we would not use the Symbol.iterator on the
3237         object to generate the arguments. Instead we would do a loop up to the
3238         length mapping indexed properties to the corresponding argument. We fix
3239         both these issues by doing an AST transformation from foo(...a, b, ...c, d)
3240         to foo(...[...a, b, ...c, d]) (where the spread on the rhs uses the
3241         old spread semantics). This solution has the downside of requiring the
3242         allocation of another object and copying each element twice but avoids a
3243         large change to the vm calling convention.
3244
3245         * interpreter/Interpreter.cpp:
3246         (JSC::loadVarargs):
3247         * parser/ASTBuilder.h:
3248         (JSC::ASTBuilder::createElementList):
3249         * parser/Parser.cpp:
3250         (JSC::Parser<LexerType>::parseArguments):
3251         (JSC::Parser<LexerType>::parseArgument):
3252         (JSC::Parser<LexerType>::parseMemberExpression):
3253         * parser/Parser.h:
3254         * parser/SyntaxChecker.h:
3255         (JSC::SyntaxChecker::createElementList):
3256         * tests/es6.yaml:
3257         * tests/stress/spread-calling.js: Added.
3258         (testFunction):
3259         (testEmpty):
3260         (makeObject):
3261         (otherIterator.return.next):
3262         (otherIterator):
3263         (totalIter):
3264         (throwingIter.return.next):
3265         (throwingIter):
3266         (i.catch):
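
        The two argument-expansion semantics contrasted in the entry above, and the
        foo(...a, b, ...c, d) -> foo(...[...a, b, ...c, d]) rewrite, as an added
        JavaScript example. This is not WebKit code and does not touch the parser;
        it models the rewrite as a runtime helper (callWithSpreadList, a hypothetical
        name) so the observable difference can be exercised. The array-like object
        `tricky` and the throwing iterator are constructed for the example. Note that
        under the ES6 semantics the callee's argument list is built by running
        user-supplied iterator code, so that code can throw (or do anything else)
        before the callee is ever entered; the last helper checks that case.

```javascript
// Added example, not JavaScriptCore code.

// Pre-patch semantics as described above: walk indices 0..length-1 and ignore
// Symbol.iterator entirely.
function legacySpreadArgs(obj) {
  const out = [];
  const len = obj.length >>> 0; // ToUint32, as array-likes are treated
  for (let i = 0; i < len; i++) out.push(obj[i]);
  return out;
}

// ES6 semantics: drive the object's Symbol.iterator protocol.
function es6SpreadArgs(obj) {
  const out = [];
  for (const v of obj) out.push(v); // throws TypeError if obj is not iterable
  return out;
}

// The rewrite foo(...a, b, ...c, d) => foo(...[...a, b, ...c, d]) modelled at
// runtime. `parts` is the argument list as [{spread, value}, ...]. The inner
// array is built with ES6 iteration; the outer spread is over an Array we just
// built ourselves, so the old length-indexed walk is correct for it.
function callWithSpreadList(fn, thisArg, parts) {
  const flat = [];
  for (const p of parts) {
    if (p.spread) {
      for (const v of es6SpreadArgs(p.value)) flat.push(v);
    } else {
      flat.push(p.value);
    }
  }
  return fn.apply(thisArg, legacySpreadArgs(flat));
}

// Constructed sample: an array-like whose iterator disagrees with its indices,
// so the two semantics produce visibly different argument lists.
const tricky = {
  length: 2,
  0: "idx0",
  1: "idx1",
  [Symbol.iterator]: function* () {
    yield "iter0";
    yield "iter1";
    yield "iter2";
  },
};

function collect(...args) {
  return args;
}

// foo(...tricky, "b", ...[1, 2], "d") under the rewrite.
function spreadMixedArgs() {
  return callWithSpreadList(collect, null, [
    { spread: true, value: tricky },
    { spread: false, value: "b" },
    { spread: true, value: [1, 2] },
    { spread: false, value: "d" },
  ]);
}

// A throwing iterator (cf. throwingIter in the new stress test) must abort the
// call before the callee runs; the exception propagates to the caller.
function throwingIteratorAbortsBeforeCall() {
  let fnCalled = false;
  const throwing = {
    [Symbol.iterator]() {
      return { next() { throw new Error("boom"); } };
    },
  };
  try {
    callWithSpreadList(() => { fnCalled = true; }, null, [{ spread: true, value: throwing }]);
  } catch (e) {
    return e.message === "boom" && !fnCalled;
  }
  return false;
}
```

        For a plain Array both helpers agree, which is why the old behaviour went
        unnoticed for the common case; the difference only shows up for objects that
        define their own Symbol.iterator, or for array-likes with no iterator at all
        (legacySpreadArgs accepts them, es6SpreadArgs rejects them).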
3267
3268 2016-02-17  Brian Burg  <bburg@apple.com>
3269
3270         Remove a wrong cast in RemoteInspector::receivedSetupMessage
3271         https://bugs.webkit.org/show_bug.cgi?id=154361
3272         <rdar://problem/24709281>
3273
3274         Reviewed by Joseph Pecoraro.
3275
3276         * inspector/remote/RemoteInspector.mm:
3277         (Inspector::RemoteInspector::receivedSetupMessage):
3278         Not only is this cast unnecessary (the constructor accepts the base class),
3279         but it is wrong since the target could be an automation target. Remove it.
3280
3281 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3282
3283         Rename FTLB3Blah to FTLBlah
3284         https://bugs.webkit.org/show_bug.cgi?id=154365
3285
3286         Rubber stamped by Geoffrey Garen, Benjamin Poulain, Awesome Kling, and Saam Barati.
3287
3288         * CMakeLists.txt:
3289         * JavaScriptCore.xcodeproj/project.pbxproj:
3290         * ftl/FTLB3Compile.cpp: Removed.
3291         * ftl/FTLB3Output.cpp: Removed.
3292         * ftl/FTLB3Output.h: Removed.
3293         * ftl/FTLCompile.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Compile.cpp.
3294         * ftl/FTLOutput.cpp: Copied from Source/JavaScriptCore/ftl/FTLB3Output.cpp.
3295         * ftl/FTLOutput.h: Copied from Source/JavaScriptCore/ftl/FTLB3Output.h.
3296
3297 2016-02-17  Filip Pizlo  <fpizlo@apple.com>
3298
3299         Remove LLVM dependencies from WebKit
3300         https://bugs.webkit.org/show_bug.cgi?id=154323
3301
3302         Reviewed by Antti Koivisto and Benjamin Poulain.
3303
3304         We have switched all ports that use the FTL JIT to using B3 as the backend. This renders all
3305         LLVM-related code dead, including the disassembler, which was only reachable when you were on
3306         a platform that already had an in-tree disassembler.
3307
3308         * CMakeLists.txt:
3309         * JavaScriptCore.xcodeproj/project.pbxproj:
3310         * dfg/DFGCommon.h:
3311         * dfg/DFGPlan.cpp:
3312         (JSC::DFG::Plan::compileInThread):
3313         (JSC::DFG::Plan::compileInThreadImpl):
3314         (JSC::DFG::Plan::compileTimeStats):
3315         * disassembler/ARM64Disassembler.cpp:
3316         (JSC::tryToDisassemble):
3317         * disassembler/ARMv7Disassembler.cpp:
3318         (JSC::tryToDisassemble):
3319         * disassembler/Disassembler.cpp:
3320         (JSC::disassemble):
3321         (JSC::disassembleAsynchronously):
3322         * disassembler/Disassembler.h:
3323         (JSC::tryToDisassemble):
3324         * disassembler/LLVMDisassembler.cpp: Removed.
3325         * disassembler/LLVMDisassembler.h: Removed.
3326         * disassembler/UDis86Disassembler.cpp:
3327         (JSC::tryToDisassembleWithUDis86):
3328         * disassembler/UDis86Disassembler.h:
3329         (JSC::tryToDisassembleWithUDis86):
3330         * disassembler/X86Disassembler.cpp:
3331         (JSC::tryToDisassemble):
3332         * ftl/FTLAbbreviatedTypes.h:
3333         * ftl/FTLAbbreviations.h: Removed.
3334         * ftl/FTLAbstractHeap.cpp:
3335         (JSC::FTL::AbstractHeap::decorateInstruction):
3336         (JSC::FTL::AbstractHeap::dump):
3337         (JSC::FTL::AbstractField::dump):
3338         (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
3339         (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
3340         (JSC::FTL::IndexedAbstractHeap::baseIndex):
3341         (JSC::FTL::IndexedAbstractHeap::dump):
3342         (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
3343         (JSC::FTL::NumberedAbstractHeap::dump):
3344         (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
3345         (JSC::FTL::AbstractHeap::tbaaMetadataSlow): Deleted.
3346         * ftl/FTLAbstractHeap.h:
3347         (JSC::FTL::AbstractHeap::AbstractHeap):
3348         (JSC::FTL::AbstractHeap::heapName):
3349         (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
3350         (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
3351         (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
3352         (JSC::FTL::AbstractHeap::tbaaMetadata): Deleted.
3353         * ftl/FTLAbstractHeapRepository.cpp:
3354         (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
3355         * ftl/FTLAbstractHeapRepository.h:
3356         * ftl/FTLB3Compile.cpp:
3357         * ftl/FTLB3Output.cpp:
3358         (JSC::FTL::Output::Output):