Air needs a late register liveness phase that calls Special::reportUsedRegisters()
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-10-31  Filip Pizlo  <fpizlo@apple.com>

        Air needs a late register liveness phase that calls Special::reportUsedRegisters()
        https://bugs.webkit.org/show_bug.cgi?id=150511

        Reviewed by Saam Barati.

        This change adds such a phase. In the process of writing it, I was reminded about the
        glaring efficiency bugs in Air::Liveness and so I filed a bug and added FIXMEs.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::generate):
        * b3/air/AirReportUsedRegisters.cpp: Added.
        (JSC::B3::Air::reportUsedRegisters):
        * b3/air/AirReportUsedRegisters.h: Added.

2015-10-31  Brian Burg  <bburg@apple.com>

        Builtins generator should put WebCore-only wrappers in the per-builtin header
        https://bugs.webkit.org/show_bug.cgi?id=150539

        Reviewed by Youenn Fablet.

        If generating for WebCore, put the XXXWrapper and related boilerplate
        in the per-builtin header instead of making a separate XXXWrapper.h.

        Rebaseline the tests.

        * CMakeLists.txt:
        * DerivedSources.make:
        * Scripts/builtins/builtins.py:
        * Scripts/builtins/builtins_generate_separate_header.py:
        (BuiltinsSeparateHeaderGenerator.generate_output):
        (generate_header_includes):
        * Scripts/builtins/builtins_generate_separate_wrapper.py: Deleted.
        * Scripts/builtins/builtins_templates.py: Be consistent with variables.
        * Scripts/generate-js-builtins.py:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:

2015-10-31  Saam Barati  <sbarati@apple.com>

        JSC should have a forceGCSlowPaths option
        https://bugs.webkit.org/show_bug.cgi?id=150744

        Reviewed by Filip Pizlo.

        This patch implements the forceGCSlowPaths option.
        It defaults to false, but when it is set to true,
        the JITs will always allocate objects along the slow
        path. This will be helpful for writing a certain class
        of tests. This may also come in handy for debugging
        later.

        This patch also adds the "forceGCSlowPaths" function
        in jsc.cpp which sets the option to true. If you
        use this function in a jsc stress test, it's best
        to call it as the first thing in the program before
        we JIT anything.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
        * jit/JITInlines.h:
        (JSC::JIT::emitAllocateJSObject):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionEdenGC):
        (functionForceGCSlowPaths):
        (functionHeapSize):
        * runtime/Options.h:

2015-10-30  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Test Debugger.scriptParsed events received after opening inspector frontend
        https://bugs.webkit.org/show_bug.cgi?id=150753

        Reviewed by Timothy Hatcher.

        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        Only set the directives on the SourceProvider if we were parsing the
        entire file (Program or Module), not if we are in function parsing mode.
        This was inadvertently clearing the directives stored on the
        SourceProvider when the function parse didn't see directives and reset
        the values on the source provider.

2015-10-30  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add lowering for B3's Sub operation with integers
        https://bugs.webkit.org/show_bug.cgi?id=150749

        Reviewed by Filip Pizlo.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::trySub):
        (JSC::B3::Air::LowerToAir::tryStoreSubLoad):
        * b3/B3LoweringMatcher.patterns:
        Identical to Add but obviously NotCommutative.

        * b3/B3ReduceStrength.cpp:
        Turn Add/Sub with zero into an identity. I only added it for
        Add since Sub with a constant is always turned into an Add.

        Also switched the Sub optimizations to put the strongest first.

        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testAddArgImm):
        (JSC::B3::testAddImmArg):
        (JSC::B3::testSubArgs):
        (JSC::B3::testSubArgImm):
        (JSC::B3::testSubImmArg):
        (JSC::B3::testSubArgs32):
        (JSC::B3::testSubArgImm32):
        (JSC::B3::testSubImmArg32):
        (JSC::B3::testStoreSubLoad):
        (JSC::B3::run):

2015-10-30  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add the Air Opcode definitions to the Xcode project file
        https://bugs.webkit.org/show_bug.cgi?id=150701

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Easier for those who use Xcode :)

2015-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, removing FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=150540.

        * b3/B3ValueRep.h:

2015-10-30  Michael Saboff  <msaboff@apple.com>

        Windows X86-64 change for Crash making a tail call from a getter to a host function
        https://bugs.webkit.org/show_bug.cgi?id=150737

        Reviewed by Geoffrey Garen.

        Need to make the same change for Windows X86-64 as was made in change set
        http://trac.webkit.org/changeset/191765.

        * jit/JITStubsMSVC64.asm:

2015-10-30  Keith Miller  <keith_miller@apple.com>

        Unreviewed, forgot to mark tests as passing for new feature.

        * tests/es6.yaml:

2015-10-30  Filip Pizlo  <fpizlo@apple.com>

        B3 should be able to compile a control flow diamond
        https://bugs.webkit.org/show_bug.cgi?id=150720

        Reviewed by Benjamin Poulain.

        Adds support for Branch, Jump, Upsilon, and Phi. Adds some basic strength reduction for
        comparisons and boolean-like operations.

        * assembler/MacroAssembler.cpp:
        (WTF::printInternal):
        * assembler/MacroAssembler.h:
        * b3/B3BasicBlockUtils.h:
        (JSC::B3::replacePredecessor):
        (JSC::B3::resetReachability):
        * b3/B3CheckValue.h:
        * b3/B3Common.h:
        (JSC::B3::isRepresentableAsImpl):
        (JSC::B3::isRepresentableAs):
        * b3/B3Const32Value.cpp:
        (JSC::B3::Const32Value::subConstant):
        (JSC::B3::Const32Value::equalConstant):
        (JSC::B3::Const32Value::notEqualConstant):
        (JSC::B3::Const32Value::dumpMeta):
        * b3/B3Const32Value.h:
        * b3/B3Const64Value.cpp:
        (JSC::B3::Const64Value::subConstant):
        (JSC::B3::Const64Value::equalConstant):
        (JSC::B3::Const64Value::notEqualConstant):
        (JSC::B3::Const64Value::dumpMeta):
        * b3/B3Const64Value.h:
        * b3/B3ConstDoubleValue.cpp:
        (JSC::B3::ConstDoubleValue::subConstant):
        (JSC::B3::ConstDoubleValue::equalConstant):
        (JSC::B3::ConstDoubleValue::notEqualConstant):
        (JSC::B3::ConstDoubleValue::dumpMeta):
        * b3/B3ConstDoubleValue.h:
        * b3/B3ControlValue.cpp:
        (JSC::B3::ControlValue::~ControlValue):
        (JSC::B3::ControlValue::convertToJump):
        (JSC::B3::ControlValue::dumpMeta):
        * b3/B3ControlValue.h:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::imm):
        (JSC::B3::Air::LowerToAir::tryStackSlot):
        (JSC::B3::Air::LowerToAir::tryUpsilon):
        (JSC::B3::Air::LowerToAir::tryPhi):
        (JSC::B3::Air::LowerToAir::tryBranch):
        (JSC::B3::Air::LowerToAir::tryJump):
        (JSC::B3::Air::LowerToAir::tryIdentity):
        * b3/B3LoweringMatcher.patterns:
        * b3/B3Opcode.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::resetReachability):
        (JSC::B3::Procedure::dump):
        * b3/B3ReduceStrength.cpp:
        * b3/B3UpsilonValue.cpp:
        (JSC::B3::UpsilonValue::dumpMeta):
        * b3/B3UpsilonValue.h:
        (JSC::B3::UpsilonValue::accepts): Deleted.
        (JSC::B3::UpsilonValue::phi): Deleted.
        (JSC::B3::UpsilonValue::UpsilonValue): Deleted.
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::subConstant):
        (JSC::B3::Value::equalConstant):
        (JSC::B3::Value::notEqualConstant):
        (JSC::B3::Value::returnsBool):
        (JSC::B3::Value::asTriState):
        (JSC::B3::Value::effects):
        * b3/B3Value.h:
        * b3/B3ValueInlines.h:
        (JSC::B3::Value::asInt32):
        (JSC::B3::Value::isInt32):
        (JSC::B3::Value::hasInt64):
        (JSC::B3::Value::asInt64):
        (JSC::B3::Value::isInt64):
        (JSC::B3::Value::hasInt):
        (JSC::B3::Value::asIntPtr):
        (JSC::B3::Value::isIntPtr):
        (JSC::B3::Value::hasDouble):
        (JSC::B3::Value::asDouble):
        (JSC::B3::Value::isEqualToDouble):
        (JSC::B3::Value::hasNumber):
        (JSC::B3::Value::representableAs):
        (JSC::B3::Value::asNumber):
        (JSC::B3::Value::stackmap):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::dump):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::resCond):
        (JSC::B3::Air::Arg::doubleCond):
        (JSC::B3::Air::Arg::special):
        (JSC::B3::Air::Arg::isResCond):
        (JSC::B3::Air::Arg::isDoubleCond):
        (JSC::B3::Air::Arg::isSpecial):
        (JSC::B3::Air::Arg::isGP):
        (JSC::B3::Air::Arg::isFP):
        (JSC::B3::Air::Arg::asResultCondition):
        (JSC::B3::Air::Arg::asDoubleCondition):
        (JSC::B3::Air::Arg::Arg):
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::resetReachability):
        (JSC::B3::Air::Code::dump):
        * b3/air/AirOpcode.opcodes:
        * b3/air/opcode_generator.rb:
        * b3/testb3.cpp:
        (hiddenTruthBecauseNoReturnIsStupid):
        (usage):
        (JSC::B3::compile):
        (JSC::B3::invoke):
        (JSC::B3::compileAndRun):
        (JSC::B3::test42):
        (JSC::B3::testStoreLoadStackSlot):
        (JSC::B3::testBranch):
        (JSC::B3::testDiamond):
        (JSC::B3::testBranchNotEqual):
        (JSC::B3::testBranchFold):
        (JSC::B3::testDiamondFold):
        (JSC::B3::run):
        (run):
        (main):

2015-10-30  Keith Miller  <keith_miller@apple.com>

        [ES6] Add support for toStringTag
        https://bugs.webkit.org/show_bug.cgi?id=150696

        Reviewed by Geoffrey Garen.

        This patch adds support for Symbol.toStringTag. This is a simple
        feature: if an object passed to Object.prototype.toString() has a
        toStringTag we use the tag in the string rather than the class info.
        Added a test that checks this works for all the default supported classes
        along with the corresponding prototype and custom cases.

        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/CommonIdentifiers.h:
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        * runtime/JSDataViewPrototype.h:
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::finishCreation):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::finishCreation):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewProtoGetterFuncToStringTag):
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::visitStrongReferences):
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::objectStringStart):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):
        * tests/modules/namespace.js:
        * tests/stress/symbol-tostringtag.js: Added.
        (toStr):
        (strName):
        (classes.string_appeared_here):

2015-10-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Do not show JavaScriptCore builtins in inspector
        https://bugs.webkit.org/show_bug.cgi?id=146049

        Reviewed by Geoffrey Garen.

        * debugger/Debugger.cpp:
        When gathering scripts to notify the inspector / debuggers about,
        skip over sources containing host / built-in functions, as those
        won't contain source code developers expect to see.

2015-10-29  Joseph Pecoraro  <pecoraro@apple.com>

        Fix typo in "use strict" in TypedArray builtins
        https://bugs.webkit.org/show_bug.cgi?id=150709

        Reviewed by Geoffrey Garen.

        * builtins/TypedArray.prototype.js:
        (toLocaleString):

2015-10-29  Philippe Normand  <pnormand@igalia.com>

        [GTK][Mac] disable OBJC JSC API
        https://bugs.webkit.org/show_bug.cgi?id=150500

        Reviewed by Alex Christensen.

        * API/JSBase.h: Disable the Objective-C API on Mac for the GTK port.

2015-10-29  Filip Pizlo  <fpizlo@apple.com>

        Air::handleCalleeSaves shouldn't save/restore the frame pointer
        https://bugs.webkit.org/show_bug.cgi?id=150688

        Reviewed by Michael Saboff.

        We save/restore the FP inside Air::generate().

        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):

2015-10-29  Michael Saboff  <msaboff@apple.com>

        Crash making a tail call from a getter to a host function
        https://bugs.webkit.org/show_bug.cgi?id=150663

        Reviewed by Geoffrey Garen.

        Change the inline assembly versions of getHostCallReturnValue() to pass the location of the callee
        call frame to getHostCallReturnValueWithExecState().  We were passing the caller's frame address.

        * jit/JITOperations.cpp:

2015-10-29  Filip Pizlo  <fpizlo@apple.com>

        B3::LowerToAir::imm() should work for both 32-bit and 64-bit immediates
        https://bugs.webkit.org/show_bug.cgi?id=150685

        Reviewed by Geoffrey Garen.

        In B3, a constant must match the type of its use. In Air, immediates don't have type, they
        only have representation. A 32-bit immediate (i.e. Arg::imm) can be used either for 32-bit
        operations or for 64-bit operations. The only difference from an Arg::imm64 is that it
        requires fewer bits.

        In the B3->Air lowering, we have a lot of code that is effectively polymorphic over integer
        type. That code should still be able to use Arg::imm, and it should work even for 64-bit
        immediates - so long as they are representable as 32-bit immediates. Therefore, the imm()
        helper should happily accept either Const32Value or Const64Value.

        We already sort of had this with immAnyType(), but it just turns out that anyone using
        immAnyType() should really be using imm().

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::imm):
        (JSC::B3::Air::LowerToAir::tryStore):
        (JSC::B3::Air::LowerToAir::tryConst64):
        (JSC::B3::Air::LowerToAir::immAnyInt): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testAdd1):
        (JSC::B3::testAdd1Ptr):
        (JSC::B3::testStoreAddLoad):
        (JSC::B3::run):

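The representability test the entry above relies on, written here as an added illustration rather than taken from JavaScriptCore: Const32Value, Const64Value, Imm and the imm() overloads are stand-ins modelled loosely on the names in the entry, and the helper names are assumptions. The point worth seeing is the sign-extension edge a 64-bit operation imposes on a 32-bit immediate: -1 fits in an imm32, 0xffffffff does not, although both have the same low 32 bits.

```cpp
#include <cstdint>
#include <limits>

// Added example, not JavaScriptCore's code. Models the question an imm() helper has to answer:
// can this constant be encoded as a 32-bit immediate? A 32-bit immediate consumed by a 64-bit
// operation is sign-extended by the hardware, so a 64-bit constant qualifies only when it lies
// within the signed 32-bit range. All names below are illustrative.
template<typename Narrow, typename Wide>
bool isRepresentableAs(Wide value)
{
    using Limits = std::numeric_limits<Narrow>;
    return value >= static_cast<Wide>(Limits::min()) && value <= static_cast<Wide>(Limits::max());
}

// What a 64-bit instruction does with the 32 bits of an immediate: sign-extension, not zero-extension.
int64_t signExtend32To64(uint32_t bits)
{
    return static_cast<int64_t>(static_cast<int32_t>(bits));
}

// True when squeezing `value` into an imm32 and letting the hardware widen it again would yield
// a different number, i.e. when using Arg::imm would silently change the constant.
bool truncationWouldChangeValue(int64_t value)
{
    return signExtend32To64(static_cast<uint32_t>(value)) != value;
}

// Hypothetical stand-ins for the two B3 constant kinds the entry names.
struct Const32Value { int32_t value; };
struct Const64Value { int64_t value; };

// Result of imm(): a usable 32-bit immediate, or "no immediate form" (ok == false).
struct Imm {
    bool ok;
    int32_t value;
};

// A Const32Value always fits: an imm32 is exactly its width.
Imm imm(const Const32Value& c)
{
    return { true, c.value };
}

// A Const64Value fits only when the round trip through imm32 reproduces it; otherwise the caller
// must materialise the constant through a 64-bit form (Arg::imm64 in Air's terms).
Imm imm(const Const64Value& c)
{
    if (!isRepresentableAs<int32_t>(c.value))
        return { false, 0 };
    return { true, static_cast<int32_t>(c.value) };
}
```

The two predicates agree by construction: every int64_t that isRepresentableAs<int32_t>() accepts survives truncationWouldChangeValue() unchanged, and every value it rejects (0xffffffff, 1 << 40) would come back different after sign-extension.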
2015-10-29  Filip Pizlo  <fpizlo@apple.com>

        StoreOpLoad pattern matching should check effects between the Store and Load
        https://bugs.webkit.org/show_bug.cgi?id=150534

        Reviewed by Geoffrey Garen.

        If we turn:

            a = Load(addr)
            b = Add(a, 42)
            Store(b, addr)

        Into:

            Add $42, (addr)

        Then we must make sure that we didn't really have this to begin with:

            a = Load(addr)
            Store(666, addr)
            b = Add(a, 42)
            Store(b, addr)

        That's because pattern matching doesn't care about control flow, and it finds the Load
        just using data flow. This patch fleshes out B3's aliasing analysis, and makes it powerful
        enough to broadly ask questions about whether such a code motion of the Load is legal.

        * b3/B3Effects.cpp:
        (JSC::B3::Effects::interferes):
        (JSC::B3::Effects::dump):
        * b3/B3Effects.h:
        (JSC::B3::Effects::mustExecute):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::commitInternal):
        (JSC::B3::Air::LowerToAir::crossesInterference):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::loadAddr):
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addBlock):
        (JSC::B3::Procedure::resetValueOwners):
        (JSC::B3::Procedure::resetReachability):
        * b3/B3Procedure.h:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        * b3/B3Value.h:
        * b3/testb3.cpp:
        (JSC::B3::testStoreAddLoad):
        (JSC::B3::testStoreAddLoadInterference):
        (JSC::B3::testStoreAddAndLoad):
        (JSC::B3::testLoadOffsetUsingAdd):
        (JSC::B3::testLoadOffsetUsingAddInterference):
        (JSC::B3::testLoadOffsetUsingAddNotConstant):
        (JSC::B3::run):

2015-10-29  Brady Eidson  <beidson@apple.com>

        Modern IDB: deleteObjectStore support.
        https://bugs.webkit.org/show_bug.cgi?id=150673

        Reviewed by Alex Christensen.

        * runtime/VM.h:

2015-10-29  Mark Lam  <mark.lam@apple.com>

        cdjs-tests.yaml/main.js.ftl fails due to FTL ArithSub code for supporting UntypedUse operands.
        https://bugs.webkit.org/show_bug.cgi?id=150687

        Unreviewed.

        Disabling the feature while it is being debugged.  I'm doing this by effectively
        rolling out only the changes in FTLCapabilities.cpp.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):

2015-10-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix iOS build.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store64):

2015-10-29  Alex Christensen  <achristensen@webkit.org>

        Fix Mac CMake build
        https://bugs.webkit.org/show_bug.cgi?id=150686

        Reviewed by Filip Pizlo.

        * API/ObjCCallbackFunction.mm:
        * CMakeLists.txt:
        * PlatformMac.cmake:

2015-10-29  Filip Pizlo  <fpizlo@apple.com>

        Air needs syntax for escaping StackSlots
        https://bugs.webkit.org/show_bug.cgi?id=150430

        Reviewed by Geoffrey Garen.

        This adds lowering for FramePointer and StackSlot, and to enable this, it adds the Lea
        instruction for getting the value of an address. This is necessary to support arbitrary
        lowerings of StackSlot, since the only way to get the "value" of a StackSlot in Air is with
        this new instruction.

        Lea uses a new Role, called UseAddr. This describes exactly what the Intel-style LEA opcode
        would do: it evaluates an address, but does not load from it or store to it.

        Lea is also the only way to escape a StackSlot. Well, more accurately, UseAddr is the only
        way to escape and UseAddr is only used by Lea. The stack allocation phase now understands
        that StackSlots may escape, and factors this into its analysis.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::lea):
        * b3/B3AddressMatcher.patterns:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::addr):
        (JSC::B3::Air::LowerToAir::loadAddr):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryFramePointer):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryStackSlot):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect):
        (JSC::B3::Air::LowerToAir::tryConst64):
        (JSC::B3::Air::LowerToAir::tryFramePointer):
        (JSC::B3::Air::LowerToAir::tryStackSlot):
        (JSC::B3::Air::LowerToAir::tryIdentity):
        * b3/B3LoweringMatcher.patterns:
        * b3/B3MemoryValue.cpp:
        (JSC::B3::MemoryValue::~MemoryValue):
        (JSC::B3::MemoryValue::accessByteSize):
        (JSC::B3::MemoryValue::dumpMeta):
        * b3/B3MemoryValue.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3StackSlotValue.h:
        (JSC::B3::StackSlotValue::accepts): Deleted.
        * b3/B3Type.h:
        (JSC::B3::pointerType):
        (JSC::B3::sizeofType):
        * b3/B3Validate.cpp:
        * b3/B3Value.h:
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isUse):
        (JSC::B3::Air::Arg::isDef):
        (JSC::B3::Air::Arg::forEachTmp):
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::addStackSlot):
        (JSC::B3::Air::Code::addSpecial):
        * b3/air/AirCode.h:
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirStackSlot.h:
        (JSC::B3::Air::StackSlot::byteSize):
        (JSC::B3::Air::StackSlot::kind):
        (JSC::B3::Air::StackSlot::isLocked):
        (JSC::B3::Air::StackSlot::index):
        (JSC::B3::Air::StackSlot::alignment):
        * b3/air/opcode_generator.rb:
        * b3/testb3.cpp:
        (JSC::B3::testLoadOffsetUsingAddNotConstant):
        (JSC::B3::testFramePointer):
        (JSC::B3::testStackSlot):
        (JSC::B3::testLoadFromFramePointer):
        (JSC::B3::testStoreLoadStackSlot):
        (JSC::B3::run):

2015-10-29  Saam Barati  <sbarati@apple.com>

        we're incorrectly adjusting a stack location with respect to the localsOffset in FTLCompile
        https://bugs.webkit.org/show_bug.cgi?id=150655

        Reviewed by Filip Pizlo.

        We're recomputing this value for an *OSRExitDescriptor* for every one
        of its corresponding *OSRExits*. This is having a multiplicative
        effect on offsets because each computation is relative to the previous
        value. We must do this computation just once per OSRExitDescriptor.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):

2015-10-28  Filip Pizlo  <fpizlo@apple.com>

        Air::spillEverything() should try to replace tmps with spill slots without using registers whenever possible
        https://bugs.webkit.org/show_bug.cgi?id=150657

        Reviewed by Geoffrey Garen.

        Also added the ability to store an immediate to memory.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::storePtr):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store64):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store64):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::imm):
        (JSC::B3::Air::LowerToAir::immAnyInt):
        (JSC::B3::Air::LowerToAir::immOrTmp):
        (JSC::B3::Air::LowerToAir::tryStore):
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/testb3.cpp:
        (JSC::B3::testStore):
        (JSC::B3::testStoreConstant):
        (JSC::B3::testStoreConstantPtr):
        (JSC::B3::testTrunc):
        (JSC::B3::run):

2015-10-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Rename InspectorResourceAgent to InspectorNetworkAgent
        https://bugs.webkit.org/show_bug.cgi?id=150654

        Reviewed by Geoffrey Garen.

        * inspector/scripts/codegen/generator.py:

2015-10-28  Filip Pizlo  <fpizlo@apple.com>

        B3::reduceStrength() should do DCE
        https://bugs.webkit.org/show_bug.cgi?id=150656

        Reviewed by Saam Barati.

        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::removeNops): This now deletes the values from the procedure, to preserve the invariant that valuesInProc == valuesInBlocks.
        * b3/B3BasicBlock.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::deleteValue): Add a utility used by removeNops().
        (JSC::B3::Procedure::addValueIndex): Make sure that we reuse Value indices so that m_values doesn't get too sparse.
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::ValuesCollection::iterator::iterator): Teach this that m_values can be slightly sparse.
        (JSC::B3::Procedure::ValuesCollection::iterator::operator++):
        (JSC::B3::Procedure::ValuesCollection::iterator::operator!=):
        (JSC::B3::Procedure::ValuesCollection::iterator::findNext):
        (JSC::B3::Procedure::values):
        * b3/B3ProcedureInlines.h:
        (JSC::B3::Procedure::add): Use addValueIndex() instead of always creating a new index.
        * b3/B3ReduceStrength.cpp: Implement the optimization using UseCounts and Effects.

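An added sketch, not B3's code, of the index bookkeeping the entry above describes: a vector of owning pointers indexed by Value::index, a free list that lets add() recycle the indices deleteValue() releases (so m_values stays dense), and an iterator whose findNext() steps over the null holes a deletion leaves. The member names follow the entry where it gives them; the free list, slotCount() and the Outcome struct are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Added example, not B3's code. Each Value owns an index into m_values; deleteValue() leaves a null
// hole and pushes the index on a free list; add() takes a freed index before growing the vector;
// the iterator skips holes so callers never observe a null entry. Names are illustrative.
struct Value {
    explicit Value(unsigned index) : index(index) { }
    unsigned index;
};

class Procedure {
public:
    Value* add()
    {
        unsigned index = addValueIndex();
        m_values[index] = std::make_unique<Value>(index);
        return m_values[index].get();
    }

    // What a removeNops() pass would call per dropped value. Any raw Value* the caller still holds
    // for this value is dangling after the call.
    void deleteValue(Value* value)
    {
        unsigned index = value->index;
        m_values[index] = nullptr;
        m_valueIndexFreeList.push_back(index);
    }

    class iterator {
    public:
        iterator(const Procedure& proc, unsigned index) : m_proc(proc), m_index(index) { findNext(); }
        Value* operator*() const { return m_proc.m_values[m_index].get(); }
        iterator& operator++() { ++m_index; findNext(); return *this; }
        bool operator!=(const iterator& other) const { return m_index != other.m_index; }
    private:
        // Holes are null: advance until a live slot or the end.
        void findNext()
        {
            while (m_index < m_proc.m_values.size() && !m_proc.m_values[m_index])
                ++m_index;
        }
        const Procedure& m_proc;
        unsigned m_index;
    };
    iterator begin() const { return iterator(*this, 0); }
    iterator end() const { return iterator(*this, static_cast<unsigned>(m_values.size())); }

    size_t slotCount() const { return m_values.size(); } // live slots plus holes

private:
    unsigned addValueIndex()
    {
        if (!m_valueIndexFreeList.empty()) {
            unsigned index = m_valueIndexFreeList.back();
            m_valueIndexFreeList.pop_back();
            return index;
        }
        m_values.emplace_back();
        return static_cast<unsigned>(m_values.size() - 1);
    }

    std::vector<std::unique_ptr<Value>> m_values;
    std::vector<unsigned> m_valueIndexFreeList;
};

size_t liveValueCount(const Procedure& proc)
{
    size_t count = 0;
    for (Value* value : proc) {
        (void)value;
        ++count;
    }
    return count;
}

// Constructed scenario: add three values, delete the middle one, add a fourth.
struct Outcome {
    size_t liveAfterDelete; // 2: iteration skips the hole at index 1
    unsigned reusedIndex;   // 1: the fourth value takes the freed slot rather than a new index 3
    size_t slots;           // 3: the vector did not grow
};

Outcome runScenario()
{
    Procedure proc;
    proc.add();
    Value* middle = proc.add();
    proc.add();
    proc.deleteValue(middle); // `middle` is dangling from here on
    Outcome outcome;
    outcome.liveAfterDelete = liveValueCount(proc);
    outcome.reusedIndex = proc.add()->index;
    outcome.slots = proc.slotCount();
    return outcome;
}
```

The reuse is what keeps the "values in procedure == values in blocks" invariant cheap to maintain: deletion is O(1), no index ever points past the vector, and the only cost is that iteration has to tolerate holes, which findNext() pays for.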
2015-10-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused / duplicate WebSocket timeline records
        https://bugs.webkit.org/show_bug.cgi?id=150647

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Timeline.json:

2015-10-28  Filip Pizlo  <fpizlo@apple.com>

        B3::LowerToAir should not duplicate Loads
        https://bugs.webkit.org/show_bug.cgi?id=150651

        Reviewed by Benjamin Poulain.

        The instruction selector may decide to fuse two Values into one. This ordinarily only happens
        if we haven't already emitted code that uses the Value and the Value has only one direct
        user. Once we have emitted such code, we ensure that everyone knows that we have "locked" the
        Value: we won't emit any more code for it in the future.

        The optimization to fuse Loads was forgetting to do all of these things, and so generated
        code would have a lot of duplicated Loads. That's bad and this change fixes that.

        Ordinarily, this is far less tricky because the pattern matcher does this for us via
        acceptInternals() and acceptInternalsLate(). I added a comment to this effect. I hope that we
        won't need to do this manually very often.

        Also found an uninitialized value bug in UseCounts. That was making all of this super hard to
        debug.

        * b3/B3IndexMap.h:
        (JSC::B3::IndexMap::IndexMap):
        (JSC::B3::IndexMap::resize):
        (JSC::B3::IndexMap::operator[]):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::tmp):
        (JSC::B3::Air::LowerToAir::canBeInternal):
        (JSC::B3::Air::LowerToAir::commitInternal):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::loadAddr):
        (JSC::B3::Air::LowerToAir::appendBinOp):
        (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
        (JSC::B3::Air::LowerToAir::acceptInternals):
        * b3/B3UseCounts.cpp:
        (JSC::B3::UseCounts::UseCounts):

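This entry and the StoreOpLoad entry of 2015-10-29 above both describe preconditions on fusing a Load into the instruction that consumes it. The toy instruction selector below was written for this page and is not B3's code; it shows both rules: canBeInternal()/commitInternal() model the single-user-and-not-yet-locked check whose absence produced the duplicated Loads, and crossesInterference() models the effects check that rejects the Load / Store(666) / Add / Store sequence from the earlier entry. The IR, the opcode set, the zero-initialised use counts and the Air-like text it returns are all constructed for the example.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Added example, not B3's code. A toy single-block SSA IR with enough structure to show the two
// checks an instruction selector must make before fusing a Load into its consumer: the Load and
// the Add must each have exactly one user and not already be "locked" (code emitted for them),
// and nothing between the Load and the fused instruction may write memory.
enum class Opcode { Const, Load, Store, Add };

struct Value {
    Opcode opcode;
    std::vector<unsigned> children; // operand indices: Load{addr}, Store{value, addr}, Add{lhs, rhs}
    int64_t constant;               // payload for Const
    bool writesMemory() const { return opcode == Opcode::Store; }
};

struct Procedure {
    std::vector<Value> values; // program order

    unsigned add(Opcode opcode, std::vector<unsigned> children, int64_t constant = 0)
    {
        values.push_back({ opcode, std::move(children), constant });
        return static_cast<unsigned>(values.size() - 1);
    }
};

class Selector {
public:
    explicit Selector(const Procedure& proc)
        : m_proc(proc)
        , m_useCounts(proc.values.size(), 0) // explicitly zeroed; the entry's UseCounts bug was an uninitialised count
        , m_locked(proc.values.size(), false)
    {
        for (const Value& value : proc.values) {
            for (unsigned child : value.children)
                m_useCounts[child]++;
        }
    }

    // Fusable only if we are the sole user and no code has been emitted for the value yet.
    bool canBeInternal(unsigned index) const { return m_useCounts[index] == 1 && !m_locked[index]; }
    void commitInternal(unsigned index) { m_locked[index] = true; }

    // Any memory write strictly between `from` and `to` makes moving the Load down to `to` illegal.
    bool crossesInterference(unsigned from, unsigned to) const
    {
        for (unsigned i = from + 1; i < to; ++i) {
            if (m_proc.values[i].writesMemory())
                return true;
        }
        return false;
    }

    // Tries to turn Store(Add(Load(addr), Const), addr) into one read-modify-write "Add $imm, (addr)".
    // Returns the Air-like text of the fused instruction, or "" when the fusion is not legal here.
    std::string tryStoreAddLoad(unsigned storeIndex)
    {
        const std::vector<Value>& values = m_proc.values;
        const Value& store = values[storeIndex];
        if (store.opcode != Opcode::Store)
            return "";
        unsigned addIndex = store.children[0];
        unsigned addrIndex = store.children[1];
        const Value& add = values[addIndex];
        if (add.opcode != Opcode::Add || !canBeInternal(addIndex))
            return "";
        unsigned loadIndex = add.children[0];
        unsigned immIndex = add.children[1];
        if (values[loadIndex].opcode != Opcode::Load) // try the commuted form once
            std::swap(loadIndex, immIndex);
        if (values[loadIndex].opcode != Opcode::Load || values[immIndex].opcode != Opcode::Const)
            return "";
        if (values[loadIndex].children[0] != addrIndex) // must read and write the same address
            return "";
        if (!canBeInternal(loadIndex)) // another user, or already emitted: fusing would duplicate the Load
            return "";
        if (crossesInterference(loadIndex, storeIndex)) // an intervening Store may have changed memory
            return "";
        commitInternal(loadIndex);
        commitInternal(addIndex);
        return "Add $" + std::to_string(values[immIndex].constant) + ", (v" + std::to_string(addrIndex) + ")";
    }

private:
    const Procedure& m_proc;
    std::vector<unsigned> m_useCounts;
    std::vector<bool> m_locked;
};

// Constructed input. With `clobber`, a Store(666, addr) sits between the Load and the final Store:
// the sequence the StoreOpLoad entry says must not be fused.
Procedure buildStoreAddLoad(bool clobber, unsigned& storeIndex)
{
    Procedure proc;
    unsigned addr = proc.add(Opcode::Const, {}, 0x1000);
    unsigned a = proc.add(Opcode::Load, { addr });
    if (clobber)
        proc.add(Opcode::Store, { proc.add(Opcode::Const, {}, 666), addr });
    unsigned b = proc.add(Opcode::Add, { a, proc.add(Opcode::Const, {}, 42) });
    storeIndex = proc.add(Opcode::Store, { b, addr });
    return proc;
}

std::string fuseStoreAddLoad(bool clobber)
{
    unsigned store;
    Procedure proc = buildStoreAddLoad(clobber, store);
    return Selector(proc).tryStoreAddLoad(store); // "Add $42, (v0)" without the clobber, "" with it
}

// The lock is what stops the duplicated-Load bug: a second attempt on the same Store emits nothing.
bool fusesOnlyOnce()
{
    unsigned store;
    Procedure proc = buildStoreAddLoad(false, store);
    Selector selector(proc);
    return !selector.tryStoreAddLoad(store).empty() && selector.tryStoreAddLoad(store).empty();
}
```

The interference walk is deliberately coarse (any Store in between blocks the fusion); B3's Effects model, as the earlier entry says, asks the finer question of whether the two accesses can alias, but the shape of the check is the same.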
2015-10-28  Mark Lam  <mark.lam@apple.com>

        JITSubGenerator::generateFastPath() does not need to be inlined.
        https://bugs.webkit.org/show_bug.cgi?id=150645

        Reviewed by Geoffrey Garen.

        Moving it to a .cpp file to reduce code size.  Benchmarks show this to be
        perf neutral.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCompile.cpp:
        * jit/JITSubGenerator.cpp: Added.
        (JSC::JITSubGenerator::generateFastPath):
        * jit/JITSubGenerator.h:
        (JSC::JITSubGenerator::JITSubGenerator):
        (JSC::JITSubGenerator::endJumpList):
        (JSC::JITSubGenerator::slowPathJumpList):
        (JSC::JITSubGenerator::generateFastPath): Deleted.

751 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
752
753         [B3] handleCommutativity should canonicalize commutative operations over non-constants
754         https://bugs.webkit.org/show_bug.cgi?id=150649
755
756         Reviewed by Saam Barati.
757
758         Turn this: Add(value1, value2)
759         Into this: Add(value2, value1)
760
761         But only if value2 should come before value1 according to our total ordering. This will allow
762         CSE to observe the equality between commuted versions of the same operation, since we will
763         first canonicalize them into the same order.
764
765         * b3/B3ReduceStrength.cpp:
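
        The following is an added illustration of the canonicalize-then-CSE idea described in this
        entry; it is example code written for this page, not WebKit's B3ReduceStrength.cpp. It uses a
        toy Value/Procedure model and an assumed total ordering (creation index) in place of B3's
        own; the names demo::Value, demo::Procedure, canonicalizeCommutative and
        canonicalizeAndCSE are hypothetical. It shows that after sorting the operands of commutative
        ops, a plain structural-hash CSE merges Add(a, b) with Add(b, a), merges a Mul that nests
        the two commuted Adds, and still keeps Sub(a, b) and Sub(b, a) apart.

```cpp
// Added example, not WebKit code: sort the operands of commutative operations by
// a total order, then let a simple structural CSE match the commuted duplicates.
#include <cstdint>
#include <map>
#include <memory>
#include <tuple>
#include <utility>
#include <vector>

namespace demo {

enum class Opcode { Arg, Const, Add, Mul, Sub };

struct Value {
    unsigned index = 0;        // creation order; also serves as the total ordering
    Opcode opcode = Opcode::Arg;
    int64_t constant = 0;      // payload for Const
    Value* child0 = nullptr;
    Value* child1 = nullptr;
};

inline bool isCommutative(Opcode op) { return op == Opcode::Add || op == Opcode::Mul; }

// Assumed total ordering (not B3's): the value created earlier comes first. Any strict
// total order works as long as every commutative op is sorted by the same one.
inline bool shouldComeBefore(const Value* a, const Value* b) { return a->index < b->index; }

// Analogue of handleCommutativity: Op(v1, v2) -> Op(v2, v1) iff v2 should come first.
// Returns true when the operands were swapped.
inline bool canonicalizeCommutative(Value* v) {
    if (!isCommutative(v->opcode) || !shouldComeBefore(v->child1, v->child0))
        return false;
    std::swap(v->child0, v->child1);
    return true;
}

class Procedure {
public:
    Value* add(Opcode op, Value* c0 = nullptr, Value* c1 = nullptr, int64_t k = 0) {
        auto v = std::make_unique<Value>();
        v->index = static_cast<unsigned>(m_values.size());
        v->opcode = op; v->child0 = c0; v->child1 = c1; v->constant = k;
        m_values.push_back(std::move(v));
        return m_values.back().get();
    }

    // Canonicalize every commutative op, then run one forward pass of structural CSE.
    // Returns, for each value, the earliest value it is equivalent to (itself if none).
    std::map<const Value*, const Value*> canonicalizeAndCSE() {
        using Key = std::tuple<Opcode, unsigned, unsigned, int64_t>;
        std::map<Key, const Value*> seen;
        std::map<const Value*, const Value*> rep;
        // Look through already-merged children so nested duplicates merge as well.
        auto repIndex = [&rep](const Value* c) -> unsigned {
            if (!c) return UINT32_MAX;
            auto it = rep.find(c);
            return it == rep.end() ? c->index : it->second->index;
        };
        for (auto& owned : m_values) {
            Value* v = owned.get();
            canonicalizeCommutative(v);
            // Distinct arguments are distinct values; never merge them.
            if (v->opcode == Opcode::Arg) { rep[v] = v; continue; }
            Key key{v->opcode, repIndex(v->child0), repIndex(v->child1), v->constant};
            auto it = seen.find(key);
            if (it == seen.end()) { seen.emplace(key, v); rep[v] = v; }
            else rep[v] = it->second;
        }
        return rep;
    }

private:
    std::vector<std::unique_ptr<Value>> m_values;
};

struct CSEResult { bool commutedAddsMerged; bool subsKeptDistinct; bool nestedMerged; };

// Builds the scenario from the ChangeLog entry (constructed input) and reports what
// the pass merged: Add(a,b)/Add(b,a) should merge, Sub(a,b)/Sub(b,a) must not, and
// Mul(Add(a,b), a) / Mul(a, Add(b,a)) should merge through the canonicalized Adds.
inline CSEResult runCommutativityDemo() {
    Procedure proc;
    Value* a = proc.add(Opcode::Arg);
    Value* b = proc.add(Opcode::Arg);
    Value* add1 = proc.add(Opcode::Add, a, b);
    Value* add2 = proc.add(Opcode::Add, b, a);
    Value* sub1 = proc.add(Opcode::Sub, a, b);
    Value* sub2 = proc.add(Opcode::Sub, b, a);
    Value* mul1 = proc.add(Opcode::Mul, add1, a);
    Value* mul2 = proc.add(Opcode::Mul, a, add2);
    auto rep = proc.canonicalizeAndCSE();
    return { rep[add2] == add1, rep[sub2] != sub1, rep[mul2] == mul1 };
}

} // namespace demo
```

        The point of sorting before hashing is that CSE never has to try both operand orders:
        once every commutative op is in canonical order, equality is a plain structural lookup,
        and non-commutative ops such as Sub are untouched and so stay distinct.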
766
767 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
768
769         Unreviewed, fix the build for case sensitive file systems.
770
771         * b3/air/AirBasicBlock.h:
772         * b3/air/AirStackSlot.h:
773
774 2015-10-28  Filip Pizlo  <fpizlo@apple.com>
775
776         Create a super rough prototype of B3
777         https://bugs.webkit.org/show_bug.cgi?id=150280
778
779         Reviewed by Benjamin Poulain.
780
781         This changeset adds the basic scaffolding of the B3 compiler. B3 stands for Bare Bones
782         Backend. It's a low-level SSA-based language-agnostic compiler. The basic structure allows
783         for aggressive C-level optimizations and an awesome portable backend. The backend, called
784         Air (Assembly IR), is a reflective abstraction over our MacroAssembler. The abstraction is
785         defined using a spec file (AirOpcode.opcodes) which describes the various kinds of
786         instructions that we wish to support. Then, the B3::LowerToAir phase, which does our
787         instruction selection, reflectively selects Air opcodes by querying which instruction forms
788         are possible. Air allows for optimal register allocation and stack layout. Currently the
789         register allocator isn't written, but the stack layout is.
790
791         Of course this isn't done yet. It can only compile simple programs, seen in the "test suite"
792         called "testb3.cpp". There's a lot of optimizations that have to be written and a lot of
793         stuff added to the instruction selector. But it's a neat start.
794
795         * CMakeLists.txt:
796         * DerivedSources.make:
797         * JavaScriptCore.xcodeproj/project.pbxproj:
798         * assembler/MacroAssembler.cpp:
799         (WTF::printInternal):
800         * assembler/MacroAssembler.h:
801         * b3: Added.
802         * b3/B3AddressMatcher.patterns: Added.
803         * b3/B3ArgumentRegValue.cpp: Added.
804         (JSC::B3::ArgumentRegValue::~ArgumentRegValue):
805         (JSC::B3::ArgumentRegValue::dumpMeta):
806         * b3/B3ArgumentRegValue.h: Added.
807         * b3/B3BasicBlock.cpp: Added.
808         (JSC::B3::BasicBlock::BasicBlock):
809         (JSC::B3::BasicBlock::~BasicBlock):
810         (JSC::B3::BasicBlock::append):
811         (JSC::B3::BasicBlock::addPredecessor):
812         (JSC::B3::BasicBlock::removePredecessor):
813         (JSC::B3::BasicBlock::replacePredecessor):
814         (JSC::B3::BasicBlock::removeNops):
815         (JSC::B3::BasicBlock::dump):
816         (JSC::B3::BasicBlock::deepDump):
817         * b3/B3BasicBlock.h: Added.
818         (JSC::B3::BasicBlock::index):
819         (JSC::B3::BasicBlock::begin):
820         (JSC::B3::BasicBlock::end):
821         (JSC::B3::BasicBlock::size):
822         (JSC::B3::BasicBlock::at):
823         (JSC::B3::BasicBlock::last):
824         (JSC::B3::BasicBlock::values):
825         (JSC::B3::BasicBlock::numPredecessors):
826         (JSC::B3::BasicBlock::predecessor):
827         (JSC::B3::BasicBlock::predecessors):
828         (JSC::B3::BasicBlock::frequency):
829         (JSC::B3::DeepBasicBlockDump::DeepBasicBlockDump):
830         (JSC::B3::DeepBasicBlockDump::dump):
831         (JSC::B3::deepDump):
832         * b3/B3BasicBlockInlines.h: Added.
833         (JSC::B3::BasicBlock::appendNew):
834         (JSC::B3::BasicBlock::numSuccessors):
835         (JSC::B3::BasicBlock::successor):
836         (JSC::B3::BasicBlock::successors):
837         (JSC::B3::BasicBlock::successorBlock):
838         (JSC::B3::BasicBlock::successorBlocks):
839         * b3/B3BasicBlockUtils.h: Added.
840         (JSC::B3::addPredecessor):
841         (JSC::B3::removePredecessor):
842         (JSC::B3::replacePredecessor):
843         (JSC::B3::resetReachability):
844         (JSC::B3::blocksInPreOrder):
845         (JSC::B3::blocksInPostOrder):
846         * b3/B3BlockWorklist.h: Added.
847         * b3/B3CheckSpecial.cpp: Added.
848         (JSC::B3::Air::numB3Args):
849         (JSC::B3::CheckSpecial::CheckSpecial):
850         (JSC::B3::CheckSpecial::~CheckSpecial):
851         (JSC::B3::CheckSpecial::hiddenBranch):
852         (JSC::B3::CheckSpecial::forEachArg):
853         (JSC::B3::CheckSpecial::isValid):
854         (JSC::B3::CheckSpecial::admitsStack):
855         (JSC::B3::CheckSpecial::generate):
856         (JSC::B3::CheckSpecial::dumpImpl):
857         (JSC::B3::CheckSpecial::deepDumpImpl):
858         * b3/B3CheckSpecial.h: Added.
859         * b3/B3CheckValue.cpp: Added.
860         (JSC::B3::CheckValue::~CheckValue):
861         (JSC::B3::CheckValue::dumpMeta):
862         * b3/B3CheckValue.h: Added.
863         * b3/B3Common.cpp: Added.
864         (JSC::B3::shouldDumpIR):
865         (JSC::B3::shouldDumpIRAtEachPhase):
866         (JSC::B3::shouldValidateIR):
867         (JSC::B3::shouldValidateIRAtEachPhase):
868         (JSC::B3::shouldSaveIRBeforePhase):
869         * b3/B3Common.h: Added.
870         (JSC::B3::is64Bit):
871         (JSC::B3::is32Bit):
872         * b3/B3Commutativity.cpp: Added.
873         (WTF::printInternal):
874         * b3/B3Commutativity.h: Added.
875         * b3/B3Const32Value.cpp: Added.
876         (JSC::B3::Const32Value::~Const32Value):
877         (JSC::B3::Const32Value::negConstant):
878         (JSC::B3::Const32Value::addConstant):
879         (JSC::B3::Const32Value::subConstant):
880         (JSC::B3::Const32Value::dumpMeta):
881         * b3/B3Const32Value.h: Added.
882         * b3/B3Const64Value.cpp: Added.
883         (JSC::B3::Const64Value::~Const64Value):
884         (JSC::B3::Const64Value::negConstant):
885         (JSC::B3::Const64Value::addConstant):
886         (JSC::B3::Const64Value::subConstant):
887         (JSC::B3::Const64Value::dumpMeta):
888         * b3/B3Const64Value.h: Added.
889         * b3/B3ConstDoubleValue.cpp: Added.
890         (JSC::B3::ConstDoubleValue::~ConstDoubleValue):
891         (JSC::B3::ConstDoubleValue::negConstant):
892         (JSC::B3::ConstDoubleValue::addConstant):
893         (JSC::B3::ConstDoubleValue::subConstant):
894         (JSC::B3::ConstDoubleValue::dumpMeta):
895         * b3/B3ConstDoubleValue.h: Added.
896         (JSC::B3::ConstDoubleValue::accepts):
897         (JSC::B3::ConstDoubleValue::value):
898         (JSC::B3::ConstDoubleValue::ConstDoubleValue):
899         * b3/B3ConstPtrValue.h: Added.
900         (JSC::B3::ConstPtrValue::value):
901         (JSC::B3::ConstPtrValue::ConstPtrValue):
902         * b3/B3ControlValue.cpp: Added.
903         (JSC::B3::ControlValue::~ControlValue):
904         (JSC::B3::ControlValue::dumpMeta):
905         * b3/B3ControlValue.h: Added.
906         * b3/B3Effects.cpp: Added.
907         (JSC::B3::Effects::dump):
908         * b3/B3Effects.h: Added.
909         (JSC::B3::Effects::mustExecute):
910         * b3/B3FrequencyClass.cpp: Added.
911         (WTF::printInternal):
912         * b3/B3FrequencyClass.h: Added.
913         * b3/B3FrequentedBlock.h: Added.
914         * b3/B3Generate.cpp: Added.
915         (JSC::B3::generate):
916         (JSC::B3::generateToAir):
917         * b3/B3Generate.h: Added.
918         * b3/B3GenericFrequentedBlock.h: Added.
919         (JSC::B3::GenericFrequentedBlock::GenericFrequentedBlock):
920         (JSC::B3::GenericFrequentedBlock::operator==):
921         (JSC::B3::GenericFrequentedBlock::operator!=):
922         (JSC::B3::GenericFrequentedBlock::operator bool):
923         (JSC::B3::GenericFrequentedBlock::block):
924         (JSC::B3::GenericFrequentedBlock::frequency):
925         (JSC::B3::GenericFrequentedBlock::dump):
926         * b3/B3HeapRange.cpp: Added.
927         (JSC::B3::HeapRange::dump):
928         * b3/B3HeapRange.h: Added.
929         (JSC::B3::HeapRange::HeapRange):
930         (JSC::B3::HeapRange::top):
931         (JSC::B3::HeapRange::operator==):
932         (JSC::B3::HeapRange::operator!=):
933         (JSC::B3::HeapRange::operator bool):
934         (JSC::B3::HeapRange::begin):
935         (JSC::B3::HeapRange::end):
936         (JSC::B3::HeapRange::overlaps):
937         * b3/B3IndexMap.h: Added.
938         (JSC::B3::IndexMap::IndexMap):
939         (JSC::B3::IndexMap::resize):
940         (JSC::B3::IndexMap::operator[]):
941         * b3/B3IndexSet.h: Added.
942         (JSC::B3::IndexSet::IndexSet):
943         (JSC::B3::IndexSet::add):
944         (JSC::B3::IndexSet::contains):
945         (JSC::B3::IndexSet::Iterable::Iterable):
946         (JSC::B3::IndexSet::Iterable::iterator::iterator):
947         (JSC::B3::IndexSet::Iterable::iterator::operator*):
948         (JSC::B3::IndexSet::Iterable::iterator::operator++):
949         (JSC::B3::IndexSet::Iterable::iterator::operator==):
950         (JSC::B3::IndexSet::Iterable::iterator::operator!=):
951         (JSC::B3::IndexSet::Iterable::begin):
952         (JSC::B3::IndexSet::Iterable::end):
953         (JSC::B3::IndexSet::values):
954         (JSC::B3::IndexSet::indices):
955         (JSC::B3::IndexSet::dump):
956         * b3/B3InsertionSet.cpp: Added.
957         (JSC::B3::InsertionSet::execute):
958         * b3/B3InsertionSet.h: Added.
959         (JSC::B3::InsertionSet::InsertionSet):
960         (JSC::B3::InsertionSet::code):
961         (JSC::B3::InsertionSet::appendInsertion):
962         (JSC::B3::InsertionSet::insertValue):
963         * b3/B3InsertionSetInlines.h: Added.
964         (JSC::B3::InsertionSet::insert):
965         * b3/B3LowerToAir.cpp: Added.
966         (JSC::B3::Air::LowerToAir::LowerToAir):
967         (JSC::B3::Air::LowerToAir::run):
968         (JSC::B3::Air::LowerToAir::tmp):
969         (JSC::B3::Air::LowerToAir::effectiveAddr):
970         (JSC::B3::Air::LowerToAir::addr):
971         (JSC::B3::Air::LowerToAir::loadAddr):
972         (JSC::B3::Air::LowerToAir::imm):
973         (JSC::B3::Air::LowerToAir::immOrTmp):
974         (JSC::B3::Air::LowerToAir::appendBinOp):
975         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
976         (JSC::B3::Air::LowerToAir::moveForType):
977         (JSC::B3::Air::LowerToAir::relaxedMoveForType):
978         (JSC::B3::Air::LowerToAir::append):
979         (JSC::B3::Air::LowerToAir::AddressSelector::AddressSelector):
980         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRoot):
981         (JSC::B3::Air::LowerToAir::AddressSelector::acceptRootLate):
982         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternals):
983         (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternalsLate):
984         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperands):
985         (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperandsLate):
986         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift1):
987         (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift2):
988         (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd):
989         (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect):
990         (JSC::B3::Air::LowerToAir::acceptRoot):
991         (JSC::B3::Air::LowerToAir::acceptRootLate):
992         (JSC::B3::Air::LowerToAir::acceptInternals):
993         (JSC::B3::Air::LowerToAir::acceptInternalsLate):
994         (JSC::B3::Air::LowerToAir::acceptOperands):
995         (JSC::B3::Air::LowerToAir::acceptOperandsLate):
996         (JSC::B3::Air::LowerToAir::tryLoad):
997         (JSC::B3::Air::LowerToAir::tryAdd):
998         (JSC::B3::Air::LowerToAir::tryAnd):
999         (JSC::B3::Air::LowerToAir::tryStoreAddLoad):
1000         (JSC::B3::Air::LowerToAir::tryStoreAndLoad):
1001         (JSC::B3::Air::LowerToAir::tryStore):
1002         (JSC::B3::Air::LowerToAir::tryTruncArgumentReg):
1003         (JSC::B3::Air::LowerToAir::tryTrunc):
1004         (JSC::B3::Air::LowerToAir::tryArgumentReg):
1005         (JSC::B3::Air::LowerToAir::tryConst32):
1006         (JSC::B3::Air::LowerToAir::tryConst64):
1007         (JSC::B3::Air::LowerToAir::tryIdentity):
1008         (JSC::B3::Air::LowerToAir::tryReturn):
1009         (JSC::B3::lowerToAir):
1010         * b3/B3LowerToAir.h: Added.
1011         * b3/B3LoweringMatcher.patterns: Added.
1012         * b3/B3MemoryValue.cpp: Added.
1013         (JSC::B3::MemoryValue::~MemoryValue):
1014         (JSC::B3::MemoryValue::dumpMeta):
1015         * b3/B3MemoryValue.h: Added.
1016         * b3/B3Opcode.cpp: Added.
1017         (WTF::printInternal):
1018         * b3/B3Opcode.h: Added.
1019         (JSC::B3::isCheckMath):
1020         * b3/B3Origin.cpp: Added.
1021         (JSC::B3::Origin::dump):
1022         * b3/B3Origin.h: Added.
1023         (JSC::B3::Origin::Origin):
1024         (JSC::B3::Origin::operator bool):
1025         (JSC::B3::Origin::data):
1026         * b3/B3PatchpointSpecial.cpp: Added.
1027         (JSC::B3::PatchpointSpecial::PatchpointSpecial):
1028         (JSC::B3::PatchpointSpecial::~PatchpointSpecial):
1029         (JSC::B3::PatchpointSpecial::forEachArg):
1030         (JSC::B3::PatchpointSpecial::isValid):
1031         (JSC::B3::PatchpointSpecial::admitsStack):
1032         (JSC::B3::PatchpointSpecial::generate):
1033         (JSC::B3::PatchpointSpecial::dumpImpl):
1034         (JSC::B3::PatchpointSpecial::deepDumpImpl):
1035         * b3/B3PatchpointSpecial.h: Added.
1036         * b3/B3PatchpointValue.cpp: Added.
1037         (JSC::B3::PatchpointValue::~PatchpointValue):
1038         (JSC::B3::PatchpointValue::dumpMeta):
1039         * b3/B3PatchpointValue.h: Added.
1040         (JSC::B3::PatchpointValue::accepts):
1041         (JSC::B3::PatchpointValue::PatchpointValue):
1042         * b3/B3PhaseScope.cpp: Added.
1043         (JSC::B3::PhaseScope::PhaseScope):
1044         (JSC::B3::PhaseScope::~PhaseScope):
1045         * b3/B3PhaseScope.h: Added.
1046         * b3/B3Procedure.cpp: Added.
1047         (JSC::B3::Procedure::Procedure):
1048         (JSC::B3::Procedure::~Procedure):
1049         (JSC::B3::Procedure::addBlock):
1050         (JSC::B3::Procedure::resetReachability):
1051         (JSC::B3::Procedure::dump):
1052         (JSC::B3::Procedure::blocksInPreOrder):
1053         (JSC::B3::Procedure::blocksInPostOrder):
1054         * b3/B3Procedure.h: Added.
1055         (JSC::B3::Procedure::size):
1056         (JSC::B3::Procedure::at):
1057         (JSC::B3::Procedure::operator[]):
1058         (JSC::B3::Procedure::iterator::iterator):
1059         (JSC::B3::Procedure::iterator::operator*):
1060         (JSC::B3::Procedure::iterator::operator++):
1061         (JSC::B3::Procedure::iterator::operator==):
1062         (JSC::B3::Procedure::iterator::operator!=):
1063         (JSC::B3::Procedure::iterator::findNext):
1064         (JSC::B3::Procedure::begin):
1065         (JSC::B3::Procedure::end):
1066         (JSC::B3::Procedure::ValuesCollection::ValuesCollection):
1067         (JSC::B3::Procedure::ValuesCollection::iterator::iterator):
1068         (JSC::B3::Procedure::ValuesCollection::iterator::operator*):
1069         (JSC::B3::Procedure::ValuesCollection::iterator::operator++):
1070         (JSC::B3::Procedure::ValuesCollection::iterator::operator==):
1071         (JSC::B3::Procedure::ValuesCollection::iterator::operator!=):
1072         (JSC::B3::Procedure::ValuesCollection::begin):
1073         (JSC::B3::Procedure::ValuesCollection::end):
1074         (JSC::B3::Procedure::ValuesCollection::size):
1075         (JSC::B3::Procedure::ValuesCollection::at):
1076         (JSC::B3::Procedure::ValuesCollection::operator[]):
1077         (JSC::B3::Procedure::values):
1078         (JSC::B3::Procedure::setLastPhaseName):
1079         (JSC::B3::Procedure::lastPhaseName):
1080         * b3/B3ProcedureInlines.h: Added.
1081         (JSC::B3::Procedure::add):
1082         * b3/B3ReduceStrength.cpp: Added.
1083         (JSC::B3::reduceStrength):
1084         * b3/B3ReduceStrength.h: Added.
1085         * b3/B3StackSlotKind.cpp: Added.
1086         (WTF::printInternal):
1087         * b3/B3StackSlotKind.h: Added.
1088         * b3/B3StackSlotValue.cpp: Added.
1089         (JSC::B3::StackSlotValue::~StackSlotValue):
1090         (JSC::B3::StackSlotValue::dumpMeta):
1091         * b3/B3StackSlotValue.h: Added.
1092         (JSC::B3::StackSlotValue::accepts):
1093         (JSC::B3::StackSlotValue::byteSize):
1094         (JSC::B3::StackSlotValue::kind):
1095         (JSC::B3::StackSlotValue::offsetFromFP):
1096         (JSC::B3::StackSlotValue::setOffsetFromFP):
1097         (JSC::B3::StackSlotValue::StackSlotValue):
1098         * b3/B3Stackmap.cpp: Added.
1099         (JSC::B3::Stackmap::Stackmap):
1100         (JSC::B3::Stackmap::~Stackmap):
1101         (JSC::B3::Stackmap::dump):
1102         * b3/B3Stackmap.h: Added.
1103         (JSC::B3::Stackmap::constrain):
1104         (JSC::B3::Stackmap::reps):
1105         (JSC::B3::Stackmap::clobber):
1106         (JSC::B3::Stackmap::clobbered):
1107         (JSC::B3::Stackmap::setGenerator):
1108         * b3/B3StackmapSpecial.cpp: Added.
1109         (JSC::B3::StackmapSpecial::StackmapSpecial):
1110         (JSC::B3::StackmapSpecial::~StackmapSpecial):
1111         (JSC::B3::StackmapSpecial::reportUsedRegisters):
1112         (JSC::B3::StackmapSpecial::extraClobberedRegs):
1113         (JSC::B3::StackmapSpecial::forEachArgImpl):
1114         (JSC::B3::StackmapSpecial::isValidImpl):
1115         (JSC::B3::StackmapSpecial::admitsStackImpl):
1116         (JSC::B3::StackmapSpecial::appendRepsImpl):
1117         (JSC::B3::StackmapSpecial::repForArg):
1118         * b3/B3StackmapSpecial.h: Added.
1119         * b3/B3SuccessorCollection.h: Added.
1120         (JSC::B3::SuccessorCollection::SuccessorCollection):
1121         (JSC::B3::SuccessorCollection::size):
1122         (JSC::B3::SuccessorCollection::at):
1123         (JSC::B3::SuccessorCollection::operator[]):
1124         (JSC::B3::SuccessorCollection::iterator::iterator):
1125         (JSC::B3::SuccessorCollection::iterator::operator*):
1126         (JSC::B3::SuccessorCollection::iterator::operator++):
1127         (JSC::B3::SuccessorCollection::iterator::operator==):
1128         (JSC::B3::SuccessorCollection::iterator::operator!=):
1129         (JSC::B3::SuccessorCollection::begin):
1130         (JSC::B3::SuccessorCollection::end):
1131         * b3/B3SwitchCase.cpp: Added.
1132         (JSC::B3::SwitchCase::dump):
1133         * b3/B3SwitchCase.h: Added.
1134         (JSC::B3::SwitchCase::SwitchCase):
1135         (JSC::B3::SwitchCase::operator bool):
1136         (JSC::B3::SwitchCase::caseValue):
1137         (JSC::B3::SwitchCase::target):
1138         (JSC::B3::SwitchCase::targetBlock):
1139         * b3/B3SwitchValue.cpp: Added.
1140         (JSC::B3::SwitchValue::~SwitchValue):
1141         (JSC::B3::SwitchValue::removeCase):
1142         (JSC::B3::SwitchValue::appendCase):
1143         (JSC::B3::SwitchValue::dumpMeta):
1144         (JSC::B3::SwitchValue::SwitchValue):
1145         * b3/B3SwitchValue.h: Added.
1146         (JSC::B3::SwitchValue::accepts):
1147         (JSC::B3::SwitchValue::numCaseValues):
1148         (JSC::B3::SwitchValue::caseValue):
1149         (JSC::B3::SwitchValue::caseValues):
1150         (JSC::B3::SwitchValue::fallThrough):
1151         (JSC::B3::SwitchValue::size):
1152         (JSC::B3::SwitchValue::at):
1153         (JSC::B3::SwitchValue::operator[]):
1154         (JSC::B3::SwitchValue::iterator::iterator):
1155         (JSC::B3::SwitchValue::iterator::operator*):
1156         (JSC::B3::SwitchValue::iterator::operator++):
1157         (JSC::B3::SwitchValue::iterator::operator==):
1158         (JSC::B3::SwitchValue::iterator::operator!=):
1159         (JSC::B3::SwitchValue::begin):
1160         (JSC::B3::SwitchValue::end):
1161         * b3/B3Type.cpp: Added.
1162         (WTF::printInternal):
1163         * b3/B3Type.h: Added.
1164         (JSC::B3::isInt):
1165         (JSC::B3::isFloat):
1166         (JSC::B3::pointerType):
1167         * b3/B3UpsilonValue.cpp: Added.
1168         (JSC::B3::UpsilonValue::~UpsilonValue):
1169         (JSC::B3::UpsilonValue::dumpMeta):
1170         * b3/B3UpsilonValue.h: Added.
1171         (JSC::B3::UpsilonValue::accepts):
1172         (JSC::B3::UpsilonValue::phi):
1173         (JSC::B3::UpsilonValue::UpsilonValue):
1174         * b3/B3UseCounts.cpp: Added.
1175         (JSC::B3::UseCounts::UseCounts):
1176         (JSC::B3::UseCounts::~UseCounts):
1177         * b3/B3UseCounts.h: Added.
1178         (JSC::B3::UseCounts::operator[]):
1179         * b3/B3Validate.cpp: Added.
1180         (JSC::B3::validate):
1181         * b3/B3Validate.h: Added.
1182         * b3/B3Value.cpp: Added.
1183         (JSC::B3::Value::~Value):
1184         (JSC::B3::Value::replaceWithIdentity):
1185         (JSC::B3::Value::replaceWithNop):
1186         (JSC::B3::Value::dump):
1187         (JSC::B3::Value::deepDump):
1188         (JSC::B3::Value::negConstant):
1189         (JSC::B3::Value::addConstant):
1190         (JSC::B3::Value::subConstant):
1191         (JSC::B3::Value::effects):
1192         (JSC::B3::Value::performSubstitution):
1193         (JSC::B3::Value::dumpMeta):
1194         (JSC::B3::Value::typeFor):
1195         * b3/B3Value.h: Added.
1196         (JSC::B3::DeepValueDump::DeepValueDump):
1197         (JSC::B3::DeepValueDump::dump):
1198         (JSC::B3::deepDump):
1199         * b3/B3ValueInlines.h: Added.
1200         (JSC::B3::Value::as):
1201         (JSC::B3::Value::isConstant):
1202         (JSC::B3::Value::hasInt32):
1203         (JSC::B3::Value::asInt32):
1204         (JSC::B3::Value::hasInt64):
1205         (JSC::B3::Value::asInt64):
1206         (JSC::B3::Value::hasInt):
1207         (JSC::B3::Value::asInt):
1208         (JSC::B3::Value::isInt):
1209         (JSC::B3::Value::hasIntPtr):
1210         (JSC::B3::Value::asIntPtr):
1211         (JSC::B3::Value::hasDouble):
1212         (JSC::B3::Value::asDouble):
1213         (JSC::B3::Value::stackmap):
1214         * b3/B3ValueRep.cpp: Added.
1215         (JSC::B3::ValueRep::dump):
1216         (WTF::printInternal):
1217         * b3/B3ValueRep.h: Added.
1218         (JSC::B3::ValueRep::ValueRep):
1219         (JSC::B3::ValueRep::reg):
1220         (JSC::B3::ValueRep::stack):
1221         (JSC::B3::ValueRep::stackArgument):
1222         (JSC::B3::ValueRep::constant):
1223         (JSC::B3::ValueRep::constantDouble):
1224         (JSC::B3::ValueRep::kind):
1225         (JSC::B3::ValueRep::operator bool):
1226         (JSC::B3::ValueRep::offsetFromFP):
1227         (JSC::B3::ValueRep::offsetFromSP):
1228         (JSC::B3::ValueRep::value):
1229         (JSC::B3::ValueRep::doubleValue):
1230         * b3/air: Added.
1231         * b3/air/AirAllocateStack.cpp: Added.
1232         (JSC::B3::Air::allocateStack):
1233         * b3/air/AirAllocateStack.h: Added.
1234         * b3/air/AirArg.cpp: Added.
1235         (JSC::B3::Air::Arg::dump):
1236         * b3/air/AirArg.h: Added.
1237         (JSC::B3::Air::Arg::isUse):
1238         (JSC::B3::Air::Arg::isDef):
1239         (JSC::B3::Air::Arg::typeForB3Type):
1240         (JSC::B3::Air::Arg::Arg):
1241         (JSC::B3::Air::Arg::imm):
1242         (JSC::B3::Air::Arg::imm64):
1243         (JSC::B3::Air::Arg::addr):
1244         (JSC::B3::Air::Arg::stack):
1245         (JSC::B3::Air::Arg::callArg):
1246         (JSC::B3::Air::Arg::isValidScale):
1247         (JSC::B3::Air::Arg::logScale):
1248         (JSC::B3::Air::Arg::index):
1249         (JSC::B3::Air::Arg::relCond):
1250         (JSC::B3::Air::Arg::resCond):
1251         (JSC::B3::Air::Arg::special):
1252         (JSC::B3::Air::Arg::operator==):
1253         (JSC::B3::Air::Arg::operator!=):
1254         (JSC::B3::Air::Arg::operator bool):
1255         (JSC::B3::Air::Arg::kind):
1256         (JSC::B3::Air::Arg::isTmp):
1257         (JSC::B3::Air::Arg::isImm):
1258         (JSC::B3::Air::Arg::isImm64):
1259         (JSC::B3::Air::Arg::isAddr):
1260         (JSC::B3::Air::Arg::isStack):
1261         (JSC::B3::Air::Arg::isCallArg):
1262         (JSC::B3::Air::Arg::isIndex):
1263         (JSC::B3::Air::Arg::isRelCond):
1264         (JSC::B3::Air::Arg::isResCond):
1265         (JSC::B3::Air::Arg::isSpecial):
1266         (JSC::B3::Air::Arg::isAlive):
1267         (JSC::B3::Air::Arg::tmp):
1268         (JSC::B3::Air::Arg::value):
1269         (JSC::B3::Air::Arg::pointerValue):
1270         (JSC::B3::Air::Arg::base):
1271         (JSC::B3::Air::Arg::hasOffset):
1272         (JSC::B3::Air::Arg::offset):
1273         (JSC::B3::Air::Arg::stackSlot):
1274         (JSC::B3::Air::Arg::scale):
1275         (JSC::B3::Air::Arg::isGPTmp):
1276         (JSC::B3::Air::Arg::isFPTmp):
1277         (JSC::B3::Air::Arg::isGP):
1278         (JSC::B3::Air::Arg::isFP):
1279         (JSC::B3::Air::Arg::hasType):
1280         (JSC::B3::Air::Arg::type):
1281         (JSC::B3::Air::Arg::isType):
1282         (JSC::B3::Air::Arg::isGPR):
1283         (JSC::B3::Air::Arg::gpr):
1284         (JSC::B3::Air::Arg::isFPR):
1285         (JSC::B3::Air::Arg::fpr):
1286         (JSC::B3::Air::Arg::isReg):
1287         (JSC::B3::Air::Arg::reg):
1288         (JSC::B3::Air::Arg::gpTmpIndex):
1289         (JSC::B3::Air::Arg::fpTmpIndex):
1290         (JSC::B3::Air::Arg::tmpIndex):
1291         (JSC::B3::Air::Arg::withOffset):
1292         (JSC::B3::Air::Arg::forEachTmpFast):
1293         (JSC::B3::Air::Arg::forEachTmp):
1294         (JSC::B3::Air::Arg::asTrustedImm32):
1295         (JSC::B3::Air::Arg::asTrustedImm64):
1296         (JSC::B3::Air::Arg::asTrustedImmPtr):
1297         (JSC::B3::Air::Arg::asAddress):
1298         (JSC::B3::Air::Arg::asBaseIndex):
1299         (JSC::B3::Air::Arg::asRelationalCondition):
1300         (JSC::B3::Air::Arg::asResultCondition):
1301         (JSC::B3::Air::Arg::isHashTableDeletedValue):
1302         (JSC::B3::Air::Arg::hash):
1303         (JSC::B3::Air::ArgHash::hash):
1304         (JSC::B3::Air::ArgHash::equal):
1305         * b3/air/AirBasicBlock.cpp: Added.
1306         (JSC::B3::Air::BasicBlock::addPredecessor):
1307         (JSC::B3::Air::BasicBlock::removePredecessor):
1308         (JSC::B3::Air::BasicBlock::replacePredecessor):
1309         (JSC::B3::Air::BasicBlock::dump):
1310         (JSC::B3::Air::BasicBlock::deepDump):
1311         (JSC::B3::Air::BasicBlock::BasicBlock):
1312         * b3/air/AirBasicBlock.h: Added.
1313         (JSC::B3::Air::BasicBlock::index):
1314         (JSC::B3::Air::BasicBlock::size):
1315         (JSC::B3::Air::BasicBlock::begin):
1316         (JSC::B3::Air::BasicBlock::end):
1317         (JSC::B3::Air::BasicBlock::at):
1318         (JSC::B3::Air::BasicBlock::last):
1319         (JSC::B3::Air::BasicBlock::appendInst):
1320         (JSC::B3::Air::BasicBlock::append):
1321         (JSC::B3::Air::BasicBlock::numSuccessors):
1322         (JSC::B3::Air::BasicBlock::successor):
1323         (JSC::B3::Air::BasicBlock::successors):
1324         (JSC::B3::Air::BasicBlock::successorBlock):
1325         (JSC::B3::Air::BasicBlock::successorBlocks):
1326         (JSC::B3::Air::BasicBlock::numPredecessors):
1327         (JSC::B3::Air::BasicBlock::predecessor):
1328         (JSC::B3::Air::BasicBlock::predecessors):
1329         (JSC::B3::Air::DeepBasicBlockDump::DeepBasicBlockDump):
1330         (JSC::B3::Air::DeepBasicBlockDump::dump):
1331         (JSC::B3::Air::deepDump):
1332         * b3/air/AirCCallSpecial.cpp: Added.
1333         (JSC::B3::Air::CCallSpecial::CCallSpecial):
1334         (JSC::B3::Air::CCallSpecial::~CCallSpecial):
1335         (JSC::B3::Air::CCallSpecial::forEachArg):
1336         (JSC::B3::Air::CCallSpecial::isValid):
1337         (JSC::B3::Air::CCallSpecial::admitsStack):
1338         (JSC::B3::Air::CCallSpecial::reportUsedRegisters):
1339         (JSC::B3::Air::CCallSpecial::generate):
1340         (JSC::B3::Air::CCallSpecial::extraClobberedRegs):
1341         (JSC::B3::Air::CCallSpecial::dumpImpl):
1342         (JSC::B3::Air::CCallSpecial::deepDumpImpl):
1343         * b3/air/AirCCallSpecial.h: Added.
1344         * b3/air/AirCode.cpp: Added.
1345         (JSC::B3::Air::Code::Code):
1346         (JSC::B3::Air::Code::~Code):
1347         (JSC::B3::Air::Code::addBlock):
1348         (JSC::B3::Air::Code::addStackSlot):
1349         (JSC::B3::Air::Code::addSpecial):
1350         (JSC::B3::Air::Code::cCallSpecial):
1351         (JSC::B3::Air::Code::resetReachability):
1352         (JSC::B3::Air::Code::dump):
1353         (JSC::B3::Air::Code::findFirstBlockIndex):
1354         (JSC::B3::Air::Code::findNextBlockIndex):
1355         (JSC::B3::Air::Code::findNextBlock):
1356         * b3/air/AirCode.h: Added.
1357         (JSC::B3::Air::Code::newTmp):
1358         (JSC::B3::Air::Code::numTmps):
1359         (JSC::B3::Air::Code::callArgAreaSize):
1360         (JSC::B3::Air::Code::requestCallArgAreaSize):
1361         (JSC::B3::Air::Code::frameSize):
1362         (JSC::B3::Air::Code::setFrameSize):
1363         (JSC::B3::Air::Code::calleeSaveRegisters):
1364         (JSC::B3::Air::Code::size):
1365         (JSC::B3::Air::Code::at):
1366         (JSC::B3::Air::Code::operator[]):
1367         (JSC::B3::Air::Code::iterator::iterator):
1368         (JSC::B3::Air::Code::iterator::operator*):
1369         (JSC::B3::Air::Code::iterator::operator++):
1370         (JSC::B3::Air::Code::iterator::operator==):
1371         (JSC::B3::Air::Code::iterator::operator!=):
1372         (JSC::B3::Air::Code::begin):
1373         (JSC::B3::Air::Code::end):
1374         (JSC::B3::Air::Code::StackSlotsCollection::StackSlotsCollection):
1375         (JSC::B3::Air::Code::StackSlotsCollection::size):
1376         (JSC::B3::Air::Code::StackSlotsCollection::at):
1377         (JSC::B3::Air::Code::StackSlotsCollection::operator[]):
1378         (JSC::B3::Air::Code::StackSlotsCollection::iterator::iterator):
1379         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator*):
1380         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator++):
1381         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator==):
1382         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator!=):
1383         (JSC::B3::Air::Code::StackSlotsCollection::begin):
1384         (JSC::B3::Air::Code::StackSlotsCollection::end):
1385         (JSC::B3::Air::Code::stackSlots):
1386         (JSC::B3::Air::Code::SpecialsCollection::SpecialsCollection):
1387         (JSC::B3::Air::Code::SpecialsCollection::size):
1388         (JSC::B3::Air::Code::SpecialsCollection::at):
1389         (JSC::B3::Air::Code::SpecialsCollection::operator[]):
1390         (JSC::B3::Air::Code::SpecialsCollection::iterator::iterator):
1391         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator*):
1392         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator++):
1393         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator==):
1394         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator!=):
1395         (JSC::B3::Air::Code::SpecialsCollection::begin):
1396         (JSC::B3::Air::Code::SpecialsCollection::end):
1397         (JSC::B3::Air::Code::specials):
1398         (JSC::B3::Air::Code::setLastPhaseName):
1399         (JSC::B3::Air::Code::lastPhaseName):
1400         * b3/air/AirFrequentedBlock.h: Added.
1401         * b3/air/AirGenerate.cpp: Added.
1402         (JSC::B3::Air::generate):
1403         * b3/air/AirGenerate.h: Added.
1404         * b3/air/AirGenerated.cpp: Added.
1405         * b3/air/AirGenerationContext.h: Added.
1406         * b3/air/AirHandleCalleeSaves.cpp: Added.
1407         (JSC::B3::Air::handleCalleeSaves):
1408         * b3/air/AirHandleCalleeSaves.h: Added.
1409         * b3/air/AirInsertionSet.cpp: Added.
1410         (JSC::B3::Air::InsertionSet::execute):
1411         * b3/air/AirInsertionSet.h: Added.
1412         (JSC::B3::Air::InsertionSet::InsertionSet):
1413         (JSC::B3::Air::InsertionSet::code):
1414         (JSC::B3::Air::InsertionSet::appendInsertion):
1415         (JSC::B3::Air::InsertionSet::insertInst):
1416         (JSC::B3::Air::InsertionSet::insert):
1417         * b3/air/AirInst.cpp: Added.
1418         (JSC::B3::Air::Inst::dump):
1419         * b3/air/AirInst.h: Added.
1420         (JSC::B3::Air::Inst::Inst):
1421         (JSC::B3::Air::Inst::opcode):
1422         (JSC::B3::Air::Inst::forEachTmpFast):
1423         (JSC::B3::Air::Inst::forEachTmp):
1424         * b3/air/AirInstInlines.h: Added.
1425         (JSC::B3::Air::ForEach<Tmp>::forEach):
1426         (JSC::B3::Air::ForEach<Arg>::forEach):
1427         (JSC::B3::Air::Inst::forEach):
1428         (JSC::B3::Air::Inst::hasSpecial):
1429         (JSC::B3::Air::Inst::extraClobberedRegs):
1430         (JSC::B3::Air::Inst::reportUsedRegisters):
1431         (JSC::B3::Air::isShiftValid):
1432         (JSC::B3::Air::isLshift32Valid):
1433         * b3/air/AirLiveness.h: Added.
1434         (JSC::B3::Air::Liveness::Liveness):
1435         (JSC::B3::Air::Liveness::liveAtHead):
1436         (JSC::B3::Air::Liveness::liveAtTail):
1437         (JSC::B3::Air::Liveness::LocalCalc::LocalCalc):
1438         (JSC::B3::Air::Liveness::LocalCalc::live):
1439         (JSC::B3::Air::Liveness::LocalCalc::takeLive):
1440         (JSC::B3::Air::Liveness::LocalCalc::execute):
1441         * b3/air/AirOpcode.opcodes: Added.
1442         * b3/air/AirPhaseScope.cpp: Added.
1443         (JSC::B3::Air::PhaseScope::PhaseScope):
1444         (JSC::B3::Air::PhaseScope::~PhaseScope):
1445         * b3/air/AirPhaseScope.h: Added.
1446         * b3/air/AirRegisterPriority.cpp: Added.
1447         (JSC::B3::Air::gprsInPriorityOrder):
1448         (JSC::B3::Air::fprsInPriorityOrder):
1449         (JSC::B3::Air::regsInPriorityOrder):
1450         * b3/air/AirRegisterPriority.h: Added.
1451         (JSC::B3::Air::RegistersInPriorityOrder<GPRInfo>::inPriorityOrder):
1452         (JSC::B3::Air::RegistersInPriorityOrder<FPRInfo>::inPriorityOrder):
1453         (JSC::B3::Air::regsInPriorityOrder):
1454         * b3/air/AirSpecial.cpp: Added.
1455         (JSC::B3::Air::Special::Special):
1456         (JSC::B3::Air::Special::~Special):
1457         (JSC::B3::Air::Special::name):
1458         (JSC::B3::Air::Special::dump):
1459         (JSC::B3::Air::Special::deepDump):
1460         * b3/air/AirSpecial.h: Added.
1461         (JSC::B3::Air::DeepSpecialDump::DeepSpecialDump):
1462         (JSC::B3::Air::DeepSpecialDump::dump):
1463         (JSC::B3::Air::deepDump):
1464         * b3/air/AirSpillEverything.cpp: Added.
1465         (JSC::B3::Air::spillEverything):
1466         * b3/air/AirSpillEverything.h: Added.
1467         * b3/air/AirStackSlot.cpp: Added.
1468         (JSC::B3::Air::StackSlot::setOffsetFromFP):
1469         (JSC::B3::Air::StackSlot::dump):
1470         (JSC::B3::Air::StackSlot::deepDump):
1471         (JSC::B3::Air::StackSlot::StackSlot):
1472         * b3/air/AirStackSlot.h: Added.
1473         (JSC::B3::Air::StackSlot::byteSize):
1474         (JSC::B3::Air::StackSlot::kind):
1475         (JSC::B3::Air::StackSlot::index):
1476         (JSC::B3::Air::StackSlot::alignment):
1477         (JSC::B3::Air::StackSlot::value):
1478         (JSC::B3::Air::StackSlot::offsetFromFP):
1479         (JSC::B3::Air::DeepStackSlotDump::DeepStackSlotDump):
1480         (JSC::B3::Air::DeepStackSlotDump::dump):
1481         (JSC::B3::Air::deepDump):
1482         * b3/air/AirTmp.cpp: Added.
1483         (JSC::B3::Air::Tmp::dump):
1484         * b3/air/AirTmp.h: Added.
1485         (JSC::B3::Air::Tmp::Tmp):
1486         (JSC::B3::Air::Tmp::gpTmpForIndex):
1487         (JSC::B3::Air::Tmp::fpTmpForIndex):
1488         (JSC::B3::Air::Tmp::operator bool):
1489         (JSC::B3::Air::Tmp::isGP):
1490         (JSC::B3::Air::Tmp::isFP):
1491         (JSC::B3::Air::Tmp::isGPR):
1492         (JSC::B3::Air::Tmp::isFPR):
1493         (JSC::B3::Air::Tmp::isReg):
1494         (JSC::B3::Air::Tmp::gpr):
1495         (JSC::B3::Air::Tmp::fpr):
1496         (JSC::B3::Air::Tmp::reg):
1497         (JSC::B3::Air::Tmp::hasTmpIndex):
1498         (JSC::B3::Air::Tmp::gpTmpIndex):
1499         (JSC::B3::Air::Tmp::fpTmpIndex):
1500         (JSC::B3::Air::Tmp::tmpIndex):
1501         (JSC::B3::Air::Tmp::isAlive):
1502         (JSC::B3::Air::Tmp::operator==):
1503         (JSC::B3::Air::Tmp::operator!=):
1504         (JSC::B3::Air::Tmp::isHashTableDeletedValue):
1505         (JSC::B3::Air::Tmp::hash):
1506         (JSC::B3::Air::Tmp::encodeGP):
1507         (JSC::B3::Air::Tmp::encodeFP):
1508         (JSC::B3::Air::Tmp::encodeGPR):
1509         (JSC::B3::Air::Tmp::encodeFPR):
1510         (JSC::B3::Air::Tmp::encodeGPTmp):
1511         (JSC::B3::Air::Tmp::encodeFPTmp):
1512         (JSC::B3::Air::Tmp::isEncodedGP):
1513         (JSC::B3::Air::Tmp::isEncodedFP):
1514         (JSC::B3::Air::Tmp::isEncodedGPR):
1515         (JSC::B3::Air::Tmp::isEncodedFPR):
1516         (JSC::B3::Air::Tmp::isEncodedGPTmp):
1517         (JSC::B3::Air::Tmp::isEncodedFPTmp):
1518         (JSC::B3::Air::Tmp::decodeGPR):
1519         (JSC::B3::Air::Tmp::decodeFPR):
1520         (JSC::B3::Air::Tmp::decodeGPTmp):
1521         (JSC::B3::Air::Tmp::decodeFPTmp):
1522         (JSC::B3::Air::TmpHash::hash):
1523         (JSC::B3::Air::TmpHash::equal):
1524         * b3/air/AirTmpInlines.h: Added.
1525         (JSC::B3::Air::Tmp::Tmp):
1526         * b3/air/AirValidate.cpp: Added.
1527         (JSC::B3::Air::validate):
1528         * b3/air/AirValidate.h: Added.
1529         * b3/air/opcode_generator.rb: Added.
1530         * b3/generate_pattern_matcher.rb: Added.
1531         * b3/testb3.cpp: Added.
1532         (JSC::B3::compileAndRun):
1533         (JSC::B3::test42):
1534         (JSC::B3::testLoad42):
1535         (JSC::B3::testArg):
1536         (JSC::B3::testAddArgs):
1537         (JSC::B3::testAddArgs32):
1538         (JSC::B3::testStore):
1539         (JSC::B3::testTrunc):
1540         (JSC::B3::testAdd1):
1541         (JSC::B3::testStoreAddLoad):
1542         (JSC::B3::testStoreAddAndLoad):
1543         (JSC::B3::testAdd1Uncommuted):
1544         (JSC::B3::testLoadOffset):
1545         (JSC::B3::testLoadOffsetNotConstant):
1546         (JSC::B3::testLoadOffsetUsingAdd):
1547         (JSC::B3::testLoadOffsetUsingAddNotConstant):
1548         (JSC::B3::run):
1549         (run):
1550         (main):
1551         * bytecode/CodeBlock.h:
1552         (JSC::CodeBlock::specializationKind):
1553         * jit/Reg.h:
1554         (JSC::Reg::index):
1555         (JSC::Reg::isSet):
1556         (JSC::Reg::operator bool):
1557         (JSC::Reg::isHashTableDeletedValue):
1558         (JSC::Reg::AllRegsIterable::iterator::iterator):
1559         (JSC::Reg::AllRegsIterable::iterator::operator*):
1560         (JSC::Reg::AllRegsIterable::iterator::operator++):
1561         (JSC::Reg::AllRegsIterable::iterator::operator==):
1562         (JSC::Reg::AllRegsIterable::iterator::operator!=):
1563         (JSC::Reg::AllRegsIterable::begin):
1564         (JSC::Reg::AllRegsIterable::end):
1565         (JSC::Reg::all):
1566         (JSC::Reg::invalid):
1567         (JSC::Reg::operator!): Deleted.
1568         * jit/RegisterAtOffsetList.cpp:
1569         (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
1570         * jit/RegisterAtOffsetList.h:
1571         (JSC::RegisterAtOffsetList::clear):
1572         (JSC::RegisterAtOffsetList::size):
1573         (JSC::RegisterAtOffsetList::begin):
1574         (JSC::RegisterAtOffsetList::end):
1575         * jit/RegisterSet.h:
1576         (JSC::RegisterSet::operator==):
1577         (JSC::RegisterSet::hash):
1578         (JSC::RegisterSet::forEach):
1579         (JSC::RegisterSet::setAny):
1580
1581 2015-10-28  Mark Lam  <mark.lam@apple.com>
1582
1583         Rename MacroAssembler::callProbe() to probe().
1584         https://bugs.webkit.org/show_bug.cgi?id=150641
1585
1586         Reviewed by Saam Barati.
1587
1588         To do this, I needed to disambiguate the low-level probe() from the
1589         high-level version that takes a std::function.  I did this by changing the
1590         low-level version to not take default args anymore.
1591
1592         * assembler/AbstractMacroAssembler.h:
1593         * assembler/MacroAssembler.cpp:
1594         (JSC::stdFunctionCallback):
1595         (JSC::MacroAssembler::probe):
1596         (JSC::MacroAssembler::callProbe): Deleted.
1597         * assembler/MacroAssembler.h:
1598         (JSC::MacroAssembler::urshift32):
1599         * assembler/MacroAssemblerARM.h:
1600         (JSC::MacroAssemblerARM::repatchCall):
1601         * assembler/MacroAssemblerARM64.h:
1602         (JSC::MacroAssemblerARM64::repatchCall):
1603         * assembler/MacroAssemblerARMv7.h:
1604         (JSC::MacroAssemblerARMv7::repatchCall):
1605         * assembler/MacroAssemblerPrinter.h:
1606         (JSC::MacroAssemblerPrinter::print):
1607         * assembler/MacroAssemblerX86Common.h:
1608         (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
1609
1610 2015-10-28  Timothy Hatcher  <timothy@apple.com>
1611
1612         Web Inspector: jsmin.py mistakenly removes whitespace from template literal strings
1613         https://bugs.webkit.org/show_bug.cgi?id=148728
1614
1615         Reviewed by Joseph Pecoraro.
1616
1617         * Scripts/jsmin.py:
1618         (JavascriptMinify.minify): Make backtick a quoting character.
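
        The following is an added illustration of the fix described in this entry, not
        WebKit's Scripts/jsmin.py: a minimal quote-aware whitespace collapser in which the
        set of quoting characters is a parameter, so the same input can be run with and
        without the backtick treated as a quote. The sample JavaScript line is constructed;
        comments and regex literals are deliberately out of scope.

```python
# Added example (not WebKit's Scripts/jsmin.py): a minimal quote-aware
# whitespace collapser showing why a JS minifier must treat the backtick
# as a quoting character. Whitespace inside `...` is part of the string
# value, so collapsing it changes program behaviour.

QUOTE_CHARS = {'"', "'", '`'}  # backtick included: the fix described above


def collapse_whitespace(source, quote_chars=QUOTE_CHARS):
    """Collapse each run of whitespace outside a quoted literal to a single
    space (dropping leading and trailing runs), and copy every quoted
    literal, including backslash-escaped quotes, through verbatim.
    Comments and regex literals are out of scope for this example."""
    out = []
    pending_space = False
    i, n = 0, len(source)
    while i < n:
        c = source[i]
        if c in quote_chars:
            # Find the matching unescaped closing quote; a backslash skips
            # the following character whatever it is.
            j = i + 1
            while j < n and source[j] != c:
                j += 2 if source[j] == '\\' else 1
            if pending_space and out:
                out.append(' ')
            pending_space = False
            out.append(source[i:j + 1])  # verbatim, whitespace intact
            i = j + 1
        elif c.isspace():
            pending_space = True          # emit at most one space later
            i += 1
        else:
            if pending_space and out:
                out.append(' ')
            pending_space = False
            out.append(c)
            i += 1
    return ''.join(out)


def demonstrate_bug():
    """Return (buggy, fixed) outputs for a constructed template literal
    whose internal spacing matters."""
    js = "const s = `a   b`;"
    buggy = collapse_whitespace(js, quote_chars={'"', "'"})  # backtick not quoting
    fixed = collapse_whitespace(js)
    return buggy, fixed


if __name__ == "__main__":
    buggy, fixed = demonstrate_bug()
    print("without backtick quoting:", buggy)
    print("with backtick quoting:   ", fixed)
```

        Without the backtick in the quoting set the template literal's three spaces collapse to
        one, silently changing the string's value; with it the literal passes through untouched.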
1619
1620 2015-10-28  Brian Burg  <bburg@apple.com>
1621
1622         Builtins generator should emit ENABLE(FEATURE) guards based on @conditional annotation
1623         https://bugs.webkit.org/show_bug.cgi?id=150536
1624
1625         Reviewed by Yusuke Suzuki.
1626
1627         Scan JS builtin files for @key=value and @flag annotations in single-line comments.
1628         For @conditional=CONDITIONAL, emit CONDITIONAL guards around the relevant object's code.
1629
1630         Generate primary header includes separately from secondary header includes so we can
1631         put the guard between the two header groups, as is customary in WebKit C++ code.
1632
1633         New tests:
1634
1635         Scripts/tests/builtins/WebCore-ArbitraryConditionalGuard-Separate.js
1636         Scripts/tests/builtins/WebCore-DuplicateFlagAnnotation-Separate.js
1637         Scripts/tests/builtins/WebCore-DuplicateKeyValueAnnotation-Separate.js
1638
1639         * Scripts/builtins/builtins_generate_combined_implementation.py:
1640         (BuiltinsCombinedImplementationGenerator.generate_output):
1641         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
1642         (BuiltinsCombinedImplementationGenerator.generate_header_includes): Deleted.
1643         * Scripts/builtins/builtins_generate_separate_header.py:
1644         (BuiltinsSeparateHeaderGenerator.generate_output):
1645         (generate_secondary_header_includes):
1646         (generate_header_includes): Deleted.
1647         * Scripts/builtins/builtins_generate_separate_implementation.py:
1648         (BuiltinsSeparateImplementationGenerator.generate_output):
1649         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
1650         (BuiltinsSeparateImplementationGenerator.generate_header_includes): Deleted.
1651         * Scripts/builtins/builtins_generate_separate_wrapper.py:
1652         (BuiltinsSeparateWrapperGenerator.generate_output):
1653         (BuiltinsSeparateWrapperGenerator.generate_secondary_header_includes):
1654         (BuiltinsSeparateWrapperGenerator.generate_header_includes): Deleted.
1655         * Scripts/builtins/builtins_generator.py:
1656         (BuiltinsGenerator.generate_includes_from_entries):
1657         (BuiltinsGenerator):
1658         (BuiltinsGenerator.generate_primary_header_includes):
1659         * Scripts/builtins/builtins_model.py:
1660         (BuiltinObject.__init__):
1661         (BuiltinsCollection.parse_builtins_file):
1662         (BuiltinsCollection._parse_annotations):
1663         * Scripts/tests/builtins/WebCore-ArbitraryConditionalGuard-Separate.js: Added.
1664         * Scripts/tests/builtins/WebCore-DuplicateFlagAnnotation-Separate.js: Added.
1665         * Scripts/tests/builtins/WebCore-DuplicateKeyValueAnnotation-Separate.js: Added.
1666         * Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js: Simplify.
1667         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js: Simplify.
1668         * Scripts/tests/builtins/WebCore-UnguardedBuiltin-Separate.js: Simplify.
1669         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Added.
1670         * Scripts/tests/builtins/expected/WebCore-DuplicateFlagAnnotation-Separate.js-error: Added.
1671         * Scripts/tests/builtins/expected/WebCore-DuplicateKeyValueAnnotation-Separate.js-error: Added.
1672         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1673         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1674         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1675         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1676
1677 2015-10-28  Mark Lam  <mark.lam@apple.com>
1678
1679         Update FTL to support UntypedUse operands for op_sub.
1680         https://bugs.webkit.org/show_bug.cgi?id=150562
1681
1682         Reviewed by Geoffrey Garen.
1683
1684         * assembler/MacroAssemblerARM64.h:
1685         - make the dataTempRegister and memoryTempRegister public so that we can
1686           move input registers out of them if needed.
1687
1688         * ftl/FTLCapabilities.cpp:
1689         (JSC::FTL::canCompile):
1690         - We can now compile ArithSub.
1691
1692         * ftl/FTLCompile.cpp:
1693         - Added BinaryArithGenerationContext to shuffle registers into a state that is
1694           expected by the baseline snippet generator.  This includes:
1695           1. Making sure that the input and output registers are not in the tag or
1696              scratch registers.
1697           2. Loading the tag registers with expected values.
1698           3. Restoring the registers to their original value on return.
1699         - Added code to implement the ArithSub inline cache.
1700
1701         * ftl/FTLInlineCacheDescriptor.h:
1702         (JSC::FTL::ArithSubDescriptor::ArithSubDescriptor):
1703         (JSC::FTL::ArithSubDescriptor::leftType):
1704         (JSC::FTL::ArithSubDescriptor::rightType):
1705
1706         * ftl/FTLInlineCacheSize.cpp:
1707         (JSC::FTL::sizeOfArithSub):
1708         * ftl/FTLInlineCacheSize.h:
1709
1710         * ftl/FTLLowerDFGToLLVM.cpp:
1711         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1712         - Added handling for UnusedType for the ArithSub case.
1713
1714         * ftl/FTLState.h:
1715         * jit/GPRInfo.h:
1716         (JSC::GPRInfo::reservedRegisters):
1717
1718         * jit/JITSubGenerator.h:
1719         (JSC::JITSubGenerator::generateFastPath):
1720         - When the result is the same as one of the input registers, we'll end up
1721           corrupting the input in the fast path even if we determine that we need to go to
1722           the slow path.  We now move the input into the scratch register and operate
1723           on that instead, and only move the result into the result register after
1724           the fast path has succeeded.
1725
1726         * tests/stress/op_sub.js:
1727         (o1.valueOf):
1728         (runTest):
1729         - Added some debugging tools: flags for verbose logging, and eager abort on fail.
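
        The following is an added register-file model of the JITSubGenerator fast-path hazard
        described in this entry; it is not JavaScriptCore code. Register names ('r0', 'r1',
        'scratch') and the int32 overflow check are assumptions of the model, and the slow path
        is a stand-in for the generic out-of-line operation. It contrasts the buggy shape
        (write the result register, then check) with the fixed shape (compute into scratch,
        move only after the fast path succeeds).

```python
# Added example (not JavaScriptCore's JITSubGenerator): a register-file model of
# the fast-path hazard described above. The fast path computes a 32-bit
# subtraction and bails to the slow path on overflow; if it writes straight
# into a result register that aliases an input, the slow path then reads a
# corrupted operand.

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def fits_int32(value):
    return INT32_MIN <= value <= INT32_MAX


def naive_fast_path_sub(regs, left, right, result, scratch):
    """Buggy shape: write the result register first, check overflow second.
    When result aliases left, the input is clobbered before the bail-out."""
    value = regs[left] - regs[right]
    regs[result] = value
    return fits_int32(value)  # True means the fast path succeeded


def safe_fast_path_sub(regs, left, right, result, scratch):
    """Fixed shape: compute into a scratch register and move into the result
    register only after the fast path has succeeded."""
    value = regs[left] - regs[right]
    regs[scratch] = value
    if not fits_int32(value):
        return False  # inputs untouched for the slow path
    regs[result] = regs[scratch]
    return True


def slow_path_sub(regs, left, right, result):
    """Stand-in for the generic out-of-line operation, which can produce a
    non-int32 result; it re-reads both operands from their registers."""
    regs[result] = regs[left] - regs[right]


def run_sub(fast_path, left_value, right_value):
    """Run the fast path, then the slow path on failure, with the result
    register aliasing the left input (the hazardous configuration).
    Returns the final value of the result register."""
    regs = {'r0': left_value, 'r1': right_value, 'scratch': 0}
    if not fast_path(regs, 'r0', 'r1', 'r0', 'scratch'):
        slow_path_sub(regs, 'r0', 'r1', 'r0')
    return regs['r0']


if __name__ == "__main__":
    for fp in (naive_fast_path_sub, safe_fast_path_sub):
        print(fp.__name__, run_sub(fp, INT32_MIN, 1), "expected", INT32_MIN - 1)
```

        With INT32_MIN - 1 the fast path must bail out; the naive version has already
        overwritten 'r0', so the slow path subtracts from the wrong operand and returns a
        result off by the right operand, while the scratch-based version preserves the inputs.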
1730
1731 2015-10-28  Mark Lam  <mark.lam@apple.com>
1732
1733         Fix a typo in ProbeContext::fpr().
1734         https://bugs.webkit.org/show_bug.cgi?id=150629
1735
1736         Reviewed by Yusuke Suzuki.
1737
1738         ProbeContext::fpr() should be calling CPUState::fpr(), not CPUState::gpr().
1739
1740         * assembler/AbstractMacroAssembler.h:
1741         (JSC::AbstractMacroAssembler::ProbeContext::fpr):
1742
1743 2015-10-28  Mark Lam  <mark.lam@apple.com>
1744
1745         Add ability to print the PC register from JIT'ed code.
1746         https://bugs.webkit.org/show_bug.cgi?id=150561
1747
1748         Reviewed by Geoffrey Garen.
1749
1750         * assembler/MacroAssemblerPrinter.cpp:
1751         (JSC::printPC):
1752         (JSC::MacroAssemblerPrinter::printCallback):
1753         * assembler/MacroAssemblerPrinter.h:
1754         (JSC::MacroAssemblerPrinter::PrintArg::PrintArg):
1755
1756 2015-10-27  Joseph Pecoraro  <pecoraro@apple.com>
1757
1758         Web Inspector: Remove Timeline MarkDOMContent and MarkLoad, data is already available
1759         https://bugs.webkit.org/show_bug.cgi?id=150615
1760
1761         Reviewed by Timothy Hatcher.
1762
1763         * inspector/protocol/Timeline.json:
1764
1765 2015-10-27  Joseph Pecoraro  <pecoraro@apple.com>
1766
1767         Web Inspector: Remove unused / duplicated XHR timeline instrumentation
1768         https://bugs.webkit.org/show_bug.cgi?id=150605
1769
1770         Reviewed by Timothy Hatcher.
1771
1772         * inspector/protocol/Timeline.json:
1773
1774 2015-10-27  Michael Saboff  <msaboff@apple.com>
1775
1776         REGRESSION (r191360): Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL:: + 386
1777         https://bugs.webkit.org/show_bug.cgi?id=150580
1778
1779         Reviewed by Mark Lam.
1780
1781         Changed code to box 32 bit integer and boolean arguments when generating the call instead of boxing
1782         them in the shuffler.
1783
1784         The ASSERT in CallFrameShuffler::extendFrameIfNeeded is wrong when called from CallFrameShuffler::spill(),
1785         as we could be making space to spill a register so that we have a spare that we can use for the new
1786         frame's base pointer.
1787
1788         * ftl/FTLJSTailCall.cpp:
1789         (JSC::FTL::DFG::recoveryFor): Added RELEASE_ASSERT to check that we never see unboxed 32 bit
1790         arguments stored in the stack.
1791         * ftl/FTLLowerDFGToLLVM.cpp:
1792         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForTailCall):
1793         * jit/CallFrameShuffler.cpp:
1794         (JSC::CallFrameShuffler::extendFrameIfNeeded): Removed unneeded ASSERT.
1795
1796 2015-10-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1797
1798         [ES6] Add DFG/FTL support for accessor put operations
1799         https://bugs.webkit.org/show_bug.cgi?id=148860
1800
1801         Reviewed by Geoffrey Garen.
1802
1803         This patch introduces accessor defining ops into DFG and FTL.
1804         The following DFG nodes are introduced.
1805
1806             op_put_getter_by_id  => PutGetterById
1807             op_put_setter_by_id  => PutSetterById
1808             op_put_getter_setter => PutGetterSetterById
1809             op_put_getter_by_val => PutGetterByVal
1810             op_put_setter_by_val => PutSetterByVal
1811
1812         These DFG nodes just call operations. But this does not prevent compiling in DFG/FTL.
1813
1814         To use the operations defined for the baseline JIT, we clean up the existing operations
1815         and reuse them in DFG and FTL.
1816
1817         * dfg/DFGAbstractInterpreterInlines.h:
1818         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1819         * dfg/DFGByteCodeParser.cpp:
1820         (JSC::DFG::ByteCodeParser::parseBlock):
1821         * dfg/DFGCapabilities.cpp:
1822         (JSC::DFG::capabilityLevel):
1823         * dfg/DFGClobberize.h:
1824         (JSC::DFG::clobberize):
1825         * dfg/DFGDoesGC.cpp:
1826         (JSC::DFG::doesGC):
1827         * dfg/DFGFixupPhase.cpp:
1828         (JSC::DFG::FixupPhase::fixupNode):
1829         * dfg/DFGNode.h:
1830         (JSC::DFG::Node::hasIdentifier):
1831         (JSC::DFG::Node::hasAccessorAttributes):
1832         (JSC::DFG::Node::accessorAttributes):
1833         * dfg/DFGNodeType.h:
1834         * dfg/DFGPredictionPropagationPhase.cpp:
1835         (JSC::DFG::PredictionPropagationPhase::propagate):
1836         * dfg/DFGSafeToExecute.h:
1837         (JSC::DFG::safeToExecute):
1838         * dfg/DFGSpeculativeJIT.cpp:
1839         (JSC::DFG::SpeculativeJIT::compilePutAccessorById):
1840         (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
1841         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
1842         We should fill all GPRs before calling flushRegisters().
1843         * dfg/DFGSpeculativeJIT.h:
1844         (JSC::DFG::SpeculativeJIT::callOperation):
1845         * dfg/DFGSpeculativeJIT32_64.cpp:
1846         (JSC::DFG::SpeculativeJIT::compile):
1847         * dfg/DFGSpeculativeJIT64.cpp:
1848         (JSC::DFG::SpeculativeJIT::compile):
1849         * ftl/FTLCapabilities.cpp:
1850         (JSC::FTL::canCompile):
1851         * ftl/FTLIntrinsicRepository.h:
1852         * ftl/FTLLowerDFGToLLVM.cpp:
1853         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1854         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutAccessorById):
1855         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutGetterSetterById):
1856         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutAccessorByVal):
1857         * jit/JIT.h:
1858         * jit/JITInlines.h:
1859         (JSC::JIT::callOperation):
1860         * jit/JITOperations.cpp:
1861         * jit/JITOperations.h:
1862         * jit/JITPropertyAccess.cpp:
1863         (JSC::JIT::emit_op_put_getter_by_id):
1864         (JSC::JIT::emit_op_put_setter_by_id):
1865         (JSC::JIT::emit_op_put_getter_setter):
1866         * jit/JITPropertyAccess32_64.cpp:
1867         (JSC::JIT::emit_op_put_getter_by_id):
1868         (JSC::JIT::emit_op_put_setter_by_id):
1869         (JSC::JIT::emit_op_put_getter_setter):
1870         * tests/stress/dfg-put-accessors-by-id-class.js: Added.
1871         (shouldBe):
1872         (testAttribute):
1873         (getter.Cocoa.prototype.get hello):
1874         (getter.Cocoa):
1875         (getter):
1876         (setter.Cocoa):
1877         (setter.Cocoa.prototype.set hello):
1878         (setter):
1879         (accessors.Cocoa):
1880         (accessors.Cocoa.prototype.get hello):
1881         (accessors.Cocoa.prototype.set hello):
1882         (accessors):
1883         * tests/stress/dfg-put-accessors-by-id.js: Added.
1884         (shouldBe):
1885         (testAttribute):
1886         (getter.object.get hello):
1887         (getter):
1888         (setter.object.set hello):
1889         (setter):
1890         (accessors.object.get hello):
1891         (accessors.object.set hello):
1892         (accessors):
1893         * tests/stress/dfg-put-getter-by-id-class.js: Added.
1894         (shouldBe):
1895         (testAttribute):
1896         (getter.Cocoa):
1897         (getter.Cocoa.prototype.get hello):
1898         (getter.Cocoa.prototype.get name):
1899         (getter):
1900         * tests/stress/dfg-put-getter-by-id.js: Added.
1901         (shouldBe):
1902         (testAttribute):
1903         (getter.object.get hello):
1904         (getter):
1905         * tests/stress/dfg-put-getter-by-val-class.js: Added.
1906         (shouldBe):
1907         (testAttribute):
1908         (getter.Cocoa):
1909         (getter.Cocoa.prototype.get name):
1910         (getter):
1911         * tests/stress/dfg-put-getter-by-val.js: Added.
1912         (shouldBe):
1913         (testAttribute):
1914         (getter.object.get name):
1915         (getter):
1916         * tests/stress/dfg-put-setter-by-id-class.js: Added.
1917         (shouldBe):
1918         (testAttribute):
1919         (getter.Cocoa):
1920         (getter.Cocoa.prototype.set hello):
1921         (getter.Cocoa.prototype.get name):
1922         (getter):
1923         * tests/stress/dfg-put-setter-by-id.js: Added.
1924         (shouldBe):
1925         (testAttribute):
1926         (setter.object.set hello):
1927         (setter):
1928         * tests/stress/dfg-put-setter-by-val-class.js: Added.
1929         (shouldBe):
1930         (testAttribute):
1931         (setter.Cocoa):
1932         (setter.Cocoa.prototype.set name):
1933         (setter):
1934         * tests/stress/dfg-put-setter-by-val.js: Added.
1935         (shouldBe):
1936         (testAttribute):
1937         (setter.object.set name):
1938         (setter):
1939
1940 2015-10-26  Mark Lam  <mark.lam@apple.com>
1941
1942         Add logging to warn about under-estimated FTL inline cache sizes.
1943         https://bugs.webkit.org/show_bug.cgi?id=150570
1944
1945         Reviewed by Geoffrey Garen.
1946
1947         Added 2 options:
1948         1. JSC_dumpFailedICSizing - dumps an error message if the FTL encounters IC size
1949            estimates that are less than the actual needed code size.
1950
1951            This option is useful for when we add a new IC and want to compute an
1952            estimated size for the IC.  To do this:
1953            1. Build jsc for the target port with a very small IC size (enough to
1954               store the jump instruction needed for the out of line fallback
1955               implementation).
1956            2. Implement a test suite with scenarios that exercise all the code paths in
1957               the IC generator.
1958            3. Run jsc with JSC_dumpFailedICSizing=true on the test suite.
1959            4. The max value reported by the dumps will be the worst case size needed to
1960               store the IC.  We should use this value for our estimate.
1961            5. Update the IC's estimated size and rebuild jsc.
1962            6. Re-run (3) and confirm that there are no more error messages about the
1963               IC sizing.
1964
1965         2. JSC_assertICSizing - same as JSC_dumpFailedICSizing except that it also
1966            crashes the VM each time it encounters an inadequate IC size estimate.
1967
1968            This option is useful for regression testing to ensure that our estimates
1969            do not regress.
1970
1971         * ftl/FTLCompile.cpp:
1972         (JSC::FTL::generateInlineIfPossibleOutOfLineIfNot):
1973         * runtime/Options.h:
1974
1975 2015-10-26  Saam barati  <sbarati@apple.com>
1976
1977         r190735 Caused us to maybe trample the base's tag-GPR on 32-bit inline cache when the cache allocates a scratch register and then jumps to the slow path
1978         https://bugs.webkit.org/show_bug.cgi?id=150532
1979
1980         Reviewed by Geoffrey Garen.
1981
1982         The base's tag register used to show up in the used register set
1983         before r190735 because of how the DFG kept track of used registers. I changed this
1984         in my work on inline caching because we don't want to spill these registers
1985         when we have a GetByIdFlush/PutByIdFlush and we use the used register set
1986         as the metric of what to spill. That said, these registers should be locked
1987         and not used as scratch registers by the scratch register allocator. The
1988         reason is that our inline cache may fail and jump to the slow path. The slow
1989         path then uses the base's tag register. If the inline cache used the base's tag
1990         register as a scratch and the inline cache fails and jumps to the slow path, we
1991         have a problem because the tag may now be trampled.
1992
1993         Note that this doesn't mean that we can't trample the base's tag register when making
1994         a call. We can totally trample the register as long as the inline cache succeeds in a GetByIdFlush/PutByIdFlush.
1995         The problem is only when we trample it and then jump to the slow path.
1996
1997         This patch fixes this bug by making StructureStubInfo keep track of the base's
1998         tag GPR. PolymorphicAccess then locks this register when using the ScratchRegisterAllocator.
1999
2000         * bytecode/PolymorphicAccess.cpp:
2001         (JSC::AccessCase::generate):
2002         (JSC::PolymorphicAccess::regenerate):
2003         * bytecode/StructureStubInfo.h:
2004         * dfg/DFGSpeculativeJIT.cpp:
2005         (JSC::DFG::SpeculativeJIT::compileIn):
2006         * jit/JITInlineCacheGenerator.cpp:
2007         (JSC::JITByIdGenerator::JITByIdGenerator):
2008         * tests/stress/regress-150532.js: Added.
2009         (assert):
2010         (randomFunction):
2011         (foo):
2012         (i.switch):
2013
2014 2015-10-24  Brian Burg  <bburg@apple.com>
2015
2016         Teach create_hash_table to omit builtins macros when generating tables for native-only objects
2017         https://bugs.webkit.org/show_bug.cgi?id=150491
2018
2019         Reviewed by Yusuke Suzuki.
2020
2021         In order to support separate compilation for generated builtins files, we need to be able to
2022         include specific builtins headers from generated .lut.h files. However, the create_hash_table
2023         script isn't smart enough to figure out when a generated file might actually contain a builtin.
2024         Without further help, we'd have to include an all-in-one header, mostly defeating the point of
2025         generating separate .h and .cpp files for every builtin.
2026
2027         This patch segregates the pure native and partially builtin sources in the build system, and
2028         gives hints to create_hash_table so that it doesn't even generate checks for builtins if the
2029         input file has no builtin method implementations. Also do some modernization and code cleanup.
2030
2031         * CMakeLists.txt:
2032
2033         Generate each group with different flags to create_hash_table. Change the macro to take
2034         flags through the variable LUT_GENERATOR_FLAGS. Set this as necessary before calling the macro.
2035         Add an additional hint to CMake that the .cpp source file depends on the generated file.
2036
2037         * DerivedSources.make:
2038
2039         Generate each group with different flags to create_hash_table. Clean up the 'all' target
2040         so that static dependencies are listed first. Use static patterns to decide which .lut.h
2041         files require which flags. Reduce fragile usages of implicit variables.
2042
2043         * JavaScriptCore.xcodeproj/project.pbxproj:
2044
2045         Add some missing .lut.h files to the Derived Sources group. Sort the project.
2046
2047         * create_hash_table:
2048
2049         Parse options in a sane way using GetOpt::Long. Remove ability to specify a custom namespace
2050         since this isn't actually used anywhere. Normalize placement of newlines in quoted strings.
2051         Only generate builtins macros and includes if the source file is known to have some builtins.
2052
2053 2015-10-23  Joseph Pecoraro  <pecoraro@apple.com>
2054
2055         Web Inspector: Remove unused ScrollLayer Timeline EventType
2056         https://bugs.webkit.org/show_bug.cgi?id=150518
2057
2058         Reviewed by Timothy Hatcher.
2059
2060         * inspector/protocol/Timeline.json:
2061
2062 2015-10-23  Joseph Pecoraro  <pecoraro@apple.com>
2063
2064         Web Inspector: Clean up InspectorInstrumentation includes
2065         https://bugs.webkit.org/show_bug.cgi?id=150523
2066
2067         Reviewed by Timothy Hatcher.
2068
2069         * inspector/agents/InspectorConsoleAgent.cpp:
2070         (Inspector::InspectorConsoleAgent::consoleMessageArgumentCounts): Deleted.
2071         * inspector/agents/InspectorConsoleAgent.h:
2072
2073 2015-10-23  Michael Saboff  <msaboff@apple.com>
2074
2075         REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.JavascriptCore JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant, JSC::RegisterPreservationMode) + 1584
2076         https://bugs.webkit.org/show_bug.cgi?id=150513
2077
2078         Reviewed by Saam Barati.
2079
2080         Add check in linkPolymorphicCall() to make sure we have a CodeBlock for the newly added variant.
2081         If not, we turn the call into a virtual call.
2082
2083         The bug was caused by a stack overflow when preparing the function for execution.  This properly
2084         threw an exception, however linkPolymorphicCall() didn't check for this error case.
2085
2086         Added a new test function "failNextNewCodeBlock()" to test tools to simplify the testing.
2087
2088         * API/JSCTestRunnerUtils.cpp:
2089         (JSC::failNextNewCodeBlock):
2090         (JSC::numberOfDFGCompiles):
2091         * API/JSCTestRunnerUtils.h:
2092         * jit/Repatch.cpp:
2093         (JSC::linkPolymorphicCall):
2094         * jsc.cpp:
2095         (GlobalObject::finishCreation):
2096         (functionTransferArrayBuffer):
2097         (functionFailNextNewCodeBlock):
2098         (functionQuit):
2099         * runtime/Executable.cpp:
2100         (JSC::ScriptExecutable::prepareForExecutionImpl):
2101         * runtime/TestRunnerUtils.cpp:
2102         (JSC::optimizeNextInvocation):
2103         (JSC::failNextNewCodeBlock):
2104         (JSC::numberOfDFGCompiles):
2105         * runtime/TestRunnerUtils.h:
2106         * runtime/VM.h:
2107         (JSC::VM::setFailNextNewCodeBlock):
2108         (JSC::VM::getAndClearFailNextNewCodeBlock):
2109         (JSC::VM::stackPointerAtVMEntry):
2110
2111 2015-10-23  Commit Queue  <commit-queue@webkit.org>
2112
2113         Unreviewed, rolling out r191500.
2114         https://bugs.webkit.org/show_bug.cgi?id=150526
2115
2116         Broke two JSC regression tests (Requested by msaboff on
2117         #webkit).
2118
2119         Reverted changeset:
2120
2121         "[ES6] Add DFG/FTL support for accessor put operations"
2122         https://bugs.webkit.org/show_bug.cgi?id=148860
2123         http://trac.webkit.org/changeset/191500
2124
2125 2015-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2126
2127         [ES6] Add DFG/FTL support for accessor put operations
2128         https://bugs.webkit.org/show_bug.cgi?id=148860
2129
2130         Reviewed by Geoffrey Garen.
2131
2132         This patch introduces accessor defining ops into DFG and FTL.
2133         The following DFG nodes are introduced.
2134
2135             op_put_getter_by_id  => PutGetterById
2136             op_put_setter_by_id  => PutSetterById
2137             op_put_getter_setter => PutGetterSetterById
2138             op_put_getter_by_val => PutGetterByVal
2139             op_put_setter_by_val => PutSetterByVal
2140
2141         These DFG nodes just call operations. But it does not prevent compiling in DFG/FTL.
2142
2143         To use operations defined for baseline JIT, we clean up existing operations.
2144         And reuse these operations in DFG and FTL.
2145
2146         * dfg/DFGAbstractInterpreterInlines.h:
2147         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2148         * dfg/DFGByteCodeParser.cpp:
2149         (JSC::DFG::ByteCodeParser::parseBlock):
2150         * dfg/DFGCapabilities.cpp:
2151         (JSC::DFG::capabilityLevel):
2152         * dfg/DFGClobberize.h:
2153         (JSC::DFG::clobberize):
2154         * dfg/DFGDoesGC.cpp:
2155         (JSC::DFG::doesGC):
2156         * dfg/DFGFixupPhase.cpp:
2157         (JSC::DFG::FixupPhase::fixupNode):
2158         * dfg/DFGNode.h:
2159         (JSC::DFG::Node::hasIdentifier):
2160         (JSC::DFG::Node::hasAccessorAttributes):
2161         (JSC::DFG::Node::accessorAttributes):
2162         * dfg/DFGNodeType.h:
2163         * dfg/DFGPredictionPropagationPhase.cpp:
2164         (JSC::DFG::PredictionPropagationPhase::propagate):
2165         * dfg/DFGSafeToExecute.h:
2166         (JSC::DFG::safeToExecute):
2167         * dfg/DFGSpeculativeJIT.cpp:
2168         (JSC::DFG::SpeculativeJIT::compilePutAccessorById):
2169         (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
2170         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
2171         * dfg/DFGSpeculativeJIT.h:
2172         (JSC::DFG::SpeculativeJIT::callOperation):
2173         * dfg/DFGSpeculativeJIT32_64.cpp:
2174         (JSC::DFG::SpeculativeJIT::compile):
2175         * dfg/DFGSpeculativeJIT64.cpp:
2176         (JSC::DFG::SpeculativeJIT::compile):
2177         * ftl/FTLCapabilities.cpp:
2178         (JSC::FTL::canCompile):
2179         * ftl/FTLIntrinsicRepository.h:
2180         * ftl/FTLLowerDFGToLLVM.cpp:
2181         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2182         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutAccessorById):
2183         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutGetterSetterById):
2184         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutAccessorByVal):
2185         * jit/JIT.h:
2186         * jit/JITInlines.h:
2187         (JSC::JIT::callOperation):
2188         * jit/JITOperations.cpp:
2189         * jit/JITOperations.h:
2190         * jit/JITPropertyAccess.cpp:
2191         (JSC::JIT::emit_op_put_getter_by_id):
2192         (JSC::JIT::emit_op_put_setter_by_id):
2193         (JSC::JIT::emit_op_put_getter_setter):
2194         * jit/JITPropertyAccess32_64.cpp:
2195         (JSC::JIT::emit_op_put_getter_by_id):
2196         (JSC::JIT::emit_op_put_setter_by_id):
2197         (JSC::JIT::emit_op_put_getter_setter):
2198         * tests/stress/dfg-put-accessors-by-id-class.js: Added.
2199         (shouldBe):
2200         (testAttribute):
2201         (getter.Cocoa.prototype.get hello):
2202         (getter.Cocoa):
2203         (getter):
2204         (setter.Cocoa):
2205         (setter.Cocoa.prototype.set hello):
2206         (setter):
2207         (accessors.Cocoa):
2208         (accessors.Cocoa.prototype.get hello):
2209         (accessors.Cocoa.prototype.set hello):
2210         (accessors):
2211         * tests/stress/dfg-put-accessors-by-id.js: Added.
2212         (shouldBe):
2213         (testAttribute):
2214         (getter.object.get hello):
2215         (getter):
2216         (setter.object.set hello):
2217         (setter):
2218         (accessors.object.get hello):
2219         (accessors.object.set hello):
2220         (accessors):
2221         * tests/stress/dfg-put-getter-by-id-class.js: Added.
2222         (shouldBe):
2223         (testAttribute):
2224         (getter.Cocoa):
2225         (getter.Cocoa.prototype.get hello):
2226         (getter.Cocoa.prototype.get name):
2227         (getter):
2228         * tests/stress/dfg-put-getter-by-id.js: Added.
2229         (shouldBe):
2230         (testAttribute):
2231         (getter.object.get hello):
2232         (getter):
2233         * tests/stress/dfg-put-getter-by-val-class.js: Added.
2234         (shouldBe):
2235         (testAttribute):
2236         (getter.Cocoa):
2237         (getter.Cocoa.prototype.get name):
2238         (getter):
2239         * tests/stress/dfg-put-getter-by-val.js: Added.
2240         (shouldBe):
2241         (testAttribute):
2242         (getter.object.get name):
2243         (getter):
2244         * tests/stress/dfg-put-setter-by-id-class.js: Added.
2245         (shouldBe):
2246         (testAttribute):
2247         (getter.Cocoa):
2248         (getter.Cocoa.prototype.set hello):
2249         (getter.Cocoa.prototype.get name):
2250         (getter):
2251         * tests/stress/dfg-put-setter-by-id.js: Added.
2252         (shouldBe):
2253         (testAttribute):
2254         (setter.object.set hello):
2255         (setter):
2256         * tests/stress/dfg-put-setter-by-val-class.js: Added.
2257         (shouldBe):
2258         (testAttribute):
2259         (setter.Cocoa):
2260         (setter.Cocoa.prototype.set name):
2261         (setter):
2262         * tests/stress/dfg-put-setter-by-val.js: Added.
2263         (shouldBe):
2264         (testAttribute):
2265         (setter.object.set name):
2266         (setter):
2267
2268 2015-10-22  Joseph Pecoraro  <pecoraro@apple.com>
2269
2270         Web Inspector: Remove unused Timeline GCEvent Record type
2271         https://bugs.webkit.org/show_bug.cgi?id=150477
2272
2273         Reviewed by Timothy Hatcher.
2274
2275         Garbage Collection events go through the Heap domain, not the
2276         Timeline domain (long time ago for Chromium).
2277
2278         * inspector/protocol/Timeline.json:
2279
2280 2015-10-22  Michael Saboff  <msaboff@apple.com>
2281
2282         REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at JavaScriptCore:JSC::ExecState::bytecodeOffset + 174
2283         https://bugs.webkit.org/show_bug.cgi?id=150434
2284
2285         Reviewed by Mark Lam.
2286
2287         Pass the current frame instead of the caller frame to operationVMHandleException when processing an
2288         exception in one of the native thunks.
2289
2290         * jit/JITExceptions.cpp:
2291         (JSC::genericUnwind): Made debug printing of CodeBlock safe for call frames without one.
2292         * jit/JITOpcodes32_64.cpp:
2293         (JSC::JIT::privateCompileCTINativeCall):
2294         * jit/ThunkGenerators.cpp:
2295         (JSC::nativeForGenerator):
2296
2297 2015-10-21  Brian Burg  <bburg@apple.com>
2298
2299         Restructure generate-js-bindings script to be modular and testable
2300         https://bugs.webkit.org/show_bug.cgi?id=149929
2301
2302         Reviewed by Alex Christensen.
2303
2304         This is a new code generator, based on the replay inputs code generator and
2305         the inspector protocol code generator, which produces various files for JS
2306         builtins.
2307
2308         Relative to the generator it replaces, this one consolidates two scripts in
2309         JavaScriptCore and WebCore into a single script with multiple files. Parsed
2310         information about the builtins file is stored in backend-independent model
2311         objects. Each output file has its own code generator that uses the model to
2312         produce resulting code. Generators are additionally parameterized by the target
2313         framework (to choose correct macros and includes) and output mode (one
2314         header/implementation file per builtin or per framework).
2315
2316         It includes a few simple tests of the generator's functionality. These result-
2317         based tests will become increasingly more important as we start to add support
2318         for builtins annotation such as @optional, @internal, etc. to the code generator.
2319
2320         Some of these complexities, such as having two output modes, will be removed in
2321         subsequent patches. This patch is intended to exactly replace the existing
2322         functionality with a unified script that makes additional cleanups straightforward.
2323
2324         Additional cleanup and consolidation between inspector code generator scripts
2325         and this script will be pursued in followup patches.
2326
2327         New tests:
2328
2329         Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Combined.js
2330         Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Separate.js
2331         Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js
2332         Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js
2333         Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Combined.js
2334         Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Separate.js
2335         Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js
2336         Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js
2337         Scripts/tests/builtins/WebCore-UnguardedBuiltin-Separate.js
2338         Scripts/tests/builtins/WebCore-xmlCasingTest-Separate.js
2339
2341         * CMakeLists.txt:
2342
2343             Copy the scripts that are used by other targets to a staging directory inside
2344             ${DERIVED_SOURCES_DIR}/ForwardingHeaders/JavaScriptCore/Scripts.
2345             Define JavaScriptCore_SCRIPTS_DIR to point here so that the add_custom_command
2346             and shared file lists are identical between JavaScriptCore and WebCore. The staged
2347             scripts are a dependency of the main JavaScriptCore target so that they are
2348             always staged, even if JavaScriptCore itself does not use a particular script.
2349
2350             The output files additionally depend on all builtin generator script files
2351             and input files that are combined into the single header/implementation file.
2352
2353         * DerivedSources.make:
2354
2355             Define JavaScriptCore_SCRIPTS_DIR explicitly so the rule for code generation and
2356             shared file lists are identical between JavaScriptCore and WebCore.
2357
2358             The output files additionally depend on all builtin generator script files
2359             and input files that are combined into the single header/implementation file.
2360
2361         * JavaScriptCore.xcodeproj/project.pbxproj:
2362
2363             Mark the new builtins generator files as private headers so we can use them from
2364             WebCore.
2365
2366         * Scripts/UpdateContents.py: Renamed from Source/JavaScriptCore/UpdateContents.py.
2367         * Scripts/builtins/__init__.py: Added.
2368         * Scripts/builtins/builtins.py: Added.
2369         * Scripts/builtins/builtins_generator.py: Added. This file contains the base generator.
2370         (WK_lcfirst):
2371         (WK_ucfirst):
2372         (BuiltinsGenerator):
2373         (BuiltinsGenerator.__init__):
2374         (BuiltinsGenerator.model):
2375         (BuiltinsGenerator.generate_license):
2376         (BuiltinsGenerator.generate_includes_from_entries):
2377         (BuiltinsGenerator.generate_output):
2378         (BuiltinsGenerator.output_filename):
2379         (BuiltinsGenerator.mangledNameForFunction):
2380         (BuiltinsGenerator.mangledNameForFunction.toCamel):
2381         (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
2382         * Scripts/builtins/builtins_model.py: Added. This file contains builtins model objects.
2383         (ParseException):
2384         (Framework):
2385         (Framework.__init__):
2386         (Framework.setting):
2387         (Framework.fromString):
2388         (Frameworks):
2389         (BuiltinObject):
2390         (BuiltinObject.__init__):
2391         (BuiltinFunction):
2392         (BuiltinFunction.__init__):
2393         (BuiltinFunction.fromString):
2394         (BuiltinFunction.__str__):
2395         (BuiltinsCollection):
2396         (BuiltinsCollection.__init__):
2397         (BuiltinsCollection.parse_builtins_file):
2398         (BuiltinsCollection.copyrights):
2399         (BuiltinsCollection.all_functions):
2400         (BuiltinsCollection._parse_copyright_lines):
2401         (BuiltinsCollection._parse_functions):
2402         * Scripts/builtins/builtins_templates.py: Added.
2403         (BuiltinsGeneratorTemplates):
2404         * Scripts/builtins/builtins_generate_combined_header.py: Added.
2405         (BuiltinsCombinedHeaderGenerator):
2406         (BuiltinsCombinedHeaderGenerator.__init__):
2407         (BuiltinsCombinedHeaderGenerator.output_filename):
2408         (BuiltinsCombinedHeaderGenerator.generate_output):
2409         (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
2410         (FunctionExecutable):
2411         (VM):
2412         (ConstructAbility):
2413         (generate_section_for_object):
2414         (generate_externs_for_object):
2415         (generate_macros_for_object):
2416         (generate_defines_for_object):
2417         (generate_section_for_code_table_macro):
2418         (generate_section_for_code_name_macro):
2419         * Scripts/builtins/builtins_generate_combined_implementation.py: Added.
2420         (BuiltinsCombinedImplementationGenerator):
2421         (BuiltinsCombinedImplementationGenerator.__init__):
2422         (BuiltinsCombinedImplementationGenerator.output_filename):
2423         (BuiltinsCombinedImplementationGenerator.generate_output):
2424         (BuiltinsCombinedImplementationGenerator.generate_header_includes):
2425         * Scripts/builtins/builtins_generate_separate_header.py: Added.
2426         (BuiltinsSeparateHeaderGenerator):
2427         (BuiltinsSeparateHeaderGenerator.__init__):
2428         (BuiltinsSeparateHeaderGenerator.output_filename):
2429         (BuiltinsSeparateHeaderGenerator.macro_prefix):
2430         (BuiltinsSeparateHeaderGenerator.generate_output):
2431         (BuiltinsSeparateHeaderGenerator.generate_forward_declarations):
2432         (FunctionExecutable):
2433         (generate_header_includes):
2434         (generate_section_for_object):
2435         (generate_externs_for_object):
2436         (generate_macros_for_object):
2437         (generate_defines_for_object):
2438         (generate_section_for_code_table_macro):
2439         (generate_section_for_code_name_macro):
2440         * Scripts/builtins/builtins_generate_separate_implementation.py: Added.
2441         (BuiltinsSeparateImplementationGenerator):
2442         (BuiltinsSeparateImplementationGenerator.__init__):
2443         (BuiltinsSeparateImplementationGenerator.output_filename):
2444         (BuiltinsSeparateImplementationGenerator.macro_prefix):
2445         (BuiltinsSeparateImplementationGenerator.generate_output):
2446         (BuiltinsSeparateImplementationGenerator.generate_header_includes):
2447         * Scripts/builtins/builtins_generate_separate_wrapper.py: Added.
2448         (BuiltinsSeparateWrapperGenerator):
2449         (BuiltinsSeparateWrapperGenerator.__init__):
2450         (BuiltinsSeparateWrapperGenerator.output_filename):
2451         (BuiltinsSeparateWrapperGenerator.macro_prefix):
2452         (BuiltinsSeparateWrapperGenerator.generate_output):
2453         (BuiltinsSeparateWrapperGenerator.generate_header_includes):
2454         * Scripts/generate-js-builtins.py: Added.
2455
2456             Parse command line options, decide which generators and output modes to use.
2457
2458         (generate_bindings_for_builtins_files):
2459         * Scripts/lazywriter.py: Copied from the inspector protocol generator.
2460         (LazyFileWriter):
2461         (LazyFileWriter.__init__):
2462         (LazyFileWriter.write):
2463         (LazyFileWriter.close):
2464         * Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Combined.js: Added.
2465         * Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Separate.js: Added.
2466         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js: Added.
2467         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js: Added.
2468         * Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Combined.js: Added.
2469         * Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Separate.js: Added.
2470         * Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js: Added.
2471         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js: Added.
2472         * Scripts/tests/builtins/WebCore-UnguardedBuiltin-Separate.js: Added.
2473         * Scripts/tests/builtins/WebCore-xmlCasingTest-Separate.js: Added.
2474         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result: Added.
2475         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result: Added.
2476         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result: Added.
2477         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result: Added.
2478         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result: Added.
2479         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result: Added.
2480         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Added.
2481         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Added.
2482         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Added.
2483         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Added.
2484         * builtins/BuiltinExecutables.cpp:
2485         (JSC::BuiltinExecutables::BuiltinExecutables):
2486         * builtins/BuiltinExecutables.h:
2487         * create_hash_table:
2488
2489             Update the generated builtin macro names.
2490
2491         * generate-js-builtins: Removed.
2492
2493 2015-10-21  Benjamin Poulain  <bpoulain@apple.com>
2494
2495         [JSC] Remove FTL Native Inlining, it is dead code
2496         https://bugs.webkit.org/show_bug.cgi?id=150429
2497
2498         Reviewed by Filip Pizlo.
2499
2500         The code is not used and it is in the way of other changes.
2501
2502         * ftl/FTLAbbreviations.h:
2503         (JSC::FTL::getFirstInstruction): Deleted.
2504         (JSC::FTL::getNextInstruction): Deleted.
2505         (JSC::FTL::getFirstBasicBlock): Deleted.
2506         (JSC::FTL::getNextBasicBlock): Deleted.
2507         * ftl/FTLLowerDFGToLLVM.cpp:
2508         (JSC::FTL::DFG::LowerDFGToLLVM::isInlinableSize): Deleted.
2509         * runtime/Options.h:
2510
2511 2015-10-21  Benjamin Poulain  <bpoulain@apple.com>
2512
2513         [JSC] Remove two useless temporaries from the PutByOffset codegen
2514         https://bugs.webkit.org/show_bug.cgi?id=150421
2515
2516         Reviewed by Geoffrey Garen.
2517
2518         * dfg/DFGSpeculativeJIT64.cpp:
2519         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2520         Looks like they were added by accident in r160796.
2521
2522 2015-10-21  Filip Pizlo  <fpizlo@apple.com>
2523
2524         Factor out the graph node worklists from DFG into WTF
2525         https://bugs.webkit.org/show_bug.cgi?id=150411
2526
2527         Reviewed by Geoffrey Garen.
2528
2529         Rewrite the DFGBlockWorklist.h file as a bunch of typedefs and aliases for things in
2530         wtf/GraphNodeWorklist.h. Most users won't notice, except that some small things got
2531         renamed. For example PreOrder becomes VisitOrder::Pre and item.block becomes item.node.
2532
2533         * CMakeLists.txt:
2534         * JavaScriptCore.xcodeproj/project.pbxproj:
2535         * dfg/DFGBlockWorklist.cpp: Removed.
2536         * dfg/DFGBlockWorklist.h:
2537         (JSC::DFG::BlockWorklist::notEmpty): Deleted.
2538         (JSC::DFG::BlockWith::BlockWith): Deleted.
2539         (JSC::DFG::BlockWith::operator bool): Deleted.
2540         (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist): Deleted.
2541         (JSC::DFG::ExtendedBlockWorklist::forcePush): Deleted.
2542         (JSC::DFG::ExtendedBlockWorklist::push): Deleted.
2543         (JSC::DFG::ExtendedBlockWorklist::notEmpty): Deleted.
2544         (JSC::DFG::ExtendedBlockWorklist::pop): Deleted.
2545         (JSC::DFG::BlockWithOrder::BlockWithOrder): Deleted.
2546         (JSC::DFG::BlockWithOrder::operator bool): Deleted.
2547         (JSC::DFG::PostOrderBlockWorklist::push): Deleted.
2548         (JSC::DFG::PostOrderBlockWorklist::notEmpty): Deleted.
2549         * dfg/DFGDominators.cpp:
2550         (JSC::DFG::Dominators::compute):
2551         * dfg/DFGGraph.cpp:
2552         (JSC::DFG::Graph::blocksInPostOrder):
2553         * dfg/DFGPrePostNumbering.cpp:
2554         (JSC::DFG::PrePostNumbering::compute):
2555
2556 2015-10-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2557
2558         [INTL] Implement Intl.Collator.prototype.resolvedOptions ()
2559         https://bugs.webkit.org/show_bug.cgi?id=147601
2560
2561         Reviewed by Benjamin Poulain.
2562
2563         This patch implements Intl.Collator.prototype.resolvedOptions() according
2564         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
2565         It also implements the abstract operations InitializeCollator, ResolveLocale,
2566         LookupMatcher, and BestFitMatcher.
2567
2568         * runtime/CommonIdentifiers.h:
2569         * runtime/IntlCollator.h:
2570         (JSC::IntlCollator::usage):
2571         (JSC::IntlCollator::setUsage):
2572         (JSC::IntlCollator::locale):
2573         (JSC::IntlCollator::setLocale):
2574         (JSC::IntlCollator::collation):
2575         (JSC::IntlCollator::setCollation):
2576         (JSC::IntlCollator::numeric):
2577         (JSC::IntlCollator::setNumeric):
2578         (JSC::IntlCollator::sensitivity):
2579         (JSC::IntlCollator::setSensitivity):
2580         (JSC::IntlCollator::ignorePunctuation):
2581         (JSC::IntlCollator::setIgnorePunctuation):
2582         * runtime/IntlCollatorConstructor.cpp:
2583         (JSC::sortLocaleData):
2584         (JSC::searchLocaleData):
2585         (JSC::initializeCollator):
2586         (JSC::constructIntlCollator):
2587         (JSC::callIntlCollator):
2588         * runtime/IntlCollatorPrototype.cpp:
2589         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2590         * runtime/IntlObject.cpp:
2591         (JSC::defaultLocale):
2592         (JSC::getIntlBooleanOption):
2593         (JSC::getIntlStringOption):
2594         (JSC::removeUnicodeLocaleExtension):
2595         (JSC::lookupMatcher):
2596         (JSC::bestFitMatcher):
2597         (JSC::resolveLocale):
2598         (JSC::lookupSupportedLocales):
2599         * runtime/IntlObject.h:
2600
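        The entry above names the ECMA-402 abstract operations LookupMatcher and ResolveLocale that
        IntlCollator now implements. The following is an added illustration of the locale lookup
        step as the spec defines it (BestAvailableLocale, Unicode-extension removal, LookupMatcher);
        it is not JavaScriptCore's C++ code, and the available-locale list and default locale are
        constructed sample values, not what any engine actually ships.

```javascript
// Added illustration of ECMA-402 locale lookup; not JavaScriptCore source.
// AVAILABLE_LOCALES and DEFAULT_LOCALE are constructed sample values.
const AVAILABLE_LOCALES = ["en", "en-US", "de", "de-DE", "fr", "zh-Hant-TW"];
const DEFAULT_LOCALE = "en-US";

// ECMA-402 BestAvailableLocale: walk a BCP 47 tag from most to least
// specific, dropping the trailing subtag each step. When the subtag before
// the one being dropped is a singleton (a single letter such as "x"), it
// is dropped too, so "de-x-abc" falls back to "de", not to "de-x".
function bestAvailableLocale(availableLocales, locale) {
  let candidate = locale;
  for (;;) {
    if (availableLocales.includes(candidate)) return candidate;
    let pos = candidate.lastIndexOf("-");
    if (pos === -1) return undefined;
    if (pos >= 2 && candidate[pos - 2] === "-") pos -= 2;
    candidate = candidate.substring(0, pos);
  }
}

// A "-u-" Unicode extension sequence runs until the next singleton subtag
// (a one-character subtag such as "-x") or the end of the tag; the
// {2,8} quantifier stops the match at a singleton.
const UNICODE_EXTENSION = /-u(?:-[0-9a-z]{2,8})+/i;

// Split a tag into its extension-free form and the extension sequence,
// mirroring the removeUnicodeLocaleExtension step named in the entry.
function removeUnicodeLocaleExtension(locale) {
  const m = UNICODE_EXTENSION.exec(locale);
  if (!m) return { noExtensionsLocale: locale, extension: undefined };
  return {
    noExtensionsLocale: locale.slice(0, m.index) + locale.slice(m.index + m[0].length),
    extension: m[0],
  };
}

// ECMA-402 LookupMatcher: the first requested locale (extension stripped)
// with a best available match wins; its extension is carried along so that
// ResolveLocale can later honour keys such as "kn" or "co". With no match,
// the result is the default locale with no extension.
function lookupMatcher(availableLocales, requestedLocales) {
  for (const locale of requestedLocales) {
    const { noExtensionsLocale, extension } = removeUnicodeLocaleExtension(locale);
    const availableLocale = bestAvailableLocale(availableLocales, noExtensionsLocale);
    if (availableLocale !== undefined) {
      const result = { locale: availableLocale };
      if (extension !== undefined) result.extension = extension;
      return result;
    }
  }
  return { locale: DEFAULT_LOCALE };
}

// Example usage with the constructed table above.
console.log(lookupMatcher(AVAILABLE_LOCALES, ["zh-Hant-HK", "de-CH-u-kn-true"]));
```

        Note the fallback chain: "zh-Hant-HK" is tried as "zh-Hant" and then "zh", none of which is
        in the constructed table, so the matcher moves on to "de-CH-u-kn-true", strips the extension,
        falls back from "de-CH" to "de" and reports the extension alongside it.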
2601 2015-10-21  Saam barati  <sbarati@apple.com>
2602
2603         C calls in PolymorphicAccess shouldn't assume that the top of the stack looks like a JSC JIT frame and enable *ByIdFlush in FTL
2604         https://bugs.webkit.org/show_bug.cgi?id=125711
2605
2606         Reviewed by Filip Pizlo.
2607
2608         This patch ensures that anytime we need to make a C call inside
2609         PolymorphicAccess, we ensure there is enough space on the stack to do so.
2610
2611         This patch also enables GetByIdFlush/PutByIdFlush inside the FTL.
2612         Because PolymorphicAccess now spills the necessary registers
2613         before making a JS/C call, any registers that LLVM report as
2614         being in use for the patchpoint will be spilled before making
2615         a call by PolymorphicAccess.
2616
2617         * bytecode/PolymorphicAccess.cpp:
2618         (JSC::AccessGenerationState::restoreScratch):
2619         (JSC::AccessGenerationState::succeed):
2620         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
2621         (JSC::AccessCase::generate):
2622         (JSC::PolymorphicAccess::regenerate):
2623         * ftl/FTLCapabilities.cpp:
2624         (JSC::FTL::canCompile):
2625         * ftl/FTLLowerDFGToLLVM.cpp:
2626         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2627         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetById):
2628         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
2629         * jit/AssemblyHelpers.h:
2630         (JSC::AssemblyHelpers::emitTypeOf):
2631         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
2632         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
2633         * jit/RegisterSet.cpp:
2634         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
2635         (JSC::RegisterSet::registersToNotSaveForJSCall):
2636         (JSC::RegisterSet::registersToNotSaveForCCall):
2637         (JSC::RegisterSet::allGPRs):
2638         (JSC::RegisterSet::registersToNotSaveForCall): Deleted.
2639         * jit/RegisterSet.h:
2640         (JSC::RegisterSet::set):
2641         * jit/ScratchRegisterAllocator.cpp:
2642         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
2643         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
2644         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2645         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2646         These methods now take an extra parameter indicating if they
2647         should create space for a C call at the top of the stack if
2648         there are any reused registers to spill.
2649
2650         (JSC::ScratchRegisterAllocator::usedRegistersForCall):
2651         * jit/ScratchRegisterAllocator.h:
2652         (JSC::ScratchRegisterAllocator::usedRegisters):
2653
2654 2015-10-21  Joseph Pecoraro  <pecoraro@apple.com>
2655
2656         Web Inspector: Array previews with Symbol objects have too few preview values
2657         https://bugs.webkit.org/show_bug.cgi?id=150404
2658
2659         Reviewed by Timothy Hatcher.
2660
2661         * inspector/InjectedScriptSource.js:
2662         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
2663         We should be continuing inside this loop not returning.
2664
2665 2015-10-21  Filip Pizlo  <fpizlo@apple.com>
2666
2667         Failures in PutStackSinkingPhase should be less severe
2668         https://bugs.webkit.org/show_bug.cgi?id=150400
2669
2670         Reviewed by Geoffrey Garen.
2671
2672         Make the PutStackSinkingPhase abort instead of asserting. To test that it's OK to not have
2673         PutStackSinkingPhase run, this adds a test mode where we run without PutStackSinkingPhase.
2674
2675         * dfg/DFGPlan.cpp: Make it possible to not run PutStackSinkingPhase for tests.
2676         (JSC::DFG::Plan::compileInThreadImpl):
2677         * dfg/DFGPutStackSinkingPhase.cpp: PutStackSinkingPhase should abort instead of asserting, except when validation is enabled.
2678         * runtime/Options.h: Add an option for disabling PutStackSinkingPhase.
2679
2680 2015-10-21  Saam barati  <sbarati@apple.com>
2681
2682         The FTL should place the CallSiteIndex on the call frame for JS calls when it fills in the patchpoint
2683         https://bugs.webkit.org/show_bug.cgi?id=150104
2684
2685         Reviewed by Filip Pizlo.
2686
2687         We lower JS Calls to patchpoints in LLVM. LLVM may decide to duplicate
2688         these patchpoints (or remove them). We eagerly store the CallSiteIndex on the 
2689         call frame when lowering DFG to LLVM. But, because the patchpoint we lower to may
2690         be duplicated, we really don't know the unique CallSiteIndex until we've
2691         actually seen the resulting patchpoints after LLVM has completed its transformations.
2692         To solve this, we now store the unique CallSiteIndex on the call frame header 
2693         when generating code to fill into the patchpoint.
2694
2695         * ftl/FTLCompile.cpp:
2696         (JSC::FTL::mmAllocateDataSection):
2697         * ftl/FTLJSCall.cpp:
2698         (JSC::FTL::JSCall::JSCall):
2699         (JSC::FTL::JSCall::emit):
2700         * ftl/FTLJSCall.h:
2701         (JSC::FTL::JSCall::stackmapID):
2702         * ftl/FTLJSCallBase.cpp:
2703         (JSC::FTL::JSCallBase::JSCallBase):
2704         (JSC::FTL::JSCallBase::emit):
2705         (JSC::FTL::JSCallBase::link):
2706         * ftl/FTLJSCallBase.h:
2707         * ftl/FTLJSCallVarargs.cpp:
2708         (JSC::FTL::JSCallVarargs::JSCallVarargs):
2709         (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
2710         (JSC::FTL::JSCallVarargs::emit):
2711         * ftl/FTLJSCallVarargs.h:
2712         (JSC::FTL::JSCallVarargs::node):
2713         (JSC::FTL::JSCallVarargs::stackmapID):
2714         * ftl/FTLJSTailCall.cpp:
2715         (JSC::FTL::JSTailCall::JSTailCall):
2716         (JSC::FTL::m_instructionOffset):
2717         (JSC::FTL::JSTailCall::emit):
2718         * ftl/FTLLowerDFGToLLVM.cpp:
2719         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
2720         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
2721         (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
2722         (JSC::FTL::DFG::LowerDFGToLLVM::codeOriginDescriptionOfCallSite):
2723         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2724
2725 2015-10-21  Geoffrey Garen  <ggaren@apple.com>
2726
2727         Date creation should share a little code
2728         https://bugs.webkit.org/show_bug.cgi?id=150399
2729
2730         Reviewed by Filip Pizlo.
2731
2732         I want to fix a bug in this code, but I don't want to fix it in two
2733         different places. (See https://bugs.webkit.org/show_bug.cgi?id=150386.)
2734
2735         * runtime/DateConstructor.cpp:
2736         (JSC::DateConstructor::getOwnPropertySlot):
2737         (JSC::milliseconds): Factored out a shared helper function. If you look
2738         closely, you'll see that one copy of this code previously checked isfinite
2739         while the other checked isnan. isnan returning nan was obviously a no-op,
2740         so I removed it. isfinite, it turns out, is also a no-op -- but less
2741         obviously so, so I kept it for now.
2742
2743         (JSC::constructDate):
2744         (JSC::dateUTC): Use the helper function.
2745
2746 2015-10-21  Guillaume Emont  <guijemont@igalia.com>
2747
2748         [MIPS] LLInt: align stack pointer on MIPS too
2751         https://bugs.webkit.org/show_bug.cgi?id=150380
2752
2753         Reviewed by Michael Saboff.
2754
2755         * llint/LowLevelInterpreter32_64.asm:
2756
2757 2015-10-20  Mark Lam  <mark.lam@apple.com>
2758
2759         YarrPatternConstructor::containsCapturingTerms() should not assume that its terms.size() is greater than 0.
2760         https://bugs.webkit.org/show_bug.cgi?id=150372
2761
2762         Reviewed by Geoffrey Garen.
2763
2764         * yarr/YarrPattern.cpp:
2765         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2766         (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
2767         (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
2768         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2769
2770 2015-10-20  Michael Saboff  <msaboff@apple.com>
2771
2772         REGRESSION (r191175): OSR Exit from an inlined tail callee trashes callee save registers
2773         https://bugs.webkit.org/show_bug.cgi?id=150336
2774
2775         Reviewed by Mark Lam.
2776
2777         During OSR exit, we need to restore and transform the active stack into what the baseline
2778         JIT expects.  Inlined call frames become true call frames.  When we reify an inlined call
2779         frame and it is a tail call which we will be continuing from, we need to restore the tag
2780         constant callee save registers with what was saved by the outermost caller.
2781
2782         Re-enabled tail calls and restored tests for tail calls.
2783
2784         * dfg/DFGOSRExitCompilerCommon.cpp:
2785         (JSC::DFG::reifyInlinedCallFrames): Select whether or not we use the callee save tag register
2786         contents or what was saved by the inlining caller when populating an inlined callee's
2787         callee save registers.
2788         * jit/AssemblyHelpers.h:
2789         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor): This function no longer needs a stack offset.
2790         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor): New helper.
2791         * runtime/Options.h: Turned tail calls back on.
2792         * tests/es6.yaml:
2793         * tests/stress/dfg-tail-calls.js:
2794         (nonInlinedTailCall.callee):
2795         * tests/stress/mutual-tail-call-no-stack-overflow.js:
2796         (shouldThrow):
2797         * tests/stress/tail-call-in-inline-cache.js:
2798         (tail):
2799         * tests/stress/tail-call-no-stack-overflow.js:
2800         (shouldThrow):
2801         * tests/stress/tail-call-recognize.js:
2802         (callerMustBeRun):
2803         * tests/stress/tail-call-varargs-no-stack-overflow.js:
2804         (shouldThrow):
2805
2806 2015-10-20  Joseph Pecoraro  <pecoraro@apple.com>
2807
2808         Web Inspector: JavaScriptCore should parse sourceURL and sourceMappingURL directives
2809         https://bugs.webkit.org/show_bug.cgi?id=150096
2810
2811         Reviewed by Geoffrey Garen.
2812
2813         * inspector/ContentSearchUtilities.cpp:
2814         (Inspector::ContentSearchUtilities::scriptCommentPattern): Deleted.
2815         (Inspector::ContentSearchUtilities::findScriptSourceURL): Deleted.
2816         (Inspector::ContentSearchUtilities::findScriptSourceMapURL): Deleted.
2817         * inspector/ContentSearchUtilities.h:
2818         No longer need to search script content.
2819
2820         * inspector/ScriptDebugServer.cpp:
2821         (Inspector::ScriptDebugServer::dispatchDidParseSource):
2822         Carry over the sourceURL and sourceMappingURL from the SourceProvider.
2823
2824         * inspector/agents/InspectorDebuggerAgent.cpp:
2825         (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
2826         (Inspector::InspectorDebuggerAgent::didParseSource):
2827         No longer do content searching.
2828
2829         * parser/Lexer.cpp:
2830         (JSC::Lexer<T>::setCode):
2831         (JSC::Lexer<T>::skipWhitespace):
2832         (JSC::Lexer<T>::parseCommentDirective):
2833         (JSC::Lexer<T>::parseCommentDirectiveValue):
2834         (JSC::Lexer<T>::consume):
2835         (JSC::Lexer<T>::lex):
2836         * parser/Lexer.h:
2837         (JSC::Lexer::sourceURL):
2838         (JSC::Lexer::sourceMappingURL):
2839         (JSC::Lexer::sourceProvider): Deleted.
2840         Give lexer the ability to detect script comment directives.
2841         This just consumes characters in single line comments and
2842         ultimately sets the sourceURL or sourceMappingURL found.
2843
2844         * parser/Parser.h:
2845         (JSC::Parser<LexerType>::parse):
2846         * parser/SourceProvider.h:
2847         (JSC::SourceProvider::url):
2848         (JSC::SourceProvider::sourceURL):
2849         (JSC::SourceProvider::sourceMappingURL):
2850         (JSC::SourceProvider::setSourceURL):
2851         (JSC::SourceProvider::setSourceMappingURL):
2852         After parsing a script, update the Source Provider with the
2853         value of directives that may have been found in the script.
2854
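The directive scanning described in the entry above, as an added example that is not JavaScriptCore's lexer code: a small JavaScript scanner that finds sourceURL and sourceMappingURL directives only inside genuine single-line comments, skipping string literals and block comments the way a tokenizer would. The directive syntax it accepts ("//# name=value" or the legacy "//@ name=value", value up to the first whitespace, last occurrence wins), the function names and the sample script are assumptions made for this example.

```javascript
// Added example, not JavaScriptCore code: find sourceURL / sourceMappingURL
// comment directives the way a lexer would, i.e. only inside genuine
// single-line comments, never inside string literals or block comments.
// Assumed directive syntax: "//# name=value" or legacy "//@ name=value",
// optional whitespace after the marker and around "=", value ends at the
// first whitespace, and the last directive of each kind wins.
// Known simplification: regular-expression literals and nested template
// literals are not tokenized, so "//" inside those could be misread.

const DIRECTIVE_RE = /^[#@]\s*(sourceURL|sourceMappingURL)\s*=\s*(\S+)/;

function isLineTerminator(ch) {
  return ch === '\n' || ch === '\r' || ch === '\u2028' || ch === '\u2029';
}

function findCommentDirectives(source) {
  const result = { sourceURL: null, sourceMappingURL: null };
  const n = source.length;
  let i = 0;

  // Skip a string or template literal whose opening quote is at position i.
  function skipString(quote) {
    i++; // opening quote
    while (i < n && source[i] !== quote) {
      if (source[i] === '\\') i++; // skip the escaped character
      i++;
    }
    i++; // closing quote (or past end of input)
  }

  while (i < n) {
    const c = source[i];
    if (c === '"' || c === "'" || c === '`') {
      skipString(c);
    } else if (c === '/' && source[i + 1] === '*') {
      const end = source.indexOf('*/', i + 2);
      i = end === -1 ? n : end + 2; // unterminated block comment runs to EOF
    } else if (c === '/' && source[i + 1] === '/') {
      // Single-line comment: its body runs to the next line terminator.
      let eol = i + 2;
      while (eol < n && !isLineTerminator(source[eol])) eol++;
      const match = DIRECTIVE_RE.exec(source.slice(i + 2, eol));
      if (match) result[match[1]] = match[2]; // later directives overwrite earlier ones
      i = eol;
    } else {
      i++;
    }
  }
  return result;
}

// Constructed sample input for this example: the first two "directives" sit
// inside a string literal and a block comment and must be ignored.
const SAMPLE_SCRIPT = [
  'var s = "//# sourceURL=not-a-directive.js"; // a real comment, no directive',
  '/* //# sourceMappingURL=also-ignored.map */',
  'function f() { return 1; }',
  '//# sourceURL=app.js',
  '//@ sourceMappingURL=app.js.map',
].join('\n');

console.log(findCommentDirectives(SAMPLE_SCRIPT));
```

Whatever consumes these values (here, the inspector) should treat them as untrusted labels: any script can name itself anything, including a URL that looks like a trusted origin, so a sourceURL is never evidence of where the code actually came from.
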
2855 2015-10-20  Saam barati  <sbarati@apple.com>
2856
2857         GCAwareJITStubRoutineWithExceptionHandler has a stale CodeBlock pointer in its destructor
2858         https://bugs.webkit.org/show_bug.cgi?id=150351
2859
2860         Reviewed by Mark Lam.
2861
2862         We may regenerate many GCAwareJITStubRoutineWithExceptionHandler stubs per one PolymorphicAccess.
2863         Only the last GCAwareJITStubRoutineWithExceptionHandler stub that was generated will get the CodeBlock's aboutToDie()
2864         notification. All other GCAwareJITStubRoutineWithExceptionHandler stubs will still be holding a stale CodeBlock pointer
2865         that they will use in their destructor. The solution is to have GCAwareJITStubRoutineWithExceptionHandler remove its
2866         exception handler in observeZeroRefCount() instead of its destructor. observeZeroRefCount() will run when a PolymorphicAccess
2867         replaces its m_stubRoutine.
2868
2869         * jit/GCAwareJITStubRoutine.cpp:
2870         (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie):
2871         (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount):
2872         (JSC::createJITStubRoutine):
2873         (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler): Deleted.
2874         * jit/GCAwareJITStubRoutine.h:
2875
2877 2015-10-20  Tim Horton  <timothy_horton@apple.com>
2878
2879         Try to fix the build by disabling MAC_GESTURE_EVENTS on 10.9 and 10.10
2880
2881         * Configurations/FeatureDefines.xcconfig:
2882
2883 2015-10-20  Xabier Rodriguez Calvar  <calvaris@igalia.com>
2884
2885         [Streams API] Rework some readable stream internals that can be common to writable streams
2886         https://bugs.webkit.org/show_bug.cgi?id=150133
2887
2888         Reviewed by Darin Adler.
2889
2890         * runtime/CommonIdentifiers.h:
2891         * runtime/JSGlobalObject.cpp:
2892         (JSC::JSGlobalObject::init): Added RangeError also as native functions.
2893
2894 2015-10-20  Yoav Weiss  <yoav@yoav.ws>
2895
2896         Rename the PICTURE_SIZES flag to CURRENTSRC
2897         https://bugs.webkit.org/show_bug.cgi?id=150275
2898
2899         Reviewed by Dean Jackson.
2900
2901         * Configurations/FeatureDefines.xcconfig:
2902
2903 2015-10-19  Saam barati  <sbarati@apple.com>
2904
2905         FTL should generate a unique OSR exit for each duplicated OSR exit stackmap intrinsic.
2906         https://bugs.webkit.org/show_bug.cgi?id=149970
2907
2908         Reviewed by Filip Pizlo.
2909
2910         When we lower DFG to LLVM, we generate a stackmap intrinsic for OSR
2911         exits. We also recorded the OSR exit inside FTL::JITCode during lowering.
2912         This stackmap intrinsic may be duplicated or even removed by LLVM.
2913         When the stackmap intrinsic is duplicated, we used to generate just
2914         a single OSR exit data structure. Then, when we compiled an OSR exit, we 
2915         would look for the first record in the record list that had the same stackmap ID
2916         as what the OSR exit data structure had. We did this even when the OSR exit
2917         stackmap intrinsic was duplicated. This would lead us to grab the wrong FTL::StackMaps::Record.
2918
2919         Now, each OSR exit knows exactly which FTL::StackMaps::Record it corresponds to.
2920         We accomplish this by having an OSRExitDescriptor that is recorded during
2921         lowering. Each descriptor may be referenced by zero, one, or more OSRExits.
2922         Now, no more than one stackmap intrinsic corresponds to the same index inside 
2923         JITCode's OSRExit Vector. Also, each OSRExit jump now jumps to a code location.
2924
2925         * ftl/FTLCompile.cpp:
2926         (JSC::FTL::mmAllocateDataSection):
2927         * ftl/FTLJITCode.cpp:
2928         (JSC::FTL::JITCode::validateReferences):
2929         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2930         * ftl/FTLJITCode.h:
2931         * ftl/FTLJITFinalizer.cpp:
2932         (JSC::FTL::JITFinalizer::finalizeFunction):
2933         * ftl/FTLLowerDFGToLLVM.cpp:
2934         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
2935         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
2936         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2937         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
2938         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
2939         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap):
2940         * ftl/FTLOSRExit.cpp:
2941         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
2942         (JSC::FTL::OSRExitDescriptor::validateReferences):
2943         (JSC::FTL::OSRExit::OSRExit):
2944         (JSC::FTL::OSRExit::codeLocationForRepatch):
2945         (JSC::FTL::OSRExit::validateReferences): Deleted.
2946         * ftl/FTLOSRExit.h:
2947         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2948         * ftl/FTLOSRExitCompilationInfo.h:
2949         (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
2950         * ftl/FTLOSRExitCompiler.cpp:
2951         (JSC::FTL::compileStub):
2952         (JSC::FTL::compileFTLOSRExit):
2953         * ftl/FTLStackMaps.cpp:
2954         (JSC::FTL::StackMaps::computeRecordMap):
2955         * ftl/FTLStackMaps.h:
2956
2957 2015-10-16  Brian Burg  <bburg@apple.com>
2958
2959         Unify handling of JavaScriptCore scripts that are used in WebCore
2960         https://bugs.webkit.org/show_bug.cgi?id=150245
2961
2962         Reviewed by Alex Christensen.
2963
2964         Move all standalone JavaScriptCore scripts that are used by WebCore into the
2965         JavaScriptCore/Scripts directory. Use JavaScriptCore_SCRIPTS_DIR to refer
2966         to the path for these scripts.
2967
2968         * DerivedSources.make:
2969
2970             Define and use JavaScriptCore_SCRIPTS_DIR.
2971
2972         * JavaScriptCore.xcodeproj/project.pbxproj:
2973
2974             Make a new group in the Xcode project and clean up references.
2975
2976         * PlatformWin.cmake:
2977
2978             For Windows, copy these scripts over to ForwardingHeaders/Scripts since they
2979             cannot be used directly from JAVASCRIPTCORE_DIR in AppleWin builds. Do the same
2980             thing for both Windows variants to be consistent about it.
2981
2982         * Scripts/cssmin.py: Renamed from Source/JavaScriptCore/inspector/scripts/cssmin.py.
2983         * Scripts/generate-combined-inspector-json.py: Renamed from Source/JavaScriptCore/inspector/scripts/generate-combined-inspector-json.py.
2984         * Scripts/generate-js-builtins: Renamed from Source/JavaScriptCore/generate-js-builtins.
2985         * Scripts/inline-and-minify-stylesheets-and-scripts.py: Renamed from Source/JavaScriptCore/inspector/scripts/inline-and-minify-stylesheets-and-scripts.py.
2986         * Scripts/jsmin.py: Renamed from Source/JavaScriptCore/inspector/scripts/jsmin.py.
2987         * Scripts/xxd.pl: Renamed from Source/JavaScriptCore/inspector/scripts/xxd.pl.
2988
2989 2015-10-19  Tim Horton  <timothy_horton@apple.com>
2990
2991         Try to fix the iOS build
2992
2993         * Configurations/FeatureDefines.xcconfig:
2994
2995 2015-10-17  Keith Miller  <keith_miller@apple.com>
2996
2997         Add regression tests for TypedArray.prototype functions' error messages.
2998         https://bugs.webkit.org/show_bug.cgi?id=150288
2999
3000         Reviewed by Darin Adler.
3001
3002         Fix a typo in the text passed by the TypedArray.prototype.filter type error message.
3003         Add tests that check the actual error message text for all the TypedArray.prototype
3004         functions that throw.
3005
3006         * builtins/TypedArray.prototype.js:
3007         (filter):
3008         * tests/stress/typedarray-every.js:
3009         * tests/stress/typedarray-filter.js:
3010         * tests/stress/typedarray-find.js:
3011         * tests/stress/typedarray-findIndex.js:
3012         * tests/stress/typedarray-forEach.js:
3013         * tests/stress/typedarray-map.js:
3014         * tests/stress/typedarray-reduce.js:
3015         * tests/stress/typedarray-reduceRight.js:
3016         * tests/stress/typedarray-some.js:
3017
3018 2015-10-19  Tim Horton  <timothy_horton@apple.com>
3019
3020         Add magnify and rotate gesture event support for Mac
3021         https://bugs.webkit.org/show_bug.cgi?id=150179
3022         <rdar://problem/8036240>
3023
3024         Reviewed by Darin Adler.
3025
3026         * Configurations/FeatureDefines.xcconfig:
3027         New feature flag.
3028
3029 2015-10-19  Csaba Osztrogonác  <ossy@webkit.org>
3030
3031         Fix the ENABLE(WEBASSEMBLY) build after r190827
3032         https://bugs.webkit.org/show_bug.cgi?id=150330
3033
3034         Reviewed by Geoffrey Garen.
3035
3036         * bytecode/CodeBlock.cpp:
3037         (JSC::CodeBlock::CodeBlock): Removed the duplicated VM argument.
3038         * bytecode/CodeBlock.h:
3039         (JSC::WebAssemblyCodeBlock::create): Added new parameters to finishCreation() calls.
3040         (JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Change VM parameter to pointer to match *CodeBlock classes.
3041         * runtime/Executable.cpp:
3042         (JSC::WebAssemblyExecutable::prepareForExecution): Removed extra ")" and pass pointer as it is expected.
3043
3044 2015-10-19  Mark Lam  <mark.lam@apple.com>
3045
3046         DoubleRep fails to convert SpecBoolean values.
3047         https://bugs.webkit.org/show_bug.cgi?id=150313
3048
3049         Reviewed by Geoffrey Garen.
3050
3051         This was uncovered by the op_sub stress test on 32-bit builds.  On 32-bit builds,
3052         DoubleRep will erroneously convert 'true' to a 'NaN' instead of a double 1.
3053         On 64-bit, the same issue exists but is masked by another bug in DoubleRep where
3054         boolean values will always erroneously trigger a BadType OSR exit.
3055
3056         The erroneous conversion of 'true' to 'NaN' is because the 'true' case in
3057         compileDoubleRep() is missing a jump to the "done" destination.  Instead, it
3058         falls through to the "isUndefined" case where it produces a NaN.
3059
3060         The 64-bit erroneous BadType OSR exit is due to the boolean type check being
3061         implemented incorrectly.  It was checking if any bits other than bit 0 were set.
3062         However, boolean JS values always have TagBitBool (the 3rd bit) set.  Hence, the
3063         check will always fail if we have a boolean value.
3064
3065         This patch fixes both of these issues.
3066
3067         No new test is needed because these issues are already covered by scenarios in
3068         the op_sub.js stress test.  This patch also fixes the op_sub.js test to throw an
3069         exception if any failures are encountered (as expected by the stress test
3070         harness).  This patch also re-worked the test code to provide more accurate
3071         descriptions of each test scenario for error reporting.
3072
3073         * dfg/DFGSpeculativeJIT.cpp:
3074         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
3075
3076         * tests/stress/op_sub.js:
3077         (generateScenarios):
3078         (func):
3079         (initializeTestCases):
3080         (runTest):
3081         (stringify): Deleted.
3082
3083 2015-10-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3084
3085         Drop !newTarget check since it always becomes true
3086         https://bugs.webkit.org/show_bug.cgi?id=150308
3087
3088         Reviewed by Geoffrey Garen.
3089
3090         In a context of calling a constructor, `newTarget` should not become JSEmpty.
3091         So `!newTarget` always becomes true. This patch drops this unnecessary check.
3092         And to ensure the implementation of the constructor is only called under
3093         the context of calling it as a constructor, we change these functions to
3094         static and only use them for constructor implementations of InternalFunction.
3095
3096         * runtime/IntlCollatorConstructor.cpp:
3097         (JSC::constructIntlCollator):
3098         (JSC::callIntlCollator):
3099         * runtime/IntlCollatorConstructor.h:
3100         * runtime/IntlDateTimeFormatConstructor.cpp:
3101         (JSC::constructIntlDateTimeFormat):
3102         (JSC::callIntlDateTimeFormat):
3103         * runtime/IntlDateTimeFormatConstructor.h:
3104         * runtime/IntlNumberFormatConstructor.cpp:
3105         (JSC::constructIntlNumberFormat):
3106         (JSC::callIntlNumberFormat):
3107         * runtime/IntlNumberFormatConstructor.h:
3108         * runtime/JSPromiseConstructor.cpp:
3109         (JSC::constructPromise):
3110
3111 2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3112
3113         Promise constructor should throw when not called with "new"
3114         https://bugs.webkit.org/show_bug.cgi?id=149380
3115
3116         Reviewed by Darin Adler.
3117
3118         Implement handling of new.target in the Promise constructor, and
3119         prohibit calling the Promise constructor without "new".
3120
3121         * runtime/JSPromiseConstructor.cpp:
3122         (JSC::constructPromise):
3123         (JSC::callPromise):
3124         (JSC::JSPromiseConstructor::getCallData):
3125         * tests/es6.yaml:
3126         * tests/stress/promise-cannot-be-called.js: Added.
3127         (shouldBe):
3128         (shouldThrow):
3129         (Deferred):
3130         (super):
3131
3132 2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3133
3134         [ES6] Handle asynchronous tests in tests/es6
3135         https://bugs.webkit.org/show_bug.cgi?id=150293
3136
3137         Reviewed by Darin Adler.
3138
3139         Since JSC can handle microtasks, some of ES6 Promise tests can be executed under the JSC shell.
3140         Some of them still fail because they use setTimeout, which invokes macrotasks with an explicit delay.
3141
3142         * tests/es6.yaml:
3143         * tests/es6/Promise_Promise.all.js:
3144         (test.asyncTestPassed):
3145         (test):
3146         * tests/es6/Promise_Promise.all_generic_iterables.js:
3147         (test.asyncTestPassed):
3148         (test):
3149         * tests/es6/Promise_Promise.race.js:
3150         (test.asyncTestPassed):
3151         (test):
3152         * tests/es6/Promise_Promise.race_generic_iterables.js:
3153         (test.asyncTestPassed):
3154         (test):
3155         * tests/es6/Promise_basic_functionality.js:
3156         (test.asyncTestPassed):
3157         (test):
3158         * tests/es6/Promise_is_subclassable_Promise.all.js:
3159         (test.asyncTestPassed):
3160         (test):
3161         * tests/es6/Promise_is_subclassable_Promise.race.js:
3162         (test.asyncTestPassed):
3163         (test):
3164         * tests/es6/Promise_is_subclassable_basic_functionality.js:
3165         (test.asyncTestPassed):
3166         (test):
3167
3168 2015-10-18  Sungmann Cho  <sungmann.cho@navercorp.com>
3169
3170         [Win] Fix the Windows builds.
3171         https://bugs.webkit.org/show_bug.cgi?id=150300
3172
3173         Reviewed by Darin Adler.
3174
3175         Add missing files to JavaScriptCore.vcxproj.
3176
3177         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3178         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3179
3180 2015-10-17  Filip Pizlo  <fpizlo@apple.com>
3181
3182         Fix some generational heap growth pathologies
3183         https://bugs.webkit.org/show_bug.cgi?id=150270
3184
3185         Reviewed by Andreas Kling.
3186
3187         When doing generational copying, we would pretend that the size of old space was increased
3188         just by the amount of bytes we copied. In reality, it would be increased by the number of
3189         bytes used by the copied blocks we created. This is a larger number, and in some simple
3190         pathological programs, the difference can be huge.
3191
3192         Fixing this bug was relatively easy, and the only really meaningful change here is in
3193         Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
3194         add some debugging code and I had to refactor some stuff so that it made more sense.
3195
3196         This change does obviate the need for m_totalBytesCopied, because we no longer use it in
3197         release builds to decide how much heap we are using at the end of collection. But I added a
3198         FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
3199         now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.
3200
3201         Relanding with build fix.
3202
3203         * CMakeLists.txt:
3204         * JavaScriptCore.xcodeproj/project.pbxproj:
3205         * heap/CopiedBlock.cpp: Added.
3206         (JSC::CopiedBlock::createNoZeroFill):
3207         (JSC::CopiedBlock::destroy):
3208         (JSC::CopiedBlock::create):
3209         (JSC::CopiedBlock::zeroFillWilderness):
3210         (JSC::CopiedBlock::CopiedBlock):
3211         * heap/CopiedBlock.h:
3212         (JSC::CopiedBlock::didSurviveGC):
3213         (JSC::CopiedBlock::createNoZeroFill): Deleted.
3214         (JSC::CopiedBlock::destroy): Deleted.
3215         (JSC::CopiedBlock::create): Deleted.
3216         (JSC::CopiedBlock::zeroFillWilderness): Deleted.
3217         (JSC::CopiedBlock::CopiedBlock): Deleted.
3218         * heap/CopiedSpaceInlines.h:
3219         (JSC::CopiedSpace::startedCopying):
3220         * heap/Heap.cpp:
3221         (JSC::Heap::updateObjectCounts):
3222         (JSC::Heap::resetVisitors):
3223         (JSC::Heap::capacity):
3224         (JSC::Heap::protectedGlobalObjectCount):
3225         (JSC::Heap::collectImpl):
3226         (JSC::Heap::willStartCollection):
3227         (JSC::Heap::updateAllocationLimits):
3228         (JSC::Heap::didFinishCollection):
3229         (JSC::Heap::sizeAfterCollect): Deleted.
3230         * heap/Heap.h:
3231         * heap/HeapInlines.h:
3232         (JSC::Heap::shouldCollect):
3233         (JSC::Heap::isBusy):
3234         (JSC::Heap::collectIfNecessaryOrDefer):
3235         * heap/MarkedBlock.cpp:
3236         (JSC::MarkedBlock::create):
3237         (JSC::MarkedBlock::destroy):
3238
3239 2015-10-17  Commit Queue  <commit-queue@webkit.org>
3240
3241         Unreviewed, rolling out r191240.
3242         https://bugs.webkit.org/show_bug.cgi?id=150281
3243
3244         Broke 32-bit builds (Requested by smfr on #webkit).
3245
3246         Reverted changeset:
3247
3248         "Fix some generational heap growth pathologies"
3249         https://bugs.webkit.org/show_bug.cgi?id=150270
3250         http://trac.webkit.org/changeset/191240
3251
3252 2015-10-17  Sungmann Cho  <sungmann.cho@navercorp.com>
3253
3254         [Win] Fix the Windows build.
3255         https://bugs.webkit.org/show_bug.cgi?id=150278
3256
3257         Reviewed by Brent Fulgham.
3258
3259         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3260         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3261
3262 2015-10-17  Mark Lam  <mark.lam@apple.com>
3263
3264         Fixed typos from r191224.
3265
3266         Not reviewed.
3267
3268         * jit/JITSubGenerator.h:
3269         (JSC::JITSubGenerator::generateFastPath):
3270
3271 2015-10-17  Filip Pizlo  <fpizlo@apple.com>
3272
3273         Fix some generational heap growth pathologies
3274         https://bugs.webkit.org/show_bug.cgi?id=150270
3275
3276         Reviewed by Andreas Kling.
3277
3278         When doing generational copying, we would pretend that the size of old space was increased
3279         just by the amount of bytes we copied. In reality, it would be increased by the number of
3280         bytes used by the copied blocks we created. This is a larger number, and in some simple
3281         pathological programs, the difference can be huge.
3282
3283         Fixing this bug was relatively easy, and the only really meaningful change here is in
3284         Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
3285         add some debugging code and I had to refactor some stuff so that it made more sense.
3286
3287         This change does obviate the need for m_totalBytesCopied, because we no longer use it in
3288         release builds to decide how much heap we are using at the end of collection. But I added a
3289         FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
3290         now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.
3291
3292         * CMakeLists.txt:
3293         * JavaScriptCore.xcodeproj/project.pbxproj:
3294         * heap/CopiedBlock.cpp: Added.
3295         (JSC::CopiedBlock::createNoZeroFill):
3296         (JSC::CopiedBlock::destroy):
3297         (JSC::CopiedBlock::create):
3298         (JSC::CopiedBlock::zeroFillWilderness):
3299         (JSC::CopiedBlock::CopiedBlock):
3300         * heap/CopiedBlock.h:
3301         (JSC::CopiedBlock::didSurviveGC):
3302         (JSC::CopiedBlock::createNoZeroFill): Deleted.
3303         (JSC::CopiedBlock::destroy): Deleted.
3304         (JSC::CopiedBlock::create): Deleted.
3305         (JSC::CopiedBlock::zeroFillWilderness): Deleted.
3306         (JSC::CopiedBlock::CopiedBlock): Deleted.
3307         * heap/CopiedSpaceInlines.h:
3308         (JSC::CopiedSpace::startedCopying):
3309         * heap/Heap.cpp:
3310         (JSC::Heap::updateObjectCounts):
3311         (JSC::Heap::resetVisitors):
3312         (JSC::Heap::capacity):
3313         (JSC::Heap::protectedGlobalObjectCount):
3314         (JSC::Heap::collectImpl):
3315         (JSC::Heap::willStartCollection):
3316         (JSC::Heap::updateAllocationLimits):
3317         (JSC::Heap::didFinishCollection):
3318         (JSC::Heap::sizeAfterCollect): Deleted.
3319         * heap/Heap.h:
3320         * heap/HeapInlines.h:
3321         (JSC::Heap::shouldCollect):
3322         (JSC::Heap::isBusy):
3323         (JSC::Heap::collectIfNecessaryOrDefer):
3324         * heap/MarkedBlock.cpp:
3325         (JSC::MarkedBlock::create):
3326         (JSC::MarkedBlock::destroy):
3327
3328 2015-10-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3329
3330         [ES6] Implement String.prototype.normalize
3331         https://bugs.webkit.org/show_bug.cgi?id=150094
3332
3333         Reviewed by Geoffrey Garen.
3334
3335         This patch implements String.prototype.normalize leveraging ICU.
3336         It can provide the feature applying {NFC, NFD, NFKC, NFKD} normalization to a given string.
3337
3338         * runtime/StringPrototype.cpp:
3339         (JSC::StringPrototype::finishCreation):
3340         (JSC::normalize):
3341         (JSC::stringProtoFuncNormalize):
3342         * tests/es6.yaml:
3343         * tests/stress/string-normalize.js: Added.
3344         (unicode):
3345         (shouldBe):
3346         (shouldThrow):
3347         (normalizeTest):
3348
3349 2015-10-16  Geoffrey Garen  <ggaren@apple.com>
3350
3351         Update JavaScriptCore API docs
3352         https://bugs.webkit.org/show_bug.cgi?id=150262
3353
3354         Reviewed by Mark Lam.
3355
3356         Apply some edits for clarity. These came out of a docs review.
3357
3358         * API/JSContext.h:
3359         * API/JSExport.h:
3360         * API/JSManagedValue.h:
3361         * API/JSValue.h:
3362
3363 2015-10-16  Keith Miller  <keith_miller@apple.com>
3364
3365         Unreviewed. Fix typo in TypeError messages in TypedArray.prototype.forEach/filter.
3366
3367         * builtins/TypedArray.prototype.js:
3368         (forEach):
3369         (filter):
3370
3371 2015-10-16  Mark Lam  <mark.lam@apple.com>
3372
3373         Use JITSubGenerator to support UntypedUse operands for op_sub in the DFG.
3374         https://bugs.webkit.org/show_bug.cgi?id=150038
3375
3376         Reviewed by Geoffrey Garen.
3377
3378         * bytecode/SpeculatedType.h:
3379         (JSC::isUntypedSpeculationForArithmetic): Added
3380         - Also fixed some comments.
3381         
3382         * dfg/DFGAbstractInterpreterInlines.h:
3383         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3384
3385         * dfg/DFGAbstractValue.cpp:
3386         (JSC::DFG::AbstractValue::resultType):
3387         * dfg/DFGAbstractValue.h:
3388         - Added function to compute the ResultType of an operand from its SpeculatedType.
3389
3390         * dfg/DFGFixupPhase.cpp:
3391         (JSC::DFG::FixupPhase::fixupNode):
3392         - Fix up ArithSub to speculate its operands to be numbers.  But if an OSR exit
3393           due to a BadType was seen at this&