a996447f918d1d8cf1763bdf13e2ecc914ff7a12
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
2
3         [JSC] Remove some invalid immediate instruction forms from ARM64 Air
4         https://bugs.webkit.org/show_bug.cgi?id=153024
5
6         Reviewed by Michael Saboff.
7
8         * b3/B3BasicBlock.h:
9         Export the symbols for testb3.
10
11         * b3/air/AirOpcode.opcodes:
12         We had 2 invalid opcodes:
13         -Compare with immediate just does not exist.
14         -Test64 with immediate exists but Air does not recognize
15          the valid form of bit-immediates.
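As an added example (not code from this patch or from JSC), the check below decides whether a 32- or 64-bit value is encodable as an ARM64 logical "bitmask" immediate, the operand class that the immediate forms of tst/and/orr/eor accept and therefore the values a Test64-with-immediate Air form may legitimately carry. The namespace `arm64imm` and the helper names are mine.

```cpp
#include <cstdint>

namespace arm64imm {

// Rotate a `width`-bit value right by `shift` (width is 2..64). Helper for the check below.
inline uint64_t rotateRight(uint64_t value, unsigned shift, unsigned width)
{
    uint64_t mask = width == 64 ? ~0ULL : ((1ULL << width) - 1);
    value &= mask;
    shift %= width;
    if (!shift)
        return value;
    return ((value >> shift) | (value << (width - shift))) & mask;
}

inline unsigned popcount(uint64_t value)
{
    unsigned count = 0;
    for (; value; value &= value - 1)
        ++count;
    return count;
}

// Returns true if `value`, viewed as a `width`-bit quantity (32 or 64), can be encoded as an
// ARM64 logical immediate (the N:immr:imms field of AND/ORR/EOR/TST (immediate)).
// Encodable values are a 2-, 4-, 8-, 16-, 32- or 64-bit element replicated across the
// register, where the element is a contiguous run of ones (not empty, not full) rotated by
// any amount. Zero and all-ones are not encodable.
bool isLogicalImmediate(uint64_t value, unsigned width)
{
    if (width != 32 && width != 64)
        return false;
    uint64_t fullMask = width == 64 ? ~0ULL : 0xFFFFFFFFULL;
    if (value & ~fullMask)
        return false;                         // does not fit the register width
    if (!value || value == fullMask)
        return false;                         // reserved encodings

    // Find the smallest element size the value is a replication of. If the value is
    // encodable at some element size, it is necessarily this one.
    unsigned size = width;
    while (size > 2) {
        unsigned half = size / 2;             // at most 32, so the shift below is well defined
        uint64_t halfMask = (1ULL << half) - 1;
        if ((value & halfMask) != ((value >> half) & halfMask))
            break;
        size = half;
    }
    uint64_t elementMask = size == 64 ? ~0ULL : ((1ULL << size) - 1);
    uint64_t element = value & elementMask;

    // A cyclic contiguous run of ones has exactly two 0/1 transitions when the element is
    // compared with itself rotated by one bit; anything else is not a single run.
    return popcount(element ^ rotateRight(element, 1, size)) == 2;
}

} // namespace arm64imm
```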
16
17         * b3/testb3.cpp:
18         (JSC::B3::genericTestCompare):
19         (JSC::B3::testCompareImpl):
20         Extend the tests to cover what was invalid.
21
22 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
23
24         [JSC] JSC does not build with FTL_USES_B3 on ARM64
25         https://bugs.webkit.org/show_bug.cgi?id=153011
26
27         Reviewed by Saam Barati.
28
29         Apparently the static const member can only be used for constexpr.
30         C++ is weird.
31
32         * jit/GPRInfo.cpp:
33         * jit/GPRInfo.h:
34
35 2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>
36
37         Web Inspector: console.count() shouldn't show a colon in front of a number
38         https://bugs.webkit.org/show_bug.cgi?id=152038
39
40         Reviewed by Brian Burg.
41
42         * inspector/agents/InspectorConsoleAgent.cpp:
43         (Inspector::InspectorConsoleAgent::count):
44         Do not include title and colon if the title is empty.
45
46 2016-01-11  Dan Bernstein  <mitz@apple.com>
47
48         Reverted r194317.
49
50         Reviewed by Joseph Pecoraro.
51
52         r194317 did not contain a change log entry, did not explain the motivation, did not name a
53         reviewer, and does not seem necessary.
54
55         * JavaScriptCore.xcodeproj/project.pbxproj:
56
57 2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>
58
59         keywords ("super", "delete", etc) should be valid method names
60         https://bugs.webkit.org/show_bug.cgi?id=144281
61
62         Reviewed by Ryosuke Niwa.
63
64         * parser/Parser.cpp:
65         (JSC::Parser<LexerType>::parseClass):
66         - When parsing "static(" treat it as a method named "static" and not a static method.
67         - When parsing a keyword treat it like a string method name (get and set are not keywords).
68         - When parsing a getter / setter method name identifier, allow lookahead to be a keyword.
69
70         (JSC::Parser<LexerType>::parseGetterSetter):
71         - When parsing the getter / setter's name, allow it to be a keyword.
72
73 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
74
75         [JSC] Add Div/Mod and fix Mul for B3 ARM64
76         https://bugs.webkit.org/show_bug.cgi?id=152978
77
78         Reviewed by Filip Pizlo.
79
80         Add the 3-operand forms of Mul.
81         Remove the form taking an immediate on ARM64; there is no such instruction.
82
83         Add Div with sdiv.
84
85         Unfortunately, I discovered ChillMod's division by zero
86         makes it non-trivial on ARM64. I just made it into a macro like on x86.
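Added example, not code from the patch: a C++ model of how ChillDiv and ChillMod relate to the ARM64 sdiv instruction the entry lowers Div to. The ChillDiv/ChillMod definitions (x/0 = 0 and INT_MIN/-1 = INT_MIN; x%0 = 0 and INT_MIN%-1 = 0) are B3's; lowering Mod as sdiv followed by msub is my assumption about the macro's shape, used here to show exactly which case the division-by-zero check has to cover.

```cpp
#include <cstdint>
#include <limits>

namespace chill {

// Model of ARM64 SDIV (32-bit form): it never traps. Dividing by zero yields zero, and
// INT_MIN / -1 wraps back to INT_MIN because the result is taken modulo 2^32.
int32_t sdiv32(int32_t dividend, int32_t divisor)
{
    if (!divisor)
        return 0;
    if (dividend == std::numeric_limits<int32_t>::min() && divisor == -1)
        return dividend;                     // also sidesteps C++ signed-overflow UB
    return dividend / divisor;               // C++ truncates toward zero, like SDIV
}

// Model of ARM64 MSUB (32-bit form): minuend - multiplicand * multiplier, wrapping.
int32_t msub32(int32_t minuend, int32_t multiplicand, int32_t multiplier)
{
    uint32_t product = static_cast<uint32_t>(multiplicand) * static_cast<uint32_t>(multiplier);
    return static_cast<int32_t>(static_cast<uint32_t>(minuend) - product);
}

// B3 ChillDiv semantics: x / 0 == 0 and INT_MIN / -1 == INT_MIN. SDIV already behaves this
// way, so on ARM64 the lowering is a single instruction with no guard.
int32_t chillDiv32(int32_t x, int32_t y)
{
    return sdiv32(x, y);
}

// Straight-line Mod as SDIV followed by MSUB (x - (x / y) * y). Correct for every divisor
// except zero: SDIV yields 0 there, so MSUB returns x instead of the 0 ChillMod requires.
int32_t modWithoutGuard32(int32_t x, int32_t y)
{
    return msub32(x, sdiv32(x, y), y);
}

// B3 ChillMod semantics: x % 0 == 0 and INT_MIN % -1 == 0. Only the zero divisor needs an
// explicit branch around the SDIV/MSUB pair; INT_MIN % -1 falls out of the wrapping
// arithmetic (INT_MIN - INT_MIN * -1 == INT_MIN - INT_MIN == 0).
int32_t chillMod32(int32_t x, int32_t y)
{
    if (!y)
        return 0;
    return modWithoutGuard32(x, y);
}

} // namespace chill
```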
87
88         * assembler/MacroAssemblerARM64.h:
89         (JSC::MacroAssemblerARM64::mul32):
90         (JSC::MacroAssemblerARM64::mul64):
91         (JSC::MacroAssemblerARM64::div32):
92         (JSC::MacroAssemblerARM64::div64):
93         * b3/B3LowerMacros.cpp:
94         * b3/B3LowerToAir.cpp:
95         (JSC::B3::Air::LowerToAir::lower):
96         * b3/air/AirOpcode.opcodes:
97
98 2016-01-11  Keith Miller  <keith_miller@apple.com>
99
100         Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
101         https://bugs.webkit.org/show_bug.cgi?id=152949
102
103         Reviewed by Michael Saboff.
104
105         This patch updates Array constructors to use the new InternalFunctionAllocationProfile.
106
107         * runtime/ArrayConstructor.cpp:
108         (JSC::constructArrayWithSizeQuirk):
109         (JSC::constructWithArrayConstructor):
110         * runtime/InternalFunction.h:
111         (JSC::InternalFunction::createStructure):
112         * runtime/JSGlobalObject.h:
113         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
114         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
115         (JSC::constructEmptyArray):
116         (JSC::constructArray):
117         (JSC::constructArrayNegativeIndexed):
118         * runtime/PrototypeMap.cpp:
119         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
120         * runtime/Structure.h:
121         * runtime/StructureInlines.h:
122
123 2016-01-08  Keith Miller  <keith_miller@apple.com>
124
125         Use a profile to store allocation structures for subclasses of InternalFunctions
126         https://bugs.webkit.org/show_bug.cgi?id=152942
127
128         Reviewed by Michael Saboff.
129
130         This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
131         a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
132         InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
133         constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
134         constructor as a new.target to any other constructor. This means that a user can pass some
135         non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
136         new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
137         need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
138         current constructor. By using different profiles, we only need to check the profile in InternalFunctions
139         as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
140         low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.
141
142         Additionally, this patch adds subclassing to some omitted classes.
143
144         * API/JSObjectRef.cpp:
145         (JSObjectMakeDate):
146         (JSObjectMakeRegExp):
147         * JavaScriptCore.xcodeproj/project.pbxproj:
148         * bytecode/InternalFunctionAllocationProfile.h: Added.
149         (JSC::InternalFunctionAllocationProfile::structure):
150         (JSC::InternalFunctionAllocationProfile::clear):
151         (JSC::InternalFunctionAllocationProfile::visitAggregate):
152         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
153         * dfg/DFGByteCodeParser.cpp:
154         (JSC::DFG::ByteCodeParser::parseBlock):
155         * dfg/DFGOperations.cpp:
156         * dfg/DFGSpeculativeJIT32_64.cpp:
157         (JSC::DFG::SpeculativeJIT::compile):
158         * dfg/DFGSpeculativeJIT64.cpp:
159         (JSC::DFG::SpeculativeJIT::compile):
160         * jit/JITOpcodes.cpp:
161         (JSC::JIT::emit_op_create_this):
162         * jit/JITOpcodes32_64.cpp:
163         (JSC::JIT::emit_op_create_this):
164         * llint/LowLevelInterpreter32_64.asm:
165         * llint/LowLevelInterpreter64.asm:
166         * runtime/BooleanConstructor.cpp:
167         (JSC::constructWithBooleanConstructor):
168         * runtime/CommonSlowPaths.cpp:
169         (JSC::SLOW_PATH_DECL):
170         * runtime/DateConstructor.cpp:
171         (JSC::constructDate):
172         (JSC::constructWithDateConstructor):
173         * runtime/DateConstructor.h:
174         * runtime/ErrorConstructor.cpp:
175         (JSC::Interpreter::constructWithErrorConstructor):
176         * runtime/FunctionRareData.cpp:
177         (JSC::FunctionRareData::create):
178         (JSC::FunctionRareData::visitChildren):
179         (JSC::FunctionRareData::FunctionRareData):
180         (JSC::FunctionRareData::initializeObjectAllocationProfile):
181         (JSC::FunctionRareData::clear):
182         (JSC::FunctionRareData::finishCreation): Deleted.
183         (JSC::FunctionRareData::initialize): Deleted.
184         * runtime/FunctionRareData.h:
185         (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
186         (JSC::FunctionRareData::objectAllocationProfile):
187         (JSC::FunctionRareData::objectAllocationStructure):
188         (JSC::FunctionRareData::allocationProfileWatchpointSet):
189         (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
190         (JSC::FunctionRareData::internalFunctionAllocationStructure):
191         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
192         (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
193         (JSC::FunctionRareData::allocationProfile): Deleted.
194         (JSC::FunctionRareData::allocationStructure): Deleted.
195         (JSC::FunctionRareData::isInitialized): Deleted.
196         * runtime/InternalFunction.cpp:
197         (JSC::InternalFunction::createSubclassStructure):
198         * runtime/InternalFunction.h:
199         * runtime/JSArrayBufferConstructor.cpp:
200         (JSC::constructArrayBuffer):
201         * runtime/JSFunction.cpp:
202         (JSC::JSFunction::allocateRareData):
203         (JSC::JSFunction::allocateAndInitializeRareData):
204         (JSC::JSFunction::initializeRareData):
205         * runtime/JSFunction.h:
206         (JSC::JSFunction::rareData):
207         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
208         (JSC::constructGenericTypedArrayView):
209         * runtime/JSObject.h:
210         (JSC::JSFinalObject::typeInfo):
211         (JSC::JSFinalObject::createStructure):
212         * runtime/JSPromiseConstructor.cpp:
213         (JSC::constructPromise):
214         * runtime/JSPromiseConstructor.h:
215         * runtime/JSWeakMap.cpp:
216         * runtime/JSWeakSet.cpp:
217         * runtime/MapConstructor.cpp:
218         (JSC::constructMap):
219         * runtime/NativeErrorConstructor.cpp:
220         (JSC::Interpreter::constructWithNativeErrorConstructor):
221         * runtime/NumberConstructor.cpp:
222         (JSC::constructWithNumberConstructor):
223         * runtime/PrototypeMap.cpp:
224         (JSC::PrototypeMap::createEmptyStructure):
225         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
226         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
227         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
228         * runtime/PrototypeMap.h:
229         * runtime/RegExpConstructor.cpp:
230         (JSC::getRegExpStructure):
231         (JSC::constructRegExp):
232         (JSC::constructWithRegExpConstructor):
233         * runtime/RegExpConstructor.h:
234         * runtime/SetConstructor.cpp:
235         (JSC::constructSet):
236         * runtime/WeakMapConstructor.cpp:
237         (JSC::constructWeakMap):
238         * runtime/WeakSetConstructor.cpp:
239         (JSC::constructWeakSet):
240         * tests/stress/class-subclassing-misc.js:
241         (A):
242         (D):
243         (E):
244         (WM):
245         (WS):
246         (test):
247         * tests/stress/class-subclassing-typedarray.js: Added.
248         (test):
249
250 2016-01-11  Per Arne Vollan  <peavo@outlook.com>
251
252         [B3][Win64] Compile error.
253         https://bugs.webkit.org/show_bug.cgi?id=152984
254
255         Reviewed by Alex Christensen.
256
257         Windows does not have bzero; use memset instead.
258
259         * b3/air/AirIteratedRegisterCoalescing.cpp:
260
261 2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>
262
263         Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
264         https://bugs.webkit.org/show_bug.cgi?id=152923
265
266         Reviewed by Alex Christensen.
267
268         * jit/CallFrameShuffler.h:
269         (JSC::CallFrameShuffler::assumeCalleeIsCell):
270
271 2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>
272
273         [B3] Fix control reaches end of non-void function GCC warnings on Linux
274         https://bugs.webkit.org/show_bug.cgi?id=152887
275
276         Reviewed by Mark Lam.
277
278         * b3/B3LowerToAir.cpp:
279         (JSC::B3::Air::LowerToAir::createBranch):
280         (JSC::B3::Air::LowerToAir::createCompare):
281         (JSC::B3::Air::LowerToAir::createSelect):
282         * b3/B3Type.h:
283         (JSC::B3::sizeofType):
284         * b3/air/AirArg.cpp:
285         (JSC::B3::Air::Arg::isRepresentableAs):
286         * b3/air/AirArg.h:
287         (JSC::B3::Air::Arg::isAnyUse):
288         (JSC::B3::Air::Arg::isColdUse):
289         (JSC::B3::Air::Arg::isEarlyUse):
290         (JSC::B3::Air::Arg::isLateUse):
291         (JSC::B3::Air::Arg::isAnyDef):
292         (JSC::B3::Air::Arg::isEarlyDef):
293         (JSC::B3::Air::Arg::isLateDef):
294         (JSC::B3::Air::Arg::isZDef):
295         (JSC::B3::Air::Arg::widthForB3Type):
296         (JSC::B3::Air::Arg::isGP):
297         (JSC::B3::Air::Arg::isFP):
298         (JSC::B3::Air::Arg::isType):
299         (JSC::B3::Air::Arg::isValidForm):
300         * b3/air/AirCode.h:
301         (JSC::B3::Air::Code::newTmp):
302         (JSC::B3::Air::Code::numTmps):
303
304 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
305
306         Make it easier to introduce exotic instructions to Air
307         https://bugs.webkit.org/show_bug.cgi?id=152953
308
309         Reviewed by Benjamin Poulain.
310
311         Currently, you can define new "opcodes" in Air using either:
312
313         1) New opcode declared in AirOpcode.opcodes.
314         2) Patch opcode with a new implementation of Air::Special.
315
316         With (1), you are limited to fixed-argument-length instructions. There are other
317         restrictions as well, like that you can only use the roles that the AirOpcode syntax
318         supports.
319
320         With (2), you can do anything you like, but the instruction will be harder to match
321         since it will share the same opcode as any other Patch. Also, the instruction will have
322         the Special argument, which means more busy-work when creating the instruction and
323         validating it.
324
325         This introduces an in-between facility called "custom". This replaces what AirOpcode
326         previously called "special". A custom instruction is one whose behavior is defined by a
327         FooCustom struct with some static methods. Calls to those methods are emitted by
328         opcode_generator.rb.
329
330         The "custom" facility is powerful enough to be used to implement Patch, with the caveat
331         that we now treat the Patch instruction specially in a few places. Those places were
332         already effectively treating it specially by assuming that only Patch instructions have
333         a Special as their first argument.
334
335         This will let me implement the Shuffle instruction (bug 152952), which I think is needed
336         for performance work.
337
338         * JavaScriptCore.xcodeproj/project.pbxproj:
339         * b3/air/AirCustom.h: Added.
340         (JSC::B3::Air::PatchCustom::forEachArg):
341         (JSC::B3::Air::PatchCustom::isValidFormStatic):
342         (JSC::B3::Air::PatchCustom::isValidForm):
343         (JSC::B3::Air::PatchCustom::admitsStack):
344         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
345         (JSC::B3::Air::PatchCustom::generate):
346         * b3/air/AirHandleCalleeSaves.cpp:
347         (JSC::B3::Air::handleCalleeSaves):
348         * b3/air/AirInst.h:
349         * b3/air/AirInstInlines.h:
350         (JSC::B3::Air::Inst::forEach):
351         (JSC::B3::Air::Inst::extraClobberedRegs):
352         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
353         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
354         (JSC::B3::Air::Inst::reportUsedRegisters):
355         (JSC::B3::Air::Inst::hasSpecial): Deleted.
356         * b3/air/AirOpcode.opcodes:
357         * b3/air/AirReportUsedRegisters.cpp:
358         (JSC::B3::Air::reportUsedRegisters):
359         * b3/air/opcode_generator.rb:
360
361 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
362
363         Turn Check(true) into Patchpoint() followed by Oops
364         https://bugs.webkit.org/show_bug.cgi?id=152968
365
366         Reviewed by Benjamin Poulain.
367
368         This is an obvious strength reduction to have, especially since if we discover that the
369         input to the Check is true after some amount of B3 optimization, then stubbing out the rest
370         of the basic block unlocks CFG simplification opportunities.
371
372         It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
373         implement sinking (bug 152162).
374
375         * b3/B3ControlValue.cpp:
376         (JSC::B3::ControlValue::convertToJump):
377         (JSC::B3::ControlValue::convertToOops):
378         (JSC::B3::ControlValue::dumpMeta):
379         * b3/B3ControlValue.h:
380         * b3/B3InsertionSet.h:
381         (JSC::B3::InsertionSet::insertValue):
382         * b3/B3InsertionSetInlines.h:
383         (JSC::B3::InsertionSet::insert):
384         * b3/B3ReduceStrength.cpp:
385         * b3/B3StackmapValue.h:
386         * b3/B3Value.h:
387         * tests/stress/ftl-force-osr-exit.js: Added.
388
389 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
390
391         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
392         https://bugs.webkit.org/show_bug.cgi?id=152840
393
394         Reviewed by Mark Lam.
395
396         ARM64 has two kinds of addressing with immediates:
397         -Signed 9-bit direct (really only -256 to 255).
398         -Unsigned 12-bit scaled by the load/store size.
399
400         When resolving the stack addresses, we easily run
401         past -256 bytes from FP. Addressing from SP gives us more
402         room to address the stack efficiently because we can
403         use unsigned immediates.
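Added example (my code, not the patch's): the two ARM64 immediate offset forms described above, classified for a given access size, and the FP-first, SP-fallback choice the entry makes for a stack slot. The frame model (SP = FP - frameSize, slots at negative FP offsets) and the names in namespace `arm64addr` are assumptions of the example.

```cpp
#include <cstdint>

namespace arm64addr {

enum class OffsetForm { Unscaled9, Scaled12, NotEncodable };
enum class BaseRegister { FP, SP };

// Classify a byte offset for a load/store of `accessBytes` (1, 2, 4 or 8).
OffsetForm classifyOffset(int64_t offset, unsigned accessBytes)
{
    if (!accessBytes)
        return OffsetForm::NotEncodable;
    // LDR/STR (unsigned offset): a 12-bit immediate scaled by the access size, so the
    // byte offset must be non-negative, a multiple of the size and at most 4095 * size.
    if (offset >= 0 && offset % accessBytes == 0 && offset / accessBytes <= 4095)
        return OffsetForm::Scaled12;
    // LDUR/STUR: a signed 9-bit byte offset, -256..255, with no alignment requirement.
    if (offset >= -256 && offset <= 255)
        return OffsetForm::Unscaled9;
    return OffsetForm::NotEncodable;
}

struct StackAddress {
    bool encodable;
    BaseRegister base;
    int64_t offset;
    OffsetForm form;
};

// Resolve a stack slot given as an offset from FP (negative for slots below FP). The frame
// occupies [SP, FP) and is `frameSize` bytes, so the same slot sits at fpOffset + frameSize
// from SP. FP is tried first; SP is used only when the FP-relative offset is not encodable.
StackAddress resolveStackSlot(int64_t fpOffset, int64_t frameSize, unsigned accessBytes)
{
    OffsetForm fromFP = classifyOffset(fpOffset, accessBytes);
    if (fromFP != OffsetForm::NotEncodable)
        return { true, BaseRegister::FP, fpOffset, fromFP };

    int64_t spOffset = fpOffset + frameSize;
    OffsetForm fromSP = classifyOffset(spOffset, accessBytes);
    if (spOffset >= 0 && fromSP != OffsetForm::NotEncodable)
        return { true, BaseRegister::SP, spOffset, fromSP };

    // Neither base reaches the slot with an immediate; the offset would have to be
    // materialized in a scratch register first.
    return { false, BaseRegister::FP, fpOffset, OffsetForm::NotEncodable };
}

} // namespace arm64addr
```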
404
405         * b3/B3StackmapSpecial.cpp:
406         (JSC::B3::StackmapSpecial::repForArg):
407         * b3/air/AirAllocateStack.cpp:
408         (JSC::B3::Air::allocateStack):
409
410 2016-01-10  Saam Barati  <sbarati@apple.com>
411
412         Implement a sampling profiler
413         https://bugs.webkit.org/show_bug.cgi?id=151713
414
415         Reviewed by Filip Pizlo.
416
417         This patch implements a sampling profiler for JavaScriptCore
418         that will be used in the Inspector UI. The implementation works as follows:
419         We queue the sampling profiler to run a task on a background
420         thread every 1ms. When the queued task executes, the sampling profiler
421         will pause the JSC execution thread and attempt to take a stack trace. 
422         The sampling profiler does everything it can to be very careful
423         while taking this stack trace. Because it's reading arbitrary memory,
424         the sampling profiler must validate every pointer it reads from.
425
426         The sampling profiler tries to get an ExecutableBase for every call frame
427         it reads. It first tries to read the CodeBlock slot. It does this because
428         it can be 100% certain that a pointer is a CodeBlock while it's taking a
429         stack trace. But, not every call frame will have a CodeBlock. So we must read
430         the call frame's callee. For these stack traces where we read the callee, we
431         must verify the callee pointer, and the pointer traversal to an ExecutableBase,
432         on the main JSC execution thread, and not on the thread taking the stack
433         trace. We do this verification either before we run the marking phase in
434         GC, or when somebody asks the SamplingProfiler to materialize its data.
435
436         The SamplingProfiler must also be careful to not grab any locks while the JSC execution
437         thread is paused (this means it can't do anything that mallocs) because
438         that could cause a deadlock. Therefore, the sampling profiler grabs
439         locks for all data structures it consults before it pauses the JSC
440         execution thread.
441
442         * CMakeLists.txt:
443         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
444         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
445         * JavaScriptCore.xcodeproj/project.pbxproj:
446         * bytecode/CodeBlock.h:
447         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
448         (JSC::CodeBlockSet::mark):
449         * dfg/DFGNodeType.h:
450         * heap/CodeBlockSet.cpp:
451         (JSC::CodeBlockSet::add):
452         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
453         (JSC::CodeBlockSet::clearMarksForFullCollection):
454         (JSC::CodeBlockSet::lastChanceToFinalize):
455         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
456         (JSC::CodeBlockSet::contains):
457         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
458         (JSC::CodeBlockSet::remove): Deleted.
459         * heap/CodeBlockSet.h:
460         (JSC::CodeBlockSet::getLock):
461         (JSC::CodeBlockSet::iterate):
462         The sampling profiler uses the heap's CodeBlockSet to validate
463         CodeBlock pointers. This data structure must now be under a lock
464         because we must be certain we're not pausing the JSC execution thread
465         while it's manipulating this data structure.
466
467         * heap/ConservativeRoots.cpp:
468         (JSC::ConservativeRoots::ConservativeRoots):
469         (JSC::ConservativeRoots::grow):
470         (JSC::ConservativeRoots::genericAddPointer):
471         (JSC::ConservativeRoots::genericAddSpan):
472         (JSC::ConservativeRoots::add):
473         (JSC::CompositeMarkHook::CompositeMarkHook):
474         (JSC::CompositeMarkHook::mark):
475         * heap/ConservativeRoots.h:
476         * heap/Heap.cpp:
477         (JSC::Heap::markRoots):
478         (JSC::Heap::visitHandleStack):
479         (JSC::Heap::visitSamplingProfiler):
480         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
481         (JSC::Heap::snapshotMarkedSpace):
482         * heap/Heap.h:
483         (JSC::Heap::structureIDTable):
484         (JSC::Heap::codeBlockSet):
485         * heap/MachineStackMarker.cpp:
486         (pthreadSignalHandlerSuspendResume):
487         (JSC::getCurrentPlatformThread):
488         (JSC::MachineThreads::MachineThreads):
489         (JSC::MachineThreads::~MachineThreads):
490         (JSC::MachineThreads::Thread::createForCurrentThread):
491         (JSC::MachineThreads::Thread::operator==):
492         (JSC::isThreadInList):
493         (JSC::MachineThreads::addCurrentThread):
494         (JSC::MachineThreads::machineThreadForCurrentThread):
495         (JSC::MachineThreads::removeThread):
496         (JSC::MachineThreads::gatherFromCurrentThread):
497         (JSC::MachineThreads::Thread::Thread):
498         (JSC::MachineThreads::Thread::~Thread):
499         (JSC::MachineThreads::Thread::suspend):
500         (JSC::MachineThreads::Thread::resume):
501         (JSC::MachineThreads::Thread::getRegisters):
502         (JSC::MachineThreads::Thread::Registers::stackPointer):
503         (JSC::MachineThreads::Thread::Registers::framePointer):
504         (JSC::MachineThreads::Thread::Registers::instructionPointer):
505         (JSC::MachineThreads::Thread::freeRegisters):
506         (JSC::MachineThreads::tryCopyOtherThreadStacks):
507         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
508         (JSC::MachineThreads::Thread::operator!=): Deleted.
509         * heap/MachineStackMarker.h:
510         (JSC::MachineThreads::Thread::operator!=):
511         (JSC::MachineThreads::getLock):
512         (JSC::MachineThreads::threadsListHead):
513         We can now ask a MachineThreads::Thread for its frame pointer
514         and program counter on Darwin and Windows platforms. EFL
515         and GTK implementations will happen in another patch.
516
517         * heap/MarkedBlockSet.h:
518         (JSC::MarkedBlockSet::getLock):
519         (JSC::MarkedBlockSet::add):
520         (JSC::MarkedBlockSet::remove):
521         (JSC::MarkedBlockSet::recomputeFilter):
522         (JSC::MarkedBlockSet::filter):
523         (JSC::MarkedBlockSet::set):
524         * heap/MarkedSpace.cpp:
525         (JSC::Free::Free):
526         (JSC::Free::operator()):
527         (JSC::FreeOrShrink::FreeOrShrink):
528         (JSC::FreeOrShrink::operator()):
529         (JSC::MarkedSpace::~MarkedSpace):
530         (JSC::MarkedSpace::isPagedOut):
531         (JSC::MarkedSpace::freeBlock):
532         (JSC::MarkedSpace::freeOrShrinkBlock):
533         (JSC::MarkedSpace::shrink):
534         * heap/MarkedSpace.h:
535         (JSC::MarkedSpace::forEachLiveCell):
536         (JSC::MarkedSpace::forEachDeadCell):
537         * interpreter/CallFrame.h:
538         (JSC::ExecState::calleeAsValue):
539         (JSC::ExecState::callee):
540         (JSC::ExecState::unsafeCallee):
541         (JSC::ExecState::codeBlock):
542         (JSC::ExecState::scope):
543         * jit/ExecutableAllocator.cpp:
544         (JSC::ExecutableAllocator::dumpProfile):
545         (JSC::ExecutableAllocator::getLock):
546         (JSC::ExecutableAllocator::isValidExecutableMemory):
547         * jit/ExecutableAllocator.h:
548         * jit/ExecutableAllocatorFixedVMPool.cpp:
549         (JSC::ExecutableAllocator::allocate):
550         (JSC::ExecutableAllocator::isValidExecutableMemory):
551         (JSC::ExecutableAllocator::getLock):
552         (JSC::ExecutableAllocator::committedByteCount):
553         The sampling profiler consults the ExecutableAllocator to check
554         if the frame pointer it reads is in executable allocated memory.
555
556         * jsc.cpp:
557         (GlobalObject::finishCreation):
558         (functionCheckModuleSyntax):
559         (functionStartSamplingProfiler):
560         (functionSamplingProfilerStackTraces):
561         * llint/LLIntPCRanges.h: Added.
562         (JSC::LLInt::isLLIntPC):
563         * offlineasm/asm.rb:
564         I added the ability to test whether the PC is executing
565         LLInt code because this code is not part of the memory
566         our executable allocator allocates.
567
568         * runtime/Executable.h:
569         (JSC::ExecutableBase::isModuleProgramExecutable):
570         (JSC::ExecutableBase::isExecutableType):
571         (JSC::ExecutableBase::isHostFunction):
572         * runtime/JSLock.cpp:
573         (JSC::JSLock::didAcquireLock):
574         (JSC::JSLock::unlock):
575         * runtime/Options.h:
576         * runtime/SamplingProfiler.cpp: Added.
577         (JSC::reportStats):
578         (JSC::FrameWalker::FrameWalker):
579         (JSC::FrameWalker::walk):
580         (JSC::FrameWalker::wasValidWalk):
581         (JSC::FrameWalker::advanceToParentFrame):
582         (JSC::FrameWalker::isAtTop):
583         (JSC::FrameWalker::resetAtMachineFrame):
584         (JSC::FrameWalker::isValidFramePointer):
585         (JSC::FrameWalker::isValidCodeBlock):
586         (JSC::FrameWalker::tryToGetExecutableFromCallee):
587         The FrameWalker class is used to walk the stack in a safe
588         manner. It doesn't do anything that would deadlock, and it
589         validates all pointers that it sees.
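The implementation overview at the top of this entry and the FrameWalker note just above describe the same defensive stack walk; the C++ below is an added model of it, not JSC's FrameWalker. It walks a constructed image of a paused thread, checks each frame pointer for alignment and stack bounds, requires frames to move monotonically toward the stack's high end so a corrupted chain cannot loop, and accepts a PC only inside a known code range; the frame layout (saved FP then return address at the frame pointer) and every address are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

namespace walker {

// Constructed snapshot of a paused thread. The stack is a word array whose element 0 sits
// at `stackBase`; a frame record at address fp holds [saved caller FP][return address].
struct ThreadImage {
    std::vector<uint64_t> stackWords;
    uint64_t stackBase = 0;
    uint64_t codeStart = 0, codeEnd = 0;   // the only range a PC is allowed to point into
    uint64_t fp = 0, pc = 0;               // registers captured when the thread was paused

    uint64_t stackLimit() const { return stackBase + stackWords.size() * 8; }
};

struct WalkResult {
    std::vector<uint64_t> pcs;   // PCs recovered, innermost first
    bool valid = false;          // true only if the walk reached the outermost frame cleanly
};

class FrameWalker {
public:
    explicit FrameWalker(const ThreadImage& image) : m_image(image) { }

    // Every pointer is checked before it is dereferenced; the walk takes no locks and
    // writes only into the result it returns.
    WalkResult walk(size_t maxFrames = 64) const
    {
        WalkResult result;
        uint64_t pc = m_image.pc;
        uint64_t fp = m_image.fp;
        uint64_t lowestAcceptableFP = m_image.stackBase;
        for (size_t i = 0; i < maxFrames; ++i) {
            if (!isValidPC(pc))
                return result;                           // not in known code: give up
            if (fp && !isValidFramePointer(fp, lowestAcceptableFP))
                return result;                           // corrupt or looping chain: give up
            result.pcs.push_back(pc);
            if (!fp) {
                result.valid = true;                     // outermost frame reached
                return result;
            }
            uint64_t callerFP = readWord(fp);
            uint64_t returnPC = readWord(fp + 8);
            lowestAcceptableFP = fp + 16;                // callers must live above this frame
            fp = callerFP;
            pc = returnPC;
        }
        return result;                                   // too deep to trust
    }

private:
    bool isValidPC(uint64_t pc) const { return pc >= m_image.codeStart && pc < m_image.codeEnd; }

    // Aligned, inside the stack with room for the two-word record, and above the previous frame.
    bool isValidFramePointer(uint64_t fp, uint64_t lowest) const
    {
        return !(fp & 7) && fp >= lowest && fp + 16 <= m_image.stackLimit();
    }

    // Only called on addresses isValidFramePointer has accepted.
    uint64_t readWord(uint64_t address) const { return m_image.stackWords[(address - m_image.stackBase) / 8]; }

    ThreadImage m_image;
};

// Constructed sample: three frames, innermost at the lowest address, outermost with a zero
// saved FP. All addresses are made up for the example.
ThreadImage makeSampleImage()
{
    ThreadImage image;
    image.stackBase = 0x700000000000ULL;
    image.codeStart = 0x10000000ULL;
    image.codeEnd = 0x10001000ULL;
    image.stackWords.assign(16, 0);
    image.stackWords[0] = image.stackBase + 0x20;  // frame A: caller is frame B
    image.stackWords[1] = 0x10000100ULL;
    image.stackWords[4] = image.stackBase + 0x40;  // frame B: caller is frame C
    image.stackWords[5] = 0x10000200ULL;
    image.stackWords[8] = 0;                       // frame C: outermost
    image.stackWords[9] = 0x10000300ULL;
    image.fp = image.stackBase;
    image.pc = 0x10000010ULL;
    return image;
}

// Same image, but frame B's saved FP points back down at frame A: a loop that an
// unchecked walker would follow forever.
ThreadImage makeCorruptedImage()
{
    ThreadImage image = makeSampleImage();
    image.stackWords[4] = image.stackBase;
    return image;
}

} // namespace walker
```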
590
591         (JSC::SamplingProfiler::SamplingProfiler):
592         (JSC::SamplingProfiler::~SamplingProfiler):
593         (JSC::SamplingProfiler::visit):
594         (JSC::SamplingProfiler::shutdown):
595         (JSC::SamplingProfiler::start):
596         (JSC::SamplingProfiler::stop):
597         (JSC::SamplingProfiler::pause):
598         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
599         (JSC::SamplingProfiler::dispatchIfNecessary):
600         (JSC::SamplingProfiler::dispatchFunction):
601         (JSC::SamplingProfiler::noticeJSLockAcquisition):
602         (JSC::SamplingProfiler::noticeVMEntry):
603         (JSC::SamplingProfiler::observeStackTrace):
604         (JSC::SamplingProfiler::clearData):
605         (JSC::displayName):
606         (JSC::startLine):
607         (JSC::startColumn):
608         (JSC::sourceID):
609         (JSC::url):
610         (JSC::SamplingProfiler::stacktracesAsJSON):
611         * runtime/SamplingProfiler.h: Added.
612         (JSC::SamplingProfiler::getLock):
613         (JSC::SamplingProfiler::setTimingInterval):
614         (JSC::SamplingProfiler::stackTraces):
615         * runtime/VM.cpp:
616         (JSC::VM::VM):
617         (JSC::VM::~VM):
618         (JSC::VM::setLastStackTop):
619         (JSC::VM::createContextGroup):
620         (JSC::VM::ensureWatchdog):
621         (JSC::VM::ensureSamplingProfiler):
622         (JSC::thunkGeneratorForIntrinsic):
623         * runtime/VM.h:
624         (JSC::VM::watchdog):
625         (JSC::VM::isSafeToRecurse):
626         (JSC::VM::lastStackTop):
627         (JSC::VM::scratchBufferForSize):
628         (JSC::VM::samplingProfiler):
629         (JSC::VM::setShouldRewriteConstAsVar):
630         (JSC::VM::setLastStackTop): Deleted.
631         * runtime/VMEntryScope.cpp:
632         (JSC::VMEntryScope::VMEntryScope):
633         * tests/stress/sampling-profiler: Added.
634         * tests/stress/sampling-profiler-anonymous-function.js: Added.
635         (foo):
636         (baz):
637         * tests/stress/sampling-profiler-basic.js: Added.
638         (bar):
639         (foo):
640         (nothing):
641         (top):
642         (jaz):
643         (kaz):
644         (checkInlining):
645         * tests/stress/sampling-profiler-deep-stack.js: Added.
646         (foo):
647         (hellaDeep):
648         (start):
649         * tests/stress/sampling-profiler-microtasks.js: Added.
650         (testResults):
651         (loop.jaz):
652         (loop):
653         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
654         (assert):
655         (let.nodePrototype.makeChildIfNeeded):
656         (makeNode):
657         (updateCallingContextTree):
658         (doesTreeHaveStackTrace):
659         (makeTree):
660         (runTest):
661         (dumpTree):
662         * tools/JSDollarVMPrototype.cpp:
663         (JSC::JSDollarVMPrototype::isInObjectSpace):
664         (JSC::JSDollarVMPrototype::isInStorageSpace):
665         * yarr/YarrJIT.cpp:
666         (JSC::Yarr::YarrGenerator::generateEnter):
667         (JSC::Yarr::YarrGenerator::generateReturn):
668         (JSC::Yarr::YarrGenerator::YarrGenerator):
669         (JSC::Yarr::YarrGenerator::compile):
670         (JSC::Yarr::jitCompile):
671         We now have a boolean that's set to true when
672         we're executing a RegExp, and to false otherwise.
673         The boolean lives off of VM.
674
675         * CMakeLists.txt:
676         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
677         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
678         * JavaScriptCore.xcodeproj/project.pbxproj:
679         * bytecode/CodeBlock.h:
680         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
681         (JSC::CodeBlockSet::mark):
682         * dfg/DFGNodeType.h:
683         * heap/CodeBlockSet.cpp:
684         (JSC::CodeBlockSet::add):
685         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
686         (JSC::CodeBlockSet::clearMarksForFullCollection):
687         (JSC::CodeBlockSet::lastChanceToFinalize):
688         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
689         (JSC::CodeBlockSet::contains):
690         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
691         (JSC::CodeBlockSet::remove): Deleted.
692         * heap/CodeBlockSet.h:
693         (JSC::CodeBlockSet::getLock):
694         (JSC::CodeBlockSet::iterate):
695         * heap/ConservativeRoots.cpp:
696         (JSC::ConservativeRoots::ConservativeRoots):
697         (JSC::ConservativeRoots::genericAddPointer):
698         (JSC::ConservativeRoots::add):
699         (JSC::CompositeMarkHook::CompositeMarkHook):
700         (JSC::CompositeMarkHook::mark):
701         * heap/ConservativeRoots.h:
702         * heap/Heap.cpp:
703         (JSC::Heap::markRoots):
704         (JSC::Heap::visitHandleStack):
705         (JSC::Heap::visitSamplingProfiler):
706         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
707         * heap/Heap.h:
708         (JSC::Heap::structureIDTable):
709         (JSC::Heap::codeBlockSet):
710         * heap/HeapInlines.h:
711         (JSC::Heap::didFreeBlock):
712         (JSC::Heap::isPointerGCObject):
713         (JSC::Heap::isValueGCObject):
714         * heap/MachineStackMarker.cpp:
715         (pthreadSignalHandlerSuspendResume):
716         (JSC::getCurrentPlatformThread):
717         (JSC::MachineThreads::MachineThreads):
718         (JSC::MachineThreads::~MachineThreads):
719         (JSC::MachineThreads::Thread::createForCurrentThread):
720         (JSC::MachineThreads::Thread::operator==):
721         (JSC::isThreadInList):
722         (JSC::MachineThreads::addCurrentThread):
723         (JSC::MachineThreads::machineThreadForCurrentThread):
724         (JSC::MachineThreads::removeThread):
725         (JSC::MachineThreads::gatherFromCurrentThread):
726         (JSC::MachineThreads::Thread::Thread):
727         (JSC::MachineThreads::Thread::~Thread):
728         (JSC::MachineThreads::Thread::suspend):
729         (JSC::MachineThreads::Thread::resume):
730         (JSC::MachineThreads::Thread::getRegisters):
731         (JSC::MachineThreads::Thread::Registers::stackPointer):
732         (JSC::MachineThreads::Thread::Registers::framePointer):
733         (JSC::MachineThreads::Thread::Registers::instructionPointer):
734         (JSC::MachineThreads::Thread::freeRegisters):
735         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
736         (JSC::MachineThreads::Thread::operator!=): Deleted.
737         * heap/MachineStackMarker.h:
738         (JSC::MachineThreads::Thread::operator!=):
739         (JSC::MachineThreads::getLock):
740         (JSC::MachineThreads::threadsListHead):
741         * heap/MarkedBlockSet.h:
742         * heap/MarkedSpace.cpp:
743         (JSC::Free::Free):
744         (JSC::Free::operator()):
745         (JSC::FreeOrShrink::FreeOrShrink):
746         (JSC::FreeOrShrink::operator()):
747         * interpreter/CallFrame.h:
748         (JSC::ExecState::calleeAsValue):
749         (JSC::ExecState::callee):
750         (JSC::ExecState::unsafeCallee):
751         (JSC::ExecState::codeBlock):
752         (JSC::ExecState::scope):
753         * jit/ExecutableAllocator.cpp:
754         (JSC::ExecutableAllocator::dumpProfile):
755         (JSC::ExecutableAllocator::getLock):
756         (JSC::ExecutableAllocator::isValidExecutableMemory):
757         * jit/ExecutableAllocator.h:
758         * jit/ExecutableAllocatorFixedVMPool.cpp:
759         (JSC::ExecutableAllocator::allocate):
760         (JSC::ExecutableAllocator::isValidExecutableMemory):
761         (JSC::ExecutableAllocator::getLock):
762         (JSC::ExecutableAllocator::committedByteCount):
763         * jsc.cpp:
764         (GlobalObject::finishCreation):
765         (functionCheckModuleSyntax):
766         (functionPlatformSupportsSamplingProfiler):
767         (functionStartSamplingProfiler):
768         (functionSamplingProfilerStackTraces):
769         * llint/LLIntPCRanges.h: Added.
770         (JSC::LLInt::isLLIntPC):
771         * offlineasm/asm.rb:
772         * runtime/Executable.h:
773         (JSC::ExecutableBase::isModuleProgramExecutable):
774         (JSC::ExecutableBase::isExecutableType):
775         (JSC::ExecutableBase::isHostFunction):
776         * runtime/JSLock.cpp:
777         (JSC::JSLock::didAcquireLock):
778         (JSC::JSLock::unlock):
779         * runtime/Options.h:
780         * runtime/SamplingProfiler.cpp: Added.
781         (JSC::reportStats):
782         (JSC::FrameWalker::FrameWalker):
783         (JSC::FrameWalker::walk):
784         (JSC::FrameWalker::wasValidWalk):
785         (JSC::FrameWalker::advanceToParentFrame):
786         (JSC::FrameWalker::isAtTop):
787         (JSC::FrameWalker::resetAtMachineFrame):
788         (JSC::FrameWalker::isValidFramePointer):
789         (JSC::FrameWalker::isValidCodeBlock):
790         (JSC::SamplingProfiler::SamplingProfiler):
791         (JSC::SamplingProfiler::~SamplingProfiler):
792         (JSC::SamplingProfiler::processUnverifiedStackTraces):
793         (JSC::SamplingProfiler::visit):
794         (JSC::SamplingProfiler::shutdown):
795         (JSC::SamplingProfiler::start):
796         (JSC::SamplingProfiler::stop):
797         (JSC::SamplingProfiler::pause):
798         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
799         (JSC::SamplingProfiler::dispatchIfNecessary):
800         (JSC::SamplingProfiler::dispatchFunction):
801         (JSC::SamplingProfiler::noticeJSLockAcquisition):
802         (JSC::SamplingProfiler::noticeVMEntry):
803         (JSC::SamplingProfiler::clearData):
804         (JSC::displayName):
805         (JSC::SamplingProfiler::stacktracesAsJSON):
806         (WTF::printInternal):
807         * runtime/SamplingProfiler.h: Added.
808         (JSC::SamplingProfiler::StackFrame::StackFrame):
809         (JSC::SamplingProfiler::getLock):
810         (JSC::SamplingProfiler::setTimingInterval):
811         (JSC::SamplingProfiler::stackTraces):
812         * runtime/VM.cpp:
813         (JSC::VM::VM):
814         (JSC::VM::~VM):
815         (JSC::VM::setLastStackTop):
816         (JSC::VM::createContextGroup):
817         (JSC::VM::ensureWatchdog):
818         (JSC::VM::ensureSamplingProfiler):
819         (JSC::thunkGeneratorForIntrinsic):
820         * runtime/VM.h:
821         (JSC::VM::watchdog):
822         (JSC::VM::samplingProfiler):
823         (JSC::VM::isSafeToRecurse):
824         (JSC::VM::lastStackTop):
825         (JSC::VM::scratchBufferForSize):
826         (JSC::VM::setLastStackTop): Deleted.
827         * runtime/VMEntryScope.cpp:
828         (JSC::VMEntryScope::VMEntryScope):
829         * tests/stress/sampling-profiler: Added.
830         * tests/stress/sampling-profiler-anonymous-function.js: Added.
831         (platformSupportsSamplingProfiler.foo):
832         (platformSupportsSamplingProfiler.baz):
833         (platformSupportsSamplingProfiler):
834         * tests/stress/sampling-profiler-basic.js: Added.
835         (platformSupportsSamplingProfiler.bar):
836         (platformSupportsSamplingProfiler.foo):
837         (platformSupportsSamplingProfiler.nothing):
838         (platformSupportsSamplingProfiler.top):
839         (platformSupportsSamplingProfiler.jaz):
840         (platformSupportsSamplingProfiler.kaz):
841         (platformSupportsSamplingProfiler.checkInlining):
842         (platformSupportsSamplingProfiler):
843         * tests/stress/sampling-profiler-deep-stack.js: Added.
844         (platformSupportsSamplingProfiler.foo):
845         (platformSupportsSamplingProfiler.let.hellaDeep):
846         (platformSupportsSamplingProfiler.let.start):
847         (platformSupportsSamplingProfiler):
848         * tests/stress/sampling-profiler-microtasks.js: Added.
849         (platformSupportsSamplingProfiler.testResults):
850         (platformSupportsSamplingProfiler):
851         (platformSupportsSamplingProfiler.loop.jaz):
852         (platformSupportsSamplingProfiler.loop):
853         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
854         (assert):
855         (let.nodePrototype.makeChildIfNeeded):
856         (makeNode):
857         (updateCallingContextTree):
858         (doesTreeHaveStackTrace):
859         (makeTree):
860         (runTest):
861         (dumpTree):
862         * yarr/YarrJIT.cpp:
863         (JSC::Yarr::YarrGenerator::generateEnter):
864         (JSC::Yarr::YarrGenerator::generateReturn):
865         (JSC::Yarr::YarrGenerator::YarrGenerator):
866         (JSC::Yarr::YarrGenerator::compile):
867         (JSC::Yarr::jitCompile):
868
869 2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
870
871         [JSC] Iterating over a Set/Map is too slow
872         https://bugs.webkit.org/show_bug.cgi?id=152691
873
874         Reviewed by Saam Barati.
875
876         Set#forEach and Set & for-of are very slow. There are 2 reasons.
877
878         1. forEach is implemented in C++, and it typically takes a JS callback and calls it from C++.
879
880         The C++ to JS transition seems costly. The perf result on a Linux machine shows this.
881
882             Samples: 23K of event 'cycles', Event count (approx.): 21446074385
883             34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
884             20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
885              9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
886              7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
887              5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f
888
889         Writing forEach in JS eliminates this.
890
891             Samples: 23K of event 'cycles', Event count (approx.): 21255691651
892             62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
893             24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
894              0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
895              0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
896              0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
897              0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
898              0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)
899
900         2. Iterator result object allocation is costly.
901
902         Iterator result object allocation is costly. Even if (1) is solved, when executing Set & for-of, the perf result shows very slow performance due to (2).
903
904             Samples: 108K of event 'cycles', Event count (approx.): 95529273748
905             18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
906             15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
907             14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
908             13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
909              6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const
910
911         In the long term, we should implement SetIterator#next in JS and write the iterator result object allocation in JS to encourage object allocation elimination in FTL.
912         But seeing the perf result, we can find an easy-to-fix bottleneck in the current implementation.
913         Every time, createIteratorResultObject creates an empty object and uses putDirect to store the properties.
914         A pre-baked Structure* with the `done` and `value` properties makes this implementation fast.
915
916         After these improvements, the micro benchmark[1] shows the following.
917
918         old:
919             Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
920             Array x 376,156 ops/sec ±0.20% (162 runs sampled)
921             Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
922             Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
923             Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
924             Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)
925
926         new:
927             Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
928             Array x 371,347 ops/sec ±0.36% (162 runs sampled)
929             Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
930             Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
931             Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
932             Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)
933
934         Set#forEach becomes comparable to Array#forEach. And Set#forEach and Set & for-of are improved (1.79x, and 2.57x).
935         After these optimizations, they are still much slower than the linked list and the array.
936         This should be optimized in the long term.
937
938         [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0
939
940         * CMakeLists.txt:
941         * DerivedSources.make:
942         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
943         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
944         * JavaScriptCore.xcodeproj/project.pbxproj:
945         * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
946         (forEach):
947         * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
948         (forEach):
949         * runtime/CommonIdentifiers.h:
950         * runtime/IteratorOperations.cpp:
951         (JSC::createIteratorResultObjectStructure):
952         (JSC::createIteratorResultObject):
953         * runtime/IteratorOperations.h:
954         * runtime/JSGlobalObject.cpp:
955         (JSC::JSGlobalObject::init):
956         (JSC::JSGlobalObject::visitChildren):
957         * runtime/JSGlobalObject.h:
958         (JSC::JSGlobalObject::iteratorResultObjectStructure):
959         (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
960         (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
961         * runtime/MapPrototype.cpp:
962         (JSC::MapPrototype::getOwnPropertySlot):
963         (JSC::privateFuncIsMap):
964         (JSC::privateFuncMapIterator):
965         (JSC::privateFuncMapIteratorNext):
966         (JSC::MapPrototype::finishCreation): Deleted.
967         (JSC::mapProtoFuncForEach): Deleted.
968         * runtime/MapPrototype.h:
969         * runtime/SetPrototype.cpp:
970         (JSC::SetPrototype::getOwnPropertySlot):
971         (JSC::privateFuncIsSet):
972         (JSC::privateFuncSetIterator):
973         (JSC::privateFuncSetIteratorNext):
974         (JSC::SetPrototype::finishCreation): Deleted.
975         (JSC::setProtoFuncForEach): Deleted.
976         * runtime/SetPrototype.h:
977
978 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
979
980         Unreviewed, fix ARM64 build.
981
982         * b3/air/AirOpcode.opcodes:
983
984 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
985
986         B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
987         https://bugs.webkit.org/show_bug.cgi?id=152955
988
989         Reviewed by Saam Barati.
990
991         This happens when we box an int32 and then immediately unbox it.
992
993         This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
994         benchmark. It's neutral elsewhere.
995
996         * b3/B3ReduceStrength.cpp:
997         * b3/testb3.cpp:
998         (JSC::B3::testPowDoubleByIntegerLoop):
999         (JSC::B3::testTruncOrHigh):
1000         (JSC::B3::testTruncOrLow):
1001         (JSC::B3::testBitAndOrHigh):
1002         (JSC::B3::testBitAndOrLow):
1003         (JSC::B3::zero):
1004         (JSC::B3::run):
1005
1006 2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
1007
1008         [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
1009         https://bugs.webkit.org/show_bug.cgi?id=149855
1010
1011         Reviewed by Saam Barati.
1012
1013         JSArrowFunction.h/cpp were removed from JavaScriptCore, because a new approach is now used for storing
1014         'this', 'arguments' and 'super'.
1015
1016         * CMakeLists.txt:
1017         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1018         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1019         * JavaScriptCore.xcodeproj/project.pbxproj:
1020         * dfg/DFGAbstractInterpreterInlines.h:
1021         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1022         * dfg/DFGSpeculativeJIT.cpp:
1023         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1024         * dfg/DFGStructureRegistrationPhase.cpp:
1025         (JSC::DFG::StructureRegistrationPhase::run):
1026         * ftl/FTLAbstractHeapRepository.cpp:
1027         * ftl/FTLAbstractHeapRepository.h:
1028         * ftl/FTLLowerDFGToLLVM.cpp:
1029         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
1030         * interpreter/Interpreter.cpp:
1031         * interpreter/Interpreter.h:
1032         * jit/JITOpcodes.cpp:
1033         * jit/JITOpcodes32_64.cpp:
1034         * jit/JITOperations.cpp:
1035         * jit/JITOperations.h:
1036         * llint/LLIntOffsetsExtractor.cpp:
1037         * llint/LLIntSlowPaths.cpp:
1038         * runtime/JSArrowFunction.cpp: Removed.
1039         * runtime/JSArrowFunction.h: Removed.
1040         * runtime/JSGlobalObject.cpp:
1041         * runtime/JSGlobalObject.h:
1042
1043 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
1044
1045         It should be possible to run liveness over registers without also tracking Tmps
1046         https://bugs.webkit.org/show_bug.cgi?id=152963
1047
1048         Reviewed by Saam Barati.
1049
1050         This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
1051         easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
1052         code like that for handling cold function calls. It also makes code like that somewhat more
1053         scalable, since we're no longer using HashSets.
1054
1055         Currently, the way we track sets of registers is with a BitVector. Normally, we use the
1056         RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
1057         the liveness analysis, everything gets turned into an index. So, we want to use BitVector
1058         directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
1059         think that this is good, because the lack of set methods (add/remove/contains) has caused
1060         bugs in the past. This makes BitVector have methods both for set operations on bits and array
1061         operations on bits. I think that's good, since BitVector gets used in both contexts.
1062
1063         * b3/B3IndexSet.h:
1064         (JSC::B3::IndexSet::Iterable::iterator::iterator):
1065         (JSC::B3::IndexSet::Iterable::begin):
1066         (JSC::B3::IndexSet::dump):
1067         * b3/air/AirInstInlines.h:
1068         (JSC::B3::Air::ForEach<Tmp>::forEach):
1069         (JSC::B3::Air::ForEach<Arg>::forEach):
1070         (JSC::B3::Air::ForEach<Reg>::forEach):
1071         (JSC::B3::Air::Inst::forEach):
1072         * b3/air/AirLiveness.h:
1073         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
1074         (JSC::B3::Air::RegLivenessAdapter::maxIndex):
1075         (JSC::B3::Air::RegLivenessAdapter::acceptsType):
1076         (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
1077         (JSC::B3::Air::RegLivenessAdapter::indexToValue):
1078         * b3/air/AirReportUsedRegisters.cpp:
1079         (JSC::B3::Air::reportUsedRegisters):
1080         * jit/Reg.h:
1081         (JSC::Reg::next):
1082         (JSC::Reg::index):
1083         (JSC::Reg::maxIndex):
1084         (JSC::Reg::isSet):
1085         (JSC::Reg::operator bool):
1086         * jit/RegisterSet.h:
1087         (JSC::RegisterSet::forEach):
1088
1089 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
1090
1091         [JSC] Make branchMul functional in ARM B3 and minor fixes
1092         https://bugs.webkit.org/show_bug.cgi?id=152889
1093
1094         Reviewed by Mark Lam.
1095
1096         ARM64 does not have a "S" version of MUL setting the flags.
1097         What we do is abstract that in the MacroAssembler. The problem
1098         is that form requires scratch registers.
1099
1100         For simplicity, I just exposed the two scratch registers
1101         for Air. Filip already added the concept of Scratch role,
1102         all I needed was to expose it for opcodes.
1103
1104         * assembler/MacroAssemblerARM64.h:
1105         (JSC::MacroAssemblerARM64::branchMul32):
1106         (JSC::MacroAssemblerARM64::branchMul64):
1107         Expose a version with the scratch registers as arguments.
1108
1109         * b3/B3LowerToAir.cpp:
1110         (JSC::B3::Air::LowerToAir::lower):
1111         Add the new form of CheckMul lowering.
1112
1113         * b3/air/AirOpcode.opcodes:
1114         Expose the new BranchMuls.
1115         Remove all the Test variants that use immediates
1116         since Air can't handle those immediates correctly yet.
1117
1118         * b3/air/opcode_generator.rb:
1119         Expose the Scratch role.
1120
1121         * b3/testb3.cpp:
1122         (JSC::B3::testPatchpointLotsOfLateAnys):
1123         Oops, the scratch registers were not clobbered. We were just lucky
1124         on x86.
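
        Added example (not from this entry and not MacroAssemblerARM64's code): overflow-checked
        multiplication written the way a flag-less architecture has to do it, with the full-width
        product held in extra (scratch) registers and compared against the sign extension of the
        low half. The SMULL/SXTW shape for 32-bit and the MUL/SMULH shape for 64-bit are my reading
        of the usual ARM64 idiom, not quoted from the MacroAssembler; the function names are
        assumptions. The high-half helper emulates SMULH portably so the block runs on any host.

```cpp
#include <cstdint>

// 32-bit checked multiply: form the 64-bit product in a wider (scratch) register;
// it fits in int32 iff sign-extending its low half gives the product back.
bool checkedMul32(int32_t a, int32_t b, int32_t& result) {
    int64_t wide = static_cast<int64_t>(a) * static_cast<int64_t>(b);
    result = static_cast<int32_t>(wide);            // keep the low 32 bits
    return static_cast<int64_t>(result) == wide;    // true: no overflow
}

// Unsigned high 64 bits of a 64x64 -> 128 product via four 32x32 partial products.
uint64_t mulHighUnsigned(uint64_t a, uint64_t b) {
    const uint64_t mask = 0xffffffffu;
    uint64_t aLo = a & mask, aHi = a >> 32;
    uint64_t bLo = b & mask, bHi = b >> 32;
    uint64_t ll = aLo * bLo, lh = aLo * bHi, hl = aHi * bLo, hh = aHi * bHi;
    uint64_t mid = (ll >> 32) + (lh & mask) + (hl & mask);   // carries into the high word
    return hh + (lh >> 32) + (hl >> 32) + (mid >> 32);
}

// Signed high half (what SMULH returns): adjust the unsigned high half for each
// negative operand, since (a + 2^64) * b adds b * 2^64 to the product.
int64_t mulHighSigned(int64_t a, int64_t b) {
    uint64_t hi = mulHighUnsigned(static_cast<uint64_t>(a), static_cast<uint64_t>(b));
    if (a < 0) hi -= static_cast<uint64_t>(b);
    if (b < 0) hi -= static_cast<uint64_t>(a);
    return static_cast<int64_t>(hi);
}

// 64-bit checked multiply: MUL gives the low 64 bits, SMULH the high 64 bits.
// No overflow iff the high half equals the sign extension of the low half
// (all zeros or all ones). Both halves need a register: the two scratches.
bool checkedMul64(int64_t a, int64_t b, int64_t& result) {
    int64_t lo = static_cast<int64_t>(static_cast<uint64_t>(a) * static_cast<uint64_t>(b));
    int64_t hi = mulHighSigned(a, b);
    result = lo;
    return hi == (lo < 0 ? -1 : 0);
}

// Typical consumer: a buffer size computed from attacker-influenced counts.
// Reports failure instead of handing back a wrapped (too small) size.
bool allocationSize(int64_t count, int64_t elementSize, int64_t& bytes) {
    if (count < 0 || elementSize < 0)
        return false;
    return checkedMul64(count, elementSize, bytes);
}
```

        The classic trap is that x86's IMUL sets OF for free, so a lowering that works there can
        silently assume no scratch registers are needed; on ARM64 the high half must be materialized
        and compared explicitly.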
1125
1126 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
1127
1128         [JSC] B3 is unable to do function calls on ARM64
1129         https://bugs.webkit.org/show_bug.cgi?id=152895
1130
1131         Reviewed by Mark Lam.
1132
1133         Apparently iOS does not follow the ARM64 ABI for function calls.
1134         Instead of giving each value an 8-byte slot, it must be packed
1135         while preserving alignment.
1136
1137         This patch adds a #ifdef to make function calls functional.
1138
1139         * b3/B3LowerToAir.cpp:
1140         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
1141         (JSC::B3::Air::LowerToAir::lower):
1142
1143 2016-01-09  Filip Pizlo  <fpizlo@apple.com>
1144
1145         Air should support Branch64 with immediates
1146         https://bugs.webkit.org/show_bug.cgi?id=152951
1147
1148         Reviewed by Oliver Hunt.
1149
1150         This doesn't significantly improve performance on any benchmarks, but it's great to get this
1151         obvious omission out of the way.
1152
1153         * assembler/MacroAssemblerX86_64.h:
1154         (JSC::MacroAssemblerX86_64::branch64):
1155         * b3/air/AirOpcode.opcodes:
1156         * b3/testb3.cpp:
1157         (JSC::B3::testPowDoubleByIntegerLoop):
1158         (JSC::B3::testBranch64Equal):
1159         (JSC::B3::testBranch64EqualImm):
1160         (JSC::B3::testBranch64EqualMem):
1161         (JSC::B3::testBranch64EqualMemImm):
1162         (JSC::B3::zero):
1163         (JSC::B3::run):
1164
1165 2016-01-09  Dan Bernstein  <mitz@apple.com>
1166
1167         [Cocoa] Allow overriding the frameworks directory independently of using a staging install path
1168         https://bugs.webkit.org/show_bug.cgi?id=152926
1169
1170         Reviewed by Tim Horton.
1171
1172         Introduce a new build setting, WK_OVERRIDE_FRAMEWORKS_DIR. When not empty, it determines
1173         where the frameworks are installed. Setting USE_STAGING_INSTALL_PATH to YES sets
1174         WK_OVERRIDE_FRAMEWORKS_DIR to $(SYSTEM_LIBRARY_DIR)/StagedFrameworks/Safari.
1175
1176         Account for the possibility of WK_OVERRIDE_FRAMEWORKS_DIR containing spaces.
1177
1178         * Configurations/Base.xcconfig:
1179         - Replace STAGED_FRAMEWORKS_SEARCH_PATH in FRAMEWORK_SEARCH_PATHS with
1180           WK_OVERRIDE_FRAMEWORKS_DIR and add quotes to account for spaces.
1181         - Define JAVASCRIPTCORE_FRAMEWORKS_DIR based on WK_OVERRIDE_FRAMEWORKS_DIR.
1182         * Configurations/JSC.xcconfig:
1183           Add quotes to account for spaces.
1184         * Configurations/ToolExecutable.xcconfig:
1185           Ditto.
1186         * postprocess-headers.sh:
1187           Ditto.
1188
1189 2016-01-09  Mark Lam  <mark.lam@apple.com>
1190
1191         The FTL allocated spill slots for BinaryOps is sometimes inaccurate.
1192         https://bugs.webkit.org/show_bug.cgi?id=152918
1193
1194         Reviewed by Filip Pizlo and Saam Barati.
1195
1196         * ftl/FTLCompile.cpp:
1197         - Updated a comment.
1198         * ftl/FTLLowerDFGToLLVM.cpp:
1199         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1200         - The code to compute maxNumberOfCatchSpills was unnecessarily allocating an
1201           extra slot for BinaryOps that don't have Untyped operands, and failing to
1202           allocate that extra slot for some binary ops.  This is now fixed.
1203
1204         * tests/stress/ftl-shr-exception.js:
1205         * tests/stress/ftl-xor-exception.js:
1206         - Un-skipped these tests.  They now pass with this patch.
1207
1208 2016-01-09  Andreas Kling  <akling@apple.com>
1209
1210         Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
1211         <https://webkit.org/b/152902>
1212
1213         Reviewed by Anders Carlsson.
1214
1215         Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.
1216
1217         * API/JSAPIWrapperObject.mm:
1218         (jsAPIWrapperObjectHandleOwner):
1219         * API/JSManagedValue.mm:
1220         (managedValueHandleOwner):
1221         * inspector/agents/InspectorDebuggerAgent.cpp:
1222         (Inspector::objectGroupForBreakpointAction):
1223         * jit/ExecutableAllocator.cpp:
1224         (JSC::DemandExecutableAllocator::allocators):
1225
1226 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1227
1228         FTL B3 should do varargs tail calls and stack overflows
1229         https://bugs.webkit.org/show_bug.cgi?id=152934
1230
1231         Reviewed by Saam Barati.
1232
1233         I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
1234         at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
1235         why I have two fixes in one change. Now the test passes.
1236
1237         This reduces the number of failures from 13 to 0.
1238
1239         * ftl/FTLLowerDFGToLLVM.cpp:
1240         (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
1241         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
1242         append an Oops (i.e. "unreachable").
1243
1244 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1245
1246         B3 needs Neg()
1247         https://bugs.webkit.org/show_bug.cgi?id=152925
1248
1249         Reviewed by Mark Lam.
1250
1251         Previously we said that negation should be represented as Sub(0, x). That's wrong, since
1252         for floats, Sub(0, 0) == 0 while Neg(0) == -0.
1253
1254         One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
1255         should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
1256         to use bitops to represent floating point operations. Whatever cuteness this would have
1257         bought us would be outweighed by the annoyance of having to write code that matches
1258         Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
1259         would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
1260         Also, I suspect that the omission of Neg would cause others to make the mistake of using
1261         Sub to represent floating point negation.
1262
1263         So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
1264         negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
1265         floats, we lower it to BitXor(x, -0) on x86.
1266
1267         This reduces the number of failures from 13 to 12.
1268
1269         * assembler/MacroAssemblerX86Common.h:
1270         (JSC::MacroAssemblerX86Common::andFloat):
1271         (JSC::MacroAssemblerX86Common::xorDouble):
1272         (JSC::MacroAssemblerX86Common::xorFloat):
1273         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
1274         * b3/B3LowerMacrosAfterOptimizations.cpp:
1275         * b3/B3LowerToAir.cpp:
1276         (JSC::B3::Air::LowerToAir::lower):
1277         * b3/B3Opcode.cpp:
1278         (WTF::printInternal):
1279         * b3/B3Opcode.h:
1280         * b3/B3ReduceStrength.cpp:
1281         * b3/B3Validate.cpp:
1282         * b3/B3Value.cpp:
1283         (JSC::B3::Value::effects):
1284         (JSC::B3::Value::key):
1285         (JSC::B3::Value::typeFor):
1286         * b3/air/AirOpcode.opcodes:
1287         * ftl/FTLB3Output.cpp:
1288         (JSC::FTL::Output::lockedStackSlot):
1289         (JSC::FTL::Output::neg):
1290         (JSC::FTL::Output::bitNot):
1291         * ftl/FTLB3Output.h:
1292         (JSC::FTL::Output::chillDiv):
1293         (JSC::FTL::Output::mod):
1294         (JSC::FTL::Output::chillMod):
1295         (JSC::FTL::Output::doubleAdd):
1296         (JSC::FTL::Output::doubleSub):
1297         (JSC::FTL::Output::doubleMul):
1298         (JSC::FTL::Output::doubleDiv):
1299         (JSC::FTL::Output::doubleMod):
1300         (JSC::FTL::Output::doubleNeg):
1301         (JSC::FTL::Output::bitAnd):
1302         (JSC::FTL::Output::bitOr):
1303         (JSC::FTL::Output::neg): Deleted.
1304         * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
1305         it's such a glaring bug, I thought having a test for it specifically would be good.
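
        Added example (not part of this ChangeLog entry or of B3): the signed-zero difference the
        entry describes, shown with plain C++. negViaSub is the Sub(0, x) form that was wrong for
        floats, negViaXor is the sign-bit flip that Neg lowers to on x86 (the entry says BitXor(x, -0);
        the exact instruction is not quoted here). The function names are assumptions.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Negation written as Sub(0, x). Correct for integers, wrong for floating point:
// under IEEE 754 round-to-nearest, 0.0 - 0.0 is +0.0, so the sign of zero is lost.
double negViaSub(double x) {
    volatile double zero = 0.0;   // volatile keeps the compiler from rewriting 0 - x
    return zero - x;
}

// Negation as BitXor(x, -0.0): flip only the sign bit. Correct for every input,
// including +0.0, -0.0, infinities and NaN (payload untouched).
double negViaXor(double x) {
    uint64_t bits, signMask;
    const double negativeZero = -0.0;
    std::memcpy(&bits, &x, sizeof bits);
    std::memcpy(&signMask, &negativeZero, sizeof signMask);  // 0x8000000000000000
    bits ^= signMask;
    std::memcpy(&x, &bits, sizeof x);
    return x;
}

// +0.0 == -0.0 under operator==, so the sign bit has to be checked explicitly.
bool isNegativeZero(double x) { return x == 0.0 && std::signbit(x); }

// The observable difference: 1 / -0.0 is -inf while 1 / +0.0 is +inf. A JIT that
// negates with Sub(0, x) makes `1 / -x` return the wrong infinity when x == 0.
bool subNegationLosesSignOfZero() {
    return !isNegativeZero(negViaSub(0.0)) && isNegativeZero(negViaXor(0.0));
}

// Neg(Neg(x)) => x holds for the xor form on every bit pattern, which is what makes
// the strength reduction the entry mentions safe to write against Neg.
bool doubleNegationIsIdentity(double x) {
    double twice = negViaXor(negViaXor(x));
    uint64_t a, b;
    std::memcpy(&a, &x, sizeof a);
    std::memcpy(&b, &twice, sizeof b);
    return a == b;   // bitwise, so NaN compares equal to itself here
}
```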
1306
1307 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1308
1309         FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
1310         https://bugs.webkit.org/show_bug.cgi?id=152922
1311
1312         Reviewed by Saam Barati.
1313
1314         FTL B3 was generating a handler table that first contained the old baseline handlers keyed
1315         by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
1316         wrong, since the FTL code block should not contain any baseline handlers. The fix is to
1317         clear the handlers before generation, sort of like FTL LLVM does.
1318
1319         Also added some stuff to make it easier to inspect the handler table.
1320
1321         This reduces the number of failures from 25 to 13.
1322
1323         * bytecode/CodeBlock.cpp:
1324         (JSC::CodeBlock::dumpBytecode):
1325         (JSC::CodeBlock::dumpExceptionHandlers):
1326         (JSC::CodeBlock::beginDumpProfiling):
1327         * bytecode/CodeBlock.h:
1328         * ftl/FTLB3Compile.cpp:
1329         (JSC::FTL::compile):
1330
1331 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1332
1333         B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
1334         https://bugs.webkit.org/show_bug.cgi?id=152916
1335
1336         Reviewed by Mark Lam.
1337
1338         This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!
1339
1340         This reduces the number of failures from 27 to 25.
1341
1342         * b3/B3ReduceStrength.cpp:
1343
1344 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1345
1346         FTL B3 allocateCell() should not crash
1347         https://bugs.webkit.org/show_bug.cgi?id=152909
1348
1349         Reviewed by Mark Lam.
1350
1351         This code was crashing in some tests that forced GC slow paths because it was stubbed out
1352         due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
1353         undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
1354         any LLVM optimizations by using undef.
1355
1356         This reduces the number of failures from 35 to 27.
1357
1358         * ftl/FTLLowerDFGToLLVM.cpp:
1359         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
1360
1361 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1362
1363         FTL B3 fails to realize that binary snippets might choose to omit their fast path
1364         https://bugs.webkit.org/show_bug.cgi?id=152901
1365
1366         Reviewed by Mark Lam.
1367
1368         This reduces the number of failures from 99 to 35.
1369
1370         * ftl/FTLLowerDFGToLLVM.cpp:
1371         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
1372
1373 2016-01-08  Saam barati  <sbarati@apple.com>
1374
1375         restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register
1376         https://bugs.webkit.org/show_bug.cgi?id=152879
1377
1378         Reviewed by Filip Pizlo.
1379
1380         We were clobbering a register we needed when picking
1381         a scratch register inside an FTL OSR Exit.
1382
1383         * dfg/DFGThunks.cpp:
1384         (JSC::DFG::osrEntryThunkGenerator):
1385         * jit/AssemblyHelpers.cpp:
1386         (JSC::AssemblyHelpers::emitRandomThunk):
1387         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
1388         * jit/AssemblyHelpers.h:
1389         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
1390         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
1391         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
1392         (foo):
1393
1394 2016-01-08  Mark Lam  <mark.lam@apple.com>
1395
1396         Rolling out: Rename StringFromCharCode to StringFromSingleCharCode.
1397         https://bugs.webkit.org/show_bug.cgi?id=152897
1398
1399         Not reviewed.
1400
1401         * dfg/DFGAbstractInterpreterInlines.h:
1402         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1403         * dfg/DFGByteCodeParser.cpp:
1404         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1405         * dfg/DFGClobberize.h:
1406         (JSC::DFG::clobberize):
1407         * dfg/DFGDoesGC.cpp:
1408         (JSC::DFG::doesGC):
1409         * dfg/DFGFixupPhase.cpp:
1410         (JSC::DFG::FixupPhase::fixupNode):
1411         * dfg/DFGNodeType.h:
1412         * dfg/DFGOperations.cpp:
1413         * dfg/DFGOperations.h:
1414         * dfg/DFGPredictionPropagationPhase.cpp:
1415         (JSC::DFG::PredictionPropagationPhase::propagate):
1416         * dfg/DFGSafeToExecute.h:
1417         (JSC::DFG::safeToExecute):
1418         * dfg/DFGSpeculativeJIT.cpp:
1419         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1420         * dfg/DFGSpeculativeJIT32_64.cpp:
1421         (JSC::DFG::SpeculativeJIT::compile):
1422         * dfg/DFGSpeculativeJIT64.cpp:
1423         (JSC::DFG::SpeculativeJIT::compile):
1424         * runtime/StringConstructor.cpp:
1425         (JSC::stringFromCharCode):
1426         (JSC::stringFromSingleCharCode): Deleted.
1427         * runtime/StringConstructor.h:
1428
1429 2016-01-08  Per Arne Vollan  <peavo@outlook.com>
1430
1431         [JSC] Use std::call_once instead of pthread_once when initializing LLVM.
1432         https://bugs.webkit.org/show_bug.cgi?id=152893
1433
1434         Reviewed by Mark Lam.
1435
1436         Use std::call_once since pthreads is not present on all platforms.
1437
1438         * llvm/InitializeLLVM.cpp:
1439         (JSC::initializeLLVMImpl):
1440         (JSC::initializeLLVM):
1441
1442 2016-01-08  Mark Lam  <mark.lam@apple.com>
1443
1444         Rename StringFromCharCode to StringFromSingleCharCode.
1445         https://bugs.webkit.org/show_bug.cgi?id=152897
1446
1447         Reviewed by Daniel Bates.
1448
1449         StringFromSingleCharCode is a better name because the intrinsic it represents
1450         only applies when we are converting from a single char code.  This is purely
1451         a refactoring patch.  There is no semantic change.
1452
1453         * dfg/DFGAbstractInterpreterInlines.h:
1454         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1455         * dfg/DFGByteCodeParser.cpp:
1456         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1457         * dfg/DFGClobberize.h:
1458         (JSC::DFG::clobberize):
1459         * dfg/DFGDoesGC.cpp:
1460         (JSC::DFG::doesGC):
1461         * dfg/DFGFixupPhase.cpp:
1462         (JSC::DFG::FixupPhase::fixupNode):
1463         * dfg/DFGNodeType.h:
1464         * dfg/DFGOperations.cpp:
1465         * dfg/DFGOperations.h:
1466         * dfg/DFGPredictionPropagationPhase.cpp:
1467         (JSC::DFG::PredictionPropagationPhase::propagate):
1468         * dfg/DFGSafeToExecute.h:
1469         (JSC::DFG::safeToExecute):
1470         * dfg/DFGSpeculativeJIT.cpp:
1471         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1472         * dfg/DFGSpeculativeJIT32_64.cpp:
1473         (JSC::DFG::SpeculativeJIT::compile):
1474         * dfg/DFGSpeculativeJIT64.cpp:
1475         (JSC::DFG::SpeculativeJIT::compile):
1476         * runtime/StringConstructor.cpp:
1477         (JSC::stringFromCharCode):
1478         (JSC::stringFromSingleCharCode):
1479         * runtime/StringConstructor.h:
1480
1481 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
1482
1483         [mips] Fixed unused parameter warnings
1484         https://bugs.webkit.org/show_bug.cgi?id=152885
1485
1486         Reviewed by Mark Lam.
1487
1488         * jit/CCallHelpers.h:
1489         (JSC::CCallHelpers::setupArgumentsWithExecState):
1490
1491 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
1492
1493         [mips] Max value of immediate arg of logical ops is 0xffff
1494         https://bugs.webkit.org/show_bug.cgi?id=152884
1495
1496         Reviewed by Michael Saboff.
1497
1498         Replaced imm.m_value < 65535 checks with imm.m_value <= 65535.
1499
1500         * assembler/MacroAssemblerMIPS.h:
1501         (JSC::MacroAssemblerMIPS::and32):
1502         (JSC::MacroAssemblerMIPS::or32):
1503
1504 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
1505
1506         [mips] Add new or32 implementation after r194613
1507         https://bugs.webkit.org/show_bug.cgi?id=152865
1508
1509         Reviewed by Michael Saboff.
1510
1511         * assembler/MacroAssemblerMIPS.h:
1512         (JSC::MacroAssemblerMIPS::or32):
1513
1514 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1515
1516         FTL B3 lazy slow paths should do exceptions
1517         https://bugs.webkit.org/show_bug.cgi?id=152853
1518
1519         Reviewed by Saam Barati.
1520
1521         This reduces the number of JSC test failures to 97.
1522
1523         * ftl/FTLLowerDFGToLLVM.cpp:
1524         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
1525         * tests/stress/ftl-new-negative-array-size.js: Added.
1526         (foo):
1527
1528 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1529
1530         Unreviewed, skip more tests that fail.
1531
1532         * tests/stress/ftl-shr-exception.js:
1533         (foo):
1534         * tests/stress/ftl-xor-exception.js:
1535         (foo):
1536
1537 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1538
1539         FTL B3 binary snippets should do exceptions
1540         https://bugs.webkit.org/show_bug.cgi?id=152852
1541
1542         Reviewed by Saam Barati.
1543
1544         This reduces the number of JSC test failures to 110.
1545
1546         * ftl/FTLLowerDFGToLLVM.cpp:
1547         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
1548         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
1549         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
1550         * tests/stress/ftl-shr-exception.js: Added.
1551         (foo):
1552         (result.foo.valueOf):
1553         * tests/stress/ftl-sub-exception.js: Added.
1554         (foo):
1555         (result.foo.valueOf):
1556         * tests/stress/ftl-xor-exception.js: Added.
1557         (foo):
1558         (result.foo.valueOf):
1559
1560 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1561
1562         Unreviewed, skipping this test. Looks like LLVM can't handle this one, either.
1563
1564         * tests/stress/ftl-call-varargs-bad-args-exception-interesting-live-state.js:
1565         (foo):
1566
1567 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1568
1569         Unreviewed, skipping this test. Looks like LLVM can't handle it.
1570
1571         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
1572         (foo):
1573
1574 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1575
1576         FTL B3 JS calls should do exceptions
1577         https://bugs.webkit.org/show_bug.cgi?id=152851
1578
1579         Reviewed by Geoffrey Garen.
1580
1581         This reduces the number of JSC test failures with FTL B3 to 111.
1582
1583         * dfg/DFGSpeculativeJIT64.cpp:
1584         (JSC::DFG::SpeculativeJIT::emitCall):
1585         * ftl/FTLLowerDFGToLLVM.cpp:
1586         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
1587         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
1588         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1589         * tests/stress/ftl-call-bad-args-exception-interesting-live-state.js: Added.
1590         * tests/stress/ftl-call-bad-callee-exception-interesting-live-state.js: Added.
1591         * tests/stress/ftl-call-exception-interesting-live-state.js: Added.
1592         * tests/stress/ftl-call-exception-no-catch.js: Added.
1593         * tests/stress/ftl-call-exception.js: Added.
1594         * tests/stress/ftl-call-varargs-bad-callee-exception-interesting-live-state.js: Added.
1595         * tests/stress/ftl-call-varargs-exception-interesting-live-state.js: Added.
1596         * tests/stress/ftl-call-varargs-exception-no-catch.js: Added.
1597         * tests/stress/ftl-call-varargs-exception.js: Added.
1598
1599 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1600
1601         FTL B3 PutById should do exceptions
1602         https://bugs.webkit.org/show_bug.cgi?id=152850
1603
1604         Reviewed by Saam Barati.
1605
1606         Implemented PutById exception handling by following the idiom used in GetById. Reduces the
1607         number of JSC test failures to 128.
1608
1609         * ftl/FTLLowerDFGToLLVM.cpp:
1610         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
1611         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js: Added.
1612         * tests/stress/ftl-put-by-id-setter-exception-no-catch.js: Added.
1613         * tests/stress/ftl-put-by-id-setter-exception.js: Added.
1614         * tests/stress/ftl-put-by-id-slow-exception-interesting-live-state.js: Added.
1615         * tests/stress/ftl-put-by-id-slow-exception-no-catch.js: Added.
1616         * tests/stress/ftl-put-by-id-slow-exception.js: Added.
1617
1618 2016-01-07  Commit Queue  <commit-queue@webkit.org>
1619
1620         Unreviewed, rolling out r194714.
1621         https://bugs.webkit.org/show_bug.cgi?id=152864
1622
1623         it broke many JSC tests when FTL B3 is enabled (Requested by
1624         pizlo on #webkit).
1625
1626         Reverted changeset:
1627
1628         "[JSC] When resolving Stack arguments, use addressing from SP
1629         when addressing from FP is invalid"
1630         https://bugs.webkit.org/show_bug.cgi?id=152840
1631         http://trac.webkit.org/changeset/194714
1632
1633 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1634
1635         [mips] Lower immediates of logical operations.
1636         https://bugs.webkit.org/show_bug.cgi?id=152693
1637
1638         On MIPS, immediate operands of andi, ori, and xori are required to be 16-bit
1639         non-negative numbers.
1640
1641         Reviewed by Michael Saboff.
1642
1643         * offlineasm/mips.rb:
1644
1645 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
1646
1647         [JSC] Update testCheckSubBadImm() for ARM64
1648         https://bugs.webkit.org/show_bug.cgi?id=152846
1649
1650         Reviewed by Mark Lam.
1651
1652         * b3/testb3.cpp:
1653         (JSC::B3::testCheckSubBadImm):
1654         The test was assuming the constant can always be used
1655         as immediate. That's obviously not the case on ARM64.
1656
1657 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1658
1659         FTL B3 getById() should do exceptions
1660         https://bugs.webkit.org/show_bug.cgi?id=152810
1661
1662         Reviewed by Saam Barati.
1663
1664         This adds abstractions for doing exceptions from patchpoints, and uses them to implement
1665         exceptions from GetById. This covers all of the following ways that a GetById might throw an
1666         exception:
1667
1668         - Throw without try/catch from the vmCall() in a GetById(Untyped:)
1669         - Throw with try/catch from the vmCall() in a GetById(Untyped:)
1670         - Throw without try/catch from the callOperation() in the patchpoint of a GetById
1671         - Throw with try/catch from the callOperation() in the patchpoint of a GetById
1672         - Throw without try/catch from the Call IC generated in the patchpoint of a GetById
1673         - Throw with try/catch from the Call IC generated in the patchpoint of a GetById
1674
1675         This requires having a default exception target in FTL-generated code, and ensuring that this
1676         target is generated regardless of whether we have branches to the B3 basic block of the
1677         default exception target. This also requires adding some extra arguments to a
1678         PatchpointValue, and then knowing that the arguments are used for OSR exit and not anything
1679         else. This also requires associating the CallSiteIndex of the patchpoint with the register
1680         set used for exit and with the OSR exit label for the unwind exit.
1681
1682         All of the stuff that you have to worry about when wiring a patchpoint to exception handling
1683         is covered by the new PatchpointExceptionHandle object. You create one by calling
1684         preparePatchpointForExceptions(). This sets up the B3 IR representation of the patchpoint
1685         with stackmap arguments for the exceptional exit, and creates a PatchpointExceptionHandle
1686         object that can be used to create zero or more actual OSR exits. It can create both OSR exits
1687         for operation calls and OSR exits for unwind. You call the
1688         PatchpointExceptionHandle::scheduleExitCreationXXX() methods from the generator callback to
1689         actually get OSR exits.
1690
1691         This API makes heavy use of Box<>, late paths, and link tasks. For example, you can use the
1692         PatchpointExceptionHandle to get a Box<JumpList> that you can append exception jumps to. When
1693         you use this API, it automatically registers a link task that will link the JumpList to the
1694         actual OSR exit label.
1695
1696         This API is very flexible about how you get to the label of the OSR exit. You are encouraged
1697         to use the Box<JumpList> approach, but if you really just need the label, you can also get
1698         a RefPtr<ExceptionTarget> and rely on the fact that the ExceptionTarget object will be able
1699         to vend you the OSR exit label at link-time.
1700
1701         This reduces the number of JSC test failures with FTL B3 from 186 to 133. It also adds a
1702         bunch of new tests specifically for all of the ways you might throw from GetById, and B3
1703         passes all of these new tests. Note that I'm not counting the new tests as part of the
1704         previous 186 test failures (FTL B3 failed all of the new tests prior to this change).
1705
1706         After this change, it should be easy to make all of the other patchpoints also handle
1707         exceptions by just following the preparePatchpointForExceptions() idiom.
1708
1709         * CMakeLists.txt:
1710         * JavaScriptCore.xcodeproj/project.pbxproj:
1711         * b3/B3StackmapValue.h:
1712         * b3/B3ValueRep.cpp:
1713         (JSC::B3::ValueRep::addUsedRegistersTo):
1714         (JSC::B3::ValueRep::usedRegisters):
1715         (JSC::B3::ValueRep::dump):
1716         * b3/B3ValueRep.h:
1717         (JSC::B3::ValueRep::doubleValue):
1718         (JSC::B3::ValueRep::withOffset):
1719         (JSC::B3::ValueRep::usedRegisters):
1720         * ftl/FTLB3Compile.cpp:
1721         (JSC::FTL::compile):
1722         * ftl/FTLB3Output.h:
1723         (JSC::FTL::Output::unreachable):
1724         (JSC::FTL::Output::speculate):
1725         * ftl/FTLExceptionTarget.cpp: Added.
1726         (JSC::FTL::ExceptionTarget::~ExceptionTarget):
1727         (JSC::FTL::ExceptionTarget::label):
1728         (JSC::FTL::ExceptionTarget::jumps):
1729         (JSC::FTL::ExceptionTarget::ExceptionTarget):
1730         * ftl/FTLExceptionTarget.h: Added.
1731         * ftl/FTLJITCode.cpp:
1732         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1733         * ftl/FTLLowerDFGToLLVM.cpp:
1734         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1735         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1736         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
1737         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
1738         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
1739         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1740         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
1741         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
1742         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
1743         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
1744         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
1745         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1746         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
1747         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
1748         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
1749         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
1750         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
1751         * ftl/FTLPatchpointExceptionHandle.cpp: Added.
1752         (JSC::FTL::PatchpointExceptionHandle::create):
1753         (JSC::FTL::PatchpointExceptionHandle::defaultHandle):
1754         (JSC::FTL::PatchpointExceptionHandle::~PatchpointExceptionHandle):
1755         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreation):
1756         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1757         (JSC::FTL::PatchpointExceptionHandle::PatchpointExceptionHandle):
1758         (JSC::FTL::PatchpointExceptionHandle::createHandle):
1759         * ftl/FTLPatchpointExceptionHandle.h: Added.
1760         * ftl/FTLState.cpp:
1761         * ftl/FTLState.h:
1762         (JSC::FTL::verboseCompilationEnabled):
1763         * tests/stress/ftl-get-by-id-getter-exception-interesting-live-state.js: Added.
1764         * tests/stress/ftl-get-by-id-getter-exception-no-catch.js: Added.
1765         * tests/stress/ftl-get-by-id-getter-exception.js: Added.
1766         * tests/stress/ftl-get-by-id-slow-exception-interesting-live-state.js: Added.
1767         * tests/stress/ftl-get-by-id-slow-exception-no-catch.js: Added.
1768         * tests/stress/ftl-get-by-id-slow-exception.js: Added.
1769         * tests/stress/ftl-operation-exception-interesting-live-state.js: Added.
1770         * tests/stress/ftl-operation-exception-no-catch.js: Added.
1771
1772 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1773
1774         [mips] Implemented missing branch patching methods.
1775         https://bugs.webkit.org/show_bug.cgi?id=152845
1776
1777         Reviewed by Michael Saboff.
1778
1779         * assembler/MacroAssemblerMIPS.h:
1780         (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranch32WithPatch):
1781         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
1782         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
1783
1784 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
1785
1786         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
1787         https://bugs.webkit.org/show_bug.cgi?id=152840
1788
1789         Reviewed by Mark Lam.
1790
1791         ARM64 has two kinds of addressing with immediates:
1792         -Signed 9-bit direct (really only -256 to 255).
1793         -Unsigned 12-bit scaled by the load/store size.
1794
1795         When resolving the stack addresses, we easily run
1796         past -256 bytes from FP. Addressing from SP gives us more
1797         room to address the stack efficiently because we can
1798         use unsigned immediates.
1799
1800         * b3/B3StackmapSpecial.cpp:
1801         (JSC::B3::StackmapSpecial::repForArg):
1802         * b3/air/AirAllocateStack.cpp:
1803         (JSC::B3::Air::allocateStack):
1804
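The two ARM64 offset forms listed above, together with the 16-bit bound on MIPS logical immediates from the 2016-01-08 and 2016-01-07 [mips] entries, as an added C example that is not JSC's MacroAssembler or Air code. It classifies an ARM64 load/store offset by the form that can encode it, decides whether a stack slot is reachable from FP or has to be rebased onto SP, and shows the MIPS bound with the off-by-one predicate the entry replaced beside the corrected one. The frame layout (SP == FP - frameSize) and every function name here are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Immediate-offset forms available to an ARM64 load/store:
 *  - LDUR/STUR take a signed 9-bit byte offset, -256..255, with no alignment requirement.
 *  - LDR/STR take an unsigned 12-bit offset scaled by the access size, so the byte
 *    offset must be a multiple of the access size and at most 4095 * size.
 */
typedef enum {
    ARM64_OFFSET_UNENCODABLE = 0,
    ARM64_OFFSET_UNSCALED9,
    ARM64_OFFSET_SCALED12
} Arm64OffsetForm;

Arm64OffsetForm arm64OffsetForm(int64_t byteOffset, unsigned accessSize)
{
    /* accessSize is the width of the access in bytes (1, 2, 4 or 8). */
    if (byteOffset >= 0 && byteOffset % accessSize == 0 && byteOffset / accessSize <= 4095)
        return ARM64_OFFSET_SCALED12;
    if (byteOffset >= -256 && byteOffset <= 255)
        return ARM64_OFFSET_UNSCALED9;
    return ARM64_OFFSET_UNENCODABLE;
}

/*
 * Which base register lets a stack slot be addressed in one instruction.
 * Frame layout assumed for this example (not JSC's real layout): SP == FP - frameSize,
 * and a slot is named by its negative offset from FP.
 */
typedef enum { SLOT_BASE_FP, SLOT_BASE_SP, SLOT_BASE_NONE } SlotBase;

SlotBase chooseSlotBase(int64_t offsetFromFP, int64_t frameSize, unsigned accessSize)
{
    if (arm64OffsetForm(offsetFromFP, accessSize) != ARM64_OFFSET_UNENCODABLE)
        return SLOT_BASE_FP;
    /* Rebased onto SP the offset is non-negative, so the scaled 12-bit form applies. */
    int64_t offsetFromSP = offsetFromFP + frameSize;
    if (arm64OffsetForm(offsetFromSP, accessSize) != ARM64_OFFSET_UNENCODABLE)
        return SLOT_BASE_SP;
    return SLOT_BASE_NONE;
}

/* MIPS andi/ori/xori zero-extend a 16-bit immediate: the legal range is 0..0xffff inclusive. */
bool mipsLogicalImmediateFits(int32_t imm)
{
    return imm >= 0 && imm <= 0xffff;
}

/* The check the [mips] entry replaced: an exclusive bound wrongly rejects 0xffff itself. */
bool mipsLogicalImmediateFitsOffByOne(int32_t imm)
{
    return imm >= 0 && imm < 0xffff;
}
```

A slot 512 bytes below FP already falls outside the signed 9-bit form, and a negative offset can never use the scaled form, so with a 1024-byte frame the same slot is only reachable as SP + 512; a misaligned SP-relative offset (for example 508 for an 8-byte access) fits neither form and needs a scratch register.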
1805 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1806
1807         [mips] Make repatchCall public to fix compilation.
1808         https://bugs.webkit.org/show_bug.cgi?id=152843
1809
1810         Reviewed by Michael Saboff.
1811
1812         * assembler/MacroAssemblerMIPS.h:
1813         (JSC::MacroAssemblerMIPS::repatchCall):
1814         (JSC::MacroAssemblerMIPS::linkCall): Deleted.
1815
1816 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1817
1818         [mips] Replaced subi with addi in getHostCallReturnValue
1819         https://bugs.webkit.org/show_bug.cgi?id=152841
1820
1821         Reviewed by Michael Saboff.
1822
1823         The MIPS architecture does not have a subi instruction; addi with a negative
1824         number should be used instead.
1825
1826         * jit/JITOperations.cpp:
1827
1828 2016-01-07  Mark Lam  <mark.lam@apple.com>
1829
1830         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
1831         https://bugs.webkit.org/show_bug.cgi?id=152833
1832
1833         Reviewed by Michael Saboff.
1834
1835         Follow-up patch to fix illegal use of memoryTempRegister as the src for ARM64's
1836         store32.
1837
1838         * assembler/MacroAssemblerARM64.h:
1839         (JSC::MacroAssemblerARM64::or32):
1840         (JSC::MacroAssemblerARM64::store):
1841
1842 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1843
1844         [mips] GPRInfo::toArgumentRegister missing
1845         https://bugs.webkit.org/show_bug.cgi?id=152838
1846
1847         Reviewed by Michael Saboff.
1848
1849         * jit/GPRInfo.h:
1850         (JSC::GPRInfo::toArgumentRegister):
1851
1852 2016-01-07  Mark Lam  <mark.lam@apple.com>
1853
1854         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
1855         https://bugs.webkit.org/show_bug.cgi?id=152833
1856
1857         Reviewed by Benjamin Poulain.
1858
1859         * assembler/MacroAssemblerARM.h:
1860         (JSC::MacroAssemblerARM::or32):
1861         - Added some assertions to make sure it is safe to use ARMRegisters::S0 as a temp.
1862         * assembler/MacroAssemblerARM64.h:
1863         (JSC::MacroAssemblerARM64::or32):
1864         - Implement an optimization that avoids reloading the memoryTempRegister when
1865           the immediate is encodable as an instruction immediate.
1866         * assembler/MacroAssemblerARMv7.h:
1867         (JSC::MacroAssemblerARMv7::or32):
1868         - Added an assertion to make sure it is safe to use the dataTempRegister as a temp.
1869         - Implement an optimization that avoids reloading the memoryTempRegister when
1870           the immediate is encodable as an instruction immediate.  In the event that we
1871           cannot encode the immediate, we'll use the addressTempRegister as a temp, and
1872           reload it later.
1873
1874 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1875
1876         [CMake] JSC shell sources should include JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
1877         https://bugs.webkit.org/show_bug.cgi?id=152664
1878
1879         Reviewed by Alex Christensen.
1880
1881         * shell/CMakeLists.txt:
1882
1883 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
1884
1885         Web Inspector: CRASH Attempting to pause on CSP violation not inside of script
1886         https://bugs.webkit.org/show_bug.cgi?id=152825
1887         <rdar://problem/24021276>
1888
1889         Reviewed by Timothy Hatcher.
1890
1891         * debugger/Debugger.cpp:
1892         (JSC::Debugger::breakProgram):
1893         We cannot pause if we are not evaluating JavaScript, so bail.
1894
1895 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
1896
1897         [JSC] Re-enable lea() in Air on ARM64
1898         https://bugs.webkit.org/show_bug.cgi?id=152832
1899
1900         Reviewed by Michael Saboff.
1901
1902         Lea() on the MacroAssembler is not the full x86 Lea (the real one being
1903         x86Lea32()). Instead, it is an addPtr() with SP and a constant.
1904
1905         The instruction is required to implement B3's StackSlot. It is not
1906         safe for big offsets but none of the stack operations are at the moment.
1907
1908         * b3/air/AirOpcode.opcodes:
1909
1910 2016-01-07  Julien Brianceau  <jbriance@cisco.com>
1911
1912         [mips] Add two missing abortWithReason implementations
1913         https://bugs.webkit.org/show_bug.cgi?id=136753
1914
1915         Reviewed by Benjamin Poulain.
1916
1917         * assembler/MacroAssemblerMIPS.h:
1918         (JSC::MacroAssemblerMIPS::memoryFence):
1919         (JSC::MacroAssemblerMIPS::abortWithReason):
1920         (JSC::MacroAssemblerMIPS::readCallTarget):
1921
1922 2016-01-07  Csaba Osztrogonác  <ossy@webkit.org>
1923
1924         Add new or32 implementation to MacroAssemblerARM after r194613
1925         https://bugs.webkit.org/show_bug.cgi?id=152784
1926
1927         Reviewed by Benjamin Poulain.
1928
1929         * assembler/MacroAssemblerARM.h:
1930         (JSC::MacroAssemblerARM::or32):
1931
1932 2016-01-06  Mark Lam  <mark.lam@apple.com>
1933
1934         REGRESSION(r194613): JITMulGenerator needs a scratch GPR on 32-bit too.
1935         https://bugs.webkit.org/show_bug.cgi?id=152805
1936
1937         Reviewed by Michael Saboff.
1938
1939         There aren't enough registers on x86 32-bit to allocate the needed scratch GPR.
1940         So, we'll continue to use one of the result registers as the scratch, and
1941         re-compute the result at the end.
1942
1943         * jit/JITMulGenerator.cpp:
1944         (JSC::JITMulGenerator::generateFastPath):
1945
1946 2016-01-06  Anders Carlsson  <andersca@apple.com>
1947
1948         Add a smart block pointer
1949         https://bugs.webkit.org/show_bug.cgi?id=152799
1950
1951         Reviewed by Tim Horton.
1952
1953         Get rid of RemoteTargetBlock and replace it with WTF::BlockPtr<void ()>.
1954
1955         * inspector/remote/RemoteConnectionToTarget.h:
1956         (Inspector::RemoteTargetBlock::RemoteTargetBlock): Deleted.
1957         (Inspector::RemoteTargetBlock::~RemoteTargetBlock): Deleted.
1958         (Inspector::RemoteTargetBlock::operator=): Deleted.
1959         (Inspector::RemoteTargetBlock::operator()): Deleted.
1960         * inspector/remote/RemoteConnectionToTarget.mm:
1961         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
1962         (Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop):
1963
1964 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
1965
1966         [JSC] More B3 tests passing on ARM64
1967         https://bugs.webkit.org/show_bug.cgi?id=152787
1968
1969         Reviewed by Michael Saboff.
1970
1971         Some more minor bugs.
1972
1973         * assembler/MacroAssemblerARM64.h:
1974         (JSC::MacroAssemblerARM64::urshift64):
1975         The offset was being truncated. That code was just copied
1976         from the 32-bit version of urshift.
1977
1978         * b3/B3LowerToAir.cpp:
1979         (JSC::B3::Air::LowerToAir::createGenericCompare):
1980         Very few instructions can encode -1 as immediate.
1981         TST certainly can't. The fallback works for ARM.
1982
1983         * b3/air/AirOpcode.opcodes:
1984         Bit instructions have very specific immediate encoding.
1985         B3 cannot express that properly yet. I disabled those
1986         forms for now. Immediate encoding is something we'll really
1987         have to look into at some point for B3 ARM64.
1988
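The "very specific immediate encoding" of ARM64 bit instructions mentioned above, and the "encodable as an instruction immediate" test in the 2016-01-07 or32 entry, as an added C example that is not JSC's code: a predicate for ARM64 bitmask (logical) immediates, the only immediates AND/ORR/EOR/TST accept. It also shows why -1 is not a TST immediate. arm64IsLogicalImmediate and its helpers are names of this example.

```c
#include <stdbool.h>
#include <stdint.h>

static uint64_t lowMask(unsigned bits)
{
    return bits >= 64 ? ~(uint64_t)0 : ((uint64_t)1 << bits) - 1;
}

static unsigned popcount64(uint64_t x)
{
    unsigned n = 0;
    for (; x; x &= x - 1)
        n++;
    return n;
}

/*
 * ARM64 logical instructions accept only "bitmask immediates": an element of
 * 2, 4, 8, 16, 32 or 64 bits holding one contiguous run of ones, rotated by any
 * amount and replicated across the register. All-zero and all-one values are
 * excluded by the encoding, which is why -1 cannot be a TST immediate.
 * width is the operation width, 32 or 64.
 */
bool arm64IsLogicalImmediate(uint64_t value, unsigned width)
{
    value &= lowMask(width);
    if (value == 0 || value == lowMask(width))
        return false;

    /* Find the smallest element whose replication reproduces the whole value. */
    unsigned size = width;
    while (size > 2) {
        unsigned half = size / 2;
        uint64_t m = lowMask(half);
        if ((value & m) != ((value >> half) & m))
            break;
        size = half;
    }

    /* One rotated run of ones has exactly two 0/1 transitions around the element. */
    uint64_t m = lowMask(size);
    uint64_t elem = value & m;
    uint64_t rotatedByOne = ((elem >> 1) | (elem << (size - 1))) & m;
    return popcount64(elem ^ rotatedByOne) == 2;
}
```

The width matters: 0xFFFFFFFF is all ones for a 32-bit operation and therefore unencodable, but for a 64-bit operation it is a run of 32 ones and encodes fine. An emitter that keys its fast path on this predicate falls back to materializing the constant in a scratch register, which is exactly the reload the or32 entry avoids when the immediate is encodable.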
1989 2016-01-06  Michael Catanzaro  <mcatanzaro@igalia.com>
1990
1991         Silence -Wtautological-compare
1992         https://bugs.webkit.org/show_bug.cgi?id=152768
1993
1994         Reviewed by Saam Barati.
1995
1996         * runtime/Options.cpp:
1997         (JSC::Options::setAliasedOption):
1998
1999 2016-01-06  Filip Pizlo  <fpizlo@apple.com>
2000
2001         Make sure that the basic throw-from-operation mode of throwing makes sense in FTL B3
2002         https://bugs.webkit.org/show_bug.cgi?id=152798
2003
2004         Reviewed by Oliver Hunt.
2005
2006         This really just contains one change: we inline emitBranchToOSRExitIfWillCatchException()
2007         into callCheck(), since that was its only caller. This makes it a bit more clear what is
2008         going on.
2009
2010         It turns out that FTL B3 already handled this case properly. I added a test that I believe
2011         illustrates this. Note that although the test uses GetById, which ordinarily throws
2012         exceptions from inside a patchpoint, it uses it in such a way that the exception is thrown
2013         from the operation call for the non-cell bypass path of a GetById(UntypedUse:).
2014
2015         * ftl/FTLLowerDFGToLLVM.cpp:
2016         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2017         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
2018         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2019         (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException): Deleted.
2020         * tests/stress/ftl-operation-exception.js: Added.
2021         (foo):
2022
2023 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
2024
2025         Web Inspector: Remove duplicate check
2026         https://bugs.webkit.org/show_bug.cgi?id=152792
2027
2028         Reviewed by Timothy Hatcher.
2029
2030         * inspector/InjectedScriptSource.js:
2031         (InjectedScript.RemoteObject.prototype._generatePreview): Deleted.
2032         This method is only called from one place, and it does an equivalent
2033         check before calling this function. Remove the duplicate check.
2034
2035 2016-01-06  Brian Burg  <bburg@apple.com>
2036
2037         Add a WebKit SPI for registering an automation controller with RemoteInspector
2038         https://bugs.webkit.org/show_bug.cgi?id=151576
2039
2040         Reviewed by Dan Bernstein and Joseph Pecoraro.
2041
2042         Given a RemoteInspector endpoint that is instantiated in UIProcess, there
2043         should be a way to delegate automation-related functionality and policy to
2044         clients of WebKit.
2045
2046         This class adds a RemoteInspector::Client interface that serves a delegate.
2047         This is ultimately delegated via _WKAutomationDelegate, which is an SPI
2048         that allows clients to install an Objective-C delegate for automation.
2049
2050         The setting for whether remote automation is allowed is included in the
2051         listing that RemoteInspector sends out. It is updated when RemoteInspector::Client
2052         is assigned, or when the client signals that its capabilities have changed.
2053
2054         * inspector/remote/RemoteInspector.h:
2055         * inspector/remote/RemoteInspector.mm:
2056         (Inspector::RemoteInspector::setRemoteInspectorClient): Added.
2057         (Inspector::RemoteInspector::pushListingsNow):
2058
2059             In the listing, include whether the application supports remote automation.
2060
2061         * inspector/remote/RemoteInspectorConstants.h: Add a constant.
2062
2063 2016-01-05  Keith Miller  <keith_miller@apple.com>
2064
2065         [ES6] Boolean, Number, Map, RegExp, and Set should be subclassable
2066         https://bugs.webkit.org/show_bug.cgi?id=152765
2067
2068         Reviewed by Michael Saboff.
2069
2070         This patch enables subclassing of five more builtins: Boolean, Number, Map, RegExp, and Set.
2071
2072         * runtime/BooleanConstructor.cpp:
2073         (JSC::constructWithBooleanConstructor):
2074         (JSC::constructBoolean): Deleted.
2075         * runtime/BooleanConstructor.h:
2076         * runtime/MapConstructor.cpp:
2077         (JSC::constructMap):
2078         * runtime/NumberConstructor.cpp:
2079         (JSC::constructWithNumberConstructor):
2080         * runtime/RegExpConstructor.cpp:
2081         (JSC::getRegExpStructure):
2082         (JSC::constructRegExp):
2083         * runtime/SetConstructor.cpp:
2084         (JSC::constructSet):
2085         * tests/es6.yaml:
2086         * tests/stress/class-subclassing-misc.js: Added.
2087         (B):
2088         (N):
2089         (M):
2090         (R):
2091         (S):
2092         (test):
2093
2094 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2095
2096         [mips] Fix branchTruncateDoubleToUint32 implementation in macro assembler
2097         https://bugs.webkit.org/show_bug.cgi?id=152782
2098
2099         Reviewed by Benjamin Poulain.
2100
2101         Already covered by LayoutTests/js/dfg-uint32array-overflow-values test.
2102
2103         * assembler/MacroAssemblerMIPS.h:
2104         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
2105
2106 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2107
2108         [mips] Fix or32 implementation in macro assembler
2109         https://bugs.webkit.org/show_bug.cgi?id=152781
2110
2111         Reviewed by Michael Saboff.
2112
2113         * assembler/MacroAssemblerMIPS.h:
2114         (JSC::MacroAssemblerMIPS::or32):
2115
2116 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2117
2118         [mips] Add missing branchAdd32 implementation in macro assembler
2119         https://bugs.webkit.org/show_bug.cgi?id=152785
2120
2121         Reviewed by Michael Saboff.
2122
2123         * assembler/MacroAssemblerMIPS.h:
2124         (JSC::MacroAssemblerMIPS::branchAdd32):
2125
2126 2016-01-06  Andy VanWagoner  <thetalecrafter@gmail.com>
2127
2128         [ES6] Date.prototype should be a plain object
2129         https://bugs.webkit.org/show_bug.cgi?id=152574
2130
2131         Reviewed by Benjamin Poulain.
2132
2133         * runtime/DateConstructor.cpp:
2134         (JSC::DateConstructor::finishCreation):
2135         * runtime/DatePrototype.cpp:
2136         (JSC::DatePrototype::DatePrototype):
2137         * runtime/DatePrototype.h:
2138         * tests/mozilla/mozilla-tests.yaml: Expect errors from old Date.prototype as Date instance tests.
2139
2140 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
2141
2142         [JSC] Get more of testb3 to pass on ARM64
2143         https://bugs.webkit.org/show_bug.cgi?id=152737
2144
2145         Reviewed by Geoffrey Garen.
2146
2147         A bunch of minor bugs and missing functions to make most of testb3
2148         run on ARM64.
2149
2150         * JavaScriptCore.xcodeproj/project.pbxproj:
2151         * assembler/ARM64Assembler.h:
2152         (JSC::ARM64Assembler::canEncodePImmOffset):
2153         (JSC::ARM64Assembler::canEncodeSImmOffset):
2154         (JSC::isInt9): Deleted.
2155         (JSC::isUInt12): Deleted.
2156         * assembler/ARMv7Assembler.h:
2157         * assembler/AssemblerCommon.h: Added.
2158         (JSC::isInt9):
2159         (JSC::isUInt12):
2160         (JSC::isValidScaledUImm12):
2161         (JSC::isValidSignedImm9):
2162         * assembler/MacroAssemblerARM64.h:
2163         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
2164         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
2165         (JSC::MacroAssemblerARM64::store16):
2166         (JSC::MacroAssemblerARM64::absFloat):
2167         (JSC::MacroAssemblerARM64::loadFloat):
2168         (JSC::MacroAssemblerARM64::storeFloat):
2169         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate):
2170         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate):
2171         (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
2172         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<8>):
2173         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<16>):
2174         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<8>):
2175         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<16>):
2176         * assembler/X86Assembler.h:
2177         * b3/B3LowerToAir.cpp:
2178         (JSC::B3::Air::LowerToAir::effectiveAddr):
2179         (JSC::B3::Air::LowerToAir::lower):
2180         * b3/air/AirArg.h:
2181         (JSC::B3::Air::Arg::isValidImmForm):
2182         (JSC::B3::Air::Arg::isValidAddrForm):
2183         (JSC::B3::Air::Arg::isValidForm):
2184         * b3/air/AirOpcode.opcodes:
2185
2186 2016-01-05  Zan Dobersek  <zdobersek@igalia.com>
2187
2188         [CMake] Remove USE_UDIS86 variable
2189         https://bugs.webkit.org/show_bug.cgi?id=152731
2190
2191         Reviewed by Gyuyoung Kim.
2192
2193         * CMakeLists.txt: Unconditionally build the Udis86-specific files.
2194
2195 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2196
2197         FTL B3 fails cdjs-tests.yaml/red_black_tree_test.js.ftl-eager-no-cjit
2198         https://bugs.webkit.org/show_bug.cgi?id=152770
2199
2200         Reviewed by Mark Lam.
2201
2202         It turns out that liveness didn't know that the return value GPR or FPR is live at the
2203         return. Consequently, we can end up with code that clobbers the return value register after
2204         the move of the return value into that register. This could happen if we start with
2205         something like:
2206
2207             Move 42(%tmp1), %tmp2
2208             Move 50(%tmp1), %tmp3
2209             Move %tmp3, 58(%tmp1)
2210             Move %tmp2, %rax
2211             Ret
2212
2213         Then we might coalesce %tmp2 with %rax:
2214
2215             Move 42(%tmp1), %rax
2216             Move 50(%tmp1), %tmp3
2217             Move %tmp3, 58(%tmp1)
2218             Ret
2219
2220         But now there is no use of %rax after that first instruction, so %rax appears dead at the
2221         other two Moves. So, the register allocator could then do this:
2222
2223             Move 42(%tmp1), %rax
2224             Move 50(%tmp1), %rax
2225             Move %rax, 58(%tmp1)
2226             Ret
2227
2228         And that's clearly wrong. This patch solves this issue by replacing the old Ret instruction
2229         with Ret32, Ret64, RetFloat, and RetDouble. These all take the return value register as an
2230         argument. They also tell Air which parts of the return value register the caller will
2231         observe. That's great for width analysis.
2232
2233         This resolves a test failure in the CDjs red_black_tree_test. This reduces the total number
2234         of JSC test failures from 217 to 191.
2235
2236         * assembler/MacroAssembler.h:
2237         (JSC::MacroAssembler::oops):
2238         (JSC::MacroAssembler::ret32):
2239         (JSC::MacroAssembler::ret64):
2240         (JSC::MacroAssembler::retFloat):
2241         (JSC::MacroAssembler::retDouble):
2242         (JSC::MacroAssembler::shouldConsiderBlinding):
2243         * b3/B3LowerToAir.cpp:
2244         (JSC::B3::Air::LowerToAir::lower):
2245         * b3/air/AirGenerate.cpp:
2246         (JSC::B3::Air::generate):
2247         * b3/air/AirHandleCalleeSaves.cpp:
2248         (JSC::B3::Air::handleCalleeSaves):
2249         * b3/air/AirOpcode.opcodes:
2250         * b3/air/opcode_generator.rb:
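
The liveness argument in the entry above, worked through as an added example. This is not WebKit code and not Air's real liveness analysis (which also handles branches, ZDefs and late uses); it is a straight-line use/def model over the listing quoted in the entry. The operand parser, the interference test and the function names are constructed for this illustration.

```javascript
// Added example, not WebKit code: a toy backward liveness analysis over the
// Air-style listing quoted in the entry above. It shows why a Ret that does
// not name the return register lets the allocator reuse %rax too early.
// Operand syntax follows the entry: "%reg" is a register, "off(%reg)" is a
// memory operand whose base register is read.

function parseOperand(text) {
  const t = text.trim();
  const mem = /^-?\d+\((%\w+)\)$/.exec(t);
  if (mem) return { kind: 'mem', base: mem[1] };
  if (t.startsWith('%')) return { kind: 'reg', name: t };
  throw new Error('unsupported operand: ' + text);
}

// Parse one instruction into { op, uses, defs }. retUses lists the registers
// a Ret reads: [] models the old untyped Ret, ['%rax'] models "Ret64 %rax".
function parseInst(line, retUses) {
  const [op, rest] = line.trim().split(/\s+(.*)/);
  if (op === 'Ret') return { op, uses: retUses.slice(), defs: [] };
  if (op !== 'Move') throw new Error('unsupported opcode: ' + op);
  const [src, dst] = rest.split(',').map(parseOperand);
  const uses = [src.kind === 'reg' ? src.name : src.base];
  const defs = [];
  if (dst.kind === 'reg') defs.push(dst.name);
  else uses.push(dst.base);            // a store reads its base register
  return { op, uses, defs };
}

// Backward liveness over straight-line code: liveOut[i] is the set of
// registers live immediately after insts[i]. Nothing is live after Ret
// except what Ret itself uses.
function liveOut(insts) {
  const out = new Array(insts.length);
  let live = new Set();
  for (let i = insts.length - 1; i >= 0; i--) {
    out[i] = new Set(live);
    for (const d of insts[i].defs) live.delete(d);
    for (const u of insts[i].uses) live.add(u);
  }
  return out;
}

// a and b interfere if either is defined at a point where the other is
// live-out; only non-interfering tmps may share a register.
function interferes(insts, a, b) {
  const out = liveOut(insts);
  return insts.some((inst, i) =>
    (inst.defs.includes(a) && out[i].has(b)) ||
    (inst.defs.includes(b) && out[i].has(a)));
}

// The listing from the entry after %tmp2 has been coalesced into %rax.
const COALESCED = [
  'Move 42(%tmp1), %rax',
  'Move 50(%tmp1), %tmp3',
  'Move %tmp3, 58(%tmp1)',
  'Ret',
];

// True if the allocator would be allowed to assign %rax to %tmp3, which is
// exactly the miscompile the entry describes.
function mayAssignRaxToTmp3(retUses) {
  const insts = COALESCED.map(l => parseInst(l, retUses));
  return !interferes(insts, '%rax', '%tmp3');
}
```

With the untyped `Ret` (`mayAssignRaxToTmp3([])`) %rax is dead after the first Move, so nothing stops the allocator from handing it to %tmp3 and clobbering the return value. With `Ret64 %rax` (`mayAssignRaxToTmp3(['%rax'])`) the use on the Ret keeps %rax live across the other two Moves and the two tmps interfere.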
2251
2252 2016-01-05  Keith Miller  <keith_miller@apple.com>
2253
2254         Unreviewed build fix. A symbol was being exported that should not have been.
2255
2256         * runtime/Structure.h:
2257
2258 2016-01-05  Commit Queue  <commit-queue@webkit.org>
2259
2260         Unreviewed, rolling out r194603.
2261         https://bugs.webkit.org/show_bug.cgi?id=152762
2262
2263         This change introduced JSC test failures (Requested by
2264         ryanhaddad on #webkit).
2265
2266         Reverted changeset:
2267
2268         "[ES6] Date.prototype should be a plain object"
2269         https://bugs.webkit.org/show_bug.cgi?id=152574
2270         http://trac.webkit.org/changeset/194603
2271
2272 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2273
2274         stress/v8-crypto-strict.js.ftl-eager-no-cjit in FTL B3 fails with an assertion in the callframe shuffler
2275         https://bugs.webkit.org/show_bug.cgi?id=152756
2276
2277         Reviewed by Saam Barati.
2278
2279         This fixes a really obvious and dumb tail call bug in FTL B3. I think that tail calls work
2280         for real now. I have no idea why I got any tail call tests to pass before this fix.
2281
2282         * ftl/FTLLowerDFGToLLVM.cpp:
2283         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2284
2285 2016-01-04  Mark Lam  <mark.lam@apple.com>
2286
2287         Profiling should detect when multiplication overflows but does not create negative zero.
2288         https://bugs.webkit.org/show_bug.cgi?id=132470
2289
2290         Reviewed by Geoffrey Garen.
2291
2292         * assembler/MacroAssemblerARM64.h:
2293         (JSC::MacroAssemblerARM64::or32):
2294         * assembler/MacroAssemblerARMv7.h:
2295         (JSC::MacroAssemblerARMv7::or32):
2296         - New or32 emitter needed by the mul snippet.
2297
2298         * bytecode/CodeBlock.cpp:
2299         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2300         (JSC::CodeBlock::updateResultProfileForBytecodeOffset): Deleted.
2301         * bytecode/CodeBlock.h:
2302         (JSC::CodeBlock::ensureResultProfile):
2303         (JSC::CodeBlock::addResultProfile): Deleted.
2304         (JSC::CodeBlock::likelyToTakeDeepestSlowCase): Deleted.
2305         - Added a m_bytecodeOffsetToResultProfileIndexMap because we can now add result
2306           profiles in any order (based on runtime execution), not necessarily in bytecode
2307           order at baseline compilation time.
2308
2309         * bytecode/ValueProfile.cpp:
2310         (WTF::printInternal):
2311         * bytecode/ValueProfile.h:
2312         (JSC::ResultProfile::didObserveInt52Overflow):
2313         (JSC::ResultProfile::setObservedInt52Overflow):
2314         - Add new Int52Overflow flags.
2315
2316         * dfg/DFGByteCodeParser.cpp:
2317         (JSC::DFG::ByteCodeParser::makeSafe):
2318         - Now with more straightforward mapping of profiling info.
2319
2320         * dfg/DFGCommon.h:
2321         - Fixed a typo in a comment.
2322
2323         * dfg/DFGNode.h:
2324         (JSC::DFG::Node::arithNodeFlags):
2325         (JSC::DFG::Node::mayHaveNonIntResult):
2326         (JSC::DFG::Node::hasConstantBuffer):
2327         * dfg/DFGNodeFlags.cpp:
2328         (JSC::DFG::dumpNodeFlags):
2329         * dfg/DFGNodeFlags.h:
2330         (JSC::DFG::nodeMayOverflowInt52):
2331         (JSC::DFG::nodeCanSpeculateInt52):
2332         * dfg/DFGPredictionPropagationPhase.cpp:
2333         (JSC::DFG::PredictionPropagationPhase::propagate):
2334         - We now have profiling info for whether the result was ever seen to be a non-Int.
2335           Use this to make a better prediction.
2336
2337         * jit/JITArithmetic.cpp:
2338         (JSC::JIT::emit_op_div):
2339         (JSC::JIT::emit_op_mul):
2340         - Switch to using CodeBlock::ensureResultProfile().  ResultProfiles can now be
2341           created at any time (including the slow path), not just in bytecode order
2342           during baseline compilation.
2343
2344         * jit/JITMulGenerator.cpp:
2345         (JSC::JITMulGenerator::generateFastPath):
2346         - Removed the fast path profiling code for NegZero because we'll go to the slow
2347           path anyway.  Let the slow path do the profiling for us.
2348         - Added profiling for NegZero and potential Int52 overflows in the fast path
2349           that does double math.
2350
2351         * runtime/CommonSlowPaths.cpp:
2352         (JSC::updateResultProfileForBinaryArithOp):
2353         - Removed the RETURN_WITH_RESULT_PROFILING macro (2 fewer macros), and just use
2354           the RETURN_WITH_PROFILING macro instead with a call to
2355           updateResultProfileForBinaryArithOp().  This makes it clear what we're doing
2356           to do profiling in each case, and also allows us to do custom profiling for
2357           each opcode if needed.  However, so far, we always call
2358           updateResultProfileForBinaryArithOp().
2359
2360 2016-01-05  Keith Miller  <keith_miller@apple.com>
2361
2362         [ES6] Arrays should be subclassable.
2363         https://bugs.webkit.org/show_bug.cgi?id=152706
2364
2365         Reviewed by Benjamin Poulain.
2366
2367         This patch enables full subclassing of Arrays. We do this by fetching the new.target's prototype property
2368         in the Array constructor and transitioning the old structure to have the new prototype. This method has
2369         two downsides. The first is that we clobber the transition watchpoint on the base structure. The second,
2370         which is currently very significant but should be fixed in a future patch, is that we allocate a new
2371         structure for each new derived class we allocate.
2372
2373         * runtime/ArrayConstructor.cpp:
2374         (JSC::constructArrayWithSizeQuirk):
2375         (JSC::constructWithArrayConstructor):
2376         (JSC::callArrayConstructor):
2377         * runtime/ArrayConstructor.h:
2378         * runtime/JSGlobalObject.h:
2379         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
2380         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
2381         (JSC::constructEmptyArray):
2382         (JSC::constructArray):
2383         (JSC::constructArrayNegativeIndexed):
2384         * runtime/PrototypeMap.h:
2385         * runtime/Structure.h:
2386         * runtime/StructureInlines.h:
2387         (JSC::Structure::createSubclassStructure):
2388         * tests/es6.yaml:
2389         * tests/stress/class-subclassing-array.js: Added.
2390         (A):
2391         (B.prototype.get 1):
2392         (B):
2393         (C):
2394         (test):
2395
2396 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2397
2398         regress/script-tests/deltablue-varargs.js.ftl-no-cjit-no-put-stack-validate on FTL B3 gets a B3 validation failure
2399         https://bugs.webkit.org/show_bug.cgi?id=152754
2400
2401         Reviewed by Geoffrey Garen and Saam Barati.
2402
2403         It turns out that the FTL was creating orphans. Rather than making the FTL handle them by
2404         itself, I gave B3 the power to eliminate them for you. I also made the dumper print them
2405         since otherwise, you wouldn't know anything about the orphan when looking at a validation
2406         failure or other kind of procedure dump.
2407
2408         * b3/B3IndexSet.h:
2409         (JSC::B3::IndexSet::add):
2410         (JSC::B3::IndexSet::addAll):
2411         (JSC::B3::IndexSet::remove):
2412         * b3/B3Procedure.cpp:
2413         (JSC::B3::Procedure::dump):
2414         (JSC::B3::Procedure::deleteValue):
2415         (JSC::B3::Procedure::deleteOrphans):
2416         (JSC::B3::Procedure::dominators):
2417         * b3/B3Procedure.h:
2418         (JSC::B3::Procedure::cfg):
2419         * ftl/FTLLowerDFGToLLVM.cpp:
2420         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2421
2422 2015-12-24  Mark Lam  <mark.lam@apple.com>
2423
2424         Re-landing: Add validation of JSC options to catch typos.
2425         https://bugs.webkit.org/show_bug.cgi?id=152549
2426
2427         Reviewed by Benjamin Poulain.
2428
2429         1. If a JSC_xxx option is found and xxx is not a valid option, we will now log
2430            an error message.
2431         2. If a --xxx jsc option is specified, but xxx is not a valid option, we will
2432            now log an error message.
2433         3. Added JSC_validateOptions, which if set to true will cause the VM to crash if
2434            an invalid option was seen during options parsing.
2435
2436         In this version for re-landing, I removed the change where I disallowed -- options
2437         after the script name.  Apparently, we have some test harnesses that do append the
2438         -- options after the script name.
2439
2440         * jsc.cpp:
2441         (CommandLine::parseArguments):
2442         * runtime/Options.cpp:
2443         (JSC::Options::initialize):
2444         * runtime/Options.h:
2445
2446 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2447
2448         FTL B3 should do ArithNegate
2449         https://bugs.webkit.org/show_bug.cgi?id=152745
2450
2451         Reviewed by Geoffrey Garen.
2452
2453         * ftl/FTLLowerDFGToLLVM.cpp:
2454         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
2455
2456 2016-01-05  Andy VanWagoner  <thetalecrafter@gmail.com>
2457
2458         [ES6] Date.prototype should be a plain object
2459         https://bugs.webkit.org/show_bug.cgi?id=152574
2460
2461         Reviewed by Benjamin Poulain.
2462
2463         * runtime/DateConstructor.cpp:
2464         (JSC::DateConstructor::finishCreation):
2465         * runtime/DatePrototype.cpp:
2466         (JSC::DatePrototype::DatePrototype):
2467         * runtime/DatePrototype.h:
2468
2469 2016-01-05  Commit Queue  <commit-queue@webkit.org>
2470
2471         Unreviewed, rolling out r194590.
2472         https://bugs.webkit.org/show_bug.cgi?id=152751
2473
2474         "Causes bot failures" (Requested by mlam on #webkit).
2475
2476         Reverted changeset:
2477
2478         "Add validation of JSC options to catch typos."
2479         https://bugs.webkit.org/show_bug.cgi?id=152549
2480         http://trac.webkit.org/changeset/194590
2481
2482 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2483
2484         FTL B3 should do In
2485         https://bugs.webkit.org/show_bug.cgi?id=152744
2486
2487         Reviewed by Michael Saboff.
2488
2489         This was easy; I just used the same idiom that we already established for ICs in FTL B3.
2490
2491         * ftl/FTLLowerDFGToLLVM.cpp:
2492         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2493
2494 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2495
2496         Implement B3 version of FTL::Output::check()
2497         https://bugs.webkit.org/show_bug.cgi?id=152743
2498
2499         Reviewed by Geoffrey Garen.
2500
2501         Turns out this was just like the LLVM version.
2502
2503         * ftl/FTLB3Output.cpp:
2504         (JSC::FTL::Output::branch):
2505         (JSC::FTL::Output::check):
2506         * ftl/FTLB3Output.h:
2507         (JSC::FTL::Output::switchInstruction):
2508         (JSC::FTL::Output::check): Deleted.
2509
2510 2016-01-05  Mark Lam  <mark.lam@apple.com>
2511
2512         Add support for aliasing JSC Options.
2513         https://bugs.webkit.org/show_bug.cgi?id=152551
2514
2515         Reviewed by Filip Pizlo.
2516
2517         This allows us to use old option names as well.  This is for the benefit of
2518         third party tools which may have been built to rely on those old options.  The
2519         old option names will be mapped to the current option names in setOption().
2520
2521         For some options, the old option name specifies the inverse boolean value of the
2522         current option name.  setOption() will take care of inverting the value before
2523         applying it to the option.
2524
2525         * jsc.cpp:
2526         (CommandLine::parseArguments):
2527         - Switch to dumping only overridden options here.  Verbose dumping is too much
2528           for common usage.
2529         * runtime/Options.cpp:
2530         (JSC::overrideOptionWithHeuristic):
2531         (JSC::Options::overrideAliasedOptionWithHeuristic):
2532         (JSC::computeNumberOfWorkerThreads):
2533         (JSC::Options::initialize):
2534         (JSC::Options::setOptionWithoutAlias):
2535         (JSC::invertBoolOptionValue):
2536         (JSC::Options::setAliasedOption):
2537         (JSC::Options::setOption):
2538         (JSC::Options::dumpAllOptions):
2539         - String.ascii() converts newline characters to '?', and this was messing up the
2540           printing of the options.  Switched to using String.utf8() instead.
2541         (JSC::Options::dumpOption):
2542         * runtime/Options.h:
2543
2544 2016-01-05  Mark Lam  <mark.lam@apple.com>
2545
2546         Add validation of JSC options to catch typos.
2547         https://bugs.webkit.org/show_bug.cgi?id=152549
2548
2549         Reviewed by Benjamin Poulain.
2550
2551         1. If a JSC_xxx option is found and xxx is not a valid option, we will now log
2552            an error message.
2553         2. The jsc app is commonly used as follows:
2554
2555                $ jsc [jsc options] [scripts]
2556
2557            Previously, we would continue to parse for [jsc options] after [scripts] is seen.
2558            We won't do this anymore.  Any --xxx jsc options must precede the [scripts]
2559            arguments.
2560
2561         3. If a --xxx jsc option is specified, but xxx is not a valid option, we will
2562            now log an error message.
2563
2564         4. Added JSC_validateOptions, which if set to true will cause the VM to crash if
2565            an invalid option was seen during options parsing.
2566
2567         * jsc.cpp:
2568         (CommandLine::parseArguments):
2569         * runtime/Options.cpp:
2570         (JSC::Options::initialize):
2571         * runtime/Options.h:
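
A worked model of the option handling described in this entry and in the "Add support for aliasing JSC Options" entry above, added here as an example; it is not JSC's Options.cpp. The option table, the alias names and the value syntax are hypothetical (only JSC_validateOptions is named in the ChangeLog), and the crash on an invalid option is modelled by throwing.

```javascript
// Added example, not JSC's Options.cpp: a small option table implementing the
// two behaviours described in the entries above, aliases that map an old name
// onto the current one (optionally inverting a boolean) and validation that
// reports unknown names. Every option name except validateOptions is made up
// for this example.
const OPTION_TABLE = {
  validateOptions: { type: 'bool', value: false },
  useJIT:          { type: 'bool', value: true },    // hypothetical
  jitThreshold:    { type: 'unsigned', value: 500 }, // hypothetical
};

// Old name -> current name; invert:true means the old option expressed the
// opposite boolean (e.g. "disableX" versus "useX").
const OPTION_ALIASES = {
  enableJIT:  { name: 'useJIT', invert: false }, // hypothetical
  disableJIT: { name: 'useJIT', invert: true },  // hypothetical
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function parseValue(type, text) {
  if (type === 'bool') {
    if (text === 'true' || text === '1') return true;
    if (text === 'false' || text === '0') return false;
  } else if (type === 'unsigned' && /^\d+$/.test(text)) {
    return Number(text);
  }
  return undefined; // unparsable
}

// Set one option by name, resolving aliases first. Returns null on success
// or a diagnostic string for an unknown name or a bad value.
function setOption(table, name, text) {
  let target = name;
  let invert = false;
  if (!has(table, name) && has(OPTION_ALIASES, name)) {
    target = OPTION_ALIASES[name].name;
    invert = OPTION_ALIASES[name].invert;
  }
  const opt = has(table, target) ? table[target] : undefined;
  if (!opt) return `unrecognized option "${name}"`;
  let value = parseValue(opt.type, text);
  if (value === undefined) return `bad value "${text}" for option "${name}"`;
  if (invert) value = !value;
  opt.value = value;
  return null;
}

// Apply JSC_xxx environment entries, then --xxx=value arguments; anything
// else on the command line is a script (a -- option may follow a script, as
// the re-landed entry allows). Every invalid option is recorded; with
// validateOptions set, the first one is fatal (JSC crashes, this throws).
function parseOptions(env, argv) {
  const table = JSON.parse(JSON.stringify(OPTION_TABLE)); // private copy
  const errors = [];
  const scripts = [];
  for (const [key, val] of Object.entries(env)) {
    if (!key.startsWith('JSC_')) continue;
    const err = setOption(table, key.slice('JSC_'.length), val);
    if (err) errors.push(err);
  }
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) { scripts.push(arg); continue; }
    const err = setOption(table, m[1], m[2]);
    if (err) errors.push(err);
  }
  if (table.validateOptions.value && errors.length > 0) {
    throw new Error('invalid option: ' + errors[0]);
  }
  const values = {};
  for (const [n, o] of Object.entries(table)) values[n] = o.value;
  return { values, errors, scripts };
}
```

A typo such as `JSC_jitThreshhold=10` is no longer silently ignored: it shows up in `errors`, and once `validateOptions` is on it aborts parsing instead, which is the point of the entry. The inverted alias is the one place a value is transformed before being stored, so it is worth covering explicitly when testing such a table.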
2572
2573 2016-01-04  Keith Miller  <keith_miller@apple.com>
2574
2575         Turn off Internal Function inlining in the DFG for super calls.
2576         https://bugs.webkit.org/show_bug.cgi?id=152695
2577
2578         Reviewed by Geoffrey Garen.
2579
2580         Currently, we inline several InternalFunctions into an allocation with a
2581         fixed structure in the DFG. This optimization is not valid when the
2582         InternalFunction is called via a super call.
2583
2584         * dfg/DFGByteCodeParser.cpp:
2585         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2586         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
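
An added example, not one of the tests/stress files listed in these entries, exercising the subclassing enabled by the entries for Boolean, Number, Map, RegExp and Set (bug 152765) and for Arrays (bug 152706), the super-call case this entry disables inlining for, and the Date.prototype change (bug 152574). The class and method names are made up for this illustration.

```javascript
// Added example, not a WebKit test: subclasses of the built-ins the entries
// above make subclassable, each constructed through super() so the engine has
// to honour new.target when it picks the new object's prototype and still give
// the object its built-in internal state.
class MyBool extends Boolean {}
class MyNum extends Number {}
class MyMap extends Map {
  // Relies on the Map internals being present on the subclass instance.
  getOr(key, fallback) { return this.has(key) ? this.get(key) : fallback; }
}
class MyRegExp extends RegExp {
  constructor(source) { super(source, 'g'); }
}
class MySet extends Set {}
class MyArray extends Array {
  // super(...) here is the super call into an internal function that the
  // DFG must not inline as a fixed-structure allocation.
  constructor(...args) { super(...args); this.tag = 'mine'; }
}

// Returns one boolean per built-in saying whether the instance is both a
// proper subclass instance and still a working built-in.
function checkSubclassing() {
  const b = new MyBool(false);
  const n = new MyNum(42);
  const m = new MyMap([['a', 1]]);
  const r = new MyRegExp('a');
  const s = new MySet([1, 1, 2]);
  const a = new MyArray(3);
  a.push(7);
  return {
    bool: b instanceof MyBool && Object.getPrototypeOf(b) === MyBool.prototype
      && b.valueOf() === false,
    num: n instanceof Number && n.valueOf() === 42 && n.toFixed(1) === '42.0',
    map: m instanceof Map && m.getOr('a', 0) === 1 && m.getOr('b', 0) === 0,
    regexp: r instanceof RegExp && r.global && 'banana'.match(r).length === 3,
    set: s instanceof MySet && s.size === 2 && s.has(2),
    array: Array.isArray(a) && a.length === 4 && a[3] === 7 && a.tag === 'mine'
      && Object.getPrototypeOf(a) === MyArray.prototype,
    // Date.prototype is an ordinary object in ES6, not a Date instance, so a
    // Date method invoked on it throws instead of reporting a time.
    datePrototype: Object.prototype.toString.call(Date.prototype) === '[object Object]'
      && (() => {
        try { Date.prototype.getTime(); return false; }
        catch (e) { return e instanceof TypeError; }
      })(),
  };
}
```

Each check pairs a prototype-chain test with a use of the built-in's internal state: if an engine ignored new.target the `getPrototypeOf` comparisons fail, and if it allocated a plain object for the subclass (the fixed-structure inlining the entry turns off for super calls) the `length`, `size`, `global` or `valueOf` checks fail.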
2587
2588 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2589
2590         FTL B3 should do binary snippets
2591         https://bugs.webkit.org/show_bug.cgi?id=152668
2592
2593         Reviewed by Mark Lam.
2594
2595         This finishes all of the rest of the snippets.
2596
2597         * ftl/FTLLowerDFGToLLVM.cpp:
2598         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2599         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2600         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2601         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2602         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2603         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
2604         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
2605         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2606         * tests/stress/object-bit-or.js: Added.
2607         (foo):
2608         (things.valueOf):
2609         * tests/stress/object-bit-xor.js: Added.
2610         (foo):
2611         (things.valueOf):
2612         * tests/stress/object-lshift.js: Added.
2613         (foo):
2614         (things.valueOf):
2615         * tests/stress/object-rshift.js: Added.
2616         (foo):
2617         (things.valueOf):
2618         * tests/stress/object-urshift.js: Added.
2619         (foo):
2620         (things.valueOf):
2621         * tests/stress/untyped-bit-or.js: Added.
2622         (foo):
2623         (valueOf):
2624         * tests/stress/untyped-bit-xor.js: Added.
2625         (foo):
2626         (valueOf):
2627         * tests/stress/untyped-lshift.js: Added.
2628         (foo):
2629         (valueOf):
2630         * tests/stress/untyped-rshift.js: Added.
2631         (foo):
2632         (valueOf):
2633         * tests/stress/untyped-urshift.js: Added.
2634         (foo):
2635         (valueOf):
2636
2637 2016-01-04  Mark Lam  <mark.lam@apple.com>
2638
2639         isUntypedSpeculationForArithmetic is wrong.
2640         https://bugs.webkit.org/show_bug.cgi?id=152708
2641
2642         Reviewed by Filip Pizlo.
2643
2644         The isUntypedSpeculation...() checks should return true if we ever see
2645         non-numeric types, regardless of whether numeric types are seen or not.
2646         Previously, they only returned true if we only saw non-numeric types, and false if
2647         we ever saw numeric types.
2648
2649         This patch is perf neutral on both x86_64 and x86.
2650
2651         * bytecode/SpeculatedType.h:
2652         (JSC::isUntypedSpeculationForArithmetic):
2653         (JSC::isUntypedSpeculationForBitOps):
2654
2655 2016-01-04  Tim Horton  <timothy_horton@apple.com>
2656
2657         Turn on gesture events when building for Yosemite
2658         https://bugs.webkit.org/show_bug.cgi?id=152704
2659         rdar://problem/24042472
2660
2661         Reviewed by Anders Carlsson.
2662
2663         * Configurations/FeatureDefines.xcconfig:
2664
2665 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2666
2667         FTL B3 should do BitAnd binary snippets
2668         https://bugs.webkit.org/show_bug.cgi?id=152713
2669
2670         Reviewed by Mark Lam.
2671
2672         Getting ready to finish up the binary bitop snippets.
2673
2674         * ftl/FTLLowerDFGToLLVM.cpp:
2675         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2676         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2677         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
2678         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2679         * tests/stress/object-bit-and.js: Added.
2680         (foo):
2681         (things.valueOf):
2682         * tests/stress/untyped-bit-and.js: Added.
2683         (foo):
2684         (valueOf):
2685
2686 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2687
2688         FTL B3 should do all of the non-bitop binary snippets
2689         https://bugs.webkit.org/show_bug.cgi?id=152709
2690
2691         Reviewed by Mark Lam.
2692
2693         * ftl/FTLLowerDFGToLLVM.cpp:
2694         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2695         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
2696         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2697         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2698         * tests/stress/object-add.js: Added.
2699         (foo):
2700         (things.valueOf):
2701         * tests/stress/object-div.js: Added.
2702         (foo):
2703         (things.valueOf):
2704         * tests/stress/object-mul.js: Added.
2705         (foo):
2706         (things.valueOf):
2707         * tests/stress/untyped-add.js: Added.
2708         (foo):
2709         (valueOf):
2710         * tests/stress/untyped-div.js: Added.
2711         (foo):
2712         (valueOf):
2713         * tests/stress/untyped-mul.js: Added.
2714         (foo):
2715         (valueOf):
2716
2717 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2718
2719         FTL B3 should do the ArithSub binary snippet
2720         https://bugs.webkit.org/show_bug.cgi?id=152705
2721
2722         Reviewed by Saam Barati.
2723
2724         This implements the ArithSub binary snippet generator in FTL B3.
2725
2726         While doing this, I discovered that the DFG type inference logic for ArithSub contains a
2727         classic mistake: it causes the snippets to kick in when the type set does not contain numbers
2728         rather than kicking in when the type set contains non-numbers. So, the original test that I
2729         wrote for this doesn't work right (it runs to completion but OSR exits ad infinitum). I wrote
2730         a second test that is simpler, and that one shows that the binary snippets "work". That's
2731         sort of a joke though, since the only way to trigger binary snippets is to never pass numbers
2732         and the only way to actually cause a binary snippet to do meaningful work is to pass numbers.
2733         I filed a bug about this mess: https://bugs.webkit.org/show_bug.cgi?id=152708.
2734
2735         * ftl/FTLLowerDFGToLLVM.cpp:
2736         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
2737         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
2738         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
2739         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2740         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2741         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2742         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
2743         * tests/stress/object-sub.js: Added.
2744         (foo):
2745         (things.valueOf):
2746         * tests/stress/untyped-sub.js: Added.
2747         (foo):
2748         (valueOf):
2749
2750 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2751
2752         Unreviewed, disable FTL B3 for now. I didn't intend to enable it yet.
2753
2754         * dfg/DFGCommon.h:
2755
2756 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2757
2758         B3 patchpoints should allow requesting scratch registers
2759         https://bugs.webkit.org/show_bug.cgi?id=152669
2760
2761         Reviewed by Benjamin Poulain.
2762
2763         Scratch registers are something that we often need in many patchpoint use cases. In LLVM's
2764         patchpoints, we didn't have a good way to request scratch registers. So, our current FTL code
2765         often does crazy scratch register allocation madness even when it would be better to just ask
2766         the backend for some registers. This patch adds a mechanism for requesting scratch registers
2767         in B3, and wires it all the way to all of our register allocation and liveness
2768         infrastructure.
2769
2770         From the standpoint of a patchpoint, a "scratch register" is an instruction argument that
2771         only admits Tmp and is defined early (like an early clobber register) and is used late (like
2772         what we previously called LateUse, except that this time it's also a warm use). We already
2773         had the beginning of support for early defs because of early clobbers, and we already
2774         supported late uses albeit cold ones. I really only needed to add one new role: "Scratch",
2775         which means both early def and late use in much the same way as "UseDef" means both early
2776         use and late def. But, it feels better to complete the set of roles, so I added LateColdUse
2777         to differentiate from LateUse (which is now a warm use) and EarlyDef to differentiate from
2778         Def (which is, and always has been, a late def). Forcing the code to deal with the full
2779         matrix of possibilities resulted in what is probably a progression in how we handle defs in
2780         the register and stack allocators. The new Inst::forEachDef(Inst*, Inst*, callback) fully
2781         recognizes that a "def" is something that can come from either the preceding instruction or
2782         the succeeding one.
2783
2784         This doesn't add any new functionality to FTL B3 yet, but the new scratch register mechanism
2785         is covered by new testb3 tests.
2786
2787         * b3/B3CheckSpecial.cpp:
2788         (JSC::B3::CheckSpecial::isValid):
2789         (JSC::B3::CheckSpecial::admitsStack):
2790         (JSC::B3::CheckSpecial::generate):
2791         * b3/B3LowerToAir.cpp:
2792         (JSC::B3::Air::LowerToAir::lower):
2793         * b3/B3PatchpointSpecial.cpp:
2794         (JSC::B3::PatchpointSpecial::forEachArg):
2795         (JSC::B3::PatchpointSpecial::isValid):
2796         (JSC::B3::PatchpointSpecial::admitsStack):
2797         (JSC::B3::PatchpointSpecial::generate):
2798         * b3/B3PatchpointValue.cpp:
2799         (JSC::B3::PatchpointValue::dumpMeta):
2800         (JSC::B3::PatchpointValue::PatchpointValue):
2801         * b3/B3PatchpointValue.h:
2802         * b3/B3StackmapGenerationParams.cpp:
2803         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
2804         * b3/B3StackmapGenerationParams.h:
2805         (JSC::B3::StackmapGenerationParams::gpScratch):
2806         (JSC::B3::StackmapGenerationParams::fpScratch):
2807         * b3/B3StackmapSpecial.cpp:
2808         (JSC::B3::StackmapSpecial::forEachArgImpl):
2809         (JSC::B3::StackmapSpecial::isValidImpl):
2810         (JSC::B3::StackmapSpecial::admitsStackImpl):
2811         (JSC::B3::StackmapSpecial::repsImpl):
2812         (JSC::B3::StackmapSpecial::isArgValidForValue):
2813         (JSC::B3::StackmapSpecial::appendRepsImpl): Deleted.
2814         * b3/B3StackmapSpecial.h:
2815         * b3/air/AirAllocateStack.cpp:
2816         (JSC::B3::Air::allocateStack):
2817         * b3/air/AirArg.cpp:
2818         (WTF::printInternal):
2819         * b3/air/AirArg.h:
2820         (JSC::B3::Air::Arg::isAnyUse):
2821         (JSC::B3::Air::Arg::isColdUse):
2822         (JSC::B3::Air::Arg::isEarlyUse):
2823         (JSC::B3::Air::Arg::isLateUse):
2824         (JSC::B3::Air::Arg::isAnyDef):
2825         (JSC::B3::Air::Arg::isEarlyDef):
2826         (JSC::B3::Air::Arg::isLateDef):
2827         (JSC::B3::Air::Arg::isZDef):
2828         (JSC::B3::Air::Arg::Arg):
2829         (JSC::B3::Air::Arg::imm):
2830         (JSC::B3::Air::Arg::isDef): Deleted.
2831         * b3/air/AirBasicBlock.h:
2832         (JSC::B3::Air::BasicBlock::at):
2833         (JSC::B3::Air::BasicBlock::get):
2834         (JSC::B3::Air::BasicBlock::last):
2835         * b3/air/AirEliminateDeadCode.cpp:
2836         (JSC::B3::Air::eliminateDeadCode):
2837         * b3/air/AirFixPartialRegisterStalls.cpp:
2838         (JSC::B3::Air::fixPartialRegisterStalls):
2839         * b3/air/AirInst.cpp:
2840         (JSC::B3::Air::Inst::hasArgEffects):
2841         * b3/air/AirInst.h:
2842         * b3/air/AirInstInlines.h:
2843         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
2844         (JSC::B3::Air::Inst::forEachDef):
2845         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
2846         (JSC::B3::Air::Inst::reportUsedRegisters):
2847         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs): Deleted.
2848         * b3/air/AirIteratedRegisterCoalescing.cpp:
2849         * b3/air/AirLiveness.h:
2850         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
2851         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
2852         * b3/air/AirSpillEverything.cpp:
2853         (JSC::B3::Air::spillEverything):
2854         * b3/air/AirTmpWidth.cpp:
2855         (JSC::B3::Air::TmpWidth::recompute):
2856         * b3/air/AirUseCounts.h:
2857         (JSC::B3::Air::UseCounts::UseCounts):
2858         * b3/testb3.cpp:
2859         (JSC::B3::testPatchpointAny):
2860         (JSC::B3::testPatchpointGPScratch):
2861         (JSC::B3::testPatchpointFPScratch):
2862         (JSC::B3::testPatchpointLotsOfLateAnys):
2863         (JSC::B3::run):
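
        The interesting part of the entry above is the role matrix: a scratch is an early def plus a late use, so it must not share a register with anything the instruction reads (early or late) nor with anything live after it, while an ordinary Def (a late def) may still share a register with an early use. The following is an added illustration, not code from WebKit or from this patch: a toy backward-liveness pass in C++ that splits every instruction into an early and a late point, builds an interference graph, and compares a scratch modelled with the Scratch role against the same operand modelled as a plain late Def. The role names follow the entry; `buildInterference`, `interferes`, `patchpointExample` and the block shape are this example's own assumptions.

```cpp
#include <cassert>
#include <initializer_list>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Argument roles. The names follow the ChangeLog entry above; the liveness
// logic is this example's own simplification, not WebKit's Air code.
enum class Role { Use, LateUse, LateColdUse, EarlyDef, Def, UseDef, Scratch };

struct Arg { std::string tmp; Role role; };
struct Inst { std::string name; std::vector<Arg> args; };

static bool isEarlyUse(Role r) { return r == Role::Use || r == Role::UseDef; }
static bool isLateUse(Role r)  { return r == Role::LateUse || r == Role::LateColdUse || r == Role::Scratch; }
static bool isEarlyDef(Role r) { return r == Role::EarlyDef || r == Role::Scratch; }
static bool isLateDef(Role r)  { return r == Role::Def || r == Role::UseDef; }

// Undirected interference graph: tmps that may not share a register.
using Interference = std::map<std::string, std::set<std::string>>;

static void addEdges(Interference& g, const std::set<std::string>& defs, const std::set<std::string>& live)
{
    for (const std::string& d : defs) {
        g[d]; // make sure every def shows up even if it conflicts with nothing
        for (const std::string& l : live) {
            if (l == d)
                continue;
            g[d].insert(l);
            g[l].insert(d);
        }
    }
}

// Backward liveness over one straight-line block. `live` starts as the set of
// tmps live after the last instruction. Each instruction is split into a late
// point (late uses are read, late defs are written) and an early point (early
// uses are read, early defs and scratches are written); a def conflicts with
// everything live at the point where it is written.
Interference buildInterference(const std::vector<Inst>& block, std::set<std::string> live)
{
    Interference g;
    for (auto it = block.rbegin(); it != block.rend(); ++it) {
        std::set<std::string> earlyUses, lateUses, earlyDefs, lateDefs;
        for (const Arg& a : it->args) {
            if (isEarlyUse(a.role)) earlyUses.insert(a.tmp);
            if (isLateUse(a.role))  lateUses.insert(a.tmp);
            if (isEarlyDef(a.role)) earlyDefs.insert(a.tmp);
            if (isLateDef(a.role))  lateDefs.insert(a.tmp);
        }

        // Late point: late defs clobber whatever is live afterwards and
        // whatever this instruction still reads late.
        std::set<std::string> atLate = live;
        atLate.insert(lateUses.begin(), lateUses.end());
        addEdges(g, lateDefs, atLate);
        for (const std::string& d : lateDefs)
            live.erase(d);
        live.insert(lateUses.begin(), lateUses.end());

        // Early point: early defs (and scratches) are written before the
        // early uses are consumed, so they conflict with those as well.
        std::set<std::string> atEarly = live;
        atEarly.insert(earlyUses.begin(), earlyUses.end());
        addEdges(g, earlyDefs, atEarly);
        for (const std::string& d : earlyDefs)
            live.erase(d);
        live.insert(earlyUses.begin(), earlyUses.end());
    }
    return g;
}

bool interferes(const Interference& g, const std::string& a, const std::string& b)
{
    auto it = g.find(a);
    return it != g.end() && it->second.count(b) != 0;
}

// A hypothetical patchpoint that reads `a` early, reads `b` late, produces
// `r`, and asks for one scratch `s`. With Role::Scratch the scratch is
// modelled as the entry describes (early def + late use); with Role::Def it
// is modelled as an ordinary late def, which is all a patchpoint could ask
// for before a scratch role existed.
Interference patchpointExample(Role scratchRole)
{
    std::vector<Inst> block = {
        { "Patch", { { "a", Role::Use }, { "b", Role::LateUse }, { "r", Role::Def }, { "s", scratchRole } } },
    };
    return buildInterference(block, { "r" });
}

int main()
{
    for (Role role : { Role::Scratch, Role::Def }) {
        Interference g = patchpointExample(role);
        std::cout << (role == Role::Scratch ? "Scratch" : "Def") << ": s conflicts with";
        for (const std::string& t : g["s"])
            std::cout << ' ' << t;
        std::cout << '\n';
    }
    return 0;
}
```

        With the Scratch role, `s` conflicts with `a`, `b` and `r`, so the allocator can never hand the patchpoint a scratch that aliases one of its inputs. Modelled as a plain Def, `s` conflicts only with `b` and `r`, and the allocator is free to put `s` and `a` in the same register, which is exactly the aliasing the "defined early, used late" role is there to forbid. Note also that `r` never conflicts with `a` in either case: an early use and a late def may legitimately share a register, which is why the entry keeps Def as a late def rather than merging it with EarlyDef.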
2864
2865 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
2866
2867         Fix the !ENABLE(INTL) build after r193493
2868         https://bugs.webkit.org/show_bug.cgi?id=152689
2869
2870         Reviewed by Alex Christensen.
2871
2872         * runtime/NumberPrototype.cpp:
2873         (JSC::NumberPrototype::finishCreation):
2874
2875 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
2876
2877         JSC generator scripts shouldn't have verbose output
2878         https://bugs.webkit.org/show_bug.cgi?id=152382
2879
2880         Reviewed by Michael Catanzaro.
2881
2882         * b3/air/opcode_generator.rb:
2883         * generate-bytecode-files:
2884         * offlineasm/asm.rb:
2885         * offlineasm/generate_offset_extractor.rb:
2886         * offlineasm/parser.rb:
2887
2888 2016-01-04  Benjamin Poulain  <bpoulain@apple.com>
2889
2890         [JSC] Build B3 by default on iOS ARM64
2891         https://bugs.webkit.org/show_bug.cgi?id=152525
2892
2893         Reviewed by Filip Pizlo.
2894
2895         Minor changes required to get testb3 to compile.
2896
2897         * Configurations/ToolExecutable.xcconfig:
2898         We need an entitlement to allocate executable memory.
2899
2900         * assembler/MacroAssemblerARM64.h:
2901         (JSC::MacroAssemblerARM64::scratchRegister):
2902         (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
2903         (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
2904         Expose one of the scratch registers for ValueRep::emitRestore().
2905         Guard the use of scratch registers when not allowed.
2906
2907         * b3/air/AirOpcode.opcodes:
2908         ARM addressing is a bit different. Skip Addr to make things build.
2909
2910         * b3/testb3.cpp:
2911         (JSC::B3::testPatchpointWithStackArgumentResult):
2912         Add on memory only exists on x86.
2913
2914         * jit/RegisterSet.cpp:
2915         (JSC::RegisterSet::macroScratchRegisters):
2916         Add the two scratch registers, useful for patchpoints.
2917
2918 2016-01-03  Khem Raj  <raj.khem@gmail.com>
2919
2920         WebKit fails to build with musl libc library
2921         https://bugs.webkit.org/show_bug.cgi?id=152625
2922
2923         Reviewed by Daniel Bates.
2924
2925         Qualify isnan() calls with std namespace.
2926
2927         * runtime/Options.cpp:
2928         (Option::operator==): Add std namespace qualifier.
2929
2930 2016-01-03  Andreas Kling  <akling@apple.com>
2931
2932         Remove redundant StringImpl substring creation function.
2933         <https://webkit.org/b/152652>
2934
2935         Reviewed by Daniel Bates.
2936
2937         Remove jsSubstring8() and make the only call site use jsSubstring().
2938
2939         * runtime/JSString.h:
2940         (JSC::jsSubstring8): Deleted.
2941         * runtime/StringPrototype.cpp:
2942         (JSC::replaceUsingRegExpSearch):
2943
2944 2016-01-02  Khem Raj  <raj.khem@gmail.com>
2945
2946         Clang's builtin for clear_cache accepts char* and errors out
2947         when using void*; using char* works on both gcc and clang
2948         since char* is auto-converted to void* in the gcc case.
2949         https://bugs.webkit.org/show_bug.cgi?id=152654
2950
2951         Reviewed by Michael Saboff.
2952
2953         * assembler/ARM64Assembler.h:
2954         (linuxPageFlush): Convert arguments to __builtin___clear_cache()
2955         to char*.
2956
2957 2015-12-31  Andy Estes  <aestes@apple.com>
2958
2959         Replace WTF::move with WTFMove
2960         https://bugs.webkit.org/show_bug.cgi?id=152601
2961
2962         Reviewed by Brady Eidson.
2963
2964         * API/ObjCCallbackFunction.mm:
2965         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
2966         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
2967         (JSC::ObjCCallbackFunction::create):
2968         (objCCallbackFunctionForInvocation):
2969         * assembler/AssemblerBuffer.h:
2970         (JSC::AssemblerBuffer::releaseAssemblerData):
2971         * assembler/LinkBuffer.cpp:
2972         (JSC::LinkBuffer::linkCode):
2973         * b3/B3BlockInsertionSet.cpp:
2974         (JSC::B3::BlockInsertionSet::insert):
2975         (JSC::B3::BlockInsertionSet::splitForward):
2976         * b3/B3LowerToAir.cpp:
2977         (JSC::B3::Air::LowerToAir::run):
2978         (JSC::B3::Air::LowerToAir::lower):
2979         * b3/B3OpaqueByproducts.cpp:
2980         (JSC::B3::OpaqueByproducts::add):
2981         * b3/B3Procedure.cpp:
2982         (JSC::B3::Procedure::addBlock):
2983         (JSC::B3::Procedure::addDataSection):
2984         * b3/B3Procedure.h:
2985         (JSC::B3::Procedure::releaseByproducts):
2986         * b3/B3ProcedureInlines.h:
2987         (JSC::B3::Procedure::add):
2988         * b3/B3Value.h:
2989         * b3/air/AirCode.cpp:
2990         (JSC::B3::Air::Code::addBlock):
2991         (JSC::B3::Air::Code::addStackSlot):
2992         (JSC::B3::Air::Code::addSpecial):
2993         * b3/air/AirInst.h:
2994         (JSC::B3::Air::Inst::Inst):
2995         * b3/air/AirIteratedRegisterCoalescing.cpp:
2996         * b3/air/AirSimplifyCFG.cpp:
2997         (JSC::B3::Air::simplifyCFG):
2998         * bindings/ScriptValue.cpp:
2999         (Deprecated::jsToInspectorValue):
3000         * builtins/BuiltinExecutables.cpp:
3001         (JSC::createExecutableInternal):
3002         * bytecode/BytecodeBasicBlock.cpp:
3003         (JSC::computeBytecodeBasicBlocks):
3004         * bytecode/CodeBlock.cpp:
3005         (JSC::CodeBlock::finishCreation):
3006         (JSC::CodeBlock::setCalleeSaveRegisters):
3007         * bytecode/CodeBlock.h:
3008         (JSC::CodeBlock::setJITCodeMap):
3009         (JSC::CodeBlock::livenessAnalysis):
3010         * bytecode/GetByIdStatus.cpp:
3011         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3012         * bytecode/GetByIdVariant.cpp:
3013         (JSC::GetByIdVariant::GetByIdVariant):
3014         * bytecode/PolymorphicAccess.cpp:
3015         (JSC::PolymorphicAccess::regenerateWithCases):
3016         (JSC::PolymorphicAccess::regenerateWithCase):
3017         (JSC::PolymorphicAccess::regenerate):
3018         * bytecode/PutByIdStatus.cpp:
3019         (JSC::PutByIdStatus::computeForStubInfo):
3020         * bytecode/PutByIdVariant.cpp:
3021         (JSC::PutByIdVariant::setter):
3022         * bytecode/StructureStubClearingWatchpoint.cpp:
3023         (JSC::StructureStubClearingWatchpoint::push):
3024         * bytecode/StructureStubClearingWatchpoint.h:
3025         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
3026         * bytecode/StructureStubInfo.cpp:
3027         (JSC::StructureStubInfo::addAccessCase):
3028         * bytecode/UnlinkedCodeBlock.cpp:
3029         (JSC::UnlinkedCodeBlock::setInstructions):
3030         * bytecode/UnlinkedFunctionExecutable.cpp:
3031         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3032         * bytecode/UnlinkedFunctionExecutable.h:
3033         * bytecompiler/SetForScope.h:
3034         (JSC::SetForScope::SetForScope):
3035         * dfg/DFGGraph.cpp:
3036         (JSC::DFG::Graph::livenessFor):
3037         (JSC::DFG::Graph::killsFor):
3038         * dfg/DFGJITCompiler.cpp:
3039         (JSC::DFG::JITCompiler::link):
3040         (JSC::DFG::JITCompiler::compile):
3041         (JSC::DFG::JITCompiler::compileFunction):
3042         * dfg/DFGJITFinalizer.cpp:
3043         (JSC::DFG::JITFinalizer::JITFinalizer):
3044         * dfg/DFGLivenessAnalysisPhase.cpp:
3045         (JSC::DFG::LivenessAnalysisPhase::process):
3046         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3047         * dfg/DFGSpeculativeJIT.cpp:
3048         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
3049         (JSC::DFG::SpeculativeJIT::compileIn):
3050         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3051         * dfg/DFGSpeculativeJIT32_64.cpp:
3052         (JSC::DFG::SpeculativeJIT::cachedGetById):
3053         (JSC::DFG::SpeculativeJIT::cachedPutById):
3054         * dfg/DFGSpeculativeJIT64.cpp:
3055         (JSC::DFG::SpeculativeJIT::cachedGetById):
3056         (JSC::DFG::SpeculativeJIT::cachedPutById):
3057         * dfg/DFGWorklist.cpp:
3058         (JSC::DFG::Worklist::finishCreation):
3059         * disassembler/Disassembler.cpp:
3060         (JSC::disassembleAsynchronously):
3061         * ftl/FTLB3Compile.cpp:
3062         (JSC::FTL::compile):
3063         * ftl/FTLCompile.cpp:
3064         (JSC::FTL::mmAllocateDataSection):
3065         * ftl/FTLJITCode.cpp:
3066         (JSC::FTL::JITCode::initializeB3Byproducts):
3067         * ftl/FTLJITFinalizer.h:
3068         (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
3069         * ftl/FTLLink.cpp:
3070         (JSC::FTL::link):
3071         * ftl/FTLLowerDFGToLLVM.cpp:
3072         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
3073         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3074         * heap/Heap.cpp:
3075         (JSC::Heap::releaseDelayedReleasedObjects):
3076         (JSC::Heap::markRoots):
3077         (JSC::Heap::setIncrementalSweeper):
3078         * heap/HeapInlines.h:
3079         (JSC::Heap::releaseSoon):
3080         (JSC::Heap::registerWeakGCMap):
3081         * heap/WeakInlines.h:
3082         * inspector/ConsoleMessage.cpp:
3083         (Inspector::ConsoleMessage::addToFrontend):
3084         * inspector/ContentSearchUtilities.cpp:
3085         (Inspector::ContentSearchUtilities::searchInTextByLines):
3086         * inspector/InjectedScript.cpp:
3087         (Inspector::InjectedScript::getFunctionDetails):
3088         (Inspector::InjectedScript::getProperties):
3089         (Inspector::InjectedScript::getDisplayableProperties):
3090         (Inspector::InjectedScript::getInternalProperties):
3091         (Inspector::InjectedScript::getCollectionEntries):
3092         (Inspector::InjectedScript::wrapCallFrames):
3093         * inspector/InspectorAgentRegistry.cpp:
3094         (Inspector::AgentRegistry::append):
3095         (Inspector::AgentRegistry::appendExtraAgent):
3096         * inspector/InspectorBackendDispatcher.cpp:
3097         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
3098         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
3099         (Inspector::BackendDispatcher::BackendDispatcher):
3100         (Inspector::BackendDispatcher::create):
3101         (Inspector::BackendDispatcher::sendPendingErrors):
3102         * inspector/InspectorProtocolTypes.h:
3103         (Inspector::Protocol::Array::addItem):
3104         * inspector/InspectorValues.cpp:
3105         * inspector/InspectorValues.h:
3106         (Inspector::InspectorObjectBase::setValue):
3107         (Inspector::InspectorObjectBase::setObject):
3108         (Inspector::InspectorObjectBase::setArray):
3109         (Inspector::InspectorArrayBase::pushValue):
3110         (Inspector::InspectorArrayBase::pushObject):
3111         (Inspector::InspectorArrayBase::pushArray):
3112         * inspector/JSGlobalObjectConsoleClient.cpp:
3113         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3114         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
3115         * inspector/JSGlobalObjectInspectorController.cpp:
3116         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3117         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
3118         * inspector/JSInjectedScriptHost.cpp:
3119         (Inspector::JSInjectedScriptHost::JSInjectedScriptHost):
3120         * inspector/JSInjectedScriptHost.h:
3121         (Inspector::JSInjectedScriptHost::create):
3122         * inspector/agents/InspectorAgent.cpp:
3123         (Inspector::InspectorAgent::activateExtraDomain):
3124         * inspector/agents/InspectorConsoleAgent.cpp:
3125         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3126         (Inspector::InspectorConsoleAgent::addConsoleMessage):
3127         * inspector/agents/InspectorDebuggerAgent.cpp:
3128         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3129         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3130         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3131         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3132         (Inspector::InspectorDebuggerAgent::breakProgram):
3133         * inspector/agents/InspectorHeapAgent.cpp:
3134         (Inspector::InspectorHeapAgent::didGarbageCollect):
3135         * inspector/agents/InspectorRuntimeAgent.cpp:
3136         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3137         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3138         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3139         (Inspector::InspectorScriptProfilerAgent::addEvent):
3140         (Inspector::buildInspectorObject):
3141         (Inspector::buildProfileInspectorObject):
3142         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
3143         * inspector/augmentable/AlternateDispatchableAgent.h:
3144         * inspector/scripts/codegen/cpp_generator_templates.py:
3145         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3146         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
3147         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3148         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3149         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3150         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3151         (_generate_unchecked_setter_for_member):
3152         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3153         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3154         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3155         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3156         * inspector/scripts/codegen/objc_generator_templates.py:
3157         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3158         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3159         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3160         * inspector/scripts/tests/expected/enum-values.json-result:
3161         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3162         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3163         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3164         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3165         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3166         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3167         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3168         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3169         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3170         * jit/CallFrameShuffler.cpp:
3171         (JSC::CallFrameShuffler::performSafeWrites):
3172         * jit/PolymorphicCallStubRoutine.cpp:
3173         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
3174         * jit/Repatch.cpp:
3175         (JSC::tryCacheGetByID):
3176         (JSC::tryCachePutByID):
3177         (JSC::tryRepatchIn):
3178         (JSC::linkPolymorphicCall):
3179         * parser/Nodes.cpp:
3180         (JSC::ProgramNode::setClosedVariables):
3181         * parser/Parser.cpp:
3182         (JSC::Parser<LexerType>::parseInner):
3183         (JSC::Parser<LexerType>::parseFunctionInfo):
3184         * parser/Parser.h:
3185         (JSC::Parser::closedVariables):
3186         * parser/SourceProviderCache.cpp:
3187         (JSC::SourceProviderCache::add):
3188         * profiler/ProfileNode.h:
3189         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
3190         * replay/EncodedValue.cpp:
3191         (JSC::EncodedValue::get<EncodedValue>):
3192         * replay/scripts/CodeGeneratorReplayInputs.py:
3193         (Generator.generate_member_move_expression):
3194         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
3195         (Test::HandleWheelEvent::HandleWheelEvent):
3196         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
3197         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
3198         (Test::MapInput::MapInput):
3199         (JSC::InputTraits<Test::MapInput>::decode):
3200         * runtime/ConsoleClient.cpp:
3201         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3202         (JSC::ConsoleClient::logWithLevel):
3203         (JSC::ConsoleClient::clear):
3204         (JSC::ConsoleClient::dir):
3205         (JSC::ConsoleClient::dirXML):
3206         (JSC::ConsoleClient::table):
3207         (JSC::ConsoleClient::trace):
3208         (JSC::ConsoleClient::assertCondition):
3209         (JSC::ConsoleClient::group):
3210         (JSC::ConsoleClient::groupCollapsed):
3211         (JSC::ConsoleClient::groupEnd):
3212         * runtime/JSNativeStdFunction.cpp:
3213         (JSC::JSNativeStdFunction::create):
3214         * runtime/JSString.h:
3215         (JSC::jsNontrivialString):
3216         * runtime/JSStringJoiner.cpp:
3217         (JSC::JSStringJoiner::join):
3218         * runtime/JSStringJoiner.h:
3219         (JSC::JSStringJoiner::append):
3220         * runtime/NativeStdFunctionCell.cpp:
3221         (JSC::NativeStdFunctionCell::create):
3222         (JSC::NativeStdFunctionCell::NativeStdFunctionCell):
3223         * runtime/ScopedArgumentsTable.cpp:
3224         (JSC::ScopedArgumentsTable::setLength):
3225         * runtime/StructureIDTable.cpp:
3226         (JSC::StructureIDTable::resize):
3227         * runtime/TypeSet.cpp:
3228         (JSC::StructureShape::inspectorRepresentation):
3229         * runtime/WeakGCMap.h:
3230         (JSC::WeakGCMap::set):
3231         * tools/CodeProfile.h:
3232         (JSC::CodeProfile::addChild):
3233         * yarr/YarrInterpreter.cpp:
3234         (JSC::Yarr::ByteCompiler::compile):
3235         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
3236         * yarr/YarrInterpreter.h:
3237         (JSC::Yarr::BytecodePattern::BytecodePattern):
3238         * yarr/YarrPattern.cpp:
3239         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
3240         (JSC::Yarr::YarrPatternConstructor::reset):
3241         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
3242         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
3243         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
3244         (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
3245         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
3246
3247 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
3248
3249         Unreviewed, fix copyright dates. It's super annoying when we forget to update these, and I
3250         just forgot to do so in the last commit. Also update the date of the last commit in the
3251         ChangeLog.
3252
3253         * b3/air/AirIteratedRegisterCoalescing.cpp:
3254         * b3/air/AirOpcode.opcodes:
3255         * b3/air/AirTmpWidth.cpp:
3256         * b3/air/AirTmpWidth.h:
3257         * ftl/FTLB3Output.cpp:
3258         * ftl/FTLB3Output.h:
3259
3260 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
3261
3262         FTL B3 should be able to run all of the old V8v7 tests
3263         https://bugs.webkit.org/show_bug.cgi?id=152579
3264
3265         Reviewed by Saam Barati.
3266
3267         Fixes some silly bugs that were preventing us from running all of the old V8v7 tests.
3268
3269         IRC's analysis of when to turn a Move into a Move32 when spilling is based on the premise
3270         that if the dst has a 32-bit def width, then the src must also have a 32-bit def width. But
3271         that doesn't happen if the src is an immediate.
3272
3273         This changes that condition in IRC to use the combined use/def width of both src and dst
3274         rather than being clever. This is great because it's the combined width that determines the
3275         size of the spill slot.
3276
3277         Also added some more debug support to TmpWidth.
3278
3279         This also fixes Air's description of DivDouble; previously it claimed to be a 32-bit
3280         operation. Also implements Output::unsignedToDouble(), since we already had everything we
3281         needed to implement this optimally.
3282
3283         * b3/air/AirIteratedRegisterCoalescing.cpp:
3284         * b3/air/AirOpcode.opcodes:
3285         * b3/air/AirTmpWidth.cpp:
3286         (JSC::B3::Air::TmpWidth::recompute):
3287         (JSC::B3::Air::TmpWidth::Widths::dump):
3288         * b3/air/AirTmpWidth.h:
3289         (JSC::B3::Air::TmpWidth::Widths::Widths):
3290         * ftl/FTLB3Output.cpp:
3291         (JSC::FTL::Output::doubleToUInt):
3292         (JSC::FTL::Output::unsignedToDouble):
3293         * ftl/FTLB3Output.h:
3294         (JSC::FTL::Output::zeroExt):
3295         (JSC::FTL::Output::zeroExtPtr):
3296         (JSC::FTL::Output::intToDouble):
3297         (JSC::FTL::Output::castToInt32):
3298         (JSC::FTL::Output::unsignedToDouble): Deleted.
3299
3300 2016-01-01  Jeff Miller  <jeffm@apple.com>
3301
3302         Update user-visible copyright strings to include 2016
3303         https://bugs.webkit.org/show_bug.cgi?id=152531
3304
3305         Reviewed by Alexey Proskuryakov.
3306
3307         * Info.plist:
3308
3309 2015-12-31  Andy Estes  <aestes@apple.com>
3310
3311         Fix warnings uncovered by migrating to WTF_MOVE
3312         https://bugs.webkit.org/show_bug.cgi?id=152601
3313
3314         Reviewed by Daniel Bates.
3315
3316         * create_regex_tables: Moving a return value prevented copy elision.
3317         * ftl/FTLUnwindInfo.cpp:
3318         (JSC::FTL::parseUnwindInfo): Ditto.
3319         * replay/EncodedValue.h: Ditto.
3320
3321 2015-12-30  Aleksandr Skachkov  <gskachkov@gmail.com>
3322
3323         [ES6] Arrow function syntax. Arrow function specific features. Lexical bind "super"
3324         https://bugs.webkit.org/show_bug.cgi?id=149615
3325
3326         Reviewed by Saam Barati.
3327
3328         Implemented lexical binding of the "super" property for arrow functions. The 'super' property can be accessed
3329         inside an arrow function if the arrow function is nested in a constructor, method,
3330         getter or setter of a class. In the current patch, using 'super' in an arrow function declared outside of a
3331         class leads to the wrong type of error; it should be a SyntaxError (https://bugs.webkit.org/show_bug.cgi?id=150893)
3332         and this will be fixed in a separate patch.
3333
3334         * builtins/BuiltinExecutables.cpp:
3335         (JSC::createExecutableInternal):
3336         * bytecode/EvalCodeCache.h:
3337         (JSC::EvalCodeCache::getSlow):
3338         * bytecode/ExecutableInfo.h:
3339         (JSC::ExecutableInfo::ExecutableInfo):
3340         (JSC::ExecutableInfo::derivedContextType):
3341         (JSC::ExecutableInfo::isClassContext):
3342         * bytecode/UnlinkedCodeBlock.cpp:
3343         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3344         * bytecode/UnlinkedCodeBlock.h:
3345         (JSC::UnlinkedCodeBlock::derivedContextType):
3346         (JSC::UnlinkedCodeBlock::isClassContext):
3347         * bytecode/UnlinkedFunctionExecutable.cpp:
3348         (JSC::generateUnlinkedFunctionCodeBlock):
3349         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3350         * bytecode/UnlinkedFunctionExecutable.h:
3351         * bytecompiler/BytecodeGenerator.cpp:
3352         (JSC::BytecodeGenerator::BytecodeGenerator):
3353         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
3354         * bytecompiler/BytecodeGenerator.h:
3355         (JSC::BytecodeGenerator::derivedContextType):
3356         (JSC::BytecodeGenerator::isDerivedConstructorContext):
3357         (JSC::BytecodeGenerator::isDerivedClassContext):
3358         (JSC::BytecodeGenerator::isArrowFunction):
3359         (JSC::BytecodeGenerator::makeFunction):
3360         * bytecompiler/NodesCodegen.cpp:
3361         (JSC::emitHomeObjectForCallee):
3362         (JSC::FunctionCallValueNode::emitBytecode):
3363         * debugger/DebuggerCallFrame.cpp:
3364         (JSC::DebuggerCallFrame::evaluate):
3365         * interpreter/Interpreter.cpp:
3366         (JSC::eval):
3367         * runtime/CodeCache.cpp:
3368         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3369         * runtime/Executable.cpp:
3370         (JSC::ScriptExecutable::ScriptExecutable):
3371         (JSC::EvalExecutable::create):
3372         (JSC::EvalExecutable::EvalExecutable):
3373         (JSC::ProgramExecutable::ProgramExecutable):
3374         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
3375         (JSC::FunctionExecutable::FunctionExecutable):
3376         * runtime/Executable.h:
3377         (JSC::ScriptExecutable::derivedContextType):
3378         * runtime/JSGlobalObjectFunctions.cpp:
3379         (JSC::globalFuncEval):
3380         * tests/es6.yaml:
3381         * tests/stress/arrowfunction-lexical-bind-superproperty.js: Added.
3382
3383 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3384
3385         Unreviewed, relax limitation in operationCreateThis
3386         https://bugs.webkit.org/show_bug.cgi?id=152383
3387
3388         Unreviewed. operationCreateThis can now be called with a non-constructible function.
3389
3390         * dfg/DFGOperations.cpp:
3391
3392 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3393
3394         [ES6][ES7] Drop Constructability of generator function