Crash making a tail call from a getter to a host function
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-10-29  Michael Saboff  <msaboff@apple.com>

        Crash making a tail call from a getter to a host function
        https://bugs.webkit.org/show_bug.cgi?id=150663

        Reviewed by Geoffrey Garen.

        Change the inline assembly versions of getHostCallReturnValue() to pass the location of the callee
        call frame to getHostCallReturnValueWithExecState().  We were passing the caller's frame address.

        * jit/JITOperations.cpp:

2015-10-29  Filip Pizlo  <fpizlo@apple.com>

        B3::LowerToAir::imm() should work for both 32-bit and 64-bit immediates
        https://bugs.webkit.org/show_bug.cgi?id=150685

        Reviewed by Geoffrey Garen.

        In B3, a constant must match the type of its use. In Air, immediates don't have type, they
        only have representation. A 32-bit immediate (i.e. Arg::imm) can be used either for 32-bit
        operations or for 64-bit operations. The only difference from an Arg::imm64 is that it
        requires fewer bits.

        In the B3->Air lowering, we have a lot of code that is effectively polymorphic over integer
        type. That code should still be able to use Arg::imm, and it should work even for 64-bit
        immediates - so long as they are representable as 32-bit immediates. Therefore, the imm()
        helper should happily accept either Const32Value or Const64Value.

        We already sort of had this with immAnyType(), but it just turns out that anyone using
        immAnyType() should really be using imm().

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::imm):
        (JSC::B3::Air::LowerToAir::tryStore):
        (JSC::B3::Air::LowerToAir::tryConst64):
        (JSC::B3::Air::LowerToAir::immAnyInt): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testAdd1):
        (JSC::B3::testAdd1Ptr):
        (JSC::B3::testStoreAddLoad):
        (JSC::B3::run):

2015-10-29  Filip Pizlo  <fpizlo@apple.com>

        StoreOpLoad pattern matching should check effects between the Store and Load
        https://bugs.webkit.org/show_bug.cgi?id=150534

        Reviewed by Geoffrey Garen.

        If we turn:

            a = Load(addr)
            b = Add(a, 42)
            Store(b, addr)

        Into:

            Add $42, (addr)

        Then we must make sure that we didn't really have this to begin with:

            a = Load(addr)
            Store(666, addr)
            b = Add(a, 42)
            Store(b, addr)

        That's because pattern matching doesn't care about control flow, and it finds the Load
        just using data flow. This patch fleshes out B3's aliasing analysis, and makes it powerful
        enough to broadly ask questions about whether such a code motion of the Load is legal.

        * b3/B3Effects.cpp:
        (JSC::B3::Effects::interferes):
        (JSC::B3::Effects::dump):
        * b3/B3Effects.h:
        (JSC::B3::Effects::mustExecute):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::commitInternal):
        (JSC::B3::Air::LowerToAir::crossesInterference):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::loadAddr):
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addBlock):
        (JSC::B3::Procedure::resetValueOwners):
        (JSC::B3::Procedure::resetReachability):
        * b3/B3Procedure.h:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        * b3/B3Value.h:
        * b3/testb3.cpp:
        (JSC::B3::testStoreAddLoad):
        (JSC::B3::testStoreAddLoadInterference):
        (JSC::B3::testStoreAddAndLoad):
        (JSC::B3::testLoadOffsetUsingAdd):
        (JSC::B3::testLoadOffsetUsingAddInterference):
        (JSC::B3::testLoadOffsetUsingAddNotConstant):
        (JSC::B3::run):
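The interference question the entry above raises, worked as an added example rather than WebKit's own code: a miniature block of values with read/write heap ranges, and a check that refuses to fuse Store(Add(Load(addr), x), addr) when anything between the Load and the Store may write the loaded bytes. The names (Value, Effects, HeapRange, canFuseStoreOpLoad) and the sample programs are constructed for this illustration and do not mirror B3's declarations or testb3.cpp.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Added example, not WebKit code. Names and sample inputs are assumptions.
enum class Opcode { Const, Load, Store, Add };

// Half-open byte range of the abstract heap; overlap is the aliasing question.
struct HeapRange {
    unsigned begin;
    unsigned end;
    bool overlaps(const HeapRange& other) const { return begin < other.end && other.begin < end; }
};

// Memory effects of one value: what it may read and what it may write.
struct Effects {
    HeapRange reads{0, 0};
    HeapRange writes{0, 0};
    // Moving `other` across `this` is unsafe if either side writes what the other touches.
    bool interferes(const Effects& other) const {
        return writes.overlaps(other.reads) || writes.overlaps(other.writes) || reads.overlaps(other.writes);
    }
};

struct Value {
    Opcode opcode = Opcode::Const;
    std::vector<Value*> children;  // data-flow operands; for Load/Store the last one is the address
    HeapRange range{0, 0};         // bytes touched, Load and Store only
    int64_t constant = 0;          // payload for Const
};

Effects effectsOf(const Value& v) {
    Effects e;
    if (v.opcode == Opcode::Load) e.reads = v.range;
    else if (v.opcode == Opcode::Store) e.writes = v.range;
    return e;
}

// The matcher found the Load purely by data flow, so before fusing the pattern into one
// read-modify-write we ask: does any value executed between the Load and the Store
// interfere with the Load? Conservative (false) if the Load is not earlier in this block.
bool canFuseStoreOpLoad(const std::vector<Value*>& block, size_t storeIndex) {
    const Value* store = block.at(storeIndex);
    if (store->opcode != Opcode::Store || store->children.size() != 2) return false;
    const Value* op = store->children[0];
    const Value* addr = store->children[1];
    if (op->opcode != Opcode::Add) return false;
    const Value* load = nullptr;
    for (const Value* child : op->children)
        if (child->opcode == Opcode::Load && child->children.size() == 1 && child->children[0] == addr) load = child;
    if (!load) return false;
    size_t loadIndex = block.size();
    for (size_t i = 0; i < storeIndex; ++i)
        if (block[i] == load) loadIndex = i;
    if (loadIndex == block.size()) return false;
    const Effects loadEffects = effectsOf(*load);
    for (size_t i = loadIndex + 1; i < storeIndex; ++i)
        if (effectsOf(*block[i]).interferes(loadEffects)) return false;  // someone may write the loaded bytes
    return true;
}

// Builder for constructed sample programs.
struct Sample {
    std::vector<std::unique_ptr<Value>> owner;
    std::vector<Value*> block;
    Value* append(Opcode opcode, std::vector<Value*> children, HeapRange range = {0, 0}, int64_t constant = 0) {
        owner.push_back(std::make_unique<Value>());
        Value* v = owner.back().get();
        v->opcode = opcode; v->children = std::move(children); v->range = range; v->constant = constant;
        block.push_back(v);
        return v;
    }
};

// a = Load(addr); b = Add(a, 42); Store(b, addr): nothing intervenes, fusion is legal.
bool fusableWhenNothingIntervenes() {
    Sample s;
    Value* addr = s.append(Opcode::Const, {}, {0, 0}, 0x1000);
    Value* a = s.append(Opcode::Load, {addr}, {0, 8});
    Value* k = s.append(Opcode::Const, {}, {0, 0}, 42);
    Value* b = s.append(Opcode::Add, {a, k});
    s.append(Opcode::Store, {b, addr}, {0, 8});
    return canFuseStoreOpLoad(s.block, 4);
}

// The entry's counterexample: Store(666, addr) sits between the Load and the Store.
bool notFusableWhenStoreIntervenes() {
    Sample s;
    Value* addr = s.append(Opcode::Const, {}, {0, 0}, 0x1000);
    Value* a = s.append(Opcode::Load, {addr}, {0, 8});
    Value* c = s.append(Opcode::Const, {}, {0, 0}, 666);
    s.append(Opcode::Store, {c, addr}, {0, 8});
    Value* k = s.append(Opcode::Const, {}, {0, 0}, 42);
    Value* b = s.append(Opcode::Add, {a, k});
    s.append(Opcode::Store, {b, addr}, {0, 8});
    return canFuseStoreOpLoad(s.block, 6);
}

// An intervening store to a disjoint range is not interference, so fusion stays legal.
bool fusableWhenInterveningStoreIsDisjoint() {
    Sample s;
    Value* addr = s.append(Opcode::Const, {}, {0, 0}, 0x1000);
    Value* other = s.append(Opcode::Const, {}, {0, 0}, 0x2000);
    Value* a = s.append(Opcode::Load, {addr}, {0, 8});
    Value* c = s.append(Opcode::Const, {}, {0, 0}, 666);
    s.append(Opcode::Store, {c, other}, {8, 16});
    Value* k = s.append(Opcode::Const, {}, {0, 0}, 42);
    Value* b = s.append(Opcode::Add, {a, k});
    s.append(Opcode::Store, {b, addr}, {0, 8});
    return canFuseStoreOpLoad(s.block, 7);
}
```

The check is deliberately conservative: a Load the matcher reached through data flow but which does not sit earlier in the same block is refused outright, because the question "is this code motion legal" cannot be answered from data flow alone, which is exactly why the entry says pattern matching must not trust it.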

2015-10-29  Brady Eidson  <beidson@apple.com>

        Modern IDB: deleteObjectStore support.
        https://bugs.webkit.org/show_bug.cgi?id=150673

        Reviewed by Alex Christensen.

        * runtime/VM.h:

2015-10-29  Mark Lam  <mark.lam@apple.com>

        cdjs-tests.yaml/main.js.ftl fails due to FTL ArithSub code for supporting UntypedUse operands.
        https://bugs.webkit.org/show_bug.cgi?id=150687

        Unreviewed.

        Disabling the feature while it is being debugged.  I'm doing this by effectively
        rolling out only the changes in FTLCapabilities.cpp.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):

2015-10-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix iOS build.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store64):

2015-10-29  Alex Christensen  <achristensen@webkit.org>

        Fix Mac CMake build
        https://bugs.webkit.org/show_bug.cgi?id=150686

        Reviewed by Filip Pizlo.

        * API/ObjCCallbackFunction.mm:
        * CMakeLists.txt:
        * PlatformMac.cmake:

2015-10-29  Filip Pizlo  <fpizlo@apple.com>

        Air needs syntax for escaping StackSlots
        https://bugs.webkit.org/show_bug.cgi?id=150430

        Reviewed by Geoffrey Garen.

        This adds lowering for FramePointer and StackSlot, and to enable this, it adds the Lea
        instruction for getting the value of an address. This is necessary to support arbitrary
        lowerings of StackSlot, since the only way to get the "value" of a StackSlot in Air is with
        this new instruction.

        Lea uses a new Role, called UseAddr. This describes exactly what the Intel-style LEA opcode
        would do: it evaluates an address, but does not load from it or store to it.

        Lea is also the only way to escape a StackSlot. Well, more accurately, UseAddr is the only
        way to escape and UseAddr is only used by Lea. The stack allocation phase now understands
        that StackSlots may escape, and factors this into its analysis.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::lea):
        * b3/B3AddressMatcher.patterns:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::addr):
        (JSC::B3::Air::LowerToAir::loadAddr):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryFramePointer):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryStackSlot):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect):
        (JSC::B3::Air::LowerToAir::tryConst64):
        (JSC::B3::Air::LowerToAir::tryFramePointer):
        (JSC::B3::Air::LowerToAir::tryStackSlot):
        (JSC::B3::Air::LowerToAir::tryIdentity):
        * b3/B3LoweringMatcher.patterns:
        * b3/B3MemoryValue.cpp:
        (JSC::B3::MemoryValue::~MemoryValue):
        (JSC::B3::MemoryValue::accessByteSize):
        (JSC::B3::MemoryValue::dumpMeta):
        * b3/B3MemoryValue.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3StackSlotValue.h:
        (JSC::B3::StackSlotValue::accepts): Deleted.
        * b3/B3Type.h:
        (JSC::B3::pointerType):
        (JSC::B3::sizeofType):
        * b3/B3Validate.cpp:
        * b3/B3Value.h:
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isUse):
        (JSC::B3::Air::Arg::isDef):
        (JSC::B3::Air::Arg::forEachTmp):
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::addStackSlot):
        (JSC::B3::Air::Code::addSpecial):
        * b3/air/AirCode.h:
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirStackSlot.h:
        (JSC::B3::Air::StackSlot::byteSize):
        (JSC::B3::Air::StackSlot::kind):
        (JSC::B3::Air::StackSlot::isLocked):
        (JSC::B3::Air::StackSlot::index):
        (JSC::B3::Air::StackSlot::alignment):
        * b3/air/opcode_generator.rb:
        * b3/testb3.cpp:
        (JSC::B3::testLoadOffsetUsingAddNotConstant):
        (JSC::B3::testFramePointer):
        (JSC::B3::testStackSlot):
        (JSC::B3::testLoadFromFramePointer):
        (JSC::B3::testStoreLoadStackSlot):
        (JSC::B3::run):

2015-10-29  Saam barati  <sbarati@apple.com>

        we're incorrectly adjusting a stack location with respect to the localsOffset in FTLCompile
        https://bugs.webkit.org/show_bug.cgi?id=150655

        Reviewed by Filip Pizlo.

        We're recomputing this value for an *OSRExitDescriptor* for every one
        of its corresponding *OSRExits*. This is having a multiplicative
        effect on offsets because each computation is relative to the previous
        value. We must do this computation just once per OSRExitDescriptor.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):

2015-10-28  Filip Pizlo  <fpizlo@apple.com>

        Air::spillEverything() should try to replace tmps with spill slots without using registers whenever possible
        https://bugs.webkit.org/show_bug.cgi?id=150657

        Reviewed by Geoffrey Garen.

        Also added the ability to store an immediate to memory.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::storePtr):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store64):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store64):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::imm):
        (JSC::B3::Air::LowerToAir::immAnyInt):
        (JSC::B3::Air::LowerToAir::immOrTmp):
        (JSC::B3::Air::LowerToAir::tryStore):
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/testb3.cpp:
        (JSC::B3::testStore):
        (JSC::B3::testStoreConstant):
        (JSC::B3::testStoreConstantPtr):
        (JSC::B3::testTrunc):
        (JSC::B3::run):

2015-10-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Rename InspectorResourceAgent to InspectorNetworkAgent
        https://bugs.webkit.org/show_bug.cgi?id=150654

        Reviewed by Geoffrey Garen.

        * inspector/scripts/codegen/generator.py:

2015-10-28  Filip Pizlo  <fpizlo@apple.com>

        B3::reduceStrength() should do DCE
        https://bugs.webkit.org/show_bug.cgi?id=150656

        Reviewed by Saam Barati.

        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::removeNops): This now deletes the values from the procedure, to preserve the invariant that valuesInProc == valuesInBlocks.
        * b3/B3BasicBlock.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::deleteValue): Add a utility used by removeNops().
        (JSC::B3::Procedure::addValueIndex): Make sure that we reuse Value indices so that m_values doesn't get too sparse.
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::ValuesCollection::iterator::iterator): Teach this that m_values can be slightly sparse.
        (JSC::B3::Procedure::ValuesCollection::iterator::operator++):
        (JSC::B3::Procedure::ValuesCollection::iterator::operator!=):
        (JSC::B3::Procedure::ValuesCollection::iterator::findNext):
        (JSC::B3::Procedure::values):
        * b3/B3ProcedureInlines.h:
        (JSC::B3::Procedure::add): Use addValueIndex() instead of always creating a new index.
        * b3/B3ReduceStrength.cpp: Implement the optimization using UseCounts and Effects.
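The DCE the entry above describes (drive removal from use counts and an effects query, nop the dead values, then remove the nops), as an added example that is not WebKit's code. A value is dead when nothing uses it and its effects need not execute; a Store or Return must stay, while an unused Load only reads and can go. The names (Value, mustExecute, eliminateDeadCode) and the sample block are assumptions made for this illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <unordered_map>
#include <vector>

// Added example, not WebKit code. Names and sample inputs are assumptions.
enum class Opcode { Const, Add, Mul, Load, Store, Return, Nop };

struct Value {
    Opcode opcode = Opcode::Nop;
    std::vector<Value*> children;
    // Values whose effects must execute are never dropped even when unused: a Store
    // writes memory and a Return transfers control. A Load only reads, so if nobody
    // consumes the loaded value it is dead.
    bool mustExecute() const { return opcode == Opcode::Store || opcode == Opcode::Return; }
};

// Turns dead values into Nops until nothing changes, then removes the Nops, mirroring the
// "nop it, then removeNops() deletes it" split the entry describes. Returns how many
// values were deleted. Recounting uses each round lets a chain of dead values collapse:
// once z dies, y (used only by z) becomes dead on the next pass.
size_t eliminateDeadCode(std::vector<Value*>& block) {
    size_t removed = 0;
    for (bool changed = true; changed;) {
        changed = false;
        std::unordered_map<const Value*, unsigned> useCounts;
        for (const Value* v : block)
            for (const Value* child : v->children)
                ++useCounts[child];
        for (Value* v : block) {
            if (v->opcode == Opcode::Nop || v->mustExecute() || useCounts[v] != 0)
                continue;
            v->children.clear();  // its operands lose a use; recounted next round
            v->opcode = Opcode::Nop;
            ++removed;
            changed = true;
        }
    }
    block.erase(std::remove_if(block.begin(), block.end(),
                    [](const Value* v) { return v->opcode == Opcode::Nop; }),
        block.end());
    return removed;
}

// Constructed sample: x feeds a Store and a Return, while y, z and the Load are dead.
struct Sample {
    std::vector<std::unique_ptr<Value>> owner;
    std::vector<Value*> block;
    Value* append(Opcode opcode, std::vector<Value*> children = {}) {
        owner.push_back(std::make_unique<Value>());
        owner.back()->opcode = opcode;
        owner.back()->children = std::move(children);
        block.push_back(owner.back().get());
        return owner.back().get();
    }
    Sample() {
        Value* a = append(Opcode::Const);
        Value* b = append(Opcode::Const);
        Value* ptr = append(Opcode::Const);
        Value* x = append(Opcode::Add, {a, b});
        Value* y = append(Opcode::Mul, {x, b});  // dead, but only once z is gone
        append(Opcode::Add, {y, a});             // z: dead
        append(Opcode::Load, {ptr});             // unused read: dead
        append(Opcode::Store, {x, ptr});         // must execute
        append(Opcode::Return, {x});             // must execute
    }
};

// Three values (z, y and the Load) are deleted; a, b, ptr, x, the Store and the Return remain.
size_t dceRemovedCount() { Sample s; return eliminateDeadCode(s.block); }
size_t dceRemainingCount() { Sample s; eliminateDeadCode(s.block); return s.block.size(); }
```

The fixpoint loop is the simplest correct form; a worklist seeded with the values whose counts drop to zero avoids the repeated full recount on large procedures, but the termination argument is the same either way.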

2015-10-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused / duplicate WebSocket timeline records
        https://bugs.webkit.org/show_bug.cgi?id=150647

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Timeline.json:

2015-10-28  Filip Pizlo  <fpizlo@apple.com>

        B3::LowerToAir should not duplicate Loads
        https://bugs.webkit.org/show_bug.cgi?id=150651

        Reviewed by Benjamin Poulain.

        The instruction selector may decide to fuse two Values into one. This ordinarily only happens
        if we haven't already emitted code that uses the Value and the Value has only one direct
        user. Once we have emitted such code, we ensure that everyone knows that we have "locked" the
        Value: we won't emit any more code for it in the future.

        The optimization to fuse Loads was forgetting to do all of these things, and so generated
        code would have a lot of duplicated Loads. That's bad and this change fixes that.

        Ordinarily, this is far less tricky because the pattern matcher does this for us via
        acceptInternals() and acceptInternalsLate(). I added a comment to this effect. I hope that we
        won't need to do this manually very often.

        Also found an uninitialized value bug in UseCounts. That was making all of this super hard to
        debug.

        * b3/B3IndexMap.h:
        (JSC::B3::IndexMap::IndexMap):
        (JSC::B3::IndexMap::resize):
        (JSC::B3::IndexMap::operator[]):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::tmp):
        (JSC::B3::Air::LowerToAir::canBeInternal):
        (JSC::B3::Air::LowerToAir::commitInternal):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::loadAddr):
        (JSC::B3::Air::LowerToAir::appendBinOp):
        (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
        (JSC::B3::Air::LowerToAir::acceptInternals):
        * b3/B3UseCounts.cpp:
        (JSC::B3::UseCounts::UseCounts):

2015-10-28  Mark Lam  <mark.lam@apple.com>

        JITSubGenerator::generateFastPath() does not need to be inlined.
        https://bugs.webkit.org/show_bug.cgi?id=150645

        Reviewed by Geoffrey Garen.

        Moving it to a .cpp file to reduce code size.  Benchmarks show this to be
        perf neutral.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCompile.cpp:
        * jit/JITSubGenerator.cpp: Added.
        (JSC::JITSubGenerator::generateFastPath):
        * jit/JITSubGenerator.h:
        (JSC::JITSubGenerator::JITSubGenerator):
        (JSC::JITSubGenerator::endJumpList):
        (JSC::JITSubGenerator::slowPathJumpList):
        (JSC::JITSubGenerator::generateFastPath): Deleted.

2015-10-28  Filip Pizlo  <fpizlo@apple.com>

        [B3] handleCommutativity should canonicalize commutative operations over non-constants
        https://bugs.webkit.org/show_bug.cgi?id=150649

        Reviewed by Saam Barati.

        Turn this: Add(value1, value2)
        Into this: Add(value2, value1)

        But only if value2 should come before value1 according to our total ordering. This will allow
        CSE to observe the equality between commuted versions of the same operation, since we will
        first canonicalize them into the same order.

        * b3/B3ReduceStrength.cpp:
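The canonicalization the entry above describes and the CSE payoff it enables, as an added example that is not WebKit's code: commutative operands are swapped whenever the right one should come first under a total ordering, after which a hash-style lookup keyed on (opcode, left, right, constant) recognizes Add(a, b) and Add(b, a) as the same value. The ordering used here (non-constants before constants, otherwise creation order) and every name are assumptions for this illustration, not B3's definitions.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <tuple>
#include <utility>
#include <vector>

// Added example, not WebKit code. Names, ordering and sample inputs are assumptions.
enum class Opcode { Argument, Const, Add, Mul, Sub };

struct Value {
    unsigned index = 0;  // creation order, the basis of the total ordering
    Opcode opcode = Opcode::Const;
    Value* left = nullptr;
    Value* right = nullptr;
    int64_t constant = 0;  // Const payload, or the argument number for Argument
};

bool isCommutative(Opcode opcode) { return opcode == Opcode::Add || opcode == Opcode::Mul; }

// Total ordering (assumed): a non-constant comes before a constant; otherwise the value
// created earlier comes first. Every pair of distinct values is ordered one way only.
bool shouldComeBefore(const Value* a, const Value* b) {
    bool aConst = a->opcode == Opcode::Const;
    bool bConst = b->opcode == Opcode::Const;
    if (aConst != bConst) return !aConst;
    return a->index < b->index;
}

// Add(value1, value2) becomes Add(value2, value1) when value2 should come before value1.
// Returns true if the operands were swapped.
bool handleCommutativity(Value& v) {
    if (!isCommutative(v.opcode) || !shouldComeBefore(v.right, v.left)) return false;
    std::swap(v.left, v.right);
    return true;
}

// Forward pass: rewrite operands through earlier replacements, then replace any value whose
// key matches an earlier one. Returns the number of values replaced. Arguments are never
// merged with each other; their key would otherwise collide.
size_t commonSubexpressionElimination(std::vector<Value*>& block) {
    std::map<std::tuple<Opcode, const Value*, const Value*, int64_t>, Value*> seen;
    std::map<const Value*, Value*> replacement;
    size_t replaced = 0;
    for (Value* v : block) {
        auto canonical = [&](Value* operand) {
            auto it = replacement.find(operand);
            return it == replacement.end() ? operand : it->second;
        };
        v->left = canonical(v->left);
        v->right = canonical(v->right);
        if (v->opcode == Opcode::Argument) continue;
        auto key = std::make_tuple(v->opcode, static_cast<const Value*>(v->left),
            static_cast<const Value*>(v->right), v->constant);
        auto found = seen.find(key);
        if (found == seen.end()) { seen[key] = v; continue; }
        replacement[v] = found->second;
        ++replaced;
    }
    return replaced;
}

// Builder for constructed sample programs.
struct Sample {
    std::vector<std::unique_ptr<Value>> owner;
    std::vector<Value*> block;
    Value* append(Opcode opcode, Value* left = nullptr, Value* right = nullptr, int64_t constant = 0) {
        owner.push_back(std::make_unique<Value>());
        Value* v = owner.back().get();
        v->index = static_cast<unsigned>(block.size());
        v->opcode = opcode; v->left = left; v->right = right; v->constant = constant;
        block.push_back(v);
        return v;
    }
};

// c = Add(a, b); d = Add(b, a); e = Sub(d, c). With canonicalization d is rewritten to
// Add(a, b) and CSE replaces it with c (one replacement); without it CSE finds nothing.
size_t cseReplacements(bool canonicalizeFirst) {
    Sample s;
    Value* a = s.append(Opcode::Argument, nullptr, nullptr, 0);
    Value* b = s.append(Opcode::Argument, nullptr, nullptr, 1);
    Value* c = s.append(Opcode::Add, a, b);
    Value* d = s.append(Opcode::Add, b, a);
    s.append(Opcode::Sub, d, c);
    if (canonicalizeFirst)
        for (Value* v : s.block) handleCommutativity(*v);
    return commonSubexpressionElimination(s.block);
}

// Add(Const 5, x) is canonicalized to Add(x, Const 5): constants sort to the right.
bool constantMovesRight() {
    Sample s;
    Value* x = s.append(Opcode::Argument, nullptr, nullptr, 0);
    Value* k = s.append(Opcode::Const, nullptr, nullptr, 5);
    Value* v = s.append(Opcode::Add, k, x);
    return handleCommutativity(*v) && v->left == x && v->right == k;
}
```

Canonicalization must happen before the CSE pass and must use a genuine total order; an ordering that can rank two values both ways would leave commuted twins unmerged or, worse, keep swapping them between runs.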

2015-10-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix the build for case sensitive file systems.

        * b3/air/AirBasicBlock.h:
        * b3/air/AirStackSlot.h:

2015-10-28  Filip Pizlo  <fpizlo@apple.com>

        Create a super rough prototype of B3
        https://bugs.webkit.org/show_bug.cgi?id=150280

        Reviewed by Benjamin Poulain.

        This changeset adds the basic scaffolding of the B3 compiler. B3 stands for Bare Bones
        Backend. It's a low-level SSA-based language-agnostic compiler. The basic structure allows
        for aggressive C-level optimizations and an awesome portable backend. The backend, called
        Air (Assembly IR), is a reflective abstraction over our MacroAssembler. The abstraction is
        defined using a spec file (AirOpcode.opcodes) which describes the various kinds of
        instructions that we wish to support. Then, the B3::LowerToAir phase, which does our
        instruction selection, reflectively selects Air opcodes by querying which instruction forms
        are possible. Air allows for optimal register allocation and stack layout. Currently the
        register allocator isn't written, but the stack layout is.

        Of course this isn't done yet. It can only compile simple programs, seen in the "test suite"
        called "testb3.cpp". There are a lot of optimizations that have to be written and a lot of
        stuff added to the instruction selector. But it's a neat start.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.cpp:
        (WTF::printInternal):
        * assembler/MacroAssembler.h:
        * b3: Added.
        * b3/B3AddressMatcher.patterns: Added.
        * b3/B3ArgumentRegValue.cpp: Added.
        (JSC::B3::ArgumentRegValue::~ArgumentRegValue):
        (JSC::B3::ArgumentRegValue::dumpMeta):
        * b3/B3ArgumentRegValue.h: Added.
        * b3/B3BasicBlock.cpp: Added.
        (JSC::B3::BasicBlock::BasicBlock):
        (JSC::B3::BasicBlock::~BasicBlock):
        (JSC::B3::BasicBlock::append):
        (JSC::B3::BasicBlock::addPredecessor):
        (JSC::B3::BasicBlock::removePredecessor):
        (JSC::B3::BasicBlock::replacePredecessor):
        (JSC::B3::BasicBlock::removeNops):
        (JSC::B3::BasicBlock::dump):
        (JSC::B3::BasicBlock::deepDump):
        * b3/B3BasicBlock.h: Added.
        (JSC::B3::BasicBlock::index):
        (JSC::B3::BasicBlock::begin):
        (JSC::B3::BasicBlock::end):
        (JSC::B3::BasicBlock::size):
        (JSC::B3::BasicBlock::at):
        (JSC::B3::BasicBlock::last):
        (JSC::B3::BasicBlock::values):
        (JSC::B3::BasicBlock::numPredecessors):
        (JSC::B3::BasicBlock::predecessor):
        (JSC::B3::BasicBlock::predecessors):
        (JSC::B3::BasicBlock::frequency):
        (JSC::B3::DeepBasicBlockDump::DeepBasicBlockDump):
        (JSC::B3::DeepBasicBlockDump::dump):
        (JSC::B3::deepDump):
        * b3/B3BasicBlockInlines.h: Added.
        (JSC::B3::BasicBlock::appendNew):
        (JSC::B3::BasicBlock::numSuccessors):
        (JSC::B3::BasicBlock::successor):
        (JSC::B3::BasicBlock::successors):
        (JSC::B3::BasicBlock::successorBlock):
        (JSC::B3::BasicBlock::successorBlocks):
        * b3/B3BasicBlockUtils.h: Added.
        (JSC::B3::addPredecessor):
        (JSC::B3::removePredecessor):
        (JSC::B3::replacePredecessor):
        (JSC::B3::resetReachability):
        (JSC::B3::blocksInPreOrder):
        (JSC::B3::blocksInPostOrder):
        * b3/B3BlockWorklist.h: Added.
        * b3/B3CheckSpecial.cpp: Added.
        (JSC::B3::Air::numB3Args):
        (JSC::B3::CheckSpecial::CheckSpecial):
        (JSC::B3::CheckSpecial::~CheckSpecial):
        (JSC::B3::CheckSpecial::hiddenBranch):
        (JSC::B3::CheckSpecial::forEachArg):
        (JSC::B3::CheckSpecial::isValid):
        (JSC::B3::CheckSpecial::admitsStack):
        (JSC::B3::CheckSpecial::generate):
        (JSC::B3::CheckSpecial::dumpImpl):
        (JSC::B3::CheckSpecial::deepDumpImpl):
        * b3/B3CheckSpecial.h: Added.
        * b3/B3CheckValue.cpp: Added.
        (JSC::B3::CheckValue::~CheckValue):
        (JSC::B3::CheckValue::dumpMeta):
        * b3/B3CheckValue.h: Added.
        * b3/B3Common.cpp: Added.
        (JSC::B3::shouldDumpIR):
        (JSC::B3::shouldDumpIRAtEachPhase):
        (JSC::B3::shouldValidateIR):
        (JSC::B3::shouldValidateIRAtEachPhase):
        (JSC::B3::shouldSaveIRBeforePhase):
        * b3/B3Common.h: Added.
        (JSC::B3::is64Bit):
        (JSC::B3::is32Bit):
        * b3/B3Commutativity.cpp: Added.
        (WTF::printInternal):
        * b3/B3Commutativity.h: Added.
        * b3/B3Const32Value.cpp: Added.
        (JSC::B3::Const32Value::~Const32Value):
        (JSC::B3::Const32Value::negConstant):
        (JSC::B3::Const32Value::addConstant):
        (JSC::B3::Const32Value::subConstant):
        (JSC::B3::Const32Value::dumpMeta):
        * b3/B3Const32Value.h: Added.
        * b3/B3Const64Value.cpp: Added.
        (JSC::B3::Const64Value::~Const64Value):
        (JSC::B3::Const64Value::negConstant):
        (JSC::B3::Const64Value::addConstant):
        (JSC::B3::Const64Value::subConstant):
        (JSC::B3::Const64Value::dumpMeta):
        * b3/B3Const64Value.h: Added.
        * b3/B3ConstDoubleValue.cpp: Added.
        (JSC::B3::ConstDoubleValue::~ConstDoubleValue):
        (JSC::B3::ConstDoubleValue::negConstant):
        (JSC::B3::ConstDoubleValue::addConstant):
        (JSC::B3::ConstDoubleValue::subConstant):
        (JSC::B3::ConstDoubleValue::dumpMeta):
        * b3/B3ConstDoubleValue.h: Added.
        (JSC::B3::ConstDoubleValue::accepts):
        (JSC::B3::ConstDoubleValue::value):
        (JSC::B3::ConstDoubleValue::ConstDoubleValue):
        * b3/B3ConstPtrValue.h: Added.
        (JSC::B3::ConstPtrValue::value):
        (JSC::B3::ConstPtrValue::ConstPtrValue):
        * b3/B3ControlValue.cpp: Added.
        (JSC::B3::ControlValue::~ControlValue):
        (JSC::B3::ControlValue::dumpMeta):
        * b3/B3ControlValue.h: Added.
        * b3/B3Effects.cpp: Added.
        (JSC::B3::Effects::dump):
        * b3/B3Effects.h: Added.
        (JSC::B3::Effects::mustExecute):
        * b3/B3FrequencyClass.cpp: Added.
        (WTF::printInternal):
        * b3/B3FrequencyClass.h: Added.
        * b3/B3FrequentedBlock.h: Added.
        * b3/B3Generate.cpp: Added.
        (JSC::B3::generate):
        (JSC::B3::generateToAir):
        * b3/B3Generate.h: Added.
        * b3/B3GenericFrequentedBlock.h: Added.
        (JSC::B3::GenericFrequentedBlock::GenericFrequentedBlock):
        (JSC::B3::GenericFrequentedBlock::operator==):
        (JSC::B3::GenericFrequentedBlock::operator!=):
        (JSC::B3::GenericFrequentedBlock::operator bool):
        (JSC::B3::GenericFrequentedBlock::block):
        (JSC::B3::GenericFrequentedBlock::frequency):
        (JSC::B3::GenericFrequentedBlock::dump):
        * b3/B3HeapRange.cpp: Added.
        (JSC::B3::HeapRange::dump):
        * b3/B3HeapRange.h: Added.
        (JSC::B3::HeapRange::HeapRange):
        (JSC::B3::HeapRange::top):
        (JSC::B3::HeapRange::operator==):
        (JSC::B3::HeapRange::operator!=):
        (JSC::B3::HeapRange::operator bool):
        (JSC::B3::HeapRange::begin):
        (JSC::B3::HeapRange::end):
        (JSC::B3::HeapRange::overlaps):
        * b3/B3IndexMap.h: Added.
        (JSC::B3::IndexMap::IndexMap):
        (JSC::B3::IndexMap::resize):
        (JSC::B3::IndexMap::operator[]):
        * b3/B3IndexSet.h: Added.
        (JSC::B3::IndexSet::IndexSet):
        (JSC::B3::IndexSet::add):
        (JSC::B3::IndexSet::contains):
        (JSC::B3::IndexSet::Iterable::Iterable):
        (JSC::B3::IndexSet::Iterable::iterator::iterator):
        (JSC::B3::IndexSet::Iterable::iterator::operator*):
        (JSC::B3::IndexSet::Iterable::iterator::operator++):
        (JSC::B3::IndexSet::Iterable::iterator::operator==):
        (JSC::B3::IndexSet::Iterable::iterator::operator!=):
        (JSC::B3::IndexSet::Iterable::begin):
        (JSC::B3::IndexSet::Iterable::end):
        (JSC::B3::IndexSet::values):
        (JSC::B3::IndexSet::indices):
        (JSC::B3::IndexSet::dump):
        * b3/B3InsertionSet.cpp: Added.
        (JSC::B3::InsertionSet::execute):
        * b3/B3InsertionSet.h: Added.
        (JSC::B3::InsertionSet::InsertionSet):
        (JSC::B3::InsertionSet::code):
        (JSC::B3::InsertionSet::appendInsertion):
        (JSC::B3::InsertionSet::insertValue):
        * b3/B3InsertionSetInlines.h: Added.
        (JSC::B3::InsertionSet::insert):
        * b3/B3LowerToAir.cpp: Added.
        (JSC::B3::Air::LowerToAir::LowerToAir):
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::tmp):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::addr):
        (JSC::B3::Air::LowerToAir::loadAddr):
        (JSC::B3::Air::LowerToAir::imm):
        (JSC::B3::Air::LowerToAir::immOrTmp):
        (JSC::B3::Air::LowerToAir::appendBinOp):
        (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
        (JSC::B3::Air::LowerToAir::moveForType):
        (JSC::B3::Air::LowerToAir::relaxedMoveForType):
        (JSC::B3::Air::LowerToAir::append):
        (JSC::B3::Air::LowerToAir::AddressSelector::AddressSelector):
        (JSC::B3::Air::LowerToAir::AddressSelector::acceptRoot):
        (JSC::B3::Air::LowerToAir::AddressSelector::acceptRootLate):
        (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternals):
        (JSC::B3::Air::LowerToAir::AddressSelector::acceptInternalsLate):
        (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperands):
        (JSC::B3::Air::LowerToAir::AddressSelector::acceptOperandsLate):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift1):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryAddShift2):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryAdd):
        (JSC::B3::Air::LowerToAir::AddressSelector::tryDirect):
        (JSC::B3::Air::LowerToAir::acceptRoot):
        (JSC::B3::Air::LowerToAir::acceptRootLate):
        (JSC::B3::Air::LowerToAir::acceptInternals):
        (JSC::B3::Air::LowerToAir::acceptInternalsLate):
        (JSC::B3::Air::LowerToAir::acceptOperands):
        (JSC::B3::Air::LowerToAir::acceptOperandsLate):
        (JSC::B3::Air::LowerToAir::tryLoad):
        (JSC::B3::Air::LowerToAir::tryAdd):
        (JSC::B3::Air::LowerToAir::tryAnd):
        (JSC::B3::Air::LowerToAir::tryStoreAddLoad):
        (JSC::B3::Air::LowerToAir::tryStoreAndLoad):
        (JSC::B3::Air::LowerToAir::tryStore):
        (JSC::B3::Air::LowerToAir::tryTruncArgumentReg):
        (JSC::B3::Air::LowerToAir::tryTrunc):
        (JSC::B3::Air::LowerToAir::tryArgumentReg):
        (JSC::B3::Air::LowerToAir::tryConst32):
        (JSC::B3::Air::LowerToAir::tryConst64):
        (JSC::B3::Air::LowerToAir::tryIdentity):
        (JSC::B3::Air::LowerToAir::tryReturn):
        (JSC::B3::lowerToAir):
        * b3/B3LowerToAir.h: Added.
        * b3/B3LoweringMatcher.patterns: Added.
        * b3/B3MemoryValue.cpp: Added.
        (JSC::B3::MemoryValue::~MemoryValue):
        (JSC::B3::MemoryValue::dumpMeta):
        * b3/B3MemoryValue.h: Added.
        * b3/B3Opcode.cpp: Added.
        (WTF::printInternal):
        * b3/B3Opcode.h: Added.
        (JSC::B3::isCheckMath):
        * b3/B3Origin.cpp: Added.
        (JSC::B3::Origin::dump):
        * b3/B3Origin.h: Added.
        (JSC::B3::Origin::Origin):
        (JSC::B3::Origin::operator bool):
        (JSC::B3::Origin::data):
        * b3/B3PatchpointSpecial.cpp: Added.
        (JSC::B3::PatchpointSpecial::PatchpointSpecial):
        (JSC::B3::PatchpointSpecial::~PatchpointSpecial):
        (JSC::B3::PatchpointSpecial::forEachArg):
        (JSC::B3::PatchpointSpecial::isValid):
        (JSC::B3::PatchpointSpecial::admitsStack):
        (JSC::B3::PatchpointSpecial::generate):
        (JSC::B3::PatchpointSpecial::dumpImpl):
        (JSC::B3::PatchpointSpecial::deepDumpImpl):
        * b3/B3PatchpointSpecial.h: Added.
        * b3/B3PatchpointValue.cpp: Added.
        (JSC::B3::PatchpointValue::~PatchpointValue):
        (JSC::B3::PatchpointValue::dumpMeta):
        * b3/B3PatchpointValue.h: Added.
        (JSC::B3::PatchpointValue::accepts):
        (JSC::B3::PatchpointValue::PatchpointValue):
        * b3/B3PhaseScope.cpp: Added.
        (JSC::B3::PhaseScope::PhaseScope):
        (JSC::B3::PhaseScope::~PhaseScope):
        * b3/B3PhaseScope.h: Added.
        * b3/B3Procedure.cpp: Added.
        (JSC::B3::Procedure::Procedure):
        (JSC::B3::Procedure::~Procedure):
        (JSC::B3::Procedure::addBlock):
        (JSC::B3::Procedure::resetReachability):
        (JSC::B3::Procedure::dump):
        (JSC::B3::Procedure::blocksInPreOrder):
        (JSC::B3::Procedure::blocksInPostOrder):
        * b3/B3Procedure.h: Added.
        (JSC::B3::Procedure::size):
        (JSC::B3::Procedure::at):
        (JSC::B3::Procedure::operator[]):
        (JSC::B3::Procedure::iterator::iterator):
        (JSC::B3::Procedure::iterator::operator*):
        (JSC::B3::Procedure::iterator::operator++):
        (JSC::B3::Procedure::iterator::operator==):
        (JSC::B3::Procedure::iterator::operator!=):
        (JSC::B3::Procedure::iterator::findNext):
        (JSC::B3::Procedure::begin):
        (JSC::B3::Procedure::end):
        (JSC::B3::Procedure::ValuesCollection::ValuesCollection):
        (JSC::B3::Procedure::ValuesCollection::iterator::iterator):
        (JSC::B3::Procedure::ValuesCollection::iterator::operator*):
        (JSC::B3::Procedure::ValuesCollection::iterator::operator++):
        (JSC::B3::Procedure::ValuesCollection::iterator::operator==):
        (JSC::B3::Procedure::ValuesCollection::iterator::operator!=):
        (JSC::B3::Procedure::ValuesCollection::begin):
        (JSC::B3::Procedure::ValuesCollection::end):
        (JSC::B3::Procedure::ValuesCollection::size):
        (JSC::B3::Procedure::ValuesCollection::at):
        (JSC::B3::Procedure::ValuesCollection::operator[]):
        (JSC::B3::Procedure::values):
        (JSC::B3::Procedure::setLastPhaseName):
        (JSC::B3::Procedure::lastPhaseName):
        * b3/B3ProcedureInlines.h: Added.
        (JSC::B3::Procedure::add):
        * b3/B3ReduceStrength.cpp: Added.
        (JSC::B3::reduceStrength):
        * b3/B3ReduceStrength.h: Added.
        * b3/B3StackSlotKind.cpp: Added.
        (WTF::printInternal):
        * b3/B3StackSlotKind.h: Added.
        * b3/B3StackSlotValue.cpp: Added.
        (JSC::B3::StackSlotValue::~StackSlotValue):
        (JSC::B3::StackSlotValue::dumpMeta):
        * b3/B3StackSlotValue.h: Added.
        (JSC::B3::StackSlotValue::accepts):
        (JSC::B3::StackSlotValue::byteSize):
        (JSC::B3::StackSlotValue::kind):
        (JSC::B3::StackSlotValue::offsetFromFP):
        (JSC::B3::StackSlotValue::setOffsetFromFP):
        (JSC::B3::StackSlotValue::StackSlotValue):
        * b3/B3Stackmap.cpp: Added.
        (JSC::B3::Stackmap::Stackmap):
        (JSC::B3::Stackmap::~Stackmap):
        (JSC::B3::Stackmap::dump):
        * b3/B3Stackmap.h: Added.
        (JSC::B3::Stackmap::constrain):
        (JSC::B3::Stackmap::reps):
        (JSC::B3::Stackmap::clobber):
        (JSC::B3::Stackmap::clobbered):
        (JSC::B3::Stackmap::setGenerator):
        * b3/B3StackmapSpecial.cpp: Added.
        (JSC::B3::StackmapSpecial::StackmapSpecial):
        (JSC::B3::StackmapSpecial::~StackmapSpecial):
        (JSC::B3::StackmapSpecial::reportUsedRegisters):
        (JSC::B3::StackmapSpecial::extraClobberedRegs):
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        (JSC::B3::StackmapSpecial::isValidImpl):
        (JSC::B3::StackmapSpecial::admitsStackImpl):
        (JSC::B3::StackmapSpecial::appendRepsImpl):
        (JSC::B3::StackmapSpecial::repForArg):
        * b3/B3StackmapSpecial.h: Added.
        * b3/B3SuccessorCollection.h: Added.
        (JSC::B3::SuccessorCollection::SuccessorCollection):
        (JSC::B3::SuccessorCollection::size):
        (JSC::B3::SuccessorCollection::at):
        (JSC::B3::SuccessorCollection::operator[]):
        (JSC::B3::SuccessorCollection::iterator::iterator):
        (JSC::B3::SuccessorCollection::iterator::operator*):
        (JSC::B3::SuccessorCollection::iterator::operator++):
739         (JSC::B3::SuccessorCollection::iterator::operator==):
740         (JSC::B3::SuccessorCollection::iterator::operator!=):
741         (JSC::B3::SuccessorCollection::begin):
742         (JSC::B3::SuccessorCollection::end):
743         * b3/B3SwitchCase.cpp: Added.
744         (JSC::B3::SwitchCase::dump):
745         * b3/B3SwitchCase.h: Added.
746         (JSC::B3::SwitchCase::SwitchCase):
747         (JSC::B3::SwitchCase::operator bool):
748         (JSC::B3::SwitchCase::caseValue):
749         (JSC::B3::SwitchCase::target):
750         (JSC::B3::SwitchCase::targetBlock):
751         * b3/B3SwitchValue.cpp: Added.
752         (JSC::B3::SwitchValue::~SwitchValue):
753         (JSC::B3::SwitchValue::removeCase):
754         (JSC::B3::SwitchValue::appendCase):
755         (JSC::B3::SwitchValue::dumpMeta):
756         (JSC::B3::SwitchValue::SwitchValue):
757         * b3/B3SwitchValue.h: Added.
758         (JSC::B3::SwitchValue::accepts):
759         (JSC::B3::SwitchValue::numCaseValues):
760         (JSC::B3::SwitchValue::caseValue):
761         (JSC::B3::SwitchValue::caseValues):
762         (JSC::B3::SwitchValue::fallThrough):
763         (JSC::B3::SwitchValue::size):
764         (JSC::B3::SwitchValue::at):
765         (JSC::B3::SwitchValue::operator[]):
766         (JSC::B3::SwitchValue::iterator::iterator):
767         (JSC::B3::SwitchValue::iterator::operator*):
768         (JSC::B3::SwitchValue::iterator::operator++):
769         (JSC::B3::SwitchValue::iterator::operator==):
770         (JSC::B3::SwitchValue::iterator::operator!=):
771         (JSC::B3::SwitchValue::begin):
772         (JSC::B3::SwitchValue::end):
773         * b3/B3Type.cpp: Added.
774         (WTF::printInternal):
775         * b3/B3Type.h: Added.
776         (JSC::B3::isInt):
777         (JSC::B3::isFloat):
778         (JSC::B3::pointerType):
779         * b3/B3UpsilonValue.cpp: Added.
780         (JSC::B3::UpsilonValue::~UpsilonValue):
781         (JSC::B3::UpsilonValue::dumpMeta):
782         * b3/B3UpsilonValue.h: Added.
783         (JSC::B3::UpsilonValue::accepts):
784         (JSC::B3::UpsilonValue::phi):
785         (JSC::B3::UpsilonValue::UpsilonValue):
786         * b3/B3UseCounts.cpp: Added.
787         (JSC::B3::UseCounts::UseCounts):
788         (JSC::B3::UseCounts::~UseCounts):
789         * b3/B3UseCounts.h: Added.
790         (JSC::B3::UseCounts::operator[]):
791         * b3/B3Validate.cpp: Added.
792         (JSC::B3::validate):
793         * b3/B3Validate.h: Added.
794         * b3/B3Value.cpp: Added.
795         (JSC::B3::Value::~Value):
796         (JSC::B3::Value::replaceWithIdentity):
797         (JSC::B3::Value::replaceWithNop):
798         (JSC::B3::Value::dump):
799         (JSC::B3::Value::deepDump):
800         (JSC::B3::Value::negConstant):
801         (JSC::B3::Value::addConstant):
802         (JSC::B3::Value::subConstant):
803         (JSC::B3::Value::effects):
804         (JSC::B3::Value::performSubstitution):
805         (JSC::B3::Value::dumpMeta):
806         (JSC::B3::Value::typeFor):
807         * b3/B3Value.h: Added.
808         (JSC::B3::DeepValueDump::DeepValueDump):
809         (JSC::B3::DeepValueDump::dump):
810         (JSC::B3::deepDump):
811         * b3/B3ValueInlines.h: Added.
812         (JSC::B3::Value::as):
813         (JSC::B3::Value::isConstant):
814         (JSC::B3::Value::hasInt32):
815         (JSC::B3::Value::asInt32):
816         (JSC::B3::Value::hasInt64):
817         (JSC::B3::Value::asInt64):
818         (JSC::B3::Value::hasInt):
819         (JSC::B3::Value::asInt):
820         (JSC::B3::Value::isInt):
821         (JSC::B3::Value::hasIntPtr):
822         (JSC::B3::Value::asIntPtr):
823         (JSC::B3::Value::hasDouble):
824         (JSC::B3::Value::asDouble):
825         (JSC::B3::Value::stackmap):
826         * b3/B3ValueRep.cpp: Added.
827         (JSC::B3::ValueRep::dump):
828         (WTF::printInternal):
829         * b3/B3ValueRep.h: Added.
830         (JSC::B3::ValueRep::ValueRep):
831         (JSC::B3::ValueRep::reg):
832         (JSC::B3::ValueRep::stack):
833         (JSC::B3::ValueRep::stackArgument):
834         (JSC::B3::ValueRep::constant):
835         (JSC::B3::ValueRep::constantDouble):
836         (JSC::B3::ValueRep::kind):
837         (JSC::B3::ValueRep::operator bool):
838         (JSC::B3::ValueRep::offsetFromFP):
839         (JSC::B3::ValueRep::offsetFromSP):
840         (JSC::B3::ValueRep::value):
841         (JSC::B3::ValueRep::doubleValue):
842         * b3/air: Added.
843         * b3/air/AirAllocateStack.cpp: Added.
844         (JSC::B3::Air::allocateStack):
845         * b3/air/AirAllocateStack.h: Added.
846         * b3/air/AirArg.cpp: Added.
847         (JSC::B3::Air::Arg::dump):
848         * b3/air/AirArg.h: Added.
849         (JSC::B3::Air::Arg::isUse):
850         (JSC::B3::Air::Arg::isDef):
851         (JSC::B3::Air::Arg::typeForB3Type):
852         (JSC::B3::Air::Arg::Arg):
853         (JSC::B3::Air::Arg::imm):
854         (JSC::B3::Air::Arg::imm64):
855         (JSC::B3::Air::Arg::addr):
856         (JSC::B3::Air::Arg::stack):
857         (JSC::B3::Air::Arg::callArg):
858         (JSC::B3::Air::Arg::isValidScale):
859         (JSC::B3::Air::Arg::logScale):
860         (JSC::B3::Air::Arg::index):
861         (JSC::B3::Air::Arg::relCond):
862         (JSC::B3::Air::Arg::resCond):
863         (JSC::B3::Air::Arg::special):
864         (JSC::B3::Air::Arg::operator==):
865         (JSC::B3::Air::Arg::operator!=):
866         (JSC::B3::Air::Arg::operator bool):
867         (JSC::B3::Air::Arg::kind):
868         (JSC::B3::Air::Arg::isTmp):
869         (JSC::B3::Air::Arg::isImm):
870         (JSC::B3::Air::Arg::isImm64):
871         (JSC::B3::Air::Arg::isAddr):
872         (JSC::B3::Air::Arg::isStack):
873         (JSC::B3::Air::Arg::isCallArg):
874         (JSC::B3::Air::Arg::isIndex):
875         (JSC::B3::Air::Arg::isRelCond):
876         (JSC::B3::Air::Arg::isResCond):
877         (JSC::B3::Air::Arg::isSpecial):
878         (JSC::B3::Air::Arg::isAlive):
879         (JSC::B3::Air::Arg::tmp):
880         (JSC::B3::Air::Arg::value):
881         (JSC::B3::Air::Arg::pointerValue):
882         (JSC::B3::Air::Arg::base):
883         (JSC::B3::Air::Arg::hasOffset):
884         (JSC::B3::Air::Arg::offset):
885         (JSC::B3::Air::Arg::stackSlot):
886         (JSC::B3::Air::Arg::scale):
887         (JSC::B3::Air::Arg::isGPTmp):
888         (JSC::B3::Air::Arg::isFPTmp):
889         (JSC::B3::Air::Arg::isGP):
890         (JSC::B3::Air::Arg::isFP):
891         (JSC::B3::Air::Arg::hasType):
892         (JSC::B3::Air::Arg::type):
893         (JSC::B3::Air::Arg::isType):
894         (JSC::B3::Air::Arg::isGPR):
895         (JSC::B3::Air::Arg::gpr):
896         (JSC::B3::Air::Arg::isFPR):
897         (JSC::B3::Air::Arg::fpr):
898         (JSC::B3::Air::Arg::isReg):
899         (JSC::B3::Air::Arg::reg):
900         (JSC::B3::Air::Arg::gpTmpIndex):
901         (JSC::B3::Air::Arg::fpTmpIndex):
902         (JSC::B3::Air::Arg::tmpIndex):
903         (JSC::B3::Air::Arg::withOffset):
904         (JSC::B3::Air::Arg::forEachTmpFast):
905         (JSC::B3::Air::Arg::forEachTmp):
906         (JSC::B3::Air::Arg::asTrustedImm32):
907         (JSC::B3::Air::Arg::asTrustedImm64):
908         (JSC::B3::Air::Arg::asTrustedImmPtr):
909         (JSC::B3::Air::Arg::asAddress):
910         (JSC::B3::Air::Arg::asBaseIndex):
911         (JSC::B3::Air::Arg::asRelationalCondition):
912         (JSC::B3::Air::Arg::asResultCondition):
913         (JSC::B3::Air::Arg::isHashTableDeletedValue):
914         (JSC::B3::Air::Arg::hash):
915         (JSC::B3::Air::ArgHash::hash):
916         (JSC::B3::Air::ArgHash::equal):
917         * b3/air/AirBasicBlock.cpp: Added.
918         (JSC::B3::Air::BasicBlock::addPredecessor):
919         (JSC::B3::Air::BasicBlock::removePredecessor):
920         (JSC::B3::Air::BasicBlock::replacePredecessor):
921         (JSC::B3::Air::BasicBlock::dump):
922         (JSC::B3::Air::BasicBlock::deepDump):
923         (JSC::B3::Air::BasicBlock::BasicBlock):
924         * b3/air/AirBasicBlock.h: Added.
925         (JSC::B3::Air::BasicBlock::index):
926         (JSC::B3::Air::BasicBlock::size):
927         (JSC::B3::Air::BasicBlock::begin):
928         (JSC::B3::Air::BasicBlock::end):
929         (JSC::B3::Air::BasicBlock::at):
930         (JSC::B3::Air::BasicBlock::last):
931         (JSC::B3::Air::BasicBlock::appendInst):
932         (JSC::B3::Air::BasicBlock::append):
933         (JSC::B3::Air::BasicBlock::numSuccessors):
934         (JSC::B3::Air::BasicBlock::successor):
935         (JSC::B3::Air::BasicBlock::successors):
936         (JSC::B3::Air::BasicBlock::successorBlock):
937         (JSC::B3::Air::BasicBlock::successorBlocks):
938         (JSC::B3::Air::BasicBlock::numPredecessors):
939         (JSC::B3::Air::BasicBlock::predecessor):
940         (JSC::B3::Air::BasicBlock::predecessors):
941         (JSC::B3::Air::DeepBasicBlockDump::DeepBasicBlockDump):
942         (JSC::B3::Air::DeepBasicBlockDump::dump):
943         (JSC::B3::Air::deepDump):
944         * b3/air/AirCCallSpecial.cpp: Added.
945         (JSC::B3::Air::CCallSpecial::CCallSpecial):
946         (JSC::B3::Air::CCallSpecial::~CCallSpecial):
947         (JSC::B3::Air::CCallSpecial::forEachArg):
948         (JSC::B3::Air::CCallSpecial::isValid):
949         (JSC::B3::Air::CCallSpecial::admitsStack):
950         (JSC::B3::Air::CCallSpecial::reportUsedRegisters):
951         (JSC::B3::Air::CCallSpecial::generate):
952         (JSC::B3::Air::CCallSpecial::extraClobberedRegs):
953         (JSC::B3::Air::CCallSpecial::dumpImpl):
954         (JSC::B3::Air::CCallSpecial::deepDumpImpl):
955         * b3/air/AirCCallSpecial.h: Added.
956         * b3/air/AirCode.cpp: Added.
957         (JSC::B3::Air::Code::Code):
958         (JSC::B3::Air::Code::~Code):
959         (JSC::B3::Air::Code::addBlock):
960         (JSC::B3::Air::Code::addStackSlot):
961         (JSC::B3::Air::Code::addSpecial):
962         (JSC::B3::Air::Code::cCallSpecial):
963         (JSC::B3::Air::Code::resetReachability):
964         (JSC::B3::Air::Code::dump):
965         (JSC::B3::Air::Code::findFirstBlockIndex):
966         (JSC::B3::Air::Code::findNextBlockIndex):
967         (JSC::B3::Air::Code::findNextBlock):
968         * b3/air/AirCode.h: Added.
969         (JSC::B3::Air::Code::newTmp):
970         (JSC::B3::Air::Code::numTmps):
971         (JSC::B3::Air::Code::callArgAreaSize):
972         (JSC::B3::Air::Code::requestCallArgAreaSize):
973         (JSC::B3::Air::Code::frameSize):
974         (JSC::B3::Air::Code::setFrameSize):
975         (JSC::B3::Air::Code::calleeSaveRegisters):
976         (JSC::B3::Air::Code::size):
977         (JSC::B3::Air::Code::at):
978         (JSC::B3::Air::Code::operator[]):
979         (JSC::B3::Air::Code::iterator::iterator):
980         (JSC::B3::Air::Code::iterator::operator*):
981         (JSC::B3::Air::Code::iterator::operator++):
982         (JSC::B3::Air::Code::iterator::operator==):
983         (JSC::B3::Air::Code::iterator::operator!=):
984         (JSC::B3::Air::Code::begin):
985         (JSC::B3::Air::Code::end):
986         (JSC::B3::Air::Code::StackSlotsCollection::StackSlotsCollection):
987         (JSC::B3::Air::Code::StackSlotsCollection::size):
988         (JSC::B3::Air::Code::StackSlotsCollection::at):
989         (JSC::B3::Air::Code::StackSlotsCollection::operator[]):
990         (JSC::B3::Air::Code::StackSlotsCollection::iterator::iterator):
991         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator*):
992         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator++):
993         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator==):
994         (JSC::B3::Air::Code::StackSlotsCollection::iterator::operator!=):
995         (JSC::B3::Air::Code::StackSlotsCollection::begin):
996         (JSC::B3::Air::Code::StackSlotsCollection::end):
997         (JSC::B3::Air::Code::stackSlots):
998         (JSC::B3::Air::Code::SpecialsCollection::SpecialsCollection):
999         (JSC::B3::Air::Code::SpecialsCollection::size):
1000         (JSC::B3::Air::Code::SpecialsCollection::at):
1001         (JSC::B3::Air::Code::SpecialsCollection::operator[]):
1002         (JSC::B3::Air::Code::SpecialsCollection::iterator::iterator):
1003         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator*):
1004         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator++):
1005         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator==):
1006         (JSC::B3::Air::Code::SpecialsCollection::iterator::operator!=):
1007         (JSC::B3::Air::Code::SpecialsCollection::begin):
1008         (JSC::B3::Air::Code::SpecialsCollection::end):
1009         (JSC::B3::Air::Code::specials):
1010         (JSC::B3::Air::Code::setLastPhaseName):
1011         (JSC::B3::Air::Code::lastPhaseName):
1012         * b3/air/AirFrequentedBlock.h: Added.
1013         * b3/air/AirGenerate.cpp: Added.
1014         (JSC::B3::Air::generate):
1015         * b3/air/AirGenerate.h: Added.
1016         * b3/air/AirGenerated.cpp: Added.
1017         * b3/air/AirGenerationContext.h: Added.
1018         * b3/air/AirHandleCalleeSaves.cpp: Added.
1019         (JSC::B3::Air::handleCalleeSaves):
1020         * b3/air/AirHandleCalleeSaves.h: Added.
1021         * b3/air/AirInsertionSet.cpp: Added.
1022         (JSC::B3::Air::InsertionSet::execute):
1023         * b3/air/AirInsertionSet.h: Added.
1024         (JSC::B3::Air::InsertionSet::InsertionSet):
1025         (JSC::B3::Air::InsertionSet::code):
1026         (JSC::B3::Air::InsertionSet::appendInsertion):
1027         (JSC::B3::Air::InsertionSet::insertInst):
1028         (JSC::B3::Air::InsertionSet::insert):
1029         * b3/air/AirInst.cpp: Added.
1030         (JSC::B3::Air::Inst::dump):
1031         * b3/air/AirInst.h: Added.
1032         (JSC::B3::Air::Inst::Inst):
1033         (JSC::B3::Air::Inst::opcode):
1034         (JSC::B3::Air::Inst::forEachTmpFast):
1035         (JSC::B3::Air::Inst::forEachTmp):
1036         * b3/air/AirInstInlines.h: Added.
1037         (JSC::B3::Air::ForEach<Tmp>::forEach):
1038         (JSC::B3::Air::ForEach<Arg>::forEach):
1039         (JSC::B3::Air::Inst::forEach):
1040         (JSC::B3::Air::Inst::hasSpecial):
1041         (JSC::B3::Air::Inst::extraClobberedRegs):
1042         (JSC::B3::Air::Inst::reportUsedRegisters):
1043         (JSC::B3::Air::isShiftValid):
1044         (JSC::B3::Air::isLshift32Valid):
1045         * b3/air/AirLiveness.h: Added.
1046         (JSC::B3::Air::Liveness::Liveness):
1047         (JSC::B3::Air::Liveness::liveAtHead):
1048         (JSC::B3::Air::Liveness::liveAtTail):
1049         (JSC::B3::Air::Liveness::LocalCalc::LocalCalc):
1050         (JSC::B3::Air::Liveness::LocalCalc::live):
1051         (JSC::B3::Air::Liveness::LocalCalc::takeLive):
1052         (JSC::B3::Air::Liveness::LocalCalc::execute):
1053         * b3/air/AirOpcode.opcodes: Added.
1054         * b3/air/AirPhaseScope.cpp: Added.
1055         (JSC::B3::Air::PhaseScope::PhaseScope):
1056         (JSC::B3::Air::PhaseScope::~PhaseScope):
1057         * b3/air/AirPhaseScope.h: Added.
1058         * b3/air/AirRegisterPriority.cpp: Added.
1059         (JSC::B3::Air::gprsInPriorityOrder):
1060         (JSC::B3::Air::fprsInPriorityOrder):
1061         (JSC::B3::Air::regsInPriorityOrder):
1062         * b3/air/AirRegisterPriority.h: Added.
1063         (JSC::B3::Air::RegistersInPriorityOrder<GPRInfo>::inPriorityOrder):
1064         (JSC::B3::Air::RegistersInPriorityOrder<FPRInfo>::inPriorityOrder):
1065         (JSC::B3::Air::regsInPriorityOrder):
1066         * b3/air/AirSpecial.cpp: Added.
1067         (JSC::B3::Air::Special::Special):
1068         (JSC::B3::Air::Special::~Special):
1069         (JSC::B3::Air::Special::name):
1070         (JSC::B3::Air::Special::dump):
1071         (JSC::B3::Air::Special::deepDump):
1072         * b3/air/AirSpecial.h: Added.
1073         (JSC::B3::Air::DeepSpecialDump::DeepSpecialDump):
1074         (JSC::B3::Air::DeepSpecialDump::dump):
1075         (JSC::B3::Air::deepDump):
1076         * b3/air/AirSpillEverything.cpp: Added.
1077         (JSC::B3::Air::spillEverything):
1078         * b3/air/AirSpillEverything.h: Added.
1079         * b3/air/AirStackSlot.cpp: Added.
1080         (JSC::B3::Air::StackSlot::setOffsetFromFP):
1081         (JSC::B3::Air::StackSlot::dump):
1082         (JSC::B3::Air::StackSlot::deepDump):
1083         (JSC::B3::Air::StackSlot::StackSlot):
1084         * b3/air/AirStackSlot.h: Added.
1085         (JSC::B3::Air::StackSlot::byteSize):
1086         (JSC::B3::Air::StackSlot::kind):
1087         (JSC::B3::Air::StackSlot::index):
1088         (JSC::B3::Air::StackSlot::alignment):
1089         (JSC::B3::Air::StackSlot::value):
1090         (JSC::B3::Air::StackSlot::offsetFromFP):
1091         (JSC::B3::Air::DeepStackSlotDump::DeepStackSlotDump):
1092         (JSC::B3::Air::DeepStackSlotDump::dump):
1093         (JSC::B3::Air::deepDump):
1094         * b3/air/AirTmp.cpp: Added.
1095         (JSC::B3::Air::Tmp::dump):
1096         * b3/air/AirTmp.h: Added.
1097         (JSC::B3::Air::Tmp::Tmp):
1098         (JSC::B3::Air::Tmp::gpTmpForIndex):
1099         (JSC::B3::Air::Tmp::fpTmpForIndex):
1100         (JSC::B3::Air::Tmp::operator bool):
1101         (JSC::B3::Air::Tmp::isGP):
1102         (JSC::B3::Air::Tmp::isFP):
1103         (JSC::B3::Air::Tmp::isGPR):
1104         (JSC::B3::Air::Tmp::isFPR):
1105         (JSC::B3::Air::Tmp::isReg):
1106         (JSC::B3::Air::Tmp::gpr):
1107         (JSC::B3::Air::Tmp::fpr):
1108         (JSC::B3::Air::Tmp::reg):
1109         (JSC::B3::Air::Tmp::hasTmpIndex):
1110         (JSC::B3::Air::Tmp::gpTmpIndex):
1111         (JSC::B3::Air::Tmp::fpTmpIndex):
1112         (JSC::B3::Air::Tmp::tmpIndex):
1113         (JSC::B3::Air::Tmp::isAlive):
1114         (JSC::B3::Air::Tmp::operator==):
1115         (JSC::B3::Air::Tmp::operator!=):
1116         (JSC::B3::Air::Tmp::isHashTableDeletedValue):
1117         (JSC::B3::Air::Tmp::hash):
1118         (JSC::B3::Air::Tmp::encodeGP):
1119         (JSC::B3::Air::Tmp::encodeFP):
1120         (JSC::B3::Air::Tmp::encodeGPR):
1121         (JSC::B3::Air::Tmp::encodeFPR):
1122         (JSC::B3::Air::Tmp::encodeGPTmp):
1123         (JSC::B3::Air::Tmp::encodeFPTmp):
1124         (JSC::B3::Air::Tmp::isEncodedGP):
1125         (JSC::B3::Air::Tmp::isEncodedFP):
1126         (JSC::B3::Air::Tmp::isEncodedGPR):
1127         (JSC::B3::Air::Tmp::isEncodedFPR):
1128         (JSC::B3::Air::Tmp::isEncodedGPTmp):
1129         (JSC::B3::Air::Tmp::isEncodedFPTmp):
1130         (JSC::B3::Air::Tmp::decodeGPR):
1131         (JSC::B3::Air::Tmp::decodeFPR):
1132         (JSC::B3::Air::Tmp::decodeGPTmp):
1133         (JSC::B3::Air::Tmp::decodeFPTmp):
1134         (JSC::B3::Air::TmpHash::hash):
1135         (JSC::B3::Air::TmpHash::equal):
1136         * b3/air/AirTmpInlines.h: Added.
1137         (JSC::B3::Air::Tmp::Tmp):
1138         * b3/air/AirValidate.cpp: Added.
1139         (JSC::B3::Air::validate):
1140         * b3/air/AirValidate.h: Added.
1141         * b3/air/opcode_generator.rb: Added.
1142         * b3/generate_pattern_matcher.rb: Added.
1143         * b3/testb3.cpp: Added.
1144         (JSC::B3::compileAndRun):
1145         (JSC::B3::test42):
1146         (JSC::B3::testLoad42):
1147         (JSC::B3::testArg):
1148         (JSC::B3::testAddArgs):
1149         (JSC::B3::testAddArgs32):
1150         (JSC::B3::testStore):
1151         (JSC::B3::testTrunc):
1152         (JSC::B3::testAdd1):
1153         (JSC::B3::testStoreAddLoad):
1154         (JSC::B3::testStoreAddAndLoad):
1155         (JSC::B3::testAdd1Uncommuted):
1156         (JSC::B3::testLoadOffset):
1157         (JSC::B3::testLoadOffsetNotConstant):
1158         (JSC::B3::testLoadOffsetUsingAdd):
1159         (JSC::B3::testLoadOffsetUsingAddNotConstant):
1160         (JSC::B3::run):
1161         (run):
1162         (main):
1163         * bytecode/CodeBlock.h:
1164         (JSC::CodeBlock::specializationKind):
1165         * jit/Reg.h:
1166         (JSC::Reg::index):
1167         (JSC::Reg::isSet):
1168         (JSC::Reg::operator bool):
1169         (JSC::Reg::isHashTableDeletedValue):
1170         (JSC::Reg::AllRegsIterable::iterator::iterator):
1171         (JSC::Reg::AllRegsIterable::iterator::operator*):
1172         (JSC::Reg::AllRegsIterable::iterator::operator++):
1173         (JSC::Reg::AllRegsIterable::iterator::operator==):
1174         (JSC::Reg::AllRegsIterable::iterator::operator!=):
1175         (JSC::Reg::AllRegsIterable::begin):
1176         (JSC::Reg::AllRegsIterable::end):
1177         (JSC::Reg::all):
1178         (JSC::Reg::invalid):
1179         (JSC::Reg::operator!): Deleted.
1180         * jit/RegisterAtOffsetList.cpp:
1181         (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
1182         * jit/RegisterAtOffsetList.h:
1183         (JSC::RegisterAtOffsetList::clear):
1184         (JSC::RegisterAtOffsetList::size):
1185         (JSC::RegisterAtOffsetList::begin):
1186         (JSC::RegisterAtOffsetList::end):
1187         * jit/RegisterSet.h:
1188         (JSC::RegisterSet::operator==):
1189         (JSC::RegisterSet::hash):
1190         (JSC::RegisterSet::forEach):
1191         (JSC::RegisterSet::setAny):
1192
1193 2015-10-28  Mark Lam  <mark.lam@apple.com>
1194
1195         Rename MacroAssembler::callProbe() to probe().
1196         https://bugs.webkit.org/show_bug.cgi?id=150641
1197
1198         Reviewed by Saam Barati.
1199
1200         To do this, I needed to disambiguate between the low-level probe() from the
1201         high-level version that takes a std::function.  I did this by changing the low-level
1202         version to not take default args anymore.
1203
1204         * assembler/AbstractMacroAssembler.h:
1205         * assembler/MacroAssembler.cpp:
1206         (JSC::stdFunctionCallback):
1207         (JSC::MacroAssembler::probe):
1208         (JSC::MacroAssembler::callProbe): Deleted.
1209         * assembler/MacroAssembler.h:
1210         (JSC::MacroAssembler::urshift32):
1211         * assembler/MacroAssemblerARM.h:
1212         (JSC::MacroAssemblerARM::repatchCall):
1213         * assembler/MacroAssemblerARM64.h:
1214         (JSC::MacroAssemblerARM64::repatchCall):
1215         * assembler/MacroAssemblerARMv7.h:
1216         (JSC::MacroAssemblerARMv7::repatchCall):
1217         * assembler/MacroAssemblerPrinter.h:
1218         (JSC::MacroAssemblerPrinter::print):
1219         * assembler/MacroAssemblerX86Common.h:
1220         (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
1221
1222 2015-10-28  Timothy Hatcher  <timothy@apple.com>
1223
1224         Web Inspector: jsmin.py mistakenly removes whitespace from template literal strings
1225         https://bugs.webkit.org/show_bug.cgi?id=148728
1226
1227         Reviewed by Joseph Pecoraro.
1228
1229         * Scripts/jsmin.py:
1230         (JavascriptMinify.minify): Make backtick a quoting character.
1231
1232 2015-10-28  Brian Burg  <bburg@apple.com>
1233
1234         Builtins generator should emit ENABLE(FEATURE) guards based on @conditional annotation
1235         https://bugs.webkit.org/show_bug.cgi?id=150536
1236
1237         Reviewed by Yusuke Suzuki.
1238
1239         Scan JS builtin files for @key=value and @flag annotations in single-line comments.
1240         For @conditional=CONDITIONAL, emit CONDITIONAL guards around the relevant object's code.
1241
1242         Generate primary header includes separately from secondary header includes so we can
1243         put the guard between the two header groups, as is customary in WebKit C++ code.
1244
1245         New tests:
1246
1247         Scripts/tests/builtins/WebCore-ArbitraryConditionalGuard-Separate.js
1248         Scripts/tests/builtins/WebCore-DuplicateFlagAnnotation-Separate.js
1249         Scripts/tests/builtins/WebCore-DuplicateKeyValueAnnotation-Separate.js
1250
1251         * Scripts/builtins/builtins_generate_combined_implementation.py:
1252         (BuiltinsCombinedImplementationGenerator.generate_output):
1253         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
1254         (BuiltinsCombinedImplementationGenerator.generate_header_includes): Deleted.
1255         * Scripts/builtins/builtins_generate_separate_header.py:
1256         (BuiltinsSeparateHeaderGenerator.generate_output):
1257         (generate_secondary_header_includes):
1258         (generate_header_includes): Deleted.
1259         * Scripts/builtins/builtins_generate_separate_implementation.py:
1260         (BuiltinsSeparateImplementationGenerator.generate_output):
1261         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
1262         (BuiltinsSeparateImplementationGenerator.generate_header_includes): Deleted.
1263         * Scripts/builtins/builtins_generate_separate_wrapper.py:
1264         (BuiltinsSeparateWrapperGenerator.generate_output):
1265         (BuiltinsSeparateWrapperGenerator.generate_secondary_header_includes):
1266         (BuiltinsSeparateWrapperGenerator.generate_header_includes): Deleted.
1267         * Scripts/builtins/builtins_generator.py:
1268         (BuiltinsGenerator.generate_includes_from_entries):
1269         (BuiltinsGenerator):
1270         (BuiltinsGenerator.generate_primary_header_includes):
1271         * Scripts/builtins/builtins_model.py:
1272         (BuiltinObject.__init__):
1273         (BuiltinsCollection.parse_builtins_file):
1274         (BuiltinsCollection._parse_annotations):
1275         * Scripts/tests/builtins/WebCore-ArbitraryConditionalGuard-Separate.js: Added.
1276         * Scripts/tests/builtins/WebCore-DuplicateFlagAnnotation-Separate.js: Added.
1277         * Scripts/tests/builtins/WebCore-DuplicateKeyValueAnnotation-Separate.js: Added.
1278         * Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js: Simplify.
1279         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js: Simplify.
1280         * Scripts/tests/builtins/WebCore-UnguardedBuiltin-Separate.js: Simplify.
1281         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Added.
1282         * Scripts/tests/builtins/expected/WebCore-DuplicateFlagAnnotation-Separate.js-error: Added.
1283         * Scripts/tests/builtins/expected/WebCore-DuplicateKeyValueAnnotation-Separate.js-error: Added.
1284         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1285         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1286         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1287         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1288
1289 2015-10-28  Mark Lam  <mark.lam@apple.com>
1290
1291         Update FTL to support UntypedUse operands for op_sub.
1292         https://bugs.webkit.org/show_bug.cgi?id=150562
1293
1294         Reviewed by Geoffrey Garen.
1295
1296         * assembler/MacroAssemblerARM64.h:
1297         - make the dataTempRegister and memoryTempRegister public so that we can
1298           move input registers out of them if needed.
1299
1300         * ftl/FTLCapabilities.cpp:
1301         (JSC::FTL::canCompile):
1302         - We can now compile ArithSub.
1303
1304         * ftl/FTLCompile.cpp:
1305         - Added BinaryArithGenerationContext to shuffle registers into a state that is
1306           expected by the baseline snippet generator.  This includes:
1307           1. Making sure that the input and output registers are not in the tag or
1308              scratch registers.
1309           2. Loading the tag registers with expected values.
1310           3. Restoring the registers to their original value on return.
1311         - Added code to implement the ArithSub inline cache.
1312
1313         * ftl/FTLInlineCacheDescriptor.h:
1314         (JSC::FTL::ArithSubDescriptor::ArithSubDescriptor):
1315         (JSC::FTL::ArithSubDescriptor::leftType):
1316         (JSC::FTL::ArithSubDescriptor::rightType):
1317
1318         * ftl/FTLInlineCacheSize.cpp:
1319         (JSC::FTL::sizeOfArithSub):
1320         * ftl/FTLInlineCacheSize.h:
1321
1322         * ftl/FTLLowerDFGToLLVM.cpp:
1323         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1324         - Added handling for UnusedType for the ArithSub case.
1325
1326         * ftl/FTLState.h:
1327         * jit/GPRInfo.h:
1328         (JSC::GPRInfo::reservedRegisters):
1329
1330         * jit/JITSubGenerator.h:
1331         (JSC::JITSubGenerator::generateFastPath):
1332         - When the result is in the same register as one of the input registers, we'll end up
1333           corrupting the input in the fast path even if we determine that we need to go to
1334           the slow path.  We now move the input into the scratch register and operate
1335           on that instead, and move the result into the result register only after
1336           the fast path has succeeded.
1337
1338         * tests/stress/op_sub.js:
1339         (o1.valueOf):
1340         (runTest):
1341         - Added some debugging tools: flags for verbose logging, and eager abort on fail.
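
The JITSubGenerator hazard above, as an added example that is not JSC code: a toy register file where the result register aliases the left operand, with the clobbering fast path beside the fixed one that computes into a scratch register first. All names (`subWithOverflow`, `slowPathSub`, `subBuggy`, `subFixed`) are hypothetical stand-ins for the generated fast/slow paths.

```cpp
// Added example (not JavaScriptCore code). Models the register-aliasing bug
// described in the JITSubGenerator note: a machine subtract writes its
// destination even when it overflows, so if the destination is one of the
// inputs, the slow path afterwards sees a corrupted operand.
#include <array>
#include <cstdint>
#include <cstdio>

enum Reg { Left = 0, Right = 1, Scratch = 2, NumRegs = 3 };
using RegFile = std::array<int32_t, NumRegs>;

// Machine-style subtract: always writes dst, returns true on signed overflow.
static bool subWithOverflow(RegFile& r, Reg dst, Reg lhs, Reg rhs) {
    int32_t out;
    bool overflow = __builtin_sub_overflow(r[lhs], r[rhs], &out);
    r[dst] = out;  // destination is clobbered even on overflow
    return overflow;
}

// Stand-in for the slow path: recomputes the subtraction in 64 bits from the
// operands it finds in the register file (the real slow path hands the
// operand values to the runtime).
static int64_t slowPathSub(const RegFile& r) {
    return int64_t(r[Left]) - int64_t(r[Right]);
}

// Buggy fast path: the allocator reused the Left register as the result
// register. On overflow, the slow path reads the wrapped value as Left.
int64_t subBuggy(int32_t left, int32_t right) {
    RegFile r{left, right, 0};
    Reg result = Left;
    if (!subWithOverflow(r, result, Left, Right))
        return r[result];
    return slowPathSub(r);  // r[Left] now holds the wrapped result
}

// Fixed fast path: subtract into Scratch, and only move into the result
// register once the overflow check has passed, so the slow path sees both
// inputs intact.
int64_t subFixed(int32_t left, int32_t right) {
    RegFile r{left, right, 0};
    Reg result = Left;
    if (!subWithOverflow(r, Scratch, Left, Right)) {
        r[result] = r[Scratch];
        return r[result];
    }
    return slowPathSub(r);
}

int main() {
    // INT32_MIN - 1 overflows in 32 bits and must take the slow path.
    std::printf("buggy: %lld\n", (long long)subBuggy(INT32_MIN, 1));  // wrong
    std::printf("fixed: %lld\n", (long long)subFixed(INT32_MIN, 1));  // -2147483649
    return 0;
}
```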
1342
1343 2015-10-28  Mark Lam  <mark.lam@apple.com>
1344
1345         Fix a typo in ProbeContext::fpr().
1346         https://bugs.webkit.org/show_bug.cgi?id=150629
1347
1348         Reviewed by Yusuke Suzuki.
1349
1350         ProbeContext::fpr() should be calling CPUState::fpr(), not CPUState::gpr().
1351
1352         * assembler/AbstractMacroAssembler.h:
1353         (JSC::AbstractMacroAssembler::ProbeContext::fpr):
1354
1355 2015-10-28  Mark Lam  <mark.lam@apple.com>
1356
1357         Add ability to print the PC register from JIT'ed code.
1358         https://bugs.webkit.org/show_bug.cgi?id=150561
1359
1360         Reviewed by Geoffrey Garen.
1361
1362         * assembler/MacroAssemblerPrinter.cpp:
1363         (JSC::printPC):
1364         (JSC::MacroAssemblerPrinter::printCallback):
1365         * assembler/MacroAssemblerPrinter.h:
1366         (JSC::MacroAssemblerPrinter::PrintArg::PrintArg):
1367
1368 2015-10-27  Joseph Pecoraro  <pecoraro@apple.com>
1369
1370         Web Inspector: Remove Timeline MarkDOMContent and MarkLoad, data is already available
1371         https://bugs.webkit.org/show_bug.cgi?id=150615
1372
1373         Reviewed by Timothy Hatcher.
1374
1375         * inspector/protocol/Timeline.json:
1376
1377 2015-10-27  Joseph Pecoraro  <pecoraro@apple.com>
1378
1379         Web Inspector: Remove unused / duplicated XHR timeline instrumentation
1380         https://bugs.webkit.org/show_bug.cgi?id=150605
1381
1382         Reviewed by Timothy Hatcher.
1383
1384         * inspector/protocol/Timeline.json:
1385
1386 2015-10-27  Michael Saboff  <msaboff@apple.com>
1387
1388         REGRESSION (r191360): Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL:: + 386
1389         https://bugs.webkit.org/show_bug.cgi?id=150580
1390
1391         Reviewed by Mark Lam.
1392
1393         Changed code to box 32 bit integer and boolean arguments when generating the call instead of boxing
1394         them in the shuffler.
1395
1396         The ASSERT in CallFrameShuffler::extendFrameIfNeeded is wrong when called from CallFrameShuffler::spill(),
1397         as we could be making space to spill a register so that we have a spare that we can use for the new
1398         frame's base pointer.
1399
1400         * ftl/FTLJSTailCall.cpp:
1401         (JSC::FTL::DFG::recoveryFor): Added RELEASE_ASSERT to check that we never see unboxed 32 bit
1402         arguments stored in the stack.
1403         * ftl/FTLLowerDFGToLLVM.cpp:
1404         (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForTailCall):
1405         * jit/CallFrameShuffler.cpp:
1406         (JSC::CallFrameShuffler::extendFrameIfNeeded): Removed unneeded ASSERT.
1407
1408 2015-10-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1409
1410         [ES6] Add DFG/FTL support for accessor put operations
1411         https://bugs.webkit.org/show_bug.cgi?id=148860
1412
1413         Reviewed by Geoffrey Garen.
1414
1415         This patch introduces accessor defining ops into DFG and FTL.
1416         The following DFG nodes are introduced.
1417
1418             op_put_getter_by_id  => PutGetterById
1419             op_put_setter_by_id  => PutSetterById
1420             op_put_getter_setter => PutGetterSetterById
1421             op_put_getter_by_val => PutGetterByVal
1422             op_put_setter_by_val => PutSetterByVal
1423
1424         These DFG nodes just call operations. But it does not prevent compiling in DFG/FTL.
1425
1426         To use operations defined for baseline JIT, we clean up existing operations.
1427         And reuse these operations in DFG and FTL.
1428
1429         * dfg/DFGAbstractInterpreterInlines.h:
1430         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1431         * dfg/DFGByteCodeParser.cpp:
1432         (JSC::DFG::ByteCodeParser::parseBlock):
1433         * dfg/DFGCapabilities.cpp:
1434         (JSC::DFG::capabilityLevel):
1435         * dfg/DFGClobberize.h:
1436         (JSC::DFG::clobberize):
1437         * dfg/DFGDoesGC.cpp:
1438         (JSC::DFG::doesGC):
1439         * dfg/DFGFixupPhase.cpp:
1440         (JSC::DFG::FixupPhase::fixupNode):
1441         * dfg/DFGNode.h:
1442         (JSC::DFG::Node::hasIdentifier):
1443         (JSC::DFG::Node::hasAccessorAttributes):
1444         (JSC::DFG::Node::accessorAttributes):
1445         * dfg/DFGNodeType.h:
1446         * dfg/DFGPredictionPropagationPhase.cpp:
1447         (JSC::DFG::PredictionPropagationPhase::propagate):
1448         * dfg/DFGSafeToExecute.h:
1449         (JSC::DFG::safeToExecute):
1450         * dfg/DFGSpeculativeJIT.cpp:
1451         (JSC::DFG::SpeculativeJIT::compilePutAccessorById):
1452         (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
1453         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
1454         We should fill all GPRs before calling flushRegisters().
1455         * dfg/DFGSpeculativeJIT.h:
1456         (JSC::DFG::SpeculativeJIT::callOperation):
1457         * dfg/DFGSpeculativeJIT32_64.cpp:
1458         (JSC::DFG::SpeculativeJIT::compile):
1459         * dfg/DFGSpeculativeJIT64.cpp:
1460         (JSC::DFG::SpeculativeJIT::compile):
1461         * ftl/FTLCapabilities.cpp:
1462         (JSC::FTL::canCompile):
1463         * ftl/FTLIntrinsicRepository.h:
1464         * ftl/FTLLowerDFGToLLVM.cpp:
1465         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1466         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutAccessorById):
1467         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutGetterSetterById):
1468         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutAccessorByVal):
1469         * jit/JIT.h:
1470         * jit/JITInlines.h:
1471         (JSC::JIT::callOperation):
1472         * jit/JITOperations.cpp:
1473         * jit/JITOperations.h:
1474         * jit/JITPropertyAccess.cpp:
1475         (JSC::JIT::emit_op_put_getter_by_id):
1476         (JSC::JIT::emit_op_put_setter_by_id):
1477         (JSC::JIT::emit_op_put_getter_setter):
1478         * jit/JITPropertyAccess32_64.cpp:
1479         (JSC::JIT::emit_op_put_getter_by_id):
1480         (JSC::JIT::emit_op_put_setter_by_id):
1481         (JSC::JIT::emit_op_put_getter_setter):
1482         * tests/stress/dfg-put-accessors-by-id-class.js: Added.
1483         (shouldBe):
1484         (testAttribute):
1485         (getter.Cocoa.prototype.get hello):
1486         (getter.Cocoa):
1487         (getter):
1488         (setter.Cocoa):
1489         (setter.Cocoa.prototype.set hello):
1490         (setter):
1491         (accessors.Cocoa):
1492         (accessors.Cocoa.prototype.get hello):
1493         (accessors.Cocoa.prototype.set hello):
1494         (accessors):
1495         * tests/stress/dfg-put-accessors-by-id.js: Added.
1496         (shouldBe):
1497         (testAttribute):
1498         (getter.object.get hello):
1499         (getter):
1500         (setter.object.set hello):
1501         (setter):
1502         (accessors.object.get hello):
1503         (accessors.object.set hello):
1504         (accessors):
1505         * tests/stress/dfg-put-getter-by-id-class.js: Added.
1506         (shouldBe):
1507         (testAttribute):
1508         (getter.Cocoa):
1509         (getter.Cocoa.prototype.get hello):
1510         (getter.Cocoa.prototype.get name):
1511         (getter):
1512         * tests/stress/dfg-put-getter-by-id.js: Added.
1513         (shouldBe):
1514         (testAttribute):
1515         (getter.object.get hello):
1516         (getter):
1517         * tests/stress/dfg-put-getter-by-val-class.js: Added.
1518         (shouldBe):
1519         (testAttribute):
1520         (getter.Cocoa):
1521         (getter.Cocoa.prototype.get name):
1522         (getter):
1523         * tests/stress/dfg-put-getter-by-val.js: Added.
1524         (shouldBe):
1525         (testAttribute):
1526         (getter.object.get name):
1527         (getter):
1528         * tests/stress/dfg-put-setter-by-id-class.js: Added.
1529         (shouldBe):
1530         (testAttribute):
1531         (getter.Cocoa):
1532         (getter.Cocoa.prototype.set hello):
1533         (getter.Cocoa.prototype.get name):
1534         (getter):
1535         * tests/stress/dfg-put-setter-by-id.js: Added.
1536         (shouldBe):
1537         (testAttribute):
1538         (setter.object.set hello):
1539         (setter):
1540         * tests/stress/dfg-put-setter-by-val-class.js: Added.
1541         (shouldBe):
1542         (testAttribute):
1543         (setter.Cocoa):
1544         (setter.Cocoa.prototype.set name):
1545         (setter):
1546         * tests/stress/dfg-put-setter-by-val.js: Added.
1547         (shouldBe):
1548         (testAttribute):
1549         (setter.object.set name):
1550         (setter):
1551
1552 2015-10-26  Mark Lam  <mark.lam@apple.com>
1553
1554         Add logging to warn about under-estimated FTL inline cache sizes.
1555         https://bugs.webkit.org/show_bug.cgi?id=150570
1556
1557         Reviewed by Geoffrey Garen.
1558
1559         Added 2 options:
1560         1. JSC_dumpFailedICSizing - dumps an error message if the FTL encounters IC size
1561            estimates that are less than the actual needed code size.
1562
1563            This option is useful for when we add a new IC and want to compute an
1564            estimated size for the IC.  To do this:
1565            1. Build jsc for the target port with a very small IC size (enough to
1566               store the jump instruction needed for the out of line fallback
1567               implementation).
1568            2. Implement a test suite with scenarios that exercise all the code paths in
1569               the IC generator.
1570            3. Run jsc with JSC_dumpFailedICSizing=true on the test suite.
1571            4. The max value reported by the dumps will be the worst case size needed to
1572               store the IC.  We should use this value for our estimate.
1573            5. Update the IC's estimated size and rebuild jsc.
1574            6. Re-run (3) and confirm that there are no more error messages about the
1575               IC sizing.
1576
1577         2. JSC_assertICSizing - same as JSC_dumpFailedICSizing except that it also
1578            crashes the VM each time it encounters an inadequate IC size estimate.
1579
1580            This option is useful for regression testing to ensure that our estimates
1581            do not regress.
1582
1583         * ftl/FTLCompile.cpp:
1584         (JSC::FTL::generateInlineIfPossibleOutOfLineIfNot):
1585         * runtime/Options.h:
1586
1587 2015-10-26  Saam barati  <sbarati@apple.com>
1588
1589         r190735 Caused us to maybe trample the base's tag-GPR on 32-bit inline cache when the cache allocates a scratch register and then jumps to the slow path
1590         https://bugs.webkit.org/show_bug.cgi?id=150532
1591
1592         Reviewed by Geoffrey Garen.
1593
1594         The base's tag register used to show up in the used register set
1595         before r190735 because of how the DFG kept track of used registers. I changed this
1596         in my work on inline caching because we don't want to spill these registers
1597         when we have a GetByIdFlush/PutByIdFlush and we use the used register set
1598         as the metric of what to spill. That said, these registers should be locked
1599         and not used as scratch registers by the scratch register allocator. The
1600         reason is that our inline cache may fail and jump to the slow path. The slow
1601         path then uses the base's tag register. If the inline cache used the base's tag
1602         register as a scratch and the inline cache fails and jumps to the slow path, we
1603         have a problem because the tag may now be trampled.
1604
1605         Note that this doesn't mean that we can't trample the base's tag register when making
1606         a call. We can totally trample the register as long as the inline cache succeeds in a GetByIdFlush/PutByIdFlush.
1607         The problem is only when we trample it and then jump to the slow path.
1608
1609         This patch fixes this bug by making StructureStubInfo keep track of the base's
1610         tag GPR. PolymorphicAccess then locks this register when using the ScratchRegisterAllocator.
1611
1612         * bytecode/PolymorphicAccess.cpp:
1613         (JSC::AccessCase::generate):
1614         (JSC::PolymorphicAccess::regenerate):
1615         * bytecode/StructureStubInfo.h:
1616         * dfg/DFGSpeculativeJIT.cpp:
1617         (JSC::DFG::SpeculativeJIT::compileIn):
1618         * jit/JITInlineCacheGenerator.cpp:
1619         (JSC::JITByIdGenerator::JITByIdGenerator):
1620         * tests/stress/regress-150532.js: Added.
1621         (assert):
1622         (randomFunction):
1623         (foo):
1624         (i.switch):
1625
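The invariant the r150532 fix restores, that a register the slow path depends on must be locked rather than merely absent from the used set, can be modelled without any JIT. The following is an added example and is not JSC's ScratchRegisterAllocator, StructureStubInfo or PolymorphicAccess; the ScratchAllocator type, the register numbering, the kBaseTag value and the tagSeenBySlowPath simulation are all constructed for illustration. It reproduces the post-r190735 situation (the base's tag GPR is not in the used set) with and without locking the tag register, and reports which tag value the slow path ends up reading.

```cpp
#include <array>
#include <bitset>
#include <cstdint>
#include <cstdio>

// Added example (not JSC code): a small model of scratch-register allocation for a
// 32-bit inline cache, where the base JSValue is split across a tag GPR and a payload GPR.
constexpr unsigned kNumGPRs = 6;
using GPRFile = std::array<uint32_t, kNumGPRs>;

struct ScratchAllocator {
    std::bitset<kNumGPRs> used;    // live values; spilled around the IC when needed
    std::bitset<kNumGPRs> locked;  // must never be handed out as scratch

    void lock(unsigned reg) { locked.set(reg); }
    void markUsed(unsigned reg) { used.set(reg); }

    // Lowest register that is neither used nor locked, or -1 if none. A locked
    // register is never returned, even when nothing else is free.
    int allocateScratchGPR() {
        for (unsigned r = 0; r < kNumGPRs; ++r) {
            if (!used.test(r) && !locked.test(r)) {
                used.set(r);
                return static_cast<int>(r);
            }
        }
        return -1;
    }
};

// Constructed values; the real engine's tag encoding is irrelevant to the point.
constexpr uint32_t kBaseTag = 0x7ABC;
constexpr uint32_t kBasePayload = 0x1000;
constexpr uint32_t kScratchJunk = 0xDEADBEEF;
constexpr unsigned kBaseTagGPR = 0;
constexpr unsigned kBasePayloadGPR = 1;

// Simulates an inline cache that takes one scratch register, writes to it while
// probing, then fails and jumps to the slow path. Returns the tag value the slow
// path reads from the base tag GPR. lockBaseTag models the fix: the stub info
// remembers the base's tag GPR and the IC locks it before allocating scratch.
static uint32_t tagSeenBySlowPath(bool lockBaseTag) {
    GPRFile gprs{};
    gprs[kBaseTagGPR] = kBaseTag;
    gprs[kBasePayloadGPR] = kBasePayload;

    ScratchAllocator allocator;
    // Post-r190735: only the payload register shows up in the used set, so
    // nothing stops the allocator from handing out the tag register.
    allocator.markUsed(kBasePayloadGPR);
    if (lockBaseTag)
        allocator.lock(kBaseTagGPR);

    int scratch = allocator.allocateScratchGPR();
    if (scratch < 0)
        return 0;                                   // no scratch available in this model
    gprs[static_cast<unsigned>(scratch)] = kScratchJunk; // the IC's fast path uses its scratch

    // Fast path fails here and control reaches the slow path, which needs the
    // complete (tag, payload) pair of the base.
    return gprs[kBaseTagGPR];
}

int main() {
    std::printf("tag seen by slow path, tag GPR unlocked: 0x%08x\n", tagSeenBySlowPath(false));
    std::printf("tag seen by slow path, tag GPR locked:   0x%08x\n", tagSeenBySlowPath(true));
    return 0;
}
```

Without the lock the allocator picks GPR 0, which is the base's tag register, so the slow path reads the scratch junk instead of the tag; with the lock it picks GPR 2 and the tag survives. The model deliberately does not let the IC trample a locked register even under pressure, matching the entry's point that the tag register may be clobbered only on a path that cannot fall back to the slow path.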
1626 2015-10-24  Brian Burg  <bburg@apple.com>
1627
1628         Teach create_hash_table to omit builtins macros when generating tables for native-only objects
1629         https://bugs.webkit.org/show_bug.cgi?id=150491
1630
1631         Reviewed by Yusuke Suzuki.
1632
1633         In order to support separate compilation for generated builtins files, we need to be able to
1634         include specific builtins headers from generated .lut.h files. However, the create_hash_table
1635         script isn't smart enough to figure out when a generated file might actually contain a builtin.
1636         Without further help, we'd have to include an all-in-one header, mostly defeating the point of
1637         generating separate .h and .cpp files for every builtin.
1638
1639         This patch segregates the pure native and partially builtin sources in the build system, and
1640         gives hints to create_hash_table so that it doesn't even generate checks for builtins if the
1641         input file has no builtin method implementations. Also do some modernization and code cleanup.
1642
1643         * CMakeLists.txt:
1644
1645         Generate each group with different flags to create_hash_table. Change the macro to take
1646         flags through the variable LUT_GENERATOR_FLAGS. Set this as necessary before calling macro.
1647         Add an additional hint to CMake that the .cpp source file depends on the generated file.
1648
1649         * DerivedSources.make:
1650
1651         Generate each group with different flags to create_hash_table. Clean up the 'all' target
1652         so that static dependencies are listed first. Use static patterns to decide which .lut.h
1653         files require which flags. Reduce fragile usages of implicit variables.
1654
1655         * JavaScriptCore.xcodeproj/project.pbxproj:
1656
1657         Add some missing .lut.h files to the Derived Sources group. Sort the project.
1658
1659         * create_hash_table:
1660
1661         Parse options in a sane way using GetOpt::Long. Remove ability to specify a custom namespace
1662         since this isn't actually used anywhere. Normalize placement of newlines in quoted strings.
1663         Only generate builtins macros and includes if the source file is known to have some builtins.
1664
1665 2015-10-23  Joseph Pecoraro  <pecoraro@apple.com>
1666
1667         Web Inspector: Remove unused ScrollLayer Timeline EventType
1668         https://bugs.webkit.org/show_bug.cgi?id=150518
1669
1670         Reviewed by Timothy Hatcher.
1671
1672         * inspector/protocol/Timeline.json:
1673
1674 2015-10-23  Joseph Pecoraro  <pecoraro@apple.com>
1675
1676         Web Inspector: Clean up InspectorInstrumentation includes
1677         https://bugs.webkit.org/show_bug.cgi?id=150523
1678
1679         Reviewed by Timothy Hatcher.
1680
1681         * inspector/agents/InspectorConsoleAgent.cpp:
1682         (Inspector::InspectorConsoleAgent::consoleMessageArgumentCounts): Deleted.
1683         * inspector/agents/InspectorConsoleAgent.h:
1684
1685 2015-10-23  Michael Saboff  <msaboff@apple.com>
1686
1687         REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.JavascriptCore JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant, JSC::RegisterPreservationMode) + 1584
1688         https://bugs.webkit.org/show_bug.cgi?id=150513
1689
1690         Reviewed by Saam Barati.
1691
1692         Add check in linkPolymorphicCall() to make sure we have a CodeBlock for the newly added variant.
1693         If not, we turn the call into a virtual call.
1694
1695         The bug was caused by a stack overflow when preparing the function for execution.  This properly
1696         threw an exception, however linkPolymorphicCall() didn't check for this error case.
1697
1698         Added a new test function "failNextNewCodeBlock()" to test tools to simplify the testing.
1699
1700         * API/JSCTestRunnerUtils.cpp:
1701         (JSC::failNextNewCodeBlock):
1702         (JSC::numberOfDFGCompiles):
1703         * API/JSCTestRunnerUtils.h:
1704         * jit/Repatch.cpp:
1705         (JSC::linkPolymorphicCall):
1706         * jsc.cpp:
1707         (GlobalObject::finishCreation):
1708         (functionTransferArrayBuffer):
1709         (functionFailNextNewCodeBlock):
1710         (functionQuit):
1711         * runtime/Executable.cpp:
1712         (JSC::ScriptExecutable::prepareForExecutionImpl):
1713         * runtime/TestRunnerUtils.cpp:
1714         (JSC::optimizeNextInvocation):
1715         (JSC::failNextNewCodeBlock):
1716         (JSC::numberOfDFGCompiles):
1717         * runtime/TestRunnerUtils.h:
1718         * runtime/VM.h:
1719         (JSC::VM::setFailNextNewCodeBlock):
1720         (JSC::VM::getAndClearFailNextNewCodeBlock):
1721         (JSC::VM::stackPointerAtVMEntry):
1722
1723 2015-10-23  Commit Queue  <commit-queue@webkit.org>
1724
1725         Unreviewed, rolling out r191500.
1726         https://bugs.webkit.org/show_bug.cgi?id=150526
1727
1728         Broke two JSC regression tests (Requested by msaboff on
1729         #webkit).
1730
1731         Reverted changeset:
1732
1733         "[ES6] Add DFG/FTL support for accessor put operations"
1734         https://bugs.webkit.org/show_bug.cgi?id=148860
1735         http://trac.webkit.org/changeset/191500
1736
1737 2015-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1738
1739         [ES6] Add DFG/FTL support for accessor put operations
1740         https://bugs.webkit.org/show_bug.cgi?id=148860
1741
1742         Reviewed by Geoffrey Garen.
1743
1744         This patch introduces accessor defining ops into DFG and FTL.
1745         The following DFG nodes are introduced.
1746
1747             op_put_getter_by_id  => PutGetterById
1748             op_put_setter_by_id  => PutSetterById
1749             op_put_getter_setter => PutGetterSetterById
1750             op_put_getter_by_val => PutGetterByVal
1751             op_put_setter_by_val => PutSetterByVal
1752
1753         These DFG nodes just call operations. But it does not prevent compiling in DFG/FTL.
1754
1755         To use operations defined for baseline JIT, we clean up existing operations.
1756         And reuse these operations in DFG and FTL.
1757
1758         * dfg/DFGAbstractInterpreterInlines.h:
1759         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1760         * dfg/DFGByteCodeParser.cpp:
1761         (JSC::DFG::ByteCodeParser::parseBlock):
1762         * dfg/DFGCapabilities.cpp:
1763         (JSC::DFG::capabilityLevel):
1764         * dfg/DFGClobberize.h:
1765         (JSC::DFG::clobberize):
1766         * dfg/DFGDoesGC.cpp:
1767         (JSC::DFG::doesGC):
1768         * dfg/DFGFixupPhase.cpp:
1769         (JSC::DFG::FixupPhase::fixupNode):
1770         * dfg/DFGNode.h:
1771         (JSC::DFG::Node::hasIdentifier):
1772         (JSC::DFG::Node::hasAccessorAttributes):
1773         (JSC::DFG::Node::accessorAttributes):
1774         * dfg/DFGNodeType.h:
1775         * dfg/DFGPredictionPropagationPhase.cpp:
1776         (JSC::DFG::PredictionPropagationPhase::propagate):
1777         * dfg/DFGSafeToExecute.h:
1778         (JSC::DFG::safeToExecute):
1779         * dfg/DFGSpeculativeJIT.cpp:
1780         (JSC::DFG::SpeculativeJIT::compilePutAccessorById):
1781         (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById):
1782         (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal):
1783         * dfg/DFGSpeculativeJIT.h:
1784         (JSC::DFG::SpeculativeJIT::callOperation):
1785         * dfg/DFGSpeculativeJIT32_64.cpp:
1786         (JSC::DFG::SpeculativeJIT::compile):
1787         * dfg/DFGSpeculativeJIT64.cpp:
1788         (JSC::DFG::SpeculativeJIT::compile):
1789         * ftl/FTLCapabilities.cpp:
1790         (JSC::FTL::canCompile):
1791         * ftl/FTLIntrinsicRepository.h:
1792         * ftl/FTLLowerDFGToLLVM.cpp:
1793         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
1794         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutAccessorById):
1795         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutGetterSetterById):
1796         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutAccessorByVal):
1797         * jit/JIT.h:
1798         * jit/JITInlines.h:
1799         (JSC::JIT::callOperation):
1800         * jit/JITOperations.cpp:
1801         * jit/JITOperations.h:
1802         * jit/JITPropertyAccess.cpp:
1803         (JSC::JIT::emit_op_put_getter_by_id):
1804         (JSC::JIT::emit_op_put_setter_by_id):
1805         (JSC::JIT::emit_op_put_getter_setter):
1806         * jit/JITPropertyAccess32_64.cpp:
1807         (JSC::JIT::emit_op_put_getter_by_id):
1808         (JSC::JIT::emit_op_put_setter_by_id):
1809         (JSC::JIT::emit_op_put_getter_setter):
1810         * tests/stress/dfg-put-accessors-by-id-class.js: Added.
1811         (shouldBe):
1812         (testAttribute):
1813         (getter.Cocoa.prototype.get hello):
1814         (getter.Cocoa):
1815         (getter):
1816         (setter.Cocoa):
1817         (setter.Cocoa.prototype.set hello):
1818         (setter):
1819         (accessors.Cocoa):
1820         (accessors.Cocoa.prototype.get hello):
1821         (accessors.Cocoa.prototype.set hello):
1822         (accessors):
1823         * tests/stress/dfg-put-accessors-by-id.js: Added.
1824         (shouldBe):
1825         (testAttribute):
1826         (getter.object.get hello):
1827         (getter):
1828         (setter.object.set hello):
1829         (setter):
1830         (accessors.object.get hello):
1831         (accessors.object.set hello):
1832         (accessors):
1833         * tests/stress/dfg-put-getter-by-id-class.js: Added.
1834         (shouldBe):
1835         (testAttribute):
1836         (getter.Cocoa):
1837         (getter.Cocoa.prototype.get hello):
1838         (getter.Cocoa.prototype.get name):
1839         (getter):
1840         * tests/stress/dfg-put-getter-by-id.js: Added.
1841         (shouldBe):
1842         (testAttribute):
1843         (getter.object.get hello):
1844         (getter):
1845         * tests/stress/dfg-put-getter-by-val-class.js: Added.
1846         (shouldBe):
1847         (testAttribute):
1848         (getter.Cocoa):
1849         (getter.Cocoa.prototype.get name):
1850         (getter):
1851         * tests/stress/dfg-put-getter-by-val.js: Added.
1852         (shouldBe):
1853         (testAttribute):
1854         (getter.object.get name):
1855         (getter):
1856         * tests/stress/dfg-put-setter-by-id-class.js: Added.
1857         (shouldBe):
1858         (testAttribute):
1859         (getter.Cocoa):
1860         (getter.Cocoa.prototype.set hello):
1861         (getter.Cocoa.prototype.get name):
1862         (getter):
1863         * tests/stress/dfg-put-setter-by-id.js: Added.
1864         (shouldBe):
1865         (testAttribute):
1866         (setter.object.set hello):
1867         (setter):
1868         * tests/stress/dfg-put-setter-by-val-class.js: Added.
1869         (shouldBe):
1870         (testAttribute):
1871         (setter.Cocoa):
1872         (setter.Cocoa.prototype.set name):
1873         (setter):
1874         * tests/stress/dfg-put-setter-by-val.js: Added.
1875         (shouldBe):
1876         (testAttribute):
1877         (setter.object.set name):
1878         (setter):
1879
1880 2015-10-22  Joseph Pecoraro  <pecoraro@apple.com>
1881
1882         Web Inspector: Remove unused Timeline GCEvent Record type
1883         https://bugs.webkit.org/show_bug.cgi?id=150477
1884
1885         Reviewed by Timothy Hatcher.
1886
1887         Garbage Collection events go through the Heap domain, not the
1888         Timeline domain (long time ago for Chromium).
1889
1890         * inspector/protocol/Timeline.json:
1891
1892 2015-10-22  Michael Saboff  <msaboff@apple.com>
1893
1894         REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at JavaScriptCore:JSC::ExecState::bytecodeOffset + 174
1895         https://bugs.webkit.org/show_bug.cgi?id=150434
1896
1897         Reviewed by Mark Lam.
1898
1899         Pass the current frame instead of the caller frame to operationVMHandleException when processing an
1900         exception in one of the native thunks.
1901
1902         * jit/JITExceptions.cpp:
1903         (JSC::genericUnwind): Made debug printing of CodeBlock safe for call frames without one.
1904         * jit/JITOpcodes32_64.cpp:
1905         (JSC::JIT::privateCompileCTINativeCall):
1906         * jit/ThunkGenerators.cpp:
1907         (JSC::nativeForGenerator):
1908
1909 2015-10-21  Brian Burg  <bburg@apple.com>
1910
1911         Restructure generate-js-bindings script to be modular and testable
1912         https://bugs.webkit.org/show_bug.cgi?id=149929
1913
1914         Reviewed by Alex Christensen.
1915
1916         This is a new code generator, based on the replay inputs code generator and
1917         the inspector protocol code generator, which produces various files for JS
1918         builtins.
1919
1920         Relative to the generator it replaces, this one consolidates two scripts in
1921         JavaScriptCore and WebCore into a single script with multiple files. Parsed
1922         information about the builtins file is stored in backend-independent model
1923         objects. Each output file has its own code generator that uses the model to
1924         produce resulting code. Generators are additionally parameterized by the target
1925         framework (to choose correct macros and includes) and output mode (one
1926         header/implementation file per builtin or per framework).
1927
1928         It includes a few simple tests of the generator's functionality. These result-
1929         based tests will become increasingly more important as we start to add support
1930         for builtins annotation such as @optional, @internal, etc. to the code generator.
1931
1932         Some of these complexities, such as having two output modes, will be removed in
1933         subsequent patches. This patch is intended to exactly replace the existing
1934         functionality with a unified script that makes additional cleanups straightforward.
1935
1936         Additional cleanup and consolidation between inspector code generator scripts
1937         and this script will be pursued in followup patches.
1938
1939         New tests:
1940
1941         Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Combined.js
1942         Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Separate.js
1943         Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js
1944         Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js
1945         Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Combined.js
1946         Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Separate.js
1947         Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js
1948         Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js
1949         Scripts/tests/builtins/WebCore-UnguardedBuiltin-Separate.js
1950         Scripts/tests/builtins/WebCore-xmlCasingTest-Separate.js
1951
1952
1953         * CMakeLists.txt:
1954
1955             Copy the scripts that are used by other targets to a staging directory inside
1956             ${DERIVED_SOURCES_DIR}/ForwardingHeaders/JavaScriptCore/Scripts.
1957             Define JavaScriptCore_SCRIPTS_DIR to point here so that the add_custom_command
1958             and shared file lists are identical between JavaScriptCore and WebCore. The staged
1959             scripts are a dependency of the main JavaScriptCore target so that they are
1960             always staged, even if JavaScriptCore itself does not use a particular script.
1961
1962             The output files additionally depend on all builtin generator script files
1963             and input files that are combined into the single header/implementation file.
1964
1965         * DerivedSources.make:
1966
1967             Define JavaScriptCore_SCRIPTS_DIR explicitly so the rule for code generation and
1968             shared file lists are identical between JavaScriptCore and WebCore.
1969
1970             The output files additionally depend on all builtin generator script files
1971             and input files that are combined into the single header/implementation file.
1972
1973         * JavaScriptCore.xcodeproj/project.pbxproj:
1974
1975             Mark the new builtins generator files as private headers so we can use them from
1976             WebCore.
1977
1978         * Scripts/UpdateContents.py: Renamed from Source/JavaScriptCore/UpdateContents.py.
1979         * Scripts/builtins/__init__.py: Added.
1980         * Scripts/builtins/builtins.py: Added.
1981         * Scripts/builtins/builtins_generator.py: Added. This file contains the base generator.
1982         (WK_lcfirst):
1983         (WK_ucfirst):
1984         (BuiltinsGenerator):
1985         (BuiltinsGenerator.__init__):
1986         (BuiltinsGenerator.model):
1987         (BuiltinsGenerator.generate_license):
1988         (BuiltinsGenerator.generate_includes_from_entries):
1989         (BuiltinsGenerator.generate_output):
1990         (BuiltinsGenerator.output_filename):
1991         (BuiltinsGenerator.mangledNameForFunction):
1992         (BuiltinsGenerator.mangledNameForFunction.toCamel):
1993         (BuiltinsGenerator.generate_embedded_code_string_section_for_function):
1994         * Scripts/builtins/builtins_model.py: Added. This file contains builtins model objects.
1995         (ParseException):
1996         (Framework):
1997         (Framework.__init__):
1998         (Framework.setting):
1999         (Framework.fromString):
2000         (Frameworks):
2001         (BuiltinObject):
2002         (BuiltinObject.__init__):
2003         (BuiltinFunction):
2004         (BuiltinFunction.__init__):
2005         (BuiltinFunction.fromString):
2006         (BuiltinFunction.__str__):
2007         (BuiltinsCollection):
2008         (BuiltinsCollection.__init__):
2009         (BuiltinsCollection.parse_builtins_file):
2010         (BuiltinsCollection.copyrights):
2011         (BuiltinsCollection.all_functions):
2012         (BuiltinsCollection._parse_copyright_lines):
2013         (BuiltinsCollection._parse_functions):
2014         * Scripts/builtins/builtins_templates.py: Added.
2015         (BuiltinsGeneratorTemplates):
2016         * Scripts/builtins/builtins_generate_combined_header.py: Added.
2017         (BuiltinsCombinedHeaderGenerator):
2018         (BuiltinsCombinedHeaderGenerator.__init__):
2019         (BuiltinsCombinedHeaderGenerator.output_filename):
2020         (BuiltinsCombinedHeaderGenerator.generate_output):
2021         (BuiltinsCombinedHeaderGenerator.generate_forward_declarations):
2022         (FunctionExecutable):
2023         (VM):
2024         (ConstructAbility):
2025         (generate_section_for_object):
2026         (generate_externs_for_object):
2027         (generate_macros_for_object):
2028         (generate_defines_for_object):
2029         (generate_section_for_code_table_macro):
2030         (generate_section_for_code_name_macro):
2031         * Scripts/builtins/builtins_generate_combined_implementation.py: Added.
2032         (BuiltinsCombinedImplementationGenerator):
2033         (BuiltinsCombinedImplementationGenerator.__init__):
2034         (BuiltinsCombinedImplementationGenerator.output_filename):
2035         (BuiltinsCombinedImplementationGenerator.generate_output):
2036         (BuiltinsCombinedImplementationGenerator.generate_header_includes):
2037         * Scripts/builtins/builtins_generate_separate_header.py: Added.
2038         (BuiltinsSeparateHeaderGenerator):
2039         (BuiltinsSeparateHeaderGenerator.__init__):
2040         (BuiltinsSeparateHeaderGenerator.output_filename):
2041         (BuiltinsSeparateHeaderGenerator.macro_prefix):
2042         (BuiltinsSeparateHeaderGenerator.generate_output):
2043         (BuiltinsSeparateHeaderGenerator.generate_forward_declarations):
2044         (FunctionExecutable):
2045         (generate_header_includes):
2046         (generate_section_for_object):
2047         (generate_externs_for_object):
2048         (generate_macros_for_object):
2049         (generate_defines_for_object):
2050         (generate_section_for_code_table_macro):
2051         (generate_section_for_code_name_macro):
2052         * Scripts/builtins/builtins_generate_separate_implementation.py: Added.
2053         (BuiltinsSeparateImplementationGenerator):
2054         (BuiltinsSeparateImplementationGenerator.__init__):
2055         (BuiltinsSeparateImplementationGenerator.output_filename):
2056         (BuiltinsSeparateImplementationGenerator.macro_prefix):
2057         (BuiltinsSeparateImplementationGenerator.generate_output):
2058         (BuiltinsSeparateImplementationGenerator.generate_header_includes):
2059         * Scripts/builtins/builtins_generate_separate_wrapper.py: Added.
2060         (BuiltinsSeparateWrapperGenerator):
2061         (BuiltinsSeparateWrapperGenerator.__init__):
2062         (BuiltinsSeparateWrapperGenerator.output_filename):
2063         (BuiltinsSeparateWrapperGenerator.macro_prefix):
2064         (BuiltinsSeparateWrapperGenerator.generate_output):
2065         (BuiltinsSeparateWrapperGenerator.generate_header_includes):
2066         * Scripts/generate-js-builtins.py: Added.
2067
2068             Parse command line options, decide which generators and output modes to use.
2069
2070         (generate_bindings_for_builtins_files):
2071         * Scripts/lazywriter.py: Copied from the inspector protocol generator.
2072         (LazyFileWriter):
2073         (LazyFileWriter.__init__):
2074         (LazyFileWriter.write):
2075         (LazyFileWriter.close):
2076         * Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Combined.js: Added.
2077         * Scripts/tests/builtins/JavaScriptCore-Builtin.Promise-Separate.js: Added.
2078         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js: Added.
2079         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js: Added.
2080         * Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Combined.js: Added.
2081         * Scripts/tests/builtins/JavaScriptCore-BuiltinConstructor-Separate.js: Added.
2082         * Scripts/tests/builtins/WebCore-GuardedBuiltin-Separate.js: Added.
2083         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js: Added.
2084         * Scripts/tests/builtins/WebCore-UnguardedBuiltin-Separate.js: Added.
2085         * Scripts/tests/builtins/WebCore-xmlCasingTest-Separate.js: Added.
2086         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result: Added.
2087         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result: Added.
2088         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result: Added.
2089         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result: Added.
2090         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result: Added.
2091         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result: Added.
2092         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Added.
2093         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Added.
2094         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Added.
2095         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Added.
2096         * builtins/BuiltinExecutables.cpp:
2097         (JSC::BuiltinExecutables::BuiltinExecutables):
2098         * builtins/BuiltinExecutables.h:
2099         * create_hash_table:
2100
2101             Update the generated builtin macro names.
2102
2103         * generate-js-builtins: Removed.
2104
2105 2015-10-21  Benjamin Poulain  <bpoulain@apple.com>
2106
2107         [JSC] Remove FTL Native Inlining, it is dead code
2108         https://bugs.webkit.org/show_bug.cgi?id=150429
2109
2110         Reviewed by Filip Pizlo.
2111
2112         The code is not used and it is in the way of other changes.
2113
2114         * ftl/FTLAbbreviations.h:
2115         (JSC::FTL::getFirstInstruction): Deleted.
2116         (JSC::FTL::getNextInstruction): Deleted.
2117         (JSC::FTL::getFirstBasicBlock): Deleted.
2118         (JSC::FTL::getNextBasicBlock): Deleted.
2119         * ftl/FTLLowerDFGToLLVM.cpp:
2120         (JSC::FTL::DFG::LowerDFGToLLVM::isInlinableSize): Deleted.
2121         * runtime/Options.h:
2122
2123 2015-10-21  Benjamin Poulain  <bpoulain@apple.com>
2124
2125         [JSC] Remove two useless temporaries from the PutByOffset codegen
2126         https://bugs.webkit.org/show_bug.cgi?id=150421
2127
2128         Reviewed by Geoffrey Garen.
2129
2130         * dfg/DFGSpeculativeJIT64.cpp:
2131         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2132         Looks like they were added by accident in r160796.
2133
2134 2015-10-21  Filip Pizlo  <fpizlo@apple.com>
2135
2136         Factor out the graph node worklists from DFG into WTF
2137         https://bugs.webkit.org/show_bug.cgi?id=150411
2138
2139         Reviewed by Geoffrey Garen.
2140
2141         Rewrite the DFGBlockWorklist.h file as a bunch of typedefs and aliases for things in
2142         wtf/GraphNodeWorklist.h. Most users won't notice, except that some small things got
2143         renamed. For example PreOrder becomes VisitOrder::Pre and item.block becomes item.node.
2144
2145         * CMakeLists.txt:
2146         * JavaScriptCore.xcodeproj/project.pbxproj:
2147         * dfg/DFGBlockWorklist.cpp: Removed.
2148         * dfg/DFGBlockWorklist.h:
2149         (JSC::DFG::BlockWorklist::notEmpty): Deleted.
2150         (JSC::DFG::BlockWith::BlockWith): Deleted.
2151         (JSC::DFG::BlockWith::operator bool): Deleted.
2152         (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist): Deleted.
2153         (JSC::DFG::ExtendedBlockWorklist::forcePush): Deleted.
2154         (JSC::DFG::ExtendedBlockWorklist::push): Deleted.
2155         (JSC::DFG::ExtendedBlockWorklist::notEmpty): Deleted.
2156         (JSC::DFG::ExtendedBlockWorklist::pop): Deleted.
2157         (JSC::DFG::BlockWithOrder::BlockWithOrder): Deleted.
2158         (JSC::DFG::BlockWithOrder::operator bool): Deleted.
2159         (JSC::DFG::PostOrderBlockWorklist::push): Deleted.
2160         (JSC::DFG::PostOrderBlockWorklist::notEmpty): Deleted.
2161         * dfg/DFGDominators.cpp:
2162         (JSC::DFG::Dominators::compute):
2163         * dfg/DFGGraph.cpp:
2164         (JSC::DFG::Graph::blocksInPostOrder):
2165         * dfg/DFGPrePostNumbering.cpp:
2166         (JSC::DFG::PrePostNumbering::compute):
2167
2168 2015-10-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2169
2170         [INTL] Implement Intl.Collator.prototype.resolvedOptions()
2171         https://bugs.webkit.org/show_bug.cgi?id=147601
2172
2173         Reviewed by Benjamin Poulain.
2174
2175         This patch implements Intl.Collator.prototype.resolvedOptions() according
2176         to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition.)
2177         It also implements the abstract operations InitializeCollator, ResolveLocale,
2178         LookupMatcher, and BestFitMatcher.
2179
2180         * runtime/CommonIdentifiers.h:
2181         * runtime/IntlCollator.h:
2182         (JSC::IntlCollator::usage):
2183         (JSC::IntlCollator::setUsage):
2184         (JSC::IntlCollator::locale):
2185         (JSC::IntlCollator::setLocale):
2186         (JSC::IntlCollator::collation):
2187         (JSC::IntlCollator::setCollation):
2188         (JSC::IntlCollator::numeric):
2189         (JSC::IntlCollator::setNumeric):
2190         (JSC::IntlCollator::sensitivity):
2191         (JSC::IntlCollator::setSensitivity):
2192         (JSC::IntlCollator::ignorePunctuation):
2193         (JSC::IntlCollator::setIgnorePunctuation):
2194         * runtime/IntlCollatorConstructor.cpp:
2195         (JSC::sortLocaleData):
2196         (JSC::searchLocaleData):
2197         (JSC::initializeCollator):
2198         (JSC::constructIntlCollator):
2199         (JSC::callIntlCollator):
2200         * runtime/IntlCollatorPrototype.cpp:
2201         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2202         * runtime/IntlObject.cpp:
2203         (JSC::defaultLocale):
2204         (JSC::getIntlBooleanOption):
2205         (JSC::getIntlStringOption):
2206         (JSC::removeUnicodeLocaleExtension):
2207         (JSC::lookupMatcher):
2208         (JSC::bestFitMatcher):
2209         (JSC::resolveLocale):
2210         (JSC::lookupSupportedLocales):
2211         * runtime/IntlObject.h:
2212
2213 2015-10-21  Saam barati  <sbarati@apple.com>
2214
2215         C calls in PolymorphicAccess shouldn't assume that the top of the stack looks like a JSC JIT frame and enable *ByIdFlush in FTL
2216         https://bugs.webkit.org/show_bug.cgi?id=125711
2217
2218         Reviewed by Filip Pizlo.
2219
2220         This patch ensures that anytime we need to make a C call inside
2221         PolymorphicAccess, we ensure there is enough space on the stack to do so.
2222
2223         This patch also enables GetByIdFlush/PutByIdFlush inside the FTL.
2224         Because PolymorphicAccess now spills the necessary registers
2225         before making a JS/C call, any registers that LLVM reports as
2226         being in use for the patchpoint will be spilled before making
2227         a call by PolymorphicAccess.
2228
2229         * bytecode/PolymorphicAccess.cpp:
2230         (JSC::AccessGenerationState::restoreScratch):
2231         (JSC::AccessGenerationState::succeed):
2232         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
2233         (JSC::AccessCase::generate):
2234         (JSC::PolymorphicAccess::regenerate):
2235         * ftl/FTLCapabilities.cpp:
2236         (JSC::FTL::canCompile):
2237         * ftl/FTLLowerDFGToLLVM.cpp:
2238         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2239         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetById):
2240         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
2241         * jit/AssemblyHelpers.h:
2242         (JSC::AssemblyHelpers::emitTypeOf):
2243         (JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
2244         (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
2245         * jit/RegisterSet.cpp:
2246         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
2247         (JSC::RegisterSet::registersToNotSaveForJSCall):
2248         (JSC::RegisterSet::registersToNotSaveForCCall):
2249         (JSC::RegisterSet::allGPRs):
2250         (JSC::RegisterSet::registersToNotSaveForCall): Deleted.
2251         * jit/RegisterSet.h:
2252         (JSC::RegisterSet::set):
2253         * jit/ScratchRegisterAllocator.cpp:
2254         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
2255         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
2256         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
2257         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
2258         These methods now take an extra parameter indicating if they
2259         should create space for a C call at the top of the stack if
2260         there are any reused registers to spill.
2261
2262         (JSC::ScratchRegisterAllocator::usedRegistersForCall):
2263         * jit/ScratchRegisterAllocator.h:
2264         (JSC::ScratchRegisterAllocator::usedRegisters):
2265
2266 2015-10-21  Joseph Pecoraro  <pecoraro@apple.com>
2267
2268         Web Inspector: Array previews with Symbol objects have too few preview values
2269         https://bugs.webkit.org/show_bug.cgi?id=150404
2270
2271         Reviewed by Timothy Hatcher.
2272
2273         * inspector/InjectedScriptSource.js:
2274         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
2275         We should be continuing inside this loop not returning.
2276
2277 2015-10-21  Filip Pizlo  <fpizlo@apple.com>
2278
2279         Failures in PutStackSinkingPhase should be less severe
2280         https://bugs.webkit.org/show_bug.cgi?id=150400
2281
2282         Reviewed by Geoffrey Garen.
2283
2284         Make the PutStackSinkingPhase abort instead of asserting. To test that it's OK to not have
2285         PutStackSinkingPhase run, this adds a test mode where we run without PutStackSinkingPhase.
2286
2287         * dfg/DFGPlan.cpp: Make it possible to not run PutStackSinkingPhase for tests.
2288         (JSC::DFG::Plan::compileInThreadImpl):
2289         * dfg/DFGPutStackSinkingPhase.cpp: PutStackSinkingPhase should abort instead of asserting, except when validation is enabled.
2290         * runtime/Options.h: Add an option for disabling PutStackSinkingPhase.
2291
2292 2015-10-21  Saam barati  <sbarati@apple.com>
2293
2294         The FTL should place the CallSiteIndex on the call frame for JS calls when it fills in the patchpoint
2295         https://bugs.webkit.org/show_bug.cgi?id=150104
2296
2297         Reviewed by Filip Pizlo.
2298
2299         We lower JS Calls to patchpoints in LLVM. LLVM may decide to duplicate
2300         these patchpoints (or remove them). We eagerly store the CallSiteIndex on the 
2301         call frame when lowering DFG to LLVM. But, because the patchpoint we lower to may
2302         be duplicated, we really don't know the unique CallSiteIndex until we've
2303         actually seen the resulting patchpoints after LLVM has completed its transformations.
2304         To solve this, we now store the unique CallSiteIndex on the call frame header 
2305         when generating code to fill into the patchpoint.
2306
2307         * ftl/FTLCompile.cpp:
2308         (JSC::FTL::mmAllocateDataSection):
2309         * ftl/FTLJSCall.cpp:
2310         (JSC::FTL::JSCall::JSCall):
2311         (JSC::FTL::JSCall::emit):
2312         * ftl/FTLJSCall.h:
2313         (JSC::FTL::JSCall::stackmapID):
2314         * ftl/FTLJSCallBase.cpp:
2315         (JSC::FTL::JSCallBase::JSCallBase):
2316         (JSC::FTL::JSCallBase::emit):
2317         (JSC::FTL::JSCallBase::link):
2318         * ftl/FTLJSCallBase.h:
2319         * ftl/FTLJSCallVarargs.cpp:
2320         (JSC::FTL::JSCallVarargs::JSCallVarargs):
2321         (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
2322         (JSC::FTL::JSCallVarargs::emit):
2323         * ftl/FTLJSCallVarargs.h:
2324         (JSC::FTL::JSCallVarargs::node):
2325         (JSC::FTL::JSCallVarargs::stackmapID):
2326         * ftl/FTLJSTailCall.cpp:
2327         (JSC::FTL::JSTailCall::JSTailCall):
2328         (JSC::FTL::m_instructionOffset):
2329         (JSC::FTL::JSTailCall::emit):
2330         * ftl/FTLLowerDFGToLLVM.cpp:
2331         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
2332         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
2333         (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
2334         (JSC::FTL::DFG::LowerDFGToLLVM::codeOriginDescriptionOfCallSite):
2335         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2336
2337 2015-10-21  Geoffrey Garen  <ggaren@apple.com>
2338
2339         Date creation should share a little code
2340         https://bugs.webkit.org/show_bug.cgi?id=150399
2341
2342         Reviewed by Filip Pizlo.
2343
2344         I want to fix a bug in this code, but I don't want to fix it in two
2345         different places. (See https://bugs.webkit.org/show_bug.cgi?id=150386.)
2346
2347         * runtime/DateConstructor.cpp:
2348         (JSC::DateConstructor::getOwnPropertySlot):
2349         (JSC::milliseconds): Factored out a shared helper function. If you look
2350         closely, you'll see that one copy of this code previously checked isfinite
2351         while the other checked isnan. isnan returning nan was obviously a no-op,
2352         so I removed it. isfinite, it turns out, is also a no-op -- but less
2353         obviously so, so I kept it for now.
2354
2355         (JSC::constructDate):
2356         (JSC::dateUTC): Use the helper function.
2357
2358 2015-10-21  Guillaume Emont  <guijemont@igalia.com>
2359
2360         llint: align stack pointer on mips too
2361
2362         [MIPS] LLInt: align stack pointer on MIPS too
2363         https://bugs.webkit.org/show_bug.cgi?id=150380
2364
2365         Reviewed by Michael Saboff.
2366
2367         * llint/LowLevelInterpreter32_64.asm:
2368
2369 2015-10-20  Mark Lam  <mark.lam@apple.com>
2370
2371         YarrPatternConstructor::containsCapturingTerms() should not assume that its terms.size() is greater than 0.
2372         https://bugs.webkit.org/show_bug.cgi?id=150372
2373
2374         Reviewed by Geoffrey Garen.
2375
2376         * yarr/YarrPattern.cpp:
2377         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2378         (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
2379         (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
2380         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2381
2382 2015-10-20  Michael Saboff  <msaboff@apple.com>
2383
2384         REGRESSION (r191175): OSR Exit from an inlined tail callee trashes callee save registers
2385         https://bugs.webkit.org/show_bug.cgi?id=150336
2386
2387         Reviewed by Mark Lam.
2388
2389         During OSR exit, we need to restore and transform the active stack into what the baseline
2390         JIT expects.  Inlined call frames become true call frames.  When we reify an inlined call
2391         frame and it is a tail call which we will be continuing from, we need to restore the tag
2392         constant callee save registers with what was saved by the outermost caller.
2393
2394         Re-enabled tail calls and restored tests for tail calls.
2395
2396         * dfg/DFGOSRExitCompilerCommon.cpp:
2397         (JSC::DFG::reifyInlinedCallFrames): Select whether or not we use the callee save tag register
2398         contents or what was saved by the inlining caller when populating an inlined callee's
2399         callee save registers.
2400         * jit/AssemblyHelpers.h:
2401         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor): This function no longer needs a stack offset.
2402         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor): New helper.
2403         * runtime/Options.h: Turned tail calls back on.
2404         * tests/es6.yaml:
2405         * tests/stress/dfg-tail-calls.js:
2406         (nonInlinedTailCall.callee):
2407         * tests/stress/mutual-tail-call-no-stack-overflow.js:
2408         (shouldThrow):
2409         * tests/stress/tail-call-in-inline-cache.js:
2410         (tail):
2411         * tests/stress/tail-call-no-stack-overflow.js:
2412         (shouldThrow):
2413         * tests/stress/tail-call-recognize.js:
2414         (callerMustBeRun):
2415         * tests/stress/tail-call-varargs-no-stack-overflow.js:
2416         (shouldThrow):
2417
2418 2015-10-20  Joseph Pecoraro  <pecoraro@apple.com>
2419
2420         Web Inspector: JavaScriptCore should parse sourceURL and sourceMappingURL directives
2421         https://bugs.webkit.org/show_bug.cgi?id=150096
2422
2423         Reviewed by Geoffrey Garen.
2424
2425         * inspector/ContentSearchUtilities.cpp:
2426         (Inspector::ContentSearchUtilities::scriptCommentPattern): Deleted.
2427         (Inspector::ContentSearchUtilities::findScriptSourceURL): Deleted.
2428         (Inspector::ContentSearchUtilities::findScriptSourceMapURL): Deleted.
2429         * inspector/ContentSearchUtilities.h:
2430         No longer need to search script content.
2431
2432         * inspector/ScriptDebugServer.cpp:
2433         (Inspector::ScriptDebugServer::dispatchDidParseSource):
2434         Carry over the sourceURL and sourceMappingURL from the SourceProvider.
2435
2436         * inspector/agents/InspectorDebuggerAgent.cpp:
2437         (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
2438         (Inspector::InspectorDebuggerAgent::didParseSource):
2439         No longer do content searching.
2440
2441         * parser/Lexer.cpp:
2442         (JSC::Lexer<T>::setCode):
2443         (JSC::Lexer<T>::skipWhitespace):
2444         (JSC::Lexer<T>::parseCommentDirective):
2445         (JSC::Lexer<T>::parseCommentDirectiveValue):
2446         (JSC::Lexer<T>::consume):
2447         (JSC::Lexer<T>::lex):
2448         * parser/Lexer.h:
2449         (JSC::Lexer::sourceURL):
2450         (JSC::Lexer::sourceMappingURL):
2451         (JSC::Lexer::sourceProvider): Deleted.
2452         Give lexer the ability to detect script comment directives.
2453         This just consumes characters in single line comments and
2454         ultimately sets the sourceURL or sourceMappingURL found.
2455
2456         * parser/Parser.h:
2457         (JSC::Parser<LexerType>::parse):
2458         * parser/SourceProvider.h:
2459         (JSC::SourceProvider::url):
2460         (JSC::SourceProvider::sourceURL):
2461         (JSC::SourceProvider::sourceMappingURL):
2462         (JSC::SourceProvider::setSourceURL):
2463         (JSC::SourceProvider::setSourceMappingURL):
2464         After parsing a script, update the Source Provider with the
2465         value of directives that may have been found in the script.
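
        The directive scan the entry above describes, as an added example written for this
        ChangeLog page; it is not JSC's Lexer code. It assumes the two comment forms
        "//# name=value" and "//@ name=value", that the last directive seen wins, and that a
        directive only counts inside a single-line comment (so the same text inside a string
        literal or a block comment is ignored). Regular-expression literals are not tracked,
        which is a known simplification. The sample script in main() is constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Result of scanning a script for comment directives.
struct ScriptDirectives {
    std::string sourceURL;
    std::string sourceMappingURL;
};

// Trim leading and trailing spaces and tabs.
static std::string trimSpaces(const std::string& s)
{
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos)
        return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Given the body of a single-line comment (the text after "//"), record a
// directive of the form "# name=value" or "@ name=value" if one is present.
static void parseCommentDirective(const std::string& body, ScriptDirectives& out)
{
    std::string text = trimSpaces(body);
    if (text.empty() || (text[0] != '#' && text[0] != '@'))
        return;
    text = trimSpaces(text.substr(1));
    size_t eq = text.find('=');
    if (eq == std::string::npos)
        return;
    std::string name = trimSpaces(text.substr(0, eq));
    std::string value = trimSpaces(text.substr(eq + 1));
    if (value.empty())
        return;
    // Assumption: a later directive overrides an earlier one.
    if (name == "sourceURL")
        out.sourceURL = value;
    else if (name == "sourceMappingURL")
        out.sourceMappingURL = value;
}

// Walk the source once, skipping string/template literals and block comments so
// that "//# sourceURL=" inside a string or a /* */ comment is not a directive.
ScriptDirectives scanScriptDirectives(const std::string& source)
{
    ScriptDirectives result;
    size_t i = 0;
    const size_t n = source.size();
    while (i < n) {
        char c = source[i];
        if (c == '\'' || c == '"' || c == '`') {
            // Literal: skip to the matching quote, honouring backslash escapes.
            char quote = c;
            ++i;
            while (i < n && source[i] != quote) {
                if (source[i] == '\\')
                    ++i;
                ++i;
            }
            ++i; // closing quote
        } else if (c == '/' && i + 1 < n && source[i + 1] == '*') {
            size_t end = source.find("*/", i + 2);
            i = (end == std::string::npos) ? n : end + 2;
        } else if (c == '/' && i + 1 < n && source[i + 1] == '/') {
            size_t eol = source.find_first_of("\r\n", i + 2);
            if (eol == std::string::npos)
                eol = n;
            parseCommentDirective(source.substr(i + 2, eol - (i + 2)), result);
            i = eol;
        } else {
            ++i;
        }
    }
    return result;
}

int main()
{
    // Constructed sample: only the last two lines carry real directives.
    const std::string script =
        "var s = \"//# sourceURL=fake.js\";\n"
        "/* //# sourceURL=inblock.js */\n"
        "function f() { return s; }\n"
        "//# sourceURL=real.js\n"
        "//@ sourceMappingURL=real.js.map\n";
    ScriptDirectives d = scanScriptDirectives(script);
    std::printf("sourceURL=%s sourceMappingURL=%s\n", d.sourceURL.c_str(), d.sourceMappingURL.c_str());
    return 0;
}
```

        Both values come from the script text itself, so a debugger front end that displays
        them is showing attacker-controllable strings; the scan only decides what the script
        claims, not whether the claim is true.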
2466
2467 2015-10-20  Saam barati  <sbarati@apple.com>
2468
2469         GCAwareJITStubRoutineWithExceptionHandler has a stale CodeBlock pointer in its destructor
2470         https://bugs.webkit.org/show_bug.cgi?id=150351
2471
2472         Reviewed by Mark Lam.
2473
2474         We may regenerate many GCAwareJITStubRoutineWithExceptionHandler stubs per one PolymorphicAccess.
2475         Only the last GCAwareJITStubRoutineWithExceptionHandler stub that was generated will get the CodeBlock's aboutToDie()
2476         notification. All other GCAwareJITStubRoutineWithExceptionHandler stubs will still be holding a stale CodeBlock pointer
2477         that they will use in their destructor. The solution is to have GCAwareJITStubRoutineWithExceptionHandler remove its
2478         exception handler in observeZeroRefCount() instead of its destructor. observeZeroRefCount() will run when a PolymorphicAccess
2479         replaces its m_stubRoutine.
2480
2481         * jit/GCAwareJITStubRoutine.cpp:
2482         (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie):
2483         (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount):
2484         (JSC::createJITStubRoutine):
2485         (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler): Deleted.
2486         * jit/GCAwareJITStubRoutine.h:
2487
2489 2015-10-20  Tim Horton  <timothy_horton@apple.com>
2490
2491         Try to fix the build by disabling MAC_GESTURE_EVENTS on 10.9 and 10.10
2492
2493         * Configurations/FeatureDefines.xcconfig:
2494
2495 2015-10-20  Xabier Rodriguez Calvar  <calvaris@igalia.com>
2496
2497         [Streams API] Rework some readable stream internals that can be common to writable streams
2498         https://bugs.webkit.org/show_bug.cgi?id=150133
2499
2500         Reviewed by Darin Adler.
2501
2502         * runtime/CommonIdentifiers.h:
2503         * runtime/JSGlobalObject.cpp:
2504         (JSC::JSGlobalObject::init): Added RangeError also as native functions.
2505
2506 2015-10-20  Yoav Weiss  <yoav@yoav.ws>
2507
2508         Rename the PICTURE_SIZES flag to CURRENTSRC
2509         https://bugs.webkit.org/show_bug.cgi?id=150275
2510
2511         Reviewed by Dean Jackson.
2512
2513         * Configurations/FeatureDefines.xcconfig:
2514
2515 2015-10-19  Saam barati  <sbarati@apple.com>
2516
2517         FTL should generate a unique OSR exit for each duplicated OSR exit stackmap intrinsic.
2518         https://bugs.webkit.org/show_bug.cgi?id=149970
2519
2520         Reviewed by Filip Pizlo.
2521
2522         When we lower DFG to LLVM, we generate a stackmap intrinsic for OSR
2523         exits. We also recorded the OSR exit inside FTL::JITCode during lowering.
2524         This stackmap intrinsic may be duplicated or even removed by LLVM.
2525         When the stackmap intrinsic is duplicated, we used to generate just
2526         a single OSR exit data structure. Then, when we compiled an OSR exit, we 
2527         would look for the first record in the record list that had the same stackmap ID
2528         as what the OSR exit data structure had. We did this even when the OSR exit
2529         stackmap intrinsic was duplicated. This would lead us to grab the wrong FTL::StackMaps::Record.
2530
2531         Now, each OSR exit knows exactly which FTL::StackMaps::Record it corresponds to.
2532         We accomplish this by having an OSRExitDescriptor that is recorded during
2533         lowering. Each descriptor may be referenced by zero, one, or more OSRExits.
2534         Now, no more than one stackmap intrinsic corresponds to the same index inside 
2535         JITCode's OSRExit Vector. Also, each OSRExit jump now jumps to a code location.
2536
2537         * ftl/FTLCompile.cpp:
2538         (JSC::FTL::mmAllocateDataSection):
2539         * ftl/FTLJITCode.cpp:
2540         (JSC::FTL::JITCode::validateReferences):
2541         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2542         * ftl/FTLJITCode.h:
2543         * ftl/FTLJITFinalizer.cpp:
2544         (JSC::FTL::JITFinalizer::finalizeFunction):
2545         * ftl/FTLLowerDFGToLLVM.cpp:
2546         (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
2547         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
2548         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
2549         (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
2550         (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
2551         (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap):
2552         * ftl/FTLOSRExit.cpp:
2553         (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
2554         (JSC::FTL::OSRExitDescriptor::validateReferences):
2555         (JSC::FTL::OSRExit::OSRExit):
2556         (JSC::FTL::OSRExit::codeLocationForRepatch):
2557         (JSC::FTL::OSRExit::validateReferences): Deleted.
2558         * ftl/FTLOSRExit.h:
2559         (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
2560         * ftl/FTLOSRExitCompilationInfo.h:
2561         (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
2562         * ftl/FTLOSRExitCompiler.cpp:
2563         (JSC::FTL::compileStub):
2564         (JSC::FTL::compileFTLOSRExit):
2565         * ftl/FTLStackMaps.cpp:
2566         (JSC::FTL::StackMaps::computeRecordMap):
2567         * ftl/FTLStackMaps.h:
2568
2569 2015-10-16  Brian Burg  <bburg@apple.com>
2570
2571         Unify handling of JavaScriptCore scripts that are used in WebCore
2572         https://bugs.webkit.org/show_bug.cgi?id=150245
2573
2574         Reviewed by Alex Christensen.
2575
2576         Move all standalone JavaScriptCore scripts that are used by WebCore into the
2577         JavaScriptCore/Scripts directory. Use JavaScriptCore_SCRIPTS_DIR to refer
2578         to the path for these scripts.
2579
2580         * DerivedSources.make:
2581
2582             Define and use JavaScriptCore_SCRIPTS_DIR.
2583
2584         * JavaScriptCore.xcodeproj/project.pbxproj:
2585
2586             Make a new group in the Xcode project and clean up references.
2587
2588         * PlatformWin.cmake:
2589
2590             For Windows, copy these scripts over to ForwardingHeaders/Scripts since they
2591             cannot be used directly from JAVASCRIPTCORE_DIR in AppleWin builds. Do the same
2592             thing for both Windows variants to be consistent about it.
2593
2594         * Scripts/cssmin.py: Renamed from Source/JavaScriptCore/inspector/scripts/cssmin.py.
2595         * Scripts/generate-combined-inspector-json.py: Renamed from Source/JavaScriptCore/inspector/scripts/generate-combined-inspector-json.py.
2596         * Scripts/generate-js-builtins: Renamed from Source/JavaScriptCore/generate-js-builtins.
2597         * Scripts/inline-and-minify-stylesheets-and-scripts.py: Renamed from Source/JavaScriptCore/inspector/scripts/inline-and-minify-stylesheets-and-scripts.py.
2598         * Scripts/jsmin.py: Renamed from Source/JavaScriptCore/inspector/scripts/jsmin.py.
2599         * Scripts/xxd.pl: Renamed from Source/JavaScriptCore/inspector/scripts/xxd.pl.
2600
2601 2015-10-19  Tim Horton  <timothy_horton@apple.com>
2602
2603         Try to fix the iOS build
2604
2605         * Configurations/FeatureDefines.xcconfig:
2606
2607 2015-10-17  Keith Miller  <keith_miller@apple.com>
2608
2609         Add regression tests for TypedArray.prototype functions' error messages.
2610         https://bugs.webkit.org/show_bug.cgi?id=150288
2611
2612         Reviewed by Darin Adler.
2613
2614         Fix a typo in the text passed by TypedArray.prototype.filter type error message.
2615         Add tests that check the actual error message text for all the TypedArray.prototype
2616         functions that throw.
2617
2618         * builtins/TypedArray.prototype.js:
2619         (filter):
2620         * tests/stress/typedarray-every.js:
2621         * tests/stress/typedarray-filter.js:
2622         * tests/stress/typedarray-find.js:
2623         * tests/stress/typedarray-findIndex.js:
2624         * tests/stress/typedarray-forEach.js:
2625         * tests/stress/typedarray-map.js:
2626         * tests/stress/typedarray-reduce.js:
2627         * tests/stress/typedarray-reduceRight.js:
2628         * tests/stress/typedarray-some.js:
2629
2630 2015-10-19  Tim Horton  <timothy_horton@apple.com>
2631
2632         Add magnify and rotate gesture event support for Mac
2633         https://bugs.webkit.org/show_bug.cgi?id=150179
2634         <rdar://problem/8036240>
2635
2636         Reviewed by Darin Adler.
2637
2638         * Configurations/FeatureDefines.xcconfig:
2639         New feature flag.
2640
2641 2015-10-19  Csaba Osztrogonác  <ossy@webkit.org>
2642
2643         Fix the ENABLE(WEBASSEMBLY) build after r190827
2644         https://bugs.webkit.org/show_bug.cgi?id=150330
2645
2646         Reviewed by Geoffrey Garen.
2647
2648         * bytecode/CodeBlock.cpp:
2649         (JSC::CodeBlock::CodeBlock): Removed the duplicated VM argument.
2650         * bytecode/CodeBlock.h:
2651         (JSC::WebAssemblyCodeBlock::create): Added new parameters to finishCreation() calls.
2652         (JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Change VM parameter to pointer to match *CodeBlock classes.
2653         * runtime/Executable.cpp:
2654         (JSC::WebAssemblyExecutable::prepareForExecution): Removed extra ")" and pass pointer as it is expected.
2655
2656 2015-10-19  Mark Lam  <mark.lam@apple.com>
2657
2658         DoubleRep fails to convert SpecBoolean values.
2659         https://bugs.webkit.org/show_bug.cgi?id=150313
2660
2661         Reviewed by Geoffrey Garen.
2662
2663         This was uncovered by the op_sub stress test on 32-bit builds.  On 32-bit builds,
2664         DoubleRep will erroneously convert 'true' to a 'NaN' instead of a double 1.
2665         On 64-bit, the same issue exists but is masked by another bug in DoubleRep where
2666         boolean values will always erroneously trigger a BadType OSR exit.
2667
2668         The erroneous conversion of 'true' to 'NaN' is because the 'true' case in
2669         compileDoubleRep() is missing a jump to the "done" destination.  Instead, it
2670         falls through to the "isUndefined" case where it produces a NaN.
2671
2672         The 64-bit erroneous BadType OSR exit is due to the boolean type check being
2673         implemented incorrectly.  It was checking if any bits other than bit 0 were set.
2674         However, boolean JS values always have TagBitBool (the 3rd bit) set.  Hence, the
2675         check will always fail if we have a boolean value.
2676
2677         This patch fixes both of these issues.
2678
2679         No new test is needed because these issues are already covered by scenarios in
2680         the op_sub.js stress test.  This patch also fixes the op_sub.js test to throw an
2681         exception if any failures are encountered (as expected by the stress test
2682         harness).  This patch also re-worked the test code to provide more accurate
2683         descriptions of each test scenario for error reporting.
2684
2685         * dfg/DFGSpeculativeJIT.cpp:
2686         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2687
2688         * tests/stress/op_sub.js:
2689         (generateScenarios):
2690         (func):
2691         (initializeTestCases):
2692         (runTest):
2693         (stringify): Deleted.
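
        The two defects described above, modelled in plain C++ as an added illustration (this is not code from the patch): the boolean type check before and after the fix, and the missing jump to "done" in the 'true' case. The tag constants are assumed to match the 64-bit JSValue encoding in JSCJSValue.h, and the case chain is a sketch of compileDoubleRep's control flow, not its emitted assembly.

```cpp
// Added example, not JavaScriptCore code: models the 64-bit JSValue tag bits
// named in the entry above and contrasts the checks before and after the fix.
#include <cmath>
#include <cstdint>

// 64-bit JSValue encoding of the non-number, non-cell values (assumed here to
// match JSCJSValue.h): every boolean carries TagBitBool, which is bit 2.
constexpr int64_t TagBitTypeOther = 0x2;
constexpr int64_t TagBitBool      = 0x4;
constexpr int64_t TagBitUndefined = 0x8;
constexpr int64_t ValueFalse      = TagBitTypeOther | TagBitBool | 0;
constexpr int64_t ValueTrue       = TagBitTypeOther | TagBitBool | 1;
constexpr int64_t ValueUndefined  = TagBitTypeOther | TagBitUndefined;
constexpr int64_t ValueNull       = TagBitTypeOther;

// Broken check: "no bit other than bit 0 may be set". TagBitBool is always set
// on a boolean, so this rejects true and false and forces the BadType OSR exit.
bool isBooleanBeforeFix(int64_t value) {
    return (value & ~int64_t(1)) == 0;
}

// Fixed check: fold the shared tag bits away first; what remains must be only
// bit 0 (0 for false, 1 for true). Any other value leaves tag bits standing.
bool isBooleanAfterFix(int64_t value) {
    return ((value ^ ValueFalse) & ~int64_t(1)) == 0;
}

// DoubleRep over an "other" value, as the pre-fix case chain behaved: the 'true'
// case computes 1.0 but has no jump to "done", so control runs on into the
// remaining cases and the undefined case overwrites the result with NaN.
double doubleRepBeforeFix(int64_t value) {
    double result;
    if (value == ValueTrue) {
        result = 1.0;
        // The jump to `done` was missing here.
    }
    if (value == ValueFalse || value == ValueNull) {
        result = 0.0;
        goto done;
    }
    result = std::nan(""); // isUndefined case, also reached from 'true' above
done:
    return result;
}

// With the fix, the 'true' case jumps straight to "done".
double doubleRepAfterFix(int64_t value) {
    double result;
    if (value == ValueTrue) {
        result = 1.0;
        goto done;
    }
    if (value == ValueFalse || value == ValueNull) {
        result = 0.0;
        goto done;
    }
    result = std::nan(""); // isUndefined case only
done:
    return result;
}
```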
2694
2695 2015-10-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2696
2697         Drop !newTarget check since it always becomes true
2698         https://bugs.webkit.org/show_bug.cgi?id=150308
2699
2700         Reviewed by Geoffrey Garen.
2701
2702         In a context of calling a constructor, `newTarget` should not become JSEmpty.
2703         So `!newTarget` always becomes true. This patch drops this unnecessary check.
2704         And to ensure the implementation of the constructor is only called under
2705         the context of calling it as a constructor, we change these functions to
2706         static and only use them for constructor implementations of InternalFunction.
2707
2708         * runtime/IntlCollatorConstructor.cpp:
2709         (JSC::constructIntlCollator):
2710         (JSC::callIntlCollator):
2711         * runtime/IntlCollatorConstructor.h:
2712         * runtime/IntlDateTimeFormatConstructor.cpp:
2713         (JSC::constructIntlDateTimeFormat):
2714         (JSC::callIntlDateTimeFormat):
2715         * runtime/IntlDateTimeFormatConstructor.h:
2716         * runtime/IntlNumberFormatConstructor.cpp:
2717         (JSC::constructIntlNumberFormat):
2718         (JSC::callIntlNumberFormat):
2719         * runtime/IntlNumberFormatConstructor.h:
2720         * runtime/JSPromiseConstructor.cpp:
2721         (JSC::constructPromise):
2722
2723 2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2724
2725         Promise constructor should throw when not called with "new"
2726         https://bugs.webkit.org/show_bug.cgi?id=149380
2727
2728         Reviewed by Darin Adler.
2729
2730         Implement handling of new.target in the Promise constructor, and
2731         prohibit calling the Promise constructor without "new".
2732
2733         * runtime/JSPromiseConstructor.cpp:
2734         (JSC::constructPromise):
2735         (JSC::callPromise):
2736         (JSC::JSPromiseConstructor::getCallData):
2737         * tests/es6.yaml:
2738         * tests/stress/promise-cannot-be-called.js: Added.
2739         (shouldBe):
2740         (shouldThrow):
2741         (Deferred):
2742         (super):
2743
2744 2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2745
2746         [ES6] Handle asynchronous tests in tests/es6
2747         https://bugs.webkit.org/show_bug.cgi?id=150293
2748
2749         Reviewed by Darin Adler.
2750
2751         Since JSC can handle microtasks, some of the ES6 Promise tests can be executed under the JSC shell.
2752         Some of them still fail because they use setTimeout, which invokes macrotasks with an explicit delay.
2753
2754         * tests/es6.yaml:
2755         * tests/es6/Promise_Promise.all.js:
2756         (test.asyncTestPassed):
2757         (test):
2758         * tests/es6/Promise_Promise.all_generic_iterables.js:
2759         (test.asyncTestPassed):
2760         (test):
2761         * tests/es6/Promise_Promise.race.js:
2762         (test.asyncTestPassed):
2763         (test):
2764         * tests/es6/Promise_Promise.race_generic_iterables.js:
2765         (test.asyncTestPassed):
2766         (test):
2767         * tests/es6/Promise_basic_functionality.js:
2768         (test.asyncTestPassed):
2769         (test):
2770         * tests/es6/Promise_is_subclassable_Promise.all.js:
2771         (test.asyncTestPassed):
2772         (test):
2773         * tests/es6/Promise_is_subclassable_Promise.race.js:
2774         (test.asyncTestPassed):
2775         (test):
2776         * tests/es6/Promise_is_subclassable_basic_functionality.js:
2777         (test.asyncTestPassed):
2778         (test):
2779
2780 2015-10-18  Sungmann Cho  <sungmann.cho@navercorp.com>
2781
2782         [Win] Fix the Windows builds.
2783         https://bugs.webkit.org/show_bug.cgi?id=150300
2784
2785         Reviewed by Darin Adler.
2786
2787         Add missing files to JavaScriptCore.vcxproj.
2788
2789         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2790         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2791
2792 2015-10-17  Filip Pizlo  <fpizlo@apple.com>
2793
2794         Fix some generational heap growth pathologies
2795         https://bugs.webkit.org/show_bug.cgi?id=150270
2796
2797         Reviewed by Andreas Kling.
2798
2799         When doing generational copying, we would pretend that the size of old space was increased
2800         just by the amount of bytes we copied. In reality, it would be increased by the number of
2801         bytes used by the copied blocks we created. This is a larger number, and in some simple
2802         pathological programs, the difference can be huge.
2803
2804         Fixing this bug was relatively easy, and the only really meaningful change here is in
2805         Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
2806         add some debugging code and I had to refactor some stuff so that it made more sense.
2807
2808         This change does obviate the need for m_totalBytesCopied, because we no longer use it in
2809         release builds to decide how much heap we are using at the end of collection. But I added a
2810         FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
2811         now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.
2812
2813         Relanding with build fix.
2814
2815         * CMakeLists.txt:
2816         * JavaScriptCore.xcodeproj/project.pbxproj:
2817         * heap/CopiedBlock.cpp: Added.
2818         (JSC::CopiedBlock::createNoZeroFill):
2819         (JSC::CopiedBlock::destroy):
2820         (JSC::CopiedBlock::create):
2821         (JSC::CopiedBlock::zeroFillWilderness):
2822         (JSC::CopiedBlock::CopiedBlock):
2823         * heap/CopiedBlock.h:
2824         (JSC::CopiedBlock::didSurviveGC):
2825         (JSC::CopiedBlock::createNoZeroFill): Deleted.
2826         (JSC::CopiedBlock::destroy): Deleted.
2827         (JSC::CopiedBlock::create): Deleted.
2828         (JSC::CopiedBlock::zeroFillWilderness): Deleted.
2829         (JSC::CopiedBlock::CopiedBlock): Deleted.
2830         * heap/CopiedSpaceInlines.h:
2831         (JSC::CopiedSpace::startedCopying):
2832         * heap/Heap.cpp:
2833         (JSC::Heap::updateObjectCounts):
2834         (JSC::Heap::resetVisitors):
2835         (JSC::Heap::capacity):
2836         (JSC::Heap::protectedGlobalObjectCount):
2837         (JSC::Heap::collectImpl):
2838         (JSC::Heap::willStartCollection):
2839         (JSC::Heap::updateAllocationLimits):
2840         (JSC::Heap::didFinishCollection):
2841         (JSC::Heap::sizeAfterCollect): Deleted.
2842         * heap/Heap.h:
2843         * heap/HeapInlines.h:
2844         (JSC::Heap::shouldCollect):
2845         (JSC::Heap::isBusy):
2846         (JSC::Heap::collectIfNecessaryOrDefer):
2847         * heap/MarkedBlock.cpp:
2848         (JSC::MarkedBlock::create):
2849         (JSC::MarkedBlock::destroy):
2850
2851 2015-10-17  Commit Queue  <commit-queue@webkit.org>
2852
2853         Unreviewed, rolling out r191240.
2854         https://bugs.webkit.org/show_bug.cgi?id=150281
2855
2856         Broke 32-bit builds (Requested by smfr on #webkit).
2857
2858         Reverted changeset:
2859
2860         "Fix some generational heap growth pathologies"
2861         https://bugs.webkit.org/show_bug.cgi?id=150270
2862         http://trac.webkit.org/changeset/191240
2863
2864 2015-10-17  Sungmann Cho  <sungmann.cho@navercorp.com>
2865
2866         [Win] Fix the Windows build.
2867         https://bugs.webkit.org/show_bug.cgi?id=150278
2868
2869         Reviewed by Brent Fulgham.
2870
2871         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2872         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2873
2874 2015-10-17  Mark Lam  <mark.lam@apple.com>
2875
2876         Fixed typos from r191224.
2877
2878         Not reviewed.
2879
2880         * jit/JITSubGenerator.h:
2881         (JSC::JITSubGenerator::generateFastPath):
2882
2883 2015-10-17  Filip Pizlo  <fpizlo@apple.com>
2884
2885         Fix some generational heap growth pathologies
2886         https://bugs.webkit.org/show_bug.cgi?id=150270
2887
2888         Reviewed by Andreas Kling.
2889
2890         When doing generational copying, we would pretend that the size of old space was increased
2891         just by the amount of bytes we copied. In reality, it would be increased by the number of
2892         bytes used by the copied blocks we created. This is a larger number, and in some simple
2893         pathological programs, the difference can be huge.
2894
2895         Fixing this bug was relatively easy, and the only really meaningful change here is in
2896         Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
2897         add some debugging code and I had to refactor some stuff so that it made more sense.
2898
2899         This change does obviate the need for m_totalBytesCopied, because we no longer use it in
2900         release builds to decide how much heap we are using at the end of collection. But I added a
2901         FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
2902         now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.
2903
2904         * CMakeLists.txt:
2905         * JavaScriptCore.xcodeproj/project.pbxproj:
2906         * heap/CopiedBlock.cpp: Added.
2907         (JSC::CopiedBlock::createNoZeroFill):
2908         (JSC::CopiedBlock::destroy):
2909         (JSC::CopiedBlock::create):
2910         (JSC::CopiedBlock::zeroFillWilderness):
2911         (JSC::CopiedBlock::CopiedBlock):
2912         * heap/CopiedBlock.h:
2913         (JSC::CopiedBlock::didSurviveGC):
2914         (JSC::CopiedBlock::createNoZeroFill): Deleted.
2915         (JSC::CopiedBlock::destroy): Deleted.
2916         (JSC::CopiedBlock::create): Deleted.
2917         (JSC::CopiedBlock::zeroFillWilderness): Deleted.
2918         (JSC::CopiedBlock::CopiedBlock): Deleted.
2919         * heap/CopiedSpaceInlines.h:
2920         (JSC::CopiedSpace::startedCopying):
2921         * heap/Heap.cpp:
2922         (JSC::Heap::updateObjectCounts):
2923         (JSC::Heap::resetVisitors):
2924         (JSC::Heap::capacity):
2925         (JSC::Heap::protectedGlobalObjectCount):
2926         (JSC::Heap::collectImpl):
2927         (JSC::Heap::willStartCollection):
2928         (JSC::Heap::updateAllocationLimits):
2929         (JSC::Heap::didFinishCollection):
2930         (JSC::Heap::sizeAfterCollect): Deleted.
2931         * heap/Heap.h:
2932         * heap/HeapInlines.h:
2933         (JSC::Heap::shouldCollect):
2934         (JSC::Heap::isBusy):
2935         (JSC::Heap::collectIfNecessaryOrDefer):
2936         * heap/MarkedBlock.cpp:
2937         (JSC::MarkedBlock::create):
2938         (JSC::MarkedBlock::destroy):
2939
2940 2015-10-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2941
2942         [ES6] Implement String.prototype.normalize
2943         https://bugs.webkit.org/show_bug.cgi?id=150094
2944
2945         Reviewed by Geoffrey Garen.
2946
2947         This patch implements String.prototype.normalize leveraging ICU.
2948         It can provide the feature applying {NFC, NFD, NFKC, NFKD} normalization to a given string.
2949
2950         * runtime/StringPrototype.cpp:
2951         (JSC::StringPrototype::finishCreation):
2952         (JSC::normalize):
2953         (JSC::stringProtoFuncNormalize):
2954         * tests/es6.yaml:
2955         * tests/stress/string-normalize.js: Added.
2956         (unicode):
2957         (shouldBe):
2958         (shouldThrow):
2959         (normalizeTest):
2960
2961 2015-10-16  Geoffrey Garen  <ggaren@apple.com>
2962
2963         Update JavaScriptCore API docs
2964         https://bugs.webkit.org/show_bug.cgi?id=150262
2965
2966         Reviewed by Mark Lam.
2967
2968         Apply some edits for clarity. These came out of a docs review.
2969
2970         * API/JSContext.h:
2971         * API/JSExport.h:
2972         * API/JSManagedValue.h:
2973         * API/JSValue.h:
2974
2975 2015-10-16  Keith Miller  <keith_miller@apple.com>
2976
2977         Unreviewed. Fix typo in TypeError messages in TypedArray.prototype.forEach/filter.
2978
2979         * builtins/TypedArray.prototype.js:
2980         (forEach):
2981         (filter):
2982
2983 2015-10-16  Mark Lam  <mark.lam@apple.com>
2984
2985         Use JITSubGenerator to support UntypedUse operands for op_sub in the DFG.
2986         https://bugs.webkit.org/show_bug.cgi?id=150038
2987
2988         Reviewed by Geoffrey Garen.
2989
2990         * bytecode/SpeculatedType.h:
2991         (JSC::isUntypedSpeculationForArithmetic): Added
2992         - Also fixed some comments.
2993         
2994         * dfg/DFGAbstractInterpreterInlines.h:
2995         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2996
2997         * dfg/DFGAbstractValue.cpp:
2998         (JSC::DFG::AbstractValue::resultType):
2999         * dfg/DFGAbstractValue.h:
3000         - Added function to compute the ResultType of an operand from its SpeculatedType.
3001
3002         * dfg/DFGFixupPhase.cpp:
3003         (JSC::DFG::FixupPhase::fixupNode):
3004         - Fix up ArithSub to speculate its operands to be numbers.  But if an OSR exit
3005           due to a BadType was seen at this node, we'll fix it up to expect UntypedUse
3006           operands.  This gives the generated code a chance to run fast if it only
3007           receives numeric operands.
3008
3009         * dfg/DFGNode.h:
3010         (JSC::DFG::Node::shouldSpeculateUntypedForArithmetic):
3011
3012         * dfg/DFGOperations.cpp:
3013         * dfg/DFGOperations.h:
3014         - Add the C++ runtime function to implement op_sub when we really encounter the
3015           hard types in the operands.
3016
3017         * dfg/DFGSpeculativeJIT.cpp:
3018         (JSC::DFG::SpeculativeJIT::compileArithSub):
3019         - Added support for UntypedUse operands using the JITSubGenerator.
3020
3021         * dfg/DFGSpeculativeJIT.h:
3022         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
3023         (JSC::DFG::SpeculativeJIT::pickCanTrample):
3024         (JSC::DFG::SpeculativeJIT::callOperation):
3025
3026         * ftl/FTLCapabilities.cpp:
3027         (JSC::FTL::canCompile):
3028         - Just refuse to FTL compile functions with UntypedUse op_sub operands for now.
3029
3030         * jit/AssemblyHelpers.h:
3031         (JSC::AssemblyHelpers::boxDouble):
3032         (JSC::AssemblyHelpers::unboxDoubleNonDestructive):
3033         (JSC::AssemblyHelpers::unboxDouble):
3034         (JSC::AssemblyHelpers::boxBooleanPayload):
3035         * jit/JITArithmetic.cpp:
3036         (JSC::JIT::emit_op_sub):
3037
3038         * jit/JITSubGenerator.h:
3039         (JSC::JITSubGenerator::generateFastPath):
3040         (JSC::JITSubGenerator::endJumpList):
3041         - Added some asserts to document the contract that this generator expects in
3042           terms of its incoming registers.
3043
3044           Also fixed the generated code to not be destructive with regards to incoming
3045           registers.  The DFG expects this.
3046
3047           Also added an endJumpList so that we don't have to jump twice for the fast
3048           path where both operands are ints.
3049
3050         * parser/ResultType.h:
3051         (JSC::ResultType::ResultType):
3052         - Make the internal Type bits and the constructor private.  Clients should only
3053           create ResultType values using one of the provided factory methods.
3054
3055         * tests/stress/op_sub.js: Added.
3056         (o1.valueOf):
3057         (stringify):
3058         (generateScenarios):
3059         (printScenarios):
3060         (testCases.func):
3061         (func):
3062         (initializeTestCases):
3063         (runTest):
3064         - test op_sub results by comparing one LLINT result against the output of
3065           multiple LLINT, and JIT runs.  This test assumes that we'll at least get the
3066           right result some of the time (if not all the time), and confirms that the
3067           various engines produce consistent results for all the various value pairs
3068           being tested.
3069
3070 2015-10-15  Filip Pizlo  <fpizlo@apple.com>
3071
3072         CopyBarrier must be avoided for slow TypedArrays
3073         https://bugs.webkit.org/show_bug.cgi?id=150217
3074         rdar://problem/23128791
3075
3076         Reviewed by Michael Saboff.
3077
3078         Change how we access array buffer views so that we don't fire the barrier slow path, and
3079         don't mask off the spaceBits, if the view is not FastTypedArray. That's because in that case
3080         m_vector could be misaligned and so have meaningful non-space data in the spaceBits. Also in
3081         that case, m_vector does not point into copied space.
3082
3083         * dfg/DFGSpeculativeJIT.cpp:
3084         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3085         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3086         * ftl/FTLLowerDFGToLLVM.cpp:
3087         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorWithBarrier):
3088         (JSC::FTL::DFG::LowerDFGToLLVM::copyBarrier):
3089         (JSC::FTL::DFG::LowerDFGToLLVM::isInToSpace):
3090         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyReadOnly):
3091         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorReadOnly):
3092         (JSC::FTL::DFG::LowerDFGToLLVM::removeSpaceBits):
3093         (JSC::FTL::DFG::LowerDFGToLLVM::isFastTypedArray):
3094         (JSC::FTL::DFG::LowerDFGToLLVM::baseIndex):
3095         * heap/CopyBarrier.h:
3096         (JSC::CopyBarrierBase::getWithoutBarrier):
3097         (JSC::CopyBarrierBase::getPredicated):
3098         (JSC::CopyBarrierBase::get):
3099         (JSC::CopyBarrierBase::copyState):
3100         (JSC::CopyBarrier::get):
3101         (JSC::CopyBarrier::getPredicated):
3102         (JSC::CopyBarrier::set):
3103         * heap/Heap.cpp:
3104         (JSC::Heap::copyBarrier):
3105         * jit/AssemblyHelpers.cpp:
3106         (JSC::AssemblyHelpers::branchIfNotType):
3107         (JSC::AssemblyHelpers::branchIfFastTypedArray):
3108         (JSC::AssemblyHelpers::branchIfNotFastTypedArray):
3109         (JSC::AssemblyHelpers::loadTypedArrayVector):
3110         (JSC::AssemblyHelpers::purifyNaN):
3111         * jit/AssemblyHelpers.h:
3112         (JSC::AssemblyHelpers::branchStructure):
3113         (JSC::AssemblyHelpers::branchIfToSpace):
3114         (JSC::AssemblyHelpers::branchIfNotToSpace):
3115         (JSC::AssemblyHelpers::removeSpaceBits):
3116         (JSC::AssemblyHelpers::addressForByteOffset):
3117         * jit/JITPropertyAccess.cpp:
3118         (JSC::JIT::emitIntTypedArrayGetByVal):
3119         (JSC::JIT::emitFloatTypedArrayGetByVal):
3120         (JSC::JIT::emitIntTypedArrayPutByVal):
3121         (JSC::JIT::emitFloatTypedArrayPutByVal):
3122         * runtime/JSArrayBufferView.h:
3123         (JSC::JSArrayBufferView::vector):
3124         (JSC::JSArrayBufferView::length):
3125         * runtime/JSArrayBufferViewInlines.h:
3126         (JSC::JSArrayBufferView::byteOffset):
3127         * runtime/JSGenericTypedArrayView.h:
3128         (JSC::JSGenericTypedArrayView::typedVector):
3129         * runtime/JSGenericTypedArrayViewInlines.h:
3130         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore):
3131         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3132         * tests/stress/misaligned-int8-view-byte-offset.js: Added.
3133         * tests/stress/misaligned-int8-view-read.js: Added.
3134         * tests/stress/misaligned-int8-view-write.js: Added.
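
        The hazard described above, modelled in plain C++ as an added illustration (this is not code from the patch): a copy barrier that keeps its copy-state flags in the low bits of the wrapped pointer is only safe to mask when the pointer is aligned, which holds for a FastTypedArray in copied space but not for a slow view whose m_vector is a byte offset into a malloc'd buffer. The two-bit spaceBits mask, the mode names and the sample buffer are assumptions made for the example.

```cpp
// Added example, not JavaScriptCore code: shows why the vector load must skip
// the space-bit mask unless the view is a FastTypedArray.
#include <cstddef>
#include <cstdint>

// Copy-state flags live in the low bits of the barrier'd pointer (assumed here
// to be the low two bits, in the spirit of CopyBarrierBase::spaceBits).
constexpr uintptr_t spaceBits = 0x3;

enum class TypedArrayMode {
    FastTypedArray,      // m_vector points into copied space, 8-byte aligned
    OversizeTypedArray,  // m_vector points into a malloc'd buffer, any alignment
};

struct View {
    TypedArrayMode mode;
    uintptr_t vectorBits; // raw contents of the barrier'd m_vector field
};

// Constructed sample backing store standing in for a heap buffer; each byte
// holds its own index so a misread is visible as a wrong value.
static uint8_t* sampleBuffer() {
    alignas(8) static uint8_t buffer[16] = {
        0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
    return buffer;
}

// Before the fix: every load masked off spaceBits, whatever the view's mode.
static uint8_t* loadVectorBeforeFix(const View& view) {
    return reinterpret_cast<uint8_t*>(view.vectorBits & ~spaceBits);
}

// After the fix: only a FastTypedArray carries space bits, so only that mode
// is masked (and barriered); a slow view's pointer is returned untouched.
static uint8_t* loadVectorAfterFix(const View& view) {
    if (view.mode != TypedArrayMode::FastTypedArray)
        return reinterpret_cast<uint8_t*>(view.vectorBits);
    return reinterpret_cast<uint8_t*>(view.vectorBits & ~spaceBits);
}

// An Int8Array over a slow buffer at `byteOffset`: the pointer is base +
// byteOffset, so offsets 1..3 put real address bits where the space bits sit.
static View makeSlowInt8View(size_t byteOffset) {
    return { TypedArrayMode::OversizeTypedArray,
             reinterpret_cast<uintptr_t>(sampleBuffer() + byteOffset) };
}

// A fast view whose aligned pointer is tagged with a copy-state value.
static View makeFastView(size_t alignedOffset, uintptr_t copyState) {
    return { TypedArrayMode::FastTypedArray,
             reinterpret_cast<uintptr_t>(sampleBuffer() + alignedOffset)
                 | (copyState & spaceBits) };
}

// Element 0 of the view as each load path would read it.
int readSlowViewBeforeFix(size_t byteOffset) {
    return *loadVectorBeforeFix(makeSlowInt8View(byteOffset));
}
int readSlowViewAfterFix(size_t byteOffset) {
    return *loadVectorAfterFix(makeSlowInt8View(byteOffset));
}
int readFastViewBeforeFix(size_t alignedOffset, uintptr_t copyState) {
    return *loadVectorBeforeFix(makeFastView(alignedOffset, copyState));
}
int readFastViewAfterFix(size_t alignedOffset, uintptr_t copyState) {
    return *loadVectorAfterFix(makeFastView(alignedOffset, copyState));
}
```

        With a byte offset of 3 the pre-fix load silently reads from offset 0: the masked-off bits were part of the address, not copy state.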
3135
3136 2015-10-16  Keith Miller  <keith_miller@apple.com>
3137
3138         Unreviewed. Build fix for 191215.
3139
3140         * jit/IntrinsicEmitter.cpp:
3141
3142 2015-10-16  Keith Miller  <keith@Keiths-MacBook-Pro-5.local>
3143
3144         Add Intrinsic Getters and use them to fix performance on the getters of TypedArray properties.
3145         https://bugs.webkit.org/show_bug.cgi?id=149687
3146
3147         Reviewed by Geoffrey Garen.
3148
3149         Add the ability to create intrinsic getters in both the inline cache and the DFG/FTL. When the
3150         getter fetched by a GetById has an intrinsic we know about we add a new intrinsic access case.
3151         Once we get to the DFG, we observe that the access case was an intrinsic and add an appropriate
3152         GetByIdVariant. We then parse the intrinsic into an appropriate DFG node.
3153
3154         The first intrinsics are the new TypedArray prototype getters length, byteLength, and byteOffset.
3155
3156         * CMakeLists.txt:
3157         * JavaScriptCore.xcodeproj/project.pbxproj:
3158         * bytecode/GetByIdStatus.cpp:
3159         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3160         (JSC::GetByIdStatus::computeFor):
3161         * bytecode/GetByIdVariant.cpp:
3162         (JSC::GetByIdVariant::GetByIdVariant):
3163         (JSC::GetByIdVariant::operator=):
3164         (JSC::GetByIdVariant::canMergeIntrinsicStructures):
3165         (JSC::GetByIdVariant::attemptToMerge):
3166         (JSC::GetByIdVariant::dumpInContext):
3167         * bytecode/GetByIdVariant.h:
3168         (JSC::GetByIdVariant::intrinsicFunction):
3169         (JSC::GetByIdVariant::intrinsic):
3170         (JSC::GetByIdVariant::callLinkStatus): Deleted.
3171         * bytecode/PolymorphicAccess.cpp:
3172         (JSC::AccessGenerationState::addWatchpoint):
3173         (JSC::AccessGenerationState::restoreScratch):
3174         (JSC::AccessGenerationState::succeed):
3175         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
3176         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
3177         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
3178         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCallWithThrownException):
3179         (JSC::AccessGenerationState::callSiteIndexForExceptionHandlingOrOriginal):
3180         (JSC::AccessGenerationState::originalExceptionHandler):
3181         (JSC::AccessGenerationState::originalCallSiteIndex):
3182         (JSC::AccessCase::getIntrinsic):
3183         (JSC::AccessCase::clone):
3184         (JSC::AccessCase::visitWeak):
3185         (JSC::AccessCase::generate):
3186         (WTF::printInternal):
3187         (JSC::AccessCase::AccessCase): Deleted.
3188         (JSC::AccessCase::get): Deleted.
3189         (JSC::AccessCase::replace): Deleted.
3190         (JSC::AccessCase::transition): Deleted.
3191         * bytecode/PolymorphicAccess.h:
3192         (JSC::AccessCase::isGet):
3193         (JSC::AccessCase::isPut):
3194         (JSC::AccessCase::isIn):
3195         (JSC::AccessCase::intrinsicFunction):
3196         (JSC::AccessCase::intrinsic):
3197         (JSC::AccessGenerationState::AccessGenerationState):
3198         (JSC::AccessGenerationState::liveRegistersForCall):
3199         (JSC::AccessGenerationState::callSiteIndexForExceptionHandling):
3200         (JSC::AccessGenerationState::numberOfStackBytesUsedForRegisterPreservation):
3201         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
3202         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
3203         * bytecode/PutByIdVariant.h:
3204         (JSC::PutByIdVariant::intrinsic):
3205         * dfg/DFGAbstractInterpreterInlines.h:
3206         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3207         * dfg/DFGArrayMode.cpp:
3208         (JSC::DFG::ArrayMode::alreadyChecked):
3209         (JSC::DFG::arrayTypeToString):
3210         (JSC::DFG::toTypedArrayType):
3211         (JSC::DFG::refineTypedArrayType):
3212         (JSC::DFG::permitsBoundsCheckLowering):
3213         * dfg/DFGArrayMode.h:
3214         (JSC::DFG::ArrayMode::supportsLength):
3215         (JSC::DFG::ArrayMode::isSomeTypedArrayView):
3216         * dfg/DFGByteCodeParser.cpp:
3217         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3218         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3219         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
3220         (JSC::DFG::ByteCodeParser::load):
3221         (JSC::DFG::ByteCodeParser::handleGetById):
3222         (JSC::DFG::ByteCodeParser::presenceLike): Deleted.
3223         (JSC::DFG::ByteCodeParser::store): Deleted.
3224         * dfg/DFGClobberize.h:
3225         (JSC::DFG::clobberize):
3226         * dfg/DFGFixupPhase.cpp:
3227         (JSC::DFG::FixupPhase::fixupNode):
3228         (JSC::DFG::FixupPhase::convertToGetArrayLength): Deleted.
3229         (JSC::DFG::FixupPhase::prependGetArrayLength): Deleted.
3230         (JSC::DFG::FixupPhase::fixupChecksInBlock): Deleted.
3231         * dfg/DFGGraph.cpp:
3232         (JSC::DFG::Graph::tryGetFoldableView):
3233         * dfg/DFGPredictionPropagationPhase.cpp:
3234         (JSC::DFG::PredictionPropagationPhase::propagate):
3235         * dfg/DFGSpeculativeJIT.cpp:
3236         (JSC::DFG::SpeculativeJIT::checkArray):
3237         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3238         * ftl/FTLCapabilities.cpp:
3239         (JSC::FTL::canCompile):
3240         * ftl/FTLLowerDFGToLLVM.cpp:
3241         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetArrayLength):
3242         * jit/IntrinsicEmitter.cpp: Added.
3243         (JSC::AccessCase::canEmitIntrinsicGetter):
3244         (JSC::AccessCase::emitIntrinsicGetter):
3245         * jit/Repatch.cpp:
3246         (JSC::tryCacheGetByID):
3247         * runtime/Intrinsic.h:
3248         * runtime/JSArrayBufferView.cpp:
3249         (JSC::JSArrayBufferView::put):
3250         (JSC::JSArrayBufferView::defineOwnProperty):
3251         (JSC::JSArrayBufferView::deleteProperty):
3252         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
3253         (JSC::JSArrayBufferView::getOwnPropertySlot): Deleted.
3254         (JSC::JSArrayBufferView::finalize): Deleted.
3255         * runtime/JSDataView.cpp:
3256         (JSC::JSDataView::getOwnPropertySlot):
3257         (JSC::JSDataView::put):
3258         (JSC::JSDataView::defineOwnProperty):
3259         (JSC::JSDataView::deleteProperty):
3260         (JSC::JSDataView::getOwnNonIndexPropertyNames):
3261         * runtime/JSDataView.h:
3262         * runtime/JSFunction.h:
3263         * runtime/JSFunctionInlines.h:
3264         (JSC::JSFunction::intrinsic):
3265         * runtime/JSGenericTypedArrayView.h:
3266         * runtime/JSGenericTypedArrayViewInlines.h:
3267         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
3268         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
3269         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
3270         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex): Deleted.
3271         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Deleted.
3272         * runtime/JSObject.cpp:
3273         (JSC::JSObject::putDirectNativeIntrinsicGetter):
3274         * runtime/JSObject.h:
3275         * runtime/JSTypedArrayViewPrototype.cpp:
3276         (JSC::JSTypedArrayViewPrototype::finishCreation):
3277         * tests/stress/typedarray-add-property-to-base-object.js: Added.
3278         (body.foo):
3279         (body):
3280         * tests/stress/typedarray-bad-getter.js: Added.
3281         (body.foo):
3282         (body.get Bar):
3283         (body):
3284         * tests/stress/typedarray-getter-on-self.js: Added.
3285         (body.foo):
3286         (body.bar):
3287         (body.baz):
3288         (body.get for):
3289         (body):
3290         * tests/stress/typedarray-intrinsic-getters-change-prototype.js: Added.
3291         (body.foo):
3292         (body.bar):
3293         (body.baz):
3294         (body):
3295
3296 2015-10-16  Keith Miller  <keith_miller@apple.com>
3297
3298         Fix some issues with TypedArrays
3299         https://bugs.webkit.org/show_bug.cgi?id=150216
3300
3301         Reviewed by Geoffrey Garen.
3302
3303         This fixes a couple of issues:
3304         1) The DFG had a separate case for creating new typedarrays in the dfg when the first argument is an object.
3305            Since the code for creating a Typedarray in the dfg is almost the same as the code in Baseline/LLInt
3306            the two cases have been merged.
3307         2) If the length property on an object was unset then the construction could crash.
3308         3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
3309            length of the source object when the source object is a TypedArray.
3310         4) The conditions that were used to decide if the iterator could be skipped were incorrect.
3311            Instead of checking for having a bad time, we should have checked that the indexing type did not allow for
3312            indexed accessors.
3313
3314         * dfg/DFGOperations.cpp:
3315         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3316         (JSC::constructGenericTypedArrayViewWithArguments):
3317         (JSC::constructGenericTypedArrayView):
3318         (JSC::constructGenericTypedArrayViewWithFirstArgument): Deleted.
3319
3320 2015-10-16  Anders Carlsson  <andersca@apple.com>
3321
3322         Fix Windows build.
3323
3324         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3325         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3326
3327 2015-10-16  Michael Saboff  <msaboff@apple.com>
3328
3329         REGRESSION (r191175): Still crashing when clicking back button on netflix.com
3330         https://bugs.webkit.org/show_bug.cgi?id=150251
3331
3332         Rubber stamped by Filip Pizlo.
3333
3334         Turning off Tail Calls and disabling tests until the crash is fixed.
3335
3336         * runtime/Options.h:
3337         * tests/es6.yaml:
3338         * tests/stress/dfg-tail-calls.js:
3339         (nonInlinedTailCall.callee):
3340         * tests/stress/mutual-tail-call-no-stack-overflow.js:
3341         (shouldThrow):
3342         * tests/stress/tail-call-in-inline-cache.js:
3343         (tail):
3344         * tests/stress/tail-call-no-stack-overflow.js:
3345         (shouldThrow):
3346         * tests/stress/tail-call-recognize.js:
3347         (callerMustBeRun):
3348         * tests/stress/tail-call-varargs-no-stack-overflow.js:
3349         (shouldThrow):
3350
3351 2015-10-16  Mark Lam  <mark.lam@apple.com>
3352
3353         Add MacroAssembler::callProbe() for supporting lambda JIT probes.
3354         https://bugs.webkit.org/show_bug.cgi?id=150186
3355
3356         Reviewed by Geoffrey Garen.
3357
3358         With callProbe(), we can now make probes that are lambdas.  For example, we can
3359         now conveniently add probes like so: 
3360
3361             // When you know exactly which register you want to inspect:
3362             jit.callProbe([] (MacroAssembler::ProbeContext* context) {
3363                 intptr_t value = reinterpret_cast<intptr_t>(context->cpu.eax);
3364                 dataLogF("eax %p\n", context->cpu.eax); // Inspect the register.
3365                 ASSERT(value > 10); // Add test code for debugging.
3366             });
3367
3368             // When you want to inspect whichever register the JIT allocated:
3369             auto reg = op1.gpr();
3370             jit.callProbe([reg] (MacroAssembler::ProbeContext* context) {
3371                 intptr_t value = reinterpret_cast<intptr_t>(context->gpr(reg));
3372                 dataLogF("reg %s: %ld\n", context->gprName(reg), value);
3373                 ASSERT(value > 10);
3374             });
3375
3376         callProbe() is only meant to be used for debugging sessions.  It is not