[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-01-12  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JSC does not build with FTL_USES_B3 on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=153011

        Reviewed by Saam Barati.

        Apparently the static const member can only be used for constexpr.
        C++ is weird.

        * jit/GPRInfo.cpp:
        * jit/GPRInfo.h:

2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>

        Web Inspector: console.count() shouldn't show a colon in front of a number
        https://bugs.webkit.org/show_bug.cgi?id=152038

        Reviewed by Brian Burg.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::count):
        Do not include title and colon if the title is empty.

2016-01-11  Dan Bernstein  <mitz@apple.com>

        Reverted r194317.

        Reviewed by Joseph Pecoraro.

        r194317 did not contain a change log entry, did not explain the motivation, did not name a
        reviewer, and does not seem necessary.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>

        keywords ("super", "delete", etc) should be valid method names
        https://bugs.webkit.org/show_bug.cgi?id=144281

        Reviewed by Ryosuke Niwa.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        - When parsing "static(", treat it as a method named "static" and not a static method.
        - When parsing a keyword, treat it like a string method name (get and set are not keywords).
        - When parsing a getter / setter method name identifier, allow the lookahead to be a keyword.

        (JSC::Parser<LexerType>::parseGetterSetter):
        - When parsing the getter / setter's name, allow it to be a keyword.

2016-01-11  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add Div/Mod and fix Mul for B3 ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152978

        Reviewed by Filip Pizlo.

        Add the 3-operand forms of Mul.
        Remove the form taking an immediate on ARM64; there is no such instruction.

        Add Div with sdiv.

        Unfortunately, I discovered ChillMod's division by zero
        makes it non-trivial on ARM64. I just made it into a macro like on x86.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::mul32):
        (JSC::MacroAssemblerARM64::mul64):
        (JSC::MacroAssemblerARM64::div32):
        (JSC::MacroAssemblerARM64::div64):
        * b3/B3LowerMacros.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/air/AirOpcode.opcodes:

2016-01-11  Keith Miller  <keith_miller@apple.com>

        Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
        https://bugs.webkit.org/show_bug.cgi?id=152949

        Reviewed by Michael Saboff.

        This patch updates Array constructors to use the new InternalFunctionAllocationProfile.

        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        (JSC::constructWithArrayConstructor):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
        (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        (JSC::constructArrayNegativeIndexed):
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:

2016-01-08  Keith Miller  <keith_miller@apple.com>

        Use a profile to store allocation structures for subclasses of InternalFunctions
        https://bugs.webkit.org/show_bug.cgi?id=152942

        Reviewed by Michael Saboff.

        This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
        a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
        InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
        constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
        constructor as a new.target to any other constructor. This means that a user can pass some
        non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
        new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
        need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
        current constructor. By using different profiles, we only need to check the profile in InternalFunctions
        as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
        low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.

        Additionally, this patch adds subclassing to some omitted classes.

        * API/JSObjectRef.cpp:
        (JSObjectMakeDate):
        (JSObjectMakeRegExp):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/InternalFunctionAllocationProfile.h: Added.
        (JSC::InternalFunctionAllocationProfile::structure):
        (JSC::InternalFunctionAllocationProfile::clear):
        (JSC::InternalFunctionAllocationProfile::visitAggregate):
        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::constructWithDateConstructor):
        * runtime/DateConstructor.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::create):
        (JSC::FunctionRareData::visitChildren):
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        (JSC::FunctionRareData::clear):
        (JSC::FunctionRareData::finishCreation): Deleted.
        (JSC::FunctionRareData::initialize): Deleted.
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
        (JSC::FunctionRareData::objectAllocationProfile):
        (JSC::FunctionRareData::objectAllocationStructure):
        (JSC::FunctionRareData::allocationProfileWatchpointSet):
        (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
        (JSC::FunctionRareData::internalFunctionAllocationStructure):
        (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
        (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
        (JSC::FunctionRareData::allocationProfile): Deleted.
        (JSC::FunctionRareData::allocationStructure): Deleted.
        (JSC::FunctionRareData::isInitialized): Deleted.
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/InternalFunction.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::allocateRareData):
        (JSC::JSFunction::allocateAndInitializeRareData):
        (JSC::JSFunction::initializeRareData):
        * runtime/JSFunction.h:
        (JSC::JSFunction::rareData):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::typeInfo):
        (JSC::JSFinalObject::createStructure):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWeakSet.cpp:
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::createEmptyStructure):
        (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::getRegExpStructure):
        (JSC::constructRegExp):
        (JSC::constructWithRegExpConstructor):
        * runtime/RegExpConstructor.h:
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * tests/stress/class-subclassing-misc.js:
        (A):
        (D):
        (E):
        (WM):
        (WS):
        (test):
        * tests/stress/class-subclassing-typedarray.js: Added.
        (test):

2016-01-11  Per Arne Vollan  <peavo@outlook.com>

        [B3][Win64] Compile error.
        https://bugs.webkit.org/show_bug.cgi?id=152984

        Reviewed by Alex Christensen.

        Windows does not have bzero; use memset instead.

        * b3/air/AirIteratedRegisterCoalescing.cpp:

2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>

        Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=152923

        Reviewed by Alex Christensen.

        * jit/CallFrameShuffler.h:
        (JSC::CallFrameShuffler::assumeCalleeIsCell):

2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>

        [B3] Fix control reaches end of non-void function GCC warnings on Linux
        https://bugs.webkit.org/show_bug.cgi?id=152887

        Reviewed by Mark Lam.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createBranch):
        (JSC::B3::Air::LowerToAir::createCompare):
        (JSC::B3::Air::LowerToAir::createSelect):
        * b3/B3Type.h:
        (JSC::B3::sizeofType):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::isRepresentableAs):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::isAnyUse):
        (JSC::B3::Air::Arg::isColdUse):
        (JSC::B3::Air::Arg::isEarlyUse):
        (JSC::B3::Air::Arg::isLateUse):
        (JSC::B3::Air::Arg::isAnyDef):
        (JSC::B3::Air::Arg::isEarlyDef):
        (JSC::B3::Air::Arg::isLateDef):
        (JSC::B3::Air::Arg::isZDef):
        (JSC::B3::Air::Arg::widthForB3Type):
        (JSC::B3::Air::Arg::isGP):
        (JSC::B3::Air::Arg::isFP):
        (JSC::B3::Air::Arg::isType):
        (JSC::B3::Air::Arg::isValidForm):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::newTmp):
        (JSC::B3::Air::Code::numTmps):

2016-01-11  Filip Pizlo  <fpizlo@apple.com>

        Make it easier to introduce exotic instructions to Air
        https://bugs.webkit.org/show_bug.cgi?id=152953

        Reviewed by Benjamin Poulain.

        Currently, you can define new "opcodes" in Air using either:

        1) New opcode declared in AirOpcode.opcodes.
        2) Patch opcode with a new implementation of Air::Special.

        With (1), you are limited to fixed-argument-length instructions. There are other
        restrictions as well, like that you can only use the roles that the AirOpcode syntax
        supports.

        With (2), you can do anything you like, but the instruction will be harder to match
        since it will share the same opcode as any other Patch. Also, the instruction will have
        the Special argument, which means more busy-work when creating the instruction and
        validating it.

        This introduces an in-between facility called "custom". This replaces what AirOpcode
        previously called "special". A custom instruction is one whose behavior is defined by a
        FooCustom struct with some static methods. Calls to those methods are emitted by
        opcode_generator.rb.

        The "custom" facility is powerful enough to be used to implement Patch, with the caveat
        that we now treat the Patch instruction specially in a few places. Those places were
        already effectively treating it specially by assuming that only Patch instructions have
        a Special as their first argument.

        This will let me implement the Shuffle instruction (bug 152952), which I think is needed
        for performance work.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/air/AirCustom.h: Added.
        (JSC::B3::Air::PatchCustom::forEachArg):
        (JSC::B3::Air::PatchCustom::isValidFormStatic):
        (JSC::B3::Air::PatchCustom::isValidForm):
        (JSC::B3::Air::PatchCustom::admitsStack):
        (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
        (JSC::B3::Air::PatchCustom::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::forEach):
        (JSC::B3::Air::Inst::extraClobberedRegs):
        (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
        (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
        (JSC::B3::Air::Inst::reportUsedRegisters):
        (JSC::B3::Air::Inst::hasSpecial): Deleted.
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirReportUsedRegisters.cpp:
        (JSC::B3::Air::reportUsedRegisters):
        * b3/air/opcode_generator.rb:

2016-01-11  Filip Pizlo  <fpizlo@apple.com>

        Turn Check(true) into Patchpoint() followed by Oops
        https://bugs.webkit.org/show_bug.cgi?id=152968

        Reviewed by Benjamin Poulain.

        This is an obvious strength reduction to have, especially since if we discover that the
        input to the Check is true after some amount of B3 optimization, then stubbing out the rest
        of the basic block unlocks CFG simplification opportunities.

        It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
        implement sinking (bug 152162).

        * b3/B3ControlValue.cpp:
        (JSC::B3::ControlValue::convertToJump):
        (JSC::B3::ControlValue::convertToOops):
        (JSC::B3::ControlValue::dumpMeta):
        * b3/B3ControlValue.h:
        * b3/B3InsertionSet.h:
        (JSC::B3::InsertionSet::insertValue):
        * b3/B3InsertionSetInlines.h:
        (JSC::B3::InsertionSet::insert):
        * b3/B3ReduceStrength.cpp:
        * b3/B3StackmapValue.h:
        * b3/B3Value.h:
        * tests/stress/ftl-force-osr-exit.js: Added.

2016-01-11  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
        https://bugs.webkit.org/show_bug.cgi?id=152840

        Reviewed by Mark Lam.

        ARM64 has two kinds of addressing with immediates:
        - Signed 9-bit direct (really only -256 to 255).
        - Unsigned 12-bit scaled by the load/store size.

        When resolving the stack addresses, we easily run
        past -256 bytes from FP. Addressing from SP gives us more
        room to address the stack efficiently because we can
        use unsigned immediates.

        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::repForArg):
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):

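The two immediate forms the entry above relies on, as an added example that is not JavaScriptCore code: a check for whether a stack-slot offset can be encoded as an ARM64 load/store immediate, and the FP-then-SP base choice that follows from it. The function names and the `frameSize` input (the SP-to-FP distance) are assumptions of this example.

```cpp
// Added example; not code from JavaScriptCore. It models the two ARM64
// immediate addressing forms named in the ChangeLog entry and the
// base-register choice that follows from them. Names and the frameSize
// input are assumed for the example.
#include <cstdint>

enum class Base { FP, SP, None };

struct Addressing {
    Base base;
    int64_t offset;   // immediate to add to the base register
};

// Unscaled form: signed 9-bit immediate, i.e. -256..255 bytes.
bool fitsSigned9(int64_t offset)
{
    return offset >= -256 && offset <= 255;
}

// Scaled form: the immediate is a 12-bit count of access-size units, so
// the byte offset must be non-negative, a multiple of the access size,
// and at most 4095 * accessSize.
bool fitsUnsigned12Scaled(int64_t offset, int64_t accessSize)
{
    if (accessSize <= 0 || offset < 0 || offset % accessSize != 0)
        return false;
    return offset / accessSize <= 4095;
}

bool isEncodableImmediate(int64_t offset, int64_t accessSize)
{
    return fitsSigned9(offset) || fitsUnsigned12Scaled(offset, accessSize);
}

// fpOffset is the slot's position relative to FP (negative: below FP).
// frameSize is the distance from SP up to FP, so the same slot sits at
// fpOffset + frameSize above SP. Prefer FP; fall back to SP, which makes
// the offset non-negative and eligible for the larger scaled form.
Addressing chooseAddressing(int64_t fpOffset, int64_t frameSize, int64_t accessSize)
{
    if (isEncodableImmediate(fpOffset, accessSize))
        return { Base::FP, fpOffset };

    int64_t spOffset = fpOffset + frameSize;
    if (spOffset >= 0 && isEncodableImmediate(spOffset, accessSize))
        return { Base::SP, spOffset };

    // Neither base works: the offset would have to be materialized in a
    // scratch register before the access.
    return { Base::None, 0 };
}
```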
2016-01-10  Saam barati  <sbarati@apple.com>

        Implement a sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=151713

        Reviewed by Filip Pizlo.

        This patch implements a sampling profiler for JavaScriptCore
        that will be used in the Inspector UI. The implementation works as follows:
        We queue the sampling profiler to run a task on a background
        thread every 1ms. When the queued task executes, the sampling profiler
        will pause the JSC execution thread and attempt to take a stack trace.
        The sampling profiler does everything it can to be very careful
        while taking this stack trace. Because it's reading arbitrary memory,
        the sampling profiler must validate every pointer it reads from.

        The sampling profiler tries to get an ExecutableBase for every call frame
        it reads. It first tries to read the CodeBlock slot. It does this because
        it can be 100% certain that a pointer is a CodeBlock while it's taking a
        stack trace. But, not every call frame will have a CodeBlock. So we must read
        the call frame's callee. For these stack traces where we read the callee, we
        must verify the callee pointer, and the pointer traversal to an ExecutableBase,
        on the main JSC execution thread, and not on the thread taking the stack
        trace. We do this verification either before we run the marking phase in
        GC, or when somebody asks the SamplingProfiler to materialize its data.

        The SamplingProfiler must also be careful to not grab any locks while the JSC execution
        thread is paused (this means it can't do anything that mallocs) because
        that could cause a deadlock. Therefore, the sampling profiler grabs
        locks for all data structures it consults before it pauses the JSC
        execution thread.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
        (JSC::CodeBlockSet::mark):
        * dfg/DFGNodeType.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::promoteYoungCodeBlocks):
        (JSC::CodeBlockSet::clearMarksForFullCollection):
        (JSC::CodeBlockSet::lastChanceToFinalize):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::contains):
        (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
        (JSC::CodeBlockSet::remove): Deleted.
        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::getLock):
        (JSC::CodeBlockSet::iterate):
        The sampling profiler uses the heap's CodeBlockSet to validate
        CodeBlock pointers. This data structure must now be under a lock
        because we must be certain we're not pausing the JSC execution thread
        while it's manipulating this data structure.

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::grow):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::genericAddSpan):
        (JSC::ConservativeRoots::add):
        (JSC::CompositeMarkHook::CompositeMarkHook):
        (JSC::CompositeMarkHook::mark):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::visitSamplingProfiler):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::snapshotMarkedSpace):
        * heap/Heap.h:
        (JSC::Heap::structureIDTable):
        (JSC::Heap::codeBlockSet):
        * heap/MachineStackMarker.cpp:
        (pthreadSignalHandlerSuspendResume):
        (JSC::getCurrentPlatformThread):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::Thread::operator==):
        (JSC::isThreadInList):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::Thread::Thread):
        (JSC::MachineThreads::Thread::~Thread):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::Thread::resume):
        (JSC::MachineThreads::Thread::getRegisters):
        (JSC::MachineThreads::Thread::Registers::stackPointer):
        (JSC::MachineThreads::Thread::Registers::framePointer):
        (JSC::MachineThreads::Thread::Registers::instructionPointer):
        (JSC::MachineThreads::Thread::freeRegisters):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::pthreadSignalHandlerSuspendResume): Deleted.
        (JSC::MachineThreads::Thread::operator!=): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::Thread::operator!=):
        (JSC::MachineThreads::getLock):
        (JSC::MachineThreads::threadsListHead):
        We can now ask a MachineThreads::Thread for its frame pointer
        and program counter on Darwin and Windows platforms. EFL
        and GTK implementations will happen in another patch.

        * heap/MarkedBlockSet.h:
        (JSC::MarkedBlockSet::getLock):
        (JSC::MarkedBlockSet::add):
        (JSC::MarkedBlockSet::remove):
        (JSC::MarkedBlockSet::recomputeFilter):
        (JSC::MarkedBlockSet::filter):
        (JSC::MarkedBlockSet::set):
        * heap/MarkedSpace.cpp:
        (JSC::Free::Free):
        (JSC::Free::operator()):
        (JSC::FreeOrShrink::FreeOrShrink):
        (JSC::FreeOrShrink::operator()):
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::isPagedOut):
        (JSC::MarkedSpace::freeBlock):
        (JSC::MarkedSpace::freeOrShrinkBlock):
        (JSC::MarkedSpace::shrink):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachLiveCell):
        (JSC::MarkedSpace::forEachDeadCell):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::callee):
        (JSC::ExecState::unsafeCallee):
        (JSC::ExecState::codeBlock):
        (JSC::ExecState::scope):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::dumpProfile):
        (JSC::ExecutableAllocator::getLock):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        (JSC::ExecutableAllocator::getLock):
        (JSC::ExecutableAllocator::committedByteCount):
        The sampling profiler consults the ExecutableAllocator to check
        if the frame pointer it reads is in executable allocated memory.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCheckModuleSyntax):
        (functionStartSamplingProfiler):
        (functionSamplingProfilerStackTraces):
        * llint/LLIntPCRanges.h: Added.
        (JSC::LLInt::isLLIntPC):
        * offlineasm/asm.rb:
        I added the ability to test whether the PC is executing
        LLInt code because this code is not part of the memory
        our executable allocator allocates.

        * runtime/Executable.h:
        (JSC::ExecutableBase::isModuleProgramExecutable):
        (JSC::ExecutableBase::isExecutableType):
        (JSC::ExecutableBase::isHostFunction):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::unlock):
        * runtime/Options.h:
        * runtime/SamplingProfiler.cpp: Added.
        (JSC::reportStats):
        (JSC::FrameWalker::FrameWalker):
        (JSC::FrameWalker::walk):
        (JSC::FrameWalker::wasValidWalk):
        (JSC::FrameWalker::advanceToParentFrame):
        (JSC::FrameWalker::isAtTop):
        (JSC::FrameWalker::resetAtMachineFrame):
        (JSC::FrameWalker::isValidFramePointer):
        (JSC::FrameWalker::isValidCodeBlock):
        (JSC::FrameWalker::tryToGetExecutableFromCallee):
        The FrameWalker class is used to walk the stack in a safe
        manner. It doesn't do anything that would deadlock, and it
        validates all pointers that it sees.

        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::~SamplingProfiler):
        (JSC::SamplingProfiler::visit):
        (JSC::SamplingProfiler::shutdown):
        (JSC::SamplingProfiler::start):
        (JSC::SamplingProfiler::stop):
        (JSC::SamplingProfiler::pause):
        (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
        (JSC::SamplingProfiler::dispatchIfNecessary):
        (JSC::SamplingProfiler::dispatchFunction):
        (JSC::SamplingProfiler::noticeJSLockAcquisition):
        (JSC::SamplingProfiler::noticeVMEntry):
        (JSC::SamplingProfiler::observeStackTrace):
        (JSC::SamplingProfiler::clearData):
        (JSC::displayName):
        (JSC::startLine):
        (JSC::startColumn):
        (JSC::sourceID):
        (JSC::url):
        (JSC::SamplingProfiler::stacktracesAsJSON):
        * runtime/SamplingProfiler.h: Added.
        (JSC::SamplingProfiler::getLock):
        (JSC::SamplingProfiler::setTimingInterval):
        (JSC::SamplingProfiler::stackTraces):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::setLastStackTop):
        (JSC::VM::createContextGroup):
        (JSC::VM::ensureWatchdog):
        (JSC::VM::ensureSamplingProfiler):
        (JSC::thunkGeneratorForIntrinsic):
        * runtime/VM.h:
        (JSC::VM::watchdog):
        (JSC::VM::isSafeToRecurse):
        (JSC::VM::lastStackTop):
        (JSC::VM::scratchBufferForSize):
        (JSC::VM::samplingProfiler):
        (JSC::VM::setShouldRewriteConstAsVar):
        (JSC::VM::setLastStackTop): Deleted.
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * tests/stress/sampling-profiler: Added.
        * tests/stress/sampling-profiler-anonymous-function.js: Added.
        (foo):
        (baz):
        * tests/stress/sampling-profiler-basic.js: Added.
        (bar):
        (foo):
        (nothing):
        (top):
        (jaz):
        (kaz):
        (checkInlining):
        * tests/stress/sampling-profiler-deep-stack.js: Added.
        (foo):
        (hellaDeep):
        (start):
        * tests/stress/sampling-profiler-microtasks.js: Added.
        (testResults):
        (loop.jaz):
        (loop):
        * tests/stress/sampling-profiler/samplingProfiler.js: Added.
        (assert):
        (let.nodePrototype.makeChildIfNeeded):
        (makeNode):
        (updateCallingContextTree):
        (doesTreeHaveStackTrace):
        (makeTree):
        (runTest):
        (dumpTree):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::isInObjectSpace):
        (JSC::JSDollarVMPrototype::isInStorageSpace):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        We now have a boolean that's set to true when
        we're executing a RegExp, and to false otherwise.
        The boolean lives off of VM.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
        (JSC::CodeBlockSet::mark):
        * dfg/DFGNodeType.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::promoteYoungCodeBlocks):
        (JSC::CodeBlockSet::clearMarksForFullCollection):
        (JSC::CodeBlockSet::lastChanceToFinalize):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::contains):
        (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
        (JSC::CodeBlockSet::remove): Deleted.
        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::getLock):
        (JSC::CodeBlockSet::iterate):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::add):
        (JSC::CompositeMarkHook::CompositeMarkHook):
        (JSC::CompositeMarkHook::mark):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::visitSamplingProfiler):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        * heap/Heap.h:
        (JSC::Heap::structureIDTable):
        (JSC::Heap::codeBlockSet):
        * heap/HeapInlines.h:
        (JSC::Heap::didFreeBlock):
        (JSC::Heap::isPointerGCObject):
        (JSC::Heap::isValueGCObject):
        * heap/MachineStackMarker.cpp:
        (pthreadSignalHandlerSuspendResume):
        (JSC::getCurrentPlatformThread):
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::Thread::operator==):
        (JSC::isThreadInList):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::Thread::Thread):
        (JSC::MachineThreads::Thread::~Thread):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::Thread::resume):
        (JSC::MachineThreads::Thread::getRegisters):
        (JSC::MachineThreads::Thread::Registers::stackPointer):
        (JSC::MachineThreads::Thread::Registers::framePointer):
        (JSC::MachineThreads::Thread::Registers::instructionPointer):
        (JSC::MachineThreads::Thread::freeRegisters):
        (JSC::pthreadSignalHandlerSuspendResume): Deleted.
        (JSC::MachineThreads::Thread::operator!=): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::Thread::operator!=):
        (JSC::MachineThreads::getLock):
        (JSC::MachineThreads::threadsListHead):
        * heap/MarkedBlockSet.h:
        * heap/MarkedSpace.cpp:
        (JSC::Free::Free):
        (JSC::Free::operator()):
        (JSC::FreeOrShrink::FreeOrShrink):
        (JSC::FreeOrShrink::operator()):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::callee):
        (JSC::ExecState::unsafeCallee):
        (JSC::ExecState::codeBlock):
        (JSC::ExecState::scope):
        * jit/ExecutableAllocator.cpp:
733         (JSC::ExecutableAllocator::dumpProfile):
734         (JSC::ExecutableAllocator::getLock):
735         (JSC::ExecutableAllocator::isValidExecutableMemory):
736         * jit/ExecutableAllocator.h:
737         * jit/ExecutableAllocatorFixedVMPool.cpp:
738         (JSC::ExecutableAllocator::allocate):
739         (JSC::ExecutableAllocator::isValidExecutableMemory):
740         (JSC::ExecutableAllocator::getLock):
741         (JSC::ExecutableAllocator::committedByteCount):
742         * jsc.cpp:
743         (GlobalObject::finishCreation):
744         (functionCheckModuleSyntax):
745         (functionPlatformSupportsSamplingProfiler):
746         (functionStartSamplingProfiler):
747         (functionSamplingProfilerStackTraces):
748         * llint/LLIntPCRanges.h: Added.
749         (JSC::LLInt::isLLIntPC):
750         * offlineasm/asm.rb:
751         * runtime/Executable.h:
752         (JSC::ExecutableBase::isModuleProgramExecutable):
753         (JSC::ExecutableBase::isExecutableType):
754         (JSC::ExecutableBase::isHostFunction):
755         * runtime/JSLock.cpp:
756         (JSC::JSLock::didAcquireLock):
757         (JSC::JSLock::unlock):
758         * runtime/Options.h:
759         * runtime/SamplingProfiler.cpp: Added.
760         (JSC::reportStats):
761         (JSC::FrameWalker::FrameWalker):
762         (JSC::FrameWalker::walk):
763         (JSC::FrameWalker::wasValidWalk):
764         (JSC::FrameWalker::advanceToParentFrame):
765         (JSC::FrameWalker::isAtTop):
766         (JSC::FrameWalker::resetAtMachineFrame):
767         (JSC::FrameWalker::isValidFramePointer):
768         (JSC::FrameWalker::isValidCodeBlock):
769         (JSC::SamplingProfiler::SamplingProfiler):
770         (JSC::SamplingProfiler::~SamplingProfiler):
771         (JSC::SamplingProfiler::processUnverifiedStackTraces):
772         (JSC::SamplingProfiler::visit):
773         (JSC::SamplingProfiler::shutdown):
774         (JSC::SamplingProfiler::start):
775         (JSC::SamplingProfiler::stop):
776         (JSC::SamplingProfiler::pause):
777         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
778         (JSC::SamplingProfiler::dispatchIfNecessary):
779         (JSC::SamplingProfiler::dispatchFunction):
780         (JSC::SamplingProfiler::noticeJSLockAcquisition):
781         (JSC::SamplingProfiler::noticeVMEntry):
782         (JSC::SamplingProfiler::clearData):
783         (JSC::displayName):
784         (JSC::SamplingProfiler::stacktracesAsJSON):
785         (WTF::printInternal):
786         * runtime/SamplingProfiler.h: Added.
787         (JSC::SamplingProfiler::StackFrame::StackFrame):
788         (JSC::SamplingProfiler::getLock):
789         (JSC::SamplingProfiler::setTimingInterval):
790         (JSC::SamplingProfiler::stackTraces):
791         * runtime/VM.cpp:
792         (JSC::VM::VM):
793         (JSC::VM::~VM):
794         (JSC::VM::setLastStackTop):
795         (JSC::VM::createContextGroup):
796         (JSC::VM::ensureWatchdog):
797         (JSC::VM::ensureSamplingProfiler):
798         (JSC::thunkGeneratorForIntrinsic):
799         * runtime/VM.h:
800         (JSC::VM::watchdog):
801         (JSC::VM::samplingProfiler):
802         (JSC::VM::isSafeToRecurse):
803         (JSC::VM::lastStackTop):
804         (JSC::VM::scratchBufferForSize):
805         (JSC::VM::setLastStackTop): Deleted.
806         * runtime/VMEntryScope.cpp:
807         (JSC::VMEntryScope::VMEntryScope):
808         * tests/stress/sampling-profiler: Added.
809         * tests/stress/sampling-profiler-anonymous-function.js: Added.
810         (platformSupportsSamplingProfiler.foo):
811         (platformSupportsSamplingProfiler.baz):
812         (platformSupportsSamplingProfiler):
813         * tests/stress/sampling-profiler-basic.js: Added.
814         (platformSupportsSamplingProfiler.bar):
815         (platformSupportsSamplingProfiler.foo):
816         (platformSupportsSamplingProfiler.nothing):
817         (platformSupportsSamplingProfiler.top):
818         (platformSupportsSamplingProfiler.jaz):
819         (platformSupportsSamplingProfiler.kaz):
820         (platformSupportsSamplingProfiler.checkInlining):
821         (platformSupportsSamplingProfiler):
822         * tests/stress/sampling-profiler-deep-stack.js: Added.
823         (platformSupportsSamplingProfiler.foo):
824         (platformSupportsSamplingProfiler.let.hellaDeep):
825         (platformSupportsSamplingProfiler.let.start):
826         (platformSupportsSamplingProfiler):
827         * tests/stress/sampling-profiler-microtasks.js: Added.
828         (platformSupportsSamplingProfiler.testResults):
829         (platformSupportsSamplingProfiler):
830         (platformSupportsSamplingProfiler.loop.jaz):
831         (platformSupportsSamplingProfiler.loop):
832         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
833         (assert):
834         (let.nodePrototype.makeChildIfNeeded):
835         (makeNode):
836         (updateCallingContextTree):
837         (doesTreeHaveStackTrace):
838         (makeTree):
839         (runTest):
840         (dumpTree):
841         * yarr/YarrJIT.cpp:
842         (JSC::Yarr::YarrGenerator::generateEnter):
843         (JSC::Yarr::YarrGenerator::generateReturn):
844         (JSC::Yarr::YarrGenerator::YarrGenerator):
845         (JSC::Yarr::YarrGenerator::compile):
846         (JSC::Yarr::jitCompile):
847
848 2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
849
850         [JSC] Iterating over a Set/Map is too slow
851         https://bugs.webkit.org/show_bug.cgi?id=152691
852
853         Reviewed by Saam Barati.
854
855         Set#forEach and Set & for-of are very slow. There are 2 reasons.
856
857         1. forEach is implemented in C++, and it typically takes a JS callback and calls it from C++.
858
859         The C++ to JS transition seems costly. The perf result on a Linux machine shows this.
860
861             Samples: 23K of event 'cycles', Event count (approx.): 21446074385
862             34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
863             20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
864              9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
865              7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
866              5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f
867
868         Writing forEach in JS eliminates this.
869
870             Samples: 23K of event 'cycles', Event count (approx.): 21255691651
871             62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
872             24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
873              0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
874              0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
875              0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
876              0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
877              0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)
878
879         2. Iterator result object allocation is costly.
880
881         Iterator result object allocation is costly. Even if (1) is solved, when executing Set & for-of, the perf result shows very slow performance due to (2).
882
883             Samples: 108K of event 'cycles', Event count (approx.): 95529273748
884             18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
885             15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
886             14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
887             13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
888              6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const
889
890         In the long term, we should implement SetIterator#next in JS and make the iterator result object allocation written in JS to encourage object allocation elimination in FTL.
891         But looking at the perf result, we can find an easy-to-fix bottleneck in the current implementation.
892         Every time, createIteratorResultObject creates an empty object and uses putDirect to store the properties.
893         A pre-baked Structure* with `done` and `value` properties makes this implementation fast.
894
895         After these improvements, the micro benchmark[1] shows the following.
896
897         old:
898             Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
899             Array x 376,156 ops/sec ±0.20% (162 runs sampled)
900             Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
901             Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
902             Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
903             Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)
904
905         new:
906             Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
907             Array x 371,347 ops/sec ±0.36% (162 runs sampled)
908             Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
909             Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
910             Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
911             Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)
912
913         Set#forEach becomes comparable to Array#forEach. Set#forEach and Set & for-of are improved (1.79x and 2.57x).
914         After these optimizations, they are still much slower than the linked list and array.
915         This should be optimized in the long term.
916
917         [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0
918
919         * CMakeLists.txt:
920         * DerivedSources.make:
921         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
922         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
923         * JavaScriptCore.xcodeproj/project.pbxproj:
924         * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
925         (forEach):
926         * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
927         (forEach):
928         * runtime/CommonIdentifiers.h:
929         * runtime/IteratorOperations.cpp:
930         (JSC::createIteratorResultObjectStructure):
931         (JSC::createIteratorResultObject):
932         * runtime/IteratorOperations.h:
933         * runtime/JSGlobalObject.cpp:
934         (JSC::JSGlobalObject::init):
935         (JSC::JSGlobalObject::visitChildren):
936         * runtime/JSGlobalObject.h:
937         (JSC::JSGlobalObject::iteratorResultObjectStructure):
938         (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
939         (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
940         * runtime/MapPrototype.cpp:
941         (JSC::MapPrototype::getOwnPropertySlot):
942         (JSC::privateFuncIsMap):
943         (JSC::privateFuncMapIterator):
944         (JSC::privateFuncMapIteratorNext):
945         (JSC::MapPrototype::finishCreation): Deleted.
946         (JSC::mapProtoFuncForEach): Deleted.
947         * runtime/MapPrototype.h:
948         * runtime/SetPrototype.cpp:
949         (JSC::SetPrototype::getOwnPropertySlot):
950         (JSC::privateFuncIsSet):
951         (JSC::privateFuncSetIterator):
952         (JSC::privateFuncSetIteratorNext):
953         (JSC::SetPrototype::finishCreation): Deleted.
954         (JSC::setProtoFuncForEach): Deleted.
955         * runtime/SetPrototype.h:
956
957 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
958
959         Unreviewed, fix ARM64 build.
960
961         * b3/air/AirOpcode.opcodes:
962
963 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
964
965         B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
966         https://bugs.webkit.org/show_bug.cgi?id=152955
967
968         Reviewed by Saam Barati.
969
970         This happens when we box an int32 and then immediately unbox it.
971
972         This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
973         benchmark. It's neutral elsewhere.
974
975         * b3/B3ReduceStrength.cpp:
976         * b3/testb3.cpp:
977         (JSC::B3::testPowDoubleByIntegerLoop):
978         (JSC::B3::testTruncOrHigh):
979         (JSC::B3::testTruncOrLow):
980         (JSC::B3::testBitAndOrHigh):
981         (JSC::B3::testBitAndOrLow):
982         (JSC::B3::zero):
983         (JSC::B3::run):
984
985 2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
986
987         [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
988         https://bugs.webkit.org/show_bug.cgi?id=149855
989
990         Reviewed by Saam Barati.
991
992         JSArrowFunction.h/cpp were removed from JavaScriptCore, because a new approach is now used for storing
993         'this', 'arguments' and 'super'.
994
995         * CMakeLists.txt:
996         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
997         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
998         * JavaScriptCore.xcodeproj/project.pbxproj:
999         * dfg/DFGAbstractInterpreterInlines.h:
1000         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1001         * dfg/DFGSpeculativeJIT.cpp:
1002         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1003         * dfg/DFGStructureRegistrationPhase.cpp:
1004         (JSC::DFG::StructureRegistrationPhase::run):
1005         * ftl/FTLAbstractHeapRepository.cpp:
1006         * ftl/FTLAbstractHeapRepository.h:
1007         * ftl/FTLLowerDFGToLLVM.cpp:
1008         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
1009         * interpreter/Interpreter.cpp:
1010         * interpreter/Interpreter.h:
1011         * jit/JITOpcodes.cpp:
1012         * jit/JITOpcodes32_64.cpp:
1013         * jit/JITOperations.cpp:
1014         * jit/JITOperations.h:
1015         * llint/LLIntOffsetsExtractor.cpp:
1016         * llint/LLIntSlowPaths.cpp:
1017         * runtime/JSArrowFunction.cpp: Removed.
1018         * runtime/JSArrowFunction.h: Removed.
1019         * runtime/JSGlobalObject.cpp:
1020         * runtime/JSGlobalObject.h:
1021
1022 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
1023
1024         It should be possible to run liveness over registers without also tracking Tmps
1025         https://bugs.webkit.org/show_bug.cgi?id=152963
1026
1027         Reviewed by Saam Barati.
1028
1029         This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
1030         easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
1031         code like that for handling cold function calls. It also makes code like that somewhat more
1032         scalable, since we're no longer using HashSets.
1033
1034         Currently, the way we track sets of registers is with a BitVector. Normally, we use the
1035         RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
1036         the liveness analysis, everything gets turned into an index. So, we want to use BitVector
1037         directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
1038         think that this is good, because the lack of set methods (add/remove/contains) has caused
1039         bugs in the past. This makes BitVector have methods both for set operations on bits and array
1040         operations on bits. I think that's good, since BitVector gets used in both contexts.
1041
1042         * b3/B3IndexSet.h:
1043         (JSC::B3::IndexSet::Iterable::iterator::iterator):
1044         (JSC::B3::IndexSet::Iterable::begin):
1045         (JSC::B3::IndexSet::dump):
1046         * b3/air/AirInstInlines.h:
1047         (JSC::B3::Air::ForEach<Tmp>::forEach):
1048         (JSC::B3::Air::ForEach<Arg>::forEach):
1049         (JSC::B3::Air::ForEach<Reg>::forEach):
1050         (JSC::B3::Air::Inst::forEach):
1051         * b3/air/AirLiveness.h:
1052         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
1053         (JSC::B3::Air::RegLivenessAdapter::maxIndex):
1054         (JSC::B3::Air::RegLivenessAdapter::acceptsType):
1055         (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
1056         (JSC::B3::Air::RegLivenessAdapter::indexToValue):
1057         * b3/air/AirReportUsedRegisters.cpp:
1058         (JSC::B3::Air::reportUsedRegisters):
1059         * jit/Reg.h:
1060         (JSC::Reg::next):
1061         (JSC::Reg::index):
1062         (JSC::Reg::maxIndex):
1063         (JSC::Reg::isSet):
1064         (JSC::Reg::operator bool):
1065         * jit/RegisterSet.h:
1066         (JSC::RegisterSet::forEach):
1067
1068 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
1069
1070         [JSC] Make branchMul functional in ARM B3 and minor fixes
1071         https://bugs.webkit.org/show_bug.cgi?id=152889
1072
1073         Reviewed by Mark Lam.
1074
1075         ARM64 does not have an "S" version of MUL that sets the flags.
1076         What we do is abstract that in the MacroAssembler. The problem
1077         is that form requires scratch registers.
1078
1079         For simplicity, I just exposed the two scratch registers
1080         for Air. Filip already added the concept of Scratch role,
1081         all I needed was to expose it for opcodes.
1082
1083         * assembler/MacroAssemblerARM64.h:
1084         (JSC::MacroAssemblerARM64::branchMul32):
1085         (JSC::MacroAssemblerARM64::branchMul64):
1086         Expose a version with the scratch registers as arguments.
1087
1088         * b3/B3LowerToAir.cpp:
1089         (JSC::B3::Air::LowerToAir::lower):
1090         Add the new form of CheckMul lowering.
1091
1092         * b3/air/AirOpcode.opcodes:
1093         Expose the new BranchMuls.
1094         Remove all the Test variants that use immediates
1095         since Air can't handle those immediates correctly yet.
1096
1097         * b3/air/opcode_generator.rb:
1098         Expose the Scratch role.
1099
1100         * b3/testb3.cpp:
1101         (JSC::B3::testPatchpointLotsOfLateAnys):
1102         Ooops, the scratch registers were not clobbered. We were just lucky
1103         on x86.
1104
1105 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
1106
1107         [JSC] B3 is unable to do function calls on ARM64
1108         https://bugs.webkit.org/show_bug.cgi?id=152895
1109
1110         Reviewed by Mark Lam.
1111
1112         Apparently iOS does not follow the ARM64 ABI for function calls.
1113         Instead of giving each value an 8-byte slot, it must be packed
1114         while preserving alignment.
1115
1116         This patch adds a #ifdef to make function calls functional.
1117
1118         * b3/B3LowerToAir.cpp:
1119         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
1120         (JSC::B3::Air::LowerToAir::lower):
1121
1122 2016-01-09  Filip Pizlo  <fpizlo@apple.com>
1123
1124         Air should support Branch64 with immediates
1125         https://bugs.webkit.org/show_bug.cgi?id=152951
1126
1127         Reviewed by Oliver Hunt.
1128
1129         This doesn't significantly improve performance on any benchmarks, but it's great to get this
1130         obvious omission out of the way.
1131
1132         * assembler/MacroAssemblerX86_64.h:
1133         (JSC::MacroAssemblerX86_64::branch64):
1134         * b3/air/AirOpcode.opcodes:
1135         * b3/testb3.cpp:
1136         (JSC::B3::testPowDoubleByIntegerLoop):
1137         (JSC::B3::testBranch64Equal):
1138         (JSC::B3::testBranch64EqualImm):
1139         (JSC::B3::testBranch64EqualMem):
1140         (JSC::B3::testBranch64EqualMemImm):
1141         (JSC::B3::zero):
1142         (JSC::B3::run):
1143
1144 2016-01-09  Dan Bernstein  <mitz@apple.com>
1145
1146         [Cocoa] Allow overriding the frameworks directory independently of using a staging install path
1147         https://bugs.webkit.org/show_bug.cgi?id=152926
1148
1149         Reviewed by Tim Horton.
1150
1151         Introduce a new build setting, WK_OVERRIDE_FRAMEWORKS_DIR. When not empty, it determines
1152         where the frameworks are installed. Setting USE_STAGING_INSTALL_PATH to YES sets
1153         WK_OVERRIDE_FRAMEWORKS_DIR to $(SYSTEM_LIBRARY_DIR)/StagedFrameworks/Safari.
1154
1155         Account for the possibility of WK_OVERRIDE_FRAMEWORKS_DIR containing spaces.
1156
1157         * Configurations/Base.xcconfig:
1158         - Replace STAGED_FRAMEWORKS_SEARCH_PATH in FRAMEWORK_SEARCH_PATHS with
1159           WK_OVERRIDE_FRAMEWORKS_DIR and add quotes to account for spaces.
1160         - Define JAVASCRIPTCORE_FRAMEWORKS_DIR based on WK_OVERRIDE_FRAMEWORKS_DIR.
1161         * Configurations/JSC.xcconfig:
1162           Add quotes to account for spaces.
1163         * Configurations/ToolExecutable.xcconfig:
1164           Ditto.
1165         * postprocess-headers.sh:
1166           Ditto.
1167
1168 2016-01-09  Mark Lam  <mark.lam@apple.com>
1169
1170         The FTL allocated spill slots for BinaryOps is sometimes inaccurate.
1171         https://bugs.webkit.org/show_bug.cgi?id=152918
1172
1173         Reviewed by Filip Pizlo and Saam Barati.
1174
1175         * ftl/FTLCompile.cpp:
1176         - Updated a comment.
1177         * ftl/FTLLowerDFGToLLVM.cpp:
1178         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1179         - The code to compute maxNumberOfCatchSpills was unnecessarily allocating an
1180           extra slot for BinaryOps that don't have Untyped operands, and failing to
1181           allocate that extra slot for some binary ops.  This is now fixed.
1182
1183         * tests/stress/ftl-shr-exception.js:
1184         * tests/stress/ftl-xor-exception.js:
1185         - Un-skipped these tests.  They now pass with this patch.
1186
1187 2016-01-09  Andreas Kling  <akling@apple.com>
1188
1189         Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
1190         <https://webkit.org/b/152902>
1191
1192         Reviewed by Anders Carlsson.
1193
1194         Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.
1195
1196         * API/JSAPIWrapperObject.mm:
1197         (jsAPIWrapperObjectHandleOwner):
1198         * API/JSManagedValue.mm:
1199         (managedValueHandleOwner):
1200         * inspector/agents/InspectorDebuggerAgent.cpp:
1201         (Inspector::objectGroupForBreakpointAction):
1202         * jit/ExecutableAllocator.cpp:
1203         (JSC::DemandExecutableAllocator::allocators):
1204
1205 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1206
1207         FTL B3 should do varargs tail calls and stack overflows
1208         https://bugs.webkit.org/show_bug.cgi?id=152934
1209
1210         Reviewed by Saam Barati.
1211
1212         I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
1213         at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
1214         why I have two fixes in one change. Now the test passes.
1215
1216         This reduces the number of failures from 13 to 0.
1217
1218         * ftl/FTLLowerDFGToLLVM.cpp:
1219         (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
1220         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
1221         append an Oops (i.e. "unreachable").
1222
1223 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1224
1225         B3 needs Neg()
1226         https://bugs.webkit.org/show_bug.cgi?id=152925
1227
1228         Reviewed by Mark Lam.
1229
1230         Previously we said that negation should be represented as Sub(0, x). That's wrong, since
1231         for floats, Sub(0, 0) == 0 while Neg(0) == -0.
1232
1233         One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
1234         should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
1235         to use bitops to represent floating point operations. Whatever cuteness this would have
1236         bought us would be outweighed by the annoyance of having to write code that matches
1237         Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
1238         would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
1239         Also, I suspect that the omission of Neg would cause others to make the mistake of using
1240         Sub to represent floating point negation.
1241
1242         So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
1243         negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
1244         floats, we lower it to BitXor(x, -0) on x86.
1245
1246         This reduces the number of failures from 13 to 12.
1247
1248         * assembler/MacroAssemblerX86Common.h:
1249         (JSC::MacroAssemblerX86Common::andFloat):
1250         (JSC::MacroAssemblerX86Common::xorDouble):
1251         (JSC::MacroAssemblerX86Common::xorFloat):
1252         (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
1253         * b3/B3LowerMacrosAfterOptimizations.cpp:
1254         * b3/B3LowerToAir.cpp:
1255         (JSC::B3::Air::LowerToAir::lower):
1256         * b3/B3Opcode.cpp:
1257         (WTF::printInternal):
1258         * b3/B3Opcode.h:
1259         * b3/B3ReduceStrength.cpp:
1260         * b3/B3Validate.cpp:
1261         * b3/B3Value.cpp:
1262         (JSC::B3::Value::effects):
1263         (JSC::B3::Value::key):
1264         (JSC::B3::Value::typeFor):
1265         * b3/air/AirOpcode.opcodes:
1266         * ftl/FTLB3Output.cpp:
1267         (JSC::FTL::Output::lockedStackSlot):
1268         (JSC::FTL::Output::neg):
1269         (JSC::FTL::Output::bitNot):
1270         * ftl/FTLB3Output.h:
1271         (JSC::FTL::Output::chillDiv):
1272         (JSC::FTL::Output::mod):
1273         (JSC::FTL::Output::chillMod):
1274         (JSC::FTL::Output::doubleAdd):
1275         (JSC::FTL::Output::doubleSub):
1276         (JSC::FTL::Output::doubleMul):
1277         (JSC::FTL::Output::doubleDiv):
1278         (JSC::FTL::Output::doubleMod):
1279         (JSC::FTL::Output::doubleNeg):
1280         (JSC::FTL::Output::bitAnd):
1281         (JSC::FTL::Output::bitOr):
1282         (JSC::FTL::Output::neg): Deleted.
1283         * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
1284         it's such a glaring bug, I thought having a test for it specifically would be good.
1285
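The signed-zero point in the entry above is easy to see with a small C program. The following is an added illustration, not JavaScriptCore's own code: the function names sub_from_zero, neg, xor_sign_bit, same_bits, sub_and_neg_differ_on_zero and xor_lowering_matches_neg are my own, and they stand in for the B3 forms Sub(0, x), Neg(x) and the BitXor(x, -0) lowering the entry describes. It shows why Sub(0, x) is not a valid representation of floating-point negation (it loses the sign of zero, which is observable through 1/x), and checks that the sign-bit xor agrees bit-for-bit with true negation.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not JavaScriptCore code). Each function mirrors one of
 * the B3 forms discussed in the ChangeLog entry; the names are my own. */

/* Sub(0, x): how negation was represented before B3 had a Neg() opcode. */
static double sub_from_zero(double x)
{
    return 0.0 - x;
}

/* Neg(x): IEEE 754 negation, which only flips the sign bit. */
static double neg(double x)
{
    return -x;
}

/* BitXor(x, -0): the x86 lowering of a floating-point Neg. The bit pattern of
 * -0.0 is exactly the sign-bit mask 0x8000000000000000. */
static double xor_sign_bit(double x)
{
    uint64_t bits, mask;
    const double negative_zero = -0.0;
    memcpy(&bits, &x, sizeof bits);
    memcpy(&mask, &negative_zero, sizeof mask);
    bits ^= mask;
    memcpy(&x, &bits, sizeof x);
    return x;
}

/* Compare bit patterns rather than values: 0.0 == -0.0 is true under ==,
 * which is exactly why this kind of bug is easy to miss in tests. */
static int same_bits(double a, double b)
{
    uint64_t ab, bb;
    memcpy(&ab, &a, sizeof ab);
    memcpy(&bb, &b, sizeof bb);
    return ab == bb;
}

/* Returns 1 when the difference is observable in ordinary arithmetic:
 * 1 / Neg(0) is -Infinity, but 1 / Sub(0, 0) is +Infinity. */
static int sub_and_neg_differ_on_zero(void)
{
    double via_sub = 1.0 / sub_from_zero(0.0);
    double via_neg = 1.0 / neg(0.0);
    return isinf(via_sub) && isinf(via_neg) && (signbit(via_sub) != 0) != (signbit(via_neg) != 0);
}

/* Checks that the xor lowering agrees bit-for-bit with Neg over both zeros,
 * ordinary values and both infinities. */
static int xor_lowering_matches_neg(void)
{
    const double inputs[] = { 0.0, -0.0, 1.5, -2.25, 1e300, INFINITY, -INFINITY };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (!same_bits(xor_sign_bit(inputs[i]), neg(inputs[i])))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("Sub(0, 0) has sign bit: %d\n", signbit(sub_from_zero(0.0)) != 0);
    printf("Neg(0) has sign bit:    %d\n", signbit(neg(0.0)) != 0);
    printf("1/Sub(0,0) = %g, 1/Neg(0) = %g\n", 1.0 / sub_from_zero(0.0), 1.0 / neg(0.0));
    printf("BitXor(x, -0) matches Neg(x) on all samples: %d\n", xor_lowering_matches_neg());
    return 0;
}
```

The same distinction is visible from JavaScript as `1 / -0 === -Infinity`, which is what a test like the entry's ftl-negate-zero.js can observe; a plain `==` comparison against 0 cannot tell the two zeros apart, so a test for this bug has to go through division or Object.is.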
1286 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1287
1288         FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
1289         https://bugs.webkit.org/show_bug.cgi?id=152922
1290
1291         Reviewed by Saam Barati.
1292
1293         FTL B3 was generating a handler table that first contained the old baseline handlers keyed
1294         by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
1295         wrong, since the FTL code block should not contain any baseline handlers. The fix is to
1296         clear the handlers before generation, sort of like FTL LLVM does.
1297
1298         Also added some stuff to make it easier to inspect the handler table.
1299
1300         This reduces the number of failures from 25 to 13.
1301
1302         * bytecode/CodeBlock.cpp:
1303         (JSC::CodeBlock::dumpBytecode):
1304         (JSC::CodeBlock::dumpExceptionHandlers):
1305         (JSC::CodeBlock::beginDumpProfiling):
1306         * bytecode/CodeBlock.h:
1307         * ftl/FTLB3Compile.cpp:
1308         (JSC::FTL::compile):
1309
1310 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1311
1312         B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
1313         https://bugs.webkit.org/show_bug.cgi?id=152916
1314
1315         Reviewed by Mark Lam.
1316
1317         This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!
1318
1319         This reduces the number of failures from 27 to 25.
1320
1321         * b3/B3ReduceStrength.cpp:
1322
1323 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1324
1325         FTL B3 allocateCell() should not crash
1326         https://bugs.webkit.org/show_bug.cgi?id=152909
1327
1328         Reviewed by Mark Lam.
1329
1330         This code was crashing in some tests that forced GC slow paths because it was stubbed out
1331         due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
1332         undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
1333         any LLVM optimizations by using undef.
1334
1335         This reduces the number of failures from 35 to 27.
1336
1337         * ftl/FTLLowerDFGToLLVM.cpp:
1338         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
1339
1340 2016-01-08  Filip Pizlo  <fpizlo@apple.com>
1341
1342         FTL B3 fails to realize that binary snippets might choose to omit their fast path
1343         https://bugs.webkit.org/show_bug.cgi?id=152901
1344
1345         Reviewed by Mark Lam.
1346
1347         This reduces the number of failures from 99 to 35.
1348
1349         * ftl/FTLLowerDFGToLLVM.cpp:
1350         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
1351
1352 2016-01-08  Saam Barati  <sbarati@apple.com>
1353
1354         restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register
1355         https://bugs.webkit.org/show_bug.cgi?id=152879
1356
1357         Reviewed by Filip Pizlo.
1358
1359         We were clobbering a register we needed when picking
1360         a scratch register inside an FTL OSR Exit.
1361
1362         * dfg/DFGThunks.cpp:
1363         (JSC::DFG::osrEntryThunkGenerator):
1364         * jit/AssemblyHelpers.cpp:
1365         (JSC::AssemblyHelpers::emitRandomThunk):
1366         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
1367         * jit/AssemblyHelpers.h:
1368         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
1369         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
1370         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
1371         (foo):
1372
1373 2016-01-08  Mark Lam  <mark.lam@apple.com>
1374
1375         Rolling out: Rename StringFromCharCode to StringFromSingleCharCode.
1376         https://bugs.webkit.org/show_bug.cgi?id=152897
1377
1378         Not reviewed.
1379
1380         * dfg/DFGAbstractInterpreterInlines.h:
1381         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1382         * dfg/DFGByteCodeParser.cpp:
1383         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1384         * dfg/DFGClobberize.h:
1385         (JSC::DFG::clobberize):
1386         * dfg/DFGDoesGC.cpp:
1387         (JSC::DFG::doesGC):
1388         * dfg/DFGFixupPhase.cpp:
1389         (JSC::DFG::FixupPhase::fixupNode):
1390         * dfg/DFGNodeType.h:
1391         * dfg/DFGOperations.cpp:
1392         * dfg/DFGOperations.h:
1393         * dfg/DFGPredictionPropagationPhase.cpp:
1394         (JSC::DFG::PredictionPropagationPhase::propagate):
1395         * dfg/DFGSafeToExecute.h:
1396         (JSC::DFG::safeToExecute):
1397         * dfg/DFGSpeculativeJIT.cpp:
1398         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1399         * dfg/DFGSpeculativeJIT32_64.cpp:
1400         (JSC::DFG::SpeculativeJIT::compile):
1401         * dfg/DFGSpeculativeJIT64.cpp:
1402         (JSC::DFG::SpeculativeJIT::compile):
1403         * runtime/StringConstructor.cpp:
1404         (JSC::stringFromCharCode):
1405         (JSC::stringFromSingleCharCode): Deleted.
1406         * runtime/StringConstructor.h:
1407
1408 2016-01-08  Per Arne Vollan  <peavo@outlook.com>
1409
1410         [JSC] Use std::call_once instead of pthread_once when initializing LLVM.
1411         https://bugs.webkit.org/show_bug.cgi?id=152893
1412
1413         Reviewed by Mark Lam.
1414
1415         Use std::call_once since pthreads is not present on all platforms.
1416
1417         * llvm/InitializeLLVM.cpp:
1418         (JSC::initializeLLVMImpl):
1419         (JSC::initializeLLVM):
1420
1421 2016-01-08  Mark Lam  <mark.lam@apple.com>
1422
1423         Rename StringFromCharCode to StringFromSingleCharCode.
1424         https://bugs.webkit.org/show_bug.cgi?id=152897
1425
1426         Reviewed by Daniel Bates.
1427
1428         StringFromSingleCharCode is a better name because the intrinsic it represents
1429         only applies when we are converting from a single char code.  This is purely
1430         a refactoring patch.  There is no semantic change.
1431
1432         * dfg/DFGAbstractInterpreterInlines.h:
1433         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1434         * dfg/DFGByteCodeParser.cpp:
1435         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1436         * dfg/DFGClobberize.h:
1437         (JSC::DFG::clobberize):
1438         * dfg/DFGDoesGC.cpp:
1439         (JSC::DFG::doesGC):
1440         * dfg/DFGFixupPhase.cpp:
1441         (JSC::DFG::FixupPhase::fixupNode):
1442         * dfg/DFGNodeType.h:
1443         * dfg/DFGOperations.cpp:
1444         * dfg/DFGOperations.h:
1445         * dfg/DFGPredictionPropagationPhase.cpp:
1446         (JSC::DFG::PredictionPropagationPhase::propagate):
1447         * dfg/DFGSafeToExecute.h:
1448         (JSC::DFG::safeToExecute):
1449         * dfg/DFGSpeculativeJIT.cpp:
1450         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1451         * dfg/DFGSpeculativeJIT32_64.cpp:
1452         (JSC::DFG::SpeculativeJIT::compile):
1453         * dfg/DFGSpeculativeJIT64.cpp:
1454         (JSC::DFG::SpeculativeJIT::compile):
1455         * runtime/StringConstructor.cpp:
1456         (JSC::stringFromCharCode):
1457         (JSC::stringFromSingleCharCode):
1458         * runtime/StringConstructor.h:
1459
1460 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
1461
1462         [mips] Fixed unused parameter warnings
1463         https://bugs.webkit.org/show_bug.cgi?id=152885
1464
1465         Reviewed by Mark Lam.
1466
1467         * jit/CCallHelpers.h:
1468         (JSC::CCallHelpers::setupArgumentsWithExecState):
1469
1470 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
1471
1472         [mips] Max value of immediate arg of logical ops is 0xffff
1473         https://bugs.webkit.org/show_bug.cgi?id=152884
1474
1475         Reviewed by Michael Saboff.
1476
1477         Replaced imm.m_value < 65535 checks with imm.m_value <= 65535.
1478
1479         * assembler/MacroAssemblerMIPS.h:
1480         (JSC::MacroAssemblerMIPS::and32):
1481         (JSC::MacroAssemblerMIPS::or32):
1482
1483 2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>
1484
1485         [mips] Add new or32 implementation after r194613
1486         https://bugs.webkit.org/show_bug.cgi?id=152865
1487
1488         Reviewed by Michael Saboff.
1489
1490         * assembler/MacroAssemblerMIPS.h:
1491         (JSC::MacroAssemblerMIPS::or32):
1492
1493 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1494
1495         FTL B3 lazy slow paths should do exceptions
1496         https://bugs.webkit.org/show_bug.cgi?id=152853
1497
1498         Reviewed by Saam Barati.
1499
1500         This reduces the number of JSC test failures to 97.
1501
1502         * ftl/FTLLowerDFGToLLVM.cpp:
1503         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
1504         * tests/stress/ftl-new-negative-array-size.js: Added.
1505         (foo):
1506
1507 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1508
1509         Unreviewed, skip more tests that fail.
1510
1511         * tests/stress/ftl-shr-exception.js:
1512         (foo):
1513         * tests/stress/ftl-xor-exception.js:
1514         (foo):
1515
1516 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1517
1518         FTL B3 binary snippets should do exceptions
1519         https://bugs.webkit.org/show_bug.cgi?id=152852
1520
1521         Reviewed by Saam Barati.
1522
1523         This reduces the number of JSC test failures to 110.
1524
1525         * ftl/FTLLowerDFGToLLVM.cpp:
1526         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
1527         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
1528         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
1529         * tests/stress/ftl-shr-exception.js: Added.
1530         (foo):
1531         (result.foo.valueOf):
1532         * tests/stress/ftl-sub-exception.js: Added.
1533         (foo):
1534         (result.foo.valueOf):
1535         * tests/stress/ftl-xor-exception.js: Added.
1536         (foo):
1537         (result.foo.valueOf):
1538
1539 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1540
1541         Unreviewed, skipping this test. Looks like LLVM can't handle this one, either.
1542
1543         * tests/stress/ftl-call-varargs-bad-args-exception-interesting-live-state.js:
1544         (foo):
1545
1546 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1547
1548         Unreviewed, skipping this test. Looks like LLVM can't handle it.
1549
1550         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
1551         (foo):
1552
1553 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1554
1555         FTL B3 JS calls should do exceptions
1556         https://bugs.webkit.org/show_bug.cgi?id=152851
1557
1558         Reviewed by Geoffrey Garen.
1559
1560         This reduces the number of JSC test failures with FTL B3 to 111.
1561
1562         * dfg/DFGSpeculativeJIT64.cpp:
1563         (JSC::DFG::SpeculativeJIT::emitCall):
1564         * ftl/FTLLowerDFGToLLVM.cpp:
1565         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
1566         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
1567         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1568         * tests/stress/ftl-call-bad-args-exception-interesting-live-state.js: Added.
1569         * tests/stress/ftl-call-bad-callee-exception-interesting-live-state.js: Added.
1570         * tests/stress/ftl-call-exception-interesting-live-state.js: Added.
1571         * tests/stress/ftl-call-exception-no-catch.js: Added.
1572         * tests/stress/ftl-call-exception.js: Added.
1573         * tests/stress/ftl-call-varargs-bad-callee-exception-interesting-live-state.js: Added.
1574         * tests/stress/ftl-call-varargs-exception-interesting-live-state.js: Added.
1575         * tests/stress/ftl-call-varargs-exception-no-catch.js: Added.
1576         * tests/stress/ftl-call-varargs-exception.js: Added.
1577
1578 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1579
1580         FTL B3 PutById should do exceptions
1581         https://bugs.webkit.org/show_bug.cgi?id=152850
1582
1583         Reviewed by Saam Barati.
1584
1585         Implemented PutById exception handling by following the idiom used in GetById. Reduces the
1586         number of JSC test failures to 128.
1587
1588         * ftl/FTLLowerDFGToLLVM.cpp:
1589         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
1590         * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js: Added.
1591         * tests/stress/ftl-put-by-id-setter-exception-no-catch.js: Added.
1592         * tests/stress/ftl-put-by-id-setter-exception.js: Added.
1593         * tests/stress/ftl-put-by-id-slow-exception-interesting-live-state.js: Added.
1594         * tests/stress/ftl-put-by-id-slow-exception-no-catch.js: Added.
1595         * tests/stress/ftl-put-by-id-slow-exception.js: Added.
1596
1597 2016-01-07  Commit Queue  <commit-queue@webkit.org>
1598
1599         Unreviewed, rolling out r194714.
1600         https://bugs.webkit.org/show_bug.cgi?id=152864
1601
1602         It broke many JSC tests when FTL B3 is enabled (Requested by
1603         pizlo on #webkit).
1604
1605         Reverted changeset:
1606
1607         "[JSC] When resolving Stack arguments, use addressing from SP
1608         when addressing from FP is invalid"
1609         https://bugs.webkit.org/show_bug.cgi?id=152840
1610         http://trac.webkit.org/changeset/194714
1611
1612 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1613
1614         [mips] Lower immediates of logical operations.
1615         https://bugs.webkit.org/show_bug.cgi?id=152693
1616
1617         On MIPS immediate operands of andi, ori, and xori are required to be 16-bit
1618         non-negative numbers.
1619
1620         Reviewed by Michael Saboff.
1621
1622         * offlineasm/mips.rb:
1623
1624 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
1625
1626         [JSC] Update testCheckSubBadImm() for ARM64
1627         https://bugs.webkit.org/show_bug.cgi?id=152846
1628
1629         Reviewed by Mark Lam.
1630
1631         * b3/testb3.cpp:
1632         (JSC::B3::testCheckSubBadImm):
1633         The test was assuming the constant can always be used
1634         as an immediate. That's obviously not the case on ARM64.
1635
1636 2016-01-07  Filip Pizlo  <fpizlo@apple.com>
1637
1638         FTL B3 getById() should do exceptions
1639         https://bugs.webkit.org/show_bug.cgi?id=152810
1640
1641         Reviewed by Saam Barati.
1642
1643         This adds abstractions for doing exceptions from patchpoints, and uses them to implement
1644         exceptions from GetById. This covers all of the following ways that a GetById might throw an
1645         exception:
1646
1647         - Throw without try/catch from the vmCall() in a GetById(Untyped:)
1648         - Throw with try/catch from the vmCall() in a GetById(Untyped:)
1649         - Throw without try/catch from the callOperation() in the patchpoint of a GetById
1650         - Throw with try/catch from the callOperation() in the patchpoint of a GetById
1651         - Throw without try/catch from the Call IC generated in the patchpoint of a GetById
1652         - Throw with try/catch from the Call IC generated in the patchpoint of a GetById
1653
1654         This requires having a default exception target in FTL-generated code, and ensuring that this
1655         target is generated regardless of whether we have branches to the B3 basic block of the
1656         default exception target. This also requires adding some extra arguments to a
1657         PatchpointValue, and then knowing that the arguments are used for OSR exit and not anything
1658         else. This also requires associating the CallSiteIndex of the patchpoint with the register
1659         set used for exit and with the OSR exit label for the unwind exit.
1660
1661         All of the stuff that you have to worry about when wiring a patchpoint to exception handling
1662         is covered by the new PatchpointExceptionHandle object. You create one by calling
1663         preparePatchpointForExceptions(). This sets up the B3 IR representation of the patchpoint
1664         with stackmap arguments for the exceptional exit, and creates a PatchpointExceptionHandle
1665         object that can be used to create zero or more actual OSR exits. It can create both OSR exits
1666         for operation calls and OSR exits for unwind. You call the
1667         PatchpointExceptionHandle::scheduleExitCreationXXX() methods from the generator callback to
1668         actually get OSR exits.
1669
1670         This API makes heavy use of Box<>, late paths, and link tasks. For example, you can use the
1671         PatchpointExceptionHandle to get a Box<JumpList> that you can append exception jumps to. When
1672         you use this API, it automatically registers a link task that will link the JumpList to the
1673         actual OSR exit label.
1674
1675         This API is very flexible about how you get to the label of the OSR exit. You are encouraged
1676         to use the Box<JumpList> approach, but if you really just need the label, you can also get
1677         a RefPtr<ExceptionTarget> and rely on the fact that the ExceptionTarget object will be able
1678         to vend you the OSR exit label at link-time.
1679
1680         This reduces the number of JSC test failures with FTL B3 from 186 to 133. It also adds a
1681         bunch of new tests specifically for all of the ways you might throw from GetById, and B3
1682         passes all of these new tests. Note that I'm not counting the new tests as part of the
1683         previous 186 test failures (FTL B3 failed all of the new tests prior to this change).
1684
1685         After this change, it should be easy to make all of the other patchpoints also handle
1686         exceptions by just following the preparePatchpointForExceptions() idiom.
1687
1688         * CMakeLists.txt:
1689         * JavaScriptCore.xcodeproj/project.pbxproj:
1690         * b3/B3StackmapValue.h:
1691         * b3/B3ValueRep.cpp:
1692         (JSC::B3::ValueRep::addUsedRegistersTo):
1693         (JSC::B3::ValueRep::usedRegisters):
1694         (JSC::B3::ValueRep::dump):
1695         * b3/B3ValueRep.h:
1696         (JSC::B3::ValueRep::doubleValue):
1697         (JSC::B3::ValueRep::withOffset):
1698         (JSC::B3::ValueRep::usedRegisters):
1699         * ftl/FTLB3Compile.cpp:
1700         (JSC::FTL::compile):
1701         * ftl/FTLB3Output.h:
1702         (JSC::FTL::Output::unreachable):
1703         (JSC::FTL::Output::speculate):
1704         * ftl/FTLExceptionTarget.cpp: Added.
1705         (JSC::FTL::ExceptionTarget::~ExceptionTarget):
1706         (JSC::FTL::ExceptionTarget::label):
1707         (JSC::FTL::ExceptionTarget::jumps):
1708         (JSC::FTL::ExceptionTarget::ExceptionTarget):
1709         * ftl/FTLExceptionTarget.h: Added.
1710         * ftl/FTLJITCode.cpp:
1711         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1712         * ftl/FTLLowerDFGToLLVM.cpp:
1713         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
1714         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
1715         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
1716         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
1717         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
1718         (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
1719         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
1720         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
1721         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
1722         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
1723         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
1724         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1725         (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
1726         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
1727         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
1728         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
1729         (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
1730         * ftl/FTLPatchpointExceptionHandle.cpp: Added.
1731         (JSC::FTL::PatchpointExceptionHandle::create):
1732         (JSC::FTL::PatchpointExceptionHandle::defaultHandle):
1733         (JSC::FTL::PatchpointExceptionHandle::~PatchpointExceptionHandle):
1734         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreation):
1735         (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
1736         (JSC::FTL::PatchpointExceptionHandle::PatchpointExceptionHandle):
1737         (JSC::FTL::PatchpointExceptionHandle::createHandle):
1738         * ftl/FTLPatchpointExceptionHandle.h: Added.
1739         * ftl/FTLState.cpp:
1740         * ftl/FTLState.h:
1741         (JSC::FTL::verboseCompilationEnabled):
1742         * tests/stress/ftl-get-by-id-getter-exception-interesting-live-state.js: Added.
1743         * tests/stress/ftl-get-by-id-getter-exception-no-catch.js: Added.
1744         * tests/stress/ftl-get-by-id-getter-exception.js: Added.
1745         * tests/stress/ftl-get-by-id-slow-exception-interesting-live-state.js: Added.
1746         * tests/stress/ftl-get-by-id-slow-exception-no-catch.js: Added.
1747         * tests/stress/ftl-get-by-id-slow-exception.js: Added.
1748         * tests/stress/ftl-operation-exception-interesting-live-state.js: Added.
1749         * tests/stress/ftl-operation-exception-no-catch.js: Added.
1750
1751 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1752
1753         [mips] Implemented missing branch patching methods.
1754         https://bugs.webkit.org/show_bug.cgi?id=152845
1755
1756         Reviewed by Michael Saboff.
1757
1758         * assembler/MacroAssemblerMIPS.h:
1759         (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranch32WithPatch):
1760         (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
1761         (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):
1762
1763 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
1764
1765         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
1766         https://bugs.webkit.org/show_bug.cgi?id=152840
1767
1768         Reviewed by Mark Lam.
1769
1770         ARM64 has two kinds of addressing with immediates:
1771         - Signed 9-bit direct (really only -256 to 255).
1772         - Unsigned 12-bit scaled by the load/store size.
1773
1774         When resolving the stack addresses, we easily run
1775         past -256 bytes from FP. Addressing from SP gives us more
1776         room to address the stack efficiently because we can
1777         use unsigned immediates.
1778
1779         * b3/B3StackmapSpecial.cpp:
1780         (JSC::B3::StackmapSpecial::repForArg):
1781         * b3/air/AirAllocateStack.cpp:
1782         (JSC::B3::Air::allocateStack):
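
        The two immediate addressing forms described above, as an added example that is not JSC or B3 code: encodability checks for the signed 9-bit form and the unsigned scaled 12-bit form, and a frame model showing that a slot unreachable from FP becomes reachable from SP. The frame layout (slots at negative FP offsets, SP sitting frameSize bytes below FP) and all function names are assumptions for the illustration.

```cpp
// Added example (not JSC code): models the two ARM64 load/store immediate
// addressing forms named in the entry above and shows why stack slots
// addressed from FP quickly fall outside the signed 9-bit range while the
// same slots addressed from SP can use the unsigned scaled 12-bit form.
#include <cstdint>
#include <cstdio>

// LDUR/STUR style: signed 9-bit byte offset, -256..255, any alignment.
bool fitsSigned9(int64_t offset) {
    return offset >= -256 && offset <= 255;
}

// LDR/STR (unsigned offset) style: 12-bit immediate scaled by the access
// size, so the byte offset must be non-negative, a multiple of the access
// size, and at most 4095 * accessSize.
bool fitsUnsigned12Scaled(int64_t offset, unsigned accessSize) {
    int64_t size = static_cast<int64_t>(accessSize);
    if (offset < 0 || offset % size != 0) return false;
    return offset / size <= 4095;
}

enum class AddrForm { Signed9, Unsigned12Scaled, NeedsScratch };

// Pick the cheapest encodable form; NeedsScratch means the offset has to be
// materialized in a register first (extra instructions and a temp register).
AddrForm chooseForm(int64_t offset, unsigned accessSize) {
    if (fitsSigned9(offset)) return AddrForm::Signed9;
    if (fitsUnsigned12Scaled(offset, accessSize)) return AddrForm::Unsigned12Scaled;
    return AddrForm::NeedsScratch;
}

// Assumed frame model: stack slots live at negative offsets from FP, and SP
// is frameSize bytes below FP, so the same slot is at fpOffset + frameSize
// from SP (a non-negative offset once the slot lies inside the frame).
int64_t spOffsetFor(int64_t fpOffset, int64_t frameSize) {
    return fpOffset + frameSize;
}

const char* name(AddrForm f) {
    switch (f) {
    case AddrForm::Signed9: return "signed 9-bit";
    case AddrForm::Unsigned12Scaled: return "unsigned 12-bit scaled";
    default: return "needs scratch register";
    }
}

int main() {
    // Constructed sample: an 8-byte slot 1024 bytes below FP in a 2048-byte frame.
    int64_t fpOffset = -1024, frameSize = 2048;
    std::printf("from FP: %s\n", name(chooseForm(fpOffset, 8)));
    std::printf("from SP: %s\n", name(chooseForm(spOffsetFor(fpOffset, frameSize), 8)));
    return 0;
}
```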
1783
1784 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1785
1786         [mips] Make repatchCall public to fix compilation.
1787         https://bugs.webkit.org/show_bug.cgi?id=152843
1788
1789         Reviewed by Michael Saboff.
1790
1791         * assembler/MacroAssemblerMIPS.h:
1792         (JSC::MacroAssemblerMIPS::repatchCall):
1793         (JSC::MacroAssemblerMIPS::linkCall): Deleted.
1794
1795 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1796
1797         [mips] Replaced subi with addi in getHostCallReturnValue
1798         https://bugs.webkit.org/show_bug.cgi?id=152841
1799
1800         Reviewed by Michael Saboff.
1801
1802         The MIPS architecture does not have a subi instruction; addi with a negative
1803         number should be used instead.
1804
1805         * jit/JITOperations.cpp:
1806
1807 2016-01-07  Mark Lam  <mark.lam@apple.com>
1808
1809         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
1810         https://bugs.webkit.org/show_bug.cgi?id=152833
1811
1812         Reviewed by Michael Saboff.
1813
1814         Follow-up patch to fix illegal use of memoryTempRegister as the src for ARM64's
1815         store32.
1816
1817         * assembler/MacroAssemblerARM64.h:
1818         (JSC::MacroAssemblerARM64::or32):
1819         (JSC::MacroAssemblerARM64::store):
1820
1821 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1822
1823         [mips] GPRInfo::toArgumentRegister missing
1824         https://bugs.webkit.org/show_bug.cgi?id=152838
1825
1826         Reviewed by Michael Saboff.
1827
1828         * jit/GPRInfo.h:
1829         (JSC::GPRInfo::toArgumentRegister):
1830
1831 2016-01-07  Mark Lam  <mark.lam@apple.com>
1832
1833         ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
1834         https://bugs.webkit.org/show_bug.cgi?id=152833
1835
1836         Reviewed by Benjamin Poulain.
1837
1838         * assembler/MacroAssemblerARM.h:
1839         (JSC::MacroAssemblerARM::or32):
1840         - Added some assertions to make sure it is safe to use ARMRegisters::S0 as a temp.
1841         * assembler/MacroAssemblerARM64.h:
1842         (JSC::MacroAssemblerARM64::or32):
1843         - Implement an optimization that avoids reloading the memoryTempRegister when
1844           the immediate is encodable as an instruction immediate.
1845         * assembler/MacroAssemblerARMv7.h:
1846         (JSC::MacroAssemblerARMv7::or32):
1847         - Added an assertion to make sure it is safe to use the dataTempRegister as a temp.
1848         - Implement an optimization that avoids reloading the memoryTempRegister when
1849           the immediate is encodable as an instruction immediate.  In the event that we
1850           cannot encode the immediate, we'll use the addressTempRegister as a temp, and
1851           reload it later.
1852
1853 2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>
1854
1855         [CMake] JSC shell sources should include JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
1856         https://bugs.webkit.org/show_bug.cgi?id=152664
1857
1858         Reviewed by Alex Christensen.
1859
1860         * shell/CMakeLists.txt:
1861
1862 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
1863
1864         Web Inspector: CRASH Attempting to pause on CSP violation not inside of script
1865         https://bugs.webkit.org/show_bug.cgi?id=152825
1866         <rdar://problem/24021276>
1867
1868         Reviewed by Timothy Hatcher.
1869
1870         * debugger/Debugger.cpp:
1871         (JSC::Debugger::breakProgram):
1872         We cannot pause if we are not evaluating JavaScript, so bail.
1873
1874 2016-01-07  Benjamin Poulain  <bpoulain@apple.com>
1875
1876         [JSC] Re-enable lea() in Air on ARM64
1877         https://bugs.webkit.org/show_bug.cgi?id=152832
1878
1879         Reviewed by Michael Saboff.
1880
1881         Lea() on the MacroAssembler is not the full x86 Lea (the real one being
1882         x86Lea32()). Instead, it is an addPtr() with SP and a constant.
1883
1884         The instruction is required to implement B3's StackSlot. It is not
1885         safe for big offsets but none of the stack operations are at the moment.
1886
1887         * b3/air/AirOpcode.opcodes:
1888
1889 2016-01-07  Julien Brianceau  <jbriance@cisco.com>
1890
1891         [mips] Add two missing abortWithReason implementations
1892         https://bugs.webkit.org/show_bug.cgi?id=136753
1893
1894         Reviewed by Benjamin Poulain.
1895
1896         * assembler/MacroAssemblerMIPS.h:
1897         (JSC::MacroAssemblerMIPS::memoryFence):
1898         (JSC::MacroAssemblerMIPS::abortWithReason):
1899         (JSC::MacroAssemblerMIPS::readCallTarget):
1900
1901 2016-01-07  Csaba Osztrogonác  <ossy@webkit.org>
1902
1903         Add new or32 implementation to MacroAssemblerARM after r194613
1904         https://bugs.webkit.org/show_bug.cgi?id=152784
1905
1906         Reviewed by Benjamin Poulain.
1907
1908         * assembler/MacroAssemblerARM.h:
1909         (JSC::MacroAssemblerARM::or32):
1910
1911 2016-01-06  Mark Lam  <mark.lam@apple.com>
1912
1913         REGRESSION(r194613): JITMulGenerator needs a scratch GPR on 32-bit too.
1914         https://bugs.webkit.org/show_bug.cgi?id=152805
1915
1916         Reviewed by Michael Saboff.
1917
1918         There aren't enough registers on x86 32-bit to allocate the needed scratch GPR.
1919         So, we'll continue to use one of the result registers as the scratch, and
1920         re-compute the result at the end.
1921
1922         * jit/JITMulGenerator.cpp:
1923         (JSC::JITMulGenerator::generateFastPath):
1924
1925 2016-01-06  Anders Carlsson  <andersca@apple.com>
1926
1927         Add a smart block pointer
1928         https://bugs.webkit.org/show_bug.cgi?id=152799
1929
1930         Reviewed by Tim Horton.
1931
1932         Get rid of RemoteTargetBlock and replace it with WTF::BlockPtr<void ()>.
1933
1934         * inspector/remote/RemoteConnectionToTarget.h:
1935         (Inspector::RemoteTargetBlock::RemoteTargetBlock): Deleted.
1936         (Inspector::RemoteTargetBlock::~RemoteTargetBlock): Deleted.
1937         (Inspector::RemoteTargetBlock::operator=): Deleted.
1938         (Inspector::RemoteTargetBlock::operator()): Deleted.
1939         * inspector/remote/RemoteConnectionToTarget.mm:
1940         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
1941         (Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop):
1942
1943 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
1944
1945         [JSC] More B3 tests passing on ARM64
1946         https://bugs.webkit.org/show_bug.cgi?id=152787
1947
1948         Reviewed by Michael Saboff.
1949
1950         Some more minor bugs.
1951
1952         * assembler/MacroAssemblerARM64.h:
1953         (JSC::MacroAssemblerARM64::urshift64):
1954         The offset was being truncated. That code was just copied
1955         from the 32-bit version of urshift.
1956
1957         * b3/B3LowerToAir.cpp:
1958         (JSC::B3::Air::LowerToAir::createGenericCompare):
1959         Very few instructions can encode -1 as immediate.
1960         TST certainly can't. The fallback works for ARM.
1961
1962         * b3/air/AirOpcode.opcodes:
1963         Bit instructions have very specific immediate encoding.
1964         B3 cannot express that properly yet. I disabled those
1965         forms for now. Immediate encoding is something we'll really
1966         have to look into at some point for B3 ARM64.
1967
1968 2016-01-06  Michael Catanzaro  <mcatanzaro@igalia.com>
1969
1970         Silence -Wtautological-compare
1971         https://bugs.webkit.org/show_bug.cgi?id=152768
1972
1973         Reviewed by Saam Barati.
1974
1975         * runtime/Options.cpp:
1976         (JSC::Options::setAliasedOption):
1977
1978 2016-01-06  Filip Pizlo  <fpizlo@apple.com>
1979
1980         Make sure that the basic throw-from-operation mode of throwing makes sense in FTL B3
1981         https://bugs.webkit.org/show_bug.cgi?id=152798
1982
1983         Reviewed by Oliver Hunt.
1984
1985         This really just contains one change: we inline emitBranchToOSRExitIfWillCatchException()
1986         into callCheck(), since that was its only caller. This makes it a bit more clear what is
1987         going on.
1988
1989         It turns out that FTL B3 already handled this case properly. I added a test that I believe
1990         illustrates this. Note that although the test uses GetById, which ordinarily throws
1991         exceptions from inside a patchpoint, it uses it in such a way that the exception is thrown
1992         from the operation call for the non-cell bypass path of a GetById(UntypedUse:).
1993
1994         * ftl/FTLLowerDFGToLLVM.cpp:
1995         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1996         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
1997         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
1998         (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException): Deleted.
1999         * tests/stress/ftl-operation-exception.js: Added.
2000         (foo):
2001
2002 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
2003
2004         Web Inspector: Remove duplicate check
2005         https://bugs.webkit.org/show_bug.cgi?id=152792
2006
2007         Reviewed by Timothy Hatcher.
2008
2009         * inspector/InjectedScriptSource.js:
2010         (InjectedScript.RemoteObject.prototype._generatePreview): Deleted.
2011         This method is only called from one place, and it does an equivalent
2012         check before calling this function. Remove the duplicate check.
2013
2014 2016-01-06  Brian Burg  <bburg@apple.com>
2015
2016         Add a WebKit SPI for registering an automation controller with RemoteInspector
2017         https://bugs.webkit.org/show_bug.cgi?id=151576
2018
2019         Reviewed by Dan Bernstein and Joseph Pecoraro.
2020
2021         Given a RemoteInspector endpoint that is instantiated in UIProcess, there
2022         should be a way to delegate automation-related functionality and policy to
2023         clients of WebKit.
2024
2025         This class adds a RemoteInspector::Client interface that serves a delegate.
2026         This is ultimately delegated via _WKAutomationDelegate, which is an SPI
2027         that allows clients to install an Objective-C delegate for automation.
2028
2029         The setting for whether remote automation is allowed is included in the
2030         listing that RemoteInspector sends out. It is updated when RemoteInspector::Client
2031         is assigned, or when the client signals that its capabilities have changed.
2032
2033         * inspector/remote/RemoteInspector.h:
2034         * inspector/remote/RemoteInspector.mm:
2035         (Inspector::RemoteInspector::setRemoteInspectorClient): Added.
2036         (Inspector::RemoteInspector::pushListingsNow):
2037
2038             In the listing, include whether the application supports remote automation.
2039
2040         * inspector/remote/RemoteInspectorConstants.h: Add a constant.
2041
2042 2016-01-05  Keith Miller  <keith_miller@apple.com>
2043
2044         [ES6] Boolean, Number, Map, RegExp, and Set should be subclassable
2045         https://bugs.webkit.org/show_bug.cgi?id=152765
2046
2047         Reviewed by Michael Saboff.
2048
2049         This patch enables subclassing of five more builtins: Boolean, Number, Map, RegExp, and Set.
2050
2051         * runtime/BooleanConstructor.cpp:
2052         (JSC::constructWithBooleanConstructor):
2053         (JSC::constructBoolean): Deleted.
2054         * runtime/BooleanConstructor.h:
2055         * runtime/MapConstructor.cpp:
2056         (JSC::constructMap):
2057         * runtime/NumberConstructor.cpp:
2058         (JSC::constructWithNumberConstructor):
2059         * runtime/RegExpConstructor.cpp:
2060         (JSC::getRegExpStructure):
2061         (JSC::constructRegExp):
2062         * runtime/SetConstructor.cpp:
2063         (JSC::constructSet):
2064         * tests/es6.yaml:
2065         * tests/stress/class-subclassing-misc.js: Added.
2066         (B):
2067         (N):
2068         (M):
2069         (R):
2070         (S):
2071         (test):
2072
2073 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2074
2075         [mips] Fix branchTruncateDoubleToUint32 implementation in macro assembler
2076         https://bugs.webkit.org/show_bug.cgi?id=152782
2077
2078         Reviewed by Benjamin Poulain.
2079
2080         Already covered by LayoutTests/js/dfg-uint32array-overflow-values test.
2081
2082         * assembler/MacroAssemblerMIPS.h:
2083         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
2084
2085 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2086
2087         [mips] Fix or32 implementation in macro assembler
2088         https://bugs.webkit.org/show_bug.cgi?id=152781
2089
2090         Reviewed by Michael Saboff.
2091
2092         * assembler/MacroAssemblerMIPS.h:
2093         (JSC::MacroAssemblerMIPS::or32):
2094
2095 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2096
2097         [mips] Add missing branchAdd32 implementation in macro assembler
2098         https://bugs.webkit.org/show_bug.cgi?id=152785
2099
2100         Reviewed by Michael Saboff.
2101
2102         * assembler/MacroAssemblerMIPS.h:
2103         (JSC::MacroAssemblerMIPS::branchAdd32):
2104
2105 2016-01-06  Andy VanWagoner  <thetalecrafter@gmail.com>
2106
2107         [ES6] Date.prototype should be a plain object
2108         https://bugs.webkit.org/show_bug.cgi?id=152574
2109
2110         Reviewed by Benjamin Poulain.
2111
2112         * runtime/DateConstructor.cpp:
2113         (JSC::DateConstructor::finishCreation):
2114         * runtime/DatePrototype.cpp:
2115         (JSC::DatePrototype::DatePrototype):
2116         * runtime/DatePrototype.h:
2117         * tests/mozilla/mozilla-tests.yaml: Expect errors from old Date.prototype as Date instance tests.
2118
2119 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
2120
2121         [JSC] Get more of testb3 to pass on ARM64
2122         https://bugs.webkit.org/show_bug.cgi?id=152737
2123
2124         Reviewed by Geoffrey Garen.
2125
2126         A bunch of minor bugs and missing functions to make most of testb3
2127         run on ARM64.
2128
2129         * JavaScriptCore.xcodeproj/project.pbxproj:
2130         * assembler/ARM64Assembler.h:
2131         (JSC::ARM64Assembler::canEncodePImmOffset):
2132         (JSC::ARM64Assembler::canEncodeSImmOffset):
2133         (JSC::isInt9): Deleted.
2134         (JSC::isUInt12): Deleted.
2135         * assembler/ARMv7Assembler.h:
2136         * assembler/AssemblerCommon.h: Added.
2137         (JSC::isInt9):
2138         (JSC::isUInt12):
2139         (JSC::isValidScaledUImm12):
2140         (JSC::isValidSignedImm9):
2141         * assembler/MacroAssemblerARM64.h:
2142         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
2143         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
2144         (JSC::MacroAssemblerARM64::store16):
2145         (JSC::MacroAssemblerARM64::absFloat):
2146         (JSC::MacroAssemblerARM64::loadFloat):
2147         (JSC::MacroAssemblerARM64::storeFloat):
2148         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate):
2149         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate):
2150         (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
2151         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<8>):
2152         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<16>):
2153         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<8>):
2154         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<16>):
2155         * assembler/X86Assembler.h:
2156         * b3/B3LowerToAir.cpp:
2157         (JSC::B3::Air::LowerToAir::effectiveAddr):
2158         (JSC::B3::Air::LowerToAir::lower):
2159         * b3/air/AirArg.h:
2160         (JSC::B3::Air::Arg::isValidImmForm):
2161         (JSC::B3::Air::Arg::isValidAddrForm):
2162         (JSC::B3::Air::Arg::isValidForm):
2163         * b3/air/AirOpcode.opcodes:
2164
2165 2016-01-05  Zan Dobersek  <zdobersek@igalia.com>
2166
2167         [CMake] Remove USE_UDIS86 variable
2168         https://bugs.webkit.org/show_bug.cgi?id=152731
2169
2170         Reviewed by Gyuyoung Kim.
2171
2172         * CMakeLists.txt: Unconditionally build the Udis86-specific files.
2173
2174 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2175
2176         FTL B3 fails cdjs-tests.yaml/red_black_tree_test.js.ftl-eager-no-cjit
2177         https://bugs.webkit.org/show_bug.cgi?id=152770
2178
2179         Reviewed by Mark Lam.
2180
2181         It turns out that liveness didn't know that the return value GPR or FPR is live at the
2182         return. Consequently, we can end up with code that clobbers the return value register after
2183         the move of the return value into that register. This could happen if we start with
2184         something like:
2185
2186             Move 42(%tmp1), %tmp2
2187             Move 50(%tmp1), %tmp3
2188             Move %tmp3, 58(%tmp1)
2189             Move %tmp2, %rax
2190             Ret
2191
2192         Then we might coalesce %tmp2 with %rax:
2193
2194             Move 42(%tmp1), %rax
2195             Move 50(%tmp1), %tmp3
2196             Move %tmp3, 58(%tmp1)
2197             Ret
2198
2199         But now there is no use of %rax after that first instruction, so %rax appears dead at the
2200         other two Moves. So, the register allocator could then do this:
2201
2202             Move 42(%tmp1), %rax
2203             Move 50(%tmp1), %rax
2204             Move %rax, 58(%tmp1)
2205             Ret
2206
2207         And that's clearly wrong. This patch solves this issue by replacing the old Ret instruction
2208         with Ret32, Ret64, RetFloat, and RetDouble. These all take the return value register as an
2209         argument. They also tell Air which parts of the return value register the caller will
2210         observe. That's great for width analysis.
2211
2212         This resolves a test failure in the CDjs red_black_tree_test. This reduces the total number
2213         of JSC test failures from 217 to 191.
2214
2215         * assembler/MacroAssembler.h:
2216         (JSC::MacroAssembler::oops):
2217         (JSC::MacroAssembler::ret32):
2218         (JSC::MacroAssembler::ret64):
2219         (JSC::MacroAssembler::retFloat):
2220         (JSC::MacroAssembler::retDouble):
2221         (JSC::MacroAssembler::shouldConsiderBlinding):
2222         * b3/B3LowerToAir.cpp:
2223         (JSC::B3::Air::LowerToAir::lower):
2224         * b3/air/AirGenerate.cpp:
2225         (JSC::B3::Air::generate):
2226         * b3/air/AirHandleCalleeSaves.cpp:
2227         (JSC::B3::Air::handleCalleeSaves):
2228         * b3/air/AirOpcode.opcodes:
2229         * b3/air/opcode_generator.rb:
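
        The miscompile described above, as an added illustration that is not JSC's code: a minimal backward liveness pass over the coalesced block, run once with the old operand-less Ret and once with a Ret64 that names %rax as a use. The Inst model and its uses/defs lists are assumptions made for this example.

```cpp
// Added example (not JSC code): backward liveness over a straight-line block of
// Air-like instructions, showing why Ret must name the return value register.
#include <cassert>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

struct Inst {
    std::string name;
    std::vector<std::string> uses;   // tmps/registers read by this instruction
    std::vector<std::string> defs;   // tmps/registers written by this instruction
};

// Standard single-block backward dataflow: liveIn = uses | (liveOut - defs).
// Returns, for each instruction index, the set of names live *after* it.
std::vector<std::set<std::string>> liveAfterEachInst(const std::vector<Inst>& block)
{
    std::vector<std::set<std::string>> liveOut(block.size());
    std::set<std::string> live;   // nothing is live after the block's terminator
    for (size_t i = block.size(); i-- > 0;) {
        liveOut[i] = live;
        for (const auto& d : block[i].defs)
            live.erase(d);
        for (const auto& u : block[i].uses)
            live.insert(u);
    }
    return liveOut;
}

// The post-coalescing sequence from the change log, terminated either by the
// old Ret (no operands) or by Ret64 %rax (constructed model of the new form).
std::vector<Inst> coalescedBlock(bool retUsesRax)
{
    std::vector<Inst> block = {
        {"Move 42(%tmp1), %rax",  {"%tmp1"},          {"%rax"}},
        {"Move 50(%tmp1), %tmp3", {"%tmp1"},          {"%tmp3"}},
        {"Move %tmp3, 58(%tmp1)", {"%tmp3", "%tmp1"}, {}},
    };
    if (retUsesRax)
        block.push_back({"Ret64 %rax", {"%rax"}, {}});
    else
        block.push_back({"Ret", {}, {}});
    return block;
}

// An allocator may hand %rax to %tmp3 only if %rax is not live across the
// instruction that defines %tmp3 (index 1). Returns true when the liveness
// result would permit that unsafe reuse.
bool allocatorMayClobberRax(bool retUsesRax)
{
    std::vector<Inst> block = coalescedBlock(retUsesRax);
    std::vector<std::set<std::string>> liveOut = liveAfterEachInst(block);
    return liveOut[1].count("%rax") == 0;
}

int main()
{
    std::printf("old Ret:    allocator may clobber %%rax = %d\n", allocatorMayClobberRax(false));
    std::printf("Ret64 %%rax: allocator may clobber %%rax = %d\n", allocatorMayClobberRax(true));
    return 0;
}
```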
2230
2231 2016-01-05  Keith Miller  <keith_miller@apple.com>
2232
2233         Unreviewed build fix. A symbol was being exported that should not have been.
2234
2235         * runtime/Structure.h:
2236
2237 2016-01-05  Commit Queue  <commit-queue@webkit.org>
2238
2239         Unreviewed, rolling out r194603.
2240         https://bugs.webkit.org/show_bug.cgi?id=152762
2241
2242         This change introduced JSC test failures (Requested by
2243         ryanhaddad on #webkit).
2244
2245         Reverted changeset:
2246
2247         "[ES6] Date.prototype should be a plain object"
2248         https://bugs.webkit.org/show_bug.cgi?id=152574
2249         http://trac.webkit.org/changeset/194603
2250
2251 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2252
2253         stress/v8-crypto-strict.js.ftl-eager-no-cjit in FTL B3 fails with an assertion in the callframe shuffler
2254         https://bugs.webkit.org/show_bug.cgi?id=152756
2255
2256         Reviewed by Saam Barati.
2257
2258         This fixes a really obvious and dumb tail call bug in FTL B3. I think that tail calls work
2259         for real now. I have no idea why I got any tail call tests to pass before this fix.
2260
2261         * ftl/FTLLowerDFGToLLVM.cpp:
2262         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2263
2264 2016-01-04  Mark Lam  <mark.lam@apple.com>
2265
2266         Profiling should detect when multiplication overflows but does not create negative zero.
2267         https://bugs.webkit.org/show_bug.cgi?id=132470
2268
2269         Reviewed by Geoffrey Garen.
2270
2271         * assembler/MacroAssemblerARM64.h:
2272         (JSC::MacroAssemblerARM64::or32):
2273         * assembler/MacroAssemblerARMv7.h:
2274         (JSC::MacroAssemblerARMv7::or32):
2275         - New or32 emitter needed by the mul snippet.
2276
2277         * bytecode/CodeBlock.cpp:
2278         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2279         (JSC::CodeBlock::updateResultProfileForBytecodeOffset): Deleted.
2280         * bytecode/CodeBlock.h:
2281         (JSC::CodeBlock::ensureResultProfile):
2282         (JSC::CodeBlock::addResultProfile): Deleted.
2283         (JSC::CodeBlock::likelyToTakeDeepestSlowCase): Deleted.
2284         - Added a m_bytecodeOffsetToResultProfileIndexMap because we can now add result
2285           profiles in any order (based on runtime execution), not necessarily in bytecode
2286           order at baseline compilation time.
2287
2288         * bytecode/ValueProfile.cpp:
2289         (WTF::printInternal):
2290         * bytecode/ValueProfile.h:
2291         (JSC::ResultProfile::didObserveInt52Overflow):
2292         (JSC::ResultProfile::setObservedInt52Overflow):
2293         - Add new Int52Overflow flags.
2294
2295         * dfg/DFGByteCodeParser.cpp:
2296         (JSC::DFG::ByteCodeParser::makeSafe):
2297         - Now with more straightforward mapping of profiling info.
2298
2299         * dfg/DFGCommon.h:
2300         - Fixed a typo in a comment.
2301
2302         * dfg/DFGNode.h:
2303         (JSC::DFG::Node::arithNodeFlags):
2304         (JSC::DFG::Node::mayHaveNonIntResult):
2305         (JSC::DFG::Node::hasConstantBuffer):
2306         * dfg/DFGNodeFlags.cpp:
2307         (JSC::DFG::dumpNodeFlags):
2308         * dfg/DFGNodeFlags.h:
2309         (JSC::DFG::nodeMayOverflowInt52):
2310         (JSC::DFG::nodeCanSpeculateInt52):
2311         * dfg/DFGPredictionPropagationPhase.cpp:
2312         (JSC::DFG::PredictionPropagationPhase::propagate):
2313         - We now have profiling info for whether the result was ever seen to be a non-Int.
2314           Use this to make a better prediction.
2315
2316         * jit/JITArithmetic.cpp:
2317         (JSC::JIT::emit_op_div):
2318         (JSC::JIT::emit_op_mul):
2319         - Switch to using CodeBlock::ensureResultProfile().  ResultProfiles can now be
2320           created at any time (including the slow path), not just in bytecode order
2321           during baseline compilation.
2322
2323         * jit/JITMulGenerator.cpp:
2324         (JSC::JITMulGenerator::generateFastPath):
2325         - Removed the fast path profiling code for NegZero because we'll go to the slow
2326           path anyway.  Let the slow path do the profiling for us.
2327         - Added profiling for NegZero and potential Int52 overflows in the fast path
2328           that does double math.
2329
2330         * runtime/CommonSlowPaths.cpp:
2331         (JSC::updateResultProfileForBinaryArithOp):
2332         - Removed the RETURN_WITH_RESULT_PROFILING macro (2 fewer macros), and just use
2333           the RETURN_WITH_PROFILING macro instead with a call to
2334           updateResultProfileForBinaryArithOp().  This makes it clear what we're doing
2335           to do profiling in each case, and also allows us to do custom profiling for
2336           each opcode if needed.  However, so far, we always call
2337           updateResultProfileForBinaryArithOp().
2338
2339 2016-01-05  Keith Miller  <keith_miller@apple.com>
2340
2341         [ES6] Arrays should be subclassable.
2342         https://bugs.webkit.org/show_bug.cgi?id=152706
2343
2344         Reviewed by Benjamin Poulain.
2345
2346         This patch enables full subclassing of Arrays. We do this by fetching the new.target's prototype property
2347         in the Array constructor and transitioning the old structure to have the new prototype. This method has
2348         two downsides. The first is that we clobber the transition watchpoint on the base structure. The second,
2349         which is currently very significant but should be fixed in a future patch, is that we allocate a new
2350         structure for each new derived class we allocate.
2351
2352         * runtime/ArrayConstructor.cpp:
2353         (JSC::constructArrayWithSizeQuirk):
2354         (JSC::constructWithArrayConstructor):
2355         (JSC::callArrayConstructor):
2356         * runtime/ArrayConstructor.h:
2357         * runtime/JSGlobalObject.h:
2358         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
2359         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
2360         (JSC::constructEmptyArray):
2361         (JSC::constructArray):
2362         (JSC::constructArrayNegativeIndexed):
2363         * runtime/PrototypeMap.h:
2364         * runtime/Structure.h:
2365         * runtime/StructureInlines.h:
2366         (JSC::Structure::createSubclassStructure):
2367         * tests/es6.yaml:
2368         * tests/stress/class-subclassing-array.js: Added.
2369         (A):
2370         (B.prototype.get 1):
2371         (B):
2372         (C):
2373         (test):
2374
2375 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2376
2377         regress/script-tests/deltablue-varargs.js.ftl-no-cjit-no-put-stack-validate on FTL B3 gets a B3 validation failure
2378         https://bugs.webkit.org/show_bug.cgi?id=152754
2379
2380         Reviewed by Geoffrey Garen and Saam Barati.
2381
2382         It turns out that the FTL was creating orphans. Rather than making the FTL handle them by
2383         itself, I gave B3 the power to eliminate them for you. I also made the dumper print them
2384         since otherwise, you wouldn't know anything about the orphan when looking at a validation
2385         failure or other kind of procedure dump.
2386
2387         * b3/B3IndexSet.h:
2388         (JSC::B3::IndexSet::add):
2389         (JSC::B3::IndexSet::addAll):
2390         (JSC::B3::IndexSet::remove):
2391         * b3/B3Procedure.cpp:
2392         (JSC::B3::Procedure::dump):
2393         (JSC::B3::Procedure::deleteValue):
2394         (JSC::B3::Procedure::deleteOrphans):
2395         (JSC::B3::Procedure::dominators):
2396         * b3/B3Procedure.h:
2397         (JSC::B3::Procedure::cfg):
2398         * ftl/FTLLowerDFGToLLVM.cpp:
2399         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2400
2401 2015-12-24  Mark Lam  <mark.lam@apple.com>
2402
2403         Re-landing: Add validation of JSC options to catch typos.
2404         https://bugs.webkit.org/show_bug.cgi?id=152549
2405
2406         Reviewed by Benjamin Poulain.
2407
2408         1. If a JSC_xxx option is found and xxx is not a valid option, we will now log
2409            an error message.
2410         2. If a --xxx jsc option is specified, but xxx is not a valid option, we will
2411            now log an error message.
2412         3. Added JSC_validateOptions, which if set to true will cause the VM to crash if
2413            an invalid option was seen during options parsing.
2414
2415         In this version for re-landing, I removed the change where I disallowed -- options
2416         after the script name.  Apparently, we have some test harnesses that do append the
2417         -- options after the script name.
2418
2419         * jsc.cpp:
2420         (CommandLine::parseArguments):
2421         * runtime/Options.cpp:
2422         (JSC::Options::initialize):
2423         * runtime/Options.h:
2424
2425 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2426
2427         FTL B3 should do ArithNegate
2428         https://bugs.webkit.org/show_bug.cgi?id=152745
2429
2430         Reviewed by Geoffrey Garen.
2431
2432         * ftl/FTLLowerDFGToLLVM.cpp:
2433         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
2434
2435 2016-01-05  Andy VanWagoner  <thetalecrafter@gmail.com>
2436
2437         [ES6] Date.prototype should be a plain object
2438         https://bugs.webkit.org/show_bug.cgi?id=152574
2439
2440         Reviewed by Benjamin Poulain.
2441
2442         * runtime/DateConstructor.cpp:
2443         (JSC::DateConstructor::finishCreation):
2444         * runtime/DatePrototype.cpp:
2445         (JSC::DatePrototype::DatePrototype):
2446         * runtime/DatePrototype.h:
2447
2448 2016-01-05  Commit Queue  <commit-queue@webkit.org>
2449
2450         Unreviewed, rolling out r194590.
2451         https://bugs.webkit.org/show_bug.cgi?id=152751
2452
2453         "Causes bot failures" (Requested by mlam on #webkit).
2454
2455         Reverted changeset:
2456
2457         "Add validation of JSC options to catch typos."
2458         https://bugs.webkit.org/show_bug.cgi?id=152549
2459         http://trac.webkit.org/changeset/194590
2460
2461 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2462
2463         FTL B3 should do In
2464         https://bugs.webkit.org/show_bug.cgi?id=152744
2465
2466         Reviewed by Michael Saboff.
2467
2468         This was easy; I just used the same idiom that we already established for ICs in FTL B3.
2469
2470         * ftl/FTLLowerDFGToLLVM.cpp:
2471         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2472
2473 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2474
2475         Implement B3 version of FTL::Output::check()
2476         https://bugs.webkit.org/show_bug.cgi?id=152743
2477
2478         Reviewed by Geoffrey Garen.
2479
2480         Turns out this was just like the LLVM version.
2481
2482         * ftl/FTLB3Output.cpp:
2483         (JSC::FTL::Output::branch):
2484         (JSC::FTL::Output::check):
2485         * ftl/FTLB3Output.h:
2486         (JSC::FTL::Output::switchInstruction):
2487         (JSC::FTL::Output::check): Deleted.
2488
2489 2016-01-05  Mark Lam  <mark.lam@apple.com>
2490
2491         Add support for aliasing JSC Options.
2492         https://bugs.webkit.org/show_bug.cgi?id=152551
2493
2494         Reviewed by Filip Pizlo.
2495
2496         This allows us to use old options names as well.  This is for the benefit of
2497         third party tools which may have been built to rely on those old options.  The
2498         old option names will be mapped to the current option names in setOption().
2499
2500         For some options, the old option name specifies the inverse boolean value of the
2501         current option name.  setOption() will take care of inverting the value before
2502         applying it to the option.
2503
2504         * jsc.cpp:
2505         (CommandLine::parseArguments):
2506         - Switch to dumping only overridden options here.  Verbose dumping is too much
2507           for common usage.
2508         * runtime/Options.cpp:
2509         (JSC::overrideOptionWithHeuristic):
2510         (JSC::Options::overrideAliasedOptionWithHeuristic):
2511         (JSC::computeNumberOfWorkerThreads):
2512         (JSC::Options::initialize):
2513         (JSC::Options::setOptionWithoutAlias):
2514         (JSC::invertBoolOptionValue):
2515         (JSC::Options::setAliasedOption):
2516         (JSC::Options::setOption):
2517         (JSC::Options::dumpAllOptions):
2518         - String.ascii() converts newline characters to '?', and this was messing up the
2519           printing of the options.  Switched to using String.utf8() instead.
2520         (JSC::Options::dumpOption):
2521         * runtime/Options.h:
2522
2523 2016-01-05  Mark Lam  <mark.lam@apple.com>
2524
2525         Add validation of JSC options to catch typos.
2526         https://bugs.webkit.org/show_bug.cgi?id=152549
2527
2528         Reviewed by Benjamin Poulain.
2529
2530         1. If a JSC_xxx option is found and xxx is not a valid option, we will now log
2531            an error message.
2532         2. The jsc app is commonly used as follows:
2533
2534                $ jsc [jsc options] [scripts]
2535      
2536            Previously, we would continue to parse for [jsc options] after [scripts] was seen.
2537            We won't do this anymore.  Any --xxx jsc options must precede the [scripts]
2538            arguments.
2539
2540         3. If a --xxx jsc option is specified, but xxx is not a valid option, we will
2541            now log an error message.
2542
2543         4. Added JSC_validateOptions, which if set to true will cause the VM to crash if
2544            an invalid option was seen during options parsing.
2545
2546         * jsc.cpp:
2547         (CommandLine::parseArguments):
2548         * runtime/Options.cpp:
2549         (JSC::Options::initialize):
2550         * runtime/Options.h:
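
        The option validation described in this entry and in the re-landed version above, together with the aliasing entry (old names mapped to current ones, some with inverted boolean meaning), as one added example. This is not JSC's Options code: the option names, alias table, and the rule that a bare `--xxx` means true are assumptions made for the example.

```cpp
// Added example (not JSC's Options code): JSC_xxx / --xxx option parsing with
// typo validation and aliased (possibly inverted) option names.
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct OptionsState {
    std::map<std::string, bool> values = {      // constructed option table
        {"enableFeatureX", false},
        {"enableFeatureY", true},
        {"validateOptions", false},
    };
    std::vector<std::string> errors;            // one entry per rejected option name
};

struct Alias { const char* oldName; const char* newName; bool inverted; };
// Old spellings still accepted; "inverted" means the old name expressed the
// opposite boolean of the current name (constructed entries).
static const Alias aliasTable[] = {
    {"disableFeatureX", "enableFeatureX", true},
    {"featureYEnabled", "enableFeatureY", false},
};

static bool parseBool(const std::string& text, bool& out)
{
    if (text == "true" || text == "1") { out = true; return true; }
    if (text == "false" || text == "0") { out = false; return true; }
    return false;
}

// Sets a current-name option; false if the name is unknown (a likely typo).
static bool setOptionWithoutAlias(OptionsState& s, const std::string& name, bool value)
{
    auto it = s.values.find(name);
    if (it == s.values.end())
        return false;
    it->second = value;
    return true;
}

// Accepts either a current name or an old alias, inverting the value when the
// alias table says the old name meant the opposite.
bool setOption(OptionsState& s, const std::string& name, const std::string& text)
{
    bool value;
    if (!parseBool(text, value))
        return false;
    for (const Alias& a : aliasTable) {
        if (name == a.oldName)
            return setOptionWithoutAlias(s, a.newName, a.inverted ? !value : value);
    }
    return setOptionWithoutAlias(s, name, value);
}

// Applies "JSC_xxx=value" environment entries and "--xxx=value" arguments
// (accepted anywhere on the command line, as in the re-landed version).
// Unknown names are logged; the function returns false only when an invalid
// option was seen and validateOptions is on, which is where the real VM would
// crash instead of silently ignoring the typo.
bool parseOptions(OptionsState& s, const std::vector<std::string>& env,
                  const std::vector<std::string>& args)
{
    auto apply = [&](const std::string& prefix, const std::string& entry) {
        if (entry.compare(0, prefix.size(), prefix) != 0)
            return;                                  // not an option (e.g. a script path)
        size_t eq = entry.find('=');
        std::string name = (eq == std::string::npos)
            ? entry.substr(prefix.size())
            : entry.substr(prefix.size(), eq - prefix.size());
        std::string text = (eq == std::string::npos) ? "true" : entry.substr(eq + 1);
        if (!setOption(s, name, text)) {
            s.errors.push_back(name);
            std::fprintf(stderr, "ERROR: invalid option: %s%s\n", prefix.c_str(), name.c_str());
        }
    };
    for (const auto& e : env)
        apply("JSC_", e);
    for (const auto& a : args)
        apply("--", a);
    return s.errors.empty() || !s.values["validateOptions"];
}
```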
2551
2552 2016-01-04  Keith Miller  <keith_miller@apple.com>
2553
2554         Turn off Internal Function inlining in the DFG for super calls.
2555         https://bugs.webkit.org/show_bug.cgi?id=152695
2556
2557         Reviewed by Geoffrey Garen.
2558
2559         Currently, we inline several InternalFunctions into an allocation with a
2560         fixed structure in the DFG. This optimization is not valid when the
2561         InternalFunction is called via a super call.
2562
2563         * dfg/DFGByteCodeParser.cpp:
2564         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2565         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2566
2567 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2568
2569         FTL B3 should do binary snippets
2570         https://bugs.webkit.org/show_bug.cgi?id=152668
2571
2572         Reviewed by Mark Lam.
2573
2574         This finishes all of the rest of the snippets.
2575
2576         * ftl/FTLLowerDFGToLLVM.cpp:
2577         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2578         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2579         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2580         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2581         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2582         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
2583         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
2584         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2585         * tests/stress/object-bit-or.js: Added.
2586         (foo):
2587         (things.valueOf):
2588         * tests/stress/object-bit-xor.js: Added.
2589         (foo):
2590         (things.valueOf):
2591         * tests/stress/object-lshift.js: Added.
2592         (foo):
2593         (things.valueOf):
2594         * tests/stress/object-rshift.js: Added.
2595         (foo):
2596         (things.valueOf):
2597         * tests/stress/object-urshift.js: Added.
2598         (foo):
2599         (things.valueOf):
2600         * tests/stress/untyped-bit-or.js: Added.
2601         (foo):
2602         (valueOf):
2603         * tests/stress/untyped-bit-xor.js: Added.
2604         (foo):
2605         (valueOf):
2606         * tests/stress/untyped-lshift.js: Added.
2607         (foo):
2608         (valueOf):
2609         * tests/stress/untyped-rshift.js: Added.
2610         (foo):
2611         (valueOf):
2612         * tests/stress/untyped-urshift.js: Added.
2613         (foo):
2614         (valueOf):
2615
2616 2016-01-04  Mark Lam  <mark.lam@apple.com>
2617
2618         isUntypedSpeculationForArithmetic is wrong.
2619         https://bugs.webkit.org/show_bug.cgi?id=152708
2620
2621         Reviewed by Filip Pizlo.
2622
2623         The isUntypedSpeculation...() checks should return true if we ever see
2624         non-numeric types, regardless of whether numeric types are seen or not.
2625         Previously, they only returned true if we only see non-numeric types, and false if
2626         we ever see numeric types.
2627
2628         This patch is perf neutral on both x86_64 and x86.
2629
2630         * bytecode/SpeculatedType.h:
2631         (JSC::isUntypedSpeculationForArithmetic):
2632         (JSC::isUntypedSpeculationForBitOps):
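
        The wrong and corrected checks described above, as an added model that is not JSC's code. The SpeculatedType bit layout, the Sample enum and the profile-accumulation loop are constructed for this example and are not JSC's real constants.

```cpp
// Added example (not JSC code): a model of the isUntypedSpeculationForArithmetic
// fix, driven by a constructed value profile.
#include <cstdint>
#include <vector>

typedef uint32_t SpeculatedType;
static const SpeculatedType SpecNone       = 0;
static const SpeculatedType SpecInt32      = 1u << 0;
static const SpeculatedType SpecInt52      = 1u << 1;
static const SpeculatedType SpecDouble     = 1u << 2;
static const SpeculatedType SpecBoolean    = 1u << 3;
static const SpeculatedType SpecString     = 1u << 4;
static const SpeculatedType SpecObject     = 1u << 5;
static const SpeculatedType SpecFullNumber = SpecInt32 | SpecInt52 | SpecDouble;

// Kinds of operand a value profile might observe at an arithmetic op.
enum class Sample { Int32, Int52, Double, Boolean, String, Object };

// Folds observed operands into the speculated type set for that site.
SpeculatedType speculationFromSamples(const std::vector<Sample>& samples)
{
    SpeculatedType observed = SpecNone;
    for (Sample s : samples) {
        switch (s) {
        case Sample::Int32:   observed |= SpecInt32;   break;
        case Sample::Int52:   observed |= SpecInt52;   break;
        case Sample::Double:  observed |= SpecDouble;  break;
        case Sample::Boolean: observed |= SpecBoolean; break;
        case Sample::String:  observed |= SpecString;  break;
        case Sample::Object:  observed |= SpecObject;  break;
        }
    }
    return observed;
}

// Old check: true only when the profile holds no numeric type at all. A site
// that saw ints *and* strings was therefore still speculated as numeric, and
// the untyped snippet path never kicked in for it.
bool isUntypedSpeculationForArithmeticOld(SpeculatedType observed)
{
    return observed != SpecNone && !(observed & SpecFullNumber);
}

// Fixed check: true as soon as any non-numeric type was observed, regardless
// of whether numeric types were seen as well.
bool isUntypedSpeculationForArithmeticFixed(SpeculatedType observed)
{
    return (observed & ~SpecFullNumber) != SpecNone;
}
```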
2633
2634 2016-01-04  Tim Horton  <timothy_horton@apple.com>
2635
2636         Turn on gesture events when building for Yosemite
2637         https://bugs.webkit.org/show_bug.cgi?id=152704
2638         rdar://problem/24042472
2639
2640         Reviewed by Anders Carlsson.
2641
2642         * Configurations/FeatureDefines.xcconfig:
2643
2644 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2645
2646         FTL B3 should do BitAnd binary snippets
2647         https://bugs.webkit.org/show_bug.cgi?id=152713
2648
2649         Reviewed by Mark Lam.
2650
2651         Getting ready to finish up the binary bitop snippets.
2652
2653         * ftl/FTLLowerDFGToLLVM.cpp:
2654         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2655         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2656         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
2657         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2658         * tests/stress/object-bit-and.js: Added.
2659         (foo):
2660         (things.valueOf):
2661         * tests/stress/untyped-bit-and.js: Added.
2662         (foo):
2663         (valueOf):
2664
2665 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2666
2667         FTL B3 should do all of the non-bitop binary snippets
2668         https://bugs.webkit.org/show_bug.cgi?id=152709
2669
2670         Reviewed by Mark Lam.
2671
2672         * ftl/FTLLowerDFGToLLVM.cpp:
2673         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2674         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
2675         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2676         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2677         * tests/stress/object-add.js: Added.
2678         (foo):
2679         (things.valueOf):
2680         * tests/stress/object-div.js: Added.
2681         (foo):
2682         (things.valueOf):
2683         * tests/stress/object-mul.js: Added.
2684         (foo):
2685         (things.valueOf):
2686         * tests/stress/untyped-add.js: Added.
2687         (foo):
2688         (valueOf):
2689         * tests/stress/untyped-div.js: Added.
2690         (foo):
2691         (valueOf):
2692         * tests/stress/untyped-mul.js: Added.
2693         (foo):
2694         (valueOf):
2695
2696 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2697
2698         FTL B3 should do the ArithSub binary snippet
2699         https://bugs.webkit.org/show_bug.cgi?id=152705
2700
2701         Reviewed by Saam Barati.
2702
2703         This implements the ArithSub binary snippet generator in FTL B3.
2704
2705         While doing this, I discovered that the DFG type inference logic for ArithSub contains a
2706         classic mistake: it causes the snippets to kick in when the type set does not contain numbers
2707         rather than kicking in when the type set contains non-numbers. So, the original test that I
2708         wrote for this doesn't work right (it runs to completion but OSR exits ad infinitum). I wrote
2709         a second test that is simpler, and that one shows that the binary snippets "work". That's
2710         sort of a joke though, since the only way to trigger binary snippets is to never pass numbers
2711         and the only way to actually cause a binary snippet to do meaningful work is to pass numbers.
2712         I filed a bug about this mess: https://bugs.webkit.org/show_bug.cgi?id=152708.
2713
2714         * ftl/FTLLowerDFGToLLVM.cpp:
2715         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
2716         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
2717         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
2718         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2719         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2720         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2721         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
2722         * tests/stress/object-sub.js: Added.
2723         (foo):
2724         (things.valueOf):
2725         * tests/stress/untyped-sub.js: Added.
2726         (foo):
2727         (valueOf):
2728
2729 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2730
2731         Unreviewed, disable FTL B3 for now. I didn't intend to enable it yet.
2732
2733         * dfg/DFGCommon.h:
2734
2735 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2736
2737         B3 patchpoints should allow requesting scratch registers
2738         https://bugs.webkit.org/show_bug.cgi?id=152669
2739
2740         Reviewed by Benjamin Poulain.
2741
2742         Scratch registers are something that we often need in many patchpoint use cases. In LLVM's
2743         patchpoints, we didn't have a good way to request scratch registers. So, our current FTL code
2744         often does crazy scratch register allocation madness even when it would be better to just ask
2745         the backend for some registers. This patch adds a mechanism for requesting scratch registers
2746         in B3, and wires it all the way to all of our register allocation and liveness
2747         infrastructure.
2748
2749         From the standpoint of a patchpoint, a "scratch register" is an instruction argument that
2750         only admits Tmp and is defined early (like an early clobber register) and is used late (like
2751         what we previously called LateUse, except that this time it's also a warm use). We already
2752         had the beginning of support for early def's because of early clobbers, and we already
2753         supported late uses albeit cold ones. I really only needed to add one new role: "Scratch",
2754         which means both early def and late use in much the same way as "UseDef" means both early
2755         use and late def. But, it feels better to complete the set of roles, so I added LateColdUse
2756         to differentiate from LateUse (which is now a warm use) and EarlyDef to differentiate from
2757         Def (which is, and always has been, a late def). Forcing the code to deal with the full
2758         matrix of possibilities resulted in what is probably a progression in how we handle defs in
2759         the register and stack allocators. The new Inst::forEachDef(Inst*, Inst*, callback) fully
2760         recognizes that a "def" is something that can come from either the preceding instruction or
2761         the succeeding one.
2762
2763         This doesn't add any new functionality to FTL B3 yet, but the new scratch register mechanism
2764         is covered by new testb3 tests.
2765
2766         * b3/B3CheckSpecial.cpp:
2767         (JSC::B3::CheckSpecial::isValid):
2768         (JSC::B3::CheckSpecial::admitsStack):
2769         (JSC::B3::CheckSpecial::generate):
2770         * b3/B3LowerToAir.cpp:
2771         (JSC::B3::Air::LowerToAir::lower):
2772         * b3/B3PatchpointSpecial.cpp:
2773         (JSC::B3::PatchpointSpecial::forEachArg):
2774         (JSC::B3::PatchpointSpecial::isValid):
2775         (JSC::B3::PatchpointSpecial::admitsStack):
2776         (JSC::B3::PatchpointSpecial::generate):
2777         * b3/B3PatchpointValue.cpp:
2778         (JSC::B3::PatchpointValue::dumpMeta):
2779         (JSC::B3::PatchpointValue::PatchpointValue):
2780         * b3/B3PatchpointValue.h:
2781         * b3/B3StackmapGenerationParams.cpp:
2782         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
2783         * b3/B3StackmapGenerationParams.h:
2784         (JSC::B3::StackmapGenerationParams::gpScratch):
2785         (JSC::B3::StackmapGenerationParams::fpScratch):
2786         * b3/B3StackmapSpecial.cpp:
2787         (JSC::B3::StackmapSpecial::forEachArgImpl):
2788         (JSC::B3::StackmapSpecial::isValidImpl):
2789         (JSC::B3::StackmapSpecial::admitsStackImpl):
2790         (JSC::B3::StackmapSpecial::repsImpl):
2791         (JSC::B3::StackmapSpecial::isArgValidForValue):
2792         (JSC::B3::StackmapSpecial::appendRepsImpl): Deleted.
2793         * b3/B3StackmapSpecial.h:
2794         * b3/air/AirAllocateStack.cpp:
2795         (JSC::B3::Air::allocateStack):
2796         * b3/air/AirArg.cpp:
2797         (WTF::printInternal):
2798         * b3/air/AirArg.h:
2799         (JSC::B3::Air::Arg::isAnyUse):
2800         (JSC::B3::Air::Arg::isColdUse):
2801         (JSC::B3::Air::Arg::isEarlyUse):
2802         (JSC::B3::Air::Arg::isLateUse):
2803         (JSC::B3::Air::Arg::isAnyDef):
2804         (JSC::B3::Air::Arg::isEarlyDef):
2805         (JSC::B3::Air::Arg::isLateDef):
2806         (JSC::B3::Air::Arg::isZDef):
2807         (JSC::B3::Air::Arg::Arg):
2808         (JSC::B3::Air::Arg::imm):
2809         (JSC::B3::Air::Arg::isDef): Deleted.
2810         * b3/air/AirBasicBlock.h:
2811         (JSC::B3::Air::BasicBlock::at):
2812         (JSC::B3::Air::BasicBlock::get):
2813         (JSC::B3::Air::BasicBlock::last):
2814         * b3/air/AirEliminateDeadCode.cpp:
2815         (JSC::B3::Air::eliminateDeadCode):
2816         * b3/air/AirFixPartialRegisterStalls.cpp:
2817         (JSC::B3::Air::fixPartialRegisterStalls):
2818         * b3/air/AirInst.cpp:
2819         (JSC::B3::Air::Inst::hasArgEffects):
2820         * b3/air/AirInst.h:
2821         * b3/air/AirInstInlines.h:
2822         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
2823         (JSC::B3::Air::Inst::forEachDef):
2824         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
2825         (JSC::B3::Air::Inst::reportUsedRegisters):
2826         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs): Deleted.
2827         * b3/air/AirIteratedRegisterCoalescing.cpp:
2828         * b3/air/AirLiveness.h:
2829         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
2830         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
2831         * b3/air/AirSpillEverything.cpp:
2832         (JSC::B3::Air::spillEverything):
2833         * b3/air/AirTmpWidth.cpp:
2834         (JSC::B3::Air::TmpWidth::recompute):
2835         * b3/air/AirUseCounts.h:
2836         (JSC::B3::Air::UseCounts::UseCounts):
2837         * b3/testb3.cpp:
2838         (JSC::B3::testPatchpointAny):
2839         (JSC::B3::testPatchpointGPScratch):
2840         (JSC::B3::testPatchpointFPScratch):
2841         (JSC::B3::testPatchpointLotsOfLateAnys):
2842         (JSC::B3::run):
2843
2844 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
2845
2846         Fix the !ENABLE(INTL) build after r193493
2847         https://bugs.webkit.org/show_bug.cgi?id=152689
2848
2849         Reviewed by Alex Christensen.
2850
2851         * runtime/NumberPrototype.cpp:
2852         (JSC::NumberPrototype::finishCreation):
2853
2854 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
2855
2856         JSC generator scripts shouldn't have verbose output
2857         https://bugs.webkit.org/show_bug.cgi?id=152382
2858
2859         Reviewed by Michael Catanzaro.
2860
2861         * b3/air/opcode_generator.rb:
2862         * generate-bytecode-files:
2863         * offlineasm/asm.rb:
2864         * offlineasm/generate_offset_extractor.rb:
2865         * offlineasm/parser.rb:
2866
2867 2016-01-04  Benjamin Poulain  <bpoulain@apple.com>
2868
2869         [JSC] Build B3 by default on iOS ARM64
2870         https://bugs.webkit.org/show_bug.cgi?id=152525
2871
2872         Reviewed by Filip Pizlo.
2873
2874         Minor changes required to get testb3 to compile.
2875
2876         * Configurations/ToolExecutable.xcconfig:
2877         We need an entitlement to allocate executable memory.
2878
2879         * assembler/MacroAssemblerARM64.h:
2880         (JSC::MacroAssemblerARM64::scratchRegister):
2881         (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
2882         (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
2883         Expose one of the scratch registers for ValueRep::emitRestore().
2884         Guard the use of scratch registers when not allowed.
2885
2886         * b3/air/AirOpcode.opcodes:
2887         ARM addressing is a bit different. Skip Addr to make things build.
2888
2889         * b3/testb3.cpp:
2890         (JSC::B3::testPatchpointWithStackArgumentResult):
2891         Add on memory only exists on x86.
2892
2893         * jit/RegisterSet.cpp:
2894         (JSC::RegisterSet::macroScratchRegisters):
2895         Add the two scratch registers, useful for patchpoints.
2896
2897 2016-01-03  Khem Raj  <raj.khem@gmail.com>
2898
2899         WebKit fails to build with musl libc library
2900         https://bugs.webkit.org/show_bug.cgi?id=152625
2901
2902         Reviewed by Daniel Bates.
2903
2904         Qualify isnan() calls with std namespace.
2905
2906         * runtime/Options.cpp:
2907         (Option::operator==): Add std namespace qualifier.
2908
2909 2016-01-03  Andreas Kling  <akling@apple.com>
2910
2911         Remove redundant StringImpl substring creation function.
2912         <https://webkit.org/b/152652>
2913
2914         Reviewed by Daniel Bates.
2915
2916         Remove jsSubstring8() and make the only call site use jsSubstring().
2917
2918         * runtime/JSString.h:
2919         (JSC::jsSubstring8): Deleted.
2920         * runtime/StringPrototype.cpp:
2921         (JSC::replaceUsingRegExpSearch):
2922
2923 2016-01-02  Khem Raj  <raj.khem@gmail.com>
2924
2925         Clang's builtin for clear_cache accepts char* and errors out
2926         when using void*; using char* works on both gcc and clang
2927         since char* is auto-converted to void* in the gcc case.
2928         https://bugs.webkit.org/show_bug.cgi?id=152654
2929
2930         Reviewed by Michael Saboff.
2931
2932         * assembler/ARM64Assembler.h:
2933         (linuxPageFlush): Convert arguments to __builtin___clear_cache()
2934         to char*.
2935
2936 2015-12-31  Andy Estes  <aestes@apple.com>
2937
2938         Replace WTF::move with WTFMove
2939         https://bugs.webkit.org/show_bug.cgi?id=152601
2940
2941         Reviewed by Brady Eidson.
2942
2943         * API/ObjCCallbackFunction.mm:
2944         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
2945         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
2946         (JSC::ObjCCallbackFunction::create):
2947         (objCCallbackFunctionForInvocation):
2948         * assembler/AssemblerBuffer.h:
2949         (JSC::AssemblerBuffer::releaseAssemblerData):
2950         * assembler/LinkBuffer.cpp:
2951         (JSC::LinkBuffer::linkCode):
2952         * b3/B3BlockInsertionSet.cpp:
2953         (JSC::B3::BlockInsertionSet::insert):
2954         (JSC::B3::BlockInsertionSet::splitForward):
2955         * b3/B3LowerToAir.cpp:
2956         (JSC::B3::Air::LowerToAir::run):
2957         (JSC::B3::Air::LowerToAir::lower):
2958         * b3/B3OpaqueByproducts.cpp:
2959         (JSC::B3::OpaqueByproducts::add):
2960         * b3/B3Procedure.cpp:
2961         (JSC::B3::Procedure::addBlock):
2962         (JSC::B3::Procedure::addDataSection):
2963         * b3/B3Procedure.h:
2964         (JSC::B3::Procedure::releaseByproducts):
2965         * b3/B3ProcedureInlines.h:
2966         (JSC::B3::Procedure::add):
2967         * b3/B3Value.h:
2968         * b3/air/AirCode.cpp:
2969         (JSC::B3::Air::Code::addBlock):
2970         (JSC::B3::Air::Code::addStackSlot):
2971         (JSC::B3::Air::Code::addSpecial):
2972         * b3/air/AirInst.h:
2973         (JSC::B3::Air::Inst::Inst):
2974         * b3/air/AirIteratedRegisterCoalescing.cpp:
2975         * b3/air/AirSimplifyCFG.cpp:
2976         (JSC::B3::Air::simplifyCFG):
2977         * bindings/ScriptValue.cpp:
2978         (Deprecated::jsToInspectorValue):
2979         * builtins/BuiltinExecutables.cpp:
2980         (JSC::createExecutableInternal):
2981         * bytecode/BytecodeBasicBlock.cpp:
2982         (JSC::computeBytecodeBasicBlocks):
2983         * bytecode/CodeBlock.cpp:
2984         (JSC::CodeBlock::finishCreation):
2985         (JSC::CodeBlock::setCalleeSaveRegisters):
2986         * bytecode/CodeBlock.h:
2987         (JSC::CodeBlock::setJITCodeMap):
2988         (JSC::CodeBlock::livenessAnalysis):
2989         * bytecode/GetByIdStatus.cpp:
2990         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2991         * bytecode/GetByIdVariant.cpp:
2992         (JSC::GetByIdVariant::GetByIdVariant):
2993         * bytecode/PolymorphicAccess.cpp:
2994         (JSC::PolymorphicAccess::regenerateWithCases):
2995         (JSC::PolymorphicAccess::regenerateWithCase):
2996         (JSC::PolymorphicAccess::regenerate):
2997         * bytecode/PutByIdStatus.cpp:
2998         (JSC::PutByIdStatus::computeForStubInfo):
2999         * bytecode/PutByIdVariant.cpp:
3000         (JSC::PutByIdVariant::setter):
3001         * bytecode/StructureStubClearingWatchpoint.cpp:
3002         (JSC::StructureStubClearingWatchpoint::push):
3003         * bytecode/StructureStubClearingWatchpoint.h:
3004         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
3005         * bytecode/StructureStubInfo.cpp:
3006         (JSC::StructureStubInfo::addAccessCase):
3007         * bytecode/UnlinkedCodeBlock.cpp:
3008         (JSC::UnlinkedCodeBlock::setInstructions):
3009         * bytecode/UnlinkedFunctionExecutable.cpp:
3010         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3011         * bytecode/UnlinkedFunctionExecutable.h:
3012         * bytecompiler/SetForScope.h:
3013         (JSC::SetForScope::SetForScope):
3014         * dfg/DFGGraph.cpp:
3015         (JSC::DFG::Graph::livenessFor):
3016         (JSC::DFG::Graph::killsFor):
3017         * dfg/DFGJITCompiler.cpp:
3018         (JSC::DFG::JITCompiler::link):
3019         (JSC::DFG::JITCompiler::compile):
3020         (JSC::DFG::JITCompiler::compileFunction):
3021         * dfg/DFGJITFinalizer.cpp:
3022         (JSC::DFG::JITFinalizer::JITFinalizer):
3023         * dfg/DFGLivenessAnalysisPhase.cpp:
3024         (JSC::DFG::LivenessAnalysisPhase::process):
3025         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3026         * dfg/DFGSpeculativeJIT.cpp:
3027         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
3028         (JSC::DFG::SpeculativeJIT::compileIn):
3029         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3030         * dfg/DFGSpeculativeJIT32_64.cpp:
3031         (JSC::DFG::SpeculativeJIT::cachedGetById):
3032         (JSC::DFG::SpeculativeJIT::cachedPutById):
3033         * dfg/DFGSpeculativeJIT64.cpp:
3034         (JSC::DFG::SpeculativeJIT::cachedGetById):
3035         (JSC::DFG::SpeculativeJIT::cachedPutById):
3036         * dfg/DFGWorklist.cpp:
3037         (JSC::DFG::Worklist::finishCreation):
3038         * disassembler/Disassembler.cpp:
3039         (JSC::disassembleAsynchronously):
3040         * ftl/FTLB3Compile.cpp:
3041         (JSC::FTL::compile):
3042         * ftl/FTLCompile.cpp:
3043         (JSC::FTL::mmAllocateDataSection):
3044         * ftl/FTLJITCode.cpp:
3045         (JSC::FTL::JITCode::initializeB3Byproducts):
3046         * ftl/FTLJITFinalizer.h:
3047         (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
3048         * ftl/FTLLink.cpp:
3049         (JSC::FTL::link):
3050         * ftl/FTLLowerDFGToLLVM.cpp:
3051         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
3052         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3053         * heap/Heap.cpp:
3054         (JSC::Heap::releaseDelayedReleasedObjects):
3055         (JSC::Heap::markRoots):
3056         (JSC::Heap::setIncrementalSweeper):
3057         * heap/HeapInlines.h:
3058         (JSC::Heap::releaseSoon):
3059         (JSC::Heap::registerWeakGCMap):
3060         * heap/WeakInlines.h:
3061         * inspector/ConsoleMessage.cpp:
3062         (Inspector::ConsoleMessage::addToFrontend):
3063         * inspector/ContentSearchUtilities.cpp:
3064         (Inspector::ContentSearchUtilities::searchInTextByLines):
3065         * inspector/InjectedScript.cpp:
3066         (Inspector::InjectedScript::getFunctionDetails):
3067         (Inspector::InjectedScript::getProperties):
3068         (Inspector::InjectedScript::getDisplayableProperties):
3069         (Inspector::InjectedScript::getInternalProperties):
3070         (Inspector::InjectedScript::getCollectionEntries):
3071         (Inspector::InjectedScript::wrapCallFrames):
3072         * inspector/InspectorAgentRegistry.cpp:
3073         (Inspector::AgentRegistry::append):
3074         (Inspector::AgentRegistry::appendExtraAgent):
3075         * inspector/InspectorBackendDispatcher.cpp:
3076         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
3077         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
3078         (Inspector::BackendDispatcher::BackendDispatcher):
3079         (Inspector::BackendDispatcher::create):
3080         (Inspector::BackendDispatcher::sendPendingErrors):
3081         * inspector/InspectorProtocolTypes.h:
3082         (Inspector::Protocol::Array::addItem):
3083         * inspector/InspectorValues.cpp:
3084         * inspector/InspectorValues.h:
3085         (Inspector::InspectorObjectBase::setValue):
3086         (Inspector::InspectorObjectBase::setObject):
3087         (Inspector::InspectorObjectBase::setArray):
3088         (Inspector::InspectorArrayBase::pushValue):
3089         (Inspector::InspectorArrayBase::pushObject):
3090         (Inspector::InspectorArrayBase::pushArray):
3091         * inspector/JSGlobalObjectConsoleClient.cpp:
3092         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3093         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
3094         * inspector/JSGlobalObjectInspectorController.cpp:
3095         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3096         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
3097         * inspector/JSInjectedScriptHost.cpp:
3098         (Inspector::JSInjectedScriptHost::JSInjectedScriptHost):
3099         * inspector/JSInjectedScriptHost.h:
3100         (Inspector::JSInjectedScriptHost::create):
3101         * inspector/agents/InspectorAgent.cpp:
3102         (Inspector::InspectorAgent::activateExtraDomain):
3103         * inspector/agents/InspectorConsoleAgent.cpp:
3104         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3105         (Inspector::InspectorConsoleAgent::addConsoleMessage):
3106         * inspector/agents/InspectorDebuggerAgent.cpp:
3107         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3108         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3109         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3110         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3111         (Inspector::InspectorDebuggerAgent::breakProgram):
3112         * inspector/agents/InspectorHeapAgent.cpp:
3113         (Inspector::InspectorHeapAgent::didGarbageCollect):
3114         * inspector/agents/InspectorRuntimeAgent.cpp:
3115         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3116         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3117         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3118         (Inspector::InspectorScriptProfilerAgent::addEvent):
3119         (Inspector::buildInspectorObject):
3120         (Inspector::buildProfileInspectorObject):
3121         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
3122         * inspector/augmentable/AlternateDispatchableAgent.h:
3123         * inspector/scripts/codegen/cpp_generator_templates.py:
3124         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3125         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
3126         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3127         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3128         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3129         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3130         (_generate_unchecked_setter_for_member):
3131         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3132         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3133         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3134         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3135         * inspector/scripts/codegen/objc_generator_templates.py:
3136         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3137         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3138         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3139         * inspector/scripts/tests/expected/enum-values.json-result:
3140         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3141         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3142         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3143         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3144         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3145         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3146         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3147         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3148         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3149         * jit/CallFrameShuffler.cpp:
3150         (JSC::CallFrameShuffler::performSafeWrites):
3151         * jit/PolymorphicCallStubRoutine.cpp:
3152         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
3153         * jit/Repatch.cpp:
3154         (JSC::tryCacheGetByID):
3155         (JSC::tryCachePutByID):
3156         (JSC::tryRepatchIn):
3157         (JSC::linkPolymorphicCall):
3158         * parser/Nodes.cpp:
3159         (JSC::ProgramNode::setClosedVariables):
3160         * parser/Parser.cpp:
3161         (JSC::Parser<LexerType>::parseInner):
3162         (JSC::Parser<LexerType>::parseFunctionInfo):
3163         * parser/Parser.h:
3164         (JSC::Parser::closedVariables):
3165         * parser/SourceProviderCache.cpp:
3166         (JSC::SourceProviderCache::add):
3167         * profiler/ProfileNode.h:
3168         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
3169         * replay/EncodedValue.cpp:
3170         (JSC::EncodedValue::get<EncodedValue>):
3171         * replay/scripts/CodeGeneratorReplayInputs.py:
3172         (Generator.generate_member_move_expression):
3173         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
3174         (Test::HandleWheelEvent::HandleWheelEvent):
3175         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
3176         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
3177         (Test::MapInput::MapInput):
3178         (JSC::InputTraits<Test::MapInput>::decode):
3179         * runtime/ConsoleClient.cpp:
3180         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3181         (JSC::ConsoleClient::logWithLevel):
3182         (JSC::ConsoleClient::clear):
3183         (JSC::ConsoleClient::dir):
3184         (JSC::ConsoleClient::dirXML):
3185         (JSC::ConsoleClient::table):
3186         (JSC::ConsoleClient::trace):
3187         (JSC::ConsoleClient::assertCondition):
3188         (JSC::ConsoleClient::group):
3189         (JSC::ConsoleClient::groupCollapsed):
3190         (JSC::ConsoleClient::groupEnd):
3191         * runtime/JSNativeStdFunction.cpp:
3192         (JSC::JSNativeStdFunction::create):
3193         * runtime/JSString.h:
3194         (JSC::jsNontrivialString):
3195         * runtime/JSStringJoiner.cpp:
3196         (JSC::JSStringJoiner::join):
3197         * runtime/JSStringJoiner.h:
3198         (JSC::JSStringJoiner::append):
3199         * runtime/NativeStdFunctionCell.cpp:
3200         (JSC::NativeStdFunctionCell::create):
3201         (JSC::NativeStdFunctionCell::NativeStdFunctionCell):
3202         * runtime/ScopedArgumentsTable.cpp:
3203         (JSC::ScopedArgumentsTable::setLength):
3204         * runtime/StructureIDTable.cpp:
3205         (JSC::StructureIDTable::resize):
3206         * runtime/TypeSet.cpp:
3207         (JSC::StructureShape::inspectorRepresentation):
3208         * runtime/WeakGCMap.h:
3209         (JSC::WeakGCMap::set):
3210         * tools/CodeProfile.h:
3211         (JSC::CodeProfile::addChild):
3212         * yarr/YarrInterpreter.cpp:
3213         (JSC::Yarr::ByteCompiler::compile):
3214         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
3215         * yarr/YarrInterpreter.h:
3216         (JSC::Yarr::BytecodePattern::BytecodePattern):
3217         * yarr/YarrPattern.cpp:
3218         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
3219         (JSC::Yarr::YarrPatternConstructor::reset):
3220         (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
3221         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
3222         (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
3223         (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
3224         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
3225
3226 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
3227
3228         Unreviewed, fix copyright dates. It's super annoying when we forget to update these, and I
3229         just forgot to do so in the last commit. Also update the date of the last commit in the
3230         ChangeLog.
3231
3232         * b3/air/AirIteratedRegisterCoalescing.cpp:
3233         * b3/air/AirOpcode.opcodes:
3234         * b3/air/AirTmpWidth.cpp:
3235         * b3/air/AirTmpWidth.h:
3236         * ftl/FTLB3Output.cpp:
3237         * ftl/FTLB3Output.h:
3238
3239 2016-01-01  Filip Pizlo  <fpizlo@apple.com>
3240
3241         FTL B3 should be able to run all of the old V8v7 tests
3242         https://bugs.webkit.org/show_bug.cgi?id=152579
3243
3244         Reviewed by Saam Barati.
3245
3246         Fixes some silly bugs that were preventing us from running all of the old V8v7 tests.
3247
3248         IRC's analysis of when to turn a Move into a Move32 when spilling is based on the premise
3249         that if the dst has a 32-bit def width, then the src must also have a 32-bit def width. But
3250         that doesn't happen if the src is an immediate.
3251
3252         This changes that condition in IRC to use the combined use/def width of both src and dst
3253         rather than being clever. This is great because it's the combined width that determines the
3254         size of the spill slot.
3255
3256         Also added some more debug support to TmpWidth.
3257
3258         This also fixes Air's description of DivDouble; previously it claimed to be a 32-bit
3259         operation. Also implements Output::unsignedToDouble(), since we already had everything we
3260         needed to implement this optimally.
3261
3262         * b3/air/AirIteratedRegisterCoalescing.cpp:
3263         * b3/air/AirOpcode.opcodes:
3264         * b3/air/AirTmpWidth.cpp:
3265         (JSC::B3::Air::TmpWidth::recompute):
3266         (JSC::B3::Air::TmpWidth::Widths::dump):
3267         * b3/air/AirTmpWidth.h:
3268         (JSC::B3::Air::TmpWidth::Widths::Widths):
3269         * ftl/FTLB3Output.cpp:
3270         (JSC::FTL::Output::doubleToUInt):
3271         (JSC::FTL::Output::unsignedToDouble):
3272         * ftl/FTLB3Output.h:
3273         (JSC::FTL::Output::zeroExt):
3274         (JSC::FTL::Output::zeroExtPtr):
3275         (JSC::FTL::Output::intToDouble):
3276         (JSC::FTL::Output::castToInt32):
3277         (JSC::FTL::Output::unsignedToDouble): Deleted.
3278
3279 2016-01-01  Jeff Miller  <jeffm@apple.com>
3280
3281         Update user-visible copyright strings to include 2016
3282         https://bugs.webkit.org/show_bug.cgi?id=152531
3283
3284         Reviewed by Alexey Proskuryakov.
3285
3286         * Info.plist:
3287
3288 2015-12-31  Andy Estes  <aestes@apple.com>
3289
3290         Fix warnings uncovered by migrating to WTF_MOVE
3291         https://bugs.webkit.org/show_bug.cgi?id=152601
3292
3293         Reviewed by Daniel Bates.
3294
3295         * create_regex_tables: Moving a return value prevented copy elision.
3296         * ftl/FTLUnwindInfo.cpp:
3297         (JSC::FTL::parseUnwindInfo): Ditto.
3298         * replay/EncodedValue.h: Ditto.
3299
3300 2015-12-30  Aleksandr Skachkov  <gskachkov@gmail.com>
3301
3302         [ES6] Arrow function syntax. Arrow function specific features. Lexical bind "super"
3303         https://bugs.webkit.org/show_bug.cgi?id=149615
3304
3305         Reviewed by Saam Barati.
3306
3307         Implemented lexical binding of the "super" property for arrow functions. The 'super' property can be
3308         accessed inside an arrow function if the arrow function is nested in a constructor, method,
3309         getter or setter of a class. In the current patch, using 'super' in an arrow function declared outside
3310         of a class leads to the wrong type of error; it should be a SyntaxError (https://bugs.webkit.org/show_bug.cgi?id=150893)
3311         and this will be fixed in a separate patch.
3312
3313         * builtins/BuiltinExecutables.cpp:
3314         (JSC::createExecutableInternal):
3315         * bytecode/EvalCodeCache.h:
3316         (JSC::EvalCodeCache::getSlow):
3317         * bytecode/ExecutableInfo.h:
3318         (JSC::ExecutableInfo::ExecutableInfo):
3319         (JSC::ExecutableInfo::derivedContextType):
3320         (JSC::ExecutableInfo::isClassContext):
3321         * bytecode/UnlinkedCodeBlock.cpp:
3322         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3323         * bytecode/UnlinkedCodeBlock.h:
3324         (JSC::UnlinkedCodeBlock::derivedContextType):
3325         (JSC::UnlinkedCodeBlock::isClassContext):
3326         * bytecode/UnlinkedFunctionExecutable.cpp:
3327         (JSC::generateUnlinkedFunctionCodeBlock):
3328         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3329         * bytecode/UnlinkedFunctionExecutable.h:
3330         * bytecompiler/BytecodeGenerator.cpp:
3331         (JSC::BytecodeGenerator::BytecodeGenerator):
3332         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
3333         * bytecompiler/BytecodeGenerator.h:
3334         (JSC::BytecodeGenerator::derivedContextType):
3335         (JSC::BytecodeGenerator::isDerivedConstructorContext):
3336         (JSC::BytecodeGenerator::isDerivedClassContext):
3337         (JSC::BytecodeGenerator::isArrowFunction):
3338         (JSC::BytecodeGenerator::makeFunction):
3339         * bytecompiler/NodesCodegen.cpp:
3340         (JSC::emitHomeObjectForCallee):
3341         (JSC::FunctionCallValueNode::emitBytecode):
3342         * debugger/DebuggerCallFrame.cpp:
3343         (JSC::DebuggerCallFrame::evaluate):
3344         * interpreter/Interpreter.cpp:
3345         (JSC::eval):
3346         * runtime/CodeCache.cpp:
3347         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3348         * runtime/Executable.cpp:
3349         (JSC::ScriptExecutable::ScriptExecutable):
3350         (JSC::EvalExecutable::create):
3351         (JSC::EvalExecutable::EvalExecutable):
3352         (JSC::ProgramExecutable::ProgramExecutable):
3353         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
3354         (JSC::FunctionExecutable::FunctionExecutable):
3355         * runtime/Executable.h:
3356         (JSC::ScriptExecutable::derivedContextType):
3357         * runtime/JSGlobalObjectFunctions.cpp:
3358         (JSC::globalFuncEval):
3359         * tests/es6.yaml:
3360         * tests/stress/arrowfunction-lexical-bind-superproperty.js: Added.
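The behaviour described in the entry above, as an added example that is not part of the ChangeLog or of JavaScriptCore's own code: arrow functions nested in a derived class's constructor, method, getter and setter all resolve `super` lexically from the enclosing class member, and a `super` reference inside an arrow that is not within a class member is rejected at parse time with a SyntaxError (the spec behaviour the entry says JSC did not yet produce for that case). The class names, method names and the `Function`-constructor probe are constructed for this example.

```javascript
// Added example (not JavaScriptCore code): exercises lexical binding of
// `super` inside arrow functions nested in class members. All class and
// member names below are constructed for illustration.

class Base {
  describe() { return "Base.describe"; }
  get label() { return "Base.label"; }
  set label(v) { this._label = "Base.set:" + v; }
}

class Derived extends Base {
  constructor() {
    super();
    // Arrow in a derived constructor: `super` is captured from the
    // constructor's home object, so super.describe() is Base.describe.
    const fromCtor = () => super.describe();
    this.fromCtor = fromCtor();
  }

  describe() {
    // Arrow in a method: `super` binds to Base.prototype, not to the arrow.
    const inner = () => super.describe() + " via Derived.describe";
    return inner();
  }

  get label() {
    // Arrow in a getter: super.label invokes Base's getter with this === d.
    const inner = () => super.label + " via Derived.get";
    return inner();
  }

  set label(v) {
    // Arrow in a setter: forwards the assignment to Base's setter.
    const inner = (x) => { super.label = x; };
    inner(v);
  }

  nested() {
    // Arrows nest: every level still sees the same lexical `super`.
    const outer = () => () => super.describe();
    return outer()();
  }
}

// Returns one value per access path so the results can be checked directly.
function exerciseSuperInArrows() {
  const d = new Derived();
  d.label = "x";
  return {
    fromCtor: d.fromCtor,
    fromMethod: d.describe(),
    fromGetter: d.label,
    fromSetter: d._label,
    fromNested: d.nested(),
  };
}

// A `super` reference inside an arrow that is not lexically within a class
// member (here: a plain function body compiled by the Function constructor)
// must fail at parse time with a SyntaxError. Returns the error's class name.
function superOutsideClassErrorName() {
  try {
    new Function("const f = () => super.describe(); return f();");
    return "no error";
  } catch (e) {
    return e.constructor.name;
  }
}
```

Running `exerciseSuperInArrows()` in any ES2015-conformant engine shows each arrow reaching the Base member through the enclosing class member's home object, which is exactly the "lexical bind" the entry implements; `superOutsideClassErrorName()` shows the SyntaxError the entry says should be raised for the out-of-class case.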
3361
3362 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3363
3364         Unreviewed, relax limitation in operationCreateThis
3365         https://bugs.webkit.org/show_bug.cgi?id=152383
3366
3367         Unreviewed. operationCreateThis can now be called with a non-constructible function.
3368
3369         * dfg/DFGOperations.cpp:
3370
3371 2015-12-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3372
3373         [ES6][ES7] Drop Constructability of generator function
3374         https://bugs.webkit.org/show_bug.cgi?id=152383
3375
3376         Reviewed by Saam Barati.
3377
3378         We drop the constructability of generator functions.
3379         This change has already landed in the ES 2016 draft [1].
3380         It also simplifies JSC's existing generator implementation
3381         by dropping the GeneratorThisMode flag.
3382
3383         [1]: https://github.com/tc39/ecma262/releases/tag/es2016-draft-20151201
3384
3385         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3386         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3387         * JavaScriptCore.xcodeproj/project.pbxproj:
3388         * builtins/BuiltinExecutables.cpp:
3389         (JSC::createExecutableInternal):
3390         * bytecode/ExecutableInfo.h: