[INTL] Implement Intl.Collator.prototype.resolvedOptions ()
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-10-21  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        [INTL] Implement Intl.Collator.prototype.resolvedOptions ()
        https://bugs.webkit.org/show_bug.cgi?id=147601

        Reviewed by Benjamin Poulain.

        This patch implements Intl.Collator.prototype.resolvedOptions() according
        to the ECMAScript 2015 Internationalization API spec (ECMA-402 2nd edition).
        It also implements the abstract operations InitializeCollator, ResolveLocale,
        LookupMatcher, and BestFitMatcher.

        * runtime/CommonIdentifiers.h:
        * runtime/IntlCollator.h:
        (JSC::IntlCollator::usage):
        (JSC::IntlCollator::setUsage):
        (JSC::IntlCollator::locale):
        (JSC::IntlCollator::setLocale):
        (JSC::IntlCollator::collation):
        (JSC::IntlCollator::setCollation):
        (JSC::IntlCollator::numeric):
        (JSC::IntlCollator::setNumeric):
        (JSC::IntlCollator::sensitivity):
        (JSC::IntlCollator::setSensitivity):
        (JSC::IntlCollator::ignorePunctuation):
        (JSC::IntlCollator::setIgnorePunctuation):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::sortLocaleData):
        (JSC::searchLocaleData):
        (JSC::initializeCollator):
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::defaultLocale):
        (JSC::getIntlBooleanOption):
        (JSC::getIntlStringOption):
        (JSC::removeUnicodeLocaleExtension):
        (JSC::lookupMatcher):
        (JSC::bestFitMatcher):
        (JSC::resolveLocale):
        (JSC::lookupSupportedLocales):
        * runtime/IntlObject.h:

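        The abstract operations named in the entry above, modelled in JavaScript as an added
        illustration (this is not JavaScriptCore's implementation, nor the engine's locale tables):
        BestAvailableLocale, LookupMatcher and a reduced ResolveLocale for the Collator extension
        keys "co" and "kn". The available-locale set, the locale data and the requested tags are
        constructed for the example, and private-use ("-x-") subtags are assumed absent.

```javascript
// Added example, not JavaScriptCore's code: a JavaScript model of the ECMA-402
// abstract operations BestAvailableLocale, LookupMatcher and a reduced
// ResolveLocale for the Collator keys "co" and "kn". The available locales,
// locale data and requested tags below are constructed for illustration.

// Split a BCP 47 tag into the tag without its "-u-" extension sequence and the
// sequence itself. The sequence ends at the next singleton subtag or at the end
// of the tag. Assumes no private-use ("-x-") subtags appear before the "-u-".
function removeUnicodeLocaleExtension(tag) {
  const kept = [];
  const ext = [];
  let inExtension = false;
  tag.split('-').forEach((subtag, i) => {
    if (inExtension && subtag.length !== 1) { ext.push(subtag); return; }
    inExtension = i > 0 && subtag === 'u';   // a singleton "u" opens the sequence
    if (!inExtension) kept.push(subtag);
  });
  return { locale: kept.join('-'), extension: ext.length ? '-u-' + ext.join('-') : null };
}

// BestAvailableLocale: strip trailing subtags until a supported tag is found.
function bestAvailableLocale(availableLocales, locale) {
  let candidate = locale;
  for (;;) {
    if (availableLocales.has(candidate)) return candidate;
    let pos = candidate.lastIndexOf('-');
    if (pos === -1) return undefined;
    // A singleton subtag ("-x-foo") is dropped together with what follows it.
    if (pos >= 2 && candidate[pos - 2] === '-') pos -= 2;
    candidate = candidate.substring(0, pos);
  }
}

// LookupMatcher: the first requested tag with a supported prefix wins; its
// "-u-" sequence is carried along so ResolveLocale can honour it. Falls back
// to the default locale when nothing matches.
function lookupMatcher(availableLocales, requestedLocales, defaultLocale) {
  for (const requested of requestedLocales) {
    const { locale, extension } = removeUnicodeLocaleExtension(requested);
    const available = bestAvailableLocale(availableLocales, locale);
    if (available !== undefined) {
      return extension === null ? { locale: available } : { locale: available, extension };
    }
  }
  return { locale: defaultLocale };
}

// ResolveLocale (lookup matcher only): pick the locale, then settle each
// relevant extension key from, in order of precedence, the options object,
// the requested "-u-" sequence, and the locale data default (first entry).
// Only extension values the options did not override are echoed back into
// the resolved locale tag.
function resolveLocale(availableLocales, requestedLocales, options,
                       relevantExtensionKeys, localeData, defaultLocale) {
  const r = lookupMatcher(availableLocales, requestedLocales, defaultLocale);
  const foundLocale = r.locale;
  const extensionSubtags = r.extension ? r.extension.slice(3).split('-') : [];
  const result = { dataLocale: foundLocale };
  let supportedExtension = '-u';
  for (const key of relevantExtensionKeys) {
    const keyLocaleData = localeData[foundLocale][key];
    let value = keyLocaleData[0];
    let supportedExtensionAddition = '';
    const keyPos = extensionSubtags.indexOf(key);
    if (keyPos !== -1) {
      const next = extensionSubtags[keyPos + 1];
      if (next !== undefined && next.length > 2) {
        if (keyLocaleData.includes(next)) {
          value = next;
          supportedExtensionAddition = '-' + key + '-' + value;
        }
      } else if (keyLocaleData.includes('true')) {
        value = 'true';   // a bare key such as "-u-kn" means "true"
      }
    }
    if (options[key] !== undefined) {
      const optionsValue = String(options[key]);
      if (keyLocaleData.includes(optionsValue) && optionsValue !== value) {
        value = optionsValue;
        supportedExtensionAddition = '';   // the option overrides the extension
      }
    }
    result[key] = value;
    supportedExtension += supportedExtensionAddition;
  }
  result.locale = supportedExtension.length > 2 ? foundLocale + supportedExtension : foundLocale;
  return result;
}

// Constructed tables: a tiny set of "available" locales and per-locale data.
// The first entry of each key's list is its default (null = default order).
const AVAILABLE = new Set(['en', 'en-US', 'de', 'de-DE', 'ja']);
const LOCALE_DATA = {
  'en':    { co: [null],            kn: ['false', 'true'] },
  'en-US': { co: [null],            kn: ['false', 'true'] },
  'de':    { co: [null, 'phonebk'], kn: ['false', 'true'] },
  'de-DE': { co: [null, 'phonebk'], kn: ['false', 'true'] },
  'ja':    { co: [null, 'unihan'],  kn: ['false', 'true'] },
};

// Unsupported fr-CA is skipped; de-DE is chosen, with phonebook collation and
// numeric ordering requested through the extension.
console.log(resolveLocale(AVAILABLE, ['fr-CA', 'de-DE-u-co-phonebk-kn'], {},
                          ['co', 'kn'], LOCALE_DATA, 'en'));
```
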
2015-10-21  Saam barati  <sbarati@apple.com>

        C calls in PolymorphicAccess shouldn't assume that the top of the stack looks like a JSC JIT frame and enable *ByIdFlush in FTL
        https://bugs.webkit.org/show_bug.cgi?id=125711

        Reviewed by Filip Pizlo.

        This patch ensures that anytime we need to make a C call inside
        PolymorphicAccess, we ensure there is enough space on the stack to do so.

        This patch also enables GetByIdFlush/PutByIdFlush inside the FTL.
        Because PolymorphicAccess now spills the necessary registers
        before making a JS/C call, any registers that LLVM reports as
        being in use for the patchpoint will be spilled before making
        a call by PolymorphicAccess.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::restoreScratch):
        (JSC::AccessGenerationState::succeed):
        (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
        (JSC::AccessCase::generate):
        (JSC::PolymorphicAccess::regenerate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitTypeOf):
        (JSC::AssemblyHelpers::makeSpaceOnStackForCCall):
        (JSC::AssemblyHelpers::reclaimSpaceOnStackForCCall):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
        (JSC::RegisterSet::registersToNotSaveForJSCall):
        (JSC::RegisterSet::registersToNotSaveForCCall):
        (JSC::RegisterSet::allGPRs):
        (JSC::RegisterSet::registersToNotSaveForCall): Deleted.
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        These methods now take an extra parameter indicating if they
        should create space for a C call at the top of the stack if
        there are any reused registers to spill.

        (JSC::ScratchRegisterAllocator::usedRegistersForCall):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::usedRegisters):

2015-10-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Array previews with Symbol objects have too few preview values
        https://bugs.webkit.org/show_bug.cgi?id=150404

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
        We should be continuing inside this loop not returning.

2015-10-21  Filip Pizlo  <fpizlo@apple.com>

        Failures in PutStackSinkingPhase should be less severe
        https://bugs.webkit.org/show_bug.cgi?id=150400

        Reviewed by Geoffrey Garen.

        Make the PutStackSinkingPhase abort instead of asserting. To test that it's OK to not have
        PutStackSinkingPhase run, this adds a test mode where we run without PutStackSinkingPhase.

        * dfg/DFGPlan.cpp: Make it possible to not run PutStackSinkingPhase for tests.
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPutStackSinkingPhase.cpp: PutStackSinkingPhase should abort instead of asserting, except when validation is enabled.
        * runtime/Options.h: Add an option for disabling PutStackSinkingPhase.

2015-10-21  Saam barati  <sbarati@apple.com>

        The FTL should place the CallSiteIndex on the call frame for JS calls when it fills in the patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=150104

        Reviewed by Filip Pizlo.

        We lower JS Calls to patchpoints in LLVM. LLVM may decide to duplicate
        these patchpoints (or remove them). We eagerly store the CallSiteIndex on the
        call frame when lowering DFG to LLVM. But, because the patchpoint we lower to may
        be duplicated, we really don't know the unique CallSiteIndex until we've
        actually seen the resulting patchpoints after LLVM has completed its transformations.
        To solve this, we now store the unique CallSiteIndex on the call frame header
        when generating code to fill into the patchpoint.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit):
        * ftl/FTLJSCall.h:
        (JSC::FTL::JSCall::stackmapID):
        * ftl/FTLJSCallBase.cpp:
        (JSC::FTL::JSCallBase::JSCallBase):
        (JSC::FTL::JSCallBase::emit):
        (JSC::FTL::JSCallBase::link):
        * ftl/FTLJSCallBase.h:
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLJSCallVarargs.h:
        (JSC::FTL::JSCallVarargs::node):
        (JSC::FTL::JSCallVarargs::stackmapID):
        * ftl/FTLJSTailCall.cpp:
        (JSC::FTL::JSTailCall::JSTailCall):
        (JSC::FTL::m_instructionOffset):
        (JSC::FTL::JSTailCall::emit):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
        (JSC::FTL::DFG::LowerDFGToLLVM::codeOriginDescriptionOfCallSite):
        (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):

2015-10-21  Geoffrey Garen  <ggaren@apple.com>

        Date creation should share a little code
        https://bugs.webkit.org/show_bug.cgi?id=150399

        Reviewed by Filip Pizlo.

        I want to fix a bug in this code, but I don't want to fix it in two
        different places. (See https://bugs.webkit.org/show_bug.cgi?id=150386.)

        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        (JSC::milliseconds): Factored out a shared helper function. If you look
        closely, you'll see that one copy of this code previously checked isfinite
        while the other checked isnan. isnan returning nan was obviously a no-op,
        so I removed it. isfinite, it turns out, is also a no-op -- but less
        obviously so, so I kept it for now.

        (JSC::constructDate):
        (JSC::dateUTC): Use the helper function.

2015-10-21  Guillaume Emont  <guijemont@igalia.com>

        llint: align stack pointer on mips too

        [MIPS] LLInt: align stack pointer on MIPS too
        https://bugs.webkit.org/show_bug.cgi?id=150380

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter32_64.asm:

2015-10-20  Mark Lam  <mark.lam@apple.com>

        YarrPatternConstructor::containsCapturingTerms() should not assume that its terms.size() is greater than 0.
        https://bugs.webkit.org/show_bug.cgi?id=150372

        Reviewed by Geoffrey Garen.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
        (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
        (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):

2015-10-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r191175): OSR Exit from an inlined tail callee trashes callee save registers
        https://bugs.webkit.org/show_bug.cgi?id=150336

        Reviewed by Mark Lam.

        During OSR exit, we need to restore and transform the active stack into what the baseline
        JIT expects.  Inlined call frames become true call frames.  When we reify an inlined call
        frame and it is a tail call which we will be continuing from, we need to restore the tag
        constant callee save registers with what was saved by the outermost caller.

        Re-enabled tail calls and restored tests for tail calls.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames): Select whether or not we use the callee save tag register
        contents or what was saved by the inlining caller when populating an inlined callee's
        callee save registers.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitSaveCalleeSavesFor): This function no longer needs a stack offset.
        (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor): New helper.
        * runtime/Options.h: Turned tail calls back on.
        * tests/es6.yaml:
        * tests/stress/dfg-tail-calls.js:
        (nonInlinedTailCall.callee):
        * tests/stress/mutual-tail-call-no-stack-overflow.js:
        (shouldThrow):
        * tests/stress/tail-call-in-inline-cache.js:
        (tail):
        * tests/stress/tail-call-no-stack-overflow.js:
        (shouldThrow):
        * tests/stress/tail-call-recognize.js:
        (callerMustBeRun):
        * tests/stress/tail-call-varargs-no-stack-overflow.js:
        (shouldThrow):

2015-10-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JavaScriptCore should parse sourceURL and sourceMappingURL directives
        https://bugs.webkit.org/show_bug.cgi?id=150096

        Reviewed by Geoffrey Garen.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::scriptCommentPattern): Deleted.
        (Inspector::ContentSearchUtilities::findScriptSourceURL): Deleted.
        (Inspector::ContentSearchUtilities::findScriptSourceMapURL): Deleted.
        * inspector/ContentSearchUtilities.h:
        No longer need to search script content.

        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        Carry over the sourceURL and sourceMappingURL from the SourceProvider.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        No longer do content searching.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::setCode):
        (JSC::Lexer<T>::skipWhitespace):
        (JSC::Lexer<T>::parseCommentDirective):
        (JSC::Lexer<T>::parseCommentDirectiveValue):
        (JSC::Lexer<T>::consume):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURL):
        (JSC::Lexer::sourceMappingURL):
        (JSC::Lexer::sourceProvider): Deleted.
        Give lexer the ability to detect script comment directives.
        This just consumes characters in single line comments and
        ultimately sets the sourceURL or sourceMappingURL found.

        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::url):
        (JSC::SourceProvider::sourceURL):
        (JSC::SourceProvider::sourceMappingURL):
        (JSC::SourceProvider::setSourceURL):
        (JSC::SourceProvider::setSourceMappingURL):
        After parsing a script, update the Source Provider with the
        value of directives that may have been found in the script.

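        As an added illustration of the directive scanning this entry describes (this is not the
        JavaScriptCore Lexer's code), the scanner below pulls sourceURL and sourceMappingURL out
        of single-line comments only, skipping string literals and block comments so that a
        directive-shaped string cannot pass for a directive. Assumed rather than taken from the
        entry: the "//# name=value" / "//@ name=value" form, last-directive-wins handling, the
        sample script, and the absence of regular-expression literals in the input.

```javascript
// Added example, not the JavaScriptCore Lexer: extract the sourceURL and
// sourceMappingURL comment directives from a script. Only single-line comments
// are examined; string literals and block comments are skipped so that a
// directive-shaped string such as "//# sourceURL=x" is not taken for one.
// Assumed (not from the page): a directive is "//# name=value" or
// "//@ name=value", the value runs to the next whitespace, the last directive
// of each kind wins, and regular-expression literals are not recognised.

function parseCommentDirectives(source) {
  const result = { sourceURL: null, sourceMappingURL: null };
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (c === '"' || c === "'" || c === '`') {
      i = skipStringLiteral(source, i);               // quoted text cannot hold a directive
    } else if (c === '/' && source[i + 1] === '*') {
      const end = source.indexOf('*/', i + 2);        // block comments are not inspected
      i = end === -1 ? source.length : end + 2;
    } else if (c === '/' && source[i + 1] === '/') {
      const eol = lineEnd(source, i);
      const directive = parseCommentDirective(source.slice(i + 2, eol));
      if (directive !== null) result[directive.name] = directive.value;
      i = eol;
    } else {
      i += 1;
    }
  }
  return result;
}

// Index just past the closing quote of the literal that starts at source[start],
// honouring backslash escapes. A single- or double-quoted literal ends at a
// line break (it is unterminated); a template literal may span lines.
function skipStringLiteral(source, start) {
  const quote = source[start];
  let i = start + 1;
  while (i < source.length) {
    const c = source[i];
    if (c === '\\') i += 2;
    else if (c === quote) return i + 1;
    else if (quote !== '`' && isLineTerminator(c)) return i;
    else i += 1;
  }
  return source.length;
}

function isLineTerminator(c) {
  return c === '\n' || c === '\r' || c === '\u2028' || c === '\u2029';
}

// Index of the line terminator that ends the line containing `from`, or the
// end of the source.
function lineEnd(source, from) {
  for (let i = from; i < source.length; i++) {
    if (isLineTerminator(source[i])) return i;
  }
  return source.length;
}

// `comment` is the text after "//". Recognise "# sourceURL=value" and
// "@ sourceMappingURL=value" (whitespace after the marker is optional);
// anything else is an ordinary comment.
function parseCommentDirective(comment) {
  const m = /^[#@][ \t]*(sourceURL|sourceMappingURL)=(\S+)/.exec(comment);
  return m === null ? null : { name: m[1], value: m[2] };
}

// Constructed sample script (not taken from the page).
const SAMPLE_SCRIPT = [
  'var s = "//# sourceURL=inside-a-string.js"; // not a directive',
  '/* //# sourceMappingURL=inside-a-block-comment.map */',
  'function f() { return s.length; }',
  '//# sourceURL=app/real.js',
  '//@ sourceMappingURL=app/real.js.map trailing text is ignored',
].join('\n');

console.log(parseCommentDirectives(SAMPLE_SCRIPT));
```
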
2015-10-20  Saam barati  <sbarati@apple.com>

        GCAwareJITStubRoutineWithExceptionHandler has a stale CodeBlock pointer in its destructor
        https://bugs.webkit.org/show_bug.cgi?id=150351

        Reviewed by Mark Lam.

        We may regenerate many GCAwareJITStubRoutineWithExceptionHandler stubs per one PolymorphicAccess.
        Only the last GCAwareJITStubRoutineWithExceptionHandler stub that was generated will get the CodeBlock's aboutToDie()
        notification. All other GCAwareJITStubRoutineWithExceptionHandler stubs will still be holding a stale CodeBlock pointer
        that they will use in their destructor. The solution is to have GCAwareJITStubRoutineWithExceptionHandler remove its
        exception handler in observeZeroRefCount() instead of its destructor. observeZeroRefCount() will run when a PolymorphicAccess
        replaces its m_stubRoutine.

        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount):
        (JSC::createJITStubRoutine):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler): Deleted.
        * jit/GCAwareJITStubRoutine.h:

2015-10-20  Tim Horton  <timothy_horton@apple.com>

        Try to fix the build by disabling MAC_GESTURE_EVENTS on 10.9 and 10.10

        * Configurations/FeatureDefines.xcconfig:

2015-10-20  Xabier Rodriguez Calvar  <calvaris@igalia.com>

        [Streams API] Rework some readable stream internals that can be common to writable streams
        https://bugs.webkit.org/show_bug.cgi?id=150133

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Added RangeError also as native functions.

2015-10-20  Yoav Weiss  <yoav@yoav.ws>

        Rename the PICTURE_SIZES flag to CURRENTSRC
        https://bugs.webkit.org/show_bug.cgi?id=150275

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2015-10-19  Saam barati  <sbarati@apple.com>

        FTL should generate a unique OSR exit for each duplicated OSR exit stackmap intrinsic.
        https://bugs.webkit.org/show_bug.cgi?id=149970

        Reviewed by Filip Pizlo.

        When we lower DFG to LLVM, we generate a stackmap intrinsic for OSR
        exits. We also recorded the OSR exit inside FTL::JITCode during lowering.
        This stackmap intrinsic may be duplicated or even removed by LLVM.
        When the stackmap intrinsic is duplicated, we used to generate just
        a single OSR exit data structure. Then, when we compiled an OSR exit, we
        would look for the first record in the record list that had the same stackmap ID
        as what the OSR exit data structure had. We did this even when the OSR exit
        stackmap intrinsic was duplicated. This would lead us to grab the wrong FTL::StackMaps::Record.

        Now, each OSR exit knows exactly which FTL::StackMaps::Record it corresponds to.
        We accomplish this by having an OSRExitDescriptor that is recorded during
        lowering. Each descriptor may be referenced by zero, one, or more OSRExits.
        Now, no more than one stackmap intrinsic corresponds to the same index inside
        JITCode's OSRExit Vector. Also, each OSRExit jump now jumps to a code location.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::validateReferences):
        (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * ftl/FTLJITCode.h:
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileIsUndefined):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::DFG::LowerDFGToLLVM::callStackmap):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
        (JSC::FTL::OSRExitDescriptor::validateReferences):
        (JSC::FTL::OSRExit::OSRExit):
        (JSC::FTL::OSRExit::codeLocationForRepatch):
        (JSC::FTL::OSRExit::validateReferences): Deleted.
        * ftl/FTLOSRExit.h:
        (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::computeRecordMap):
        * ftl/FTLStackMaps.h:

2015-10-16  Brian Burg  <bburg@apple.com>

        Unify handling of JavaScriptCore scripts that are used in WebCore
        https://bugs.webkit.org/show_bug.cgi?id=150245

        Reviewed by Alex Christensen.

        Move all standalone JavaScriptCore scripts that are used by WebCore into the
        JavaScriptCore/Scripts directory. Use JavaScriptCore_SCRIPTS_DIR to refer
        to the path for these scripts.

        * DerivedSources.make:

            Define and use JavaScriptCore_SCRIPTS_DIR.

        * JavaScriptCore.xcodeproj/project.pbxproj:

            Make a new group in the Xcode project and clean up references.

        * PlatformWin.cmake:

            For Windows, copy these scripts over to ForwardingHeaders/Scripts since they
            cannot be used directly from JAVASCRIPTCORE_DIR in AppleWin builds. Do the same
            thing for both Windows variants to be consistent about it.

        * Scripts/cssmin.py: Renamed from Source/JavaScriptCore/inspector/scripts/cssmin.py.
        * Scripts/generate-combined-inspector-json.py: Renamed from Source/JavaScriptCore/inspector/scripts/generate-combined-inspector-json.py.
        * Scripts/generate-js-builtins: Renamed from Source/JavaScriptCore/generate-js-builtins.
        * Scripts/inline-and-minify-stylesheets-and-scripts.py: Renamed from Source/JavaScriptCore/inspector/scripts/inline-and-minify-stylesheets-and-scripts.py.
        * Scripts/jsmin.py: Renamed from Source/JavaScriptCore/inspector/scripts/jsmin.py.
        * Scripts/xxd.pl: Renamed from Source/JavaScriptCore/inspector/scripts/xxd.pl.

2015-10-19  Tim Horton  <timothy_horton@apple.com>

        Try to fix the iOS build

        * Configurations/FeatureDefines.xcconfig:

2015-10-17  Keith Miller  <keith_miller@apple.com>

        Add regression tests for TypedArray.prototype functions' error messages.
        https://bugs.webkit.org/show_bug.cgi?id=150288

        Reviewed by Darin Adler.

        Fix a typo in the text passed by the TypedArray.prototype.filter type error message.
        Add tests that check the actual error message text for all the TypedArray.prototype
        functions that throw.

        * builtins/TypedArray.prototype.js:
        (filter):
        * tests/stress/typedarray-every.js:
        * tests/stress/typedarray-filter.js:
        * tests/stress/typedarray-find.js:
        * tests/stress/typedarray-findIndex.js:
        * tests/stress/typedarray-forEach.js:
        * tests/stress/typedarray-map.js:
        * tests/stress/typedarray-reduce.js:
        * tests/stress/typedarray-reduceRight.js:
        * tests/stress/typedarray-some.js:

2015-10-19  Tim Horton  <timothy_horton@apple.com>

        Add magnify and rotate gesture event support for Mac
        https://bugs.webkit.org/show_bug.cgi?id=150179
        <rdar://problem/8036240>

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:
        New feature flag.

2015-10-19  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the ENABLE(WEBASSEMBLY) build after r190827
        https://bugs.webkit.org/show_bug.cgi?id=150330

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock): Removed the duplicated VM argument.
        * bytecode/CodeBlock.h:
        (JSC::WebAssemblyCodeBlock::create): Added new parameters to finishCreation() calls.
        (JSC::WebAssemblyCodeBlock::WebAssemblyCodeBlock): Change VM parameter to pointer to match *CodeBlock classes.
        * runtime/Executable.cpp:
        (JSC::WebAssemblyExecutable::prepareForExecution): Removed extra ")" and pass pointer as it is expected.

2015-10-19  Mark Lam  <mark.lam@apple.com>

        DoubleRep fails to convert SpecBoolean values.
        https://bugs.webkit.org/show_bug.cgi?id=150313

        Reviewed by Geoffrey Garen.

        This was uncovered by the op_sub stress test on 32-bit builds.  On 32-bit builds,
        DoubleRep will erroneously convert 'true' to a 'NaN' instead of a double 1.
        On 64-bit, the same issue exists but is masked by another bug in DoubleRep where
        boolean values will always erroneously trigger a BadType OSR exit.

        The erroneous conversion of 'true' to 'NaN' is because the 'true' case in
        compileDoubleRep() is missing a jump to the "done" destination.  Instead, it
        falls through to the "isUndefined" case where it produces a NaN.

        The 64-bit erroneous BadType OSR exit is due to the boolean type check being
        implemented incorrectly.  It was checking if any bits other than bit 0 were set.
        However, boolean JS values always have TagBitBool (the 3rd bit) set.  Hence, the
        check will always fail if we have a boolean value.

        This patch fixes both of these issues.

        No new test is needed because these issues are already covered by scenarios in
        the op_sub.js stress test.  This patch also fixes the op_sub.js test to throw an
        exception if any failures are encountered (as expected by the stress test
        harness).  This patch also re-worked the test code to provide more accurate
        descriptions of each test scenario for error reporting.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):

        * tests/stress/op_sub.js:
        (generateScenarios):
        (func):
        (initializeTestCases):
        (runTest):
        (stringify): Deleted.

2015-10-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Drop !newTarget check since it always becomes true
        https://bugs.webkit.org/show_bug.cgi?id=150308

        Reviewed by Geoffrey Garen.

        In the context of calling a constructor, `newTarget` should not become JSEmpty.
        So `!newTarget` always becomes true. This patch drops this unnecessary check.
        And to ensure the implementation of the constructor is only called under
        the context of calling it as a constructor, we change these functions to
        static and only use them for constructor implementations of InternalFunction.

        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        (JSC::callIntlDateTimeFormat):
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        (JSC::callIntlNumberFormat):
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):

2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        Promise constructor should throw when not called with "new"
        https://bugs.webkit.org/show_bug.cgi?id=149380

        Reviewed by Darin Adler.

        Implement handling of new.target in the Promise constructor, and
        prohibit calling the Promise constructor without "new".

        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::callPromise):
        (JSC::JSPromiseConstructor::getCallData):
        * tests/es6.yaml:
        * tests/stress/promise-cannot-be-called.js: Added.
        (shouldBe):
        (shouldThrow):
        (Deferred):
        (super):

2015-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Handle asynchronous tests in tests/es6
        https://bugs.webkit.org/show_bug.cgi?id=150293

        Reviewed by Darin Adler.

        Since JSC can handle microtasks, some of the ES6 Promise tests can be executed under the JSC shell.
        Some of them still fail because they use setTimeout, which invokes macrotasks with an explicit delay.

        * tests/es6.yaml:
        * tests/es6/Promise_Promise.all.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_Promise.all_generic_iterables.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_Promise.race.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_Promise.race_generic_iterables.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_basic_functionality.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_is_subclassable_Promise.all.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_is_subclassable_Promise.race.js:
        (test.asyncTestPassed):
        (test):
        * tests/es6/Promise_is_subclassable_basic_functionality.js:
        (test.asyncTestPassed):
        (test):

2015-10-18  Sungmann Cho  <sungmann.cho@navercorp.com>

        [Win] Fix the Windows builds.
        https://bugs.webkit.org/show_bug.cgi?id=150300

        Reviewed by Darin Adler.

        Add missing files to JavaScriptCore.vcxproj.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2015-10-17  Filip Pizlo  <fpizlo@apple.com>

        Fix some generational heap growth pathologies
        https://bugs.webkit.org/show_bug.cgi?id=150270

        Reviewed by Andreas Kling.

        When doing generational copying, we would pretend that the size of old space was increased
        just by the amount of bytes we copied. In reality, it would be increased by the number of
        bytes used by the copied blocks we created. This is a larger number, and in some simple
        pathological programs, the difference can be huge.

        Fixing this bug was relatively easy, and the only really meaningful change here is in
        Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
        add some debugging code and I had to refactor some stuff so that it made more sense.

        This change does obviate the need for m_totalBytesCopied, because we no longer use it in
        release builds to decide how much heap we are using at the end of collection. But I added a
        FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
        now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.

        Relanding with build fix.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopiedBlock.cpp: Added.
        (JSC::CopiedBlock::createNoZeroFill):
        (JSC::CopiedBlock::destroy):
        (JSC::CopiedBlock::create):
        (JSC::CopiedBlock::zeroFillWilderness):
        (JSC::CopiedBlock::CopiedBlock):
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::didSurviveGC):
        (JSC::CopiedBlock::createNoZeroFill): Deleted.
        (JSC::CopiedBlock::destroy): Deleted.
        (JSC::CopiedBlock::create): Deleted.
        (JSC::CopiedBlock::zeroFillWilderness): Deleted.
        (JSC::CopiedBlock::CopiedBlock): Deleted.
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::startedCopying):
        * heap/Heap.cpp:
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::resetVisitors):
        (JSC::Heap::capacity):
        (JSC::Heap::protectedGlobalObjectCount):
        (JSC::Heap::collectImpl):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::sizeAfterCollect): Deleted.
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isBusy):
        (JSC::Heap::collectIfNecessaryOrDefer):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::destroy):

684 2015-10-17  Commit Queue  <commit-queue@webkit.org>
685
686         Unreviewed, rolling out r191240.
687         https://bugs.webkit.org/show_bug.cgi?id=150281
688
689         Broke 32-bit builds (Requested by smfr on #webkit).
690
691         Reverted changeset:
692
693         "Fix some generational heap growth pathologies"
694         https://bugs.webkit.org/show_bug.cgi?id=150270
695         http://trac.webkit.org/changeset/191240
696
697 2015-10-17  Sungmann Cho  <sungmann.cho@navercorp.com>
698
699         [Win] Fix the Windows build.
700         https://bugs.webkit.org/show_bug.cgi?id=150278
701
702         Reviewed by Brent Fulgham.
703
704         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
705         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
706
707 2015-10-17  Mark Lam  <mark.lam@apple.com>
708
709         Fixed typos from r191224.
710
711         Not reviewed.
712
713         * jit/JITSubGenerator.h:
714         (JSC::JITSubGenerator::generateFastPath):
715
716 2015-10-17  Filip Pizlo  <fpizlo@apple.com>
717
718         Fix some generational heap growth pathologies
719         https://bugs.webkit.org/show_bug.cgi?id=150270
720
721         Reviewed by Andreas Kling.
722
723         When doing generational copying, we would pretend that the size of old space was increased
724         just by the amount of bytes we copied. In reality, it would be increased by the number of
725         bytes used by the copied blocks we created. This is a larger number, and in some simple
726         pathological programs, the difference can be huge.
727
728         Fixing this bug was relatively easy, and the only really meaningful change here is in
729         Heap::updateAllocationLimits(). But to convince myself that the change was valid, I had to
730         add some debugging code and I had to refactor some stuff so that it made more sense.
731
732         This change does obviate the need for m_totalBytesCopied, because we no longer use it in
733         release builds to decide how much heap we are using at the end of collection. But I added a
734         FIXME about how we could restore our use of m_totalBytesCopied. So, I kept the logic, for
735         now. The FIXME references https://bugs.webkit.org/show_bug.cgi?id=150268.
736
737         * CMakeLists.txt:
738         * JavaScriptCore.xcodeproj/project.pbxproj:
739         * heap/CopiedBlock.cpp: Added.
740         (JSC::CopiedBlock::createNoZeroFill):
741         (JSC::CopiedBlock::destroy):
742         (JSC::CopiedBlock::create):
743         (JSC::CopiedBlock::zeroFillWilderness):
744         (JSC::CopiedBlock::CopiedBlock):
745         * heap/CopiedBlock.h:
746         (JSC::CopiedBlock::didSurviveGC):
747         (JSC::CopiedBlock::createNoZeroFill): Deleted.
748         (JSC::CopiedBlock::destroy): Deleted.
749         (JSC::CopiedBlock::create): Deleted.
750         (JSC::CopiedBlock::zeroFillWilderness): Deleted.
751         (JSC::CopiedBlock::CopiedBlock): Deleted.
752         * heap/CopiedSpaceInlines.h:
753         (JSC::CopiedSpace::startedCopying):
754         * heap/Heap.cpp:
755         (JSC::Heap::updateObjectCounts):
756         (JSC::Heap::resetVisitors):
757         (JSC::Heap::capacity):
758         (JSC::Heap::protectedGlobalObjectCount):
759         (JSC::Heap::collectImpl):
760         (JSC::Heap::willStartCollection):
761         (JSC::Heap::updateAllocationLimits):
762         (JSC::Heap::didFinishCollection):
763         (JSC::Heap::sizeAfterCollect): Deleted.
764         * heap/Heap.h:
765         * heap/HeapInlines.h:
766         (JSC::Heap::shouldCollect):
767         (JSC::Heap::isBusy):
768         (JSC::Heap::collectIfNecessaryOrDefer):
769         * heap/MarkedBlock.cpp:
770         (JSC::MarkedBlock::create):
771         (JSC::MarkedBlock::destroy):
772
773 2015-10-16  Yusuke Suzuki  <utatane.tea@gmail.com>
774
775         [ES6] Implement String.prototype.normalize
776         https://bugs.webkit.org/show_bug.cgi?id=150094
777
778         Reviewed by Geoffrey Garen.
779
780         This patch implements String.prototype.normalize leveraging ICU.
781         It can provide the feature applying {NFC, NFD, NFKC, NFKD} normalization to a given string.
782
783         * runtime/StringPrototype.cpp:
784         (JSC::StringPrototype::finishCreation):
785         (JSC::normalize):
786         (JSC::stringProtoFuncNormalize):
787         * tests/es6.yaml:
788         * tests/stress/string-normalize.js: Added.
789         (unicode):
790         (shouldBe):
791         (shouldThrow):
792         (normalizeTest):
793
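As an added illustration (not part of this ChangeLog entry, nor of the string-normalize.js test it lists), the following script exercises the four normalization forms the entry names and the RangeError an unrecognized form must raise, and shows why code that compares user-supplied identifiers should normalize first. The sample strings are constructed here; nothing in it reflects JSC internals.

```javascript
// Added example (not from the WebKit ChangeLog or the JSC patch): exercises the
// ECMAScript String.prototype.normalize surface the entry above describes,
// covering all four Unicode normalization forms plus the RangeError on a bad form.
//
// Sample strings, constructed here for illustration.
const SAMPLES = {
  // "é" as one precomposed code point (U+00E9) vs. "e" + combining acute (U+0301)
  precomposed: "\u00e9",
  decomposed: "e\u0301",
  // U+FB01 LATIN SMALL LIGATURE FI: compatibility-equivalent to "fi"
  ligature: "\ufb01",
  // U+2460 CIRCLED DIGIT ONE: compatibility-equivalent to "1"
  circledOne: "\u2460",
};

// Return the code points of a string as "U+XXXX" labels, which makes
// normalization differences visible where the rendered glyphs look identical.
function codePoints(s) {
  return Array.from(s, (ch) =>
    "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// Apply each of the four normalization forms to the input.
function normalizeAll(s) {
  return {
    NFC: s.normalize("NFC"),
    NFD: s.normalize("NFD"),
    NFKC: s.normalize("NFKC"),
    NFKD: s.normalize("NFKD"),
  };
}

// Canonical equivalence: two strings that render and mean the same compare
// equal only after both are brought to a common form.
function canonicallyEqual(a, b) {
  return a.normalize("NFC") === b.normalize("NFC");
}

// Compatibility folding (NFKC) is the usual choice before comparing
// identifiers such as user names, so that confusable variants collapse.
function foldIdentifier(s) {
  return s.normalize("NFKC");
}

// normalize() with an unknown form string must throw RangeError; the form
// names are case-sensitive, and omitting the argument selects NFC.
function rejectsBadForm(form) {
  try {
    "abc".normalize(form);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

function demo() {
  const { precomposed, decomposed, ligature, circledOne } = SAMPLES;
  console.log(codePoints(precomposed), codePoints(decomposed), precomposed === decomposed);
  console.log(normalizeAll(decomposed));
  console.log(canonicallyEqual(precomposed, decomposed));
  console.log(foldIdentifier(ligature + circledOne));
  console.log(rejectsBadForm("nfc"), rejectsBadForm("NFC"));
}

demo();
```

The two "é" spellings are unequal as raw strings and equal after NFC, while NFKC additionally rewrites the ligature and the circled digit to plain ASCII; NFC leaves those compatibility characters alone, which is why identifier comparison usually folds with NFKC rather than NFC.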
794 2015-10-16  Geoffrey Garen  <ggaren@apple.com>
795
796         Update JavaScriptCore API docs
797         https://bugs.webkit.org/show_bug.cgi?id=150262
798
799         Reviewed by Mark Lam.
800
801         Apply some edits for clarity. These came out of a docs review.
802
803         * API/JSContext.h:
804         * API/JSExport.h:
805         * API/JSManagedValue.h:
806         * API/JSValue.h:
807
808 2015-10-16  Keith Miller  <keith_miller@apple.com>
809
810         Unreviewed. Fix typo in TypeError messages in TypedArray.prototype.forEach/filter.
811
812         * builtins/TypedArray.prototype.js:
813         (forEach):
814         (filter):
815
816 2015-10-16  Mark Lam  <mark.lam@apple.com>
817
818         Use JITSubGenerator to support UntypedUse operands for op_sub in the DFG.
819         https://bugs.webkit.org/show_bug.cgi?id=150038
820
821         Reviewed by Geoffrey Garen.
822
823         * bytecode/SpeculatedType.h:
824         (JSC::isUntypedSpeculationForArithmetic): Added
825         - Also fixed some comments.
826         
827         * dfg/DFGAbstractInterpreterInlines.h:
828         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
829
830         * dfg/DFGAbstractValue.cpp:
831         (JSC::DFG::AbstractValue::resultType):
832         * dfg/DFGAbstractValue.h:
833         - Added function to compute the ResultType of an operand from its SpeculatedType.
834
835         * dfg/DFGFixupPhase.cpp:
836         (JSC::DFG::FixupPhase::fixupNode):
837         - Fix up ArithSub to speculate its operands to be numbers.  But if an OSR exit
838           due to a BadType was seen at this node, we'll fix it up to expect UntypedUse
839           operands.  This gives the generated code a chance to run fast if it only
840           receives numeric operands.
841
842         * dfg/DFGNode.h:
843         (JSC::DFG::Node::shouldSpeculateUntypedForArithmetic):
844
845         * dfg/DFGOperations.cpp:
846         * dfg/DFGOperations.h:
847         - Add the C++ runtime function to implement op_sub when we really encounter the
848           hard types in the operands.
849
850         * dfg/DFGSpeculativeJIT.cpp:
851         (JSC::DFG::SpeculativeJIT::compileArithSub):
852         - Added support for UntypedUse operands using the JITSubGenerator.
853
854         * dfg/DFGSpeculativeJIT.h:
855         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
856         (JSC::DFG::SpeculativeJIT::pickCanTrample):
857         (JSC::DFG::SpeculativeJIT::callOperation):
858
859         * ftl/FTLCapabilities.cpp:
860         (JSC::FTL::canCompile):
861         - Just refuse to FTL compile functions with UntypedUse op_sub operands for now.
862
863         * jit/AssemblyHelpers.h:
864         (JSC::AssemblyHelpers::boxDouble):
865         (JSC::AssemblyHelpers::unboxDoubleNonDestructive):
866         (JSC::AssemblyHelpers::unboxDouble):
867         (JSC::AssemblyHelpers::boxBooleanPayload):
868         * jit/JITArithmetic.cpp:
869         (JSC::JIT::emit_op_sub):
870
871         * jit/JITSubGenerator.h:
872         (JSC::JITSubGenerator::generateFastPath):
873         (JSC::JITSubGenerator::endJumpList):
874         - Added some asserts to document the contract that this generator expects in
875           terms of its incoming registers.
876
877           Also fixed the generated code to not be destructive with regards to incoming
878           registers.  The DFG expects this.
879
880           Also added an endJumpList so that we don't have to jump twice for the fast
881           path where both operands are ints.
882
883         * parser/ResultType.h:
884         (JSC::ResultType::ResultType):
885         - Make the internal Type bits and the constructor private.  Clients should only
886           create ResultType values using one of the provided factory methods.
887
888         * tests/stress/op_sub.js: Added.
889         (o1.valueOf):
890         (stringify):
891         (generateScenarios):
892         (printScenarios):
893         (testCases.func):
894         (func):
895         (initializeTestCases):
896         (runTest):
897         - test op_sub results by comparing one LLINT result against the output of
898           multiple LLINT, and JIT runs.  This test assumes that we'll at least get the
899           right result some of the time (if not all the time), and confirms that the
900           various engines produce consistent results for all the various value pairs
901           being tested.
902
903 2015-10-15  Filip Pizlo  <fpizlo@apple.com>
904
905         CopyBarrier must be avoided for slow TypedArrays
906         https://bugs.webkit.org/show_bug.cgi?id=150217
907         rdar://problem/23128791
908
909         Reviewed by Michael Saboff.
910
911         Change how we access array buffer views so that we don't fire the barrier slow path, and
912         don't mask off the spaceBits, if the view is not FastTypedArray. That's because in that case
913         m_vector could be misaligned and so have meaningful non-space data in the spaceBits. Also in
914         that case, m_vector does not point into copied space.
915
916         * dfg/DFGSpeculativeJIT.cpp:
917         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
918         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
919         * ftl/FTLLowerDFGToLLVM.cpp:
920         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorWithBarrier):
921         (JSC::FTL::DFG::LowerDFGToLLVM::copyBarrier):
922         (JSC::FTL::DFG::LowerDFGToLLVM::isInToSpace):
923         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyReadOnly):
924         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorReadOnly):
925         (JSC::FTL::DFG::LowerDFGToLLVM::removeSpaceBits):
926         (JSC::FTL::DFG::LowerDFGToLLVM::isFastTypedArray):
927         (JSC::FTL::DFG::LowerDFGToLLVM::baseIndex):
928         * heap/CopyBarrier.h:
929         (JSC::CopyBarrierBase::getWithoutBarrier):
930         (JSC::CopyBarrierBase::getPredicated):
931         (JSC::CopyBarrierBase::get):
932         (JSC::CopyBarrierBase::copyState):
933         (JSC::CopyBarrier::get):
934         (JSC::CopyBarrier::getPredicated):
935         (JSC::CopyBarrier::set):
936         * heap/Heap.cpp:
937         (JSC::Heap::copyBarrier):
938         * jit/AssemblyHelpers.cpp:
939         (JSC::AssemblyHelpers::branchIfNotType):
940         (JSC::AssemblyHelpers::branchIfFastTypedArray):
941         (JSC::AssemblyHelpers::branchIfNotFastTypedArray):
942         (JSC::AssemblyHelpers::loadTypedArrayVector):
943         (JSC::AssemblyHelpers::purifyNaN):
944         * jit/AssemblyHelpers.h:
945         (JSC::AssemblyHelpers::branchStructure):
946         (JSC::AssemblyHelpers::branchIfToSpace):
947         (JSC::AssemblyHelpers::branchIfNotToSpace):
948         (JSC::AssemblyHelpers::removeSpaceBits):
949         (JSC::AssemblyHelpers::addressForByteOffset):
950         * jit/JITPropertyAccess.cpp:
951         (JSC::JIT::emitIntTypedArrayGetByVal):
952         (JSC::JIT::emitFloatTypedArrayGetByVal):
953         (JSC::JIT::emitIntTypedArrayPutByVal):
954         (JSC::JIT::emitFloatTypedArrayPutByVal):
955         * runtime/JSArrayBufferView.h:
956         (JSC::JSArrayBufferView::vector):
957         (JSC::JSArrayBufferView::length):
958         * runtime/JSArrayBufferViewInlines.h:
959         (JSC::JSArrayBufferView::byteOffset):
960         * runtime/JSGenericTypedArrayView.h:
961         (JSC::JSGenericTypedArrayView::typedVector):
962         * runtime/JSGenericTypedArrayViewInlines.h:
963         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore):
964         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
965         * tests/stress/misaligned-int8-view-byte-offset.js: Added.
966         * tests/stress/misaligned-int8-view-read.js: Added.
967         * tests/stress/misaligned-int8-view-write.js: Added.
968
969 2015-10-16  Keith Miller  <keith_miller@apple.com>
970
971         Unreviewed. Build fix for 191215.
972
973         * jit/IntrinsicEmitter.cpp:
974
975 2015-10-16  Keith Miller  <keith@Keiths-MacBook-Pro-5.local>
976
977         Add Intrinsic Getters and use them to fix performance on the getters of TypedArray properties.
978         https://bugs.webkit.org/show_bug.cgi?id=149687
979
980         Reviewed by Geoffrey Garen.
981
982         Add the ability to create intrinsic getters in both the inline cache and the DFG/FTL. When the
983         getter fetched by a GetById has an intrinsic we know about we add a new intrinsic access case.
984         Once we get to the DFG, we observe that the access case was an intrinsic and add an appropriate
985         GetByIdVariant. We then parse the intrinsic into an appropriate DFG node.
986
987         The first intrinsics are the new TypedArray prototype getters length, byteLength, and byteOffset.
988
989         * CMakeLists.txt:
990         * JavaScriptCore.xcodeproj/project.pbxproj:
991         * bytecode/GetByIdStatus.cpp:
992         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
993         (JSC::GetByIdStatus::computeFor):
994         * bytecode/GetByIdVariant.cpp:
995         (JSC::GetByIdVariant::GetByIdVariant):
996         (JSC::GetByIdVariant::operator=):
997         (JSC::GetByIdVariant::canMergeIntrinsicStructures):
998         (JSC::GetByIdVariant::attemptToMerge):
999         (JSC::GetByIdVariant::dumpInContext):
1000         * bytecode/GetByIdVariant.h:
1001         (JSC::GetByIdVariant::intrinsicFunction):
1002         (JSC::GetByIdVariant::intrinsic):
1003         (JSC::GetByIdVariant::callLinkStatus): Deleted.
1004         * bytecode/PolymorphicAccess.cpp:
1005         (JSC::AccessGenerationState::addWatchpoint):
1006         (JSC::AccessGenerationState::restoreScratch):
1007         (JSC::AccessGenerationState::succeed):
1008         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
1009         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
1010         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
1011         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCallWithThrownException):
1012         (JSC::AccessGenerationState::callSiteIndexForExceptionHandlingOrOriginal):
1013         (JSC::AccessGenerationState::originalExceptionHandler):
1014         (JSC::AccessGenerationState::originalCallSiteIndex):
1015         (JSC::AccessCase::getIntrinsic):
1016         (JSC::AccessCase::clone):
1017         (JSC::AccessCase::visitWeak):
1018         (JSC::AccessCase::generate):
1019         (WTF::printInternal):
1020         (JSC::AccessCase::AccessCase): Deleted.
1021         (JSC::AccessCase::get): Deleted.
1022         (JSC::AccessCase::replace): Deleted.
1023         (JSC::AccessCase::transition): Deleted.
1024         * bytecode/PolymorphicAccess.h:
1025         (JSC::AccessCase::isGet):
1026         (JSC::AccessCase::isPut):
1027         (JSC::AccessCase::isIn):
1028         (JSC::AccessCase::intrinsicFunction):
1029         (JSC::AccessCase::intrinsic):
1030         (JSC::AccessGenerationState::AccessGenerationState):
1031         (JSC::AccessGenerationState::liveRegistersForCall):
1032         (JSC::AccessGenerationState::callSiteIndexForExceptionHandling):
1033         (JSC::AccessGenerationState::numberOfStackBytesUsedForRegisterPreservation):
1034         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
1035         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
1036         * bytecode/PutByIdVariant.h:
1037         (JSC::PutByIdVariant::intrinsic):
1038         * dfg/DFGAbstractInterpreterInlines.h:
1039         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1040         * dfg/DFGArrayMode.cpp:
1041         (JSC::DFG::ArrayMode::alreadyChecked):
1042         (JSC::DFG::arrayTypeToString):
1043         (JSC::DFG::toTypedArrayType):
1044         (JSC::DFG::refineTypedArrayType):
1045         (JSC::DFG::permitsBoundsCheckLowering):
1046         * dfg/DFGArrayMode.h:
1047         (JSC::DFG::ArrayMode::supportsLength):
1048         (JSC::DFG::ArrayMode::isSomeTypedArrayView):
1049         * dfg/DFGByteCodeParser.cpp:
1050         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
1051         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1052         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
1053         (JSC::DFG::ByteCodeParser::load):
1054         (JSC::DFG::ByteCodeParser::handleGetById):
1055         (JSC::DFG::ByteCodeParser::presenceLike): Deleted.
1056         (JSC::DFG::ByteCodeParser::store): Deleted.
1057         * dfg/DFGClobberize.h:
1058         (JSC::DFG::clobberize):
1059         * dfg/DFGFixupPhase.cpp:
1060         (JSC::DFG::FixupPhase::fixupNode):
1061         (JSC::DFG::FixupPhase::convertToGetArrayLength): Deleted.
1062         (JSC::DFG::FixupPhase::prependGetArrayLength): Deleted.
1063         (JSC::DFG::FixupPhase::fixupChecksInBlock): Deleted.
1064         * dfg/DFGGraph.cpp:
1065         (JSC::DFG::Graph::tryGetFoldableView):
1066         * dfg/DFGPredictionPropagationPhase.cpp:
1067         (JSC::DFG::PredictionPropagationPhase::propagate):
1068         * dfg/DFGSpeculativeJIT.cpp:
1069         (JSC::DFG::SpeculativeJIT::checkArray):
1070         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1071         * ftl/FTLCapabilities.cpp:
1072         (JSC::FTL::canCompile):
1073         * ftl/FTLLowerDFGToLLVM.cpp:
1074         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetArrayLength):
1075         * jit/IntrinsicEmitter.cpp: Added.
1076         (JSC::AccessCase::canEmitIntrinsicGetter):
1077         (JSC::AccessCase::emitIntrinsicGetter):
1078         * jit/Repatch.cpp:
1079         (JSC::tryCacheGetByID):
1080         * runtime/Intrinsic.h:
1081         * runtime/JSArrayBufferView.cpp:
1082         (JSC::JSArrayBufferView::put):
1083         (JSC::JSArrayBufferView::defineOwnProperty):
1084         (JSC::JSArrayBufferView::deleteProperty):
1085         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
1086         (JSC::JSArrayBufferView::getOwnPropertySlot): Deleted.
1087         (JSC::JSArrayBufferView::finalize): Deleted.
1088         * runtime/JSDataView.cpp:
1089         (JSC::JSDataView::getOwnPropertySlot):
1090         (JSC::JSDataView::put):
1091         (JSC::JSDataView::defineOwnProperty):
1092         (JSC::JSDataView::deleteProperty):
1093         (JSC::JSDataView::getOwnNonIndexPropertyNames):
1094         * runtime/JSDataView.h:
1095         * runtime/JSFunction.h:
1096         * runtime/JSFunctionInlines.h:
1097         (JSC::JSFunction::intrinsic):
1098         * runtime/JSGenericTypedArrayView.h:
1099         * runtime/JSGenericTypedArrayViewInlines.h:
1100         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1101         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1102         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1103         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex): Deleted.
1104         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Deleted.
1105         * runtime/JSObject.cpp:
1106         (JSC::JSObject::putDirectNativeIntrinsicGetter):
1107         * runtime/JSObject.h:
1108         * runtime/JSTypedArrayViewPrototype.cpp:
1109         (JSC::JSTypedArrayViewPrototype::finishCreation):
1110         * tests/stress/typedarray-add-property-to-base-object.js: Added.
1111         (body.foo):
1112         (body):
1113         * tests/stress/typedarray-bad-getter.js: Added.
1114         (body.foo):
1115         (body.get Bar):
1116         (body):
1117         * tests/stress/typedarray-getter-on-self.js: Added.
1118         (body.foo):
1119         (body.bar):
1120         (body.baz):
1121         (body.get for):
1122         (body):
1123         * tests/stress/typedarray-intrinsic-getters-change-prototype.js: Added.
1124         (body.foo):
1125         (body.bar):
1126         (body.baz):
1127         (body):
1128
1129 2015-10-16  Keith Miller  <keith_miller@apple.com>
1130
1131         Fix some issues with TypedArrays
1132         https://bugs.webkit.org/show_bug.cgi?id=150216
1133
1134         Reviewed by Geoffrey Garen.
1135
1136         This fixes a couple of issues:
1137         1) The DFG had a separate case for creating new typedarrays in the dfg when the first argument is an object.
1138            Since the code for creating a Typedarray in the dfg is almost the same as the code in Baseline/LLInt
1139            the two cases have been merged.
1140         2) If the length property on an object was unset then the construction could crash.
1141         3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
1142            length of the source object when the source object is a TypedArray.
1143         4) The conditions that were used to decide if the iterator could be skipped were incorrect.
1144            Instead of checking for have a bad time we should have checked the Indexing type did not allow for
1145            indexed accessors.
1146
1147         * dfg/DFGOperations.cpp:
1148         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1149         (JSC::constructGenericTypedArrayViewWithArguments):
1150         (JSC::constructGenericTypedArrayView):
1151         (JSC::constructGenericTypedArrayViewWithFirstArgument): Deleted.
1152
1153 2015-10-16  Anders Carlsson  <andersca@apple.com>
1154
1155         Fix Windows build.
1156
1157         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1158         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1159
1160 2015-10-16  Michael Saboff  <msaboff@apple.com>
1161
1162         REGRESSION (r191175): Still crashing when clicking back button on netflix.com
1163         https://bugs.webkit.org/show_bug.cgi?id=150251
1164
1165         Rubber stamped by Filip Pizlo.
1166
1167         Turning off Tail Calls and disabling tests until the crash is fixed.
1168
1169         * runtime/Options.h:
1170         * tests/es6.yaml:
1171         * tests/stress/dfg-tail-calls.js:
1172         (nonInlinedTailCall.callee):
1173         * tests/stress/mutual-tail-call-no-stack-overflow.js:
1174         (shouldThrow):
1175         * tests/stress/tail-call-in-inline-cache.js:
1176         (tail):
1177         * tests/stress/tail-call-no-stack-overflow.js:
1178         (shouldThrow):
1179         * tests/stress/tail-call-recognize.js:
1180         (callerMustBeRun):
1181         * tests/stress/tail-call-varargs-no-stack-overflow.js:
1182         (shouldThrow):
1183
1184 2015-10-16  Mark Lam  <mark.lam@apple.com>
1185
1186         Add MacroAssembler::callProbe() for supporting lambda JIT probes.
1187         https://bugs.webkit.org/show_bug.cgi?id=150186
1188
1189         Reviewed by Geoffrey Garen.
1190
1191         With callProbe(), we can now make probes that are lambdas.  For example, we can
1192         now conveniently add probes like so: 
1193
1194             // When you know exactly which register you want to inspect:
1195             jit.callProbe([] (MacroAssembler::ProbeContext* context) {
1196                 intptr_t value = reinterpret_cast<intptr_t>(context->cpu.eax);
1197                 dataLogF("eax %p\n", context->cpu.eax); // Inspect the register.
1198                 ASSERT(value > 10); // Add test code for debugging.
1199             });
1200
1201             // When you want to inspect whichever register the JIT allocated:
1202             auto reg = op1.gpr();
1203             jit.callProbe([reg] (MacroAssembler::ProbeContext* context) {
1204                 intptr_t value = reinterpret_cast<intptr_t>(context->gpr(reg));
1205                 dataLogF("reg %s: %ld\n", context->gprName(reg), value);
1206                 ASSERT(value > 10);
1207             });
1208
1209         callProbe() is only meant to be used for debugging sessions.  It is not
1210         appropriate to use it in permanent code (even for debug builds).
1211         This is because:
1212         1. The probe mechanism saves and restores all (and I really mean "all")
1213            registers, and is inherently slow.
1214         2. callProbe() currently works by allocating (via new) a std::function to
1215            guarantee that it is persisted for the duration that the JIT generated code is
1216           live.  We don't currently delete it ever, i.e., it leaks a bit of memory each
1217            time the JIT generates code that contains such a lambda probe.
1218
1219         These limitations are acceptable for a debugging session (assuming you're not
1220         debugging a memory leak), but not for deployment code.  If there's a need, we can
1221         plug that leak in another patch.
1222
1223         * assembler/AbstractMacroAssembler.h:
1224         (JSC::AbstractMacroAssembler::CPUState::fpr):
1225         - Removed an unnecessary empty line.
1226         (JSC::AbstractMacroAssembler::ProbeContext::gpr):
1227         (JSC::AbstractMacroAssembler::ProbeContext::fpr):
1228         (JSC::AbstractMacroAssembler::ProbeContext::gprName):
1229         (JSC::AbstractMacroAssembler::ProbeContext::fprName):
1230         - Added some convenience functions that will make using the probe mechanism
1231           easier.
1232
1233         * assembler/MacroAssembler.cpp:
1234         (JSC::StdFunctionData::StdFunctionData):
1235         (JSC::stdFunctionCallback):
1236         (JSC::MacroAssembler::callProbe):
1237         * assembler/MacroAssembler.h:
1238
1239 2015-10-16  Andreas Kling  <akling@apple.com>
1240
1241         Remove unused StructureRareData::m_cachedGenericPropertyNameEnumerator.
1242         <https://webkit.org/b/150244>
1243
1244         Reviewed by Geoffrey Garen.
1245
1246         Remove an unused field from StructureRareData.
1247
1248         * runtime/StructureRareData.cpp:
1249         (JSC::StructureRareData::visitChildren): Deleted.
1250         * runtime/StructureRareData.h:
1251
1252 2015-10-16  Keith Miller  <keith_miller@apple.com>
1253
1254         Unreviewed, rolling out r191190.
1255
1256         Patch needs some design changes.
1257
1258         Reverted changeset:
1259
1260         "Fix some issues with TypedArrays"
1261         https://bugs.webkit.org/show_bug.cgi?id=150216
1262         http://trac.webkit.org/changeset/191190
1263
1264 2015-10-16  Mark Lam  <mark.lam@apple.com>
1265
1266         Move all the probe trampolines into their respective MacroAssembler files.
1267         https://bugs.webkit.org/show_bug.cgi?id=150239
1268
1269         Reviewed by Saam Barati.
1270
1271         This patch does not introduce any behavior changes.  It only moves the
1272         ctiMasmProbeTrampoline implementations from the respective JITStubs<CPU>.h
1273         files to the corresponding MacroAssembler<CPU>.cpp files. 
1274
1275         I also had to make some minor changes to get the code to build after this move:
1276         1. Added #include <wtf/InlineASM.h> in the MacroAssembler<CPU>.cpp files
1277            because the ctiMasmProbeTrampoline is an inline assembly blob.
1278         2. In the moved code, convert MacroAssembler:: qualifiers to the CPU specific
1279            MacroAssembler equivalent.  The referenced entities were always defined in
1280            the CPU specific MacroAssembler anyway, and indirectly referenced through
1281            the generic MacroAssembler.
1282
1283         With this, we can get rid of all the JITStubs<CPU>.cpp files.  There is one
1284         exception: JITStubsMSVC64.asm.  However, that one is unrelated to the probe
1285         mechanism.  So, I'll leave it as is.
1286
1287         We can also remove JITStubs.cpp and JITStubs.h which are now empty except for
1288         some stale unused code.
1289
1290         This patch has been build tested for x86, x86_64, armv7, and arm64.
1291
1292         * CMakeLists.txt:
1293         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1294         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1295         * JavaScriptCore.xcodeproj/project.pbxproj:
1296         * assembler/MacroAssemblerARM.cpp:
1297         (JSC::MacroAssemblerARM::probe):
1298         * assembler/MacroAssemblerARM64.cpp:
1299         (JSC::arm64ProbeTrampoline):
1300         (JSC::MacroAssemblerARM64::probe):
1301         * assembler/MacroAssemblerARMv7.cpp:
1302         (JSC::MacroAssemblerARMv7::probe):
1303         * assembler/MacroAssemblerX86Common.cpp:
1304         * bytecode/CodeBlock.cpp:
1305         * ftl/FTLCompile.cpp:
1306         * ftl/FTLLink.cpp:
1307         * jit/JITArithmetic.cpp:
1308         * jit/JITArithmetic32_64.cpp:
1309         * jit/JITCode.h:
1310         * jit/JITExceptions.cpp:
1311         * jit/JITStubs.cpp: Removed.
1312         * jit/JITStubs.h: Removed.
1313         * jit/JITStubsARM.h: Removed.
1314         * jit/JITStubsARM64.h: Removed.
1315         * jit/JITStubsARMv7.h: Removed.
1316         * jit/JITStubsX86.h: Removed.
1317         * jit/JITStubsX86Common.h: Removed.
1318         * jit/JITStubsX86_64.h: Removed.
1319         * jit/JSInterfaceJIT.h:
1320         * llint/LLIntOffsetsExtractor.cpp:
1321         * runtime/CommonSlowPaths.cpp:
1322
1323 2015-10-16  Keith Miller  <keith_miller@apple.com>
1324
1325         Fix some issues with TypedArrays
1326         https://bugs.webkit.org/show_bug.cgi?id=150216
1327
1328         Reviewed by Michael Saboff.
1329
1330         This fixes a couple of issues:
1331         1) The DFG had a separate case for creating new typedarrays in the dfg when the first argument is an object.
1332            Since the code for creating a Typedarray in the dfg is almost the same as the code in Baseline/LLInt
1333            the two cases have been merged.
1334         2) If the length property on an object was unset then the construction could crash.
1335         3) The TypedArray.prototype.set function and the TypedArray constructor should not call [[Get]] for the
1336            length of the source object when the source object is a TypedArray.
1337         4) The conditions that were used to decide if the iterator could be skipped were incorrect.
1338            Instead of checking for have a bad time we should have checked the Indexing type did not allow for
1339            indexed accessors.
1340
1341         * dfg/DFGOperations.cpp:
1342         (JSC::DFG::newTypedArrayWithOneArgument): Deleted.
1343         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1344         (JSC::constructGenericTypedArrayViewFromIterator):
1345         (JSC::constructGenericTypedArrayViewWithFirstArgument):
1346         (JSC::constructGenericTypedArrayView):
1347         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1348         (JSC::genericTypedArrayViewProtoFuncSet):
1349         * tests/stress/typedarray-construct-iterator.js: Added.
1350         (iterator.return.next):
1351         (iterator):
1352         (body):
1353
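As an added check (not part of this ChangeLog, nor of the stress tests the two Keith Miller entries list), the script below observes from ordinary JavaScript the TypedArray behaviours those entries describe: a source object with no length must not crash construction, a TypedArray source must not have its length read via [[Get]] in either the constructor or set(), an array carrying an indexed accessor must go through the iterator, and an own length getter still shadows the prototype getter on ordinary reads, which is what the intrinsic-getter tests had to preserve. All inputs are constructed here.

```javascript
// Added example (not from the WebKit ChangeLog or the JSC patches): checks, from
// script, the ECMAScript TypedArray behaviours the two entries above describe.
// Every input is constructed here for illustration.

// Install an own "length" getter on obj and count how often it is read, so we
// can tell whether a consumer used [[Get]] or the internal [[ArrayLength]].
function withLengthProbe(obj, reportedLength) {
  const probe = { calls: 0 };
  Object.defineProperty(obj, "length", {
    configurable: true,
    get() {
      probe.calls += 1;
      return reportedLength;
    },
  });
  return probe;
}

// Item 2: a source object with no length property must not crash the
// constructor; ToLength(undefined) is 0, so an empty view is produced.
function constructFromObjectWithoutLength() {
  return new Uint8Array({ 0: 7, 1: 8 }).length;
}

// Item 3: when the source is a TypedArray, neither the constructor nor
// %TypedArray%.prototype.set may call [[Get]] for its length; both read the
// internal [[ArrayLength]]. An ordinary read of source.length still sees the
// own getter, so a fast path for the length getter must respect that too.
function typedArraySourceIgnoresLengthGetter() {
  const source = new Uint8Array([1, 2, 3]);
  const probe = withLengthProbe(source, 99);
  const fromCtor = new Uint8Array(source);
  const target = new Uint8Array(3);
  target.set(source);
  return {
    ctorLength: fromCtor.length,
    targetBytes: Array.from(target),
    getterCalls: probe.calls,
    ordinaryRead: source.length,
  };
}

// Item 4: an array carrying an indexed accessor cannot take a "skip the
// iterator" shortcut; the iterator must run so the accessor is invoked.
function arrayWithIndexedAccessorGoesThroughIterator() {
  const arr = [1, 2, 3];
  let accessorCalls = 0;
  Object.defineProperty(arr, 1, {
    get() {
      accessorCalls += 1;
      return 42;
    },
  });
  const view = new Uint8Array(arr);
  return { bytes: Array.from(view), accessorCalls };
}

// Plain array-like with an explicit length: elements past length are ignored.
function constructFromArrayLike() {
  return Array.from(new Uint8Array({ length: 2, 0: 5, 1: 6, 2: 7 }));
}

function main() {
  console.log(constructFromObjectWithoutLength());
  console.log(typedArraySourceIgnoresLengthGetter());
  console.log(arrayWithIndexedAccessorGoesThroughIterator());
  console.log(constructFromArrayLike());
}

main();
```

The getter-call count is the interesting signal: a length read through [[Get]] would let script-controlled code run inside the copy, and a JIT fast path that cached a stale length across such a call is exactly the kind of mismatch the listed stress tests guard against.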
1354 2015-10-15  Michael Saboff  <msaboff@apple.com>
1355
1356         REGRESSION (r190289): Repro crash clicking back button on netflix.com
1357         https://bugs.webkit.org/show_bug.cgi?id=150220
1358
1359         Reviewed by Geoffrey Garen.
1360
1361         Since constructors check for a valid new "this" object and return it, we can't make
1362         a tail call to another function from within a constructor.
1363
1364         Re-enabled the tail calls and the related tail call tests.
1365
1366         Did some other miscellaneous clean up in the tail call code as part of the debugging.
1367
1368         * bytecompiler/BytecodeGenerator.cpp:
1369         (JSC::BytecodeGenerator::BytecodeGenerator):
1370         * ftl/FTLLowerDFGToLLVM.cpp:
1371         (JSC::FTL::DFG::LowerDFGToLLVM::callPreflight):
1372         * interpreter/Interpreter.h:
1373         (JSC::calleeFrameForVarargs):
1374         * runtime/Options.h:
1375         * tests/es6.yaml:
1376         * tests/stress/dfg-tail-calls.js:
1377         (nonInlinedTailCall.callee):
1378         * tests/stress/mutual-tail-call-no-stack-overflow.js:
1379         (shouldThrow):
1380         * tests/stress/tail-call-in-inline-cache.js:
1381         (tail):
1382         * tests/stress/tail-call-no-stack-overflow.js:
1383         (shouldThrow):
1384         * tests/stress/tail-call-recognize.js:
1385         (callerMustBeRun):
1386         * tests/stress/tail-call-varargs-no-stack-overflow.js:
1387         (shouldThrow):
1388
1389 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1390
1391         Unreviewed. Attempted EFL build fix 2 after r191159.
1392
1393         * PlatformEfl.cmake:
1394
1395 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1396
1397         Unreviewed. Attempted EFL build fix after r191159.
1398
1399         * PlatformEfl.cmake:
1400
1401 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1402
1403         Unreviewed. Build fix after r191160.
1404
1405         * inspector/agents/InspectorHeapAgent.cpp:
1406         (Inspector::InspectorHeapAgent::didGarbageCollect):
1407
1408 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1409
1410         Unreviewed. Revert part of r191159 which caused ASSERTs.
1411
1412         A review comment suggested using WeakPtr. It is not suitable
1413         here and causes ASSERTs across threads. Will address separately.
1414
1415         * inspector/agents/InspectorHeapAgent.h:
1416         * inspector/agents/InspectorHeapAgent.cpp:
1417         (Inspector::InspectorHeapAgent::didGarbageCollect):
1418         (Inspector::InspectorHeapAgent::InspectorHeapAgent): Deleted.
1419
1420 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
1421
1422         Web Inspector: Include Garbage Collection Event in Timeline
1423         https://bugs.webkit.org/show_bug.cgi?id=142510
1424
1425         Reviewed by Geoffrey Garen and Brian Burg.
1426
1427         * CMakeLists.txt:
1428         * DerivedSources.make:
1429         * JavaScriptCore.xcodeproj/project.pbxproj:
1430         Include new files in the build.
1431
1432         * heap/HeapObserver.h:
1433         (JSC::HeapObserver::~HeapObserver):
1434         * heap/Heap.cpp:
1435         (JSC::Heap::willStartCollection):
1436         (JSC::Heap::didFinishCollection):
1437         * heap/Heap.h:
1438         (JSC::Heap::addObserver):
1439         (JSC::Heap::removeObserver):
1440         Allow observers on heap to add hooks for starting / ending garbage collection.
1441
1442         * inspector/InspectorEnvironment.h:
1443         * inspector/JSGlobalObjectInspectorController.cpp:
1444         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1445         (Inspector::JSGlobalObjectInspectorController::vm):
1446         * inspector/JSGlobalObjectInspectorController.h:
1447         Access the VM through the InspectorEnvironment as it won't change.
1448
1449         * inspector/agents/InspectorHeapAgent.cpp: Added.
1450         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
1451         (Inspector::InspectorHeapAgent::~InspectorHeapAgent):
1452         (Inspector::InspectorHeapAgent::didCreateFrontendAndBackend):
1453         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
1454         (Inspector::InspectorHeapAgent::enable):
1455         (Inspector::InspectorHeapAgent::disable):
1456         (Inspector::InspectorHeapAgent::gc):
1457         (Inspector::protocolTypeForHeapOperation):
1458         (Inspector::InspectorHeapAgent::willGarbageCollect):
1459         (Inspector::InspectorHeapAgent::didGarbageCollect):
1460         * inspector/agents/InspectorHeapAgent.h: Added.
1461         * inspector/protocol/Heap.json: Added.
1462         New domain and agent to handle tasks related to the JavaScriptCore heap.
1463
1464 2015-10-15  Commit Queue  <commit-queue@webkit.org>
1465
1466         Unreviewed, rolling out r191135.
1467         https://bugs.webkit.org/show_bug.cgi?id=150197
1468
1469         This patch causes 50+ LayoutTest crashes related to the
1470         inspector (Requested by ryanhaddad on #webkit).
1471
1472         Reverted changeset:
1473
1474         "Web Inspector: JavaScriptCore should parse sourceURL and
1475         sourceMappingURL directives"
1476         https://bugs.webkit.org/show_bug.cgi?id=150096
1477         http://trac.webkit.org/changeset/191135
1478
1479 2015-10-15  Geoffrey Garen  <ggaren@apple.com>
1480
1481         Unreviewed, rolling out r191003.
1482         https://bugs.webkit.org/show_bug.cgi?id=150042
1483
1484         We're seeing some crashes in GC beneath speculationFromCell. Maybe this
1485         patch caused them?
1486
1487         Reverted changeset:
1488
1489         CodeBlock write barriers should be precise
1490         https://bugs.webkit.org/show_bug.cgi?id=150042
1491         http://trac.webkit.org/changeset/191003
1492
1493 2015-10-15  Joseph Pecoraro  <pecoraro@apple.com>
1494
1495         Web Inspector: JavaScriptCore should parse sourceURL and sourceMappingURL directives
1496         https://bugs.webkit.org/show_bug.cgi?id=150096
1497
1498         Reviewed by Geoffrey Garen.
1499
1500         * inspector/ContentSearchUtilities.cpp:
1501         (Inspector::ContentSearchUtilities::scriptCommentPattern): Deleted.
1502         (Inspector::ContentSearchUtilities::findScriptSourceURL): Deleted.
1503         (Inspector::ContentSearchUtilities::findScriptSourceMapURL): Deleted.
1504         * inspector/ContentSearchUtilities.h:
1505         No longer need to search script content.
1506
1507         * inspector/ScriptDebugServer.cpp:
1508         (Inspector::ScriptDebugServer::dispatchDidParseSource):
1509         Carry over the sourceURL and sourceMappingURL from the SourceProvider.
1510
1511         * inspector/agents/InspectorDebuggerAgent.cpp:
1512         (Inspector::InspectorDebuggerAgent::sourceMapURLForScript):
1513         (Inspector::InspectorDebuggerAgent::didParseSource):
1514         No longer do content searching.
1515
1516         * parser/Lexer.cpp:
1517         (JSC::Lexer<T>::setCode):
1518         (JSC::Lexer<T>::skipWhitespace):
1519         (JSC::Lexer<T>::parseCommentDirective):
1520         (JSC::Lexer<T>::parseCommentDirectiveValue):
1521         (JSC::Lexer<T>::consume):
1522         (JSC::Lexer<T>::lex):
1523         * parser/Lexer.h:
1524         (JSC::Lexer::sourceURL):
1525         (JSC::Lexer::sourceMappingURL):
1526         (JSC::Lexer::sourceProvider): Deleted.
1527         Give lexer the ability to detect script comment directives.
1528         This just consumes characters in single line comments and
1529         ultimately sets the sourceURL or sourceMappingURL found.
1530
1531         * parser/Parser.h:
1532         (JSC::Parser<LexerType>::parse):
1533         * parser/SourceProvider.h:
1534         (JSC::SourceProvider::url):
1535         (JSC::SourceProvider::sourceURL):
1536         (JSC::SourceProvider::sourceMappingURL):
1537         (JSC::SourceProvider::setSourceURL):
1538         (JSC::SourceProvider::setSourceMappingURL):
1539         After parsing a script, update the Source Provider with the
1540         value of directives that may have been found in the script.
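
        The following is an added example, not WebKit's code and not the JSC Lexer itself: a small
        scanner for the sourceURL and sourceMappingURL comment directives the entry above has the
        Lexer recognise. Like the lexer, it only looks inside single-line comments, so the same text in
        a string literal or a block comment is ignored. The function and constant names are this
        example's own; it assumes the marker is "#" or the legacy "@", that the value runs to end of
        line with surrounding whitespace trimmed, and that the last directive of each kind wins.
        Regular-expression literals are not modelled, so a "//" inside a regex would be taken for a
        comment, and template literals are skipped like plain strings.

```javascript
// Added example, not WebKit's code. Assumed directive syntax:
//   //# sourceURL=<value>        //# sourceMappingURL=<value>
// with "@" accepted as a legacy marker and the value trimmed to end of line.
const DIRECTIVE = /^\s*[#@]\s*(sourceURL|sourceMappingURL)=(.*?)\s*$/;

function findScriptDirectives(source) {
  const found = { sourceURL: null, sourceMappingURL: null };
  const n = source.length;
  let i = 0;
  while (i < n) {
    const c = source[i];
    if (c === '"' || c === "'" || c === "`") {
      // String or template literal: skip to the matching quote, honouring escapes.
      i++;
      while (i < n && source[i] !== c) i += source[i] === "\\" ? 2 : 1;
      i++;
      continue;
    }
    if (c === "/" && source[i + 1] === "*") {
      // Block comment: directives are not recognised here.
      const end = source.indexOf("*/", i + 2);
      i = end === -1 ? n : end + 2;
      continue;
    }
    if (c === "/" && source[i + 1] === "/") {
      // Single-line comment: consume to end of line and test the comment body.
      let end = source.indexOf("\n", i);
      if (end === -1) end = n;
      const m = DIRECTIVE.exec(source.slice(i + 2, end));
      if (m) found[m[1]] = m[2].trim();   // last directive of each kind wins
      i = end + 1;
      continue;
    }
    i++;
  }
  return found;
}

// Constructed sample input for this example (not taken from any real script).
const SAMPLE_SCRIPT = [
  'var s = "//# sourceURL=inside-a-string.js";',            // string literal: ignored
  '/* //# sourceMappingURL=inside-a-block-comment.map */',  // block comment: ignored
  'function f() { return 1; } //# sourceURL=first.js',      // directive after code
  '//@ sourceURL=app.js   ',                                // legacy marker; overrides first.js
  '//# sourceMappingURL=app.js.map',
].join("\n");

// findScriptDirectives(SAMPLE_SCRIPT) -> { sourceURL: "app.js", sourceMappingURL: "app.js.map" }
```

        A directive is just a comment chosen by whoever authored the script, so the value it yields
        is display metadata for tooling, not evidence of where the script actually came from.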
1541
1542 2015-10-15  Filip Pizlo  <fpizlo@apple.com>
1543
1544         InferredTypeTable should ref its keys
1545         https://bugs.webkit.org/show_bug.cgi?id=150138
1546         rdar://problem/23080555
1547
1548         Reviewed by Michael Saboff.
1549
1550         InferredTypeTable was incorrectly using a key hash traits that caused the underlying HashTable to
1551         store keys as UniquedStringImpl* rather than RefPtr<UniquedStringImpl>, even though the HashMap's
1552         nominal key type was RefPtr<UniquedStringImpl>. This arose because I copy-pasted the HashMap type
1553         instantiation from other places and then made random changes to adapt it to my needs, rather than
1554         actually thinking about what I was doing. The solution is to remove the key hash traits argument,
1555         since all it accomplishes is to produce this bug.
1556
1557         The way this bug manifested is probably best described in http://webkit.org/b/150008. After a while
1558         the InferredTypeTable would have dangling references to its strings, if some recompilation or other
1559         thing caused us to drop all other references to those strings. InferredTypeTable is particularly
1560         susceptible to this because it is designed to know about a superset of the property names that its
1561         client Structures know about. The debug assert would then happen when we rehashed the
1562         InferredTypeTable's HashMap, because we'd try to get the hashes of strings that were already
1563         deleted. AFAICT, we didn't have release crashes arising from those strings' memory being returned
1564         to the OS - but it's totally possible that this could have happened. So, we definitely should treat
1565         this bug as more than just a debug issue.
1566
1567         Interestingly, we could have also solved this problem by changing the hash function to use PtrHash.
1568         In all other ways, it's OK for InferredTypeTable to hold dangling references, since it uses the
1569         address of the UniquedStringImpl as a way to name an abstract heap. It's fine if the name of an
1570         abstract heap is a bogus memory address, and it's also fine if that name referred to an entirely
1571         different UniquedStringImpl at some point in the past. That's a nice benefit of any data structure
1572         that keys by abstract heap - if two of them get unified then it's no big deal. I've filed another
1573         bug, http://webkit.org/b/150137 about changing all of our UniquedStringImpl* hashing to use
1574         PtrHash.
1575
1576         * runtime/Identifier.h: Add a comment about http://webkit.org/b/150137.
1577         * runtime/InferredTypeTable.h: Fix the bug.
1578         * tests/stress/inferred-type-table-stale-identifiers.js: Added. I couldn't get this to cause a crash before my change, but it's an interesting test nonetheless.
1579
1580 2015-10-15  Mark Lam  <mark.lam@apple.com>
1581
1582         Add MASM_PROBE support for ARM64.
1583         https://bugs.webkit.org/show_bug.cgi?id=150128
1584
1585         Reviewed by Michael Saboff.
1586
1587         * JavaScriptCore.xcodeproj/project.pbxproj:
1588         * assembler/ARM64Assembler.h:
1589         - Convert the ARM64 registers enum list into a macro list so that we can use
1590           it elsewhere e.g. to declare fields in the probe CPUState.
1591           Also de-tabbed the contents of the ARM64Registers namespace since the enum
1592           list change touches almost all of it anyway. This reduces the number of
1593           complaints from the style checker.
1594
1595         * assembler/AbstractMacroAssembler.h:
1596         (JSC::AbstractMacroAssembler::CPUState::registerName):
1597         (JSC::AbstractMacroAssembler::CPUState::registerValue):
1598         - Change CPUState methods to allow for register IDs that do not map to one of
1599           its fields. This is needed because ARM64's registers include aliases for some
1600           register names. The CPUState will not allocate separate storage for the
1601           aliases.
1602
1603         * assembler/MacroAssemblerARM64.cpp: Added.
1604         (JSC::arm64ProbeTrampoline):
1605         - Unlike the probe mechanism for other CPUs, the ARM64 implementation does not
1606           allow the probe function to modify the sp and pc registers.  We insert this
1607           wrapper function between ctiMasmProbeTrampoline() and the user's probe function
1608           so that we can check if the user tried to modify sp and pc.  If so, we will
1609           print an error message so that we can alert the user that we don't support
1610           that on ARM64.
1611
1612           See the comment in ctiMasmProbeTrampoline() in JITStubsARM64.h for details
1613           on why we cannot support sp and pc modifications by the probe function.
1614
1615         (JSC::MacroAssemblerARM64::probe):
1616
1617         * assembler/MacroAssemblerARM64.h:
1618         (JSC::MacroAssemblerARM64::repatchCall):
1619         (JSC::MacroAssemblerARM64::makeBranch):
1620         * jit/JITStubs.cpp:
1621         * jit/JITStubsARM64.h: Added.
1622
1623 2015-10-15  Mark Lam  <mark.lam@apple.com>
1624
1625         Fix some typos in comments.
1626         https://bugs.webkit.org/show_bug.cgi?id=150181
1627
1628         Rubber stamped by Michael Saboff.
1629
1630         * jit/JITStubsARM.h:
1631         * jit/JITStubsARMv7.h:
1632
1633 2015-10-15  Mark Lam  <mark.lam@apple.com>
1634
1635         Refactoring: give the MASM probe CPUState methods shorter names.
1636         https://bugs.webkit.org/show_bug.cgi?id=150177
1637
1638         Reviewed by Michael Saboff.
1639
1640         The existing names are longer than they need to be.  Renaming them as follows:
1641             For GPR, registerName ==> gprName
1642             For GPR, registerValue ==> gpr
1643             For FPR, registerName ==> fprName
1644             For FPR, registerValue ==> fpr
1645
1646         * assembler/AbstractMacroAssembler.h:
1647         (JSC::AbstractMacroAssembler::CPUState::gprName):
1648         (JSC::AbstractMacroAssembler::CPUState::fprName):
1649         (JSC::AbstractMacroAssembler::CPUState::gpr):
1650         (JSC::AbstractMacroAssembler::CPUState::fpr):
1651         (JSC::AbstractMacroAssembler::CPUState::registerName): Deleted.
1652         (JSC::AbstractMacroAssembler::CPUState::registerValue): Deleted.
1653
1654         * assembler/MacroAssemblerPrinter.cpp:
1655         (JSC::printRegister):
1656         (JSC::printMemory):
1657         - Updated to use the new names.
1658
1659 2015-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1660
1661         [ES6] Class expression should have lexical environment that has itself as an immutable binding
1662         https://bugs.webkit.org/show_bug.cgi?id=150089
1663
1664         Reviewed by Geoffrey Garen.
1665
1666         According to the ES6 spec, a class expression has its own lexical environment that holds itself
1667         as an immutable binding[1] (section 14.5.14 steps 2, 3, 4, 23).
1668
1669         As a result, even if the binding declared in the outer scope is overridden, methods inside the
1670         class expression can refer to its class by the class name.
1671
1672         [1]: http://ecma-international.org/ecma-262/6.0/#sec-runtime-semantics-classdefinitionevaluation
1673
1674         * bytecompiler/NodesCodegen.cpp:
1675         (JSC::ClassExprNode::emitBytecode):
1676         * parser/ASTBuilder.h:
1677         (JSC::ASTBuilder::createClassExpr):
1678         * parser/NodeConstructors.h:
1679         (JSC::ClassExprNode::ClassExprNode):
1680         * parser/Nodes.h:
1681         * parser/Parser.cpp:
1682         (JSC::Parser<LexerType>::parseClass):
1683         * parser/SyntaxChecker.h:
1684         (JSC::SyntaxChecker::createClassExpr):
1685         * tests/es6.yaml:
1686         * tests/stress/class-expression-generates-environment.js: Added.
1687         (shouldBe):
1688         (shouldThrow):
1689         (prototype.method):
1690         (staticMethod):
1691         (A.prototype.method):
1692         (A.staticMethod):
1693         (A):
1694         * tests/stress/class-expression-should-be-tdz-in-heritage.js: Added.
1695         (shouldThrow):
1696         (shouldThrow.A):
1697
1698 2015-10-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1699
1700         [ES6] Class method should not declare any variables to upper scope.
1701         https://bugs.webkit.org/show_bug.cgi?id=150115
1702
1703         Reviewed by Geoffrey Garen.
1704
1705         In the current implementation, class methods attempt to declare variables to an upper scope with their method names.
1706         But this is not specified behavior in the ES6 spec.
1707
1708         And as a result, previously, we attempted to declare variables with invalid identifiers.
1709         For example, `class A { 1() { } }` attempts to declare a variable with name `1`.
1710         This (declaring variables with incorrect names) is not allowed in the lexical environment.
1711         And it fires assertions in https://bugs.webkit.org/show_bug.cgi?id=150089.
1712
1713         * parser/Parser.cpp:
1714         (JSC::Parser<LexerType>::parseClass): Deleted.
1715         * tests/stress/class-method-does-not-declare-variable-to-upper-scope.js: Added.
1716         (shouldBe):
1717         (A.prototype.method):
1718         (A.staticMethod):
1719         (A):
1720
1721 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
1722
1723         REGRESSION: Web Inspector hangs for many seconds when trying to reload page
1724         https://bugs.webkit.org/show_bug.cgi?id=150065
1725
1726         Reviewed by Mark Lam.
1727
1728         When debugging Web Pages, the same Debugger (PageScriptDebugServer) is
1729         attached to each of the different JSGlobalObjects on the page. This could
1730         mean multiple frames or isolated scripting contexts. Therefore we should
1731         only need to send sourceParsed events to the frontend for scripts within
1732         this new JSGlobalObject, not any JSGlobalObject that has this debugger.
1733
1734         * debugger/Debugger.cpp:
1735         (JSC::Debugger::attach):
1736         Only send sourceParsed events for Scripts in this JSGlobalObject.
1737
1738 2015-10-14  Joseph Pecoraro  <pecoraro@apple.com>
1739
1740         Remove unimplemented methods in CopiedSpace
1741         https://bugs.webkit.org/show_bug.cgi?id=150143
1742
1743         Reviewed by Andreas Kling.
1744
1745         * heap/CopiedSpace.h:
1746
1747 2015-10-14  Brent Fulgham  <bfulgham@apple.com>
1748
1749         [Win] Enforce launcher/library naming scheme
1750         https://bugs.webkit.org/show_bug.cgi?id=150124
1751
1752         Reviewed by Alex Christensen.
1753
1754         * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Look for
1755         {name}Lib.dll instead of {name}.dll.
1756         (wWinMain):
1757         * shell/PlatformWin.cmake: Add 'Lib' suffix to DLLs.
1758
1759 2015-10-14  Keith Miller  <keith_miller@apple.com>
1760
1761         ES6 Fix TypedArray constructors.
1762         https://bugs.webkit.org/show_bug.cgi?id=149975
1763
1764         Reviewed by Geoffrey Garen.
1765
1766         The ES6 spec requires that any object argument passed to a TypedArray constructor that is not a TypedArray
1767         and has an iterator should use the iterator to construct the TypedArray. To avoid performance regressions related
1768         to iterating we check if the iterator attached to the object points to the generic array iterator and length is a value.
1769         If so, we do not use the iterator since there should be no observable difference. Another interesting note is
1770         that the ES6 spec has the of and from functions on a shared constructor between all the TypedArray constructors.
1771         When the TypedArray is constructed the expectation is to crawl the prototype chain of the this value
1772         passed to the function. If the function finds a known TypedArray constructor (Int32Array, Float64Array,...) then
1773         it creates a TypedArray of that type. This is implemented by adding a private function (@allocateTypedArray) to each
1774         of the constructors that can be called in order to construct the array. By using the private functions the JIT should
1775         hopefully be able to optimize this to a direct call.
1776
1777         * CMakeLists.txt:
1778         * JavaScriptCore.xcodeproj/project.pbxproj:
1779         * builtins/TypedArrayConstructor.js: Added.
1780         (of):
1781         (from):
1782         (allocateInt8Array):
1783         (allocateInt16Array):
1784         (allocateInt32Array):
1785         (allocateUint32Array):
1786         (allocateUint16Array):
1787         (allocateUint8Array):
1788         (allocateUint8ClampedArray):
1789         (allocateFloat32Array):
1790         (allocateFloat64Array):
1791         * runtime/CommonIdentifiers.h:
1792         * runtime/JSDataView.cpp:
1793         (JSC::JSDataView::setIndex):
1794         * runtime/JSDataView.h:
1795         * runtime/JSGenericTypedArrayView.h:
1796         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue):
1797         * runtime/JSGenericTypedArrayViewConstructor.h:
1798         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1799         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
1800         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::create):
1801         (JSC::constructGenericTypedArrayViewFromIterator):
1802         (JSC::constructGenericTypedArrayView):
1803         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1804         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1805         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1806         * runtime/JSGlobalObject.cpp:
1807         (JSC::JSGlobalObject::init):
1808         * runtime/JSTypedArrayViewConstructor.cpp: Added.
1809         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
1810         (JSC::JSTypedArrayViewConstructor::finishCreation):
1811         (JSC::JSTypedArrayViewConstructor::create):
1812         (JSC::JSTypedArrayViewConstructor::createStructure):
1813         (JSC::constructTypedArrayView):
1814         (JSC::JSTypedArrayViewConstructor::getConstructData):
1815         (JSC::JSTypedArrayViewConstructor::getCallData):
1816         * runtime/JSTypedArrayViewConstructor.h: Copied from Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructor.h.
1817         * runtime/JSTypedArrayViewPrototype.cpp:
1818         (JSC::JSTypedArrayViewPrototype::create):
1819         * tests/es6.yaml:
1820         * tests/stress/resources/typedarray-constructor-helper-functions.js: Added.
1821         (forEachTypedArray):
1822         (hasSameValues):
1823         (foo):
1824         (testConstructorFunction):
1825         (testConstructor):
1826         * tests/stress/typedarray-constructor.js: Added.
1827         (A):
1828         (iterator.return.next):
1829         (iterator):
1830         (obj.valueOf):
1831         (iterator2.return.next):
1832         (iterator2):
1833         * tests/stress/typedarray-from.js: Added.
1834         (even):
1835         (isBigEnoughAndException):
1836         * tests/stress/typedarray-of.js: Added.
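
        The following is an added example, not WebKit's code: it exercises the observable ES6
        TypedArray rules described in this entry and in the later "Fix some issues with TypedArrays"
        entry (the [[Get]] rule for a TypedArray source, the iterator path for other objects, and the
        shared of/from functions). It assumes a spec-conformant engine such as current Node.js and uses
        only standard APIs; the function names are this example's own.

```javascript
// Added example, not WebKit's code. Assumes a spec-conformant engine (e.g. Node.js).

// 1. When the source is itself a TypedArray, both the constructor and
//    %TypedArray%.prototype.set use its internal [[ArrayLength]] and must not
//    call [[Get]] for "length". A plain array-like object, by contrast, is read
//    through [[Get]], so a user-installed getter is observed there.
function lengthGetterObserved(source) {
  let observed = false;
  Object.defineProperty(source, "length", {
    configurable: true,
    get() { observed = true; return 2; },
  });
  new Int8Array(source);          // constructor path
  new Int8Array(4).set(source);   // prototype.set path
  return observed;
}

// 2. Any non-TypedArray object that has @@iterator is consumed through the
//    iterator protocol. Giving an Array its own @@iterator, or an indexed
//    accessor, is exactly the observable difference that rules out the
//    "skip the iterator" fast path the entries describe.
function constructThroughOwnIterator() {
  const arr = [10, 20, 30];
  let yields = 0;
  arr[Symbol.iterator] = function* () {
    for (const v of [this[0], 7, 9]) { yields++; yield v; }
  };
  return { values: Array.from(new Uint8Array(arr)), yields };
}

function indexedAccessorIsCalled() {
  const arr = [1, 2, 3];
  let calls = 0;
  Object.defineProperty(arr, 1, { enumerable: true, get() { calls++; return 200; } });
  // The default array iterator performs [[Get]] per index, so the getter runs once.
  return { values: Array.from(new Uint8Array(arr)), calls };
}

// 3. of() and from() live on the shared %TypedArray% intrinsic and allocate
//    through `this`, so one function serves every concrete element type and
//    rejects a receiver that does not produce a TypedArray.
function sharedOfAndFrom() {
  const TypedArray = Object.getPrototypeOf(Int8Array);
  let badReceiver = "no error";
  try { TypedArray.of.call(Object, 1); } catch (e) { badReceiver = e.constructor.name; }
  return {
    sameIntrinsic: TypedArray === Object.getPrototypeOf(Float64Array),
    f64: Array.from(TypedArray.from.call(Float64Array, [1.5, 2.5])),
    u8: Array.from(TypedArray.of.call(Uint8Array, 255, 256)),   // 256 wraps to 0
    badReceiver,                                                // "TypeError"
  };
}
```

        The first function is the interesting one from a robustness standpoint: a TypedArray source is
        copied by its internal length, so script-installed properties cannot make the copy loop read a
        length that disagrees with the backing store, whereas an array-like object is trusted only for
        as many elements as [[Get]] returns.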
1837
1838 2015-10-14  Mark Lam  <mark.lam@apple.com>
1839
1840         Rename some JSC option names to be more uniform.
1841         https://bugs.webkit.org/show_bug.cgi?id=150127
1842
1843         Reviewed by Geoffrey Garen.
1844
1845         Renaming JSC_enableXXX options to JSC_useXXX, and JSC_showXXX options to JSC_dumpXXX.
1846         Also renaming a few other miscellaneous options to abide by this scheme.
1847
1848         Also renaming some functions to match the option names where relevant.
1849
1850         * API/tests/ExecutionTimeLimitTest.cpp:
1851         (testExecutionTimeLimit):
1852         * assembler/AbstractMacroAssembler.h:
1853         (JSC::optimizeForARMv7IDIVSupported):
1854         (JSC::optimizeForARM64):
1855         (JSC::optimizeForX86):
1856         * assembler/LinkBuffer.cpp:
1857         (JSC::shouldDumpDisassemblyFor):
1858         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1859         (JSC::shouldShowDisassemblyFor): Deleted.
1860         * assembler/LinkBuffer.h:
1861         * bytecode/CodeBlock.cpp:
1862         (JSC::CodeBlock::jettison):
1863         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
1864         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
1865         * bytecompiler/BytecodeGenerator.cpp:
1866         (JSC::BytecodeGenerator::BytecodeGenerator):
1867         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
1868         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::fire):
1869         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
1870         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
1871         * dfg/DFGByteCodeParser.cpp:
1872         (JSC::DFG::ByteCodeParser::handleInlining):
1873         (JSC::DFG::ByteCodeParser::handleGetById):
1874         (JSC::DFG::ByteCodeParser::handlePutById):
1875         (JSC::DFG::ByteCodeParser::parse):
1876         * dfg/DFGCommon.h:
1877         (JSC::DFG::leastUpperBound):
1878         (JSC::DFG::shouldDumpDisassembly):
1879         (JSC::DFG::shouldShowDisassembly): Deleted.
1880         * dfg/DFGDriver.cpp:
1881         (JSC::DFG::compileImpl):
1882         * dfg/DFGJITCompiler.cpp:
1883         (JSC::DFG::JITCompiler::JITCompiler):
1884         (JSC::DFG::JITCompiler::disassemble):
1885         * dfg/DFGJumpReplacement.cpp:
1886         (JSC::DFG::JumpReplacement::fire):
1887         * dfg/DFGOSREntry.cpp:
1888         (JSC::DFG::prepareOSREntry):
1889         * dfg/DFGOSRExitCompiler.cpp:
1890         * dfg/DFGOSRExitFuzz.h:
1891         (JSC::DFG::doOSRExitFuzzing):
1892         * dfg/DFGPlan.cpp:
1893         (JSC::DFG::Plan::compileInThreadImpl):
1894         * dfg/DFGSpeculativeJIT.cpp:
1895         (JSC::DFG::SpeculativeJIT::compileArithSqrt):
1896         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1897         (JSC::DFG::TierUpCheckInjectionPhase::run):
1898         * ftl/FTLCompile.cpp:
1899         (JSC::FTL::mmAllocateDataSection):
1900         * ftl/FTLJITCode.cpp:
1901         (JSC::FTL::JITCode::~JITCode):
1902         * ftl/FTLLowerDFGToLLVM.cpp:
1903         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
1904         * ftl/FTLOSRExitCompiler.cpp:
1905         (JSC::FTL::compileStub):
1906         (JSC::FTL::compileFTLOSRExit):
1907         * ftl/FTLState.h:
1908         (JSC::FTL::verboseCompilationEnabled):
1909         (JSC::FTL::shouldDumpDisassembly):
1910         (JSC::FTL::shouldShowDisassembly): Deleted.
1911         * heap/Heap.cpp:
1912         (JSC::Heap::addToRememberedSet):
1913         (JSC::Heap::didFinishCollection):
1914         (JSC::Heap::shouldDoFullCollection):
1915         * heap/Heap.h:
1916         (JSC::Heap::isDeferred):
1917         (JSC::Heap::structureIDTable):
1918         * heap/HeapStatistics.cpp:
1919         (JSC::StorageStatistics::storageCapacity):
1920         (JSC::HeapStatistics::dumpObjectStatistics):
1921         (JSC::HeapStatistics::showObjectStatistics): Deleted.
1922         * heap/HeapStatistics.h:
1923         * interpreter/StackVisitor.cpp:
1924         (JSC::StackVisitor::Frame::createArguments):
1925         * jit/AssemblyHelpers.cpp:
1926         (JSC::AssemblyHelpers::callExceptionFuzz):
1927         * jit/ExecutableAllocationFuzz.cpp:
1928         (JSC::doExecutableAllocationFuzzing):
1929         * jit/ExecutableAllocationFuzz.h:
1930         (JSC::doExecutableAllocationFuzzingIfEnabled):
1931         * jit/JIT.cpp:
1932         (JSC::JIT::privateCompile):
1933         * jit/JITCode.cpp:
1934         (JSC::JITCodeWithCodeRef::~JITCodeWithCodeRef):
1935         * jit/PolymorphicCallStubRoutine.cpp:
1936         (JSC::PolymorphicCallNode::unlink):
1937         (JSC::PolymorphicCallNode::clearCallLinkInfo):
1938         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1939         * jit/Repatch.cpp:
1940         (JSC::linkFor):
1941         (JSC::unlinkFor):
1942         (JSC::linkVirtualFor):
1943         * jsc.cpp:
1944         (functionEnableExceptionFuzz):
1945         (jscmain):
1946         * llvm/InitializeLLVM.cpp:
1947         (JSC::initializeLLVMImpl):
1948         * runtime/ExceptionFuzz.cpp:
1949         (JSC::doExceptionFuzzing):
1950         * runtime/ExceptionFuzz.h:
1951         (JSC::doExceptionFuzzingIfEnabled):
1952         * runtime/JSGlobalObject.cpp:
1953         (JSC::JSGlobalObject::init):
1954         * runtime/Options.cpp:
1955         (JSC::recomputeDependentOptions):
1956         (JSC::Options::initialize):
1957         (JSC::Options::dumpOptionsIfNeeded):
1958         (JSC::Options::setOption):
1959         (JSC::Options::dumpAllOptions):
1960         (JSC::Options::dumpAllOptionsInALine):
1961         (JSC::Options::dumpOption):
1962         * runtime/Options.h:
1963         * runtime/VM.cpp:
1964         (JSC::VM::VM):
1965         * runtime/VM.h:
1966         (JSC::VM::exceptionFuzzingBuffer):
1967         * runtime/WriteBarrierInlines.h:
1968         (JSC::WriteBarrierBase<T>::set):
1969         (JSC::WriteBarrierBase<Unknown>::set):
1970         * tests/executableAllocationFuzz.yaml:
1971         * tests/stress/arrowfunction-typeof.js:
1972         * tests/stress/disable-function-dot-arguments.js:
1973         (foo):
1974         * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js:
1975         (sqrtOnInteger):
1976         * tests/stress/regress-148564.js:
1977
1978 2015-10-14  Mark Lam  <mark.lam@apple.com>
1979
1980         Speculative build fix: the CallSiteIndex constructor is explicit and requires a uint32_t.
1981
1982         Not Reviewed.
1983
1984         * bytecode/CodeBlock.cpp:
1985         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
1986
1987 2015-10-14  Commit Queue  <commit-queue@webkit.org>
1988
1989         Unreviewed, rolling out r191030.
1990         https://bugs.webkit.org/show_bug.cgi?id=150116
1991
1992         caused js/class-syntax-method-names.html to crash on debug
1993         builds (Requested by alexchristensen_ on #webkit).
1994
1995         Reverted changeset:
1996
1997         "[ES6] Class expression should have lexical environment that
1998         has itself as an immutable binding"
1999         https://bugs.webkit.org/show_bug.cgi?id=150089
2000         http://trac.webkit.org/changeset/191030
2001
2002 2015-10-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2003
2004         [ES6] Class expression should have lexical environment that has itself as an immutable binding
2005         https://bugs.webkit.org/show_bug.cgi?id=150089
2006
2007         Reviewed by Geoffrey Garen.
2008
2009         According to the ES6 spec, a class expression has its own lexical environment that holds itself
2010         as an immutable binding[1] (section 14.5.14 steps 2, 3, 4, 23).
2011
2012         As a result, even if the binding declared in the outer scope is overridden, methods inside the
2013         class expression can refer to its class by the class name.
2014
2015         [1]: http://ecma-international.org/ecma-262/6.0/#sec-runtime-semantics-classdefinitionevaluation
2016
2017         * bytecompiler/NodesCodegen.cpp:
2018         (JSC::ClassExprNode::emitBytecode):
2019         * parser/ASTBuilder.h:
2020         (JSC::ASTBuilder::createClassExpr):
2021         * parser/NodeConstructors.h:
2022         (JSC::ClassExprNode::ClassExprNode):
2023         * parser/Nodes.h:
2024         * parser/Parser.cpp:
2025         (JSC::Parser<LexerType>::parseClass):
2026         * parser/SyntaxChecker.h:
2027         (JSC::SyntaxChecker::createClassExpr):
2028         * tests/es6.yaml:
2029         * tests/stress/class-expression-generates-environment.js: Added.
2030         (shouldBe):
2031         (shouldThrow):
2032         (prototype.method):
2033         (staticMethod):
2034         (A.prototype.method):
2035         (A.staticMethod):
2036         (A):
2037         * tests/stress/class-expression-should-be-tdz-in-heritage.js: Added.
2038         (shouldThrow):
2039         (shouldThrow.A):
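
        Added example (not part of the WebKit ChangeLog or JavaScriptCore's own tests) showing the ES6 class-expression semantics described in the entry above: inside the class body the class name resolves to an immutable inner binding even after the outer binding is reassigned, and that inner binding is in its temporal dead zone while the `extends` clause is evaluated. The function names are hypothetical.

```javascript
// Added example, not WebKit code: ES6 class expressions get their own lexical
// environment that binds the class name immutably (ES2015 14.5.14).

function classExpressionBindingDemo() {
  // The outer binding is also named A, but it is a mutable `let`.
  let A = class A {
    static whoAmI() {
      // Inside the class body, `A` resolves to the inner, immutable binding,
      // not to the outer `let A`.
      return A;
    }
    static tryRebind() {
      // Class bodies are strict code, so assigning to the immutable inner
      // binding throws a TypeError instead of silently failing.
      try {
        A = null;
        return "assignment succeeded";
      } catch (e) {
        return e.constructor.name;
      }
    }
  };
  const original = A;
  // Override the outer binding; the class's methods must not observe this.
  A = "overridden";
  return {
    innerStillClass: original.whoAmI() === original,
    outerOverridden: A === "overridden",
    rebindResult: original.tryRebind(),
  };
}

function classHeritageTdzDemo() {
  try {
    // The inner `A` binding already exists while the `extends` expression is
    // evaluated, but it is uninitialized (temporal dead zone), so this throws.
    const B = class A extends A {};
    return B === undefined ? "unreachable" : "no error";
  } catch (e) {
    return e.constructor.name;
  }
}
```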
2040
2041 2015-10-13  Saam barati  <sbarati@apple.com>
2042
2043         We were creating a GCAwareJITStubRoutineWithExceptionHandler when we didn't actually have an exception handler in the CodeBlock's exception handler table
2044         https://bugs.webkit.org/show_bug.cgi?id=150016
2045
2046         Reviewed by Geoffrey Garen.
2047
2048         There was a bug where we created a GCAwareJITStubRoutineWithExceptionHandler
2049         for inline caches that were custom setters/getters (but not JS getters/setters).
2050         This is wrong; we only create GCAwareJITStubRoutineWithExceptionHandler when we have
2051         an inline cache with a JS getter/setter call which causes the inline cache to add itself
2052         to the CodeBlock's exception handling table. The problem was that we created
2053         a GCAwareJITStubRoutineWithExceptionHandler that tried to remove itself from
2054         the exception handler table only to find out that it didn't have an entry in the table.
2055
2056         * bytecode/PolymorphicAccess.cpp:
2057         (JSC::PolymorphicAccess::regenerate):
2058
2059 2015-10-13  Joseph Pecoraro  <pecoraro@apple.com>
2060
2061         Simplify WeakBlock visit and reap phases
2062         https://bugs.webkit.org/show_bug.cgi?id=150045
2063
2064         Reviewed by Geoffrey Garen.
2065
2066         WeakBlock visiting and reaping both happen after MarkedBlock marking.
2067         All the MarkedBlocks we encounter should be either Marked or Retired.
2068
2069         * heap/MarkedBlock.h:
2070         (JSC::MarkedBlock::isMarkedOrRetired):
2071         * heap/WeakBlock.cpp:
2072         (JSC::WeakBlock::visit):
2073         (JSC::WeakBlock::reap):
2074         * heap/WeakBlock.h:
2075
2076 2015-10-12  Geoffrey Garen  <ggaren@apple.com>
2077
2078         CodeBlock write barriers should be precise
2079         https://bugs.webkit.org/show_bug.cgi?id=150042
2080
2081         Reviewed by Saam Barati.
2082
2083         CodeBlock performs lots of unnecessary write barriers. This wastes
2084         performance and makes the code a bit harder to follow, and it might mask
2085         important bugs. Now is a good time to unmask important bugs.
2086
2087         * bytecode/CodeBlock.h:
2088         (JSC::CodeBlockSet::mark): Don't write barrier all CodeBlocks on the
2089         stack. Only CodeBlocks that do value profiling need write barriers, and
2090         they do those themselves.
2091
2092         In steady state, when most of our CodeBlocks are old and FTL-compiled,
2093         and we're doing eden GC's, we should almost never visit a CodeBlock.
2094
2095         * dfg/DFGOSRExitCompilerCommon.cpp:
2096         (JSC::DFG::osrWriteBarrier):
2097         (JSC::DFG::adjustAndJumpToTarget): Don't write barrier all inlined
2098         CodeBlocks on exit. That's not necessary. Instead, write barrier the 
2099         CodeBlock(s) we will exit to, along with the one we will write a value
2100         profile to.
2101
2102 2015-10-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2103
2104         REGRESSION: ASSERT (impl->isAtomic()) @ facebook.com
2105         https://bugs.webkit.org/show_bug.cgi?id=149965
2106
2107         Reviewed by Geoffrey Garen.
2108
2109         Edge filtering for CheckIdent ensures that a given value is either Symbol or StringIdent.
2110         However, this filtering is not applied to CheckIdent when propagating a constant value in
2111         the constant folding phase. As a result, it is not guaranteed that a constant value
2112         propagated in constant folding is Symbol or StringIdent.
2113
2114         * dfg/DFGConstantFoldingPhase.cpp:
2115         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2116
2117 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2118
2119         Unreviewed, register symbol structure to fix Debug build
2120         https://bugs.webkit.org/show_bug.cgi?id=149622
2121
2122         Since InferredTypes for String or Symbol claim that they don't have any structure,
2123         `registerInferredType` does not register the structure for Symbol.
2124         We take the similar way to String to fix this issue; registering Symbol structure
2125         explicitly in DFGStructureRegistrationPhase. Because,
2126
2127         1. InferredType::structure is only allowed for ObjectWithStructure / ObjectWithStructureOrOther.
2128            It looks clear to me that only ObjectWithStructure has structure.
2129         2. Symbol is similar primitive value to String. So handling its structure in similar way to String is nice.
2130
2131         * dfg/DFGStructureRegistrationPhase.cpp:
2132         (JSC::DFG::StructureRegistrationPhase::run):
2133
2134 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2135
2136         Iterator loops over key twice after delete
2137         https://bugs.webkit.org/show_bug.cgi?id=149811
2138
2139         Reviewed by Geoffrey Garen.
2140
2141         When an object is the dictionary mode, JSPropertyNameEnumerator collects property names through generic property name enumeration `getPropertyNames`.
2142         The result vector contains indexed property names. But in this case, `publicLength()` may not be 0.
2143         So without disabling indexed names enumeration phase explicitly, JSPropertyNameEnumerator produces indexed property names twice.
2144         One in indexed name enumeration phase, and another in generic property name enumeration phase.
2145         This patch disables indexed names enumeration by setting `indexedLength` to 0 when collecting names through generic property name enumeration.
2146
2147         * runtime/JSPropertyNameEnumerator.h:
2148         (JSC::propertyNameEnumerator):
2149         * tests/stress/property-name-enumerator-should-not-look-into-indexed-values-when-it-is-a-dictionary.js: Added.
2150         (shouldBe):
2151         (col2.of.Reflect.enumerate):
2152
2153 2015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2154
2155         Introduce Symbol type for property type inference
2156         https://bugs.webkit.org/show_bug.cgi?id=149622
2157
2158         Reviewed by Geoffrey Garen.
2159
2160         This patch introduces Symbol type into property type inference.
2161         One of the use cases of ES6 Symbol is enum value. In this case,
2162         we may hold different symbols as the same property of the same structure.
2163         Current property type inference does not support Symbol type, so in the
2164         above case, the property will be inferred as Top type.
2165
2166         * bytecode/PutByIdFlags.h:
2167         * dfg/DFGAbstractValue.cpp:
2168         (JSC::DFG::AbstractValue::set):
2169         * dfg/DFGInferredTypeCheck.cpp:
2170         (JSC::DFG::insertInferredTypeCheck):
2171         * ftl/FTLLowerDFGToLLVM.cpp:
2172         (JSC::FTL::DFG::LowerDFGToLLVM::checkInferredType):
2173         * jit/AssemblyHelpers.cpp:
2174         (JSC::AssemblyHelpers::branchIfNotType):
2175         * llint/LLIntData.cpp:
2176         (JSC::LLInt::Data::performAssertions):
2177         * llint/LowLevelInterpreter.asm:
2178         * llint/LowLevelInterpreter32_64.asm:
2179         * llint/LowLevelInterpreter64.asm:
2180         * runtime/InferredType.cpp:
2181         (JSC::InferredType::kindForFlags):
2182         (JSC::InferredType::Descriptor::forValue):
2183         (JSC::InferredType::Descriptor::putByIdFlags):
2184         (JSC::InferredType::Descriptor::merge):
2185         (WTF::printInternal):
2186         * runtime/InferredType.h:
2187         * tests/stress/prop-type-symbol-then-object.js: Added.
2188         (foo):
2189         (bar):
2190         (toString):
2191         * tests/stress/prop-type-symbol-then-string.js: Added.
2192         (foo):
2193         (bar):
2194
2195 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
2196
2197         Web Inspector: Rebaseline Inspector generator tests and make better use of RWIProtocol constant
2198         https://bugs.webkit.org/show_bug.cgi?id=150044
2199
2200         Reviewed by Brian Burg.
2201
2202         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2203         (ObjCConfigurationHeaderGenerator.generate_output):
2204         (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
2205         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2206         (ObjCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
2207         * inspector/scripts/codegen/generate_objc_header.py:
2208         (ObjCHeaderGenerator.generate_output):
2209         * inspector/scripts/codegen/generate_objc_internal_header.py:
2210         (ObjCInternalHeaderGenerator.generate_output):
2211         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2212         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2213         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2214         * inspector/scripts/tests/expected/enum-values.json-result:
2215         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2216         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2217         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
2218         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
2219         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
2220         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
2221         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
2222         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2223         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2224
2225 2015-10-12  Myles C. Maxfield  <mmaxfield@apple.com>
2226
2227         Unreviewed build fix
2228
2229         * runtime/JSObject.cpp:
2230         (JSC::JSObject::reallocateAndShrinkButterfly):
2231
2232 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
2233
2234         GC should have a Baker barrier for concurrent copying
2235         https://bugs.webkit.org/show_bug.cgi?id=149852
2236
2237         Reviewed by Geoffrey Garen.
2238
2239         This adds a Baker-style read barrier [1] to copied space accesses. This barrier incurs some
2240         overhead (0%-2% depending on benchmark suite), but what it buys is the ability to make the GC copy
2241         phase concurrent.
2242
2243         The barrier relies on copied space pointers having two "space bits" in the low pointer bits. The
2244         space bits indicate whether the backing store is being copied right now or not, and if it is being
2245         copied, what stage of copying it's in. Two barrier variants are supported:
2246
2247         Read only barrier: if you load a backing store and immediately load from it without doing anything
2248         else, you can just mask off the bits. In the worst case, you'll get the old backing store while
2249         some copying thread is already allocating and populating the new version of the backing store. But
2250         in that case, forwarding to the new backing store will not enable you to load a more up-to-date
2251         value from the backing store. So, just masking the bits is enough. The read-only barrier is only
2252         used in ICs where we know that we are only reading, and opportunistically within the DFG and FTL
2253         thanks to the CopyBarrierOptimizationPhase. We never explicitly emit a read-only barrier in those
2254         compilers; instead the phase will turn a GetButterfly into GetButterflyReadOnly if it proves that a
2255         bunch of requirements are met.
2256
2257         Normal barrier: if the space bits are non-zero, call a slow path. The slow path will either do
2258         nothing (if the copy phase hasn't started yet), or it will copy the backing store and update the
2259         pointer (if the copy phase hasn't gotten around to copying this particular backing store), or it
2260         will wait for the copying thread to finish (if some thread is copying this backing store right
2261         now), or it will do nothing (if by the time we called into the slow path the backing store was
2262         already copied). This is just like Baker's CAR/CDR barrier, but with a lock thrown in to handle
2263         concurrent execution.
2264
2265         This is a 1% slow-down on SunSpider, a 1.5% slow-down on Octane, a 1.5% slow-down on Kraken, and a
2266         0% slow-down on AsmBench. Note that the Octane slow-down is excluding the SplayLatency benchmark.
2267         That benchmark will eventually speed up a lot once we finish doing all of this stuff. Probably, the
2268         JetStream splay-latency will see an even larger speed-up, since our version of the latency tests do
2269         a better job of punishing bad worst-case behavior.
2270
2271         [1] http://dspace.mit.edu/bitstream/handle/1721.1/41976/AI_WP_139.pdf, look for the CAR and CDR
2272         procedures on page 9.
2273
2274         * CMakeLists.txt:
2275         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2276         * JavaScriptCore.xcodeproj/project.pbxproj:
2277         * bytecode/PolymorphicAccess.cpp:
2278         (JSC::AccessCase::generate):
2279         * dfg/DFGAbstractInterpreterInlines.h:
2280         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2281         * dfg/DFGArgumentsEliminationPhase.cpp:
2282         * dfg/DFGClobberize.h:
2283         (JSC::DFG::clobberize):
2284         * dfg/DFGCopyBarrierOptimizationPhase.cpp: Added.
2285         (JSC::DFG::performCopyBarrierOptimization):
2286         * dfg/DFGCopyBarrierOptimizationPhase.h: Added.
2287         * dfg/DFGDoesGC.cpp:
2288         (JSC::DFG::doesGC):
2289         * dfg/DFGFixupPhase.cpp:
2290         (JSC::DFG::FixupPhase::fixupNode):
2291         * dfg/DFGHeapLocation.cpp:
2292         (WTF::printInternal):
2293         * dfg/DFGHeapLocation.h:
2294         * dfg/DFGLICMPhase.cpp:
2295         (JSC::DFG::LICMPhase::run):
2296         * dfg/DFGNodeType.h:
2297         * dfg/DFGOperations.cpp:
2298         * dfg/DFGOperations.h:
2299         * dfg/DFGPlan.cpp:
2300         (JSC::DFG::Plan::compileInThreadImpl):
2301         * dfg/DFGPredictionPropagationPhase.cpp:
2302         (JSC::DFG::PredictionPropagationPhase::propagate):
2303         * dfg/DFGSafeToExecute.h:
2304         (JSC::DFG::safeToExecute):
2305         * dfg/DFGSpeculativeJIT.cpp:
2306         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
2307         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2308         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2309         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2310         (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
2311         * dfg/DFGSpeculativeJIT.h:
2312         * dfg/DFGSpeculativeJIT32_64.cpp:
2313         (JSC::DFG::SpeculativeJIT::compile):
2314         * dfg/DFGSpeculativeJIT64.cpp:
2315         (JSC::DFG::SpeculativeJIT::compile):
2316         * dfg/DFGTypeCheckHoistingPhase.cpp:
2317         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2318         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2319         * ftl/FTLCapabilities.cpp:
2320         (JSC::FTL::canCompile):
2321         * ftl/FTLLowerDFGToLLVM.cpp:
2322         (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
2323         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
2324         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterflyReadOnly):
2325         (JSC::FTL::DFG::LowerDFGToLLVM::compileConstantStoragePointer):
2326         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
2327         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
2328         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
2329         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset):
2330         (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiPutByOffset):
2331         (JSC::FTL::DFG::LowerDFGToLLVM::compileGetDirectPname):
2332         (JSC::FTL::DFG::LowerDFGToLLVM::storageForTransition):
2333         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2334         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
2335         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorWithBarrier):
2336         (JSC::FTL::DFG::LowerDFGToLLVM::copyBarrier):
2337         (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyReadOnly):
2338         (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorReadOnly):
2339         (JSC::FTL::DFG::LowerDFGToLLVM::removeSpaceBits):
2340         (JSC::FTL::DFG::LowerDFGToLLVM::baseIndex):
2341         * ftl/FTLOperations.cpp:
2342         (JSC::FTL::operationNewObjectWithButterfly):
2343         (JSC::FTL::operationPopulateObjectInOSR):
2344         * ftl/FTLOutput.h:
2345         (JSC::FTL::Output::testNonZero32):
2346         (JSC::FTL::Output::testIsZero64):
2347         (JSC::FTL::Output::testNonZero64):
2348         (JSC::FTL::Output::testIsZeroPtr):
2349         (JSC::FTL::Output::testNonZeroPtr):
2350         (JSC::FTL::Output::select):
2351         (JSC::FTL::Output::extractValue):
2352         * heap/CopyBarrier.h: Copied from Source/JavaScriptCore/heap/CopyWriteBarrier.h.
2353         (JSC::CopyBarrierBase::CopyBarrierBase):
2354         (JSC::CopyBarrierBase::operator!):
2355         (JSC::CopyBarrierBase::operator bool):
2356         (JSC::CopyBarrierBase::getWithoutBarrier):
2357         (JSC::CopyBarrierBase::get):
2358         (JSC::CopyBarrierBase::copyState):
2359         (JSC::CopyBarrierBase::setCopyState):
2360         (JSC::CopyBarrierBase::clear):
2361         (JSC::CopyBarrierBase::set):
2362         (JSC::CopyBarrierBase::setWithoutBarrier):
2363         (JSC::CopyBarrierBase::weakCASWithoutBarrier):
2364         (JSC::CopyBarrier::CopyBarrier):
2365         (JSC::CopyBarrier::getWithoutBarrier):
2366         (JSC::CopyBarrier::get):
2367         (JSC::CopyBarrier::set):
2368         (JSC::CopyBarrier::setWithoutBarrier):
2369         (JSC::CopyBarrier::weakCASWithoutBarrier):
2370         (JSC::CopyWriteBarrier::CopyWriteBarrier): Deleted.
2371         (JSC::CopyWriteBarrier::operator!): Deleted.
2372         (JSC::CopyWriteBarrier::operator bool): Deleted.
2373         (JSC::CopyWriteBarrier::get): Deleted.
2374         (JSC::CopyWriteBarrier::operator*): Deleted.
2375         (JSC::CopyWriteBarrier::operator->): Deleted.
2376         (JSC::CopyWriteBarrier::set): Deleted.
2377         (JSC::CopyWriteBarrier::setWithoutWriteBarrier): Deleted.
2378         (JSC::CopyWriteBarrier::clear): Deleted.
2379         * heap/CopyVisitorInlines.h:
2380         (JSC::CopyVisitor::checkIfShouldCopy):
2381         * heap/CopyWriteBarrier.h: Removed.
2382         * heap/Heap.cpp:
2383         (JSC::Heap::addToRememberedSet):
2384         (JSC::Heap::copyBarrier):
2385         (JSC::Heap::collectAndSweep):
2386         * heap/Heap.h:
2387         (JSC::Heap::writeBarrierBuffer):
2388         * heap/HeapInlines.h:
2389         * jit/AssemblyHelpers.h:
2390         (JSC::AssemblyHelpers::branchStructure):
2391         (JSC::AssemblyHelpers::branchIfNotToSpace):
2392         (JSC::AssemblyHelpers::removeSpaceBits):
2393         (JSC::AssemblyHelpers::addressForByteOffset):
2394         * jit/JIT.cpp:
2395         (JSC::JIT::privateCompileMainPass):
2396         (JSC::JIT::privateCompileSlowCases):
2397         * jit/JITOpcodes.cpp:
2398         (JSC::JIT::emitSlow_op_has_indexed_property):
2399         (JSC::JIT::emit_op_get_direct_pname):
2400         (JSC::JIT::emitSlow_op_get_direct_pname):
2401         * jit/JITOpcodes32_64.cpp:
2402         (JSC::JIT::emit_op_get_direct_pname):
2403         (JSC::JIT::emitSlow_op_get_direct_pname):
2404         * jit/JITPropertyAccess.cpp:
2405         (JSC::JIT::emitDoubleLoad):
2406         (JSC::JIT::emitContiguousLoad):
2407         (JSC::JIT::emitArrayStorageLoad):
2408         (JSC::JIT::emitSlow_op_get_by_val):
2409         (JSC::JIT::emitGenericContiguousPutByVal):
2410         (JSC::JIT::emitArrayStoragePutByVal):
2411         (JSC::JIT::emitSlow_op_put_by_val):
2412         (JSC::JIT::emit_op_get_from_scope):
2413         (JSC::JIT::emitSlow_op_get_from_scope):
2414         (JSC::JIT::emit_op_put_to_scope):
2415         (JSC::JIT::emitSlow_op_put_to_scope):
2416         (JSC::JIT::emitIntTypedArrayGetByVal):
2417         (JSC::JIT::emitFloatTypedArrayGetByVal):
2418         (JSC::JIT::emitIntTypedArrayPutByVal):
2419         (JSC::JIT::emitFloatTypedArrayPutByVal):
2420         * llint/LowLevelInterpreter.asm:
2421         * llint/LowLevelInterpreter64.asm:
2422         * runtime/DirectArguments.cpp:
2423         (JSC::DirectArguments::visitChildren):
2424         (JSC::DirectArguments::copyBackingStore):
2425         (JSC::DirectArguments::overrideThings):
2426         (JSC::DirectArguments::overrideThingsIfNecessary):
2427         (JSC::DirectArguments::overrideArgument):
2428         (JSC::DirectArguments::copyToArguments):
2429         * runtime/DirectArguments.h:
2430         (JSC::DirectArguments::canAccessIndexQuickly):
2431         (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG):
2432         * runtime/JSArray.cpp:
2433         (JSC::JSArray::setLength):
2434         (JSC::JSArray::pop):
2435         (JSC::JSArray::push):
2436         (JSC::JSArray::fastSlice):
2437         (JSC::JSArray::fastConcatWith):
2438         (JSC::JSArray::shiftCountWithArrayStorage):
2439         (JSC::JSArray::shiftCountWithAnyIndexingType):
2440         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2441         (JSC::JSArray::fillArgList):
2442         (JSC::JSArray::copyToArguments):
2443         * runtime/JSArrayBufferView.cpp:
2444         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2445         (JSC::JSArrayBufferView::JSArrayBufferView):
2446         (JSC::JSArrayBufferView::finishCreation):
2447         (JSC::JSArrayBufferView::finalize):
2448         * runtime/JSArrayBufferView.h:
2449         (JSC::JSArrayBufferView::vector):
2450         (JSC::JSArrayBufferView::length):
2451         * runtime/JSArrayBufferViewInlines.h:
2452         (JSC::JSArrayBufferView::neuter):
2453         (JSC::JSArrayBufferView::byteOffset):
2454         * runtime/JSGenericTypedArrayView.h:
2455         (JSC::JSGenericTypedArrayView::typedVector):
2456         * runtime/JSGenericTypedArrayViewInlines.h:
2457         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2458         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore):
2459         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2460         * runtime/JSMap.h:
2461         (JSC::JSMap::JSMap):
2462         * runtime/JSObject.cpp:
2463         (JSC::JSObject::copyButterfly):
2464         (JSC::JSObject::visitChildren):
2465         (JSC::JSObject::copyBackingStore):
2466         (JSC::JSObject::getOwnPropertySlotByIndex):
2467         (JSC::JSObject::putByIndex):
2468         (JSC::JSObject::enterDictionaryIndexingMode):
2469         (JSC::JSObject::createInitialIndexedStorage):
2470         (JSC::JSObject::createArrayStorage):
2471         (JSC::JSObject::convertUndecidedToInt32):
2472         (JSC::JSObject::convertUndecidedToDouble):
2473         (JSC::JSObject::convertUndecidedToContiguous):
2474         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2475         (JSC::JSObject::convertUndecidedToArrayStorage):
2476         (JSC::JSObject::convertInt32ToDouble):
2477         (JSC::JSObject::convertInt32ToContiguous):
2478         (JSC::JSObject::convertInt32ToArrayStorage):
2479         (JSC::JSObject::convertDoubleToContiguous):
2480         (JSC::JSObject::convertDoubleToArrayStorage):
2481         (JSC::JSObject::convertContiguousToArrayStorage):
2482         (JSC::JSObject::setIndexQuicklyToUndecided):
2483         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2484         (JSC::JSObject::deletePropertyByIndex):
2485         (JSC::JSObject::getOwnPropertyNames):
2486         (JSC::JSObject::putIndexedDescriptor):
2487         (JSC::JSObject::defineOwnIndexedProperty):
2488         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2489         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2490         (JSC::JSObject::getNewVectorLength):
2491         (JSC::JSObject::ensureLengthSlow):
2492         (JSC::JSObject::reallocateAndShrinkButterfly):
2493         (JSC::JSObject::growOutOfLineStorage):
2494         (JSC::JSObject::getOwnPropertyDescriptor):
2495         (JSC::JSObject::getEnumerableLength):
2496         * runtime/JSObject.h:
2497         (JSC::JSObject::getArrayLength):
2498         (JSC::JSObject::getVectorLength):
2499         (JSC::JSObject::canGetIndexQuickly):
2500         (JSC::JSObject::getIndexQuickly):
2501         (JSC::JSObject::tryGetIndexQuickly):
2502         (JSC::JSObject::canSetIndexQuickly):
2503         (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2504         (JSC::JSObject::setIndexQuickly):
2505         (JSC::JSObject::initializeIndex):
2506         (JSC::JSObject::hasSparseMap):
2507         (JSC::JSObject::inSparseIndexingMode):
2508         (JSC::JSObject::inlineStorage):
2509         (JSC::JSObject::butterfly):
2510         (JSC::JSObject::outOfLineStorage):
2511         (JSC::JSObject::locationForOffset):
2512         (JSC::JSObject::ensureInt32):
2513         (JSC::JSObject::ensureDouble):
2514         (JSC::JSObject::ensureContiguous):
2515         (JSC::JSObject::ensureArrayStorage):
2516         (JSC::JSObject::arrayStorage):
2517         (JSC::JSObject::arrayStorageOrNull):
2518         (JSC::JSObject::ensureLength):
2519         (JSC::JSObject::putDirectWithoutTransition):
2520         * runtime/JSSet.h:
2521         (JSC::JSSet::JSSet):
2522         * runtime/MapData.h:
2523         (JSC::JSIterator>::MapDataImpl):
2524         (JSC::JSIterator>::IteratorData::next):
2525         (JSC::JSIterator>::IteratorData::refreshCursor):
2526         * runtime/MapDataInlines.h:
2527         (JSC::JSIterator>::clear):
2528         (JSC::JSIterator>::find):
2529         (JSC::JSIterator>::add):
2530         (JSC::JSIterator>::remove):
2531         (JSC::JSIterator>::replaceAndPackBackingStore):
2532         (JSC::JSIterator>::replaceBackingStore):
2533         (JSC::JSIterator>::ensureSpaceForAppend):
2534         (JSC::JSIterator>::visitChildren):
2535         (JSC::JSIterator>::copyBackingStore):
2536         * runtime/Options.h:
2537
2538 2015-10-12  Saam barati  <sbarati@apple.com>
2539
2540         Update JSC features.json
2541         https://bugs.webkit.org/show_bug.cgi?id=150043
2542
2543         Reviewed by Mark Lam.
2544
2545         There were a lot of things implemented that weren't in
2546         the list. We should be better about updating the list
2547         as we land patches for new ES6 features.
2548
2549         * features.json:
2550
2551 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
2552
2553         Cleanup Heap.h and some related headers
2554         https://bugs.webkit.org/show_bug.cgi?id=149981
2555
2556         Reviewed by Geoffrey Garen.
2557
2558         * heap/Heap.h:
2559         - Some functions did not need export.
2560         - threadDupStrings never had an implementation.
2561
2562         * heap/ConservativeRoots.cpp:
2563         * heap/ConservativeRoots.h:
2564         * heap/Heap.cpp:
2565         * heap/ListableHandler.h:
2566         * heap/WeakReferenceHarvester.h:
2567         * jit/Repatch.cpp:
2568         * runtime/JSONObject.h:
2569         * runtime/VM.h:
2570         - Stale forward declarations / includes.
2571
2572 2015-10-12  Saam barati  <sbarati@apple.com>
2573
2574         Each *ById inline cache in the FTL must have its own CallSiteIndex
2575         https://bugs.webkit.org/show_bug.cgi?id=150039
2576
2577         Reviewed by Geoffrey Garen and Filip Pizlo.
2578
2579         When lowering to LLVM, we create a patchpoint intrinsic for each
2580         *ById in DFG IR. LLVM may choose to duplicate these patchpoints.
2581         Therefore, we want each resulting inline cache to have a unique
2582         CallSiteIndex because each inline cache will have its own set of 
2583         used registers. This change is necessary when we implement try/catch 
2584         in the FTL because an inline cache will ask for the set of used 
2585         registers it will need to restore in the event of an exception 
2586         being thrown. It asks for this set of registers by giving JITCode
2587         a CallSiteIndex. Because each corresponding inline cache that results
2588         from a duplicated patchpoint may all ask this for this set of registers, 
2589         we must assign each inline cache a unique CallSiteIndex.
2590
2591         * bytecode/CodeBlock.cpp:
2592         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
2593         * dfg/DFGCommonData.cpp:
2594         (JSC::DFG::CommonData::addCodeOrigin):
2595         (JSC::DFG::CommonData::addUniqueCallSiteIndex):
2596         (JSC::DFG::CommonData::addCodeOriginUnconditionally): Deleted.
2597         * dfg/DFGCommonData.h:
2598         * ftl/FTLCompile.cpp:
2599         (JSC::FTL::mmAllocateDataSection):
2600         * ftl/FTLInlineCacheDescriptor.h:
2601         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
2602         (JSC::FTL::InlineCacheDescriptor::stackmapID):
2603         (JSC::FTL::InlineCacheDescriptor::codeOrigin):
2604         (JSC::FTL::InlineCacheDescriptor::uid):
2605         (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
2606         (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
2607         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
2608         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
2609         (JSC::FTL::InlineCacheDescriptor::callSiteIndex): Deleted.
2610         * ftl/FTLLowerDFGToLLVM.cpp:
2611         (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
2612         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2613         (JSC::FTL::DFG::LowerDFGToLLVM::getById):
2614         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2615
2616 2015-10-12  Andreas Kling  <akling@apple.com>
2617
2618         "A + B" with strings shouldn't copy if A or B is empty.
2619         <https://webkit.org/b/150034>
2620
2621         Reviewed by Anders Carlsson.
2622
2623         * runtime/JSStringBuilder.h:
2624         (JSC::jsMakeNontrivialString):
2625         * runtime/Lookup.cpp:
2626         (JSC::reifyStaticAccessor):
2627         * runtime/ObjectPrototype.cpp:
2628         (JSC::objectProtoFuncToString):
2629
2630 2015-10-12  Joseph Pecoraro  <pecoraro@apple.com>
2631
2632         VisitedValueCount GC Counter misses parallel SlotVisitors
2633         https://bugs.webkit.org/show_bug.cgi?id=149980
2634
2635         Reviewed by Geoffrey Garen.
2636
2637         * heap/Heap.cpp:
2638         (JSC::Heap::updateObjectCounts):
2639         Include threaded slot visitor's object counts in the debugging value.
2640
2641 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2642
2643         Unreviewed, fix non-FTL build for real.
2644
2645         * ftl/FTLLazySlowPath.h:
2646
2647 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2648
2649         Unreviewed, clarify a comment. The example code had a bug.
2650
2651         * ftl/FTLLowerDFGToLLVM.cpp:
2652
2653 2015-10-12  Filip Pizlo  <fpizlo@apple.com>
2654
2655         Unreviewed, fix no-FTL build.
2656
2657         * ftl/FTLLazySlowPath.cpp:
2658
2659 2015-10-12  Philip Chimento  <philip.chimento@gmail.com>
2660
2661         webkit-gtk 2.3.3 fails to build on OS X - Conflicting type "Fixed"
2662         https://bugs.webkit.org/show_bug.cgi?id=126433
2663
2664         Reviewed by Philippe Normand.
2665
2666         Don't include CoreFoundation.h when building the GTK port.
2667
2668         * Source/JavaScriptCore/API/WebKitAvailability.h: Add !defined(BUILDING_GTK__) to defined(__APPLE__).
2669
2670 2015-10-10  Filip Pizlo  <fpizlo@apple.com>
2671
2672         FTL should generate code to call slow paths lazily
2673         https://bugs.webkit.org/show_bug.cgi?id=149936
2674
2675         Reviewed by Saam Barati.
2676
2677         We often have complex slow paths in FTL-generated code. Those slow paths may never run. Even
2678         if they do run, they don't need stellar performance. So, it doesn't make sense to have LLVM
2679         worry about compiling such slow path code.
2680
2681         This patch enables us to use our own MacroAssembler for compiling the slow path inside FTL
2682         code. It does this by using a crazy lambda thingy (see FTLLowerDFGToLLVM.cpp's lazySlowPath()
2683         and its documentation). The result is quite natural to use.
2684
2685         Even for straight slow path calls via something like vmCall(), the lazySlowPath offers the
2686         benefit that the call marshalling and the exception checking are not expressed using LLVM IR
2687         and do not require LLVM to think about it. It also has the benefit that we never generate the
2688         code if it never runs. That's great, since function calls usually involve ~10 instructions
2689         total (move arguments to argument registers, make the call, check exception, etc.).
2690
2691         This patch adds the lazy slow path abstraction and uses it for some slow paths in the FTL.
2692         The code we generate with lazy slow paths is worse than the code that LLVM would have
2693         generated. Therefore, a lazy slow path only makes sense when we have strong evidence that
2694         the slow path will execute infrequently relative to the fast path. This completely precludes
2695         the use of lazy slow paths for out-of-line Nodes that unconditionally call a C++ function.
2696         It also precludes their use for the GetByVal out-of-bounds handler, since when we generate
2697         a GetByVal with an out-of-bounds handler it means that we only know that the out-of-bounds
2698         case executed at least once. So, for all we know, it may actually be the common case. So,
2699         this patch just deployed the lazy slow path for GC slow paths and masquerades-as-undefined
2700         slow paths. It makes sense for GC slow paths because those have a statistical guarantee of
2701         slow path frequency - probably bounded at less than 1/10. It makes sense for masquerades-as-
2702         undefined because we can say quite confidently that this is an uncommon scenario on the
2703         modern Web.
2704
2705         Something that's always been challenging about abstractions involving the MacroAssembler is
2706         that linking is a separate phase, and there is no way for someone who is just given access to
2707         the MacroAssembler& to emit code that requires linking, since linking happens once we have
2708         emitted all code and we are creating the LinkBuffer. Moreover, the FTL requires that the
2709         final parts of linking happen on the main thread. This patch ran into this issue, and solved
2710         it comprehensively, by introducing MacroAssembler::addLinkTask(). This takes a lambda and
2711         runs it at the bitter end of linking - when performFinalization() is called. This ensures that
2712         the task added by addLinkTask() runs on the main thread. This patch doesn't replace all of
2713         the previously existing idioms for dealing with this issue; we can do that later.
2714
2715         This shows small speed-ups on a bunch of things. No big win on any benchmark aggregate. But
2716         mainly this is done for https://bugs.webkit.org/show_bug.cgi?id=149852, where we found that
2717         outlining the slow path in this way was a significant speed boost.
2718
2719         * CMakeLists.txt:
2720         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2721         * JavaScriptCore.xcodeproj/project.pbxproj:
2722         * assembler/AbstractMacroAssembler.h:
2723         (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
2724         (JSC::AbstractMacroAssembler::addLinkTask):
2725         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
2726         * assembler/LinkBuffer.cpp:
2727         (JSC::LinkBuffer::linkCode):
2728         (JSC::LinkBuffer::allocate):
2729         (JSC::LinkBuffer::performFinalization):
2730         * assembler/LinkBuffer.h:
2731         (JSC::LinkBuffer::wasAlreadyDisassembled):
2732         (JSC::LinkBuffer::didAlreadyDisassemble):
2733         (JSC::LinkBuffer::vm):
2734         (JSC::LinkBuffer::executableOffsetFor):
2735         * bytecode/CodeOrigin.h:
2736         (JSC::CodeOrigin::CodeOrigin):
2737         (JSC::CodeOrigin::isSet):
2738         (JSC::CodeOrigin::operator bool):
2739         (JSC::CodeOrigin::isHashTableDeletedValue):
2740         (JSC::CodeOrigin::operator!): Deleted.
2741         * ftl/FTLCompile.cpp:
2742         (JSC::FTL::mmAllocateDataSection):
2743         * ftl/FTLInlineCacheDescriptor.h:
2744         (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
2745         (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
2746         (JSC::FTL::LazySlowPathDescriptor::LazySlowPathDescriptor):
2747         * ftl/FTLJITCode.h:
2748         * ftl/FTLJITFinalizer.cpp:
2749         (JSC::FTL::JITFinalizer::finalizeFunction):
2750         * ftl/FTLJITFinalizer.h:
2751         * ftl/FTLLazySlowPath.cpp: Added.
2752         (JSC::FTL::LazySlowPath::LazySlowPath):
2753         (JSC::FTL::LazySlowPath::~LazySlowPath):
2754         (JSC::FTL::LazySlowPath::generate):
2755         * ftl/FTLLazySlowPath.h: Added.
2756         (JSC::FTL::LazySlowPath::createGenerator):
2757         (JSC::FTL::LazySlowPath::patchpoint):
2758         (JSC::FTL::LazySlowPath::usedRegisters):
2759         (JSC::FTL::LazySlowPath::callSiteIndex):
2760         (JSC::FTL::LazySlowPath::stub):
2761         * ftl/FTLLazySlowPathCall.h: Added.
2762         (JSC::FTL::createLazyCallGenerator):
2763         * ftl/FTLLowerDFGToLLVM.cpp:
2764         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateActivation):
2765         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
2766         (JSC::FTL::DFG::LowerDFGToLLVM::compileCreateDirectArguments):
2767         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewArrayWithSize):
2768         (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
2769         (JSC::FTL::DFG::LowerDFGToLLVM::compileNotifyWrite):
2770         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsObjectOrNull):
2771         (JSC::FTL::DFG::LowerDFGToLLVM::compileIsFunction):
2772         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2773         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeNewObject):
2774         (JSC::FTL::DFG::LowerDFGToLLVM::compileMaterializeCreateActivation):
2775         (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckWatchdogTimer):
2776         (JSC::FTL::DFG::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
2777         (JSC::FTL::DFG::LowerDFGToLLVM::allocateObject):
2778         (JSC::FTL::DFG::LowerDFGToLLVM::allocateJSArray):
2779         (JSC::FTL::DFG::LowerDFGToLLVM::buildTypeOf):
2780         (JSC::FTL::DFG::LowerDFGToLLVM::sensibleDoubleToInt32):
2781         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
2782         (JSC::FTL::DFG::LowerDFGToLLVM::speculate):
2783         (JSC::FTL::DFG::LowerDFGToLLVM::emitStoreBarrier):
2784         * ftl/FTLOperations.cpp:
2785         (JSC::FTL::operationMaterializeObjectInOSR):
2786         (JSC::FTL::compileFTLLazySlowPath):
2787         * ftl/FTLOperations.h:
2788         * ftl/FTLSlowPathCall.cpp:
2789         (JSC::FTL::SlowPathCallContext::SlowPathCallContext):
2790         (JSC::FTL::SlowPathCallContext::~SlowPathCallContext):
2791         (JSC::FTL::SlowPathCallContext::keyWithTarget):
2792         (JSC::FTL::SlowPathCallContext::makeCall):
2793         (JSC::FTL::callSiteIndexForCodeOrigin):
2794         (JSC::FTL::storeCodeOrigin): Deleted.
2795         (JSC::FTL::callOperation): Deleted.
2796         * ftl/FTLSlowPathCall.h:
2797         (JSC::FTL::callOperation):
2798         * ftl/FTLState.h:
2799         * ftl/FTLThunks.cpp:
2800         (JSC::FTL::genericGenerationThunkGenerator):
2801         (JSC::FTL::osrExitGenerationThunkGenerator):
2802         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
2803         (JSC::FTL::registerClobberCheck):
2804         * ftl/FTLThunks.h:
2805         * interpreter/CallFrame.h:
2806         (JSC::CallSiteIndex::CallSiteIndex):
2807         (JSC::CallSiteIndex::operator bool):
2808         (JSC::CallSiteIndex::bits):
2809         * jit/CCallHelpers.h:
2810         (JSC::CCallHelpers::setupArgument):
2811         (JSC::CCallHelpers::setupArgumentsWithExecState):
2812         * jit/JITOperations.cpp:
2813
2814 2015-10-12  Philip Chimento  <philip.chimento@gmail.com>
2815
2816         webkit-gtk-2.3.4 fails to link JavaScriptCore, missing symbols add_history and readline
2817         https://bugs.webkit.org/show_bug.cgi?id=127059
2818
2819         Reviewed by Philippe Normand.
2820
2821         * shell/CMakeLists.txt: Link JSC with -ledit on Mac OSX.
2822
2823 2015-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2824
2825         ES6 classes: When a class extends B, super() invokes B.prototype.constructor() instead of B()
2826         https://bugs.webkit.org/show_bug.cgi?id=149001
2827
2828         Reviewed by Saam Barati.
2829
2830         This patch matches the `super()` call in the constructor to the latest spec.
2831         Before this patch, when calling `super()`, it loads `callee.[[HomeObject]].__proto__.constructor`
2832         as a super constructor. But after this patch, it loads `callee.__proto__` as a super constructor.
2833         This behavior corresponds to the section 12.3.5.2[1].
2834
2835         [1]: http://www.ecma-international.org/ecma-262/6.0/#sec-getsuperconstructor
2836
2837         * bytecompiler/NodesCodegen.cpp:
2838         (JSC::SuperNode::emitBytecode):
2839         * tests/stress/super-call-does-not-look-up-constructor.js: Added.
2840         (shouldBe):
2841         (B):
2842         (C):
2843         (B.prototype):
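
        As an added example (not the stress test the entry lists, and not WebKit code), the two
        "super constructor" lookups this entry contrasts, made to diverge by replacing
        B.prototype.constructor with a decoy; runs on any ES2015 engine such as Node.

```javascript
// Added example, not from the WebKit change itself: contrasts the pre-patch lookup
// (callee.[[HomeObject]].__proto__.constructor) with the ES2015 12.3.5.2 lookup
// (callee.__proto__) by making the two paths point at different functions.
const calls = []; // constructed trace of which constructors actually ran

class B {
  constructor() {
    calls.push("B");
    this.tag = "B";
  }
}

class C extends B {
  constructor() {
    super(); // which function does this invoke?
    calls.push("C");
  }
}

// Decoy that the pre-patch lookup path would find.
function Decoy() {
  calls.push("Decoy");
}
B.prototype.constructor = Decoy;

// Unrelated base used to show that only the constructor's [[Prototype]] matters.
class D {
  constructor() {
    calls.push("D");
    this.tag = "D";
  }
}

// Pre-patch lookup: callee.[[HomeObject]].__proto__.constructor.
// A class constructor's [[HomeObject]] is its own prototype object (C.prototype),
// so this reads B.prototype.constructor, which is now the decoy.
function superConstructorViaHomeObject() {
  return Object.getPrototypeOf(C.prototype).constructor;
}

// Spec lookup (GetSuperConstructor): callee.__proto__, i.e. the [[Prototype]]
// of the constructor function C itself, which is B.
function superConstructorViaProto() {
  return Object.getPrototypeOf(C);
}

// Construct a C and report what actually ran.
function runConstruct() {
  calls.length = 0;
  const c = new C();
  return { calls: calls.slice(), tag: c.tag, isB: c instanceof B };
}

// Rewire C's [[Prototype]] to D: super() now reaches D even though
// C.prototype's chain (and hence instanceof B) is untouched.
function constructWithRewiredProto() {
  Object.setPrototypeOf(C, D);
  try {
    return runConstruct();
  } finally {
    Object.setPrototypeOf(C, B); // restore for later callers
  }
}

console.log(superConstructorViaHomeObject() === Decoy); // true: old path finds the decoy
console.log(superConstructorViaProto() === B);          // true: spec path finds B
console.log(JSON.stringify(runConstruct()));            // {"calls":["B","C"],"tag":"B","isB":true}
console.log(JSON.stringify(constructWithRewiredProto())); // {"calls":["D","C"],"tag":"D","isB":true}
```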
2844
2845 2015-10-10  Andreas Kling  <akling@apple.com>
2846
2847         Reduce pointless malloc traffic in CodeBlock construction.
2848         <https://webkit.org/b/149999>
2849
2850         Reviewed by Antti Koivisto.
2851
2852         Create the RefCountedArray<Instruction> for CodeBlock's m_instructions directly
2853         instead of first creating a Vector<Instruction> and then creating a RefCountedArray
2854         from that. None of the Vector functionality is needed here anyway.
2855
2856         * bytecode/CodeBlock.cpp:
2857         (JSC::CodeBlock::finishCreation):
2858         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
2859         * bytecode/CodeBlock.h:
2860
2861 2015-10-10  Dan Bernstein  <mitz@apple.com>
2862
2863         [iOS] Remove unnecessary iOS version checks
2864         https://bugs.webkit.org/show_bug.cgi?id=150002
2865
2866         Reviewed by Alexey Proskuryakov.
2867
2868         * llvm/library/LLVMExports.cpp:
2869         (initializeAndGetJSCLLVMAPI):
2870
2871 2015-10-10  Dan Bernstein  <mitz@apple.com>
2872
2873         [iOS] Remove project support for iOS 8
2874         https://bugs.webkit.org/show_bug.cgi?id=149993
2875
2876         Reviewed by Alexey Proskuryakov.
2877
2878         * Configurations/Base.xcconfig:
2879         * Configurations/JSC.xcconfig:
2880         * Configurations/JavaScriptCore.xcconfig:
2881         * Configurations/LLVMForJSC.xcconfig:
2882         * Configurations/ToolExecutable.xcconfig:
2883
2884 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
2885
2886         Modernize and cleanup an NSNumber constant
2887         https://bugs.webkit.org/show_bug.cgi?id=149962
2888
2889         Reviewed by Andreas Kling.
2890
2891         * API/JSVirtualMachine.mm:
2892         (-[JSVirtualMachine addExternalRememberedObject:]):
2893
2894 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
2895
2896         No need to keep setting needsVisit flag in SmallStrings
2897         https://bugs.webkit.org/show_bug.cgi?id=149961
2898
2899         Reviewed by Andreas Kling.
2900
2901         SmallStrings are all initialized at once privately before the VM
2902         enables Garbage Collection. There is no need to keep updating
2903         this flag, as it couldn't have changed.
2904
2905         * runtime/SmallStrings.cpp:
2906         (JSC::SmallStrings::createEmptyString):
2907         (JSC::SmallStrings::createSingleCharacterString):
2908         (JSC::SmallStrings::initialize):
2909         * runtime/SmallStrings.h:
2910
2911 2015-10-09  Geoffrey Garen  <ggaren@apple.com>
2912
2913         Unreviewed, rolling back in r190694
2914         https://bugs.webkit.org/show_bug.cgi?id=149727
2915
2916         This time for double sure?
2917
2918         The cause of the crash was an incorrect write barrier.
2919
2920         OSR exit was barriering the baseline codeblock for the top of the stack
2921         twice, missing the baseline codeblock for the bottom of the stack.
2922
2923         Restored changesets:
2924
2925         "CodeBlock should be a GC object"
2926         https://bugs.webkit.org/show_bug.cgi?id=149727
2927         http://trac.webkit.org/changeset/r190694
2928
2929 2015-10-09  Joseph Pecoraro  <pecoraro@apple.com>
2930
2931         Remove unused RecursiveAllocationScope
2932         https://bugs.webkit.org/show_bug.cgi?id=149967
2933
2934         Reviewed by Csaba Osztrogonác.
2935
2936         RecursiveAllocationScope has been unused since r163691.
2937
2938         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2939         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2940         * JavaScriptCore.xcodeproj/project.pbxproj:
2941         * heap/Heap.cpp:
2942         * heap/Heap.h:
2943         * heap/RecursiveAllocationScope.h: Removed.
2944         * runtime/VM.h:
2945
2946 2015-10-09  Geoffrey Garen  <ggaren@apple.com>
2947
2948         Unreviewed, rolling out r190694
2949         https://bugs.webkit.org/show_bug.cgi?id=148560
2950
2951         Crashes seen on PLT bots and facebook.com.
2952
2953         Reverted changesets:
2954
2955         "CodeBlock should be a GC object"
2956         https://bugs.webkit.org/show_bug.cgi?id=149727
2957         http://trac.webkit.org/changeset/190694
2958
2959 2015-10-09  Xabier Rodriguez Calvar  <calvaris@igalia.com> and Youenn Fablet  <youenn.fablet@crf.canon.fr>
2960
2961         Automate WebCore JS builtins generation and build system
2962         https://bugs.webkit.org/show_bug.cgi?id=149751
2963
2964         Reviewed by Darin Adler.
2965
2966         * generate-js-builtins: updating the part related to WebCore JS binding.
2967
2968 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
2969
2970         DFG SSA should remove unreachable code
2971         https://bugs.webkit.org/show_bug.cgi?id=149931
2972
2973         Reviewed by Geoffrey Garen.
2974
2975         Rolled back in with a call to m_state.reset(), which fixes the debug asserts.
2976
2977         * dfg/DFGConstantFoldingPhase.cpp:
2978         (JSC::DFG::ConstantFoldingPhase::run): Remove unreachable code.
2979         * dfg/DFGObjectAllocationSinkingPhase.cpp: Deal with the CFG changing.
2980         * dfg/DFGPutStackSinkingPhase.cpp: Deal with the CFG changing.
2981
2982 2015-10-08  Daniel Bates  <dabates@apple.com>
2983
2984         Add LLVM binaries for iOS 9 device
2985         https://bugs.webkit.org/show_bug.cgi?id=149913
2986
2987         Reviewed by Filip Pizlo.
2988
2989         Look for locally built/binary dropped LLVM headers and libraries when building for iOS device
2990         in WebKitBuild/usr/local.
2991
2992         Currently Mac and iOS look for the locally built/binary dropped LLVM in different directories:
2993         WebKitBuild/usr/local and /usr/local/LLVMForJavaScriptCore, respectively. This difference is
2994         due to dependencies with the Apple internal build system. We should look to resolve the
2995         Apple internal dependencies and standardize on one location for both platforms.
2996
2997         * Configurations/Base.xcconfig:
2998
2999 2015-10-08  Commit Queue  <commit-queue@webkit.org>
3000
3001         Unreviewed, rolling out r190749.
3002         https://bugs.webkit.org/show_bug.cgi?id=149938
3003
3004         Caused 50+ layout test failures
3005         https://build.webkit.org/results/Apple%20El%20Capitan%20Debug%20WK1%20(Tests)/r190749%20(213)/results.html
3006         (Requested by litherum1 on #webkit).
3007
3008         Reverted changeset:
3009
3010         "DFG SSA should remove unreachable code"
3011         https://bugs.webkit.org/show_bug.cgi?id=149931
3012         http://trac.webkit.org/changeset/190749
3013
3014 2015-10-08  Filip Pizlo  <fpizlo@apple.com>
3015
3016         DFG SSA should remove unreachable code
3017         https://bugs.webkit.org/show_bug.cgi?id=149931
3018
3019         Reviewed by Geoffrey Garen.
3020
3021         * dfg/DFGConstantFoldingPhase.cpp:
3022         (JSC::DFG::ConstantFoldingPhase::run): Remove unreachable code.
3023         * dfg/DFGObjectAllocationSinkingPhase.cpp: Deal with the CFG changing.
3024         * dfg/DFGPutStackSinkingPhase.cpp: Deal with the CFG changing.
3025
3026 2015-10-08  Joseph Pecoraro  <pecoraro@apple.com>
3027
3028         Unreviewed build fix. Missing forward declaration.
3029
3030         * heap/Heap.h:
3031
3032 2015-10-08  Saam barati  <sbarati@apple.com>
3033
3034         Unreviewed Cloop build fix after bug: https://bugs.webkit.org/show_bug.cgi?id=149601
3035
3036         * bytecode/CodeBlock.cpp:
3037         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
3038         * jit/JITCode.cpp:
3039         (JSC::NativeJITCode::addressForCall):
3040         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3041         * jit/JITCode.h:
3042
3043 2015-10-08  Joseph Pecoraro  <pecoraro@apple.com>
3044
3045         Clean up Marked classes
3046         https://bugs.webkit.org/show_bug.cgi?id=149853
3047
3048         Reviewed by Darin Adler.
3049
3050         * heap/Heap.h:
3051         Move include here where it is really needed.
3052
3053         * heap/HeapStatistics.cpp:
3054         * heap/HeapStatistics.h:
3055         Simplify includes.
3056
3057         * heap/MarkedAllocator.h:
3058         Add missing copyright header.
3059
3060         * heap/MarkedBlock.cpp:
3061         * heap/MarkedBlock.h:
3062         (JSC::MarkedBlock::needsSweeping):
3063         Remove unused constants. Add some static asserts. Add some `const`ness.
3064
3065         * heap/MarkedSpace.h:
3066         (JSC::MarkedSpace::isIterating):
3067         Update comments to better reflect actual values.
3068         Remove unimplemented method (moved to Heap).
3069
3070         * heap/MarkedSpace.cpp:
3071         (JSC::Free::Free):
3072         (JSC::Free::operator()):
3073         (JSC::Free::returnValue): Deleted.
3074         (JSC::FreeOrShrink::FreeOrShrink):
3075         (JSC::FreeOrShrink::operator()):
3076         (JSC::MarkedSpace::~MarkedSpace):
3077         (JSC::MarkedSpace::shrink):
3078         Replace conditional Functor that was not using return value
3079         with simplified targeted VoidFunctors.
3080
3081         (JSC::Shrink::operator()): Deleted.
3082         Remove unused functor.
3083
3084         * heap/WeakBlock.cpp:
3085         * heap/WeakBlock.h:
3086         * runtime/Options.cpp:
3087         Remove dead code.
3088
3089 2015-10-08  Saam barati  <sbarati@apple.com>
3090
3091         We should be able to inline getter/setter calls inside an inline cache even when the SpillRegistersMode is NeedsToSpill
3092         https://bugs.webkit.org/show_bug.cgi?id=149601
3093
3094         Reviewed by Filip Pizlo.
3095
3096         Before, if we had a PolymorphicAccess and a StructureStubInfo
3097         with a NeedToSpill spillMode, we wouldn't generate getter/setter
3098         calls. This patch changes it such that we will generate the
3099         getter/setter call and do the necessary register spilling/filling
3100         around the getter/setter call to preserve any "usedRegisters".
3101
3102         This has an interesting story with how it relates to exception handling
3103         inside the DFG. Because the GetById variants are considered a throwing call
3104         site, we must make sure that we properly restore the registers spilled to the stack
3105         in case of an exception being thrown inside the getter/setter call. We do
3106         this by having the inline cache register itself as a new exception handling
3107         call site. When the inline cache "catches" the exception (i.e., genericUnwind
3108         will jump to this code), it will restore the registers it spilled that are
3109         live inside the original catch handler, and then jump to the original catch
3110         handler. We make sure to only generate this makeshift catch handler when we
3111         actually need to do any cleanup. If we determine that we don't need to restore
3112         any registers, we don't bother generating this makeshift catch handler.
3113
3114         * bytecode/CodeBlock.cpp:
3115         (JSC::CodeBlock::~CodeBlock):
3116         (JSC::CodeBlock::handlerForIndex):
3117         (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
3118         (JSC::CodeBlock::removeExceptionHandlerForCallSite):
3119         (JSC::CodeBlock::lineNumberForBytecodeOffset):
3120         * bytecode/CodeBlock.h:
3121         (JSC::CodeBlock::appendExceptionHandler):
3122         * bytecode/PolymorphicAccess.cpp:
3123         (JSC::AccessGenerationState::AccessGenerationState):
3124         (JSC::AccessGenerationState::restoreScratch):
3125         (JSC::AccessGenerationState::succeed):
3126         (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
3127         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
3128         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
3129         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCallWithThrownException):
3130         (JSC::AccessGenerationState::liveRegistersForCall):
3131         (JSC::AccessGenerationState::callSiteIndexForExceptionHandlingOrOriginal):
3132         (JSC::AccessGenerationState::callSiteIndexForExceptionHandling):
3133         (JSC::AccessGenerationState::originalExceptionHandler):
3134         (JSC::AccessGenerationState::numberOfStackBytesUsedForRegisterPreservation):
3135         (JSC::AccessGenerationState::needsToRestoreRegistersIfException):
3136         (JSC::AccessGenerationState::originalCallSiteIndex):
3137         (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
3138         (JSC::AccessCase::AccessCase):
3139         (JSC::AccessCase::generate):
3140         (JSC::PolymorphicAccess::regenerateWithCases):
3141         (JSC::PolymorphicAccess::regenerate):
3142         (JSC::PolymorphicAccess::aboutToDie):
3143         * bytecode/PolymorphicAccess.h:
3144         (JSC::AccessCase::doesCalls):
3145         (JSC::AccessCase::isGetter):
3146         (JSC::AccessCase::callLinkInfo):
3147         * bytecode/StructureStubInfo.cpp:
3148         (JSC::StructureStubInfo::deref):
3149         (JSC::StructureStubInfo::aboutToDie):
3150         (JSC::StructureStubInfo::addAccessCase):
3151         * bytecode/StructureStubInfo.h:
3152         * bytecode/ValueRecovery.h:
3153         (JSC::ValueRecovery::isInJSValueRegs):
3154         (JSC::ValueRecovery::fpr):
3155         * dfg/DFGCommonData.cpp:
3156         (JSC::DFG::CommonData::addCodeOrigin):
3157         (JSC::DFG::CommonData::addCodeOriginUnconditionally):
3158         (JSC::DFG::CommonData::lastCallSite):
3159         (JSC::DFG::CommonData::removeCallSiteIndex):
3160         (JSC::DFG::CommonData::shrinkToFit):
3161         * dfg/DFGCommonData.h:
3162         * dfg/DFGJITCode.cpp:
3163         (JSC::DFG::JITCode::reconstruct):
3164         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3165         (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
3166         * dfg/DFGJITCode.h:
3167         (JSC::DFG::JITCode::osrEntryBlock):
3168         (JSC::DFG::JITCode::setOSREntryBlock):
3169         * dfg/DFGJITCompiler.cpp:
3170         (JSC::DFG::JITCompiler::appendExceptionHandlingOSRExit):
3171         * dfg/DFGOSRExit.cpp:
3172         (JSC::DFG::OSRExit::OSRExit):
3173         * dfg/DFGOSRExit.h:
3174         * dfg/DFGSpeculativeJIT.cpp:
3175         (JSC::DFG::SpeculativeJIT::compileIn):
3176         * dfg/DFGSpeculativeJIT32_64.cpp:
3177         (JSC::DFG::SpeculativeJIT::cachedGetById):
3178         (JSC::DFG::SpeculativeJIT::cachedPutById):
3179         * dfg/DFGSpeculativeJIT64.cpp:
3180         (JSC::DFG::SpeculativeJIT::cachedGetById):
3181         (JSC::DFG::SpeculativeJIT::cachedPutById):
3182         * ftl/FTLCompile.cpp:
3183         (JSC::FTL::mmAllocateDataSection):
3184         * ftl/FTLJITCode.cpp:
3185         (JSC::FTL::JITCode::validateReferences):
3186         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3187         * ftl/FTLJITCode.h:
3188         (JSC::FTL::JITCode::handles):
3189         (JSC::FTL::JITCode::dataSections):
3190         * jit/GCAwareJITStubRoutine.cpp:
3191         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3192         (JSC::GCAwareJITStubRoutine::~GCAwareJITStubRoutine):
3193         (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
3194         (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal):
3195         (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
3196         (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie):
3197         (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler):
3198         (JSC::createJITStubRoutine):
3199         * jit/GCAwareJITStubRoutine.h:
3200         * jit/JITCode.cpp:
3201         (JSC::NativeJITCode::addressForCall):
3202         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
3203         * jit/JITCode.h:
3204         * jit/JITInlineCacheGenerator.cpp:
3205         (JSC::JITByIdGenerator::JITByIdGenerator):
3206         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3207         (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
3208         * jit/JITInlineCacheGenerator.h:
3209         (JSC::JITByIdGenerator::reportSlowPathCall):
3210         * jit/JITPropertyAccess.cpp:
3211         (JSC::JIT::emitGetByValWithCachedId):
3212         (JSC::JIT::emitPutByValWithCachedId):
3213         (JSC::JIT::emit_op_get_by_id):
3214         (JSC::JIT::emit_op_put_by_id):
3215         * jit/JITPropertyAccess32_64.cpp:
3216         (JSC::JIT::emitGetByValWithCachedId):
3217         (JSC::JIT::emitPutByValWithCachedId):
3218         (JSC::JIT::emit_op_get_by_id):
3219         (JSC::JIT::emit_op_put_by_id):
3220         * jit/JITStubRoutine.h:
3221         (JSC::JITStubRoutine::createSelfManagedRoutine):
3222         (JSC::JITStubRoutine::aboutToDie):
3223         * jit/RegisterSet.cpp:
3224         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
3225         (JSC::RegisterSet::registersToNotSaveForCall):
3226         (JSC::RegisterSet::allGPRs):
3227         * jit/RegisterSet.h:
3228         (JSC::RegisterSet::set):
3229         (JSC::RegisterSet::clear):
3230         * jit/ScratchRegisterAllocator.cpp:
3231         (JSC::ScratchRegisterAllocator::allocateScratchGPR):
3232         (JSC::ScratchRegisterAllocator::allocateScratchFPR):
3233         (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
3234         (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
3235         (JSC::ScratchRegisterAllocator::usedRegistersForCall):
3236         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
3237         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
3238         (JSC::ScratchRegisterAllocator::preserveRegistersToStackForCall):
3239         (JSC::ScratchRegisterAllocator::restoreRegistersFromStackForCall):
3240         * jit/ScratchRegisterAllocator.h:
3241         (JSC::ScratchRegisterAllocator::numberOfReusedRegisters):
3242         (JSC::ScratchRegisterAllocator::usedRegisters):
3243         * jsc.cpp:
3244         (WTF::CustomGetter::CustomGetter):
3245         (WTF::CustomGetter::createStructure):
3246         (WTF::CustomGetter::create):
3247         (WTF::CustomGetter::getOwnPropertySlot):
3248         (WTF::CustomGetter::customGetter):
3249         (WTF::Element::handleOwner):
3250         (GlobalObject::finishCreation):
3251         (functionCreateImpureGetter):
3252         (functionCreateCustomGetterObject):
3253         (functionSetImpureGetterDelegate):
3254         * tests/stress/try-catch-custom-getter-as-get-by-id.js: Added.
3255         (assert):
3256         (bar):
3257         (foo):
3258         * tests/stress/try-catch-getter-as-get-by-id-register-restoration.js: Added.
3259         (assert):
3260         (o1.get f):
3261         (bar):
3262         (foo):
3263         * tests/stress/try-catch-getter-as-get-by-id.js: Added.
3264         (assert):
3265         (o1.get f):
3266         (bar):
3267         (foo):
3268         * tests/stress/try-catch-setter-as-put-by-id.js: Added.
3269         (assert):
3270         (o1.set f):
3271         (bar):
3272         (foo):
3273         * tests/stress/try-catch-stub-routine-replaced.js: Added.
3274         (assert):
3275         (arr):
3276         (hello):
3277         (foo):
3278         (objChain.get f):
3279         (fakeOut.get f):
3280         (o.get f):
3281
3282 2015-10-08  Commit Queue  <commit-queue@webkit.org>
3283
3284         Unreviewed, rolling out r190716.
3285         https://bugs.webkit.org/show_bug.cgi?id=149924
3286
3287         broke mac build from time to time (Requested by youenn on
3288         #webkit).
3289
3290         Reverted changeset:
3291
3292         "Automate WebCore JS builtins generation and build system"
3293         https://bugs.webkit.org/show_bug.cgi?id=149751
3294         http://trac.webkit.org/changeset/190716
3295
3296 2015-10-08  Csaba Osztrogonác  <ossy@webkit.org>
3297
3298         Fix the WASM build on Linux
3299         https://bugs.webkit.org/show_bug.cgi?id=149919
3300
3301         Reviewed by Mark Lam.
3302
3303         * inspector/ScriptCallStackFactory.cpp:
3304         * wasm/JSWASMModule.cpp:
3305         * wasm/WASMFunctionCompiler.h:
3306         (JSC::sizeOfMemoryType):
3307         * wasm/WASMFunctionLLVMIRGenerator.h:
3308
3309 2015-10-08  Csaba Osztrogonác  <ossy@webkit.org>
3310
3311         Unreviewed CLOOP buildfix after r190718.
3312
3313         * jit/Repatch.h:
3314         (JSC::resetGetByID): Deleted.
3315         (JSC::resetPutByID): Deleted.
3316         (JSC::resetIn): Deleted.
3317
3318 2015-10-08  Joseph Pecoraro  <pecoraro@apple.com>
3319
3320         Remove references to removed class RepatchBuffer
3321         https://bugs.webkit.org/show_bug.cgi?id=149909
3322
3323         Reviewed by Csaba Osztrogonác.
3324
3325         * assembler/AbstractMacroAssembler.h:
3326         * assembler/MacroAssemblerARM.h:
3327         * assembler/MacroAssemblerARM64.h:
3328         * assembler/MacroAssemblerARMv7.h:
3329         * assembler/MacroAssemblerMIPS.h:
3330         * assembler/MacroAssemblerSH4.h:
3331         * assembler/MacroAssemblerX86.h:
3332         * assembler/MacroAssemblerX86_64.h:
3333         * jit/JITStubRoutine.h:
3334         * jit/Repatch.h:
3335
3336 2015-10-08  Xabier Rodriguez Calvar  <calvaris@igalia.com> and Youenn Fablet  <youenn.fablet@crf.canon.fr>
3337
3338         Automate WebCore JS builtins generation and build system
3339         https://bugs.webkit.org/show_bug.cgi?id=149751
3340
3341         Reviewed by Darin Adler.
3342
3343         * generate-js-builtins: updating the part related to WebCore JS binding.
3344
3345 2015-10-07  Joseph Pecoraro  <pecoraro@apple.com>
3346
3347         Clean up Copied classes
3348         https://bugs.webkit.org/show_bug.cgi?id=149863
3349
3350         Reviewed by Saam Barati.
3351
3352         * heap/CopiedAllocator.h:
3353         (JSC::CopiedAllocator::isValid):
3354         * heap/CopiedBlock.h:
3355         * heap/CopiedBlockInlines.h:
3356         * heap/CopiedSpace.cpp:
3357         * heap/CopiedSpace.h:
3358         (JSC::CopiedSpace::isInCopyPhase):
3359         (JSC::CopiedSpace::shouldDoCopyPhase):
3360         * heap/CopiedSpaceInlines.h:
3361         * heap/CopyToken.h:
3362         * heap/CopyVisitor.cpp:
3363         * heap/CopyVisitor.h:
3364         * heap/CopyVisitorInlines.h:
3365         * heap/CopyWorkList.h:
3366         * heap/HandleBlock.h:
3367         * heap/HandleSe