[ES6] Support subclassing the String builtin object
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-01-13  Keith Miller  <keith_miller@apple.com>
2
3         [ES6] Support subclassing the String builtin object
4         https://bugs.webkit.org/show_bug.cgi?id=153068
5
6         Reviewed by Michael Saboff.
7
8         This patch adds subclassing of strings. Also, this patch fixes a bug where we could have
9         the wrong indexing type for builtins constructed without storage.
10
11         * runtime/PrototypeMap.cpp:
12         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
13         * runtime/StringConstructor.cpp:
14         (JSC::constructWithStringConstructor):
15         * tests/stress/class-subclassing-string.js: Added.
16         (test):
17
18 2016-01-13  Mark Lam  <mark.lam@apple.com>
19
20         The StringFromCharCode DFG intrinsic should support untyped operands.
21         https://bugs.webkit.org/show_bug.cgi?id=153046
22
23         Reviewed by Geoffrey Garen.
24
25         The current StringFromCharCode DFG intrinsic assumes that its operand charCode
26         must be an Int32.  This results in 26000+ BadType OSR exits in the LongSpider
27         crypto-aes benchmark.  With support for Untyped operands, the number of OSR
28         exits drops to 202.
29
30         * dfg/DFGClobberize.h:
31         (JSC::DFG::clobberize):
32         * dfg/DFGFixupPhase.cpp:
33         (JSC::DFG::FixupPhase::fixupNode):
34         * dfg/DFGOperations.cpp:
35         * dfg/DFGOperations.h:
36         * dfg/DFGSpeculativeJIT.cpp:
37         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
38         * dfg/DFGSpeculativeJIT.h:
39         (JSC::DFG::SpeculativeJIT::callOperation):
40         * dfg/DFGValidate.cpp:
41         (JSC::DFG::Validate::validate):
42         * runtime/JSCJSValueInlines.h:
43         (JSC::JSValue::toUInt32):
44
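An added example, written for this page and not taken from JavaScriptCore, of what an "untyped" operand to String.fromCharCode can look like at a call site. ECMAScript applies ToUint16 to every argument, so a double, a string, an object or NaN is legal input; the helper below reimplements that conversion and compares it with the engine's builtin over a constructed list of non-Int32 operands, the kind of input that made the Int32-only intrinsic exit.

```javascript
// Added example: ECMAScript's ToUint16, which String.fromCharCode applies to
// every argument. An Int32 is the fast case; everything else in the sample
// below is what an "untyped" operand can look like at a call site.
function toUint16(value) {
  // ToNumber: strings, booleans, null, undefined and objects (via valueOf /
  // toString) are all coerced first, which is why the operand's type cannot
  // simply be assumed.
  const n = Number(value);
  // NaN, +Infinity and -Infinity all map to 0.
  if (!Number.isFinite(n)) return 0;
  // Truncate toward zero, then reduce modulo 2^16 into 0..65535. Double
  // remainder is exact, so values beyond the Int32 range are handled too.
  const truncated = Math.trunc(n);
  return ((truncated % 65536) + 65536) % 65536;
}

// Constructed sample of operands: only the first is an Int32.
const sampleOperands = [
  65,                              // Int32: the case the old intrinsic assumed
  66.9,                            // double with a fractional part
  -1,                              // negative: wraps to 0xFFFF
  2 ** 32 + 67,                    // outside the Int32 range
  "68",                            // string, coerced by ToNumber
  true,                            // boolean -> 1
  { valueOf() { return 70; } },    // object, coerced through valueOf
  NaN,                             // -> 0
  Infinity,                        // -> 0
  null,                            // -> 0
  undefined,                       // NaN -> 0
];

// True when the reimplementation agrees with the engine's builtin for every
// sample operand.
function matchesBuiltin(operands = sampleOperands) {
  return operands.every(
    (v) => String.fromCharCode(v).charCodeAt(0) === toUint16(v));
}
```

Running matchesBuiltin() on the sample returns true; each entry in sampleOperands is a distinct speculation failure for a path that checks only for Int32.
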
45 2016-01-13  Mark Lam  <mark.lam@apple.com>
46
47         Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently.
48         https://bugs.webkit.org/show_bug.cgi?id=153080
49
50         Reviewed by Geoffrey Garen.
51
52         We currently have Graph::mulShouldSpeculateInt32/machineInt() and
53         Graph::negateShouldSpeculateInt32/MachineInt() functions which are only used by
54         the ArithMul and ArithNegate nodes.  However, the same tests need to be done for
55         many other arith nodes in the DFG.  This patch renames these functions as
56         Graph::binaryArithShouldSpeculateInt32/machineInt() and
57         Graph::unaryArithShouldSpeculateInt32/MachineInt(), and uses them consistently
58         in the DFG.
59
60         * dfg/DFGFixupPhase.cpp:
61         (JSC::DFG::FixupPhase::fixupNode):
62         * dfg/DFGGraph.h:
63         (JSC::DFG::Graph::addShouldSpeculateMachineInt):
64         (JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
65         (JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt):
66         (JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
67         (JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt):
68         (JSC::DFG::Graph::mulShouldSpeculateInt32): Deleted.
69         (JSC::DFG::Graph::mulShouldSpeculateMachineInt): Deleted.
70         (JSC::DFG::Graph::negateShouldSpeculateInt32): Deleted.
71         (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
72         * dfg/DFGPredictionPropagationPhase.cpp:
73         (JSC::DFG::PredictionPropagationPhase::propagate):
74         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
75
76 2016-01-13  Joseph Pecoraro  <pecoraro@apple.com>
77
78         Web Inspector: Inspector should use the last sourceURL / sourceMappingURL directive
79         https://bugs.webkit.org/show_bug.cgi?id=153072
80         <rdar://problem/24168312>
81
82         Reviewed by Timothy Hatcher.
83
84         * parser/Lexer.cpp:
85         (JSC::Lexer<T>::parseCommentDirective):
86         Just keep overwriting the member variable so we end up with
87         the last directive value.
88
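An added example (not JavaScriptCore's lexer) of the "last directive wins" rule: a scanner over a script's single-line comments that records sourceURL and sourceMappingURL and lets every later directive overwrite the earlier value. The bundle it runs on is constructed for the example, and the scanner assumes, as a simplification, that directives only appear in `//#` or `//@` comments occupying a whole line.

```javascript
// Added example, not JSC code: scan single-line comments for sourceURL /
// sourceMappingURL directives and keep the LAST value of each.
// Assumption for this example: a directive is a "//#" or legacy "//@"
// comment on a line of its own.
const DIRECTIVE_RE = /^\s*\/\/[#@]\s*(sourceURL|sourceMappingURL)=(\S+)\s*$/;

function parseCommentDirectives(source) {
  const directives = { sourceURL: undefined, sourceMappingURL: undefined };
  for (const line of source.split(/\r?\n/)) {
    const m = DIRECTIVE_RE.exec(line);
    if (m) directives[m[1]] = m[2]; // later directives overwrite earlier ones
  }
  return directives;
}

// Constructed input: a bundle concatenated from two files, each carrying its
// own directives. The inspector should attribute the script to the last
// pair, not the first.
const constructedBundle = [
  "function a() { return 1; }",
  "//# sourceURL=first.js",
  "//# sourceMappingURL=first.js.map",
  "function b() { return 2; }",
  "//@ sourceURL=second.js",
  "//# sourceMappingURL=second.js.map",
  "function c() { return 3; }",
].join("\n");

function lastDirectivesOfBundle() {
  return parseCommentDirectives(constructedBundle);
}
```

Because whichever directive appears last wins, any code appended to a script can relabel it; tooling that displays the value should treat it as script-controlled metadata rather than as the script's real origin.
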
89 2016-01-13  Commit Queue  <commit-queue@webkit.org>
90
91         Unreviewed, rolling out r194969.
92         https://bugs.webkit.org/show_bug.cgi?id=153075
93
94         This change broke the iOS build (Requested by ryanhaddad on
95         #webkit).
96
97         Reverted changeset:
98
99         "[JSC] Legalize Memory Offsets for ARM64 before lowering to
100         Air"
101         https://bugs.webkit.org/show_bug.cgi?id=153065
102         http://trac.webkit.org/changeset/194969
103
104 2016-01-13  Benjamin Poulain  <bpoulain@apple.com>
105
106         [JSC] Legalize Memory Offsets for ARM64 before lowering to Air
107         https://bugs.webkit.org/show_bug.cgi?id=153065
108
109         Reviewed by Mark Lam.
110         Reviewed by Filip Pizlo.
111
112         On ARM64, we cannot use a signed 32-bit offset for memory addressing.
113         There are two available addressing forms: signed 9-bit and unsigned scaled 12-bit.
114         Air already knows about it.
115
116         In this patch, the offsets are changed to something valid for ARM64
117         prior to lowering. When an offset is invalid, it is just computed
118         before the instruction and used as the base for addressing.
119
120         * JavaScriptCore.xcodeproj/project.pbxproj:
121         * b3/B3Generate.cpp:
122         (JSC::B3::generateToAir):
123         * b3/B3LegalizeMemoryOffsets.cpp: Added.
124         (JSC::B3::legalizeMemoryOffsets):
125         * b3/B3LegalizeMemoryOffsets.h: Added.
126         * b3/B3LowerToAir.cpp:
127         (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted.
128         * b3/testb3.cpp:
129         (JSC::B3::testLoadWithOffsetImpl):
130         (JSC::B3::testLoadOffsetImm9Max):
131         (JSC::B3::testLoadOffsetImm9MaxPlusOne):
132         (JSC::B3::testLoadOffsetImm9MaxPlusTwo):
133         (JSC::B3::testLoadOffsetImm9Min):
134         (JSC::B3::testLoadOffsetImm9MinMinusOne):
135         (JSC::B3::testLoadOffsetScaledUnsignedImm12Max):
136         (JSC::B3::testLoadOffsetScaledUnsignedOverImm12Max):
137         (JSC::B3::run):
138
139 2016-01-12  Per Arne Vollan  <peavo@outlook.com>
140
141         [FTL][Win64] Compile error.
142         https://bugs.webkit.org/show_bug.cgi?id=153031
143
144         Reviewed by Brent Fulgham.
145
146         The header file dlfcn.h does not exist on Windows.
147
148         * ftl/FTLLowerDFGToLLVM.cpp:
149
150 2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>
151
152         Add a build flag for custom element
153         https://bugs.webkit.org/show_bug.cgi?id=153005
154
155         Reviewed by Alex Christensen.
156
157         * Configurations/FeatureDefines.xcconfig:
158
159 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
160
161         [JSC] Remove some invalid immediate instruction forms from ARM64 Air
162         https://bugs.webkit.org/show_bug.cgi?id=153024
163
164         Reviewed by Michael Saboff.
165
166         * b3/B3BasicBlock.h:
167         Export the symbols for testb3.
168
169         * b3/air/AirOpcode.opcodes:
170         We had 2 invalid opcodes:
171         -Compare with immediate just does not exist.
172         -Test64 with immediate exists but Air does not recognize
173          the valid form of bit-immediates.
174
175         * b3/testb3.cpp:
176         (JSC::B3::genericTestCompare):
177         (JSC::B3::testCompareImpl):
178         Extend the tests to cover what was invalid.
179
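An added example, not Air's own validity check, of the "bit-immediate" form mentioned above, assumed here to mean the ARM64 logical immediate that AND/ORR/EOR/TST accept. The encodable values are exactly those made of an element of width 2, 4, 8, 16, 32 or 64 bits replicated across the register, where the element is a rotated run of between 1 and width-1 contiguous ones; 0 and all-ones are therefore never encodable. BigInt keeps the 64-bit arithmetic exact.

```javascript
// Added example (not JSC code): is `value` encodable as an ARM64 logical
// immediate? Rule: an element of width e in {2,4,8,16,32,64} replicated
// across 64 bits, the element being a rotated run of 1..e-1 contiguous ones.
const MASK64 = (1n << 64n) - 1n;

// Rotate an e-bit value right by r positions, staying within e bits.
function rotr(x, r, e) {
  const mask = (1n << BigInt(e)) - 1n;
  x &= mask;
  r %= e;
  if (r === 0) return x;
  return ((x >> BigInt(r)) | (x << BigInt(e - r))) & mask;
}

function isLogicalImmediate64(value) {
  const v = BigInt.asUintN(64, BigInt(value));
  if (v === 0n || v === MASK64) return false;
  for (const e of [2, 4, 8, 16, 32, 64]) {
    const elem = v & ((1n << BigInt(e)) - 1n);
    // Is the whole register just this element repeated?
    let replicated = 0n;
    for (let i = 0; i < 64; i += e) replicated |= elem << BigInt(i);
    if (replicated !== v) continue;
    // Some rotation of the element must be a contiguous run of ones starting
    // at bit 0, i.e. of the form 2^n - 1.
    for (let r = 0; r < e; r++) {
      const x = rotr(elem, r, e);
      if (x !== 0n && ((x + 1n) & x) === 0n) return true;
    }
    // Periodic but not a single run: a wider element would contain two
    // copies of it and cannot be a single run either.
    return false;
  }
  return false;
}

// 32-bit form: same pattern with element widths up to 32, which is the same
// as checking the value replicated into both halves of a 64-bit register.
function isLogicalImmediate32(value) {
  const v = BigInt.asUintN(32, BigInt(value));
  return isLogicalImmediate64((v << 32n) | v);
}
```

A lowering that treats any 64-bit constant as a valid immediate for a logical instruction will emit an unencodable instruction for values such as 0x1234 or 0xF0F0; the check above is the gate that decides between the immediate form and materializing the constant in a register.
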
180 2016-01-12  Benjamin Poulain  <bpoulain@apple.com>
181
182         [JSC] JSC does not build with FTL_USES_B3 on ARM64
183         https://bugs.webkit.org/show_bug.cgi?id=153011
184
185         Reviewed by Saam Barati.
186
187         Apparently the static const member can only be used for constexpr.
188         C++ is weird.
189
190         * jit/GPRInfo.cpp:
191         * jit/GPRInfo.h:
192
193 2016-01-11  Johan K. Jensen  <jj@johanjensen.dk>
194
195         Web Inspector: console.count() shouldn't show a colon in front of a number
196         https://bugs.webkit.org/show_bug.cgi?id=152038
197
198         Reviewed by Brian Burg.
199
200         * inspector/agents/InspectorConsoleAgent.cpp:
201         (Inspector::InspectorConsoleAgent::count):
202         Do not include title and colon if the title is empty.
203
204 2016-01-11  Dan Bernstein  <mitz@apple.com>
205
206         Reverted r194317.
207
208         Reviewed by Joseph Pecoraro.
209
210         r194317 did not contain a change log entry, did not explain the motivation, did not name a
211         reviewer, and does not seem necessary.
212
213         * JavaScriptCore.xcodeproj/project.pbxproj:
214
215 2016-01-11  Joseph Pecoraro  <pecoraro@apple.com>
216
217         keywords ("super", "delete", etc) should be valid method names
218         https://bugs.webkit.org/show_bug.cgi?id=144281
219
220         Reviewed by Ryosuke Niwa.
221
222         * parser/Parser.cpp:
223         (JSC::Parser<LexerType>::parseClass):
224         - When parsing "static(" treat it as a method named "static" and not a static method.
225         - When parsing a keyword treat it like a string method name (get and set are not keywords)
226         - When parsing a getter / setter method name identifier, allow lookahead to be a keyword
227
228         (JSC::Parser<LexerType>::parseGetterSetter):
229         - When parsing the getter / setter's name, allow it to be a keyword.
230
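An added example (not from the JSC test suite) that exercises the three parser rules listed in this entry: `static(` at the start of a class element is a method named "static", reserved words are ordinary method names, and a getter or setter may be named with a keyword. The class and its method bodies are constructed for the example.

```javascript
// Added example, not JSC code: keywords and "static" as class member names.
class Keywords {
  // "static(" at the start of a class element: a method named "static",
  // not a static method.
  static() { return "instance method named static"; }
  // A genuine static method also named "static"; it lives on the class
  // object, the one above on the prototype.
  static static() { return "static method named static"; }
  // Reserved words as method names.
  delete(key) { return `deleted ${key}`; }
  super() { return "method named super"; }
  // Keywords as getter / setter names.
  get new() { return this._new; }
  set new(v) { this._new = v; }
  static get class() { return "static getter named class"; }
}

// Summarize which forms parsed and how they behave at run time.
function keywordMethodNames() {
  const k = new Keywords();
  k.new = "assigned through setter";
  return {
    instanceStatic: k.static(),
    classStatic: Keywords.static(),
    deleteMethod: k.delete("x"),
    superMethod: k.super(),
    newAccessor: k.new,
    classGetter: Keywords.class,
    staticDiffer: Keywords.prototype.static !== Keywords.static,
  };
}
```
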
231 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
232
233         [JSC] Add Div/Mod and fix Mul for B3 ARM64
234         https://bugs.webkit.org/show_bug.cgi?id=152978
235
236         Reviewed by Filip Pizlo.
237
238         Add the 3-operand forms of Mul.
239         Remove the form taking an immediate on ARM64; there is no such instruction.
240
241         Add Div with sdiv.
242
243         Unfortunately, I discovered ChillMod's division by zero
244         makes it non-trivial on ARM64. I just made it into a macro like on x86.
245
246         * assembler/MacroAssemblerARM64.h:
247         (JSC::MacroAssemblerARM64::mul32):
248         (JSC::MacroAssemblerARM64::mul64):
249         (JSC::MacroAssemblerARM64::div32):
250         (JSC::MacroAssemblerARM64::div64):
251         * b3/B3LowerMacros.cpp:
252         * b3/B3LowerToAir.cpp:
253         (JSC::B3::Air::LowerToAir::lower):
254         * b3/air/AirOpcode.opcodes:
255
256 2016-01-11  Keith Miller  <keith_miller@apple.com>
257
258         Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays
259         https://bugs.webkit.org/show_bug.cgi?id=152949
260
261         Reviewed by Michael Saboff.
262
263         This patch updates Array constructors to use the new InternalFunctionAllocationProfile.
264
265         * runtime/ArrayConstructor.cpp:
266         (JSC::constructArrayWithSizeQuirk):
267         (JSC::constructWithArrayConstructor):
268         * runtime/InternalFunction.h:
269         (JSC::InternalFunction::createStructure):
270         * runtime/JSGlobalObject.h:
271         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
272         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
273         (JSC::constructEmptyArray):
274         (JSC::constructArray):
275         (JSC::constructArrayNegativeIndexed):
276         * runtime/PrototypeMap.cpp:
277         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
278         * runtime/Structure.h:
279         * runtime/StructureInlines.h:
280
281 2016-01-08  Keith Miller  <keith_miller@apple.com>
282
283         Use a profile to store allocation structures for subclasses of InternalFunctions
284         https://bugs.webkit.org/show_bug.cgi?id=152942
285
286         Reviewed by Michael Saboff.
287
288         This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
289         a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
290         InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
291         constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
292         constructor as a new.target to any other constructor. This means that a user can pass some
293         non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
294         new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
295         need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
296         current constructor. By using different profiles, we only need to check the profile in InternalFunctions
297         as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
298         low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.
299
300         Additionally, this patch adds subclassing to some omitted classes.
301
302         * API/JSObjectRef.cpp:
303         (JSObjectMakeDate):
304         (JSObjectMakeRegExp):
305         * JavaScriptCore.xcodeproj/project.pbxproj:
306         * bytecode/InternalFunctionAllocationProfile.h: Added.
307         (JSC::InternalFunctionAllocationProfile::structure):
308         (JSC::InternalFunctionAllocationProfile::clear):
309         (JSC::InternalFunctionAllocationProfile::visitAggregate):
310         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
311         * dfg/DFGByteCodeParser.cpp:
312         (JSC::DFG::ByteCodeParser::parseBlock):
313         * dfg/DFGOperations.cpp:
314         * dfg/DFGSpeculativeJIT32_64.cpp:
315         (JSC::DFG::SpeculativeJIT::compile):
316         * dfg/DFGSpeculativeJIT64.cpp:
317         (JSC::DFG::SpeculativeJIT::compile):
318         * jit/JITOpcodes.cpp:
319         (JSC::JIT::emit_op_create_this):
320         * jit/JITOpcodes32_64.cpp:
321         (JSC::JIT::emit_op_create_this):
322         * llint/LowLevelInterpreter32_64.asm:
323         * llint/LowLevelInterpreter64.asm:
324         * runtime/BooleanConstructor.cpp:
325         (JSC::constructWithBooleanConstructor):
326         * runtime/CommonSlowPaths.cpp:
327         (JSC::SLOW_PATH_DECL):
328         * runtime/DateConstructor.cpp:
329         (JSC::constructDate):
330         (JSC::constructWithDateConstructor):
331         * runtime/DateConstructor.h:
332         * runtime/ErrorConstructor.cpp:
333         (JSC::Interpreter::constructWithErrorConstructor):
334         * runtime/FunctionRareData.cpp:
335         (JSC::FunctionRareData::create):
336         (JSC::FunctionRareData::visitChildren):
337         (JSC::FunctionRareData::FunctionRareData):
338         (JSC::FunctionRareData::initializeObjectAllocationProfile):
339         (JSC::FunctionRareData::clear):
340         (JSC::FunctionRareData::finishCreation): Deleted.
341         (JSC::FunctionRareData::initialize): Deleted.
342         * runtime/FunctionRareData.h:
343         (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
344         (JSC::FunctionRareData::objectAllocationProfile):
345         (JSC::FunctionRareData::objectAllocationStructure):
346         (JSC::FunctionRareData::allocationProfileWatchpointSet):
347         (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
348         (JSC::FunctionRareData::internalFunctionAllocationStructure):
349         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
350         (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
351         (JSC::FunctionRareData::allocationProfile): Deleted.
352         (JSC::FunctionRareData::allocationStructure): Deleted.
353         (JSC::FunctionRareData::isInitialized): Deleted.
354         * runtime/InternalFunction.cpp:
355         (JSC::InternalFunction::createSubclassStructure):
356         * runtime/InternalFunction.h:
357         * runtime/JSArrayBufferConstructor.cpp:
358         (JSC::constructArrayBuffer):
359         * runtime/JSFunction.cpp:
360         (JSC::JSFunction::allocateRareData):
361         (JSC::JSFunction::allocateAndInitializeRareData):
362         (JSC::JSFunction::initializeRareData):
363         * runtime/JSFunction.h:
364         (JSC::JSFunction::rareData):
365         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
366         (JSC::constructGenericTypedArrayView):
367         * runtime/JSObject.h:
368         (JSC::JSFinalObject::typeInfo):
369         (JSC::JSFinalObject::createStructure):
370         * runtime/JSPromiseConstructor.cpp:
371         (JSC::constructPromise):
372         * runtime/JSPromiseConstructor.h:
373         * runtime/JSWeakMap.cpp:
374         * runtime/JSWeakSet.cpp:
375         * runtime/MapConstructor.cpp:
376         (JSC::constructMap):
377         * runtime/NativeErrorConstructor.cpp:
378         (JSC::Interpreter::constructWithNativeErrorConstructor):
379         * runtime/NumberConstructor.cpp:
380         (JSC::constructWithNumberConstructor):
381         * runtime/PrototypeMap.cpp:
382         (JSC::PrototypeMap::createEmptyStructure):
383         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
384         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
385         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
386         * runtime/PrototypeMap.h:
387         * runtime/RegExpConstructor.cpp:
388         (JSC::getRegExpStructure):
389         (JSC::constructRegExp):
390         (JSC::constructWithRegExpConstructor):
391         * runtime/RegExpConstructor.h:
392         * runtime/SetConstructor.cpp:
393         (JSC::constructSet):
394         * runtime/WeakMapConstructor.cpp:
395         (JSC::constructWeakMap):
396         * runtime/WeakSetConstructor.cpp:
397         (JSC::constructWeakSet):
398         * tests/stress/class-subclassing-misc.js:
399         (A):
400         (D):
401         (E):
402         (WM):
403         (WS):
404         (test):
405         * tests/stress/class-subclassing-typedarray.js: Added.
406         (test):
407
408 2016-01-11  Per Arne Vollan  <peavo@outlook.com>
409
410         [B3][Win64] Compile error.
411         https://bugs.webkit.org/show_bug.cgi?id=152984
412
413         Reviewed by Alex Christensen.
414
415         Windows does not have bzero; use memset instead.
416
417         * b3/air/AirIteratedRegisterCoalescing.cpp:
418
419 2016-01-11  Konstantin Tokarev  <annulen@yandex.ru>
420
421         Fixed compilation of JavaScriptCore with GCC 4.8 on 32-bit platforms
422         https://bugs.webkit.org/show_bug.cgi?id=152923
423
424         Reviewed by Alex Christensen.
425
426         * jit/CallFrameShuffler.h:
427         (JSC::CallFrameShuffler::assumeCalleeIsCell):
428
429 2016-01-11  Csaba Osztrogonác  <ossy@webkit.org>
430
431         [B3] Fix control reaches end of non-void function GCC warnings on Linux
432         https://bugs.webkit.org/show_bug.cgi?id=152887
433
434         Reviewed by Mark Lam.
435
436         * b3/B3LowerToAir.cpp:
437         (JSC::B3::Air::LowerToAir::createBranch):
438         (JSC::B3::Air::LowerToAir::createCompare):
439         (JSC::B3::Air::LowerToAir::createSelect):
440         * b3/B3Type.h:
441         (JSC::B3::sizeofType):
442         * b3/air/AirArg.cpp:
443         (JSC::B3::Air::Arg::isRepresentableAs):
444         * b3/air/AirArg.h:
445         (JSC::B3::Air::Arg::isAnyUse):
446         (JSC::B3::Air::Arg::isColdUse):
447         (JSC::B3::Air::Arg::isEarlyUse):
448         (JSC::B3::Air::Arg::isLateUse):
449         (JSC::B3::Air::Arg::isAnyDef):
450         (JSC::B3::Air::Arg::isEarlyDef):
451         (JSC::B3::Air::Arg::isLateDef):
452         (JSC::B3::Air::Arg::isZDef):
453         (JSC::B3::Air::Arg::widthForB3Type):
454         (JSC::B3::Air::Arg::isGP):
455         (JSC::B3::Air::Arg::isFP):
456         (JSC::B3::Air::Arg::isType):
457         (JSC::B3::Air::Arg::isValidForm):
458         * b3/air/AirCode.h:
459         (JSC::B3::Air::Code::newTmp):
460         (JSC::B3::Air::Code::numTmps):
461
462 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
463
464         Make it easier to introduce exotic instructions to Air
465         https://bugs.webkit.org/show_bug.cgi?id=152953
466
467         Reviewed by Benjamin Poulain.
468
469         Currently, you can define new "opcodes" in Air using either:
470
471         1) New opcode declared in AirOpcode.opcodes.
472         2) Patch opcode with a new implementation of Air::Special.
473
474         With (1), you are limited to fixed-argument-length instructions. There are other
475         restrictions as well, like that you can only use the roles that the AirOpcode syntax
476         supports.
477
478         With (2), you can do anything you like, but the instruction will be harder to match
479         since it will share the same opcode as any other Patch. Also, the instruction will have
480         the Special argument, which means more busy-work when creating the instruction and
481         validating it.
482
483         This introduces an in-between facility called "custom". This replaces what AirOpcode
484         previously called "special". A custom instruction is one whose behavior is defined by a
485         FooCustom struct with some static methods. Calls to those methods are emitted by
486         opcode_generator.rb.
487
488         The "custom" facility is powerful enough to be used to implement Patch, with the caveat
489         that we now treat the Patch instruction specially in a few places. Those places were
490         already effectively treating it specially by assuming that only Patch instructions have
491         a Special as their first argument.
492
493         This will let me implement the Shuffle instruction (bug 152952), which I think is needed
494         for performance work.
495
496         * JavaScriptCore.xcodeproj/project.pbxproj:
497         * b3/air/AirCustom.h: Added.
498         (JSC::B3::Air::PatchCustom::forEachArg):
499         (JSC::B3::Air::PatchCustom::isValidFormStatic):
500         (JSC::B3::Air::PatchCustom::isValidForm):
501         (JSC::B3::Air::PatchCustom::admitsStack):
502         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
503         (JSC::B3::Air::PatchCustom::generate):
504         * b3/air/AirHandleCalleeSaves.cpp:
505         (JSC::B3::Air::handleCalleeSaves):
506         * b3/air/AirInst.h:
507         * b3/air/AirInstInlines.h:
508         (JSC::B3::Air::Inst::forEach):
509         (JSC::B3::Air::Inst::extraClobberedRegs):
510         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
511         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
512         (JSC::B3::Air::Inst::reportUsedRegisters):
513         (JSC::B3::Air::Inst::hasSpecial): Deleted.
514         * b3/air/AirOpcode.opcodes:
515         * b3/air/AirReportUsedRegisters.cpp:
516         (JSC::B3::Air::reportUsedRegisters):
517         * b3/air/opcode_generator.rb:
518
519 2016-01-11  Filip Pizlo  <fpizlo@apple.com>
520
521         Turn Check(true) into Patchpoint() followed by Oops
522         https://bugs.webkit.org/show_bug.cgi?id=152968
523
524         Reviewed by Benjamin Poulain.
525
526         This is an obvious strength reduction to have, especially since if we discover that the
527         input to the Check is true after some amount of B3 optimization, then stubbing out the rest
528         of the basic block unlocks CFG simplification opportunities.
529
530         It's also a proof-of-concept for the Check->Patchpoint conversion that I'll use once I
531         implement sinking (bug 152162).
532
533         * b3/B3ControlValue.cpp:
534         (JSC::B3::ControlValue::convertToJump):
535         (JSC::B3::ControlValue::convertToOops):
536         (JSC::B3::ControlValue::dumpMeta):
537         * b3/B3ControlValue.h:
538         * b3/B3InsertionSet.h:
539         (JSC::B3::InsertionSet::insertValue):
540         * b3/B3InsertionSetInlines.h:
541         (JSC::B3::InsertionSet::insert):
542         * b3/B3ReduceStrength.cpp:
543         * b3/B3StackmapValue.h:
544         * b3/B3Value.h:
545         * tests/stress/ftl-force-osr-exit.js: Added.
546
547 2016-01-11  Benjamin Poulain  <bpoulain@apple.com>
548
549         [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
550         https://bugs.webkit.org/show_bug.cgi?id=152840
551
552         Reviewed by Mark Lam.
553
554         ARM64 has two kinds of addressing with immediates:
555         -Signed 9-bit direct (really only -256 to 255).
556         -Unsigned 12-bit scaled by the load/store size.
557
558         When resolving the stack addresses, we easily run
559         past -256 bytes from FP. Addressing from SP gives us more
560         room to address the stack efficiently because we can
561         use unsigned immediates.
562
563         * b3/B3StackmapSpecial.cpp:
564         (JSC::B3::StackmapSpecial::repForArg):
565         * b3/air/AirAllocateStack.cpp:
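An added example (not B3's legalizeMemoryOffsets or Air's stack allocator) modelling the two ARM64 immediate addressing forms described in this entry and in the "Legalize Memory Offsets for ARM64" entry above. It classifies an offset for a given access width, rewrites an unencodable access into an address computation followed by a zero-offset load, as that earlier entry describes, and shows why a frame slot that is out of range below FP is in range as an unsigned offset from SP. The frame layout numbers are constructed for the example.

```javascript
// Added example, not JSC code. ARM64 load/store immediates come in two forms:
//   - unscaled: signed 9-bit, -256..255, any alignment;
//   - scaled: unsigned 12-bit multiplied by the access width, so
//     0..4095*width, and the offset must be a multiple of the width.
const IMM9_MIN = -256, IMM9_MAX = 255, IMM12_MAX = 4095;

// Returns "imm9", "imm12", or null when the offset cannot be encoded
// directly for an access of `width` bytes.
function addressingForm(offset, width) {
  if (!Number.isInteger(offset) || ![1, 2, 4, 8, 16].includes(width))
    throw new RangeError("bad offset or width");
  if (offset >= IMM9_MIN && offset <= IMM9_MAX) return "imm9";
  if (offset >= 0 && offset % width === 0 && offset / width <= IMM12_MAX) return "imm12";
  return null;
}

// Lower a load of `width` bytes from [base + offset] into pseudo-instructions.
// When the offset is not encodable, materialize base + offset into a
// temporary first and load from it with offset 0.
function legalizeLoad(base, offset, width) {
  const form = addressingForm(offset, width);
  if (form) return [{ op: "load", width, base, offset, form }];
  return [
    { op: "add", dst: "tmp", src: base, imm: offset },
    { op: "load", width, base: "tmp", offset: 0, form: "imm9" },
  ];
}

// A stack slot at a negative offset from FP sits at fpOffset + frameSize
// from SP when SP == FP - frameSize (constructed layout for this example).
// Negative offsets past -256 only have the unscaled form and fail, while the
// SP-relative offset is non-negative and, when aligned, fits the scaled form.
function rebaseToSP(fpOffset, frameSize, width) {
  const spOffset = fpOffset + frameSize;
  return {
    fromFP: addressingForm(fpOffset, width),
    fromSP: addressingForm(spOffset, width),
    spOffset,
  };
}
```

The boundaries 255, 256, 257, -256, -257 and 4095*width are the same ones the testb3 cases in the earlier entry are named after; 256 is only encodable because it is both non-negative and a multiple of the 8-byte width, and 257 is not.
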
566         (JSC::B3::Air::allocateStack):
567
568 2016-01-10  Saam barati  <sbarati@apple.com>
569
570         Implement a sampling profiler
571         https://bugs.webkit.org/show_bug.cgi?id=151713
572
573         Reviewed by Filip Pizlo.
574
575         This patch implements a sampling profiler for JavaScriptCore
576         that will be used in the Inspector UI. The implementation works as follows:
577         We queue the sampling profiler to run a task on a background
578         thread every 1ms. When the queued task executes, the sampling profiler
579         will pause the JSC execution thread and attempt to take a stack trace. 
580         The sampling profiler does everything it can to be very careful
581         while taking this stack trace. Because it's reading arbitrary memory,
582         the sampling profiler must validate every pointer it reads from.
583
584         The sampling profiler tries to get an ExecutableBase for every call frame
585         it reads. It first tries to read the CodeBlock slot. It does this because
586         it can be 100% certain that a pointer is a CodeBlock while it's taking a
587         stack trace. But, not every call frame will have a CodeBlock. So we must read
588         the call frame's callee. For these stack traces where we read the callee, we
589         must verify the callee pointer, and the pointer traversal to an ExecutableBase,
590         on the main JSC execution thread, and not on the thread taking the stack
591         trace. We do this verification either before we run the marking phase in
592         GC, or when somebody asks the SamplingProfiler to materialize its data.
593
594         The SamplingProfiler must also be careful to not grab any locks while the JSC execution
595         thread is paused (this means it can't do anything that mallocs) because
596         that could cause a deadlock. Therefore, the sampling profiler grabs
597         locks for all data structures it consults before it pauses the JSC
598         execution thread.
599
600         * CMakeLists.txt:
601         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
602         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
603         * JavaScriptCore.xcodeproj/project.pbxproj:
604         * bytecode/CodeBlock.h:
605         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
606         (JSC::CodeBlockSet::mark):
607         * dfg/DFGNodeType.h:
608         * heap/CodeBlockSet.cpp:
609         (JSC::CodeBlockSet::add):
610         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
611         (JSC::CodeBlockSet::clearMarksForFullCollection):
612         (JSC::CodeBlockSet::lastChanceToFinalize):
613         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
614         (JSC::CodeBlockSet::contains):
615         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
616         (JSC::CodeBlockSet::remove): Deleted.
617         * heap/CodeBlockSet.h:
618         (JSC::CodeBlockSet::getLock):
619         (JSC::CodeBlockSet::iterate):
620         The sampling profiler uses the heap's CodeBlockSet to validate
621         CodeBlock pointers. This data structure must now be under a lock
622         because we must be certain we're not pausing the JSC execution thread
623         while it's manipulating this data structure.
624
625         * heap/ConservativeRoots.cpp:
626         (JSC::ConservativeRoots::ConservativeRoots):
627         (JSC::ConservativeRoots::grow):
628         (JSC::ConservativeRoots::genericAddPointer):
629         (JSC::ConservativeRoots::genericAddSpan):
630         (JSC::ConservativeRoots::add):
631         (JSC::CompositeMarkHook::CompositeMarkHook):
632         (JSC::CompositeMarkHook::mark):
633         * heap/ConservativeRoots.h:
634         * heap/Heap.cpp:
635         (JSC::Heap::markRoots):
636         (JSC::Heap::visitHandleStack):
637         (JSC::Heap::visitSamplingProfiler):
638         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
639         (JSC::Heap::snapshotMarkedSpace):
640         * heap/Heap.h:
641         (JSC::Heap::structureIDTable):
642         (JSC::Heap::codeBlockSet):
643         * heap/MachineStackMarker.cpp:
644         (pthreadSignalHandlerSuspendResume):
645         (JSC::getCurrentPlatformThread):
646         (JSC::MachineThreads::MachineThreads):
647         (JSC::MachineThreads::~MachineThreads):
648         (JSC::MachineThreads::Thread::createForCurrentThread):
649         (JSC::MachineThreads::Thread::operator==):
650         (JSC::isThreadInList):
651         (JSC::MachineThreads::addCurrentThread):
652         (JSC::MachineThreads::machineThreadForCurrentThread):
653         (JSC::MachineThreads::removeThread):
654         (JSC::MachineThreads::gatherFromCurrentThread):
655         (JSC::MachineThreads::Thread::Thread):
656         (JSC::MachineThreads::Thread::~Thread):
657         (JSC::MachineThreads::Thread::suspend):
658         (JSC::MachineThreads::Thread::resume):
659         (JSC::MachineThreads::Thread::getRegisters):
660         (JSC::MachineThreads::Thread::Registers::stackPointer):
661         (JSC::MachineThreads::Thread::Registers::framePointer):
662         (JSC::MachineThreads::Thread::Registers::instructionPointer):
663         (JSC::MachineThreads::Thread::freeRegisters):
664         (JSC::MachineThreads::tryCopyOtherThreadStacks):
665         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
666         (JSC::MachineThreads::Thread::operator!=): Deleted.
667         * heap/MachineStackMarker.h:
668         (JSC::MachineThreads::Thread::operator!=):
669         (JSC::MachineThreads::getLock):
670         (JSC::MachineThreads::threadsListHead):
671         We can now ask a MachineThreads::Thread for its frame pointer
672         and program counter on Darwin and Windows platforms. EFL
673         and GTK implementations will happen in another patch.
674
675         * heap/MarkedBlockSet.h:
676         (JSC::MarkedBlockSet::getLock):
677         (JSC::MarkedBlockSet::add):
678         (JSC::MarkedBlockSet::remove):
679         (JSC::MarkedBlockSet::recomputeFilter):
680         (JSC::MarkedBlockSet::filter):
681         (JSC::MarkedBlockSet::set):
682         * heap/MarkedSpace.cpp:
683         (JSC::Free::Free):
684         (JSC::Free::operator()):
685         (JSC::FreeOrShrink::FreeOrShrink):
686         (JSC::FreeOrShrink::operator()):
687         (JSC::MarkedSpace::~MarkedSpace):
688         (JSC::MarkedSpace::isPagedOut):
689         (JSC::MarkedSpace::freeBlock):
690         (JSC::MarkedSpace::freeOrShrinkBlock):
691         (JSC::MarkedSpace::shrink):
692         * heap/MarkedSpace.h:
693         (JSC::MarkedSpace::forEachLiveCell):
694         (JSC::MarkedSpace::forEachDeadCell):
695         * interpreter/CallFrame.h:
696         (JSC::ExecState::calleeAsValue):
697         (JSC::ExecState::callee):
698         (JSC::ExecState::unsafeCallee):
699         (JSC::ExecState::codeBlock):
700         (JSC::ExecState::scope):
701         * jit/ExecutableAllocator.cpp:
702         (JSC::ExecutableAllocator::dumpProfile):
703         (JSC::ExecutableAllocator::getLock):
704         (JSC::ExecutableAllocator::isValidExecutableMemory):
705         * jit/ExecutableAllocator.h:
706         * jit/ExecutableAllocatorFixedVMPool.cpp:
707         (JSC::ExecutableAllocator::allocate):
708         (JSC::ExecutableAllocator::isValidExecutableMemory):
709         (JSC::ExecutableAllocator::getLock):
710         (JSC::ExecutableAllocator::committedByteCount):
711         The sampling profiler consults the ExecutableAllocator to check
712         if the frame pointer it reads is in executable allocated memory.
713
714         * jsc.cpp:
715         (GlobalObject::finishCreation):
716         (functionCheckModuleSyntax):
717         (functionStartSamplingProfiler):
718         (functionSamplingProfilerStackTraces):
719         * llint/LLIntPCRanges.h: Added.
720         (JSC::LLInt::isLLIntPC):
721         * offlineasm/asm.rb:
722         I added the ability to test whether the PC is executing
723         LLInt code because this code is not part of the memory
724         our executable allocator allocates.
725
726         * runtime/Executable.h:
727         (JSC::ExecutableBase::isModuleProgramExecutable):
728         (JSC::ExecutableBase::isExecutableType):
729         (JSC::ExecutableBase::isHostFunction):
730         * runtime/JSLock.cpp:
731         (JSC::JSLock::didAcquireLock):
732         (JSC::JSLock::unlock):
733         * runtime/Options.h:
734         * runtime/SamplingProfiler.cpp: Added.
735         (JSC::reportStats):
736         (JSC::FrameWalker::FrameWalker):
737         (JSC::FrameWalker::walk):
738         (JSC::FrameWalker::wasValidWalk):
739         (JSC::FrameWalker::advanceToParentFrame):
740         (JSC::FrameWalker::isAtTop):
741         (JSC::FrameWalker::resetAtMachineFrame):
742         (JSC::FrameWalker::isValidFramePointer):
743         (JSC::FrameWalker::isValidCodeBlock):
744         (JSC::FrameWalker::tryToGetExecutableFromCallee):
745         The FrameWalker class is used to walk the stack in a safe
746         manner. It doesn't do anything that would deadlock, and it
747         validates all pointers that it sees.
748
749         (JSC::SamplingProfiler::SamplingProfiler):
750         (JSC::SamplingProfiler::~SamplingProfiler):
751         (JSC::SamplingProfiler::visit):
752         (JSC::SamplingProfiler::shutdown):
753         (JSC::SamplingProfiler::start):
754         (JSC::SamplingProfiler::stop):
755         (JSC::SamplingProfiler::pause):
756         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
757         (JSC::SamplingProfiler::dispatchIfNecessary):
758         (JSC::SamplingProfiler::dispatchFunction):
759         (JSC::SamplingProfiler::noticeJSLockAcquisition):
760         (JSC::SamplingProfiler::noticeVMEntry):
761         (JSC::SamplingProfiler::observeStackTrace):
762         (JSC::SamplingProfiler::clearData):
763         (JSC::displayName):
764         (JSC::startLine):
765         (JSC::startColumn):
766         (JSC::sourceID):
767         (JSC::url):
768         (JSC::SamplingProfiler::stacktracesAsJSON):
769         * runtime/SamplingProfiler.h: Added.
770         (JSC::SamplingProfiler::getLock):
771         (JSC::SamplingProfiler::setTimingInterval):
772         (JSC::SamplingProfiler::stackTraces):
773         * runtime/VM.cpp:
774         (JSC::VM::VM):
775         (JSC::VM::~VM):
776         (JSC::VM::setLastStackTop):
777         (JSC::VM::createContextGroup):
778         (JSC::VM::ensureWatchdog):
779         (JSC::VM::ensureSamplingProfiler):
780         (JSC::thunkGeneratorForIntrinsic):
781         * runtime/VM.h:
782         (JSC::VM::watchdog):
783         (JSC::VM::isSafeToRecurse):
784         (JSC::VM::lastStackTop):
785         (JSC::VM::scratchBufferForSize):
786         (JSC::VM::samplingProfiler):
787         (JSC::VM::setShouldRewriteConstAsVar):
788         (JSC::VM::setLastStackTop): Deleted.
789         * runtime/VMEntryScope.cpp:
790         (JSC::VMEntryScope::VMEntryScope):
791         * tests/stress/sampling-profiler: Added.
792         * tests/stress/sampling-profiler-anonymous-function.js: Added.
793         (foo):
794         (baz):
795         * tests/stress/sampling-profiler-basic.js: Added.
796         (bar):
797         (foo):
798         (nothing):
799         (top):
800         (jaz):
801         (kaz):
802         (checkInlining):
803         * tests/stress/sampling-profiler-deep-stack.js: Added.
804         (foo):
805         (hellaDeep):
806         (start):
807         * tests/stress/sampling-profiler-microtasks.js: Added.
808         (testResults):
809         (loop.jaz):
810         (loop):
811         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
812         (assert):
813         (let.nodePrototype.makeChildIfNeeded):
814         (makeNode):
815         (updateCallingContextTree):
816         (doesTreeHaveStackTrace):
817         (makeTree):
818         (runTest):
819         (dumpTree):
820         * tools/JSDollarVMPrototype.cpp:
821         (JSC::JSDollarVMPrototype::isInObjectSpace):
822         (JSC::JSDollarVMPrototype::isInStorageSpace):
823         * yarr/YarrJIT.cpp:
824         (JSC::Yarr::YarrGenerator::generateEnter):
825         (JSC::Yarr::YarrGenerator::generateReturn):
826         (JSC::Yarr::YarrGenerator::YarrGenerator):
827         (JSC::Yarr::YarrGenerator::compile):
828         (JSC::Yarr::jitCompile):
829         We now have a boolean that's set to true when
830         we're executing a RegExp, and to false otherwise.
831         The boolean lives off of VM.
832
833         * CMakeLists.txt:
834         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
835         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
836         * JavaScriptCore.xcodeproj/project.pbxproj:
837         * bytecode/CodeBlock.h:
838         (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled):
839         (JSC::CodeBlockSet::mark):
840         * dfg/DFGNodeType.h:
841         * heap/CodeBlockSet.cpp:
842         (JSC::CodeBlockSet::add):
843         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
844         (JSC::CodeBlockSet::clearMarksForFullCollection):
845         (JSC::CodeBlockSet::lastChanceToFinalize):
846         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
847         (JSC::CodeBlockSet::contains):
848         (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks):
849         (JSC::CodeBlockSet::remove): Deleted.
850         * heap/CodeBlockSet.h:
851         (JSC::CodeBlockSet::getLock):
852         (JSC::CodeBlockSet::iterate):
853         * heap/ConservativeRoots.cpp:
854         (JSC::ConservativeRoots::ConservativeRoots):
855         (JSC::ConservativeRoots::genericAddPointer):
856         (JSC::ConservativeRoots::add):
857         (JSC::CompositeMarkHook::CompositeMarkHook):
858         (JSC::CompositeMarkHook::mark):
859         * heap/ConservativeRoots.h:
860         * heap/Heap.cpp:
861         (JSC::Heap::markRoots):
862         (JSC::Heap::visitHandleStack):
863         (JSC::Heap::visitSamplingProfiler):
864         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
865         * heap/Heap.h:
866         (JSC::Heap::structureIDTable):
867         (JSC::Heap::codeBlockSet):
868         * heap/HeapInlines.h:
869         (JSC::Heap::didFreeBlock):
870         (JSC::Heap::isPointerGCObject):
871         (JSC::Heap::isValueGCObject):
872         * heap/MachineStackMarker.cpp:
873         (pthreadSignalHandlerSuspendResume):
874         (JSC::getCurrentPlatformThread):
875         (JSC::MachineThreads::MachineThreads):
876         (JSC::MachineThreads::~MachineThreads):
877         (JSC::MachineThreads::Thread::createForCurrentThread):
878         (JSC::MachineThreads::Thread::operator==):
879         (JSC::isThreadInList):
880         (JSC::MachineThreads::addCurrentThread):
881         (JSC::MachineThreads::machineThreadForCurrentThread):
882         (JSC::MachineThreads::removeThread):
883         (JSC::MachineThreads::gatherFromCurrentThread):
884         (JSC::MachineThreads::Thread::Thread):
885         (JSC::MachineThreads::Thread::~Thread):
886         (JSC::MachineThreads::Thread::suspend):
887         (JSC::MachineThreads::Thread::resume):
888         (JSC::MachineThreads::Thread::getRegisters):
889         (JSC::MachineThreads::Thread::Registers::stackPointer):
890         (JSC::MachineThreads::Thread::Registers::framePointer):
891         (JSC::MachineThreads::Thread::Registers::instructionPointer):
892         (JSC::MachineThreads::Thread::freeRegisters):
893         (JSC::pthreadSignalHandlerSuspendResume): Deleted.
894         (JSC::MachineThreads::Thread::operator!=): Deleted.
895         * heap/MachineStackMarker.h:
896         (JSC::MachineThreads::Thread::operator!=):
897         (JSC::MachineThreads::getLock):
898         (JSC::MachineThreads::threadsListHead):
899         * heap/MarkedBlockSet.h:
900         * heap/MarkedSpace.cpp:
901         (JSC::Free::Free):
902         (JSC::Free::operator()):
903         (JSC::FreeOrShrink::FreeOrShrink):
904         (JSC::FreeOrShrink::operator()):
905         * interpreter/CallFrame.h:
906         (JSC::ExecState::calleeAsValue):
907         (JSC::ExecState::callee):
908         (JSC::ExecState::unsafeCallee):
909         (JSC::ExecState::codeBlock):
910         (JSC::ExecState::scope):
911         * jit/ExecutableAllocator.cpp:
912         (JSC::ExecutableAllocator::dumpProfile):
913         (JSC::ExecutableAllocator::getLock):
914         (JSC::ExecutableAllocator::isValidExecutableMemory):
915         * jit/ExecutableAllocator.h:
916         * jit/ExecutableAllocatorFixedVMPool.cpp:
917         (JSC::ExecutableAllocator::allocate):
918         (JSC::ExecutableAllocator::isValidExecutableMemory):
919         (JSC::ExecutableAllocator::getLock):
920         (JSC::ExecutableAllocator::committedByteCount):
921         * jsc.cpp:
922         (GlobalObject::finishCreation):
923         (functionCheckModuleSyntax):
924         (functionPlatformSupportsSamplingProfiler):
925         (functionStartSamplingProfiler):
926         (functionSamplingProfilerStackTraces):
927         * llint/LLIntPCRanges.h: Added.
928         (JSC::LLInt::isLLIntPC):
929         * offlineasm/asm.rb:
930         * runtime/Executable.h:
931         (JSC::ExecutableBase::isModuleProgramExecutable):
932         (JSC::ExecutableBase::isExecutableType):
933         (JSC::ExecutableBase::isHostFunction):
934         * runtime/JSLock.cpp:
935         (JSC::JSLock::didAcquireLock):
936         (JSC::JSLock::unlock):
937         * runtime/Options.h:
938         * runtime/SamplingProfiler.cpp: Added.
939         (JSC::reportStats):
940         (JSC::FrameWalker::FrameWalker):
941         (JSC::FrameWalker::walk):
942         (JSC::FrameWalker::wasValidWalk):
943         (JSC::FrameWalker::advanceToParentFrame):
944         (JSC::FrameWalker::isAtTop):
945         (JSC::FrameWalker::resetAtMachineFrame):
946         (JSC::FrameWalker::isValidFramePointer):
947         (JSC::FrameWalker::isValidCodeBlock):
948         (JSC::SamplingProfiler::SamplingProfiler):
949         (JSC::SamplingProfiler::~SamplingProfiler):
950         (JSC::SamplingProfiler::processUnverifiedStackTraces):
951         (JSC::SamplingProfiler::visit):
952         (JSC::SamplingProfiler::shutdown):
953         (JSC::SamplingProfiler::start):
954         (JSC::SamplingProfiler::stop):
955         (JSC::SamplingProfiler::pause):
956         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
957         (JSC::SamplingProfiler::dispatchIfNecessary):
958         (JSC::SamplingProfiler::dispatchFunction):
959         (JSC::SamplingProfiler::noticeJSLockAcquisition):
960         (JSC::SamplingProfiler::noticeVMEntry):
961         (JSC::SamplingProfiler::clearData):
962         (JSC::displayName):
963         (JSC::SamplingProfiler::stacktracesAsJSON):
964         (WTF::printInternal):
965         * runtime/SamplingProfiler.h: Added.
966         (JSC::SamplingProfiler::StackFrame::StackFrame):
967         (JSC::SamplingProfiler::getLock):
968         (JSC::SamplingProfiler::setTimingInterval):
969         (JSC::SamplingProfiler::stackTraces):
970         * runtime/VM.cpp:
971         (JSC::VM::VM):
972         (JSC::VM::~VM):
973         (JSC::VM::setLastStackTop):
974         (JSC::VM::createContextGroup):
975         (JSC::VM::ensureWatchdog):
976         (JSC::VM::ensureSamplingProfiler):
977         (JSC::thunkGeneratorForIntrinsic):
978         * runtime/VM.h:
979         (JSC::VM::watchdog):
980         (JSC::VM::samplingProfiler):
981         (JSC::VM::isSafeToRecurse):
982         (JSC::VM::lastStackTop):
983         (JSC::VM::scratchBufferForSize):
984         (JSC::VM::setLastStackTop): Deleted.
985         * runtime/VMEntryScope.cpp:
986         (JSC::VMEntryScope::VMEntryScope):
987         * tests/stress/sampling-profiler: Added.
988         * tests/stress/sampling-profiler-anonymous-function.js: Added.
989         (platformSupportsSamplingProfiler.foo):
990         (platformSupportsSamplingProfiler.baz):
991         (platformSupportsSamplingProfiler):
992         * tests/stress/sampling-profiler-basic.js: Added.
993         (platformSupportsSamplingProfiler.bar):
994         (platformSupportsSamplingProfiler.foo):
995         (platformSupportsSamplingProfiler.nothing):
996         (platformSupportsSamplingProfiler.top):
997         (platformSupportsSamplingProfiler.jaz):
998         (platformSupportsSamplingProfiler.kaz):
999         (platformSupportsSamplingProfiler.checkInlining):
1000         (platformSupportsSamplingProfiler):
1001         * tests/stress/sampling-profiler-deep-stack.js: Added.
1002         (platformSupportsSamplingProfiler.foo):
1003         (platformSupportsSamplingProfiler.let.hellaDeep):
1004         (platformSupportsSamplingProfiler.let.start):
1005         (platformSupportsSamplingProfiler):
1006         * tests/stress/sampling-profiler-microtasks.js: Added.
1007         (platformSupportsSamplingProfiler.testResults):
1008         (platformSupportsSamplingProfiler):
1009         (platformSupportsSamplingProfiler.loop.jaz):
1010         (platformSupportsSamplingProfiler.loop):
1011         * tests/stress/sampling-profiler/samplingProfiler.js: Added.
1012         (assert):
1013         (let.nodePrototype.makeChildIfNeeded):
1014         (makeNode):
1015         (updateCallingContextTree):
1016         (doesTreeHaveStackTrace):
1017         (makeTree):
1018         (runTest):
1019         (dumpTree):
1020         * yarr/YarrJIT.cpp:
1021         (JSC::Yarr::YarrGenerator::generateEnter):
1022         (JSC::Yarr::YarrGenerator::generateReturn):
1023         (JSC::Yarr::YarrGenerator::YarrGenerator):
1024         (JSC::Yarr::YarrGenerator::compile):
1025         (JSC::Yarr::jitCompile):
1026
1027 2016-01-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1028
1029         [JSC] Iterating over a Set/Map is too slow
1030         https://bugs.webkit.org/show_bug.cgi?id=152691
1031
1032         Reviewed by Saam Barati.
1033
1034         Set#forEach and Set & for-of are very slow. There are 2 reasons.
1035
1036         1. forEach is implemented in C++. And typically, it takes a JS callback and calls it from C++.
1037
1038         The C++ to JS transition seems costly. The perf result on a Linux machine shows this.
1039
1040             Samples: 23K of event 'cycles', Event count (approx.): 21446074385
1041             34.04%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Interpreter::execute(JSC::CallFrameClosure&)
1042             20.48%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] vmEntryToJavaScript
1043              9.80%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
1044              7.95%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::setProtoFuncForEach(JSC::ExecState*)
1045              5.65%  jsc  perf-22854.map                      [.] 0x00007f5d2c204a6f
1046
1047         Writing forEach in JS eliminates this.
1048
1049             Samples: 23K of event 'cycles', Event count (approx.): 21255691651
1050             62.91%  jsc  perf-22890.map                      [.] 0x00007fd117c0a3b9
1051             24.89%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::privateFuncSetIteratorNext(JSC::ExecState*)
1052              0.29%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::updateAllPredictionsAndCountLiveness(unsigned int&, unsigned int&)
1053              0.24%  jsc  [vdso]                              [.] 0x00000000000008e8
1054              0.22%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::CodeBlock::predictedMachineCodeSize()
1055              0.16%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] WTF::MetaAllocator::currentStatistics()
1056              0.15%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::Lexer<unsigned char>::lex(JSC::JSToken*, unsigned int, bool)
1057
1058         2. Iterator result object allocation is costly.
1059
1060         Iterator result object allocation is costly. Even if (1) is solved, when executing Set & for-of, the perf result shows very slow performance due to (2).
1061
1062             Samples: 108K of event 'cycles', Event count (approx.): 95529273748
1063             18.02%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::createIteratorResultObject(JSC::ExecState*, JSC::JSValue, bool)
1064             15.68%  jsc  jsc                                 [.] JSC::JSObject::putDirect(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int)
1065             14.18%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::PrototypeMap::emptyObjectStructureForPrototype(JSC::JSObject*, unsigned int)
1066             13.40%  jsc  perf-25420.map                      [.] 0x00007fce158006a1
1067              6.79%  jsc  libjavascriptcoregtk-4.0.so.18.3.1  [.] JSC::StructureTransitionTable::get(WTF::UniquedStringImpl*, unsigned int) const
1068
1069         In the long term, we should implement SetIterator#next in JS and have the iterator result object allocation written in JS to encourage object allocation elimination in FTL.
1070         But seeing the perf result, we can find an easy-to-fix bottleneck in the current implementation.
1071         Every time, createIteratorResultObject creates an empty object and uses putDirect to store properties.
1072         A pre-baked Structure* with `done` and `value` properties makes this implementation fast.
1073
1074         After these improvements, the micro benchmark[1] shows the following.
1075
1076         old:
1077             Linked List x 212,776 ops/sec ±0.21% (162 runs sampled)
1078             Array x 376,156 ops/sec ±0.20% (162 runs sampled)
1079             Array forEach x 17,345 ops/sec ±0.99% (137 runs sampled)
1080             Array for-of x 16,518 ops/sec ±0.58% (160 runs sampled)
1081             Set forEach x 13,263 ops/sec ±0.20% (162 runs sampled)
1082             Set for-of x 4,732 ops/sec ±0.34% (123 runs sampled)
1083
1084         new:
1085             Linked List x 210,833 ops/sec ±0.28% (161 runs sampled)
1086             Array x 371,347 ops/sec ±0.36% (162 runs sampled)
1087             Array forEach x 17,460 ops/sec ±0.84% (136 runs sampled)
1088             Array for-of x 16,188 ops/sec ±1.27% (158 runs sampled)
1089             Set forEach x 23,684 ops/sec ±2.46% (139 runs sampled)
1090             Set for-of x 12,176 ops/sec ±0.54% (157 runs sampled)
1091
1092         Set#forEach becomes comparable to Array#forEach, and Set#forEach and Set & for-of are improved (1.79x and 2.57x).
1093         After these optimizations, they are still much slower than the linked list and the array.
1094         This should be optimized in the long term.
1095
1096         [1]: https://gist.github.com/Constellation/8db5f5b8f12fe7e283d0
1097
1098         * CMakeLists.txt:
1099         * DerivedSources.make:
1100         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1101         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1102         * JavaScriptCore.xcodeproj/project.pbxproj:
1103         * builtins/MapPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
1104         (forEach):
1105         * builtins/SetPrototype.js: Copied from Source/JavaScriptCore/runtime/IteratorOperations.h.
1106         (forEach):
1107         * runtime/CommonIdentifiers.h:
1108         * runtime/IteratorOperations.cpp:
1109         (JSC::createIteratorResultObjectStructure):
1110         (JSC::createIteratorResultObject):
1111         * runtime/IteratorOperations.h:
1112         * runtime/JSGlobalObject.cpp:
1113         (JSC::JSGlobalObject::init):
1114         (JSC::JSGlobalObject::visitChildren):
1115         * runtime/JSGlobalObject.h:
1116         (JSC::JSGlobalObject::iteratorResultObjectStructure):
1117         (JSC::JSGlobalObject::iteratorResultStructure): Deleted.
1118         (JSC::JSGlobalObject::iteratorResultStructureOffset): Deleted.
1119         * runtime/MapPrototype.cpp:
1120         (JSC::MapPrototype::getOwnPropertySlot):
1121         (JSC::privateFuncIsMap):
1122         (JSC::privateFuncMapIterator):
1123         (JSC::privateFuncMapIteratorNext):
1124         (JSC::MapPrototype::finishCreation): Deleted.
1125         (JSC::mapProtoFuncForEach): Deleted.
1126         * runtime/MapPrototype.h:
1127         * runtime/SetPrototype.cpp:
1128         (JSC::SetPrototype::getOwnPropertySlot):
1129         (JSC::privateFuncIsSet):
1130         (JSC::privateFuncSetIterator):
1131         (JSC::privateFuncSetIteratorNext):
1132         (JSC::SetPrototype::finishCreation): Deleted.
1133         (JSC::setProtoFuncForEach): Deleted.
1134         * runtime/SetPrototype.h:
1135
1136 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
1137
1138         Unreviewed, fix ARM64 build.
1139
1140         * b3/air/AirOpcode.opcodes:
1141
1142 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
1143
1144         B3 should reduce Trunc(BitOr(value, constant)) where !(constant & 0xffffffff) to Trunc(value)
1145         https://bugs.webkit.org/show_bug.cgi?id=152955
1146
1147         Reviewed by Saam Barati.
1148
1149         This happens when we box an int32 and then immediately unbox it.
1150
1151         This makes an enormous difference on AsmBench/FloatMM. It's a 2x speed-up on that
1152         benchmark. It's neutral elsewhere.
1153
1154         * b3/B3ReduceStrength.cpp:
1155         * b3/testb3.cpp:
1156         (JSC::B3::testPowDoubleByIntegerLoop):
1157         (JSC::B3::testTruncOrHigh):
1158         (JSC::B3::testTruncOrLow):
1159         (JSC::B3::testBitAndOrHigh):
1160         (JSC::B3::testBitAndOrLow):
1161         (JSC::B3::zero):
1162         (JSC::B3::run):
1163
1164 2016-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
1165
1166         [ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class
1167         https://bugs.webkit.org/show_bug.cgi?id=149855
1168
1169         Reviewed by Saam Barati.
1170
1171         JSArrowFunction.h/cpp were removed from JavaScriptCore, because a new approach is now used for storing
1172         'this', 'arguments' and 'super'.
1173
1174         * CMakeLists.txt:
1175         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1176         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1177         * JavaScriptCore.xcodeproj/project.pbxproj:
1178         * dfg/DFGAbstractInterpreterInlines.h:
1179         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1180         * dfg/DFGSpeculativeJIT.cpp:
1181         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1182         * dfg/DFGStructureRegistrationPhase.cpp:
1183         (JSC::DFG::StructureRegistrationPhase::run):
1184         * ftl/FTLAbstractHeapRepository.cpp:
1185         * ftl/FTLAbstractHeapRepository.h:
1186         * ftl/FTLLowerDFGToLLVM.cpp:
1187         (JSC::FTL::DFG::LowerDFGToLLVM::compileNewFunction):
1188         * interpreter/Interpreter.cpp:
1189         * interpreter/Interpreter.h:
1190         * jit/JITOpcodes.cpp:
1191         * jit/JITOpcodes32_64.cpp:
1192         * jit/JITOperations.cpp:
1193         * jit/JITOperations.h:
1194         * llint/LLIntOffsetsExtractor.cpp:
1195         * llint/LLIntSlowPaths.cpp:
1196         * runtime/JSArrowFunction.cpp: Removed.
1197         * runtime/JSArrowFunction.h: Removed.
1198         * runtime/JSGlobalObject.cpp:
1199         * runtime/JSGlobalObject.h:
1200
1201 2016-01-10  Filip Pizlo  <fpizlo@apple.com>
1202
1203         It should be possible to run liveness over registers without also tracking Tmps
1204         https://bugs.webkit.org/show_bug.cgi?id=152963
1205
1206         Reviewed by Saam Barati.
1207
1208         This adds a RegLivenessAdapter so that we can run Liveness over registers. This makes it
1209         easier to write certain kinds of phases, like ReportUsedRegisters. I anticipate writing more
1210         code like that for handling cold function calls. It also makes code like that somewhat more
1211         scalable, since we're no longer using HashSets.
1212
1213         Currently, the way we track sets of registers is with a BitVector. Normally, we use the
1214         RegisterSet class, which wraps BitVector, so that we can add()/contains() on Reg's. But in
1215         the liveness analysis, everything gets turned into an index. So, we want to use BitVector
1216         directly. To do that, I needed to make the BitVector API look a bit more like a set API. I
1217         think that this is good, because the lack of set methods (add/remove/contains) has caused
1218         bugs in the past. This makes BitVector have methods both for set operations on bits and array
1219         operations on bits. I think that's good, since BitVector gets used in both contexts.
1220
1221         * b3/B3IndexSet.h:
1222         (JSC::B3::IndexSet::Iterable::iterator::iterator):
1223         (JSC::B3::IndexSet::Iterable::begin):
1224         (JSC::B3::IndexSet::dump):
1225         * b3/air/AirInstInlines.h:
1226         (JSC::B3::Air::ForEach<Tmp>::forEach):
1227         (JSC::B3::Air::ForEach<Arg>::forEach):
1228         (JSC::B3::Air::ForEach<Reg>::forEach):
1229         (JSC::B3::Air::Inst::forEach):
1230         * b3/air/AirLiveness.h:
1231         (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter):
1232         (JSC::B3::Air::RegLivenessAdapter::maxIndex):
1233         (JSC::B3::Air::RegLivenessAdapter::acceptsType):
1234         (JSC::B3::Air::RegLivenessAdapter::valueToIndex):
1235         (JSC::B3::Air::RegLivenessAdapter::indexToValue):
1236         * b3/air/AirReportUsedRegisters.cpp:
1237         (JSC::B3::Air::reportUsedRegisters):
1238         * jit/Reg.h:
1239         (JSC::Reg::next):
1240         (JSC::Reg::index):
1241         (JSC::Reg::maxIndex):
1242         (JSC::Reg::isSet):
1243         (JSC::Reg::operator bool):
1244         * jit/RegisterSet.h:
1245         (JSC::RegisterSet::forEach):
1246
1247 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
1248
1249         [JSC] Make branchMul functional in ARM B3 and minor fixes
1250         https://bugs.webkit.org/show_bug.cgi?id=152889
1251
1252         Reviewed by Mark Lam.
1253
1254         ARM64 does not have an "S" version of MUL setting the flags.
1255         What we do is abstract that in the MacroAssembler. The problem
1256         is that form requires scratch registers.
1257
1258         For simplicity, I just exposed the two scratch registers
1259         for Air. Filip already added the concept of Scratch role,
1260         all I needed was to expose it for opcodes.
1261
1262         * assembler/MacroAssemblerARM64.h:
1263         (JSC::MacroAssemblerARM64::branchMul32):
1264         (JSC::MacroAssemblerARM64::branchMul64):
1265         Expose a version with the scratch registers as arguments.
1266
1267         * b3/B3LowerToAir.cpp:
1268         (JSC::B3::Air::LowerToAir::lower):
1269         Add the new form of CheckMul lowering.
1270
1271         * b3/air/AirOpcode.opcodes:
1272         Expose the new BranchMuls.
1273         Remove all the Test variants that use immediates
1274         since Air can't handle those immediates correctly yet.
1275
1276         * b3/air/opcode_generator.rb:
1277         Expose the Scratch role.
1278
1279         * b3/testb3.cpp:
1280         (JSC::B3::testPatchpointLotsOfLateAnys):
1281         Oops, the scratch registers were not clobbered. We were just lucky
1282         on x86.
1283
1284 2016-01-10  Benjamin Poulain  <bpoulain@apple.com>
1285
1286         [JSC] B3 is unable to do function calls on ARM64
1287         https://bugs.webkit.org/show_bug.cgi?id=152895
1288
1289         Reviewed by Mark Lam.
1290
1291         Apparently iOS does not follow the ARM64 ABI for function calls.
1292         Instead of giving each value an 8-byte slot, it must be packed
1293         while preserving alignment.
1294
1295         This patch adds a #ifdef to make function calls functional.
1296
1297         * b3/B3LowerToAir.cpp:
1298         (JSC::B3::Air::LowerToAir::marshallCCallArgument):
1299         (JSC::B3::Air::LowerToAir::lower):
1300
1301 2016-01-09  Filip Pizlo  <fpizlo@apple.com>
1302
1303         Air should support Branch64 with immediates
1304         https://bugs.webkit.org/show_bug.cgi?id=152951
1305
1306         Reviewed by Oliver Hunt.
1307
1308         This doesn't significantly improve performance on any benchmarks, but it's great to get this
1309         obvious omission out of the way.
1310
1311         * assembler/MacroAssemblerX86_64.h:
1312         (JSC::MacroAssemblerX86_64::branch64):
1313         * b3/air/AirOpcode.opcodes:
1314         * b3/testb3.cpp:
1315         (JSC::B3::testPowDoubleByIntegerLoop):
1316         (JSC::B3::testBranch64Equal):
1317         (JSC::B3::testBranch64EqualImm):
1318         (JSC::B3::testBranch64EqualMem):
        (JSC::B3::testBranch64EqualMemImm):
        (JSC::B3::zero):
        (JSC::B3::run):

2016-01-09  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Allow overriding the frameworks directory independently of using a staging install path
        https://bugs.webkit.org/show_bug.cgi?id=152926

        Reviewed by Tim Horton.

        Introduce a new build setting, WK_OVERRIDE_FRAMEWORKS_DIR. When not empty, it determines
        where the frameworks are installed. Setting USE_STAGING_INSTALL_PATH to YES sets
        WK_OVERRIDE_FRAMEWORKS_DIR to $(SYSTEM_LIBRARY_DIR)/StagedFrameworks/Safari.

        Account for the possibility of WK_OVERRIDE_FRAMEWORKS_DIR containing spaces.

        * Configurations/Base.xcconfig:
        - Replace STAGED_FRAMEWORKS_SEARCH_PATH in FRAMEWORK_SEARCH_PATHS with
          WK_OVERRIDE_FRAMEWORKS_DIR and add quotes to account for spaces.
        - Define JAVASCRIPTCORE_FRAMEWORKS_DIR based on WK_OVERRIDE_FRAMEWORKS_DIR.
        * Configurations/JSC.xcconfig:
          Add quotes to account for spaces.
        * Configurations/ToolExecutable.xcconfig:
          Ditto.
        * postprocess-headers.sh:
          Ditto.

2016-01-09  Mark Lam  <mark.lam@apple.com>

        The FTL allocated spill slots for BinaryOps is sometimes inaccurate.
        https://bugs.webkit.org/show_bug.cgi?id=152918

        Reviewed by Filip Pizlo and Saam Barati.

        * ftl/FTLCompile.cpp:
        - Updated a comment.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        - The code to compute maxNumberOfCatchSpills was unnecessarily allocating an
          extra slot for BinaryOps that don't have Untyped operands, and failing to
          allocate that extra slot for some binary ops.  This is now fixed.

        * tests/stress/ftl-shr-exception.js:
        * tests/stress/ftl-xor-exception.js:
        - Un-skipped these tests.  They now pass with this patch.

2016-01-09  Andreas Kling  <akling@apple.com>

        Use NeverDestroyed instead of DEPRECATED_DEFINE_STATIC_LOCAL
        <https://webkit.org/b/152902>

        Reviewed by Anders Carlsson.

        Mostly mechanical conversion to NeverDestroyed throughout JavaScriptCore.

        * API/JSAPIWrapperObject.mm:
        (jsAPIWrapperObjectHandleOwner):
        * API/JSManagedValue.mm:
        (managedValueHandleOwner):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocators):

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 should do varargs tail calls and stack overflows
        https://bugs.webkit.org/show_bug.cgi?id=152934

        Reviewed by Saam Barati.

        I was trying to get tail-call-varargs-no-stack-overflow.js.ftl-no-cjit-validate to work and
        at first I hit the stack overflow issue and then I hit the varargs tail call issue. That's
        why I have two fixes in one change. Now the test passes.

        This reduces the number of failures from 13 to 0.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower): Implement stack overflow handling.
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs): Varargs tail calls need to
        append an Oops (i.e. "unreachable").

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        B3 needs Neg()
        https://bugs.webkit.org/show_bug.cgi?id=152925

        Reviewed by Mark Lam.

        Previously we said that negation should be represented as Sub(0, x). That's wrong, since
        for floats, Sub(0, 0) == 0 while Neg(0) == -0.

        One way to solve this would be to say that anyone trying to say Neg(x) where x is a float
        should instead say BitXor(x, -0). That's actually correct, but I think that it would be odd
        to use bitops to represent floating point operations. Whatever cuteness this would have
        bought us would be outweighed by the annoyance of having to write code that matches
        Sub(0, x) for integer negation and BitXor(x, -0) for double negation. For example, this
        would mean strictly more code for anyone implementing a Neg(Neg(x))=>x strength reduction.
        Also, I suspect that the omission of Neg would cause others to make the mistake of using
        Sub to represent floating point negation.

        So, this introduces a proper Neg() opcode to B3. It's now the canonical way of saying
        negation for both ints and floats. For ints, we canonicalize Sub(0, x) to Neg(x). For
        floats, we lower it to BitXor(x, -0) on x86.

        This reduces the number of failures from 13 to 12.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::andFloat):
        (JSC::MacroAssemblerX86Common::xorDouble):
        (JSC::MacroAssemblerX86Common::xorFloat):
        (JSC::MacroAssemblerX86Common::convertInt32ToDouble):
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        (JSC::B3::Value::key):
        (JSC::B3::Value::typeFor):
        * b3/air/AirOpcode.opcodes:
        * ftl/FTLB3Output.cpp:
        (JSC::FTL::Output::lockedStackSlot):
        (JSC::FTL::Output::neg):
        (JSC::FTL::Output::bitNot):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::chillDiv):
        (JSC::FTL::Output::mod):
        (JSC::FTL::Output::chillMod):
        (JSC::FTL::Output::doubleAdd):
        (JSC::FTL::Output::doubleSub):
        (JSC::FTL::Output::doubleMul):
        (JSC::FTL::Output::doubleDiv):
        (JSC::FTL::Output::doubleMod):
        (JSC::FTL::Output::doubleNeg):
        (JSC::FTL::Output::bitAnd):
        (JSC::FTL::Output::bitOr):
        (JSC::FTL::Output::neg): Deleted.
        * tests/stress/ftl-negate-zero.js: Added. This was already covered by op_negate but since
        it's such a glaring bug, I thought having a test for it specifically would be good.
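
The signed-zero point made in the entry above, as an added example that is not part of the WebKit change or of the B3 code: negation written as Sub(0, x) versus a proper Neg(x), and the BitXor(x, -0) lowering, checked on +0.0. Function names are illustrative.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Negation of a double written as Sub(0, x), the representation the entry says
// B3 used before Neg() existed. Under IEEE 754 round-to-nearest, 0.0 - 0.0 is
// +0.0, so this loses the sign of zero.
double negViaSub(double x) { return 0.0 - x; }

// A proper Neg(x): flips the sign bit, so Neg(+0.0) is -0.0.
double negProper(double x) { return -x; }

// The x86 lowering the entry describes: BitXor(x, -0), i.e. xor in the sign bit.
double negViaXor(double x) {
    uint64_t bits, signBit;
    double negZero = -0.0;
    std::memcpy(&bits, &x, sizeof bits);
    std::memcpy(&signBit, &negZero, sizeof signBit);
    bits ^= signBit;
    std::memcpy(&x, &bits, sizeof x);
    return x;
}

// Bitwise identity. operator== cannot tell +0.0 from -0.0, which is exactly
// why Sub(0, x) looked acceptable until a sign-of-zero observer (like 1/x) ran.
bool sameBits(double a, double b) {
    uint64_t ab, bb;
    std::memcpy(&ab, &a, sizeof ab);
    std::memcpy(&bb, &b, sizeof bb);
    return ab == bb;
}

// For integers there is no signed zero: two's-complement Sub(0, x) and Neg(x)
// agree on every input, so canonicalizing Sub(0, x) to Neg(x) is safe for ints.
int32_t negInt(int32_t x) { return static_cast<int32_t>(0u - static_cast<uint32_t>(x)); }
```

The interesting assertions are on +0.0: the subtraction form yields +0.0 while Neg and the xor lowering yield -0.0, and 1/x exposes the difference as +inf versus -inf.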

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 compile() doesn't clear exception handlers before we add FTL-specific ones
        https://bugs.webkit.org/show_bug.cgi?id=152922

        Reviewed by Saam Barati.

        FTL B3 was generating a handler table that first contained the old baseline handlers keyed
        by baseline's bytecode indices and then the FTL handlers keyed by FTL callsite index. That's
        wrong, since the FTL code block should not contain any baseline handlers. The fix is to
        clear the handlers before generation, sort of like FTL LLVM does.

        Also added some stuff to make it easier to inspect the handler table.

        This reduces the number of failures from 25 to 13.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::dumpExceptionHandlers):
        (JSC::CodeBlock::beginDumpProfiling):
        * bytecode/CodeBlock.h:
        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        B3 incorrectly turns NotEqual(bool, 1) into Equal(bool, 1) instead of Equal(bool, 0)
        https://bugs.webkit.org/show_bug.cgi?id=152916

        Reviewed by Mark Lam.

        This was causing a failure in an ancient DFG layout test. Thanks, ftl-eager-no-cjit!

        This reduces the number of failures from 27 to 25.

        * b3/B3ReduceStrength.cpp:

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 allocateCell() should not crash
        https://bugs.webkit.org/show_bug.cgi?id=152909

        Reviewed by Mark Lam.

        This code was crashing in some tests that forced GC slow paths because it was stubbed out
        due to the use of undef. B3 doesn't have undef. In this case, there's no good reason to use
        undef. We can just use zero. Since the path is dead anyway in that case, we weren't gaining
        any LLVM optimizations by using undef.

        This reduces the number of failures from 35 to 27.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):

2016-01-08  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 fails to realize that binary snippets might choose to omit their fast path
        https://bugs.webkit.org/show_bug.cgi?id=152901

        Reviewed by Mark Lam.

        This reduces the number of failures from 99 to 35.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):

2016-01-08  Saam barati  <sbarati@apple.com>

        restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register
        https://bugs.webkit.org/show_bug.cgi?id=152879

        Reviewed by Filip Pizlo.

        We were clobbering a register we needed when picking
        a scratch register inside an FTL OSR Exit.

        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitRandomThunk):
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer):
        (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
        * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
        (foo):

2016-01-08  Mark Lam  <mark.lam@apple.com>

        Rolling out: Rename StringFromCharCode to StringFromSingleCharCode.
        https://bugs.webkit.org/show_bug.cgi?id=152897

        Not reviewed.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromSingleCharCode): Deleted.
        * runtime/StringConstructor.h:

2016-01-08  Per Arne Vollan  <peavo@outlook.com>

        [JSC] Use std::call_once instead of pthread_once when initializing LLVM.
        https://bugs.webkit.org/show_bug.cgi?id=152893

        Reviewed by Mark Lam.

        Use std::call_once since pthreads is not present on all platforms.

        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVMImpl):
        (JSC::initializeLLVM):

2016-01-08  Mark Lam  <mark.lam@apple.com>

        Rename StringFromCharCode to StringFromSingleCharCode.
        https://bugs.webkit.org/show_bug.cgi?id=152897

        Reviewed by Daniel Bates.

        StringFromSingleCharCode is a better name because the intrinsic it represents
        only applies when we are converting from a single char code.  This is purely
        a refactoring patch.  There is no semantic change.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromSingleCharCode):
        * runtime/StringConstructor.h:

2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Fixed unused parameter warnings
        https://bugs.webkit.org/show_bug.cgi?id=152885

        Reviewed by Mark Lam.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Max value of immediate arg of logical ops is 0xffff
        https://bugs.webkit.org/show_bug.cgi?id=152884

        Reviewed by Michael Saboff.

        Replaced imm.m_value < 65535 checks with imm.m_value <= 65535.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::and32):
        (JSC::MacroAssemblerMIPS::or32):

2016-01-08  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Add new or32 implementation after r194613
        https://bugs.webkit.org/show_bug.cgi?id=152865

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::or32):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 lazy slow paths should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152853

        Reviewed by Saam Barati.

        This reduces the number of JSC test failures to 97.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
        * tests/stress/ftl-new-negative-array-size.js: Added.
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skip more tests that fail.

        * tests/stress/ftl-shr-exception.js:
        (foo):
        * tests/stress/ftl-xor-exception.js:
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 binary snippets should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152852

        Reviewed by Saam Barati.

        This reduces the number of JSC test failures to 110.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
        * tests/stress/ftl-shr-exception.js: Added.
        (foo):
        (result.foo.valueOf):
        * tests/stress/ftl-sub-exception.js: Added.
        (foo):
        (result.foo.valueOf):
        * tests/stress/ftl-xor-exception.js: Added.
        (foo):
        (result.foo.valueOf):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skipping this test. Looks like LLVM can't handle this one, either.

        * tests/stress/ftl-call-varargs-bad-args-exception-interesting-live-state.js:
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skipping this test. Looks like LLVM can't handle it.

        * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js:
        (foo):

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 JS calls should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152851

        Reviewed by Geoffrey Garen.

        This reduces the number of JSC test failures with FTL B3 to 111.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        * tests/stress/ftl-call-bad-args-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-bad-callee-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-exception-no-catch.js: Added.
        * tests/stress/ftl-call-exception.js: Added.
        * tests/stress/ftl-call-varargs-bad-callee-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-varargs-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-call-varargs-exception-no-catch.js: Added.
        * tests/stress/ftl-call-varargs-exception.js: Added.

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 PutById should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152850

        Reviewed by Saam Barati.

        Implemented PutById exception handling by following the idiom used in GetById. Reduces the
        number of JSC test failures to 128.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        * tests/stress/ftl-put-by-id-setter-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-put-by-id-setter-exception-no-catch.js: Added.
        * tests/stress/ftl-put-by-id-setter-exception.js: Added.
        * tests/stress/ftl-put-by-id-slow-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-put-by-id-slow-exception-no-catch.js: Added.
        * tests/stress/ftl-put-by-id-slow-exception.js: Added.

2016-01-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r194714.
        https://bugs.webkit.org/show_bug.cgi?id=152864

        It broke many JSC tests when FTL B3 is enabled (Requested by
        pizlo on #webkit).

        Reverted changeset:

        "[JSC] When resolving Stack arguments, use addressing from SP
        when addressing from FP is invalid"
        https://bugs.webkit.org/show_bug.cgi?id=152840
        http://trac.webkit.org/changeset/194714

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Lower immediates of logical operations.
        https://bugs.webkit.org/show_bug.cgi?id=152693

        On MIPS, immediate operands of andi, ori, and xori are required to be 16-bit
        non-negative numbers.

        Reviewed by Michael Saboff.

        * offlineasm/mips.rb:
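
The 16-bit rule stated in this entry and the boundary fix in the "[mips] Max value of immediate arg of logical ops is 0xffff" entry above, worked through as an added example that is not taken from MacroAssemblerMIPS.h or mips.rb: decide whether an immediate fits the zero-extended field of andi/ori/xori, and otherwise materialize it in the assembler temporary before using the register form. The function names and the textual instruction output are illustrative.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// andi/ori/xori on MIPS zero-extend a 16-bit immediate, so the only values that
// can be encoded directly are 0 through 0xffff inclusive. The off-by-one the
// entry above fixed sits exactly on that boundary: 65535 fits, 65536 does not,
// and a negative value never fits because the field is unsigned.
bool fitsLogicalImm16(int32_t imm) {
    return imm >= 0 && imm <= 0xffff;
}

// Choose an instruction sequence for dest = src | imm, spelled out as text so the
// decision is visible. When the immediate does not fit, build it in the assembler
// temporary $at with lui (upper 16 bits) and ori (lower 16 bits), then use the
// three-register "or". The same shape applies to and32/xor32.
std::vector<std::string> lowerOr32(int32_t imm, const std::string& src, const std::string& dest) {
    std::vector<std::string> out;
    if (fitsLogicalImm16(imm)) {
        out.push_back("ori " + dest + ", " + src + ", " + std::to_string(imm));
        return out;
    }
    uint32_t bits = static_cast<uint32_t>(imm);
    uint32_t hi = bits >> 16;
    uint32_t lo = bits & 0xffff;
    out.push_back("lui $at, " + std::to_string(hi));
    if (lo)
        out.push_back("ori $at, $at, " + std::to_string(lo));
    out.push_back("or " + dest + ", " + src + ", $at");
    return out;
}
```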

2016-01-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Update testCheckSubBadImm() for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152846

        Reviewed by Mark Lam.

        * b3/testb3.cpp:
        (JSC::B3::testCheckSubBadImm):
        The test was assuming the constant can always be used
        as immediate. That's obviously not the case on ARM64.

2016-01-07  Filip Pizlo  <fpizlo@apple.com>

        FTL B3 getById() should do exceptions
        https://bugs.webkit.org/show_bug.cgi?id=152810

        Reviewed by Saam Barati.

        This adds abstractions for doing exceptions from patchpoints, and uses them to implement
        exceptions from GetById. This covers all of the following ways that a GetById might throw an
        exception:

        - Throw without try/catch from the vmCall() in a GetById(Untyped:)
        - Throw with try/catch from the vmCall() in a GetById(Untyped:)
        - Throw without try/catch from the callOperation() in the patchpoint of a GetById
        - Throw with try/catch from the callOperation() in the patchpoint of a GetById
        - Throw without try/catch from the Call IC generated in the patchpoint of a GetById
        - Throw with try/catch from the Call IC generated in the patchpoint of a GetById

        This requires having a default exception target in FTL-generated code, and ensuring that this
        target is generated regardless of whether we have branches to the B3 basic block of the
        default exception target. This also requires adding some extra arguments to a
        PatchpointValue, and then knowing that the arguments are used for OSR exit and not anything
        else. This also requires associating the CallSiteIndex of the patchpoint with the register
        set used for exit and with the OSR exit label for the unwind exit.

        All of the stuff that you have to worry about when wiring a patchpoint to exception handling
        is covered by the new PatchpointExceptionHandle object. You create one by calling
        preparePatchpointForExceptions(). This sets up the B3 IR representation of the patchpoint
        with stackmap arguments for the exceptional exit, and creates a PatchpointExceptionHandle
        object that can be used to create zero or more actual OSR exits. It can create both OSR exits
        for operation calls and OSR exits for unwind. You call the
        PatchpointExceptionHandle::scheduleExitCreationXXX() methods from the generator callback to
        actually get OSR exits.

        This API makes heavy use of Box<>, late paths, and link tasks. For example, you can use the
        PatchpointExceptionHandle to get a Box<JumpList> that you can append exception jumps to. When
        you use this API, it automatically registers a link task that will link the JumpList to the
        actual OSR exit label.

        This API is very flexible about how you get to the label of the OSR exit. You are encouraged
        to use the Box<JumpList> approach, but if you really just need the label, you can also get
        a RefPtr<ExceptionTarget> and rely on the fact that the ExceptionTarget object will be able
        to vend you the OSR exit label at link-time.

        This reduces the number of JSC test failures with FTL B3 from 186 to 133. It also adds a
        bunch of new tests specifically for all of the ways you might throw from GetById, and B3
        passes all of these new tests. Note that I'm not counting the new tests as part of the
        previous 186 test failures (FTL B3 failed all of the new tests prior to this change).

        After this change, it should be easy to make all of the other patchpoints also handle
        exceptions by just following the preparePatchpointForExceptions() idiom.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3StackmapValue.h:
        * b3/B3ValueRep.cpp:
        (JSC::B3::ValueRep::addUsedRegistersTo):
        (JSC::B3::ValueRep::usedRegisters):
        (JSC::B3::ValueRep::dump):
        * b3/B3ValueRep.h:
        (JSC::B3::ValueRep::doubleValue):
        (JSC::B3::ValueRep::withOffset):
        (JSC::B3::ValueRep::usedRegisters):
        * ftl/FTLB3Compile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLB3Output.h:
        (JSC::FTL::Output::unreachable):
        (JSC::FTL::Output::speculate):
        * ftl/FTLExceptionTarget.cpp: Added.
        (JSC::FTL::ExceptionTarget::~ExceptionTarget):
        (JSC::FTL::ExceptionTarget::label):
        (JSC::FTL::ExceptionTarget::jumps):
        (JSC::FTL::ExceptionTarget::ExceptionTarget):
        * ftl/FTLExceptionTarget.h: Added.
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::lower):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::DFG::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
        (JSC::FTL::DFG::LowerDFGToLLVM::getById):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
        (JSC::FTL::DFG::LowerDFGToLLVM::preparePatchpointForExceptions):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
        (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
        * ftl/FTLPatchpointExceptionHandle.cpp: Added.
        (JSC::FTL::PatchpointExceptionHandle::create):
        (JSC::FTL::PatchpointExceptionHandle::defaultHandle):
        (JSC::FTL::PatchpointExceptionHandle::~PatchpointExceptionHandle):
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreation):
        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
        (JSC::FTL::PatchpointExceptionHandle::PatchpointExceptionHandle):
        (JSC::FTL::PatchpointExceptionHandle::createHandle):
        * ftl/FTLPatchpointExceptionHandle.h: Added.
        * ftl/FTLState.cpp:
        * ftl/FTLState.h:
        (JSC::FTL::verboseCompilationEnabled):
        * tests/stress/ftl-get-by-id-getter-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-get-by-id-getter-exception-no-catch.js: Added.
        * tests/stress/ftl-get-by-id-getter-exception.js: Added.
        * tests/stress/ftl-get-by-id-slow-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-get-by-id-slow-exception-no-catch.js: Added.
        * tests/stress/ftl-get-by-id-slow-exception.js: Added.
        * tests/stress/ftl-operation-exception-interesting-live-state.js: Added.
        * tests/stress/ftl-operation-exception-no-catch.js: Added.

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Implemented missing branch patching methods.
        https://bugs.webkit.org/show_bug.cgi?id=152845

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch):

2016-01-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] When resolving Stack arguments, use addressing from SP when addressing from FP is invalid
        https://bugs.webkit.org/show_bug.cgi?id=152840

        Reviewed by Mark Lam.

        ARM64 has two kinds of addressing with immediates:
        - Signed 9-bit direct (really only -256 to 255).
        - Unsigned 12-bit scaled by the load/store size.

        When resolving the stack addresses, we easily run
        past -256 bytes from FP. Addressing from SP gives us more
        room to address the stack efficiently because we can
        use unsigned immediates.

        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::repForArg):
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
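
The two ARM64 immediate forms described in the entry above, as an added example that is not taken from AirAllocateStack.cpp or B3StackmapSpecial.cpp: classify an offset by which encoding can carry it, then compare the FP-relative and SP-relative offsets of one stack slot. The frame model (slots addressed as FP minus an offset, SP sitting frameSize bytes below FP) and the names are assumptions made for the example.

```cpp
#include <cstdint>

// ARM64 load/store addressing with an immediate offset has two encodings:
//  - a signed 9-bit unscaled offset, -256..255 (the LDUR/STUR form)
//  - an unsigned 12-bit offset scaled by the access size (the LDR/STR form),
//    so an 8-byte access can reach 0..4095*8 but only at multiples of 8.
enum class AddrForm { None, Signed9, Unsigned12Scaled };

AddrForm classifyOffset(int64_t offset, unsigned accessSize) {
    if (offset >= -256 && offset <= 255)
        return AddrForm::Signed9;
    int64_t size = static_cast<int64_t>(accessSize);
    if (offset >= 0 && offset % size == 0 && offset / size <= 4095)
        return AddrForm::Unsigned12Scaled;
    // Anything else needs the offset materialized in a register first.
    return AddrForm::None;
}

// Assumed frame model: a slot lives slotOffsetBelowFP bytes below FP, and SP sits
// frameSize bytes below FP, so the same slot is FP - slotOffsetBelowFP or
// SP + (frameSize - slotOffsetBelowFP). The FP-relative offset is negative and
// stops being encodable past -256; the SP-relative one is non-negative and can use
// the unsigned scaled form, which is the point of the entry above.
struct SlotAddressing {
    AddrForm fromFP;
    AddrForm fromSP;
};

SlotAddressing addressStackSlot(int64_t frameSize, int64_t slotOffsetBelowFP, unsigned accessSize) {
    return { classifyOffset(-slotOffsetBelowFP, accessSize),
             classifyOffset(frameSize - slotOffsetBelowFP, accessSize) };
}
```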

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Make repatchCall public to fix compilation.
        https://bugs.webkit.org/show_bug.cgi?id=152843

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::repatchCall):
        (JSC::MacroAssemblerMIPS::linkCall): Deleted.

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] Replaced subi with addi in getHostCallReturnValue
        https://bugs.webkit.org/show_bug.cgi?id=152841

        Reviewed by Michael Saboff.

        The MIPS architecture does not have a subi instruction; addi with a negative
        number should be used instead.

        * jit/JITOperations.cpp:

2016-01-07  Mark Lam  <mark.lam@apple.com>

        ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
        https://bugs.webkit.org/show_bug.cgi?id=152833

        Reviewed by Michael Saboff.

        Follow-up patch to fix illegal use of memoryTempRegister as the src for ARM64's
        store32.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or32):
        (JSC::MacroAssemblerARM64::store):

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [mips] GPRInfo::toArgumentRegister missing
        https://bugs.webkit.org/show_bug.cgi?id=152838

        Reviewed by Michael Saboff.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toArgumentRegister):

2016-01-07  Mark Lam  <mark.lam@apple.com>

        ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister.
        https://bugs.webkit.org/show_bug.cgi?id=152833

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::or32):
        - Added some assertions to make sure it is safe to use ARMRegisters::S0 as a temp.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or32):
        - Implement an optimization that avoids reloading the memoryTempRegister when
          the immediate is encodable as an instruction immediate.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::or32):
        - Added an assertion to make sure it is safe to use the dataTempRegister as a temp.
        - Implement an optimization that avoids reloading the memoryTempRegister when
          the immediate is encodable as an instruction immediate.  In the event that we
          cannot encode the immediate, we'll use the addressTempRegister as a temp, and
          reload it later.

2016-01-07  Konstantin Tokarev  <annulen@yandex.ru>

        [CMake] JSC shell sources should include JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
        https://bugs.webkit.org/show_bug.cgi?id=152664

        Reviewed by Alex Christensen.

        * shell/CMakeLists.txt:

2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH Attempting to pause on CSP violation not inside of script
        https://bugs.webkit.org/show_bug.cgi?id=152825
        <rdar://problem/24021276>

        Reviewed by Timothy Hatcher.

        * debugger/Debugger.cpp:
        (JSC::Debugger::breakProgram):
        We cannot pause if we are not evaluating JavaScript, so bail.

2016-01-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Re-enable lea() in Air on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=152832

        Reviewed by Michael Saboff.

        Lea() on the MacroAssembler is not the full x86 Lea (the real one being
        x86Lea32()). Instead, it is an addPtr() with SP and a constant.

        The instruction is required to implement B3's StackSlot. It is not
        safe for big offsets but none of the stack operations are at the moment.

        * b3/air/AirOpcode.opcodes:

2016-01-07  Julien Brianceau  <jbriance@cisco.com>

        [mips] Add two missing abortWithReason implementations
        https://bugs.webkit.org/show_bug.cgi?id=136753

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::memoryFence):
        (JSC::MacroAssemblerMIPS::abortWithReason):
        (JSC::MacroAssemblerMIPS::readCallTarget):

2016-01-07  Csaba Osztrogonác  <ossy@webkit.org>

        Add new or32 implementation to MacroAssemblerARM after r194613
        https://bugs.webkit.org/show_bug.cgi?id=152784

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::or32):

2016-01-06  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r194613): JITMulGenerator needs a scratch GPR on 32-bit too.
        https://bugs.webkit.org/show_bug.cgi?id=152805

        Reviewed by Michael Saboff.

        There aren't enough registers on x86 32-bit to allocate the needed scratch GPR.
        So, we'll continue to use one of the result registers as the scratch, and
        re-compute the result at the end.

        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):

2016-01-06  Anders Carlsson  <andersca@apple.com>

        Add a smart block pointer
        https://bugs.webkit.org/show_bug.cgi?id=152799

        Reviewed by Tim Horton.

        Get rid of RemoteTargetBlock and replace it with WTF::BlockPtr<void ()>.

        * inspector/remote/RemoteConnectionToTarget.h:
        (Inspector::RemoteTargetBlock::RemoteTargetBlock): Deleted.
2115         (Inspector::RemoteTargetBlock::~RemoteTargetBlock): Deleted.
2116         (Inspector::RemoteTargetBlock::operator=): Deleted.
2117         (Inspector::RemoteTargetBlock::operator()): Deleted.
2118         * inspector/remote/RemoteConnectionToTarget.mm:
2119         (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
2120         (Inspector::RemoteConnectionToTarget::queueTaskOnPrivateRunLoop):
2121
2122 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
2123
2124         [JSC] More B3 tests passing on ARM64
2125         https://bugs.webkit.org/show_bug.cgi?id=152787
2126
2127         Reviewed by Michael Saboff.
2128
2129         Some more minor bugs.
2130
2131         * assembler/MacroAssemblerARM64.h:
2132         (JSC::MacroAssemblerARM64::urshift64):
2133         The offset was being truncated. That code was just copied
2134         from the 32-bit version of urshift.
2135
2136         * b3/B3LowerToAir.cpp:
2137         (JSC::B3::Air::LowerToAir::createGenericCompare):
2138         Very few instructions can encode -1 as immediate.
2139         TST certainly can't. The fallback works for ARM.
2140
2141         * b3/air/AirOpcode.opcodes:
2142         Bit instructions have very specific immediate encoding.
2143         B3 cannot express that properly yet. I disabled those
2144         forms for now. Immediate encoding is something we'll really
2145         have to look into at some point for B3 ARM64.
2146
2147 2016-01-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2148
2149         Silence -Wtautological-compare
2150         https://bugs.webkit.org/show_bug.cgi?id=152768
2151
2152         Reviewed by Saam Barati.
2153
2154         * runtime/Options.cpp:
2155         (JSC::Options::setAliasedOption):
2156
2157 2016-01-06  Filip Pizlo  <fpizlo@apple.com>
2158
2159         Make sure that the basic throw-from-operation mode of throwing makes sense in FTL B3
2160         https://bugs.webkit.org/show_bug.cgi?id=152798
2161
2162         Reviewed by Oliver Hunt.
2163
2164         This really just contains one change: we inline emitBranchToOSRExitIfWillCatchException()
2165         into callCheck(), since that was its only caller. This makes it a bit more clear what is
2166         going on.
2167
2168         It turns out that FTL B3 already handled this case properly. I added a test that I believe
2169         illustrates this. Note that although the test uses GetById, which ordinarily throws
2170         exceptions from inside a patchpoint, it uses it in such a way that the exception is thrown
2171         from the operation call for the non-cell bypass path of a GetById(UntypedUse:).
2172
2173         * ftl/FTLLowerDFGToLLVM.cpp:
2174         (JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
2175         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
2176         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2177         (JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException): Deleted.
2178         * tests/stress/ftl-operation-exception.js: Added.
2179         (foo):
2180
2181 2016-01-06  Joseph Pecoraro  <pecoraro@apple.com>
2182
2183         Web Inspector: Remove duplicate check
2184         https://bugs.webkit.org/show_bug.cgi?id=152792
2185
2186         Reviewed by Timothy Hatcher.
2187
2188         * inspector/InjectedScriptSource.js:
2189         (InjectedScript.RemoteObject.prototype._generatePreview): Deleted.
2190         This method is only called from one place, and it does an equivalent
2191         check before calling this function. Remove the duplicate check.
2192
2193 2016-01-06  Brian Burg  <bburg@apple.com>
2194
2195         Add a WebKit SPI for registering an automation controller with RemoteInspector
2196         https://bugs.webkit.org/show_bug.cgi?id=151576
2197
2198         Reviewed by Dan Bernstein and Joseph Pecoraro.
2199
2200         Given a RemoteInspector endpoint that is instantiated in UIProcess, there
2201         should be a way to delegate automation-related functionality and policy to
2202         clients of WebKit.
2203
2204         This class adds a RemoteInspector::Client interface that serves a delegate.
2205         This is ultimately delegated via _WKAutomationDelegate, which is an SPI
2206         that allows clients to install an Objective-C delegate for automation.
2207
2208         The setting for whether remote automation is allowed is included in the
2209         listing that RemoteInspector sends out. It is updated when RemoteInspector::Client
2210         is assigned, or when the client signals that its capabilities have changed.
2211
2212         * inspector/remote/RemoteInspector.h:
2213         * inspector/remote/RemoteInspector.mm:
2214         (Inspector::RemoteInspector::setRemoteInspectorClient): Added.
2215         (Inspector::RemoteInspector::pushListingsNow):
2216
2217             In the listing, include whether the application supports remote automation.
2218
2219         * inspector/remote/RemoteInspectorConstants.h: Add a constant.
2220
2221 2016-01-05  Keith Miller  <keith_miller@apple.com>
2222
2223         [ES6] Boolean, Number, Map, RegExp, and Set should be subclassable
2224         https://bugs.webkit.org/show_bug.cgi?id=152765
2225
2226         Reviewed by Michael Saboff.
2227
2228         This patch enables subclassing of five more builtins: Boolean, Number, Map, RegExp, and Set.
2229
2230         * runtime/BooleanConstructor.cpp:
2231         (JSC::constructWithBooleanConstructor):
2232         (JSC::constructBoolean): Deleted.
2233         * runtime/BooleanConstructor.h:
2234         * runtime/MapConstructor.cpp:
2235         (JSC::constructMap):
2236         * runtime/NumberConstructor.cpp:
2237         (JSC::constructWithNumberConstructor):
2238         * runtime/RegExpConstructor.cpp:
2239         (JSC::getRegExpStructure):
2240         (JSC::constructRegExp):
2241         * runtime/SetConstructor.cpp:
2242         (JSC::constructSet):
2243         * tests/es6.yaml:
2244         * tests/stress/class-subclassing-misc.js: Added.
2245         (B):
2246         (N):
2247         (M):
2248         (R):
2249         (S):
2250         (test):
2251
2252 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2253
2254         [mips] Fix branchTruncateDoubleToUint32 implementation in macro assembler
2255         https://bugs.webkit.org/show_bug.cgi?id=152782
2256
2257         Reviewed by Benjamin Poulain.
2258
2259         Already covered by LayoutTests/js/dfg-uint32array-overflow-values test.
2260
2261         * assembler/MacroAssemblerMIPS.h:
2262         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
2263
2264 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2265
2266         [mips] Fix or32 implementation in macro assembler
2267         https://bugs.webkit.org/show_bug.cgi?id=152781
2268
2269         Reviewed by Michael Saboff.
2270
2271         * assembler/MacroAssemblerMIPS.h:
2272         (JSC::MacroAssemblerMIPS::or32):
2273
2274 2016-01-06  Julien Brianceau  <jbriance@cisco.com>
2275
2276         [mips] Add missing branchAdd32 implementation in macro assembler
2277         https://bugs.webkit.org/show_bug.cgi?id=152785
2278
2279         Reviewed by Michael Saboff.
2280
2281         * assembler/MacroAssemblerMIPS.h:
2282         (JSC::MacroAssemblerMIPS::branchAdd32):
2283
2284 2016-01-06  Andy VanWagoner  <thetalecrafter@gmail.com>
2285
2286         [ES6] Date.prototype should be a plain object
2287         https://bugs.webkit.org/show_bug.cgi?id=152574
2288
2289         Reviewed by Benjamin Poulain.
2290
2291         * runtime/DateConstructor.cpp:
2292         (JSC::DateConstructor::finishCreation):
2293         * runtime/DatePrototype.cpp:
2294         (JSC::DatePrototype::DatePrototype):
2295         * runtime/DatePrototype.h:
2296         * tests/mozilla/mozilla-tests.yaml: Expect errors from old Date.prototype as Date instance tests.
2297
2298 2016-01-06  Benjamin Poulain  <bpoulain@apple.com>
2299
2300         [JSC] Get more of testb3 to pass on ARM64
2301         https://bugs.webkit.org/show_bug.cgi?id=152737
2302
2303         Reviewed by Geoffrey Garen.
2304
2305         A bunch of minor bugs and missing functions to make most of testb3
2306         run on ARM64.
2307
2308         * JavaScriptCore.xcodeproj/project.pbxproj:
2309         * assembler/ARM64Assembler.h:
2310         (JSC::ARM64Assembler::canEncodePImmOffset):
2311         (JSC::ARM64Assembler::canEncodeSImmOffset):
2312         (JSC::isInt9): Deleted.
2313         (JSC::isUInt12): Deleted.
2314         * assembler/ARMv7Assembler.h:
2315         * assembler/AssemblerCommon.h: Added.
2316         (JSC::isInt9):
2317         (JSC::isUInt12):
2318         (JSC::isValidScaledUImm12):
2319         (JSC::isValidSignedImm9):
2320         * assembler/MacroAssemblerARM64.h:
2321         (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
2322         (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
2323         (JSC::MacroAssemblerARM64::store16):
2324         (JSC::MacroAssemblerARM64::absFloat):
2325         (JSC::MacroAssemblerARM64::loadFloat):
2326         (JSC::MacroAssemblerARM64::storeFloat):
2327         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate):
2328         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate):
2329         (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset):
2330         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<8>):
2331         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnsignedImmediate<16>):
2332         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<8>):
2333         (JSC::MacroAssemblerARM64::loadSignedAddressedByUnscaledImmediate<16>):
2334         * assembler/X86Assembler.h:
2335         * b3/B3LowerToAir.cpp:
2336         (JSC::B3::Air::LowerToAir::effectiveAddr):
2337         (JSC::B3::Air::LowerToAir::lower):
2338         * b3/air/AirArg.h:
2339         (JSC::B3::Air::Arg::isValidImmForm):
2340         (JSC::B3::Air::Arg::isValidAddrForm):
2341         (JSC::B3::Air::Arg::isValidForm):
2342         * b3/air/AirOpcode.opcodes:
2343
2344 2016-01-05  Zan Dobersek  <zdobersek@igalia.com>
2345
2346         [CMake] Remove USE_UDIS86 variable
2347         https://bugs.webkit.org/show_bug.cgi?id=152731
2348
2349         Reviewed by Gyuyoung Kim.
2350
2351         * CMakeLists.txt: Unconditionally build the Udis86-specific files.
2352
2353 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2354
2355         FTL B3 fails cdjs-tests.yaml/red_black_tree_test.js.ftl-eager-no-cjit
2356         https://bugs.webkit.org/show_bug.cgi?id=152770
2357
2358         Reviewed by Mark Lam.
2359
2360         It turns out that liveness didn't know that the return value GPR or FPR is live at the
2361         return. Consequently, we can end up with code that clobbers the return value register after
2362         the move of the return value into that register. This could happen if we start with
2363         something like:
2364
2365             Move 42(%tmp1), %tmp2
2366             Move 50(%tmp1), %tmp3
2367             Move %tmp3, 58(%tmp1)
2368             Move %tmp2, %rax
2369             Ret
2370
2371         Then we might coalesce %tmp2 with %rax:
2372
2373             Move 42(%tmp1), %rax
2374             Move 50(%tmp1), %tmp3
2375             Move %tmp3, 58(%tmp1)
2376             Ret
2377
2378         But now there is no use of %rax after that first instruction, so %rax appears dead at the
2379         other two Move's. So, the register allocator could then do this:
2380
2381             Move 42(%tmp1), %rax
2382             Move 50(%tmp1), %rax
2383             Move %rax, 58(%tmp1)
2384             Ret
2385
2386         And that's clearly wrong. This patch solves this issue by replacing the old Ret instruction
2387         with Ret32, Ret64, RetFloat, and RetDouble. These all take the return value register as an
2388         argument. They also tell Air which parts of the return value register the caller will
2389         observe. That's great for width analysis.
2390
2391         This resolves a test failure in the CDjs red_black_tree_test. This reduces the total number
2392         of JSC test failures from 217 to 191.
2393
2394         * assembler/MacroAssembler.h:
2395         (JSC::MacroAssembler::oops):
2396         (JSC::MacroAssembler::ret32):
2397         (JSC::MacroAssembler::ret64):
2398         (JSC::MacroAssembler::retFloat):
2399         (JSC::MacroAssembler::retDouble):
2400         (JSC::MacroAssembler::shouldConsiderBlinding):
2401         * b3/B3LowerToAir.cpp:
2402         (JSC::B3::Air::LowerToAir::lower):
2403         * b3/air/AirGenerate.cpp:
2404         (JSC::B3::Air::generate):
2405         * b3/air/AirHandleCalleeSaves.cpp:
2406         (JSC::B3::Air::handleCalleeSaves):
2407         * b3/air/AirOpcode.opcodes:
2408         * b3/air/opcode_generator.rb:
2409
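To make the liveness argument in the entry above concrete, here is an added example (not JSC's Air code) that runs a textbook backward liveness pass over the coalesced sequence, once with the operand-less Ret and once with Ret64 %rax. The instruction syntax, the use/def model and the interference rule are assumptions made for this illustration.

```javascript
// Added example, not JSC code: minimal backward liveness over Air-like
// straight-line code. Assumed syntax: "Move src, dst", "Ret", "Ret64 %reg".

// "42(%tmp1)" reads its base register; "%rax" is a plain register operand.
function parseOperand(text) {
  const mem = /^-?\d+\((%\w+)\)$/.exec(text);
  return mem ? { kind: "mem", base: mem[1] } : { kind: "reg", name: text };
}

// Turn one textual instruction into its use/def sets.
function parseInst(line) {
  const m = /^(\w+)\s*(.*)$/.exec(line.trim());
  const op = m[1];
  const args = m[2] ? m[2].split(",").map((s) => parseOperand(s.trim())) : [];
  const uses = new Set();
  const defs = new Set();
  if (op === "Move") {
    const [src, dst] = args;
    uses.add(src.kind === "mem" ? src.base : src.name);
    if (dst.kind === "mem") uses.add(dst.base); // a store reads its base, defines nothing
    else defs.add(dst.name);
  } else if (op === "Ret") {
    // the old operand-less Ret: the analysis sees no use of the return register
  } else if (/^Ret(32|64|Float|Double)$/.test(op)) {
    uses.add(args[0].name); // the typed Ret names the register the caller observes
  } else {
    throw new Error(`unsupported opcode: ${op}`);
  }
  return { op, uses, defs, text: line.trim() };
}

// Backward dataflow: live_in(i) = uses(i) ∪ (live_out(i) \ defs(i)), live_out(i) = live_in(i+1).
function liveOutSets(lines) {
  const insts = lines.map(parseInst);
  const liveOut = new Array(insts.length);
  let live = new Set();
  for (let i = insts.length - 1; i >= 0; i--) {
    liveOut[i] = new Set(live);
    const next = new Set([...live].filter((r) => !insts[i].defs.has(r)));
    for (const r of insts[i].uses) next.add(r);
    live = next;
  }
  return { insts, liveOut };
}

// A def whose register is not live-out is dead: the allocator may reuse that register.
function deadDefs(lines) {
  const { insts, liveOut } = liveOutSets(lines);
  return insts.flatMap((inst, i) =>
    [...inst.defs].filter((r) => !liveOut[i].has(r)).map((r) => `${i}: ${inst.text} (dead def of ${r})`));
}

// Is giving `tmp` the register `reg` legal? Only if neither is live-out where the other is defined.
function canCoalesce(lines, tmp, reg) {
  const { insts, liveOut } = liveOutSets(lines);
  return insts.every((inst, i) =>
    !(inst.defs.has(tmp) && liveOut[i].has(reg)) && !(inst.defs.has(reg) && liveOut[i].has(tmp)));
}

// The sequence after %tmp2 was coalesced with %rax, with the old operand-less Ret.
const AFTER_COALESCE_OLD_RET = [
  "Move 42(%tmp1), %rax",
  "Move 50(%tmp1), %tmp3",
  "Move %tmp3, 58(%tmp1)",
  "Ret",
];

// The same sequence with a Ret64 that takes the return value register as an argument.
const AFTER_COALESCE_RET64 = [
  "Move 42(%tmp1), %rax",
  "Move 50(%tmp1), %tmp3",
  "Move %tmp3, 58(%tmp1)",
  "Ret64 %rax",
];

console.log(deadDefs(AFTER_COALESCE_OLD_RET)); // ["0: Move 42(%tmp1), %rax (dead def of %rax)"]
console.log(canCoalesce(AFTER_COALESCE_OLD_RET, "%tmp3", "%rax")); // true: the clobbering allocation looks legal
console.log(deadDefs(AFTER_COALESCE_RET64)); // []
console.log(canCoalesce(AFTER_COALESCE_RET64, "%tmp3", "%rax")); // false: %rax is live across the def of %tmp3
```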
2410 2016-01-05  Keith Miller  <keith_miller@apple.com>
2411
2412         Unreviewed build fix. A symbol was being exported that should not have been.
2413
2414         * runtime/Structure.h:
2415
2416 2016-01-05  Commit Queue  <commit-queue@webkit.org>
2417
2418         Unreviewed, rolling out r194603.
2419         https://bugs.webkit.org/show_bug.cgi?id=152762
2420
2421         This change introduced JSC test failures (Requested by
2422         ryanhaddad on #webkit).
2423
2424         Reverted changeset:
2425
2426         "[ES6] Date.prototype should be a plain object"
2427         https://bugs.webkit.org/show_bug.cgi?id=152574
2428         http://trac.webkit.org/changeset/194603
2429
2430 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2431
2432         stress/v8-crypto-strict.js.ftl-eager-no-cjit in FTL B3 fails with an assertion in the callframe shuffler
2433         https://bugs.webkit.org/show_bug.cgi?id=152756
2434
2435         Reviewed by Saam Barati.
2436
2437         This fixes a really obvious and dumb tail call bug in FTL B3. I think that tail calls work
2438         for real now. I have no idea why I got any tail call tests to pass before this fix.
2439
2440         * ftl/FTLLowerDFGToLLVM.cpp:
2441         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
2442
2443 2016-01-04  Mark Lam  <mark.lam@apple.com>
2444
2445         Profiling should detect when multiplication overflows but does not create negative zero.
2446         https://bugs.webkit.org/show_bug.cgi?id=132470
2447
2448         Reviewed by Geoffrey Garen.
2449
2450         * assembler/MacroAssemblerARM64.h:
2451         (JSC::MacroAssemblerARM64::or32):
2452         * assembler/MacroAssemblerARMv7.h:
2453         (JSC::MacroAssemblerARMv7::or32):
2454         - New or32 emitter needed by the mul snippet.
2455
2456         * bytecode/CodeBlock.cpp:
2457         (JSC::CodeBlock::resultProfileForBytecodeOffset):
2458         (JSC::CodeBlock::updateResultProfileForBytecodeOffset): Deleted.
2459         * bytecode/CodeBlock.h:
2460         (JSC::CodeBlock::ensureResultProfile):
2461         (JSC::CodeBlock::addResultProfile): Deleted.
2462         (JSC::CodeBlock::likelyToTakeDeepestSlowCase): Deleted.
2463         - Added a m_bytecodeOffsetToResultProfileIndexMap because we can now add result
2464           profiles in any order (based on runtime execution), not necessarily in bytecode
2465           order at baseline compilation time.
2466
2467         * bytecode/ValueProfile.cpp:
2468         (WTF::printInternal):
2469         * bytecode/ValueProfile.h:
2470         (JSC::ResultProfile::didObserveInt52Overflow):
2471         (JSC::ResultProfile::setObservedInt52Overflow):
2472         - Add new Int52Overflow flags.
2473
2474         * dfg/DFGByteCodeParser.cpp:
2475         (JSC::DFG::ByteCodeParser::makeSafe):
2476         - Now with more straightforward mapping of profiling info.
2477
2478         * dfg/DFGCommon.h:
2479         - Fixed a typo in a comment.
2480
2481         * dfg/DFGNode.h:
2482         (JSC::DFG::Node::arithNodeFlags):
2483         (JSC::DFG::Node::mayHaveNonIntResult):
2484         (JSC::DFG::Node::hasConstantBuffer):
2485         * dfg/DFGNodeFlags.cpp:
2486         (JSC::DFG::dumpNodeFlags):
2487         * dfg/DFGNodeFlags.h:
2488         (JSC::DFG::nodeMayOverflowInt52):
2489         (JSC::DFG::nodeCanSpeculateInt52):
2490         * dfg/DFGPredictionPropagationPhase.cpp:
2491         (JSC::DFG::PredictionPropagationPhase::propagate):
2492         - We now have profiling info for whether the result was ever seen to be a non-Int.
2493           Use this to make a better prediction.
2494
2495         * jit/JITArithmetic.cpp:
2496         (JSC::JIT::emit_op_div):
2497         (JSC::JIT::emit_op_mul):
2498         - Switch to using CodeBlock::ensureResultProfile().  ResultProfiles can now be
2499           created at any time (including the slow path), not just in bytecode order
2500           during baseline compilation.
2501
2502         * jit/JITMulGenerator.cpp:
2503         (JSC::JITMulGenerator::generateFastPath):
2504         - Removed the fast path profiling code for NegZero because we'll go to the slow
2505           path anyway.  Let the slow path do the profiling for us.
2506         - Added profiling for NegZero and potential Int52 overflows in the fast path
2507           that does double math.
2508
2509         * runtime/CommonSlowPaths.cpp:
2510         (JSC::updateResultProfileForBinaryArithOp):
2511         - Removed the RETURN_WITH_RESULT_PROFILING macro (2 fewer macros), and just use
2512           the RETURN_WITH_PROFILING macro instead with a call to
2513           updateResultProfileForBinaryArithOp().  This makes it clear what we're doing
2514           to do profiling in each case, and also allows us to do custom profiling for
2515           each opcode if needed.  However, so far, we always call
2516           updateResultProfileForBinaryArithOp().
2517
2518 2016-01-05  Keith Miller  <keith_miller@apple.com>
2519
2520         [ES6] Arrays should be subclassable.
2521         https://bugs.webkit.org/show_bug.cgi?id=152706
2522
2523         Reviewed by Benjamin Poulain.
2524
2525         This patch enables full subclassing of Arrays. We do this by fetching the new.target's prototype property
2526         in the Array constructor and transitioning the old structure to have the new prototype. This method has
2527         two downsides. The first is that we clobber the transition watchpoint on the base structure. The second,
2528         which is currently very significant but should be fixed in a future patch, is that we allocate a new
2529         structure for each new derived class we allocate.
2530
2531         * runtime/ArrayConstructor.cpp:
2532         (JSC::constructArrayWithSizeQuirk):
2533         (JSC::constructWithArrayConstructor):
2534         (JSC::callArrayConstructor):
2535         * runtime/ArrayConstructor.h:
2536         * runtime/JSGlobalObject.h:
2537         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
2538         (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
2539         (JSC::constructEmptyArray):
2540         (JSC::constructArray):
2541         (JSC::constructArrayNegativeIndexed):
2542         * runtime/PrototypeMap.h:
2543         * runtime/Structure.h:
2544         * runtime/StructureInlines.h:
2545         (JSC::Structure::createSubclassStructure):
2546         * tests/es6.yaml:
2547         * tests/stress/class-subclassing-array.js: Added.
2548         (A):
2549         (B.prototype.get 1):
2550         (B):
2551         (C):
2552         (test):
2553
2554 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2555
2556         regress/script-tests/deltablue-varargs.js.ftl-no-cjit-no-put-stack-validate on FTL B3 gets a B3 validation failure
2557         https://bugs.webkit.org/show_bug.cgi?id=152754
2558
2559         Reviewed by Geoffrey Garen and Saam Barati.
2560
2561         It turns out that the FTL was creating orphans. Rather than making the FTL handle them by
2562         itself, I gave B3 the power to eliminate them for you. I also made the dumper print them
2563         since otherwise, you wouldn't know anything about the orphan when looking at a validation
2564         failure or other kind of procedure dump.
2565
2566         * b3/B3IndexSet.h:
2567         (JSC::B3::IndexSet::add):
2568         (JSC::B3::IndexSet::addAll):
2569         (JSC::B3::IndexSet::remove):
2570         * b3/B3Procedure.cpp:
2571         (JSC::B3::Procedure::dump):
2572         (JSC::B3::Procedure::deleteValue):
2573         (JSC::B3::Procedure::deleteOrphans):
2574         (JSC::B3::Procedure::dominators):
2575         * b3/B3Procedure.h:
2576         (JSC::B3::Procedure::cfg):
2577         * ftl/FTLLowerDFGToLLVM.cpp:
2578         (JSC::FTL::DFG::LowerDFGToLLVM::lower):
2579
2580 2015-12-24  Mark Lam  <mark.lam@apple.com>
2581
2582         Re-landing: Add validation of JSC options to catch typos.
2583         https://bugs.webkit.org/show_bug.cgi?id=152549
2584
2585         Reviewed by Benjamin Poulain.
2586
2587         1. If a JSC_xxx option is found and xxx is not a valid option, we will now log
2588            an error message.
2589         2. If a --xxx jsc option is specified, but xxx is not a valid option, we will
2590            now log an error message.
2591         3. Added JSC_validateOptions, which if set to true will cause the VM to crash if
2592            an invalid option was seen during options parsing.
2593
2594         In this version for re-landing, I removed the change where I disallowed -- options
2595         after the script name.  Apparently, we have some test harnesses that do append the
2596         -- options after the script name.
2597
2598         * jsc.cpp:
2599         (CommandLine::parseArguments):
2600         * runtime/Options.cpp:
2601         (JSC::Options::initialize):
2602         * runtime/Options.h:
2603
2604 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2605
2606         FTL B3 should do ArithNegate
2607         https://bugs.webkit.org/show_bug.cgi?id=152745
2608
2609         Reviewed by Geoffrey Garen.
2610
2611         * ftl/FTLLowerDFGToLLVM.cpp:
2612         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithNegate):
2613
2614 2016-01-05  Andy VanWagoner  <thetalecrafter@gmail.com>
2615
2616         [ES6] Date.prototype should be a plain object
2617         https://bugs.webkit.org/show_bug.cgi?id=152574
2618
2619         Reviewed by Benjamin Poulain.
2620
2621         * runtime/DateConstructor.cpp:
2622         (JSC::DateConstructor::finishCreation):
2623         * runtime/DatePrototype.cpp:
2624         (JSC::DatePrototype::DatePrototype):
2625         * runtime/DatePrototype.h:
2626
2627 2016-01-05  Commit Queue  <commit-queue@webkit.org>
2628
2629         Unreviewed, rolling out r194590.
2630         https://bugs.webkit.org/show_bug.cgi?id=152751
2631
2632         "Causes bot failures" (Requested by mlam on #webkit).
2633
2634         Reverted changeset:
2635
2636         "Add validation of JSC options to catch typos."
2637         https://bugs.webkit.org/show_bug.cgi?id=152549
2638         http://trac.webkit.org/changeset/194590
2639
2640 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2641
2642         FTL B3 should do In
2643         https://bugs.webkit.org/show_bug.cgi?id=152744
2644
2645         Reviewed by Michael Saboff.
2646
2647         This was easy; I just used the same idiom that we already established for ICs in FTL B3.
2648
2649         * ftl/FTLLowerDFGToLLVM.cpp:
2650         (JSC::FTL::DFG::LowerDFGToLLVM::compileIn):
2651
2652 2016-01-05  Filip Pizlo  <fpizlo@apple.com>
2653
2654         Implement B3 version of FTL::Output::check()
2655         https://bugs.webkit.org/show_bug.cgi?id=152743
2656
2657         Reviewed by Geoffrey Garen.
2658
2659         Turns out this was just like the LLVM version.
2660
2661         * ftl/FTLB3Output.cpp:
2662         (JSC::FTL::Output::branch):
2663         (JSC::FTL::Output::check):
2664         * ftl/FTLB3Output.h:
2665         (JSC::FTL::Output::switchInstruction):
2666         (JSC::FTL::Output::check): Deleted.
2667
2668 2016-01-05  Mark Lam  <mark.lam@apple.com>
2669
2670         Add support for aliasing JSC Options.
2671         https://bugs.webkit.org/show_bug.cgi?id=152551
2672
2673         Reviewed by Filip Pizlo.
2674
2675         This allows us to use old options names as well.  This is for the benefit of
2676         third party tools which may have been built to rely on those old options.  The
2677         old option names will be mapped to the current option names in setOption().
2678
2679         For some options, the old option name specifies the inverse boolean value of the
2680         current option name.  setOption() will take care of inverting the value before
2681         applying it to the option.
2682
2683         * jsc.cpp:
2684         (CommandLine::parseArguments):
2685         - Switch to dumping only overridden options here.  Verbose dumping is too much
2686           for common usage.
2687         * runtime/Options.cpp:
2688         (JSC::overrideOptionWithHeuristic):
2689         (JSC::Options::overrideAliasedOptionWithHeuristic):
2690         (JSC::computeNumberOfWorkerThreads):
2691         (JSC::Options::initialize):
2692         (JSC::Options::setOptionWithoutAlias):
2693         (JSC::invertBoolOptionValue):
2694         (JSC::Options::setAliasedOption):
2695         (JSC::Options::setOption):
2696         (JSC::Options::dumpAllOptions):
2697         - String.ascii() converts newline characters to '?', and this was messing up the
2698           printing of the options.  Switched to using String.utf8() instead.
2699         (JSC::Options::dumpOption):
2700         * runtime/Options.h:
2701
2702 2016-01-05  Mark Lam  <mark.lam@apple.com>
2703
2704         Add validation of JSC options to catch typos.
2705         https://bugs.webkit.org/show_bug.cgi?id=152549
2706
2707         Reviewed by Benjamin Poulain.
2708
2709         1. If a JSC_xxx option is found and xxx is not a valid option, we will now log
2710            an error message.
2711         2. The jsc app is commonly used as follows:
2712
2713                $ jsc [jsc options] [scripts]
2714
2715            Previously, we'll continue to parse for [jsc options] after [scripts] is seen.
2716            We won't do this anymore.  Any --xxx jsc options must precede the [scripts]
2717            arguments.
2718
2719         3. If a --xxx jsc option is specified, but xxx is not a valid option, we will
2720            now log an error message.
2721
2722         4. Added JSC_validateOptions, which if set to true will cause the VM to crash if
2723            an invalid option was seen during options parsing.
2724
2725         * jsc.cpp:
2726         (CommandLine::parseArguments):
2727         * runtime/Options.cpp:
2728         (JSC::Options::initialize):
2729         * runtime/Options.h:
2730
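As an added illustration of the option validation described in this entry and of the aliasing described in the "Add support for aliasing JSC Options" entry above (this is not the code in runtime/Options.cpp): a small option table with plain and inverted aliases, JSC_xxx environment and --xxx argument parsing, unknown-name reporting, and a validateOptions mode that refuses to start on an invalid option. The option and alias names are constructed for the example.

```javascript
// Added example, not JSC's Options implementation. Option and alias names are constructed.
const OPTIONS = {
  useJIT: { type: "bool", value: true },
  validateOptions: { type: "bool", value: false },
  numberOfWorkerThreads: { type: "unsigned", value: 4 },
};

// alias -> { target, inverted }: an inverted alias sets the opposite boolean value.
const ALIASES = {
  enableJIT: { target: "useJIT", inverted: false },
  disableJIT: { target: "useJIT", inverted: true },
  workerThreads: { target: "numberOfWorkerThreads", inverted: false },
};

function parseValue(option, raw) {
  if (option.type === "bool") {
    if (raw === "true" || raw === "1") return true;
    if (raw === "false" || raw === "0") return false;
    return undefined;
  }
  return /^\d+$/.test(raw) ? Number(raw) : undefined;
}

// Set one option by name or alias; returns an error string, or null on success.
function setOption(options, name, raw) {
  let target = name;
  let inverted = false;
  if (!(name in options)) {
    const alias = ALIASES[name];
    if (!alias) return `unknown option '${name}'`; // a typo is reported, not silently ignored
    target = alias.target;
    inverted = alias.inverted;
  }
  const option = options[target];
  let value = parseValue(option, raw);
  if (value === undefined) return `invalid value '${raw}' for option '${name}'`;
  if (inverted) value = !value;
  option.value = value;
  return null;
}

// JSC_xxx environment variables: xxx must be a known option or alias.
function applyEnvironment(options, env) {
  const errors = [];
  for (const [key, raw] of Object.entries(env)) {
    if (!key.startsWith("JSC_")) continue;
    const err = setOption(options, key.slice(4), raw);
    if (err) errors.push(err);
  }
  return errors;
}

// --xxx=value arguments; anything else is a script. As in the re-landed version,
// -- options are still accepted after a script name.
function parseArguments(options, argv) {
  const errors = [];
  const scripts = [];
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) { scripts.push(arg); continue; }
    const err = setOption(options, m[1], m[2]);
    if (err) errors.push(err);
  }
  return { scripts, errors };
}

// Fresh copy of the defaults, then environment, then command line.
function configure(env, argv) {
  const options = JSON.parse(JSON.stringify(OPTIONS));
  const errors = applyEnvironment(options, env);
  const parsed = parseArguments(options, argv);
  errors.push(...parsed.errors);
  if (options.validateOptions.value && errors.length)
    throw new Error(`invalid options: ${errors.join("; ")}`);
  return { options, scripts: parsed.scripts, errors };
}

// Constructed scenario: an inverted alias, a typo'd variable, and an option after the script.
const demo = configure(
  { JSC_disableJIT: "true", JSC_usJIT: "false" },
  ["--workerThreads=2", "script.js", "--useJIT=true"]);
console.log(demo.errors); // ["unknown option 'usJIT'"]
console.log(demo.options.useJIT.value, demo.options.numberOfWorkerThreads.value); // true 2
```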
2731 2016-01-04  Keith Miller  <keith_miller@apple.com>
2732
2733         Turn off Internal Function inlining in the DFG for super calls.
2734         https://bugs.webkit.org/show_bug.cgi?id=152695
2735
2736         Reviewed by Geoffrey Garen.
2737
2738         Currently, we inline several InternalFunctions into an allocation with a
2739         fixed structure in the DFG. This optimization is not valid when the
2740         InternalFunction is called via a super call.
2741
2742         * dfg/DFGByteCodeParser.cpp:
2743         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2744         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2745
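As an added example (not from JSC's test suite) of the behaviour that the "[ES6] Arrays should be subclassable" entry above and this super-call entry make observable: the Array constructor picks its prototype from new.target, an indexed accessor on a derived prototype answers for holes, and a super() call into a builtin such as Map must yield an object with the derived prototype. The class names A, B and M are constructed for this illustration.

```javascript
// Added example, not JSC test code. Class names are constructed.
class A extends Array {}

// Like the ChangeLog's test, B puts an accessor named 1 on its prototype.
class B extends Array {
  get 1() { return "accessor on B.prototype"; }
}

// A derived class whose constructor reaches the Map builtin through super().
class M extends Map {
  constructor(entries) {
    super(entries); // must allocate with M.prototype, not a fixed Map structure
    this.tag = "derived";
  }
}

function arraySubclassFacts() {
  const a = new A(1, 2, 3);
  // Reflect.construct sets new.target to B without running B's constructor,
  // which is exactly the information the Array constructor reads.
  const viaNewTarget = Reflect.construct(Array, [3], B);
  return {
    aProto: Object.getPrototypeOf(a) === A.prototype,
    aIsArray: Array.isArray(a),
    aLength: a.length,
    mappedIsA: a.map((x) => x * 2) instanceof A, // species creates another A
    newTargetProto: Object.getPrototypeOf(viaNewTarget) === B.prototype,
    newTargetIsArray: Array.isArray(viaNewTarget),
    holeReadsPrototype: viaNewTarget[1], // index 1 is a hole, so B.prototype's getter answers
    ownIndexWins: new B("x", "y", "z")[1], // an own element shadows the prototype getter
    baseUntouched: Object.getPrototypeOf([]) === Array.prototype && !(1 in []),
  };
}

function mapSubclassFacts() {
  const m = new M([["k", 1]]);
  return {
    proto: Object.getPrototypeOf(m) === M.prototype,
    isMap: m instanceof Map,
    get: m.get("k"),
    size: m.size,
    tag: m.tag,
  };
}

console.log(arraySubclassFacts());
console.log(mapSubclassFacts());
```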
2746 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2747
2748         FTL B3 should do binary snippets
2749         https://bugs.webkit.org/show_bug.cgi?id=152668
2750
2751         Reviewed by Mark Lam.
2752
2753         This finishes all of the rest of the snippets.
2754
2755         * ftl/FTLLowerDFGToLLVM.cpp:
2756         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitOr):
2757         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitXor):
2758         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitRShift):
2759         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitLShift):
2760         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitURShift):
2761         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
2762         (JSC::FTL::DFG::LowerDFGToLLVM::emitRightShiftSnippet):
2763         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2764         * tests/stress/object-bit-or.js: Added.
2765         (foo):
2766         (things.valueOf):
2767         * tests/stress/object-bit-xor.js: Added.
2768         (foo):
2769         (things.valueOf):
2770         * tests/stress/object-lshift.js: Added.
2771         (foo):
2772         (things.valueOf):
2773         * tests/stress/object-rshift.js: Added.
2774         (foo):
2775         (things.valueOf):
2776         * tests/stress/object-urshift.js: Added.
2777         (foo):
2778         (things.valueOf):
2779         * tests/stress/untyped-bit-or.js: Added.
2780         (foo):
2781         (valueOf):
2782         * tests/stress/untyped-bit-xor.js: Added.
2783         (foo):
2784         (valueOf):
2785         * tests/stress/untyped-lshift.js: Added.
2786         (foo):
2787         (valueOf):
2788         * tests/stress/untyped-rshift.js: Added.
2789         (foo):
2790         (valueOf):
2791         * tests/stress/untyped-urshift.js: Added.
2792         (foo):
2793         (valueOf):
2794
2795 2016-01-04  Mark Lam  <mark.lam@apple.com>
2796
2797         isUntypedSpeculationForArithmetic is wrong.
2798         https://bugs.webkit.org/show_bug.cgi?id=152708
2799
2800         Reviewed by Filip Pizlo.
2801
2802         The isUntypedSpeculation...() checks should return true if we ever see
2803         non-numeric types, regardless of whether numeric types are seen or not.
2804         Previously, they only returned true if we only saw non-numeric types, and false if
2805         we ever saw numeric types.
2806
2807         This patch is perf neutral on both x86_64 and x86.
2808
2809         * bytecode/SpeculatedType.h:
2810         (JSC::isUntypedSpeculationForArithmetic):
2811         (JSC::isUntypedSpeculationForBitOps):
2812
2813 2016-01-04  Tim Horton  <timothy_horton@apple.com>
2814
2815         Turn on gesture events when building for Yosemite
2816         https://bugs.webkit.org/show_bug.cgi?id=152704
2817         rdar://problem/24042472
2818
2819         Reviewed by Anders Carlsson.
2820
2821         * Configurations/FeatureDefines.xcconfig:
2822
2823 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2824
2825         FTL B3 should do BitAnd binary snippets
2826         https://bugs.webkit.org/show_bug.cgi?id=152713
2827
2828         Reviewed by Mark Lam.
2829
2830         Getting ready to finish up the binary bitop snippets.
2831
2832         * ftl/FTLLowerDFGToLLVM.cpp:
2833         (JSC::FTL::DFG::LowerDFGToLLVM::compileBitAnd):
2834         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2835         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinaryBitOpSnippet):
2836         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2837         * tests/stress/object-bit-and.js: Added.
2838         (foo):
2839         (things.valueOf):
2840         * tests/stress/untyped-bit-and.js: Added.
2841         (foo):
2842         (valueOf):
2843
2844 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2845
2846         FTL B3 should do all of the non-bitop binary snippets
2847         https://bugs.webkit.org/show_bug.cgi?id=152709
2848
2849         Reviewed by Mark Lam.
2850
2851         * ftl/FTLLowerDFGToLLVM.cpp:
2852         (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
2853         (JSC::FTL::DFG::LowerDFGToLLVM::compileStrCat):
2854         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
2855         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithDiv):
2856         * tests/stress/object-add.js: Added.
2857         (foo):
2858         (things.valueOf):
2859         * tests/stress/object-div.js: Added.
2860         (foo):
2861         (things.valueOf):
2862         * tests/stress/object-mul.js: Added.
2863         (foo):
2864         (things.valueOf):
2865         * tests/stress/untyped-add.js: Added.
2866         (foo):
2867         (valueOf):
2868         * tests/stress/untyped-div.js: Added.
2869         (foo):
2870         (valueOf):
2871         * tests/stress/untyped-mul.js: Added.
2872         (foo):
2873         (valueOf):
2874
2875 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2876
2877         FTL B3 should do the ArithSub binary snippet
2878         https://bugs.webkit.org/show_bug.cgi?id=152705
2879
2880         Reviewed by Saam Barati.
2881
2882         This implements the ArithSub binary snippet generator in FTL B3.
2883
2884         While doing this, I discovered that the DFG type inference logic for ArithSub contains a
2885         classic mistake: it causes the snippets to kick in when the type set does not contain numbers
2886         rather than kicking in when the type set contains non-numbers. So, the original test that I
2887         wrote for this doesn't work right (it runs to completion but OSR exits ad infinitum). I wrote
2888         a second test that is simpler, and that one shows that the binary snippets "work". That's
2889         sort of a joke though, since the only way to trigger binary snippets is to never pass numbers
2890         and the only way to actually cause a binary snippet to do meaningful work is to pass numbers.
2891         I filed a bug about this mess: https://bugs.webkit.org/show_bug.cgi?id=152708.
2892
2893         * ftl/FTLLowerDFGToLLVM.cpp:
2894         (JSC::FTL::DFG::LowerDFGToLLVM::compileUntypedBinaryOp):
2895         (JSC::FTL::DFG::LowerDFGToLLVM::compileArithAddOrSub):
2896         (JSC::FTL::DFG::LowerDFGToLLVM::nonSpeculativeCompare):
2897         (JSC::FTL::DFG::LowerDFGToLLVM::emitBinarySnippet):
2898         (JSC::FTL::DFG::LowerDFGToLLVM::allocateCell):
2899         (JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
2900         (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
2901         * tests/stress/object-sub.js: Added.
2902         (foo):
2903         (things.valueOf):
2904         * tests/stress/untyped-sub.js: Added.
2905         (foo):
2906         (valueOf):
2907
2908 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2909
2910         Unreviewed, disable FTL B3 for now. I didn't intend to enable it yet.
2911
2912         * dfg/DFGCommon.h:
2913
2914 2016-01-04  Filip Pizlo  <fpizlo@apple.com>
2915
2916         B3 patchpoints should allow requesting scratch registers
2917         https://bugs.webkit.org/show_bug.cgi?id=152669
2918
2919         Reviewed by Benjamin Poulain.
2920
2921         Scratch registers are something that we often need in many patchpoint use cases. In LLVM's
2922         patchpoints, we didn't have a good way to request scratch registers. So, our current FTL code
2923         often does crazy scratch register allocation madness even when it would be better to just ask
2924         the backend for some registers. This patch adds a mechanism for requesting scratch registers
2925         in B3, and wires it all the way to all of our register allocation and liveness
2926         infrastructure.
2927
2928         From the standpoint of a patchpoint, a "scratch register" is an instruction argument that
2929         only admits Tmp and is defined early (like an early clobber register) and is used late (like
2930         what we previously called LateUse, except that this time it's also a warm use). We already
2931         had the beginning of support for early def's because of early clobbers, and we already
2932         supported late uses albeit cold ones. I really only needed to add one new role: "Scratch",
2933         which means both early def and late use in much the same way as "UseDef" means both early
2934         use and late def. But, it feels better to complete the set of roles, so I added LateColdUse
2935         to differentiate from LateUse (which is now a warm use) and EarlyDef to differentiate from
2936         Def (which is, and always has been, a late def). Forcing the code to deal with the full
2937         matrix of possibilities resulted in what is probably a progression in how we handle defs in
2938         the register and stack allocators. The new Inst::forEachDef(Inst*, Inst*, callback) fully
2939         recognizes that a "def" is something that can come from either the preceding instruction or
2940         the succeeding one.
2941
2942         This doesn't add any new functionality to FTL B3 yet, but the new scratch register mechanism
2943         is covered by new testb3 tests.
2944
2945         * b3/B3CheckSpecial.cpp:
2946         (JSC::B3::CheckSpecial::isValid):
2947         (JSC::B3::CheckSpecial::admitsStack):
2948         (JSC::B3::CheckSpecial::generate):
2949         * b3/B3LowerToAir.cpp:
2950         (JSC::B3::Air::LowerToAir::lower):
2951         * b3/B3PatchpointSpecial.cpp:
2952         (JSC::B3::PatchpointSpecial::forEachArg):
2953         (JSC::B3::PatchpointSpecial::isValid):
2954         (JSC::B3::PatchpointSpecial::admitsStack):
2955         (JSC::B3::PatchpointSpecial::generate):
2956         * b3/B3PatchpointValue.cpp:
2957         (JSC::B3::PatchpointValue::dumpMeta):
2958         (JSC::B3::PatchpointValue::PatchpointValue):
2959         * b3/B3PatchpointValue.h:
2960         * b3/B3StackmapGenerationParams.cpp:
2961         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
2962         * b3/B3StackmapGenerationParams.h:
2963         (JSC::B3::StackmapGenerationParams::gpScratch):
2964         (JSC::B3::StackmapGenerationParams::fpScratch):
2965         * b3/B3StackmapSpecial.cpp:
2966         (JSC::B3::StackmapSpecial::forEachArgImpl):
2967         (JSC::B3::StackmapSpecial::isValidImpl):
2968         (JSC::B3::StackmapSpecial::admitsStackImpl):
2969         (JSC::B3::StackmapSpecial::repsImpl):
2970         (JSC::B3::StackmapSpecial::isArgValidForValue):
2971         (JSC::B3::StackmapSpecial::appendRepsImpl): Deleted.
2972         * b3/B3StackmapSpecial.h:
2973         * b3/air/AirAllocateStack.cpp:
2974         (JSC::B3::Air::allocateStack):
2975         * b3/air/AirArg.cpp:
2976         (WTF::printInternal):
2977         * b3/air/AirArg.h:
2978         (JSC::B3::Air::Arg::isAnyUse):
2979         (JSC::B3::Air::Arg::isColdUse):
2980         (JSC::B3::Air::Arg::isEarlyUse):
2981         (JSC::B3::Air::Arg::isLateUse):
2982         (JSC::B3::Air::Arg::isAnyDef):
2983         (JSC::B3::Air::Arg::isEarlyDef):
2984         (JSC::B3::Air::Arg::isLateDef):
2985         (JSC::B3::Air::Arg::isZDef):
2986         (JSC::B3::Air::Arg::Arg):
2987         (JSC::B3::Air::Arg::imm):
2988         (JSC::B3::Air::Arg::isDef): Deleted.
2989         * b3/air/AirBasicBlock.h:
2990         (JSC::B3::Air::BasicBlock::at):
2991         (JSC::B3::Air::BasicBlock::get):
2992         (JSC::B3::Air::BasicBlock::last):
2993         * b3/air/AirEliminateDeadCode.cpp:
2994         (JSC::B3::Air::eliminateDeadCode):
2995         * b3/air/AirFixPartialRegisterStalls.cpp:
2996         (JSC::B3::Air::fixPartialRegisterStalls):
2997         * b3/air/AirInst.cpp:
2998         (JSC::B3::Air::Inst::hasArgEffects):
2999         * b3/air/AirInst.h:
3000         * b3/air/AirInstInlines.h:
3001         (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
3002         (JSC::B3::Air::Inst::forEachDef):
3003         (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
3004         (JSC::B3::Air::Inst::reportUsedRegisters):
3005         (JSC::B3::Air::Inst::forEachTmpWithExtraClobberedRegs): Deleted.
3006         * b3/air/AirIteratedRegisterCoalescing.cpp:
3007         * b3/air/AirLiveness.h:
3008         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
3009         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
3010         * b3/air/AirSpillEverything.cpp:
3011         (JSC::B3::Air::spillEverything):
3012         * b3/air/AirTmpWidth.cpp:
3013         (JSC::B3::Air::TmpWidth::recompute):
3014         * b3/air/AirUseCounts.h:
3015         (JSC::B3::Air::UseCounts::UseCounts):
3016         * b3/testb3.cpp:
3017         (JSC::B3::testPatchpointAny):
3018         (JSC::B3::testPatchpointGPScratch):
3019         (JSC::B3::testPatchpointFPScratch):
3020         (JSC::B3::testPatchpointLotsOfLateAnys):
3021         (JSC::B3::run):
3022
3023 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
3024
3025         Fix the !ENABLE(INTL) build after r193493
3026         https://bugs.webkit.org/show_bug.cgi?id=152689
3027
3028         Reviewed by Alex Christensen.
3029
3030         * runtime/NumberPrototype.cpp:
3031         (JSC::NumberPrototype::finishCreation):
3032
3033 2016-01-04  Csaba Osztrogonác  <ossy@webkit.org>
3034
3035         JSC generator scripts shouldn't have verbose output
3036         https://bugs.webkit.org/show_bug.cgi?id=152382
3037
3038         Reviewed by Michael Catanzaro.
3039
3040         * b3/air/opcode_generator.rb:
3041         * generate-bytecode-files:
3042         * offlineasm/asm.rb:
3043         * offlineasm/generate_offset_extractor.rb:
3044         * offlineasm/parser.rb:
3045
3046 2016-01-04  Benjamin Poulain  <bpoulain@apple.com>
3047
3048         [JSC] Build B3 by default on iOS ARM64
3049         https://bugs.webkit.org/show_bug.cgi?id=152525
3050
3051         Reviewed by Filip Pizlo.
3052
3053         Minor changes required to get testb3 to compile.
3054
3055         * Configurations/ToolExecutable.xcconfig:
3056         We need an entitlement to allocate executable memory.
3057
3058         * assembler/MacroAssemblerARM64.h:
3059         (JSC::MacroAssemblerARM64::scratchRegister):
3060         (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
3061         (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
3062         Expose one of the scratch registers for ValueRep::emitRestore().
3063         Guard the use of scratch registers when not allowed.
3064
3065         * b3/air/AirOpcode.opcodes:
3066         ARM addressing is a bit different. Skip Addr to make things build.
3067
3068         * b3/testb3.cpp:
3069         (JSC::B3::testPatchpointWithStackArgumentResult):
3070         Add on memory only exists on x86.
3071
3072         * jit/RegisterSet.cpp:
3073         (JSC::RegisterSet::macroScratchRegisters):
3074         Add the two scratch registers, useful for patchpoints.
3075
3076 2016-01-03  Khem Raj  <raj.khem@gmail.com>
3077
3078         WebKit fails to build with musl libc library
3079         https://bugs.webkit.org/show_bug.cgi?id=152625
3080
3081         Reviewed by Daniel Bates.
3082
3083         Qualify isnan() calls with std namespace.
3084
3085         * runtime/Options.cpp:
3086         (Option::operator==): Add std namespace qualifier.
3087
3088 2016-01-03  Andreas Kling  <akling@apple.com>
3089
3090         Remove redundant StringImpl substring creation function.
3091         <https://webkit.org/b/152652>
3092
3093         Reviewed by Daniel Bates.
3094
3095         Remove jsSubstring8() and make the only call site use jsSubstring().
3096
3097         * runtime/JSString.h:
3098         (JSC::jsSubstring8): Deleted.
3099         * runtime/StringPrototype.cpp:
3100         (JSC::replaceUsingRegExpSearch):
3101
3102 2016-01-02  Khem Raj  <raj.khem@gmail.com>
3103
3104         Clang's builtin for clear_cache accepts char* and errors out
3105         when using void*; using char* works on both gcc and clang
3106         since char* is auto-converted to void* in gcc case.
3107         https://bugs.webkit.org/show_bug.cgi?id=152654
3108
3109         Reviewed by Michael Saboff.
3110
3111         * assembler/ARM64Assembler.h:
3112         (linuxPageFlush): Convert arguments to __builtin___clear_cache()
3113         to char*.
3114
3115 2015-12-31  Andy Estes  <aestes@apple.com>
3116
3117         Replace WTF::move with WTFMove
3118         https://bugs.webkit.org/show_bug.cgi?id=152601
3119
3120         Reviewed by Brady Eidson.
3121
3122         * API/ObjCCallbackFunction.mm:
3123         (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
3124         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
3125         (JSC::ObjCCallbackFunction::create):
3126         (objCCallbackFunctionForInvocation):
3127         * assembler/AssemblerBuffer.h:
3128         (JSC::AssemblerBuffer::releaseAssemblerData):
3129         * assembler/LinkBuffer.cpp:
3130         (JSC::LinkBuffer::linkCode):
3131         * b3/B3BlockInsertionSet.cpp:
3132         (JSC::B3::BlockInsertionSet::insert):
3133         (JSC::B3::BlockInsertionSet::splitForward):
3134         * b3/B3LowerToAir.cpp:
3135         (JSC::B3::Air::LowerToAir::run):
3136         (JSC::B3::Air::LowerToAir::lower):
3137         * b3/B3OpaqueByproducts.cpp:
3138         (JSC::B3::OpaqueByproducts::add):
3139         * b3/B3Procedure.cpp:
3140         (JSC::B3::Procedure::addBlock):
3141         (JSC::B3::Procedure::addDataSection):
3142         * b3/B3Procedure.h:
3143         (JSC::B3::Procedure::releaseByproducts):
3144         * b3/B3ProcedureInlines.h:
3145         (JSC::B3::Procedure::add):
3146         * b3/B3Value.h:
3147         * b3/air/AirCode.cpp:
3148         (JSC::B3::Air::Code::addBlock):
3149         (JSC::B3::Air::Code::addStackSlot):
3150         (JSC::B3::Air::Code::addSpecial):
3151         * b3/air/AirInst.h:
3152         (JSC::B3::Air::Inst::Inst):
3153         * b3/air/AirIteratedRegisterCoalescing.cpp:
3154         * b3/air/AirSimplifyCFG.cpp:
3155         (JSC::B3::Air::simplifyCFG):
3156         * bindings/ScriptValue.cpp:
3157         (Deprecated::jsToInspectorValue):
3158         * builtins/BuiltinExecutables.cpp:
3159         (JSC::createExecutableInternal):
3160         * bytecode/BytecodeBasicBlock.cpp:
3161         (JSC::computeBytecodeBasicBlocks):
3162         * bytecode/CodeBlock.cpp:
3163         (JSC::CodeBlock::finishCreation):
3164         (JSC::CodeBlock::setCalleeSaveRegisters):
3165         * bytecode/CodeBlock.h:
3166         (JSC::CodeBlock::setJITCodeMap):
3167         (JSC::CodeBlock::livenessAnalysis):
3168         * bytecode/GetByIdStatus.cpp:
3169         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3170         * bytecode/GetByIdVariant.cpp:
3171         (JSC::GetByIdVariant::GetByIdVariant):
3172         * bytecode/PolymorphicAccess.cpp:
3173         (JSC::PolymorphicAccess::regenerateWithCases):
3174         (JSC::PolymorphicAccess::regenerateWithCase):
3175         (JSC::PolymorphicAccess::regenerate):
3176         * bytecode/PutByIdStatus.cpp:
3177         (JSC::PutByIdStatus::computeForStubInfo):
3178         * bytecode/PutByIdVariant.cpp:
3179         (JSC::PutByIdVariant::setter):
3180         * bytecode/StructureStubClearingWatchpoint.cpp:
3181         (JSC::StructureStubClearingWatchpoint::push):
3182         * bytecode/StructureStubClearingWatchpoint.h:
3183         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
3184         * bytecode/StructureStubInfo.cpp:
3185         (JSC::StructureStubInfo::addAccessCase):
3186         * bytecode/UnlinkedCodeBlock.cpp:
3187         (JSC::UnlinkedCodeBlock::setInstructions):
3188         * bytecode/UnlinkedFunctionExecutable.cpp:
3189         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3190         * bytecode/UnlinkedFunctionExecutable.h:
3191         * bytecompiler/SetForScope.h:
3192         (JSC::SetForScope::SetForScope):
3193         * dfg/DFGGraph.cpp:
3194         (JSC::DFG::Graph::livenessFor):
3195         (JSC::DFG::Graph::killsFor):
3196         * dfg/DFGJITCompiler.cpp:
3197         (JSC::DFG::JITCompiler::link):
3198         (JSC::DFG::JITCompiler::compile):
3199         (JSC::DFG::JITCompiler::compileFunction):
3200         * dfg/DFGJITFinalizer.cpp:
3201         (JSC::DFG::JITFinalizer::JITFinalizer):
3202         * dfg/DFGLivenessAnalysisPhase.cpp:
3203         (JSC::DFG::LivenessAnalysisPhase::process):
3204         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3205         * dfg/DFGSpeculativeJIT.cpp:
3206         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
3207         (JSC::DFG::SpeculativeJIT::compileIn):
3208         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3209         * dfg/DFGSpeculativeJIT32_64.cpp:
3210         (JSC::DFG::SpeculativeJIT::cachedGetById):
3211         (JSC::DFG::SpeculativeJIT::cachedPutById):
3212         * dfg/DFGSpeculativeJIT64.cpp:
3213         (JSC::DFG::SpeculativeJIT::cachedGetById):
3214         (JSC::DFG::SpeculativeJIT::cachedPutById):
3215         * dfg/DFGWorklist.cpp:
3216         (JSC::DFG::Worklist::finishCreation):
3217         * disassembler/Disassembler.cpp:
3218         (JSC::disassembleAsynchronously):
3219         * ftl/FTLB3Compile.cpp:
3220         (JSC::FTL::compile):
3221         * ftl/FTLCompile.cpp:
3222         (JSC::FTL::mmAllocateDataSection):
3223         * ftl/FTLJITCode.cpp:
3224         (JSC::FTL::JITCode::initializeB3Byproducts):
3225         * ftl/FTLJITFinalizer.h:
3226         (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
3227         * ftl/FTLLink.cpp:
3228         (JSC::FTL::link):
3229         * ftl/FTLLowerDFGToLLVM.cpp:
3230         (JSC::FTL::DFG::LowerDFGToLLVM::compileTailCall):
3231         (JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
3232         * heap/Heap.cpp:
3233         (JSC::Heap::releaseDelayedReleasedObjects):
3234         (JSC::Heap::markRoots):
3235         (JSC::Heap::setIncrementalSweeper):
3236         * heap/HeapInlines.h:
3237         (JSC::Heap::releaseSoon):
3238         (JSC::Heap::registerWeakGCMap):
3239         * heap/WeakInlines.h:
3240         * inspector/ConsoleMessage.cpp:
3241         (Inspector::ConsoleMessage::addToFrontend):
3242         * inspector/ContentSearchUtilities.cpp:
3243         (Inspector::ContentSearchUtilities::searchInTextByLines):
3244         * inspector/InjectedScript.cpp:
3245         (Inspector::InjectedScript::getFunctionDetails):
3246         (Inspector::InjectedScript::getProperties):
3247         (Inspector::InjectedScript::getDisplayableProperties):
3248         (Inspector::InjectedScript::getInternalProperties):
3249         (Inspector::InjectedScript::getCollectionEntries):
3250         (Inspector::InjectedScript::wrapCallFrames):
3251         * inspector/InspectorAgentRegistry.cpp:
3252         (Inspector::AgentRegistry::append):
3253         (Inspector::AgentRegistry::appendExtraAgent):
3254         * inspector/InspectorBackendDispatcher.cpp:
3255         (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
3256         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
3257         (Inspector::BackendDispatcher::BackendDispatcher):
3258         (Inspector::BackendDispatcher::create):
3259         (Inspector::BackendDispatcher::sendPendingErrors):
3260         * inspector/InspectorProtocolTypes.h:
3261         (Inspector::Protocol::Array::addItem):
3262         * inspector/InspectorValues.cpp:
3263         * inspector/InspectorValues.h:
3264         (Inspector::InspectorObjectBase::setValue):
3265         (Inspector::InspectorObjectBase::setObject):
3266         (Inspector::InspectorObjectBase::setArray):
3267         (Inspector::InspectorArrayBase::pushValue):
3268         (Inspector::InspectorArrayBase::pushObject):
3269         (Inspector::InspectorArrayBase::pushArray):
3270         * inspector/JSGlobalObjectConsoleClient.cpp:
3271         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
3272         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
3273         * inspector/JSGlobalObjectInspectorController.cpp:
3274         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3275         (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
3276         * inspector/JSInjectedScriptHost.cpp:
3277         (Inspector::JSInjectedScriptHost::JSInjectedScriptHost):
3278         * inspector/JSInjectedScriptHost.h:
3279         (Inspector::JSInjectedScriptHost::create):
3280         * inspector/agents/InspectorAgent.cpp:
3281         (Inspector::InspectorAgent::activateExtraDomain):
3282         * inspector/agents/InspectorConsoleAgent.cpp:
3283         (Inspector::InspectorConsoleAgent::addMessageToConsole):
3284         (Inspector::InspectorConsoleAgent::addConsoleMessage):
3285         * inspector/agents/InspectorDebuggerAgent.cpp:
3286         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3287         (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
3288         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3289         (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
3290         (Inspector::InspectorDebuggerAgent::breakProgram):
3291         * inspector/agents/InspectorHeapAgent.cpp:
3292         (Inspector::InspectorHeapAgent::didGarbageCollect):
3293         * inspector/agents/InspectorRuntimeAgent.cpp:
3294         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3295         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3296         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3297         (Inspector::InspectorScriptProfilerAgent::addEvent):
3298         (Inspector::buildInspectorObject):
3299         (Inspector::buildProfileInspectorObject):
3300         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
3301         * inspector/augmentable/AlternateDispatchableAgent.h:
3302         * inspector/scripts/codegen/cpp_generator_templates.py:
3303         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3304         (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
3305         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3306         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3307         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3308         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3309         (_generate_unchecked_setter_for_member):
3310         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3311         (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
3312         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3313         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3314         * inspector/scripts/codegen/objc_generator_templates.py:
3315         * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
3316         * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
3317         * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
3318         * inspector/scripts/tests/expected/enum-values.json-result:
3319         * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
3320         * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
3321         * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
3322         * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
3323         * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
3324         * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
3325         * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
3326         * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
3327         * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
3328         * jit/CallFrameShuffler.cpp:
3329         (JSC::CallFrameShuffler::performSafeWrites):
3330         * jit/PolymorphicCallStubRoutine.cpp:
3331         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
3332         * jit/Repatch.cpp:
3333         (JSC::tryCacheGetByID):
3334         (JSC::tryCachePutByID):
3335         (JSC::tryRepatchIn):
3336         (JSC::linkPolymorphicCall):
3337         * parser/Nodes.cpp:
3338         (JSC::ProgramNode::setClosedVariables):
3339         * parser/Parser.cpp:
3340         (JSC::Parser<LexerType>::parseInner):
3341         (JSC::Parser<LexerType>::parseFunctionInfo):
3342         * parser/Parser.h:
3343         (JSC::Parser::closedVariables):
3344         * parser/SourceProviderCache.cpp:
3345         (JSC::SourceProviderCache::add):
3346         * profiler/ProfileNode.h:
3347         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
3348         * replay/EncodedValue.cpp:
3349         (JSC::EncodedValue::get<EncodedValue>):
3350         * replay/scripts/CodeGeneratorReplayInputs.py:
3351         (Generator.generate_member_move_expression):
3352         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
3353         (Test::HandleWheelEvent::HandleWheelEvent):
3354         (JSC::InputTraits<Test::HandleWheelEvent>::decode):
3355         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
3356         (Test::MapInput::MapInput):
3357         (JSC::InputTraits<Test::MapInput>::decode):
3358         * runtime/ConsoleClient.cpp:
3359         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
3360         (JSC::ConsoleClient::logWithLevel):
3361         (JSC::ConsoleClient::clear):
3362         (JSC::ConsoleClient::dir):
3363         (JSC::ConsoleClient::dirXML):
3364         (JSC::ConsoleClient::table):
3365         (JSC::ConsoleClient::trace):
3366         (JSC::ConsoleClient::assertCondition):
3367         (JSC::ConsoleClient::group):
3368         (JSC::ConsoleClient::groupCollapsed):
3369         (JSC::ConsoleClient::groupEnd):
3370         * runtime/JSNativeStdFunction.cpp:
3371         (JSC::JSNativeStdFunction::create):
3372         * runtime/JSString.h:
3373         (JSC::jsNontrivialString):
3374         * runtime/JSStringJoiner.cpp:
3375         (JSC::JSStringJoiner::join):
3376         * runtime/JSStringJoiner.h:
3377         (JSC::JSStringJoiner::append):
3378         * runtime/NativeStdFunctionCell.cpp:
3379         (JSC::NativeStdFunctionCell::create):
3380         (JSC::NativeStdFunctionCell::NativeStdFunctionCell):
3381         * runtime/ScopedArgumentsTable.cpp:
3382         (JSC::ScopedArgumentsTable::setLength):
3383         * runtime/StructureIDTable.cpp:
3384         (JSC::StructureIDTable::resize):
3385         * runtime/TypeSet.cpp:
3386         (JSC::StructureShape::inspectorRepresentation):
3387         * runtime/WeakGCMap.h:
3388         (JSC::WeakGCMap::set):
3389         * tools/CodeProfile.h:
3390         (JSC::CodeProfile::addChild):
3391         * yarr/YarrInterpreter.cpp:
3392         (JSC::Yarr::ByteCompiler::compile):
3393         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
3394         * yarr/YarrInterpreter.h:
3395         (JSC::Yarr::BytecodePattern::BytecodePa