op_add/ValueAdd should be an IC in all JIT tiers
[WebKit.git] / Source / JavaScriptCore / ChangeLog
1 2016-07-21  Saam Barati  <sbarati@apple.com>
2
3         op_add/ValueAdd should be an IC in all JIT tiers
4         https://bugs.webkit.org/show_bug.cgi?id=159649
5
6         Reviewed by Benjamin Poulain.
7
8         This patch makes Add an IC inside all JIT tiers. It does so in a
9         simple, but effective, way. We will try to generate an int+int add
10         that will repatch itself if its type checks fail. Sometimes though,
11         we have runtime type data saying that the add won't be int+int.
12         In those cases, we will just generate a full snippet that doesn't patch itself.
13         Other times, we may generate no inline code and defer to making a C call. A lot
14         of this patch is just refactoring ResultProfile into what we're now calling ArithProfile.
15         ArithProfile does everything ResultProfile used to do, and more. It records simple type
16         data about the LHS/RHS operands it sees. This allows us to determine if an op_add
17         has only seen int+int operands, etc. ArithProfile will also contain the ResultType
18         for the LHS/RHS that the parser feeds into op_add. ArithProfile now fits into 32-bits.
19         This means instead of having a side table like we did for ResultProfile, we just
20         inject the ArithProfile into the bytecode instruction stream. This makes asking
21         for ArithProfile faster; we no longer need to lock around this operation.
22
23         The size of an Add has gone down on average, but we can still do better.
24         We still generate a lot of code because we generate calls to the slow path.
25         I think we can make this better by moving the slow path to a shared thunk
26         system. This patch mostly lays the foundation for future improvements to Add,
27         and a framework to move all other arithmetic operations to be typed-based ICs.
28
29         Here is some data I took on the average op_add/ValueAdd size on various benchmarks:
30                    |   JetStream  |  Speedometer |  Unity 3D  |
31              ------| -------------|-----------------------------
32               Old  |  189 bytes   |  169 bytes   |  192 bytes |
33              ------| -------------|-----------------------------
34               New  |  148 bytes   |  124 bytes   |  143 bytes |
35              ---------------------------------------------------
36
37         Making an arithmetic IC is now easy. The JITMathIC class will hold a snippet
38         generator as a member variable. To make a snippet an IC, you need to implement
39         a generateInline(.) method, which generates the inline IC. Then, you need to
40         generate the IC where you used to generate the snippet. When generating the
41         IC, we need to inform JITMathIC of various data like we do with StructureStubInfo.
42         We need to tell it about where the slow path starts, where the slow path call is, etc.
43         When generating a JITMathIC, it may tell you that it didn't generate any code inline.
44         This is a request to the user of JITMathIC to just generate a C call along the
45         fast path. JITMathIC may also have the snippet tell it to just generate the full
46         snippet instead of the int+int path along the fast path.
47
48         In subsequent patches, we can improve upon how we decide to generate int+int or
49         the full snippet. I tried to get clever by having double+double, double+int, int+double,
50         fast paths, but they didn't work out nearly as well as the int+int fast path. I ended up
51         generating a lot of code when I did this and ended up using more memory than just generating
52         the full snippet. There is probably some way we can be clever and generate specialized fast
53         paths that are more successful than what I tried implementing, but I think that's worth deferring
54         this to follow up patches once the JITMathIC foundation has landed.
55
56         This patch also fixes a bug inside the slow path lambdas in the DFG.
57         Before, it was not legal to emit an exception check inside them. Now,
58         it is. So it's now easy to define arbitrary late paths using the DFG
59         slow path lambda API.
60
61         * CMakeLists.txt:
62         * JavaScriptCore.xcodeproj/project.pbxproj:
63         * bytecode/ArithProfile.cpp: Added.
64         (JSC::ArithProfile::emitObserveResult):
65         (JSC::ArithProfile::shouldEmitSetDouble):
66         (JSC::ArithProfile::emitSetDouble):
67         (JSC::ArithProfile::shouldEmitSetNonNumber):
68         (JSC::ArithProfile::emitSetNonNumber):
69         (WTF::printInternal):
70         * bytecode/ArithProfile.h: Added.
71         (JSC::ObservedType::ObservedType):
72         (JSC::ObservedType::sawInt32):
73         (JSC::ObservedType::isOnlyInt32):
74         (JSC::ObservedType::sawNumber):
75         (JSC::ObservedType::isOnlyNumber):
76         (JSC::ObservedType::sawNonNumber):
77         (JSC::ObservedType::isOnlyNonNumber):
78         (JSC::ObservedType::isEmpty):
79         (JSC::ObservedType::bits):
80         (JSC::ObservedType::withInt32):
81         (JSC::ObservedType::withNumber):
82         (JSC::ObservedType::withNonNumber):
83         (JSC::ObservedType::withoutNonNumber):
84         (JSC::ObservedType::operator==):
85         (JSC::ArithProfile::ArithProfile):
86         (JSC::ArithProfile::fromInt):
87         (JSC::ArithProfile::lhsResultType):
88         (JSC::ArithProfile::rhsResultType):
89         (JSC::ArithProfile::lhsObservedType):
90         (JSC::ArithProfile::rhsObservedType):
91         (JSC::ArithProfile::setLhsObservedType):
92         (JSC::ArithProfile::setRhsObservedType):
93         (JSC::ArithProfile::tookSpecialFastPath):
94         (JSC::ArithProfile::didObserveNonInt32):
95         (JSC::ArithProfile::didObserveDouble):
96         (JSC::ArithProfile::didObserveNonNegZeroDouble):
97         (JSC::ArithProfile::didObserveNegZeroDouble):
98         (JSC::ArithProfile::didObserveNonNumber):
99         (JSC::ArithProfile::didObserveInt32Overflow):
100         (JSC::ArithProfile::didObserveInt52Overflow):
101         (JSC::ArithProfile::setObservedNonNegZeroDouble):
102         (JSC::ArithProfile::setObservedNegZeroDouble):
103         (JSC::ArithProfile::setObservedNonNumber):
104         (JSC::ArithProfile::setObservedInt32Overflow):
105         (JSC::ArithProfile::setObservedInt52Overflow):
106         (JSC::ArithProfile::addressOfBits):
107         (JSC::ArithProfile::observeResult):
108         (JSC::ArithProfile::lhsSawInt32):
109         (JSC::ArithProfile::lhsSawNumber):
110         (JSC::ArithProfile::lhsSawNonNumber):
111         (JSC::ArithProfile::rhsSawInt32):
112         (JSC::ArithProfile::rhsSawNumber):
113         (JSC::ArithProfile::rhsSawNonNumber):
114         (JSC::ArithProfile::observeLHSAndRHS):
115         (JSC::ArithProfile::bits):
116         (JSC::ArithProfile::hasBits):
117         (JSC::ArithProfile::setBit):
118         * bytecode/CodeBlock.cpp:
119         (JSC::CodeBlock::dumpRareCaseProfile):
120         (JSC::CodeBlock::dumpArithProfile):
121         (JSC::CodeBlock::dumpBytecode):
122         (JSC::CodeBlock::addStubInfo):
123         (JSC::CodeBlock::addJITAddIC):
124         (JSC::CodeBlock::findStubInfo):
125         (JSC::CodeBlock::resetJITData):
126         (JSC::CodeBlock::shrinkToFit):
127         (JSC::CodeBlock::dumpValueProfiles):
128         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
129         (JSC::CodeBlock::arithProfileForBytecodeOffset):
130         (JSC::CodeBlock::arithProfileForPC):
131         (JSC::CodeBlock::couldTakeSpecialFastCase):
132         (JSC::CodeBlock::dumpResultProfile): Deleted.
133         (JSC::CodeBlock::resultProfileForBytecodeOffset): Deleted.
134         (JSC::CodeBlock::specialFastCaseProfileCountForBytecodeOffset): Deleted.
135         (JSC::CodeBlock::ensureResultProfile): Deleted.
136         * bytecode/CodeBlock.h:
137         (JSC::CodeBlock::stubInfoBegin):
138         (JSC::CodeBlock::stubInfoEnd):
139         (JSC::CodeBlock::couldTakeSlowCase):
140         (JSC::CodeBlock::numberOfResultProfiles): Deleted.
141         * bytecode/MethodOfGettingAValueProfile.cpp:
142         (JSC::MethodOfGettingAValueProfile::emitReportValue):
143         * bytecode/MethodOfGettingAValueProfile.h:
144         (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
145         * bytecode/ValueProfile.cpp:
146         (JSC::ResultProfile::emitDetectNumericness): Deleted.
147         (JSC::ResultProfile::emitSetDouble): Deleted.
148         (JSC::ResultProfile::emitSetNonNumber): Deleted.
149         (WTF::printInternal): Deleted.
150         * bytecode/ValueProfile.h:
151         (JSC::getRareCaseProfileBytecodeOffset):
152         (JSC::ResultProfile::ResultProfile): Deleted.
153         (JSC::ResultProfile::bytecodeOffset): Deleted.
154         (JSC::ResultProfile::specialFastPathCount): Deleted.
155         (JSC::ResultProfile::didObserveNonInt32): Deleted.
156         (JSC::ResultProfile::didObserveDouble): Deleted.
157         (JSC::ResultProfile::didObserveNonNegZeroDouble): Deleted.
158         (JSC::ResultProfile::didObserveNegZeroDouble): Deleted.
159         (JSC::ResultProfile::didObserveNonNumber): Deleted.
160         (JSC::ResultProfile::didObserveInt32Overflow): Deleted.
161         (JSC::ResultProfile::didObserveInt52Overflow): Deleted.
162         (JSC::ResultProfile::setObservedNonNegZeroDouble): Deleted.
163         (JSC::ResultProfile::setObservedNegZeroDouble): Deleted.
164         (JSC::ResultProfile::setObservedNonNumber): Deleted.
165         (JSC::ResultProfile::setObservedInt32Overflow): Deleted.
166         (JSC::ResultProfile::setObservedInt52Overflow): Deleted.
167         (JSC::ResultProfile::addressOfFlags): Deleted.
168         (JSC::ResultProfile::addressOfSpecialFastPathCount): Deleted.
169         (JSC::ResultProfile::detectNumericness): Deleted.
170         (JSC::ResultProfile::hasBits): Deleted.
171         (JSC::ResultProfile::setBit): Deleted.
172         (JSC::getResultProfileBytecodeOffset): Deleted.
173         * bytecompiler/BytecodeGenerator.cpp:
174         (JSC::BytecodeGenerator::emitBinaryOp):
175         * dfg/DFGByteCodeParser.cpp:
176         (JSC::DFG::ByteCodeParser::makeSafe):
177         * dfg/DFGGraph.cpp:
178         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
179         * dfg/DFGJITCompiler.cpp:
180         (JSC::DFG::JITCompiler::exceptionCheck):
181         * dfg/DFGSlowPathGenerator.h:
182         (JSC::DFG::SlowPathGenerator::generate):
183         * dfg/DFGSpeculativeJIT.cpp:
184         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
185         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
186         (JSC::DFG::SpeculativeJIT::compileValueAdd):
187         * dfg/DFGSpeculativeJIT.h:
188         (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
189         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
190         (JSC::DFG::SpeculativeJIT::callOperation):
191         * ftl/FTLLowerDFGToB3.cpp:
192         (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
193         (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
194         * jit/CCallHelpers.h:
195         (JSC::CCallHelpers::setupArgumentsWithExecState):
196         (JSC::CCallHelpers::setupArguments):
197         * jit/JIT.h:
198         * jit/JITAddGenerator.cpp:
199         (JSC::JITAddGenerator::generateInline):
200         (JSC::JITAddGenerator::generateFastPath):
201         * jit/JITAddGenerator.h:
202         (JSC::JITAddGenerator::JITAddGenerator):
203         (JSC::JITAddGenerator::didEmitFastPath): Deleted.
204         (JSC::JITAddGenerator::endJumpList): Deleted.
205         (JSC::JITAddGenerator::slowPathJumpList): Deleted.
206         * jit/JITArithmetic.cpp:
207         (JSC::JIT::emit_op_jless):
208         (JSC::JIT::emitSlow_op_urshift):
209         (JSC::getOperandTypes):
210         (JSC::JIT::emit_op_add):
211         (JSC::JIT::emitSlow_op_add):
212         (JSC::JIT::emit_op_div):
213         (JSC::JIT::emit_op_mul):
214         (JSC::JIT::emitSlow_op_mul):
215         (JSC::JIT::emit_op_sub):
216         (JSC::JIT::emitSlow_op_sub):
217         * jit/JITDivGenerator.cpp:
218         (JSC::JITDivGenerator::generateFastPath):
219         * jit/JITDivGenerator.h:
220         (JSC::JITDivGenerator::JITDivGenerator):
221         * jit/JITInlines.h:
222         (JSC::JIT::callOperation):
223         * jit/JITMathIC.h: Added.
224         (JSC::JITMathIC::doneLocation):
225         (JSC::JITMathIC::slowPathStartLocation):
226         (JSC::JITMathIC::slowPathCallLocation):
227         (JSC::JITMathIC::generateInline):
228         (JSC::JITMathIC::generateOutOfLine):
229         (JSC::JITMathIC::finalizeInlineCode):
230         * jit/JITMathICForwards.h: Added.
231         * jit/JITMathICInlineResult.h: Added.
232         * jit/JITMulGenerator.cpp:
233         (JSC::JITMulGenerator::generateFastPath):
234         * jit/JITMulGenerator.h:
235         (JSC::JITMulGenerator::JITMulGenerator):
236         * jit/JITOperations.cpp:
237         * jit/JITOperations.h:
238         * jit/JITSubGenerator.cpp:
239         (JSC::JITSubGenerator::generateFastPath):
240         * jit/JITSubGenerator.h:
241         (JSC::JITSubGenerator::JITSubGenerator):
242         * jit/Repatch.cpp:
243         (JSC::readCallTarget):
244         (JSC::ftlThunkAwareRepatchCall):
245         (JSC::tryCacheGetByID):
246         (JSC::repatchGetByID):
247         (JSC::appropriateGenericPutByIdFunction):
248         (JSC::tryCachePutByID):
249         (JSC::repatchPutByID):
250         (JSC::tryRepatchIn):
251         (JSC::repatchIn):
252         (JSC::linkSlowFor):
253         (JSC::resetGetByID):
254         (JSC::resetPutByID):
255         (JSC::repatchCall): Deleted.
256         * jit/Repatch.h:
257         * llint/LLIntData.cpp:
258         (JSC::LLInt::Data::performAssertions):
259         * llint/LowLevelInterpreter.asm:
260         * llint/LowLevelInterpreter32_64.asm:
261         * llint/LowLevelInterpreter64.asm:
262         * parser/ResultType.h:
263         (JSC::ResultType::ResultType):
264         (JSC::ResultType::isInt32):
265         (JSC::ResultType::definitelyIsNumber):
266         (JSC::ResultType::definitelyIsString):
267         (JSC::ResultType::definitelyIsBoolean):
268         (JSC::ResultType::mightBeNumber):
269         (JSC::ResultType::isNotNumber):
270         (JSC::ResultType::forBitOp):
271         (JSC::ResultType::bits):
272         (JSC::OperandTypes::OperandTypes):
273         * runtime/CommonSlowPaths.cpp:
274         (JSC::SLOW_PATH_DECL):
275         (JSC::updateArithProfileForBinaryArithOp):
276         (JSC::updateResultProfileForBinaryArithOp): Deleted.
277         * tests/stress/op-add-exceptions.js: Added.
278         (assert):
279         (f1):
280         (f2):
281         (f3):
282         (let.oException.valueOf):
283         (foo):
284         (ident):
285         (bar):
286
287 2016-07-21  Csaba Osztrogonác  <ossy@webkit.org>
288
289         Clarify testing mode names in run-jsc-stress-tests
290         https://bugs.webkit.org/show_bug.cgi?id=160021
291
292         Reviewed by Mark Lam.
293
294         Default should mean really default, not default with disabled FTL, renamed
295         - runMozillaTestDefault to runMozillaTestNoFTL
296         - runMozillaTestDefaultFTL to runMozillaTestDefault
297         - runDefault to runNoFTL
298         - runDefaultFTL to runDefault
299         - runLayoutTestDefault to runLayoutTestNoFTL
300         - runLayoutTestDefaultFTL to runLayoutTestDefault
301         - runNoisyTestDefault to runNoisyTestNoFTL
302         - runNoisyTestDefaultFTL to runNoisyTestDefault
303
304         * tests/mozilla/mozilla-tests.yaml:
305         * tests/stress/lift-tdz-bypass-catch.js:
306         * tests/stress/obscure-error-message-dont-crash.js:
307         * tests/stress/shadow-chicken-disabled.js:
308
309 2016-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
310
311         [ES7] Introduce exponentiation expression
312         https://bugs.webkit.org/show_bug.cgi?id=159969
313
314         Reviewed by Saam Barati.
315
316         This patch implements the exponentiation expression, e.g. `x ** y`.
317         The exponentiation expression is introduced in ECMA262 2016 and ECMA262 2016
318         is already released. So this is not the draft spec.
319
320         The exponentiation expression has 2 interesting points.
321
322         1. Right associative
323
324             To follow the Math expression, ** operator is right associative.
325             When we execute `x ** y ** z`, this is handled as `x ** (y ** z)`, not `(x ** y) ** z`.
326             This patch introduces the right associativity to the binary operator and handles it
327             in the operator precedence parser in Parser.cpp.
328
329         2. LHS of the exponentiation expression is UpdateExpression
330
331             ExponentiationExpression[Yield]:
332                 UnaryExpression[?Yield]
333                 UpdateExpression[?Yield] ** ExponentiationExpression[?Yield]
334
335             As we can see, the left hand side of the ExponentiationExpression is UpdateExpression, not UnaryExpression.
336             It means that `+x ** y` becomes a syntax error. This is intentional. Without superscript in JS,
337             `-x**y` is confusing between `-(x ** y)` and `(-x) ** y`. So ECMA262 intentionally avoids UnaryExpression here.
338             If we need to use a negated value, we need to write parentheses explicitly e.g. `(-x) ** y`.
339             In this patch, we ensure that the left hand side is not an unary expression by checking an operator in
340             parseBinaryExpression. This works since `**` has the highest operator precedence in the binary operators.
341
342         We introduce a new bytecode, op_pow. That simply works as similar as the other binary operators.
343         And it is converted to ArithPow in DFG and handled in DFG and FTL.
344         In this patch, we take the approach just introducing a new bytecode instead of calling Math.pow.
345         This is because we would like to execute ToNumber in the caller side, not in the callee (Math.pow) side.
346         And we don't want to compile ** into the following.
347
348             lhsNumber = to_number (lhs)
349             rhsNumber = to_number (rhs)
350             call Math.pow(lhsNumber, rhsNumber)
351
352         We ensure that this patch passes all the test262 tests related to the exponentiation expression.
353
354         The only sensitive part to the performance is the parser changes.
355         So we measured the code-load performance and it is neutral in my x64 Linux box (hanayamata).
356
357             Collected 30 samples per benchmark/VM, with 30 VM invocations per benchmark. Emitted a call to
358             gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used
359             the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark
360             execution times with 95% confidence intervals in milliseconds.
361
362                                      baseline                  patched
363
364             closure              0.60499+-0.00250          0.60180+-0.00244
365             jquery               7.89175+-0.02433    ?     7.91287+-0.04759       ?
366
367             <geometric>          2.18499+-0.00523          2.18207+-0.00689         might be 1.0013x faster
368
369         * bytecode/BytecodeList.json:
370         * bytecode/BytecodeUseDef.h:
371         (JSC::computeUsesForBytecodeOffset):
372         (JSC::computeDefsForBytecodeOffset):
373         * bytecode/CodeBlock.cpp:
374         (JSC::CodeBlock::dumpBytecode):
375         * bytecompiler/NodesCodegen.cpp:
376         (JSC::emitReadModifyAssignment):
377         * dfg/DFGByteCodeParser.cpp:
378         (JSC::DFG::ByteCodeParser::parseBlock):
379         * dfg/DFGCapabilities.cpp:
380         (JSC::DFG::capabilityLevel):
381         * jit/JIT.cpp:
382         (JSC::JIT::privateCompileMainPass):
383         * jit/JIT.h:
384         * jit/JITArithmetic.cpp:
385         (JSC::JIT::emit_op_pow):
386         * llint/LowLevelInterpreter.asm:
387         * parser/ASTBuilder.h:
388         (JSC::ASTBuilder::operatorStackShouldReduce):
389         (JSC::ASTBuilder::makePowNode):
390         (JSC::ASTBuilder::makeMultNode):
391         (JSC::ASTBuilder::makeDivNode):
392         (JSC::ASTBuilder::makeModNode):
393         (JSC::ASTBuilder::makeSubNode):
394         (JSC::ASTBuilder::makeBinaryNode):
395         (JSC::ASTBuilder::operatorStackHasHigherPrecedence): Deleted.
396         * parser/Lexer.cpp:
397         (JSC::Lexer<T>::lex):
398         * parser/NodeConstructors.h:
399         (JSC::PowNode::PowNode):
400         * parser/Nodes.h:
401         * parser/Parser.cpp:
402         (JSC::Parser<LexerType>::parseAssignmentExpression):
403         (JSC::isUnaryOpExcludingUpdateOp):
404         (JSC::Parser<LexerType>::parseBinaryExpression):
405         (JSC::isUnaryOp): Deleted.
406         * parser/ParserTokens.h:
407         (JSC::isUpdateOp):
408         (JSC::isUnaryOp):
409         * parser/SyntaxChecker.h:
410         (JSC::SyntaxChecker::operatorStackPop):
411         * runtime/CommonSlowPaths.cpp:
412         (JSC::SLOW_PATH_DECL):
413         * runtime/CommonSlowPaths.h:
414         * tests/stress/pow-basics.js: Added.
415         (valuesAreClose):
416         (mathPowDoubleDouble1):
417         (mathPowDoubleInt1):
418         (test1):
419         (mathPowDoubleDouble2):
420         (mathPowDoubleInt2):
421         (test2):
422         (mathPowDoubleDouble3):
423         (mathPowDoubleInt3):
424         (test3):
425         (mathPowDoubleDouble4):
426         (mathPowDoubleInt4):
427         (test4):
428         (mathPowDoubleDouble5):
429         (mathPowDoubleInt5):
430         (test5):
431         (mathPowDoubleDouble6):
432         (mathPowDoubleInt6):
433         (test6):
434         (mathPowDoubleDouble7):
435         (mathPowDoubleInt7):
436         (test7):
437         (mathPowDoubleDouble8):
438         (mathPowDoubleInt8):
439         (test8):
440         (mathPowDoubleDouble9):
441         (mathPowDoubleInt9):
442         (test9):
443         (mathPowDoubleDouble10):
444         (mathPowDoubleInt10):
445         (test10):
446         (mathPowDoubleDouble11):
447         (mathPowDoubleInt11):
448         (test11):
449         * tests/stress/pow-coherency.js: Added.
450         (pow42):
451         (build42AsDouble.opaqueAdd):
452         (build42AsDouble):
453         (powDouble42):
454         (clobber):
455         (pow42NoConstantFolding):
456         (powDouble42NoConstantFolding):
457         * tests/stress/pow-evaluation-order.js: Added.
458         (shouldBe):
459         (throw.new.Error):
460         * tests/stress/pow-expects-update-expression-on-lhs.js: Added.
461         (testSyntax):
462         (testSyntaxError):
463         (throw.new.Error):
464         (let.token.of.tokens.testSyntax.pow):
465         (testSyntax.pow):
466         * tests/stress/pow-integer-exponent-fastpath.js: Added.
467         (valuesAreClose):
468         (mathPowDoubleDoubleTestExponentFifty):
469         (mathPowDoubleIntTestExponentFifty):
470         (testExponentFifty):
471         (mathPowDoubleDoubleTestExponentTenThousands):
472         (mathPowDoubleIntTestExponentTenThousands):
473         (testExponentTenThousands):
474         * tests/stress/pow-nan-behaviors.js: Added.
475         (testIntegerBaseWithNaNExponentStatic):
476         (mathPowIntegerBaseWithNaNExponentDynamic):
477         (testIntegerBaseWithNaNExponentDynamic):
478         (testFloatingPointBaseWithNaNExponentStatic):
479         (mathPowFloatingPointBaseWithNaNExponentDynamic):
480         (testFloatingPointBaseWithNaNExponentDynamic):
481         (testNaNBaseStatic):
482         (mathPowNaNBaseDynamic1):
483         (mathPowNaNBaseDynamic2):
484         (mathPowNaNBaseDynamic3):
485         (mathPowNaNBaseDynamic4):
486         (testNaNBaseDynamic):
487         (infiniteExponentsStatic):
488         (mathPowInfiniteExponentsDynamic1):
489         (mathPowInfiniteExponentsDynamic2):
490         (mathPowInfiniteExponentsDynamic3):
491         (mathPowInfiniteExponentsDynamic4):
492         (infiniteExponentsDynamic):
493         * tests/stress/pow-simple.js: Added.
494         (shouldBe):
495         (throw.new.Error):
496         * tests/stress/pow-stable-results.js: Added.
497         (opaquePow):
498         (isIdentical):
499         * tests/stress/pow-to-number-should-be-executed-in-code-side.js: Added.
500         (shouldBe):
501         (throw.new.Error):
502         * tests/stress/pow-with-constants.js: Added.
503         (exponentIsZero):
504         (testExponentIsZero):
505         (exponentIsOne):
506         (testExponentIsOne):
507         (powUsedAsSqrt):
508         (testPowUsedAsSqrt):
509         (powUsedAsOneOverSqrt):
510         (testPowUsedAsOneOverSqrt):
511         (powUsedAsSquare):
512         (testPowUsedAsSquare):
513         (intIntConstantsSmallNumbers):
514         (intIntConstantsLargeNumbers):
515         (intIntSmallConstants):
516         (intDoubleConstants):
517         (doubleDoubleConstants):
518         (doubleIntConstants):
519         (testBaseAndExponentConstantLiterals):
520         (exponentIsIntegerConstant):
521         (testExponentIsIntegerConstant):
522         (exponentIsDoubleConstant):
523         (testExponentIsDoubleConstant):
524         (exponentIsInfinityConstant):
525         (testExponentIsInfinityConstant):
526         (exponentIsNegativeInfinityConstant):
527         (testExponentIsNegativeInfinityConstant):
528         * tests/stress/pow-with-never-NaN-exponent.js: Added.
529         (exponentIsNonNanDouble1):
530         (exponentIsNonNanDouble2):
531         (testExponentIsDoubleConstant):
532         * tests/test262.yaml:
533
534 2016-07-18  Filip Pizlo  <fpizlo@apple.com>
535
536         Switching on symbols should be fast
537         https://bugs.webkit.org/show_bug.cgi?id=158892
538
539         Reviewed by Keith Miller.
540         
541         This does two things: fixes some goofs in our lowering of symbol equality and adds a new phase
542         to B3 to infer switch statements from linear chains of branches.
543         
544         This changes how we compile equality to Symbols to constant-fold the load of the Symbol's UID.
545         This is necessary for making switches on Symbols inferrable. This also gives us the ability to
546         efficiently compile strict equality comparisons of SymbolUse and UntypedUse.
547
548         This adds a new phase to B3, which finds chains of branches that test for (in)equality on the
549         same value and constants, and turns them into a Switch. This can turn O(n) code into
550         O(log n) code, or even O(1) code if the switch cases are dense.
551         
552         This can make a big difference in JS. Say you write a switch in which the case statements are
553         variable resolutions. The bytecode generator cannot use a bytecode switch in this case, since
554         we're required to evaluate the resolutions in order. But in DFG IR, we will often turn those
555         variable resolutions into constants, since we do that for any immutable singleton. This means
556         that B3 will see a chain of Branches: the else case of one Branch will point to a basic block
557         that does nothing but Branch on equality on the same value as the first Branch.
558
559         The inference algorithm is quite simple. The basic building block is the ability to summarize
560         a block's switch behavior. For a block that ends in a switch, this is just the collection of
561         switch cases. For a block that ends in a branch, we recognize Branch(Equal(value, const)),
562         Branch(NotEqual(value, const)), and Branch(value). Each of these are summarized as if they
563         were one-case switches. We infer a new switch if both some block and its sole predecessor
564         can be described as switches on the same value, nothing shady is going on (like loops), and
565         the block in question does no work other than this switch. In that case, the block is killed
566         and its cases (which we get from the summary) are added to the predecessor's switch. This
567         algorithm runs to fixpoint.
568         
569         * CMakeLists.txt:
570         * JavaScriptCore.xcodeproj/project.pbxproj:
571         * b3/B3Generate.cpp:
572         (JSC::B3::generateToAir):
573         * b3/B3InferSwitches.cpp: Added.
574         (JSC::B3::inferSwitches):
575         * b3/B3InferSwitches.h: Added.
576         * b3/B3Procedure.h:
577         (JSC::B3::Procedure::cfg):
578         * b3/B3ReduceStrength.cpp:
579         * b3/B3Value.cpp:
580         (JSC::B3::Value::performSubstitution):
581         (JSC::B3::Value::isFree):
582         (JSC::B3::Value::dumpMeta):
583         * b3/B3Value.h:
584         * ftl/FTLLowerDFGToB3.cpp:
585         (JSC::FTL::DFG::LowerDFGToB3::compileCheckIdent):
586         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
587         (JSC::FTL::DFG::LowerDFGToB3::lowSymbol):
588         (JSC::FTL::DFG::LowerDFGToB3::lowSymbolUID):
589         (JSC::FTL::DFG::LowerDFGToB3::lowNonNullObject):
590
591 2016-07-20  Filip Pizlo  <fpizlo@apple.com>
592
593         FTL snippet generators should be able to request a different register for output and input
594         https://bugs.webkit.org/show_bug.cgi?id=160010
595         rdar://problem/27439330
596
597         Reviewed by Saam Barati.
598         
599         The BitOr and BitXor snippet generators have problems if the register for the right input is
600         the same as the register for the result. We could fix those generators, but I'm not convinced
601         that the other snippet generators don't have this bug. So, the approach that this patch takes
602         is to teach the FTL to request that B3 to use a different register for the result than for
603         any input to the snippet patchpoint.
604         
605         Air already has the ability to let any instruction do an EarlyDef, which means exactly this.
606         But B3 did not expose this via ValueRep. This patch exposes this in ValueRep as
607         SomeEarlyRegister. That's most of the change.
608         
609         This adds a testb3 test for SomeEarlyRegister and a regression test for this particular
610         problem. The regression test failed on trunk JSC before this.
611
612         * b3/B3LowerToAir.cpp:
613         (JSC::B3::Air::LowerToAir::lower):
614         * b3/B3PatchpointSpecial.cpp:
615         (JSC::B3::PatchpointSpecial::forEachArg):
616         (JSC::B3::PatchpointSpecial::admitsStack):
617         * b3/B3StackmapSpecial.cpp:
618         (JSC::B3::StackmapSpecial::forEachArgImpl):
619         (JSC::B3::StackmapSpecial::isArgValidForRep):
620         * b3/B3Validate.cpp:
621         * b3/B3ValueRep.cpp:
622         (JSC::B3::ValueRep::addUsedRegistersTo):
623         (JSC::B3::ValueRep::dump):
624         (WTF::printInternal):
625         * b3/B3ValueRep.h:
626         (JSC::B3::ValueRep::ValueRep):
627         (JSC::B3::ValueRep::reg):
628         (JSC::B3::ValueRep::isAny):
629         (JSC::B3::ValueRep::isReg):
630         (JSC::B3::ValueRep::isSomeRegister): Deleted.
631         * b3/testb3.cpp:
632         * ftl/FTLLowerDFGToB3.cpp:
633         (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
634         (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
635         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
636         * tests/stress/ftl-bit-xor-right-result-interference.js: Added.
637
638 2016-07-20  Michael Saboff  <msaboff@apple.com>
639
640         CrashOnOverflow in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets
641         https://bugs.webkit.org/show_bug.cgi?id=159954
642
643         Reviewed by Benjamin Poulain.
644
645         YarrPatternConstructor::setupAlternativeOffsets() is using the checked arithmetic class
646         Checked<>, for offset calculations.  However the default use will just crash on
647         overflow.  Instead we should stop processing and propagate the error up the call stack.
648
649         Consolidated explicit error string with the common RegExp parsing error logic.
650         Moved that logic to YarrPattern as that seems like a better common place to put it.
651
652         * jit/JITOperations.cpp:
653         * llint/LLIntSlowPaths.cpp:
654         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
655         * tests/stress/regress-159954.js: New test.
656         * yarr/YarrParser.h:
657         (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
658         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
659         (JSC::Yarr::Parser::Parser):
660         (JSC::Yarr::Parser::isIdentityEscapeAnError):
661         (JSC::Yarr::Parser::parseEscape):
662         (JSC::Yarr::Parser::parseCharacterClass):
663         (JSC::Yarr::Parser::parseParenthesesBegin):
664         (JSC::Yarr::Parser::parseParenthesesEnd):
665         (JSC::Yarr::Parser::parseQuantifier):
666         (JSC::Yarr::Parser::parseTokens):
667         (JSC::Yarr::Parser::parse):
668         * yarr/YarrPattern.cpp:
669         (JSC::Yarr::YarrPatternConstructor::disjunction):
670         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
671         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
672         (JSC::Yarr::YarrPattern::errorMessage):
673         (JSC::Yarr::YarrPattern::compile):
674         * yarr/YarrPattern.h:
675         (JSC::Yarr::YarrPattern::reset):
676
677 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
678
679         The default testing mode should not involve disabling the FTL JIT
680         https://bugs.webkit.org/show_bug.cgi?id=159929
681
682         Rubber stamped by Mark Lam and Saam Barati.
683         
684         Use the new powers to make some tests run only in the default configuration (i.e. FTL,
685         concurrent JIT).
686
687         * tests/mozilla/mozilla-tests.yaml:
688
689 2016-07-19  Keith Miller  <keith_miller@apple.com>
690
691         Test262 should have a file with the revision and url
692         https://bugs.webkit.org/show_bug.cgi?id=159937
693
694         Reviewed by Mark Lam.
695
696         The file.
697
698         * tests/test262/test262-Revision.txt: Added.
699
700 2016-07-19  Anders Carlsson  <andersca@apple.com>
701
702         WebCore-7602.1.42 fails to build: error: private field 'm_vm' is not used
703         https://bugs.webkit.org/show_bug.cgi?id=159944
704         rdar://problem/27420308
705
706         Reviewed by Dan Bernstein.
707
708         Wrap the m_vm declaration and initialization in conditional guards.
709
710         * Scripts/builtins/builtins_generate_internals_wrapper_header.py:
711         (generate_members):
712         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
713         (BuiltinsInternalsWrapperImplementationGenerator.generate_constructor):
714         Add guards.
715
716         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
717         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
718         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
719         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
720         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
721         Update expected results.
722
723 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
724
725         REGRESSION (r203348-r203368): ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
726         https://bugs.webkit.org/show_bug.cgi?id=159930
727
728         Reviewed by Geoffrey Garen.
729         
730         The problem is that the 32-bit DFG can flush the scope register as an unboxed cell, but the
731         Register::scope() method was causing us to assert that it's a JSValue with proper cell
732         boxing. We could have forced the DFG to flush it as a boxed JSValue, but I don't think that
733         would have made anything better. This fixes the issue by teaching Register::scope() that it
734         might see unboxed cells.
735
736         * runtime/JSScope.h:
737         (JSC::Register::scope):
738         (JSC::ExecState::lexicalGlobalObject):
739
740 2016-07-19  Filip Pizlo  <fpizlo@apple.com>
741
742         B3 methods that mutate the successors array should take FrequentedBlock by value
743         https://bugs.webkit.org/show_bug.cgi?id=159935
744
745         Reviewed by Michael Saboff.
746         
747         This bug was found by ASan testing. setSuccessors() takes a const FrequentedBlock&, and the
748         caller that caused the ASan crash was doing:
749
750         block->setSuccessors(block->notTaken())
751
752         So, inside setSuccessors(), after we resize() the successors array, the const
753         FrequentedBlock& points to nonsense.
754
755         The fix is to pass FrequentedBlock by value in all of these kinds of methods.
756         
757         No new tests, but ASan testing catches this instantly for anything that triggers CFG
758         simplification in B3. So like half of our tests.
759
760         * b3/B3BasicBlock.cpp:
761         (JSC::B3::BasicBlock::clearSuccessors):
762         (JSC::B3::BasicBlock::appendSuccessor):
763         (JSC::B3::BasicBlock::setSuccessors):
764         * b3/B3BasicBlock.h:
765         (JSC::B3::BasicBlock::successors):
766         (JSC::B3::BasicBlock::successorBlock):
767         * b3/B3Value.cpp:
768         (JSC::B3::Value::replaceWithPhi):
769         (JSC::B3::Value::replaceWithJump):
770         (JSC::B3::Value::replaceWithOops):
771         * b3/B3Value.h:
772
773 2016-07-18  Joseph Pecoraro  <pecoraro@apple.com>
774
775         Make builtin TypeErrors consistent
776         https://bugs.webkit.org/show_bug.cgi?id=159899
777
778         Reviewed by Keith Miller.
779
780         Converge on the single TypeError for non-coercible this objects in builtins.
781         Also update some other style to be more consistent with-in builtins.
782
783         * builtins/ArrayIteratorPrototype.js:
784         (next):
785         * builtins/ArrayPrototype.js:
786         (values):
787         (keys):
788         (entries):
789         (reduce):
790         (reduceRight):
791         (every):
792         (forEach):
793         (filter):
794         (map):
795         (some):
796         (fill):
797         (find):
798         (findIndex):
799         (includes):
800         (sort):
801         (concatSlowPath):
802         (copyWithin):
803         * builtins/StringPrototype.js:
804         (match):
805         (repeat):
806         (padStart):
807         (padEnd):
808         (intrinsic.StringPrototypeReplaceIntrinsic.replace):
809         (localeCompare):
810         (search):
811         (split):
812         * tests/es6/String.prototype_methods_String.prototype.padEnd.js:
813         * tests/es6/String.prototype_methods_String.prototype.padStart.js:
814         * tests/stress/array-iterators-next-error-messages.js:
815         (catch):
816         * tests/stress/array-iterators-next-with-call.js:
817         * tests/stress/regexp-match.js:
818         (shouldThrow):
819         * tests/stress/regexp-search.js:
820         (shouldThrow):
821
822 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
823
824         Implement table-based switches in B3/Air
825         https://bugs.webkit.org/show_bug.cgi?id=151141
826
827         Reviewed by Benjamin Poulain.
828
829         If a switch statement gets large, it's better to express it as an indirect jump rather than
830         using a binary switch (divide-and-conquer tree of comparisons leading to O(log n) branches to
831         get to the switch case). When dealing with integer switches, FTL will already use the B3
832         Switch and expect this to get lowered as efficiently as possible; it's a bug that B3 will
833         always use a binary switch rather than indirect jumps. When dealing with switches over some
834         more sophisticated types, we'd want FTL to build an indirect jump table itself and use
835         something like a hashtable to feed it. In that case, there will be no B3 Switch; we'll want
836         some way for the FTL to directly express an indirection jump when emitting B3.
837         
838         This implies that we want B3 to have the ability to lower Switch to indirect jumps and to
839         expose those indirect jumps in IR so that the FTL could do its own indirect jumps for
840         switches over more complicated things like strings. But indirect jumps are tough to express
841         in IR. For example, the LLVM approach ("indirectbr" and "blockaddress", see
842         http://blog.llvm.org/2010/01/address-of-label-and-indirect-branches.html) means that some
843         control flow edges cannot be split. Indirectbr takes an address as input and jumps to it, and
844         blockaddress lets you build jump tables out of basic block addresses. This means that the
845         compiler can never change any successor of an indirectbr, since the client will have already
846         arranged for that indirectbr to jump to exactly those successors. We don't want such
847         restrictions in B3, since B3 relies on being able to break critical edges for SSA conversion.
848         Also, indirectbr is not cloneable, which would break any hope of doing specialization-based
849         transformations like we want to do for multiple entrypoints (bug 159391). The goal of this
850         change is to let clients do indirect jumps without placing any restrictions on IR.
851         
852         The trick is to allow Patchpoints to be used as block terminals. Patchpoints already allow
853         clients of B3 to emit whatever code they like. Patchpoints are friendly to B3's other
854         transformations because the client of the patchpoint has to play along with whatever
855         decisions B3 had made around the patchpoint: what registers got used, what the control flow
856         looks like, etc. Patchpoints can even be cloned by B3, and the client has to accommodate this
857         in their patchpoint generator. It turns out that using Patchpoints as terminals is quite
858         natural. We accomplish this by moving the successor edges out of ControlValue and into
859         BasicBlock, and removing ControlValue entirely. This way, any Value subclass can be a
860         terminal. It was already true that a Value is a terminal if value->effects().terminal, which
861         works great with Patchpoints since they control their effects via PatchpointValue::effects.
862         You can make your Patchpoint into a terminal by placing it at the end of a block and doing:
863         
864         patchpoint->effects.terminal = true;
865         
866         A Patchpoints in terminal position gets access to additional API in StackmapGenerationParams.
867         The generator can get a Box<Label> for each successor to its owning block. For example, to
868         implement a jump-table-based switch, you would make your patchpoint take the table index as
869         its sole input. Inside the generator, you allocate the jump table and emit a BaseIndex jump
870         that uses the jump table pointer (which will be a constant known to the generator since it
871         just allocated it) as the base and the patchpoint input as an index. The jump table can be
872         populated by MacroAssemblerCodePtr's computed by installing a link task to resolve the labels
873         to concrete locations. This change makes LowerMacros do such a lowering for Switches that can
874         benefit from jump tables. This happens recursively: if the original Switch is too sparse, we
875         will divide-and-conquer as before. If at any recursion step we find that the remaining cases
876         are dense and large enough to profit from a jump table, then those cases will be lowered to a
877         Patchpoint that does the table jump. This is a fun way to do stepwise lowering: LowerMacros
878         is essentially pre-lowering the Switch directly to machine code, and wrapping that machine
879         code in a Patchpoint so that the rest of the compiler doesn't have to know anything about
880         what happened. I suspect that in the future we will want to do other pre-lowerings this way,
881         whenever the B3 IR phases have some special knowledge about what machine code should be
882         emitted and it would be annoying to drag that knowledge through the rest of the compiler.
883         
884         One downside of this change is that we used ControlValue in so many places. Most of this
885         patch involves removing references to ControlValue. It would be less than 100kb if it wasn't
886         for that. To make this a bit easier, I added "appendNewControlValue" methods to BasicBlock,
887         which allocate a Value and set the successors as if you had done "appendNew<ControlValue>".
888         This made for an easy search-and-replace in testb3 and FTLOutput. I filed bug 159440 to
889         remove this ugly stopgap method.
890         
891         I think that we will also end up using this facility to extend our use of snippets. We
892         already use shared snippet generators for the generic forms of arithmetic. We will probably
893         also want to do this for generic forms of branches. This wouldn't have been possible prior to
894         this change, since there would have been no way to emit a control snippet in FTL. Now we can
895         emit control snippets using terminal patchpoints.
896
897         This is a ~30% speed-up on microbenchmarks that have big switch statements (~60 cases). It's
898         not a speed-up on mainstream benchmarks.
899         
900         This also adds a new test to testb3 for terminal Patchpoints, Get, and Set. The FTL does not
901         currently use terminal Patchpoints directly, but we want this to be possible. It also doesn't
902         use Get/Set directly even though we want this to be possible. It's important to test these
903         since opcodes that result from lowering don't affect early phases, so we could have
904         regressions in early phases related to these opcodes that wouldn't be caught by any JS test.
905         So, this adds a very basic threaded interpreter to testb3 for a Brainfuck-style language, and
906         tests it by having it run a program that prints the numbers 1..100 in a loop. Unlike a real
907         threaded interpreter, it uses a common dispatch block rather than having dispatch at the
908         terminus of each opcode. That's necessary because PolyJump is not cloneable. The state of the
909         interpreter is represented using Variables that we Get and Set, so it tests Get/Set as well.
910
911         * CMakeLists.txt:
912         * JavaScriptCore.xcodeproj/project.pbxproj:
913         * assembler/MacroAssemblerARM64.h:
914         (JSC::MacroAssemblerARM64::jump):
915         * assembler/MacroAssemblerX86Common.h:
916         (JSC::MacroAssemblerX86Common::jump):
917         * assembler/X86Assembler.h:
918         (JSC::X86Assembler::jmp_m):
919         * b3/B3BasicBlock.cpp:
920         (JSC::B3::BasicBlock::append):
921         (JSC::B3::BasicBlock::appendNonTerminal):
922         (JSC::B3::BasicBlock::removeLast):
923         (JSC::B3::BasicBlock::appendIntConstant):
924         (JSC::B3::BasicBlock::clearSuccessors):
925         (JSC::B3::BasicBlock::appendSuccessor):
926         (JSC::B3::BasicBlock::setSuccessors):
927         (JSC::B3::BasicBlock::replaceSuccessor):
928         (JSC::B3::BasicBlock::addPredecessor):
929         (JSC::B3::BasicBlock::deepDump):
930         (JSC::B3::BasicBlock::appendNewControlValue):
931         * b3/B3BasicBlock.h:
932         (JSC::B3::BasicBlock::numSuccessors):
933         (JSC::B3::BasicBlock::successor):
934         (JSC::B3::BasicBlock::successors):
935         (JSC::B3::BasicBlock::successorBlock):
936         (JSC::B3::BasicBlock::successorBlocks):
937         (JSC::B3::BasicBlock::numPredecessors):
938         (JSC::B3::BasicBlock::predecessor):
939         (JSC::B3::BasicBlock::frequency):
940         * b3/B3BasicBlockInlines.h:
941         (JSC::B3::BasicBlock::replaceLastWithNew):
942         (JSC::B3::BasicBlock::taken):
943         (JSC::B3::BasicBlock::notTaken):
944         (JSC::B3::BasicBlock::fallThrough):
945         (JSC::B3::BasicBlock::numSuccessors): Deleted.
946         (JSC::B3::BasicBlock::successor): Deleted.
947         (JSC::B3::BasicBlock::successors): Deleted.
948         (JSC::B3::BasicBlock::successorBlock): Deleted.
949         (JSC::B3::BasicBlock::successorBlocks): Deleted.
950         * b3/B3BlockInsertionSet.cpp:
951         (JSC::B3::BlockInsertionSet::splitForward):
952         * b3/B3BreakCriticalEdges.cpp:
953         (JSC::B3::breakCriticalEdges):
954         * b3/B3CaseCollection.cpp: Added.
955         (JSC::B3::CaseCollection::dump):
956         * b3/B3CaseCollection.h: Added.
957         (JSC::B3::CaseCollection::CaseCollection):
958         (JSC::B3::CaseCollection::operator[]):
959         (JSC::B3::CaseCollection::iterator::iterator):
960         (JSC::B3::CaseCollection::iterator::operator*):
961         (JSC::B3::CaseCollection::iterator::operator++):
962         (JSC::B3::CaseCollection::iterator::operator==):
963         (JSC::B3::CaseCollection::iterator::operator!=):
964         (JSC::B3::CaseCollection::begin):
965         (JSC::B3::CaseCollection::end):
966         * b3/B3CaseCollectionInlines.h: Added.
967         (JSC::B3::CaseCollection::fallThrough):
968         (JSC::B3::CaseCollection::size):
969         (JSC::B3::CaseCollection::at):
970         * b3/B3CheckSpecial.cpp:
971         (JSC::B3::CheckSpecial::CheckSpecial):
972         (JSC::B3::CheckSpecial::hiddenBranch):
973         * b3/B3Common.h:
974         (JSC::B3::is64Bit):
975         * b3/B3ControlValue.cpp: Removed.
976         * b3/B3ControlValue.h: Removed.
977         * b3/B3DataSection.cpp:
978         (JSC::B3::DataSection::DataSection):
979         * b3/B3DuplicateTails.cpp:
980         * b3/B3FixSSA.cpp:
981         * b3/B3FoldPathConstants.cpp:
982         * b3/B3LowerMacros.cpp:
983         * b3/B3LowerToAir.cpp:
984         (JSC::B3::Air::LowerToAir::run):
985         (JSC::B3::Air::LowerToAir::lower):
986         * b3/B3MathExtras.cpp:
987         (JSC::B3::powDoubleInt32):
988         * b3/B3Opcode.h:
989         (JSC::B3::isConstant):
990         (JSC::B3::isDefinitelyTerminal):
991         * b3/B3PatchpointSpecial.cpp:
992         (JSC::B3::PatchpointSpecial::generate):
993         (JSC::B3::PatchpointSpecial::isTerminal):
994         (JSC::B3::PatchpointSpecial::dumpImpl):
995         * b3/B3PatchpointSpecial.h:
996         * b3/B3Procedure.cpp:
997         (JSC::B3::Procedure::resetReachability):
998         * b3/B3Procedure.h:
999         (JSC::B3::Procedure::lastPhaseName):
1000         (JSC::B3::Procedure::byproducts):
1001         * b3/B3ReduceStrength.cpp:
1002         * b3/B3StackmapGenerationParams.cpp:
1003         (JSC::B3::StackmapGenerationParams::unavailableRegisters):
1004         (JSC::B3::StackmapGenerationParams::successorLabels):
1005         (JSC::B3::StackmapGenerationParams::fallsThroughToSuccessor):
1006         (JSC::B3::StackmapGenerationParams::proc):
1007         * b3/B3StackmapGenerationParams.h:
1008         (JSC::B3::StackmapGenerationParams::gpScratch):
1009         (JSC::B3::StackmapGenerationParams::fpScratch):
1010         * b3/B3SwitchValue.cpp:
1011         (JSC::B3::SwitchValue::~SwitchValue):
1012         (JSC::B3::SwitchValue::removeCase):
1013         (JSC::B3::SwitchValue::hasFallThrough):
1014         (JSC::B3::SwitchValue::setFallThrough):
1015         (JSC::B3::SwitchValue::appendCase):
1016         (JSC::B3::SwitchValue::dumpSuccessors):
1017         (JSC::B3::SwitchValue::dumpMeta):
1018         (JSC::B3::SwitchValue::cloneImpl):
1019         (JSC::B3::SwitchValue::SwitchValue):
1020         * b3/B3SwitchValue.h:
1021         (JSC::B3::SwitchValue::accepts):
1022         (JSC::B3::SwitchValue::caseValues):
1023         (JSC::B3::SwitchValue::cases):
1024         (JSC::B3::SwitchValue::fallThrough): Deleted.
1025         (JSC::B3::SwitchValue::size): Deleted.
1026         (JSC::B3::SwitchValue::at): Deleted.
1027         (JSC::B3::SwitchValue::operator[]): Deleted.
1028         (JSC::B3::SwitchValue::iterator::iterator): Deleted.
1029         (JSC::B3::SwitchValue::iterator::operator*): Deleted.
1030         (JSC::B3::SwitchValue::iterator::operator++): Deleted.
1031         (JSC::B3::SwitchValue::iterator::operator==): Deleted.
1032         (JSC::B3::SwitchValue::iterator::operator!=): Deleted.
1033         (JSC::B3::SwitchValue::begin): Deleted.
1034         (JSC::B3::SwitchValue::end): Deleted.
1035         * b3/B3Validate.cpp:
1036         * b3/B3Value.cpp:
1037         (JSC::B3::Value::replaceWithPhi):
1038         (JSC::B3::Value::replaceWithJump):
1039         (JSC::B3::Value::replaceWithOops):
1040         (JSC::B3::Value::dump):
1041         (JSC::B3::Value::deepDump):
1042         (JSC::B3::Value::dumpSuccessors):
1043         (JSC::B3::Value::negConstant):
1044         (JSC::B3::Value::typeFor):
1045         * b3/B3Value.h:
1046         * b3/air/AirCode.cpp:
1047         (JSC::B3::Air::Code::addFastTmp):
1048         (JSC::B3::Air::Code::addDataSection):
1049         (JSC::B3::Air::Code::jsHash):
1050         * b3/air/AirCode.h:
1051         (JSC::B3::Air::Code::isFastTmp):
1052         (JSC::B3::Air::Code::setLastPhaseName):
1053         * b3/air/AirCustom.h:
1054         (JSC::B3::Air::PatchCustom::shouldTryAliasingDef):
1055         (JSC::B3::Air::PatchCustom::isTerminal):
1056         (JSC::B3::Air::PatchCustom::hasNonArgNonControlEffects):
1057         (JSC::B3::Air::PatchCustom::generate):
1058         (JSC::B3::Air::CCallCustom::admitsStack):
1059         (JSC::B3::Air::CCallCustom::isTerminal):
1060         (JSC::B3::Air::CCallCustom::hasNonArgNonControlEffects):
1061         (JSC::B3::Air::ShuffleCustom::admitsStack):
1062         (JSC::B3::Air::ShuffleCustom::isTerminal):
1063         (JSC::B3::Air::ShuffleCustom::hasNonArgNonControlEffects):
1064         * b3/air/AirGenerate.cpp:
1065         (JSC::B3::Air::generate):
1066         * b3/air/AirGenerationContext.h:
1067         * b3/air/AirInst.h:
1068         (JSC::B3::Air::Inst::hasNonControlEffects):
1069         * b3/air/AirSimplifyCFG.cpp:
1070         (JSC::B3::Air::simplifyCFG):
1071         * b3/air/AirSpecial.cpp:
1072         (JSC::B3::Air::Special::shouldTryAliasingDef):
1073         (JSC::B3::Air::Special::isTerminal):
1074         (JSC::B3::Air::Special::hasNonArgNonControlEffects):
1075         * b3/air/AirSpecial.h:
1076         * b3/air/AirValidate.cpp:
1077         * b3/air/opcode_generator.rb:
1078         * b3/testb3.cpp:
1079         * ftl/FTLLowerDFGToB3.cpp:
1080         * ftl/FTLOutput.cpp:
1081         (JSC::FTL::Output::jump):
1082         (JSC::FTL::Output::branch):
1083         (JSC::FTL::Output::ret):
1084         (JSC::FTL::Output::unreachable):
1085         (JSC::FTL::Output::speculate):
1086         (JSC::FTL::Output::trap):
1087         (JSC::FTL::Output::anchor):
1088         (JSC::FTL::Output::decrementSuperSamplerCount):
1089         (JSC::FTL::Output::addIncomingToPhi):
1090         * ftl/FTLOutput.h:
1091         (JSC::FTL::Output::constIntPtr):
1092         (JSC::FTL::Output::callWithoutSideEffects):
1093         (JSC::FTL::Output::switchInstruction):
1094         (JSC::FTL::Output::phi):
1095         (JSC::FTL::Output::addIncomingToPhi):
1096
1097 2016-07-18  Anders Carlsson  <andersca@apple.com>
1098
1099         WebKit nightly fails to build on macOS Sierra
1100         https://bugs.webkit.org/show_bug.cgi?id=159902
1101         rdar://problem/27365672
1102
1103         Reviewed by Tim Horton.
1104
1105         * icu/unicode/ucurr.h: Added.
1106         Add ucurr.h from ICU.
1107
1108 2016-07-18  Michael Saboff  <msaboff@apple.com>
1109
1110         ASSERTION FAILED: : (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) -- WTF/wtf/DateMath.cpp
1111         https://bugs.webkit.org/show_bug.cgi?id=159883
1112
1113         Reviewed by Filip Pizlo.
1114
1115         New test.
1116
1117         * tests/stress/regress-159883.js: Added.
1118
1119 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
1120
1121         MarkedBlocks should know that they can be used for more than JSCells
1122         https://bugs.webkit.org/show_bug.cgi?id=159643
1123
1124         Reviewed by Geoffrey Garen.
1125         
1126         This teaches the Heap that a MarkedBlock may hold either JSCells, or Auxiliary, which is
1127         not a JSCell. It teaches the heap and all of the things that walk the heap to ignore
1128         non-JSCells whenever they are looking for global objects, JSObjects, and things to trace
1129         for debugging or profiling. The idea is that we will be able to allocate butterflies and
1130         typed array backing stores as Auxiliary in MarkedSpace rather than allocating those things
1131         in CopiedSpace. That's what bug 159658 is all about.
1132         
1133         This gives us a new type, called HeapCell, which is just meant to be a class distinct from
1134         JSCell or any type we would use for Auxiliary. For convenience, JSCell is a subclass of
1135         HeapCell. HeapCell has an enum called HeapCell::Kind, which is either HeapCell::JSCell or
1136         HeapCell::Auxiliary. MarkedSpace no longer speaks of JSCells directly except when dealing
1137         with destruction.
1138         
1139         This change required doing a lot of stuff to all of those functor callbacks, since they
1140         now take HeapCell* instead of JSCell* and they take an extra HeapCell::Kind argument to
1141         tell them if they are dealing with JSCells or Auxiliary. I figured that this would be as
1142         good a time as any to convert those functors to being lambda-compatible. This means that
1143         operator() must be const. In some cases, converting the operator() to be const would have
1144         taken more work than just turning the whole thing into a lambda. Whenever this was the
1145         case, I converted the code to use lambdas. I left a lot of functors alone. In cases where
1146         the functor would benefit from being a lambda, for example because it would get rid of
1147         const_casts or mutables, I put in a FIXME referencing bug 159644.
1148
1149         * CMakeLists.txt:
1150         * JavaScriptCore.xcodeproj/project.pbxproj:
1151         * debugger/Debugger.cpp:
1152         (JSC::Debugger::SetSteppingModeFunctor::SetSteppingModeFunctor):
1153         (JSC::Debugger::SetSteppingModeFunctor::operator()):
1154         (JSC::Debugger::ToggleBreakpointFunctor::ToggleBreakpointFunctor):
1155         (JSC::Debugger::ToggleBreakpointFunctor::operator()):
1156         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::ClearCodeBlockDebuggerRequestsFunctor):
1157         (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator()):
1158         (JSC::Debugger::ClearDebuggerRequestsFunctor::ClearDebuggerRequestsFunctor):
1159         (JSC::Debugger::ClearDebuggerRequestsFunctor::operator()):
1160         * heap/CodeBlockSet.h:
1161         (JSC::CodeBlockSet::iterate):
1162         * heap/HandleSet.h:
1163         (JSC::HandleNode::next):
1164         (JSC::HandleSet::forEachStrongHandle):
1165         * heap/Heap.cpp:
1166         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
1167         (JSC::GatherHeapSnapshotData::operator()):
1168         (JSC::RemoveDeadHeapSnapshotNodes::RemoveDeadHeapSnapshotNodes):
1169         (JSC::RemoveDeadHeapSnapshotNodes::operator()):
1170         (JSC::Heap::protectedGlobalObjectCount):
1171         (JSC::Heap::globalObjectCount):
1172         (JSC::Heap::protectedObjectCount):
1173         (JSC::Heap::protectedObjectTypeCounts):
1174         (JSC::Heap::objectTypeCounts):
1175         (JSC::Heap::deleteAllCodeBlocks):
1176         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
1177         (JSC::MarkedBlockSnapshotFunctor::operator()):
1178         (JSC::Zombify::visit):
1179         (JSC::Zombify::operator()):
1180         (JSC::Heap::zombifyDeadObjects):
1181         (JSC::Heap::flushWriteBarrierBuffer):
1182         * heap/Heap.h:
1183         (JSC::Heap::handleSet):
1184         (JSC::Heap::handleStack):
1185         * heap/HeapCell.cpp: Added.
1186         (WTF::printInternal):
1187         * heap/HeapCell.h: Added.
1188         (JSC::HeapCell::HeapCell):
1189         (JSC::HeapCell::zap):
1190         (JSC::HeapCell::isZapped):
1191         * heap/HeapInlines.h:
1192         (JSC::Heap::deprecatedReportExtraMemory):
1193         (JSC::Heap::forEachCodeBlock):
1194         (JSC::Heap::forEachProtectedCell):
1195         (JSC::Heap::allocateWithDestructor):
1196         * heap/HeapStatistics.cpp:
1197         (JSC::StorageStatistics::visit):
1198         (JSC::StorageStatistics::operator()):
1199         * heap/HeapVerifier.cpp:
1200         (JSC::GatherLiveObjFunctor::visit):
1201         (JSC::GatherLiveObjFunctor::operator()):
1202         * heap/MarkedAllocator.cpp:
1203         (JSC::MarkedAllocator::allocateBlock):
1204         (JSC::MarkedAllocator::addBlock):
1205         (JSC::MarkedAllocator::reset):
1206         (JSC::MarkedAllocator::lastChanceToFinalize):
1207         (JSC::LastChanceToFinalize::operator()): Deleted.
1208         * heap/MarkedAllocator.h:
1209         (JSC::MarkedAllocator::takeLastActiveBlock):
1210         (JSC::MarkedAllocator::resumeAllocating):
1211         (JSC::MarkedAllocator::forEachBlock):
1212         * heap/MarkedBlock.cpp:
1213         (JSC::MarkedBlock::create):
1214         (JSC::MarkedBlock::destroy):
1215         (JSC::MarkedBlock::MarkedBlock):
1216         (JSC::MarkedBlock::callDestructor):
1217         (JSC::MarkedBlock::specializedSweep):
1218         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
1219         (JSC::SetNewlyAllocatedFunctor::operator()):
1220         (JSC::MarkedBlock::stopAllocating):
1221         (JSC::MarkedBlock::didRetireBlock):
1222         * heap/MarkedBlock.h:
1223         (JSC::MarkedBlock::CountFunctor::CountFunctor):
1224         (JSC::MarkedBlock::CountFunctor::count):
1225         (JSC::MarkedBlock::CountFunctor::returnValue):
1226         (JSC::MarkedBlock::needsDestruction):
1227         (JSC::MarkedBlock::cellKind):
1228         (JSC::MarkedBlock::size):
1229         (JSC::MarkedBlock::clearNewlyAllocated):
1230         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
1231         (JSC::MarkedBlock::isLive):
1232         (JSC::MarkedBlock::isLiveCell):
1233         (JSC::MarkedBlock::forEachCell):
1234         (JSC::MarkedBlock::forEachLiveCell):
1235         (JSC::MarkedBlock::forEachDeadCell):
1236         * heap/MarkedSpace.cpp:
1237         (JSC::MarkedSpace::MarkedSpace):
1238         (JSC::MarkedSpace::~MarkedSpace):
1239         (JSC::MarkedSpace::lastChanceToFinalize):
1240         (JSC::MarkedSpace::sweep):
1241         (JSC::MarkedSpace::zombifySweep):
1242         (JSC::MarkedSpace::resetAllocators):
1243         (JSC::MarkedSpace::visitWeakSets):
1244         (JSC::MarkedSpace::reapWeakSets):
1245         (JSC::MarkedSpace::forEachAllocator):
1246         (JSC::MarkedSpace::stopAllocating):
1247         (JSC::MarkedSpace::resumeAllocating):
1248         (JSC::MarkedSpace::isPagedOut):
1249         (JSC::MarkedSpace::shrink):
1250         (JSC::clearNewlyAllocatedInBlock):
1251         (JSC::MarkedSpace::clearNewlyAllocated):
1252         (JSC::MarkedSpace::clearMarks):
1253         (JSC::Free::Free): Deleted.
1254         (JSC::Free::operator()): Deleted.
1255         (JSC::FreeOrShrink::FreeOrShrink): Deleted.
1256         (JSC::FreeOrShrink::operator()): Deleted.
1257         (JSC::VisitWeakSet::VisitWeakSet): Deleted.
1258         (JSC::VisitWeakSet::operator()): Deleted.
1259         (JSC::ReapWeakSet::operator()): Deleted.
1260         (JSC::LastChanceToFinalize::operator()): Deleted.
1261         (JSC::StopAllocatingFunctor::operator()): Deleted.
1262         (JSC::ResumeAllocatingFunctor::operator()): Deleted.
1263         (JSC::ClearNewlyAllocated::operator()): Deleted.
1264         (JSC::VerifyNewlyAllocated::operator()): Deleted.
1265         * heap/MarkedSpace.h:
1266         (JSC::MarkedSpace::forEachLiveCell):
1267         (JSC::MarkedSpace::forEachDeadCell):
1268         (JSC::MarkedSpace::allocatorFor):
1269         (JSC::MarkedSpace::allocateWithDestructor):
1270         (JSC::MarkedSpace::forEachBlock):
1271         (JSC::MarkedSpace::didAddBlock):
1272         (JSC::MarkedSpace::objectCount):
1273         (JSC::MarkedSpace::size):
1274         (JSC::MarkedSpace::capacity):
1275         (JSC::ClearMarks::operator()): Deleted.
1276         (JSC::Sweep::operator()): Deleted.
1277         (JSC::ZombifySweep::operator()): Deleted.
1278         (JSC::MarkCount::operator()): Deleted.
1279         (JSC::Size::operator()): Deleted.
1280         * runtime/JSCell.h:
1281         (JSC::JSCell::zap): Deleted.
1282         (JSC::JSCell::isZapped): Deleted.
1283         * runtime/JSCellInlines.h:
1284         (JSC::allocateCell):
1285         (JSC::JSCell::isObject):
1286         (JSC::isZapped): Deleted.
1287         * runtime/JSGlobalObject.cpp:
1288         * tools/JSDollarVMPrototype.cpp:
1289         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
1290         (JSC::CellAddressCheckFunctor::operator()):
1291
1292 2016-07-18  Filip Pizlo  <fpizlo@apple.com>
1293
1294         Repeatedly creating and destroying workers that enqueue DFG plans can outpace the DFG worklist, which then causes VM shutdown to stall, which then causes memory growth
1295         https://bugs.webkit.org/show_bug.cgi?id=159754
1296
1297         Reviewed by Geoffrey Garen.
1298         
1299         If you create and destroy workers at a high rate and those workers enqueue some DFG plans
1300         that are still not compiled at the time that the worker is closed, then the closed workers
1301         end up stalling in VM::~VM waiting for the DFG worklist thread to finish those plans. Since
1302         we don't actually cancel the plans, it's easy to create a situation where the workers
1303         outpace the DFG worklist, especially if you create many workers at a time and each one
1304         finishes just after enqueueing those plans.
1305         
1306         The solution is to allow VM::~VM to remove plans from the DFG worklist that are related to
1307         that VM but aren't currently being worked on. That turns out to be an easy change.
1308         
1309         I have a test that repros this, but it's quite long-running. I call it workers/bomb.html. We
1310         may want to exclude it from test runs because of how long it takes.
1311
1312         * dfg/DFGWorklist.cpp:
1313         (JSC::DFG::Worklist::removeDeadPlans):
1314         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
1315         (JSC::DFG::Worklist::queueLength):
1316         (JSC::DFG::Worklist::runThread):
1317         * dfg/DFGWorklist.h:
1318         * runtime/VM.cpp:
1319         (JSC::VM::~VM):
1320
1321 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
1322
1323         Object.preventExtensions/seal/freeze makes code much slower
1324         https://bugs.webkit.org/show_bug.cgi?id=143247
1325
1326         Reviewed by Michael Saboff.
1327         
1328         This has been a huge pet peeve of mine for a long time, but I was always afraid of fixing
1329         it because I thought that it would be hard. Well, it looks like it's not hard at all.
1330         
1331         The problem is that you cannot mutate a structure that participates in transition caching.
1332         You can only clone the structure and mutate that one. But if you do this, you have to make
1333         a hard choice:
1334         
1335         1) Clone the structure without caching the transition. This is what the code did before
1336            this change. It's the most obvious choice, but it introduces an uncacheable transition
1337            that leads to an explosion of structures, which then breaks all inline caches.
1338         
1339         2) Perform one of the existing cacheable transitions. Cacheable transitions can either add
1340            properties or they can do one of the NonPropertyTransitions, which until now have been
1341            restricted to just IndexingType transitions. So, only adding transitions or making
1342            certain prescribed changes to the indexing type count as cacheable transitions.
1343         
1344         This change decouples NonPropertyTransition from IndexingType and adds three new kinds of
1345         transitions: PreventExtensions, Seal, and Freeze. We have to give any cacheable transition
1346         a name that fully disambiguates this transition from any other, so that the transition can
1347         be cached. Since we're already giving them names in an enum, I figured that the most
1348         pragmatic way to implement them is to have Structure::nonPropertyTransition() case on the
1349         NonPropertyTransition and implement all of the mutations associated with that transition.
1350         The alternative would have been to allow callers of nonPropertyTransition() to supply
1351         something like a lambda that describes the mutation, but this seemed awkward since each
1352         set of mutations has to anyway be tied to one of the NonPropertyTransition members.
1353         
1354         This is an enormous speed-up on microbenchmarks that use Object.preventExtensions(),
1355         Object.seal(), or Object.freeze(). I don't know if "real" benchmarks use these features
1356         and I don't really care. This should be fast.
1357
1358         * runtime/JSObject.cpp:
1359         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
1360         (JSC::JSObject::createInitialUndecided):
1361         (JSC::JSObject::createInitialInt32):
1362         (JSC::JSObject::createInitialDouble):
1363         (JSC::JSObject::createInitialContiguous):
1364         (JSC::JSObject::convertUndecidedToInt32):
1365         (JSC::JSObject::convertUndecidedToDouble):
1366         (JSC::JSObject::convertUndecidedToContiguous):
1367         (JSC::JSObject::convertInt32ToDouble):
1368         (JSC::JSObject::convertInt32ToContiguous):
1369         (JSC::JSObject::convertDoubleToContiguous):
1370         (JSC::JSObject::switchToSlowPutArrayStorage):
1371         * runtime/Structure.cpp:
1372         (JSC::Structure::suggestedArrayStorageTransition):
1373         (JSC::Structure::addPropertyTransition):
1374         (JSC::Structure::toUncacheableDictionaryTransition):
1375         (JSC::Structure::sealTransition):
1376         (JSC::Structure::freezeTransition):
1377         (JSC::Structure::preventExtensionsTransition):
1378         (JSC::Structure::takePropertyTableOrCloneIfPinned):
1379         (JSC::Structure::nonPropertyTransition):
1380         (JSC::Structure::pin):
1381         (JSC::Structure::pinForCaching):
1382         (JSC::Structure::allocateRareData):
1383         * runtime/Structure.h:
1384         * runtime/StructureTransitionTable.h:
1385         (JSC::toAttributes):
1386         (JSC::changesIndexingType):
1387         (JSC::newIndexingType):
1388         (JSC::preventsExtensions):
1389         (JSC::setsDontDeleteOnAllProperties):
1390         (JSC::setsReadOnlyOnAllProperties):
1391
1392 2016-07-17  Filip Pizlo  <fpizlo@apple.com>
1393
1394         RegisterSet should use a Bitmap instead of a BitVector so that it never allocates memory and is trivial to copy
1395         https://bugs.webkit.org/show_bug.cgi?id=159863
1396
1397         Reviewed by Saam Barati.
1398         
1399         Switch RegisterSet set to Bitmap because Bitmap doesn't ever allocate memory and can be
1400         assigned by memcpy. This should be a performance improvement for compiler code that does a
1401         lot of things with RegisterSet. For example, it's one of the fundamental data structures in
1402         Air. The previous use of BitVector meant that almost every operation on RegisterSet would
1403         have a slow path call. On ARM64, it would mean memory allocation for any RegisterSet that
1404         used all available registers.
1405         
1406         This meant adding even more GPR/FPR reflection to the MacroAssembler API: we now have consts
1407         called numGPRs and numFPRs. This is necessary to statically size the Bitmap in RegisterSet.
1408         
1409         Here's the breakdown of sizes of RegisterSet on different CPUs:
1410         
1411         x86-32: 8 bits (GPRs) + 8 bits (FPRs) + 1 bit (is deleted) = 1x uint32_t.
1412         x86-64: 16 bits + 16 bits + 1 bit = 2x uint32_t.
1413         ARMv7: 16 bits + 16 bits + 1 bit = 2x uint32_t.
1414         ARM64: 32 bits + 32 bits + 1 bit = 3x uint32_t.
1415
1416         * assembler/MacroAssemblerARM.h:
1417         * assembler/MacroAssemblerARM64.h:
1418         * assembler/MacroAssemblerARMv7.h:
1419         * assembler/MacroAssemblerX86.h:
1420         * assembler/MacroAssemblerX86Common.h:
1421         (JSC::MacroAssemblerX86Common::scratchRegister):
1422         * assembler/MacroAssemblerX86_64.h:
1423         * jit/RegisterSet.h:
1424         (JSC::RegisterSet::set):
1425         (JSC::RegisterSet::get):
1426         (JSC::RegisterSet::setAll):
1427         (JSC::RegisterSet::merge):
1428         (JSC::RegisterSet::filter):
1429         (JSC::RegisterSet::exclude):
1430         (JSC::RegisterSet::numberOfSetRegisters):
1431         (JSC::RegisterSet::RegisterSet):
1432         (JSC::RegisterSet::isEmptyValue):
1433         (JSC::RegisterSet::isDeletedValue):
1434         (JSC::RegisterSet::operator==):
1435         (JSC::RegisterSet::operator!=):
1436         (JSC::RegisterSet::hash):
1437         (JSC::RegisterSet::forEach):
1438         (JSC::RegisterSet::setMany):
1439
1440 2016-07-15  Filip Pizlo  <fpizlo@apple.com>
1441
1442         DFG and FTL should support op_call_eval
1443         https://bugs.webkit.org/show_bug.cgi?id=159786
1444
1445         Reviewed by Saam Barati.
1446         
1447         This adds support for op_call_eval in DFG and FTL by brute force:
1448         
1449         - There is now a CallEval() node type, which compiles exactly the same way that we do in
1450           baseline.
1451         
1452         - We teach the DFG and bytecode liveness that the scope register and 'this' are read by
1453           CallEval()/op_call_eval.
1454         
1455         We can compile eval quite well, except that right now we cannot inline functions that use
1456         eval. It would be nice to do that, but the payoff is probably smaller. "Don't inline users
1457         of eval" may even be an OK inlining heuristic. Not inlining users of eval allows me to
1458         reuse the baseline implementation, which is really great. Otherwise, I'd have to get rid
1459         of things like the rogue reads of scope register and 'this'.
1460         
1461         The goal here is to produce speed-ups for code that has functions that do both eval and
1462         some computational stuff. Obviously, we're not producing any benefit for the eval itself.
1463         But now the other stuff in a function that uses eval will get to participate in
1464         optimization.
1465         
1466         This is a huge speed-up on microbenchmarks.
1467
1468         * bytecode/BytecodeUseDef.h:
1469         (JSC::computeUsesForBytecodeOffset):
1470         * bytecode/CodeBlock.cpp:
1471         (JSC::CodeBlock::printCallOp):
1472         (JSC::CodeBlock::dumpBytecode):
1473         * dfg/DFGAbstractInterpreterInlines.h:
1474         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1475         * dfg/DFGByteCodeParser.cpp:
1476         (JSC::DFG::ByteCodeParser::setLocal):
1477         (JSC::DFG::ByteCodeParser::setArgument):
1478         (JSC::DFG::ByteCodeParser::flush):
1479         (JSC::DFG::ByteCodeParser::parseBlock):
1480         * dfg/DFGCapabilities.cpp:
1481         (JSC::DFG::capabilityLevel):
1482         * dfg/DFGClobberize.h:
1483         (JSC::DFG::clobberize):
1484         * dfg/DFGDoesGC.cpp:
1485         (JSC::DFG::doesGC):
1486         * dfg/DFGFixupPhase.cpp:
1487         (JSC::DFG::FixupPhase::fixupNode):
1488         * dfg/DFGGraph.h:
1489         (JSC::DFG::Graph::needsScopeRegister):
1490         (JSC::DFG::Graph::needsFlushedThis):
1491         * dfg/DFGHeapLocation.cpp:
1492         (WTF::printInternal):
1493         * dfg/DFGHeapLocation.h:
1494         * dfg/DFGMayExit.cpp:
1495         * dfg/DFGNode.h:
1496         (JSC::DFG::Node::hasHeapPrediction):
1497         * dfg/DFGNodeType.h:
1498         * dfg/DFGOSRExitCompiler.cpp:
1499         * dfg/DFGPredictionPropagationPhase.cpp:
1500         * dfg/DFGSafeToExecute.h:
1501         (JSC::DFG::safeToExecute):
1502         * dfg/DFGSpeculativeJIT32_64.cpp:
1503         (JSC::DFG::SpeculativeJIT::emitCall):
1504         (JSC::DFG::SpeculativeJIT::compile):
1505         * dfg/DFGSpeculativeJIT64.cpp:
1506         (JSC::DFG::SpeculativeJIT::emitCall):
1507         (JSC::DFG::SpeculativeJIT::compile):
1508         * dfg/DFGStackLayoutPhase.cpp:
1509         (JSC::DFG::StackLayoutPhase::run):
1510         * dfg/DFGWatchpointCollectionPhase.cpp:
1511         (JSC::DFG::WatchpointCollectionPhase::handle):
1512         * ftl/FTLCapabilities.cpp:
1513         (JSC::FTL::canCompile):
1514         * ftl/FTLCompile.cpp:
1515         (JSC::FTL::compile):
1516         * ftl/FTLLowerDFGToB3.cpp:
1517         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1518         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
1519         (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
1520         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
1521         * jit/AssemblyHelpers.cpp:
1522         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1523         (JSC::AssemblyHelpers::emitDumbVirtualCall):
1524         * jit/AssemblyHelpers.h:
1525         (JSC::AssemblyHelpers::emitTypeOf):
1526         * jit/JITCall.cpp:
1527         (JSC::JIT::compileCallEvalSlowCase):
1528         * jit/JITCall32_64.cpp:
1529         (JSC::JIT::compileCallEvalSlowCase):
1530         * jit/JITOperations.cpp:
1531         * tests/stress/exit-then-eval.js: Added.
1532         (foo):
1533         * tests/stress/force-exit-then-eval-dfg.js: Added.
1534         (foo):
1535         * tests/stress/force-exit-then-eval.js: Added.
1536         (foo):
1537
1538 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
1539
1540         DFG should really support jneq_ptr
1541         https://bugs.webkit.org/show_bug.cgi?id=159700
1542
1543         Reviewed by Keith Miller.
1544         
1545         Prior to this change, DFG statically speculated that jneq_ptr would always fall through. This
1546         meant that programs that called o.apply() or o.call() where apply or call weren't the
1547         expected ones (i.e. the function.prototype.apply/call) would rage-recompile forever.
1548         
1549         This adds profiling to jneq_ptr. We now know if it always falls through or sometimes doesn't.
1550         If it sometimes doesn't, we now emit an actual control flow diamond. I decided to add a new
1551         NodeType for "equal pointer", since none of the existing ones really captured that. For
1552         example, there was no way to express "equal pointer" for strings or symbols. We don't use it
1553         for that right now, but we might, and if we did, then it would be hugely surprising that the
1554         DFG interpreted this as value equality. So, the DFG now has CompareEqPtr, which means exactly
1555         what jneq_ptr means by "equal pointer".
1556         
1557         This is an enormous speed-up on microbenchmarks. I would assume that it's a speed-up on some
1558         real things, too, but I don't know that for a fact.
1559
1560         * bytecode/BytecodeList.json:
1561         * bytecode/CodeBlock.cpp:
1562         (JSC::CodeBlock::dumpBytecode):
1563         * bytecompiler/BytecodeGenerator.cpp:
1564         (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
1565         (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
1566         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
1567         * dfg/DFGAbstractInterpreterInlines.h:
1568         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1569         * dfg/DFGByteCodeParser.cpp:
1570         (JSC::DFG::ByteCodeParser::parseBlock):
1571         * dfg/DFGClobberize.h:
1572         (JSC::DFG::clobberize):
1573         * dfg/DFGDoesGC.cpp:
1574         (JSC::DFG::doesGC):
1575         * dfg/DFGFixupPhase.cpp:
1576         (JSC::DFG::FixupPhase::fixupNode):
1577         * dfg/DFGNode.h:
1578         (JSC::DFG::Node::hasCellOperand):
1579         * dfg/DFGNodeType.h:
1580         * dfg/DFGSafeToExecute.h:
1581         (JSC::DFG::safeToExecute):
1582         * dfg/DFGSpeculativeJIT.cpp:
1583         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
1584         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
1585         * dfg/DFGSpeculativeJIT.h:
1586         * dfg/DFGSpeculativeJIT32_64.cpp:
1587         (JSC::DFG::SpeculativeJIT::compile):
1588         * dfg/DFGSpeculativeJIT64.cpp:
1589         (JSC::DFG::SpeculativeJIT::compile):
1590         * dfg/DFGValidate.cpp:
1591         * ftl/FTLCapabilities.cpp:
1592         (JSC::FTL::canCompile):
1593         * ftl/FTLLowerDFGToB3.cpp:
1594         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1595         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1596         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEqPtr):
1597         (JSC::FTL::DFG::LowerDFGToB3::compileCompareLess):
1598         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEqConstant): Deleted.
1599         * jit/JITOpcodes.cpp:
1600         (JSC::JIT::emit_op_jneq_ptr):
1601         (JSC::JIT::emit_op_eq):
1602         * jit/JITOpcodes32_64.cpp:
1603         (JSC::JIT::emit_op_jneq_ptr):
1604         (JSC::JIT::emit_op_eq):
1605         * llint/LowLevelInterpreter32_64.asm:
1606         * llint/LowLevelInterpreter64.asm:
1607
1608 2016-07-12  Filip Pizlo  <fpizlo@apple.com>
1609
1610         OSR entry into DFG has problems with lexical scoping
1611         https://bugs.webkit.org/show_bug.cgi?id=159687
1612
1613         Reviewed by Saam Barati.
1614         
1615         What a fun bug! It turns out that uses of lexical scoping, like "let", may sometimes cause us
1616         to not be able to OSR enter into a loop from baseline to DFG. The bug is in a mitigation for
1617         a different bug, which in turn had a mitigation for yet another bug, so the story here is a
1618         long one.
1619         
1620         DFG OSR entry has long had a mitigation for the following bug: the DFG bytecode parser may
1621         choose to make us always OSR exit at some instruction if it thinks that it doesn't have
1622         enough profiling for that instruction. We will do this if some kinds of put_by_id only
1623         execute once, for example. This causes problems for loopy benchmarks like this:
1624         
1625             put_by_id(something crazy);
1626             for (var i = 0; i < bigNumber; ++i) simpleMath;
1627         
1628         In this case, the put_by_id will have only executed once, and since it did something crazy
1629         that one time, the bytecode parser will replace it with ForceOSRExit.
1630         
1631         This creates an OSR entry bug: DFG CFA will then prove that the loop is unreachable, and will
1632         tell OSR entry that it's impossible to enter into that loop.
1633         
1634         We mitigated this bug a long time ago by recording mustHandleValues for loops at which we
1635         want to enter. We inject these values into DFG CFA and we force CFA to recognize that the
1636         loop is reachable even if CFA wanted to prove that it wasn't.
1637         
1638         But this leads to another bug: we need to scrape the values from the stack inside
1639         operationOptimize() and then we need to reason about them in the compiler. Some of those
1640         values may be garbage, which would cause pandemonium inside the compiler. We also mitigated
1641         this bug, by only recording the "vars", since those are guaranteed to be reset by op_enter.
1642         
1643         And that's where the lexical scoping bug happens: "let" bound variables aren't part of the
1644         "vars". DFG will see that they are live, but mustHandleValues will not have anything for
1645         those variables, so CFA will prove that the values are Bottom. Then OSR entry will always
1646         fail because no value is ever a subset of Bottom.
1647         
1648         The first part of the fix is to ensure that mustHandleValues record all of the values on the
1649         stack (i.e. within m_numCalleeLocals, rather than just m_numVars). But this creates a second
1650         problem: we may record garbage. This patch includes a better fix for the garbage: before
1651         touching mustHandleValues we run the bytecode liveness analysis and clear any values that are
1652         not live. This ensures that we clear the garbage.
1653         
1654         This is an enormous speed-up on microbenchmarks that use lexical scoping and have some crazy
1655         put_by_id in the lead-up to the hot loop.
1656
1657         * dfg/DFGCFAPhase.cpp:
1658         (JSC::DFG::CFAPhase::run):
1659         * dfg/DFGOSREntry.cpp:
1660         (JSC::DFG::prepareOSREntry):
1661         * dfg/DFGPlan.cpp:
1662         (JSC::DFG::Plan::compileInThreadImpl):
1663         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1664         (JSC::DFG::Plan::cancel):
1665         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
1666         * dfg/DFGPlan.h:
1667         (JSC::DFG::Plan::canTierUpAndOSREnter):
1668         * jit/JITOperations.cpp:
1669
1670 2016-07-18  Youenn Fablet  <youenn@apple.com>
1671
1672         REGRESSION(r202975): --minimal build is broken
1673         https://bugs.webkit.org/show_bug.cgi?id=159765
1674
1675         Reviewed by Chris Dumez.
1676
1677         Covered partially by builtin generated test code.
1678
1679         Updating generator to add a global compilation guard around the code that generates all global internal properties.
1680         Split the generate_methods function in two, one dedicated to the visit method and the second one dedicated to
1681         the initialize method.
1682
1683         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
1684         (BuiltinsInternalsWrapperImplementationGenerator.generate_section_for_object): Use splitted generation functions.
1685         (BuiltinsInternalsWrapperImplementationGenerator.generate_visit_method): Response to generate the visit method.
1686         (BuiltinsInternalsWrapperImplementationGenerator._generate_initialize_static_globals): Responsible to generate
1687         the code to initialize the internal globals. This code is put in a global compilation guard in case all
1688         internals are compiled out by specific builds.
1689         (BuiltinsInternalsWrapperImplementationGenerator):
1690         (BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method): Responsible to generate the
1691         initialize method.
1692         (BuiltinsInternalsWrapperImplementationGenerator.generate_methods): Deleted.
1693         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: Copyright change.
1694         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: Ditto.
1695         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: Ditto.
1696         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: Ditto.
1697         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: Reflects partially the built-in
1698         generator change.
1699
1700 2016-07-18  Keith Miller  <keith_miller@apple.com>
1701
1702         Fix bad assertions in genericTypedArrayViewPrivateFuncSubarrayCreate
1703         https://bugs.webkit.org/show_bug.cgi?id=159882
1704         <rdar://problem/27327111>
1705
1706         Reviewed by Mark Lam.
1707
1708         According the spec toInteger can return values we don't consider ints.
1709         Such as, -0 and +/-Infinity. This broke some assertions in
1710         genericTypedArrayViewPrivateFuncSubarrayCreate.
1711
1712         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1713         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1714         * tests/stress/typedarray-subarray.js:
1715
1716 2016-07-16  Filip Pizlo  <fpizlo@apple.com>
1717
1718         DFG CSE is broken for MultiGetByOffset
1719         https://bugs.webkit.org/show_bug.cgi?id=159858
1720
1721         Reviewed by Saam Barati.
1722         
1723         This disabled CSE for MultiGetByOffset. I opened bug 159859 for the long-term fix, which
1724         would teach CSE (and other passes also) how to decay a removed MultiGetByOffset to a
1725         CheckStructure. Since we currently just decay MultiGetByOffset to Check, we forget the
1726         structure checks. So, if we CSE a MultiGetByOffset that checks for one set of structures with
1727         a heap access on the same property and base that checks for different structures, then we
1728         will forget some structure checks that we had previously. It's unsound to forget checks in
1729         DFG IR.
1730         
1731         This bug mostly manifested as a high-volume crash at Unreachable in FTL, because we'd prove
1732         that the code after the MultiGetByOffset was unreachable due to the structure checks and then
1733         CSE would remove everything but the Unreachable.
1734
1735         * dfg/DFGClobberize.h:
1736         (JSC::DFG::clobberize): Remove the def() for MultiGetByOffset to disable CSE for this node for now.
1737         * tests/stress/cse-multi-get-by-offset-remove-checks.js: Added. This used to fail with FTL enabled.
1738         (Cons1):
1739         (Cons2):
1740         (Cons3):
1741         (foo):
1742         (bar):
1743
1744 2016-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1745
1746         [JSC] Enable test262 module tests
1747         https://bugs.webkit.org/show_bug.cgi?id=159854
1748
1749         Reviewed by Saam Barati.
1750
1751         This patch enables test262 module tests. Before this patch, the modules tests in test262 do not work fine.
1752         This patch fixes the following 2 things.
1753
1754         1. Test harness
1755
1756             Before this patch, there is only one global switch "-m" in jsc shell. So we cannot load the test262 test harness before evaluating the module tests.
1757             This patch adds a new option, "--module-file=". It is similar to "--strict-file=". When we specify the file with "--module-file=", it is evaluated as
1758             a module, while the other files are evaluated by following the JSC's default manner. This option allows us to load the test harness files into the
1759             global context before loading the module tests.
1760
1761         2. Module's asynchronous errors
1762
1763             Before this patch, the errors caused in the module evaluation are not handled as the same to the usual sync files. In synchronous execution, we have
1764             "--exception=" option to pass the expected exception to the JSC shell. But this option does not work in the module evaluation.
1765             This patch correctly handles this expected exception in the module evaluation promise's fulfill and reject handlers.
1766
1767         And we fix the YAML file. Now the recorded :fail and :normal are the correct test results for the module tests.
1768
1769         * jsc.cpp:
1770         (Script::Script):
1771         (checkUncaughtException):
1772         (runWithScripts):
1773         (printUsageStatement):
1774         (CommandLine::parseArguments):
1775         (dumpException): Deleted.
1776         * tests/test262.yaml:
1777
1778 2016-07-17  Yusuke Suzuki  <utatane.tea@gmail.com>
1779
1780         [JSC] Mask TrustedImm32 to 8bit in MacroAssembler for 8bit operations
1781         https://bugs.webkit.org/show_bug.cgi?id=159334
1782
1783         Reviewed by Filip Pizlo.
1784
1785         Previously, in 8bit operations (like add8, compare8, test8, branch8, branchTest8 etc.),
1786         we require that the given TrustedImm32 is in range of 8bit. While achieving this in
1787         the manual MacroAssembler calling is easy, in Air, we don't guarantee that the higher bit
1788         of the 8bit argument is cleared. So the current assertions are invalid.
1789
1790         This patch relaxes the above restriction. By removing this assertion,
1791         8bit operations can take arbitrary 32bit imms. And only lower 8bit are effective when
1792         emitting the code in these methods.
1793
1794         * assembler/MacroAssembler.h:
1795         (JSC::MacroAssembler::branchTest8):
1796         * assembler/MacroAssemblerARM.h:
1797         (JSC::MacroAssemblerARM::store8):
1798         (JSC::MacroAssemblerARM::branch8):
1799         (JSC::MacroAssemblerARM::branchTest8):
1800         (JSC::MacroAssemblerARM::compare8):
1801         (JSC::MacroAssemblerARM::test8):
1802         * assembler/MacroAssemblerARM64.h:
1803         (JSC::MacroAssemblerARM64::store8):
1804         (JSC::MacroAssemblerARM64::branch8):
1805         (JSC::MacroAssemblerARM64::branchTest8):
1806         (JSC::MacroAssemblerARM64::compare8):
1807         (JSC::MacroAssemblerARM64::test8):
1808         * assembler/MacroAssemblerARMv7.h:
1809         (JSC::MacroAssemblerARMv7::store8):
1810         (JSC::MacroAssemblerARMv7::branch8):
1811         (JSC::MacroAssemblerARMv7::branchTest8):
1812         (JSC::MacroAssemblerARMv7::compare8):
1813         (JSC::MacroAssemblerARMv7::test8):
1814         * assembler/MacroAssemblerMIPS.h:
1815         (JSC::MacroAssemblerMIPS::store8):
1816         (JSC::MacroAssemblerMIPS::branch8):
1817         (JSC::MacroAssemblerMIPS::compare8):
1818         (JSC::MacroAssemblerMIPS::branchTest8):
1819         (JSC::MacroAssemblerMIPS::test8):
1820         * assembler/MacroAssemblerSH4.h:
1821         (JSC::MacroAssemblerSH4::store8):
1822         (JSC::MacroAssemblerSH4::branchTest8):
1823         (JSC::MacroAssemblerSH4::branch8):
1824         (JSC::MacroAssemblerSH4::compare8):
1825         (JSC::MacroAssemblerSH4::test8):
1826         * assembler/MacroAssemblerX86.h:
1827         (JSC::MacroAssemblerX86::store8):
1828         (JSC::MacroAssemblerX86::branch8):
1829         (JSC::MacroAssemblerX86::branchTest8):
1830         * assembler/MacroAssemblerX86Common.h:
1831         (JSC::MacroAssemblerX86Common::add8):
1832         (JSC::MacroAssemblerX86Common::store8):
1833         (JSC::MacroAssemblerX86Common::branch8):
1834         (JSC::MacroAssemblerX86Common::branchTest8):
1835         (JSC::MacroAssemblerX86Common::compare8):
1836         (JSC::MacroAssemblerX86Common::test8):
1837         * assembler/MacroAssemblerX86_64.h:
1838         (JSC::MacroAssemblerX86_64::store8):
1839         (JSC::MacroAssemblerX86_64::branch8):
1840         (JSC::MacroAssemblerX86_64::branchTest8):
1841
1842 2016-07-16  Chris Dumez  <cdumez@apple.com>
1843
1844         Unreviewed, rolling out r203318.
1845
1846         Regressed most JS Benchmarks on MacBook Air by ~2% (7% on
1847         SunSpider)
1848
1849         Reverted changeset:
1850
1851         "[JSC] Change some parameters based on a random search"
1852         https://bugs.webkit.org/show_bug.cgi?id=158514
1853         http://trac.webkit.org/changeset/203318
1854
1855 2016-07-15  Benjamin Poulain  <bpoulain@apple.com>
1856
1857         [JSC] Convert the remaining createOutOfMemoryError()+throwException() into throwOutOfMemoryError()
1858         https://bugs.webkit.org/show_bug.cgi?id=159665
1859
1860         Reviewed by Saam Barati.
1861
1862         * API/JSTypedArray.cpp:
1863         (createTypedArray):
1864         * runtime/Error.cpp:
1865         (JSC::createOutOfMemoryError):
1866         * runtime/Error.h:
1867         * runtime/ExceptionHelpers.cpp:
1868         (JSC::throwOutOfMemoryError):
1869         * runtime/JSArrayBufferConstructor.cpp:
1870         (JSC::constructArrayBuffer):
1871         * runtime/JSArrayBufferPrototype.cpp:
1872         (JSC::arrayBufferProtoFuncSlice):
1873         * runtime/JSGenericTypedArrayViewInlines.h:
1874         (JSC::JSGenericTypedArrayView<Adaptor>::create):
1875         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
1876
1877 2016-07-15  Benjamin Poulain  <bpoulain@apple.com>
1878
1879         [JSC] Change some parameters based on a random search
1880         https://bugs.webkit.org/show_bug.cgi?id=158514
1881
1882         Reviewed by Saam Barati.
1883
1884         * bytecode/CodeBlock.cpp:
1885         (JSC::CodeBlock::optimizationThresholdScalingFactor):
1886         * runtime/Options.h:
1887
1888 2016-07-15  Mark Lam  <mark.lam@apple.com>
1889
1890         Assertion failures and crashes with missing TDZ checks for catch-node bindings.
1891         https://bugs.webkit.org/show_bug.cgi?id=158797
1892
1893         Reviewed by Saam Barati.
1894
1895         * bytecompiler/BytecodeGenerator.cpp:
1896         (JSC::BytecodeGenerator::emitPushCatchScope):
1897         (JSC::BytecodeGenerator::emitPopCatchScope):
1898         * tests/stress/catch-clause-should-be-under-tdz1.js: Added.
1899         * tests/stress/catch-clause-should-be-under-tdz2.js: Added.
1900         * tests/stress/catch-clause-should-be-under-tdz3.js: Added.
1901         * tests/stress/catch-clause-should-be-under-tdz4.js: Added.
1902         * tests/stress/catch-clause-should-be-under-tdz5.js: Added.
1903
1904 2016-07-15  Geoffrey Garen  <ggaren@apple.com>
1905
1906         Added a makeRef<T> helper
1907         https://bugs.webkit.org/show_bug.cgi?id=159835
1908
1909         Reviewed by Andreas Kling.
1910
1911         Anders told me to!
1912
1913         * inspector/InjectedScriptHost.cpp:
1914         (Inspector::InjectedScriptHost::wrapper):
1915
1916 2016-07-15  Mark Lam  <mark.lam@apple.com>
1917
1918         FunctionOverride's parseClause() needs to keep the CString instance in scope while its data is being used.
1919         https://bugs.webkit.org/show_bug.cgi?id=159828
1920
1921         Reviewed by Saam Barati.
1922
1923         Otherwise, we'll have a use after free.  This issue was caught when running an
1924         ASan debug build of testapi.
1925
1926         * tools/FunctionOverrides.cpp:
1927         (JSC::parseClause):
1928
1929 2016-07-15  Keith Miller  <keith_miller@apple.com>
1930
1931         %TypedArray%.prototype.indexOf is coercing non-integers or non-floats to numbers wrongly
1932         https://bugs.webkit.org/show_bug.cgi?id=159400
1933
1934         Reviewed by Geoffrey Garen.
1935
1936         This patch fixes coercion of non-numbers in indexOf/lastIndexOf.
1937         Additionally, this patch fixes an issue with includes where it
1938         would not check that the buffer remained non-neutered after
1939         calling the toInteger() function. Lastly, some extra release
1940         asserts have been added in some places to inform us of any issues
1941         in the future.
1942
1943         Additionally, this patch changes bool toNativeFromDouble to
1944         Optional<Type> toNativeFromDoubleWithoutCoercion. This makes it a
1945         little clearer what the function does and also removes the return
1946         argument. The only behavior change is that the function no longer
1947         coerces non-numbers into numbers. That behavior was unused (maybe
1948         unintended), however.
1949
1950         * runtime/JSGenericTypedArrayView.h:
1951         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion):
1952         (JSC::JSGenericTypedArrayView::sort):
1953         (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
1954         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1955         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1956         (JSC::genericTypedArrayViewProtoFuncIncludes):
1957         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1958         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1959         * runtime/ToNativeFromValue.h:
1960         (JSC::toNativeFromValueWithoutCoercion):
1961         (JSC::toNativeFromValue): Deleted.
1962         * runtime/TypedArrayAdaptors.h:
1963         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
1964         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32WithoutCoercion):
1965         (JSC::IntegralTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
1966         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32WithoutCoercion):
1967         (JSC::FloatTypedArrayAdaptor::toNativeFromDoubleWithoutCoercion):
1968         (JSC::Uint8ClampedAdaptor::toNativeFromInt32WithoutCoercion):
1969         (JSC::Uint8ClampedAdaptor::toNativeFromDoubleWithoutCoercion):
1970         (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32): Deleted.
1971         (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32): Deleted.
1972         (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble): Deleted.
1973         (JSC::FloatTypedArrayAdaptor::toNativeFromInt32): Deleted.
1974         (JSC::FloatTypedArrayAdaptor::toNativeFromDouble): Deleted.
1975         (JSC::Uint8ClampedAdaptor::toNativeFromInt32): Deleted.
1976         (JSC::Uint8ClampedAdaptor::toNativeFromDouble): Deleted.
1977         * tests/stress/resources/typedarray-test-helper-functions.js:
1978         * tests/stress/typedarray-functions-with-neutered.js:
1979         (callWithArgs):
1980         * tests/stress/typedarray-includes.js: Added.
1981         * tests/stress/typedarray-indexOf.js:
1982         * tests/stress/typedarray-lastIndexOf.js:
1983
1984 2016-07-15  Csaba Osztrogonác  <ossy@webkit.org>
1985
1986         Add new functions to ARMAssembler after r202214
1987         https://bugs.webkit.org/show_bug.cgi?id=159713
1988
1989         Reviewed by Saam Barati.
1990
1991         * assembler/ARMAssembler.h:
1992         (JSC::ARMAssembler::fillNops):
1993         * assembler/MacroAssemblerARM.h:
1994         (JSC::MacroAssemblerARM::patchableBranch32):
1995         (JSC::MacroAssemblerARM::internalCompare32):
1996
1997 2016-07-15  Mark Lam  <mark.lam@apple.com>
1998
1999         Stack overflow error for deeply nested classes.
2000         https://bugs.webkit.org/show_bug.cgi?id=157086
2001
2002         Reviewed by Geoffrey Garen.
2003
2004         Changed the StructureStubClearingWatchpoint destructor to iteratively destruct
2005         its chain of next StructureStubClearingWatchpoints instead of recursively doing
2006         so.
2007
2008         The added deep-StructureStubClearingWatchpoint-destructor-recursion.js test
2009         produces a crash before the fix is applied, but takes about 14 minutes to run.
2010         Hence, it is skipped.
2011
2012         * bytecode/StructureStubClearingWatchpoint.cpp:
2013         (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint):
2014         * tests/stress/deep-StructureStubClearingWatchpoint-destructor-recursion.js: Added.
2015
2016 2016-07-15  Csaba Osztrogonác  <ossy@webkit.org>
2017
2018         Fix expectations in test262.yaml
2019         https://bugs.webkit.org/show_bug.cgi?id=159810
2020
2021         Reviewed by Keith Miller.
2022
2023         * tests/test262.yaml:
2024
2025 2016-07-15  Csaba Osztrogonác  <ossy@webkit.org>
2026
2027         [ARM] Disable Inline Caching on ARMv7 traditional until proper fix
2028         https://bugs.webkit.org/show_bug.cgi?id=159759
2029
2030         Reviewed by Saam Barati.
2031
2032         * jit/Repatch.cpp:
2033         (JSC::forceICFailure):
2034
2035 2016-07-14  Keith Miller  <keith_miller@apple.com>
2036
2037         Add Test262 test files and yaml
2038
2039         Rubber Stamped by Benjamin Poulain.
2040
2041         This patch adds all the test262 test files and the yaml that drives
2042         run-jsc-stress-tests.
2043
2044         * tests/test262.yaml: Added. Yaml file to drive the test262 test suite with our driver.
2045         * tests/test262/LICENSE: Added. License for the test262 test suite.
2046         * tests/test262/harness/: Added. Harness directory for the test262 tests.
2047         * tests/test262/test/: Added. Directory with all the actual test files.
2048
2049 2016-07-14  Joseph Pecoraro  <pecoraro@apple.com>
2050
2051         Return the correct value from Heap::externalMemorySize
2052         https://bugs.webkit.org/show_bug.cgi?id=159797
2053         <rdar://problem/27362446>
2054
2055         Reviewed by Timothy Hatcher.
2056
2057         * heap/Heap.h:
2058         (JSC::Heap::externalMemorySize):
2059         We should have been returning m_externalMemorySize which is a subset
2060         of m_extraMemorySize. In practice the difference can be small. A major
2061         difference in "extra memory size" may be from deprecated memory size
2062         and array buffer sizes.
2063
2064 2016-07-14  Saam Barati  <sbarati@apple.com>
2065
2066         It should be a syntax error to have a 'use strict' directive inside a function that has a non-simple parameter list
2067         https://bugs.webkit.org/show_bug.cgi?id=159790
2068         <rdar://problem/27171636>
2069
2070         Reviewed by Geoffrey Garen.
2071
2072         Is is a syntax error for a function's parameter list to be non-simple
2073         and for the function to also contain a 'use strict' directive.
2074
2075         See section 14.2.1 of the spec:
2076         https://tc39.github.io/ecma262/#sec-arrow-function-definitions-static-semantics-early-errors
2077
2078         * parser/Parser.cpp:
2079         (JSC::Parser<LexerType>::parseSourceElements):
2080         (JSC::Parser<LexerType>::parseFormalParameters):
2081         * parser/Parser.h:
2082         (JSC::Scope::Scope):
2083         (JSC::Scope::strictMode):
2084         (JSC::Scope::isValidStrictMode):
2085         (JSC::Scope::shadowsArguments):
2086         (JSC::Scope::setHasNonSimpleParameterList):
2087         (JSC::Scope::hasNonSimpleParameterList):
2088         (JSC::Scope::copyCapturedVariablesToVector):
2089
2090 2016-07-14  Geoffrey Garen  <ggaren@apple.com>
2091
2092         ASSERTION FAILED: : this != replacement()
2093         https://bugs.webkit.org/show_bug.cgi?id=159779
2094
2095         Reviewed by Michael Saboff.
2096
2097         * bytecode/CodeBlock.cpp:
2098         (JSC::CodeBlock::jettison): If we jettison during GC, and our owner
2099         is dead, we choose not to replace ourselves. (See
2100         https://bugs.webkit.org/show_bug.cgi?id=159588.) So, it's possible to
2101         invalidate and still be our owner's CodeBlock. Relax our ASSERT to allow
2102         for this.
2103
2104 2016-07-14  Mark Lam  <mark.lam@apple.com>
2105
2106         JSONObject Walker::walk must save array length before processing array elements.
2107         https://bugs.webkit.org/show_bug.cgi?id=153485
2108
2109         Reviewed by Darin Adler and Michael Saboff.
2110
2111         According to https://tc39.github.io/ecma262/#sec-internalizejsonproperty,
2112         JSON.parse() should cache the length of an array and use the cached length when
2113         iterating array elements (see section 24.3.1.1 2.b.iii).
2114
2115         * runtime/JSONObject.cpp:
2116         (JSC::Walker::walk):
2117         * tests/stress/JSON-parse-should-cache-array-lengths.js: Added.
2118         (toString):
2119         (shouldBe):
2120         (test):
2121         (test2):
2122
2123 2016-07-14  Julien Brianceau  <jbriance@cisco.com>
2124
2125         [mips] Handle properly unaligned halfword load
2126         https://bugs.webkit.org/show_bug.cgi?id=153226
2127
2128         Reviewed by Michael Catanzaro.
2129
2130         Waiting for the kernel to silently fix-up unaligned accesses is
2131         not efficient, so let's provide an implementation of load16Unaligned
2132         in mips macro assembler.
2133
2134         Performance improvement seen with SunSpider's regexp-dna test.
2135
2136         * assembler/MacroAssemblerMIPS.h:
2137         (JSC::MacroAssemblerMIPS::load16Unaligned):
2138         (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
2139
2140 2016-07-14  Youenn Fablet  <youenn@apple.com>
2141
2142         DOM value iterable interfaces should use Array prototype methods
2143         https://bugs.webkit.org/show_bug.cgi?id=159296
2144
2145         Reviewed by Chris Dumez and Mark Lam.
2146
2147         * JavaScriptCore.xcodeproj/project.pbxproj: Marking some header files as private so that they can be included in
2148         WebCore.
2149         * runtime/ArrayPrototype.cpp:
2150         (JSC::ArrayPrototype::finishCreation): copying iterable methods (entries, forEach, keys and values) to private slots.
2151
2152 2016-07-13  Csaba Osztrogonác  <ossy@webkit.org>
2153
2154         Fix the magic numbers for ARM traditional in InlineAccess.h
2155         https://bugs.webkit.org/show_bug.cgi?id=159708
2156
2157         Reviewed by Saam Barati.
2158
2159         * bytecode/InlineAccess.h:
2160         (JSC::InlineAccess::sizeForPropertyAccess):
2161         (JSC::InlineAccess::sizeForPropertyReplace):
2162         (JSC::InlineAccess::sizeForLengthAccess):
2163
2164 2016-07-13  Michael Saboff  <msaboff@apple.com>
2165
2166         YARR uses mixture of int and unsigned values to index into subject string
2167         https://bugs.webkit.org/show_bug.cgi?id=159744
2168
2169         Reviewed by Benjamin Poulain.
2170
2171         In most cases, we refer to characters in subject strings using a negative index from the number of
2172         "checked" characters in a subject string.  The required length is compared against the actual length
2173         and then we use that required length as the checked amount.  For example, when matching the string of
2174         4 digits in the RegExp /abc \d{4}/, we know that need 8 characters in the subject string.  We refer
2175         to the digits part of the expression from an already checked index of 8 and use negative offsets of
2176         -4 through -1.  In many cases we used a signed int for the negative offsets.  There are other cases
2177         where we used unsigned values as the amount of negative offset to use when accessing subject characters.
2178
2179         Changed all occurrances of character offsets to unsigned or Checked Arithmetic unsigned values.  Note
2180         that the pre-existing Checked class is used in other places to check for under/overflow with arithmetic
2181         operations.  Those unsigned offsets are always the number of characters before (negative) from the
2182         current checked character offset.  Also added some asserts for cases where arithmetic is not protected
2183         by other checks or with Checked<> wrapped values.
2184
2185         In the case of the JIT, subject characters are accessed using base with scaled index and offset
2186         addressing.  The MacroAssembler provides this addressing using the BaseIndex struct.  The offset for
2187         this struct is a 32 bit signed quantity.  Since we only care about negative offsets, we really only
2188         have 31 bits.  Changed the generation of a BaseOffset address to handle the case when the offset and
2189         scaled combination will exceed the 31 bits of negative offset.  This is done by moving the base value
2190         into a temp register and biasing the temp base and offset to smaller values so that we can emit
2191         instructions that can reference characters without exceeding the 31 bits of negative offset.
2192
2193         To abstract the character address generation, put the base with scaled index and offset into
2194         one function and used that function everywhere the YARR JIT wants to access subject characters.
2195         Also consilidated a few cases where we were generating inline what readCharacter() does.  Usually
2196         this was due to using a different index register.
2197
2198         Added a new regression test.
2199
2200         * tests/stress/regress-159744.js: Added regression test.
2201         (testRegExp):
2202         * yarr/YarrInterpreter.cpp:
2203         (JSC::Yarr::Interpreter::recordParenthesesMatch):
2204         (JSC::Yarr::Interpreter::resetMatches):
2205         (JSC::Yarr::Interpreter::matchParenthesesOnceEnd):
2206         (JSC::Yarr::Interpreter::backtrackParenthesesOnceEnd):
2207         (JSC::Yarr::ByteCompiler::closeBodyAlternative):
2208         (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
2209         (JSC::Yarr::ByteCompiler::atomParenthesesOnceEnd):
2210         (JSC::Yarr::ByteCompiler::atomParenthesesTerminalEnd):
2211         (JSC::Yarr::ByteCompiler::emitDisjunction):
2212         * yarr/YarrInterpreter.h:
2213         (JSC::Yarr::ByteTerm::ByteTerm):
2214         (JSC::Yarr::ByteTerm::BOL):
2215         (JSC::Yarr::ByteTerm::UncheckInput):
2216         (JSC::Yarr::ByteTerm::EOL):
2217         (JSC::Yarr::ByteTerm::WordBoundary):
2218         (JSC::Yarr::ByteTerm::BackReference):
2219         * yarr/YarrJIT.cpp:
2220         (JSC::Yarr::YarrGenerator::notAtEndOfInput):
2221         (JSC::Yarr::YarrGenerator::negativeOffsetIndexedAddress):
2222         (JSC::Yarr::YarrGenerator::readCharacter):
2223         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
2224         (JSC::Yarr::YarrGenerator::storeToFrame):
2225         (JSC::Yarr::YarrGenerator::generateAssertionBOL):
2226         (JSC::Yarr::YarrGenerator::backtrackAssertionBOL):
2227         (JSC::Yarr::YarrGenerator::generateAssertionEOL):
2228         (JSC::Yarr::YarrGenerator::matchAssertionWordchar):
2229         (JSC::Yarr::YarrGenerator::generateAssertionWordBoundary):
2230         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
2231         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
2232         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
2233         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
2234         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2235         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2236         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2237         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2238         (JSC::Yarr::YarrGenerator::generate):
2239         (JSC::Yarr::YarrGenerator::backtrack):
2240         (JSC::Yarr::YarrGenerator::YarrGenerator):
2241         * yarr/YarrPattern.h:
2242         (JSC::Yarr::PatternTerm::PatternTerm):
2243
2244 2016-07-13  Keith Miller  <keith_miller@apple.com>
2245
2246         Crashes with detached ArrayBuffers
2247         https://bugs.webkit.org/show_bug.cgi?id=157088
2248         <rdar://problem/27327362>
2249
2250         Reviewed by Filip Pizlo.
2251
2252         TypedArray.prototype.fill was incorrect because it should perform
2253         ToNumber coercion each time it tries to store the
2254         object. Currently, we only perform the coercion once at the
2255         beginning of the loop. If we find that we need to improve the
2256         performance of this function, we can add a faster C++ path back
2257         that only handles the primitive case.
2258
2259         This patch also moves the isNeutered() checks from put and
2260         putByIndex into setIndex. This fixes an issue where setIndex might
2261         store to a no longer valid offset.
2262
2263         * builtins/TypedArrayPrototype.js:
2264         (globalPrivate.typedArrayClampArgumentToStartOrEnd):
2265         (fill):
2266         * runtime/JSGenericTypedArrayView.h:
2267         (JSC::JSGenericTypedArrayView::setIndexQuickly):
2268         (JSC::JSGenericTypedArrayView::setIndex):
2269         (JSC::JSGenericTypedArrayView::setRangeToValue): Deleted.
2270         * runtime/JSGenericTypedArrayViewInlines.h:
2271         (JSC::JSGenericTypedArrayView<Adaptor>::put): Deleted.
2272         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex): Deleted.
2273         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2274         (JSC::genericTypedArrayViewProtoFuncFill): Deleted.
2275         * runtime/JSTypedArrayViewPrototype.cpp:
2276         (JSC::JSTypedArrayViewPrototype::finishCreation):
2277         (JSC::typedArrayViewProtoFuncFill): Deleted.
2278         * tests/stress/typedarray-fill.js:
2279         * tests/stress/typedarray-functions-with-neutered.js:
2280         (defaultForArg):
2281         (test2):
2282         (checkArgumentsForType): Deleted.
2283         (checkArguments): Deleted.
2284
2285 2016-07-13  Michael Saboff  <msaboff@apple.com>
2286
2287         Some bad unicode regex escapes aren't flagged as errors
2288         https://bugs.webkit.org/show_bug.cgi?id=158080
2289
2290         Reviewed by Saam Barati.
2291
2292         If we have a partial unicode escape, eg /\u{1/u or /\u12|abc/u, we
2293         didn't check for the closing '}' and processed the unicode escape with
2294         the hex value provided.  
2295
2296         Added a check that we properly terminated a \u{} unicode escape.
2297         If we fail that check and there isn't a prior error, we record that we
2298         have an invalid unicode escape.  The next existing line in the code will
2299         terminate parsing and bubble up the error.
2300
2301         * yarr/YarrParser.h:
2302         (JSC::Yarr::Parser::parseEscape):
2303
2304 2016-07-13  Chris Dumez  <cdumez@apple.com>
2305
2306         Unreviewed, rolling out r203199.
2307
2308         Broke the build
2309
2310         Reverted changeset:
2311
2312         "Crashes with detached ArrayBuffers"
2313         https://bugs.webkit.org/show_bug.cgi?id=157088
2314         http://trac.webkit.org/changeset/203199
2315
2316 2016-07-13  Keith Miller  <keith_miller@apple.com>
2317
2318         Crashes with detached ArrayBuffers
2319         https://bugs.webkit.org/show_bug.cgi?id=157088
2320         <rdar://problem/27327362>
2321
2322         Reviewed by Filip Pizlo.
2323
2324         TypedArray.prototype.fill was incorrect because it should perform
2325         ToNumber coercion each time it tries to store the
2326         object. Currently, we only perform the coercion once at the
2327         beginning of the loop. If we find that we need to improve the
2328         performance of this function, we can add a faster C++ path back
2329         that only handles the primitive case.
2330
2331         This patch also moves the isNeutered() checks from put and
2332         putByIndex into setIndex. This fixes an issue where setIndex might
2333         store to a no longer valid offset.
2334
2335         * builtins/TypedArrayPrototype.js:
2336         (globalPrivate.typedArrayClampArgumentToStartOrEnd):
2337         (fill):
2338         * runtime/JSGenericTypedArrayView.h:
2339         (JSC::JSGenericTypedArrayView::setIndexQuickly):
2340         (JSC::JSGenericTypedArrayView::setIndex):
2341         (JSC::JSGenericTypedArrayView::setRangeToValue): Deleted.
2342         * runtime/JSGenericTypedArrayViewInlines.h:
2343         (JSC::JSGenericTypedArrayView<Adaptor>::put): Deleted.
2344         (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex): Deleted.
2345         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2346         (JSC::genericTypedArrayViewProtoFuncFill): Deleted.
2347         * runtime/JSTypedArrayViewPrototype.cpp:
2348         (JSC::JSTypedArrayViewPrototype::finishCreation):
2349         (JSC::typedArrayViewProtoFuncFill): Deleted.
2350         * tests/stress/typedarray-fill.js:
2351         * tests/stress/typedarray-functions-with-neutered.js:
2352         (defaultForArg):
2353         (test2):
2354         (checkArgumentsForType): Deleted.
2355         (checkArguments): Deleted.
2356
2357 2016-07-13  Enrica Casucci  <enrica@apple.com>
2358
2359         Update supported platforms in xcconfig files to match the sdk names.
2360         https://bugs.webkit.org/show_bug.cgi?id=159728
2361
2362         Reviewed by Tim Horton.
2363
2364         * Configurations/Base.xcconfig:
2365
2366 2016-07-13  Csaba Osztrogonác  <ossy@webkit.org>
2367
2368         CLoop buildfix after r203142
2369         https://bugs.webkit.org/show_bug.cgi?id=159706
2370
2371         Unreviewed buildfix.
2372
2373         * interpreter/CLoopStack.cpp:
2374         (JSC::CLoopStack::isSafeToRecurse):
2375         * interpreter/CLoopStack.h:
2376         * interpreter/CLoopStackInlines.h:
2377         (JSC::CLoopStack::isSafeToRecurse): Deleted.
2378
2379 2016-07-12  Benjamin Poulain  <bpoulain@apple.com>
2380
2381         [JSC] Array.prototype.join() fails some conformance tests
2382         https://bugs.webkit.org/show_bug.cgi?id=159657
2383
2384         Reviewed by Saam Barati.
2385
2386         There were a couple of failures:
2387         -separator.toString() was called *before* we get the length
2388          and process ToLength() on it.
2389         -We were using toUInt32() on length instead of ToLength(),
2390          failing on big integers and various negative numbers.
2391
2392         Additionally, I replaced the "fast" ArrayStorage path
2393         by a fully generic implementation that does not depends on StringJoiner.
2394
2395         The reason is StringJoiner was doing poorly on sparse objects
2396         in certain cases.
2397         If you have a sparse object with a length > INT_MAX but very few
2398         indices defined, and you join on the empty string, it should be possible
2399         to join the array (albeit very slowly). With StringJoiner, we fail
2400         because we try to allocate > INT_MAX empty strings in a contiguous vector.
2401
2402         * runtime/ArrayPrototype.cpp:
2403         (JSC::slowJoin):
2404         (JSC::canUseFastJoin):
2405         (JSC::fastJoin):
2406         (JSC::arrayProtoFuncJoin):
2407         (JSC::join): Deleted.
2408         * runtime/JSArray.h:
2409         (JSC::toLength):
2410
2411 2016-07-12  Mark Lam  <mark.lam@apple.com>
2412
2413         Gardening: C Loop build fix after r203142.
2414
2415         Not reviewed.
2416
2417         * interpreter/CLoopStackInlines.h:
2418         (JSC::CLoopStack::isSafeToRecurse):
2419
2420 2016-07-12  Commit Queue  <commit-queue@webkit.org>
2421
2422         Unreviewed, rolling out r203131.
2423         https://bugs.webkit.org/show_bug.cgi?id=159698
2424
2425         This change caused an existing LayoutTest to time out on debug
2426         testers (Requested by ryanhaddad on #webkit).
2427
2428         Reverted changeset:
2429
2430         "[JSC] Array.prototype.join() fails some conformance tests"
2431         https://bugs.webkit.org/show_bug.cgi?id=159657
2432         http://trac.webkit.org/changeset/203131
2433
2434 2016-07-12  Mark Lam  <mark.lam@apple.com>
2435
2436         We should use different stack limits for stack checks from JS and host code.
2437         https://bugs.webkit.org/show_bug.cgi?id=159442
2438         <rdar://problem/26889188>
2439
2440         Reviewed by Geoffrey Garen.
2441
2442         We have 2 stack reservedZoneSizes:
2443         1. Options::softReservedZoneSize()
2444         2. Options::reservedZoneSize()
2445
2446         Respectively, there are used to define 2 stack limits based on these reserved
2447         zone sizes:
2448         1. VM::m_softStackLimit
2449         2. VM::m_stackLimit
2450
2451         Options::reservedZoneSize() is the amount of the stack space that JSC guarantees
2452         to the VM and client host code for it's use.  Host code that has well known
2453         stack usage characteristics (i.e. doesn't call arbitrary code) may do stack
2454         checks against the VM::m_stackLimit limit (which is computed using
2455         Options::reservedZoneSize()).
2456
2457         Options::softReservedZoneSize() is a more conservative amount of reserved stack
2458         space.  This is used to compute the VM::m_softStackLimit limit.  Any code that
2459         is difficult to have its stack usage characterized (i.e. may call arbitrary code)
2460         may need more stack space for its work.  Hence, these should do stack checks
2461         against the VM::m_softStackLimit limit.
2462
2463         JS code and host code that may call into JS code falls into the category of code
2464         that may call arbitrary code.  Hence, they should do stack checks against the
2465         VM::m_softStackLimit limit.
2466
2467         Accordingly, the VM now provides 2 recursion check functions:
2468
2469         1. VM::isSafeToRecurseSoft() will do a stack check against VM::m_softStackLimit.
2470            In addition, for C Loop builds, VM::isSafeToRecurseSoft() will also
2471            check the CLoopStack against VM::m_cloopStackLimit.
2472
2473         2. VM::isSafeToRecurse() will do a stack check against VM::m_stackLimit.
2474
2475         Also added a promise-infinite-recursion-should-not-crash.js test.
2476
2477         * bytecompiler/BytecodeGenerator.h:
2478         (JSC::BytecodeGenerator::emitNodeInTailPosition):
2479         (JSC::BytecodeGenerator::emitNodeInConditionContext):
2480         * interpreter/CLoopStack.cpp:
2481         (JSC::CLoopStack::grow):
2482         * interpreter/CLoopStack.h:
2483         (JSC::CLoopStack::size):
2484         * interpreter/CLoopStackInlines.h:
2485         (JSC::CLoopStack::ensureCapacityFor):
2486         (JSC::CLoopStack::isSafeToRecurse):
2487         (JSC::CLoopStack::topOfFrameFor):
2488         * interpreter/CachedCall.h:
2489         (JSC::CachedCall::CachedCall):
2490         * interpreter/Interpreter.cpp:
2491         (JSC::Interpreter::execute):
2492         (JSC::Interpreter::executeCall):
2493         (JSC::Interpreter::executeConstruct):
2494         * llint/LLIntSlowPaths.cpp:
2495         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2496         * parser/Parser.cpp:
2497         * runtime/Options.h:
2498         * runtime/ProxyObject.cpp:
2499         (JSC::performProxyGet):
2500         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2501         (JSC::ProxyObject::performHasProperty):
2502         (JSC::ProxyObject::getOwnPropertySlotCommon):
2503         (JSC::ProxyObject::performPut):
2504         (JSC::performProxyCall):
2505         (JSC::performProxyConstruct):
2506         (JSC::ProxyObject::performDelete):
2507         (JSC::ProxyObject::performPreventExtensions):
2508         (JSC::ProxyObject::performIsExtensible):
2509         (JSC::ProxyObject::performDefineOwnProperty):
2510         (JSC::ProxyObject::performGetOwnPropertyNames):
2511         (JSC::ProxyObject::performSetPrototype):
2512         (JSC::ProxyObject::performGetPrototype):
2513         * runtime/RegExp.cpp:
2514         (JSC::RegExp::finishCreation):
2515         (JSC::RegExp::compile):
2516         (JSC::RegExp::compileMatchOnly):
2517         * runtime/StringRecursionChecker.h:
2518         (JSC::StringRecursionChecker::performCheck):
2519         * runtime/VM.cpp:
2520         (JSC::VM::setStackPointerAtVMEntry):
2521         (JSC::VM::updateSoftReservedZoneSize):
2522         (JSC::preCommitStackMemory):
2523         (JSC::VM::updateStackLimits):
2524         (JSC::VM::updateStackLimit): Deleted.
2525         * runtime/VM.h:
2526         (JSC::VM::stackLimit):
2527         (JSC::VM::softStackLimit):
2528         (JSC::VM::addressOfSoftStackLimit):
2529         (JSC::VM::setCLoopStackLimit):
2530         (JSC::VM::isSafeToRecurse):
2531         (JSC::VM::lastStackTop):
2532         (JSC::VM::setException):
2533         * runtime/VMInlines.h:
2534         (JSC::VM::ensureStackCapacityFor):
2535         (JSC::VM::isSafeToRecurseSoft):
2536         (JSC::VM::shouldTriggerTermination):
2537         * tests/stress/promise-infinite-recursion-should-not-crash.js: Added.
2538         (testPromise):
2539         (promiseFunc):
2540         * yarr/YarrPattern.cpp:
2541
2542 2016-07-12  Per Arne Vollan  <pvollan@apple.com>
2543
2544         [Win] Fix for build error when trying to version stamp dll.
2545         https://bugs.webkit.org/show_bug.cgi?id=159692
2546
2547         Reviewed by Brent Fulgham.
2548
2549         Use correct path to version stamp script.
2550
2551         * CMakeLists.txt:
2552
2553 2016-07-12  Benjamin Poulain  <bpoulain@apple.com>
2554
2555         [JSC] Array.prototype.join() fails some conformance tests
2556         https://bugs.webkit.org/show_bug.cgi?id=159657
2557
2558         Reviewed by Saam Barati.
2559
2560         There were a couple of failures:
2561         -separator.toString() was called *before* we get the length
2562          and process ToLength() on it.
2563         -We were using toUInt32() on length instead of ToLength(),
2564          failing on big integers and various negative numbers.
2565
2566         Additionally, I replaced the "fast" ArrayStorage path
2567         by a fully generic implementation that does not depends on StringJoiner.
2568
2569         The reason is StringJoiner was doing poorly on sparse objects
2570         in certain cases.
2571         If you have a sparse object with a length > INT_MAX but very few
2572         indices defined, and you join on the empty string, it should be possible
2573         to join the array (albeit very slowly). With StringJoiner, we fail
2574         because we try to allocate > INT_MAX empty strings in a contiguous vector.
2575
2576         * runtime/ArrayPrototype.cpp:
2577         (JSC::slowJoin):
2578         (JSC::canUseFastJoin):
2579         (JSC::fastJoin):
2580         (JSC::arrayProtoFuncJoin):
2581         (JSC::join): Deleted.
2582         * runtime/JSArray.h:
2583         (JSC::toLength):
2584
2585 2016-07-12  Mark Lam  <mark.lam@apple.com>
2586
2587         More stack limit and reserved zone renaming.
2588         https://bugs.webkit.org/show_bug.cgi?id=159690
2589
2590         Rubber-stamped by Geoffrey Garen.
2591
2592         We should rename the following:
2593             osStackLimitWithReserve => softStackLimit
2594             reservedZoneSize => softReservedZoneSize
2595             errorModeReservedZoneSize => reservedZoneSize
2596
2597         * API/tests/PingPongStackOverflowTest.cpp:
2598         (testPingPongStackOverflow):
2599         * dfg/DFGJITCompiler.cpp:
2600         (JSC::DFG::JITCompiler::compile):
2601         (JSC::DFG::JITCompiler::compileFunction):
2602         * ftl/FTLLowerDFGToB3.cpp:
2603         (JSC::FTL::DFG::LowerDFGToB3::lower):
2604         * interpreter/CLoopStack.cpp:
2605         (JSC::CLoopStack::CLoopStack):
2606         (JSC::CLoopStack::grow):
2607         (JSC::CLoopStack::releaseExcessCapacity):
2608         (JSC::CLoopStack::addToCommittedByteCount):
2609         (JSC::CLoopStack::setSoftReservedZoneSize):
2610         (JSC::CLoopStack::setReservedZoneSize): Deleted.
2611         * interpreter/CLoopStack.h:
2612         (JSC::CLoopStack::size):
2613         * interpreter/CLoopStackInlines.h:
2614         (JSC::CLoopStack::shrink):
2615         * jit/JIT.cpp:
2616         (JSC::JIT::compileWithoutLinking):
2617         * jit/SetupVarargsFrame.cpp:
2618         (JSC::emitSetupVarargsFrameFastCase):
2619         * llint/LLIntSlowPaths.cpp:
2620         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2621         * llint/LowLevelInterpreter.asm:
2622         * llint/LowLevelInterpreter32_64.asm:
2623         * llint/LowLevelInterpreter64.asm:
2624         * runtime/ErrorHandlingScope.cpp:
2625         (JSC::ErrorHandlingScope::ErrorHandlingScope):
2626         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
2627         * runtime/ErrorHandlingScope.h:
2628         * runtime/Options.h:
2629         * runtime/RegExp.cpp:
2630         (JSC::RegExp::finishCreation):
2631         (JSC::RegExp::compile):
2632         (JSC::RegExp::compileMatchOnly):
2633         * runtime/VM.cpp:
2634         (JSC::VM::VM):
2635         (JSC::VM::setStackPointerAtVMEntry):
2636         (JSC::VM::updateSoftReservedZoneSize):
2637         (JSC::VM::updateStackLimit):
2638         (JSC::VM::updateReservedZoneSize): Deleted.
2639         * runtime/VM.h:
2640         (JSC::VM::stackPointerAtVMEntry):
2641         (JSC::VM::softReservedZoneSize):
2642         (JSC::VM::softStackLimit):
2643         (JSC::VM::addressOfSoftStackLimit):
2644         (JSC::VM::cloopStackLimit):
2645         (JSC::VM::setCLoopStackLimit):
2646         (JSC::VM::isSafeToRecurse):
2647         (JSC::VM::reservedZoneSize): Deleted.
2648         (JSC::VM::osStackLimitWithReserve): Deleted.
2649         (JSC::VM::addressOfOSStackLimitWithReserve): Deleted.
2650         * runtime/VMInlines.h:
2651         (JSC::VM::ensureStackCapacityFor):
2652         * wasm/WASMFunctionCompiler.h:
2653         (JSC::WASMFunctionCompiler::startFunction):
2654
2655 2016-07-12  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
2656
2657         Remove ENABLE_CSS3_TEXT_LINE_BREAK flag
2658         https://bugs.webkit.org/show_bug.cgi?id=159671
2659
2660         Reviewed by Csaba Osztrogonác.
2661
2662         ENABLE_CSS3_TEXT_LINE_BREAK feature was implemented without guards.
2663         https://bugs.webkit.org/show_bug.cgi?id=89235
2664
2665         So this guard can be removed in build scripts.
2666
2667         * Configurations/FeatureDefines.xcconfig:
2668
2669 2016-07-12  Per Arne Vollan  <pvollan@apple.com>
2670
2671         [Win] DLLs are missing version information.
2672         https://bugs.webkit.org/show_bug.cgi?id=159349
2673
2674         Reviewed by Brent Fulgham.
2675
2676         Generate autoversion.h and run perl version stamp utility.
2677
2678         * CMakeLists.txt:
2679
2680 2016-07-11  Caio Lima  <ticaiolima@gmail.com>
2681
2682         ECMAScript 2016: %TypedArray%.prototype.includes implementation
2683         https://bugs.webkit.org/show_bug.cgi?id=159385
2684
2685         Reviewed by Benjamin Poulain.
2686
2687         This patch implements the ECMAScript 2016:
2688         %TypedArray%.prototype.includes
2689         following spec 22.2.3.14
2690         https://tc39.github.io/ecma262/2016/#sec-%typedarray%.prototype.includes
2691
2692         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2693         (JSC::genericTypedArrayViewProtoFuncIncludes):
2694         * runtime/JSTypedArrayViewPrototype.cpp:
2695         (JSC::typedArrayViewProtoFuncIncludes):
2696         (JSC::JSTypedArrayViewPrototype::finishCreation):
2697
2698 2016-07-11  Benjamin Poulain  <benjamin@webkit.org>
2699
2700         [JSC] Array.from() and Array.of() try to build objects even if "this" is not a constructor
2701         https://bugs.webkit.org/show_bug.cgi?id=159604
2702
2703         Reviewed by Yusuke Suzuki.
2704
2705         The spec says IsConstructor(), we were just checking if "this"
2706         is any function.
2707
2708         * builtins/ArrayConstructor.js:
2709         (of):
2710         (from):
2711
2712 2016-07-11  Keith Miller  <keith_miller@apple.com>
2713
2714         defineProperty on a index of a TypedArray should throw if configurable
2715         https://bugs.webkit.org/show_bug.cgi?id=159653
2716
2717         Reviewed by Saam Barati.
2718
2719         When I fixed this before I misread the spec and thought it said we
2720         should throw if the descriptor said the proprety is not
2721         configurable. This is the opposite. We should throw if the
2722         descriptor says the property is configurable.
2723
2724         * runtime/JSGenericTypedArrayViewInlines.h:
2725         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
2726         * tests/stress/typedarray-access-monomorphic-neutered.js:
2727         * tests/stress/typedarray-access-neutered.js:
2728         * tests/stress/typedarray-configure-index.js: Added.
2729         (assert):
2730         (assertThrows):
2731         (makeDescriptor):
2732         (test):
2733
2734 2016-07-11  Saam Barati  <sbarati@apple.com>
2735
2736         some paths in Array.prototype.splice don't account for the array not having certain indexed properties
2737         https://bugs.webkit.org/show_bug.cgi?id=159641
2738         <rdar://problem/27171999>
2739
2740         Reviewed by Filip Pizlo and Keith Miller.
2741
2742         Array.prototype.splice was incorrectly putting properties on
2743         the result array even if the |this| array didn't have those
2744         properties. This is not the behavior of the spec. However, this
2745         could also cause a crash because we can construct a program where
2746         we would putByIndex on a typed array where the value we are
2747         putting is JSValue(). This is bad because the typed array will
2748         try to convert JSValue() into an integer.
2749
2750         * runtime/ArrayPrototype.cpp:
2751         (JSC::arrayProtoFuncSplice):
2752         * tests/stress/array-prototype-splice-making-typed-array.js: Added.
2753         (assert):
2754         (test):
2755
2756 2016-07-11  Mark Lam  <mark.lam@apple.com>
2757
2758         Refactor JSStack to only be the stack data structure for the C Loop.
2759         https://bugs.webkit.org/show_bug.cgi?id=159545
2760
2761         Reviewed by Geoffrey Garen.
2762
2763         Changes made:
2764         1. Renamed JSStack to CLoopStack.
2765         2. Made all of CLoopStack code to conditional on #if !ENABLE(JIT) i.e. they will
2766            only be in effect for the C Loop build.
2767         3. Changed clients of JSStack to use new equivalent VM APIs:
2768             a. JSStack::ensureCapacityFor() => VM::ensureStackCapacityFor()
2769             b. JSStack::committedByteCount() => VM::committedStackByteCount()
2770         4. Made VM::updateReservedZoneSize() call CLoopStack::setReservedZoneSize()
2771            instead of calling it from all the clients of VM::updateReservedZoneSize().
2772         5. Removed all unnecessary references to JSStack.
2773
2774         * CMakeLists.txt:
2775         * JavaScriptCore.xcodeproj/project.pbxproj:
2776         * assembler/MaxFrameExtentForSlowPathCall.h:
2777         * bytecode/BytecodeConventions.h:
2778         * dfg/DFGGraph.h:
2779         * dfg/DFGOSREntry.cpp:
2780         (JSC::DFG::prepareOSREntry):
2781         * ftl/FTLOSREntry.cpp:
2782         (JSC::FTL::prepareOSREntry):
2783         * heap/Heap.cpp:
2784         (JSC::Heap::finalizeUnconditionalFinalizers):
2785         (JSC::Heap::willStartIterating):
2786         (JSC::Heap::gatherJSStackRoots):
2787         (JSC::Heap::stack): Deleted.
2788         * heap/Heap.h:
2789         * interpreter/CLoopStack.cpp: Copied from Source/JavaScriptCore/interpreter/JSStack.cpp.
2790         (JSC::commitSize):
2791         (JSC::CLoopStack::CLoopStack):
2792         (JSC::CLoopStack::~CLoopStack):
2793         (JSC::CLoopStack::grow):
2794         (JSC::CLoopStack::gatherConservativeRoots):
2795         (JSC::CLoopStack::sanitizeStack):
2796         (JSC::CLoopStack::releaseExcessCapacity):
2797         (JSC::CLoopStack::addToCommittedByteCount):
2798         (JSC::CLoopStack::setReservedZoneSize):
2799         (JSC::CLoopStack::committedByteCount):
2800         (JSC::JSStack::JSStack): Deleted.
2801         (JSC::JSStack::~JSStack): Deleted.
2802         (JSC::JSStack::growSlowCase): Deleted.
2803         (JSC::JSStack::gatherConservativeRoots): Deleted.
2804         (JSC::JSStack::sanitizeStack): Deleted.
2805         (JSC::JSStack::releaseExcessCapacity): Deleted.
2806         (JSC::JSStack::addToCommittedByteCount): Deleted.
2807         (JSC::JSStack::setReservedZoneSize): Deleted.
2808         (JSC::JSStack::lowAddress): Deleted.
2809         (JSC::JSStack::highAddress): Deleted.
2810         (JSC::JSStack::committedByteCount): Deleted.
2811         * interpreter/CLoopStack.h: Copied from Source/JavaScriptCore/interpreter/JSStack.h.
2812         (JSC::CLoopStack::containsAddress):
2813         (JSC::CLoopStack::lowAddress):
2814         (JSC::CLoopStack::highAddress):
2815         (JSC::CLoopStack::reservationTop):
2816         (JSC::JSStack::containsAddress): Deleted.
2817         (JSC::JSStack::lowAddress): Deleted.
2818         (JSC::JSStack::highAddress): Deleted.
2819         (JSC::JSStack::reservationTop): Deleted.
2820         * interpreter/CLoopStackInlines.h: Copied from Source/JavaScriptCore/interpreter/JSStackInlines.h.
2821         (JSC::CLoopStack::ensureCapacityFor):
2822         (JSC::CLoopStack::topOfFrameFor):
2823         (JSC::CLoopStack::topOfStack):
2824         (JSC::CLoopStack::shrink):
2825         (JSC::CLoopStack::setCLoopStackLimit):
2826         (JSC::JSStack::ensureCapacityFor): Deleted.
2827         (JSC::JSStack::topOfFrameFor): Deleted.
2828         (JSC::JSStack::topOfStack): Deleted.
2829         (JSC::JSStack::shrink): Deleted.
2830         (JSC::JSStack::grow): Deleted.
2831         (JSC::JSStack::setCLoopStackLimit): Deleted.
2832         * interpreter/CallFrame.cpp:
2833         (JSC::CallFrame::unsafeCallSiteIndex):
2834         (JSC::CallFrame::currentVPC):
2835         (JSC::CallFrame::stack): Deleted.
2836         * interpreter/CallFrame.h:
2837         (JSC::ExecState::callerFrameAndPC):
2838         (JSC::ExecState::unsafeCallerFrameAndPC):
2839         * interpreter/Interpreter.cpp:
2840         (JSC::sizeOfVarargs):
2841         (JSC::sizeFrameForForwardArguments):
2842         (JSC::sizeFrameForVarargs):
2843         (JSC::Interpreter::Interpreter):
2844         * interpreter/Interpreter.h:
2845         (JSC::Interpreter::cloopStack):
2846         (JSC::Interpreter::getOpcode):
2847         (JSC::Interpreter::isCallBytecode):
2848         (JSC::Interpreter::stack): Deleted.
2849         * interpreter/JSStack.cpp: Removed.
2850         * interpreter/JSStack.h: Removed.
2851         * interpreter/JSStackInlines.h: Removed.
2852         * interpreter/StackVisitor.cpp:
2853         (JSC::StackVisitor::Frame::dump):
2854         * jit/JIT.h:
2855         * jit/JITOperations.cpp:
2856         * jit/JSInterfaceJIT.h:
2857         * jit/SpecializedThunkJIT.h:
2858         * jit/ThunkGenerators.cpp:
2859         * llint/LLIntOffsetsExtractor.cpp:
2860         * llint/LLIntSlowPaths.cpp:
2861         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2862         (JSC::LLInt::llint_stack_check_at_vm_entry):
2863         * llint/LLIntThunks.cpp:
2864         * llint/LowLevelInterpreter.cpp:
2865         (JSC::CLoop::execute):
2866         * runtime/CommonSlowPaths.cpp:
2867         (JSC::SLOW_PATH_DECL):
2868         * runtime/CommonSlowPaths.h:
2869         (JSC::CommonSlowPaths::arityCheckFor):
2870         * runtime/ErrorHandlingScope.cpp:
2871         (JSC::ErrorHandlingScope::ErrorHandlingScope):
2872         (JSC::ErrorHandlingScope::~ErrorHandlingScope):
2873         * runtime/JSGlobalObject.h:
2874         * runtime/MemoryStatistics.cpp:
2875         (JSC::globalMemoryStatistics):
2876         * runtime/StackAlignment.h:
2877         * runtime/VM.cpp:
2878         (JSC::VM::VM):
2879         (JSC::VM::updateReservedZoneSize):
2880         (JSC::sanitizeStackForVM):
2881         (JSC::VM::committedStackByteCount):
2882         * runtime/VM.h:
2883         (JSC::VM::reservedZoneSize):
2884         (JSC::VM::osStackLimitWithReserve):
2885         (JSC::VM::addressOfOSStackLimitWithReserve):
2886         * runtime/VMInlines.h:
2887         (JSC::VM::ensureStackCapacityFor):
2888         (JSC::VM::shouldTriggerTermination):
2889
2890 2016-07-11  Keith Miller  <keith_miller@apple.com>
2891
2892         STP TypedArray.subarray 5x slowdown compared to 9.1
2893         https://bugs.webkit.org/show_bug.cgi?id=156404
2894         <rdar://problem/26493032>
2895
2896         Reviewed by Geoffrey Garen.
2897
2898         This patch moves the species constructor work for
2899         %TypedArray%.prototype.subarray to a js wrapper. By moving the
2900         species constructor work to JS we are able to completely optimize
2901         it out in DFG. The actual work of creating a TypedArray is still
2902         done in C++ since we are able to avoid calling into the
2903         constructor, which is expensive. This patch also changes the error
2904         message when a %TypedArray%.prototype function is passed a non-typed
2905         array this value. Finally, we used to check that the this value
2906         had not been detached, however, this behavior was incorrect.
2907
2908         * builtins/BuiltinNames.h:
2909         * builtins/TypedArrayPrototype.js:
2910         (globalPrivate.typedArraySpeciesConstructor):
2911         (subarray):
2912         * runtime/ConstructData.cpp:
2913         (JSC::construct):
2914         * runtime/ConstructData.h:
2915         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2916         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2917         (JSC::genericTypedArrayViewProtoFuncSubarray): Deleted.
2918         * runtime/JSGlobalObject.cpp:
2919         (JSC::JSGlobalObject::init):
2920         * runtime/JSTypedArrayViewPrototype.cpp:
2921         (JSC::typedArrayViewPrivateFuncLength):
2922         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
2923         (JSC::JSTypedArrayViewPrototype::finishCreation):
2924         (JSC::typedArrayViewProtoFuncSubarray): Deleted.
2925         * runtime/JSTypedArrayViewPrototype.h:
2926
2927 2016-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2928
2929         REGRESSION(r202992): JSC varargs tests are broken
2930         https://bugs.webkit.org/show_bug.cgi?id=159616
2931
2932         Reviewed by Csaba Osztrogonác.
2933
2934         The substitution miss in r202992 causes varargs tests failures in GTK port.
2935
2936         * jit/SetupVarargsFrame.cpp:
2937         (JSC::emitSetupVarargsFrameFastCase):
2938
2939 2016-07-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2940
2941         [ES6] Promise.{all,race} no longer use @@species
2942         https://bugs.webkit.org/show_bug.cgi?id=159615
2943
2944         Reviewed by Keith Miller.
2945
2946         As per the latest ES draft, Promise.{all,race} no longer use @@species.
2947         So, this patch drops FIXMEs.
2948
2949         * builtins/PromiseConstructor.js:
2950         (all):
2951         (race):
2952         * tests/stress/ignore-promise-species.js: Added.
2953         (shouldBe):
2954         (DerivedPromise.prototype.get Symbol):
2955         (DerivedPromise):
2956
2957 2016-07-10  Commit Queue  <commit-queue@webkit.org>
2958
2959         Unreviewed, rolling out r203037.
2960         https://bugs.webkit.org/show_bug.cgi?id=159614
2961
2962         The JSC tests are breaking in elcapitan-debug-tests-jsc and
2963         elcapitan-release-tests-jsc (Requested by caiolima on
2964         #webkit).
2965
2966         Reverted changeset:
2967
2968         "ECMAScript 2016: %TypedArray%.prototype.includes
2969         implementation"
2970         https://bugs.webkit.org/show_bug.cgi?id=159385
2971         http://trac.webkit.org/changeset/203037
2972
2973 2016-07-10  Caio Lima  <ticaiolima@gmail.com>
2974
2975         ECMAScript 2016: %TypedArray%.prototype.includes implementation
2976         https://bugs.webkit.org/show_bug.cgi?id=159385
2977
2978         Reviewed by Benjamin Poulain.
2979
2980         This patch implements the ECMAScript 2016:
2981         %TypedArray%.prototype.includes
2982         following spec 22.2.3.14
2983         https://tc39.github.io/ecma262/2016/#sec-%typedarray%.prototype.includes
2984
2985         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2986         (JSC::genericTypedArrayViewProtoFuncIncludes):
2987         * runtime/JSTypedArrayViewPrototype.cpp:
2988         (JSC::typedArrayViewProtoFuncIncludes):
2989         (JSC::JSTypedArrayViewPrototype::finishCreation):
2990
2991 2016-07-09  Filip Pizlo  <fpizlo@apple.com>
2992
2993         REGRESSION(201900): validation failure for GetByOffset/PutByOffset in VALIDATE((node), node->child1().node() == node->child2().node() || node->child1()->result() == NodeResultStorage)
2994         https://bugs.webkit.org/show_bug.cgi?id=159603
2995
2996         Reviewed by Keith Miller.
2997         
2998         This removes an incorrect validation rule and replaces it with a FIXME about how to make this
2999         aspect of IR easier to validate soundly.
3000         
3001         It's not valid to assert that two children of a node are the same. It should always be valid
3002         to take:
3003         
3004         Foo(@x, @x)
3005         
3006         and turn it into:
3007         
3008         a: ValueRep(@x)
3009         b: ValueRep(@x)
3010         Foo(@a, @b)
3011         
3012         or even something like:
3013         
3014         y: Identity(@y)
3015         Foo(@x, @y)
3016         
3017         That's because it should be possible to rewire any data flow edge something that produces an
3018         equivalent value.
3019         
3020         The validation rule that this patch removes meant that such rewirings were invalid on
3021         GetByOffset/PutByOffset. FixupPhase did such a rewiring sometimes.
3022
3023         * dfg/DFGValidate.cpp:
3024         * tests/stress/get-by-offset-double.js: Added.
3025
3026 2016-07-09  Keith Miller  <keith_miller@apple.com>
3027
3028         appendMemcpy might fail in concatAppendOne
3029         https://bugs.webkit.org/show_bug.cgi?id=159601
3030         <rdar://problem/27211300>
3031
3032         Reviewed by Mark Lam.
3033
3034         There are multiple reasons why we might fail appendMemcpy. One
3035         reason, which I suspect was the source of the crashes, is that one
3036         of the Array prototypes has an indexed property. This patch
3037         consolidates the two old cases by just creating an array then
3038         attempting to memcpy append. If that fails, we fall back to
3039         moveElements.
3040
3041         * runtime/ArrayPrototype.cpp:
3042         (JSC::concatAppendOne):
3043         * tests/stress/concat-with-holesMustForwardToPrototype.js: Added.
3044         (arrayEq):
3045
3046 2016-07-09  Benjamin Poulain  <bpoulain@apple.com>
3047
3048         [JSC] Fix the Template Raw Value of \ (escape) + LineTerminatorSequence
3049         https://bugs.webkit.org/show_bug.cgi?id=159595
3050
3051         Reviewed by Yusuke Suzuki.
3052
3053         The spec (https://tc39.github.io/ecma262/#sec-static-semantics-tv-and-trv)
3054         says:
3055         "The TRV of LineContinuation::\LineTerminatorSequence is the sequence
3056          consisting of the code unit value 0x005C followed by the code units
3057          of TRV of LineTerminatorSequence."
3058         
3059         We were not normalizing the LineTerminatorSequence in that case, but it should
3060         be as it is the TRV of LineTerminatorSequence.
3061
3062         * parser/Lexer.cpp:
3063         (JSC::Lexer<T>::parseTemplateLiteral):
3064         * tests/stress/tagged-templates-raw-strings.js:
3065
3066 2016-07-08  Saam Barati  <sbarati@apple.com>
3067
3068         We may add a ReadOnly property without setting the corresponding bit on Structure
3069         https://bugs.webkit.org/show_bug.cgi?id=159542
3070         <rdar://problem/27084591>
3071
3072         Reviewed by Benjamin Poulain.
3073
3074         The reason this usually is OK is due to happenstance. Often, instances that putDirectWithoutTransition
3075         also happen to have a static property table. Having a static property table causes the
3076         HasReadOnlyOrGetterSetterPropertiesExcludingProto on the structure to be set. However, 
3077         there are times where an object calls putDirectWithoutTransition, and it doesn't have a
3078         static property hash table. The fix is simple, putDirectWithTransition needs to set the
3079         HasReadOnlyOrGetterSetterPropertiesExcludingProto if it puts a ReadOnly property.
3080
3081         * runtime/JSObject.h:
3082         (JSC::JSObject::putDirectWithoutTransition):
3083         * tests/stress/proper-property-store-with-prototype-property-that-is-not-writable.js: Added.
3084         (assert):
3085
3086 2016-07-08  Michael Saboff  <msaboff@apple.com>
3087
3088         ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *)
3089         https://bugs.webkit.org/show_bug.cgi?id=159588
3090
3091         Reviewed by Geoffrey Garen.
3092
3093         We were jettisoning a CodeBlock during GC that won't survive and its owning script
3094         won't survive either.  We can't install any code on the owning script as that involves
3095         a write barrier that will "pull" the script back into the remembered set.  Badness would
3096         ensue.  Added an early return in CodeBlock::jettison() when we are garbage collecting
3097         and the owning script isn't marked.
3098
3099         * bytecode/CodeBlock.cpp:
3100         (JSC::CodeBlock::jettison):
3101
3102 2016-07-08  Mark Lam  <mark.lam@apple.com>
3103
3104         Move CallFrame header info from JSStack.h to CallFrame.h
3105         https://bugs.webkit.org/show_bug.cgi?id=159549
3106
3107         Reviewed by Geoffrey Garen.
3108
3109         CallFrame.h is a much better location for CallFrame header info.
3110
3111         Replaced CallFrame::init() with ExecState::initGlobalExec() because normal
3112         CallFrames are setup by a different mechanism now.  Only the globalExec is still
3113         using it.  So, might as well change it to be specifically for the globalExec.
3114
3115         Removed the use of JSStack::containsAddress() in ExecState::initGlobalExec()
3116         because it is not relevant to the globalExec.
3117
3118         Also removed some unused code: JSStack::gatherConservativeRoots() and
3119         JSStack::sanitizeStack() is never called for JIT builds.
3120
3121         * bytecode/PolymorphicAccess.cpp:
3122         (JSC::AccessCase::generateImpl):
3123         * bytecode/VirtualRegister.h:
3124         (JSC::VirtualRegister::isValid):
3125         (JSC::VirtualRegister::isLocal):
3126         (JSC::VirtualRegister::isArgument):
3127         (JSC::VirtualRegister::isHeader):
3128         (JSC::VirtualRegister::isConstant):
3129         (JSC::VirtualRegister::toLocal):
3130         (JSC::VirtualRegister::toArgument):
3131         * bytecompiler/BytecodeGenerator.cpp:
3132         (JSC::BytecodeGenerator::BytecodeGenerator):
3133         (JSC::BytecodeGenerator::emitCall):
3134         (JSC::BytecodeGenerator::emitConstruct):
3135         * bytecompiler/BytecodeGenerator.h:
3136         (JSC::CallArguments::thisRegister):
3137         (JSC::CallArguments::argumentRegister):
3138         (JSC::CallArguments::stackOffset):
3139         (JSC::CallArguments::argumentCountIncludingThis):
3140         (JSC::CallArguments::argumentsNode):
3141         (JSC::BytecodeGenerator::registerFor):
3142         * bytecompiler/NodesCodegen.cpp:
3143         (JSC::emitHomeObjectForCallee):
3144         (JSC::emitGetSuperFunctionForConstruct):
3145         (JSC::CallArguments::CallArguments):
3146         * dfg/DFGArgumentsEliminationPhase.cpp:
3147         * dfg/DFGArgumentsUtilities.cpp:
3148         (JSC::DFG::argumentsInvolveStackSlot):
3149         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
3150         * dfg/DFGByteCodeParser.cpp:
3151         (JSC::DFG::ByteCodeParser::get):
3152         (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
3153         (JSC::DFG::ByteCodeParser::flush):
3154         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
3155         (JSC::DFG::ByteCodeParser::getArgumentCount):
3156         (JSC::DFG::ByteCodeParser::inlineCall):
3157         (JSC::DFG::ByteCodeParser::handleInlining):
3158         (JSC::DFG::ByteCodeParser::handleGetById):
3159         (JSC::DFG::ByteCodeParser::handlePutById):
3160         (JSC::DFG::ByteCodeParser::parseBlock):
3161         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3162         * dfg/DFGClobberize.h:
3163         (JSC::DFG::clobberize):
3164         * dfg/DFGGraph.cpp:
3165         (JSC::DFG::Graph::isLiveInBytecode):
3166         * dfg/DFGGraph.h:
3167         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
3168         * dfg/DFGJITCompiler.cpp:
3169         (JSC::DFG::JITCompiler::compileEntry):
3170         (JSC::DFG::JITCompiler::compileSetupRegistersForEntry):
3171         (JSC::DFG::JITCompiler::compileFunction):
3172         * dfg/DFGJITCompiler.h:
3173         (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
3174         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3175         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
3176         * dfg/DFGOSREntry.cpp:
3177         (JSC::DFG::prepareOSREntry):
3178         * dfg/DFGOSRExitCompiler.cpp:
3179         (JSC::DFG::OSRExitCompiler::emitRestoreArguments):
3180         * dfg/DFGOSRExitCompilerCommon.cpp:
3181         (JSC::DFG::reifyInlinedCallFrames):
3182         * dfg/DFGOSRExitCompilerCommon.h:
3183         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
3184         * dfg/DFGPreciseLocalClobberize.h:
3185         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
3186         * dfg/DFGSpeculativeJIT.cpp:
3187         (JSC::DFG::SpeculativeJIT::emitGetLength):
3188         (JSC::DFG::SpeculativeJIT::emitGetCallee):
3189         (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
3190         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3191         * dfg/DFGSpeculativeJIT32_64.cpp:
3192         (JSC::DFG::SpeculativeJIT::emitCall):
3193         (JSC::DFG::SpeculativeJIT::compile):
3194         * dfg/DFGSpeculativeJIT64.cpp:
3195         (JSC::DFG::SpeculativeJIT::emitCall):
3196         (JSC::DFG::SpeculativeJIT::compile):
3197         * dfg/DFGStackLayoutPhase.cpp:
3198         (JSC::DFG::StackLayoutPhase::run):
3199         * dfg/DFGThunks.cpp:
3200         (JSC::DFG::osrEntryThunkGenerator):
3201         * ftl/FTLLink.cpp:
3202         (JSC::FTL::link):
3203         * ftl/FTLLowerDFGToB3.cpp:
3204         (JSC::FTL::DFG::LowerDFGToB3::lower):
3205         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3206         (JSC::FTL::DFG::LowerDFGToB3::compileGetCallee):
3207         (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis):
3208         (JSC::FTL::DFG::LowerDFGToB3::compileGetScope):
3209         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
3210         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3211         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
3212         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
3213         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
3214         (JSC::FTL::DFG::LowerDFGToB3::getCurrentCallee):
3215         (JSC::FTL::DFG::LowerDFGToB3::getArgumentsStart):
3216         (JSC::FTL::DFG::LowerDFGToB3::callPreflight):
3217         * ftl/FTLOSRExitCompiler.cpp:
3218         (JSC::FTL::compileStub):
3219         * ftl/FTLSlowPathCall.h:
3220         (JSC::FTL::callOperation):
3221         * interpreter/CallFrame.cpp:
3222         (JSC::ExecState::initGlobalExec):
3223         (JSC::CallFrame::callSiteBitsAreBytecodeOffset):
3224         (JSC::CallFrame::callSiteAsRawBits):
3225         (JSC::CallFrame::unsafeCallSiteAsRawBits):
3226         (JSC::CallFrame::callSiteIndex):
3227         (JSC::CallFrame::setCurrentVPC):
3228         (JSC::CallFrame::callSiteBitsAsBytecodeOffset):
3229         * interpreter/CallFrame.h:
3230         (JSC::CallSiteIndex::CallSiteIndex):
3231         (JSC::ExecState::calleeAsValue):
3232         (JSC::ExecState::callee):
3233         (JSC::ExecState::unsafeCallee):
3234         (JSC::ExecState::codeBlock):
3235         (JSC::ExecState::unsafeCodeBlock):
3236         (JSC::ExecState::scope):
3237         (JSC::ExecState::setCallerFrame):
3238         (JSC::ExecState::setScope):
3239         (JSC::ExecState::argumentCount):
3240         (JSC::ExecState::argumentCountIncludingThis):
3241         (JSC::ExecState::argumentOffset):
3242         (JSC::ExecState::argumentOffsetIncludingThis):
3243         (JSC::ExecState::offsetFor):
3244         (JSC::ExecState::noCaller):
3245         (JSC::ExecState::setArgumentCountIncludingThis):
3246         (JSC::ExecState::setCallee):
3247         (JSC::ExecState::setCodeBlock):
3248         (JSC::ExecState::setReturnPC):
3249         (JSC::ExecState::argIndexForRegister):
3250         (JSC::ExecState::callerFrameAndPC):
3251         (JSC::ExecState::unsafeCallerFrameAndPC):
3252         (JSC::ExecState::init): Deleted.
3253         * interpreter/Interpreter.cpp:
3254         (JSC::Interpreter::dumpRegisters):
3255         * interpreter/Interpreter.h:
3256         (JSC::calleeFrameForVarargs):
3257         * interpreter/JSStack.h:
3258         (JSC::JSStack::containsAddress):
3259         (JSC::JSStack::gatherConservativeRoots): Deleted.
3260         (JSC::JSStack::sanitizeStack): Deleted.
3261         * jit/AssemblyHelpers.cpp:
3262         (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
3263         (JSC::AssemblyHelpers::emitRandomThunk):
3264         * jit/AssemblyHelpers.h:
3265         (JSC::AssemblyHelpers::restoreReturnAddressBeforeReturn):
3266         (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
3267         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
3268         (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
3269         (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
3270         (JSC::AssemblyHelpers::emitPutToCallFrameHeaderBeforePrologue):
3271         (JSC::AssemblyHelpers::emitPutPayloadToCallFrameHeaderBeforePrologue):
3272         (JSC::AssemblyHelpers::emitPutTagToCallFrameHeaderBeforePrologue):
3273         (JSC::AssemblyHelpers::calleeFrameSlot):
3274         * jit/CCallHelpers.cpp:
3275         (JSC::CCallHelpers::logShadowChickenProloguePacket):
3276         * jit/CCallHelpers.h:
3277         (JSC::CCallHelpers::prepareForTailCallSlow):
3278         * jit/CallFrameShuffler.cpp:
3279         (JSC::CallFrameShuffler::CallFrameShuffler):
3280         (JSC::CallFrameShuffler::dump):
3281         (JSC::CallFrameShuffler::extendFrameIfNeeded):
3282         (JSC::CallFrameShuffler::prepareForSlowPath):
3283         (JSC::CallFrameShuffler::prepareForTailCall):
3284         (JSC::CallFrameShuffler::prepareAny):
3285         * jit/CallFrameShuffler.h:
3286         (JSC::CallFrameShuffler::snapshot):
3287         (JSC::CallFrameShuffler::setCalleeJSValueRegs):
3288         (JSC::CallFrameShuffler::assumeCalleeIsCell):
3289         (JSC::CallFrameShuffler::numLocals):
3290         (JSC::CallFrameShuffler::getOld):
3291         (JSC::CallFrameShuffler::setOld):
3292         (JSC::CallFrameShuffler::firstOld):
3293         (JSC::CallFrameShuffler::lastOld):
3294         (JSC::CallFrameShuffler::isValidOld):
3295         (JSC::CallFrameShuffler::argCount):
3296         (JSC::CallFrameShuffler::getNew):
3297         * jit/JIT.cpp:
3298         (JSC::JIT::compileWithoutLinking):
3299         * jit/JIT.h:
3300         * jit/JITCall.cpp:
3301         (JSC::JIT::compileSetupVarargsFrame):
3302         (JSC::JIT::compileCallEvalSlowCase):
3303         (JSC::JIT::compileOpCall):
3304         * jit/JITCall32_64.cpp:
3305         (JSC::JIT::compileSetupVarargsFrame):
3306         (JSC::JIT::compileCallEvalSlowCase):
3307         (JSC::JIT::compileOpCall):
3308         * jit/JITInlines.h:
3309         (JSC::JIT::getConstantOperand):
3310         (JSC::JIT::emitPutIntToCallFrameHeader):
3311         (JSC::JIT::updateTopCallFrame):
3312         * jit/JITOpcodes.cpp:
3313         (JSC::JIT::emit_op_get_scope):
3314         (JSC::JIT::emit_op_argument_count):
3315         (JSC::JIT::emit_op_get_rest_length):
3316         * jit/JITOpcodes32_64.cpp:
3317         (JSC::JIT::privateCompileCTINativeCall):
3318         (JSC::JIT::emit_op_get_scope):
3319         * jit/JSInterfaceJIT.h:
3320         (JSC::JSInterfaceJIT::emitJumpIfNotType):
3321         (JSC::JSInterfaceJIT::emitGetFromCallFrameHeaderPtr):
3322         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
3323         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
3324         * jit/SetupVarargsFrame.cpp:
3325         (JSC::emitSetVarargsFrame):
3326         (JSC::emitSetupVarargsFrameFastCase):
3327         * jit/SpecializedThunkJIT.h:
3328         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
3329         * jit/ThunkGenerators.cpp:
3330         (JSC::nativeForGenerator):
3331         (JSC::arityFixupGenerator):
3332         (JSC::boundThisNoArgsFunctionCallGenerator):
3333         * llint/LLIntData.cpp:
3334         (JSC::LLInt::Data::performAssertions):
3335         * llint/LLIntSlowPaths.cpp:
3336         (JSC::LLInt::genericCall):
3337         (JSC::LLInt::varargsSetup):
3338         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3339         * runtime/CommonSlowPaths.h:
3340         (JSC::CommonSlowPaths::arityCheckFor):
3341         * runtime/JSGlobalObject.cpp:
3342         (JSC::JSGlobalObject::init):
3343         * runtime/JSGlobalObject.h:
3344         * runtime/StackAlignment.h:
3345         (JSC::roundArgumentCountToAlignFrame):
3346         (JSC::roundLocalRegisterCountForFramePointerOffset):
3347         (JSC::logStackAlignmentRegisters):
3348         * wasm/WASMFunctionCompiler.h:
3349         (JSC::WASMFunctionCompiler::startFunction):
3350         (JSC::WASMFunctionCompiler::endFunction):
3351         (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer):
3352         (JSC::WASMFunctionCompiler::callAndUnboxResult):
3353         * wasm/WASMFunctionSyntaxChecker.h:
3354         (JSC::WASMFunctionSyntaxChecker::updateTempStackHeightForCall):
3355
3356 2016-07-08  Chris Dumez  <cdumez@apple.com>
3357
3358         Object.defineProperty() should maintain existing getter / setter if not overridden in the new descriptor
3359         https://bugs.webkit.org/show_bug.cgi?id=159576
3360         <rdar://problem/27242197>
3361
3362         Reviewed by Mark Lam.
3363
3364         Object.defineProperty() should maintain existing getter / setter if not
3365         overridden in the new descriptor. Previously, if the property is a had
3366         a custom getter / setter, and if the new descriptor only had a setter
3367         (or only a getter), JSC would clear the existing getter (or setter).
3368         This behavior did not match the EcmaScript specification or Firefox /
3369         Chrome. This patch fixes the issue.
3370
3371         This fixes searching and search suggestions on www.iciba.com.
3372
3373         * runtime/JSObject.cpp: