3351930b62ae448830a27b0142ca9e43bd0f0b31
[WebKit.git] / Source / JavaScriptCore / ChangeLog
1 2016-06-01  Michael Saboff  <msaboff@apple.com>
2
3         Runaway WebContent process CPU & memory @ foxnews.com
4         https://bugs.webkit.org/show_bug.cgi?id=158290
5
6         Reviewed by Mark Lam.
7
8         Clear the thrown value at the end of the catch block so that the stack scanner won't
9         find the value during GC.
10
11         Added a new stress test.
12
13         * bytecompiler/NodesCodegen.cpp:
14         (JSC::TryNode::emitBytecode):
15         * tests/stress/recursive-try-catch.js: Added.
16         (logError):
17         (tryCallingBadFunction):
18         (recurse):
19         (test):
20
21 2016-06-01  Benjamin Poulain  <bpoulain@apple.com>
22
23         [JSC] Some setters for components of Date do not timeClip() their result
24         https://bugs.webkit.org/show_bug.cgi?id=158278
25         rdar://problem/25131426
26
27         Reviewed by Geoffrey Garen.
28
29         Many of the setters were not doing timeClip() on the computed UTC
30         time since Epoch.
31
32         See http://www.ecma-international.org/ecma-262/6.0/#sec-date.prototype.setdate
33         and the following sections for the definition.
34
35         * runtime/DatePrototype.cpp:
36         (JSC::setNewValueFromTimeArgs):
37         (JSC::setNewValueFromDateArgs):
38
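Added example, not code from the WebKit ChangeLog or from JSC itself: it models the ECMAScript TimeClip step that the Date component setters must apply, shows the unclipped computation the entry describes as the defect, and checks the host engine's `Date.prototype.setMilliseconds` against the clipped model. The function names (`timeClip`, `modelSetMilliseconds`, `unclippedSetMilliseconds`, `checkSetMilliseconds`) and the sample values are constructed for this example.

```javascript
// Added example; not code from the WebKit ChangeLog or from JSC.
// Models the ECMA-262 TimeClip step that Date component setters must apply
// and compares the host engine's setMilliseconds against that model.

// TimeClip: a time value is only valid within +/-8.64e15 ms of the epoch
// (about +/-100 million days). Anything else becomes NaN; in-range values
// are truncated toward zero.
const MAX_TIME_VALUE_MS = 8.64e15;
const MS_PER_DAY = 86400000;

function timeClip(t) {
  if (!Number.isFinite(t) || Math.abs(t) > MAX_TIME_VALUE_MS) return NaN;
  return Math.trunc(t) + 0; // "+ 0" turns -0 into +0, as the spec's integer conversion does
}

// Reference model of setMilliseconds on a UTC time value: keep the day and
// the hours/minutes/seconds, replace the millisecond component, then clip.
// (The real setter works in local time; at the epoch with small deltas the
// result is identical, which is all the comparison below relies on.)
function modelSetMilliseconds(timeValue, ms) {
  const t = timeClip(timeValue);
  if (Number.isNaN(t)) return NaN;
  const dayStart = Math.floor(t / MS_PER_DAY) * MS_PER_DAY;
  const withinDay = t - dayStart;
  const oldMs = withinDay % 1000;
  return timeClip(dayStart + (withinDay - oldMs) + ms);
}

// The same recomputation without the clip: this is the defect the entry
// describes, a setter that stores an unrepresentable time value instead of NaN.
function unclippedSetMilliseconds(timeValue, ms) {
  const dayStart = Math.floor(timeValue / MS_PER_DAY) * MS_PER_DAY;
  const withinDay = timeValue - dayStart;
  return dayStart + (withinDay - withinDay % 1000) + ms;
}

// Compare the host engine with the clipped model for one millisecond input.
// Date.prototype.setMilliseconds returns the new time value, so it can be
// compared directly. Object.is treats NaN as equal to NaN.
function checkSetMilliseconds(ms) {
  const engine = new Date(0).setMilliseconds(ms);
  const model = modelSetMilliseconds(0, ms);
  return { engine, model, agree: Object.is(engine, model) };
}
```

A useful check for any engine is `checkSetMilliseconds(1e20).agree`: the clipped model yields NaN, and a setter that skips timeClip() would instead return 1e20, a time value no Date method can represent.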
39 2016-06-01  Keith Miller  <keith_miller@apple.com>
40
41         canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than structure watchpoints
42         https://bugs.webkit.org/show_bug.cgi?id=158291
43
44         Reviewed by Benjamin Poulain.
45
46         The old StringObject primitive access code used structure watchpoints. This meant that
47         if you set a watchpoint on String.prototype prior to tiering up to the DFG and then added
48         a new property to String.prototype, we would never use StringObject optimizations.
49         This made property caching in the LLInt bad because it meant we would watchpoint
50         String.prototype very early in the program, which hurt date-format-xpab.js since that
51         benchmark relies on the StringObject optimizations.
52
53         This patch also extends ObjectPropertyConditionSet to be able to handle a slotBase
54         equivalence condition, since that makes the code for generating the DFG watchpoints
55         significantly cleaner.
56
57         * bytecode/ObjectPropertyCondition.cpp:
58         (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
59         * bytecode/ObjectPropertyConditionSet.cpp:
60         (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition):
61         (JSC::ObjectPropertyConditionSet::slotBaseCondition):
62         (JSC::generateConditionsForPrototypeEquivalenceConcurrently):
63         * bytecode/ObjectPropertyConditionSet.h:
64         * dfg/DFGGraph.cpp:
65         (JSC::DFG::Graph::isStringPrototypeMethodSane):
66         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
67         * dfg/DFGGraph.h:
68
69 2016-06-01  Geoffrey Garen  <ggaren@apple.com>
70
71         Unreviewed, rolling in r201436.
72         https://bugs.webkit.org/show_bug.cgi?id=158143
73
74         r201562 should have fixed the Dromaeo DOM core regression.
75
76         Restored changeset:
77
78         "REGRESSION: JSBench spends a lot of time transitioning
79         to/from dictionary"
80         https://bugs.webkit.org/show_bug.cgi?id=158045
81         http://trac.webkit.org/changeset/201436
82
83
84 2016-06-01  Commit Queue  <commit-queue@webkit.org>
85
86         Unreviewed, rolling out r201488.
87         https://bugs.webkit.org/show_bug.cgi?id=158268
88
89         Caused 23% regression on JetStream's crypto-md5 (Requested by
90         rniwa on #webkit).
91
92         Reverted changeset:
93
94         "[ESNext] Support trailing commas in function param lists"
95         https://bugs.webkit.org/show_bug.cgi?id=158020
96         http://trac.webkit.org/changeset/201488
97
98 2016-05-31  Geoffrey Garen  <ggaren@apple.com>
99
100         Dictionary property access should be fast
101         https://bugs.webkit.org/show_bug.cgi?id=158250
102
103         Reviewed by Keith Miller.
104
105         We have some remnant code that unnecessarily takes a slow path for
106         dictionaries. This caused the Dromaeo regression in r201436. Let's fix
107         that.
108
109         * jit/Repatch.cpp:
110         (JSC::tryCacheGetByID): Attempt to flatten a dictionary if necessary, but
111         not too much. This is our idiom in other places.
112
113         (JSC::tryCachePutByID): See tryCacheGetByID.
114
115         * llint/LLIntSlowPaths.cpp:
116         (JSC::LLInt::setupGetByIdPrototypeCache): See tryCacheGetByID.
117
118         * runtime/JSObject.cpp:
119         (JSC::JSObject::fillGetterPropertySlot):
120         * runtime/JSObject.h:
121         (JSC::JSObject::fillCustomGetterPropertySlot): The rules for caching a
122         getter are the same as the rules for caching anything else: We're
123         allowed to cache even in dictionaries, as long as they're cacheable
124         dictionaries. Any transition that would change to/from getter/setter
125         or change other attributes requires a structure transition.
126
127 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
128
129         [JSC] Drop "replace" from JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL_NOT_IMPLEMENTED_YET
130         https://bugs.webkit.org/show_bug.cgi?id=158223
131
132         Reviewed by Darin Adler.
133
134         This list maintains "not implemented yet" well-known symbols.
135         `Symbol.replace` is already implemented.
136
137         * runtime/CommonIdentifiers.h:
138
139 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
140
141         Unreviewed, roll out r201481, r201523: 0.3% regression in Octane code-load
142         https://bugs.webkit.org/show_bug.cgi?id=158249
143
144         * API/JSScriptRef.cpp:
145         (parseScript):
146         * CMakeLists.txt:
147         * DerivedSources.make:
148         * JavaScriptCore.xcodeproj/project.pbxproj:
149         * builtins/AsyncFunctionPrototype.js: Removed.
150         (asyncFunctionResume): Deleted.
151         * builtins/BuiltinExecutables.cpp:
152         (JSC::BuiltinExecutables::createExecutable):
153         * bytecode/BytecodeList.json:
154         * bytecode/BytecodeUseDef.h:
155         (JSC::computeUsesForBytecodeOffset): Deleted.
156         (JSC::computeDefsForBytecodeOffset): Deleted.
157         * bytecode/CodeBlock.cpp:
158         (JSC::CodeBlock::finishCreation):
159         (JSC::CodeBlock::dumpBytecode): Deleted.
160         * bytecode/UnlinkedCodeBlock.h:
161         (JSC::UnlinkedCodeBlock::isArrowFunction):
162         (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction): Deleted.
163         (JSC::UnlinkedCodeBlock::isAsyncArrowFunction): Deleted.
164         * bytecode/UnlinkedFunctionExecutable.cpp:
165         (JSC::generateUnlinkedFunctionCodeBlock):
166         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
167         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
168         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
169         * bytecode/UnlinkedFunctionExecutable.h:
170         * bytecompiler/BytecodeGenerator.cpp:
171         (JSC::BytecodeGenerator::BytecodeGenerator):
172         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
173         (JSC::BytecodeGenerator::emitNewMethodDefinition):
174         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
175         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon): Deleted.
176         (JSC::BytecodeGenerator::emitNewFunction): Deleted.
177         * bytecompiler/BytecodeGenerator.h:
178         (JSC::BytecodeGenerator::makeFunction):
179         * bytecompiler/NodesCodegen.cpp:
180         (JSC::FunctionNode::emitBytecode): Deleted.
181         * inspector/agents/InspectorRuntimeAgent.cpp:
182         (Inspector::InspectorRuntimeAgent::parse):
183         * jit/JIT.cpp:
184         (JSC::JIT::privateCompileMainPass): Deleted.
185         * jit/JIT.h:
186         * jit/JITOpcodes.cpp:
187         (JSC::JIT::emitNewFuncCommon): Deleted.
188         (JSC::JIT::emit_op_new_async_func): Deleted.
189         (JSC::JIT::emitNewFuncExprCommon): Deleted.
190         (JSC::JIT::emit_op_new_async_func_exp): Deleted.
191         * jit/JITOperations.cpp:
192         * jit/JITOperations.h:
193         * jsc.cpp:
194         (runInteractive):
195         (printUsageStatement): Deleted.
196         * llint/LLIntSlowPaths.cpp:
197         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
198         * llint/LLIntSlowPaths.h:
199         * llint/LowLevelInterpreter.asm:
200         * parser/ASTBuilder.h:
201         (JSC::ASTBuilder::createAsyncFunctionBody): Deleted.
202         * parser/Keywords.table:
203         * parser/Parser.cpp:
204         (JSC::Parser<LexerType>::Parser):
205         (JSC::Parser<LexerType>::parseInner):
206         (JSC::Parser<LexerType>::isArrowFunctionParameters):
207         (JSC::Parser<LexerType>::parseStatementListItem):
208         (JSC::Parser<LexerType>::parseStatement):
209         (JSC::Parser<LexerType>::parseFunctionParameters):
210         (JSC::Parser<LexerType>::parseFunctionInfo):
211         (JSC::Parser<LexerType>::parseClass):
212         (JSC::Parser<LexerType>::parseImportClauseItem):
213         (JSC::Parser<LexerType>::parseImportDeclaration):
214         (JSC::Parser<LexerType>::parseExportDeclaration):
215         (JSC::Parser<LexerType>::parseAssignmentExpression):
216         (JSC::Parser<LexerType>::parseProperty):
217         (JSC::Parser<LexerType>::parsePropertyMethod):
218         (JSC::Parser<LexerType>::parsePrimaryExpression):
219         (JSC::Parser<LexerType>::parseMemberExpression):
220         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
221         (JSC::Parser<LexerType>::printUnexpectedTokenText):
222         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements): Deleted.
223         (JSC::Parser<LexerType>::parseVariableDeclarationList): Deleted.
224         (JSC::Parser<LexerType>::parseDestructuringPattern): Deleted.
225         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement): Deleted.
226         (JSC::Parser<LexerType>::parseFormalParameters): Deleted.
227         (JSC::stringForFunctionMode): Deleted.
228         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration): Deleted.
229         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement): Deleted.
230         (JSC::Parser<LexerType>::parseAwaitExpression): Deleted.
231         (JSC::Parser<LexerType>::parseAsyncFunctionExpression): Deleted.
232         (JSC::Parser<LexerType>::parseUnaryExpression): Deleted.
233         * parser/Parser.h:
234         (JSC::Scope::Scope):
235         (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
236         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
237         (JSC::Parser::pushScope):
238         (JSC::Parser::popScopeInternal):
239         (JSC::Parser::matchSpecIdentifier):
240         (JSC::parse):
241         (JSC::Scope::setSourceParseMode): Deleted.
242         (JSC::Scope::isAsyncFunction): Deleted.
243         (JSC::Scope::isAsyncFunctionBoundary): Deleted.
244         (JSC::Scope::isModule): Deleted.
245         (JSC::Scope::setIsFunction): Deleted.
246         (JSC::Scope::setIsAsyncArrowFunction): Deleted.
247         (JSC::Scope::setIsAsyncFunction): Deleted.
248         (JSC::Scope::setIsAsyncFunctionBody): Deleted.
249         (JSC::Scope::setIsAsyncArrowFunctionBody): Deleted.
250         (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError): Deleted.
251         (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction): Deleted.
252         (JSC::Parser::forceClassifyExpressionError): Deleted.
253         (JSC::Parser::declarationTypeToVariableKind): Deleted.
254         (JSC::Parser::upperScope): Deleted.
255         (JSC::Parser::isDisallowedIdentifierAwait): Deleted.
256         (JSC::Parser::disallowedIdentifierAwaitReason): Deleted.
257         * parser/ParserModes.h:
258         (JSC::isFunctionParseMode):
259         (JSC::isModuleParseMode):
260         (JSC::isProgramParseMode):
261         (JSC::SourceParseModeSet::SourceParseModeSet): Deleted.
262         (JSC::SourceParseModeSet::contains): Deleted.
263         (JSC::SourceParseModeSet::mergeSourceParseModes): Deleted.
264         (JSC::isAsyncFunctionParseMode): Deleted.
265         (JSC::isAsyncArrowFunctionParseMode): Deleted.
266         (JSC::isAsyncFunctionWrapperParseMode): Deleted.
267         (JSC::isAsyncFunctionBodyParseMode): Deleted.
268         (JSC::constructAbilityForParseMode): Deleted.
269         * parser/ParserTokens.h:
270         * parser/SourceCodeKey.h:
271         (JSC::SourceCodeKey::SourceCodeKey):
272         (JSC::SourceCodeKey::operator==):
273         (JSC::SourceCodeKey::runtimeFlags): Deleted.
274         * parser/SyntaxChecker.h:
275         (JSC::SyntaxChecker::createAsyncFunctionBody): Deleted.
276         * runtime/AsyncFunctionConstructor.cpp: Removed.
277         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor): Deleted.
278         (JSC::AsyncFunctionConstructor::finishCreation): Deleted.
279         (JSC::callAsyncFunctionConstructor): Deleted.
280         (JSC::constructAsyncFunctionConstructor): Deleted.
281         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
282         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
283         * runtime/AsyncFunctionConstructor.h: Removed.
284         (JSC::AsyncFunctionConstructor::create): Deleted.
285         (JSC::AsyncFunctionConstructor::createStructure): Deleted.
286         * runtime/AsyncFunctionPrototype.cpp: Removed.
287         (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype): Deleted.
288         (JSC::AsyncFunctionPrototype::finishCreation): Deleted.
289         * runtime/AsyncFunctionPrototype.h: Removed.
290         (JSC::AsyncFunctionPrototype::create): Deleted.
291         (JSC::AsyncFunctionPrototype::createStructure): Deleted.
292         * runtime/CodeCache.cpp:
293         (JSC::CodeCache::getGlobalCodeBlock):
294         (JSC::CodeCache::getProgramCodeBlock):
295         (JSC::CodeCache::getEvalCodeBlock):
296         (JSC::CodeCache::getModuleProgramCodeBlock):
297         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
298         * runtime/CodeCache.h:
299         * runtime/CommonIdentifiers.h:
300         * runtime/Completion.cpp:
301         (JSC::checkSyntax):
302         (JSC::checkModuleSyntax):
303         * runtime/Completion.h:
304         * runtime/Executable.cpp:
305         (JSC::ScriptExecutable::newCodeBlockFor):
306         (JSC::ProgramExecutable::checkSyntax):
307         * runtime/Executable.h:
308         * runtime/FunctionConstructor.cpp:
309         (JSC::constructFunctionSkippingEvalEnabledCheck):
310         * runtime/FunctionConstructor.h:
311         * runtime/JSAsyncFunction.cpp: Removed.
312         (JSC::JSAsyncFunction::JSAsyncFunction): Deleted.
313         (JSC::JSAsyncFunction::createImpl): Deleted.
314         (JSC::JSAsyncFunction::create): Deleted.
315         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint): Deleted.
316         * runtime/JSAsyncFunction.h: Removed.
317         (JSC::JSAsyncFunction::allocationSize): Deleted.
318         (JSC::JSAsyncFunction::createStructure): Deleted.
319         * runtime/JSFunction.cpp:
320         (JSC::JSFunction::getOwnPropertySlot):
321         * runtime/JSGlobalObject.cpp:
322         (JSC::JSGlobalObject::createProgramCodeBlock):
323         (JSC::JSGlobalObject::createEvalCodeBlock):
324         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
325         (JSC::JSGlobalObject::init): Deleted.
326         * runtime/JSGlobalObject.h:
327         (JSC::JSGlobalObject::asyncFunctionPrototype): Deleted.
328         (JSC::JSGlobalObject::asyncFunctionStructure): Deleted.
329         * runtime/ModuleLoaderObject.cpp:
330         (JSC::moduleLoaderObjectParseModule):
331         * runtime/RuntimeFlags.h:
332         (JSC::RuntimeFlags::operator==): Deleted.
333         (JSC::RuntimeFlags::operator!=): Deleted.
334         * tests/stress/async-await-basic.js: Removed.
335         (shouldBe): Deleted.
336         (shouldBeAsync): Deleted.
337         (shouldThrow): Deleted.
338         (shouldThrowAsync): Deleted.
339         (shouldThrowSyntaxError): Deleted.
340         (let.AsyncFunction.async): Deleted.
341         (async.asyncFunctionForProto): Deleted.
342         (Object.getPrototypeOf.async): Deleted.
343         (Object.getPrototypeOf.async.method): Deleted.
344         (async): Deleted.
345         (async.method): Deleted.
346         (async.asyncNonConstructorDecl): Deleted.
347         (shouldThrow.new.async): Deleted.
348         (shouldThrow.new.async.nonConstructor): Deleted.
349         (async.asyncDecl): Deleted.
350         (async.f): Deleted.
351         (MyError): Deleted.
352         (async.asyncDeclThrower): Deleted.
353         (shouldThrowAsync.async): Deleted.
354         (resolveLater): Deleted.
355         (rejectLater): Deleted.
356         (async.resumeAfterNormal): Deleted.
357         (O.async.resumeAfterNormal): Deleted.
358         (resumeAfterNormalArrow.async): Deleted.
359         (async.resumeAfterThrow): Deleted.
360         (O.async.resumeAfterThrow): Deleted.
361         (resumeAfterThrowArrow.async): Deleted.
362         (catch): Deleted.
363         * tests/stress/async-await-module-reserved-word.js: Removed.
364         (shouldThrow): Deleted.
365         (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await): Deleted.
366         (checkModuleSyntaxError.String.raw.await): Deleted.
367         (checkModuleSyntaxError.String.raw.async.await): Deleted.
368         (SyntaxError.Cannot.declare.named): Deleted.
369         * tests/stress/async-await-mozilla.js: Removed.
370         (shouldBe): Deleted.
371         (shouldBeAsync): Deleted.
372         (shouldThrow): Deleted.
373         (shouldThrowAsync): Deleted.
374         (assert): Deleted.
375         (shouldThrowSyntaxError): Deleted.
376         (mozSemantics.async.empty): Deleted.
377         (mozSemantics.async.simpleReturn): Deleted.
378         (mozSemantics.async.simpleAwait): Deleted.
379         (mozSemantics.async.simpleAwaitAsync): Deleted.
380         (mozSemantics.async.returnOtherAsync): Deleted.
381         (mozSemantics.async.simpleThrower): Deleted.
382         (mozSemantics.async.delegatedThrower): Deleted.
383         (mozSemantics.async.tryCatch): Deleted.
384         (mozSemantics.async.tryCatchThrow): Deleted.
385         (mozSemantics.async.wellFinally): Deleted.
386         (mozSemantics.async.finallyMayFail): Deleted.
387         (mozSemantics.async.embedded.async.inner): Deleted.
388         (mozSemantics.async.embedded): Deleted.
389         (mozSemantics.async.fib): Deleted.
390         (mozSemantics.async.isOdd.async.isEven): Deleted.
391         (mozSemantics.async.isOdd): Deleted.
392         (mozSemantics.hardcoreFib.async.fib2): Deleted.
393         (mozSemantics.namedAsyncExpr.async.simple): Deleted.
394         (mozSemantics.async.executionOrder.async.first): Deleted.
395         (mozSemantics.async.executionOrder.async.second): Deleted.
396         (mozSemantics.async.executionOrder.async.third): Deleted.
397         (mozSemantics.async.executionOrder): Deleted.
398         (mozSemantics.async.miscellaneous): Deleted.
399         (mozSemantics.thrower): Deleted.
400         (mozSemantics.async.defaultArgs): Deleted.
401         (mozSemantics.shouldThrow): Deleted.
402         (mozSemantics): Deleted.
403         (mozMethods.X): Deleted.
404         (mozMethods.X.prototype.async.getValue): Deleted.
405         (mozMethods.X.prototype.setValue): Deleted.
406         (mozMethods.X.prototype.async.increment): Deleted.
407         (mozMethods.X.prototype.async.getBaseClassName): Deleted.
408         (mozMethods.X.async.getStaticValue): Deleted.
409         (mozMethods.Y.prototype.async.getBaseClassName): Deleted.
410         (mozMethods.Y): Deleted.
411         (mozFunctionNameInferrence.async.test): Deleted.
412         (mozSyntaxErrors): Deleted.
413         * tests/stress/async-await-reserved-word.js: Removed.
414         (assert): Deleted.
415         (shouldThrowSyntaxError): Deleted.
416         (AsyncFunction.async): Deleted.
417         * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Removed.
418         (shouldBe): Deleted.
419         (shouldBeAsync): Deleted.
420         (shouldThrowAsync): Deleted.
421         (noArgumentsArrow2.async): Deleted.
422         * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Removed.
423         (shouldBe): Deleted.
424         (shouldBeAsync): Deleted.
425         (shouldThrowAsync): Deleted.
426         (C1): Deleted.
427         (C2): Deleted.
428         (shouldThrowAsync.async): Deleted.
429         * tests/stress/async_arrow_functions_lexical_super_binding.js: Removed.
430         (shouldBe): Deleted.
431         (shouldBeAsync): Deleted.
432         (BaseClass.prototype.baseClassValue): Deleted.
433         (BaseClass.prototype.get property): Deleted.
434         (BaseClass): Deleted.
435         (ChildClass.prototype.asyncSuperProp): Deleted.
436         (ChildClass.prototype.asyncSuperProp2): Deleted.
437         (ChildClass): Deleted.
438         (ChildClass2): Deleted.
439         * tests/stress/async_arrow_functions_lexical_this_binding.js: Removed.
440         (shouldBe): Deleted.
441         (shouldBeAsync): Deleted.
442         (d.y): Deleted.
443
444 2016-05-31  Commit Queue  <commit-queue@webkit.org>
445
446         Unreviewed, rolling out r201363 and r201456.
447         https://bugs.webkit.org/show_bug.cgi?id=158240
448
449         "40% regression on date-format-xparb" (Requested by
450         keith_miller on #webkit).
451
452         Reverted changesets:
453
454         "LLInt should be able to cache prototype loads for values in
455         GetById"
456         https://bugs.webkit.org/show_bug.cgi?id=158032
457         http://trac.webkit.org/changeset/201363
458
459         "get_by_id should support caching unset properties in the
460         LLInt"
461         https://bugs.webkit.org/show_bug.cgi?id=158136
462         http://trac.webkit.org/changeset/201456
463
464 2016-05-31  Commit Queue  <commit-queue@webkit.org>
465
466         Unreviewed, rolling out r201359.
467         https://bugs.webkit.org/show_bug.cgi?id=158238
468
469         "It was not a speedup on anything" (Requested by saamyjoon on
470         #webkit).
471
472         Reverted changeset:
473
474         "We can cache lookups to JSScope::abstractResolve inside
475         CodeBlock::finishCreation"
476         https://bugs.webkit.org/show_bug.cgi?id=158036
477         http://trac.webkit.org/changeset/201359
478
479 2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
480
481         [JSC] Recover parser performance regression by async support
482         https://bugs.webkit.org/show_bug.cgi?id=158228
483
484         Reviewed by Saam Barati.
485
486         This patch recovers parser performance regression caused in r201481.
487
488         Compared to the version that reverts r201481, a ~1% regression still remains.
489         But compared to ToT, this patch significantly improves the code-load performance.
490
491         In Linux x64 JSCOnly port, with GCC 5.3.1.
492
493         reverted vs. patched.
494                                  reverted                  patched
495
496         closure              0.61805+-0.00376    ?     0.62280+-0.00525       ?
497         jquery               8.03778+-0.02114          8.03453+-0.04646
498
499         <geometric>          2.22883+-0.00836    ?     2.23688+-0.00995       ? might be 1.0036x slower
500
501         ToT vs. patched.
502                                  baseline                  patched
503
504         closure              0.65490+-0.00351    ^     0.62473+-0.00363       ^ definitely 1.0483x faster
505         jquery               8.25373+-0.06256    ^     8.04701+-0.03455       ^ definitely 1.0257x faster
506
507         <geometric>          2.32488+-0.00921    ^     2.24210+-0.00592       ^ definitely 1.0369x faster
508
509         * bytecode/UnlinkedFunctionExecutable.cpp:
510         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
511         * bytecode/UnlinkedFunctionExecutable.h:
512         Extend SourceParseMode.
513
514         * parser/Parser.cpp:
515         (JSC::Parser<LexerType>::parseInner):
516         (JSC::Parser<LexerType>::isArrowFunctionParameters):
517         Avoid calling `matchSpecIdentifier()` as much as we can. This greatly improves the performance.
518
519         (JSC::Parser<LexerType>::parseStatementListItem):
520         (JSC::Parser<LexerType>::parseStatement):
521         (JSC::Parser<LexerType>::parseFunctionParameters):
522         (JSC::Parser<LexerType>::parseFunctionInfo):
523         Do not touch `currentScope()->isGenerator()` even if it is unnecessary in parseFunctionInfo.
524         And accidental `syntaxChecker => context` changes are fixed.
525
526         (JSC::Parser<LexerType>::parseClass):
527         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
528         (JSC::Parser<LexerType>::parseImportClauseItem):
529         (JSC::Parser<LexerType>::parseExportDeclaration):
530         (JSC::Parser<LexerType>::parseAssignmentExpression):
531         Do not use matchSpecIdentifier() in the hot paths.
532
533         (JSC::Parser<LexerType>::parseProperty):
534         (JSC::Parser<LexerType>::parsePrimaryExpression):
535         (JSC::Parser<LexerType>::parseMemberExpression):
536         (JSC::Parser<LexerType>::parseUnaryExpression):
537         (JSC::Parser<LexerType>::printUnexpectedTokenText): Deleted.
538         * parser/Parser.h:
539         (JSC::isIdentifierOrKeyword):
540         AWAIT should be one of the keywords. This AWAIT check is unnecessary.
541
542         (JSC::Parser::upperScope):
543         (JSC::Parser::matchSpecIdentifier):
544         Touching currentScope() and its member causes significant performance degradation.
545         We carefully remove the above access in the hot paths.
546
547         (JSC::Parser::isDisallowedIdentifierAwait):
548         * parser/ParserModes.h:
549         (JSC::SourceParseModeSet::SourceParseModeSet):
550         (JSC::SourceParseModeSet::contains):
551         (JSC::SourceParseModeSet::mergeSourceParseModes):
552         (JSC::isFunctionParseMode):
553         (JSC::isAsyncFunctionParseMode):
554         (JSC::isAsyncArrowFunctionParseMode):
555         (JSC::isAsyncFunctionWrapperParseMode):
556         (JSC::isAsyncFunctionBodyParseMode):
557         (JSC::isModuleParseMode):
558         (JSC::isProgramParseMode):
559         (JSC::constructAbilityForParseMode):
560         The parser frequently checks SourceParseMode, and the number of SourceParseModes has grown large.
561         So using a switch on SourceParseMode degrades the performance. Instead, we use bit tests to guard against
562         many SourceParseModes. We expect that this will be efficiently compiled into test & jmp.
563
564         * parser/ParserTokens.h:
565         Change AWAIT to one of the keywords, the same as YIELD / LET.
566
567 2016-05-31  Saam Barati  <sbarati@apple.com>
568
569         Web Inspector: capturing with Allocations timeline causes GC to take 100x longer and cause frame drops
570         https://bugs.webkit.org/show_bug.cgi?id=158054
571         <rdar://problem/25280762>
572
573         Reviewed by Joseph Pecoraro.
574
575         HeapSnapshot::sweepCell was taking a long time on
576         http://bl.ocks.org/syntagmatic/6c149c08fc9cde682635
577         because it has to do a binary search to find if
578         an item is or is not in the list. 90% of the binary searches
579         would not find anything. This resulted in a lot of wasted time.
580
581         This patch adds a TinyBloomFilter member variable to HeapSnapshot.
582         We use this filter to try to bypass doing a binary search when the
583         filter tells us that a particular JSCell is definitely not in our
584         list. This is a 2x speedup on the steady state GC of the above
585         website.
586
587         * heap/HeapSnapshot.cpp:
588         (JSC::HeapSnapshot::appendNode):
589         (JSC::HeapSnapshot::sweepCell):
590         (JSC::HeapSnapshot::shrinkToFit):
591         (JSC::HeapSnapshot::nodeForCell):
592         * heap/HeapSnapshot.h:
593
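Added example, not JSC's TinyBloomFilter or HeapSnapshot code: it demonstrates the technique the entry describes, a small Bloom filter placed in front of a sorted list so that lookups for addresses that were never recorded skip the binary search entirely, while every recorded address is still found. The class and function names (`BloomFilter`, `SnapshotIndex`, `runDemo`), the murmur3-style hash mixing, the filter size of 1024 bits, and the sample addresses are all constructed for this example.

```javascript
// Added example; not JSC's TinyBloomFilter or HeapSnapshot code.
// A Bloom filter in front of a sorted address list: the filter can say
// "definitely absent" cheaply, so only "maybe present" keys pay for a search.

// murmur3's 32-bit finaliser: a cheap avalanche so that structured keys
// (aligned addresses) spread evenly over the filter's bits.
function fmix32(h) {
  h ^= h >>> 16; h = Math.imul(h, 0x85ebca6b);
  h ^= h >>> 13; h = Math.imul(h, 0xc2b2ae35);
  h ^= h >>> 16;
  return h >>> 0;
}

// Bloom filter with k = 2 hash functions over bitCount bits (a power of two).
// Invariant: mayContain() never returns false for a key that was added
// (no false negatives); it may return true for a key that was not added
// (a false positive), which only costs the search it failed to skip.
class BloomFilter {
  constructor(bitCount) {
    this.mask = bitCount - 1;
    this.words = new Uint32Array(bitCount / 32);
  }
  positions(key) {
    return [fmix32(key) & this.mask, fmix32(key ^ 0x9e3779b9) & this.mask];
  }
  add(key) {
    for (const p of this.positions(key)) this.words[p >>> 5] |= 1 << (p & 31);
  }
  mayContain(key) {
    return this.positions(key).every(p => (this.words[p >>> 5] & (1 << (p & 31))) !== 0);
  }
}

// Sorted index of recorded addresses: append, sort once, then binary search,
// in the spirit of appendNode / shrinkToFit / nodeForCell.
class SnapshotIndex {
  constructor() {
    this.addresses = [];
    this.filter = new BloomFilter(1024);
    this.binarySearches = 0; // counted so the saving is measurable
  }
  append(address) { this.addresses.push(address); this.filter.add(address); }
  finalize() { this.addresses.sort((a, b) => a - b); }
  binarySearch(address) {
    this.binarySearches++;
    let lo = 0, hi = this.addresses.length - 1;
    while (lo <= hi) {
      const mid = (lo + hi) >>> 1;
      if (this.addresses[mid] === address) return mid;
      if (this.addresses[mid] < address) lo = mid + 1; else hi = mid - 1;
    }
    return -1;
  }
  // The change the entry describes: ask the filter first, and only pay for
  // the binary search when the filter cannot rule the address out.
  indexOf(address) {
    if (!this.filter.mayContain(address)) return -1;
    return this.binarySearch(address);
  }
}

// Constructed workload: 40 recorded cells, then 10000 probes for addresses
// that were never recorded, the "most searches find nothing" case.
function runDemo() {
  const index = new SnapshotIndex();
  const recorded = [];
  for (let i = 0; i < 40; i++) {
    const address = 0x10000000 + i * 0x200; // constructed 32-bit "cell addresses"
    recorded.push(address);
    index.append(address);
  }
  index.finalize();
  const allFound = recorded.every(a => index.addresses[index.indexOf(a)] === a);
  const searchesForHits = index.binarySearches;
  let wrongHits = 0;
  for (let i = 0; i < 10000; i++) {
    if (index.indexOf(0x20000000 + i * 0x10) !== -1) wrongHits++;
  }
  const searchesForMisses = index.binarySearches - searchesForHits;
  return { allFound, searchesForHits, wrongHits, searchesForMisses, missProbes: 10000 };
}
```

With 40 keys, two hashes and 1024 bits the expected false-positive rate is roughly 0.6%, so the 10000 miss probes trigger only a few dozen binary searches instead of 10000; `runDemo()` reports the actual count. The property that makes the shortcut safe is the absence of false negatives, which the `allFound` flag verifies.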
594 2016-05-29  Saam barati  <sbarati@apple.com>
595
596         Stack overflow crashes with deep or cyclic proxy prototype chains
597         https://bugs.webkit.org/show_bug.cgi?id=157087
598
599         Reviewed by Filip Pizlo and Mark Lam.
600
601         Because a Proxy can call back into the JS runtime in arbitrary
602         ways, we may have effectively cyclic prototype chains and property lookups
603         by using a Proxy. We may also have arbitrarily long Proxy chains
604         where we call into a C frame for each link in the Proxy chain.
605         This means that every Proxy hook must be aware that it can stack overflow.
606         Before, only certain hooks were aware of this fact. That was a bug:
607         all hooks must assume they can stack overflow.
608
609         Also, because we may have effectively cyclic prototype chains, we
610         compile ProxyObject.cpp with -fno-optimize-sibling-calls. This prevents
611         tail call optimization from happening on any of the calls from
612         ProxyObject.cpp. We do this because we rely on the machine stack
613         growing for throwing a stack overflow error. It's better for developers
614         to be able to see a stack overflow error than to have their program
615         infinite loop because the compiler performed TCO.
616
617         This patch also fixes a couple call sites of various methods
618         where we didn't check for an exception.
619
620         * CMakeLists.txt:
621         * JavaScriptCore.xcodeproj/project.pbxproj:
622         * interpreter/Interpreter.cpp:
623         (JSC::sizeOfVarargs):
624         * runtime/InternalFunction.cpp:
625         (JSC::InternalFunction::createSubclassStructure):
626         * runtime/JSArray.h:
627         (JSC::getLength):
628         * runtime/ObjectPrototype.cpp:
629         (JSC::objectProtoFuncToString):
630         * runtime/ProxyObject.cpp:
631         (JSC::performProxyGet):
632         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
633         (JSC::ProxyObject::performHasProperty):
634         (JSC::ProxyObject::getOwnPropertySlotCommon):
635         (JSC::ProxyObject::performPut):
636         (JSC::performProxyCall):
637         (JSC::performProxyConstruct):
638         (JSC::ProxyObject::performDelete):
639         (JSC::ProxyObject::performPreventExtensions):
640         (JSC::ProxyObject::performIsExtensible):
641         (JSC::ProxyObject::performDefineOwnProperty):
642         (JSC::ProxyObject::performGetOwnPropertyNames):
643         (JSC::ProxyObject::getOwnPropertyNames):
644         (JSC::ProxyObject::getPropertyNames):
645         (JSC::ProxyObject::getOwnNonIndexPropertyNames):
646         (JSC::ProxyObject::performSetPrototype):
647         (JSC::ProxyObject::performGetPrototype):
648         * runtime/ProxyObject.h:
649         (JSC::ProxyObject::create):
650         * tests/stress/proxy-stack-overflow-exceptions.js: Added.
651         (shouldThrowStackOverflow):
652         (const.emptyFunction):
653         (makeLongProxyChain):
654         (shouldThrowStackOverflow.longProxyChain):
655         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain1):
656         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain2):
657         (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain3):
658         (shouldThrowStackOverflow.longProxyChainBind):
659         (shouldThrowStackOverflow.longProxyChainPropertyAccess):
660         (shouldThrowStackOverflow.longProxyChainReflectConstruct):
661         (shouldThrowStackOverflow.longProxyChainReflectSet):
662         (shouldThrowStackOverflow.longProxyChainReflectOwnKeys):
663         (shouldThrowStackOverflow.longProxyChainGetPrototypeOf):
664         (shouldThrowStackOverflow.longProxyChainSetPrototypeOf):
665         (shouldThrowStackOverflow.longProxyChainGetOwnPropertyDescriptor):
666         (shouldThrowStackOverflow.longProxyChainDefineProperty):
667         (shouldThrowStackOverflow.longProxyChainIsExtensible):
668         (shouldThrowStackOverflow.longProxyChainPreventExtensions):
669         (shouldThrowStackOverflow.longProxyChainDeleteProperty):
670         (shouldThrowStackOverflow.longProxyChainWithScope):
671         (shouldThrowStackOverflow.longProxyChainWithScope2):
672         (shouldThrowStackOverflow.longProxyChainWithScope3):
673         (shouldThrowStackOverflow.longProxyChainArrayPrototypePush):
674         (shouldThrowStackOverflow.longProxyChainWithScope4):
675         (shouldThrowStackOverflow.longProxyChainCall):
676         (shouldThrowStackOverflow.longProxyChainConstruct):
677         (shouldThrowStackOverflow.longProxyChainHas):
678
679 2016-05-28  Andreas Kling  <akling@apple.com>
680
681         JSGlobalLexicalEnvironment leaks SegmentedVector due to lack of destructor.
682         <https://webkit.org/b/158186>
683
684         Reviewed by Saam Barati.
685
686         Give JSGlobalLexicalEnvironment a destroy() and set up a finalizer for it
687         like we do with JSGlobalObject. (This is needed because they don't inherit
688         from JSDestructibleObjects and thus can't use JSCell::needsDestruction to
689         ask for allocation in destructor space.)
690
691         This stops us from leaking all the SegmentedVector backing stores.
692
693         * runtime/JSGlobalLexicalEnvironment.cpp:
694         (JSC::JSGlobalLexicalEnvironment::destroy):
695         * runtime/JSGlobalLexicalEnvironment.h:
696         (JSC::JSGlobalLexicalEnvironment::create):
697
698 2016-05-28  Skachkov Oleksandr  <gskachkov@gmail.com>

699         [ESNext] Trailing commas in function parameters.
700         https://bugs.webkit.org/show_bug.cgi?id=158020
701
702         Reviewed by Keith Miller.
703
704         ESNext allows trailing commas in function parameters and function arguments.
705         Link to spec - https://jeffmo.github.io/es-trailing-function-commas
706         Example of use - (function (a, b,) { return a + b; })(1,2,);
707
708         * parser/Parser.cpp:
709         (JSC::Parser<LexerType>::parseFormalParameters):
710         (JSC::Parser<LexerType>::parseArguments):
711         * tests/stress/trailing-comma-in-function-paramters.js: Added.
712
713 2016-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
714
715         [JSC] op_new_arrow_func_exp is no longer necessary
716         https://bugs.webkit.org/show_bug.cgi?id=158180
717
718         Reviewed by Saam Barati.
719
720         This patch removes op_new_arrow_func_exp bytecode since
721         what op_new_arrow_func_exp is doing is completely the same as op_new_func_exp.
722
723         * bytecode/BytecodeList.json:
724         * bytecode/BytecodeUseDef.h:
725         (JSC::computeUsesForBytecodeOffset): Deleted.
726         (JSC::computeDefsForBytecodeOffset): Deleted.
727         * bytecode/CodeBlock.cpp:
728         (JSC::CodeBlock::dumpBytecode): Deleted.
729         * bytecompiler/BytecodeGenerator.cpp:
730         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
731         * dfg/DFGByteCodeParser.cpp:
732         (JSC::DFG::ByteCodeParser::parseBlock):
733         * dfg/DFGCapabilities.cpp:
734         (JSC::DFG::capabilityLevel): Deleted.
735         * jit/JIT.cpp:
736         (JSC::JIT::privateCompileMainPass): Deleted.
737         * jit/JIT.h:
738         * jit/JITOpcodes.cpp:
739         (JSC::JIT::emitNewFuncExprCommon):
740         (JSC::JIT::emit_op_new_arrow_func_exp): Deleted.
741         * llint/LLIntSlowPaths.cpp:
742         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
743         * llint/LLIntSlowPaths.h:
744         * llint/LowLevelInterpreter.asm:
745
746 2016-05-27  Caitlin Potter  <caitp@igalia.com>
747
748         [JSC] implement async functions proposal
749         https://bugs.webkit.org/show_bug.cgi?id=156147
750
751         Reviewed by Yusuke Suzuki.
752
753         Adds support for `async` functions, proposed in https://tc39.github.io/ecmascript-asyncawait/.
754
755         On the front-end side, "await" becomes a contextual keyword when used within an async function,
756         which triggers parsing an AwaitExpression. "await" becomes an illegal identifier name within
757         these contexts. The bytecode generated from an "await" expression is identical to that generated
758         in a "yield" expression in a Generator, as AsyncFunction reuses generator's state machine mechanism.
759
760         There are numerous syntactic forms for language features, including a variation on ArrowFunctions,
761         requiring the keyword `async` to precede ArrowFormalParameters, and similarly, MethodDefinitions,
762         which are ordinary MethodDefinitions preceded by the keyword `async`.
763
764         An async function desugars to the following:
765
766         ```
767         async function asyncFn() {
768         }
769
770         becomes:
771
772         function asyncFn() {
773             let generator = {
774                 @generatorNext: function(@generator, @generatorState, @generatorValue, @generatorResumeMode) {
775                   // generator state machine stuff here
776                 },
777                 @generatorState: 0,
778                 @generatorThis: this,
779                 @generatorFrame: null
780             };
781             return @asyncFunctionResume(generator, undefined, GeneratorResumeMode::NormalMode);
782         }
783         ```
784
785         `@asyncFunctionResume()` is similar to `@generatorResume`, with the exception that it will wrap the
786         result of invoking `@generatorNext()` in a Promise, and will avoid allocating an iterator result
787         object.
788
789         If the generator has yielded (an AwaitExpression has occurred), resumption will occur automatically
790         once the await-expression operand is finished, via Promise chaining.
791
792         * API/JSScriptRef.cpp:
793         (parseScript):
794         * CMakeLists.txt:
795         * DerivedSources.make:
796         * JavaScriptCore.xcodeproj/project.pbxproj:
797         * builtins/AsyncFunctionPrototype.js: Added.
798         (asyncFunctionResume):
799         * builtins/BuiltinExecutables.cpp:
800         (JSC::BuiltinExecutables::createExecutable):
801         * bytecode/BytecodeList.json:
802         * bytecode/BytecodeUseDef.h:
803         (JSC::computeUsesForBytecodeOffset):
804         (JSC::computeDefsForBytecodeOffset):
805         * bytecode/CodeBlock.cpp:
806         (JSC::CodeBlock::dumpBytecode):
807         (JSC::CodeBlock::finishCreation):
808         * bytecode/UnlinkedCodeBlock.h:
809         (JSC::UnlinkedCodeBlock::isArrowFunction):
810         (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction):
811         (JSC::UnlinkedCodeBlock::isAsyncArrowFunction):
812         * bytecode/UnlinkedFunctionExecutable.cpp:
813         (JSC::generateUnlinkedFunctionCodeBlock):
814         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
815         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
816         * bytecode/UnlinkedFunctionExecutable.h:
817         * bytecompiler/BytecodeGenerator.cpp:
818         (JSC::BytecodeGenerator::BytecodeGenerator):
819         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
820         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
821         (JSC::BytecodeGenerator::emitNewMethodDefinition):
822         (JSC::BytecodeGenerator::emitNewFunction):
823         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
824         * bytecompiler/BytecodeGenerator.h:
825         (JSC::BytecodeGenerator::makeFunction):
826         * bytecompiler/NodesCodegen.cpp:
827         (JSC::FunctionNode::emitBytecode):
828         * inspector/agents/InspectorRuntimeAgent.cpp:
829         (Inspector::InspectorRuntimeAgent::parse):
830         * jit/JIT.cpp:
831         (JSC::JIT::privateCompileMainPass):
832         * jit/JIT.h:
833         * jit/JITOpcodes.cpp:
834         (JSC::JIT::emitNewFuncCommon):
835         (JSC::JIT::emit_op_new_async_func):
836         (JSC::JIT::emitNewFuncExprCommon):
837         (JSC::JIT::emit_op_new_async_func_exp):
838         * jit/JITOperations.cpp:
839         * jit/JITOperations.h:
840         * jsc.cpp:
841         (runInteractive):
842         (printUsageStatement):
843         * llint/LLIntSlowPaths.cpp:
844         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
845         * llint/LLIntSlowPaths.h:
846         * llint/LowLevelInterpreter.asm:
847         * parser/ASTBuilder.h:
848         (JSC::ASTBuilder::createAsyncFunctionBody):
849         * parser/Keywords.table:
850         * parser/Parser.cpp:
851         (JSC::Parser<LexerType>::Parser):
852         (JSC::Parser<LexerType>::parseInner):
853         (JSC::Parser<LexerType>::isArrowFunctionParameters):
854         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
855         (JSC::Parser<LexerType>::parseStatementListItem):
856         (JSC::Parser<LexerType>::parseVariableDeclarationList):
857         (JSC::Parser<LexerType>::parseDestructuringPattern):
858         (JSC::Parser<LexerType>::parseStatement):
859         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
860         (JSC::Parser<LexerType>::parseFormalParameters):
861         (JSC::stringForFunctionMode):
862         (JSC::Parser<LexerType>::parseFunctionParameters):
863         (JSC::Parser<LexerType>::parseFunctionInfo):
864         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
865         (JSC::Parser<LexerType>::parseClass):
866         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
867         (JSC::Parser<LexerType>::parseImportClauseItem):
868         (JSC::Parser<LexerType>::parseImportDeclaration):
869         (JSC::Parser<LexerType>::parseExportDeclaration):
870         (JSC::Parser<LexerType>::parseAssignmentExpression):
871         (JSC::Parser<LexerType>::parseAwaitExpression):
872         (JSC::Parser<LexerType>::parseProperty):
873         (JSC::Parser<LexerType>::parsePropertyMethod):
874         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
875         (JSC::Parser<LexerType>::parsePrimaryExpression):
876         (JSC::Parser<LexerType>::parseMemberExpression):
877         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
878         (JSC::Parser<LexerType>::parseUnaryExpression):
879         (JSC::Parser<LexerType>::printUnexpectedTokenText):
880         * parser/Parser.h:
881         (JSC::isIdentifierOrKeyword):
882         (JSC::Scope::Scope):
883         (JSC::Scope::setSourceParseMode):
884         (JSC::Scope::isAsyncFunction):
885         (JSC::Scope::isAsyncFunctionBoundary):
886         (JSC::Scope::isModule):
887         (JSC::Scope::setIsFunction):
888         (JSC::Scope::setIsAsyncArrowFunction):
889         (JSC::Scope::setIsAsyncFunction):
890         (JSC::Scope::setIsAsyncFunctionBody):
891         (JSC::Scope::setIsAsyncArrowFunctionBody):
892         (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError):
893         (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
894         (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction):
895         (JSC::Parser::forceClassifyExpressionError):
896         (JSC::Parser::declarationTypeToVariableKind):
897         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
898         (JSC::Parser::pushScope):
899         (JSC::Parser::popScopeInternal):
900         (JSC::Parser::matchSpecIdentifier):
901         (JSC::Parser::isDisallowedIdentifierAwait):
902         (JSC::Parser::disallowedIdentifierAwaitReason):
903         (JSC::parse):
904         * parser/ParserModes.h:
905         (JSC::isFunctionParseMode):
906         (JSC::isAsyncFunctionParseMode):
907         (JSC::isAsyncArrowFunctionParseMode):
908         (JSC::isAsyncFunctionWrapperParseMode):
909         (JSC::isAsyncFunctionBodyParseMode):
910         (JSC::isModuleParseMode):
911         (JSC::isProgramParseMode):
912         (JSC::constructAbilityForParseMode):
913         * parser/ParserTokens.h:
914         * parser/SourceCodeKey.h:
915         (JSC::SourceCodeKey::SourceCodeKey):
916         (JSC::SourceCodeKey::runtimeFlags):
917         (JSC::SourceCodeKey::operator==):
918         * parser/SyntaxChecker.h:
919         (JSC::SyntaxChecker::createAsyncFunctionBody):
920         * runtime/AsyncFunctionConstructor.cpp: Added.
921         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
922         (JSC::AsyncFunctionConstructor::finishCreation):
923         (JSC::callAsyncFunctionConstructor):
924         (JSC::constructAsyncFunctionConstructor):
925         (JSC::AsyncFunctionConstructor::getCallData):
926         (JSC::AsyncFunctionConstructor::getConstructData):
927         * runtime/AsyncFunctionConstructor.h: Added.
928         (JSC::AsyncFunctionConstructor::create):
929         (JSC::AsyncFunctionConstructor::createStructure):
930         * runtime/AsyncFunctionPrototype.cpp: Added.
931         (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype):
932         (JSC::AsyncFunctionPrototype::finishCreation):
933         * runtime/AsyncFunctionPrototype.h: Added.
934         (JSC::AsyncFunctionPrototype::create):
935         (JSC::AsyncFunctionPrototype::createStructure):
936         * runtime/CodeCache.cpp:
937         (JSC::CodeCache::getGlobalCodeBlock):
938         (JSC::CodeCache::getProgramCodeBlock):
939         (JSC::CodeCache::getEvalCodeBlock):
940         (JSC::CodeCache::getModuleProgramCodeBlock):
941         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
942         * runtime/CodeCache.h:
943         * runtime/CommonIdentifiers.h:
944         * runtime/Completion.cpp:
945         (JSC::checkSyntax):
946         (JSC::checkModuleSyntax):
947         * runtime/Completion.h:
948         * runtime/Executable.cpp:
949         (JSC::ScriptExecutable::newCodeBlockFor):
950         (JSC::ProgramExecutable::checkSyntax):
951         * runtime/Executable.h:
952         * runtime/FunctionConstructor.cpp:
953         (JSC::constructFunctionSkippingEvalEnabledCheck):
954         * runtime/FunctionConstructor.h:
955         * runtime/JSAsyncFunction.cpp: Added.
956         (JSC::JSAsyncFunction::JSAsyncFunction):
957         (JSC::JSAsyncFunction::createImpl):
958         (JSC::JSAsyncFunction::create):
959         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
960         * runtime/JSAsyncFunction.h: Added.
961         (JSC::JSAsyncFunction::allocationSize):
962         (JSC::JSAsyncFunction::createStructure):
963         * runtime/JSFunction.cpp:
964         (JSC::JSFunction::getOwnPropertySlot):
965         * runtime/JSGlobalObject.cpp:
966         (JSC::JSGlobalObject::init):
967         (JSC::JSGlobalObject::createProgramCodeBlock):
968         (JSC::JSGlobalObject::createEvalCodeBlock):
969         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
970         * runtime/JSGlobalObject.h:
971         (JSC::JSGlobalObject::asyncFunctionPrototype):
972         (JSC::JSGlobalObject::asyncFunctionStructure):
973         * runtime/ModuleLoaderObject.cpp:
974         (JSC::moduleLoaderObjectParseModule):
975         * runtime/RuntimeFlags.h:
976         (JSC::RuntimeFlags::operator==):
977         (JSC::RuntimeFlags::operator!=):
978         * tests/stress/async-await-basic.js: Added.
979         (shouldBe):
980         (shouldBeAsync):
981         (shouldThrow):
982         (shouldThrowAsync):
983         (let.AsyncFunction.async):
984         (async.asyncFunctionForProto):
985         (Object.getPrototypeOf.async):
986         (Object.getPrototypeOf.async.method):
987         (async):
988         (async.method):
989         (async.asyncNonConstructorDecl):
990         (shouldThrow.new.async):
991         (shouldThrow.new.async.nonConstructor):
992         (async.asyncDecl):
993         (async.f):
994         (MyError):
995         (async.asyncDeclThrower):
996         (shouldThrowAsync.async):
997         (resolveLater):
998         (rejectLater):
999         (async.resumeAfterNormal):
1000         (O.async.resumeAfterNormal):
1001         (resumeAfterNormalArrow.async):
1002         (async.resumeAfterThrow):
1003         (O.async.resumeAfterThrow):
1004         (resumeAfterThrowArrow.async):
1005         (catch):
1006         * tests/stress/async-await-module-reserved-word.js: Added.
1007         (shouldThrow):
1008         (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await):
1009         (checkModuleSyntaxError.String.raw.await):
1010         (checkModuleSyntaxError.String.raw.async.await):
1011         (SyntaxError.Cannot.declare.named):
1012         * tests/stress/async-await-mozilla.js: Added.
1013         (shouldBe):
1014         (shouldBeAsync):
1015         (shouldThrow):
1016         (shouldThrowAsync):
1017         (assert):
1018         (shouldThrowSyntaxError):
1019         (mozSemantics.async.empty):
1020         (mozSemantics.async.simpleReturn):
1021         (mozSemantics.async.simpleAwait):
1022         (mozSemantics.async.simpleAwaitAsync):
1023         (mozSemantics.async.returnOtherAsync):
1024         (mozSemantics.async.simpleThrower):
1025         (mozSemantics.async.delegatedThrower):
1026         (mozSemantics.async.tryCatch):
1027         (mozSemantics.async.tryCatchThrow):
1028         (mozSemantics.async.wellFinally):
1029         (mozSemantics.async.finallyMayFail):
1030         (mozSemantics.async.embedded.async.inner):
1031         (mozSemantics.async.embedded):
1032         (mozSemantics.async.fib):
1033         (mozSemantics.async.isOdd.async.isEven):
1034         (mozSemantics.async.isOdd):
1035         (mozSemantics.hardcoreFib.async.fib2):
1036         (mozSemantics.namedAsyncExpr.async.simple):
1037         (mozSemantics.async.executionOrder.async.first):
1038         (mozSemantics.async.executionOrder.async.second):
1039         (mozSemantics.async.executionOrder.async.third):
1040         (mozSemantics.async.executionOrder):
1041         (mozSemantics.async.miscellaneous):
1042         (mozSemantics.thrower):
1043         (mozSemantics.async.defaultArgs):
1044         (mozSemantics.shouldThrow):
1045         (mozSemantics):
1046         (mozMethods.X):
1047         (mozMethods.X.prototype.async.getValue):
1048         (mozMethods.X.prototype.setValue):
1049         (mozMethods.X.prototype.async.increment):
1050         (mozMethods.X.prototype.async.getBaseClassName):
1051         (mozMethods.X.async.getStaticValue):
1052         (mozMethods.Y.prototype.async.getBaseClassName):
1053         (mozMethods.Y):
1054         (mozFunctionNameInferrence.async.test):
1055         (mozSyntaxErrors):
1056         * tests/stress/async-await-reserved-word.js: Added.
1057         (assert):
1058         (shouldThrowSyntaxError):
1059         (AsyncFunction.async):
1060         * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Added.
1061         (shouldBe):
1062         (shouldBeAsync):
1063         (shouldThrowAsync):
1064         (noArgumentsArrow2.async):
1065         * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Added.
1066         (shouldBe):
1067         (shouldBeAsync):
1068         (shouldThrowAsync):
1069         (C1):
1070         (C2):
1071         (shouldThrowAsync.async):
1072         * tests/stress/async_arrow_functions_lexical_super_binding.js: Added.
1073         (shouldBe):
1074         (shouldBeAsync):
1075         (BaseClass.prototype.baseClassValue):
1076         (BaseClass):
1077         (ChildClass.prototype.asyncSuperProp):
1078         (ChildClass.prototype.asyncSuperProp2):
1079         (ChildClass):
1080         * tests/stress/async_arrow_functions_lexical_this_binding.js: Added.
1081         (shouldBe):
1082         (shouldBeAsync):
1083         (d.y):
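
Added example (not JavaScriptCore's code, and not the builtins this entry names): the desugaring above written out by hand for one async function, so the state machine and the Promise-chained resumption can be seen running. `generatorNext`, `asyncFunctionResume`, `ResumeMode` and `addLater` are assumed names standing in for JSC's private `@`-prefixed builtins; the state numbering is constructed for the demo.

```javascript
// Added example, not JSC code. Hand-desugared form of:
//   async function addLater(a, b) { const x = await a; return x + b; }
// ResumeMode mirrors the Normal/Throw resume modes named in the ChangeLog
// (the numeric values are an assumption).
const ResumeMode = { Normal: 0, Throw: 1 };

// The state machine (stands in for @generatorNext). Returns {state, value, done}:
// done === false means the body suspended on an `await` whose operand is `value`;
// done === true means the body returned `value`.
function generatorNext(frame, state, value, mode) {
  if (mode === ResumeMode.Throw) {
    // The awaited promise rejected: rethrow at the await site. This body has
    // no try/catch, so the error propagates out of the function.
    throw value;
  }
  switch (state) {
    case 0:
      // `await a`: suspend and hand the operand to the driver.
      return { state: 1, value: frame.a, done: false };
    case 1:
      // Resumed with the settled value of `a`.
      frame.x = value;
      return { state: -1, value: frame.x + frame.b, done: true };
    default:
      throw new Error("async function body already finished");
  }
}

// Stands in for @asyncFunctionResume: like a generator resume, but the result is
// wrapped in a Promise (no iterator-result object), and after an `await` the
// machine is re-entered through Promise chaining once the operand settles.
function asyncFunctionResume(generator, value, mode) {
  let step;
  try {
    step = generatorNext(generator.frame, generator.state, value, mode);
  } catch (e) {
    generator.state = -1;
    return Promise.reject(e); // a synchronous throw becomes a rejection
  }
  generator.state = step.state;
  if (step.done) return Promise.resolve(step.value);
  return Promise.resolve(step.value).then(
    (v) => asyncFunctionResume(generator, v, ResumeMode.Normal),
    (err) => asyncFunctionResume(generator, err, ResumeMode.Throw)
  );
}

// The desugared entry point: allocate the generator record and resume it once.
function addLater(a, b) {
  const generator = { state: 0, frame: { a, b, x: undefined } };
  return asyncFunctionResume(generator, undefined, ResumeMode.Normal);
}

// Stand-alone demo: the first call resolves with 42, the second rejects.
addLater(Promise.resolve(40), 2).then((v) => console.log("addLater resolved with", v));
addLater(Promise.reject(new Error("boom")), 2).catch((e) => console.log("addLater rejected:", e.message));
```

The two callbacks passed to `.then` are the whole resumption story: a fulfilled operand re-enters the machine in Normal mode with the value, a rejected one re-enters in Throw mode so the error surfaces at the `await`, and `Promise.resolve(step.value)` also adopts a returned promise the way a real async function does.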
1084
1085 2016-05-27  Saam barati  <sbarati@apple.com>
1086
1087         DebuggerCallFrame crashes when updated with the globalExec because neither ShadowChicken's algorithm nor StackVisitor's algorithm reasons about the globalExec
1088         https://bugs.webkit.org/show_bug.cgi?id=158104
1089
1090         Reviewed by Filip Pizlo.
1091
1092         I think globalExec is a special enough case that it should be handled
1093         at the layers above ShadowChicken and StackVisitor. Those APIs should
1094         deal with real stack frames on the machine stack, not a heap constructed frame.
1095
1096         This patch makes DebuggerCallFrame::create aware that it may be
1097         created with the globalObject->globalExec() by having it construct
1098         a single DebuggerCallFrame that wraps the globalExec.
1099
1100         This fixes a crasher because we will construct a DebuggerCallFrame
1101         with the globalExec when the Inspector is set to pause on all uncaught
1102         exceptions and the JS program has a syntax error. Because the program
1103         hasn't begun execution, there is no machine JS stack frame yet. So
1104         DebuggerCallFrame is created with globalExec, which will cause it
1105         to hit an assertion that dictates that the stack have size greater
1106         than zero.
1107
1108         * debugger/DebuggerCallFrame.cpp:
1109         (JSC::DebuggerCallFrame::create):
1110
1111 2016-05-27  Filip Pizlo  <fpizlo@apple.com>
1112
1113         DFG::LazyJSValue::tryGetStringImpl() crashes for empty values
1114         https://bugs.webkit.org/show_bug.cgi?id=158170
1115
1116         Reviewed by Michael Saboff.
1117
1118         The problem here is that jsDynamicCast<>() is evil! It avoids checking for the empty
1119         value, presumably because this makes it soooper fast. In DFG IR, empty values can appear
1120         anywhere because of TDZ.
1121         
1122         This patch doesn't change jsDynamicCast<>(), but it hardens our wrappers for it in the DFG
1123         and it has the affected code use one of those wrappers.
1124         
1125         * dfg/DFGFrozenValue.h:
1126         (JSC::DFG::FrozenValue::dynamicCast): Harden this.
1127         (JSC::DFG::FrozenValue::cast):
1128         * dfg/DFGLazyJSValue.cpp:
1129         (JSC::DFG::LazyJSValue::tryGetStringImpl): Use the hardened wrapper.
1130         * tests/stress/strcat-emtpy.js: Added. This used to crash every time.
1131         (foo):
1132         (i.catch):
1133
1134 2016-05-27  Filip Pizlo  <fpizlo@apple.com>
1135
1136         regExpProtoFuncSplitFast should OOM before it swaps
1137         https://bugs.webkit.org/show_bug.cgi?id=158157
1138
1139         Reviewed by Mark Lam.
1140         
1141         This is a huge speed-up on some jsfunfuzz test cases because it makes us realize much
1142         sooner that running a regexp split will result in swapping. It uses the same basic
1143         approach as http://trac.webkit.org/changeset/201451: if the result array crosses a certain
1144         size threshold, we proceed with a dry run to see how big the array will get before
1145         allocating anything else. This way, bogus uses of split that would have OOMed only after
1146         killing the user's machine will now OOM before killing the user's machine.
1147         
1148         This is an enormous speed-up on some jsfunfuzz tests: they go from running for a long
1149         time to running instantly.
1150
1151         * runtime/RegExpPrototype.cpp:
1152         (JSC::advanceStringIndex):
1153         (JSC::genericSplit):
1154         (JSC::regExpProtoFuncSplitFast):
1155         * runtime/StringObject.h:
1156         (JSC::jsStringWithReuse):
1157         (JSC::jsSubstring):
1158         * tests/stress/big-split-captures.js: Added.
1159         * tests/stress/big-split.js: Added.
1160
1161 2016-05-27  Saam barati  <sbarati@apple.com>
1162
1163         ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
1164         https://bugs.webkit.org/show_bug.cgi?id=158131
1165
1166         Reviewed by Yusuke Suzuki.
1167
1168         There were bugs both in DebuggerCallFrame and ShadowChicken when the entry stack
1169         frame(s) are tail deleted.
1170
1171         DebuggerCallFrame had an assertion saying that the entry frame shouldn't be
1172         tail deleted. This is clearly wrong. The following program proves that this assertion
1173         was misguided:
1174         ```
1175         "use strict";
1176         setTimeout(function foo() { return bar(); }, 0);
1177         ```
1178
1179         ShadowChicken had a very subtle bug when creating the shadow stack when 
1180         the entry frames of the stack were tail deleted. Because it places frames into its shadow
1181         stack by walking the machine frame and looking up entries in the log,
1182         the machine frame doesn't have any notion of those tail deleted frames
1183         at the entry of execution. ShadowChicken would never find those frames
1184         because it would look for tail deleted frames *before* consulting the
1185         current machine frame. This is wrong because if the entry frames
1186         are tail deleted, then there is no machine frame for them because there
1187         is no machine frame before them! Therefore, we must search for tail deleted
1188         frames *after* consulting a machine frame. This is sound because we will always
1189         have at least one machine frame on the stack (when we are using StackVisitor on a valid ExecState).
1190         So when we consult the machine frame that is the entry frame on the machine stack,
1191         we will search for tail deleted frames that come before it in the shadow stack.
1192         This will allow us to find those tail deleted frames that are the entry frames
1193         for the shadow stack.
1194
1195         * debugger/DebuggerCallFrame.cpp:
1196         (JSC::DebuggerCallFrame::create):
1197         * interpreter/ShadowChicken.cpp:
1198         (JSC::ShadowChicken::Packet::dump):
1199         (JSC::ShadowChicken::update):
1200         (JSC::ShadowChicken::dump):
1201
1202 2016-05-27  Chris Dumez  <cdumez@apple.com>
1203
1204         WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables
1205         https://bugs.webkit.org/show_bug.cgi?id=158111
1206
1207         Reviewed by Darin Adler.
1208
1209         WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables.
1210         These are often used cross-thread and copying the captured lambda variables can be
1211         dangerous (e.g. we do not want to copy a String after calling isolatedCopy() upon
1212         capture).
1213
1214         * runtime/Watchdog.cpp:
1215         (JSC::Watchdog::startTimer):
1216         (JSC::Watchdog::Watchdog): Deleted.
1217         (JSC::Watchdog::setTimeLimit): Deleted.
1218         * runtime/Watchdog.h:
1219
1220 2016-05-27  Konstantin Tokarev  <annulen@yandex.ru>
1221
1222         Removed unused headers from ExecutableAllocatorFixedVMPool.cpp.
1223         https://bugs.webkit.org/show_bug.cgi?id=158159
1224
1225         Reviewed by Darin Adler.
1226
1227         * jit/ExecutableAllocatorFixedVMPool.cpp:
1228
1229 2016-05-27  Keith Miller  <keith_miller@apple.com>
1230
1231         get_by_id should support caching unset properties in the LLInt
1232         https://bugs.webkit.org/show_bug.cgi?id=158136
1233
1234         Reviewed by Benjamin Poulain.
1235
1236         Recently, we started supporting prototype load caching for get_by_id
1237         in the LLInt. This patch extends that to caching unset properties.
1238         While it is uncommon in general for a program to see a single structure
1239         without a given property, the Array.prototype.concat function needs to
1240         look up the Symbol.isConcatSpreadable property. For any existing code
1241         that property will never be set as it did not exist prior to ES6.
1242
1243         Similarly to the get_by_id_proto_load bytecode, this patch adds a new
1244         bytecode, get_by_id_unset that checks the structureID of the base and
1245         assigns undefined to the result.
1246
1247         There are no new tests here since we already have many tests that
1248         incidentally cover this change.
1249
1250         * bytecode/BytecodeList.json:
1251         * bytecode/BytecodeUseDef.h:
1252         (JSC::computeUsesForBytecodeOffset):
1253         (JSC::computeDefsForBytecodeOffset):
1254         * bytecode/CodeBlock.cpp:
1255         (JSC::CodeBlock::printGetByIdOp):
1256         (JSC::CodeBlock::dumpBytecode):
1257         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1258         * bytecode/GetByIdStatus.cpp:
1259         (JSC::GetByIdStatus::computeFromLLInt):
1260         * dfg/DFGByteCodeParser.cpp:
1261         (JSC::DFG::ByteCodeParser::parseBlock):
1262         * dfg/DFGCapabilities.cpp:
1263         (JSC::DFG::capabilityLevel):
1264         * jit/JIT.cpp:
1265         (JSC::JIT::privateCompileMainPass):
1266         (JSC::JIT::privateCompileSlowCases):
1267         * llint/LLIntSlowPaths.cpp:
1268         (JSC::LLInt::setupGetByIdPrototypeCache):
1269         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1270         * llint/LLIntSlowPaths.h:
1271         * llint/LowLevelInterpreter32_64.asm:
1272         * llint/LowLevelInterpreter64.asm:
1273
1274 2016-05-26  Filip Pizlo  <fpizlo@apple.com>
1275
1276         Bogus uses of regexp matching should realize that they will OOM before they start swapping
1277         https://bugs.webkit.org/show_bug.cgi?id=158142
1278
1279         Reviewed by Michael Saboff.
1280         
1281         Refactored the RegExpObject::matchGlobal() code so that there is less duplication. Took
1282         advantage of this to make the code more resilient in case of absurd situations: if the
1283         result array gets large, it proceeds with a dry run to detect how many matches there will
1284         be. This allows it to OOM before it starts swapping.
1285         
1286         This also improves the overall performance of the code by using lightweight substrings and
1287         skipping the whole intermediate argument array.
1288         
1289         This makes some jsfunfuzz tests run a lot faster and use a lot less memory.
1290         
1291         * builtins/RegExpPrototype.js:
1292         * CMakeLists.txt:
1293         * JavaScriptCore.xcodeproj/project.pbxproj:
1294         * runtime/MatchResult.cpp: Added.
1295         (JSC::MatchResult::dump):
1296         * runtime/MatchResult.h:
1297         (JSC::MatchResult::empty):
1298         (MatchResult::empty): Deleted.
1299         * runtime/RegExpObject.cpp:
1300         (JSC::RegExpObject::match):
1301         (JSC::collectMatches):
1302         (JSC::RegExpObject::matchGlobal):
1303         * runtime/StringObject.h:
1304         (JSC::jsStringWithReuse):
1305         (JSC::jsSubstring):
1306         * tests/stress/big-match.js: Added. Make sure that this optimization doesn't break big matches.
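
Added example (not JavaScriptCore's code) of the dry-run idea this entry and the regExpProtoFuncSplitFast entry above both describe: a global match loop that, once the result array crosses a size threshold, counts the remaining matches without keeping them and fails with a RangeError before allocating anything else. `matchGlobalBudgeted`, `countMatches` and `nextMatch` are assumed names, and the threshold and limit are constructed demo values, not JSC's.

```javascript
// Added example, not JSC code. Demonstrates "OOM before swapping": measure how big
// a global match result would get before committing more memory to it.
const DRY_RUN_THRESHOLD = 4; // constructed: start measuring after this many results
const MAX_RESULTS = 1000;     // constructed: stand-in for the engine's memory limit

// Step past an empty match so a global scan always makes progress; with the `u`
// flag a surrogate pair is one code point and is skipped whole.
function advanceStringIndex(str, index, unicode) {
  if (!unicode || index + 1 >= str.length) return index + 1;
  return str.codePointAt(index) > 0xffff ? index + 2 : index + 1;
}

// Find the next match of `re` (a global regexp) at or after `from`. Returns null
// when there is none; otherwise the match text, where it starts and where to scan next.
function nextMatch(str, re, from) {
  if (from > str.length) return null;
  re.lastIndex = from;
  const m = re.exec(str);
  if (m === null) return null;
  const next = m[0].length === 0 ? advanceStringIndex(str, m.index, re.unicode) : re.lastIndex;
  return { text: m[0], index: m.index, next };
}

// The dry run: walk the remaining matches and count them without keeping any.
function countMatches(str, re, from) {
  let count = 0;
  for (let r = nextMatch(str, re, from); r !== null; r = nextMatch(str, re, r.next)) count++;
  return count;
}

// Collect every match, but once `threshold` results exist, learn the final size
// before allocating more; bail out with a RangeError when it exceeds `limit`.
function matchGlobalBudgeted(str, re, opts = {}) {
  const threshold = opts.dryRunThreshold ?? DRY_RUN_THRESHOLD;
  const limit = opts.maxResults ?? MAX_RESULTS;
  if (!re.global) throw new TypeError("matchGlobalBudgeted needs a regexp with the g flag");
  const results = [];
  let measured = false;
  for (let r = nextMatch(str, re, 0); r !== null; r = nextMatch(str, re, r.next)) {
    if (!measured && results.length === threshold) {
      // Count from this match onward (it is included) without building anything.
      const total = results.length + countMatches(str, re, r.index);
      if (total > limit) {
        const err = new RangeError(`match result would hold ${total} entries, over the limit of ${limit}`);
        err.allocated = results.length; // how far allocation got before bailing out
        throw err;
      }
      measured = true;
    }
    results.push(r.text);
  }
  return results.length === 0 ? null : results;
}

// Stand-alone demo: a bogus global match is refused after only four entries exist.
try {
  matchGlobalBudgeted("x".repeat(100000), /x/g, { maxResults: 10 });
} catch (e) {
  console.log(e.message, "- allocated before bailing out:", e.allocated);
}
```

The scan position is always passed explicitly and `lastIndex` is reset on every call, so the counting pass can share the regexp with the allocating pass without disturbing it; the second pass over the input costs time, but only after the result has already grown past the threshold, which is exactly the case where the allocation, not the matching, is what would bring the machine down.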
1307
1308 2016-05-26  Gavin & Ellie Barraclough  <barraclough@apple.com>
1309
1310         Static table property lookup should not require getOwnPropertySlot override.
1311         https://bugs.webkit.org/show_bug.cgi?id=158059
1312
1313         Reviewed by Darin Adler.
1314
1315         Currently JSObject does not handle property lookup of entries in the static
1316         table. Each subclass with static properties must override getOwnPropertySlot,
1317         and explicitly call the lookup functions. This has the following drawbacks:
1318
1319         - Performance: for any class with static properties, property access becomes
1320           virtual (via method table).
1321         - Poor encapsulation: implementation detail of static property access is
1322           spread throughout & across projects, rather than being contained in JSObject.
1323         - Code size: this results in a great many additional functions.
1324         - Inconsistency: static table presence has to be taken into account in many
1325           other operations, e.g. presence of read-only properties for put.
1326         - Memory: in order to avoid the virtual lookup, DOM prototypes eagerly reify
1327           all properties. This is likely suboptimal.
1328
1329         Instead, JSObject::getPropertySlot / JSObject::getOwnPropertySlot should be
1330         able to handle static properties.
1331
1332         This is actually a fairly small & simple change.
1333
1334         The common pattern is for subclasses of JSObject to override getOwnPropertySlot
1335         to first defer to JSObject for property storage lookup, and only if this fails
1336         consult the static table. They just want the static tables to be consulted after
1337         regular property storage lookup. So just add a fast flag in TypeInfo for JSObject
1338         to check, and where it is set, do so. Then it's just a question of switching
1339         classes over to start setting this flag, and drop the override.
1340
1341         The new mechanism does change static table lookup order from oldest-ancestor
1342         first to most-derived first. The new ordering makes more sense (means derived
1343         class static tables can now override entries from parents), and shouldn't affect
1344         any existing code (since overriding didn't previously work, there likely aren't
1345         shadowing properties in more derived types).
1346
1347         This patch changes all classes in JavaScriptCore over to using the new mechanism,
1348         except JSGlobalObject. I'll move classes in WebCore over as a separate patch
1349         (this is also why I've not moved JSGlobalObject in this patch - doing so would
1350         move JSDOMWindow, and I'd rather handle that separately).
1351
1352         * runtime/JSTypeInfo.h:
1353         (JSC::TypeInfo::hasStaticPropertyTable):
1354             - Add HasStaticPropertyTable flag.
1355         * runtime/Lookup.cpp:
1356         (JSC::setUpStaticFunctionSlot):
1357             - Change setUpStaticFunctionSlot to take a VM&.
1358         * runtime/Lookup.h:
1359         (JSC::getStaticPropertySlotFromTable):
1360             - Added helper function to perform static lookup alone.
1361         (JSC::getStaticPropertySlot):
1362         (JSC::getStaticFunctionSlot):
1363             - setUpStaticFunctionSlot changed to take a VM&.
1364         * runtime/JSObject.cpp:
1365         (JSC::JSObject::getOwnStaticPropertySlot):
1366             - Added, walks ClassInfo chain looking for static properties.
1367         * runtime/JSObject.h:
1368         (JSC::JSObject::getOwnNonIndexPropertySlot):
1369             - getOwnNonIndexPropertySlot is used internally by getPropertySlot
1370               & getOwnPropertySlot. If property is not present in storage array
1371               then check the static table.
1372         * runtime/ArrayConstructor.cpp:
1373         (JSC::ArrayConstructor::finishCreation):
1374         (JSC::constructArrayWithSizeQuirk):
1375         (JSC::ArrayConstructor::getOwnPropertySlot): Deleted.
1376         * runtime/ArrayConstructor.h:
1377         (JSC::ArrayConstructor::create):
1378         * runtime/ArrayIteratorPrototype.cpp:
1379         (JSC::ArrayIteratorPrototype::finishCreation):
1380         (JSC::ArrayIteratorPrototype::getOwnPropertySlot): Deleted.
1381         * runtime/ArrayIteratorPrototype.h:
1382         (JSC::ArrayIteratorPrototype::create):
1383         (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype):
1384         * runtime/BooleanPrototype.cpp:
1385         (JSC::BooleanPrototype::finishCreation):
1386         (JSC::booleanProtoFuncToString):
1387         (JSC::BooleanPrototype::getOwnPropertySlot): Deleted.
1388         * runtime/BooleanPrototype.h:
1389         (JSC::BooleanPrototype::create):
1390         * runtime/DateConstructor.cpp:
1391         (JSC::DateConstructor::finishCreation):
1392         (JSC::millisecondsFromComponents):
1393         (JSC::DateConstructor::getOwnPropertySlot): Deleted.
1394         * runtime/DateConstructor.h:
1395         (JSC::DateConstructor::create):
1396         * runtime/DatePrototype.cpp:
1397         (JSC::DatePrototype::finishCreation):
1398         (JSC::dateProtoFuncToString):
1399         (JSC::DatePrototype::getOwnPropertySlot): Deleted.
1400         * runtime/DatePrototype.h:
1401         (JSC::DatePrototype::create):
1402         * runtime/ErrorPrototype.cpp:
1403         (JSC::ErrorPrototype::finishCreation):
1404         (JSC::ErrorPrototype::getOwnPropertySlot): Deleted.
1405         * runtime/ErrorPrototype.h:
1406         (JSC::ErrorPrototype::create):
1407         * runtime/GeneratorPrototype.cpp:
1408         (JSC::GeneratorPrototype::finishCreation):
1409         (JSC::GeneratorPrototype::getOwnPropertySlot): Deleted.
1410         * runtime/GeneratorPrototype.h:
1411         (JSC::GeneratorPrototype::create):
1412         (JSC::GeneratorPrototype::createStructure):
1413         (JSC::GeneratorPrototype::GeneratorPrototype):
1414         * runtime/InspectorInstrumentationObject.cpp:
1415         (JSC::InspectorInstrumentationObject::finishCreation):
1416         (JSC::InspectorInstrumentationObject::isEnabled):
1417         (JSC::InspectorInstrumentationObject::getOwnPropertySlot): Deleted.
1418         * runtime/InspectorInstrumentationObject.h:
1419         (JSC::InspectorInstrumentationObject::create):
1420         (JSC::InspectorInstrumentationObject::createStructure):
1421         * runtime/IntlCollatorConstructor.cpp:
1422         (JSC::IntlCollatorConstructor::getCallData):
1423         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1424         (JSC::IntlCollatorConstructor::getOwnPropertySlot): Deleted.
1425         * runtime/IntlCollatorConstructor.h:
1426         * runtime/IntlCollatorPrototype.cpp:
1427         (JSC::IntlCollatorPrototype::finishCreation):
1428         (JSC::IntlCollatorFuncCompare):
1429         (JSC::IntlCollatorPrototype::getOwnPropertySlot): Deleted.
1430         * runtime/IntlCollatorPrototype.h:
1431         * runtime/IntlDateTimeFormatConstructor.cpp:
1432         (JSC::IntlDateTimeFormatConstructor::getCallData):
1433         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1434         (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot): Deleted.
1435         * runtime/IntlDateTimeFormatConstructor.h:
1436         * runtime/IntlDateTimeFormatPrototype.cpp:
1437         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1438         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1439         (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot): Deleted.
1440         * runtime/IntlDateTimeFormatPrototype.h:
1441         * runtime/IntlNumberFormatConstructor.cpp:
1442         (JSC::IntlNumberFormatConstructor::getCallData):
1443         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1444         (JSC::IntlNumberFormatConstructor::getOwnPropertySlot): Deleted.
1445         * runtime/IntlNumberFormatConstructor.h:
1446         * runtime/IntlNumberFormatPrototype.cpp:
1447         (JSC::IntlNumberFormatPrototype::finishCreation):
1448         (JSC::IntlNumberFormatFuncFormatNumber):
1449         (JSC::IntlNumberFormatPrototype::getOwnPropertySlot): Deleted.
1450         * runtime/IntlNumberFormatPrototype.h:
1451         * runtime/JSDataViewPrototype.cpp:
1452         (JSC::JSDataViewPrototype::createStructure):
1453         (JSC::getData):
1454         (JSC::JSDataViewPrototype::getOwnPropertySlot): Deleted.
1455         * runtime/JSDataViewPrototype.h:
1456         * runtime/JSInternalPromiseConstructor.cpp:
1457         (JSC::JSInternalPromiseConstructor::getCallData):
1458         (JSC::JSInternalPromiseConstructor::getOwnPropertySlot): Deleted.
1459         * runtime/JSInternalPromiseConstructor.h:
1460         * runtime/JSONObject.cpp:
1461         (JSC::Walker::Walker):
1462         (JSC::JSONObject::getOwnPropertySlot): Deleted.
1463         * runtime/JSONObject.h:
1464         (JSC::JSONObject::create):
1465         * runtime/JSPromiseConstructor.cpp:
1466         (JSC::JSPromiseConstructor::getCallData):
1467         (JSC::JSPromiseConstructor::getOwnPropertySlot): Deleted.
1468         * runtime/JSPromiseConstructor.h:
1469         * runtime/JSPromisePrototype.cpp:
1470         (JSC::JSPromisePrototype::addOwnInternalSlots):
1471         (JSC::JSPromisePrototype::getOwnPropertySlot): Deleted.
1472         * runtime/JSPromisePrototype.h:
1473         * runtime/MapPrototype.cpp:
1474         (JSC::MapPrototype::finishCreation):
1475         (JSC::getMap):
1476         (JSC::MapPrototype::getOwnPropertySlot): Deleted.
1477         * runtime/MapPrototype.h:
1478         (JSC::MapPrototype::create):
1479         (JSC::MapPrototype::MapPrototype):
1480         * runtime/ModuleLoaderObject.cpp:
1481         (JSC::ModuleLoaderObject::finishCreation):
1482         (JSC::printableModuleKey):
1483         (JSC::ModuleLoaderObject::getOwnPropertySlot): Deleted.
1484         * runtime/ModuleLoaderObject.h:
1485         * runtime/NumberPrototype.cpp:
1486         (JSC::NumberPrototype::finishCreation):
1487         (JSC::toThisNumber):
1488         (JSC::NumberPrototype::getOwnPropertySlot): Deleted.
1489         * runtime/NumberPrototype.h:
1490         (JSC::NumberPrototype::create):
1491         * runtime/ObjectConstructor.cpp:
1492         (JSC::ObjectConstructor::addDefineProperty):
1493         (JSC::constructObject):
1494         (JSC::ObjectConstructor::getOwnPropertySlot): Deleted.
1495         * runtime/ObjectConstructor.h:
1496         (JSC::ObjectConstructor::create):
1497         (JSC::ObjectConstructor::createStructure):
1498         * runtime/ReflectObject.cpp:
1499         (JSC::ReflectObject::finishCreation):
1500         (JSC::ReflectObject::getOwnPropertySlot): Deleted.
1501         * runtime/ReflectObject.h:
1502         (JSC::ReflectObject::create):
1503         (JSC::ReflectObject::createStructure):
1504         * runtime/RegExpConstructor.cpp:
1505         (JSC::RegExpConstructor::getRightContext):
1506         (JSC::regExpConstructorDollar):
1507         (JSC::RegExpConstructor::getOwnPropertySlot): Deleted.
1508         * runtime/RegExpConstructor.h:
1509         (JSC::RegExpConstructor::create):
1510         (JSC::RegExpConstructor::createStructure):
1511         * runtime/SetPrototype.cpp:
1512         (JSC::SetPrototype::finishCreation):
1513         (JSC::getSet):
1514         (JSC::SetPrototype::getOwnPropertySlot): Deleted.
1515         * runtime/SetPrototype.h:
1516         (JSC::SetPrototype::create):
1517         (JSC::SetPrototype::SetPrototype):
1518         * runtime/StringConstructor.cpp:
1519         (JSC::StringConstructor::finishCreation):
1520         (JSC::stringFromCharCodeSlowCase):
1521         (JSC::StringConstructor::getOwnPropertySlot): Deleted.
1522         * runtime/StringConstructor.h:
1523         (JSC::StringConstructor::create):
1524         * runtime/StringIteratorPrototype.cpp:
1525         (JSC::StringIteratorPrototype::finishCreation):
1526         (JSC::StringIteratorPrototype::getOwnPropertySlot): Deleted.
1527         * runtime/StringIteratorPrototype.h:
1528         (JSC::StringIteratorPrototype::create):
1529         (JSC::StringIteratorPrototype::StringIteratorPrototype):
1530         * runtime/StringPrototype.cpp:
1531         (JSC::StringPrototype::create):
1532         (JSC::substituteBackreferencesSlow):
1533         (JSC::StringPrototype::getOwnPropertySlot): Deleted.
1534         * runtime/StringPrototype.h:
1535         * runtime/SymbolConstructor.cpp:
1536         (JSC::SymbolConstructor::finishCreation):
1537         (JSC::callSymbol):
1538         (JSC::SymbolConstructor::getOwnPropertySlot): Deleted.
1539         * runtime/SymbolConstructor.h:
1540         (JSC::SymbolConstructor::create):
1541         * runtime/SymbolPrototype.cpp:
1542         (JSC::SymbolPrototype::finishCreation):
1543         (JSC::SymbolPrototype::getOwnPropertySlot): Deleted.
1544         * runtime/SymbolPrototype.h:
1545         (JSC::SymbolPrototype::create):
1546             - remove getOwnPropertySlot, replace OverridesGetOwnPropertySlot flag with HasStaticPropertyTable.
1547
1548 2016-05-26  Commit Queue  <commit-queue@webkit.org>
1549
1550         Unreviewed, rolling out r201436.
1551         https://bugs.webkit.org/show_bug.cgi?id=158143
1552
1553         Caused 30% regression on Dromaeo DOM core tests (Requested by
1554         rniwa on #webkit).
1555
1556         Reverted changeset:
1557
1558         "REGRESSION: JSBench spends a lot of time transitioning
1559         to/from dictionary"
1560         https://bugs.webkit.org/show_bug.cgi?id=158045
1561         http://trac.webkit.org/changeset/201436
1562
1563 2016-05-26  Geoffrey Garen  <ggaren@apple.com>
1564
1565         REGRESSION: JSBench spends a lot of time transitioning to/from dictionary
1566         https://bugs.webkit.org/show_bug.cgi?id=158045
1567
1568         Reviewed by Saam Barati.
1569
1570         15% speedup on jsbench-amazon-firefox, possibly 5% speedup overall on jsbench.
1571
1572         This regression seems to have two parts:
1573
1574         (1) Transitioning the window object to/from dictionary is more expensive
1575         than it used to be because the window object has lots more properties.
1576         The window object has more properties because, for WebIDL compatibility,
1577         we reify DOM APIs as properties when you delete.
1578
1579         (2) DOM prototypes transition to/from dictionary upon creation
1580         because, once again for WebIDL compatibility, we reify their static
1581         APIs eagerly.
1582
1583         The solution is to chill out a bit on dictionary transitions.
1584
1585         * bytecode/ObjectPropertyConditionSet.cpp: Don't flatten a dictionary
1586         if we've already done so before. This avoids pathological churn, and it
1587         is our idiom in other places.
1588
1589         * interpreter/Interpreter.cpp:
1590         (JSC::Interpreter::execute): Do flatten the global object unconditionally
1591         if it is an uncacheable dictionary because the global object is super
1592         important.
1593
1594         * runtime/BatchedTransitionOptimizer.h:
1595         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1596         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): Deleted.
1597         Don't transition away from dictionary after a batched set of property
1598         puts because normal dictionaries are cacheable and that's a perfectly
1599         fine state to be in -- and the transition is expensive.
1600
1601         * runtime/JSGlobalObject.cpp:
1602         (JSC::JSGlobalObject::init): Do start the global object out as a cacheable
1603         dictionary because it will inevitably have enough properties to become
1604         a dictionary.
1605
1606         * runtime/Operations.h:
1607         (JSC::normalizePrototypeChain): Same as ObjectPropertyConditionSet.cpp.
1608
1609 2016-05-25  Geoffrey Garen  <ggaren@apple.com>
1610
1611         replaceable own properties seem to ignore replacement after property caching
1612         https://bugs.webkit.org/show_bug.cgi?id=158091
1613
1614         Reviewed by Darin Adler.
1615
1616         * runtime/Lookup.h:
1617         (JSC::replaceStaticPropertySlot): New helper function for replacing a
1618         static property with a direct property. We need to do an attribute changed
1619         transition because client code might have cached our static property.
1620
1621 2016-05-25  Benjamin Poulain  <benjamin@webkit.org>
1622
1623         [JSC] RegExp with deeply nested subexpressions overflow the stack in Yarr
1624         https://bugs.webkit.org/show_bug.cgi?id=158011
1625         rdar://problem/25946592
1626
1627         Reviewed by Saam Barati.
1628
1629         When generating the meta-data required for compilation,
1630         Yarr uses a recursive function over the various expressions in the pattern.
1631
1632         If you have many nested expressions, you can run out of stack
1633         and crash the WebProcess.
1634         This patch changes that into a soft failure. The expression is just
1635         considered invalid.
1636
1637         * runtime/RegExp.cpp:
1638         (JSC::RegExp::finishCreation):
1639         (JSC::RegExp::compile):
1640         (JSC::RegExp::compileMatchOnly):
1641         * yarr/YarrPattern.cpp:
1642         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
1643         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
1644         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1645         (JSC::Yarr::YarrPattern::compile):
1646         (JSC::Yarr::YarrPattern::YarrPattern):
1647         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets): Deleted.
1648         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): Deleted.
1649         * yarr/YarrPattern.h:
1650
1651 2016-05-25  Alex Christensen  <achristensen@webkit.org>
1652
1653         Fix Win64 build after r201335
1654         https://bugs.webkit.org/show_bug.cgi?id=158078
1655
1656         Reviewed by Mark Lam.
1657
1658         * offlineasm/x86.rb:
1659         Add intel implementations for loadbs and loadhs
1660
1661 2016-05-25  Carlos Garcia Campos  <cgarcia@igalia.com>
1662
1663         REGRESSION(r201066): [GTK] Several intl tests started to fail in GTK+ bot after r201066
1664         https://bugs.webkit.org/show_bug.cgi?id=158066
1665
1666         Reviewed by Darin Adler.
1667
1668         run-javascriptcore-tests does $ENV{LANG}="en_US.UTF-8"; but we are not actually honoring the environment
1669         variables at all when using jsc binary. We are using setlocale() with a nullptr locale to get the current one, but
1670         the current one is always "C", because to set the locale according to the environment variables we need to call
1671         setlocale with an empty string as locale. That's done by gtk_init(), which is called by all our binaries (web
1672         process, network process, etc.), but not by jsc (because jsc doesn't depend on GTK+). The reason why it has
1673         always worked for EFL is because they call ecore_init() in jsc that calls setlocale.
1674
1675         * jsc.cpp:
1676         (main): Call setlocale(LC_ALL, "") on GTK+.
1677
1678 2016-05-25  Csaba Osztrogonác  <ossy@webkit.org>
1679
1680         [ARM] Fix the Wcast-align warning in LinkBuffer.cpp
1681         https://bugs.webkit.org/show_bug.cgi?id=157889
1682
1683         Reviewed by Darin Adler.
1684
1685         * assembler/LinkBuffer.cpp:
1686         (JSC::recordLinkOffsets):
1687
1688 2016-05-24  Keith Miller  <keith_miller@apple.com>
1689
1690         TypedArray.prototype.slice should not throw if no arguments are provided
1691         https://bugs.webkit.org/show_bug.cgi?id=158044
1692         <rdar://problem/26433280>
1693
1694         Reviewed by Geoffrey Garen.
1695
1696         We were throwing an exception if the TypedArray.prototype.slice function
1697         was not provided arguments. This was wrong. Instead we should just assume
1698         the first argument was 0.
1699
1700         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1701         (JSC::genericTypedArrayViewProtoFuncSlice): Deleted.
1702         * tests/stress/typedarray-slice.js:
1703
1704 2016-05-24  Keith Miller  <keith_miller@apple.com>
1705
1706         LLInt should be able to cache prototype loads for values in GetById
1707         https://bugs.webkit.org/show_bug.cgi?id=158032
1708
1709         Reviewed by Filip Pizlo.
1710
1711         This patch adds prototype value caching to the LLInt for op_get_by_id.
1712         Two previously unused words in the op_get_by_id bytecode have been
1713         repurposed to hold extra information for the cache. The first is a
1714         counter that records the number of get_by_ids that hit a cacheable value
1715         on a prototype. When the counter is decremented from one to zero we
1716         attempt to cache the prototype load, which will be discussed further
1717         below. The second word is used to hold the prototype object when we have
1718         started caching.
1719
1720         When the counter is decremented to zero we first attempt to generate and
1721         watch the property conditions needed to ensure the validity of prototype
1722         load. If the watchpoints are successfully created and installed we
1723         replace the op_get_by_id opcode with the new op_get_by_id_proto_load
1724         opcode, which tells the LLInt to use the cached prototype object for the
1725         load rather than the base value.
1726
1727         Prior to this patch there was no LLInt-specific data on CodeBlocks.
1728         Since the CodeBlock needs to own the Watchpoints for the cache, a weak
1729         map from each base structure to a bag of Watchpoints created for that
1730         structure by some op_get_by_id has been added to the CodeBlock. During
1731         GC, if we find that a structure in the map has not been marked we
1732         free the associated bag on the CodeBlock.
1733
1734         * JavaScriptCore.xcodeproj/project.pbxproj:
1735         * bytecode/BytecodeList.json:
1736         * bytecode/BytecodeUseDef.h:
1737         (JSC::computeUsesForBytecodeOffset):
1738         (JSC::computeDefsForBytecodeOffset):
1739         * bytecode/CodeBlock.cpp:
1740         (JSC::CodeBlock::printGetByIdOp):
1741         (JSC::CodeBlock::printGetByIdCacheStatus):
1742         (JSC::CodeBlock::dumpBytecode):
1743         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1744         * bytecode/CodeBlock.h:
1745         (JSC::CodeBlock::llintGetByIdWatchpointMap):
1746         (JSC::clearLLIntGetByIdCache):
1747         * bytecode/GetByIdStatus.cpp:
1748         (JSC::GetByIdStatus::computeFromLLInt):
1749         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Added.
1750         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
1751         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
1752         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1753         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Added.
1754         * bytecode/ObjectPropertyConditionSet.cpp:
1755         (JSC::ObjectPropertyConditionSet::isValidAndWatchable):
1756         * bytecode/ObjectPropertyConditionSet.h:
1757         * bytecompiler/BytecodeGenerator.cpp:
1758         (JSC::BytecodeGenerator::emitGetById):
1759         * dfg/DFGByteCodeParser.cpp:
1760         (JSC::DFG::ByteCodeParser::parseBlock):
1761         * dfg/DFGCapabilities.cpp:
1762         (JSC::DFG::capabilityLevel):
1763         * jit/JIT.cpp:
1764         (JSC::JIT::privateCompileMainPass):
1765         (JSC::JIT::privateCompileSlowCases):
1766         * llint/LLIntSlowPaths.cpp:
1767         (JSC::LLInt::setupGetByIdPrototypeCache):
1768         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1769         * llint/LLIntSlowPaths.h:
1770         * llint/LowLevelInterpreter32_64.asm:
1771         * llint/LowLevelInterpreter64.asm:
1772         * runtime/Options.h:
1773         * tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js: Added.
1774         (test):
1775
1776 2016-05-24  Keith Miller  <keith_miller@apple.com>
1777
1778         We should be able to use the sampling profiler with DRT/WTR.
1779         https://bugs.webkit.org/show_bug.cgi?id=158041
1780
1781         Reviewed by Saam Barati.
1782
1783         This patch makes the sampling profiler use a new option, samplingProfilerPath, which
1784         specifies the path to a directory to output sampling profiler data when the program
1785         terminates or the VM is destroyed. Additionally, it fixes some other issues with the
1786         bytecode profiler that would cause crashes on debug builds.
1787
1788         * profiler/ProfilerDatabase.cpp:
1789         (JSC::Profiler::Database::ensureBytecodesFor):
1790         (JSC::Profiler::Database::performAtExitSave):
1791         * runtime/Options.h:
1792         * runtime/SamplingProfiler.cpp:
1793         (JSC::SamplingProfiler::registerForReportAtExit):
1794         (JSC::SamplingProfiler::reportDataToOptionFile):
1795         (JSC::SamplingProfiler::reportTopFunctions):
1796         (JSC::SamplingProfiler::reportTopBytecodes):
1797         * runtime/SamplingProfiler.h:
1798         * runtime/VM.cpp:
1799         (JSC::VM::VM):
1800         (JSC::VM::~VM):
1801
1802 2016-05-24  Saam barati  <sbarati@apple.com>
1803
1804         We can cache lookups to JSScope::abstractResolve inside CodeBlock::finishCreation
1805         https://bugs.webkit.org/show_bug.cgi?id=158036
1806
1807         Reviewed by Geoffrey Garen.
1808
1809         This patch implements a 1 item cache for JSScope::abstractResolve. I also tried
1810         implementing the cache as a HashMap, but it seemed either less profitable on some
1811         benchmarks or just as profitable on others. Therefore, it's cleaner to just
1812         use a 1 item cache.
1813
1814         * bytecode/CodeBlock.cpp:
1815         (JSC::CodeBlock::CodeBlock):
1816         (JSC::AbstractResolveKey::AbstractResolveKey):
1817         (JSC::AbstractResolveKey::operator==):
1818         (JSC::AbstractResolveKey::isEmptyValue):
1819         (JSC::CodeBlock::finishCreation):
1820         * runtime/GetPutInfo.h:
1821         (JSC::needsVarInjectionChecks):
1822         (JSC::ResolveOp::ResolveOp):
1823
1824 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
1825
1826         Unreviewed, add a comment to describe the test's failure mode. Suggested by mlam.
1827
1828         * tests/stress/override-map-constructor.js:
1829         (Map):
1830
1831 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
1832
1833         Map should not be in JSGlobalObject's static hashtable because it's initialized eagerly via FOR_EACH_SIMPLE_BUILTIN_TYPE_WITH_CONSTRUCTOR
1834         https://bugs.webkit.org/show_bug.cgi?id=158031
1835         rdar://problem/26353661
1836
1837         Reviewed by Geoffrey Garen.
1838         
1839         We were listing Map as being a lazy class structure. It's not. m_mapStructure is a WriteBarrier<>
1840         not a LazyClassStructure<> and there is nothing lazy about it.
1841
1842         * runtime/JSGlobalObject.cpp: The fix is to remove Map here.
1843         * runtime/Lookup.cpp: Add some dumping on the assert path.
1844         (JSC::setUpStaticFunctionSlot):
1845         * tests/stress/override-map-constructor.js: Added. This test used to crash.
1846         (Map):
1847
1848 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
1849
1850         LLInt64 should have typed array fast paths for get_by_val
1851         https://bugs.webkit.org/show_bug.cgi?id=157931
1852
1853         Reviewed by Keith Miller.
1854
1855         I think that the LLInt should be able to access typed arrays more quickly than it does now.
1856         Ideally we would have fast paths for every major typed array operation and we would use
1857         inline cache optimizations. I don't want to do this all in one go, so my plan is to
1858         incrementally add support for this as time allows.
1859         
1860         This change just adds the easy typed array fast paths for get_by_val in the 64-bit version
1861         of LLInt.
1862         
1863         Another bug, https://bugs.webkit.org/show_bug.cgi?id=157922, tracks the overall task of
1864         adding all typed array fast paths to both versions of the LLInt.
1865         
1866         This is a 30% speed-up on typed array benchmarks in LLInt. This is not a speed-up when the
1867         JITs are enabled.
1868
1869         * llint/LLIntData.cpp:
1870         (JSC::LLInt::Data::performAssertions):
1871         * llint/LLIntOffsetsExtractor.cpp:
1872         * llint/LowLevelInterpreter.asm:
1873         * llint/LowLevelInterpreter64.asm:
1874         * offlineasm/backends.rb:
1875         * runtime/JSArrayBufferView.h:
1876         * runtime/JSType.h:
1877
1878 2016-05-24  Saam barati  <sbarati@apple.com> and Yusuke Suzuki <utatane.tea@gmail.com>
1879
1880         ThisTDZMode is no longer needed
1881         https://bugs.webkit.org/show_bug.cgi?id=157209
1882
1883         Reviewed by Saam Barati.
1884
1885         ThisTDZMode is no longer needed because we have ConstructorKind
1886         and DerivedContextType. The value of ThisTDZMode is strictly less
1887         expressive than the combination of those two values. We were
1888         using those values anyways, and this patch just makes it official
1889         by removing ThisTDZMode.
1890
1891         This patch also cleans up caching keys. We extract SourceCodeFlags
1892         from SourceCodeKey and use it in EvalCodeCache. It correctly
1893         contains needed cache attributes: EvalContextType, DerivedContextType,
1894         etc. Here, we still use specialized keys for EvalCodeCache instead
1895         of SourceCodeKey for performance; it does not include name String and
1896         does not allocate SourceCode.
1897
1898         * bytecode/EvalCodeCache.h:
1899         (JSC::EvalCodeCache::CacheKey::CacheKey):
1900         (JSC::EvalCodeCache::CacheKey::operator==):
1901         (JSC::EvalCodeCache::CacheKey::Hash::equal):
1902         (JSC::EvalCodeCache::tryGet):
1903         (JSC::EvalCodeCache::getSlow):
1904         * bytecompiler/NodesCodegen.cpp:
1905         (JSC::ThisNode::emitBytecode): Deleted.
1906         * debugger/DebuggerCallFrame.cpp:
1907         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1908         * interpreter/Interpreter.cpp:
1909         (JSC::eval):
1910         * parser/ASTBuilder.h:
1911         (JSC::ASTBuilder::createThisExpr):
1912         * parser/NodeConstructors.h:
1913         (JSC::ThisNode::ThisNode):
1914         * parser/Nodes.h:
1915         * parser/Parser.cpp:
1916         (JSC::Parser<LexerType>::Parser):
1917         (JSC::Parser<LexerType>::parsePrimaryExpression):
1918         * parser/Parser.h:
1919         (JSC::parse):
1920         * parser/ParserModes.h:
1921         * parser/SourceCodeKey.h:
1922         (JSC::SourceCodeFlags::SourceCodeFlags):
1923         (JSC::SourceCodeFlags::operator==):
1924         (JSC::SourceCodeKey::SourceCodeKey):
1925         (JSC::SourceCodeKey::Hash::hash):
1926         (JSC::SourceCodeKey::Hash::equal):
1927         (JSC::SourceCodeKey::HashTraits::isEmptyValue):
1928         (JSC::SourceCodeKeyHash::hash): Deleted.
1929         (JSC::SourceCodeKeyHash::equal): Deleted.
1930         (JSC::SourceCodeKeyHashTraits::isEmptyValue): Deleted.
1931         * parser/SyntaxChecker.h:
1932         (JSC::SyntaxChecker::createThisExpr):
1933         * runtime/CodeCache.cpp:
1934         (JSC::CodeCache::getGlobalCodeBlock):
1935         (JSC::CodeCache::getProgramCodeBlock):
1936         (JSC::CodeCache::getEvalCodeBlock):
1937         (JSC::CodeCache::getModuleProgramCodeBlock):
1938         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1939         * runtime/CodeCache.h:
1940         * runtime/Executable.cpp:
1941         (JSC::EvalExecutable::create):
1942         * runtime/Executable.h:
1943         * runtime/JSGlobalObject.cpp:
1944         (JSC::JSGlobalObject::createEvalCodeBlock):
1945         * runtime/JSGlobalObject.h:
1946         * runtime/JSGlobalObjectFunctions.cpp:
1947         (JSC::globalFuncEval):
1948         * tests/stress/code-cache-incorrect-caching.js: Added.
1949         (shouldBe):
1950         (hello):
1951         (catch):
1952         (shouldBe.test.hello):
1953         (globalEval.ok):
1954         (global.hello.hello):
1955
1956 2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1957
1958         Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
1959         https://bugs.webkit.org/show_bug.cgi?id=157080
1960
1961         Reviewed by Saam Barati.
1962
1963         In custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
1964         In this patch, we add a new parameter, "slotBase". This represents the base value offering
1965         this custom getter. And use it in ProxyObject's performGet custom accessor getter.
1966
1967         * API/JSCallbackObject.h:
1968         * API/JSCallbackObjectFunctions.h:
1969         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1970         (JSC::JSCallbackObject<Parent>::callbackGetter):
1971         * bytecode/PolymorphicAccess.cpp:
1972         (JSC::AccessCase::generateImpl):
1973         In PolymorphicAccess case, the thisValue and the slotBase are always cells.
1974         This is because IC is enabled in the case that the base value is a cell.
1975         And slotBase is always on the prototype chain from this base value.
1976
1977         * jit/CCallHelpers.h:
1978         (JSC::CCallHelpers::setupArgumentsWithExecState):
1979         * jsc.cpp:
1980         (WTF::CustomGetter::customGetter):
1981         (WTF::RuntimeArray::lengthGetter):
1982         * runtime/CustomGetterSetter.cpp:
1983         (JSC::callCustomSetter):
1984         * runtime/JSBoundSlotBaseFunction.cpp:
1985         (JSC::boundSlotBaseFunctionCall):
1986         * runtime/JSFunction.cpp:
1987         (JSC::JSFunction::argumentsGetter):
1988         (JSC::JSFunction::callerGetter):
1989         * runtime/JSFunction.h:
1990         * runtime/JSModuleNamespaceObject.cpp:
1991         (JSC::callbackGetter):
1992         * runtime/PropertySlot.cpp:
1993         (JSC::PropertySlot::customGetter):
1994         * runtime/PropertySlot.h:
1995         * runtime/ProxyObject.cpp:
1996         (JSC::performProxyGet):
1997         * runtime/RegExpConstructor.cpp:
1998         (JSC::regExpConstructorDollar):
1999         (JSC::regExpConstructorInput):
2000         (JSC::regExpConstructorMultiline):
2001         (JSC::regExpConstructorLastMatch):
2002         (JSC::regExpConstructorLastParen):
2003         (JSC::regExpConstructorLeftContext):
2004         (JSC::regExpConstructorRightContext):
2005         (JSC::regExpConstructorDollar1): Deleted.
2006         (JSC::regExpConstructorDollar2): Deleted.
2007         (JSC::regExpConstructorDollar3): Deleted.
2008         (JSC::regExpConstructorDollar4): Deleted.
2009         (JSC::regExpConstructorDollar5): Deleted.
2010         (JSC::regExpConstructorDollar6): Deleted.
2011         (JSC::regExpConstructorDollar7): Deleted.
2012         (JSC::regExpConstructorDollar8): Deleted.
2013         (JSC::regExpConstructorDollar9): Deleted.
2014         * tests/stress/proxy-get-with-primitive-receiver.js: Added.
2015         (shouldBe):
2016
2017 2016-05-23  Geoffrey Garen  <ggaren@apple.com>
2018
2019         REGRESSION (196374): deleting a global property is expensive
2020         https://bugs.webkit.org/show_bug.cgi?id=158005
2021
2022         Reviewed by Chris Dumez.
2023
2024         * runtime/JSObject.cpp:
2025         (JSC::JSObject::deleteProperty): We only need to reify static properties
2026         if the name being deleted matches a static property. Otherwise, we can
2027         be sure that delete won't observe any static properties.
2028
2029 2016-05-23  Saam barati  <sbarati@apple.com>
2030
2031         The baseline JIT crashes when compiling "(1,1)/1"
2032         https://bugs.webkit.org/show_bug.cgi?id=157933
2033
2034         Reviewed by Benjamin Poulain.
2035
2036         op_div in the baseline JIT needed to better handle when both the lhs
2037         and rhs are constants. It needs to make sure to load either the lhs or
2038         the rhs into a register since the div generator can't handle both
2039         the lhs and rhs being constants.
2040
2041         * jit/JITArithmetic.cpp:
2042         (JSC::JIT::emit_op_div):
2043         * tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js: Added.
2044         (assert):
2045         (test):
2046
2047 2016-05-23  Saam barati  <sbarati@apple.com>
2048
2049         String template don't handle let initialization properly inside eval
2050         https://bugs.webkit.org/show_bug.cgi?id=157991
2051
2052         Reviewed by Oliver Hunt.
2053
2054         The fix is to make sure we emit TDZ checks. 
2055
2056         * bytecompiler/NodesCodegen.cpp:
2057         (JSC::TaggedTemplateNode::emitBytecode):
2058         * tests/stress/tagged-template-tdz.js: Added.
2059         (shouldThrowTDZ):
2060         (test):
2061
2062 2016-05-22  Saam barati  <sbarati@apple.com>
2063
2064         Unreviewed. Fixed debug assertion failures from r201235.
2065
2066         * runtime/JSScope.cpp:
2067         (JSC::abstractAccess):
2068
2069 2016-05-22  Brady Eidson  <beidson@apple.com>
2070
2071         Attempted Yosemite build fix after http://trac.webkit.org/changeset/201255
2072
2073         Suggested by and reviewed by Anders Carlsson.
2074
2075         * b3/B3CCallValue.h: Initialize the effects member more conventionally.
2076
2077 2016-05-22  Brady Eidson  <beidson@apple.com>
2078
2079         Move to C++14.
2080         https://bugs.webkit.org/show_bug.cgi?id=157948
2081
2082         Reviewed by Michael Catanzaro.
2083
2084         * Configurations/Base.xcconfig:
2085
2086 2016-05-22  Saam barati  <sbarati@apple.com>
2087
2088         REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
2089         https://bugs.webkit.org/show_bug.cgi?id=157968
2090         <rdar://problem/26404735>
2091
2092         Reviewed by Ryosuke Niwa and Filip Pizlo.
2093
2094         There was a bug in the DFG where we were checking a condition
2095         on the wrong variable.
2096
2097         * dfg/DFGStrengthReductionPhase.cpp:
2098         (JSC::DFG::StrengthReductionPhase::handleNode):
2099
2100 2016-05-22  Chris Dumez  <cdumez@apple.com>
2101
2102         Remove uses of PassRefPtr in JS bindings code
2103         https://bugs.webkit.org/show_bug.cgi?id=157949
2104
2105         Reviewed by Andreas Kling.
2106
2107         Remove uses of PassRefPtr in JS bindings code.
2108
2109         * runtime/JSGlobalObject.cpp:
2110         (JSC::JSGlobalObject::queueMicrotask):
2111         * runtime/JSGlobalObject.h:
2112
2113 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
2114
2115         Remove LegacyProfiler
2116         https://bugs.webkit.org/show_bug.cgi?id=153565
2117
2118         Reviewed by Mark Lam.
2119
2120         JavaScriptCore now provides a sampling profiler and it is enabled
2121         by all ports. Web Inspector switched months ago to using the
2122         sampling profiler and displaying its data. Remove the legacy
2123         profiler, as it is no longer being used by anything other than
2124         console.profile and tests. We will update console.profile's
2125         behavior soon to have new behavior and use the sampling data.
2126
2127         * API/JSProfilerPrivate.cpp: Removed.
2128         * API/JSProfilerPrivate.h: Removed.
2129         * CMakeLists.txt:
2130         * JavaScriptCore.xcodeproj/project.pbxproj:
2131         * bytecode/BytecodeList.json:
2132         * bytecode/BytecodeUseDef.h:
2133         (JSC::computeUsesForBytecodeOffset): Deleted.
2134         (JSC::computeDefsForBytecodeOffset): Deleted.
2135         * bytecode/CodeBlock.cpp:
2136         (JSC::CodeBlock::dumpBytecode): Deleted.
2137         * bytecode/UnlinkedFunctionExecutable.cpp:
2138         (JSC::generateUnlinkedFunctionCodeBlock):
2139         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2140         * bytecode/UnlinkedFunctionExecutable.h:
2141         * bytecompiler/BytecodeGenerator.cpp:
2142         (JSC::BytecodeGenerator::BytecodeGenerator):
2143         (JSC::BytecodeGenerator::emitCall):
2144         (JSC::BytecodeGenerator::emitCallVarargs):
2145         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
2146         (JSC::BytecodeGenerator::emitConstructVarargs):
2147         (JSC::BytecodeGenerator::emitConstruct):
2148         * bytecompiler/BytecodeGenerator.h:
2149         (JSC::CallArguments::profileHookRegister): Deleted.
2150         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
2151         * bytecompiler/NodesCodegen.cpp:
2152         (JSC::CallFunctionCallDotNode::emitBytecode):
2153         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2154         (JSC::CallArguments::CallArguments): Deleted.
2155         * dfg/DFGAbstractInterpreterInlines.h:
2156         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
2157         * dfg/DFGByteCodeParser.cpp:
2158         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
2159         * dfg/DFGCapabilities.cpp:
2160         (JSC::DFG::capabilityLevel): Deleted.
2161         * dfg/DFGClobberize.h:
2162         (JSC::DFG::clobberize): Deleted.
2163         * dfg/DFGDoesGC.cpp:
2164         (JSC::DFG::doesGC): Deleted.
2165         * dfg/DFGFixupPhase.cpp:
2166         (JSC::DFG::FixupPhase::fixupNode): Deleted.
2167         * dfg/DFGNodeType.h:
2168         * dfg/DFGPredictionPropagationPhase.cpp:
2169         * dfg/DFGSafeToExecute.h:
2170         (JSC::DFG::safeToExecute): Deleted.
2171         * dfg/DFGSpeculativeJIT32_64.cpp:
2172         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2173         * dfg/DFGSpeculativeJIT64.cpp:
2174         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2175         * inspector/InjectedScriptBase.cpp:
2176         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
2177         * interpreter/Interpreter.cpp:
2178         (JSC::UnwindFunctor::operator()): Deleted.
2179         (JSC::Interpreter::execute): Deleted.
2180         (JSC::Interpreter::executeCall): Deleted.
2181         (JSC::Interpreter::executeConstruct): Deleted.
2182         * jit/JIT.cpp:
2183         (JSC::JIT::privateCompileMainPass): Deleted.
2184         * jit/JIT.h:
2185         * jit/JITOpcodes.cpp:
2186         (JSC::JIT::emit_op_profile_will_call): Deleted.
2187         (JSC::JIT::emit_op_profile_did_call): Deleted.
2188         * jit/JITOpcodes32_64.cpp:
2189         (JSC::JIT::emit_op_profile_will_call): Deleted.
2190         (JSC::JIT::emit_op_profile_did_call): Deleted.
2191         * jit/JITOperations.cpp:
2192         * jit/JITOperations.h:
2193         * llint/LLIntSlowPaths.cpp:
2194         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
2195         * llint/LLIntSlowPaths.h:
2196         * llint/LowLevelInterpreter.asm:
2197         * parser/ParserModes.h:
2198         * profiler/CallIdentifier.h: Removed.
2199         * profiler/LegacyProfiler.cpp: Removed.
2200         * profiler/LegacyProfiler.h: Removed.
2201         * profiler/Profile.cpp: Removed.
2202         * profiler/Profile.h: Removed.
2203         * profiler/ProfileGenerator.cpp: Removed.
2204         * profiler/ProfileGenerator.h: Removed.
2205         * profiler/ProfileNode.cpp: Removed.
2206         * profiler/ProfileNode.h: Removed.
2207         * profiler/ProfilerJettisonReason.cpp:
2208         (WTF::printInternal): Deleted.
2209         * profiler/ProfilerJettisonReason.h:
2210         * runtime/CodeCache.cpp:
2211         (JSC::CodeCache::getGlobalCodeBlock):
2212         (JSC::CodeCache::getProgramCodeBlock):
2213         (JSC::CodeCache::getEvalCodeBlock):
2214         (JSC::CodeCache::getModuleProgramCodeBlock):
2215         * runtime/CodeCache.h:
2216         * runtime/Executable.cpp:
2217         (JSC::ScriptExecutable::newCodeBlockFor):
2218         * runtime/JSGlobalObject.cpp:
2219         (JSC::JSGlobalObject::createProgramCodeBlock):
2220         (JSC::JSGlobalObject::createEvalCodeBlock):
2221         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2222         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
2223         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
2224         * runtime/JSGlobalObject.h:
2225         * runtime/Options.h:
2226         * runtime/VM.cpp:
2227         (JSC::VM::VM): Deleted.
2228         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
2229         (JSC::VM::setEnabledProfiler): Deleted.
2230         * runtime/VM.h:
2231         (JSC::VM::enabledProfiler): Deleted.
2232         (JSC::VM::enabledProfilerAddress): Deleted.
2233
2234 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
2235
2236         Remove LegacyProfiler
2237         https://bugs.webkit.org/show_bug.cgi?id=153565
2238
2239         Reviewed by Saam Barati.
2240
2241         * inspector/protocol/Timeline.json:
2242         * jsc.cpp:
2243         * runtime/JSGlobalObject.cpp:
2244         (JSC::JSGlobalObject::hasLegacyProfiler):
2245         * runtime/JSGlobalObject.h:
2246         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
2247
2248 2016-05-20  Saam barati  <sbarati@apple.com>
2249
2250         JSScope::abstractAccess doesn't need to copy the SymbolTableEntry, it can use it by reference
2251         https://bugs.webkit.org/show_bug.cgi?id=157956
2252
2253         Reviewed by Geoffrey Garen.
2254
2255         A SymbolTableEntry may be a FatEntry. Copying a FatEntry is slow because we have to
2256         malloc memory for it, then free the malloced memory once the entry goes out of
2257         scope. abstractAccess uses a SymbolTableEntry temporarily when performing scope
2258         accesses during bytecode linking. It copies out the SymbolTableEntry every time
2259         it does a SymbolTable lookup. This is not cheap when the entry happens to be a
2260         FatEntry. We should really just be using a reference to the entry because
2261         there is no need to copy it in such a scenario.
2262
2263         * runtime/JSScope.cpp:
2264         (JSC::abstractAccess):
2265
2266 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
2267
2268         Web Inspector: retained size for typed arrays does not count native backing store
2269         https://bugs.webkit.org/show_bug.cgi?id=157945
2270         <rdar://problem/26392238>
2271
2272         Reviewed by Geoffrey Garen.
2273
2274         * runtime/JSArrayBuffer.h:
2275         * runtime/JSArrayBuffer.cpp:
2276         (JSC::JSArrayBuffer::estimatedSize):
2277         Include an estimatedSize implementation for JSArrayBuffer.
2278         ArrayBuffer has a unique path, different from other data
2279         stored in the Heap.
2280
2281         * tests/heapProfiler/typed-array-sizes.js: Added.
2282         Test sizes of TypedArray with and without an ArrayBuffer.
2283         When the TypedArray is a view wrapping an ArrayBuffer, the
2284         ArrayBuffer has the size.
2285
2286 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
2287
2288         reifyAllStaticProperties makes two copies of every string
2289         https://bugs.webkit.org/show_bug.cgi?id=157953
2290
2291         Reviewed by Mark Lam.
2292
2293         Let's not do that.
2294
2295         * runtime/JSObject.cpp:
2296         (JSC::JSObject::reifyAllStaticProperties): Pass our Identifier to
2297         reifyStaticProperty so it doesn't have to make its own.
2298
2299         * runtime/Lookup.h:
2300         (JSC::reifyStaticProperty): No need to null check because callers never
2301         pass null anymore. No need to make an identifier because callers pass
2302         us one.
2303
2304         (JSC::reifyStaticProperties): Honor new interface.
2305
2306 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
2307
2308         JSBench regression: CodeBlock linking always copies the symbol table
2309         https://bugs.webkit.org/show_bug.cgi?id=157951
2310
2311         Reviewed by Saam Barati.
2312
2313         We always put a SymbolTable into the constant pool, even in simple
2314         functions in which it won't be used -- i.e., there's no eval and there
2315         are no captured variables and so on.
2316
2317         This is costly because linking must copy any provided symbol tables.
2318
2319         * bytecompiler/BytecodeGenerator.cpp:
2320         (JSC::BytecodeGenerator::BytecodeGenerator):
2321         (JSC::BytecodeGenerator::emitProfileType): Only add the symbol table
2322         as a constant if we will use it at runtime.
2323
2324 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
2325
2326         [JSC] Improve int->float conversion in FTL
2327         https://bugs.webkit.org/show_bug.cgi?id=157936
2328
2329         Reviewed by Filip Pizlo.
2330
2331         The integer -> floating point lowering was very bare-bones.
2332
2333         For example, converting a constant integer to double
2334         was doing:
2335             mov #const, %eax
2336             xor %xmm0, %xmm0
2337             cvtsi2sd %eax, %xmm0
2338
2339         Conversion from integer to float was also missing.
2340         We were always converting to double then rounding the double
2341         to float.
2342
2343         This patch adds the basics:
2344         -Constant folding.
2345         -Integer to Float opcode.
2346         -Reducing int->double to int->float when used by DoubleToFloat.
2347
2348         * assembler/MacroAssemblerX86Common.h:
2349         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
2350         * assembler/MacroAssemblerX86_64.h:
2351         (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
2352         (JSC::MacroAssemblerX86_64::convertInt64ToFloat):
2353         * assembler/X86Assembler.h:
2354         (JSC::X86Assembler::cvtsi2ss_rr):
2355         (JSC::X86Assembler::cvtsi2ssq_rr):
2356         (JSC::X86Assembler::cvtsi2sdq_mr):
2357         (JSC::X86Assembler::cvtsi2ssq_mr):
2358         (JSC::X86Assembler::cvtsi2ss_mr):
2359         * assembler/MacroAssemblerARM64.h:
2360         * b3/B3Const32Value.cpp:
2361         (JSC::B3::Const32Value::iToDConstant):
2362         (JSC::B3::Const32Value::iToFConstant):
2363         * b3/B3Const32Value.h:
2364         * b3/B3Const64Value.cpp:
2365         (JSC::B3::Const64Value::iToDConstant):
2366         (JSC::B3::Const64Value::iToFConstant):
2367         * b3/B3Const64Value.h:
2368         * b3/B3LowerToAir.cpp:
2369         (JSC::B3::Air::LowerToAir::lower):
2370         * b3/B3Opcode.cpp:
2371         (WTF::printInternal):
2372         * b3/B3Opcode.h:
2373         * b3/B3ReduceDoubleToFloat.cpp:
2374         * b3/B3ReduceStrength.cpp:
2375         * b3/B3Validate.cpp:
2376         * b3/B3Value.cpp:
2377         (JSC::B3::Value::iToDConstant):
2378         (JSC::B3::Value::iToFConstant):
2379         (JSC::B3::Value::isRounded):
2380         (JSC::B3::Value::effects):
2381         (JSC::B3::Value::key):
2382         (JSC::B3::Value::typeFor):
2383         * b3/B3Value.h:
2384         * b3/B3ValueKey.cpp:
2385         (JSC::B3::ValueKey::materialize):
2386         * b3/air/AirFixPartialRegisterStalls.cpp:
2387         * b3/air/AirOpcode.opcodes:
2388         * b3/testb3.cpp:
2389         (JSC::B3::int64Operands):
2390         (JSC::B3::testIToD64Arg):
2391         (JSC::B3::testIToF64Arg):
2392         (JSC::B3::testIToD32Arg):
2393         (JSC::B3::testIToF32Arg):
2394         (JSC::B3::testIToD64Mem):
2395         (JSC::B3::testIToF64Mem):
2396         (JSC::B3::testIToD32Mem):
2397         (JSC::B3::testIToF32Mem):
2398         (JSC::B3::testIToD64Imm):
2399         (JSC::B3::testIToF64Imm):
2400         (JSC::B3::testIToD32Imm):
2401         (JSC::B3::testIToF32Imm):
2402         (JSC::B3::testIToDReducedToIToF64Arg):
2403         (JSC::B3::testIToDReducedToIToF32Arg):
2404         (JSC::B3::run):
2405
2406 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
2407
2408         [JSC] FTL can crash on stack overflow
2409         https://bugs.webkit.org/show_bug.cgi?id=157881
2410         rdar://problem/24665964
2411
2412         Reviewed by Michael Saboff.
2413
2414         The VM's m_largestFTLStackSize was never set anywhere (updateFTLLargestStackSize()
2415         was never called). We forgot to change that when implementing B3.
2416
2417         Even when it is set, we still have a problem on OSR Exit.
2418         If the last frame is a FTL frame and it OSR Exits, the space required for
2419         that frame becomes significantly larger. What happens is we crash in the OSR Exit
2420         instead of the FTL frame (this is what happens in rdar://problem/24665964).
2421
2422         This patch changes the stack boundary checks in FTL to be the same as DFG:
2423         we verify that we have enough space for the current optimized function but
2424         also for the baseline version (including inlining) in case of exit.
2425
2426         * ftl/FTLLowerDFGToB3.cpp:
2427         (JSC::FTL::DFG::LowerDFGToB3::lower):
2428         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack): Deleted.
2429         * runtime/VM.cpp:
2430         (JSC::VM::VM): Deleted.
2431         (JSC::VM::updateStackLimit): Deleted.
2432         (JSC::VM::updateFTLLargestStackSize): Deleted.
2433         * runtime/VM.h:
2434         (JSC::VM::addressOfFTLStackLimit): Deleted.
2435
2436 2016-05-18  Filip Pizlo  <fpizlo@apple.com>
2437
2438         DFG::LICMPhase shouldn't hoist type checks unless it knows that the check will succeed at the loop pre-header
2439         https://bugs.webkit.org/show_bug.cgi?id=144527
2440
2441         Reviewed by Saam Barati.
2442         
2443         This adds a control flow equivalence analysis (called ControlEquivalenceAnalysis) based on
2444         dominator analysis over the backwards CFG. Two basic blocks are control flow equivalent if
2445         the execution of one implies that the other one must also execute. It means that the two
2446         blocks' forward and backward dominance are reciprocated: (A dom B and B backdom A) or (B dom
2447         A and A backdom B). LICM now uses it to become more conservative about hoisting checks, if
2448         this has caused problems in the past. If we hoist something that may exit from a block that
2449         was not control equivalent to the pre-header then it's possible that the node's speculation
2450         will fail even though it wouldn't have if it wasn't hoisted. So, we flag these nodes'
2451         origins as being "wasHoisted" and we track all of their exits as "HoistingFailed". LICM will
2452         turn off such speculative hoisting if the CodeBlock from which we are hoisting had the
2453         HoistingFailed exit kind.
2454         
2455         Note that this deliberately still allows us to hoist things that may exit even if they are
2456         not control equivalent to the pre-header. This is necessary because the profitability of
2457         hoisting is so huge in all of the cases that we're aware of that it's worth giving it a
2458         shot.
2459         
2460         This is neutral on macrobenchmarks since none of the benchmarks we track have a hoistable
2461         operation that would exit only if hoisted. I added microbenchmarks to illustrate the problem
2462         and two of them speed up by ~40% while one of them is neutral (Int52 saves us from having
2463         problems on that program even though LICM previously did the wrong thing).
2464
2465         * JavaScriptCore.xcodeproj/project.pbxproj:
2466         * bytecode/ExitKind.cpp:
2467         (JSC::exitKindToString):
2468         * bytecode/ExitKind.h:
2469         * dfg/DFGAtTailAbstractState.h:
2470         (JSC::DFG::AtTailAbstractState::operator bool):
2471         (JSC::DFG::AtTailAbstractState::initializeTo):
2472         * dfg/DFGBackwardsCFG.h: Added.
2473         (JSC::DFG::BackwardsCFG::BackwardsCFG):
2474         * dfg/DFGBackwardsDominators.h: Added.
2475         (JSC::DFG::BackwardsDominators::BackwardsDominators):
2476         * dfg/DFGCommon.h:
2477         (JSC::DFG::checkAndSet): Deleted.
2478         * dfg/DFGControlEquivalenceAnalysis.h: Added.
2479         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
2480         (JSC::DFG::ControlEquivalenceAnalysis::dominatesEquivalently):
2481         (JSC::DFG::ControlEquivalenceAnalysis::areEquivalent):
2482         * dfg/DFGGraph.cpp:
2483         (JSC::DFG::Graph::dump):
2484         (JSC::DFG::Graph::dumpBlockHeader):
2485         (JSC::DFG::Graph::invalidateCFG):
2486         (JSC::DFG::Graph::substituteGetLocal):
2487         (JSC::DFG::Graph::handleAssertionFailure):
2488         (JSC::DFG::Graph::ensureDominators):
2489         (JSC::DFG::Graph::ensurePrePostNumbering):
2490         (JSC::DFG::Graph::ensureNaturalLoops):
2491         (JSC::DFG::Graph::ensureBackwardsCFG):
2492         (JSC::DFG::Graph::ensureBackwardsDominators):
2493         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
2494         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2495         * dfg/DFGGraph.h:
2496         (JSC::DFG::Graph::hasDebuggerEnabled):
2497         * dfg/DFGInPlaceAbstractState.h:
2498         (JSC::DFG::InPlaceAbstractState::operator bool):
2499         (JSC::DFG::InPlaceAbstractState::createValueForNode):
2500         (JSC::DFG::InPlaceAbstractState::forNode):
2501         * dfg/DFGLICMPhase.cpp:
2502         (JSC::DFG::LICMPhase::run):
2503         (JSC::DFG::LICMPhase::attemptHoist):
2504         * dfg/DFGMayExit.cpp:
2505         (JSC::DFG::mayExit):
2506         * dfg/DFGMayExit.h:
2507         * dfg/DFGNode.h:
2508         * dfg/DFGNodeOrigin.cpp:
2509         (JSC::DFG::NodeOrigin::dump):
2510         * dfg/DFGNodeOrigin.h:
2511         (JSC::DFG::NodeOrigin::takeValidExit):
2512         (JSC::DFG::NodeOrigin::withWasHoisted):
2513         (JSC::DFG::NodeOrigin::forInsertingAfter):
2514         * dfg/DFGNullAbstractState.h: Added.
2515         (JSC::DFG::NullAbstractState::NullAbstractState):
2516         (JSC::DFG::NullAbstractState::operator bool):
2517         (JSC::DFG::NullAbstractState::forNode):
2518         * dfg/DFGOSRExit.cpp:
2519         (JSC::DFG::OSRExit::OSRExit):
2520         * dfg/DFGOSRExitBase.cpp:
2521         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2522         * dfg/DFGOSRExitBase.h:
2523         (JSC::DFG::OSRExitBase::OSRExitBase):
2524         * dfg/DFGTypeCheckHoistingPhase.cpp:
2525         (JSC::DFG::TypeCheckHoistingPhase::run):
2526         * ftl/FTLOSRExit.cpp:
2527         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
2528         (JSC::FTL::OSRExit::OSRExit):
2529         * ftl/FTLOSRExit.h:
2530
2531 2016-05-19  Mark Lam  <mark.lam@apple.com>
2532
2533         Code that null checks the VM pointer before any use should ref the VM.
2534         https://bugs.webkit.org/show_bug.cgi?id=157864
2535
2536         Reviewed by Filip Pizlo and Keith Miller.
2537
2538         JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
2539         through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
2540         after their null checks.
2541
2542         * bytecode/CodeBlock.h:
2543         (JSC::CodeBlock::vm):
2544         (JSC::CodeBlock::setVM): Deleted.
2545         - Not used, and suggests that it can be changed during the lifetime of the
2546           CodeBlock (which should not be).
2547
2548         * heap/HeapTimer.cpp:
2549         (JSC::HeapTimer::timerDidFire):
2550         * runtime/JSLock.cpp:
2551         (JSC::JSLock::willReleaseLock):
2552         - Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
2553           the raw VM pointer.  This makes the null check a strong guarantee that the
2554           VM pointer is valid while these functions are using it.
2555
2556 2016-05-19  Saam barati  <sbarati@apple.com>
2557
2558         arrow function lexical environment should reuse the same environment as the function's lexical environment where possible
2559         https://bugs.webkit.org/show_bug.cgi?id=157908
2560
2561         Reviewed by Filip Pizlo.
2562
2563         We can safely combine these two environments when we have
2564         a simple parameter list (no default parameters, no destructuring parameters).
2565
2566         * bytecompiler/BytecodeGenerator.cpp:
2567         (JSC::BytecodeGenerator::BytecodeGenerator):
2568         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2569         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2570         * bytecompiler/BytecodeGenerator.h:
2571
2572 2016-05-19  Michael Saboff  <msaboff@apple.com>
2573
2574         Unreviewed build fix.
2575
2576         Skipping this new test as it times out on the bots.
2577
2578         Issue tracked in https://bugs.webkit.org/show_bug.cgi?id=157903
2579
2580         * tests/stress/regress-157595.js:
2581         (MyRegExp):
2582
2583 2016-05-19  Guillaume Emont  <guijemont@igalia.com>
2584
2585         JSC: DFG::SpeculativeJIT::compile special case for MIPS for PutByValWithThis
2586         https://bugs.webkit.org/show_bug.cgi?id=157741
2587
2588         Reviewed by Saam Barati.
2589
2590         The PutByValWithThis case needs a special case for MIPS because we
2591         don't have enough registers. The special case needs to be different
2592         from the x86 one because we have a different ABI.
2593
2594         * dfg/DFGSpeculativeJIT32_64.cpp:
2595         (JSC::DFG::SpeculativeJIT::compile):
2596
2597 2016-05-19  Brian Burg  <bburg@apple.com>
2598
2599         Web Inspector: use a consistent prefix for injected scripts
2600         https://bugs.webkit.org/show_bug.cgi?id=157715
2601         <rdar://problem/26287188>
2602
2603         Reviewed by Timothy Hatcher.
2604
2605         * CMakeLists.txt:
2606         * DerivedSources.make:
2607         * inspector/InjectedScriptSource.js:
2608
2609 2016-05-19  Csaba Osztrogonác  <ossy@webkit.org>
2610
2611         [ARM] Remove redefined macro after r200606
2612         https://bugs.webkit.org/show_bug.cgi?id=157890
2613
2614         Reviewed by Michael Saboff.
2615
2616         * bytecode/PolymorphicAccess.cpp:
2617         * jit/CCallHelpers.h:
2618
2619 2016-05-18  Saam barati  <sbarati@apple.com>
2620
2621         Function with default parameter values that are arrow functions that capture this isn't working
2622         https://bugs.webkit.org/show_bug.cgi?id=157786
2623         <rdar://problem/26327329>
2624
2625         Reviewed by Geoffrey Garen.
2626
2627         To make the scopes ordered properly, I needed to initialize the arrow 
2628         function lexical environment before initializing default parameter values.
2629         I also made the code easier to reason about by never reusing the function's
2630         var lexical environment for the arrow function lexical environment. The
2631         reason for this is that that code was wrong, and we just didn't have code
2632         that properly tested it. It was easy for that code to be wrong because
2633         sometimes the function's lexical environment isn't the top-most scope
2634         (namely, when a function's parameter list is non-simple) and sometimes
2635         it is (when the function's parameter list is simple).
2636
2637         Also, because a function's default parameter values may capture the
2638         'arguments' variable inside an arrow function, I needed to take care
2639         to initialize the 'arguments' variable as part of whichever scope
2640         is the top-most scope. It's either the function's var environment
2641         if the parameter list is simple, or it's the function's parameter
2642         environment if the parameter list is non-simple.
2643
2644         * bytecompiler/BytecodeGenerator.cpp:
2645         (JSC::BytecodeGenerator::BytecodeGenerator):
2646         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2647         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2648         (JSC::BytecodeGenerator::initializeParameters):
2649         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
2650         (JSC::BytecodeGenerator::visibleNameForParameter):
2651         * bytecompiler/BytecodeGenerator.h:
2652         * tests/stress/arrow-functions-as-default-parameter-values.js: Added.
2653         (assert):
2654         (test):
2655         (test.foo):
2656         * tests/stress/op-push-name-scope-crashes-profiler.js:
2657         (test):
2658
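The scoping described in the entry above, as an added example in plain JavaScript (it is not JavaScriptCore code and not the stress test the entry names; the function names are chosen for the example): an arrow function used as a default parameter value sees the enclosing function's `this` and `arguments`, and, because a parameter list with defaults is non-simple, the body's `var` declarations live in a separate environment that the default's arrow cannot see.

```javascript
// Added example, not JavaScriptCore code: how arrow functions in default
// parameter values interact with `this`, `arguments` and the body's var scope.

// 1. An arrow default captures the enclosing function's `this`.
function greeter(prefix, greet = () => `${prefix} ${this.name}`) {
  return greet();
}
function demoThisCapture() {
  // `this` inside the arrow is the object passed via call().
  return greeter.call({ name: "Ada" }, "Hello"); // "Hello Ada"
}

// 2. An arrow default captures the enclosing function's `arguments`,
//    so it must be initialised before default values are evaluated.
function countArgs(a, count = () => arguments.length) {
  return count();
}
function demoArgumentsCapture() {
  // The second argument is undefined, so the default applies, yet
  // `arguments` still reports all three passed values.
  return countArgs(1, undefined, 3); // 3
}

// 3. With a non-simple parameter list the body's vars get their own
//    environment; the default's arrow resolves `shadowed` to the outer binding.
const shadowed = 1; // outer binding
function paramScope(read = () => shadowed) {
  var shadowed = 2; // body var, invisible to the parameter environment
  return read();
}
function demoParameterScope() {
  return paramScope(); // 1, not 2
}
```

Running the three demo functions in any ES2015-compliant engine returns `"Hello Ada"`, `3` and `1`; an engine that reused the body's var environment for the default parameters, as the entry describes, would get the third case wrong.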
2659 2016-05-18  Michael Saboff  <msaboff@apple.com>
2660
2661         r199812 broke test262
2662         https://bugs.webkit.org/show_bug.cgi?id=157595
2663
2664         Reviewed by Filip Pizlo.
2665
2666         Added a reasonable limit to the size of the match result array to catch possible
2667         infinite loops when matching.
2668         Added a new test that creates an infinite loop in RegExp.prototype.[Symbol.match]
2669         by creating a subclass of RegExp where the base RegExp's global flag is false and
2670         the subclass overrides .global with a getter that always returns true.
2671
2672         * builtins/RegExpPrototype.js:
2673         (match):
2674         * tests/stress/regress-157595.js: Added.
2675         (MyRegExp):
2676         (MyRegExp.prototype.get global):
2677         (test):
2678         (catch):
2679
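The problem in the entry above is an unbounded loop in the global-match path of RegExp.prototype[Symbol.match] when a subclass reports `global` as true while the underlying regex is not global, so the built-in exec never advances lastIndex. The following is an added JavaScript example, not JavaScriptCore's own builtin: it sketches the ES2015 global-match loop with the kind of result-count limit the entry describes, so the misbehaving subclass produces an exception instead of hanging. The cap value MAX_MATCH_RESULTS and the function names are assumptions made for the example.

```javascript
// Added example, not JavaScriptCore code: a capped version of the ES2015
// RegExp.prototype[Symbol.match] global-match loop.
const MAX_MATCH_RESULTS = 10000; // assumed cap; JSC's actual limit is not given here

// AdvanceStringIndex from the spec: step over a surrogate pair in unicode mode.
function advanceStringIndex(str, index, unicode) {
  if (!unicode || index + 1 >= str.length) return index + 1;
  const cp = str.codePointAt(index);
  return index + (cp > 0xffff ? 2 : 1);
}

function globalMatch(rx, str, maxResults = MAX_MATCH_RESULTS) {
  // Non-global: a single exec, exactly as the spec does.
  if (!rx.global) return rx.exec(str);

  const fullUnicode = rx.unicode;
  const matches = [];
  rx.lastIndex = 0;
  for (;;) {
    const result = rx.exec(str);
    if (result === null) return matches.length ? matches : null;
    const matchStr = String(result[0]);
    matches.push(matchStr);
    // Only an empty match forces the loop itself to move lastIndex forward;
    // otherwise the loop relies on exec() having advanced it.
    if (matchStr === "") {
      rx.lastIndex = advanceStringIndex(str, rx.lastIndex, fullUnicode);
    }
    // Defensive limit: a regex whose exec() never advances lastIndex (for
    // instance because `global` lies about the underlying flags) would
    // otherwise loop forever and grow `matches` without bound.
    if (matches.length > maxResults) {
      throw new RangeError("too many match results; regex is not advancing");
    }
  }
}

// A subclass whose `global` getter disagrees with the regex's real flags:
// the inherited exec() sees a non-global regex and never updates lastIndex.
class LyingRegExp extends RegExp {
  get global() { return true; }
}
```

With a normal global regex the function behaves like `String.prototype.match`; with `new LyingRegExp("a")` it throws a RangeError once the cap is reached rather than looping forever.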
2680 2016-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2681
2682         [ES6] Namespace object re-export should be handled as local export
2683         https://bugs.webkit.org/show_bug.cgi?id=157806
2684
2685         Reviewed by Mark Lam.
2686
2687         We align the implementation of ExportEntry to the spec; remove Type::Namespace.
2688         This Type::Namespace is used for re-exported namespace object binding. For example,
2689
2690             import * as namespace from "namespace.js"
2691             export { namespace }
2692
2693         In the above case, we used ExportEntry(Type::Namespace). In this patch, we drop this
2694         and use normal local export (Type::Local) instead because the namespace object actually has
2695         the local binding in the above module environment. And this handling strictly meets the
2696         spec (Sec 15.2.1.16.1 step 11-a-ii-2-b).
2697
2698         And we also clean up the ExportEntry implementation; dropping unnecessary information.
2699         This change fixes the test262/test/language/module-code/instn-star-equality.js crash.
2700
2701         * parser/ModuleAnalyzer.cpp:
2702         (JSC::ModuleAnalyzer::exportVariable):
2703         * runtime/JSModuleRecord.cpp:
2704         (JSC::getExportedNames):
2705         (JSC::JSModuleRecord::dump): Deleted.
2706         * runtime/JSModuleRecord.h:
2707         * tests/modules/namespace-re-export.js: Added.
2708         * tests/modules/namespace-re-export/namespace-re-export-fixture.js: Added.
2709         * tests/modules/namespace-re-export/namespace-re-export.js: Added.
2710         * tests/modules/resources/assert.js:
2711         (export.shouldNotBe):
2712
2713 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
2714
2715         JSC should detect the right default locale even when it's not embedded in WebCore
2716         https://bugs.webkit.org/show_bug.cgi?id=157755
2717         rdar://problem/24665424
2718
2719         Reviewed by Keith Miller.
2720         
2721         This makes JSC try to use WTF's platform user preferred language detection if the DOM did
2722         not register a defaultLanguage callback. The result is that when JSC runs standalone it
2723         will detect the platform user preferred language almost the same way as when it's embedded
2724         in WebCore. The only difference is that WebCore may have its own additional overrides via
2725         the WK API. But in the absence of overrides, WebCore uses the same WTF logic that JSC falls
2726         back to.
2727         
2728         We first found this bug because on iOS, the intl tests would fail because ICU would report
2729         a somewhat bogus locale on that platform. Prior to this change, standalone JSC would fall
2730         back to ICU's locale detection. It turns out that the ICU default locale is also bogus on
2731         OS X, just less so. For example, setting things to Poland did not result in the jsc shell
2732         printing dates Polish-style. Now it will print them Polish-style if your system preferences
2733         say so. Also, the tests don't fail on iOS anymore.
2734         
2735         * runtime/IntlObject.cpp:
2736         (JSC::defaultLocale):
2737
2738 2016-05-17  Dean Jackson  <dino@apple.com>
2739
2740         Remove ES6_GENERATORS flag
2741         https://bugs.webkit.org/show_bug.cgi?id=157815
2742         <rdar://problem/26332894>
2743
2744         Reviewed by Geoffrey Garen.
2745
2746         This flag isn't needed. Generators are enabled everywhere and
2747         part of a stable specification.
2748
2749         * Configurations/FeatureDefines.xcconfig:
2750         * parser/Parser.cpp:
2751         (JSC::Parser<LexerType>::parseFunctionDeclaration): Deleted.
2752         (JSC::Parser<LexerType>::parseClass): Deleted.
2753         (JSC::Parser<LexerType>::parseExportDeclaration): Deleted.
2754         (JSC::Parser<LexerType>::parseAssignmentExpression): Deleted.
2755         (JSC::Parser<LexerType>::parseProperty): Deleted.
2756         (JSC::Parser<LexerType>::parseFunctionExpression): Deleted.
2757
2758 2016-05-17  Keith Miller  <keith_miller@apple.com>
2759
2760         Rollout r200426 since it causes PLT regressions.
2761         https://bugs.webkit.org/show_bug.cgi?id=157812
2762
2763         Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.
2764
2765 2016-05-17  Keith Miller  <keith_miller@apple.com>
2766
2767         Add test262 harness support code
2768         https://bugs.webkit.org/show_bug.cgi?id=157797
2769
2770         Reviewed by Filip Pizlo.
2771
2772         This patch adds some new tooling needed to run Test262 with the jsc
2773         CLI. There were three options that needed to be added for Test262:
2774
2775         1) "--test262-async" This option overrides the print function in the test runner to look for
2776         'Test262:AsyncTestComplete' instead of printing the passed text. If test262-async mode is on
2777         and that string is not passed then the test is marked as failing.
2778
2779         2) "--strict-file=<file>" This option appends `"use strict";\n` to the beginning of the
2780         passed file before passing the source code to the VM. This option can, in theory, be passed
2781         multiple times.
2782
2783         3) "--exception=<name>" This option asserts that at the end of the last script file passed
2784         the VM has an uncaught exception with its name property equal to the passed name.
2785
2786         * jsc.cpp:
2787         (Script::Script):
2788         (fillBufferWithContentsOfFile):
2789         (functionPrint):
2790         (checkUncaughtException):
2791         (runWithScripts):
2792         (printUsageStatement):
2793         (CommandLine::parseArguments):
2794         (runJSC):
2795
2796 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
2797
2798         WTF should know about Language
2799         https://bugs.webkit.org/show_bug.cgi?id=157756
2800
2801         Reviewed by Geoffrey Garen.
2802
2803         Teach our scripts that an ObjC class beginning with WTF is totally cool.
2804
2805         * JavaScriptCore.xcodeproj/project.pbxproj:
2806
2807 2016-05-17  Joseph Pecoraro  <pecoraro@apple.com>
2808
2809         console namespace breaks putting properties on console.__proto__
2810         https://bugs.webkit.org/show_bug.cgi?id=157782
2811         <rdar://problem/26250526>
2812
2813         Reviewed by Geoffrey Garen.
2814
2815         Some websites currently depend on console.__proto__ existing and being
2816         a separate object from Object.prototype. This patch adds back a basic
2817         console.__proto__ object, but all the console functions are left on
2818         the ConsoleObject itself.
2819
2820         * runtime/JSGlobalObject.cpp:
2821         (JSC::createConsoleProperty):
2822
2823 2016-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2824
2825         Unreviewed, dump more information when math-pow-stable-results.js failed
2826         https://bugs.webkit.org/show_bug.cgi?id=157168
2827
2828         * tests/stress/math-pow-stable-results.js:
2829
2830 2016-05-16  Saam barati  <sbarati@apple.com>
2831
2832         ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
2833         https://bugs.webkit.org/show_bug.cgi?id=157770
2834
2835         Reviewed by Filip Pizlo.
2836
2837         ShadowChicken was reading the scope from a half formed
2838         frame as it threw a stack overflow exception. The frame had
2839         a valid CodeBlock pointer, but it did not have a valid scope.
2840         The code in ShadowChicken's throw packet logging mechanism didn't
2841         account for this. The fix is to respect whether genericUnwind wants
2842         to unwind from the current frame or the caller's frame. For stack
2843         overflow errors, we always unwind the caller's frame.
2844
2845         * jit/JITExceptions.cpp:
2846         (JSC::genericUnwind):
2847
2848 2016-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2849
2850         REGRESSION(r200208): It made 2 JSC stress tests fail on x86
2851         https://bugs.webkit.org/show_bug.cgi?id=157168
2852
2853         Reviewed by Benjamin Poulain.
2854
2855         The fast path in operationMathPow produces different results between x87 and the other environments.
2856         This is because x87 calculates the double value in 80bit precision.
2857         The situation is the following: in x86 32bit environment, floating point operations are compiled to
2858         x87 operations by default even if we can use SSE2. But in DFG environment, we aggressively use SSE2
2859         if the cpuid reports SSE2 is available. As a result, the implementations differ between C runtime
2860         and DFG JIT code. The C runtime uses x87 while DFG JIT code uses SSE2. This causes a precision
2861         problem since x87 has 80bit precision while SSE2 has 64bit precision.
2862
2863         In this patch, in x86 32bit environment, we use `volatile double` if the `-mfpmath=sse and -msse2 (or later)`
2864         is not specified. This will round the x87 value into 64bit per multiplication. Note that this problem does not
2865         occur in OS X clang 32bit environment. This is because `-mfpmath=sse` is enabled by default in OS X clang 32bit.
2866
2867         * b3/B3MathExtras.cpp:
2868         (JSC::B3::powDoubleInt32):
2869         * runtime/MathCommon.cpp:
2870         (JSC::operationMathPow):
2871
2872 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
2873
2874         [JSC] "return this" in a constructor does not need a branch on isObject(this)
2875         https://bugs.webkit.org/show_bug.cgi?id=157775
2876
2877         Reviewed by Saam Barati and Ryosuke Niwa.
2878
2879         When returning "this" in a constructor, the bytecode generator was generating:
2880             is_object         locX, this
2881             jtrue             locX, 5(->second ret)
2882             ret               this
2883             ret               this
2884
2885         That code is eliminated in DFG but it is pretty costly in lower tiers.
2886
2887         This patch changes bytecode generation to avoid the is_object test
2888         when possible and not generate two ret if they encode the same thing.
2889
2890         * bytecompiler/BytecodeGenerator.cpp:
2891         (JSC::BytecodeGenerator::emitReturn):
2892
2893 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
2894
2895         [JSC] Remove the index check from op_get_by_val/op_put_by_val when the index is constant
2896         https://bugs.webkit.org/show_bug.cgi?id=157766
2897
2898         Reviewed by Geoffrey Garen.
2899
2900         If the index is an integer constant, do not generate the index check.
2901
2902         * jit/JITPropertyAccess.cpp:
2903         (JSC::JIT::emit_op_get_by_val):
2904         (JSC::JIT::emitSlow_op_get_by_val):
2905         (JSC::JIT::emit_op_put_by_val):
2906         (JSC::JIT::emitSlow_op_put_by_val):
2907
2908 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
2909
2910         [JSC][DFG] Fill spilled Int32 as Int32 instead of JSInt32
2911         https://bugs.webkit.org/show_bug.cgi?id=157700
2912
2913         Reviewed by Michael Saboff.
2914
2915         In general, fillSpeculateInt32() originates from SpeculateInt32
2916         and the user does not care about the tag.
2917
2918         This is particularly obvious on Sunspider's math-spectral-norm.js.
2919         In that test, registers are frequently spilled because of x86's DIV.
2920
2921         When they are re-filled, they were always tagged.
2922         Since the loops are small, all the tagging adds up.
2923
2924         * dfg/DFGSpeculativeJIT64.cpp:
2925         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2926
2927 2016-05-16  Saam barati  <sbarati@apple.com>
2928
2929         Unreviewed Cloop build fix.
2930
2931         * bytecode/CodeBlock.cpp:
2932         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
2933
2934 2016-05-16  Saam barati  <sbarati@apple.com>
2935
2936         Hook up ShadowChicken to the debugger to show tail deleted frames
2937         https://bugs.webkit.org/show_bug.cgi?id=156685
2938         <rdar://problem/25770521>
2939
2940         Reviewed by Filip Pizlo and Mark Lam and Joseph Pecoraro.
2941
2942         The heart of this patch hooks up ShadowChicken to DebuggerCallFrame to
2943         allow the Web Inspector to display the ShadowChicken's shadow stack.
2944         This means the Web Inspector can now display tail deleted frames.
2945         To make this work, I made the necessary changes to ShadowChicken and
2946         DebuggerCallFrame to allow DebuggerCallFrame to keep the same API
2947         when representing both machine frames and tail deleted frames.
2948
2949         - ShadowChicken prologue packets now log the current scope. Tail packets
2950           log the current scope, the 'this' value, the CodeBlock, and the
2951           CallSiteIndex. This allows the inspector to not only show the
2952           tail deleted frame, but also show exactly where the tail call happened (line and column numbers),
2953           with which scope it executed, and with which 'this' value. This
2954           patch also allows DebuggerCallFrame to execute console statements
2955           in a tail deleted frame.
2956
2957         - I changed ShadowChicken's stack resizing algorithm. ShadowChicken
2958           now only keeps a maximum number of tail deleted frames in its shadow stack.
2959           It will happily represent all machine frames without limit. Right now, the
2960           maximum number of tail deleted frames I chose to keep alive is 128.
2961           We will keep frames alive starting from the top of the stack. This
2962           allows us to have a strong defense against runaway memory usage. We will only
2963           keep around at most 128 "shadow" frames that wouldn't have naturally been kept
2964           alive by the executing program. We can play around with this number
2965           if we find that 128 is either too many or too few frames.
2966
2967         - DebuggerCallFrame is no longer a cheap class to create. When it is created,
2968           we will eagerly create the entire virtual debugger stack. So I modified the
2969           existing code to lazily create DebuggerCallFrames only when necessary. We
2970           used to eagerly create them at each op_debug statement even though we would
2971           just throw them away if we didn't hit a breakpoint.
2972
2973         - A valid DebuggerCallFrame will always have a valid CallFrame* pointer
2974           into the stack. This pointer won't always refer to the logical frame
2975           that the DebuggerCallFrame represents because a DebuggerCallFrame can
2976           now represent a tail deleted frame. To do this, DebuggerCallFrame now
2977           has a ShadowChicken::Frame member variable. This allows DebuggerCallFrame
2978           to know when it represents a tail deleted frame and gives DebuggerCallFrame
2979           a mechanism to ask the tail deleted frame for interesting information
2980           (like its 'this' value, scope, CodeBlock, etc). A tail deleted frame's
2981           machine frame pointer will be the machine caller of the tail deleted frame
2982           (or the machine caller of the first of a series of consecutive tail calls).
2983
2984         - I added a new flag to UnlinkedCodeBlock to indicate when it is compiled
2985           with debugging opcodes. I did this because ShadowChicken may read a JSScope
2986           from the machine stack. This is only safe if the machine CodeBlock was
2987           compiled with debugging opcodes. This is safer than asking if the
2988           CodeBlock's global object has an interactive debugger enabled because
2989           it's theoretically possible for the debugger to be enabled while code
2990           compiled without a debugger is still live on the stack. This field is
2991           also now used to indicate to the DFGGraph that the interactive debugger
2992           is enabled.
2993
2994         - Finally, this patch adds a new field to the Inspector's CallFrame protocol
2995           object called 'isTailDeleted' to allow the Inspector to know when a
2996           CallFrame represents a tail deleted frame.
2997
2998         * JavaScriptCore.xcodeproj/project.pbxproj:
2999         * bytecode/BytecodeList.json:
3000         * bytecode/BytecodeUseDef.h:
3001         (JSC::computeUsesForBytecodeOffset):
3002         * bytecode/CodeBlock.cpp:
3003         (JSC::CodeBlock::dumpBytecode):
3004         (JSC::CodeBlock::findPC):
3005         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
3006         * bytecode/CodeBlock.h:
3007         (JSC::CodeBlock::clearDebuggerRequests):
3008         (JSC::CodeBlock::wasCompiledWithDebuggingOpcodes):
3009         * bytecode/UnlinkedCodeBlock.cpp:
3010         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3011         * bytecode/UnlinkedCodeBlock.h:
3012         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes):
3013         (JSC::UnlinkedCodeBlock::finishCreation):
3014         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
3015         * bytecode/UnlinkedFunctionExecutable.cpp:
3016         (JSC::generateUnlinkedFunctionCodeBlock):
3017         * bytecompiler/BytecodeGenerator.cpp:
3018         (JSC::BytecodeGenerator::generate):
3019         (JSC::BytecodeGenerator::BytecodeGenerator):
3020         (JSC::BytecodeGenerator::emitEnter):
3021         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
3022         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
3023         (JSC::BytecodeGenerator::emitCallDefineProperty):
3024         * debugger/Debugger.cpp:
3025         (JSC::DebuggerPausedScope::DebuggerPausedScope):
3026         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
3027         (JSC::Debugger::didReachBreakpoint):
3028         (JSC::Debugger::currentDebuggerCallFrame):
3029         * debugger/Debugger.h:
3030         * debugger/DebuggerCallFrame.cpp:
3031         (JSC::LineAndColumnFunctor::operator()):
3032         (JSC::DebuggerCallFrame::create):
3033         (JSC::DebuggerCallFrame::DebuggerCallFrame):
3034         (JSC::DebuggerCallFrame::callerFrame):
3035         (JSC::DebuggerCallFrame::globalExec):
3036         (JSC::DebuggerCallFrame::vmEntryGlobalObject):
3037         (JSC::DebuggerCallFrame::sourceID):
3038         (JSC::DebuggerCallFrame::functionName):
3039         (JSC::DebuggerCallFrame::scope):
3040         (JSC::DebuggerCallFrame::type):
3041         (JSC::DebuggerCallFrame::thisValue):
3042         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
3043         (JSC::DebuggerCallFrame::invalidate):
3044         (JSC::DebuggerCallFrame::currentPosition):
3045         (JSC::DebuggerCallFrame::positionForCallFrame):
3046         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
3047         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor): Deleted.
3048         (JSC::FindCallerMidStackFunctor::operator()): Deleted.
3049         (JSC::FindCallerMidStackFunctor::getCallerFrame): Deleted.
3050         (JSC::DebuggerCallFrame::thisValueForCallFrame): Deleted.
3051         * debugger/DebuggerCallFrame.h:
3052         (JSC::DebuggerCallFrame::isValid):
3053         (JSC::DebuggerCallFrame::isTailDeleted):
3054         (JSC::DebuggerCallFrame::create): Deleted.
3055         (JSC::DebuggerCallFrame::exec): Deleted.
3056         * dfg/DFGByteCodeParser.cpp:
3057         (JSC::DFG::ByteCodeParser::parseBlock):
3058         * dfg/DFGFixupPhase.cpp:
3059         (JSC::DFG::FixupPhase::fixupNode):
3060         * dfg/DFGGraph.cpp:
3061         (JSC::DFG::Graph::Graph):
3062         (JSC::DFG::Graph::~Graph):
3063         * dfg/DFGJITCompiler.h:
3064         (JSC::DFG::JITCompiler::addCallSite):
3065         (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
3066         (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
3067         * dfg/DFGSpeculativeJIT32_64.cpp:
3068         (JSC::DFG::SpeculativeJIT::compile):
3069         * dfg/DFGSpeculativeJIT64.cpp:
3070         (JSC::DFG::SpeculativeJIT::compile):
3071         * ftl/FTLAbstractHeapRepository.h:
3072         * ftl/FTLLowerDFGToB3.cpp:
3073         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
3074         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
3075         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3076         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3077         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3078         (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket): Deleted.
3079         * inspector/InjectedScriptSource.js:
3080         (InjectedScript.CallFrameProxy):
3081         * inspector/JSJavaScriptCallFrame.cpp:
3082         (Inspector::JSJavaScriptCallFrame::thisObject):
3083         (Inspector::JSJavaScriptCallFrame::isTailDeleted):
3084         (Inspector::JSJavaScriptCallFrame::type):
3085         * inspector/JSJavaScriptCallFrame.h:
3086         * inspector/JSJavaScriptCallFramePrototype.cpp:
3087         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
3088         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
3089         (Inspector::jsJavaScriptCallFrameAttributeType):
3090         (Inspector::jsJavaScriptCallFrameIsTailDeleted):
3091         * inspector/JavaScriptCallFrame.h:
3092         (Inspector::JavaScriptCallFrame::type):
3093         (Inspector::JavaScriptCallFrame::scopeChain):
3094         (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
3095         (Inspector::JavaScriptCallFrame::isTailDeleted):
3096         (Inspector::JavaScriptCallFrame::thisValue):
3097         (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
3098         * inspector/ScriptDebugServer.cpp:
3099         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
3100         * inspector/protocol/Debugger.json:
3101         * interpreter/ShadowChicken.cpp:
3102         (JSC::ShadowChicken::update):
3103         (JSC::ShadowChicken::visitChildren):
3104         (JSC::ShadowChicken::reset):
3105         * interpreter/ShadowChicken.h:
3106         (JSC::ShadowChicken::Packet::throwMarker):
3107         (JSC::ShadowChicken::Packet::prologue):
3108         (JSC::ShadowChicken::Packet::tail):
3109         (JSC::ShadowChicken::Frame::Frame):
3110         (JSC::ShadowChicken::Frame::operator==):
3111         * jit/CCallHelpers.cpp:
3112         (JSC::CCallHelpers::logShadowChickenProloguePacket):
3113         (JSC::CCallHelpers::logShadowChickenTailPacket):
3114         (JSC::CCallHelpers::ensureShadowChickenPacket):
3115         (JSC::CCallHelpers::setupShadowChickenPacket): Deleted.
3116         * jit/CCallHelpers.h:
3117         * jit/JITOpcodes.cpp:
3118         (JSC::JIT::emit_op_profile_type):
3119         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3120         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3121         (JSC::JIT::emit_op_get_enumerable_length):
3122         (JSC::JIT::emit_op_resume):
3123         * jit/JITOpcodes32_64.cpp:
3124         (JSC::JIT::emit_op_profile_type):
3125         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3126         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3127         * jit/RegisterSet.cpp:
3128         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
3129         (JSC::RegisterSet::argumentGPRS):
3130         (JSC::RegisterSet::registersToNotSaveForJSCall):
3131         * jit/RegisterSet.h:
3132         * llint/LLIntData.cpp:
3133         (JSC::LLInt::Data::performAssertions):
3134         * llint/LLIntSlowPaths.cpp:
3135         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3136         * llint/LowLevelInterpreter.asm:
3137         * llint/LowLevelInterpreter32_64.asm:
3138         * llint/LowLevelInterpreter64.asm:
3139         * runtime/CodeCache.cpp:
3140         (JSC::CodeCache::getGlobalCodeBlock):
3141         * runtime/Options.h:
3142         * tests/stress/shadow-chicken-enabled.js:
3143         (test5a.foo):
3144         (test5a):
3145         (test5b.foo):
3146         (test5b):
3147         (test6.foo):
3148         (test6):
3149
3150 2016-05-16  Saam barati  <sbarati@apple.com>
3151
3152         TypeSet/StructureShape have a flawed sense of JS prototype chains
3153         https://bugs.webkit.org/show_bug.cgi?id=157760
3154
3155         Reviewed by Joseph Pecoraro.
3156
3157         There was an assumption that we would bottom out in "Object". This is
3158         not true for many reasons. JS objects may not end in Object.prototype.
3159         Also, our mechanism of grabbing an Object's class name may also not
3160         bottom out in "Object". We were seeing this in the JS objects we use
3161         in the InjectedScriptSource.js inspector script.
3162
3163         * runtime/TypeSet.cpp:
3164         (JSC::StructureShape::leastCommonAncestor):
3165         * tests/typeProfiler/weird-prototype-chain.js: Added.
3166         (wrapper.foo):
3167         (wrapper.let.o2):
3168         (wrapper):
3169
3170 2016-05-16  Joseph Pecoraro  <pecoraro@apple.com>
3171
3172         Unreviewed rollout r200924. Caused js/regress/string-replace-generic.html to fail.
3173
3174         * API/JSProfilerPrivate.cpp: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
3175         (JSStartProfiling):
3176         (JSEndProfiling):
3177         * API/JSProfilerPrivate.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
3178         * CMakeLists.txt:
3179         * JavaScriptCore.xcodeproj/project.pbxproj:
3180         * bytecode/BytecodeList.json:
3181         * bytecode/BytecodeUseDef.h:
3182         (JSC::computeUsesForBytecodeOffset):
3183         (JSC::computeDefsForBytecodeOffset):
3184         * bytecode/CodeBlock.cpp:
3185         (JSC::CodeBlock::dumpBytecode):
3186         * bytecode/UnlinkedFunctionExecutable.cpp:
3187         (JSC::generateUnlinkedFunctionCodeBlock):
3188         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3189         * bytecode/UnlinkedFunctionExecutable.h:
3190         * bytecompiler/BytecodeGenerator.cpp:
3191         (JSC::BytecodeGenerator::BytecodeGenerator):
3192         (JSC::BytecodeGenerator::emitCall):
3193         (JSC::BytecodeGenerator::emitCallVarargs):
3194         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
3195         (JSC::BytecodeGenerator::emitConstructVarargs):
3196         (JSC::BytecodeGenerator::emitConstruct):
3197         * bytecompiler/BytecodeGenerator.h:
3198         (JSC::CallArguments::profileHookRegister):
3199         (JSC::BytecodeGenerator::shouldEmitProfileHooks):
3200         * bytecompiler/NodesCodegen.cpp:
3201         (JSC::CallArguments::CallArguments):
3202         (JSC::CallFunctionCallDotNode::emitBytecode):
3203         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3204         * dfg/DFGAbstractInterpreterInlines.h:
3205         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3206         * dfg/DFGByteCodeParser.cpp:
3207         (JSC::DFG::ByteCodeParser::parseBlock):
3208         * dfg/DFGCapabilities.cpp:
3209         (JSC::DFG::capabilityLevel):
3210         * dfg/DFGClobberize.h:
3211         (JSC::DFG::clobberize):
3212         * dfg/DFGDoesGC.cpp:
3213         (JSC::DFG::doesGC):
3214         * dfg/DFGFixupPhase.cpp:
3215         (JSC::DFG::FixupPhase::fixupNode):
3216         * dfg/DFGNodeType.h:
3217         * dfg/DFGPredictionPropagationPhase.cpp:
3218         * dfg/DFGSafeToExecute.h:
3219         (JSC::DFG::safeToExecute):
3220         * dfg/DFGSpeculativeJIT32_64.cpp:
3221         (JSC::DFG::SpeculativeJIT::compile):
3222         * dfg/DFGSpeculativeJIT64.cpp:
3223         (JSC::DFG::SpeculativeJIT::compile):
3224         * inspector/InjectedScriptBase.cpp:
3225         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
3226         * inspector/protocol/Timeline.json:
3227         * interpreter/Interpreter.cpp:
3228         (JSC::UnwindFunctor::operator()):
3229         (JSC::Interpreter::execute):
3230         (JSC::Interpreter::executeCall):
3231         (JSC::Interpreter::executeConstruct):
3232         * jit/JIT.cpp:
3233         (JSC::JIT::privateCompileMainPass):
3234         * jit/JIT.h:
3235         * jit/JITOpcodes.cpp:
3236         (JSC::JIT::emit_op_profile_will_call):
3237         (JSC::JIT::emit_op_profile_did_call):
3238         * jit/JITOpcodes32_64.cpp:
3239         (JSC::JIT::emit_op_profile_will_call):
3240         (JSC::JIT::emit_op_profile_did_call):
3241         * jit/JITOperations.cpp:
3242         * jit/JITOperations.h:
3243         * jsc.cpp:
3244         * llint/LLIntSlowPaths.cpp:
3245         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3246         * llint/LLIntSlowPaths.h:
3247         * llint/LowLevelInterpreter.asm:
3248         * parser/ParserModes.h:
3249         * profiler/CallIdentifier.h: Added.
3250         (JSC::CallIdentifier::CallIdentifier):
3251         (JSC::CallIdentifier::functionName):
3252         (JSC::CallIdentifier::url):
3253         (JSC::CallIdentifier::lineNumber):
3254         (JSC::CallIdentifier::columnNumber):
3255         (JSC::CallIdentifier::operator==):
3256         (JSC::CallIdentifier::operator!=):
3257         (JSC::CallIdentifier::Hash::hash):
3258         (JSC::CallIdentifier::Hash::equal):
3259         (JSC::CallIdentifier::hash):
3260         (JSC::CallIdentifier::operator const char*):
3261         (JSC::CallIdentifier::c_str):
3262         (WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
3263         (WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
3264         * profiler/LegacyProfiler.cpp: Added.
3265         (JSC::LegacyProfiler::profiler):
3266         (JSC::LegacyProfiler::startProfiling):
3267         (JSC::LegacyProfiler::stopProfiling):
3268         (JSC::callFunctionForProfilesWithGroup):
3269         (JSC::LegacyProfiler::suspendProfiling):
3270         (JSC::LegacyProfiler::unsuspendProfiling):
3271         (JSC::LegacyProfiler::willExecute):
3272         (JSC::LegacyProfiler::didExecute):
3273         (JSC::LegacyProfiler::exceptionUnwind):
3274         (JSC::LegacyProfiler::createCallIdentifier):
3275         (JSC::createCallIdentifierFromFunctionImp):
3276         * profiler/LegacyProfiler.h: Added.
3277         (JSC::LegacyProfiler::currentProfiles):
3278         * profiler/Profile.cpp: Added.
3279         (JSC::Profile::create):
3280         (JSC::Profile::Profile):
3281         (JSC::Profile::~Profile):
3282         (JSC::Profile::debugPrint):
3283         (JSC::functionNameCountPairComparator):
3284         (JSC::Profile::debugPrintSampleStyle):
3285         * profiler/Profile.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
3286         * profiler/ProfileGenerator.cpp: Added.
3287         (JSC::ProfileGenerator::create):
3288         (JSC::ProfileGenerator::ProfileGenerator):
3289         (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
3290         (JSC::AddParentForConsoleStartFunctor::foundParent):
3291         (JSC::AddParentForConsoleStartFunctor::operator()):
3292         (JSC::ProfileGenerator::addParentForConsoleStart):
3293         (JSC::ProfileGenerator::title):
3294         (JSC::ProfileGenerator::beginCallEntry):
3295         (JSC::ProfileGenerator::endCallEntry):
3296         (JSC::ProfileGenerator::willExecute):
3297         (JSC::ProfileGenerator::didExecute):
3298         (JSC::ProfileGenerator::exceptionUnwind):
3299         (JSC::ProfileGenerator::stopProfiling):
3300         (JSC::ProfileGenerator::removeProfileStart):
3301         (JSC::ProfileGenerator::removeProfileEnd):
3302         * profiler/ProfileGenerator.h: Added.
3303         (JSC::ProfileGenerator::profile):
3304         (JSC::ProfileGenerator::origin):
3305         (JSC::ProfileGenerator::profileGroup):
3306         (JSC::ProfileGenerator::setIsSuspended):
3307         * profiler/ProfileNode.cpp: Added.
3308         (JSC::ProfileNode::ProfileNode):
3309         (JSC::ProfileNode::addChild):
3310         (JSC::ProfileNode::removeChild):
3311         (JSC::ProfileNode::spliceNode):
3312         (JSC::ProfileNode::traverseNextNodePostOrder):
3313         (JSC::ProfileNode::debugPrint):
3314         (JSC::ProfileNode::debugPrintSampleStyle):
3315         (JSC::ProfileNode::debugPrintRecursively):
3316         (JSC::ProfileNode::debugPrintSampleStyleRecursively):
3317         * profiler/ProfileNode.h: Added.
3318         (JSC::ProfileNode::create):
3319         (JSC::ProfileNode::Call::Call):
3320         (JSC::ProfileNode::Call::startTime):
3321         (JSC::ProfileNode::Call::setStartTime):
3322         (JSC::ProfileNode::Call::elapsedTime):
3323         (JSC::ProfileNode::Call::setElapsedTime):
3324         (JSC::ProfileNode::operator==):
3325         (JSC::ProfileNode::callerCallFrame):
3326         (JSC::ProfileNode::callIdentifier):
3327         (JSC::ProfileNode::id):
3328         (JSC::ProfileNode::functionName):
3329         (JSC::ProfileNode::url):
3330         (JSC::ProfileNode::lineNumber):
3331         (JSC::ProfileNode::columnNumber):
3332         (JSC::ProfileNode::parent):
3333         (JSC::ProfileNode::setParent):
3334         (JSC::ProfileNode::calls):
3335         (JSC::ProfileNode::lastCall):
3336         (JSC::ProfileNode::appendCall):
3337         (JSC::ProfileNode::children):
3338         (JSC::ProfileNode::firstChild):
3339         (JSC::ProfileNode::lastChild):
3340         (JSC::ProfileNode::nextSibling):
3341         (JSC::ProfileNode::setNextSibling):
3342         (JSC::ProfileNode::forEachNodePostorder):
3343         (JSC::CalculateProfileSubtreeDataFunctor::operator()):
3344         (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
3345         * profiler/ProfilerJettisonReason.cpp:
3346         (WTF::printInternal):
3347         * profiler/ProfilerJettisonReason.h:
3348         * runtime/CodeCache.cpp:
3349         (JSC::CodeCache::getGlobalCodeBlock):
3350         (JSC::CodeCache::getProgramCodeBlock):
3351         (JSC::CodeCache::getEvalCodeBlock):
3352         (JSC::CodeCache::getModuleProgramCodeBlock):
3353         * runtime/CodeCache.h:
3354         * runtime/Executable.cpp:
3355         (JSC::ScriptExecutable::newCodeBlockFor):
3356         * runtime/JSGlobalObject.cpp:
3357         (JSC::JSGlobalObject::~JSGlobalObject):
3358         (JSC::JSGlobalObject::hasLegacyProfiler):
3359         (JSC::JSGlobalObject::createProgramCodeBlock):
3360         (JSC::JSGlobalObject::createEvalCodeBlock):
3361         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
3362         * runtime/JSGlobalObject.h:
3363         (JSC::JSGlobalObject::supportsLegacyProfiling):
3364         * runtime/Options.h:
3365         * runtime/VM.cpp:
3366         (JSC::VM::VM):
3367         (JSC::SetEnabledProfilerFunctor::operator()):
3368         (JSC::VM::setEnabledProfiler):
3369         * runtime/VM.h:
3370         (JSC::VM::enabledProfiler):
3371         (JSC::VM::enabledProfilerAddress):
3372
3373 2016-05-16  Konstantin Tokarev  <annulen@yandex.ru>
3374
3375         Unreviewed, fixed typo in a comment.
3376
3377         * assembler/MacroAssembler.h: Replaced "onvenience" with
3378         "convenience".
3379
3380 2016-05-16  Filip Pizlo  <fpizlo@apple.com>
3381
3382         FixupPhase should be more eager to demote bit math to untyped
3383         https://bugs.webkit.org/show_bug.cgi?id=157746
3384
3385         Reviewed by Mark Lam.
3386         
3387         This just makes the logic for how we fixup bit math match the way we do it in other places.
3388         This doesn't affect performance on any major benchmark but it's a big win on new
3389         microbenchmarks added in this change.
3390         
3391         Details:
3392
3393         object-and                                     11.1610+-0.7602     ^      4.8105+-0.1690        ^ definitely 2.3201x faster
3394         object-or                                      11.0845+-0.2487     ^      4.7146+-0.0374        ^ definitely 2.3511x faster
3395         object-xor                                     10.2946+-0.9946     ^      4.7278+-0.0814        ^ definitely 2.1775x faster
3396         object-lshift                                  10.4896+-1.0867     ^      4.7699+-0.0721        ^ definitely 2.1991x faster
3397         object-rshift                                  11.1239+-0.5010     ^      4.7194+-0.0445        ^ definitely 2.3570x faster
3398         object-urshift                                 10.9745+-0.1315     ^      4.7848+-0.0479        ^ definitely 2.2936x faster
3399
3400         * dfg/DFGFixupPhase.cpp:
3401         (JSC::DFG::FixupPhase::fixupNode):
3402
3403 2016-05-15  Michael Saboff  <msaboff@apple.com>
3404
3405         RegExp /y flag incorrect handling of mixed-length alternation
3406         https://bugs.webkit.org/show_bug.cgi?id=157723
3407
3408         Reviewed by Filip Pizlo.
3409
3410         Previously for sticky patterns, we were bailing out and exiting when backtracking
3411         alternatives with dissimilar match lengths.  Deleted that code.  Instead, for
3412         sticky patterns we need to process the backtracking except for advancing to the
3413         next input index.
3414
3415         * yarr/YarrJIT.cpp:
3416         (JSC::Yarr::YarrGenerator::backtrack):
3417
3418 2016-05-15  Filip Pizlo  <fpizlo@apple.com>
3419
3420         DFG::Plan shouldn't read from its VM once it's been cancelled
3421         https://bugs.webkit.org/show_bug.cgi?id=157726
3422
3423         Reviewed by Saam Barati.
3424         
3425         Plan::vm was a reference, not a pointer, and so wasn't nulled by Plan::cancel(). So, a
3426         cancelled plan may have a dangling pointer to a VM: we could delete the VM after cancelling
3427         the plan.
3428         
3429         Prior to http://trac.webkit.org/changeset/200705, this was probably fine because nobody
3430         would read Plan::vm if the plan was cancelled. But r200705 changed that. It was a hard
3431         regression to spot because usually a cancelled plan will still refer to a valid VM.
3432         
3433         This change fixes the regression and makes it a lot easier to spot the regression in the
3434         future. Plan::vm is now a pointer and we null it in Plan::cancel(). Now if you make this
3435         mistake, you will get a crash anytime the Plan is cancelled, not just anytime the plan is
3436         cancelled and the VM gets deleted. Also, it's now very clear what to do when you want to
3437         use Plan::vm on the cancel path: you can null-check vm; if it's null, assume the worst.
3438         
3439         Because we null the VM of a cancelled plan, we cannot have Safepoint::vm() return the
3440         plan's VM anymore. That's because when we cancel a plan that is at a safepoint, we use the
3441         safepoint's VM to determine whether this is one of our safepoints *after* the plan is
3442         already cancelled. So, Safepoint now has its own copy of m_vm, and that copy gets nulled
3443         when the Safepoint is cancelled. The Safepoint's m_vm will be nulled moments after Plan's
3444         vm gets nulled (see Worklist::removeDeadPlans(), which has a cancel path for Plans in one
3445         loop and a cancel path for Safepoints in the loop after it).
3446
3447         * dfg/DFGJITFinalizer.cpp:
3448         (JSC::DFG::JITFinalizer::finalizeCommon):
3449         * dfg/DFGPlan.cpp:
3450         (JSC::DFG::Plan::Plan):
3451         (JSC::DFG::Plan::computeCompileTimes):
3452         (JSC::DFG::Plan::reportCompileTimes):
3453         (JSC::DFG::Plan::compileInThreadImpl):
3454         (JSC::DFG::Plan::reallyAdd):
3455         (JSC::DFG::Plan::notifyCompiling):
3456         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
3457         (JSC::DFG::Plan::cancel):
3458         * dfg/DFGPlan.h:
3459         (JSC::DFG::Plan::canTierUpAndOSREnter):
3460         * dfg/DFGSafepoint.cpp:
3461         (JSC::DFG::Safepoint::cancel):
3462         (JSC::DFG::Safepoint::vm):
3463         * dfg/DFGSafepoint.h:
3464         * dfg/DFGWorklist.cpp:
3465         (JSC::DFG::Worklist::isActiveForVM):
3466         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
3467         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
3468         (JSC::DFG::Worklist::rememberCodeBlocks):
3469         (JSC::DFG::Worklist::visitWeakReferences):
3470         (JSC::DFG::Worklist::removeDeadPlans):
3471         (JSC::DFG::Worklist::runThread):
3472         * ftl/FTLJITFinalizer.cpp:
3473         (JSC::FTL::JITFinalizer::finalizeFunction):
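
        Added illustration of the Plan::vm change described in this entry. This is not WebKit
        code: Plan, Safepoint, VM and removeDeadPlans below are simplified stand-ins for the JSC
        classes of the same name, reduced to the one property the entry is about. A cancelled
        plan nulls its VM pointer so any later read fails immediately rather than dereferencing
        a possibly deleted VM, and the Safepoint keeps its own copy of the pointer so the
        worklist's second loop can still match it to the dying VM after the plan's copy is gone.

```cpp
// Added example, not WebKit code: a stand-in for DFG::Plan / DFG::Safepoint showing
// why Plan::vm must be a nullable pointer that cancel() clears.
#include <cstddef>
#include <vector>

struct VM {
    int id;
};

class Plan {
public:
    explicit Plan(VM* vm) : m_vm(vm) { }

    // Null once cancelled. Callers on the cancel path null-check this and
    // "assume the worst" instead of reading a VM that may already be deleted.
    VM* vm() const { return m_vm; }
    bool isCancelled() const { return !m_vm; }
    void cancel() { m_vm = nullptr; }

    // Example of a guarded use: -1 signals "plan was cancelled, no VM to consult".
    int vmIdOrMinusOne() const { return m_vm ? m_vm->id : -1; }

private:
    VM* m_vm; // a reference member could never be nulled, which was the bug
};

class Safepoint {
public:
    explicit Safepoint(const Plan& plan) : m_vm(plan.vm()) { }

    // Own copy of the VM pointer: it must survive Plan::cancel() so the
    // worklist can still tell which VM this safepoint belonged to.
    VM* vm() const { return m_vm; }
    void cancel() { m_vm = nullptr; }

private:
    VM* m_vm;
};

// Mirrors the shape of Worklist::removeDeadPlans(): cancel the dying VM's plans
// in one loop, then its safepoints in a second loop. Returns the number of
// plans cancelled.
size_t removeDeadPlans(std::vector<Plan>& plans, std::vector<Safepoint>& safepoints, VM* dying)
{
    size_t cancelled = 0;
    for (Plan& plan : plans) {
        if (plan.vm() == dying) {
            plan.cancel();
            ++cancelled;
        }
    }
    // By now Plan::vm() is null for every cancelled plan. If Safepoint::vm()
    // delegated to its plan, this comparison could never match `dying`.
    for (Safepoint& safepoint : safepoints) {
        if (safepoint.vm() == dying)
            safepoint.cancel();
    }
    return cancelled;
}
```

        The point of the second loop is the ordering the entry describes: the plan is already
        cancelled when the safepoint is examined, so any identification of the safepoint's VM
        must not go through the plan.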
3474
3475 2016-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3476
3477         Modernize Intl constructors; using InternalFunction::createSubclassStructure
3478         https://bugs.webkit.org/show_bug.cgi?id=157082
3479
3480         Reviewed by Darin Adler.
3481
3482         Previously, Intl constructors retrieved "prototype" to inherit the "new.target".
3483         At that time, this mistakenly assumed that getDirect() always returns a meaningful JS value.
3484         Actually, it returns an empty value if a property does not exist.
3485
3486         Instead of fixing this assertion, we now use InternalFunction::createSubclassStructure
3487         in Intl constructors. It is a modern and preferable way since it can cache the derived
3488         structures in InternalFunction.
3489
3490         This patch also cleans up the workaround in Intl.NumberFormat and Intl.DateTimeFormat.
3491         That code was largely duplicated. It is now extracted into
3492         constructIntlInstanceWithWorkaroundForLegacyIntlConstructor. This cleanup does not
3493         have any behavior changes. They are already tested in LayoutTests/js/intl-datetimeformat
3494         and LayoutTests/js/intl-numberformat.
3495
3496         * JavaScriptCore.xcodeproj/project.pbxproj:
3497         * runtime/IntlCollator.cpp:
3498         (JSC::IntlCollator::create):
3499         * runtime/IntlCollator.h:
3500         * runtime/IntlCollatorConstructor.cpp:
3501         (JSC::constructIntlCollator):
3502         (JSC::callIntlCollator):
3503         * runtime/IntlDateTimeFormat.cpp:
3504         (JSC::IntlDateTimeFormat::create):
3505         * runtime/IntlDateTimeFormat.h:
3506         * runtime/IntlDateTimeFormatConstructor.cpp:
3507         (JSC::constructIntlDateTimeFormat):
3508         (JSC::callIntlDateTimeFormat):
3509         * runtime/IntlDateTimeFormatPrototype.cpp:
3510         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
3511         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
3512         * runtime/IntlNumberFormat.cpp:
3513         (JSC::IntlNumberFormat::create):
3514         * runtime/IntlNumberFormat.h:
3515         * runtime/IntlNumberFormatConstructor.cpp:
3516         (JSC::constructIntlNumberFormat):
3517         (JSC::callIntlNumberFormat):
3518         * runtime/IntlNumberFormatPrototype.cpp:
3519         (JSC::IntlNumberFormatPrototypeGetterFormat):
3520         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
3521         * runtime/IntlObjectInlines.h: Added.
3522         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
3523         * tests/stress/intl-constructors-with-proxy.js: Added.
3524         (shouldBe):
3525         (throw.new.Error.Empty):
3526         (throw.new.Error):
3527         (shouldBe.Empty):
3528
3529 2016-05-14  Joseph Pecoraro  <pecoraro@apple.com>
3530
3531         Remove LegacyProfiler
3532         https://bugs.webkit.org/show_bug.cgi?id=153565
3533
3534         Reviewed by Mark Lam.
3535
3536         JavaScriptCore now provides a sampling profiler and it is enabled
3537         by all ports. Web Inspector switched months ago to using the
3538         sampling profiler and displaying its data. Remove the legacy
3539         profiler, as it is no longer being used by anything other than
3540         console.profile and tests. We will update console.profile's
3541         behavior soon to have new behavior and use the sampling data.
3542
3543         * API/JSProfilerPrivate.cpp: Removed.
3544         * API/JSProfilerPrivate.h: Removed.
3545         * CMakeLists.txt:
3546         * JavaScriptCore.xcodeproj/project.pbxproj:
3547         * bytecode/BytecodeList.json:
3548         * bytecode/BytecodeUseDef.h:
3549         (JSC::computeUsesForBytecodeOffset): Deleted.
3550         (JSC::computeDefsForBytecodeOffset): Deleted.
3551         * bytecode/CodeBlock.cpp:
3552         (JSC::CodeBlock::dumpBytecode): Deleted.
3553         * bytecode/UnlinkedFunctionExecutable.cpp:
3554         (JSC::generateUnlinkedFunctionCodeBlock):
3555         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3556         * bytecode/UnlinkedFunctionExecutable.h:
3557         * bytecompiler/BytecodeGenerator.cpp:
3558         (JSC::BytecodeGenerator::BytecodeGenerator):
3559         (JSC::BytecodeGenerator::emitCall):
3560         (JSC::BytecodeGenerator::emitCallVarargs):
3561         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
3562         (JSC::BytecodeGenerator::emitConstructVarargs):
3563         (JSC::BytecodeGenerator::emitConstruct):
3564         * bytecompiler/BytecodeGenerator.h:
3565         (JSC::CallArguments::profileHookRegister): Deleted.
3566         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
3567         * bytecompiler/NodesCodegen.cpp:
3568         (JSC::CallFunctionCallDotNode::emitBytecode):
3569         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3570         (JSC::CallArguments::CallArguments): Deleted.
3571         * dfg/DFGAbstractInterpreterInlines.h:
3572         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
3573         * dfg/DFGByteCodeParser.cpp:
3574         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
3575         * dfg/DFGCapabilities.cpp:
3576         (JSC::DFG::capabilityLevel): Deleted.
3577         * dfg/DFGClobberize.h:
3578         (JSC::DFG::clobberize): Deleted.
3579         * dfg/DFGDoesGC.cpp:
3580         (JSC::DFG::doesGC): Deleted.
3581         * dfg/DFGFixupPhase.cpp:
3582         (JSC::DFG::FixupPhase::fixupNode): Deleted.
3583         * dfg/DFGNodeType.h:
3584         * dfg/DFGPredictionPropagationPhase.cpp:
3585         * dfg/DFGSafeToExecute.h:
3586         (JSC::DFG::safeToExecute): Deleted.
3587         * dfg/DFGSpeculativeJIT32_64.cpp:
3588         (JSC::DFG::SpeculativeJIT::compile): Deleted.
3589         * dfg/DFGSpeculativeJIT64.cpp:
3590         (JSC::DFG::SpeculativeJIT::compile): Deleted.
3591         * inspector/InjectedScriptBase.cpp:
3592         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
3593         * inspector/protocol/Timeline.json:
3594         * interpreter/Interpreter.cpp:
3595         (JSC::UnwindFunctor::operator()): Deleted.
3596         (JSC::Interpreter::execute): Deleted.
3597         (JSC::Interpreter::executeCall): Deleted.
3598         (JSC::Interpreter::executeConstruct): Deleted.
3599         * jit/JIT.cpp:
3600         (JSC::JIT::privateCompileMainPass): Deleted.
3601         * jit/JIT.h:
3602         * jit/JITOpcodes.cpp:
3603         (JSC::JIT::emit_op_profile_will_call): Deleted.
3604         (JSC::JIT::emit_op_profile_did_call): Deleted.
3605         * jit/JITOpcodes32_64.cpp:
3606         (JSC::JIT::emit_op_profile_will_call): Deleted.
3607         (JSC::JIT::emit_op_profile_did_call): Deleted.
3608         * jit/JITOperations.cpp:
3609         * jit/JITOperations.h:
3610         * jsc.cpp:
3611         * llint/LLIntSlowPaths.cpp:
3612         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
3613         * llint/LLIntSlowPaths.h:
3614         * llint/LowLevelInterpreter.asm:
3615         * parser/ParserModes.h:
3616         * profiler/CallIdentifier.h: Removed.
3617         * profiler/LegacyProfiler.cpp: Removed.
3618         * profiler/LegacyProfiler.h: Removed.
3619         * profiler/Profile.cpp: Removed.
3620         * profiler/Profile.h: Removed.
3621         * profiler/ProfileGenerator.cpp: Removed.
3622         * profiler/ProfileGenerator.h: Removed.
3623         * profiler/ProfileNode.cpp: Removed.
3624         * profiler/ProfileNode.h: Removed.
3625         * profiler/ProfilerJettisonReason.cpp:
3626         (WTF::printInternal): Deleted.
3627         * profiler/ProfilerJettisonReason.h:
3628         * runtime/CodeCache.cpp:
3629         (JSC::CodeCache::getGlobalCodeBlock):
3630         (JSC::CodeCache::getProgramCodeBlock):
3631         (JSC::CodeCache::getEvalCodeBlock):
3632         (JSC::CodeCache::getModuleProgramCodeBlock):
3633         * runtime/CodeCache.h:
3634         * runtime/Executable.cpp:
3635         (JSC::ScriptExecutable::newCodeBlockFor):
3636         * runtime/JSGlobalObject.cpp:
3637         (JSC::JSGlobalObject::createProgramCodeBlock):
3638         (JSC::JSGlobalObject::createEvalCodeBlock):
3639         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
3640         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
3641         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
3642         * runtime/JSGlobalObject.h:
3643         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
3644         * runtime/Options.h:
3645         * runtime/VM.cpp:
3646         (JSC::VM::VM): Deleted.
3647         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
3648         (JSC::VM::setEnabledProfiler): Deleted.
3649         * runtime/VM.h:
3650         (JSC::VM::enabledProfiler): Deleted.
3651         (JSC::VM::enabledProfilerAddress): Deleted.
3652
3653 2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>
3654
3655         jsc: samplingProfilerStackTraces() without starting sampling should not cause jsc to crash
3656         https://bugs.webkit.org/show_bug.cgi?id=157704
3657
3658         Reviewed by Saam Barati.
3659
3660         * jsc.cpp:
3661         (functionStartSamplingProfiler):
3662         (functionSamplingProfilerStackTraces):
3663         Throw an exception instead of crashing if we haven't started sampling.
3664
3665         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3666         (Inspector::InspectorScriptProfilerAgent::startTracking):
3667         * runtime/VM.h:
3668         * runtime/VM.cpp:
3669         (JSC::VM::ensureSamplingProfiler):
3670         Switch ensure to returning a reference, like most other ensures.
3671
3672 2016-05-13  Saam barati  <sbarati@apple.com>
3673
3674         DFG/FTL have a few bugs in their reasoning about the scope
3675         https://bugs.webkit.org/show_bug.cgi?id=157696
3676
3677         Reviewed by Benjamin Poulain.
3678
3679         1. When the debugger is enabled, it is easier for the DFG to reason
3680         about the scope register by simply claiming all nodes read the scope
3681         register. This prevents us from ever entering the runtime where we
3682         may take a stack trace but there isn't a scope on the stack.
3683
3684         2. This patch fixes a bug where the FTL compilation wasn't properly
3685         setting the CodeBlock register. It was only doing this when there
3686         was inline data, but when the debugger is enabled, we never inline.
3687         So this code just needed to be removed from that loop. It was never
3688         right for it to be inside the loop.
3689
3690         * dfg/DFGClobberize.h:
3691         (JSC::DFG::clobberize):
3692         * ftl/FTLCompile.cpp:
3693         (JSC::FTL::compile):
3694
3695 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
3696
3697         [JSC] SetLocal without exit do not need phantoms
3698         https://bugs.webkit.org/show_bug.cgi?id=157653
3699
3700         Reviewed by Filip Pizlo.
3701
3702         I made a mistake in r200498.
3703
3704         If a SetLocal cannot possibly exit, we were not clearing
3705         the source of the operand. As a result, we sometimes kept
3706         a value alive up to the end of the block.
3707
3708         That's uncommon because a SetLocal typically appears
3709         toward the end of blocks. That's probably why there was
3710         no perf impact with that fix.
3711
3712         * dfg/DFGPhantomInsertionPhase.cpp:
3713
3714 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
3715
3716         [JSC] Move the CheckTierUp function calls out of the main path
3717         https://bugs.webkit.org/show_bug.cgi?id=157668
3718
3719         Reviewed by Mark Lam.
3720
3721         If you have a tiny tiny loop (for example, Sunspider's bits-in-byte),
3722         the size of CheckTierUp is a problem.
3723
3724         On multi-issue CPUs, the node is so big that we do not
3725         get to run anything from the loop in the instruction fetch.
3726
3727         On x86, having a bigger loop also pushes us out of the LSD.
3728
3729         This is a 6% improvement on bits-in-byte. Other Sunspider tests
3730         only improve marginally.
3731
3732         * dfg/DFGSpeculativeJIT.cpp:
3733         (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
3734         (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
3735         * dfg/DFGSpeculativeJIT.h:
3736         (JSC::DFG::SpeculativeJIT::silentSpill):
3737         (JSC::DFG::SpeculativeJIT::silentFill):
3738         * dfg/DFGSpeculativeJIT64.cpp:
3739         (JSC::DFG::SpeculativeJIT::compile):
3740
3741 2016-05-13  Benjamin Poulain  <bpoulain@apple.com>
3742
3743         [JSC] Emit the loads of emitLoadWithStructureCheck() in the order they are used
3744         https://bugs.webkit.org/show_bug.cgi?id=157671
3745
3746         Reviewed by Mark Lam.
3747
3748         This improves the chances of having a value
3749         when issuing the TEST.
3750
3751         * jit/JITPropertyAccess.cpp:
3752         (JSC::JIT::emitLoadWithStructureCheck):
3753
3754 2016-05-13  Joseph Pecoraro  <pecoraro@apple.com>
3755
3756         Web Inspector: Inform augmenting client when inspector controller is destroyed
3757         https://bugs.webkit.org/show_bug.cgi?id=157688
3758         <rdar://problem/25832724>
3759
3760         Reviewed by Timothy Hatcher.
3761
3762         * inspector/JSGlobalObjectInspectorController.cpp:
3763         (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController):
3764         * inspector/augmentable/AugmentableInspectorControllerClient.h:
3765         There is a weak relationship between the InspectorController and the
3766         AugmentingClient. Let the augmenting client know when the controller
3767         is destroyed so it doesn't try to use us anymore.
3768
3769 2016-05-13  Geoffrey Garen  <ggaren@apple.com>
3770
3771         Runaway malloc memory usage in this simple JSC program
3772         https://bugs.webkit.org/show_bug.cgi?id=157682
3773
3774         Reviewed by Mark Lam.
3775
3776         * heap/WeakSet.cpp:
3777         (JSC::WeakSet::sweep): Whenever we might add a block to
3778         m_logicallyEmptyWeakBlocks, be sure also to sweep a block in
3779         m_logicallyEmptyWeakBlocks. Otherwise, additions might outpace removals
3780         even when all memory is freed.
3781
3782         We do this whenever we *might* add a block and not just whenever we *do*
3783         add a block because we'd like to sweep the entries in
3784         m_logicallyEmptyWeakBlocks promptly even when it's not growing, and this
3785         is a reasonably rate-limited opportunity to do so.
3786
3787 2016-05-13  Mark Lam  <mark.lam@apple.com>
3788
3789         We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.
3790         https://bugs.webkit.org/show_bug.cgi?id=157537
3791         <rdar://problem/24794845>
3792
3793         Reviewed by Michael Saboff.
3794
3795         The pre-existing code behaves this way:
3796
3797         1. When JS code throws an exception, it saves callee save registers in
3798            the VM calleeSaveRegistersBuffer.  These values are meant to be restored
3799            to the callee save registers later either at the catch handler or at the
3800            uncaught exception handler.
3801
3802         2. If the Inspector is enabled, the VM will invoke inspector C++ code to inspect
3803            the exception.  That C++ code can change the values of the callee save
3804            registers.
3805
3806            The inspector code in turn re-enters the VM to execute JS inspector code.
3807
3808            The JS inspector code can run hot enough that we do an enterOptimizationCheck
3809            on it.  The enterOptimizationCheck first saves all callee save registers
3810            into the VM calleeSaveRegistersBuffer.
3811
3812            This effectively overwrites the values in the VM calleeSaveRegistersBuffer
3813            from (1).
3814
3815         3. Eventually, execution returns to the catch handler or the uncaught exception
3816            handler which restores the overwritten values in the VM
3817            calleeSaveRegistersBuffer to the callee save registers.
3818
3819            When execution returns to the C++ code that entered the VM before (1), the
3820            values in the callee registers are not what that code expects, and badness
3821            and/or crashes ensue.
3822
3823         This patch applies the following fix:
3824         
3825         1. Allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer.
3826            This ensures that each VM entry session has its own buffer to use, and will
3827            not corrupt the one from the previous VM entry session.
3828
3829            Delete the VM calleeSaveRegistersBuffer.
3830
3831         2. Change all locations that use the VM calleeSaveRegistersBuffer to use the
3832            calleeSaveRegistersBuffer in the current VMEntryFrame.
3833
3834         3. Renamed all uses of the term "VMCalleeSavesBuffer" to
3835            "VMEntryFrameCalleeSavesBuffer".
3836
3837         This fix has been tested on the following configurations:
3838         1. JSC and layout tests on a debug ASan build for 64-bit x86_64.
3839         2. JSC tests on a release ASan build for 32-bit x86.
3840         3. JSC tests on a release normal (non-ASan) build for ARM64.
3841         4. JSC tests on a release normal (non-ASan) build for ARMv7 and ARMv7s.
3842         5. JSC tests on a release ASan CLOOP build for x86_64.
3843
3844         These test runs did not produce any new crashes.  The ASan CLOOP has some
3845         pre-existing crashes which are not due to this patch.
3846
3847         This bug can be tested by running the inspector/debugger/regress-133182.html test
3848         on an ASan build.
3849
3850         * bytecode/PolymorphicAccess.cpp:
3851         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
3852         * dfg/DFGJITCompiler.cpp:
3853         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3854         * dfg/DFGOSREntry.cpp:
3855         (JSC::DFG::prepareOSREntry):
3856         * dfg/DFGOSRExitCompiler.cpp:
3857         * dfg/DFGOSRExitCompiler32_64.cpp:
3858         (JSC::DFG::OSRExitCompiler::compileExit):
3859         * dfg/DFGOSRExitCompiler64.cpp:
3860         (JSC::DFG::OSRExitCompiler::compileExit):
3861         * dfg/DFGThunks.cpp:
3862         (JSC::DFG::osrEntryThunkGenerator):
3863         * ftl/FTLCompile.cpp:
3864         (JSC::FTL::compile):
3865         * ftl/FTLLowerDFGToB3.cpp:
3866         (JSC::FTL::DFG::LowerDFGToB3::lower):
3867         * ftl/FTLOSRExitCompiler.cpp:
3868         (JSC::FTL::compileStub):
3869         * interpreter/Interpreter.cpp:
3870         (JSC::UnwindFunctor::operator()):
3871         (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3872         (JSC::UnwindFunctor::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
3873         * interpreter/Interpreter.h:
3874         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
3875         * interpreter/VMEntryRecord.h:
3876         (JSC::VMEntryRecord::calleeSaveRegistersBufferOffset):
3877         (JSC::VMEntryRecord::prevTopCallFrame):
3878         (JSC::VMEntryRecord::unsafePrevTopCallFrame):
3879         (JSC::VMEntryFrame::vmEntryRecordOffset):
3880         (JSC::VMEntryFrame::calleeSaveRegistersBufferOffset):
3881         * jit/AssemblyHelpers.cpp:
3882         (JSC::AssemblyHelpers::emitRandomThunk):
3883         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
3884         (JSC::AssemblyHelpers::restoreCalleeSavesFromVMCalleeSavesBuffer): Deleted.
3885         * jit/AssemblyHelpers.h:
3886         (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
3887         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3888         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
3889         (JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer): Deleted.
3890         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMCalleeSavesBuffer): Deleted.
3891         * jit/JIT.cpp:
3892         (JSC::JIT::emitEnterOptimizationCheck):
3893         (JSC::JIT::privateCompileExceptionHandlers):
3894         * jit/JITOpcodes.cpp:
3895         (JSC::JIT::emit_op_throw):
3896         (JSC::JIT::emit_op_catch):
3897         (JSC::JIT::emitSlow_op_loop_hint):
3898         * jit/JITOpcodes32_64.cpp:
3899         (JSC::JIT::emit_op_throw):
3900         (JSC::JIT::emit_op_catch):
3901         * jit/ThunkGenerators.cpp:
3902         (JSC::throwExceptionFromCallSlowPathGenerator):
3903         (JSC::nativeForGenerator):
3904         * llint/LLIntThunks.cpp:
3905         (JSC::vmEntryRecord):
3906         * llint/LowLevelInterpreter.asm:
3907         * llint/LowLevelInterpreter32_64.asm:
3908         * llint/LowLevelInterpreter64.asm:
3909         * runtime/VM.h:
3910         (JSC::VM::getCTIStub):
3911         (JSC::VM::calleeSaveRegistersBufferOffset): Deleted.
3912         * wasm/WASMFunctionCompiler.h:
3913         (JSC::WASMFunctionCompiler::endFunction):
3914
3915 2016-05-13  Beth Dakin  <bdakin@apple.com>
3916
3917         Add dyldSPI.h for linked on or after checks, and add one for link preview
3918         https://bugs.webkit.org/show_bug.cgi?id=157401
3919         -and corresponding-
3920         rdar://problem/26253396
3921
3922         Reviewed by Darin Adler.
3923
3924         Import #import <wtf/spi/darwin/dyldSPI.h> which now declares all of the
3925         needed dyld code.
3926         * API/JSWrapperMap.mm:
3927
3928 2016-05-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3929
3930         Assertion failure for direct eval in non-class method
3931         https://bugs.webkit.org/show_bug.cgi?id=157138
3932
3933         Reviewed by Saam Barati.
3934
3935         This assertion was incorrect. In method definitions in object literals,
3936         the code can be in sloppy mode, but its DerivedContextType may not be DerivedContextType::None.
3937
3938         * bytecode/EvalCodeCache.h:
3939         (JSC::EvalCodeCache::CacheKey::CacheKey):
3940         (JSC::EvalCodeCache::CacheKey::operator==):
3941         (JSC::EvalCodeCache::CacheKey::Hash::equal):
3942         (JSC::EvalCodeCache::tryGet):
3943         (JSC::EvalCodeCache::getSlow):
3944         * interpreter/Interpreter.cpp:
3945         (JSC::eval):
3946         * tests/stress/direct-eval-in-object-literal-methods.js: Added.
3947         (shouldBe):
3948         (throw.new.Error):
3949         (shouldBe.Parent.prototype.l):
3950         (shouldBe.Parent):
3951         (shouldBe.Derived.prototype.m):
3952         (shouldBe.Derived):
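
The construct this entry describes, as an added JavaScript example (not the WebKit patch or its stress test): object-literal methods stay in the enclosing file's sloppy mode, yet they carry a home object, so a direct eval inside them can resolve `super`; the `Parent`, `Derived`, `Other` and `Klass` objects below are constructed for illustration.

```javascript
// Constructed objects: a sloppy-mode object-literal method has a home object, so the
// same eval source text resolves `super` differently per method (the context type),
// independently of strictness.
const Parent = {
  l() { return 'parent.l'; },
};

const Derived = {
  __proto__: Parent,
  l() { return 'derived.l'; },
  // Direct eval in a sloppy method: `super` resolves via Derived's home object.
  m() { return eval('super.l()'); },
  // Is eval code in this method sloppy? An unbound call then yields globalThis.
  sloppy() { return eval('(function () { return this; })()') === globalThis; },
};

const Other = {
  __proto__: { l() { return 'other-parent.l'; } },
  m() { return eval('super.l()'); },   // same source text, different home object
};

class Klass {
  // Class bodies are always strict, so the eval'd unbound call sees undefined.
  m() { return eval('(function () { return this; })()'); }
}

// Whether this file itself is sloppy code (plain script / CommonJS: yes; ES module: no);
// object-literal methods inherit that mode, class methods never do.
const fileIsSloppy = (function () { return this !== undefined; })();

function probe() {
  return {
    derivedM: Derived.m(),                            // 'parent.l'
    otherM: Other.m(),                                // 'other-parent.l'
    sloppyMatchesFile: Derived.sloppy() === fileIsSloppy,  // true
    strictClass: new Klass().m(),                     // undefined
  };
}
```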
3953
3954 2016-05-13  Skachkov Oleksandr  <gskachkov@gmail.com>
3955
3956         Assertion failure for super() call in arrow function default parameters
3957         https://bugs.webkit.org/show_bug.cgi?id=157079
3958
3959         Reviewed by Saam Barati.
3960
3961         The root of the issue is that in arrow functions we load the bound variables this/super/new.target just after
3962         the input parameters were initialized, and did not cover the case of default values for
3963         function parameters.
3964         The current patch tries to fix the issue and allows loading the bound variables earlier, before the input
3965         parameters are assigned their default values.
3966
3967         * bytecompiler/BytecodeGenerator.cpp: