Structure::previousID() races with Structure::allocateRareData()
[WebKit.git] / Source / JavaScriptCore / ChangeLog
2016-06-01  Filip Pizlo  <fpizlo@apple.com>

        Structure::previousID() races with Structure::allocateRareData()
        https://bugs.webkit.org/show_bug.cgi?id=158280

        Reviewed by Mark Lam.

        The problem is that previousID() would test hasRareData() and then either load the
        previous Structure from the rare data, or load it directly. allocateRareData() would set
        the hasRareData() bit separately from moving the Structure pointer into the rare data. So
        we'd have a race that would cause previousID() to sometimes return the rare data instead
        of the previous Structure.

        The fix is to get rid of the hasRareData bit. We can use the structureID of the
        previousOrRareData cell to determine if it's the previousID or the RareData. This fixes the
        race and it's probably not any slower.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::allocateRareData):
        * runtime/Structure.h:

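The pattern behind the fix above, as an added example that is not WebKit's code: a toy Structure whose single `previousOrRareData` slot is read with one load and then classified by the target cell's own kind tag (standing in for the structureID check), so a reader can never observe a flag that disagrees with the pointer. The class names, the `CellKind` tag and the ownership via `unique_ptr` are all assumptions made for this example; in the racy shape the entry describes, the writer stored the RareData pointer into the slot and set a separate `hasRareData` bit in a second step, and a reader that ran between those two steps interpreted the RareData as the previous Structure.

```cpp
#include <atomic>
#include <memory>

// Constructed stand-in for JSC's structureID check: each heap cell carries a
// kind tag, and the reader classifies a loaded pointer by that tag.
enum class CellKind { Structure, RareData };

struct Cell {
    explicit Cell(CellKind k) : kind(k) {}
    virtual ~Cell() = default;
    const CellKind kind;
};

struct Structure;

// Hypothetical StructureRareData: once allocated it takes over the slot that
// used to hold the previous Structure, and carries that pointer itself.
struct RareData : Cell {
    explicit RareData(Structure* prev) : Cell(CellKind::RareData), previous(prev) {}
    Structure* previous;
};

struct Structure : Cell {
    explicit Structure(Structure* prev = nullptr)
        : Cell(CellKind::Structure), previousOrRareData(prev) {}

    // Reader side: a single load, then classify what was loaded. There is no
    // separate flag that could be observed out of step with the pointer.
    Structure* previousID() const {
        Cell* cell = previousOrRareData.load(std::memory_order_acquire);
        if (!cell)
            return nullptr;
        if (cell->kind == CellKind::RareData)
            return static_cast<RareData*>(cell)->previous;
        return static_cast<Structure*>(cell);
    }

    bool hasRareData() const {
        Cell* cell = previousOrRareData.load(std::memory_order_acquire);
        return cell && cell->kind == CellKind::RareData;
    }

    // Writer side: build the rare data completely, carrying the old previous
    // pointer, then publish it with one release store. A concurrent reader sees
    // either the old Structure* or the finished RareData*, never a half state.
    RareData* allocateRareData() {
        Cell* cell = previousOrRareData.load(std::memory_order_acquire);
        if (cell && cell->kind == CellKind::RareData)
            return static_cast<RareData*>(cell);
        rareDataStorage = std::make_unique<RareData>(static_cast<Structure*>(cell));
        previousOrRareData.store(rareDataStorage.get(), std::memory_order_release);
        return rareDataStorage.get();
    }

private:
    std::atomic<Cell*> previousOrRareData;
    std::unique_ptr<RareData> rareDataStorage; // toy ownership; in JSC the GC owns it
};

// Exercise the transition: previousID() must give the same answer before and
// after allocateRareData(), and the root structure has no previous at all.
bool previousSurvivesRareDataAllocation() {
    Structure root;
    Structure child(&root);
    if (child.previousID() != &root || child.hasRareData())
        return false;
    child.allocateRareData();
    return child.hasRareData() && child.previousID() == &root && root.previousID() == nullptr;
}
```

The design point is that the discriminator lives inside the object the pointer refers to, so the reader's two pieces of information (which kind, which address) come from a single atomic load instead of two separately written fields.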
2016-06-01  Michael Saboff  <msaboff@apple.com>

        Runaway WebContent process CPU & memory @ foxnews.com
        https://bugs.webkit.org/show_bug.cgi?id=158290

        Reviewed by Mark Lam.

        Clear the thrown value at the end of the catch block so that the stack scanner won't
        find the value during GC.

        Added a new stress test.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * tests/stress/recursive-try-catch.js: Added.
        (logError):
        (tryCallingBadFunction):
        (recurse):
        (test):

2016-06-01  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Some setters for components of Date do not timeClip() their result
        https://bugs.webkit.org/show_bug.cgi?id=158278
        rdar://problem/25131426

        Reviewed by Geoffrey Garen.

        Many of the setters were not doing timeClip() on the computed UTC
        time since Epoch.

        See http://www.ecma-international.org/ecma-262/6.0/#sec-date.prototype.setdate
        and the following sections for the definition.

        * runtime/DatePrototype.cpp:
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):

2016-06-01  Keith Miller  <keith_miller@apple.com>

        canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than structure watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=158291

        Reviewed by Benjamin Poulain.

        The old StringObject primitive access code used structure watchpoints. This meant that
        if you set a watchpoint on String.prototype prior to tiering up to the DFG and then added
        a new property to String.prototype, we would never use StringObject optimizations.
        This made property caching in the LLInt bad because it meant we would watchpoint
        String.prototype very early in the program, which hurt date-format-xpab.js since that
        benchmark relies on the StringObject optimizations.

        This patch also extends ObjectPropertyConditionSet to be able to handle a slotBase
        equivalence condition, since that makes the code for generating the DFG watchpoints
        significantly cleaner.

        * bytecode/ObjectPropertyCondition.cpp:
        (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition):
        (JSC::ObjectPropertyConditionSet::slotBaseCondition):
        (JSC::generateConditionsForPrototypeEquivalenceConcurrently):
        * bytecode/ObjectPropertyConditionSet.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isStringPrototypeMethodSane):
        (JSC::DFG::Graph::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.h:

2016-06-01  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling in r201436.
        https://bugs.webkit.org/show_bug.cgi?id=158143

        r201562 should have fixed the Dromaeo DOM core regression.

        Restored changeset:

        "REGRESSION: JSBench spends a lot of time transitioning
        to/from dictionary"
        https://bugs.webkit.org/show_bug.cgi?id=158045
        http://trac.webkit.org/changeset/201436


2016-06-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r201488.
        https://bugs.webkit.org/show_bug.cgi?id=158268

        Caused 23% regression on JetStream's crypto-md5 (Requested by
        rniwa on #webkit).

        Reverted changeset:

        "[ESNext] Support trailing commas in function param lists"
        https://bugs.webkit.org/show_bug.cgi?id=158020
        http://trac.webkit.org/changeset/201488

2016-05-31  Geoffrey Garen  <ggaren@apple.com>

        Dictionary property access should be fast
        https://bugs.webkit.org/show_bug.cgi?id=158250

        Reviewed by Keith Miller.

        We have some remnant code that unnecessarily takes a slow path for
        dictionaries. This caused the Dromaeo regression in r201436. Let's fix
        that.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID): Attempt to flatten a dictionary if necessary, but
        not too much. This is our idiom in other places.

        (JSC::tryCachePutByID): See tryCacheGetByID.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache): See tryCacheGetByID.

        * runtime/JSObject.cpp:
        (JSC::JSObject::fillGetterPropertySlot):
        * runtime/JSObject.h:
        (JSC::JSObject::fillCustomGetterPropertySlot): The rules for caching a
        getter are the same as the rules for caching anything else: We're
        allowed to cache even in dictionaries, as long as they're cacheable
        dictionaries. Any transition that would change to/from getter/setter
        or change other attributes requires a structure transition.

2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop "replace" from JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL_NOT_IMPLEMENTED_YET
        https://bugs.webkit.org/show_bug.cgi?id=158223

        Reviewed by Darin Adler.

        This list maintains "not implemented yet" well-known symbols.
        `Symbol.replace` is already implemented.

        * runtime/CommonIdentifiers.h:

2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, roll out r201481, r201523: 0.3% regression in Octane code-load
        https://bugs.webkit.org/show_bug.cgi?id=158249

        * API/JSScriptRef.cpp:
        (parseScript):
        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/AsyncFunctionPrototype.js: Removed.
        (asyncFunctionResume): Deleted.
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset): Deleted.
        (JSC::computeDefsForBytecodeOffset): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::dumpBytecode): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::isArrowFunction):
        (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction): Deleted.
        (JSC::UnlinkedCodeBlock::isAsyncArrowFunction): Deleted.
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
        (JSC::BytecodeGenerator::emitNewMethodDefinition):
        (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
        (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon): Deleted.
        (JSC::BytecodeGenerator::emitNewFunction): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode): Deleted.
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::parse):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass): Deleted.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitNewFuncCommon): Deleted.
        (JSC::JIT::emit_op_new_async_func): Deleted.
        (JSC::JIT::emitNewFuncExprCommon): Deleted.
        (JSC::JIT::emit_op_new_async_func_exp): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        (runInteractive):
        (printUsageStatement): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createAsyncFunctionBody): Deleted.
        * parser/Keywords.table:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseImportClauseItem):
        (JSC::Parser<LexerType>::parseImportDeclaration):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Parser<LexerType>::parseArrowFunctionExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements): Deleted.
        (JSC::Parser<LexerType>::parseVariableDeclarationList): Deleted.
        (JSC::Parser<LexerType>::parseDestructuringPattern): Deleted.
        (JSC::Parser<LexerType>::parseFunctionDeclarationStatement): Deleted.
        (JSC::Parser<LexerType>::parseFormalParameters): Deleted.
        (JSC::stringForFunctionMode): Deleted.
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration): Deleted.
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement): Deleted.
        (JSC::Parser<LexerType>::parseAwaitExpression): Deleted.
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression): Deleted.
        (JSC::Parser<LexerType>::parseUnaryExpression): Deleted.
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
        (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
        (JSC::Parser::pushScope):
        (JSC::Parser::popScopeInternal):
        (JSC::Parser::matchSpecIdentifier):
        (JSC::parse):
        (JSC::Scope::setSourceParseMode): Deleted.
        (JSC::Scope::isAsyncFunction): Deleted.
        (JSC::Scope::isAsyncFunctionBoundary): Deleted.
        (JSC::Scope::isModule): Deleted.
        (JSC::Scope::setIsFunction): Deleted.
        (JSC::Scope::setIsAsyncArrowFunction): Deleted.
        (JSC::Scope::setIsAsyncFunction): Deleted.
        (JSC::Scope::setIsAsyncFunctionBody): Deleted.
        (JSC::Scope::setIsAsyncArrowFunctionBody): Deleted.
        (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError): Deleted.
        (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction): Deleted.
        (JSC::Parser::forceClassifyExpressionError): Deleted.
        (JSC::Parser::declarationTypeToVariableKind): Deleted.
        (JSC::Parser::upperScope): Deleted.
        (JSC::Parser::isDisallowedIdentifierAwait): Deleted.
        (JSC::Parser::disallowedIdentifierAwaitReason): Deleted.
        * parser/ParserModes.h:
        (JSC::isFunctionParseMode):
        (JSC::isModuleParseMode):
        (JSC::isProgramParseMode):
        (JSC::SourceParseModeSet::SourceParseModeSet): Deleted.
        (JSC::SourceParseModeSet::contains): Deleted.
        (JSC::SourceParseModeSet::mergeSourceParseModes): Deleted.
        (JSC::isAsyncFunctionParseMode): Deleted.
        (JSC::isAsyncArrowFunctionParseMode): Deleted.
        (JSC::isAsyncFunctionWrapperParseMode): Deleted.
        (JSC::isAsyncFunctionBodyParseMode): Deleted.
        (JSC::constructAbilityForParseMode): Deleted.
        * parser/ParserTokens.h:
        * parser/SourceCodeKey.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::operator==):
        (JSC::SourceCodeKey::runtimeFlags): Deleted.
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createAsyncFunctionBody): Deleted.
        * runtime/AsyncFunctionConstructor.cpp: Removed.
        (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor): Deleted.
        (JSC::AsyncFunctionConstructor::finishCreation): Deleted.
        (JSC::callAsyncFunctionConstructor): Deleted.
        (JSC::constructAsyncFunctionConstructor): Deleted.
        (JSC::AsyncFunctionConstructor::getCallData): Deleted.
        (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
        * runtime/AsyncFunctionConstructor.h: Removed.
        (JSC::AsyncFunctionConstructor::create): Deleted.
        (JSC::AsyncFunctionConstructor::createStructure): Deleted.
        * runtime/AsyncFunctionPrototype.cpp: Removed.
        (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype): Deleted.
        (JSC::AsyncFunctionPrototype::finishCreation): Deleted.
        * runtime/AsyncFunctionPrototype.h: Removed.
        (JSC::AsyncFunctionPrototype::create): Deleted.
        (JSC::AsyncFunctionPrototype::createStructure): Deleted.
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::checkModuleSyntax):
        * runtime/Completion.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/Executable.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        * runtime/JSAsyncFunction.cpp: Removed.
        (JSC::JSAsyncFunction::JSAsyncFunction): Deleted.
        (JSC::JSAsyncFunction::createImpl): Deleted.
        (JSC::JSAsyncFunction::create): Deleted.
        (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint): Deleted.
        * runtime/JSAsyncFunction.h: Removed.
        (JSC::JSAsyncFunction::allocationSize): Deleted.
        (JSC::JSAsyncFunction::createStructure): Deleted.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        (JSC::JSGlobalObject::init): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::asyncFunctionPrototype): Deleted.
        (JSC::JSGlobalObject::asyncFunctionStructure): Deleted.
        * runtime/ModuleLoaderObject.cpp:
        (JSC::moduleLoaderObjectParseModule):
        * runtime/RuntimeFlags.h:
        (JSC::RuntimeFlags::operator==): Deleted.
        (JSC::RuntimeFlags::operator!=): Deleted.
        * tests/stress/async-await-basic.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (shouldThrow): Deleted.
        (shouldThrowAsync): Deleted.
        (shouldThrowSyntaxError): Deleted.
        (let.AsyncFunction.async): Deleted.
        (async.asyncFunctionForProto): Deleted.
        (Object.getPrototypeOf.async): Deleted.
        (Object.getPrototypeOf.async.method): Deleted.
        (async): Deleted.
        (async.method): Deleted.
        (async.asyncNonConstructorDecl): Deleted.
        (shouldThrow.new.async): Deleted.
        (shouldThrow.new.async.nonConstructor): Deleted.
        (async.asyncDecl): Deleted.
        (async.f): Deleted.
        (MyError): Deleted.
        (async.asyncDeclThrower): Deleted.
        (shouldThrowAsync.async): Deleted.
        (resolveLater): Deleted.
        (rejectLater): Deleted.
        (async.resumeAfterNormal): Deleted.
        (O.async.resumeAfterNormal): Deleted.
        (resumeAfterNormalArrow.async): Deleted.
        (async.resumeAfterThrow): Deleted.
        (O.async.resumeAfterThrow): Deleted.
        (resumeAfterThrowArrow.async): Deleted.
        (catch): Deleted.
        * tests/stress/async-await-module-reserved-word.js: Removed.
        (shouldThrow): Deleted.
        (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await): Deleted.
        (checkModuleSyntaxError.String.raw.await): Deleted.
        (checkModuleSyntaxError.String.raw.async.await): Deleted.
        (SyntaxError.Cannot.declare.named): Deleted.
        * tests/stress/async-await-mozilla.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (shouldThrow): Deleted.
        (shouldThrowAsync): Deleted.
        (assert): Deleted.
        (shouldThrowSyntaxError): Deleted.
        (mozSemantics.async.empty): Deleted.
        (mozSemantics.async.simpleReturn): Deleted.
        (mozSemantics.async.simpleAwait): Deleted.
        (mozSemantics.async.simpleAwaitAsync): Deleted.
        (mozSemantics.async.returnOtherAsync): Deleted.
        (mozSemantics.async.simpleThrower): Deleted.
        (mozSemantics.async.delegatedThrower): Deleted.
        (mozSemantics.async.tryCatch): Deleted.
        (mozSemantics.async.tryCatchThrow): Deleted.
        (mozSemantics.async.wellFinally): Deleted.
        (mozSemantics.async.finallyMayFail): Deleted.
        (mozSemantics.async.embedded.async.inner): Deleted.
        (mozSemantics.async.embedded): Deleted.
        (mozSemantics.async.fib): Deleted.
        (mozSemantics.async.isOdd.async.isEven): Deleted.
        (mozSemantics.async.isOdd): Deleted.
        (mozSemantics.hardcoreFib.async.fib2): Deleted.
        (mozSemantics.namedAsyncExpr.async.simple): Deleted.
        (mozSemantics.async.executionOrder.async.first): Deleted.
        (mozSemantics.async.executionOrder.async.second): Deleted.
        (mozSemantics.async.executionOrder.async.third): Deleted.
        (mozSemantics.async.executionOrder): Deleted.
        (mozSemantics.async.miscellaneous): Deleted.
        (mozSemantics.thrower): Deleted.
        (mozSemantics.async.defaultArgs): Deleted.
        (mozSemantics.shouldThrow): Deleted.
        (mozSemantics): Deleted.
        (mozMethods.X): Deleted.
        (mozMethods.X.prototype.async.getValue): Deleted.
        (mozMethods.X.prototype.setValue): Deleted.
        (mozMethods.X.prototype.async.increment): Deleted.
        (mozMethods.X.prototype.async.getBaseClassName): Deleted.
        (mozMethods.X.async.getStaticValue): Deleted.
        (mozMethods.Y.prototype.async.getBaseClassName): Deleted.
        (mozMethods.Y): Deleted.
        (mozFunctionNameInferrence.async.test): Deleted.
        (mozSyntaxErrors): Deleted.
        * tests/stress/async-await-reserved-word.js: Removed.
        (assert): Deleted.
        (shouldThrowSyntaxError): Deleted.
        (AsyncFunction.async): Deleted.
        * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (shouldThrowAsync): Deleted.
        (noArgumentsArrow2.async): Deleted.
        * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (shouldThrowAsync): Deleted.
        (C1): Deleted.
        (C2): Deleted.
        (shouldThrowAsync.async): Deleted.
        * tests/stress/async_arrow_functions_lexical_super_binding.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (BaseClass.prototype.baseClassValue): Deleted.
        (BaseClass.prototype.get property): Deleted.
        (BaseClass): Deleted.
        (ChildClass.prototype.asyncSuperProp): Deleted.
        (ChildClass.prototype.asyncSuperProp2): Deleted.
        (ChildClass): Deleted.
        (ChildClass2): Deleted.
        * tests/stress/async_arrow_functions_lexical_this_binding.js: Removed.
        (shouldBe): Deleted.
        (shouldBeAsync): Deleted.
        (d.y): Deleted.

2016-05-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r201363 and r201456.
        https://bugs.webkit.org/show_bug.cgi?id=158240

        "40% regression on date-format-xparb" (Requested by
        keith_miller on #webkit).

        Reverted changesets:

        "LLInt should be able to cache prototype loads for values in
        GetById"
        https://bugs.webkit.org/show_bug.cgi?id=158032
        http://trac.webkit.org/changeset/201363

        "get_by_id should support caching unset properties in the
        LLInt"
        https://bugs.webkit.org/show_bug.cgi?id=158136
        http://trac.webkit.org/changeset/201456

2016-05-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r201359.
        https://bugs.webkit.org/show_bug.cgi?id=158238

        "It was not a speedup on anything" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "We can cache lookups to JSScope::abstractResolve inside
        CodeBlock::finishCreation"
        https://bugs.webkit.org/show_bug.cgi?id=158036
        http://trac.webkit.org/changeset/201359

2016-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Recover parser performance regression by async support
        https://bugs.webkit.org/show_bug.cgi?id=158228

        Reviewed by Saam Barati.

        This patch recovers parser performance regression caused in r201481.

        Compared to the version that reverts r201481, still ~1% regression remains.
        But compared to ToT, this patch significantly improves the code-load performance.

        In Linux x64 JSCOnly port, with GCC 5.3.1.

        reverted vs. patched.
                                 reverted                  patched

        closure              0.61805+-0.00376    ?     0.62280+-0.00525       ?
        jquery               8.03778+-0.02114          8.03453+-0.04646

        <geometric>          2.22883+-0.00836    ?     2.23688+-0.00995       ? might be 1.0036x slower

        ToT vs. patched.
                                 baseline                  patched

        closure              0.65490+-0.00351    ^     0.62473+-0.00363       ^ definitely 1.0483x faster
        jquery               8.25373+-0.06256    ^     8.04701+-0.03455       ^ definitely 1.0257x faster

        <geometric>          2.32488+-0.00921    ^     2.24210+-0.00592       ^ definitely 1.0369x faster

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        Extend SourceParseMode.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        Do not call `matchSpecIdentifier()` as much as we can. This greatly improves the performance.

        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        Do not touch `currentScope()->isGenerator()` even if it is unnecessary in parseFunctionInfo.
        And accidental `syntaxChecker => context` changes are fixed.

        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
        (JSC::Parser<LexerType>::parseImportClauseItem):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        Do not use matchSpecIdentifier() in the hot paths.

        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        (JSC::Parser<LexerType>::printUnexpectedTokenText): Deleted.
        * parser/Parser.h:
        (JSC::isIdentifierOrKeyword):
        AWAIT should be one of the keywords. This AWAIT check is unnecessary.

        (JSC::Parser::upperScope):
        (JSC::Parser::matchSpecIdentifier):
        Touching currentScope() and its member causes significant performance degradation.
        We carefully remove the above access in the hot paths.

        (JSC::Parser::isDisallowedIdentifierAwait):
        * parser/ParserModes.h:
        (JSC::SourceParseModeSet::SourceParseModeSet):
        (JSC::SourceParseModeSet::contains):
        (JSC::SourceParseModeSet::mergeSourceParseModes):
        (JSC::isFunctionParseMode):
        (JSC::isAsyncFunctionParseMode):
        (JSC::isAsyncArrowFunctionParseMode):
        (JSC::isAsyncFunctionWrapperParseMode):
        (JSC::isAsyncFunctionBodyParseMode):
        (JSC::isModuleParseMode):
        (JSC::isProgramParseMode):
        (JSC::constructAbilityForParseMode):
        The parser frequently checks SourceParseMode. And the variety of SourceParseModes has become large.
        So using switch onto SourceParseMode degrades the performance. Instead, we use bit tests to guard against
        many SourceParseModes. We expect that this will be efficiently compiled into test & jmp.

        * parser/ParserTokens.h:
        Change AWAIT to one of the keywords, the same as YIELD / LET.

2016-05-31  Saam Barati  <sbarati@apple.com>

        Web Inspector: capturing with Allocations timeline causes GC to take 100x longer and cause frame drops
        https://bugs.webkit.org/show_bug.cgi?id=158054
        <rdar://problem/25280762>

        Reviewed by Joseph Pecoraro.

        HeapSnapshot::sweepCell was taking a long time on
        http://bl.ocks.org/syntagmatic/6c149c08fc9cde682635
        because it has to do a binary search to find if
        an item is or is not in the list. 90% of the binary searches
        would not find anything. This resulted in a lot of wasted time.

        This patch adds a TinyBloomFilter member variable to HeapSnapshot.
        We use this filter to try to bypass doing a binary search when the
        filter tells us that a particular JSCell is definitely not in our
        list. This is a 2x speedup on the steady state GC of the above
        website.

        * heap/HeapSnapshot.cpp:
        (JSC::HeapSnapshot::appendNode):
        (JSC::HeapSnapshot::sweepCell):
        (JSC::HeapSnapshot::shrinkToFit):
        (JSC::HeapSnapshot::nodeForCell):
        * heap/HeapSnapshot.h:

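The filter-before-search shape the entry above describes, as an added example that is not WebKit's code: a one-word Bloom filter (a constructed toy in the spirit of WTF::TinyBloomFilter, with its own made-up hash) in front of a sorted vector, so a sweep over a heap where most cells are not in the snapshot pays for a binary search only when the filter cannot rule the cell out. The class and method names mirror the entry's, the cell addresses and workload are constructed, and the counters exist only to make the saving visible.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

using CellAddress = std::uintptr_t; // stands in for JSCell*

// One-word Bloom filter: add() ORs an address's hash into the word; ruleOut()
// is true only when the address was certainly never added. False positives
// are possible, false negatives are not, which is exactly what a pre-check needs.
class TinyBloomFilter {
public:
    void add(CellAddress address) { bits_ |= hash(address); }
    bool ruleOut(CellAddress address) const {
        std::uint64_t h = hash(address);
        return (bits_ & h) != h;
    }
private:
    // Constructed hash (not WebKit's): scramble the address, then set two bits
    // chosen from it. Scrambling matters because cell addresses are aligned.
    static std::uint64_t hash(CellAddress address) {
        std::uint64_t x = static_cast<std::uint64_t>(address) * 0x9E3779B97F4A7C15ULL;
        x ^= x >> 29;
        x *= 0xBF58476D1CE4E5B9ULL;
        x ^= x >> 32;
        return (std::uint64_t{1} << (x & 63)) | (std::uint64_t{1} << ((x >> 6) & 63));
    }
    std::uint64_t bits_ = 0;
};

class HeapSnapshot {
public:
    void appendNode(CellAddress cell) {
        nodes_.push_back(cell);
        filter_.add(cell);
    }
    // Sort once so sweepCell()/nodeForCell() can binary search.
    void shrinkToFit() { std::sort(nodes_.begin(), nodes_.end()); }

    // Called for every cell the collector sweeps. Most cells are not in the
    // snapshot, so the filter answers first and only survivors pay for the search.
    bool sweepCell(CellAddress cell) {
        ++sweeps_;
        if (filter_.ruleOut(cell)) {
            ++ruledOut_;
            return false;
        }
        ++binarySearches_;
        auto it = std::lower_bound(nodes_.begin(), nodes_.end(), cell);
        if (it == nodes_.end() || *it != cell)
            return false;
        nodes_.erase(it); // the filter cannot forget a cell; it simply stays conservative
        return true;
    }
    bool nodeForCell(CellAddress cell) const {
        if (filter_.ruleOut(cell))
            return false;
        return std::binary_search(nodes_.begin(), nodes_.end(), cell);
    }
    std::size_t size() const { return nodes_.size(); }
    std::size_t sweeps() const { return sweeps_; }
    std::size_t ruledOut() const { return ruledOut_; }
    std::size_t binarySearches() const { return binarySearches_; }
private:
    std::vector<CellAddress> nodes_;
    TinyBloomFilter filter_;
    std::size_t sweeps_ = 0, ruledOut_ = 0, binarySearches_ = 0;
};

struct SweepStats { std::size_t found, remaining, sweeps, ruledOut, binarySearches; };

// Constructed workload: the snapshot holds every 13th cell of a heap of
// `heapCells` 64-byte cells; the collector then sweeps the whole heap.
SweepStats simulateSweep(std::size_t snapshotCells, std::size_t heapCells) {
    const CellAddress base = 0x10000, stride = 64;
    HeapSnapshot snapshot;
    for (std::size_t i = 0; i < snapshotCells; ++i)
        snapshot.appendNode(base + stride * (i * 13));
    snapshot.shrinkToFit();
    std::size_t found = 0;
    for (std::size_t j = 0; j < heapCells; ++j)
        if (snapshot.sweepCell(base + stride * j))
            ++found;
    return { found, snapshot.size(), snapshot.sweeps(), snapshot.ruledOut(), snapshot.binarySearches() };
}
```

With eight cells in the snapshot at most sixteen bits of the word are set, so the large majority of the 992 absent cells are rejected by two bit tests instead of a binary search; as the snapshot grows the word saturates and the filter degrades gracefully to "search everything", which is why it is a pre-check rather than the index itself.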
2016-05-29  Saam Barati  <sbarati@apple.com>

        Stack overflow crashes with deep or cyclic proxy prototype chains
        https://bugs.webkit.org/show_bug.cgi?id=157087

        Reviewed by Filip Pizlo and Mark Lam.

        Because a Proxy can call back into the JS runtime in arbitrary
        ways, we may have effectively cyclic prototype chains and property lookups
        by using a Proxy. We may also have arbitrarily long Proxy chains
        where we call into a C frame for each link in the Proxy chain.
        This means that every Proxy hook must be aware that it can stack overflow.
        Before, only certain hooks were aware of this fact. That was a bug;
        all hooks must assume they can stack overflow.

        Also, because we may have effectively cyclic prototype chains, we
        compile ProxyObject.cpp with -fno-optimize-sibling-calls. This prevents
        tail call optimization from happening on any of the calls from
        ProxyObject.cpp. We do this because we rely on the machine stack
        growing for throwing a stack overflow error. It's better for developers
        to be able to see a stack overflow error than to have their program
        infinite loop because the compiler performed TCO.

        This patch also fixes a couple of call sites of various methods
        where we didn't check for an exception.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSArray.h:
        (JSC::getLength):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::getOwnPropertyNames):
        (JSC::ProxyObject::getPropertyNames):
        (JSC::ProxyObject::getOwnNonIndexPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/ProxyObject.h:
        (JSC::ProxyObject::create):
        * tests/stress/proxy-stack-overflow-exceptions.js: Added.
        (shouldThrowStackOverflow):
        (const.emptyFunction):
        (makeLongProxyChain):
        (shouldThrowStackOverflow.longProxyChain):
        (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain1):
        (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain2):
        (shouldThrowStackOverflow.effecivelyCyclicProxyProtoChain3):
        (shouldThrowStackOverflow.longProxyChainBind):
        (shouldThrowStackOverflow.longProxyChainPropertyAccess):
        (shouldThrowStackOverflow.longProxyChainReflectConstruct):
        (shouldThrowStackOverflow.longProxyChainReflectSet):
        (shouldThrowStackOverflow.longProxyChainReflectOwnKeys):
        (shouldThrowStackOverflow.longProxyChainGetPrototypeOf):
        (shouldThrowStackOverflow.longProxyChainSetPrototypeOf):
        (shouldThrowStackOverflow.longProxyChainGetOwnPropertyDescriptor):
        (shouldThrowStackOverflow.longProxyChainDefineProperty):
        (shouldThrowStackOverflow.longProxyChainIsExtensible):
        (shouldThrowStackOverflow.longProxyChainPreventExtensions):
691         (shouldThrowStackOverflow.longProxyChainDeleteProperty):
692         (shouldThrowStackOverflow.longProxyChainWithScope):
693         (shouldThrowStackOverflow.longProxyChainWithScope2):
694         (shouldThrowStackOverflow.longProxyChainWithScope3):
695         (shouldThrowStackOverflow.longProxyChainArrayPrototypePush):
696         (shouldThrowStackOverflow.longProxyChainWithScope4):
697         (shouldThrowStackOverflow.longProxyChainCall):
698         (shouldThrowStackOverflow.longProxyChainConstruct):
699         (shouldThrowStackOverflow.longProxyChainHas):
700
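An added illustration, not WebKit's code or its stress test, of the two shapes the entry above describes: a long chain of trap-less forwarding Proxies, and a prototype chain that is cyclic only in effect because a Proxy trap re-enters the same lookup. Under any engine that guards its native stack (V8 in Node.js does so in each Proxy internal method), every hook must end in a catchable RangeError rather than a crash or an endless loop. The helper names, the depth of 100000 and the base object are this example's own choices.

```javascript
'use strict';
// Added illustration, not WebKit's code or test. Builds the two shapes the
// entry above describes and checks that every Proxy internal method
// surfaces a catchable RangeError (stack exhaustion) instead of crashing
// or running forever. Names, depths and the base object are this
// example's own choices.

// Wrap `base` in `depth` trap-less proxies. Each lookup on the outermost
// proxy forwards one link at a time, so the engine's own stack grows with
// the depth of the chain.
function makeLongProxyChain(base, depth) {
  let obj = base;
  for (let i = 0; i < depth; i += 1) obj = new Proxy(obj, {});
  return obj;
}

// A prototype chain that is cyclic in effect, not in the heap: `obj`'s
// prototype is a Proxy whose traps resolve misses by asking `obj` again.
function makeEffectivelyCyclicProtoChain() {
  const obj = {};
  const proxy = new Proxy({}, {
    get(target, key) { return obj[key]; },
    has(target, key) { return key in obj; },
  });
  Object.setPrototypeOf(obj, proxy);
  return obj;
}

// True only if fn throws a RangeError, the class engines use for
// "maximum call stack size exceeded"; any other outcome is a failure.
function throwsStackOverflow(fn) {
  try {
    fn();
  } catch (e) {
    return e instanceof RangeError;
  }
  return false;
}

// One operation per Proxy internal method that forwards along the chain,
// mirroring the hooks the entry audits (get, has, set, delete,
// getPrototypeOf, ownKeys, getOwnPropertyDescriptor, isExtensible).
function proxyHookOperations(chain) {
  return {
    get: () => chain.missing,
    has: () => 'missing' in chain,
    set: () => { chain.missing = 1; },
    deleteProperty: () => { delete chain.missing; },
    getPrototypeOf: () => Object.getPrototypeOf(chain),
    ownKeys: () => Reflect.ownKeys(chain),
    getOwnPropertyDescriptor: () => Object.getOwnPropertyDescriptor(chain, 'missing'),
    isExtensible: () => Object.isExtensible(chain),
  };
}

// Drive every hook through a chain of the given depth; returns a map of
// hook name -> whether it ended in a RangeError.
function checkLongChain(depth) {
  const chain = makeLongProxyChain({ marker: 'base' }, depth);
  const outcome = {};
  for (const [name, op] of Object.entries(proxyHookOperations(chain))) {
    outcome[name] = throwsStackOverflow(op);
  }
  return outcome;
}

// A short chain must still behave as a transparent wrapper.
function lookupThroughShortChain(depth) {
  return makeLongProxyChain({ marker: 'base' }, depth).marker;
}

// Cyclic shape: both the get and has paths re-enter the same lookup.
function checkCyclicProtoChain() {
  return {
    get: throwsStackOverflow(() => makeEffectivelyCyclicProtoChain().missing),
    has: throwsStackOverflow(() => 'missing' in makeEffectivelyCyclicProtoChain()),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('short chain:', lookupThroughShortChain(20));
  console.log('long chain (100000):', checkLongChain(100000));
  console.log('cyclic proto chain:', checkCyclicProtoChain());
}
```

The entry's point about -fno-optimize-sibling-calls is visible here: the only reason the long chain terminates with a RangeError is that each forwarded link consumes native stack; if the engine turned those forwarding calls into tail calls, the same input would spin until it was killed.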
701 2016-05-28  Andreas Kling  <akling@apple.com>
702
703         JSGlobalLexicalEnvironment leaks SegmentedVector due to lack of destructor.
704         <https://webkit.org/b/158186>
705
706         Reviewed by Saam Barati.
707
708         Give JSGlobalLexicalEnvironment a destroy() and set up a finalizer for it
709         like we do with JSGlobalObject. (This is needed because they don't inherit
710         from JSDestructibleObjects and thus can't use JSCell::needsDestruction to
711         ask for allocation in destructor space.)
712
713         This stops us from leaking all the SegmentedVector backing stores.
714
715         * runtime/JSGlobalLexicalEnvironment.cpp:
716         (JSC::JSGlobalLexicalEnvironment::destroy):
717         * runtime/JSGlobalLexicalEnvironment.h:
718         (JSC::JSGlobalLexicalEnvironment::create):
719
720 2016-05-28  Skachkov Oleksandr  <gskachkov@gmail.com>

721         [ESNext] Trailing commas in function parameters.
722         https://bugs.webkit.org/show_bug.cgi?id=158020
723
724         Reviewed by Keith Miller.
725
726         ESNext allows adding trailing commas in function parameters and function arguments.
727         Link to spec - https://jeffmo.github.io/es-trailing-function-commas 
728         Example of using - (function (a, b,) { return a + b; })(1,2,);
729
730         * parser/Parser.cpp:
731         (JSC::Parser<LexerType>::parseFormalParameters):
732         (JSC::Parser<LexerType>::parseArguments):
733         * tests/stress/trailing-comma-in-function-paramters.js: Added.
734
735 2016-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
736
737         [JSC] op_new_arrow_func_exp is no longer necessary
738         https://bugs.webkit.org/show_bug.cgi?id=158180
739
740         Reviewed by Saam Barati.
741
742         This patch removes op_new_arrow_func_exp bytecode since
743         what op_new_arrow_func_exp is doing is completely the same to op_new_func_exp.
744
745         * bytecode/BytecodeList.json:
746         * bytecode/BytecodeUseDef.h:
747         (JSC::computeUsesForBytecodeOffset): Deleted.
748         (JSC::computeDefsForBytecodeOffset): Deleted.
749         * bytecode/CodeBlock.cpp:
750         (JSC::CodeBlock::dumpBytecode): Deleted.
751         * bytecompiler/BytecodeGenerator.cpp:
752         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
753         * dfg/DFGByteCodeParser.cpp:
754         (JSC::DFG::ByteCodeParser::parseBlock):
755         * dfg/DFGCapabilities.cpp:
756         (JSC::DFG::capabilityLevel): Deleted.
757         * jit/JIT.cpp:
758         (JSC::JIT::privateCompileMainPass): Deleted.
759         * jit/JIT.h:
760         * jit/JITOpcodes.cpp:
761         (JSC::JIT::emitNewFuncExprCommon):
762         (JSC::JIT::emit_op_new_arrow_func_exp): Deleted.
763         * llint/LLIntSlowPaths.cpp:
764         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
765         * llint/LLIntSlowPaths.h:
766         * llint/LowLevelInterpreter.asm:
767
768 2016-05-27  Caitlin Potter  <caitp@igalia.com>
769
770         [JSC] implement async functions proposal
771         https://bugs.webkit.org/show_bug.cgi?id=156147
772
773         Reviewed by Yusuke Suzuki.
774
775         Adds support for `async` functions, proposed in https://tc39.github.io/ecmascript-asyncawait/.
776
777         On the front-end side, "await" becomes a contextual keyword when used within an async function,
778         which triggers parsing an AwaitExpression. "await" becomes an illegal identifier name within
779         these contexts. The bytecode generated from an "await" expression is identical to that generated
780         in a "yield" expression in a Generator, as AsyncFunction reuses generator's state machine mechanism.
781
782         There are numerous syntactic forms for language features, including a variation on ArrowFunctions,
783         requiring the keyword `async` to precede ArrowFormalParameters, and similarly, MethodDefinitions,
784         which are ordinary MethodDefinitions preceded by the keyword `async`.
785
786         An async function desugars to the following:
787
788         ```
789         async function asyncFn() {
790         }
791
792         becomes:
793
794         function asyncFn() {
795             let generator = {
796                 @generatorNext: function(@generator, @generatorState, @generatorValue, @generatorResumeMode) {
797                   // generator state machine stuff here
798                 },
799                 @generatorState: 0,
800                 @generatorThis: this,
801                 @generatorFrame: null
802             };
803             return @asyncFunctionResume(generator, undefined, GeneratorResumeMode::NormalMode);
804         }
805         ```
806
807         `@asyncFunctionResume()` is similar to `@generatorResume`, with the exception that it will wrap the
808         result of invoking `@generatorNext()` in a Promise, and will avoid allocating an iterator result
809         object.
810
811         If the generator has yielded (an AwaitExpression has occurred), resumption will occur automatically
812         once the await-expression operand is finished, via Promise chaining.
813
814         * API/JSScriptRef.cpp:
815         (parseScript):
816         * CMakeLists.txt:
817         * DerivedSources.make:
818         * JavaScriptCore.xcodeproj/project.pbxproj:
819         * builtins/AsyncFunctionPrototype.js: Added.
820         (asyncFunctionResume):
821         * builtins/BuiltinExecutables.cpp:
822         (JSC::BuiltinExecutables::createExecutable):
823         * bytecode/BytecodeList.json:
824         * bytecode/BytecodeUseDef.h:
825         (JSC::computeUsesForBytecodeOffset):
826         (JSC::computeDefsForBytecodeOffset):
827         * bytecode/CodeBlock.cpp:
828         (JSC::CodeBlock::dumpBytecode):
829         (JSC::CodeBlock::finishCreation):
830         * bytecode/UnlinkedCodeBlock.h:
831         (JSC::UnlinkedCodeBlock::isArrowFunction):
832         (JSC::UnlinkedCodeBlock::isOrdinaryArrowFunction):
833         (JSC::UnlinkedCodeBlock::isAsyncArrowFunction):
834         * bytecode/UnlinkedFunctionExecutable.cpp:
835         (JSC::generateUnlinkedFunctionCodeBlock):
836         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
837         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
838         * bytecode/UnlinkedFunctionExecutable.h:
839         * bytecompiler/BytecodeGenerator.cpp:
840         (JSC::BytecodeGenerator::BytecodeGenerator):
841         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
842         (JSC::BytecodeGenerator::emitNewArrowFunctionExpression):
843         (JSC::BytecodeGenerator::emitNewMethodDefinition):
844         (JSC::BytecodeGenerator::emitNewFunction):
845         (JSC::BytecodeGenerator::emitLoadArrowFunctionLexicalEnvironment):
846         * bytecompiler/BytecodeGenerator.h:
847         (JSC::BytecodeGenerator::makeFunction):
848         * bytecompiler/NodesCodegen.cpp:
849         (JSC::FunctionNode::emitBytecode):
850         * inspector/agents/InspectorRuntimeAgent.cpp:
851         (Inspector::InspectorRuntimeAgent::parse):
852         * jit/JIT.cpp:
853         (JSC::JIT::privateCompileMainPass):
854         * jit/JIT.h:
855         * jit/JITOpcodes.cpp:
856         (JSC::JIT::emitNewFuncCommon):
857         (JSC::JIT::emit_op_new_async_func):
858         (JSC::JIT::emitNewFuncExprCommon):
859         (JSC::JIT::emit_op_new_async_func_exp):
860         * jit/JITOperations.cpp:
861         * jit/JITOperations.h:
862         * jsc.cpp:
863         (runInteractive):
864         (printUsageStatement):
865         * llint/LLIntSlowPaths.cpp:
866         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
867         * llint/LLIntSlowPaths.h:
868         * llint/LowLevelInterpreter.asm:
869         * parser/ASTBuilder.h:
870         (JSC::ASTBuilder::createAsyncFunctionBody):
871         * parser/Keywords.table:
872         * parser/Parser.cpp:
873         (JSC::Parser<LexerType>::Parser):
874         (JSC::Parser<LexerType>::parseInner):
875         (JSC::Parser<LexerType>::isArrowFunctionParameters):
876         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
877         (JSC::Parser<LexerType>::parseStatementListItem):
878         (JSC::Parser<LexerType>::parseVariableDeclarationList):
879         (JSC::Parser<LexerType>::parseDestructuringPattern):
880         (JSC::Parser<LexerType>::parseStatement):
881         (JSC::Parser<LexerType>::parseFunctionDeclarationStatement):
882         (JSC::Parser<LexerType>::parseFormalParameters):
883         (JSC::stringForFunctionMode):
884         (JSC::Parser<LexerType>::parseFunctionParameters):
885         (JSC::Parser<LexerType>::parseFunctionInfo):
886         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
887         (JSC::Parser<LexerType>::parseClass):
888         (JSC::Parser<LexerType>::parseExpressionOrLabelStatement):
889         (JSC::Parser<LexerType>::parseImportClauseItem):
890         (JSC::Parser<LexerType>::parseImportDeclaration):
891         (JSC::Parser<LexerType>::parseExportDeclaration):
892         (JSC::Parser<LexerType>::parseAssignmentExpression):
893         (JSC::Parser<LexerType>::parseAwaitExpression):
894         (JSC::Parser<LexerType>::parseProperty):
895         (JSC::Parser<LexerType>::parsePropertyMethod):
896         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
897         (JSC::Parser<LexerType>::parsePrimaryExpression):
898         (JSC::Parser<LexerType>::parseMemberExpression):
899         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
900         (JSC::Parser<LexerType>::parseUnaryExpression):
901         (JSC::Parser<LexerType>::printUnexpectedTokenText):
902         * parser/Parser.h:
903         (JSC::isIdentifierOrKeyword):
904         (JSC::Scope::Scope):
905         (JSC::Scope::setSourceParseMode):
906         (JSC::Scope::isAsyncFunction):
907         (JSC::Scope::isAsyncFunctionBoundary):
908         (JSC::Scope::isModule):
909         (JSC::Scope::setIsFunction):
910         (JSC::Scope::setIsAsyncArrowFunction):
911         (JSC::Scope::setIsAsyncFunction):
912         (JSC::Scope::setIsAsyncFunctionBody):
913         (JSC::Scope::setIsAsyncArrowFunctionBody):
914         (JSC::Parser::ExpressionErrorClassifier::forceClassifyExpressionError):
915         (JSC::Parser::ExpressionErrorClassifier::propagateExpressionErrorClass):
916         (JSC::Parser::ExpressionErrorClassifier::indicatesPossibleAsyncArrowFunction):
917         (JSC::Parser::forceClassifyExpressionError):
918         (JSC::Parser::declarationTypeToVariableKind):
919         (JSC::Parser::closestParentOrdinaryFunctionNonLexicalScope):
920         (JSC::Parser::pushScope):
921         (JSC::Parser::popScopeInternal):
922         (JSC::Parser::matchSpecIdentifier):
923         (JSC::Parser::isDisallowedIdentifierAwait):
924         (JSC::Parser::disallowedIdentifierAwaitReason):
925         (JSC::parse):
926         * parser/ParserModes.h:
927         (JSC::isFunctionParseMode):
928         (JSC::isAsyncFunctionParseMode):
929         (JSC::isAsyncArrowFunctionParseMode):
930         (JSC::isAsyncFunctionWrapperParseMode):
931         (JSC::isAsyncFunctionBodyParseMode):
932         (JSC::isModuleParseMode):
933         (JSC::isProgramParseMode):
934         (JSC::constructAbilityForParseMode):
935         * parser/ParserTokens.h:
936         * parser/SourceCodeKey.h:
937         (JSC::SourceCodeKey::SourceCodeKey):
938         (JSC::SourceCodeKey::runtimeFlags):
939         (JSC::SourceCodeKey::operator==):
940         * parser/SyntaxChecker.h:
941         (JSC::SyntaxChecker::createAsyncFunctionBody):
942         * runtime/AsyncFunctionConstructor.cpp: Added.
943         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
944         (JSC::AsyncFunctionConstructor::finishCreation):
945         (JSC::callAsyncFunctionConstructor):
946         (JSC::constructAsyncFunctionConstructor):
947         (JSC::AsyncFunctionConstructor::getCallData):
948         (JSC::AsyncFunctionConstructor::getConstructData):
949         * runtime/AsyncFunctionConstructor.h: Added.
950         (JSC::AsyncFunctionConstructor::create):
951         (JSC::AsyncFunctionConstructor::createStructure):
952         * runtime/AsyncFunctionPrototype.cpp: Added.
953         (JSC::AsyncFunctionPrototype::AsyncFunctionPrototype):
954         (JSC::AsyncFunctionPrototype::finishCreation):
955         * runtime/AsyncFunctionPrototype.h: Added.
956         (JSC::AsyncFunctionPrototype::create):
957         (JSC::AsyncFunctionPrototype::createStructure):
958         * runtime/CodeCache.cpp:
959         (JSC::CodeCache::getGlobalCodeBlock):
960         (JSC::CodeCache::getProgramCodeBlock):
961         (JSC::CodeCache::getEvalCodeBlock):
962         (JSC::CodeCache::getModuleProgramCodeBlock):
963         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
964         * runtime/CodeCache.h:
965         * runtime/CommonIdentifiers.h:
966         * runtime/Completion.cpp:
967         (JSC::checkSyntax):
968         (JSC::checkModuleSyntax):
969         * runtime/Completion.h:
970         * runtime/Executable.cpp:
971         (JSC::ScriptExecutable::newCodeBlockFor):
972         (JSC::ProgramExecutable::checkSyntax):
973         * runtime/Executable.h:
974         * runtime/FunctionConstructor.cpp:
975         (JSC::constructFunctionSkippingEvalEnabledCheck):
976         * runtime/FunctionConstructor.h:
977         * runtime/JSAsyncFunction.cpp: Added.
978         (JSC::JSAsyncFunction::JSAsyncFunction):
979         (JSC::JSAsyncFunction::createImpl):
980         (JSC::JSAsyncFunction::create):
981         (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
982         * runtime/JSAsyncFunction.h: Added.
983         (JSC::JSAsyncFunction::allocationSize):
984         (JSC::JSAsyncFunction::createStructure):
985         * runtime/JSFunction.cpp:
986         (JSC::JSFunction::getOwnPropertySlot):
987         * runtime/JSGlobalObject.cpp:
988         (JSC::JSGlobalObject::init):
989         (JSC::JSGlobalObject::createProgramCodeBlock):
990         (JSC::JSGlobalObject::createEvalCodeBlock):
991         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
992         * runtime/JSGlobalObject.h:
993         (JSC::JSGlobalObject::asyncFunctionPrototype):
994         (JSC::JSGlobalObject::asyncFunctionStructure):
995         * runtime/ModuleLoaderObject.cpp:
996         (JSC::moduleLoaderObjectParseModule):
997         * runtime/RuntimeFlags.h:
998         (JSC::RuntimeFlags::operator==):
999         (JSC::RuntimeFlags::operator!=):
1000         * tests/stress/async-await-basic.js: Added.
1001         (shouldBe):
1002         (shouldBeAsync):
1003         (shouldThrow):
1004         (shouldThrowAsync):
1005         (let.AsyncFunction.async):
1006         (async.asyncFunctionForProto):
1007         (Object.getPrototypeOf.async):
1008         (Object.getPrototypeOf.async.method):
1009         (async):
1010         (async.method):
1011         (async.asyncNonConstructorDecl):
1012         (shouldThrow.new.async):
1013         (shouldThrow.new.async.nonConstructor):
1014         (async.asyncDecl):
1015         (async.f):
1016         (MyError):
1017         (async.asyncDeclThrower):
1018         (shouldThrowAsync.async):
1019         (resolveLater):
1020         (rejectLater):
1021         (async.resumeAfterNormal):
1022         (O.async.resumeAfterNormal):
1023         (resumeAfterNormalArrow.async):
1024         (async.resumeAfterThrow):
1025         (O.async.resumeAfterThrow):
1026         (resumeAfterThrowArrow.async):
1027         (catch):
1028         * tests/stress/async-await-module-reserved-word.js: Added.
1029         (shouldThrow):
1030         (SyntaxError.Canstring_appeared_hereawait.checkModuleSyntaxError.String.raw.await):
1031         (checkModuleSyntaxError.String.raw.await):
1032         (checkModuleSyntaxError.String.raw.async.await):
1033         (SyntaxError.Cannot.declare.named):
1034         * tests/stress/async-await-mozilla.js: Added.
1035         (shouldBe):
1036         (shouldBeAsync):
1037         (shouldThrow):
1038         (shouldThrowAsync):
1039         (assert):
1040         (shouldThrowSyntaxError):
1041         (mozSemantics.async.empty):
1042         (mozSemantics.async.simpleReturn):
1043         (mozSemantics.async.simpleAwait):
1044         (mozSemantics.async.simpleAwaitAsync):
1045         (mozSemantics.async.returnOtherAsync):
1046         (mozSemantics.async.simpleThrower):
1047         (mozSemantics.async.delegatedThrower):
1048         (mozSemantics.async.tryCatch):
1049         (mozSemantics.async.tryCatchThrow):
1050         (mozSemantics.async.wellFinally):
1051         (mozSemantics.async.finallyMayFail):
1052         (mozSemantics.async.embedded.async.inner):
1053         (mozSemantics.async.embedded):
1054         (mozSemantics.async.fib):
1055         (mozSemantics.async.isOdd.async.isEven):
1056         (mozSemantics.async.isOdd):
1057         (mozSemantics.hardcoreFib.async.fib2):
1058         (mozSemantics.namedAsyncExpr.async.simple):
1059         (mozSemantics.async.executionOrder.async.first):
1060         (mozSemantics.async.executionOrder.async.second):
1061         (mozSemantics.async.executionOrder.async.third):
1062         (mozSemantics.async.executionOrder):
1063         (mozSemantics.async.miscellaneous):
1064         (mozSemantics.thrower):
1065         (mozSemantics.async.defaultArgs):
1066         (mozSemantics.shouldThrow):
1067         (mozSemantics):
1068         (mozMethods.X):
1069         (mozMethods.X.prototype.async.getValue):
1070         (mozMethods.X.prototype.setValue):
1071         (mozMethods.X.prototype.async.increment):
1072         (mozMethods.X.prototype.async.getBaseClassName):
1073         (mozMethods.X.async.getStaticValue):
1074         (mozMethods.Y.prototype.async.getBaseClassName):
1075         (mozMethods.Y):
1076         (mozFunctionNameInferrence.async.test):
1077         (mozSyntaxErrors):
1078         * tests/stress/async-await-reserved-word.js: Added.
1079         (assert):
1080         (shouldThrowSyntaxError):
1081         (AsyncFunction.async):
1082         * tests/stress/async_arrow_functions_lexical_arguments_binding.js: Added.
1083         (shouldBe):
1084         (shouldBeAsync):
1085         (shouldThrowAsync):
1086         (noArgumentsArrow2.async):
1087         * tests/stress/async_arrow_functions_lexical_new.target_binding.js: Added.
1088         (shouldBe):
1089         (shouldBeAsync):
1090         (shouldThrowAsync):
1091         (C1):
1092         (C2):
1093         (shouldThrowAsync.async):
1094         * tests/stress/async_arrow_functions_lexical_super_binding.js: Added.
1095         (shouldBe):
1096         (shouldBeAsync):
1097         (BaseClass.prototype.baseClassValue):
1098         (BaseClass):
1099         (ChildClass.prototype.asyncSuperProp):
1100         (ChildClass.prototype.asyncSuperProp2):
1101         (ChildClass):
1102         * tests/stress/async_arrow_functions_lexical_this_binding.js: Added.
1103         (shouldBe):
1104         (shouldBeAsync):
1105         (d.y):
1106
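An added, self-contained rendering of the desugaring sketched in the entry above, written in plain ES2015 rather than JSC's private @-builtins; it is not the code from the patch. `asyncFunctionResume` and `makeAsync` are this example's own names, `yield` stands in for `await` inside the generator body, and the two sample functions are constructed for the illustration.

```javascript
'use strict';
// Added example (not JSC's builtin): the async-function desugaring from
// the entry above. asyncFunctionResume plays the role the ChangeLog gives
// to @asyncFunctionResume: drive a generator, treat each yield as an
// await, and settle one promise with the body's final return or throw.

const NormalMode = 'normal';
const ThrowMode = 'throw';

// Resume the generator in the given mode and chain the next step onto
// whatever the body awaited. Returns the promise that represents the
// whole async function call.
function asyncFunctionResume(generator, value, mode) {
  return new Promise((resolve, reject) => {
    function step(v, m) {
      let result;
      try {
        // Like @generatorResume, except the outcome feeds a promise
        // instead of being wrapped in an iterator-result object.
        result = m === ThrowMode ? generator.throw(v) : generator.next(v);
      } catch (e) {
        reject(e); // an uncaught throw inside the body rejects the promise
        return;
      }
      if (result.done) {
        resolve(result.value); // `return` inside the body resolves it
        return;
      }
      // The body hit an await: once the operand settles, resume
      // automatically, in throw mode if it rejected.
      Promise.resolve(result.value).then(
        (awaited) => step(awaited, NormalMode),
        (err) => step(err, ThrowMode),
      );
    }
    step(value, mode);
  });
}

// Turn a generator function whose yields stand for awaits into the
// equivalent async function.
function makeAsync(generatorFunction) {
  return function asyncFn(...args) {
    const generator = generatorFunction.apply(this, args);
    return asyncFunctionResume(generator, undefined, NormalMode);
  };
}

// async function addLater(a, b) { const x = await a; const y = await b; return x + y; }
const addLater = makeAsync(function* (a, b) {
  const x = yield a;
  const y = yield b;
  return x + y;
});

// async function catchesRejection(p) { try { await p; } catch (e) { return 'caught ' + e.message; } return 'no error'; }
const catchesRejection = makeAsync(function* (p) {
  try {
    yield p;
  } catch (e) {
    return 'caught ' + e.message;
  }
  return 'no error';
});

// async function throwsEarly() { throw new TypeError('bad'); }
const throwsEarly = makeAsync(function* () {
  throw new TypeError('bad');
});
```

Two properties of the real feature fall out of the driver: a rejected operand re-enters the body in throw mode, so an ordinary try/catch around the await sees it, and the promise for the call is created before the body runs its first statement, so a synchronous throw becomes a rejection rather than escaping to the caller.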
1107 2016-05-27  Saam barati  <sbarati@apple.com>
1108
1109         DebuggerCallFrame crashes when updated with the globalExec because neither ShadowChicken's algorithm nor StackVisitor's algorithm reasons about the globalExec
1110         https://bugs.webkit.org/show_bug.cgi?id=158104
1111
1112         Reviewed by Filip Pizlo.
1113
1114         I think globalExec is a special enough case that it should be handled
1115         at the layers above ShadowChicken and StackVisitor. Those APIs should
1116         deal with real stack frames on the machine stack, not a heap constructed frame.
1117
1118         This patch makes DebuggerCallFrame::create aware that it may be
1119         created with the globalObject->globalExec() by having it construct
1120         a single DebuggerCallFrame that wraps the globalExec.
1121
1122         This fixes a crasher because we will construct a DebuggerCallFrame
1123         with the globalExec when the Inspector is set to pause on all uncaught
1124         exceptions and the JS program has a syntax error. Because the program
1125         hasn't begun execution, there is no machine JS stack frame yet. So
1126         DebuggerCallFrame is created with globalExec, which will cause it
1127         to hit an assertion that dictates that the stack have size greater
1128         than zero.
1129
1130         * debugger/DebuggerCallFrame.cpp:
1131         (JSC::DebuggerCallFrame::create):
1132
1133 2016-05-27  Filip Pizlo  <fpizlo@apple.com>
1134
1135         DFG::LazyJSValue::tryGetStringImpl() crashes for empty values
1136         https://bugs.webkit.org/show_bug.cgi?id=158170
1137
1138         Reviewed by Michael Saboff.
1139
1140         The problem here is that jsDynamicCast<>() is evil! It avoids checking for the empty
1141         value, presumably because this makes it soooper fast. In DFG IR, empty values can appear
1142         anywhere because of TDZ.
1143         
1144         This patch doesn't change jsDynamicCast<>(), but it hardens our wrappers for it in the DFG
1145         and it has the affected code use one of those wrappers.
1146         
1147         * dfg/DFGFrozenValue.h:
1148         (JSC::DFG::FrozenValue::dynamicCast): Harden this.
1149         (JSC::DFG::FrozenValue::cast):
1150         * dfg/DFGLazyJSValue.cpp:
1151         (JSC::DFG::LazyJSValue::tryGetStringImpl): Use the hardened wrapper.
1152         * tests/stress/strcat-emtpy.js: Added. This used to crash every time.
1153         (foo):
1154         (i.catch):
1155
1156 2016-05-27  Filip Pizlo  <fpizlo@apple.com>
1157
1158         regExpProtoFuncSplitFast should OOM before it swaps
1159         https://bugs.webkit.org/show_bug.cgi?id=158157
1160
1161         Reviewed by Mark Lam.
1162         
1163         This is a huge speed-up on some jsfunfuzz test cases because it makes us realize much
1164         sooner that running a regexp split will result in swapping. It uses the same basic
1165         approach as http://trac.webkit.org/changeset/201451: if the result array crosses a certain
1166         size threshold, we proceed with a dry run to see how big the array will get before
1167         allocating anything else. This way, bogus uses of split that would have OOMed only after
1168         killing the user's machine will now OOM before killing the user's machine.
1169         
1170         This is an enormous speed-up on some jsfunfuzz tests: they go from running for a long
1171         time to running instantly.
1172
1173         * runtime/RegExpPrototype.cpp:
1174         (JSC::advanceStringIndex):
1175         (JSC::genericSplit):
1176         (JSC::regExpProtoFuncSplitFast):
1177         * runtime/StringObject.h:
1178         (JSC::jsStringWithReuse):
1179         (JSC::jsSubstring):
1180         * tests/stress/big-split-captures.js: Added.
1181         * tests/stress/big-split.js: Added.
1182
1183 2016-05-27  Saam barati  <sbarati@apple.com>
1184
1185         ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
1186         https://bugs.webkit.org/show_bug.cgi?id=158131
1187
1188         Reviewed by Yusuke Suzuki.
1189
1190         There were bugs both in DebuggerCallFrame and ShadowChicken when the entry stack
1191         frame(s) are tail deleted.
1192
1193         DebuggerCallFrame had an assertion saying that the entry frame shouldn't be
1194         tail deleted. This is clearly wrong. The following program proves that this assertion
1195         was misguided:
1196         ```
1197         "use strict";
1198         setTimeout(function foo() { return bar(); }, 0);
1199         ```
1200
1201         ShadowChicken had a very subtle bug when creating the shadow stack when 
1202         the entry frames of the stack were tail deleted. Because it places frames into its shadow
1203         stack by walking the machine frame and looking up entries in the log,
1204         the machine frame doesn't have any notion of those tail deleted frames
1205         at the entry of execution. ShadowChicken would never find those frames
1206         because it would look for tail deleted frames *before* consulting the
1207         current machine frame. This is wrong because if the entry frames
1208         are tail deleted, then there is no machine frame for them because there
1209         is no machine frame before them! Therefore, we must search for tail deleted
1210         frames *after* consulting a machine frame. This is sound because we will always
1211         have at least one machine frame on the stack (when we are using StackVisitor on a valid ExecState).
1212         So when we consult the machine frame that is the entry frame on the machine stack,
1213         we will search for tail deleted frames that come before it in the shadow stack.
1214         This will allow us to find those tail deleted frames that are the entry frames
1215         for the shadow stack.
1216
1217         * debugger/DebuggerCallFrame.cpp:
1218         (JSC::DebuggerCallFrame::create):
1219         * interpreter/ShadowChicken.cpp:
1220         (JSC::ShadowChicken::Packet::dump):
1221         (JSC::ShadowChicken::update):
1222         (JSC::ShadowChicken::dump):
1223
1224 2016-05-27  Chris Dumez  <cdumez@apple.com>
1225
1226         WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables
1227         https://bugs.webkit.org/show_bug.cgi?id=158111
1228
1229         Reviewed by Darin Adler.
1230
1231         WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables.
1232         These are often used cross-thread and copying the captured lambda variables can be
1233         dangerous (e.g. we do not want to copy a String after calling isolatedCopy() upon
1234         capture).
1235
1236         * runtime/Watchdog.cpp:
1237         (JSC::Watchdog::startTimer):
1238         (JSC::Watchdog::Watchdog): Deleted.
1239         (JSC::Watchdog::setTimeLimit): Deleted.
1240         * runtime/Watchdog.h:
1241
1242 2016-05-27  Konstantin Tokarev  <annulen@yandex.ru>
1243
1244         Removed unused headers from ExecutableAllocatorFixedVMPool.cpp.
1245         https://bugs.webkit.org/show_bug.cgi?id=158159
1246
1247         Reviewed by Darin Adler.
1248
1249         * jit/ExecutableAllocatorFixedVMPool.cpp:
1250
1251 2016-05-27  Keith Miller  <keith_miller@apple.com>
1252
1253         get_by_id should support caching unset properties in the LLInt
1254         https://bugs.webkit.org/show_bug.cgi?id=158136
1255
1256         Reviewed by Benjamin Poulain.
1257
1258         Recently, we started supporting prototype load caching for get_by_id
1259         in the LLInt. This patch extends that to caching unset properties.
1260         While it is uncommon in general for a program to see a single structure
1261         without a given property, the Array.prototype.concat function needs to
1262         look up the Symbol.isConcatSpreadable property. For any existing code,
1263         that property will never be set as it did not exist prior to ES6.
1264
1265         Similarly to the get_by_id_proto_load bytecode, this patch adds a new
1266         bytecode, get_by_id_unset that checks the structureID of the base and
1267         assigns undefined to the result.
1268
1269         There are no new tests here since we already have many tests that
1270         incidentally cover this change.
1271
1272         * bytecode/BytecodeList.json:
1273         * bytecode/BytecodeUseDef.h:
1274         (JSC::computeUsesForBytecodeOffset):
1275         (JSC::computeDefsForBytecodeOffset):
1276         * bytecode/CodeBlock.cpp:
1277         (JSC::CodeBlock::printGetByIdOp):
1278         (JSC::CodeBlock::dumpBytecode):
1279         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1280         * bytecode/GetByIdStatus.cpp:
1281         (JSC::GetByIdStatus::computeFromLLInt):
1282         * dfg/DFGByteCodeParser.cpp:
1283         (JSC::DFG::ByteCodeParser::parseBlock):
1284         * dfg/DFGCapabilities.cpp:
1285         (JSC::DFG::capabilityLevel):
1286         * jit/JIT.cpp:
1287         (JSC::JIT::privateCompileMainPass):
1288         (JSC::JIT::privateCompileSlowCases):
1289         * llint/LLIntSlowPaths.cpp:
1290         (JSC::LLInt::setupGetByIdPrototypeCache):
1291         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1292         * llint/LLIntSlowPaths.h:
1293         * llint/LowLevelInterpreter32_64.asm:
1294         * llint/LowLevelInterpreter64.asm:
1295
1296 2016-05-26  Filip Pizlo  <fpizlo@apple.com>
1297
1298         Bogus uses of regexp matching should realize that they will OOM before they start swapping
1299         https://bugs.webkit.org/show_bug.cgi?id=158142
1300
1301         Reviewed by Michael Saboff.
1302         
1303         Refactored the RegExpObject::matchGlobal() code so that there is less duplication. Took
1304         advantage of this to make the code more resilient in case of absurd situations: if the
1305         result array gets large, it proceeds with a dry run to detect how many matches there will
1306         be. This allows it to OOM before it starts swapping.
1307         
1308         This also improves the overall performance of the code by using lightweight substrings and
1309         skipping the whole intermediate argument array.
1310         
1311         This makes some jsfunfuzz tests run a lot faster and use a lot less memory.
1312         
1313         * builtins/RegExpPrototype.js:
1314         * CMakeLists.txt:
1315         * JavaScriptCore.xcodeproj/project.pbxproj:
1316         * runtime/MatchResult.cpp: Added.
1317         (JSC::MatchResult::dump):
1318         * runtime/MatchResult.h:
1319         (JSC::MatchResult::empty):
1320         (MatchResult::empty): Deleted.
1321         * runtime/RegExpObject.cpp:
1322         (JSC::RegExpObject::match):
1323         (JSC::collectMatches):
1324         (JSC::RegExpObject::matchGlobal):
1325         * runtime/StringObject.h:
1326         (JSC::jsStringWithReuse):
1327         (JSC::jsSubstring):
1328         * tests/stress/big-match.js: Added. Make sure that this optimization doesn't break big matches.
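The dry-run idea from this entry, as an added example that is not JavaScriptCore's code: a literal-substring search stands in for the regexp matcher, and the threshold and match limit are constructed parameters. Once the result passes the threshold, the remaining matches are counted before anything more is allocated, so an absurd result is refused (simulated OOM) instead of growing the array until the machine swaps.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// A "lightweight substring": offset and length into the subject rather than a
// copy, so recording a match costs no allocation of its own.
struct MatchSpan {
    size_t offset;
    size_t length;
};

struct GlobalMatchResult {
    bool outOfMemory = false;          // set when the dry run predicts an absurd result size
    std::vector<MatchSpan> matches;
};

// One step of a non-overlapping literal search; stands in for the regexp
// engine's per-match call. Returns false when the subject is exhausted.
static bool nextMatch(const std::string& subject, const std::string& needle,
                      size_t& pos, MatchSpan& out)
{
    if (needle.empty() || pos > subject.size())
        return false;
    size_t found = subject.find(needle, pos);
    if (found == std::string::npos)
        return false;
    out = { found, needle.size() };
    pos = found + needle.size();
    return true;
}

// Collect every match. Once the result reaches dryRunThreshold entries, stop
// appending, count the remaining matches in a dry run, and refuse (simulated
// OOM) if the final size would exceed maxMatches; otherwise reserve the exact
// size once and carry on. Both limits are constructed parameters for this
// example, not engine constants.
GlobalMatchResult matchGlobal(const std::string& subject, const std::string& needle,
                              size_t dryRunThreshold, size_t maxMatches)
{
    GlobalMatchResult result;
    size_t pos = 0;
    MatchSpan span { 0, 0 };
    while (nextMatch(subject, needle, pos, span)) {
        if (result.matches.size() == dryRunThreshold) {
            size_t remaining = 1;                  // the match we just found
            size_t dryPos = pos;
            MatchSpan ignored { 0, 0 };
            while (nextMatch(subject, needle, dryPos, ignored))
                ++remaining;                       // count only, no storage
            if (result.matches.size() + remaining > maxMatches) {
                result.outOfMemory = true;
                std::vector<MatchSpan>().swap(result.matches); // release what was built
                return result;
            }
            result.matches.reserve(result.matches.size() + remaining);
        }
        result.matches.push_back(span);
    }
    return result;
}
```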
1329
1330 2016-05-26  Gavin & Ellie Barraclough  <barraclough@apple.com>
1331
1332         Static table property lookup should not require getOwnPropertySlot override.
1333         https://bugs.webkit.org/show_bug.cgi?id=158059
1334
1335         Reviewed by Darin Adler.
1336
1337         Currently JSObject does not handle property lookup of entries in the static
1338         table. Each subclass with static properties must override getOwnPropertySlot,
1339         and explicitly call the lookup functions. This has the following drawbacks:
1340
1341         - Performance: for any class with static properties, property access becomes
1342           virtual (via method table).
1343         - Poor encapsulation: implementation detail of static property access is
1344           spread throughout & across projects, rather than being contained in JSObject.
1345         - Code size: this results in a great many additional functions.
1346         - Inconsistency: static table presence has to be taken into account in many
1347           other operations, e.g. presence of read-only properties for put.
1348         - Memory: in order to avoid the virtual lookup, DOM prototypes eagerly reify
1349           all properties. This is likely suboptimal.
1350
1351         Instead, JSObject::getPropertySlot / JSObject::getOwnPropertySlot should be
1352         able to handle static properties.
1353
1354         This is actually a fairly small & simple change.
1355
1356         The common pattern is for subclasses of JSObject to override getOwnPropertySlot
1357         to first defer to JSObject for property storage lookup, and only if this fails
1358         consult the static table. They just want the static tables to be consulted after
1359         regular property storage lookup. So just add a fast flag in TypeInfo for JSObject
1360         to check, and where it is set, do so. Then it's just a question of switching
1361         classes over to start setting this flag, and drop the override.
1362
1363         The new mechanism does change static table lookup order from oldest-ancestor
1364         first to most-derived first. The new ordering makes more sense (means derived
1365         class static tables can now override entries from parents), and shouldn't affect
1366         any existing code (since overriding didn't previously work, there likely aren't
1367         shadowing properties in more derived types).
1368
1369         This patch changes all classes in JavaScriptCore over to using the new mechanism,
1370         except JSGlobalObject. I'll move classes in WebCore over as a separate patch
1371         (this is also why I've not moved JSGlobalObject in this patch - doing so would
1372         move JSDOMWindow, and I'd rather handle that separately).
1373
1374         * runtime/JSTypeInfo.h:
1375         (JSC::TypeInfo::hasStaticPropertyTable):
1376             - Add HasStaticPropertyTable flag.
1377         * runtime/Lookup.cpp:
1378         (JSC::setUpStaticFunctionSlot):
1379             - Change setUpStaticFunctionSlot to take a VM&.
1380         * runtime/Lookup.h:
1381         (JSC::getStaticPropertySlotFromTable):
1382             - Added helper function to perform static lookup alone.
1383         (JSC::getStaticPropertySlot):
1384         (JSC::getStaticFunctionSlot):
1385             - setUpStaticFunctionSlot changed to take a VM&.
1386         * runtime/JSObject.cpp:
1387         (JSC::JSObject::getOwnStaticPropertySlot):
1388             - Added, walks ClassInfo chain looking for static properties.
1389         * runtime/JSObject.h:
1390         (JSC::JSObject::getOwnNonIndexPropertySlot):
1391             - getOwnNonIndexPropertySlot is used internally by getPropertySlot
1392               & getOwnPropertySlot. If property is not present in storage array
1393               then check the static table.
1394         * runtime/ArrayConstructor.cpp:
1395         (JSC::ArrayConstructor::finishCreation):
1396         (JSC::constructArrayWithSizeQuirk):
1397         (JSC::ArrayConstructor::getOwnPropertySlot): Deleted.
1398         * runtime/ArrayConstructor.h:
1399         (JSC::ArrayConstructor::create):
1400         * runtime/ArrayIteratorPrototype.cpp:
1401         (JSC::ArrayIteratorPrototype::finishCreation):
1402         (JSC::ArrayIteratorPrototype::getOwnPropertySlot): Deleted.
1403         * runtime/ArrayIteratorPrototype.h:
1404         (JSC::ArrayIteratorPrototype::create):
1405         (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype):
1406         * runtime/BooleanPrototype.cpp:
1407         (JSC::BooleanPrototype::finishCreation):
1408         (JSC::booleanProtoFuncToString):
1409         (JSC::BooleanPrototype::getOwnPropertySlot): Deleted.
1410         * runtime/BooleanPrototype.h:
1411         (JSC::BooleanPrototype::create):
1412         * runtime/DateConstructor.cpp:
1413         (JSC::DateConstructor::finishCreation):
1414         (JSC::millisecondsFromComponents):
1415         (JSC::DateConstructor::getOwnPropertySlot): Deleted.
1416         * runtime/DateConstructor.h:
1417         (JSC::DateConstructor::create):
1418         * runtime/DatePrototype.cpp:
1419         (JSC::DatePrototype::finishCreation):
1420         (JSC::dateProtoFuncToString):
1421         (JSC::DatePrototype::getOwnPropertySlot): Deleted.
1422         * runtime/DatePrototype.h:
1423         (JSC::DatePrototype::create):
1424         * runtime/ErrorPrototype.cpp:
1425         (JSC::ErrorPrototype::finishCreation):
1426         (JSC::ErrorPrototype::getOwnPropertySlot): Deleted.
1427         * runtime/ErrorPrototype.h:
1428         (JSC::ErrorPrototype::create):
1429         * runtime/GeneratorPrototype.cpp:
1430         (JSC::GeneratorPrototype::finishCreation):
1431         (JSC::GeneratorPrototype::getOwnPropertySlot): Deleted.
1432         * runtime/GeneratorPrototype.h:
1433         (JSC::GeneratorPrototype::create):
1434         (JSC::GeneratorPrototype::createStructure):
1435         (JSC::GeneratorPrototype::GeneratorPrototype):
1436         * runtime/InspectorInstrumentationObject.cpp:
1437         (JSC::InspectorInstrumentationObject::finishCreation):
1438         (JSC::InspectorInstrumentationObject::isEnabled):
1439         (JSC::InspectorInstrumentationObject::getOwnPropertySlot): Deleted.
1440         * runtime/InspectorInstrumentationObject.h:
1441         (JSC::InspectorInstrumentationObject::create):
1442         (JSC::InspectorInstrumentationObject::createStructure):
1443         * runtime/IntlCollatorConstructor.cpp:
1444         (JSC::IntlCollatorConstructor::getCallData):
1445         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1446         (JSC::IntlCollatorConstructor::getOwnPropertySlot): Deleted.
1447         * runtime/IntlCollatorConstructor.h:
1448         * runtime/IntlCollatorPrototype.cpp:
1449         (JSC::IntlCollatorPrototype::finishCreation):
1450         (JSC::IntlCollatorFuncCompare):
1451         (JSC::IntlCollatorPrototype::getOwnPropertySlot): Deleted.
1452         * runtime/IntlCollatorPrototype.h:
1453         * runtime/IntlDateTimeFormatConstructor.cpp:
1454         (JSC::IntlDateTimeFormatConstructor::getCallData):
1455         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1456         (JSC::IntlDateTimeFormatConstructor::getOwnPropertySlot): Deleted.
1457         * runtime/IntlDateTimeFormatConstructor.h:
1458         * runtime/IntlDateTimeFormatPrototype.cpp:
1459         (JSC::IntlDateTimeFormatPrototype::finishCreation):
1460         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1461         (JSC::IntlDateTimeFormatPrototype::getOwnPropertySlot): Deleted.
1462         * runtime/IntlDateTimeFormatPrototype.h:
1463         * runtime/IntlNumberFormatConstructor.cpp:
1464         (JSC::IntlNumberFormatConstructor::getCallData):
1465         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1466         (JSC::IntlNumberFormatConstructor::getOwnPropertySlot): Deleted.
1467         * runtime/IntlNumberFormatConstructor.h:
1468         * runtime/IntlNumberFormatPrototype.cpp:
1469         (JSC::IntlNumberFormatPrototype::finishCreation):
1470         (JSC::IntlNumberFormatFuncFormatNumber):
1471         (JSC::IntlNumberFormatPrototype::getOwnPropertySlot): Deleted.
1472         * runtime/IntlNumberFormatPrototype.h:
1473         * runtime/JSDataViewPrototype.cpp:
1474         (JSC::JSDataViewPrototype::createStructure):
1475         (JSC::getData):
1476         (JSC::JSDataViewPrototype::getOwnPropertySlot): Deleted.
1477         * runtime/JSDataViewPrototype.h:
1478         * runtime/JSInternalPromiseConstructor.cpp:
1479         (JSC::JSInternalPromiseConstructor::getCallData):
1480         (JSC::JSInternalPromiseConstructor::getOwnPropertySlot): Deleted.
1481         * runtime/JSInternalPromiseConstructor.h:
1482         * runtime/JSONObject.cpp:
1483         (JSC::Walker::Walker):
1484         (JSC::JSONObject::getOwnPropertySlot): Deleted.
1485         * runtime/JSONObject.h:
1486         (JSC::JSONObject::create):
1487         * runtime/JSPromiseConstructor.cpp:
1488         (JSC::JSPromiseConstructor::getCallData):
1489         (JSC::JSPromiseConstructor::getOwnPropertySlot): Deleted.
1490         * runtime/JSPromiseConstructor.h:
1491         * runtime/JSPromisePrototype.cpp:
1492         (JSC::JSPromisePrototype::addOwnInternalSlots):
1493         (JSC::JSPromisePrototype::getOwnPropertySlot): Deleted.
1494         * runtime/JSPromisePrototype.h:
1495         * runtime/MapPrototype.cpp:
1496         (JSC::MapPrototype::finishCreation):
1497         (JSC::getMap):
1498         (JSC::MapPrototype::getOwnPropertySlot): Deleted.
1499         * runtime/MapPrototype.h:
1500         (JSC::MapPrototype::create):
1501         (JSC::MapPrototype::MapPrototype):
1502         * runtime/ModuleLoaderObject.cpp:
1503         (JSC::ModuleLoaderObject::finishCreation):
1504         (JSC::printableModuleKey):
1505         (JSC::ModuleLoaderObject::getOwnPropertySlot): Deleted.
1506         * runtime/ModuleLoaderObject.h:
1507         * runtime/NumberPrototype.cpp:
1508         (JSC::NumberPrototype::finishCreation):
1509         (JSC::toThisNumber):
1510         (JSC::NumberPrototype::getOwnPropertySlot): Deleted.
1511         * runtime/NumberPrototype.h:
1512         (JSC::NumberPrototype::create):
1513         * runtime/ObjectConstructor.cpp:
1514         (JSC::ObjectConstructor::addDefineProperty):
1515         (JSC::constructObject):
1516         (JSC::ObjectConstructor::getOwnPropertySlot): Deleted.
1517         * runtime/ObjectConstructor.h:
1518         (JSC::ObjectConstructor::create):
1519         (JSC::ObjectConstructor::createStructure):
1520         * runtime/ReflectObject.cpp:
1521         (JSC::ReflectObject::finishCreation):
1522         (JSC::ReflectObject::getOwnPropertySlot): Deleted.
1523         * runtime/ReflectObject.h:
1524         (JSC::ReflectObject::create):
1525         (JSC::ReflectObject::createStructure):
1526         * runtime/RegExpConstructor.cpp:
1527         (JSC::RegExpConstructor::getRightContext):
1528         (JSC::regExpConstructorDollar):
1529         (JSC::RegExpConstructor::getOwnPropertySlot): Deleted.
1530         * runtime/RegExpConstructor.h:
1531         (JSC::RegExpConstructor::create):
1532         (JSC::RegExpConstructor::createStructure):
1533         * runtime/SetPrototype.cpp:
1534         (JSC::SetPrototype::finishCreation):
1535         (JSC::getSet):
1536         (JSC::SetPrototype::getOwnPropertySlot): Deleted.
1537         * runtime/SetPrototype.h:
1538         (JSC::SetPrototype::create):
1539         (JSC::SetPrototype::SetPrototype):
1540         * runtime/StringConstructor.cpp:
1541         (JSC::StringConstructor::finishCreation):
1542         (JSC::stringFromCharCodeSlowCase):
1543         (JSC::StringConstructor::getOwnPropertySlot): Deleted.
1544         * runtime/StringConstructor.h:
1545         (JSC::StringConstructor::create):
1546         * runtime/StringIteratorPrototype.cpp:
1547         (JSC::StringIteratorPrototype::finishCreation):
1548         (JSC::StringIteratorPrototype::getOwnPropertySlot): Deleted.
1549         * runtime/StringIteratorPrototype.h:
1550         (JSC::StringIteratorPrototype::create):
1551         (JSC::StringIteratorPrototype::StringIteratorPrototype):
1552         * runtime/StringPrototype.cpp:
1553         (JSC::StringPrototype::create):
1554         (JSC::substituteBackreferencesSlow):
1555         (JSC::StringPrototype::getOwnPropertySlot): Deleted.
1556         * runtime/StringPrototype.h:
1557         * runtime/SymbolConstructor.cpp:
1558         (JSC::SymbolConstructor::finishCreation):
1559         (JSC::callSymbol):
1560         (JSC::SymbolConstructor::getOwnPropertySlot): Deleted.
1561         * runtime/SymbolConstructor.h:
1562         (JSC::SymbolConstructor::create):
1563         * runtime/SymbolPrototype.cpp:
1564         (JSC::SymbolPrototype::finishCreation):
1565         (JSC::SymbolPrototype::getOwnPropertySlot): Deleted.
1566         * runtime/SymbolPrototype.h:
1567         (JSC::SymbolPrototype::create):
1568             - remove getOwnPropertySlot, replace OverridesGetOwnPropertySlot flag with HasStaticPropertyTable.
1569
1570 2016-05-26  Commit Queue  <commit-queue@webkit.org>
1571
1572         Unreviewed, rolling out r201436.
1573         https://bugs.webkit.org/show_bug.cgi?id=158143
1574
1575         Caused 30% regression on Dromaeo DOM core tests (Requested by
1576         rniwa on #webkit).
1577
1578         Reverted changeset:
1579
1580         "REGRESSION: JSBench spends a lot of time transitioning
1581         to/from dictionary"
1582         https://bugs.webkit.org/show_bug.cgi?id=158045
1583         http://trac.webkit.org/changeset/201436
1584
1585 2016-05-26  Geoffrey Garen  <ggaren@apple.com>
1586
1587         REGRESSION: JSBench spends a lot of time transitioning to/from dictionary
1588         https://bugs.webkit.org/show_bug.cgi?id=158045
1589
1590         Reviewed by Saam Barati.
1591
1592         15% speedup on jsbench-amazon-firefox, possibly 5% speedup overall on jsbench.
1593
1594         This regression seems to have two parts:
1595
1596         (1) Transitioning the window object to/from dictionary is more expensive
1597         than it used to be because the window object has lots more properties.
1598         The window object has more properties because, for WebIDL compatibility,
1599         we reify DOM APIs as properties when you delete.
1600
1601         (2) DOM prototypes transition to/from dictionary upon creation
1602         because, once again for WebIDL compatibility, we reify their static
1603         APIs eagerly.
1604
1605         The solution is to chill out a bit on dictionary transitions.
1606
1607         * bytecode/ObjectPropertyConditionSet.cpp: Don't flatten a dictionary
1608         if we've already done so before. This avoids pathological churn, and it
1609         is our idiom in other places.
1610
1611         * interpreter/Interpreter.cpp:
1612         (JSC::Interpreter::execute): Do flatten the global object unconditionally
1613         if it is an uncacheable dictionary because the global object is super
1614         important.
1615
1616         * runtime/BatchedTransitionOptimizer.h:
1617         (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1618         (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): Deleted.
1619         Don't transition away from dictionary after a batched set of property
1620         puts because normal dictionaries are cacheable and that's a perfectly
1621         fine state to be in -- and the transition is expensive.
1622
1623         * runtime/JSGlobalObject.cpp:
1624         (JSC::JSGlobalObject::init): Do start the global object out as a cacheable
1625         dictionary because it will inevitably have enough properties to become
1626         a dictionary.
1627
1628         * runtime/Operations.h:
1629         (JSC::normalizePrototypeChain): Same as ObjectPropertyConditionSet.cpp.
1630
1631 2016-05-25  Geoffrey Garen  <ggaren@apple.com>
1632
1633         replaceable own properties seem to ignore replacement after property caching
1634         https://bugs.webkit.org/show_bug.cgi?id=158091
1635
1636         Reviewed by Darin Adler.
1637
1638         * runtime/Lookup.h:
1639         (JSC::replaceStaticPropertySlot): New helper function for replacing a
1640         static property with a direct property. We need to do an attribute changed
1641         transition because client code might have cached our static property.
1642
1643 2016-05-25  Benjamin Poulain  <benjamin@webkit.org>
1644
1645         [JSC] RegExp with deeply nested subexpressions overflow the stack in Yarr
1646         https://bugs.webkit.org/show_bug.cgi?id=158011
1647         rdar://problem/25946592
1648
1649         Reviewed by Saam Barati.
1650
1651         When generating the meta-data required for compilation,
1652         Yarr uses a recursive function over the various expressions in the pattern.
1653
1654         If you have many nested expressions, you can run out of stack
1655         and crash the WebProcess.
1656         This patch changes that into a soft failure. The expression is just
1657         considered invalid.
1658
1659         * runtime/RegExp.cpp:
1660         (JSC::RegExp::finishCreation):
1661         (JSC::RegExp::compile):
1662         (JSC::RegExp::compileMatchOnly):
1663         * yarr/YarrPattern.cpp:
1664         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
1665         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
1666         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1667         (JSC::Yarr::YarrPattern::compile):
1668         (JSC::Yarr::YarrPattern::YarrPattern):
1669         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets): Deleted.
1670         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): Deleted.
1671         * yarr/YarrPattern.h:
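An added illustration of the soft failure described above, not Yarr's own code: a recursive walk over nested groups that checks a depth limit before every descent and returns an invalid-pattern status instead of overflowing the stack. The depth limit is an assumption standing in for whatever bound the real isSafeToRecurse() applies; the walker, its status enum and analyzePattern() are all hypothetical names.

```cpp
#include <cstddef>
#include <string>

// Outcome of pattern analysis. The nesting guard turns what would otherwise be
// a stack overflow on a hostile pattern into an ordinary "invalid pattern" result.
enum class PatternStatus { Ok, UnbalancedParens, TooDeeplyNested };

struct PatternStats {
    PatternStatus status = PatternStatus::Ok;
    size_t groups = 0;    // number of "(" groups seen
    size_t maxDepth = 0;  // deepest nesting level reached
};

class NestedGroupWalker {
public:
    // depthLimit is an assumed bound standing in for whatever stack check the
    // engine's isSafeToRecurse() performs; it is not a JavaScriptCore constant.
    NestedGroupWalker(const std::string& pattern, size_t depthLimit)
        : m_pattern(pattern), m_depthLimit(depthLimit) { }

    PatternStats walk()
    {
        PatternStats stats;
        size_t pos = 0;
        stats.status = walkGroup(pos, 0, stats);
        // A ')' that stopped the top-level walk has no matching '('.
        if (stats.status == PatternStatus::Ok && pos != m_pattern.size())
            stats.status = PatternStatus::UnbalancedParens;
        return stats;
    }

private:
    bool isSafeToRecurse(size_t nextDepth) const { return nextDepth < m_depthLimit; }

    // One frame per nesting level: the recursion depth is exactly what an
    // untrusted pattern controls, so it is checked before every descent.
    PatternStatus walkGroup(size_t& pos, size_t depth, PatternStats& stats)
    {
        if (depth > stats.maxDepth)
            stats.maxDepth = depth;
        while (pos < m_pattern.size()) {
            char c = m_pattern[pos];
            if (c == ')')
                return PatternStatus::Ok;                  // the caller consumes the ')'
            if (c == '(') {
                if (!isSafeToRecurse(depth + 1))
                    return PatternStatus::TooDeeplyNested; // soft failure, no crash
                ++pos;
                ++stats.groups;
                PatternStatus inner = walkGroup(pos, depth + 1, stats);
                if (inner != PatternStatus::Ok)
                    return inner;
                if (pos >= m_pattern.size() || m_pattern[pos] != ')')
                    return PatternStatus::UnbalancedParens;
                ++pos;
                continue;
            }
            if (c == '\\') {                               // escape: skip it and its operand
                ++pos;
                if (pos < m_pattern.size())
                    ++pos;
                continue;
            }
            ++pos;
        }
        return PatternStatus::Ok;
    }

    const std::string& m_pattern;
    size_t m_depthLimit;
};

// Convenience entry point: analyse one pattern under the given depth limit.
PatternStats analyzePattern(const std::string& pattern, size_t depthLimit)
{
    return NestedGroupWalker(pattern, depthLimit).walk();
}
```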
1672
1673 2016-05-25  Alex Christensen  <achristensen@webkit.org>
1674
1675         Fix Win64 build after r201335
1676         https://bugs.webkit.org/show_bug.cgi?id=158078
1677
1678         Reviewed by Mark Lam.
1679
1680         * offlineasm/x86.rb:
1681         Add intel implementations for loadbs and loadhs
1682
1683 2016-05-25  Carlos Garcia Campos  <cgarcia@igalia.com>
1684
1685         REGRESSION(r201066): [GTK] Several intl tests started to fail in GTK+ bot after r201066
1686         https://bugs.webkit.org/show_bug.cgi?id=158066
1687
1688         Reviewed by Darin Adler.
1689
1690         run-javascriptcore-tests does $ENV{LANG}="en_US.UTF-8"; but we are not actually honoring the environment
1691         variables at all when using jsc binary. We are using setlocale() with a nullptr locale to get the current one, but
1692         the current one is always "C", because to set the locale according to the environment variables we need to call
1693         setlocale with an empty string as locale. That's done by gtk_init(), which is called by all our binaries (web
1694         process, network process, etc.), but not by jsc (because jsc doesn't depend on GTK+). The reason why it has
1695         always worked for EFL is because they call ecore_init() in jsc that calls setlocale.
1696
1697         * jsc.cpp:
1698         (main): Call setlocale(LC_ALL, "") on GTK+.
1699
1700 2016-05-25  Csaba Osztrogonác  <ossy@webkit.org>
1701
1702         [ARM] Fix the Wcast-align warning in LinkBuffer.cpp
1703         https://bugs.webkit.org/show_bug.cgi?id=157889
1704
1705         Reviewed by Darin Adler.
1706
1707         * assembler/LinkBuffer.cpp:
1708         (JSC::recordLinkOffsets):
1709
1710 2016-05-24  Keith Miller  <keith_miller@apple.com>
1711
1712         TypedArray.prototype.slice should not throw if no arguments are provided
1713         https://bugs.webkit.org/show_bug.cgi?id=158044
1714         <rdar://problem/26433280>
1715
1716         Reviewed by Geoffrey Garen.
1717
1718         We were throwing an exception if the TypedArray.prototype.slice function
1719         was not provided arguments. This was wrong. Instead we should just assume
1720         the first argument was 0.
1721
1722         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1723         (JSC::genericTypedArrayViewProtoFuncSlice): Deleted.
1724         * tests/stress/typedarray-slice.js:
1725
1726 2016-05-24  Keith Miller  <keith_miller@apple.com>
1727
1728         LLInt should be able to cache prototype loads for values in GetById
1729         https://bugs.webkit.org/show_bug.cgi?id=158032
1730
1731         Reviewed by Filip Pizlo.
1732
1733         This patch adds prototype value caching to the LLInt for op_get_by_id.
1734         Two previously unused words in the op_get_by_id bytecode have been
1735         repurposed to hold extra information for the cache. The first is a
1736         counter that records the number of get_by_ids that hit a cacheable value
1737         on a prototype. When the counter is decremented from one to zero we
1738         attempt to cache the prototype load, which will be discussed further
1739         below. The second word is used to hold the prototype object when we have
1740         started caching.
1741
1742         When the counter is decremented to zero we first attempt to generate and
1743         watch the property conditions needed to ensure the validity of prototype
1744         load. If the watchpoints are successfully created and installed we
1745         replace the op_get_by_id opcode with the new op_get_by_id_proto_load
1746         opcode, which tells the LLInt to use the cached prototype object for the
1747         load rather than the base value.
1748
1749         Prior to this patch there was no LLInt-specific data on CodeBlocks.
1750         Since the CodeBlock needs to own the Watchpoints for the cache, a weak
1751         map from each base structure to a bag of Watchpoints created for that
1752         structure by some op_get_by_id has been added to the CodeBlock. During
1753         GC, if we find that a structure in the map has not been marked we
1754         free the associated bag on the CodeBlock.
1755
1756         * JavaScriptCore.xcodeproj/project.pbxproj:
1757         * bytecode/BytecodeList.json:
1758         * bytecode/BytecodeUseDef.h:
1759         (JSC::computeUsesForBytecodeOffset):
1760         (JSC::computeDefsForBytecodeOffset):
1761         * bytecode/CodeBlock.cpp:
1762         (JSC::CodeBlock::printGetByIdOp):
1763         (JSC::CodeBlock::printGetByIdCacheStatus):
1764         (JSC::CodeBlock::dumpBytecode):
1765         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1766         * bytecode/CodeBlock.h:
1767         (JSC::CodeBlock::llintGetByIdWatchpointMap):
1768         (JSC::clearLLIntGetByIdCache):
1769         * bytecode/GetByIdStatus.cpp:
1770         (JSC::GetByIdStatus::computeFromLLInt):
1771         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Added.
1772         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
1773         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
1774         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1775         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Added.
1776         * bytecode/ObjectPropertyConditionSet.cpp:
1777         (JSC::ObjectPropertyConditionSet::isValidAndWatchable):
1778         * bytecode/ObjectPropertyConditionSet.h:
1779         * bytecompiler/BytecodeGenerator.cpp:
1780         (JSC::BytecodeGenerator::emitGetById):
1781         * dfg/DFGByteCodeParser.cpp:
1782         (JSC::DFG::ByteCodeParser::parseBlock):
1783         * dfg/DFGCapabilities.cpp:
1784         (JSC::DFG::capabilityLevel):
1785         * jit/JIT.cpp:
1786         (JSC::JIT::privateCompileMainPass):
1787         (JSC::JIT::privateCompileSlowCases):
1788         * llint/LLIntSlowPaths.cpp:
1789         (JSC::LLInt::setupGetByIdPrototypeCache):
1790         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1791         * llint/LLIntSlowPaths.h:
1792         * llint/LowLevelInterpreter32_64.asm:
1793         * llint/LowLevelInterpreter64.asm:
1794         * runtime/Options.h:
1795         * tests/stress/llint-get-by-id-cache-prototype-load-from-dictionary.js: Added.
1796         (test):
1797
1798 2016-05-24  Keith Miller  <keith_miller@apple.com>
1799
1800         We should be able to use the sampling profiler with DRT/WTR.
1801         https://bugs.webkit.org/show_bug.cgi?id=158041
1802
1803         Reviewed by Saam Barati.
1804
1805         This patch makes the sampling profiler use a new option, samplingProfilerPath, which
1806         specifies the path to a directory to output sampling profiler data when the program
1807         terminates or the VM is destroyed. Additionally, it fixes some other issues with the
1808         bytecode profiler that would cause crashes on debug builds.
1809
1810         * profiler/ProfilerDatabase.cpp:
1811         (JSC::Profiler::Database::ensureBytecodesFor):
1812         (JSC::Profiler::Database::performAtExitSave):
1813         * runtime/Options.h:
1814         * runtime/SamplingProfiler.cpp:
1815         (JSC::SamplingProfiler::registerForReportAtExit):
1816         (JSC::SamplingProfiler::reportDataToOptionFile):
1817         (JSC::SamplingProfiler::reportTopFunctions):
1818         (JSC::SamplingProfiler::reportTopBytecodes):
1819         * runtime/SamplingProfiler.h:
1820         * runtime/VM.cpp:
1821         (JSC::VM::VM):
1822         (JSC::VM::~VM):
1823
1824 2016-05-24  Saam barati  <sbarati@apple.com>
1825
1826         We can cache lookups to JSScope::abstractResolve inside CodeBlock::finishCreation
1827         https://bugs.webkit.org/show_bug.cgi?id=158036
1828
1829         Reviewed by Geoffrey Garen.
1830
1831         This patch implements a 1 item cache for JSScope::abstractResolve. I also tried
1832         implementing the cache as a HashMap, but it seemed either less profitable on some
1833         benchmarks or just as profitable on others. Therefore, it's cleaner to just
1834         use a 1 item cache.
1835
1836         * bytecode/CodeBlock.cpp:
1837         (JSC::CodeBlock::CodeBlock):
1838         (JSC::AbstractResolveKey::AbstractResolveKey):
1839         (JSC::AbstractResolveKey::operator==):
1840         (JSC::AbstractResolveKey::isEmptyValue):
1841         (JSC::CodeBlock::finishCreation):
1842         * runtime/GetPutInfo.h:
1843         (JSC::needsVarInjectionChecks):
1844         (JSC::ResolveOp::ResolveOp):
1845
1846 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
1847
1848         Unreviewed, add a comment to describe the test's failure mode. Suggested by mlam.
1849
1850         * tests/stress/override-map-constructor.js:
1851         (Map):
1852
1853 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
1854
1855         Map should not be in JSGlobalObject's static hashtable because it's initialized eagerly via FOR_EACH_SIMPLE_BUILTIN_TYPE_WITH_CONSTRUCTOR
1856         https://bugs.webkit.org/show_bug.cgi?id=158031
1857         rdar://problem/26353661
1858
1859         Reviewed by Geoffrey Garen.
1860         
1861         We were listing Map as being a lazy class structure. It's not. m_mapStructure is a WriteBarrier<>
1862         not a LazyClassStructure<> and there is nothing lazy about it.
1863
1864         * runtime/JSGlobalObject.cpp: The fix is to remove Map here.
1865         * runtime/Lookup.cpp: Add some dumping on the assert path.
1866         (JSC::setUpStaticFunctionSlot):
1867         * tests/stress/override-map-constructor.js: Added. This test used to crash.
1868         (Map):
1869
1870 2016-05-24  Filip Pizlo  <fpizlo@apple.com>
1871
1872         LLInt64 should have typed array fast paths for get_by_val
1873         https://bugs.webkit.org/show_bug.cgi?id=157931
1874
1875         Reviewed by Keith Miller.
1876
1877         I think that the LLInt should be able to access typed arrays more quickly than it does now.
1878         Ideally we would have fast paths for every major typed array operation and we would use
1879         inline cache optimizations. I don't want to do this all in one go, so my plan is to
1880         incrementally add support for this as time allows.
1881         
1882         This change just adds the easy typed array fast paths for get_by_val in the 64-bit version
1883         of LLInt.
1884         
1885         Another bug, https://bugs.webkit.org/show_bug.cgi?id=157922, tracks the overall task of
1886         adding all typed array fast paths to both versions of the LLInt.
1887         
1888         This is a 30% speed-up on typed array benchmarks in LLInt. This is not a speed-up when the
1889         JITs are enabled.
1890
1891         * llint/LLIntData.cpp:
1892         (JSC::LLInt::Data::performAssertions):
1893         * llint/LLIntOffsetsExtractor.cpp:
1894         * llint/LowLevelInterpreter.asm:
1895         * llint/LowLevelInterpreter64.asm:
1896         * offlineasm/backends.rb:
1897         * runtime/JSArrayBufferView.h:
1898         * runtime/JSType.h:
1899
1900 2016-05-24  Saam barati  <sbarati@apple.com> and Yusuke Suzuki <utatane.tea@gmail.com>
1901
1902         ThisTDZMode is no longer needed
1903         https://bugs.webkit.org/show_bug.cgi?id=157209
1904
1905         Reviewed by Saam Barati.
1906
1907         ThisTDZMode is no longer needed because we have ConstructorKind
1908         and DerivedContextType. The value of ThisTDZMode is strictly less
1909         expressive than the combination of those two values. We were
1910         using those values anyways, and this patch just makes it official
1911         by removing ThisTDZMode.
1912
1913         This patch also cleans up caching keys. We extract SourceCodeFlags
1914         from SourceCodeKey and use it in EvalCodeCache. It correctly
1915         contains needed cache attributes: EvalContextType, DerivedContextType,
1916         etc. Here, we still use specialized keys for EvalCodeCache instead
1917         of SourceCodeKey for performance; it does not include name String and
1918         does not allocate SourceCode.
1919
1920         * bytecode/EvalCodeCache.h:
1921         (JSC::EvalCodeCache::CacheKey::CacheKey):
1922         (JSC::EvalCodeCache::CacheKey::operator==):
1923         (JSC::EvalCodeCache::CacheKey::Hash::equal):
1924         (JSC::EvalCodeCache::tryGet):
1925         (JSC::EvalCodeCache::getSlow):
1926         * bytecompiler/NodesCodegen.cpp:
1927         (JSC::ThisNode::emitBytecode): Deleted.
1928         * debugger/DebuggerCallFrame.cpp:
1929         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1930         * interpreter/Interpreter.cpp:
1931         (JSC::eval):
1932         * parser/ASTBuilder.h:
1933         (JSC::ASTBuilder::createThisExpr):
1934         * parser/NodeConstructors.h:
1935         (JSC::ThisNode::ThisNode):
1936         * parser/Nodes.h:
1937         * parser/Parser.cpp:
1938         (JSC::Parser<LexerType>::Parser):
1939         (JSC::Parser<LexerType>::parsePrimaryExpression):
1940         * parser/Parser.h:
1941         (JSC::parse):
1942         * parser/ParserModes.h:
1943         * parser/SourceCodeKey.h:
1944         (JSC::SourceCodeFlags::SourceCodeFlags):
1945         (JSC::SourceCodeFlags::operator==):
1946         (JSC::SourceCodeKey::SourceCodeKey):
1947         (JSC::SourceCodeKey::Hash::hash):
1948         (JSC::SourceCodeKey::Hash::equal):
1949         (JSC::SourceCodeKey::HashTraits::isEmptyValue):
1950         (JSC::SourceCodeKeyHash::hash): Deleted.
1951         (JSC::SourceCodeKeyHash::equal): Deleted.
1952         (JSC::SourceCodeKeyHashTraits::isEmptyValue): Deleted.
1953         * parser/SyntaxChecker.h:
1954         (JSC::SyntaxChecker::createThisExpr):
1955         * runtime/CodeCache.cpp:
1956         (JSC::CodeCache::getGlobalCodeBlock):
1957         (JSC::CodeCache::getProgramCodeBlock):
1958         (JSC::CodeCache::getEvalCodeBlock):
1959         (JSC::CodeCache::getModuleProgramCodeBlock):
1960         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1961         * runtime/CodeCache.h:
1962         * runtime/Executable.cpp:
1963         (JSC::EvalExecutable::create):
1964         * runtime/Executable.h:
1965         * runtime/JSGlobalObject.cpp:
1966         (JSC::JSGlobalObject::createEvalCodeBlock):
1967         * runtime/JSGlobalObject.h:
1968         * runtime/JSGlobalObjectFunctions.cpp:
1969         (JSC::globalFuncEval):
1970         * tests/stress/code-cache-incorrect-caching.js: Added.
1971         (shouldBe):
1972         (hello):
1973         (catch):
1974         (shouldBe.test.hello):
1975         (globalEval.ok):
1976         (global.hello.hello):
1977
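Added example, not part of the WebKit ChangeLog or of JavaScriptCore's own tests: the entry above says the eval code cache must key on the context eval runs in (DerivedContextType, EvalContextType and so on), not only on the source text. The same source string, `"this"`, behaves differently depending on the caller: inside a derived-class constructor before `super()` it is a TDZ read and must throw, afterwards and in an ordinary function it yields the receiver. A cache that handed the first compiled code block to every caller would get one of these wrong. The helper name `evalThisIn` and its context labels are assumptions made for this example.

```javascript
// Added example (not from the WebKit ChangeLog or JavaScriptCore's tests).
// Direct-evals the identical source text, "this", in three different contexts
// and reports what happens. An eval code cache keyed on source text alone
// could not tell these callers apart.
function evalThisIn(context) {
  const source = 'this'; // identical source text for every caller

  if (context === 'derived-before-super') {
    class Base {}
    class Derived extends Base {
      constructor() {
        // `this` is in its temporal dead zone until super() returns, so the
        // eval'd read must throw a ReferenceError rather than return a value.
        const seen = eval(source);
        super();
        this.seen = seen;
      }
    }
    try {
      new Derived();
      return 'no-error';
    } catch (e) {
      return e.constructor.name; // expected: 'ReferenceError'
    }
  }

  if (context === 'derived-after-super') {
    class Base {}
    class Derived extends Base {
      constructor() {
        super();
        this.seen = eval(source); // `this` is initialized: the new instance
      }
    }
    return typeof new Derived().seen; // expected: 'object'
  }

  // Ordinary (non-derived) function: `this` is whatever the caller supplied.
  return typeof (function () { return eval(source); }).call({ tag: 'receiver' });
}
```

Each branch compiles the same eval source, so a cache key that omitted the derived-constructor flag would let the second or third caller reuse code compiled for the first.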
1978 2016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1979
1980         Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
1981         https://bugs.webkit.org/show_bug.cgi?id=157080
1982
1983         Reviewed by Saam Barati.
1984
1985         In custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
1986         In this patch, we add a new parameter, "slotBase". This represents the base value offering
1987         this custom getter. And use it in ProxyObject's performGet custom accessor getter.
1988
1989         * API/JSCallbackObject.h:
1990         * API/JSCallbackObjectFunctions.h:
1991         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1992         (JSC::JSCallbackObject<Parent>::callbackGetter):
1993         * bytecode/PolymorphicAccess.cpp:
1994         (JSC::AccessCase::generateImpl):
1995         In the PolymorphicAccess case, the thisValue and the slotBase are always cells.
1996         This is because IC is enabled in the case that the base value is a cell.
1997         And slotBase is always on the prototype chain from this base value.
1998
1999         * jit/CCallHelpers.h:
2000         (JSC::CCallHelpers::setupArgumentsWithExecState):
2001         * jsc.cpp:
2002         (WTF::CustomGetter::customGetter):
2003         (WTF::RuntimeArray::lengthGetter):
2004         * runtime/CustomGetterSetter.cpp:
2005         (JSC::callCustomSetter):
2006         * runtime/JSBoundSlotBaseFunction.cpp:
2007         (JSC::boundSlotBaseFunctionCall):
2008         * runtime/JSFunction.cpp:
2009         (JSC::JSFunction::argumentsGetter):
2010         (JSC::JSFunction::callerGetter):
2011         * runtime/JSFunction.h:
2012         * runtime/JSModuleNamespaceObject.cpp:
2013         (JSC::callbackGetter):
2014         * runtime/PropertySlot.cpp:
2015         (JSC::PropertySlot::customGetter):
2016         * runtime/PropertySlot.h:
2017         * runtime/ProxyObject.cpp:
2018         (JSC::performProxyGet):
2019         * runtime/RegExpConstructor.cpp:
2020         (JSC::regExpConstructorDollar):
2021         (JSC::regExpConstructorInput):
2022         (JSC::regExpConstructorMultiline):
2023         (JSC::regExpConstructorLastMatch):
2024         (JSC::regExpConstructorLastParen):
2025         (JSC::regExpConstructorLeftContext):
2026         (JSC::regExpConstructorRightContext):
2027         (JSC::regExpConstructorDollar1): Deleted.
2028         (JSC::regExpConstructorDollar2): Deleted.
2029         (JSC::regExpConstructorDollar3): Deleted.
2030         (JSC::regExpConstructorDollar4): Deleted.
2031         (JSC::regExpConstructorDollar5): Deleted.
2032         (JSC::regExpConstructorDollar6): Deleted.
2033         (JSC::regExpConstructorDollar7): Deleted.
2034         (JSC::regExpConstructorDollar8): Deleted.
2035         (JSC::regExpConstructorDollar9): Deleted.
2036         * tests/stress/proxy-get-with-primitive-receiver.js: Added.
2037         (shouldBe):
2038
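Added example, not part of the WebKit ChangeLog or of JavaScriptCore's own tests: the entry above distinguishes the receiver a custom getter is called with ("thisValue", which `Reflect.get` lets the caller choose freely, even a primitive) from the object that actually provides the getter ("slotBase", here the Proxy). The snippet below makes that difference observable from script. The helper name `probeProxyReceiver` and the constructed target object are assumptions made for this example.

```javascript
// Added example (not from the WebKit ChangeLog or JavaScriptCore's tests).
// A Proxy `get` trap receives the target, the key and the receiver that
// [[Get]] was invoked with. With Reflect.get the receiver is whatever the
// caller passed and may be a primitive, while the object that owns the trap
// (the "slotBase" of the entry above) is the proxy itself.
function probeProxyReceiver(explicitReceiver) {
  const seen = {};
  // Constructed target: a strict-mode getter reports the type of its `this`.
  const target = { get x() { 'use strict'; return typeof this; } };
  const proxy = new Proxy(target, {
    get(t, key, receiver) {
      seen.key = String(key);
      seen.receiverType = typeof receiver;
      seen.receiverIsProxy = receiver === proxy;
      // Forward with the same receiver so the getter's `this` is the receiver,
      // not the target and not the proxy.
      return Reflect.get(t, key, receiver);
    }
  });
  const value = arguments.length === 0
    ? Reflect.get(proxy, 'x')                    // receiver defaults to the proxy
    : Reflect.get(proxy, 'x', explicitReceiver); // receiver is whatever was passed
  return { value, ...seen };
}
```

With no explicit receiver the getter runs with the proxy as `this`; with `42` as receiver it runs with a number as `this`, which is exactly the case the entry says the engine's custom-getter plumbing must tolerate.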
2039 2016-05-23  Geoffrey Garen  <ggaren@apple.com>
2040
2041         REGRESSION (196374): deleting a global property is expensive
2042         https://bugs.webkit.org/show_bug.cgi?id=158005
2043
2044         Reviewed by Chris Dumez.
2045
2046         * runtime/JSObject.cpp:
2047         (JSC::JSObject::deleteProperty): We only need to reify static properties
2048         if the name being deleted matches a static property. Otherwise, we can
2049         be sure that delete won't observe any static properties.
2050
2051 2016-05-23  Saam barati  <sbarati@apple.com>
2052
2053         The baseline JIT crashes when compiling "(1,1)/1"
2054         https://bugs.webkit.org/show_bug.cgi?id=157933
2055
2056         Reviewed by Benjamin Poulain.
2057
2058         op_div in the baseline JIT needed to better handle when both the lhs
2059         and rhs are constants. It needs to make sure to load either the lhs or
2060         the rhs into a register since the div generator can't handle both
2061         the lhs and rhs being constants.
2062
2063         * jit/JITArithmetic.cpp:
2064         (JSC::JIT::emit_op_div):
2065         * tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js: Added.
2066         (assert):
2067         (test):
2068
2069 2016-05-23  Saam barati  <sbarati@apple.com>
2070
2071         String templates don't handle let initialization properly inside eval
2072         https://bugs.webkit.org/show_bug.cgi?id=157991
2073
2074         Reviewed by Oliver Hunt.
2075
2076         The fix is to make sure we emit TDZ checks. 
2077
2078         * bytecompiler/NodesCodegen.cpp:
2079         (JSC::TaggedTemplateNode::emitBytecode):
2080         * tests/stress/tagged-template-tdz.js: Added.
2081         (shouldThrowTDZ):
2082         (test):
2083
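Added example, not part of the WebKit ChangeLog or of JavaScriptCore's own tests: the entry above says a tagged template must emit the same TDZ check as any other read of a `let` binding, including when the code arrives through eval. The helper below runs a snippet that uses a `let`-declared tag before its declaration, once through direct eval and once through indirect eval, and reports whether the tagged template raised the ReferenceError the spec requires. The helper name `runTaggedTemplate` and the two constructed snippets are assumptions made for this example.

```javascript
// Added example (not from the WebKit ChangeLog or JavaScriptCore's tests).
// Evaluates `source` either as a direct eval (which sees this function's
// scope) or an indirect eval (which runs at global scope) and reports whether
// it threw. `let` declarations inside eval code are scoped to that eval, so
// the helper can be called repeatedly with the same snippet.
function runTaggedTemplate(source, mode) {
  try {
    const value = mode === 'direct'
      ? eval(source)        // direct eval
      : (0, eval)(source);  // indirect eval
    return { threw: false, value };
  } catch (e) {
    return { threw: true, error: e.constructor.name };
  }
}

// Constructed inputs. In the first, the tag is read while `tag` is still in
// its temporal dead zone; in the second, the declaration comes first.
const TAG_BEFORE_LET = 'tag`hi`; let tag = (strings) => strings[0];';
const TAG_AFTER_LET  = 'let tag = (strings) => strings[0]; tag`hi`;';
```

Both eval flavours must throw `ReferenceError` for the first snippet and return `'hi'` for the second; an engine that skipped the TDZ check for tagged templates would instead call `undefined` as the tag or read a stale value.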
2084 2016-05-22  Saam barati  <sbarati@apple.com>
2085
2086         Unreviewed. Fixed debug assertion failures from r201235.
2087
2088         * runtime/JSScope.cpp:
2089         (JSC::abstractAccess):
2090
2091 2016-05-22  Brady Eidson  <beidson@apple.com>
2092
2093         Attempted Yosemite build fix after http://trac.webkit.org/changeset/201255
2094
2095         Suggested by and reviewed by Anders Carlsson.
2096
2097         * b3/B3CCallValue.h: Initialize the effects member more conventionally.
2098
2099 2016-05-22  Brady Eidson  <beidson@apple.com>
2100
2101         Move to C++14.
2102         https://bugs.webkit.org/show_bug.cgi?id=157948
2103
2104         Reviewed by Michael Catanzaro.
2105
2106         * Configurations/Base.xcconfig:
2107
2108 2016-05-22  Saam barati  <sbarati@apple.com>
2109
2110         REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
2111         https://bugs.webkit.org/show_bug.cgi?id=157968
2112         <rdar://problem/26404735>
2113
2114         Reviewed by Ryosuke Niwa and Filip Pizlo.
2115
2116         There was a bug in the DFG where we were checking a condition
2117         on the wrong variable.
2118
2119         * dfg/DFGStrengthReductionPhase.cpp:
2120         (JSC::DFG::StrengthReductionPhase::handleNode):
2121
2122 2016-05-22  Chris Dumez  <cdumez@apple.com>
2123
2124         Remove uses of PassRefPtr in JS bindings code
2125         https://bugs.webkit.org/show_bug.cgi?id=157949
2126
2127         Reviewed by Andreas Kling.
2128
2129         Remove uses of PassRefPtr in JS bindings code.
2130
2131         * runtime/JSGlobalObject.cpp:
2132         (JSC::JSGlobalObject::queueMicrotask):
2133         * runtime/JSGlobalObject.h:
2134
2135 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
2136
2137         Remove LegacyProfiler
2138         https://bugs.webkit.org/show_bug.cgi?id=153565
2139
2140         Reviewed by Mark Lam.
2141
2142         JavaScriptCore now provides a sampling profiler and it is enabled
2143         by all ports. Web Inspector switched months ago to using the
2144         sampling profiler and displaying its data. Remove the legacy
2145         profiler, as it is no longer being used by anything other than
2146         console.profile and tests. We will update console.profile's
2147         behavior soon to have new behavior and use the sampling data.
2148
2149         * API/JSProfilerPrivate.cpp: Removed.
2150         * API/JSProfilerPrivate.h: Removed.
2151         * CMakeLists.txt:
2152         * JavaScriptCore.xcodeproj/project.pbxproj:
2153         * bytecode/BytecodeList.json:
2154         * bytecode/BytecodeUseDef.h:
2155         (JSC::computeUsesForBytecodeOffset): Deleted.
2156         (JSC::computeDefsForBytecodeOffset): Deleted.
2157         * bytecode/CodeBlock.cpp:
2158         (JSC::CodeBlock::dumpBytecode): Deleted.
2159         * bytecode/UnlinkedFunctionExecutable.cpp:
2160         (JSC::generateUnlinkedFunctionCodeBlock):
2161         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2162         * bytecode/UnlinkedFunctionExecutable.h:
2163         * bytecompiler/BytecodeGenerator.cpp:
2164         (JSC::BytecodeGenerator::BytecodeGenerator):
2165         (JSC::BytecodeGenerator::emitCall):
2166         (JSC::BytecodeGenerator::emitCallVarargs):
2167         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
2168         (JSC::BytecodeGenerator::emitConstructVarargs):
2169         (JSC::BytecodeGenerator::emitConstruct):
2170         * bytecompiler/BytecodeGenerator.h:
2171         (JSC::CallArguments::profileHookRegister): Deleted.
2172         (JSC::BytecodeGenerator::shouldEmitProfileHooks): Deleted.
2173         * bytecompiler/NodesCodegen.cpp:
2174         (JSC::CallFunctionCallDotNode::emitBytecode):
2175         (JSC::ApplyFunctionCallDotNode::emitBytecode):
2176         (JSC::CallArguments::CallArguments): Deleted.
2177         * dfg/DFGAbstractInterpreterInlines.h:
2178         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
2179         * dfg/DFGByteCodeParser.cpp:
2180         (JSC::DFG::ByteCodeParser::parseBlock): Deleted.
2181         * dfg/DFGCapabilities.cpp:
2182         (JSC::DFG::capabilityLevel): Deleted.
2183         * dfg/DFGClobberize.h:
2184         (JSC::DFG::clobberize): Deleted.
2185         * dfg/DFGDoesGC.cpp:
2186         (JSC::DFG::doesGC): Deleted.
2187         * dfg/DFGFixupPhase.cpp:
2188         (JSC::DFG::FixupPhase::fixupNode): Deleted.
2189         * dfg/DFGNodeType.h:
2190         * dfg/DFGPredictionPropagationPhase.cpp:
2191         * dfg/DFGSafeToExecute.h:
2192         (JSC::DFG::safeToExecute): Deleted.
2193         * dfg/DFGSpeculativeJIT32_64.cpp:
2194         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2195         * dfg/DFGSpeculativeJIT64.cpp:
2196         (JSC::DFG::SpeculativeJIT::compile): Deleted.
2197         * inspector/InjectedScriptBase.cpp:
2198         (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
2199         * interpreter/Interpreter.cpp:
2200         (JSC::UnwindFunctor::operator()): Deleted.
2201         (JSC::Interpreter::execute): Deleted.
2202         (JSC::Interpreter::executeCall): Deleted.
2203         (JSC::Interpreter::executeConstruct): Deleted.
2204         * jit/JIT.cpp:
2205         (JSC::JIT::privateCompileMainPass): Deleted.
2206         * jit/JIT.h:
2207         * jit/JITOpcodes.cpp:
2208         (JSC::JIT::emit_op_profile_will_call): Deleted.
2209         (JSC::JIT::emit_op_profile_did_call): Deleted.
2210         * jit/JITOpcodes32_64.cpp:
2211         (JSC::JIT::emit_op_profile_will_call): Deleted.
2212         (JSC::JIT::emit_op_profile_did_call): Deleted.
2213         * jit/JITOperations.cpp:
2214         * jit/JITOperations.h:
2215         * llint/LLIntSlowPaths.cpp:
2216         (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
2217         * llint/LLIntSlowPaths.h:
2218         * llint/LowLevelInterpreter.asm:
2219         * parser/ParserModes.h:
2220         * profiler/CallIdentifier.h: Removed.
2221         * profiler/LegacyProfiler.cpp: Removed.
2222         * profiler/LegacyProfiler.h: Removed.
2223         * profiler/Profile.cpp: Removed.
2224         * profiler/Profile.h: Removed.
2225         * profiler/ProfileGenerator.cpp: Removed.
2226         * profiler/ProfileGenerator.h: Removed.
2227         * profiler/ProfileNode.cpp: Removed.
2228         * profiler/ProfileNode.h: Removed.
2229         * profiler/ProfilerJettisonReason.cpp:
2230         (WTF::printInternal): Deleted.
2231         * profiler/ProfilerJettisonReason.h:
2232         * runtime/CodeCache.cpp:
2233         (JSC::CodeCache::getGlobalCodeBlock):
2234         (JSC::CodeCache::getProgramCodeBlock):
2235         (JSC::CodeCache::getEvalCodeBlock):
2236         (JSC::CodeCache::getModuleProgramCodeBlock):
2237         * runtime/CodeCache.h:
2238         * runtime/Executable.cpp:
2239         (JSC::ScriptExecutable::newCodeBlockFor):
2240         * runtime/JSGlobalObject.cpp:
2241         (JSC::JSGlobalObject::createProgramCodeBlock):
2242         (JSC::JSGlobalObject::createEvalCodeBlock):
2243         (JSC::JSGlobalObject::createModuleProgramCodeBlock):
2244         (JSC::JSGlobalObject::~JSGlobalObject): Deleted.
2245         (JSC::JSGlobalObject::hasLegacyProfiler): Deleted.
2246         * runtime/JSGlobalObject.h:
2247         * runtime/Options.h:
2248         * runtime/VM.cpp:
2249         (JSC::VM::VM): Deleted.
2250         (JSC::SetEnabledProfilerFunctor::operator()): Deleted.
2251         (JSC::VM::setEnabledProfiler): Deleted.
2252         * runtime/VM.h:
2253         (JSC::VM::enabledProfiler): Deleted.
2254         (JSC::VM::enabledProfilerAddress): Deleted.
2255
2256 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
2257
2258         Remove LegacyProfiler
2259         https://bugs.webkit.org/show_bug.cgi?id=153565
2260
2261         Reviewed by Saam Barati.
2262
2263         * inspector/protocol/Timeline.json:
2264         * jsc.cpp:
2265         * runtime/JSGlobalObject.cpp:
2266         (JSC::JSGlobalObject::hasLegacyProfiler):
2267         * runtime/JSGlobalObject.h:
2268         (JSC::JSGlobalObject::supportsLegacyProfiling): Deleted.
2269
2270 2016-05-20  Saam barati  <sbarati@apple.com>
2271
2272         JSScope::abstractAccess doesn't need to copy the SymbolTableEntry, it can use it by reference
2273         https://bugs.webkit.org/show_bug.cgi?id=157956
2274
2275         Reviewed by Geoffrey Garen.
2276
2277         A SymbolTableEntry may be a FatEntry. Copying a FatEntry is slow because we have to
2278         malloc memory for it, then free the malloced memory once the entry goes out of
2279         scope. abstractAccess uses a SymbolTableEntry temporarily when performing scope
2280         accesses during bytecode linking. It copies out the SymbolTableEntry every time
2281         it does a SymbolTable lookup. This is not cheap when the entry happens to be a
2282         FatEntry. We should really just be using a reference to the entry because
2283         there is no need to copy it in such a scenario.
2284
2285         * runtime/JSScope.cpp:
2286         (JSC::abstractAccess):
2287
2288 2016-05-20  Joseph Pecoraro  <pecoraro@apple.com>
2289
2290         Web Inspector: retained size for typed arrays does not count native backing store
2291         https://bugs.webkit.org/show_bug.cgi?id=157945
2292         <rdar://problem/26392238>
2293
2294         Reviewed by Geoffrey Garen.
2295
2296         * runtime/JSArrayBuffer.h:
2297         * runtime/JSArrayBuffer.cpp:
2298         (JSC::JSArrayBuffer::estimatedSize):
2299         Include an estimatedSize implementation for JSArrayBuffer.
2300         ArrayBuffer has a unique path, different from other data
2301         stored in the Heap.
2302
2303         * tests/heapProfiler/typed-array-sizes.js: Added.
2304         Test sizes of TypedArray with and without an ArrayBuffer.
2305         When the TypedArray is a view wrapping an ArrayBuffer, the
2306         ArrayBuffer has the size.
2307
2308 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
2309
2310         reifyAllStaticProperties makes two copies of every string
2311         https://bugs.webkit.org/show_bug.cgi?id=157953
2312
2313         Reviewed by Mark Lam.
2314
2315         Let's not do that.
2316
2317         * runtime/JSObject.cpp:
2318         (JSC::JSObject::reifyAllStaticProperties): Pass our Identifier to
2319         reifyStaticProperty so it doesn't have to make its own.
2320
2321         * runtime/Lookup.h:
2322         (JSC::reifyStaticProperty): No need to null check because callers never
2323         pass null anymore. No need to make an identifier because callers pass
2324         us one.
2325
2326         (JSC::reifyStaticProperties): Honor new interface.
2327
2328 2016-05-20  Geoffrey Garen  <ggaren@apple.com>
2329
2330         JSBench regression: CodeBlock linking always copies the symbol table
2331         https://bugs.webkit.org/show_bug.cgi?id=157951
2332
2333         Reviewed by Saam Barati.
2334
2335         We always put a SymbolTable into the constant pool, even in simple
2336         functions in which it won't be used -- i.e., there's no eval and there
2337         are no captured variables and so on.
2338
2339         This is costly because linking must copy any provided symbol tables.
2340
2341         * bytecompiler/BytecodeGenerator.cpp:
2342         (JSC::BytecodeGenerator::BytecodeGenerator):
2343         (JSC::BytecodeGenerator::emitProfileType): Only add the symbol table
2344         as a constant if we will use it at runtime.
2345
2346 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
2347
2348         [JSC] Improve int->float conversion in FTL
2349         https://bugs.webkit.org/show_bug.cgi?id=157936
2350
2351         Reviewed by Filip Pizlo.
2352
2353         The integer -> floating point lowering was very bare-bones.
2354
2355         For example, converting a constant integer to double
2356         was doing:
2357             mov #const, %eax
2358             xor %xmm0, %xmm0
2359             cvtsi2sd %eax, %xmm0
2360
2361         Conversion from integer to float was also missing.
2362         We were always converting to double then rounding the double
2363         to float.
2364
2365         This patch adds the basics:
2366         -Constant folding.
2367         -Integer to Float opcode.
2368         -Reducing int->double to int->float when used by DoubleToFloat.
2369
2370         * assembler/MacroAssemblerX86Common.h:
2371         (JSC::MacroAssemblerX86Common::convertInt32ToFloat):
2372         * assembler/MacroAssemblerX86_64.h:
2373         (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
2374         (JSC::MacroAssemblerX86_64::convertInt64ToFloat):
2375         * assembler/X86Assembler.h:
2376         (JSC::X86Assembler::cvtsi2ss_rr):
2377         (JSC::X86Assembler::cvtsi2ssq_rr):
2378         (JSC::X86Assembler::cvtsi2sdq_mr):
2379         (JSC::X86Assembler::cvtsi2ssq_mr):
2380         (JSC::X86Assembler::cvtsi2ss_mr):
2381         * assembler/MacroAssemblerARM64.h:
2382         * b3/B3Const32Value.cpp:
2383         (JSC::B3::Const32Value::iToDConstant):
2384         (JSC::B3::Const32Value::iToFConstant):
2385         * b3/B3Const32Value.h:
2386         * b3/B3Const64Value.cpp:
2387         (JSC::B3::Const64Value::iToDConstant):
2388         (JSC::B3::Const64Value::iToFConstant):
2389         * b3/B3Const64Value.h:
2390         * b3/B3LowerToAir.cpp:
2391         (JSC::B3::Air::LowerToAir::lower):
2392         * b3/B3Opcode.cpp:
2393         (WTF::printInternal):
2394         * b3/B3Opcode.h:
2395         * b3/B3ReduceDoubleToFloat.cpp:
2396         * b3/B3ReduceStrength.cpp:
2397         * b3/B3Validate.cpp:
2398         * b3/B3Value.cpp:
2399         (JSC::B3::Value::iToDConstant):
2400         (JSC::B3::Value::iToFConstant):
2401         (JSC::B3::Value::isRounded):
2402         (JSC::B3::Value::effects):
2403         (JSC::B3::Value::key):
2404         (JSC::B3::Value::typeFor):
2405         * b3/B3Value.h:
2406         * b3/B3ValueKey.cpp:
2407         (JSC::B3::ValueKey::materialize):
2408         * b3/air/AirFixPartialRegisterStalls.cpp:
2409         * b3/air/AirOpcode.opcodes:
2410         * b3/testb3.cpp:
2411         (JSC::B3::int64Operands):
2412         (JSC::B3::testIToD64Arg):
2413         (JSC::B3::testIToF64Arg):
2414         (JSC::B3::testIToD32Arg):
2415         (JSC::B3::testIToF32Arg):
2416         (JSC::B3::testIToD64Mem):
2417         (JSC::B3::testIToF64Mem):
2418         (JSC::B3::testIToD32Mem):
2419         (JSC::B3::testIToF32Mem):
2420         (JSC::B3::testIToD64Imm):
2421         (JSC::B3::testIToF64Imm):
2422         (JSC::B3::testIToD32Imm):
2423         (JSC::B3::testIToF32Imm):
2424         (JSC::B3::testIToDReducedToIToF64Arg):
2425         (JSC::B3::testIToDReducedToIToF32Arg):
2426         (JSC::B3::run):
2427
2428 2016-05-19  Benjamin Poulain  <bpoulain@apple.com>
2429
2430         [JSC] FTL can crash on stack overflow
2431         https://bugs.webkit.org/show_bug.cgi?id=157881
2432         rdar://problem/24665964
2433
2434         Reviewed by Michael Saboff.
2435
2436         The VM's m_largestFTLStackSize was never set anywhere (updateFTLLargestStackSize()
2437         was never called). We forgot to change that when implementing B3.
2438
2439         Even when it is set, we still have a problem on OSR Exit.
2440         If the last frame is a FTL frame and it OSR Exits, the space required for
2441         that frame becomes significantly larger. What happens is we crash in the OSR Exit
2442         instead of the FTL frame (this is what happens in rdar://problem/24665964).
2443
2444         This patch changes the stack boundary checks in FTL to be the same as DFG:
2445         we verify that we have enough space for the current optimized function but
2446         also for the baseline version (including inlining) in case of exit.
2447
2448         * ftl/FTLLowerDFGToB3.cpp:
2449         (JSC::FTL::DFG::LowerDFGToB3::lower):
2450         (JSC::FTL::DFG::LowerDFGToB3::didOverflowStack): Deleted.
2451         * runtime/VM.cpp:
2452         (JSC::VM::VM): Deleted.
2453         (JSC::VM::updateStackLimit): Deleted.
2454         (JSC::VM::updateFTLLargestStackSize): Deleted.
2455         * runtime/VM.h:
2456         (JSC::VM::addressOfFTLStackLimit): Deleted.
2457
2458 2016-05-18  Filip Pizlo  <fpizlo@apple.com>
2459
2460         DFG::LICMPhase shouldn't hoist type checks unless it knows that the check will succeed at the loop pre-header
2461         https://bugs.webkit.org/show_bug.cgi?id=144527
2462
2463         Reviewed by Saam Barati.
2464         
2465         This adds a control flow equivalence analysis (called ControlEquivalenceAnalysis) based on
2466         dominator analysis over the backwards CFG. Two basic blocks are control flow equivalent if
2467         the execution of one implies that the other one must also execute. It means that the two
2468         blocks' forward and backward dominance are reciprocated: (A dom B and B backdom A) or (B dom
2469         A and A backdom B). LICM now uses it to become more conservative about hoisting checks, if
2470         this has caused problems in the past. If we hoist something that may exit from a block that
2471         was not control equivalent to the pre-header then it's possible that the node's speculation
2472         will fail even though it wouldn't have if it wasn't hoisted. So, we flag these nodes'
2473         origins as being "wasHoisted" and we track all of their exits as "HoistingFailed". LICM will
2474         turn off such speculative hoisting if the CodeBlock from which we are hoisting had the
2475         HoistingFailed exit kind.
2476         
2477         Note that this deliberately still allows us to hoist things that may exit even if they are
2478         not control equivalent to the pre-header. This is necessary because the profitability of
2479         hoisting is so huge in all of the cases that we're aware of that it's worth giving it a
2480         shot.
2481         
2482         This is neutral on macrobenchmarks since none of the benchmarks we track have a hoistable
2483         operation that would exit only if hoisted. I added microbenchmarks to illustrate the problem
2484         and two of them speed up by ~40% while one of them is neutral (Int52 saves us from having
2485         problems on that program even though LICM previously did the wrong thing).
2486
2487         * JavaScriptCore.xcodeproj/project.pbxproj:
2488         * bytecode/ExitKind.cpp:
2489         (JSC::exitKindToString):
2490         * bytecode/ExitKind.h:
2491         * dfg/DFGAtTailAbstractState.h:
2492         (JSC::DFG::AtTailAbstractState::operator bool):
2493         (JSC::DFG::AtTailAbstractState::initializeTo):
2494         * dfg/DFGBackwardsCFG.h: Added.
2495         (JSC::DFG::BackwardsCFG::BackwardsCFG):
2496         * dfg/DFGBackwardsDominators.h: Added.
2497         (JSC::DFG::BackwardsDominators::BackwardsDominators):
2498         * dfg/DFGCommon.h:
2499         (JSC::DFG::checkAndSet): Deleted.
2500         * dfg/DFGControlEquivalenceAnalysis.h: Added.
2501         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
2502         (JSC::DFG::ControlEquivalenceAnalysis::dominatesEquivalently):
2503         (JSC::DFG::ControlEquivalenceAnalysis::areEquivalent):
2504         * dfg/DFGGraph.cpp:
2505         (JSC::DFG::Graph::dump):
2506         (JSC::DFG::Graph::dumpBlockHeader):
2507         (JSC::DFG::Graph::invalidateCFG):
2508         (JSC::DFG::Graph::substituteGetLocal):
2509         (JSC::DFG::Graph::handleAssertionFailure):
2510         (JSC::DFG::Graph::ensureDominators):
2511         (JSC::DFG::Graph::ensurePrePostNumbering):
2512         (JSC::DFG::Graph::ensureNaturalLoops):
2513         (JSC::DFG::Graph::ensureBackwardsCFG):
2514         (JSC::DFG::Graph::ensureBackwardsDominators):
2515         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
2516         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2517         * dfg/DFGGraph.h:
2518         (JSC::DFG::Graph::hasDebuggerEnabled):
2519         * dfg/DFGInPlaceAbstractState.h:
2520         (JSC::DFG::InPlaceAbstractState::operator bool):
2521         (JSC::DFG::InPlaceAbstractState::createValueForNode):
2522         (JSC::DFG::InPlaceAbstractState::forNode):
2523         * dfg/DFGLICMPhase.cpp:
2524         (JSC::DFG::LICMPhase::run):
2525         (JSC::DFG::LICMPhase::attemptHoist):
2526         * dfg/DFGMayExit.cpp:
2527         (JSC::DFG::mayExit):
2528         * dfg/DFGMayExit.h:
2529         * dfg/DFGNode.h:
2530         * dfg/DFGNodeOrigin.cpp:
2531         (JSC::DFG::NodeOrigin::dump):
2532         * dfg/DFGNodeOrigin.h:
2533         (JSC::DFG::NodeOrigin::takeValidExit):
2534         (JSC::DFG::NodeOrigin::withWasHoisted):
2535         (JSC::DFG::NodeOrigin::forInsertingAfter):
2536         * dfg/DFGNullAbstractState.h: Added.
2537         (JSC::DFG::NullAbstractState::NullAbstractState):
2538         (JSC::DFG::NullAbstractState::operator bool):
2539         (JSC::DFG::NullAbstractState::forNode):
2540         * dfg/DFGOSRExit.cpp:
2541         (JSC::DFG::OSRExit::OSRExit):
2542         * dfg/DFGOSRExitBase.cpp:
2543         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
2544         * dfg/DFGOSRExitBase.h:
2545         (JSC::DFG::OSRExitBase::OSRExitBase):
2546         * dfg/DFGTypeCheckHoistingPhase.cpp:
2547         (JSC::DFG::TypeCheckHoistingPhase::run):
2548         * ftl/FTLOSRExit.cpp:
2549         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
2550         (JSC::FTL::OSRExit::OSRExit):
2551         * ftl/FTLOSRExit.h:
2552
2553 2016-05-19  Mark Lam  <mark.lam@apple.com>
2554
2555         Code that null checks the VM pointer before any use should ref the VM.
2556         https://bugs.webkit.org/show_bug.cgi?id=157864
2557
2558         Reviewed by Filip Pizlo and Keith Miller.
2559
2560         JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
2561         through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
2562         after their null checks.
2563
2564         * bytecode/CodeBlock.h:
2565         (JSC::CodeBlock::vm):
2566         (JSC::CodeBlock::setVM): Deleted.
2567         - Not used, and suggests that it can be changed during the lifetime of the
2568           CodeBlock (which should not be).
2569
2570         * heap/HeapTimer.cpp:
2571         (JSC::HeapTimer::timerDidFire):
2572         * runtime/JSLock.cpp:
2573         (JSC::JSLock::willReleaseLock):
2574         - Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
2575           the raw VM pointer.  This makes the null check a strong guarantee that the
2576           VM pointer is valid while these functions are using it.
2577
2578 2016-05-19  Saam barati  <sbarati@apple.com>
2579
2580         arrow function lexical environment should reuse the same environment as the function's lexical environment where possible
2581         https://bugs.webkit.org/show_bug.cgi?id=157908
2582
2583         Reviewed by Filip Pizlo.
2584
2585         We can safely combine these two environments when we have
2586         a simple parameter list (no default parameters, no destructuring parameters).
2587
2588         * bytecompiler/BytecodeGenerator.cpp:
2589         (JSC::BytecodeGenerator::BytecodeGenerator):
2590         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2591         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2592         * bytecompiler/BytecodeGenerator.h:
2593
2594 2016-05-19  Michael Saboff  <msaboff@apple.com>
2595
2596         Unreviewed build fix.
2597
2598         Skipping this new test as it times out on the bots.
2599
2600         Issue tracked in https://bugs.webkit.org/show_bug.cgi?id=157903
2601
2602         * tests/stress/regress-157595.js:
2603         (MyRegExp):
2604
2605 2016-05-19  Guillaume Emont  <guijemont@igalia.com>
2606
2607         JSC: DFG::SpeculativeJIT::compile special case for MIPS for PutByValWithThis
2608         https://bugs.webkit.org/show_bug.cgi?id=157741
2609
2610         Reviewed by Saam Barati.
2611
2612         The PutByValWithThis case needs a special case for MIPS because we
2613         don't have enough registers. The special case needs to be different
2614         from the x86 one because we have a different ABI.
2615
2616         * dfg/DFGSpeculativeJIT32_64.cpp:
2617         (JSC::DFG::SpeculativeJIT::compile):
2618
2619 2016-05-19  Brian Burg  <bburg@apple.com>
2620
2621         Web Inspector: use a consistent prefix for injected scripts
2622         https://bugs.webkit.org/show_bug.cgi?id=157715
2623         <rdar://problem/26287188>
2624
2625         Reviewed by Timothy Hatcher.
2626
2627         * CMakeLists.txt:
2628         * DerivedSources.make:
2629         * inspector/InjectedScriptSource.js:
2630
2631 2016-05-19  Csaba Osztrogonác  <ossy@webkit.org>
2632
2633         [ARM] Remove redefined macro after r200606
2634         https://bugs.webkit.org/show_bug.cgi?id=157890
2635
2636         Reviewed by Michael Saboff.
2637
2638         * bytecode/PolymorphicAccess.cpp:
2639         * jit/CCallHelpers.h:
2640
2641 2016-05-18  Saam barati  <sbarati@apple.com>
2642
2643         Function with default parameter values that are arrow functions that capture this isn't working
2644         https://bugs.webkit.org/show_bug.cgi?id=157786
2645         <rdar://problem/26327329>
2646
2647         Reviewed by Geoffrey Garen.
2648
2649         To make the scopes ordered properly, I needed to initialize the arrow 
2650         function lexical environment before initializing default parameter values.
2651         I also made the code easier to reason about by never reusing the function's
2652         var lexical environment for the arrow function lexical environment. The
2653         reason for this is that that code was wrong, and we just didn't have code
2654         that properly tested it. It was easy for that code to be wrong because
2655         sometimes the function's lexical environment isn't the top-most scope
2656         (namely, when a function's parameter list is non-simple) and sometimes
2657         it is (when the function's parameter list is simple).
2658
2659         Also, because a function's default parameter values may capture the
2660         'arguments' variable inside an arrow function, I needed to take care
2661         to initialize the 'arguments' variable as part of whichever scope
2662         is the top-most scope. It's either the function's var environment
2663         if the parameter list is simple, or it's the function's parameter
2664         environment if the parameter list is non-simple.
2665
2666         * bytecompiler/BytecodeGenerator.cpp:
2667         (JSC::BytecodeGenerator::BytecodeGenerator):
2668         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
2669         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
2670         (JSC::BytecodeGenerator::initializeParameters):
2671         (JSC::BytecodeGenerator::initializeVarLexicalEnvironment):
2672         (JSC::BytecodeGenerator::visibleNameForParameter):
2673         * bytecompiler/BytecodeGenerator.h:
2674         * tests/stress/arrow-functions-as-default-parameter-values.js: Added.
2675         (assert):
2676         (test):
2677         (test.foo):
2678         * tests/stress/op-push-name-scope-crashes-profiler.js:
2679         (test):
2680
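The following is an added example illustrating the scoping rules the entry above describes. It is not part of the JSC patch or its stress test, and the function names in it (bodyVarIsInvisibleToDefaults, shadowedParameter, thisAndArgumentsInDefaults) are made up for illustration.

```javascript
// Added example, not JSC code: how default parameter values interact with
// the function body's `var` scope, `this`, and `arguments`. All function
// names here are made up for illustration.

// A non-simple parameter list (one with defaults) gets its own parameter
// environment. The body's vars live in a separate, inner var environment,
// so an arrow closed over during default evaluation cannot see them.
function bodyVarIsInvisibleToDefaults() {
  function f(getX = () => x) {
    var x = "from body"; // lives in the var environment, below the parameter scope
    return getX();
  }
  try {
    f();
    return "resolved";
  } catch (e) {
    return e.name; // "ReferenceError": `x` resolves outward, past the body
  }
}

// A body-level `var` that shadows a parameter starts as a copy of the
// parameter, so reassigning it does not affect what the default's arrow sees.
function shadowedParameter(value) {
  function g(a, getA = () => a) {
    var a = "shadowed in body";
    return [a, getA()];
  }
  return g(value); // ["shadowed in body", value]
}

// `this` and `arguments` must already be bound in the top-most scope when
// the defaults run, because an arrow default may capture either of them.
function thisAndArgumentsInDefaults() {
  function h(getThis = () => this, argCount = () => arguments.length) {
    return { sameThis: getThis() === this, argCount: argCount() };
  }
  const receiver = { h };
  const noArgs = receiver.h();                            // both defaults used
  const threeArgs = receiver.h(undefined, undefined, 7);  // defaults still used; arguments.length is 3
  return [noArgs.sameThis, noArgs.argCount, threeArgs.sameThis, threeArgs.argCount];
}
```

The second function is the case that makes the scope ordering matter: the body's `var a` and the parameter `a` captured by the default are two different bindings, which is only possible if the parameter environment sits above the function's var environment.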
2681 2016-05-18  Michael Saboff  <msaboff@apple.com>
2682
2683         r199812 broke test262
2684         https://bugs.webkit.org/show_bug.cgi?id=157595
2685
2686         Reviewed by Filip Pizlo.
2687
2688         Added a reasonable limit to the size of the match result array to catch possible
2689         infinite loops when matching.
2690         Added a new test that creates an infinite loop in RegExp.prototype.[Symbol.match]
2691         by creating a subclass of RegExp where the base RegExp's global flag is false and
2692         the subclass overrides .global with a getter that always returns true.
2693
2694         * builtins/RegExpPrototype.js:
2695         (match):
2696         * tests/stress/regress-157595.js: Added.
2697         (MyRegExp):
2698         (MyRegExp.prototype.get global):
2699         (test):
2700         (catch):
2701
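The following is an added example, not JSC's builtin or its stress test: a simplified model of the global branch of RegExp.prototype[Symbol.match] with the kind of result-size limit the entry above describes, run against a constructed RegExp subclass whose `global` getter lies. The function names (matchWithLimit, describeMatch, LyingRegExp) and the cap value MAX_MATCH_RESULTS are assumptions made for the example.

```javascript
// Added example, not JavaScriptCore's builtin. The cap value is an assumption.
const MAX_MATCH_RESULTS = 1000;

// Simplified model of the spec's RegExp.prototype[@@match] algorithm.
function matchWithLimit(rx, str, limit = MAX_MATCH_RESULTS) {
  const S = String(str);
  // The spec reads the observable `global` property (a getter that a subclass
  // can override), not the flag the regexp was actually compiled with.
  if (!rx.global) {
    return rx.exec(S);
  }
  rx.lastIndex = 0;
  const results = [];
  for (;;) {
    const result = rx.exec(S);
    if (result === null) {
      return results.length === 0 ? null : results;
    }
    const matchStr = String(result[0]);
    results.push(matchStr);
    if (matchStr === "") {
      // Step past an empty match so a genuine global regexp still terminates.
      // (The spec's AdvanceStringIndex also handles surrogate pairs; omitted here.)
      rx.lastIndex = rx.lastIndex + 1;
    }
    // The guard from the fix: a non-global exec never advances and never
    // returns null, so without a bound this loop would never end.
    if (results.length > limit) {
      throw new RangeError("match result array exceeded " + limit + " entries");
    }
  }
}

// Constructed subclass with the shape of the regress-157595 test: the base
// regexp is compiled without the g flag, but `global` reports true.
class LyingRegExp extends RegExp {
  get global() { return true; }
}

// Summarises the outcome of matchWithLimit without exposing the loop.
function describeMatch(rx, str, limit) {
  try {
    const r = matchWithLimit(rx, str, limit);
    return r === null ? "no match" : r.length + " match(es)";
  } catch (e) {
    return e instanceof RangeError ? "capped" : "error: " + e.message;
  }
}
```

Only matchWithLimit is ever applied to the lying subclass here; handing it to the engine's own String.prototype.match would exercise the unbounded loop, which is exactly the condition the limit exists to stop.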
2702 2016-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2703
2704         [ES6] Namespace object re-export should be handled as local export
2705         https://bugs.webkit.org/show_bug.cgi?id=157806
2706
2707         Reviewed by Mark Lam.
2708
2709         We align the implementation of ExportEntry to the spec; remove Type::Namespace.
2710         This Type::Namespace is used for re-exported namespace object binding. For example,
2711
2712             import * as namespace from "namespace.js"
2713             export { namespace }
2714
2715         In the above case, we used ExportEntry(Type::Namespace). In this patch, we drop this
2716         and use normal local export (Type::Local) instead because the namespace object actually has
2717         the local binding in the above module environment. And this handling strictly meets the
2718         spec (Sec 15.2.1.16.1 step 11-a-ii-2-b).
2719
2720         And we also clean up the ExportEntry implementation; dropping unnecessary information.
2721         This change fixes the test262/test/language/module-code/instn-star-equality.js crash.
2722
2723         * parser/ModuleAnalyzer.cpp:
2724         (JSC::ModuleAnalyzer::exportVariable):
2725         * runtime/JSModuleRecord.cpp:
2726         (JSC::getExportedNames):
2727         (JSC::JSModuleRecord::dump): Deleted.
2728         * runtime/JSModuleRecord.h:
2729         * tests/modules/namespace-re-export.js: Added.
2730         * tests/modules/namespace-re-export/namespace-re-export-fixture.js: Added.
2731         * tests/modules/namespace-re-export/namespace-re-export.js: Added.
2732         * tests/modules/resources/assert.js:
2733         (export.shouldNotBe):
2734
2735 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
2736
2737         JSC should detect the right default locale even when it's not embedded in WebCore
2738         https://bugs.webkit.org/show_bug.cgi?id=157755
2739         rdar://problem/24665424
2740
2741         Reviewed by Keith Miller.
2742         
2743         This makes JSC try to use WTF's platform user preferred language detection if the DOM did
2744         not register a defaultLanguage callback. The result is that when JSC runs standalone it
2745         will detect the platform user preferred language almost the same way as when it's embedded
2746         in WebCore. The only difference is that WebCore may have its own additional overrides via
2747         the WK API. But in the absence of overrides, WebCore uses the same WTF logic that JSC falls
2748         back to.
2749         
2750         We first found this bug because on iOS, the intl tests would fail because ICU would report
2751         a somewhat bogus locale on that platform. Prior to this change, standalone JSC would fall
2752         back to ICU's locale detection. It turns out that the ICU default locale is also bogus on
2753         OS X, just less so. For example, setting things to Poland did not result in the jsc shell
2754         printing dates Polish-style. Now it will print them Polish-style if your system preferences
2755         say so. Also, the tests don't fail on iOS anymore.
2756         
2757         * runtime/IntlObject.cpp:
2758         (JSC::defaultLocale):
2759
2760 2016-05-17  Dean Jackson  <dino@apple.com>
2761
2762         Remove ES6_GENERATORS flag
2763         https://bugs.webkit.org/show_bug.cgi?id=157815
2764         <rdar://problem/26332894>
2765
2766         Reviewed by Geoffrey Garen.
2767
2768         This flag isn't needed. Generators are enabled everywhere and
2769         part of a stable specification.
2770
2771         * Configurations/FeatureDefines.xcconfig:
2772         * parser/Parser.cpp:
2773         (JSC::Parser<LexerType>::parseFunctionDeclaration): Deleted.
2774         (JSC::Parser<LexerType>::parseClass): Deleted.
2775         (JSC::Parser<LexerType>::parseExportDeclaration): Deleted.
2776         (JSC::Parser<LexerType>::parseAssignmentExpression): Deleted.
2777         (JSC::Parser<LexerType>::parseProperty): Deleted.
2778         (JSC::Parser<LexerType>::parseFunctionExpression): Deleted.
2779
2780 2016-05-17  Keith Miller  <keith_miller@apple.com>
2781
2782         Rollout r200426 since it causes PLT regressions.
2783         https://bugs.webkit.org/show_bug.cgi?id=157812
2784
2785         Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.
2786
2787 2016-05-17  Keith Miller  <keith_miller@apple.com>
2788
2789         Add test262 harness support code
2790         https://bugs.webkit.org/show_bug.cgi?id=157797
2791
2792         Reviewed by Filip Pizlo.
2793
2794         This patch adds some new tooling needed to run Test262 with the jsc
2795         CLI. There were three options that needed to be added for Test262:
2796
2797         1) "--test262-async" This option overrides the print function in the test runner to look for
2798         'Test262:AsyncTestComplete' instead of printing the passed text. If test262-async mode is on
2799         and that string is not passed then the test is marked as failing.
2800
2801         2) "--strict-file=<file>" This option appends `"use strict";\n` to the beginning of the
2802         passed file before passing the source code to the VM. This option can, in theory, be passed
2803         multiple times.
2804
2805         3) "--exception=<name>" This option asserts that at the end of the last script file passed
2806         the VM has an uncaught exception with its name property equal to the passed name.
2807
2808         * jsc.cpp:
2809         (Script::Script):
2810         (fillBufferWithContentsOfFile):
2811         (functionPrint):
2812         (checkUncaughtException):
2813         (runWithScripts):
2814         (printUsageStatement):
2815         (CommandLine::parseArguments):
2816         (runJSC):
2817
2818 2016-05-17  Filip Pizlo  <fpizlo@apple.com>
2819
2820         WTF should know about Language
2821         https://bugs.webkit.org/show_bug.cgi?id=157756
2822
2823         Reviewed by Geoffrey Garen.
2824
2825         Teach our scripts that an ObjC class beginning with WTF is totally cool.
2826
2827         * JavaScriptCore.xcodeproj/project.pbxproj:
2828
2829 2016-05-17  Joseph Pecoraro  <pecoraro@apple.com>
2830
2831         console namespace breaks putting properties on console.__proto__
2832         https://bugs.webkit.org/show_bug.cgi?id=157782
2833         <rdar://problem/26250526>
2834
2835         Reviewed by Geoffrey Garen.
2836
2837         Some websites currently depend on console.__proto__ existing and being
2838         a separate object from Object.prototype. This patch adds back a basic
2839         console.__proto__ object, but all the console functions are left on
2840         the ConsoleObject itself.
2841
2842         * runtime/JSGlobalObject.cpp:
2843         (JSC::createConsoleProperty):
2844
2845 2016-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2846
2847         Unreviewed, dump more information when math-pow-stable-results.js failed
2848         https://bugs.webkit.org/show_bug.cgi?id=157168
2849
2850         * tests/stress/math-pow-stable-results.js:
2851
2852 2016-05-16  Saam barati  <sbarati@apple.com>
2853
2854         ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
2855         https://bugs.webkit.org/show_bug.cgi?id=157770
2856
2857         Reviewed by Filip Pizlo.
2858
2859         ShadowChicken was reading the scope from a half formed
2860         frame as it threw a stack overflow exception. The frame had
2861         a valid CodeBlock pointer, but it did not have a valid scope.
2862         The code in ShadowChicken's throw packet logging mechanism didn't
2863         account for this. The fix is to respect whether genericUnwind wants
2864         to unwind from the current frame or the caller's frame. For stack
2865         overflow errors, we always unwind the caller's frame.
2866
2867         * jit/JITExceptions.cpp:
2868         (JSC::genericUnwind):
2869
2870 2016-05-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2871
2872         REGRESSION(r200208): It made 2 JSC stress tests fail on x86
2873         https://bugs.webkit.org/show_bug.cgi?id=157168
2874
2875         Reviewed by Benjamin Poulain.
2876
2877         The fast path in operationMathPow produces different results between x87 and the other environments.
2878         This is because x87 calculates the double value in 80bit precision.
2879         The situation is the following: in x86 32bit environment, floating point operations are compiled to
2880         x87 operations by default even if we can use SSE2. But in DFG environment, we aggressively use SSE2
2881         if the cpuid reports SSE2 is available. As a result, the implementations differ between C runtime
2882         and DFG JIT code. The C runtime uses x87 while DFG JIT code uses SSE2. This causes a precision
2883         problem since x87 has 80bit precision while SSE2 has 64bit precision.
2884
2885         In this patch, in x86 32bit environment, we use `volatile double` if the `-mfpmath=sse and -msse2 (or later)`
2886         is not specified. This will round the x87 value into 64bit per multiplying. Note that this problem does not
2887         occur in OS X clang 32bit environment. This is because `-mfpmath=sse` is enabled by default in OS X clang 32bit.
2888
2889         * b3/B3MathExtras.cpp:
2890         (JSC::B3::powDoubleInt32):
2891         * runtime/MathCommon.cpp:
2892         (JSC::operationMathPow):
2893
2894 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
2895
2896         [JSC] "return this" in a constructor does not need a branch on isObject(this)
2897         https://bugs.webkit.org/show_bug.cgi?id=157775
2898
2899         Reviewed by Saam Barati and Ryosuke Niwa.
2900
2901         When returning "this" in a constructor, the bytecode generator was generating:
2902             is_object         locX, this
2903             jtrue             locX, 5(->second ret)
2904             ret               this
2905             ret               this
2906
2907         That code is eliminated in DFG but it is pretty costly in lower tiers.
2908
2909         This patch changes bytecode generation to avoid the is_object test
2910         when possible and not generate two ret if they encode the same thing.
2911
2912         * bytecompiler/BytecodeGenerator.cpp:
2913         (JSC::BytecodeGenerator::emitReturn):
2914
2915 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
2916
2917         [JSC] Remove the index check from op_get_by_val/op_put_by_val when the index is constant
2918         https://bugs.webkit.org/show_bug.cgi?id=157766
2919
2920         Reviewed by Geoffrey Garen.
2921
2922         If the index is an integer constant, do not generate the index check.
2923
2924         * jit/JITPropertyAccess.cpp:
2925         (JSC::JIT::emit_op_get_by_val):
2926         (JSC::JIT::emitSlow_op_get_by_val):
2927         (JSC::JIT::emit_op_put_by_val):
2928         (JSC::JIT::emitSlow_op_put_by_val):
2929
2930 2016-05-16  Benjamin Poulain  <bpoulain@apple.com>
2931
2932         [JSC][DFG] Fill spilled Int32 as Int32 instead of JSInt32
2933         https://bugs.webkit.org/show_bug.cgi?id=157700
2934
2935         Reviewed by Michael Saboff.
2936
2937         In general, fillSpeculateInt32() originates from SpeculateInt32
2938         and the user does not care about the tag.
2939
2940         This is particularly obvious on Sunspider's math-spectral-norm.js.
2941         In that test, registers are frequently spilled because of x86's DIV.
2942
2943         When they are re-filled, they were always tagged.
2944         Since the loops are small, all the tagging adds up.
2945
2946         * dfg/DFGSpeculativeJIT64.cpp:
2947         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2948
2949 2016-05-16  Saam barati  <sbarati@apple.com>
2950
2951         Unreviewed Cloop build fix.
2952
2953         * bytecode/CodeBlock.cpp:
2954         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
2955
2956 2016-05-16  Saam barati  <sbarati@apple.com>
2957
2958         Hook up ShadowChicken to the debugger to show tail deleted frames
2959         https://bugs.webkit.org/show_bug.cgi?id=156685
2960         <rdar://problem/25770521>
2961
2962         Reviewed by Filip Pizlo and Mark Lam and Joseph Pecoraro.
2963
2964         The heart of this patch hooks up ShadowChicken to DebuggerCallFrame to
2965         allow the Web Inspector to display the ShadowChicken's shadow stack.
2966         This means the Web Inspector can now display tail deleted frames.
2967         To make this work, I made the necessary changes to ShadowChicken and
2968         DebuggerCallFrame to allow DebuggerCallFrame to keep the same API
2969         when representing both machine frames and tail deleted frames.
2970
2971         - ShadowChicken prologue packets now log the current scope. Tail packets
2972           log the current scope, the 'this' value, the CodeBlock, and the
2973           CallSiteIndex. This allows the inspector to not only show the
2974           tail deleted frame, but also show exactly where the tail call happened (line and column numbers),
2975           with which scope it executed, and with which 'this' value. This
2976           patch also allows DebuggerCallFrame to execute console statements
2977           in a tail deleted frame.
2978
2979         - I changed ShadowChicken's stack resizing algorithm. ShadowChicken
2980           now only keeps a maximum number of tail deleted frames in its shadow stack.
2981           It will happily represent all machine frames without limit. Right now, the
2982           maximum number of tail deleted frames I chose to keep alive is 128.
2983           We will keep frames alive starting from the top of the stack. This
2984           allows us to have a strong defense against runaway memory usage. We will only
2985           keep around at most 128 "shadow" frames that wouldn't have naturally been kept
2986           alive by the executing program. We can play around with this number
2987           if we find that 128 is either too many or too few frames.
2988
2989         - DebuggerCallFrame is no longer a cheap class to create. When it is created,
2990           we will eagerly create the entire virtual debugger stack. So I modified the
2991           existing code to lazily create DebuggerCallFrames only when necessary. We
2992           used to eagerly create them at each op_debug statement even though we would
2993           just throw them away if we didn't hit a breakpoint.
2994
2995         - A valid DebuggerCallFrame will always have a valid CallFrame* pointer
2996           into the stack. This pointer won't always refer to the logical frame
2997           that the DebuggerCallFrame represents because a DebuggerCallFrame can
2998           now represent a tail deleted frame. To do this, DebuggerCallFrame now
2999           has a ShadowChicken::Frame member variable. This allows DebuggerCallFrame
3000           to know when it represents a tail deleted frame and gives DebuggerCallFrame
3001           a mechanism to ask the tail deleted frame for interesting information
3002           (like its 'this' value, scope, CodeBlock, etc). A tail deleted frame's
3003           machine frame pointer will be the machine caller of the tail deleted frame
3004           (or the machine caller of the first of a series of consecutive tail calls).
3005
3006         - I added a new flag to UnlinkedCodeBlock to indicate when it is compiled
3007           with debugging opcodes. I did this because ShadowChicken may read a JSScope
3008           from the machine stack. This is only safe if the machine CodeBlock was
3009           compiled with debugging opcodes. This is safer than asking if the
3010           CodeBlock's global object has an interactive debugger enabled because
3011           it's theoretically possible for the debugger to be enabled while code
3012           compiled without a debugger is still live on the stack. This field is
3013           also now used to indicate to the DFGGraph that the interactive debugger
3014           is enabled.
3015
3016         - Finally, this patch adds a new field to the Inspector's CallFrame protocol
3017           object called 'isTailDeleted' to allow the Inspector to know when a
3018           CallFrame represents a tail deleted frame.
3019
3020         * JavaScriptCore.xcodeproj/project.pbxproj:
3021         * bytecode/BytecodeList.json:
3022         * bytecode/BytecodeUseDef.h:
3023         (JSC::computeUsesForBytecodeOffset):
3024         * bytecode/CodeBlock.cpp:
3025         (JSC::CodeBlock::dumpBytecode):
3026         (JSC::CodeBlock::findPC):
3027         (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex):
3028         * bytecode/CodeBlock.h:
3029         (JSC::CodeBlock::clearDebuggerRequests):
3030         (JSC::CodeBlock::wasCompiledWithDebuggingOpcodes):
3031         * bytecode/UnlinkedCodeBlock.cpp:
3032         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3033         * bytecode/UnlinkedCodeBlock.h:
3034         (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes):
3035         (JSC::UnlinkedCodeBlock::finishCreation):
3036         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
3037         * bytecode/UnlinkedFunctionExecutable.cpp:
3038         (JSC::generateUnlinkedFunctionCodeBlock):
3039         * bytecompiler/BytecodeGenerator.cpp:
3040         (JSC::BytecodeGenerator::generate):
3041         (JSC::BytecodeGenerator::BytecodeGenerator):
3042         (JSC::BytecodeGenerator::emitEnter):
3043         (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary):
3044         (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary):
3045         (JSC::BytecodeGenerator::emitCallDefineProperty):
3046         * debugger/Debugger.cpp:
3047         (JSC::DebuggerPausedScope::DebuggerPausedScope):
3048         (JSC::DebuggerPausedScope::~DebuggerPausedScope):
3049         (JSC::Debugger::didReachBreakpoint):
3050         (JSC::Debugger::currentDebuggerCallFrame):
3051         * debugger/Debugger.h:
3052         * debugger/DebuggerCallFrame.cpp:
3053         (JSC::LineAndColumnFunctor::operator()):
3054         (JSC::DebuggerCallFrame::create):
3055         (JSC::DebuggerCallFrame::DebuggerCallFrame):
3056         (JSC::DebuggerCallFrame::callerFrame):
3057         (JSC::DebuggerCallFrame::globalExec):
3058         (JSC::DebuggerCallFrame::vmEntryGlobalObject):
3059         (JSC::DebuggerCallFrame::sourceID):
3060         (JSC::DebuggerCallFrame::functionName):
3061         (JSC::DebuggerCallFrame::scope):
3062         (JSC::DebuggerCallFrame::type):
3063         (JSC::DebuggerCallFrame::thisValue):
3064         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
3065         (JSC::DebuggerCallFrame::invalidate):
3066         (JSC::DebuggerCallFrame::currentPosition):
3067         (JSC::DebuggerCallFrame::positionForCallFrame):
3068         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
3069         (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor): Deleted.
3070         (JSC::FindCallerMidStackFunctor::operator()): Deleted.
3071         (JSC::FindCallerMidStackFunctor::getCallerFrame): Deleted.
3072         (JSC::DebuggerCallFrame::thisValueForCallFrame): Deleted.
3073         * debugger/DebuggerCallFrame.h:
3074         (JSC::DebuggerCallFrame::isValid):
3075         (JSC::DebuggerCallFrame::isTailDeleted):
3076         (JSC::DebuggerCallFrame::create): Deleted.
3077         (JSC::DebuggerCallFrame::exec): Deleted.
3078         * dfg/DFGByteCodeParser.cpp:
3079         (JSC::DFG::ByteCodeParser::parseBlock):
3080         * dfg/DFGFixupPhase.cpp:
3081         (JSC::DFG::FixupPhase::fixupNode):
3082         * dfg/DFGGraph.cpp:
3083         (JSC::DFG::Graph::Graph):
3084         (JSC::DFG::Graph::~Graph):
3085         * dfg/DFGJITCompiler.h:
3086         (JSC::DFG::JITCompiler::addCallSite):
3087         (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
3088         (JSC::DFG::JITCompiler::emitStoreCallSiteIndex):
3089         * dfg/DFGSpeculativeJIT32_64.cpp:
3090         (JSC::DFG::SpeculativeJIT::compile):
3091         * dfg/DFGSpeculativeJIT64.cpp:
3092         (JSC::DFG::SpeculativeJIT::compile):
3093         * ftl/FTLAbstractHeapRepository.h:
3094         * ftl/FTLLowerDFGToB3.cpp:
3095         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenPrologue):
3096         (JSC::FTL::DFG::LowerDFGToB3::compileLogShadowChickenTail):
3097         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3098         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3099         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3100         (JSC::FTL::DFG::LowerDFGToB3::setupShadowChickenPacket): Deleted.
3101         * inspector/InjectedScriptSource.js:
3102         (InjectedScript.CallFrameProxy):
3103         * inspector/JSJavaScriptCallFrame.cpp:
3104         (Inspector::JSJavaScriptCallFrame::thisObject):
3105         (Inspector::JSJavaScriptCallFrame::isTailDeleted):
3106         (Inspector::JSJavaScriptCallFrame::type):
3107         * inspector/JSJavaScriptCallFrame.h:
3108         * inspector/JSJavaScriptCallFramePrototype.cpp:
3109         (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
3110         (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
3111         (Inspector::jsJavaScriptCallFrameAttributeType):
3112         (Inspector::jsJavaScriptCallFrameIsTailDeleted):
3113         * inspector/JavaScriptCallFrame.h:
3114         (Inspector::JavaScriptCallFrame::type):
3115         (Inspector::JavaScriptCallFrame::scopeChain):
3116         (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
3117         (Inspector::JavaScriptCallFrame::isTailDeleted):
3118         (Inspector::JavaScriptCallFrame::thisValue):
3119         (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension):
3120         * inspector/ScriptDebugServer.cpp:
3121         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
3122         * inspector/protocol/Debugger.json:
3123         * interpreter/ShadowChicken.cpp:
3124         (JSC::ShadowChicken::update):
3125         (JSC::ShadowChicken::visitChildren):
3126         (JSC::ShadowChicken::reset):
3127         * interpreter/ShadowChicken.h:
3128         (JSC::ShadowChicken::Packet::throwMarker):
3129         (JSC::ShadowChicken::Packet::prologue):
3130         (JSC::ShadowChicken::Packet::tail):
3131         (JSC::ShadowChicken::Frame::Frame):
3132         (JSC::ShadowChicken::Frame::operator==):
3133         * jit/CCallHelpers.cpp:
3134         (JSC::CCallHelpers::logShadowChickenProloguePacket):
3135         (JSC::CCallHelpers::logShadowChickenTailPacket):
3136         (JSC::CCallHelpers::ensureShadowChickenPacket):
3137         (JSC::CCallHelpers::setupShadowChickenPacket): Deleted.
3138         * jit/CCallHelpers.h:
3139         * jit/JITOpcodes.cpp:
3140         (JSC::JIT::emit_op_profile_type):
3141         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3142         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3143         (JSC::JIT::emit_op_get_enumerable_length):
3144         (JSC::JIT::emit_op_resume):
3145         * jit/JITOpcodes32_64.cpp:
3146         (JSC::JIT::emit_op_profile_type):
3147         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3148         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3149         * jit/RegisterSet.cpp:
3150         (JSC::RegisterSet::webAssemblyCalleeSaveRegisters):
3151         (JSC::RegisterSet::argumentGPRS):
3152         (JSC::RegisterSet::registersToNotSaveForJSCall):
3153         * jit/RegisterSet.h:
3154         * llint/LLIntData.cpp:
3155         (JSC::LLInt::Data::performAssertions):
3156         * llint/LLIntSlowPaths.cpp:
3157         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3158         * llint/LowLevelInterpreter.asm:
3159         * llint/LowLevelInterpreter32_64.asm:
3160         * llint/LowLevelInterpreter64.asm:
3161         * runtime/CodeCache.cpp:
3162         (JSC::CodeCache::getGlobalCodeBlock):
3163         * runtime/Options.h:
3164         * tests/stress/shadow-chicken-enabled.js:
3165         (test5a.foo):
3166         (test5a):
3167         (test5b.foo):
3168         (test5b):
3169         (test6.foo):
3170         (test6):
3171
3172 2016-05-16  Saam barati  <sbarati@apple.com>
3173
3174         TypeSet/StructureShape have a flawed sense of JS prototype chains
3175         https://bugs.webkit.org/show_bug.cgi?id=157760
3176
3177         Reviewed by Joseph Pecoraro.
3178
3179         There was an assumption that we would bottom out in "Object". This is
3180         not true for many reasons. JS objects may not end in Object.prototype.
3181         Also, our mechanism of grabbing an Object's class name may also not
3182         bottom out in "Object". We were seeing this in the JS objects we use
3183         in the InjectedScriptSource.js inspector script.
3184
3185         * runtime/TypeSet.cpp:
3186         (JSC::StructureShape::leastCommonAncestor):
3187         * tests/typeProfiler/weird-prototype-chain.js: Added.
3188         (wrapper.foo):
3189         (wrapper.let.o2):
3190         (wrapper):
3191
3192 2016-05-16  Joseph Pecoraro  <pecoraro@apple.com>
3193
3194         Unreviewed rollout r200924. Caused js/regress/string-replace-generic.html to fail.
3195
3196         * API/JSProfilerPrivate.cpp: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
3197         (JSStartProfiling):
3198         (JSEndProfiling):
3199         * API/JSProfilerPrivate.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
3200         * CMakeLists.txt:
3201         * JavaScriptCore.xcodeproj/project.pbxproj:
3202         * bytecode/BytecodeList.json:
3203         * bytecode/BytecodeUseDef.h:
3204         (JSC::computeUsesForBytecodeOffset):
3205         (JSC::computeDefsForBytecodeOffset):
3206         * bytecode/CodeBlock.cpp:
3207         (JSC::CodeBlock::dumpBytecode):
3208         * bytecode/UnlinkedFunctionExecutable.cpp:
3209         (JSC::generateUnlinkedFunctionCodeBlock):
3210         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
3211         * bytecode/UnlinkedFunctionExecutable.h:
3212         * bytecompiler/BytecodeGenerator.cpp:
3213         (JSC::BytecodeGenerator::BytecodeGenerator):
3214         (JSC::BytecodeGenerator::emitCall):
3215         (JSC::BytecodeGenerator::emitCallVarargs):
3216         (JSC::BytecodeGenerator::emitCallVarargsInTailPosition):
3217         (JSC::BytecodeGenerator::emitConstructVarargs):
3218         (JSC::BytecodeGenerator::emitConstruct):
3219         * bytecompiler/BytecodeGenerator.h:
3220         (JSC::CallArguments::profileHookRegister):
        (JSC::BytecodeGenerator::shouldEmitProfileHooks):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
        * inspector/protocol/Timeline.json:
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/ParserModes.h:
        * profiler/CallIdentifier.h: Added.
        (JSC::CallIdentifier::CallIdentifier):
        (JSC::CallIdentifier::functionName):
        (JSC::CallIdentifier::url):
        (JSC::CallIdentifier::lineNumber):
        (JSC::CallIdentifier::columnNumber):
        (JSC::CallIdentifier::operator==):
        (JSC::CallIdentifier::operator!=):
        (JSC::CallIdentifier::Hash::hash):
        (JSC::CallIdentifier::Hash::equal):
        (JSC::CallIdentifier::hash):
        (JSC::CallIdentifier::operator const char*):
        (JSC::CallIdentifier::c_str):
        (WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
        (WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
        * profiler/LegacyProfiler.cpp: Added.
        (JSC::LegacyProfiler::profiler):
        (JSC::LegacyProfiler::startProfiling):
        (JSC::LegacyProfiler::stopProfiling):
        (JSC::callFunctionForProfilesWithGroup):
        (JSC::LegacyProfiler::suspendProfiling):
        (JSC::LegacyProfiler::unsuspendProfiling):
        (JSC::LegacyProfiler::willExecute):
        (JSC::LegacyProfiler::didExecute):
        (JSC::LegacyProfiler::exceptionUnwind):
        (JSC::LegacyProfiler::createCallIdentifier):
        (JSC::createCallIdentifierFromFunctionImp):
        * profiler/LegacyProfiler.h: Added.
        (JSC::LegacyProfiler::currentProfiles):
        * profiler/Profile.cpp: Added.
        (JSC::Profile::create):
        (JSC::Profile::Profile):
        (JSC::Profile::~Profile):
        (JSC::Profile::debugPrint):
        (JSC::functionNameCountPairComparator):
        (JSC::Profile::debugPrintSampleStyle):
        * profiler/Profile.h: Copied from Source/JavaScriptCore/profiler/ProfilerJettisonReason.h.
        * profiler/ProfileGenerator.cpp: Added.
        (JSC::ProfileGenerator::create):
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
        (JSC::AddParentForConsoleStartFunctor::foundParent):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        (JSC::ProfileGenerator::title):
        (JSC::ProfileGenerator::beginCallEntry):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        (JSC::ProfileGenerator::exceptionUnwind):
        (JSC::ProfileGenerator::stopProfiling):
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileGenerator.h: Added.
        (JSC::ProfileGenerator::profile):
        (JSC::ProfileGenerator::origin):
        (JSC::ProfileGenerator::profileGroup):
        (JSC::ProfileGenerator::setIsSuspended):
        * profiler/ProfileNode.cpp: Added.
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::addChild):
        (JSC::ProfileNode::removeChild):
        (JSC::ProfileNode::spliceNode):
        (JSC::ProfileNode::traverseNextNodePostOrder):
        (JSC::ProfileNode::debugPrint):
        (JSC::ProfileNode::debugPrintSampleStyle):
        (JSC::ProfileNode::debugPrintRecursively):
        (JSC::ProfileNode::debugPrintSampleStyleRecursively):
        * profiler/ProfileNode.h: Added.
        (JSC::ProfileNode::create):
        (JSC::ProfileNode::Call::Call):
        (JSC::ProfileNode::Call::startTime):
        (JSC::ProfileNode::Call::setStartTime):
        (JSC::ProfileNode::Call::elapsedTime):
        (JSC::ProfileNode::Call::setElapsedTime):
        (JSC::ProfileNode::operator==):
        (JSC::ProfileNode::callerCallFrame):
        (JSC::ProfileNode::callIdentifier):
        (JSC::ProfileNode::id):
        (JSC::ProfileNode::functionName):
        (JSC::ProfileNode::url):
        (JSC::ProfileNode::lineNumber):
        (JSC::ProfileNode::columnNumber):
        (JSC::ProfileNode::parent):
        (JSC::ProfileNode::setParent):
        (JSC::ProfileNode::calls):
        (JSC::ProfileNode::lastCall):
        (JSC::ProfileNode::appendCall):
        (JSC::ProfileNode::children):
        (JSC::ProfileNode::firstChild):
        (JSC::ProfileNode::lastChild):
        (JSC::ProfileNode::nextSibling):
        (JSC::ProfileNode::setNextSibling):
        (JSC::ProfileNode::forEachNodePostorder):
        (JSC::CalculateProfileSubtreeDataFunctor::operator()):
        (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
        * profiler/ProfilerJettisonReason.cpp:
        (WTF::printInternal):
        * profiler/ProfilerJettisonReason.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getModuleProgramCodeBlock):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::hasLegacyProfiler):
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::supportsLegacyProfiling):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::SetEnabledProfilerFunctor::operator()):
        (JSC::VM::setEnabledProfiler):
        * runtime/VM.h:
        (JSC::VM::enabledProfiler):
        (JSC::VM::enabledProfilerAddress):

2016-05-16  Konstantin Tokarev  <annulen@yandex.ru>

        Unreviewed, fixed typo in a comment.

        * assembler/MacroAssembler.h: Replaced "onvenience" with
        "convenience".

2016-05-16  Filip Pizlo  <fpizlo@apple.com>
