2015-07-20 Matthew Hanson Merge r186819. rdar://problem/21729083 2015-07-14 Matthew Mirman Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32. https://bugs.webkit.org/show_bug.cgi?id=146910 rdar://problem/21729083 Reviewed by Filip Pizlo. Also fixes the debug build problem where all edges are assumed to have UntypedUse before the fixup phase. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArithSub): * dfg/DFGValidate.cpp: (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary): * tests/stress/arith-add-with-constants.js: Added some tests for this case. (arithAdd42WrittenAsInteger): (testArithAdd42WrittenAsInteger): (arithSub42WrittenAsDouble): (testArithSub42WrittenAsDouble): (doubleConstant): (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0) (arithAdd42WrittenAsDouble): Deleted. (testArithAdd42WrittenAsDouble): Deleted. 2015-07-20 Matthew Hanson Merge r187028. rdar://problem/21869970 2015-07-18 Filip Pizlo REGRESSION(186691): OSR entry is broken on loop headers that have no live variables https://bugs.webkit.org/show_bug.cgi?id=147074 rdar://problem/21869970 Reviewed by Michael Saboff. The OSR entry must-handle block/value widening introduced in r186691 would cause the CFA to reexecute if it caused any live local variables to change value. But this fails if the must-handle block has no live local variables, and the entry block otherwise appears to be unreachable. This fixes the bug by having the change detection include whether the block hadn't been visited in addition to whether any local variable values got widened. This is a ~4% speed-up on SunSpider in browser. * dfg/DFGCFAPhase.cpp: (JSC::DFG::CFAPhase::run): 2015-07-16 Matthew Hanson Merge r186920. rdar://problem/21764196 2015-07-16 Mark Lam RegExp::match() should set m_state to ByteCode if compilation fails. https://bugs.webkit.org/show_bug.cgi?id=147023 Reviewed by Michael Saboff. A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code. If one of these compilations succeeds, RegExp::m_state will be set to JITCode. Subsequently, if RegExp tries to compile another one of these but fails, m_state will be left untouched i.e. it still says JITCode. As a result, when RegExp::match() later tries to execute the non-existant compiled code, it will crash. The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile. This failure should be rare. We'll do the minimal work here to fix the issue and keep an eye on the perf bots. If perf regresses, we can do some optimization work then. This issue is difficult to test for since it either requires a low memory condition to trigger a failed RegExp compilation at the right moment, or for the RegExp to succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode. Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every 10 compilation attempts. * runtime/RegExp.cpp: (JSC::RegExp::compile): (JSC::RegExp::compileMatchOnly): 2015-07-15 Lucas Forschler Merge r186826 2015-07-14 Anders Carlsson Assertions.h should include ExportMacros.h https://bugs.webkit.org/show_bug.cgi?id=146948 Reviewed by Tim Horton. Remove now unneeded WTF_EXPORT_PRIVATE define. * API/JSBase.h: 2015-07-13 Babak Shafiei Merge r186777. 2015-07-13 Anders Carlsson Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API https://bugs.webkit.org/show_bug.cgi?id=146913 rdar://problem/21789252 Reviewed by Dan Bernstein. Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to /System/Library/Frameworks/JavaScriptCore.framework. * JavaScriptCore.xcodeproj/project.pbxproj: 2015-07-12 Babak Shafiei Merge r186702. 2015-07-10 Filip Pizlo AI folding of IsObjectOrNull is broken for non-object types that may be null https://bugs.webkit.org/show_bug.cgi?id=146867 Reviewed by Ryosuke Niwa. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): Fix the bug and add some text describing what is going on. * tests/stress/misc-is-object-or-null.js: Added. Test for the bug. (foo): * tests/stress/other-is-object-or-null.js: Added. Test for a bug I almost introduced. (foo): 2015-07-12 Babak Shafiei Merge r186691. 2015-07-04 Filip Pizlo DFG fragile frozen values are fundamentally broken https://bugs.webkit.org/show_bug.cgi?id=146602 Reviewed by Mark Lam. This change gets rid of the FragileValue value strength, because it was fundamentally broken. FragileValue was a value known to the compiler but not tracked by the GC in any way - it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR must-handle values. The philosophy was that if the compiler did use the value for optimization, it would have been strengthened to a weak value (or maybe even a strong value, though we probably won't do that). But this was too much of a pipe dream. I've found at least one case where the compiler did use the value, but never strengthened it: it would happen if the value ended up in an OSR entry data expected value. Then if we GCed, we might have killed the value, but OSR entry would still try to use it for validation. That might have sort of just worked, but it's clearly shady. The reason why we made must-handle values fragile and not weak is that most of the time the values disappear from the abstract state: they are LUBed to a non-constant. If we kept them around as weak, we'd have too many cases of the GC killing the code because it thought that the value was somehow meaningful to the code when it was only used as a temporary artifact of optimization. So, it's true that it's very important for must-handle values not to automatically be weak or strong. It's also true that the values are necessary for AI bootstrap because we need to know what values OSR entry will require. But we shouldn't accomplish these goals by having the compiler hold onto what are essentially dangling pointers. This implements a better solution: instead of having InPlaceAbstractState bootstrap the AI with must-handle values at the beginning, we now widen the valuesAtHead of the must-handle block after AI converges. This widening is done in CFAPhase. This allows us to see if the must-handle values are necessary at all. In most cases, the widening takes a non-constant abstract value and simply amends something to its type based on the type of the must-handle value, and so the must-handle value never actually shows up in either the IR or any abstract value. In the unlikely event that the value at head is bottom, we freeze the must-handle value. This change removes FragileValue, and this freezing uses WeakValue as the strength. That makes sense: since the abstract value was bottom, the must-handle value becomes integral to the IR and so it makes no sense for the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will sometimes happen for example if you have a very long-running loop whose pre-header allocates some object, but that pre-header appears to always exit to the optimizing JIT because it was only profiled once in the LLInt and that profiling appears insufficient to the DFG. In that case, we'll effectively constant-fold the references to the object inside the loop, which is both efficient (yay constant folding!) and necessary (otherwise we wouldn't know what the type of the variable should have been). Testing and debugging this is complicated. So, this adds some new capabilities: - DFG IR dumps also dump all of the FrozenValues that point to the heap along with their strengths, so that it's easy to see what GC objects the DFG feels are necessary for the compilation. - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy to see what GC pointers (and other things) are used for OSR entry validation. The printouts are quite detailed, and should also help other kinds of OSR entry debugging. - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode data structures are also properly registered as either weak or strong pointers in the CodeBlock. This validation check previously failed due to fragile values ending up in the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js) and in some pre-existing tests (like earley-boyer and 3d-raytrace). * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::stronglyVisitStrongReferences): * bytecode/CodeOrigin.cpp: (JSC::InlineCallFrame::visitAggregate): * bytecode/Operands.h: (JSC::Operands::operand): (JSC::Operands::hasOperand): * bytecode/StructureSet.cpp: (JSC::StructureSet::dump): (JSC::StructureSet::validateReferences): * bytecode/StructureSet.h: * bytecode/TrackedReferences.cpp: Added. (JSC::TrackedReferences::TrackedReferences): (JSC::TrackedReferences::~TrackedReferences): (JSC::TrackedReferences::add): (JSC::TrackedReferences::check): (JSC::TrackedReferences::dump): * bytecode/TrackedReferences.h: Added. * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::observeTransitions): (JSC::DFG::AbstractValue::set): (JSC::DFG::AbstractValue::fixTypeForRepresentation): (JSC::DFG::AbstractValue::mergeOSREntryValue): (JSC::DFG::AbstractValue::filter): (JSC::DFG::AbstractValue::dumpInContext): (JSC::DFG::AbstractValue::validateReferences): (JSC::DFG::AbstractValue::setOSREntryValue): Deleted. * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::fullTop): (JSC::DFG::AbstractValue::merge): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): * dfg/DFGCFAPhase.cpp: (JSC::DFG::CFAPhase::run): * dfg/DFGCommonData.cpp: (JSC::DFG::CommonData::invalidate): (JSC::DFG::CommonData::validateReferences): * dfg/DFGCommonData.h: (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit): * dfg/DFGFrozenValue.h: (JSC::DFG::FrozenValue::FrozenValue): (JSC::DFG::FrozenValue::strengthenTo): (JSC::DFG::FrozenValue::pointsToHeap): (JSC::DFG::FrozenValue::strength): (JSC::DFG::FrozenValue::freeze): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::Graph): (JSC::DFG::Graph::dump): (JSC::DFG::Graph::registerFrozenValues): (JSC::DFG::Graph::visitChildren): (JSC::DFG::Graph::freeze): (JSC::DFG::Graph::freezeStrong): (JSC::DFG::Graph::freezeFragile): Deleted. * dfg/DFGGraph.h: * dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::initialize): * dfg/DFGJITCode.cpp: (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult): (JSC::DFG::JITCode::validateReferences): * dfg/DFGJITCode.h: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::addressOfDoubleConstant): (JSC::DFG::JITCompiler::noticeOSREntry): * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::branchStructurePtr): (JSC::DFG::JITCompiler::jitCode): (JSC::DFG::JITCompiler::noticeOSREntry): Deleted. * dfg/DFGMinifiedGraph.cpp: Added. (JSC::DFG::MinifiedGraph::prepareAndShrink): (JSC::DFG::MinifiedGraph::validateReferences): * dfg/DFGMinifiedGraph.h: (JSC::DFG::MinifiedGraph::append): (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted. * dfg/DFGOSREntry.cpp: (JSC::DFG::OSREntryData::dumpInContext): (JSC::DFG::OSREntryData::dump): (JSC::DFG::prepareOSREntry): * dfg/DFGOSREntry.h: (JSC::DFG::getOSREntryDataBytecodeIndex): * dfg/DFGPlan.cpp: (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::linkOSREntries): (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): * dfg/DFGStructureAbstractValue.cpp: (JSC::DFG::StructureAbstractValue::dump): (JSC::DFG::StructureAbstractValue::validateReferences): * dfg/DFGStructureAbstractValue.h: * dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate): * dfg/DFGValueStrength.cpp: (WTF::printInternal): * dfg/DFGValueStrength.h: (JSC::DFG::merge): * ftl/FTLExitPropertyValue.cpp: (JSC::FTL::ExitPropertyValue::dump): (JSC::FTL::ExitPropertyValue::validateReferences): * ftl/FTLExitPropertyValue.h: * ftl/FTLExitTimeObjectMaterialization.cpp: (JSC::FTL::ExitTimeObjectMaterialization::dump): (JSC::FTL::ExitTimeObjectMaterialization::validateReferences): * ftl/FTLExitTimeObjectMaterialization.h: * ftl/FTLExitValue.cpp: (JSC::FTL::ExitValue::dump): (JSC::FTL::ExitValue::validateReferences): * ftl/FTLExitValue.h: * ftl/FTLJITCode.cpp: (JSC::FTL::JITCode::dfgCommon): (JSC::FTL::JITCode::validateReferences): * ftl/FTLJITCode.h: (JSC::FTL::JITCode::handles): (JSC::FTL::JITCode::dataSections): * ftl/FTLOSRExit.cpp: (JSC::FTL::OSRExit::codeLocationForRepatch): (JSC::FTL::OSRExit::validateReferences): * ftl/FTLOSRExit.h: (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite): * jit/JITCode.cpp: (JSC::JITCode::typeName): (JSC::JITCode::validateReferences): (JSC::JITCode::execute): * jit/JITCode.h: (JSC::JITCode::start): * tests/stress/dead-osr-entry-value.js: Added. (foo): 2015-07-10 Matthew Hanson Disable non-shipping features. * Configurations/FeatureDefines.xcconfig: 2015-07-09 Mark Lam SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector. https://bugs.webkit.org/show_bug.cgi?id=146807 Reviewed by Filip Pizlo. When we capture an argument by name and we use "arguments", we put all of the arguments into the scope. But destructured arguments are put into the scope anonymously i.e. the SymbolTable knows that the scope offset is in use via SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in SymbolTable::m_map. The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will have a size which is based on the largest ScopeOffset in the m_map. If we have a scenario where the anonymous argument is at a higher ScopeOffset than all the named arguments, then the m_localsToEntry vector will not have an entry for it i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of the anonymous argument. Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is within the bounds of the m_localToEntry vector before indexing into it. * runtime/SymbolTable.cpp: (JSC::SymbolTable::entryFor): 2015-07-09 Michael Saboff REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20 https://bugs.webkit.org/show_bug.cgi?id=146767 Reviewed by Geoffrey Garen. If the stack check fails at the top most frame, we must use that frame to generate the exception. Reverted the code to always use the current frame to throw an out of stack exception. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): 2015-07-03 Filip Pizlo OSR exit fuzzing should allow us to select a static exit site https://bugs.webkit.org/show_bug.cgi?id=146601 Reviewed by Geoffrey Garen. The original implementation of the fuzzer allows us to trigger an exit based on its index in the dynamic sequence of exit sites encountered. But there are usually millions of dynamically encountered exit sites, even if the program only has thousands of static exit sites. That means that we would at best be able to do a random sampling of exits, and those would be biased to the hottest exit sites. This change allows us to also select exit sites based on their index in the static sequence of exit sites that the compiler compiled. Then, once that static exit site is selected, we can select which dynamic exit at that exit site we should trigger. Since the number of static exit sites is usually smallish (it's bounded by program size), we can do an exhaustive search over all exit sites in most programs. * dfg/DFGOSRExitFuzz.cpp: (JSC::numberOfStaticOSRExitFuzzChecks): (JSC::numberOfOSRExitFuzzChecks): * dfg/DFGOSRExitFuzz.h: (JSC::DFG::doOSRExitFuzzing): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit): * jsc.cpp: (jscmain): * runtime/Options.h: * runtime/TestRunnerUtils.h: 2015-07-08 Joseph Pecoraro Fix grammar issue in TypeError attempting to change an unconfigurable property https://bugs.webkit.org/show_bug.cgi?id=146774 Reviewed by Brent Fulgham. * runtime/JSFunction.cpp: (JSC::JSFunction::defineOwnProperty): * runtime/JSObject.cpp: (JSC::JSObject::defineOwnNonIndexProperty): * runtime/StringObject.cpp: (JSC::StringObject::defineOwnProperty): 2015-07-06 Csaba Osztrogonác Remove the unused HeapBlock.h https://bugs.webkit.org/show_bug.cgi?id=146580 Reviewed by Andreas Kling. * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * heap/CopiedBlock.h: * heap/CopiedSpace.h: * heap/CopiedSpaceInlines.h: * heap/HandleBlock.h: * heap/HeapBlock.h: Removed. * heap/MarkedBlock.h: 2015-07-06 Saam barati JSC's parser should follow the ES6 spec with respect to parsing Declarations https://bugs.webkit.org/show_bug.cgi?id=146621 Reviewed by Mark Lam. There were a few locations where JSC would allow declaration statements in incorrect ways. JSC didn't distinguish between 'Statement' and 'StatementListItem' grammar productions. The relevant grammar is here: http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements From the ECMA Script 6.0 spec: 1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement) says that IfStatements only takes Statements for the "then-else" clauses, not StatementListItems. (Same with 'while/for/do-while' loop bodies). 2. Section 13 ECMAScript Language: Statements and Declarations (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations) defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations (const, let, see 13.3.1 Let and Const Declarations). Declarations can only be in the “then-else” clauses when embedded in a StatementListItem in a BlockStatement (see 13.2). Hence, the following style of declarations are no longer allowed: 'if/for/while (condition) const x = 40;' 'if/for/while (condition) class C { }' Instead, we mandate such declaration constructs are within a StatementList (which is the production that JSC's Parser::parseSourceElements function parses): 'if/for/while (condition) { const x = 40; }' 'if/for/while (condition) { class C { } }' * parser/Parser.cpp: (JSC::Parser::parseSourceElements): (JSC::Parser::parseStatementListItem): (JSC::Parser::parseVarDeclaration): (JSC::Parser::parseStatement): (JSC::Parser::parseExpressionStatement): * parser/Parser.h: (JSC::Parser::getLabel): 2015-07-06 Alex Christensen Unreviewed debug build fix after r186358. * runtime/JSArray.cpp: (JSC::JSArray::fastConcatWith): Pass vm parameter to fastConcatType. 2015-07-06 Ryosuke Niwa Array.concat should be fast for integer or double arrays https://bugs.webkit.org/show_bug.cgi?id=146260 Reviewed by Darin Adler. Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous arrays, simply memcopy the arrays into a new uninitialized buffer. This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncConcat): * runtime/JSArray.cpp: (JSC::JSArray::fastConcatWith): Added. * runtime/JSArray.h: (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use the fact path. Returns NonArray otherwise. 2015-07-06 Youenn Fablet [Streams API] Remove ReadableStream custom constructor https://bugs.webkit.org/show_bug.cgi?id=146547 Reviewed by Darin Adler. Adding helper function to throw range errors. * runtime/Error.h: (JSC::throwRangeError): (JSC::throwVMRangeError): 2015-07-05 Yusuke Suzuki [ES6] Implement the latest Promise spec in JS https://bugs.webkit.org/show_bug.cgi?id=146229 Reviewed by Sam Weinig. Updated the Promise implementation to meet to the ES6 spec. This patch 1. Implement ES6 Promise and related abstract operations in builtins JS 2. Expose @enqueueJob private function to JS world to post the microtask Updated implementation has one-on-one correspondence to the ES6 spec description. And keep the JSPromiseDeferred because it is the interface used from the WebCore. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * builtins/Array.prototype.js: (reduce): (reduceRight): (every): (forEach): (filter): (map): (some): (fill): (find): (findIndex): (includes): (copyWithin): ToInteger / ToLength are renamed to toInteger and toLength. * builtins/ArrayConstructor.js: (from): ToInteger / ToLength are renamed to toInteger and toLength. * builtins/GlobalObject.js: (toInteger): (toLength): (isObject): (ToInteger): Deleted. (ToLength): Deleted. ToInteger / ToLength are renamed to toInteger and toLength. Add new abstract operation, isObject. * builtins/Operations.Promise.js: Added. (isPromise): (newPromiseReaction): (newPromiseDeferred): (newPromiseCapability.executor): (newPromiseCapability): (triggerPromiseReactions): (rejectPromise): (fulfillPromise): (createResolvingFunctions.resolve): (createResolvingFunctions.reject): (createResolvingFunctions): (promiseReactionJob): (promiseResolveThenableJob): (initializePromise): Added Promise related abstract operations. * builtins/Promise.prototype.js: (catch): (.onFulfilled): (.onRejected): (then): Promise#then implementation in JS. * builtins/PromiseConstructor.js: Added. (all.newResolveElement): (all): (race): (reject): (resolve): Promise static functions implementations in JS. * builtins/StringConstructor.js: (raw): ToInteger / ToLength are renamed to toInteger and toLength. * inspector/JSInjectedScriptHost.cpp: (Inspector::JSInjectedScriptHost::getInternalProperties): * runtime/CommonIdentifiers.h: * runtime/JSGlobalObject.cpp: (JSC::enqueueJob): (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::initializePromiseFunction): (JSC::JSGlobalObject::newPromiseDeferredFunction): * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h. (JSC::createJSJob): (JSC::JSJobMicrotask::run): * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h. * runtime/JSPromise.cpp: (JSC::JSPromise::create): (JSC::JSPromise::JSPromise): (JSC::JSPromise::finishCreation): (JSC::JSPromise::result): (JSC::JSPromise::destroy): Deleted. (JSC::JSPromise::visitChildren): Deleted. (JSC::JSPromise::reject): Deleted. (JSC::JSPromise::resolve): Deleted. (JSC::JSPromise::appendResolveReaction): Deleted. (JSC::JSPromise::appendRejectReaction): Deleted. (JSC::triggerPromiseReactions): Deleted. * runtime/JSPromise.h: (JSC::JSPromise::status): Deleted. (JSC::JSPromise::result): Deleted. (JSC::JSPromise::constructor): Deleted. * runtime/JSPromiseConstructor.cpp: (JSC::constructPromise): (JSC::JSPromiseConstructorFuncResolve): Deleted. (JSC::JSPromiseConstructorFuncReject): Deleted. (JSC::performPromiseRaceLoop): Deleted. (JSC::JSPromiseConstructorFuncRace): Deleted. (JSC::performPromiseAll): Deleted. (JSC::JSPromiseConstructorFuncAll): Deleted. * runtime/JSPromiseDeferred.cpp: (JSC::JSPromiseDeferred::create): (JSC::createJSPromiseDeferredFromConstructor): Deleted. (JSC::updateDeferredFromPotentialThenable): Deleted. (JSC::performDeferredResolve): Deleted. (JSC::performDeferredReject): Deleted. (JSC::abruptRejection): Deleted. * runtime/JSPromiseDeferred.h: * runtime/JSPromiseFunctions.cpp: Removed. (JSC::deferredConstructionFunction): Deleted. (JSC::createDeferredConstructionFunction): Deleted. (JSC::identifyFunction): Deleted. (JSC::createIdentifyFunction): Deleted. (JSC::promiseAllCountdownFunction): Deleted. (JSC::createPromiseAllCountdownFunction): Deleted. (JSC::promiseResolutionHandlerFunction): Deleted. (JSC::createPromiseResolutionHandlerFunction): Deleted. (JSC::rejectPromiseFunction): Deleted. (JSC::createRejectPromiseFunction): Deleted. (JSC::resolvePromiseFunction): Deleted. (JSC::createResolvePromiseFunction): Deleted. (JSC::throwerFunction): Deleted. (JSC::createThrowerFunction): Deleted. * runtime/JSPromisePrototype.cpp: (JSC::JSPromisePrototypeFuncThen): Deleted. * runtime/JSPromiseReaction.cpp: Removed. (JSC::createExecutePromiseReactionMicrotask): Deleted. (JSC::ExecutePromiseReactionMicrotask::run): Deleted. (JSC::JSPromiseReaction::create): Deleted. (JSC::JSPromiseReaction::JSPromiseReaction): Deleted. (JSC::JSPromiseReaction::finishCreation): Deleted. (JSC::JSPromiseReaction::visitChildren): Deleted. * runtime/VM.cpp: (JSC::VM::VM): Deleted. * runtime/VM.h: 2015-07-04 Chris Dumez Drop RefPtr::clear() method https://bugs.webkit.org/show_bug.cgi?id=146556 Reviewed by Brady Eidson. Drop RefPtr::clear() method in favor of "= nullptr;" pattern. 2015-07-03 Dan Bernstein Just give up on -Wunreachable-code in JavaScriptCore. * Configurations/Base.xcconfig: * llint/LowLevelInterpreter.cpp: (JSC::CLoop::execute): 2015-07-03 Dan Bernstein Fixed the LLINT CLoop build. * llint/LowLevelInterpreter.cpp: (JSC::CLoop::execute): 2015-07-03 Dan Bernstein [Xcode] Update some build settings as recommended by Xcode 7 https://bugs.webkit.org/show_bug.cgi?id=146597 Reviewed by Sam Weinig. * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING. * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck. * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings. 2015-07-03 Yusuke Suzuki Relax builtin JS restriction about try-catch https://bugs.webkit.org/show_bug.cgi?id=146555 Reviewed by Sam Weinig. When retrieving the captured variables from the full activated scope, it swapped the given vector with the stored declared variables vector. This is because retrieving the captured variables are executed in the last sequence of the parser, so declared variables are no longer used. However, in builtins functions case, after retrieving the captured variables, we check the variables by using declared variables vector. So at that time, the declared variables vector becomes empty and it raises assertion failures when the builtins function contains the full activated scope. try-catch's catch scope requires the upper scope full activated, so JS code in the builtins cannot use the try-catch. This patch relaxes this restriction. When retrieving the captured variables from the scope, just copy to the given vector. * parser/Parser.h: (JSC::Scope::getCapturedVariables): 2015-07-02 Filip Pizlo DFG and FTL should have an OSR exit fuzzer https://bugs.webkit.org/show_bug.cgi?id=146562 Reviewed by Benjamin Poulain. Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how to harness this after I land it. Since it's turned off by default, it should have no effect on behavior. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGOSRExitFuzz.cpp: Added. (JSC::numberOfOSRExitFuzzChecks): * dfg/DFGOSRExitFuzz.h: Added. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitGetArgumentStart): (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck): (JSC::DFG::SpeculativeJIT::speculationCheck): * dfg/DFGSpeculativeJIT.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit): * jsc.cpp: (jscmain): * runtime/Options.h: * runtime/TestRunnerUtils.h: 2015-07-02 Saam barati Rename "Deconstruction" to "Destructuring" throughout JSC https://bugs.webkit.org/show_bug.cgi?id=146100 Reviewed by Mark Lam. It is good to use the same naming conventions as the ES6 spec because it is the de facto way of speaking about these language features. This also has the benefit of improving JSC's hackability because it improves code readability for newcomers to JSC or newcomers to this part of the code base. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::generate): (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::initializeNextParameter): (JSC::BytecodeGenerator::visibleNameForParameter): * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::registerFor): * bytecompiler/NodesCodegen.cpp: (JSC::ForInNode::tryGetBoundLocal): (JSC::ForInNode::emitLoopHeader): (JSC::ForOfNode::emitBytecode): (JSC::ClassExprNode::emitBytecode): (JSC::DestructuringAssignmentNode::emitBytecode): (JSC::DestructuringPatternNode::~DestructuringPatternNode): (JSC::ArrayPatternNode::collectBoundIdentifiers): (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted. (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted. * parser/ASTBuilder.h: (JSC::ASTBuilder::createElementList): (JSC::ASTBuilder::createFormalParameterList): (JSC::ASTBuilder::createClause): (JSC::ASTBuilder::createClauseList): (JSC::ASTBuilder::createForInLoop): (JSC::ASTBuilder::createForOfLoop): (JSC::ASTBuilder::isBindingNode): (JSC::ASTBuilder::isResolve): (JSC::ASTBuilder::createDestructuringAssignment): (JSC::ASTBuilder::createArrayPattern): (JSC::ASTBuilder::appendArrayPatternSkipEntry): (JSC::ASTBuilder::appendArrayPatternEntry): (JSC::ASTBuilder::appendArrayPatternRestEntry): (JSC::ASTBuilder::createObjectPattern): (JSC::ASTBuilder::appendObjectPatternEntry): (JSC::ASTBuilder::createDeconstructingAssignment): Deleted. * parser/NodeConstructors.h: (JSC::TryNode::TryNode): (JSC::ParameterNode::ParameterNode): (JSC::ForOfNode::ForOfNode): (JSC::DestructuringPatternNode::DestructuringPatternNode): (JSC::ArrayPatternNode::ArrayPatternNode): (JSC::ArrayPatternNode::create): (JSC::ObjectPatternNode::ObjectPatternNode): (JSC::BindingNode::create): (JSC::BindingNode::BindingNode): (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode): (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted. (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted. * parser/Nodes.cpp: (JSC::FunctionParameters::create): * parser/Nodes.h: (JSC::ExpressionNode::isResolveNode): (JSC::ExpressionNode::isBracketAccessorNode): (JSC::ExpressionNode::isDotAccessorNode): (JSC::ExpressionNode::isDestructuringNode): (JSC::ExpressionNode::isFuncExprNode): (JSC::ExpressionNode::isCommaNode): (JSC::ExpressionNode::isSimpleArray): (JSC::ParameterNode::pattern): (JSC::ParameterNode::nextParam): (JSC::FunctionParameters::size): (JSC::FunctionParameters::at): (JSC::FunctionParameters::patterns): (JSC::DestructuringPatternNode::isBindingNode): (JSC::DestructuringPatternNode::emitDirectBinding): (JSC::ArrayPatternNode::appendIndex): (JSC::ObjectPatternNode::appendEntry): (JSC::BindingNode::boundProperty): (JSC::DestructuringAssignmentNode::bindings): (JSC::ExpressionNode::isDeconstructionNode): Deleted. (JSC::DeconstructionPatternNode::isBindingNode): Deleted. (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted. (JSC::DeconstructingAssignmentNode::bindings): Deleted. * parser/Parser.cpp: (JSC::Parser::parseVarDeclaration): (JSC::Parser::parseWhileStatement): (JSC::Parser::parseVarDeclarationList): (JSC::Parser::createBindingPattern): (JSC::Parser::tryParseDestructuringPatternExpression): (JSC::Parser::parseDestructuringPattern): (JSC::Parser::parseDefaultValueForDestructuringPattern): (JSC::Parser::parseForStatement): (JSC::Parser::parseFormalParameters): (JSC::Parser::parseFunctionParameters): (JSC::Parser::parseAssignmentExpression): (JSC::Parser::tryParseDeconstructionPatternExpression): Deleted. (JSC::Parser::parseDeconstructionPattern): Deleted. (JSC::Parser::parseDefaultValueForDeconstructionPattern): Deleted. * parser/Parser.h: (JSC::isEvalNode): * parser/SyntaxChecker.h: (JSC::SyntaxChecker::createPropertyList): (JSC::SyntaxChecker::createElementList): (JSC::SyntaxChecker::createFormalParameterList): (JSC::SyntaxChecker::createClause): (JSC::SyntaxChecker::createClauseList): (JSC::SyntaxChecker::operatorStackPop): * tests/stress/reserved-word-with-escape.js: * tests/stress/rest-elements.js: 2015-07-02 Mark Lam Build fix for Win EWS bot. https://bugs.webkit.org/show_bug.cgi?id=146551 Not reviewed. * tools/JSDollarVMPrototype.cpp: (JSC::functionCrash): 2015-07-02 Dan Bernstein [iOS] Stop making symlinks from PrivateFrameworks to Frameworks https://bugs.webkit.org/show_bug.cgi?id=146542 Reviewed by Sam Weinig. * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink. 2015-07-01 Joseph Pecoraro Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes https://bugs.webkit.org/show_bug.cgi?id=146536 Reviewed by Timothy Hatcher. * inspector/protocol/Timeline.json: Change a CPUProfile from sending a required "calls" param to sending a required "callInfo" param which includes aggregated information about the calls. 2015-06-30 Filip Pizlo DFG::freezeFragile should register the frozen value's structure https://bugs.webkit.org/show_bug.cgi?id=136055 rdar://problem/21042120 Reviewed by Mark Lam and Geoffrey Garen. This fixes weird concurrency bugs where the constant folding phase tries to convert something to a constant but then crashes because the constant's structure wasn't registered. The AI was registering the structure of any value it saw, but constant folding wasn't - and that's fine so long as there ain't no concurrency. The best fix is to just make it impossible to introduce a constant into the IR without registering its structure. That's what this change does. This is not only a great concurrency fix - it also makes the compiler somewhat easier to hack on because it's one less case of structure registering that you have to remember about. * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::setOSREntryValue): No need to register. (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state. * dfg/DFGGraph.cpp: (JSC::DFG::Graph::freezeFragile): Register the structure. * dfg/DFGStructureRegistrationPhase.cpp: (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered. 2015-07-01 Matthew Mirman Unreviewed, rolling out r185889 https://bugs.webkit.org/show_bug.cgi?id=146528 rdar://problem/21573959 Patch breaks chromeexperiments.com Reverted changeset: * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * inspector/InjectedScriptSource.js: (.): * runtime/JSBoundSlotBaseFunction.cpp: Removed. * runtime/JSBoundSlotBaseFunction.h: Removed. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): Deleted. (JSC::JSGlobalObject::visitChildren): Deleted. * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted. * runtime/JSObject.cpp: (JSC::JSObject::getOwnPropertyDescriptor): (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted. * runtime/VM.cpp: (JSC::VM::VM): Deleted. * runtime/VM.h: 2015-07-01 Dean Jackson Disable the experimental WebGL2 implementation https://bugs.webkit.org/show_bug.cgi?id=146526 Reviewed by Myles Maxfield. Add (and disable) an ENABLE_WEBGL2 flag. * Configurations/FeatureDefines.xcconfig: 2015-07-01 Matthew Daiter Enable MEDIA_STREAM flag https://bugs.webkit.org/show_bug.cgi?id=145947 Reviewed by Eric Carlson. * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag 2015-06-30 Andy VanWagoner Implement ECMAScript Internationalization API https://bugs.webkit.org/show_bug.cgi?id=90906 Reviewed by Benjamin Poulain. * CMakeLists.txt: add IntlObject.cpp * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject * runtime/CommonIdentifiers.h: add "Intl" name * runtime/IntlObject.cpp: Added. (JSC::IntlObject::IntlObject): (JSC::IntlObject::create): (JSC::IntlObject::finishCreation): (JSC::IntlObject::createStructure): * runtime/IntlObject.h: Added. * runtime/JSGlobalObject.cpp: Add global Intl (JSC::JSGlobalObject::init): 2015-06-30 Basile Clement Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes https://bugs.webkit.org/show_bug.cgi?id=146431 Reviewed by Filip Pizlo. * dfg/DFGNode.h: (JSC::DFG::Node::isFunctionAllocation): (JSC::DFG::Node::isPhantomFunctionAllocation): * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): * dfg/DFGPromoteHeapAccess.h: (JSC::DFG::promoteHeapAccess): 2015-06-30 Matt Baker Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing https://bugs.webkit.org/show_bug.cgi?id=146168 Reviewed by Brian Burg. * inspector/protocol/Timeline.json: New timeline record type for compositing events. 2015-06-29 Dean Jackson Temporarily disable PICTURE_SIZES https://bugs.webkit.org/show_bug.cgi?id=146435 Reviewed by Tim Horton. Temporarily disable PICTURE_SIZES because it causes problems with out of date polyfills. * Configurations/FeatureDefines.xcconfig: 2015-06-29 Youenn Fablet Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue https://bugs.webkit.org/show_bug.cgi?id=146403 Reviewed by Darin Adler. * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue. 2015-06-28 Aleksandr Skachkov [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and => https://bugs.webkit.org/show_bug.cgi?id=146394 Reviewed by Yusuke Suzuki. * parser/Parser.cpp: (JSC::Parser::parseFunctionInfo): 2015-06-27 Darin Adler Make converting JSString to StringView idiomatically safe https://bugs.webkit.org/show_bug.cgi?id=146387 Reviewed by Anders Carlsson. * jsc.cpp: (functionPrint): Add explicit call to SafeView::get, needed since there is no StringView temporary. (functionDebug): Ditto. * runtime/ArrayPrototype.cpp: (JSC::holesMustForwardToPrototype): Refactored into helper function. (JSC::join): Refactored so that StringView is a function argument, making the lifetime simpler. (JSC::arrayProtoFuncJoin): Ditto. (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper. * runtime/JSGlobalObjectFunctions.cpp: (JSC::encode): Add explicit call to SafeView::get. * runtime/JSString.h: Moved declarations of functions to the top of the file instead of mixing them in with the function definitions. Changed return type of the view function to return a JSString::SafeView so that the JSString's lifetime will last as long as the StringView does in typical coding idioms. (JSC::JSString::getIndex): Use unsafeView so we can index into the view; could also have used view.get but here in this class this seems fine. (JSC::JSRopeString::unsafeView): Renamed existing view function to this. (JSC::JSString::unsafeView): Ditto. (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState and a JSString. The ExecState is needed to create the StringView, and the JSString needs to be kept alive as long as the StringView is. (JSC::JSString::SafeView::operator StringView): Call unsafeView. (JSC::JSString::SafeView::get): Convenience for when we want to call StringView member functions. (JSC::JSString::view): Added. Returns a SafeView. * runtime/StringPrototype.cpp: (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get. 2015-06-26 Csaba Osztrogonác Remove ARMv7Assembler.cpp https://bugs.webkit.org/show_bug.cgi?id=146340 Reviewed by Filip Pizlo. * CMakeLists.txt: * JavaScriptCore.xcodeproj/project.pbxproj: * assembler/ARMv7Assembler.cpp: Removed. 2015-06-26 Csaba Osztrogonác Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989 https://bugs.webkit.org/show_bug.cgi?id=146344 Reviewed by Yusuke Suzuki. * parser/Parser.cpp: (JSC::Parser::parseSourceElements): 2015-06-26 Aleksandr Skachkov [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. https://bugs.webkit.org/show_bug.cgi?id=144955 Reviewed by Yusuke Suzuki. Added support of ES6 arrow function. Changes were made according to following spec http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. Patch does not include any arrow function specific behavior e.g. lexical bind this, arguments and etc. This patch implements the simplest cases of arrow function declaration: parameters () => 10 + 20 parameter x => x + 20 parameters (x, y) => x + y function with block x => { return x*10; } Not implemented: bind of the this, arguments, super and etc. exception in case of trying to use 'new' with arrow function * parser/ASTBuilder.h: (JSC::ASTBuilder::createFunctionExpr): (JSC::ASTBuilder::createArrowFunctionExpr): (JSC::ASTBuilder::createGetterOrSetterProperty): (JSC::ASTBuilder::createFuncDeclStatement): * parser/Lexer.cpp: (JSC::Lexer::setTokenPosition): (JSC::Lexer::lex): * parser/Lexer.h: (JSC::Lexer::lastTokenLocation): (JSC::Lexer::setTerminator): * parser/Parser.cpp: (JSC::Parser::parseInner): (JSC::Parser::parseSourceElements): (JSC::Parser::parseArrowFunctionSingleExpressionBody): (JSC::Parser::parseSwitchClauses): (JSC::Parser::parseSwitchDefaultClause): (JSC::Parser::parseBlockStatement): (JSC::Parser::parseFunctionBody): (JSC::stringForFunctionMode): (JSC::Parser::parseFunctionParameters): (JSC::Parser::parseFunctionInfo): (JSC::Parser::parseFunctionDeclaration): (JSC::Parser::parseClass): (JSC::Parser::parseAssignmentExpression): (JSC::Parser::parsePropertyMethod): (JSC::Parser::parseGetterSetter): (JSC::Parser::parseArrowFunctionExpression): * parser/Parser.h: (JSC::Parser::locationBeforeLastToken): (JSC::Parser::isEndOfArrowFunction): (JSC::Parser::isArrowFunctionParamters): (JSC::Parser::setEndOfStatement): * parser/ParserFunctionInfo.h: * parser/ParserTokens.h: * parser/SourceCode.h: (JSC::SourceCode::subArrowExpression): * parser/SourceProviderCacheItem.h: (JSC::SourceProviderCacheItem::endFunctionToken): (JSC::SourceProviderCacheItem::SourceProviderCacheItem): * parser/SyntaxChecker.h: (JSC::SyntaxChecker::createArrowFunctionExpr): (JSC::SyntaxChecker::setFunctionNameStart): 2015-06-25 Yusuke Suzuki [ES6] Support rest element in destructuring assignments https://bugs.webkit.org/show_bug.cgi?id=146206 Reviewed by Oliver Hunt. This patch enables rest element (...rest) in array binding patterns. It generates array from the iterables. In variable declarations and parameters, `[...identifier]` form is only allowed, while expressions can take `[...[...rest]]` pattern. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitEnumeration): (JSC::BytecodeGenerator::emitIteratorNext): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::ArrayPatternNode::bindValue): (JSC::ArrayPatternNode::toString): * parser/ASTBuilder.h: (JSC::ASTBuilder::appendArrayPatternSkipEntry): (JSC::ASTBuilder::appendArrayPatternEntry): (JSC::ASTBuilder::appendArrayPatternRestEntry): * parser/Nodes.h: (JSC::ArrayPatternNode::appendIndex): * parser/Parser.cpp: (JSC::Parser::parseDeconstructionPattern): * parser/SyntaxChecker.h: (JSC::SyntaxChecker::operatorStackPop): * tests/stress/rest-elements.js: Added. (shouldBe): (shouldThrow): 2015-06-25 Commit Queue Unreviewed, rolling out r185956. https://bugs.webkit.org/show_bug.cgi?id=146321 Causes massive crashes on test bots (Requested by bfulgham on #webkit). Reverted changeset: "Enabling MEDIA_STREAM" https://bugs.webkit.org/show_bug.cgi?id=145947 http://trac.webkit.org/changeset/185956 2015-06-25 Michael Saboff Minor fix to idx bounds check after 185954 Rubber Stamped by Ryosuke Niwa. Changed "idx > 1" to "idx > 0" in two places. * runtime/ExceptionHelpers.cpp: (JSC::functionCallBase): 2015-06-25 Keith Miller Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack. https://bugs.webkit.org/show_bug.cgi?id=146297 Reviewed by Filip Pizlo. Since we cannot blacklist the system memcpy we must use our own naive implementation, copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is only called as part of an O(heapsize) operation. As the heap is generally much larger than the stack the performance hit is minimal. * heap/MachineStackMarker.cpp: (JSC::copyMemory): (JSC::MachineThreads::tryCopyOtherThreadStack): (JSC::asanUnsafeMemcpy): Deleted. 2015-06-25 Matthew Daiter Enabling MEDIA_STREAM https://bugs.webkit.org/show_bug.cgi?id=145947 Reviewed by Brent Fulgham. * Configurations/FeatureDefines.xcconfig: 2015-06-25 Michael Saboff REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689) https://bugs.webkit.org/show_bug.cgi?id=146298 Reviewed by Mark Lam. We were underflowing in ExceptionHelpers.cpp::functionCallBase() with a right to left string index. Added checks that idx stays within the string. Also added a termination condition when idx is 0. * runtime/ExceptionHelpers.cpp: (JSC::functionCallBase): 2015-06-24 Chris Dumez Unreviewed, speculative build fix after r185942. Add missing include for StrongInlines.h. * runtime/ArrayPrototype.cpp: 2015-06-24 Darin Adler Optimize Array.join and Array.reverse for high speed array types https://bugs.webkit.org/show_bug.cgi?id=146275 Reviewed by Mark Lam. This seems to yield another 17% speed improvement in the array test from the Peacekeeper benchmark. * runtime/ArrayPrototype.cpp: (JSC::isHole): Added. Helper to check for holes. (JSC::containsHole): Ditto. (JSC::arrayProtoFuncJoin): Added special cases for the various types of arrays that could be in a butterfly. (JSC::arrayProtoFuncReverse): Ditto. * runtime/JSStringJoiner.h: Made appendEmptyString public so we can call it from the new parts of Array.join. 2015-06-24 Filip Pizlo DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear https://bugs.webkit.org/show_bug.cgi?id=146291 rdar://problem/21435366 Reviewed by Michael Saboff. The filter() method returns Contradiction only when a value *becomes* clear. This is necessary for supporting the convention that non-JSValue nodes have a bottom proved type. (We should fix that convention eventually, but for now let's just be consistent about it.) * dfg/DFGFiltrationResult.h: Document the issue. * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue. (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): * dfg/DFGSpeculativeJIT64.cpp: Work around the issue. (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 2015-06-24 Michael Saboff Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo https://bugs.webkit.org/show_bug.cgi?id=146285 Reviewed by Filip Pizlo. CallLinkInfo's contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains a collection of PolymorphicCallNode. Those PolymorphicCallNodes have a reference back to the CallLinkInfo. When a CallLinkInfo replaces or clears "stub", the ref count of the PolymorphicCallStubRoutine is decremented as expected, but since it inherits from GCAwareJITStubRoutine, it isn't actually deleted until GC. In the mean time, the original CallLinkInfo can go away. If PolymorphicCallNode::unlink() is called at that point, it will try to unlink a now deleted CallLinkInfo and crash as a result. The fix is to clear the CallLinkInfo references from any PolymorphicCallNode objects when when we set a new stub or clear an existing stub for a CallLinkInfo. This is done by calling PolymorphicCallNode::clearCallNodesFor() on the old stub. The prior code would only call clearCallNodesFor() from the CallLinkInfo destructor. This only took care of the last PolymorphicCallStubRoutine held in the CallLinkInfo. Any prior PolymorphicCallStubRoutine would still have a, now bad, reference to the CallLinkInfo. In the process I refactored CallLinkInfo from a struct to a class with proper accessors and made all the data elements private. * bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::clearStub): Updated to call PolymorphicCallStubRoutine::clearCallNodesFor() to clear the back references to this CallLinkInfo. * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::~CallLinkInfo): Moved clearCallNodesFor() call to clearStub(). (JSC::CallLinkInfo::setStub): Clear any prior stub before changing to the new stub. 2015-06-24 Michael Saboff Refactor CallLinkInfo from a struct to a class https://bugs.webkit.org/show_bug.cgi?id=146292 Rubber stamped by Filip Pizlo. Refactored CallLinkInfo from a struct to a class with proper accessors and made all the data elements private. Done in preparation for fixing https://bugs.webkit.org/show_bug.cgi?id=146285. * bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::clearStub): (JSC::CallLinkInfo::unlink): (JSC::CallLinkInfo::visitWeak): * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::callTypeFor): (JSC::CallLinkInfo::CallLinkInfo): (JSC::CallLinkInfo::~CallLinkInfo): (JSC::CallLinkInfo::specializationKindFor): (JSC::CallLinkInfo::specializationKind): (JSC::CallLinkInfo::isLinked): (JSC::CallLinkInfo::setUpCall): (JSC::CallLinkInfo::setCallLocations): (JSC::CallLinkInfo::setUpCallFromFTL): (JSC::CallLinkInfo::callReturnLocation): (JSC::CallLinkInfo::hotPathBegin): (JSC::CallLinkInfo::hotPathOther): (JSC::CallLinkInfo::setCallee): (JSC::CallLinkInfo::clearCallee): (JSC::CallLinkInfo::callee): (JSC::CallLinkInfo::setLastSeenCallee): (JSC::CallLinkInfo::clearLastSeenCallee): (JSC::CallLinkInfo::lastSeenCallee): (JSC::CallLinkInfo::haveLastSeenCallee): (JSC::CallLinkInfo::setStub): (JSC::CallLinkInfo::stub): (JSC::CallLinkInfo::seenOnce): (JSC::CallLinkInfo::clearSeen): (JSC::CallLinkInfo::setSeen): (JSC::CallLinkInfo::hasSeenClosure): (JSC::CallLinkInfo::setHasSeenClosure): (JSC::CallLinkInfo::clearedByGC): (JSC::CallLinkInfo::setCallType): (JSC::CallLinkInfo::callType): (JSC::CallLinkInfo::addressOfMaxNumArguments): (JSC::CallLinkInfo::maxNumArguments): (JSC::CallLinkInfo::offsetOfSlowPathCount): (JSC::CallLinkInfo::setCalleeGPR): (JSC::CallLinkInfo::calleeGPR): (JSC::CallLinkInfo::slowPathCount): (JSC::CallLinkInfo::setCodeOrigin): (JSC::CallLinkInfo::codeOrigin): (JSC::getCallLinkInfoCodeOrigin): * bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeFor): (JSC::CallLinkStatus::computeFromCallLinkInfo): (JSC::CallLinkStatus::computeDFGStatuses): * bytecode/CallLinkStatus.h: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::printCallOp): (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link): * dfg/DFGOSRExitCompilerCommon.cpp: (JSC::DFG::reifyInlinedCallFrames): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * ftl/FTLJSCallBase.cpp: (JSC::FTL::JSCallBase::link): * jit/AccessorCallJITStubRoutine.h: * jit/JIT.cpp: (JSC::JIT::privateCompile): * jit/JIT.h: * jit/JITCall.cpp: (JSC::JIT::compileSetupVarargsFrame): (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileSetupVarargsFrame): (JSC::JIT::compileOpCall): * jit/JITOperations.cpp: * jit/PolymorphicCallStubRoutine.cpp: (JSC::PolymorphicCallNode::unlink): (JSC::PolymorphicCallNode::clearCallLinkInfo): * jit/PolymorphicCallStubRoutine.h: * jit/Repatch.cpp: (JSC::generateByIdStub): (JSC::linkSlowFor): (JSC::linkFor): (JSC::revertCall): (JSC::unlinkFor): (JSC::linkPolymorphicCall): * jit/ThunkGenerators.cpp: (JSC::virtualForThunkGenerator): 2015-06-24 Doug Russell Bug 146177 - AX: AXObjectCache should try to use an unignored accessibilityObject when posting a selection notification when on the border between two accessibilityObjects https://bugs.webkit.org/show_bug.cgi?id=146177 Add an adopt() function to simplify JSRetainPtr { Adopt, string } to adopt(string). Reviewed by Darin Adler. * API/JSRetainPtr.h: (adopt): 2015-06-24 Keith Miller Strict Equality on objects should only check that one of the two sides is an object. https://bugs.webkit.org/show_bug.cgi?id=145992 This patch adds a new optimization for checking strict equality on objects. If we speculate that a strict equality comparison has an object on one side we only need to type check that side. Equality is then determined by a pointer comparison between the two values (although in the 32-bit case we must also check that the other side is a cell). Once LICM hoists type checks out of a loop we can be cleverer about how we choose the operand we type check if both are speculated to be objects. For testing I added the addressOf function, which returns the address of a Cell to the runtime. Reviewed by Mark Lam. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileStrictEq): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq): * jsc.cpp: (GlobalObject::finishCreation): (functionAddressOf): * tests/stress/equality-type-checking.js: Added. (Foo): (checkStrictEq): (checkStrictEqOther): 2015-06-24 Mark Lam Fixed assertion in JSStringJoiner::join() (regression from r185899). Not reviewed. JSStringJoiner did not account for the case where the array being joined can have null or undefined elements. As a result, its size may be less than its initially reserved capacity (which was estimated based on the array length). * runtime/JSStringJoiner.cpp: (JSC::JSStringJoiner::join): 2015-06-24 Darin Adler Fix Array.concat with RuntimeArray (regression from my last patch) * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length. * runtime/JSArray.cpp: (JSC::JSArray::defineOwnProperty): Added comment about use of JSArray::length here that is incorrect (in a really non-obvious way). (JSC::JSArray::fillArgList): Ditto. (JSC::JSArray::copyToArguments): Ditto. * runtime/JSArray.h: Added a comment explaining that it is not always safe to use JSArray::length. 2015-06-23 Mark Lam Gardening: Fixing 2 bad asserts from r185889. https://bugs.webkit.org/show_bug.cgi?id=140575 Not reviewed. * runtime/JSBoundSlotBaseFunction.cpp: (JSC::JSBoundSlotBaseFunction::finishCreation): 2015-06-23 Dan Bernstein Fixed iOS production builds. * JavaScriptCore.xcodeproj/project.pbxproj: 2015-06-22 Darin Adler Make Array.join work directly on substrings without reifying them https://bugs.webkit.org/show_bug.cgi?id=146191 Reviewed by Andreas Kling. Besides the Array.join change, this has other optimizations based on profiling the Peacekeeper array benchmark. I measured a 14% speed improvement in the Peacekeeper array benchmark. Still a lot of low hanging fruit in that test because so many of functions on the array prototype are not optimizing for simple cases. For example, the reverse function does individual get and put calls even when the array is entirely made up of integers in contiguous storage. * runtime/ArrayPrototype.cpp: (JSC::getProperty): Use tryGetIndexQuickly first before getPropertySlot. (JSC::argumentClampedIndexFromStartOrEnd): Marked inline. (JSC::shift): Use the getProperty helper in this file instead of using getPropertySlot. Use putByIndexInline instead of calling putByIndex directly. In both cases this can yield a faster code path. (JSC::unshift): Ditto. (JSC::arrayProtoFuncToString): Updated to use the new JSStringJoiner interface. Changed local variable name to thisArray since it's not a JSObject*. Changed loop index to i instead of k. (JSC::arrayProtoFuncToLocaleString): Updated to use the new JSStringJoiner interface. Renamed thisObj to thisObject. Added a missing exception check after the toLocaleString function is called, but before toString is called the result of that function. (JSC::arrayProtoFuncJoin): Updated to use the new JSStringJointer interface. Added a missing exception check after calling toString on the separator but before calling get to get the first element in the array-like object being joined. Changed loop index to i instead of k. Added missing exception check after calling toString on each string from the array before calling get for the next element. (JSC::arrayProtoFuncConcat): Use JSArray::length instead of using the getLength function. (JSC::arrayProtoFuncReverse): Ditto. Also use putByIndexInline. (JSC::arrayProtoFuncShift): Ditto. (JSC::arrayProtoFuncSplice): Use getIndex instead of get, which includes some additional optimizations. (JSC::getOrHole): Deleted. Unused function. (JSC::arrayProtoFuncUnShift): Use putByIndexInline. * runtime/ExceptionHelpers.cpp: (JSC::errorDescriptionForValue): Removed the duplicate copy of the the logic from JSValue::toString. * runtime/JSCJSValue.cpp: (JSC::JSValue::toStringSlowCase): Improved the performance when converting a small integer to a single character string. (JSC::JSValue::toWTFStringSlowCase): Moved the contents of the inlineJSValueNotStringtoString function here. * runtime/JSCJSValue.h: Removed no longer used toWTFStringInline and fixed a comment with a typo. * runtime/JSObject.h: (JSC::JSObject::putByIndexInline): Marked ALWAYS_INLINE because this was not getting inlined at some call sites. (JSC::JSObject::indexingData): Deleted. Unused function. (JSC::JSObject::currentIndexingData): Deleted. Unused function. (JSC::JSObject::getHolyIndexQuickly): Deleted. Unused function. (JSC::JSObject::relevantLength): Deleted. Unused function. (JSC::JSObject::currentRelevantLength): Deleted. Unused function. * runtime/JSString.h: Added the StringViewWithUnderlyingString struct and the viewWithUnderlyingString function. Removed the inlineJSValueNotStringtoString and toWTFStringInline functions. * runtime/JSStringJoiner.cpp: (JSC::appendStringToData): Changed this to be a template instead of writing it out, since StringView::getCharactersWithUpconvert does almsot exactly what this function was trying to do. (JSC::joinStrings): Rewrote this to use StringView. (JSC::JSStringJoiner::joinedLength): Added. Factored out from the join function. (JSC::JSStringJoiner::join): Rewrote to make it a bit simpler. Added an assertion that we entirely filled capacity, since we are now reserving capacity and using uncheckedAppend. Use String instead of RefPtr because there was no particular value to using the impl directly. * runtime/JSStringJoiner.h: Changed the interface to the class to use StringView. Also changed this class so it now has the responsibility to convert each JSValue into a string. This let us share more code between toString and join, and also lets us use the new viewWithUnderlyingString function, which could be confusing at all the call sites, but is easier to understand here. 2015-06-23 Matthew Mirman Completes native binding descriptors with native getters and potentially setters. https://bugs.webkit.org/show_bug.cgi?id=140575 rdar://problem/19506502 Reviewed by Mark Lam. * CMakeLists.txt: Added JSBoundSlotBaseFunction.cpp * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * inspector/InjectedScriptSource.js: Added case for descriptor having a native getter. * runtime/JSBoundSlotBaseFunction.cpp: Added. (JSC::boundSlotBaseFunctionCall): (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction): Necessary wrapper for custom getters and setters as objects. (JSC::JSBoundSlotBaseFunction::create): (JSC::JSBoundSlotBaseFunction::visitChildren): (JSC::JSBoundSlotBaseFunction::finishCreation): * runtime/JSBoundSlotBaseFunction.h: Added. (JSC::JSBoundSlotBaseFunction::createStructure): (JSC::JSBoundSlotBaseFunction::boundSlotBase): (JSC::JSBoundSlotBaseFunction::customGetterSetter): (JSC::JSBoundSlotBaseFunction::isGetter): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): Added a globally initialized structure for JSBoundSlotBaseFunction (JSC::JSGlobalObject::visitChildren): visits that structure * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): added a getter for that structure * runtime/JSObject.cpp: (JSC::JSObject::getOwnPropertyDescriptor): extends the case for CustomGetterSetter to actually include GetterSetter as a JSBoundSlotBaseFunction * runtime/VM.cpp: Added initializer for customGetterSetterFunctionMap * runtime/VM.h: Added cache for JSBoundSlotBaseFunction 2015-06-22 Yusuke Suzuki [ES6] Allow trailing comma in ArrayBindingPattern and ObjectBindingPattern https://bugs.webkit.org/show_bug.cgi?id=146192 Reviewed by Darin Adler. According to the ES6 spec, trailing comma in ArrayBindingPattern and ObjectBindingPattern is allowed. And empty ArrayBindingPattern and ObjectBindingPattern is also allowed. This patch allows trailing comma and empty binding patterns. * bytecompiler/NodesCodegen.cpp: (JSC::ArrayPatternNode::bindValue): * parser/Parser.cpp: (JSC::Parser::parseDeconstructionPattern): * tests/stress/trailing-comma-in-patterns.js: Added. (shouldBe): (iterator): 2015-06-20 Yusuke Suzuki [ES6] Destructuring assignment need to accept iterables https://bugs.webkit.org/show_bug.cgi?id=144111 Reviewed by Darin Adler. This patch makes that destructuring assignments to array binding patterns accept iterables. Previously, it just access the indexed properties. After this patch, it iterates the given value by using ES6 iterator protocol. The iteration becomes different from the for-of case. 1. Since there's no break/continue case, finally scope is not necessary. 2. When the error is raised, the close status of the iterator becomes true. So IteratorClose is not called for that. 3. Since the array binding patterns requires a limited count of iterations (if there is no rest(...rest) case), IteratorClose is called when the iteration does not consume the all values of the iterator. 4. Since the array binding patterns requires a specified count of iterations, iterator's next call is skipped when iterator becomes closed. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitIteratorClose): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::ArrayPatternNode::bindValue): * parser/ASTBuilder.h: (JSC::ASTBuilder::finishArrayPattern): * parser/Nodes.h: * parser/Parser.cpp: (JSC::Parser::parseDeconstructionPattern): * parser/SyntaxChecker.h: (JSC::SyntaxChecker::operatorStackPop): * tests/stress/destructuring-assignment-accepts-iterables.js: Added. (shouldBe): (shouldThrow): (.set shouldThrow): 2015-06-19 Devin Rousso Web Inspector: Highlight currently edited CSS selector https://bugs.webkit.org/show_bug.cgi?id=145658 Reviewed by Joseph Pecoraro. * inspector/protocol/DOM.json: Added highlightSelector to show highlight over multiple nodes. 2015-06-19 Mark Lam Gardening: fix build for EWS bots. Not reviewed. * runtime/JSArray.cpp: (JSC::JSArray::setLengthWithArrayStorage): 2015-06-19 Michael Saboff Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL::fixFunctionBasedOnStackMaps + 17225 https://bugs.webkit.org/show_bug.cgi?id=146133 Reviewed by Geoffrey Garen. When generating code to put in inline caching areas, if there isn't enough space, then create and link to an out of line area. We connect the inline code to this out of line code area by planting a jump from the inline area to the out of line code and appending a jump at the end of the out of line code bck to the instruction following the inline area. We fill the unused inline area with nops, primarily to ensure the disassembler doesn't get confused. * ftl/FTLCompile.cpp: (generateInlineIfPossibleOutOfLineIfNot): New function that determines if there is enough space in the inline code area for the code to link. If so, it links inline, otherwise it links the code out of line and plants appropriate jumps to/from the out of line code. (generateICFastPath): (generateCheckInICFastPath): (fixFunctionBasedOnStackMaps): Use generateInlineIfPossibleOutOfLineIfNot() to link code intended for inline cache space. * ftl/FTLJITFinalizer.cpp: (JSC::FTL::JITFinalizer::finalizeFunction): * ftl/FTLJITFinalizer.h: (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo): Added code to finalize any out of line LinkBuffer created by generateInlineIfPossibleOutOfLineIfNot(). 2015-06-19 Geoffrey Garen WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276 https://bugs.webkit.org/show_bug.cgi?id=146163 Reviewed by Michael Saboff. There's no good way to test this in our test harness because we don't have a way to simulate executable memory pressure, and doing so would cause the cases that still use JITCompilationMustSucceed to crash. Instead, I tested by manually forcing all regexp JIT compilation to fail and running the JavaScriptCore tests. * yarr/YarrJIT.cpp: (JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can fall back to the regexp interpreter if we need to. 2015-06-19 Mark Lam Employ explicit operator bool() instead of using the UnspecifiedBoolType workaround. https://bugs.webkit.org/show_bug.cgi?id=146154 Reviewed by Darin Adler. * assembler/MacroAssemblerCodeRef.h: (JSC::MacroAssemblerCodePtr::dataLocation): (JSC::MacroAssemblerCodePtr::operator bool): (JSC::MacroAssemblerCodePtr::operator==): (JSC::MacroAssemblerCodeRef::tryToDisassemble): (JSC::MacroAssemblerCodeRef::operator bool): (JSC::MacroAssemblerCodeRef::dump): (JSC::MacroAssemblerCodePtr::operator UnspecifiedBoolType*): Deleted. (JSC::MacroAssemblerCodeRef::operator UnspecifiedBoolType*): Deleted. * bytecode/CodeOrigin.cpp: (JSC::CodeOrigin::isApproximatelyEqualTo): - Fixed a bug here where we were expecting to compare Executable pointers, but ended up comparing a (UnspecifiedBoolType*)1 with another (UnspecifiedBoolType*)1. * bytecode/LLIntCallLinkInfo.h: (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo): (JSC::LLIntCallLinkInfo::isLinked): (JSC::LLIntCallLinkInfo::unlink): * dfg/DFGBlockWorklist.h: (JSC::DFG::BlockWith::BlockWith): (JSC::DFG::BlockWith::operator bool): (JSC::DFG::BlockWithOrder::BlockWithOrder): (JSC::DFG::BlockWithOrder::operator bool): (JSC::DFG::BlockWith::operator UnspecifiedBoolType*): Deleted. (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*): Deleted. * dfg/DFGIntegerRangeOptimizationPhase.cpp: * dfg/DFGLazyNode.h: (JSC::DFG::LazyNode::operator!): (JSC::DFG::LazyNode::operator bool): (JSC::DFG::LazyNode::operator UnspecifiedBoolType*): Deleted. * heap/CopyWriteBarrier.h: (JSC::CopyWriteBarrier::operator!): (JSC::CopyWriteBarrier::operator bool): (JSC::CopyWriteBarrier::get): (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*): Deleted. * heap/Handle.h: (JSC::HandleBase::operator!): (JSC::HandleBase::operator bool): (JSC::HandleBase::slot): (JSC::HandleBase::operator UnspecifiedBoolType*): Deleted. * heap/Strong.h: (JSC::Strong::operator!): (JSC::Strong::operator bool): (JSC::Strong::swap): (JSC::Strong::operator UnspecifiedBoolType*): Deleted. * jit/JITWriteBarrier.h: (JSC::JITWriteBarrierBase::operator bool): (JSC::JITWriteBarrierBase::operator!): (JSC::JITWriteBarrierBase::setFlagOnBarrier): (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*): Deleted. * runtime/JSArray.cpp: (JSC::JSArray::setLengthWithArrayStorage): * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: (JSC::JSValue::JSValue): (JSC::JSValue::operator bool): (JSC::JSValue::operator==): (JSC::JSValue::operator UnspecifiedBoolType*): Deleted. * runtime/JSObject.h: (JSC::JSObject::hasSparseMap): * runtime/PropertyDescriptor.h: (JSC::PropertyDescriptor::writablePresent): (JSC::PropertyDescriptor::enumerablePresent): (JSC::PropertyDescriptor::configurablePresent): (JSC::PropertyDescriptor::setterPresent): (JSC::PropertyDescriptor::getterPresent): * runtime/WriteBarrier.h: (JSC::WriteBarrierBase::slot): (JSC::WriteBarrierBase::operator bool): (JSC::WriteBarrierBase::operator!): (JSC::WriteBarrierBase::tagPointer): (JSC::WriteBarrierBase::payloadPointer): (JSC::WriteBarrierBase::operator bool): (JSC::WriteBarrierBase::operator!): (JSC::WriteBarrierBase::operator UnspecifiedBoolType*): Deleted. (JSC::WriteBarrierBase::operator UnspecifiedBoolType*): Deleted. 2015-06-19 Anders Carlsson Add a JSC symlink in /System/Library/PrivateFrameworks https://bugs.webkit.org/show_bug.cgi?id=146158 rdar://problem/21465968 Reviewed by Dan Bernstein. * JavaScriptCore.xcodeproj/project.pbxproj: 2015-06-19 Joseph Pecoraro Web Inspector: Avoid getOwnPropertyNames/Symbols on very large lists https://bugs.webkit.org/show_bug.cgi?id=146141 Reviewed by Timothy Hatcher. * inspector/InjectedScriptSource.js: (InjectedScript.prototype._propertyDescriptors): Avoid calling getOwnPropertyNames/Symbols on very large lists. Instead just generate property descriptors for the first 100 indexes. Note this would behave poorly for sparse arrays with a length > 100, but general support for lists with more than 100 elements is poor. See: Web Inspector: Better handling for large collections in Object Trees 2015-06-18 Yusuke Suzuki [DFG] Avoid OSR exit in the middle of string concatenation https://bugs.webkit.org/show_bug.cgi?id=145820 Reviewed by Filip Pizlo. DFG attempt to compile ValueAdd with String type into MakeRope(left, ToString(ToPrimitive(right))). So when right is speculated as SpecObject, ToPrimitive(SpecObject) is speculated as SpecString. It leads ToString to become Identity with a speculated type check. However, ToPrimitive and ToString are originated from the same bytecode. And ToPrimitive may have an observable side effect when the given parameter is an object (calling object.{toString,valueOf}). So when object.toString() returns a number (it is allowed in the ES spec), ToPrimitive performs observable `object.toString()` calling. But ToString is converted into a speculated type check for SpecString and it raises OSR exit. And we exit to the original ValueAdd's bytecode position and it redundantly performs an observable ToPrimitive execution. To fix this, this patch avoid fixing up for newly introduced ToString node. Since fix up phase is not iterated repeatedly, by avoiding fixing up when generating the node, we can avoid conversion from ToString to Check. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): * tests/stress/toprimitive-speculated-types.js: Added. (shouldBe): (raw): (Counter): 2015-06-18 Brian J. Burg Web Inspector: improve generated types for objects passed to backend commands https://bugs.webkit.org/show_bug.cgi?id=146091 Reviewed by Joseph Pecoraro. The main change is that objects passed in will have a type like const T& or const T*, rather than const RefPtr&&. These protocol objects are owned by the generated dispatcher methods and only exist to pass data to backend command implementations. So, there is no reason for callees to add a reference or take ownership of these inputs. Some small improvements were made in the code generator to standardize how these expressions are generated for parameters. Optional in parameters are now prefixed with 'opt_in_' to make the generated method signatures and implementations clearer. * inspector/InspectorValues.cpp: (Inspector::InspectorArrayBase::get): Add const qualifier. * inspector/InspectorValues.h: * inspector/agents/InspectorDebuggerAgent.cpp: (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): (Inspector::parseLocation): (Inspector::InspectorDebuggerAgent::setBreakpoint): (Inspector::InspectorDebuggerAgent::continueToLocation): * inspector/agents/InspectorDebuggerAgent.h: * inspector/agents/InspectorRuntimeAgent.cpp: (Inspector::InspectorRuntimeAgent::callFunctionOn): (Inspector::InspectorRuntimeAgent::saveResult): (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): * inspector/agents/InspectorRuntimeAgent.h: * inspector/scripts/codegen/cpp_generator.py: Always generate PrimitiveType('array'). (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Alter the type signature for an unchecked input to use pointers or references. * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command): (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command): Local variables for optional parameters now have the 'opt_' prefix. * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py: (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): Local variables for optional parameters now have the 'opt_' prefix. Split parameterName and parameterKey into two separate template variables to avoid mixups. * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: 2015-06-18 Joseph Pecoraro Unreviewed. Rollout r185670 as it caused some tests to be flakey. * debugger/Debugger.cpp: 2015-06-17 Alex Christensen [Content Extensions] Log blocked loads to the WebInspector console https://bugs.webkit.org/show_bug.cgi?id=146089 Reviewed by Joseph Pecoraro. * inspector/ConsoleMessage.cpp: (Inspector::messageSourceValue): * inspector/protocol/Console.json: * runtime/ConsoleTypes.h: Add content blocker message source. 2015-06-18 Saam Barati [ES6] support default values in deconstruction parameter nodes https://bugs.webkit.org/show_bug.cgi?id=142679 Reviewed by Darin Adler. ES6 destructuring allows destructuring properties to assign default values. A link to the spec: https://people.mozilla.org/~jorendorff/es6-draft.html#sec-destructuring-binding-patterns This patch implements default values for all places where deconstruction is allowed besides function parameters. This is because function parameters are parsed in a separate parser arena than the function body itself and ExpresionNode's which are default values for deconstruction parameters will be deallocated by the time we parse the body of the function. I have opened a bug to address this problem: https://bugs.webkit.org/show_bug.cgi?id=145995 * bytecompiler/NodesCodegen.cpp: (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): (JSC::assignDefaultValueIfUndefined): (JSC::ArrayPatternNode::bindValue): (JSC::ArrayPatternNode::emitDirectBinding): (JSC::ArrayPatternNode::toString): (JSC::ArrayPatternNode::collectBoundIdentifiers): (JSC::ObjectPatternNode::bindValue): * parser/ASTBuilder.h: (JSC::ASTBuilder::appendArrayPatternSkipEntry): (JSC::ASTBuilder::appendArrayPatternEntry): (JSC::ASTBuilder::createObjectPattern): (JSC::ASTBuilder::appendObjectPatternEntry): (JSC::ASTBuilder::createBindingLocation): * parser/Nodes.h: (JSC::ArrayPatternNode::appendIndex): (JSC::ObjectPatternNode::appendEntry): (JSC::ObjectPatternNode::Entry::Entry): Deleted. * parser/Parser.cpp: (JSC::Parser::parseDeconstructionPattern): (JSC::Parser::parseDefaultValueForDeconstructionPattern): (JSC::Parser::parseConstDeclarationList): * parser/Parser.h: * parser/SyntaxChecker.h: (JSC::SyntaxChecker::operatorStackPop): 2015-06-17 Joseph Pecoraro Web Inspector: Do not show JavaScriptCore builtins in inspector https://bugs.webkit.org/show_bug.cgi?id=146049 Reviewed by Timothy Hatcher. * debugger/Debugger.cpp: 2015-06-17 Andreas Kling [JSC] jsSubstring() should have a fast path for 0..baseLength "substrings." Reviewed by Anders Carlsson. If asked to make a substring that actually spans the entire base string, have jsSubstring() just return the base instead of allocating a new JSString. 3% speed-up on Octane/regexp. * runtime/JSString.h: (JSC::jsSubstring): 2015-06-16 Alex Christensen 32-bit build fix after r185640. * dfg/DFGIntegerRangeOptimizationPhase.cpp: Explicitly cast clamped int64_t to an int. 2015-06-09 Filip Pizlo FTL should eliminate array bounds checks in loops https://bugs.webkit.org/show_bug.cgi?id=145768 Reviewed by Benjamin Poulain. This adds a phase that does forward propagation of integer inequalities. This allows us to do the algebraic reasoning we need to eliminate array bounds checks in loops. It also eliminates overflow checks on ArithAdd with a constant. The phase's analysis produces results that are powerful enough to do speculative bounds check hoisting, but this phase currently only does elimination. We can implement hoisting later. On programs that just loop over an array like: for (var i = 0; i < array.length; ++i) thingy += array[i] This change is a 60% speed-up. This is also a ~3% speed-up on Kraken, and it shows various speed-ups on individual tests in Octane. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGIntegerRangeOptimizationPhase.cpp: Added. (JSC::DFG::performIntegerRangeOptimization): * dfg/DFGIntegerRangeOptimizationPhase.h: Added. * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * tests/stress/add-overflows-after-not-equal.js: Added. * tests/stress/no-abc-skippy-loop.js: Added. * tests/stress/no-abc-skippy-paired-loop.js: Added. * tests/stress/sub-overflows-after-not-equal.js: Added. 2015-06-16 Andreas Kling Remove unused template parameter InlineCapacity from SegmentedVector. Reviewed by Anders Carlsson. * bytecode/ArrayProfile.h: * dfg/DFGCommonData.h: 2015-06-16 Michael Saboff Inlining in the DFG trashes ByteCodeParser::m_currentInstruction for the calling function https://bugs.webkit.org/show_bug.cgi?id=146029 Reviewed by Benjamin Poulain. Save and restore m_currentInstruction around call to ByteCodeParser::inlineCall() as it will use m_currentInstruction during its own parsing. This happens because inlineCall() parses the inlined callee's bytecodes by calling parseCodeBlock() which calls parseBlock() on each block. It is in parseBlock() that we set m_currentInstruction to an instruction before we parse it. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::attemptToInlineCall): (JSC::DFG::ByteCodeParser::parseBlock): Added an ASSERT to catch this issue. 2015-06-16 Filip Pizlo Unreviewed, roll out unintended JSC change from https://trac.webkit.org/changeset/185425. * bytecode/CodeBlock.h: (JSC::CodeBlock::hasExitSite): (JSC::CodeBlock::exitProfile): (JSC::CodeBlock::numberOfExitSites): Deleted. * bytecode/DFGExitProfile.cpp: (JSC::DFG::ExitProfile::add): * bytecode/DFGExitProfile.h: (JSC::DFG::ExitProfile::hasExitSite): (JSC::DFG::ExitProfile::size): Deleted. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::inliningCost): * runtime/Options.h: 2015-06-16 Mark Lam Use NakedPtr& to return exception results. https://bugs.webkit.org/show_bug.cgi?id=145870 Reviewed by Anders Carlsson and Filip Pizlo. Before r185259, calls into the VM takes a JSValue* exception result argument for returning any uncaught exception that may have been thrown while executing JS code. As a result, clients of the VM functions will declare a local JSValue exception result which is automatically initialized to a null value (i.e. the empty value, not the JS null value). With r185259, the VM functions were changed to take an Exception*& exception result instead, and the VM functions are responsible for initializing the exception result to null if no exception is thrown. This introduces 2 issues: 1. the VM functions are vulnerable to modifications that may add early returns before the exception result is nullified. This can result in the exception result being used without initialization. 2. Previously, a client could technically use the same exception result for more than one calls into the VM functions. If an earlier call sets it to a thrown value, the thrown value will stick unless a subsequent call throws a different exception. With the new Exception*& exception result, the VM functions will always clear the exception result before proceeding. As a result, the client's exception result will be null after the second call even though the first call saw an exception thrown. This is a change in the expected behavior. To fix these issues, we'll introduce a NakedPtr smart pointer whose sole purpose is to guarantee that the pointer is initialized. The VM functions will now take a NakedPtr& instead of the Exception*&. This ensures that the exception result is initialized. The VM functions be also reverted to only set the exception result if a new exception is thrown. * API/JSBase.cpp: (JSEvaluateScript): * API/JSScriptRef.cpp: * bindings/ScriptFunctionCall.cpp: (Deprecated::ScriptFunctionCall::call): * bindings/ScriptFunctionCall.h: * debugger/Debugger.cpp: (JSC::Debugger::hasBreakpoint): * debugger/Debugger.h: * debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::thisValue): (JSC::DebuggerCallFrame::evaluate): * debugger/DebuggerCallFrame.h: (JSC::DebuggerCallFrame::isValid): * inspector/InjectedScriptManager.cpp: (Inspector::InjectedScriptManager::createInjectedScript): * inspector/InspectorEnvironment.h: * inspector/JSJavaScriptCallFrame.cpp: (Inspector::JSJavaScriptCallFrame::evaluate): * inspector/JavaScriptCallFrame.h: (Inspector::JavaScriptCallFrame::vmEntryGlobalObject): (Inspector::JavaScriptCallFrame::thisValue): (Inspector::JavaScriptCallFrame::evaluate): * inspector/ScriptDebugServer.cpp: (Inspector::ScriptDebugServer::evaluateBreakpointAction): * jsc.cpp: (functionRun): (functionLoad): (runWithScripts): (runInteractive): * runtime/CallData.cpp: (JSC::call): * runtime/CallData.h: * runtime/Completion.cpp: (JSC::checkSyntax): (JSC::evaluate): * runtime/Completion.h: (JSC::evaluate): 2015-06-15 Filip Pizlo FTL boolify() UntypedUse is wrong in the masquerades-as-undefined case https://bugs.webkit.org/show_bug.cgi?id=146002 Reviewed by Darin Adler. * ftl/FTLLowerDFGToLLVM.cpp: Put this in an anonymous namespace. We should have done that all along. It makes it easier to add debug code. (JSC::FTL::DFG::LowerDFGToLLVM::boolify): Fix the bug. * tests/stress/logical-not-masquerades.js: Added. This test creates a masquerader so that the watchpoint is invalid. Previously this would fail for the normal object cases. (foo): 2015-06-16 Andreas Kling [JSC] Pre-bake final Structure for RegExp matches arrays. Reviewed by Darin Adler. Since we always add the "index" and "input" fields to RegExp matches arrays, cache a finished structure on the global object so we can create these arrays without starting from scratch with a bare array every time. 10% progression on Octane/regexp (on my MBP.) * runtime/JSArray.h: (JSC::JSArray::create): (JSC::JSArray::tryCreateUninitialized): (JSC::JSArray::createWithButterfly): Factored out JSArray construction into a helper so we can call this from RegExpMatchesArray.cpp. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::regExpMatchesArrayStructure): Add a cached Structure for RegExp subpattern matches arrays. * runtime/JSObject.h: (JSC::JSNonFinalObject::finishCreation): Tweak assertion that used to check that JSNonFinalObjects always start out with zero capacity. Since RegExp matches arrays now start out with capacity for 2 properties, that won't work. Change it to check that we don't have inline storage instead, since that should only be used by final objects. * runtime/RegExpMatchesArray.h: * runtime/RegExpMatchesArray.cpp: (JSC::tryCreateUninitializedRegExpMatchesArray): Helper to construct a JSArray with the cached Structure and a Butterfly with 2 slots of property storage. (JSC::createRegExpMatchesArray): (JSC::createRegExpMatchesArrayStructure): Creates the array Structure that gets cached by the JSGlobalObject. 2015-06-16 Saam Barati LLInt's code path for get_from_scope with case GlobalVarWithVarInjectionChecks has dead code https://bugs.webkit.org/show_bug.cgi?id=144268 Reviewed by Darin Adler. The call to loadVariable(.) both for 32bit and 64bit is unnecessary. It grabs a value that is immediately overwritten by a call to getGlobalVar(). * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2015-06-14 Yusuke Suzuki [ES6] Introduce %IteratorPrototype% and drop all XXXIteratorConstructor https://bugs.webkit.org/show_bug.cgi?id=145963 Reviewed by Darin Adler. ES6 iterators inherit %IteratorPrototype%. And these prototype objects of derived iterators don't have @@iterator methods. Instead they use the %IteratorPrototype%[@@iterator] method. To encourage inlining in for-of statement, we define this method in JS builtins. And these iterator prototype objects don't have any constructor function. This patch drops them (like StringIteratorConstructor). * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * builtins/Iterator.prototype.js: Renamed from Source/JavaScriptCore/runtime/StringIteratorConstructor.cpp. (SymbolIterator): * runtime/ArrayIteratorConstructor.cpp: (JSC::ArrayIteratorConstructor::finishCreation): Deleted. * runtime/ArrayIteratorConstructor.h: Removed. (JSC::ArrayIteratorConstructor::create): Deleted. (JSC::ArrayIteratorConstructor::createStructure): Deleted. (JSC::ArrayIteratorConstructor::ArrayIteratorConstructor): Deleted. * runtime/ArrayIteratorPrototype.cpp: (JSC::ArrayIteratorPrototype::finishCreation): (JSC::arrayIteratorProtoFuncIterator): Deleted. * runtime/IteratorPrototype.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorConstructor.cpp. (JSC::IteratorPrototype::finishCreation): * runtime/IteratorPrototype.h: Renamed from Source/JavaScriptCore/runtime/SetIteratorConstructor.h. (JSC::IteratorPrototype::create): (JSC::IteratorPrototype::createStructure): (JSC::IteratorPrototype::IteratorPrototype): * runtime/JSFunction.cpp: (JSC::JSFunction::createBuiltinFunction): * runtime/JSFunction.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::iteratorPrototype): * runtime/MapIteratorConstructor.cpp: Removed. (JSC::MapIteratorConstructor::finishCreation): Deleted. * runtime/MapIteratorConstructor.h: Removed. (JSC::MapIteratorConstructor::create): Deleted. (JSC::MapIteratorConstructor::createStructure): Deleted. (JSC::MapIteratorConstructor::MapIteratorConstructor): Deleted. * runtime/MapIteratorPrototype.cpp: (JSC::MapIteratorPrototype::finishCreation): Deleted. (JSC::MapIteratorPrototypeFuncIterator): Deleted. * runtime/SetIteratorConstructor.cpp: Removed. (JSC::SetIteratorConstructor::finishCreation): Deleted. * runtime/SetIteratorConstructor.h: (JSC::SetIteratorConstructor::create): Deleted. (JSC::SetIteratorConstructor::createStructure): Deleted. (JSC::SetIteratorConstructor::SetIteratorConstructor): Deleted. * runtime/SetIteratorPrototype.cpp: (JSC::SetIteratorPrototype::finishCreation): Deleted. (JSC::SetIteratorPrototypeFuncIterator): Deleted. * runtime/StringIteratorConstructor.cpp: (JSC::StringIteratorConstructor::finishCreation): Deleted. * runtime/StringIteratorConstructor.h: Removed. (JSC::StringIteratorConstructor::create): Deleted. (JSC::StringIteratorConstructor::createStructure): Deleted. (JSC::StringIteratorConstructor::StringIteratorConstructor): Deleted. * runtime/StringIteratorPrototype.cpp: (JSC::StringIteratorPrototype::finishCreation): (JSC::stringIteratorPrototypeIterator): Deleted. * tests/stress/iterator-prototype.js: Added. (shouldBe): (inheritIteratorPrototype): (testChain): 2015-06-15 Michael Saboff JIT bug - fails when inspector closed, works when open https://bugs.webkit.org/show_bug.cgi?id=145243 Reviewed by Oliver Hunt. We need to provide the Arguments object as the base when creating the HeapLocation for GetFromArguments and PutToArguments. Otherwise we endup creating a HeapLocation for any arguments object, not the one we need. * dfg/DFGClobberize.h: (JSC::DFG::clobberize): 2015-06-13 Joseph Pecoraro Web Inspector: console.table() with a list of objects no longer works https://bugs.webkit.org/show_bug.cgi?id=145952 Reviewed by Timothy Hatcher. * inspector/InjectedScriptSource.js: (InjectedScript.RemoteObject.prototype._generatePreview): Calling generatePreview again was actually starting with a preview of the current object instead of the sub-value. Go down the other path that correctly generates sub-previews. Leave filtering on the backend unimplemented, which we were already ignoring. 2015-06-13 Youenn Fablet [Streams API] ReadableJSStream should handle promises returned by JS source start callback https://bugs.webkit.org/show_bug.cgi?id=145792 Reviewed by Darin Adler. Added support for JSFunction implemented by std::function. * runtime/JSFunction.cpp: (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create (JSC::JSFunction::create): (JSC::runStdFunction): * runtime/JSFunction.h: Added std::function based JSFunction::create prototype. * runtime.JSPromise.h: 2015-06-12 Gyuyoung Kim Purge PassRefPtr in JavaScriptCore - 2 https://bugs.webkit.org/show_bug.cgi?id=145834 Reviewed by Darin Adler. As a step to remove PassRefPtr, this patch cleans up PassRefPtr as much as possible in JavaScriptCore. * API/JSClassRef.cpp: (OpaqueJSClass::create): * API/JSClassRef.h: * debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::callerFrame): * debugger/DebuggerCallFrame.h: * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::jitCode): * inspector/ScriptCallStackFactory.cpp: (Inspector::createScriptCallStack): (Inspector::createScriptCallStackForConsole): (Inspector::createScriptCallStackFromException): (Inspector::createScriptArguments): * inspector/ScriptCallStackFactory.h: * jit/ExecutableAllocator.cpp: (JSC::ExecutableAllocator::allocate): * jit/ExecutableAllocator.h: * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::ExecutableAllocator::allocate): * profiler/LegacyProfiler.cpp: (JSC::LegacyProfiler::stopProfiling): * profiler/LegacyProfiler.h: * runtime/DateInstanceCache.h: * runtime/Executable.cpp: (JSC::ScriptExecutable::newCodeBlockFor): * runtime/Executable.h: * runtime/GenericTypedArrayView.h: * runtime/GenericTypedArrayViewInlines.h: (JSC::GenericTypedArrayView::create): (JSC::GenericTypedArrayView::createUninitialized): 2015-06-12 Darin Adler Fix minor ES6 compliance issue in RegExp.prototype.toString and optimize performance a little https://bugs.webkit.org/show_bug.cgi?id=145935 Reviewed by Anders Carlsson. Test: js/regexp-toString.html * runtime/RegExpPrototype.cpp: (JSC::getFlags): Avoid memory allocation for the flags string by returning it in a character buffer instead of constructing a WTF::String for it. (JSC::regExpProtoFuncToString): Require only that the this value be an object; don't require that it is actually a regular expression object. This is covered in the ES6 specification. Also removed comment about the "/(?:)/" trick since that is now the repsonsibility of the getter for the "source" property. Updated to use getFlags so we do one less memory allocation. (JSC::regExpProtoGetterFlags): Chagned to use getFlags instead of the old flagsString. 2015-06-12 Basile Clement DFG Object Allocation Sinking should not consider GetClosureVar as escapes https://bugs.webkit.org/show_bug.cgi?id=145904 Reviewed by Filip Pizlo. The object allocation sinking phase is currently able to sink CreateActivation nodes, but will consider any GetClosureVar node as escaping. This is not problematic in general as most of the GetClosureVar nodes we would have been able to sink over will have been eliminated by CSE anyway. Still, this is an oversight that we should fix since the machinery is already in place. * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): * dfg/DFGPromoteHeapAccess.h: (JSC::DFG::promoteHeapAccess): 2015-06-11 Mark Lam WebCore::reportException() needs to be able to accept a raw thrown value in addition to Exception objects. https://bugs.webkit.org/show_bug.cgi?id=145872 Reviewed by Michael Saboff. In r185259, we changed exception handling code inside the VM to work with Exception objects instead of the thrown JSValue. The handling code will get the exception stack trace from the Exception object. However, there is some code that cannot be updated to pass the Exception object. An example of this are the ObjC API functions. Those functions are specified to return any thrown exception JSValue in a JSValueRef. Since these APIs are public, we cannot arbitrarily change them to use the Exception object. There are client code that calls these APIs and then passes the returned exception JSValue to WebCore::reportException() to be reported. WebCore::reportException() previously relied on the VM::exceptionStackTrace() to provide a cache of the stack trace of the last thrown exception. VM::exceptionStackTrace() no longer exists in the current code. To restore this functionality, we will introduce VM::lastException() which caches the last thrown Exception object. With this, if the exception passed to WebCore::reportException() to be reported isn't an Exception object (which has its own stack trace), reportException() can again use the cached exception stack trace which is available from VM::lastException(). * heap/Heap.cpp: (JSC::Heap::visitException): - visit VM::m_lastException on GCs. * interpreter/CallFrame.h: (JSC::ExecState::lastException): (JSC::ExecState::clearLastException): - convenience functions to get and clear the last exception. * runtime/Exception.cpp: (JSC::Exception::create): (JSC::Exception::finishCreation): - add support to create an Exception object without capturing the JS stack trace. This is needed for making an Exception object to wrap a thrown value that does not have a stack trace. Currently, this is only used by WebCore::reportException() when there is no Exception object and no last exception available to provide a stack trace. * runtime/Exception.h: (JSC::Exception::cast): Deleted. No longer needed. * runtime/VM.h: (JSC::VM::clearLastException): (JSC::VM::setException): (JSC::VM::lastException): (JSC::VM::addressOfLastException): - Added support for VM::m_lastException. VM::m_lastException serves to cache the exception stack of the most recently thrown exception like VM::exceptionStackTrace() used to before r185259. * runtime/VMEntryScope.cpp: (JSC::VMEntryScope::VMEntryScope): - Clear VM::m_lastException when we re-enter the VM. Exceptions should have been handled before we re-enter the VM anyway. So, this is a good place to release the cached last exception. NOTE: this is also where the old code before r185259 clears the last exception stack trace. So, we're just restoring the previous behavior here in terms of the lifecycle of the last exception stack. 2015-06-11 Andreas Kling jsSubstring() should support creating substrings from substrings. Reviewed by Geoffrey Garen Tweak jsSubstring() to support base strings that are themselves substrings. They will now share the same grandparent base. This avoids creating a new StringImpl. * runtime/JSString.h: (JSC::jsSubstring): Don't force rope resolution here. Instead do that in finishCreation() if the base string is a non-substring rope. Note that resolveRope() is the very last thing called, since it may allocate and the JSRopeString needs to be ready for marking. (JSC::JSString::isSubstring): Added a helper to find out if a JSString is a substring. This is just for internal use, so you don't have to cast to JSRopeString for the real substringness flag. 2015-06-11 Commit Queue Unreviewed, rolling out r185465. https://bugs.webkit.org/show_bug.cgi?id=145893 "This patch is breaking 32bit mac build" (Requested by youenn on #webkit). Reverted changeset: "[Streams API] ReadableJSStream should handle promises returned by JS source start callback" https://bugs.webkit.org/show_bug.cgi?id=145792 http://trac.webkit.org/changeset/185465 2015-06-11 Youenn Fablet [Streams API] ReadableJSStream should handle promises returned by JS source start callback https://bugs.webkit.org/show_bug.cgi?id=145792 Reviewed by Darin Adler. Added support for JSFunction implemented by std::function. * runtime/JSFunction.cpp: (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create (JSC::JSFunction::create): (JSC::runStdFunction): * runtime/JSFunction.h: Added std::function based JSFunction::create prototype. * runtime.JSPromise.h: 2015-06-10 Yusuke Suzuki ASSERTION FAILED: s.length() > 1 on LayoutTests/js/regexp-flags.html https://bugs.webkit.org/show_bug.cgi?id=145599 Unreviewed, simple follow up patch. use jsString instead of jsMakeNontrivialString since the flag string may be trivial (0 or 1 length). * runtime/RegExpPrototype.cpp: (JSC::regExpProtoGetterFlags): 2015-06-10 Yusuke Suzuki JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure https://bugs.webkit.org/show_bug.cgi?id=90678 Reviewed by Darin Adler. After ES6, escaped reserved words in identifiers are prohibited. After parsing Identifier, we should perform `m_buffer16.shrink(0)`. * parser/Lexer.cpp: (JSC::Lexer::parseIdentifierSlowCase): * tests/mozilla/ecma_3/Unicode/uc-003.js: (test): Deleted. * tests/stress/reserved-word-with-escape.js: Added. (testSyntax): (testSyntaxError): 2015-06-10 Jordan Harband Implement RegExp.prototype.flags https://bugs.webkit.org/show_bug.cgi?id=145599 Reviewed by Geoffrey Garen. Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-get-regexp.prototype.flags * runtime/CommonIdentifiers.h: * runtime/RegExpPrototype.cpp: (JSC::flagsString): (JSC::regExpProtoFuncToString): (JSC::regExpProtoGetterFlags): * tests/stress/static-getter-in-names.js: 2015-06-10 Filip Pizlo DFG ASSERTION FAILED: !iterate() on stress/singleton-scope-then-overwrite.js.ftl-eager https://bugs.webkit.org/show_bug.cgi?id=145853 Unreviewed, remove the assertion. * dfg/DFGCSEPhase.cpp: 2015-06-10 Commit Queue Unreviewed, rolling out r185414. https://bugs.webkit.org/show_bug.cgi?id=145844 broke debug and jsc tests (Requested by alexchristensen on #webkit). Reverted changeset: "JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure" https://bugs.webkit.org/show_bug.cgi?id=90678 http://trac.webkit.org/changeset/185414 2015-06-10 Yusuke Suzuki JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure https://bugs.webkit.org/show_bug.cgi?id=90678 Reviewed by Darin Adler. After ES6, escaped reserved words in identifiers are prohibited. * parser/Lexer.cpp: (JSC::Lexer::parseIdentifierSlowCase): * tests/stress/reserved-word-with-escape.js: Added. (testSyntax): (testSyntaxError): 2015-06-10 Andreas Kling [JSC] InlineCallFrame::arguments should be sized-to-fit. Reviewed by Darin Adler. I spotted this Vector looking a bit chubby in Instruments, with 354 kB of memory allocated on cnet.com. Use resizeToFit() instead of resize() since we know the final size up front. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 2015-06-09 Chris Dumez Allow one sync GC per gcTimer interval on critical memory pressure warning https://bugs.webkit.org/show_bug.cgi?id=145773 Reviewed by Geoffrey Garen. On critical memory pressure warning, we were calling GCController::garbageCollectSoon(), which does not offer any guarantee on when the garbage collection will actually take place. On critical memory pressure, we need to free up memory as soon as possible to avoid getting killed so this is an issue. Also, the fact that we clear the PageCache on critical memory pressure means a GC would likely be useful, even if the last collection did not free much memory. This patch adds a new GCController::garbageCollectNowIfNotDoneRecently() API that allows one synchronous GC per gcTimer interval on critical memory pressure warning. This makes us more responsive to critical memory pressure and avoids doing synchronous GCs too often. * heap/FullGCActivityCallback.cpp: (JSC::FullGCActivityCallback::doCollection): * heap/FullGCActivityCallback.h: (JSC::GCActivityCallback::createFullTimer): * heap/GCActivityCallback.h: * heap/Heap.cpp: (JSC::Heap::collectAllGarbageIfNotDoneRecently): * heap/Heap.h: * heap/IncrementalSweeper.cpp: (JSC::IncrementalSweeper::doWork): Deleted. * heap/IncrementalSweeper.h: Drop fullSweep() API as it no longer seems useful. garbageCollectNow() already does a sweep after the full collection. 2015-06-09 Andreas Kling [JSC] CodeBlock::m_constantRegisters should be sized-to-fit. Reviewed by Darin Adler. Spotted this Vector looking chubby on cnet.com, with 1.23 MB of memory allocated below CodeBlock::setConstantRegisters(). Use resizeToFit() instead since we know the final size up front. Also removed some unused functions that operated on this constants vector and the corresponding one in UnlinkedCodeBlock. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::addOrFindConstant): Deleted. (JSC::CodeBlock::findConstant): Deleted. * bytecode/CodeBlock.h: (JSC::CodeBlock::setConstantRegisters): (JSC::CodeBlock::numberOfConstantRegisters): Deleted. * bytecode/UnlinkedCodeBlock.cpp: (JSC::UnlinkedCodeBlock::addOrFindConstant): Deleted. * bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedCodeBlock::numberOfConstantRegisters): Deleted. (JSC::UnlinkedCodeBlock::getConstant): Deleted. 2015-06-09 Andreas Kling [JSC] Polymorphic{Get,Put}ByIdList::addAccess() should optimize for size, not speed. Reviewed by Darin Adler. These functions already contained comments saying they optimize for size over speed, but they were using Vector::resize() which adds the usual slack for faster append(). Switch them over to using Vector::resizeToFit() instead, which makes the Vector allocate a perfectly sized backing store. Spotted 670 kB of the GetById ones, and 165 kB of PutById on cnet.com, so these Vectors are definitely worth shrink-wrapping. * bytecode/PolymorphicGetByIdList.cpp: (JSC::PolymorphicGetByIdList::addAccess): * bytecode/PolymorphicPutByIdList.cpp: (JSC::PolymorphicPutByIdList::addAccess): 2015-06-09 Andreas Kling [JSC] JSPropertyNameEnumerator's property name vector should be sized-to-fit. Reviewed by Darin Adler. Saw 108 kB worth of JSPropertyNameEnumerator backing store Vectors on cnet.com. Use Vector::resizeToFit() since we know the perfect size up front. * runtime/JSPropertyNameEnumerator.cpp: (JSC::JSPropertyNameEnumerator::finishCreation): 2015-06-09 Andreas Kling FunctionExecutable::isCompiling() is weird and wrong. Reviewed by Geoffrey Garen. Remove FunctionExecutable::isCompiling() and the clearCodeIfNotCompiling() style functions that called it before throwing away code. isCompiling() would consider the executable to be "compiling" if it had a CodeBlock but no JITCode. In practice, every executable gets a JITCode at the same time as it gets a CodeBlock, by way of prepareForExecutionImpl(). * debugger/Debugger.cpp: * heap/Heap.cpp: (JSC::Heap::deleteAllCompiledCode): (JSC::Heap::deleteAllUnlinkedFunctionCode): * inspector/agents/InspectorRuntimeAgent.cpp: (Inspector::TypeRecompiler::visit): * runtime/Executable.cpp: (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): (JSC::FunctionExecutable::clearCodeIfNotCompiling): Deleted. (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilationIfNotCompiling): Deleted. * runtime/Executable.h: * runtime/VM.cpp: (JSC::StackPreservingRecompiler::visit): 2015-06-09 Yusuke Suzuki Introduce getter definition into static hash tables and use it for getters in RegExp.prototype. https://bugs.webkit.org/show_bug.cgi?id=145705 Reviewed by Darin Adler. In this patch, we introduce Accessor type into property tables. With Accessor type, create_hash_table creates a static getter property. This getter property is reified as the same to the static functions. In the mean time, we only support getter because `putEntry` and `lookupPut` only work with null setter currently. However, in the spec, there's no need to add static setter properties. So we will add it if it becomes necessary in the future. And at the same time, this patch fixes the issue 145738. Before this patch, `putEntry` in `JSObject::deleteProperty` adds `undefined` property if `isValidOffset(...)` is false (deleted). As the result, deleting twice revives the property with `undefined` value. If the static functions are reified and the entry is `BuiltinOrFunctionOrAccessor`, there's no need to execute `putEntry` with static hash table entry. They should be handled in the normal structure's looking up because they should be already reified. So added guard for this. * CMakeLists.txt: * DerivedSources.make: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * create_hash_table: * runtime/JSObject.cpp: (JSC::getClassPropertyNames): (JSC::JSObject::put): (JSC::JSObject::deleteProperty): (JSC::JSObject::reifyStaticFunctionsForDelete): * runtime/Lookup.cpp: (JSC::reifyStaticAccessor): (JSC::setUpStaticFunctionSlot): * runtime/Lookup.h: (JSC::HashTableValue::propertyGetter): (JSC::HashTableValue::propertyPutter): (JSC::HashTableValue::accessorGetter): (JSC::HashTableValue::accessorSetter): (JSC::getStaticPropertySlot): (JSC::getStaticValueSlot): (JSC::putEntry): (JSC::reifyStaticProperties): * runtime/PropertySlot.h: * runtime/RegExpObject.cpp: (JSC::RegExpObject::getOwnPropertySlot): (JSC::regExpObjectGlobal): Deleted. (JSC::regExpObjectIgnoreCase): Deleted. (JSC::regExpObjectMultiline): Deleted. (JSC::appendLineTerminatorEscape): Deleted. (JSC::appendLineTerminatorEscape): Deleted. (JSC::regExpObjectSourceInternal): Deleted. (JSC::regExpObjectSource): Deleted. * runtime/RegExpPrototype.cpp: (JSC::RegExpPrototype::getOwnPropertySlot): (JSC::regExpProtoGetterGlobal): (JSC::regExpProtoGetterIgnoreCase): (JSC::regExpProtoGetterMultiline): (JSC::appendLineTerminatorEscape): (JSC::appendLineTerminatorEscape): (JSC::regExpProtoGetterSourceInternal): (JSC::regExpProtoGetterSource): * tests/stress/static-function-delete.js: Added. (shouldBe): * tests/stress/static-function-put.js: Added. (shouldBe): * tests/stress/static-getter-delete.js: Added. (shouldBe): (shouldThrow): * tests/stress/static-getter-descriptors.js: Added. (shouldBe): * tests/stress/static-getter-enumeration.js: Added. (shouldBe): * tests/stress/static-getter-get.js: Added. (shouldBe): * tests/stress/static-getter-in-names.js: Added. (shouldBe): * tests/stress/static-getter-names.js: Added. (shouldBe): * tests/stress/static-getter-put.js: Added. (shouldBe): (shouldThrow): 2015-06-09 Andreas Kling [JSC] JSString::getIndex() should avoid reifying substrings. Reviewed by Darin Adler. Implement getIndex() using JSString::view(), which cuts it down to a one-liner and also avoids reifying substrings. I saw 178 kB of reified substrings below operationGetByVal -> getIndex() on cnet.com, so this should help. * runtime/JSString.cpp: (JSC::JSRopeString::getIndexSlowCase): Deleted. * runtime/JSString.h: (JSC::JSString::getIndex): 2015-06-09 Andreas Kling [JSC] String.prototype.indexOf() should use StringView. Reviewed by Darin Adler. Use StringView::find() to implement String.prototype.indexOf(). This avoids reifying the needle and haystack JSStrings in case they are substrings. Reduces malloc memory by ~190 kB on cnet.com. * runtime/StringPrototype.cpp: (JSC::stringProtoFuncIndexOf): 2015-06-09 Csaba Osztrogonác [cmake] Fix the style issues in cmake project files https://bugs.webkit.org/show_bug.cgi?id=145755 Reviewed by Darin Adler. * CMakeLists.txt: 2015-06-08 Gyuyoung Kim Purge PassRefPtr in JavaScriptCore https://bugs.webkit.org/show_bug.cgi?id=145750 As a step to purge PassRefPtr, this patch replaces PassRefPtr with Ref or RefPtr. Reviewed by Darin Adler. * API/JSClassRef.cpp: (OpaqueJSClass::createNoAutomaticPrototype): * API/JSClassRef.h: * API/JSContextRef.cpp: * API/JSScriptRef.cpp: (OpaqueJSScript::create): * API/JSStringRef.cpp: (JSStringCreateWithCharacters): (JSStringCreateWithUTF8CString): * API/OpaqueJSString.cpp: (OpaqueJSString::create): * API/OpaqueJSString.h: (OpaqueJSString::create): * bytecompiler/StaticPropertyAnalysis.h: (JSC::StaticPropertyAnalysis::create): * debugger/DebuggerCallFrame.h: (JSC::DebuggerCallFrame::create): * dfg/DFGToFTLDeferredCompilationCallback.cpp: (JSC::DFG::ToFTLDeferredCompilationCallback::create): * dfg/DFGToFTLDeferredCompilationCallback.h: * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: (JSC::DFG::RefToFTLForOSREntryDeferredCompilationCallback::create): (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::create): Deleted. * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: * dfg/DFGWorklist.cpp: (JSC::DFG::Worklist::create): (JSC::DFG::ensureGlobalDFGWorklist): (JSC::DFG::ensureGlobalFTLWorklist): * dfg/DFGWorklist.h: * heap/EdenGCActivityCallback.h: (JSC::GCActivityCallback::createEdenTimer): * heap/FullGCActivityCallback.h: (JSC::GCActivityCallback::createFullTimer): * heap/GCActivityCallback.h: * inspector/InjectedScriptHost.h: * inspector/JavaScriptCallFrame.h: (Inspector::JavaScriptCallFrame::create): * inspector/ScriptArguments.cpp: (Inspector::ScriptArguments::create): * inspector/ScriptArguments.h: * jit/JITStubRoutine.h: (JSC::JITStubRoutine::createSelfManagedRoutine): * jit/JITToDFGDeferredCompilationCallback.cpp: (JSC::JITToDFGDeferredCompilationCallback::create): * jit/JITToDFGDeferredCompilationCallback.h: * jsc.cpp: (jscmain): * parser/NodeConstructors.h: (JSC::ArrayPatternNode::create): (JSC::ObjectPatternNode::create): (JSC::BindingNode::create): * parser/Nodes.cpp: (JSC::FunctionParameters::create): * parser/Nodes.h: * parser/SourceProvider.h: (JSC::StringSourceProvider::create): * profiler/Profile.cpp: (JSC::Profile::create): * profiler/Profile.h: * profiler/ProfileGenerator.cpp: (JSC::ProfileGenerator::create): * profiler/ProfileGenerator.h: * profiler/ProfileNode.h: (JSC::ProfileNode::create): * runtime/DataView.cpp: (JSC::DataView::create): * runtime/DataView.h: * runtime/DateInstanceCache.h: (JSC::DateInstanceData::create): * runtime/JSPromiseReaction.cpp: (JSC::createExecutePromiseReactionMicrotask): * runtime/JSPromiseReaction.h: * runtime/PropertyNameArray.h: (JSC::PropertyNameArrayData::create): * runtime/TypeSet.h: (JSC::StructureShape::create): (JSC::TypeSet::create): * runtime/TypedArrayBase.h: (JSC::TypedArrayBase::create): (JSC::TypedArrayBase::createUninitialized): (JSC::TypedArrayBase::subarrayImpl): * runtime/VM.cpp: (JSC::VM::createContextGroup): (JSC::VM::create): (JSC::VM::createLeaked): * runtime/VM.h: * yarr/RegularExpression.cpp: (JSC::Yarr::RegularExpression::Private::create): 2015-06-08 Filip Pizlo It should be possible to hoist all constants in DFG SSA https://bugs.webkit.org/show_bug.cgi?id=145769 Reviewed by Geoffrey Garen. It's sometimes somewhat more efficient, and convenient, to have all constants at the top of the root block. We don't require this as an IR invariant because too many phases want to be able to insert constants in weird places. But, this phase will be great for preparing for https://bugs.webkit.org/show_bug.cgi?id=145768. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGConstantHoistingPhase.cpp: Added. (JSC::DFG::performConstantHoisting): * dfg/DFGConstantHoistingPhase.h: Added. * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): 2015-06-07 Filip Pizlo The tiny set magic in StructureSet should be available in WTF https://bugs.webkit.org/show_bug.cgi?id=145722 Reviewed by Geoffrey Garen. I moved the generic logic of small sets of pointers and moved it into WTF. Now, StructureSet is a subclass of TinyPtrSet. There shouldn't be any functional change. * bytecode/StructureSet.cpp: (JSC::StructureSet::filter): (JSC::StructureSet::filterArrayModes): (JSC::StructureSet::speculationFromStructures): (JSC::StructureSet::arrayModesFromStructures): (JSC::StructureSet::dumpInContext): (JSC::StructureSet::dump): (JSC::StructureSet::clear): Deleted. (JSC::StructureSet::add): Deleted. (JSC::StructureSet::remove): Deleted. (JSC::StructureSet::contains): Deleted. (JSC::StructureSet::merge): Deleted. (JSC::StructureSet::exclude): Deleted. (JSC::StructureSet::isSubsetOf): Deleted. (JSC::StructureSet::overlaps): Deleted. (JSC::StructureSet::operator==): Deleted. (JSC::StructureSet::addOutOfLine): Deleted. (JSC::StructureSet::containsOutOfLine): Deleted. (JSC::StructureSet::copyFromOutOfLine): Deleted. (JSC::StructureSet::OutOfLineList::create): Deleted. (JSC::StructureSet::OutOfLineList::destroy): Deleted. * bytecode/StructureSet.h: (JSC::StructureSet::onlyStructure): (JSC::StructureSet::StructureSet): Deleted. (JSC::StructureSet::operator=): Deleted. (JSC::StructureSet::~StructureSet): Deleted. (JSC::StructureSet::isEmpty): Deleted. (JSC::StructureSet::genericFilter): Deleted. (JSC::StructureSet::isSupersetOf): Deleted. (JSC::StructureSet::size): Deleted. (JSC::StructureSet::at): Deleted. (JSC::StructureSet::operator[]): Deleted. (JSC::StructureSet::last): Deleted. (JSC::StructureSet::iterator::iterator): Deleted. (JSC::StructureSet::iterator::operator*): Deleted. (JSC::StructureSet::iterator::operator++): Deleted. (JSC::StructureSet::iterator::operator==): Deleted. (JSC::StructureSet::iterator::operator!=): Deleted. (JSC::StructureSet::begin): Deleted. (JSC::StructureSet::end): Deleted. (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine): Deleted. (JSC::StructureSet::ContainsOutOfLine::operator()): Deleted. (JSC::StructureSet::copyFrom): Deleted. (JSC::StructureSet::OutOfLineList::list): Deleted. (JSC::StructureSet::OutOfLineList::OutOfLineList): Deleted. (JSC::StructureSet::deleteStructureListIfNecessary): Deleted. (JSC::StructureSet::isThin): Deleted. (JSC::StructureSet::pointer): Deleted. (JSC::StructureSet::singleStructure): Deleted. (JSC::StructureSet::structureList): Deleted. (JSC::StructureSet::set): Deleted. (JSC::StructureSet::setEmpty): Deleted. (JSC::StructureSet::getReservedFlag): Deleted. (JSC::StructureSet::setReservedFlag): Deleted. * dfg/DFGStructureAbstractValue.cpp: (JSC::DFG::StructureAbstractValue::clobber): (JSC::DFG::StructureAbstractValue::filter): (JSC::DFG::StructureAbstractValue::filterSlow): (JSC::DFG::StructureAbstractValue::contains): * dfg/DFGStructureAbstractValue.h: (JSC::DFG::StructureAbstractValue::makeTop): 2015-06-08 Csaba Osztrogonác [ARM] Add the missing setupArgumentsWithExecState functions after r185240 https://bugs.webkit.org/show_bug.cgi?id=145754 Reviewed by Benjamin Poulain. * jit/CCallHelpers.h: (JSC::CCallHelpers::setupArgumentsWithExecState): 2015-06-08 Brady Eidson Completely remove all IDB properties/constructors when it is disabled at runtime. rdar://problem/18429374 and https://bugs.webkit.org/show_bug.cgi?id=137034 Reviewed by Geoffrey Garen. * runtime/CommonIdentifiers.h: 2015-06-06 Mark Lam Returned Exception* values need to be initialized to nullptr when no exceptions are thrown. https://bugs.webkit.org/show_bug.cgi?id=145720 Reviewed by Dan Bernstein. * debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::evaluate): 2015-06-05 Mark Lam Subclasses of JSNonFinalObject with gc'able children need to implement visitChildren(). https://bugs.webkit.org/show_bug.cgi?id=145709 Reviewed by Geoffrey Garen. * jsc.cpp: (functionSetElementRoot): - The Element class has a member of type Root which extends JSDestructibleObject. It should be stored in a WriteBarrier, and visited by visitChildren(). * runtime/ClonedArguments.cpp: (JSC::ClonedArguments::materializeSpecialsIfNecessary): (JSC::ClonedArguments::visitChildren): * runtime/ClonedArguments.h: - Add missing visitChildren(). * tests/stress/cloned-arguments-should-visit-callee-during-gc.js: Added. (makeTransientFunction.transientFunc): (makeTransientFunction): 2015-06-05 Geoffrey Garen DropAllLocks RELEASE_ASSERT on iOS https://bugs.webkit.org/show_bug.cgi?id=139654 Reviewed by Mark Lam. * runtime/JSLock.cpp: (JSC::JSLock::dropAllLocks): Removed a comment because it duplicated the code beneath it. Removed a FIXME because we can't ASSERT that we're holding the lock. WebKit1 on iOS drops the lock before calling to delegates, not knowing whether it holds the lock or not. (JSC::JSLock::DropAllLocks::DropAllLocks): Only ASSERT that we are not GC'ing if we hold the lock. If we do not hold the lock, it is perfectly valid for some other thread, which does hold the lock, to be GC'ing. What is not valid is to drop the lock in the middle of GC, since GC must be atomic. 2015-06-05 Filip Pizlo speculateRealNumber() should early exit if you're already a real number, not if you're already a real double. Rubber stamped by Mark Lam. This was causing: https://build.webkit.org/results/Apple%20Yosemite%20Debug%20WK1%20(Tests)/r185261%20(5180)/webaudio/note-grain-on-timing-crash-log.txt * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculateRealNumber): 2015-06-05 Mark Lam finally blocks should not set the exception stack trace when re-throwing the exception. https://bugs.webkit.org/show_bug.cgi?id=145525 Reviewed by Geoffrey Garen. How exceptions presently work: ============================= 1. op_throw can throw any JSValue. 2. the VM tries to capture the stack at the throw point and propagate that as needed. 3. finally blocks are implemented using op_catch to catch the thrown value, and throws it again using op_throw. What's wrong with how it presently works: ======================================== 1. finally's makes for bad exception throw line numbers in the Inspector console. The op_throw in finally will throw the value anew i.e. it captures a stack from the re-throw point. As a result, the Inspector sees the finally block as the throw point. The original stack is lost. 2. finally's breaks the Inspector's "Breaks on Uncaught Exception" This is because finally blocks are indistinguishable from catch blocks. As a result, a try-finally, which should break in the Inspector on the throw, does not because the Inspector thought the exception was "caught". 3. finally's yields confusing break points when the Inspector "Breaks on All Exceptions" a. In a try-finally scenario, the Inspector breaks 2 times: 1 at the throw, 1 at the finally. b. In a for-of loop (which has synthesized finallys), the Inspector will do another break. Similarly for other cases of JS code which synthesize finallys. c. At VM re-entry boundaries (e.g. js throws & returns to native code, which returns to js), the Inspector will do another break if there's an uncaught exception. How this patch fixes the issues: =============================== 1. We introduce an Exception object that wraps the thrown value and the exception stack. When throwing an exception, the VM will check if the thrown value is an Exception object or not. If it is not an Exception object, then we must be throwing a new exception. The VM will create an Exception object to wrap the thrown value and capture the current stack for it. If the thrown value is already an Exception object, then the requested throw operation must be a re-throw. The VM will not capture a new stack for it. 2. op_catch will now populate 2 locals: 1 for the Exception, 1 for the thrown JSValue. The VM is aware of the Exception object and uses it for rethrows in finally blocks. JS source code is never aware of the Exception object. JS code is aware of the thrown value. If it throws the caught thrown value, that constitutes a new throw, and a new Exception object will be created for it. 3. The VM no longer tracks the thrown JSValue and the exception stack. It will only track a m_exception field which is an Exception*. 4. The BytecodeGenerator has already been updated in a prior patch to distinguish between Catch, Finally, and SynthesizedFinally blocks. The interpreter runtime will now report to the debugger whether we have a Catch handler, not just any handlers. The debugger will use this detail to determine whether to break or not. "Break on uncaught exceptions" will only break if no Catch handler was found. This solves the issue of the debugger breaking at finally blocks, and for-of statements. 5. The Exception object will also have a flag to indicate whether the debugger has been notified of the Exception being thrown. Once the Interpreter notifies the debugger of the Exception object, it will mark this flag and not repeat the notify the debugger again of the same Exception. This solves the issue of the debugger breaking at VM re-entry points due to uncaught exceptions. 6. The life-cycle of the captured exception stack trace will now follow the life-cycle of the Exception object. Other changes: 7. Change all clients of the VM::exception() to expect an Exception* instead of JSValue. 8. Fixed a few bugs where thrown exceptions are not cleared before exiting the VM. 9. Also renamed some variables and classes to better describe what they are. * API/JSBase.cpp: (JSEvaluateScript): (JSCheckScriptSyntax): * API/JSObjectRef.cpp: (handleExceptionIfNeeded): - The functions below all do the same exception check. Added this helper to simplify the code. (JSClassCreate): (JSObjectMakeFunction): (JSObjectMakeArray): (JSObjectMakeDate): (JSObjectMakeError): (JSObjectMakeRegExp): (JSObjectGetProperty): (JSObjectSetProperty): (JSObjectGetPropertyAtIndex): (JSObjectSetPropertyAtIndex): (JSObjectDeleteProperty): (JSObjectCallAsFunction): (JSObjectCallAsConstructor): * API/JSScriptRef.cpp: * API/JSValue.mm: (JSContainerConvertor::take): (reportExceptionToInspector): * API/JSValueRef.cpp: (handleExceptionIfNeeded): - The functions below all do the same exception check. Added this helper to simplify the code. (evernoteHackNeeded): (JSValueIsEqual): (JSValueIsInstanceOfConstructor): (JSValueCreateJSONString): (JSValueToNumber): (JSValueToStringCopy): (JSValueToObject): * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: - Added new files Exception.h and Exception.cpp. * bindings/ScriptFunctionCall.cpp: (Deprecated::ScriptFunctionCall::call): * bindings/ScriptFunctionCall.h: * bytecode/BytecodeList.json: - op_catch now had 2 operands: the exception register, and the thrown value register. * bytecode/BytecodeUseDef.h: (JSC::computeDefsForBytecodeOffset): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::handlerForBytecodeOffset): * bytecode/CodeBlock.h: - handlerForBytecodeOffset() now can look for just Catch handlers only. * bytecode/HandlerInfo.h: - Cleaned up some white space I accidentally added in a previous patch. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::pushTry): (JSC::BytecodeGenerator::popTryAndEmitCatch): (JSC::BytecodeGenerator::emitThrowReferenceError): (JSC::BytecodeGenerator::emitEnumeration): * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitThrow): * bytecompiler/NodesCodegen.cpp: (JSC::TryNode::emitBytecode): - Adding support for op_catch's 2 operands. * debugger/Debugger.cpp: (JSC::Debugger::hasBreakpoint): (JSC::Debugger::pauseIfNeeded): (JSC::Debugger::exception): * debugger/Debugger.h: * debugger/DebuggerCallFrame.cpp: (JSC::DebuggerCallFrame::thisValue): (JSC::DebuggerCallFrame::evaluate): * debugger/DebuggerCallFrame.h: (JSC::DebuggerCallFrame::isValid): * inspector/InjectedScriptManager.cpp: (Inspector::InjectedScriptManager::createInjectedScript): * inspector/InspectorEnvironment.h: * inspector/JSGlobalObjectInspectorController.cpp: (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): (Inspector::JSGlobalObjectInspectorController::reportAPIException): * inspector/JSGlobalObjectInspectorController.h: * inspector/JSGlobalObjectScriptDebugServer.h: * inspector/JSJavaScriptCallFrame.cpp: (Inspector::JSJavaScriptCallFrame::evaluate): * inspector/JavaScriptCallFrame.h: (Inspector::JavaScriptCallFrame::vmEntryGlobalObject): (Inspector::JavaScriptCallFrame::thisValue): (Inspector::JavaScriptCallFrame::evaluate): * inspector/ScriptCallStackFactory.cpp: (Inspector::extractSourceInformationFromException): (Inspector::createScriptCallStackFromException): * inspector/ScriptCallStackFactory.h: * inspector/ScriptDebugServer.cpp: (Inspector::ScriptDebugServer::evaluateBreakpointAction): (Inspector::ScriptDebugServer::handleBreakpointHit): (Inspector::ScriptDebugServer::handleExceptionInBreakpointCondition): * inspector/ScriptDebugServer.h: * interpreter/CallFrame.h: (JSC::ExecState::clearException): (JSC::ExecState::exception): (JSC::ExecState::hadException): (JSC::ExecState::atomicStringTable): (JSC::ExecState::propertyNames): (JSC::ExecState::clearSupplementaryExceptionInfo): Deleted. * interpreter/Interpreter.cpp: (JSC::unwindCallFrame): (JSC::Interpreter::stackTraceAsString): (JSC::GetCatchHandlerFunctor::GetCatchHandlerFunctor): (JSC::GetCatchHandlerFunctor::operator()): (JSC::Interpreter::unwind): - Added a check for didNotifyInspectorOfThrow() here to prevent duplicate reports of the same Exception to the debugger. (JSC::GetExceptionHandlerFunctor::GetExceptionHandlerFunctor): Deleted. (JSC::GetExceptionHandlerFunctor::operator()): Deleted. - Renamed GetExceptionHandlerFunctor to GetCatchHandlerFunctor since the debugger is only interested in knowing whether we have Catch handlers. * interpreter/Interpreter.h: (JSC::SuspendExceptionScope::SuspendExceptionScope): (JSC::SuspendExceptionScope::~SuspendExceptionScope): (JSC::Interpreter::sampler): (JSC::ClearExceptionScope::ClearExceptionScope): Deleted. (JSC::ClearExceptionScope::~ClearExceptionScope): Deleted. - Renamed ClearExceptionScope to SuspendExceptionScope because "clear" implies that we're purging the exception. Instead, we're merely suspending any handling of that exception for a period defined by the scope. * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitExceptionCheck): * jit/JITExceptions.cpp: (JSC::genericUnwind): - Removed the exception argument. It is always the value in VM::exception() anyway. genericUnwind() can just get it from the VM, and save everyone some work. * jit/JITExceptions.h: * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_catch): * jit/JITOpcodes32_64.cpp: (JSC::JIT::privateCompileCTINativeCall): (JSC::JIT::emit_op_catch): - Add support for the new op_catch operands. * jit/JITOperations.cpp: * jit/ThunkGenerators.cpp: (JSC::nativeForGenerator): * jsc.cpp: (functionRun): (functionLoad): (runWithScripts): (runInteractive): * llint/LLIntOffsetsExtractor.cpp: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: - Add support for the new op_catch operands. Also update the code to handle VM::m_exception being an Exception pointer, not a JSValue. * parser/NodeConstructors.h: (JSC::TryNode::TryNode): * parser/Nodes.h: * runtime/CallData.cpp: (JSC::call): * runtime/CallData.h: * runtime/Completion.cpp: (JSC::evaluate): * runtime/Completion.h: (JSC::evaluate): - Change evaluate() to take a reference to the returned exception value instead of a pointer. In all but 2 or 3 cases, we want the returned exception anyway. Might as well simplify the code by requiring the reference. * runtime/Error.h: (JSC::throwVMError): (JSC::throwVMTypeError): * runtime/Exception.cpp: Added. (JSC::Exception::create): (JSC::Exception::destroy): (JSC::Exception::createStructure): (JSC::Exception::visitChildren): (JSC::Exception::Exception): (JSC::Exception::~Exception): * runtime/Exception.h: Added. (JSC::Exception::valueOffset): (JSC::Exception::cast): (JSC::Exception::value): (JSC::Exception::stack): (JSC::Exception::didNotifyInspectorOfThrow): (JSC::Exception::setDidNotifyInspectorOfThrow): * runtime/ExceptionHelpers.cpp: (JSC::createTerminatedExecutionException): (JSC::isTerminatedExecutionException): (JSC::createStackOverflowError): * runtime/ExceptionHelpers.h: * runtime/GetterSetter.cpp: (JSC::callGetter): * runtime/IteratorOperations.cpp: (JSC::iteratorClose): * runtime/JSObject.cpp: * runtime/JSPromiseConstructor.cpp: (JSC::constructPromise): * runtime/JSPromiseDeferred.cpp: (JSC::updateDeferredFromPotentialThenable): (JSC::abruptRejection): * runtime/JSPromiseReaction.cpp: (JSC::ExecutePromiseReactionMicrotask::run): * runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::releaseExecutableMemory): (JSC::VM::throwException): (JSC::VM::setStackPointerAtVMEntry): (JSC::VM::getExceptionInfo): Deleted. (JSC::VM::setExceptionInfo): Deleted. (JSC::VM::clearException): Deleted. (JSC::clearExceptionStack): Deleted. * runtime/VM.h: (JSC::VM::targetMachinePCForThrowOffset): (JSC::VM::clearException): (JSC::VM::setException): (JSC::VM::exception): (JSC::VM::addressOfException): (JSC::VM::exceptionStack): Deleted. * runtime/VMEntryScope.cpp: (JSC::VMEntryScope::VMEntryScope): (JSC::VMEntryScope::setEntryScopeDidPopListener): 2015-06-04 Benjamin Poulain [JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case https://bugs.webkit.org/show_bug.cgi?id=145673 Reviewed by Geoffrey Garen. Previously, we were deciding to use out-of-bounds speculation based on two informations: -Explicitly detected out-of-bounds accesses tracked on ArrayProfile. -The number of time we took the slow cases in the baseline JIT. The heuristic based on slow cases was a little too fragile. In some cases, we were running into that limit just because the indexing type changes between two values (typically Int32Array and DoubleArray). Sometimes we were just unlucky on what we used for the inline cache. In Kraken, this was hurting us on "audio-beat-detection" and "audio-fft". The array types we see change between Int32 and Double. We run into the slow path a bit but never hit out-of-bounds. By the time we compile in DFG, we have stable Double Arrays but we speculate out-of-bounds based on the number of slow cases we took. Because of that, we start boxing the double on GetByVal, using DoubleRep, etc. adding a ton of overhead over otherwise very simple operations. WebXPRT was also suffering from this problem but the other way arround: we were missing the out-of-bounds accesses due to changes in indexing types, we were below the threshold of slow-path access, thus we predicted in-bounds accesses for code that was doing plenty of out-of-bands. This patch fixes the problem by tracking the out-of-bounds access explicitly any time we go into the slow path in baseline JIT. Since we no longer miss any out-of-bounds, we can remove the slow-path heuristic. There is new additional special case in the C code regarding out-of-bounds: Arguments access. Mispredicting out-of-bounds accesses on arguments is a disaster for performance, so those are tracked in the way DFG expect it. There are a few important cases that are still not covered optimally: -PutByVal on Arguments. -Get/Put ByVal on TypedArray. Those are simply not used by DFG in any way. TypedArrays should probably be looked at in the future. * bytecode/ArrayProfile.cpp: (JSC::ArrayProfile::computeUpdatedPrediction): The inline-cache repatch cases now update the ArrayProfile information. This has no value in baseline JIT but it helps avoiding one recompile in DFG for the missing ArrayProfile information. * bytecode/ArrayProfile.h: (JSC::ArrayProfile::setOutOfBounds): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getArrayMode): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath): Deleted. * jit/CCallHelpers.h: (JSC::CCallHelpers::setupArgumentsWithExecState): * jit/JIT.h: * jit/JITInlines.h: (JSC::JIT::callOperation): * jit/JITOpcodes.cpp: (JSC::JIT::emitSlow_op_has_indexed_property): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emitSlow_op_has_indexed_property): * jit/JITOperations.cpp: (JSC::canUseFastArgumentAccess): This is not my favorite part of this patch. I tried having JSObject::canGetIndexQuickly() handle arguments which would put everything on the generic path. Unfortunately, that code is very performance sensitive and some benchmarks were impacted by over 10% I left JSObject::canGetIndexQuickly() alone, and I added the canUseFastArgumentAccess() mirroring how DFG uses out-of-bounds for Arguments. (JSC::getByVal): * jit/JITOperations.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emitSlow_op_get_by_val): (JSC::JIT::emitSlow_op_put_by_val): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitSlow_op_get_by_val): (JSC::JIT::emitSlow_op_put_by_val): * runtime/JSPromiseFunctions.cpp: * tests/stress/get-by-val-out-of-bounds-basics.js: Added. (opaqueGetByValOnInt32ArrayEarlyOutOfBounds): (testInt32ArrayEarlyOutOfBounds): (testIndexingTypeChangesOnInt32Array): (opaqueGetByValOnStringArrayHotOutOfBounds): (testStringArrayHotOutOfBounds): (testIndexingTypeChangesOnStringArray): (opaqueGetByValOnStringAndInt32ArrayHotOutOfBounds): (testStringAndInt32ArrayHotOutOfBounds): (opaqueGetByValOnDoubleArrayHotOutOfBounds): * tests/stress/put-by-val-out-of-bounds-basics.js: Added. (opaquePutByValOnInt32ArrayEarlyOutOfBounds): (testInt32ArrayEarlyOutOfBounds): (opaquePutByValOnStringArrayHotOutOfBounds): (testStringArrayHotOutOfBounds): 2015-06-03 Filip Pizlo Simplify unboxing of double JSValues known to be not NaN and not Int32 https://bugs.webkit.org/show_bug.cgi?id=145618 Reviewed by Geoffrey Garen. In many cases we know that we most likely loaded a non-NaN double value from the heap. Prior to this patch, we would do two branches before unboxing the double. This patch reduces this to one branch in the common case. Before: if (is int32) unbox int32 and convert to double else if (is number) unbox double else exit After: tmp = unbox double if (tmp == tmp) done else if (is int32) unbox int32 and convert to double else exit We only use the new style if we have profiling that tells us that we are unlikely to see either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch. This is a 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up. Rolling this back in after I made DFG::SpeculativeJIT call a new version of unboxDouble() that doesn't assert that the JSValue is a double, since we are intentionally using it before doing the "is a double" test. This wasn't a problem on 32-bit since unboxDouble() does no such assertion on 32-bit. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::observeUseKindOnNode): (JSC::DFG::FixupPhase::fixEdgeRepresentation): (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateDouble): (JSC::DFG::Node::shouldSpeculateDoubleReal): (JSC::DFG::Node::shouldSpeculateNumber): * dfg/DFGSafeToExecute.h: (JSC::DFG::SafeToExecuteEdge::operator()): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileDoubleRep): (JSC::DFG::SpeculativeJIT::speculateNumber): (JSC::DFG::SpeculativeJIT::speculateRealNumber): (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal): (JSC::DFG::SpeculativeJIT::speculate): (JSC::DFG::SpeculativeJIT::speculateDoubleReal): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGUseKind.cpp: (WTF::printInternal): * dfg/DFGUseKind.h: (JSC::DFG::typeFilterFor): (JSC::DFG::isNumerical): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): (JSC::FTL::LowerDFGToLLVM::boxDouble): (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52): (JSC::FTL::LowerDFGToLLVM::speculate): (JSC::FTL::LowerDFGToLLVM::speculateNumber): (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepReal): (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): Deleted. (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): Deleted. * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::branchIfNotOther): (JSC::AssemblyHelpers::branchIfInt32): (JSC::AssemblyHelpers::branchIfNotInt32): (JSC::AssemblyHelpers::branchIfNumber): 2015-06-04 Joseph Pecoraro Web Inspector: Class constructor appearing as Object Tree property does not include parameters https://bugs.webkit.org/show_bug.cgi?id=145661 Reviewed by Timothy Hatcher. * inspector/InjectedScriptSource.js: (InjectedScript.prototype._classPreview): (InjectedScript.RemoteObject.prototype._appendPropertyPreviews): The string we will return for previews of class constructor functions. (InjectedScript.RemoteObject): (InjectedScript.RemoteObject.prototype._describe): No longer return the class name as the description string. Instead return the class name for the RemoteObject.className. 2015-06-04 Commit Queue Unreviewed, rolling out r185216. https://bugs.webkit.org/show_bug.cgi?id=145666 it caused a bunch of debug crashes (Requested by pizlo on #webkit). Reverted changeset: "Simplify unboxing of double JSValues known to be not NaN and not Int32" https://bugs.webkit.org/show_bug.cgi?id=145618 http://trac.webkit.org/changeset/185216 2015-06-03 Filip Pizlo Simplify unboxing of double JSValues known to be not NaN and not Int32 https://bugs.webkit.org/show_bug.cgi?id=145618 Reviewed by Geoffrey Garen. In many cases we know that we most likely loaded a non-NaN double value from the heap. Prior to this patch, we would do two branches before unboxing the double. This patch reduces this to one branch in the common case. Before: if (is int32) unbox int32 and convert to double else if (is number) unbox double else exit After: tmp = unbox double if (tmp == tmp) done else if (is int32) unbox int32 and convert to double else exit We only use the new style if we have profiling that tells us that we are unlikely to see either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch. This is a 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::observeUseKindOnNode): (JSC::DFG::FixupPhase::fixEdgeRepresentation): (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateDouble): (JSC::DFG::Node::shouldSpeculateDoubleReal): (JSC::DFG::Node::shouldSpeculateNumber): * dfg/DFGSafeToExecute.h: (JSC::DFG::SafeToExecuteEdge::operator()): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileDoubleRep): (JSC::DFG::SpeculativeJIT::speculateNumber): (JSC::DFG::SpeculativeJIT::speculateRealNumber): (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal): (JSC::DFG::SpeculativeJIT::speculate): (JSC::DFG::SpeculativeJIT::speculateDoubleReal): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGUseKind.cpp: (WTF::printInternal): * dfg/DFGUseKind.h: (JSC::DFG::typeFilterFor): (JSC::DFG::isNumerical): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): (JSC::FTL::LowerDFGToLLVM::boxDouble): (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52): (JSC::FTL::LowerDFGToLLVM::speculate): (JSC::FTL::LowerDFGToLLVM::speculateNumber): (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepReal): (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): Deleted. (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): Deleted. * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::branchIfNotOther): (JSC::AssemblyHelpers::branchIfInt32): (JSC::AssemblyHelpers::branchIfNotInt32): (JSC::AssemblyHelpers::branchIfNumber): 2015-06-04 Filip Pizlo SideState should be a distinct abstract heap from Heap and Stack https://bugs.webkit.org/show_bug.cgi?id=145653 Reviewed by Geoffrey Garen. Before, SideState fit into the hierarchy like so: World | +-- Stack | +-- Heap | +-- SideState Now we will have: World | +-- Stack | +-- Heap | +-- SideState This makes it easy to ask if a writing operation wrote to anything that is observable even if we don't exit. SideState is only observable if we exit. * dfg/DFGAbstractHeap.h: (JSC::DFG::AbstractHeap::AbstractHeap): (JSC::DFG::AbstractHeap::supertype): 2015-06-04 Chris Dumez [WK2] Prune more resources from the MemoryCache before process suspension https://bugs.webkit.org/show_bug.cgi?id=145633 Reviewed by Andreas Kling. No longer move protect IncrementalSweeper::fullSweep() behind USE(CF) so we don't need #ifdefs at call sites, similarly to what is done for the rest of the IncrementalSweeper API. * heap/IncrementalSweeper.cpp: (JSC::IncrementalSweeper::fullSweep): * heap/IncrementalSweeper.h: 2015-06-01 Filip Pizlo CallLinkStatus should return takesSlowPath if the GC often cleared the IC https://bugs.webkit.org/show_bug.cgi?id=145502 Reviewed by Geoffrey Garen. CallLinkInfo now remembers when it has been cleared by GC. This has some safeguards for when a call gets cleared by GC only because we hadn't converted it into a closure call; in that case the GC will just tell us that it should be a closure call. The DFG will not optimize a call that was cleared by GC, and the DFG will always prefer a closure call if the GC told us that the specific callee was dead but the executable wasn't. This guards us from some scenarios that came up in Speedometer. It's neutral on the pure JS benchmarks, most likely just because those benchmarks aren't real enough to have interesting GC of code. * bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::visitWeak): (JSC::CallLinkInfo::dummy): * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::CallLinkInfo): * bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeFromCallLinkInfo): 2015-06-02 Filip Pizlo GetById and PutById profiling should be more precise about it takes slow path https://bugs.webkit.org/show_bug.cgi?id=145590 Reviewed by Geoffrey Garen. If a ById access ever takes slow path, we want the DFG and FTL to know this. Previously we were relying on slow path counts, which conflate slow paths taken due to a megamorphic access and slow paths taken due to IC building. * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFor): (JSC::GetByIdStatus::computeForStubInfo): * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFor): (JSC::PutByIdStatus::computeForStubInfo): * bytecode/StructureStubInfo.h: (JSC::StructureStubInfo::StructureStubInfo): * ftl/FTLIntrinsicRepository.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileGetById): * jit/JITOperations.cpp: * jit/JITOperations.h: 2015-06-03 Michael Saboff Improve test coverage for changes made in 145527 https://bugs.webkit.org/show_bug.cgi?id=145578 Reviewed by Geoffrey Garen. Added more complexity to poly-setter-combo.js stress test to create more turmoil in the polymorphic get-by-id / put-by-id with getters and setters to exercise the code change in https://bugs.webkit.org/show_bug.cgi?id=145527. By changing the objects that the main test function sees, we are able to test those paths. Verified with temporary logging code. * tests/stress/poly-setter-combo.js: (Cons2): (Cons3): (Cons4): (foo): (test): (runTestWithConstructors): 2015-06-02 Mark Lam Gardening: fix broken CLoop build. Not reviewed. * bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeExitSiteData): 2015-06-02 Keith Miller JavaScriptCore: JSExport protocol with an NSInteger property converts negative values to 18446744073709552000 https://bugs.webkit.org/show_bug.cgi?id=145563 Reviewed by Darin Adler. The Objective-C bindings were improperly converting negative long long/NSIntegers to 18446744073709552000 because they were converted to unsigned numbers. * API/ObjcRuntimeExtras.h: (parseObjCType): * API/tests/testapi.mm: (testObjectiveCAPIMain): (checkNegativeNSIntegers): (testObjectiveCAPI): 2015-06-02 Yusuke Suzuki Heap-use-after-free read of size 4 in JavaScriptCore: WTF::StringImpl::isSymbol() (StringImpl.h:496) https://bugs.webkit.org/show_bug.cgi?id=145532 Reviewed by Geoffrey Garen. AtomicStringImpl::lookUp returns AtomicStringImpl*, it doesn't give any ownership to the caller. Originally, this is ok because the ownership is taken by AtomicStringImpl's table (& the register side). But if we would like to use this returned AtomicStringImpl*, we should take its ownership immediately. Because if the register side releases its ownership (ref count), it will be destroyed. In JSString::toExistingAtomicString, it returns AtomicStringImpl*. But it's not appropriate. If the owner of AtomicStringImpl* is always JSString*, it is ok. But it looks up the table-registered AtomicStringImpl* from the AtomicStringImpl table. So JSString* may not have the ownership of the returned AtomicStringImpl*. The failure situation is the following. 1. A creates AtomicStringImpl. A has its ownership. And A registers it to AtomicStringImpl table. 2. JSString looks up the AtomicStringImpl from the table. It gets AtomicStringImpl*. And JSString doesn't have its ownership. It returns the raw pointer immediately to the users 3. A is released. There's no owner for AtomicStringImpl*. So it's also destroyed. 4. Use looked up AtomicStringImpl in (2). It becomes use-after-free. This patch fixes it by the following changes. 1. Change the signature of `AtomicStringImpl* AtomicStringImpl::lookUp(...)` to `RefPtr AtomicStringImpl::lookUp(..)`. Use `RefPtr` because it may return `nullptr`. 2. Change the signature of `AtomicStringImpl* JSString::toExistingAtomicString(...)` to `RefPtr JSString::toExistingAtomicString(...)`. Using `RefPtr` is the same reason. 3. Receive the result with `RefPtr` in the caller side. * dfg/DFGOperations.cpp: * jit/JITOperations.cpp: (JSC::getByVal): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::getByVal): * runtime/JSString.cpp: (JSC::JSRopeString::resolveRopeToExistingAtomicString): * runtime/JSString.h: (JSC::JSString::toExistingAtomicString): 2015-05-30 Filip Pizlo Any exit from any JIT due to profiling for an inline cache should force all future compilations to be wary https://bugs.webkit.org/show_bug.cgi?id=145496 Reviewed by Geoffrey Garen. This pessimizes compilation a bit, but it reduces the likelihood of exiting from FTL. I couldn't find any convincing reason not to do this, and we know from Speedometer that this change is necessary for weirder code. * bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeFor): (JSC::CallLinkStatus::computeExitSiteData): (JSC::CallLinkStatus::computeDFGStatuses): * bytecode/CallLinkStatus.h: * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::appendVariant): (JSC::GetByIdStatus::hasExitSite): (JSC::GetByIdStatus::computeFor): * bytecode/GetByIdStatus.h: * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::appendVariant): (JSC::PutByIdStatus::hasExitSite): (JSC::PutByIdStatus::computeFor): * bytecode/PutByIdStatus.h: 2015-05-31 Filip Pizlo If a call has ever taken the virtual slow path, make sure that the DFG knows this https://bugs.webkit.org/show_bug.cgi?id=145501 Reviewed by Geoffrey Garen. Now now return higher fidelity information in the case of no polymorphic call stub. If the virtual slow path was ever taken, we note this, and we note either zero or one call variant based on the IC's last callee. * bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeFromCallLinkInfo): (JSC::CallLinkStatus::computeFor): 2015-06-01 Michael Saboff Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revertCall + 24 https://bugs.webkit.org/show_bug.cgi?id=145527 Reviewed by Filip Pizlo. If a CallLinkInfo is GC'ed, we need to notify any PolymorphicCallNode's that reference it. Added plumbling to clear the m_callLinkInfo of a PolymorphicCallNode when that CallLinkInfo is going away. * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::~CallLinkInfo): * jit/PolymorphicCallStubRoutine.cpp: (JSC::PolymorphicCallNode::unlink): (JSC::PolymorphicCallNode::clearCallLinkInfo): (JSC::PolymorphicCallCase::dump): (JSC::PolymorphicCallStubRoutine::edges): (JSC::PolymorphicCallStubRoutine::clearCallNodesFor): (JSC::PolymorphicCallStubRoutine::visitWeak): * jit/PolymorphicCallStubRoutine.h: (JSC::PolymorphicCallNode::hasCallLinkInfo): 2015-06-01 Mark Lam Add the ability to tell between Catch and Finally blocks. https://bugs.webkit.org/show_bug.cgi?id=145524 Reviewed by Michael Saboff. ... and also SynthesizedFinally blocks too. A SynthesizedFinally block is a finally block that is synthesized by the bytecode generator but does not actually correspond to any exception handling construct at the JS source code level. An example of this is the "for ... of" statement where it needs to do some "final" clean up before passing on the exception. Manually tested by inspecting the bytecode dump of functions with try-catch-finally blocks as well as for of statements which have synthesized finally blocks. The bytecode dumps contains the exception handlers table which has these blocks labelled with their newly added types. No automatic test because this type info is not visible to JS code. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): * bytecode/HandlerInfo.h: (JSC::HandlerInfoBase::type): (JSC::HandlerInfoBase::setType): (JSC::HandlerInfoBase::typeName): (JSC::HandlerInfoBase::isCatchHandler): (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo): (JSC::HandlerInfo::initialize): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::generate): (JSC::BytecodeGenerator::pushTry): (JSC::BytecodeGenerator::popTryAndEmitCatch): (JSC::BytecodeGenerator::emitEnumeration): * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitThrow): * bytecompiler/NodesCodegen.cpp: (JSC::TryNode::emitBytecode): 2015-05-29 Geoffrey Garen REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower https://bugs.webkit.org/show_bug.cgi?id=145412 Reviewed by Darin Adler. Moar speedup. Added a bucket sort for string sorting. * builtins/Array.prototype.js: (sort.compactSparse): (sort.compactSlow): (sort.compact): Split out a compaction fast path for dense arrays. Without it, compaction can increase sort time by 2X for simple sorts. (sort.bucketSort): (sort.stringSort): Use a bucket sorting algorithm if we know we're sorting strings. This makes average case string sorting O(N) with O(N) additional memory use. The worst case bucket sort can require O(M * N) additional space. We avoid this by falling back to merge sort when things are simple or overly duplicative. These are the two cases that accumulate excessive -- and potentially pathological -- bucketing overhead. 2015-06-01 Mark Lam HandlerInfo::initialize() should not assume that CodeLocationLabel is available. https://bugs.webkit.org/show_bug.cgi?id=145515 Reviewed by Csaba Osztrogonác. CodeLocationLabel is only defined for ENABLE(ASSEMBLER) builds. r185022's attempt at simplifying code to increase readability failed to take this into account. This patch fixes it. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): * bytecode/HandlerInfo.h: (JSC::HandlerInfo::initialize): 2015-05-31 Filip Pizlo Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=145503. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::inliningCost): 2015-05-31 Yusuke Suzuki [ES6] Drop WeakMap#clear https://bugs.webkit.org/show_bug.cgi?id=145489 Reviewed by Mark Lam. ES6 spec intentionally drops the WeakMap#clear to allow engine to implement WeakMap as a per-object table. This patch drops WeakMap.prototype.clear. * runtime/WeakMapPrototype.cpp: (JSC::WeakMapPrototype::finishCreation): Deleted. (JSC::protoFuncWeakMapClear): Deleted. 2015-05-31 Jordan Harband Array#reduce and reduceRight don't follow ToLength https://bugs.webkit.org/show_bug.cgi?id=145364 Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength Reviewed by Yusuke Suzuki. * builtins/Array.prototype.js: (reduce): (reduceRight): * runtime/ArrayPrototype.cpp: (JSC::ArrayPrototype::finishCreation): (JSC::arrayProtoFuncReduce): Deleted. (JSC::arrayProtoFuncReduceRight): Deleted. 2015-05-29 Filip Pizlo FTL codegen for MultiGetByOffset and MultiPutByOffset where the structure set is already proved should have an unreachable default case instead of an exit https://bugs.webkit.org/show_bug.cgi?id=145469 Reviewed by Geoffrey Garen. Omitting the speculation on the fail path when the speculation is guaranteed not to be taken hints to LLVM that the default case is impossible. This enables some useful optimizations. * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset): (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset): 2015-05-29 Mark Lam Refactoring HandlerInfo and UnlinkedHandlerInfo. https://bugs.webkit.org/show_bug.cgi?id=145480 Reviewed by Benjamin Poulain. HandlerInfo and UnlinkedHandlerInfo have common parts, but are not currently expressed as 2 unrelated structs that happen to have near identical fields. We can refactor them to better express their relationship. We can also add some convenience functions to make the code that uses them a little more readable. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::handlerForBytecodeOffset): * bytecode/HandlerInfo.h: (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo): (JSC::HandlerInfo::initialize): - I chose to include CodeLocationLabel arg even though it is unused by by non-JIT builds. This makes the call site cleaner to read. * bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedSimpleJumpTable::add): (JSC::UnlinkedInstruction::UnlinkedInstruction): (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): (JSC::UnlinkedCodeBlock::addExceptionHandler): (JSC::UnlinkedCodeBlock::exceptionHandler): (JSC::UnlinkedCodeBlock::symbolTable): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::generate): 2015-05-28 Filip Pizlo Non-speculative Branch should be fast in the FTL https://bugs.webkit.org/show_bug.cgi?id=145452 Reviewed by Andreas Kling. Inlines the code for convertJSValueToBoolean into the FTL. This also includes some other clean-ups that I found along the way. I found this by looking at the hottest functions in DeltaBlue. Despite having so many Branch specializations, apparently there was still a hot one that we missed that was going down the untyped path. It was either Int32 or Other. Maybe we could specialize for that combo, but it makes so much sense to just make all of this nonsense fast. * dfg/DFGWatchpointCollectionPhase.cpp: (JSC::DFG::WatchpointCollectionPhase::handle): Need to watch the masquerades watchpoint on UntypedUse: forms of Branch now. * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::boolify): The actual fix. (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52): (JSC::FTL::LowerDFGToLLVM::isInt32): (JSC::FTL::LowerDFGToLLVM::isNotInt32): (JSC::FTL::LowerDFGToLLVM::unboxInt32): * runtime/JSCellInlines.h: (JSC::JSCell::toBoolean): Symbol is always true. (JSC::JSCell::pureToBoolean): Symbol is always true. * runtime/JSString.cpp: (JSC::JSString::getPrimitiveNumber): (JSC::JSString::toNumber): (JSC::JSString::toBoolean): Deleted. This is a tiny method. It doesn't need to be out-of-line. * runtime/JSString.h: (JSC::JSString::length): (JSC::JSString::toBoolean): This method shouldbe inline. * runtime/Symbol.cpp: (JSC::Symbol::toPrimitive): (JSC::Symbol::getPrimitiveNumber): (JSC::Symbol::toBoolean): Deleted. A Symbol is always true, so we don't need a method for this. * runtime/Symbol.h: 2015-05-29 Commit Queue Unreviewed, rolling out r184860. https://bugs.webkit.org/show_bug.cgi?id=145456 May have caused ~1% Octane regression (Requested by kling on #webkit). Reverted changeset: "Try to use StringView when comparing JSStrings for equality." https://bugs.webkit.org/show_bug.cgi?id=145379 http://trac.webkit.org/changeset/184860 2015-05-28 Michael Saboff mozilla/js1_5/Array/regress-154338.js test causes ARM 32 bit iOS devices to run out of memory https://bugs.webkit.org/show_bug.cgi?id=145444 Reviewed by Geoffrey Garen. Disabled mozilla/js1_5/Array/regress-154338.js when run on iOS ARM 32 bit devices and the --memory-limited option is passed to run-jsc-stress-tests. * tests/mozilla/mozilla-tests.yaml: 2015-05-28 Benjamin Poulain [iOS8][ARMv7(s)] Optimized Object.create in 'use strict' context sometimes breaks. https://bugs.webkit.org/show_bug.cgi?id=138038 Reviewed by Michael Saboff. TL;DR: sometimes the baseline JIT could accidentally nuke the tag before calling to C++, making put_by_id behave erratically. The bug was that put_by_id would randomly not work correctly in 32bits. It happened in the baseline JIT if we were unlucky enough: -The code get hot enough and the structure is stable so we get a fast path for put_by_id. -We repatch the fast-path branch with a stub generated by emitPutTransitionStubAndGetOldStructure(). -In emitPutTransitionStubAndGetOldStructure(), we only preserve the payload of the base register, the tag register is ignored. -emitPutTransitionStubAndGetOldStructure() allocate 2 to 3 registers. Any of those could be the one used for the base's tag before the fast path and the value is trashed. -If we hit one of the failure case, we fallback to the slow path, but we destroyed the tag pointer. -We now have unrelated bits in the tag, the most likely value type is now "double" and we fail the put_by_id because we try to set a property on a number. The most obvious solution would be to change emitPutTransitionStubAndGetOldStructure() to preserve the tag register in addition to the value register. I decided against that option because of the added complexity. The DFG does not need that case, so I would have to add branches everywhere to distinguish the cases were we need to preserve the tag or not. Instead, I just load the tag back from memory in the slow path. The function in the slow path is several order of magnitude slower than a load, it is not worth eliminating it, especially in baseline JIT. I also discovered 4 useless loads in the fast path, so even with my extra load, this patch makes the baseline faster :) * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitSlow_op_put_by_id): (JSC::JIT::emit_op_put_by_id): Deleted. * tests/stress/put-by-id-on-new-object-after-prototype-transition-non-strict.js: Added. (opaqueNewObject): (putValueOnNewObject): * tests/stress/put-by-id-on-new-object-after-prototype-transition-strict.js: Added. (string_appeared_here.opaqueNewObject): (putValueOnNewObject): 2015-05-28 Benjamin Poulain [JSC] reduction the iteration count of the DoubleRep stress tests Once again, I used big numbers for manual testing and I forgot to fix them before landing. * tests/stress/double-rep-with-non-cell.js: * tests/stress/double-rep-with-null.js: * tests/stress/double-rep-with-undefined.js: 2015-05-28 Basile Clement Add debug mode assertions for accessors casting JSC::DFG::Node.m_opInfo https://bugs.webkit.org/show_bug.cgi?id=145441 Reviewed by Filip Pizlo. Most accessor functions casting m_opInfo in JSC::DFG::Node are performing debug checks that they are only accessed for node types that should have them. This patch adds similar checks for the accessors that were missing them. * dfg/DFGNode.h: (JSC::DFG::Node::watchpointSet): (JSC::DFG::Node::storagePointer): (JSC::DFG::Node::multiGetByOffsetData): (JSC::DFG::Node::multiPutByOffsetData): (JSC::DFG::Node::hasTypeLocation): (JSC::DFG::Node::typeLocation): (JSC::DFG::Node::hasBasicBlockLocation): (JSC::DFG::Node::basicBlockLocation): 2015-05-28 Matt Rajca Add ENABLE_MEDIA_SESSION feature flag (which is off by default). https://bugs.webkit.org/show_bug.cgi?id=145415 Reviewed by Eric Carlson. * Configurations/FeatureDefines.xcconfig: 2015-05-27 Jordan Harband Array.of should work with other constructors https://bugs.webkit.org/show_bug.cgi?id=145365 Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.of step 4 Reviewed by Yusuke Suzuki. * builtins/ArrayConstructor.js: (of): * runtime/ArrayConstructor.cpp: (JSC::arrayConstructorOf): Deleted. 2015-05-27 Benjamin Poulain [JSC] Add undefined->double conversion to DoubleRep https://bugs.webkit.org/show_bug.cgi?id=145293 Reviewed by Filip Pizlo. This patch adds undefined to double conversion to the DoubleRep node for the cases were we speculate "undefined" as part of the types processed. The use case is doing math with accidental out-of-bounds access. For example, something like: for (var i = 0; i <= length; ++i) ouptput += array[i]; would cause us to OSR exit every time i === length. When hitting one of those cases, we would already speculate double math, but the DoubleRep node was unable to convert the undefined and would exit. With this patch the use kind NotCellUse cover this conversion for DoubleRep. I have been quite conservative so in general we will not find "undefined" until a few recompile but being optimistic seems better since this is a corner case. This patch is a 80% progression on WebXPRT's DNA Sequencing test. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): * dfg/DFGNode.h: (JSC::DFG::Node::sawUndefined): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::SafeToExecuteEdge::operator()): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileDoubleRep): * dfg/DFGUseKind.cpp: (WTF::printInternal): * dfg/DFGUseKind.h: (JSC::DFG::typeFilterFor): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): * tests/stress/double-rep-with-undefined.js: Added. (addArgsNumberAndUndefined): (addArgsInt32AndUndefined): (testFallbackWithDouble): (addArgsDoubleAndUndefined): (testFallbackWithObject.): (testFallbackWithObject): (addArgsOnlyUndefined): (testFallbackWithString): 2015-05-27 Dean Jackson img.currentSrc problem in strict mode with old picturefill https://bugs.webkit.org/show_bug.cgi?id=144095 Reviewed by Simon Fraser. Add a PICTURE_SIZES flag. * Configurations/FeatureDefines.xcconfig: 2015-05-27 Basile Clement LazyNode comparison can return incorrect results when comparing an empty value https://bugs.webkit.org/show_bug.cgi?id=145421 Reviewed by Geoffrey Garen. When comparing a LazyNode to another, we compare the value pointers if we have one, and otherwise compare the nodes. We should be comparing value pointers if the other LazyNode has one as well, otherwise we risk an incoherency when we are a empty LazyNode being compared to a FrozenValue without node. Note that this is not a problem in any other case because if we don't have a FrozenValue and we are not an empty LazyNode, we are a non-constant node, and comparing the node pointers is correct. * dfg/DFGLazyNode.h: (JSC::DFG::LazyNode::operator==): 2015-05-27 Geoffrey Garen REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower https://bugs.webkit.org/show_bug.cgi?id=145412 Reviewed by Benjamin Poulain. Cache strings when doing a string-converting sort. This is a 21% speedup. * builtins/Array.prototype.js: (sort.stringComparator): Use subtraction instead of branching because it's slightly faster. (sort.comparatorSort): (sort.stringSort): (sort): Add a special case for string sorting to avoid redundant string conversion. * parser/Parser.cpp: (JSC::Parser::createBindingPattern): Names can be empty if they are private names. 2015-05-26 Filip Pizlo JIT-generated store barrier code should assume the buffer pointer and capacity to be compile-time constants https://bugs.webkit.org/show_bug.cgi?id=145404 Reviewed by Andreas Kling. We never change the capacity of a write barrier buffer. We never repoint the buffer pointer. So, the JIT shouldn't load those from memory; it should take advantage of the fact that these are compile-time constants. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): * heap/WriteBarrierBuffer.h: (JSC::WriteBarrierBuffer::currentIndexAddress): (JSC::WriteBarrierBuffer::capacity): (JSC::WriteBarrierBuffer::buffer): (JSC::WriteBarrierBuffer::currentIndexOffset): Deleted. (JSC::WriteBarrierBuffer::capacityOffset): Deleted. (JSC::WriteBarrierBuffer::bufferOffset): Deleted. * jit/Repatch.cpp: (JSC::emitPutTransitionStubAndGetOldStructure): 2015-05-27 Geoffrey Garen REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower https://bugs.webkit.org/show_bug.cgi?id=145412 Reviewed by Darin Adler. Use @toString instead of the String constructor because calls to the String constructor are never optimized. (See https://bugs.webkit.org/show_bug.cgi?id=144458.) This is a ~2X speedup. * builtins/Array.prototype.js: (sort.stringComparator): 2015-05-27 Dan Bernstein Remove JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 https://bugs.webkit.org/show_bug.cgi?id=145403 Reviewed by Anders Carlsson. JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 was used to enable the JavaScriptCore Objective-C API for WebKit and Safari projects building with JavaScriptCore targeting OS X 10.8. We don’t need it anymore. * API/JSBase.h: * API/JSContext.h: * API/JSManagedValue.h: * API/JSValue.h: * API/JSVirtualMachine.h: * Configurations/Base.xcconfig: * postprocess-headers.sh: 2015-05-26 Geoffrey Garen Photo Booth hangs under JSC::MachineThreads::tryCopyOtherThreadStacks https://bugs.webkit.org/show_bug.cgi?id=145395 Reviewed by Mark Hahnenberg. No test case because we already have --threaded mode, which runs lots of parallel GC, but it (and the original in-app test case) can't reproduce this bug. * heap/MachineStackMarker.cpp: (JSC::MachineThreads::tryCopyOtherThreadStacks): Use a lock to prevent two threads from mutually suspending each other. 2015-05-26 Yusuke Suzuki Add Array.prototype.copyWithin to JSC features.json https://bugs.webkit.org/show_bug.cgi?id=145387 Reviewed by Darin Adler. * features.json: 2015-05-26 Yusuke Suzuki Reflect nits for r184863 https://bugs.webkit.org/show_bug.cgi?id=145107 Reviewed by Darin Adler. 1. Added the copyright line. 2. Added an optional argument (/*, end */). To do so, fixed generate-js-builtins. 3. Dropped the unnecessary variable `thisValue`. 4. Fix the type error messages. This is also found in StringIterator.prototype.js. 5. Added tests for 0 arguments. * builtins/Array.prototype.js: (copyWithin): * builtins/StringIterator.prototype.js: (next): * generate-js-builtins: * tests/stress/array-copywithin.js: * tests/stress/string-iterators.js: 2015-05-26 Yusuke Suzuki Inline @Array / @Object callsites https://bugs.webkit.org/show_bug.cgi?id=145382 Reviewed by Geoffrey Garen. As the same to Array/Object callsite inlining, @Array/@Object also should be inlined in bytecode level. While `new @Object` style is not encouraged in the builtins, `@Array(len)` is already used at least in Array.from code. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::expectedFunctionForIdentifier): 2015-05-26 Andreas Kling String.prototype.charCodeAt() should use StringView. Reviewed by Darin Adler. Use JSString::view() in charCodeAt() to avoid reifying the JSString if it's a substring. This avoids StringImpl allocation in some cases and ref churn in all cases. * runtime/StringPrototype.cpp: (JSC::stringProtoFuncCharCodeAt): 2015-05-26 Andreas Kling String.prototype.charAt() should use StringView. Reviewed by Darin Adler. Remove the jsSingleCharacterSubstring() function since it's actually completely counter-productive: it could create a single-character string that would retain a much larger string for the duration of its lifetime. This made sense before StringImpl learned to put its characters at the tail end of its own allocation. Now that it does, it's far better to just create a new single-character StringImpl. With that out of the way, we can make String.prototype.charAt() use StringView to avoid reifying substring JSStrings (and avoid some ref churn too.) * runtime/JSString.cpp: (JSC::JSRopeString::getIndexSlowCase): * runtime/JSString.h: (JSC::JSString::getIndex): (JSC::jsSingleCharacterSubstring): Deleted. * runtime/StringPrototype.cpp: (JSC::stringProtoFuncCharAt): (JSC::stringProtoFuncSplit): 2015-05-26 Yusuke Suzuki [ES6] Implement Array.prototype.copyWithin https://bugs.webkit.org/show_bug.cgi?id=145107 Reviewed by Darin Adler. This patch implements ES6 Array.prototype.copyWithin. It is intended to be used for copying the region to the other region in the callee array itself safely (like memmove, not memcpy). This function is proposed in the context of WebGL. * builtins/Array.prototype.js: (.maxWithPositives): (.minWithMaybeNegativeZeroAndPositive): (copyWithin): * runtime/ArrayPrototype.cpp: (JSC::ArrayPrototype::finishCreation): * tests/stress/array-copywithin.js: Added. (shouldBe): (shouldBeArray): (shouldThrow): (arrayToObject): (valueOf): 2015-05-26 Dan Bernstein Update build settings Reviewed by Anders Carlsson. * Configurations/DebugRelease.xcconfig: * Configurations/FeatureDefines.xcconfig: * Configurations/Version.xcconfig: 2015-05-26 Andreas Kling Try to use StringView when comparing JSStrings for equality. Reviewed by Darin Adler. Use JSString::view() when sending two JSStrings to WTF::equal() for comparison. This avoids creating new objects in the case where the strings are actually substrings. * jit/JITOperations.cpp: * runtime/JSCJSValueInlines.h: (JSC::JSValue::equalSlowCaseInline): (JSC::JSValue::strictEqualSlowCaseInline): 2015-05-26 Yusuke Suzuki [JSC] Generate put_by_val_direct for indexed identifiers instead of put_by_id with direct postfix https://bugs.webkit.org/show_bug.cgi?id=145360 Reviewed by Darin Adler. JSObject::putDirect only accepts non-indexed properties. So when generating put_by_id (with direct postfix) for indexed property, we should generate put_by_val_direct instead. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitDirectPutById): * bytecompiler/NodesCodegen.cpp: (JSC::PropertyListNode::emitPutConstantProperty): * tests/stress/put-by-id-direct-should-be-done-for-non-index-property.js: Added. 2015-05-24 Jordan Harband Array#findIndex/find should not skip holes https://bugs.webkit.org/show_bug.cgi?id=145361 per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.prototype.findindex and https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.prototype.find Reviewed by Yusuke Suzuki. * builtins/Array.prototype.js: (find): Deleted. (findIndex): Deleted. 2015-05-24 Brian J. Burg Web Inspector: Uncaught exception when using Inspect tool on SVG elements https://bugs.webkit.org/show_bug.cgi?id=145363 Reviewed by Joseph Pecoraro. The injected script failed by chaining a call to String.prototype.trim to the result of SVG*Element.className, which is an SVGAnimatedString and lacks useful methods. So, obtain the class name using Node.getAttribute, which always returns a DOMString. * inspector/InjectedScriptSource.js: (InjectedScriptSource.prototype._getDescription): use getAttribute instead of className. 2015-05-23 Dan Bernstein Remove unused definitions of WEBKIT_VERSION_MIN_REQUIRED https://bugs.webkit.org/show_bug.cgi?id=145345 Reviewed by Sam Weinig. * Configurations/Base.xcconfig: Also changed to use $(inherited). 2015-05-23 Yusuke Suzuki Introduce UniquedStringImpl and SymbolImpl to separate symbolic strings from AtomicStringImpl https://bugs.webkit.org/show_bug.cgi?id=144848 Reviewed by Darin Adler. Use UniquedStringImpl, SymbolImpl and AtomicStringImpl. * API/JSCallbackObject.h: * builtins/BuiltinNames.h: (JSC::BuiltinNames::isPrivateName): * bytecode/BytecodeIntrinsicRegistry.h: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): * bytecode/ComplexGetStatus.cpp: (JSC::ComplexGetStatus::computeFor): * bytecode/ComplexGetStatus.h: * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFromLLInt): (JSC::GetByIdStatus::computeFor): (JSC::GetByIdStatus::computeForStubInfo): * bytecode/GetByIdStatus.h: * bytecode/Instruction.h: (JSC::Instruction::Instruction): * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFromLLInt): (JSC::PutByIdStatus::computeFor): (JSC::PutByIdStatus::computeForStubInfo): * bytecode/PutByIdStatus.h: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::visibleNameForParameter): (JSC::BytecodeGenerator::hasConstant): (JSC::BytecodeGenerator::addConstant): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::PropertyListNode::emitBytecode): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): * dfg/DFGDesiredIdentifiers.cpp: (JSC::DFG::DesiredIdentifiers::addLazily): (JSC::DFG::DesiredIdentifiers::at): (JSC::DFG::DesiredIdentifiers::reallyAdd): * dfg/DFGDesiredIdentifiers.h: (JSC::DFG::DesiredIdentifiers::operator[]): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileIn): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::identifierUID): (JSC::DFG::SpeculativeJIT::callOperation): * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateDataSection): * ftl/FTLInlineCacheDescriptor.h: (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor): (JSC::FTL::InlineCacheDescriptor::uid): (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor): (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor): (JSC::FTL::CheckInDescriptor::CheckInDescriptor): * ftl/FTLIntrinsicRepository.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compilePutById): (JSC::FTL::LowerDFGToLLVM::compileIn): (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation): (JSC::FTL::LowerDFGToLLVM::getById): * ftl/FTLOperations.cpp: (JSC::FTL::operationMaterializeObjectInOSR): * ftl/FTLSlowPathCall.cpp: (JSC::FTL::callOperation): * ftl/FTLSlowPathCall.h: * jit/JIT.h: * jit/JITInlines.h: (JSC::JIT::callOperation): * jit/JITOperations.cpp: * jit/JITOperations.h: * parser/Nodes.cpp: (JSC::ProgramNode::setClosedVariables): * parser/Nodes.h: (JSC::ScopeNode::captures): (JSC::ScopeNode::setClosedVariables): (JSC::ProgramNode::closedVariables): * parser/Parser.cpp: (JSC::Parser::parseInner): (JSC::Parser::didFinishParsing): (JSC::Parser::parseContinueStatement): * parser/Parser.h: (JSC::Scope::Scope): (JSC::Scope::pushLabel): (JSC::Scope::getLabel): (JSC::Scope::declareCallee): (JSC::Scope::declareVariable): (JSC::Scope::declareParameter): (JSC::Scope::declareBoundParameter): (JSC::Scope::useVariable): (JSC::Scope::copyCapturedVariablesToVector): (JSC::Parser::closedVariables): (JSC::ScopeLabelInfo::ScopeLabelInfo): Deleted. * parser/SourceProviderCacheItem.h: (JSC::SourceProviderCacheItem::usedVariables): (JSC::SourceProviderCacheItem::writtenVariables): (JSC::SourceProviderCacheItem::create): * runtime/CommonIdentifiers.cpp: (JSC::CommonIdentifiers::isPrivateName): * runtime/CommonIdentifiers.h: * runtime/Identifier.h: (JSC::Identifier::impl): (JSC::Identifier::Identifier): (JSC::parseIndex): (JSC::IdentifierRepHash::hash): * runtime/IdentifierInlines.h: (JSC::Identifier::fromUid): * runtime/IntendedStructureChain.cpp: (JSC::IntendedStructureChain::mayInterceptStoreTo): * runtime/IntendedStructureChain.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/Lookup.h: (JSC::HashTable::entry): * runtime/MapData.h: * runtime/ObjectConstructor.cpp: (JSC::objectConstructorGetOwnPropertySymbols): * runtime/PrivateName.h: (JSC::PrivateName::PrivateName): (JSC::PrivateName::uid): * runtime/PropertyMapHashTable.h: * runtime/PropertyName.h: (JSC::PropertyName::PropertyName): (JSC::PropertyName::uid): (JSC::PropertyName::publicName): (JSC::parseIndex): * runtime/PropertyNameArray.h: (JSC::PropertyNameArray::addKnownUnique): (JSC::PropertyNameArray::add): * runtime/Structure.cpp: (JSC::StructureTransitionTable::contains): (JSC::StructureTransitionTable::get): (JSC::StructureTransitionTable::add): (JSC::Structure::addPropertyTransitionToExistingStructureImpl): (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently): (JSC::Structure::getConcurrently): (JSC::Structure::add): (JSC::Structure::remove): (JSC::Structure::toStructureShape): * runtime/Structure.h: (JSC::PropertyMapEntry::PropertyMapEntry): * runtime/StructureInlines.h: (JSC::Structure::getConcurrently): * runtime/StructureTransitionTable.h: (JSC::StructureTransitionTable::Hash::hash): * runtime/Symbol.cpp: (JSC::Symbol::Symbol): * runtime/Symbol.h: * runtime/SymbolConstructor.cpp: (JSC::symbolConstructorFor): (JSC::symbolConstructorKeyFor): * runtime/SymbolTable.cpp: (JSC::SymbolTable::uniqueIDForVariable): (JSC::SymbolTable::globalTypeSetForVariable): * runtime/SymbolTable.h: * runtime/TypeSet.cpp: (JSC::StructureShape::addProperty): (JSC::StructureShape::propertyHash): * runtime/TypeSet.h: 2015-05-21 Filip Pizlo Arguments elimination phase mishandles arity check failure in its reduction of LoadVarargs to GetStack/PutStacks https://bugs.webkit.org/show_bug.cgi?id=145298 Reviewed by Geoffrey Garen. * dfg/DFGArgumentsEliminationPhase.cpp: Fix the bug. I restructured the loop to make it more obvious that we're initializing everything that we're supposed to initialize. * dfg/DFGNode.h: Add a comment to clarify something I was confused about while writing this code. * dfg/DFGPutStackSinkingPhase.cpp: Hacking on PutStacks made me think deep thoughts, and I added some FIXMEs. * tests/stress/fold-load-varargs-arity-check-fail-barely.js: Added. This test crashes or fails before this patch. * tests/stress/fold-load-varargs-arity-check-fail.js: Added. This is even more sure to crash or fail. * tests/stress/simplify-varargs-mandatory-minimum-smaller-than-limit.js: Added. Not sure if we had coverage for this case before. 2015-05-22 Basile Clement Allow DFGClobberize to return non-node constants that must be later created https://bugs.webkit.org/show_bug.cgi?id=145272 Reviewed by Filip Pizlo. This adds a new LazyNode class in DFG that represents either a Node*, or a FrozenValue* with a way to convert it to a Node* provided a block to insert it into. DFGClobberize is converted to use LazyNode instead of Node* when def()'ing values, which allows to now define the array's length as well as the value of its various fields in NewArray and NewArrayBuffer nodes. We also introduce a Vector in DFG::Graph to collect all the values that can be used as index, in order to avoid def()'ing too many values at once for big NewArrayBuffers. HeapLocation had to be updated to use a LazyNode as its index to be able to define array values. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGCSEPhase.cpp: * dfg/DFGClobberize.h: (JSC::DFG::clobberize): (JSC::DFG::DefMethodClobberize::operator()): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::freezeFragile): * dfg/DFGGraph.h: * dfg/DFGHeapLocation.h: (JSC::DFG::HeapLocation::HeapLocation): (JSC::DFG::HeapLocation::index): (JSC::DFG::HeapLocation::hash): * dfg/DFGLazyNode.cpp: Added. (JSC::DFG::LazyNode::dump): * dfg/DFGLazyNode.h: Added. (JSC::DFG::LazyNode::LazyNode): (JSC::DFG::LazyNode::setNode): (JSC::DFG::LazyNode::isHashTableDeletedValue): (JSC::DFG::LazyNode::isNode): (JSC::DFG::LazyNode::op): (JSC::DFG::LazyNode::asNode): (JSC::DFG::LazyNode::asValue): (JSC::DFG::LazyNode::hash): (JSC::DFG::LazyNode::operator==): (JSC::DFG::LazyNode::operator!=): (JSC::DFG::LazyNode::ensureIsNode): (JSC::DFG::LazyNode::operator->): (JSC::DFG::LazyNode::operator*): (JSC::DFG::LazyNode::operator!): (JSC::DFG::LazyNode::operator UnspecifiedBoolType*): (JSC::DFG::LazyNode::setFrozenValue): * dfg/DFGPreciseLocalClobberize.h: (JSC::DFG::PreciseLocalClobberizeAdaptor::def): * dfg/DFGPutStackSinkingPhase.cpp: 2015-05-22 Andreas Kling [JSC] Speed up new array construction in Array.prototype.splice(). Reviewed by Benjamin Poulain. Give splice() a fast path just like slice(), for indexing types where the backing store can be memcpy'd. I generalized JSArray::fastSlice() a little bit so it works for this optimization as well. 7% progression on Kraken/stanford-crypto-pbkdf2. * runtime/JSArray.h: * runtime/JSArray.cpp: (JSC::JSArray::fastSlice): Tweak this to return JSArray*, and don't bother throwing out-of-memory exceptions. Let the caller worry about that. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSlice): Update for fastSlice() changes. (JSC::arrayProtoFuncSplice): If the object we're splicing out of is a bona fide JSArray, use fastSlice() to create the returned array instead of doing a generic get/put loop. 2015-05-21 Filip Pizlo CPS rethreading should really get rid of GetLocals https://bugs.webkit.org/show_bug.cgi?id=145290 Reviewed by Benjamin Poulain. CPS rethreading is intended to get rid of redundant GetLocals. CSE can also do it, but the idea is that you should be able to disable CSE and everything would still work. This fixes a bug in CPS rethreading's GetLocal elimination: we should be calling replaceWith rather than setReplacement, since setReplacement still leaves the original node. * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): Fix the bug. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): Eliminating GetLocals means that they turn into Check. We should handle Checks that have zero inputs. * dfg/DFGValidate.cpp: (JSC::DFG::Validate::validateCPS): Add a validation for what a GetLocal should look like in ThreadedCPS. * tests/stress/get-local-elimination.js: Added. (foo): 2015-05-21 Saam Barati Object allocation sinking phase should explicitly create bottom values for CreateActivation sink candidates and CreateActivation should have SymbolTable as a child node https://bugs.webkit.org/show_bug.cgi?id=145192 Reviewed by Filip Pizlo. When we sink CreateActivation and generate MaterializeCreateActivation in the object allocation sinking phase, we now explictly add PutHints for all variables on the activation setting those variables to their default value (undefined for Function activations and soon to be JS Empty Value for block scope activations). This allows us to remove code that fills FTL fast activation allocations with Undefined. This patch also adds the constant SymbolTable as an OpInfo of CreateActivation and MaterializeCreateActivation nodes. This is in preparation for ES6 block scoping which will introduce a new op code that gets lowered to CreateActivation. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGNode.h: (JSC::DFG::Node::hasCellOperand): (JSC::DFG::Node::cellOperand): * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): * dfg/DFGPromotedHeapLocation.cpp: (WTF::printInternal): * dfg/DFGPromotedHeapLocation.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCreateActivation): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileCreateActivation): (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation): * ftl/FTLOperations.cpp: (JSC::FTL::operationMaterializeObjectInOSR): * tests/stress/activation-sink-default-value.js: Added. (bar): * tests/stress/activation-sink-osrexit-default-value.js: Added. (foo.set result): 2015-05-21 Per Arne Vollan MSVC internal compiler error when compiling TemplateRegistryKey class. https://bugs.webkit.org/show_bug.cgi?id=145259 Reviewed by Alex Christensen. MSVC is not able to handle the brace initialization of a class member in this case. * runtime/TemplateRegistryKey.h: 2015-05-21 Csaba Osztrogonác Fix the !ENABLE(ES6_TEMPLATE_LITERAL_SYNTAX) build after r184337 https://bugs.webkit.org/show_bug.cgi?id=145248 Reviewed by Yusuke Suzuki. * bytecompiler/BytecodeGenerator.cpp: * bytecompiler/BytecodeGenerator.h: * parser/Parser.cpp: (JSC::Parser::parseMemberExpression): 2015-05-20 Joseph Pecoraro Web Inspector: array previews should have a much smaller cap on values https://bugs.webkit.org/show_bug.cgi?id=145195 Reviewed by Timothy Hatcher. * inspector/InjectedScriptSource.js: (InjectedScript.RemoteObject.prototype._generatePreview): Reduce the indexes threshold for previews. 2015-05-20 Joseph Pecoraro Web Inspector: Use native Arguments detection instead of using toString https://bugs.webkit.org/show_bug.cgi?id=145235 Reviewed by Timothy Hatcher. * inspector/InjectedScriptSource.js: (InjectedScript.prototype._subtype): Deleted the old string code. * inspector/JSInjectedScriptHost.cpp: (Inspector::JSInjectedScriptHost::subtype): Replaced with a stricter, more accurate check. 2015-05-20 Andreas Kling Remove unused MarkedBlock::m_rememberedSet. Reviewed by Mark Hahnenberg. The MarkedBlock had a copy of the remembered bit for each of its cells, and we were maintaining that bitmap despite no one actually ever consulting it. This patch removes MarkedBlock::m_rememberedSet, freeing up 128 bytes in each block and making write barriers a little faster. * heap/Heap.cpp: (JSC::Heap::clearRememberedSet): (JSC::Heap::addToRememberedSet): * heap/HeapInlines.h: (JSC::Heap::isRemembered): * heap/MarkedBlock.cpp: (JSC::MarkedBlock::clearRememberedSet): Deleted. (JSC::MarkedBlock::clearMarksWithCollectionType): * heap/MarkedBlock.h: (JSC::MarkedBlock::setRemembered): Deleted. (JSC::MarkedBlock::clearRemembered): Deleted. (JSC::MarkedBlock::atomicClearRemembered): Deleted. (JSC::MarkedBlock::isRemembered): Deleted. * heap/MarkedSpace.h: (JSC::ClearRememberedSet::operator()): Deleted. (JSC::MarkedSpace::clearRememberedSet): Deleted. 2015-05-20 Andreas Kling Eden collections should extend the IncrementalSweeper work list, not replace it. Reviewed by Geoffrey Garen. After an eden collection, the garbage collector was adding all MarkedBlocks containing new objects to the IncrementalSweeper's work list, to make sure they didn't have to wait until the next full collection before getting swept. Or at least, that's what it thought it was doing. It turns out that IncrementalSweeper's internal work list is really just a reference to Heap::m_blockSnapshot. I didn't realize this when writing the post-eden sweep code, and instead made eden collections cancel all pending sweeps and *replace* them with the list of blocks with new objects. This made it so that rapidly occurring eden collections could prevent large numbers of heap blocks from ever getting swept. This would manifest as accumulation of MarkedBlocks when a system under heavy load was also allocating short lived objects at a high rate. Things would eventually get cleaned up when there was a lull and a full collection was allowed to run its heap sweep to completion. Fix this by moving all management of the block snapshot to Heap. snapshotMarkedSpace() now handles eden collections by merging the list of blocks with new objects into the existing block snapshot. * heap/Heap.cpp: (JSC::Heap::snapshotMarkedSpace): (JSC::Heap::notifyIncrementalSweeper): * heap/IncrementalSweeper.cpp: (JSC::IncrementalSweeper::startSweeping): (JSC::IncrementalSweeper::addBlocksAndContinueSweeping): Deleted. * heap/IncrementalSweeper.h: 2015-05-20 Youenn Fablet AudioContext resume/close/suspend should reject promises with a DOM exception in lieu of throwing exceptions https://bugs.webkit.org/show_bug.cgi?id=145064 Reviewed by Darin Adler. Added default message for TypeError. * runtime/Error.cpp: (JSC::throwTypeError): * runtime/Error.h: 2015-05-20 Joseph Pecoraro No LLInt Test Failure: jsc-layout-tests.yaml/js/script-tests/object-literal-duplicate-properties.js.layout-no-llint https://bugs.webkit.org/show_bug.cgi?id=145219 Reviewed by Mark Lam. * jit/JITOperations.cpp: Throw the error we just got, instead of a stack overflow exception. This matches other error handling for callers of prepareForExecution. 2015-05-19 Filip Pizlo Add some assertions about the CFG in the loop pre-header creation phase https://bugs.webkit.org/show_bug.cgi?id=145205 Reviewed by Geoffrey Garen. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::currentNodeOrigin): Add a FIXME. * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::run): Add a FIXME. * dfg/DFGLoopPreHeaderCreationPhase.cpp: (JSC::DFG::LoopPreHeaderCreationPhase::run): Add the assertions. 2015-05-20 Joseph Pecoraro ES6: Implement Object.setPrototypeOf https://bugs.webkit.org/show_bug.cgi?id=145202 Reviewed by Darin Adler. * runtime/JSGlobalObjectFunctions.h: * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncProtoSetter): (JSC::checkProtoSetterAccessAllowed): Extract a helper to share this code between __proto__ setter and setPrototypeOf. * runtime/ObjectConstructor.cpp: (JSC::objectConstructorSetPrototypeOf): Implementation is very similiar to __proto__ setter. 2015-05-20 Joseph Pecoraro ES6: Should not allow duplicate basic __proto__ properties in Object Literals https://bugs.webkit.org/show_bug.cgi?id=145138 Reviewed by Darin Adler. Implement ES6 Annex B.3.1, which disallows duplicate basic __proto__ properties in object literals. This doesn't affect computed properties, shorthand properties, or getters/setters all of which avoid setting the actual prototype of the object anyway. * interpreter/Interpreter.cpp: (JSC::eval): Remove out of date comment. Duplicate property names are allowed now in ES6, they were not in ES5 strict mode. * parser/ASTBuilder.h: (JSC::ASTBuilder::getName): (JSC::ASTBuilder::getType): * parser/SyntaxChecker.h: (JSC::SyntaxChecker::getName): Add back getName to get the property name depending on the tree builder. Also tighten up the parameter types. * runtime/LiteralParser.cpp: (JSC::LiteralParser::parse): In quick JSON literal parsing for eval, we actually need to evaluate the __proto__ property assignment, instead of just building up a list of direct properties. Only do this when not doing a strict JSON parse. * parser/Nodes.h: Add "Shorthand" to the list of PropertyNode types to allow it to be distinguished without relying on other information. * parser/Parser.h: * parser/Parser.cpp: (JSC::Parser::parseProperty): Add the Shorthand type when parsing a shorthand property. (JSC::Parser::shouldCheckPropertyForUnderscoreProtoDuplicate): (JSC::Parser::parseObjectLiteral): (JSC::Parser::parseStrictObjectLiteral): Check for duplicate __proto__ properties, and throw a SyntaxError if that was the case. 2015-05-20 Csaba Osztrogonác [JSC] Add missing copyrights and licenses for some scripts https://bugs.webkit.org/show_bug.cgi?id=145044 Reviewed by Darin Adler. * build-symbol-table-index.py: * create-llvm-ir-from-source-file.py: * create-symbol-table-index.py: 2015-05-20 Joseph Pecoraro Web Inspector: Slightly better node previews in arrays https://bugs.webkit.org/show_bug.cgi?id=145188 Reviewed by Timothy Hatcher. * inspector/InjectedScriptSource.js: (InjectedScript.prototype._nodeDescription): (InjectedScript.prototype._nodePreview): Different stringified representations for a basic object description or in a preview. (InjectedScript.RemoteObject.prototype._appendPropertyPreviews): Use the node preview string representation inside previews. 2015-05-19 Commit Queue Unreviewed, rolling out r184613 and r184614. https://bugs.webkit.org/show_bug.cgi?id=145206 Broke 10 tests :| (Requested by kling on #webkit). Reverted changesets: "[JSC] Speed up URL encode/decode by using bitmaps instead of strchr()." https://bugs.webkit.org/show_bug.cgi?id=145115 http://trac.webkit.org/changeset/184613 "[JSC] Speed up URL encode/decode by using bitmaps instead of strchr()." https://bugs.webkit.org/show_bug.cgi?id=145115 http://trac.webkit.org/changeset/184614 2015-05-19 Andreas Kling Give StringView a utf8() API. Reviewed by Anders Carlsson. Use JSString::view() in a few places where we couldn't before due to StringView lacking a utf8() API. This is a minor speed-up on Kraken's crypto subtests, which like to call encode() with substring JSStrings. * jsc.cpp: (functionPrint): (functionDebug): * runtime/JSGlobalObjectFunctions.cpp: (JSC::encode): 2015-05-19 Andreas Kling [JSC] Speed up URL encode/decode by using bitmaps instead of strchr(). Incorporate review feedback from Darin, removing some unnecessary zero checks. * runtime/JSGlobalObjectFunctions.cpp: (JSC::encode): (JSC::decode): (JSC::globalFuncEscape): 2015-05-19 Yusuke Suzuki Move AtomicStringImpl table related operations from AtomicString to AtomicStringImpl https://bugs.webkit.org/show_bug.cgi?id=145109 Reviewed by Darin Adler. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::nameForRegister): * runtime/Identifier.cpp: (JSC::Identifier::add): (JSC::Identifier::add8): * runtime/Identifier.h: (JSC::Identifier::add): * runtime/IdentifierInlines.h: (JSC::Identifier::Identifier): (JSC::Identifier::add): * runtime/JSString.cpp: (JSC::JSRopeString::resolveRopeToExistingAtomicString): * runtime/JSString.h: (JSC::JSString::toExistingAtomicString): * runtime/SmallStrings.cpp: (JSC::SmallStringsStorage::SmallStringsStorage): * runtime/TypeSet.cpp: (JSC::StructureShape::propertyHash): 2015-05-19 Joseph Pecoraro Web Inspector: Improve Preview for NodeList / array like collections https://bugs.webkit.org/show_bug.cgi?id=145177 Reviewed by Timothy Hatcher. * inspector/InjectedScriptSource.js: (InjectedScript.RemoteObject.prototype._appendPropertyPreviews): For "array" like object previews skip over non-index properties. We are not marking the object as lossless by choice, but we may return to this decision later. 2015-05-19 Michael Saboff REGRESSION(183787): JIT is enabled for all builds https://bugs.webkit.org/show_bug.cgi?id=145179 Reviewed by Geoffrey Garen. Eliminated the setting of ENABLE_JIT, as wtf/Platform.h has appropriate logic to set it depending on OS and CPU type. * Configurations/FeatureDefines.xcconfig: 2015-05-19 Youenn Fablet Rename createIterResultObject as createIteratorResultObject https://bugs.webkit.org/show_bug.cgi?id=145116 Reviewed by Darin Adler. Renamed createIterResultObject as createIteratorResultObject. Made this function exportable for future use by streams API. * runtime/IteratorOperations.cpp: (JSC::createIteratorResultObject): * runtime/IteratorOperations.h: * runtime/MapIteratorPrototype.cpp: (JSC::MapIteratorPrototypeFuncNext): * runtime/SetIteratorPrototype.cpp: (JSC::SetIteratorPrototypeFuncNext): 2015-05-19 Yusuke Suzuki Array.prototype methods must use ToLength https://bugs.webkit.org/show_bug.cgi?id=144128 Reviewed by Oliver Hunt. Patch by Jordan Harband and Yusuke Suzuki Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength This patch introduces ToLength and ToInteger JS implementation to encourage the DFG/FTL's inlining. These implementations are located in GlobalObject.js. And set to the JSGlobalObject with the private symbols @ToLength and @ToInteger manually. * builtins/Array.prototype.js: (every): (forEach): (filter): (map): (some): (fill): (find): (findIndex): (includes): * builtins/ArrayConstructor.js: (from): * builtins/GlobalObject.js: Copied from Source/JavaScriptCore/builtins/StringConstructor.js. (ToInteger): (ToLength): * builtins/StringConstructor.js: (raw): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObjectFunctions.h: 2015-05-19 Mark Lam Fix the build of a universal binary with ARMv7k of JavaScriptCore. https://bugs.webkit.org/show_bug.cgi?id=145143 Reviewed by Geoffrey Garen. The offlineasm works in 3 phases: Phase 1: Parse the llint asm files for config options and desired offsets. Let's say the offlineasm discovers C unique options and O unique offsets. The offlineasm will then generate a LLIntDesiredOffsets.h file with C x C build configurations, each with a set of O offsets. Each of these build configurations is given a unique configuration index number. Phase 2: Compile the LLIntDesiredOffsets.h file into a JSCLLIntOffsetsExtractor binary. If we're building a fat binary with 2 configurations: armv7, and armv7k, then the fat binary will contain 2 blobs of offsets, one for each of these build configurations. Phase 3: Parse the llint asm files and emit asm code using the offsets that are extracted from the JSCLLIntOffsetsExtractor binary for the corresponding configuration index number. In the pre-existing code, there are no "if ARMv7k" statements in the llint asm source. As a result, OFFLINE_ASM_ARMv7k is not one of the config options in the set of C unique options. For armv7k builds, OFFLINE_ASM_ARMv7 is also true. As a result, for an armv7k target, we will end up building armv7 source. In general, this is fine except: 1. armv7k has different alignment requirements from armv7. Hence, their offset values (in JSCLLIntOffsetsExtractor) will be different. 2. The offlineasm was never told that it needed to make a different configuration for armv7k builds. Hence, the armv7k build of LLIntDesiredOffsets.h will build the armv7 configuration, and consequently, the armv7k blob of offsets in JSCLLIntOffsetsExtractor will have the same configuration index number as the armv7 blob of offsets. In phase 3, when the offlineasm parses the JSCLLIntOffsetsExtractor fat binary looking for the armv7 build's configuration index number, it discovers the armv7k blob which has the same configuration number. As a result, it erroneously thinks the armv7k offsets are appropriate for emitting armv7 code. Needless to say, armv7 code using armv7k offsets will lead to incorrect behavior and all round badness. The fix is to add a simple "if ARMv7k" statement to the llint asm files. While the if statement has no body, it does make the offlineasm aware of the need for ARMv7k as a configuration option. As a result, it will generate an armv7k variant configuration in the LLIntDesiredOffsets.h file with its own unique configuration index number. With that, the JSCLLIntOffsetsExtractor fat binary will no longer have duplicate configuration index numbers for the armv7 and armv7k blobs of offsets, and the issue is resolved. * llint/LLIntOfflineAsmConfig.h: * llint/LowLevelInterpreter.asm: 2015-05-19 Andreas Kling Give JSString a StringView getter and start using it. Reviewed by Anders Carlsson. When JSString is a substring internally, calling value(ExecState*) on it will reify the baseString/start/length tuple into a new StringImpl. For clients that only want to look at the characters of a JSString, but don't actually need a reffable StringImpl, adding a light-weight StringView getter lets them avoid constructing anything. This patch adds JSString::view(ExecState*) and uses it in a few places. There are many more opportunities to use this API, but let's do a few things at a time. * runtime/FunctionConstructor.cpp: (JSC::constructFunctionSkippingEvalEnabledCheck): * runtime/JSGlobalObjectFunctions.cpp: (JSC::decode): (JSC::parseInt): (JSC::jsToNumber): (JSC::parseFloat): (JSC::globalFuncParseInt): (JSC::globalFuncParseFloat): (JSC::globalFuncEscape): (JSC::globalFuncUnescape): * runtime/JSGlobalObjectFunctions.h: * runtime/JSONObject.cpp: (JSC::JSONProtoFuncParse): * runtime/JSString.cpp: (JSC::JSString::getPrimitiveNumber): (JSC::JSString::toNumber): * runtime/JSString.h: (JSC::JSRopeString::view): (JSC::JSString::view): 2015-05-18 Filip Pizlo Better optimize 'if' with ternaries conditional tests. https://bugs.webkit.org/show_bug.cgi?id=144136 Reviewed by Benjamin Poulain. This is the last fix I'll do for this for now. BooleanToNumber(Untyped:) where the input is proved to be either BoolInt32 or Boolean should be optimized to just masking the lowest bit. This is another 37% speed-up on JSRegress/slow-ternaries. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber): 2015-05-18 Benjamin Poulain cloberrize() is wrong for ArithRound because it doesn't account for the arith mode https://bugs.webkit.org/show_bug.cgi?id=145147 Reviewed by Filip Pizlo. Really stupid bug: ArithRound nodes with different rounding modes were not distinguished and CSE would happily unify with a node of a different rounding mode. DFG::clobberize() already support additional data but I was not using it. * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * tests/stress/math-round-arith-rounding-mode.js: Added. (firstCareAboutZeroSecondDoesNot): (firstDoNotCareAboutZeroSecondDoes): (warmup): (verifyNegativeZeroIsPreserved): 2015-05-18 Filip Pizlo Add SpecBoolInt32 type that means "I'm an int and I'm either 0 or 1" https://bugs.webkit.org/show_bug.cgi?id=145137 Reviewed by Benjamin Poulain. It's super useful to know if an integer value could be either zero or one. We have an immediate need for this because of Int32|Boolean uses, where knowing that the Int32 is either 0 or 1 means that there is no actual polymorphism if you just look at the low bit (1 behaves like true, 0 behaves like false, and the low bit of 1|true is 1, and the low bit of 0|false is 0). We do this by splitting the SpecInt32 type into SpecBoolInt32 and SpecNonBoolInt32. This change doesn't have any effect on behavior, yet. But it does give us the ability to predict and prove when values are SpecBoolInt32; it's just we don't leverage this yet. This is perf-neutral. * bytecode/SpeculatedType.cpp: (JSC::dumpSpeculation): (JSC::speculationToAbbreviatedString): (JSC::speculationFromValue): * bytecode/SpeculatedType.h: (JSC::isStringOrStringObjectSpeculation): (JSC::isBoolInt32Speculation): (JSC::isInt32Speculation): (JSC::isInt32OrBooleanSpeculation): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): 2015-05-18 Michael Catanzaro [CMake] Ignore warnings in system headers https://bugs.webkit.org/show_bug.cgi?id=144747 Reviewed by Darin Adler. Separate include directories into WebKit project includes and system includes. Suppress all warnings from headers in system include directories using the SYSTEM argument to the include_directories command. * CMakeLists.txt: * PlatformGTK.cmake: 2015-05-18 Skachkov Alexandr [ES6] Arrow function syntax. Feature flag for arrow function https://bugs.webkit.org/show_bug.cgi?id=145108 Reviewed by Ryosuke Niwa. Added feature flag ENABLE_ES6_ARROWFUNCTION_SYNTAX for arrow function * Configurations/FeatureDefines.xcconfig: 2015-05-18 Benjamin Poulain [JSC] When entering a CheckTierUp without OSREntry, force the CheckTierUp for the outer loops with OSR Entry https://bugs.webkit.org/show_bug.cgi?id=145092 Reviewed by Filip Pizlo. When we have a hot loop without OSR Entry inside a slower loop that support OSR Entry, we get the inside loop driving the tierUpCounter and we have very little chance of doing a CheckTierUp on the outer loop. In turn, this give almost no opportunity to tier up in the outer loop and OSR Enter there. This patches changes CheckTierUp to force its outer loops to do a CheckTierUp themselves. To do that, CheckTierUp sets a flag "nestedTriggerIsSet" to force the outer loop to enter their CheckTierUp regardless of the tier-up counter. * bytecode/ExecutionCounter.cpp: (JSC::ExecutionCounter::setThreshold): This is somewhat unrelated. This assertion is incorrect because it relies on m_counter, which changes on an other thread. I have hit it a couple of times with this patch because we are a bit more aggressive on CheckTierUp. What happens is: 1) ExecutionCounter::checkIfThresholdCrossedAndSet() first checks hasCrossedThreshold(), and it is false. 2) On the main thread, the hot loops keeps running and the counter becomes large enough to cross the threshold. 3) ExecutionCounter::checkIfThresholdCrossedAndSet() runs the next test, setThreshold(), where the assertion is. Since the counter is now large enough, the assertion fails. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGJITCode.h: I used a uint8_t instead of a boolean to make the code generation clearer in DFGSpeculativeJIT64. * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): This is a bit annoying: we have the NaturalLoops analysis that provides us everything we need to know about loops, but the TierUpCheck are conservative and set on LoopHint. To make the two work together, we first find all the CheckTierUp that cannot OSR enter and we keep a list of all the natural loops containing them. Then we do a second pass over the LoopHints, get their NaturalLoop, and check if it contains a loop that cannot OSR enter. * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGTierUpCheckInjectionPhase.cpp: (JSC::DFG::TierUpCheckInjectionPhase::run): (JSC::DFG::TierUpCheckInjectionPhase::canOSREnterAtLoopHint): 2015-05-18 Filip Pizlo Add a Int-or-Boolean speculation to Branch https://bugs.webkit.org/show_bug.cgi?id=145134 Reviewed by Benjamin Poulain. After https://bugs.webkit.org/show_bug.cgi?id=126778 we no longer have a reason not to do the int-or-boolean optimization that we already do everywhere else. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): 2015-05-18 Andreas Kling [JSC] Speed up URL encode/decode by using bitmaps instead of strchr(). Reviewed by Anders Carlsson. We were calling strchr() for every character when doing URL encoding/decoding and it stood out like a sore O(n) thumb in Instruments. Optimize this by using a Bitmap<256> instead. 5.5% progression on Kraken/stanford-crypto-sha256-iterative. * runtime/JSGlobalObjectFunctions.cpp: (JSC::makeCharacterBitmap): (JSC::encode): (JSC::decode): (JSC::globalFuncDecodeURI): (JSC::globalFuncDecodeURIComponent): (JSC::globalFuncEncodeURI): (JSC::globalFuncEncodeURIComponent): (JSC::globalFuncEscape): 2015-05-17 Benjamin Poulain Do not use fastMallocGoodSize anywhere https://bugs.webkit.org/show_bug.cgi?id=145103 Reviewed by Michael Saboff. * assembler/AssemblerBuffer.h: (JSC::AssemblerData::AssemblerData): (JSC::AssemblerData::grow): 2015-05-17 Benjamin Poulain [JSC] Make StringRecursionChecker faster in the simple cases without any recursion https://bugs.webkit.org/show_bug.cgi?id=145102 Reviewed by Darin Adler. In general, the array targeted by Array.toString() or Array.join() are pretty simple. In those simple cases, we spend as much time in StringRecursionChecker as we do on the actual operation. The reason for this is the HashSet stringRecursionCheckVisitedObjects used to detect recursion. We are constantly adding and removing objects which dirty buckets and force constant rehash. This patch adds a simple shortcut for those simple case: in addition to the HashSet, we keep a pointer to the root object of the recursion. In the vast majority of cases, we no longer touch the HashSet at all. This patch is a 12% progression on the overall score of ArrayWeighted. * runtime/StringRecursionChecker.h: (JSC::StringRecursionChecker::performCheck): (JSC::StringRecursionChecker::~StringRecursionChecker): * runtime/VM.h: 2015-05-17 Filip Pizlo Insert store barriers late so that IR transformations don't have to worry about them https://bugs.webkit.org/show_bug.cgi?id=145015 Reviewed by Geoffrey Garen. We have had three kinds of bugs with store barriers. For the sake of discussion we say that a store barrier is needed when we have something like: base.field = value - We sometimes fail to realize that we could remove a barrier when value is a non-cell. This might happen if we prove value to be a non-cell even though in the FixupPhase it wasn't predicted non-cell. - We sometimes have a barrier in the wrong place after object allocation sinking. We might sink an allocation to just above the store, but that puts it just after the StoreBarrier that FixupPhase inserted. - We don't remove redundant barriers across basic blocks. This comprehensively fixes these issues by doing store barrier insertion late, and removing the store barrier elision phase. Store barrier insertion uses an epoch-based algorithm to determine when stores need barriers. Briefly, a barrier is not needed if base is in the current GC epoch (i.e. was the last object that we allocated or had a barrier since last GC) or if base has a newer GC epoch than value (i.e. value would have always been allocated before base). We do conservative things when merging epoch state between basic blocks, and we only do such inter-block removal in the FTL. FTL also queries AI to determine what type we've proved about value, and avoids barriers when value is not a cell. FixupPhase still inserts type checks on some stores, to maximize the likelihood that this AI-based removal is effective. Rolling back in after fixing some debug build test failures. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGBlockMap.h: (JSC::DFG::BlockMap::at): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): * dfg/DFGEpoch.h: (JSC::DFG::Epoch::operator<): (JSC::DFG::Epoch::operator>): (JSC::DFG::Epoch::operator<=): (JSC::DFG::Epoch::operator>=): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::speculateForBarrier): (JSC::DFG::FixupPhase::insertStoreBarrier): Deleted. * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * dfg/DFGStoreBarrierElisionPhase.cpp: Removed. * dfg/DFGStoreBarrierElisionPhase.h: Removed. * dfg/DFGStoreBarrierInsertionPhase.cpp: Added. (JSC::DFG::performFastStoreBarrierInsertion): (JSC::DFG::performGlobalStoreBarrierInsertion): * dfg/DFGStoreBarrierInsertionPhase.h: Added. * ftl/FTLOperations.cpp: (JSC::FTL::operationMaterializeObjectInOSR): Fix an unrelated debug-only bug. * tests/stress/load-varargs-then-inlined-call-and-exit.js: Test for that debug-only bug. * tests/stress/load-varargs-then-inlined-call-and-exit-strict.js: Strict version of that test. 2015-05-16 Commit Queue Unreviewed, rolling out r184415. https://bugs.webkit.org/show_bug.cgi?id=145096 Broke several tests (Requested by msaboff on #webkit). Reverted changeset: "Insert store barriers late so that IR transformations don't have to worry about them" https://bugs.webkit.org/show_bug.cgi?id=145015 http://trac.webkit.org/changeset/184415 2015-05-14 Filip Pizlo Insert store barriers late so that IR transformations don't have to worry about them https://bugs.webkit.org/show_bug.cgi?id=145015 Reviewed by Geoffrey Garen. We have had three kinds of bugs with store barriers. For the sake of discussion we say that a store barrier is needed when we have something like: base.field = value - We sometimes fail to realize that we could remove a barrier when value is a non-cell. This might happen if we prove value to be a non-cell even though in the FixupPhase it wasn't predicted non-cell. - We sometimes have a barrier in the wrong place after object allocation sinking. We might sink an allocation to just above the store, but that puts it just after the StoreBarrier that FixupPhase inserted. - We don't remove redundant barriers across basic blocks. This comprehensively fixes these issues by doing store barrier insertion late, and removing the store barrier elision phase. Store barrier insertion uses an epoch-based algorithm to determine when stores need barriers. Briefly, a barrier is not needed if base is in the current GC epoch (i.e. was the last object that we allocated or had a barrier since last GC) or if base has a newer GC epoch than value (i.e. value would have always been allocated before base). We do conservative things when merging epoch state between basic blocks, and we only do such inter-block removal in the FTL. FTL also queries AI to determine what type we've proved about value, and avoids barriers when value is not a cell. FixupPhase still inserts type checks on some stores, to maximize the likelihood that this AI-based removal is effective. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGBlockMap.h: (JSC::DFG::BlockMap::at): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): * dfg/DFGEpoch.h: (JSC::DFG::Epoch::operator<): (JSC::DFG::Epoch::operator>): (JSC::DFG::Epoch::operator<=): (JSC::DFG::Epoch::operator>=): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::speculateForBarrier): (JSC::DFG::FixupPhase::insertStoreBarrier): Deleted. * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * dfg/DFGStoreBarrierElisionPhase.cpp: Removed. * dfg/DFGStoreBarrierElisionPhase.h: Removed. * dfg/DFGStoreBarrierInsertionPhase.cpp: Added. (JSC::DFG::performFastStoreBarrierInsertion): (JSC::DFG::performGlobalStoreBarrierInsertion): * dfg/DFGStoreBarrierInsertionPhase.h: Added. 2015-05-15 Benjamin Poulain [ARM64] Do not fail branchConvertDoubleToInt32 when the result is zero and not negative zero https://bugs.webkit.org/show_bug.cgi?id=144976 Reviewed by Michael Saboff. Failing the conversion on zero is pretty dangerous as we discovered on x86. This patch does not really impact performance significantly because r184220 removed the zero checks from Kraken. This patch is just to be on the safe side for cases not covered by existing benchmarks. * assembler/MacroAssemblerARM64.h: (JSC::MacroAssemblerARM64::branchConvertDoubleToInt32): 2015-05-15 Sungmann Cho Remove unnecessary forward declarations in PropertyNameArray.h. https://bugs.webkit.org/show_bug.cgi?id=145058 Reviewed by Andreas Kling. No new tests, no behavior change. * runtime/PropertyNameArray.h: 2015-05-15 Mark Lam JSArray::setLength() should reallocate instead of zero-filling if the reallocation would be small enough. https://bugs.webkit.org/show_bug.cgi?id=144622 Reviewed by Geoffrey Garen. When setting the array to a new length that is shorter, we now check if it is worth just making a new butterfly instead of clearing out the slots in the old butterfly that resides beyond the new length. If so, we will make a new butterfly instead. There is no perf differences in the benchmark results. However, this does benefit the perf of pathological cases where we need to shorten the length of a very large array, as is the case in tests/mozilla/js1_5/Array/regress-101964.js. With this patch, we can expect that test to complete in a short time again. * runtime/JSArray.cpp: (JSC::JSArray::setLength): * runtime/JSObject.cpp: (JSC::JSObject::reallocateAndShrinkButterfly): - makes a new butterfly with a new shorter length. * runtime/JSObject.h: * tests/mozilla/js1_5/Array/regress-101964.js: - Undo this test change since this patch will prevent us from spending a lot of time clearing a large butterfly. 2015-05-15 Basile Clement DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic https://bugs.webkit.org/show_bug.cgi?id=145062 Reviewed by Filip Pizlo. We assert in various places (including NodeOrigin::isSet()) that a NodeOrigin's semantic and forExit must be either both set, or both unset. However, LICM'ing a node with unset NodeOrigin would only set forExit, and leave semantic unset. This can for instance happen when a Phi node is constant-folded into a JSConstant, which in turn gets LICM'd. This patch changes DFGLICMPhase to set the NodeOrigin's semantic in addition to its forExit if semantic was previously unset. It also adds two validators to DFGValidate.cpp: - In both SSA and CPS form, a NodeOrigin semantic and forExit must be either both set or both unset - In CPS form, all nodes must have a set NodeOrigin forExit (this is the CPS counterpart to the SSA validator that checks that all nodes must have a set NodeOrigin except possibly for a continuous chunk of nodes at the top of a block) * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::attemptHoist): * dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate): (JSC::DFG::Validate::validateCPS): 2015-05-15 Filip Pizlo Unreviewed, remove an unused declaration. * dfg/DFGSpeculativeJIT.h: 2015-05-14 Filip Pizlo Remove unused constant-base and constant-value store barrier code in the DFG https://bugs.webkit.org/show_bug.cgi?id=145039 Reviewed by Andreas Kling. Just killing dead code. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Deleted. (JSC::DFG::SpeculativeJIT::writeBarrier): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::writeBarrier): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::writeBarrier): 2015-05-15 Alexandr Skachkov Fix typo in function name parseFunctionParamters -> parseFunctionParameters https://bugs.webkit.org/show_bug.cgi?id=145040 Reviewed by Mark Lam. * parser/Parser.h: * parser/Parser.cpp: 2015-05-14 Filip Pizlo Remove StoreBarrierWithNullCheck, nobody ever generates this. Rubber stamped by Benjamin Poulain and Michael Saboff. If we did bring something like this back in the future, we would just use UntypedUse instead of CellUse to indicate that this is what we want. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::isStoreBarrier): * dfg/DFGNodeType.h: * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileStoreBarrier): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck): Deleted. 2015-05-14 Filip Pizlo PutGlobalVar should reference the global object it's storing into https://bugs.webkit.org/show_bug.cgi?id=145036 Reviewed by Michael Saboff. This makes it easier to reason about store barrier insertion and elimination. This changes the format of PutGlobalVar so that child1 is the global object and child2 is the value. Previously it just had child1, and that was the value. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar): 2015-05-14 Michael Catanzaro [CMake] Error out when ruby is too old https://bugs.webkit.org/show_bug.cgi?id=145014 Reviewed by Martin Robinson. Don't enforce the check for the Ruby executable here; it's now enforced in the top-level CMakeLists.txt instead. * CMakeLists.txt: 2015-05-12 Basile Clement Enforce options coherency https://bugs.webkit.org/show_bug.cgi?id=144921 Reviewed by Mark Lam. JavaScriptCore should be failing early when the options are set in such a way that we don't have a meaningful way to execute JavaScript, rather than failing for obscure reasons at some point during execution. This patch adds a new function that checks whether the options are set in a coherent way, and makes JSC::Options::initialize() crash when the environment enforces incoherent options. Client applications able to add or change additional options are responsible to check for coherency again before starting to actually execute JavaScript, if any additional options have been set. This is implemented for the jsc executable in this patch. * jsc.cpp: (CommandLine::parseArguments): * runtime/Options.cpp: (JSC::Options::initialize): (JSC::Options::ensureOptionsAreCoherent): Added. * runtime/Options.h: (JSC::Options::ensureOptionsAreCoherent): Added. 2015-05-14 Yusuke Suzuki REGRESSION (r184337): [EFL] unresolved reference errors in ARM builds https://bugs.webkit.org/show_bug.cgi?id=145019 Reviewed by Ryosuke Niwa. Attempt to fix compile errors in EFL ARM buildbots. By executing `nm`, found JSTemplateRegistryKey.cpp.o and TemplateRegistry.cpp.o have unresolved reference to Structure::get. That is inlined function in StructureInlines.h. * runtime/JSTemplateRegistryKey.cpp: * runtime/TemplateRegistry.cpp: 2015-05-14 Alexandr Skachkov Small refactoring before implementation of the ES6 arrow function. https://bugs.webkit.org/show_bug.cgi?id=144954 Reviewed by Ryosuke Niwa. * parser/Parser.h: * parser/Parser.cpp: 2015-05-14 Yusuke Suzuki REGRESSION (r184337): ASSERT failed in debug builds for tagged templates https://bugs.webkit.org/show_bug.cgi?id=145013 Reviewed by Filip Pizlo. Fix the regression introduced by r184337. 1. JSTemporaryRegistryKey::s_info should inherit the Base::s_info, JSDestructibleObject::s_info. 2. The first register argument of BytecodeGenerator::emitNode should be a referenced register if it is a temporary register. * bytecompiler/NodesCodegen.cpp: (JSC::TaggedTemplateNode::emitBytecode): * runtime/JSTemplateRegistryKey.cpp: 2015-05-14 Andreas Kling String.prototype.split() should create efficient substrings. Reviewed by Geoffrey Garen. Teach split() how to make substring JSStrings instead of relying on StringImpl's substring sharing mechanism. The optimization works by deferring the construction of a StringImpl until the substring's value is actually needed. This knocks ~2MB off of theverge.com by avoiding the extra StringImpl allocations. Out of ~70000 substrings created by split(), only ~2000 of them get reified. * runtime/StringPrototype.cpp: (JSC::jsSubstring): (JSC::splitStringByOneCharacterImpl): (JSC::stringProtoFuncSplit): 2015-05-14 Yusuke Suzuki Change the status of ES6 tagged templates to Done in features.json https://bugs.webkit.org/show_bug.cgi?id=145003 Reviewed by Benjamin Poulain. Now it's implemented in r184337. * features.json: 2015-05-14 Yusuke Suzuki Introduce SymbolType into SpeculativeTypes https://bugs.webkit.org/show_bug.cgi?id=142651 Reviewed by Filip Pizlo. Introduce SpecSymbol type into speculative types. Previously symbol type is categorized into SpecCellOther. But SpecCellOther is not intended to be used for such cells. This patch just introduces SpecSymbol. It represents the type of target value is definitely the symbol type. It is the part of SpecCell. In this patch, we do not introduce SymbolUse tracking. It will be added in the separate patch. * bytecode/SpeculatedType.cpp: (JSC::dumpSpeculation): (JSC::speculationFromStructure): * bytecode/SpeculatedType.h: (JSC::isSymbolSpeculation): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::setType): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * tests/stress/typeof-symbol.js: Added. 2015-05-14 Yusuke Suzuki [ES6] Implement tagged templates https://bugs.webkit.org/show_bug.cgi?id=143183 Reviewed by Oliver Hunt. This patch implements ES6 tagged templates. In tagged templates, the function takes the template object. The template object contains the raw and cooked template strings, so when parsing the tagged templates, we need to tokenize the raw and cooked strings. While tagged templates require the both strings, the template literal only requires the cooked strings. So when tokenizing under the template literal context, we only builds the cooked strings. As per ES6 spec, the template objects for the same raw strings are shared in the same realm. The template objects is cached. And every time we evaluate the same tagged templates, the same (cached) template objects are used. Since the spec freezes this template objects completely, we cannot attach some properties to it. So we can say that it behaves as if the template objects are the primitive values (like JSString). Since we cannot attach properties, the only way to test the identity of the template object is comparing. (===) As the result, when there is no reference to the template object, we can garbage collect it because the user has no way to test that the newly created template object does not equal to the already collected template object. So, to implement tagged templates, we implement the following components. 1. JSTemplateRegistryKey It holds the template registry key and it does not exposed to users. TemplateRegistryKey holds the vector of raw and cooked strings with the pre-computed hash value. When obtaining the template object for the (statically, a.k.a. at the parsing time) given raw string vectors, we use this JSTemplateRegistryKey as a key to the map and look up the template object from TemplateRegistry. JSTemplateRegistryKey is created at the bytecode compiling time and stored in the CodeBlock as like as JSString content values. 2. TemplateRegistry This manages the cached template objects. It holds the weak map (JSTemplateRegistryKey -> the template object). The template object is weakly referenced. So if there is no reference to the template object, the template object is automatically GC-ed. When looking up the template object, it searches the cached template object. If it is found, it is returned to the users. If there is no cached template objects, it creates the new template object and stores it with the given template registry key. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): (JSC::BytecodeGenerator::emitGetTemplateObject): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::TaggedTemplateNode::emitBytecode): (JSC::TemplateLiteralNode::emitBytecode): Deleted. * parser/ASTBuilder.h: (JSC::ASTBuilder::createTaggedTemplate): (JSC::ASTBuilder::createTemplateLiteral): Deleted. * parser/Lexer.cpp: (JSC::Lexer::setCode): (JSC::Lexer::parseTemplateLiteral): (JSC::Lexer::lex): (JSC::Lexer::scanTrailingTemplateString): (JSC::Lexer::clear): * parser/Lexer.h: (JSC::Lexer::makeEmptyIdentifier): * parser/NodeConstructors.h: (JSC::TaggedTemplateNode::TaggedTemplateNode): (JSC::TemplateLiteralNode::TemplateLiteralNode): Deleted. * parser/Nodes.h: (JSC::TemplateLiteralNode::templateStrings): (JSC::TemplateLiteralNode::templateExpressions): (JSC::TaggedTemplateNode::templateLiteral): * parser/Parser.cpp: (JSC::Parser::parseTemplateString): (JSC::Parser::parseTemplateLiteral): (JSC::Parser::parsePrimaryExpression): (JSC::Parser::parseMemberExpression): * parser/Parser.h: * parser/ParserArena.h: (JSC::IdentifierArena::makeEmptyIdentifier): * parser/SyntaxChecker.h: (JSC::SyntaxChecker::createTaggedTemplate): (JSC::SyntaxChecker::createTemplateLiteral): Deleted. * runtime/CommonIdentifiers.h: * runtime/JSGlobalObject.cpp: (JSC::getTemplateObject): (JSC::JSGlobalObject::JSGlobalObject): (JSC::JSGlobalObject::init): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::templateRegistry): * runtime/JSTemplateRegistryKey.cpp: Added. (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey): (JSC::JSTemplateRegistryKey::create): (JSC::JSTemplateRegistryKey::destroy): * runtime/JSTemplateRegistryKey.h: Added. * runtime/ObjectConstructor.cpp: (JSC::objectConstructorFreeze): * runtime/ObjectConstructor.h: * runtime/TemplateRegistry.cpp: Added. (JSC::TemplateRegistry::TemplateRegistry): (JSC::TemplateRegistry::getTemplateObject): * runtime/TemplateRegistry.h: Added. * runtime/TemplateRegistryKey.h: Added. (JSC::TemplateRegistryKey::isDeletedValue): (JSC::TemplateRegistryKey::isEmptyValue): (JSC::TemplateRegistryKey::hash): (JSC::TemplateRegistryKey::rawStrings): (JSC::TemplateRegistryKey::cookedStrings): (JSC::TemplateRegistryKey::operator==): (JSC::TemplateRegistryKey::operator!=): (JSC::TemplateRegistryKey::Hasher::hash): (JSC::TemplateRegistryKey::Hasher::equal): (JSC::TemplateRegistryKey::TemplateRegistryKey): * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: * tests/stress/tagged-templates-identity.js: Added. (shouldBe): * tests/stress/tagged-templates-raw-strings.js: Added. (shouldBe): (tag): (testEval): * tests/stress/tagged-templates-syntax.js: Added. (tag): (testSyntax): (testSyntaxError): * tests/stress/tagged-templates-template-object.js: Added. (shouldBe): (tag): * tests/stress/tagged-templates-this.js: Added. (shouldBe): (tag): * tests/stress/tagged-templates.js: Added. (shouldBe): (raw): (cooked): (Counter): 2015-05-13 Ryosuke Niwa REGRESSION(r180595): same-callee profiling no longer works https://bugs.webkit.org/show_bug.cgi?id=144787 Reviewed by Filip Pizlo. This patch introduces a DFG optimization to use NewObject node when the callee of op_create_this is always the same JSFunction. This condition doesn't hold when the byte code creates multiple JSFunction objects at runtime as in: function y() { return function () {} }; new y(); new y(); To enable this optimization, LLint and baseline JIT now store the last callee we saw in the newly added fourth operand of op_create_this. We use this JSFunction's structure in DFG after verifying our speculation that the callee is the same. To avoid recompiling the same code for different callee objects in the polymorphic case, the special value of seenMultipleCalleeObjects() is set in LLint and baseline JIT when multiple callees are observed. Tests: stress/create-this-with-callee-variants.js * bytecode/BytecodeList.json: Increased the number of operands to 5. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): Dump the newly added callee cache. (JSC::CodeBlock::finalizeUnconditionally): Clear the callee cache if the callee is no longer alive. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitCreateThis): Add the instruction to propertyAccessInstructions so that we can clear the callee cache in CodeBlock::finalizeUnconditionally. Also initialize the newly added operand. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): Implement the optimization. Speculate the actual callee to match the cache. Use the cached callee's structure if the speculation succeeds. Otherwise, OSR exit. * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_create_this): Go to the slow path to update the cache unless it's already marked as seenMultipleCalleeObjects() to indicate the polymorphic behavior and/or we've OSR exited here. (JSC::JIT::emitSlow_op_create_this): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_create_this): Ditto. (JSC::JIT::emitSlow_op_create_this): * llint/LowLevelInterpreter32_64.asm: (_llint_op_create_this): Ditto. * llint/LowLevelInterpreter64.asm: (_llint_op_create_this): Ditto. * runtime/CommonSlowPaths.cpp: (slow_path_create_this): Set the callee cache to the actual callee if it's not set. If the cache has been set to a JSFunction* different from the actual callee, set it to seenMultipleCalleeObjects(). * runtime/JSCell.h: (JSC::JSCell::seenMultipleCalleeObjects): Added. * runtime/WriteBarrier.h: (JSC::WriteBarrierBase::unvalidatedGet): Removed the compile guard around it. * tests/stress/create-this-with-callee-variants.js: Added. 2015-05-13 Joseph Pecoraro Clean up some possible RefPtr to PassRefPtr churn https://bugs.webkit.org/show_bug.cgi?id=144779 Reviewed by Darin Adler. * runtime/GenericTypedArrayViewInlines.h: (JSC::GenericTypedArrayView::create): (JSC::GenericTypedArrayView::createUninitialized): * runtime/JSArrayBufferConstructor.cpp: (JSC::constructArrayBuffer): * runtime/Structure.cpp: (JSC::Structure::toStructureShape): * runtime/TypedArrayBase.h: (JSC::TypedArrayBase::create): (JSC::TypedArrayBase::createUninitialized): * tools/FunctionOverrides.cpp: (JSC::initializeOverrideInfo): Release the last use of a RefPtr as it is passed on. 2015-05-13 Joseph Pecoraro ES6: Allow duplicate property names https://bugs.webkit.org/show_bug.cgi?id=142895 Reviewed by Geoffrey Garen. Introduce new `op_put_getter_by_id` and `op_put_setter_by_id` opcodes that will define a single getter or setter property on an object. The existing `op_put_getter_setter` opcode is still preferred for putting both a getter and setter at the same time but cannot be used for putting an individual getter or setter which is needed in some cases. Add a new slow path when generating bytecodes for a property list with computed properties, as computed properties are the only time the list of properties cannot be determined statically. * bytecompiler/NodesCodegen.cpp: (JSC::PropertyListNode::emitBytecode): - fast path for all constant properties - slow but paired getter/setter path if there are no computed properties - slow path, individual put operation for every property, if there are computed properties * parser/Nodes.h: Distinguish a Computed property from a Constant property. * parser/Parser.cpp: (JSC::Parser::parseProperty): (JSC::Parser::parsePropertyMethod): Distingish Computed and Constant properties. (JSC::Parser::parseObjectLiteral): When we drop into strict mode it is because we saw a getter or setter, so be more explicit. (JSC::Parser::parseStrictObjectLiteral): Eliminate duplicate property syntax error exception. * parser/SyntaxChecker.h: (JSC::SyntaxChecker::getName): * parser/ASTBuilder.h: (JSC::ASTBuilder::getName): Deleted. No longer used. * runtime/JSObject.h: (JSC::JSObject::putDirectInternal): When updating a property. If the Accessor attribute changed update the Structure. * runtime/JSObject.cpp: (JSC::JSObject::putGetter): (JSC::JSObject::putSetter): Called by the opcodes, just perform the same operation that __defineGetter__ or __defineSetter__ would do. (JSC::JSObject::putDirectNonIndexAccessor): This transition is now handled in putDirectInternal. * runtime/Structure.h: Add needed export. * bytecode/BytecodeList.json: * bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitPutGetterById): (JSC::BytecodeGenerator::emitPutSetterById): * bytecompiler/BytecodeGenerator.h: * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * jit/JIT.h: * jit/JITInlines.h: (JSC::JIT::callOperation): * jit/JITOperations.cpp: * jit/JITOperations.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_put_getter_by_id): (JSC::JIT::emit_op_put_setter_by_id): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_put_getter_by_id): (JSC::JIT::emit_op_put_setter_by_id): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LLIntSlowPaths.h: * llint/LowLevelInterpreter.asm: New bytecodes. Modelled after existing op_put_getter_setter. 2015-05-13 Filip Pizlo Creating a new blank document in icloud pages causes an AI error: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble. https://bugs.webkit.org/show_bug.cgi?id=144856 Reviewed by Benjamin Poulain. First I made fixTypeForRepresentation() print out better diagnostics when it dies. Then I fixed the bug: Node::convertToIdentityOn(Node*) needs to make sure that when it converts to a representation-changing node, it needs to use one of the UseKinds that such a node expects. For example, DoubleRep(UntypedUse:) doesn't make sense; it needs to be something like DoubleRep(NumberUse:) since it will speculate that the input is a number. * dfg/DFGAbstractInterpreter.h: (JSC::DFG::AbstractInterpreter::setBuiltInConstant): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::fixTypeForRepresentation): * dfg/DFGAbstractValue.h: * dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::initialize): * dfg/DFGNode.cpp: (JSC::DFG::Node::convertToIdentityOn): * tests/stress/cloned-arguments-get-by-val-double-array.js: Added. (foo): 2015-05-13 Commit Queue Unreviewed, rolling out r184313. https://bugs.webkit.org/show_bug.cgi?id=144974 Introduced an assertion failure in class-syntax- declaration.js, class-syntax-expression.js, and object- literal-syntax.js (Requested by rniwa on #webkit). Reverted changeset: "Small refactoring before ES6 Arrow function implementation." https://bugs.webkit.org/show_bug.cgi?id=144954 http://trac.webkit.org/changeset/184313 2015-05-13 Oliver Hunt Ensure that all the smart pointer types in WTF clear their pointer before deref https://bugs.webkit.org/show_bug.cgi?id=143789 Reviewed by Ryosuke Niwa. One of the simpler cases of this in JavaScriptCore. There are other cases where we need to guard the derefs but they are more complex cases. * inspector/JSInjectedScriptHost.cpp: (Inspector::JSInjectedScriptHost::releaseImpl): * inspector/JSJavaScriptCallFrame.cpp: (Inspector::JSJavaScriptCallFrame::releaseImpl): 2015-05-13 Alexandr Skachkov Small refactoring before ES6 Arrow function implementation. https://bugs.webkit.org/show_bug.cgi?id=144954 Reviewed by Filip Pizlo. * parser/Parser.h: * parser/Parser.cpp: 2015-05-13 Filip Pizlo The liveness pruning done by ObjectAllocationSinkingPhase ignores the possibility of an object's bytecode liveness being longer than its DFG liveness https://bugs.webkit.org/show_bug.cgi?id=144945 Reviewed by Michael Saboff. We were making the mistake of using DFG liveness for object allocation sinking decisions. This is wrong. In fact we almost never want to use DFG liveness directly. The only place where that makes sense is pruning in DFG AI. So, I created a CombinedLiveness class that combines the DFG liveness with bytecode liveness. In the process of doing this, I realized that the DFGForAllKills definition of combined liveness at block tail was not strictly right; it was using the bytecode liveness at the block terminal instead of the union of the bytecode live-at-heads of successor blocks. So, I changed DFGForAllKills to work in terms of CombinedLiveness. This allows me to unskip the test I added in r184260. I also added a new test that tries to trigger this bug more directly. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGCombinedLiveness.cpp: Added. (JSC::DFG::liveNodesAtHead): (JSC::DFG::CombinedLiveness::CombinedLiveness): * dfg/DFGCombinedLiveness.h: Added. (JSC::DFG::CombinedLiveness::CombinedLiveness): * dfg/DFGForAllKills.h: (JSC::DFG::forAllKillsInBlock): (JSC::DFG::forAllLiveNodesAtTail): Deleted. * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::performSinking): (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): * tests/stress/escape-object-in-diamond-then-exit.js: Added. * tests/stress/sink-object-past-invalid-check-sneaky.js: 2015-05-13 Ryosuke Niwa I skipped a wrong test in r184270. Fix that. The failure is tracked by webkit.org/b/144947. * tests/stress/arith-modulo-node-behaviors.js: * tests/stress/arith-mul-with-constants.js: 2015-05-13 Joseph Pecoraro Avoid always running some debug code in type profiling https://bugs.webkit.org/show_bug.cgi?id=144775 Reviewed by Daniel Bates. * runtime/TypeProfilerLog.cpp: (JSC::TypeProfilerLog::processLogEntries): 2015-05-13 Joseph Pecoraro Pass String as reference in more places https://bugs.webkit.org/show_bug.cgi?id=144769 Reviewed by Daniel Bates. * debugger/Breakpoint.h: (JSC::Breakpoint::Breakpoint): * parser/Parser.h: (JSC::Parser::setErrorMessage): (JSC::Parser::updateErrorWithNameAndMessage): * parser/ParserError.h: (JSC::ParserError::ParserError): * runtime/RegExp.cpp: (JSC::RegExpFunctionalTestCollector::outputOneTest): * runtime/RegExpObject.cpp: (JSC::regExpObjectSourceInternal): * runtime/TypeProfiler.cpp: (JSC::TypeProfiler::typeInformationForExpressionAtOffset): * runtime/TypeProfilerLog.cpp: (JSC::TypeProfilerLog::processLogEntries): * runtime/TypeProfilerLog.h: * tools/FunctionOverrides.cpp: (JSC::initializeOverrideInfo): * inspector/scripts/codegen/generate_objc_conversion_helpers.py: (ObjCConversionHelpersGenerator._generate_enum_from_protocol_string): * inspector/scripts/codegen/objc_generator_templates.py: * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: * inspector/scripts/tests/expected/enum-values.json-result: * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: * inspector/scripts/tests/expected/type-declaration-array-type.json-result: * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: * inspector/scripts/tests/expected/type-declaration-object-type.json-result: * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: Rebaseline tests after updating the generator. 2015-05-13 Michael Saboff com.apple.WebKit.WebContent crashed at JavaScriptCore: JSC::CodeBlock::finalizeUnconditionally https://bugs.webkit.org/show_bug.cgi?id=144933 Changed the RELEASE_ASSERT_NOT_REACHED into an ASSERT. Added some diagnostic messages to help determine the cause for any crash. Reviewed by Geoffrey Garen. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::finalizeUnconditionally): 2015-05-13 Filip Pizlo REGRESSION(r184260): arguments elimination has stopped working because of Check(UntypedUse:) from SSAConversionPhase https://bugs.webkit.org/show_bug.cgi?id=144951 Reviewed by Michael Saboff. There were two issues here: - In r184260 we expected a small number of possible use kinds in Check nodes, and UntypedUse was not one of them. That seemed like a sensible assumption because we don't create Check nodes unless it's to have a check. But, SSAConversionPhase was creating a Check that could have UntypedUse. I fixed this. It's cleaner for SSAConversionPhase to follow the same idiom as everyone else and not create tautological checks. - It's clearly not very robust to assume that Checks will not be used tautologically. So, this changes how we validate Checks in the escape analyses. We now use willHaveCheck, which catches cases that AI would have already marked as unnecessary. It then also uses a new helper called alreadyChecked(), which allows us to just ask if the check is unnecessary for objects. That's a good fall-back in case AI hadn't run yet. * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGMayExit.cpp: * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): * dfg/DFGSSAConversionPhase.cpp: (JSC::DFG::SSAConversionPhase::run): * dfg/DFGUseKind.h: (JSC::DFG::alreadyChecked): * dfg/DFGVarargsForwardingPhase.cpp: k 2015-05-13 Yusuke Suzuki [ES6] Implement String.raw https://bugs.webkit.org/show_bug.cgi?id=144330 Reviewed by Filip Pizlo. Implement String.raw. It is intended to be used with tagged-templates syntax. To implement ToString abstract operation efficiently, we introduce @toString bytecode intrinsic. It emits op_to_string directly. * CMakeLists.txt: * builtins/StringConstructor.js: Added. (raw): * bytecompiler/NodesCodegen.cpp: (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString): * runtime/CommonIdentifiers.h: * runtime/StringConstructor.cpp: * tests/stress/string-raw.js: Added. (shouldBe): (.get shouldBe): (Counter): 2015-05-12 Ryosuke Niwa Temporarily disable the test on Windows. The failure is tracked in webkit.org/b/144897. * tests/stress/arith-mul-with-constants.js: 2015-05-12 Filip Pizlo js/dom/stack-trace.html fails with eager compilation https://bugs.webkit.org/show_bug.cgi?id=144853 Reviewed by Benjamin Poulain. All of our escape analyses were mishandling Check(). They were assuming that this is a non-escaping operation. But, if we do for example a Check(Int32:@x) and @x is an escape candidate, then we need to do something: if we eliminate or sink @x, then the check no longer makes any sense since a phantom allocation has no type. This will make us forget that this operation would have exited. This was causing us to not call a valueOf method in js/dom/stack-trace.html with eager compilation enabled, because it was doing something like +o where o had a valueOf method, and o was otherwise sinkable. This changes our escape analyses to basically pretend that any Check() that isn't obviously unnecessary is an escape. We don't have to be super careful here. Most checks will be completely eliminated by constant-folding. If that doesn't run in time, then the most common check we will see is CellUse. So, we just recognize some very obvious check kinds that we know would have passed, and for all of the rest we just assume that it's an escape. This was super tricky to test. The obvious way to test it is to use +o like stack-trace.html, except that doing so relies on the fact that we still haven't implemented the optimal behavior for op_to_number. So, I take four approaches in testing this patch: 1) Use +o. These will test what we want it to test for now, but at some point in the future these tests will just be a good sanity-check that our op_to_number implementation is right. 2) Do fancy control flow tricks to fool the profiling into thinking that some arithmetic operation always sees integers even though we eventually feed it an object and that object is a sink candidate. 3) Introduce a new jsc.cpp intrinsic called isInt32() which returns true if the incoming value is an int32. This intrinsic is required to be implemented by DFG by unconditionally speculating that the input is int32. This allows us to write much more targetted tests of the underlying issue. 4) I made a version of stack-trace.html that runs in run-jsc-stress-tests, so that we can get regression test coverage of this test in eager mode. * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsic): * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): * dfg/DFGVarargsForwardingPhase.cpp: * ftl/FTLExitValue.cpp: (JSC::FTL::ExitValue::dumpInContext): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::buildExitArguments): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileFTLOSRExit): * jsc.cpp: (GlobalObject::finishCreation): (functionIsInt32): * runtime/Intrinsic.h: * tests/stress/sink-arguments-past-invalid-check-dfg.js: Added. * tests/stress/sink-arguments-past-invalid-check-int32-dfg.js: Added. * tests/stress/sink-arguments-past-invalid-check-int32.js: Added. * tests/stress/sink-arguments-past-invalid-check-sneakier.js: Added. * tests/stress/sink-arguments-past-invalid-check.js: Added. * tests/stress/sink-function-past-invalid-check-sneakier.js: Added. * tests/stress/sink-function-past-invalid-check-sneaky.js: Added. * tests/stress/sink-object-past-invalid-check-int32.js: Added. * tests/stress/sink-object-past-invalid-check-sneakier.js: Added. * tests/stress/sink-object-past-invalid-check-sneaky.js: Added. * tests/stress/sink-object-past-invalid-check.js: Added. 2015-05-12 Benjamin Poulain Fix the iteration count of arith-modulo-node-behaviors.js * tests/stress/arith-modulo-node-behaviors.js: No need for big numbers for the real testing. 2015-05-12 Mark Lam Windows: Cannot use HANDLE from GetCurrentThread() to get the CONTEXT of another thread. https://bugs.webkit.org/show_bug.cgi?id=144924 Reviewed by Alex Christensen. The present stack scanning code in the Windows port is expecting that the GetCurrentThread() API will provide a unique HANDLE for each thread. The code then saves and later uses that HANDLE with GetThreadContext() to get the runtime state of the target thread from the GC thread. According to https://msdn.microsoft.com/en-us/library/windows/desktop/ms683182(v=vs.85).aspx, GetCurrentThread() does not provide this unique HANDLE that we expect: "The function cannot be used by one thread to create a handle that can be used by other threads to refer to the first thread. The handle is always interpreted as referring to the thread that is using it. A thread can create a "real" handle to itself that can be used by other threads, or inherited by other processes, by specifying the pseudo handle as the source handle in a call to the DuplicateHandle function." As a result of this, GetCurrentThread() always returns the same HANDLE value, and we end up never scanning the stacks of other threads because we wrongly think that they are all equal (in identity) to the scanning thread. This, in turn, results in crashes due to objects that are incorrectly collected. The fix is to call DuplicateHandle() to create a HANDLE that we can use. The MachineThreads::Thread class already accurately tracks the period of time when we need that HANDLE for the VM. Hence, the life-cycle of the HANDLE can be tied to the life-cycle of the MachineThreads::Thread object for the corresponding thread. * heap/MachineStackMarker.cpp: (JSC::getCurrentPlatformThread): (JSC::MachineThreads::Thread::Thread): (JSC::MachineThreads::Thread::~Thread): (JSC::MachineThreads::Thread::suspend): (JSC::MachineThreads::Thread::resume): (JSC::MachineThreads::Thread::getRegisters): 2015-05-12 Benjamin Poulain [JSC] Make the NegZero backward propagated flags of ArithMod stricter https://bugs.webkit.org/show_bug.cgi?id=144897 Reviewed by Geoffrey Garen. The NegZero flags of ArithMod were the same as ArithDiv: both children were marked as needing to handle NegativeZero. Lucky for us, ArithMod is quite a bit different than ArithDiv. First, the sign of the result is completely independent from the sign of the divisor. A zero on the divisor always produces a NaN. That's great, we can remove the NodeBytecodeNeedsNegZero from the flags propagated to child2. Second, the sign of the result is always the same as the sign of the dividend. A dividend of zero produces a zero of same sign unless the divisor is zero (in which case the result is NaN). This is great too: we can just pass the flags we got into ArithMod. With those two out of the way, we can make a faster version of ArithRound for Kraken's oscillator. Since we no longer care about negative zero, rounding becomes cast(value + 0.5). This gives ~3% faster runtime on the benchmark. Unfortunatelly, most of the time is spent in FTL and the same optimization does not apply well just yet: rdar://problem/20904149. * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): Never add NodeBytecodeNeedsNegZero unless needed by the users of this node. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArithRound): Faster Math.round() when negative zero is not important. * tests/stress/arith-modulo-node-behaviors.js: Added. (moduloWithNegativeZeroDividend): (moduloWithUnusedNegativeZeroDividend): (moduloWithNegativeZeroDivisor): 2015-05-12 Mark Lam Refactor MachineStackMarker.cpp so that it's easier to reason about MachineThreads::Thread. https://bugs.webkit.org/show_bug.cgi?id=144925 Reviewed by Michael Saboff. Currently, the code in MachineStackMarker.cpp is written as a bunch of functions that operate on the platformThread value in the MachineThreads::Thread struct. Instead, we can apply better OO encapsulation and convert all these functions into methods of the MachineThreads::Thread struct. This will also make it easier to reason about the fix for https://bugs.webkit.org/show_bug.cgi?id=144924 later. * heap/MachineStackMarker.cpp: (JSC::getCurrentPlatformThread): (JSC::MachineThreads::Thread::createForCurrentThread): (JSC::MachineThreads::Thread::operator!=): (JSC::MachineThreads::Thread::operator==): (JSC::MachineThreads::addCurrentThread): (JSC::MachineThreads::removeThreadIfFound): (JSC::MachineThreads::Thread::suspend): (JSC::MachineThreads::Thread::resume): (JSC::MachineThreads::Thread::getRegisters): (JSC::MachineThreads::Thread::Registers::stackPointer): (JSC::MachineThreads::Thread::freeRegisters): (JSC::MachineThreads::Thread::captureStack): (JSC::MachineThreads::tryCopyOtherThreadStack): (JSC::MachineThreads::tryCopyOtherThreadStacks): (JSC::equalThread): Deleted. (JSC::suspendThread): Deleted. (JSC::resumeThread): Deleted. (JSC::getPlatformThreadRegisters): Deleted. (JSC::otherThreadStackPointer): Deleted. (JSC::freePlatformThreadRegisters): Deleted. (JSC::otherThreadStack): Deleted. 2015-05-12 Ryosuke Niwa Array.slice should have a fast path like Array.splice https://bugs.webkit.org/show_bug.cgi?id=144901 Reviewed by Geoffrey Garen. Add a fast memcpy path to Array.prototype.slice as done for Array.prototype.splice. In Kraken, this appears to be 30% win on stanford-crypto-ccm and 10% win on stanford-crypto-pbkdf2. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSlice): * runtime/JSArray.cpp: (JSC::JSArray::fastSlice): Added. * runtime/JSArray.h: 2015-05-11 Filip Pizlo OSR availability analysis would be more scalable (and correct) if it did more liveness pruning https://bugs.webkit.org/show_bug.cgi?id=143078 Reviewed by Andreas Kling. In https://bugs.webkit.org/show_bug.cgi?id=144883, we found an example of where liveness pruning is actually necessary. Well, not quite: we just need to prune out keys from the heap availability map where the base node doesn't dominate the point where we are asking for availability. If we don't do this, then eventually the IR gets corrupt because we'll insert PutHints that reference the base node in places where the base node doesn't dominate. But if we're going to do any pruning, then it makes sense to prune by bytecode liveness. This is the strongest possible pruning we can do, and it should be sound. We shouldn't have a node available for a virtual register if that register is live and the node doesn't dominate. Making this work meant reusing the prune-to-liveness algorithm from the FTL backend. So, I abstracted this a bit better. You can now availabilityMap.pruneByLiveness(graph, origin). * dfg/DFGAvailabilityMap.cpp: (JSC::DFG::AvailabilityMap::pruneHeap): (JSC::DFG::AvailabilityMap::pruneByLiveness): (JSC::DFG::AvailabilityMap::prune): Deleted. * dfg/DFGAvailabilityMap.h: * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: (JSC::DFG::OSRAvailabilityAnalysisPhase::run): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::buildExitArguments): * tests/stress/liveness-pruning-needed-for-osr-availability.js: Added. This is a proper regression test. * tests/stress/liveness-pruning-needed-for-osr-availability-eager.js: Added. This is the original reduced test case, requires eager-no-cjit to fail prior to this changeset. 2015-05-12 Gabor Loki Workaround for Cortex-A53 erratum 843419 https://bugs.webkit.org/show_bug.cgi?id=144680 Reviewed by Michael Saboff. This patch is about to give simple workaround for Cortex-A53 erratum 843419. It inserts nops after ADRP instruction to avoid wrong address accesses. * assembler/ARM64Assembler.h: (JSC::ARM64Assembler::adrp): (JSC::ARM64Assembler::nopCortexA53Fix843419): 2015-05-11 Commit Queue Unreviewed, rolling out r184009. https://bugs.webkit.org/show_bug.cgi?id=144900 Caused crashes on inspector tests (Requested by ap on #webkit). Reverted changeset: "MapDataImpl::add() shouldn't do the same hash lookup twice." https://bugs.webkit.org/show_bug.cgi?id=144759 http://trac.webkit.org/changeset/184009 2015-05-11 Commit Queue Unreviewed, rolling out r184123. https://bugs.webkit.org/show_bug.cgi?id=144899 Seems to have introduced flaky crashes in many JS tests (Requested by rniwa on #webkit). Reverted changeset: "REGRESSION(r180595): same-callee profiling no longer works" https://bugs.webkit.org/show_bug.cgi?id=144787 http://trac.webkit.org/changeset/184123 2015-05-11 Brent Fulgham [Win] Move Windows build target to Windows 7 (or newer) https://bugs.webkit.org/show_bug.cgi?id=144890 Reviewed by Anders Carlsson. Update linked SDK and minimal Windows level to be compatible with Windows 7 or newer. * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: * config.h: 2015-05-08 Filip Pizlo CPS rethreading phase's flush detector flushes way too many SetLocals https://bugs.webkit.org/show_bug.cgi?id=144819 Reviewed by Geoffrey Garen. After probably unrelated changes, this eventually caused some arguments elimination to stop working because it would cause more SetLocals to turn into PutStacks. But it was a bug for a long time. Basically, we don't want the children of a SetLocal to be flushed. Flushing is meant to only affect the SetLocal itself. This is a speed-up on Octane/earley. * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::computeIsFlushed): 2015-05-11 Filip Pizlo gmail and google maps fail to load with eager compilation: Failed to insert inline cache for varargs call (specifically, CallForwardVarargs) because we thought the size would be 250 but it ended up being 262 prior to compaction. https://bugs.webkit.org/show_bug.cgi?id=144854 Reviewed by Oliver Hunt. This is easy: just lift the threshold. Also remove the need for some duplicate thresholds. It used to be that Construct required less code, but that's not the case for now. * ftl/FTLInlineCacheSize.cpp: (JSC::FTL::sizeOfCallForwardVarargs): (JSC::FTL::sizeOfConstructVarargs): (JSC::FTL::sizeOfConstructForwardVarargs): 2015-05-11 Ryosuke Niwa REGRESSION(r180595): same-callee profiling no longer works https://bugs.webkit.org/show_bug.cgi?id=144787 Reviewed by Michael Saboff. This patch introduces a DFG optimization to use NewObject node when the callee of op_create_this is always the same JSFunction. This condition doesn't hold when the byte code creates multiple JSFunction objects at runtime as in: function y() { return function () {} }; new y(); new y(); To enable this optimization, LLint and baseline JIT now store the last callee we saw in the newly added fourth operand of op_create_this. We use this JSFunction's structure in DFG after verifying our speculation that the callee is the same. To avoid recompiling the same code for different callee objects in the polymorphic case, the special value of seenMultipleCalleeObjects() is set in LLint and baseline JIT when multiple callees are observed. Tests: stress/create-this-with-callee-variants.js * bytecode/BytecodeList.json: Increased the number of operands to 5. * bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): op_create_this uses 2nd (constructor) and 4th (callee cache) operands. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): Dump the newly added callee cache. (JSC::CodeBlock::finalizeUnconditionally): Clear the callee cache if the callee is no longer alive. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitCreateThis): Add the instruction to propertyAccessInstructions so that we can clear the callee cache in CodeBlock::finalizeUnconditionally. Also initialize the newly added operand. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): Implement the optimization. Speculate the actual callee to match the cache. Use the cached callee's structure if the speculation succeeds. Otherwise, OSR exit. * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_create_this): Go to the slow path to update the cache unless it's already marked as seenMultipleCalleeObjects() to indicate the polymorphic behavior. (JSC::JIT::emitSlow_op_create_this): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_create_this): Ditto. (JSC::JIT::emitSlow_op_create_this): * llint/LowLevelInterpreter32_64.asm: (_llint_op_create_this): Ditto. * llint/LowLevelInterpreter64.asm: (_llint_op_create_this): Ditto. * runtime/CommonSlowPaths.cpp: (slow_path_create_this): Set the callee cache to the actual callee if it's not set. If the cache has been set to a JSFunction* different from the actual callee, set it to seenMultipleCalleeObjects(). * runtime/JSCell.h: (JSC::JSCell::seenMultipleCalleeObjects): Added. * runtime/WriteBarrier.h: (JSC::WriteBarrierBase::unvalidatedGet): Removed the compile guard around it. * tests/stress/create-this-with-callee-variants.js: Added. 2015-05-11 Andreas Kling PropertyNameArray should use a Vector when there are few entries. Reviewed by Geoffrey Garen. Bring back an optimization that was lost in the for-in refactoring. PropertyNameArray now holds a Vector until there are enough (20) entries to justify converting to a HashSet for contains(). Also inlined the code while we're here, since it has so few clients and the call overhead adds up. ~5% progression on Kraken/json-stringify-tinderbox. * runtime/PropertyNameArray.cpp: Removed. * runtime/PropertyNameArray.h: (JSC::PropertyNameArray::canAddKnownUniqueForStructure): (JSC::PropertyNameArray::add): (JSC::PropertyNameArray::addKnownUnique): 2015-05-11 Matt Baker Web Inspector: REGRESSION (r175203): No profile information is shown in Inspector https://bugs.webkit.org/show_bug.cgi?id=144808 Reviewed by Darin Adler. Since a profile can be started after a timeline recording has already begun, we can't assume a zero start time. The start time for the root node's call entry should be based on the stopwatch used by the ProfileGenerator. * profiler/Profile.cpp: (JSC::Profile::create): (JSC::Profile::Profile): * profiler/Profile.h: * profiler/ProfileGenerator.cpp: (JSC::ProfileGenerator::ProfileGenerator): (JSC::AddParentForConsoleStartFunctor::operator()): 2015-05-11 Basile Clement Unreviewed, remove unintended change. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): 2015-05-11 Filip Pizlo Make it easy to enable eager/non-concurrent JIT compilation https://bugs.webkit.org/show_bug.cgi?id=144877 Reviewed by Michael Saboff. * runtime/Options.cpp: (JSC::recomputeDependentOptions): * runtime/Options.h: 2015-05-10 Filip Pizlo We shouldn't promote LoadVarargs to a sequence of GetStacks and PutStacks if doing so would exceed the LoadVarargs' limit https://bugs.webkit.org/show_bug.cgi?id=144851 Reviewed by Michael Saboff. LoadVarargs loads arguments from some object and puts them on the stack. The region of stack is controlled by a bunch of meta-data, including InlineCallFrame. InlineCallFrame shouldn't really be edited after ByteCodeParser, so we cannot convert LoadVarargs to something that uses more stack than the LoadVarargs wanted to. This check was missing in the ArgumentsEliminationPhase's LoadVarargs->GetStack+PutStack promoter. This is an important promotion rule for performance, and in cases where we are compiling truly hot code, the LoadVarargs limit will be at least as big as the length of the phantom arguments array that this phase sees. The LoadVarargs limit is based on profiling and the phantom arguments array is a proof; in most cases the profiling is more conservative. But, you could write some crazy code where the statically obvious arguments array value is bigger than what the profiling would have told you. When this happens, this promotion effectively removes a bounds check. This either results in us clobbering a bunch of stack, or it means that we never initialize a region of the stack that a later operation will read (the uninitialization happens because PutStackSinkingPhase removes PutStacks that appear unnecessary, and a GetMyArgumentByVal will claim not to use the region of the stack outside the original LoadVarargs limit). * dfg/DFGArgumentsEliminationPhase.cpp: * tests/stress/load-varargs-elimination-bounds-check-barely.js: Added. (foo): (bar): (baz): * tests/stress/load-varargs-elimination-bounds-check.js: Added. (foo): (bar): (baz): 2015-05-11 Andreas Kling JSON.stringify shouldn't use generic get() to access Array.length Reviewed by Geoffrey Garen. If the value being serialized is a JSArray object, we can downcast and call its length() directly instead of doing a generic property lookup. 0.5% progression on Kraken/json-stringify-tinderbox. * runtime/JSONObject.cpp: (JSC::Stringifier::Holder::appendNextProperty): 2015-05-10 Andreas Kling Remove unnecessary AtomicStringImpl* hash specification in PropertyNameArray. Follow up to r184050 suggested by Darin. * runtime/PropertyNameArray.h: 2015-05-10 Andreas Kling Remove unused things from PropertyNameArray. Reviewed by Filip Pizlo. PropertyNameArray had a bunch of bells and whistles added to it when for-in iteration was refactored and optimized last year. Then more refactoring happened and this class doesn't need to ring and toot anymore. The RefCountedIdentifierSet class disappears since the JSPropertyNameEnumerator wasn't actually using it for anything and we were just wasting time creating these. Also made the member functions take AtomicStringImpl* instead of plain StringImpl*. * runtime/JSObject.cpp: (JSC::JSObject::getPropertyNames): * runtime/JSPropertyNameEnumerator.cpp: (JSC::JSPropertyNameEnumerator::create): (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator): * runtime/JSPropertyNameEnumerator.h: * runtime/PropertyNameArray.cpp: (JSC::PropertyNameArray::add): (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties): Deleted. * runtime/PropertyNameArray.h: (JSC::PropertyNameArray::PropertyNameArray): (JSC::PropertyNameArray::add): (JSC::PropertyNameArray::addKnownUnique): (JSC::PropertyNameArray::canAddKnownUniqueForStructure): (JSC::RefCountedIdentifierSet::contains): Deleted. (JSC::RefCountedIdentifierSet::size): Deleted. (JSC::RefCountedIdentifierSet::add): Deleted. (JSC::PropertyNameArray::identifierSet): Deleted. (JSC::PropertyNameArray::numCacheableSlots): Deleted. (JSC::PropertyNameArray::setNumCacheableSlotsForObject): Deleted. (JSC::PropertyNameArray::setBaseObject): Deleted. (JSC::PropertyNameArray::setPreviouslyEnumeratedLength): Deleted. 2015-05-09 Yoav Weiss Remove the PICTURE_SIZES build flag https://bugs.webkit.org/show_bug.cgi?id=144679 Reviewed by Benjamin Poulain. Removed the PICTURE_SIZES build time flag. * Configurations/FeatureDefines.xcconfig: 2015-05-08 Filip Pizlo Extend the SaneChain optimization to Contiguous arrays https://bugs.webkit.org/show_bug.cgi?id=144664 Reviewed by Mark Lam. Previously if you loaded from a hole, you'd either have to take slow path for the array load (which means C++ calls and prototype chain walks) or you'd exit (if you hadn't gathered the necessary profiling yet). But that's unnecessary if we know that the prototype chain is sane - i.e. has no indexed properties. Then we can just return Undefined for the hole. Making this change requires setting more watchpoints on the array prototype chain. But that hit a horrible bug: ArrayPrototype still uses the static lookup tables and builds itself up lazily. This means that this increased the number of recompilations we'd get due to the array prototype chain being built up. So, this change also removes the laziness and static tables from ArrayPrototype. But to make that change, I also had to add a helper for eagerly building up a prototype that has builtin functions. * CMakeLists.txt: * DerivedSources.make: * dfg/DFGArrayMode.h: * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileGetByVal): * runtime/ArrayPrototype.cpp: (JSC::ArrayPrototype::finishCreation): (JSC::ArrayPrototype::getOwnPropertySlot): Deleted. * runtime/ArrayPrototype.h: * runtime/JSObject.h: 2015-05-08 Michael Saboff Creating a large MarkedBlock sometimes results in more than one cell in the block https://bugs.webkit.org/show_bug.cgi?id=144815 Reviewed by Mark Lam. Large MarkedBlocks should have one and only one cell. Changed the calculation of m_endAtom for large blocks to use the location of the first cell + 1. This assures that large blocks only have one cell. * heap/MarkedBlock.cpp: (JSC::MarkedBlock::MarkedBlock): 2015-05-08 Oliver Hunt MapDataImpl::add() shouldn't do the same hash lookup twice. https://bugs.webkit.org/show_bug.cgi?id=144759 Reviewed by Gavin Barraclough. We don't actually need to do a double lookup here, all we need to do is update the index to point to the correct m_size. * runtime/MapDataInlines.h: (JSC::JSIterator>::add): 2015-05-08 Andreas Kling Micro-optimize JSON serialization of string primitives. Reviewed by Sam Weinig. Don't use the out-of-line JSValue::getString() to grab at string primitives in serialization. Just check if it's a JSString and then downcast to grab at the WTF::String inside. 2% progression on Kraken/json-stringify-tinderbox. * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): 2015-05-08 Andreas Kling Optimize serialization of quoted JSON strings. Reviewed by Darin Adler. Optimized the serialization of quoted strings into JSON by moving the logic into StringBuilder so it can make smarter decisions about buffering. 12% progression on Kraken/json-stringify-tinderbox (on my Mac Pro.) * bytecompiler/NodesCodegen.cpp: (JSC::ObjectPatternNode::toString): Use the new StringBuilder API. * runtime/JSONObject.h: * runtime/JSONObject.cpp: (JSC::Stringifier::Holder::appendNextProperty): (JSC::appendStringToStringBuilder): Deleted. (JSC::appendQuotedJSONStringToBuilder): Deleted. (JSC::Stringifier::appendQuotedString): Deleted. (JSC::Stringifier::appendStringifiedValue): Moved the bulk of this logic to StringBuilder and call that from here. 2015-05-07 Commit Queue Unreviewed, rolling out r183961. https://bugs.webkit.org/show_bug.cgi?id=144784 Broke js/dom/JSON-stringify.html (Requested by kling on #webkit). Reverted changeset: "Optimize serialization of quoted JSON strings." https://bugs.webkit.org/show_bug.cgi?id=144754 http://trac.webkit.org/changeset/183961 2015-05-07 Filip Pizlo GC has trouble with pathologically large array allocations https://bugs.webkit.org/show_bug.cgi?id=144609 Reviewed by Geoffrey Garen. The bug was that SlotVisitor::copyLater() would return early for oversize blocks (right after pinning them), and would skip the accounting. The GC calculates the size of the heap in tandem with the scan to save time, and that accounting was part of how the GC would know how big the heap was. The GC would then think that oversize copied blocks use no memory, and would then mess up its scheduling of the next GC. Fixing this bug is harder than it seems. When running an eden GC, we figure out the heap size by summing the size from the last collection and the size by walking the eden heap. But this breaks when we eagerly delete objects that the last collection touched. We can do that in one corner case: copied block reallocation. The old block will be deleted from old space during the realloc and a new block will be allocated in new space. In order for the GC to know that the size of old space actually shrank, we need a field to tell us how much such shrinkage could occur. Since this is a very dirty corner case and it only works for very particular reasons arising from the special properties of copied space (single owner, and the realloc is used in places where the compiler already knows that it cannot register allocate a pointer to the old block), I opted for an equally dirty shrinkage counter devoted just to this case. It's called bytesRemovedFromOldSpaceDueToReallocation. To test this, I needed to add an Option to force a particular RAM size in the GC. This allows us to write tests that assert that the GC heap size is some value X, without worrying about machine-to-machine variations due to GC heuristics changing based on RAM size. * heap/CopiedSpace.cpp: (JSC::CopiedSpace::CopiedSpace): Initialize the dirty shrinkage counter. (JSC::CopiedSpace::tryReallocateOversize): Bump the dirty shrinkage counter. * heap/CopiedSpace.h: (JSC::CopiedSpace::takeBytesRemovedFromOldSpaceDueToReallocation): Swap out the counter. Used by the GC when it does its accounting. * heap/Heap.cpp: (JSC::Heap::Heap): Allow the user to force the RAM size. (JSC::Heap::updateObjectCounts): Use the dirty shrinkage counter to good effect. Also, make this code less confusing. * heap/SlotVisitorInlines.h: (JSC::SlotVisitor::copyLater): The early return for isOversize() was the bug. We still need to report these bytes as live. Otherwise the GC doesn't know that it owns this memory. * jsc.cpp: Add size measuring hooks to write the largeish test. (GlobalObject::finishCreation): (functionGCAndSweep): (functionFullGC): (functionEdenGC): (functionHeapSize): * runtime/Options.h: * tests/stress/new-array-storage-array-with-size.js: Fix this so that it actually allocates ArrayStorage arrays and tests the thing it was supposed to test. * tests/stress/new-largeish-contiguous-array-with-size.js: Added. This tests what the other test accidentally started testing, but does so without running your system out of memory. (foo): (test): 2015-05-07 Saam Barati Global functions should be initialized as JSFunctions in byte code https://bugs.webkit.org/show_bug.cgi?id=144178 Reviewed by Geoffrey Garen. This patch makes the initialization of global functions more explicit by moving initialization into bytecode. It also prepares JSC for having ES6 style lexical scoping because initializing global functions in bytecode easily allows global functions to be initialized with the proper scope that will have access to global lexical variables. Global lexical variables should be visible to global functions but don't live on the global object. * bytecode/UnlinkedCodeBlock.cpp: (JSC::UnlinkedProgramCodeBlock::visitChildren): * bytecode/UnlinkedCodeBlock.h: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::generate): (JSC::BytecodeGenerator::BytecodeGenerator): * bytecompiler/BytecodeGenerator.h: * runtime/Executable.cpp: (JSC::ProgramExecutable::initializeGlobalProperties): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::addGlobalVar): (JSC::JSGlobalObject::addFunction): * runtime/JSGlobalObject.h: 2015-05-07 Benjamin Poulain Fix the x86 32bits build * assembler/X86Assembler.h: 2015-05-07 Benjamin Poulain [JSC] Add basic DFG/FTL support for Math.round https://bugs.webkit.org/show_bug.cgi?id=144725 Reviewed by Filip Pizlo. This patch adds two optimizations targeting Math.round(): -Add a DFGNode ArithRound corresponding to the intrinsic RoundIntrinsic. -Change the MacroAssembler to be stricter on how we fail to convert a double to ingeter. Previously, any number valued zero would fail, now we only fail for -0. Since ArithRound speculate it produces int32, the MacroAssembler assembler part became necessary because zero is a pretty common output of Math.round() and we would OSR exit a lot (and eventually recompile for doubles). The implementation itself of the inline Math.round() is exactly the same as the C function that exists for Math.round(). We can very likely do better but it is a good start known to be valid and inlining alone alread provides significant speedups. * assembler/X86Assembler.h: (JSC::X86Assembler::movmskpd_rr): * assembler/MacroAssemblerX86Common.h: (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32): When we have a zero, get the sign bit out of the double and check if is one. I'll look into doing the same improvement for ARM. * bytecode/SpeculatedType.cpp: (JSC::typeOfDoubleRounding): (JSC::typeOfDoubleFRound): Deleted. * bytecode/SpeculatedType.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsic): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.h: (JSC::DFG::Graph::roundShouldSpeculateInt32): (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted. * dfg/DFGNode.h: (JSC::DFG::Node::arithNodeFlags): (JSC::DFG::Node::hasHeapPrediction): (JSC::DFG::Node::hasArithMode): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArithRound): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLIntrinsicRepository.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::convertDoubleToInt32): (JSC::FTL::LowerDFGToLLVM::compileDoubleAsInt32): (JSC::FTL::LowerDFGToLLVM::compileArithRound): * ftl/FTLOutput.h: (JSC::FTL::Output::ceil64): * jit/ThunkGenerators.cpp: * runtime/MathCommon.cpp: * runtime/MathCommon.h: * runtime/MathObject.cpp: (JSC::mathProtoFuncRound): * tests/stress/math-round-basics.js: Added. (mathRoundOnIntegers): (mathRoundOnDoubles): (mathRoundOnBooleans): (uselessMathRound): (mathRoundWithOverflow): (mathRoundConsumedAsDouble): (mathRoundDoesNotCareAboutMinusZero): (mathRoundNoArguments): (mathRoundTooManyArguments): (testMathRoundOnConstants): (mathRoundStructTransition): (Math.round): 2015-05-07 Saam Barati exceptionFuzz tests should explicitly initialize the exceptionFuzz boolean in JavaScript code through a function in jsc.cpp https://bugs.webkit.org/show_bug.cgi?id=144753 Reviewed by Mark Lam. This allows the BytecodeGenerator to freely emit startup code that "may" throw exceptions without worrying that this startup code will trigger the exceptionFuzz exception. The exceptionFuzz counter will only begin ticking when the 'enableExceptionFuzz' function is explicitly called in the exceptionFuzz tests. * jsc.cpp: (GlobalObject::finishCreation): (functionEnableExceptionFuzz): * tests/exceptionFuzz/3d-cube.js: * tests/exceptionFuzz/date-format-xparb.js: * tests/exceptionFuzz/earley-boyer.js: 2015-05-07 Andreas Kling Optimize serialization of quoted JSON strings. Reviewed by Darin Adler. Optimized the serialization of quoted strings into JSON by moving the logic into StringBuilder so it can make smarter decisions about buffering. 12% progression on Kraken/json-stringify-tinderbox (on my Mac Pro.) * bytecompiler/NodesCodegen.cpp: (JSC::ObjectPatternNode::toString): Use the new StringBuilder API. * runtime/JSONObject.h: * runtime/JSONObject.cpp: (JSC::Stringifier::Holder::appendNextProperty): (JSC::appendStringToStringBuilder): Deleted. (JSC::appendQuotedJSONStringToBuilder): Deleted. (JSC::Stringifier::appendQuotedString): Deleted. (JSC::Stringifier::appendStringifiedValue): Moved the bulk of this logic to StringBuilder and call that from here. 2015-05-07 Yusuke Suzuki FunctionCallBracketNode should store the base value to the temporary when subscript has assignment https://bugs.webkit.org/show_bug.cgi?id=144678 Reviewed by Geoffrey Garen. Currently, FunctionCallBracketNode directly use the RegisterID returned by emitNode. But if the base part is the local register and the subscript part has assignment to it, the base result is accidentally rewritten. function t() { var ok = {null: function () { } }; ok[ok = null](); } t(); // Should not throw error. This patch takes care about `subscriptHasAssignment`. By using `emitNodeForLeftHandSide`, when there's assignment to local variables in RHS, it correctly moves the LHS value to a temporary register. * bytecompiler/NodesCodegen.cpp: (JSC::FunctionCallBracketNode::emitBytecode): * parser/ASTBuilder.h: (JSC::ASTBuilder::makeFunctionCallNode): * parser/NodeConstructors.h: (JSC::FunctionCallBracketNode::FunctionCallBracketNode): * parser/Nodes.h: * tests/stress/assignment-in-function-call-bracket-node.js: Added. (shouldBe): (shouldBe.): 2015-05-07 Basile Clement Unreviewed, add missing braces on a single-line if that got expanded in r183939 * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::buildExitArguments): 2015-05-05 Myles C. Maxfield Revert "Introducing the Platform Abstraction Layer (PAL)" https://bugs.webkit.org/show_bug.cgi?id=144751 Unreviewed. PAL should be a new target inside WebCore, rather than a top-level folder. * Configurations/FeatureDefines.xcconfig: Updated 2015-05-07 Basile Clement Dumping OSR ExitValue should expand materializations only once https://bugs.webkit.org/show_bug.cgi?id=144694 Reviewed by Filip Pizlo. Currently, dumping OSR exit values will print the full materialization information each time it is encountered. We change it to print only a brief description (only the materialization's address), and print the whole set of materializations later on. This makes the dump less confusing (less likely to think that two instances of the same materialization are different), and will be a necessary change if/when we support materialization cycles. * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateDataSection): * ftl/FTLExitValue.cpp: (JSC::FTL::ExitValue::dumpInContext): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::buildExitArguments): 2015-05-07 Andreas Kling Worker threads leak WeakBlocks (as seen on leaks bot) Reviewed by Darin Adler. Nuke any remaining empty WeakBlocks when the Heap is being torn down. Trying to peek into these blocks after the VM is dead would be a bug anyway. This fixes a ~750 KB leak seen on the leaks bot. * heap/Heap.cpp: (JSC::Heap::~Heap): 2015-05-05 Geoffrey Garen Don't branch when accessing the callee https://bugs.webkit.org/show_bug.cgi?id=144645 Reviewed by Michael Saboff. The branch was added in without explanation. kling found it to be a performance problem. See . Our theory of access to Registers is that it's up to the client to access them in the right way. So, let's do that. * interpreter/CallFrame.h: (JSC::ExecState::callee): (JSC::ExecState::setCallee): Call the field object instead of function because nothing guarantees that it's a function. * interpreter/ProtoCallFrame.h: (JSC::ProtoCallFrame::callee): (JSC::ProtoCallFrame::setCallee): * interpreter/Register.h: * runtime/JSObject.h: (JSC::Register::object): Just do a cast like our other accessors do. (JSC::Register::operator=): (JSC::Register::function): Deleted. (JSC::Register::withCallee): Deleted. 2015-05-07 Dan Bernstein [Xcode] Remove usage of AspenFamily.xcconfig in Source/ https://bugs.webkit.org/show_bug.cgi?id=144727 Reviewed by Darin Adler. * Configurations/Base.xcconfig: Don’t include AspenFamily.xcconfig, and define INSTALL_PATH_PREFIX and LD_DYLIB_INSTALL_NAME for the iOS 8.x Simulator. 2015-05-07 Andreas Kling Special-case Int32 values in JSON.stringify(). Reviewed by Michael Saboff. Add a fast path for serializing Int32 values to JSON. This is far faster than dragging simple integers through the full-blown dtoa() machinery. ~50% speedup on Kraken/json-stringify-tinderbox. * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): 2015-05-06 Ryosuke Niwa ToT WebKit crashes while loading ES6 compatibility table https://bugs.webkit.org/show_bug.cgi?id=144726 Reviewed by Filip Pizlo. The bug was caused by parseClass superfluously avoiding to build up the string after seeing {. Always build the identifier here as it could be a method name. * parser/Parser.cpp: (JSC::Parser::parseClass): 2015-05-05 Filip Pizlo Sane chain and string watchpoints should be set in FixupPhase or the backend rather than WatchpointCollectionPhase https://bugs.webkit.org/show_bug.cgi?id=144665 Reviewed by Michael Saboff. This is a step towards getting rid of WatchpointCollectionPhase. It's also a step towards extending SaneChain to all indexing shapes. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase. (JSC::DFG::FixupPhase::checkArray): Clarify the need for checking the structure. We often forget why we do this instead of always using CheckArray. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetByValOnString): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase. * dfg/DFGWatchpointCollectionPhase.cpp: (JSC::DFG::WatchpointCollectionPhase::handle): Remove some code. (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal): Deleted. * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileStringCharAt): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase. 2015-04-02 Myles C. Maxfield Introducing the Platform Abstraction Layer (PAL) https://bugs.webkit.org/show_bug.cgi?id=143358 Reviewed by Simon Fraser. * Configurations/FeatureDefines.xcconfig: Updated 2015-05-06 Andreas Kling Don't allocate a StringImpl for every Number JSValue in JSON.stringify(). Reviewed by Darin Adler. We were creating a new String for every number JSValue passing through the JSON stringifier. These StringImpl allocations were dominating one of the Kraken JSON benchmarks. Optimize this by using StringBuilder::appendECMAScriptNumber() which uses a stack buffer for the conversion instead. 13% progression on Kraken/json-stringify-tinderbox. * runtime/JSONObject.cpp: (JSC::Stringifier::appendStringifiedValue): 2015-05-06 Commit Queue Unreviewed, rolling out r183847. https://bugs.webkit.org/show_bug.cgi?id=144691 Caused many assertion failures (Requested by ap on #webkit). Reverted changeset: "GC has trouble with pathologically large array allocations" https://bugs.webkit.org/show_bug.cgi?id=144609 http://trac.webkit.org/changeset/183847 2015-05-05 Filip Pizlo PutGlobalVar shouldn't have an unconditional store barrier https://bugs.webkit.org/show_bug.cgi?id=133104 Reviewed by Benjamin Poulain. We don't need a store barrier on PutGlobalVar if the value being stored can be speculated to not be a cell. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): 2015-05-05 Filip Pizlo CopiedBlock::reportLiveBytes() should be totally cool with oversize blocks https://bugs.webkit.org/show_bug.cgi?id=144667 Reviewed by Andreas Kling. We are now calling this method for oversize blocks. It had an assertion that indirectly implied that the block is not oversize, because it was claiming that the number of live bytes should be smaller than the non-oversize-block size. * heap/CopiedBlockInlines.h: (JSC::CopiedBlock::reportLiveBytes): 2015-05-05 Filip Pizlo GC has trouble with pathologically large array allocations https://bugs.webkit.org/show_bug.cgi?id=144609 Reviewed by Mark Lam. * heap/Heap.cpp: (JSC::Heap::updateObjectCounts): Make this code less confusing. * heap/SlotVisitorInlines.h: (JSC::SlotVisitor::copyLater): The early return for isOversize() was the bug. We still need to report these bytes as live. Otherwise the GC doesn't know that it owns this memory. * jsc.cpp: Add size measuring hooks to write the largeish test. (GlobalObject::finishCreation): (functionGCAndSweep): (functionFullGC): (functionEdenGC): (functionHeapSize): * tests/stress/new-array-storage-array-with-size.js: Fix this so that it actually allocates ArrayStorage arrays and tests the thing it was supposed to test. * tests/stress/new-largeish-contiguous-array-with-size.js: Added. This tests what the other test accidentally started testing, but does so without running your system out of memory. (foo): (test): 2015-05-05 Filip Pizlo FTL SwitchString slow case creates duplicate switch cases https://bugs.webkit.org/show_bug.cgi?id=144634 Reviewed by Geoffrey Garen. The problem of duplicate switches is sufficiently annoying that I fixed the issue and also added mostly-debug-only asserts to catch such issues earlier. * bytecode/CallVariant.cpp: (JSC::variantListWithVariant): Assertion to prevent similar bugs. * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::switchStringRecurse): Assertion to prevent similar bugs. (JSC::FTL::LowerDFGToLLVM::switchStringSlow): This is the bug. * jit/BinarySwitch.cpp: (JSC::BinarySwitch::BinarySwitch): Assertion to prevent similar bugs. * jit/Repatch.cpp: (JSC::linkPolymorphicCall): Assertion to prevent similar bugs. * tests/stress/ftl-switch-string-slow-duplicate-cases.js: Added. This tests the FTL SwitchString bug. It was previously crashing every time. (foo): (cat): 2015-05-05 Basile Clement Fix debug builds after r183812 https://bugs.webkit.org/show_bug.cgi?id=144300 Rubber stamped by Andreas Kling and Filip Pizlo. hasObjectMaterializationData() didn't treat MaterializeCreateActivation as having materialization data, which was causing an assertion failure when sinking CreateActivations on debug builds. * dfg/DFGNode.h: (JSC::DFG::Node::hasObjectMaterializationData): 2015-05-04 Basile Clement Allow CreateActivation sinking https://bugs.webkit.org/show_bug.cgi?id=144300 Reviewed by Filip Pizlo. This pursues the work started in https://bugs.webkit.org/show_bug.cgi?id=144016 to expand the set of allocations we are able to sink by allowing sinking of CreateActivation node. This is achieved by following closely the way NewObject is currently sunk: we add a new PhantomCreateActivation node to record the initial position of the CreateActivation node, new ClosureVarPLoc promoted heap locations to keep track of the variables put in the activation, and a new MaterializeCreateActivation node to allocate and populate the sunk activation. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.cpp: (JSC::DFG::Node::convertToPutClosureVarHint): * dfg/DFGNode.h: (JSC::DFG::Node::convertToPhantomCreateActivation): (JSC::DFG::Node::isActivationAllocation): (JSC::DFG::Node::isPhantomActivationAllocation): (JSC::DFG::Node::isPhantomAllocation): * dfg/DFGNodeType.h: * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGPromotedHeapLocation.cpp: (WTF::printInternal): * dfg/DFGPromotedHeapLocation.h: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGValidate.cpp: (JSC::DFG::Validate::validateCPS): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation): * ftl/FTLOperations.cpp: (JSC::FTL::operationMaterializeObjectInOSR): * tests/stress/activation-sink-osrexit.js: Added. (bar): (foo.set result): * tests/stress/activation-sink.js: Added. (bar): 2015-05-04 Filip Pizlo Unreviewed, fix stale comment. * tests/mozilla/js1_5/Array/regress-101964.js: 2015-05-04 Filip Pizlo Large array shouldn't be slow https://bugs.webkit.org/show_bug.cgi?id=144617 Rubber stamped by Mark Lam. * tests/mozilla/js1_5/Array/regress-101964.js: 500ms isn't enough in debug mode. We don't care how long this takes so long as we run it to completion. I've raised the limit much higher. 2015-05-04 Filip Pizlo Large array shouldn't be slow https://bugs.webkit.org/show_bug.cgi?id=144617 Rubber stamped by Mark Lam. * tests/mozilla/js1_5/Array/regress-101964.js: Mozilla may have cared about this being fast a decade ago (or more), but we don't care. We've consistently found that an array implementation that punishes this case to get speed on common-case array accesses is better. This should fix some test failures on the bots. 2015-05-04 Commit Queue Unreviewed, rolling out r183789. https://bugs.webkit.org/show_bug.cgi?id=144620 Causing flakiness on exceptionFuzz tests locally on 32-bit build (Requested by saamyjoon on #webkit). Reverted changeset: "Global functions should be initialized as JSFunctions in byte code" https://bugs.webkit.org/show_bug.cgi?id=144178 http://trac.webkit.org/changeset/183789 2015-05-04 Saam Barati Global functions should be initialized as JSFunctions in byte code https://bugs.webkit.org/show_bug.cgi?id=144178 Reviewed by Geoffrey Garen. This patch makes the initialization of global functions more explicit by moving initialization into bytecode. It also prepares JSC for having ES6 style lexical scoping because initializing global functions in bytecode easily allows global functions to be initialized with the proper scope that will have access to global lexical variables. Global lexical variables should be visible to global functions but don't live on the global object. * bytecode/UnlinkedCodeBlock.cpp: (JSC::UnlinkedProgramCodeBlock::visitChildren): * bytecode/UnlinkedCodeBlock.h: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::generate): (JSC::BytecodeGenerator::BytecodeGenerator): * bytecompiler/BytecodeGenerator.h: * runtime/Executable.cpp: (JSC::ProgramExecutable::initializeGlobalProperties): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::addGlobalVar): (JSC::JSGlobalObject::addFunction): * runtime/JSGlobalObject.h: 2015-05-04 Filip Pizlo Large array shouldn't be slow https://bugs.webkit.org/show_bug.cgi?id=144617 Reviewed by Geoffrey Garen. Decouple MIN_SPARSE_ARRAY_INDEX, which is the threshold for storing to the sparse map when you're already using ArrayStorage mode, from the minimul array length required to use ArrayStorage in a new Array(length) allocation. Lift the array allocation length threshold to something very high. If this works, we'll probably remove that threshold entirely. This is a 27% speed-up on JetStream/hash-map. Because run-jsc-benchmarks still can't run JetStream as a discrete suite, this adds hash-map to LongSpider so that we run it somewhere for now. * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize): * runtime/ArrayConventions.h: * runtime/JSArray.h: (JSC::JSArray::create): * runtime/JSGlobalObject.h: (JSC::constructEmptyArray): * tests/stress/new-array-storage-array-with-size.js: Skip this test until we fix https://bugs.webkit.org/show_bug.cgi?id=144609. 2015-05-03 Yusuke Suzuki Add backed intrinsics to private functions exposed with private symbols in global object https://bugs.webkit.org/show_bug.cgi?id=144545 Reviewed by Darin Adler. Math.abs and Math.floor have ASM intrinsics And it is further accelerated in DFG/FTL layers. This patch adds intrinsic to private functions exposed with private symbols in global object, @floor and @abs. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalPrivateFuncAbs): Deleted. (JSC::globalPrivateFuncFloor): Deleted. * runtime/MathObject.cpp: * runtime/MathObject.h: * tests/stress/array-from-abs-and-floor.js: Added. (target1): (target2): (target3): 2015-05-04 Csaba Osztrogonác [cmake] ARM related build system cleanup https://bugs.webkit.org/show_bug.cgi?id=144566 Reviewed by Darin Adler. * CMakeLists.txt: 2015-05-04 Andreas Kling Optimize WeakBlock's "reap" and "visit" operations. Reviewed by Geoffrey Garen. WeakBlock was using Heap::isLive(void*) to determine the liveness of weak pointees. That function was really written with conservative roots marking in mind, and will do a bunch of sanity and bounds checks. For weaks, we know that the pointer will have been a valid cell pointer into a block of appropriate cell size, so we can skip a lot of the checks. We now keep a pointer to the MarkedBlock in each WeakBlock. That way we no longer have to do MarkedBlock::blockFor() for every single cell when iterating. Note that a WeakBlock's MarkedBlock pointer becomes null when we detach a logically empty WeakBlock from its WeakSet and transfer ownership to Heap. At that point, the block will never be pointing to any live cells, and the only operation that will run on the block is sweep(). Finally, MarkedBlock allows liveness queries in three states: Marked, Retired, and Allocated. In Allocated state, all cells are reported as live. This state will reset to Marked on next GC. This patch uses that knowledge to avoid branching on the MarkedBlock's state for every cell. This is a ~3x speedup of visit() and a ~2x speedup of reap() on Dromaeo/dom-modify, netting what looks like a 1% speedup locally. * heap/MarkedBlock.cpp: (JSC::MarkedBlock::MarkedBlock): Pass *this to the WeakSet's ctor. * heap/MarkedBlock.h: (JSC::MarkedBlock::isMarkedOrNewlyAllocated): Added, stripped-down version of isLive() when the block's state is known to be either Marked or Retired. (JSC::MarkedBlock::isAllocated): Added, tells WeakBlock it's okay to skip reap/visit since isLive() would report that all cells are live anyway. * heap/WeakBlock.cpp: (JSC::WeakBlock::create): (JSC::WeakBlock::WeakBlock): Stash a MarkedBlock* on each WeakBlock. (JSC::WeakBlock::visit): (JSC::WeakBlock::reap): Optimized these two to avoid a bunch of pointer arithmetic and branches. * heap/WeakBlock.h: (JSC::WeakBlock::disconnectMarkedBlock): Added. * heap/WeakSet.cpp: (JSC::WeakSet::sweep): Call the above when removing a WeakBlock from WeakSet and transferring ownership to Heap until it can die peacefully. (JSC::WeakSet::addAllocator): * heap/WeakSet.h: (JSC::WeakSet::WeakSet): Give WeakSet a MarkedBlock& for passing on to WeakBlocks. 2015-05-04 Basile Clement Allocation sinking is prohibiting the creation of phis between a Phantom object and its materialization https://bugs.webkit.org/show_bug.cgi?id=144587 Rubber stamped by Filip Pizlo. When sinking object allocations, we ensure in determineMaterializationPoints that whenever an allocation is materialized on a path to a block, it is materialized in all such paths. Thus when running the SSA calculator to place Phis in placeMaterializationPoints, we can't encounter a situation where some Upsilons are referring to a materialization while others are referring to the phantom object. This replaces the code that was adding a materialization late in placeMaterializationPoints to handle that case by an assertion that it does not happen, which will make https://bugs.webkit.org/show_bug.cgi?id=143073 easier to implement. * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): 2015-05-04 Ryosuke Niwa Extending undefined in class syntax should throw a TypeError https://bugs.webkit.org/show_bug.cgi?id=144284 Reviewed by Darin Adler. The bug was caused by op_eq_null evaluating to true when compared to undefined. Explicitly check op_eq_undefined first to detect the case where we're extending undefined. We also had bogus test cases checked in class-syntax-extends.html. This patch also fixes them. * bytecompiler/NodesCodegen.cpp: (JSC::ClassExprNode::emitBytecode): 2015-05-04 Ryosuke Niwa new super should be a syntax error https://bugs.webkit.org/show_bug.cgi?id=144282 Reviewed by Joseph Pecoraro. Disallow "new super" as ES6 spec doesn't allow this. * parser/Parser.cpp: (JSC::Parser::parseMemberExpression): 2015-05-04 Saam Barati JSCallbackObject does not maintain symmetry between accesses for getOwnPropertySlot and put https://bugs.webkit.org/show_bug.cgi?id=144265 Reviewed by Geoffrey Garen. JSCallbackObject will defer to a parent's implementation of getOwnPropertySlot for a static function if the parent has that property slot. JSCallbackObject::put did not maintain this symmetry of also calling ::put on the parent if the parent has the property. We should ensure that this symmetry exists. * API/JSCallbackObjectFunctions.h: (JSC::JSCallbackObject::put): * API/tests/testapi.c: * API/tests/testapi.js: (globalStaticFunction2): (this.globalStaticFunction2): (iAmNotAStaticFunction): (this.iAmNotAStaticFunction): 2015-05-04 Andreas Kling Make ExecState::vm() branchless in release builds. Reviewed by Geoffrey Garen. Avoid null checking the ExecState's callee() before getting the VM from it. The code was already dereferencing it anyway, since we know it's not gonna be null. * runtime/JSCellInlines.h: (JSC::ExecState::vm): 2015-05-04 Basile Clement Object allocation not sinking properly through CheckStructure https://bugs.webkit.org/show_bug.cgi?id=144465 Reviewed by Filip Pizlo. Currently, sinking an allocation through a CheckStructure will completely ignore all structure checking, which is obviously wrong. A CheckStructureImmediate node type was present for that purpose, but the CheckStructures were not properly replaced. This ensures that CheckStructure nodes are replaced by CheckStructureImmediate nodes when sunk through, and that structure checking happens correctly. * dfg/DFGNode.h: (JSC::DFG::Node::convertToCheckStructureImmediate): Added. (JSC::DFG::Node::hasStructureSet): * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileCheckStructure): (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate): (JSC::FTL::LowerDFGToLLVM::checkStructure): * tests/stress/sink_checkstructure.js: Added. (foo): 2015-05-01 Geoffrey Garen REGRESSION(r183570): jslib-traverse-jquery is 22% slower https://bugs.webkit.org/show_bug.cgi?id=144476 Reviewed by Sam Weinig. jslib-traverse-jquery is now 31% faster than its unregressed baseline. The jQuery algorithm for sorting DOM nodes is so pathologically slow that, to my knowledge, the topic of how to optimize it is not covered in any literature about sorting. On the slowest jQuery sorting test -- prevAll -- our new Array.prototype.sort, compared to its predecessor, performed 12% fewer comparisons and requireed 10X less overhead per comparison. Yet, it was slower. It was slower because it inadvertantly increased the average cost of the comparison function by 2X. jQuery uses compareDocumentPosition to compare DOM nodes, and compareDocumentPosition(a, b) is O(N) in the distance required to traverse backwards from b to a. In prevAll, we encounter the worst case for merge sort of compareDocumentPosition: A long list of DOM nodes in mostly reverse order. In this case, merge sort will sequentially compareDocumentPosition(a, b), where a is not reachable backwards from b, and therefore compareDocumentPosition will traverse the whole sibling list. The solution is simple enough: Call compareDocumentPosition(b, a) instead. This is a pretty silly thing to do, but it is harmless, and jQuery is popular, so let's do it. We do not risk suffering the same problem in reverse when sorting a long list of DOM nodes in forward order. (We still have a 37% speedup on the nextAll benchmark.) The reason is that merge sort performs 2X fewer comparisons when the list is already sorted, so we can worry less about the cost of each comparison. A fully principled soultion to this problem would probably do something like Python's timsort, which special-cases ordered ranges to perform only O(n) comparisons. But that would contradict our original goal of just having something simple that works. Another option is for elements to keep a compareDocumentPosition cache, like a node list cache, which allows you to determine the absolute position of a node using a hash lookup. I will leave this as an exercise for kling. * builtins/Array.prototype.js: (sort.merge): Compare in an order that is favorable to a comparator that calls compareDocumentPosition. 2015-05-04 Csaba Osztrogonác [cmake] Fix generate-js-builtins related incremental build issue https://bugs.webkit.org/show_bug.cgi?id=144094 Reviewed by Michael Saboff. * CMakeLists.txt: Generated JSCBuiltins. should depend on Source/JavaScriptCore/builtins directory. Pass input directory to generate-js-builtins instead of Source/JavaScriptCore/builtins/*.js. * DerivedSources.make: Pass input directory to generate-js-builtins instead of Source/JavaScriptCore/builtins/*.js. * generate-js-builtins: Accept input files and input directory too. 2015-05-03 Simon Fraser Make some static data const https://bugs.webkit.org/show_bug.cgi?id=144552 Reviewed by Andreas Kling. Turn characterSetInfo into const data. * yarr/YarrCanonicalizeUCS2.cpp: * yarr/YarrCanonicalizeUCS2.h: 2015-05-01 Filip Pizlo TypeOf should be fast https://bugs.webkit.org/show_bug.cgi?id=144396 Reviewed by Geoffrey Garen. Adds comprehensive support for fast typeof to the optimizing JITs. Calls into the runtime are only used for very exotic objects - they must have either the MasqueradesAsUndefined or TypeOfShouldCallGetCallData type flags set. All other cases are handled inline. This means optimizing IsObjectOrNull, IsFunction, and TypeOf - all node types that used to rely heavily on C++ calls to fulfill their function. Because TypeOf is now so fast, we no longer need to do any speculations on this node. In the FTL, we take this further by querying AI for each branch in the TypeOf decision tree. This means that if the TypeOf is dominated by any type checks, we will automatically prune out cases that are redundant. This patch anticipates the addition of SwitchTypeOf or something like that. So, the TypeOf code generation is designed to be reusable. This is a speed-up on most typeof benchmarks. But, it is a slow-down on benchmarks that take the exotic call trap hook. That hook is now in a deeper slow path than before. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGClobberize.h: (JSC::DFG::clobberize): TypeOf was pure all along, but we failed to realize this. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull): (JSC::DFG::SpeculativeJIT::compileIsFunction): (JSC::DFG::SpeculativeJIT::compileTypeOf): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::blessedBooleanResult): (JSC::DFG::SpeculativeJIT::callOperation): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLIntrinsicRepository.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull): (JSC::FTL::LowerDFGToLLVM::compileIsFunction): (JSC::FTL::LowerDFGToLLVM::compileTypeOf): (JSC::FTL::LowerDFGToLLVM::buildTypeOf): Reusable TypeOf building for the FTL. (JSC::FTL::LowerDFGToLLVM::isExoticForTypeof): * ftl/FTLSwitchCase.h: (JSC::FTL::SwitchCase::SwitchCase): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::branchIfNotEqual): (JSC::AssemblyHelpers::branchIfEqual): (JSC::AssemblyHelpers::branchIfNumber): (JSC::AssemblyHelpers::branchIfNotNumber): (JSC::AssemblyHelpers::branchIfBoolean): (JSC::AssemblyHelpers::branchIfNotBoolean): (JSC::AssemblyHelpers::boxBooleanPayload): (JSC::AssemblyHelpers::boxBoolean): (JSC::AssemblyHelpers::emitTypeOf): Reusable TypeOf building for assembly JITs. * jit/JITOperations.h: * runtime/SmallStrings.h: (JSC::SmallStrings::typeString): * runtime/TypeofType.cpp: Added. (WTF::printInternal): * runtime/TypeofType.h: Added. * tests/stress/type-of-functions-and-objects.js: Modified this test to give more comprehensive feedback. 2015-05-02 Filip Pizlo Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=144527. * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::attemptHoist): 2015-05-02 Filip Pizlo Unreviewed, add FIXMEs referencing https://bugs.webkit.org/show_bug.cgi?id=144524 and https://bugs.webkit.org/show_bug.cgi?id=144525. * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::attemptHoist): * dfg/DFGPhantomInsertionPhase.cpp: 2015-05-02 Yusuke Suzuki Static property hashtable should only lookup with non-symbol key https://bugs.webkit.org/show_bug.cgi?id=144438 Reviewed by Darin Adler. Static property hashtable compares the Identifier's uid with the normal C string without interning it. So this comparison is performed in their contents. As the result, in this comparison, symbol-ness is not considered. So if accidentally the hash collision occur with the symbol and the string and they have the same contents, the hash table entry is looked up incorrectly. * runtime/Lookup.h: (JSC::HashTable::entry): 2015-05-01 Ryosuke Niwa Class syntax should allow string and numeric identifiers for method names https://bugs.webkit.org/show_bug.cgi?id=144254 Reviewed by Darin Adler. Added the support for string and numeric identifiers in class syntax. * parser/Parser.cpp: (JSC::Parser::parseFunctionInfo): Instead of using ConstructorKind to indicate whether we're inside a class or not, use the newly added SuperBinding argument instead. ConstructorKind is now None outside a class constructor as it should be. (JSC::Parser::parseFunctionDeclaration): (JSC::Parser::parseClass): No longer expects an identifier at the beginning of every class element to allow numeric and string method names. For both of those method names, parse it here instead of parseFunctionInfo since it doesn't support either type. Also pass in SuperBinding::Needed. (JSC::Parser::parsePropertyMethod): Call parseFunctionInfo with SuperBinding::NotNeeded since this function is never used to parse a class method. (JSC::Parser::parseGetterSetter): Pass in superBinding argument to parseFunctionInfo. (JSC::Parser::parsePrimaryExpression): Call parseFunctionInfo with SuperBinding::NotNeeded. * parser/Parser.h: * parser/SyntaxChecker.h: (JSC::SyntaxChecker::createProperty): 2015-05-01 Filip Pizlo FTL should use AI more https://bugs.webkit.org/show_bug.cgi?id=144500 Reviewed by Oliver Hunt. This makes our type check folding even more comprehensive by ensuring that even if the FTL decides to emit some checks, it will still do another query to the abstract interpreter to see if the check is necessary. This helps with cases where we decided early on to speculate one way, but later proved a more specific type of the value in question, and the constant folder didn't catch it. This also makes it more natural to query the abstract interpreter. For example, if you just want the proven type, you can now say provenType(node) or provenType(edge). * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::alreadyChecked): * dfg/DFGArrayMode.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber): (JSC::FTL::LowerDFGToLLVM::compileToThis): (JSC::FTL::LowerDFGToLLVM::compileValueAdd): (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub): (JSC::FTL::LowerDFGToLLVM::compileArithPow): (JSC::FTL::LowerDFGToLLVM::compileArithNegate): (JSC::FTL::LowerDFGToLLVM::compileGetById): (JSC::FTL::LowerDFGToLLVM::compileCheckArray): (JSC::FTL::LowerDFGToLLVM::compilePutByVal): (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor): (JSC::FTL::LowerDFGToLLVM::compileToPrimitive): (JSC::FTL::LowerDFGToLLVM::compileStringCharAt): (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt): (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): (JSC::FTL::LowerDFGToLLVM::compileSwitch): (JSC::FTL::LowerDFGToLLVM::compileIsBoolean): (JSC::FTL::LowerDFGToLLVM::compileIsNumber): (JSC::FTL::LowerDFGToLLVM::compileIsString): (JSC::FTL::LowerDFGToLLVM::compileIsObject): (JSC::FTL::LowerDFGToLLVM::compileInstanceOf): (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32): (JSC::FTL::LowerDFGToLLVM::baseIndex): (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): (JSC::FTL::LowerDFGToLLVM::typedArrayLength): (JSC::FTL::LowerDFGToLLVM::boolify): (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): (JSC::FTL::LowerDFGToLLVM::lowInt32): (JSC::FTL::LowerDFGToLLVM::lowInt52): (JSC::FTL::LowerDFGToLLVM::lowCell): (JSC::FTL::LowerDFGToLLVM::lowBoolean): (JSC::FTL::LowerDFGToLLVM::lowDouble): (JSC::FTL::LowerDFGToLLVM::isCellOrMisc): (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc): (JSC::FTL::LowerDFGToLLVM::isNumber): (JSC::FTL::LowerDFGToLLVM::isNotNumber): (JSC::FTL::LowerDFGToLLVM::isNotCell): (JSC::FTL::LowerDFGToLLVM::isCell): (JSC::FTL::LowerDFGToLLVM::isNotMisc): (JSC::FTL::LowerDFGToLLVM::isMisc): (JSC::FTL::LowerDFGToLLVM::isNotBoolean): (JSC::FTL::LowerDFGToLLVM::isBoolean): (JSC::FTL::LowerDFGToLLVM::isNotOther): (JSC::FTL::LowerDFGToLLVM::isOther): (JSC::FTL::LowerDFGToLLVM::isProvenValue): (JSC::FTL::LowerDFGToLLVM::isObject): (JSC::FTL::LowerDFGToLLVM::isNotObject): (JSC::FTL::LowerDFGToLLVM::isNotString): (JSC::FTL::LowerDFGToLLVM::isString): (JSC::FTL::LowerDFGToLLVM::isFunction): (JSC::FTL::LowerDFGToLLVM::isNotFunction): (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID): (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar): (JSC::FTL::LowerDFGToLLVM::abstractValue): (JSC::FTL::LowerDFGToLLVM::provenType): (JSC::FTL::LowerDFGToLLVM::provenValue): (JSC::FTL::LowerDFGToLLVM::abstractStructure): 2015-05-01 Martin Robinson USE(...) macro should expect unprefixed variables https://bugs.webkit.org/show_bug.cgi?id=144454 Reviewed by Daniel Bates. * CMakeLists.txt: Replace all occurrences WTF_USE with USE. 2015-05-01 Jordan Harband String#startsWith/endsWith/includes don't handle Infinity position/endPosition args correctly https://bugs.webkit.org/show_bug.cgi?id=144314 Reviewed by Darin Adler. Fixing handling of Infinity position args, per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith * runtime/StringPrototype.cpp: (JSC::clampInt32): (JSC::stringProtoFuncStartsWith): (JSC::stringProtoFuncEndsWith): (JSC::stringProtoFuncIncludes): 2015-05-01 Basile Clement Math.abs() returns negative https://bugs.webkit.org/show_bug.cgi?id=137827 Reviewed by Michael Saboff. Math.abs() on doubles was mistakenly assumed by the DFG AI to be the identity function. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * tests/stress/math-abs-positive.js: Added, was previously failing. (foo): 2015-05-01 Basile Clement Function allocation sinking shouldn't be performed on singleton functions https://bugs.webkit.org/show_bug.cgi?id=144166 Reviewed by Geoffrey Garen. Function allocations usually are free of any other side effects, but this is not the case for allocations performed while the underlying FunctionExecutable is still a singleton (as this allogation will fire watchpoints invalidating code that depends on it being a singleton). As the object allocation sinking phase assumes object allocation is free of side-effects, sinking these allocations is not correct. This also means that when materializing a function allocation on OSR exit, that function's executable will never be a singleton, and we don't have to worry about its watchpoint, allowing us to use JSFunction::createWithInvalidatedRellocationWatchpoint instead of JSFunction::create. * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): * ftl/FTLOperations.cpp: (JSC::FTL::operationMaterializeObjectInOSR): 2015-04-30 Jon Davis Web Inspector: console should show an icon for console.info() messages https://bugs.webkit.org/show_bug.cgi?id=18530 Reviewed by Timothy Hatcher. * inspector/ConsoleMessage.cpp: (Inspector::messageLevelValue): * inspector/protocol/Console.json: * runtime/ConsoleClient.cpp: (JSC::appendMessagePrefix): * runtime/ConsolePrototype.cpp: (JSC::ConsolePrototype::finishCreation): (JSC::consoleProtoFuncInfo): * runtime/ConsoleTypes.h: 2015-04-30 Filip Pizlo Move all of the branchIs helpers from SpeculativeJIT into AssemblyHelpers https://bugs.webkit.org/show_bug.cgi?id=144462 Reviewed by Geoffrey Garen and Mark Lam. At some point we started adding representation-agnostic helpers for doing common type tests. We added some in SpeculativeJIT, and then some in AssemblyHelpers. Prior to this change, they had overlapping powers, though SpeculativeJIT was a bit better. This removes SpeculativeJIT's helpers and strengthens AssemblyHelpers' helpers. This is better because now all of these helpers can be used in all of the assembly-based JITs, not just the DFG. It also settles on what I find to be a slightly better naming convention. For example where we previously would have said branchIsString, now we say branchIfString. Similarly, branchNotString becomes branchIfNotString. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): (JSC::DFG::SpeculativeJIT::compileValueToInt32): (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): (JSC::DFG::SpeculativeJIT::compileInstanceOf): (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality): (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality): (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell): (JSC::DFG::SpeculativeJIT::speculateObject): (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): (JSC::DFG::SpeculativeJIT::speculateString): (JSC::DFG::SpeculativeJIT::speculateNotStringVar): (JSC::DFG::SpeculativeJIT::speculateNotCell): (JSC::DFG::SpeculativeJIT::speculateOther): (JSC::DFG::SpeculativeJIT::emitSwitchChar): (JSC::DFG::SpeculativeJIT::emitSwitchString): (JSC::DFG::SpeculativeJIT::branchIsObject): Deleted. (JSC::DFG::SpeculativeJIT::branchNotObject): Deleted. (JSC::DFG::SpeculativeJIT::branchIsString): Deleted. (JSC::DFG::SpeculativeJIT::branchNotString): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::emitCall): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::compileObjectEquality): (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::branchIsCell): Deleted. (JSC::DFG::SpeculativeJIT::branchNotCell): Deleted. (JSC::DFG::SpeculativeJIT::branchIsOther): Deleted. (JSC::DFG::SpeculativeJIT::branchNotOther): Deleted. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::compileObjectEquality): (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::writeBarrier): (JSC::DFG::SpeculativeJIT::branchIsCell): Deleted. (JSC::DFG::SpeculativeJIT::branchNotCell): Deleted. (JSC::DFG::SpeculativeJIT::branchIsOther): Deleted. (JSC::DFG::SpeculativeJIT::branchNotOther): Deleted. * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::branchIfCell): (JSC::AssemblyHelpers::branchIfOther): (JSC::AssemblyHelpers::branchIfNotOther): (JSC::AssemblyHelpers::branchIfObject): (JSC::AssemblyHelpers::branchIfNotObject): (JSC::AssemblyHelpers::branchIfType): (JSC::AssemblyHelpers::branchIfNotType): (JSC::AssemblyHelpers::branchIfString): (JSC::AssemblyHelpers::branchIfNotString): (JSC::AssemblyHelpers::branchIfSymbol): (JSC::AssemblyHelpers::branchIfNotSymbol): (JSC::AssemblyHelpers::branchIfFunction): (JSC::AssemblyHelpers::branchIfNotFunction): (JSC::AssemblyHelpers::branchIfEmpty): (JSC::AssemblyHelpers::branchIsEmpty): Deleted. (JSC::AssemblyHelpers::branchIfCellNotObject): Deleted. * jit/JITPropertyAccess.cpp: (JSC::JIT::emitScopedArgumentsGetByVal): 2015-04-30 Filip Pizlo js/regress/is-string-fold-tricky.html and js/regress/is-string-fold.html are crashing https://bugs.webkit.org/show_bug.cgi?id=144463 Reviewed by Benjamin Poulain. Fixup phase was super cleverly folding an IsString(@x) when @x is predicted SpecString into a Check(String:@x) followed by JSConstant(true). Then in these tests the ValueAdd(IsString(@x), @stuff) would try to turn this into an integer add by cleverly converting the boolean into an integer. But as part of doing that, it would try to short-circuit any profiling by leveraging the fact that the IsString is now a constant, and it would try to figure out if the addition might overflow. Part of that logic involved checking if the immediate is either a boolean or a sufficiently small integer. But: it would check if it's a sufficiently small integer before checking if it was a boolean, so it would try to call asNumber() on the boolean. All of this cleverness was very deliberate, but apparently the @stuff + booleanConstant case was previously never hit until I wrote these tests, and so we never knew that calling asNumber() on a boolean was wrong. The fix is super simple: the expression should just check for boolean first. This bug was benign in release builds. JSValue::asNumber() on a boolean would return garbage, and that's OK, since we'd take the boolean case anyway. * dfg/DFGGraph.h: (JSC::DFG::Graph::addImmediateShouldSpeculateInt32): 2015-04-30 Filip Pizlo Unreviewed, add a FIXME comment referencing https://bugs.webkit.org/show_bug.cgi?id=144458. * jit/JITOperations.cpp: 2015-04-30 Filip Pizlo Add a comment clarifying the behavior and semantics of getCallData/getConstructData, in particular that they cannot change their minds and may be called from compiler threads. Rubber stamped by Geoffrey Garen. * runtime/JSCell.h: 2015-04-29 Filip Pizlo DFG Is versions of TypeOf should fold based on proven input type https://bugs.webkit.org/show_bug.cgi?id=144409 Reviewed by Geoffrey Garen. We were missing some obvious folding opportunities here. I don't know how this affects real code, but in general, we like to ensure that our constant folding is comprehensive. So this is more about placating my static analysis OCD than anything else. I added a bunch of speed/correctness tests for this in LayoutTests/js/regress. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): 2015-04-30 Yusuke Suzuki Use the default hash value for Symbolized StringImpl https://bugs.webkit.org/show_bug.cgi?id=144347 Reviewed by Darin Adler. Before this patch, symbolized StringImpl* has a special hash value to avoid the hash collision with the other normal StringImpl*. I guess that it is introduced when private symbols are introduced. However, it prevents using symbolized StringImpl* in the other place For example, using it as WTFString cause a problem because of its special hash value. When only using private symbols, they are not exposed to the outside of JSC, so we can handle it carefully. But now, it's extended to symbols. So I think storing a special hash value in StringImpl* causes an error. To avoid this, I propose using the usual hash value in symbolized StringImpl*. And to provide significantly different hash value when using it as symbol, store the additional hash value in symbolized StringImpl*. It is used when the hash value is required by IdentifierRepHash. * runtime/Identifier.h: (JSC::IdentifierRepHash::hash): * runtime/Lookup.h: (JSC::HashTable::entry): * runtime/PropertyMapHashTable.h: (JSC::PropertyTable::find): (JSC::PropertyTable::get): * runtime/Structure.cpp: (JSC::PropertyTable::checkConsistency): 2015-04-29 Benjamin Poulain [JSC] Remove RageConvert array conversion https://bugs.webkit.org/show_bug.cgi?id=144433 Reviewed by Filip Pizlo. RageConvert was causing a subtle bug that was hitting the Kraken crypto tests pretty hard: -The indexing types shows that the array access varies between Int32 and DoubleArray. -ArrayMode::fromObserved() decided to use the most generic type: DoubleArray. An Arrayify node would convert the Int32 to that type. -Somewhere, a GetByVal or PutByVal would have the flag NodeBytecodeUsesAsInt. That node would use RageConvert instead of Convert. -The Arrayify for that GetByVal with RageConvert would not convert the array to Contiguous. -All the following array access that do not have the flag NodeBytecodeUsesAsInt would now expect a DoubleArray and always get a Contiguous Array. The CheckStructure fail systematically and we never get to run the later code. Getting rid of RageConvert fixes the problem and does not seems to have any negative side effect on other benchmarks. The improvments on Kraken are: -stanford-crypto-aes: definitely 1.0915x faster. -stanford-crypto-pbkdf2: definitely 1.2446x faster. -stanford-crypto-sha256-iterative: definitely 1.0544x faster. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::refine): (JSC::DFG::arrayConversionToString): * dfg/DFGArrayMode.h: * dfg/DFGArrayifySlowPathGenerator.h: * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGTypeCheckHoistingPhase.cpp: (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): * runtime/JSObject.cpp: (JSC::JSObject::convertDoubleToContiguous): (JSC::JSObject::ensureContiguousSlow): (JSC::JSObject::genericConvertDoubleToContiguous): Deleted. (JSC::JSObject::rageConvertDoubleToContiguous): Deleted. (JSC::JSObject::rageEnsureContiguousSlow): Deleted. * runtime/JSObject.h: (JSC::JSObject::rageEnsureContiguous): Deleted. 2015-04-29 Joseph Pecoraro Gracefully handle missing auto pause key on remote inspector setup https://bugs.webkit.org/show_bug.cgi?id=144411 Reviewed by Timothy Hatcher. * inspector/remote/RemoteInspector.mm: (Inspector::RemoteInspector::receivedSetupMessage): 2015-04-29 Joseph Pecoraro NodeList has issues with Symbol and empty string https://bugs.webkit.org/show_bug.cgi?id=144310 Reviewed by Darin Adler. * runtime/PropertyName.h: (JSC::PropertyName::isSymbol): Helper to check if the PropertyName is a string or symbol property. 2015-04-29 Alex Christensen Fix non-cygwin incremental builds on Windows. https://bugs.webkit.org/show_bug.cgi?id=143264 Reviewed by Brent Fulgham. * generate-js-builtins: Remove stale headers before calling os.rename to replace them. 2015-04-29 Filip Pizlo JSTypeInfo should have an inline type flag to indicate of getCallData() has been overridden https://bugs.webkit.org/show_bug.cgi?id=144397 Reviewed by Andreas Kling. Add the flag to JSTypeInfo. It's an inline flag so that it's fast to query. Slap the flag on callback objects and internal functions. Modify the TypeOf operation to use this flag to avoid making a getCallData() call if it isn't necessary. * API/JSCallbackObject.h: * runtime/InternalFunction.h: * runtime/JSTypeInfo.h: (JSC::TypeInfo::typeOfShouldCallGetCallData): * runtime/Operations.cpp: (JSC::jsTypeStringForValue): * tests/stress/type-of-functions-and-objects.js: Added. (foo): (bar): (baz): (fuzz): (expect): (test): 2015-04-28 Geoffrey Garen It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array. https://bugs.webkit.org/show_bug.cgi?id=144013 Reviewed by Mark Lam. This patch implements Array.prototype.sort in JavaScript, removing the C++ implementations. It is simpler and less error-prone to express our operations in JavaScript, which provides memory safety, exception safety, and recursion safety. The performance result is mixed, but net positive in my opinion. It's difficult to enumerate all the results, since we used to have so many different sorting modes, and there are lots of different data patterns across which you might want to measure sorting. Suffice it to say: (*) The benchmarks we track are faster or unchanged. (*) Sorting random input using a comparator -- which we think is common -- is 3X faster. (*) Sorting random input in a non-array object -- which jQuery does -- is 4X faster. (*) Sorting random input in a compact array of integers using a trivial pattern-matchable comparator is 2X *slower*. * builtins/Array.prototype.js: (sort.min): (sort.stringComparator): (sort.compactSparse): Special case compaction for sparse arrays because we don't want to hang when sorting new Array(BIG). (sort.compact): (sort.merge): (sort.mergeSort): Use merge sort because it's a reasonably efficient stable sort. We have evidence that some sites depend on stable sort, even though the ES6 spec does not mandate it. (See .) This is a textbook implementation of merge sort with three optimizations: (1) Use iteration instead of recursion; (2) Use array subscripting instead of array copying in order to create logical sub-lists without creating physical sub-lists; (3) Swap src and dst at each iteration instead of copying src into dst, and only copy src into the subject array at the end if src is not the subject array. (sort.inflate): (sort.comparatorSort): (sort): Sort in JavaScript for the win. * builtins/BuiltinExecutables.cpp: (JSC::BuiltinExecutables::createExecutableInternal): Allow non-private names so we can use helper functions. * bytecode/CodeBlock.h: (JSC::CodeBlock::isNumericCompareFunction): Deleted. * bytecode/UnlinkedCodeBlock.cpp: (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): * bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted. (JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted. * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::FunctionNode::emitBytecode): We don't do this special casing based on pattern matching anymore. This was mainly an optimization to avoid the overhead of calling from C++ to JS, which we now avoid by sorting in JS. * heap/Heap.cpp: (JSC::Heap::markRoots): (JSC::Heap::pushTempSortVector): Deleted. (JSC::Heap::popTempSortVector): Deleted. (JSC::Heap::visitTempSortVectors): Deleted. * heap/Heap.h: We don't have temp sort vectors anymore because we sort in JavaScript using a normal JavaScript array for our temporary storage. * parser/Parser.cpp: (JSC::Parser::parseInner): Allow capturing so we can use helper functions. * runtime/ArrayPrototype.cpp: (JSC::isNumericCompareFunction): Deleted. (JSC::attemptFastSort): Deleted. (JSC::performSlowSort): Deleted. (JSC::arrayProtoFuncSort): Deleted. * runtime/CommonIdentifiers.h: New strings used by sort. * runtime/JSArray.cpp: (JSC::compareNumbersForQSortWithInt32): Deleted. (JSC::compareNumbersForQSortWithDouble): Deleted. (JSC::compareNumbersForQSort): Deleted. (JSC::compareByStringPairForQSort): Deleted. (JSC::JSArray::sortNumericVector): Deleted. (JSC::JSArray::sortNumeric): Deleted. (JSC::ContiguousTypeAccessor::getAsValue): Deleted. (JSC::ContiguousTypeAccessor::setWithValue): Deleted. (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted. (JSC::ContiguousTypeAccessor::getAsValue): Deleted. (JSC::ContiguousTypeAccessor::setWithValue): Deleted. (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted. (JSC::JSArray::sortCompactedVector): Deleted. (JSC::JSArray::sort): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::null): Deleted. (JSC::JSArray::sortVector): Deleted. (JSC::JSArray::compactForSorting): Deleted. * runtime/JSArray.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::finishCreation): Provide some builtins used by sort. 2015-04-29 Mark Lam Safari WebKit crash when loading Google Spreadsheet. https://bugs.webkit.org/show_bug.cgi?id=144020 Reviewed by Filip Pizlo. The bug is that the object allocation sinking phase did not account for a case where a property of a sunken object is only initialized on one path and not another. As a result, on the path where the property is not initialized, we'll encounter an Upsilon with a BottomValue (which is not allowed by definition). The fix is to use a JSConstant(undefined) as the bottom value instead (of BottomValue). If the property is uninitialized, it should still be accessible and have the value undefined. * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): * tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js: Added. (foo): (foo2): 2015-04-29 Yusuke Suzuki REGRESSION (r183373): ASSERT failed in wtf/SHA1.h https://bugs.webkit.org/show_bug.cgi?id=144257 Reviewed by Darin Adler. SHA1 is used to calculate CodeBlockHash. To calculate hash value, we pass the source code UTF-8 CString to SHA1::addBytes. However, the source code can contain null character. So when performing `strlen` on the source code's CString, it returns the incorrect length. In SHA1::addBytes, there's assertion `input.length() == strlen(string)` and it fails. In the template-literal-syntax.js, we perform `eval` with the script contains "\0". As the result, `strlen(string)` accidentally shortened by the contained "\0", and assertion fails. CString will be changed not to contain a null-character[1]. However, inserting the assertion here is not correct. Because 1. If CString should not contain a null character, this should be asserted in CString side instead of SHA1::addBytes. 2. If CString can contain a null character, this assertion becomes incorrect. So this patch just drops the assertion. In the current implementation, we once convert the entire source code to the newly allocated UTF-8 string and pass it to the SHA1 processing. However, this is memory consuming. Ideally, we should stream the decoded bytes into the SHA1 processing iteratively. We'll implement it in the separate patch[2]. [1]: https://bugs.webkit.org/show_bug.cgi?id=144339 [2]: https://bugs.webkit.org/show_bug.cgi?id=144263 * tests/stress/eval-script-contains-null-character.js: Added. (shouldBe): (test): * tests/stress/template-literal-line-terminators.js: * tests/stress/template-literal-syntax.js: * tests/stress/template-literal.js: 2015-04-29 Filip Pizlo Evict IsEnvironmentRecord from inline type flags https://bugs.webkit.org/show_bug.cgi?id=144398 Reviewed by Mark Lam and Michael Saboff. In https://bugs.webkit.org/show_bug.cgi?id=144397, we'll need an extra bit in the inline type flags. This change picks the least important inline type flag - IsEnvironmentRecord - and evicts it into the out-of-line type flags. This change has no performance implications because we never even accessed IsEnvironmentRecord via the StructureIDBlob. The only place where we access it at all is in String.prototype.repeat, and there we already load the structure anyway. * runtime/JSTypeInfo.h: (JSC::TypeInfo::implementsHasInstance): (JSC::TypeInfo::structureIsImmortal): (JSC::TypeInfo::isEnvironmentRecord): 2015-04-29 Darin Adler [ES6] Implement Unicode code point escapes https://bugs.webkit.org/show_bug.cgi?id=144377 Reviewed by Antti Koivisto. * parser/Lexer.cpp: Moved the UnicodeHexValue class in here from the header. Made it a non-member class so it doesn't need to be part of a template. Made it use UChar32 instead of int for the value to make it clearer what goes into this class. (JSC::ParsedUnicodeEscapeValue::isIncomplete): Added. Replaces the old type() function. (JSC::Lexer::parseUnicodeEscape): Renamed from parseFourDigitUnicodeHex and added support for code point escapes. (JSC::isLatin1): Added an overload for UChar32. (JSC::isIdentStart): Changed this to take UChar32; no caller tries to call it with a UChar, so no need to overload for that type for now. (JSC::isNonLatin1IdentPart): Changed argument type to UChar32 for clarity. Also added FIXME about a subtle ES6 change that we might want to make later. (JSC::isIdentPart): Changed this to take UChar32; no caller tries to call it with a UChar, so no need to overload for that type for now. (JSC::isIdentPartIncludingEscapeTemplate): Made this a template so that we don't need to repeat the code twice. Added code to handle code point escapes. (JSC::isIdentPartIncludingEscape): Call the template instead of having the code in line. (JSC::Lexer::recordUnicodeCodePoint): Added. (JSC::Lexer::parseIdentifierSlowCase): Made small tweaks and updated to call parseUnicodeEscape instead of parseFourDigitUnicodeHex. (JSC::Lexer::parseComplexEscape): Call parseUnicodeEscape instead of parseFourDigitUnicodeHex. Move the code to handle "\u" before the code that handles the escapes, since the code point escape code now consumes characters while parsing rather than peeking ahead. Test case covers this: Symptom would be that "\u{" would evaluate to "u" instead of giving a syntax error. * parser/Lexer.h: Updated for above changes. * runtime/StringConstructor.cpp: (JSC::stringFromCodePoint): Use ICU's UCHAR_MAX_VALUE instead of writing out 0x10FFFF; clearer this way. 2015-04-29 Martin Robinson [CMake] [GTK] Organize and clean up unused CMake variables https://bugs.webkit.org/show_bug.cgi?id=144364 Reviewed by Gyuyoung Kim. * PlatformGTK.cmake: Add variables specific to this project. 2015-04-28 Filip Pizlo TypeOf should return SpecStringIdent and the DFG should know this https://bugs.webkit.org/show_bug.cgi?id=144376 Reviewed by Andreas Kling. Make TypeOf return atomic strings. That's a simple change in SmallStrings. Make the DFG know this and use it for optimization. This makes Switch(TypeOf) a bit less bad. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::setType): * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::setType): * dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::initialize): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * runtime/SmallStrings.cpp: (JSC::SmallStrings::initialize): * tests/stress/switch-typeof-indirect.js: Added. (bar): (foo): (test): * tests/stress/switch-typeof-slightly-indirect.js: Added. (foo): (test): * tests/stress/switch-typeof.js: Added. (foo): (test): 2015-04-29 Joseph Pecoraro REGRESSION(181868): Windows Live SkyDrive cannot open an excel file https://bugs.webkit.org/show_bug.cgi?id=144373 Reviewed by Darin Adler. Revert r181868 as it caused a failure on live.com. We can try re-enabling this exception after we make idl attributes configurable, which may have prevented this particular failure. * runtime/ObjectPrototype.cpp: (JSC::objectProtoFuncDefineGetter): (JSC::objectProtoFuncDefineSetter): 2015-04-28 Joseph Pecoraro Deadlock on applications using JSContext on non-main thread https://bugs.webkit.org/show_bug.cgi?id=144370 Reviewed by Timothy Hatcher. * inspector/remote/RemoteInspector.mm: (Inspector::RemoteInspector::singleton): Prevent a possible deadlock by assuming we can synchronously run something on the main queue at this time. 2015-04-28 Filip Pizlo FTL should fully support Switch (it currently lacks the SwitchString variant) https://bugs.webkit.org/show_bug.cgi?id=144348 Reviewed by Benjamin Poulain. This adds SwitchString support to the FTL. This is already tested by switch microbenchmarks in LayoutTests/js/regress. * dfg/DFGCommon.cpp: (JSC::DFG::stringLessThan): * dfg/DFGCommon.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<): Deleted. * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLIntrinsicRepository.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileSwitch): (JSC::FTL::LowerDFGToLLVM::switchString): (JSC::FTL::LowerDFGToLLVM::StringSwitchCase::StringSwitchCase): (JSC::FTL::LowerDFGToLLVM::StringSwitchCase::operator<): (JSC::FTL::LowerDFGToLLVM::CharacterCase::CharacterCase): (JSC::FTL::LowerDFGToLLVM::CharacterCase::operator<): (JSC::FTL::LowerDFGToLLVM::switchStringRecurse): (JSC::FTL::LowerDFGToLLVM::switchStringSlow): (JSC::FTL::LowerDFGToLLVM::appendOSRExit): * ftl/FTLOutput.cpp: (JSC::FTL::Output::check): * ftl/FTLOutput.h: * ftl/FTLWeight.h: (JSC::FTL::Weight::inverse): * jit/JITOperations.h: 2015-04-28 Michael Catanzaro Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT https://bugs.webkit.org/show_bug.cgi?id=144304 Reviewed by Geoffrey Garen. * Configurations/FeatureDefines.xcconfig: Define ENABLE_JIT, enabled by default, instead of ENABLE_LLINT_C_LOOP, disabled by default. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): Check ENABLE_JIT instead of ENABLE_LLINT_C_LOOP. 2015-04-28 Commit Queue Unreviewed, rolling out r183514. https://bugs.webkit.org/show_bug.cgi?id=144359 It broke cloop test bots (Requested by mcatanzaro on #webkit). Reverted changeset: "Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT" https://bugs.webkit.org/show_bug.cgi?id=144304 http://trac.webkit.org/changeset/183514 2015-04-28 Michael Catanzaro Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT https://bugs.webkit.org/show_bug.cgi?id=144304 Reviewed by Geoffrey Garen. * Configurations/FeatureDefines.xcconfig: Define ENABLE_JIT, enabled by default, instead of ENABLE_LLINT_C_LOOP, disabled by default. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): Check ENABLE_JIT instead of ENABLE_LLINT_C_LOOP. 2015-04-28 Joseph Pecoraro Fix common typo "targetting" => "targeting" https://bugs.webkit.org/show_bug.cgi?id=144349 Reviewed by Daniel Bates. * bytecode/ExecutionCounter.h: 2015-04-28 Yusuke Suzuki Update the features.json for WeakSet, WeakMap, Template literals, Tagged templates https://bugs.webkit.org/show_bug.cgi?id=144328 Reviewed by Andreas Kling. Update the status of ES6 features. * features.json: 2015-04-28 Filip Pizlo DFG should not use or preserve Phantoms during transformations https://bugs.webkit.org/show_bug.cgi?id=143736 Reviewed by Geoffrey Garen. Since http://trac.webkit.org/changeset/183207 and http://trac.webkit.org/changeset/183406, it is no longer necessary to preserve Phantoms during transformations. They are still useful just before FixupPhase to support backwards propagation analyses. They are still inserted late in the game in the DFG backend. But transformations don't need to worry about them. Inside a basic block, we can be sure that so long as the IR pinpoints the place where the value becomes available in a bytecode register (using MovHint) and so long as there is a SetLocal anytime some other block would need the value (either for OSR or for DFG execution), then we don't need any liveness markers. So, this removes any places where we inserted Phantoms just for liveness during transformation and it replaces convertToPhantom() with remove(), which just converts the node to a Check. A Check node only keeps its children so long as those children have checks. The fact that we no longer convertToPhantom() means that we have to be more careful when constant-folding GetLocal. Previously we would convertToPhantom() and use the fact that Phantom(Phi) was a valid construct. It's not valid anymore. So, when constant folding encounters a GetLocal it needs to insert a PhantomLocal directly. This allows us to simplify Graph::convertToConstant() a bit. Luckily, none of the other users of this method would see GetLocals. The only Phantom-like cruft left over after this patch is: - Phantoms before FixupPhase. I kind of like these. It means that before FixupPhase, we can do backwards analyses and rely on the fact that the users of a node in DFG IR are a superset of the users of the original local's live range in bytecode. This is essential for supporting our BackwardsPropagationPhase, which is an important optimization for things like asm.js. - PhantomLocals and GetLocals being NodeMustGenerate. See discussion in https://bugs.webkit.org/show_bug.cgi?id=144086. It appears that this is not as evil as the alternatives. The best long-term plan is to simply ditch the ThreadedCPS IR entirely and have the DFG use SSA. For now, so long as any new DFG optimizations we add are block-local and treat GetLocal/SetLocal conservatively, this should all be sound. This change should be perf-neutral although it does reduce the total work that the compiler does. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGAdjacencyList.h: (JSC::DFG::AdjacencyList::justChecks): * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGBasicBlock.cpp: (JSC::DFG::BasicBlock::replaceTerminal): * dfg/DFGBasicBlock.h: (JSC::DFG::BasicBlock::findTerminal): * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): (JSC::DFG::CFGSimplificationPhase::mergeBlocks): * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase): (JSC::DFG::CPSRethreadingPhase::clearVariables): (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor): (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): * dfg/DFGCSEPhase.cpp: * dfg/DFGCleanUpPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp. (JSC::DFG::CleanUpPhase::CleanUpPhase): (JSC::DFG::CleanUpPhase::run): (JSC::DFG::performCleanUp): (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase): Deleted. (JSC::DFG::PhantomRemovalPhase::run): Deleted. (JSC::DFG::performPhantomRemoval): Deleted. * dfg/DFGCleanUpPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.h. * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::addBaseCheck): (JSC::DFG::ConstantFoldingPhase::fixUpsilons): * dfg/DFGDCEPhase.cpp: (JSC::DFG::DCEPhase::run): (JSC::DFG::DCEPhase::fixupBlock): (JSC::DFG::DCEPhase::cleanVariables): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupBlock): (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::convertStringAddUse): (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): (JSC::DFG::FixupPhase::checkArray): (JSC::DFG::FixupPhase::fixIntConvertingEdge): (JSC::DFG::FixupPhase::fixIntOrBooleanEdge): (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge): (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): (JSC::DFG::FixupPhase::tryToRelaxRepresentation): (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): (JSC::DFG::FixupPhase::addRequiredPhantom): Deleted. (JSC::DFG::FixupPhase::addPhantomsIfNecessary): Deleted. * dfg/DFGGraph.cpp: (JSC::DFG::Graph::convertToConstant): (JSC::DFG::Graph::mergeRelevantToOSR): Deleted. * dfg/DFGGraph.h: * dfg/DFGInsertionSet.h: (JSC::DFG::InsertionSet::insertCheck): * dfg/DFGIntegerCheckCombiningPhase.cpp: (JSC::DFG::IntegerCheckCombiningPhase::handleBlock): * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::attemptHoist): * dfg/DFGNode.cpp: (JSC::DFG::Node::remove): * dfg/DFGNode.h: (JSC::DFG::Node::replaceWith): (JSC::DFG::Node::convertToPhantom): Deleted. (JSC::DFG::Node::convertToCheck): Deleted. (JSC::DFG::Node::willHaveCodeGenOrOSR): Deleted. * dfg/DFGNodeFlags.h: * dfg/DFGNodeType.h: * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): * dfg/DFGPhantomCanonicalizationPhase.cpp: Removed. * dfg/DFGPhantomCanonicalizationPhase.h: Removed. * dfg/DFGPhantomRemovalPhase.cpp: Removed. * dfg/DFGPhantomRemovalPhase.h: Removed. * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * dfg/DFGPutStackSinkingPhase.cpp: * dfg/DFGResurrectionForValidationPhase.cpp: Removed. * dfg/DFGResurrectionForValidationPhase.h: Removed. * dfg/DFGSSAConversionPhase.cpp: (JSC::DFG::SSAConversionPhase::run): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): * dfg/DFGStoreBarrierElisionPhase.cpp: (JSC::DFG::StoreBarrierElisionPhase::elideBarrier): * dfg/DFGStrengthReductionPhase.cpp: (JSC::DFG::StrengthReductionPhase::handleNode): (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild): * dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate): (JSC::DFG::Validate::validateCPS): (JSC::DFG::Validate::validateSSA): * dfg/DFGVarargsForwardingPhase.cpp: * ftl/FTLLink.cpp: (JSC::FTL::link): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileNoOp): (JSC::FTL::LowerDFGToLLVM::compilePhantom): Deleted. 2015-04-28 Andreas Kling DFG+FTL should generate efficient code for branching on a string's boolean value. Reviewed by Geoff Garen & Filip Pizlo Teach Branch nodes about StringUse and have them generate an efficient zero-length string check instead of dropping out to C++ whenever we branch on a string. The FTL JIT already handled Branch nodes with StringUse through its use of boolify(), so only the DFG JIT gets some new codegen logic in this patch. Test: js/regress/branch-on-string-as-boolean.js (~4.5x speedup) * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitStringBranch): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitBranch): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitBranch): 2015-04-28 Filip Pizlo VarargsForwardingPhase should only consider MovHints that have the candidate as a child https://bugs.webkit.org/show_bug.cgi?id=144340 Reviewed by Michael Saboff and Mark Lam. Since we were considering all MovHints, we'd assume that the CreateDirectArguments or CreateClosedArguments node was live so long as any MovHinted bytecode variable was alive. Basically, we'd keep it alive until the end of the block. This maximized the chances of there being an interfering operation, which would prevent elimination. The fix is to only consider MovHints that have the arguments candidate as a child. We only care to track the liveness of those bytecode locals that would need an arguments object recovery on OSR exit. This is a speed-up on V8Spider/raytrace and Octane/raytrace because it undoes the regression introduced in http://trac.webkit.org/changeset/183406. * dfg/DFGVarargsForwardingPhase.cpp: 2015-04-28 Csaba Osztrogonác Remove WinCE cruft from cmake build system https://bugs.webkit.org/show_bug.cgi?id=144325 Reviewed by Gyuyoung Kim. * CMakeLists.txt: * create_jit_stubs: Removed. 2015-04-27 Andreas Kling RegExp matches arrays should use contiguous indexing. Reviewed by Geoffrey Garen. We had a custom Structure being used for RegExp matches arrays that would put the arrays into SlowPutArrayStorageShape mode. This was just left from when matches arrays were custom, lazily initialized objects. This change removes that Structure and switches the matches arrays to using the default ContiguousShape Structure. This allows the FTL JIT to compile the inner loop of the Octane/regexp benchmark. Also made a version of initializeIndex() [inline] that takes the indexing type in an argument, allowing createRegExpMatchesArray() to initialize the entire array without branching on the indexing type for each entry. ~3% progression on Octane/regexp. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::mapStructure): (JSC::JSGlobalObject::regExpMatchesArrayStructure): Deleted. * runtime/JSObject.h: (JSC::JSObject::initializeIndex): * runtime/RegExpMatchesArray.cpp: (JSC::createRegExpMatchesArray): 2015-04-27 Filip Pizlo FTL failed to initialize arguments.callee on the slow path as well as the fast path https://bugs.webkit.org/show_bug.cgi?id=144293 Reviewed by Mark Lam. The slow path doesn't fully initialize DirectArguments - it leaves callee blank. So, we need to initialize the callee on the common path after the fast and slow path. * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments): * tests/stress/arguments-callee-uninitialized.js: Added. (foo): 2015-04-27 Benjamin Poulain [JSC] Add support for typed arrays to the Array profiling https://bugs.webkit.org/show_bug.cgi?id=143913 Reviewed by Filip Pizlo. This patch adds ArrayModes for every typed arrays. Having that information let us generate better GetByVal and PutByVal when the type speculation are not good enough. A typical case where this is useful is any basic block for which the type of the object is always more restrictive than the speculation (for example, a basic block gated by a branch only taken for on type). * bytecode/ArrayProfile.cpp: (JSC::dumpArrayModes): * bytecode/ArrayProfile.h: (JSC::arrayModeFromStructure): * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::fromObserved): (JSC::DFG::ArrayMode::refine): Maintain the refine() semantic. We do not support OutOfBounds access for GetByVal on typed array. * runtime/IndexingType.h: * tests/stress/typed-array-get-by-val-profiling.js: Added. (testArray.testCode): (testArray): * tests/stress/typed-array-put-by-val-profiling.js: Added. (testArray.testCode): (testArray): 2015-04-27 Filip Pizlo Unreviewed, roll out r183438 "RegExp matches arrays should use contiguous indexing". It causes many debug test failures. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::regExpMatchesArrayStructure): * runtime/JSObject.h: (JSC::JSObject::initializeIndex): * runtime/RegExpMatchesArray.cpp: (JSC::createRegExpMatchesArray): 2015-04-27 Andreas Kling RegExp matches arrays should use contiguous indexing. Reviewed by Geoffrey Garen. We had a custom Structure being used for RegExp matches arrays that would put the arrays into SlowPutArrayStorageShape mode. This was just left from when matches arrays were custom, lazily initialized objects. This change removes that Structure and switches the matches arrays to using the default ContiguousShape Structure. This allows the FTL JIT to compile the inner loop of the Octane/regexp benchmark. Also made a version of initializeIndex() [inline] that takes the indexing type in an argument, allowing createRegExpMatchesArray() to initialize the entire array without branching on the indexing type for each entry. ~3% progression on Octane/regexp. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::mapStructure): (JSC::JSGlobalObject::regExpMatchesArrayStructure): Deleted. * runtime/JSObject.h: (JSC::JSObject::initializeIndex): * runtime/RegExpMatchesArray.cpp: (JSC::createRegExpMatchesArray): 2015-04-27 Ryosuke Niwa REGRESSION (r183373): ASSERT failed in wtf/SHA1.h https://bugs.webkit.org/show_bug.cgi?id=144257 Temporarily disable skip these tests. * tests/stress/template-literal-line-terminators.js: * tests/stress/template-literal-syntax.js: * tests/stress/template-literal.js: 2015-04-27 Basile Clement Function allocations shouldn't sink through Put operations https://bugs.webkit.org/show_bug.cgi?id=144176 Reviewed by Filip Pizlo. By design, we don't support function allocation sinking through any related operation ; however object allocation can sink through PutByOffset et al. Currently, the checks to prevent function allocation to sink through these are misguided and do not prevent anything ; function allocation sinking through these operations is prevented as a side effect of requiring an AllocatePropertyStorage through which the function allocation is seen as escaping. This changes it so that ObjectAllocationSinkingPhase::handleNode() checks properly that only object allocations sink through related write operations. * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): 2015-04-25 Filip Pizlo VarargsForwardingPhase should use bytecode liveness in addition to other uses to determine the last point that a candidate is used https://bugs.webkit.org/show_bug.cgi?id=143843 Reviewed by Geoffrey Garen. It will soon come to pass that Phantom isn't available at the time that VarargsForwardingPhase runs. So, it needs to use some other mechanism for discovering when a value dies for OSR. This is simplified by two things: 1) The bytecode kill analysis is now reusable. This patch makes it even more reusable than before by polishing the API. 2) This phase already operates on one node at a time and allows itself to do a full search of the enclosing basic block for that node. This is fine because CreateDirectArguments and friends is a rarely occurring node. The fact that it operates on one node at a time makes it even easier to reason about OSR liveness - we just track the list of locals in which it is live. This change has no effect right now but it is a necessary prerequisite to implementing https://bugs.webkit.org/show_bug.cgi?id=143736. * dfg/DFGBasicBlock.h: (JSC::DFG::BasicBlock::tryAt): * dfg/DFGForAllKills.h: (JSC::DFG::forAllKilledOperands): * dfg/DFGPhantomInsertionPhase.cpp: * dfg/DFGVarargsForwardingPhase.cpp: 2015-04-27 Jordan Harband Map#entries and Map#keys error for non-Maps is swapped https://bugs.webkit.org/show_bug.cgi?id=144253 Reviewed by Simon Fraser. Correcting error messages on Set/Map methods when called on incompatible objects. * runtime/MapPrototype.cpp: (JSC::mapProtoFuncEntries): (JSC::mapProtoFuncKeys): * runtime/SetPrototype.cpp: (JSC::setProtoFuncEntries): 2015-04-24 Filip Pizlo Rationalize DFG DCE handling of nodes that perform checks that propagate through AI https://bugs.webkit.org/show_bug.cgi?id=144186 Reviewed by Geoffrey Garen. If I do ArithAdd(Int32Use, Int32Use, CheckOverflow) then AI will prove that this returns Int32. We may later perform code simplifications based on the proof that this is Int32, and we may kill all DFG users of this ArithAdd. Then we may prove that there is no exit site at which the ArithAdd is live. This seems like it is sufficient to then kill the ArithAdd, except that we still need the overflow check! Previously we mishandled this: - In places where we want the overflow check we need to use MustGenerate(@ArithAdd) as a hack to keep it alive. That's dirty and it's just indicative of a deeper issue. - Our MovHint removal doesn't do Phantom canonicalization which essentially makes it powerless. This was sort of hiding the bug. - Nodes that have checks that AI leverages should always be NodeMustGenerate. You can't kill something that you are relying on for subsequent simplifications. This fixes MovHint removal to also canonicalize Phantoms. This also adds ModeMustGenerate to nodes that may perform checks that are used by AI to guarantee the result type. As a result, we no longer need the weird MustGenerate node. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDCEPhase.cpp: (JSC::DFG::DCEPhase::run): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::tryToRelaxRepresentation): * dfg/DFGIntegerCheckCombiningPhase.cpp: (JSC::DFG::IntegerCheckCombiningPhase::handleBlock): (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd): Deleted. * dfg/DFGMayExit.cpp: (JSC::DFG::mayExit): * dfg/DFGNode.h: (JSC::DFG::Node::willHaveCodeGenOrOSR): * dfg/DFGNodeType.h: * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): * dfg/DFGPhantomCanonicalizationPhase.cpp: (JSC::DFG::PhantomCanonicalizationPhase::run): * dfg/DFGPhantomRemovalPhase.cpp: (JSC::DFG::PhantomRemovalPhase::run): * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGTypeCheckHoistingPhase.cpp: (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): * dfg/DFGVarargsForwardingPhase.cpp: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): * tests/stress/fold-based-on-int32-proof-mul-branch.js: Added. (foo): * tests/stress/fold-based-on-int32-proof-mul.js: Added. (foo): * tests/stress/fold-based-on-int32-proof-or-zero.js: Added. (foo): * tests/stress/fold-based-on-int32-proof.js: Added. (foo): 2015-04-26 Ryosuke Niwa Class body ending with a semicolon throws a SyntaxError https://bugs.webkit.org/show_bug.cgi?id=144244 Reviewed by Darin Adler. The bug was caused by parseClass's inner loop for method definitions not moving onto the next iteration it encounters a semicolon. As a result, we always expected a method to appear after a semicolon. Fixed it by continue'ing when it encounters a semicolon. * parser/Parser.cpp: (JSC::Parser::parseClass): 2015-04-26 Ryosuke Niwa Getter or setter method named "prototype" or "constrcutor" should throw SyntaxError https://bugs.webkit.org/show_bug.cgi?id=144243 Reviewed by Darin Adler. Fixed the bug by adding explicit checks in parseGetterSetter when we're parsing class methods. * parser/Parser.cpp: (JSC::Parser::parseGetterSetter): 2015-04-26 Jordan Harband Map#forEach does not pass "map" argument to callback. https://bugs.webkit.org/show_bug.cgi?id=144187 Reviewed by Darin Adler. Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-map.prototype.foreach step 7.a.i., the callback should be called with three arguments. * runtime/MapPrototype.cpp: (JSC::mapProtoFuncForEach): 2015-04-26 Yusuke Suzuki [ES6] Implement ES6 template literals https://bugs.webkit.org/show_bug.cgi?id=142691 Reviewed by Darin Adler. This patch implements TemplateLiteral. Since TaggedTemplate requires some global states and primitive operations like GetTemplateObject, we separate the patch. It will be implemented in a subsequent patch. Template Literal Syntax is guarded by ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX compile time flag. By disabling it, we can disable Template Literal support. To implement template literals, in this patch, we newly introduces bytecode op_to_string. In template literals, we alternately evaluate the expression and perform ToString onto the result of evaluation. For example, `${f1()} ${f2()}` In this template literal, execution order is the following, 1. calling f1() 2. ToString(the result of f1()) 3. calling f2() 4. ToString(the result of f2()) op_strcat also performs ToString. However, performing ToString onto expressions are batched in op_strcat, it's not the same to the template literal spec. In the above example, ToString(f1()) should be called before calling f2(). * Configurations/FeatureDefines.xcconfig: * bytecode/BytecodeList.json: * bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): * bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitToString): (JSC::BytecodeGenerator::emitToNumber): Deleted. * bytecompiler/NodesCodegen.cpp: (JSC::TemplateStringNode::emitBytecode): (JSC::TemplateLiteralNode::emitBytecode): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_to_string): (JSC::JIT::emitSlow_op_to_string): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_to_string): (JSC::JIT::emitSlow_op_to_string): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * parser/ASTBuilder.h: (JSC::ASTBuilder::createTemplateString): (JSC::ASTBuilder::createTemplateStringList): (JSC::ASTBuilder::createTemplateExpressionList): (JSC::ASTBuilder::createTemplateLiteral): * parser/Lexer.cpp: (JSC::Lexer::Lexer): (JSC::Lexer::parseIdentifierSlowCase): (JSC::Lexer::parseString): (JSC::LineNumberAdder::LineNumberAdder): (JSC::LineNumberAdder::clear): (JSC::LineNumberAdder::add): (JSC::Lexer::parseTemplateLiteral): (JSC::Lexer::lex): (JSC::Lexer::scanRegExp): (JSC::Lexer::scanTrailingTemplateString): (JSC::Lexer::parseStringSlowCase): Deleted. * parser/Lexer.h: * parser/NodeConstructors.h: (JSC::TemplateExpressionListNode::TemplateExpressionListNode): (JSC::TemplateStringNode::TemplateStringNode): (JSC::TemplateStringListNode::TemplateStringListNode): (JSC::TemplateLiteralNode::TemplateLiteralNode): * parser/Nodes.h: (JSC::TemplateExpressionListNode::value): (JSC::TemplateExpressionListNode::next): (JSC::TemplateStringNode::cooked): (JSC::TemplateStringNode::raw): (JSC::TemplateStringListNode::value): (JSC::TemplateStringListNode::next): * parser/Parser.cpp: (JSC::Parser::parseTemplateString): (JSC::Parser::parseTemplateLiteral): (JSC::Parser::parsePrimaryExpression): * parser/Parser.h: * parser/ParserTokens.h: * parser/SyntaxChecker.h: (JSC::SyntaxChecker::createTemplateString): (JSC::SyntaxChecker::createTemplateStringList): (JSC::SyntaxChecker::createTemplateExpressionList): (JSC::SyntaxChecker::createTemplateLiteral): (JSC::SyntaxChecker::createSpreadExpression): Deleted. * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: * tests/stress/template-literal-line-terminators.js: Added. (test): (testEval): (testEvalLineNumber): * tests/stress/template-literal-syntax.js: Added. (testSyntax): (testSyntaxError): * tests/stress/template-literal.js: Added. (test): (testEval): (testEmbedded): 2015-04-26 Jordan Harband Set#forEach does not pass "key" or "set" arguments to callback. https://bugs.webkit.org/show_bug.cgi?id=144188 Reviewed by Darin Adler. Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.foreach Set#forEach should pass 3 arguments to the callback. * runtime/SetPrototype.cpp: (JSC::setProtoFuncForEach): 2015-04-26 Benjamin Poulain [JSC] Implement Math.clz32(), remove Number.clz() https://bugs.webkit.org/show_bug.cgi?id=144205 Reviewed by Michael Saboff. This patch adds the ES6 function Math.clz32(), and remove the non-standard Number.clz(). Number.clz() probably came from an older draft. The new function has a corresponding instrinsic: Clz32Intrinsic, and a corresponding DFG node: ArithClz32, optimized all the way to LLVM. * assembler/MacroAssemblerX86Common.h: (JSC::MacroAssemblerX86Common::countLeadingZeros32): * assembler/X86Assembler.h: (JSC::X86Assembler::bsr_rr): The x86 assembler did not have countLeadingZeros32() because there is no native CLZ instruction on that architecture. I have added the version with bsr + branches for the case of zero. An other popular version uses cmov to handle the case of zero. I kept it simple since the Assembler has no support for cmov. It is unlikely to matter much. If the code is hot enough, LLVM picks something good based on the surrounding code. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): Constant handling + effect propagation. The node only produces integer (between 0 and 32). * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): Thanks to the definition of toUint32(), we can ignore plenty of details from doubles. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsic): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArithClz32): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLIntrinsicRepository.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileArithClz32): * ftl/FTLOutput.h: (JSC::FTL::Output::ctlz32): * jit/ThunkGenerators.cpp: (JSC::clz32ThunkGenerator): * jit/ThunkGenerators.h: * runtime/Intrinsic.h: * runtime/MathCommon.h: (JSC::clz32): Fun fact: InstCombine does not recognize this pattern to eliminate the branch which makes our FTL version better than the C version. * runtime/MathObject.cpp: (JSC::MathObject::finishCreation): (JSC::mathProtoFuncClz32): * runtime/NumberPrototype.cpp: (JSC::clz): Deleted. (JSC::numberProtoFuncClz): Deleted. * runtime/VM.cpp: (JSC::thunkGeneratorForIntrinsic): * tests/stress/math-clz32-basics.js: Added. (mathClz32OnInteger): (testMathClz32OnIntegers): (verifyMathClz32OnIntegerWithOtherTypes): (mathClz32OnDouble): (testMathClz32OnDoubles): (verifyMathClz32OnDoublesWithOtherTypes): (mathClz32NoArguments): (mathClz32TooManyArguments): (testMathClz32OnConstants): (mathClz32StructTransition): (Math.clz32): 2015-04-26 Yusuke Suzuki [ES6] Array.from need to accept iterables https://bugs.webkit.org/show_bug.cgi?id=141055 Reviewed by Darin Adler. ES6 spec requires that Array.from accepts iterable objects. This patch introduces this functionality, Array.from accepting iterable objects. Currently, `isConstructor` is not used. Instead of it, `typeof thiObj === "function"` is used. However, it doesn't conform to the spec. While `isConstructor` queries the given object has `[[Construct]]`, `typeof thisObj === "function"` queries the given object has `[[Call]]`. This will be fixed in the subsequent patch[1]. [1]: https://bugs.webkit.org/show_bug.cgi?id=144093 * builtins/ArrayConstructor.js: (from): * parser/Parser.cpp: (JSC::Parser::parseInner): * runtime/CommonIdentifiers.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * tests/stress/array-from-with-iterable.js: Added. (shouldBe): (.set for): (.set var): (.get var): (argumentsGenerators): (.set shouldBe): (.set new): * tests/stress/array-from-with-iterator.js: Added. (shouldBe): (shouldThrow): (createIterator.iterator.return): (createIterator): (.): 2015-04-25 Jordan Harband Set#keys !== Set#values https://bugs.webkit.org/show_bug.cgi?id=144190 Reviewed by Darin Adler. per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.keys Set#keys should === Set#values * runtime/SetPrototype.cpp: (JSC::SetPrototype::finishCreation): (JSC::setProtoFuncValues): (JSC::setProtoFuncEntries): (JSC::setProtoFuncKeys): Deleted. 2015-04-25 Joseph Pecoraro Allow for pausing a JSContext when opening a Web Inspector Reviewed by Timothy Hatcher. * inspector/remote/RemoteInspector.mm: (Inspector::RemoteInspector::receivedSetupMessage): * inspector/remote/RemoteInspectorConstants.h: * inspector/remote/RemoteInspectorDebuggable.h: * inspector/remote/RemoteInspectorDebuggableConnection.h: * inspector/remote/RemoteInspectorDebuggableConnection.mm: (Inspector::RemoteInspectorDebuggableConnection::setup): On any incoming setup message, we may want to automatically pause the debuggable. If requested, pause the debuggable after we have setup the frontend connection. * runtime/JSGlobalObjectDebuggable.h: * runtime/JSGlobalObjectDebuggable.cpp: (JSC::JSGlobalObjectDebuggable::pause): Pass through to the inspector controller. * inspector/JSGlobalObjectInspectorController.h: * inspector/JSGlobalObjectInspectorController.cpp: (Inspector::JSGlobalObjectInspectorController::pause): Enable pause on next statement. 2015-04-23 Ryosuke Niwa class methods should be non-enumerable https://bugs.webkit.org/show_bug.cgi?id=143181 Reviewed by Darin Adler. Fixed the bug by using Object.defineProperty to define methods. This patch adds the concept of link time constants and uses it to resolve Object.defineProperty inside CodeBlock's constructor since bytecode can be linked against multiple global objects. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): Resolve link time constants that are used. Ignore ones with register index of zero. * bytecode/SpecialPointer.h: Added a new enum for link time constants. It currently contains exactly one entry for Object.defineProperty. * bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedCodeBlock::addConstant): Added. Like addConstant that takes JSValue, allocate a new constant register for the link time constant we're adding. (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Added. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitMoveLinkTimeConstant): Added. Like addConstantValue, allocate a new register for the specified link time constant and notify UnlinkedCodeBlock about it. (JSC::BytecodeGenerator::emitCallDefineProperty): Added. Create a new property descriptor and call Object.defineProperty with it. * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::PropertyListNode::emitBytecode): Make static and non-static getters and setters for classes non-enumerable by using emitCallDefineProperty to define them. (JSC::PropertyListNode::emitPutConstantProperty): Ditto for a non-accessor properties. (JSC::ClassExprNode::emitBytecode): Make prototype.constructor non-enumerable and make prototype property on the class non-writable, non-configurable, and non-enumerable by using defineProperty. * runtime/CommonIdentifiers.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): Set m_definePropertyFunction. (JSC::JSGlobalObject::visitChildren): Visit m_definePropertyFunction. * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::definePropertyFunction): Added. (JSC::JSGlobalObject::actualPointerFor): Added a variant that takes LinkTimeConstant. (JSC::JSGlobalObject::jsCellForLinkTimeConstant): Like actualPointerFor, takes LinkTimeConstant and returns a JSCell; e.g. Object.defineProperty. * runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::addDefineProperty): Added. Returns Object.defineProperty. * runtime/ObjectConstructor.h: 2015-04-25 Yusuke Suzuki [ES6] Implement String.fromCodePoint https://bugs.webkit.org/show_bug.cgi?id=144160 Reviewed by Darin Adler. This patch implements String.fromCodePoint. It accepts multiple code points and generates a string that consists of given code points. The range [0x0000 - 0x10FFFF] is valid for code points. If the given value is out of range, throw a range error. When a 0xFFFF <= valid code point is given, String.fromCodePoint generates a string that contains surrogate pairs. * runtime/StringConstructor.cpp: (JSC::stringFromCodePoint): (JSC::constructWithStringConstructor): * tests/stress/string-from-code-point.js: Added. (shouldBe): (shouldThrow): (toCodePoints): (passThrough): 2015-04-25 Martin Robinson Rename ENABLE_3D_RENDERING to ENABLE_3D_TRANSFORMS https://bugs.webkit.org/show_bug.cgi?id=144182 Reviewed by Simon Fraser. * Configurations/FeatureDefines.xcconfig: Replace all instances of 3D_RENDERING with 3D_TRANSFORMS. 2015-04-25 Mark Lam mayExit() is wrong about Branch nodes with ObjectOrOtherUse: they can exit. https://bugs.webkit.org/show_bug.cgi?id=144152 Reviewed by Filip Pizlo. Changed the EdgeMayExit functor to recognize ObjectUse, ObjectOrOtherUse, StringObjectUse, and StringOrStringObjectUse kinds as potentially triggering OSR exits. This was overlooked in the original code. While only the ObjectOrOtherUse kind is relevant for manifesting this bug with the Branch node, the other 3 may also trigger the same bug for other nodes. To prevent this bug from manifesting with other nodes (and future ones that are yet to be added to mayExits()'s "potential won't exit" set), we fix the EdgeMayExit functor to handle all 4 use kinds (instead of just ObjectOrOtherUse). Also added a test to exercise a code path that will trigger this bug with the Branch node before the fix is applied. * dfg/DFGMayExit.cpp: * tests/stress/branch-may-exit-due-to-object-or-other-use-kind.js: Added. (inlinedFunction): (foo): 2015-04-24 Commit Queue Unreviewed, rolling out r183288. https://bugs.webkit.org/show_bug.cgi?id=144189 Made js/sort-with-side-effecting-comparisons.html time out in debug builds (Requested by ap on #webkit). Reverted changeset: "It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array." https://bugs.webkit.org/show_bug.cgi?id=144013 http://trac.webkit.org/changeset/183288 2015-04-24 Filip Pizlo CRASH in operationCreateDirectArgumentsDuringExit() https://bugs.webkit.org/show_bug.cgi?id=143962 Reviewed by Geoffrey Garen. We shouldn't assume that constant-like OSR exit values are always recoverable. They are only recoverable so long as they are live. Therefore, OSR exit should track liveness of constants instead of assuming that they are always live. * dfg/DFGGenerationInfo.h: (JSC::DFG::GenerationInfo::noticeOSRBirth): (JSC::DFG::GenerationInfo::appendBirth): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCurrentBlock): * dfg/DFGVariableEvent.cpp: (JSC::DFG::VariableEvent::dump): * dfg/DFGVariableEvent.h: (JSC::DFG::VariableEvent::birth): (JSC::DFG::VariableEvent::id): (JSC::DFG::VariableEvent::dataFormat): * dfg/DFGVariableEventStream.cpp: (JSC::DFG::VariableEventStream::reconstruct): * tests/stress/phantom-direct-arguments-clobber-argument-count.js: Added. (foo): (bar): * tests/stress/phantom-direct-arguments-clobber-callee.js: Added. (foo): (bar): 2015-04-24 Benjamin Poulain [JSC] When inserting a NaN into a Int32 array, we convert it to DoubleArray then to ContiguousArray https://bugs.webkit.org/show_bug.cgi?id=144169 Reviewed by Geoffrey Garen. * runtime/JSObject.cpp: (JSC::JSObject::convertInt32ForValue): DoubleArray do not store NaN, they are used for holes. What happened was: 1) We fail to insert the NaN in the Int32 array because it is a double. 2) We were converting the array to DoubleArray. 3) We were trying to insert the value again. We would fail again because DoubleArray does not store NaN. 4) We would convert the DoubleArrayt to Contiguous Array, converting the values to boxed values. * tests/stress/int32array-transition-on-nan.js: Added. The behavior is not really observable. This only test nothing crashes in those cases. (insertNaNWhileFilling): (testInsertNaNWhileFilling): (insertNaNAfterFilling): (testInsertNaNAfterFilling): (pushNaNWhileFilling): (testPushNaNWhileFilling): 2015-04-21 Geoffrey Garen It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array. https://bugs.webkit.org/show_bug.cgi?id=144013 Reviewed by Mark Lam. This patch implements Array.prototype.sort in JavaScript, removing the C++ implementations. It is simpler and less error-prone to express our operations in JavaScript, which provides memory safety, exception safety, and recursion safety. The performance result is mixed, but net positive in my opinion. It's difficult to enumerate all the results, since we used to have so many different sorting modes, and there are lots of different data patterns across which you might want to measure sorting. Suffice it to say: (*) The benchmarks we track are faster or unchanged. (*) Sorting random input using a comparator -- which we think is common -- is 3X faster. (*) Sorting random input in a non-array object -- which jQuery does -- is 4X faster. (*) Sorting random input in a compact array of integers using a trivial pattern-matchable comparator is 2X *slower*. * builtins/Array.prototype.js: (sort.min): (sort.stringComparator): (sort.compactSparse): Special case compaction for sparse arrays because we don't want to hang when sorting new Array(BIG). (sort.compact): (sort.merge): (sort.mergeSort): Use merge sort because it's a reasonably efficient stable sort. We have evidence that some sites depend on stable sort, even though the ES6 spec does not mandate it. (See .) This is a textbook implementation of merge sort with three optimizations: (1) Use iteration instead of recursion; (2) Use array subscripting instead of array copying in order to create logical sub-lists without creating physical sub-lists; (3) Swap src and dst at each iteration instead of copying src into dst, and only copy src into the subject array at the end if src is not the subject array. (sort.inflate): (sort.comparatorSort): (sort): Sort in JavaScript for the win. * builtins/BuiltinExecutables.cpp: (JSC::BuiltinExecutables::createExecutableInternal): Allow non-private names so we can use helper functions. * bytecode/CodeBlock.h: (JSC::CodeBlock::isNumericCompareFunction): Deleted. * bytecode/UnlinkedCodeBlock.cpp: (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): * bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted. (JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted. * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted. * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::FunctionNode::emitBytecode): We don't do this special casing based on pattern matching anymore. This was mainly an optimization to avoid the overhead of calling from C++ to JS, which we now avoid by sorting in JS. * heap/Heap.cpp: (JSC::Heap::markRoots): (JSC::Heap::pushTempSortVector): Deleted. (JSC::Heap::popTempSortVector): Deleted. (JSC::Heap::visitTempSortVectors): Deleted. * heap/Heap.h: We don't have temp sort vectors anymore because we sort in JavaScript using a normal JavaScript array for our temporary storage. * parser/Parser.cpp: (JSC::Parser::parseInner): Allow capturing so we can use helper functions. * runtime/ArrayPrototype.cpp: (JSC::isNumericCompareFunction): Deleted. (JSC::attemptFastSort): Deleted. (JSC::performSlowSort): Deleted. (JSC::arrayProtoFuncSort): Deleted. * runtime/CommonIdentifiers.h: New strings used by sort. * runtime/JSArray.cpp: (JSC::compareNumbersForQSortWithInt32): Deleted. (JSC::compareNumbersForQSortWithDouble): Deleted. (JSC::compareNumbersForQSort): Deleted. (JSC::compareByStringPairForQSort): Deleted. (JSC::JSArray::sortNumericVector): Deleted. (JSC::JSArray::sortNumeric): Deleted. (JSC::ContiguousTypeAccessor::getAsValue): Deleted. (JSC::ContiguousTypeAccessor::setWithValue): Deleted. (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted. (JSC::ContiguousTypeAccessor::getAsValue): Deleted. (JSC::ContiguousTypeAccessor::setWithValue): Deleted. (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted. (JSC::JSArray::sortCompactedVector): Deleted. (JSC::JSArray::sort): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted. (JSC::AVLTreeAbstractorForArrayCompare::null): Deleted. (JSC::JSArray::sortVector): Deleted. (JSC::JSArray::compactForSorting): Deleted. * runtime/JSArray.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::finishCreation): Provide some builtins used by sort. 2015-04-24 Matthew Mirman Made Object.prototype.__proto__ native getter and setter check that this object not null or undefined https://bugs.webkit.org/show_bug.cgi?id=141865 rdar://problem/19927273 Reviewed by Filip Pizlo. * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncProtoGetter): (JSC::globalFuncProtoSetter): 2015-04-23 Benjamin Poulain Remove a useless branch on DFGGraph::addShouldSpeculateMachineInt() https://bugs.webkit.org/show_bug.cgi?id=144118 Reviewed by Geoffrey Garen. * dfg/DFGGraph.h: (JSC::DFG::Graph::addShouldSpeculateMachineInt): Both block do the same thing. 2015-04-23 Joseph Pecoraro Web Inspector: Speculative fix for non-main thread auto-attach failures https://bugs.webkit.org/show_bug.cgi?id=144134 Reviewed by Timothy Hatcher. * inspector/remote/RemoteInspector.mm: (Inspector::RemoteInspector::singleton): 2015-04-23 Basile Clement Allow function allocation sinking https://bugs.webkit.org/show_bug.cgi?id=144016 Reviewed by Filip Pizlo. This adds the ability to sink function allocations in the DFGObjectAllocationSinkingPhase. In order to enable this, we add a new PhantomNewFunction node that is used similarily to the PhantomNewObject node, i.e. as a placeholder to replace a sunk NewFunction and keep track of the allocations that have to be performed in case of OSR exit after the sunk allocation but before the real one. The FunctionExecutable and JSLexicalEnvironment (activation) of the function are stored onto the PhantomNewFunction through PutHints in order for them to be recovered on OSR exit. Contrary to sunk object allocations, sunk function allocations do not support any kind of operations (e.g. storing into a field) ; any such operation will mark the function allocation as escaping and trigger materialization. As such, function allocations can only be sunk to places where it would have been correct to syntactically move them, and we don't need a special MaterializeNewFunction node to recover possible operations on the function. A sunk NewFunction node will simply create new NewFunction nodes, then replace itself with a PhantomNewFunction node. In itself, this change is not expected to have a significant impact on performances other than in degenerate cases (see e.g. JSRegress/sink-function), but it is a step towards being able to sink recursive closures onces we support CreateActivation sinking as well as allocation cycles sinking. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::convertToPhantomNewFunction): (JSC::DFG::Node::isPhantomAllocation): * dfg/DFGNodeType.h: * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGPromotedHeapLocation.cpp: (WTF::printInternal): * dfg/DFGPromotedHeapLocation.h: * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGValidate.cpp: (JSC::DFG::Validate::validateCPS): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): * ftl/FTLOperations.cpp: (JSC::FTL::operationMaterializeObjectInOSR): * tests/stress/function-sinking-no-double-allocate.js: Added. (call): (.f): (sink): * tests/stress/function-sinking-osrexit.js: Added. (.g): (sink): * tests/stress/function-sinking-put.js: Added. (.g): (sink): 2015-04-23 Basile Clement Make FunctionRareData allocation thread-safe https://bugs.webkit.org/show_bug.cgi?id=144001 Reviewed by Mark Lam. The two things we want to prevent are: 1. A thread seeing a pointer to a not-yet-fully-created rare data from a JSFunction 2. A thread seeing a pointer to a not-yet-fully-created Structure from an ObjectAllocationProfile For 1., only the JS thread can be creating the rare data (in runtime/CommonSlowPaths.cpp or in dfg/DFGOperations.cpp), so we don't need to worry about concurrent writes, and we don't need any fences when *reading* the rare data from the JS thread. Thus we only need a storeStoreFence between the rare data creation and assignment to m_rareData in JSFunction::createAndInitializeRareData() to ensure that when the store to m_rareData is issued, the rare data has been properly created. For the DFG compilation threads, the only place they can access the rare data is through JSFunction::rareData(), and so we only need a loadLoadFence there to ensure that when we see a non-null pointer in m_rareData, the pointed object will be seen as a fully created FunctionRareData. For 2., the structure is created in ObjectAllocationProfile::initialize() (which appears to be called only by the JS thread as well, in bytecode/CodeBlock.cpp and on rare data initialization, which always happen in the JS thread), and read through ObjectAllocationProfile::structure() and ObjectAllocationProfile::inlineCapacity(), so following the same reasoning we put a storeStoreFence in ObjectAllocationProfile::initialize() and a loadLoadFence in ObjectAllocationProfile::structure() (and change ObjectAllocationProfile::inlineCapacity() to go through ObjectAllocationProfile::structure()). We don't need a fence in ObjectAllocationProfile::clear() because clearing the structure is already as atomic as it gets. Finally, notice that we don't care about the ObjectAllocationProfile's m_allocator as that is only used by ObjectAllocationProfile::initialize() and ObjectAllocationProfile::clear() that are always run in the JS thread. ObjectAllocationProfile::isNull() could cause some trouble, but it is currently only used in the ObjectAllocationProfile::clear()'s ASSERT in the JS thread. Doing isNull()-style pre-checks would be wrong in any other concurrent thread anyway. * bytecode/ObjectAllocationProfile.h: (JSC::ObjectAllocationProfile::initialize): (JSC::ObjectAllocationProfile::structure): (JSC::ObjectAllocationProfile::inlineCapacity): * runtime/JSFunction.cpp: (JSC::JSFunction::allocateAndInitializeRareData): * runtime/JSFunction.h: (JSC::JSFunction::rareData): (JSC::JSFunction::allocationStructure): Deleted. This is no longer used, as all the accesses to the ObjectAllocationProfile go through the rare data. 2015-04-22 Filip Pizlo DFG should insert Phantoms late using BytecodeKills and block-local OSR availability https://bugs.webkit.org/show_bug.cgi?id=143735 Reviewed by Geoffrey Garen. We've always had bugs arising from the fact that we would MovHint something into a local, and then fail to keep it alive. We would then try to keep things alive by putting Phantoms on those Nodes that were MovHinted. But this became increasingly tricky. Given the sophistication of the transformations we are doing today, this approach is just not sound anymore. This comprehensively fixes these bugs by having the DFG backend automatically insert Phantoms just before codegen based on bytecode liveness. To make this practical, this also makes it much faster to query bytecode liveness. It's about as perf-neutral as it gets for a change that increases compiler work without actually optimizing anything. Later changes will remove the old Phantom-preserving logic, which should then speed us up. I can't really report concrete slow-down numbers because they are low enough to basically be in the noise. For example, a 20-iteration run of SunSpider yields "maybe 0.8% slower", whatever that means. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/BytecodeLivenessAnalysis.cpp: (JSC::BytecodeLivenessAnalysis::computeFullLiveness): * bytecode/FullBytecodeLiveness.h: (JSC::FullBytecodeLiveness::getLiveness): * bytecode/VirtualRegister.h: (JSC::VirtualRegister::operator+): (JSC::VirtualRegister::operator-): * dfg/DFGForAllKills.h: (JSC::DFG::forAllLiveNodesAtTail): (JSC::DFG::forAllKilledOperands): (JSC::DFG::forAllKilledNodesAtNodeIndex): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::isLiveInBytecode): (JSC::DFG::Graph::localsLiveInBytecode): * dfg/DFGGraph.h: (JSC::DFG::Graph::forAllLocalsLiveInBytecode): (JSC::DFG::Graph::forAllLiveInBytecode): * dfg/DFGMayExit.cpp: (JSC::DFG::mayExit): * dfg/DFGMovHintRemovalPhase.cpp: * dfg/DFGNodeType.h: * dfg/DFGPhantomInsertionPhase.cpp: Added. (JSC::DFG::performPhantomInsertion): * dfg/DFGPhantomInsertionPhase.h: Added. * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * dfg/DFGScoreBoard.h: (JSC::DFG::ScoreBoard::sortFree): (JSC::DFG::ScoreBoard::assertClear): * dfg/DFGVirtualRegisterAllocationPhase.cpp: (JSC::DFG::VirtualRegisterAllocationPhase::run): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::buildExitArguments): * tests/stress/phantom-inadequacy.js: Added. (bar): (baz): (foo): 2015-04-23 Filip Pizlo Rename HardPhantom to MustGenerate. Rubber stamped by Geoffrey Garen. We are steadily moving towards Phantom just being a backend hack in the DFG. HardPhantom is more than that; it's a utility for forcing the execution of otherwise killable nodes. NodeMustGenerate is the flag we use to indicate that something isn't killable. So this node should just be called MustGenerate. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDCEPhase.cpp: (JSC::DFG::DCEPhase::run): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::tryToRelaxRepresentation): * dfg/DFGIntegerCheckCombiningPhase.cpp: (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd): * dfg/DFGMayExit.cpp: (JSC::DFG::mayExit): * dfg/DFGNode.h: (JSC::DFG::Node::willHaveCodeGenOrOSR): * dfg/DFGNodeType.h: * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): * dfg/DFGPhantomCanonicalizationPhase.cpp: (JSC::DFG::PhantomCanonicalizationPhase::run): * dfg/DFGPhantomRemovalPhase.cpp: (JSC::DFG::PhantomRemovalPhase::run): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGTypeCheckHoistingPhase.cpp: (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): * dfg/DFGVarargsForwardingPhase.cpp: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): 2015-04-23 Jordan Harband Implement `Object.assign` https://bugs.webkit.org/show_bug.cgi?id=143980 Reviewed by Filip Pizlo. per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.assign * builtins/ObjectConstructor.js: Added. (assign): * runtime/CommonIdentifiers.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/ObjectConstructor.cpp: * runtime/ObjectConstructor.h: 2015-04-22 Filip Pizlo Unreviewed, fix debug build. * dfg/DFGGraph.h: (JSC::DFG::Graph::performSubstitutionForEdge): 2015-04-22 Filip Pizlo Nodes should have an optional epoch field https://bugs.webkit.org/show_bug.cgi?id=144084 Reviewed by Ryosuke Niwa and Mark Lam. This makes it easier to do epoch-based analyses on nodes. I plan to do just that in https://bugs.webkit.org/show_bug.cgi?id=143735. Currently the epoch field is not yet used. * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): * dfg/DFGCSEPhase.cpp: * dfg/DFGEpoch.h: (JSC::DFG::Epoch::fromUnsigned): (JSC::DFG::Epoch::toUnsigned): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::clearReplacements): (JSC::DFG::Graph::clearEpochs): * dfg/DFGGraph.h: (JSC::DFG::Graph::performSubstitutionForEdge): * dfg/DFGNode.h: (JSC::DFG::Node::Node): (JSC::DFG::Node::replaceWith): (JSC::DFG::Node::replacement): (JSC::DFG::Node::setReplacement): (JSC::DFG::Node::epoch): (JSC::DFG::Node::setEpoch): * dfg/DFGSSAConversionPhase.cpp: (JSC::DFG::SSAConversionPhase::run): 2015-04-22 Mark Lam Fix assertion failure and race condition in Options::dumpSourceAtDFGTime(). https://bugs.webkit.org/show_bug.cgi?id=143898 Reviewed by Filip Pizlo. CodeBlock::dumpSource() will access SourceCode strings in a way that requires ref'ing of the underlying StringImpls. This is unsafe to do from arbitrary compilation threads because StringImpls are not thread safe. As a result, we get an assertion failure when we run with JSC_dumpSourceAtDFGTime=true on a debug build. This patch fixes the issue by only collecting the CodeBlock (and associated info) into a DeferredSourceDump record while compiling, and stashing it away in a deferredSourceDump list in the DeferredCompilationCallback object to be dumped later. When compilation is done, the callback object will be notified that compilationDidComplete(). We will dump the SourceCode strings from there. Since compilationDidComplete() is guaranteed to only be called on the thread doing JS execution, it is safe to access the SourceCode strings there and ref their underlying StringImpls as needed. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/DeferredCompilationCallback.cpp: (JSC::DeferredCompilationCallback::compilationDidComplete): (JSC::DeferredCompilationCallback::sourceDumpInfo): (JSC::DeferredCompilationCallback::dumpCompiledSources): * bytecode/DeferredCompilationCallback.h: * bytecode/DeferredSourceDump.cpp: Added. (JSC::DeferredSourceDump::DeferredSourceDump): (JSC::DeferredSourceDump::dump): * bytecode/DeferredSourceDump.h: Added. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseCodeBlock): * dfg/DFGDriver.cpp: (JSC::DFG::compileImpl): 2015-04-22 Benjamin Poulain Implement String.codePointAt() https://bugs.webkit.org/show_bug.cgi?id=143934 Reviewed by Darin Adler. This patch adds String.codePointAt() as defined by ES6. I opted for a C++ implementation for now. * runtime/StringPrototype.cpp: (JSC::StringPrototype::finishCreation): (JSC::codePointAt): (JSC::stringProtoFuncCodePointAt): 2015-04-22 Mark Lam SparseArrayEntry's write barrier owner should be the SparseArrayValueMap. https://bugs.webkit.org/show_bug.cgi?id=144067 Reviewed by Michael Saboff. Currently, there are a few places where the JSObject that owns the SparseArrayValueMap is designated as the owner of the SparseArrayEntry write barrier. This is a bug and can result in the GC collecting the SparseArrayEntry even though it is being referenced by the SparseArrayValueMap. This patch fixes the bug. * runtime/JSObject.cpp: (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): (JSC::JSObject::putIndexedDescriptor): * tests/stress/sparse-array-entry-update-144067.js: Added. (useMemoryToTriggerGCs): (foo): 2015-04-22 Mark Lam Give the heap object iterators the ability to return early. https://bugs.webkit.org/show_bug.cgi?id=144011 Reviewed by Michael Saboff. JSDollarVMPrototype::isValidCell() uses a heap object iterator to validate candidate cell pointers, and, when in use, is called a lot more often than the normal way those iterators are used. As a result, I see my instrumented VM killed with a SIGXCPU (CPU time limit exceeded). This patch gives the callback functor the ability to tell the iterators to return early when the functor no longer needs to continue iterating. With this, my instrumented VM is useful again for debugging. Since heap iteration is not something that we do in a typical fast path, I don't expect this to have any noticeable impact on performance. I also renamed ObjectAddressCheckFunctor to CellAddressCheckFunctor since it checks JSCell addresses, not just JSObjects. * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * debugger/Debugger.cpp: * heap/GCLogging.cpp: (JSC::LoggingFunctor::operator()): * heap/Heap.cpp: (JSC::Zombify::visit): (JSC::Zombify::operator()): * heap/HeapStatistics.cpp: (JSC::StorageStatistics::visit): (JSC::StorageStatistics::operator()): * heap/HeapVerifier.cpp: (JSC::GatherLiveObjFunctor::visit): (JSC::GatherLiveObjFunctor::operator()): * heap/MarkedBlock.cpp: (JSC::SetNewlyAllocatedFunctor::operator()): * heap/MarkedBlock.h: (JSC::MarkedBlock::forEachCell): (JSC::MarkedBlock::forEachLiveCell): (JSC::MarkedBlock::forEachDeadCell): * heap/MarkedSpace.h: (JSC::MarkedSpace::forEachLiveCell): (JSC::MarkedSpace::forEachDeadCell): * inspector/agents/InspectorRuntimeAgent.cpp: (Inspector::TypeRecompiler::visit): (Inspector::TypeRecompiler::operator()): * runtime/IterationStatus.h: Added. * runtime/JSGlobalObject.cpp: * runtime/VM.cpp: (JSC::StackPreservingRecompiler::visit): (JSC::StackPreservingRecompiler::operator()): * tools/JSDollarVMPrototype.cpp: (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor): (JSC::CellAddressCheckFunctor::operator()): (JSC::JSDollarVMPrototype::isValidCell): (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor): Deleted. (JSC::ObjectAddressCheckFunctor::operator()): Deleted. 2015-04-22 Yusuke Suzuki [[Set]] should be properly executed in JS builtins https://bugs.webkit.org/show_bug.cgi?id=143996 Reviewed by Geoffrey Garen. Currently, all assignments in builtins JS code is compiled into put_by_val_direct. However, 1. Some functions (like Array.from) needs [[Set]]. (but it is now compiled into put_by_val_direct, [[DefineOwnProperty]]). 2. It's different from the default JS behavior. In this patch, we implement the bytecode intrinsic emitting put_by_val_direct and use it explicitly. And dropping the current hack for builtins. * builtins/Array.prototype.js: (filter): (map): (find): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitPutByVal): * tests/stress/array-fill-put-by-val.js: Added. (shouldThrow): (.set get array): * tests/stress/array-filter-put-by-val-direct.js: Added. (shouldBe): (.set get var): * tests/stress/array-find-does-not-lookup-twice.js: Added. (shouldBe): (shouldThrow): (.get shouldBe): * tests/stress/array-from-put-by-val-direct.js: Added. (shouldBe): (.set get var): * tests/stress/array-from-set-length.js: Added. (shouldBe): (ArrayLike): (ArrayLike.prototype.set length): (ArrayLike.prototype.get length): * tests/stress/array-map-put-by-val-direct.js: Added. (shouldBe): (.set get var): 2015-04-22 Basile Clement Don't de-allocate FunctionRareData https://bugs.webkit.org/show_bug.cgi?id=144000 Reviewed by Michael Saboff. A function rare data (containing most notably its allocation profile) is currently freed and re-allocated each time the function's prototype is cleared. This is not optimal as it means we are invalidating the watchpoint and recompiling the scope each time the prototype is cleared. This makes it so that a single rare data is reused, clearing the underlying ObjectAllocationProfile instead of throwing away the whole rare data on .prototype updates. * runtime/FunctionRareData.cpp: (JSC::FunctionRareData::create): (JSC::FunctionRareData::finishCreation): * runtime/FunctionRareData.h: * runtime/JSFunction.cpp: (JSC::JSFunction::allocateAndInitializeRareData): (JSC::JSFunction::initializeRareData): 2015-04-21 Filip Pizlo Unreviewed, fix 32-bit. Forgot to make this simple change to 32_64 as well. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2015-04-21 Filip Pizlo DFG should allow Phantoms after terminals https://bugs.webkit.org/show_bug.cgi?id=126778 Reviewed by Mark Lam. It's important for us to be able to place liveness-marking nodes after nodes that do things. These liveness-marking nodes are nops. Previously, we disallowed such nodes after terminals. That made things awkward, especially for Switch and Branch, which may do things that necessitate liveness markers (for example they might want to use a converted version of a value rather than the value that was MovHinted). We previously made this work by disallowing certain optimizations on Switch and Branch, which was probably a bad thing. This changes our IR to allow for the terminal to not be the last node in a block. Asking for the terminal involves a search. DFG::validate() checks that the nodes after the terminal are liveness markers that have no effects or checks. This is perf-neutral but will allow more optimizations in the future. It will also make it cleaner to fix https://bugs.webkit.org/show_bug.cgi?id=143735. * dfg/DFGBasicBlock.cpp: (JSC::DFG::BasicBlock::replaceTerminal): * dfg/DFGBasicBlock.h: (JSC::DFG::BasicBlock::findTerminal): (JSC::DFG::BasicBlock::terminal): (JSC::DFG::BasicBlock::insertBeforeTerminal): (JSC::DFG::BasicBlock::numSuccessors): (JSC::DFG::BasicBlock::successor): (JSC::DFG::BasicBlock::successorForCondition): (JSC::DFG::BasicBlock::successors): (JSC::DFG::BasicBlock::last): Deleted. (JSC::DFG::BasicBlock::takeLast): Deleted. (JSC::DFG::BasicBlock::insertBeforeLast): Deleted. (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable): Deleted. (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator): Deleted. (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*): Deleted. (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++): Deleted. (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==): Deleted. (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=): Deleted. (JSC::DFG::BasicBlock::SuccessorsIterable::begin): Deleted. (JSC::DFG::BasicBlock::SuccessorsIterable::end): Deleted. * dfg/DFGBasicBlockInlines.h: (JSC::DFG::BasicBlock::appendNonTerminal): (JSC::DFG::BasicBlock::replaceTerminal): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::addToGraph): (JSC::DFG::ByteCodeParser::inlineCall): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::linkBlock): (JSC::DFG::ByteCodeParser::parseCodeBlock): * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run): (JSC::DFG::CFGSimplificationPhase::convertToJump): (JSC::DFG::CFGSimplificationPhase::mergeBlocks): * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): * dfg/DFGCommon.h: (JSC::DFG::NodeAndIndex::NodeAndIndex): (JSC::DFG::NodeAndIndex::operator!): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupBlock): (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): (JSC::DFG::FixupPhase::clearPhantomsAtEnd): Deleted. * dfg/DFGForAllKills.h: (JSC::DFG::forAllLiveNodesAtTail): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::terminalsAreValid): (JSC::DFG::Graph::dumpBlockHeader): * dfg/DFGGraph.h: * dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::mergeToSuccessors): * dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::run): (JSC::DFG::LICMPhase::attemptHoist): * dfg/DFGMovHintRemovalPhase.cpp: * dfg/DFGNode.h: (JSC::DFG::Node::SuccessorsIterable::SuccessorsIterable): (JSC::DFG::Node::SuccessorsIterable::iterator::iterator): (JSC::DFG::Node::SuccessorsIterable::iterator::operator*): (JSC::DFG::Node::SuccessorsIterable::iterator::operator++): (JSC::DFG::Node::SuccessorsIterable::iterator::operator==): (JSC::DFG::Node::SuccessorsIterable::iterator::operator!=): (JSC::DFG::Node::SuccessorsIterable::begin): (JSC::DFG::Node::SuccessorsIterable::end): (JSC::DFG::Node::successors): * dfg/DFGObjectAllocationSinkingPhase.cpp: (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): * dfg/DFGPhantomRemovalPhase.cpp: (JSC::DFG::PhantomRemovalPhase::run): * dfg/DFGPutStackSinkingPhase.cpp: * dfg/DFGSSAConversionPhase.cpp: (JSC::DFG::SSAConversionPhase::run): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStaticExecutionCountEstimationPhase.cpp: (JSC::DFG::StaticExecutionCountEstimationPhase::run): * dfg/DFGTierUpCheckInjectionPhase.cpp: (JSC::DFG::TierUpCheckInjectionPhase::run): * dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): * tests/stress/closure-call-exit.js: Added. (foo): 2015-04-21 Basile Clement PhantomNewObject should be marked NodeMustGenerate https://bugs.webkit.org/show_bug.cgi?id=143974 Reviewed by Filip Pizlo. * dfg/DFGNode.h: (JSC::DFG::Node::convertToPhantomNewObject): Was not properly marking NodeMustGenerate when converting. 2015-04-21 Filip Pizlo DFG Call/ConstructForwardVarargs fails to restore the stack pointer https://bugs.webkit.org/show_bug.cgi?id=144007 Reviewed by Mark Lam. We were conditioning the stack pointer restoration on isVarargs, but we also need to do it if isForwardVarargs. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * tests/stress/varargs-then-slow-call.js: Added. (foo): (bar): (fuzz): (baz): 2015-04-21 Basile Clement Remove AllocationProfileWatchpoint node https://bugs.webkit.org/show_bug.cgi?id=143999 Reviewed by Filip Pizlo. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGHeapLocation.cpp: (WTF::printInternal): * dfg/DFGHeapLocation.h: * dfg/DFGNode.h: (JSC::DFG::Node::hasCellOperand): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGWatchpointCollectionPhase.cpp: (JSC::DFG::WatchpointCollectionPhase::handle): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): * runtime/JSFunction.h: (JSC::JSFunction::rareData): (JSC::JSFunction::allocationProfileWatchpointSet): Deleted. 2015-04-19 Filip Pizlo MovHint should be a strong use https://bugs.webkit.org/show_bug.cgi?id=143734 Reviewed by Geoffrey Garen. This disables any DCE that assumes equivalence between DFG IR uses and bytecode uses. Doing so is a major step towards allowing more fancy DFG transformations and also probably fixing some bugs. Just making MovHint a strong use would also completely disable DCE. So we mitigate this by introducing a MovHint removal phase that runs in FTL. This is a slight slowdown on Octane/gbemu, but it's basically neutral on suite averages. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/CodeOrigin.cpp: (JSC::InlineCallFrame::dumpInContext): * dfg/DFGDCEPhase.cpp: (JSC::DFG::DCEPhase::fixupBlock): * dfg/DFGDisassembler.cpp: (JSC::DFG::Disassembler::createDumpList): * dfg/DFGEpoch.cpp: Added. (JSC::DFG::Epoch::dump): * dfg/DFGEpoch.h: Added. (JSC::DFG::Epoch::Epoch): (JSC::DFG::Epoch::first): (JSC::DFG::Epoch::operator!): (JSC::DFG::Epoch::next): (JSC::DFG::Epoch::bump): (JSC::DFG::Epoch::operator==): (JSC::DFG::Epoch::operator!=): * dfg/DFGMayExit.cpp: (JSC::DFG::mayExit): * dfg/DFGMovHintRemovalPhase.cpp: Added. (JSC::DFG::performMovHintRemoval): * dfg/DFGMovHintRemovalPhase.h: Added. * dfg/DFGNodeType.h: * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCurrentBlock): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * runtime/Options.h: 2015-04-21 Basile Clement REGRESSION (r182899): icloud.com crashes https://bugs.webkit.org/show_bug.cgi?id=143960 Reviewed by Filip Pizlo. * runtime/JSFunction.h: (JSC::JSFunction::allocationStructure): * tests/stress/dfg-rare-data.js: Added. (F): Regression test 2015-04-21 Michael Saboff Crash in JSC::Interpreter::execute https://bugs.webkit.org/show_bug.cgi?id=142625 Reviewed by Filip Pizlo. We need to keep the FunctionExecutables in the code block for the eval flavor of Interpreter::execute() in order to create the scope used to eval. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::jettisonFunctionDeclsAndExprs): Deleted. * bytecode/CodeBlock.h: * dfg/DFGGraph.cpp: (JSC::DFG::Graph::registerFrozenValues): 2015-04-21 Chris Dumez Make Vector(const Vector&) constructor explicit https://bugs.webkit.org/show_bug.cgi?id=143970 Reviewed by Darin Adler. Make Vector(const Vector&) constructor explicit as it copies the vector and it is easy to call it by mistake. * bytecode/UnlinkedInstructionStream.cpp: (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream): * bytecode/UnlinkedInstructionStream.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::lower): 2015-04-20 Basile Clement PhantomNewObject should be marked NodeMustGenerate https://bugs.webkit.org/show_bug.cgi?id=143974 Reviewed by Filip Pizlo. * dfg/DFGNodeType.h: Mark PhantomNewObject as NodeMustGenerate 2015-04-20 Joseph Pecoraro Cleanup some StringBuilder use https://bugs.webkit.org/show_bug.cgi?id=143550 Reviewed by Darin Adler. * runtime/Symbol.cpp: (JSC::Symbol::descriptiveString): * runtime/TypeProfiler.cpp: (JSC::TypeProfiler::typeInformationForExpressionAtOffset): * runtime/TypeSet.cpp: (JSC::TypeSet::toJSONString): (JSC::StructureShape::propertyHash): (JSC::StructureShape::stringRepresentation): (JSC::StructureShape::toJSONString): 2015-04-20 Mark Lam Add debugging tools to test if a given pointer is a valid object and in the heap. https://bugs.webkit.org/show_bug.cgi?id=143910 Reviewed by Geoffrey Garen. When doing debugging from lldb, sometimes, it is useful to be able to tell if a purported JSObject is really a valid object in the heap or not. We can add the following utility functions to help: isValidCell(heap, candidate) - returns true if the candidate is a "live" cell in the heap. isInHeap(heap, candidate) - returns true if the candidate is the heap's Object space or Storage space. isInObjectSpace(heap, candidate) - returns true if the candidate is the heap's Object space. isInStorageSpace(heap, candidate) - returns true if the candidate is the heap's Storage space. Also moved lldb callable debug utility function prototypes from JSDollarVMPrototype.cpp to JSDollarVMPrototype.h as static members of the JSDollarVMPrototype class. This is so that we can conveniently #include that file to get the prototypes when we need to call them programmatically from instrumentation that we add while debugging an issue. * heap/Heap.h: (JSC::Heap::storageSpace): * tools/JSDollarVMPrototype.cpp: (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock): (JSC::ensureCurrentThreadOwnsJSLock): (JSC::JSDollarVMPrototype::gc): (JSC::functionGC): (JSC::JSDollarVMPrototype::edenGC): (JSC::functionEdenGC): (JSC::JSDollarVMPrototype::isInHeap): (JSC::JSDollarVMPrototype::isInObjectSpace): (JSC::JSDollarVMPrototype::isInStorageSpace): (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor): (JSC::ObjectAddressCheckFunctor::operator()): (JSC::JSDollarVMPrototype::isValidCell): (JSC::JSDollarVMPrototype::isValidCodeBlock): (JSC::JSDollarVMPrototype::codeBlockForFrame): (JSC::functionCodeBlockForFrame): (JSC::codeBlockFromArg): (JSC::JSDollarVMPrototype::printCallFrame): (JSC::JSDollarVMPrototype::printStack): (JSC::JSDollarVMPrototype::printValue): (JSC::currentThreadOwnsJSLock): Deleted. (JSC::gc): Deleted. (JSC::edenGC): Deleted. (JSC::isValidCodeBlock): Deleted. (JSC::codeBlockForFrame): Deleted. (JSC::printCallFrame): Deleted. (JSC::printStack): Deleted. (JSC::printValue): Deleted. * tools/JSDollarVMPrototype.h: 2015-04-20 Joseph Pecoraro Web Inspector: Improve Support for WeakSet in Console https://bugs.webkit.org/show_bug.cgi?id=143951 Reviewed by Darin Adler. * inspector/InjectedScriptSource.js: * inspector/JSInjectedScriptHost.cpp: (Inspector::JSInjectedScriptHost::subtype): (Inspector::JSInjectedScriptHost::weakSetSize): (Inspector::JSInjectedScriptHost::weakSetEntries): * inspector/JSInjectedScriptHost.h: * inspector/JSInjectedScriptHostPrototype.cpp: (Inspector::JSInjectedScriptHostPrototype::finishCreation): (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize): (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries): Treat WeakSets like special sets. * inspector/protocol/Runtime.json: Add a new object subtype, "weakset". 2015-04-20 Yusuke Suzuki HashMap storing PropertyKey StringImpl* need to use IdentifierRepHash to handle Symbols https://bugs.webkit.org/show_bug.cgi?id=143947 Reviewed by Darin Adler. Type profiler has map between PropertyKey (StringImpl*) and offset. StringImpl* is also used for Symbol PropertyKey. So equality of hash tables is considered by interned StringImpl*'s pointer value. To do so, use IdentifierRepHash instead of StringHash. * runtime/SymbolTable.h: 2015-04-20 Jordan Harband Implement `Object.is` https://bugs.webkit.org/show_bug.cgi?id=143865 Reviewed by Darin Adler. Expose sameValue to JS, via Object.is https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.is * runtime/ObjectConstructor.cpp: (JSC::objectConstructorIs): * runtime/PropertyDescriptor.cpp: (JSC::sameValue): 2015-04-19 Darin Adler Remove all the remaining uses of OwnPtr and PassOwnPtr in JavaScriptCore https://bugs.webkit.org/show_bug.cgi?id=143941 Reviewed by Gyuyoung Kim. * API/JSCallbackObject.h: Use unique_ptr for m_callbackObjectData. * API/JSCallbackObjectFunctions.h: Ditto. * API/ObjCCallbackFunction.h: Use unique_ptr for the arguments to the create function and the constructor and for m_impl. * API/ObjCCallbackFunction.mm: (CallbackArgumentOfClass::CallbackArgumentOfClass): Streamline this class by using RetainPtr. (ArgumentTypeDelegate::typeInteger): Use make_unique. (ArgumentTypeDelegate::typeDouble): Ditto. (ArgumentTypeDelegate::typeBool): Ditto. (ArgumentTypeDelegate::typeVoid): Ditto. (ArgumentTypeDelegate::typeId): Ditto. (ArgumentTypeDelegate::typeOfClass): Ditto. (ArgumentTypeDelegate::typeBlock): Ditto. (ArgumentTypeDelegate::typeStruct): Ditto. (ResultTypeDelegate::typeInteger): Ditto. (ResultTypeDelegate::typeDouble): Ditto. (ResultTypeDelegate::typeBool): Ditto. (ResultTypeDelegate::typeVoid): Ditto. (ResultTypeDelegate::typeId): Ditto. (ResultTypeDelegate::typeOfClass): Ditto. (ResultTypeDelegate::typeBlock): Ditto. (ResultTypeDelegate::typeStruct): Ditto. (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): Use unique_ptr for the arguments to the constructor, m_arguments, and m_result. Use RetainPtr for m_instanceClass. (JSC::objCCallbackFunctionCallAsConstructor): Use nullptr instead of nil or 0 for non-Objective-C object pointer null. (JSC::ObjCCallbackFunction::ObjCCallbackFunction): Use unique_ptr for the arguments to the constructor and for m_impl. (JSC::ObjCCallbackFunction::create): Use unique_ptr for arguments. (skipNumber): Mark this static since it's local to this source file. (objCCallbackFunctionForInvocation): Call parseObjCType without doing any explicit adoptPtr since the types in the traits are now unique_ptr. Also use nullptr instead of nil for JSObjectRef values. (objCCallbackFunctionForMethod): Tweaked comment. (objCCallbackFunctionForBlock): Use nullptr instead of 0 for JSObjectRef. * bytecode/CallLinkInfo.h: Removed unneeded include of OwnPtr.h. * heap/GCThread.cpp: (JSC::GCThread::GCThread): Use unique_ptr. * heap/GCThread.h: Use unique_ptr for arguments to the constructor and for m_slotVisitor and m_copyVisitor. * heap/GCThreadSharedData.cpp: (JSC::GCThreadSharedData::GCThreadSharedData): Ditto. * parser/SourceProvider.h: Removed unneeded include of PassOwnPtr.h. 2015-04-19 Benjamin Poulain Improve the feature.json files * features.json: 2015-04-19 Yusuke Suzuki Introduce bytecode intrinsics https://bugs.webkit.org/show_bug.cgi?id=143926 Reviewed by Filip Pizlo. This patch introduces bytecode level intrinsics into builtins/*.js JS code. When implementing functions in builtins/*.js, sometimes we require lower level functionality. For example, in the current Array.from, we use `result[k] = value`. The spec requires `[[DefineOwnProperty]]` operation here. However, usual `result[k] = value` is evaluated as `[[Set]]`. (`PutValue` => `[[Set]]`) So if we implement `Array.prototype[k]` getter/setter, the difference is observable. Ideally, reaching here, we would like to use put_by_val_direct bytecode. However, there's no syntax to generate it directly. This patch introduces bytecode level intrinsics into JSC BytecodeCompiler. Like @call, @apply, we introduce a new node, Intrinsic. These are generated when calling appropriate private symbols in privileged code. AST parser detects them and generates Intrinsic nodes and BytecodeCompiler detects them and generate required bytecodes. Currently, Array.from implementation works fine without this patch. This is because when the target code is builtin JS, BytecodeGenerator emits put_by_val_direct instead of put_by_val. This solves the above issue. However, instead of solving this issue, it raises another issue; There's no way to emit `[[Set]]` operation. `[[Set]]` operation is actually used in the spec (Array.from's "length" is set by `[[Set]]`). So to implement it precisely, introducing bytecode level intrinsics is necessary. In the subsequent fixes, we'll remove that special path emitting put_by_val_direct for `result[k] = value` under builtin JS environment. Instead of that special handling, use bytecode intrinsics instead. It solves problems and it is more intuitive because written JS code in builtin works as the same to the usual JS code. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * builtins/ArrayConstructor.js: (from): * bytecode/BytecodeIntrinsicRegistry.cpp: Added. (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): (JSC::BytecodeIntrinsicRegistry::lookup): * bytecode/BytecodeIntrinsicRegistry.h: Added. * bytecompiler/NodesCodegen.cpp: (JSC::BytecodeIntrinsicNode::emitBytecode): (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect): * parser/ASTBuilder.h: (JSC::ASTBuilder::makeFunctionCallNode): * parser/NodeConstructors.h: (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode): * parser/Nodes.h: (JSC::BytecodeIntrinsicNode::identifier): * runtime/CommonIdentifiers.cpp: (JSC::CommonIdentifiers::CommonIdentifiers): * runtime/CommonIdentifiers.h: (JSC::CommonIdentifiers::bytecodeIntrinsicRegistry): * tests/stress/array-from-with-accessors.js: Added. (shouldBe): 2015-04-19 Yusuke Suzuki Make Builtin functions non constructible https://bugs.webkit.org/show_bug.cgi?id=143923 Reviewed by Darin Adler. Builtin functions defined by builtins/*.js accidentally have [[Construct]]. According to the spec, these functions except for explicitly defined as a constructor do not have [[Construct]]. This patch fixes it. When the JS function used for a construction is builtin function, throw not a constructor error. Ideally, returning ConstructTypeNone in JSFunction::getConstructData is enough. However, to avoid calling getConstructData (it involves indirect call of function pointer of getConstructData), some places do not check ConstructType. In these places, they only check the target function is JSFunction because previously JSFunction always has [[Construct]]. So in this patch, we check `isBuiltinFunction()` in those places. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::inliningCost): * jit/JITOperations.cpp: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::setUpCall): * runtime/JSFunction.cpp: (JSC::JSFunction::getConstructData): * tests/stress/builtin-function-is-construct-type-none.js: Added. (shouldThrow): 2015-04-19 Yusuke Suzuki [ES6] Implement WeakSet https://bugs.webkit.org/show_bug.cgi?id=142408 Reviewed by Darin Adler. This patch implements ES6 WeakSet. Current implementation simply leverages WeakMapData with undefined value. This WeakMapData should be optimized in the same manner as MapData/SetData in the subsequent patch[1]. And in this patch, we also fix WeakMap/WeakSet behavior to conform the ES6 spec. Except for adders (WeakMap.prototype.set/WeakSet.prototype.add), methods return false (or undefined for WeakMap.prototype.get) when a key is not Object instead of throwing a type error. [1]: https://bugs.webkit.org/show_bug.cgi?id=143919 * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * runtime/CommonIdentifiers.h: * runtime/JSGlobalObject.cpp: * runtime/JSGlobalObject.h: * runtime/JSWeakSet.cpp: Added. (JSC::JSWeakSet::finishCreation): (JSC::JSWeakSet::visitChildren): * runtime/JSWeakSet.h: Added. (JSC::JSWeakSet::createStructure): (JSC::JSWeakSet::create): (JSC::JSWeakSet::weakMapData): (JSC::JSWeakSet::JSWeakSet): * runtime/WeakMapPrototype.cpp: (JSC::getWeakMapData): (JSC::protoFuncWeakMapDelete): (JSC::protoFuncWeakMapGet): (JSC::protoFuncWeakMapHas): * runtime/WeakSetConstructor.cpp: Added. (JSC::WeakSetConstructor::finishCreation): (JSC::callWeakSet): (JSC::constructWeakSet): (JSC::WeakSetConstructor::getConstructData): (JSC::WeakSetConstructor::getCallData): * runtime/WeakSetConstructor.h: Added. (JSC::WeakSetConstructor::create): (JSC::WeakSetConstructor::createStructure): (JSC::WeakSetConstructor::WeakSetConstructor): * runtime/WeakSetPrototype.cpp: Added. (JSC::WeakSetPrototype::finishCreation): (JSC::getWeakMapData): (JSC::protoFuncWeakSetDelete): (JSC::protoFuncWeakSetHas): (JSC::protoFuncWeakSetAdd): * runtime/WeakSetPrototype.h: Added. (JSC::WeakSetPrototype::create): (JSC::WeakSetPrototype::createStructure): (JSC::WeakSetPrototype::WeakSetPrototype): * tests/stress/weak-set-constructor-adder.js: Added. (WeakSet.prototype.add): * tests/stress/weak-set-constructor.js: Added. 2015-04-17 Alexey Proskuryakov Remove unused BoundsCheckedPointer https://bugs.webkit.org/show_bug.cgi?id=143896 Reviewed by Geoffrey Garen. * bytecode/SpeculatedType.cpp: The header was included here. 2015-04-17 Yusuke Suzuki [ES6] Fix name enumeration of static functions for Symbol constructor https://bugs.webkit.org/show_bug.cgi?id=143891 Reviewed by Geoffrey Garen. Fix missing symbolPrototypeTable registration to the js class object. This patch fixes name enumeration of static functions (Symbol.key, Symbol.keyFor) for Symbol constructor. * runtime/SymbolConstructor.cpp: 2015-04-17 Basile Clement Inline JSFunction allocation in DFG https://bugs.webkit.org/show_bug.cgi?id=143858 Reviewed by Filip Pizlo. Followup to my previous patch which inlines JSFunction allocation when using FTL, now also enabled in DFG. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileNewFunction): 2015-04-16 Jordan Harband Number.parseInt is not === global parseInt in nightly r182673 https://bugs.webkit.org/show_bug.cgi?id=143799 Reviewed by Darin Adler. Ensuring parseInt === Number.parseInt, per spec https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint * runtime/CommonIdentifiers.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::parseIntFunction): * runtime/NumberConstructor.cpp: (JSC::NumberConstructor::finishCreation): 2015-04-16 Mark Lam Gardening: fix CLOOP build after r182927. Not reviewed. * interpreter/StackVisitor.cpp: (JSC::StackVisitor::Frame::print): 2015-04-16 Basile Clement Inline JSFunction allocation in FTL https://bugs.webkit.org/show_bug.cgi?id=143851 Reviewed by Filip Pizlo. JSFunction allocation is a simple operation that should be inlined when possible. * ftl/FTLAbstractHeapRepository.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNewFunction): * runtime/JSFunction.h: (JSC::JSFunction::allocationSize): 2015-04-16 Mark Lam Add $vm debugging tool. https://bugs.webkit.org/show_bug.cgi?id=143809 Reviewed by Geoffrey Garen. For debugging VM bugs, it would be useful to be able to dump VM data structures from JS code that we instrument. To this end, let's introduce a JS_enableDollarVM option that, if true, installs an $vm property into each JS global object at creation time. The $vm property refers to an object that provides a collection of useful utility functions. For this initial implementation, $vm will have the following: crash() - trigger an intentional crash. dfgTrue() - returns true if the current function is DFG compiled, else returns false. jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false. llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false. gc() - runs a full GC. edenGC() - runs an eden GC. codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc). printSourceFor(codeBlock) - prints the source code for the codeBlock. printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock. print(str) - prints a string to dataLog output. printCallFrame() - prints the current CallFrame. printStack() - prints the JS stack. printInternal(value) - prints the JSC internal info for the specified value. With JS_enableDollarVM=true, JS code can use the above functions like so: $vm.print("Using $vm features\n"); * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::printCallOp): - FTL compiled functions don't like it when we try to compute the CallLinkStatus. Hence, we skip this step if we're dumping an FTL codeBlock. * heap/Heap.cpp: (JSC::Heap::collectAndSweep): (JSC::Heap::collectAllGarbage): Deleted. * heap/Heap.h: (JSC::Heap::collectAllGarbage): - Add ability to do an Eden collection and sweep. * interpreter/StackVisitor.cpp: (JSC::printIndents): (JSC::log): (JSC::logF): (JSC::StackVisitor::Frame::print): (JSC::jitTypeName): Deleted. (JSC::printif): Deleted. - Modernize the implementation of StackVisitor::Frame::print(), and remove some now redundant code. - Also fix it so that it downgrades gracefully when encountering inlined DFG and compiled FTL functions. (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted. (DebugPrintFrameFunctor::operator()): Deleted. (debugPrintCallFrame): Deleted. (debugPrintStack): Deleted. - these have been moved into JSDollarVMPrototype.cpp. * interpreter/StackVisitor.h: - StackVisitor::Frame::print() is now enabled for release builds as well so that we can call it from $vm. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: - Added the $vm instance to global objects conditional on the JSC_enableDollarVM option. * runtime/Options.h: - Added the JSC_enableDollarVM option. * tools/JSDollarVM.cpp: Added. * tools/JSDollarVM.h: Added. (JSC::JSDollarVM::createStructure): (JSC::JSDollarVM::create): (JSC::JSDollarVM::JSDollarVM): * tools/JSDollarVMPrototype.cpp: Added. - This file contains 2 sets of functions: a. a C++ implementation of debugging utility functions that are callable when doing debugging from lldb. To the extent possible, these functions try to be cautious and not cause unintended crashes should the user call them with the wrong info. Hence, they are designed to be robust rather than speedy. b. the native implementations of JS functions in the $vm object. Where there is overlapping functionality, these are built on top of the C++ functions above to do the work. Note: it does not make sense for all of the $vm functions to have a C++ counterpart for lldb debugging. For example, the $vm.dfgTrue() function is only useful for JS code, and works via the DFG intrinsics mechanism. When doing debugging via lldb, the optimization level of the currently executing JS function can be gotten by dumping the current CallFrame instead. (JSC::currentThreadOwnsJSLock): (JSC::ensureCurrentThreadOwnsJSLock): (JSC::JSDollarVMPrototype::addFunction): (JSC::functionCrash): - $vm.crash() (JSC::functionDFGTrue): - $vm.dfgTrue() (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor): (JSC::CallerFrameJITTypeFunctor::operator()): (JSC::CallerFrameJITTypeFunctor::jitType): (JSC::functionLLintTrue): - $vm.llintTrue() (JSC::functionJITTrue): - $vm.jitTrue() (JSC::gc): (JSC::functionGC): - $vm.gc() (JSC::edenGC): (JSC::functionEdenGC): - $vm.edenGC() (JSC::isValidCodeBlock): (JSC::codeBlockForFrame): (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber) (JSC::codeBlockFromArg): (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock) (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock) (JSC::functionPrint): - $vm.print(str) (JSC::PrintFrameFunctor::PrintFrameFunctor): (JSC::PrintFrameFunctor::operator()): (JSC::printCallFrame): (JSC::printStack): (JSC::functionPrintCallFrame): - $vm.printCallFrame() (JSC::functionPrintStack): - $vm.printStack() (JSC::printValue): (JSC::functionPrintValue): - $vm.printValue() (JSC::JSDollarVMPrototype::finishCreation): * tools/JSDollarVMPrototype.h: Added. (JSC::JSDollarVMPrototype::create): (JSC::JSDollarVMPrototype::createStructure): (JSC::JSDollarVMPrototype::JSDollarVMPrototype): 2015-04-16 Geoffrey Garen Speculative fix after r182915 https://bugs.webkit.org/show_bug.cgi?id=143404 Reviewed by Alexey Proskuryakov. * runtime/SymbolConstructor.h: 2015-04-16 Mark Lam Fixed some typos in a comment. Not reviewed. * dfg/DFGGenerationInfo.h: 2015-04-16 Yusuke Suzuki [ES6] Implement Symbol.for and Symbol.keyFor https://bugs.webkit.org/show_bug.cgi?id=143404 Reviewed by Geoffrey Garen. This patch implements Symbol.for and Symbol.keyFor. SymbolRegistry maintains registered StringImpl* symbols. And to make this mapping enabled over realms, VM owns this mapping (not JSGlobalObject). While there's Default AtomicStringTable per thread, SymbolRegistry should not exist over VMs. So everytime VM is created, SymbolRegistry is also created. In SymbolRegistry implementation, we don't leverage WeakGCMap (or weak reference design). Theres are several reasons. 1. StringImpl* which represents identity of Symbols is not GC-managed object. So we cannot use WeakGCMap directly. While Symbol* is GC-managed object, holding weak reference to Symbol* doesn't maintain JS symbols (exposed primitive values to users) liveness, because distinct Symbol* can exist. Distinct Symbol* means the Symbol* object that pointer value (Symbol*) is different from weakly referenced Symbol* but held StringImpl* is the same. 2. We don't use WTF::WeakPtr. If we add WeakPtrFactory into StringImpl's member, we can track StringImpl*'s liveness by WeakPtr. However there's problem about when we prune staled entries in SymbolRegistry. Since the memory allocated for the Symbol is typically occupied by allocated symbolized StringImpl*'s content, and it is not in GC-heap. While heavily registering Symbols and storing StringImpl* into SymbolRegistry, Heap's EdenSpace is not so occupied. So GC typically attempt to perform EdenCollection, and it doesn't call WeakGCMap's pruleStaleEntries callback. As a result, before pruning staled entries in SymbolRegistry, fast malloc-ed memory fills up the system memory. So instead of using Weak reference, we take relatively easy design. When we register symbolized StringImpl* into SymbolRegistry, symbolized StringImpl* is aware of that. And when destructing it, it removes its reference from SymbolRegistry as if atomic StringImpl do so with AtomicStringTable. * CMakeLists.txt: * DerivedSources.make: * runtime/SymbolConstructor.cpp: (JSC::SymbolConstructor::getOwnPropertySlot): (JSC::symbolConstructorFor): (JSC::symbolConstructorKeyFor): * runtime/SymbolConstructor.h: * runtime/VM.cpp: * runtime/VM.h: (JSC::VM::symbolRegistry): * tests/stress/symbol-registry.js: Added. (test): 2015-04-16 Yusuke Suzuki [ES6] Use specific functions for @@iterator functions https://bugs.webkit.org/show_bug.cgi?id=143838 Reviewed by Geoffrey Garen. In ES6, some methods are defined with the different names. For example, Map.prototype[Symbol.iterator] === Map.prototype.entries Set.prototype[Symbol.iterator] === Set.prototype.values Array.prototype[Symbol.iterator] === Array.prototype.values %Arguments%[Symbol.iterator] === Array.prototype.values However, current implementation creates different function objects per name. This patch fixes it by setting the object that is used for the other method to @@iterator. e.g. Setting Array.prototype.values function object to Array.prototype[Symbol.iterator]. And we drop Arguments' iterator implementation and replace Argument[@@iterator] implementation with Array.prototype.values to conform to the spec. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * inspector/JSInjectedScriptHost.cpp: (Inspector::JSInjectedScriptHost::subtype): (Inspector::JSInjectedScriptHost::getInternalProperties): (Inspector::JSInjectedScriptHost::iteratorEntries): * runtime/ArgumentsIteratorConstructor.cpp: Removed. * runtime/ArgumentsIteratorConstructor.h: Removed. * runtime/ArgumentsIteratorPrototype.cpp: Removed. * runtime/ArgumentsIteratorPrototype.h: Removed. * runtime/ArrayPrototype.cpp: (JSC::ArrayPrototype::finishCreation): * runtime/ArrayPrototype.h: * runtime/ClonedArguments.cpp: (JSC::ClonedArguments::getOwnPropertySlot): (JSC::ClonedArguments::put): (JSC::ClonedArguments::deleteProperty): (JSC::ClonedArguments::defineOwnProperty): (JSC::ClonedArguments::materializeSpecials): * runtime/ClonedArguments.h: * runtime/CommonIdentifiers.h: * runtime/DirectArguments.cpp: (JSC::DirectArguments::overrideThings): * runtime/GenericArgumentsInlines.h: (JSC::GenericArguments::getOwnPropertySlot): (JSC::GenericArguments::getOwnPropertyNames): (JSC::GenericArguments::put): (JSC::GenericArguments::deleteProperty): (JSC::GenericArguments::defineOwnProperty): * runtime/JSArgumentsIterator.cpp: Removed. * runtime/JSArgumentsIterator.h: Removed. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): (JSC::JSGlobalObject::visitChildren): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::arrayProtoValuesFunction): * runtime/MapPrototype.cpp: (JSC::MapPrototype::finishCreation): * runtime/ScopedArguments.cpp: (JSC::ScopedArguments::overrideThings): * runtime/SetPrototype.cpp: (JSC::SetPrototype::finishCreation): * tests/stress/arguments-iterator.js: Added. (test): (testArguments): * tests/stress/iterator-functions.js: Added. (test): (argumentsTests): 2015-04-14 Mark Lam Add JSC_functionOverrides= debugging tool. https://bugs.webkit.org/show_bug.cgi?id=143717 Reviewed by Geoffrey Garen. This tool allows us to do runtime replacement of function bodies with alternatives for debugging purposes. For example, this is useful when we need to debug VM bugs which manifest in scripts executing in webpages downloaded from remote servers that we don't control. The tool allows us to augment those scripts with logging or test code to help isolate the bugs. This tool works by substituting the SourceCode at FunctionExecutable creation time. It identifies which SourceCode to substitute by comparing the source string against keys in a set of key value pairs. The keys are function body strings defined by 'override' clauses in the overrides file specified by in the JSC_functionOverrides option. The values are function body strings defines by 'with' clauses in the overrides file. See comment blob at top of FunctionOverrides.cpp on the formatting of the overrides file. At FunctionExecutable creation time, if the SourceCode string matches one of the 'override' keys from the overrides file, the tool will replace the SourceCode with a new one based on the corresponding 'with' value string. The FunctionExecutable will then be created with the new SourceCode instead. Some design decisions: 1. We opted to require that the 'with' clause appear on a separate line than the 'override' clause because this makes it easier to read and write when the 'override' clause's function body is single lined and long. 2. The user can use any sequence of characters for the delimiter (except for '{', '}' and white space characters) because this ensures that there can always be some delimiter pattern that does not appear in the function body in the clause e.g. in the body of strings in the JS code. '{' and '}' are disallowed because they are used to mark the boundaries of the function body string. White space characters are disallowed because they can be error prone (the user may not be able to tell between spaces and tabs). 3. The start and end delimiter must be an identical sequence of characters. I had considered allowing the use of complementary characters like <>, [], and () for making delimiter pairs like: [[[[ ... ]]]] <[([( ... )])]> But in the end, decided against it because: a. These sequences of complementary characters can exists in JS code. In contrast, a repeating delimiter like %%%% is unlikely to appear in JS code. b. It can be error prone for the user to have to type the exact complement character for the end delimiter in reverse order. In contrast, a repeating delimiter like %%%% is much easier to type and less error prone. Even a sequence like @#$%^ is less error prone than a complementary sequence because it can be copy-pasted, and need not be typed in reverse order. c. It is easier to parse for the same delimiter string for both start and end. 4. The tool does a lot of checks for syntax errors in the overrides file because we don't want any overrides to fail silently. If a syntax error is detected, the tool will print an error message and call exit(). This avoids the user wasting time doing debugging only to be surprised later that their specified overrides did not take effect because of some unnoticed typo. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/UnlinkedCodeBlock.cpp: (JSC::UnlinkedFunctionExecutable::link): * runtime/Executable.h: * runtime/Options.h: * tools/FunctionOverrides.cpp: Added. (JSC::FunctionOverrides::overrides): (JSC::FunctionOverrides::FunctionOverrides): (JSC::initializeOverrideInfo): (JSC::FunctionOverrides::initializeOverrideFor): (JSC::hasDisallowedCharacters): (JSC::parseClause): (JSC::FunctionOverrides::parseOverridesInFile): * tools/FunctionOverrides.h: Added. 2015-04-16 Basile Clement Extract the allocation profile from JSFunction into a rare object https://bugs.webkit.org/show_bug.cgi?id=143807 Reviewed by Filip Pizlo. The allocation profile is only needed for those functions that are used to create objects with [new]. Extracting it into its own JSCell removes the need for JSFunction and JSCallee to be JSDestructibleObjects, which should improve performances in most cases at the cost of an extra pointer dereference when the allocation profile is actually needed. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_create_this): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_create_this): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/FunctionRareData.cpp: Added. (JSC::FunctionRareData::create): (JSC::FunctionRareData::destroy): (JSC::FunctionRareData::createStructure): (JSC::FunctionRareData::visitChildren): (JSC::FunctionRareData::FunctionRareData): (JSC::FunctionRareData::~FunctionRareData): (JSC::FunctionRareData::finishCreation): * runtime/FunctionRareData.h: Added. (JSC::FunctionRareData::offsetOfAllocationProfile): (JSC::FunctionRareData::allocationProfile): (JSC::FunctionRareData::allocationStructure): (JSC::FunctionRareData::allocationProfileWatchpointSet): * runtime/JSBoundFunction.cpp: (JSC::JSBoundFunction::destroy): Deleted. * runtime/JSBoundFunction.h: * runtime/JSCallee.cpp: (JSC::JSCallee::destroy): Deleted. * runtime/JSCallee.h: * runtime/JSFunction.cpp: (JSC::JSFunction::JSFunction): (JSC::JSFunction::createRareData): (JSC::JSFunction::visitChildren): (JSC::JSFunction::put): (JSC::JSFunction::defineOwnProperty): (JSC::JSFunction::destroy): Deleted. (JSC::JSFunction::createAllocationProfile): Deleted. * runtime/JSFunction.h: (JSC::JSFunction::offsetOfRareData): (JSC::JSFunction::rareData): (JSC::JSFunction::allocationStructure): (JSC::JSFunction::allocationProfileWatchpointSet): (JSC::JSFunction::offsetOfAllocationProfile): Deleted. (JSC::JSFunction::allocationProfile): Deleted. * runtime/JSFunctionInlines.h: (JSC::JSFunction::JSFunction): * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: 2015-04-16 Csaba Osztrogonác Remove the unnecessary WTF_CHANGES define https://bugs.webkit.org/show_bug.cgi?id=143825 Reviewed by Andreas Kling. * config.h: 2015-04-15 Andreas Kling Make MarkedBlock and WeakBlock 4x smaller. Reviewed by Mark Hahnenberg. To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB. In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size. Some examples: apple.com: 6.3MB -> 5.5MB (14.5% smaller) reddit.com: 4.5MB -> 4.1MB ( 9.7% smaller) twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller) cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller) Benchmarks look mostly neutral. Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider. * heap/MarkedBlock.h: * heap/WeakBlock.h: * llint/LLIntData.cpp: (JSC::LLInt::Data::performAssertions): * llint/LowLevelInterpreter.asm: 2015-04-15 Jordan Harband String.prototype.startsWith/endsWith/includes have wrong length in r182673 https://bugs.webkit.org/show_bug.cgi?id=143659 Reviewed by Benjamin Poulain. Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith * runtime/StringPrototype.cpp: (JSC::StringPrototype::finishCreation): 2015-04-15 Mark Lam Remove obsolete VMInspector debugging tool. https://bugs.webkit.org/show_bug.cgi?id=143798 Reviewed by Michael Saboff. I added the VMInspector tool 3 years ago to aid in VM hacking work. Some of it has bit rotted, and now the VM also has better ways to achieve its functionality. Hence this code is now obsolete and should be removed. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * interpreter/CallFrame.h: * interpreter/VMInspector.cpp: Removed. * interpreter/VMInspector.h: Removed. * llint/LowLevelInterpreter.cpp: 2015-04-15 Jordan Harband Math.imul has wrong length in Safari 8.0.4 https://bugs.webkit.org/show_bug.cgi?id=143658 Reviewed by Benjamin Poulain. Correcting function length from 1, to 2, to match spec https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul * runtime/MathObject.cpp: (JSC::MathObject::finishCreation): 2015-04-15 Jordan Harband Number.parseInt in nightly r182673 has wrong length https://bugs.webkit.org/show_bug.cgi?id=143657 Reviewed by Benjamin Poulain. Correcting function length from 1, to 2, to match spec https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint * runtime/NumberConstructor.cpp: (JSC::NumberConstructor::finishCreation): 2015-04-15 Filip Pizlo Harden DFGForAllKills https://bugs.webkit.org/show_bug.cgi?id=143792 Reviewed by Geoffrey Garen. Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent bugs in https://bugs.webkit.org/show_bug.cgi?id=143734. Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong: - It looks for kill sites at forExit origin boundaries. But, something might have been killed by an operation that was logically in between the forExit origins at the boundary, but was removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction gaps. - It overlooked the fact that a MovHint that addresses a local that is always live kills that local. For example, storing to an argument means that the prior value of the argument is killed. This fixes the analysis by making it handle MovHints directly, and making it define kills in the most conservative way possible: it asks if you were live before but dead after. If we have the compile time budget to afford this more direct approach, then it's definitel a good idea since it's so fool-proof. * dfg/DFGArgumentsEliminationPhase.cpp: * dfg/DFGForAllKills.h: (JSC::DFG::forAllKilledOperands): (JSC::DFG::forAllKilledNodesAtNodeIndex): (JSC::DFG::forAllDirectlyKilledOperands): Deleted. 2015-04-15 Joseph Pecoraro Provide SPI to allow changing whether JSContexts are remote debuggable by default https://bugs.webkit.org/show_bug.cgi?id=143681 Reviewed by Darin Adler. * API/JSRemoteInspector.h: * API/JSRemoteInspector.cpp: (JSRemoteInspectorGetInspectionEnabledByDefault): (JSRemoteInspectorSetInspectionEnabledByDefault): Provide SPI to toggle the default enabled inspection state of debuggables. * API/JSContextRef.cpp: (JSGlobalContextCreateInGroup): Respect the default setting. 2015-04-15 Joseph Pecoraro JavaScriptCore: Use kCFAllocatorDefault where possible https://bugs.webkit.org/show_bug.cgi?id=143747 Reviewed by Darin Adler. * heap/HeapTimer.cpp: (JSC::HeapTimer::HeapTimer): * inspector/remote/RemoteInspectorDebuggableConnection.mm: (Inspector::RemoteInspectorInitializeGlobalQueue): (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop): For consistency and readability use the constant instead of different representations of null. 2015-04-14 Michael Saboff Remove JavaScriptCoreUseJIT default from JavaScriptCore https://bugs.webkit.org/show_bug.cgi?id=143746 Reviewed by Mark Lam. * runtime/VM.cpp: (JSC::enableAssembler): 2015-04-14 Chris Dumez Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type https://bugs.webkit.org/show_bug.cgi?id=143745 Reviewed by Joseph Pecoraro. Add assertion in ContentSearchUtilities::findMagicComment() to make sure the content String is not null or we would crash in JSC::Yarr::interpret() later. * inspector/ContentSearchUtilities.cpp: (Inspector::ContentSearchUtilities::findMagicComment): 2015-04-14 Michael Saboff DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format https://bugs.webkit.org/show_bug.cgi?id=143727 Reviewed by Geoffrey Garen. Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible with the requested fill format. If filter() reports a contradiction, then we force an OSR exit. Removed individual checks made redundant by the new check. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 2015-04-14 Joseph Pecoraro Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI https://bugs.webkit.org/show_bug.cgi?id=143691 Reviewed by Geoffrey Garen. * API/JSRemoteInspector.h: * API/JSRemoteInspector.cpp: (JSRemoteInspectorSetLogToSystemConsole): Add SPI to enable/disable logging to the system console. This only affects JSContext `console` logs and warnings. * inspector/JSGlobalObjectConsoleClient.h: * inspector/JSGlobalObjectConsoleClient.cpp: (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole): (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole): (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel): (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted. Simplify access to the setting now that it doesn't need to initialize its value from preferences. 2015-04-14 Joseph Pecoraro Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch https://bugs.webkit.org/show_bug.cgi?id=143682 Reviewed by Timothy Hatcher. * inspector/remote/RemoteInspector.mm: (Inspector::RemoteInspector::singleton): If we are on the main thread, run the initialization immediately. Otherwise dispatch to the main thread. This way if the first JSContext was created on the main thread it can get auto-attached if applicable. 2015-04-14 Joseph Pecoraro Unreviewed build fix for Mavericks. Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR so the Inspector namespace is not available when compiling this file. * API/JSRemoteInspector.cpp: 2015-04-14 Joseph Pecoraro Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit https://bugs.webkit.org/show_bug.cgi?id=143729 Reviewed by Timothy Hatcher. * API/JSRemoteInspector.h: Added. * API/JSRemoteInspector.cpp: Added. (JSRemoteInspectorDisableAutoStart): (JSRemoteInspectorStart): (JSRemoteInspectorSetParentProcessInformation): Add the new SPIs for basic remote inspection behavior. * JavaScriptCore.xcodeproj/project.pbxproj: Add the new files to Mac only, since remote inspection is only enabled there anyways. 2015-04-14 Mark Lam Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist. https://bugs.webkit.org/show_bug.cgi?id=143722 Reviewed by Michael Saboff. Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is shorter, and easier to remember (without having to look it up) and to type. JSC options now support descriptions, and one can always look up the description if the option's purpose is not already obvious. * dfg/DFGFunctionWhitelist.cpp: (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist): (JSC::DFG::FunctionWhitelist::contains): * runtime/Options.h: 2015-04-13 Filip Pizlo Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED. * runtime/InferredValue.h: 2015-04-13 Filip Pizlo Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written. * runtime/InferredValue.h: 2015-04-08 Filip Pizlo JSC should detect singleton functions https://bugs.webkit.org/show_bug.cgi?id=143232 Reviewed by Geoffrey Garen. This started out as an attempt to make constructors faster by detecting when a constructor is a singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint along with an inferred value - that detects if only one JSFunction has been allocated for that executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable, if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid), we can constant-fold GetCallee. Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the process I realized a bunch of things: - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes had even in code where our singleton-closure detection worked. That's because singleton-closure inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant values. - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and created InferredValue. InferredValue is a cell, so it can handle its own GC magic. FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions. - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways. First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant scope. Ths saves compile times and it allows prediction propagation to benefit from the constant folding. Second, it means that we will detect a singleton scope even if it is referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring allows us to eliminate the function reentry watchpoint. - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring constant values in scopes. Previously when the DFG inferred that a closure variable was constant, it wouldn't know which closure that variable was in and so it couldn't just load that value. But now we are first inferring that the function is a singleton, which means that we know exactly what scope it points to, and we can load the value from the scope. Using a WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable. I've tweaked the code of VariableWatchpointSet to reduce its power to just be what FunctionExecutable wants. This also has the effect of simplifying the implementation of block scoping. Prior to this change, block scoping would have needed to have some story for the function reentry watchpoint on any nested symbol table. That's totally weird to think about; it's not really a function reentry but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes will "just work": if we prove that we know the constant value of the scope then the machinery kicks in, otherwise it doesn't. This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%. * CMakeLists.txt: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/BytecodeList.json: * bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset): * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::finalizeUnconditionally): (JSC::CodeBlock::valueProfileForBytecodeOffset): * bytecode/CodeBlock.h: (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted. * bytecode/CodeOrigin.cpp: (JSC::InlineCallFrame::calleeConstant): (JSC::InlineCallFrame::visitAggregate): * bytecode/CodeOrigin.h: (JSC::InlineCallFrame::calleeConstant): Deleted. (JSC::InlineCallFrame::visitAggregate): Deleted. * bytecode/Instruction.h: * bytecode/VariableWatchpointSet.cpp: Removed. * bytecode/VariableWatchpointSet.h: Removed. * bytecode/VariableWatchpointSetInlines.h: Removed. * bytecode/VariableWriteFireDetail.cpp: Added. (JSC::VariableWriteFireDetail::dump): (JSC::VariableWriteFireDetail::touch): * bytecode/VariableWriteFireDetail.h: Added. (JSC::VariableWriteFireDetail::VariableWriteFireDetail): * bytecode/Watchpoint.h: (JSC::WatchpointSet::stateOnJSThread): (JSC::WatchpointSet::startWatching): (JSC::WatchpointSet::fireAll): (JSC::WatchpointSet::touch): (JSC::WatchpointSet::invalidate): (JSC::InlineWatchpointSet::stateOnJSThread): (JSC::InlineWatchpointSet::state): (JSC::InlineWatchpointSet::hasBeenInvalidated): (JSC::InlineWatchpointSet::invalidate): (JSC::InlineWatchpointSet::touch): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::get): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::getScope): Deleted. * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDesiredWatchpoints.cpp: (JSC::DFG::InferredValueAdaptor::add): (JSC::DFG::DesiredWatchpoints::addLazily): (JSC::DFG::DesiredWatchpoints::reallyAdd): (JSC::DFG::DesiredWatchpoints::areStillValid): * dfg/DFGDesiredWatchpoints.h: (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated): (JSC::DFG::DesiredWatchpoints::isWatched): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): (JSC::DFG::Graph::tryGetConstantClosureVar): * dfg/DFGNode.h: (JSC::DFG::Node::hasWatchpointSet): (JSC::DFG::Node::watchpointSet): (JSC::DFG::Node::hasVariableWatchpointSet): Deleted. (JSC::DFG::Node::variableWatchpointSet): Deleted. * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileNewFunction): (JSC::DFG::SpeculativeJIT::compileCreateActivation): (JSC::DFG::SpeculativeJIT::compileNotifyWrite): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGVarargsForwardingPhase.cpp: * ftl/FTLIntrinsicRepository.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileCreateActivation): (JSC::FTL::LowerDFGToLLVM::compileNewFunction): (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite): * interpreter/Interpreter.cpp: (JSC::StackFrame::friendlySourceURL): (JSC::StackFrame::friendlyFunctionName): * interpreter/Interpreter.h: (JSC::StackFrame::friendlySourceURL): Deleted. (JSC::StackFrame::friendlyFunctionName): Deleted. * jit/JIT.cpp: (JSC::JIT::emitNotifyWrite): (JSC::JIT::privateCompileMainPass): * jit/JIT.h: * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_touch_entry): Deleted. * jit/JITOperations.cpp: * jit/JITOperations.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emitPutGlobalVar): (JSC::JIT::emitPutClosureVar): (JSC::JIT::emitNotifyWrite): Deleted. * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitPutGlobalVar): (JSC::JIT::emitPutClosureVar): (JSC::JIT::emitNotifyWrite): Deleted. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): Deleted. * runtime/CommonSlowPaths.h: * runtime/Executable.cpp: (JSC::FunctionExecutable::finishCreation): (JSC::FunctionExecutable::visitChildren): * runtime/Executable.h: (JSC::FunctionExecutable::singletonFunction): * runtime/InferredValue.cpp: Added. (JSC::InferredValue::create): (JSC::InferredValue::destroy): (JSC::InferredValue::createStructure): (JSC::InferredValue::visitChildren): (JSC::InferredValue::InferredValue): (JSC::InferredValue::~InferredValue): (JSC::InferredValue::notifyWriteSlow): (JSC::InferredValue::ValueCleanup::ValueCleanup): (JSC::InferredValue::ValueCleanup::~ValueCleanup): (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): * runtime/InferredValue.h: Added. (JSC::InferredValue::inferredValue): (JSC::InferredValue::state): (JSC::InferredValue::isStillValid): (JSC::InferredValue::hasBeenInvalidated): (JSC::InferredValue::add): (JSC::InferredValue::notifyWrite): (JSC::InferredValue::invalidate): * runtime/JSEnvironmentRecord.cpp: (JSC::JSEnvironmentRecord::visitChildren): * runtime/JSEnvironmentRecord.h: (JSC::JSEnvironmentRecord::isValid): (JSC::JSEnvironmentRecord::finishCreation): * runtime/JSFunction.cpp: (JSC::JSFunction::create): * runtime/JSFunction.h: (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint): (JSC::JSFunction::createImpl): (JSC::JSFunction::create): Deleted. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::addGlobalVar): (JSC::JSGlobalObject::addFunction): * runtime/JSGlobalObject.h: * runtime/JSLexicalEnvironment.cpp: (JSC::JSLexicalEnvironment::symbolTablePut): * runtime/JSScope.h: (JSC::ResolveOp::ResolveOp): * runtime/JSSegmentedVariableObject.h: (JSC::JSSegmentedVariableObject::finishCreation): * runtime/JSSymbolTableObject.h: (JSC::JSSymbolTableObject::JSSymbolTableObject): (JSC::JSSymbolTableObject::setSymbolTable): (JSC::symbolTablePut): (JSC::symbolTablePutWithAttributes): * runtime/PutPropertySlot.h: * runtime/SymbolTable.cpp: (JSC::SymbolTableEntry::prepareToWatch): (JSC::SymbolTable::SymbolTable): (JSC::SymbolTable::finishCreation): (JSC::SymbolTable::visitChildren): (JSC::SymbolTableEntry::inferredValue): Deleted. (JSC::SymbolTableEntry::notifyWriteSlow): Deleted. (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted. (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted. (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted. * runtime/SymbolTable.h: (JSC::SymbolTableEntry::disableWatching): (JSC::SymbolTableEntry::watchpointSet): (JSC::SymbolTable::singletonScope): (JSC::SymbolTableEntry::notifyWrite): Deleted. * runtime/TypeProfiler.cpp: * runtime/VM.cpp: (JSC::VM::VM): * runtime/VM.h: * tests/stress/infer-uninitialized-closure-var.js: Added. (foo.f): (foo): * tests/stress/singleton-scope-then-overwrite.js: Added. (foo.f): (foo): * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added. (foo): * tests/stress/singleton-scope-then-realloc.js: Added. (foo): 2015-04-13 Andreas Kling Don't segregate heap objects based on Structure immortality. Reviewed by Darin Adler. Put all objects that need a destructor call into the same MarkedBlock. This reduces memory consumption in many situations, while improving locality, since much more of the MarkedBlock space can be shared. Instead of branching on the MarkedBlock type, we now check a bit in the JSCell's inline type flags (StructureIsImmortal) to see whether it's safe to access the cell's Structure during destruction or not. Performance benchmarks look mostly neutral. Maybe a small regression on SunSpider's date objects. On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along with a bunch of WeakBlocks that were hanging off of them. That's on the higher end of savings we can get from this, but still a very real improvement. Most of this patch is removing the "hasImmortalStructure" constant from JSCell derived classes and passing that responsibility to the StructureIsImmortal flag. StructureFlags is made public so that it's accessible from non-member functions. I made sure to declare it everywhere and make classes final to try to make it explicit what each class is doing to its inherited flags. * API/JSCallbackConstructor.h: * API/JSCallbackObject.h: * bytecode/UnlinkedCodeBlock.h: * debugger/DebuggerScope.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileMakeRope): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileMakeRope): * heap/Heap.h: (JSC::Heap::subspaceForObjectDestructor): (JSC::Heap::allocatorForObjectWithDestructor): (JSC::Heap::subspaceForObjectNormalDestructor): Deleted. (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted. (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted. (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted. * heap/HeapInlines.h: (JSC::Heap::allocateWithDestructor): (JSC::Heap::allocateObjectOfType): (JSC::Heap::subspaceForObjectOfType): (JSC::Heap::allocatorForObjectOfType): (JSC::Heap::allocateWithNormalDestructor): Deleted. (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted. * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::allocateBlock): * heap/MarkedAllocator.h: (JSC::MarkedAllocator::needsDestruction): (JSC::MarkedAllocator::MarkedAllocator): (JSC::MarkedAllocator::init): (JSC::MarkedAllocator::destructorType): Deleted. * heap/MarkedBlock.cpp: (JSC::MarkedBlock::create): (JSC::MarkedBlock::MarkedBlock): (JSC::MarkedBlock::callDestructor): (JSC::MarkedBlock::specializedSweep): (JSC::MarkedBlock::sweep): (JSC::MarkedBlock::sweepHelper): * heap/MarkedBlock.h: (JSC::MarkedBlock::needsDestruction): (JSC::MarkedBlock::destructorType): Deleted. * heap/MarkedSpace.cpp: (JSC::MarkedSpace::MarkedSpace): (JSC::MarkedSpace::resetAllocators): (JSC::MarkedSpace::forEachAllocator): (JSC::MarkedSpace::isPagedOut): (JSC::MarkedSpace::clearNewlyAllocated): * heap/MarkedSpace.h: (JSC::MarkedSpace::subspaceForObjectsWithDestructor): (JSC::MarkedSpace::destructorAllocatorFor): (JSC::MarkedSpace::allocateWithDestructor): (JSC::MarkedSpace::forEachBlock): (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted. (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted. (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted. (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted. (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted. (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted. * inspector/JSInjectedScriptHost.h: * inspector/JSInjectedScriptHostPrototype.h: * inspector/JSJavaScriptCallFrame.h: * inspector/JSJavaScriptCallFramePrototype.h: * jsc.cpp: * runtime/ArrayBufferNeuteringWatchpoint.h: * runtime/ArrayConstructor.h: * runtime/ArrayIteratorPrototype.h: * runtime/BooleanPrototype.h: * runtime/ClonedArguments.h: * runtime/CustomGetterSetter.h: * runtime/DateConstructor.h: * runtime/DatePrototype.h: * runtime/ErrorPrototype.h: * runtime/ExceptionHelpers.h: * runtime/Executable.h: * runtime/GenericArguments.h: * runtime/GetterSetter.h: * runtime/InternalFunction.h: * runtime/JSAPIValueWrapper.h: * runtime/JSArgumentsIterator.h: * runtime/JSArray.h: * runtime/JSArrayBuffer.h: * runtime/JSArrayBufferView.h: * runtime/JSBoundFunction.h: * runtime/JSCallee.h: * runtime/JSCell.h: * runtime/JSCellInlines.h: (JSC::JSCell::classInfo): * runtime/JSDataViewPrototype.h: * runtime/JSEnvironmentRecord.h: * runtime/JSFunction.h: * runtime/JSGenericTypedArrayView.h: * runtime/JSGlobalObject.h: * runtime/JSLexicalEnvironment.h: * runtime/JSNameScope.h: * runtime/JSNotAnObject.h: * runtime/JSONObject.h: * runtime/JSObject.h: (JSC::JSFinalObject::JSFinalObject): * runtime/JSPromiseConstructor.h: * runtime/JSPromiseDeferred.h: * runtime/JSPromisePrototype.h: * runtime/JSPromiseReaction.h: * runtime/JSPropertyNameEnumerator.h: * runtime/JSProxy.h: * runtime/JSScope.h: * runtime/JSString.h: * runtime/JSSymbolTableObject.h: * runtime/JSTypeInfo.h: (JSC::TypeInfo::structureIsImmortal): * runtime/MathObject.h: * runtime/NumberConstructor.h: * runtime/NumberPrototype.h: * runtime/ObjectConstructor.h: * runtime/PropertyMapHashTable.h: * runtime/RegExp.h: * runtime/RegExpConstructor.h: * runtime/RegExpObject.h: * runtime/RegExpPrototype.h: * runtime/ScopedArgumentsTable.h: * runtime/SparseArrayValueMap.h: * runtime/StrictEvalActivation.h: * runtime/StringConstructor.h: * runtime/StringIteratorPrototype.h: * runtime/StringObject.h: * runtime/StringPrototype.h: * runtime/Structure.cpp: (JSC::Structure::Structure): * runtime/Structure.h: * runtime/StructureChain.h: * runtime/StructureRareData.h: * runtime/Symbol.h: * runtime/SymbolPrototype.h: * runtime/SymbolTable.h: * runtime/WeakMapData.h: 2015-04-13 Mark Lam DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit. https://bugs.webkit.org/show_bug.cgi?id=143407 Reviewed by Filip Pizlo. DFG inlining of a varargs call / construct needs to keep the local containing the callee alive with a Phantom node because the LoadVarargs node may OSR exit. After the OSR exit, the baseline JIT executes the op_call_varargs with that callee in the local. Previously, because that callee local was not explicitly kept alive, the op_call_varargs case can OSR exit a DFG function and leave an undefined value in that local. As a result, the baseline observes the side effect of an op_call_varargs on an undefined value instead of the function it expected. Note: this issue does not manifest with op_construct_varargs because the inlined constructor will have an op_create_this which operates on the incoming callee value, thereby keeping it alive. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleInlining): * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added. (foo): (Foo): (doTest): 2015-04-12 Yusuke Suzuki [ES6] Implement Array.prototype.values https://bugs.webkit.org/show_bug.cgi?id=143633 Reviewed by Darin Adler. Symbol.unscopables is implemented, so we can implement Array.prototype.values without largely breaking the web. The following script passes. var array = []; var values = 42; with (array) { assert(values, 42); } * runtime/ArrayPrototype.cpp: * tests/stress/array-iterators-next.js: * tests/stress/map-iterators-next.js: * tests/stress/set-iterators-next.js: * tests/stress/values-unscopables.js: Added. (test): 2015-04-11 Yusuke Suzuki Run flaky conservative GC related test first before polluting stack and registers https://bugs.webkit.org/show_bug.cgi?id=143634 Reviewed by Ryosuke Niwa. After r182653, JSC API tests fail. However, it's not related to the change. After investigating the cause of this failure, I've found that the failed test is flaky because JSC's GC is conservative. If previously allocated JSGlobalObject is accidentally alive due to conservative roots in C stack and registers, this test fails. Since GC marks C stack and registers as roots conservatively, objects not referenced logically can be accidentally marked and alive. To avoid this situation as possible as we can, 1. run this test first before stack is polluted, 2. extract this test as a function to suppress stack height. * API/tests/testapi.mm: (testWeakValue): (testObjectiveCAPIMain): (testObjectiveCAPI): 2015-04-11 Matt Baker Web Inspector: create content view and details sidebar for Frames timeline https://bugs.webkit.org/show_bug.cgi?id=143533 Reviewed by Timothy Hatcher. Refactoring: RunLoop prefix changed to RenderingFrame. * inspector/protocol/Timeline.json: 2015-04-11 Yusuke Suzuki [ES6] Enable Symbol in web pages https://bugs.webkit.org/show_bug.cgi?id=143375 Reviewed by Ryosuke Niwa. Expose Symbol to web pages. Symbol was exposed, but it was hidden since it breaks Facebook comments. This is because at that time Symbol is implemented, but methods for Symbol.iterator and Object.getOwnPropertySymbols are not implemented yet and it breaks React.js and immutable.js. Now methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented and make sure that Facebook comment input functionality is not broken with exposed Symbol. So this patch replaces runtime flags SymbolEnabled to SymbolDisabled and makes enabling symbols by default. * runtime/ArrayPrototype.cpp: (JSC::ArrayPrototype::finishCreation): * runtime/CommonIdentifiers.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::finishCreation): * runtime/RuntimeFlags.h: 2015-04-10 Yusuke Suzuki ES6: Iterator toString names should be consistent https://bugs.webkit.org/show_bug.cgi?id=142424 Reviewed by Geoffrey Garen. Iterator Object Names in the spec right now have spaces. In our implementation some do and some don't. This patch aligns JSC to the spec. * runtime/JSArrayIterator.cpp: * runtime/JSStringIterator.cpp: * tests/stress/iterator-names.js: Added. (test): (iter): (check): 2015-04-10 Michael Saboff REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests https://bugs.webkit.org/show_bug.cgi?id=143582 Reviewed by Mark Lam. For 32 bit builds, we favor spilling unboxed values. The ASSERT at the root of this bug doesn't fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS). For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell). The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits if the spillFormat is DataFormatCell. Had we spilled in DataFormatJS and the value was a JSCell*, we would still OSR exit after the speculation check. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 2015-04-10 Milan Crha Disable Linux-specific code in a Windows build https://bugs.webkit.org/show_bug.cgi?id=137973 Reviewed by Joseph Pecoraro. * inspector/JSGlobalObjectInspectorController.cpp: (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): 2015-04-10 Csaba Osztrogonác [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516 https://bugs.webkit.org/show_bug.cgi?id=143368 Reviewed by Michael Saboff. * jit/RegisterSet.cpp: (JSC::RegisterSet::calleeSaveRegisters): 2015-04-08 Joseph Pecoraro Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters https://bugs.webkit.org/show_bug.cgi?id=143430 Reviewed by Darin Adler. * runtime/ExceptionHelpers.cpp: (JSC::errorDescriptionForValue): * runtime/NumberPrototype.cpp: (JSC::numberProtoFuncToExponential): (JSC::numberProtoFuncToPrecision): (JSC::numberProtoFuncToString): * runtime/SymbolPrototype.cpp: (JSC::symbolProtoFuncToString): 2015-04-08 Filip Pizlo JSArray::sortNumeric should handle ArrayWithUndecided https://bugs.webkit.org/show_bug.cgi?id=143535 Reviewed by Geoffrey Garen. ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it. * runtime/JSArray.cpp: (JSC::JSArray::sortNumeric): * tests/stress/sort-array-with-undecided.js: Added. 2015-04-08 Filip Pizlo DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around https://bugs.webkit.org/show_bug.cgi?id=143532 Reviewed by Gavin Barraclough. Oh the irony! We were protecting an optimization that only worked if there was no wrap-around in JavaScript. But the C++ code had wrap-around, which is undef in C++. So, if the compiler was smart enough, our compiler would think that there never was wrap-around. This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang. * dfg/DFGIntegerCheckCombiningPhase.cpp: (JSC::DFG::IntegerCheckCombiningPhase::isValid): 2015-04-07 Michael Saboff Lazily initialize LogToSystemConsole flag to reduce memory usage https://bugs.webkit.org/show_bug.cgi?id=143506 Reviewed by Mark Lam. Only call into CF preferences code when we need to in order to reduce memory usage. * inspector/JSGlobalObjectConsoleClient.cpp: (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole): (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole): (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient): 2015-04-07 Benjamin Poulain Get the features.json files ready for open contributions https://bugs.webkit.org/show_bug.cgi?id=143436 Reviewed by Darin Adler. * features.json: 2015-04-07 Filip Pizlo Constant folding of typed array properties should be handled by AI rather than strength reduction https://bugs.webkit.org/show_bug.cgi?id=143496 Reviewed by Geoffrey Garen. Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA phase and whatever other phase did the folding in order to find all constants. This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint directly. This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not found because all of the tests for it involved the property getting constant folded. I found that the codegen was bad because an earlier version of the patch broke that constant folding. This adds a new test for that node type, which makes constant folding impossible by allocating a new typed array every type. The lesson here is: if you write a test for something, run the test with full IR dumps to make sure it's actually testing the thing you want it to test. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): (JSC::DFG::Graph::tryGetFoldableView): (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted. * dfg/DFGGraph.h: * dfg/DFGNode.h: (JSC::DFG::Node::hasTypedArray): Deleted. (JSC::DFG::Node::typedArray): Deleted. * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStrengthReductionPhase.cpp: (JSC::DFG::StrengthReductionPhase::handleNode): (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted. (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted. * dfg/DFGWatchpointCollectionPhase.cpp: (JSC::DFG::WatchpointCollectionPhase::handle): (JSC::DFG::WatchpointCollectionPhase::addLazily): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset): (JSC::FTL::LowerDFGToLLVM::typedArrayLength): * tests/stress/fold-typed-array-properties.js: (foo): * tests/stress/typed-array-byte-offset.js: Added. (foo): 2015-04-07 Matthew Mirman Source and stack information should get appended only to native errors and should be added directly after construction rather than when thrown. This fixes frozen objects being unfrozen when thrown while conforming to ecma script standard and other browser behavior. rdar://problem/19927293 https://bugs.webkit.org/show_bug.cgi?id=141871 Reviewed by Geoffrey Garen. Appending stack, source, line, and column information to an object whenever that object is thrown is incorrect because it violates the ecma script standard for the behavior of throw. Suppose for example that the object being thrown already has one of these properties or is frozen. Adding the properties would then violate the frozen contract or overwrite those properties. Other browsers do not do this, and doing this causes unnecessary performance hits in code with heavy use of the throw construct as a control flow construct rather than just an error reporting mechanism. Because WebCore adds "native" errors which do not inherit from any JSC native error, appending the error properties as a seperate call after construction of the error is required to avoid having to manually truncate the stack and gather local source information due to the stack being extended by a nested call to construct one of the native jsc error. * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): * interpreter/Interpreter.h: * parser/ParserError.h: (JSC::ParserError::toErrorObject): * runtime/CommonIdentifiers.h: * runtime/Error.cpp: (JSC::createError): (JSC::createEvalError): (JSC::createRangeError): (JSC::createReferenceError): (JSC::createSyntaxError): (JSC::createTypeError): (JSC::createNotEnoughArgumentsError): (JSC::createURIError): (JSC::createOutOfMemoryError): (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): (JSC::addErrorInfoAndGetBytecodeOffset): Added. (JSC::addErrorInfo): Added special case for appending complete error info to a newly constructed error object. * runtime/Error.h: * runtime/ErrorConstructor.cpp: (JSC::Interpreter::constructWithErrorConstructor): (JSC::Interpreter::callErrorConstructor): * runtime/ErrorInstance.cpp: (JSC::appendSourceToError): Moved from VM.cpp (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): (JSC::addErrorInfoAndGetBytecodeOffset): (JSC::ErrorInstance::finishCreation): * runtime/ErrorInstance.h: (JSC::ErrorInstance::create): * runtime/ErrorPrototype.cpp: (JSC::ErrorPrototype::finishCreation): * runtime/ExceptionFuzz.cpp: (JSC::doExceptionFuzzing): * runtime/ExceptionHelpers.cpp: (JSC::createError): (JSC::createInvalidFunctionApplyParameterError): (JSC::createInvalidInParameterError): (JSC::createInvalidInstanceofParameterError): (JSC::createNotAConstructorError): (JSC::createNotAFunctionError): (JSC::createNotAnObjectError): (JSC::throwOutOfMemoryError): (JSC::createStackOverflowError): Deleted. (JSC::createOutOfMemoryError): Deleted. * runtime/ExceptionHelpers.h: * runtime/JSArrayBufferConstructor.cpp: (JSC::constructArrayBuffer): * runtime/JSArrayBufferPrototype.cpp: (JSC::arrayBufferProtoFuncSlice): * runtime/JSGenericTypedArrayViewInlines.h: (JSC::JSGenericTypedArrayView::create): (JSC::JSGenericTypedArrayView::createUninitialized): * runtime/NativeErrorConstructor.cpp: (JSC::Interpreter::constructWithNativeErrorConstructor): (JSC::Interpreter::callNativeErrorConstructor): * runtime/VM.cpp: (JSC::VM::throwException): (JSC::appendSourceToError): Moved to Error.cpp (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted. (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted. (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted. (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted. * tests/stress/freeze_leek.js: Added. 2015-04-07 Joseph Pecoraro Web Inspector: ES6: Show Symbol properties on Objects https://bugs.webkit.org/show_bug.cgi?id=141279 Reviewed by Timothy Hatcher. * inspector/protocol/Runtime.json: Give PropertyDescriptor a reference to the Symbol RemoteObject if the property is a symbol property. * inspector/InjectedScriptSource.js: Enumerate symbol properties on objects. 2015-04-07 Filip Pizlo Make it possible to enable LLVM FastISel https://bugs.webkit.org/show_bug.cgi?id=143489 Reviewed by Michael Saboff. The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system if we should enable it. * ftl/FTLCompile.cpp: (JSC::FTL::mmAllocateDataSection): * llvm/InitializeLLVM.cpp: (JSC::initializeLLVMImpl): * llvm/InitializeLLVM.h: * llvm/InitializeLLVMLinux.cpp: (JSC::getLLVMInitializerFunction): (JSC::initializeLLVMImpl): Deleted. * llvm/InitializeLLVMMac.cpp: (JSC::getLLVMInitializerFunction): (JSC::initializeLLVMImpl): Deleted. * llvm/InitializeLLVMPOSIX.cpp: (JSC::getLLVMInitializerFunctionPOSIX): (JSC::initializeLLVMPOSIX): Deleted. * llvm/InitializeLLVMPOSIX.h: * llvm/InitializeLLVMWin.cpp: (JSC::getLLVMInitializerFunction): (JSC::initializeLLVMImpl): Deleted. * llvm/LLVMAPI.cpp: * llvm/LLVMAPI.h: * llvm/library/LLVMExports.cpp: (initCommandLine): (initializeAndGetJSCLLVMAPI): * runtime/Options.cpp: (JSC::Options::initialize): 2015-04-06 Yusuke Suzuki put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex https://bugs.webkit.org/show_bug.cgi?id=140426 Reviewed by Darin Adler. In the put_by_val_direct operation, we use JSObject::putDirect. However, it only accepts non-index property. For index property, we need to use JSObject::putDirectIndex. This patch checks toString-ed Identifier is index or not to choose putDirect / putDirectIndex. * dfg/DFGOperations.cpp: (JSC::DFG::putByVal): (JSC::DFG::operationPutByValInternal): * jit/JITOperations.cpp: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/Identifier.h: (JSC::isIndex): (JSC::parseIndex): * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added. (lookupWithKey): (toStringThrowsError.toString): 2015-04-06 Alberto Garcia [GTK] Fix HPPA build https://bugs.webkit.org/show_bug.cgi?id=143453 Reviewed by Darin Adler. Add HPPA to the list of supported CPUs. * CMakeLists.txt: 2015-04-06 Mark Lam In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well. Reviewed by Filip Pizlo. The DFG was neglecting to set the result boolean. The FTL was setting it with an inverted value. Both of these are now resolved. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty): * tests/stress/for-in-array-mode.js: Added. (.): (test): 2015-04-06 Yusuke Suzuki [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString https://bugs.webkit.org/show_bug.cgi?id=143424 Reviewed by Geoffrey Garen. In ES6, StringConstructor behavior becomes different from ToString abstract operations in the spec. (and JSValue::toString). ToString(symbol) throws a type error. However, String(symbol) produces SymbolDescriptiveString(symbol). So, in DFG and FTL phase, they should not inline StringConstructor to ToString. Now, in the template literals patch, ToString DFG operation is planned to be used. And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better. So intead of changing ToString behavior, this patch adds CallStringConstructor operation into DFG and FTL. In CallStringConstructor, all behavior in DFG analysis is the same. Only the difference from ToString is, when calling DFG operation functions, it calls operationCallStringConstructorOnCell and operationCallStringConstructor instead of operationToStringOnCell and operationToString. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor): (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): (JSC::DFG::FixupPhase::fixupToString): Deleted. * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell): (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted. * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStructureRegistrationPhase.cpp: (JSC::DFG::StructureRegistrationPhase::run): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor): (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted. * runtime/StringConstructor.cpp: (JSC::stringConstructor): (JSC::callStringConstructor): * runtime/StringConstructor.h: * tests/stress/symbol-and-string-constructor.js: Added. (performString): 2015-04-06 Yusuke Suzuki Return Optional from PropertyName::asIndex https://bugs.webkit.org/show_bug.cgi?id=143422 Reviewed by Darin Adler. PropertyName::asIndex returns uint32_t and use UINT_MAX as NotAnIndex. But it's not obvious to callers. This patch changes 1. PropertyName::asIndex() to return Optional and 2. function name `asIndex()` to `parseIndex()`. It forces callers to check the value is index or not explicitly. * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFor): * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFor): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitDirectPutById): * jit/Repatch.cpp: (JSC::emitPutTransitionStubAndGetOldStructure): * jsc.cpp: * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncSort): * runtime/GenericArgumentsInlines.h: (JSC::GenericArguments::getOwnPropertySlot): (JSC::GenericArguments::put): (JSC::GenericArguments::deleteProperty): (JSC::GenericArguments::defineOwnProperty): * runtime/Identifier.h: (JSC::parseIndex): (JSC::Identifier::isSymbol): * runtime/JSArray.cpp: (JSC::JSArray::defineOwnProperty): * runtime/JSCJSValue.cpp: (JSC::JSValue::putToPrimitive): * runtime/JSGenericTypedArrayViewInlines.h: (JSC::JSGenericTypedArrayView::getOwnPropertySlot): (JSC::JSGenericTypedArrayView::put): (JSC::JSGenericTypedArrayView::defineOwnProperty): (JSC::JSGenericTypedArrayView::deleteProperty): * runtime/JSObject.cpp: (JSC::JSObject::put): (JSC::JSObject::putDirectAccessor): (JSC::JSObject::putDirectCustomAccessor): (JSC::JSObject::deleteProperty): (JSC::JSObject::putDirectMayBeIndex): (JSC::JSObject::defineOwnProperty): * runtime/JSObject.h: (JSC::JSObject::getOwnPropertySlot): (JSC::JSObject::getPropertySlot): (JSC::JSObject::putDirectInternal): * runtime/JSString.cpp: (JSC::JSString::getStringPropertyDescriptor): * runtime/JSString.h: (JSC::JSString::getStringPropertySlot): * runtime/LiteralParser.cpp: (JSC::LiteralParser::parse): * runtime/PropertyName.h: (JSC::parseIndex): (JSC::toUInt32FromCharacters): Deleted. (JSC::toUInt32FromStringImpl): Deleted. (JSC::PropertyName::asIndex): Deleted. * runtime/PropertyNameArray.cpp: (JSC::PropertyNameArray::add): * runtime/StringObject.cpp: (JSC::StringObject::deleteProperty): * runtime/Structure.cpp: (JSC::Structure::prototypeChainMayInterceptStoreTo): 2015-04-05 Andreas Kling URI encoding/escaping should use efficient string building instead of calling snprintf(). Reviewed by Gavin Barraclough. I saw 0.5% of main thread time in snprintf() on which seemed pretty silly. This change gets that down to nothing in favor of using our existing JSStringBuilder and HexNumber.h facilities. These APIs are well-exercised by our existing test suite. * runtime/JSGlobalObjectFunctions.cpp: (JSC::encode): (JSC::globalFuncEscape): 2015-04-05 Masataka Yakura documentation for ES Promises points to the wrong one https://bugs.webkit.org/show_bug.cgi?id=143263 Reviewed by Darin Adler. * features.json: 2015-04-05 Simon Fraser Remove "go ahead and" from comments https://bugs.webkit.org/show_bug.cgi?id=143421 Reviewed by Darin Adler, Benjamin Poulain. Remove the phrase "go ahead and" from comments where it doesn't add anything (which is almost all of them). * interpreter/JSStack.cpp: (JSC::JSStack::growSlowCase): 2015-04-04 Andreas Kling Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely. Reviewed by Geoffrey Garen. Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone, we had a little problem where WeakBlocks with only null pointers would still keep their MarkedBlock alive. This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC, destroying them once they're fully dead. This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves a mysterious issue where doing two full garbage collections back-to-back would free additional memory in the second collection. Management of detached WeakBlocks is implemented as a Vector in Heap, along with an index of the next block in that vector that needs to be swept. The IncrementalSweeper then calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time. * heap/Heap.h: * heap/Heap.cpp: (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks owned by Heap, after everything else has been swept. (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks after a full garbage collection ends. Note that we don't do this after Eden collections, since they are unlikely to cause entire WeakBlocks to go empty. (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock to the Heap when it's detached from a WeakSet. (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all of the logically empty WeakBlocks owned by Heap. (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed and updates the next-logically-empty-weak-block-to-sweep index. (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there won't be another chance after this. * heap/IncrementalSweeper.h: (JSC::IncrementalSweeper::hasWork): Deleted. * heap/IncrementalSweeper.cpp: (JSC::IncrementalSweeper::fullSweep): (JSC::IncrementalSweeper::doSweep): (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is changed to return a bool (true if there's more work to be done.) * heap/WeakBlock.cpp: (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e doesn't contain any pointers to live objects. The answer is stored in a new SweepResult member. * heap/WeakBlock.h: (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine if the WeakBlock could be detached from the MarkedBlock. (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables when declaring them. 2015-04-04 Yusuke Suzuki Implement ES6 Object.getOwnPropertySymbols https://bugs.webkit.org/show_bug.cgi?id=141106 Reviewed by Geoffrey Garen. This patch implements `Object.getOwnPropertySymbols`. One technical issue is that, since we use private symbols (such as `@Object`) in the privileged JS code in `builtins/`, they should not be exposed. To distinguish them from the usual symbols, check the target `StringImpl*` is a not private name before adding it into PropertyNameArray. To check the target `StringImpl*` is a private name, we leverage privateToPublic map in `BuiltinNames` since all private symbols are held in this map. * builtins/BuiltinExecutables.cpp: (JSC::BuiltinExecutables::createExecutableInternal): * builtins/BuiltinNames.h: (JSC::BuiltinNames::isPrivateName): * runtime/CommonIdentifiers.cpp: (JSC::CommonIdentifiers::isPrivateName): * runtime/CommonIdentifiers.h: * runtime/EnumerationMode.h: (JSC::EnumerationMode::EnumerationMode): (JSC::EnumerationMode::includeSymbolProperties): * runtime/ExceptionHelpers.cpp: (JSC::createUndefinedVariableError): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSLexicalEnvironment.cpp: (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames): * runtime/JSSymbolTableObject.cpp: (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames): * runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::finishCreation): (JSC::objectConstructorGetOwnPropertySymbols): (JSC::defineProperties): (JSC::objectConstructorSeal): (JSC::objectConstructorFreeze): (JSC::objectConstructorIsSealed): (JSC::objectConstructorIsFrozen): * runtime/ObjectConstructor.h: (JSC::ObjectConstructor::create): * runtime/Structure.cpp: (JSC::Structure::getPropertyNamesFromStructure): * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added. (compare): * tests/stress/object-get-own-property-symbols.js: Added. (forIn): * tests/stress/symbol-define-property.js: Added. (testSymbol): * tests/stress/symbol-seal-and-freeze.js: Added. * tests/stress/symbol-with-json.js: Added. 2015-04-03 Mark Lam Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner. Reviewed by Geoffrey Garen. For debugging purposes, sometimes, we want to be able to make compilation happen sooner to see if we can accelerate the manifestation of certain events / bugs. Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds which make up the compilation policy. Let's add a single knob that can tune all the thresholds up / down in one go proportionately so that we can easily tweak how soon compilation occurs. * runtime/Options.cpp: (JSC::scaleJITPolicy): (JSC::recomputeDependentOptions): * runtime/Options.h: 2015-04-03 Geoffrey Garen is* API methods should be @properties https://bugs.webkit.org/show_bug.cgi?id=143388 Reviewed by Mark Lam. This appears to be the preferred idiom in WebKit, CA, AppKit, and Foundation. * API/JSValue.h: Be @properties. * API/tests/testapi.mm: (testObjectiveCAPI): Use the @properties. 2015-04-03 Mark Lam Some JSC Options refactoring and enhancements. Rubber stamped by Benjamin Poulain. Create a better encapsulated Option class to make working with options easier. This is a building block towards a JIT policy scaling debugging option I will introduce later. This work entails: 1. Convert Options::Option into a public class Option (who works closely with Options). 2. Convert Options::EntryType into an enum class Options::Type and make it public. 3. Renamed Options::OPT_