Changeset 190370 in webkit

Timestamp:

Sep 30, 2015 3:28:08 PM (9 years ago)

Author:

msaboff@apple.com

Message:

Source/JavaScriptCore:
Relanding r190289 with the following two fixes:

1. REGRESSION(r190289): It made Speedometer/Full.html performance test fail ​https://bugs.webkit.org/show_bug.cgi?id=149621

Reviewed by Saam Barati.

We need to restore callee saves for both the fast and slow paths before making a
tail call in the FTL.

• ftl/FTLJSCallBase.cpp: (JSC::FTL::JSCallBase::emit):

2. [ARM] REGRESSION(r190289): It made 374 tests crash on 32 bit ARM Linux ​https://bugs.webkit.org/show_bug.cgi?id=149619

Reviewed by Filip Pizlo.

Need to check for ARMv7_TRADITIONAL and ARMv7 in addition to ARM in "if"
statement to handle platforms with a link register.

• llint/LowLevelInterpreter.asm: (prepareForTailCall):

LayoutTests:
Relanding r190289 after fixes tracked in ​https://bugs.webkit.org/show_bug.cgi?id=149619
and ​https://bugs.webkit.org/show_bug.cgi?id=149621

Reviewed by Saam Barati.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/caller-property-expected.txt (modified) (1 diff)
• LayoutTests/js/script-tests/caller-property.js (modified) (2 diffs)
• Source/JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (modified) (2 diffs)
• Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters (modified) (2 diffs)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGTierUpCheckInjectionPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLCompile.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLInlineCacheSize.cpp (modified) (4 diffs)
• Source/JavaScriptCore/ftl/FTLInlineCacheSize.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLJSCall.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLJSCallBase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLJSCallBase.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLJSCallVarargs.cpp (modified) (5 diffs)
• Source/JavaScriptCore/ftl/FTLJSTailCall.cpp (added)
• Source/JavaScriptCore/ftl/FTLJSTailCall.h (added)
• Source/JavaScriptCore/ftl/FTLLocation.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (modified) (8 diffs)
• Source/JavaScriptCore/ftl/FTLState.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/AssemblyHelpers.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/CallFrameShuffleData.h (modified) (1 diff)
• Source/JavaScriptCore/jit/CallFrameShuffler.cpp (modified) (9 diffs)
• Source/JavaScriptCore/jit/CallFrameShuffler.h (modified) (8 diffs)
• Source/JavaScriptCore/jit/CallFrameShuffler64.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITCall.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/Reg.h (modified) (3 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)
• Source/JavaScriptCore/runtime/Options.h (modified) (1 diff)
• Source/JavaScriptCore/tests/es6.yaml (modified) (1 diff)
• Source/JavaScriptCore/tests/stress/dfg-tail-calls.js (added)
• Source/JavaScriptCore/tests/stress/mutual-tail-call-no-stack-overflow.js (added)
• Source/JavaScriptCore/tests/stress/tail-call-no-stack-overflow.js (added)
• Source/JavaScriptCore/tests/stress/tail-call-recognize.js (added)
• Source/JavaScriptCore/tests/stress/tail-call-varargs-no-stack-overflow.js (added)
• Source/JavaScriptCore/tests/stress/tail-calls-dont-overwrite-live-stack.js (added)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-09-30  Michael Saboff  <msaboff@apple.com>
+
+        Relanding r190289 after fixes tracked in https://bugs.webkit.org/show_bug.cgi?id=149619
+        and https://bugs.webkit.org/show_bug.cgi?id=149621
+
+        Reviewed by Saam Barati.
+
 2015-09-29  Simon Fraser  <simon.fraser@apple.com>
 

trunk/LayoutTests/js/caller-property-expected.txt

@@ -11 +11 @@
 PASS strictCaller(nonStrictCallee) threw exception TypeError: Function.caller used to retrieve strict caller.
 PASS strictCaller(strictCallee) threw exception TypeError: Type error.
+PASS strictTailCaller(nonStrictCallee) is null
+PASS strictTailCaller(strictCallee) threw exception TypeError: Type error.
 PASS nonStrictCaller(boundNonStrictCallee) is nonStrictCaller
 PASS nonStrictCaller(boundStrictCallee) threw exception TypeError: Type error.
 PASS strictCaller(boundNonStrictCallee) threw exception TypeError: Function.caller used to retrieve strict caller.
 PASS strictCaller(boundStrictCallee) threw exception TypeError: Type error.
+PASS strictTailCaller(boundNonStrictCallee) is null
+PASS strictTailCaller(boundStrictCallee) threw exception TypeError: Type error.
 PASS nonStrictGetter(nonStrictAccessor) is nonStrictGetter
 PASS nonStrictSetter(nonStrictAccessor) is true

trunk/LayoutTests/js/script-tests/caller-property.js

@@ -24 +24 @@
 function strictCallee() { "use strict"; return strictCallee.caller; }
 function nonStrictCaller(x) { return x(); }
-function strictCaller(x) { "use strict"; return x(); }
+// Tail calls leak and show our caller's caller, which is null here
+function strictCaller(x) { "use strict"; var result = x(); return result; }
+function strictTailCaller(x) { "use strict"; return x(); }
 shouldBe("nonStrictCaller(nonStrictCallee)", "nonStrictCaller");
 shouldThrow("nonStrictCaller(strictCallee)", '"TypeError: Type error"');
 shouldThrow("strictCaller(nonStrictCallee)", '"TypeError: Function.caller used to retrieve strict caller"');
 shouldThrow("strictCaller(strictCallee)", '"TypeError: Type error"');
+shouldBe("strictTailCaller(nonStrictCallee)", "null");
+shouldThrow("strictTailCaller(strictCallee)", '"TypeError: Type error"');
 
 // .caller within a bound function reaches the caller, ignoring the binding.
@@ -37 +41 @@
 shouldThrow("strictCaller(boundNonStrictCallee)", '"TypeError: Function.caller used to retrieve strict caller"');
 shouldThrow("strictCaller(boundStrictCallee)", '"TypeError: Type error"');
+shouldBe("strictTailCaller(boundNonStrictCallee)", "null");
+shouldThrow("strictTailCaller(boundStrictCallee)", '"TypeError: Type error"');
 
 // Check that .caller works (or throws) as expected, over an accessor call.

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -905 +905 @@
         ftl/FTLJSCallBase.cpp
         ftl/FTLJSCallVarargs.cpp
+        ftl/FTLJSTailCall.cpp
         ftl/FTLLink.cpp
         ftl/FTLLocation.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-09-30  Michael Saboff  <msaboff@apple.com>
+
+        Relanding r190289 with the following two fixes:
+
+         1. REGRESSION(r190289): It made Speedometer/Full.html performance test fail
+            https://bugs.webkit.org/show_bug.cgi?id=149621
+
+            Reviewed by Saam Barati.
+
+            We need to restore callee saves for both the fast and slow paths before making a
+            tail call in the FTL.
+
+            * ftl/FTLJSCallBase.cpp:
+            (JSC::FTL::JSCallBase::emit):
+
+         2. [ARM] REGRESSION(r190289): It made 374 tests crash on 32 bit ARM Linux
+            https://bugs.webkit.org/show_bug.cgi?id=149619
+
+            Reviewed by Filip Pizlo.
+
+            Need to check for ARMv7_TRADITIONAL and ARMv7 in addition to ARM in "if"
+            statement to handle platforms with a link register.
+            
+            * llint/LowLevelInterpreter.asm:
+            (prepareForTailCall):
+
 2015-09-30  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj

@@ -540 +540 @@
     <ClCompile Include="..\ftl\FTLJSCallBase.cpp" />
     <ClCompile Include="..\ftl\FTLJSCallVarargs.cpp" />
+    <ClCompile Include="..\ftl\FTLJSTailCall.cpp" />
     <ClCompile Include="..\ftl\FTLLink.cpp" />
     <ClCompile Include="..\ftl\FTLLocation.cpp" />
@@ -1301 +1302 @@
     <ClInclude Include="..\ftl\FTLJSCallBase.h" />
     <ClInclude Include="..\ftl\FTLJSCallVarargs.h" />
+    <ClInclude Include="..\ftl\FTLJSTailCall.h" />
     <ClInclude Include="..\ftl\FTLLink.h" />
     <ClInclude Include="..\ftl\FTLLocation.h" />

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters

@@ -1585 +1585 @@
       <Filter>ftl</Filter>
     </ClCompile>
+    <ClCompile Include="..\ftl\FTLJSTailCall.cpp">
+      <Filter>ftl</Filter>
+    </ClCompile>
     <ClCompile Include="..\ftl\FTLLink.cpp">
       <Filter>ftl</Filter>
@@ -4152 +4155 @@
     </ClInclude>
     <ClInclude Include="..\ftl\FTLJSCall.h">
+      <Filter>ftl</Filter>
+    </ClInclude>
+    <ClInclude Include="..\ftl\FTLJSTailCall.h">
       <Filter>ftl</Filter>
     </ClInclude>

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -981 +981 @@
                 627673231B680C1E00FD9F2E /* CallMode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 627673211B680C1E00FD9F2E /* CallMode.cpp */; };
                 627673241B680C1E00FD9F2E /* CallMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 627673221B680C1E00FD9F2E /* CallMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                62774DAA1B8D4B190006F05A /* FTLJSTailCall.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 62774DA81B8D4B190006F05A /* FTLJSTailCall.cpp */; };
+                62774DAB1B8D4B190006F05A /* FTLJSTailCall.h in Headers */ = {isa = PBXBuildFile; fileRef = 62774DA91B8D4B190006F05A /* FTLJSTailCall.h */; };
                 62D2D38F1ADF103F000206C1 /* FunctionRareData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 62D2D38D1ADF103F000206C1 /* FunctionRareData.cpp */; };
                 62D2D3901ADF103F000206C1 /* FunctionRareData.h in Headers */ = {isa = PBXBuildFile; fileRef = 62D2D38E1ADF103F000206C1 /* FunctionRareData.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -2805 +2807 @@
                 627673211B680C1E00FD9F2E /* CallMode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CallMode.cpp; sourceTree = "<group>"; };
                 627673221B680C1E00FD9F2E /* CallMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallMode.h; sourceTree = "<group>"; };
+                62774DA81B8D4B190006F05A /* FTLJSTailCall.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLJSTailCall.cpp; path = ftl/FTLJSTailCall.cpp; sourceTree = "<group>"; };
+                62774DA91B8D4B190006F05A /* FTLJSTailCall.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLJSTailCall.h; path = ftl/FTLJSTailCall.h; sourceTree = "<group>"; };
                 62A9A29E1B0BED4800BD54CA /* DFGLazyNode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGLazyNode.cpp; path = dfg/DFGLazyNode.cpp; sourceTree = "<group>"; };
                 62A9A29F1B0BED4800BD54CA /* DFGLazyNode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGLazyNode.h; path = dfg/DFGLazyNode.h; sourceTree = "<group>"; };
@@ -3983 +3987 @@
                                 0FD120311A8C85BD000F5280 /* FTLJSCallVarargs.cpp */,
                                 0FD120321A8C85BD000F5280 /* FTLJSCallVarargs.h */,
+                                62774DA81B8D4B190006F05A /* FTLJSTailCall.cpp */,
+                                62774DA91B8D4B190006F05A /* FTLJSTailCall.h */,
                                 0F8F2B93172E049E007DBDA5 /* FTLLink.cpp */,
                                 0F8F2B94172E049E007DBDA5 /* FTLLink.h */,
@@ -6331 +6337 @@
                                 0FD120301A8AED12000F5280 /* FTLJSCallBase.h in Headers */,
                                 0FD120341A8C85BD000F5280 /* FTLJSCallVarargs.h in Headers */,
+                                62774DAB1B8D4B190006F05A /* FTLJSTailCall.h in Headers */,
                                 0F8F2B96172E04A3007DBDA5 /* FTLLink.h in Headers */,
                                 0FCEFAE0180738C000472CE4 /* FTLLocation.h in Headers */,
@@ -7703 +7710 @@
                                 0FD1202F1A8AED12000F5280 /* FTLJSCallBase.cpp in Sources */,
                                 0FD120331A8C85BD000F5280 /* FTLJSCallVarargs.cpp in Sources */,
+                                62774DAA1B8D4B190006F05A /* FTLJSTailCall.cpp in Sources */,
                                 0F8F2B95172E04A0007DBDA5 /* FTLLink.cpp in Sources */,
                                 0FCEFADF180738C000472CE4 /* FTLLocation.cpp in Sources */,

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1883 +1883 @@
         m_exitOK = true;
         processSetLocalQueue(); // This only comes into play for intrinsics, since normal inlined code will leave an empty queue.
-        addToGraph(Jump);
+        if (Node* terminal = m_currentBlock->terminal())
+            ASSERT_UNUSED(terminal, terminal->op() == TailCall || terminal->op() == TailCallVarargs);
+        else {
+            addToGraph(Jump);
+            landingBlocks.append(m_currentBlock);
+        }
         if (verbose)
             dataLog("Marking ", RawPointer(m_currentBlock), " as linked (tail of poly inlinee)\n");
         m_currentBlock->didLink();
-        landingBlocks.append(m_currentBlock);
 
         if (verbose)
@@ -1920 +1924 @@
     m_exitOK = true; // Origin changed, so it's fine to exit again.
     processSetLocalQueue();
-    addToGraph(Jump);
-    landingBlocks.append(m_currentBlock);
+    if (Node* terminal = m_currentBlock->terminal())
+        ASSERT_UNUSED(terminal, terminal->op() == TailCall || terminal->op() == TailCallVarargs);
+    else {
+        addToGraph(Jump);
+        landingBlocks.append(m_currentBlock);
+    }
     
     RefPtr<BasicBlock> continuationBlock = adoptRef(
@@ -3665 +3673 @@
                 Node* terminal = m_currentBlock->terminal();
                 ASSERT_UNUSED(terminal, terminal->op() == TailCall || terminal->op() == TailCallVarargs);
-                LAST_OPCODE(op_ret);
+                LAST_OPCODE(op_jmp);
             }
             int relativeOffset = currentInstruction[1].u.operand;

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -1036 +1036 @@
     case ThrowReferenceError:
         write(SideState);
-        read(HeapObjectCount);
-        write(HeapObjectCount);
         return;
         

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -1117 +1117 @@
             return false;
         }
+    }
+
+    bool isFunctionTerminal()
+    {
+        if (isTerminal() && !numSuccessors())
+            return true;
+
+        return false;
     }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -772 +772 @@
             callee.use();
 
+            shuffleData.tagTypeNumber = GPRInfo::tagTypeNumberRegister;
             shuffleData.numLocals = m_jit.graph().frameRegisterCount();
             shuffleData.callee = ValueRecovery::inGPR(calleeGPR, DataFormatJS);
@@ -869 +870 @@
     }
 
-    callLinkInfo->setUpCall(callType, m_currentNode->origin.semantic,  calleeGPR);    
+    callLinkInfo->setUpCall(callType, m_currentNode->origin.semantic, calleeGPR);
     m_jit.addJSCall(fastCall, slowCall, targetToCheck, callLinkInfo);
 }

trunk/Source/JavaScriptCore/dfg/DFGTierUpCheckInjectionPhase.cpp

@@ -96 +96 @@
             
             NodeAndIndex terminal = block->findTerminal();
-            if (terminal.node->op() == Return) {
+            if (terminal.node->isFunctionTerminal()) {
                 insertionSet.insertNode(
                     terminal.index, SpecNone, CheckTierUpAtReturn, terminal.node->origin);

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -131 +131 @@
     case StoreBarrier:
     case Call:
+    case TailCall:
+    case TailCallInlinedCaller:
     case Construct:
     case CallVarargs:
+    case TailCallVarargs:
+    case TailCallVarargsInlinedCaller:
+    case ConstructVarargs:
     case CallForwardVarargs:
-    case ConstructVarargs:
+    case TailCallForwardVarargs:
+    case TailCallForwardVarargsInlinedCaller:
     case ConstructForwardVarargs:
     case LoadVarargs:

trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp

@@ -619 +619 @@
         });
     }
+
+    adjustCallICsForStackmaps(state.jsTailCalls, recordMap);
+
+    for (unsigned i = state.jsTailCalls.size(); i--;) {
+        JSTailCall& call = state.jsTailCalls[i];
+
+        CCallHelpers fastPathJIT(&vm, codeBlock);
+        call.emit(*state.jitCode.get(), fastPathJIT);
+
+        char* startOfIC = bitwise_cast<char*>(generatedFunction) + call.m_instructionOffset;
+        size_t sizeOfIC = call.estimatedSize();
+
+        generateInlineIfPossibleOutOfLineIfNot(state, vm, codeBlock, fastPathJIT, startOfIC, sizeOfIC, "tail call inline cache", [&] (LinkBuffer& linkBuffer, CCallHelpers&, bool) {
+            call.link(vm, linkBuffer);
+        });
+    }
     
     auto iter = recordMap.find(state.handleStackOverflowExceptionStackmapID);

trunk/Source/JavaScriptCore/ftl/FTLInlineCacheSize.cpp

@@ -83 +83 @@
 }
 
+size_t sizeOfTailCallVarargs()
+{
+#if CPU(ARM64)
+    return 188 + sizeOfCallVarargs();
+#else
+    return 151 + sizeOfCallVarargs();
+#endif
+}
+
 size_t sizeOfCallForwardVarargs()
 {
@@ -89 +98 @@
 #else
     return 262;
+#endif
+}
+
+size_t sizeOfTailCallForwardVarargs()
+{
+#if CPU(ARM64)
+    return 188 + sizeOfCallForwardVarargs();
+#else
+    return 151 + sizeOfCallForwardVarargs();
 #endif
 }
@@ -122 +140 @@
         return sizeOfCall();
     case CallVarargs:
+    case TailCallVarargsInlinedCaller:
         return sizeOfCallVarargs();
+    case TailCallVarargs:
+        return sizeOfTailCallVarargs();
     case CallForwardVarargs:
+    case TailCallForwardVarargsInlinedCaller:
         return sizeOfCallForwardVarargs();
+    case TailCallForwardVarargs:
+        return sizeOfTailCallForwardVarargs();
     case ConstructVarargs:
         return sizeOfConstructVarargs();
@@ -132 +156 @@
         return sizeOfIn();
     default:
-        return 0;
+        RELEASE_ASSERT_NOT_REACHED();
     }
 }

trunk/Source/JavaScriptCore/ftl/FTLInlineCacheSize.h

@@ -41 +41 @@
 size_t sizeOfCall();
 size_t sizeOfCallVarargs();
+size_t sizeOfTailCallVarargs();
 size_t sizeOfCallForwardVarargs();
+size_t sizeOfTailCallForwardVarargs();
 size_t sizeOfConstructVarargs();
 size_t sizeOfConstructForwardVarargs();

trunk/Source/JavaScriptCore/ftl/FTLJSCall.cpp

@@ -49 +49 @@
     , m_instructionOffset(0)
 {
-    ASSERT(node->op() == Call || node->op() == Construct);
+    ASSERT(node->op() == Call || node->op() == Construct || node->op() == TailCallInlinedCaller);
 }
 

trunk/Source/JavaScriptCore/ftl/FTLJSCallBase.cpp

@@ -53 +53 @@
     m_callLinkInfo = jit.codeBlock()->addCallLinkInfo();
     
+    if (CallLinkInfo::callModeFor(m_type) == CallMode::Tail)
+        jit.emitRestoreCalleeSaves();
+
     CCallHelpers::Jump slowPath = jit.branchPtrWithPatch(
         CCallHelpers::NotEqual, GPRInfo::regT0, m_targetToCheck,
         CCallHelpers::TrustedImmPtr(0));
-    
-    m_fastCall = jit.nearCall();
-    CCallHelpers::Jump done = jit.jump();
-    
+
+    CCallHelpers::Jump done;
+
+    if (CallLinkInfo::callModeFor(m_type) == CallMode::Tail) {
+        jit.prepareForTailCallSlow();
+        m_fastCall = jit.nearTailCall();
+    } else {
+        m_fastCall = jit.nearCall();
+        done = jit.jump();
+    }
+
     slowPath.link(&jit);
-    
+
     jit.move(CCallHelpers::TrustedImmPtr(m_callLinkInfo), GPRInfo::regT2);
     m_slowCall = jit.nearCall();
-    
-    done.link(&jit);
+
+    if (CallLinkInfo::callModeFor(m_type) == CallMode::Tail)
+        jit.abortWithReason(JITDidReturnFromTailCall);
+    else
+        done.link(&jit);
+
+    m_callLinkInfo->setUpCall(m_type, m_origin, GPRInfo::regT0);
 }
 
@@ -73 +88 @@
         m_slowCall, FunctionPtr(vm.getCTIStub(linkCallThunkGenerator).code().executableAddress()));
 
-    m_callLinkInfo->setUpCallFromFTL(m_type, m_origin, linkBuffer.locationOfNearCall(m_slowCall),
-        linkBuffer.locationOf(m_targetToCheck), linkBuffer.locationOfNearCall(m_fastCall),
-        GPRInfo::regT0);
+    m_callLinkInfo->setCallLocations(linkBuffer.locationOfNearCall(m_slowCall),
+        linkBuffer.locationOf(m_targetToCheck), linkBuffer.locationOfNearCall(m_fastCall));
 }
 

trunk/Source/JavaScriptCore/ftl/FTLJSCallBase.h

@@ -51 +51 @@
     void link(VM&, LinkBuffer&);
     
-private:
+protected:
     CallLinkInfo::CallType m_type;
     CodeOrigin m_origin;

trunk/Source/JavaScriptCore/ftl/FTLJSCallVarargs.cpp

@@ -52 +52 @@
     , m_callBase(
         (node->op() == ConstructVarargs || node->op() == ConstructForwardVarargs)
-        ? CallLinkInfo::ConstructVarargs : CallLinkInfo::CallVarargs,
+        ? CallLinkInfo::ConstructVarargs : (node->op() == TailCallVarargs || node->op() == TailCallForwardVarargs)
+        ? CallLinkInfo::TailCallVarargs : CallLinkInfo::CallVarargs,
         node->origin.semantic)
     , m_instructionOffset(0)
@@ -58 +59 @@
     ASSERT(
         node->op() == CallVarargs || node->op() == CallForwardVarargs
+        || node->op() == TailCallVarargsInlinedCaller || node->op() == TailCallForwardVarargsInlinedCaller
+        || node->op() == TailCallVarargs || node->op() == TailCallForwardVarargs
         || node->op() == ConstructVarargs || node->op() == ConstructForwardVarargs);
 }
@@ -84 +87 @@
     switch (m_node->op()) {
     case CallVarargs:
+    case TailCallVarargs:
+    case TailCallVarargsInlinedCaller:
     case ConstructVarargs:
         argumentsGPR = GPRInfo::argumentGPR1;
@@ -89 +94 @@
         break;
     case CallForwardVarargs:
+    case TailCallForwardVarargs:
+    case TailCallForwardVarargsInlinedCaller:
     case ConstructForwardVarargs:
         thisGPR = GPRInfo::argumentGPR1;
@@ -197 +204 @@
     // stack frame to already be set up, which it is.
     jit.store64(GPRInfo::regT0, CCallHelpers::calleeFrameSlot(JSStack::Callee));
-    
+
     m_callBase.emit(jit);
     

trunk/Source/JavaScriptCore/ftl/FTLLocation.h

@@ -121 +121 @@
     }
     
-    bool operator!() const { return kind() == Unprocessed && !u.variable.offset; }
+    explicit operator bool() const { return kind() != Unprocessed || u.variable.offset; }
+
+    bool operator!() const { return !static_cast<bool>(*this); }
     
     bool isHashTableDeletedValue() const { return kind() == Unprocessed && u.variable.offset; }

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -174 +174 @@
                 switch (node->op()) {
                 case CallVarargs:
+                case TailCallVarargs:
+                case TailCallVarargsInlinedCaller:
                 case CallForwardVarargs:
+                case TailCallForwardVarargs:
+                case TailCallForwardVarargsInlinedCaller:
                 case ConstructVarargs:
                 case ConstructForwardVarargs:
@@ -724 +728 @@
             break;
         case Call:
+        case TailCallInlinedCaller:
         case Construct:
             compileCallOrConstruct();
             break;
+        case TailCall:
+            compileTailCall();
+            break;
         case CallVarargs:
         case CallForwardVarargs:
+        case TailCallVarargs:
+        case TailCallVarargsInlinedCaller:
+        case TailCallForwardVarargs:
+        case TailCallForwardVarargsInlinedCaller:
         case ConstructVarargs:
         case ConstructForwardVarargs:
@@ -4401 +4413 @@
         setJSValue(call);
     }
+
+    void compileTailCall()
+    {
+        int numArgs = m_node->numChildren() - 1;
+        ExitArgumentList exitArguments;
+        exitArguments.reserveCapacity(numArgs + 6);
+
+        unsigned stackmapID = m_stackmapIDs++;
+        exitArguments.append(lowJSValue(m_graph.varArgChild(m_node, 0)));
+        exitArguments.append(m_tagTypeNumber);
+
+        Vector<ExitValue> callArguments(numArgs);
+
+        bool needsTagTypeNumber { false };
+        for (int i = 0; i < numArgs; ++i) {
+            callArguments[i] =
+                exitValueForTailCall(exitArguments, m_graph.varArgChild(m_node, 1 + i).node());
+            if (callArguments[i].dataFormat() == DataFormatInt32)
+                needsTagTypeNumber = true;
+        }
+
+        JSTailCall tailCall(stackmapID, m_node, WTF::move(callArguments));
+
+        exitArguments.insert(0, m_out.constInt32(needsTagTypeNumber ? 2 : 1));
+        exitArguments.insert(0, constNull(m_out.ref8));
+        exitArguments.insert(0, m_out.constInt32(tailCall.estimatedSize()));
+        exitArguments.insert(0, m_out.constInt64(stackmapID));
+
+        LValue call =
+            m_out.call(m_out.patchpointVoidIntrinsic(), exitArguments);
+        setInstructionCallingConvention(call, LLVMAnyRegCallConv);
+        m_out.unreachable();
+
+        m_ftlState.jsTailCalls.append(tailCall);
+    }
     
     void compileCallOrConstructVarargs()
@@ -4411 +4458 @@
         switch (m_node->op()) {
         case CallVarargs:
+        case TailCallVarargs:
+        case TailCallVarargsInlinedCaller:
         case ConstructVarargs:
             jsArguments = lowJSValue(m_node->child2());
             break;
         case CallForwardVarargs:
+        case TailCallForwardVarargs:
+        case TailCallForwardVarargsInlinedCaller:
         case ConstructForwardVarargs:
             break;
@@ -4441 +4492 @@
         
         m_ftlState.jsCallVarargses.append(JSCallVarargs(stackmapID, m_node));
-        
-        setJSValue(call);
+
+        switch (m_node->op()) {
+        case TailCallVarargs:
+        case TailCallForwardVarargs:
+            m_out.unreachable();
+            break;
+
+        default:
+            setJSValue(call);
+        }
     }
     
@@ -8257 +8316 @@
     void callPreflight()
     {
-        callPreflight(m_node->origin.semantic);
+        CodeOrigin codeOrigin = m_node->origin.semantic;
+
+        if (m_node->op() == TailCallInlinedCaller
+            || m_node->op() == TailCallVarargsInlinedCaller
+            || m_node->op() == TailCallForwardVarargsInlinedCaller)
+            codeOrigin =*codeOrigin.inlineCallFrame->getCallerSkippingDeadFrames();
+
+        callPreflight(codeOrigin);
     }
     
@@ -8528 +8594 @@
         return ExitValue::dead();
     }
-    
+
     ExitValue exitArgument(ExitArgumentList& arguments, DataFormat format, LValue value)
     {
@@ -8534 +8600 @@
         arguments.append(value);
         return result;
+    }
+
+    ExitValue exitValueForTailCall(ExitArgumentList& arguments, Node* node)
+    {
+        ASSERT(node->shouldGenerate());
+        ASSERT(node->hasResult());
+
+        switch (node->op()) {
+        case JSConstant:
+        case Int52Constant:
+        case DoubleConstant:
+            return ExitValue::constant(node->asJSValue());
+
+        default:
+            break;
+        }
+
+        LoweredNodeValue value = m_jsValueValues.get(node);
+        if (isValid(value))
+            return exitArgument(arguments, DataFormatJS, value.value());
+
+        value = m_int32Values.get(node);
+        if (isValid(value))
+            return exitArgument(arguments, DataFormatInt32, value.value());
+
+        value = m_booleanValues.get(node);
+        if (isValid(value)) {
+            LValue valueToPass = m_out.zeroExt(value.value(), m_out.int32);
+            return exitArgument(arguments, DataFormatBoolean, valueToPass);
+        }
+
+        // Doubles and Int52 have been converted by ValueRep()
+        DFG_CRASH(m_graph, m_node, toCString("Cannot find value for node: ", node).data());
     }
     

trunk/Source/JavaScriptCore/ftl/FTLState.h

@@ -38 +38 @@
 #include "FTLJSCall.h"
 #include "FTLJSCallVarargs.h"
+#include "FTLJSTailCall.h"
 #include "FTLStackMaps.h"
 #include "FTLState.h"
@@ -80 +81 @@
     Vector<JSCall> jsCalls;
     Vector<JSCallVarargs> jsCallVarargses;
+    Vector<JSTailCall> jsTailCalls;
     Vector<CString> codeSectionNames;
     Vector<CString> dataSectionNames;

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -339 +339 @@
     if (width == NormalJumpWidth)
         return result;
-    
+
     PatchableJump realJump = patchableJump();
     result.link(this);

trunk/Source/JavaScriptCore/jit/CallFrameShuffleData.h

@@ -40 +40 @@
 #if USE(JSVALUE64)
     RegisterMap<ValueRecovery> registers;
+    GPRReg tagTypeNumber { InvalidGPRReg };
 
     void setupCalleeSaveRegisters(CodeBlock*);

trunk/Source/JavaScriptCore/jit/CallFrameShuffler.cpp

@@ -72 +72 @@
             addNew(reg.fpr(), data.registers[reg]);
     }
+
+    m_tagTypeNumber = data.tagTypeNumber;
+    if (m_tagTypeNumber != InvalidGPRReg)
+        lockGPR(m_tagTypeNumber);
 #endif
 }
@@ -81 +85 @@
     static const char* dangerBoundsDelimiter = " XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
     static const char* emptySpace            = "                                   ";
-    ASSERT(m_alignedNewFrameSize <= numLocals());
     out.print("          ");
     out.print("           Old frame               ");
     out.print("           New frame               ");
     out.print("\n");
-    for (int i = 0; i < m_alignedOldFrameSize + numLocals() + 3; ++i) {
+    int totalSize = m_alignedOldFrameSize + std::max(numLocals(), m_alignedNewFrameSize) + 3;
+    for (int i = 0; i < totalSize; ++i) {
         VirtualRegister old { m_alignedOldFrameSize - i - 1 };
         VirtualRegister newReg { old + m_frameDelta };
@@ -205 +209 @@
     if (m_newFrameOffset)
         out.print("   New frame offset is ", m_newFrameOffset, "\n");
+#if USE(JSVALUE64)
+    if (m_tagTypeNumber != InvalidGPRReg)
+        out.print("   TagTypeNumber is currently in ", m_tagTypeNumber, "\n");
+#endif
 }
 
@@ -248 +256 @@
 
     VirtualRegister spillSlot { 0 };
-    for (VirtualRegister slot = firstOld(); slot <= lastOld(); slot -= 1) {
-        ASSERT(slot < newAsOld(firstNew()));
+    for (VirtualRegister slot = firstOld(); slot <= lastOld(); slot += 1) {
+        if (slot >= newAsOld(firstNew()))
+            break;
+
         if (getOld(slot))
             continue;
@@ -256 +266 @@
         break;
     }
-    // We must have enough slots to be able to fit the whole
-    // callee's frame for the slow path.
-    RELEASE_ASSERT(spillSlot.isLocal());
+    // We must have enough slots to be able to fit the whole callee's
+    // frame for the slow path - unless we are in the FTL. In that
+    // case, we are allowed to extend the frame *once*, since we are
+    // guaranteed to have enough available space for that.
+    if (spillSlot >= newAsOld(firstNew()) || !spillSlot.isLocal()) {
+        RELEASE_ASSERT(!m_didExtendFrame);
+        extendFrameIfNeeded();
+        spill(cachedRecovery);
+        return;
+    }
 
     if (verbose)
@@ -287 +304 @@
 }
 
+void CallFrameShuffler::extendFrameIfNeeded()
+{
+    ASSERT(!m_didExtendFrame);
+    ASSERT(!isUndecided());
+
+    VirtualRegister firstRead { firstOld() };
+    for (; firstRead <= virtualRegisterForLocal(0); firstRead += 1) {
+        if (getOld(firstRead))
+            break;
+    }
+    size_t availableSize = static_cast<size_t>(firstRead.offset() - firstOld().offset());
+    size_t wantedSize = m_newFrame.size() + m_newFrameOffset;
+
+    if (availableSize < wantedSize) {
+        size_t delta = WTF::roundUpToMultipleOf(stackAlignmentRegisters(), wantedSize - availableSize);
+        m_oldFrame.grow(m_oldFrame.size() + delta);
+        for (size_t i = 0; i < delta; ++i)
+            m_oldFrame[m_oldFrame.size() - i - 1] = nullptr;
+        m_jit.subPtr(MacroAssembler::TrustedImm32(delta * sizeof(Register)), MacroAssembler::stackPointerRegister);
+
+        if (isSlowPath())
+            m_frameDelta = numLocals() + JSStack::CallerFrameAndPCSize;
+        else
+            m_oldFrameOffset = numLocals();
+
+        if (verbose)
+            dataLogF("  Not enough space - extending the old frame %zu slot\n", delta);
+    }
+
+    m_didExtendFrame = true;
+}
+
 void CallFrameShuffler::prepareForSlowPath()
 {
@@ -297 +346 @@
 
     if (verbose)
-        dataLog("\n\nPreparing frame for slow path call:\n", *this);
+        dataLog("\n\nPreparing frame for slow path call:\n");
+
+    // When coming from the FTL, we need to extend the frame. In other
+    // cases, we may end up extending the frame if we previously
+    // spilled things (e.g. in polymorphic cache).
+    extendFrameIfNeeded();
+
+    if (verbose)
+        dataLog(*this);
 
     prepareAny();
@@ -647 +704 @@
     }
 
+#if USE(JSVALUE64)
+    if (m_tagTypeNumber != InvalidGPRReg && m_newRegisters[m_tagTypeNumber])
+        releaseGPR(m_tagTypeNumber);
+#endif
+
     // Handle 2) by loading all registers. We don't have to do any
     // writes, since they have been taken care of above.
@@ -660 +722 @@
         ASSERT(cachedRecovery->targets().isEmpty());
     }
+
+#if USE(JSVALUE64)
+    if (m_tagTypeNumber != InvalidGPRReg)
+        releaseGPR(m_tagTypeNumber);
+#endif
 
     // At this point, we have read everything we cared about from the

trunk/Source/JavaScriptCore/jit/CallFrameShuffler.h

@@ -72 +72 @@
         }
         m_lockedRegisters.clear(gpr);
+    }
+
+    void restoreGPR(GPRReg gpr)
+    {
+        if (!m_newRegisters[gpr])
+            return;
+
+        ensureGPR();
+#if USE(JSVALUE32_64)
+        GPRReg tempGPR { getFreeGPR() };
+        lockGPR(tempGPR);
+        ensureGPR();
+        releaseGPR(tempGPR);
+#endif
+        emitDisplace(*m_newRegisters[gpr]);
     }
 
@@ -310 +325 @@
     }
 
+    bool m_didExtendFrame { false };
+
+    void extendFrameIfNeeded();
+
     // This stores, for each slot in the new frame, information about
     // the recovery for the value that should eventually go into that
@@ -386 +405 @@
     // ensure that we have at least 2 available registers for loading
     // a pair on 32bits.
-    RegisterSet m_lockedRegisters;
+    mutable RegisterSet m_lockedRegisters;
 
     // This stores the current recoveries present in registers. A null
@@ -392 +411 @@
     // care about it. 
     RegisterMap<CachedRecovery*> m_registers;
+
+#if USE(JSVALUE64)
+    mutable GPRReg m_tagTypeNumber;
+
+    bool tryAcquireTagTypeNumber();
+#endif
 
     // This stores, for each register, information about the recovery
@@ -422 +447 @@
             }
         }
+
+#if USE(JSVALUE64)
+        if (!nonTemp && m_tagTypeNumber != InvalidGPRReg && check(Reg { m_tagTypeNumber })) {
+            ASSERT(m_lockedRegisters.get(m_tagTypeNumber));
+            m_lockedRegisters.clear(m_tagTypeNumber);
+            nonTemp = Reg { m_tagTypeNumber };
+            m_tagTypeNumber = InvalidGPRReg;
+        }
+#endif
         return nonTemp;
+    }
+
+    GPRReg getFreeTempGPR() const
+    {
+        Reg freeTempGPR { getFreeRegister([this] (Reg reg) { return reg.isGPR() && !m_newRegisters[reg]; }) };
+        if (!freeTempGPR)
+            return InvalidGPRReg;
+        return freeTempGPR.gpr();
     }
 
@@ -520 +562 @@
     }
 
+    void ensureTempGPR()
+    {
+        if (getFreeTempGPR() != InvalidGPRReg)
+            return;
+
+        if (verbose)
+            dataLog("  Finding a temp GPR to spill\n");
+        ensureRegister(
+            [this] (const CachedRecovery& cachedRecovery) {
+                if (cachedRecovery.recovery().isInGPR()) {
+                    return !m_lockedRegisters.get(cachedRecovery.recovery().gpr()) 
+                        && !m_newRegisters[cachedRecovery.recovery().gpr()];
+                }
+#if USE(JSVALUE32_64)
+                if (cachedRecovery.recovery().technique() == InPair) {
+                    return !m_lockedRegisters.get(cachedRecovery.recovery().tagGPR())
+                        && !m_lockedRegisters.get(cachedRecovery.recovery().payloadGPR())
+                        && !m_newRegisters[cachedRecovery.recovery().tagGPR()]
+                        && !m_newRegisters[cachedRecovery.recovery().payloadGPR()];
+                }
+#endif
+                return false;
+            });
+    }
+
     void ensureGPR()
     {
@@ -574 +641 @@
         ASSERT(jsValueRegs && !getNew(jsValueRegs));
         CachedRecovery* cachedRecovery = addCachedRecovery(recovery);
-        ASSERT(!cachedRecovery->wantedJSValueRegs());
-        cachedRecovery->setWantedJSValueRegs(jsValueRegs);
 #if USE(JSVALUE64)
+        if (cachedRecovery->wantedJSValueRegs())
+            m_newRegisters[cachedRecovery->wantedJSValueRegs().gpr()] = nullptr;
         m_newRegisters[jsValueRegs.gpr()] = cachedRecovery;
 #else
+        if (JSValueRegs oldRegs { cachedRecovery->wantedJSValueRegs() }) {
+            if (oldRegs.payloadGPR())
+                m_newRegisters[oldRegs.payloadGPR()] = nullptr;
+            if (oldRegs.tagGPR())
+                m_newRegisters[oldRegs.tagGPR()] = nullptr;
+        }
         if (jsValueRegs.payloadGPR() != InvalidGPRReg)
             m_newRegisters[jsValueRegs.payloadGPR()] = cachedRecovery;
@@ -584 +657 @@
             m_newRegisters[jsValueRegs.tagGPR()] = cachedRecovery;
 #endif
+        ASSERT(!cachedRecovery->wantedJSValueRegs());
+        cachedRecovery->setWantedJSValueRegs(jsValueRegs);
     }
 

trunk/Source/JavaScriptCore/jit/CallFrameShuffler64.cpp

@@ -88 +88 @@
                 cachedRecovery.recovery().gpr(),
                 cachedRecovery.recovery().gpr());
-            // We have to do this the hard way.
-            m_jit.or64(MacroAssembler::TrustedImm64(TagTypeNumber),
-                cachedRecovery.recovery().gpr());
+            m_lockedRegisters.set(cachedRecovery.recovery().gpr());
+            if (tryAcquireTagTypeNumber())
+                m_jit.or64(m_tagTypeNumber, cachedRecovery.recovery().gpr());
+            else {
+                // We have to do this the hard way
+                m_jit.or64(MacroAssembler::TrustedImm64(TagTypeNumber),
+                    cachedRecovery.recovery().gpr());
+            }
+            m_lockedRegisters.clear(cachedRecovery.recovery().gpr());
             cachedRecovery.setRecovery(
                 ValueRecovery::inGPR(cachedRecovery.recovery().gpr(), DataFormatJS));
@@ -142 +148 @@
             m_jit.purifyNaN(cachedRecovery.recovery().fpr());
             m_jit.moveDoubleTo64(cachedRecovery.recovery().fpr(), resultGPR);
-            m_jit.sub64(MacroAssembler::TrustedImm64(TagTypeNumber), resultGPR);
+            m_lockedRegisters.set(resultGPR);
+            if (tryAcquireTagTypeNumber())
+                m_jit.sub64(m_tagTypeNumber, resultGPR);
+            else
+                m_jit.sub64(MacroAssembler::TrustedImm64(TagTypeNumber), resultGPR);
+            m_lockedRegisters.clear(resultGPR);
             updateRecovery(cachedRecovery, ValueRecovery::inGPR(resultGPR, DataFormatJS));
             if (verbose)
@@ -338 +349 @@
     ASSERT(m_registers[wantedReg] == &cachedRecovery);
 }
+    
+bool CallFrameShuffler::tryAcquireTagTypeNumber()
+{
+    if (m_tagTypeNumber != InvalidGPRReg)
+        return true;
+
+    m_tagTypeNumber = getFreeGPR();
+
+    if (m_tagTypeNumber == InvalidGPRReg)
+        return false;
+
+    m_lockedRegisters.set(m_tagTypeNumber);
+    m_jit.move(MacroAssembler::TrustedImm64(TagTypeNumber), m_tagTypeNumber);
+    return true;
+}
 
 } // namespace JSC

trunk/Source/JavaScriptCore/jit/JITCall.cpp

@@ -194 +194 @@
     if (opcodeID == op_tail_call) {
         CallFrameShuffleData shuffleData;
+        shuffleData.tagTypeNumber = GPRInfo::tagTypeNumberRegister;
         shuffleData.numLocals =
             instruction[4].u.operand - sizeof(CallerFrameAndPC) / sizeof(Register);

trunk/Source/JavaScriptCore/jit/Reg.h

@@ -56 +56 @@
     {
     }
+
+    Reg(WTF::HashTableDeletedValueType)
+        : m_index(deleted())
+    {
+    }
     
     Reg(MacroAssembler::RegisterID reg)
@@ -103 +108 @@
     bool operator!() const { return !isSet(); }
     explicit operator bool() const { return isSet(); }
+
+    bool isHashTableDeletedValue() const { return m_index == deleted(); }
     
     bool isGPR() const
@@ -166 +173 @@
 private:
     static uint8_t invalid() { return 0xff; }
+
+    static uint8_t deleted() { return 0xfe; }
     
     uint8_t m_index;
 };
 
+struct RegHash {
+    static unsigned hash(const Reg& key) { return key.hash(); }
+    static bool equal(const Reg& a, const Reg& b) { return a == b; }
+    static const bool safeToCompareToEmptyOrDeleted = true;
+};
+
 } // namespace JSC
 
+namespace WTF {
+
+template<typename T> struct DefaultHash;
+template<> struct DefaultHash<JSC::Reg> {
+    typedef JSC::RegHash Hash;
+};
+
+template<typename T> struct HashTraits;
+template<> struct HashTraits<JSC::Reg> : SimpleClassHashTraits<JSC::Reg> {
+    static const bool emptyValueIsZero = false;
+ };
+
+} // namespace WTF
+
 #endif // ENABLE(JIT)
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -754 +754 @@
     andi ~StackAlignmentMask, temp2
 
-    if ARM or SH4 or ARM64 or C_LOOP or MIPS
+    if ARM or ARMv7_TRADITIONAL or ARMv7 or SH4 or ARM64 or C_LOOP or MIPS
         addp 2 * PtrSize, sp
         subi 2 * PtrSize, temp2

trunk/Source/JavaScriptCore/runtime/Options.h

@@ -129 +129 @@
     \
     v(bool, enableFunctionDotArguments, true, nullptr) \
-    v(bool, enableTailCalls, false, nullptr) \
+    v(bool, enableTailCalls, true, nullptr) \
     \
     /* showDisassembly implies showDFGDisassembly. */ \

trunk/Source/JavaScriptCore/tests/es6.yaml

@@ -878 +878 @@
   cmd: runES6 :fail
 - path: es6/proper_tail_calls_tail_call_optimisation_direct_recursion.js
-  cmd: runES6 :fail
+  cmd: runES6 :normal
 - path: es6/proper_tail_calls_tail_call_optimisation_mutual_recursion.js
-  cmd: runES6 :fail
+  cmd: runES6 :normal
 - path: es6/prototype_of_bound_functions_arrow_functions.js
   cmd: runES6 :fail