WebAssembly: clear out insignificant i32 bits when calling JavaScript
Source/JavaScriptCore/ChangeLog (WebKit-https.git)
2017-02-22  JF Bastien  <jfbastien@apple.com>

        WebAssembly: clear out insignificant i32 bits when calling JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=166677

        Reviewed by Keith Miller.

        When WebAssembly calls JavaScript it needs to clear out the
        insignificant bits of int32 values:

          +------------------- tag
          |  +---------------- insignificant
          |  |   +------------ 32-bit integer value
          |  |   |
          |--|---|-------|
        0xffff0000ffffffff

        At least some JavaScript code assumes that these bits are all
        zero. In the wasm-to-wasm.js example we store a 64-bit value in an
        object with lo / hi fields, each containing 32-bit integers. We
        then load these back, and the baseline compiler fails its
        comparison because it first checks the values are the same type
        (yes, because the int32 tag is set in both), and then whether they
        have the same value (no, because comparing the two registers
        fails). We could argue that the baseline compiler is wrong for
        performing a 64-bit comparison, but it doesn't really matter
        because there's not much of a point in breaking that invariant for
        WebAssembly's sake.

        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
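As an added illustration (not JSC's code and not part of the entry above), the following C program models the int32 encoding from the diagram: it assumes the 0xffff tag in the top 16 bits shown there, constructs a register whose bits 32..47 still hold stale data, and shows why a baseline-style comparison passes the tag check yet fails the 64-bit compare until the boundary masks the value.

```c
/* Added illustration (not JSC's code) of the invariant described in the
 * entry above. An int32 JSValue is the 0xffff tag in the top 16 bits,
 * 16 bits that must be zero, then the 32-bit payload. If the wasm->JS
 * boundary ORs the tag onto a whole 64-bit register whose upper half still
 * holds stale bits, the tag check still passes but a 64-bit equality
 * comparison of two "equal" int32s fails. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define INT32_TAG     UINT64_C(0xffff000000000000) /* tag pattern from the diagram */
#define TAG_MASK      UINT64_C(0xffff000000000000)
#define INSIGNIFICANT UINT64_C(0x0000ffff00000000) /* bits 32..47 */
#define PAYLOAD_MASK  UINT64_C(0x00000000ffffffff)

/* Correct boxing: zero-extend the 32-bit value, then add the tag. */
static uint64_t box_int32(int32_t v) {
    return INT32_TAG | (uint64_t)(uint32_t)v;
}

/* Pre-fix boundary behaviour: the tag is ORed onto the full register, so
 * whatever sits in bits 32..47 of the register leaks into the box. */
static uint64_t box_from_register_unmasked(uint64_t reg) {
    return INT32_TAG | reg;
}

/* The fix: clear the insignificant bits before tagging. */
static uint64_t box_from_register_masked(uint64_t reg) {
    return INT32_TAG | (reg & PAYLOAD_MASK);
}

static bool is_int32(uint64_t boxed) {
    return (boxed & TAG_MASK) == INT32_TAG;
}

static int32_t unbox_int32(uint64_t boxed) {
    return (int32_t)(uint32_t)(boxed & PAYLOAD_MASK);
}

/* Mirrors the baseline-compiler comparison the entry describes: same
 * type first, then the two 64-bit registers compared as a whole. */
static bool baseline_strict_equal(uint64_t a, uint64_t b) {
    if (!is_int32(a) || !is_int32(b))
        return false;
    return a == b;
}

/* Invariant check worth asserting at the boundary: a value that claims to
 * be an int32 must have its insignificant bits clear. */
static bool int32_box_is_canonical(uint64_t boxed) {
    return is_int32(boxed) && (boxed & INSIGNIFICANT) == 0;
}

/* Constructed sample register (hypothetical, not a real register dump):
 * the i32 value 7 in the low half, stale 0xdead in bits 32..47. */
static uint64_t sample_register(void) {
    return (UINT64_C(0xdead) << 32) | UINT64_C(7);
}

int main(void) {
    uint64_t js_side = box_int32(7);
    uint64_t unmasked = box_from_register_unmasked(sample_register());
    uint64_t masked = box_from_register_masked(sample_register());

    printf("JS-boxed 7:         0x%016llx\n", (unsigned long long)js_side);
    printf("unmasked from wasm: 0x%016llx  is_int32=%d  unbox=%d  equal=%d  canonical=%d\n",
           (unsigned long long)unmasked, is_int32(unmasked), unbox_int32(unmasked),
           baseline_strict_equal(js_side, unmasked), int32_box_is_canonical(unmasked));
    printf("masked from wasm:   0x%016llx  equal=%d  canonical=%d\n",
           (unsigned long long)masked, baseline_strict_equal(js_side, masked),
           int32_box_is_canonical(masked));
    return 0;
}
```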

2017-02-22  Keith Miller  <keith_miller@apple.com>

        Remove the demand executable allocator
        https://bugs.webkit.org/show_bug.cgi?id=168754

        Reviewed by Saam Barati.

        We currently only use the demand executable allocator for non-iOS 32-bit platforms.
        Benchmark results on a MBP indicate there is no appreciable performance difference
        between the fixed and demand allocators. In a future patch I will go back through
        this code and remove more of the abstractions.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
        (JSC::ExecutableAllocator::isValid):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        (JSC::ExecutableAllocator::getLock):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
        (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
        (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
        (JSC::DemandExecutableAllocator::allocators): Deleted.
        (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp: Removed.
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::canPerformRangeFilter):
        (JSC::JITStubRoutine::filteringStartAddress):
        (JSC::JITStubRoutine::filteringExtentSize):

2017-02-22  Saam Barati  <sbarati@apple.com>

        Add biased coloring to Briggs and IRC
        https://bugs.webkit.org/show_bug.cgi?id=168611

        Reviewed by Filip Pizlo.

        This patch implements biased coloring as proposed by Briggs. See section
        5.3.3 of his thesis for more information: http://www.cs.utexas.edu/users/mckinley/380C/lecs/briggs-thesis-1992.pdf

        The main idea of biased coloring is this:
        We try to coalesce a move between u and v, but the conservative heuristic
        fails. We don't want to coalesce the move because we don't want to risk
        creating an uncolorable graph. However, if the conservative heuristic fails,
        it's not proof that the graph is uncolorable if the move were indeed coalesced.
        So, when we go to color the tmps, we'll remember that we really want the
        same register for u and v, and if legal during coloring, we will
        assign them to the same register.

        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
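Added example (not Air's implementation, and not part of the entry above) of the biased-coloring rule just described, run on a constructed four-node interference graph; the coloring order, the colour count `k` and the move-hint pair are assumptions made for the demonstration.

```c
/* Added example (not Air's code): biased coloring on a tiny interference
 * graph. Nodes stand for tmps, edges for interferences, and a "move hint"
 * records a pair (u, v) whose move the conservative coalescing test declined.
 * When u is coloured and its partner v already has a colour that none of
 * u's neighbours use, u takes v's colour; otherwise the first free colour
 * wins. Because only free colours are ever chosen, the bias can never turn
 * a colourable graph into an uncolourable one. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_NODES 16
#define NO_COLOR  (-1)

typedef struct {
    int node_count;
    uint32_t adj[MAX_NODES];     /* bit v of adj[u] set => u and v interfere */
    int move_partner[MAX_NODES]; /* biased-coloring hint, or NO_COLOR */
    int color[MAX_NODES];
} Graph;

static void graph_init(Graph* g, int n) {
    g->node_count = n;
    for (int i = 0; i < MAX_NODES; i++) {
        g->adj[i] = 0;
        g->move_partner[i] = NO_COLOR;
        g->color[i] = NO_COLOR;
    }
}

static void add_interference(Graph* g, int u, int v) {
    g->adj[u] |= UINT32_C(1) << v;
    g->adj[v] |= UINT32_C(1) << u;
}

static void add_move_hint(Graph* g, int u, int v) {
    g->move_partner[u] = v;
    g->move_partner[v] = u;
}

/* True if no already-coloured neighbour of u holds colour c. */
static bool color_is_free(const Graph* g, int u, int c) {
    for (int v = 0; v < g->node_count; v++)
        if (((g->adj[u] >> v) & 1u) && g->color[v] == c)
            return false;
    return true;
}

/* Colour the nodes in `order` (the select phase) with k colours.
 * Returns the number of move hints that ended up sharing a colour,
 * or -1 if some node found no free colour. */
static int color_graph(Graph* g, const int* order, int k, bool biased) {
    for (int i = 0; i < g->node_count; i++) {
        int u = order[i];
        int chosen = NO_COLOR;
        int partner = g->move_partner[u];
        /* Biased step: prefer the partner's colour when it is legal. */
        if (biased && partner != NO_COLOR && g->color[partner] != NO_COLOR
            && color_is_free(g, u, g->color[partner]))
            chosen = g->color[partner];
        /* Otherwise (or when unbiased) take the first free colour. */
        for (int c = 0; chosen == NO_COLOR && c < k; c++)
            if (color_is_free(g, u, c))
                chosen = c;
        if (chosen == NO_COLOR)
            return -1;
        g->color[u] = chosen;
    }
    int honoured = 0;
    for (int u = 0; u < g->node_count; u++) {
        int v = g->move_partner[u];
        if (v > u && g->color[u] == g->color[v])
            honoured++;
    }
    return honoured;
}

/* Constructed sample: tmps 0,1,2 form a triangle (needs 3 colours); tmp 3
 * interferes with nothing but has a move to tmp 2 that was not coalesced. */
static int run_sample(bool biased) {
    Graph g;
    graph_init(&g, 4);
    add_interference(&g, 0, 1);
    add_interference(&g, 0, 2);
    add_interference(&g, 1, 2);
    add_move_hint(&g, 3, 2);
    static const int order[] = { 0, 1, 2, 3 };
    return color_graph(&g, order, 3, biased);
}

int main(void) {
    /* First-fit gives tmp 3 colour 0; the biased pass gives it tmp 2's colour. */
    printf("unbiased: %d move hints honoured\n", run_sample(false));
    printf("biased:   %d move hints honoured\n", run_sample(true));
    return 0;
}
```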
99
100 2017-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
101
102         JSModuleNamespace object should have IC
103         https://bugs.webkit.org/show_bug.cgi?id=160590
104
105         Reviewed by Saam Barati.
106
107         This patch optimizes accesses to module namespace objects.
108
109         1. Cache the resolutions for module namespace objects.
110
111             When constructing the module namespace object, we already resolves all the exports.
112             The module namespace object caches this result and leverage it in the later access in
113             getOwnPropertySlot. This avoids resolving bindings through resolveExport.
114
115         2. Introduce ModuleNamespaceLoad IC.
116
117             This patch adds new IC for module namespace objects. The mechanism is simple, getOwnPropertySlot
118             tells us about module namespace object resolution. The IC first checks whether the given object
119             is an expected module namespace object. If this check succeeds, we load the value from the module
120             environment.
121
122         3. Introduce DFG/FTL optimization.
123
124             After exploiting module namespace object accesses in (2), DFG can recognize this in ByteCodeParser.
125             DFG will convert it to CheckCell with the namespace object and GetClosureVar from the cached environment.
126             At that time, we have a chance to fold it to the constant.
127
128         This optimization improves the performance of accessing to module namespace objects.
129
130         Before
131             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-namespace.js
132             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.43s user 0.03s system 101% cpu 0.451 total
133             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-binding.js
134             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.08s user 0.02s system 103% cpu 0.104 total
135
136         After
137             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-namespace.js
138             ../../WebKitBuild/module-ic/Release/bin/jsc -m   0.11s user 0.01s system 106% cpu 0.109 total
139             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.js
140             ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.j  0.08s user 0.02s system 102% cpu 0.105 total
141
142         * CMakeLists.txt:
143         * JavaScriptCore.xcodeproj/project.pbxproj:
144         * bytecode/AccessCase.cpp:
145         (JSC::AccessCase::create):
146         (JSC::AccessCase::guardedByStructureCheck):
147         (JSC::AccessCase::canReplace):
148         (JSC::AccessCase::visitWeak):
149         (JSC::AccessCase::generateWithGuard):
150         (JSC::AccessCase::generateImpl):
151         * bytecode/AccessCase.h:
152         * bytecode/GetByIdStatus.cpp:
153         (JSC::GetByIdStatus::GetByIdStatus):
154         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
155         (JSC::GetByIdStatus::makesCalls):
156         (JSC::GetByIdStatus::dump):
157         * bytecode/GetByIdStatus.h:
158         (JSC::GetByIdStatus::isModuleNamespace):
159         (JSC::GetByIdStatus::takesSlowPath):
160         (JSC::GetByIdStatus::moduleNamespaceObject):
161         (JSC::GetByIdStatus::moduleEnvironment):
162         (JSC::GetByIdStatus::scopeOffset):
163         * bytecode/ModuleNamespaceAccessCase.cpp: Added.
164         (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
165         (JSC::ModuleNamespaceAccessCase::create):
166         (JSC::ModuleNamespaceAccessCase::~ModuleNamespaceAccessCase):
167         (JSC::ModuleNamespaceAccessCase::clone):
168         (JSC::ModuleNamespaceAccessCase::emit):
169         * bytecode/ModuleNamespaceAccessCase.h: Added.
170         (JSC::ModuleNamespaceAccessCase::moduleNamespaceObject):
171         (JSC::ModuleNamespaceAccessCase::moduleEnvironment):
172         (JSC::ModuleNamespaceAccessCase::scopeOffset):
173         * bytecode/PolymorphicAccess.cpp:
174         (WTF::printInternal):
175         * dfg/DFGByteCodeParser.cpp:
176         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
177         (JSC::DFG::ByteCodeParser::handleGetById):
178         * jit/AssemblyHelpers.h:
179         (JSC::AssemblyHelpers::loadValue):
180         * jit/Repatch.cpp:
181         (JSC::tryCacheGetByID):
182         * runtime/AbstractModuleRecord.cpp:
183         (JSC::AbstractModuleRecord::getModuleNamespace):
184         * runtime/JSModuleNamespaceObject.cpp:
185         (JSC::JSModuleNamespaceObject::finishCreation):
186         (JSC::JSModuleNamespaceObject::visitChildren):
187         (JSC::getValue):
188         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
189         (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
190         * runtime/JSModuleNamespaceObject.h:
191         (JSC::isJSModuleNamespaceObject):
192         (JSC::JSModuleNamespaceObject::create): Deleted.
193         (JSC::JSModuleNamespaceObject::createStructure): Deleted.
194         (JSC::JSModuleNamespaceObject::moduleRecord): Deleted.
195         * runtime/JSModuleRecord.h:
196         (JSC::JSModuleRecord::moduleEnvironment): Deleted.
197         * runtime/PropertySlot.h:
198         (JSC::PropertySlot::PropertySlot):
199         (JSC::PropertySlot::domJIT):
200         (JSC::PropertySlot::moduleNamespaceSlot):
201         (JSC::PropertySlot::setValueModuleNamespace):
202         (JSC::PropertySlot::setCacheableCustom):
203
204 2017-02-22  Saam Barati  <sbarati@apple.com>
205
206         Unreviewed. Rename AirGraphColoring.* files to AirAllocateRegistersByGraphColoring.* to be more consistent with the rest of the Air file names.
207
208         * CMakeLists.txt:
209         * JavaScriptCore.xcodeproj/project.pbxproj:
210         * b3/air/AirAllocateRegistersByGraphColoring.cpp: Copied from Source/JavaScriptCore/b3/air/AirGraphColoring.cpp.
211         * b3/air/AirAllocateRegistersByGraphColoring.h: Copied from Source/JavaScriptCore/b3/air/AirGraphColoring.h.
212         * b3/air/AirGenerate.cpp:
213         * b3/air/AirGraphColoring.cpp: Removed.
214         * b3/air/AirGraphColoring.h: Removed.
215
216 2017-02-21  Youenn Fablet  <youenn@apple.com>
217
218         [WebRTC][Mac] Activate libwebrtc
219         https://bugs.webkit.org/show_bug.cgi?id=167293
220         <rdar://problem/30401864>
221
222         Reviewed by Alex Christensen.
223
224         * Configurations/FeatureDefines.xcconfig:
225
226 2017-02-21  Saam Barati  <sbarati@apple.com>
227
228         Add the Briggs optimistic allocator to run on ARM64
229         https://bugs.webkit.org/show_bug.cgi?id=168454
230
231         Reviewed by Filip Pizlo.
232
233         This patch adds the Briggs allocator to Air:
234         http://www.cs.utexas.edu/users/mckinley/380C/lecs/briggs-thesis-1992.pdf
235         It uses it by default on ARM64. I was measuring an 8-10% speedup
236         in the phase because of this. I also wasn't able to detect a slowdown 
237         for generated code on ARM64. There are still a few things we can do
238         to speed things up even further. Moving the interference graph into
239         a BitVector was another 10-20% speedup. We should consider doing this
240         in a follow up patch. This is especially important now, since making
241         register allocation faster has a direct impact on startup time for
242         Wasm modules.
243         
244         I abstracted away the common bits between Briggs and IRC, and moved
245         them into a common super class. In a follow up to this patch, I plan
246         on implementing biased coloring for both Briggs and IRC (this is
247         described in Briggs's thesis). I was able to detect a 1% slowdown
248         with Briggs on Octane for x86-64. This is because the register file
249         for x86-64 is smaller than ARM64. When I implemented biased coloring,
250         I was no longer able to detect this slowdown. I still think it's a
251         sensible plan to run Briggs on ARM64 and IRC on x86-64.
252
253         * CMakeLists.txt:
254         * JavaScriptCore.xcodeproj/project.pbxproj:
255         * b3/air/AirGenerate.cpp:
256         (JSC::B3::Air::prepareForGeneration):
257         * b3/air/AirGraphColoring.cpp: Copied from Source/JavaScriptCore/b3/air/AirIteratedRegisterCoalescing.cpp.
258         (JSC::B3::Air::allocateRegistersByGraphColoring):
259         (JSC::B3::Air::iteratedRegisterCoalescing): Deleted.
260         * b3/air/AirGraphColoring.h: Copied from Source/JavaScriptCore/b3/air/AirIteratedRegisterCoalescing.h.
261         * b3/air/AirIteratedRegisterCoalescing.cpp: Removed.
262         * b3/air/AirIteratedRegisterCoalescing.h: Removed.
263         * runtime/Options.h:
264
265 2017-02-21  Mark Lam  <mark.lam@apple.com>
266
267         Add more missing exception checks detected by running marathon.js.
268         https://bugs.webkit.org/show_bug.cgi?id=168697
269
270         Reviewed by Saam Barati.
271
272         * runtime/StringPrototype.cpp:
273         (JSC::replaceUsingRegExpSearch):
274         (JSC::replaceUsingStringSearch):
275
276 2017-02-21  JF Bastien  <jfbastien@apple.com>
277
278         FullCodeOrigin for CodeBlock+CodeOrigin printing
279         https://bugs.webkit.org/show_bug.cgi?id=168673
280
281         Reviewed by Filip Pizlo.
282
283         WebAssembly doesn't have a CodeBlock, so printing it isn't
284         valid. This patch adds FullCodeOrigin to handle the
285         CodeBlock+CodeOrigin printing pattern, and uses it through all the
286         places I could find, including Repatch.cpp where it's relevant for
287         WebAssembly.
288
289         * CMakeLists.txt:
290         * JavaScriptCore.xcodeproj/project.pbxproj:
291         * bytecode/CodeBlock.cpp:
292         (JSC::CodeBlock::noticeIncomingCall):
293         * bytecode/FullCodeOrigin.cpp: Added.
294         (JSC::FullCodeOrigin::dump):
295         (JSC::FullCodeOrigin::dumpInContext):
296         * bytecode/FullCodeOrigin.h: Added.
297         (JSC::FullCodeOrigin::FullCodeOrigin):
298         * bytecode/PolymorphicAccess.cpp:
299         (JSC::PolymorphicAccess::regenerate):
300         * jit/PolymorphicCallStubRoutine.cpp:
301         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
302         * jit/Repatch.cpp:
303         (JSC::linkFor):
304         (JSC::linkDirectFor):
305         (JSC::linkVirtualFor):
306
307 2017-02-21  Filip Pizlo  <fpizlo@apple.com>
308
309         Unreviewed, fix cloop. I managed to have my local patch for relanding be the one without the cloop
310         fix. I keep forgetting about cloop!
311
312         * heap/Heap.cpp:
313         (JSC::Heap::stopThePeriphery):
314         * runtime/JSLock.cpp:
315
316 2017-02-21  Mark Lam  <mark.lam@apple.com>
317
318         Add missing exception checks detected by running marathon.js.
319         https://bugs.webkit.org/show_bug.cgi?id=168687
320
321         Reviewed by Saam Barati.
322
323         When running the marathon.js test from https://bugs.webkit.org/show_bug.cgi?id=168580,
324         we get some crashes due to missing exception checks.  This patch adds those
325         missing exception checks.
326
327         * runtime/JSCJSValueInlines.h:
328         (JSC::JSValue::toPropertyKey):
329         * runtime/JSObject.cpp:
330         (JSC::JSObject::getPrimitiveNumber):
331
332 2017-02-20  Filip Pizlo  <fpizlo@apple.com>
333
334         The collector thread should only start when the mutator doesn't have heap access
335         https://bugs.webkit.org/show_bug.cgi?id=167737
336
337         Reviewed by Keith Miller.
338         
339         This turns the collector thread's workflow into a state machine, so that the mutator thread can
340         run it directly. This reduces the amount of synchronization we do with the collector thread, and
341         means that most apps will never start the collector thread. The collector thread will still start
342         when we need to finish collecting and we don't have heap access.
343         
344         In this new world, "stopping the world" means relinquishing control of collection to the mutator.
345         This means tracking who is conducting collection. I use the GCConductor enum to say who is
346         conducting. It's either GCConductor::Mutator or GCConductor::Collector. I use the term "conn" to
347         refer to the concept of conducting (having the conn, relinquishing the conn, taking the conn).
348         So, stopping the world means giving the mutator the conn. Releasing heap access means giving the
349         collector the conn.
350         
351         This meant bringing back the conservative scan of the calling thread. It turns out that this
352         scan was too slow to be called on each GC increment because apparently setjmp() now does system
353         calls. So, I wrote our own callee save register saving for the GC. Then I had doubts about
354         whether or not it was correct, so I also made it so that the GC only rarely asks for the register
355         state. I think we still want to use my register saving code instead of setjmp because setjmp
356         seems to save things we don't need, and that could make us overly conservative.
357         
358         It turns out that this new scheduling discipline makes the old space-time scheduler perform
359         better than the new stochastic space-time scheduler on systems with fewer than 4 cores. This is
360         because the mutator having the conn enables us to time the mutator<->collector context switches
361         by polling. The OS is never involved. So, we can use super precise timing. This allows the old
362         space-time schduler to shine like it hadn't before.
363         
364         The splay results imply that this is all a good thing. On 2-core systems, this reduces pause
365         times by 40% and it increases throughput about 5%. On 1-core systems, this reduces pause times by
366         half and reduces throughput by 8%. On 4-or-more-core systems, this doesn't seem to have much
367         effect.
368
369         * CMakeLists.txt:
370         * JavaScriptCore.xcodeproj/project.pbxproj:
371         * bytecode/CodeBlock.cpp:
372         (JSC::CodeBlock::visitChildren):
373         * dfg/DFGWorklist.cpp:
374         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
375         (JSC::DFG::Worklist::dump):
376         (JSC::DFG::numberOfWorklists):
377         (JSC::DFG::ensureWorklistForIndex):
378         (JSC::DFG::existingWorklistForIndexOrNull):
379         (JSC::DFG::existingWorklistForIndex):
380         * dfg/DFGWorklist.h:
381         (JSC::DFG::numberOfWorklists): Deleted.
382         (JSC::DFG::ensureWorklistForIndex): Deleted.
383         (JSC::DFG::existingWorklistForIndexOrNull): Deleted.
384         (JSC::DFG::existingWorklistForIndex): Deleted.
385         * heap/CollectingScope.h: Added.
386         (JSC::CollectingScope::CollectingScope):
387         (JSC::CollectingScope::~CollectingScope):
388         * heap/CollectorPhase.cpp: Added.
389         (JSC::worldShouldBeSuspended):
390         (WTF::printInternal):
391         * heap/CollectorPhase.h: Added.
392         * heap/EdenGCActivityCallback.cpp:
393         (JSC::EdenGCActivityCallback::lastGCLength):
394         * heap/FullGCActivityCallback.cpp:
395         (JSC::FullGCActivityCallback::doCollection):
396         (JSC::FullGCActivityCallback::lastGCLength):
397         * heap/GCConductor.cpp: Added.
398         (JSC::gcConductorShortName):
399         (WTF::printInternal):
400         * heap/GCConductor.h: Added.
401         * heap/GCFinalizationCallback.cpp: Added.
402         (JSC::GCFinalizationCallback::GCFinalizationCallback):
403         (JSC::GCFinalizationCallback::~GCFinalizationCallback):
404         * heap/GCFinalizationCallback.h: Added.
405         (JSC::GCFinalizationCallbackFuncAdaptor::GCFinalizationCallbackFuncAdaptor):
406         (JSC::createGCFinalizationCallback):
407         * heap/Heap.cpp:
408         (JSC::Heap::Thread::Thread):
409         (JSC::Heap::Heap):
410         (JSC::Heap::lastChanceToFinalize):
411         (JSC::Heap::gatherStackRoots):
412         (JSC::Heap::updateObjectCounts):
413         (JSC::Heap::sweepSynchronously):
414         (JSC::Heap::collectAllGarbage):
415         (JSC::Heap::collectAsync):
416         (JSC::Heap::collectSync):
417         (JSC::Heap::shouldCollectInCollectorThread):
418         (JSC::Heap::collectInCollectorThread):
419         (JSC::Heap::checkConn):
420         (JSC::Heap::runNotRunningPhase):
421         (JSC::Heap::runBeginPhase):
422         (JSC::Heap::runFixpointPhase):
423         (JSC::Heap::runConcurrentPhase):
424         (JSC::Heap::runReloopPhase):
425         (JSC::Heap::runEndPhase):
426         (JSC::Heap::changePhase):
427         (JSC::Heap::finishChangingPhase):
428         (JSC::Heap::stopThePeriphery):
429         (JSC::Heap::resumeThePeriphery):
430         (JSC::Heap::stopTheMutator):
431         (JSC::Heap::resumeTheMutator):
432         (JSC::Heap::stopIfNecessarySlow):
433         (JSC::Heap::collectInMutatorThread):
434         (JSC::Heap::waitForCollector):
435         (JSC::Heap::acquireAccessSlow):
436         (JSC::Heap::releaseAccessSlow):
437         (JSC::Heap::relinquishConn):
438         (JSC::Heap::finishRelinquishingConn):
439         (JSC::Heap::handleNeedFinalize):
440         (JSC::Heap::notifyThreadStopping):
441         (JSC::Heap::finalize):
442         (JSC::Heap::addFinalizationCallback):
443         (JSC::Heap::requestCollection):
444         (JSC::Heap::waitForCollection):
445         (JSC::Heap::updateAllocationLimits):
446         (JSC::Heap::didFinishCollection):
447         (JSC::Heap::collectIfNecessaryOrDefer):
448         (JSC::Heap::notifyIsSafeToCollect):
449         (JSC::Heap::preventCollection):
450         (JSC::Heap::performIncrement):
451         (JSC::Heap::markToFixpoint): Deleted.
452         (JSC::Heap::shouldCollectInThread): Deleted.
453         (JSC::Heap::collectInThread): Deleted.
454         (JSC::Heap::stopTheWorld): Deleted.
455         (JSC::Heap::resumeTheWorld): Deleted.
456         * heap/Heap.h:
457         (JSC::Heap::machineThreads):
458         (JSC::Heap::lastFullGCLength):
459         (JSC::Heap::lastEdenGCLength):
460         (JSC::Heap::increaseLastFullGCLength):
461         * heap/HeapInlines.h:
462         (JSC::Heap::mutatorIsStopped): Deleted.
463         * heap/HeapStatistics.cpp: Removed.
464         * heap/HeapStatistics.h: Removed.
465         * heap/HelpingGCScope.h: Removed.
466         * heap/IncrementalSweeper.cpp:
467         (JSC::IncrementalSweeper::stopSweeping):
468         (JSC::IncrementalSweeper::willFinishSweeping): Deleted.
469         * heap/IncrementalSweeper.h:
470         * heap/MachineStackMarker.cpp:
471         (JSC::MachineThreads::gatherFromCurrentThread):
472         (JSC::MachineThreads::gatherConservativeRoots):
473         (JSC::callWithCurrentThreadState):
474         * heap/MachineStackMarker.h:
475         * heap/MarkedAllocator.cpp:
476         (JSC::MarkedAllocator::allocateSlowCaseImpl):
477         * heap/MarkedBlock.cpp:
478         (JSC::MarkedBlock::Handle::sweep):
479         * heap/MarkedSpace.cpp:
480         (JSC::MarkedSpace::sweep):
481         * heap/MutatorState.cpp:
482         (WTF::printInternal):
483         * heap/MutatorState.h:
484         * heap/RegisterState.h: Added.
485         * heap/RunningScope.h: Added.
486         (JSC::RunningScope::RunningScope):
487         (JSC::RunningScope::~RunningScope):
488         * heap/SlotVisitor.cpp:
489         (JSC::SlotVisitor::SlotVisitor):
490         (JSC::SlotVisitor::drain):
491         (JSC::SlotVisitor::drainFromShared):
492         (JSC::SlotVisitor::drainInParallelPassively):
493         (JSC::SlotVisitor::donateAll):
494         (JSC::SlotVisitor::donate):
495         * heap/SlotVisitor.h:
496         (JSC::SlotVisitor::codeName):
497         * heap/StochasticSpaceTimeMutatorScheduler.cpp:
498         (JSC::StochasticSpaceTimeMutatorScheduler::beginCollection):
499         (JSC::StochasticSpaceTimeMutatorScheduler::synchronousDrainingDidStall):
500         (JSC::StochasticSpaceTimeMutatorScheduler::timeToStop):
501         * heap/SweepingScope.h: Added.
502         (JSC::SweepingScope::SweepingScope):
503         (JSC::SweepingScope::~SweepingScope):
504         * jit/JITWorklist.cpp:
505         (JSC::JITWorklist::Thread::Thread):
506         * jsc.cpp:
507         (GlobalObject::finishCreation):
508         (functionFlashHeapAccess):
509         * runtime/InitializeThreading.cpp:
510         (JSC::initializeThreading):
511         * runtime/JSCellInlines.h:
512         (JSC::JSCell::classInfo):
513         * runtime/Options.cpp:
514         (JSC::overrideDefaults):
515         * runtime/Options.h:
516         * runtime/TestRunnerUtils.cpp:
517         (JSC::finalizeStatsAtEndOfTesting):
518
519 2017-02-21  Saam Barati  <sbarati@apple.com>
520
521         Air should have a disassembly mode that dumps IR and assembly intermixed
522         https://bugs.webkit.org/show_bug.cgi?id=168629
523
524         Reviewed by Filip Pizlo.
525
526         This will make dumping FTL disassembly dump Air intermixed
527         with the assembly generated by each Air Inst. This is similar
528         to how dumpDFGDisassembly dumps the generated assembly for each
529         Node.
530         
531         Here is what the output will look like:
532         
533         Generated FTL JIT code for foo#CUaFiQ:[0x10b76c960->0x10b76c2d0->0x10b7b6da0, FTLFunctionCall, 40 (NeverInline)], instruction count = 40:
534         BB#0: ; frequency = 1.000000
535                 0x469004e02e00: push %rbp
536                 0x469004e02e01: mov %rsp, %rbp
537                 0x469004e02e04: add $0xffffffffffffffd0, %rsp
538             Move $0x10b76c960, %rax, $4487301472(@16)
539                 0x469004e02e08: mov $0x10b76c960, %rax
540             Move %rax, 16(%rbp), @19
541                 0x469004e02e12: mov %rax, 0x10(%rbp)
542             Patch &Patchpoint2, %rbp, %rax, @20
543                 0x469004e02e16: lea -0x50(%rbp), %rax
544                 0x469004e02e1a: mov $0x1084081e0, %r11
545                 0x469004e02e24: cmp %rax, (%r11)
546                 0x469004e02e27: ja 0x469004e02e9a
547             Move 56(%rbp), %rdx, @23
548                 0x469004e02e2d: mov 0x38(%rbp), %rdx
549             Move $0xffff000000000002, %rax, $-281474976710654(@15)
550                 0x469004e02e31: mov $0xffff000000000002, %rax
551             Patch &BranchTest64(3,SameAsRep)1, NonZero, %rdx, %rax, %rdx, @26
552                 0x469004e02e3b: test %rdx, %rax
553                 0x469004e02e3e: jnz 0x469004e02f08
554             Move 48(%rbp), %rax, @29
555                 0x469004e02e44: mov 0x30(%rbp), %rax
556             Move %rax, %rcx, @31
557                 0x469004e02e48: mov %rax, %rcx
558             Xor64 $6, %rcx, @31
559                 0x469004e02e4b: xor $0x6, %rcx
560             Patch &BranchTest64(3,SameAsRep)1, NonZero, %rcx, $-2, %rax, @35
561                 0x469004e02e4f: test $0xfffffffffffffffe, %rcx
562                 0x469004e02e56: jnz 0x469004e02f12
563             Patch &Branch32(3,SameAsRep)0, NotEqual, (%rdx), $266, %rdx, @45
564                 0x469004e02e5c: cmp $0x10a, (%rdx)
565                 0x469004e02e62: jnz 0x469004e02f1c
566             BranchTest32 NonZero, %rax, $1, @49
567                 0x469004e02e68: test $0x1, %al
568                 0x469004e02e6a: jnz 0x469004e02e91
569           Successors: #3, #1
570         BB#1: ; frequency = 1.000000
571           Predecessors: #0
572             Move $0, %rcx, @65
573                 0x469004e02e70: xor %rcx, %rcx
574             Jump @66
575           Successors: #2
576         BB#2: ; frequency = 1.000000
577           Predecessors: #1, #3
578             Move 24(%rdx), %rax, @58
579                 0x469004e02e73: mov 0x18(%rdx), %rax
580             Patch &BranchAdd32(4,ForceLateUseUnlessRecoverable)3, Overflow, %rcx, %rax, %rcx, %rcx, %rax, @60
581                 0x469004e02e77: add %eax, %ecx
582                 0x469004e02e79: jo 0x469004e02f26
583             Move $0xffff000000000000, %rax, $-281474976710656(@14)
584                 0x469004e02e7f: mov $0xffff000000000000, %rax
585             Add64 %rcx, %rax, %rax, @62
586                 0x469004e02e89: add %rcx, %rax
587             Ret64 %rax, @63
588                 0x469004e02e8c: mov %rbp, %rsp
589                 0x469004e02e8f: pop %rbp
590                 0x469004e02e90: ret 
591         BB#3: ; frequency = 1.000000
592           Predecessors: #0
593             Move 16(%rdx), %rcx, @52
594                 0x469004e02e91: mov 0x10(%rdx), %rcx
595             Jump @55
596                 0x469004e02e95: jmp 0x469004e02e73
597           Successors: #2
598
599         * CMakeLists.txt:
600         * JavaScriptCore.xcodeproj/project.pbxproj:
601         * b3/air/AirCode.h:
602         (JSC::B3::Air::Code::setDisassembler):
603         (JSC::B3::Air::Code::disassembler):
604         * b3/air/AirDisassembler.cpp: Added.
605         (JSC::B3::Air::Disassembler::startEntrypoint):
606         (JSC::B3::Air::Disassembler::endEntrypoint):
607         (JSC::B3::Air::Disassembler::startLatePath):
608         (JSC::B3::Air::Disassembler::endLatePath):
609         (JSC::B3::Air::Disassembler::startBlock):
610         (JSC::B3::Air::Disassembler::addInst):
611         (JSC::B3::Air::Disassembler::dump):
612         * b3/air/AirDisassembler.h: Added.
613         * b3/air/AirGenerate.cpp:
614         (JSC::B3::Air::generate):
615         * ftl/FTLCompile.cpp:
616         (JSC::FTL::compile):
617
618 2017-02-21  Ryan Haddad  <ryanhaddad@apple.com>
619
620         Unreviewed, rolling out r212712.
621
622         This change broke the CLoop build.
623
624         Reverted changeset:
625
626         "JSModuleNamespace object should have IC"
627         https://bugs.webkit.org/show_bug.cgi?id=160590
628         http://trac.webkit.org/changeset/212712
629
630 2017-02-21  Yusuke Suzuki  <utatane.tea@gmail.com>
631
632         JSModuleNamespace object should have IC
633         https://bugs.webkit.org/show_bug.cgi?id=160590
634
635         Reviewed by Saam Barati.
636
637         This patch optimizes accesses to module namespace objects.
638
639         1. Cache the resolutions for module namespace objects.
640
641             When constructing the module namespace object, we already resolve all the exports.
642             The module namespace object caches this result and leverages it in later accesses in
643             getOwnPropertySlot. This avoids resolving bindings through resolveExport.
644
645         2. Introduce ModuleNamespaceLoad IC.
646
647             This patch adds a new IC for module namespace objects. The mechanism is simple, getOwnPropertySlot
648             tells us about module namespace object resolution. The IC first checks whether the given object
649             is an expected module namespace object. If this check succeeds, we load the value from the module
650             environment.
651
652         3. Introduce DFG/FTL optimization.
653
654             After exploiting module namespace object accesses in (2), DFG can recognize this in ByteCodeParser.
655             DFG will convert it to CheckCell with the namespace object and GetClosureVar from the cached environment.
656             At that time, we have a chance to fold it to the constant.
657
658         This optimization improves the performance of accessing module namespace objects.
659
660         Before
661             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-namespace.js
662             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.43s user 0.03s system 101% cpu 0.451 total
663             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-binding.js
664             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.08s user 0.02s system 103% cpu 0.104 total
665
666         After
667             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-namespace.js
668             ../../WebKitBuild/module-ic/Release/bin/jsc -m   0.11s user 0.01s system 106% cpu 0.109 total
669             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.js
670             ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.j  0.08s user 0.02s system 102% cpu 0.105 total
671
672         * CMakeLists.txt:
673         * JavaScriptCore.xcodeproj/project.pbxproj:
674         * bytecode/AccessCase.cpp:
675         (JSC::AccessCase::create):
676         (JSC::AccessCase::guardedByStructureCheck):
677         (JSC::AccessCase::canReplace):
678         (JSC::AccessCase::visitWeak):
679         (JSC::AccessCase::generateWithGuard):
680         (JSC::AccessCase::generateImpl):
681         * bytecode/AccessCase.h:
682         * bytecode/GetByIdStatus.cpp:
683         (JSC::GetByIdStatus::GetByIdStatus):
684         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
685         (JSC::GetByIdStatus::makesCalls):
686         (JSC::GetByIdStatus::dump):
687         * bytecode/GetByIdStatus.h:
688         (JSC::GetByIdStatus::isModuleNamespace):
689         (JSC::GetByIdStatus::takesSlowPath):
690         (JSC::GetByIdStatus::moduleNamespaceObject):
691         (JSC::GetByIdStatus::moduleEnvironment):
692         (JSC::GetByIdStatus::scopeOffset):
693         * bytecode/ModuleNamespaceAccessCase.cpp: Added.
694         (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
695         (JSC::ModuleNamespaceAccessCase::create):
696         (JSC::ModuleNamespaceAccessCase::~ModuleNamespaceAccessCase):
697         (JSC::ModuleNamespaceAccessCase::clone):
698         (JSC::ModuleNamespaceAccessCase::emit):
699         * bytecode/ModuleNamespaceAccessCase.h: Added.
700         (JSC::ModuleNamespaceAccessCase::moduleNamespaceObject):
701         (JSC::ModuleNamespaceAccessCase::moduleEnvironment):
702         (JSC::ModuleNamespaceAccessCase::scopeOffset):
703         * bytecode/PolymorphicAccess.cpp:
704         (WTF::printInternal):
705         * dfg/DFGByteCodeParser.cpp:
706         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
707         (JSC::DFG::ByteCodeParser::handleGetById):
708         * jit/AssemblyHelpers.h:
709         (JSC::AssemblyHelpers::loadValue):
710         * jit/Repatch.cpp:
711         (JSC::tryCacheGetByID):
712         * runtime/AbstractModuleRecord.cpp:
713         (JSC::AbstractModuleRecord::getModuleNamespace):
714         * runtime/JSModuleNamespaceObject.cpp:
715         (JSC::JSModuleNamespaceObject::finishCreation):
716         (JSC::JSModuleNamespaceObject::visitChildren):
717         (JSC::getValue):
718         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
719         (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
720         * runtime/JSModuleNamespaceObject.h:
721         (JSC::isJSModuleNamespaceObject):
722         (JSC::JSModuleNamespaceObject::create): Deleted.
723         (JSC::JSModuleNamespaceObject::createStructure): Deleted.
724         (JSC::JSModuleNamespaceObject::moduleRecord): Deleted.
725         * runtime/JSModuleRecord.h:
726         (JSC::JSModuleRecord::moduleEnvironment): Deleted.
727         * runtime/PropertySlot.h:
728         (JSC::PropertySlot::PropertySlot):
729         (JSC::PropertySlot::domJIT):
730         (JSC::PropertySlot::moduleNamespaceSlot):
731         (JSC::PropertySlot::setValueModuleNamespace):
732         (JSC::PropertySlot::setCacheableCustom):
733
734 2017-02-21  Yusuke Suzuki  <utatane.tea@gmail.com>
735
736         ASSERTION FAILED: "!scope.exception()" with Object.isSealed/isFrozen and uninitialized module bindings
737         https://bugs.webkit.org/show_bug.cgi?id=168605
738
739         Reviewed by Saam Barati.
740
741         We should check exception state after calling getOwnPropertyDescriptor() since it can throw errors.
742
743         * runtime/ObjectConstructor.cpp:
744         (JSC::objectConstructorIsSealed):
745         (JSC::objectConstructorIsFrozen):
746
747 2017-02-20  Mark Lam  <mark.lam@apple.com>
748
749         [Re-landing] CachedCall should let GC know to keep its arguments alive.
750         https://bugs.webkit.org/show_bug.cgi?id=168567
751         <rdar://problem/30475767>
752
753         Reviewed by Saam Barati.
754
755         We fix this by having CachedCall use a MarkedArgumentBuffer to store its
756         arguments instead of a Vector.
757
758         Also declared CachedCall, MarkedArgumentBuffer, and ProtoCallFrame as
759         WTF_FORBID_HEAP_ALLOCATION because they rely on being stack allocated for
760         correctness.
761
762         Update: the original patch has a bug in MarkedArgumentBuffer::expandCapacity()
763         where it was copying and calling addMarkSet() on values in m_buffer beyond m_size
764         (up to m_capacity).  As a result, depending on the pre-existing values in
765         m_inlineBuffer, this may result in a computed Heap pointer that is wrong, and
766         subsequently, manifest as a crash.  This is likely to be the cause of the PLT
767         regression.
768
769         I don't have a new test for this fix because the issue relies on sufficiently bad
770         values randomly showing up in m_inlineBuffer when we do an ensureCapacity() which
771         calls expandCapacity().
772
773         * interpreter/CachedCall.h:
774         (JSC::CachedCall::CachedCall):
775         (JSC::CachedCall::call):
776         (JSC::CachedCall::clearArguments):
777         (JSC::CachedCall::appendArgument):
778         (JSC::CachedCall::setArgument): Deleted.
779         * interpreter/CallFrame.h:
780         (JSC::ExecState::emptyList):
781         * interpreter/Interpreter.cpp:
782         (JSC::Interpreter::prepareForRepeatCall):
783         * interpreter/Interpreter.h:
784         * interpreter/ProtoCallFrame.h:
785         * runtime/ArgList.cpp:
786         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
787         (JSC::MarkedArgumentBuffer::expandCapacity):
788         (JSC::MarkedArgumentBuffer::slowAppend):
789         * runtime/ArgList.h:
790         (JSC::MarkedArgumentBuffer::append):
791         (JSC::MarkedArgumentBuffer::ensureCapacity):
792         * runtime/StringPrototype.cpp:
793         (JSC::replaceUsingRegExpSearch):
794         * runtime/VM.cpp:
795         (JSC::VM::VM):
796         * runtime/VM.h:
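
The expandCapacity() defect this entry describes, shown with an added example that is not the ChangeLog's or JavaScriptCore's own code: a hypothetical MarkedArgumentBuffer with an inline buffer, a stand-in Heap whose addMarkSet() derives a cell pointer from each value, and an ensureCapacity() path on which m_size is well below m_capacity. The growth loop copies and re-registers only the live prefix [0, m_size); looping to m_capacity would hand stale inline-buffer bytes to addMarkSet(). The Value encoding, kCellMask, Heap, the deleted operator new standing in for WTF_FORBID_HEAP_ALLOCATION, and exerciseBuffer() are all assumptions made for this illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <set>

// Illustrative stand-in for a JSValue: the low 48 bits hold a cell pointer,
// zero meaning "not a cell". This is not JSC's real value encoding.
using Value = uint64_t;
constexpr Value kCellMask = 0xffffffffffffULL;

// Hypothetical heap that records which cells are kept alive through an
// argument buffer; a garbage Value fed to it becomes a garbage "pointer".
struct Heap {
    std::set<Value> rootedCells;
    void addMarkSet(Value v)
    {
        if (Value cell = v & kCellMask)
            rootedCells.insert(cell);
    }
};

class MarkedArgumentBuffer {
public:
    static constexpr size_t inlineCapacity = 8;

    explicit MarkedArgumentBuffer(Heap& heap)
        : m_heap(heap)
    {
        // Stand-in for the stale stack bytes an uninitialized inline buffer
        // holds; anything derived from these slots would be a bogus root.
        std::memset(m_inlineBuffer, 0xAB, sizeof(m_inlineBuffer));
    }
    ~MarkedArgumentBuffer()
    {
        if (m_buffer != m_inlineBuffer)
            delete[] m_buffer;
    }
    MarkedArgumentBuffer(const MarkedArgumentBuffer&) = delete;
    MarkedArgumentBuffer& operator=(const MarkedArgumentBuffer&) = delete;
    // Only correct while it lives on the stack (the entry's
    // WTF_FORBID_HEAP_ALLOCATION), so refuse heap allocation outright.
    static void* operator new(size_t) = delete;

    size_t size() const { return m_size; }

    void append(Value v)
    {
        if (m_size == m_capacity)
            expandCapacity(m_capacity * 2);
        m_buffer[m_size++] = v;
        m_heap.addMarkSet(v);
    }

    // Grows storage ahead of time; m_size may be far below m_capacity here,
    // which is exactly the case the original patch mishandled.
    void ensureCapacity(size_t requested)
    {
        if (requested > m_capacity)
            expandCapacity(std::max(requested, m_capacity * 2));
    }

private:
    void expandCapacity(size_t newCapacity)
    {
        Value* newBuffer = new Value[newCapacity]();
        // Copy and re-register only the live prefix [0, m_size). Looping to
        // m_capacity instead would feed the 0xAB.. filler to addMarkSet().
        for (size_t i = 0; i < m_size; ++i) {
            newBuffer[i] = m_buffer[i];
            m_heap.addMarkSet(newBuffer[i]);
        }
        if (m_buffer != m_inlineBuffer)
            delete[] m_buffer;
        m_buffer = newBuffer;
        m_capacity = newCapacity;
    }

    Heap& m_heap;
    Value m_inlineBuffer[inlineCapacity];
    Value* m_buffer = m_inlineBuffer;
    size_t m_size = 0;
    size_t m_capacity = inlineCapacity;
};

// Appends `count` distinct constructed cell values, grows the buffer early, and
// reports how many cells are rooted and whether the 0xAB.. filler leaked in.
struct RootReport { size_t rooted; bool staleRootSeen; };

RootReport exerciseBuffer(size_t count)
{
    Heap heap;
    MarkedArgumentBuffer args(heap);
    for (size_t i = 0; i < count; ++i)
        args.append(Value(0x1000 * (i + 1)));   // constructed fake cell addresses
    args.ensureCapacity(64);                    // forces a copy while size < capacity
    bool stale = heap.rootedCells.count(0xABABABABABABULL) != 0;
    return { heap.rootedCells.size(), stale };
}
```

With twelve appended values the buffer grows once on append (8 to 16) and once on ensureCapacity (to 64); both copies root exactly the twelve live cells and nothing derived from the filler bytes.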
797
798 2017-02-20  Commit Queue  <commit-queue@webkit.org>
799
800         Unreviewed, rolling out r212618.
801         https://bugs.webkit.org/show_bug.cgi?id=168609
802
803         "Appears to cause PLT regression" (Requested by mlam on
804         #webkit).
805
806         Reverted changeset:
807
808         "CachedCall should let GC know to keep its arguments alive."
809         https://bugs.webkit.org/show_bug.cgi?id=168567
810         http://trac.webkit.org/changeset/212618
811
812 2017-02-19  Mark Lam  <mark.lam@apple.com>
813
814         BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump.
815         https://bugs.webkit.org/show_bug.cgi?id=168585
816
817         Reviewed by Yusuke Suzuki.
818
819         This is because m_controlFlowScopeStack is a SegmentedVector, and entries for
820         consecutive indices in the vector are not guaranteed to be consecutive in memory
821         layout.  We should be using indexing instead.
822
823         This issue was detected by the marathon.js test from
824         https://bugs.webkit.org/show_bug.cgi?id=168580.
825
826         * bytecompiler/BytecodeGenerator.cpp:
827         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
828         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
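
The hazard this entry describes, as an added example that is neither WTF::SegmentedVector nor BytecodeGenerator code: a minimal segmented vector whose elements are adjacent in memory only within one segment, so bumping a pointer from an element to the "next" one leaves the segment at every boundary, while walking by index stays correct. The SegmentedVector, ControlFlowScope, isContiguous() and countFinallyScopes() names are chosen here for the illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <memory>
#include <vector>

// Minimal segmented vector (hypothetical, not WTF's): elements live in
// separately allocated fixed-size segments, each with its own fill count, so
// element i and element i+1 are contiguous only when they share a segment.
template <typename T, size_t SegmentSize = 4>
class SegmentedVector {
    struct Segment {
        size_t used = 0;
        T elements[SegmentSize];
    };

public:
    size_t size() const { return m_size; }

    void append(const T& value)
    {
        if (m_segments.empty() || m_segments.back()->used == SegmentSize)
            m_segments.push_back(std::make_unique<Segment>());
        Segment& segment = *m_segments.back();
        segment.elements[segment.used++] = value;
        ++m_size;
    }

    T& operator[](size_t i)
    {
        return m_segments[i / SegmentSize]->elements[i % SegmentSize];
    }

private:
    std::vector<std::unique_ptr<Segment>> m_segments;
    size_t m_size = 0;
};

struct ControlFlowScope {
    int id;
    bool isFinally;
};

// True only if a pointer bump from element i lands on element i+1 for every i,
// which fails as soon as the vector spans more than one segment.
bool isContiguous(SegmentedVector<ControlFlowScope>& stack)
{
    for (size_t i = 0; i + 1 < stack.size(); ++i) {
        if (&stack[i] + 1 != &stack[i + 1])
            return false;
    }
    return true;
}

// Walks from the top of the stack down to targetIndex by index (the fix) and
// counts the finally scopes on the way; a pointer bump would silently read
// past the end of a segment at each boundary instead.
int countFinallyScopes(SegmentedVector<ControlFlowScope>& stack, size_t targetIndex)
{
    int count = 0;
    for (size_t i = stack.size(); i-- > targetIndex;) {
        if (stack[i].isFinally)
            ++count;
    }
    return count;
}

// Constructed sample: ten scopes, ids 0, 3, 6 and 9 being finally scopes.
SegmentedVector<ControlFlowScope> makeSampleStack()
{
    SegmentedVector<ControlFlowScope> stack;
    for (int i = 0; i < 10; ++i)
        stack.append({ i, i % 3 == 0 });
    return stack;
}

bool sampleStackIsContiguous()
{
    auto stack = makeSampleStack();
    return isContiguous(stack);
}

// Three elements fit in one segment, so here a pointer bump would happen to work.
bool singleSegmentIsContiguous()
{
    SegmentedVector<ControlFlowScope> stack;
    for (int i = 0; i < 3; ++i)
        stack.append({ i, false });
    return isContiguous(stack);
}

int sampleFinallyCount(size_t targetIndex)
{
    auto stack = makeSampleStack();
    return countFinallyScopes(stack, targetIndex);
}
```

The single-segment case is why such a bug can survive testing: small stacks never cross a boundary, and only a deeper nesting of control-flow scopes, like the marathon.js test mentioned above, makes the pointer walk step outside a segment.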
829
830 2017-02-20  Manuel Rego Casasnovas  <rego@igalia.com>
831
832         [css-grid] Remove compilation flag ENABLE_CSS_GRID_LAYOUT
833         https://bugs.webkit.org/show_bug.cgi?id=167693
834
835         Reviewed by Sergio Villar Senin.
836
837         * Configurations/FeatureDefines.xcconfig:
838
839 2017-02-19  Commit Queue  <commit-queue@webkit.org>
840
841         Unreviewed, rolling out r212472.
842         https://bugs.webkit.org/show_bug.cgi?id=168584
843
844         Broke CLoop builds when r212466 was rolled out in r212616
845         (Requested by rniwa on #webkit).
846
847         Reverted changeset:
848
849         "Unreviewed, fix cloop build."
850         http://trac.webkit.org/changeset/212472
851
852 2017-02-19  Mark Lam  <mark.lam@apple.com>
853
854         functionTestWasmModuleFunctions() should use a MarkedArgumentBuffer for storing args instead of a Vector.
855         https://bugs.webkit.org/show_bug.cgi?id=168574
856
857         Reviewed by Filip Pizlo.
858
859         * jsc.cpp:
860         (callWasmFunction):
861         (functionTestWasmModuleFunctions):
862         * runtime/ArgList.h:
863
864 2017-02-19  Mark Lam  <mark.lam@apple.com>
865
866         CachedCall should let GC know to keep its arguments alive.
867         https://bugs.webkit.org/show_bug.cgi?id=168567
868         <rdar://problem/30475767>
869
870         Reviewed by Saam Barati.
871
872         We fix this by having CachedCall use a MarkedArgumentBuffer to store its
873         arguments instead of a Vector.
874
875         Also declared CachedCall, MarkedArgumentBuffer, and ProtoCallFrame as
876         WTF_FORBID_HEAP_ALLOCATION because they rely on being stack allocated for
877         correctness.
878
879         * interpreter/CachedCall.h:
880         (JSC::CachedCall::CachedCall):
881         (JSC::CachedCall::call):
882         (JSC::CachedCall::clearArguments):
883         (JSC::CachedCall::appendArgument):
884         (JSC::CachedCall::setArgument): Deleted.
885         * interpreter/CallFrame.h:
886         (JSC::ExecState::emptyList):
887         * interpreter/Interpreter.cpp:
888         (JSC::Interpreter::prepareForRepeatCall):
889         * interpreter/Interpreter.h:
890         * interpreter/ProtoCallFrame.h:
891         * runtime/ArgList.cpp:
892         (JSC::MarkedArgumentBuffer::expandCapacity):
893         * runtime/ArgList.h:
894         (JSC::MarkedArgumentBuffer::ensureCapacity):
895         * runtime/StringPrototype.cpp:
896         (JSC::replaceUsingRegExpSearch):
897         * runtime/VM.cpp:
898         (JSC::VM::VM):
899         * runtime/VM.h:
900
901 2017-02-19  Commit Queue  <commit-queue@webkit.org>
902
903         Unreviewed, rolling out r212466.
904         https://bugs.webkit.org/show_bug.cgi?id=168577
905
906         causes crashes on AArch64 on linux, maybe it's causing crashes
907         on iOS too (Requested by pizlo on #webkit).
908
909         Reverted changeset:
910
911         "The collector thread should only start when the mutator
912         doesn't have heap access"
913         https://bugs.webkit.org/show_bug.cgi?id=167737
914         http://trac.webkit.org/changeset/212466
915
916 2017-02-17  Michael Saboff  <msaboff@apple.com>
917
918         Improve ARM64 disassembler handling of pseudo ops, unsupported opcodes and zero reg
919         https://bugs.webkit.org/show_bug.cgi?id=168527
920
921         Reviewed by Filip Pizlo.
922
923         Added support for data processing 1 source instructions like rbit, rev, clz and cls.
924         Added support for the FP conditional select instruction, fcsel.  Consolidated the
925         two classes for handling dmb instructions into one class.  Fixed the instruction
926         selection mask in the integer conditional select class, A64DOpcodeConditionalSelect.
927         Fixed the processing of extract instruction (extr) including the rotate right (ror)
928         pseudo instruction.  Changed the printing of x31 and w31 to xzr and wzr as operands
929         according to the spec.  Added support for common pseudo instructions.  This includes:
930         - mvn x1, X2 in place of orn x1, xzr, x2
931         - lsl x3, x4, #count in place of ubfiz x3, x4, #count, #count
932         - smull x5, w6, w7 in place of smaddl x5, w6, w7, XZR
933         - More understandable mov x8, #-304 in place of movn x8, #0x12f
934         - Eliminated xzr from register index loads and stores, outputting
935           ldr x10, [x11] instead of ldr x10, [x11, xzr]
936
937         Changed the move wide instructions to use hex literals for movz and movk.
938         This makes it much easier to decipher sequences of wide moves for large literals.
939                 Before                       After
940           movz   x17, #26136           movz   x17, #0x6618
941           movk   x17, #672, lsl #16    movk   x17, #0x2a0, lsl #16
942           movk   x17, #1, lsl #32      movk   x17, #0x1, lsl #32
943
944         Verified that all instructions currently generated by the JSC stress tests are
945         disassembled.
946
947         * disassembler/ARM64/A64DOpcode.cpp:
948         (JSC::ARM64Disassembler::A64DOpcodeBitfield::format):
949         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::format):
950         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format):
951         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::format):
952         (JSC::ARM64Disassembler::A64DOpcodeExtract::format):
953         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::format):
954         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointIntegerConversions::format):
955         (JSC::ARM64Disassembler::A64DOpcodeDmb::format):
956         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreImmediate::format):
957         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterOffset::format):
958         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterPair::format):
959         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreUnsignedImmediate::format):
960         (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::format):
961         (JSC::ARM64Disassembler::A64DOpcodeMoveWide::format):
962         (JSC::ARM64Disassembler::A64DOpcodeDmbIsh::format): Deleted.
963         (JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::format): Deleted.
964         * disassembler/ARM64/A64DOpcode.h:
965         (JSC::ARM64Disassembler::A64DOpcode::appendSignedImmediate64):
966         (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedHexImmediate):
967         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opName):
968         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::sBit):
969         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opCode):
970         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opCode2):
971         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opNameIndex):
972         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::opName):
973         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::opName):
974         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::condition):
975         (JSC::ARM64Disassembler::A64DOpcodeDmb::option):
976         (JSC::ARM64Disassembler::A64DOpcodeDmb::crM):
977         (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::isMov):
978         (JSC::ARM64Disassembler::A64DOpcodeDmbIsh::opName): Deleted.
979         (JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::opName): Deleted.
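
An added example, not the A64DOpcode disassembler code this entry modifies: a decoder for the ARM64 move wide (immediate) group (movn/movz/movk) that prints imm16 as a hex literal, prints register 31 as xzr/wzr, shows an unshifted movn as the mov #-N alias the entry mentions, and folds a movz/movk sequence into the 64-bit literal it materializes. The encoded words used below are constructed from the entry's own Before/After sequence and from movn x8, #0x12f; the decodeMoveWide(), formatMoveWide() and materializedLiteral() names are chosen here.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// ARM64 "move wide (immediate)" encoding:
//   sf[31] opc[30:29] 100101[28:23] hw[22:21] imm16[20:5] Rd[4:0]
// opc: 00 = MOVN, 10 = MOVZ, 11 = MOVK (01 is unallocated).
struct MoveWide {
    bool is64;
    unsigned opc;
    unsigned shift;   // hw * 16
    unsigned imm16;
    unsigned rd;
};

bool decodeMoveWide(uint32_t insn, MoveWide& out)
{
    if (((insn >> 23) & 0x3f) != 0x25)   // fixed bits 100101
        return false;
    out.is64 = (insn >> 31) != 0;
    out.opc = (insn >> 29) & 3;
    if (out.opc == 1)
        return false;                      // unallocated opc
    out.shift = ((insn >> 21) & 3) * 16;
    if (!out.is64 && out.shift >= 32)
        return false;                      // hw > 1 is unallocated for 32-bit
    out.imm16 = (insn >> 5) & 0xffff;
    out.rd = insn & 0x1f;
    return true;
}

// Register 31 is the zero register for this group: print it as xzr/wzr.
std::string regName(bool is64, unsigned rd)
{
    if (rd == 31)
        return is64 ? "xzr" : "wzr";
    return (is64 ? "x" : "w") + std::to_string(rd);
}

std::string formatMoveWide(uint32_t insn)
{
    MoveWide m;
    if (!decodeMoveWide(insn, m))
        return "<unsupported>";
    char buf[64];
    std::string rd = regName(m.is64, m.rd);
    if (m.opc == 0 && m.shift == 0) {
        // Unshifted movn is the MOV (inverted wide immediate) alias: print the
        // value the register ends up holding, e.g. "mov x8, #-304" for #0x12f.
        int64_t value = m.is64 ? ~int64_t(m.imm16)
                               : int64_t(int32_t(~uint32_t(m.imm16)));
        std::snprintf(buf, sizeof buf, "mov %s, #%lld", rd.c_str(), (long long)value);
        return buf;
    }
    const char* op = m.opc == 0 ? "movn" : m.opc == 2 ? "movz" : "movk";
    if (m.shift)
        std::snprintf(buf, sizeof buf, "%s %s, #0x%x, lsl #%u", op, rd.c_str(), m.imm16, m.shift);
    else
        std::snprintf(buf, sizeof buf, "%s %s, #0x%x", op, rd.c_str(), m.imm16);
    return buf;
}

// Folds a movz/movk (or movn) sequence into the literal it materializes, the
// value a reader would otherwise reassemble by hand from the disassembly.
// Returns 0 if any word is not a move wide instruction.
uint64_t materializedLiteral(const std::vector<uint32_t>& sequence)
{
    uint64_t value = 0;
    for (uint32_t insn : sequence) {
        MoveWide m;
        if (!decodeMoveWide(insn, m))
            return 0;
        uint64_t chunk = uint64_t(m.imm16) << m.shift;
        switch (m.opc) {
        case 2:  value = chunk; break;                                           // movz
        case 3:  value = (value & ~(uint64_t(0xffff) << m.shift)) | chunk; break; // movk
        default: value = ~chunk; break;                                          // movn
        }
        if (!m.is64)
            value &= 0xffffffffu;
    }
    return value;
}
```

The entry's three-instruction sequence (movz x17, #0x6618; movk x17, #0x2a0, lsl #16; movk x17, #0x1, lsl #32) encodes as 0xD28CC311, 0xF2A05411 and 0xF2C00031 and materializes 0x102a06618; a word outside the group, such as ret (0xD65F03C0), is reported as unsupported rather than mis-decoded.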
980
981 2017-02-17  Zan Dobersek  <zdobersek@igalia.com>
982
983         [GLib] GCActivityCallback::scheduleTimer() keeps pushing dispatch into the future
984         https://bugs.webkit.org/show_bug.cgi?id=168363
985
986         Reviewed by Carlos Garcia Campos.
987
988         Mimic the USE(CF) implementation of GCActivityCallback and HeapTimer by
989         scheduling the timer a decade into the future instead of completely
990         cancelling it. That way new dispatch times for GCActivityCallback can be
991         computed by simply deducting the difference in the new and previous
992         delay from the GSource's current dispatch time. Previously we handled an
993         extra 'paused' state (where m_delay was -1) and allowed for a delay of
994         an infinite value to be valid, complicating the next dispatch time
995         computation.
996
997         HeapTimer gains the static s_decade variable. The dispatch function in
998         heapTimerSourceFunctions only dispatches the callback, which now delays
999         the GSource by a decade. HeapTimer::scheduleTimer() simply schedules the
1000         source to dispatch in the specified amount of time, and cancelTimer()
1001         'cancels' the source by setting the dispatch time to a decade.
1002
1003         GCActivityCallback constructor initializes the delay to the s_decade
1004         value and immediately sets the ready time for GSource a decade into the
1005         future, avoiding the default -1 value as the ready time that would cause
1006         problems in scheduleTimer(). scheduleTimer() doesn't special-case the
1007         zero-delay value anymore, instead it just computes the difference
1008         between the old and the new delay and rolls back the GSource's ready
1009         time for that amount. cancelTimer() sets m_delay to the decade value and
1010         delays the GSource for that same amount.
1011
1012         * heap/GCActivityCallback.cpp:
1013         (JSC::GCActivityCallback::GCActivityCallback):
1014         (JSC::GCActivityCallback::scheduleTimer):
1015         (JSC::GCActivityCallback::cancelTimer):
1016         * heap/GCActivityCallback.h:
1017         * heap/HeapTimer.cpp:
1018         (JSC::HeapTimer::HeapTimer):
1019         (JSC::HeapTimer::scheduleTimer):
1020         (JSC::HeapTimer::cancelTimer):
1021         * heap/HeapTimer.h:
1022
1023 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1024
1025         [JSC] Drop PassRefPtr from ArrayBuffer
1026         https://bugs.webkit.org/show_bug.cgi?id=168455
1027
1028         Reviewed by Geoffrey Garen.
1029
1030         This patch finally drops all the PassRefPtr in JSC.
1031         We changed PassRefPtr<ArrayBuffer> to RefPtr<ArrayBuffer>&&.
1032         Since ArrayBuffer may be nullptr if the array is neutered,
1033         we hold it as RefPtr<> instead of Ref<>.
1034
1035         And we also drop 2 files, TypedArrayBase.h and IntegralTypedArrayBase.h.
1036         They are not used (and they are not referenced from the project file).
1037
1038         * inspector/JavaScriptCallFrame.h:
1039         * jsc.cpp:
1040         (functionDollarAgentReceiveBroadcast):
1041         * runtime/ArrayBufferView.cpp:
1042         (JSC::ArrayBufferView::ArrayBufferView):
1043         * runtime/ArrayBufferView.h:
1044         (JSC::ArrayBufferView::possiblySharedBuffer):
1045         (JSC::ArrayBufferView::unsharedBuffer):
1046         (JSC::ArrayBufferView::verifySubRangeLength):
1047         (JSC::ArrayBufferView::clampOffsetAndNumElements):
1048         * runtime/ClassInfo.h:
1049         * runtime/DataView.cpp:
1050         (JSC::DataView::DataView):
1051         (JSC::DataView::create):
1052         * runtime/DataView.h:
1053         * runtime/GenericTypedArrayView.h:
1054         * runtime/GenericTypedArrayViewInlines.h:
1055         (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):
1056         (JSC::GenericTypedArrayView<Adaptor>::create):
1057         (JSC::GenericTypedArrayView<Adaptor>::subarray):
1058         * runtime/IntegralTypedArrayBase.h: Removed.
1059         * runtime/JSArrayBuffer.cpp:
1060         (JSC::JSArrayBuffer::JSArrayBuffer):
1061         (JSC::JSArrayBuffer::create):
1062         * runtime/JSArrayBuffer.h:
1063         * runtime/JSArrayBufferPrototype.cpp:
1064         (JSC::arrayBufferProtoFuncSlice):
1065         * runtime/JSArrayBufferView.cpp:
1066         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1067         * runtime/JSArrayBufferView.h:
1068         * runtime/JSArrayBufferViewInlines.h:
1069         (JSC::JSArrayBufferView::possiblySharedImpl):
1070         (JSC::JSArrayBufferView::unsharedImpl):
1071         * runtime/JSCell.cpp:
1072         (JSC::JSCell::slowDownAndWasteMemory):
1073         (JSC::JSCell::getTypedArrayImpl):
1074         * runtime/JSCell.h:
1075         * runtime/JSDataView.cpp:
1076         (JSC::JSDataView::create):
1077         (JSC::JSDataView::possiblySharedTypedImpl):
1078         (JSC::JSDataView::unsharedTypedImpl):
1079         (JSC::JSDataView::getTypedArrayImpl):
1080         * runtime/JSDataView.h:
1081         * runtime/JSGenericTypedArrayView.h:
1082         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1083         (JSC::constructGenericTypedArrayViewWithArguments):
1084         * runtime/JSGenericTypedArrayViewInlines.h:
1085         (JSC::JSGenericTypedArrayView<Adaptor>::create):
1086         (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
1087         (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
1088         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl):
1089         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1090         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1091         * runtime/JSTypedArrays.cpp:
1092         (JSC::createUint8TypedArray):
1093         * runtime/TypedArrayBase.h: Removed.
1094
1095 2017-02-16  Keith Miller  <keith_miller@apple.com>
1096
1097         ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
1098         https://bugs.webkit.org/show_bug.cgi?id=168354
1099
1100         Reviewed by Geoffrey Garen.
1101
1102         Instead of adding a custom vmEntryGlobalObject for the debugger
1103         we can just have it use vmEntryScope instead.
1104
1105         * debugger/Debugger.cpp:
1106         (JSC::Debugger::detach):
1107         * interpreter/CallFrame.cpp:
1108         (JSC::CallFrame::vmEntryGlobalObjectForDebuggerDetach): Deleted.
1109         * interpreter/CallFrame.h:
1110
1111 2017-02-16  Filip Pizlo  <fpizlo@apple.com>
1112
1113         Unreviewed, fix cloop build.
1114
1115         * heap/Heap.cpp:
1116         (JSC::Heap::stopThePeriphery):
1117         * runtime/JSLock.cpp:
1118
1119 2017-02-10  Filip Pizlo  <fpizlo@apple.com>
1120
1121         The collector thread should only start when the mutator doesn't have heap access
1122         https://bugs.webkit.org/show_bug.cgi?id=167737
1123
1124         Reviewed by Keith Miller.
1125         
1126         This turns the collector thread's workflow into a state machine, so that the mutator thread can
1127         run it directly. This reduces the amount of synchronization we do with the collector thread, and
1128         means that most apps will never start the collector thread. The collector thread will still start
1129         when we need to finish collecting and we don't have heap access.
1130         
1131         In this new world, "stopping the world" means relinquishing control of collection to the mutator.
1132         This means tracking who is conducting collection. I use the GCConductor enum to say who is
1133         conducting. It's either GCConductor::Mutator or GCConductor::Collector. I use the term "conn" to
1134         refer to the concept of conducting (having the conn, relinquishing the conn, taking the conn).
1135         So, stopping the world means giving the mutator the conn. Releasing heap access means giving the
1136         collector the conn.
1137         
1138         This meant bringing back the conservative scan of the calling thread. It turns out that this
1139         scan was too slow to be called on each GC increment because apparently setjmp() now does system
1140         calls. So, I wrote our own callee save register saving for the GC. Then I had doubts about
1141         whether or not it was correct, so I also made it so that the GC only rarely asks for the register
1142         state. I think we still want to use my register saving code instead of setjmp because setjmp
1143         seems to save things we don't need, and that could make us overly conservative.
1144         
1145         It turns out that this new scheduling discipline makes the old space-time scheduler perform
1146         better than the new stochastic space-time scheduler on systems with fewer than 4 cores. This is
1147         because the mutator having the conn enables us to time the mutator<->collector context switches
1148         by polling. The OS is never involved. So, we can use super precise timing. This allows the old
1149         space-time scheduler to shine like it hadn't before.
1150         
1151         The splay results imply that this is all a good thing. On 2-core systems, this reduces pause
1152         times by 40% and it increases throughput about 5%. On 1-core systems, this reduces pause times by
1153         half and reduces throughput by 8%. On 4-or-more-core systems, this doesn't seem to have much
1154         effect.
1155
1156         * CMakeLists.txt:
1157         * JavaScriptCore.xcodeproj/project.pbxproj:
1158         * dfg/DFGWorklist.cpp:
1159         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
1160         (JSC::DFG::Worklist::dump):
1161         (JSC::DFG::numberOfWorklists):
1162         (JSC::DFG::ensureWorklistForIndex):
1163         (JSC::DFG::existingWorklistForIndexOrNull):
1164         (JSC::DFG::existingWorklistForIndex):
1165         * dfg/DFGWorklist.h:
1166         (JSC::DFG::numberOfWorklists): Deleted.
1167         (JSC::DFG::ensureWorklistForIndex): Deleted.
1168         (JSC::DFG::existingWorklistForIndexOrNull): Deleted.
1169         (JSC::DFG::existingWorklistForIndex): Deleted.
1170         * heap/CollectingScope.h: Added.
1171         (JSC::CollectingScope::CollectingScope):
1172         (JSC::CollectingScope::~CollectingScope):
1173         * heap/CollectorPhase.cpp: Added.
1174         (JSC::worldShouldBeSuspended):
1175         (WTF::printInternal):
1176         * heap/CollectorPhase.h: Added.
1177         * heap/EdenGCActivityCallback.cpp:
1178         (JSC::EdenGCActivityCallback::lastGCLength):
1179         * heap/FullGCActivityCallback.cpp:
1180         (JSC::FullGCActivityCallback::doCollection):
1181         (JSC::FullGCActivityCallback::lastGCLength):
1182         * heap/GCConductor.cpp: Added.
1183         (JSC::gcConductorShortName):
1184         (WTF::printInternal):
1185         * heap/GCConductor.h: Added.
1186         * heap/Heap.cpp:
1187         (JSC::Heap::Thread::Thread):
1188         (JSC::Heap::Heap):
1189         (JSC::Heap::lastChanceToFinalize):
1190         (JSC::Heap::gatherStackRoots):
1191         (JSC::Heap::updateObjectCounts):
1192         (JSC::Heap::shouldCollectInCollectorThread):
1193         (JSC::Heap::collectInCollectorThread):
1194         (JSC::Heap::checkConn):
1195         (JSC::Heap::runCurrentPhase):
1196         (JSC::Heap::runNotRunningPhase):
1197         (JSC::Heap::runBeginPhase):
1198         (JSC::Heap::runFixpointPhase):
1199         (JSC::Heap::runConcurrentPhase):
1200         (JSC::Heap::runReloopPhase):
1201         (JSC::Heap::runEndPhase):
1202         (JSC::Heap::changePhase):
1203         (JSC::Heap::finishChangingPhase):
1204         (JSC::Heap::stopThePeriphery):
1205         (JSC::Heap::resumeThePeriphery):
1206         (JSC::Heap::stopTheMutator):
1207         (JSC::Heap::resumeTheMutator):
1208         (JSC::Heap::stopIfNecessarySlow):
1209         (JSC::Heap::collectInMutatorThread):
1210         (JSC::Heap::collectInMutatorThreadImpl):
1211         (JSC::Heap::waitForCollector):
1212         (JSC::Heap::acquireAccessSlow):
1213         (JSC::Heap::releaseAccessSlow):
1214         (JSC::Heap::relinquishConn):
1215         (JSC::Heap::finishRelinquishingConn):
1216         (JSC::Heap::handleNeedFinalize):
1217         (JSC::Heap::notifyThreadStopping):
1218         (JSC::Heap::finalize):
1219         (JSC::Heap::requestCollection):
1220         (JSC::Heap::waitForCollection):
1221         (JSC::Heap::updateAllocationLimits):
1222         (JSC::Heap::didFinishCollection):
1223         (JSC::Heap::collectIfNecessaryOrDefer):
1224         (JSC::Heap::preventCollection):
1225         (JSC::Heap::performIncrement):
1226         (JSC::Heap::markToFixpoint): Deleted.
1227         (JSC::Heap::shouldCollectInThread): Deleted.
1228         (JSC::Heap::collectInThread): Deleted.
1229         (JSC::Heap::stopTheWorld): Deleted.
1230         (JSC::Heap::resumeTheWorld): Deleted.
1231         * heap/Heap.h:
1232         (JSC::Heap::machineThreads):
1233         (JSC::Heap::lastFullGCLength):
1234         (JSC::Heap::lastEdenGCLength):
1235         (JSC::Heap::increaseLastFullGCLength):
1236         * heap/HeapInlines.h:
1237         (JSC::Heap::mutatorIsStopped): Deleted.
1238         * heap/HeapStatistics.cpp: Removed.
1239         * heap/HeapStatistics.h: Removed.
1240         * heap/HelpingGCScope.h: Removed.
1241         * heap/MachineStackMarker.cpp:
1242         (JSC::MachineThreads::gatherFromCurrentThread):
1243         (JSC::MachineThreads::gatherConservativeRoots):
1244         * heap/MachineStackMarker.h:
1245         * heap/MarkedBlock.cpp:
1246         (JSC::MarkedBlock::Handle::sweep):
1247         * heap/MutatorState.cpp:
1248         (WTF::printInternal):
1249         * heap/MutatorState.h:
1250         * heap/RegisterState.h: Added.
1251         * heap/SlotVisitor.cpp:
1252         (JSC::SlotVisitor::drainFromShared):
1253         (JSC::SlotVisitor::drainInParallelPassively):
1254         (JSC::SlotVisitor::donateAll):
1255         * heap/StochasticSpaceTimeMutatorScheduler.cpp:
1256         (JSC::StochasticSpaceTimeMutatorScheduler::beginCollection):
1257         (JSC::StochasticSpaceTimeMutatorScheduler::synchronousDrainingDidStall):
1258         (JSC::StochasticSpaceTimeMutatorScheduler::timeToStop):
1259         * heap/SweepingScope.h: Added.
1260         (JSC::SweepingScope::SweepingScope):
1261         (JSC::SweepingScope::~SweepingScope):
1262         * jit/JITWorklist.cpp:
1263         (JSC::JITWorklist::Thread::Thread):
1264         * jsc.cpp:
1265         (GlobalObject::finishCreation):
1266         (functionFlashHeapAccess):
1267         * runtime/InitializeThreading.cpp:
1268         (JSC::initializeThreading):
1269         * runtime/JSCellInlines.h:
1270         (JSC::JSCell::classInfo):
1271         * runtime/Options.cpp:
1272         (JSC::overrideDefaults):
1273         * runtime/Options.h:
1274         * runtime/TestRunnerUtils.cpp:
1275         (JSC::finalizeStatsAtEndOfTesting):
1276
1277 2017-02-16  Anders Carlsson  <andersca@apple.com>
1278
1279         Remove EFL from JavaScriptCore
1280         https://bugs.webkit.org/show_bug.cgi?id=168459
1281
1282         Reviewed by Geoffrey Garen.
1283
1284         * heap/GCActivityCallback.cpp:
1285         (JSC::GCActivityCallback::GCActivityCallback):
1286         (JSC::GCActivityCallback::cancelTimer):
1287         (JSC::GCActivityCallback::didAllocate):
1288         * heap/GCActivityCallback.h:
1289         * heap/HeapTimer.cpp:
1290         (JSC::HeapTimer::add): Deleted.
1291         (JSC::HeapTimer::stop): Deleted.
1292         (JSC::HeapTimer::timerEvent): Deleted.
1293         * heap/HeapTimer.h:
1294         * inspector/EventLoop.cpp:
1295         (Inspector::EventLoop::cycle):
1296         * jsc.cpp:
1297         (main):
1298         * tools/CodeProfiling.cpp:
1299         (JSC::CodeProfiling::begin):
1300         (JSC::CodeProfiling::end):
1301
1302 2017-02-15  Brian Burg  <bburg@apple.com>
1303
1304         [Cocoa] Web Inspector: Inspector::fromProtocolString<T> should return std::optional<T>
1305         https://bugs.webkit.org/show_bug.cgi?id=168018
1306         <rdar://problem/30468779>
1307
1308         Reviewed by Joseph Pecoraro.
1309
1310         These methods parse untrusted string inputs, so they should return an optional instead
1311         of asserting or crashing when the input is not usable.
1312
1313         Update various pieces of generated code to handle the error case gracefully.
1314
1315         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1316         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
1317         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
1318         The local variable holding the ObjC-friendly converted value should take a std::optional
1319         when converting an enum from a string into an NS_ENUM value. If the enum command parameter
1320         is not optional, then send a response with a command failure message and return.
1321
1322         The optional enum parameter case is not handled correctly, but no existing code requires it.
1323
1324         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1325         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_from_protocol_string):
1326         Fix signature and remove default case ASSERT_NOT_REACHED.
1327
1328         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
1329         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_method_implementation):
1330         Since this code assumes all inputs to be valid and throws an exception otherwise, we
1331         try to convert the enum and throw an exception if it's nullopt. If it's valid, write to outValue.
1332
1333         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1334         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
1335         The local variable holding the ObjC-friendly converted value should take a std::optional
1336         when converting an enum from a string into an NS_ENUM value. If the enum command parameter
1337         is not optional, then throw an exception if the value is nullopt. Otherwise, allow it to be empty.
1338
1339         * inspector/scripts/codegen/objc_generator.py:
1340         (ObjCGenerator.protocol_to_objc_expression_for_member):
1341         Unconditionally unwrap the optional. This expression is only used inside the typechecked
1342         ObjC protocol objects. In this case we are guaranteed to have already initialized the enum with a valid
1343         value, but must store it as a string inside a wrapped InspectorObject. The getter needs to
1344         re-convert the stored string into an NS_ENUM value.
1345
1346         * inspector/scripts/codegen/objc_generator_templates.py:
1347         Update type template for fromProtocolString<T>().
1348
1349         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1350         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1351         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1352         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1353         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1354         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1355         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1356         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1357         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1358         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1359         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1360         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1361         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1362         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1363         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1364         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1365         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1366         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1367         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1368         Rebaseline tests.
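
        The pattern this entry describes, as an added example that is not the generated
        WebKit code: a hypothetical ConsoleLevel protocol enum whose fromProtocolString
        returns std::optional and refuses anything it does not recognise, a
        dispatcher-style handler that answers a failure response for a required parameter
        and tolerates an absent optional one, and a typed protocol object that validates
        on construction, stores the string, and unwraps unconditionally in its getter. All
        names (ConsoleLevel, dispatchSetLevel, ConsoleMessagePayload) are assumptions made
        for the example.

```cpp
#include <optional>
#include <string>
#include <string_view>
#include <utility>

// Hypothetical protocol enum standing in for a generated NS_ENUM (example only).
enum class ConsoleLevel { Log, Warning, Error };

// Parses an untrusted protocol string. Anything unexpected yields nullopt
// instead of tripping an assert or crashing the process: the remote side
// controls this string, so an unknown value is an input error, not a bug.
std::optional<ConsoleLevel> fromProtocolString(std::string_view s)
{
    if (s == "log")
        return ConsoleLevel::Log;
    if (s == "warning")
        return ConsoleLevel::Warning;
    if (s == "error")
        return ConsoleLevel::Error;
    return std::nullopt;
}

struct CommandResult {
    bool ok;
    std::string error;
};

// Backend-dispatcher shape: a required enum parameter that fails to convert
// produces a command failure response; an optional one is allowed to be empty.
CommandResult dispatchSetLevel(const std::optional<std::string>& rawLevel, bool parameterIsOptional)
{
    if (!rawLevel) {
        if (parameterIsOptional)
            return { true, "" };
        return { false, "Missing required parameter 'level'" };
    }
    std::optional<ConsoleLevel> level = fromProtocolString(*rawLevel);
    if (!level)
        return { false, "Parameter 'level' has unknown value '" + *rawLevel + "'" };
    (void)*level; // here the typed value would be handed to the command handler
    return { true, "" };
}

// Typed protocol object: the factory rejects invalid input, the value is kept
// as the protocol string, and the getter re-converts it with an unconditional
// unwrap, which is safe only because construction already ran the same parse.
class ConsoleMessagePayload {
public:
    static std::optional<ConsoleMessagePayload> fromPayload(std::string_view levelString)
    {
        if (!fromProtocolString(levelString))
            return std::nullopt;
        return ConsoleMessagePayload(std::string(levelString));
    }

    ConsoleLevel level() const { return *fromProtocolString(m_level); }

private:
    explicit ConsoleMessagePayload(std::string level) : m_level(std::move(level)) {}
    std::string m_level;
};
```

        The unconditional unwrap in ConsoleMessagePayload::level() is the only place a
        nullopt would be dereferenced, and it is reachable only through fromPayload, which
        has already rejected every string fromProtocolString rejects.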
1369
1370 2017-02-16  Keith Miller  <keith_miller@apple.com>
1371
1372         ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
1373         https://bugs.webkit.org/show_bug.cgi?id=168354
1374
1375         Reviewed by Filip Pizlo.
1376
1377         Add a new vmEntryGlobalObject method for the debugger so that
1378         the debugger does not crash in debug builds when trying to
1379         detach itself from a global object.
1380
1381         * debugger/Debugger.cpp:
1382         (JSC::Debugger::detach):
1383         * interpreter/CallFrame.cpp:
1384         (JSC::CallFrame::vmEntryGlobalObjectForDebuggerDetach):
1385         * interpreter/CallFrame.h:
1386
1387 2017-02-16  Keith Miller  <keith_miller@apple.com>
1388
1389         Refactor AccessCase to be more like B3Value
1390         https://bugs.webkit.org/show_bug.cgi?id=168408
1391
1392         Reviewed by Filip Pizlo.
1393
1394         This patch makes AccessCase (and new subclasses) more like B3Value. In the new system each
1395         type has an associated AccessCase subclass. For instance any getter should use the
1396         GetterSetterAccessCase subclass. The new system is easier to follow since you no longer need
1397         to know exactly which members are used by which types. The subclass to AccessType mapping is:
1398
1399         GetterSetterAccessCase:
1400             Getter
1401             CustomAccessorGetter
1402             CustomValueGetter
1403             Setter
1404
1405         ProxyableAccessCase:
1406             Load
1407             Miss
1408             GetGetter
1409
1410         IntrinsicGetterAccessCase:
1411             IntrinsicGetter
1412
1413         AccessCase:
1414             Everything else
1415
1416         It also has the additional advantage that it uses less memory for the cases where we would have needed
1417         rare data in the past but that case would only use a small bit of it.
1418
1419         This patch also removes megamorphic loads and renames some TryGetById related enum values from Pure to Try.
1420
1421         * CMakeLists.txt:
1422         * JavaScriptCore.xcodeproj/project.pbxproj:
1423         * bytecode/AccessCase.cpp: Added.
1424         (JSC::AccessCase::AccessCase):
1425         (JSC::AccessCase::create):
1426         (JSC::AccessCase::~AccessCase):
1427         (JSC::AccessCase::fromStructureStubInfo):
1428         (JSC::AccessCase::clone):
1429         (JSC::AccessCase::commit):
1430         (JSC::AccessCase::guardedByStructureCheck):
1431         (JSC::AccessCase::doesCalls):
1432         (JSC::AccessCase::couldStillSucceed):
1433         (JSC::AccessCase::canReplace):
1434         (JSC::AccessCase::dump):
1435         (JSC::AccessCase::visitWeak):
1436         (JSC::AccessCase::propagateTransitions):
1437         (JSC::AccessCase::generateWithGuard):
1438         (JSC::AccessCase::generate):
1439         (JSC::AccessCase::generateImpl):
1440         * bytecode/AccessCase.h: Added.
1441         (JSC::AccessCase::as):
1442         (JSC::AccessCase::create):
1443         (JSC::AccessCase::type):
1444         (JSC::AccessCase::state):
1445         (JSC::AccessCase::offset):
1446         (JSC::AccessCase::structure):
1447         (JSC::AccessCase::newStructure):
1448         (JSC::AccessCase::conditionSet):
1449         (JSC::AccessCase::alternateBase):
1450         (JSC::AccessCase::additionalSet):
1451         (JSC::AccessCase::viaProxy):
1452         (JSC::AccessCase::isGetter):
1453         (JSC::AccessCase::isAccessor):
1454         (JSC::AccessCase::dumpImpl):
1455         (JSC::AccessCase::resetState):
1456         * bytecode/GetByIdStatus.cpp:
1457         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1458         * bytecode/GetterSetterAccessCase.cpp: Added.
1459         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1460         (JSC::GetterSetterAccessCase::create):
1461         (JSC::GetterSetterAccessCase::~GetterSetterAccessCase):
1462         (JSC::GetterSetterAccessCase::clone):
1463         (JSC::GetterSetterAccessCase::alternateBase):
1464         (JSC::GetterSetterAccessCase::dumpImpl):
1465         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1466         * bytecode/GetterSetterAccessCase.h: Added.
1467         (JSC::GetterSetterAccessCase::callLinkInfo):
1468         (JSC::GetterSetterAccessCase::customSlotBase):
1469         (JSC::GetterSetterAccessCase::domJIT):
1470         * bytecode/IntrinsicGetterAccessCase.cpp: Added.
1471         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
1472         (JSC::IntrinsicGetterAccessCase::create):
1473         (JSC::IntrinsicGetterAccessCase::~IntrinsicGetterAccessCase):
1474         (JSC::IntrinsicGetterAccessCase::clone):
1475         * bytecode/IntrinsicGetterAccessCase.h: Added.
1476         (JSC::IntrinsicGetterAccessCase::intrinsicFunction):
1477         (JSC::IntrinsicGetterAccessCase::intrinsic):
1478         * bytecode/PolymorphicAccess.cpp:
1479         (JSC::PolymorphicAccess::regenerate):
1480         (WTF::printInternal):
1481         (JSC::AccessCase::AccessCase): Deleted.
1482         (JSC::AccessCase::tryGet): Deleted.
1483         (JSC::AccessCase::get): Deleted.
1484         (JSC::AccessCase::megamorphicLoad): Deleted.
1485         (JSC::AccessCase::replace): Deleted.
1486         (JSC::AccessCase::transition): Deleted.
1487         (JSC::AccessCase::setter): Deleted.
1488         (JSC::AccessCase::in): Deleted.
1489         (JSC::AccessCase::getLength): Deleted.
1490         (JSC::AccessCase::getIntrinsic): Deleted.
1491         (JSC::AccessCase::~AccessCase): Deleted.
1492         (JSC::AccessCase::fromStructureStubInfo): Deleted.
1493         (JSC::AccessCase::clone): Deleted.
1494         (JSC::AccessCase::commit): Deleted.
1495         (JSC::AccessCase::guardedByStructureCheck): Deleted.
1496         (JSC::AccessCase::alternateBase): Deleted.
1497         (JSC::AccessCase::doesCalls): Deleted.
1498         (JSC::AccessCase::couldStillSucceed): Deleted.
1499         (JSC::AccessCase::canBeReplacedByMegamorphicLoad): Deleted.
1500         (JSC::AccessCase::canReplace): Deleted.
1501         (JSC::AccessCase::dump): Deleted.
1502         (JSC::AccessCase::visitWeak): Deleted.
1503         (JSC::AccessCase::propagateTransitions): Deleted.
1504         (JSC::AccessCase::generateWithGuard): Deleted.
1505         (JSC::AccessCase::generate): Deleted.
1506         (JSC::AccessCase::generateImpl): Deleted.
1507         (JSC::AccessCase::emitDOMJITGetter): Deleted.
1508         * bytecode/PolymorphicAccess.h:
1509         (JSC::AccessCase::type): Deleted.
1510         (JSC::AccessCase::state): Deleted.
1511         (JSC::AccessCase::offset): Deleted.
1512         (JSC::AccessCase::viaProxy): Deleted.
1513         (JSC::AccessCase::structure): Deleted.
1514         (JSC::AccessCase::newStructure): Deleted.
1515         (JSC::AccessCase::conditionSet): Deleted.
1516         (JSC::AccessCase::intrinsicFunction): Deleted.
1517         (JSC::AccessCase::intrinsic): Deleted.
1518         (JSC::AccessCase::domJIT): Deleted.
1519         (JSC::AccessCase::additionalSet): Deleted.
1520         (JSC::AccessCase::customSlotBase): Deleted.
1521         (JSC::AccessCase::isGetter): Deleted.
1522         (JSC::AccessCase::callLinkInfo): Deleted.
1523         (JSC::AccessCase::RareData::RareData): Deleted.
1524         * bytecode/ProxyableAccessCase.cpp: Added.
1525         (JSC::ProxyableAccessCase::ProxyableAccessCase):
1526         (JSC::ProxyableAccessCase::create):
1527         (JSC::ProxyableAccessCase::~ProxyableAccessCase):
1528         (JSC::ProxyableAccessCase::clone):
1529         (JSC::ProxyableAccessCase::dumpImpl):
1530         * bytecode/ProxyableAccessCase.h: Added.
1531         * bytecode/PutByIdStatus.cpp:
1532         (JSC::PutByIdStatus::computeForStubInfo):
1533         * bytecode/StructureStubInfo.cpp:
1534         (JSC::StructureStubInfo::reset):
1535         * bytecode/StructureStubInfo.h:
1536         * dfg/DFGByteCodeParser.cpp:
1537         (JSC::DFG::ByteCodeParser::parseBlock):
1538         * dfg/DFGSpeculativeJIT.cpp:
1539         (JSC::DFG::SpeculativeJIT::compileTryGetById):
1540         * ftl/FTLLowerDFGToB3.cpp:
1541         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1542         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
1543         * jit/IntrinsicEmitter.cpp:
1544         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
1545         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
1546         (JSC::AccessCase::canEmitIntrinsicGetter): Deleted.
1547         (JSC::AccessCase::emitIntrinsicGetter): Deleted.
1548         * jit/JITOperations.cpp:
1549         * jit/JITPropertyAccess.cpp:
1550         (JSC::JIT::emit_op_try_get_by_id):
1551         * jit/JITPropertyAccess32_64.cpp:
1552         (JSC::JIT::emit_op_try_get_by_id):
1553         * jit/Repatch.cpp:
1554         (JSC::tryCacheGetByID):
1555         (JSC::tryCachePutByID):
1556         (JSC::tryRepatchIn):
1557         * jit/Repatch.h:
1558         * runtime/Options.h:
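
        The subclass-to-AccessType mapping described above, as an added example that is not
        JavaScriptCore's AccessCase: each AccessType selects one subclass, members that
        only some types need live on that subclass rather than in optional rare data, and a
        checked as<T>() downcast is gated on the type tag. The enum values, the
        compatibleWith helpers and createAccessCase are assumptions made for the example;
        the real class exposes more types and fields.

```cpp
#include <cassert>
#include <cstddef>
#include <memory>

// Hypothetical subset of access types (example only).
enum class AccessType { Load, Miss, GetGetter, Getter, Setter, Transition };

class AccessCase {
public:
    AccessCase(AccessType type, std::size_t offset) : m_type(type), m_offset(offset) {}
    virtual ~AccessCase() = default;
    AccessType type() const { return m_type; }
    std::size_t offset() const { return m_offset; }

    // Each class states which AccessTypes it may represent; the base class
    // covers "everything else".
    static bool compatibleWith(AccessType) { return true; }

    // Checked downcast: gated on the type tag, so asking a Load case for a
    // callLinkInfo fails an assert instead of reading a field the object never had.
    template<typename T> T& as()
    {
        assert(T::compatibleWith(m_type));
        return static_cast<T&>(*this);
    }

private:
    AccessType m_type;
    std::size_t m_offset;
};

// Load / Miss / GetGetter: the only cases that carry the via-proxy flag.
class ProxyableAccessCase : public AccessCase {
public:
    ProxyableAccessCase(AccessType type, std::size_t offset, bool viaProxy)
        : AccessCase(type, offset), m_viaProxy(viaProxy) { assert(compatibleWith(type)); }
    bool viaProxy() const { return m_viaProxy; }
    static bool compatibleWith(AccessType t)
    {
        return t == AccessType::Load || t == AccessType::Miss || t == AccessType::GetGetter;
    }

private:
    bool m_viaProxy;
};

// Getter / Setter: the only cases that carry call link information.
class GetterSetterAccessCase : public AccessCase {
public:
    GetterSetterAccessCase(AccessType type, std::size_t offset, int callLinkInfo)
        : AccessCase(type, offset), m_callLinkInfo(callLinkInfo) { assert(compatibleWith(type)); }
    int callLinkInfo() const { return m_callLinkInfo; }
    static bool compatibleWith(AccessType t)
    {
        return t == AccessType::Getter || t == AccessType::Setter;
    }

private:
    int m_callLinkInfo;
};

// Factory holding the subclass-to-AccessType mapping in one place.
std::unique_ptr<AccessCase> createAccessCase(AccessType type, std::size_t offset)
{
    if (ProxyableAccessCase::compatibleWith(type))
        return std::make_unique<ProxyableAccessCase>(type, offset, /* viaProxy */ false);
    if (GetterSetterAccessCase::compatibleWith(type))
        return std::make_unique<GetterSetterAccessCase>(type, offset, /* callLinkInfo */ 0);
    return std::make_unique<AccessCase>(type, offset);
}
```

        The memory point in the entry follows directly: a Transition case constructed
        through createAccessCase is a plain AccessCase and never pays for a call link or a
        proxy flag it cannot use.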
1559
1560 2017-02-16  Filip Pizlo  <fpizlo@apple.com>
1561
1562         JSONParseTest needs to hold the lock when the VM is destroyed
1563         https://bugs.webkit.org/show_bug.cgi?id=168450
1564
1565         Rubber stamped by Alex Christensen.
1566
1567         * API/tests/JSONParseTest.cpp:
1568         (testJSONParse):
1569
1570 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1571
1572         [JSC] Drop PassRefPtr in inspector/
1573         https://bugs.webkit.org/show_bug.cgi?id=168420
1574
1575         Reviewed by Alex Christensen.
1576
1577         Drop PassRefPtr uses.
1578         And use Ref<Inspector::ScriptArguments> and Ref<ScriptCallStack> as much as possible.
1579         It drops some unnecessary null checks.
1580
1581         * debugger/Debugger.cpp:
1582         (JSC::Debugger::hasBreakpoint):
1583         (JSC::Debugger::currentDebuggerCallFrame):
1584         * debugger/Debugger.h:
1585         * inspector/AsyncStackTrace.cpp:
1586         (Inspector::AsyncStackTrace::create):
1587         (Inspector::AsyncStackTrace::AsyncStackTrace):
1588         (Inspector::AsyncStackTrace::buildInspectorObject):
1589         (Inspector::AsyncStackTrace::truncate):
1590         * inspector/AsyncStackTrace.h:
1591         * inspector/ConsoleMessage.cpp:
1592         (Inspector::ConsoleMessage::ConsoleMessage):
1593         * inspector/ConsoleMessage.h:
1594         * inspector/InjectedScriptManager.cpp:
1595         (Inspector::InjectedScriptManager::InjectedScriptManager):
1596         (Inspector::InjectedScriptManager::injectedScriptHost):
1597         * inspector/InjectedScriptManager.h:
1598         * inspector/JSGlobalObjectConsoleClient.cpp:
1599         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
1600         (Inspector::JSGlobalObjectConsoleClient::count):
1601         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
1602         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
1603         (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
1604         * inspector/JSGlobalObjectConsoleClient.h:
1605         ConsoleClient now takes Ref<ScriptArgument>&& instead of RefPtr<ScriptArgument>&&.
1606
1607         * inspector/JSGlobalObjectInspectorController.cpp:
1608         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1609         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1610         * inspector/JSGlobalObjectInspectorController.h:
1611         * inspector/JSJavaScriptCallFrame.cpp:
1612         (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame):
1613         (Inspector::toJS):
1614         * inspector/JSJavaScriptCallFrame.h:
1615         (Inspector::JSJavaScriptCallFrame::create):
1616         * inspector/JavaScriptCallFrame.cpp:
1617         (Inspector::JavaScriptCallFrame::JavaScriptCallFrame):
1618         (Inspector::JavaScriptCallFrame::caller):
1619         * inspector/JavaScriptCallFrame.h:
1620         (Inspector::JavaScriptCallFrame::create):
1621         * inspector/ScriptDebugServer.cpp:
1622         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
1623         (Inspector::ScriptDebugServer::dispatchDidPause):
1624         (Inspector::ScriptDebugServer::exceptionOrCaughtValue):
1625         * inspector/agents/InspectorConsoleAgent.cpp:
1626         (Inspector::InspectorConsoleAgent::stopTiming):
1627         (Inspector::InspectorConsoleAgent::count):
1628         * inspector/agents/InspectorConsoleAgent.h:
1629         * inspector/agents/InspectorDebuggerAgent.cpp:
1630         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1631         * runtime/ConsoleClient.cpp:
1632         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1633         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
1634         (JSC::ConsoleClient::logWithLevel):
1635         (JSC::ConsoleClient::dir):
1636         (JSC::ConsoleClient::dirXML):
1637         (JSC::ConsoleClient::table):
1638         (JSC::ConsoleClient::trace):
1639         (JSC::ConsoleClient::assertion):
1640         (JSC::ConsoleClient::group):
1641         (JSC::ConsoleClient::groupCollapsed):
1642         (JSC::ConsoleClient::groupEnd):
1643         * runtime/ConsoleClient.h:
1644         * runtime/ConsoleObject.cpp:
1645         (JSC::consoleLogWithLevel):
1646         (JSC::consoleProtoFuncDir):
1647         (JSC::consoleProtoFuncDirXML):
1648         (JSC::consoleProtoFuncTable):
1649         (JSC::consoleProtoFuncTrace):
1650         (JSC::consoleProtoFuncAssert):
1651         (JSC::consoleProtoFuncCount):
1652         (JSC::consoleProtoFuncTimeStamp):
1653         (JSC::consoleProtoFuncGroup):
1654         (JSC::consoleProtoFuncGroupCollapsed):
1655         (JSC::consoleProtoFuncGroupEnd):
1656
1657 2017-02-15  Keith Miller  <keith_miller@apple.com>
1658
1659         Weak should not use jsCast in its accessors
1660         https://bugs.webkit.org/show_bug.cgi?id=168406
1661
1662         Reviewed by Filip Pizlo.
1663
1664         This can cause assertion failures in WebCore where classes might remove themselves
1665         from a data structure in a weak reference, if that reference is still alive.
1666
1667         * heap/WeakInlines.h:
1668         (JSC::>):
1669         (JSC::Weak<T>::operator):
1670         (JSC::Weak<T>::get):
1671
1672 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1673
1674         Web Inspector: allow import() inside the inspector
1675         https://bugs.webkit.org/show_bug.cgi?id=167457
1676
1677         Reviewed by Ryosuke Niwa.
1678
1679         We relax the import module hook to accept a null SourceOrigin.
1680         Such a script can be evaluated from the inspector console.
1681
1682         * jsc.cpp:
1683         (GlobalObject::moduleLoaderImportModule):
1684         * runtime/JSGlobalObjectFunctions.cpp:
1685         (JSC::globalFuncImportModule):
1686
1687 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1688
1689         [JSC] Update module namespace object according to the latest ECMA262
1690         https://bugs.webkit.org/show_bug.cgi?id=168280
1691
1692         Reviewed by Saam Barati.
1693
1694         Reflect updates to the module namespace object.
1695
1696         1. @@iterator property is dropped[1].
1697         2. @@toStringTag property becomes non-configurable[1].
1698         3. delete with Symbol should be delegated to the JSObject's one[2].
1699
1700         [1]: https://tc39.github.io/ecma262/#sec-module-namespace-objects
1701         [2]: https://github.com/tc39/ecma262/pull/767
1702
1703         * runtime/JSModuleNamespaceObject.cpp:
1704         (JSC::JSModuleNamespaceObject::finishCreation):
1705         (JSC::JSModuleNamespaceObject::deleteProperty):
1706         (JSC::moduleNamespaceObjectSymbolIterator): Deleted.
1707
1708 2017-02-16  Carlos Garcia Campos  <cgarcia@igalia.com>
1709
1710         Unreviewed. Fix the build after r212424.
1711
1712         Add missing file.
1713
1714         * inspector/remote/RemoteInspector.cpp: Added.
1715         (Inspector::RemoteInspector::startDisabled):
1716         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
1717         (Inspector::RemoteInspector::registerTarget):
1718         (Inspector::RemoteInspector::unregisterTarget):
1719         (Inspector::RemoteInspector::updateTarget):
1720         (Inspector::RemoteInspector::updateClientCapabilities):
1721         (Inspector::RemoteInspector::setRemoteInspectorClient):
1722         (Inspector::RemoteInspector::setupFailed):
1723         (Inspector::RemoteInspector::setupCompleted):
1724         (Inspector::RemoteInspector::waitingForAutomaticInspection):
1725         (Inspector::RemoteInspector::clientCapabilitiesDidChange):
1726         (Inspector::RemoteInspector::stop):
1727         (Inspector::RemoteInspector::listingForTarget):
1728         (Inspector::RemoteInspector::updateHasActiveDebugSession):
1729
1730 2017-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1731
1732         [JSC] Drop PassRefPtr in bytecompiler/
1733         https://bugs.webkit.org/show_bug.cgi?id=168374
1734
1735         Reviewed by Sam Weinig.
1736
1737         This patch drops PassRefPtr in bytecompiler directory.
1738         We carefully change this to Ref<>. And we use Ref<Label>
1739         as much as possible instead of using RefPtr<Label>.
1740         And use Label& instead of Label* as much as possible.
1741
1742         Currently we do not apply this change for RefPtr<RegisterID>,
1743         to reduce the size of this patch.
1744
1745         * bytecompiler/BytecodeGenerator.cpp:
1746         (JSC::BytecodeGenerator::BytecodeGenerator):
1747         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1748         (JSC::BytecodeGenerator::newLabelScope):
1749         (JSC::BytecodeGenerator::newLabel):
1750         (JSC::BytecodeGenerator::newEmittedLabel):
1751         Introduce a new helper function, which returns a new label that is emitted right here.
1752
1753         (JSC::BytecodeGenerator::emitLabel):
1754         (JSC::BytecodeGenerator::emitJump):
1755         (JSC::BytecodeGenerator::emitJumpIfTrue):
1756         (JSC::BytecodeGenerator::emitJumpIfFalse):
1757         (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
1758         (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
1759         Drop returning Ref<Label> since nobody uses it.
1760
1761         (JSC::BytecodeGenerator::emitGetByVal):
1762         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
1763         (JSC::BytecodeGenerator::emitCall):
1764         (JSC::BytecodeGenerator::emitReturn):
1765         (JSC::BytecodeGenerator::emitConstruct):
1766         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
1767         (JSC::BytecodeGenerator::breakTarget):
1768         (JSC::BytecodeGenerator::pushTry):
1769         (JSC::BytecodeGenerator::popTry):
1770         (JSC::prepareJumpTableForSwitch):
1771         (JSC::prepareJumpTableForStringSwitch):
1772         (JSC::BytecodeGenerator::endSwitch):
1773         (JSC::BytecodeGenerator::emitEnumeration):
1774         (JSC::BytecodeGenerator::emitIteratorNext):
1775         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
1776         (JSC::BytecodeGenerator::emitIteratorClose):
1777         (JSC::BytecodeGenerator::pushIndexedForInScope):
1778         (JSC::BytecodeGenerator::pushStructureForInScope):
1779         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
1780         (JSC::BytecodeGenerator::emitRequireObjectCoercible):
1781         (JSC::BytecodeGenerator::emitYieldPoint):
1782         (JSC::BytecodeGenerator::emitYield):
1783         (JSC::BytecodeGenerator::emitDelegateYield):
1784         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
1785         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
1786         (JSC::BytecodeGenerator::emitFinallyCompletion):
1787         (JSC::BytecodeGenerator::emitJumpIf):
1788         * bytecompiler/BytecodeGenerator.h:
1789         FinallyJump, FinallyContext, TryData, TryContext and TryRange hold Ref<Label>
1790         instead of RefPtr<Label>. They are never nullptr.
1791
1792         (JSC::FinallyJump::FinallyJump):
1793         (JSC::FinallyContext::FinallyContext):
1794         (JSC::FinallyContext::registerJump):
1795         (JSC::BytecodeGenerator::emitNodeInConditionContext):
1796         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
1797         * bytecompiler/Label.h:
1798         Make Label noncopyable.
1799
1800         * bytecompiler/LabelScope.h:
1801         (JSC::LabelScope::LabelScope):
1802         (JSC::LabelScope::breakTarget):
1803         breakTarget always returns Label&. On the other hand, continueTarget may be nullptr.
1804         So it returns Label*.
1805
1806         * bytecompiler/NodesCodegen.cpp:
1807         (JSC::ExpressionNode::emitBytecodeInConditionContext):
1808         (JSC::ConstantNode::emitBytecodeInConditionContext):
1809         (JSC::FunctionCallValueNode::emitBytecode):
1810         (JSC::CallFunctionCallDotNode::emitBytecode):
1811         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1812         (JSC::LogicalNotNode::emitBytecodeInConditionContext):
1813         (JSC::BinaryOpNode::emitBytecodeInConditionContext):
1814         (JSC::InstanceOfNode::emitBytecode):
1815         (JSC::LogicalOpNode::emitBytecode):
1816         (JSC::LogicalOpNode::emitBytecodeInConditionContext):
1817         (JSC::ConditionalNode::emitBytecode):
1818         (JSC::IfElseNode::emitBytecode):
1819         (JSC::DoWhileNode::emitBytecode):
1820         (JSC::WhileNode::emitBytecode):
1821         (JSC::ForNode::emitBytecode):
1822         (JSC::ForInNode::emitBytecode):
1823         (JSC::ContinueNode::trivialTarget):
1824         (JSC::ContinueNode::emitBytecode):
1825         (JSC::BreakNode::trivialTarget):
1826         (JSC::CaseBlockNode::emitBytecodeForBlock):
1827         (JSC::TryNode::emitBytecode):
1828         (JSC::FunctionNode::emitBytecode):
1829         (JSC::ClassExprNode::emitBytecode):
1830         (JSC::assignDefaultValueIfUndefined):
1831         (JSC::ArrayPatternNode::bindValue):
1832         Use Ref<Label> and Label&.
1833
1834         * parser/Nodes.h:
1835
1836 2017-02-15  Alex Christensen  <achristensen@webkit.org>
1837
1838         Unreviewed, rolling out r212394.
1839
1840         Fixed iOS WebInspector
1841
1842         Reverted changeset:
1843
1844         "Unreviewed, rolling out r212169."
1845         https://bugs.webkit.org/show_bug.cgi?id=166681
1846         http://trac.webkit.org/changeset/212394
1847
1848 2017-02-15  Guillaume Emont  <guijemont@igalia.com>
1849
1850         MIPS: add missing implementations of load8SignedExtendTo32()
1851
1852         JSC: missing implementations of MacroAssemblerMIPS::load8SignedExtendTo32()
1853         https://bugs.webkit.org/show_bug.cgi?id=168350
1854
1855         Reviewed by Yusuke Suzuki.
1856
1857         * assembler/MacroAssemblerMIPS.h:
1858         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
1859         Add missing implementations
1860
1861 2017-02-15  Alex Christensen  <achristensen@webkit.org>
1862
1863         Unreviewed, rolling out r212169.
1864
1865         Broke iOS WebInspector
1866
1867         Reverted changeset:
1868
1869         "WebInspector: refactor RemoteInspector to move cocoa specific
1870         code to their own files"
1871         https://bugs.webkit.org/show_bug.cgi?id=166681
1872         http://trac.webkit.org/changeset/212169
1873
1874 2017-02-15  Chris Dumez  <cdumez@apple.com>
1875
1876         Expose Symbol.toPrimitive / valueOf on Location instances
1877         https://bugs.webkit.org/show_bug.cgi?id=168295
1878
1879         Reviewed by Geoffrey Garen, Keith Miller and Mark Lam.
1880
1881         Cache origin objectProtoValueOf function on JSGlobalObject.
1882
1883         * runtime/JSGlobalObject.cpp:
1884         (JSC::JSGlobalObject::init):
1885         * runtime/JSGlobalObject.h:
1886         (JSC::JSGlobalObject::objectProtoValueOfFunction):
1887
1888 2017-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1889
1890         [JSC] Drop PassRefPtr
1891         https://bugs.webkit.org/show_bug.cgi?id=168320
1892
1893         Reviewed by Saam Barati.
1894
1895         * API/JSContextRef.cpp:
1896         (JSGlobalContextCreateInGroup):
1897         Use Ref<VM> from the factory function.
1898
1899         * API/JSScriptRef.cpp:
1900         (OpaqueJSScript::create):
1901         Return Ref<> instead.
1902
1903         * API/tests/JSONParseTest.cpp:
1904         (testJSONParse):
1905         Use Ref<VM>.
1906
1907         * assembler/LinkBuffer.cpp:
1908         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
1909         Use reference since we already perform null check.
1910
1911         * assembler/MacroAssemblerCodeRef.h:
1912         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
1913         Take Ref<>&& instead of PassRefPtr<>.
1914
1915         * bytecode/CallLinkInfo.h:
1916         (JSC::CallLinkInfo::setStub):
1917         (JSC::CallLinkInfo::setSlowStub):
1918         Take Ref<>&& instead of PassRefPtr<>.
1919
1920         * bytecode/CodeBlock.cpp:
1921         (JSC::CodeBlock::CodeBlock):
1922         Take RefPtr<SourceProvider>. Currently, the SourceProvider would be nullptr.
1923         We will change it to Ref<SourceProvider> in https://bugs.webkit.org/show_bug.cgi?id=168325.
1924
1925         (JSC::CodeBlock::finishCreation):
1926         Take Ref<TypeSet>&&.
1927
1928         * bytecode/CodeBlock.h:
1929         (JSC::CodeBlock::setJITCode):
1930         Take Ref<>&& instead.
1931
1932         (JSC::CodeBlock::jitCode):
1933         Return RefPtr<> instead.
1934
1935         * bytecode/EvalCodeBlock.h:
1936         (JSC::EvalCodeBlock::create):
1937         Take RefPtr<>&& instead since SourceProvider would be nullptr.
1938
1939         (JSC::EvalCodeBlock::EvalCodeBlock):
1940         * bytecode/FunctionCodeBlock.h:
1941         (JSC::FunctionCodeBlock::create):
1942         (JSC::FunctionCodeBlock::FunctionCodeBlock):
1943         Take RefPtr<>&& instead since SourceProvider would be nullptr.
1944
1945         * bytecode/GlobalCodeBlock.h:
1946         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1947         Take RefPtr<>&& instead since SourceProvider would be nullptr.
1948
1949         * bytecode/ModuleProgramCodeBlock.h:
1950         (JSC::ModuleProgramCodeBlock::create):
1951         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock):
1952         Take RefPtr<>&& instead since SourceProvider would be nullptr.
1953
1954         * bytecode/ProgramCodeBlock.h:
1955         (JSC::ProgramCodeBlock::create):
1956         (JSC::ProgramCodeBlock::ProgramCodeBlock):
1957         Take RefPtr<>&& instead since SourceProvider would be nullptr.
1958
1959         * debugger/DebuggerParseData.cpp:
1960         (JSC::gatherDebuggerParseDataForSource):
1961         Ensure the provider is not nullptr. It is OK because we already
1962         touch `provider->xxx` values.
1963
1964         * dfg/DFGBlockInsertionSet.cpp:
1965         (JSC::DFG::BlockInsertionSet::insert):
1966         Take Ref<>&& instead.
1967
1968         * dfg/DFGBlockInsertionSet.h:
1969         * dfg/DFGByteCodeParser.cpp:
1970         (JSC::DFG::ByteCodeParser::inlineCall):
1971         (JSC::DFG::ByteCodeParser::handleInlining):
1972         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1973         Pass Ref<>&& to appendBlock.
1974
1975         * dfg/DFGDriver.cpp:
1976         (JSC::DFG::compileImpl):
1977         (JSC::DFG::compile):
1978         Pass Ref<Plan>&&. And take Ref<>&& callback.
1979
1980         * dfg/DFGDriver.h:
1981         * dfg/DFGGraph.h:
1982         appendBlock takes Ref<>&&.
1983
1984         (JSC::DFG::Graph::appendBlock):
1985         * dfg/DFGJITCompiler.cpp:
1986         (JSC::DFG::JITCompiler::compile):
1987         (JSC::DFG::JITCompiler::compileFunction):
1988         * dfg/DFGJITCompiler.h:
1989         (JSC::DFG::JITCompiler::jitCode):
1990         * dfg/DFGJITFinalizer.cpp:
1991         (JSC::DFG::JITFinalizer::JITFinalizer):
1992         Take Ref<JITCode>&&.
1993
1994         (JSC::DFG::JITFinalizer::finalize):
1995         (JSC::DFG::JITFinalizer::finalizeFunction):
1996         (JSC::DFG::JITFinalizer::finalizeCommon):
1997         Pass compilation reference since we already perform null check.
1998
1999         * dfg/DFGJITFinalizer.h:
2000         * dfg/DFGWorklist.cpp:
2001         (JSC::DFG::Worklist::enqueue):
2002         Take Ref<Plan>&&.
2003
2004         * dfg/DFGWorklist.h:
2005         * ftl/FTLJITFinalizer.cpp:
2006         (JSC::FTL::JITFinalizer::finalizeFunction):
2007         Dereference and pass jitCode & compilation references.
2008
2009         * jit/GCAwareJITStubRoutine.cpp:
2010         (JSC::createJITStubRoutine):
2011         Return Ref<> instead.
2012
2013         * jit/GCAwareJITStubRoutine.h:
2014         (JSC::createJITStubRoutine):
2015         * jit/JIT.cpp:
2016         (JSC::JIT::link):
2017         Pass compilation reference since we already perform null check.
2018
2019         * jit/JITStubRoutine.h:
2020         (JSC::JITStubRoutine::asCodePtr):
2021         Take Ref<>&& instead. And this drops unnecessary null check.
2022
2023         * jit/JITThunks.cpp:
2024         (JSC::JITThunks::hostFunctionStub):
2025         Pass Ref<> to NativeExecutable::create.
2026
2027         * llint/LLIntEntrypoint.cpp:
2028         (JSC::LLInt::setFunctionEntrypoint):
2029         (JSC::LLInt::setEvalEntrypoint):
2030         (JSC::LLInt::setProgramEntrypoint):
2031         (JSC::LLInt::setModuleProgramEntrypoint):
2032         Use Ref<>&& instead.
2033
2034         * parser/SourceCode.h:
2035         (JSC::SourceCode::SourceCode):
2036         (JSC::SourceCode::subExpression):
2037         Add constructors taking Ref<>&&.
2038         We still have constructors that take RefPtr<>&&.
2039         We will change it to Ref<SourceProvider>&& in https://bugs.webkit.org/show_bug.cgi?id=168325.
2040
2041         * parser/UnlinkedSourceCode.h:
2042         (JSC::UnlinkedSourceCode::UnlinkedSourceCode):
2043         Add constructors taking Ref<>&&.
2044         We still have constructors that take RefPtr<>&&.
2045         We will change it to Ref<SourceProvider>&& in https://bugs.webkit.org/show_bug.cgi?id=168325.
2046
2047         * profiler/ProfilerDatabase.cpp:
2048         (JSC::Profiler::Database::addCompilation):
2049         Take Ref<Compilation>&&.
2050
2051         * profiler/ProfilerDatabase.h:
2052         Change data structures to hold Ref<> instead of RefPtr<>.
2053
2054         * runtime/EvalExecutable.h:
2055         (JSC::EvalExecutable::generatedJITCode):
2056         Return Ref<> instead.
2057
2058         * runtime/ExecutableBase.h:
2059         (JSC::ExecutableBase::generatedJITCodeForCall):
2060         (JSC::ExecutableBase::generatedJITCodeForConstruct):
2061         (JSC::ExecutableBase::generatedJITCodeFor):
2062         Return Ref<> instead.
2063
2064         * runtime/Identifier.cpp:
2065         (JSC::Identifier::add):
2066         (JSC::Identifier::add8):
2067         * runtime/Identifier.h:
2068         (JSC::Identifier::add):
2069         * runtime/JSGlobalObject.cpp:
2070         (JSC::JSGlobalObject::setInputCursor):
2071         And take Ref<> in this method.
2072
2073         * runtime/JSGlobalObject.h:
2074         (JSC::JSGlobalObject::inputCursor):
2075         Change m_inputCursor from RefPtr<> to Ref<>.
2076
2077         * runtime/JSPropertyNameEnumerator.cpp:
2078         (JSC::JSPropertyNameEnumerator::create):
2079         (JSC::JSPropertyNameEnumerator::finishCreation):
2080         Take Ref<PropertyNameArray>&&.
2081
2082         * runtime/JSPropertyNameEnumerator.h:
2083         (JSC::propertyNameEnumerator):
2084         * runtime/JSString.h:
2085         (JSC::JSString::JSString):
2086         Take Ref<StringImpl>&& since we do not allow nullptr in this constructor.
2087
2088         (JSC::JSString::create):
2089         (JSC::JSString::createHasOtherOwner):
2090         Take Ref<StringImpl>&& in these factory functions. And drop unnecessary assertions.
2091
2092         (JSC::jsSingleCharacterString):
2093         Use StringImpl::create() which returns Ref<>.
2094
2095         (JSC::jsNontrivialString):
2096         Dereference impl() since we ensure that `s.length() > 1`.
2097
2098         (JSC::jsString):
2099         Use releaseNonNull() since we ensure that `s.length() > 1`.
2100
2101         (JSC::jsOwnedString):
2102         Use releaseNonNull() since we ensure that `s.length() > 1`.
2103
2104         * runtime/ModuleProgramExecutable.h:
2105         * runtime/NativeExecutable.cpp:
2106         (JSC::NativeExecutable::create):
2107         (JSC::NativeExecutable::finishCreation):
2108         Take Ref<JITCode>&&.
2109
2110         * runtime/NativeExecutable.h:
2111         * runtime/ProgramExecutable.h:
2112         Return Ref<JITCode>.
2113
2114         * runtime/PropertyNameArray.h:
2115         (JSC::PropertyNameArray::releaseData):
2116         (JSC::PropertyNameArray::setData): Deleted.
2117         This is not used.
2118
2119         * runtime/RegExpKey.h:
2120         (JSC::RegExpKey::RegExpKey):
2121         Take RefPtr<>&&.
2122
2123         * runtime/SmallStrings.cpp:
2124         (JSC::SmallStringsStorage::rep):
2125         Return StringImpl& since m_reps is already initialized in the constructor.
2126
2127         (JSC::SmallStrings::createEmptyString):
2128         Dereference StringImpl::empty().
2129
2130         (JSC::SmallStrings::createSingleCharacterString):
2131         Use StringImpl&.
2132
2133         (JSC::SmallStrings::singleCharacterStringRep):
2134         Return StringImpl&.
2135
2136         (JSC::SmallStrings::initialize):
2137         Use AtomicStringImpl::add instead.
2138
2139         * runtime/SmallStrings.h:
2140         * runtime/Structure.cpp:
2141         (JSC::Structure::toStructureShape):
2142         Return Ref<>.
2143
2144         * runtime/Structure.h:
2145         * runtime/TypeLocationCache.cpp:
2146         (JSC::TypeLocationCache::getTypeLocation):
2147         Take RefPtr<TypeSet>&&.
2148
2149         * runtime/TypeLocationCache.h:
2150         * runtime/TypeProfilerLog.cpp:
2151         Pass Ref<>&&.
2152
2153         (JSC::TypeProfilerLog::processLogEntries):
2154         * runtime/TypeSet.cpp:
2155         (JSC::TypeSet::addTypeInformation):
2156         Take RefPtr<>&& since it can be nullptr.
2157         And clean up "not found" code.
2158
2159         (JSC::TypeSet::allStructureRepresentations):
2160         Use range based iteration.
2161
2162         (JSC::StructureShape::leastCommonAncestor):
2163         We found that this method accidentally takes `const Vector<>` instead of `const Vector<>&`.
2164         And internally, we just use raw pointers since these StructureShapes are owned by the m_proto trees which starts from the given Vector<>.
2165
2166         (JSC::StructureShape::hasSamePrototypeChain):
2167         Take const reference instead. And use raw pointers internally.
2168
2169         (JSC::StructureShape::merge):
2170         Take Ref<>&&.
2171
2172         * runtime/TypeSet.h:
2173         (JSC::StructureShape::setProto):
2174         Take Ref<>&&.
2175
2176         * runtime/VM.cpp:
2177         (JSC::VM::getHostFunction):
2178         Pass Ref<>&&.
2179
2180         (JSC::VM::queueMicrotask):
2181         Take and pass Ref<>&&.
2182
2183         * runtime/VM.h:
2184         (JSC::QueuedTask::QueuedTask):
2185         Take Ref<>&&.
2186
2187         * tools/FunctionOverrides.cpp:
2188         (JSC::initializeOverrideInfo):
2189         We need this change due to Ref<>&& and RefPtr<>&& ambiguity of SourceCode constructors.
2190         Once SourceCode is fixed to only take Ref<>&&, this change is unnecessary.
2191
2192 2017-02-15  Csaba Osztrogonác  <ossy@webkit.org>
2193
2194         [Mac][cmake] Unreviewed trivial buildfix after r212169.
2195         https://bugs.webkit.org/show_bug.cgi?id=166681
2196
2197         * PlatformMac.cmake: Removed inspector/remote/RemoteInspectorXPCConnection.mm.
2198
2199 2017-02-14  Mark Lam  <mark.lam@apple.com>
2200
2201         Add JSC_sweepSynchronously and fix JSC_useZombieMode options.
2202         https://bugs.webkit.org/show_bug.cgi?id=168257
2203         <rdar://problem/30451496>
2204
2205         Reviewed by Filip Pizlo.
2206
2207         JSC_useZombieMode now basically enables JSC_sweepSynchronously and
2208         JSC_scribbleFreeCells, which together does the job of zombifying dead objects
2209         immediately after a GC.
2210
2211         * heap/Heap.cpp:
2212         (JSC::Heap::sweepSynchronously):
2213         (JSC::Heap::collectAllGarbage):
2214         (JSC::Heap::finalize):
2215         (JSC::Heap::didFinishCollection):
2216         (JSC::Zombify::visit): Deleted.
2217         (JSC::Zombify::operator()): Deleted.
2218         (JSC::Heap::zombifyDeadObjects): Deleted.
2219         * heap/Heap.h:
2220         (JSC::Heap::isZombified): Deleted.
2221         * runtime/Options.cpp:
2222         (JSC::recomputeDependentOptions):
2223         * runtime/Options.h:
2224
2225 2017-02-13  Michael Saboff  <msaboff@apple.com>
2226
2227         asyncDisassembly crashes on iOS
2228         https://bugs.webkit.org/show_bug.cgi?id=168259
2229
2230         Reviewed by Filip Pizlo.
2231
2232         Eliminated the dumping of the disassembly for the JIT write thunk.
2233         Not only does it fix the crash, but given the nature of the JIT
2234         write thunk, we probably don't want to disassemble it anyway.
2235         
2236         * jit/ExecutableAllocatorFixedVMPool.cpp:
2237         (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
2238
2239 2017-02-12  Ryosuke Niwa  <rniwa@webkit.org>
2240
2241         C loop build fix attempt after r212207.
2242
2243         * runtime/Lookup.h:
2244
2245 2017-02-11  Sam Weinig  <sam@webkit.org>
2246
2247         Remove the remaining functions out of JSDOMBinding
2248         https://bugs.webkit.org/show_bug.cgi?id=168179
2249
2250         Reviewed by Darin Adler.
2251
2252         Move utility functions into more appropriate locations.
2253         - Move hasIteratorMethod to IteratorOperations.
2254         - Move nonCachingStaticFunctionGetter to Lookup.
2255
2256         * runtime/IteratorOperations.cpp:
2257         (JSC::hasIteratorMethod):
2258         * runtime/IteratorOperations.h:
2259         * runtime/Lookup.h:
2260         (JSC::nonCachingStaticFunctionGetter):
2261
2262 2017-02-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2263
2264         [JSC] Implement (Shared)ArrayBuffer.prototype.byteLength
2265         https://bugs.webkit.org/show_bug.cgi?id=166476
2266
2267         Reviewed by Saam Barati.
2268
2269         `byteLength` becomes getter and is set in ArrayBuffer.prototype
2270         and SharedArrayBuffer.prototype. This patch implements the
2271         above getter in native function. We do not have any optimization
2272         path for that for now since ArrayBuffer.prototype.byteLength is
2273         not considered a hot function: while TypedArrays have [] accesses,
2274         ArrayBuffer does not have that. Thus byteLength getter is not so
2275         meaningful for hot paths like iterations.
2276
2277         * runtime/JSArrayBuffer.cpp:
2278         (JSC::JSArrayBuffer::getOwnPropertySlot): Deleted.
2279         (JSC::JSArrayBuffer::put): Deleted.
2280         (JSC::JSArrayBuffer::defineOwnProperty): Deleted.
2281         (JSC::JSArrayBuffer::deleteProperty): Deleted.
2282         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames): Deleted.
2283         * runtime/JSArrayBuffer.h:
2284         (JSC::JSArrayBuffer::impl): Deleted.
2285         * runtime/JSArrayBufferPrototype.cpp:
2286         (JSC::arrayBufferProtoGetterFuncByteLength):
2287         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
2288         (JSC::JSArrayBufferPrototype::finishCreation):
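
The following is an added example, not JavaScriptCore code, that probes the shape this change gives `byteLength`: a getter on `ArrayBuffer.prototype` (and `SharedArrayBuffer.prototype`) rather than an own property of each buffer. A native accessor of this kind validates its receiver, so reading it on the wrong kind of object throws a `TypeError` instead of returning garbage. The helper names below are the example's own; it assumes an engine with ES2017 `ArrayBuffer` and, optionally, `SharedArrayBuffer`.

```javascript
// Added example, not JavaScriptCore code: probes of how byteLength is exposed
// once it is a prototype accessor rather than an own data property.

// Where the accessor lives: on the prototype, as a getter with no setter.
// Returns the property descriptor, or null if no getter is installed.
function byteLengthAccessorOf(ctor) {
  const desc = Object.getOwnPropertyDescriptor(ctor.prototype, "byteLength");
  if (!desc || typeof desc.get !== "function") return null;
  return desc;
}

// Instances carry no own "byteLength"; the value is computed by the getter.
function instanceHasOwnByteLength(buffer) {
  return Object.prototype.hasOwnProperty.call(buffer, "byteLength");
}

// The native getter checks its receiver: invoking it on anything that is
// not the matching kind of buffer (a plain object, a typed array, or a
// SharedArrayBuffer for the ArrayBuffer getter) must throw a TypeError.
function getterRejectsReceiver(ctor, receiver) {
  const desc = byteLengthAccessorOf(ctor);
  if (!desc) return false;
  try {
    desc.get.call(receiver);
    return false; // no brand check: the getter accepted a foreign receiver
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Reading through the getter with a correct receiver yields the length.
function byteLengthVia(ctor, buffer) {
  return byteLengthAccessorOf(ctor).get.call(buffer);
}
```

`getterRejectsReceiver` is the check worth keeping around when auditing polyfills or host bindings: an accessor that returns a value for `{}` or for a typed array has skipped the receiver check the native implementation performs.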
2289
2290 2017-02-10  Saam Barati  <sbarati@apple.com>
2291
2292         Object allocation sinking phase doesn't properly handle control flow when emitting a PutHint of a materialized object into a PromotedHeapLocation of a still sunken object
2293         https://bugs.webkit.org/show_bug.cgi?id=168140
2294         <rdar://problem/30205880>
2295
2296         Reviewed by Filip Pizlo.
2297
2298         This patch fixes a bug in allocation sinking phase where
2299         we don't properly handle control flow when materializing
2300         an object and also PutHinting that materialization into
2301         a still sunken object. We were performing the PutHint
2302         for the materialization at the point of materialization,
2303         however, we may have materialized along both edges
2304         of a control flow diamond, in which case, we need to
2305         also PutHint at the join point. Consider this program:
2306         
2307         ```
2308         bb#0:
2309         b: PhantomActivation()
2310         a: PhantomNewFunction()
2311         c: PutHint(@a, @b, ActivationLoc)
2312         Branch(#1, #2)
2313         
2314         bb#1:
2315         d: MaterializeActivation()
2316         e: PutHint(@a, @d, ActivationLoc)
2317         f: Upsilon(@d, ^p)
2318         Jump(#3)
2319         
2320         bb#2:
2321         g: MaterializeActivation()
2322         h: PutHint(@a, @g, ActivationLoc)
2323         i: Upsilon(@d, ^p)
2324         Jump(#3)
2325         
2326         bb#3:
2327         p: Phi()
2328         // What is PromotedHeapLocation(@a, ActivationLoc) here?
2329         // What would we do if we exited?
2330         ```
2331         Before this patch, we didn't perform a PutHint of the Phi.
2332         However, we need to, otherwise when exit, we won't know
2333         the value of PromotedHeapLocation(@a, ActivationLoc)
2334         
2335         The program we need then, for correctness, is this:
2336         ```
2337         bb#0:
2338         b: PhantomActivation()
2339         a: PhantomNewFunction()
2340         c: PutHint(@a, @b, ActivationLoc)
2341         Branch(#1, #2)
2342         
2343         bb#1:
2344         d: MaterializeActivation()
2345         e: PutHint(@a, @d, ActivationLoc)
2346         f: Upsilon(@d, ^p)
2347         Jump(#3)
2348         
2349         bb#2:
2350         g: MaterializeActivation()
2351         h: PutHint(@a, @g, ActivationLoc)
2352         i: Upsilon(@d, ^p)
2353         Jump(#3)
2354         
2355         bb#3:
2356         p: Phi()
2357         j: PutHint(@a, @p, ActivationLoc)
2358         ```
2359         
2360         This patch makes it so that we emit the necessary PutHint at node `j`.
2361         I've also added more validation to the OSRAvailabilityAnalysisPhase
2362         to catch this problem during validation.
2363
2364         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2365         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2366         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2367         * ftl/FTLOperations.cpp:
2368         (JSC::FTL::operationMaterializeObjectInOSR):
2369
2370 2017-02-10  Carlos Garcia Campos  <cgarcia@igalia.com>
2371
2372         WebInspector: refactor RemoteInspector to move cocoa specific code to their own files
2373         https://bugs.webkit.org/show_bug.cgi?id=166681
2374
2375         Reviewed by Michael Catanzaro.
2376
2377         Move RemoteConnectionToTarget.mm and RemoteInspector.mm to a cocoa directory renamed with a Cocoa prefix,
2378         because those are now the cocoa implementation of RemoteConnectionToTarget and RemoteInspector. The
2379         cross-platform parts of RemoteInspector have been moved to a new RemoteInspector.cpp file. Also moved to cocoa
2380         directory RemoteInspectorXPCConnection.h and RemoteInspectorXPCConnection.mm keeping the same name. Other than
2381         that there aren't important code changes, only some cocoa specific types like NSString used in common headers,
2382         and some other platform ifdefs needed. This is in preparation for adding a remote inspector implementation for
2383         the GTK+ port.
2384
2385         * API/JSRemoteInspector.cpp:
2386         (JSRemoteInspectorSetParentProcessInformation): Add PLATFORM(COCOA) to the ifdef.
2387         * JavaScriptCore.xcodeproj/project.pbxproj:
2388         * PlatformMac.cmake:
2389         * inspector/remote/RemoteConnectionToTarget.h: Add platform ifdefs for cocoa specific parts and change
2390         sendMessageToTarget to receive a WTF String instead of an NSString.
2391         * inspector/remote/RemoteControllableTarget.h: Add platform ifdefs for CF specific parts.
2392         * inspector/remote/RemoteInspectionTarget.h:
2393         * inspector/remote/RemoteInspector.cpp: Added.
2394         (Inspector::RemoteInspector::startDisabled):
2395         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
2396         (Inspector::RemoteInspector::registerTarget):
2397         (Inspector::RemoteInspector::unregisterTarget):
2398         (Inspector::RemoteInspector::updateTarget):
2399         (Inspector::RemoteInspector::updateClientCapabilities):
2400         (Inspector::RemoteInspector::setRemoteInspectorClient):
2401         (Inspector::RemoteInspector::setupFailed):
2402         (Inspector::RemoteInspector::setupCompleted):
2403         (Inspector::RemoteInspector::waitingForAutomaticInspection):
2404         (Inspector::RemoteInspector::clientCapabilitiesDidChange):
2405         (Inspector::RemoteInspector::stop):
2406         (Inspector::RemoteInspector::listingForTarget):
2407         (Inspector::RemoteInspector::updateHasActiveDebugSession):
2408         * inspector/remote/RemoteInspector.h: Add platform ifdefs for cocoa specific parts. Also add TargetListing
2409         typedef to define platform specific types for the listings without more ifdefs.
2410         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteConnectionToTarget.mm.
2411         (Inspector::RemoteTargetInitializeGlobalQueue):
2412         (Inspector::RemoteConnectionToTarget::setup):
2413         (Inspector::RemoteConnectionToTarget::close):
2414         (Inspector::RemoteConnectionToTarget::sendMessageToTarget):
2415         (Inspector::RemoteConnectionToTarget::setupRunLoop):
2416         * inspector/remote/cocoa/RemoteInspectorCocoa.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspector.mm.
2417         (Inspector::canAccessWebInspectorMachPort):
2418         (Inspector::RemoteInspector::singleton):
2419         (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
2420         (Inspector::RemoteInspector::start):
2421         (Inspector::RemoteInspector::pushListingsSoon):
2422         (Inspector::RemoteInspector::receivedIndicateMessage):
2423         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2424         * inspector/remote/cocoa/RemoteInspectorXPCConnection.h: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspectorXPCConnection.h.
2425         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Renamed from Source/JavaScriptCore/inspector/remote/RemoteInspectorXPCConnection.mm.
2426         (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
2427
2428 2017-02-10  Brian Burg  <bburg@apple.com>
2429
2430         [Cocoa] Web Inspector: payload initializers for ObjC protocol types handles special-cased property names incorrectly
2431         https://bugs.webkit.org/show_bug.cgi?id=168141
2432
2433         Reviewed by Joseph Pecoraro.
2434
2435         The generated code erroneously uses the ObjC variable name as the payload key,
2436         rather than the raw type member name. For example, 'identifier' would be used instead of 'id'.
2437
2438         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2439         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
2440
2441         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2442         Rebaseline an affected test.
2443
2444 2017-02-10  Mark Lam  <mark.lam@apple.com>
2445
2446         StructureStubInfo::considerCaching() should write barrier its owner CodeBlock when buffering a new Structure.
2447         https://bugs.webkit.org/show_bug.cgi?id=168137
2448         <rdar://problem/28656664>
2449
2450         Reviewed by Filip Pizlo.
2451
2452         If we're adding a new structure to StructureStubInfo's bufferedStructures, we
2453         should write barrier the StubInfo's owner CodeBlock because that structure may be
2454         collected during the next GC.  Write barrier-ing the owner CodeBlock ensures that
2455         CodeBlock::finalizeBaselineJITInlineCaches() is called on it during the GC,
2456         which, in turn, gives the StructureStubInfo the opportunity to filter out the
2457         dead structure.
2458
2459         * bytecode/StructureStubInfo.h:
2460         (JSC::StructureStubInfo::considerCaching):
2461         * jit/JITOperations.cpp:
2462
2463 2017-02-10  Brian Burg  <bburg@apple.com>
2464
2465         [Cocoa] Web Inspector: generate an NS_ENUM containing platforms supported by the protocol code generator
2466         https://bugs.webkit.org/show_bug.cgi?id=168019
2467         <rdar://problem/28718990>
2468
2469         Reviewed by Joseph Pecoraro.
2470
2471         It's useful to have a symbolic value (not a string) for each of the supported platform values.
2472         Generate this once per protocol for the Objective-C bindings. Covered by existing tests.
2473
2474         * inspector/scripts/codegen/generate_objc_header.py:
2475         (ObjCHeaderGenerator.generate_output):
2476         (ObjCHeaderGenerator._generate_enum_for_platforms):
2477         Create an NS_ENUM for Platform values in Platforms.
2478
2479         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2480         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
2481         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_conversion_for_platforms):
2482         Add type conversion/parsing methods for the newly added enum.
2483
2484         * inspector/scripts/codegen/generator.py:
2485         (Generator.stylized_name_for_enum_value):
2486         (Generator.stylized_name_for_enum_value.replaceCallback):
2487         Support arbitrary special-cased substrings in enums, not just all-caps. Add 'IOS' and 'MacOS'.
2488
2489         * inspector/scripts/codegen/models.py:
2490         (Platforms):
2491         Use lower-case string values for platform names, to avoid guesswork.
2492
2493         (Platforms.__metaclass__):
2494         (Platforms.__metaclass__.__iter__):
2495         Make it possible to iterate over Platform instances of Platforms.
2496
2497         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2498         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2499         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2500         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2501         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2502         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2503         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2504         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2505         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2506         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2507         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2508         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2509         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2510         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2511         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2512         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2513         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2514         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2515         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2516         Rebaseline results.
2517
2518 2017-02-09  Filip Pizlo  <fpizlo@apple.com>
2519
2520         SharedArrayBuffer does not need to be in the transfer list
2521         https://bugs.webkit.org/show_bug.cgi?id=168079
2522
2523         Reviewed by Geoffrey Garen and Keith Miller.
2524         
2525         Exposes a simple shareWith() API for when you know you want to share the contents of
2526         a shared buffer. Also a useful explicit operator bool.
2527
2528         * runtime/ArrayBuffer.cpp:
2529         (JSC::ArrayBuffer::shareWith):
2530         * runtime/ArrayBuffer.h:
2531         (JSC::ArrayBufferContents::operator bool):
2532
2533 2017-02-09  Mark Lam  <mark.lam@apple.com>
2534
2535         B3::Procedure::deleteOrphans() should neutralize upsilons with dead phis.
2536         https://bugs.webkit.org/show_bug.cgi?id=167437
2537         <rdar://problem/30198083>
2538
2539         Reviewed by Filip Pizlo.
2540
2541         * b3/B3Procedure.cpp:
2542         (JSC::B3::Procedure::deleteOrphans):
2543
2544 2017-02-09  Saam Barati  <sbarati@apple.com>
2545
2546         Sloppy mode: We don't properly hoist functions names "arguments" when we have a non-simple parameter list
2547         https://bugs.webkit.org/show_bug.cgi?id=167319
2548         <rdar://problem/30149432>
2549
2550         Reviewed by Mark Lam.
2551
2552         When hoisting a function inside sloppy mode, we were assuming all "var"s are inside
2553         what we call the "var" SymbolTableEntry. This was almost true, except for "arguments",
2554         which has sufficiently weird behavior. "arguments" can be visible to the default
2555         parameter expressions inside a function, therefore can't go inside the "var"
2556         SymbolTableEntry since the parameter SymbolTableEntry comes before the "var"
2557         SymbolTableEntry in the scope chain.  Therefore, if we hoist a function named
2558         "arguments", then we must also look for that variable inside the parameter scope
2559         stack entry.
2560
2561         * bytecompiler/BytecodeGenerator.cpp:
2562         (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
2563
2564 2017-02-09  Mark Lam  <mark.lam@apple.com>
2565
2566         Fix max length check in ArrayPrototype.js' concatSlowPath().
2567         https://bugs.webkit.org/show_bug.cgi?id=167270
2568         <rdar://problem/30128133>
2569
2570         Reviewed by Filip Pizlo.
2571
2572         1. Fixed concatSlowPath() to ensure that the result array length does not exceed
2573            @MAX_ARRAY_INDEX.  The old code was checking against @MAX_SAFE_INTEGER in some
2574            cases, but this is overly permissive.
2575
2576         2. Changed concatSlowPath() to throw a RangeError instead of a TypeError to be
2577            consistent with the C++ runtime functions in JSArray.cpp.
2578
2579         3. Changed the RangeError message in concatSlowPath() and JSArray.cpp to "Length
2580            exceeded the maximum array length" when the error is that the result length
2581            exceeds MAX_ARRAY_INDEX.  We do this for 2 reasons:
2582            a. "Length exceeded the maximum array length" is more informative than
2583               "Invalid array length".
2584            b. We want to use the same string consistently for the same error.
2585
2586            There are still 2 places in JSArray.cpp that still throw a RangeError with
2587            message "Invalid array length".  In those cases, the error is not necessarily
2588            due to the result length exceeding MAX_ARRAY_INDEX, but is due to attempting to
2589            set a length value that is not an integer that fits in MAX_ARRAY_INDEX e.g.
2590            an attempt to set a fractional length value.  Hence, "Invalid array length" is
2591            appropriate for those cases.
2592
2593         4. Fixed JSArray::appendMemcpy() to handle overflows when computing the result
2594            array length.
2595
2596         * builtins/ArrayPrototype.js:
2597         (concatSlowPath):
2598         * bytecode/BytecodeIntrinsicRegistry.cpp:
2599         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2600         * bytecode/BytecodeIntrinsicRegistry.h:
2601         * runtime/ArrayPrototype.cpp:
2602         (JSC::concatAppendOne):
2603         (JSC::arrayProtoPrivateFuncAppendMemcpy):
2604         * runtime/JSArray.cpp:
2605         (JSC::JSArray::appendMemcpy):
2606         (JSC::JSArray::push):
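
The following is an added example, not JavaScriptCore code, that models the two checks this entry describes: the result-length bound in `concatSlowPath()` (rejecting against the array-index limit rather than the much larger `MAX_SAFE_INTEGER`, and as a `RangeError`), and the 32-bit overflow in `JSArray::appendMemcpy()` when two lengths are summed. It assumes `MAX_ARRAY_INDEX` is `0xFFFFFFFE`, the largest valid array index; the function names and the sample lengths are the example's own.

```javascript
// Added example, not JavaScriptCore code: a JavaScript model of the length
// checks in concatSlowPath() and JSArray::appendMemcpy().
// MAX_ARRAY_INDEX is assumed to be 0xFFFFFFFE (largest valid array index).
const MAX_ARRAY_INDEX = 0xFFFFFFFE;
const ERROR_MESSAGE = "Length exceeded the maximum array length";

// ECMAScript ToLength: clamp to an integer in [0, 2^53 - 1].
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (!(n > 0)) return 0; // NaN and negative values become 0
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// The old, overly permissive check: it only rejects once the running total
// would pass MAX_SAFE_INTEGER, so totals between 2^32 and 2^53 slip through.
function oldCheckAccepts(runningTotal, nextLength) {
  return runningTotal + nextLength <= Number.MAX_SAFE_INTEGER;
}

// Result length of concatenating array-likes with the fixed check: every
// step must keep the total within MAX_ARRAY_INDEX, and a violation is a
// RangeError (as in the C++ runtime), not a TypeError. The subtraction form
// never builds a sum that could exceed 2^53 and lose precision.
function concatResultLength(parts) {
  let total = 0;
  for (const part of parts) {
    const len = toLength(part.length);
    if (len > MAX_ARRAY_INDEX - total) throw new RangeError(ERROR_MESSAGE);
    total += len;
  }
  return total;
}

// appendMemcpy() computes the new length in a 32-bit unsigned integer.
// Unchecked addition there wraps, which is what this function reproduces.
function wrappingAppendLength(thisLength, otherLength) {
  return (thisLength + otherLength) >>> 0;
}

// The fixed form: detect the overflow and reject it as a RangeError.
function checkedAppendLength(thisLength, otherLength) {
  if (otherLength > MAX_ARRAY_INDEX - thisLength) throw new RangeError(ERROR_MESSAGE);
  return thisLength + otherLength;
}

// Reports whether fn throws the RangeError the fixed paths produce.
function throwsRangeError(fn) {
  try {
    fn();
  } catch (e) {
    return e instanceof RangeError && e.message === ERROR_MESSAGE;
  }
  return false;
}
```

The constructed inputs in the test use array-likes with large `length` values rather than real arrays, since allocating a buffer near 2^32 elements is neither needed nor practical to demonstrate the bound.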
2607
2608 2017-02-09  Mark Lam  <mark.lam@apple.com>
2609
2610         Constructed object's global object should be the global object of the constructor.
2611         https://bugs.webkit.org/show_bug.cgi?id=167121
2612         <rdar://problem/30054759>
2613
2614         Reviewed by Filip Pizlo and Geoffrey Garen.
2615
2616         The realm (i.e. globalObject) of any object should be the same as the constructor
2617         that instantiated the object.  Changed PrototypeMap::createEmptyStructure() to
2618         be passed the correct globalObject to use instead of assuming it's the same one
2619         as the prototype object.
2620
2621         * bytecode/CodeBlock.cpp:
2622         (JSC::CodeBlock::finishCreation):
2623         * bytecode/InternalFunctionAllocationProfile.h:
2624         (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
2625         * bytecode/ObjectAllocationProfile.h:
2626         (JSC::ObjectAllocationProfile::initialize):
2627         * runtime/FunctionRareData.cpp:
2628         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2629         * runtime/FunctionRareData.h:
2630         (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
2631         * runtime/InternalFunction.cpp:
2632         (JSC::InternalFunction::createSubclassStructure):
2633         * runtime/IteratorOperations.cpp:
2634         (JSC::createIteratorResultObjectStructure):
2635         * runtime/JSBoundFunction.cpp:
2636         (JSC::getBoundFunctionStructure):
2637         * runtime/JSFunction.cpp:
2638         (JSC::JSFunction::allocateAndInitializeRareData):
2639         (JSC::JSFunction::initializeRareData):
2640         * runtime/JSGlobalObject.cpp:
2641         (JSC::JSGlobalObject::init):
2642         * runtime/JSProxy.cpp:
2643         (JSC::JSProxy::setTarget):
2644         * runtime/ObjectConstructor.h:
2645         (JSC::constructEmptyObject):
2646         * runtime/PrototypeMap.cpp:
2647         (JSC::PrototypeMap::createEmptyStructure):
2648         (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
2649         (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2650         (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
2651         * runtime/PrototypeMap.h:
2652
2653 2017-02-09  Keith Miller  <keith_miller@apple.com>
2654
2655         We should not allow Function.caller to be used on native functions
2656         https://bugs.webkit.org/show_bug.cgi?id=165628
2657
2658         Reviewed by Mark Lam.
2659
2660         Also remove unneeded dynamic cast.
2661
2662         * runtime/JSFunction.cpp:
2663         (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
2664         (JSC::JSFunction::callerGetter):
2665
2666 2017-02-08  Keith Miller  <keith_miller@apple.com>
2667
2668         [JSC] op_in should have ArrayProfile
2669         https://bugs.webkit.org/show_bug.cgi?id=164581
2670
2671         Reviewed by Filip Pizlo.
2672
2673         This patch adds an ArrayProfile to the op_in bytecode. In the
2674         DFG, if we see that the key is an int32 we will convert the In
2675         DFG node to a HasIndexedProperty node instead.
2676
2677         This patch also flips the two arguments of op_in and the In node
2678         to reflect the other property lookup bytecodes.
2679
2680         * bytecode/BytecodeList.json:
2681         * bytecode/CodeBlock.cpp:
2682         (JSC::CodeBlock::dumpBytecode):
2683         (JSC::CodeBlock::finishCreation):
2684         * bytecompiler/BytecodeGenerator.cpp:
2685         (JSC::BytecodeGenerator::emitIn):
2686         * bytecompiler/BytecodeGenerator.h:
2687         (JSC::BytecodeGenerator::emitIn): Deleted.
2688         * bytecompiler/NodesCodegen.cpp:
2689         (JSC::InNode::emitBytecode):
2690         * dfg/DFGByteCodeParser.cpp:
2691         (JSC::DFG::ByteCodeParser::parseBlock):
2692         * dfg/DFGFixupPhase.cpp:
2693         (JSC::DFG::FixupPhase::fixupNode):
2694         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
2695         * dfg/DFGNode.h:
2696         (JSC::DFG::Node::hasArrayMode):
2697         (JSC::DFG::Node::hasInternalMethodType):
2698         (JSC::DFG::Node::internalMethodType):
2699         (JSC::DFG::Node::setInternalMethodType):
2700         * dfg/DFGSpeculativeJIT.cpp:
2701         (JSC::DFG::SpeculativeJIT::compileIn):
2702         * dfg/DFGSpeculativeJIT.h:
2703         (JSC::DFG::SpeculativeJIT::callOperation):
2704         * dfg/DFGSpeculativeJIT32_64.cpp:
2705         (JSC::DFG::SpeculativeJIT::compile):
2706         * dfg/DFGSpeculativeJIT64.cpp:
2707         (JSC::DFG::SpeculativeJIT::compile):
2708         * ftl/FTLLowerDFGToB3.cpp:
2709         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2710         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2711         * jit/JITOperations.cpp:
2712         * jit/JITOperations.h:
2713         * llint/LowLevelInterpreter.asm:
2714         * parser/Nodes.h:
2715         * runtime/CommonSlowPaths.cpp:
2716         (JSC::SLOW_PATH_DECL):
2717         * runtime/CommonSlowPaths.h:
2718         (JSC::CommonSlowPaths::opIn):
2719
2720 2017-02-08  Saam Barati  <sbarati@apple.com>
2721
2722         Air IRC might spill a terminal that produces a value after the terminal
2723         https://bugs.webkit.org/show_bug.cgi?id=167919
2724         <rdar://problem/29754721>
2725
2726         Reviewed by Filip Pizlo.
2727
2728         IRC may spill a value-producing terminal (a patchpoint can be a value-producing terminal).
2729         It used to do this by placing the spill *after* the terminal. This produces an invalid
2730         graph because no instructions are allowed after the terminal.
2731         
2732         I fixed this bug by having a cleanup pass over the IR after IRC is done.
2733         The pass detects this problem, and fixes it by moving the spill into the
2734         successors. However, it is careful to detect when the edge to the
2735         successor is a critical edge. If the value-producing patchpoint is
2736         the only predecessor of the successor, it just moves the spill
2737         code to the beginning of the successor. Otherwise, it's a critical
2738         edge and it breaks it by adding a block that does the spilling then
2739         jumps to the successor.
2740
2741         * b3/air/AirInsertionSet.cpp:
2742         * b3/air/AirInsertionSet.h:
2743         (JSC::B3::Air::InsertionSet::insertInsts):
2744         * b3/air/AirIteratedRegisterCoalescing.cpp:
2745         * b3/testb3.cpp:
2746         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
2747         (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
2748         (JSC::B3::run):
2749
2750 2017-02-07  Mark Lam  <mark.lam@apple.com>
2751
2752         SigillCrashAnalyzer::analyze() should use a do-while loop instead of a lambda.
2753         https://bugs.webkit.org/show_bug.cgi?id=167950
2754
2755         Reviewed by Michael Saboff.
2756
2757         Lambdas aren't free (apparently, the compiler isn't able to detect that the
2758         lambda does not escape and can be inlined completely).  So, use a do-while loop
2759         instead since we don't really need a lambda here.
2760
2761         * tools/SigillCrashAnalyzer.cpp:
2762
2763 2017-02-05  Mark Lam  <mark.lam@apple.com>
2764
2765         The SigillCrashAnalyzer should play nicer with client code that may install its own SIGILL handler.
2766         https://bugs.webkit.org/show_bug.cgi?id=167858
2767
2768         Reviewed by Michael Saboff.
2769
2770         Here are the scenarios that may come up:
2771
2772         1. Client code did not install a SIGILL handler.
2773            - In this case, once we're done analyzing the SIGILL, we can just restore the
2774              default handler and return to let the OS do the default action i.e. capture
2775              a core dump.
2776
2777         2. Client code installed a SIGILL handler before JSC does.
2778            - In this case, we will see a non-null handler returned as the old signal
2779              handler when we install ours.
2780            - In our signal handler, after doing our crash analysis, we should invoke the
2781              client handler to let it do its work.
2782            - Our analyzer can also tell us if the SIGILL source is from JSC code in
2783              general (right now, this would just mean JIT code).
2784            - If the SIGILL source is not from JSC, we'll just let the client handler
2785              decide how to proceed.  We assume that the client handler will do the right
2786              thing (which is how the old behavior was before the SigillCrashAnalyzer was
2787              introduced).
2788            - If the SIGILL source is from JSC, then we know the SIGILL is an unrecoverable
2789              condition.  Hence, after we have given the client handler a chance to run,
2790              we should restore the default handler and let the OS capture a core dump.
2791              This intentionally overrides whatever signal settings the client handler may
2792              have set.
2793
2794         3. Client code installed a SIGILL handler after JSC does.
2795            - In this case, we are dependent on the client handler to call our handler
2796              after it does its work.  This is compatible with the old behavior before
2797              SigillCrashAnalyzer was introduced.
2798            - In our signal handler, if we determine that the SIGILL source is from JSC
2799              code, then the SIGILL is not recoverable.  We should then restore the
2800              default handler and get a core dump.
2801            - If the SIGILL source is not from JSC, we check to see if there's a client
2802              handler installed after us.
2803            - If we detect a client handler installed after us, we defer judgement on what
2804              to do to the client handler.  Since the client handler did not uninstall
2805              itself, it must have considered itself to have recovered from the SIGILL.
2806              We'll trust the client handler and take no restore action of our own (which
2807              is compatible with old code behavior).
2808            - If we detect no client handler and we have no previous handler, then we
2809              should restore the default handler and get a core dump.
2810
2811         * tools/SigillCrashAnalyzer.cpp:
2812         (JSC::handleCrash):
2813         (JSC::installCrashHandler):
2814         (JSC::SigillCrashAnalyzer::analyze): Deleted.
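
        The three scenarios above as handler code, added here as an example and not the SigillCrashAnalyzer's own implementation: `decide()` is the decision tree as a pure function, `pc_is_vm_code()` stands in for the analyzer's check that the faulting address lies in JSC (JIT) code using a table of ranges the embedder registers, and `sigill_handler()` chains to the earlier client handler, defers to a later one, or resets SIG_DFL so that returning re-executes the faulting instruction and the OS takes its core dump. The names, the range table and the reliance on POSIX `sigaction` with `si_addr` (the faulting instruction address for SIGILL) are this example's assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decision tree of the three scenarios, as a pure function so the policy
 * can be checked without delivering a real SIGILL. */
enum sigill_action {
    RESTORE_DEFAULT,            /* SIG_DFL, return: OS re-raises, core dump */
    CALL_PREVIOUS_THEN_DEFAULT, /* client handler runs, then core dump anyway */
    CALL_PREVIOUS_ONLY,         /* client handler installed before us decides */
    DEFER_TO_LATER_HANDLER      /* client handler installed after us decides */
};

static enum sigill_action decide(bool from_vm, bool have_previous, bool later_installed)
{
    if (from_vm)          /* unrecoverable, whatever the client handler does */
        return have_previous ? CALL_PREVIOUS_THEN_DEFAULT : RESTORE_DEFAULT;
    if (have_previous)    /* scenario 2: client installed before us */
        return CALL_PREVIOUS_ONLY;
    if (later_installed)  /* scenario 3: client installed after us */
        return DEFER_TO_LATER_HANDLER;
    return RESTORE_DEFAULT; /* scenario 1: no client handler at all */
}

/* Constructed stand-in for "is the faulting PC inside VM (JIT) code": the
 * embedder registers the ranges it owns and the handler looks them up. */
struct code_range { uintptr_t start, end; };
static struct code_range g_vm_ranges[8];
static size_t g_vm_range_count;

static void register_vm_code(uintptr_t start, uintptr_t end)
{
    if (g_vm_range_count < sizeof g_vm_ranges / sizeof g_vm_ranges[0])
        g_vm_ranges[g_vm_range_count++] = (struct code_range){ start, end };
}

static bool pc_is_vm_code(uintptr_t pc)
{
    for (size_t i = 0; i < g_vm_range_count; i++)
        if (pc >= g_vm_ranges[i].start && pc < g_vm_ranges[i].end)
            return true;
    return false;
}

static struct sigaction g_previous; /* disposition found when we installed ours */
static bool g_have_previous;

static void chain_to_previous(int sig, siginfo_t* info, void* ctx)
{
    if (g_previous.sa_flags & SA_SIGINFO)
        g_previous.sa_sigaction(sig, info, ctx);
    else
        g_previous.sa_handler(sig);
}

static void sigill_handler(int sig, siginfo_t* info, void* ctx)
{
    bool from_vm = pc_is_vm_code((uintptr_t)info->si_addr); /* SIGILL: faulting PC */
    struct sigaction current;          /* query only: is the disposition still ours? */
    sigaction(SIGILL, NULL, &current);
    bool later_installed = !(current.sa_flags & SA_SIGINFO)
                        || current.sa_sigaction != sigill_handler;

    switch (decide(from_vm, g_have_previous, later_installed)) {
    case CALL_PREVIOUS_THEN_DEFAULT:
        chain_to_previous(sig, info, ctx);
        /* fall through */
    case RESTORE_DEFAULT:              /* overrides whatever the client handler set */
        signal(SIGILL, SIG_DFL);       /* returning re-executes the instruction */
        break;
    case CALL_PREVIOUS_ONLY:
        chain_to_previous(sig, info, ctx);
        break;
    case DEFER_TO_LATER_HANDLER:       /* it stayed installed, so it recovered */
        break;
    }
}

static void install_sigill_analyzer(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = sigill_handler;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGILL, &sa, &g_previous);
    g_have_previous = (g_previous.sa_flags & SA_SIGINFO)
                   || (g_previous.sa_handler != SIG_DFL && g_previous.sa_handler != SIG_IGN);
}

int main(void)
{
    install_sigill_analyzer();
    register_vm_code(0x1000, 0x2000);  /* constructed JIT range; nothing is raised */
    printf("VM-code SIGILL with no client handler -> action %d (0 = restore default)\n",
           decide(pc_is_vm_code(0x1800), g_have_previous, false));
}
```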
2815
2816 2017-02-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2817
2818         Unreviewed, manual roll out of r211777
2819         https://bugs.webkit.org/show_bug.cgi?id=167457
2820
2821         * jsc.cpp:
2822         (GlobalObject::moduleLoaderImportModule):
2823         * runtime/JSGlobalObjectFunctions.cpp:
2824         (JSC::globalFuncImportModule):
2825
2826 2017-02-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2827
2828         Web Inspector: allow import() inside the inspector
2829         https://bugs.webkit.org/show_bug.cgi?id=167457
2830
2831         Reviewed by Ryosuke Niwa.
2832
2833         We relax the import module hook to accept a null SourceOrigin.
2834         Such a script can be evaluated from the inspector console.
2835
2836         * jsc.cpp:
2837         (GlobalObject::moduleLoaderImportModule):
2838         * runtime/JSGlobalObjectFunctions.cpp:
2839         (JSC::globalFuncImportModule):
2840
2841 2017-02-06  Joseph Pecoraro  <pecoraro@apple.com>
2842
2843         Web Inspector: Do not use RunLoop when dispatching inspector GC event
2844         https://bugs.webkit.org/show_bug.cgi?id=167683
2845         <rdar://problem/30167791>
2846
2847         Reviewed by Brian Burg.
2848
2849         Move the RunLoop deferred implementation to WebCore. It is not needed
2850         for JSContext inspection, and in JSContext inspection we are not
2851         guaranteed a RunLoop to defer to.
2852
2853         * inspector/agents/InspectorHeapAgent.h:
2854         * inspector/agents/InspectorHeapAgent.cpp:
2855         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
2856         (Inspector::InspectorHeapAgent::~InspectorHeapAgent):
2857         (Inspector::InspectorHeapAgent::disable):
2858         (Inspector::InspectorHeapAgent::didGarbageCollect):
2859         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask): Deleted.
2860         (Inspector::SendGarbageCollectionEventsTask::addGarbageCollection): Deleted.
2861         (Inspector::SendGarbageCollectionEventsTask::reset): Deleted.
2862         (Inspector::SendGarbageCollectionEventsTask::timerFired): Deleted.
2863
2864         (Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent):
2865         Make a virtual method so that WebCore implementations of this agent can choose
2866         to dispatch this event asynchronously.
2867
2868         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2869         Remove unnecessary RunLoop include.
2870
2871 2017-02-06  Joseph Pecoraro  <pecoraro@apple.com>
2872
2873         Static Analyzer: JSContext.mm: Incorrect decrement of the reference count of an object
2874         https://bugs.webkit.org/show_bug.cgi?id=167848
2875
2876         Reviewed by Saam Barati.
2877
2878         Source/JavaScriptCore/API/JSContext.mm:87:5: warning: Incorrect decrement of the reference count of an object that is not owned at this point by the caller
2879             [self.exceptionHandler release];
2880             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2881         1 warning generated.
2882
2883         * API/JSContext.mm:
2884         (-[JSContext dealloc]):
2885         Use the ivar in dealloc instead of going through the getter.
2886
2887 2017-02-05  Mark Lam  <mark.lam@apple.com>
2888
2889         The VMInspector should use an RAII Locker.
2890         https://bugs.webkit.org/show_bug.cgi?id=167854
2891
2892         Reviewed by Saam Barati.
2893
2894         Previously, VMInspector::lock() was returning an expected LockToken, and there's
2895         no way to unlock it when we're done with it.  This was not a problem before
2896         because the VMInspector had only one client, the SigillCrashAnalyzer, that
2897         expected the process to crash due to a SIGILL shortly thereafter.
2898
2899         However, the VMInspector is useful as a debugging tool that we can apply in other
2900         debugging tasks.  Fixing VMInspector::lock() to return an RAII locker will enable
2901         other use cases.  Plus it's just bad form to be able to lock something and never
2902         be able to unlock it.
2903
2904         * tools/SigillCrashAnalyzer.cpp:
2905         (JSC::SigillCrashAnalyzer::analyze):
2906         * tools/VMInspector.cpp:
2907         * tools/VMInspector.h:
2908
2909 2017-02-04  Joseph Pecoraro  <pecoraro@apple.com>
2910
2911         Static Analyzer: Value stored to 'recordedMachineThreads' during its initialization is never read
2912         https://bugs.webkit.org/show_bug.cgi?id=167845
2913
2914         Reviewed by Saam Barati.
2915
2916         Source/JavaScriptCore/heap/MachineStackMarker.cpp:151:14: warning: Value stored to 'recordedMachineThreads' during its initialization is never read
2917                 auto recordedMachineThreads = m_set.take(machineThreads);
2918                      ^~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~
2919
2920         * heap/MachineStackMarker.cpp:
2921         (JSC::ActiveMachineThreadsManager::remove):
2922
2923 2017-02-04  Joseph Pecoraro  <pecoraro@apple.com>
2924
2925         Static Analyzer: Value stored to 'prev' is never read
2926         https://bugs.webkit.org/show_bug.cgi?id=167844
2927
2928         Reviewed by Saam Barati.
2929
2930         Source/JavaScriptCore/runtime/JSMapIterator.h:60:13: warning: Value stored to 'prev' is never read
2931                     prev = bucket;
2932                     ^      ~~~~~~
2933         Source/JavaScriptCore/runtime/JSSetIterator.h:60:13: warning: Value stored to 'prev' is never read
2934                     prev = bucket;
2935                     ^      ~~~~~~
2936
2937         * runtime/JSMapIterator.h:
2938         (JSC::JSMapIterator::advanceIter):
2939         * runtime/JSSetIterator.h:
2940         (JSC::JSSetIterator::advanceIter):
2941
2942 2017-02-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2943
2944         [JSC] Add operationToInt32SensibleSlow to optimize kraken pbkdf2 and sha256
2945         https://bugs.webkit.org/show_bug.cgi?id=167736
2946
2947         Reviewed by Saam Barati.
2948
2949         Add a new function operationToInt32SensibleSlow. This function is only
2950         called after x86 cvttss2si_rr fails. This means that the
2951         given double number is never in the range of int32 truncatable numbers.
2952
2953         As a result, exp in operationToInt32 always becomes >= 31. So
2954         we can change the condition from `exp < 32` to `exp == 31`.
2955         This makes missingOne constant, and it leads to significantly better
2956         code generation.
2957
2958         The original operationToInt32 code.
2959
2960             170:   66 48 0f 7e c1          movq   %xmm0,%rcx
2961             175:   31 c0                   xor    %eax,%eax
2962             177:   66 48 0f 7e c6          movq   %xmm0,%rsi
2963             17c:   48 c1 f9 34             sar    $0x34,%rcx
2964             180:   81 e1 ff 07 00 00       and    $0x7ff,%ecx
2965             186:   8d 91 01 fc ff ff       lea    -0x3ff(%rcx),%edx
2966             18c:   83 fa 53                cmp    $0x53,%edx
2967             18f:   77 37                   ja     1c8 <_ZN3JSC16operationToInt32Ed+0x58>
2968             191:   83 fa 34                cmp    $0x34,%edx
2969             194:   7f 3a                   jg     1d0 <_ZN3JSC16operationToInt32Ed+0x60>
2970             196:   b9 34 00 00 00          mov    $0x34,%ecx
2971             19b:   66 48 0f 7e c7          movq   %xmm0,%rdi
2972             1a0:   29 d1                   sub    %edx,%ecx
2973             1a2:   48 d3 ff                sar    %cl,%rdi
2974             1a5:   83 fa 1f                cmp    $0x1f,%edx
2975             1a8:   89 f8                   mov    %edi,%eax
2976             1aa:   7f 12                   jg     1be <_ZN3JSC16operationToInt32Ed+0x4e>
2977             1ac:   89 d1                   mov    %edx,%ecx
2978             1ae:   b8 01 00 00 00          mov    $0x1,%eax
2979             1b3:   d3 e0                   shl    %cl,%eax
2980             1b5:   89 c2                   mov    %eax,%edx
2981             1b7:   8d 40 ff                lea    -0x1(%rax),%eax
2982             1ba:   21 f8                   and    %edi,%eax
2983             1bc:   01 d0                   add    %edx,%eax
2984             1be:   89 c2                   mov    %eax,%edx
2985             1c0:   f7 da                   neg    %edx
2986             1c2:   48 85 f6                test   %rsi,%rsi
2987             1c5:   0f 48 c2                cmovs  %edx,%eax
2988             1c8:   f3 c3                   repz retq
2989             1ca:   66 0f 1f 44 00 00       nopw   0x0(%rax,%rax,1)
2990             1d0:   66 48 0f 7e c0          movq   %xmm0,%rax
2991             1d5:   81 e9 33 04 00 00       sub    $0x433,%ecx
2992             1db:   48 d3 e0                shl    %cl,%rax
2993             1de:   eb de                   jmp    1be <_ZN3JSC16operationToInt32Ed+0x4e>
2994
2995         The operationToInt32SensibleSlow code.
2996
2997             1e0:   66 48 0f 7e c1          movq   %xmm0,%rcx
2998             1e5:   66 48 0f 7e c2          movq   %xmm0,%rdx
2999             1ea:   48 c1 f9 34             sar    $0x34,%rcx
3000             1ee:   81 e1 ff 07 00 00       and    $0x7ff,%ecx
3001             1f4:   8d b1 01 fc ff ff       lea    -0x3ff(%rcx),%esi
3002             1fa:   83 fe 34                cmp    $0x34,%esi
3003             1fd:   7e 21                   jle    220 <_ZN3JSC28operationToInt32SensibleSlowEd+0x40>
3004             1ff:   66 48 0f 7e c0          movq   %xmm0,%rax
3005             204:   81 e9 33 04 00 00       sub    $0x433,%ecx
3006             20a:   48 d3 e0                shl    %cl,%rax
3007             20d:   89 c1                   mov    %eax,%ecx
3008             20f:   f7 d9                   neg    %ecx
3009             211:   48 85 d2                test   %rdx,%rdx
3010             214:   0f 48 c1                cmovs  %ecx,%eax
3011             217:   c3                      retq
3012             218:   0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
3013             21f:   00
3014             220:   66 48 0f 7e c0          movq   %xmm0,%rax
3015             225:   b9 34 00 00 00          mov    $0x34,%ecx
3016             22a:   29 f1                   sub    %esi,%ecx
3017             22c:   48 d3 f8                sar    %cl,%rax
3018             22f:   89 c1                   mov    %eax,%ecx
3019             231:   81 c9 00 00 00 80       or     $0x80000000,%ecx
3020             237:   83 fe 1f                cmp    $0x1f,%esi
3021             23a:   0f 44 c1                cmove  %ecx,%eax
3022             23d:   89 c1                   mov    %eax,%ecx
3023             23f:   f7 d9                   neg    %ecx
3024             241:   48 85 d2                test   %rdx,%rdx
3025             244:   0f 48 c1                cmovs  %ecx,%eax
3026             247:   c3                      retq
3027             248:   0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
3028             24f:   00
3029
3030         This improves kraken pbkdf2 by 10.8% and sha256 by 7.5%.
3031
3032                                                        baseline                  patched
3033
3034             stanford-crypto-pbkdf2                 153.195+-2.745      ^     138.204+-2.513         ^ definitely 1.1085x faster
3035             stanford-crypto-sha256-iterative        49.047+-1.038      ^      45.610+-1.235         ^ definitely 1.0754x faster
3036
3037             <arithmetic>                           101.121+-1.379      ^      91.907+-1.500         ^ definitely 1.1003x faster
3038
3039         * assembler/CPU.h:
3040         (JSC::hasSensibleDoubleToInt):
3041         * dfg/DFGSpeculativeJIT.cpp:
3042         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3043         * ftl/FTLLowerDFGToB3.cpp:
3044         (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
3045         (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
3046         * ftl/FTLOutput.cpp:
3047         (JSC::FTL::Output::hasSensibleDoubleToInt): Deleted.
3048         * ftl/FTLOutput.h:
3049         * runtime/MathCommon.cpp:
3050         (JSC::operationToInt32SensibleSlow):
3051         * runtime/MathCommon.h:
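
        The two code shapes discussed above, as an added example that is not JSC's MathCommon.cpp: `to_int32_full` is the generic ToInt32-from-bits routine the first listing compiles (a variable `missing_one` for every `exp < 32`), `to_int32_sensible_slow` applies the `exp == 31` specialisation, and `to_int32_jit` emulates the dispatch in which the x86 `cvttsd2si` result 0x80000000 (its "integer indefinite" value) sends out-of-range doubles to the slow path. Function names and the `exp > 83` early return kept in the slow path are this example's own.

```c
#include <assert.h>
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ECMAScript ToInt32 computed from the raw IEEE-754 bits, in the shape of
 * the generic routine whose assembly is listed above (example reconstruction,
 * not JSC's source). exp is the unbiased binary exponent of |number|. */
static int32_t to_int32_full(double number)
{
    uint64_t bits;
    memcpy(&bits, &number, sizeof bits);                 /* bit cast without UB */
    int32_t exp = (int32_t)((bits >> 52) & 0x7ff) - 0x3ff;

    /* exp < 0: |x| < 1, truncates to 0.  exp > 83: every mantissa bit lands
     * above bit 31, so the low 32 bits are 0.  Also covers 0, inf and NaN. */
    if (exp < 0 || exp > 83)
        return 0;

    /* Align the mantissa so the integer part's low 32 bits sit in bits 0..31. */
    uint32_t result = (exp > 52) ? (uint32_t)(bits << (exp - 52))
                                 : (uint32_t)(bits >> (52 - exp));

    /* For exp < 32 the implicit leading 1 belongs inside the low 32 bits and
     * sign/exponent bits were shifted into them: mask them off, add the 1. */
    if (exp < 32) {
        uint32_t missing_one = (uint32_t)1 << exp;
        result &= missing_one - 1;
        result += missing_one;
    }
    if (bits >> 63)                  /* negative input: negate modulo 2^32 */
        result = 0u - result;
    return (int32_t)result;
}

/* Slow path valid only after the hardware conversion already failed, i.e.
 * |number| >= 2^31, inf or NaN, so exp >= 31.  The only exponent for which
 * the implicit 1 still falls inside the low 32 bits is exp == 31, so the
 * variable missing_one collapses to the constant 0x80000000. */
static int32_t to_int32_sensible_slow(double number)
{
    uint64_t bits;
    memcpy(&bits, &number, sizeof bits);
    int32_t exp = (int32_t)((bits >> 52) & 0x7ff) - 0x3ff;
    assert(exp >= 31);               /* caller contract: fast path failed */
    if (exp > 83)                    /* inf, NaN, |x| >= 2^84: low 32 bits are 0 */
        return 0;

    uint32_t result = (exp > 52) ? (uint32_t)(bits << (exp - 52))
                                 : (uint32_t)(bits >> (52 - exp));
    if (exp == 31)                   /* same as (result & 0x7fffffff) + 0x80000000 */
        result |= 0x80000000u;
    if (bits >> 63)
        result = 0u - result;
    return (int32_t)result;
}

/* x86 cvttsd2si (32-bit form) produces the "integer indefinite" value
 * 0x80000000 for NaN and for anything that does not fit an int32. */
#define INT_INDEFINITE ((int32_t)0x80000000)

static int32_t cvttsd2si_emulated(double number)
{
    if (isnan(number) || number >= 2147483648.0 || number <= -2147483649.0)
        return INT_INDEFINITE;
    return (int32_t)number;          /* in range: truncate toward zero */
}

/* The JIT's dispatch: hardware conversion first, slow path only on failure. */
static int32_t to_int32_jit(double number)
{
    int32_t fast = cvttsd2si_emulated(number);
    return fast != INT_INDEFINITE ? fast : to_int32_sensible_slow(number);
}

int main(void)
{
    /* Constructed inputs: in range, exactly at the int32 edge, far outside. */
    const double samples[] = { 3.9, -0.5, 2147483648.0, -2147483649.0, 4294967301.0,
                               -1e10, 9007199254740994.0, 1e20, INFINITY, NAN };
    int mismatches = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t full = to_int32_full(samples[i]);
        int32_t jit = to_int32_jit(samples[i]);
        printf("%-22.17g -> %11d  (jit path %s)\n", samples[i], full,
               full == jit ? "agrees" : "DIFFERS");
        mismatches += full != jit;
    }
    return mismatches ? 1 : 0;
}
```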
3052
3053 2017-02-03  Joseph Pecoraro  <pecoraro@apple.com>
3054
3055         Unreviewed rollout of r211486, r211629.
3056
3057         Original change is not ideal and is causing issues.
3058
3059         * inspector/agents/InspectorHeapAgent.cpp:
3060         (Inspector::SendGarbageCollectionEventsTask::SendGarbageCollectionEventsTask):
3061         * runtime/InitializeThreading.cpp:
3062         (JSC::initializeThreading):
3063
3064 2017-02-03  JF Bastien  <jfbastien@apple.com>
3065
3066         OSR entry: delay outer-loop compilation when at inner-loop
3067         https://bugs.webkit.org/show_bug.cgi?id=167149
3068
3069         Reviewed by Filip Pizlo.
3070
3071         r211224 and r211461 were reverted because they caused massive
3072         kraken/ai-astar regressions. This patch instead does the
3073         minimally-disruptive change to fix the original bug as described
3074         below, but omits extra tuning and refactoring which I had
3075         before. I'll commit tuning and refactoring separately, if this
3076         sticks. This patch is therefore very minimal, and layers carefully
3077         on top of the complex spaghetti-logic. The only change it makes is
3078         that it uses triggers to indicate to outer loops that they should
3079         compile, which fixes the immediate bug and seems roughly perf
3080         neutral (maybe a small gain on kraken sometimes, other times a
3081         small regression as would be expected from slightly compiling
3082         later). As opposed to r211461 this patch doesn't unconditionally
3083         unset the trigger because it prevents further DFG executions from
3084         entering. It therefore makes the trigger a tri-state enum class:
3085         don't trigger, compilation done, start compilation. Only "start
3086         compilation" gets reset to "don't trigger". "Compilation done"
3087         does not (unless there's a problem compiling, then it gets set
3088         back to "don't trigger").
3089
3090         As of https://bugs.webkit.org/show_bug.cgi?id=155217 OSR
3091         compilation can be kicked off for an entry into an outer-loop,
3092         while executing an inner-loop. This is desirable because often the
3093         codegen from an inner-entry isn't as good as the codegen from an
3094         outer-entry, but execution from an inner-loop is often pretty hot
3095         and likely to kick off compilation. This approach provided nice
3096         speedups on Kraken because we'd select to enter to the outer-loop
3097         very reliably, which reduces variability (the inner-loop was
3098         selected roughly 1/5 times from my unscientific measurements).
3099
3100         When compilation starts we take a snapshot of the JSValues at the
3101         current execution state using OSR's recovery mechanism. These
3102         values are passed to the compiler and are used as way to perform
3103         type profiling, and could be used to observe cell types as well as
3104         to perform predictions such as through constant propagation.
3105
3106         It's therefore desired to enter from the outer-loop when we can,
3107         but we need to be executing from that location to capture the
3108         right JSValues, otherwise we're confusing the compiler and giving
3109         it inaccurate JSValues which can lead it to predict the wrong
3110         things, leading to suboptimal code or recompilation due to
3111         misprediction, or in super-corner-cases a crash.
3112
3113         DFG tier-up was added here:
3114         https://bugs.webkit.org/show_bug.cgi?id=112838
3115
3116         * dfg/DFGJITCode.h:
3117         * dfg/DFGJITCompiler.cpp:
3118         (JSC::DFG::JITCompiler::JITCompiler):
3119         * dfg/DFGOperations.cpp:
3120         * dfg/DFGSpeculativeJIT64.cpp:
3121         (JSC::DFG::SpeculativeJIT::compile):
3122         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
3123         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
3124         (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
3125         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
3126         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
3127         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
3128
3129 2017-02-03  Saam Barati  <sbarati@apple.com>
3130
3131         When OSR entering to the baseline JIT from the LLInt for a ProgramCodeBlock we can skip compiling a lot of the program
3132         https://bugs.webkit.org/show_bug.cgi?id=167725
3133         <rdar://problem/30339082>
3134
3135         Reviewed by Michael Saboff.
3136
3137         We often want to baseline compile ProgramCode once we hit a loop in the LLInt.
3138         However, some programs execute a non-trivial amount of code before the loop.
3139         This code can never be executed again because ProgramCodeBlocks never run more
3140         than once. We're wasting time and memory by compiling code that is unreachable
3141         from the OSR entry destination. This patch fixes this by only compiling code
3142         that is reachable from the OSR entry destination.
3143
3144         This is a speedup on Kraken/ai-astar for devices with limited CPUs (I've been
3145         testing on devices with 2 CPUs). On ai-astar, we were spending 50-100ms compiling
3146         a huge ProgramCodeBlock in the baseline JIT where the majority of the code
3147         would never execute. If this compilation was kicked off on the main thread,
3148         then we'd be stalled for a long time. If it were started on the baseline JIT's
3149         background compilation thread, we'd still waste 50-100ms in that thread, causing
3150         all other baseline compilations to happen on the main thread.
3151
3152         * interpreter/Interpreter.cpp:
3153         (JSC::Interpreter::executeProgram):
3154         * interpreter/Interpreter.h:
3155         * jit/JIT.cpp:
3156         (JSC::JIT::JIT):
3157         (JSC::JIT::privateCompileMainPass):
3158         * jit/JIT.h:
3159         (JSC::JIT::compile):
3160         * jit/JITWorklist.cpp:
3161         (JSC::JITWorklist::Plan::Plan):
3162         (JSC::JITWorklist::Plan::compileNow):
3163         (JSC::JITWorklist::compileLater):
3164         (JSC::JITWorklist::compileNow):
3165         * jit/JITWorklist.h:
3166         * llint/LLIntSlowPaths.cpp:
3167         (JSC::LLInt::jitCompileAndSetHeuristics):
3168         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3169         * runtime/Completion.cpp:
3170         (JSC::evaluate):
3171
3172 2017-02-03  Csaba Osztrogonác  <ossy@webkit.org>
3173
3174         Unreviewed typo fix after r211630.
3175
3176         * CMakeLists.txt:
3177
3178 2017-02-03  Carlos Garcia Campos  <cgarcia@igalia.com>
3179
3180         [GTK] Add initial implementation of resource usage overlay
3181         https://bugs.webkit.org/show_bug.cgi?id=167731
3182
3183         Reviewed by Michael Catanzaro.
3184
3185         Also expose nextFireTime() for GTK+ port.
3186
3187         * heap/GCActivityCallback.cpp:
3188         (JSC::GCActivityCallback::scheduleTimer):
3189         (JSC::GCActivityCallback::cancelTimer):
3190         * heap/GCActivityCallback.h:
3191
3192 2017-02-03  Csaba Osztrogonác  <ossy@webkit.org>
3193
3194         [cmake] Unreviewed AArch64 buildfix after r211603.
        https://bugs.webkit.org/show_bug.cgi?id=167714

        * CMakeLists.txt:

2017-02-02  Andreas Kling  <akling@apple.com>

        [Mac] In-process memory pressure monitor for WebContent processes AKA websam
        <https://webkit.org/b/167491>
        <rdar://problem/30116072>

        Reviewed by Antti Koivisto.

        Remove the sloppy "max live heap size" mechanism from JSC in favor of the new
        WebCore-side memory footprint monitor.

        * heap/Heap.cpp:
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didExceedMaxLiveSize): Deleted.
        * heap/Heap.h:
        (JSC::Heap::setMaxLiveSize): Deleted.

2017-02-02  Mark Lam  <mark.lam@apple.com>

        Add a SIGILL crash analyzer to make debugging SIGILLs easier.
        https://bugs.webkit.org/show_bug.cgi?id=167714
        <rdar://problem/30318237>

        Not reviewed.

        Build fix for CLOOP build.

        * tools/VMInspector.cpp:

2017-02-02  Mark Lam  <mark.lam@apple.com>

        Add a SIGILL crash analyzer to make debugging SIGILLs easier.
        https://bugs.webkit.org/show_bug.cgi?id=167714
        <rdar://problem/30318237>

        Reviewed by Filip Pizlo.

        The current implementation is only for X86_64 and ARM64 on OS(DARWIN).  The
        analyzer is not enabled for all other ports.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * API/JSVirtualMachine.mm:
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::illegalInstruction):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::illegalInstruction):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::illegalInstruction):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::illegalInstruction):
        * heap/Heap.cpp:
        (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * tools/SigillCrashAnalyzer.cpp: Added.
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::dump):
        (JSC::handleCrash):
        (JSC::initializeCrashHandler):
        (JSC::ensureSigillCrashAnalyzer):
        (JSC::SigillCrashAnalyzer::analyze):
        (JSC::SigillCrashAnalyzer::dumpCodeBlock):
        * tools/SigillCrashAnalyzer.h: Added.
        * tools/VMInspector.cpp: Added.
        (JSC::VMInspector::instance):
        (JSC::VMInspector::add):
        (JSC::VMInspector::remove):
        (JSC::ensureIsSafeToLock):
        * tools/VMInspector.h: Added.
        (JSC::VMInspector::iterate):

2017-02-02  Chris Dumez  <cdumez@apple.com>

        {}.toString.call(crossOriginWindow) should return "[object Object]"
        https://bugs.webkit.org/show_bug.cgi?id=167701
        <rdar://problem/30330797>

        Reviewed by Keith Miller.

        Have JSProxy forward toStringName calls to its target so Window
        can override it.

        * runtime/JSProxy.cpp:
        (JSC::JSProxy::toStringName):
        * runtime/JSProxy.h:

2017-02-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r211571 and r211582.
        https://bugs.webkit.org/show_bug.cgi?id=167751

        This change caused API test WebKit1.MemoryPressureHandler to
        fail with an assertion. (Requested by ryanhaddad on #webkit).

        Reverted changesets: