[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-10-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero to out of line type info flags
        https://bugs.webkit.org/show_bug.cgi?id=163716

        Reviewed by Saam Barati.

        We found that all the accesses to the InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero flag is
        done through the Structure. There is no user that accesses this flag in the cell inlined member. And JIT
        code does not access it directly. That means that we can move this flag from inlined flags to out of line
        flags. This patch moves it to the out of line flags. And make one bit empty in inlined flags. Later this
        new empty flag will be used by megamorphic DOMJIT implementation.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasStaticPropertyTable):
        (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):

2016-10-20  Keith Miller  <keith_miller@apple.com>

        Invalid assertion in arguments elimination
        https://bugs.webkit.org/show_bug.cgi?id=163740
        <rdar://problem/27911462>

        Reviewed by Michael Saboff.

        The DFGFTL's arguments elimination phase incorrectly asserted that a GetFromArguments' first
        child would always be a CreateDirectArguments.  While we only create the
        op_get_from_arguments bytecode pointing to a create_direct_arguments, its possible for a
        number of reasons that a DFG GetFromArguments may not point to a CreateDirectArguments. For
        example, if we are OSR entering in some function with direct arguments the
        CreateDirectArguments node might become ExtractOSREntryLocals.

        * dfg/DFGArgumentsEliminationPhase.cpp:

2016-10-20  Caitlin Potter  <caitp@igalia.com>

        [JSC] throw TypeError when constructing dynamically created JSGeneratorFunction
        https://bugs.webkit.org/show_bug.cgi?id=163714

        Reviewed by Mark Lam.

        According to CreateDynamicFunction() (https://tc39.github.io/ecma262/#sec-createdynamicfunction),
        non-normal functions are not constructors. Previously, dynamically created functions would always
        be constructible, and so it was possible to evaluate `new  (function*() {}.constructor())`,
        and have it return an Iterator object.

        This change selects a dynamically created function's ConstructAbility based on its parse mode instead.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):

2016-10-19  JF Bastien  <jfbastien@apple.com>

        create_hash_table: allow empty tables

        The Windows build was broken by because I added empty tables and Windows insists that empty tables are horrible. Put in dummy entries in that case.

        create_hash_table: allow empty tables
        https://bugs.webkit.org/show_bug.cgi?id=163701

        Reviewed by Keith Miller.

        * create_hash_table:

2016-10-19  JF Bastien  <jfbastien@apple.com>

        JavaScript WebAssembly API: baby steps

         - Expand WebAssembly constructors into their own files. This requires a lot of
           boilerplate, as well as adding the .lut.h files. All of the
           JSWebAssembly*.{h,cpp}, as well as Constructor and Prototype files, are
           currently the same between the 4 specified WebAssembly constructors. It'll be
           easy to implement individual functions on constructed objects as per the
           spec, and have each of these files diverge. The error constructors are also
           similar, except that their instance derives from ErrorInstance.
         - Use constructor macro when initializing the global object.
         - Dramatically improve testing of the WebAssembly API by checking for
           properties specified in the spec [*].
         - Clean up assert.js' exception testing.
         - Fix a copy-paste bug in wasm.json: floating-point const return values were
           swapped.

        [*] https://github.com/WebAssembly/design/blob/master/JS.md

        Implement more of the JavaScript WebAssembly API
        https://bugs.webkit.org/show_bug.cgi?id=163571

        Reviewed by Keith Miller.

        * CMakeLists.txt: add .lut.h generation
        * DerivedSources.make: ditto
        * JavaScriptCore.xcodeproj/project.pbxproj: add .lut.h generation and all the new files
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): use macro to list all constructors
        * wasm/WebAssemblyObject.cpp: unboilerplate, all constructors into their own files
        * wasm/WebAssemblyObject.h: ditto
        * wasm/js/JSWebAssemblyCompileError.cpp: Added.
        (JSC::JSWebAssemblyCompileError::create):
        (JSC::JSWebAssemblyCompileError::createStructure):
        (JSC::JSWebAssemblyCompileError::JSWebAssemblyCompileError):
        (JSC::JSWebAssemblyCompileError::finishCreation):
        (JSC::JSWebAssemblyCompileError::destroy):
        (JSC::JSWebAssemblyCompileError::visitChildren):
        * wasm/js/JSWebAssemblyCompileError.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        * wasm/js/JSWebAssemblyInstance.cpp: Added.
        (JSC::JSWebAssemblyInstance::create):
        (JSC::JSWebAssemblyInstance::createStructure):
        (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
        (JSC::JSWebAssemblyInstance::finishCreation):
        (JSC::JSWebAssemblyInstance::destroy):
        (JSC::JSWebAssemblyInstance::visitChildren):
        * wasm/js/JSWebAssemblyInstance.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        * wasm/js/JSWebAssemblyMemory.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::JSWebAssemblyMemory::create):
        (JSC::JSWebAssemblyMemory::createStructure):
        (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
        (JSC::JSWebAssemblyMemory::finishCreation):
        (JSC::JSWebAssemblyMemory::destroy):
        (JSC::JSWebAssemblyMemory::visitChildren):
        * wasm/js/JSWebAssemblyMemory.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        * wasm/js/JSWebAssemblyModule.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::JSWebAssemblyModule::create):
        (JSC::JSWebAssemblyModule::createStructure):
        (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
        (JSC::JSWebAssemblyModule::finishCreation):
        (JSC::JSWebAssemblyModule::destroy):
        (JSC::JSWebAssemblyModule::visitChildren):
        * wasm/js/JSWebAssemblyModule.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        * wasm/js/JSWebAssemblyRuntimeError.cpp: Added.
        (JSC::JSWebAssemblyRuntimeError::create):
        (JSC::JSWebAssemblyRuntimeError::createStructure):
        (JSC::JSWebAssemblyRuntimeError::JSWebAssemblyRuntimeError):
        (JSC::JSWebAssemblyRuntimeError::finishCreation):
        (JSC::JSWebAssemblyRuntimeError::destroy):
        (JSC::JSWebAssemblyRuntimeError::visitChildren):
        * wasm/js/JSWebAssemblyRuntimeError.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        * wasm/js/JSWebAssemblyTable.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::JSWebAssemblyTable::create):
        (JSC::JSWebAssemblyTable::createStructure):
        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
        (JSC::JSWebAssemblyTable::finishCreation):
        (JSC::JSWebAssemblyTable::destroy):
        (JSC::JSWebAssemblyTable::visitChildren):
        * wasm/js/JSWebAssemblyTable.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp: Added.
        (JSC::constructJSWebAssemblyCompileError):
        (JSC::callJSWebAssemblyCompileError):
        (JSC::WebAssemblyCompileErrorConstructor::create):
        (JSC::WebAssemblyCompileErrorConstructor::createStructure):
        (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
        (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
        (JSC::WebAssemblyCompileErrorConstructor::getConstructData):
        (JSC::WebAssemblyCompileErrorConstructor::getCallData):
        (JSC::WebAssemblyCompileErrorConstructor::visitChildren):
        * wasm/js/WebAssemblyCompileErrorConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyCompileErrorConstructor::CompileErrorStructure):
        * wasm/js/WebAssemblyCompileErrorPrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyCompileErrorPrototype::create):
        (JSC::WebAssemblyCompileErrorPrototype::createStructure):
        (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
        (JSC::WebAssemblyCompileErrorPrototype::WebAssemblyCompileErrorPrototype):
        * wasm/js/WebAssemblyCompileErrorPrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        * wasm/js/WebAssemblyInstanceConstructor.cpp: Added.
        (JSC::constructJSWebAssemblyInstance):
        (JSC::callJSWebAssemblyInstance):
        (JSC::WebAssemblyInstanceConstructor::create):
        (JSC::WebAssemblyInstanceConstructor::createStructure):
        (JSC::WebAssemblyInstanceConstructor::finishCreation):
        (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
        (JSC::WebAssemblyInstanceConstructor::getConstructData):
        (JSC::WebAssemblyInstanceConstructor::getCallData):
        (JSC::WebAssemblyInstanceConstructor::visitChildren):
        * wasm/js/WebAssemblyInstanceConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyInstanceConstructor::InstanceStructure):
        * wasm/js/WebAssemblyInstancePrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyInstancePrototype::create):
        (JSC::WebAssemblyInstancePrototype::createStructure):
        (JSC::WebAssemblyInstancePrototype::finishCreation):
        (JSC::WebAssemblyInstancePrototype::WebAssemblyInstancePrototype):
        * wasm/js/WebAssemblyInstancePrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        * wasm/js/WebAssemblyMemoryConstructor.cpp: Added.
        (JSC::constructJSWebAssemblyMemory):
        (JSC::callJSWebAssemblyMemory):
        (JSC::WebAssemblyMemoryConstructor::create):
        (JSC::WebAssemblyMemoryConstructor::createStructure):
        (JSC::WebAssemblyMemoryConstructor::finishCreation):
        (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
        (JSC::WebAssemblyMemoryConstructor::getConstructData):
        (JSC::WebAssemblyMemoryConstructor::getCallData):
        (JSC::WebAssemblyMemoryConstructor::visitChildren):
        * wasm/js/WebAssemblyMemoryConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyMemoryConstructor::MemoryStructure):
        * wasm/js/WebAssemblyMemoryPrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyMemoryPrototype::create):
        (JSC::WebAssemblyMemoryPrototype::createStructure):
        (JSC::WebAssemblyMemoryPrototype::finishCreation):
        (JSC::WebAssemblyMemoryPrototype::WebAssemblyMemoryPrototype):
        * wasm/js/WebAssemblyMemoryPrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        * wasm/js/WebAssemblyModuleConstructor.cpp: Added.
        (JSC::constructJSWebAssemblyModule):
        (JSC::callJSWebAssemblyModule):
        (JSC::WebAssemblyModuleConstructor::create):
        (JSC::WebAssemblyModuleConstructor::createStructure):
        (JSC::WebAssemblyModuleConstructor::finishCreation):
        (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
        (JSC::WebAssemblyModuleConstructor::getConstructData):
        (JSC::WebAssemblyModuleConstructor::getCallData):
        (JSC::WebAssemblyModuleConstructor::visitChildren):
        * wasm/js/WebAssemblyModuleConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyModuleConstructor::ModuleStructure):
        * wasm/js/WebAssemblyModulePrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyModulePrototype::create):
        (JSC::WebAssemblyModulePrototype::createStructure):
        (JSC::WebAssemblyModulePrototype::finishCreation):
        (JSC::WebAssemblyModulePrototype::WebAssemblyModulePrototype):
        * wasm/js/WebAssemblyModulePrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: Added.
        (JSC::constructJSWebAssemblyRuntimeError):
        (JSC::callJSWebAssemblyRuntimeError):
        (JSC::WebAssemblyRuntimeErrorConstructor::create):
        (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
        (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
        (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
        (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData):
        (JSC::WebAssemblyRuntimeErrorConstructor::getCallData):
        (JSC::WebAssemblyRuntimeErrorConstructor::visitChildren):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyRuntimeErrorConstructor::RuntimeErrorStructure):
        * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyRuntimeErrorPrototype::create):
        (JSC::WebAssemblyRuntimeErrorPrototype::createStructure):
        (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
        (JSC::WebAssemblyRuntimeErrorPrototype::WebAssemblyRuntimeErrorPrototype):
        * wasm/js/WebAssemblyRuntimeErrorPrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        * wasm/js/WebAssemblyTableConstructor.cpp: Added.
        (JSC::constructJSWebAssemblyTable):
        (JSC::callJSWebAssemblyTable):
        (JSC::WebAssemblyTableConstructor::create):
        (JSC::WebAssemblyTableConstructor::createStructure):
        (JSC::WebAssemblyTableConstructor::finishCreation):
        (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
        (JSC::WebAssemblyTableConstructor::getConstructData):
        (JSC::WebAssemblyTableConstructor::getCallData):
        (JSC::WebAssemblyTableConstructor::visitChildren):
        * wasm/js/WebAssemblyTableConstructor.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyTableConstructor::TableStructure):
        * wasm/js/WebAssemblyTablePrototype.cpp: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.
        (JSC::WebAssemblyTablePrototype::create):
        (JSC::WebAssemblyTablePrototype::createStructure):
        (JSC::WebAssemblyTablePrototype::finishCreation):
        (JSC::WebAssemblyTablePrototype::WebAssemblyTablePrototype):
        * wasm/js/WebAssemblyTablePrototype.h: Copied from Source/JavaScriptCore/wasm/WebAssemblyObject.h.

2016-10-19  Caitlin Potter  <caitp@igalia.com>

        [JSC] forbid "use strict" directive in generator functions with non-simple parameters
        https://bugs.webkit.org/show_bug.cgi?id=163683

        Reviewed by Geoffrey Garen.

        Because generator functions and async functions both have an implicit
        inner function whose arguments are inherited from its parent, "use strict"
        directives within these functions did not yield a SyntaxError.

        Now, the correct syntax error is reported, fixing several test262 failures
        for generators and async functions.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):

2016-10-19  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r207557.

        This change caused animations/font-variations tests to time
        out on pre-Sierra Macs.

        Reverted changeset:

        "[macOS] [iOS] Disable variation fonts on macOS El Capitan and
        iOS 9"
        https://bugs.webkit.org/show_bug.cgi?id=163374
        http://trac.webkit.org/changeset/207557

2016-10-19  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should use AutomaticThread
        https://bugs.webkit.org/show_bug.cgi?id=163686

        Reviewed by Geoffrey Garen.
        
        Change the JITWorklist to use AutomaticThread, so that the Baseline JIT's concurrent
        compiler thread shuts down automatically after inactivity.
        
        With this change, all of JSC's threads shut down automatically. If you run splay for a few
        seconds (which fires up all threads - compiler and GC) and then go to sleep for a second,
        you'll see that the only threads left are the main thread and the bmalloc thread.

        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::Thread::Thread):
        (JSC::JITWorklist::JITWorklist):
        (JSC::JITWorklist::completeAllForVM):
        (JSC::JITWorklist::poll):
        (JSC::JITWorklist::compileLater):
        (JSC::JITWorklist::compileNow):
        (JSC::JITWorklist::finalizePlans):
        (JSC::JITWorklist::runThread): Deleted.
        * jit/JITWorklist.h:

2016-10-19  Myles C. Maxfield  <mmaxfield@apple.com>

        [macOS] [iOS] Disable variation fonts on macOS El Capitan and iOS 9
        https://bugs.webkit.org/show_bug.cgi?id=163374

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2016-10-19  Aaron Chu  <aaron_chu@apple.com>

        Web Inspector: AXI: expose computed tree node and heading level
        https://bugs.webkit.org/show_bug.cgi?id=130825
        <rdar://problem/16442349>

        Reviewed by Joseph Pecoraro.

        Exposing two new accessibility properties: Heading Level and Hierarchical Level.

        * inspector/protocol/DOM.json:

2016-10-18  Filip Pizlo  <fpizlo@apple.com>

        DFG worklist should use AutomaticThread
        https://bugs.webkit.org/show_bug.cgi?id=163615

        Reviewed by Mark Lam.
        
        AutomaticThread is a new feature in WTF that allows you to easily create worker threads that
        shut down automatically. This changes DFG::Worklist to use AutomaticThread, so that its
        threads shut down automatically, too. This has the potential to save a lot of memory.
        
        This required some improvements to AutomaticThread: Worklist likes to be able to keep state
        around for the whole lifetime of a thread, and so it likes knowing when threads are born and
        when they die. I added virtual methods for that. Also, Worklist uses notifyOne() so I added
        that, too.
        
        This looks to be perf-neutral.

        * dfg/DFGThreadData.cpp:
        (JSC::DFG::ThreadData::ThreadData):
        * dfg/DFGThreadData.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::ThreadBody::ThreadBody):
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::rememberCodeBlocks):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
        (JSC::DFG::Worklist::queueLength):
        (JSC::DFG::Worklist::dump):
        (JSC::DFG::Worklist::runThread): Deleted.
        (JSC::DFG::Worklist::threadFunction): Deleted.
        * dfg/DFGWorklist.h:

2016-10-19  Dan Bernstein  <mitz@apple.com>

        [Xcode] JavaScriptCore fails to build when CLANG_WARN_DOCUMENTATION_COMMENTS is enabled
        https://bugs.webkit.org/show_bug.cgi?id=163642

        Reviewed by Darin Adler.

        * API/JSClassRef.cpp: Removed a bad headerdoc comment inside an implementation file.
        * API/JSContext.h: Changed @methodgroup to @functiongroup, because the compiler requires the
          former to be followed by a method (and we have a property), but not the latter. Changed
          a couple of instances of “method” to “@method”. Removed empty @param entries.
        * API/JSContextRefInternal.h: Named a parameter referenced in a @param entry.
        * API/JSContextRefPrivate.h: Ditto.
        * API/JSManagedValue.h: Removed empty @param entries.
        * API/JSObjectRef.h: Corrected parameter name in @param entry.
        * API/JSTypedArray.h: Ditto.
        * API/JSValue.h: Removed empty @param entries, changed @methodgroup to @functiongroup, and
          changed @method to @property where appropriate. Removed empty @param entries.
        * API/JSValueRef.h: Named a parameter referenced in a @param entry.
        * API/JSWeakObjectMapRefPrivate.h: Ditto.
        * Configurations/Base.xcconfig: Enabled CLANG_WARN_DOCUMENTATION_COMMENTS. Made the compiler
          treat the icu headers as system headers, to stop it from emitting warnings about headers
          we don’t want to change.
        * Configurations/ToolExecutable.xcconfig: Made the compiler treat the icu headers as system
          headers.

2016-10-19  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed ARM buildfix after r207475.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::relinkJumpToNop):

2016-10-18  Mark Lam  <mark.lam@apple.com>

        Invoking Object.prototype.__proto__ accessors directly should throw a TypeError.
        https://bugs.webkit.org/show_bug.cgi?id=154377
        <rdar://problem/27330808>

        Reviewed by Filip Pizlo and Saam Barati.

        In a scenario where we cache the __proto__ accessors in global variables, and
        later explicitly invoke those accessors as functions, the spec for Function Calls
        (see https://tc39.github.io/ecma262/#sec-function-calls) states that the function
        ref value is of type Reference, and base of ref is an Environment Record.  Then,
        it follows that the thisValue should be set to refEnv.WithBaseObject()
        (see section 4.b.ii of 12.3.4.1 at
        https://tc39.github.io/ecma262/#sec-function-calls-runtime-semantics-evaluation).

        refEnv in this case is the environment record that the cached accessors were
        found in i.e. the global object.  The WithBaseObject() of the global object is
        undefined (see details about WithBaseObject at
        https://tc39.github.io/ecma262/#sec-environment-records).

        Hence, the __proto__ accessors should see a thisValue of undefined, and throw
        TypeErrors.  See https://tc39.github.io/ecma262/#sec-get-object.prototype.__proto__,
        https://tc39.github.io/ecma262/#sec-set-object.prototype.__proto__,
        https://tc39.github.io/ecma262/#sec-toobject, and
        https://tc39.github.io/ecma262/#sec-requireobjectcoercible.

        In JSC's implementation, the callee needs to do a ToThis operation on the
        incoming "this" argument in order to get the specified thisValue.  The
        implementations of the __proto__ accessors were not doing this correctly.  This
        has now been fixed.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):

2016-10-18  Sam Weinig  <sam@webkit.org>

        Replace std::experimental::variant with WTF::Variant (or similar)
        https://bugs.webkit.org/show_bug.cgi?id=163626

        Reviewed by Chris Dumez.

        Rename std::experimental::variant, Variant. Move helpers get/holds_alternative/etc.
        into the WTF namespace.

        * domjit/DOMJITReg.h:
        (JSC::DOMJIT::Reg::gpr):
        (JSC::DOMJIT::Reg::fpr):
        (JSC::DOMJIT::Reg::jsValueRegs):

2016-10-18  Keith Miller  <keith_miller@apple.com>

        GetByVal to GetById conversion in the DFG is incorrect for getters with control flow
        https://bugs.webkit.org/show_bug.cgi?id=163629

        Reviewed by Yusuke Suzuki.

        This patch fixes a bug in the DFG when attempt to convert a
        GetByVal into a GetById. While converting the GetByVal, during
        handleGetById in the Bytecode parser, we would mistakenly use the
        opcode length of op_get_by_id rather than op_get_by_val. This causes
        the new basic block we create to point to the wrong offset. In the
        added test this will cause us to infinite loop.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):

2016-10-18  Dean Jackson  <dino@apple.com>

        Remove CSS_SHAPES feature definition. This should always be on.
        https://bugs.webkit.org/show_bug.cgi?id=163628
        <rdar://problem/28834613>
        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2016-10-18  Michael Saboff  <msaboff@apple.com>

        Add JSC option to show time spent in each optimization phase
        https://bugs.webkit.org/show_bug.cgi?id=163617

        Reviewed by Saam Barati.

        Added reportDFGPhaseTimes option.  This outputs one line per phase similar to
            Phase CPS rethreading took 0.2661 ms

        One line is output for each phase run.

        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2016-10-18  Filip Pizlo  <fpizlo@apple.com>

        WTF should make it easier to create threads that die automatically after inactivity
        https://bugs.webkit.org/show_bug.cgi?id=163576

        Reviewed by Andreas Kling.
        
        Added a sleepSeconds() function, which made it easier for me to test this change.
        
        The WTF changes in this patch change how the JSC GC manages threads: the GC threads will now
        shut down automatically after 1 second of inactivity. Maybe this will save some memory.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionSleepSeconds):

2016-10-18  Keith Miller  <keith_miller@apple.com>

        Cleanup Wasm memory.
        https://bugs.webkit.org/show_bug.cgi?id=163601

        Reviewed by Saam Barati.

        There were a couple of issues with the original Wasm memory patch.
        This is a follow-up patch to fix those issues.

        * wasm/WASMMemory.cpp:
        (JSC::WASM::Memory::Memory):
        * wasm/WASMMemory.h:

2016-10-15  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should be able to use DirectCall ICs when they proved the callee or its executable
        https://bugs.webkit.org/show_bug.cgi?id=163371

        Reviewed by Geoffrey Garen and Saam Barati.
        
        This adds a new kind of call inline cache for when the DFG can prove what the callee
        executable is. In those cases, we can skip some of the things that the traditional call IC
        would do:
        
        - No need to check who the callee is.
        - No need to do arity checks.
        
        This case isn't as simple as just emitting a call instruction since the callee may not be
        compiled at the time that the caller is compiled. So, we need lazy resolution. Also, the
        callee may be jettisoned independently of the caller, so we need to be able to revert the
        call to an unlinked state. This means that we need almost all of the things that
        CallLinkInfo has. CallLinkInfo already knows about different kinds of calls. This patch
        teaches it about new "Direct" call types.
        
        The direct non-tail call IC looks like this:
        
                set up arguments
            FastPath:
                call _SlowPath
                lea -FrameSize(%rbp), %rsp
            
            SlowPath:
                pop
                call operationLinkDirectCall
                check exception
                jmp FastPath
        
        The job of operationLinkDirectCall is to link the fast path's call entrypoint of the callee.
        This means that in steady state, a call is just that: a call. There are no extra branches or
        checks.
        
        The direct tail call IC is a bit more complicated because the act of setting up arguments
        destroys our frame, which would prevent us from being able to throw an exception if we
        failed to compile the callee. So, direct tail call ICs look like this:
        
                jmp _SlowPath
            FastPath:
                set up arguments
                jmp 0 // patch to jump to callee
            
            SlowPath:
                silent spill
                call operationLinkDirectCall
                silent fill
                check exception
                jmp FastPath
        
        The jmp to the slow path is patched to be a fall-through jmp when we link the call.
        
        Direct calls mean less code at call sites, fewer checks on the steady state call fast path,
        and no need for arity fixup. This looks like a slight speed-up (~0.8%) on both Octane and
        AsmBench.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::relinkJumpToNop):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::relinkJumpToNop):
        (JSC::ARMv7Assembler::relinkJump): Deleted.
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::repatchJumpToNop):
        (JSC::AbstractMacroAssembler::repatchJump): Deleted.
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::relinkJumpToNop):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::patchableJump):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::slowPathStart):
        (JSC::CallLinkInfo::setCallee):
        (JSC::CallLinkInfo::clearCallee):
        (JSC::CallLinkInfo::callee):
        (JSC::CallLinkInfo::setCodeBlock):
        (JSC::CallLinkInfo::clearCodeBlock):
        (JSC::CallLinkInfo::codeBlock):
        (JSC::CallLinkInfo::setLastSeenCallee):
        (JSC::CallLinkInfo::clearLastSeenCallee):
        (JSC::CallLinkInfo::lastSeenCallee):
        (JSC::CallLinkInfo::haveLastSeenCallee):
        (JSC::CallLinkInfo::setExecutableDuringCompilation):
        (JSC::CallLinkInfo::executable):
        (JSC::CallLinkInfo::setMaxNumArguments):
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::specializationKindFor):
        (JSC::CallLinkInfo::callModeFor):
        (JSC::CallLinkInfo::isDirect):
        (JSC::CallLinkInfo::nearCallMode):
        (JSC::CallLinkInfo::isLinked):
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::addressOfMaxNumArguments):
        (JSC::CallLinkInfo::maxNumArguments):
        (JSC::CallLinkInfo::isTailCall): Deleted.
        (JSC::CallLinkInfo::setUpCallFromFTL): Deleted.
        (JSC::CallLinkInfo::callReturnLocation): Deleted.
        (JSC::CallLinkInfo::hotPathBegin): Deleted.
        (JSC::CallLinkInfo::callee): Deleted.
        (JSC::CallLinkInfo::setLastSeenCallee): Deleted.
        (JSC::CallLinkInfo::clearLastSeenCallee): Deleted.
        (JSC::CallLinkInfo::lastSeenCallee): Deleted.
        (JSC::CallLinkInfo::haveLastSeenCallee): Deleted.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::forEachReg):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::findTerminal):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::handleCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::parameterSlotsForArgCount):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addJSDirectCall):
        (JSC::DFG::JITCompiler::addJSDirectTailCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord):
        (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord):
        (JSC::DFG::JITCompiler::currentJSCallIndex): Deleted.
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToDirectCall):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JIT.cpp:
        (JSC::JIT::link):
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/Repatch.cpp:
        (JSC::linkDirectFor):
        (JSC::revertCall):
        * jit/Repatch.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::prepareForExecution):
        * runtime/Options.h:

2016-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] Not emit exception case if it is not necessary
        https://bugs.webkit.org/show_bug.cgi?id=163589

        Reviewed by Sam Weinig.

        We should not emit exception case if we do not use the slow path calls.
        For example, nodeType accessor does not use the slow path calls.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::emitDOMJITGetter):

2016-10-18  Caitlin Potter  <caitp@igalia.com>

        [JSC] ES6 Method functions should not have prototype
        https://bugs.webkit.org/show_bug.cgi?id=162530

        Reviewed by Saam Barati.

        ECMA-262 only adds "prototype" properties to specific syntactic function forms.
        Specific items which do not contain "prototype" include (most) built-in functions (such as Math.pow),
        MethodDefinitions which are not either class "constructor" methods or GeneratorMethods, AsyncFunctions,
        and ArrowFunctions.
        
        For details, see the following spec text, and the difference between GeneratorMethod evaluation and
        the evaluation of other MethodDefinition forms.
        
        - https://tc39.github.io/ecma262/#sec-method-definitions-runtime-semantics-propertydefinitionevaluation
        - https://tc39.github.io/ecma262/#sec-arrow-function-definitions-runtime-semantics-evaluation
        - https://tc39.github.io/ecmascript-asyncawait/#async-function-instances
        - https://tc39.github.io/ecma262/#sec-generator-function-definitions-runtime-semantics-propertydefinitionevaluation
        

        * runtime/Executable.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::deleteProperty):

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * runtime/Executable.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):

2016-10-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] Use NativeCallFrameTracer for operations used for DOMJIT slow calls
        https://bugs.webkit.org/show_bug.cgi?id=163586

        Reviewed by Saam Barati.

        C functions called from the DOMJIT slow path calls should use NativeCallFrameTracer.
        This fixes the debug assertion caused in r207427.

        * bytecode/DOMJITAccessCasePatchpointParams.cpp:
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        (JSC::DOMJITAccessCasePatchpointParams::emitSlowPathCalls):
        * bytecode/DOMJITAccessCasePatchpointParams.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::emitDOMJITGetter):
        * jsc.cpp:
        (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall):
        (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall):

2016-10-17  Keith Miller  <keith_miller@apple.com>

        Add support for WASM Memory.
        https://bugs.webkit.org/show_bug.cgi?id=161710

        Reviewed by Geoffrey Garen.

        This patch add initial support for WASM memory operations. First,
        it adds the concept of a WASM Module memory management object.
        This object currently mmaps a 32-bit address space for WASM use,
        although it marks all the memory outside the current breakpoint as
        PROT_NONE. For now, we do a range check on each store and load. In
        the future, we should change this to be an signal handler that
        checks what module the program trapped in.

        Additionally, this patch changes the way that our temporary tests
        call into WASM code. There is now a true "thunk" that relocates
        arguments and calls into WASM. This thunk does not tail call
        because we use pinned values to memory base-pointer and
        size. We use the new B3 pinned register api to pin the values.

        * CMakeLists.txt:
        * Configurations/ToolExecutable.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * testWASM.cpp:
        (runWASMTests):
        (main):
        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::createJSWrapper):
        (JSC::WASM::parseAndCompile):
        * wasm/WASMB3IRGenerator.h:
        * wasm/WASMCallingConvention.h:
        (JSC::WASM::CallingConvention::iterate):
        (JSC::WASM::CallingConvention::setupCall):
        (JSC::WASM::nextJSCOffset):
        * wasm/WASMFormat.h:
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::FunctionParser<Context>::parseExpression):
        * wasm/WASMMemory.cpp: Copied from Source/JavaScriptCore/wasm/WASMPlan.cpp.
        (JSC::WASM::Memory::Memory):
        * wasm/WASMMemory.h: Copied from Source/JavaScriptCore/wasm/WASMModuleParser.h.
        (JSC::WASM::Memory::~Memory):
        (JSC::WASM::Memory::memory):
        (JSC::WASM::Memory::size):
        (JSC::WASM::Memory::pinnedRegisters):
        (JSC::WASM::Memory::mode):
        (JSC::WASM::Memory::growMemory):
        (JSC::WASM::Memory::offsetOfSize):
        * wasm/WASMModuleParser.cpp:
        (JSC::WASM::ModuleParser::parse):
        (JSC::WASM::ModuleParser::parseMemory):
        * wasm/WASMModuleParser.h:
        (JSC::WASM::ModuleParser::functionInformation):
        (JSC::WASM::ModuleParser::memory):
        * wasm/WASMOps.h:
        * wasm/WASMPlan.cpp:
        (JSC::WASM::Plan::Plan):
        * wasm/WASMPlan.h:
        * wasm/WASMSections.h:

2016-10-17  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add toggles for debugger pauses at console.assert failures
        https://bugs.webkit.org/show_bug.cgi?id=139542
        <rdar://problem/19281600>

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::setPauseOnAssertions):
        Toggle pause on assertions state. Default is disabled,
        and disable it when frontends disconnect.

        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        Instead of using the PauseOnAllExceptions state, use this
        new state specific to assertions.

        * inspector/protocol/Debugger.json:
        New protocol method to toggle pausing on assertions.

2016-10-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT][JSC] Add Option::useDOMJIT
        https://bugs.webkit.org/show_bug.cgi?id=163457

        Reviewed by Saam Barati.

        Add an option to switch the DOMJIT optimization.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2016-10-17  Filip Pizlo  <fpizlo@apple.com>

        Air::IRC doesn't need to have a special-case for uncolored Tmps since they all get colored
        https://bugs.webkit.org/show_bug.cgi?id=163548
        <rdar://problem/28804381>

        Reviewed by Geoffrey Garen.
        
        Before r207408, IRC had a mode where it would silently assign the first assignable register (so
        %rax, %xmm0, etc) to any tmp that was not colorable due to a pathological interference fencepost.
        We reason about interference at instruction boundaries. This means that if you have, for example,
        an instruction that clobbers all registers late followed by an instruction that has an early def
        in the same register file, then the early def will not be colorable because it interferes with
        all registers. This already happens in our tests, but IRC silently returns the first assignable
        register to such tmps. For some reason the resulting code works OK - probably because this tends
        to only be hit by fuzzing, which may not then stress that code enough to shake out the register
        corruption. Also, this can only happen for floating point registers, so it's hard to get an
        exciting crash. The worst case is that your numbers get all messed up.
        
        This change fixes the issue:
        
        - IRC will now crash if it can't color a tmp.
        
        - IRC doesn't crash on our tests anymore because I added a padInterference() utility that works
          around the interference problem by inserting Nops to pad between those instructions where
          conflating their early and late actions into one interference fencepost could create an
          uncolorable graph.
        
        See https://bugs.webkit.org/show_bug.cgi?id=163548#c2 for a detailed discussion of how the
        problem can arise.
        
        This problem almost made me want to abandon our use of interference at instruction boundaries,
        and introduce something more comprehensive, like interference at various stages of an
        instruction's execution. The reason why I didn't do this is that this problem only arises in well
        confined corner cases: you need an instruction that does a late use or def followed by an
        instruction that does an early def. Register clobbers count as defs for this equation.
        Fortunately, early defs are rare, and even when they do happen, you still need the previous
        instruction to have a late something. Late uses are rare and many instructions don't have defs at
        all, which means that it's actually pretty common for an instruction to not have anything late.
        This means that the padInterference() strategy is ideal: our algorithms stay simple because they
        only have to worry about interference at boundaries, and we rarely insert any Nops in
        padInterference() so the IR stays nice and compact. Those Nops get removed by any phase that does
        DCE, which includes eliminateDeadCode(), allocateStack(), and reportUsedRegisters(). In practice
        allocateStack() kills them.
        
        This also finally refactors our passing of RegisterSet to pass it by value, since it's small
        enough that we're not gaining anything by using references. On x86, RegisterSet ought to be
        smaller than a pointer.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::extraClobberedRegs):
        (JSC::B3::StackmapSpecial::extraEarlyClobberedRegs):
        * b3/B3StackmapSpecial.h:
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::extraEarlyClobberedRegs):
        (JSC::B3::Air::CCallSpecial::extraClobberedRegs):
        * b3/air/AirCCallSpecial.h:
        * b3/air/AirInst.h:
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::extraClobberedRegs):
        (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        (JSC::B3::Air::iteratedRegisterCoalescing):
        * b3/air/AirPadInterference.cpp: Added.
        (JSC::B3::Air::padInterference):
        * b3/air/AirPadInterference.h: Added.
        * b3/air/AirSpecial.h:
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::isEmpty):

2016-10-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly JS API: implement basic stub

        Implement the global WebAssembly JavaScript object, and its constructor +
        function properties as described in:
          https://github.com/WebAssembly/design/blob/master/JS.md

        These don't do anything at the moment, the parent bug will take care of adding
        more functionality and associated tests.

        WebAssembly JS API: implement basic stub
        https://bugs.webkit.org/show_bug.cgi?id=163404

        Reviewed by Keith Miller.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.h: register the new WebAssembly object's name and its constructor properties
        * jsc.cpp: remove useless include
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): add the WebAssembly global object and its constructor properties, but only if the JSC option enables it
        * runtime/Options.h: add the useWebAssembly (alias: enableWebAssembly) option, defaulting to false
        * wasm/WebAssemblyObject.cpp: Added.
        (JSC::WebAssemblyObject::create): boilerplate
        (JSC::WebAssemblyObject::createStructure): boilerplate
        (JSC::WebAssemblyObject::finishCreation): boilerplate
        (JSC::WebAssemblyObject::WebAssemblyObject): boilerplate
        (JSC::wasmObjectFuncvalidate): auto-throws for now
        (JSC::wasmObjectFunccompile): auto-throws for now
        * wasm/WebAssemblyObject.h: Added.

2016-10-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix after r207428
        https://bugs.webkit.org/show_bug.cgi?id=163223

        Previous build fix r207428 broke all the builds.

        * bytecode/PolymorphicAccess.h:

2016-10-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for GTK and Windows
        https://bugs.webkit.org/show_bug.cgi?id=163223

        Attempt to fix build failures in GTK port and Windows port.

        * bytecode/PolymorphicAccess.cpp:
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationState::SpillState::SpillState):

2016-10-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] Use DOMJIT::Patchpoint in IC
        https://bugs.webkit.org/show_bug.cgi?id=163223

        Reviewed by Saam Barati.

        This patch uses DOMJIT::Patchpoint to inline DOM accesses even in IC!
        It is useful for Baseline JIT cases and GetById cases in DFG and FTL.
        In AccessCase, we construct the environment that allows DOMJIT::Patchpoint
        to emit code and make DOMJIT accessors inlined in IC.

        To allow DOMJIT::Patchpoint to emit code, we create a mechanism to emit calls
        required in DOMJIT::Patchpoint. This system is useful when we create the super-
        polymorphic support[1] later. And inlining mechanism is useful even after
        introducing super-polymorphic support since it can work even after we fire the
        watchpoint for super-polymorphic handling.

        This patch improves Dromaeo dom-traverse 8% (263.95 runs/s v.s. 244.07 runs/s).

        [1]: https://bugs.webkit.org/show_bug.cgi?id=163226

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/DOMJITAccessCasePatchpointParams.cpp: Added.
        (JSC::SlowPathCallGeneratorWithArguments::SlowPathCallGeneratorWithArguments):
        (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
        (JSC::DOMJITAccessCasePatchpointParams::emitSlowPathCalls):
        * bytecode/DOMJITAccessCasePatchpointParams.h: Copied from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
        (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
        (JSC::DOMJITAccessCasePatchpointParams::SlowPathCallGenerator::~SlowPathCallGenerator):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::liveRegistersForCall):
        (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite):
        (JSC::calleeSaveRegisters):
        (JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
        (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCallWithThrownException):
        (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
        (JSC::AccessGenerationState::callSiteIndexForExceptionHandlingOrOriginal):
        (JSC::AccessGenerationState::originalExceptionHandler):
        (JSC::AccessCase::generateImpl):
        (JSC::AccessCase::emitDOMJITGetter):
        (JSC::PolymorphicAccess::regenerate):
        (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall): Deleted.
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationState::SpillState::isEmpty):
        (JSC::AccessGenerationState::setSpillStateForJSGetterSetter):
        (JSC::AccessGenerationState::spillStateForJSGetterSetter):
        (JSC::AccessGenerationState::liveRegistersForCall): Deleted.
        (JSC::AccessGenerationState::numberOfStackBytesUsedForRegisterPreservation): Deleted.
        (JSC::AccessGenerationState::liveRegistersToPreserveAtExceptionHandlingCallSite): Deleted.
        * dfg/DFGDOMJITPatchpointParams.cpp:
        * dfg/DFGDOMJITPatchpointParams.h:
        * domjit/DOMJITPatchpoint.h:
        * domjit/DOMJITPatchpointParams.h:
        (JSC::DOMJIT::PatchpointParams::addSlowPathCall):
        * ftl/FTLDOMJITPatchpointParams.cpp:
        * ftl/FTLDOMJITPatchpointParams.h:
        * jsc.cpp:
        (WTF::DOMJITNode::checkDOMJITNode):
        (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
        (WTF::DOMJITGetterComplex::createStructure):
        (WTF::DOMJITGetterComplex::create):
        (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT):
        (WTF::DOMJITGetterComplex::domJITNodeGetterSetter):
        (WTF::DOMJITGetterComplex::finishCreation):
        (WTF::DOMJITGetterComplex::functionEnableException):
        (WTF::DOMJITGetterComplex::customGetter):
        (GlobalObject::finishCreation):
        (functionCreateDOMJITGetterComplexObject):

2016-10-17  Saam Barati  <sbarati@apple.com>

        Build fix for HasOwnPropertyCache::Entry caused slowdown by introducing a constructor that doesn't use move semantics for the RefPtr<UniquedStringImpl> parameter
        https://bugs.webkit.org/show_bug.cgi?id=163490

        Reviewed by Darin Adler.

        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::Entry::Entry):
        (JSC::HasOwnPropertyCache::tryAdd):

2016-10-17  Mark Lam  <mark.lam@apple.com>

        Use the reject() helper function for conditionally throwing TypeErrors.
        https://bugs.webkit.org/show_bug.cgi?id=163491

        Reviewed by Filip Pizlo.

        In some places where we may conditionally throw a TypeError (e.g. when in strict
        mode), we already use the reject() helper function to conditionally throw the
        TypeError.  Doing so makes the code mode compact.  This patch applies this idiom
        consistently in all places that throws TypeError where appropriate.

        This patch also does the following:
        1. Make the reject() helper function take an ASCIILiteral instead of a const char*
           because we always pass it a literal string anyway.
        2. Change the reject helper() to take a ThrowScope&.  This allows the thrown
           error to be attributed to its caller.
        3. When an error message string is instantiated repeatedly in more than 1 place,
           create a common copy of that literal string in JSObject.cpp (if one doesn't
           already exist) and use that common string in all those places.
        4. Since I was auditing call sites of throwTypeError() to check if they should be
           using the reject() helper instead, I also fixed those up to pass the error
           message as an ASCIILiteral where appropriate.
        5. In functions that I touched, change the code to not recompute the VM& when it
           is already available.

        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/GetterSetter.cpp:
        (JSC::callSetter):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::setLengthWithArrayStorage):
        (JSC::JSArray::pop):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::put):
        (JSC::JSArrayBuffer::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::put):
        (JSC::JSDataView::defineOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndex):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::defineOwnProperty):
        * runtime/JSObject.cpp:
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::validateAndApplyPropertyDescriptor):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInline):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setPrototype):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setLastIndex):
        * runtime/Reject.h:
        (JSC::reject):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayEntry::put):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):

2016-10-16  Filip Pizlo  <fpizlo@apple.com>

        Air::IRC needs to place all Tmps on some worklist, even if they have no interference edges
        https://bugs.webkit.org/show_bug.cgi?id=163509

        Reviewed by Mark Lam.
        
        The worklist building function in IRC skips temporaries that have no degree. This doesn't appear
        to be necessary. This has been there since the original IRC commit. It hasn't caused bugs because
        ordinarily, the only way to have a tmp with no degree is to not have any mention of that tmp. But
        while working on bug 163371, I hit a crazy corner case where a temporary would have no
        interference edges (i.e. no degree). Here's how it happens:
        
        A spill tmp from a previous iteration of IRC may have no degree: imagine a tmp that is live
        everywhere and interferes with everyone, but has one use like:

        Move %ourTmp, %someOtherTmp

        Where there are no other tmps live.  After spill conversion, this may look like:

        Move (ourSpill), %newTmp
        Move %newTmp, %someOtherTmp

        Of course, we'd rather not get this kind of spill code but it's totally possible because we now
        have a bunch of random conditions under which we won't slap the spill address directly into the
        Move.

        After this happens, assuming that the only thing live was %someOtherTmp, we will have zero degree
        for %newTmp because the Move is coalescable and does not contribute to interference.

        Then, we might coalesce %someOtherTmp with %newTmp.  Once this happens, if we make the %newTmp be
        the master, we're in deep trouble because %newTmp is not on any worklist.
        
        I don't know how to reproduce this except through the patch in bug 163371. Removing the two lines
        of code that skipped no-degree tmps causes no regressions, and resolves the problem I was having.

        * b3/air/AirIteratedRegisterCoalescing.cpp:

2016-10-15  Mark Lam  <mark.lam@apple.com>

        Add a $vm.getpid() method.
        https://bugs.webkit.org/show_bug.cgi?id=163493

        Reviewed by Saam Barati.

        This is especially useful when we need to know the pid of an instance of jsc in
        the foreground that we're trying to attach a debugger to while the JSC tests are
        running in the background with a gazillion other jsc processes live at the same
        time.

        Currently, $vm.getpid() is only supported on non-Windows platforms.
        According to https://msdn.microsoft.com/en-us/library/ms235372.aspx, getpid() is
        deprecated.  According to https://msdn.microsoft.com/en-us/library/t2y34y40.aspx,
        _getpid() cannot be used in applications that execute in the Windows Runtime.

        Since this is only a debugging tool and is not a required feature, I'll defer
        the Windows implementation of this function till the time when someone actually
        needs it.

        * tools/JSDollarVMPrototype.cpp:
        (JSC::functionGetPID):
        (JSC::JSDollarVMPrototype::finishCreation):

2016-10-15  Saam Barati  <sbarati@apple.com>

        Assertion failed under operationToLowerCase with a rope with zero length
        https://bugs.webkit.org/show_bug.cgi?id=163314

        Reviewed by Mark Lam.

        There are some ways to get JSC to create empty rope strings. ToLowerCase
        inside the DFG/FTL goes to the slow path when the argument is a rope.
        operationToLowerCase was calling into a WTF string function that
        assumed we are passing it a this value that has non-zero length.
        However, we were calling it with a string that did have zero length.
        To fix this, we make operationToLowerCase return the empty JSString
        if it is going to make a string with zero length.

        * dfg/DFGOperations.cpp:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionIsRope):

2016-10-14  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] op_negate should with any type
        https://bugs.webkit.org/show_bug.cgi?id=162587

        Reviewed by Saam Barati.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        ArithNegate is quite simple. If the input is double, the output
        is double. The other cases are set from the LLInt slow case.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        Tweak a bit the IntegerRangeOptimizationPhase when simplifying
        ArithAbs to ArithNegate.
        We should not do the conversion if the target nodes OSR Exits
        on different input than the source node.

        In particular, Checked ArithNegate exits on zero while
        ArithAbs has not problem with it.
        Unchecked ArithAbs() do not OSR Exit on INT_MIN, ArithNeg
        should not either.

        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):

        * jit/JITNegGenerator.cpp:
        (JSC::JITNegGenerator::generateFastPath):
        * jit/JITOperations.cpp:
        Add result profiling in baseline to have types we can use
        in DFG and FTL.

2016-10-14  Keith Miller  <keith_miller@apple.com>

        B3 needs a special WasmAddress Opcode
        https://bugs.webkit.org/show_bug.cgi?id=163394

        Reviewed by Filip Pizlo.

        This patch adds support for WasmAddress. WasmAddress will be used by
        Wasm to compute the address of a memory operation from the pinned
        base pointer. WasmAddress takes an IntPtr so we can avoid emitting
        unnecessary Move32s in Air. This could happen in the following case:

        @ptr = Trunc(...)
        WasmAddress(@ptr, pinnedGPR)
        ...
        PatchPoint(...) // Do Wasm call
        WasmAddress(@ptr, pinnedGPR)
        ...

        In this case we will not be able to CSE the WasmAddresses since the
        call writes to pinnedGPR. Thus if WasmAddress took an Int32 we would need
        to emit an extra Move32 at the second WasmAddress to ensure it saw a proper
        32-bit value. If Wasm ensures that there there is a leading ZExt32 then
        the duplicated moves become unnecessary.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        * b3/B3WasmAddressValue.cpp: Added.
        (JSC::B3::WasmAddressValue::~WasmAddressValue):
        (JSC::B3::WasmAddressValue::dumpMeta):
        (JSC::B3::WasmAddressValue::cloneImpl):
        (JSC::B3::WasmAddressValue::WasmAddressValue):
        * b3/B3WasmAddressValue.h: Added.
        * b3/testb3.cpp:
        (JSC::B3::testWasmAddress):
        (JSC::B3::run):

2016-10-14  Joseph Pecoraro  <pecoraro@apple.com>

        test262: @isConstructor incorrectly thinks Math.cos is a constructor
        https://bugs.webkit.org/show_bug.cgi?id=163437

        Reviewed by Saam Barati.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getConstructData):
        By default, Host JSFunctions are not constructable. They get
        the default callHostFunctionAsConstructor native constructor.
        When getting construct data we can return ConstructType::None
        in these cases instead of indicating it might be constructable
        and later throwing an exception when construction is attempted.

2016-10-14  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r207322.

        This change caused JSC test failures

        Reverted changeset:

        "Fix Array.prototype.splice ES6 compliance."
        https://bugs.webkit.org/show_bug.cgi?id=163372
        http://trac.webkit.org/changeset/207322

2016-10-14  Mark Lam  <mark.lam@apple.com>

        JSON.parse should not modify frozen objects.
        https://bugs.webkit.org/show_bug.cgi?id=163430

        Reviewed by Saam Barati.

        The ES6 spec for JSON.parse (https://tc39.github.io/ecma262/#sec-json.parse and
        https://tc39.github.io/ecma262/#sec-internalizejsonproperty) states that it uses
        CreateDataProperty() (https://tc39.github.io/ecma262/#sec-createdataproperty) to
        set values returned by a reviver.  The spec for CreateDataPropertyOrThrow states:

        "This abstract operation creates a property whose attributes are set to the same
        defaults used for properties created by the ECMAScript language assignment
        operator. Normally, the property will not already exist. If it does exist and is
        not configurable or if O is not extensible, [[DefineOwnProperty]] will return
        false."

        Note: CreateDataProperty() will not throw a TypeError.

        Since the properties of frozen objects are not extensible, not configurable, and
        not writeable, JSON.parse should fail to write to any frozen objects.  Similarly,
        JSON.parse should fail to delete properties in frozen objects.

        In JSON.parse(), we previously write to array elements using the form of
        putDirectIndex() that uses mode PutDirectIndexLikePutDirect.  This makes it so
        that the write (i.e. put) is always successful.  We've now fixed this to use
        PutDirectIndexShouldNotThrow mode instead, which will fail to put the element if
        the array is not writeable.

        Also changed Walker::walk() to use the version of methodTable() that takes a VM&
        since the VM& is already available.

        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):

2016-10-14  Joseph Pecoraro  <pecoraro@apple.com>

        test262: Failure with RegExp.prototype.compile when pattern is undefined
        https://bugs.webkit.org/show_bug.cgi?id=163431

        Reviewed by Yusuke Suzuki.

        If pattern is undefined let P be the empty String.
        https://tc39.github.io/ecma262/#sec-regexpinitialize

        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):

2016-10-13  Joseph Pecoraro  <pecoraro@apple.com>

        Exception message for expressions with multiple bracket accesses is inconsistent / incorrect
        https://bugs.webkit.org/show_bug.cgi?id=163426

        Reviewed by Geoffrey Garen.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BracketAccessorNode::emitBytecode):
        It matters where emitExpressionInfo is called since it gathers
        info about where we are in the instruction stream. We need to
        emit it before the bytecode that we want to associate the data
        with. In this case, before the getById / getByVal.

2016-10-13  Mark Lam  <mark.lam@apple.com>

        Fix Array.prototype.splice ES6 compliance.
        https://bugs.webkit.org/show_bug.cgi?id=163372

        Reviewed by Geoffrey Garen and Yusuke Suzuki.

        Our Array.prototype.splice implementation neglected to set length on the result
        array (step 12 of https://tc39.github.io/ecma262/#sec-array.prototype.splice) in
        a certain code path.  This is now fixed.

        I'm deferring the implementation of step 8 till later because it requires more
        careful consideration and the fix is of a lesser value (and therefore, of less
        urgency).  See https://bugs.webkit.org/show_bug.cgi?id=163417

        Also added some needed exception checks and assertions.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):

2016-10-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Stepping highlight for dot/bracket expressions in if statements highlights subset of the expression
        https://bugs.webkit.org/show_bug.cgi?id=163378
        <rdar://problem/28749376>

        Reviewed by Saam Barati.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        Since each expression builds on the previous, always keep the starting
        location the first location.

2016-10-13  Per Arne Vollan  <pvollan@apple.com>

        [Win64] Compile fix.
        https://bugs.webkit.org/show_bug.cgi?id=163384

        Reviewed by Brent Fulgham.

        Fix use of potentially uninitialized variable.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2016-10-12  Chris Dumez  <cdumez@apple.com>

        [Web IDL] Drop support for legacy [ConstructorConditional=*]
        https://bugs.webkit.org/show_bug.cgi?id=163368

        Reviewed by Ryosuke Niwa.

        Drop ENABLE_DOM4_EVENTS_CONSTRUCTOR compiler flag.

        * Configurations/FeatureDefines.xcconfig:

2016-10-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: step-into `console.log(o)` should not step through inspector javascript
        https://bugs.webkit.org/show_bug.cgi?id=161656
        <rdar://problem/28181123>

        Reviewed by Timothy Hatcher.

        * debugger/Debugger.h:
        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        If the Script is blacklisted skip checking if we need to pause.

        (JSC::Debugger::isBlacklisted):
        (JSC::Debugger::addToBlacklist):
        (JSC::Debugger::clearBlacklist):
        Add the ability to add a Script to a blacklist. Currently the blacklist
        only prevents pausing in the Script.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::isWebKitInjectedScript):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        Always add Internal InjectedScripts to the Debugger's blacklist.

        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        Clear blacklists when clearing debugger state.

2016-10-12  Keith Miller  <keith_miller@apple.com>

        B3 needs a special WasmBoundsCheck Opcode
        https://bugs.webkit.org/show_bug.cgi?id=163246

        Reviewed by Filip Pizlo.

        This patch adds a new Opcode, WasmBoundsCheck, as well as a B3::Value subclass for it,
        WasmBoundsCheckValue. WasmBoundsCheckValue takes three pieces of information. The first is
        the Int32 pointer value used to be used by the Load.  Next is the pinned register. The
        pinned register must be pinned by calling proc.setPinned() prior to compiling the
        Procedure. Lastly, the WasmBoundsCheckValue takes an offset. The WasmBoundsCheckValue is
        will then emit code that side-exits if the Int64 sum of the offset and pointer is greater
        than or equal to the value in the pinnedRegister. Instead of taking a generator for each
        value like Check/Patchpoint, WasmBoundsCheck gets its generator directly off Air::Code. In
        Air this patch adds a new Custom opcode, WasmBoundsCheck.

        In the future we should add WasmBoundsCheck to CSE so it can eliminate redundant bounds
        checks. At the first cut, we can remove any WasmBoundsCheck dominated by another
        WasmBoundsCheck with the same pointer and pinnedGPR, and a larger offset.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::imm):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::setWasmBoundsCheckGenerator):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::setWasmBoundsCheckGenerator):
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        (JSC::B3::Value::typeFor):
        * b3/B3WasmBoundsCheckValue.cpp: Added.
        (JSC::B3::WasmBoundsCheckValue::~WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
        (JSC::B3::WasmBoundsCheckValue::dumpMeta):
        * b3/B3WasmBoundsCheckValue.h: Added.
        (JSC::B3::WasmBoundsCheckValue::accepts):
        (JSC::B3::WasmBoundsCheckValue::pinnedGPR):
        (JSC::B3::WasmBoundsCheckValue::offset):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::setWasmBoundsCheckGenerator):
        (JSC::B3::Air::Code::wasmBoundsCheckGenerator):
        * b3/air/AirCustom.cpp:
        (JSC::B3::Air::WasmBoundsCheckCustom::isValidForm):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::WasmBoundsCheckCustom::forEachArg):
        (JSC::B3::Air::WasmBoundsCheckCustom::isValidFormStatic):
        (JSC::B3::Air::WasmBoundsCheckCustom::admitsStack):
        (JSC::B3::Air::WasmBoundsCheckCustom::isTerminal):
        (JSC::B3::Air::WasmBoundsCheckCustom::hasNonArgNonControlEffects):
        (JSC::B3::Air::WasmBoundsCheckCustom::generate):
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testWasmBoundsCheck):
        (JSC::B3::run):

2016-10-12  Filip Pizlo  <fpizlo@apple.com>

        The blackening of CellState is a bad way of tracking if the object is being marked for the first time
        https://bugs.webkit.org/show_bug.cgi?id=163343

        Reviewed by Mark Lam.
        
        When I first added the concept of NewGrey/OldGrey, I had the SlotVisitor store the old cell
        state in itself, so that it could use it to decide what to do for reportExtraMemoryVisited().
        
        Then I changed it in a recent commit, because I wanted the freedom to have SlotVisitor visit
        multiple objects in tandem. But I never ended up using this capability. Still, I liked the
        new way better: instead of the SlotVisitor rembemering the state-before-blackening, we would
        make the object's state reflect whether it was black for the first time or not. That seemed
        convenient.
        
        Unfortunately it's wrong. After we blacken the object, a concurrent barrier could instantly
        grey it. Then we would forget that we are visiting this object for the first time.
        Subsequent visits will think that they are not the first. So, we will fail to do the right
        thing in reportExtraMemoryVisited().
        
        So, this reverts that change. This is a little more than just a revert, though. I've changed
        the terminology a bit. For example, I got tired of reading Black and having to remind myself
        that it really means that the object has begun being visited, instead of the more strict
        meaning that implies that it has already been visited. We want to say that it's Black or
        currently being scanned. I'm going to adopt Siebert's term for this: Anthracite [1]. So, our
        black CellState is now called AnthraciteOrBlack.
        
        [1] https://pdfs.semanticscholar.org/7ae4/633265aead1f8835cf7966e179d02c2c8a4b.pdf

        * heap/CellState.h:
        (JSC::isBlack): Deleted.
        (JSC::blacken): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::writeBarrierSlowPath):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::reportExtraMemoryVisited):
        (JSC::Heap::reportExternalMemoryVisited):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryVisited):
        (JSC::SlotVisitor::reportExternalMemoryVisited):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:

2016-10-12  Mark Lam  <mark.lam@apple.com>

        Rename variables in arrayProtoFuncSplice() to match names in the spec.
        https://bugs.webkit.org/show_bug.cgi?id=163354

        Reviewed by Saam Barati.

        This will make it easier to see whether the code matches the spec or not.
        Ref: https://tc39.github.io/ecma262/#sec-array.prototype.splice

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):

2016-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT][JSC] Explore the way to embed nodeType into JSC::JSType in WebCore
        https://bugs.webkit.org/show_bug.cgi?id=163245

        Reviewed by Filip Pizlo.

        We reserve the highest bit of JSC::JSType for extensions outside JSC.
        JSC does not use JSType bits so many: only 52 types are defined.

        And we extend CallDOM patchpoint to claim that it does not require a global object.
        This global object is used to generate a DOM wrapper. However, nodeType does not require
        it since it just returns integer. In the future, we will extend CallDOM to claim
        its result type. And we can decide this `requireGlobalObject` condition automatically
        according to the result type.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCheckDOMPatchpoint):
        (JSC::DFG::Node::checkDOMPatchpoint):
        (JSC::DFG::Node::hasCallDOMPatchpoint):
        (JSC::DFG::Node::callDOMPatchpoint):
        (JSC::DFG::Node::hasDOMJIT): Deleted.
        (JSC::DFG::Node::domJIT): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        (JSC::DFG::SpeculativeJIT::compileCheckDOM):
        * domjit/DOMJITCallDOMPatchpoint.h: Copied from Source/JavaScriptCore/domjit/DOMJITGetterSetter.h.
        (JSC::DOMJIT::CallDOMPatchpoint::create):
        * domjit/DOMJITGetterSetter.h:
        * domjit/DOMJITPatchpoint.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        * jsc.cpp:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/JSType.h:

2016-10-12  Keith Miller  <keith_miller@apple.com>

        Handle non-function, non-undefined comparator in Array.prototype.sort
        https://bugs.webkit.org/show_bug.cgi?id=163085

        Reviewed by Yusuke Suzuki.

        * builtins/ArrayPrototype.js:
        (sort.comparatorSort):
        (sort.stringSort):
        (sort):

2016-10-12  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r207179): ASSERTION FAILED: node.cell != previousCell
        https://bugs.webkit.org/show_bug.cgi?id=163337

        Reviewed by Mark Lam.
        
        It turns out that HeapSnapshot was not down with revisiting. The concurrent GC is going to be
        built around the idea that we can revisit objects many times. This means that any action that
        should only take place once per object must check the object's state. This fixes the snapshot
        code to do this.
        
        While writing this code, I realized that we're actually doing this check incorrectly, so I
        filed bug 163343. That bug requires a race, so we aren't going to see it yet.

        * heap/HeapSnapshot.cpp:
        (JSC::HeapSnapshot::finalize):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):

2016-10-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve support for logging Proxy objects in console
        https://bugs.webkit.org/show_bug.cgi?id=163323
        <rdar://problem/28432553>

        Reviewed by Timothy Hatcher.

        This is based off of similiar patches in Blink for Proxy handling.

        * bindings/ScriptValue.cpp:
        (Deprecated::ScriptValue::isEqual):
        Use strict equality. This is the intent, and it prevents the possibility of triggering
        primitive conversion on objects in previous ConsoleMessage argument lists.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._propertyDescriptors):
        Bail if the object is a Proxy.

        (InjectedScript.prototype._describe):
        Provide a friendlier name, "Proxy" instead of "ProxyObject".
        
        (InjectedScript.RemoteObject):
        When generating a preview for a Proxy object, generate it from the final target
        and mark it as lossy so that the object can always be expanded to get the internal
        target/handler properties.

        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        New subtype for Proxy objects.

        (Inspector::JSInjectedScriptHost::proxyTargetValue):
        Resolve the final target value for a Proxy.

        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionProxyTargetValue):
        Add the new method.

        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getFirstArgumentAsString):
        Avoid triggering Proxy traps on a Proxy object when getting a quick
        string description for ConsoleMessages.

        * inspector/protocol/Runtime.json:
        Add new "proxy" subtype.

2016-10-12  Joseph Pecoraro  <pecoraro@apple.com>

        Emit DebugHooks uniformly with pause locations instead of having separate pause locations and op_debug emits
        https://bugs.webkit.org/show_bug.cgi?id=162809

        Reviewed by Geoffrey Garen.

        Change how BytecodeGeneration emits debug hooks to be more consistent.
        Previously most nodes individually generated their own debug hook
        and we asserted that it matched a breakpoint location identified
        by the parser. This could get out of sync, or nodes could forget to
        emit debug hooks expected by the parser.
        
        With this change, we always check and emit a debug hook for any
        node. The default behavior is for BytecodeGenerator::emitNode
        to emit the debug hook when emitting the node itself. This covers
        the majority of cases (statements).

        There are a few exceptions where we continue to need to customize
        emitting debug hooks:

            1. Nodes with emitBytecodeInConditionContext
                - non-Expression nodes customize how they emit their children
                - constants conditions may emit nothing, but we had recorded a breakpoint location so emit a debug hook
                - always emit one debug hook in case we recorded a breakpoint location, but avoid emitting multiple
                  in nodes which may call up to the ExpressionNode::emitBytecodeInConditionContext base impl.
            2. Specialized Debug Hooks
                - such as hooks for Program start/end, debugger statements, etc.
            3. Debug Hooks in for..of / for..in that don't correspond to re-emitting nodes
                - such as pausing on the assignment expression inside these loops

        The majority of nodes no longer have custom emits.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNodeInTailPosition):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        (JSC::BytecodeGenerator::emitEnumeration):
        By default, when emitting a node check if we should also emit an op_debug for it.
        This default DebugHook is WillExecuteStatement, which is a normal pause point.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstantNode::emitBytecodeInConditionContext):
        (JSC::LogicalNotNode::emitBytecodeInConditionContext):
        (JSC::BinaryOpNode::emitBytecodeInConditionContext):
        (JSC::LogicalOpNode::emitBytecodeInConditionContext):
        The parser would have generated a pause location for these conditions
        no matter what constant folding and re-writing these nodes may perform.
        So, when emitting these nodes in condition context check if they need
        emit their own debug hook.

        (JSC::EmptyStatementNode::emitBytecode):
        (JSC::ExprStatementNode::emitBytecode):
        (JSC::DeclarationStatement::emitBytecode):
        (JSC::IfElseNode::emitBytecode):
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::ThrowNode::emitBytecode):
        No longer need to custom emit debug hooks. The default emitNode will handle these.

        (JSC::ForInNode::emitBytecode):
        Include extra debug hooks the user expects to return back to the assignment
        expression in the loop header before starting the body again. The same is done
        for for..of with emitEnumeration.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createExportDefaultDeclaration):
        (JSC::ASTBuilder::createExportLocalDeclaration):
        These are no longer needed to fake-satisfy assertions. We never wanted to
        emit debug hooks for these inner statements because the export statement
        will already have the debug hooks.

        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createForOfLoop):
        Include the correct location where the declaration starts.

        (JSC::ASTBuilder::breakpointLocation):
        Simplify to a general implementation for Node.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createForOfLoop):
        Ignore the new extra parameter.

        * parser/Nodes.h:
        (JSC::Node::needsDebugHook):
        (JSC::Node::setNeedsDebugHook):
        (JSC::ExpressionNode::needsDebugHook): Deleted.
        (JSC::ExpressionNode::setNeedsDebugHook): Deleted.
        (JSC::StatementNode::isEmptyStatement): Deleted.
        (JSC::StatementNode::needsDebugHook): Deleted.
        (JSC::StatementNode::setNeedsDebugHook): Deleted.
        Move debug hook logic into the base Node class.

        (JSC::StatementNode::isDebuggerStatement):
        Provide a way to distinguish a debugger statement.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        Provide the location before the declaration starts.

2016-10-12  Mark Lam  <mark.lam@apple.com>

        Array.prototype.slice should not modify frozen objects.
        https://bugs.webkit.org/show_bug.cgi?id=163338

        Reviewed by Filip Pizlo.

        1. The ES6 spec for Array.prototype.slice
           (https://tc39.github.io/ecma262/#sec-array.prototype.slice) states that it uses
           the CreateDataPropertyOrThrow()
           (https://tc39.github.io/ecma262/#sec-createdatapropertyorthrow) to add items to
           the result array.  The spec for CreateDataPropertyOrThrow states:

           "This abstract operation creates a property whose attributes are set to the
           same defaults used for properties created by the ECMAScript language assignment
           operator. Normally, the property will not already exist. If it does exist and
           is not configurable or if O is not extensible, [[DefineOwnProperty]] will
           return false causing this operation to throw a TypeError exception."

        2. Array.prototype.slice also uses a Set function
           (https://tc39.github.io/ecma262/#sec-set-o-p-v-throw) to set the "length"
           property and passes true for the Throw argument.  Ultimately, it ends up
           calling the OrdinarySet function
           (https://tc39.github.io/ecma262/#sec-ordinaryset) that will fail if the
           property is not writable.  This failure should result in a TypeError being
           thrown in Set.

           Since the properties of frozen objects are not extensible, not configurable,
           and not writeable, Array.prototype.slice should fail to write to the result
           array if it is frozen.

        If the source array being sliced has 1 or more elements, (1) will take effect
        when we try to set the element in the non-writeable result obj.
        If the source array being sliced has 0 elements, we will not set any elements and
        (1) will not trigger.  Subsequently, (2) will take effect when we will try to
        set the length of the result obj.

        * runtime/ArrayPrototype.cpp:
        (JSC::putLength):
        (JSC::setLength):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):

2016-10-12  Filip Pizlo  <fpizlo@apple.com>

        Remove JITWriteBarrier.h
        https://bugs.webkit.org/show_bug.cgi?id=163334

        Reviewed by Mark Lam.
        
        I guess that the idea of JITWriteBarrier was to make sure that if you slap some heap pointer
        bits into machine code, then you better execute a barrier on the code block. But it's a
        complicated piece of code, and I can never remember how it quite works. These days it looks
        vestigial, particularly since only the CallLinkInfo patchable callee immediate uses it. It's
        not really necessary to have something like this, since our convention is that any pointer
        stored in machine code must always be shadowed in the GC heap. I think that convention has
        won by overwhelming majority, so we should finally remove JITWriteBarrier.
        
        A practical outcome of this change is that it makes it easier to implement DirectCall ICs,
        which will have to store the callee in the CallLinkInfo but not in the machine code.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::setCallee):
        (JSC::CallLinkInfo::clearCallee):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setCallee): Deleted.
        (JSC::CallLinkInfo::clearCallee): Deleted.
        * heap/SlotVisitor.h:
        * jit/JITWriteBarrier.h: Removed.

2016-10-12  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix for GCC 4.9 after r207186.
        https://bugs.webkit.org/show_bug.cgi?id=163255

        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::Entry::Entry):

2016-10-11  Saam Barati  <sbarati@apple.com>

        HasOwnPropertyCache needs to ref the UniquedStringImpls it sees
        https://bugs.webkit.org/show_bug.cgi?id=163255

        Reviewed by Geoffrey Garen.

        The cache needs to be responsible for ensuring that things
        in the cache stay alive. Before, it wasn't doing this, and
        that was wrong.

        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::Entry::operator=):
        (JSC::HasOwnPropertyCache::operator delete):
        (JSC::HasOwnPropertyCache::create):
        (JSC::HasOwnPropertyCache::get):
        (JSC::HasOwnPropertyCache::tryAdd):
        (JSC::HasOwnPropertyCache::clear):
        (JSC::HasOwnPropertyCache::zeroBuffer):

2016-10-06  Filip Pizlo  <fpizlo@apple.com>

        MarkedBlock should know what objects are live during marking
        https://bugs.webkit.org/show_bug.cgi?id=162309

        Reviewed by Geoffrey Garen.
        
        It used to be that we would forget which objects are live the moment we started collection.
        That's because the flip at the beginning clears all mark bits.
        
        But we already have a facility for tracking objects that are live-but-not-marked. It's called
        newlyAllocated. So, instead of clearing mark bits, we want to just transfer them to
        newlyAllocated. Then we want to clear all newlyAllocated after GC.
        
        This implements such an approach, along with a versioning optimization for newlyAllocated.
        Instead of walking the whole heap to clear newlyAllocated bits at the end of the GC, we bump
        the newlyAllocatedVersion, which causes MarkedBlock to treat newlyAllocated as if it was
        clear.
        
        We could have even avoided allocating newlyAllocated in most cases, since empirically most
        blocks are either completely empty or completely full. An earlier version of this patch did
        this, but it was not better than this patch. In fact, it seemed to actually be worse for PLT
        and membuster.
        
        To validate this change, we now run the conservative scan after the beginMarking flip. And it
        totally works!
        
        This is a huge step towards concurrent GC. It means that we ought to be able to run the
        allocator while marking. Since we already separately made it possible to run the barrier
        while marking, this means that we're pretty much ready for some serious concurrency action.
        
        This appears to be perf-neutral and space-neutral.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlockSet::mark): Deleted.
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::writeBarrierCurrentlyExecuting):
        (JSC::CodeBlockSet::clearCurrentlyExecuting):
        (JSC::CodeBlockSet::writeBarrierCurrentlyExecutingCodeBlocks): Deleted.
        * heap/CodeBlockSet.h:
        * heap/CodeBlockSetInlines.h: Added.
        (JSC::CodeBlockSet::mark):
        * heap/ConservativeRoots.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::beginMarking):
        (JSC::Heap::collectImpl):
        (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
        (JSC::Heap::clearCurrentlyExecutingCodeBlocks):
        * heap/Heap.h:
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::isPagedOut):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Handle::sweepHelperSelectHasNewlyAllocated):
        (JSC::MarkedBlock::Handle::stopAllocating):
        (JSC::MarkedBlock::Handle::lastChanceToFinalize):
        (JSC::MarkedBlock::Handle::resumeAllocating):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::Handle::resetAllocated):
        (JSC::MarkedBlock::resetMarks):
        (JSC::MarkedBlock::setNeedsDestruction):
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::isLiveCell):
        (JSC::MarkedBlock::clearMarks): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::newlyAllocatedVersion):
        (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted.
        (JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::cellsPerBlock):
        (JSC::MarkedBlock::Handle::isLive):
        (JSC::MarkedBlock::Handle::isLiveCell):
        (JSC::MarkedBlock::Handle::isNewlyAllocatedStale):
        (JSC::MarkedBlock::Handle::hasAnyNewlyAllocatedWithSweep):
        (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
        (JSC::MarkedBlock::heap):
        (JSC::MarkedBlock::space):
        (JSC::MarkedBlock::Handle::space):
        (JSC::MarkedBlock::resetMarkingVersion): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::beginMarking):
        (JSC::MarkedSpace::endMarking):
        (JSC::MarkedSpace::clearNewlyAllocated): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::nextVersion):
        (JSC::MarkedSpace::newlyAllocatedVersion):
        (JSC::MarkedSpace::markingVersion): Deleted.
        * runtime/SamplingProfiler.cpp:

2016-10-11  Mark Lam  <mark.lam@apple.com>

        Array.prototype.concat should not modify frozen objects.
        https://bugs.webkit.org/show_bug.cgi?id=163302

        Reviewed by Filip Pizlo.

        The ES6 spec for Array.prototype.concat states that it uses the
        CreateDataPropertyOrThrow() to add items to the result array.  The spec for
        CreateDataPropertyOrThrow states:

        "This abstract operation creates a property whose attributes are set to the same
        defaults used for properties created by the ECMAScript language assignment
        operator. Normally, the property will not already exist. If it does exist and is
        not configurable or if O is not extensible, [[DefineOwnProperty]] will return
        false causing this operation to throw a TypeError exception."

        Since the properties of frozen objects are not extensible, not configurable, and
        not writable, Array.prototype.concat should fail to write to the result array if
        it is frozen.

        Ref: https://tc39.github.io/ecma262/#sec-array.prototype.concat,
        https://tc39.github.io/ecma262/#sec-createdatapropertyorthrow, and
        https://tc39.github.io/ecma262/#sec-createdataproperty.

        The fix consists of 2 parts:
        1. moveElement() should use the PutDirectIndexShouldThrow mode when invoking
           putDirectIndex(), and
        2. SparseArrayValueMap::putDirect() should check for the case where the property
           is read only.

        (2) ensures that we don't write into a non-writable property.
        (1) ensures that we throw a TypeError for attempts to write to a non-writeable
        property.

        * runtime/ArrayPrototype.cpp:
        (JSC::moveElements):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putDirect):

2016-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] DOMJIT::Patchpoint should have a way to receive constant folded arguments
        https://bugs.webkit.org/show_bug.cgi?id=163224

        Reviewed by Filip Pizlo.

        We use the GetGlobalObject DFG node to retrieve a global object from a DOM node.
        This global object is necessary to check whether the world is normal before entering
        the fast path of looking up the DOM wrapper cache.
        We can sometimes constant-fold this GetGlobalObject. For example, if we performed
        CheckStructure, the structure can offer the information about the possible result
        of GetGlobalObject. By using this constant-folded global object, we can drop some
        checks.

        This patch introduces the way to tell the constant-folded values to DOMJIT::Patchpoint.
        We pass DOMJIT::Value instead of DOMJIT::Reg as a parameter of DOMJIT::PatchpointParams.
        This DOMJIT::Value is a pair of DOMJIT::Reg and JSValue. If the given parameter has a
        constant value, this JSValue is filled with it.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDOMJITPatchpointParams.h:
        (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        (JSC::DFG::SpeculativeJIT::compileCheckDOM):
        * domjit/DOMJITPatchpointParams.h:
        (JSC::DOMJIT::PatchpointParams::at):
        (JSC::DOMJIT::PatchpointParams::operator[]):
        (JSC::DOMJIT::PatchpointParams::PatchpointParams):
        * domjit/DOMJITValue.h: Copied from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
        (JSC::DOMJIT::Value::Value):
        (JSC::DOMJIT::Value::isGPR):
        (JSC::DOMJIT::Value::isFPR):
        (JSC::DOMJIT::Value::isJSValueRegs):
        (JSC::DOMJIT::Value::gpr):
        (JSC::DOMJIT::Value::fpr):
        (JSC::DOMJIT::Value::jsValueRegs):
        (JSC::DOMJIT::Value::reg):
        (JSC::DOMJIT::Value::value):
        * ftl/FTLDOMJITPatchpointParams.h:
        (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):

2016-10-10  Filip Pizlo  <fpizlo@apple.com>

        Air should be able to replace constant materializations with adds
        https://bugs.webkit.org/show_bug.cgi?id=162749

        Reviewed by Yusuke Suzuki.
        
        We have a lot of defenses against emitting code that materializes huge contants. But if we do
        end up with such code in the backend, it's better to convert those materializations into add
        instructions by checking if other registers are known to contain nearby constants. That's
        what this patch does.

        * b3/air/AirFixObviousSpills.cpp:
        * b3/testb3.cpp:

2016-10-11  Filip Pizlo  <fpizlo@apple.com>

        B3->Air lowering needs the same defenses in effectiveAddr() that it has in tryAppendLea()
        https://bugs.webkit.org/show_bug.cgi?id=163264

        Reviewed by Mark Lam.
        
        When writing the lea patch (r207039), I was very careful about how I convert a Shl into a
        BaseIndex scale. But I forgot to check if the older code for creating BaseIndexes for
        effectiveAddr() got this right. It turns out that the older code missed the <<32 corner
        case.
        
        It's sad that the two paths can't share all of their code, but it's somewhat inevitable due
        to how matching an address and matching a lea have to do very different things. Matching a
        lea means creating an instruction that is distinct from other instructions to do multiple
        math operations at once. Matching an address means making some instruction do extra work
        for free. Also, address matching can take advantage of the fact that the offset is already
        associated with the memory operation by strength reduction - lea matching can't do this; it
        has to figure out Add(@value, $const) on its own. This change makes the situation slightly
        more sane by adding a scaleForShl() helper that handles this weird case. It's based on the
        new Shl handling from r207039, and exposes it as an API for effectiveAddr() to use.
        
        The testLoadBaseIndexShift32() used to crash. I don't think that this case affects JS
        content, since <<32 is such a bizarre outlier. I don't think we even have a path along
        which the FTL would emit a 64-bit <<32. It probably won't even affect WebAssembly since
        that uses 32-bit pointers, so we won't see 64-bit <<32 in effectiveAddr() there.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::scaleForShl):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::tryAppendLea):
        (JSC::B3::Air::LowerToAir::crossesInterference): Deleted.
        * b3/testb3.cpp:
        (JSC::B3::testLoadBaseIndexShift2):
        (JSC::B3::testLoadBaseIndexShift32):
        (JSC::B3::run):

2016-10-11  Saam Barati  <sbarati@apple.com>

        ValueAdd should be constant folded if the operands are constant String,Primitive or Primitive,String
        https://bugs.webkit.org/show_bug.cgi?id=163182

        Reviewed by Filip Pizlo.

        This code pattern shows up in Dromaeo, so it's worth optimizing for.
        This might also show up in real world JS code due to inlining and other
        types of constant folding.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::getValue):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2016-10-10  Zan Dobersek  <zdobersek@igalia.com>

        Add ENABLE_ENCRYPTED_MEDIA configuration option
        https://bugs.webkit.org/show_bug.cgi?id=163219

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:
        Add the ENABLE_ENCRYPTED_MEDIA configuration option. It will be used
        to enable or disable the new EME implementation at build-time.

2016-10-10  Filip Pizlo  <fpizlo@apple.com>

        B3->Air lowering should be able to emit complex leas on x86
        https://bugs.webkit.org/show_bug.cgi?id=163234

        Reviewed by Saam Barati.
        
        This adds comprehensive support for emitting lea on x86.
        
        When adding this, I found that it was useful to also finally add more reassociation. That
        reduces the amount of patterns that the instruction selector has to deal with.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::lea32):
        (JSC::MacroAssembler::lea64):
        (JSC::MacroAssembler::lea): Deleted.
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::commitInternal):
        (JSC::B3::Air::LowerToAir::tryAppendLea):
        (JSC::B3::Air::LowerToAir::lower):
        (JSC::B3::Air::LowerToAir::createSelect): Deleted.
        * b3/B3ReduceStrength.cpp:
        * b3/B3Value.h:
        * b3/B3ValueInlines.h:
        (JSC::B3::Value::isRepresentableAs):
        (JSC::B3::Value::representableAs): Deleted.
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp: Lots of tests for lea and reassociation.

2016-10-10  Mark Lam  <mark.lam@apple.com>

        Change ArrayPrototype.cpp's putLength() and setLength() to take a VM& so that we can use vm.propertyNames.
        https://bugs.webkit.org/show_bug.cgi?id=163260

        Reviewed by Saam Barati.

        In all cases where we call these, we already have the VM& anyway.

        * runtime/ArrayPrototype.cpp:
        (JSC::putLength):
        (JSC::setLength):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):

2016-10-10  Mark Lam  <mark.lam@apple.com>

        Rename the StrictModeReadonlyPropertyWriteError string to ReadonlyPropertyWriteError.
        https://bugs.webkit.org/show_bug.cgi?id=163239

        Reviewed by Filip Pizlo.

        This string is also used for reporting the same error in cases which have nothing
        to do with strict mode.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/GetterSetter.cpp:
        (JSC::callSetter):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        (JSC::JSArray::pop):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::put):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::put):
        (JSC::JSModuleNamespaceObject::putByIndex):
        * runtime/JSObject.cpp:
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInline):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setLastIndex):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayEntry::put):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):

2016-10-10  Saam Barati  <sbarati@apple.com>

        compileCheckStringIdent in the FTL is wrong
        https://bugs.webkit.org/show_bug.cgi?id=163215

        Reviewed by Mark Lam and Filip Pizlo.

        lowStringIdent() returns the StringImpl pointer. The compileCheckStringIdent()
        was treating its return value as the actual JSString. This is wrong.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckStringIdent):

2016-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] Implement Node accessors in DOMJIT
        https://bugs.webkit.org/show_bug.cgi?id=163005

        Reviewed by Filip Pizlo.

        Add some helper methods and offsetOfXXX for JSC::Weak since it is used
        for DOM wrapper caching.

        And make DOMJIT::Patchpoint in FTL closer to one in DFG. We add resultConstraint
        to avoid the situation that the same register is allocated to child and result.

        We also extend DOMJIT::Patchpoint to tell useTagTypeNumberRegister / useTagMaskRegister.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * domjit/DOMJITSlowPathCalls.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        * heap/WeakImpl.h:
        (JSC::WeakImpl::offsetOfJSValue):
        (JSC::WeakImpl::offsetOfWeakHandleOwner):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::boxCell):
        (JSC::AssemblyHelpers::boxInt32): Deleted.
        * jit/JITOperations.h:

2016-10-09  Filip Pizlo  <fpizlo@apple.com>

        Air should expose API for pinning registers
        https://bugs.webkit.org/show_bug.cgi?id=163175

        Reviewed by Keith Miller.
        
        You can now call Procedure::pinRegister(), or Code::pinRegister(), and it will make this
        register behave as follows:
        
        - B3 and Air will emit no code that modifies the value in this register, except if that
          happens via a Patchpoint or stackmap constraint (i.e. the user explicitly asked for it).
        - B3 and Air will allow others to modify the register. For example, if the register is not
          callee-save, then the compiler knows that the register's value will be trashed by any
          C-style call.
        - Air will be happy to emit code that reads from this register, including coalescing tmps
          with it, so longer as there is no interference (i.e. no chance of the register's value
          changing). For example, if we went back to having pinned tag registers, we would tell B3
          to use them by (1) excluding them from any clobber set (easy, since they're callee save)
          and (2) emitting ArgumentReg to grab their value. There's a test that does this.
        
        This is accomplished by taking regsInPriorityOrder() and making it a method of Code. Air 
        already used this API when choosing registers in register allocation. Code now also vends a
        mutableRegs() set, which is derived from regsInPriorityOrder(), that can quickly tell you if
        a register can be mutated. Doing it this way means that most of this is a purely mechanical
        change. The calls to mutableRegs() are the places where we had to change logic:
        
        - The register allocators needs to know that coalescing with a precolored pinned tmp is free.
        - The callee-save handler needs to know that we're not supposed to save/restore pinned
          registers.
        
        Note that in this scheme, pinned registers are simply registers that do not appear in
        regsInPriorityOrder(). This means, for example, that we will now say that FP is pinned. So,
        this means that you can also pin registers by calling setRegsInPriorityOrder() and passing a
        vector that excludes some registers. More generally, this means that clients can now tweak
        the register allocator's register preferences, since the ordering in that list reflects the
        order in which the allocator will try registers.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::pinRegister):
        * b3/B3Procedure.h:
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::Code):
        (JSC::B3::Air::Code::setRegsInPriorityOrder):
        (JSC::B3::Air::Code::pinRegister):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::regsInPriorityOrder):
        (JSC::B3::Air::Code::mutableRegs):
        (JSC::B3::Air::Code::isPinned):
        (JSC::B3::Air::Code::regsInPriorityOrderImpl):
        (JSC::B3::Air::Code::proc): Deleted.
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h:
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirRegisterPriority.cpp: Removed.
        * b3/air/AirRegisterPriority.h: Removed.
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/testair.cpp:
        (JSC::B3::Air::testShuffleBroadcastAllRegs):
        (JSC::B3::Air::testShuffleShiftAllRegs):
        (JSC::B3::Air::testShuffleRotateAllRegs):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegs):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegs64):
        (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth):
        (JSC::B3::Air::testShuffleRotateMemoryAllRegs64):
        (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth):
        * b3/testb3.cpp:
        (JSC::B3::testPinRegisters):
        (JSC::B3::run):
        * jit/RegisterSet.h:

2016-10-08  Filip Pizlo  <fpizlo@apple.com>

        B3 should know about mutable pinned registers
        https://bugs.webkit.org/show_bug.cgi?id=163172

        Reviewed by Keith Miller.
        
        If we have mutable pinned registers then we need to know which operations mutate them. At
        first I considered making this into a heap range thing, but I think that this would be very
        confusing. Also, in the future, we might want to make Effects track register sets of
        clobbered registers (see bug 163173).

        * b3/B3Effects.cpp:
        (JSC::B3::Effects::interferes):
        (JSC::B3::Effects::operator==):
        (JSC::B3::Effects::dump):
        * b3/B3Effects.h:
        (JSC::B3::Effects::forCall):
        (JSC::B3::Effects::mustExecute):

2016-10-08  Saam Barati  <sbarati@apple.com>

        HasIndexedProperty clobberize rule is wrong for Array::ForceOSRExit
        https://bugs.webkit.org/show_bug.cgi?id=159942
        <rdar://problem/27328836>

        Reviewed by Filip Pizlo.

        When HasIndexedProperty has a ForceOSRExit array mode, it should
        report to write to side state, like the ForceOSRExit node, and the
        other nodes with ForceOSRExit array mode.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2016-10-07  Mark Lam  <mark.lam@apple.com>

        Object.freeze() and seal() should throw if [[PreventExtensions]]() fails.
        https://bugs.webkit.org/show_bug.cgi?id=163160

        Reviewed by Saam Barati.

        See https://tc39.github.io/ecma262/#sec-object.freeze,
        https://tc39.github.io/ecma262/#sec-object.seal, and
        https://tc39.github.io/ecma262/#sec-setintegritylevel.  We need to call
        preventExtensions first before proceeding to freeze / seal the object.  If
        preventExtensions fails, we should throw a TypeError.

        * runtime/ObjectConstructor.cpp:
        (JSC::setIntegrityLevel):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):

2016-10-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] Support slow path call
        https://bugs.webkit.org/show_bug.cgi?id=162978

        Reviewed by Saam Barati.

        One of the most important features required in DOMJIT::Patchpoint is slow path calls.
        DOM operation typically returns DOMWrapper object. At that time, if wrapper cache hits, we can go
        to the fast path. However, if we cannot use the cache, we need to go to the slow path to call toJS function.
        At that time, slow path call functionality is necessary.

        This patch expose DOMJIT::PatchpointParams::addSlowPathCall. We can request slow path call code generation
        through this interface. DOMJIT::PatchpointParams automatically leverages appropriate slow path call systems
        in each tier. In DFG, we use slow path call system. In FTL, we implement slow path call by using addLatePath
        to construct slow path call. But these details are completely hidden by DOMJIT::PatchpointParams. Users can
        just use addSlowPathCall.

        Since DFG and FTL slow path call systems are implemented in variadic templates, directly using this means
        that we need to expose core part of DFG and FTL. For example, DFG::SpeculativeJIT need to be exposed in
        such a design. That is too bad. Instead, we use magical macro in DOMJITSlowPathCalls.h. We can list up the
        call signatures in DOMJIT_SLOW_PATH_CALLS. DOMJIT uses these signatures to generate an interface to request
        slow path calls inside DFG and FTL instead of exposing everything.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCommon.h:
        * dfg/DFGDOMJITPatchpointParams.cpp: Copied from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
        (JSC::DFG::dispatch):
        * dfg/DFGDOMJITPatchpointParams.h: Copied from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
        (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        (JSC::DFG::SpeculativeJIT::compileCheckDOM):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::extractResult): Deleted.
        * domjit/DOMJITPatchpointParams.h:
        (JSC::DOMJIT::PatchpointParams::addSlowPathCall):
        * domjit/DOMJITSlowPathCalls.h: Copied from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
        * ftl/FTLDOMJITPatchpointParams.cpp: Added.
        (JSC::FTL::dispatch):
        * ftl/FTLDOMJITPatchpointParams.h: Copied from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
        (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        * jit/GPRInfo.h:
        (JSC::extractResult):
        * jsc.cpp:

2016-10-06  Saam Barati  <sbarati@apple.com>

        HasOwnPropertyCache flattening dictionaries is causing insane memory usage with the uBlock Safari extension
        https://bugs.webkit.org/show_bug.cgi?id=163091

        Reviewed by Mark Lam.

        I'm investigating a real fix for this in:
        https://bugs.webkit.org/show_bug.cgi?id=163092
        However, it's best to get this out of trunk for now.

        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::tryAdd):

2016-10-06  Keith Miller  <keith_miller@apple.com>

        getInternalObjcObject should validate the JSManagedObject's value.
        https://bugs.webkit.org/show_bug.cgi?id=162985

        Reviewed by Geoffrey Garen.

        Previously, if, for instance, the JSManagedObject's weak value had been
        cleared we would call tryUnwrapObjcObject with a nil context and value.
        This triggered assertions failures as those functions expect their inputs
        to be valid.

        * API/JSVirtualMachine.mm:
        (getInternalObjcObject):

2016-10-06  Brian Burg  <bburg@apple.com>

        Web Inspector: RemoteInspector should cache client capabilities for off-main thread usage
        https://bugs.webkit.org/show_bug.cgi?id=163039
        <rdar://problem/28571460>

        Reviewed by Timothy Hatcher.

        The fix in r206797 was incorrect because listings are always pushed out on the XPC connection queue.
        Instead of delaying the listing needlessly, RemoteInspector should cache the capabilities of its
        client while on the main thread, then use the cached struct data on the XPC connection queue rather
        than directly accessing m_client. This is similar to how RemoteConnectionToTarget marshalls listing
        information from arbitrary queues into m_targetListingMap, which can then be read from any queue.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateClientCapabilities): Cache the capabilities.
        (Inspector::RemoteInspector::setRemoteInspectorClient):
        Re-cache the capabilities. Scope the lock to avoid reentrant locking.

        (Inspector::RemoteInspector::clientCapabilitiesDidChange): Cache the capabilities.
        (Inspector::RemoteInspector::pushListingsNow): Use cached client capabilities.
        (Inspector::RemoteInspector::receivedGetListingMessage): Revert the change in r206797.
        (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):

2016-10-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WebCore][JSC] Use new @throwTypeError and @throwRangeError intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=163001

        Reviewed by Keith Miller.

        Previously, the argument of @throwXXXError intrinsics must be string literal.
        But it is error-prone restriction. This patch relaxes the restriction to accept
        arbitrary values. To keep emitted bytecode small, if the argument is string literal,
        we generate the same bytecode as before. If the argument is not string literal,
        we evaluate it and perform to_string before passing to throw_static_error.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitThrowStaticError):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_throwTypeError):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_throwRangeError):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2016-10-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add @throwXXXError bytecode intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=162995

        Reviewed by Saam Barati.

        Builtin JS code need to check arguments carefully since it is somewhat standard library for JS.
        So bunch of `throw new @TypeError("...")` exists while usual code does not have so many.
        However the above code bloats 32 instructions per site, enlarges the size of bytecodes of builtins,
        and prevent us from inlining. We should have a way to reduce this size.

        Fortunately, we already have such a opcode: op_throw_static_error. In this patch,
        1. We extends op_throw_static_error to throw arbitrary errors. Previously, only TypeError and ReferenceError are allowed.
           We can embed ErrorType enum in op_throw_static_error to throw any types of errors.
        2. We introduce several new bytecode intrinsics, `@throwTypeError("...")`, `@throwRangeError("...")`,
           and `@throwOutOfMemoryError()`. And use it inside builtin JS instead of `throw new @TypeError("...")` thingy.
        3. DFG Node for throw_static_error is incorrectly named as "ThrowReferenceError". This patch renames it to "ThrowStaticError".

        * builtins/ArrayConstructor.js:
        * builtins/ArrayIteratorPrototype.js:
        (next):
        * builtins/ArrayPrototype.js:
        (values):
        (keys):
        (entries):
        (reduce):
        (reduceRight):
        (every):
        (forEach):
        (filter):
        (map):
        (some):
        (fill):
        (find):
        (findIndex):
        (includes):
        (sort):
        (concatSlowPath):
        (copyWithin):
        * builtins/DatePrototype.js:
        (toLocaleString.toDateTimeOptionsAnyAll):
        (toLocaleString):
        (toLocaleDateString.toDateTimeOptionsDateDate):
        (toLocaleDateString):
        (toLocaleTimeString.toDateTimeOptionsTimeTime):
        (toLocaleTimeString):
        * builtins/FunctionPrototype.js:
        (bind):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        * builtins/GlobalOperations.js:
        (globalPrivate.speciesConstructor):
        * builtins/MapPrototype.js:
        (forEach):
        * builtins/ModuleLoaderPrototype.js:
        (provide):
        * builtins/ObjectConstructor.js:
        (values):
        (entries):
        (assign):
        * builtins/PromiseConstructor.js:
        (race):
        (reject):
        (resolve):
        * builtins/PromiseOperations.js:
        (globalPrivate.newPromiseCapability.executor):
        (globalPrivate.newPromiseCapability):
        (globalPrivate.initializePromise):
        * builtins/PromisePrototype.js:
        * builtins/ReflectObject.js:
        (apply):
        (deleteProperty):
        (has):
        * builtins/RegExpPrototype.js:
        (globalPrivate.regExpExec):
        (match):
        (replace):
        (search):
        (split):
        (intrinsic.RegExpTestIntrinsic.test):
        * builtins/SetPrototype.js:
        (forEach):
        * builtins/StringConstructor.js:
        (raw):
        * builtins/StringIteratorPrototype.js:
        (next):
        * builtins/StringPrototype.js:
        (match):
        (globalPrivate.repeatSlowPath):
        (repeat):
        (padStart):
        (padEnd):
        (intrinsic.StringPrototypeReplaceIntrinsic.replace):
        (localeCompare):
        (search):
        (split):
        * builtins/TypedArrayConstructor.js:
        (of):
        (from):
        * builtins/TypedArrayPrototype.js:
        (globalPrivate.typedArraySpeciesConstructor):
        (every):
        (find):
        (findIndex):
        (forEach):
        (some):
        (subarray):
        (reduce):
        (reduceRight):
        (map):
        (filter):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitThrowStaticError):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitThrowRangeError):
        (JSC::BytecodeGenerator::emitThrowOutOfMemoryError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_throwTypeError):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_throwRangeError):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_throwOutOfMemoryError):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw_static_error):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_throw_static_error): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Error.cpp:
        (JSC::createError):
        (WTF::printInternal):
        * runtime/Error.h:

2016-10-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, attempt to fix CLoop build after r206846
        https://bugs.webkit.org/show_bug.cgi?id=162941

        Attempt to fix CLoop build part 2. r206847 was not valid.

        * jsc.cpp:

2016-10-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix after r206846
        https://bugs.webkit.org/show_bug.cgi?id=162941

        DOMJIT::Patchpoint part should be guarded by ENABLE(JIT).

        * jsc.cpp:

2016-10-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] Add initial CheckDOM and CallDOM implementations
        https://bugs.webkit.org/show_bug.cgi?id=162941

        Reviewed by Filip Pizlo.

        This patch implements a prototype of DOMJIT accelerated getter.
        We add two new DFG nodes, CheckDOM and CallDOM.

        CheckDOM is used to filter inappropriate |this| object for DOM getter. Its functionality
        is equivalent to jsDynamicCast's Check. You can use like "CheckDOM, @1, JSNode::info()",
        and this CheckDOM incurs a BadType exit if the class of the given @1 is not a subclass of
        JSNode::info().

        CallDOM is used to emit actual DOM operations. It takes GlobalObject and checked DOM
        object. And it returns JSValue as its result.

        Both CheckDOM and CallDOM can take a DOMJIT::Patchpoint. This is somewhat code snippet
        generator, and is injectable to DFG and FTL. DFG and FTL set up registers correctly
        according to DOMJIT::Patchpoint's requirement and invoke this patchpoint generator to emit code.
        While CallDOM always requires a patchpoint, ideally CheckDOM does not require it since
        isSubclassOf check can be implemented in DFG / FTL side. However, some classes have a
        faster way to query isSubclassOf. For example, JSNode in WebCore introduces a special
        JSType to optimize this query. CheckDOM's patchpoint gives us a chance to emit special
        faster code for such a case.

        By leveraging above nodes, we can construct DOMJIT accelerated getter. When DFG recognizes the
        given getter call is CustomGetter and it has DOMJIT::GetterSetter information, DFG emits the above nodes.
        We implemented a prototype in jsc.cpp shell as DOMJITGetter to test the functionality.

        Notes about the future extensions.

        1. Currently, we do not allow CallDOM to emit any function calls. This will be extended by
           adding `addSlowPathCall` functionality to DOMJIT::Patchpoint later. Interesting thing is that
           we need to create an abstraction over DFG slow path call and FTL slow path call!

        2. CheckDOM is not handled in DFGTypeCheckHoistingPhase yet. And we have a chance to merge several CheckDOM into one.
           For example, given CheckDOM A and CheckDOM B to the same target. If A is subclass of B, we can merge them to CheckDOM A.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Effects.h:
        (JSC::B3::Effects::forCheck):
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::GetByIdStatus::makesCalls):
        (JSC::GetByIdStatus::dump):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::isCustom):
        (JSC::GetByIdStatus::takesSlowPath):
        (JSC::GetByIdStatus::isSimple): Deleted.
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::filterClassInfo):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterClassInfo):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filterClassInfo):
        * dfg/DFGAbstractValue.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        (JSC::DFG::ByteCodeParser::handleGetById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasDOMJIT):
        (JSC::DFG::Node::domJIT):
        (JSC::DFG::Node::hasClassInfo):
        (JSC::DFG::Node::classInfo):
        (JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper):
        (JSC::DFG::Node::OpInfoWrapper::operator=):
        * dfg/DFGNodeType.h:
        * dfg/DFGOpInfo.h:
        (JSC::DFG::OpInfo::OpInfo):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::allocateTemporaryRegistersForPatchpoint):
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        (JSC::DFG::SpeculativeJIT::compileCheckDOM):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureAbstractValue.cpp:
        (JSC::DFG::StructureAbstractValue::filterClassInfoSlow):
        (JSC::DFG::StructureAbstractValue::isSubClassOf):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::filterClassInfo):
        (JSC::DFG::StructureAbstractValue::filter): Deleted.
        * domjit/DOMJITPatchpointParams.h: Copied from Source/JavaScriptCore/dfg/DFGOpInfo.h.
        (JSC::DOMJIT::PatchpointParams::~PatchpointParams):
        (JSC::DOMJIT::PatchpointParams::size):
        (JSC::DOMJIT::PatchpointParams::at):
        (JSC::DOMJIT::PatchpointParams::operator[]):
        (JSC::DOMJIT::PatchpointParams::gpScratch):
        (JSC::DOMJIT::PatchpointParams::fpScratch):
        (JSC::DOMJIT::PatchpointParams::PatchpointParams):
        * domjit/DOMJITReg.h: Added.
        (JSC::DOMJIT::Reg::Reg):
        (JSC::DOMJIT::Reg::isGPR):
        (JSC::DOMJIT::Reg::isFPR):
        (JSC::DOMJIT::Reg::isJSValueRegs):
        (JSC::DOMJIT::Reg::gpr):
        (JSC::DOMJIT::Reg::fpr):
        (JSC::DOMJIT::Reg::jsValueRegs):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable): Deleted.
        * jit/AssemblyHelpers.h:
        * jsc.cpp:
        (WTF::DOMJITNode::DOMJITNode):
        (WTF::DOMJITNode::createStructure):
        (WTF::DOMJITNode::create):
        (WTF::DOMJITNode::value):
        (WTF::DOMJITNode::offsetOfValue):
        (WTF::DOMJITGetter::DOMJITGetter):
        (WTF::DOMJITGetter::createStructure):
        (WTF::DOMJITGetter::create):
        (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT):
        (WTF::DOMJITGetter::domJITNodeGetterSetter):
        (WTF::DOMJITGetter::finishCreation):
        (WTF::DOMJITGetter::customGetter):
        (GlobalObject::finishCreation):
        (functionCreateDOMJITNodeObject):
        (functionCreateDOMJITGetterObject):

2016-10-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Do not construct Simple GetByIdStatus against self-custom-accessor case
        https://bugs.webkit.org/show_bug.cgi?id=162993

        Reviewed by Filip Pizlo.

        We accidentally created a Simple GetByIdStatus against self-custom-accessor case: the object has own custom accessor property and get_by_id hits.
        If we returned such a result, the GetById will be turned to GetByOffset and it looks up incorrect thing like CustomGetterSetter object.
        We do not hit this bug before since maybe there is no object that has own custom-accessor and this custom-accessor does not raise an error.
        For example, "Node.prototype" has "firstChild" custom accessor. But since "Node.prototype" itself does not have Node::info(), "Node.prototype.firstChild"
        access always raises an error. I guess all the custom accessors follow this pattern. This bug is uncovered when testing DOMJIT (This bug causes crash and
        it can occur even if we disabled DOMJIT).

        But such a assumption is not guaranteed. In this patch, we fix this by not returning Simple GetById.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        (JSC::GetByIdStatus::computeFor):

2016-10-05  Saam Barati  <sbarati@apple.com>

        PCToCodeOriginMap builder should use labelIgnoringWatchpoints() inside the DFG
        https://bugs.webkit.org/show_bug.cgi?id=162936

        Reviewed by Michael Saboff.

        label() may insert nops because of an InvalidationPoint. It does that
        because we don't want code that comes after an InvalidationPoint that isn't
        effected by the invalidation point to be overwritten if we fire the
        InvalidationPoint. PCToCodeOriginMap just grabs labels to build
        a mapping, it never emits code that actually jumps to those labels.
        Therefore, it should never cause us to emit nops.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):

2016-10-05  Myles C. Maxfield  <mmaxfield@apple.com>

        Put variation fonts work behind a compile-time flag
        https://bugs.webkit.org/show_bug.cgi?id=162949

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2016-10-05  Andy VanWagoner  <thetalecrafter@gmail.com>

        [INTL] Implement Intl.getCanonicalLocales
        https://bugs.webkit.org/show_bug.cgi?id=162768

        Reviewed by Benjamin Poulain.

        Implement Intl.getCanonicalLocales from ECMA 402 (3rd edition)
        http://ecma-international.org/ecma-402/3.0/index.html#sec-intl.getcanonicallocales

        Reuse canonicalizeLocaleList and copy the results into a new JSArray.

        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        (JSC::intlObjectFuncGetCanonicalLocales):

2016-10-05  Michael Saboff  <msaboff@apple.com>

        Bad ASSERT in ClonedArguments::createByCopyingFrom()
        https://bugs.webkit.org/show_bug.cgi?id=162988

        Reviewed by Keith Miller.

        Removed bogus assert.

        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createByCopyingFrom):

2016-10-05  Zan Dobersek  <zdobersek@igalia.com>

        Rename ENABLE_ENCRYPTED_MEDIA_V2 to ENABLE_LEGACY_ENCRYPTED_MEDIA
        https://bugs.webkit.org/show_bug.cgi?id=162903

        Reviewed by Alex Christensen.

        Rename build guards for the remaining implementation of the legacy EME API
        to ENABLE_LEGACY_ENCRYPTED_MEDIA. This will allow for the future implementation
        of the near-finished API to be guarded with the simple ENABLE_ENCRYPTED_MEDIA guards.

        * Configurations/FeatureDefines.xcconfig:

2016-10-05  Csaba Osztrogonác  <ossy@webkit.org>

        ARM EABI buildfix after r206778
        https://bugs.webkit.org/show_bug.cgi?id=162964

        Unreviewed trivial fix.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2016-10-04  Saam Barati  <sbarati@apple.com>

        String.prototype.toLowerCase should be a DFG/FTL intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=162887

        Reviewed by Filip Pizlo and Yusuke Suzuki.

        This patch makes ToLowerCase an intrinsic in the DFG/FTL. On the fast
        path, the intrinsic will loop over an 8-bit string ensuring it's already
        lower case, and simply return the string. In the slow path, it'll call
        into C code to make a new string.

        This is a 7-8% speedup on ES6SampleBench/Basic.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToLowerCase):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
        * jit/JITOperations.h:
        * runtime/Intrinsic.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2016-10-04  Brian Burg  <bburg@apple.com>

        Web Inspector: don't synchronously send a listing message if we might need to query _WKAutomationDelegate
        https://bugs.webkit.org/show_bug.cgi?id=162810
        <rdar://problem/28571460>

        Reviewed by Timothy Hatcher.

        We shouldn't ever access the _WKAutomationDelegate through RemoteInspector::Client methods
        off of the main thread, because it could cause problems. This happens when we pushListingsNow()
        in response to a WIRApplicationGetListingMessage XPC message. In this case, just use
        pushListingsSoon() since it dispatches on the correct (main) queue to gather listing information.

        This may induce a slight update delay when first connecting to the UIProcess through RemoteInspector,
        but this is at most 200ms and will coalesce with other updates that happen when UIProcess gets set up.

        There are no other code paths through RemoteInspector (for UIProcess) that could cause a call
        to pushListingsNow(), so this only needs to be changed in the XPC message handler.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedGetListingMessage):

2016-10-04  JF Bastien  <jfbastien@apple.com>

        WebAssembly: handle a few corner cases
        https://bugs.webkit.org/show_bug.cgi?id=162884

        Reviewed by Keith Miller.

        * wasm/JSWASMModule.cpp: missing include broke cmake build
        * wasm/WASMFunctionParser.h:
        (JSC::WASM::FunctionParser<Context>::parseBlock): check op is valid
        (JSC::WASM::FunctionParser<Context>::parseExpression): switch covers all cases
        * wasm/WASMOps.h:
        (JSC::WASM::isValidOpType): op is valid
        * wasm/WASMParser.h:
        (JSC::WASM::Parser::consumeString): avoid str[i] being one-past-the-end
        (JSC::WASM::Parser::parseUInt32): shift math around to avoid overflow

2016-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION (r206778): Release JSC test ChakraCore.yaml/ChakraCore/test/Error/validate_line_column.js.default failing
        https://bugs.webkit.org/show_bug.cgi?id=162937

        Reviewed by Saam Barati.

        We dropped expression info accidentally at r206777.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallDefineProperty):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitPutConstantProperty):
        (JSC::ClassExprNode::emitBytecode):

2016-10-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DOMJIT] Introduce DOMJIT::GetterSetter to tell JIT information
        https://bugs.webkit.org/show_bug.cgi?id=162916

        Reviewed by Filip Pizlo.

        In this patch, we introduce DOMJIT::GetterSetter.
        This class maintains information required to emit JIT code in DFG and FTL.
        DOMJIT::GetterSetter has 2 virtual functions: checkDOM and callDOM.
        These functions can return a DOMJIT::Patchpoint that allows us to inject
        appropriate machine code during DFG and FTL phases. DFG and FTL will invoke
        these functions to get a patchpoint. And this patchpoint will be used to
        emit code corresponding to CheckDOM and CallDOM DFG nodes, which will be added
        in subsqeunt patch.

        We propagate DOMJIT::GetterSetter through PropertySlot, AccessCase, GetByIdVariant,
        and GetByIdStatus along with CustomGetter to teach DFG that this custom access
        code has a chance to be inlined with this DOMJIT::GetterSetter information.
        Instead of propagating CustomGetterSetter holding DOMJIT::GetterSetter and CustomGetter,
        we propagate CustomGetter and DOMJIT::GetterSetter. This is because of the current
        CustomGetterSetter design that we reify CustomGetterSetters only when we need to reify
        all the properties. This design allows us to avoid frequent CustomGetterSetter allocations
        and structure transitions.

        Currently, domJIT field is always nullptr since there is no DOMJITAttribute user.
        When we add this, we will add code handling this DOMJIT::GetterSetter in DFG::ByteCodeParser.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::operator=):
        (JSC::GetByIdVariant::attemptToMerge):
        (JSC::GetByIdVariant::dumpInContext):
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::domJIT):
        (JSC::GetByIdVariant::intrinsic): Deleted.
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::get):
        (JSC::AccessCase::clone):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessCase::domJIT):
        (JSC::AccessCase::RareData::RareData):
        * dfg/DFGNode.h:
        * domjit/DOMJITGetterSetter.h: Added.
        (JSC::DOMJIT::GetterSetter::GetterSetter):
        (JSC::DOMJIT::GetterSetter::~GetterSetter):
        (JSC::DOMJIT::GetterSetter::getter):
        (JSC::DOMJIT::GetterSetter::setter):
        (JSC::DOMJIT::GetterSetter::thisClassInfo):
        * domjit/DOMJITPatchpoint.h: Added.
        (JSC::DOMJIT::Patchpoint::create):
        (JSC::DOMJIT::Patchpoint::setGenerator):
        (JSC::DOMJIT::Patchpoint::generator):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/CustomGetterSetter.h:
        * runtime/JSObject.h:
        (JSC::JSObject::fillCustomGetterPropertySlot):
        * runtime/Lookup.h:
        (JSC::HashTableValue::domJIT):
        (JSC::getStaticPropertySlotFromTable):
        (JSC::putEntry):
        (JSC::reifyStaticProperty):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::domJIT):
        (JSC::PropertySlot::setCacheableCustom):

2016-09-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add a new byte code op_define_property instead of calling defineProperty
        https://bugs.webkit.org/show_bug.cgi?id=162108

        Reviewed by Saam Barati.

        To construct ES6 class, we emitted bytecode that performs the following operations.

            1. construct a new object
            2. put "configurable", "enumerable" etc. fields
            3. call "defineProperty" function

        However, this approach has problems. Every time we define a class method, we need to create
        a new object to represent property descriptor. This can be removed if we can introduce
        a special bytecode or special function.

        This patch introduces new bytecodes, op_define_data_property and op_define_accessor_property.
        Instead of taking an object, they takes several registers to avoid object allocations.
        We're planning to use this bytecode to implement Object.defineProperty in builtin JS next.
        This allows us to leverage object allocation sinking. And it also gives us a chance to use
        faster ::get and ::hasProperty in JS.

        Originally, I attempted to create one bytecode, op_define_property. However, it takes too many
        children in DFG and uses so many registers in DFG. This leads tricky program in 32bit platforms.
        Furthermore, it does not fit to the number of x64 argument registers. So instead, we introduce
        two bytecodes.

        And for op_define_accessor_property, we perform CellUse edge filter to getter and setter children.
        This edge filter makes us possible to use SpeculateCellOperand and reduce the number of used registers
        in comparison with JSValueOperand. To make children Cells even if we do not specify some accessors (for
        example, { get: func, set: null } case), we fill registers with special throwTypeErrorFunction.
        The attributes bitset keep information like "This property descriptor only has getter slot".

        In these two bytecodes, we take attributes (configurable, enumerable, writable, hasGetter etc.) as
        register instead of embedding constant int value because we will use these bytecodes to implement
        Object.defineProperty next. In Object.defineProperty case, an attributes are not statically defined
        at bytecode compiling time.

        Run ES6SampleBench/Air 20 times. The result shows ~2% performance improvement.

        Baseline:
            firstIteration:     84.05 ms +- 4.37 ms
            averageWorstCase:   40.54 ms +- 2.81 ms
            steadyState:        3317.49 ms +- 48.25 ms
            summary:            223.51 ms +- 5.07 ms

        Patched:
            firstIteration:     84.46 ms +- 4.22 ms
            averageWorstCase:   41.48 ms +- 2.33 ms
            steadyState:        3253.48 ms +- 29.31 ms
            summary:            224.40 ms +- 4.72 ms

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/SpecialPointer.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitMoveLinkTimeConstant):
        (JSC::BytecodeGenerator::emitCallDefineProperty):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitPutConstantProperty):
        (JSC::BitwiseNotNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::ObjectPatternNode::bindValue):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDefineDataProperty):
        (JSC::DFG::SpeculativeJIT::compileDefineAccessorProperty):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis): Deleted.
        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::setupFourStubArgsGPR): Deleted.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupFourStubArgsGPR):
        (JSC::CCallHelpers::setupFiveStubArgsGPR):
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        (JSC::CCallHelpers::setupStubArgsGPR):
        (JSC::CCallHelpers::prepareForTailCallSlow): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_define_data_property):
        (JSC::JIT::emit_op_define_accessor_property):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/DefinePropertyAttributes.h: Added.
        (JSC::DefinePropertyAttributes::DefinePropertyAttributes):
        (JSC::DefinePropertyAttributes::rawRepresentation):
        (JSC::DefinePropertyAttributes::hasValue):
        (JSC::DefinePropertyAttributes::setValue):
        (JSC::DefinePropertyAttributes::hasGet):
        (JSC::DefinePropertyAttributes::setGet):
        (JSC::DefinePropertyAttributes::hasSet):
        (JSC::DefinePropertyAttributes::setSet):
        (JSC::DefinePropertyAttributes::writable):
        (JSC::DefinePropertyAttributes::configurable):
        (JSC::DefinePropertyAttributes::enumerable):
        (JSC::DefinePropertyAttributes::setWritable):
        (JSC::DefinePropertyAttributes::setConfigurable):
        (JSC::DefinePropertyAttributes::setEnumerable):
        (JSC::DefinePropertyAttributes::fillWithTriState):
        (JSC::DefinePropertyAttributes::extractTriState):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::throwTypeErrorFunction):
        (JSC::JSGlobalObject::definePropertyFunction): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::addDefineProperty): Deleted.
        * runtime/ObjectConstructor.h:
        * runtime/PropertyDescriptor.h:
        (JSC::toPropertyDescriptor):

2016-10-04  Saam Barati  <sbarati@apple.com>

        Follow up fix to GetMapBucket and MapHash speculating on child node types.
        To fix this, on 32-bit platforms, we do not speculate on the child
        type since we just call into C code for these nodes.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2016-10-03  Saam Barati  <sbarati@apple.com>

        GetMapBucket node should speculate on the type of its 'key' child
        https://bugs.webkit.org/show_bug.cgi?id=161638

        Reviewed by Filip Pizlo.

        This eliminates type-check branches when we've already
        proven the type of the incoming key. Also, it reduces
        the branches we emit when type checking the bucket's key.

        This is a 2-3% speedup on ES6SampleBench/Basic.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):

2016-10-03  Christopher Reid  <Christopher.Reid@am.sony.com>

        Offline asm should not output masm assembly when using a x86_64 asm backend
        https://bugs.webkit.org/show_bug.cgi?id=162705

        When cross compiling on windows to Clang, masm was being generated simply because
        the os was windows. This change adds a command line parameter --assembler=MASM
        to set the output assembly to masm.
        The functions isGCC and isCompilingToWindows were removed as they are no longer called.

        Reviewed by Mark Lam.

        * CMakeLists.txt:
        * offlineasm/asm.rb:
        * offlineasm/x86.rb:

2016-10-03  JF Bastien  <jfbastien@apple.com>

        Auto-generate WASMOps.h, share with testing JSON file
        https://bugs.webkit.org/show_bug.cgi?id=162870

        Reviewed by Keith Miller.

        Add a few new opcodes, but keep this mostly as-is for now. I want
        to generate smarter code but will do so in a later update to
        reduce disruption.

        * wasm/WASMOps.h: auto-generated from ./JSTests/stress/wasm/to-c++.js

2016-10-03  Michael Saboff  <msaboff@apple.com>

        Creating pcToOriginMap in FTL shouldn't insert unnecessary NOPs
        https://bugs.webkit.org/show_bug.cgi?id=162879

        Reviewed by Filip Pizlo.

        If there is a recent watchpoint label, using MacroAssembler::label() will pad
        the instruction stream with NOPs to provide space for a jump.  This changes
        Air::generate() to use labelIgnoringWatchpoints() to create pcToOriginMap
        entries to eliminate unneccesary NOPs.
        
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::generate):
        * b3/testb3.cpp:
        (JSC::B3::testPCOriginMapDoesntInsertNops): New test.
        (JSC::B3::run):

2016-10-03  Saam Barati  <sbarati@apple.com>

        MapHash should speculate on the type of its child node
        https://bugs.webkit.org/show_bug.cgi?id=161922

        Reviewed by Filip Pizlo.

        This allows us to remove runtime type checks when we've already
        proven the type of the incoming value.

        This is a 2-3% speedup on ES6SampleBench/Basic.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::wangsInt64Hash):
        (JSC::FTL::DFG::LowerDFGToB3::mapHashString):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):

2016-10-03  Filip Pizlo  <fpizlo@apple.com>

        B3 trapping memory accesses should be documented
        https://bugs.webkit.org/show_bug.cgi?id=162845

        Reviewed by Geoffrey Garen.
        
        While writing some documentation, I found some small holes in the code.

        * b3/B3Effects.cpp:
        (JSC::B3::Effects::operator==): Need this to write tests.
        (JSC::B3::Effects::operator!=): Need this to write tests.
        * b3/B3Effects.h:
        * b3/B3HeapRange.h:
        * b3/B3MemoryValue.cpp:
        (JSC::B3::MemoryValue::dumpMeta): Sometimes the heap range dump won't show you the memory value's actual range. This makes the dump show you the actual range in that case.
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects): While documenting this, I remembered that trapping also has to imply reading top. I fixed this.
        * b3/testb3.cpp:
        (JSC::B3::testTrappingLoad): Added checks for the effects of trapping loads.
        (JSC::B3::testTrappingStore): Added checks for the effects of trapping stores.
        (JSC::B3::testMoveConstants): Made this not crash with validation.

2016-10-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] GeneratorFunction (a.k.a. GeneratorWrapperFunction)'s prototype object does not have constructor property
        https://bugs.webkit.org/show_bug.cgi?id=162849

        Reviewed by Geoffrey Garen.

        Since GeneratorFunction is not constructible, GeneratorFunction.prototype does not have "constructor" property.

            function* generatorFunction() { }
            generatorFunction.prototype.constructor // undefined

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):

2016-10-03  Nicolas Breidinger  <Nicolas.Breidinger@sony.com>

        JSStringRef should define JSChar without platform checks
        https://bugs.webkit.org/show_bug.cgi?id=162808

        Reviewed by Mark Lam.

        * API/JSStringRef.h:

2016-10-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Align attributes of Generator related properties to spec
        https://bugs.webkit.org/show_bug.cgi?id=162839

        Reviewed by Saam Barati.

        This patch fixes attributes of Generator related properties.
        These fixes are covered by test262.

        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::GeneratorFunctionConstructor::finishCreation):
        * runtime/GeneratorFunctionConstructor.h:
        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * runtime/GeneratorFunctionPrototype.h:
        * runtime/GeneratorPrototype.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2016-10-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] GeneratorFunction constructor should instantiate generator function
        https://bugs.webkit.org/show_bug.cgi?id=162838

        Reviewed by Saam Barati.

        GeneratorFunction's constructor should return an instance of JSGeneratorFunction
        instead of JSFunction. In this patch, we fix the following 2 things.

        1. GeneratorFunction constructor should use JSGeneratorFunction

            Previously, we used JSFunction to construct a result. It's wrong. We use JSGeneratorFunction.

        2. Pass newTarget into GeneratorFunction constructor to make it subclassible

            We did not leverage newTarget when using GeneratorFunction constructor.
            Using it correctly to create the subclass Structure and making GeneratorFunction subclassible.

        Test262 test covers (1), but (2) is not covered. We add tests that covers both to stress tests.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::constructGeneratorFunctionConstructor):
        * runtime/JSGeneratorFunction.cpp:
        (JSC::JSGeneratorFunction::JSGeneratorFunction):
        (JSC::JSGeneratorFunction::createImpl):
        (JSC::JSGeneratorFunction::create):
        (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGeneratorFunction.h:

2016-10-01  Filip Pizlo  <fpizlo@apple.com>

        Get rid of isMarkedOrNewlyAllocated
        https://bugs.webkit.org/show_bug.cgi?id=162842

        Reviewed by Dan Bernstein.
        
        This function has become dead code. This change removes it.

        * heap/CellContainer.h:
        * heap/CellContainerInlines.h:
        (JSC::CellContainer::isMarkedOrNewlyAllocated): Deleted.
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::isLive):
        (JSC::LargeAllocation::isMarkedOrNewlyAllocated): Deleted.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated): Deleted.
        (JSC::MarkedBlock::isMarkedOrNewlyAllocated): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated): Deleted.
        (JSC::MarkedBlock::isMarkedOrNewlyAllocated): Deleted.

2016-10-01  Joseph Pecoraro  <pecoraro@apple.com>

        Rename DebugHookID to DebugHookType
        https://bugs.webkit.org/show_bug.cgi?id=162820

        Reviewed by Alex Christensen.

        * bytecode/CodeBlock.cpp:
        (JSC::debugHookName):
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * bytecompiler/BytecodeGenerator.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug):
        * interpreter/Interpreter.h:
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2016-09-30  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Stepping to a line with an autoContinue breakpoint should still pause
        https://bugs.webkit.org/show_bug.cgi?id=161712
        <rdar://problem/28193970>

        Reviewed by Brian Burg.

        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        If we stepped to an auto-continue breakpoint we should continue
        stepping, not just continue.

2016-09-30  Filip Pizlo  <fpizlo@apple.com>

        B3 should support trapping memory accesses
        https://bugs.webkit.org/show_bug.cgi?id=162689

        Reviewed by Geoffrey Garen.
        
        This adds a traps flag to B3::Kind. It also makes B3::Kind work more like Air::Kind, in the
        sense that it's a bag of distinct bits - it doesn't need to be a union unless we get enough
        things that it would make a difference.
        
        The only analysis that needs to know about traps is effects. It now knows that traps implies
        sideExits, which means that this turns off DCE. The only optimization that needs to know
        about traps is eliminateCommonSubexpressions(), which needs to pessimize its store
        elimination if the store traps.
        
        The hard part of this change is teaching the instruction selector to faithfully carry the
        traps flag down to Air. I got this to work by making ArgPromise a non-copyable object that
        knows whether you've used it in an instruction. It knows when you call consume(). If you do
        this then ArgPromise cannot be destructed without first passing your inst through it. This,
        along with a few other hacks, means that all of the load-op and load-op-store fusions
        correctly carry the trap bit: if any of the B3 loads or stores involved traps then you get
        traps in Air.
        
        This framework also sets us up to do bug 162688, since the ArgPromise::inst() hook is
        powerful enough to allow wrapping the instruction with a Patch.
        
        I added some tests to testb3 that verify that optimizations are appropriately inhibited and
        that the traps flag survives until the bitter end of Air.

        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/B3Kind.cpp:
        (JSC::B3::Kind::dump):
        * b3/B3Kind.h:
        (JSC::B3::Kind::Kind):
        (JSC::B3::Kind::hasExtraBits):
        (JSC::B3::Kind::isChill):
        (JSC::B3::Kind::setIsChill):
        (JSC::B3::Kind::hasTraps):
        (JSC::B3::Kind::traps):
        (JSC::B3::Kind::setTraps):
        (JSC::B3::Kind::operator==):
        (JSC::B3::Kind::hash):
        (JSC::B3::trapping):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::ArgPromise::swap):
        (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise):
        (JSC::B3::Air::LowerToAir::ArgPromise::operator=):
        (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise):
        (JSC::B3::Air::LowerToAir::ArgPromise::setTraps):
        (JSC::B3::Air::LowerToAir::ArgPromise::consume):
        (JSC::B3::Air::LowerToAir::ArgPromise::inst):
        (JSC::B3::Air::LowerToAir::trappingInst):
        (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode):
        (JSC::B3::Air::LowerToAir::appendUnOp):
        (JSC::B3::Air::LowerToAir::appendBinOp):
        (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp):
        (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
        (JSC::B3::Air::LowerToAir::appendStore):
        (JSC::B3::Air::LowerToAir::append):
        (JSC::B3::Air::LowerToAir::createGenericCompare):
        (JSC::B3::Air::LowerToAir::createBranch):
        (JSC::B3::Air::LowerToAir::createCompare):
        (JSC::B3::Air::LowerToAir::createSelect):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects):
        * b3/B3Value.h:
        * b3/air/AirCode.h:
        * b3/testb3.cpp:
        (JSC::B3::testTrappingLoad):
        (JSC::B3::testTrappingStore):
        (JSC::B3::testTrappingLoadAddStore):
        (JSC::B3::testTrappingLoadDCE):
        (JSC::B3::testTrappingStoreElimination):
        (JSC::B3::run):

2016-09-30  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Stepping over/out of a function sometimes resumes instead of taking you to caller
        https://bugs.webkit.org/show_bug.cgi?id=162802
        <rdar://problem/28569982>

        Reviewed by Mark Lam.

        * debugger/Debugger.cpp:
        (JSC::Debugger::stepOverStatement):
        (JSC::Debugger::stepOutOfFunction):
        Enable stepping mode when we start stepping.

2016-09-30  Filip Pizlo  <fpizlo@apple.com>

        B3::moveConstants should be able to edit code to minimize the number of constants
        https://bugs.webkit.org/show_bug.cgi?id=162764

        Reviewed by Saam Barati.
        
        There are some interesting cases where we can reduce the number of constant materializations if
        we teach moveConstants() how to edit code. The two examples that this patch supports are:
        
            - Loads and stores from a constant pointer. Since loads and stores get an offset for free
              and the instruction selector is really good at handling it, and since we can query Air to
              see what kinds of offsets are legal, we can sometimes avoid using a constant pointer that
              is specific to the absolute address of that load and instead pick some other constant
              that is within offset distance of ours.
            
            - Add and Sub by a constant (x + c, x - c). Since x + c = x - -c and x - c = x + -c, we can
              flip Add to Sub or vice versa if the negated constant is available.
        
        This change makes moveConstants() pick the most dominant constant that works for an value. In
        the case of memory accesses, it uses Air::Arg::isValidAddrForm() to work out what other
        constants would work. In the case of Add/Sub, it simply looks for the negated constant. This
        should result in something like a minimal number of constants since these rules always pick the
        most dominant constant that works - so if an Add's constant is already most dominant then
        nothing changes, but if the negated one is more dominant then it becomes a Sub.
        
        This is a 0.5% speed-up on LongSpider and neutral elsewhere. It's a speed-up because the
        absolute address thing reduces the number of address materializations that we have to do, while
        the add/sub thing prevents us from having to materialize 0x1000000000000 to box doubles.
        However, this may introduce a pathology, which I've filed a bug for: bug 162796.

        * b3/B3MoveConstants.cpp:
        * b3/B3MoveConstants.h:
        * b3/B3UseCounts.h:
        * b3/air/AirFixObviousSpills.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testMoveConstants):
        (JSC::B3::run):

2016-09-30  Joseph Pecoraro  <pecoraro@apple.com>

        Fix modules tests after r206653 handle breakpoint locations in import/export statements
        https://bugs.webkit.org/show_bug.cgi?id=162807

        Reviewed by Mark Lam.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createExportDefaultDeclaration):
        (JSC::ASTBuilder::createExportLocalDeclaration):
        Don't record an extra breakpoint location for the statement
        within an export statement.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        Record a pause location for import/export statements.

2016-09-30  Mark Lam  <mark.lam@apple.com>

        Remove the dumping of the stack back trace in VM::verifyExceptionCheckNeedIsSatisfied().
        https://bugs.webkit.org/show_bug.cgi?id=162797

        Reviewed by Geoffrey Garen.

        This is because the RELEASE_ASSERT() that follows immediately after will also
        dump the stack back trace.  Hence, the first dump will be redundant.

        Also removed an extra space in the dataLog output.

        * runtime/VM.cpp:
        (JSC::VM::verifyExceptionCheckNeedIsSatisfied):

2016-09-30  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Stepping through `a(); b(); c();` it is unclear where we are and what is about to execute
        https://bugs.webkit.org/show_bug.cgi?id=161658
        <rdar://problem/28181254>

        Reviewed by Geoffrey Garen.
<