38399a89efb948cde0de36757ff9ed450920d3af
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-03-01  Alex Christensen  <achristensen@webkit.org>

        Continue enabling WebRTC
        https://bugs.webkit.org/show_bug.cgi?id=169056

        Reviewed by Jon Lee.

        * Configurations/FeatureDefines.xcconfig:

2017-03-01  Michael Saboff  <msaboff@apple.com>

        Source/JavaScriptCore/ChangeLog
        https://bugs.webkit.org/show_bug.cgi?id=169055

        Reviewed by Mark Lam.

        Made local copies of options strings for OptionRange and string typed options.

        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::OptionRange::init):

2017-03-01  Mark Lam  <mark.lam@apple.com>

        [Re-landing] Change JSLock to stash PlatformThread instead of std::thread::id.
        https://bugs.webkit.org/show_bug.cgi?id=168996

        Reviewed by Filip Pizlo and Saam Barati.

        PlatformThread is more useful because it allows us to:
        1. find the MachineThreads::Thread which is associated with it.
        2. suspend / resume threads.
        3. send a signal to a thread.

        We can't do those with std::thread::id.  We will need one or more of these
        capabilities to implement non-polling VM traps later.

        Update: Since we don't have a canonical "uninitialized" value for PlatformThread,
        we now have a JSLock::m_hasOwnerThread flag that is set to true if and only if the
        m_ownerThread value is valid.  JSLock::currentThreadIsHoldingLock() now checks
        JSLock::m_hasOwnerThread before doing the thread identity comparison.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::getCurrentPlatformThread): Deleted.
        * heap/MachineStackMarker.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock): Deleted.
        * runtime/JSLock.h:
        (JSC::JSLock::ownerThread):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/PlatformThread.h: Added.
        (JSC::currentPlatformThread):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::ownerThread):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::shouldTerminate):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
        * tools/VMInspector.cpp:

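Added example, not code from the WebKit tree: a standalone C++ lock that applies the ownership bookkeeping the re-landing entry above describes. The owner is kept as a raw pthread_t standing in for JSC's PlatformThread (an assumption of this example), and because pthread_t has no portable "no thread" value, a separate m_hasOwnerThread flag decides whether the stored handle may be compared at all. The class name, its methods and the scenario function are hypothetical, not JSLock's API.

```cpp
// Added example, not JavaScriptCore's JSLock: a re-entrant lock that remembers its
// owner as a raw pthread_t (standing in for JSC's PlatformThread) plus an explicit
// m_hasOwnerThread flag. pthread_t has no portable "no thread" value, so the flag,
// not the handle, says whether m_ownerThread may be compared. Names are hypothetical.
#include <cstdio>
#include <mutex>
#include <pthread.h>

typedef pthread_t PlatformThread; // assumption: modelled on JSC's PlatformThread

class OwnerTrackingLock {
public:
    void lock()
    {
        if (currentThreadIsHoldingLock()) { // re-entry on the owning thread
            ++m_lockCount;
            return;
        }
        m_mutex.lock();
        m_ownerThread = pthread_self();
        m_hasOwnerThread = true; // m_ownerThread is meaningful from here on
        m_lockCount = 1;
    }

    // Returns false if the caller does not own the lock (JSC asserts instead).
    bool unlock()
    {
        if (!currentThreadIsHoldingLock())
            return false; // not the owner: refuse rather than corrupt the state
        if (--m_lockCount)
            return true; // still held re-entrantly
        // Clear the flag before releasing the mutex: a stale handle must never be
        // compared against, since a pthread_t may be reused by a later thread.
        m_hasOwnerThread = false;
        m_mutex.unlock();
        return true;
    }

    bool currentThreadIsHoldingLock() const
    {
        // Flag first, identity second: when the lock is free m_ownerThread is
        // stale or uninitialised and pthread_equal() on it would be meaningless.
        return m_hasOwnerThread && pthread_equal(m_ownerThread, pthread_self());
    }

    unsigned lockCount() const { return m_lockCount; }

private:
    std::mutex m_mutex;
    PlatformThread m_ownerThread; // deliberately uninitialised: no canonical "none" value
    bool m_hasOwnerThread { false };
    unsigned m_lockCount { 0 };
};

// Walks the lock through free -> held -> re-entered -> free on the calling thread
// and reports whether every ownership query gave the expected answer.
bool ownershipBookkeepingIsConsistent()
{
    OwnerTrackingLock lock;
    bool ok = !lock.currentThreadIsHoldingLock(); // free: flag false, handle unset
    ok = ok && !lock.unlock();                    // unlocking an unheld lock is rejected
    lock.lock();
    ok = ok && lock.currentThreadIsHoldingLock() && lock.lockCount() == 1;
    lock.lock();                                  // re-entry only bumps the count
    ok = ok && lock.lockCount() == 2;
    ok = ok && lock.unlock() && lock.currentThreadIsHoldingLock();
    ok = ok && lock.unlock() && !lock.currentThreadIsHoldingLock();
    return ok;
}

int main()
{
    std::printf("ownership bookkeeping consistent: %s\n",
                ownershipBookkeepingIsConsistent() ? "yes" : "no");
    return 0;
}
```

The check order in currentThreadIsHoldingLock() is the point: the flag is tested first, so a handle left over from a thread that has since exited is never mistaken for the current owner. In a real VM the flag and handle are also read from other threads (watchdog, GC) and need the same memory-ordering care as the rest of the lock; this example only exercises the single-thread sequence.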
2017-03-01  Saam Barati  <sbarati@apple.com>

        Implement a mega-disassembler that'll be used in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=168685

        Reviewed by Mark Lam.

        This patch extends the previous Air disassembler to print the
        DFG and B3 nodes belonging to particular Air instructions.
        The algorithm I'm using to do this is not perfect. For example,
        it won't try to print the entire DFG/B3 graph. It'll just print
        the related nodes for particular Air instructions. We can make the
        algorithm more sophisticated as we get more experience looking at
        these IR dumps and get a better feel for what we want out of them.

        This is an example of the output:

        ...
        ...
        200:<!0:->  InvalidationPoint(MustGen, W:SideState, Exits, bc#28, exit: bc#25 --> _getEntry#DlGw2r:<0x10276f980> bc#37)
           Void @54 = Patchpoint(@29:ColdAny, @29:ColdAny, @53:ColdAny, DFG:@200, generator = 0x1015d6c18, earlyClobbered = [], lateClobbered = [], usedRegisters = [%r0, %r19, %r20, %r21, %r22, %fp], resultConstraint = WarmAny, ExitsSideways|WritesPinned|ReadsPinned|Reads:Top)
               Patch &Patchpoint2, %r20, %r20, %r0, @54
         76:< 6:->  GetByOffset(KnownCell:@44, KnownCell:@44, JS|UseAsOther, Array, id3{_elementData}, 2, inferredType = Object, R:NamedProperties(3), Exits, bc#37)  predicting Array
           Int64 @57 = Load(@29, DFG:@76, offset = 32, ControlDependent|Reads:100...101)
               Move 32(%r20), %r5, @57
                      0x389cc9ac0:    ldur   x5, [x20, #32]
        115:<!0:->  CheckStructure(Cell:@76, MustGen, [0x1027eae20:[Array, {}, ArrayWithContiguous, Proto:0x1027e0140]], R:JSCell_structureID, Exits, bc#46)
           Int32 @58 = Load(@57, DFG:@115, ControlDependent|Reads:16...17)
               Move32 (%r5), %r1, @58
                      0x389cc9ac4:    ldur   w1, [x5]
           Int32 @59 = Const32(DFG:@115, 92)
           Int32 @60 = NotEqual(@58, $92(@59), DFG:@115)
           Void @61 = Check(@60:WarmAny, @57:ColdAny, @29:ColdAny, @29:ColdAny, @53:ColdAny, @57:ColdAny, DFG:@115, generator = 0x1057991e0, earlyClobbered = [], lateClobbered = [], usedRegisters = [%r0, %r5, %r19, %r20, %r21, %r22, %fp], ExitsSideways|Reads:Top)
               Patch &Branch32(3,SameAsRep)1, NotEqual, %r1, $92, %r5, %r20, %r20, %r0, %r5, @61
                      0x389cc9ac8:    cmp    w1, #92
                      0x389cc9acc:    b.ne   0x389cc9dac
        117:< 2:->  GetButterfly(Cell:@76, Storage|PureInt, R:JSObject_butterfly, Exits, bc#46)
           Int64 @64 = Load(@57, DFG:@117, offset = 8, ControlDependent|Reads:24...25)
               Move 8(%r5), %r4, @64
                      0x389cc9ad0:    ldur   x4, [x5, #8]
         79:< 2:->  GetArrayLength(KnownCell:@76, Untyped:@117, JS|PureInt|UseAsInt, Nonboolint32, Contiguous+OriginalArray+InBounds+AsIs, R:Butterfly_publicLength, Exits, bc#46)
           Int32 @67 = Load(@64, DFG:@79, offset = -8, ControlDependent|Reads:3...4)
               Move32 -8(%r4), %r2, @67
                      0x389cc9ad4:    ldur   w2, [x4, #-8]
      192:< 1:->  JSConstant(JS|PureInt, Nonboolint32, Int32: -1, bc#0)
           Int32 @68 = Const32(DFG:@192, -1)
               Move $0xffffffffffffffff, %r1, $-1(@68)
                      0x389cc9ad8:    mov    x1, #-1
         83:<!2:->  ArithAdd(Int32:Kill:@79, Int32:Kill:@192, Number|MustGen|PureInt|UseAsInt, Int32, Unchecked, Exits, bc#55)
           Int32 @69 = Add(@67, $-1(@68), DFG:@83)
               Add32 %r2, %r1, %r1, @69
                      0x389cc9adc:    add    w1, w2, w1
         86:< 3:->  BitAnd(Check:Int32:@71, Int32:Kill:@83, Int32|UseAsOther|UseAsInt|ReallyWantsInt, Int32, Exits, bc#60)
           Int32 @70 = Below(@53, $-281474976710656(@15), DFG:@86)
           Void @71 = Check(@70:WarmAny, @53:ColdAny, @29:ColdAny, @29:ColdAny, @53:ColdAny, @69:ColdAny, DFG:@86, generator = 0x105799370, earlyClobbered = [], lateClobbered = [], usedRegisters = [%r0, %r1, %r2, %r4, %r5, %r19, %r20, %r21, %r22, %fp], ExitsSideways|Reads:Top)
               Patch &Branch64(3,SameAsRep)0, Below, %r0, %r22, %r0, %r20, %r20, %r0, %r1, @71
                      0x389cc9ae0:    cmp    x0, x22
                      0x389cc9ae4:    b.lo   0x389cc9dc0
           Int32 @72 = Trunc(@53, DFG:@86)
           Int32 @73 = BitAnd(@69, @72, DFG:@86)
               And32 %r1, %r0, %r1, @73
                      0x389cc9ae8:    and    w1, w1, w0
           16:<!0:->  PutStack(KnownInt32:@71, MustGen, loc27, machine:loc3, FlushedInt32, W:Stack(-28), bc#19)
           Int32 @72 = Trunc(@53, DFG:@86)
           Int64 @11 = SlotBase(stack0)
           Void @76 = Store(@72, @11, DFG:@16, offset = 32, ControlDependent|Writes:94...95)
               Move32 %r0, -64(%fp), @76
                      0x389cc9aec:    stur   w0, [fp, #-64]
           12:<!0:->  PutStack(Untyped:@86, MustGen, loc28, machine:loc4, FlushedJSValue, W:Stack(-29), bc#19)
           Int64 @77 = ZExt32(@73, DFG:@12)
           Int64 @78 = Add(@77, $-281474976710656(@15), DFG:@12)
               Add64 %r1, %r22, %r3, @78
                      0x389cc9af0:    add    x3, x1, x22
           Int64 @11 = SlotBase(stack0)
           Void @81 = Store(@78, @11, DFG:@12, offset = 24, ControlDependent|Writes:95...96)
               Move %r3, -72(%fp), @81
                      0x389cc9af4:    stur   x3, [fp, #-72]
           10:<!0:->  PutStack(KnownInt32:@46, MustGen, loc29, machine:loc5, FlushedInt32, W:Stack(-30), bc#19)
           Int32 @82 = Trunc(@24, DFG:@10)
           Int64 @11 = SlotBase(stack0)
           Void @85 = Store(@82, @11, DFG:@10, offset = 16, ControlDependent|Writes:96...97)
               Move32 %r21, -80(%fp), @85
                      0x389cc9af8:    stur   w21, [fp, #-80]
          129:<!10:->  GetByVal(KnownCell:Kill:@76, Int32:Kill:@86, Untyped:Kill:@117, JS|MustGen|UseAsOther, FinalOther, Contiguous+OriginalArray+OutOfBounds+AsIs, R:World, W:Heap, Exits, ClobbersExit, bc#19)  predicting FinalOther
           Int32 @89 = AboveEqual(@73, @67, DFG:@129)
           Void @90 = Branch(@89, DFG:@129, Terminal)
               Branch32 AboveOrEqual, %r1, %r2, @90
                      0x389cc9afc:    cmp    w1, w2
                      0x389cc9b00:    b.hs   0x389cc9bec
        ...
        ...

        * b3/air/AirDisassembler.cpp:
        (JSC::B3::Air::Disassembler::dump):
        * b3/air/AirDisassembler.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):

2017-03-01  Mark Lam  <mark.lam@apple.com>

        REGRESSION (r213202?): Assertion failed: (!"initialized()"), function operator().
        https://bugs.webkit.org/show_bug.cgi?id=169042

        Not reviewed.

        Rolling out r213229 and r213202.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/MachineStackMarker.cpp:
        (JSC::getCurrentPlatformThread):
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * heap/MachineStackMarker.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/JSLock.h:
        (JSC::JSLock::ownerThread):
        (JSC::JSLock::currentThreadIsHoldingLock): Deleted.
        * runtime/PlatformThread.h: Removed.
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::ownerThread):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::shouldTerminate):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
        * tools/VMInspector.cpp:

2017-03-01  Mark Lam  <mark.lam@apple.com>

        REGRESSION (r213202?): Assertion failed: (!"initialized()"), function operator()
        https://bugs.webkit.org/show_bug.cgi?id=169042

        Reviewed by Filip Pizlo.

        * runtime/JSLock.h:
        (JSC::JSLock::currentThreadIsHoldingLock):

2017-02-28  Brian Burg  <bburg@apple.com>

        REGRESSION(r211344): Remote Inspector: listingForAutomationTarget() is called off-main-thread, causing assertions
        https://bugs.webkit.org/show_bug.cgi?id=168695
        <rdar://problem/30643899>

        Reviewed by Joseph Pecoraro.

        The aforementioned commit added some new calls to update target listings. This causes RemoteInspector
        to update some listings underneath an incoming setup message on the XPC queue, which is not a safe place
        to gather listing information for RemoteAutomationTargets.

        Update the listing asynchronously since we don't need it immediately. Since this really only happens when
        the connection to the target is set up and shut down, we can trigger listings to be refreshed from
        the async block that's called on the target's queue inside RemoteConnectionToTarget::{setup,close}.

        * inspector/remote/RemoteInspector.h:
        Make updateListingForTarget(unsigned) usable from RemoteConnectionToTarget.

        * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
        (Inspector::RemoteConnectionToTarget::setup):
        (Inspector::RemoteConnectionToTarget::close):
        Grab the target identifier while the RemoteControllableTarget pointer is still valid,
        and use it inside the block later after it may have been destructed already. If that happens,
        then updateTargetListing will bail out because the targetIdentifier cannot be found in the mapping.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::updateTargetListing):
        We need to make sure to request a listing push after the target is updated, so implicitly call
        pushListingsSoon() from here. That method doesn't require any particular queue or holding a lock.

        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDidCloseMessage):
        (Inspector::RemoteInspector::receivedConnectionDiedMessage):
        Remove calls to updateTargetListing() and pushListingsSoon(), as these happen implicitly
        and asynchronously on the target's queue when the connection to target is opened or closed.

2017-03-01  Tomas Popela  <tpopela@redhat.com>

        Leak under Options::setOptions
        https://bugs.webkit.org/show_bug.cgi?id=169029

        Reviewed by Michael Saboff.

        Don't leak the optionsStrCopy variable.

        * runtime/Options.cpp:
        (JSC::Options::setOptions):

2017-03-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Allow UnlinkedCodeBlock to dump its bytecode sequence
        https://bugs.webkit.org/show_bug.cgi?id=168968

        Reviewed by Saam Barati.

        This patch decouples dumping bytecode sequence from CodeBlock.
        This change allows UnlinkedCodeBlock to dump its bytecode sequence.
        It is useful because we now have a complex phase between UnlinkedCodeBlock and CodeBlock,
        called Generatorification.

        We introduce BytecodeDumper<Block>. Both CodeBlock and UnlinkedCodeBlock can use
        this class to dump bytecode sequence.

        And this patch also adds Option::dumpBytecodesBeforeGeneratorification,
        which dumps unlinked bytecode sequence before generatorification if it is enabled.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeDumper.cpp: Added.
        (JSC::getStructureID):
        (JSC::getSpecialPointer):
        (JSC::getPutByIdFlags):
        (JSC::getToThisStatus):
        (JSC::getPointer):
        (JSC::getStructureChain):
        (JSC::getStructure):
        (JSC::getCallLinkInfo):
        (JSC::getBasicBlockLocation):
        (JSC::BytecodeDumper<Block>::actualPointerFor):
        (JSC::BytecodeDumper<CodeBlock>::actualPointerFor):
        (JSC::beginDumpProfiling):
        (JSC::BytecodeDumper<Block>::dumpValueProfiling):
        (JSC::BytecodeDumper<CodeBlock>::dumpValueProfiling):
        (JSC::BytecodeDumper<Block>::dumpArrayProfiling):
        (JSC::BytecodeDumper<CodeBlock>::dumpArrayProfiling):
        (JSC::BytecodeDumper<Block>::dumpProfilesForBytecodeOffset):
        (JSC::dumpRareCaseProfile):
        (JSC::dumpArithProfile):
        (JSC::BytecodeDumper<CodeBlock>::dumpProfilesForBytecodeOffset):
        (JSC::BytecodeDumper<Block>::vm):
        (JSC::BytecodeDumper<Block>::identifier):
        (JSC::regexpToSourceString):
        (JSC::regexpName):
        (JSC::printLocationAndOp):
        (JSC::isConstantRegisterIndex):
        (JSC::debugHookName):
        (JSC::BytecodeDumper<Block>::registerName):
        (JSC::idName):
        (JSC::BytecodeDumper<Block>::constantName):
        (JSC::BytecodeDumper<Block>::printUnaryOp):
        (JSC::BytecodeDumper<Block>::printBinaryOp):
        (JSC::BytecodeDumper<Block>::printConditionalJump):
        (JSC::BytecodeDumper<Block>::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<Block>::printCallOp):
        (JSC::BytecodeDumper<Block>::printPutByIdOp):
        (JSC::BytecodeDumper<Block>::printLocationOpAndRegisterOperand):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpIdentifiers):
        (JSC::BytecodeDumper<Block>::dumpConstants):
        (JSC::BytecodeDumper<Block>::dumpRegExps):
        (JSC::BytecodeDumper<Block>::dumpExceptionHandlers):
        (JSC::BytecodeDumper<Block>::dumpSwitchJumpTables):
        (JSC::BytecodeDumper<Block>::dumpStringSwitchJumpTables):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeDumper.h: Added.
        (JSC::BytecodeDumper::BytecodeDumper):
        (JSC::BytecodeDumper::block):
        (JSC::BytecodeDumper::instructionsBegin):
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
        (JSC::performGeneratorification):
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::dumpResults):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::hasOpDebugForLineAndColumn):
        (JSC::CodeBlock::usesOpcode):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::arithProfileForPC):
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        (JSC::idName): Deleted.
        (JSC::CodeBlock::registerName): Deleted.
        (JSC::CodeBlock::constantName): Deleted.
        (JSC::regexpToSourceString): Deleted.
        (JSC::regexpName): Deleted.
        (JSC::debugHookName): Deleted.
        (JSC::CodeBlock::printUnaryOp): Deleted.
        (JSC::CodeBlock::printBinaryOp): Deleted.
        (JSC::CodeBlock::printConditionalJump): Deleted.
        (JSC::CodeBlock::printGetByIdOp): Deleted.
        (JSC::dumpStructure): Deleted.
        (JSC::dumpChain): Deleted.
        (JSC::CodeBlock::printGetByIdCacheStatus): Deleted.
        (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
        (JSC::CodeBlock::printCallOp): Deleted.
        (JSC::CodeBlock::printPutByIdOp): Deleted.
        (JSC::CodeBlock::dumpExceptionHandlers): Deleted.
        (JSC::CodeBlock::beginDumpProfiling): Deleted.
        (JSC::CodeBlock::dumpValueProfiling): Deleted.
        (JSC::CodeBlock::dumpArrayProfiling): Deleted.
        (JSC::CodeBlock::dumpRareCaseProfile): Deleted.
        (JSC::CodeBlock::dumpArithProfile): Deleted.
        (JSC::CodeBlock::printLocationAndOp): Deleted.
        (JSC::CodeBlock::printLocationOpAndRegisterOperand): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constantRegisters):
        (JSC::CodeBlock::numberOfRegExps):
        (JSC::CodeBlock::bitVectors):
        (JSC::CodeBlock::bitVector):
        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfoBase::typeName):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::dump):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::getConstant):
        * bytecode/UnlinkedInstructionStream.cpp:
        (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream):
        * bytecode/UnlinkedInstructionStream.h:
        (JSC::UnlinkedInstructionStream::Reader::next):
        * runtime/Options.h:

2017-02-28  Mark Lam  <mark.lam@apple.com>

        Change JSLock to stash PlatformThread instead of std::thread::id.
        https://bugs.webkit.org/show_bug.cgi?id=168996

        Reviewed by Filip Pizlo.

        PlatformThread is more useful because it allows us to:
        1. find the MachineThreads::Thread which is associated with it.
        2. suspend / resume threads.
        3. send a signal to a thread.

        We can't do those with std::thread::id.  We will need one or more of these
        capabilities to implement non-polling VM traps later.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::machineThreadForCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::getCurrentPlatformThread): Deleted.
        * heap/MachineStackMarker.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock): Deleted.
        * runtime/JSLock.h:
        (JSC::JSLock::ownerThread):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/PlatformThread.h: Added.
        (JSC::currentPlatformThread):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::ownerThread):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::shouldTerminate):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
        * tools/VMInspector.cpp:

2017-02-28  Mark Lam  <mark.lam@apple.com>

        Enable the SigillCrashAnalyzer by default for iOS.
        https://bugs.webkit.org/show_bug.cgi?id=168989

        Reviewed by Keith Miller.

        * runtime/Options.cpp:
        (JSC::overrideDefaults):

2017-02-28  Mark Lam  <mark.lam@apple.com>

        Remove setExclusiveThread() and peers from the JSLock.
        https://bugs.webkit.org/show_bug.cgi?id=168977

        Reviewed by Filip Pizlo.

        JSLock::setExclusiveThread() was only used by WebCore.  Benchmarking with
        Speedometer, we see that removal of exclusive thread status has no measurable
        impact on performance.  So, let's remove the code for handling exclusive thread
        status, and simplify the JSLock code.

        For the record, exclusive thread status does improve JSLock locking/unlocking
        time by up to 20%.  However, this difference is not measurable in the way WebCore
        uses the JSLock as confirmed by Speedometer.

        Also applied a minor optimization in JSLock::lock() to assume the initial lock
        entry case (as opposed to the re-entry case).  This appears to show a small
        fractional improvement (about 5%) in JSLock cumulative locking and unlocking
        time in a micro-benchmark.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::addCurrentThread):
        * heap/MachineStackMarker.h:
        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::setExclusiveThread): Deleted.
        * runtime/JSLock.h:
        (JSC::JSLock::ownerThread):
        (JSC::JSLock::hasExclusiveThread): Deleted.
        (JSC::JSLock::exclusiveThread): Deleted.
        * runtime/VM.h:
        (JSC::VM::hasExclusiveThread): Deleted.
        (JSC::VM::exclusiveThread): Deleted.
        (JSC::VM::setExclusiveThread): Deleted.

2017-02-28  Saam Barati  <sbarati@apple.com>

        Arm64 disassembler prints "ars" instead of "asr"
        https://bugs.webkit.org/show_bug.cgi?id=168923

        Rubber stamped by Michael Saboff.

        * disassembler/ARM64/A64DOpcode.cpp:
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::format):

2017-02-28  Oleksandr Skachkov  <gskachkov@gmail.com>

        Use of arguments in arrow function is slow
        https://bugs.webkit.org/show_bug.cgi?id=168829

        Reviewed by Saam Barati.

        The current patch improves the performance of access to arguments within an arrow function
        by preventing creation of the arguments variable within the arrow function, and also allows
        the arguments variable to be cached. Before, the arguments variable always had the Dynamic
        resolve type; after the patch it can be ClosureVar, which increases the performance of access
        to the arguments variable 9 times inside the arrow function.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):

2017-02-28  Michael Saboff  <msaboff@apple.com>

        Add ability to configure JSC options from a file
        https://bugs.webkit.org/show_bug.cgi?id=168914

        Reviewed by Filip Pizlo.

        Added the ability to set options and DataLog file location via a configuration file.
        The configuration file is specified with the --configFile option to JSC or the
        JSC_configFile environment variable.

        The file format allows for options conditionally dependent on various attributes.
        Currently those attributes are the process name, parent process name and build
        type (Release or Debug).  In this patch, the parent process type is not set.
        That will be set up in WebKit code with a follow up patch.

        Here is an example config file:

            logFile = "/tmp/jscLog.%pid.txt"

            jscOptions {
                dumpOptions = 2
            }

            build == "Debug" {
                jscOptions {
                    useConcurrentJIT = false
                    dumpDisassembly = true
                }
            }

            build == "Release" && processName == "jsc" {
                jscOptions {
                    asyncDisassembly = true
                }
            }

        Eliminated the prior options file code.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (jscmain):
        * runtime/ConfigFile.cpp: Added.
        (JSC::ConfigFileScanner::ConfigFileScanner):
        (JSC::ConfigFileScanner::start):
        (JSC::ConfigFileScanner::lineNumber):
        (JSC::ConfigFileScanner::currentBuffer):
        (JSC::ConfigFileScanner::atFileEnd):
        (JSC::ConfigFileScanner::tryConsume):
        (JSC::ConfigFileScanner::tryConsumeString):
        (JSC::ConfigFileScanner::tryConsumeUpto):
        (JSC::ConfigFileScanner::fillBufferIfNeeded):
        (JSC::ConfigFileScanner::fillBuffer):
        (JSC::ConfigFile::ConfigFile):
        (JSC::ConfigFile::setProcessName):
        (JSC::ConfigFile::setParentProcessName):
        (JSC::ConfigFile::parse):
        * runtime/ConfigFile.h: Added.
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        (JSC::Options::setOptions):
        * runtime/Options.h:

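Added example, not JSC's ConfigFile.cpp: a small standalone reader for the configuration syntax shown in the entry above, written to make the selection rules concrete. It reads the top-level logFile setting, unconditional jscOptions blocks, and blocks guarded by attr == "value" conditions joined with &&, and evaluates those conditions against a caller-supplied attribute map (build, processName, and so on). The class names, the Attributes map, the error handling and the treatment of %pid (left unexpanded) are this example's assumptions; the sample text is the entry's own config file.

```cpp
// Added example, not JavaScriptCore's ConfigFile.cpp: a minimal reader for the
// config-file syntax shown in the ChangeLog entry. Names and structure are assumptions.
#include <cctype>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

typedef std::map<std::string, std::string> Attributes; // e.g. build, processName
struct ConfigResult {
    std::string logFile;                                      // top-level logFile = "..."
    std::vector<std::pair<std::string, std::string>> options; // jscOptions that apply
};

// Splits the text into {, }, =, ==, &&, "quoted strings" and bare words.
static std::vector<std::string> tokenize(const std::string& text)
{
    std::vector<std::string> tokens;
    auto isDelimiter = [](char ch) { return ch == '{' || ch == '}' || ch == '=' || ch == '"' || ch == '&'; };
    for (size_t i = 0; i < text.size();) {
        char c = text[i];
        if (std::isspace(static_cast<unsigned char>(c))) { ++i; continue; }
        if (!text.compare(i, 2, "==") || !text.compare(i, 2, "&&")) { tokens.push_back(text.substr(i, 2)); i += 2; continue; }
        if (c == '{' || c == '}' || c == '=') { tokens.push_back(std::string(1, c)); ++i; continue; }
        if (c == '"') { // quotes are kept so strings stay distinguishable from bare words
            size_t end = text.find('"', i + 1);
            if (end == std::string::npos) throw std::runtime_error("unterminated string");
            tokens.push_back(text.substr(i, end - i + 1)); i = end + 1; continue;
        }
        size_t end = i;
        while (end < text.size() && !std::isspace(static_cast<unsigned char>(text[end])) && !isDelimiter(text[end])) ++end;
        if (end == i) throw std::runtime_error("unexpected character");
        tokens.push_back(text.substr(i, end - i)); i = end;
    }
    return tokens;
}

class ConfigParser {
public:
    ConfigParser(std::vector<std::string> tokens, const Attributes& attrs) : m_tokens(tokens), m_attrs(attrs) { }
    ConfigResult parse() { ConfigResult r; while (m_pos < m_tokens.size()) parseStatement(r, true); return r; }

private:
    std::string peek() const { return m_pos < m_tokens.size() ? m_tokens[m_pos] : std::string(); }
    std::string next() { if (m_pos >= m_tokens.size()) throw std::runtime_error("unexpected end of file"); return m_tokens[m_pos++]; }
    void expect(const std::string& token) { if (next() != token) throw std::runtime_error("expected " + token); }
    static std::string unquote(const std::string& s) { return s.size() >= 2 && s[0] == '"' ? s.substr(1, s.size() - 2) : s; }

    // `enabled` is false inside a conditional block whose condition failed: the block is
    // still parsed (so syntax errors surface and its end is found) but nothing is kept.
    void parseStatement(ConfigResult& result, bool enabled)
    {
        std::string head = next();
        if (head == "logFile") {
            expect("=");
            std::string value = unquote(next());
            if (enabled) result.logFile = value;
        } else if (head == "jscOptions") {
            expect("{");
            while (peek() != "}") {
                std::string key = next(); expect("="); std::string value = unquote(next());
                if (enabled) result.options.emplace_back(key, value);
            }
            expect("}");
        } else { // attr == "value" [&& attr == "value" ...] { statements }
            bool holds = true;
            for (std::string attr = head;; attr = next()) {
                expect("==");
                std::string wanted = unquote(next());
                Attributes::const_iterator it = m_attrs.find(attr);
                holds = holds && it != m_attrs.end() && it->second == wanted;
                if (peek() != "&&") break;
                next(); // consume the && and read the next attribute name
            }
            expect("{");
            while (peek() != "}")
                parseStatement(result, enabled && holds);
            expect("}");
        }
    }

    std::vector<std::string> m_tokens;
    Attributes m_attrs;
    size_t m_pos = 0;
};

ConfigResult loadConfig(const std::string& text, const Attributes& attrs) { return ConfigParser(tokenize(text), attrs).parse(); }

bool hasOption(const ConfigResult& r, const std::string& key, const std::string& value)
{
    for (const auto& kv : r.options) if (kv.first == key && kv.second == value) return true;
    return false;
}

// Constructed sample: the config file from the entry above, as one string.
const char* const kSampleConfig =
    "logFile = \"/tmp/jscLog.%pid.txt\"\n\njscOptions {\n    dumpOptions = 2\n}\n\n"
    "build == \"Debug\" {\n    jscOptions {\n        useConcurrentJIT = false\n        dumpDisassembly = true\n    }\n}\n\n"
    "build == \"Release\" && processName == \"jsc\" {\n    jscOptions {\n        asyncDisassembly = true\n    }\n}\n";
```

Calling loadConfig(kSampleConfig, {{"build", "Debug"}, {"processName", "jsc"}}) yields dumpOptions, useConcurrentJIT and dumpDisassembly; with build set to "Release" and processName to "jsc" it yields dumpOptions and asyncDisassembly, and any other Release process gets dumpOptions alone. Blocks whose condition does not hold are still parsed to find their closing brace, so a syntax error in a Release-only block is reported on a Debug run too rather than going unnoticed until it matters.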
2017-02-27  Alex Christensen  <achristensen@webkit.org>

        Begin enabling WebRTC on 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=168915

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2017-02-27  Mark Lam  <mark.lam@apple.com>

        Introduce a VM Traps mechanism and refactor Watchdog to use it.
        https://bugs.webkit.org/show_bug.cgi?id=168842

        Reviewed by Filip Pizlo.

        Currently, the traps mechanism is only used for the JSC watchdog, and for
        asynchronous termination requests (which are currently only used for worker
        thread termination).
627
628         This first cut of the traps mechanism still relies on polling from DFG and FTL
629         code.  This is done to keep the patch as small as possible.  The work to do
630         a non-polling version of the traps mechanism for DFG and FTL code is deferred to
631         another patch.
632
633         In this patch, worker threads still need to set the VM::m_needAsynchronousTerminationSupport
634         flag to enable the traps polling in the DFG and FTL code.  When we have the
635         non-polling version of the DFG and FTL traps mechanism, we can remove the use of
636         the VM::m_needAsynchronousTerminationSupport flag.
637
638         Note: this patch also separates asynchronous termination support from the JSC
639         watchdog.  This separation allows us to significantly simplify the locking
640         requirements in the watchdog code, and make it easier to reason about its
641         correctness.
642
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitLoopHint):
        (JSC::BytecodeGenerator::emitCheckTraps):
        (JSC::BytecodeGenerator::emitWatchdog): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckTraps):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckWatchdogTimer): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::execute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_check_traps):
        (JSC::JIT::emitSlow_op_check_traps):
        (JSC::JIT::emit_op_watchdog): Deleted.
        (JSC::JIT::emitSlow_op_watchdog): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::ensureWatchdog):
        (JSC::VM::handleTraps):
        * runtime/VM.h:
        (JSC::VM::ownerThread):
        (JSC::VM::needTrapHandling):
        (JSC::VM::needTrapHandlingAddress):
        (JSC::VM::notifyNeedTermination):
        (JSC::VM::notifyNeedWatchdogCheck):
        (JSC::VM::needAsynchronousTerminationSupport):
        (JSC::VM::setNeedAsynchronousTerminationSupport):
        * runtime/VMInlines.h:
        (JSC::VM::shouldTriggerTermination): Deleted.
        * runtime/VMTraps.cpp: Added.
        (JSC::VMTraps::fireTrap):
        (JSC::VMTraps::takeTrap):
        * runtime/VMTraps.h: Added.
        (JSC::VMTraps::needTrapHandling):
        (JSC::VMTraps::needTrapHandlingAddress):
        (JSC::VMTraps::hasTrapForEvent):
        (JSC::VMTraps::setTrapForEvent):
        (JSC::VMTraps::clearTrapForEvent):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Watchdog):
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::shouldTerminate):
        (JSC::Watchdog::enteredVM):
        (JSC::Watchdog::exitedVM):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        (JSC::Watchdog::willDestroyVM):
        (JSC::Watchdog::terminateSoon): Deleted.
        (JSC::Watchdog::shouldTerminateSlow): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::shouldTerminate): Deleted.
        (JSC::Watchdog::timerDidFireAddress): Deleted.

2017-02-27  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r213019.
        https://bugs.webkit.org/show_bug.cgi?id=168925

        "It broke 32-bit jsc tests in debug builds" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "op_get_by_id_with_this should use inline caching"
        https://bugs.webkit.org/show_bug.cgi?id=162124
        http://trac.webkit.org/changeset/213019

2017-02-27  JF Bastien  <jfbastien@apple.com>

        WebAssembly: miscellaneous spec fixes part deux
        https://bugs.webkit.org/show_bug.cgi?id=168861

        Reviewed by Keith Miller.

        * wasm/WasmFunctionParser.h: add some FIXME

2017-02-27  Alex Christensen  <achristensen@webkit.org>

        [libwebrtc] Enable WebRTC in some Production Builds
        https://bugs.webkit.org/show_bug.cgi?id=168858

        * Configurations/FeatureDefines.xcconfig:

2017-02-26  Caio Lima  <ticaiolima@gmail.com>

        op_get_by_id_with_this should use inline caching
        https://bugs.webkit.org/show_bug.cgi?id=162124

        Reviewed by Saam Barati.

        This patch is enabling inline cache for op_get_by_id_with_this in all
        tiers. It means that operations using ```super.member``` are going to
        be able to be optimized by PIC. To enable it, we introduced a new
        member of StructureStubInfo.patch named thisGPR, created a new class
        to manage the IC named JITGetByIdWithThisGenerator and changed
        PolymorphicAccess.regenerate that uses StructureStubInfo.patch.thisGPR
        to decide the correct this value on inline caches.
        With inline caching enabled, ```super.member``` operations are ~4.5x faster,
        according to microbenchmarks.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::reset):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addGetByIdWithThis):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileIn):
        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/ICStats.h:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
        (JSC::JITGetByIdWithThisGenerator::generateFastPath):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        * jit/Repatch.cpp:
        (JSC::appropriateOptimizingGetByIdFunction):
        (JSC::appropriateGenericGetByIdFunction):
        (JSC::tryCacheGetByID):
        * jit/Repatch.h:
        * jsc.cpp:
        (WTF::CustomGetter::getOwnPropertySlot):
        (WTF::CustomGetter::customGetterAcessor):

2017-02-24  JF Bastien  <jfbastien@apple.com>

        WebAssembly: miscellaneous spec fixes
        https://bugs.webkit.org/show_bug.cgi?id=168822

        Reviewed by Saam Barati.

        * wasm/WasmModuleParser.cpp: "unknown" sections are now called "custom" sections
        * wasm/WasmSections.h:
        (JSC::Wasm::validateOrder):
        (JSC::Wasm::makeString): fix ASSERT_UNREACHABLE bug in printing
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance): disallow i64 import
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link): disallow i64 export
        (JSC::WebAssemblyModuleRecord::evaluate):

2017-02-24  Filip Pizlo  <fpizlo@apple.com>

        Move Arg::Type and Arg::Width out into the B3 namespace, since they are general concepts
        https://bugs.webkit.org/show_bug.cgi?id=168833

        Reviewed by Saam Barati.

        I want to use the Air::Arg::Type and Air::Arg::Width concepts in B3. We are already
        doing this a bit, and it's awkward because of the namespacing. Throughout B3 we take the
        approach that if something is not specific to Air, then it should be in the B3
        namespace.

        This moves Air::Arg::Type to B3::Bank. This moves Air::Arg::Width to B3::Width.

        I renamed Arg::Type to Bank because there is already a B3::Type and because Arg::Type
        was never really a type. Its purpose was always to identify register banks, and we use
        this enum when the thing we care about is whether the value is most appropriate for
        GPRs or FPRs.

        I kept both as non-enum classes because I think that we've learned that terse compiler
        code is a good thing. I don't want to say Bank::GP when I can say GP. With Width, the
        argument is even stronger, since you cannot say Width::8 but you can say Width8.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Bank.cpp: Added.
        (WTF::printInternal):
        * b3/B3Bank.h: Added.
        (JSC::B3::forEachBank):
        (JSC::B3::bankForType):
        * b3/B3CheckSpecial.cpp:
        (JSC::B3::CheckSpecial::forEachArg):
        * b3/B3LegalizeMemoryOffsets.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::run):
        (JSC::B3::Air::LowerToAir::tmp):
        (JSC::B3::Air::LowerToAir::scaleForShl):
        (JSC::B3::Air::LowerToAir::effectiveAddr):
        (JSC::B3::Air::LowerToAir::addr):
        (JSC::B3::Air::LowerToAir::createGenericCompare):
        (JSC::B3::Air::LowerToAir::createBranch):
        (JSC::B3::Air::LowerToAir::createCompare):
        (JSC::B3::Air::LowerToAir::createSelect):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3MemoryValue.cpp:
        (JSC::B3::MemoryValue::accessWidth):
        * b3/B3MemoryValue.h:
        * b3/B3MoveConstants.cpp:
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        * b3/B3Value.h:
        * b3/B3Variable.h:
        (JSC::B3::Variable::width):
        (JSC::B3::Variable::bank):
        * b3/B3WasmAddressValue.h:
        * b3/B3Width.cpp: Added.
        (WTF::printInternal):
        * b3/B3Width.h: Added.
        (JSC::B3::pointerWidth):
        (JSC::B3::widthForType):
        (JSC::B3::conservativeWidth):
        (JSC::B3::minimumWidth):
        (JSC::B3::bytes):
        (JSC::B3::widthForBytes):
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::canRepresent):
        (JSC::B3::Air::Arg::isCompatibleBank):
        (JSC::B3::Air::Arg::isCompatibleType): Deleted.
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::hasBank):
        (JSC::B3::Air::Arg::bank):
        (JSC::B3::Air::Arg::isBank):
        (JSC::B3::Air::Arg::forEachTmp):
        (JSC::B3::Air::Arg::forEachType): Deleted.
        (JSC::B3::Air::Arg::pointerWidth): Deleted.
        (JSC::B3::Air::Arg::typeForB3Type): Deleted.
        (JSC::B3::Air::Arg::widthForB3Type): Deleted.
        (JSC::B3::Air::Arg::conservativeWidth): Deleted.
        (JSC::B3::Air::Arg::minimumWidth): Deleted.
        (JSC::B3::Air::Arg::bytes): Deleted.
        (JSC::B3::Air::Arg::widthForBytes): Deleted.
        (JSC::B3::Air::Arg::hasType): Deleted.
        (JSC::B3::Air::Arg::type): Deleted.
        (JSC::B3::Air::Arg::isType): Deleted.
        * b3/air/AirArgInlines.h:
        (JSC::B3::Air::ArgThingHelper<Tmp>::forEach):
        (JSC::B3::Air::ArgThingHelper<Arg>::forEach):
        (JSC::B3::Air::ArgThingHelper<Reg>::forEach):
        (JSC::B3::Air::Arg::forEach):
        * b3/air/AirCCallSpecial.cpp:
        (JSC::B3::Air::CCallSpecial::forEachArg):
        * b3/air/AirCCallingConvention.cpp:
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::Code):
        (JSC::B3::Air::Code::setRegsInPriorityOrder):
        (JSC::B3::Air::Code::pinRegister):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::regsInPriorityOrder):
        (JSC::B3::Air::Code::newTmp):
        (JSC::B3::Air::Code::numTmps):
        (JSC::B3::Air::Code::regsInPriorityOrderImpl):
        * b3/air/AirCustom.cpp:
        (JSC::B3::Air::PatchCustom::isValidForm):
        (JSC::B3::Air::ShuffleCustom::isValidForm):
        * b3/air/AirCustom.h:
        (JSC::B3::Air::PatchCustom::forEachArg):
        (JSC::B3::Air::CCallCustom::forEachArg):
        (JSC::B3::Air::ColdCCallCustom::forEachArg):
        (JSC::B3::Air::ShuffleCustom::forEachArg):
        (JSC::B3::Air::WasmBoundsCheckCustom::forEachArg):
        * b3/air/AirDumpAsJS.cpp:
        (JSC::B3::Air::dumpAsJS):
        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode):
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirEmitShuffle.h:
        (JSC::B3::Air::ShufflePair::ShufflePair):
        (JSC::B3::Air::ShufflePair::width):
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirFixPartialRegisterStalls.cpp:
        (JSC::B3::Air::fixPartialRegisterStalls):
        * b3/air/AirInst.cpp:
        (JSC::B3::Air::Inst::hasArgEffects):
        * b3/air/AirInst.h:
        (JSC::B3::Air::Inst::forEachTmp):
        * b3/air/AirInstInlines.h:
        (JSC::B3::Air::Inst::forEach):
        (JSC::B3::Air::Inst::forEachDef):
        (JSC::B3::Air::Inst::forEachDefWithExtraClobberedRegs):
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::TmpLivenessAdapter::numIndices):
        (JSC::B3::Air::TmpLivenessAdapter::acceptsBank):
        (JSC::B3::Air::TmpLivenessAdapter::valueToIndex):
        (JSC::B3::Air::TmpLivenessAdapter::indexToValue):
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank):
        (JSC::B3::Air::RegLivenessAdapter::acceptsBank):
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
        (JSC::B3::Air::TmpLivenessAdapter::acceptsType): Deleted.
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsType): Deleted.
        (JSC::B3::Air::RegLivenessAdapter::acceptsType): Deleted.
        * b3/air/AirLogRegisterPressure.cpp:
        (JSC::B3::Air::logRegisterPressure):
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirLowerMacros.cpp:
        (JSC::B3::Air::lowerMacros):
        * b3/air/AirPadInterference.cpp:
        (JSC::B3::Air::padInterference):
        * b3/air/AirReportUsedRegisters.cpp:
        (JSC::B3::Air::reportUsedRegisters):
        * b3/air/AirSpillEverything.cpp:
        (JSC::B3::Air::spillEverything):
        * b3/air/AirTmpInlines.h:
        (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::absoluteIndex): Deleted.
        (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::lastMachineRegisterIndex): Deleted.
        (JSC::B3::Air::AbsoluteTmpMapper<Arg::GP>::tmpFromAbsoluteIndex): Deleted.
        (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::absoluteIndex): Deleted.
        (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::lastMachineRegisterIndex): Deleted.
        (JSC::B3::Air::AbsoluteTmpMapper<Arg::FP>::tmpFromAbsoluteIndex): Deleted.
        * b3/air/AirTmpWidth.cpp:
        (JSC::B3::Air::TmpWidth::recompute):
        * b3/air/AirTmpWidth.h:
        (JSC::B3::Air::TmpWidth::width):
        (JSC::B3::Air::TmpWidth::requiredWidth):
        (JSC::B3::Air::TmpWidth::defWidth):
        (JSC::B3::Air::TmpWidth::useWidth):
        (JSC::B3::Air::TmpWidth::Widths::Widths):
        * b3/air/AirUseCounts.h:
        (JSC::B3::Air::UseCounts::UseCounts):
        * b3/air/AirValidate.cpp:
        * b3/air/opcode_generator.rb:
        * b3/air/testair.cpp:
        (JSC::B3::Air::compile): Deleted.
        (JSC::B3::Air::invoke): Deleted.
        (JSC::B3::Air::compileAndRun): Deleted.
        (JSC::B3::Air::testSimple): Deleted.
        (JSC::B3::Air::loadConstantImpl): Deleted.
        (JSC::B3::Air::loadConstant): Deleted.
        (JSC::B3::Air::loadDoubleConstant): Deleted.
        (JSC::B3::Air::testShuffleSimpleSwap): Deleted.
        (JSC::B3::Air::testShuffleSimpleShift): Deleted.
        (JSC::B3::Air::testShuffleLongShift): Deleted.
        (JSC::B3::Air::testShuffleLongShiftBackwards): Deleted.
        (JSC::B3::Air::testShuffleSimpleRotate): Deleted.
        (JSC::B3::Air::testShuffleSimpleBroadcast): Deleted.
        (JSC::B3::Air::testShuffleBroadcastAllRegs): Deleted.
        (JSC::B3::Air::testShuffleTreeShift): Deleted.
        (JSC::B3::Air::testShuffleTreeShiftBackward): Deleted.
        (JSC::B3::Air::testShuffleTreeShiftOtherBackward): Deleted.
        (JSC::B3::Air::testShuffleMultipleShifts): Deleted.
        (JSC::B3::Air::testShuffleRotateWithFringe): Deleted.
        (JSC::B3::Air::testShuffleRotateWithFringeInWeirdOrder): Deleted.
        (JSC::B3::Air::testShuffleRotateWithLongFringe): Deleted.
        (JSC::B3::Air::testShuffleMultipleRotates): Deleted.
        (JSC::B3::Air::testShuffleShiftAndRotate): Deleted.
        (JSC::B3::Air::testShuffleShiftAllRegs): Deleted.
        (JSC::B3::Air::testShuffleRotateAllRegs): Deleted.
        (JSC::B3::Air::testShuffleSimpleSwap64): Deleted.
        (JSC::B3::Air::testShuffleSimpleShift64): Deleted.
        (JSC::B3::Air::testShuffleSwapMixedWidth): Deleted.
        (JSC::B3::Air::testShuffleShiftMixedWidth): Deleted.
        (JSC::B3::Air::testShuffleShiftMemory): Deleted.
        (JSC::B3::Air::testShuffleShiftMemoryLong): Deleted.
        (JSC::B3::Air::testShuffleShiftMemoryAllRegs): Deleted.
        (JSC::B3::Air::testShuffleShiftMemoryAllRegs64): Deleted.
        (JSC::B3::Air::combineHiLo): Deleted.
        (JSC::B3::Air::testShuffleShiftMemoryAllRegsMixedWidth): Deleted.
        (JSC::B3::Air::testShuffleRotateMemory): Deleted.
        (JSC::B3::Air::testShuffleRotateMemory64): Deleted.
        (JSC::B3::Air::testShuffleRotateMemoryMixedWidth): Deleted.
        (JSC::B3::Air::testShuffleRotateMemoryAllRegs64): Deleted.
        (JSC::B3::Air::testShuffleRotateMemoryAllRegsMixedWidth): Deleted.
        (JSC::B3::Air::testShuffleSwapDouble): Deleted.
        (JSC::B3::Air::testShuffleShiftDouble): Deleted.
        (JSC::B3::Air::testX86VMULSD): Deleted.
        (JSC::B3::Air::testX86VMULSDDestRex): Deleted.
        (JSC::B3::Air::testX86VMULSDOp1DestRex): Deleted.
        (JSC::B3::Air::testX86VMULSDOp2DestRex): Deleted.
        (JSC::B3::Air::testX86VMULSDOpsDestRex): Deleted.
        (JSC::B3::Air::testX86VMULSDAddr): Deleted.
        (JSC::B3::Air::testX86VMULSDAddrOpRexAddr): Deleted.
        (JSC::B3::Air::testX86VMULSDDestRexAddr): Deleted.
        (JSC::B3::Air::testX86VMULSDRegOpDestRexAddr): Deleted.
        (JSC::B3::Air::testX86VMULSDAddrOpDestRexAddr): Deleted.
        (JSC::B3::Air::testX86VMULSDBaseNeedsRex): Deleted.
        (JSC::B3::Air::testX86VMULSDIndexNeedsRex): Deleted.
        (JSC::B3::Air::testX86VMULSDBaseIndexNeedRex): Deleted.
        (JSC::B3::Air::run): Deleted.

2017-02-24  Keith Miller  <keith_miller@apple.com>

        We should be able to use std::tuples as keys in HashMap
        https://bugs.webkit.org/show_bug.cgi?id=168805

        Reviewed by Filip Pizlo.

        Convert the mess of std::pairs we used as the keys in PrototypeMap
        to a std::tuple. I also plan on using this for a HashMap in wasm.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::createEmptyStructure):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h:

2017-02-24  Saam Barati  <sbarati@apple.com>

        Unreviewed. Remove inaccurate copy-paste comment from r212939.

        * dfg/DFGOperations.cpp:

2017-02-23  Saam Barati  <sbarati@apple.com>

        Intrinsicify parseInt
        https://bugs.webkit.org/show_bug.cgi?id=168627

        Reviewed by Filip Pizlo.

        This patch makes parseInt an intrinsic in the DFG and FTL.
        We do our best to eliminate this node. If we speculate that
        the first operand to the operation is an int32, and that there
        isn't a second operand, we convert to the identity of the first
        operand. That's because parseInt(someInt) === someInt.

        If the first operand is proven to be an integer, and the second
        operand is the integer 0 or the integer 10, we can eliminate the
        node by making it an identity over its first operand. That's
        because parseInt(someInt, 0) === someInt and parseInt(someInt, 10) === someInt.

        If we are not able to constant fold the node away, we try to remove
        checks. The most common use case of parseInt is that its first operand
        is a proven string. The DFG might be able to remove type checks in this
        case. We also set up CSE rules for parseInt(someString, someIntRadix)
        because it's a "pure" operation (modulo resolving a rope).

        This looks to be a 4% Octane/Box2D progression.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::parseIntResult):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileParseInt):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileParseInt):
        * jit/JITOperations.h:
        * parser/Lexer.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/Intrinsic.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::toStringView): Deleted.
        (JSC::isStrWhiteSpace): Deleted.
        (JSC::parseDigit): Deleted.
        (JSC::parseIntOverflow): Deleted.
        (JSC::parseInt): Deleted.
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/ParseInt.h: Added.
        (JSC::parseDigit):
        (JSC::parseIntOverflow):
        (JSC::isStrWhiteSpace):
        (JSC::parseInt):
        (JSC::toStringView):
        * runtime/StringPrototype.cpp:

2017-02-23  JF Bastien  <jfbastien@apple.com>

        WebAssembly: support 0x1 version
        https://bugs.webkit.org/show_bug.cgi?id=168672

        Reviewed by Keith Miller.

        * wasm/wasm.json: update the version number, everything is based
        on its value

2017-02-23  Saam Barati  <sbarati@apple.com>

        Make Briggs fixpoint validation run only with validateGraphAtEachPhase
        https://bugs.webkit.org/show_bug.cgi?id=168795

        Rubber stamped by Keith Miller.

        The Briggs allocator was running intensive validation
        on each step of the fixpoint. Instead, it now will just
        do it when shouldValidateIRAtEachPhase() is true because
        doing this for all !ASSERT_DISABLED builds takes too long.

        * b3/air/AirAllocateRegistersByGraphColoring.cpp:

2017-02-23  Filip Pizlo  <fpizlo@apple.com>

        SpeculativeJIT::compilePutByValForIntTypedArray should only do the constant-folding optimization when the constant passes the type check
        https://bugs.webkit.org/show_bug.cgi?id=168787

        Reviewed by Michael Saboff and Mark Lam.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

2017-02-23  Mark Lam  <mark.lam@apple.com>

        Ensure that the end of the last invalidation point does not extend beyond the end of the buffer.
        https://bugs.webkit.org/show_bug.cgi?id=168786

        Reviewed by Filip Pizlo.

        In practice, we will always have multiple instructions after invalidation points,
        and have enough room in the JIT buffer for the invalidation point to work with.
        However, as a precaution, we can guarantee that there's enough room by always
        emitting a label just before we link the buffer.  The label will emit nop padding
        if needed.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):

2017-02-23  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix the cloop build. Needed a #if.

        * jit/ExecutableAllocator.cpp:

2017-02-22  Carlos Garcia Campos  <cgarcia@igalia.com>

        Better handle Thread and RunLoop initialization
        https://bugs.webkit.org/show_bug.cgi?id=167828

        Reviewed by Yusuke Suzuki.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading): Do not initialize double_conversion, that is already initialized by WTF, and GC
        threads that will be initialized by WTF main thread when needed.

2017-02-22  JF Bastien  <jfbastien@apple.com>

        WebAssembly: clear out insignificant i32 bits when calling JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=166677

        Reviewed by Keith Miller.

        When WebAssembly calls JavaScript it needs to clear out the
        insignificant bits of int32 values:

          +------------------- tag
          |  +---------------- insignificant
          |  |   +------------ 32-bit integer value
          |  |   |
          |--|---|-------|
        0xffff0000ffffffff

        At least some JavaScript code assumes that these bits are all
        zero. In the wasm-to-wasm.js example we store a 64-bit value in an
        object with lo / hi fields, each containing 32-bit integers. We
        then load these back, and the baseline compiler fails its
        comparison because it first checks the values are the same type
        (yes, because the int32 tag is set in both), and then whether they
        have the same value (no, because comparing the two registers
        fails). We could argue that the baseline compiler is wrong for
        performing a 64-bit comparison, but it doesn't really matter
        because there's not much of a point in breaking that invariant for
        WebAssembly's sake.

        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
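
The tag / insignificant-bits / payload layout sketched in the entry above, with the defective boxing beside the corrected one, as an added example that is not part of the WebKit change or of JSC's code. The tag constant, the register model (wasm_i32_register) and the comparison model (baseline_strict_equal) are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Layout from the diagram above: 16-bit tag in the top half-word, 16
 * "insignificant" bits below it, then the 32-bit payload. The constant
 * values are assumptions for this illustration, not JSC's own encoding. */
#define INT32_TAG    UINT64_C(0xffff000000000000)
#define PAYLOAD_MASK UINT64_C(0x00000000ffffffff)

/* Hypothetical helper: a wasm i32 as it may sit in a 64-bit register.
 * The upper half holds whatever an earlier operation left there (for
 * example a sign extension), which is the state the entry describes. */
static uint64_t wasm_i32_register(int32_t value, uint32_t upper_half)
{
    return ((uint64_t)upper_half << 32) | (uint32_t)value;
}

/* The defective boxing: OR the tag onto the raw register, so stale upper
 * bits leak into the insignificant field of the boxed value. */
static uint64_t box_int32_unmasked(uint64_t reg)
{
    return INT32_TAG | reg;
}

/* The fix: zero-extend the 32-bit payload first, then apply the tag. */
static uint64_t box_int32(uint64_t reg)
{
    return INT32_TAG | (reg & PAYLOAD_MASK);
}

static bool is_int32_box(uint64_t v)
{
    return (v & INT32_TAG) == INT32_TAG;
}

/* What a consumer that ignores the insignificant bits reads back. */
static int32_t unbox_int32(uint64_t v)
{
    return (int32_t)(uint32_t)(v & PAYLOAD_MASK);
}

/* Model of the baseline-compiler comparison from the entry: the type
 * check passes when both carry the int32 tag, then the whole 64-bit
 * register is compared. */
static bool baseline_strict_equal(uint64_t a, uint64_t b)
{
    if (is_int32_box(a) != is_int32_box(b))
        return false;
    return a == b;
}

/* The same i32 arriving once with a clean upper half and once with
 * stale_upper in the upper half. Returns true when the given boxing
 * routine makes the two boxed values compare unequal even though they
 * decode to the same payload, i.e. when === would be broken. */
static bool boxing_breaks_equality(uint64_t (*box)(uint64_t),
                                   int32_t value, uint32_t stale_upper)
{
    uint64_t clean = box(wasm_i32_register(value, 0x00000000u));
    uint64_t stale = box(wasm_i32_register(value, stale_upper));
    return unbox_int32(clean) == unbox_int32(stale)
        && !baseline_strict_equal(clean, stale);
}

int main(void)
{
    /* -1 sign-extended to 64 bits is the realistic stale-upper-half case. */
    printf("unmasked boxing breaks === : %s\n",
           boxing_breaks_equality(box_int32_unmasked, -1, 0xffffffffu) ? "yes" : "no");
    printf("masked boxing breaks ===   : %s\n",
           boxing_breaks_equality(box_int32, -1, 0xffffffffu) ? "yes" : "no");
    printf("boxed -1 with masking      : 0x%016llx\n",
           (unsigned long long)box_int32(wasm_i32_register(-1, 0xffffffffu)));
    return 0;
}
```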

2017-02-22  Keith Miller  <keith_miller@apple.com>

        Remove the demand executable allocator
        https://bugs.webkit.org/show_bug.cgi?id=168754

        Reviewed by Saam Barati.

        We currently only use the demand executable allocator for non-iOS 32-bit platforms.
        Benchmark results on a MBP indicate there is no appreciable performance difference
        between the fixed and demand allocators. In a future patch I will go back through
        this code and remove more of the abstractions.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
        (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
        (JSC::ExecutableAllocator::isValid):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        (JSC::ExecutableAllocator::getLock):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
        (JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
        (JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
        (JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
        (JSC::DemandExecutableAllocator::allocators): Deleted.
        (JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp: Removed.
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::canPerformRangeFilter):
        (JSC::JITStubRoutine::filteringStartAddress):
        (JSC::JITStubRoutine::filteringExtentSize):

1356 2017-02-22  Saam Barati  <sbarati@apple.com>
1357
1358         Add biased coloring to Briggs and IRC
1359         https://bugs.webkit.org/show_bug.cgi?id=168611
1360
1361         Reviewed by Filip Pizlo.
1362
1363         This patch implements biased coloring as proposed by Briggs. See section
1364         5.3.3 of his thesis for more information: http://www.cs.utexas.edu/users/mckinley/380C/lecs/briggs-thesis-1992.pdf
1365
1366         The main idea of biased coloring is this:
1367         We try to coalesce a move between u and v, but the conservative heuristic
1368         fails. We don't want to coalesce the move because we don't want to risk
1369         creating an uncolorable graph. However, if the conservative heuristic fails,
1370         it's not proof that the graph is uncolorable if the move were indeed coalesced.
1371         So, when we go to color the tmps, we'll remember that we really want the
1372         same register for u and v, and if legal during coloring, we will
1373         assign them to the same register.
1374
1375         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
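
The biasing step described above, as an added C++ sketch (this is not the Air allocator; the graph type, the select order passed in by hand and the three-tmp sample are constructed, and the conservative-coalescing decision is modelled simply as "the move was left uncoalesced"):

```cpp
#include <vector>
#include <set>
#include <utility>

// Tmps are integers 0..n-1. An interference edge means two tmps are live at
// the same time; a move pair (u, v) is a move that coalescing declined to merge.
struct InterferenceGraph {
    int numTmps = 0;
    std::vector<std::set<int>> neighbors;    // interference adjacency
    std::vector<std::pair<int, int>> moves;  // move-related pairs left uncoalesced

    explicit InterferenceGraph(int n) : numTmps(n), neighbors(n) {}
    void addInterference(int a, int b) { neighbors[a].insert(b); neighbors[b].insert(a); }
    void addMove(int a, int b) { moves.emplace_back(a, b); }
};

constexpr int kSpilled = -1;

// Assign one of k registers to each tmp, visiting tmps in `order` (the select
// order a simplify phase would produce). With `biased` set, a tmp first tries
// the register already given to a move partner, provided no interfering
// neighbor holds it; otherwise it falls back to the lowest free register.
std::vector<int> assignRegisters(const InterferenceGraph& g, int k,
                                 const std::vector<int>& order, bool biased) {
    std::vector<int> color(g.numTmps, kSpilled);
    for (int tmp : order) {
        std::vector<bool> taken(k, false);
        for (int n : g.neighbors[tmp])
            if (color[n] != kSpilled)
                taken[color[n]] = true;

        int chosen = kSpilled;
        if (biased) {
            // Prefer a register that turns an outstanding move into a no-op.
            for (const auto& m : g.moves) {
                int partner = (m.first == tmp) ? m.second : (m.second == tmp) ? m.first : -1;
                if (partner < 0 || color[partner] == kSpilled)
                    continue;
                if (!taken[color[partner]]) { chosen = color[partner]; break; }
            }
        }
        if (chosen == kSpilled)
            for (int r = 0; r < k; ++r)
                if (!taken[r]) { chosen = r; break; }
        color[tmp] = chosen;  // stays kSpilled if every register is taken
    }
    return color;
}

// Moves that still need a real copy because their two ends differ.
int remainingMoves(const InterferenceGraph& g, const std::vector<int>& color) {
    int count = 0;
    for (const auto& m : g.moves)
        if (color[m.first] == kSpilled || color[m.second] == kSpilled
            || color[m.first] != color[m.second])
            ++count;
    return count;
}

// Constructed sample: t0 and t1 are joined by a move, t0 interferes with t2,
// t1 interferes with nothing. Two registers are available.
InterferenceGraph sampleGraph() {
    InterferenceGraph g(3);
    g.addInterference(0, 2);
    g.addMove(0, 1);
    return g;
}

// With the select order t2, t0, t1: unbiased coloring gives t0 -> r1 and
// t1 -> r0 (lowest free), leaving the move in place; biased coloring sees
// that t0 already holds r1 and gives t1 the same register.
int movesLeft(bool biased) {
    InterferenceGraph g = sampleGraph();
    std::vector<int> order = {2, 0, 1};
    return remainingMoves(g, assignRegisters(g, 2, order, biased));
}
```

The bias never makes a coloring illegal: it only reorders the choice among registers that are already free with respect to the tmp's neighbors, which is exactly why it can be applied after a conservative coalescing test has refused the merge.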
1376
1377 2017-02-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1378
1379         JSModuleNamespace object should have IC
1380         https://bugs.webkit.org/show_bug.cgi?id=160590
1381
1382         Reviewed by Saam Barati.
1383
1384         This patch optimizes accesses to module namespace objects.
1385
1386         1. Cache the resolutions for module namespace objects.
1387
1388             When constructing the module namespace object, we already resolve all the exports.
1389             The module namespace object caches this result and leverages it in later accesses in
1390             getOwnPropertySlot. This avoids resolving bindings through resolveExport.
1391
1392         2. Introduce ModuleNamespaceLoad IC.
1393
1394             This patch adds a new IC for module namespace objects. The mechanism is simple: getOwnPropertySlot
1395             tells us about module namespace object resolution. The IC first checks whether the given object
1396             is an expected module namespace object. If this check succeeds, we load the value from the module
1397             environment.
1398
1399         3. Introduce DFG/FTL optimization.
1400
1401             After exploiting module namespace object accesses in (2), DFG can recognize this in ByteCodeParser.
1402             DFG will convert it to CheckCell with the namespace object and GetClosureVar from the cached environment.
1403             At that time, we have a chance to fold it to a constant.
1404
1405         This optimization improves the performance of accessing module namespace objects.
1406
1407         Before
1408             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-namespace.js
1409             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.43s user 0.03s system 101% cpu 0.451 total
1410             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-binding.js
1411             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.08s user 0.02s system 103% cpu 0.104 total
1412
1413         After
1414             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-namespace.js
1415             ../../WebKitBuild/module-ic/Release/bin/jsc -m   0.11s user 0.01s system 106% cpu 0.109 total
1416             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.js
1417             ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.j  0.08s user 0.02s system 102% cpu 0.105 total
1418
1419         * CMakeLists.txt:
1420         * JavaScriptCore.xcodeproj/project.pbxproj:
1421         * bytecode/AccessCase.cpp:
1422         (JSC::AccessCase::create):
1423         (JSC::AccessCase::guardedByStructureCheck):
1424         (JSC::AccessCase::canReplace):
1425         (JSC::AccessCase::visitWeak):
1426         (JSC::AccessCase::generateWithGuard):
1427         (JSC::AccessCase::generateImpl):
1428         * bytecode/AccessCase.h:
1429         * bytecode/GetByIdStatus.cpp:
1430         (JSC::GetByIdStatus::GetByIdStatus):
1431         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1432         (JSC::GetByIdStatus::makesCalls):
1433         (JSC::GetByIdStatus::dump):
1434         * bytecode/GetByIdStatus.h:
1435         (JSC::GetByIdStatus::isModuleNamespace):
1436         (JSC::GetByIdStatus::takesSlowPath):
1437         (JSC::GetByIdStatus::moduleNamespaceObject):
1438         (JSC::GetByIdStatus::moduleEnvironment):
1439         (JSC::GetByIdStatus::scopeOffset):
1440         * bytecode/ModuleNamespaceAccessCase.cpp: Added.
1441         (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
1442         (JSC::ModuleNamespaceAccessCase::create):
1443         (JSC::ModuleNamespaceAccessCase::~ModuleNamespaceAccessCase):
1444         (JSC::ModuleNamespaceAccessCase::clone):
1445         (JSC::ModuleNamespaceAccessCase::emit):
1446         * bytecode/ModuleNamespaceAccessCase.h: Added.
1447         (JSC::ModuleNamespaceAccessCase::moduleNamespaceObject):
1448         (JSC::ModuleNamespaceAccessCase::moduleEnvironment):
1449         (JSC::ModuleNamespaceAccessCase::scopeOffset):
1450         * bytecode/PolymorphicAccess.cpp:
1451         (WTF::printInternal):
1452         * dfg/DFGByteCodeParser.cpp:
1453         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
1454         (JSC::DFG::ByteCodeParser::handleGetById):
1455         * jit/AssemblyHelpers.h:
1456         (JSC::AssemblyHelpers::loadValue):
1457         * jit/Repatch.cpp:
1458         (JSC::tryCacheGetByID):
1459         * runtime/AbstractModuleRecord.cpp:
1460         (JSC::AbstractModuleRecord::getModuleNamespace):
1461         * runtime/JSModuleNamespaceObject.cpp:
1462         (JSC::JSModuleNamespaceObject::finishCreation):
1463         (JSC::JSModuleNamespaceObject::visitChildren):
1464         (JSC::getValue):
1465         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1466         (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
1467         * runtime/JSModuleNamespaceObject.h:
1468         (JSC::isJSModuleNamespaceObject):
1469         (JSC::JSModuleNamespaceObject::create): Deleted.
1470         (JSC::JSModuleNamespaceObject::createStructure): Deleted.
1471         (JSC::JSModuleNamespaceObject::moduleRecord): Deleted.
1472         * runtime/JSModuleRecord.h:
1473         (JSC::JSModuleRecord::moduleEnvironment): Deleted.
1474         * runtime/PropertySlot.h:
1475         (JSC::PropertySlot::PropertySlot):
1476         (JSC::PropertySlot::domJIT):
1477         (JSC::PropertySlot::moduleNamespaceSlot):
1478         (JSC::PropertySlot::setValueModuleNamespace):
1479         (JSC::PropertySlot::setCacheableCustom):
1480
1481 2017-02-22  Saam Barati  <sbarati@apple.com>
1482
1483         Unreviewed. Rename AirGraphColoring.* files to AirAllocateRegistersByGraphColoring.* to be more consistent with the rest of the Air file names.
1484
1485         * CMakeLists.txt:
1486         * JavaScriptCore.xcodeproj/project.pbxproj:
1487         * b3/air/AirAllocateRegistersByGraphColoring.cpp: Copied from Source/JavaScriptCore/b3/air/AirGraphColoring.cpp.
1488         * b3/air/AirAllocateRegistersByGraphColoring.h: Copied from Source/JavaScriptCore/b3/air/AirGraphColoring.h.
1489         * b3/air/AirGenerate.cpp:
1490         * b3/air/AirGraphColoring.cpp: Removed.
1491         * b3/air/AirGraphColoring.h: Removed.
1492
1493 2017-02-21  Youenn Fablet  <youenn@apple.com>
1494
1495         [WebRTC][Mac] Activate libwebrtc
1496         https://bugs.webkit.org/show_bug.cgi?id=167293
1497         <rdar://problem/30401864>
1498
1499         Reviewed by Alex Christensen.
1500
1501         * Configurations/FeatureDefines.xcconfig:
1502
1503 2017-02-21  Saam Barati  <sbarati@apple.com>
1504
1505         Add the Briggs optimistic allocator to run on ARM64
1506         https://bugs.webkit.org/show_bug.cgi?id=168454
1507
1508         Reviewed by Filip Pizlo.
1509
1510         This patch adds the Briggs allocator to Air:
1511         http://www.cs.utexas.edu/users/mckinley/380C/lecs/briggs-thesis-1992.pdf
1512         It uses it by default on ARM64. I was measuring an 8-10% speedup
1513         in the phase because of this. I also wasn't able to detect a slowdown 
1514         for generated code on ARM64. There are still a few things we can do
1515         to speed things up even further. Moving the interference graph into
1516         a BitVector was another 10-20% speedup. We should consider doing this
1517         in a follow up patch. This is especially important now, since making
1518         register allocation faster has a direct impact on startup time for
1519         Wasm modules.
1520         
1521         I abstracted away the common bits between Briggs and IRC, and moved
1522         them into a common super class. In a follow up to this patch, I plan
1523         on implementing biased coloring for both Briggs and IRC (this is
1524         described in Briggs's thesis). I was able to detect a 1% slowdown
1525         with Briggs on Octane for x86-64. This is because the register file
1526         for x86-64 is smaller than ARM64. When I implemented biased coloring,
1527         I was no longer able to detect this slowdown. I still think it's a
1528         sensible plan to run Briggs on ARM64 and IRC on x86-64.
1529
1530         * CMakeLists.txt:
1531         * JavaScriptCore.xcodeproj/project.pbxproj:
1532         * b3/air/AirGenerate.cpp:
1533         (JSC::B3::Air::prepareForGeneration):
1534         * b3/air/AirGraphColoring.cpp: Copied from Source/JavaScriptCore/b3/air/AirIteratedRegisterCoalescing.cpp.
1535         (JSC::B3::Air::allocateRegistersByGraphColoring):
1536         (JSC::B3::Air::iteratedRegisterCoalescing): Deleted.
1537         * b3/air/AirGraphColoring.h: Copied from Source/JavaScriptCore/b3/air/AirIteratedRegisterCoalescing.h.
1538         * b3/air/AirIteratedRegisterCoalescing.cpp: Removed.
1539         * b3/air/AirIteratedRegisterCoalescing.h: Removed.
1540         * runtime/Options.h:
1541
1542 2017-02-21  Mark Lam  <mark.lam@apple.com>
1543
1544         Add more missing exception checks detected by running marathon.js.
1545         https://bugs.webkit.org/show_bug.cgi?id=168697
1546
1547         Reviewed by Saam Barati.
1548
1549         * runtime/StringPrototype.cpp:
1550         (JSC::replaceUsingRegExpSearch):
1551         (JSC::replaceUsingStringSearch):
1552
1553 2017-02-21  JF Bastien  <jfbastien@apple.com>
1554
1555         FullCodeOrigin for CodeBlock+CodeOrigin printing
1556         https://bugs.webkit.org/show_bug.cgi?id=168673
1557
1558         Reviewed by Filip Pizlo.
1559
1560         WebAssembly doesn't have a CodeBlock, so printing it isn't
1561         valid. This patch adds FullCodeOrigin to handle the
1562         CodeBlock+CodeOrigin printing pattern, and uses it through all the
1563         places I could find, including Repatch.cpp where it's relevant for
1564         WebAssembly.
1565
1566         * CMakeLists.txt:
1567         * JavaScriptCore.xcodeproj/project.pbxproj:
1568         * bytecode/CodeBlock.cpp:
1569         (JSC::CodeBlock::noticeIncomingCall):
1570         * bytecode/FullCodeOrigin.cpp: Added.
1571         (JSC::FullCodeOrigin::dump):
1572         (JSC::FullCodeOrigin::dumpInContext):
1573         * bytecode/FullCodeOrigin.h: Added.
1574         (JSC::FullCodeOrigin::FullCodeOrigin):
1575         * bytecode/PolymorphicAccess.cpp:
1576         (JSC::PolymorphicAccess::regenerate):
1577         * jit/PolymorphicCallStubRoutine.cpp:
1578         (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
1579         * jit/Repatch.cpp:
1580         (JSC::linkFor):
1581         (JSC::linkDirectFor):
1582         (JSC::linkVirtualFor):
1583
1584 2017-02-21  Filip Pizlo  <fpizlo@apple.com>
1585
1586         Unreviewed, fix cloop. I managed to have my local patch for relanding be the one without the cloop
1587         fix. I keep forgetting about cloop!
1588
1589         * heap/Heap.cpp:
1590         (JSC::Heap::stopThePeriphery):
1591         * runtime/JSLock.cpp:
1592
1593 2017-02-21  Mark Lam  <mark.lam@apple.com>
1594
1595         Add missing exception checks detected by running marathon.js.
1596         https://bugs.webkit.org/show_bug.cgi?id=168687
1597
1598         Reviewed by Saam Barati.
1599
1600         When running the marathon.js test from https://bugs.webkit.org/show_bug.cgi?id=168580,
1601         we get some crashes due to missing exception checks.  This patch adds those
1602         missing exception checks.
1603
1604         * runtime/JSCJSValueInlines.h:
1605         (JSC::JSValue::toPropertyKey):
1606         * runtime/JSObject.cpp:
1607         (JSC::JSObject::getPrimitiveNumber):
1608
1609 2017-02-20  Filip Pizlo  <fpizlo@apple.com>
1610
1611         The collector thread should only start when the mutator doesn't have heap access
1612         https://bugs.webkit.org/show_bug.cgi?id=167737
1613
1614         Reviewed by Keith Miller.
1615         
1616         This turns the collector thread's workflow into a state machine, so that the mutator thread can
1617         run it directly. This reduces the amount of synchronization we do with the collector thread, and
1618         means that most apps will never start the collector thread. The collector thread will still start
1619         when we need to finish collecting and we don't have heap access.
1620         
1621         In this new world, "stopping the world" means relinquishing control of collection to the mutator.
1622         This means tracking who is conducting collection. I use the GCConductor enum to say who is
1623         conducting. It's either GCConductor::Mutator or GCConductor::Collector. I use the term "conn" to
1624         refer to the concept of conducting (having the conn, relinquishing the conn, taking the conn).
1625         So, stopping the world means giving the mutator the conn. Releasing heap access means giving the
1626         collector the conn.
1627         
1628         This meant bringing back the conservative scan of the calling thread. It turns out that this
1629         scan was too slow to be called on each GC increment because apparently setjmp() now does system
1630         calls. So, I wrote our own callee save register saving for the GC. Then I had doubts about
1631         whether or not it was correct, so I also made it so that the GC only rarely asks for the register
1632         state. I think we still want to use my register saving code instead of setjmp because setjmp
1633         seems to save things we don't need, and that could make us overly conservative.
1634         
1635         It turns out that this new scheduling discipline makes the old space-time scheduler perform
1636         better than the new stochastic space-time scheduler on systems with fewer than 4 cores. This is
1637         because the mutator having the conn enables us to time the mutator<->collector context switches
1638         by polling. The OS is never involved. So, we can use super precise timing. This allows the old
1639         space-time scheduler to shine like it hadn't before.
1640         
1641         The splay results imply that this is all a good thing. On 2-core systems, this reduces pause
1642         times by 40% and it increases throughput about 5%. On 1-core systems, this reduces pause times by
1643         half and reduces throughput by 8%. On 4-or-more-core systems, this doesn't seem to have much
1644         effect.
1645
1646         * CMakeLists.txt:
1647         * JavaScriptCore.xcodeproj/project.pbxproj:
1648         * bytecode/CodeBlock.cpp:
1649         (JSC::CodeBlock::visitChildren):
1650         * dfg/DFGWorklist.cpp:
1651         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
1652         (JSC::DFG::Worklist::dump):
1653         (JSC::DFG::numberOfWorklists):
1654         (JSC::DFG::ensureWorklistForIndex):
1655         (JSC::DFG::existingWorklistForIndexOrNull):
1656         (JSC::DFG::existingWorklistForIndex):
1657         * dfg/DFGWorklist.h:
1658         (JSC::DFG::numberOfWorklists): Deleted.
1659         (JSC::DFG::ensureWorklistForIndex): Deleted.
1660         (JSC::DFG::existingWorklistForIndexOrNull): Deleted.
1661         (JSC::DFG::existingWorklistForIndex): Deleted.
1662         * heap/CollectingScope.h: Added.
1663         (JSC::CollectingScope::CollectingScope):
1664         (JSC::CollectingScope::~CollectingScope):
1665         * heap/CollectorPhase.cpp: Added.
1666         (JSC::worldShouldBeSuspended):
1667         (WTF::printInternal):
1668         * heap/CollectorPhase.h: Added.
1669         * heap/EdenGCActivityCallback.cpp:
1670         (JSC::EdenGCActivityCallback::lastGCLength):
1671         * heap/FullGCActivityCallback.cpp:
1672         (JSC::FullGCActivityCallback::doCollection):
1673         (JSC::FullGCActivityCallback::lastGCLength):
1674         * heap/GCConductor.cpp: Added.
1675         (JSC::gcConductorShortName):
1676         (WTF::printInternal):
1677         * heap/GCConductor.h: Added.
1678         * heap/GCFinalizationCallback.cpp: Added.
1679         (JSC::GCFinalizationCallback::GCFinalizationCallback):
1680         (JSC::GCFinalizationCallback::~GCFinalizationCallback):
1681         * heap/GCFinalizationCallback.h: Added.
1682         (JSC::GCFinalizationCallbackFuncAdaptor::GCFinalizationCallbackFuncAdaptor):
1683         (JSC::createGCFinalizationCallback):
1684         * heap/Heap.cpp:
1685         (JSC::Heap::Thread::Thread):
1686         (JSC::Heap::Heap):
1687         (JSC::Heap::lastChanceToFinalize):
1688         (JSC::Heap::gatherStackRoots):
1689         (JSC::Heap::updateObjectCounts):
1690         (JSC::Heap::sweepSynchronously):
1691         (JSC::Heap::collectAllGarbage):
1692         (JSC::Heap::collectAsync):
1693         (JSC::Heap::collectSync):
1694         (JSC::Heap::shouldCollectInCollectorThread):
1695         (JSC::Heap::collectInCollectorThread):
1696         (JSC::Heap::checkConn):
1697         (JSC::Heap::runNotRunningPhase):
1698         (JSC::Heap::runBeginPhase):
1699         (JSC::Heap::runFixpointPhase):
1700         (JSC::Heap::runConcurrentPhase):
1701         (JSC::Heap::runReloopPhase):
1702         (JSC::Heap::runEndPhase):
1703         (JSC::Heap::changePhase):
1704         (JSC::Heap::finishChangingPhase):
1705         (JSC::Heap::stopThePeriphery):
1706         (JSC::Heap::resumeThePeriphery):
1707         (JSC::Heap::stopTheMutator):
1708         (JSC::Heap::resumeTheMutator):
1709         (JSC::Heap::stopIfNecessarySlow):
1710         (JSC::Heap::collectInMutatorThread):
1711         (JSC::Heap::waitForCollector):
1712         (JSC::Heap::acquireAccessSlow):
1713         (JSC::Heap::releaseAccessSlow):
1714         (JSC::Heap::relinquishConn):
1715         (JSC::Heap::finishRelinquishingConn):
1716         (JSC::Heap::handleNeedFinalize):
1717         (JSC::Heap::notifyThreadStopping):
1718         (JSC::Heap::finalize):
1719         (JSC::Heap::addFinalizationCallback):
1720         (JSC::Heap::requestCollection):
1721         (JSC::Heap::waitForCollection):
1722         (JSC::Heap::updateAllocationLimits):
1723         (JSC::Heap::didFinishCollection):
1724         (JSC::Heap::collectIfNecessaryOrDefer):
1725         (JSC::Heap::notifyIsSafeToCollect):
1726         (JSC::Heap::preventCollection):
1727         (JSC::Heap::performIncrement):
1728         (JSC::Heap::markToFixpoint): Deleted.
1729         (JSC::Heap::shouldCollectInThread): Deleted.
1730         (JSC::Heap::collectInThread): Deleted.
1731         (JSC::Heap::stopTheWorld): Deleted.
1732         (JSC::Heap::resumeTheWorld): Deleted.
1733         * heap/Heap.h:
1734         (JSC::Heap::machineThreads):
1735         (JSC::Heap::lastFullGCLength):
1736         (JSC::Heap::lastEdenGCLength):
1737         (JSC::Heap::increaseLastFullGCLength):
1738         * heap/HeapInlines.h:
1739         (JSC::Heap::mutatorIsStopped): Deleted.
1740         * heap/HeapStatistics.cpp: Removed.
1741         * heap/HeapStatistics.h: Removed.
1742         * heap/HelpingGCScope.h: Removed.
1743         * heap/IncrementalSweeper.cpp:
1744         (JSC::IncrementalSweeper::stopSweeping):
1745         (JSC::IncrementalSweeper::willFinishSweeping): Deleted.
1746         * heap/IncrementalSweeper.h:
1747         * heap/MachineStackMarker.cpp:
1748         (JSC::MachineThreads::gatherFromCurrentThread):
1749         (JSC::MachineThreads::gatherConservativeRoots):
1750         (JSC::callWithCurrentThreadState):
1751         * heap/MachineStackMarker.h:
1752         * heap/MarkedAllocator.cpp:
1753         (JSC::MarkedAllocator::allocateSlowCaseImpl):
1754         * heap/MarkedBlock.cpp:
1755         (JSC::MarkedBlock::Handle::sweep):
1756         * heap/MarkedSpace.cpp:
1757         (JSC::MarkedSpace::sweep):
1758         * heap/MutatorState.cpp:
1759         (WTF::printInternal):
1760         * heap/MutatorState.h:
1761         * heap/RegisterState.h: Added.
1762         * heap/RunningScope.h: Added.
1763         (JSC::RunningScope::RunningScope):
1764         (JSC::RunningScope::~RunningScope):
1765         * heap/SlotVisitor.cpp:
1766         (JSC::SlotVisitor::SlotVisitor):
1767         (JSC::SlotVisitor::drain):
1768         (JSC::SlotVisitor::drainFromShared):
1769         (JSC::SlotVisitor::drainInParallelPassively):
1770         (JSC::SlotVisitor::donateAll):
1771         (JSC::SlotVisitor::donate):
1772         * heap/SlotVisitor.h:
1773         (JSC::SlotVisitor::codeName):
1774         * heap/StochasticSpaceTimeMutatorScheduler.cpp:
1775         (JSC::StochasticSpaceTimeMutatorScheduler::beginCollection):
1776         (JSC::StochasticSpaceTimeMutatorScheduler::synchronousDrainingDidStall):
1777         (JSC::StochasticSpaceTimeMutatorScheduler::timeToStop):
1778         * heap/SweepingScope.h: Added.
1779         (JSC::SweepingScope::SweepingScope):
1780         (JSC::SweepingScope::~SweepingScope):
1781         * jit/JITWorklist.cpp:
1782         (JSC::JITWorklist::Thread::Thread):
1783         * jsc.cpp:
1784         (GlobalObject::finishCreation):
1785         (functionFlashHeapAccess):
1786         * runtime/InitializeThreading.cpp:
1787         (JSC::initializeThreading):
1788         * runtime/JSCellInlines.h:
1789         (JSC::JSCell::classInfo):
1790         * runtime/Options.cpp:
1791         (JSC::overrideDefaults):
1792         * runtime/Options.h:
1793         * runtime/TestRunnerUtils.cpp:
1794         (JSC::finalizeStatsAtEndOfTesting):
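
The conductor idea from this entry, as an added C++ model (this is not JSC's Heap code: the phase names echo the run*Phase functions listed above, but the ModelHeap type, the single-threaded "collector thread" that runs inline, and the rule that only the Concurrent phase may overlap the mutator are assumptions made for the example):

```cpp
// Who is currently conducting the collection ("has the conn").
enum class GCConductor { Mutator, Collector };

// Collector phases, named after the run*Phase functions in the entry above.
enum class CollectorPhase { NotRunning, Begin, Fixpoint, Concurrent, Reloop, End };

// Assumption for this model: only the Concurrent phase may overlap with the
// mutator running; every other active phase needs the world suspended.
inline bool worldShouldBeSuspended(CollectorPhase phase) {
    return phase != CollectorPhase::NotRunning && phase != CollectorPhase::Concurrent;
}

struct ModelHeap {
    CollectorPhase phase = CollectorPhase::NotRunning;
    GCConductor conductor = GCConductor::Mutator;   // mutator starts with the conn
    bool mutatorHasHeapAccess = true;
    bool collectionRequested = false;
    bool collectorThreadStarted = false;
    int collectionsFinished = 0;

    // One step of the collector state machine. Whoever has the conn may run
    // it; a caller without the conn is refused, so a wrong-role call is a
    // visible error rather than a race on collector state.
    bool runPhaseStep(GCConductor who) {
        if (who != conductor)
            return false;
        switch (phase) {
        case CollectorPhase::NotRunning:
            if (collectionRequested) { collectionRequested = false; phase = CollectorPhase::Begin; }
            break;
        case CollectorPhase::Begin:      phase = CollectorPhase::Fixpoint;   break;
        case CollectorPhase::Fixpoint:   phase = CollectorPhase::Concurrent; break;
        case CollectorPhase::Concurrent: phase = CollectorPhase::Reloop;     break;
        case CollectorPhase::Reloop:     phase = CollectorPhase::End;        break;
        case CollectorPhase::End:        phase = CollectorPhase::NotRunning; ++collectionsFinished; break;
        }
        return true;
    }

    // Mutator-side entry point: while the mutator has the conn it runs the
    // collector increments itself, with no other thread involved.
    void performIncrement(int steps) {
        for (int i = 0; i < steps; ++i)
            runPhaseStep(GCConductor::Mutator);
    }

    // Releasing heap access with a collection in flight hands the conn to the
    // collector thread, which is started only at this point.
    void releaseAccess() {
        mutatorHasHeapAccess = false;
        if (phase != CollectorPhase::NotRunning && conductor == GCConductor::Mutator) {
            conductor = GCConductor::Collector;
            collectorThreadStarted = true;
            collectorThreadRun();
        }
    }

    // Reacquiring access takes the conn back.
    void acquireAccess() {
        mutatorHasHeapAccess = true;
        conductor = GCConductor::Mutator;
    }

    // The collector thread's loop, run inline for determinism: finish the
    // collection, then give the conn back to the mutator.
    void collectorThreadRun() {
        while (phase != CollectorPhase::NotRunning)
            runPhaseStep(GCConductor::Collector);
        conductor = GCConductor::Mutator;
    }
};

// Scenario 1: the mutator keeps heap access and drives the whole collection.
// Returns whether the collector thread was ever started (it should not be).
bool mutatorOnlyCollection(ModelHeap& heap) {
    heap.collectionRequested = true;
    heap.performIncrement(6);  // NotRunning -> Begin -> ... -> End -> NotRunning
    return heap.collectorThreadStarted;
}

// Scenario 2: the mutator starts a collection, then releases heap access
// part-way through; the collector thread must finish it.
bool handoffCollection(ModelHeap& heap) {
    heap.collectionRequested = true;
    heap.performIncrement(2);  // now in Fixpoint
    heap.releaseAccess();
    heap.acquireAccess();
    return heap.collectorThreadStarted && heap.phase == CollectorPhase::NotRunning;
}
```

The point the model makes is the one in the entry: because collection state is a resumable machine with a single conductor, an app whose mutator never releases heap access never starts a collector thread at all, and the hand-off happens only when the mutator goes away mid-collection.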
1795
1796 2017-02-21  Saam Barati  <sbarati@apple.com>
1797
1798         Air should have a disassembly mode that dumps IR and assembly intermixed
1799         https://bugs.webkit.org/show_bug.cgi?id=168629
1800
1801         Reviewed by Filip Pizlo.
1802
1803         This will make dumping FTL disassembly dump Air intermixed
1804         with the assembly generated by each Air Inst. This is similar
1805         to how dumpDFGDisassembly dumps the generated assembly for each
1806         Node.
1807         
1808         Here is what the output will look like:
1809         
1810         Generated FTL JIT code for foo#CUaFiQ:[0x10b76c960->0x10b76c2d0->0x10b7b6da0, FTLFunctionCall, 40 (NeverInline)], instruction count = 40:
1811         BB#0: ; frequency = 1.000000
1812                 0x469004e02e00: push %rbp
1813                 0x469004e02e01: mov %rsp, %rbp
1814                 0x469004e02e04: add $0xffffffffffffffd0, %rsp
1815             Move $0x10b76c960, %rax, $4487301472(@16)
1816                 0x469004e02e08: mov $0x10b76c960, %rax
1817             Move %rax, 16(%rbp), @19
1818                 0x469004e02e12: mov %rax, 0x10(%rbp)
1819             Patch &Patchpoint2, %rbp, %rax, @20
1820                 0x469004e02e16: lea -0x50(%rbp), %rax
1821                 0x469004e02e1a: mov $0x1084081e0, %r11
1822                 0x469004e02e24: cmp %rax, (%r11)
1823                 0x469004e02e27: ja 0x469004e02e9a
1824             Move 56(%rbp), %rdx, @23
1825                 0x469004e02e2d: mov 0x38(%rbp), %rdx
1826             Move $0xffff000000000002, %rax, $-281474976710654(@15)
1827                 0x469004e02e31: mov $0xffff000000000002, %rax
1828             Patch &BranchTest64(3,SameAsRep)1, NonZero, %rdx, %rax, %rdx, @26
1829                 0x469004e02e3b: test %rdx, %rax
1830                 0x469004e02e3e: jnz 0x469004e02f08
1831             Move 48(%rbp), %rax, @29
1832                 0x469004e02e44: mov 0x30(%rbp), %rax
1833             Move %rax, %rcx, @31
1834                 0x469004e02e48: mov %rax, %rcx
1835             Xor64 $6, %rcx, @31
1836                 0x469004e02e4b: xor $0x6, %rcx
1837             Patch &BranchTest64(3,SameAsRep)1, NonZero, %rcx, $-2, %rax, @35
1838                 0x469004e02e4f: test $0xfffffffffffffffe, %rcx
1839                 0x469004e02e56: jnz 0x469004e02f12
1840             Patch &Branch32(3,SameAsRep)0, NotEqual, (%rdx), $266, %rdx, @45
1841                 0x469004e02e5c: cmp $0x10a, (%rdx)
1842                 0x469004e02e62: jnz 0x469004e02f1c
1843             BranchTest32 NonZero, %rax, $1, @49
1844                 0x469004e02e68: test $0x1, %al
1845                 0x469004e02e6a: jnz 0x469004e02e91
1846           Successors: #3, #1
1847         BB#1: ; frequency = 1.000000
1848           Predecessors: #0
1849             Move $0, %rcx, @65
1850                 0x469004e02e70: xor %rcx, %rcx
1851             Jump @66
1852           Successors: #2
1853         BB#2: ; frequency = 1.000000
1854           Predecessors: #1, #3
1855             Move 24(%rdx), %rax, @58
1856                 0x469004e02e73: mov 0x18(%rdx), %rax
1857             Patch &BranchAdd32(4,ForceLateUseUnlessRecoverable)3, Overflow, %rcx, %rax, %rcx, %rcx, %rax, @60
1858                 0x469004e02e77: add %eax, %ecx
1859                 0x469004e02e79: jo 0x469004e02f26
1860             Move $0xffff000000000000, %rax, $-281474976710656(@14)
1861                 0x469004e02e7f: mov $0xffff000000000000, %rax
1862             Add64 %rcx, %rax, %rax, @62
1863                 0x469004e02e89: add %rcx, %rax
1864             Ret64 %rax, @63
1865                 0x469004e02e8c: mov %rbp, %rsp
1866                 0x469004e02e8f: pop %rbp
1867                 0x469004e02e90: ret 
1868         BB#3: ; frequency = 1.000000
1869           Predecessors: #0
1870             Move 16(%rdx), %rcx, @52
1871                 0x469004e02e91: mov 0x10(%rdx), %rcx
1872             Jump @55
1873                 0x469004e02e95: jmp 0x469004e02e73
1874           Successors: #2
1875
1876         * CMakeLists.txt:
1877         * JavaScriptCore.xcodeproj/project.pbxproj:
1878         * b3/air/AirCode.h:
1879         (JSC::B3::Air::Code::setDisassembler):
1880         (JSC::B3::Air::Code::disassembler):
1881         * b3/air/AirDisassembler.cpp: Added.
1882         (JSC::B3::Air::Disassembler::startEntrypoint):
1883         (JSC::B3::Air::Disassembler::endEntrypoint):
1884         (JSC::B3::Air::Disassembler::startLatePath):
1885         (JSC::B3::Air::Disassembler::endLatePath):
1886         (JSC::B3::Air::Disassembler::startBlock):
1887         (JSC::B3::Air::Disassembler::addInst):
1888         (JSC::B3::Air::Disassembler::dump):
1889         * b3/air/AirDisassembler.h: Added.
1890         * b3/air/AirGenerate.cpp:
1891         (JSC::B3::Air::generate):
1892         * ftl/FTLCompile.cpp:
1893         (JSC::FTL::compile):
1894
1895 2017-02-21  Ryan Haddad  <ryanhaddad@apple.com>
1896
1897         Unreviewed, rolling out r212712.
1898
1899         This change broke the CLoop build.
1900
1901         Reverted changeset:
1902
1903         "JSModuleNamespace object should have IC"
1904         https://bugs.webkit.org/show_bug.cgi?id=160590
1905         http://trac.webkit.org/changeset/212712
1906
1907 2017-02-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1908
1909         JSModuleNamespace object should have IC
1910         https://bugs.webkit.org/show_bug.cgi?id=160590
1911
1912         Reviewed by Saam Barati.
1913
1914         This patch optimizes accesses to module namespace objects.
1915
1916         1. Cache the resolutions for module namespace objects.
1917
1918             When constructing the module namespace object, we already resolve all the exports.
1919             The module namespace object caches this result and leverages it in later accesses in
1920             getOwnPropertySlot. This avoids resolving bindings through resolveExport.
1921
1922         2. Introduce ModuleNamespaceLoad IC.
1923
1924             This patch adds a new IC for module namespace objects. The mechanism is simple: getOwnPropertySlot
1925             tells us about module namespace object resolution. The IC first checks whether the given object
1926             is an expected module namespace object. If this check succeeds, we load the value from the module
1927             environment.
1928
1929         3. Introduce DFG/FTL optimization.
1930
1931             After exploiting module namespace object accesses in (2), DFG can recognize this in ByteCodeParser.
1932             DFG will convert it to CheckCell with the namespace object and GetClosureVar from the cached environment.
1933             At that time, we have a chance to fold it to a constant.
1934
1935         This optimization improves the performance of accessing module namespace objects.
1936
1937         Before
1938             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-namespace.js
1939             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.43s user 0.03s system 101% cpu 0.451 total
1940             $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-binding.js
1941             ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.08s user 0.02s system 103% cpu 0.104 total
1942
1943         After
1944             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-namespace.js
1945             ../../WebKitBuild/module-ic/Release/bin/jsc -m   0.11s user 0.01s system 106% cpu 0.109 total
1946             $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.js
1947             ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.j  0.08s user 0.02s system 102% cpu 0.105 total
1948
1949         * CMakeLists.txt:
1950         * JavaScriptCore.xcodeproj/project.pbxproj:
1951         * bytecode/AccessCase.cpp:
1952         (JSC::AccessCase::create):
1953         (JSC::AccessCase::guardedByStructureCheck):
1954         (JSC::AccessCase::canReplace):
1955         (JSC::AccessCase::visitWeak):
1956         (JSC::AccessCase::generateWithGuard):
1957         (JSC::AccessCase::generateImpl):
1958         * bytecode/AccessCase.h:
1959         * bytecode/GetByIdStatus.cpp:
1960         (JSC::GetByIdStatus::GetByIdStatus):
1961         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1962         (JSC::GetByIdStatus::makesCalls):
1963         (JSC::GetByIdStatus::dump):
1964         * bytecode/GetByIdStatus.h:
1965         (JSC::GetByIdStatus::isModuleNamespace):
1966         (JSC::GetByIdStatus::takesSlowPath):
1967         (JSC::GetByIdStatus::moduleNamespaceObject):
1968         (JSC::GetByIdStatus::moduleEnvironment):
1969         (JSC::GetByIdStatus::scopeOffset):
1970         * bytecode/ModuleNamespaceAccessCase.cpp: Added.
1971         (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
1972         (JSC::ModuleNamespaceAccessCase::create):
1973         (JSC::ModuleNamespaceAccessCase::~ModuleNamespaceAccessCase):
1974         (JSC::ModuleNamespaceAccessCase::clone):
1975         (JSC::ModuleNamespaceAccessCase::emit):
1976         * bytecode/ModuleNamespaceAccessCase.h: Added.
1977         (JSC::ModuleNamespaceAccessCase::moduleNamespaceObject):
1978         (JSC::ModuleNamespaceAccessCase::moduleEnvironment):
1979         (JSC::ModuleNamespaceAccessCase::scopeOffset):
1980         * bytecode/PolymorphicAccess.cpp:
1981         (WTF::printInternal):
1982         * dfg/DFGByteCodeParser.cpp:
1983         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
1984         (JSC::DFG::ByteCodeParser::handleGetById):
1985         * jit/AssemblyHelpers.h:
1986         (JSC::AssemblyHelpers::loadValue):
1987         * jit/Repatch.cpp:
1988         (JSC::tryCacheGetByID):
1989         * runtime/AbstractModuleRecord.cpp:
1990         (JSC::AbstractModuleRecord::getModuleNamespace):
1991         * runtime/JSModuleNamespaceObject.cpp:
1992         (JSC::JSModuleNamespaceObject::finishCreation):
1993         (JSC::JSModuleNamespaceObject::visitChildren):
1994         (JSC::getValue):
1995         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1996         (JSC::JSModuleNamespaceObject::getOwnPropertyNames):
1997         * runtime/JSModuleNamespaceObject.h:
1998         (JSC::isJSModuleNamespaceObject):
1999         (JSC::JSModuleNamespaceObject::create): Deleted.
2000         (JSC::JSModuleNamespaceObject::createStructure): Deleted.
2001         (JSC::JSModuleNamespaceObject::moduleRecord): Deleted.
2002         * runtime/JSModuleRecord.h:
2003         (JSC::JSModuleRecord::moduleEnvironment): Deleted.
2004         * runtime/PropertySlot.h:
2005         (JSC::PropertySlot::PropertySlot):
2006         (JSC::PropertySlot::domJIT):
2007         (JSC::PropertySlot::moduleNamespaceSlot):
2008         (JSC::PropertySlot::setValueModuleNamespace):
2009         (JSC::PropertySlot::setCacheableCustom):
2010
2011 2017-02-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2012
2013         ASSERTION FAILED: "!scope.exception()" with Object.isSealed/isFrozen and uninitialized module bindings
2014         https://bugs.webkit.org/show_bug.cgi?id=168605
2015
2016         Reviewed by Saam Barati.
2017
2018         We should check exception state after calling getOwnPropertyDescriptor() since it can throw errors.
2019
2020         * runtime/ObjectConstructor.cpp:
2021         (JSC::objectConstructorIsSealed):
2022         (JSC::objectConstructorIsFrozen):
2023
2024 2017-02-20  Mark Lam  <mark.lam@apple.com>
2025
2026         [Re-landing] CachedCall should let GC know to keep its arguments alive.
2027         https://bugs.webkit.org/show_bug.cgi?id=168567
2028         <rdar://problem/30475767>
2029
2030         Reviewed by Saam Barati.
2031
2032         We fix this by having CachedCall use a MarkedArgumentBuffer to store its
2033         arguments instead of a Vector.
2034
2035         Also declared CachedCall, MarkedArgumentBuffer, and ProtoCallFrame as
2036         WTF_FORBID_HEAP_ALLOCATION because they rely on being stack allocated for
2037         correctness.
2038
2039         Update: the original patch has a bug in MarkedArgumentBuffer::expandCapacity()
2040         where it was copying and calling addMarkSet() on values in m_buffer beyond m_size
2041         (up to m_capacity).  As a result, depending on the pre-existing values in
2042         m_inlineBuffer, this may result in a computed Heap pointer that is wrong, and
2043         subsequently, manifest as a crash.  This is likely to be the cause of the PLT
2044         regression.
2045
2046         I don't have a new test for this fix because the issue relies on sufficiently bad
2047         values randomly showing up in m_inlineBuffer when we do an ensureCapacity() which
2048         calls expandCapacity().
2049
2050         * interpreter/CachedCall.h:
2051         (JSC::CachedCall::CachedCall):
2052         (JSC::CachedCall::call):
2053         (JSC::CachedCall::clearArguments):
2054         (JSC::CachedCall::appendArgument):
2055         (JSC::CachedCall::setArgument): Deleted.
2056         * interpreter/CallFrame.h:
2057         (JSC::ExecState::emptyList):
2058         * interpreter/Interpreter.cpp:
2059         (JSC::Interpreter::prepareForRepeatCall):
2060         * interpreter/Interpreter.h:
2061         * interpreter/ProtoCallFrame.h:
2062         * runtime/ArgList.cpp:
2063         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
2064         (JSC::MarkedArgumentBuffer::expandCapacity):
2065         (JSC::MarkedArgumentBuffer::slowAppend):
2066         * runtime/ArgList.h:
2067         (JSC::MarkedArgumentBuffer::append):
2068         (JSC::MarkedArgumentBuffer::ensureCapacity):
2069         * runtime/StringPrototype.cpp:
2070         (JSC::replaceUsingRegExpSearch):
2071         * runtime/VM.cpp:
2072         (JSC::VM::VM):
2073         * runtime/VM.h:
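
        As an added illustration of the expandCapacity() defect described in the update above (not JavaScriptCore's own code: FakeHeap, FakeCell, ArgBuffer, kStaleBits and wildPointersDuringPresize are hypothetical stand-ins), a cut-down buffer with inline storage shows why the copy loop must be bounded by m_size rather than m_capacity:

```cpp
// Added example, not JavaScriptCore code: FakeHeap, FakeCell, ArgBuffer and
// the counting addMarkSet() below are hypothetical stand-ins for JSC's classes.
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>

struct FakeHeap { int markRequests = 0; };     // cells handed to the marker
struct FakeCell { FakeHeap* owner; };          // JSC derives the Heap from the cell

// Stands in for whatever happens to sit in uninitialized inline storage;
// it is not the address of any live cell.
static FakeCell* const kStaleBits =
    reinterpret_cast<FakeCell*>(static_cast<std::uintptr_t>(0x5a5a5a5a5a5a5a50ULL));

class ArgBuffer {
public:
    ArgBuffer(const std::set<FakeCell*>& liveCells, bool copyWholeCapacity)
        : m_liveCells(liveCells), m_copyWholeCapacity(copyWholeCapacity)
    {
        for (size_t i = 0; i < inlineCapacity; ++i)
            m_inlineBuffer[i] = kStaleBits;   // model uninitialized slots
        m_buffer = m_inlineBuffer;
    }

    void append(FakeCell* cell)
    {
        if (m_size == m_capacity)
            expandCapacity(m_capacity * 2);
        m_buffer[m_size++] = cell;
        addMarkSet(cell);
    }

    // CachedCall-style pre-sizing: capacity grows while m_size < m_capacity.
    void ensureCapacity(size_t requested)
    {
        if (requested > m_capacity)
            expandCapacity(requested);
    }

    size_t size() const { return m_size; }
    FakeCell* at(size_t i) const { return m_buffer[i]; }
    int wildPointersSeen() const { return m_wildPointers; }

private:
    static constexpr size_t inlineCapacity = 4;

    void expandCapacity(size_t newCapacity)
    {
        std::vector<FakeCell*> fresh(newCapacity, nullptr);
        // The defect the log entry describes: bounding the copy by m_capacity
        // treats stale inline slots beyond m_size as live cells.
        size_t copyCount = m_copyWholeCapacity ? m_capacity : m_size;
        for (size_t i = 0; i < copyCount; ++i) {
            fresh[i] = m_buffer[i];
            addMarkSet(m_buffer[i]);
        }
        m_heapStorage.swap(fresh);
        m_buffer = m_heapStorage.data();
        m_capacity = newCapacity;
    }

    // In JSC, addMarkSet() computes the Heap from the cell pointer and
    // dereferences it; a stale pointer there is the crash. This stand-in
    // counts wild pointers instead of following them.
    void addMarkSet(FakeCell* cell)
    {
        if (!m_liveCells.count(cell)) {
            ++m_wildPointers;
            return;
        }
        ++cell->owner->markRequests;
    }

    const std::set<FakeCell*>& m_liveCells;
    bool m_copyWholeCapacity;
    FakeCell* m_inlineBuffer[inlineCapacity];
    FakeCell** m_buffer = nullptr;
    std::vector<FakeCell*> m_heapStorage;
    size_t m_size = 0;
    size_t m_capacity = inlineCapacity;
    int m_wildPointers = 0;
};

// Scenario from the log entry: one argument is present, then the buffer is
// asked for more capacity than its inline storage holds. Returns how many
// garbage slots the expansion handed to addMarkSet(), or -1 if live entries
// were lost along the way.
int wildPointersDuringPresize(bool copyWholeCapacity)
{
    FakeHeap heap;
    FakeCell a{&heap}, b{&heap};
    std::set<FakeCell*> live{&a, &b};
    ArgBuffer args(live, copyWholeCapacity);
    args.append(&a);          // m_size = 1, m_capacity = 4
    args.ensureCapacity(6);   // expandCapacity(6) runs with m_size < m_capacity
    args.append(&b);
    if (args.size() != 2 || args.at(0) != &a || args.at(1) != &b)
        return -1;
    return args.wildPointersSeen();
}
```

With the m_capacity bound the expansion hands three stale slots to addMarkSet(); with the m_size bound it hands none, and the live entries survive in both cases.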
2074
2075 2017-02-20  Commit Queue  <commit-queue@webkit.org>
2076
2077         Unreviewed, rolling out r212618.
2078         https://bugs.webkit.org/show_bug.cgi?id=168609
2079
2080         "Appears to cause PLT regression" (Requested by mlam on
2081         #webkit).
2082
2083         Reverted changeset:
2084
2085         "CachedCall should let GC know to keep its arguments alive."
2086         https://bugs.webkit.org/show_bug.cgi?id=168567
2087         http://trac.webkit.org/changeset/212618
2088
2089 2017-02-19  Mark Lam  <mark.lam@apple.com>
2090
2091         BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump.
2092         https://bugs.webkit.org/show_bug.cgi?id=168585
2093
2094         Reviewed by Yusuke Suzuki.
2095
2096         This is because m_controlFlowScopeStack is a SegmentedVector, and entries for
2097         consecutive indices in the vector are not guaranteed to be consecutive in memory
2098         layout.  Instead, we should be using indexing.
2099
2100         This issue was detected by the marathon.js test from
2101         https://bugs.webkit.org/show_bug.cgi?id=168580.
2102
2103         * bytecompiler/BytecodeGenerator.cpp:
2104         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
2105         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
2106
2107 2017-02-20  Manuel Rego Casasnovas  <rego@igalia.com>
2108
2109         [css-grid] Remove compilation flag ENABLE_CSS_GRID_LAYOUT
2110         https://bugs.webkit.org/show_bug.cgi?id=167693
2111
2112         Reviewed by Sergio Villar Senin.
2113
2114         * Configurations/FeatureDefines.xcconfig:
2115
2116 2017-02-19  Commit Queue  <commit-queue@webkit.org>
2117
2118         Unreviewed, rolling out r212472.
2119         https://bugs.webkit.org/show_bug.cgi?id=168584
2120
2121         Broke CLoop builds when r212466 was rolled out in r212616
2122         (Requested by rniwa on #webkit).
2123
2124         Reverted changeset:
2125
2126         "Unreviewed, fix cloop build."
2127         http://trac.webkit.org/changeset/212472
2128
2129 2017-02-19  Mark Lam  <mark.lam@apple.com>
2130
2131         functionTestWasmModuleFunctions() should use a MarkedArgumentBuffer for storing args instead of a Vector.
2132         https://bugs.webkit.org/show_bug.cgi?id=168574
2133
2134         Reviewed by Filip Pizlo.
2135
2136         * jsc.cpp:
2137         (callWasmFunction):
2138         (functionTestWasmModuleFunctions):
2139         * runtime/ArgList.h:
2140
2141 2017-02-19  Mark Lam  <mark.lam@apple.com>
2142
2143         CachedCall should let GC know to keep its arguments alive.
2144         https://bugs.webkit.org/show_bug.cgi?id=168567
2145         <rdar://problem/30475767>
2146
2147         Reviewed by Saam Barati.
2148
2149         We fix this by having CachedCall use a MarkedArgumentBuffer to store its
2150         arguments instead of a Vector.
2151
2152         Also declared CachedCall, MarkedArgumentBuffer, and ProtoCallFrame as
2153         WTF_FORBID_HEAP_ALLOCATION because they rely on being stack allocated for
2154         correctness.
2155
2156         * interpreter/CachedCall.h:
2157         (JSC::CachedCall::CachedCall):
2158         (JSC::CachedCall::call):
2159         (JSC::CachedCall::clearArguments):
2160         (JSC::CachedCall::appendArgument):
2161         (JSC::CachedCall::setArgument): Deleted.
2162         * interpreter/CallFrame.h:
2163         (JSC::ExecState::emptyList):
2164         * interpreter/Interpreter.cpp:
2165         (JSC::Interpreter::prepareForRepeatCall):
2166         * interpreter/Interpreter.h:
2167         * interpreter/ProtoCallFrame.h:
2168         * runtime/ArgList.cpp:
2169         (JSC::MarkedArgumentBuffer::expandCapacity):
2170         * runtime/ArgList.h:
2171         (JSC::MarkedArgumentBuffer::ensureCapacity):
2172         * runtime/StringPrototype.cpp:
2173         (JSC::replaceUsingRegExpSearch):
2174         * runtime/VM.cpp:
2175         (JSC::VM::VM):
2176         * runtime/VM.h:
2177
2178 2017-02-19  Commit Queue  <commit-queue@webkit.org>
2179
2180         Unreviewed, rolling out r212466.
2181         https://bugs.webkit.org/show_bug.cgi?id=168577
2182
2183         causes crashes on AArch64 on Linux, maybe it's causing crashes
2184         on iOS too (Requested by pizlo on #webkit).
2185
2186         Reverted changeset:
2187
2188         "The collector thread should only start when the mutator
2189         doesn't have heap access"
2190         https://bugs.webkit.org/show_bug.cgi?id=167737
2191         http://trac.webkit.org/changeset/212466
2192
2193 2017-02-17  Michael Saboff  <msaboff@apple.com>
2194
2195         Improve ARM64 disassembler handling of pseudo ops, unsupported opcodes and zero reg
2196         https://bugs.webkit.org/show_bug.cgi?id=168527
2197
2198         Reviewed by Filip Pizlo.
2199
2200         Added support for data processing 1 source instructions like rbit, rev, clz and cls.
2201         Added support for the FP conditional select instruction, fcsel.  Consolidated the
2202         two classes for handling dmb instructions into one class.  Fixed the instruction
2203         selection mask in the integer conditional select class, A64DOpcodeConditionalSelect.
2204         Fixed the processing of extract instruction (extr) including the rotate right (ror)
2205         pseudo instruction.  Changed the printing of x31 and w31 to xzr and wzr as operands
2206         according to the spec.  Added support for common pseudo instructions.  This includes:
2207         - mvn x1, x2 in place of orn x1, xzr, x2
2208         - lsl x3, x4, #count in place of ubfiz x3, x4, #count, #count
2209         - smull x5, w6, w7 in place of smaddl x5, w6, w7, xzr
2210         - More understandable mov x8, #-304 in place of movn x8, #0x12f
2211         - Eliminated xzr from register index loads and stores, outputting
2212           ldr x10, [x11] instead of ldr x10, [x11, xzr]
2213
2214         Changed the move wide instructions to use hex literals for movz and movk.
2215         This makes it much easier to decipher sequences of wide moves for large literals.
2216                 Before                       After
2217           movz   x17, #26136           movz   x17, #0x6618
2218           movk   x17, #672, lsl #16    movk   x17, #0x2a0, lsl #16
2219           movk   x17, #1, lsl #32      movk   x17, #0x1, lsl #32
2220
2221         Verified that all instructions currently generated by the JSC stress tests are
2222         disassembled.
2223
2224         * disassembler/ARM64/A64DOpcode.cpp:
2225         (JSC::ARM64Disassembler::A64DOpcodeBitfield::format):
2226         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::format):
2227         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format):
2228         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::format):
2229         (JSC::ARM64Disassembler::A64DOpcodeExtract::format):
2230         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::format):
2231         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointIntegerConversions::format):
2232         (JSC::ARM64Disassembler::A64DOpcodeDmb::format):
2233         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreImmediate::format):
2234         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterOffset::format):
2235         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterPair::format):
2236         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreUnsignedImmediate::format):
2237         (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::format):
2238         (JSC::ARM64Disassembler::A64DOpcodeMoveWide::format):
2239         (JSC::ARM64Disassembler::A64DOpcodeDmbIsh::format): Deleted.
2240         (JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::format): Deleted.
2241         * disassembler/ARM64/A64DOpcode.h:
2242         (JSC::ARM64Disassembler::A64DOpcode::appendSignedImmediate64):
2243         (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedHexImmediate):
2244         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opName):
2245         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::sBit):
2246         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opCode):
2247         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opCode2):
2248         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::opNameIndex):
2249         (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::opName):
2250         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::opName):
2251         (JSC::ARM64Disassembler::A64DOpcodeFloatingPointConditionalSelect::condition):
2252         (JSC::ARM64Disassembler::A64DOpcodeDmb::option):
2253         (JSC::ARM64Disassembler::A64DOpcodeDmb::crM):
2254         (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::isMov):
2255         (JSC::ARM64Disassembler::A64DOpcodeDmbIsh::opName): Deleted.
2256         (JSC::ARM64Disassembler::A64DOpcodeDmbIshSt::opName): Deleted.
2257
2258 2017-02-17  Zan Dobersek  <zdobersek@igalia.com>
2259
2260         [GLib] GCActivityCallback::scheduleTimer() keeps pushing dispatch into the future
2261         https://bugs.webkit.org/show_bug.cgi?id=168363
2262
2263         Reviewed by Carlos Garcia Campos.
2264
2265         Mimic the USE(CF) implementation of GCActivityCallback and HeapTimer by
2266         scheduling the timer a decade into the future instead of completely
2267         cancelling it. That way new dispatch times for GCActivityCallback can be
2268         computed by simply deducting the difference in the new and previous
2269         delay from the GSource's current dispatch time. Previously we handled an
2270         extra 'paused' state (where m_delay was -1) and allowed for a delay of
2271         an infinite value to be valid, complicating the next dispatch time
2272         computation.
2273
2274         HeapTimer gains the static s_decade variable. The dispatch function in
2275         heapTimerSourceFunctions only dispatches the callback, which now delays
2276         the GSource by a decade. HeapTimer::scheduleTimer() simply schedules the
2277         source to dispatch in the specified amount of time, and cancelTimer()
2278         'cancels' the source by setting the dispatch time to a decade.
2279
2280         GCActivityCallback constructor initializes the delay to the s_decade
2281         value and immediately sets the ready time for GSource a decade into the
2282         future, avoiding the default -1 value as the ready time that would cause
2283         problems in scheduleTimer(). scheduleTimer() doesn't special-case the
2284         zero-delay value anymore, instead it just computes the difference
2285         between the old and the new delay and rolls back the GSource's ready
2286         time for that amount. cancelTimer() sets m_delay to the decade value and
2287         delays the GSource for that same amount.
2288
2289         * heap/GCActivityCallback.cpp:
2290         (JSC::GCActivityCallback::GCActivityCallback):
2291         (JSC::GCActivityCallback::scheduleTimer):
2292         (JSC::GCActivityCallback::cancelTimer):
2293         * heap/GCActivityCallback.h:
2294         * heap/HeapTimer.cpp:
2295         (JSC::HeapTimer::HeapTimer):
2296         (JSC::HeapTimer::scheduleTimer):
2297         (JSC::HeapTimer::cancelTimer):
2298         * heap/HeapTimer.h:
2299
2300 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2301
2302         [JSC] Drop PassRefPtr from ArrayBuffer
2303         https://bugs.webkit.org/show_bug.cgi?id=168455
2304
2305         Reviewed by Geoffrey Garen.
2306
2307         This patch finally drops all the PassRefPtr in JSC.
2308         We changed PassRefPtr<ArrayBuffer> to RefPtr<ArrayBuffer>&&.
2309         Since ArrayBuffer may be nullptr if the array is neutered,
2310         we hold it as RefPtr<> instead of Ref<>.
2311
2312         And we also drop 2 files, TypedArrayBase.h and IntegralTypedArrayBase.h.
2313         They are not used (and they are not referenced from the project file).
2314
2315         * inspector/JavaScriptCallFrame.h:
2316         * jsc.cpp:
2317         (functionDollarAgentReceiveBroadcast):
2318         * runtime/ArrayBufferView.cpp:
2319         (JSC::ArrayBufferView::ArrayBufferView):
2320         * runtime/ArrayBufferView.h:
2321         (JSC::ArrayBufferView::possiblySharedBuffer):
2322         (JSC::ArrayBufferView::unsharedBuffer):
2323         (JSC::ArrayBufferView::verifySubRangeLength):
2324         (JSC::ArrayBufferView::clampOffsetAndNumElements):
2325         * runtime/ClassInfo.h:
2326         * runtime/DataView.cpp:
2327         (JSC::DataView::DataView):
2328         (JSC::DataView::create):
2329         * runtime/DataView.h:
2330         * runtime/GenericTypedArrayView.h:
2331         * runtime/GenericTypedArrayViewInlines.h:
2332         (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):
2333         (JSC::GenericTypedArrayView<Adaptor>::create):
2334         (JSC::GenericTypedArrayView<Adaptor>::subarray):
2335         * runtime/IntegralTypedArrayBase.h: Removed.
2336         * runtime/JSArrayBuffer.cpp:
2337         (JSC::JSArrayBuffer::JSArrayBuffer):
2338         (JSC::JSArrayBuffer::create):
2339         * runtime/JSArrayBuffer.h:
2340         * runtime/JSArrayBufferPrototype.cpp:
2341         (JSC::arrayBufferProtoFuncSlice):
2342         * runtime/JSArrayBufferView.cpp:
2343         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2344         * runtime/JSArrayBufferView.h:
2345         * runtime/JSArrayBufferViewInlines.h:
2346         (JSC::JSArrayBufferView::possiblySharedImpl):
2347         (JSC::JSArrayBufferView::unsharedImpl):
2348         * runtime/JSCell.cpp:
2349         (JSC::JSCell::slowDownAndWasteMemory):
2350         (JSC::JSCell::getTypedArrayImpl):
2351         * runtime/JSCell.h:
2352         * runtime/JSDataView.cpp:
2353         (JSC::JSDataView::create):
2354         (JSC::JSDataView::possiblySharedTypedImpl):
2355         (JSC::JSDataView::unsharedTypedImpl):
2356         (JSC::JSDataView::getTypedArrayImpl):
2357         * runtime/JSDataView.h:
2358         * runtime/JSGenericTypedArrayView.h:
2359         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2360         (JSC::constructGenericTypedArrayViewWithArguments):
2361         * runtime/JSGenericTypedArrayViewInlines.h:
2362         (JSC::JSGenericTypedArrayView<Adaptor>::create):
2363         (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
2364         (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
2365         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl):
2366         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2367         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2368         * runtime/JSTypedArrays.cpp:
2369         (JSC::createUint8TypedArray):
2370         * runtime/TypedArrayBase.h: Removed.
2371
2372 2017-02-16  Keith Miller  <keith_miller@apple.com>
2373
2374         ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
2375         https://bugs.webkit.org/show_bug.cgi?id=168354
2376
2377         Reviewed by Geoffrey Garen.
2378
2379         Instead of adding a custom vmEntryGlobalObject for the debugger
2380         we can just have it use vmEntryScope instead.
2381
2382         * debugger/Debugger.cpp:
2383         (JSC::Debugger::detach):
2384         * interpreter/CallFrame.cpp:
2385         (JSC::CallFrame::vmEntryGlobalObjectForDebuggerDetach): Deleted.
2386         * interpreter/CallFrame.h:
2387
2388 2017-02-16  Filip Pizlo  <fpizlo@apple.com>
2389
2390         Unreviewed, fix cloop build.
2391
2392         * heap/Heap.cpp:
2393         (JSC::Heap::stopThePeriphery):
2394         * runtime/JSLock.cpp:
2395
2396 2017-02-10  Filip Pizlo  <fpizlo@apple.com>
2397
2398         The collector thread should only start when the mutator doesn't have heap access
2399         https://bugs.webkit.org/show_bug.cgi?id=167737
2400
2401         Reviewed by Keith Miller.
2402         
2403         This turns the collector thread's workflow into a state machine, so that the mutator thread can
2404         run it directly. This reduces the amount of synchronization we do with the collector thread, and
2405         means that most apps will never start the collector thread. The collector thread will still start
2406         when we need to finish collecting and we don't have heap access.
2407         
2408         In this new world, "stopping the world" means relinquishing control of collection to the mutator.
2409         This means tracking who is conducting collection. I use the GCConductor enum to say who is
2410         conducting. It's either GCConductor::Mutator or GCConductor::Collector. I use the term "conn" to
2411         refer to the concept of conducting (having the conn, relinquishing the conn, taking the conn).
2412         So, stopping the world means giving the mutator the conn. Releasing heap access means giving the
2413         collector the conn.
2414         
2415         This meant bringing back the conservative scan of the calling thread. It turns out that this
2416         scan was too slow to be called on each GC increment because apparently setjmp() now does system
2417         calls. So, I wrote our own callee save register saving for the GC. Then I had doubts about
2418         whether or not it was correct, so I also made it so that the GC only rarely asks for the register
2419         state. I think we still want to use my register saving code instead of setjmp because setjmp
2420         seems to save things we don't need, and that could make us overly conservative.
2421         
2422         It turns out that this new scheduling discipline makes the old space-time scheduler perform
2423         better than the new stochastic space-time scheduler on systems with fewer than 4 cores. This is
2424         because the mutator having the conn enables us to time the mutator<->collector context switches
2425         by polling. The OS is never involved. So, we can use super precise timing. This allows the old
2426         space-time scheduler to shine like it hadn't before.
2427         
2428         The splay results imply that this is all a good thing. On 2-core systems, this reduces pause
2429         times by 40% and it increases throughput about 5%. On 1-core systems, this reduces pause times by
2430         half and reduces throughput by 8%. On 4-or-more-core systems, this doesn't seem to have much
2431         effect.
2432
2433         * CMakeLists.txt:
2434         * JavaScriptCore.xcodeproj/project.pbxproj:
2435         * dfg/DFGWorklist.cpp:
2436         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
2437         (JSC::DFG::Worklist::dump):
2438         (JSC::DFG::numberOfWorklists):
2439         (JSC::DFG::ensureWorklistForIndex):
2440         (JSC::DFG::existingWorklistForIndexOrNull):
2441         (JSC::DFG::existingWorklistForIndex):
2442         * dfg/DFGWorklist.h:
2443         (JSC::DFG::numberOfWorklists): Deleted.
2444         (JSC::DFG::ensureWorklistForIndex): Deleted.
2445         (JSC::DFG::existingWorklistForIndexOrNull): Deleted.
2446         (JSC::DFG::existingWorklistForIndex): Deleted.
2447         * heap/CollectingScope.h: Added.
2448         (JSC::CollectingScope::CollectingScope):
2449         (JSC::CollectingScope::~CollectingScope):
2450         * heap/CollectorPhase.cpp: Added.
2451         (JSC::worldShouldBeSuspended):
2452         (WTF::printInternal):
2453         * heap/CollectorPhase.h: Added.
2454         * heap/EdenGCActivityCallback.cpp:
2455         (JSC::EdenGCActivityCallback::lastGCLength):
2456         * heap/FullGCActivityCallback.cpp:
2457         (JSC::FullGCActivityCallback::doCollection):
2458         (JSC::FullGCActivityCallback::lastGCLength):
2459         * heap/GCConductor.cpp: Added.
2460         (JSC::gcConductorShortName):
2461         (WTF::printInternal):
2462         * heap/GCConductor.h: Added.
2463         * heap/Heap.cpp:
2464         (JSC::Heap::Thread::Thread):
2465         (JSC::Heap::Heap):
2466         (JSC::Heap::lastChanceToFinalize):
2467         (JSC::Heap::gatherStackRoots):
2468         (JSC::Heap::updateObjectCounts):
2469         (JSC::Heap::shouldCollectInCollectorThread):
2470         (JSC::Heap::collectInCollectorThread):
2471         (JSC::Heap::checkConn):
2472         (JSC::Heap::runCurrentPhase):
2473         (JSC::Heap::runNotRunningPhase):
2474         (JSC::Heap::runBeginPhase):
2475         (JSC::Heap::runFixpointPhase):
2476         (JSC::Heap::runConcurrentPhase):
2477         (JSC::Heap::runReloopPhase):
2478         (JSC::Heap::runEndPhase):
2479         (JSC::Heap::changePhase):
2480         (JSC::Heap::finishChangingPhase):
2481         (JSC::Heap::stopThePeriphery):
2482         (JSC::Heap::resumeThePeriphery):
2483         (JSC::Heap::stopTheMutator):
2484         (JSC::Heap::resumeTheMutator):
2485         (JSC::Heap::stopIfNecessarySlow):
2486         (JSC::Heap::collectInMutatorThread):
2487         (JSC::Heap::collectInMutatorThreadImpl):
2488         (JSC::Heap::waitForCollector):
2489         (JSC::Heap::acquireAccessSlow):
2490         (JSC::Heap::releaseAccessSlow):
2491         (JSC::Heap::relinquishConn):
2492         (JSC::Heap::finishRelinquishingConn):
2493         (JSC::Heap::handleNeedFinalize):
2494         (JSC::Heap::notifyThreadStopping):
2495         (JSC::Heap::finalize):
2496         (JSC::Heap::requestCollection):
2497         (JSC::Heap::waitForCollection):
2498         (JSC::Heap::updateAllocationLimits):
2499         (JSC::Heap::didFinishCollection):
2500         (JSC::Heap::collectIfNecessaryOrDefer):
2501         (JSC::Heap::preventCollection):
2502         (JSC::Heap::performIncrement):
2503         (JSC::Heap::markToFixpoint): Deleted.
2504         (JSC::Heap::shouldCollectInThread): Deleted.
2505         (JSC::Heap::collectInThread): Deleted.
2506         (JSC::Heap::stopTheWorld): Deleted.
2507         (JSC::Heap::resumeTheWorld): Deleted.
2508         * heap/Heap.h:
2509         (JSC::Heap::machineThreads):
2510         (JSC::Heap::lastFullGCLength):
2511         (JSC::Heap::lastEdenGCLength):
2512         (JSC::Heap::increaseLastFullGCLength):
2513         * heap/HeapInlines.h:
2514         (JSC::Heap::mutatorIsStopped): Deleted.
2515         * heap/HeapStatistics.cpp: Removed.
2516         * heap/HeapStatistics.h: Removed.
2517         * heap/HelpingGCScope.h: Removed.
2518         * heap/MachineStackMarker.cpp:
2519         (JSC::MachineThreads::gatherFromCurrentThread):
2520         (JSC::MachineThreads::gatherConservativeRoots):
2521         * heap/MachineStackMarker.h:
2522         * heap/MarkedBlock.cpp:
2523         (JSC::MarkedBlock::Handle::sweep):
2524         * heap/MutatorState.cpp:
2525         (WTF::printInternal):
2526         * heap/MutatorState.h:
2527         * heap/RegisterState.h: Added.
2528         * heap/SlotVisitor.cpp:
2529         (JSC::SlotVisitor::drainFromShared):
2530         (JSC::SlotVisitor::drainInParallelPassively):
2531         (JSC::SlotVisitor::donateAll):
2532         * heap/StochasticSpaceTimeMutatorScheduler.cpp:
2533         (JSC::StochasticSpaceTimeMutatorScheduler::beginCollection):
2534         (JSC::StochasticSpaceTimeMutatorScheduler::synchronousDrainingDidStall):
2535         (JSC::StochasticSpaceTimeMutatorScheduler::timeToStop):
2536         * heap/SweepingScope.h: Added.
2537         (JSC::SweepingScope::SweepingScope):
2538         (JSC::SweepingScope::~SweepingScope):
2539         * jit/JITWorklist.cpp:
2540         (JSC::JITWorklist::Thread::Thread):
2541         * jsc.cpp:
2542         (GlobalObject::finishCreation):
2543         (functionFlashHeapAccess):
2544         * runtime/InitializeThreading.cpp:
2545         (JSC::initializeThreading):
2546         * runtime/JSCellInlines.h:
2547         (JSC::JSCell::classInfo):
2548         * runtime/Options.cpp:
2549         (JSC::overrideDefaults):
2550         * runtime/Options.h:
2551         * runtime/TestRunnerUtils.cpp:
2552         (JSC::finalizeStatsAtEndOfTesting):
2553
2554 2017-02-16  Anders Carlsson  <andersca@apple.com>
2555
2556         Remove EFL from JavaScriptCore
2557         https://bugs.webkit.org/show_bug.cgi?id=168459
2558
2559         Reviewed by Geoffrey Garen.
2560
2561         * heap/GCActivityCallback.cpp:
2562         (JSC::GCActivityCallback::GCActivityCallback):
2563         (JSC::GCActivityCallback::cancelTimer):
2564         (JSC::GCActivityCallback::didAllocate):
2565         * heap/GCActivityCallback.h:
2566         * heap/HeapTimer.cpp:
2567         (JSC::HeapTimer::add): Deleted.
2568         (JSC::HeapTimer::stop): Deleted.
2569         (JSC::HeapTimer::timerEvent): Deleted.
2570         * heap/HeapTimer.h:
2571         * inspector/EventLoop.cpp:
2572         (Inspector::EventLoop::cycle):
2573         * jsc.cpp:
2574         (main):
2575         * tools/CodeProfiling.cpp:
2576         (JSC::CodeProfiling::begin):
2577         (JSC::CodeProfiling::end):
2578
2579 2017-02-15  Brian Burg  <bburg@apple.com>
2580
2581         [Cocoa] Web Inspector: Inspector::fromProtocolString<T> should return std::optional<T>
2582         https://bugs.webkit.org/show_bug.cgi?id=168018
2583         <rdar://problem/30468779>
2584
2585         Reviewed by Joseph Pecoraro.
2586
2587         These methods parse untrusted string inputs, so they should return an optional instead
2588         of asserting or crashing when the input is not usable.
2589
2590         Update various pieces of generated code to handle the error case gracefully.
2591
2592         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2593         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
2594         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
2595         The local variable holding the ObjC-friendly converted value should take a std::optional
2596         when converting an enum from a string into an NS_ENUM value. If the enum command parameter
2597         is not optional, then send a response with a command failure message and return.
2598
2599         The optional enum parameter case is not handled correctly, but no existing code requires it.
2600
2601         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2602         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_from_protocol_string):
2603         Fix signature and remove default case ASSERT_NOT_REACHED.
2604
2605         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2606         (ObjCProtocolTypeConversionsImplementationGenerator._generate_type_factory_method_implementation):
2607         Since this code assumes all inputs to be valid and throws an exception otherwise, we
2608         try to convert the enum and throw an exception if it's nullopt. If it's valid, write to outValue.
2609
2610         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2611         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_payload):
2612         The local variable holding the ObjC-friendly converted value should take a std::optional
2613         when converting an enum from a string into an NS_ENUM value. If the enum command parameter
2614         is not optional, then throw an exception if the value is nullopt. Otherwise, allow it to be empty.
2615
2616         * inspector/scripts/codegen/objc_generator.py:
2617         (ObjCGenerator.protocol_to_objc_expression_for_member):
2618         Unconditionally unwrap the optional. This expression is only used inside the typechecked
2619         ObjC protocol objects. In this case we are guaranteed to have already initialized the enum with a valid
2620         value, but must store it as a string inside a wrapped InspectorObject. The getter needs to
2621         re-convert the stored string into an NS_ENUM value.
2622
2623         * inspector/scripts/codegen/objc_generator_templates.py:
2624         Update type template for fromProtocolString<T>().
2625
2626         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2627         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2628         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2629         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2630         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2631         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2632         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2633         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2634         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2635         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2636         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2637         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2638         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2639         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2640         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2641         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2642         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2643         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2644         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2645         Rebaseline tests.
2646
2647 2017-02-16  Keith Miller  <keith_miller@apple.com>
2648
2649         ASSERTION FAILED: vm.heap.mutatorState() == MutatorState::Running || vm.apiLock().ownerThread() != std::this_thread::get_id()
2650         https://bugs.webkit.org/show_bug.cgi?id=168354
2651
2652         Reviewed by Filip Pizlo.
2653
2654         Add a new vmEntryGlobalObject method for the debugger so that
2655         the debugger does not crash in debug builds when trying to
2656         detach itself from a global object.
2657
2658         * debugger/Debugger.cpp:
2659         (JSC::Debugger::detach):
2660         * interpreter/CallFrame.cpp:
2661         (JSC::CallFrame::vmEntryGlobalObjectForDebuggerDetach):
2662         * interpreter/CallFrame.h:
2663
2664 2017-02-16  Keith Miller  <keith_miller@apple.com>
2665
2666         Refactor AccessCase to be more like B3Value
2667         https://bugs.webkit.org/show_bug.cgi?id=168408
2668
2669         Reviewed by Filip Pizlo.
2670
2671         This patch makes AccessCase (and new subclasses) more like B3Value. In the new system each
2672         type has an associated AccessCase subclass. For instance any getter should use the
2673         GetterSetterAccessCase subclass. The new system is easier to follow since you no longer need
2674         to know exactly which members are used by which types. The subclass to AccessType mapping is:
2675
2676         GetterSetterAccessCase:
2677             Getter
2678             CustomAccessorGetter
2679             CustomValueGetter
2680             Setter
2681
2682         ProxyableAccessCase:
2683             Load
2684             Miss
2685             GetGetter
2686
2687         IntrinsicGetterAccessCase:
2688             IntrinsicGetter
2689
2690         AccessCase:
2691             Everything else
2692
2693         It also has the additional advantage that it uses less memory for the cases where we would have needed
2694         rare data in the past but that case would only use a small bit of it.
2695
2696         This patch also removes megamorphic loads and renames some TryGetById related enum values from Pure to Try.
2697
2698         * CMakeLists.txt:
2699         * JavaScriptCore.xcodeproj/project.pbxproj:
2700         * bytecode/AccessCase.cpp: Added.
2701         (JSC::AccessCase::AccessCase):
2702         (JSC::AccessCase::create):
2703         (JSC::AccessCase::~AccessCase):
2704         (JSC::AccessCase::fromStructureStubInfo):
2705         (JSC::AccessCase::clone):
2706         (JSC::AccessCase::commit):
2707         (JSC::AccessCase::guardedByStructureCheck):
2708         (JSC::AccessCase::doesCalls):
2709         (JSC::AccessCase::couldStillSucceed):
2710         (JSC::AccessCase::canReplace):
2711         (JSC::AccessCase::dump):
2712         (JSC::AccessCase::visitWeak):
2713         (JSC::AccessCase::propagateTransitions):
2714         (JSC::AccessCase::generateWithGuard):
2715         (JSC::AccessCase::generate):
2716         (JSC::AccessCase::generateImpl):
2717         * bytecode/AccessCase.h: Added.
2718         (JSC::AccessCase::as):
2719         (JSC::AccessCase::create):
2720         (JSC::AccessCase::type):
2721         (JSC::AccessCase::state):
2722         (JSC::AccessCase::offset):
2723         (JSC::AccessCase::structure):
2724         (JSC::AccessCase::newStructure):
2725         (JSC::AccessCase::conditionSet):
2726         (JSC::AccessCase::alternateBase):
2727         (JSC::AccessCase::additionalSet):
2728         (JSC::AccessCase::viaProxy):
2729         (JSC::AccessCase::isGetter):
2730         (JSC::AccessCase::isAccessor):
2731         (JSC::AccessCase::dumpImpl):
2732         (JSC::AccessCase::resetState):
2733         * bytecode/GetByIdStatus.cpp:
2734         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2735         * bytecode/GetterSetterAccessCase.cpp: Added.
2736         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
2737         (JSC::GetterSetterAccessCase::create):
2738         (JSC::GetterSetterAccessCase::~GetterSetterAccessCase):
2739         (JSC::GetterSetterAccessCase::clone):
2740         (JSC::GetterSetterAccessCase::alternateBase):
2741         (JSC::GetterSetterAccessCase::dumpImpl):
2742         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2743         * bytecode/GetterSetterAccessCase.h: Added.
2744         (JSC::GetterSetterAccessCase::callLinkInfo):
2745         (JSC::GetterSetterAccessCase::customSlotBase):
2746         (JSC::GetterSetterAccessCase::domJIT):
2747         * bytecode/IntrinsicGetterAccessCase.cpp: Added.
2748         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
2749         (JSC::IntrinsicGetterAccessCase::create):
2750         (JSC::IntrinsicGetterAccessCase::~IntrinsicGetterAccessCase):
2751         (JSC::IntrinsicGetterAccessCase::clone):
2752         * bytecode/IntrinsicGetterAccessCase.h: Added.
2753         (JSC::IntrinsicGetterAccessCase::intrinsicFunction):
2754         (JSC::IntrinsicGetterAccessCase::intrinsic):
2755         * bytecode/PolymorphicAccess.cpp:
2756         (JSC::PolymorphicAccess::regenerate):
2757         (WTF::printInternal):
2758         (JSC::AccessCase::AccessCase): Deleted.
2759         (JSC::AccessCase::tryGet): Deleted.
2760         (JSC::AccessCase::get): Deleted.
2761         (JSC::AccessCase::megamorphicLoad): Deleted.
2762         (JSC::AccessCase::replace): Deleted.
2763         (JSC::AccessCase::transition): Deleted.
2764         (JSC::AccessCase::setter): Deleted.
2765         (JSC::AccessCase::in): Deleted.
2766         (JSC::AccessCase::getLength): Deleted.
2767         (JSC::AccessCase::getIntrinsic): Deleted.
2768         (JSC::AccessCase::~AccessCase): Deleted.
2769         (JSC::AccessCase::fromStructureStubInfo): Deleted.
2770         (JSC::AccessCase::clone): Deleted.
2771         (JSC::AccessCase::commit): Deleted.
2772         (JSC::AccessCase::guardedByStructureCheck): Deleted.
2773         (JSC::AccessCase::alternateBase): Deleted.
2774         (JSC::AccessCase::doesCalls): Deleted.
2775         (JSC::AccessCase::couldStillSucceed): Deleted.
2776         (JSC::AccessCase::canBeReplacedByMegamorphicLoad): Deleted.
2777         (JSC::AccessCase::canReplace): Deleted.
2778         (JSC::AccessCase::dump): Deleted.
2779         (JSC::AccessCase::visitWeak): Deleted.
2780         (JSC::AccessCase::propagateTransitions): Deleted.
2781         (JSC::AccessCase::generateWithGuard): Deleted.
2782         (JSC::AccessCase::generate): Deleted.
2783         (JSC::AccessCase::generateImpl): Deleted.
2784         (JSC::AccessCase::emitDOMJITGetter): Deleted.
2785         * bytecode/PolymorphicAccess.h:
2786         (JSC::AccessCase::type): Deleted.
2787         (JSC::AccessCase::state): Deleted.
2788         (JSC::AccessCase::offset): Deleted.
2789         (JSC::AccessCase::viaProxy): Deleted.
2790         (JSC::AccessCase::structure): Deleted.
2791         (JSC::AccessCase::newStructure): Deleted.
2792         (JSC::AccessCase::conditionSet): Deleted.
2793         (JSC::AccessCase::intrinsicFunction): Deleted.
2794         (JSC::AccessCase::intrinsic): Deleted.
2795         (JSC::AccessCase::domJIT): Deleted.
2796         (JSC::AccessCase::additionalSet): Deleted.
2797         (JSC::AccessCase::customSlotBase): Deleted.
2798         (JSC::AccessCase::isGetter): Deleted.
2799         (JSC::AccessCase::callLinkInfo): Deleted.
2800         (JSC::AccessCase::RareData::RareData): Deleted.
2801         * bytecode/ProxyableAccessCase.cpp: Added.
2802         (JSC::ProxyableAccessCase::ProxyableAccessCase):
2803         (JSC::ProxyableAccessCase::create):
2804         (JSC::ProxyableAccessCase::~ProxyableAccessCase):
2805         (JSC::ProxyableAccessCase::clone):
2806         (JSC::ProxyableAccessCase::dumpImpl):
2807         * bytecode/ProxyableAccessCase.h: Added.
2808         * bytecode/PutByIdStatus.cpp:
2809         (JSC::PutByIdStatus::computeForStubInfo):
2810         * bytecode/StructureStubInfo.cpp:
2811         (JSC::StructureStubInfo::reset):
2812         * bytecode/StructureStubInfo.h:
2813         * dfg/DFGByteCodeParser.cpp:
2814         (JSC::DFG::ByteCodeParser::parseBlock):
2815         * dfg/DFGSpeculativeJIT.cpp:
2816         (JSC::DFG::SpeculativeJIT::compileTryGetById):
2817         * ftl/FTLLowerDFGToB3.cpp:
2818         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2819         (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
2820         * jit/IntrinsicEmitter.cpp:
2821         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
2822         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2823         (JSC::AccessCase::canEmitIntrinsicGetter): Deleted.
2824         (JSC::AccessCase::emitIntrinsicGetter): Deleted.
2825         * jit/JITOperations.cpp:
2826         * jit/JITPropertyAccess.cpp:
2827         (JSC::JIT::emit_op_try_get_by_id):
2828         * jit/JITPropertyAccess32_64.cpp:
2829         (JSC::JIT::emit_op_try_get_by_id):
2830         * jit/Repatch.cpp:
2831         (JSC::tryCacheGetByID):
2832         (JSC::tryCachePutByID):
2833         (JSC::tryRepatchIn):
2834         * jit/Repatch.h:
2835         * runtime/Options.h:
2836
2837 2017-02-16  Filip Pizlo  <fpizlo@apple.com>
2838
2839         JSONParseTest needs to hold the lock when the VM is destroyed
2840         https://bugs.webkit.org/show_bug.cgi?id=168450
2841
2842         Rubber stamped by Alex Christensen.
2843
2844         * API/tests/JSONParseTest.cpp:
2845         (testJSONParse):
2846
2847 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2848
2849         [JSC] Drop PassRefPtr in inspector/
2850         https://bugs.webkit.org/show_bug.cgi?id=168420
2851
2852         Reviewed by Alex Christensen.
2853
2854         Drop PassRefPtr uses.
2855         And use Ref<Inspector::ScriptArguments> and Ref<ScriptCallStack> as much as possible.
2856         It drops some unnecessary null checks.
2857
2858         * debugger/Debugger.cpp:
2859         (JSC::Debugger::hasBreakpoint):
2860         (JSC::Debugger::currentDebuggerCallFrame):
2861         * debugger/Debugger.h:
2862         * inspector/AsyncStackTrace.cpp:
2863         (Inspector::AsyncStackTrace::create):
2864         (Inspector::AsyncStackTrace::AsyncStackTrace):
2865         (Inspector::AsyncStackTrace::buildInspectorObject):
2866         (Inspector::AsyncStackTrace::truncate):
2867         * inspector/AsyncStackTrace.h:
2868         * inspector/ConsoleMessage.cpp:
2869         (Inspector::ConsoleMessage::ConsoleMessage):
2870         * inspector/ConsoleMessage.h:
2871         * inspector/InjectedScriptManager.cpp:
2872         (Inspector::InjectedScriptManager::InjectedScriptManager):
2873         (Inspector::InjectedScriptManager::injectedScriptHost):
2874         * inspector/InjectedScriptManager.h:
2875         * inspector/JSGlobalObjectConsoleClient.cpp:
2876         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
2877         (Inspector::JSGlobalObjectConsoleClient::count):
2878         (Inspector::JSGlobalObjectConsoleClient::timeEnd):
2879         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
2880         (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
2881         * inspector/JSGlobalObjectConsoleClient.h:
2882         ConsoleClient now takes Ref<ScriptArgument>&& instead of RefPtr<ScriptArgument>&&.
2883
2884         * inspector/JSGlobalObjectInspectorController.cpp:
2885         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2886         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2887         * inspector/JSGlobalObjectInspectorController.h:
2888         * inspector/JSJavaScriptCallFrame.cpp:
2889         (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame):
2890         (Inspector::toJS):
2891         * inspector/JSJavaScriptCallFrame.h:
2892         (Inspector::JSJavaScriptCallFrame::create):
2893         * inspector/JavaScriptCallFrame.cpp:
2894         (Inspector::JavaScriptCallFrame::JavaScriptCallFrame):
2895         (Inspector::JavaScriptCallFrame::caller):
2896         * inspector/JavaScriptCallFrame.h:
2897         (Inspector::JavaScriptCallFrame::create):
2898         * inspector/ScriptDebugServer.cpp:
2899         (Inspector::ScriptDebugServer::evaluateBreakpointAction):
2900         (Inspector::ScriptDebugServer::dispatchDidPause):
2901         (Inspector::ScriptDebugServer::exceptionOrCaughtValue):
2902         * inspector/agents/InspectorConsoleAgent.cpp:
2903         (Inspector::InspectorConsoleAgent::stopTiming):
2904         (Inspector::InspectorConsoleAgent::count):
2905         * inspector/agents/InspectorConsoleAgent.h:
2906         * inspector/agents/InspectorDebuggerAgent.cpp:
2907         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2908         * runtime/ConsoleClient.cpp:
2909         (JSC::ConsoleClient::printConsoleMessageWithArguments):
2910         (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
2911         (JSC::ConsoleClient::logWithLevel):
2912         (JSC::ConsoleClient::dir):
2913         (JSC::ConsoleClient::dirXML):
2914         (JSC::ConsoleClient::table):
2915         (JSC::ConsoleClient::trace):
2916         (JSC::ConsoleClient::assertion):
2917         (JSC::ConsoleClient::group):
2918         (JSC::ConsoleClient::groupCollapsed):
2919         (JSC::ConsoleClient::groupEnd):
2920         * runtime/ConsoleClient.h:
2921         * runtime/ConsoleObject.cpp:
2922         (JSC::consoleLogWithLevel):
2923         (JSC::consoleProtoFuncDir):
2924         (JSC::consoleProtoFuncDirXML):
2925         (JSC::consoleProtoFuncTable):
2926         (JSC::consoleProtoFuncTrace):
2927         (JSC::consoleProtoFuncAssert):
2928         (JSC::consoleProtoFuncCount):
2929         (JSC::consoleProtoFuncTimeStamp):
2930         (JSC::consoleProtoFuncGroup):
2931         (JSC::consoleProtoFuncGroupCollapsed):
2932         (JSC::consoleProtoFuncGroupEnd):
2933
2934 2017-02-15  Keith Miller  <keith_miller@apple.com>
2935
2936         Weak should not use jsCast in its accessors
2937         https://bugs.webkit.org/show_bug.cgi?id=168406
2938
2939         Reviewed by Filip Pizlo.
2940
2941         This can cause assertion failures in WebCore where classes might remove themselves
2942         from a data structure in a weak reference, if that reference is still alive.
2943
2944         * heap/WeakInlines.h:
2945         (JSC::>):
2946         (JSC::Weak<T>::operator):
2947         (JSC::Weak<T>::get):
2948
2949 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2950
2951         Web Inspector: allow import() inside the inspector
2952         https://bugs.webkit.org/show_bug.cgi?id=167457
2953
2954         Reviewed by Ryosuke Niwa.
2955
2956         We relax import module hook to accept null SourceOrigin.
2957         Such a script can be evaluated from the inspector console.
2958
2959         * jsc.cpp:
2960         (GlobalObject::moduleLoaderImportModule):
2961         * runtime/JSGlobalObjectFunctions.cpp:
2962         (JSC::globalFuncImportModule):
2963
2964 2017-02-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2965
2966         [JSC] Update module namespace object according to the latest ECMA262
2967         https://bugs.webkit.org/show_bug.cgi?id=168280
2968
2969         Reviewed by Saam Barati.
2970
2971         Reflect updates to the module namespace object.
2972
2973         1. @@iterator property is dropped[1].
2974         2. @@toStringTag property becomes non-configurable[1].
2975         3. delete with Symbol should be delegated to the JSObject's one[2].
2976
2977         [1]: https://tc39.github.io/ecma262/#sec-module-namespace-objects
2978         [2]: https://github.com/tc39/ecma262/pull/767
2979
2980         * runtime/JSModuleNamespaceObject.cpp:
2981         (JSC::JSModuleNamespaceObject::finishCreation):
2982         (JSC::JSModuleNamespaceObject::deleteProperty):
2983         (JSC::moduleNamespaceObjectSymbolIterator): Deleted.
2984
2985 2017-02-16  Carlos Garcia Campos  <cgarcia@igalia.com>
2986
2987         Unreviewed. Fix the build after r212424.
2988
2989         Add missing file.
2990
2991         * inspector/remote/RemoteInspector.cpp: Added.
2992         (Inspector::RemoteInspector::startDisabled):
2993         (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
2994         (Inspector::RemoteInspector::registerTarget):
2995         (Inspector::RemoteInspector::unregisterTarget):
2996         (Inspector::RemoteInspector::updateTarget):
2997         (Inspector::RemoteInspector::updateClientCapabilities):
2998         (Inspector::RemoteInspector::setRemoteInspectorClient):
2999         (Inspector::RemoteInspector::setupFailed):
3000         (Inspector::RemoteInspector::setupCompleted):
3001         (Inspector::RemoteInspector::waitingForAutomaticInspection):
3002         (Inspector::RemoteInspector::clientCapabilitiesDidChange):
3003         (Inspector::RemoteInspector::stop):
3004         (Inspector::RemoteInspector::listingForTarget):
3005         (Inspector::RemoteInspector::updateHasActiveDebugSession):
3006
3007 2017-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3008
3009         [JSC] Drop PassRefPtr in bytecompiler/
3010         https://bugs.webkit.org/show_bug.cgi?id=168374
3011
3012         Reviewed by Sam Weinig.
3013
3014         This patch drops PassRefPtr in bytecompiler directory.
3015         We carefully change this to Ref<>. And we use Ref<Label>
3016         as much as possible instead of using RefPtr<Label>.
3017         And use Label& instead of Label* as much as possible.
3018
3019         Currently we do not apply this change for RefPtr<RegisterID>,
3020         to reduce the size of this patch.
3021
3022         * bytecompiler/BytecodeGenerator.cpp:
3023         (JSC::BytecodeGenerator::BytecodeGenerator):
3024         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
3025         (JSC::BytecodeGenerator::newLabelScope):
3026         (JSC::BytecodeGenerator::newLabel):
3027         (JSC::BytecodeGenerator::newEmittedLabel):
3028         Introduce a new helper function, which returns a new label that is emitted right here.
3029
3030         (JSC::BytecodeGenerator::emitLabel):
3031         (JSC::BytecodeGenerator::emitJump):
3032         (JSC::BytecodeGenerator::emitJumpIfTrue):
3033         (JSC::BytecodeGenerator::emitJumpIfFalse):
3034         (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
3035         (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
3036         Drop returning Ref<Label> since nobody uses it.
3037
3038         (JSC::BytecodeGenerator::emitGetByVal):
3039         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
3040         (JSC::BytecodeGenerator::emitCall):
3041         (JSC::BytecodeGenerator::emitReturn):
3042         (JSC::BytecodeGenerator::emitConstruct):
3043         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
3044         (JSC::BytecodeGenerator::breakTarget):
3045         (JSC::BytecodeGenerator::pushTry):
3046         (JSC::BytecodeGenerator::popTry):
3047         (JSC::prepareJumpTableForSwitch):
3048         (JSC::prepareJumpTableForStringSwitch):
3049         (JSC::BytecodeGenerator::endSwitch):
3050         (JSC::BytecodeGenerator::emitEnumeration):
3051         (JSC::BytecodeGenerator::emitIteratorNext):
3052         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
3053         (JSC::BytecodeGenerator::emitIteratorClose):
3054         (JSC::BytecodeGenerator::pushIndexedForInScope):
3055         (JSC::BytecodeGenerator::pushStructureForInScope):
3056         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
3057         (JSC::BytecodeGenerator::emitRequireObjectCoercible):
3058         (JSC::BytecodeGenerator::emitYieldPoint):
3059         (JSC::BytecodeGenerator::emitYield):
3060         (JSC::BytecodeGenerator::emitDelegateYield):
3061         (JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
3062         (JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):
3063         (JSC::BytecodeGenerator::emitFinallyCompletion):
3064         (JSC::BytecodeGenerator::emitJumpIf):
3065         * bytecompiler/BytecodeGenerator.h:
3066         FinallyJump, FinallyContext, TryData, TryContext and TryRange hold Ref<Label>
3067         instead of RefPtr<Label>. They are never nullptr.
3068
3069         (JSC::FinallyJump::FinallyJump):
3070         (JSC::FinallyContext::FinallyContext):
3071         (JSC::FinallyContext::registerJump):
3072         (JSC::BytecodeGenerator::emitNodeInConditionContext):
3073         (JSC::BytecodeGenerator::emitNodeForLeftHandSide):
3074         * bytecompiler/Label.h:
3075         Make Label noncopyable.
3076
3077         * bytecompiler/LabelScope.h:
3078         (JSC::LabelScope::LabelScope):
3079         (JSC::LabelScope::breakTarget):
3080         breakTarget always returns Label&. On the other hand, continueTarget may be nullptr.
3081         So it returns Label*.
3082
3083         * bytecompiler/NodesCodegen.cpp:
3084         (JSC::ExpressionNode::emitBytecodeInConditionContext):
3085         (JSC::ConstantNode::emitBytecodeInConditionContext):
3086         (JSC::FunctionCallValueNode::emitBytecode):
3087         (JSC::CallFunctionCallDotNode::emitBytecode):
3088         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3089         (JSC::LogicalNotNode::emitBytecodeInConditionContext):
3090         (JSC::BinaryOpNode::emitBytecodeInConditionContext):
3091         (JSC::InstanceOfNode::emitBytecode):
3092         (JSC::LogicalOpNode::emitBytecode):
3093         (JSC::LogicalOpNode::emitBytecodeInConditionContext):
3094         (JSC::ConditionalNode::emitBytecode):
3095         (JSC::IfElseNode::emitBytecode):
3096         (JSC::DoWhileNode::emitBytecode):
3097         (JSC::WhileNode::emitBytecode):
3098         (JSC::ForNode::emitBytecode):
3099         (JSC::ForInNode::emitBytecode):
3100         (JSC::ContinueNode::trivialTarget):
3101         (JSC::ContinueNode::emitBytecode):
3102         (JSC::BreakNode::trivialTarget):
3103         (JSC::CaseBlockNode::emitBytecodeForBlock):
3104         (JSC::TryNode::emitBytecode):
3105         (JSC::FunctionNode::emitBytecode):
3106         (JSC::ClassExprNode::emitBytecode):
3107         (JSC::assignDefaultValueIfUndefined):
3108         (JSC::ArrayPatternNode::bindValue):
3109         Use Ref<Label> and Label&.
3110
3111         * parser/Nodes.h:
3112
3113 2017-02-15  Alex Christensen  <achristensen@webkit.org>
3114
3115         Unreviewed, rolling out r212394.
3116
3117         Fixed iOS WebInspector
3118
3119         Reverted changeset:
3120
3121         "Unreviewed, rolling out r212169."
3122         https://bugs.webkit.org/show_bug.cgi?id=166681
3123         http://trac.webkit.org/changeset/212394
3124
3125 2017-02-15  Guillaume Emont  <guijemont@igalia.com>
3126
3127         MIPS: add missing implementations of load8SignedExtendTo32()
3128
3129         JSC: missing implementations of MacroAssemblerMIPS::load8SignedExtendTo32()
3130         https://bugs.webkit.org/show_bug.cgi?id=168350
3131
3132         Reviewed by Yusuke Suzuki.
3133
3134         * assembler/MacroAssemblerMIPS.h:
3135         (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
3136         Add missing implementations.
3137
3138 2017-02-15  Alex Christensen  <achristensen@webkit.org>
3139
3140         Unreviewed, rolling out r212169.
3141
3142         Broke iOS WebInspector
3143
3144         Reverted changeset:
3145
3146         "WebInspector: refactor RemoteInspector to move cocoa specific
3147         code to their own files"
3148         https://bugs.webkit.org/show_bug.cgi?id=166681
3149         http://trac.webkit.org/changeset/212169
3150
3151 2017-02-15  Chris Dumez  <cdumez@apple.com>
3152
3153         Expose Symbol.toPrimitive / valueOf on Location instances
3154         https://bugs.webkit.org/show_bug.cgi?id=168295
3155
3156         Reviewed by Geoffrey Garen, Keith Miller and Mark Lam.
3157
3158         Cache origin objectProtoValueOf function on JSGlobalObject.
3159
3160         * runtime/JSGlobalObject.cpp:
3161         (JSC::JSGlobalObject::init):
3162         * runtime/JSGlobalObject.h:
3163         (JSC::JSGlobalObject::objectProtoValueOfFunction):
3164
3165 2017-02-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3166
3167         [JSC] Drop PassRefPtr
3168         https://bugs.webkit.org/show_bug.cgi?id=168320
3169
3170         Reviewed by Saam Barati.
3171
3172         * API/JSContextRef.cpp:
3173         (JSGlobalContextCreateInGroup):
3174         Use Ref<VM> from the factory function.
3175
3176         * API/JSScriptRef.cpp:
3177         (OpaqueJSScript::create):
3178         Return Ref<> instead.
3179
3180         * API/tests/JSONParseTest.cpp:
3181         (testJSONParse):
3182         Use Ref<VM>.
3183
3184         * assembler/LinkBuffer.cpp:
3185         (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
3186         Use reference since we already perform null check.
3187
3188         * assembler/MacroAssemblerCodeRef.h:
3189         (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
3190         Take Ref<>&& instead of PassRefPtr<>.
3191
3192         * bytecode/CallLinkInfo.h:
3193         (JSC::CallLinkInfo::setStub):
3194         (JSC::CallLinkInfo::setSlowStub):
3195         Take Ref<>&& instead of PassRefPtr<>.
3196
3197         * bytecode/CodeBlock.cpp:
3198         (JSC::CodeBlock::CodeBlock):
3199         Take RefPtr<SourceProvider>. Currently, the SourceProvider would be nullptr.
3200         We will change it to Ref<SourceProvider> in https://bugs.webkit.org/show_bug.cgi?id=168325.
3201
3202         (JSC::CodeBlock::finishCreation):
3203         Take Ref<TypeSet>&&.
3204
3205         * bytecode/CodeBlock.h:
3206         (JSC::CodeBlock::setJITCode):
3207         Take Ref<>&& instead.
3208
3209         (JSC::CodeBlock::jitCode):
3210         Return RefPtr<> instead.
3211
3212         * bytecode/EvalCodeBlock.h:
3213         (JSC::EvalCodeBlock::create):
3214         Take RefPtr<>&& instead since SourceProvider would be nullptr.
3215
3216         (JSC::EvalCodeBlock::EvalCodeBlock):
3217         * bytecode/FunctionCodeBlock.h:
3218         (JSC::FunctionCodeBlock::create):
3219         (JSC::FunctionCodeBlock::FunctionCodeBlock):
3220         Take RefPtr<>&& instead since SourceProvider would be nullptr.
3221
3222         * bytecode/GlobalCodeBlock.h:
3223         (JSC::GlobalCodeBlock::GlobalCodeBlock):
3224         Take RefPtr<>&& instead since SourceProvider would be nullptr.
3225
3226         * bytecode/ModuleProgramCodeBlock.h:
3227         (JSC::ModuleProgramCodeBlock::create):
3228         (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock):
3229         Take RefPtr<>&& instead since SourceProvider would be nullptr.
3230
3231         * bytecode/ProgramCodeBlock.h:
3232         (JSC::ProgramCodeBlock::create):
3233         (JSC::ProgramCodeBlock::ProgramCodeBlock):
3234         Take RefPtr<>&& instead since SourceProvider would be nullptr.
3235
3236         * debugger/DebuggerParseData.cpp:
3237         (JSC::gatherDebuggerParseDataForSource):
3238         Ensure the provider is not nullptr. It is OK because we already
3239         touch `provider->xxx` values.
3240
3241         * dfg/DFGBlockInsertionSet.cpp:
3242         (JSC::DFG::BlockInsertionSet::insert):
3243         Take Ref<>&& instead.
3244
3245         * dfg/DFGBlockInsertionSet.h:
3246         * dfg/DFGByteCodeParser.cpp:
3247         (JSC::DFG::ByteCodeParser::inlineCall):
3248         (JSC::DFG::ByteCodeParser::handleInlining):
3249         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3250         Pass Ref<>&& to appendBlock.
3251
3252         * dfg/DFGDriver.cpp:
3253         (JSC::DFG::compileImpl):
3254         (JSC::DFG::compile):
3255         Pass Ref<Plan>&&. And take Ref<>&& callback.
3256
3257         * dfg/DFGDriver.h:
3258         * dfg/DFGGraph.h:
3259         appendBlock takes Ref<>&&.
3260
3261         (JSC::DFG::Graph::appendBlock):
3262         * dfg/DFGJITCompiler.cpp:
3263         (JSC::DFG::JITCompiler::compile):
3264         (JSC::DFG::JITCompiler::compileFunction):
3265         * dfg/DFGJITCompiler.h:
3266         (JSC::DFG::JITCompiler::jitCode):
3267         * dfg/DFGJITFinalizer.cpp:
3268         (JSC::DFG::JITFinalizer::JITFinalizer):
3269         Take Ref<JITCode>&&.
3270
3271         (JSC::DFG::JITFinalizer::finalize):
3272         (JSC::DFG::JITFinalizer::finalizeFunction):
3273         (JSC::DFG::JITFinalizer::finalizeCommon):
3274         Pass compilation reference since we already perform null check.
3275
3276         * dfg/DFGJITFinalizer.h:
3277         * dfg/DFGWorklist.cpp:
3278         (JSC::DFG::Worklist::enqueue):
3279         Take Ref<Plan>&&.
3280
3281         * dfg/DFGWorklist.h:
3282         * ftl/FTLJITFinalizer.cpp:
3283         (JSC::FTL::JITFinalizer::finalizeFunction):
3284         Dereference and pass jitCode & compilation references.
3285
3286         * jit/GCAwareJITStubRoutine.cpp:
3287         (JSC::createJITStubRoutine):
3288         Return Ref<> instead.
3289
3290         * jit/GCAwareJITStubRoutine.h:
3291         (JSC::createJITStubRoutine):
3292         * jit/JIT.cpp:
3293         (JSC::JIT::link):
3294         Pass compilation reference since we already perform null check.
3295
3296         * jit/JITStubRoutine.h:
3297         (JSC::JITStubRoutine::asCodePtr):
3298         Take Ref<>&& instead. And this drops unnecessary null check.
3299
3300         * jit/JITThunks.cpp:
3301         (JSC::JITThunks::hostFunctionStub):
3302         Pass Ref<> to NativeExecutable::create.
3303
3304         * llint/LLIntEntrypoint.cpp:
3305         (JSC::LLInt::setFunctionEntrypoint):
3306         (JSC::LLInt::setEvalEntrypoint):
3307         (JSC::LLInt::setProgramEntrypoint):
3308         (JSC::LLInt::setModuleProgramEntrypoint):
3309         Use Ref<>&& instead.
3310
3311         * parser/SourceCode.h:
3312         (JSC::SourceCode::SourceCode):
3313         (JSC::SourceCode::subExpression):
3314         Add constructors taking Ref<>&&.
3315         We still have constructors that take RefPtr<>&&.
3316         We will change it to Ref<SourceProvider>&& in https://bugs.webkit.org/show_bug.cgi?id=168325.
3317
3318         * parser/UnlinkedSourceCode.h:
3319         (JSC::UnlinkedSourceCode::UnlinkedSourceCode):
3320         Add constructors taking Ref<>&&.
3321         We still have constructors that take RefPtr<>&&.
3322         We will change it to Ref<SourceProvider>&& in https://bugs.webkit.org/show_bug.cgi?id=168325.
3323
3324         * profiler/ProfilerDatabase.cpp:
3325         (JSC::Profiler::Database::addCompilation):
3326         Take Ref<Compilation>&&.
3327
3328         * profiler/ProfilerDatabase.h:
3329         Change data structures to hold Ref<> instead of RefPtr<>.
3330
3331         * runtime/EvalExecutable.h:
3332         (JSC::EvalExecutable::generatedJITCode):
3333         Return Ref<> instead.
3334